
FULLY HOMOMORPHIC ENCRYPTION OVER EXTERIOR PRODUCT SPACES

by

DAVID WILLIAM HONORIO ARAUJO DA SILVA

B.S.B.A., Universidade Potiguar (Brazil), 2012

A thesis submitted to the Graduate Faculty of the

University of Colorado Colorado Springs

in partial fulfillment of the

requirements for the degree of

Master of Science

Department of Computer Science

2017

© Copyright by David William Honorio Araujo da Silva 2017

All Rights Reserved

This thesis for the Master of Science degree by David William Honorio Araujo da Silva has been approved for the Department of Computer Science by

C. Edward Chow, Chair

Carlos Paz de Araujo

Jonathan Ventura

Date: 9 December 2017

Honorio Araujo da Silva, David William (M.S., Computer Science)

Fully Homomorphic Encryption Over Exterior Product Spaces

Thesis directed by Professor C. Edward Chow

ABSTRACT

In this work I propose a new symmetric fully homomorphic encryption powered by Exterior and Product Spaces, more specifically by Geometric Algebra (GA) as a mathematical language for creating cryptographic solutions, which is organized and presented as the Enhanced Data-Centric Homomorphic Encryption - EDCHE, invented by Dr. Carlos Paz de Araujo, Professor and Associate Dean at the University of Colorado Colorado Springs, in the Electrical Engineering department. Given GA as mathematical language, EDCHE is the framework for developing solutions for cryptology, such as encryption primitives and sub-primitives.

In 1978 Rivest et al. introduced the idea of an encryption scheme able to provide security and the manipulation of encrypted data, without decrypting it. With such an encryption scheme, it would be possible to process encrypted data in a meaningful way. In 2009, Craig Gentry proposed the first fully homomorphic encryption scheme based on ideal lattices. Although his original solution has faced some important improvements, Gentry’s scheme is currently impracticable.

Geometric Algebra is a field of mathematics already explored in many areas of Computer Science, Physics, Electrical Engineering, to cite a few. However, this is the first time that Geometric Algebra is proposed as the main building block of cryptographic solutions. Numbers are represented as multivectors, the special object for data representation, and through the GA operations (and some of its extensions), a series of transformations are performed, providing the mathematical under-determinacy required for encryption.

Since the mathematics that empowers EDCHE is naturally homomorphic, EDCHE is illustrated as an intrinsically fully homomorphic encryption, allowing the required homomorphic additive and multiplicative properties and adding special capabilities such as comparison, sorting and searching.

DEDICATION

Dedicated to my parents, Janildo and Elisabete, my wife Cimaria, and my son and daughters, Johnathan, Samara and Sarah. Not even a thousand theses would be enough to properly express how much I love you all.

ACKNOWLEDGEMENTS

I would like to thank God, my Lord and Savior, for the gift of life and for so much love, for what I am constantly astonished and amazed.

I also want to thank Dr. Carlos A. Paz de Araujo for believing in my potential and for investing in my academic and professional career in so many ways. Thank you for being such an inspiration, for mentoring me with absolute excellence and for teaching me that learning and creating are achievable goals, no matter the size or the complexity of the challenges in front of us.

I want to thank Greg Jones for supporting me in my personal and professional development with the type of guidance that makes the difference in the life of any successful person. Thank you for being always optimistic and willing to serve.

I want to thank Marcelo Araujo Xavier for being a great incentive for my academic growth, helping me whenever I needed it.

My gratitude also goes to my advisor Dr. Edward Chow for believing in me and in my ideas, for giving me practicable orientation during the entire research process and teaching me how to think as a Computer Scientist. I learned a lot during this whole process.

Table of Contents

CHAPTER

1 Introduction
1.1 Fundamental concepts and definitions
1.2 Types and properties of secrecy system
1.3 Statistical methods
1.4 Homomorphism
1.5 Homomorphic encryption
1.6 Fully homomorphic encryption
1.7 Exterior product spaces and Geometric Algebra
1.8 Enhanced Data-Centric Homomorphic Encryption
1.9 EDCHE Special Applications
1.10 My Contribution

2 FHE Using Ideal Lattices
2.1 Introduction
2.2 Fully Homomorphic Encryption
2.3 Gentry’s Fully Homomorphic Encryption
2.4 Limitations of Gentry’s scheme
2.5 Intrinsic and Extrinsic Homomorphism
2.6 Conclusion

3 Product spaces and Geometric Algebra
3.1 Introduction
3.2 and Product Spaces
3.3 Geometric Algebra
3.4 Conclusion

4 Encryption using Multivectors
4.1 Introduction
4.2 Basic Multivector Packing Scheme
4.3 Sylvester’s Equation
4.4 Triple product
4.5 The Underdeterminacy of the EDCHE Primitives
4.6 EDCHE as a Framework
4.7 EDCHE Sub-primitives
4.8 Secret Key Exchange
4.9 Sending without sending
4.10 Hierarchy Identity-Based Encryption
4.11 Continuous Authentication
4.12 EDCHE With Real Secret Keys
4.13 Generating Keys from Existing Keys
4.14 Automatic Key Update
4.15 Multivector translation
4.16 EDCHE with XOR
4.17 EDCHE With Rational Numbers
4.18 Cryptanalysis
4.19 Time and Space Complexity
4.20 Conclusion

5 FHE with EDCHE
5.1 Introduction
5.2 Selected Encryption Primitive
5.3 Dynamic Packing Scheme
5.4 Additive Homomorphism
5.5 Scalar Multiplicative Homomorphism
5.6 Multiplicative Properties of the Rationalize
5.7 Multiplicative Homomorphism with Cartesian product
5.8 Multiplicative Homomorphism With the Edge Product
5.9 Conclusion

6 EDCHE Applications
6.1 Introduction
6.2 Additive Homomorphism
6.3 Scalar Multiplicative Homomorphism
6.4 Multiplicative Homomorphism
6.5 Homomorphic Search
6.6 Homomorphic Numeric Sorting
6.7 Homomorphic Alphanumeric Sort
6.8 Conclusions

7 AES Overall Comparison with EDCHE
7.1 Introduction
7.2 Block Ciphers
7.3 Overview of AES Design
7.4 Mathematical Concepts and Terminology Used in AES
7.5 Boolean Functions
7.6 Bundle Partitions, Transpositions and Bricklayer Functions
7.7 Overall Differences Between AES and EDCHE
7.8 Performance Analysis
7.9 Conclusions

8 Conclusions and Future Work
8.1 Future work

Bibliography

APPENDIX

A Additional Examples
A.1 Scale Properties
A.2 Ratio Properties
A.3 Sorting Properties

B Ruby Codes
B.1 Multivector Class
B.2 Tools Class
B.3 EDCHE Module
B.4 Loader
B.5 Example With Pre-defined Keys
B.6 Example With Custom Keys

List of Tables

TABLE

4.1 Diffie-Hellman Key Exchange

7.1 Main Differences Between AES and EDCHE
7.2 EDCHE Performance Specs
7.3 Encryption Time
7.4 Ciphertext Size
7.5 Encryption Time
7.6 AES Performance Specs
7.7 AES Performance Results

List of Figures

FIGURE

4.1 Encryption with the Sylvester’s Equation
4.2 Encryption with the Triple Product
4.3 Multi-Ciphertexts
4.4 Nested Ciphertexts
4.5 Continuous Authentication
4.6 Key Generation via Rationalize
4.7 Rational numbers

5.1 EDCHE Overview

7.1 Block Cipher Diagram
7.2 AES State Diagram
7.3 Example of Bundle Transposition
7.4 Example of Bricklayer Transformation
7.5 Iterative Boolean Transformation

CHAPTER 1

Introduction

After years of technological evolution, data is literally everywhere. While this is a useful and appreciated phenomenon, it is also a subject of concern when it comes to security. Some data are meant to be public while other data are meant to be private. Even the personal identity must be protected, since identity theft is really a crime of the information age [29]. Private data should be fully accessible by those previously allowed to do so and it is a big challenge to increase availability while keeping confidentiality. A key constraint in organizations and/or systems is that the data is only accessed by the intended targets. Thus, it is important to know and understand the basic building blocks of Information Security, which are: 1) Confidentiality (information is not made available or disclosed to unauthorized individuals, entities, or processes), 2) Integrity (maintaining and assuring the accuracy and completeness of data over its entire life-cycle) and 3) Availability (information and other critical assets are accessible to customers and the business when needed) [36]. There are many security resources that can be implemented to ensure each one of these key concepts. However, this work is focused on the areas of Cryptology that promote Confidentiality by allowing a system to perform various, useful and sometimes complex operations on encrypted data without decrypting it at all, which is the goal of fully homomorphic encryption [25].

1.1 Fundamental concepts and definitions

Christopher Swenson discusses in [36] the concepts of Security. Looking up security in a few dictionaries he found the general consensus that security is "freedom from danger, risk, and loss" and since security here is studied in terms of computers, the concern of security is with dangers, risks, and losses related to computers, especially information. By using this definition, the fundamental principles of information security can be thought of as follows:

• Confidentiality: keeping information free from the danger of being exposed to unauthorized parties;

• Integrity: keeping information free from danger of being modified by unauthorized parties, and thus being invalid.

• Availability: keeping information around, that is, free from loss.

Yet another property of information security can be described in this context:

• Authenticity: keeping information written only by the party that is allowed to do it.

In order to study Cryptanalysis, it is important to understand key concepts of data security, and a good first step is to look at the following definitions:

• Cryptology: the science of securely transferring information. It is usually separated into two distinct yet related sciences: cryptography and cryptanalysis.

• Cryptography: the most commonly encountered area of cryptology, consisting of the science of understanding, implementing, and using information obfuscation techniques. These techniques are called cryptographic algorithms, codes, codebooks, cryptosystems, cryptoalgorithms, or ciphers. It is also described as "secret writing", by concealing the content of an important message from the unintended readers [24].

• Encryption: refers to taking information that is unobfuscated (the plaintext) and applying the cipher to acquire obfuscated data (the ciphertext).

• Decryption: taking the ciphertext and obtaining the plaintext.

• Key: the external piece of information (to the plaintext or ciphertext) that is necessary to guide the encryption and decryption processes to obtain its goal.

• Cryptanalysis: the study of defeating and strengthening cryptographic techniques. Finding, exploiting, and correcting weaknesses in either the algorithms themselves or in particular implementations. Understanding cryptanalytic methods helps one to break bad ciphers and make good ones.


• Steganography: a separate field, not directly involved with cryptology, that is concerned with hiding data in other information, usually without altering the original information. Steganographic and cryptographic techniques can be combined to increase the security of the data hiding.

Another definition to help us understand further concepts is given as follows:

• Cryptogram: a communication in cipher or code; a figure or representation having a hidden significance [41].

1.2 Types and properties of secrecy system

Claude Shannon in [31] developed a theory of secrecy systems and introduced three general types of secrecy system:

1. Concealment systems, including such methods as invisible ink, concealing a message in an innocent text, or in a fake covering cryptogram, or other methods in which the existence of the message is concealed from the enemy;

2. Privacy systems, such as speech inversion, in which special equipment is required to recover the message;

3. "True" secrecy systems, where the meaning of the message is concealed by cipher, code, etc., although its existence is not hidden, and the enemy is assumed to have any special equipment necessary to intercept and record the transmitted signal.

Shannon considered only the third type since concealment systems are primarily a psychological problem, and privacy systems a technological one. Swenson in [36] summarized Shannon’s proposal on criteria to determine what is a good cipher as follows:

1. The amount of security necessary should dictate how much effort we put into securing or encrypting our data. Basically, only data that must be encrypted should be encrypted.


2. The size of the ciphertext should be less than or equal to the size of the plaintext. From an information theory perspective, the plaintext contains some amount of information encoded into bits. If the ciphertext contains the same information, but more bits, theoretically there is more room there for one to derive the original information.

3. The cryptographic system should be simple. A lot of complexity makes lots of room for errors. Currently, AES is recognized as a model of simplicity, while being robust. Implementation must also be simple. If the algorithm itself is simple, but the implementation can only be programmed on an incredibly complex machine, then this can also be undesirable. Additionally, keys shouldn’t be unnecessarily complicated.

4. Errors should not propagate. A transmission error when sending an encrypted message, such as accidentally leaving out a bit or getting some part of the message wrong, should have as limited an impact as possible.

Swenson points out that this last principle is less relevant nowadays than it was in 1949, as communication methods have become more robust, and the use of error detection and correction has accelerated. Also, this principle is difficult and conflicts a bit with the concept of diffusion: if errors never propagate, then there isn’t enough entropy in the cipher, and this might lead to a line of attack.

1.3 Statistical methods

Shannon in [31] discusses statistical methods for breaking ciphers that can be solved by statistical analysis. The author proposes the following general statistical attack: A certain statistic is measured on the intercepted cryptogram E. This statistic is such that for all reasonable messages M it assumes about the same value, $S_K$, the value depending only on the particular key K that was used. The value thus obtained serves to limit the possible keys to those which would give values of S in the neighborhood of that observed. A statistic which does not depend on K or which varies as much with M as with K is not of value in limiting K.


The author states that there are good and poor statistics, just as there are good and poor methods of trial and error. Indeed, the trial and error testing of an hypothesis is a type of statistic. A good statistic for solving a system must have the following properties:

1. It must be simple to measure;

2. It must depend more on the key than on the message if it is meant to solve for the key. The variation with M should not mask its variation with K;

3. The values of the statistic that can be "resolved" in spite of the "fuzziness" produced by variation in M should divide the key space into a number of subsets of comparable probability, with the statistic specifying the one in which the correct key lies. The statistic should give us sizable information about the key, not a tiny fraction of a bit;

4. The information it gives must be simple and usable. Thus the subsets in which the statistic locates the key must be of a simple nature in the key space.
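Property 2 can be checked numerically. The Ruby code below is an added example, not part of the thesis: it assumes a simple shift cipher as the secrecy system and two constructed messages, and tabulates two statistics of the cryptogram E to show which one varies with K and which varies only with M.

```ruby
# Added example: two statistics measured on a cryptogram E = shift(M, K).
# The shift cipher, the messages and the keys are constructed for illustration.
ALPHABET = ("a".."z").to_a

# E = T_K(M): every letter is moved K places; anything that is not a letter is dropped.
def shift_encrypt(message, k)
  message.downcase.scan(/[a-z]/).map { |ch| ALPHABET[(ch.ord - 97 + k) % 26] }.join
end

def letter_counts(text)
  text.each_char.each_with_object(Hash.new(0)) { |ch, h| h[ch] += 1 }
end

# Statistic 1: distance from 'e' to the most frequent cryptogram letter.
# For English-like messages it takes about the same value S_K whatever M is.
def modal_offset(cryptogram)
  top, _count = letter_counts(cryptogram).max_by { |_ch, n| n }
  (top.ord - "e".ord) % 26
end

# Statistic 2: number of coinciding letter pairs, the sum of n_i * (n_i - 1).
# A shift only relabels letters, so this value cannot depend on K.
def coincidences(cryptogram)
  letter_counts(cryptogram).values.sum { |n| n * (n - 1) }
end

# Tabulate a statistic over every (message, key) pair and report whether it
# moves with K (along a row) and whether it moves with M (along a column).
def dependence(stat, messages, keys)
  table = messages.map { |m| keys.map { |k| stat.call(shift_encrypt(m, k)) } }
  {
    varies_with_k: table.any? { |row| row.uniq.size > 1 },
    varies_with_m: table.transpose.any? { |col| col.uniq.size > 1 }
  }
end

MESSAGES = [
  "meet me here where we never see the enemy",
  "the secret letter never left the green tent"
].freeze
KEYS = [3, 11, 20].freeze

if __FILE__ == $PROGRAM_NAME
  puts "modal_offset: #{dependence(method(:modal_offset), MESSAGES, KEYS)}"
  puts "coincidences: #{dependence(method(:coincidences), MESSAGES, KEYS)}"
end
```

The first statistic is the useful kind in Shannon's sense because it narrows K regardless of M; the second describes the message and leaves every key equally likely.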

It is in this context of statistical methods that the author introduces two methods for frustrating a statistical analysis. They are methods of diffusion and confusion.

In the method of diffusion the statistical structure of M which leads to its redundancy is "dissipated" into long range statistics. As a result, the enemy must intercept a tremendous amount of material to tie down this structure, since the structure is evident only in blocks of very small individual probability. Furthermore, even when the enemy has sufficient material, the analytical work required is much greater since the redundancy has been diffused over a large number of individual statistics.

The method of confusion is to make the relation between the simple statistics of E and the simple description of K a very complex and involved one. The conclusion is that for a good ciphering system steps should be taken either to diffuse or confuse the redundancy (or both).


1.4 Homomorphism

The concepts of congruence, quotient algebra, and homomorphism are all closely related [7]. Normal subgroups, which were introduced by Galois at the beginning of the 19th century, play a fundamental role in defining quotient groups and in the so-called homomorphism and isomorphism theorems which are so basic to the general development of group theory. Ideals, introduced in the second half of the 19th century by Dedekind, play an analogous role in defining quotient rings, and in the corresponding homomorphism and isomorphism theorems in ring theory. Homomorphisms are a natural generalization of the concept of isomorphism and congruences, and are defined as follows: Suppose A and B are two algebras of the same type $\mathcal{F}$. A mapping $\alpha: A \to B$ is called a homomorphism from A to B if

$$\alpha f^{A}(a_1,\dots,a_n) = f^{B}(\alpha a_1,\dots,\alpha a_n) \tag{1.1}$$

for each n-ary $f$ in $\mathcal{F}$ and each sequence $a_1,\dots,a_n$ from A. If, in addition, the mapping $\alpha$ is onto then B is said to be a homomorphic image of A, and $\alpha$ is called an epimorphism, where in this terminology an isomorphism is a homomorphism which is one-to-one and onto. If A = B a homomorphism is also called an endomorphism and an isomorphism is referred to as an automorphism. In order to express that $\alpha$ is a homomorphism from A to B it is said that $\alpha: A \to B$ is a homomorphism. As special cases of homomorphisms defined above we have lattices, group, ring, module and monoid homomorphisms [6].

In Group Theory, a homomorphism $\theta: G \to H$ from a group G to a group H is a map which preserves structure in the same sense that an isomorphism does, without insisting that $\theta$ must be a bijection. Therefore, an isomorphism is a special kind of homomorphism and the theorems proved true about homomorphisms will be also true of isomorphisms [34].

While studying higher algebra, more specifically Rings and Fields, the homomorphic property is introduced as follows: Let R, S be two rings. Let f be a function from R to S. Thus R is the domain of f, and S is the range of f: for each r in R, $f(r)$ is an element of S, such that:

$$f: R \to S \tag{1.2}$$


R, S, as rings, have algebraic operations, such as $+$, $\cdot$, $-$. Then, $f: R \to S$ is called a ring homomorphism, or just homomorphism, if f satisfies the following properties:

$$f(r + r') = f(r) + f(r') \quad \text{for all } r, r' \text{ in } R \tag{1.3}$$

where the addition of $f(r)$ and $f(r')$ is the addition in S. And,

$$f(r \cdot r') = f(r) \cdot f(r') \quad \text{for all } r, r' \text{ in } R \tag{1.4}$$

where the multiplication on the right-hand side of the equation is in S.

$$f(1) = 1 \tag{1.5}$$

where the 1 in $f(1)$ is in R, and the 1 on the right hand side of the equation is in S. If f satisfies the conditions above, then the following will be also true:

$$f(0) = 0 \tag{1.6}$$

$$f(b) = f(0 + b) = f(0) + f(b) \tag{1.7}$$

$$0 = f(0) + 0 = f(0) \tag{1.8}$$

$$f(-r) = -f(r) \quad \text{for any } r \text{ in } R \tag{1.9}$$

Additionally, for all a, b in R, if $f(a) = f(b)$ then $a = b$ [7]. The properties above will be directly applied to the mathematical implementation of homomorphic encryption.

1.5 Homomorphic encryption

One of the main goals of encryption is to protect the confidentiality of the encrypted data. For that same reason, the nature of encryption is meant to obscure some features of the plaintext, which makes operating on the ciphertext a very difficult task, if not impossible [22]. Before homomorphic encryption, encryption itself faced some limitations such as, while encrypted, the data could only be stored or retrieved. Any other more complex operation would require the data to be decrypted before being processed [25]. As a response to this problem, homomorphic encryption is a resource that allows computation on encrypted data, by which it is possible to process encrypted data without affecting its confidentiality. This enables many useful tasks over data even if this data is sitting on untrusted environments [2].

In 1978, Ronald L. Rivest, Len Adleman and Michael L. Dertouzos wrote the first paper about homomorphism in encryption. They introduced the concept, allowed by some encryption functions, of performing a set of interesting operations on encrypted data without the need of decrypting any of the operands, which they referred to as "privacy homomorphisms", forming a subset of arbitrary encryption schemes, called "privacy transformations". The basic idea behind their approach consists of a mapping between two algebraic systems, one being the unencrypted data and its operations and the other being the encrypted data and its operations [25].
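A mapping between two algebraic systems of this kind can be seen in textbook (unpadded) RSA, where multiplying ciphertexts modulo n corresponds to multiplying plaintexts modulo n. The Ruby code below is an added example, not code from the thesis; the toy primes, helper names and sample plaintexts are constructed for illustration, and the failed addition shows why such a scheme is only partially homomorphic.

```ruby
# Added example: textbook (unpadded) RSA as a multiplicative privacy homomorphism.
# The primes, the exponent and the plaintexts are constructed toy values.

# Extended Euclid: returns [g, x, y] with a*x + b*y == g.
def egcd(a, b)
  return [a, 1, 0] if b.zero?

  g, x, y = egcd(b, a % b)
  [g, y, x - (a / b) * y]
end

def rsa_keygen(p, q, e)
  phi = (p - 1) * (q - 1)
  g, x, _y = egcd(e, phi)
  raise ArgumentError, "e must be coprime to phi(n)" unless g == 1

  { n: p * q, e: e, d: x % phi }
end

def encrypt(key, m)
  raise ArgumentError, "plaintext must be in 0...n" unless (0...key[:n]).cover?(m)

  m.pow(key[:e], key[:n])
end

def decrypt(key, c)
  c.pow(key[:d], key[:n])
end

# Ciphertext-side operation matching plaintext multiplication.
# It uses only the public modulus n, never the private exponent d.
def eval_product(n, ciphertexts)
  ciphertexts.reduce(1) { |acc, c| (acc * c) % n }
end

# Ciphertext-side addition, which does NOT match plaintext addition for RSA.
def eval_sum_attempt(n, ciphertexts)
  ciphertexts.sum % n
end

# Encrypt the operands, combine the ciphertexts without decrypting them,
# then decrypt only the combined result.
def privacy_homomorphism_demo(key, plaintexts)
  cts = plaintexts.map { |m| encrypt(key, m) }
  {
    product: decrypt(key, eval_product(key[:n], cts)),
    sum_attempt: decrypt(key, eval_sum_attempt(key[:n], cts))
  }
end

KEY = rsa_keygen(61, 53, 17)

if __FILE__ == $PROGRAM_NAME
  p KEY
  p privacy_homomorphism_demo(KEY, [7, 12])    # product decrypts to 7 * 12
  p privacy_homomorphism_demo(KEY, [100, 50])  # product is taken modulo n
end
```

Because anyone holding only n can transform ciphertexts this way, deployed RSA encryption uses padding such as OAEP, which deliberately removes the property.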

1.6 Fully homomorphic encryption

In 2009 Craig Gentry proposed the first fully homomorphic encryption scheme for solving the problem of computing arbitrary functions over encrypted data without the need of the encryption key. The author defines the essence of fully homomorphic encryption as follows: given ciphertexts that encrypt $\pi_1,\dots,\pi_t$, fully homomorphic encryption should allow anyone, and not just the key-holder, to output a ciphertext that encrypts $f(\pi_1,\dots,\pi_t)$, for any desired function f, as long as the function can be efficiently computed, while no information about $\pi_1,\dots,\pi_t$ or $f(\pi_1,\dots,\pi_t)$, or any intermediate plaintext values should leak. All the elements involved (inputs, outputs and intermediate values) are always encrypted [12]. Although the idea of homomorphism in encryption was introduced many years before his own proposal, Gentry highlighted that for some it is surprising that fully homomorphic encryption is possible even in principle. For more details see [12]. Gentry’s approach involves the use of a "bootstrappable" encryption, ideal lattices and circuits as a setup that allows operations on encrypted data.


1.7 Exterior product spaces and Geometric Algebra

Product spaces open a door to solve problems that are not tractable in the , which are one dimensional objects and members of the $\mathbb{R}^n$. It is possible to describe higher dimensional objects geometrically or with equations, however, it is not possible to manipulate them algebraically in $\mathbb{R}^n$, since they are not members of $\mathbb{R}^n$. Geometric Algebra $\mathbb{G}^n$ is an extension of the inner product space $\mathbb{R}^n$ such that the members of $\mathbb{G}^n$ represent geometric objects of all dimensions in $\mathbb{R}^n$, which are manipulated by the algebraic operations of $\mathbb{G}^n$ [21].

1.8 Enhanced Data-Centric Homomorphic Encryption

Enhanced Data-Centric Homomorphic Encryption (EDCHE) is the set of homomorphic applications based on Enhanced Data-Centric Encryption (EDCHE), a cryptographic suite powered by Geometric Algebra, invented by Dr. Carlos Paz de Araujo, Professor and Associate Dean at the University of Colorado Colorado Springs, in the Electrical Engineering department. Geometric Algebra (GA) is a vast area of Mathematics that has not been utilized before for encryption. This area encompasses Geometric Algebra, Conformal Geometric Algebra, Abstract Algebra, and Clifford Algebra, being referred here as just “Geometric Algebra”, which allows the organization and representation of data as special objects called multivectors. The data may be plaintext, cryptotext, and/or secret keys. Geometric Algebra defines a powerful set of operations that, when combined, creates a robust technique for encryption. Among many GA operations, EDCHE makes use of the geometric product and its inverse as the main elements for encryption and decryption using multivectors.

Modern encryption employs mathematical techniques that manipulate positive integers or binary bits. Asymmetric encryption such as RSA relies on number theoretic one-way functions that are predictably difficult to factor and can be made more difficult with an ever increasing size of the encryption keys. Symmetric encryption, such as AES, uses bit manipulations within registers to shuffle the cryptotext to increase “diffusion” as well as register based operations with a shared key to increase “confusion”.


With the arrival of the Internet and many forms of mobile devices, the volume of encrypted data is growing exponentially. Portable devices like “thumb drives,” “smart cards” and solid state disks (SSDs) contain both plain text and/or encrypted “passive” data storage. Passive data storage is found on the tiny devices for the Internet of Things (IoT) as well as the large memories in server farms.

When data leaves storage, when it is in motion, it is even more vulnerable to attack. Current encryption techniques have not evolved alongside network security infrastructure and they are not well suited for the sheer volume of data in motion. As we move towards “cloud computing,” as mobile devices move us towards “perimeterless” network security, the industry is moving away from trusting just the security of networks, servers or applications and focusing toward data-centric encryption. With data-centric encryption and authentication there are controls that are traveling with the data rather than just happening at the application layer or the final destination in a network.

However, the fluidity of this data in motion stalls with the computationally intensive mathematics that remain at the heart of current encryption infrastructures. Cyphers such as RSA and AES are little more than static “machinery” that bogs down communication efficiency. The actual problem is much bigger. How can robust security be provided when:

• End-point computational resources are limited (e.g., IoT);

• Encryption/decryption must be near-real time;

• Authentication of the sender and receiver must be continuously reasserted.

The subject invention is Enhanced Data-Centric Encryption, or EDCHE. Compared to incumbent encryption schemes, EDCHE is computationally simplistic while providing robust security over the span of the communication channel. EDCHE security is scalable from tiny embedded IoT devices to server farms. Beyond encryption, EDCHE is unique in its capability to provide message sequence indexing for multiple transmissions (live video) as well as “ghost transmission” of the most sensitive data. EDCHE functionality enables many cypher schemes that show speed and bandwidth advantages over current methods.

A key novelty of this invention is the use of Geometric Algebra, an area of Mathematics that has not been utilized before in encryption. This area of Mathematics encompasses Geometric Algebra, Conformal Geometric Algebra and Clifford Algebra (collectively herein, “Geometric Algebra”). Geometric Algebra allows for the organization and representation of data into the “payload” of a multivector where the data may be plaintext, cryptotext, or signatures for example. Geometric Algebra defines the operations, such as geometric product, inverses and identities, which are the enablers of this invention.

Multivectors are simply the additive combination (or a set) of a scalar, a vector, a bi-vector and so forth up to an n-dimension vector. However, the unit vectors follow the algebraic structure of quaternions and Grassmann Algebra. These two types of algebra allowed Clifford to invent the geometric product which we use as one of the “primitive” functions of EDCHE. An example of a two-dimension (2D) multivector that includes a scalar, a vector, and a bi-vector is:

$$\bar{A} = a_0 + a_1 e_1 + a_2 e_2 + a_{12} e_{12} \tag{1.10}$$

where the set $\{e_1, e_2\}$ are unit vectors that form the standard for an , $a_i, b_i$, for $i = 1, 2$ and $12$, are scalars, $e_{12}$ represents the area created by the basis vectors through the “exterior product” operation, and the of $e_{12}$ represents the orientation of the area. The operations of Geometric Algebra on multivectors are discussed more fully in Chapter 3.
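To make the multivector of equation (1.10) and the ring-homomorphism properties (1.3) to (1.5) concrete, the following Ruby class is an added example, not the thesis's Appendix B code. It implements the geometric product and inverse of the 2D algebra under the usual relations e1*e1 = e2*e2 = 1 and e1*e2 = -(e2*e1) = e12, and checks that the map X -> K X K^-1 preserves sums, products and the identity; that map and the names MV2 and conjugation_by are assumptions chosen for illustration, not the EDCHE primitive.

```ruby
# Added example: multivectors of the 2D geometric algebra with exact Rational
# coefficients. MV2 and conjugation_by are illustrative names, not thesis code.
class MV2
  attr_reader :c # coefficients [a0, a1, a2, a12] on the basis 1, e1, e2, e12

  def initialize(a0, a1, a2, a12)
    @c = [a0, a1, a2, a12].map { |x| Rational(x) }
  end

  def +(other)
    MV2.new(*c.zip(other.c).map { |x, y| x + y })
  end

  def -@
    MV2.new(*c.map { |x| -x })
  end

  # Geometric product from e1*e1 = e2*e2 = 1, e1*e2 = e12 = -(e2*e1), e12*e12 = -1.
  def *(other)
    a0, a1, a2, a12 = c
    b0, b1, b2, b12 = other.c
    MV2.new(
      a0 * b0 + a1 * b1 + a2 * b2 - a12 * b12,
      a0 * b1 + a1 * b0 - a2 * b12 + a12 * b2,
      a0 * b2 + a2 * b0 + a1 * b12 - a12 * b1,
      a0 * b12 + a12 * b0 + a1 * b2 - a2 * b1
    )
  end

  # Clifford conjugate: A * conj(A) is the scalar a0^2 - a1^2 - a2^2 + a12^2.
  def conj
    MV2.new(c[0], -c[1], -c[2], -c[3])
  end

  def norm
    (self * conj).c[0]
  end

  # Not every non-zero multivector is invertible: 1 + e1 has norm 0.
  def inverse
    n = norm
    raise ZeroDivisionError, "multivector has no inverse" if n.zero?

    MV2.new(*conj.c.map { |x| x / n })
  end

  def ==(other)
    other.is_a?(MV2) && c == other.c
  end
end

ONE  = MV2.new(1, 0, 0, 0)
ZERO = MV2.new(0, 0, 0, 0)

# f(X) = K X K^-1 for an invertible K (an assumed map, used only for the checks).
def conjugation_by(k)
  k_inv = k.inverse
  ->(x) { k * x * k_inv }
end

# Evaluate properties (1.3), (1.4), (1.5), (1.6) and (1.9) for f on samples a, b.
def ring_homomorphism_checks(f, a, b)
  {
    additive: f.(a + b) == f.(a) + f.(b),
    multiplicative: f.(a * b) == f.(a) * f.(b),
    unit: f.(ONE) == ONE,
    zero: f.(ZERO) == ZERO,
    negation: f.(-a) == -(f.(a))
  }
end

# Constructed sample values.
K = MV2.new(2, 1, 0, 1) # norm 4 - 1 - 0 + 1 = 4, so K is invertible
A = MV2.new(1, 2, 3, 4)
B = MV2.new(0, 1, -1, 2)

if __FILE__ == $PROGRAM_NAME
  p ring_homomorphism_checks(conjugation_by(K), A, B)
  p((A * B).c) # the geometric product is not commutative:
  p((B * A).c) # compare the two coefficient lists
end
```

The map used here is linear in X and serves only to exercise the properties; the encryption primitives themselves are the subject of Chapter 4.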

1.9 EDCHE Special Applications

The construction and use of new encryption primitives based on Geometric Algebra allows the examination of not only encryption/decryption schemes but also the implementation of routines for secure data exchange. These routines take advantage of the lightweight operations and also the structure of multivector objects to offer resources for specialized transmission techniques, hierarchy and identity and authentication.

1.9.1 Sending Without Sending

Sending Without Sending (SWS), which can also be considered a type of a “ghost” transmission, is a form of payload transmission that is enabled by a series of Geometric Algebra operations that prepare a payload with no trace of the original information. It is a way to send sensitive data without that data being represented in any manner within the payload of the transmitted message. The sensitive data may be organized using the entire multivector or just a section of it, and it is reconstructed using auxiliary information transmitted separately. The benefit of implementing a routine such as Sending Without Sending comes from the ability of creating a partition data set of encrypted data. In this setting, it is possible to establish multiple transmissions, each one with the same security properties discussed previously. However, the transmitted data doesn’t make any sense individually. In order to retrieve the correct information, the receiver should not only possess the proper secret key but also the complete set of transmitted data, which works as an instruction set for data retrieving. This application will be discussed in Section 4.9.

1.9.2 Hierarchy Identity-based Encryption

The concept of Identity-based encryption was proposed by Adi Shamir in 1984 [30] and it is a type of public key encryption. However, this work introduces a new identity-based encryption using symmetric encryption and hierarchy. The idea is to allow the communication between parties with different hierarchies and address the message to specific individuals. This application will be discussed in Section 4.10.

1.9.3 Continuous Authentication

The continuous authentication is the routine that allows two or more people to establish a “conversation ID”, which identifies a series of messages as part of a certain conversation. So one conversation has many messages. Starting with a Diffie-Hellman setup, the sender creates the ID of the conversation. Every message one party sends to the other will generate a signature specifically for that message, which is derived from her original one. The signature will identify the payload that is going to be transmitted. The first transmission is always the initial signature. By doing this, for every other transmission it will be possible to capture the order of the messages. Thus, the messages can be sent in any order, since the receiver is able to rearrange them in the correct order. This "shuffled exchange" can occur intentionally, in order to create one more layer of obfuscation in case of interception. This application will be discussed in Section 4.11.

1.10 My Contribution

There are currently many encryption solutions available. However, when it comes to homomorphic encryption and security for IoT, the options are just a few. Homomorphic encryption requires an encryption primitive that fully preserves the algebraic structures while mapping from the plaintext to the ciphertext. Security for IoT requires an encryption solution that is lightweight, of low power consumption and secure even if a not so large secret key is used. This work introduces a new symmetric encryption scheme that is fully homomorphic and suitable for low power devices, which can be leveraged in the IoT context. This work will discuss and detail new security applications that are enabled by Geometric Algebra applied to Cryptology.

1.10.1 Organization of thesis

The original work in this thesis is structured as follows:

Chapter 2: I present a critique on homomorphic encryption over ideals and integers based on an overview taking into consideration fundamental limitations of Gentry’s FHE scheme.

Chapter 3: I introduce the knowledge foundation on Product Spaces and Geometric Algebra as the least one should know to implement any of the EDCHE cryptographic solutions.

Chapter 4: I introduce a model for encrypting data using multivector objects using Geometric Algebra as a mathematical language and EDCHE as a framework for developing encryption primitives and many other cryptographic resources.

Chapter 5: Based on the application of data as multivector objects for encrypting data using Geometric Algebra operations presented in Chapter 4, I introduce the mathematical foundation of a new homomorphic encryption scheme that is mathematically robust, secure, computationally tractable, and adaptable to changes, in a way that it can be used as a standalone solution or as an additional component of other solutions.

Chapter 6: Taking into consideration the new homomorphic encryption approach with multivectors and Geometric Algebra operations discussed in Chapter 4 and Chapter 5, the main EDCHE applications combining fully homomorphic properties will be detailed. I show that the EDCHE scheme is fully homomorphic through a series of mathematical explanations and examples. With EDCHE it is possible to develop practical and secure solutions such as massive data encryption and real-time video encryption.

Chapter 7: I show the mathematical model of operations in AES in comparison with the operations in EDCHE.

Chapter 8: I present conclusions and future avenues of research.

CHAPTER 2

FHE Using Ideal Lattices

2.1 Introduction

Fully homomorphic encryption has been considered the holy grail of cryptography with the potential of solving many problems in the IT world with regards to security and trust. The purpose of homomorphic encryption is to allow computation on encrypted data, which remains confidential while processed, enabling many useful tasks to be performed even with data residing in untrusted environments. Finding a general method for computing on encrypted data had been a goal in cryptography since it was proposed by Rivest, Adleman and Dertouzos in 1978 [2]. The purpose of this Section is to briefly discuss the general idea of the fully homomorphic encryption solution proposed by Craig Gentry [12]. The author describes his proposed scheme in [13] as a scheme that allows one to evaluate circuits over encrypted data without the need to decrypt. Gentry was the first to propose a fully homomorphic encryption scheme in order to solve a central open problem in cryptography. Among the possible applications of his FHE scheme, the author highlights the possibility of enabling private queries to a search engine, searching on encrypted data and improving the efficiency of secure multiparty computation on encrypted data. From a somewhat homomorphic "bootstrappable" encryption, Gentry shows how to evolve to a fully homomorphic encryption scheme via ideal lattices [12].

It is important to notice that this chapter is not a survey on existing fully homomorphic encryption schemes nor an exhaustive coverage of the scheme proposed by Gentry. Instead, this is an overview of the key points introduced by Gentry and a brief discussion about his scheme’s limitations.

One important question that could be asked about this chapter is why to discuss key aspects of Gentry’s scheme, an asymmetric FHE, while introducing a new symmetric FHE? The first part of the answer relates to the fact that Gentry’s scheme is the first fully homomorphic encryption proposed. After publication in 2009, many other schemes were developed as variations on Gentry’s scheme. The second part of the answer will be detailed in the next topics while discussing two very important concepts: 1) Intrinsic homomorphism and 2) Extrinsic homomorphism. The goal of this chapter is to highlight the main conceptual differences between Gentry’s scheme and the new scheme that is introduced in this work.

2.2 Fully Homomorphic Encryption

There are many formal definitions, notations and further representations about what is fully homomorphic encryption. However, one of the most important concepts is that FHE allows arbitrary computations on encrypted data. By computation on encrypted data it is implied that if one has a function $f$ (here representing any kind of arbitrary operation) and wants to obtain the result of $f(m_1, \ldots, m_n)$ for some inputs $m_1, \ldots, m_n$, it will be possible to compute on the encrypted version of these inputs, $c_1, \ldots, c_n$, obtaining a result which will decrypt to $f(m_1, \ldots, m_n)$. A fully homomorphic encryption could be expressed as extending the function $f$ to be any function [2].

2.3 Gentry’s Fully Homomorphic Encryption

Craig Gentry, research scientist at IBM, defines Fully Homomorphic Encryption as a special type of encryption scheme that allows anyone that might not even have the secret key to perform useful operations on the encrypted data while it remains encrypted without the decryption key. He proposes a physical analogy for this phenomenon and he calls it the "Alice’s Jewelry Store", where Alice owns a jewelry store where her workers turn raw materials such as gold, diamonds and silver into finished products like rings and necklaces. However, since she does not trust her workers, they should be able to perform this task using glove boxes with locks so she can put the raw materials inside, then locking the box with a key that only she possesses. The workers, without the key, put their hands inside the gloves to manipulate the raw materials in order to create the rings and necklaces. When Alice unlocks the boxes, she will be able to obtain the finished piece. This is his goal with his FHE solution. In terms of encryption, one might want to put some encrypted files on the cloud and still be able to operate meaningful tasks with them without revealing anything to the cloud [1].

Craig Gentry showed that his fully homomorphic encryption scheme could work in principle [2]. His solution is structured in three main steps. The first step consists of providing a general result in which it will be possible to evaluate arbitrary circuits (thus the need to build an encryption scheme that is able to evaluate its own decryption circuit). The scheme that can evaluate its decryption circuit is called a bootstrappable scheme. The second step is describing a public key encryption that makes use of ideal lattices and is bootstrappable in some manner. Gentry points out that lattice-based cryptosystems usually have decryption algorithms with low circuit complexity, which are often dominated by an inner product computation. Another reason to use ideal lattices is that they provide additive and multiplicative homomorphisms, which are needed to evaluate general circuits. The third and last step consists of modifying the decryption circuit in order to obtain a bootstrappable encryption scheme without affecting its ability to evaluate [13].

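The components of Gentry’s solution involve a scheme $\varepsilon$, an algorithm $\text{Evaluate}_\varepsilon$, a public key $pk$, any circuit $C$, any ciphertexts $\psi_i \leftarrow \text{Encrypt}_\varepsilon(pk, \pi_i)$, outputs $\psi \leftarrow \text{Evaluate}_\varepsilon(pk, C, \psi_1, \ldots, \psi_t)$, a valid encryption of $C(\pi_1, \ldots, \pi_t)$. More specifically the fully homomorphic encryption $\varepsilon$ requires the algorithms $\text{KeyGen}_\varepsilon$, $\text{Encrypt}_\varepsilon$, $\text{Decrypt}_\varepsilon$, and $\text{Evaluate}_\varepsilon$, the public key $pk$, a circuit $C$ from a permitted set $\mathcal{C}_\varepsilon$ of circuits, and a tuple of ciphertexts $\Psi = \langle \psi_1, \ldots, \psi_t \rangle$, and outputs a ciphertext $\psi$ [12].

Gentry makes use of the following definitions: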

DEFINITION 1 (Homomorphic Encryption). $\varepsilon$ is homomorphic for circuits in $\mathcal{C}_\varepsilon$ if $\varepsilon$ is correct for $\mathcal{C}_\varepsilon$ and $\text{Decrypt}_\varepsilon$ can be expressed as a circuit $D_\varepsilon$ of size $\text{poly}(\lambda)$.

DEFINITION 2 (Fully Homomorphic Encryption). $\varepsilon$ is fully homomorphic if it is homomorphic for all circuits.

DEFINITION 3 (Leveled Fully Homomorphic Encryption). A family of schemes $\{\varepsilon^{(d)} : d \in \mathbb{Z}^+\}$ is leveled fully homomorphic encryption if they all use the same decryption circuit, $\varepsilon^{(d)}$ is homomorphic for all circuits of depth at most $d$ (that use some specified gates $\Gamma$), and the computational complexity of the $\varepsilon^{(d)}$’s algorithm is polynomial in $\lambda$, $d$, and (in the case of $\text{Evaluate}_{\varepsilon^{(d)}}$) the size of $C$.

This work does not intend to show Gentry’s work in detail. There is a significant load of mathematical and algorithmic information to be discussed. This is surely outside of the scope of this research for many reasons. To cite a few, Gentry’s scheme is an asymmetric encryption scheme, while this work introduces a new symmetric FHE scheme. Additionally, the mathematics of the underlying encryption primitive used by Gentry is not fully homomorphic. The homomorphism proposed by Gentry is the result of his algorithm that organizes and manipulates circuits on top of encrypted data in order to allow computation. Another reason is, if thought of as a product, Gentry’s FHE is currently outside of the set of "real world" solutions, and as a currently impracticable solution, to contrast, it is only necessary to show a practical, purely and mathematically fully homomorphic scheme that is circumstantially symmetric (a property referred to here as extrinsically symmetric) with the ability of being asymmetric, given a different type of use of the elements in the Geometric Algebra language.

2.4 Limitations of Gentry’s scheme

Although Gentry’s work is under constant evolution and different approaches were already introduced by him as advancements of this initial idea, as we can see in [4], in this work we will discuss the aspects of his original FHE solution, as a way of focusing on the mathematical choices he made in order to build his scheme. Although feasible in theory, Gentry’s solution adds immense computational requirements to tasks that would be simple with equivalent unencrypted data. Considering his original scheme, and as a matter of keeping things in perspective, a Google search would take about a trillion times longer using his process. Gentry himself estimated that it would be a decade or more before the scheme became practically usable. As mentioned previously, his scheme has been slowly improved and with these improvements Gentry stated recently that his fully homomorphic encryption would multiply the computing time necessary for a function by anything around a million, which is about half as many zeroes as a few years ago [15].


In face of such limitations, some researchers are investing in speeding up homomorphic encryption solutions, such as Gentry’s, by investing in both conventional computer engineering and solutions such as artificial intelligence. It is known that IBM has improved the speed of Gentry’s scheme by making calculations on a 16-core server over two million times faster than past systems. In a new paper, Microsoft announced a huge leap forward in speed by applying the encryption system to deep learning neural networks. The principal research manager at Microsoft, Professor Kristin Lauter, stated that there is a team developing artificial intelligence CryptoNets which would be able to process encrypted data without having to decrypt the information. Using this type of solution falls into the need to know in advance the complexity of the math that is to be applied to the data. And this is so it will be possible to structure a neural network appropriately and keep data loads under a certain size, so a computer can process it [37].

Although Gentry, other researchers and even companies recognize current limitations of the first FHE scheme proposed, they all believe that with the proper investment in infrastructure, combined with improvements in the scheme and the additional use of specialized technologies, such as artificial intelligence, the impracticability of Gentry’s scheme will be overcome in the future and his scheme will be available for many applications. Bruce Schneier wrote an article [28] detailing why he does not believe Gentry’s scheme will be practical anytime soon:

"Gentry’s scheme is completely impractical. It uses something called an ideal lattice as the basis for the encryption scheme, and both the size of the ciphertext and the complexity of the encryption and decryption operations grow enormously with the number of operations you need to perform on the ciphertext -- and that number needs to be fixed in advance. And converting a computer program, even a simple one, into a Boolean circuit requires an enormous number of operations. These aren’t impracticalities that can be solved with some clever optimization techniques and a few turns of Moore’s Law; this is an inherent limitation in the algorithm. In one article, Gentry estimates that performing a Google search with encrypted keywords -- a perfectly reasonable simple application of this algorithm -- would increase the amount of computing time by about a trillion. Moore’s law calculates that it would be 40 years before that homomorphic search would be as efficient as a search today, and I think he’s being optimistic with even this most simple of examples."

Although it is expected that each new scientific proposal (this present work very much included) will pass through the filters of discredit, disbelief, skepticism, not always motivated by scientific reasons, Gentry’s scheme is apparently endowed with limitations that cannot be properly solved in a timely manner.

2.5 Intrinsic and Extrinsic Homomorphism

In the overview of Gentry’s scheme we see that, in order to be homomorphic, the use of circuits on top of the encryption scheme is required, in order for the encrypted data to be evaluated. This clearly shows that the encryption scheme and its algebraic structure, mathematically speaking, are not endowed with full homomorphism, thus requiring special or artificial structures and algorithms that can mimic this property in a secondary way, which we call an "extrinsic homomorphism". We call any homomorphic encryption scheme that falls into this category an extrinsically homomorphic encryption scheme. At the same time, the encryption scheme is intrinsically asymmetric, meaning that the mathematical properties and algorithmic construction are solely asymmetric.

Algebraic structures such as and its sub algebra such as Geometric Algebra are already endowed with two types of Homomorphisms: 1. Vector addition and 2. . This "intrinsic homomorphism" is the basis of the fully homomorphic encryption solutions we propose in this work. At the same time, the mathematics that empowers the solution is extrinsically symmetric. This means that, as a recipe, we have a symmetric encryption scheme; however, as for the mathematics of the scheme, it does not really matter if the solution is symmetric or asymmetric since the mathematics applied is the very same for either scheme, varying solely in the recipe of the algorithm.

In the definition of "edge algebra", defined by $\left|\bar{A} \wedge \bar{B}\right|$, we developed another type of algebra that is commutative from the non-commutative wedge product. To prove that this extends to vector multiplication as well as addition and scalar multiplication we show the action of these properties by examples and consider the definition axiomatic as it is beyond this thesis to show a deeper proof. The details of the intrinsic homomorphism and the "edge product" will be discussed in greater detail in future chapters.

2.6 Conclusion

Fully Homomorphic Encryption is indeed a useful and greatly desired property for encryption schemes since it allows a series of new operations on encrypted data, which would otherwise only be possible after decryption. It is not a new concept. It was first mentioned in 1979 by Rivest et al in [25]. With a practical FHE scheme available, it would be possible to conciliate meaning and security on encrypted data. Gentry’s solution is the first fully homomorphic encryption proposed [12]. It is based on a concept of creating binary circuits on top of encrypted data so basic mathematical operations can be performed, which would allow any type of computation on the encrypted data. His contribution inspired many others either to improve his scheme or introduce completely new solutions. He presented a theoretical way to solve one big problem in encryption and his scheme is constantly evolving. A practical application can be expected in the future, according to Gentry. However, his scheme is currently impractical, leaving a gap in the market when it comes to solutions that are ready to be implemented and tested. Additionally, Gentry’s scheme is extrinsically homomorphic while being intrinsically asymmetric. This discussion is introduced in this work in order to highlight additional issues and limitations of Gentry’s and other researchers’ work. A solution for the present moment, intrinsically homomorphic and extrinsically asymmetric/symmetric, rises as necessary, as the mathematical foundation to produce many fully homomorphic encryption applications. This work aims to introduce and detail the fundamentals of EDCHE as a practical and secure solution for FHE.

CHAPTER 3

Product spaces and Geometric Algebra

3.1 Introduction

The approach for encryption introduced in this work is based on "Product Spaces", which gives us a set of powerful abstract operations, a new object called multivector and its inverse. By doing so, we obtain homomorphism immediately via linear algebra, though not merely the trivial homomorphism of simple vectors. Operators within the Clifford Algebra such as the wedge and other types of "generalized inverses" that zero out "Blades" are used to completely blank out information so that it can never be easily accessible to any unintended receiver or interceptor. This new concept offers a much larger set of solutions and opportunities than any other current encryption implementation, which will be discussed in detail in future chapters.

The exploration of product spaces and many powerful operations provided by specialized abstract algebras have initiated the full discovery of many encryption primitives. This higher level extended Hilbert space is full of "hiding" operations that are de facto primitives. Instead of operating at the binary level, or integers, this work is focused on the Product Spaces and Clifford Algebra-type operations, in which the product space is a subset of a Hilbert Space. Due to the automatic Homomorphic capability that is endowed in a Hilbert Space, the ability to do these operations instantaneously became very simple. At the same time, the encryption primitive of such a scheme had to really be "discovered" in order for the Homomorphic Encryption apparatus not to be trivial and easily hacked. Product spaces are similar to Quantum Spaces in which there are $2^n$ vector states where $n$ is the dimension.

Hilbert Spaces are inherently linear, which is not a celebrated characteristic of encryption schemes, due to the allowance to attacks. However, the specific mathematics detailed in this work is different. It uses a variant of Clifford Algebra which, although defined over a product space, is in one form (when defined over the Complex ) a Hilbert Space; as an algebra, much can be done to avoid linear paths in the crypto payload. Using vector spaces, we are automatically endowed with a Homomorphism for addition and scalar multiplication, but that would be in terms of encryption a trivial Homomorphic Encryption scheme. However, with the richness of Clifford Algebra, sub-algebras and the combination of arithmetic functions and multivector based of elementary functions and arithmetic functions, things become really different. By working with Product Spaces and Clifford Algebra, it is possible to create different primitives that are multivector based and inject arithmetic functions like Euler’s Totient, as a single example. In summary, this new methodology is intended to be smooth, which approximates it to a type of "language" that allows one to write ciphers that incorporate block ciphers, asymmetric and secret sharing schemes in a formal singular framework that yields not only new primitives but also known primitives in multivector representations. This then allows homomorphism at a higher level and non-linearity at the content level.

In this Chapter we will discuss the basis of the exterior algebra provided by product spaces combined with Geometric Algebra in order to explore multivector objects and geometric operations on them as part of a mathematical framework that will allow the construction of encryption solutions, this last one being discussed in future Chapters.

3.2 Exterior Algebra and Product Spaces

The concept of product spaces to be explored, introduced by the author in [?] comes from the Exterior Algebra of a linear space $V_n$, where $n$ is the dimension of the linear space. The idea of "exterior" is that the vectors in $V_n$ will be used to construct objects called exterior products which do not belong to the space $V_n$. They are exterior to the space $V_n$. The exterior algebra itself is constructed from any linear space $V_n$ and it is defined as a $2^n$ dimensional linear space denoted by $\wedge V_n$ (a capital wedge action on $V_n$) [8].

The $\wedge V_n$ is called the exterior product space of $V_n$ and the object $\wedge V_n$ is also a linear space and $V_n$ is an $n$-dimensional linear space. The exterior algebra allows us a way of multiplying vectors with other vectors, while regular linear spaces have addition of vectors but it is not possible to multiply them together.

The exterior algebra of $\wedge V_n$ is given by the combination of the linear space $\wedge V_n$ and the wedge product $A \wedge B$ where $A$ and $B$ are vectors in the exterior product space. The wedge product of vectors in the exterior algebra is closed within the linear space $\wedge V_n$. Some authors call this algebra the "Multi-Vector Algebra".

Another property of the exterior product space $\wedge V_n$ is that it consists of $n + 1$ subspaces $\wedge^p V_n$, which are linear spaces and each one has dimension of the binomial coefficient

$$\binom{n}{p} = \frac{n!}{p!\,(n-p)!} \;\Big|\; p = \{0, 1, \ldots, n\}.$$

The vectors in $\wedge^p V_n$ are called $p$-vectors. $\wedge^p V_n$ is called the "$p$-th" exterior power space of the linear space $V_n$. One simple way of viewing the wedge product is as the anti-symmetric product of vectors $A, B \in V_n$ as

$$A \wedge B = A \otimes B - B \otimes A$$

Instead of following the approach of tensor algebra, we will define the product $A \wedge B$ by a set of abstract algebraic rules that not only simplifies the process but also makes it self-contained. Recall that a set is a collection of elements that are definite and separate objects [32]. The basis vectors $\{\bar{e}_k\}_n$ of $V_n$ (a set of $n$ vectors labeled as $\bar{e}_k$) are used to construct basis vectors of $\wedge^p V_n$ (an exterior power space) of $V_n$. The basis vectors for the $p$-th exterior power space are obtained by taking wedge products of elements of the basis of $V_n$.

So the wedge product between vectors in $V_n$ (an $n$-dimensional linear space) is written as

$$\bar{w} = A \wedge B \quad \text{with } A, B \in V_n \text{ and } \bar{w} \notin V_n$$

The wedge product $\bar{w}$ is going to give us a vector in some other space, which means the wedge product is not an element of $V_n$.

The wedge product $A \wedge B$, for $A, B \in V_n$ and $\alpha, \beta \in \mathbb{R}$ [19], can be expressed using the following abstract definition:

1. Left associative: $(\alpha A + B) \wedge C = \alpha (A \wedge C) + B \wedge C$

2. Right associative: $A \wedge (\beta B + C) = \beta A \wedge B + A \wedge C$

3. Null product: $A \wedge A = \bar{0}$, the zero vector of $\wedge^2 V_n$

The zero vector is obtained when the wedge product of a vector with itself is calculated. This is the zero vector in the second exterior power space of $V_n$. By applying the rules 1, 2 and 3, the following is true:

$$(A + B) \wedge (A + B) = A \wedge A + A \wedge B + B \wedge A + B \wedge B$$

and, using the left and right distributive rules 1 and 2 together with the null product rule 3, $A \wedge A$ and $B \wedge B$ vanish (as does the left-hand side), therefore

$$\bar{0} = A \wedge B + B \wedge A$$

and all the elements in this equation are elements of the second exterior power space of $V_n$, or just $\wedge^2 V_n$.

The wedge product is anti-commutative, meaning $A \wedge B = -B \wedge A$, and it is right and left associative, therefore compound products can be written as

$$\bar{w} = A \wedge B \wedge C \wedge \ldots \wedge Z$$

without the need of parentheses. Commutation of adjacent vectors in the product changes the sign of $\bar{w}$. From the rules of the wedge product the following lemma is obtained: Any rearrangement of a non-vanishing compound product is linearly dependent on the original product vector. In other words, if a compound product gives us a vector $\bar{w}$, rearranging it will change the sign of $\bar{w}$. Although a simple concept, it is very handy because it suffices to describe the action of $\wedge$ on a set of basis vectors $\{\bar{e}_k\}_n$ of $V_n$, where $k$ is an element of the index set, denoted by

$$I_n = \{1, 2, 3, \ldots, n\}$$


The sequence (directed set) $\bar{I}_n = [1, 2, \ldots, n]$ provides a natural ordering of $\bar{e}_k$ as a basis sequence $[\bar{e}_1, \bar{e}_2, \ldots, \bar{e}_n]$. Because we have the directed set $\bar{I}_n$ of the basis vector $\bar{e}_k$, any subset of $\{\bar{e}_k\}_n$ can also be ordered by $\bar{I}_n$, meaning that if there is a subset of the basis set, then its elements can be lined up in order so that the subset can be converted into an ordered sequence of basis vectors. So we can construct the products of any subset of basis vectors $\wedge\{\bar{e}_\alpha, \bar{e}_\beta, \ldots, \bar{e}_\gamma\}$ as $\bar{w}_p = \bar{e}_\alpha, \bar{e}_\beta, \ldots, \bar{e}_\gamma$, where $\alpha < \beta < \ldots < \gamma$.

Lemma: A compound wedge product of any non-empty subset of basis vectors of $V_n$ is non-vanishing. If we take elements of a subset, each of the elements is distinct, hence all the sub products of pairs of vectors $(\bar{e}_i \wedge \bar{e}_j)$ do not vanish.

3.2.0.1 Fiber bundle

The discrete collection of vectors in a basis $B = \{\bar{e}_k\}_n$ of $V_n$ can be associated with an instance of the real numbers to construct the space $B \times \mathbb{R}$ and a projection map $\pi$ that associates elements of $\mathbb{R}$ with elements of $B$. The set $B \times \mathbb{R}$ together with the map $\pi$ is a fiber bundle over $B$.

3.3 Geometric Algebra

Geometric Algebra was pioneered by the American physicist David Hestenes in the early 1960’s. GA and its extension to unify, simplify, and generalize vast areas of mathematics involving geometric ideas, including vector algebra, , exterior (Grassmann) algebra, tensor algebra, quaternions, real analysis, complex analysis, and euclidean, non-euclidean and projective . More than just mathematical operations, GA provides a common mathematical language for many areas of physics (classical and quantum mechanics, electrodynamics, relativity), computer science (graphics, robotics, computer vision), engineering, and other fields [21]. GA can be understood not only as a language but also as a framework where lines, areas, volumes and hyper-volumes are recognized as structures with magnitude and orientation. In terms of representation of its objects, oriented lines are represented by vectors, oriented areas by and oriented volumes by trivectors, and so on, since it is possible to work in higher dimensions. The most fundamental operation in GA is the geometric product, which is the sum of the inner product (or ) and the (or wedge product) [39]. GA involves specialized operations on multivectors in $n$ dimensions. This proposal is focused on the application of GA to the field of encryption, enabling not only secure encryption primitives but also fully homomorphic encryption.

Geometric Algebra, also known as Clifford Algebra or Abstract Algebra, was developed by William K. Clifford around 1878. It combines the work of Hamilton (Quaternion) and Grassmann (Non-Commutative Exterior Algebra) into a field that generalizes the product of two vectors, including the 3-dimensionally restricted “” to an $n$-dimensional subspace of the vector space ($V$) over number fields ($\mathbb{R}$, $\mathbb{Z}$, $\mathbb{C}$, etc.) such that the subspace is a product space that allows two vectors¹ $\mathbf{a}$ and $\mathbf{b}$ to have a “geometric product” as:

$$\mathbf{ab} = \mathbf{a} \cdot \mathbf{b} + \mathbf{a} \wedge \mathbf{b}, \tag{3.1}$$

where the operation $\mathbf{a} \wedge \mathbf{b}$ is known as a “wedge product” or “exterior product”, and the operation $\mathbf{a} \cdot \mathbf{b}$ is the “dot product”, “interior product”, or “inner product”.

Consider $\mathbf{a}$ and $\mathbf{b}$ a simple pair of two-dimensional vectors such that:

$$\mathbf{a} = a_1 e_1 + a_2 e_2$$

$$\mathbf{b} = b_1 e_1 + b_2 e_2.$$

The geometric product in Eq. 3.1 follows the rules of Geometric Algebra, as described below:

$$e_i \wedge e_i = 0 \tag{3.2}$$
$$e_j \wedge e_i = -e_i \wedge e_j \tag{3.3}$$
$$e_i \wedge e_j = e_{ij} \quad \text{(compact notation)} \tag{3.4}$$
$$e_i \cdot e_i = 1 \tag{3.5}$$
$$e_i \cdot e_j = 0. \tag{3.6}$$

¹ In this document we refer to Euclidean vectors, or simply vectors, with a lowercase bold letter. Multivectors are defined by a bold uppercase letter with a bar on the top. Scalars as vector or multivector coefficients are defined by a regular lowercase letter. When used for scalar multiplications, scalars will be represented by a regular lowercase Greek letter.


Thus, by performing the geometric product between $\mathbf{a}$ and $\mathbf{b}$ we have

$$
\begin{aligned}
\mathbf{ab} ={}& \underbrace{\Big[ (a_1 b_1)\,\overbrace{e_1 \cdot e_1}^{1} + (a_1 b_2)\,\overbrace{e_1 \cdot e_2}^{0} + (a_2 b_1)\,\overbrace{e_2 \cdot e_1}^{0} + (a_2 b_2)\,\overbrace{e_2 \cdot e_2}^{1} \Big]}_{\text{dot product}} \\
&+ \underbrace{\Big[ (a_1 b_1)\,\overbrace{e_1 \wedge e_1}^{0} + (a_1 b_2)\,\overbrace{e_1 \wedge e_2}^{e_{12}} + (a_2 b_1)\,\overbrace{e_2 \wedge e_1}^{-e_{12}} + (a_2 b_2)\,\overbrace{e_2 \wedge e_2}^{0} \Big]}_{\text{wedge product}},
\end{aligned}
\tag{3.7}
$$

resulting in

$$\mathbf{ab} = (a_1 b_1 + a_2 b_2) + (a_1 b_2 - a_2 b_1)\, e_{12}. \tag{3.8}$$

The product $\mathbf{ab}$ produces a scalar and an object $e_1 \wedge e_2$ which in compact notation is written as $e_{12}$ and represents an area created by clockwise or in anti-clockwise. The orientation is given by the sign of the term in front of the component.

As an example, let $\mathbf{a} = -2e_1 + 4e_2$ and $\mathbf{b} = 3e_1 + 5e_2$. Using the rules of GA listed in Eqs. (3.2)–(3.6) we can compute the geometric product between $\mathbf{a}$ and $\mathbf{b}$ as

$$
\begin{aligned}
\mathbf{ab} &= (-2 \times 3 + 4 \times 5) + (-2 \times 5 - 4 \times 3)\, e_{12} \\
&= (-6 + 20) + (-10 - 12)\, e_{12} \\
\mathbf{ab} &= 14 - 22\, e_{12}.
\end{aligned}
$$

Another way of computing the geometric product between multivectors combines the rules of the dot and the wedge products shown above, where we define the following rules when expanding a general geometric product:

$$e_i e_i = 1 \tag{3.9}$$

$$e_j e_i = -e_i e_j \tag{3.10}$$

$$e_i e_j = e_{12} \quad \text{(compact notation)} \tag{3.11}$$

This method is used for computer coding in order to speed up the computation of the geometric product. Using the same pair of vectors of the previous numerical example, together with the rules above, the geometric product between a and b is calculated as

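$$
\begin{aligned}
\mathbf{ab} &= (-2 \times 3)\,\overbrace{e_1 e_1}^{1} + (-2 \times 5)\,\overbrace{e_1 e_2}^{e_{12}} + (4 \times 3)\,\overbrace{e_2 e_1}^{-e_{12}} + (4 \times 5)\,\overbrace{e_2 e_2}^{1} \\
&= -6 - 10\, e_{12} - 12\, e_{12} + 20 \\
\mathbf{ab} &= 14 - 22\, e_{12}.
\end{aligned}
$$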
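The expansion rules of Eqs. 3.9–3.11 and the wedge rules of Section 3.2, as an added Python example that is not code from the thesis. It goes beyond the two-dimensional case by encoding each basis blade as a bitmask so the same routine works for any $n$; the bitmask encoding and all function names are assumptions of this example.

```python
# Added illustration, not code from the thesis. A basis blade is a bitmask
# (bit i set means e_(i+1) is a factor); a multivector is {bitmask: coefficient}.


def reorder_sign(a, b):
    """Sign from sorting the factors of blade a followed by blade b into
    ascending order, one swap per e_j e_i = -e_i e_j (Eq. 3.10)."""
    swaps = 0
    a >>= 1
    while a:
        swaps += bin(a & b).count("1")
        a >>= 1
    return -1 if swaps % 2 else 1


def product(A, B, exterior=False):
    """Geometric product of two multivectors, or wedge product if exterior."""
    out = {}
    for blade_a, coeff_a in A.items():
        for blade_b, coeff_b in B.items():
            if exterior and blade_a & blade_b:
                continue  # a repeated basis vector wedges to zero (Eq. 3.2)
            blade = blade_a ^ blade_b  # repeated factors contract: e_i e_i = 1
            term = reorder_sign(blade_a, blade_b) * coeff_a * coeff_b
            out[blade] = out.get(blade, 0) + term
    return {blade: c for blade, c in out.items() if c != 0}


def gp(A, B):
    return product(A, B)


def wedge(A, B):
    return product(A, B, exterior=True)


def add(A, B):
    """Coefficient-wise sum of two multivectors."""
    out = dict(A)
    for blade, c in B.items():
        out[blade] = out.get(blade, 0) + c
    return {blade: c for blade, c in out.items() if c != 0}


def scale(alpha, A):
    """Scalar multiple of a multivector."""
    return {blade: alpha * c for blade, c in A.items() if alpha * c != 0}


def vector(*coeffs):
    """Build a 1-blade multivector c1*e1 + c2*e2 + ... from its coefficients."""
    return {1 << i: c for i, c in enumerate(coeffs) if c != 0}


def grade_dimensions(n):
    """Number of basis blades of each grade p = 0..n in the 2**n-dimensional space."""
    dims = [0] * (n + 1)
    for blade in range(1 << n):
        dims[bin(blade).count("1")] += 1
    return dims


def show(A):
    """Render integer-coefficient multivectors in the compact e12 notation."""
    terms = []
    for blade in sorted(A, key=lambda b: (bin(b).count("1"), b)):
        name = "".join(str(i + 1) for i in range(blade.bit_length()) if blade >> i & 1)
        terms.append(f"{A[blade]:+d}" + (f"e{name}" if name else ""))
    return " ".join(terms) or "0"


if __name__ == "__main__":
    a = vector(-2, 4)   # the vectors of the numerical example in the text
    b = vector(3, 5)
    print("ab      =", show(gp(a, b)))
    print("a ^ b   =", show(wedge(a, b)))
    print("b ^ a   =", show(wedge(b, a)))
    print("a ^ a   =", show(wedge(a, a)))
    print("grades for n = 3:", grade_dimensions(3))
```

Blade `3` (binary `11`) is $e_{12}$, so the result `{0: 14, 3: -22}` is the scalar-plus-bivector value computed by hand above.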

3.3.1 Definition of Multivectors and Blades

Another way of describing the objects (or elements) that form a multivector is to use the definition of “blade”, or a $k$-blade. In this convention at $k = 0$, we have a scalar, at $k = 1$ a vector, $k = 2$ a , and so on. A multivector is then formed by:

$$\bar{C} = \langle C \rangle_0 + \langle C \rangle_1 + \langle C \rangle_2 + \cdots + \langle C \rangle_n, \tag{3.12}$$

where $n$ is the dimension of the multivector $\bar{C}$.

As was shown in the previous example, if we assume $\mathbf{a} = \bar{A}$ and $\mathbf{b} = \bar{B}$ being two 1-blade multivectors, therefore the Geometric Product $\bar{A}\bar{B} = \mathbf{ab}$ yields a 0-blade plus 2-blade multivector as a result:

$$\bar{C} = \bar{A}\bar{B} = \underbrace{14}_{\text{scalar}} \underbrace{-\,22\, e_{12}}_{\text{bi-vector}}. \tag{3.13}$$

3.3.2 Multivector Operations

3.3.2.1 Scalar Multiplication

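Note that if one wishes to multiply a scalar $\alpha$ by a multivector this would follow a distributive principle giving

\[ \alpha\bar{C} = \alpha\langle C \rangle_0 + \alpha\langle C \rangle_1 + \alpha\langle C \rangle_2 + \cdots + \alpha\langle C \rangle_n. \tag{3.14} \]

Using the previous numerical example, and letting $\alpha = 3$, one would have

\[ \alpha\bar{C} = 14\alpha - 22\alpha\,\mathbf{e}_{12} = 42 - 66\,\mathbf{e}_{12}. \]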

3.3.2.2 Addition and Subtraction

Let $\bar{A} = a_0 + a_1\mathbf{e}_1 + a_2\mathbf{e}_2 + a_{12}\mathbf{e}_{12}$ and $\bar{B} = b_0 + b_1\mathbf{e}_1 + b_2\mathbf{e}_2 + b_{12}\mathbf{e}_{12}$. If we wish to add $\bar{A}$ and $\bar{B}$ the resulting multivector would be

\[ \bar{A} + \bar{B} = (a_0 + b_0) + (a_1 + b_1)\,\mathbf{e}_1 + (a_2 + b_2)\,\mathbf{e}_2 + (a_{12} + b_{12})\,\mathbf{e}_{12}. \tag{3.15} \]

Note that in order to sum two multivectors one simply adds the corresponding coefficients as shown in the equation above. Subtracting two multivectors is straightforward. By using the same principle of addition, $\bar{A} - \bar{B}$ yields

\[ \bar{A} - \bar{B} = (a_0 - b_0) + (a_1 - b_1)\,\mathbf{e}_1 + (a_2 - b_2)\,\mathbf{e}_2 + (a_{12} - b_{12})\,\mathbf{e}_{12}. \tag{3.16} \]

In terms of scalar multiplication and geometric product we can write the following:

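1. $\alpha(\bar{A} + \bar{B}) = \alpha\bar{A} + \alpha\bar{B}$.
2. $\alpha(\bar{A} - \bar{B}) = \alpha\bar{A} - \alpha\bar{B}$.
3. $\bar{C}(\bar{A} + \bar{B}) = \bar{C}\bar{A} + \bar{C}\bar{B}$.
4. $\bar{C}(\bar{A} - \bar{B}) = \bar{C}\bar{A} - \bar{C}\bar{B}$.
5. $(\bar{A} + \bar{B})\bar{D} = \bar{A}\bar{D} + \bar{B}\bar{D}$.
6. $(\bar{A} - \bar{B})\bar{D} = \bar{A}\bar{D} - \bar{B}\bar{D}$.
7. $\bar{C}(\bar{A} + \bar{B})\bar{D} = \bar{C}\bar{A}\bar{D} + \bar{C}\bar{B}\bar{D}$.
8. $\bar{C}(\bar{A} - \bar{B})\bar{D} = \bar{C}\bar{A}\bar{D} - \bar{C}\bar{B}\bar{D}$.

3.3.2.3 Multivector Inverse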

This invention relies in part upon the unique characteristics of Geometric Algebra multivector operations. Key among these operations is

\[ \bar{A}\bar{A}^{-1} = 1, \tag{3.17} \]

where $\bar{A}^{-1}$ is the inverse of $\bar{A}$, and the resulting geometric product between $\bar{A}$ and its inverse is the unity. There are several important multivector operations, known as multivector involutions, that are applied to determine multivector inversion.

Space inversion. Denoted as $\bar{A}^{*}$, the space inversion operation changes the orientation of the basis vectors as $\mathbf{e}_i \rightarrow -\mathbf{e}_i$, yielding the following general representation:

\[ \bar{A}^{*} = \langle A \rangle_0 - \langle A \rangle_1 + \langle A \rangle_2 + \cdots + (-1)^{n}\langle A \rangle_n. \tag{3.18} \]


Reverse. Written as $\bar{A}^{\dagger}$, the reverse of a multivector is the multivector in which the order of all products is reversed, such that $\mathbf{e}_1\mathbf{e}_2 \cdots \mathbf{e}_{n-1}\mathbf{e}_n \rightarrow \mathbf{e}_n\mathbf{e}_{n-1} \cdots \mathbf{e}_2\mathbf{e}_1$. Note that the order of a scalar or a vector cannot be reversed because it is impossible to reverse the order of one or no things. From the rules of Geometric Algebra in Eqs. 3.9–3.11 we have, for example, $\mathbf{e}_i\mathbf{e}_j = -\mathbf{e}_j\mathbf{e}_i$. A general blade representation is written as:

\[ \bar{A}^{\dagger} = \langle A \rangle_0 + \langle A \rangle_1 - \langle A \rangle_2 + \cdots + (-1)^{n/2}\langle A \rangle_n. \tag{3.19} \]

Clifford conjugation. Represented by $\overline{\bar{A}}$, the Clifford conjugation combines the space inversion and the reverse in order to determine the sign of a blade. The general blade representation that defines the Clifford conjugation is written as

\[ \overline{\bar{A}} = \langle A \rangle_0 - \langle A \rangle_1 - \langle A \rangle_2 + \cdots + (-1)^{n + n/2}\langle A \rangle_n. \tag{3.20} \]

3.3.2.4 Multivector amplitude

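We make use of the reverse and the Clifford conjugation to compute the amplitude of a multivector as follows:

\[ \left|\bar{A}\right| = \left(\bar{A}\,\overline{\bar{A}}\right)^{1/2}. \tag{3.21} \]

This equation is valid for 2- and 3-blade multivectors. For higher dimensions, different formulas are required. In this document we will restrict our solution for up to 3D. As an example, consider a 2-blade multivector

\[ \bar{A} = 2 + 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_{12}, \]

and its Clifford conjugation is given by

\[ \overline{\bar{A}} = 2 - 5\mathbf{e}_1 - 3\mathbf{e}_2 - 8\mathbf{e}_{12}. \]

The amplitude of $\bar{A}$ can be found by first computing the geometric product between $\bar{A}$ and $\overline{\bar{A}}$:

\[
\begin{aligned}
\bar{A}\,\overline{\bar{A}} ={}& (2 \times 2) + (2 \times (-5))\,\mathbf{e}_1 + (2 \times (-3))\,\mathbf{e}_2 + (2 \times (-8))\,\mathbf{e}_{12} \\
&+ (5 \times 2)\,\mathbf{e}_1 + (5 \times (-5))\,\overbrace{\mathbf{e}_1\mathbf{e}_1}^{1} + (5 \times (-3))\,\overbrace{\mathbf{e}_1\mathbf{e}_2}^{\mathbf{e}_{12}} + (5 \times (-8))\,\overbrace{\mathbf{e}_1\mathbf{e}_{12}}^{\mathbf{e}_2} \\
&+ (3 \times 2)\,\mathbf{e}_2 + (3 \times (-5))\,\overbrace{\mathbf{e}_2\mathbf{e}_1}^{-\mathbf{e}_{12}} + (3 \times (-3))\,\overbrace{\mathbf{e}_2\mathbf{e}_2}^{1} + (3 \times (-8))\,\overbrace{\mathbf{e}_2\mathbf{e}_{12}}^{-\mathbf{e}_1} \\
&+ (8 \times 2)\,\mathbf{e}_{12} + (8 \times (-5))\,\overbrace{\mathbf{e}_{12}\mathbf{e}_1}^{-\mathbf{e}_2} + (8 \times (-3))\,\overbrace{\mathbf{e}_{12}\mathbf{e}_2}^{\mathbf{e}_1} + (8 \times (-8))\,\overbrace{\mathbf{e}_{12}\mathbf{e}_{12}}^{-1} \\
={}& (4 - 25 - 9 + 64) + (-10 + 10 + 24 - 24)\,\mathbf{e}_1 + (-6 - 40 + 6 + 40)\,\mathbf{e}_2 \\
&+ (-16 - 15 + 15 + 16)\,\mathbf{e}_{12} \\
\bar{A}\,\overline{\bar{A}} ={}& 34.
\end{aligned}
\]

Therefore, the amplitude of $\bar{A}$ is finally computed as

\[ \left|\bar{A}\right| = \left(\bar{A}\,\overline{\bar{A}}\right)^{1/2} = \sqrt{34}. \tag{3.22} \]

3.3.2.5 Multivector Norm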

The norm of a multivector is defined as

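\[ \left\|\bar{A}\right\| = \left\langle \bar{A}\bar{A}^{\dagger} \right\rangle_0^{1/2}, \]

where the operator $\langle \cdot \rangle_0$ picks only the element of the 0-blade of the resulting multivector of the geometric product between $\bar{A}$ and its reverse. As a general example, consider $\bar{A} = a_0 + a_1\mathbf{e}_1 + a_2\mathbf{e}_2 + a_{12}\mathbf{e}_{12}$, and its reverse $\bar{A}^{\dagger} = a_0 + a_1\mathbf{e}_1 + a_2\mathbf{e}_2 - a_{12}\mathbf{e}_{12}$. The norm of $\bar{A}$ is computed as

\[
\begin{aligned}
\bar{A}\bar{A}^{\dagger} ={}& \underbrace{a_0^2 + a_1^2 + a_2^2 + a_{12}^2}_{\langle \bar{A}\bar{A}^{\dagger} \rangle_0} + (a_0a_1 + a_1a_0 - a_2a_{12} + a_{12}a_2)\,\mathbf{e}_1 \\
&+ (a_0a_2 + a_1a_{12} + a_2a_0 - a_{12}a_1)\,\mathbf{e}_2 + (a_0a_{12} + a_1a_2 - a_2a_1 + a_{12}a_0)\,\mathbf{e}_{12}.
\end{aligned}
\]

Thus,

\[ \left\|\bar{A}\right\| = \left\langle \bar{A}\bar{A}^{\dagger} \right\rangle_0^{1/2} = \sqrt{a_0^2 + a_1^2 + a_2^2 + a_{12}^2}. \tag{3.23} \]

For a numerical example using $\bar{A} = 2 + 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_{12}$, we obtain

\[ \left\|\bar{A}\right\| = \sqrt{2^2 + 5^2 + 3^2 + 8^2} = \sqrt{102}. \]

3.3.2.6 The Inverse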

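Multivector inversion is defined as

\[ \bar{A}^{-1} = \frac{\overline{\bar{A}}}{\left|\bar{A}\right|^{2}}, \tag{3.24} \]

which gives, by the definition in Eq. 3.17, the following:

\[ \bar{A}\bar{A}^{-1} = \frac{\bar{A}\,\overline{\bar{A}}}{\left|\bar{A}\right|^{2}} = \frac{\bar{A}\,\overline{\bar{A}}}{\left[\left(\bar{A}\,\overline{\bar{A}}\right)^{1/2}\right]^{2}} = 1. \]

As an example, consider again the multivector $\bar{A} = 2 + 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_{12}$. Using the result from Eq. 3.22, its inverse is computed as

\[ \bar{A}^{-1} = \frac{\overline{\bar{A}}}{\left|\bar{A}\right|^{2}} = \frac{2 - 5\mathbf{e}_1 - 3\mathbf{e}_2 - 8\mathbf{e}_{12}}{34}. \]

Hence,

\[ \bar{A}\bar{A}^{-1} = (2 + 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_{12})\,\frac{2 - 5\mathbf{e}_1 - 3\mathbf{e}_2 - 8\mathbf{e}_{12}}{34} = \frac{34}{34} = 1. \]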

For the special case where the multivector reduces to the sub-algebra of an (i.e., 1-vector), the inverse can also be computed using the reverse and the square of the norm as follows

\[ \bar{A}^{-1} = \frac{\bar{A}^{\dagger}}{\left\|\bar{A}\right\|^{2}}. \tag{3.25} \]

For example, consider the multivector $\bar{A} = 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_3$, where its reverse is $\bar{A}^{\dagger} = 5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_3 = \bar{A}$. If we make use of Eq. 3.25 to compute the inverse of $\bar{A}$ we have

\[ \bar{A}^{-1} = \frac{\bar{A}^{\dagger}}{\left\|\bar{A}\right\|^{2}} = \frac{5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_3}{\left(\sqrt{5^2 + 3^2 + 8^2}\right)^{2}} = \frac{5\mathbf{e}_1 + 3\mathbf{e}_2 + 8\mathbf{e}_3}{98}. \]

Which is true, since

\[ \bar{A}\bar{A}^{-1} = \frac{\bar{A}\bar{A}^{\dagger}}{\left\|\bar{A}\right\|^{2}} = \frac{5^2 + 3^2 + 8^2}{\left(\sqrt{5^2 + 3^2 + 8^2}\right)^{2}} = 1. \]

For application purposes we wish to have a single formula to compute the inverse and we choose the first option, which uses the Clifford conjugation operation. However, when computing the inverse of a given multivector that is reduced to the even sub-algebra it is possible to obtain a complex-like number from the geometric product between $\bar{A}$ and $\overline{\bar{A}}$. A common operation in complex number theory is the process of 'rationalizing the denominator' for a complex number in the form $\frac{1}{x + iy} = \frac{1}{z}$, where $i^2 = -1$, by multiplying top and bottom by the complex conjugate $\bar{z} = x - iy$, which produces a single real valued denominator, $\frac{x - iy}{x^2 + y^2}$. This process can be duplicated for a multivector where now the reverse operation will play the role of the complex conjugate. This allows us to rewrite the inverse equation for a multivector as follows:

\[ \bar{A}^{-1} = \frac{\overline{\bar{A}}\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger}}{\left(\bar{A}\,\overline{\bar{A}}\right)\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger}}, \tag{3.26} \]

where we call the operation on the denominator the "Rationalize". This specific operation will be later used for other purposes inside the EDCHE suite. As an example of the use of this general formula let

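\[ \bar{A} = 2 + 3\mathbf{e}_1 + 4\mathbf{e}_2 + 6\mathbf{e}_3 + 7\mathbf{e}_{12} + 8\mathbf{e}_{23} + 9\mathbf{e}_{13} + 10\mathbf{e}_{123}, \]

where its Clifford conjugation is given by

\[ \overline{\bar{A}} = 2 - 3\mathbf{e}_1 - 4\mathbf{e}_2 - 6\mathbf{e}_3 - 7\mathbf{e}_{12} - 8\mathbf{e}_{23} - 9\mathbf{e}_{13} + 10\mathbf{e}_{123}. \]

Using the properties of the geometric product described in Eqs. 3.9–3.11 we compute $\bar{A}\,\overline{\bar{A}}$ to obtain

\[ \bar{A}\,\overline{\bar{A}} = 37 - 34\mathbf{e}_{123}. \]

If we use Eq. 3.24 to compute $\bar{A}^{-1}$ we would have

\[ \bar{A}^{-1} = \frac{\overline{\bar{A}}}{\left|\bar{A}\right|^{2}} = \frac{\overline{\bar{A}}}{\bar{A}\,\overline{\bar{A}}} = \frac{2 - 3\mathbf{e}_1 - 4\mathbf{e}_2 - 6\mathbf{e}_3 - 7\mathbf{e}_{12} - 8\mathbf{e}_{23} - 9\mathbf{e}_{13} + 10\mathbf{e}_{123}}{37 - 34\mathbf{e}_{123}}. \]

The result above is clearly a complex-like number, since $(\mathbf{e}_{123})^2 = i^2 = -1$. It is necessary that we "rationalize" the denominator by performing a geometric product on top and bottom with its reverse $\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger} = 37 + 34\mathbf{e}_{123}$. The result is the following:

\[
\begin{aligned}
\bar{A}^{-1} &= \frac{\overline{\bar{A}}\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger}}{\left(\bar{A}\,\overline{\bar{A}}\right)\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger}} \\
&= \frac{(2 - 3\mathbf{e}_1 - 4\mathbf{e}_2 - 6\mathbf{e}_3 - 7\mathbf{e}_{12} - 8\mathbf{e}_{23} - 9\mathbf{e}_{13} + 10\mathbf{e}_{123})(37 + 34\mathbf{e}_{123})}{(37 - 34\mathbf{e}_{123})(37 + 34\mathbf{e}_{123})} \\
\bar{A}^{-1} &= \frac{-266 + 195\mathbf{e}_1 - 420\mathbf{e}_2 + 16\mathbf{e}_3 - 463\mathbf{e}_{12} - 160\mathbf{e}_{23} - 435\mathbf{e}_{13} + 438\mathbf{e}_{123}}{2525}.
\end{aligned}
\]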


The use of multivector inverses is fundamental to this invention. The algorithms in Geometric Algebra used to compute inverses vary according to the space dimension of the multivector. This overview of Geometric Algebra is not intended to be exhaustive, only sufficient for the discussion of this invention and the examples herein presented.

3.4 Conclusion

The fluidity of systems based on Product Spaces and Geometric Algebra and the ability to construct "expressions" that perform encryption sub-systems is one of the key points of development in this work. The mathematics applied here is already organized to provide homomorphism; however, homomorphic properties will only be discussed in future chapters. It is still important to notice that no mathematical "twist" will be necessary to enable these homomorphic properties. From linear spaces it is possible to migrate to a higher space-dimension where new objects and operations are possible without losing the ones on the vector space, thus combining the best of lower and higher spaces. This is the direct benefit of working with exterior algebra and product spaces. The operations on the multivectors and the elements as organized by the Clifford product will be used in future chapters as the "cipher producing" vector elements. The product space can be seen as a $2^n$ lattice completely organized and linear, albeit, as described previously, filled with non-linear operations as arithmetic functions do the encryption. Thus, it is not necessary to mix the "encryption" part with the lattice part, which would make the system heavy and non-fluid. At an abstract algebra level, there are many generalizations that can take this mathematical basis to an even more elegant, powerful and useful set of operations. The multivector is a special object and when combined with operations found in the Geometric Algebra it is possible to construct systems as if using a framework. The mathematics here plays the role of a language and can be organized as algorithms for the purpose of building encryption schemes that are intrinsically fully homomorphic. Each blade of the multivector carries different representations and meanings, since they can be manipulated as objects inside objects, which gives the multivector this property of a multi-dimensional object.
The main operation used in this work is the geometric product, a geometric equivalent of multivectors. Powered by the geometric product many involutions (special operations that have the ability of "zeroing", among other capabilities) are generated which unlock the useful and powerful inverse of the multivector. The inverse applied for encryption algorithms, detailed as an application in future chapters, is the key to unlock the principle of decryption. In this work, Geometric Algebra, described as a mathematical language, is the fundamental building block of the cryptographic framework EDCHE. The mathematical elements of Geometric Algebra discussed here are far from an extensive coverage of the subject. Instead, this chapter should be seen as the least one should know about the subject in order to initiate implementations of cryptographic solutions using EDCHE.

CHAPTER 4

Encryption using Multivectors

4.1 Introduction

Consider a very simple symmetric encryption scheme operating on integers that multiplies the message by a secret key. In this scenario, let the plaintext $p = 6$ and the secret key $k = 9$. Then Alice generates the ciphertext $c$ as follows:

\[
\begin{aligned}
c &= p \cdot k \\
c &= 6 \cdot 9 \\
c &= 54
\end{aligned}
\]

which is sent to Bob. Since Bob has the same secret key that Alice has, Bob should be able to decrypt $c$ and obtain $p$. The way of recovering $p$ can be seen in two different ways, both leading to the same result. One way is to keep the encryption function the same and look to the inverse of the key. Another way is to keep the key the same and look to the inverse of the encryption function. Both ways are equivalent in the sense that they generate the same result. For real numbers, the additive inverse of a number $a$ is the number that, when added to $a$, yields 0. This number will have the reverse sign of $a$, meaning that if $a$ is positive, the additive inverse will be the same number with the negative sign. This is also referred to as the opposite number of $a$ [38]. The additive inverse is defined as the inverse element in a binary operation of addition. The multiplicative inverse of a number $b$ is the number that, when multiplied by $b$, yields 1. It is denoted by $\frac{1}{b}$ or $b^{-1}$. The multiplicative inverse of $b$ is also referred to as the reciprocal of $b$ [5].

So Bob can recover $p$ by multiplying the ciphertext $c$ by the inverse of the secret key $k$. This can be seen as the same operation with a different "object", in this case, the inverse of the secret key $k$. So $p$ is recovered as follows:

\[
\begin{aligned}
p &= c \cdot k^{-1} \\
p &= 54 \cdot 9^{-1} \\
p &= 54 \cdot \frac{1}{9} \\
p &= \frac{54}{9} \\
p &= 6
\end{aligned}
\]

Another way to achieve the same result is to think of the above operation as the inverse of the encryption function. In this way, instead of calculating the inverse of the key and keeping the same multiplication operation for encryption, one could define the decryption function as the inverse function of the encryption and use the secret key without modifications. The inverse function of $f$ is a function that reverses $f$. If $f$ is the function in consideration and $g$ is its inverse, then if $f$ is applied to $x$ to generate $y$, $g$ applied to $y$ will generate $x$, given $f(x) = y$ if and only if $g(y) = x$ [26]. So if the encryption function is $f(p) = p \cdot k = c$, the inverse function is $g(c) = \frac{c}{k} = p$. As mentioned, both ways of recovering $p$ are equivalent. By using the inverse operation, Bob recovers $p$ as follows:

\[
\begin{aligned}
p &= \frac{c}{k} \\
p &= \frac{54}{9} \\
p &= 6
\end{aligned}
\]

If both ways are equivalent, then what is the difference? The answer can be the complexity of the function under consideration. For simple functions, finding the inverse will be trivial. However, a more complex function might imply extra work, in such a way that finding the inverse of the object used in the operation might be a better option, leaving the operation itself intact. It all depends on each scenario.

What if, instead of a simple product, a triple product is used as the encryption function? The function changes; however, the principle is the same. Say the encryption function uses two secret keys $k_1 = 9$ and $k_2 = 13$. The encryption function is given by:

\[
\begin{aligned}
c &= k_1 \cdot p \cdot k_2 \\
c &= 9 \cdot 6 \cdot 13 \\
c &= 702
\end{aligned}
\]

The decryption function is then:

\[
\begin{aligned}
p &= k_1^{-1} \cdot c \cdot k_2^{-1} \\
p &= \frac{1}{9} \cdot 702 \cdot \frac{1}{13} \\
p &= 6
\end{aligned}
\]

Notice that since $c$ is the product between $k_1$, $k_2$, and $p$, $c$ is divisible by $k_1$, $k_2$, and $p$. So $k_1^{-1} \cdot c = \frac{1}{9} \cdot 702 = 78$ and $k_2^{-1} \cdot c = \frac{1}{13} \cdot 702 = 54$. It is clear to see that $\frac{78}{13} = 6$ and $\frac{54}{9} = 6$. So no matter how the function is organized in this scenario, the principle of the multiplicative inverse holds. Now, one example where the inverse function is preferred, since the multiplicative inverse of the number will not work as a simple replacement in the function under consideration. If the encryption function is defined as follows:

\[ c = (k_1 \cdot p) + (p \cdot k_2) \]

replacing $k_1$ and $k_2$ by their multiplicative inverses and replacing $p$ by $c$ will not yield $p$. See the example below:

\[
\begin{aligned}
c &= (k_1 \cdot p) + (p \cdot k_2) \\
c &= (9 \cdot 6) + (6 \cdot 13) \\
c &= 54 + 78 \\
c &= 132
\end{aligned}
\]

then

\[
\begin{aligned}
p &\neq \left(k_1^{-1} \cdot c\right) + \left(c \cdot k_2^{-1}\right) \\
p &\neq \left(\frac{1}{9} \cdot (132)\right) + \left((132) \cdot \frac{1}{13}\right) \\
p &\neq 14.66 + 10.15 \\
p &\neq 24.81
\end{aligned}
\]

Depending on each scenario, finding a multiplicative inverse for applying in the encryption function without modification might not even be possible. So this is a case when finding the inverse of the function will be the better option and sometimes the only option. So the inverse function for retrieving $p$ is given by:

\[
\begin{aligned}
p &= \frac{c}{k_1 + k_2} \\
p &= \frac{132}{9 + 13} \\
p &= \frac{132}{22} \\
p &= 6
\end{aligned}
\]

In order to make use of the principles and relationships discussed so far in the universe of Geometric Algebra, and its operations and objects, it is necessary to find the corresponding elements that will allow reversing an encryption function. Given the simple product example as an encryption function using Geometric Algebra, it is necessary to find:

1. The operand object

2. The equivalent multiplication operation

3. The inverse of the operand object

4. The inverse of the equivalent multiplication operation

As discussed in the previous chapter, the operand object for the GA operations under consideration is the multivector. The multiplication operation on multivectors is the geometric product. The inverse of the operand object is the inverse of the multivector. For encryption primitives using the triple geometric product, the inverse of the multivector will be enough for computing the decryption. For other primitives with custom operations, the inverse of the resultant multivector might not be possible. For those cases, it will be necessary to develop the inverse of the operation. This chapter discusses many ways to create and organize multivectors, the operations available for a variety of cryptographic goals, encryption primitives, how to manage secret keys and how to combine GA operations with other types of functions. Additionally, this chapter includes some examples of how to explore GA and its extensions in order to create cryptographic applications.

4.2 Basic Multivector Packing Scheme

4.2.1 Number Factorization

The first step to represent a raw number in multivector form, in order to make use of the homomorphic properties that will be described later, is to factorize the number and write it as a sum of other numbers that we call herein $c_i$:

\[ N_{10} = \sum_{i=0}^{n-1} c_i, \]

where $n$ is the number of elements in a multivector (e.g., for a 3D multivector the total number of elements is $n = 2^m$, where $m = 3$ is the dimensionality).

There are several forms that one could factorize $N_{10}$. Below we describe two ways of achieving it for a given number $N_{10} = 5487$:

1. Case 1: We perform an integer division of $N_{10}$ by the number of elements of the multivector, $N_{10}/n$. In this case the result is 685. The remainder, obtained by calculating $N_{10} \bmod n$, is added to the last coefficient, resulting in the following:

5487 = 685 + 685 + 685 + 685 + 685 + 685 + 685 + 692.

2. Case 2: The user could create an algorithm that randomly finds integers whose sum is the original number $N_{10}$. For example, assume an algorithm generates the following set of coefficients $c_i$:

5487 = 385 + 985 + 685 + 584 + 786 + 482 + 888 + 692.

Note: For case 1, if the number $N_{10}$ is divisible by the number of elements $n$ of the multivector, one alternative is to do the following:

• For $n = 8$, subtract 1 from $c_7$ and add 1 to $c_6$. For example, let $N_{10} = 2944$. If we divide it by $n$ we obtain 368 and no remainder:

2944 = 368 + 368 + 368 + 368 + 368 + 368 + 368 + 368.

• If we subtract 1 from $c_7$ and add 1 to $c_6$ we end up with:

2944 = 368 + 368 + 368 + 368 + 368 + 368 + 369 + 367.

As mentioned earlier, the cases above are not the only ways of representing a number as a summation. Any form of factorization of a number in a summation form described in the literature is acceptable.

4.2.2 Organize Coefficients into Multivector Structure

The coefficients generated from the number factorization can be organized in a multivector randomly or following a predetermined form. As an example, let

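\[ \bar{N} = n_0 + n_1\mathbf{e}_1 + n_2\mathbf{e}_2 + n_3\mathbf{e}_3 + n_{12}\mathbf{e}_{12} + n_{13}\mathbf{e}_{13} + n_{23}\mathbf{e}_{23} + n_{123}\mathbf{e}_{123} = N_{10} \]

be the multivector representation of $N_{10}$. If we make

\[
\begin{aligned}
n_0 &= c_0, & n_1 &= c_1, & n_2 &= c_2, & n_3 &= c_3, \\
n_{12} &= c_4, & n_{13} &= c_5, & n_{23} &= c_6, & n_{123} &= c_7,
\end{aligned}
\]

and let $N_{10} = 5487$, we have, for case 1,

\[ \bar{N} = 685 + 685\mathbf{e}_1 + 685\mathbf{e}_2 + 685\mathbf{e}_3 + 685\mathbf{e}_{12} + 685\mathbf{e}_{13} + 685\mathbf{e}_{23} + 692\mathbf{e}_{123}, \]

and

\[ \bar{N} = 385 + 985\mathbf{e}_1 + 685\mathbf{e}_2 + 584\mathbf{e}_3 + 786\mathbf{e}_{12} + 482\mathbf{e}_{13} + 888\mathbf{e}_{23} + 692\mathbf{e}_{123}, \]

for case 2.

In the case $N_{10}$ is a multiple of $n$, for example $N_{10} = 2944$, a possible way of organizing the coefficients $c_i$ as multivector coefficients $n_i$ could be

\[ \bar{N} = 368 + 368\mathbf{e}_1 + 368\mathbf{e}_2 + 368\mathbf{e}_3 + 368\mathbf{e}_{12} + 368\mathbf{e}_{13} + 369\mathbf{e}_{23} + 367\mathbf{e}_{123}. \]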

4.3 Sylvester’s Equation

EDCHE makes use of a well-known equation in the field of mathematics called the Sylvester’s Equation, which is given by

C = AX + XB. (4.1)

By knowing the matrices $A$, $B$, and $C$ it is possible to calculate a unique solution for the matrix $X$. EDCHE applies an analogous definition of the Sylvester's Equation for multivectors as follows:

\[ \bar{Y} = \bar{A}\bar{M} + \bar{M}\bar{B}, \tag{4.2} \]

which is obtained when defining a linear function over multivectors in the form of

\[ f\left(\bar{M}\right) = \sum_{m=1}^{n} \bar{R}_m \bar{M} \bar{S}_m. \tag{4.3} \]

The encryption primitive using the Sylvester's Equation is computed as follows:

\[ \bar{C} = \bar{S}_1\bar{M} + \bar{M}\bar{S}_2, \tag{4.4} \]

where $\bar{C}$ is the ciphertext, $\bar{S}_i$, for $i = 1, 2$, are secret keys, and $\bar{M}$ is the original message. The closed form solution for the ciphertext can be obtained by a sequence of algebraic manipulations and is given by

\[ \bar{M} = \left(\overline{\bar{S}_2} + \bar{S}_2 + \bar{S}_1^{-1}\,\overline{\bar{S}_2}\,\bar{S}_2 + \bar{S}_1\right)^{-1}\left(\bar{S}_1^{-1}\,\bar{C}\,\overline{\bar{S}_2} + \bar{C}\right). \tag{4.5} \]

The solution above is used by the receiver to decipher the encrypted text and recover the original message.

Figure 4.1: Encryption with the Sylvester’s Equation

4.4 Triple product

Another way of encrypting data with EDCHE is by applying the triple product, which is a sequence of geometric products that makes a "sandwich" with a pair of secret keys and the original message resulting in

C¯ = S¯ 1M¯ S¯ 2. (4.6)

The original message $\bar{M}$ can be easily recovered by the intended recipient by performing:

\[ \bar{M} = \bar{S}_1^{-1}\,\bar{C}\,\bar{S}_2^{-1}. \tag{4.7} \]

Figure 4.2: Encryption with the Triple Product

4.5 The Underdeterminacy of the EDCHE Primitives

For ease of notation let A¯ = S¯ 1 and B¯ = S¯ 2, M¯ is the message and C¯ is the ciphertext. The example in this Chapter will make use of a primitive generated by the triple product in a 3D space vector, however the same principle applies to the Za generated through the Sylvester’s equation. Eq. 4.6 yields

C¯ = A¯ M¯ B¯ , (4.8)

where,

C¯ = c0 + c1e1 + c2e2 + c3e3 + c12e12 + c13e13 + c23e23 + c123e123

A¯ = a0 + a1e1 + a2e2 + a3e3 + a12e12 + a13e13 + a23e23 + a123e123

B¯ = b0 + b1e1 + b2e2 + b3e3 + b12e12 + b13e13 + b23e23 + b123e123

M¯ = m0 + m1e1 + m2e2 + m3e3 + m12e12 + m13e13 + m23e23 + m123e123.


Recall that in Eq. 4.8 $\bar{A}$ and $\bar{B}$ are the unknowns and $\bar{M}$ and $\bar{C}$ known variables. If we split the triple product into two parts we first compute the geometric product between $\bar{A}$ and $\bar{M}$ as:

\[
\begin{aligned}
\bar{Q} = \bar{A}\bar{M} ={}& \underbrace{\left(a_0m_0 + a_1m_1 + a_2m_2 + a_3m_3 - a_{12}m_{12} - a_{23}m_{23} - a_{13}m_{13} - a_{123}m_{123}\right)}_{q_0} \\
&+ \underbrace{\left(a_0m_1 + a_1m_0 - a_2m_{12} - a_3m_{13} + a_{12}m_2 - a_{23}m_{123} + a_{13}m_3 - a_{123}m_{23}\right)}_{q_1}\,\mathbf{e}_1 \\
&+ \underbrace{\left(a_0m_2 + a_1m_{12} + a_2m_0 - a_3m_{23} - a_{12}m_1 + a_{23}m_3 + a_{13}m_{123} + a_{123}m_{13}\right)}_{q_2}\,\mathbf{e}_2 \\
&+ \underbrace{\left(a_0m_3 - a_1m_{13} + a_2m_{23} + a_3m_0 - a_{12}m_{123} - a_{23}m_2 - a_{13}m_1 + a_{123}m_{12}\right)}_{q_3}\,\mathbf{e}_3 \\
&+ \underbrace{\left(a_0m_{12} + a_1m_2 - a_2m_1 + a_3m_{123} + a_{12}m_0 + a_{23}m_{13} - a_{13}m_{23} + a_{123}m_3\right)}_{q_{12}}\,\mathbf{e}_{12} \\
&+ \underbrace{\left(a_0m_{23} + a_1m_{123} + a_2m_3 - a_3m_2 - a_{12}m_{13} + a_{23}m_0 + a_{13}m_{12} + a_{123}m_1\right)}_{q_{23}}\,\mathbf{e}_{23} \\
&+ \underbrace{\left(a_0m_{13} + a_1m_3 - a_2m_{123} - a_3m_1 + a_{12}m_{23} - a_{23}m_{12} + a_{13}m_0 - a_{123}m_2\right)}_{q_{13}}\,\mathbf{e}_{13} \\
&+ \underbrace{\left(a_0m_{123} + a_1m_{23} - a_2m_{13} + a_3m_{12} + a_{12}m_3 + a_{23}m_1 - a_{13}m_2 + a_{123}m_0\right)}_{q_{123}}\,\mathbf{e}_{123}
\end{aligned}
\]

The second part of the triple product involves the result of $\bar{A}\bar{M} = \bar{Q}$ geometric product $\bar{B}$, which yields

\[
\begin{aligned}
\bar{C} = \bar{Q}\bar{B} ={}& \underbrace{\left(q_0b_0 + q_1b_1 + q_2b_2 + q_3b_3 - q_{12}b_{12} - q_{23}b_{23} - q_{13}b_{13} - q_{123}b_{123}\right)}_{c_0} \\
&+ \underbrace{\left(q_0b_1 + q_1b_0 - q_2b_{12} - q_3b_{13} + q_{12}b_2 - q_{23}b_{123} + q_{13}b_3 - q_{123}b_{23}\right)}_{c_1}\,\mathbf{e}_1 \\
&+ \underbrace{\left(q_0b_2 + q_1b_{12} + q_2b_0 - q_3b_{23} - q_{12}b_1 + q_{23}b_3 + q_{13}b_{123} + q_{123}b_{13}\right)}_{c_2}\,\mathbf{e}_2 \\
&+ \underbrace{\left(q_0b_3 - q_1b_{13} + q_2b_{23} + q_3b_0 - q_{12}b_{123} - q_{23}b_2 - q_{13}b_1 + q_{123}b_{12}\right)}_{c_3}\,\mathbf{e}_3 \\
&+ \underbrace{\left(q_0b_{12} + q_1b_2 - q_2b_1 + q_3b_{123} + q_{12}b_0 + q_{23}b_{13} - q_{13}b_{23} + q_{123}b_3\right)}_{c_{12}}\,\mathbf{e}_{12} \\
&+ \underbrace{\left(q_0b_{23} + q_1b_{123} + q_2b_3 - q_3b_2 - q_{12}b_{13} + q_{23}b_0 + q_{13}b_{12} + q_{123}b_1\right)}_{c_{23}}\,\mathbf{e}_{23} \\
&+ \underbrace{\left(q_0b_{13} + q_1b_3 - q_2b_{123} - q_3b_1 + q_{12}b_{23} - q_{23}b_{12} + q_{13}b_0 - q_{123}b_2\right)}_{c_{13}}\,\mathbf{e}_{13} \\
&+ \underbrace{\left(q_0b_{123} + q_1b_{23} - q_2b_{13} + q_3b_{12} + q_{12}b_3 + q_{23}b_1 - q_{13}b_2 + q_{123}b_0\right)}_{c_{123}}\,\mathbf{e}_{123}
\end{aligned}
\]

Note that the $q_i$ coefficients in the $i$-th position embed the $a_i$ coefficients, which are unknowns. Therefore, the $c_i$ coefficients are comprised of both $a_i$ and $b_i$ coefficients. If one decides to build a linear system of equations such that

\[
\left\{
\begin{aligned}
c_0 &= q_0b_0 + q_1b_1 + q_2b_2 + q_3b_3 - q_{12}b_{12} - q_{23}b_{23} - q_{13}b_{13} - q_{123}b_{123} \\
c_1 &= q_0b_1 + q_1b_0 - q_2b_{12} - q_3b_{13} + q_{12}b_2 - q_{23}b_{123} + q_{13}b_3 - q_{123}b_{23} \\
c_2 &= q_0b_2 + q_1b_{12} + q_2b_0 - q_3b_{23} - q_{12}b_1 + q_{23}b_3 + q_{13}b_{123} + q_{123}b_{13} \\
c_3 &= q_0b_3 - q_1b_{13} + q_2b_{23} + q_3b_0 - q_{12}b_{123} - q_{23}b_2 - q_{13}b_1 + q_{123}b_{12} \\
c_{12} &= q_0b_{12} + q_1b_2 - q_2b_1 + q_3b_{123} + q_{12}b_0 + q_{23}b_{13} - q_{13}b_{23} + q_{123}b_3 \\
c_{23} &= q_0b_{23} + q_1b_{123} + q_2b_3 - q_3b_2 - q_{12}b_{13} + q_{23}b_0 + q_{13}b_{12} + q_{123}b_1 \\
c_{13} &= q_0b_{13} + q_1b_3 - q_2b_{123} - q_3b_1 + q_{12}b_{23} - q_{23}b_{12} + q_{13}b_0 - q_{123}b_2 \\
c_{123} &= q_0b_{123} + q_1b_{23} - q_2b_{13} + q_3b_{12} + q_{12}b_3 + q_{23}b_1 - q_{13}b_2 + q_{123}b_0
\end{aligned}
\right.
\]

in order to perform a known plaintext attack to compute the secret keys $\bar{A}$ and $\bar{B}$, the resulting linear system would be of an underdetermined type, i.e., more unknowns than available equations, and therefore the number of possible solutions would comprise the entire range of the real numbers set. For further discussions on the properties of real numbers refer to [11]. As long as the keys are unique per transmission, the attacker could not perform a pair of known plaintext attacks in order to obtain more equations. By doing this, the number of equations would always be half of the number of unknowns.
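The inverse of Eq. 3.26, the case 1 packing of Section 4.2.1, both encryption primitives (Eqs. 4.4 and 4.6) and the key ambiguity argued above, combined in one added example; this is not code from the thesis or from EDCHE. The bitmask blade layout, the function names and the key values are assumptions made for the illustration, and exact `Fraction` arithmetic stands in for whatever number type an implementation would use.

```python
from fractions import Fraction

# Coefficient lists are indexed by basis-blade bitmask (assumed layout):
# bit 0 = e1, bit 1 = e2, bit 2 = e3, so 3 = e12, 5 = e13, 6 = e23, 7 = e123.
GRADE = [bin(m).count("1") for m in range(8)]
PAGE_ORDER = [0, 1, 2, 4, 3, 5, 6, 7]  # 1, e1, e2, e3, e12, e13, e23, e123


def mv(coeffs):
    """Build a multivector from coefficients listed in the page's order."""
    out = [Fraction(0)] * 8
    for mask, c in zip(PAGE_ORDER, coeffs):
        out[mask] = Fraction(c)
    return out


def blade_sign(a, b):
    """Sign picked up when e_a e_b is sorted (e_i e_i = 1, e_j e_i = -e_i e_j)."""
    swaps, a = 0, a >> 1
    while a:
        swaps += bin(a & b).count("1")
        a >>= 1
    return -1 if swaps & 1 else 1


def gp(x, y):
    """Geometric product of two 3D multivectors."""
    out = [Fraction(0)] * 8
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            out[i ^ j] += blade_sign(i, j) * xi * yj
    return out


def add(*terms):
    return [sum(cs) for cs in zip(*terms)]


def conj(x):     # Clifford conjugation: grades 1 and 2 change sign
    return [-c if GRADE[m] in (1, 2) else c for m, c in enumerate(x)]


def reverse(x):  # reverse: grades 2 and 3 change sign
    return [-c if GRADE[m] in (2, 3) else c for m, c in enumerate(x)]


def inverse(x):
    """Eq. 3.26: conj(x) (x conj(x))^dagger over the scalar "Rationalize"."""
    n = gp(x, conj(x))          # scalar + pseudoscalar, the complex-like number
    r = reverse(n)
    den = gp(n, r)[0]           # the "Rationalize", a plain scalar
    if den == 0:
        raise ZeroDivisionError("multivector has no inverse")
    return [c / den for c in gp(conj(x), r)]


def pack(n10, slots=8):
    """Section 4.2.1, case 1: equal shares, remainder added to the last one."""
    q, r = divmod(n10, slots)
    c = [q] * slots
    c[-1] += r
    if r == 0:                  # the page's note for exact multiples of n
        c[-1] -= 1
        c[-2] += 1
    return mv(c)


def triple_encrypt(s1, m, s2):       # Eq. 4.6
    return gp(gp(s1, m), s2)


def triple_decrypt(s1, c, s2):       # Eq. 4.7
    return gp(gp(inverse(s1), c), inverse(s2))


def sylvester_encrypt(s1, m, s2):    # Eq. 4.4
    return add(gp(s1, m), gp(m, s2))


def sylvester_decrypt(s1, c, s2):
    """(conj(S2) + S2 + S1^-1 conj(S2) S2 + S1)^-1 (S1^-1 C conj(S2) + C)."""
    s1i, s2c = inverse(s1), conj(s2)
    left = add(s2c, s2, gp(s1i, gp(s2c, s2)), s1)
    right = add(gp(gp(s1i, c), s2c), c)
    return gp(inverse(left), right)


def consistent_second_key(m, c, a2):
    """For any invertible guess a2, the b2 that satisfies a2 m b2 == c."""
    return gp(inverse(gp(a2, m)), c)


if __name__ == "__main__":
    s1 = mv([3, 1, 4, 1, 5, 9, 2, 6])    # constructed key values
    s2 = mv([2, 7, 1, 8, 2, 8, 1, 8])
    m = pack(5487)
    c = triple_encrypt(s1, m, s2)
    print("triple product round trip:", sum(triple_decrypt(s1, c, s2)))
    y = sylvester_encrypt(s1, m, s2)
    print("Sylvester round trip:     ", sum(sylvester_decrypt(s1, y, s2)))
    a2 = mv([1, 2, 0, 0, 0, 0, 0, 0])    # an arbitrary invertible guess for S1
    b2 = consistent_second_key(m, c, a2)
    print("guessed pair reproduces C:", triple_encrypt(a2, m, b2) == c,
          "| b2 equals the real S2:", b2 == s2)
```

The last check shows the under-determinacy concretely: one known plaintext and ciphertext pair is reproduced by a key pair built from an arbitrary guess, so that single pair cannot identify the real keys.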

4.6 EDCHE as a Framework

After discussing the core mathematics behind EDCHE, how to represent data as multivectors and how to build encryption primitives, the next sections will focus on how to extend core functionalities to elaborate specialized cryptographic routines. This includes, but is not limited to, authorization mechanisms, secret key exchange and management, different methods for identity and digital signature, data transmission and organization, among others. The goal of the following sections in this chapter is to provide practical examples of the use of EDCHE as a framework for developing cryptographic solutions making use of the building blocks available in Geometric Algebra and its extensions.

4.7 EDCHE Sub-primitives

Consider a scenario when an administrative authority wants to organize an online meeting. Given the sensitivity of the subjects discussed in this meeting, only authorized users should be able to join it. The meeting has a secret key that is managed by the administrative authority. The versatile algebraic framework provided by Clifford algebra allows us to use the sub-algebra within the Clifford multivector space $C\ell(\Re^n)$ in order to create related primitives. Such primitives are either multivector blades or the result of a geometric algebra operation of blades. Consider a general 3D multivector $\bar{U}$ for a given user:

\[ \bar{U} = u_0\bar{e}_0 + u_1\bar{e}_1 + u_2\bar{e}_2 + u_3\bar{e}_3 + u_{12}\bar{e}_{12} + u_{13}\bar{e}_{13} + u_{23}\bar{e}_{23} + u_{123}\bar{e}_{123} \]

where

\[
\begin{aligned}
\langle \bar{U} \rangle_0 &= u_0\bar{e}_0 &&\rightarrow \text{0-blade} \rightarrow \text{scalar} \\
\langle \bar{U} \rangle_1 &= u_1\bar{e}_1,\; u_2\bar{e}_2,\; u_3\bar{e}_3 &&\rightarrow \text{1-blade} \rightarrow \text{vector} \\
\langle \bar{U} \rangle_2 &= u_{12}\bar{e}_{12},\; u_{13}\bar{e}_{13},\; u_{23}\bar{e}_{23} &&\rightarrow \text{2-blade} \rightarrow \text{bivector} \\
\langle \bar{U} \rangle_3 &= u_{123}\bar{e}_{123} &&\rightarrow \text{3-blade} \rightarrow \text{trivector}
\end{aligned}
\]

Also, consider a second multivector $\bar{S}$ given by

\[ \bar{S} = s_0\bar{e}_0 + s_1\bar{e}_1 + s_2\bar{e}_2 + s_3\bar{e}_3 + s_{12}\bar{e}_{12} + s_{13}\bar{e}_{13} + s_{23}\bar{e}_{23} + s_{123}\bar{e}_{123} \]

An alternative way of describing the bivector piece of a multivector is to display it as a geometric product between the pseudo-scalar $\bar{J} = \bar{e}_{123}$ and a vector $\bar{w} = w_1\bar{e}_1 + w_2\bar{e}_2 + w_3\bar{e}_3$. Thus let

\[ \langle \bar{U} \rangle_2 = j\,(w_1\bar{e}_1 + w_2\bar{e}_2 + w_3\bar{e}_3) \]

where $w_1 = u_{23}$, $w_2 = -u_{13}$, $w_3 = u_{12}$.

Assume that in the process of creating/registering a user his multivector $\bar{U}$ has the 1-blade empty, i.e., $\langle \bar{U} \rangle_1 = 0\bar{e}_1 + 0\bar{e}_2 + 0\bar{e}_3$, and the 2-blade contains his ID. In order to fulfill the vector piece (1-blade) of the multivector $\bar{U}$ one could perform a Clifford equivalent cross product between $\bar{w}$ and the 1-blade of the private system key $\bar{S}$ such that,

\[ j\left(\bar{w} \wedge \langle \bar{S} \rangle_1\right) = j\left[(w_1\bar{e}_1 + w_2\bar{e}_2 + w_3\bar{e}_3) \wedge (s_1\bar{e}_1 + s_2\bar{e}_2 + s_3\bar{e}_3)\right] \]

Note that the Clifford equivalent cross product consists of a geometric product between the pseudo-scalar $j$ and the resulting multivector of the wedge product of $\bar{w}$ and $\langle \bar{S} \rangle_1$. The motivation behind this approach is that, just like the standard cross product of the Euclidean algebra, the result that comes out from the Clifford equivalent cross product is a vector orthogonal to the plane of $\bar{w}$ and $\langle \bar{S} \rangle_1$. Assuming the resulting vector is

\[ \bar{u} = u_1\bar{e}_1 + u_2\bar{e}_2 + u_3\bar{e}_3 \]

it then becomes the 1-blade of the user multivector $\bar{U}$, which was originally empty:

\[ \langle \bar{U} \rangle_1 = u_1\bar{e}_1 + u_2\bar{e}_2 + u_3\bar{e}_3 \]

The now non-zero 1-blade can be used to perform user authorization, for example, where every time the user tries to access a restricted area or service he provides the 1-blade of his multivector, $\langle \bar{U} \rangle_1$. The central authority/administrator uses this 1-blade to perform two simultaneous operations:

1. A dot product with the 1-blade piece of the system's key $\langle \bar{S} \rangle_1$:

\[ \langle \bar{U} \rangle_1 \cdot \langle \bar{S} \rangle_1 = \text{scalar} \]

2. and a dot product with the 2-blade vector representation ($\bar{w}$) of the multivector $\bar{U}$:

\[ \langle \bar{U} \rangle_1 \cdot \bar{w} = \text{scalar} \]

If and only if both results equal zero it means that the 1-blade of $\bar{U}$ is an orthogonal vector to the plane of $\bar{w}$ and $\langle \bar{S} \rangle_1$, and thus is authorized to access the requested service. Without knowing what $\langle \bar{S} \rangle_1$ is, the only way of coming up with an orthogonal vector that fulfills the requirement is by brute force.
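The registration and authorization steps above, written out with plain 3-vectors as an added example (not code from the thesis or from EDCHE). The function names, the integer ID and key values, and the explicit rejection of an empty 1-blade are assumptions of this sketch; it uses the identity that, in 3D, the pseudo-scalar times a wedge product equals minus the ordinary cross product.

```python
def cross(a, b):
    """Standard Euclidean cross product of two 3-vectors."""
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def id_vector(u12, u13, u23):
    """Vector w whose product with the pseudo-scalar is the ID bivector:
    w1 = u23, w2 = -u13, w3 = u12."""
    return (u23, -u13, u12)


def issue_credential(w, s1):
    """Registration: the 1-blade j(w ^ <S>_1), i.e. minus the cross product w x s1."""
    u = tuple(-c for c in cross(w, s1))
    if not any(u):
        # w parallel to the key 1-blade leaves the 1-blade empty, which is
        # indistinguishable from the unregistered state.
        raise ValueError("ID vector is parallel to the key 1-blade")
    return u


def authorize(u, w, s1):
    """Authorization: both dot products must be exactly zero.

    Integer coefficients keep the comparison exact; with floating point the
    test would need a tolerance. An empty 1-blade is the unregistered state
    and is refused before the dot products are evaluated.
    """
    if not any(u):
        return False
    return dot(u, s1) == 0 and dot(u, w) == 0


if __name__ == "__main__":
    w = id_vector(u12=2, u13=7, u23=4)   # constructed user ID bivector
    s1 = (3, 1, 5)                       # constructed 1-blade of the system key
    u = issue_credential(w, s1)
    print("credential:", u)
    print("valid credential accepted:", authorize(u, w, s1))
    print("altered credential accepted:", authorize((37, 14, -24), w, s1))
    print("empty 1-blade accepted:", authorize((0, 0, 0), w, s1))
```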

4.8 Secret Key Exchange

4.8.1 Diffie-Hellman

Consider a scenario where Alice and Bob desire to share a secret key so they can communicate with each other making use of a symmetric encryption through an insecure channel. By an insecure channel it is implied that every single piece of data that is exchanged in that channel is accessible and observed by an adversary Eve. The problem here is how to start the communication. If Alice and Bob already share a secret key, they can just use it. However, given that Alice and Bob are in different locations and must use a remote channel for communication, how to start this process in a secure way? It was exactly for solving this kind of problem that Diffie and Hellman provided a possible solution based on an insight of the difficulty of the discrete logarithm problem for $\mathbb{F}_p^{*}$ [16]. Following the Diffie-Hellman protocol, Alice and Bob need to agree on a large prime $p$ and a nonzero integer $g$ modulo $p$. Alice and Bob make $g$ and $p$ public knowledge, which means Eve will know $g$ and $p$ as well. Then Alice chooses a secret integer $a$ that will remain secret. Bob will choose a secret integer $b$. So $a$ and $b$ are never disclosed: Alice does not know what $b$ is and Bob does not know what $a$ is. Alice will compute $A$ and Bob will compute $B$ as follows:

\[
\begin{aligned}
A &\equiv g^{a} \pmod{p} \\
B &\equiv g^{b} \pmod{p}
\end{aligned}
\]

Alice sends $A$ to Bob and Bob sends $B$ to Alice. So obviously, $A$ and $B$ are public, thus known by Eve. Then Alice computes $A'$ and Bob computes $B'$ as follows:

\[
\begin{aligned}
A' &\equiv B^{a} \pmod{p} \\
B' &\equiv A^{b} \pmod{p}
\end{aligned}
\]

where

\[ A' \equiv B^{a} \equiv \left(g^{b}\right)^{a} \equiv g^{ab} \equiv A^{b} \equiv B' \pmod{p} \]

The Diffie-Hellman exchange is summarized in the table below [16]:

Public Parameter Creation

A trusted party chooses and publishes a (large) prime $p$ and an integer $g$ having large prime order in $\mathbb{F}_p^{*}$.

Private Computations

| Alice | Bob |
|---|---|
| Choose a secret integer $a$. | Choose a secret integer $b$. |
| Compute $A \equiv g^{a} \pmod{p}$ | Compute $B \equiv g^{b} \pmod{p}$ |

Public Exchange of Values

| Alice | | Bob |
|---|---|---|
| Alice sends $A$ to Bob | $A \longrightarrow$ | |
| | $\longleftarrow B$ | Bob sends $B$ to Alice |

Further Private Computations

| Alice | Bob |
|---|---|
| Compute the number $B^{a} \pmod{p}$ | Compute the number $A^{b} \pmod{p}$ |

The shared secret value is $B^{a} \equiv \left(g^{b}\right)^{a} \equiv g^{ab} \equiv A^{b} \pmod{p}$.

Table 4.1: Diffie-Hellman Key Exchange

Now Alice and Bob have a shared secret key and they can start the communication securely.

4.8.2 A New Key Exchange Method

Diffie-Hellman is an elegant mathematical solution for the key exchange problem. Most of the EDCHE routines consider that a secret key was already agreed under the Diffie-Hellman protocol. In this section a new key exchange method is introduced. It is important to notice that Diffie-Hellman is still necessary: this new key exchange method still requires an initial secret key. Thus, the proposed secret key protocol does not aim to replace Diffie-Hellman; instead, it provides a way of updating the secret key for already established secret key communities. For this example, Alice and Bob start with the same secret keys, which will only be used for the very first transmission. After that, each transmission will carry the key for the next transmission, which will be generated by following a special protocol with some variations.

4.8.2.1 The setup

Everything starts with the two first secret keys: $\bar{S}_{1_1}$ and $\bar{S}_{2_1}$, randomly generated.

4.8.2.2 The first exchange

Alice wants to send a message to Bob, which will be $\bar{M}_1$. In the first exchange, the ciphertext is generated as follows:

$$\bar{C}_1 = \bar{S}_{1_1} \bar{M}_1 \bar{S}_{2_1}$$

Note that $\bar{M}_1$ will only be known by Bob (or whoever else is in possession of the shared secret keys). Bob will then receive and decrypt the message as follows:

$$\bar{M}_1 = \bar{S}_{1_1}^{-1} \bar{C}_1 \bar{S}_{2_1}^{-1}$$

4.8.2.3 The protocol

Now Bob wants to send a message to Alice. Since the idea was to use the initial keys only one time, they need now a protocol for key generation. Let the rationalize of a multivector (which gives a scalar) be represented by $R(\bar{M})$, where $\bar{M}$ is any given multivector. The protocol for generating the first key is:

$$S_{1_2} = \left( R(\bar{M}_1)^2 \times R(\bar{M}_1)^3 \right) \bmod 2^{bits}$$


where bits is the desirable key size in bits. This modular operation will keep the key size under the specified number of bits.

Since the above expression will generate a scalar, $S_{1_2}$ will be converted to multivector as $\bar{S}_{1_2}$. The second key is generated as follows:

$$S_{2_2} = \left( R(\bar{M}_1)^3 \times R(\bar{M}_1)^4 \right) \bmod 2^{bits}$$

Since the above expression will generate a scalar, $S_{2_2}$ will be converted to multivector as $\bar{S}_{2_2}$.

Now, Bob will create $\bar{C}_2$ from $\bar{M}_2$ as follows:

$$\bar{C}_2 = \bar{S}_{1_2} \bar{M}_2 \bar{S}_{2_2}$$

Alice knows what the previous message and the previous keys were. So she can generate the second key pair:

$$S_{1_2} = \left( R(\bar{M}_1)^2 \times R(\bar{M}_1)^3 \right) \bmod 2^{bits}$$

$$S_{2_2} = \left( R(\bar{M}_1)^3 \times R(\bar{M}_1)^4 \right) \bmod 2^{bits}$$

By converting $S_{1_2}$ and $S_{2_2}$ to multivectors, Alice will recover $\bar{M}_2$ as follows:

$$\bar{M}_2 = \bar{S}_{1_2}^{-1} \bar{C}_2 \bar{S}_{2_2}^{-1}$$

Notice that only the first exchange uses the initial secret keys. In order to create the keys for the next exchange, the user uses the Rationalize of the previous message (which is only known by the key holders) modulo a power of two in order to keep the key under a certain bit size. As an example, let us say that Alice wants to send $\bar{M}_3$ to Bob. Alice will first create the new key pair:

$$S_{1_3} = \left( R(\bar{M}_2)^2 \times R(\bar{M}_2)^3 \right) \bmod 2^{bits}$$

$$S_{2_3} = \left( R(\bar{M}_2)^3 \times R(\bar{M}_2)^4 \right) \bmod 2^{bits}$$


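Then, Alice will create $\bar{C}_3$ from $\bar{M}_3$ as follows:

$$\bar{C}_3 = \bar{S}_{1_3} \bar{M}_3 \bar{S}_{2_3}$$

Since Bob has the ability of computing $\bar{S}_{1_3}$ and $\bar{S}_{2_3}$, Bob will recover $\bar{M}_3$ as follows:

$$\bar{M}_3 = \bar{S}_{1_3}^{-1} \bar{C}_3 \bar{S}_{2_3}^{-1}$$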

And this process goes on as long as it is necessary. There is no need to store the whole exchange chain. The only thing necessary is to keep a record of the previous message and keys.

4.8.2.4 A Variation of The Protocol

Another way to generate unique keys for each exchange is to pack the message multivector using only certain coefficients and leaving some other coefficients for carrying the next key. As an example, one protocol could state that the message will be packed using the vector and bivector parts of the multivector. The scalar and parts would be used for carrying the next key, which would be randomly generated. This variation adds true randomness to each exchange. For instance, given the message m, the multivector $\bar{M}$ would be configured as follows:

$$\bar{M} = \underbrace{m_0\bar{e}_0}_{\text{reserved for the key}} + \underbrace{m_1\bar{e}_1 + m_2\bar{e}_2 + m_3\bar{e}_3}_{\text{reserved for the message}} + \underbrace{m_{12}\bar{e}_{12} + m_{13}\bar{e}_{13} + m_{23}\bar{e}_{23}}_{\text{reserved for the message}} + \underbrace{m_{123}\bar{e}_{123}}_{\text{reserved for the key}}$$

$\bar{S}_{1_1}$ and $\bar{S}_{2_1}$ are the initial keys, randomly generated. They will be used for creating $\bar{C}_1$ and recovering $\bar{M}_1$. For the second exchange on, the protocol for creating the keys works as follows:

$$S_{1_2} = \left( (m_0\bar{e}_0)^2 \times (m_{123}\bar{e}_{123})^3 \right) \bmod 2^{bits}$$

$$S_{2_2} = \left( (m_0\bar{e}_0)^3 \times (m_{123}\bar{e}_{123})^4 \right) \bmod 2^{bits}$$

This scheme, for the second exchange on, always takes into consideration the previous message, which contains not only the message but also the "seed" for the new keys, which were randomly generated.


4.8.2.5 The Protocol as a Signature

The protocol could work as a signature, an agreement between the parties. So the protocol could be unique per shared secret community, which creates another layer of security. It is important to notice that the initial keys are not reused, neither as a whole nor in part. The new keys are the result of a mathematical function operating on the previous message, which works as a seed. One could argue that, in the first version of the protocol, in case the message is the same (a repeated message) the next keys would also be repeated (which is true). There are indeed many ways to avoid this (which could be achieved by using counters of a clock mechanism); however, the goal of this document is to provide an introduction to the subject, keeping things simple at this stage. Even so, the second version of the protocol does not run the same risk of repeated messages leading to repeated keys, since the coefficients reserved for holding the new key seeds would be randomly generated.

4.8.2.6 Final considerations on the protocol

Attacks such as the Known Plaintext Attack (KPA) consider the ability of the attacker to generate several ciphertexts for known plaintexts and then solve for the secret key by creating a system of equations. This option is not available here since no key pair will be used twice, no matter which version of the protocol is being used. The "seed" for new keys comes from secret elements. No public data or data available at rest or in transit is used. So the only way of getting access to the source of the next keys is not only knowing the original secret keys but also knowing the most recent received message. The examples on how to build the protocol here are merely illustrative. It could follow more complex mathematical constructions.

4.9 Sending without sending

Sending Without Sending (SWS), which we also refer to as “ghost” transmission, is a form of payload transmission that is enabled by a series of Geometric Algebra operations. It is a way to send sensitive data without that data being represented in any manner within the payload of the transmitted message. The sensitive data is reconstructed using auxiliary information transmitted separately. In this chapter we present a simple example where we wish to send a sensitive piece of information, the number 221. Recall that each of the coefficients of the multivectors that form the payload can be a very long number string and comprise the entire message. Using a small number facilitates the numeric example below. Recall also that the distribution of the number string into the multivector can be arbitrary.

4.9.1 Why Sending Without Sending?

The benefit of implementing a routine such as Sending Without Sending comes from the ability of creating a partition data set of encrypted data. In this setting, it is possible to establish multiple transmissions, each one with the same security properties discussed previously. However, the transmitted data doesn’t make any sense individually. In order to retrieve the correct information, the receiver should not only possess the proper secret key but also the complete set of transmitted data. This is another layer of security with EDCHE.

4.9.2 The Ghost Transmission Protocol

The Ghost Transmission Protocol can be summarized as creating, organizing and sending a data set composed of three multivectors which will be transmitted one at a time. The overall structure of the protocol is listed below:

1. Message and key setup: defining the message $\bar{M}$ and the secret multivector $\bar{S}$.

2. Data set configuration: calculating the required data set $\bar{J}$, $\bar{D}'$, $\bar{N}'$, $\bar{N}''$, $\bar{D}''$ and $\bar{N}_1$.

3. Payload transmission: sending $\bar{N}'$, $\bar{D}''$ and $\bar{N}_1$.

4. Data set interpretation: calculating $\bar{T}$ and $\bar{V}$ from the received payload.

5. Message recovery: recovering $\bar{M}$.

Next we will detail each step with a numerical example.


4.9.3 Message and key setup

Let

$$\bar{M} = 2 + 5e_1 + 3e_2 + 221e_3 + 9e_{12} + 6e_{13} + 13e_{23} + 26e_{123}$$

$$\bar{S} = 12 + 22e_1 + 63e_2 + 98e_3 + 43e_{12} + 76e_{13} + 71e_{23} + 84e_{123},$$

where in the message multivector $\bar{M}$, the coefficient $m_3$ represents the sensitive information that Alice wants to send to Bob. The multivector $\bar{S}$ is the secret key.

4.9.4 Data set configuration

The purpose of configuring the data set is to build the set of multivectors required for the transmission. In this step, the following multivectors will be created: $\bar{J}$, $\bar{D}'$, $\bar{N}'$, $\bar{N}''$, $\bar{D}''$ and $\bar{N}_1$. Let $\bar{J}$ be the geometric product between $\bar{M}$ and $\bar{S}$, thus

$$\bar{J} = \bar{M}\bar{S}$$

$$\bar{J} = 18031 - 18604e_1 - 11758e_2 + 616e_3 + 22117e_{12} - 5958e_{13} - 12765e_{23} + 10900e_{123}$$

Let $\bar{D}'$ be the null multivector (an arbitrary multivector created for each message in order to “erase” any trace of $e_3$ in $\bar{M}$)

$$\bar{D}' = (m_3e_3 \cdot s_3e_3) + 0e_1 + 0e_2 + 0e_3 + 0e_{12} + \left((m_2e_2 \cdot s_3e_3) - (m_3e_3 \cdot s_2e_2)\right)e_{13} + \left((m_1e_1 \cdot s_3e_3) - (m_3e_3 \cdot s_1e_1)\right)e_{23} + 0e_{123},$$

which yields

$$\bar{D}' = 21658 + 0e_1 + 0e_2 + 0e_3 + 0e_{12} - 13629e_{13} - 4372e_{23} + 0e_{123}.$$


Let $\bar{N}'$ be the difference between $\bar{J}$ and $\bar{D}'$

$$\bar{N}' = \bar{J} - \bar{D}'$$

$$\bar{N}' = -3627 - 18604e_1 - 11758e_2 + 616e_3 + 22117e_{12} + 7671e_{13} - 8393e_{23} + 10900e_{123}.$$

Let $\bar{N}''$ be the sum between $\bar{J}$ and $\bar{D}'$

$$\bar{N}'' = \bar{J} + \bar{D}'$$

$$\bar{N}'' = 39689 - 18604e_1 - 11758e_2 + 616e_3 + 22117e_{12} - 19587e_{13} - 17137e_{23} + 10900e_{123}.$$

Let $\bar{D}''$ be the geometric product between $\bar{D}'$ and $\bar{J}^{-1}$

$$\bar{D}'' = \bar{D}'\bar{J}^{-1}\bar{D}'$$

$$\bar{D}'' = 15548.48 + 27623.70e_1 - 10613.27e_2 - 14137.77e_3 - 35530.18e_{12} - 8178.83e_{13} - 9345.46e_{23} - 912.44e_{123}.$$

Finally, let $\bar{N}_1$ be the geometric product between $\bar{N}''$ and $\bar{J}^{-1}$

$$\bar{N}_1 = \bar{N}''\bar{J}^{-1}$$

$$\bar{N}_1 = 2.34 + 1.21e_1 + 0.30e_2 + 0.65e_3 - 0.86e_{12} - 0.50e_{13} + 1.13e_{23} + 0.67e_{123}.$$

4.9.5 Payload transmission

Upon creating the set of multivectors described above, Alice sends $\bar{N}'$, $\bar{D}''$, and $\bar{N}_1$ to Bob.

4.9.6 Data set interpretation

Once Bob receives $\bar{N}'$, $\bar{D}''$ and $\bar{N}_1$, the first step is to recover the contents of the multivector $\bar{J}$. First, the receiver will compute $\bar{V}$ as

$$\bar{V} = \bar{N}_1\bar{N}' = \bar{N}''\bar{J}^{-1}\left(\bar{J} - \bar{D}'\right) = \bar{N}'' - \bar{N}''\bar{J}^{-1}\bar{D}'$$

$$= \bar{J} + \bar{D}' - \left(\bar{J} + \bar{D}'\right)\bar{J}^{-1}\bar{D}' = \bar{J} + \bar{D}' - \bar{D}' - \bar{D}'\bar{J}^{-1}\bar{D}',$$

which results in

$$\bar{V} = -9125.53 - 56498.22e_1 - 12056.47e_2 + 4366.83e_3 + 58261.12e_{12} + 19348.55e_{13} - 19647.83e_{23} - 2436.26e_{123}$$

In order to fully recover $\bar{J}$, Bob will add $\bar{D}''$ to $\bar{V}$, which yields

$$\bar{T} = \bar{V} + \bar{D}'' = \bar{J} + \bar{D}' - \bar{D}' - \bar{D}'\bar{J}^{-1}\bar{D}' + \bar{D}'\bar{J}^{-1}\bar{D}'$$

$$\bar{T} = \bar{J}.$$

Substituting for $\bar{V}$ and $\bar{D}''$ we have

$$\bar{T} = 18031 - 18604e_1 - 11758e_2 + 616e_3 + 22117e_{12} - 5958e_{13} - 12765e_{23} + 10900e_{123} = \bar{J}.$$

4.9.7 Message recovery

Recall that the content in $\bar{J}$ was recovered as the multivector $\bar{T}$. Also, recall that $\bar{J}$ was originally calculated through a geometric product between the message $\bar{M}$ and the secret $\bar{S}$. Therefore, in order to recover the message $\bar{M}$, the receiver will perform a geometric product between $\bar{T}$ and the inverse of the secret, $\bar{S}^{-1}$, as follows:

$$\bar{M}_r = \bar{T}\bar{S}^{-1},$$

allowing him to recover

$$\bar{M}_r = 2 + 5e_1 + 3e_2 + 221e_3 + 9e_{12} + 6e_{13} + 13e_{23} + 26e_{123},$$

where $\bar{M}_r$ is the recovered message. Note that as the original message is recovered, the sensitive information can be extracted from the $m_3$ coefficient.
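The numeric example of sections 4.9.3 to 4.9.7 run end to end, as an added Python example that is not part of the thesis. The `MV` class, the bitmask encoding of the basis blades and the function names are this example's own; the inverse is computed with the usual closed form for 3D multivectors, and exact fractions are used so that T equals J without rounding.

```python
from fractions import Fraction
from itertools import product

# Basis blades of Cl(3,0) as bitmasks (bit 0 = e1, bit 1 = e2, bit 2 = e3),
# listed in the page's coefficient order: 1, e1, e2, e3, e12, e13, e23, e123.
ORDER = [0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111]

def blade_sign(a, b):
    """Sign picked up when the product of blades a and b is put in canonical order."""
    swaps, a = 0, a >> 1
    while a:
        swaps += bin(a & b).count("1")
        a >>= 1
    return -1 if swaps & 1 else 1

class MV:
    """3D multivector with exact rational coefficients (hypothetical helper class)."""
    def __init__(self, coeffs):
        self.c = {k: Fraction(x) for k, x in zip(ORDER, coeffs)}
    def coeffs(self):
        return [self.c[k] for k in ORDER]
    def __eq__(self, other):
        return self.c == other.c
    def __add__(self, other):
        return MV([x + y for x, y in zip(self.coeffs(), other.coeffs())])
    def __sub__(self, other):
        return MV([x - y for x, y in zip(self.coeffs(), other.coeffs())])
    def __mul__(self, other):
        """Geometric product (every basis vector squares to +1)."""
        out = dict.fromkeys(ORDER, Fraction(0))
        for a, b in product(ORDER, repeat=2):
            out[a ^ b] += blade_sign(a, b) * self.c[a] * other.c[b]
        return MV([out[k] for k in ORDER])
    def _flip(self, grades):
        return MV([-v if bin(k).count("1") in grades else v for k, v in self.c.items()])
    def reverse(self):
        return self._flip({2, 3})
    def clifford(self):
        return self._flip({1, 2})
    def inverse(self):
        """A^-1 = conj(A) (A conj(A))^dagger / R(A), R(A) being the Rationalize."""
        aa = self * self.clifford()
        r = (aa * aa.reverse()).c[0]
        if r == 0:
            raise ZeroDivisionError("multivector is not invertible")
        return MV([x / r for x in (self.clifford() * aa.reverse()).coeffs()])

def null_multivector(m, s):
    """D' of section 4.9.4: only the scalar, e13 and e23 slots are non-zero."""
    _, m1, m2, m3, *_ = m.coeffs()
    _, s1, s2, s3, *_ = s.coeffs()
    return MV([m3 * s3, 0, 0, 0, 0, m2 * s3 - m3 * s2, m1 * s3 - m3 * s1, 0])

def sws_send(m, s):
    """Alice: build J, D', N', N'' and return the payload (N', D'', N_1)."""
    j = m * s
    d_prime = null_multivector(m, s)
    j_inv = j.inverse()
    n_prime, n_dprime = j - d_prime, j + d_prime
    return n_prime, d_prime * j_inv * d_prime, n_dprime * j_inv

def sws_receive(payload, s):
    """Bob: V = N_1 N', T = V + D'' = J, then M_r = T S^-1."""
    n_prime, d_dprime, n_one = payload
    t = n_one * n_prime + d_dprime
    return t * s.inverse()

M = MV([2, 5, 3, 221, 9, 6, 13, 26])       # message from the page, m3 = 221
S = MV([12, 22, 63, 98, 43, 76, 71, 84])   # secret key from the page

if __name__ == "__main__":
    payload = sws_send(M, S)
    recovered = sws_receive(payload, S)
    print("J coefficients:", [int(x) for x in (M * S).coeffs()])
    print("recovered m3:", recovered.coeffs()[3])
    # Leaving D'' out of the reconstruction gives V instead of J
    print("recovery without D'':", (payload[2] * payload[0]) * S.inverse() == M)
```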

4.10 Hierarchy Identity-Based Encryption

Why so many different types of solutions for security? Cryptology is a field of knowledge in constant evolution. This evolution is directly affected by the levels of sophistication that civilization reaches, which require new types and levels of communication between two (or more) geographically distant parties. There are consolidated methods for private and public key encryption, such as RSA and AES, for solving encryption problems and providing secure communication for two or more parties. In 1984 Shamir introduced [30] the concept of identity-based encryption, IBE, which is a variation of the public key encryption scheme where the public key of a user can be any string such as the user’s email. If Bob wants to send a message to Alice he will use Alice’s email as the public key, eliminating the need for a Certificate Authority to verify the public key. This approach aims to simplify certificate management. Shamir states that by doing so, the cryptographic aspects of the communication become almost transparent to the user, and it can be used effectively by those who know nothing about keys or protocols.

Shamir proposed a set of algorithms for implementing IBE, which will not be discussed here. Since it is an asymmetric encryption scheme and follows a completely different approach, this section will be limited to an introduction on how to apply different levels of encryption using multivectors for different shared secret communities, given a symmetric encryption scheme such as EDCHE.

A 3D multivector has four blades and eight coefficients. Probably the simplest example of making use of the multivector structure for creating a ciphertext would be creating a ciphertext multivector where each blade or each coefficient is a different ciphertext generated with a different shared secret. The example below shows a ciphertext multivector that consists of coefficients yielded by a function r(x) that transforms a multivector into a scalar. Its reverse function builds the multivector again from the scalar.

Figure 4.3: Multi-Ciphertexts Multivector


Another example is to use the approach of nested ciphertext multivectors. The same function r(x), given a multivector passed as argument, returns a number that can be organized as individual coefficients or blades. In the example below, the blades 0 and 1 are used for the message being read at the current level of hierarchy. The blades 2 and 3 are the ciphertext for a higher level of hierarchy. If the current level has no access to the higher level, the message will only be read up to that point. As long as someone has access to the next level, the ciphertext can be read in rounds of decryption until reaching the blades 2 and 3 with zero content.

Figure 4.4: Nested Ciphertexts

There are many approaches for implementing a function such as r(x) that enables Multi-Ciphertexts and Nested Ciphertexts for achieving an IBE-like type of implementation with EDCHE. The function r(x) will not be discussed in this section because it would be necessary to introduce additional subjects which are all outside the scope of this work. These two different types of multivector organization for implementing IBE-like schemes are given as an introductory discussion to the subject from an EDCHE standpoint.


4.11 Continuous Authentication

In a setting where the continuous transmission of data occurs, it is practicable to encode the sequence number of each message in the “conversation.” Messages may be sent deliberately out of sequence to increase confusion. Messages may also be received out of sequence due to communication limitations. Examples of conversations that may utilize Secure Message Sequence Indexing are the encrypted frames of video, live audio feed, or tracking data. This sequence of communications takes into consideration that both parties agreed on the shared secret using the Diffie-Hellman key exchange protocol. For more details on how the Diffie-Hellman key exchange works, refer to [20]. Cryptotext Interlacing may be summarized as follows: $\bar{T}$ is used in Secure Message Sequence Indexing as the “conversation ID”. Whenever Alice wants to establish a communication with Bob, she will create and send $\bar{T}$. This is how a conversation is started. Every message that uses as a base for identification is a message that belongs to a conversation identified by a certain . Each time a message is created, $\bar{T}$ is translated by the function $\bar{T}_n = T(\bar{T}, n)$ in order to refer to the “message ID”. The procedure is:

1. Alice creates a time stamp in the format of a multivector $\bar{T}$. This information plays the role of a “conversation ID” and is sent to Bob.

2. Alice then creates the message $\bar{M}_n$, where $n = 1, 2, \ldots, N$ is the message index and denotes the sequence, and encrypts it as $\bar{C}_n = \bar{M}_n\bar{S}_n$.

3. Before signing and packing the cryptotext $\bar{C}_n$, Alice creates her “timed signature” as follows:

$$\bar{S}_A^n = \bar{T}_n\bar{S}_A^0$$

where $\bar{T}_n$ is the “translated” multivector by the sequence index as result of a scalar-multivector product $n\bar{T}$.

4. Alice uses the “Continuous Authentication” method to sign and pack the cryptotext as:

$$\bar{P}_n = \bar{S}_A^n\bar{C}_n + \bar{C}_n\bar{S}_B^0$$

5. Alice sends both $\bar{P}_n$ and $\bar{T}_n$ to Bob.

6. When Bob receives $\bar{T}_n$ he is able to identify the sequence number of the current message by computing:

$$n = \bar{T}_n^{-1}\bar{T}$$

7. Knowing $n$, Bob computes Alice’s timed-signature and uses this signature as an input to unpack $\bar{C}_n$ by performing

−1 ¯ ¯0 ¯0 ¯n −1 ¯n ¯0 ¯n ¯n −1 ¯ ¯0 ¯ Cn = SB + SB + SA SBSB + SA SA PnSB + Pn ⇣ 6 7 ⌘ ⇣6 7 ⌘

8. Once Bob recovers $\bar{C}_n$ he can decrypt the message using the inverse of the shared secret key $\bar{S}_s$:

$$\bar{M}_n = \bar{C}_n\left(\bar{S}_s\right)^{-1}$$

This sequence is performed for every message $\bar{M}_n$ that Alice sends.

Figure 4.5: Continuous Authentication


4.12 EDCHE With Real Secret Keys

EDCHE operates on the field of real numbers. In mathematics, real numbers include all the rational numbers (positive and negative integers, and fractions), and all the irrational numbers (such as $\sqrt{2}$). Within the rationals are the transcendental numbers (such as $\pi$). Real numbers are also referred to as points on an infinitely long line (the number line or real line), where the points corresponding to integers are equally spaced and the real numbers are determined by a possibly infinite decimal representation, where each consecutive digit is measured in units one tenth the size of the previous one. The real line is also a part of the complex plane, and complex numbers include real numbers. The real numbers are uncountable, meaning literally that they form an infinite set that contains too many elements to be countable. The uncountability of a set is closely related to its cardinal number: a set is uncountable if its cardinal number is larger than that of the set of all natural numbers. The set of all real numbers is an infinite set. The cardinality of the set of all real numbers is strictly greater than the cardinality of the set of all natural numbers. Here, the highlighted characteristics of real numbers are:

1. Points on an infinitely long line;

2. Infinite decimal representation;

3. Real numbers are uncountable;

4. Infinite set;

5. Too many elements.

In EDCHE, the coefficients of a multivector can be real numbers. Operations like geometric product, reverse and Clifford conjugation generate positive and negative coefficients. Operations like scalar division and inverse generate rational numbers. Considering the arbitrary creation of a multivector, its coefficients can be any real number. Multivectors and operations over real numbers carry the characteristics highlighted previously.

This document shows some examples of the use of real numbers as coefficients of secret key multivectors, here called real secret keys. An attack over a ciphertext multivector generated using real secret keys would consider infinite possibilities. While a regular secret key consists of a multivector with positive integer coefficients, a real secret key might have any of the members of the real numbers set.

4.12.1 Encryption With Real Secret Keys

The EDCHE encryption primitive is given by two equations and the user can choose one of them. They are 1) Sylvester’s equation and 2) the triple product. For the examples provided in this document, the triple product will be applied.

The real secret keys $\bar{S}_1$ and $\bar{S}_2$ are arbitrarily defined as

$$\bar{S}_1 = -25 + 12.94e_1 - 5.271e_2 + 92e_3 + 37.4312e_{12} - 0.2e_{13} + 8e_{23} - 33.79472e_{123}$$

$$\bar{S}_2 = -2.3 - 9.4e_1 + 3e_2 + 2.75e_3 - 0.5e_{12} + 9e_{13} + 1.943e_{23} + 7e_{123}$$

The coefficients of the real secret multivectors include positive and negative integers, and positive and negative rational numbers with 1, 2, 3, 4 and 5 decimals. Anyone trying to guess the content of the real secret keys would have to face the following questions: Which coefficients are positive? Which coefficients are negative? Which coefficients are integers? Which coefficients are rational? How many decimal places do the rational coefficients have? Which rational coefficients are positive or negative? The possibilities of combinations and values are countless. The message $\bar{M}$ is defined as

$$\bar{M} = 2 + 6e_1 + 13e_2 + 9e_3 + 5e_{12} + 7e_{13} + 21e_{23} + 16e_{123}$$

The ciphertext $\bar{C}$ is given by

$$\bar{C} = \bar{S}_1\bar{M}\bar{S}_2$$

$$\bar{C} = -20863.59248004 + 12829.14487252e_1 + 28111.0094438e_2 + 4850.72953168e_3 - 48720.58397608e_{12} + 20334.57897456e_{13} - 15765.16412964e_{23} + 50237.14558596e_{123}$$


The decryption process is given by

$$\bar{M} = \bar{S}_1^{-1}\bar{C}\bar{S}_2^{-1}$$

$$\bar{M} = 2 + 6e_1 + 13e_2 + 9e_3 + 5e_{12} + 7e_{13} + 21e_{23} + 16e_{123}$$

Any change in the signs of the multivector or in the number of decimals of the rational coefficients will affect the outcome. The application of real secret multivectors adds even more security to an EDCHE ciphertext. The EDCHE encryption primitive involves the use of two secret keys to encrypt a message either via Sylvester’s equation or triple geometric product. Both ways generate a ciphertext that only a secret key holder can decrypt. When the secret keys are unique per encryption process, the relationship of more unknowns than equations of the algebraic expression is preserved, making the solution for the ciphertext multivector a consistent underdetermined system (a solvable system of equations with infinite solutions). If the parties decide to use the secret keys for more decryption processes, the underdetermined system could be preserved by masking the ciphertext with some operation that "removes" the algebraic relationship with the original multivectors, such as the XOR operation with one of the secret keys. Building the secret keys using a variety of possibilities in the field of real numbers adds a very important layer of security on the ciphertext. A system of equations that attempts to solve for the ciphertext generated using real secret keys would be impracticable because not only is the system underdetermined but there are also infinite combinations in the range of real numbers for each coefficient. One small change in the precision of a single coefficient will lead to an incorrect result. The real secret key may not be a solution for all types of systems, since some specific IoT devices or embedded systems could not support floating points. In those cases, the regular secret key is applied. For the majority of the cases though, the real secret key could be a perfect fit.

4.13 Generating Keys from Existing Keys

There are many options for managing the pair of secret keys used to create the primitive on both the Sylvester’s Equation and triple product. They can either be arbitrarily defined, randomly generated, calculated from a given input, or a combination of the previous options, among many other sources and procedures. In this chapter, one possible scheme for generating a key from an existing key is presented.

4.13.1 Rationalize - A One Way Function

A function is said to be one-way if it is easy to compute in one direction for every input but infeasible to revert. One very simple example is the boolean functions: given the exclusive knowledge of the value true or false that came out as the result of a certain function or operation, how could one find out the original input? There are, literally, infinite possibilities. EDCHE makes use of a special GA function that is originally used to compute the denominator of the equation that calculates the inverse of a multivector. This function was first introduced in Eq. (3.26). Loosely speaking, this GA function takes a multivector as input and generates a scalar. For that reason, in EDCHE, the Rationalize is also called a 0-blade reduction operation. Recall that the Rationalize function for 3D is given by:

$$R\left(\bar{A}\right) = \left(\bar{A}\,\overline{\bar{A}}\right)\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger}$$

It is worthwhile pointing out that the Rationalize is dimension-sensitive, meaning that for higher dimensions, i.e., $n > 3$, different equations will apply. From the resulting scalar, it is infeasible to revert the Rationalize process and recover the original multivector $\bar{A}$. Similarly to what happens with boolean functions, if one decided to solve this problem, it would be necessary to take infinite possibilities into consideration.

4.13.2 Generating $\bar{S}_2$ from $\bar{S}_1$ via Rationalize

Although the encryption processes using both Sylvester’s equation and the triple product apply a pair of secret keys, this doesn’t mean the user should store both keys. EDCHE can dynamically calculate keys from an existing key by using GA functions. One way of accomplishing this process is through the Rationalize function explained in the previous Chapter. Assuming the first secret key $\bar{S}_1$ is already defined, the second secret key is calculated as follows:

$$\bar{S}_2 = \mathrm{NTM}\left(R\left(\bar{S}_1\right)\right) \qquad (4.9)$$

where $\mathrm{NTM}(\cdot)$ here represents the function that converts a number to a multivector.

Figure 4.6: Key Generation via Rationalize

4.14 Automatic Key Update

In order to avoid attacks as discussed in Chapter 3, one strategy is to change the secret keys each time a message is encrypted. In that sense, the relationship of more unknowns than available equations in a linear system is preserved. In this chapter, the "freshness" of the key is implemented by two strategies: (1) translation by scalar multiplication, and, (2) translating keys with Rationalize. Although very efficient, it is important to highlight these are not the only possible techniques for key translation.

4.15 Multivector translation

Recall that a multivector is a “collection” of geometric elements, such as vectors, bi-vectors, etc. Therefore, the translation can be understood as a geometric transformation that moves every point of a figure or a space by the same amount in a given direction. Loosely speaking, a translation operation could either stretch or shorten the geometric elements of a multivector. By applying the vector rules to the multivector space, in EDCHE, a translation of a multivector can be defined by:

$$T_\delta\left(\langle \bar{A} \rangle_i\right) = f\left(\langle \bar{A} \rangle_i\right) + \delta, \qquad (4.10)$$

where $T_\delta$ is a translation operator. For example, if $\bar{A}$ is a 1-vector and $\delta$ is a fixed 1-vector, then the translation $T_\delta$ is given by

$$T_\delta = \bar{A} + \delta \qquad (4.11)$$

and is usually achieved by using a translation matrix. Using the mathematical concept described above, assume the following scenario: Alice wants to send an encrypted message to Bob, and Alice and Bob share a secret key. In this scenario, the original secret key $\bar{S}_1$ will never be directly applied to the encryption scheme. Instead, a translation will take place.

4.15.1 Translation by scalar multiplication

One possible way for EDCHE to perform this translation is to apply a scalar multiplication (see Chapter 3) such that

$$T_\delta\left(\bar{A}\right) = \delta\bar{A} \qquad (4.12)$$

If $\delta = 2$, for example, then the operation above is equivalent to

$$T_2\left(\bar{A}\right) = 2\bar{A} = \bar{A} + \bar{A}$$

The scalar can be incremental, following an agreement between parties which allows each party to know how to precisely calculate the key that will decrypt the received ciphertext.

4.15.2 Using Multivector Translation and the Rationalize for Key Update

Given the following multivectors:

$$\bar{S}_1 = 3 + 5e_1 + 9e_2 + 2e_3 + 5e_{12} + 8e_{13} + 6e_{23} + 7e_{123}$$

$$\bar{M} = 8 + 12e_1 + 6e_2 + 21e_3 + 3e_{12} + 9e_{13} + 11e_{23} + 2e_{123}$$

where $\bar{S}_1$ is the secret key and $\bar{M}$ is the message that will be encrypted. According to Chapter 4, we can generate a second key from the first one as follows:

$$\bar{S}_2 = \mathrm{NTM}\left(R\left(\bar{S}_1\right)\right)$$

$$\bar{S}_2 = 1249 + 1715e_1 + 683e_2 + 2281e_3 + 251e_{12} + 2713e_{13} + 960e_{23} + 2009e_{123}.$$

Upon defining $\bar{S}_2$ from $\bar{S}_1$, the next step is to translate both keys. Assuming the parties agreed that the scalar $\delta$ for the translation increments by 315, the sender will compute the following:

$$T_\delta\left(\bar{S}_1\right) = \bar{S}_1^{\delta} = 315 \times \bar{S}_1$$

$$\bar{S}_1^{\delta} = 945 + 1575e_1 + 2835e_2 + 630e_3 + 1575e_{12} + 2520e_{13} + 1890e_{23} + 2205e_{123},$$

and

$$T_\delta\left(\bar{S}_2\right) = \bar{S}_2^{\delta} = 315 \times \bar{S}_2$$

$$\bar{S}_2^{\delta} = 393435 + 540225e_1 + 215145e_2 + 718515e_3 + 79065e_{12} + 854595e_{13} + 302400e_{23} + 632835e_{123},$$

where $\bar{S}_1^{\delta}$ and $\bar{S}_2^{\delta}$ are the translated keys $\bar{S}_1$ and $\bar{S}_2$, respectively. The following step makes use of the resulting translations above as input to the Rationalize function, where we compute $R\left(\bar{S}_1^{\delta}\right)$ and $R\left(\bar{S}_2^{\delta}\right)$. Finally Alice and Bob can create $\bar{S}_{1a}$ and $\bar{S}_{1b}$ as follows:

$$\bar{S}_{1a} = \mathrm{NTM}\left(R\left(\bar{S}_1^{\delta}\right)\right) \qquad (4.13)$$

$$\bar{S}_{2b} = \mathrm{NTM}\left(R\left(\bar{S}_2^{\delta}\right)\right) \qquad (4.14)$$

Then, the ciphertext multivector can be either created by the Sylvester’s equation or by the triple product.


4.16 EDCHE with XOR

For the case where tracking of “translated” keys is neither possible nor preferred given a certain scenario, a viable option to avoid the attacks discussed in Chapter 3 is to apply an XOR operation between the ciphertext and a secret key. This additional step creates a mask on the ciphertext, eliminating the possibility of establishing a system of equations in order to determine the unknowns. This chapter will provide details on how to use the XOR operation in EDCHE as an additional security layer.

4.16.1 XORing Ciphertext With Existing Keys

As mentioned early in this chapter, if keeping track of translated keys is not an option, one alternative would be to XOR the ciphertext with one of the existing secret keys, either S¯ 1 or S¯ 2. For example, let

M¯ = 8 + 12e1 +6e2 + 21e3 +3e12 +9e13 + 11e23 +2e123

S¯ 1 =3+5e1 +9e2 +2e3 +5e12 +8e13 +6e23 +7e123

S¯ 2 = 1249 + 1715e1 + 683e2 + 2281e3+

251e12 + 2713e13 + 960e23 + 2009e123.

The ciphertext multivector can be computed using the triple product, for example, as

$$\bar{C} = \bar{S}_1 \bar{M} \bar{S}_2$$

$$\bar{C} = -538703 - 452019e_1 + 1638546e_2 + 1972e_3 + 1083329e_{12} - 135636e_{13} + 1278167e_{23} + 437218e_{123}.$$

In order to perform the XOR operation, we first need to convert the multivector representation of the ciphertext to a base 10 number representation, such as

$$C_{10} = \mathrm{MTN}(\bar{C}) = 3312874,$$

where $\mathrm{MTN}(\cdot)$ denotes the operation that converts a multivector to a number. Similarly, the base 10 number representation of $\bar{S}_2$, for example, is obtained from

$$S_2 = \mathrm{MTN}(\bar{S}_2) = 11861.$$

Finally, it is possible to compute

$$C'_{10} = C_{10} \oplus S_2$$

$$C'_{10} = 3318463,$$

where $C'_{10}$ is the “masked” ciphertext that is sent to Bob. On the receiving side, Bob possesses $\bar{S}_1$, and therefore is able to calculate $\bar{S}_2$ from $\bar{S}_1$, and then $S_2$. Bob can decrypt the received $C'_{10}$ by doing

$$C_{10} = C'_{10} \oplus S_2$$

$$C_{10} = 3312874.$$

The ciphertext multivector is retrieved as follows

$$\bar{C} = \mathrm{NTM}(C_{10})$$

$$\bar{C} = -538703 - 452019e_1 + 1638546e_2 + 1972e_3 + 1083329e_{12} - 135636e_{13} + 1278167e_{23} + 437218e_{123}.$$

The last step to recover the message multivector involves the inverse of the keys:

$$\bar{M} = \bar{S}_1^{-1} \bar{C} \bar{S}_2^{-1}$$

$$\bar{M} = 8 + 12e_1 + 6e_2 + 21e_3 + 3e_{12} + 9e_{13} + 11e_{23} + 2e_{123}.$$

4.16.2 XORing Ciphertext With Special Key

There are many ways of defining the key that will be used to perform an XOR operation with the ciphertext $C_{10}$. In the previous Chapter $\bar{S}_2$ was chosen. However, one can gather all that was covered so far, with regards to key generation based on Geometric Algebra functions, to define either a new key or a set of keys, such as:

1. $\bar{S}_1$ or $\bar{S}_2$

2. $\bar{S}_1^{\delta}$ or $\bar{S}_2^{\delta}$

3. $R(\bar{S}_1)$ or $R(\bar{S}_2)$

4. $R(\bar{S}_1^{\delta})$ or $R(\bar{S}_2^{\delta})$

5. GA function on combinations of the above

In order to highlight how the special key can be obtained from a combination of the listed options, let for example the special key $\bar{S}_s$ be calculated as follows:

$$\bar{S}_s = \mathrm{NTM}\left(R\left(\bar{S}_1^{\delta}\right)\right) \bar{S}_2 \, \mathrm{NTM}\left(R\left(\bar{S}_2^{\delta}\right)\right)$$

where $\bar{S}_s$ is the result of a triple product that involves the multivector built from the rationalize of the translation of $\bar{S}_1$, $\bar{S}_2$, and the multivector built from the rationalize of the translation of $\bar{S}_2$.

4.17 EDCHE With Rational Numbers

EDCHE operates on the set of Real numbers. In most of the examples in this work, the input number is an integer and the multivector is packed with integers all the way through encryption and back. Also in most of the cases, the only time when a number that is not an integer is processed is when the inverse of a multivector is calculated. The inverse of a multivector is computed as follows:

† M MM ⇣ ⌘ † MM MM ⇣ ⌘⇣ ⌘

which involves a division. For that reason, it is necessary to care about precision, usually by using a library that handles multiple precision arithmetic. The application of such libraries (or even programming languages themselves) might not be feasible for limited devices (as often happens in IoT) or even restricted hardware infrastructures. There is a highly efficient way to perform all required mathematical operations in EDCHE without having to deal with precision at all by using Rational numbers. Numbers are members of different sets, according to their types. The graph below shows how the different types of numbers relate to each other.


Figure 4.7: Rational numbers

As the graph shows, saying that EDCHE operates with Real numbers already implies all the other sets connected to it, including the set of Rational numbers. Rational numbers are the set of numbers that can be written as a ratio of two integers. The numbers below are all rational numbers in different representations:

$$\frac{17}{3} = 5.666\ldots = 5.\overline{6} = 5\tfrac{2}{3}$$

however, in order to avoid dealing with precision, the preferred representation is:

$$\frac{\text{numerator}}{\text{denominator}}$$

where both numerator and denominator are integers. The use of rational numbers does not interfere with the Geometric Algebra operations. The only difference is that the ratio is never computed. Both numerators and denominators are carried until the result of the division is equal to the number under consideration, as follows:

$$\frac{5}{1} = 5$$


4.17.1 A Numerical Example

Given the message multivector M¯ as follows:

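$$\bar{M} = 2\bar{e}_0 + 3\bar{e}_1 + 4\bar{e}_2 + 5\bar{e}_3 + 6\bar{e}_{12} + 7\bar{e}_{13} + 8\bar{e}_{23} + 9\bar{e}_{123}$$

and the secret keys

$$\bar{S}_1 = 29\bar{e}_0 + 22\bar{e}_1 + 31\bar{e}_2 + 28\bar{e}_3 + 23\bar{e}_{12} + 17\bar{e}_{13} + 20\bar{e}_{23} + 32\bar{e}_{123}$$

$$\bar{S}_2 = 13\bar{e}_0 + 53\bar{e}_1 + 14\bar{e}_2 + 32\bar{e}_3 + 17\bar{e}_{12} + 29\bar{e}_{13} + 25\bar{e}_{23} + 12\bar{e}_{123}$$

They would all be rewritten to:

$$\bar{M} = \frac{2}{1}\bar{e}_0 + \frac{3}{1}\bar{e}_1 + \frac{4}{1}\bar{e}_2 + \frac{5}{1}\bar{e}_3 + \frac{6}{1}\bar{e}_{12} + \frac{7}{1}\bar{e}_{13} + \frac{8}{1}\bar{e}_{23} + \frac{9}{1}\bar{e}_{123}$$

$$\bar{S}_1 = \frac{29}{1}\bar{e}_0 + \frac{22}{1}\bar{e}_1 + \frac{31}{1}\bar{e}_2 + \frac{28}{1}\bar{e}_3 + \frac{23}{1}\bar{e}_{12} + \frac{17}{1}\bar{e}_{13} + \frac{20}{1}\bar{e}_{23} + \frac{32}{1}\bar{e}_{123}$$

$$\bar{S}_2 = \frac{13}{1}\bar{e}_0 + \frac{53}{1}\bar{e}_1 + \frac{14}{1}\bar{e}_2 + \frac{32}{1}\bar{e}_3 + \frac{17}{1}\bar{e}_{12} + \frac{29}{1}\bar{e}_{13} + \frac{25}{1}\bar{e}_{23} + \frac{12}{1}\bar{e}_{123}$$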

M¯ is encrypted using the triple product:

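$$\bar{C} = \bar{S}_1 \bar{M} \bar{S}_2$$

which gives

$$\bar{C} = \frac{50764}{1}\bar{e}_0 + \frac{48247}{-1}\bar{e}_1 + \frac{9103}{-1}\bar{e}_2 + \frac{32170}{-1}\bar{e}_3 + \frac{6206}{1}\bar{e}_{12} + \frac{37751}{-1}\bar{e}_{13} + \frac{17859}{1}\bar{e}_{23} + \frac{28090}{1}\bar{e}_{123}$$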

To decrypt $\bar{C}$, the inverses of the secret keys are calculated. This is when a division would take place:

$$\bar{M} = \bar{S}_1^{-1} \bar{C} \bar{S}_2^{-1}$$

However, since Rational numbers are being used, the inverses of the secret keys are defined as follows:

$$\bar{S}_1^{-1} = \frac{5441}{-988100}\bar{e}_0 + \frac{2857}{494050}\bar{e}_1 + \frac{12407}{494050}\bar{e}_2 + \frac{8183}{988100}\bar{e}_3 + \frac{24119}{988100}\bar{e}_{12} + \frac{338}{-247025}\bar{e}_{13} + \frac{29863}{494050}\bar{e}_{23} + \frac{28090}{-988100}\bar{e}_{123}$$

$$\bar{S}_2^{-1} = \frac{60605}{-11890997}\bar{e}_0 + \frac{184547}{11890997}\bar{e}_1 + \frac{44320}{-11890997}\bar{e}_2 + \frac{116406}{11890997}\bar{e}_3 + \frac{45415}{-11890997}\bar{e}_{12} + \frac{101817}{11890997}\bar{e}_{13} + \frac{82317}{-11890997}\bar{e}_{23} + \frac{6994}{-11890997}\bar{e}_{123}$$

By calculating the inverse using rational numbers, there is no need for precision, since we are dealing with integers only in both numerator and denominator; therefore there is no loss whatsoever. The result is 100% precise and even a very limited device can work with this type of operation. Therefore

$$\bar{M} = \bar{S}_1^{-1} \bar{C} \bar{S}_2^{-1}$$

gives exactly

$$\bar{M} = \frac{2}{1}\bar{e}_0 + \frac{3}{1}\bar{e}_1 + \frac{4}{1}\bar{e}_2 + \frac{5}{1}\bar{e}_3 + \frac{6}{1}\bar{e}_{12} + \frac{7}{1}\bar{e}_{13} + \frac{8}{1}\bar{e}_{23} + \frac{9}{1}\bar{e}_{123}$$

4.18 Cryptanalysis

This section aims to acknowledge the desired security characteristics of a new cipher as well as to provide an overview of cryptanalysis and the main known types of attacks. By acknowledging and reviewing the basics of cryptanalysis, this section also aims to initiate the discussion about the path for EDCHE to prove itself safe against all possible known attacks. The actual implementation and results of the known attacks against EDCHE are deferred to future work, since the scope of this work is to show a new encryption scheme that is fully homomorphic as a mathematical discussion.

Security must be the most important criterion for a block cipher, which means that when the cipher is secure, there is no cryptanalytic attack that exploits its internal structure. In other words, there should not be any attack available with a workload smaller than brute-force (an exhaustive search of the key) [9].

Let $E$ be an encryption function and $D$ be a decryption function. Let $K$ be the secret key used in both the encryption and decryption functions as $E_k$ and $D_k$ respectively. So the ciphertext $C$ from the message $M$ is obtained as $C = E_k(M)$ and the message $M$ is recovered as $M = D_k(C)$. All ciphers share a fundamental property, which says that $D_k(E_k(M)) = M$ for every $M$, meaning that if $M$ is encrypted with key $K$, it should be decrypted with the same key to recover $M$. As general requirements, it is expected that the cipher is easy to use, the functions $E_k$ and $D_k$ must be fast for all keys $K$, and the security of the cipher should only depend on the secrecy of the key and not on the secrecy of the functions $E$ and $D$. So the cipher may be public and known by an adversary but without the keys, no one should be able to recover the message or the key from a ciphertext [40].

4.18.1 What Is Cryptanalysis?

Cryptanalysis is the study of attacks on ciphers. The methods of attack are classified into general types mainly based on what information is known and what is unknown to the cryptanalyst [40]. Breaking a cipher means finding a weakness in that cipher that can be exploited with a complexity less than brute-force. Thus, technically speaking, if a brute-force attack requires $2^{128}$ encryptions, an attack requiring $2^{110}$ would be considered a break. Breaks can also require unrealistic amounts of known or chosen plaintext or unrealistic amounts of storage. Hence, a break can be a "certification weakness", evidence that the cipher does not perform as advised [27]. A good cipher resists all types of known attacks. It is expected that the cipher offers such security that it would be computationally infeasible for a cryptanalyst to successfully do any of the following tasks, no matter how much ciphertext is given:

1. Find M given C

2. Find $D_k$ given $C$ or $C$ and the corresponding $M$

3. Construct $C$ so that $D_k(C)$ is any meaningful message

4. Find $E_k$ given $C$ or $C$ and the corresponding $M$

Requirements 1 and 2 ensure the secrecy of the cipher and the messages that are encrypted with it. In other words, they establish that a ciphertext-only attack should be hard. Requirement 2 adds that a known-plaintext attack should be hard. Requirements 3 and 4 ensure the authenticity of messages encrypted with it. Requirement 3 says that no attacker should be able to create a ciphertext which would decipher into a meaningful plaintext. Requirement 4 says that no attacker should be able to create an illegitimate ciphertext and make the recipient accept it as authentic. In summary, if an attacker replaces one ciphertext with another, the change should be detected [40].

4.18.2 Attacks

4.18.2.1 Ciphertext-Only Attack

This attack requires the minimum amount of information for cryptanalysis, an intercepted ciphertext from which one desires to obtain the plaintext and, if possible, the secret key. While designing an encryption scheme, at least this attack must be considered [36]. So for this attack, only the ciphertext is known. This is considered to be the most difficult type of attack [40].

4.18.2.2 Known-Plaintext Attack

This attack considers that some ciphertexts were obtained and the associated plaintexts are known, so the goal is to derive the key. A known-plaintext attack is often considered reasonable [36]. Once having some plaintext-ciphertext pairs, the cryptanalyst will investigate the required transformations in order to extract the key and be able to decrypt other ciphertexts [40].

4.18.2.3 Probable Plaintext Attack

If the plaintext is known to be organized in a certain structure, beginning with certain words or fields, then certain portions of the message will be known and many will appear more often. In this way, it is possible to associate some plaintexts with a ciphertext [36].

4.18.2.4 Chosen-Plaintext Attack

This attack considers creating plaintexts with certain properties with the goal of affecting the changes in ciphertext in a measurable way in order to derive information about the key. It is considered one of the least realistic, but often most powerful [36]. This might be accomplished by "tricking" the cipher machine operator into encrypting any given message, as an example [40].


4.18.2.5 Chosen-Ciphertext Attack

This attack is about choosing ciphertexts to be decrypted with a certain key. It is considered the least realistic attack [36].

4.18.2.6 Brute-Force

Whenever no highly developed mathematics or simplifications are necessary in order to perform an attack, meaning that all possible keys will be tried with the goal of checking which one gives the correct plaintext-ciphertext pair, a brute-force attack is in place. The standard known-ciphertext attack and known-plaintext attack can be seen simply as brute-force attacks. Brute-force attacks can be optimized by splitting the key space into chunks and processing them on different processors or computers. Brute-force has one key advantage not always true for other cryptanalytic techniques: it is always guaranteed to find the correct key after some length of time [36].

4.18.2.7 Differential and Linear Cryptanalysis

The discovery of differential and linear cryptanalysis has become the theoretical basis for the design of block ciphers in terms of security, to the point that a new block cipher is only taken seriously if evidence is shown that it resists differential and linear cryptanalysis. Differential cryptanalysis is a chosen-plaintext (difference) attack in which a large number of plaintext-ciphertext pairs are used to determine the value of key bits. Statistical key information is deduced from ciphertext blocks obtained by encrypting pairs of plaintext blocks with a specific bitwise difference under the target key. Linear cryptanalysis is a known-plaintext attack in which a large number of plaintext-ciphertext pairs are used to determine the value of key bits. Although a cipher must resist all possible types of attacks, it is observed that in most cases, the resistance against differential and linear cryptanalysis are the criteria that shape a block cipher. Remaining known attacks will only be considered later, and resistance against them can be obtained with small modifications in the original design [9].


4.18.2.8 Initial Considerations on Brute-Force Attacks on EDCHE

In Mathematics, a linear system of equations that has fewer equations than unknowns is called an underdetermined system. A system with two equations and three unknowns is already considered underdetermined. An underdetermined system might be either consistent or inconsistent, depending on the equations. A consistent underdetermined system is a system of equations with fewer equations than unknowns that has at least one solution, while an inconsistent underdetermined system is a system of equations with fewer equations than unknowns that has no solution. As opposed to that, a linear system of equations in which there are more equations than unknowns is called an overdetermined system, which might be either consistent or inconsistent as well [33].

As discussed in section 4.5, the EDCHE primitives generate a ciphertext that represents a consistent underdetermined system of equations. Working with 3D multivectors, the ciphertext is the result of 8 equations and 16 unknowns. So the number of unknowns is double the number of possible equations. As an initial brute-force analysis, consider that each multivector represents a scalar. This means that, for the triple product encryption primitive, the two secret keys and the message multivector each represent a scalar. Taking only scalars into consideration, a ciphertext generated by a triple product such as

$$c = s_1 \cdot m \cdot s_2$$

where $b_k$ is the number of bits of each secret key and $b_m$ is the number of bits of the message, the number of attacks $a$ until finding both keys is:

$$a = 2^{b_k} \cdot 2^{b_k}$$

Now, consider that, when represented as multivectors, each element of the triple product will be generated using the Dynamic Packing Scheme, as discussed in section 5.3. Given the bit size $b$ of the first coefficient under consideration, and given there are 8 coefficients, there are $(2^b)^8$ possible distributions for creating a multivector. So, for the triple product as multivectors, the number of attacks $a$ until finding both keys is:

$$a = (2^b)^8 \cdot (2^b)^8$$


As an example, if two secret keys of 256 bits are used, the number of possible attacks is:

$$a = (2^{256})^8 \cdot (2^{256})^8$$

If real secret keys are used, as shown in section 4.12, which is perfectly possible with EDCHE, there will be a yet larger number of possibilities. Let $p$ be the precision size of the floating point number representation. The number of possible attacks is now:

$$a = \left(\left(2^b\right)^p\right)^8 \cdot \left(\left(2^b\right)^p\right)^8 = \left(\left(\left(2^b\right)^p\right)^8\right)^2$$

As an example, let the approach for dealing with floating point numbers be an implementation that considers a precision of 10 digits. The number of possible attacks is:

$$a = \left(\left(2^{256}\right)^{10}\right)^8 \cdot \left(\left(2^{256}\right)^{10}\right)^8 = \left(\left(\left(2^{256}\right)^{10}\right)^8\right)^2$$

which, computationally speaking, is an infinite number of attacks. This is not even considering the fact that the numbers can be either positive or negative, which clearly expands the number of possibilities even more. Below, the brute-force complexity is presented for an implementation without precision but including the ability of choosing positive and negative numbers in any combination. Given the key length, it is raised to the power of 2, meaning, positive or negative sign:

$$a = \left(\left(2^b\right)^2\right)^8 \cdot \left(\left(2^b\right)^2\right)^8 = \left(\left(\left(2^b\right)^2\right)^8\right)^2$$

4.18.2.9 Initial Considerations on Differential and Linear Cryptanalysis

Consider a scenario where the plaintext and/or the ciphertext is known. Recall that EDCHE makes use of the Dynamic Packing Scheme, as discussed in section 5.3. The DPS uses 4 random displacements in the range of the bit size under consideration. So if the original first coefficient has a size of 128 bits, the range of possible random displacements is $2^{128}$. In order to match all 4 random displacements, $(2^{128})^4$ attempts would be required. So the number of possible displacements is equivalent to the size of the numbers under consideration. There is no direct linear relationship between plaintext and ciphertext. If a good pseudo-random number generator is used, having many pairs of plaintexts and ciphertexts will not give the attacker the transformation path from and/or for the ciphertext, since if the same plaintext is encrypted many times, each time it will produce a different ciphertext.


4.19 Time and Space Complexity

4.19.1 Space Complexity

In order to make evaluative judgments about the algorithm discussed in this report, some basic considerations on performance are included. Those are related to the time of computation and storage requirements. Thus it is necessary to analyze the algorithm’s space and time complexity. The space complexity of an algorithm is the amount of memory it needs to run to completion. The time complexity of an algorithm is the amount of computer time it needs to run to completion. The authors in [17] introduce space complexity as the sum of two components: 1) A fixed part that is independent of the characteristics of the inputs and outputs, which is typically related to instruction space (code), space for simple variables and fixed-size component variables (aggregate), space for constants and so on; 2) A variable part consisting of the space needed by component variables whose size is not dependent on the particular problem instance being solved. Thus, the space requirement $S(P)$ of any algorithm $P$ may be written as $S(P) = c + S_P(\text{instance characteristics})$ where $c$ is a constant.

The EDCHE encryption algorithm consists of the triple geometric product. The geometric product generates a multivector object of four coefficients, since it is operated in 2 dimensions. The number of coefficients does not change according to the size of the input. The number of geometric product operations performed in sequence does not change the fact that there will be only one multivector object as the output. The multivector object will still have four coefficients. Although the decryption process uses a different set of operations (in which, in addition to the geometric product, the inverse is also calculated), the output is still a single multivector object of four coefficients. No matter the size of the input, the output will always be one multivector with four coefficients. The space complexity is then constant, $O(1)$.

4.19.2 Time Complexity

The time $T(P)$ taken by a program $P$ is the sum of the compile time and the execution time [17]. As opposed to what happens with the space complexity, the compile time does not depend on the instance characteristics. Additionally, it is assumed that a program, once compiled, will run many times without recompilation. This run time is denoted by $t_P(\text{instance characteristics})$. The time complexity works more as a tool for estimating $t_P$. Estimating the time an algorithm takes to complete comes from the concern of finding the most efficient algorithm for solving a problem, and this notion of efficiency usually refers to the fastest solution. The time requirements of an algorithm are expressed in terms of a single variable, which is the size of a problem instance. This will reflect the amount of input data needed to describe the instance [10]. Basically, the size of the input and the steps required to calculate the answer to a problem will define its time complexity. The EDCHE encryption and decryption algorithms each consist of the very same number of operations no matter what the size of the input is. Similarly to what happens with the space complexity, the time complexity is not affected by the size of the input. Therefore, the time complexity is also constant, $O(1)$.

4.20 Conclusion

In this chapter it was discussed how simple mathematical concepts such as the multiplicative inverse can be explored and extended to powerful operations in Geometric Algebra in favor of creating cryptographic solutions. In Geometric Algebra, the main object under consideration is the multivector, which is explored in many ways as a special structure for any type of data. Through the principle of number factorization, multivectors are intended to represent the original input in such a way that, even when submitted to a number of operations, both unencrypted and encrypted, it will be able to preserve the algebraic structures present in the plaintext data, so homomorphism is a natural and direct reality. It is pointed out in this work that Geometric Algebra should be seen as a mathematical language, just as EDCHE should be seen as a cryptographic framework. In this chapter two encryption primitives were discussed, and throughout the examples in this work the triple product will be the choice for demonstration. However, both work for all scenarios. The primitives influence how results are obtained; however, both of the primitives discussed obtain the same results. As a framework, EDCHE allows the creation of many other primitives. The primitives Triple Product and Sylvester’s equation create a consistent under-determined system where, without the secret keys, there are just too many solutions (infinite), which makes the core EDCHE encryption primitives secure. For more specialized operations, it is possible to develop sub-primitives, as was discussed for user registration and authorization, and many others might be derived from particular resources in Geometric Algebra. The examples in this chapter serve as a quick demonstration of these capabilities. EDCHE can be implemented as a solution that makes use of known standard cryptographic resources, such as the Diffie-Hellman key exchange protocol. Additionally, EDCHE allows the creation of new protocols. The new key exchange protocol powered by EDCHE is an illustration of how to create complete cryptographic solutions with this framework. Cryptographic applications such as Sending Without Sending, Hierarchy Identity-based Encryption and Continuous Authentication were introduced in order to provide insights on how to apply EDCHE resources to real world routines.

CHAPTER 5

FHE with EDCHE

5.1 Introduction

Required and desired homomorphic properties and operations are illustrated in this chapter. As discussed before, the examples work no matter the primitive being used. For simplification, the triple product is the selected encryption primitive for most of the cases. Although fully homomorphic encryption is considered a cryptographic breakthrough, there are still concerns about how meaningful and useful encrypted data can be without compromising security. After being convinced about the fully homomorphic properties of EDCHE, one could ask about the security of the encryption primitives. If it is not secure, the homomorphic properties are not worth it. For this reason, additional capabilities and configurations, such as the Dynamic Packing Scheme, are included in this chapter in order to add security while keeping the homomorphic structures intact. The graph below summarizes the core fully homomorphic characteristics of EDCHE:

Figure 5.1: EDCHE Overview

5.2 Selected Encryption Primitive

In Chapter 4 we discussed the building blocks of an encryption scheme powered by Geometric Algebra, which includes two encryption primitives: the triple product and Sylvester’s equation. These two primitives are perfectly applicable for regular encryption and fully homomorphic encryption. However, as mentioned before, the mathematics provided by product spaces and Geometric Algebra work as a framework, where the Geometric Algebra objects and operators are members of a language that can be explored to create new operators and develop as many encryption primitives as desired. For that reason, EDCHE can be seen as a cryptographic framework that allows the creation of cryptographic solutions built upon its primitives. In order to get into more details of routines and subroutines present in EDCHE, we will always work with the triple product primitive, just as a matter of choice, since it could be either one. The triple product technique, as shown in 4.4, implies obtaining the product of three elements. The product operation is initially the geometric product; it will change in the future in order to cover and/or accommodate further properties.

5.3 Dynamic Packing Scheme

As one way to demonstrate how EDCHE can work as a framework, in this section we make use of some of the available resources in order to increase security and versatility while implementing cryptographic solutions with EDCHE. Our goal is to generate a different ciphertext for the same plaintext every time. For this we apply a technique we call "Dynamic Packing Scheme", or just DPS.

The DPS occurs in two steps. The first is the general rule for packing a multivector and allowing homomorphism. Given that we are working in 3D, and a multivector in 3D is composed of scalar, vector, bivector and trivector parts, given a scalar $s$, each part of the multivector is defined as follows:

$$\text{scalar} = \left\lfloor \frac{s}{2^n} \right\rfloor + (s \bmod 2^n)$$

$$\text{vector, bivector, trivector} = \left\lfloor \frac{s}{2^n} \right\rfloor$$

where $n$ is the dimension, so $n = 3$. Recall the formal definition of the modulo operator: let $m \geq 1$ be an integer. It is said that the integers $a$ and $b$ are congruent modulo $m$ if their difference $a - b$ is divisible by $m$. Thus,

$$a \equiv b \pmod{m}$$

where the number $m$ is called the modulus [16].

The second step is to generate and apply random displacements which will affect the coefficients distribution. Let $D$ be a sequence containing $\frac{2^n}{2}$ random elements, which is the size of the sequence, that can be expressed simply as half of the number of coefficients in the multivector. Since a 3D multivector has $2^3 = 8$ coefficients, the size of the sequence with the displacements will be $\frac{2^3}{2} = \frac{8}{2} = 4$. Once the scalar is converted to a multivector using the description of the first step, the randomly generated numbers in $D$ are used as displacements on the coefficients as follows: Let the coefficients of a multivector be a sequence $C$ of $k = 2^n$ elements. The random displacements are applied and the new coefficient distribution is calculated as follows:

$$C_i = C_i + D_i$$

$$C_{i+1} = C_{i+1} - D_i$$

$$\vdots$$

$$C_{k-1} = C_{k-1} + D_{\frac{k}{2}-1}$$

$$C_k = C_k - D_{\frac{k}{2}-1}$$

The bit size of the random displacement is given by the bit size of the blade 0 (scalar part) generated by step 1. So, given that the first step generates the multivector $\bar{M}$, the displacements will be random numbers of bit size equal to the bit size of $m_0\bar{e}_0$.


5.3.1 Numerical example

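Let the input scalar $s = 147$ and the dimension $n = 3$. The first step of the dynamic packing scheme will accommodate $s$ as coefficients of the multivector $\bar{M}$:

$$m_0\bar{e}_0 = \left\lfloor \frac{147}{2^3} \right\rfloor + (147 \bmod 2^3) = 18 + 3 = 21$$

$$m_1\bar{e}_1 = \left\lfloor \frac{147}{2^3} \right\rfloor = 18$$

$$\vdots$$

$$m_{123}\bar{e}_{123} = 18$$

$$\bar{M} = 21\bar{e}_0 + 18\bar{e}_1 + 18\bar{e}_2 + 18\bar{e}_3 + 18\bar{e}_{12} + 18\bar{e}_{13} + 18\bar{e}_{23} + 18\bar{e}_{123}$$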

In the second step we will generate four random numbers which will operate as displacements on the coefficients of $\bar{M}$. The bit size of each random displacement is defined by the bit size of $m_0\bar{e}_0 = 21$, which is a 5-bit number. Let $D$ be a sequence of four 5-bit random numbers:

D = (30, 25, 17, 23)

The coefficients are calculated as follows:

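$$m_0\bar{e}_0 = (m_0 + D_0)\bar{e}_0 = (21 + 30)\bar{e}_0 = 51\bar{e}_0$$

$$m_1\bar{e}_1 = (m_1 - D_0)\bar{e}_1 = (18 - 30)\bar{e}_1 = -12\bar{e}_1$$

$$m_2\bar{e}_2 = (m_2 + D_1)\bar{e}_2 = (18 + 25)\bar{e}_2 = 43\bar{e}_2$$

$$m_3\bar{e}_3 = (m_3 - D_1)\bar{e}_3 = (18 - 25)\bar{e}_3 = -7\bar{e}_3$$

$$m_{12}\bar{e}_{12} = (m_{12} + D_2)\bar{e}_{12} = (18 + 17)\bar{e}_{12} = 35\bar{e}_{12}$$

$$m_{13}\bar{e}_{13} = (m_{13} - D_2)\bar{e}_{13} = (18 - 17)\bar{e}_{13} = 1\bar{e}_{13}$$

$$m_{23}\bar{e}_{23} = (m_{23} + D_3)\bar{e}_{23} = (18 + 23)\bar{e}_{23} = 41\bar{e}_{23}$$

$$m_{123}\bar{e}_{123} = (m_{123} - D_3)\bar{e}_{123} = (18 - 23)\bar{e}_{123} = -5\bar{e}_{123}$$

So after the first and the second step, $\bar{M}$ is defined as:

$$\bar{M} = 51\bar{e}_0 - 12\bar{e}_1 + 43\bar{e}_2 - 7\bar{e}_3 + 35\bar{e}_{12} + 1\bar{e}_{13} + 41\bar{e}_{23} - 5\bar{e}_{123}$$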


The sum of the coefficients of $\bar{M}$ still adds to 147.
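The two DPS steps above, written out as an added Python example (not code from the thesis). The function names are hypothetical, and `secrets.randbits` is an assumed stand-in for the unspecified random source, drawing each displacement from [0, 2^bits).

```python
import secrets

N = 3  # dimension; a 3D multivector has 2**N = 8 coefficients


def pack(s, n=N):
    """Step 1: floor(s / 2^n) in every blade, plus the remainder s mod 2^n
    in the scalar blade, so the coefficients always sum back to s."""
    k = 2 ** n
    q, r = divmod(s, k)
    return (q + r,) + (q,) * (k - 1)


def displacement_bits(coeffs):
    """Bit size of one displacement: the bit size of the scalar blade."""
    return max(coeffs[0].bit_length(), 1)


def random_displacements(coeffs):
    """Step 2a: k/2 random values (assumption: uniform in [0, 2^bits))."""
    bits = displacement_bits(coeffs)
    return tuple(secrets.randbits(bits) for _ in range(len(coeffs) // 2))


def displace(coeffs, d):
    """Step 2b: add D_j to the first coefficient of pair j and subtract it
    from the second, which leaves the coefficient sum unchanged."""
    if 2 * len(d) != len(coeffs):
        raise ValueError("need one displacement per pair of coefficients")
    out = []
    for j, dj in enumerate(d):
        out += [coeffs[2 * j] + dj, coeffs[2 * j + 1] - dj]
    return tuple(out)


def mtn(coeffs):
    """Multivector to number: the sum of the coefficients."""
    return sum(coeffs)


def dps_encode(s, n=N):
    """Full DPS encoding of s with fresh random displacements."""
    base = pack(s, n)
    return displace(base, random_displacements(base))


def displacement_space_bits(s, n=N):
    """log2 of the number of distinct displacement sequences for s."""
    base = pack(s, n)
    return (len(base) // 2) * displacement_bits(base)


if __name__ == "__main__":
    base = pack(147)
    print(base)                              # step 1 for the page's s = 147
    print(displace(base, (30, 25, 17, 23)))  # the page's first D
    print(dps_encode(147), displacement_space_bits(147))
```

For s = 147 the scalar blade is 21 (5 bits), so the four displacements span (2^5)^4 = 2^20 sequences, the same count the thesis writes as (2^128)^4 for a 128-bit first coefficient.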

5.3.2 Encryption using DPS

Given the following secret keys:

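$$\bar{S}_1 = 10\bar{e}_0 + 93\bar{e}_1 + 15\bar{e}_2 + 26\bar{e}_3 + 32\bar{e}_{12} + 79\bar{e}_{13} + 41\bar{e}_{23} + 52\bar{e}_{123}$$

$$\bar{S}_2 = 53\bar{e}_0 + 37\bar{e}_1 + 81\bar{e}_2 + 26\bar{e}_3 + 28\bar{e}_{12} + 37\bar{e}_{13} + 74\bar{e}_{23} + 39\bar{e}_{123}$$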

The ciphertext $\bar{C}_1$ is generated using the triple product:

$$\bar{C}_1 = \bar{S}_1 \bar{M} \bar{S}_2$$

$$\bar{C}_1 = -258166\bar{e}_0 - 127615\bar{e}_1 + 221561\bar{e}_2 - 231774\bar{e}_3 + 244318\bar{e}_{12} - 211557\bar{e}_{13} + 255719\bar{e}_{23} + 208514\bar{e}_{123}$$

Since we are using DPS, each time we encrypt $\bar{M}$ a different ciphertext is generated due to the randomness of the displacements. Let $s = 147$, which is the very same original input scalar. By applying the first step of DPS, we have:

$$\bar{M} = 21\bar{e}_0 + 18\bar{e}_1 + 18\bar{e}_2 + 18\bar{e}_3 + 18\bar{e}_{12} + 18\bar{e}_{13} + 18\bar{e}_{23} + 18\bar{e}_{123}$$

For the second step, the following sequence of random displacements is generated:

D = (24, 19, 24, 30)

Applying the displacements yields:

$$\bar{M} = 45\bar{e}_0 - 6\bar{e}_1 + 37\bar{e}_2 - 1\bar{e}_3 + 42\bar{e}_{12} - 6\bar{e}_{13} + 48\bar{e}_{23} - 12\bar{e}_{123}$$

The ciphertext $\bar{C}_2$ is generated using the triple product:

$$\bar{C}_2 = \bar{S}_1 \bar{M} \bar{S}_2$$

$$\bar{C}_2 = -346320\bar{e}_0 - 293383\bar{e}_1 + 470543\bar{e}_2 - 340708\bar{e}_3 + 197556\bar{e}_{12} - 354113\bar{e}_{13} + 528677\bar{e}_{23} + 263156\bar{e}_{123}$$


For both $\bar{C}_1$ and $\bar{C}_2$, the original input scalar $s$ is the same: $s = 147$. The secret key multivectors are also the same in both cases. However, due to the DPS, the ciphertext for $\bar{M}$ will always be different without any penalty in terms of message fidelity and homomorphic properties, therefore the equivalent ciphertexts will be distinct, as $\bar{C}_1$ and $\bar{C}_2$ are distinct.

5.4 Additive Homomorphism

Translating the properties discussed in Section 1.4 to EDCHE, the encryption scheme $\epsilon$ is additive homomorphic if

$$\epsilon(\bar{A} + \bar{B}) = \epsilon(\bar{A}) + \epsilon(\bar{B})$$

Given the scalars $a, b, c$ as follows:

a = 23

b = 45

c = 79

By using the DPS, the following multivectors represent the above scalars:

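$$\bar{A} = 141\bar{e}_0 - 130\bar{e}_1 + 147\bar{e}_2 - 143\bar{e}_3 + 251\bar{e}_{12} - 247\bar{e}_{13} + 151\bar{e}_{23} - 147\bar{e}_{123}$$

$$\bar{B} = 140\bar{e}_0 - 125\bar{e}_1 + 197\bar{e}_2 - 187\bar{e}_3 + 142\bar{e}_{12} - 132\bar{e}_{13} + 238\bar{e}_{23} - 228\bar{e}_{123}$$

$$\bar{C} = 226\bar{e}_0 - 201\bar{e}_1 + 236\bar{e}_2 - 218\bar{e}_3 + 242\bar{e}_{12} - 224\bar{e}_{13} + 200\bar{e}_{23} - 182\bar{e}_{123}$$

Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertexts are generated:

$$\bar{C}_{\bar{A}} = \bar{S}_1 \bar{A} \bar{S}_2$$

$$\bar{C}_{\bar{B}} = \bar{S}_1 \bar{B} \bar{S}_2$$

$$\bar{C}_{\bar{C}} = \bar{S}_1 \bar{C} \bar{S}_2$$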


which yields:

C¯ ¯ = 51119166e¯ + 22222639e¯ + 31355100e¯ + 64478768e¯ A − 0 1 2 3 + 15504245e¯ + 40074939e¯ + 36688749e¯ + 10910607e¯ 12 13 23 − 123 C¯ ¯ = 43887411e¯ + 20324010e¯ + 68240907e¯ + 63301489e¯ B − 0 1 2 3 + 37636503e¯ + 40194401e¯ + 68164472e¯ + 23329660e¯ 12 13 23 − 123 C¯ ¯ = 48168133e¯ + 6912600e¯ + 75046859e¯ + 64591773e¯ C − 0 1 2 3 + 53260310e¯ + 29755242e¯ + 71184712e¯ + 35264708e¯ 12 13 23 − 123

Let C¯sum be the sum of the generated ciphertexts:

¯ ¯ ¯ ¯ Csum = CA¯ + CB¯ + CC¯ C¯ = 143174710e¯ + 49459249e¯ + 174642866e¯ + 192372030e¯ sum − 0 1 2 3 + 106401058e¯ + 110024582e¯ + 176037933e¯ + 69504975e¯ 12 13 23 − 123

Let $\bar{M}_{sum}$ be the result of the decryption of $\bar{C}_{sum}$, which is given by:

$$\bar{M}_{sum} = \bar{S}_1^{-1}\bar{C}_{sum}\bar{S}_2^{-1}$$

$$\bar{M}_{sum} = 507\bar{e}_0 - 456\bar{e}_1 + 580\bar{e}_2 - 548\bar{e}_3 + 635\bar{e}_{12} - 603\bar{e}_{13} + 589\bar{e}_{23} - 557\bar{e}_{123}$$

The sum of the coefficients of $\bar{M}_{sum}$, which is the same as the scalar representation of the multivector $\bar{M}_{sum}$, equals 147. We can see that:

A¯ + B¯ + C¯ = M¯ sum

and also that

a + b + c = 23 + 45 + 79 = 147

Thus, it is shown that

$$\epsilon\left(\bar{A} + \bar{B} + \bar{C}\right) = \epsilon\left(\bar{A}\right) + \epsilon\left(\bar{B}\right) + \epsilon\left(\bar{C}\right)$$

5.5 Scalar Multiplicative Homomorphism

Following the properties discussed in the previous Section, the encryption scheme $\epsilon$ is scalar multiplicative homomorphic if

$$\epsilon\left(\alpha \cdot \bar{A}\right) = \alpha \cdot \epsilon\left(\bar{A}\right) \quad \forall \alpha \in \mathbb{R}$$

Let

a = 23

By using the DPS, a is represented as a multivector as follows:

$$\bar{A} = 256\bar{e}_0 - 245\bar{e}_1 + 214\bar{e}_2 - 210\bar{e}_3 + 221\bar{e}_{12} - 217\bar{e}_{13} + 219\bar{e}_{23} - 215\bar{e}_{123}$$

Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertext is generated:

$$\bar{C}_{\bar{A}} = \bar{S}_1\bar{A}\bar{S}_2$$

which yields:

$$\bar{C}_{\bar{A}} = -55094745\bar{e}_0 + 7195804\bar{e}_1 + 86841611\bar{e}_2 + 74305209\bar{e}_3 + 62150731\bar{e}_{12} + 33770057\bar{e}_{13} + 82420645\bar{e}_{23} - 41342155\bar{e}_{123}$$

Let $\bar{C}^{\alpha}_{\bar{A}}$ be the scalar multiplication between $\alpha$ and $\bar{A}$:

$$\bar{C}^{a}_{\bar{A}} = a \cdot \bar{C}_{\bar{A}}$$

$$\bar{C}^{\alpha}_{\bar{A}} = -1267179135\bar{e}_0 + 165503492\bar{e}_1 + 1997357053\bar{e}_2 + 1709019807\bar{e}_3 + 1429466813\bar{e}_{12} + 776711311\bar{e}_{13} + 1895674835\bar{e}_{23} - 950869565\bar{e}_{123}$$

Let $\bar{A}^{\alpha}$ be the result of the decryption of $\bar{C}^{\alpha}_{\bar{A}}$, which is given by:

$$\bar{A}^{a} = \bar{S}_1^{-1}\bar{C}^{a}_{\bar{A}}\bar{S}_2^{-1}$$

$$\bar{A}^{a} = 5888\bar{e}_0 - 5635\bar{e}_1 + 4922\bar{e}_2 - 4830\bar{e}_3 + 5083\bar{e}_{12} - 4991\bar{e}_{13} + 5037\bar{e}_{23} - 4945\bar{e}_{123}$$

The sum of the coefficients of $\bar{A}^{a}$, which is the same as the scalar representation of the multivector $\bar{A}^{a}$, equals 529. We can see that:

$$a \cdot \bar{A} = \bar{A}^{a}$$

and, considering that $\bar{A}$ represents a, so that the sum of the coefficients of $\bar{A}$ is equal to a, the following is true:

$$a \cdot \bar{A} \equiv a \cdot a \equiv 23 \cdot 23 = 529$$

Thus, it is shown that

$$\epsilon\left(a \cdot \bar{A}\right) = a \cdot \epsilon\left(\bar{A}\right)$$

5.6 Multiplicative Properties of the Rationalize

Given the following multivectors

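$$\bar{A} = 2 + 3\bar{e}_1 + 4\bar{e}_2 + 5\bar{e}_3 + 6\bar{e}_{12} + 7\bar{e}_{13} + 8\bar{e}_{23} + 9\bar{e}_{123}$$

$$\bar{B} = 4 + 9\bar{e}_1 + 2\bar{e}_2 + 6\bar{e}_3 + 5\bar{e}_{12} + 11\bar{e}_{13} + 3\bar{e}_{23} + 7\bar{e}_{123}$$

The Rationalize of $\bar{A}$ and $\bar{B}$ is given by

$$R\left(\bar{A}\right) = \left(\bar{A}\bar{A}\right)\left(\bar{A}\bar{A}\right)^{\dagger} = 740$$

$$R\left(\bar{B}\right) = \left(\bar{B}\bar{B}\right)\left(\bar{B}\bar{B}\right)^{\dagger} = 197$$

The geometric product between $\bar{A}$ and $\bar{B}$ is calculated as follows

$$\bar{A}\bar{B} = -121 - 74\bar{e}_1 + 162\bar{e}_2 - 89\bar{e}_3 + 160\bar{e}_{12} - 45\bar{e}_{13} + 123\bar{e}_{23} + 134\bar{e}_{123}$$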


Now, the Rationalize of A¯ B¯ is calculated

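$$R\left(\bar{A}\bar{B}\right) = 145780$$

It turns out that

$$R\left(\bar{A}\right) \cdot R\left(\bar{B}\right) = 145780$$

Thus,

$$R\left(\bar{A}\bar{B}\right) = R\left(\bar{A}\right) \cdot R\left(\bar{B}\right)$$

This is true for ciphertext multivectors too. Given the following keys: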

S¯ 1 = 12 + 14e¯1 + 15e¯2 + 17e¯3 + 21e¯12 + 23e¯13 + 24e¯23 + 25e¯123

S¯ 2 = 31 + 33e¯1 + 24e¯2 + 27e¯3 + 32e¯12 + 28e¯13 + 39e¯23 + 23e¯123

The ciphertext for A¯ and B¯ is defined as follows

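$$\bar{C}_{\bar{A}} = -53374 - 50998\bar{e}_1 + 3407\bar{e}_2 - 37615\bar{e}_3 - 10702\bar{e}_{12} - 34190\bar{e}_{13} - 961\bar{e}_{23} - 10453\bar{e}_{123}$$

$$\bar{C}_{\bar{B}} = -47809 - 41240\bar{e}_1 + 15515\bar{e}_2 - 32409\bar{e}_3 + 6690\bar{e}_{12} - 23353\bar{e}_{13} + 13465\bar{e}_{23} + 8628\bar{e}_{123}$$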

The Rationalize of CA¯ and CB¯ is given by

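$$R\left(\bar{C}_{\bar{A}}\right) = 421901558956420$$

$$R\left(\bar{C}_{\bar{B}}\right) = 112317036641101$$

The geometric product between $\bar{C}_{\bar{A}}$ and $\bar{C}_{\bar{B}}$ is calculated as follows

$$\bar{C}_{\bar{A}}\bar{C}_{\bar{B}} = 5303124885 + 4829154550\bar{e}_1 - 1286761360\bar{e}_2 + 3532146791\bar{e}_3 + 890208\bar{e}_{12} + 2977693673\bar{e}_{13} - 687141129\bar{e}_{23} + 97398464\bar{e}_{123}$$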


Now, the Rationalize of CA¯ CB¯ is calculated

$$R\left(\bar{C}_{\bar{A}}\bar{C}_{\bar{B}}\right) = 47386732856245858919639818420$$

Similarly to what happened with the plaintext multivectors, the following is true:

$$R\left(\bar{C}_{\bar{A}}\right) \cdot R\left(\bar{C}_{\bar{B}}\right) = 47386732856245858919639818420$$

Thus,

$$R\left(\bar{C}_{\bar{A}}\bar{C}_{\bar{B}}\right) = R\left(\bar{C}_{\bar{A}}\right) \cdot R\left(\bar{C}_{\bar{B}}\right)$$

Although very simple, the above equation is very interesting because it is a direct relationship between the geometric product and the multiplication operation.
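The Section 5.4 ciphertext sum and the Section 5.6 Rationalize check can be re-run with the sketch below. It is an added example, not code from the thesis or from EDCHE: it assumes the standard Cl(3,0) geometric product with ē13 = ē1ē3, takes the Rationalize as X times its Clifford conjugate multiplied by the reverse of that product, and derives the inverse from it; all function names are hypothetical.

```python
from fractions import Fraction

# Coefficient order used on the page: e0, e1, e2, e3, e12, e13, e23, e123.
# Each blade is a bitmask over the basis vectors (e1=1, e2=2, e3=4).
MASKS = [0, 1, 2, 4, 3, 5, 6, 7]
POS = {m: i for i, m in enumerate(MASKS)}
GRADE = [bin(m).count("1") for m in MASKS]


def blade_sign(a, b):
    """Sign of blade(a)*blade(b): parity of the swaps that sort the basis vectors."""
    swaps, a = 0, a >> 1
    while a:
        swaps += bin(a & b).count("1")
        a >>= 1
    return -1 if swaps % 2 else 1


def gp(x, y):
    """Geometric product in Cl(3,0) (assumed convention: e13 = e1*e3)."""
    out = [0] * 8
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            k = POS[MASKS[i] ^ MASKS[j]]
            out[k] += blade_sign(MASKS[i], MASKS[j]) * xi * yj
    return out


def conj(x):
    """Clifford conjugate: grades 1 and 2 change sign."""
    return [-c if GRADE[i] in (1, 2) else c for i, c in enumerate(x)]


def rev(x):
    """Reverse: grades 2 and 3 change sign."""
    return [-c if GRADE[i] in (2, 3) else c for i, c in enumerate(x)]


def rationalize(x):
    """Assumed form R(X) = (X conj(X)) rev(X conj(X)); the result is a pure scalar."""
    p = gp(x, conj(x))          # scalar + pseudoscalar part only
    return gp(p, rev(p))[0]


def inverse(x):
    """X^-1 = conj(X) rev(X conj(X)) / R(X); no inverse exists when R(X) = 0."""
    p = gp(x, conj(x))
    r = gp(p, rev(p))[0]
    if r == 0:
        raise ZeroDivisionError("Rationalize is 0: multivector has no inverse")
    return [Fraction(c, r) for c in gp(conj(x), rev(p))]


def encrypt(m, s1, s2):
    """Triple product C = S1 M S2."""
    return gp(gp(s1, m), s2)


def decrypt(c, s1, s2):
    """M = S1^-1 C S2^-1, computed exactly with rationals."""
    return gp(gp(inverse(s1), c), inverse(s2))


def add(*xs):
    return [sum(col) for col in zip(*xs)]


# Section 5.4 inputs (C's e3 coefficient is -218, the value consistent with M_sum).
A54 = [141, -130, 147, -143, 251, -247, 151, -147]   # represents 23
B54 = [140, -125, 197, -187, 142, -132, 238, -228]   # represents 45
C54 = [226, -201, 236, -218, 242, -224, 200, -182]   # represents 79
S1_54 = [201, -180, 234, -218, 227, -211, 150, -134]
S2_54 = [184, -157, 147, -125, 253, -231, 150, -128]

# Section 5.6 inputs.
A56 = [2, 3, 4, 5, 6, 7, 8, 9]
B56 = [4, 9, 2, 6, 5, 11, 3, 7]
S1_56 = [12, 14, 15, 17, 21, 23, 24, 25]
S2_56 = [31, 33, 24, 27, 32, 28, 39, 23]


def additive_demo():
    """Add the three ciphertexts, decrypt once, return the plaintext sum multivector."""
    c_sum = add(*(encrypt(m, S1_54, S2_54) for m in (A54, B54, C54)))
    return decrypt(c_sum, S1_54, S2_54)


def rationalize_demo():
    """R is multiplicative on plaintexts and on triple-product ciphertexts alike."""
    ca = encrypt(A56, S1_56, S2_56)
    cb = encrypt(B56, S1_56, S2_56)
    return {
        "R(A)R(B)": rationalize(A56) * rationalize(B56),
        "R(AB)": rationalize(gp(A56, B56)),
        "R(CA)R(CB)": rationalize(ca) * rationalize(cb),
        "R(CA CB)": rationalize(gp(ca, cb)),
    }


if __name__ == "__main__":
    m_sum = additive_demo()
    print("M_sum =", [int(c) for c in m_sum], "-> scalar", sum(m_sum))
    for name, value in rationalize_demo().items():
        print(name, "=", value)
```

A key whose Rationalize is 0 makes `inverse` raise, which is the no-inverse case the chapter mentions.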

5.7 Multiplicative Homomorphism with Cartesian product

Given that:

a = 100

b = 200

And

A¯ = 50 + 7e1 + 11e2 +5e3 + 13e12 +3e13 +7e23 +4e123

B¯ = 100 + 15e1 + 19e2 + 13e3 + 21e12 + 11e13 + 19e23 +2e123

And also that we represent the sum of all the coefficients as the function ntm (number to multivector), such that:

$$ntm\left(\bar{B}\right) = 200$$

Then, it is true that:

$$\bar{C} = \bar{A} \cdot ntm\left(\bar{B}\right)$$

$$\bar{C} = 10000 + 1400e_1 + 2200e_2 + 1000e_3 + 2600e_{12} + 600e_{13} + 1400e_{23} + 800e_{123}$$

$$ntm\left(\bar{C}\right) = 20000$$

Therefore

$$\bar{C} = \bar{A} \cdot ntm\left(\bar{B}\right) \equiv a \cdot b = 20000$$

$$ntm\left(\bar{C}\right) \equiv a \cdot b = 20000$$

If, instead of filling all the coefficients, $\bar{B}$ is defined just as a scalar, the following is also true:

B¯ = 200 + 0e1 +0e2 +0e3 +0e12 +0e13 +0e23 +0e123

C¯ = A¯B¯

C¯ = 10000 + 1400e1 + 2200e2 + 1000e3 + 2600e12 + 600e13 + 1400e23 + 800e123

$$ntm\left(\bar{C}\right) = 20000$$

Therefore

$$\bar{C} = \bar{A}\bar{B} \equiv a \cdot b = 20000$$

$$ntm\left(\bar{C}\right) \equiv a \cdot b = 20000$$

Given two vectors $\bar{A}$ and $\bar{B}$, the algebraic definition of the dot product is given by:

$$\bar{A} \cdot \bar{B} = \sum_{i=0}^{n-1} a_i b_i$$

where n is, for instance, the size of the vector (or the number of coefficients of a vector). The dot product is also referred to as the scalar product, inner product or projection product. The point here is to highlight that the dot product is the sum of the products of equivalent coefficients (same index in different objects). In computation, when working with arrays (or lists), there is one operation called "product", which is an array of all combinations of elements from all arrays. The length of the returned array is the product of the lengths of the involved arrays. For clarification, here is an example. Given two arrays u and v, such that:

u =[3,4,5]

v =[8,7,9]


The product of u and v is:

z = product(u,v)

z = [[3,8],[3,7],[3,9],[4,8],[4,7],[4,9],[5,8],[5,7],[5,9]]

If you multiply each pair, you get:

z = [24, 21, 27, 32, 28, 36, 40, 35, 45]

In mathematics, more specifically in Set theory, a Cartesian product is the operation that returns a product set (or simply a product) from multiple sets. Given the sets A and B, the Cartesian product is the set of all ordered pairs (a,b) where $a \in A$ and $b \in B$. The set-builder notation is given by:

$$A \times B = \{(a, b) \mid a \in A \text{ and } b \in B\}$$

This is the mathematical principle implemented in computation for the array product operation. If the multivector coefficients are treated as sets and the Cartesian product is performed, the result is given by:

$$A = \{50, 7, 11, 5, 13, 3, 7, 4\}$$

$$B = \{100, 15, 19, 13, 21, 11, 19, 2\}$$

Then,

$$C = A \times B$$

$$C = \begin{pmatrix}
(50,100), & (50,15), & (50,19), & (50,13), & (50,21), & (50,11), & (50,19), & (50,2), \\
(7,100), & (7,15), & (7,19), & (7,13), & (7,21), & (7,11), & (7,19), & (7,2), \\
(11,100), & (11,15), & (11,19), & (11,13), & (11,21), & (11,11), & (11,19), & (11,2), \\
(5,100), & (5,15), & (5,19), & (5,13), & (5,21), & (5,11), & (5,19), & (5,2), \\
(13,100), & (13,15), & (13,19), & (13,13), & (13,21), & (13,11), & (13,19), & (13,2), \\
(3,100), & (3,15), & (3,19), & (3,13), & (3,21), & (3,11), & (3,19), & (3,2), \\
(7,100), & (7,15), & (7,19), & (7,13), & (7,21), & (7,11), & (7,19), & (7,2), \\
(4,100), & (4,15), & (4,19), & (4,13), & (4,21), & (4,11), & (4,19), & (4,2)
\end{pmatrix}$$

If we multiply each pair we have:

$$C = \left\{\begin{matrix}
5000, & 750, & 950, & 650, & 1050, & 550, & 950, & 100, \\
700, & 105, & 133, & 91, & 147, & 77, & 133, & 14, \\
1100, & 165, & 209, & 143, & 231, & 121, & 209, & 22, \\
500, & 75, & 95, & 65, & 105, & 55, & 95, & 10, \\
1300, & 195, & 247, & 169, & 273, & 143, & 247, & 26, \\
300, & 45, & 57, & 39, & 63, & 33, & 57, & 6, \\
700, & 105, & 133, & 91, & 147, & 77, & 133, & 14, \\
400, & 60, & 76, & 52, & 84, & 44, & 76, & 8
\end{matrix}\right\}$$

If we consider a function "sum" that adds all the items together, we have:

sum (C) = 20000

Then we see that:

$$C = A \times B \equiv sum(C) \equiv a \cdot b = 20000$$

The Cartesian product is not commutative, so

$$A \times B \neq B \times A$$

since the Cartesian product generates a set of ordered pairs, and by changing the order of sets, it changes the order of pairs, except if A = B or if A or B is the empty set. It is important to observe that non-commutativeness does not mean, necessarily, a bad property. In fact, various cryptographic primitives make use of non-commutative (semi)groups as platforms, such as the ground-breaking Anshel-Anshel-Goldfeld protocol [23]. Similarly, the Cartesian product is not associative:

$$(A \times B) \times C \neq A \times (B \times C)$$

for the same reason it is not commutative, except if one of the involved sets is empty. However, its application on multivectors can be very useful for homomorphism since the order of the pairs doesn’t matter, as each member of the pair is an operand of a multiplication and the order of the elements being multiplied does not matter:

$$a \cdot b = b \cdot a$$

$$(a \cdot b) \cdot c = a \cdot (b \cdot c)$$

Considering that the ordered pairs will always generate the same results, no matter the order, the Cartesian product can be useful for homomorphic purposes. Let the coefficients of multivectors $\bar{A}$ and $\bar{B}$, in 3 dimensions, be represented by sets of 8 coefficients as follows:

$$A = \{a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7\}$$

$$B = \{b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7\}$$

The Cartesian product is given by:

$$A \times B = \left\{\begin{matrix}
(a_0 \cdot b_0) + (a_0 \cdot b_1) + (a_0 \cdot b_2) + (a_0 \cdot b_3) + (a_0 \cdot b_4) + (a_0 \cdot b_5) + (a_0 \cdot b_6) + (a_0 \cdot b_7), \\
(a_1 \cdot b_0) + (a_1 \cdot b_1) + (a_1 \cdot b_2) + (a_1 \cdot b_3) + (a_1 \cdot b_4) + (a_1 \cdot b_5) + (a_1 \cdot b_6) + (a_1 \cdot b_7), \\
(a_2 \cdot b_0) + (a_2 \cdot b_1) + (a_2 \cdot b_2) + (a_2 \cdot b_3) + (a_2 \cdot b_4) + (a_2 \cdot b_5) + (a_2 \cdot b_6) + (a_2 \cdot b_7), \\
(a_3 \cdot b_0) + (a_3 \cdot b_1) + (a_3 \cdot b_2) + (a_3 \cdot b_3) + (a_3 \cdot b_4) + (a_3 \cdot b_5) + (a_3 \cdot b_6) + (a_3 \cdot b_7), \\
(a_4 \cdot b_0) + (a_4 \cdot b_1) + (a_4 \cdot b_2) + (a_4 \cdot b_3) + (a_4 \cdot b_4) + (a_4 \cdot b_5) + (a_4 \cdot b_6) + (a_4 \cdot b_7), \\
(a_5 \cdot b_0) + (a_5 \cdot b_1) + (a_5 \cdot b_2) + (a_5 \cdot b_3) + (a_5 \cdot b_4) + (a_5 \cdot b_5) + (a_5 \cdot b_6) + (a_5 \cdot b_7), \\
(a_6 \cdot b_0) + (a_6 \cdot b_1) + (a_6 \cdot b_2) + (a_6 \cdot b_3) + (a_6 \cdot b_4) + (a_6 \cdot b_5) + (a_6 \cdot b_6) + (a_6 \cdot b_7), \\
(a_7 \cdot b_0) + (a_7 \cdot b_1) + (a_7 \cdot b_2) + (a_7 \cdot b_3) + (a_7 \cdot b_4) + (a_7 \cdot b_5) + (a_7 \cdot b_6) + (a_7 \cdot b_7)
\end{matrix}\right\}$$

Now, we have a set with 64 ordered pairs. Since 64 is a multiple of 8, we can see this set as 8 groups of ordered pairs. Each ordered pair will be a multiplication of its members and the result will be added to the multiplication of each other ordered pair in the same subgroup. By doing this, we can use the Cartesian product on multivectors and define the coefficients of the resulting multivector as follows:

A¯ × B¯ =((a0 · b0)+(a0 · b1)+(a0 · b2)+(a0 · b3)+(a0 · b12)+(a0 · b13)+(a0 · b23)+(a0 · b123))e¯0+

((a1 · b0)+(a1 · b1)+(a1 · b2)+(a1 · b3)+(a1 · b12)+(a1 · b13)+(a1 · b23)+(a1 · b123))e¯1+

((a2 · b0)+(a2 · b1)+(a2 · b2)+(a2 · b3)+(a2 · b12)+(a2 · b13)+(a2 · b23)+(a2 · b123))e¯2+

((a3 · b0)+(a3 · b1)+(a3 · b2)+(a3 · b3)+(a3 · b12)+(a3 · b13)+(a3 · b23)+(a3 · b123))e¯3+

((a12 · b0)+(a12 · b1)+(a12 · b2)+(a12 · b3)+(a12 · b12)+(a12 · b13)+(a12 · b23)+(a12 · b123))e¯12+

((a13 · b0)+(a13 · b1)+(a13 · b2)+(a13 · b3)+(a13 · b12)+(a13 · b13)+(a13 · b23)+(a13 · b123))e¯13+

((a23 · b0)+(a23 · b1)+(a23 · b2)+(a23 · b3)+(a23 · b12)+(a23 · b13)+(a23 · b23)+(a23 · b123))e¯23+

((a123 · b0)+(a123 · b1)+(a123 · b2)+(a123 · b3)+(a123 · b12)+(a123 · b13)+(a123 · b23)+(a123 · b123))e¯123

Let $s\left(\bar{M}\right)$ be the function that sums all coefficients of the multivector, which yields the input scalar it represents. Let a and b be scalars. By applying the Cartesian product on multivectors, the following is true:

$$a \cdot b \equiv s\left(\bar{A} \times \bar{B}\right)$$

What if the Cartesian product could be used as an encryption primitive? Would the product of two encrypted multivectors, when decrypted, also be isomorphic to the multiplication of the two original scalars? In order to apply an encryption primitive based on the Cartesian product, it is necessary to find the solution for the inverse of a multivector that also applies the Cartesian product. The current multivector inverse formula of EDCHE will not work, since it is based on the geometric product. It was not possible to find an inverse for the multivector using current methods of blade reduction. As it happens with the geometric product, some multivectors have no inverse. From what could be observed, by applying the Cartesian product operation, it is not possible to find an inverse. However, this is not an assertion that there is no formula for a multivector inverse using the Cartesian product. Without a formula that calculates the inverse of a multivector using the Cartesian product, the solution was to build the inverse operation of the Cartesian product. So, for the specific use with EDCHE, the formula of the inverse of the Cartesian product is as follows:

given

$$\bar{C} = \bar{A} \times \bar{B}$$

the inverse of the Cartesian product, for which the notation $\times^{-1}$ is here applied, is given by

$$\begin{aligned}
\bar{A} = \bar{C} \times^{-1} \bar{B} = {} & \left(\frac{c_0}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_0 + {} \\
& \left(\frac{c_1}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_1 + {} \\
& \left(\frac{c_2}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_2 + {} \\
& \left(\frac{c_3}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_3 + {} \\
& \left(\frac{c_{12}}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_{12} + {} \\
& \left(\frac{c_{13}}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_{13} + {} \\
& \left(\frac{c_{23}}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_{23} + {} \\
& \left(\frac{c_{123}}{b_0 + b_1 + b_2 + b_3 + b_{12} + b_{13} + b_{23} + b_{123}}\right)\bar{e}_{123}
\end{aligned}$$

Since the denominator is the sum of all the coefficients of the multivector that plays the role of the secret key, for each coefficient, we can generalize the operation as:

$$\frac{c_i}{s\left(\bar{B}\right)}$$

And why does this work? Because all the coefficients generated by the Cartesian product are divisible by (or multiples of) the sum of all the coefficients of the multivector that plays the role of the secret key. So let’s create the encryption and decryption process using the Cartesian product. In order to make it work, I changed the order of the multivector in the triple product.

Given that we have two secret keys, $\bar{S}_1$ and $\bar{S}_2$, the encryption of $\bar{A}$ and $\bar{B}$ is given by:

$$\bar{C}_{\bar{A}} = \bar{A} \times \bar{S}_1 \times \bar{S}_2$$

$$\bar{C}_{\bar{B}} = \bar{B} \times \bar{S}_1 \times \bar{S}_2$$

Let the encryption function powered by the Cartesian product be f (x). The following is true:

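$$f\left(\bar{A} + \bar{B}\right) = f\left(\bar{A}\right) + f\left(\bar{B}\right)$$

$$f\left(\bar{A} \times \bar{B}\right) = f\left(\bar{A}\right) \times f\left(\bar{B}\right)$$

and since it is shown that $a \cdot b \equiv s\left(\bar{A} \times \bar{B}\right)$, the Cartesian product plays the role of the multiplication, which allows EDCHE to be a fully homomorphic encryption solution. If two encrypted multivectors are added, the decryption is given by:

$$\bar{C}_{\bar{C}} = \bar{C}_{\bar{A}} + \bar{C}_{\bar{B}}$$

$$\bar{A} + \bar{B} = \bar{C}_{\bar{C}} \times^{-1} \bar{S}_1 \times^{-1} \bar{S}_2$$

If two encrypted multivectors are multiplied, the decryption is given by:

$$\bar{C}_{\bar{C}} = \bar{C}_{\bar{A}} \times \bar{C}_{\bar{B}}$$

$$\bar{A} \times \bar{B} = \bar{C}_{\bar{C}} \times^{-1} \bar{S}_1 \times^{-1} \bar{S}_2 \times^{-1} \bar{S}_1 \times^{-1} \bar{S}_2$$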

Using the Cartesian product with multivectors provides not only one more encryption primitive and additional tools for EDCHE but also the credentials for a FHE scheme.
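The Cartesian-product encryption, its inverse operation and both decryption rules from this section, written out as an added sketch (not code from the thesis or from EDCHE). Section 5.7 prints no keys, so the Section 5.6 keys are reused as sample values, and the function names are hypothetical.

```python
from fractions import Fraction


def s(m):
    """Scalar represented by a multivector: the sum of its coefficients."""
    return sum(m)


def cart(a, b):
    """Cartesian product on multivectors: c_i = a_i*b_0 + a_i*b_1 + ... + a_i*b_123."""
    return [sum(ai * bj for bj in b) for ai in a]


def cart_inv(c, b):
    """Inverse operation from the page: every coefficient c_i divided by s(B)."""
    total = s(b)
    if total == 0:
        raise ZeroDivisionError("key coefficients sum to 0: operation cannot be undone")
    return [Fraction(ci, total) for ci in c]


def encrypt(m, s1, s2):
    """C = M x S1 x S2 (message first, as the section specifies)."""
    return cart(cart(m, s1), s2)


def decrypt(c, s1, s2):
    """M = C x^-1 S1 x^-1 S2, used for a single ciphertext or a sum of ciphertexts."""
    return cart_inv(cart_inv(c, s1), s2)


def decrypt_product(c, s1, s2):
    """A x B = C x^-1 S1 x^-1 S2 x^-1 S1 x^-1 S2, used after multiplying two ciphertexts."""
    return decrypt(decrypt(c, s1, s2), s1, s2)


def key_scalar(s1, s2):
    """Both keys enter the ciphertext only through this one scalar: C = k * M."""
    return s(s1) * s(s2)


def add(x, y):
    return [xi + yi for xi, yi in zip(x, y)]


# Plaintext multivectors from Section 5.7 (a = 100, b = 200).
A = [50, 7, 11, 5, 13, 3, 7, 4]
B = [100, 15, 19, 13, 21, 11, 19, 2]
# Sample keys: the Section 5.6 key coefficients, reused here as an assumption.
S1 = [12, 14, 15, 17, 21, 23, 24, 25]
S2 = [31, 33, 24, 27, 32, 28, 39, 23]


def demo():
    ca, cb = encrypt(A, S1, S2), encrypt(B, S1, S2)
    total = decrypt(add(ca, cb), S1, S2)               # decrypts to A + B
    product = decrypt_product(cart(ca, cb), S1, S2)    # decrypts to A x B
    return {
        "ciphertext_A": ca,
        "sum_scalar": s(total),        # a + b
        "product_scalar": s(product),  # a * b
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Because `cart(a, b)` equals `a` scaled by `s(b)`, a key whose coefficients sum to 0 maps every message to the zero multivector, which is why `cart_inv` rejects it.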

5.8 Multiplicative Homomorphism With the Edge Product

Recall the geometric product of A¯ and B¯ can be expressed as:

$$\bar{A}\bar{B} = \bar{A} \cdot \bar{B} + \bar{A} \wedge \bar{B}$$

where $\bar{A} \cdot \bar{B}$ is the dot product of $\bar{A}$ and $\bar{B}$ and $\bar{A} \wedge \bar{B}$ is the wedge product of $\bar{A}$ and $\bar{B}$. The geometric product is indeed a powerful resource of Geometric Algebra, being without a doubt the main operation of most solutions created with EDCHE. However, as mentioned in previous sections, it is not the only possible product. For achieving different goals, it is possible to create new types of product or make changes to existing ones.

Given that

A¯ = a0e¯0 + a1e¯1 + a2e¯2 + a3e¯3 + a12e¯12 + a23e¯23 + a13e¯13 + a123e¯123

B¯ = b0e¯0 + b1e¯1 + b2e¯2 + b3e¯3 + b12e¯12 + b23e¯23 + b13e¯13 + b123e¯123

the geometric product of C¯ = A¯B¯ will define the following coefficients of C¯:

$$\bar{C} = \begin{cases}
c_0 = a_0b_0 + a_1b_1 + a_2b_2 + a_3b_3 - a_{12}b_{12} - a_{23}b_{23} - a_{13}b_{13} - a_{123}b_{123} \\
c_1 = a_0b_1 + a_1b_0 - a_2b_{12} - a_3b_{13} + a_{12}b_2 - a_{23}b_{123} + a_{13}b_3 - a_{123}b_{23} \\
c_2 = a_0b_2 + a_1b_{12} + a_2b_0 - a_3b_{23} - a_{12}b_1 + a_{23}b_3 + a_{13}b_{123} + a_{123}b_{13} \\
c_3 = a_0b_3 - a_1b_{13} + a_2b_{23} + a_3b_0 - a_{12}b_{123} - a_{23}b_2 - a_{13}b_1 + a_{123}b_{12} \\
c_{12} = a_0b_{12} + a_1b_2 - a_2b_1 + a_3b_{123} + a_{12}b_0 + a_{23}b_{13} - a_{13}b_{23} + a_{123}b_3 \\
c_{23} = a_0b_{23} + a_1b_{123} + a_2b_3 - a_3b_2 - a_{12}b_{13} + a_{23}b_0 + a_{13}b_{12} + a_{123}b_1 \\
c_{13} = a_0b_{13} + a_1b_3 - a_2b_{123} - a_3b_1 + a_{12}b_{23} - a_{23}b_{12} + a_{13}b_0 - a_{123}b_2 \\
c_{123} = a_0b_{123} + a_1b_{23} - a_2b_{13} + a_3b_{12} + a_{12}b_3 + a_{23}b_1 - a_{13}b_2 + a_{123}b_0
\end{cases}$$

A new product can be derived from the geometric product. It is called here the "edge product", identified as the operation $\diamond$, and it is defined as:

$$\bar{A} \diamond \bar{B} = \bar{A} \cdot \bar{B} + \left|\bar{A} \wedge \bar{B}\right|$$

Notice that the only modification consists of obtaining the absolute value of the wedge product. By doing so, the edge product will not generate any negative value. So another way of seeing the edge product is as the geometric product version with no negative signs generated by the wedge operation.

So the edge product formula is given by:

$$\bar{A} \diamond \bar{B} = \bar{C} = \begin{cases}
c_0 = a_0b_0 + a_1b_1 + a_2b_2 + a_3b_3 + a_{12}b_{12} + a_{23}b_{23} + a_{13}b_{13} + a_{123}b_{123} \\
c_1 = a_0b_1 + a_1b_0 + a_2b_{12} + a_3b_{13} + a_{12}b_2 + a_{23}b_{123} + a_{13}b_3 + a_{123}b_{23} \\
c_2 = a_0b_2 + a_1b_{12} + a_2b_0 + a_3b_{23} + a_{12}b_1 + a_{23}b_3 + a_{13}b_{123} + a_{123}b_{13} \\
c_3 = a_0b_3 + a_1b_{13} + a_2b_{23} + a_3b_0 + a_{12}b_{123} + a_{23}b_2 + a_{13}b_1 + a_{123}b_{12} \\
c_{12} = a_0b_{12} + a_1b_2 + a_2b_1 + a_3b_{123} + a_{12}b_0 + a_{23}b_{13} + a_{13}b_{23} + a_{123}b_3 \\
c_{23} = a_0b_{23} + a_1b_{123} + a_2b_3 + a_3b_2 + a_{12}b_{13} + a_{23}b_0 + a_{13}b_{12} + a_{123}b_1 \\
c_{13} = a_0b_{13} + a_1b_3 + a_2b_{123} + a_3b_1 + a_{12}b_{23} + a_{23}b_{12} + a_{13}b_0 + a_{123}b_2 \\
c_{123} = a_0b_{123} + a_1b_{23} + a_2b_{13} + a_3b_{12} + a_{12}b_3 + a_{23}b_1 + a_{13}b_2 + a_{123}b_0
\end{cases}$$

Similarly to the Cartesian product on multivectors, the edge product allows multiplicative homomorphism on encrypted data. So the triple product encryption primitive for allowing multiplicative homomorphism without any penalty for the other homomorphic operation is given by:

let $\bar{S}_1$ and $\bar{S}_2$ be the secret key multivectors. A message multivector $\bar{M}$ will be encrypted as

$$\bar{C} = \bar{S}_1 \diamond \bar{M} \diamond \bar{S}_2$$

No inverse was found during this research for the resulting multivector of an edge product operation. However, it is possible to expand the multivectors to an 8x8 matrix and execute a matrix inversion on the secret key matrices. The resulting matrix is then reduced to a multivector format and the result of the decryption is obtained. Let $m\left(\bar{M}\right)$ be the function that operates an expansion from a multivector to an 8x8 matrix and let $\bar{M}_m$ be the multivector in matrix format. The decryption using the edge product is given by: let

$$\bar{C}_m = m\left(\bar{C}\right)$$

$$\bar{S}_{1m} = m\left(\bar{S}_1\right)$$

$$\bar{S}_{2m} = m\left(\bar{S}_2\right)$$

then

$$\bar{M} = \bar{S}_{1m}^{-1} \diamond \bar{C}_m \diamond \bar{S}_{2m}^{-1}$$

where $\diamond$ operating on multivectors expanded as matrices should be understood as a regular 8x8 matrix multiplication. Matrices are powerful mathematics resources. They are used to solve problems in electronics, optics, quantum mechanics, statistics, robotics, linear programming, optimization, genetics, among many others. The calculus used on matrices is a mathematical tool that can be used in connection with linear equations, linear transformations, systems of differential equations, to cite just a few [3].
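How the edge-product primitive and its matrix-based decryption fit together, as an added sketch (not code from the thesis or from EDCHE). It assumes m(K) is the 8x8 matrix of left edge-multiplication by K, solves the linear system instead of forming the inverse matrix, and uses constructed keys; coefficients are indexed by blade bitmask and the function names are hypothetical.

```python
from fractions import Fraction

# Coefficients are indexed by blade bitmask (e1=1, e2=2, e3=4), that is, in the
# order e0, e1, e2, e12, e3, e13, e23, e123.


def edge(a, b):
    """Edge product: the all-plus coefficient table, i.e. c[i ^ j] += a[i] * b[j].

    Every term of the table pairs two blades whose bitmasks XOR to the target
    blade, so the product is commutative and associative (a property of this
    XOR convolution that is used below).
    """
    out = [0] * 8
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i ^ j] += ai * bj
    return out


def expand(k):
    """Assumed m(K): the 8x8 matrix M with M @ x == edge(K, x)."""
    return [[k[t ^ j] for j in range(8)] for t in range(8)]


def solve(key, c):
    """Return x with edge(key, x) == c, by exact Gauss-Jordan elimination on m(key)."""
    n = 8
    aug = [[Fraction(v) for v in row] + [Fraction(ci)]
           for row, ci in zip(expand(key), c)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("m(key) is singular: this key cannot be used to decrypt")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        aug[col] = [v / aug[col][col] for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [vr - f * vc for vr, vc in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def encrypt(m, s1, s2):
    """C = S1 <> M <> S2."""
    return edge(edge(s1, m), s2)


def decrypt(c, s1, s2):
    """Undo both key factors by solving two linear systems."""
    return solve(s1, solve(s2, c))


def add(x, y):
    return [xi + yi for xi, yi in zip(x, y)]


# Section 5.7's A and B (a = 100, b = 200), reordered to bitmask index.
M_A = [50, 7, 11, 13, 5, 3, 7, 4]
M_B = [100, 15, 19, 21, 13, 11, 19, 2]
# Constructed sample keys, chosen so that m(S1) and m(S2) are invertible.
S1 = [3, 1, 4, 1, 5, 9, 2, 6]
S2 = [2, 7, 1, 8, 2, 8, 1, 8]


def product_demo():
    """Multiply two ciphertexts, then remove the key factor S1 <> S2 twice."""
    ca, cb = encrypt(M_A, S1, S2), encrypt(M_B, S1, S2)
    k = edge(S1, S2)
    return solve(k, solve(k, edge(ca, cb)))


if __name__ == "__main__":
    p = product_demo()
    print("decrypted product:", [int(v) for v in p], "-> scalar", sum(p))
```

Keys such as `[1, 1, 0, 0, 0, 0, 0, 0]` expand to a singular matrix, so `solve` raises instead of returning a wrong plaintext.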

5.9 Conclusion

The illustrations present in this chapter aim to describe the core fully homomorphic resources available in EDCHE. Out of the fundamental mathematical operations and basic routines, one can be inspired to extend them to perform complex operations on encrypted data. The selected encryption primitive for the examples is the geometric triple product, just as a matter of illustration. The examples also work with Sylvester’s equation. The existing primitives may be extended while keeping their homomorphic properties. New encryption primitives might be constructed and in this case, it is always required to check the preservation of the algebraic structures between plaintext and ciphertext data. The Dynamic Packing Scheme is introduced, adding a layer of security by producing a different ciphertext when encrypting the same plaintext multiple times. Examples of the building blocks of any mathematical operation are discussed using different components of Geometric Algebra. One of these components is the Rationalize, a one way function that generates a scalar from a multivector. It is not only a fundamental piece of the multivector’s inverse formula (since a multivector that does not produce a Rationalize, yielding 0, has no inverse), but also one more element of the homomorphic properties of EDCHE. Multiplicative homomorphism is introduced in many ways, from the use of the geometric product with multivectors originally packed as complex numbers, to the application of new products such as the Cartesian product and the edge product. EDCHE is an intrinsic fully homomorphic encryption solution, extrinsically symmetric, and its encryption primitives allow a series of homomorphic operations on encrypted data without penalty to security. All the examples shown in this chapter illustrate some ways of achieving a FHE status, but not all. It is clear that EDCHE, as a framework, does not have certain limitations and constraints of specific cryptographic algorithms (as a computational recipe). Instead, EDCHE provides a tool-belt for creating many algorithms. In the graph below there is a quick summary of the main homomorphic properties of EDCHE.

CHAPTER 6

EDCHE Applications

6.1 Introduction

In 1978, Rivest et al introduced a discussion on privacy homomorphisms [25]. The motivation was to investigate the viability of performing computations on encrypted data without decrypting it. The initial illustration was a small loan company with a “data bank” containing sensitive information which should be kept private. Programmers would have access to sensitive information, which could represent a privacy issue for the company. For this reason, all the contents of the data bank are encrypted and should never be decrypted, even under manipulation by those without the proper access privileges. With that in mind, and with the ability to achieve such a condition, the loan company would be able to answer the following questions:

1. What is the size of the average loan outstanding?

2. How much income from loan payments is expected next month?

3. How many loans over $5,000 have been granted?

The preferred solution for this problem would be one that did not require decryption of the data in order to allow the computation of the answers to these questions. It would be the encryption function used that would permit the computer system to operate on the data without decrypting it. This chapter shows sample applications of the homomorphic operations that can be extended to any complex scenario by combining the mathematics resources of EDCHE, starting with additive, scalar multiplicative and multiplicative homomorphism, and going through extra functionalities such as homomorphic search and numeric and alphanumeric homomorphic sorting.

6.2 Additive Homomorphism

Consider the scenario where the owner of an online store encrypts and stores information about products in the cloud. When some products are selected, the owner wants to know the total amount of that selection, which is the sum of the value of each product. Let the product values be p1 = 37, p2 = 49, and p3 = 82, and, by using the DPS, the three multivectors representing the three input scalars are defined as follows:

$$\bar{P}_1 = 18 - 5\bar{e}_1 + 4\bar{e}_2 + 5\bar{e}_3 + 6\bar{e}_{12} + 7\bar{e}_{13} + 8\bar{e}_{23} + 9\bar{e}_{123}$$

$$\bar{P}_2 = 14 - 1\bar{e}_1 + 12\bar{e}_2 + 0\bar{e}_3 + 11\bar{e}_{12} + 1\bar{e}_{13} + 13\bar{e}_{23} - 1\bar{e}_{123}$$

$$\bar{P}_3 = 23 - 1\bar{e}_1 + 19\bar{e}_2 + 1\bar{e}_3 + 22\bar{e}_{12} - 2\bar{e}_{13} + 20\bar{e}_{23} + 0\bar{e}_{123}$$

Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertexts are generated:

$$\bar{C}_{\bar{P}_1} = \bar{S}_1\bar{P}_1\bar{S}_2$$

$$\bar{C}_{\bar{P}_2} = \bar{S}_1\bar{P}_2\bar{S}_2$$

$$\bar{C}_{\bar{P}_3} = \bar{S}_1\bar{P}_3\bar{S}_2$$

which yields:

$$\bar{C}_{\bar{P}_1} = -3182657\bar{e}_0 + 888628\bar{e}_1 + 3902276\bar{e}_2 + 4180562\bar{e}_3 + 2506441\bar{e}_{12} + 2225169\bar{e}_{13} + 3895704\bar{e}_{23} - 1636978\bar{e}_{123}$$

$$\bar{C}_{\bar{P}_2} = -1580389\bar{e}_0 + 139902\bar{e}_1 + 2879839\bar{e}_2 + 2162653\bar{e}_3 + 2023597\bar{e}_{12} + 939383\bar{e}_{13} + 2723867\bar{e}_{23} - 1303197\bar{e}_{123}$$

$$\bar{C}_{\bar{P}_3} = -2979305\bar{e}_0 + 534301\bar{e}_1 + 3635961\bar{e}_2 + 3831367\bar{e}_3 + 2517914\bar{e}_{12} + 1819570\bar{e}_{13} + 3611624\bar{e}_{23} - 1657788\bar{e}_{123}$$

Let C¯sum be the sum of all encrypted product values:

$$\bar{C}_{sum} = \bar{C}_{\bar{P}_1} + \bar{C}_{\bar{P}_2} + \bar{C}_{\bar{P}_3}$$

$$\bar{C}_{sum} = -7742351\bar{e}_0 + 1562831\bar{e}_1 + 10418076\bar{e}_2 + 10174582\bar{e}_3 + 7047952\bar{e}_{12} + 4984122\bar{e}_{13} + 10231195\bar{e}_{23} - 4597963\bar{e}_{123}$$

The online store’s owner will decrypt the sum and generate the actual sum of the unencrypted product values, which is $\bar{P}_{sum}$:

$$\bar{P}_{sum} = \bar{S}_1^{-1}\bar{C}_{sum}\bar{S}_2^{-1}$$

$$\bar{P}_{sum} = 55\bar{e}_0 - 7\bar{e}_1 + 48\bar{e}_2 - 8\bar{e}_3 + 52\bar{e}_{12} - 12\bar{e}_{13} + 49\bar{e}_{23} - 9\bar{e}_{123}$$

The sum of the coefficients of $\bar{P}_{sum}$, which is the same as the scalar representation of the multivector $\bar{P}_{sum}$, equals 168. We can see that:

P¯1 + P¯2 + P¯3 = P¯sum

and also that

$$p_1 + p_2 + p_3 = 37 + 49 + 82 = s\left(\bar{P}_{sum}\right) = 168$$

6.3 Scalar Multiplicative Homomorphism

For the scalar multiplicative example, consider that Alice has an investment i = 1500 and that the simple monthly interest rate is r = 0.008. The investment, represented as a multivector using the DPS, is given by:

$$\bar{I} = 426 - 48\bar{e}_1 + 382\bar{e}_2 - 8\bar{e}_3 + 351\bar{e}_{12} + 23\bar{e}_{13} + 409\bar{e}_{23} - 35\bar{e}_{123}$$


Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertext is generated:

$$\bar{C}_{\bar{I}} = \bar{S}_1\bar{I}\bar{S}_2$$

which yields:

$$\bar{C}_{\bar{I}} = -50257888\bar{e}_0 + 4693568\bar{e}_1 + 90971274\bar{e}_2 + 68808898\bar{e}_3 + 63847659\bar{e}_{12} + 30119057\bar{e}_{13} + 86087739\bar{e}_{23} - 41147113\bar{e}_{123}$$

In order to test the scalar multiplicative homomorphic properties of EDCHE, the interest rate r will be applied to the encrypted investment. That would be done by the cloud. When Alice gets the calculated information from the cloud, she will decrypt the information and see the difference in the amount she invested. So she will obtain the profit. The interest rate applied to the encrypted investment is calculated as follows:

$$\bar{C}'_{\bar{I}} = \bar{C}_{\bar{I}} \cdot r$$

which yields

$$\bar{C}'_{\bar{I}} = -402063.104\bar{e}_0 + 37548.544\bar{e}_1 + 727770.192\bar{e}_2 + 550471.184\bar{e}_3 + 510781.272\bar{e}_{12} + 240952.456\bar{e}_{13} + 688701.912\bar{e}_{23} - 329176.904\bar{e}_{123}$$

Alice then receives the investment after, say, one month. She will decrypt it and obtain how much she earned on top of the original investment:

$$\bar{I}' = 3.408 - 0.384\bar{e}_1 + 3.056\bar{e}_2 - 0.064\bar{e}_3 + 2.808\bar{e}_{12} + 0.184\bar{e}_{13} + 3.272\bar{e}_{23} - 0.280\bar{e}_{123}$$

The sum of the coefficients of the $\bar{I}'$ multivector is given by:

$$s\left(\bar{I}'\right) = s\left(\bar{I}\right) \cdot r = 1500 \cdot 0.008 = 12$$

Alice sent one encrypted investment to the cloud. After a while, she needed to know the updated value of her investment. The cloud applies a public interest rate to the encrypted investment and sends the result (the difference on the investment) to Alice.

6.4 Multiplicative Homomorphism

The use of a particular encryption primitive allows a whole range of operations within the homomorphic encryption spectrum. So far, the majority of EDCHE examples and applications are powered by encryption primitives based on the geometric product, more specifically, the triple product. In order to show the variety of operations allowed by EDCHE as a mathematical framework, the multiplicative homomorphic capabilities of EDCHE were discussed in the previous chapter using the Rationalize and the Cartesian product applied to multivectors. Additionally, the edge product was introduced as a multiplicative homomorphic solution for encryption. In this Section one more option will be discussed, which is based on a complex-like multivector packing that allows a new way to achieve multiplicative homomorphism. Current implementations of EDCHE require that commutative properties be preserved, that is $\bar{A}\bar{B} = \bar{B}\bar{A}$

For this particular implementation of multivector multiplication, a packing scheme is required that is more restrictive than the schemes used in the other homomorphic functions (add, scalar multiply, etc.). For multivector multiplication in 3D, the message data is packed only in the scalar and the trivector (essentially a complex number vector). This packing is termed “Complex Packing.” Under this packing scheme, are the unused (zero value) coefficients in the resulting message multivector a concern? The answer requires further hardness testing under these conditions. Higher multivector dimensions are currently under evaluation, as well as alternative packing schemes and number theoretic remedies, if necessary.

To demonstrate by way of example, consider the following two messages:

m1 = 13789

m2 = 43873

The above messages will be represented as multivectors using only the scalar and the trivector, so they commute:

M¯ 1 = 6894e¯0 +0e¯1 +0e¯2 +0e¯3 +0e¯12 +0e¯13 +0e¯23 + 6895e¯123

M¯ 2 = 21936e¯0 +0e¯1 +0e¯2 +0e¯3 +0e¯12 +0e¯13 +0e¯23 + 21937e¯123

Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertexts are generated:

$$\bar{C}_1 = \bar{S}_1\bar{M}_1\bar{S}_2$$

$$\bar{C}_2 = \bar{S}_1\bar{M}_2\bar{S}_2$$

which yields

$$\bar{C}_1 = 554790632\bar{e}_0 - 1233240352\bar{e}_1 + 574791171\bar{e}_2 - 864162679\bar{e}_3 + 1129097862\bar{e}_{12} - 1281350044\bar{e}_{13} + 196300397\bar{e}_{23} - 815744588\bar{e}_{123}$$

$$\bar{C}_2 = 1765069952\bar{e}_0 - 3923817934\bar{e}_1 + 1829038257\bar{e}_2 - 2749361497\bar{e}_3 + 3592631496\bar{e}_{12} - 4076830534\bar{e}_{13} + 624771767\bar{e}_{23} - 2595574196\bar{e}_{123}$$

In order to test the multiplicative homomorphic properties of EDCHE, the direct geometric product of the messages and of the ciphertexts will be performed in order to verify its consistency with regard to manipulating the encrypted data and recovering meaningful data for the intended party. The product of the messages is calculated as follows:

P¯ = M¯ 1M¯ 2

$$\bar{P} = -28831\bar{e}_0 + 0\bar{e}_1 + 0\bar{e}_2 + 0\bar{e}_3 + 0\bar{e}_{12} + 0\bar{e}_{13} + 0\bar{e}_{23} + 302482398\bar{e}_{123}$$

Similarly, with the encrypted data

$$\bar{C}_{\bar{P}} = \bar{C}_1\bar{C}_2 = -2274782551608685953\bar{e}_0 - 3334486487582694584\bar{e}_1 + 8680771469713716832\bar{e}_2 + 2810699394046495088\bar{e}_3 + 8471870119684547416\bar{e}_{12} - 1539518658244108744\bar{e}_{13} + 7094901534855055872\bar{e}_{23} - 5942539080121722006\bar{e}_{123}$$

So, considering that Alice encrypted and sent M¯ 1 and M¯ 2 to the cloud, and for any reason she would like to get the product of the two messages, the cloud will perform the product of the two encrypted messages and send to Alice. For homomorphic purposes, the decryption process will have two steps. The first step

0 recovers P¯ and the second step will recover P¯.

¯0 ¯−1 ¯ ¯−1 P = S1 CP¯S2 = 30064876330508e¯ + 30242289788053e¯ + 6046943412438e¯ 0 − 1 − 2 + 39321118633964e¯ + 7197384332743e¯ + 38268287050819e¯ − 3 − 12 − 13 + 7389484859004e¯ + 5723731188184e¯ 23 − 123

The actual product of the messages is recovered as follows:

$$\bar{P} = \bar{S}_2^{-1}\bar{P}'\bar{S}_1^{-1} = -28831\bar{e}_0 + 0\bar{e}_1 + 0\bar{e}_2 + 0\bar{e}_3 + 0\bar{e}_{12} + 0\bar{e}_{13} + 0\bar{e}_{23} + 302482398\bar{e}_{123}$$


The messages can be rewritten in terms of the product multivector as follows:

$$\bar{M}_1 = \bar{P}\bar{M}_2^{-1}$$

$$\bar{M}_2 = \bar{M}_1^{-1}\bar{P}$$

6.5 Homomorphic Search

In this Section it will be demonstrated how to homomorphically search over encrypted data with EDCHE. Alice receives sales reports and stores them in the cloud. Let the following multivectors represent the reports:

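$$\bar{R}_1 = 10\bar{e}_0 - 2\bar{e}_1 + 9\bar{e}_2 - 1\bar{e}_3 + 11\bar{e}_{12} - 3\bar{e}_{13} + 10\bar{e}_{23} - 2\bar{e}_{123}$$

$$\bar{R}_2 = 13\bar{e}_0 - 1\bar{e}_1 + 10\bar{e}_2 + 0\bar{e}_3 + 12\bar{e}_{12} - 2\bar{e}_{13} + 10\bar{e}_{23} + 0\bar{e}_{123}$$

$$\bar{R}_3 = 23\bar{e}_0 - 7\bar{e}_1 + 21\bar{e}_2 - 9\bar{e}_3 + 20\bar{e}_{12} - 8\bar{e}_{13} + 20\bar{e}_{23} - 8\bar{e}_{123}$$

$$\bar{R}_4 = 24\bar{e}_0 - 4\bar{e}_1 + 21\bar{e}_2 - 7\bar{e}_3 + 21\bar{e}_{12} - 7\bar{e}_{13} + 16\bar{e}_{23} - 2\bar{e}_{123}$$

$$\bar{R}_5 = 19\bar{e}_0 - 1\bar{e}_1 + 19\bar{e}_2 - 1\bar{e}_3 + 21\bar{e}_{12} - 3\bar{e}_{13} + 20\bar{e}_{23} - 2\bar{e}_{123}$$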

Given the following secret key multivectors:

$$\bar{S}_1 = 201\bar{e}_0 - 180\bar{e}_1 + 234\bar{e}_2 - 218\bar{e}_3 + 227\bar{e}_{12} - 211\bar{e}_{13} + 150\bar{e}_{23} - 134\bar{e}_{123}$$

$$\bar{S}_2 = 184\bar{e}_0 - 157\bar{e}_1 + 147\bar{e}_2 - 125\bar{e}_3 + 253\bar{e}_{12} - 231\bar{e}_{13} + 150\bar{e}_{23} - 128\bar{e}_{123}$$

and applying the triple product encryption primitive, the following ciphertexts are generated:

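$$\bar{C}_{\bar{R}_1} = \bar{S}_1\bar{R}_1\bar{S}_2$$

$$\bar{C}_{\bar{R}_2} = \bar{S}_1\bar{R}_2\bar{S}_2$$

$$\bar{C}_{\bar{R}_3} = \bar{S}_1\bar{R}_3\bar{S}_2$$

$$\bar{C}_{\bar{R}_4} = \bar{S}_1\bar{R}_4\bar{S}_2$$

$$\bar{C}_{\bar{R}_5} = \bar{S}_1\bar{R}_5\bar{S}_2$$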


which yields

$$\bar{C}_{\bar{R}_1} = -1764240\bar{e}_0 + 537404\bar{e}_1 + 1814881\bar{e}_2 + 2284839\bar{e}_3 + 1129795\bar{e}_{12} + 1251789\bar{e}_{13} + 1882998\bar{e}_{23} - 743862\bar{e}_{123}$$

$$\bar{C}_{\bar{R}_2} = -1605097\bar{e}_0 + 175085\bar{e}_1 + 1997405\bar{e}_2 + 2033745\bar{e}_3 + 1469453\bar{e}_{12} + 876765\bar{e}_{13} + 1950396\bar{e}_{23} - 980246\bar{e}_{123}$$

$$\bar{C}_{\bar{R}_3} = -3290103\bar{e}_0 + 402513\bar{e}_1 + 5595677\bar{e}_2 + 4454007\bar{e}_3 + 3932488\bar{e}_{12} + 2002832\bar{e}_{13} + 5293488\bar{e}_{23} - 2559552\bar{e}_{123}$$

$$\bar{C}_{\bar{R}_4} = -2397036\bar{e}_0 - 363788\bar{e}_1 + 4693781\bar{e}_2 + 3116017\bar{e}_3 + 3726283\bar{e}_{12} + 890791\bar{e}_{13} + 4242000\bar{e}_{23} - 2460662\bar{e}_{123}$$

$$\bar{C}_{\bar{R}_5} = -2944779\bar{e}_0 + 911913\bar{e}_1 + 3384830\bar{e}_2 + 3865300\bar{e}_3 + 2073320\bar{e}_{12} + 2132750\bar{e}_{13} + 3463414\bar{e}_{23} - 1332052\bar{e}_{123}$$

All encrypted reports are sent by Alice to the cloud. Now, Alice wants to perform a very basic search. After a while, she wants to know if the report $\bar{R}_3$ is in the cloud and if it is, she would like to retrieve it.

So Alice will send to the cloud the Rationalize of $\bar{R}_3$, which is a one-way 0-blade reduction operation. She can keep it in her local records, since it is not the information itself; instead, it can work as a "fingerprint" of the original information. It is calculated as follows:

$$R(\bar{R}_3) = \left(\bar{R}_3\overline{\bar{R}_3}\right)\left(\bar{R}_3\overline{\bar{R}_3}\right)^{\dagger} = 578660$$


For clarification, let $R(\bar{R}_3)$ now be $q$, which stands for the part of the query that will be performed on the cloud in order to find the desired report. So,

$$q = R(\bar{R}_3) = 578660$$

So Alice sends $q$ to the cloud as her search criteria. The cloud has the ability of calculating the Rationalize for each encrypted report. The Rationalize by itself does not reveal anything from the plaintext multivector. The Rationalize of the encrypted multivector is calculated as follows:

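$$R(\bar{C}_{\bar{R}_1}) = \left(\bar{C}_{\bar{R}_1}\overline{\bar{C}_{\bar{R}_1}}\right)\left(\bar{C}_{\bar{R}_1}\overline{\bar{C}_{\bar{R}_1}}\right)^{\dagger} = 21422551223794144625920$$

$$R(\bar{C}_{\bar{R}_2}) = \left(\bar{C}_{\bar{R}_2}\overline{\bar{C}_{\bar{R}_2}}\right)\left(\bar{C}_{\bar{R}_2}\overline{\bar{C}_{\bar{R}_2}}\right)^{\dagger} = 36635836781739658904480$$

$$R(\bar{C}_{\bar{R}_3}) = \left(\bar{C}_{\bar{R}_3}\overline{\bar{C}_{\bar{R}_3}}\right)\left(\bar{C}_{\bar{R}_3}\overline{\bar{C}_{\bar{R}_3}}\right)^{\dagger} = 211455606767888914595300$$

$$R(\bar{C}_{\bar{R}_4}) = \left(\bar{C}_{\bar{R}_4}\overline{\bar{C}_{\bar{R}_4}}\right)\left(\bar{C}_{\bar{R}_4}\overline{\bar{C}_{\bar{R}_4}}\right)^{\dagger} = 241313579874360188631440$$

$$R(\bar{C}_{\bar{R}_5}) = \left(\bar{C}_{\bar{R}_5}\overline{\bar{C}_{\bar{R}_5}}\right)\left(\bar{C}_{\bar{R}_5}\overline{\bar{C}_{\bar{R}_5}}\right)^{\dagger} = 264566168907392206420000$$

Since Alice already sent $q$, the cloud will then perform the following operation: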

$$R(\bar{C}_{\bar{R}_i}) \bmod q$$

and check the result. The cloud found the desired encrypted report if the result of the above operation is 0. The searching operation results on all encrypted reports are shown below:

$$R(\bar{C}_{\bar{R}_1}) \bmod q = 217140$$

$$R(\bar{C}_{\bar{R}_2}) \bmod q = 515060$$

$$R(\bar{C}_{\bar{R}_3}) \bmod q = 0$$

$$R(\bar{C}_{\bar{R}_4}) \bmod q = 351640$$

$$R(\bar{C}_{\bar{R}_5}) \bmod q = 264360$$

Therefore, $R(\bar{C}_{\bar{R}_3}) \bmod q = 0$ indicates to the cloud that the desired report was found without the cloud knowing the content of the object being searched.


6.5.1 Further mathematical explanations

Given any multivector $\bar{A}$, the 0-blade reduction, here just referred to as the Rationalize, of $\bar{A}$ is given by:

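$$R(\bar{A}) = \left(\bar{A}\,\overline{\bar{A}}\right)\left(\bar{A}\,\overline{\bar{A}}\right)^{\dagger} = \bar{A}\,\overline{\bar{A}}\,\overline{\bar{A}}^{\dagger}\bar{A}^{\dagger}$$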

By using some involution properties, the following is true:

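$$\overline{\bar{A}\bar{B}} = \overline{\bar{B}}\;\overline{\bar{A}}$$

and also

$$\left(\bar{A}\bar{B}\right)^{\dagger} = \bar{B}^{\dagger}\bar{A}^{\dagger}$$

Given a ciphertext $\bar{C}$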

$$\bar{C} = \bar{S}_1\bar{A}\bar{S}_2$$

the Rationalize of C¯ can be calculated as follows:

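$$R(\bar{C}) = \left(\bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_1\bar{A}\bar{S}_2}\right)\left(\bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_1\bar{A}\bar{S}_2}\right)^{\dagger}$$

By applying the properties discussed in the previous equations, let $\bar{P} = \bar{S}_1\bar{A}$ so we can expand the previous equation as: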

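$$R(\bar{C}) = \left(\bar{P}\bar{S}_2\,\overline{\bar{P}\bar{S}_2}\right)\left(\bar{P}\bar{S}_2\,\overline{\bar{P}\bar{S}_2}\right)^{\dagger}$$

$$= \left(\bar{P}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{P}}\right)\left(\bar{P}\bar{S}_2\,\overline{\bar{P}\bar{S}_2}\right)^{\dagger}$$

$$= \bar{P}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{P}}\left(\overline{\bar{S}_2}\;\overline{\bar{P}}\right)^{\dagger}\bar{S}_2^{\dagger}\bar{P}^{\dagger}$$

$$= \bar{P}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{P}}\left(\overline{\bar{P}}^{\dagger}\,\overline{\bar{S}_2}^{\dagger}\right)\bar{S}_2^{\dagger}\bar{P}^{\dagger}$$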

By replacing P¯ by S¯1A¯, the following applies:

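$$R(\bar{C}) = \bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\left(\bar{S}_1\bar{A}\right)}\;\overline{\left(\bar{S}_1\bar{A}\right)}^{\dagger}\,\overline{\bar{S}_2}^{\dagger}\bar{S}_2^{\dagger}\left(\bar{S}_1\bar{A}\right)^{\dagger}$$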


which can be rearranged to

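$$R(\bar{C}) = \bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{A}}\;\overline{\bar{S}_1}\left(\overline{\bar{A}}\;\overline{\bar{S}_1}\right)^{\dagger}\overline{\bar{S}_2}^{\dagger}\bar{S}_2^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

$$= \bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{A}}\;\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\,\overline{\bar{A}}^{\dagger}\,\overline{\bar{S}_2}^{\dagger}\bar{S}_2^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

$$= \bar{S}_1\bar{A}\bar{S}_2\,\overline{\bar{S}_2}\;\overline{\bar{A}}\;\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\,\overline{\bar{A}}^{\dagger}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

Notice that $\bar{S}_2\overline{\bar{S}_2}$ and $\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}$ result in a complex-like number, and therefore they commute. Thus we can rearrange the equation above as follows: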

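$$R(\bar{C}) = \bar{S}_1\bar{A}\,\overline{\bar{A}}\,\bar{S}_2\overline{\bar{S}_2}\;\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\,\overline{\bar{A}}^{\dagger}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

Now, $\bar{A}\,\overline{\bar{A}}$ also results in a complex-like number. Keeping this property in mind, the rearrangement continues.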

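$$R(\bar{C}) = \bar{S}_1\bar{A}\,\overline{\bar{A}}\,\bar{S}_2\overline{\bar{S}_2}\;\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\,\overline{\bar{A}}^{\dagger}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

$$= \bar{S}_1\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\bar{A}\,\overline{\bar{A}}\;\overline{\bar{A}}^{\dagger}\bar{S}_2\overline{\bar{S}_2}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}$$

$$= \bar{S}_1\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\bar{A}\,\overline{\bar{A}}\;\overline{\bar{A}}^{\dagger}\bar{S}_2\overline{\bar{S}_2}\,\bar{A}^{\dagger}\bar{S}_1^{\dagger}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}$$

$$= \bar{S}_1\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\bar{A}\,\overline{\bar{A}}\;\overline{\bar{A}}^{\dagger}\bar{A}^{\dagger}\bar{S}_1^{\dagger}\bar{S}_2\overline{\bar{S}_2}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}$$

Since $R(\bar{A}) = \bar{A}\,\overline{\bar{A}}\;\overline{\bar{A}}^{\dagger}\bar{A}^{\dagger}$ and $R(\bar{S}_2) = \bar{S}_2\overline{\bar{S}_2}\left(\bar{S}_2\overline{\bar{S}_2}\right)^{\dagger}$, the equation can be rearranged once again as follows:

$$R(\bar{C}) = \bar{S}_1\overline{\bar{S}_1}\;\overline{\bar{S}_1}^{\dagger}\bar{S}_1^{\dagger}\,R(\bar{A})\,R(\bar{S}_2)$$

And finally the multiplicative homomorphic relationship between the Rationalize of the ciphertext and the plaintext is clearly denoted as follows: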

$$R(\bar{C}) = R(\bar{S}_1)\,R(\bar{A})\,R(\bar{S}_2)$$

6.6 Homomorphic Numeric Sorting

For demonstrating homomorphic sorting operations with EDCHE it is considered a finite set of scalars $S = \{s_1, s_2, \ldots, s_k\}$ for any positive $k$ number of elements, a multivector packing function $p(x)$ that when applied to each scalar in $S$, generates the set of multivectors $M = \{\bar{M}_1, \bar{M}_2, \ldots, \bar{M}_k\}$, an encryption function $\epsilon(x)$ that when applied to each multivector in $M$ generates the set of ciphertext multivectors $C = \{\bar{C}_1, \bar{C}_2, \ldots, \bar{C}_k\}$, and a sorting function $f(x)$ that arranges elements in an ascending or descending order according to the magnitude of the scalar being used or represented. A multivector packing scheme is valid for homomorphic sorting if when applied to the set of scalars $S$, the following relationship holds:

$$f(S) \equiv f(M) \equiv f(C)$$

which means that the sorting function applied on a finite set of scalars $S$ is isomorphic to the same sorting function applied to the corresponding set of multivectors $M$ and is also isomorphic to the same sorting function applied to the corresponding set of ciphertext multivectors $C$. The above relationship can also be expressed as:

$$f(S) \equiv f(\epsilon(p(S)))$$

or

$$s_1 \le s_2 \le \ldots \le s_k \equiv f(s_1, s_2, \ldots, s_k) \equiv f(\epsilon(p(s_1, s_2, \ldots, s_k)))$$

6.6.1 Packing Scheme for Sorting

For these relationships to hold, a more restrictive scheme for multivector message packing is required. Consider a 3D multivector M¯ that has the following unit vectors:

$$\bar{M} = m_0\bar{e}_0 + m_1\bar{e}_1 + m_2\bar{e}_2 + m_3\bar{e}_3 + m_{12}\bar{e}_{12} + m_{13}\bar{e}_{13} + m_{23}\bar{e}_{23} + m_{123}\bar{e}_{123}$$

It has been shown above that when a scalar value is represented as a multivector, the homomorphic properties under geometric algebra are preserved when the sum of the coefficients equals the scalar value. More specifically, let the coefficients in $\bar{M}$ be represented as a sequence/list of coefficients $c_i$ where $i$ goes from 0 to $2^n - 1$, where $n$ is the dimension of the multivector. For 3D, there are $2^3 = 8$ coefficients, whose indices go from 0 to 7. The total value of a multivector as the sum of its coefficients can be represented by:

$$s(\bar{M}) = \sum_{i=0}^{2^n-1} m_i$$

where $s(x)$ is the function that returns the sum of the coefficients of a given multivector. Consider the scalars $a$, $b$ and $c$, and the multivectors from these scalars, $\bar{A}$, $\bar{B}$ and $\bar{C}$, such that the following is true:

$$a = s(\bar{A})$$

$$b = s(\bar{B})$$

$$c = s(\bar{C})$$

so if a

¯ ¯ ¯ s CA¯

1. $s(\bar{M}) = m$, which means that the sum of the coefficients of a multivector must be equal to the scalar it represents;

2. For any multivector M¯ , m0e¯0 must be greater than any other mie¯i;

3. Given any sequence of multivectors, say A¯, B¯, the following must be true:

if $a < b$ then $a_0\bar{e}_0 < b_0\bar{e}_0$

if $a > b$ then $a_0\bar{e}_0 > b_0\bar{e}_0$

if $a = b$ then $a_0\bar{e}_0 = b_0\bar{e}_0$

One packing scheme that conforms to these constraints is as follows. Given that $n$ identifies the multivector dimension and $s$ a scalar to be represented, the packing scheme is defined as follows:

$$\text{scalar} = \left\lfloor \frac{s}{2^n} \right\rfloor + (s \bmod 2^n)$$

$$\text{vector, bivector, trivector} = \left\lfloor \frac{s}{2^n} \right\rfloor$$


This packing technique is termed “Modular Packing”. Although this particular packing scheme generates a multivector with coefficients of equal values for vector, bivector and trivector parts, those coefficients do not need to be the same but must add, together with the scalar, to the number being represented by the multivector.

Let $n_1 = 89$, $n_2 = 123$, and $n_3 = 553$. Using the Modular Packing scheme, the multivector representations of these scalars are:

N¯1 = 12e¯0 + 11e¯1 + 11e¯2 + 11e¯3 + 11e¯12 + 11e¯13 + 11e¯23 + 11e¯123

N¯2 = 18e¯0 + 15e¯1 + 15e¯2 + 15e¯3 + 15e¯12 + 15e¯13 + 15e¯23 + 15e¯123

N¯3 = 70e¯0 + 69e¯1 + 69e¯2 + 69e¯3 + 69e¯12 + 69e¯13 + 69e¯23 + 69e¯123

Given the following secret key multivectors:

S¯1 = 10e¯0 +4e¯1 +4e¯2 +4e¯3 +4e¯12 +4e¯13 +4e¯23 +4e¯123

S¯2 = 13e¯0 +8e¯1 +8e¯2 +8e¯3 +8e¯12 +8e¯13 +8e¯23 +8e¯123

and applying the triple product encryption primitive, the following ciphertexts are generated:

$$\bar{C}_{\bar{N}_1} = \bar{S}_1\bar{N}_1\bar{S}_2$$

$$\bar{C}_{\bar{N}_2} = \bar{S}_1\bar{N}_2\bar{S}_2$$

$$\bar{C}_{\bar{N}_3} = \bar{S}_1\bar{N}_3\bar{S}_2$$

which gives

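$$\bar{C}_{\bar{N}_1} = -2388\bar{e}_0 - 2418\bar{e}_1 + 6334\bar{e}_2 - 2418\bar{e}_3 + 6334\bar{e}_{12} - 2418\bar{e}_{13} + 6334\bar{e}_{23} + 6334\bar{e}_{123}$$

$$\bar{C}_{\bar{N}_2} = -3096\bar{e}_0 - 3186\bar{e}_1 + 8958\bar{e}_2 - 3186\bar{e}_3 + 8958\bar{e}_{12} - 3186\bar{e}_{13} + 8958\bar{e}_{23} + 8958\bar{e}_{123}$$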


$$\bar{C}_{\bar{N}_3} = -15496\bar{e}_0 - 15526\bar{e}_1 + 38698\bar{e}_2 - 15526\bar{e}_3 + 38698\bar{e}_{12} - 15526\bar{e}_{13} + 38698\bar{e}_{23} + 38698\bar{e}_{123}$$

The base 10 representations (given by summing all coefficients together) of the above multivectors are:

$$s(\bar{C}_{\bar{N}_1}) = 15694$$

$$s(\bar{C}_{\bar{N}_2}) = 23178$$

$$s(\bar{C}_{\bar{N}_3}) = 92718$$

where it is clear that $s(\bar{C}_{\bar{N}_1})$

n1

This relationship between the magnitude of the original scalars and the sum of the coefficients of the encrypted multivector allows homomorphic sorting operations on encrypted data.
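The search of Section 6.5 and the numeric sort of Section 6.6 can be replayed end to end with a small integer implementation of the 3D geometric product. This is an added example, not code from the thesis: it assumes that the overbar involution in the Rationalize is Clifford conjugation and that the dagger is the reverse (assumptions that reproduce the values printed above), and all function names are hypothetical.

```python
# Added illustration (not the thesis's code): Cl(3,0) multivectors as 8 integers
# in the page's coefficient order e0, e1, e2, e3, e12, e13, e23, e123.
ORDER = (0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111)  # bit i = e_(i+1)
CONJ_SIGN = {0: 1, 1: -1, 2: -1, 3: 1}  # Clifford conjugation (assumed overbar)
REV_SIGN = {0: 1, 1: 1, 2: -1, 3: -1}   # reverse (assumed dagger)


def _sign(a, b):
    """Sign picked up when the blade product a*b is put in canonical order."""
    swaps, a = 0, a >> 1
    while a:
        swaps += bin(a & b).count("1")
        a >>= 1
    return -1 if swaps & 1 else 1


def gp(x, y):
    """Geometric product of two multivectors (Euclidean metric, e_i e_i = +1)."""
    out = {m: 0 for m in ORDER}
    for ma, ca in zip(ORDER, x):
        for mb, cb in zip(ORDER, y):
            out[ma ^ mb] += _sign(ma, mb) * ca * cb
    return tuple(out[m] for m in ORDER)


def _involute(x, signs):
    """Apply a grade-dependent sign to every coefficient."""
    return tuple(signs[bin(m).count("1")] * c for m, c in zip(ORDER, x))


def rationalize(x):
    """R(X) = (X conj(X)) (X conj(X))^dagger, a pure scalar in 3D."""
    z = gp(x, _involute(x, CONJ_SIGN))
    r = gp(z, _involute(z, REV_SIGN))
    assert not any(r[1:]), "0-blade reduction left non-scalar parts"
    return r[0]


def encrypt(s1, m, s2):
    """Triple product primitive C = S1 M S2."""
    return gp(gp(s1, m), s2)


def modular_pack(s, n=3):
    """Modular Packing: floor(s / 2^n) in every slot, remainder added to e0."""
    q, r = divmod(s, 2 ** n)
    return (q + r,) + (q,) * (2 ** n - 1)


def search(q, encrypted_reports):
    """Cloud-side test: 1-based indices i with R(C_i) mod q == 0."""
    return [i for i, c in enumerate(encrypted_reports, 1)
            if rationalize(c) % q == 0]


def sort_encrypted(ciphertexts):
    """Cloud-side sort: positions ordered by the sum of ciphertext coefficients."""
    return sorted(range(len(ciphertexts)), key=lambda i: sum(ciphertexts[i]))


# Keys and reports copied from Section 6.5; K1, K2 are the Section 6.6 keys.
S1 = (201, -180, 234, -218, 227, -211, 150, -134)
S2 = (184, -157, 147, -125, 253, -231, 150, -128)
REPORTS = [
    (10, -2, 9, -1, 11, -3, 10, -2),
    (13, -1, 10, 0, 12, -2, 10, 0),
    (23, -7, 21, -9, 20, -8, 20, -8),
    (24, -4, 21, -7, 21, -7, 16, -2),
    (19, -1, 19, -1, 21, -3, 20, -2),
]
K1 = (10, 4, 4, 4, 4, 4, 4, 4)
K2 = (13, 8, 8, 8, 8, 8, 8, 8)

if __name__ == "__main__":
    enc = [encrypt(S1, r, S2) for r in REPORTS]
    q = rationalize(REPORTS[2])
    print("q =", q, "matching reports:", search(q, enc))
    cts = [encrypt(K1, modular_pack(n), K2) for n in (553, 89, 123)]
    print("coefficient sums:", [sum(c) for c in cts])
    print("ascending order of positions:", sort_encrypted(cts))
```

Because the cloud's test is a divisibility check on the product $R(\bar{S}_1)R(\bar{R}_i)R(\bar{S}_2)$, it reports every stored item for which that product is a multiple of $q$; for this data set that is report 3 only.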

6.7 Homomorphic Alphanumeric Sort

6.7.1 The basics

In order to perform an alphanumeric sorting, both in unencrypted and encrypted data, it is necessary to convert the alphanumeric data into numbers and from numbers into blocks. So before going into the details of the sorting itself, the block management is explained next. Each symbol of the alphabet, including numbers, treated as character strings, has an equivalent code in the ASCII table. As an example, the word "Amanda" in ASCII code is given by:

$$\underbrace{\text{A}}_{65}\ \underbrace{\text{m}}_{109}\ \underbrace{\text{a}}_{97}\ \underbrace{\text{n}}_{110}\ \underbrace{\text{d}}_{100}\ \underbrace{\text{a}}_{97}$$

Thus, any alphanumeric data can be represented as numbers. There can be a straight conversion between alphanumeric data and blocks or there can be a conversion between numbers and blocks. Each context and need will determine which one will be the best approach. A number $B$ can be represented by a list of blocks of 8 bits ($2^8 = 256$):

$$B_{blocks} = [b_0, b_1, b_2, \ldots, b_i]$$

Given $B_{blocks}$, we know the value of $s$, which is the size of the $B_{blocks}$ list.

Given that $n$ starts at 0, from $B_{blocks}$ it is possible to calculate the original value of $B$ by updating $n$, as follows:

$$n = \sum_{i=0}^{s-1} n \cdot 256 + b_i$$

Example: $B = 32546543$

$B_{blocks}$ is obtained by splitting the binary sequence in blocks of 8 bits, from the least significant bit (LSB) to the most significant bit (MSB):

$$B_{blocks} = \underbrace{1}_{1}\ \underbrace{11110000}_{240}\ \underbrace{10011110}_{158}\ \underbrace{11101111}_{239}$$

So $B_{blocks}$ can also be written as:

$$B_{blocks} = [\underbrace{1}_{b_0}, \underbrace{240}_{b_1}, \underbrace{158}_{b_2}, \underbrace{239}_{b_3}]$$

$$s = |B_{blocks}| = 4$$

Now, in order to recover $B$ from $B_{blocks}$, the following equation applies:

$$n = \sum_{i=0}^{s-1} n \cdot 256 + b_i$$

which step by step is calculated as follows:

Step 1: $n = 0$

$$n = n \cdot 256 + b_0 = 0 \cdot 256 + 1 = 1$$

Step 2: $n = 1$

$$n = n \cdot 256 + b_1 = 1 \cdot 256 + 240 = 496$$

Step 3: $n = 496$

$$n = n \cdot 256 + b_2 = 496 \cdot 256 + 158 = 127134$$

Step 4: $n = 127134$

$$n = n \cdot 256 + b_3 = 127134 \cdot 256 + 239 = 32546543$$

6.7.2 Alphanumeric sort

Given the following names:

names = Amanda, Carl, Bob, Barbara

These names are different in size. If converted to numbers, the result is:

numbers = 71938041865313, 1130459756, 4353890, 18684492367622753

So clearly we cannot use their magnitudes to apply a sort, since "Bob" has the smallest number but it should come before "Carl" in an ascending sorted list. To solve this problem, all we need to do is to convert the alphanumeric data to blocks. It doesn't matter if the alphanumeric data is converted to blocks or the numbers are converted to blocks. The result will be the same:

Amanda = [65, 109, 97, 110, 100, 97]

Carl = [67, 97, 114, 108]

Bob = [66, 111, 98]

Barbara = [66, 97, 114, 98, 97, 114, 97]


The sizes of the lists of blocks are different for each name. So we will get the size of the smallest list and limit the other lists to this size. The smallest list of blocks is Bob, with size = 3. The blocks now will look like:

Amanda = [65, 109, 97]

Carl = [67, 97, 114]

Bob = [66, 111, 98]

Barbara = [66, 97, 114]

Now, the following equation will give the corresponding number for each new block:

$$n = \sum_{i=0}^{s-1} n \cdot 256 + b_i$$

which will produce:

$\text{Amanda}_{10} = 4287841$

$\text{Carl}_{10} = 4415858$

$\text{Bob}_{10} = 4353890$

$\text{Barbara}_{10} = 4350322$

Now we can sort the values and we will find the correct sorting for the given names:

sortedlist =[Amanda, Barbara, Bob, Carl]


The very same approach is used on the encrypted data and it works the same way.
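The block conversion and the truncate-then-sort procedure of Section 6.7, as an added Python example that is not part of the thesis. The function names are hypothetical, and the name "Bobby" is a constructed input used to show what truncation to the shortest list does to names that share the kept prefix.

```python
# Added illustration of Section 6.7 (plaintext side only).

def to_blocks(number):
    """Split a non-negative integer into 8-bit blocks, most significant first."""
    blocks = []
    while True:
        blocks.append(number % 256)
        number //= 256
        if number == 0:
            return blocks[::-1]


def from_blocks(blocks):
    """Recover the number with the page's update n = n * 256 + b_i."""
    n = 0
    for b in blocks:
        n = n * 256 + b
    return n


def sort_keys(names):
    """Truncate each name's ASCII blocks to the shortest length and renumber."""
    blocks = {name: list(name.encode("ascii")) for name in names}
    size = min(len(b) for b in blocks.values())
    return {name: from_blocks(b[:size]) for name, b in blocks.items()}


def alphanumeric_sort(names):
    """Return (sorted names, groups of names whose truncated keys collide)."""
    keys = sort_keys(names)
    ordered = sorted(names, key=keys.__getitem__)
    groups = {}
    for name in ordered:
        groups.setdefault(keys[name], []).append(name)
    ties = [group for group in groups.values() if len(group) > 1]
    return ordered, ties


NAMES = ["Amanda", "Carl", "Bob", "Barbara"]   # names from the page
WITH_PREFIX_CLASH = NAMES + ["Bobby"]          # constructed extra input

if __name__ == "__main__":
    print(to_blocks(32546543))                 # blocks of the worked example
    print(sort_keys(NAMES))
    print(alphanumeric_sort(NAMES))
    print(alphanumeric_sort(WITH_PREFIX_CLASH))
```

Names that agree on the first `size` characters receive the same key, so their relative order is not decided by this comparison; the second return value lists such groups.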

6.8 Conclusions

Rivest et al initiated the discussion on the meaning of encrypted data [25]. With the evolution of society and its needs, keeping private information secure was not enough. Decrypting secure information in order to perform computation was not the preferred idea. The solution would be an encryption scheme that allowed computation on the encrypted data. In this chapter it was shown how additive, scalar multiplicative and multiplicative homomorphism is achieved with EDCHE. For the additive homomorphic example, an owner of an online store encrypts and stores information about products in the cloud. When some products are selected, the owner wants to know the total amount of that selection, which is the sum of the value of each product. Under the selection of the encrypted products, when decrypted, the owner will have access to the sum of the products. For the scalar multiplicative example, Alice has an investment that is encrypted and sent to the cloud. Given a public interest rate, after one month Alice requests the amount earned within the period. When Alice decrypts the information, she obtains exactly how much she earned with the interest rate applied on the original investment. For the multiplicative homomorphism, in addition to other multiplication techniques, such as the multiplication using the Cartesian product and the edge product, a multiplication using the geometric product is discussed by packing the input multivectors as complex-like numbers. In addition to the fundamental mathematical operations, special applications are introduced, such as homomorphic search (via the versatility of the Rationalize) and numeric and alphanumeric sorting. These FHE resources can be incorporated either combined or in isolation, providing a variety of possible computations on encrypted data.

CHAPTER 7

AES Overall Comparison with EDCHE

7.1 Introduction

The Advanced Encryption Standard, AES, is the result of an open selection process announced by the US National Institute of Standards and Technology (NIST) in 1997. The goal was to replace the old Data Encryption Standard (DES), becoming a Federal Information Processing Standard (FIPS). Anyone could submit solutions for this problem, as a candidate cipher. NIST invited the cryptology community to attack and try many cryptanalytic procedures on the different candidates. Results of these attacks were to be made public either on the NIST AES website or as presentations at AES conferences. Among the minimum functional requirements for symmetric block ciphers was the capability of supporting block lengths of 128 bits and key lengths of 128, 192 and 256 bits. The original goal announced by NIST was to find a block cipher as secure as the triple DES, but much more efficient. It was also required for all candidates to make their ciphers available on a worldwide royalty-free basis, if selected as the AES. For any candidate to be qualified as an official AES candidate, designers were required to provide:

1. A complete written specification of the block cipher in the form of an algorithm.

2. A reference implementation in ANSI C, and mathematically optimized implementations in ANSI C and Java.

3. Implementations of a series of known-answer and Monte Carlo tests, as well as the expected outputs of these tests for a correct implementation of their block cipher.

4. Statements concerning the estimated computational efficiency in both hardware and software, the expected strength against cryptanalytic attacks, and the advantages and limitations of the cipher in various applications.

5. An analysis of the cipher’s strength against known cryptanalytic attacks.

It was in October, 2000, that NIST officially announced that Rijndael, a candidate cipher developed by Joan Daemen and Vincent Rijmen, without modifications, became the AES. For more details about the process, each step, candidates and finalists, refer to [9]. During the AES process, Rijndael was particularly attractive given its efficiencies and its cryptographic properties. Rijndael is known as a substitution-permutation network, an extension of the wide-trail design philosophy from Daemen's Ph.D. work. After the cryptanalytic attacks, the design was considered secure against linear and differential cryptanalysis. It is worth mentioning that these were exactly the kinds of attacks that broke DES. Additionally, Rijndael was considered to have very good statistical properties and out of the five finalists of the AES process, it was the only candidate that could prove such claims [35]. The goal of this Chapter is not to cover AES in detail. That would be the focus of a research on symmetric encryption schemes and/or a survey on the current standard. Instead, given this work is focused on an extrinsic symmetric encryption scheme that is intrinsically fully homomorphic, this Chapter aims to highlight the basics of the mathematics that empowers AES, so the reader can briefly identify the main differences in the mathematical structures behind AES and EDCHE.

7.2 Block Ciphers

The term block ciphers was placed mainly to distinguish algorithms from the normal stream cipher, which was the type of cipher used before block ciphers. In a stream cipher, the computation step is the encryption of a single symbol at a time, which generates a stream of ciphers [18]. Recall that a cipher is a method to conceal the meaning of a given message. The difference between block ciphers and stream ciphers is that block ciphers encode a grouping of symbols in one step and the mapping from the plaintext to the ciphertext is fixed for a given secret key. In this raw setting, the same plaintext encrypted with the same secret key will always map to the same ciphertext. If a 128-bit cipher is used, longer messages are encoded by invoking the cipher multiple times, which is also called a chaining mode operation. This happens in order to guarantee the privacy of the message [35].


Block ciphers aim to transform plaintext blocks of a fixed length into ciphertext blocks of the same length $n_b$ (the size of the binary string that represents a number $n$), using a cipher key $k$. In terms of its functionalities, a block cipher is a set of Boolean permutations operating on $n_b$-bit vectors. For each value of the cipher key $k$ in the set, there is a Boolean permutation. If the number of bits in the cipher key is denoted by $n_k$, a block cipher consists of $2^{n_k}$ Boolean permutations. Encryption is the name of the operation that transforms a plaintext block into a ciphertext block and the reverse procedure is called decryption. For that reason, block ciphers are often referred to as encryption algorithms. The permutations performed by these algorithms are relatively simple. There are at least two requirements for block ciphers:

1. Efficiency: given the value of the cipher key, applying the corresponding Boolean permutation, or its inverse, is efficient, preferably on a wide range of platforms.

2. Security: it must be impossible to exploit knowledge of the internal structure of the cipher in cryptographic attacks.

Block ciphers usually satisfy these requirements by iteratively applying Boolean permutations that have relatively simple descriptions [9].

Figure 7.1: Block Cipher Diagram


7.3 Overview of AES Design

The AES block cipher accepts a 128-bit plaintext, producing a 128-bit ciphertext under the control of a secret key that can be of size 128, 192 or 256 bits. AES is a Substitution-Permutation Network design. Each single collection of steps is called a round, which can be repeated many times, depending on the key length, in order to properly map the plaintext to the ciphertext. Each round of AES consists of four steps, as described below:

1. SubBytes

2. ShiftRows

3. MixColumns

4. AddRoundKey

In each round, a different 128-bit round key will be used, which is derived from the original secret key. This process is called key schedule. The schedule is responsible for distributing the entropy of the key across each of the round keys. If this distribution is not performed correctly, attacks would be possible on the keys. AES sees the 128-bit input as a vector containing 16 bytes which are organized in a 4x4 matrix called the state, as shown in the diagram below:

Figure 7.2: AES State Diagram

So, as an overview, the entire AES cipher consists of:


1. AddRoundKey(round=0)

2. for round = 1 to Nr-1 do

(a) SubBytes

(b) ShiftRows

(c) MixColumns

(d) AddRoundKey(round)

3. SubBytes

4. ShiftRows

5. AddRoundKey(Nr)

AddRoundKey consists of adding the round key to the state by performing 16 parallel additions (using the XOR operation) of key material to state material. The SubBytes step is responsible for performing a nonlinear confusion by mapping each of the 16 bytes in parallel to a new byte. ShiftRows cyclically and linearly shifts each row of the state to the left by 0, 1, 2, and 3 positions. MixColumns multiplies each column of the state by a 4x4 matrix called Maximum Distance Separable (MDS). The goal of MixColumns is to spread differences and make the outputs linearly dependent upon other inputs, so if a single input byte changes between two plaintexts, the change will spread to other bytes of the state [35].

7.4 Mathematical Concepts and Terminology Used in AES

AES makes use of mathematical resources such as Groups, Rings, and Fields. This section briefly discusses the basics of each one in order to allow a better mathematical understanding of how AES operates. For more details and examples refer to [9].

7.4.1 Group

An Abelian group $\langle G, + \rangle$ consists of a set $G$ and an operation defined on its elements, here denoted by '+' such that:

$$+ : G \times G \to G : (a, b) \mapsto a + b$$


For qualifying as an Abelian group, the operation has to fulfill the following conditions:

closed: $\forall a, b \in G : (a + b) \in G$

associative: $\forall a, b, c \in G : (a + b) + c = a + (b + c)$

commutative: $\forall a, b \in G : a + b = b + a$

neutral element: $\exists\, 0 \in G, \forall a \in G : a + 0 = a$

inverse element: $\forall a \in G, \exists\, b \in G : a + b = 0$

where the best-known example of an Abelian group is $\langle \mathbb{Z}, + \rangle$, the set of integers, with the addition operation. The structure $\langle \mathbb{Z}_n, + \rangle$ is the set containing the integer numbers 0 to $n - 1$ and the operation is called addition modulo $n$.

7.4.2 Ring

A ring $\langle R, +, \cdot \rangle$ consists of a set $R$ with two operations defined on its elements, which are denoted by '+' and '·'. For qualifying as a ring, the operations have to fulfill the following conditions:

1. The structure $\langle R, +, \cdot \rangle$ is an Abelian group.

2. The operation '·' is closed, and associative over $R$. There is a neutral element for '·' in $R$.

3. The two operations '+' and '·' are related by the law of distributivity:

$$\forall a, b, c \in R : (a + b) \cdot c = (a \cdot c) + (b \cdot c)$$

where the best-known example of a ring is $\langle \mathbb{Z}, +, \cdot \rangle$, the set of integers, with the addition and multiplication operations. This is a commutative ring.

7.4.3 Field

A structure $\langle F, +, \cdot \rangle$ is a field if the following two conditions are satisfied:

1. $\langle F, +, \cdot \rangle$ is a commutative ring.

2. For all elements of $F$, there is an inverse element in $F$ with respect to the operation '·', except for the element 0, the neutral element of $\langle F, +, \cdot \rangle$.

where the best-known example of a field is the set of real numbers, with addition and multiplication as the operations. Other examples are the set of complex numbers and the set of rational numbers, using the same operations. These examples of fields have an infinite number of elements.

7.4.4 Vector Spaces

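Let $\langle F, +, \cdot \rangle$ be a field with unit element 1 and let $\langle V, +, \cdot \rangle$ be an Abelian group. Let $\bigtriangledown$ be an operation on elements of $F$ and $V$:

$$\bigtriangledown : F \times V \to V$$

so the structure $\langle F, V, +, +, \cdot, \bigtriangledown \rangle$ is a vector space over $F$ if the following conditions are satisfied:

1. Distributivity:

$$\forall a \in F, \forall v, w \in V : a \bigtriangledown (v + w) = (a \bigtriangledown v) + (a \bigtriangledown w)$$

$$\forall a, b \in F, \forall v \in V : (a + b) \bigtriangledown v = (a \bigtriangledown v) + (b \bigtriangledown v)$$

2. Associativity: $\forall a, b \in F, \forall v \in V : (a \cdot b) \bigtriangledown v = a \bigtriangledown (b \bigtriangledown v)$

3. Neutral element: $\forall v \in V : 1 \bigtriangledown v = v$

The elements of $V$ are called vectors, and the elements of $F$ are the scalars. The operation + is called vector addition and $\bigtriangledown$ is the scalar multiplication.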


7.4.5 Finite Fields

A field with a finite number of elements is called a finite field. The order of the set is determined by the number of elements in the set. A field with order $m$ exists iff $m$ is a prime power, as $m = p^n$ for some integer $n$ and with $p$ a prime integer. $p$ is referred to as the characteristic of the finite field. In AES, all finite fields used have characteristic of 2. The symbol $\oplus$ always denotes the addition operation in a field with a characteristic of 2. When two fields have the same order they are said to be isomorphic. They possess the same algebraic structure differing only in the representation of the elements. For each prime power, there is exactly one finite field, denoted by $GF(p^n)$. The elements of a finite field $GF(p)$ can be represented by integers ranging from 0 to $p - 1$ and the two operations of the field are integer addition modulo $p$ and integer multiplication modulo $p$ [9]. The AES cipher can be fully specified as a series of scalar and vector operations on elements of the field $GF(2)$. AES makes use of the field $GF(2)$, which is the field of integers modulo 2. This extends to the field of polynomials, denoted as $GF(2^8)$, and also as a vector, denoted as $GF(2)^8$. For the smallest unit, AES works with 8-bit quantities, written as $GF(2^8)$, which is technically incorrect, as it should be written instead as $GF(2)[x]$ or $GF(2)^8$. This representation serves to indicate a vector of eight $GF(2)$ elements, which is the same as saying 8 bits. This representation is for the vector of eight bits as coefficients to a seventh degree polynomial where $\langle a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7 \rangle$ turns into the polynomial $p(x) = a_0x^0 + a_1x^1 + \ldots + a_7x^7$. In order to create a field it is required to use a polynomial that is not divisible by any lower degree polynomials [35].

7.4.6 Polynomials

A polynomial over a field F is expressed as follows:

$$b(x) = b_{n-1}x^{n-1} + b_{n-2}x^{n-2} + \ldots + b_2x^2 + b_1x + b_0$$

where $x$ is the indeterminate of the polynomial, and the $b_i \in F$ the coefficients. Polynomials here are considered abstract entities only, which means they are never evaluated, so the sum is never evaluated. For this reason, the symbol + is used in polynomials.


If $b_j = 0, \forall j > \ell$, then the degree of a polynomial equals $\ell$, and $\ell$ is the smallest number with this property. $F[x]$ is the set of polynomials over a field $F$ and $F[x]|_\ell$. In terms of computer memory, the polynomials in $F[x]|_\ell$ with $F$ a finite field can be stored efficiently by storing the $\ell$ coefficients as a string. The sum of polynomials consists of summing the coefficients with equal powers of $x$, where the summing of the coefficients occurs in the underlying field $F$:

c (x)=a (x)+b (x) c = a + b , 0 i

The special case of 0, which is the neutral element for the addition, is the polynomial with all coefficients equal to 0. In order to find the inverse element of a polynomial, it is necessary to replace each coefficient by its inverse element in F . The authors in [9] show the following example: Let F be the field GF(2). The sum of the polynomials denoted by 57 and 83 is the polynomial denoted by D4, since

$$\left(x^6 + x^4 + x^2 + x + 1\right) \oplus \left(x^7 + x + 1\right) = x^7 + x^6 + x^4 + x^2 + (1 \oplus 1)x + (1 \oplus 1) = x^7 + x^6 + x^4 + x^2$$

which in binary notation is written

$$01010111 \oplus 10000011 = 11010100$$

so it is clear that the addition can be implemented and expressed in terms of the bitwise XOR instruction. The multiplication of polynomials is associative, commutative and distributive with respect to addition of polynomials. The multiplication of two polynomials $a(x)$ and $b(x)$ is defined as the algebraic product of the polynomials modulo the polynomial $m(x)$ as follows:

$$c(x) = a(x) \cdot b(x) \Leftrightarrow c(x) \equiv a(x) \times b(x) \pmod{m(x)}$$

where the structure $\langle F[x]|_\ell, +, \cdot \rangle$ is a commutative ring [9].
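The byte arithmetic described in Sections 7.3 and 7.4.6 (addition as XOR, multiplication modulo $m(x)$, and one MixColumns column), as an added Python sketch that is not taken from the thesis or from [9]. The reduction polynomial 0x11B and the MixColumns matrix are the FIPS-197 values, which the page does not list; the function names and the sample column are chosen here.

```python
# Added illustration: arithmetic on bytes seen as polynomials over GF(2).
AES_MODULUS = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1 (FIPS-197, not on the page)


def gf_add(a, b):
    """Polynomial addition over GF(2): coefficient-wise XOR."""
    return a ^ b


def gf_mul(a, b, modulus=AES_MODULUS):
    """a(x) * b(x) mod m(x) by shift-and-add, reducing after every shift."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) the modulus
            a ^= modulus
        b >>= 1
    return result


def gf_inverse(a):
    """Multiplicative inverse as a^254; non-zero elements have order dividing 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


# MixColumns matrix from FIPS-197 (the MDS matrix the text refers to).
MDS = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))


def mix_column(column):
    """Multiply one 4-byte state column by the MDS matrix over GF(2^8)."""
    out = []
    for row in MDS:
        acc = 0
        for coeff, byte in zip(row, column):
            acc = gf_add(acc, gf_mul(coeff, byte))
        out.append(acc)
    return out


if __name__ == "__main__":
    print(hex(gf_add(0x57, 0x83)))            # the page's 57 + 83 example
    print(hex(gf_mul(0x57, 0x83)))            # same operands, multiplied mod m(x)
    print(hex(gf_inverse(0x53)))
    sample = [0xDB, 0x13, 0x53, 0x45]         # sample column chosen for this example
    print([hex(v) for v in mix_column(sample)])
    # With the reducible modulus x^8 + 1 two non-zero bytes multiply to zero,
    # so inverses cannot exist for every non-zero element.
    print(gf_mul(0x11, 0x11, modulus=0x101))
```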


7.5 Boolean Functions

GF(2) is the smallest finite field with order of 2. The only two elements in this field are 0 and 1. The integer addition and the integer multiplication are both modulo 2. So in this GF(2), any variables are called Boolean variables, or just bits. The exclusive or operation corresponds to the addition of 2 bits, which is denoted as XOR. Similarly, the multiplication of 2 bits corresponds to the Boolean operation AND. The operation that consists of changing the value of a bit is called the complementation. A vector with bits as coefficients is called a Boolean vector. Given two Boolean vectors $a$ and $b$ of the same dimension, the following operations apply:

1. Bitwise XOR: the result is a vector whose bits consist of the XOR of the corresponding bits of a and b.

2. Bitwise AND: the result is a vector whose bits consist of the AND of the corresponding bits of a and b.

A Boolean function is the function that maps a Boolean vector to another Boolean vector. Let $b = \phi(a)$. Thus

$$\phi : GF(2)^n \to GF(2)^m : a \mapsto b = \phi(a)$$

where $b$ is referred to as the output Boolean vector and $a$ the input Boolean vector.

7.6 Bundle Partitions, Transpositions and Bricklayer Func- tions

Given the bits of a state, the subsets that result from partitioning these bits are called bundles. Organizing the state bits in bundles allows the Boolean transformations operating on a state to be expressed in terms of these bundles rather than in terms of individual bits.


A Boolean permutation that only moves the positions of bits of the state without affecting their value is called a transposition. Consider the case of a transposition b = π(a) where

$$b_i = a_{p(i)}$$

and p(i) is a permutation over the index space. If a transposition changes the positions of the bundles while leaving the positions of the bits within the bundles intact, this transposition is called a bundle transposition, which is expressed as:

$$b_{(i,j)} = a_{(p(i),j)}$$

Figure 7.3: Example of Bundle Transposition

A function that can be decomposed into a number of Boolean functions operating independently on subsets of bits of the input vector is called a bricklayer function. These subsets form a partition of the bits of the input vector. Another way of understanding the bricklayer function is as the parallel application of a number of Boolean functions operating on smaller inputs. The non-linear functions are the S-boxes. The linear functions are the D-boxes, where D stands for diffusion. When the bricklayer function operates on a state it is called a bricklayer transformation. A bundle partition is defined when a bricklayer transformation operates on a number of subsets of the state independently. A bricklayer permutation is an invertible bricklayer transformation, and this requires that all of its S-boxes or D-boxes be permutations.


Given the bricklayer transformation b = φ(a), then

$$\left(b_{(i,1)}, b_{(i,2)}, \dots, b_{(i,m)}\right) = \phi_i\left(a_{(i,1)}, a_{(i,2)}, \dots, a_{(i,m)}\right)$$

If the bundles within a and b are represented by $a_i$ and $b_i$, respectively, the following applies:

$$b_i = \phi_i(a_i)$$

Figure 7.4: Example of Bricklayer Transformation

A sequence of Boolean transformations can be applied in order to transform iteratively a Boolean vector. This sequence is called an iterative Boolean transformation. For the case where each individual Boolean transformation is denoted by $p^{(i)}$, an iterative Boolean transformation is of the form:

$$\beta = p^{(r)} \circ \dots \circ p^{(2)} \circ p^{(1)}$$

For the case where $b = \beta(d)$ and $d = a^{(0)}$, $b = a^{(m)}$ and $a^{(i)} = p^{(i)}\left(a^{(i-1)}\right)$, the value of $a^{(i)}$ is called the intermediate state. So when an iterative Boolean transformation is a sequence of Boolean permutations, it is an iterative Boolean permutation [9].


Figure 7.5: Iterative Boolean Transformation
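The definitions of this section put together, as an added Python example (not code from the thesis or from [9]): a state of 4-bit bundles goes through rounds made of a bricklayer transformation followed by a bundle transposition, every intermediate state is kept, and the inverse succeeds only when every box is a permutation. The sample boxes, the state, the permutation and all names are assumptions chosen for illustration.

```python
"""Bundle transposition, bricklayer and iterative transformations (added illustration)."""

# Sample 4-bit permutation used as an S-box, chosen only for illustration.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_B = SBOX[::-1]                       # second permutation, so the phi_i differ
LOSSY_BOX = [x & 0xE for x in range(16)]  # NOT a permutation: inputs collide in pairs

STATE = [0x3, 0xA, 0x0, 0xF]              # constructed state: four 4-bit bundles
P = [2, 0, 3, 1]                          # constructed index permutation p(i)
ROUNDS = [([SBOX, SBOX_B, SBOX, SBOX_B], P)] * 3


def bundle_transposition(state, p):
    """b_i = a_{p(i)}: whole bundles move, bits inside a bundle stay put."""
    return [state[p[i]] for i in range(len(state))]


def invert_permutation(p):
    """Return q with q[p[i]] = i, so transposing by q undoes transposing by p."""
    q = [0] * len(p)
    for i, src in enumerate(p):
        q[src] = i
    return q


def bricklayer(state, boxes):
    """b_i = phi_i(a_i): one lookup table per bundle, applied independently."""
    return [box[bundle] for box, bundle in zip(boxes, state)]


def invert_table(box):
    """Invert one box; fails if the box is not a permutation."""
    if sorted(box) != list(range(len(box))):
        raise ValueError("box is not a permutation: bricklayer is not invertible")
    inverse = [0] * len(box)
    for x, y in enumerate(box):
        inverse[y] = x
    return inverse


def iterate(state, rounds):
    """Apply the rounds in order; return all states a^(0) ... a^(r)."""
    states = [list(state)]
    for boxes, p in rounds:
        states.append(bundle_transposition(bricklayer(states[-1], boxes), p))
    return states


def iterate_inverse(state, rounds):
    """Undo the rounds in reverse order, each step inverted."""
    for boxes, p in reversed(rounds):
        state = bundle_transposition(state, invert_permutation(p))
        state = bricklayer(state, [invert_table(box) for box in boxes])
    return state


def changed_bundles(a, b):
    """Indices of the bundles in which two states differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    states = iterate(STATE, ROUNDS)
    for i, s in enumerate(states):
        print(f"a^({i}) =", [f"{bundle:X}" for bundle in s])
    print("recovered:", iterate_inverse(states[-1], ROUNDS) == STATE)
    try:
        invert_table(LOSSY_BOX)
    except ValueError as err:
        print("lossy box rejected:", err)
```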

7.7 Overall Differences Between AES and EDCHE

After a brief overview of the mathematics that empowers AES, as well as the approach of its structures and algorithms, it is possible to identify some of the fundamental differences between AES and EDCHE. It is worth mentioning that this is not an extensive and all-inclusive list of differences between both approaches and/or mathematics; instead, it highlights the most significant differences between the two symmetric encryption schemes, which are summarized in the table below:


| AES | EDCHE |
|---|---|
| Operates on the finite field GF(2). | Operates on the infinite field of Real numbers. |
| Operations transform bits. | Operations transform special objects called multivectors and their coefficients of Real numbers. |
| Does not allow any operation other than the ones provided by GF(2). | Allows the expansion, combination, and the introduction of operations on other fields and spaces, such as complex numbers and their complex operations and spaces. |
| It is not homomorphic. | It is fully homomorphic. |
| It is a full encryption suite in the form of a final product. | It is a mathematical framework that can be used to produce suites and cryptographic products. |
| It is a recognized and consolidated standard for symmetric encryption. | It is under development. |
| It is mainly a block cipher, with the ability of encrypting arbitrary data by using some of the available modes of operation. | It is mainly an arbitrary size cipher, with the ability of creating a block cipher capability. |
| Ciphertext size is equal to plaintext size (considering that large messages will always be organized as blocks of fixed length). | Ciphertext size is currently larger than the plaintext. |

Table 7.1: Main Differences Between AES and EDCHE


Those are certainly not the only differences. At the same time, the mathematics of AES has some similarities with that of EDCHE. However, further details go beyond the scope of this overview.

7.8 Performance Analysis

As already discussed, AES operates on GF(2), which is a finite field of order 2. The size of the ciphertext will always be limited by this finite field, which allows AES to generate ciphertext of fixed sizes. In this work, no size limiter is discussed for EDCHE. There are some possibilities, discussed in the form of future work. However, in the examples that will be shared in this section, there are no size constraints. EDCHE operates on the Real numbers field, which is an infinite field. The size of the ciphertext currently grows arbitrarily, depending on the size of the message to be encrypted.

Given the size of the keys in bits as $b_k$ and the size of the message in bits as $b_m$, the upper bound of the ciphertext size is $2b_k + b_m$. With the storage arrangements of the ciphertext, with support for large numbers and the ability of recovering the multivector object for decryption, the size of the encrypted data is about 8 to 10 times larger than the plaintext data. By applying size limiters such as finite fields and compression, the ciphertext size can be reduced significantly.

In this section some performance results are shown as an overall performance comparison between EDCHE and AES, which initiates the discussion on the performance of EDCHE. There are no hardware optimizations available for EDCHE. Additionally, AES is not a fully homomorphic solution. Yet, the performance numbers are given as a reference of the current status of EDCHE with no optimization of any kind in comparison with AES.


7.8.1 EDCHE Performance Results

| Parameter | Value |
|---|---|
| Key size | 128 bits |
| Number of keys | 2 |
| Operating system | MacOS Sierra V.10.12.6 |
| Machine | MacBook Pro |
| Processor | 2 GHz Intel Core i5 |
| Memory | 8 GB 1867 MHz LPDDR3 |

Table 7.2: EDCHE Performance Specs

The following table shows the results for encryption time, varying by data size and block size:

| File size \ Block size | Time | 128 bits | 256 bits | 512 bits | 1024 bits | 4096 bits |
|---|---|---|---|---|---|---|
| 10.5 MB | real | 0m10.638s | 0m6.141s | 0m3.967s | 0m2.960s | 0m2.146s |
| 10.5 MB | user | 0m10.240s | 0m5.941s | 0m3.769s | 0m2.774s | 0m1.973s |
| 10.5 MB | sys | 0m0.267s | 0m0.170s | 0m0.166s | 0m0.148s | 0m0.146s |
| 104.9 MB | real | | 1m1.705s | 0m39.164s | 0m28.704s | 0m21.815s |
| 104.9 MB | user | | 0m59.761s | 0m37.484s | 0m27.139s | 0m20.062s |
| 104.9 MB | sys | | 0m1.598s | 0m1.421s | 0m1.342s | 0m1.291s |
| 1.05 GB | real | | | | | 3m27.751s |
| 1.05 GB | user | | | | | 3m14.330s |
| 1.05 GB | sys | | | | | 0m11.879s |

Table 7.3: Encryption Time

The following table shows the results for ciphertext size, varying by data size and block size:


| File size \ Block size | 128 bits | 256 bits | 512 bits | 1024 bits | 4096 bits |
|---|---|---|---|---|---|
| 10.5 MB | 107.9 MB | 95.8 MB | 89.8 MB | 86.8 MB | 84.6 MB |
| 104.9 MB | | 957.8 MB | 898.1 MB | 868.4 MB | 846.2 MB |
| 1.05 GB | | | | | 8.46 GB |

Table 7.4: Ciphertext Size

The following table shows the results for decryption time, varying by data size and block size:

| File size \ Block size | Time | 128 bits | 256 bits | 512 bits | 1024 bits | 4096 bits |
|---|---|---|---|---|---|---|
| 10.5 MB | real | 0m36.584s | 0m20.757s | 0m12.228s | 0m8.149s | 0m5.050s |
| 10.5 MB | user | 0m36.227s | 0m20.389s | 0m12.037s | 0m7.966s | 0m4.941s |
| 10.5 MB | sys | 0m0.195s | 0m0.212s | 0m0.123s | 0m0.117s | 0m0.078s |
| 104.9 MB | real | | 3m21.792s | 2m0.706s | 1m20.718s | 0m50.361s |
| 104.9 MB | user | | 3m19.998s | 1m59.302s | 1m19.385s | 0m49.394s |
| 104.9 MB | sys | | 0m1.229s | 0m0.950s | 0m0.931s | 0m0.732s |
| 1.05 GB | real | | | | | 8m24.560s |
| 1.05 GB | user | | | | | 8m13.044s |
| 1.05 GB | sys | | | | | 0m8.461s |

Table 7.5: Encryption Time


7.8.2 AES Performance Results

| Parameter | Value |
|---|---|
| Key size | 256 |
| Number of keys | 1 |
| Operating system | MacOS Sierra V.10.12.6 |
| Machine | MacBook Pro |
| Processor | 2 GHz Intel Core i5 |
| Memory | 8 GB 1867 MHz LPDDR3 |

Table 7.6: AES Performance Specs

The following table shows the summarized results for AES:

| File size | Time | Encryption Time | Ciphertext Size | Decryption Time |
|---|---|---|---|---|
| 10.5 MB | real | 0m0.513s | 10.5 MB | 0m0.481s |
| 10.5 MB | user | 0m0.450s | | 0m0.442s |
| 10.5 MB | sys | 0m0.038s | | 0m0.030s |
| 104.9 MB | real | 0m4.371s | 104.9 MB | 0m4.688s |
| 104.9 MB | user | 0m4.097s | | 0m4.316s |
| 104.9 MB | sys | 0m0.223s | | 0m0.250s |
| 1.05 GB | real | 0m43.323s | 1.05 GB | 0m42.697s |
| 1.05 GB | user | 0m40.553s | | 0m40.233s |
| 1.05 GB | sys | 0m2.129s | | 0m2.138s |

Table 7.7: AES Performance Results

It is clear that AES currently has better results than EDCHE. However, as already anticipated, a few things need to be considered:

1. This is a comparison of a FHE scheme and a non-FHE scheme

2. AES is a consolidated symmetric encryption scheme with hardware optimizations available


3. No optimization whatsoever was considered or applied to EDCHE in the scope of this work

4. A great part of the encryption and decryption time of EDCHE is spent dealing with the extra size of the ciphertext, in comparison with the plaintext size. This effect is especially perceived when encrypting and decrypting a 1.05 GB file.

7.9 Conclusions

When NIST announced the AES process, the effort required for producing a complete and proper submission package already filtered out several of the proposals [9]. Rijndael not only satisfied all the security, technical and other quality requirements but also was particularly attractive due to its "nice cryptographic properties" [35]. Rijndael, and now AES, has indeed a very elegant construction, both mathematically and algorithmically. However, the focus of this work is to discuss a new symmetric fully homomorphic encryption, due to the need for such a solution in insecure environments, while it is possible to operate on encrypted data in a meaningful and secure way. AES, as is, is not homomorphic at all. This difference is significantly observed in the performance test results. EDCHE has no optimization applied, while there is room for ciphertext size constraints, which will impact encryption and decryption time. The same approach Gentry applied on asymmetric encryption in order to produce his FHE scheme can be applied on AES as well. Actually, Gentry already did it [14]. However, this falls into creating circuits on top of AES, as happens with the original Gentry’s scheme. That implies that similar limitations on performance occur with this approach on AES. Any performance advantage AES possesses will be lost due to the heavy load added on top of it in order to allow computation on encrypted data. This kind of limitation is what classifies similar solutions as impracticable in the real world. Bruce Schneier in [28] points out that homomorphic cryptosystems require that mathematical operations on the ciphertext have regular effects on the plaintext. By this requirement, any normal symmetric cipher such as DES, AES, or similar, is not homomorphic. The author argues that, assuming a plaintext P is encrypted with AES in order to obtain the corresponding ciphertext C, if the ciphertext is multiplied by 2 and the result, 2C, is decrypted, it will yield a meaningless P. When it comes to the FHE scheme proposed by Gentry, the author classifies it as "completely impractical", since Gentry uses ideal lattices as the basis for the encryption scheme, and both the size of the ciphertext and the complexity of the encryption and decryption operations grow enormously with the number of operations. According to Schneier, converting a computer program, even a simple one, into a Boolean circuit requires an enormous number of operations. The author stresses that these are not impracticalities that can be solved with some optimization techniques and a few turns of Moore’s Law. He classifies the problem as an inherent limitation in the algorithm. So it can be inferred that a similar approach on AES will fall into the same limitations.

CHAPTER 8

Conclusions and Future Work

This work is the introduction to a new FHE symmetric scheme based on Geometric Algebra for arbitrary data sizes. The resulting mathematics of Geometric Algebra and its extensions works as a language where EDCHE is the framework for the development of many cryptographic solutions as desired. The term introduction is appropriate in this case since not all cases, possibilities and extensions of EDCHE possible implementations were detailed or even initially discussed in this work. This is very vast and rich, which requires a deep discussion for each sub-topic in order to be considered an exhaustive coverage of the matter. Instead, this work gives the minimal mathematical background for working with EDCHE and the main examples of FHE operations and their applications in the real world.

There is no doubt about the usefulness of Fully Homomorphic Encryption, which is an object of desire in terms of cyber security, being also considered one valuable property for encryption schemes since it allows a series of new operations on encrypted data, which would only be possible after decryption. It is not a new concept. It was first mentioned in 1979 by Rivest et al in [25]. With a practical FHE scheme available, it would be possible to conciliate meaning and security on encrypted data. Gentry’s solution is the first fully homomorphic encryption proposed [12]. It is based on a concept of creating binary circuits on top of encrypted data so basic mathematical operations can be performed, which would allow any type of computation on the encrypted data. His contribution inspired many others either to improve his scheme or introduce completely new solutions. He presented a theoretical way to solve one big problem in encryption and his scheme is constantly evolving. A practical application can be expected in the future, according to Gentry.
However, his scheme is currently impractical, leaving a gap in the market when it comes to solutions that are ready to be implemented and tested. Additionally, Gentry’s scheme is extrinsically homomorphic being yet intrinsically asymmetric. This discussion is introduced in this work in order to highlight additional issues and limitations of Gentry’s and other researchers’ work. A solution for the present moment, intrinsically homomorphic and extrinsically asymmetric/symmetric, arises as necessary, as the mathematical foundation to produce many fully homomorphic encryption applications. This work aims to introduce and detail the fundamentals of EDCHE as a practical and secure solution for FHE.

This work covers only a few basic resources from Geometric Algebra, each one providing direct benefits in its application. GA is a vast area of mathematics which is already explored in other fields of Computer Science and Physics for a variety of purposes. In this work, Geometric Algebra is introduced as a language for creating cryptographic solutions. The discussion starts with the power that is unlocked with the studies of Product Spaces. The fluidity of systems based on Product Spaces and Geometric Algebra and the ability to construct "expressions" that perform encryption sub-systems is one of the key points of development in this work. It is still important to notice that no mathematical "twist" is necessary to enable this set of homomorphic characteristics. From linear spaces it is possible to migrate to a higher space-dimension where new objects and operations are possible without losing the ones on the vector space, thus combining the best of lower and higher spaces. This is the direct benefit of working with exterior algebra and product spaces. The operations on the multivectors and the elements as organized by the Clifford product were used as the "cipher producing" vector elements. The product space can be seen as a $2^n$ lattice completely organized and linear, albeit, as described previously, filled with non-linear operations as arithmetic functions do the encryption.
Thus, it is not necessary to mix the "encryption" part with the lattice part, which would make the system heavy and non-fluid. At an abstract algebra level, there are many generalizations that can take this mathematical basis to an even more elegant, powerful and useful set of operations. The multivector is a special object and, when combined with operations found in the Geometric Algebra, it is possible to construct systems as if using a framework. The mathematics here plays the role of a language and can be organized as algorithms for the purpose of building encryption schemes that are intrinsically fully homomorphic. Each blade of the multivector carries different representations and meanings, since they can be manipulated as objects inside objects, which gives to the multivector this property of a multi-dimensional object. The main operation used in this work is the geometric product, a geometric equivalent of the multiplication of multivectors. Powered by the geometric product, many involutions (special operations that have the ability of "zeroing", among other capabilities) are generated, which unlock the useful and powerful inverse of the multivector. The inverse applied for encryption algorithms, detailed as an application in this work, is the key to unlock the principle of decryption. In this work, Geometric Algebra, described as a mathematical language, is the fundamental building block of the cryptographic framework EDCHE. The mathematical elements discussed about Geometric Algebra are far from an extensive coverage of the subject. Instead, this work should be seen as the least one should know about the subject in order to initiate implementations of cryptographic solutions using EDCHE.

It was discussed in this work how simple mathematical concepts such as the multiplicative inverse can be explored and extended to powerful operations in Geometric Algebra in favor of creating cryptographic solutions. In Geometric Algebra, the main object in consideration is the multivector, which is explored in many ways as a special structure for any type of data. Through the principle of number factorization, multivectors are intended to represent the original input in a certain way that, even submitted to a number of operations, both unencrypted and encrypted, it will be able to preserve the algebraic structures present in the plaintext data, so homomorphism is a natural and direct reality. It is pointed out in this work that Geometric Algebra should be seen as a mathematical language as EDCHE should be seen as a cryptographic framework. The operations powered by two different encryption schemes were detailed along with their examples. For most of the demonstrations, the triple product was the choice of configuration.
However, both work for all scenarios. The primitives influence how results are obtained; however, both of the primitives discussed obtain the same results. As a framework, EDCHE allows the creation of many other primitives. The primitives Triple Product and Sylvester’s equation create a consistent under-determined system where, without the secret keys, there are just too many solutions (infinite), which makes the core EDCHE encryption routines secure. For more specialized operations, it is possible to develop sub-primitives, as it was discussed for user registration and authorization, as many others might be derived from particular resources in Geometric Algebra. The examples contained in this work serve as a quick demonstration of these capabilities. EDCHE can be implemented as a solution that makes use of known-standard cryptographic resources, such as the Diffie-Hellman key exchange protocol. Additionally, EDCHE allows the creation of new protocols. The new key exchange protocol powered by EDCHE is an illustration of how to create complete cryptographic solutions with this framework. The cryptographic applications such as Sending Without Sending, Hierarchy Identity-based Encryption and Continuous Authentication were introduced in order to provide insights on how to apply EDCHE resources on real world routines.

My contributions include providing numeric examples and illustrations of direct applications for the mathematics of EDCHE on the majority of the topics discussed in this work. Given natural homomorphisms obtained via the specialized Exterior Algebra used in EDCHE, many homomorphic operations are possible, going beyond the investigation of homomorphic addition and multiplication and reaching comparisons, sorting and searching. The illustrations present in this work aim to describe the core fully homomorphic resources available in EDCHE. Out of the fundamental mathematical operations and basic routines, one can be inspired to extend them to perform complex operations on encrypted data. The selected encryption primitive for the examples is the geometric triple product, just as a matter of illustration. The examples work with Sylvester’s equation as well. The existing primitives may be extended while keeping their homomorphic properties. New encryption primitives might be constructed and in this case, it is always required to check the preservation of the algebraic structures between plaintext and ciphertext data.
The Dynamic Packing Scheme is introduced, adding a layer of security by producing a different ciphertext when encrypting the same plaintext multiple times. Examples of the building blocks of any mathematical operation are discussed using different components of Geometric Algebra. One of these components is the Rationalize, a one way function that generates a scalar from a multivector. It is not only a fundamental piece of the multivector’s inverse formula (since a multivector that does not produce a Rationalize, yielding 0, has no inverse), but also one more element of the homomorphic properties of EDCHE. Multiplicative homomorphism is introduced in many ways, from the use of the geometric product with multivectors originally packed as complex numbers, to the application of new products such as the Cartesian product and the edge product. EDCHE is an intrinsic fully homomorphic encryption solution, extrinsically symmetric, and its encryption functions allow a series of homomorphic operations on encrypted data without penalty to security. All the examples shown in this work illustrate some ways of achieving a FHE status, but not all. It is clear that EDCHE, as a framework, does not have certain limitations and constraints of specific cryptographic algorithms (as a computational recipe). Instead, EDCHE provides a tool-belt for creating many algorithms. In the graph below there is a quick summary of the main homomorphic properties of EDCHE.

Although no fully homomorphic encryption scheme is established as a standard until the present moment, the discussion about the subject is not recent at all. Rivest et al initiated the discussion on the meaning of encrypted data [25]. With the evolution of society and its needs, keeping private information secure was not enough. Decrypting secure information in order to perform computation was not the preferred idea. The solution would be an encryption scheme that allowed computation on the encrypted data. In this work it was shown how additive, scalar multiplicative and multiplicative homomorphism is achieved with EDCHE. For the additive homomorphic example, an owner of an online store encrypts and stores information about products in the cloud. When some products are selected, the owner wants to know the total amount of that selection, which is the sum of the value of each product. Under the selection of the encrypted products, when decrypted, the owner will have access to the sum of the products. For the scalar multiplicative example, Alice has an investment that is encrypted and sent to the cloud.
Given a public interest rate, after one month Alice requests the amount earned within the period. When Alice decrypts the information, she obtains exactly how much she earned with the interest rate applied on the original investment. For the multiplicative homomorphic example, in addition to other multiplication techniques, such as the multiplication using the Cartesian product and the edge product, a multiplication using the geometric product is discussed by packing the input multivectors as complex-like numbers. In addition to the fundamental mathematical operations, special applications are introduced, such as homomorphic search (via the versatility of the Rationalize) and numeric and alphanumeric sorting. These FHE resources can be incorporated either combined or in isolation, providing a variety of possible computations on encrypted data.

EDCHE is compared with AES, at least in a few certain aspects, in order to highlight some of the fundamental differences between the two symmetric encryption schemes. Understanding those differences is important when considering applying EDCHE as a full encryption solution, replacing AES completely in order to work homomorphically on encrypted data. When NIST announced the AES process, the effort required for producing a complete and proper submission package already filtered out several of the proposals [9]. Rijndael not only satisfied all the security, technical and other quality requirements but also was particularly attractive due to its "nice cryptographic properties" [35]. Rijndael, and now AES, has indeed a very elegant construction, both mathematically and algorithmically. However, the focus of this work is to discuss a new symmetric fully homomorphic encryption, due to the need for such a solution in insecure environments, while it is possible to operate on encrypted data in a meaningful and secure way. AES, as is, is not homomorphic at all. The same approach Gentry applied on asymmetric encryption in order to produce his FHE scheme can be applied on AES as well. Actually, Gentry already did it [14]. However, this falls into creating circuits on top of AES, as happens with the original Gentry’s scheme. That implies that similar limitations on performance occur with this approach on AES. Any performance advantage AES possesses will be lost due to the heavy load added on top of it in order to allow computation on encrypted data. This kind of limitation is what classifies similar solutions as impracticable in the real world.
Bruce Schneier in [28] points out that homomorphic cryptosystems require that mathematical operations on the ciphertext have regular effects on the plaintext. By this requirement, any normal symmetric cipher such as DES, AES, or similar, is not homomorphic. The author argues that, assuming a plaintext P is encrypted with AES in order to obtain the corresponding ciphertext C, if the ciphertext is multiplied by 2 and the result, 2C, is decrypted, it will yield a meaningless P. When it comes to the FHE scheme proposed by Gentry, the author classifies it as "completely impractical", since Gentry uses ideal lattices as the basis for the encryption scheme, and both the size of the ciphertext and the complexity of the encryption and decryption operations grow enormously with the number of operations. According to Schneier, converting a computer program, even a simple one, into a Boolean circuit requires an enormous number of operations. The author stresses that these are not impracticalities that can be solved with some optimization techniques and a few turns of Moore’s Law. He classifies the problem as an inherent limitation in the algorithm. So it can be inferred that a similar approach on AES will fall into the same limitations.

8.1 Future work

8.1.1 Ciphertext size

This work introduces a way to represent scalars as multivectors while preserving the homomorphism between plaintext and ciphertext data. This can be achieved either by the basic multivector scheme or the Dynamic Packing Scheme. This is the first step for allowing the manipulation of any data as a multivector. However, after being encrypted, the multivector needs to be transmitted and/or stored. For this step, the ciphertext multivector can definitely be stored "as is". However, due to the arbitrary size of data through the encryption primitive operations and the infinite field where EDCHE operates, the ciphertext size will be anywhere between 8 and 10 times larger than the plaintext size after being stored. Due to this increase in size, some aspects of EDCHE are affected, such as the performance.

One way of approaching this problem is to create an unpacking scheme for any multivector that converts coefficients into a scalar through auxiliary functions and objects such as matrices. This type of function is of great value for EDCHE since it would allow storing a unique integer that represents the ciphertext. That eliminates any extra information on the stored encrypted file. Another approach for limiting the size of the ciphertext is to work with finite fields. An implementation of a finite field of order 256 could be a reasonable start for EDCHE. It is necessary to investigate if the homomorphic properties of EDCHE are affected in any way, and if the security properties are somehow affected as well.


One more option is the compression of either the plaintext or the ciphertext. Compressing the plaintext makes a large input smaller, which will make the ciphertext smaller as well, compared to the associated ciphertext of the uncompressed plaintext. Compressing the ciphertext makes it possible to apply the EDCHE operations without modification and reduce the final ciphertext size. In both cases it is necessary to investigate if those manipulations will affect security or homomorphism in a negative way.

8.1.2 Performance

The performance results discussed in chapter 7 were produced by an implementation of EDCHE in C code using GMP, the GNU Multiple Precision Arithmetic Library. This library, very robust and efficient, brings more functionality than is necessary for EDCHE and also forces some limitations while developing due to its design. One possible approach for future work is to develop an EDCHE extension in C for dealing with large Rational numbers, containing only the small set of operations that is required for implementing EDCHE routines.

A hardware implementation of EDCHE is also a path to pursue, initially with FPGA, for checking the advantages of running EDCHE on hardware against other known cryptographic solutions also implemented on hardware.

Finally, a parallel version of EDCHE in CUDA is expected as a next step. One characteristic worth noticing is that the equations for each coefficient of the multivectors in EDCHE are independent of each other, which makes the geometric product a perfect candidate for parallel processing. This would be especially useful for massive data encryption, real time video encryption and other heavy-load tasks.

8.1.3 Exhaustive Cryptanalysis

An exhaustive cryptanalysis of EDCHE should take place in the future work for investigating the resilience of EDCHE against all known attacks.

Bibliography

[1] Computer scientist craig gentry, 2014 macarthur fellow, 09 2014.

[2] Frederik Armknecht, Colin Boyd, Christopher Carr, Kristian Gjøsteen, Angela Jäschke, Christian A Reuter, and Martin Strand. A guide to fully homomorphic encryption. IACR Cryptology ePrint Archive, 2015:1192, 2015.

[3] John Bird. Higher engineering mathematics. Routledge, 2007.

[4] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomor- phic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT),6(3):13,2014.

[5] Encyclopaedia Britannica. Encyclopaedia britannica. Millennium 4th Edition. Copy- right,2003:1994–2003,1994.

[6] Stanley Burris and Hanamantagida Pandappa Sankappanavar. ACourseinUniversal Algebra-With 36 Illustrations.2006.

[7] Lindsay Childs and Lindsay N Childs. Aconcreteintroductiontohigheralgebra,vol- ume 1. Springer, 1979.

[8] Professor Clifford. Applications of grassmann’s extensive algebra. American Journal of Mathematics,1(4):350–358,1878.

[9] Joan Daemen and Vincent Rijmen. The design of Rijndael: AES-the advanced encryp- tion standard. Springer Science & Business Media, 2013.

[10] Michael R Garey and David S Johnson. Computers and intractability, volume 29. wh freeman New York, 2002.

[11] Midhat J Gazalé. Number: From Ahmes to Cantor. Princeton University Press, 2000.

155 Bibliography

[12] Craig Gentry. Afullyhomomorphicencryptionscheme. PhD thesis, Stanford University, 2009.

[13] Craig Gentry et al. Fully homomorphic encryption using ideal lattices. In STOC, volume 9, pages 169–178, 2009.

[14] Craig Gentry, Shai Halevi, and Nigel P Smart. Homomorphic evaluation of the aes circuit. In Advances in Cryptology–CRYPTO 2012, pages 850–867. Springer, 2012.

[15] Andy Greenberg. Hacker lexicon: What is homomorphic encryption?, 11 2014.

[16] Jeffrey Hoffstein, Jill Catherine Pipher, Joseph H Silverman, and Joseph H Silverman. An introduction to mathematical cryptography, volume 1. Springer, 2008.

[17] Ellis Horowitz, Sartaj Sahni, and Sanguthevar Rajasekeran. Computer Algorithms. Silicon Press, 2008.

[18] Michael Huth. Secure communicating systems: design, analysis, and implementation. Cambridge University Press, 2001.

[19] Kenichi Kanatani et al. Understanding geometric algebra. Hamilton, Grassmann, and Clifford for Computer Vision and Graphics,2015.

[20] Jonathan Katz and Yehuda Lindell. Introduction to modern cryptography. CRC press, 2014.

[21] Alan Macdonald. Linear and geometric algebra. Alan Macdonald, 2010.

[22] Rebecca Meissen. AMathematicalApproachtoFullyHomomorphicEncryption.PhD thesis, Worcester Polytechnic Institute, 2012.

[23] Alexei Myasnikov, Vladimir Shpilrain, and Alexander Ushakov. Group-based cryptog- raphy. Springer Science & Business Media, 2008.

[24] John R Pierce. An introduction to information theory: symbols, signals and noise. Courier Corporation, 2012.

156 Bibliography

[25] Ronald L Rivest, Len Adleman, and Michael L Dertouzos. On data banks and privacy homomorphisms. Foundations of secure computation,4(11):169–180,1978.

[26] Edward R Scheinerman. Mathematics: A discrete introduction, brooks, 2000.

[27] Bruce Schneier. A self-study course in block-cipher cryptanalysis. Cryptologia,24(1):18– 33, 2000.

[28] Bruce Schneier. Homomorphic encryption breakthrough. Schneier on Security,9,2009.

[29] Bruce Schneier. Schneier on security. John Wiley & Sons, 2009.

[30] Adi Shamir et al. Identity-based cryptosystems and signature schemes. In Crypto, volume 84, pages 47–53. Springer, 1984.

[31] Claude E Shannon. Communication theory of secrecy systems. Bell Labs Technical Journal,28(4):656–715,1949.

[32] Hiroyuki Shima and Tsuneyoshi Nakayama. Higher mathematics for physics and engi- neering. Springer Science & Business Media, 2010.

[33] B Simmons. Mathwords–website. Oregon City, OR: Author,2007.

[34] Geoffrey C Smith. Introductory mathematics: Algebra and analysis. Springer Science & Business Media, 2012.

[35] Tom St Denis. Cryptography for developers. Syngress, 2006.

[36] Christopher Swenson. Modern cryptanalysis: techniques for advanced code breaking. John Wiley & Sons, 2008.

[37] Iain Thomson. Microsoft researchers smash homomorphic encryption speed barrier, 02 2016.

[38] Alan Tussy and R Gustafson. Elementary Algebra. Nelson Education, 2012.

[39] John A Vince. Geometric algebra: An algebraic system for computer games and ani- mation. Springer, 2009.

157 Bibliography

[40] Samuel S Wagstaff Jr. Cryptanalysis of number theoretic ciphers. CRC Press, 2002.

[41] Merriam Webster. Merriam-webster online dictionary. 2006.

APPENDIX A

Additional Examples

A.1 Scale Properties

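Given the input scalars $a = 33$, $b = 57$, $c = 35$, by using the basic packing scheme discussed in Sections 4.2 and 6.6, the multivectors $\bar{A}$, $\bar{B}$, $\bar{C}$ are given by:

$$\bar{A} = 5\bar{e}_0 + 4\bar{e}_1 + 4\bar{e}_2 + 4\bar{e}_3 + 4\bar{e}_{12} + 4\bar{e}_{13} + 4\bar{e}_{23} + 4\bar{e}_{123}$$

$$\bar{B} = 8\bar{e}_0 + 7\bar{e}_1 + 7\bar{e}_2 + 7\bar{e}_3 + 7\bar{e}_{12} + 7\bar{e}_{13} + 7\bar{e}_{23} + 7\bar{e}_{123}$$

$$\bar{C} = 15\bar{e}_0 + 11\bar{e}_1 + 11\bar{e}_2 + 11\bar{e}_3 + 11\bar{e}_{12} + 11\bar{e}_{13} + 11\bar{e}_{23} + 11\bar{e}_{123}$$

Let $\bar{S}_1$ and $\bar{S}_2$ be two secret key multivectors with the following characteristics:

$$\bar{S}_1 = 4\bar{e}_0 + 7\bar{e}_1 + 6\bar{e}_2 + 9\bar{e}_3 + 8\bar{e}_{12} + 6\bar{e}_{13} + 7\bar{e}_{23} + 5\bar{e}_{123}$$

$$\bar{S}_2 = 9\bar{e}_0 + 3\bar{e}_1 + 8\bar{e}_2 + 2\bar{e}_3 + 7\bar{e}_{12} + 3\bar{e}_{13} + 6\bar{e}_{23} + 4\bar{e}_{123}$$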

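The ciphertext multivectors $\bar{C}_{\bar{A}}$, $\bar{C}_{\bar{B}}$, and $\bar{C}_{\bar{C}}$ are defined using the edge product primitive as discussed in Section 5.8:

$$\bar{C}_{\bar{A}} = 8995\bar{e}_0 + 9014\bar{e}_1 + 9002\bar{e}_2 + 9023\bar{e}_3 + 9013\bar{e}_{12} + 9004\bar{e}_{13} + 9016\bar{e}_{23} + 9005\bar{e}_{123}$$

$$\bar{C}_{\bar{B}} = 15547\bar{e}_0 + 15566\bar{e}_1 + 15554\bar{e}_2 + 15575\bar{e}_3 + 15565\bar{e}_{12} + 15556\bar{e}_{13} + 15568\bar{e}_{23} + 15557\bar{e}_{123}$$

$$\bar{C}_{\bar{C}} = 25060\bar{e}_0 + 25136\bar{e}_1 + 25088\bar{e}_2 + 25172\bar{e}_3 + 25132\bar{e}_{12} + 25096\bar{e}_{13} + 25144\bar{e}_{23} + 25100\bar{e}_{123}$$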

Recall the edge product is defined as:

$$\bar{A}\bar{B} = \bar{A} \cdot \bar{B} + \bar{A} \wedge \bar{B}$$

Let $s(\bar{M})$ be the function that returns the sum of the coefficients of $\bar{M}$. By applying this function on the generated ciphertexts we have:

$$s(\bar{C}_{\bar{A}}) = 72072$$

$$s(\bar{C}_{\bar{B}}) = 124488$$

$$s(\bar{C}_{\bar{C}}) = 200928$$

The sorting properties of EDCHE will be discussed later with a proof; however, it is important to notice that

$$s(\bar{A}) = 33$$

$$s(\bar{B}) = 57$$

$$s(\bar{C}) = 92$$

and

a

$$\bar{D} = 43\bar{e}_0 + 41\bar{e}_1 + 41\bar{e}_2 + 41\bar{e}_3 + 41\bar{e}_{12} + 41\bar{e}_{13} + 41\bar{e}_{23} + 41\bar{e}_{123}$$

By encrypting $\bar{D}$ using the edge product we obtain:

$$\bar{C}_{\bar{D}} = 90062\bar{e}_0 + 90100\bar{e}_1 + 90076\bar{e}_2 + 90118\bar{e}_3 + 90098\bar{e}_{12} + 90080\bar{e}_{13} + 90104\bar{e}_{23} + 90082\bar{e}_{123}$$

The sum of the coefficients of $\bar{C}_{\bar{D}}$ is:

$$s(\bar{C}_{\bar{D}}) = 720720$$

and we see that

$$\frac{s(\bar{C}_{\bar{D}})}{s(\bar{C}_{\bar{A}})} = 10$$

which shows that by scaling the input variables by some factor, packing the result as a multivector and encrypting it, the scale property will be preserved.

A.2 Ratio Properties

Using the same multivectors generated in the previous section, we show the ratio properties of EDCHE. Recall that

$$s(\bar{A}) = 33$$

$$s(\bar{B}) = 57$$

$$s(\bar{C}) = 92$$

and

$$s(\bar{C}_{\bar{A}}) = 72072$$

$$s(\bar{C}_{\bar{B}}) = 124488$$

$$s(\bar{C}_{\bar{C}}) = 200928$$

The ratios of $\bar{B}$ over $\bar{A}$, $\bar{C}$ over $\bar{B}$ and $\bar{C}$ over $\bar{A}$, using the $s$ function, are:

$$\frac{s(\bar{B})}{s(\bar{A})} = 1.7272727272727273$$

$$\frac{s(\bar{C})}{s(\bar{B})} = 1.6140350877192982$$

$$\frac{s(\bar{C})}{s(\bar{A})} = 2.787878787878788$$

and we see that

$$\frac{s(\bar{C}_{\bar{B}})}{s(\bar{C}_{\bar{A}})} = 1.7272727272727273$$

$$\frac{s(\bar{C}_{\bar{C}})}{s(\bar{C}_{\bar{B}})} = 1.6140350877192982$$

$$\frac{s(\bar{C}_{\bar{C}})}{s(\bar{C}_{\bar{A}})} = 2.787878787878788$$

which shows that when we divide the sum of the coefficients of one plaintext multivector by that of another plaintext multivector, the ratio is the very same as the ratio of the sums of their encrypted versions, so the ratio property will be preserved.

A.3 Sorting Properties

In Section A.1 we saw that

$$s(\bar{A}) = 33$$

$$s(\bar{B}) = 57$$

$$s(\bar{C}) = 92$$

and

$$s(\bar{C}_{\bar{A}}) = 72072$$

$$s(\bar{C}_{\bar{B}}) = 124488$$

$$s(\bar{C}_{\bar{C}}) = 200928$$

so we want to show that

a

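$$\bar{A} = a_0\bar{e}_0 + a_1\bar{e}_1 + a_2\bar{e}_2 + a_3\bar{e}_3 + a_{12}\bar{e}_{12} + a_{23}\bar{e}_{23} + a_{13}\bar{e}_{13} + a_{123}\bar{e}_{123}$$

$$\bar{B} = b_0\bar{e}_0 + b_1\bar{e}_1 + b_2\bar{e}_2 + b_3\bar{e}_3 + b_{12}\bar{e}_{12} + b_{23}\bar{e}_{23} + b_{13}\bar{e}_{13} + b_{123}\bar{e}_{123}$$

The edge product of $\bar{A}$ and $\bar{B}$ is given by:

$$\bar{A} \diamond \bar{B} = \bar{C} = \begin{cases}
c_0 = a_0 b_0 + a_1 b_1 + a_2 b_2 + a_3 b_3 + a_{12} b_{12} + a_{23} b_{23} + a_{13} b_{13} + a_{123} b_{123} \\
c_1 = a_0 b_1 + a_1 b_0 + a_2 b_{12} + a_3 b_{13} + a_{12} b_2 + a_{23} b_{123} + a_{13} b_3 + a_{123} b_{23} \\
c_2 = a_0 b_2 + a_1 b_{12} + a_2 b_0 + a_3 b_{23} + a_{12} b_1 + a_{23} b_3 + a_{13} b_{123} + a_{123} b_{13} \\
c_3 = a_0 b_3 + a_1 b_{13} + a_2 b_{23} + a_3 b_0 + a_{12} b_{123} + a_{23} b_2 + a_{13} b_1 + a_{123} b_{12} \\
c_{12} = a_0 b_{12} + a_1 b_2 + a_2 b_1 + a_3 b_{123} + a_{12} b_0 + a_{23} b_{13} + a_{13} b_{23} + a_{123} b_3 \\
c_{23} = a_0 b_{23} + a_1 b_{123} + a_2 b_3 + a_3 b_2 + a_{12} b_{13} + a_{23} b_0 + a_{13} b_{12} + a_{123} b_1 \\
c_{13} = a_0 b_{13} + a_1 b_3 + a_2 b_{123} + a_3 b_1 + a_{12} b_{23} + a_{23} b_{12} + a_{13} b_0 + a_{123} b_2 \\
c_{123} = a_0 b_{123} + a_1 b_{23} + a_2 b_{13} + a_3 b_{12} + a_{12} b_3 + a_{23} b_1 + a_{13} b_2 + a_{123} b_0
\end{cases}$$

which can be rewritten as:

$$\bar{A} \diamond \bar{B} = \bar{C} = \begin{cases}
c_0 = \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right)\left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + 7 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_1 = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_2 = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_3 = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_{12} = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_{23} = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_{13} = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_{123} = \lfloor \tfrac{a}{8} \rfloor \left(\lfloor \tfrac{b}{8} \rfloor + b \bmod 8\right) + \lfloor \tfrac{b}{8} \rfloor \left(\lfloor \tfrac{a}{8} \rfloor + a \bmod 8\right) + 6 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor
\end{cases}$$

which can be simplified to:

$$\bar{A} \diamond \bar{B} = \bar{C} = \begin{cases}
c_0 = \left(a - 7 \lfloor \tfrac{a}{8} \rfloor\right)\left(b - 7 \lfloor \tfrac{b}{8} \rfloor\right) + 7 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor \\
c_1 = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_2 = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_3 = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_{12} = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_{23} = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_{13} = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \\
c_{123} = \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor
\end{cases}$$

therefore

$$s(\bar{C}) = \left(a - 7 \lfloor \tfrac{a}{8} \rfloor\right)\left(b - 7 \lfloor \tfrac{b}{8} \rfloor\right) + 7 \lfloor \tfrac{a}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor + 7 \left( \lfloor \tfrac{a}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + a \lfloor \tfrac{b}{8} \rfloor \right)$$

If we calculate $s(\bar{C})$ in terms of the input scalars $a + 1$ and $b$, we have:

$$s(\bar{C}_2) = \left((a+1) - 7 \lfloor \tfrac{a+1}{8} \rfloor\right)\left(b - 7 \lfloor \tfrac{b}{8} \rfloor\right) + 7 \lfloor \tfrac{a+1}{8} \rfloor \lfloor \tfrac{b}{8} \rfloor + 7 \left( \lfloor \tfrac{a+1}{8} \rfloor \left(b - 8 \lfloor \tfrac{b}{8} \rfloor\right) + (a+1) \lfloor \tfrac{b}{8} \rfloor \right)$$

and we can clearly see that

$$s(\bar{C}_2) > s(\bar{C}), \quad \forall\, a, b > 0$$

which shows that the edge product preserves the magnitude relationship between numbers. Since we already showed that $a \equiv s(\bar{A})$, as a multiplicative homomorphic operation, the edge product follows the property

$$ab \equiv \bar{A} \diamond \bar{B}$$

Therefore, it is really easy to see that if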

a

given we have a third variable $c$, when we generate the multivectors for $a$, $b$ and $c$, which are $\bar{A}$, $\bar{B}$, and $\bar{C}$, the following applies:

$$\bar{A} \diamond \bar{C} < \bar{B} \diamond \bar{C}$$

A simple way of illustrating this property is:

$$a = 5$$

$$b = 6$$

$$c = 8$$

thus ac = 40

Calculating a triple product does not change this relationship. Let $d = 9$. We see that:

dac = 360
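The scale, ratio and sorting figures of this appendix can be reproduced numerically. The Ruby sketch below is an added example, not code from the thesis: the bitmask encoding of the basis blades, the function names, and the reading of the ciphertext as the edge product of S1, M and S2 are assumptions, chosen because they reproduce the coefficients printed in Section A.1. It also confirms that the coefficient sum is multiplicative, s(C) = s(S1) s(M) s(S2), which is why plaintext ratios and order can be read from ciphertext coefficient sums without the keys.

```ruby
# Added example, not the thesis code. Coefficient order follows the appendix:
# e0, e1, e2, e3, e12, e13, e23, e123.
# Assumption: blades are encoded as bitmasks (e1 = 1, e2 = 2, e3 = 4), so the
# blade of a product is the XOR of the two masks. Every term enters with a
# plus sign, as in the c0..c123 equations of Section A.3.
MASKS = [0, 1, 2, 4, 3, 5, 6, 7].freeze

def edge_product(a, b)
  out = Array.new(8, 0)
  MASKS.each_with_index do |mask_a, i|
    MASKS.each_with_index do |mask_b, j|
      out[MASKS.index(mask_a ^ mask_b)] += a[i] * b[j]
    end
  end
  out
end

# Basic packing: e0 holds n/8 + n mod 8, the other seven coefficients n/8.
def pack(n)
  [n / 8 + n % 8] + Array.new(7, n / 8)
end

# s(M): sum of the coefficients of a multivector.
def s(m)
  m.sum
end

# Key multivectors S1 and S2 from Section A.1.
S1 = [4, 7, 6, 9, 8, 6, 7, 5].freeze
S2 = [9, 3, 8, 2, 7, 3, 6, 4].freeze

# Assumption: the ciphertext is S1 (edge) M (edge) S2.
def encrypt(m)
  edge_product(edge_product(S1, m), S2)
end

# Closed form for s(C), C = A (edge) B, from the end of Section A.3.
def s_closed_form(a, b)
  fa = a / 8
  fb = b / 8
  (a - 7 * fa) * (b - 7 * fb) + 7 * fa * fb +
    7 * (fa * (b - 8 * fb) + a * fb)
end

# 33, 57 and 92 are the coefficient sums the appendix reports; 330 = 10 * 33.
def report
  [33, 57, 92, 330].map { |n| [n, s(encrypt(pack(n)))] }
end

if __FILE__ == $PROGRAM_NAME
  report.each do |n, sum|
    puts "s(M) = #{n}  s(C) = #{sum}  s(C)/s(M) = #{sum / n}"
  end
end
```

Every row prints the same quotient s(C)/s(M), the product of the two key coefficient sums.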

APPENDIX B

Ruby Codes

This appendix shows a Ruby implementation of EDCHE in 6 files:

1. multivector.rb : the class Multivector with all needed GA operations

2. tools.rb : the class Tools with required utilities

3. edche.rb : the module XLogos that holds the sample secret keys and the encryption/decryption routines

4. boot.rb : it loads all the files above

5. example.rb : one example of encryption and decryption applying the code

6. example_different_keys.rb : one example showing the same encryption/decryption routine with different keys.

The three classes are inside the scope of the EDCHE module.

B.1 Multivector Class

File: multivector.rb

    module EDCHE
      class Multivector
        attr_accessor :e0, :e1, :e2, :e3, :e12, :e13, :e23, :e123

        # input: the 8 coefficients in the order e0, e1, e2, e3, e12, e13, e23, e123
        def initialize(input = [])
          @e0 = input[0]
          @e1 = input[1]
          @e2 = input[2]
          @e3 = input[3]
          @e12 = input[4]
          @e13 = input[5]
          @e23 = input[6]
          @e123 = input[7]
        end

        def to_s
          "#{self.e0}e0 + #{self.e1}e1 + #{self.e2}e2 + #{self.e3}e3 + " \
          "#{self.e12}e12 + #{self.e13}e13 + #{self.e23}e23 + #{self.e123}e123"
        end

        def inspect
          to_s
        end

        def geometric_product(m2)
          m = self.clone
          m.e0 = (self.e0 * m2.e0) + (self.e1 * m2.e1) +
                 (self.e2 * m2.e2) + (self.e3 * m2.e3) -
                 (self.e12 * m2.e12) - (self.e13 * m2.e13) -
                 (self.e23 * m2.e23) - (self.e123 * m2.e123)
          m.e1 = (self.e0 * m2.e1) + (self.e1 * m2.e0) -
                 (self.e2 * m2.e12) - (self.e3 * m2.e13) +
                 (self.e12 * m2.e2) + (self.e13 * m2.e3) -
                 (self.e23 * m2.e123) - (self.e123 * m2.e23)
          m.e2 = (self.e0 * m2.e2) + (self.e1 * m2.e12) +
                 (self.e2 * m2.e0) - (self.e3 * m2.e23) -
                 (self.e12 * m2.e1) + (self.e13 * m2.e123) +
                 (self.e23 * m2.e3) + (self.e123 * m2.e13)
          m.e3 = (self.e0 * m2.e3) + (self.e1 * m2.e13) +
                 (self.e2 * m2.e23) + (self.e3 * m2.e0) -
                 (self.e12 * m2.e123) - (self.e13 * m2.e1) -
                 (self.e23 * m2.e2) - (self.e123 * m2.e12)
          m.e12 = (self.e0 * m2.e12) + (self.e1 * m2.e2) -
                  (self.e2 * m2.e1) + (self.e3 * m2.e123) +
                  (self.e12 * m2.e0) - (self.e13 * m2.e23) +
                  (self.e23 * m2.e13) + (self.e123 * m2.e3)
          m.e13 = (self.e0 * m2.e13) + (self.e1 * m2.e3) -
                  (self.e2 * m2.e123) - (self.e3 * m2.e1) +
                  (self.e12 * m2.e23) + (self.e13 * m2.e0) -
                  (self.e23 * m2.e12) - (self.e123 * m2.e2)
          m.e23 = (self.e0 * m2.e23) + (self.e1 * m2.e123) +
                  (self.e2 * m2.e3) - (self.e3 * m2.e2) -
                  (self.e12 * m2.e13) + (self.e13 * m2.e12) +
                  (self.e23 * m2.e0) + (self.e123 * m2.e1)
          m.e123 = (self.e0 * m2.e123) + (self.e1 * m2.e23) -
                   (self.e2 * m2.e13) + (self.e3 * m2.e12) +
                   (self.e12 * m2.e3) - (self.e13 * m2.e2) +
                   (self.e23 * m2.e1) + (self.e123 * m2.e0)
          m
        end

        alias_method :gp, :geometric_product

        # negates the vector and bivector coefficients
        def clifford_conjugation
          m = self.clone
          m.e0 = self.e0
          m.e1 = -self.e1
          m.e2 = -self.e2
          m.e3 = -self.e3
          m.e12 = -self.e12
          m.e13 = -self.e13
          m.e23 = -self.e23
          m.e123 = self.e123
          m
        end

        alias_method :cc, :clifford_conjugation

        # negates the vector and trivector coefficients
        def reverse
          m = self.clone
          m.e0 = self.e0
          m.e1 = -self.e1
          m.e2 = -self.e2
          m.e3 = -self.e3
          m.e12 = self.e12
          m.e13 = self.e13
          m.e23 = self.e23
          m.e123 = -self.e123
          m
        end

        # negates the bivector and trivector coefficients
        def space_inversion
          m = self.clone
          m.e0 = self.e0
          m.e1 = self.e1
          m.e2 = self.e2
          m.e3 = self.e3
          m.e12 = -self.e12
          m.e13 = -self.e13
          m.e23 = -self.e23
          m.e123 = -self.e123
          m
        end

        # product of the multivector with its Clifford conjugate
        def amplitude_squared
          self.gp(self.cc)
        end

        # product of amplitude_squared with its reverse
        def rationalize
          self.amplitude_squared.gp(amplitude_squared.reverse)
        end

        # divides every coefficient by a scalar, keeping exact Rational values
        def scalar_div(scalar)
          m = self.clone
          m.e0 = Rational(self.e0, scalar)
          m.e1 = Rational(self.e1, scalar)
          m.e2 = Rational(self.e2, scalar)
          m.e3 = Rational(self.e3, scalar)
          m.e12 = Rational(self.e12, scalar)
          m.e13 = Rational(self.e13, scalar)
          m.e23 = Rational(self.e23, scalar)
          m.e123 = Rational(self.e123, scalar)
          m
        end

        def scalar_mul(scalar)
          m = self.clone
          m.e0 = self.e0 * scalar
          m.e1 = self.e1 * scalar
          m.e2 = self.e2 * scalar
          m.e3 = self.e3 * scalar
          m.e12 = self.e12 * scalar
          m.e13 = self.e13 * scalar
          m.e23 = self.e23 * scalar
          m.e123 = self.e123 * scalar
          m
        end

        def sum(m2)
          m = self.clone
          m.e0 = self.e0 + m2.e0
          m.e1 = self.e1 + m2.e1
          m.e2 = self.e2 + m2.e2
          m.e3 = self.e3 + m2.e3
          m.e12 = self.e12 + m2.e12
          m.e13 = self.e13 + m2.e13
          m.e23 = self.e23 + m2.e23
          m.e123 = self.e123 + m2.e123
          m
        end

        def minus(m2)
          m = self.clone
          m.e0 = self.e0 - m2.e0
          m.e1 = self.e1 - m2.e1
          m.e2 = self.e2 - m2.e2
          m.e3 = self.e3 - m2.e3
          m.e12 = self.e12 - m2.e12
          m.e13 = self.e13 - m2.e13
          m.e23 = self.e23 - m2.e23
          m.e123 = self.e123 - m2.e123
          m
        end

        # converts every coefficient to an Integer
        def m_to_i
          m = self.clone
          m.e0 = self.e0.to_i
          m.e1 = self.e1.to_i
          m.e2 = self.e2.to_i
          m.e3 = self.e3.to_i
          m.e12 = self.e12.to_i
          m.e13 = self.e13.to_i
          m.e23 = self.e23.to_i
          m.e123 = self.e123.to_i
          m
        end

        # numerator: conjugate times the reverse of amplitude_squared;
        # denominator: scalar part (e0) of rationalize
        def inverse
          numerator = self.cc.gp(self.amplitude_squared.reverse)
          denominator = self.rationalize.e0
          numerator.scalar_div(denominator)
        end

        def data
          [e0, e1, e2, e3, e12, e13, e23, e123]
        end

        # sum of the coefficients
        def number
          data.inject(:+)
        end

      end
    end

B.2 Tools Class

File: tools.rb

    module EDCHE
      class Tools

        # basic packing: e0 = n/8 + n mod 8, the remaining seven coefficients = n/8
        def self.number_to_multivector(number)
          coefficients = []
          coefficients << (number / 8) + (number % 8)
          coefficients += Array.new(7, (number / 8))
          m = EDCHE::Multivector.new(coefficients)
        end

        def self.multivector_to_number(multivector)
          multivector.number
        end

        def self.bit_size(number)
          number.to_s(2).size
        end

        # dynamic packing: random displacements are added and subtracted
        # in pairs, so the sum of the coefficients is unchanged
        def self.n_to_m(number)
          m = number_to_multivector(number)
          bits = bit_size(m.e0)
          displacements = Array.new(4) { random_number(bits) }
          m.e0 += displacements[0]
          m.e1 -= displacements[0]
          m.e2 += displacements[1]
          m.e3 -= displacements[1]
          m.e12 += displacements[2]
          m.e13 -= displacements[2]
          m.e23 += displacements[3]
          m.e123 -= displacements[3]
          m
        end

        def self.random_number(bits)
          rng = Random.new
          rng.rand(((2**(bits - 1)) + 1)..((2**bits) - 1))
        end

      end
    end
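The Tools listing draws the packing displacements from Random, which is Ruby's Mersenne Twister generator and not a cryptographically secure source. The sketch below is an added example, not part of the thesis code: it applies the same displacement scheme to plain coefficient arrays using SecureRandom. The names basic_pack, secure_displacement and secure_n_to_m, and the fallback range used when the listing's range is empty (bits < 2), are assumptions of this example.

```ruby
require 'securerandom'

# Added example, not the thesis code. Coefficient order:
# e0, e1, e2, e3, e12, e13, e23, e123.

# Basic packing, as in Tools.number_to_multivector.
def basic_pack(n)
  [n / 8 + n % 8] + Array.new(7, n / 8)
end

# Displacement drawn from the OS CSPRNG in the range the listing uses,
# (2^(bits-1) + 1)..(2^bits - 1). That range is empty for bits < 2;
# this sketch falls back to 1..3 there (assumption of this example).
def secure_displacement(bits)
  lo = 2**(bits - 1) + 1
  hi = 2**bits - 1
  lo, hi = 1, 3 if lo > hi
  SecureRandom.random_number(lo..hi)
end

# Dynamic packing: each displacement is added to one coefficient and
# subtracted from its neighbour (e0/e1, e2/e3, e12/e13, e23/e123),
# so the coefficient sum still equals n.
def secure_n_to_m(n)
  m = basic_pack(n)
  bits = m[0].to_s(2).size
  displacements = Array.new(4) { secure_displacement(bits) }
  displacements.each_with_index do |d, k|
    m[2 * k] += d
    m[2 * k + 1] -= d
  end
  m
end

if __FILE__ == $PROGRAM_NAME
  n = 2689762632 # message value used in example.rb
  2.times do
    m = secure_n_to_m(n)
    puts "#{m.inspect}  sum = #{m.sum}"
  end
end
```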

B.3 EDCHE Module

File: edche.rb

    module EDCHE

      @s1 = 0
      @s2 = 0

      # here, fixed secret keys
      # in the real world, these keys would
      # be generated by a Diffie-Hellman exchange
      # or by a true random number generator
      # or any other accepted exchange scheme
      @s1_10 = 715305687675857286502473229202941_526618622776129778235681947350268_82660369534
      @s2_10 = 952283688991249580728475114749775_289350191058173324892505348345030_19561842604

      @internal_s1 = EDCHE::Tools.n_to_m(@s1_10)
      @internal_s2 = EDCHE::Tools.n_to_m(@s2_10)

      class << self
        attr_accessor :internal_s1, :internal_s2,
                      :s1, :s2
      end

      # falls back to the internal sample key when no custom key was set
      def self.s1
        @s1 == 0 ? internal_s1 : @s1
      end

      def self.s2
        @s2 == 0 ? internal_s2 : @s2
      end

      def self.set_s1(s1_10)
        self.s1 = EDCHE::Tools.n_to_m(s1_10)
      end

      def self.set_s2(s2_10)
        self.s2 = EDCHE::Tools.n_to_m(s2_10)
      end

      # dispatches to <primitive>_encryption / <primitive>_decryption
      def self.encrypt(m, primitive)
        self.send("#{primitive.to_s}_encryption", m)
      end

      def self.decrypt(c, primitive)
        self.send("#{primitive.to_s}_decryption", c)
      end

      def self.triple_product_encryption(m)
        s1.gp(m).gp(s2)
      end

      def self.triple_product_decryption(c)
        s1.inverse.gp(c).gp(s2.inverse).m_to_i
      end

      def self.sylvesters_equation_encryption(m)
        s1.gp(m).sum(m.gp(s2))
      end

      def self.sylvesters_equation_decryption(c)
        s2_sum_s2_cc = s2.sum(s2.cc)
        s1_inverse_gp_s2 = s1.inverse.gp(s2)
        s1_inverse_gp_s2_gp_s2_cc = s1_inverse_gp_s2.gp(s2.cc)
        left_side = s2_sum_s2_cc.sum(s1_inverse_gp_s2_gp_s2_cc).sum(s1)
        right_side = s1.inverse.gp(c).gp(s2.cc).sum(c)
        left_side.inverse.gp(right_side).m_to_i
      end

    end

B.4 Loader

File: boot.rb

    require Dir.pwd + "/multivector"
    require Dir.pwd + "/tools"
    require Dir.pwd + "/edche"

B.5 Example With Pre-defined Keys

File: example.rb. It contains a basic routine for encryption and decryption using EDCHE.

    require Dir.pwd + "/boot.rb"

    # message to be encrypted, in base 10
    m_10 = 2689762632

    # message to be encrypted, in multivector form
    # packing a multivector using dynamic packing
    # refer to the document on Dynamic Packing for more details
    m1 = EDCHE::Tools.n_to_m(m_10)

    # cipher 1: encryption using the triple product
    c1 = EDCHE.encrypt(m1, :triple_product)

    # recovered message 1: decryption using the triple product
    rm1 = EDCHE.decrypt(c1, :triple_product)

    # packing m_10 again. Due to dynamic packing,
    # it will be a different multivector
    m2 = EDCHE::Tools.n_to_m(m_10)

    # cipher 2: encryption using the Sylvester's equation
    c2 = EDCHE.encrypt(m2, :sylvesters_equation)

    # recovered message 2: decryption using the Sylvester's equation
    rm2 = EDCHE.decrypt(c2, :sylvesters_equation)

    # Printing the outputs

    puts "\n\nEDCE EXAMPLE\n\n"
    puts "m_10 = #{m_10}"

    puts "Encryption using the triple product\n\n"
    puts "m1 = #{m1}"
    puts "c1 = #{c1}"
    puts "rm1 = #{rm1}\n\n"

    puts "Encryption using the Sylvester's equation\n\n"
    puts "m2 = #{m2}"
    puts "c2 = #{c2}"
    puts "rm2 = #{rm2}\n\n"

B.6 Example With Custom Keys

File: example_different_keys.rb. It shows how to apply different keys (instead of using the sample internal ones).

    require Dir.pwd + "/boot.rb"

    # message to be encrypted, in base 10
    m_10 = 2689762632

    # here, given that two different keys were generated
    # by some agreed exchange method or by an Oracle
    # we can set the different keys as follows

    EDCHE.set_s1(588493041973359020484653389067273756278_45720941925403464800015970127452376225)
    EDCHE.set_s2(105328255942747013308835206991850438267_373271088477121573889453153966403260357)

    # message to be encrypted, in multivector form
    # packing a multivector using dynamic packing
    # refer to the document on Dynamic Packing for more details
    m1 = EDCHE::Tools.n_to_m(m_10)

    # cipher 1: encryption using the triple product
    c1 = EDCHE.encrypt(m1, :triple_product)

    # recovered message 1: decryption using the triple product
    rm1 = EDCHE.decrypt(c1, :triple_product)

    # packing m_10 again. Due to dynamic packing, it will be a
    # different multivector
    m2 = EDCHE::Tools.n_to_m(m_10)

    # cipher 2: encryption using the Sylvester's equation
    c2 = EDCHE.encrypt(m2, :sylvesters_equation)

    # recovered message 2: decryption using the Sylvester's equation
    rm2 = EDCHE.decrypt(c2, :sylvesters_equation)

    # Printing the outputs

    puts "\n\nEDCE EXAMPLE\n\n"
    puts "m_10 = #{m_10}"

    puts "Encryption using the triple product\n\n"
    puts "m1 = #{m1}"
    puts "c1 = #{c1}"
    puts "rm1 = #{rm1}\n\n"

    puts "Encryption using the Sylvester's equation\n\n"
    puts "m2 = #{m2}"
    puts "c2 = #{c2}"
    puts "rm2 = #{rm2}\n\n"