A MATHEMATICAL FRAMEWORK TOWARDS EFFICIENT CLIFFORD-BASED HOMOMORPHIC CRYPTOSYSTEMS USING P-ADIC NUMBERS

by

DAVID WILLIAM HONORIO ARAUJO DA SILVA

B.S.B.A., Universidade Potiguar (Brazil), 2012

M.S.C.S., University of Colorado Colorado Springs, 2017

A dissertation submitted to the Graduate Faculty of the

University of Colorado Colorado Springs

in partial fulfillment of the

requirements for the degree of

Doctor of Philosophy

Department of Computer Science

2020

© Copyright by David William Honorio Araujo da Silva 2020
All Rights Reserved

This dissertation for the Doctor of Philosophy degree by David William Honorio Araujo da Silva has been approved for the Department of Computer Science by

Edward C. Chow, Chair

Carlos Paz de Araujo

Chuan Yue

Sang-Yoon Chang

Philip Brown

Date: 30 November 2020

Honorio Araujo da Silva, David William (Ph.D., Engineering: Computer Science)

A Mathematical Framework Towards Efficient Clifford-Based Homomorphic Cryptosystems using p-adic Numbers

Dissertation directed by Professor Edward C. Chow

ABSTRACT

As we observe the advances in cryptography throughout history, we can see that cryptography needs to follow society's changes in general as society becomes more and more sophisticated. One critical example of this fact is that there was a time when having a message written in plain language was enough to hide information from uneducated soldiers. The next step was to apply simple replacements of letters in the message, which quickly evolved to more elaborate scrambling techniques. Indeed, until the late 20th century, cryptography was considered an art. Creativity was the single most crucial strategy when producing a new function. However, the advent of computers and the advances in cryptanalysis generated a demand for a science of data security. In the theory of cryptography, anything until the 1980s is considered classical cryptography. From the 1980s, modern definitions of security arose, and thus the cryptography studied and practiced from that time on is referred to as modern cryptography. However, society continues to evolve. New events might change modern definitions of security even further, as is the case, to cite a few examples, with the realization of large-scale quantum computers and an eventual default requirement for secure computation. If these two events became a reality today, many of the current cryptographic tools would be entirely or partially compromised. It seems to us that the pursuit of new ideas in cryptography must never end, as we must provide proper and timely answers to such changes in society as they occur. Our motivation starts by inquiring whether there are mathematical tools currently receiving little or no attention from the cryptographic community that could be instrumental in producing new, efficient, and further advantageous cryptographic constructions with the ability to address abrupt changes in the reality of cryptography such as quantum computers and secure computation. For this reason, we propose the use of finite-segment p-adic arithmetic (Hensel codes) and Clifford geometric algebra (GA) as the foundations for the construction of several homomorphic cryptographic tools such as somewhat homomorphic encryption schemes, key update and key exchange protocols, a hash algorithm, and homomorphic encryption for special applications including edge computing, homomorphic image processing, and distributed computation. We discuss the security characteristics of constructions based on Hensel codes and GA by examining a leveled fully homomorphic encryption scheme based on Hensel codes whose security is associated with the approximate-GCD problem, and an implementation of lattice-based cryptography with GA. We also introduce a mapping between arbitrary-dimensional vectors and matrices and multivectors, which allows us to replace vector and matrix algebra by GA in constructing quantum-resistant lattice-based cryptography. We demonstrate how to use Hensel codes and GA in isolation for cryptography and different ways of combining the two mathematical foundations in a single solution. Finally, we introduce a mapping between Hensel codes and multivectors in GA, which allows us to merge two algebraic structures into a single one. Our work is the first exposition of a family of cryptographic functions based on Hensel codes and GA, which we evolve from concrete examples of application-specific scenarios to an application-agnostic framework, where Hensel codes and GA are explored as a mathematical framework for the production of efficient general-purpose algorithms that can satisfy modern definitions of security and also stand as candidate solutions for the era of quantum-resistant cryptography and secure computation.

DEDICATION

This dissertation is dedicated to my wife Cimaria, my son Johnathan, my daughters Samara and Sarah, and my parents Janildo and Elisabete. I could never do or be anything without you all in my life. I love you all much more than I am able to describe.

ACKNOWLEDGEMENTS

I would like to thank God, first and foremost, and His Son Jesus Christ, for renewing in me every day the certainty that it is worthwhile to live a life with purpose and not to measure efforts in the search for what is good, perfect and pleasant, even in the midst of my many imperfections and limitations; Dr. Carlos Araujo for believing in me since day one, for teaching me that seeking the impossible is an honorable mission and for investing in my academic and professional growth; Dr. Edward Chow for being an encouraging advisor, for truly believing in the potential of my research and for keeping a supporting and positive attitude even when I faced some challenging circumstances through the course of my academic pursuit; Greg Jones for being a tireless source of inspiration, a constant helping hand and someone I can always count on; Dr. Sang-Yoon Chang for accepting being part of my committee, for demonstrating interest in my work and for providing feedback on how to improve my research; Dr. Philip Brown for accepting being part of my committee, for being eager to contribute with my research and for the significant collaboration in one publication; Dr. Chuan Yue for accepting being part of my committee. Hanes Oliveira, Jordan Pattee, and Bhagiradh Kantheti for being trench partners, research companions, for sharing moments of tension and relaxation, for helping in my research in many ways, and for being supportive in all situations; Marcelo Xavier for countless discussions on the most varied ideas, for investing time to understand my challenges in order to help me, and for always believing that the state of impossibility of the impossible is uncertain until proven otherwise. This dissertation would not have been possible without the valuable contribution of each one of you.

Table of Contents

CHAPTER

1 Introduction ...... 1
1.1 Motivation ...... 4
1.2 Contributions ...... 5
1.3 Two Important Related Work ...... 6
1.3.1 Clifford Geometric Algebra ...... 6
1.3.2 p-adic Numbers ...... 7

2 Research Questions, Metrics and Methodology ...... 10
2.1 General-Purpose Mathematical Framework ...... 10
2.2 Mathematical Framework Applied to Cryptography ...... 12
2.3 Metrics and Methodology ...... 13

3 Homomorphic Encryption ...... 16
3.1 Requirements ...... 18
3.2 HE Classes ...... 19
3.3 Key Contributions ...... 20
3.4 Conclusions ...... 26

4 p-Adic Numbers ...... 27
4.1 A Compact Tutorial ...... 27
4.1.1 Basic Definitions ...... 28
4.1.2 Finite-Segment p-adic Arithmetic ...... 28
4.2 Homomorphic Data Encoding ...... 36
4.2.1 Performance ...... 37
4.3 Encrypting Rational Numbers ...... 38

4.3.1 RSA with Rational Numbers ...... 40
4.4 Adding Randomness to Deterministic Algorithms ...... 42
4.4.1 Randomized RSA ...... 42
4.5 Pairing Functions ...... 45
4.5.1 p-adic Pairing ...... 46
4.6 Distributed Computation ...... 47
4.6.1 Description of the Scheme ...... 49
4.6.1.1 Security of the Scheme ...... 51
4.7 Conclusions ...... 52

5 Clifford Geometric Algebra ...... 54
5.1 A Compact Tutorial ...... 55
5.1.1 Basic Definitions ...... 55
5.1.2 Basic Definitions in G2 ...... 57
5.1.3 Basic Definitions in G3 ...... 59
5.2 A First Experiment Towards FHE Based on GA ...... 65
5.2.1 Auxiliary Algorithms ...... 65
5.2.2 The Main Construction ...... 67
5.2.3 Performance ...... 68
5.2.4 General Considerations ...... 70
5.3 A Framework for Homomorphic Image Processing ...... 70
5.3.1 Auxiliary Algorithms ...... 71
5.3.2 The Main Construction ...... 72
5.3.3 Homomorphic Image Processing ...... 73
5.3.4 Homomorphic Results ...... 75
5.3.5 Performance ...... 75
5.3.6 General Considerations ...... 77
5.4 Packing Schemes ...... 77
5.4.1 Multivector Packing Schemes ...... 78
5.4.2 Clifford Eigenvalue Packing Scheme ...... 78

5.4.3 Complex Magnitude Squared Packing Scheme ...... 79
5.5 Concealment Schemes ...... 81
5.5.1 Clifford Sylvester’s Equation Concealment (CSEC) ...... 82
5.5.2 Modular Concealment (MC) ...... 83
5.5.3 General Considerations ...... 84
5.6 Experimental Key Update ...... 85
5.6.1 HE Scheme ...... 85
5.6.2 Key Update Protocol ...... 86
5.6.3 Application ...... 86
5.6.4 General Considerations ...... 88
5.7 Further Cryptographic Experiments ...... 89
5.7.1 Auxiliary Algorithms ...... 89
5.7.2 Key Exchange Protocol ...... 91
5.7.3 Edge Computing Protocol ...... 93
5.7.4 Hash Algorithm ...... 94
5.7.5 Private-Key Encryption Scheme ...... 95
5.8 Conclusions ...... 97

6 Security with p-adic Numbers and GA ...... 98
6.1 Private-Key Leveled FHE Scheme ...... 98
6.2 Target Definitions ...... 99
6.2.1 The Concrete Construction ...... 101
6.3 Security ...... 103
6.3.1 Proof by Reduction ...... 104
6.3.2 Weaker Version of our Scheme ...... 108
6.3.3 Factorization Attacks ...... 109
6.3.3.1 Instance With One Prime ...... 109
6.3.3.2 Instance With Two Primes - Option 1 ...... 110
6.3.3.3 Instance With Two Primes - Option 2 ...... 112
6.3.3.4 Instance With Three Primes - Option 1 ...... 112

6.3.3.5 Instance With Three Primes - Option 2 ...... 112
6.3.3.6 Instance With Four Primes ...... 113
6.3.3.7 Instance With Five Primes ...... 114

6.3.4 Solving for p4 ...... 114
6.3.5 GCD of Two Numbers ...... 115
6.3.5.1 Continued Fractions ...... 115
6.3.5.2 Howgrave-Graham’s Lattice Attack ...... 116
6.3.6 Lattice Reduction for Approximate GCD of Multiple Numbers ...... 116
6.3.7 A Two-Stage Lattice Attack on the Weaker Construction ...... 117
6.3.8 Attacking the Stronger Construction ...... 118
6.3.8.1 Reviewing the Known Attacks ...... 119
6.3.8.2 Reviewing the Two-Stage Lattice Attack ...... 119
6.3.9 Proof of Security ...... 120
6.3.10 A Note on Size ...... 123
6.4 General Considerations ...... 124
6.5 GA and Lattice Cryptography ...... 125
6.5.1 Why Lattice is Used in Cryptography? ...... 126
6.5.2 Average-Case Hard Problems ...... 127
6.5.2.1 Short Integer Solutions ...... 127
6.6 GA and Matrices ...... 128
6.6.1 More on with Multivectors ...... 139
6.6.2 A First Lattice Problem ...... 140
6.6.3 Why Is This A Lattice Problem? ...... 141
6.6.4 A Lattice Trapdoor With GA ...... 142
6.6.5 Why Does our Lattice Implementation with GA Work? ...... 143
6.6.6 Learning With Errors ...... 144
6.7 Conclusions ...... 148

7 The Framework ...... 150
7.1 Hensel Codes and GA ...... 154

7.2 GA and Hensel Codes ...... 155
7.2.1 GA and Hensel Codes as a Single Data Structure ...... 155
7.3 How To Build Custom Schemes ...... 158
7.3.1 Short Integer Solution ...... 158
7.3.2 A Password Generation Application ...... 159
7.3.2.1 A Numerical Example ...... 161
7.3.2.2 Why A Password Generation Application with GA ...... 162
7.4 Conclusions ...... 164

8 Future Directions ...... 165
8.1 Additional Hard Problems with Hensel Codes ...... 165
8.2 GA Constructions in Higher Dimensions ...... 166
8.3 Quantum Encryption with GA ...... 166
8.4 Conclusions ...... 167

9 Conclusions 168

Bibliography 171

APPENDIX

A Installation and Usage Guides ...... 198
A.1 (Towards) FHE with CRT and GA ...... 199
A.2 Clifford Crypto ...... 199
A.3 Clifford GA Ruby ...... 199
A.4 Clifford SWHE and Key Update ...... 199
A.5 SWHE Image Encryption ...... 200
A.6 Multiple Secret Hensel Codes (MSH Code) ...... 200
A.7 p-adic Crypto Ruby ...... 200

B Highlights and Demonstrations ...... 201
B.1 (Towards) FHE with CRT and GA ...... 201

B.2 Clifford Crypto ...... 203
B.3 Clifford GA Ruby ...... 217
B.4 Clifford SWHE and Key Update ...... 227
B.5 SWHE Image Encryption ...... 235
B.6 Multiple Secret Hensel Codes (MSH Code) ...... 238
B.7 p-adic Crypto Ruby ...... 241
B.7.1 Hensel Code Base Functions ...... 241
B.7.2 Leveled FHE Scheme ...... 245
B.7.3 Homomorphic Distributed Computation ...... 248
B.7.4 Party Test ...... 252
B.7.5 Pairing Function ...... 253
B.7.6 Rational and Randomized RSA ...... 255

List of Tables

TABLE

3.1 Most noticeable homomorphic encryption libraries ...... 26

4.1 Performance results with λ = 1024 ...... 39
4.2 Performance results with λ = 2048 ...... 39
4.3 Setup algorithm in Python 3 ...... 39

5.1 Multiplication table in G2 ...... 59
5.2 Multiplication table in G3 ...... 62
5.3 Experiment run with m = 8, γ = 4, λ = 128 bits ...... 68
5.4 Experiment run with m = 8, γ = 4, λ = 256 bits ...... 68
5.5 Experiment run with m = 8, γ = 4, λ = 512 bits ...... 69
5.6 Performance for m = 8, γ = 8, λ = 128 bits ...... 77

6.1 Bit length of elements of interest ...... 120
6.2 Similarities and differences between our leveled FHE scheme and the DGHV scheme ...... 124

7.1 Basic Hensel codes functions ...... 151
7.2 Basic GA functions ...... 151
7.3 Constructions based on Hensel codes ...... 151
7.4 Constructions based on GA ...... 152

List of Figures

FIGURE

3.1 A FHE Timeline...... 21

4.1 Encoding ...... 37
4.2 Decoding ...... 38

5.1 Homomorphic Image Processing Architecture ...... 75
5.2 Original Einstein and Monalisa pictures ...... 76
5.3 Decrease and increase brightness ...... 76
5.4 Merge and mask ...... 76
5.5 Contrast stretching and logical not ...... 76
5.6 Pixel Packing ...... 76

6.1 Indistinguishability experiment for pseudorandom function ...... 105
6.2 A as a subroutine of B ...... 106
6.3 Growth comparison of matrix and the associated multivector multiplication ...... 137

7.1 Overview of abstract model of homomorphic applications...... 153

CHAPTER 1

Introduction

It is 2020. Why would one be concerned or even interested in constructing a new cryptographic tool? After all, if one needs public-key cryptography and digital signature algorithms, we have the encryption scheme introduced by Rivest, Shamir, and Adleman (RSA) [1], which was proposed in 1978 and to this date continues to be a relevant cryptographic asset in the industry. The same can be said about another type of public-key cryptographic protocol, with which one can securely exchange secret keys over an insecure channel, namely, the Diffie-Hellman key exchange protocol [2]. One might also resort to the Elliptic Curve Digital Signature Algorithm (ECDSA) [3] and Elliptic Curve Diffie-Hellman (ECDH) [4]. For private-key encryption, we have the Advanced Encryption Standard (AES) [5], and for secure hashing algorithms, we have SHA-2 and SHA-3 [6]. With respect to all the aforementioned cryptographic solutions, there are no known efficient attacks that run on any currently existing machine [7–10]. Many of the most crucial communication protocols rely on functionalities implemented using RSA, elliptic curve cryptosystems, and the Diffie-Hellman key exchange [11]. Again, why would anyone care to produce yet another cryptographic tool, especially one that supposedly does the “same thing” that the ones previously mentioned do? In the absence of a compelling reason, no other public-key encryption scheme, digital signature algorithm, key exchange protocol, private-key encryption scheme, or secure hash algorithm would ever be needed. The question then becomes whether there are any compelling reasons to justify the proposal of new cryptographic tools. In a report on post-quantum cryptography released by the National Institute of Standards and Technology (NIST) in 2016 [11], Chen et al. remark that most of the current public-key cryptographic solutions rely on problems that can be broken by polynomial-time algorithms for solving the integer factorization and discrete logarithm problems on a quantum computer. Such algorithms were introduced by Peter Shor in the 1990s [12, 13].

A quantum computer is a particular type of machine that can perform computations based on quantum phenomena such as superposition and entanglement [14], which allows efficient solutions for some computational problems, as is the case for integer factorization and the discrete logarithm, as well as other problems in number theory, physics simulation, and topology [11]. Chen et al. remark that, after Shor's work, the advent of large-scale quantum computers will compromise the public-key cryptographic tools mentioned above. Private-key encryption solutions such as AES are not immune to the impacts of eventual large-scale quantum computers either, since there are some recorded speedups for solving problems related to searching, collision finding, and evaluation of Boolean formulae. As in the particular case of Grover's search algorithm [15], such speedups would require some adaptation of specific private-key encryption solutions, such as larger keys for AES, in order to remain secure. Even secure hashing algorithms such as SHA-2 and SHA-3 would require larger outputs [11]. Thus it is clear that the realization of large-scale quantum computers is an event that can dramatically change our needs concerning cryptography. If/when such an event occurs, then the answer to the question previously asked is yes: if large-scale quantum computers become a reality, then we need new cryptographic solutions that are resilient against known quantum algorithms, which is commonly referred to as quantum-resistant or post-quantum cryptography (PQC) [11, 16–21]. In fact, NIST has an active group (NIST PQC) working on standards for post-quantum cryptography [22]. Another event has the potential of changing the cryptographic world even further, which is the requirement for secure computation. Secure computation can be informally defined as the ability to perform some meaningful computation on encrypted data without prior decryption.
In 1978, Rivest, Shamir, and Adleman proposed the following question: “Can two potentially dishonest players play a fair game of poker without using any cards (e.g., over the phone)?” [23]. Their conclusion was that such a challenge would only be possible using an encryption scheme that satisfied certain requirements such as commutativity and asymmetry, and they introduced a complete protocol with which it would be possible to play a game of mental poker. In 1982, Andrew Yao proposed yet another challenge: “Two millionaires wish to know who is richer; however, they do not want to find out inadvertently any additional information about each other's wealth. How can they carry out such a conversation?” [24]. Yao then proposes a secure two-party computation protocol to solve this problem, which was later generalized into secure multi-party computation protocols [25–28]. Even before Yao introduced his problem, an apparently more challenging task was first discussed by Rivest, Adleman, and Dertouzos in 1978: the ability to compute arbitrary functions on encrypted data was considered possible [29]. What kind of functions would be computed on encrypted data? Gentry remarks that such a type of encryption scheme would not impose any limitation on what type of computation could be performed on encrypted data [30]. Such a type of encryption is referred to as fully homomorphic encryption (FHE), and in 2009 Gentry proposed the first realization of an FHE scheme [31, 32]. More generally, homomorphic encryption (HE) encompasses classes of encryption schemes that allow the evaluation of some set of functions on encrypted data. An active group comprising members of industry, academia, and government is working towards a homomorphic encryption community standard [33]. Suppose one day the ability to perform secure computation becomes a requirement for any secure algorithm or system; then most prominent security solutions currently in use will be impacted, and new algorithms must be provided to support the new reality. We discussed two events that, if they come to pass, can provoke a range of profound impacts on today's cryptographic tools, from rendering some solutions obsolete to requiring significant changes in their configurations. If these two events are considered together, then most of today's encryption schemes would be compromised. Therefore, it seems safe to assume that there are events, such as the ones we discussed above, that have the potential of changing our perspective with respect to what is necessary for cryptography.
Such events might create new requirements, making current solutions partially or entirely obsolete, which immediately creates the need for new solutions. It also seems reasonable to consider that other events might arise in the near future, and thus the ability to respond properly and in a timely manner to those events should be cultivated.


1.1 Motivation

Until the late 20th century, cryptography was considered an art as opposed to a science. Another important distinction is the one between classical cryptography (prior to the 1980s) and modern cryptography. The latter applies well-established security definitions that constitute the goals of modern cryptographic constructions [34]. However, as we discussed in the previous section, other events can impact existing solutions even in modern cryptography. As an example, imagine a scenario where every encryption scheme must produce a compressed ciphertext while still preserving the existing security properties. Such an event would demand modifications to current encryption functions and the proposal of new ones. Furthermore, it seems reasonable to consider that society will continue to advance in sophistication, which can change the cryptographic landscape even further. For this reason, it seems that being limited to the knowledge of how specific cryptographic constructions work and of what general requirements must currently be fulfilled in modern cryptography might not be enough to respond appropriately to new threats as new events emerge. We therefore see a necessity for the proactive inspection of new avenues in mathematics with the goal of expanding our cryptographic tool belt. Even before focusing on particular cryptographic constructions, we deem it necessary to first dive into an open-minded mathematical exploration for the sake of mathematics. As Mateus et al. remarked (and we firmly agree), cryptography is all about mathematics [35]. This exploration can shine a light on new ways of addressing old and new problems. These new ways can serve as an advantage from several different perspectives, including improvements in performance, better memory use for storage, compactness of algorithms, and simplification of language and notation, which favors readability and analysis. Even if we achieve only one of these benefits, our mathematical quest would be rewarding and justified. We also consider that the design of new cryptographic tools must be exercised to satisfy well-established security notions or address emerging security needs. The combination of new mathematical resources and insights and the practice of applying them to solve old and new problems might favor a faster and more efficient response to the uncertainty of the future with respect to cryptography.


1.2 Contributions

In this work, we showcase two mathematical resources of interest, Clifford geometric algebra and the finite segment of the p-adic numbers, in which we find a source of functionalities and properties that we believe can be not only useful but also advantageous for cryptography in a wide variety of scenarios. We provide condensed tutorials, which we aim to be sufficient to appreciate the examples we propose. We hope that this mathematical parade can serve as an objective illustration of these mathematical resources' practical applications to cryptography and as an inspiration for other researchers to explore and implement opportunities that we did not cover. In practical terms, we aim to address the need for secure computation and the construction of homomorphic cryptographic tools. We detail our approach towards this challenge. We aim to derive concrete constructions and a general approach towards homomorphic cryptographic tools so that we can organize them as a framework for arbitrary homomorphic solutions. The remainder of this work is organized as follows: in Chapter 2, we introduce the research questions that drive the efforts of this work together with a discussion of the associated strategy, goals, and results. In Chapter 3, we review the most important properties, facts, and definitions in the theory of homomorphic encryption, in particular those directly associated with this work. In Chapter 4, we review the basics of p-adic numbers with emphasis on their finite segment, namely Hensel codes, together with a detailed discussion of how we explore Hensel codes as a cryptographic primitive. We introduce several concrete constructions and their fitness for applications in the real world. In Chapter 5, we review the basics of Clifford geometric algebra and its applications to cryptography through the description and analysis of several concrete constructions.
In both Chapters 4 and 5, we focus on showcasing mathematics as a rewarding alternative for constructing some well-known cryptographic tools. Indeed, we emphasize functionality, while security is only briefly and rather informally discussed. It is in Chapter 6 that we dedicate special attention to our leading concrete construction based on p-adic numbers, a private-key leveled FHE scheme. We formally discuss our construction's security, and we compare it with some other encryption schemes that explore the same underlying computationally hard problem. We also introduce a new way of implementing lattice cryptography based on GA. In Chapter 7, we propose a framework for developing homomorphic applications using the tools discussed in previous chapters to derive custom ideas using similar strategies. In Chapter 8, we propose some future directions for our research as well as indications of how we believe our work can contribute to other research. In Chapter 9 we present the conclusions.

1.3 Two Important Related Work

Our view of the related work for both Clifford geometric algebra and p-adic numbers is somewhat general, but it is mostly concerned with applications directly or indirectly related to cryptography.

1.3.1 Clifford Geometric Algebra

Clifford geometric algebra (GA) is named after its proponent, William Kingdon Clifford [36]. In 1878, Clifford introduced a new product, namely the geometric product, which unifies the algebras of Grassmann [37] and Hamilton [38]. GA was mostly studied in theoretical mathematics until David Hestenes proposed the use of GA as a language and a framework for the development of a multitude of applications in physics and engineering [39]. Fast forward to the current era, Hildebrand [40] highlights the benefits of investing in Clifford geometric algebra as a computing tool, as it can be directly integrated with standard programming languages to achieve compactness of algorithms and implicit use of parallelism, among other advantages, which result in higher run-time performance and robustness [41, 42]. The Clifford Multivector Toolbox for Matlab, by Sangwine and Hitzer [43], is a practical instance of GA computing, which can also be used to test some of the results that we present in this work. Dorst et al. discuss the object-oriented approach to geometry and the peculiarities of GA from a computer science standpoint in [44–46], where the use of vectors as a more general modeling tool (and not only as a way to represent geometric aspects) and the ability to compute within subspaces of a multivector are approached in detail. This manuscript considers several multivector decompositions, their relationship with complex arithmetic, and the evaluation of eigenvalues, in line with the contributions of Josipović [47].


Rockwood et al. [48] propose a method that encodes input data so that the structure of objects and their behavior can be modeled. Carré et al. [49] demonstrated how to apply GA to encode and process color transformations of images. Augello et al. [50] found that Clifford rotors could be used to encode sentences from natural languages through rotations of the orthogonal of a semantic space, which was revealed to be more efficient than natural language representation via vectors in high-dimensional spaces. Majumdar [51] also explored GA for data encoding using sub-symbolic codes in order to provide new methods for searching, indexing, clustering, translation, and other data transformations. The application of GA as an approach towards fully homomorphic encryption is introduced in [52]. Based on similar ideas, a homomorphic image processing application based on GA is demonstrated in [53]. The experimental homomorphic primitives based on multivector objects enable the construction of additional protocols such as key exchange and key update, as discussed in [54]. To the best of our knowledge, this work is the first proposition of general-purpose methods for both data representation and data concealment based on GA. To this date and to the best of our knowledge, Clifford geometric algebra has not been directly applied to cryptography as a main mathematical resource by the crypto community. Carlos Paz de Araujo was the first to propose the use of Clifford geometric algebra as a cryptographic resource [55], which led to our preliminary investigation of homomorphic encryption based on Clifford geometric algebra [56], followed by several illustrations of prospective applications [57–59]. In order to provide a detailed discussion of the utility of Clifford geometric algebra to cryptography, covering homomorphic mappings, data representation, and encoding techniques, we have demonstrated several experimental concrete constructions [52–54, 60–62]. We have not yet, however, provided an in-depth discussion of the security properties of such constructions. For this reason, we include a discussion of how GA can be used to implement lattice-based cryptography for the production of quantum-resistant encryption schemes.

1.3.2 p-adic Numbers

In 1817, Kurt Hensel introduced the p-adic number theory [63], and since then it has been studied as part of number theory [64–66]; however, it was only in the 1970s and 1980s that this branch of mathematics gained traction, due to the work of Krishnamurthy, Rao, and Subramanian [67, 68] and Alparslan [69], who found that the finite segment of the p-adic arithmetic was an efficient solution for error-free computation. During this period, other researchers became interested in error-free computation via p-adic numbers and helped to consolidate the theory of finite-segment p-adic numbers for practical applications in several areas of physics, engineering, and computer science. The subject rapidly advanced with the contributions of Gregory [70, 71], Beiser [72], Farinmade [73], Hehner and Horspool [74, 75], Lewis [76], among others. The practical implications of working with the finite p-adic arithmetic for error-free computation were so vast that Rao remarks in [77] that one would not need to have a complete understanding of the theoretical aspects of p-adic numbers in order to work with its finite segment, since the theory of the finite-segment p-adic numbers had become a well-organized and nearly self-sufficient subset of the theory of p-adic numbers. Krishnamurthy, Rao, and Subramanian named the finite-segment p-adic numbers Hensel codes [67]. Alongside error-free computation, p-adic numbers have been successfully applied to computation in general [73, 78–86]. The theory of p-adic numbers is currently present in many other theories, including the theory of dynamical systems, theoretical physics, number theory, algebraic geometry, non-Archimedean analysis [87], differential calculus [88], topology [89, 90], and analytic functions [91, 92]. We want to highlight some relevant use cases of p-adic numbers in cryptography. In 1986, Gorgui-Naguib discussed the study of p-adic number theory for constructing public-key cryptosystems by combining the ideas in RSA and the Diffie-Hellman key exchange, thus exploring the prime factorization and discrete logarithm problems [93]. Gadiyar discussed a p-adic approach to the discrete logarithm problem in [94].
Anashin discusses uniformly distributed sequences of p-adic integers [95], particularly useful for constructing pseudorandom-number generators (PRNGs). Several PRNGs have been proposed based on p-adic arithmetic [96–102]. Those familiar with ECC should also be familiar with the basics of p-adic numbers. Xu et al. introduce an elliptic curve cryptosystem that is based on groups of rational points on elliptic curves defined over p-adic number fields [103]. Satoh demonstrates efficient algorithms for replacing rational point counting by p-adic point counting for elliptic curves [104]. Blake, Seroussi, and Smart discuss an attack to solve the elliptic curve discrete logarithm problem by exploring elliptic curves defined over the p-adic numbers [105]. Cohen et al. provide an overview of p-adic numbers and their arithmetic and demonstrate the practical use of p-adic methods for elliptic and hyperelliptic curves [106]. In 1998, Takagi introduced a modified version of RSA by calculating the public modulus so that one of its factors was a p-adic expansion, in order to provide a more efficient decryption algorithm [107], which was later generalized to the product of two p-adic expansions [108]. The cryptanalysis of such schemes is offered by [109], where it is shown that the decisions that lead to greater efficiency of decryption algorithms might also take into consideration the potential efficiency of some attacks, such as Wiener's continued fractions and the Boneh-Durfee method. Sometimes p-adic methods appear as a portion of cryptosystems or attacks, as in the case of Coron, Naccache, and Stern, who propose an attack against RSA signatures in which p-adic expansions are analyzed in order to find shortest vectors. At other times, the special properties of the p-adic numbers are more fundamental to the discussion, as in Catalano, Nguyen, and Stern [110], who remark that in number theory many problems can be solved by first examining the problem modulo a small prime number p and then computing the Hensel lifting, a technique in p-adic number theory that maps solutions modulo p into solutions modulo p^r for arbitrary positive values of r. In that work, the complexity of solving the factorization and the discrete logarithm problems using Hensel lifting is analyzed. Recently, p-adic numbers have been demonstrated in cryptography either as a component of cryptographic solutions [52–54] or as the unique structure for privacy-preserving encoding schemes [111].
We believe that the aforementioned cases and many others [112–116] represent a diverse body of evidence of the richness and usefulness of p-adic numbers. We hope to further demonstrate the applicability of p-adic numbers to cryptography, as we believe that p-adic numbers can be further researched and explored as their own branch of cryptography.

CHAPTER 2

Research Questions, Metrics and Methodology

In Chapter 1, we discussed the existence of imminent events with the potential to dramatically change how cryptography is implemented and used today. We also discussed the importance of investigating mathematical resources that are commonly not present in mainstream cryptographic constructions. We highlighted our choice of GA and p-adic numbers for their overall mathematical richness, which serve as our candidate tools for new cryptographic solutions. In this chapter, we introduce the research questions we are driven by, how we expect to answer them, and how we intend to verify our results as we organize this process in the form of a methodology.

2.1 General-Purpose Mathematical Framework

We start our investigation with the following question:

Research Question 1. Is it possible to construct a flexible mathematical system in the form of a framework through which many general-purpose homomorphic algorithms can be produced efficiently?

If we have any hope of answering Research Question 1, we need to break it down into smaller parts: essentially, what do we mean by “framework", “mathematical system", “homomorphic cryptographic solutions", and “efficient way"? Additionally, notice that Research Question 1 is not particularly focusing on cryptographic algorithms. Instead, it focuses on “general-purpose homomorphic algorithms". Why is this important? We aim to show that cryptographic algorithms are composed of several general-purpose elements: subroutines that are common to many other applications, not just cryptography. Probably the greatest example of this type of subroutine is data encoding. Generally speaking, before working with data, we need to make sure that the data is in a certain given format, which might be convenient or required for further operations, depending on the type of application. Using this example, Research Question 1 includes investigating the use of GA and p-adic numbers for constructing general-purpose data representation and encoding: not just any type of representation or encoding, but specifically homomorphic ones. We refer to “framework" and “mathematical system" in light of the notions introduced by Hestenes in [39]. In that work, Anthony Lasenby remarks that the mathematical resources used to construct solutions are mathematical languages, and that when these languages are used in a structured way in order to produce practical applications, we then have a mathematical system or a framework. Lasenby recalls that some mathematical languages in physics and engineering are disparate, and so are the mathematical systems produced by them. Lasenby further remarks that GA is a mathematical language that can unify otherwise disparate concepts in physics and engineering, with which we can produce similarly unified mathematical systems. In other words, GA can be applied as both a mathematical language and a mathematical system in many areas of engineering, robotics, and computer science, with no changes whatsoever in the language and in the system, since it works as the very same underlying mathematics in all of these areas. The practical implication of this phenomenon is that GA enables physicists to understand topics in engineering, as well as engineers to understand topics in physics. Lasenby remarks that the unification of concepts of several different areas via GA is done in such a way that “no other single mathematical system could hope to make possible."
Our second mathematical resource of choice also has properties that can help us in building general-purpose homomorphic algorithms. The theory of p-adic numbers is commonly referred to as a theory of representation [117–120], where the most significant example is the representation of rational numbers as integers, with which one can replace the costly arithmetic over rational numbers by the efficient arithmetic over the integers, without loss. This ability gave birth to the field of error-free computation via p-adic numbers [68, 121–124]. We will show that this representation can be isomorphic, and we will explore this feature in order to produce homomorphic mappings.
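The representation just described, rationals as integers via finite-segment p-adic numbers (Hensel codes), as an added example that is not code from the dissertation: a rational a/b is encoded as a·b^(-1) mod p^r, the arithmetic runs entirely over the integers modulo p^r, and the exact rational is recovered by rational reconstruction. The choice p = 5 with r = 4 and r = 6 is an assumption made for illustration; the last function also shows what happens when p^r is sized too small for the result.

```python
"""Finite-segment p-adic arithmetic (Hensel codes) on rationals.

Added example; not code from the dissertation. A rational a/b with
gcd(b, p) = 1 is encoded as the integer a * b^(-1) mod p^r, all arithmetic
is then done on integers modulo p^r, and the exact rational is recovered by
rational reconstruction (extended Euclid), which is unique whenever
|a| and b are both at most N = floor(sqrt((p^r - 1) / 2)).
"""
from fractions import Fraction
from math import gcd, isqrt


def hensel_bound(p: int, r: int) -> int:
    """Largest |numerator| and denominator that decode uniquely from Z/p^r Z."""
    return isqrt((p ** r - 1) // 2)


def hensel_encode(num: int, den: int, p: int, r: int) -> int:
    """Map num/den to num * den^(-1) mod p^r (the order-r Hensel code)."""
    m = p ** r
    if gcd(den, p) != 1:
        raise ValueError("denominator must be coprime to p")
    return (num * pow(den, -1, m)) % m


def hensel_decode(h: int, p: int, r: int) -> Fraction:
    """Recover a/b from h = a * b^(-1) mod p^r.

    Runs the extended Euclidean algorithm on (p^r, h), tracking for each
    remainder r_i the coefficient t_i with r_i = s_i * p^r + t_i * h, so that
    r_i = t_i * h (mod p^r). The first remainder not exceeding the bound N
    gives a = r_i and b = t_i (Wang's rational reconstruction).
    """
    m = p ** r
    n = hensel_bound(p, r)
    r0, r1 = m, h % m
    t0, t1 = 0, 1
    while r1 > n:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if abs(t1) > n or gcd(r1, t1) != 1:
        # the encoded rational lies outside the representable range
        raise ValueError("value outside the range of this Hensel code")
    return Fraction(r1, t1)  # Fraction normalises the sign of t1


def hensel_arith_demo(p: int = 5, r: int = 6) -> Fraction:
    """Compute (2/3 + 1/4) * 5/7 using only integer arithmetic mod p^r.

    With p^r = 15625 the bound is N = 88, so the exact answer 55/84 is
    representable and is recovered without any rounding error.
    """
    m = p ** r
    hx = hensel_encode(2, 3, p, r)
    hy = hensel_encode(1, 4, p, r)
    hz = hensel_encode(5, 7, p, r)
    h = ((hx + hy) * hz) % m     # ring operations on integers only
    return hensel_decode(h, p, r)


def undersized_demo(p: int = 5, r: int = 4) -> bool:
    """Same computation with p^r = 625 (N = 17): 55/84 no longer fits.

    Returns True when the decoder either raises or yields a different
    rational, i.e. the silent failure a practitioner must size p^r against.
    """
    m = p ** r
    h = ((hensel_encode(2, 3, p, r) + hensel_encode(1, 4, p, r))
         * hensel_encode(5, 7, p, r)) % m
    try:
        got = hensel_decode(h, p, r)
    except ValueError:
        return True
    return got != Fraction(55, 84)
```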

2.2 Mathematical Framework Applied to Cryptography

With general-purpose routines established, such as the ones for data encoding, could we use the same mathematical language and system to construct cryptographic tools? More specifically, can we repeat the successful application of GA and p-adic numbers in physics and engineering in cryptography? From now on, we use the term “framework" to refer to a mathematical language together with a mathematical system built upon GA and/or p-adic numbers. Thus we rephrase our question as follows:

Research Question 2. Can this framework be successfully applied to cryptography as it is in engineering and physics?

This question can also be broken down into smaller parts: the idea of successfully applying our framework to cryptography is a challenge by itself, and the notion of success, in this case, comes from cryptography; that is, cryptography has its own requirements, and if we can satisfy them, then we would consider this application successful. However, we want to investigate if we can be as successful as other applications of GA and p-adic numbers are in other areas of science. As previously mentioned, GA has been successfully applied in many applications in physics and engineering [41, 42, 125, 126], which is contributing to a growing interest in the computational aspects of Clifford GA [40, 42, 44, 46, 127–131]. Hildenbrand in [40] highlights that the unification of many mathematical systems into an easy-to-understand mathematical framework serves as an extension of standard programming languages while enabling compact algorithms that can run in parallel, yielding high runtime performance and robustness. Similarly, p-adic numbers have been successfully applied in several areas of physics and engineering [67, 70–92], contributing benefits such as an increase in runtime performance and error-free computation. We want to investigate GA and p-adic numbers applied to cryptography, first in isolation, that is, applying GA only and then applying p-adic numbers only, and then experiment on and evaluate the combination of these two resources.

Research Question 3. Could such a framework help to simplify the complexity commonly associated with homomorphic encryption, allowing the implementation of constructions that are easier to understand?

We aim to construct algorithms that are compact (both mathematical and algorithmic descriptions are reasonably small) and easy to read, to understand, and to analyze. Obviously, they must also be simple to implement and to maintain. If we think about an abstract way to construct algorithms via our proposed framework, ideally without necessarily thinking of GA and p-adic numbers, then we can think of some type of domain-specific language (DSL) for generating cryptographic algorithms. More specifically:

Research Question 4. Is it possible to use GA as an extension of classical programming languages for implementing cryptographic algorithms?

A significant barrier for homomorphic encryption, in general, is performance. This could easily qualify as the single most important barrier to the broader adoption of homomorphic encryption. For this reason, we want to investigate the following:

Research Question 5. Will an FHE scheme implemented with GA and Hensel codes benefit from the overall improvement in runtime performance that has been demonstrated in other fields?

Last but not least, we want to investigate if GA and p-adic numbers are viable candidates from the computational security standpoint.

Research Question 6. Is it possible to explore GA and p-adic numbers for security purposes in association with a well-known computationally hard problem while still achieving satisfactory levels of performance?

2.3 Metrics and Methodology

We aim to address each research question according to its own context. However, a general approach in the attempt to confirm all of them is to introduce an associated concrete algorithm. For Research Question 1, we target demonstrating homomorphic data encoding algorithms that could be incorporated as a subroutine into any other algorithm that could leverage them. For Research Question 2, we target concrete algorithms in which we can demonstrate improvements in at least one of the following:

• Performance,

• Exact computation,

• Input space (allowing a broader range in the input than usual),

• Randomization (adding randomization to deterministic algorithms),

• Compactness.

The more benefits we achieve, the better. However, even a single one of the above improvements would represent a significant contribution of our framework to cryptography. For Research Question 3, we also focus on a concrete algorithm to serve as an illustration of reduced complexity for reading and analyzing a homomorphic encryption scheme. However, this question involves a significant amount of subjectivity. After all, how does one measure the complexity of reading or analyzing a scheme? We will demonstrate concrete examples, and we will philosophically defend our stance. For Research Question 4, we target a set of concrete algorithms which one can use as the underlying tool for building arbitrary schemes. In this sense, it would serve the purpose of a DSL for cryptographic algorithms. Research Question 5 is closely related to how we aim to address Research Question 4. This time we are solely concerned with efficiency. To keep the discussion as broad as possible, and when analyzing a standalone instance, by “efficient" we mean running in polynomial time. For Research Question 6, we target constructing an encryption scheme for which we can reduce an attack that breaks the scheme to an algorithm that solves a well-known computationally hard problem. We plan to answer all research questions with concrete examples. We are investigating the existence of instances of algorithms that satisfy specific properties or meet certain expectations. Thus, the existence of an algorithm that meets a particular set of expectations is proof that the problem can be solved algorithmically [132].


Our approach consists of answering each research question at a time, in no particular order, using GA and p-adic numbers, both in isolation and together. By the conclusion of this work, we want to have shown individual examples that answer the research questions and a single instance that can address all research questions at once.

CHAPTER 3

Homomorphic Encryption

In this chapter, we aim to review the basics of homomorphic encryption theory as a preparation for the following chapters. We will discuss several different approaches towards concrete homomorphic encryption schemes and some other related algorithms. Since we will only introduce private-key encryption components, our review will focus on the aspects of private-key homomorphic encryption as well. We conclude this chapter by discussing some critical works in the ongoing history of homomorphic encryption.

From the time homomorphic encryption (HE) was initially proposed [29] to the present, over 40 years of research advances have been demonstrated towards general-purpose practical applications of meaningful computation over encrypted data. Since the beginning, the target was always the ability of unlimited secure computation, a property that is captured by the notion of fully homomorphic encryption (FHE). It seems safe to assume that the HE timeline can be divided into before and after FHE, with the first concrete FHE scheme proposed by Gentry in 2009 [31, 32]. However, HE has been described in many different scenarios and for several different purposes, which gives rise to distinct classes of HE schemes. In general, a HE scheme is composed of the standard cryptographic algorithms Gen, Enc, and Dec, and an additional algorithm Eval, which is responsible for evaluating functions on encrypted data. Gentry introduced a FHE scheme with which one can compute all functions over encrypted data an unlimited number of times. Gentry first constructed a somewhat homomorphic encryption (SWHE) scheme and then transformed it into a FHE scheme via a remarkable technique called bootstrapping, a process that involves a type of recryption of an existing ciphertext (generating a new “double encrypted" ciphertext) followed by the evaluation of an augmented version of the scheme's own decryption circuit. This process corresponds to a homomorphic decryption of the inner encryption (using the encrypted secret key). Such a technique reduces the noise that is propagated at every homomorphic evaluation, in particular during multiplication. Bootstrapping can then be described as a noise reduction technique that brings the noise of an evaluated ciphertext (output by Eval) to a level that is compatible with the noise of a fresh ciphertext (output by Enc), which enables an unlimited number of computations on encrypted data. Gentry and Halevi introduced a working implementation of a variant of Gentry's original scheme while adding several optimizations [133], a work somewhat similar to the preceding implementation by Smart and Vercauteren [134]. Several other schemes followed some variation of Gentry's strategy [134–137]. Currently, many libraries [138–146] are mostly based on lattices and the Ring Learning With Errors (RLWE) problem, implementing one or both of the schemes known as BGV [147] and B/FV [148, 149]. Brakerski remarks that constructing a FHE scheme directly is sometimes not feasible due to security and functionality overhead [150]. In such a case, the construction of a leveled FHE scheme is sufficient for some applications. A leveled FHE scheme is a scheme that, given an additional parameter 1^d, evaluates all circuits with depth up to d. Brakerski also remarks that leveled FHE schemes can sometimes be promoted to a standard FHE scheme via bootstrapping, usually at the expense of efficiency and security assumptions. Homomorphic encryption is described as the ability of meaningfully computing on encrypted data [30]. What is computed and how computation takes place, together, determine the classes in which HE schemes are organized.
As we discuss definitions and properties in HE, we fix a private-key HE scheme Π = (Gen, Enc, Dec, Eval), where Gen, Enc, and Dec denote the key-generation, encryption, and decryption algorithms, and Eval denotes an algorithm that evaluates functions/circuits over encrypted data. For now, we consider the following algorithm signatures: the key-generation algorithm as (sk, evk) ← Gen(1^λ), the encryption algorithm as c ← Enc(sk, m), the decryption algorithm as m ← Dec(sk, c), and the evaluation algorithm as c ← Eval(evk, C, (c_1, …, c_t)).


3.1 Requirements

Gentry describes HE as a technology that aims to promote delegation, which is the separation of data processing from data access [30]. Overall, delegation is only useful if convenience meets privacy, and secure homomorphic evaluation of encrypted data materializes it. When key owners successfully delegate homomorphic evaluation, they benefit from a reduction in data workload. Delegation must observe some requirements, as discussed below.

Definition 3.1.0.1. (Correctness) For all keys output by Gen and all messages taken as input by Enc, Π is said to be correct if the decryption of all ciphertexts output by Enc and the decryption of all homomorphic evaluations are correct.

When we say that Π accepts some functions, we mean that Π evaluates those functions and correctly decrypts their result. It is clear that if any delegation attempt fails correctness, the delegation itself is useless. However, delegation alone is not enough. Suppose the key owner outsources the evaluation of some highly complex function on encrypted data for which the decryption also involves a complexity significantly higher than decrypting fresh ciphertexts. In that case, the delegation attempt defeats the purpose of workload reduction. For this reason, any successful delegation must satisfy the compactness requirement.

Definition 3.1.0.2. (Compactness) Given a ciphertext c_2 output by Eval and a ciphertext c_1 output by Enc, Π is said to be compact if the computational time for decrypting c_2 is the same as that for decrypting c_1, and c_2 and c_1 are of the same size.

Delegation might as well take into consideration the interests of the outsourcee (the third party). Brakerski remarks that delegation might involve proprietary algorithms, in which case the key owner should not know anything about the functions homomorphically evaluated [150]. This is captured by the circuit privacy requirement, according to which no one should learn anything about an evaluated function from a ciphertext output by that function except the value of the function itself.

Definition 3.1.0.3. (Circuit Privacy) Π is said to be circuit-private if the distribution of ciphertexts output by Enc and the distribution of ciphertexts output by Eval are indistinguishable.


With the fundamental delegation requirements in mind, we can now discuss the classification of HE schemes.

3.2 HE Classes

For FHE’s particular case, Gentry remarks that there should not be any limitation as to which type of computation can be performed on encrypted data, nor the number of times those computations occur. We can capture this description using the HE requirements previously discussed.

Definition 3.2.0.1. (FHE) Π is a FHE scheme if it is correct, compact, and circuit-private for all functions.

Another way to say “correct for all functions" is “accepts all functions". The property of unlimited computations on encrypted data is implied in “all functions" since we refer to circuits of any size and depth. We can now discuss other HE classes by “downgrading" a FHE scheme. Instead of accepting all circuits indefinitely, we now consider that Π accepts all circuits up to depth d while still satisfying correctness, compactness, and circuit privacy. Such a scheme is a leveled FHE scheme.

Definition 3.2.0.2. (Leveled FHE) Π is said to be a leveled FHE scheme if Π takes an additional parameter 1^d as an argument and Π accepts all circuits with depth at most d, and it is correct, compact, and circuit-private.

Now we consider the case where Π can only accept a limited set of functions such that no function is too complex [30]. In this scenario Π can only evaluate low-degree polynomials [147] for a limited number of times [134]. Such a scheme is a SWHE scheme.

Definition 3.2.0.3. (SWHE) Π is said to be a SWHE scheme if Π only accepts circuits of low complexity for a limited number of times, and it is correct and circuit-private.

The correctness and circuit privacy requirements still hold for a SWHE scheme since the violation of any of these compromises the interests of the key owner and the outsourcee.


However, compactness is not required [151], which is reasonable since homomorphic evaluations only consider circuits of low complexity. Here we consider any other more restricted scheme (with respect to which circuits are accepted) as a type of SWHE.
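The noise growth and depth bound behind the leveled FHE and SWHE classes above, as an added example that is not code from the dissertation: a toy symmetric scheme following the "FHE over the integers" blueprint cited in this chapter, with parameters chosen for illustration only (not a secure instantiation), in which additions add the noise terms, multiplications multiply them, and decryption is correct exactly while the noise stays below p/2.

```python
"""Toy symmetric "FHE over the integers" scheme showing noise growth.

Added example; not code from the dissertation, and the parameters are
toy-sized for illustration rather than a secure instantiation. Following
the DGHV blueprint, a bit m is encrypted as c = m + 2r + p*q with a small
noise r and a large random multiple of the odd secret p, and decryption
takes the centered residue of c modulo p and reduces it modulo 2.
Additions add the noise terms and multiplications multiply them, so a
circuit of multiplicative depth d decrypts correctly only while the noise
stays below p/2: this is the "all circuits with depth at most d" that a
leveled or somewhat homomorphic scheme accepts.
"""
import random


def gen(key_bits: int = 64, seed: int = 1):
    """Key generation: an odd secret p of exactly key_bits bits (seeded RNG)."""
    rng = random.Random(seed)
    p = rng.getrandbits(key_bits) | 1 | (1 << (key_bits - 1))
    return p, rng


def enc(p: int, rng: random.Random, m: int, noise_bits: int = 4, q_bits: int = 128):
    """Encrypt a bit. Returns (ciphertext, noise term). The noise term e = 2r + m
    is kept only so the example can watch it grow; an evaluator never sees it."""
    r = rng.randrange(-(2 ** noise_bits), 2 ** noise_bits)
    q = rng.getrandbits(q_bits)
    e = 2 * r + m
    return e + p * q, e


def dec(p: int, c: int) -> int:
    """Centered residue modulo p, then modulo 2."""
    e = c % p
    if e > p // 2:
        e -= p
    return e % 2


def add(x, y):
    """Homomorphic XOR: ciphertexts add, noise terms add."""
    return x[0] + y[0], x[1] + y[1]


def mul(x, y):
    """Homomorphic AND: ciphertexts multiply, noise terms multiply."""
    return x[0] * y[0], x[1] * y[1]


def product_tree(cts):
    """Balanced product of 2^d ciphertexts: a circuit of multiplicative depth d."""
    level = list(cts)
    while len(level) > 1:
        level = [mul(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def guaranteed_depth(key_bits: int, noise_bits: int) -> int:
    """Largest d such that every depth-d product of fresh ciphertexts decrypts.

    A fresh noise term satisfies |2r + m| <= 2^(noise_bits+1) + 1, and p/2 is
    at least 2^(key_bits-2), so depth d is safe while bound^(2^d) < 2^(key_bits-2).
    """
    bound = 2 ** (noise_bits + 1) + 1
    half_p = 2 ** (key_bits - 2)
    d = 0
    while bound ** (2 ** (d + 1)) < half_p:
        d += 1
    return d


def max_correct_depth(p: int, rng: random.Random, noise_bits: int = 4,
                      depth_limit: int = 8) -> int:
    """Empirically find the deepest all-ones product that still decrypts to 1
    with its true noise below p/2 (never less than guaranteed_depth)."""
    best = -1
    for d in range(depth_limit + 1):
        c, e = product_tree(enc(p, rng, 1, noise_bits) for _ in range(2 ** d))
        if 2 * abs(e) < p and dec(p, c) == 1:
            best = d
        else:
            break
    return best
```

Past the depth returned by max_correct_depth the noise term exceeds p/2 and the centered residue no longer equals it, which is the point at which a leveled scheme must stop or a bootstrapping step must refresh the ciphertext.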

3.3 Key Contributions

Vinod Vaikuntanathan maintains a webpage [152] which keeps track of the most notable works related to the advancement of fully homomorphic encryption over the years. Next, we follow Vaikuntanathan's reference collection to review some of the key contributions related to fully homomorphic encryption. For first-timers, one simple question might be hard to answer: “Where to start?". We find the discussions introduced by Gentry in [30] a good start, in particular due to the introductory discussion on the need for homomorphic encryption, the fundamental goals, and requirements. The frequent use of physical analogies is undoubtedly helpful in understanding the underlying concepts. Vaikuntanathan introduces a detailed survey on homomorphic encryption [153], with in-depth discussions including the history of homomorphic encryption, fundamental definitions, main constructions, and applications. Shai Halevi introduces a tutorial on homomorphic encryption [154], which covers from a review of the fundamentals to discussions on advanced topics. One attractive characteristic of Halevi's work is that there are separate discussions on defining and on how to implement certain classes of homomorphic encryption. We can see the references organized by Vaikuntanathan as some sort of timeline, especially the sections identified as Pre-FHE, Gen I, Gen II, and Gen III. For a side-by-side visualization, we organized these sections in Figure 3.1. Next, we provide some context for each essential contribution.

• Pre-FHE: The Pre-FHE era consists of the period in which the works that paved the way for the first concrete instance of a FHE scheme were introduced.

– Privacy homomorphisms [29]: in 1978, with the seminal paper on homomorphic encryption, then referred to as privacy homomorphisms, by Rivest, Adleman, and Dertouzos, who believed that an encryption with which one cannot compute on the encrypted data is a limited encryption function. This consideration is followed by the remark that there must be encryption functions that allow such computations. Rivest, Adleman, and Dertouzos proposed some applications which would be possible with such a type of encryption.

Figure 3.1: A FHE Timeline (columns: Pre-FHE, Gen I, Gen II, Gen III).

– Probabilistic encryption [155]: In 1984, Goldwasser and Micali introduced a probabilistic model of encryption, which is fundamental not only to homomorphic encryption but to cryptography in general. Among other results, Goldwasser and Micali showed that, under proper conditions, probabilistic encryption achieves a much higher security level than what is possible with deterministic encryption.

– ElGamal cryptosystem [156]: In 1985, ElGamal introduced a probabilistic public-key encryption scheme and a digital signature algorithm based on the discrete logarithm problem. One can compute multiplications on encrypted data using the ElGamal cryptosystem;

– Paillier cryptosystems [157]: In 1999, Paillier introduced three public-key encryption schemes whose security was based on the Composite Residuosity Class Problem. One can compute additions on encrypted data using Paillier cryptosystems;

– A generalization of the Paillier cryptosystems [158]: In 2001, Damgård and Jurik proposed a generalization of the Paillier cryptosystems which, among other optimizations, implied a reduction of the ciphertext expansion without compromising the homomorphic property. Damgård and Jurik remark that the proposed optimizations favored the use of the scheme in an electronic voting application.

– Evaluation of 2-DNF formulas on ciphertexts [159]: In 2006, Boneh, Goh, and Nissim introduced a homomorphic public-key encryption scheme with which one can evaluate quadratic multivariate polynomials on ciphertexts, including 2-DNF formulas on Boolean variables. Among the possible applications, Boneh, Goh, and Nissim highlight an efficient election system based on homomorphic encryption. The encryption scheme is known as BGN.

– BGN-type cryptosystem from LWE [160]: In 2010, Gentry, Halevi, and Vaikuntanathan introduced a public-key encryption scheme that is similar to BGN, with which one can compute polynomially many additions and one multiplication on encrypted data. The scheme's security is based on the hardness of the learning with errors (LWE) problem, a computational problem known to be as hard as certain worst-case lattice problems.

• Gen I: The first generation of FHE schemes.

– FHE using ideal lattices [32]: In 2009, Gentry introduced the first FHE scheme with which one can compute arbitrary functions on encrypted data. The notion of “arbitrary functions" implies computing any function for an unlimited number of times. Gentry achieved this goal by constructing first a SWHE scheme and turning it into a FHE through bootstrapping. Gentry’s remarkable work was a breakthrough in the theory of homomorphic encryption.


– FHE over the integers [135]: In 2010, van Dijk, Gentry, Halevi, and Vaikuntanathan introduced a SWHE scheme that is then converted into a FHE scheme using bootstrapping. The scheme is based on modular arithmetic, and its advertised main appeal is the conceptual simplicity of its construction. The encryption scheme is known as DGHV, and its security is based on the approximate-gcd problem;

– FHE with smaller keys and ciphertexts [134]: In 2010, Smart and Vercauteren introduced a SWHE scheme that is also converted into a FHE scheme using Gentry's bootstrapping technique. The difference of this particular construction is that the public key, the secret key, and the ciphertexts are smaller compared with Gentry's original construction. Smart and Vercauteren remark that their scheme allows efficient fully homomorphic encryption over any field of characteristic two;

– FHE on worst-case hardness [161]: In 2010, Gentry proposed a modified key generation algorithm for his previous FHE scheme on ideal lattices, which allows basing the security of the encryption scheme on the shortest independent vector problem (SIVP), which is considered to be quantum-resistant;

– FHE without squashing [162]: In 2011, Gentry and Halevi introduced a FHE scheme that uses bootstrapping but does not require the “squashing" of the decryption circuit, a routine that is necessary in Gentry's original blueprint in order to allow bootstrapping. The encryption scheme is hybrid, that is, a mix of a SWHE scheme and a multiplicatively homomorphic encryption scheme similar to the ElGamal scheme. The security of Gentry and Halevi's scheme is based on the Decision Diffie-Hellman problem.

• Gen II: The second generation of FHE schemes.

– FHE without modulus switching from classical GapSVP [163]: In 2012, Brakerski introduced a scale-invariant FHE scheme whose ciphertext noise grows linearly, as opposed to quadratically, as seen in previous candidates. The security of the encryption scheme is based on the hardness of the GapSVP problem;


– FHE with polylog overhead [164]: In 2012, Gentry, Halevi, and Smart proposed the construction of FHE schemes whose complexity of evaluating arithmetic circuits would occur with only polylogarithmic overhead;

– Homomorphic evaluation of the AES circuit [165]: In 2012, Gentry, Halevi, and Smart introduced a leveled homomorphic encryption scheme that could work with or without bootstrapping, capable of evaluating the AES-128 circuit.

– Efficient FHE from (standard) LWE [148]: In 2012, Brakerski and Vaikuntanathan proposed a FHE scheme based on the standard LWE assumption. More specifically, the security of the scheme is based on the worst-case hardness of short vector problems on arbitrary lattices.

– (Leveled) FHE without bootstrapping [147]: In 2014, Brakerski, Gentry, and Vaikuntanathan proposed a new approach to constructing a leveled FHE scheme without requiring bootstrapping, which is showcased in two ways: first, by introducing a leveled FHE scheme based on the RLWE assumption and without using bootstrapping, and second, by introducing another leveled FHE scheme that is also based on the RLWE assumption but in which bootstrapping is used as an optimization technique.

– Vaikuntanathan lists additional works as part of Gen II, such as [149,166–169].

• Gen III: The third generation of FHE schemes.

– Attribute-based homomorphic encryption from LWE [170]: In 2013 Gentry, Sahai and Waters proposed a FHE scheme based on the LWE assumption with an optimization on homomorphic multiplications. With this change, homomorphic addition and multiplication are just matrix addition and multiplication, which makes the encryption scheme asymptotically faster and easier to understand. The encryption scheme is known as GSW;

– Lattice-based FHE as secure as PKE [171]: In 2014, Brakerski and Vaikuntanathan introduced a leveled FHE scheme whose security is based on lattice problems such as GapSVP. The security of the scheme matches the security of non-homomorphic lattice-based public-key encryption schemes;


– Faster bootstrapping with polynomial error [172]: In 2014, Alperin-Sheriff and Peikert introduced a new algorithm for bootstrapping that implements an elementary and efficient arithmetic procedure, as opposed to Boolean circuits, which is more efficient than Gentry’s original approach;

– FHEW: fast bootstrapping [144]: In 2015, Ducas and Micciancio introduced a new method for homomorphically computing single-bit operations and refreshing the output, which is the goal of bootstrapping. This procedure runs on a personal computer in less than a second;

– Optimized GSW-FHE [173]: In 2016, Hiromasa, Abe, and Okamoto introduced an FHE scheme that encrypts matrices and supports homomorphic matrix addition and multiplication;

– Faster FHE [174]: In 2016, Chillotti, Gama, Georgieva, and Izabachène proposed a variant of the GSW-FHE scheme that uses a simpler external product between a GSW and an LWE ciphertext. The bootstrapping used in FHEW can then be applied, resulting in a speedup from less than 1 second to less than 0.1 seconds and a bootstrapping key size reduction from 1 GB to 24 MB.

For more information about other types of FHE schemes, applications, and advanced topics, the reader can refer to Vaikuntanathan’s collection [152]. Several other interesting topics are not covered in this work, including: 1) Modulus switching, 2) Circuit squashing, 3) Single-hop and multi-hop homomorphism, 4) Public key compression, and 5) Circular security. The reader can find discussions about each of the above topics and more in [30, 136, 147, 150, 151, 153, 154, 175]. There are active workgroups developing practical instantiations of homomorphic encryption, including the following libraries: SEAL [138], HElib [139], Palisade [140], cuHE [141], NFLLib [142], HEAAN [143], FHEW [144], TFHE [145], and Lattigo [146], as shown in Table 3.1. Most of these libraries are based on the Ring Learning With Errors problem while implementing one or two of the following schemes: BGV [147] and B/FV [148, 149]. As part of an ongoing effort, a group of members from industry, government and academia is developing a community standard for homomorphic encryption [33].


Table 3.1: Most noticeable homomorphic encryption libraries

Library          | Language  | Schemes
HElib            | C++       | BGV, CKKS, SV, GHS
Microsoft SEAL   | C++       | BFV, CKKS
PALISADE         | C++       | BGV, BFV, CKKS, FHEW, TFHE
FHEW/TFHE        | C++       | CKKS
Λ∘λ (Lol)        | Haskell   | Lattice-based HE
NFLlib           | C++       | FV-NFLib
cuHE             | Cuda C++  | DHS, LTV
Lattigo          | Go Lang   | full-RNS BFV, CKKS

3.4 Conclusions

Homomorphic encryption is one of the answers to society’s changes that impact our notion of security and utility. Since 1978, there has been a pursuit of a type of encryption that goes beyond securely encrypting and decrypting. The notion of secure delegation implies reconciling data access with data privacy, which at first glance seems to be a conflicting goal. However, homomorphic encryption has received continued attention and investment by a growing community with members from academia, industry, and government. Currently, the single greatest challenge to be overcome is the performance of fully homomorphic encryption. We consider this challenge to be complex and big enough to justify searching for mathematical resources that are currently not being explored to the fullest.

CHAPTER 4

p-Adic Numbers

In this chapter, we discuss our approach towards homomorphic cryptographic constructions using p-adic numbers. Furthermore, we will discuss concrete constructions as a first step towards the answer to the research questions presented in Chapter 2. Recall that p-adic numbers are one of the mathematical resources we resort to in order to explore functionalities and properties that can be used in cryptography for utility and, hopefully, for security. We start with a tutorial that is tailored to equip a reader, even those unfamiliar with the finite-segment p-adic arithmetic, to sufficiently understand the notation, the terminologies, special properties, and the functions that will serve us as the underlying engine for producing concrete instances of homomorphic cryptographic tools. Next, we will discuss concrete constructions as we apply each component of the covered material on finite-segment p-adic numbers.

4.1 A Compact Tutorial

As we discussed in Section 1.3.2, p-adic numbers have been successfully applied in many areas of physics, engineering, and computer science. When it comes to finite-segment p-adic arithmetic, the literature is abundant on error-free and parallel/distributed computation. As also discussed previously, although there are several examples of the use of finite-segment p-adic arithmetic in cryptography, p-adic numbers are far from being mainstream in the crypto community. Although we will focus on Hensel codes in the remainder of this work, we cannot stress enough that Hensel codes are finite p-adic numbers, and without understanding what infinite p-adic expansions are, it is unlikely that one will adequately understand what finite p-adic numbers are. Hensel codes are an important subset of the theory of p-adic numbers, and we deem it necessary to start from the right place.

4.1.1 Basic Definitions

Error-free computation is a goal that has long been pursued [176–178]. One way of addressing this problem is via infinite-precision integer and rational number arithmetic [179], which can be very demanding in terms of space and time resources. A promising alternative arises from the work of Kurt Hensel, who in 1908 introduced the p-adic number system [180], or p-adic arithmetic, through which one can perform rational arithmetic over the integers. In p-adic number theory, p denotes a fixed prime and each rational number in $\mathbb{Q}$ is represented by a quantity called a p-adic integer, which is a formal series $\sum_{i \ge 0}^{\infty} a_i p^i$ with integral coefficients $a_i$ satisfying $0 \le a_i$

4.1.2 Finite-Segment p-adic Arithmetic

For all rational numbers $\alpha = a/b$ there is an $n \in \mathbb{Z}$ such that a Hensel code h is given by
$$h = a_0 + a_1 p + a_2 p^2 + \ldots + a_{n-1} p^{n-1} \quad (4.1)$$

where the $a_i$ are the base-p digits of h.

Example 4.1 Let a = 2, b = 3, p = 5, n = 5. We compute the Hensel code h as follows:
$$h = 4 + 1 \cdot 5 + 3 \cdot 5^2 + 1 \cdot 5^3 + 3 \cdot 5^4 = 2084. \quad (4.2)$$

In Example 4.1, $a_0 = 4$, $a_1 = 1$, $a_2 = 3$, $a_3 = 1$, and $a_4 = 3$. In fact, 2084 in base 5 is 31314 (the same $a_i$ in reverse order), so it is easy to see that the Hensel code h is the base-p representation of a rational number α. In general, a p-adic number is a base-p representation (usually via an infinite p-adic expansion) of a rational number. Thus, a Hensel code is a finite p-adic number.


An alternative way to compute h is as follows: given $\alpha = a/b$, a fixed prime p and some positive $n \in \mathbb{Z}$, we have
$$h = a \cdot b^{-1} \bmod p^n, \qquad h \in \{0, \ldots, p^n - 1\} \quad (4.3)$$

where a, b and $p^n$ must be pairwise coprime.

Example 4.2 Let a = 2, b = 3, p = 5, n = 5. We compute the Hensel code h as follows:
$$h = 2 \cdot 3^{-1} \bmod 5^5 = 2 \cdot 1042 \bmod 3125 = 2084. \quad (4.4)$$

If b is not coprime with $p^n$, the inverse of b modulo $p^n$ fails to exist, and thus we cannot compute h as shown in Example 4.2. A limitation of this second approach to computing h with $p^n$ is that all values of b that are multiples of p will fail to have an inverse. However, this is only an issue for $n > 1$. We will then consider the case where $n = 1$, so we just omit n. We rewrite (4.3) as follows:
$$h = a \cdot b^{-1} \bmod p, \qquad h \in \{0, \ldots, p - 1\}. \quad (4.5)$$

Although (4.5), which we refer to as the Hensel encode, is a very simple expression, finding its inverse, that is, the original rational a/b that generated h under p, remained an open problem for many years [70, 71, 77, 187, 188], until Miola [187] introduced an algebraic solution for what we refer to as the Hensel decode. Miola observed that Gregory had developed algorithms for the Hensel encoding and decoding; however, the decoding solution was based on look-up tables, which was inefficient as a general method [188]. Notwithstanding, Miola, following Gregory, considered that a unique answer for the Hensel decoding problem would only be possible if both the numerator and the denominator of a/b were bounded by some value N. A rational number under that bound was called an order-N Farey fraction. Only then would it be possible to uniquely retrieve a/b from h under p using a slightly modified version of the extended Euclidean algorithm (EEA). We use Gregory’s method for encoding and Miola’s method for decoding; however, we introduce a new definition for the set of order-N Farey fractions.


Lemma 4.1.2.1. [187] p/q is a convergent of a/b if
$$\left| \frac{p}{q} - \frac{a}{b} \right| \le \frac{1}{2q^2}. \quad (4.6)$$

Proof. In order to find the distance between a convergent $p_n/q_n$ of a continued fraction and the fraction itself x, we begin by establishing
$$[a_0, a_1, \ldots, a_n] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_n}}}} \quad (4.7)$$
and
$$\begin{aligned} p_0 &= a_0, & q_0 &= 1, & p_n &= a_n p_{n-1} + p_{n-2}, \\ p_1 &= a_1 a_0 + 1, & q_1 &= a_1, & q_n &= a_n q_{n-1} + q_{n-2}. \end{aligned} \quad (4.8)$$
Thus,
$$\frac{p_n}{q_n} = \begin{cases} a_0 & n = 0 \\[4pt] a_0 + \dfrac{1}{a_1} & n = 1 \\[6pt] \dfrac{a_n p_{n-1} + p_{n-2}}{a_n q_{n-1} + q_{n-2}} & n \ge 2 \end{cases} \quad (4.9)$$
Every $a_n$ is a partial quotient of the continued fraction, which has a corresponding complete quotient $a'_n = a_n + \xi_n$ with $0 \le \xi_n < 1$. As a result, x can be represented as $x = \dfrac{a'_{n+1} p_n + p_{n-1}}{a'_{n+1} q_n + q_{n-1}}$. Therefore, $x - p_n/q_n$ is
$$\begin{aligned} x - \frac{p_n}{q_n} &= \frac{a'_{n+1} p_n + p_{n-1}}{a'_{n+1} q_n + q_{n-1}} - \frac{p_n}{q_n} \\ &= \frac{a'_{n+1} p_n q_n + p_{n-1} q_n - a'_{n+1} p_n q_n - p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})} \\ &= \frac{p_{n-1} q_n - p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})} \end{aligned} \quad (4.10)$$
Observe that $p_{n-1} q_n - p_n q_{n-1} = (-1)^n$, which can be verified with n = 2. Therefore,
$$x - \frac{p_n}{q_n} = \frac{p_{n-1} q_n - p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})} = \frac{(-1)^n}{q_n (a'_{n+1} q_n + q_{n-1})} \quad (4.11)$$

Let $q'_1 = a'_1$ and $q'_n = a'_n q_{n-1} + q_{n-2}$. Then,
$$x - \frac{p_n}{q_n} = \frac{(-1)^n}{q_n (a'_{n+1} q_n + q_{n-1})} = \frac{(-1)^n}{q_n q'_{n+1}} \quad (4.12)$$

Notice that $q_n$ increases steadily as n increases, so $q_n > q_{n-1}$. Similarly, $q'_{n+1} \ge q_{n+1}$ because $q'_n = a'_n q_{n-1} + q_{n-2}$ and $q_n = a_n q_{n-1} + q_{n-2}$, where the complete quotient $a'_n$ is always greater than the partial quotient $a_n$. Then, the following inequalities can be defined.
$$q'_{n+1} \ge q_{n+1} > q_n \quad \text{and} \quad \frac{1}{q'_{n+1}} \le \frac{1}{q_{n+1}} < \frac{1}{q_n}. \quad (4.13)$$
Finally,
$$\left| x - \frac{p_n}{q_n} \right| = \frac{1}{q_n q'_{n+1}} \le \frac{1}{q_n q_{n+1}} < \frac{1}{q_n^2} \quad (4.14)$$

Before discussing our new definition of order-N Farey fractions and Miola’s method for Hensel decoding, recall that a convergent of a rational number c/d is another rational number, typically denoted by $p_n/q_n$, obtained via a limited number of terms in a continued fraction with a total of n convergents, where $p_n/q_n$ is the n-th convergent of c/d. Miola’s method finds the original a/b from a Hensel code h under p as a convergent of h/p. This procedure is captured by Theorem 4.1.2.1.

Theorem 4.1.2.1. Given a Hensel code h and an odd prime p, a rational number a/b is a convergent of h/p if, by writing h as a Diophantine equation such that $h = ab^{-1} \bmod p$ and $hb - a \equiv 0 \bmod p$, there is an integer solution for k such that
$$hb - a = kp \quad (4.15)$$
and the following holds:
$$\left| \frac{h}{p} - \frac{k}{b} \right| < \frac{1}{b^2}. \quad (4.16)$$

Proof. We start by rewriting $h = ab^{-1} \bmod p$ as $hb - a \equiv 0 \bmod p$. Then, in order to prove that k/b is indeed a convergent of h/p, we rearrange the relation between h and a/b as $a/(bp) = h/p - k/b$. Notice that $hb - a$ is congruent to 0 and thus a multiple k of p. Therefore we can write
$$hb - a = kp \quad \text{and} \quad a = hb - kp. \quad (4.17)$$
So when we divide both sides by bp we have
$$\frac{a}{bp} = \frac{h}{p} - \frac{k}{b}. \quad (4.18)$$

Then we just need to check that k/b is in fact a convergent of h/p, since it holds that
$$\left| \frac{h}{p} - \frac{k}{b} \right| < \frac{1}{b^2}, \quad (4.19)$$

which can be computed by the EEA (the algorithm that computes all the convergents of any given fraction). So we know that a/b is computed by the EEA in the form of $x_i/y_i$ for the i-th term (the first convergent) that satisfies $|x_i| \le N$. □

We now introduce Definition 4.1.2.1, which depicts Miola’s algebraic method for the Hensel decoding.

Definition 4.1.2.1. (Hensel decoding) Given an odd prime p, $N = \left\lfloor \sqrt{p/2} \right\rfloor$, and a Hensel code h, set $x_0 = p$, $x_1 = h$, $y_0 = 0$, $y_1 = 1$, and $i = 1$. Then, while $x_i > N$, the following is computed:
$$\begin{aligned} q &= \left\lfloor \frac{x_{i-1}}{x_i} \right\rfloor \\ x_{i+1} &= x_{i-1} - q \cdot x_i \\ y_{i+1} &= y_{i-1} + q \cdot y_i \\ i &= i + 1 \end{aligned} \quad (4.20)$$

Then, the answer a/b is given by
$$\frac{c}{d} = (-1)^{i+1} \cdot \frac{x_i}{y_i}. \quad (4.21)$$

We write this syntax as $a/b = H^{-1}(p, h)$. Notice that (4.20) is the actual computation of the convergents of h/p. If the algorithm never enters the loop, then no convergent is computed. If the algorithm enters the loop, it will stop computing the convergents when it finds the first convergent that does not satisfy the inequality $x_i > N$. Now we have everything we need to introduce the definition of the set of order-N Farey fractions.


Definition 4.1.2.2. (Order-N Farey Fractions) The set of order-N Farey fractions $F_{N,p}$ is given by
$$F_{N,p} = \left\{ \frac{a}{b} \in \mathbb{Q}_p \;\middle|\; \begin{array}{l} a, b, p \text{ are pairwise coprime,} \\ \frac{a}{b} \text{ is the first convergent of } \frac{h}{p} \text{ via EEA,} \\ 0 \le |a| \le N, \quad 0 < |b| \le \frac{p}{N+1} \end{array} \right\}. \quad (4.22)$$

Now we can define the Hensel encoding using Definition 4.1.2.2.

Definition 4.1.2.3. (Hensel Encoding) Given an odd prime p and a rational number $a/b \in F_{N,p}$, a Hensel code h is computed as follows:
$$h = ab^{-1} \bmod p. \quad (4.23)$$

We write this syntax as $h = H(p, a/b)$.

Theorem 4.1.2.2. For all $a/b \in F_{N,p}$ and all odd primes p, the following holds:
$$H^{-1}\left(p, H\left(p, \frac{a}{b}\right)\right) = \frac{a}{b}. \quad (4.24)$$

Proof. The elements of the set of order-N Farey fractions are irreducible fractions a/b such that $0 \le |a| \le N$ and $0 < |b| \le p/(N+1)$. By Theorem 4.1.2.1, we know that the fraction a/b that is encoded as h under p is a convergent of h/p. We also know that the EEA computes all the convergents of h/p [187]. The algorithm for $H^{-1}(p, h)$ stops computing the convergents when it finds the first fraction that is under the N bound, which is precisely the fraction that originated h. □

We can also use multiple primes to represent a rational number, which is referred to as a g-adic expansion of rational numbers [80], where, given unique odd primes $p_1, \ldots, p_k$, g is given by $g = \prod_{i=1}^{k} p_i$. There are two ways of encoding an order-N Farey fraction a/b using g-adic numbers. One is to replace p by g such that
$$h = H\left(g, \frac{a}{b}\right), \quad (4.25)$$
$$\frac{a}{b} = H^{-1}(g, h). \quad (4.26)$$

Since Hensel codes can be computed with p and g, we establish the distinction between the two as p-adic Hensel codes and g-adic Hensel codes.

Theorem 4.1.2.3. [80] There is a one-to-one mapping from order-N Farey fractions into g-adic Hensel codes, where $N = \left\lfloor \sqrt{g/2} \right\rfloor$ and the set of g-adic Hensel codes is $\mathbb{Z}_g$.

Proof. The proof is detailed and fully given in [76, 121]. We here provide a more compact way to prove it. The single most relevant property of any prime p for being used to compute Hensel codes for order-N Farey fractions α is that p does not share any common divisor greater than 1 with any number less than p, and therefore a modular inverse of any number less than p modulo p is guaranteed to exist. Given k primes $p_1, \ldots, p_k$, the k-digit Hensel code of $\alpha = a/b$ is computed as $(H(p_1, \alpha), \ldots, H(p_k, \alpha))$. Since the Hensel code direct mapping requires a, b and each $p_i$ to be pairwise coprime and each Hensel code digit $h_i$ is less than each corresponding $p_i$, it is guaranteed that $\gcd(a, g) = \gcd(b, g) = 1$ for $g = \prod_{i=1}^{k} p_i$. If we compute $(h_1, \ldots, h_k) = H_g((p_1, \ldots, p_k), \alpha)$, we verify that
$$\sum_{i=1}^{k} \frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) h_i \bmod g = ab^{-1} \bmod g \quad (4.27)$$
and thus $H_g((p_1, \ldots, p_k), \alpha) \equiv H(g, \alpha)$. □

The second way of encoding an order-N Farey fraction a/b using g-adic numbers is by computing a g-adic Hensel code tuple, where each element of the tuple is a p-adic Hensel code for each prime $p_i$ in g, such that
$$(h_1, \ldots, h_k) = H_g\left((p_1, \ldots, p_k), \frac{a}{b}\right). \quad (4.28)$$
The procedure of (4.28) is captured by Definition 4.1.2.4.

Definition 4.1.2.4. Given k unique odd primes $p_1, \ldots, p_k$, $N = \left\lfloor \sqrt{g/2} \right\rfloor$ for $g = \prod_{i=1}^{k} p_i$, and $a/b \in F_{N,p}$, a g-adic Hensel code is computed as follows:
$$(h_1, \ldots, h_k) = \left( H\left(p_1, \frac{a}{b}\right), \ldots, H\left(p_k, \frac{a}{b}\right) \right). \quad (4.29)$$


We write this syntax as $(h_1, \ldots, h_k) = H_g((p_1, \ldots, p_k), a/b)$.

Theorem 4.1.2.4. For all unique odd primes $p_1, \ldots, p_k$ and $g = \prod_{i=1}^{k} p_i$, there is an isomorphism between g-adic numbers and p-adic numbers.

Proof. The proof is detailed and fully given in [178]. Here, we provide a more compact version. As per Theorem 4.1.2.3, we know that there is a one-to-one mapping between order-N Farey fractions and g-adic Hensel codes. In the proof of Theorem 4.1.2.3 we see that
$$H_g((p_1, \ldots, p_k), \alpha) \equiv H(g, \alpha) \quad (4.30)$$
and that happens since $g = \prod_{i=1}^{k} p_i$. Thus, g-adic Hensel codes using multiple primes $p_1, \ldots, p_k$ are the same quantities represented by p-adic Hensel codes where g is the only value used to encode the order-N Farey fractions. Both sets are of the same size and therefore they encode the same number of elements, since $|g| = \prod_{i=1}^{k} p_i$. Thus, it is clear that the following holds:
$$\{0, \ldots, g - 1\} \equiv \{0, \ldots, p_1 - 1\} \times \ldots \times \{0, \ldots, p_k - 1\}. \quad (4.31)$$

We decode a g-adic Hensel code tuple in two steps:

1. Transform $(h_1, \ldots, h_k)$ into h via the Chinese Remainder Theorem (CRT);

2. Decode h such that $a/b = H^{-1}(g, h)$.

Definition 4.1.2.5. (g-adic Hensel Decode) Given k unique odd primes $p_1, \ldots, p_k$, $g = \prod_{i=1}^{k} p_i$, $N = \left\lfloor \sqrt{g/2} \right\rfloor$, and a g-adic Hensel code tuple $(h_1, \ldots, h_k)$, the corresponding order-N Farey fraction is given by:
$$h = \sum_{i=1}^{k} \frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) h_i \bmod g \quad (4.32)$$
$$\frac{a}{b} = H^{-1}(g, h). \quad (4.33)$$


We write this syntax as $a/b = H_g^{-1}((p_1, \ldots, p_k), (h_1, \ldots, h_k))$.

Theorem 4.1.2.5. Let $(p_1, \ldots, p_k)$ be k distinct primes, and $N = \left\lfloor \sqrt{g/2} \right\rfloor$, $g = \prod_{i=1}^{k} p_i$. A k-digit Hensel code encoded in terms of $(p_1, \ldots, p_k)$ is equivalent to a single-digit Hensel code encoded in terms of g.

Proof. Given k primes $(p_1, \ldots, p_k)$, $N = \left\lfloor \sqrt{g/2} \right\rfloor$, $g = \prod_{i=1}^{k} p_i$, a rational number a/b where a, b, g are pairwise coprime, and a k-digit Hensel code $(h_1, \ldots, h_k) = H_g((p_1, \ldots, p_k), a/b)$, it holds that
$$\sum_{i=1}^{k} \frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) h_i \bmod g = ab^{-1} \bmod g. \quad (4.34)$$
It is easy to see that (4.34) holds if we have a single prime and g = p. Then
$$\frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) = 1 \quad (4.35)$$
and we are left with $h \bmod g$, since we have a single code for a single prime. Thus, $ab^{-1} \bmod g$. Another way to see this equivalence is by inspecting the g-adic number inverse map in Definition 4.1.2.5. The first step of decoding a k-digit Hensel code is to compute the single code h that feeds (4.33). Then, h is decoded as a single Hensel code in terms of g, and it is clear that
$$H\left(g, \frac{a}{b}\right) = \sum_{i=1}^{k} \frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) h_i \bmod g. \quad (4.36)$$
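To make Definitions 4.1.2.1–4.1.2.5 concrete, the following is an added Python example; it is not code from the dissertation or from the MSH Code Ruby library mentioned later in Section 4.2.1, and the function names are my own. It implements the Hensel encoding of (4.23) (also for a prime-power modulus as in (4.3)), Miola's decoding loop (4.20)–(4.21) with $N = \lfloor\sqrt{p/2}\rfloor$, the g-adic tuple of (4.29) and its CRT combination (4.32), and checks them against Examples 4.1 and 4.2; the same two-prime map is what Section 4.5.1 later calls $P_H$.

```python
# Added example (not from the dissertation): Hensel codes for one modulus and
# g-adic (multi-prime) Hensel code tuples combined through the CRT.
from fractions import Fraction
from functools import reduce
from math import gcd, isqrt


def farey_bound(modulus):
    """N = floor(sqrt(modulus / 2)), the order of the Farey fractions that decode uniquely."""
    # floor(sqrt(m/2)) == isqrt(m // 2) for every positive integer m, because no
    # perfect square can lie strictly between m // 2 and m / 2.
    return isqrt(modulus // 2)


def hensel_encode(modulus, a, b):
    """H(p, a/b) = a * b^{-1} mod p (Eq. 4.23); with modulus = p^n this is Eq. 4.3."""
    if gcd(b, modulus) != 1:
        raise ValueError("denominator must be coprime with the modulus")
    return (a * pow(b, -1, modulus)) % modulus


def hensel_decode(modulus, h):
    """H^{-1}(p, h): Miola's EEA-based decoding, Eqs. 4.20-4.21.

    The loop walks the convergents x_i / y_i of h / p and stops at the first
    one whose numerator is within the order-N Farey bound.
    """
    n_bound = farey_bound(modulus)
    x_prev, x_cur = modulus, h              # x_0 = p, x_1 = h
    y_prev, y_cur = 0, 1                    # y_0 = 0, y_1 = 1
    i = 1
    while x_cur > n_bound:
        q = x_prev // x_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur   # x_{i+1} = x_{i-1} - q x_i
        y_prev, y_cur = y_cur, y_prev + q * y_cur   # y_{i+1} = y_{i-1} + q y_i
        i += 1
    sign = -1 if (i + 1) % 2 else 1         # (-1)^(i+1) of Eq. 4.21
    return Fraction(sign * x_cur, y_cur)


def gadic_encode(primes, a, b):
    """H_g((p_1, ..., p_k), a/b): one p-adic Hensel code digit per prime (Eq. 4.29)."""
    return tuple(hensel_encode(p, a, b) for p in primes)


def crt_combine(primes, digits):
    """Eq. 4.32: h = sum_i (g/p_i) * ((g/p_i)^{-1} mod p_i) * h_i  mod g."""
    g = reduce(lambda x, y: x * y, primes, 1)
    total = 0
    for p_i, h_i in zip(primes, digits):
        g_i = g // p_i
        total += g_i * pow(g_i, -1, p_i) * h_i
    return total % g


def gadic_decode(primes, digits):
    """H_g^{-1}: CRT to a single g-adic code, then decode under g (Definition 4.1.2.5)."""
    g = reduce(lambda x, y: x * y, primes, 1)
    return hensel_decode(g, crt_combine(primes, digits))


if __name__ == "__main__":
    print(hensel_encode(5 ** 5, 2, 3), hensel_decode(5 ** 5, 2084))   # Example 4.2: 2084, 2/3
    print(hensel_encode(211, 9, 7), hensel_decode(211, 152))          # 152, 9/7
    # Two-prime code of 123/107 and its CRT combination (values that reappear in Example 4.6)
    digits = gadic_encode((227, 173), 123, 107)
    print(digits, crt_combine((227, 173), digits), gadic_decode((227, 173), digits))
```

Because $H^{-1}$ only inspects the residue, the same code also exhibits the homomorphisms of Remark 5: under $n = 39271$, $H(n, 4/5) \cdot H(n, 7/6) \bmod n$ decodes to $14/15$ and the sum decodes to $59/30$.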

4.2 Homomorphic Data Encoding

In 2020 we introduced a probabilistic homomorphic data encoding technique using Hensel codes [111]. Among its possible applications, this technique can be used as an add-on for deterministic encryption schemes, turning them into probabilistic encryption schemes without compromising any existing homomorphic property. This alone seems to be reason enough to consider the relevance of this encoding scheme. By expanding the ideas presented in [111], we arrived at a leveled FHE scheme based on Hensel codes. So the strategy we follow from now on is to break down the utilities of interest and discuss them in isolation before we discuss the leveled FHE scheme, which encompasses all the properties discussed in the isolated examples. Since there is a much more comprehensive discussion around our proposed leveled FHE scheme, we will discuss it in detail in Chapter 6. Here we provide an overview of the solution discussed in [111], which is illustrated in Figures 4.1 and 4.2.

Figure 4.1: Encoding.

4.2.1 Performance

The results in this section were obtained in an environment with the following specs:

• Processor: 2.8 GHz Intel Core i7

• Memory: 16 GB 1600 MHz DDR3

• OS: macOS High Sierra 10.13.6 (17G65)

The results in Tables 4.1 and 4.2 were obtained with the MSH Code Ruby library, ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin17]. Ruby [189, 190] is not an ideal programming language for writing software for performance tests. We chose Ruby for being a language of fast prototyping and human-friendly readability.

Figure 4.2: Decoding.

The generation of prime numbers via the OpenSSL [191] implementation in Ruby (OpenSSL 2.1.2) is very slow, hence the discrepancy in time between the Setup algorithm and all the other operations. This should not be a critical factor since the Setup algorithm is the least executed algorithm among all the others (once the primes are generated, Setup will generally not be executed again for a while). The Setup algorithm consists mostly of just generating two prime numbers and computing their product. The time taken to generate these primes is the determining factor for the overall algorithm runtime. To illustrate how the programming language might affect the runtime of the Setup algorithm, consider the results in Table 4.3 for code written in Python 3.7.4.

4.3 Encrypting Rational Numbers

The theory of p-adic numbers is sometimes referred to as a theory of representation [117, 118, 192, 193], mostly for its ability to consistently replace arithmetic over the rational numbers by arithmetic over the integers. In some applications, critical data are often represented as fractions, as is the case in machine learning, where data often need to be normalized (for instance, by the standard deviation), producing values within, say, 0 and 1.


Table 4.1: Performance results with λ = 1024

Algorithm/Operation  | Time (seconds)
Setup                | 0.653246
Encode               | 0.006342
Decode               | 0.000038
Addition             | 0.000008
Multiplication       | 0.000019
Encoding 4D vector   | 0.012901
Decoding 4D vector   | 0.000176
Dot product 4D       | 0.000048

Table 4.2: Performance results with λ = 2048

Operation            | Time (seconds)
Setup                | 24.494334
Encode               | 0.009593
Decode               | 0.000055
Addition             | 0.000005
Multiplication       | 0.000027
Encoding 4D vector   | 0.034336
Decoding 4D vector   | 0.000179
Dot product 4D       | 0.000094

Table 4.3: Setup algorithm in Python 3

λ     | Time (seconds)
1024  | 0.09601879119873047
2048  | 0.59281396865844730
4096  | 3.69716095924377440


In this section, we want to demonstrate that some well-known cryptosystems can be slightly modified to include rational numbers in the set of inputs without adding extra variables or compromising existing homomorphic properties, as is the case with RSA.

4.3.1 RSA with Rational Numbers

The RSA cryptosystem was introduced in [1] and can be summarized as follows: given a public key e and two secret prime numbers p and q, a public key n is computed such that $n = pq$, and the private keys $\varphi(n)$ and d are computed such that $\varphi(n) = (p - 1)(q - 1)$ and $d = e^{-1} \bmod \varphi(n)$, i.e., $ed = 1 \bmod \varphi(n)$. Given a message m, a ciphertext c is computed such that $c = m^e \bmod n$. The message m can be retrieved from c such that $m = c^d \bmod n$. This is known as “naive” RSA signatures, as remarked by Smart in [194], which is sufficient for this particular discussion, since we are addressing an extension of RSA’s utility without affecting its security. For the secure versions of RSA discussed by Katz and Lindell in [34], such as RSA PKCS and RSA-OAEP, we propose the same basic approach that will be discussed next, that is, to consider the message m a rational number and replace it by its corresponding Hensel code h. RSA operates over the integers. If one wants to use RSA to encrypt any data that is not in integer form, then a mapping from the other format to integer form is required. We show that Hensel codes can be used to solve this problem without compromising RSA properties.

Definition 4.3.1.1. (Hensel codes with single existing prime) Let $F_p$ be a set of order-N Farey fractions. Then, p is chosen to encode $\alpha = a/b \in F_p$, where $N = \left\lfloor \sqrt{p/2} \right\rfloor$. The Hensel encoding is given by $h = H(p, a/b)$. The ciphertext c is computed as $c = h^e \bmod n$. This scheme preserves the multiplicative homomorphism of the original textbook definition of RSA since p is a factor of n.

Remark 1. According to Definition 4.3.1.1, the message space is reduced from $\{0, \ldots, n - 1\}$ to $\{0, \ldots, p - 1\}$.

Remark 2. Because p is needed to encode $m \in \mathbb{Q}$ as $h \in \mathbb{Z}_p$, the encryption scheme is no longer a public-key one; instead, it is a private-key encryption scheme.


Example 4.3 Let e = 17, p = 211, q = 199, n = 41989, φ(n) = 41580 and d = 22013. Let $\alpha = 9/7$ be the fraction we want to encrypt. We proceed as follows:
$$h = H(p, \alpha) = H\left(211, \frac{9}{7}\right) = 152, \qquad c = h^e \bmod n = 152^{17} \bmod 41989 = 35864. \quad (4.37)$$
Decryption is computed as follows:
$$h = c^d \bmod n = 35864^{22013} \bmod n = 152, \qquad \alpha = H^{-1}(p, h) = \frac{9}{7}. \quad (4.38)$$

Definition 4.3.1.2. (Hensel codes with public modulus) Let $F_N$ be a set of order-N Farey fractions for any given $N = \left\lfloor \sqrt{n/2} \right\rfloor$. We use $n = pq$ to encode $\alpha = a/b \in F_N$, so the Hensel encoding is given by $h = ab^{-1} \bmod n$. The ciphertext c is computed as $c = h^e \bmod n$.

Remark 3. According to Definition 4.3.1.2, the message space size is exactly the same as in the standard RSA configuration, that is, $|\{0, \ldots, n - 1\}| = n$.

Remark 4. By using n to encode $m \in \mathbb{Q}$ as $h \in \mathbb{Z}_n$, the encryption scheme remains a public-key encryption scheme.

Example 4.4 Let e = 17, p = 211, q = 199, n = 41989, φ(n) = 41580 and d = 22013. Let $\alpha = 9/7$ be the fraction we want to encrypt. We proceed as follows:
$$h = H(n, \alpha) = H\left(41989, \frac{9}{7}\right) = 23995, \qquad c = h^e \bmod n = 23995^{17} \bmod 41989 = 15608. \quad (4.39)$$

Decryption is computed as follows:
$$h = c^d \bmod n = 15608^{22013} \bmod n = 23995, \qquad \alpha = H^{-1}(n, h) = \frac{9}{7}. \quad (4.40)$$


Remark 5. The Hensel code function is homomorphic with respect to addition and multiplication. The RSA function is homomorphic with respect to multiplication. Since both functions are homomorphic with respect to multiplication, adding the Hensel code step to the RSA implementation will preserve the multiplicative homomorphism of RSA.

Example 4.5 Let e = 23, p = 227, q = 173, n = 39271, φ(n) = 38872 and d = 18591. Let $\alpha_1 = 4/5$, $\alpha_2 = 7/6$, and let n be used to compute the Hensel codes of $\alpha_1$ and $\alpha_2$. We have $h_1 = H(n, \alpha_1) = 7855$ and $h_2 = H(n, \alpha_2) = 32727$. We compute $c_1$ and $c_2$ as $c_1 = h_1^e \bmod n = 2415$ and $c_2 = h_2^e \bmod n = 20018$. Let $c_3$ be the product of $c_1$ and $c_2$ such that $c_3 = c_1 c_2 \bmod n = 869$. We compute $h_3 = c_3^d \bmod n = 2619$ and $\alpha_3 = H^{-1}(n, h_3) = 14/15$. We then verify that $\alpha_1 \alpha_2 = \frac{4}{5} \cdot \frac{7}{6} = \frac{14}{15} = \alpha_3$.

The methods introduced are particularly interesting if a given encryption scheme is originally designed to work over the integers and is homomorphic with respect to addition and/or multiplication. They allow such an encryption scheme to operate with rational numbers while preserving any existing homomorphism.

4.4 Adding Randomness to Deterministic Algorithms

In 1984, Goldwasser and Micali introduced a new model of encryption, that is, probabilistic (or randomized) encryption, while remarking on its superiority in computational complexity in comparison with its deterministic counterpart [155]. All techniques used to address this problem result in some form of ciphertext expansion.

4.4.1 Randomized RSA

Once again, we use the RSA cryptosystem to illustrate utilities provided by Hensel codes, this time, randomization. Our goal is to modify the RSA scheme in order to add randomization without affecting its multiplicative homomorphism. We propose two versions, one that is a private-key and another that is a public-key encryption scheme.


Definition 4.4.1.1. Let the randomized private-key RSA be defined as follows: given e, p, q, n, φ(n), and d from the standard RSA configuration,

• Enc is a probabilistic polynomial-time algorithm that, in order to encrypt a message $m \in \mathbb{Z}_p$, chooses a uniform $s \in \{1, \ldots, q - 1\}$, computes $\alpha = H_g^{-1}((p, q), (m, s))$, then $h = H(n, \alpha)$, so the ciphertext c is given by $c = h^e \bmod n$.

• Dec is a deterministic polynomial-time algorithm that, given a ciphertext c, computes $\alpha = H^{-1}(n, h)$ in order to retrieve m as $m = H(p, \alpha)$.

Example 4.6 Let e = 23, p = 227, q = 173, n = 39271, φ(n) = 38872, d = 18591, the message m = 16, and the random number s = 179. We compute α, h and c as follows.

First we compute α:
$$\alpha = H_g^{-1}((227, 173), (16, 179)) = \frac{123}{107}, \quad (4.41)$$
then we compute h:
$$h = 123 \cdot 107^{-1} \bmod 39271 = 123 \cdot 19452 \bmod 39271 = 36336. \quad (4.42)$$

The ciphertext c is computed as
$$c = h^e \bmod n = 36336^{23} \bmod 39271 = 20893. \quad (4.43)$$

Decryption is computed as follows: we first recover h
$$h = c^d \bmod n = 20893^{18591} \bmod 39271 = 36336, \quad (4.44)$$

then we compute α:
$$\alpha = H^{-1}(n, h) = H^{-1}(39271, 36336) = \frac{123}{107}, \quad (4.45)$$
so we can finally recover m:
$$m = ab^{-1} \bmod p = 123 \cdot 107^{-1} \bmod 227 = 123 \cdot 157 \bmod 227 = 16. \quad (4.46)$$


Remark 6. We could simplify the encryption function to be:
$$h = q \left( q^{-1} \bmod p \right) m + p \left( p^{-1} \bmod q \right) s, \qquad c = h^e \bmod n; \quad (4.47)$$
however, in order to keep notation and strategy consistent with the remainder of this work, which includes constructions with more than two primes, we favor generalization and express the computations in terms of single and multiple Hensel codes.

Remark 7. The randomization in Definition 4.4.1.1 is given by s. If s is uniformly random in the set $\{1, \ldots, q - 1\}$, then there will be $q - 1$ possible values of h and c for every message m that is encrypted.

Example 4.7 Let p = 227, q = 173, n = 39271. If the message m = 23 and s = 202, then $\alpha = H_g^{-1}((p, q), (m, s)) = 73/92$ and $h = H(n, \alpha) = 17502$, thus $c = h^e \bmod n = 20747$. If the same message is accompanied by s = 234, then $\alpha = H_g^{-1}((p, q), (m, s)) = 67/72$, $h = H(n, \alpha) = 19091$, hence $c = h^e \bmod n = 6900$.

Definition 4.4.1.2. Let the randomized public-key RSA be defined as follows: given e, p, q, n, φ(n), d from the standard RSA configuration, and two additional public primes x, y with product xy,

• Enc is a probabilistic polynomial-time algorithm that, in order to encrypt a message $m \in \mathbb{Z}_x$, chooses a uniform $s \in \{1, \ldots, y - 1\}$, computes $\alpha = H_g^{-1}((x, y), (m, s))$, then $h = H(n, \alpha)$, so the ciphertext c is given by $c = h^e \bmod xyn$.

• Dec is a deterministic polynomial-time algorithm such that, given a ciphertext c, we compute $\alpha = H^{-1}(n, h)$ in order to retrieve m as $m = H(x, \alpha)$.

Remark 8. Since x,y,n are public, only public information is required for encrypting; thus, the proposed randomized RSA encryption scheme remains a public-key one and multiplicative homomorphic. If one is not interested in homomorphism, the encryption can be computed as c = he mod n.


Remark 9. Similarly to what we discussed in Section 4.3, we are adding Hensel codes to the RSA recipe as a tool of representation, meaning that we are transforming a deterministic encryption scheme into a probabilistic one by representing a message m together with a random s as a 2-digit Hensel code (m, s), which is then represented as a Farey fraction α. As we discussed in Section 4.1.2, there is a unique Farey fraction α for each k-digit Hensel code with respect to k primes.
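The randomized private-key RSA of Definition 4.4.1.1, as an added Python example that is not code from the dissertation (names are my own): it uses the simplified form of Remark 6, so the pair (m, s) is combined into $h = H(n, \alpha)$ directly by the CRT and no Farey-fraction decoding is needed; on decryption, m is the first Hensel digit of h, i.e. $h \bmod p$, which equals $H(p, H^{-1}(n, h))$ because p divides n. It reproduces Examples 4.6 and 4.7 and checks that the multiplicative homomorphism of Remark 8 survives the randomization.

```python
# Added example (not from the dissertation): randomized private-key RSA via
# the Remark 6 shortcut, h = q (q^-1 mod p) m + p (p^-1 mod q) s (mod n).
import secrets


def rsa_setup(p, q, e):
    """Standard RSA configuration: n = pq, phi(n) = (p-1)(q-1), d = e^{-1} mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, phi, pow(e, -1, phi)


def encode_message(p, q, m, s):
    """CRT combination of the 2-digit Hensel code (m, s), reduced mod n as in (4.32).

    This value is H(n, alpha) for alpha = H_g^{-1}((p, q), (m, s)), i.e. the h
    of Eqs. 4.41-4.42, obtained without computing the Farey fraction alpha.
    """
    n = p * q
    return (q * pow(q, -1, p) * m + p * pow(p, -1, q) * s) % n


def encrypt(p, q, e, m, s=None):
    """Enc of Definition 4.4.1.1; s is drawn uniformly from {1,...,q-1} unless given."""
    if s is None:
        s = 1 + secrets.randbelow(q - 1)
    n = p * q
    return pow(encode_message(p, q, m, s), e, n)


def decrypt(p, q, d, c):
    """Dec: h = c^d mod n, then m = H(p, H^{-1}(n, h)) = h mod p since p | n."""
    n = p * q
    h = pow(c, d, n)
    return h % p


def product_of_ciphertexts(p, q, c1, c2):
    """Remark 8: c1 * c2 mod n decrypts to m1 * m2 mod p (CRT is a ring isomorphism)."""
    return (c1 * c2) % (p * q)


if __name__ == "__main__":
    p, q, e = 227, 173, 23
    n, phi, d = rsa_setup(p, q, e)                    # 39271, 38872, 18591
    c = encrypt(p, q, e, 16, s=179)                   # Example 4.6: h = 36336, c = 20893
    print(n, phi, d, encode_message(p, q, 16, 179), c, decrypt(p, q, d, c))
    # Example 4.7: the same m = 23 under two different s gives two different h and c
    print(encode_message(p, q, 23, 202), encode_message(p, q, 23, 234))   # 17502, 19091
    print(decrypt(p, q, d, encrypt(p, q, e, 100)))    # fresh random s, still 100
```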

4.5 Pairing Functions

When it comes to encoding numbers, one interesting resource is known in mathematics as a pairing function [195], which is a computable bijection that allows one to uniquely encode two natural numbers into one natural number. Among well-known pairing functions, we highlight Cantor pairing [196], Elegant pairing [197], Tate pairing [198–200], and Weil pairing [201–203], and many of these have been used in cryptography [204–209]. While sharing similar goals, these techniques differ mostly in space and performance efficiency. One particularly interesting pairing function is the one proposed by Tate in 1958 [199], where the following is proposed: if A is an Abelian variety [210] and K is a p-adic number field, then $WC(A_K)$ is canonically isomorphic to the character group [211] $\hat{A}_K^{*}$ of the compact group [212] $\hat{A}_K$ of rational points over K on the Picard variety [213]. Cantor and elegant pairing, as an example, allow pairing integers and not only natural numbers, which significantly expands the possibilities for pairing numbers. We are similarly interested in broader possibilities for pairing, including the ability to compute homomorphically on “paired” data, which leads us to propose Definition 4.5.0.1.

Definition 4.5.0.1. A pairing function $f : \mathbb{Q} \times \mathbb{Q} \to \mathbb{N}$ is a bijective mapping such that for all $a, b, c, d \in \mathbb{Q}$ it holds that

$$f(a + c, b + d) = f(a, b) + f(c, d)$$

and $f(a \cdot c, b \cdot d) = f(a, b) \cdot f(c, d)$.


Aiming to satisfy Definition 4.5.0.1, we propose a much more straightforward and intuitive pairing function strategy based on p-adic numbers.

Remark 10. Overall, the proposed pairing functions target simplicity, a broader input domain, and homomorphisms. Due to the added functionality, our constructions might not be as space-efficient as some of the pairing functions mentioned above.

4.5.1 p-adic Pairing

We are interested in a pairing function with the following characteristics:

1. Simple construction based on p-adic numbers;

2. Accepts positive, negative and rational numbers as input;

3. Additive and multiplicative homomorphic.

In order to provide a solution with these characteristics, we resort to the finite segment of g-adic numbers.

Definition 4.5.1.1. Given primes $p_1, p_2$, the p-adic pairing function $P_H$ maps $\alpha, \beta \in \mathbb{F}_N$ to $\zeta \in \mathbb{Z}_g$, where $N = \lfloor \sqrt{g/2} \rfloor$ and $g = p_1 p_2$. We write the syntax as $P_H(\alpha, \beta) = \zeta$.

Definition 4.5.1.2. Let $N = \lfloor \sqrt{g/2} \rfloor$, $g = p_1 p_2$. For all $\alpha, \beta \in \mathbb{F}_N$, the pairing function $P_H$ maps $\alpha, \beta$ into $\zeta \in \mathbb{Z}_g$ as follows:

$$P_H(\alpha, \beta) = (h_1, h_2) = \big(H(p_1, \alpha),\ H(p_2, \beta)\big), \qquad \zeta = \sum_{i=1}^{2} \frac{g}{p_i} \left( \left(\frac{g}{p_i}\right)^{-1} \bmod p_i \right) h_i \bmod g. \quad (4.48)$$

Definition 4.5.1.3. Assuming that $p_1, p_2$ are public, let $N = \lfloor \sqrt{g/2} \rfloor$, $g = p_1 p_2$. For all $\zeta \in \mathbb{Z}_g$, the inverse pairing function $P_H^{-1}$ maps $\zeta$ into $\alpha, \beta \in \mathbb{F}_N$ as follows:

$$P_H^{-1}(\zeta) = \begin{cases} h_1 = \zeta \bmod p_1, \\ h_2 = \zeta \bmod p_2, \end{cases} \qquad (\alpha, \beta) = \big(H^{-1}(p_1, h_1),\ H^{-1}(p_2, h_2)\big). \quad (4.49)$$

Theorem 4.5.1.1. For all $\alpha, \beta, p_1, p_2$ where $\alpha, \beta \in \mathbb{F}_N$, $N = \lfloor \sqrt{g/2} \rfloor$ and $g = p_1 p_2$, the following holds:

$$P_H^{-1}\big(P_H(\alpha, \beta)\big) = (\alpha, \beta). \quad (4.50)$$

Proof. The homomorphic p-adic pairing applies the direct and the inverse maps of g-adic numbers, which are equivalent to single-digit Hensel codes. The proof of equivalence is given for Theorem 4.1.2.5, and the proof of correctness is given in the proof of Theorem 4.1.2.2.

Theorem 4.5.1.2. The pairing function PH is homomorphic with respect to addition and multiplication, such that:

$$P_H(\alpha_1 + \alpha_2, \beta_1 + \beta_2) = P_H(\alpha_1, \beta_1) + P_H(\alpha_2, \beta_2), \qquad P_H(\alpha_1 \alpha_2, \beta_1 \beta_2) = P_H(\alpha_1, \beta_1)\, P_H(\alpha_2, \beta_2). \quad (4.51)$$

Proof. Although the p-adic pairing uses two primes, we have just two independent single-digit Hensel codes being computed. The proof of Theorem 4.5.1.2 follows Theorems 4.1.2.1 and 4.1.2.2.

For the next examples, let p1 = 51407, p2 = 62939.

Example 4.8. For $\alpha = 5$ and $\beta = 9$, $3069409161 = P_H(5, 9)$ and $(5, 9) = P_H^{-1}(3069409161)$.

Example 4.9. For $\alpha = 2/7$ and $\beta = -11$, $2895256928 = P_H(2/7, -11)$ and $(2/7, -11) = P_H^{-1}(2895256928)$.

4.6 Distributed Computation

Bertsekas and Tsitsiklis compare the improvement in computing power brought by distributed computing systems, together with parallel computing, to a quantum leap [214]. In fact, a growing interest in distributed architectures is transforming the way that systems, in general, are designed and maintained [215–217]. It seems reasonable to believe that if there is a computational advantage in allowing a particular operation to be outsourced to multiple independent computing units, that is, servers, IoT devices, virtual machines, threads, etc., then it would be even more valuable to have this same procedure executed in a privacy-preserving manner. To address this issue, we propose a fully homomorphic encryption scheme designed to allow multiple parties to jointly and homomorphically compute an operation over assigned encrypted inputs. Here we will consider an operation as any combination of additions and multiplications. Examples of possible applications include parallel computing, multi-party computation, and distributed systems. We define the syntax of a distributed private-key fully homomorphic encryption (FHE) scheme as follows:

Definition 4.6.0.1. A distributed private-key FHE scheme $\mathcal{D} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is a tuple of efficient (i.e., probabilistic polynomial-time) algorithms with the following syntax:

• The key-generation algorithm Gen takes as input the security parameter $1^\lambda$ and a positive integer t that determines in how many units the computation will be distributed, and outputs a private key sk and a public evaluation key pk. The secret key implicitly defines a ring R that will serve as the message space. We write this as $(sk, pk) \leftarrow \mathrm{Gen}(1^\lambda, t)$.

• The encryption algorithm Enc takes as input a secret key sk and a message m and outputs t ciphertexts $(c_1, \ldots, c_t)$. We write this as $(c_1, \ldots, c_t) \leftarrow \mathrm{Enc}(sk, m)$.

• The decryption algorithm Dec takes as input a secret key sk and t ciphertexts $(c_1, \ldots, c_t)$ and outputs a message m. We write this as $m \leftarrow \mathrm{Dec}(sk, (c_1, \ldots, c_t))$.

• Addition and multiplication are computed such that, given $(a_1, \ldots, a_t) = \mathrm{Enc}(sk, a)$ and $(b_1, \ldots, b_t) = \mathrm{Enc}(sk, b)$, the distributed computation of $a + b$ is computed as $a_i + b_i$ and the distributed computation of $a \cdot b$ is computed as $a_i \cdot b_i$, for all $i = 1, \ldots, t$.

Correctness requires the following:


1. For all sk, pk output by Gen, and all $m \in R$ we have

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m. \quad (4.52)$$

2. For all $(a_{t+1}, \ldots, a_{2t}) \leftarrow \mathrm{Enc}(sk, a)$ and $(b_{t+1}, \ldots, b_{2t}) \leftarrow \mathrm{Enc}(sk, b)$, when operations are computed at the Hensel digit level, which we denote by

$$(a_{t+1} \circ b_{t+1} \bmod p_{t+1},\ \ldots,\ a_{2t} \circ b_{2t} \bmod p_{2t}), \quad (4.53)$$

we have

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, a \circ b)) = a \circ b, \quad (4.54)$$

where $\circ \in \{+, \cdot\}$.

Definition 4.6.0.2. A distributed private-key FHE scheme $\mathcal{D}$ is secure if, for a uniform $m \in R$, all $(sk, pk) \leftarrow \mathrm{Gen}(1^\lambda, t)$ and all $(c_1, \ldots, c_t) \leftarrow \mathrm{Enc}(sk, m)$, no efficient adversary $\mathcal{A}$ can recover m by knowing only pk and $(c_1, \ldots, c_t)$.

4.6.1 Description of the Scheme

We now describe the distributed private-key FHE scheme. Gen takes as input the security parameter $1^\lambda$ and a positive integer t that determines the number of computing units the scheme will distribute the computation to, chooses uniform λ-bit primes $p_1, \ldots, p_t$ and uniform dλ-bit primes $p_{t+1}, \ldots, p_{2t}$, for a fixed positive integer $d \ge t$. Set $g := \prod_{i=1}^{2t} p_i$. Output the secret key $sk = (p_1, \ldots, p_{2t})$ and $pk = g$. The message space is $R = \mathbb{Z}_{p_1}$. Enc takes as input sk and $m \in \mathbb{Z}_{p_1}$ and proceeds as follows:

1. Choose uniform $s_2, \ldots, s_t$ from $\mathbb{Z}_{p_2}, \ldots, \mathbb{Z}_{p_t}$, respectively.

2. Compute $\alpha = H_g^{-1}\big((p_1, \ldots, p_t), (h_1, \ldots, h_t)\big)$, where

$$(h_1, \ldots, h_t) = (m, s_2, \ldots, s_t). \quad (4.55)$$


3. Compute $(h_{t+1}, \ldots, h_{2t}) = H_g\big((p_{t+1}, \ldots, p_{2t}), \alpha\big)$.

4. Output $(h_{t+1}, \ldots, h_{2t})$.

Dec takes as input sk and $(h_{t+1}, \ldots, h_{2t})$ and proceeds as follows:

1. Compute $\alpha = H_g^{-1}\big((p_{t+1}, \ldots, p_{2t}), (h_{t+1}, \ldots, h_{2t})\big)$.

2. Compute $m = H(p_1, \alpha)$.

3. Output m.

Addition and multiplication are computed at the Hensel digit level reduced modulo g.
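The p-adic pairing of Section 4.5.1 and the Gen, Enc, Dec and digit-wise evaluation steps just described, as an added Python example that is not part of the dissertation or its code base. The function names, the deterministic Miller–Rabin prime generator, the illustrative parameters in demo() (λ = 16, t = 2, d = 3) and the choice to draw the $s_i$ nonzero (so that a Farey preimage exists for every m) are this example's own assumptions.

```python
from fractions import Fraction
from math import isqrt, prod
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin for n < 3.3e24

def hensel(p, x):
    """Single-digit Hensel code H(p, a/b) = a * b^{-1} mod p; b must be invertible mod p."""
    x = Fraction(x)
    return x.numerator * pow(x.denominator, -1, p) % p

def hensel_inverse(p, h):
    """H^{-1}(p, h): the Farey fraction a/b with a = b*h (mod p) and |a| <= N,
    N = floor(sqrt(p/2)), found by running the extended Euclidean algorithm on
    (p, h) until the remainder drops to N (rational reconstruction)."""
    bound = isqrt(p // 2)
    r0, r1, t0, t1 = p, h % p, 0, 1          # invariant: r_i = t_i * h (mod p)
    while r1 > bound:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return Fraction(r1, t1)

def crt(residues, moduli):
    """zeta = sum_i (g/p_i) * ((g/p_i)^{-1} mod p_i) * h_i mod g, as in (4.48)."""
    g = prod(moduli)
    return sum(g // p * pow(g // p, -1, p) * h for h, p in zip(residues, moduli)) % g

def hensel_multi(primes, x):
    """k-digit Hensel code H_g((p_1..p_k), x) = (H(p_1, x), ..., H(p_k, x))."""
    return tuple(hensel(p, x) for p in primes)

def hensel_multi_inverse(primes, digits):
    """H_g^{-1}: the k digits are one digit modulo g = p_1 * ... * p_k (Theorem 4.1.2.5)."""
    return hensel_inverse(prod(primes), crt(digits, primes))

# --- Section 4.5.1: p-adic pairing P_H(alpha, beta) = zeta in Z_g ---------------
def pair(p1, p2, alpha, beta):
    return crt((hensel(p1, alpha), hensel(p2, beta)), (p1, p2))

def unpair(p1, p2, zeta):
    return hensel_inverse(p1, zeta % p1), hensel_inverse(p2, zeta % p2)

# --- Section 4.6.1: distributed private-key FHE ---------------------------------
def is_prime(n):
    """Miller-Rabin with fixed bases; exact for the odd candidates used here."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(n):
            return n

def gen(lam, t, d, rng):
    """Gen(1^lam, t): t uniform lam-bit primes and t uniform d*lam-bit primes (d >= t)."""
    sk = [random_prime(lam, rng) for _ in range(t)] + [random_prime(d * lam, rng) for _ in range(t)]
    return sk, prod(sk)                       # sk = (p_1..p_2t), pk = g

def enc(sk, m, rng):
    t = len(sk) // 2
    small, big = sk[:t], sk[t:]
    # (h_1..h_t) = (m, s_2..s_t); s_i is drawn nonzero here (assumption) so that the
    # CRT value is coprime to p_2..p_t and a Farey preimage alpha exists for every m
    digits = (m,) + tuple(rng.randrange(1, p) for p in small[1:])
    alpha = hensel_multi_inverse(small, digits)       # step 2: alpha = a/b
    return hensel_multi(big, alpha)                    # steps 3-4: (h_{t+1}..h_{2t})

def dec(sk, ct):
    t = len(sk) // 2
    return hensel(sk[0], hensel_multi_inverse(sk[t:], ct))

def evaluate(pk, ct_a, ct_b, op):
    """Each unit combines its own digit; only pk = g is needed for the reduction."""
    return tuple(op(x, y) % pk for x, y in zip(ct_a, ct_b))

def demo(seed=2020, lam=16, t=2, d=3):
    """Round trip plus one homomorphic addition and multiplication; returns three checks."""
    rng = random.Random(seed)
    sk, pk = gen(lam, t, d, rng)
    a, b = 321, 456
    ca, cb = enc(sk, a, rng), enc(sk, b, rng)
    add = dec(sk, evaluate(pk, ca, cb, lambda x, y: x + y))
    mul = dec(sk, evaluate(pk, ca, cb, lambda x, y: x * y))
    return dec(sk, enc(sk, 12345, rng)) == 12345, add == (a + b) % sk[0], mul == (a * b) % sk[0]
```

With the page's primes $p_1 = 51407$, $p_2 = 62939$, pair() and unpair() reproduce Examples 4.8 and 4.9, and demo() shows why the dλ-bit primes must be large: the product of two encrypted Farey fractions has numerator and denominator of roughly twice the bit length, and rational reconstruction modulo $p_{t+1} \cdots p_{2t}$ only recovers it while that product stays below the Farey bound.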

Theorem 4.6.1.1. For all sk output by Gen and all $m \in \mathbb{Z}_{p_1}$ we have

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m. \quad (4.56)$$

Proof. The proof of Theorem 4.6.1.1 is the combination of the proofs of Theorem 4.1.2.5, which states that k-digit Hensel codes are equivalent to single-digit Hensel codes, and Theorem 4.1.2.2, which states the correctness of the forward mapping of Hensel codes. According to the definition of the key-generation algorithm, Gen outputs t λ-bit primes and t dλ-bit primes where $d \ge t$, which satisfies correctness since in the first step of the encryption the computation of $\alpha = a/b$, that is, $\alpha = H_g^{-1}((p_1, \ldots, p_t), (h_1, \ldots, h_t))$, will result in an order-N Farey fraction in $\mathbb{F}_N$, where N is given by $N = \left\lfloor \sqrt{\prod_{i=1}^{t} p_i / 2} \right\rfloor$, and therefore

$$|a| \le N, \qquad 0 < |b| \le \left\lfloor \left( \prod_{i=1}^{t} p_i \right) \Big/ (N + 1) \right\rfloor. \quad (4.57)$$

In the second step of the encryption, α is transformed into t ciphertexts, that is, $(h_{t+1}, \ldots, h_{2t})$, using the dλ-bit primes, which are exponentially larger than the first t λ-bit primes and therefore allow correct encryption and decryption with a multiplicative depth d, given that all α generated with t λ-bit primes will be encoded with t dλ-bit primes; the depth d can be expressed in terms of bits as follows:

$$d = \frac{t d \lambda}{t \lambda}. \quad (4.58)$$


Theorem 4.6.1.2. For all $(a_{t+1}, \ldots, a_{2t}) \leftarrow \mathrm{Enc}(sk, a)$, $(b_{t+1}, \ldots, b_{2t}) \leftarrow \mathrm{Enc}(sk, b)$, and $(a_{t+1} \circ b_{t+1} \bmod p_{t+1}, \ldots, a_{2t} \circ b_{2t} \bmod p_{2t})$, we have

$$(a_{t+1} \circ b_{t+1} \bmod p_{t+1},\ \ldots,\ a_{2t} \circ b_{2t} \bmod p_{2t}) = \mathrm{Enc}(sk, a \circ b) \quad (4.59)$$

and therefore

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, a \circ b)) = a \circ b, \quad (4.60)$$

where $\circ \in \{+, \cdot\}$.

Proof. The proof of Theorem 4.6.1.2 is the combination of the proofs of Theorem 4.1.2.5, which states that k-digit Hensel codes are equivalent to single-digit Hensel codes, and Theorem 4.1.2.2, which states the correctness of the direct and inverse mappings between order-N Farey fractions and their corresponding Hensel codes and vice versa.

4.6.1.1 Security of the Scheme

The distributed private-key FHE scheme consists of computing an order-N Farey fraction α, where $N = \left\lfloor \sqrt{\prod_{i=1}^{t} p_i / 2} \right\rfloor$, for a t-digit Hensel code $(h_1, \ldots, h_t) = (m, s_2, \ldots, s_t)$, then computing an additional t-digit Hensel code $(h_{t+1}, \ldots, h_{2t})$ using the primes $p_{t+1}, \ldots, p_{2t}$, where the homomorphic computation will be conducted independently on each digit in $(h_{t+1}, \ldots, h_{2t})$ reduced mod g, where $g = \prod_{i=1}^{2t} p_i$. We show that if one knows the order-N Farey fraction α and an integer $k_i$ for each ciphertext in $(h_{t+1}, \ldots, h_{2t})$, then one can efficiently factor $p_{t+1}, \ldots, p_{2t}$ and $p_1$ from g.

Recall that for all a/b in $\mathbb{F}_p$ a Hensel code h is computed as $h = a b^{-1} \bmod p$, which can be rewritten as the following Diophantine equation:

$$a = bh + kp \quad (4.61)$$

and from (4.61) we can derive

$$b = (a - kp)/h, \qquad k = (a - bh)/p, \quad (4.62)$$


and it is clear that if one can compute the k associated with a/b and h, then computing p is as trivial as

$$p = (a - bh)/k. \quad (4.63)$$

Lemma 4.6.1.1. Given a message m and its corresponding ciphertexts $(h_{t+1}, \ldots, h_{2t})$, if one can compute α and each $(k_{t+1}, \ldots, k_{2t})$ corresponding to each one of the t ciphertexts such that

$$(k_{t+1}, \ldots, k_{2t}) = \big( (b h_{t+1} - a)/p_{t+1},\ \ldots,\ (b h_{2t} - a)/p_{2t} \big), \quad (4.64)$$

then one can efficiently factor $p_{t+1}, \ldots, p_{2t}$ and $p_1$ from g, which is the minimum information required for a total break of the scheme.

Proof. Recall that $g = \prod_{i=1}^{2t} p_i$ and each $h_i$ in $(h_{t+1}, \ldots, h_{2t})$ is computed as

$$\big( a b^{-1} \bmod p_{t+1},\ \ldots,\ a b^{-1} \bmod p_{2t} \big), \quad (4.65)$$

where $\alpha = a/b$, which can be rearranged as

$$\big( h_{t+1} b - a = k_{t+1} p_{t+1},\ \ldots,\ h_{2t} b - a = k_{2t} p_{2t} \big) \quad (4.66)$$

for some integers $k_{t+1}, \ldots, k_{2t}$. Thus, if one can solve for a, b and each $k_i$ associated with each public $h_i$ in

$$\begin{aligned} k_{t+1} &= (b h_{t+1} - a)/p_{t+1}, & a &= h_{t+1} b - k_{t+1} p_{t+1}, & b &= (a + k_{t+1} p_{t+1})/h_{t+1}, \\ &\ \ \vdots \\ k_{2t} &= (b h_{2t} - a)/p_{2t}, & a &= h_{2t} b - k_{2t} p_{2t}, & b &= (a + k_{2t} p_{2t})/h_{2t}, \end{aligned} \quad (4.67)$$

and $k_1 = (bm - a)/p_1$, then one can efficiently factor $p_{t+1}, \ldots, p_{2t}$ and $p_1$ from g since

$$p_i = (b h_i - a)/k_i,\ i = t+1, \ldots, 2t, \qquad p_1 = (bm - a)/k_1. \quad (4.68)$$

4.7 Conclusions

The tutorial, discussions, and concrete constructions presented in this chapter are the first step towards the results of our investigation, described in Chapter 2. So far, we have demonstrated that with finite-segment p-adic numbers we can represent data, replace rational arithmetic by its representation over the integers, expand the input space of algorithms that work over integers to accept rational numbers as well, transform deterministic algorithms into probabilistic ones, create mappings such as data encodings and encryptions, and encrypt data in a distributed fashion so that multiple parties receive only pieces of ciphertexts and yet can compute a joint function and send the results back to the key owner, who will be able to decrypt the result correctly. This type of distributed computation might involve geographically remote computation units and/or multiple independent threads; thus, it also serves the purpose of parallel computation. All of this while relying only on Hensel codes. Our understanding is that the results discussed in this chapter are strong pieces of evidence that Hensel codes are worthy of thorough, extensive, and continuous investigation regarding the results presented here and others that were not covered in this work. We are not done with Hensel codes yet. In the next chapter, we will dedicate similar attention to GA, and although we will see Hensel codes coming in as an attractive supporting cast member, the star of Chapter 5 is undoubtedly GA. We will come back to Hensel codes in Chapter 6.

CHAPTER 5

Clifford Geometric Algebra

In this chapter, we discuss GA for practical applications in cryptography, which can be expanded to other areas in computer science. We aim to provide enough information to get anyone in computer science, even those who have never heard about GA before, on board with an experience that highlights the usefulness of GA for practical and modern applications in cryptography and related areas. Why should anyone, and in particular a computer scientist, care about GA? Before any influence from hands-on experiments, we find some insightful answers in the modern literature. From an engineering perspective, Hildenbrand remarks in [218] on the ability of GA to unify many mathematical systems into a new, easy-to-understand system, handling geometric objects and geometric operations intuitively. This unification includes working with vector algebra, complex numbers, and quaternions (to cite a few) while thinking exclusively in terms of GA at all times. From a computational standpoint, Hildenbrand remarks that GA offers some appealing benefits for programmers, such as direct integration of GA itself with standard programming languages, compactness of algorithms, implicit use of parallelism, high runtime performance, and robustness. According to Perwass, if there is any mathematical language that can be considered the language for geometry, that is GA [42]. Perwass remarks that studying GA is equivalent to studying several branches of mathematics at the same time, such as vector analysis, Grassmann’s algebra, Hamilton’s quaternions, complex numbers, and Pauli matrices. Vince discusses how he went from an expert in vector analysis to a student of GA as soon as he learned that in GA he could easily expand his ideas for two and three dimensions to arbitrarily large dimensions, more consistently and more efficiently [219].

Before we continue, it is important to acknowledge the different types of GA. A particular set of mathematical tools for the construction, analysis, and integration of classical Euclidean, inversive and projective geometries is commonly referred to as Conformal Geometric Algebra (CGA), with several practical applications in computer science, engineering, and physics [46]. The focus of CGA is on the meaning and manipulation of geometric objects and phenomena. On the other hand, David Hestenes remarks on an important difference between what is known as simply Clifford Algebra (CA) and GA. While CA and GA share the same root in the work of William Kingdon Clifford, CA is a mathematical system focused on algebraic notions with very little attention to their geometric meaning, whereas GA is referred to as a universal geometric language, where algebraic properties and their geometric meaning are reconciled [46]. Several authors adopt the term Clifford Geometric Algebra [41,220–227], which we generalize as GA.

5.1 A Compact Tutorial

In this section, we present a compact GA tutorial. Our goal is to introduce the theory required to understand the concrete constructions discussed in this work.

5.1.1 Basic Definitions

We now provide basic and yet relevant definitions in GA. The terminology and notation, whenever applicable, are adjusted to the computer science audience. Currently, the most popular Euclidean n-space algebraic structure is $\mathbb{R}^n$ [228]. We now discuss GA as a powerful extension of $\mathbb{R}^n$, which we refer to as the geometric product space $\mathbb{G}^n$.

Definition 5.1.1.1. ([228] Geometric Algebra) The geometric algebra represented by the geometric product space $\mathbb{G}^n$ is an extension of the inner product space $\mathbb{R}^n$. $\mathbb{G}^n$ is an associative algebra and its product is the anti-commutative geometric product. Members of $\mathbb{G}^n$ are called multivectors, which are denoted by $\bar{M} \in \mathbb{G}^n$, while vectors are members of $\mathbb{R}^n$, denoted by $v \in \mathbb{R}^n$. The geometric product of $\mathbb{G}^n$ and the algebraic structure of $\mathbb{R}^n$ are linked via

$$vv = v \cdot v = |v|^2 \quad \forall v \in \mathbb{R}^n, \quad (5.1)$$

where $vv$ is the geometric product and $v \cdot v$ is the inner product of v with itself. One direct implication of this fact is that nonzero vectors have an inverse in $\mathbb{G}^n$ such that $v^{-1} = v / |v|^2$. Every orthonormal basis for $\mathbb{R}^n$ determines a canonical basis for the multivector space $\mathbb{G}^n$.

In $\mathbb{R}^n$, we have what are called the basis vectors $e_1, e_2, \ldots, e_n$ as the basic algebraic elements of an n-dimensional vector algebra [218]. In $\mathbb{G}^n$, the basic algebraic elements are called blades, which we denote by $\bar{e}_i$. Blades belong to grades, which can be loosely described as collections of blades, and an n-dimensional geometric algebra $\mathbb{G}^n$ is composed of grades $0, 1, 2, \ldots, n$.

Definition 5.1.1.2. ([218] Multivector in $\mathbb{G}^n$) A linear combination of blades with different grades is called a multivector. Multivectors are the general elements of GA. In $\mathbb{G}^n$, there are $2^n$ blades and $n + 1$ grades, such that

$$\underbrace{\bar{e}_0}_{\text{0-grade}},\ \underbrace{\bar{e}_1, \ldots, \bar{e}_n}_{\text{1-grade}},\ \underbrace{\bar{e}_{12}, \ldots, \bar{e}_{n-1\,n}}_{\text{2-grade}},\ \ldots,\ \underbrace{\bar{e}_{1 \ldots n}}_{\text{n-grade}}. \quad (5.2)$$

All multivectors $\bar{M} \in \mathbb{G}^n$ are then denoted by the following linear combination of blades:

$$\bar{M} = m_0 \bar{e}_0 + m_1 \bar{e}_1 + \ldots + m_n \bar{e}_n + m_{12} \bar{e}_{12} + \ldots + m_{n-1\,n} \bar{e}_{n-1\,n} + \ldots + m_{1 \ldots n} \bar{e}_{1 \ldots n} \quad (5.3)$$

for all $m_0, \ldots, m_{1 \ldots n}$ in some arbitrary space K.

The blades of higher dimensions are usually defined in terms of the exterior product of lower-dimension blades. However, we have not discussed the exterior product yet. To make this tutorial smoother, we will discuss grades, blades, and all the remaining properties of interest in GA in terms of a fixed dimension n. The properties presented in Definition 5.1.1.1 are valid for any dimension n. It is important to provide a generic definition for those interested in arbitrarily high dimensions, especially when defining geometric algebra itself. Before discussing definitions that are dimension-specific, we present the definitions of the inner product and wedge product of multivectors.


Definition 5.1.1.3. (Inner Product) The inner product of two multivectors $\bar{A}, \bar{B} \in \mathbb{G}^3$ is given by a linear combination of the blades of $\bar{A}$ and $\bar{B}$ according to the following rules (for $i \ne j$):

$$\bar{e}_i \cdot \bar{e}_i = 1, \qquad \bar{e}_i \cdot \bar{e}_j = 0, \qquad \bar{e}_j \cdot \bar{e}_i = 0, \quad (5.4)$$

and it is denoted by $\bar{A} \cdot \bar{B} = \langle \bar{C} \rangle_0$, where $\langle \bar{C} \rangle_0$ denotes a scalar.

Definition 5.1.1.4. (Wedge Product) The wedge product (or exterior product) of two multivectors $\bar{A}, \bar{B} \in \mathbb{G}^3$ is given by a linear combination of the blades of $\bar{A}$ and $\bar{B}$ according to the following rules:

$$\bar{e}_i \wedge \bar{e}_i = 0, \qquad \bar{e}_j \wedge \bar{e}_i = -\bar{e}_i \wedge \bar{e}_j, \qquad \bar{e}_i \wedge \bar{e}_j = \bar{e}_{ij}, \quad (5.5)$$

and it is denoted by $\bar{A} \wedge \bar{B} = \langle \bar{C} \rangle_1 + \langle \bar{C} \rangle_2 + \langle \bar{C} \rangle_3$.

The most basic arithmetic operations in GA are the following: in $\mathbb{G}^n$, for $i \in \{0, 1, \ldots, 1 \ldots n\}$, let multivectors $\bar{A}, \bar{B} \in \mathbb{G}^n$ be represented by $\bar{A} = \sum_i a_i \bar{e}_i$ and $\bar{B} = \sum_i b_i \bar{e}_i$. Then, we have

• Addition: $\bar{A} + \bar{B} = \sum_i (a_i + b_i) \bar{e}_i$.

• Subtraction: $\bar{A} - \bar{B} = \sum_i (a_i - b_i) \bar{e}_i$.

• Scalar multiplication: $\bar{A} \alpha = \sum_i (a_i \alpha) \bar{e}_i$.

• Scalar division: $\bar{A} / \alpha = \sum_i (a_i / \alpha) \bar{e}_i$

for all $\bar{A}, \bar{B} \in \mathbb{G}^n$ and all $\alpha \in K$, where K is an arbitrary scalar space in which the coefficients of $\bar{A}, \bar{B}$ lie. As we move forward, we want to fix n to either 2 or 3 for the remaining definitions in GA since, as mentioned earlier, this tutorial aims to equip the reader with the theory required to understand the concrete constructions discussed in this work. All the remaining definitions are dimension sensitive; thus, from now on, we present the basic definitions in terms of a fixed dimension n.

5.1.2 Basic Definitions in G2

Now we discuss the dimension-sensitive definitions for n = 2.


Definition 5.1.2.1. (Multivector in $\mathbb{G}^2$) A multivector in $\mathbb{G}^2$ has $2^2$ blades and $2 + 1$ grades, such that

$$\underbrace{\bar{e}_0}_{\text{0-grade}},\ \underbrace{\bar{e}_1, \bar{e}_2}_{\text{1-grade}},\ \underbrace{\bar{e}_{12}}_{\text{2-grade}}. \quad (5.6)$$

The 0-grade is composed of one scalar, the 1-grade is composed of two (basis) vectors, and the 2-grade is composed of one bivector. All multivectors $\bar{M} \in \mathbb{G}^2$ are then denoted by the following linear combination of blades:

$$\bar{M} = m_0 \bar{e}_0 + m_1 \bar{e}_1 + m_2 \bar{e}_2 + m_{12} \bar{e}_{12} \quad (5.7)$$

for all $m_0, \ldots, m_{12}$ in some arbitrary scalar space K.

Now we discuss a type of multivector transformation called involutions [218]. Simply put, involutions are transformations that change the signs of certain grades, depending on the type of involution. The most compact way to define multivector involutions is by using grade notation. Next, we define the multivector involution Clifford conjugation.

Definition 5.1.2.2. (Clifford Conjugation in $\mathbb{G}^2$) The Clifford conjugation is a multivector involution that changes the sign of the 1-grade and 2-grade, and it is denoted by

$$\overline{M} = \langle \bar{M} \rangle_0 - \langle \bar{M} \rangle_1 - \langle \bar{M} \rangle_2. \quad (5.8)$$

For all $\bar{M} \in \mathbb{G}^2$ and $\bar{N} = \overline{M}$, it holds that $\overline{N} = \bar{M}$.

Definition 5.1.2.3. (Geometric Product in $\mathbb{G}^2$) The geometric product of two multivectors $\bar{A}, \bar{B} \in \mathbb{G}^2$ is given by the direct sum of the inner product and the wedge product of $\bar{A}$ and $\bar{B}$, and it is denoted by $\bar{A}\bar{B} = \bar{A} \cdot \bar{B} + \bar{A} \wedge \bar{B}$. The geometric product is computed via a linear combination of the blades of $\bar{A}$ and $\bar{B}$ according to the following rules:

$$\bar{e}_i \bar{e}_i = \bar{e}_0, \qquad \bar{e}_i \cdots \bar{e}_k = \bar{e}_i \wedge \ldots \wedge \bar{e}_k \ \text{(for distinct } i, \ldots, k\text{)} \quad (5.9)$$

for all $\bar{A}, \bar{B} \in \mathbb{G}^2$ such that

$$\begin{aligned} \bar{A} &= a_0 \bar{e}_0 + a_1 \bar{e}_1 + a_2 \bar{e}_2 + a_{12} \bar{e}_{12} \\ \bar{B} &= b_0 \bar{e}_0 + b_1 \bar{e}_1 + b_2 \bar{e}_2 + b_{12} \bar{e}_{12} \end{aligned} \quad (5.10)$$


such that

$$\begin{aligned} \bar{A}\bar{B} =\ & (a_0 b_0 + a_1 b_1 + a_2 b_2 - a_{12} b_{12})\, \bar{e}_0 + \\ & (a_0 b_1 + a_1 b_0 - a_2 b_{12} + a_{12} b_2)\, \bar{e}_1 + \\ & (a_0 b_2 + a_1 b_{12} + a_2 b_0 - a_{12} b_1)\, \bar{e}_2 + \\ & (a_0 b_{12} + a_1 b_2 - a_2 b_1 + a_{12} b_0)\, \bar{e}_{12}. \end{aligned} \quad (5.11)$$

The geometric product in G2 can also be expressed in terms of its multiplication table, which is given in Table 5.1.

          e0      e1      e2      e12
   e0     e0      e1      e2      e12
   e1     e1      e0      e12     e2
   e2     e2     -e12     e0     -e1
   e12    e12    -e2      e1     -e0

Table 5.1: Multiplication table in $\mathbb{G}^2$ (row blade times column blade; bars omitted).

A function that combines the geometric product with the Clifford conjugation results in a multivector representing a scalar. We refer to this function as the rationalize.

Definition 5.1.2.4. (Rationalize in $\mathbb{G}^2$) For all $\bar{M} \in \mathbb{G}^2$, the rationalize of $\bar{M}$ is given by

$$R(\bar{M}) = \bar{M}\, \overline{M}. \quad (5.12)$$

Definition 5.1.2.5. (Inverse in $\mathbb{G}^2$) For all $\bar{M} \in \mathbb{G}^2$ where $\bar{M}\, \overline{M} \ne 0$, the inverse of $\bar{M}$ is given by

$$\bar{M}^{-1} = \frac{\overline{M}}{R(\bar{M})} \quad (5.13)$$

such that $\bar{M} \bar{M}^{-1} = 1$.

5.1.3 Basic Definitions in G3

Now we discuss the dimension-sensitive definitions for n = 3.

Definition 5.1.3.1. (Multivector in $\mathbb{G}^3$) A multivector in $\mathbb{G}^3$ has $2^3$ blades and $3 + 1$ grades, such that

$$\underbrace{\bar{e}_0}_{\text{0-grade}},\ \underbrace{\bar{e}_1, \bar{e}_2, \bar{e}_3}_{\text{1-grade}},\ \underbrace{\bar{e}_{12}, \bar{e}_{13}, \bar{e}_{23}}_{\text{2-grade}},\ \underbrace{\bar{e}_{123}}_{\text{3-grade}}. \quad (5.14)$$

The 0-grade is composed of one scalar, the 1-grade is composed of three (basis) vectors, the 2-grade is composed of three bivectors, and the 3-grade is composed of the trivector or pseudoscalar. All multivectors $\bar{M} \in \mathbb{G}^3$ are then denoted by the following linear combination of blades:

$$\bar{M} = m_0 \bar{e}_0 + m_1 \bar{e}_1 + m_2 \bar{e}_2 + m_3 \bar{e}_3 + m_{12} \bar{e}_{12} + m_{13} \bar{e}_{13} + m_{23} \bar{e}_{23} + m_{123} \bar{e}_{123} \quad (5.15)$$

for all $m_0, \ldots, m_{123}$ in some arbitrary scalar space K.

We denote a single grade of a multivector $\bar{M} \in \mathbb{G}^3$ by $\langle \bar{M} \rangle_i$, $i = 0, \ldots, 3$. Thus, we can represent a multivector using grade notation such that

$$\bar{M} = \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2 + \langle \bar{M} \rangle_3, \quad (5.16)$$

where (5.3) is equivalent to (5.16). Now we discuss a type of multivector transformation called involutions [218]. Simply put, involutions are transformations that change the signs of certain grades, depending on the type of involution. The most compact way to define multivector involutions is by using grade notation. Next we define two multivector involutions: Clifford conjugation and reverse.

Definition 5.1.3.2. (Clifford Conjugation in $\mathbb{G}^3$) The Clifford conjugation is a multivector involution that changes the sign of the 1-grade and 2-grade, and it is denoted by

$$\overline{M} = \langle \bar{M} \rangle_0 - \langle \bar{M} \rangle_1 - \langle \bar{M} \rangle_2 + \langle \bar{M} \rangle_3. \quad (5.17)$$

For all $\bar{M} \in \mathbb{G}^3$ and $\bar{N} = \overline{M}$, it holds that $\overline{N} = \bar{M}$.

Definition 5.1.3.3. (Reverse in $\mathbb{G}^3$) The reverse is a multivector involution that changes the sign of the 1-grade and 3-grade, and it is denoted by

$$\bar{M}^{\dagger} = \langle \bar{M} \rangle_0 - \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2 - \langle \bar{M} \rangle_3. \quad (5.18)$$

For all $\bar{M} \in \mathbb{G}^3$ and $\bar{N} = \bar{M}^{\dagger}$, it holds that $\bar{N}^{\dagger} = \bar{M}$. The inner product in $\mathbb{R}^n$ is well known. However, we can also compute the inner product of multivectors, as defined in Definition 5.1.1.3. Now we define the main operation in GA, the geometric product, in terms of the inner and the wedge product.


Definition 5.1.3.4. (Geometric Product in $\mathbb{G}^3$) The geometric product of two multivectors $\bar{A}, \bar{B} \in \mathbb{G}^3$ is given by the direct sum of the inner product and the wedge product of $\bar{A}$ and $\bar{B}$, and it is denoted by $\bar{A}\bar{B} = \bar{A} \cdot \bar{B} + \bar{A} \wedge \bar{B}$. The geometric product is computed via a linear combination of the blades of $\bar{A}$ and $\bar{B}$ according to the following rules:

$$\bar{e}_i \bar{e}_i = \bar{e}_0, \qquad \bar{e}_i \cdots \bar{e}_k = \bar{e}_i \wedge \ldots \wedge \bar{e}_k \ \text{(for distinct } i, \ldots, k\text{)} \quad (5.19)$$

for all $\bar{A}, \bar{B} \in \mathbb{G}^3$ such that

$$\begin{aligned} \bar{A} &= a_0 \bar{e}_0 + a_1 \bar{e}_1 + a_2 \bar{e}_2 + a_3 \bar{e}_3 + a_{12} \bar{e}_{12} + a_{13} \bar{e}_{13} + a_{23} \bar{e}_{23} + a_{123} \bar{e}_{123} \\ \bar{B} &= b_0 \bar{e}_0 + b_1 \bar{e}_1 + b_2 \bar{e}_2 + b_3 \bar{e}_3 + b_{12} \bar{e}_{12} + b_{13} \bar{e}_{13} + b_{23} \bar{e}_{23} + b_{123} \bar{e}_{123} \end{aligned} \quad (5.20)$$

such that

$$\begin{aligned} \bar{A}\bar{B} =\ & (a_0 b_0 + a_1 b_1 + a_2 b_2 + a_3 b_3 - a_{12} b_{12} - a_{13} b_{13} - a_{23} b_{23} - a_{123} b_{123})\, \bar{e}_0 + \\ & (a_0 b_1 + a_1 b_0 - a_2 b_{12} - a_3 b_{13} + a_{12} b_2 + a_{13} b_3 - a_{23} b_{123} - a_{123} b_{23})\, \bar{e}_1 + \\ & (a_0 b_2 + a_1 b_{12} + a_2 b_0 - a_3 b_{23} - a_{12} b_1 + a_{13} b_{123} + a_{23} b_3 + a_{123} b_{13})\, \bar{e}_2 + \\ & (a_0 b_3 + a_1 b_{13} + a_2 b_{23} + a_3 b_0 - a_{12} b_{123} - a_{13} b_1 - a_{23} b_2 - a_{123} b_{12})\, \bar{e}_3 + \\ & (a_0 b_{12} + a_1 b_2 - a_2 b_1 + a_3 b_{123} + a_{12} b_0 - a_{13} b_{23} + a_{23} b_{13} + a_{123} b_3)\, \bar{e}_{12} + \\ & (a_0 b_{13} + a_1 b_3 - a_2 b_{123} - a_3 b_1 + a_{12} b_{23} + a_{13} b_0 - a_{23} b_{12} - a_{123} b_2)\, \bar{e}_{13} + \\ & (a_0 b_{23} + a_1 b_{123} + a_2 b_3 - a_3 b_2 - a_{12} b_{13} + a_{13} b_{12} + a_{23} b_0 + a_{123} b_1)\, \bar{e}_{23} + \\ & (a_0 b_{123} + a_1 b_{23} - a_2 b_{13} + a_3 b_{12} + a_{12} b_3 - a_{13} b_2 + a_{23} b_1 + a_{123} b_0)\, \bar{e}_{123}. \end{aligned} \quad (5.21)$$

The geometric product in $\mathbb{G}^3$ can also be expressed in terms of its multiplication table, which is given in Table 5.2. As we previously mentioned, GA is known for unifying notions of several different branches of mathematics in a single mathematical system. Sometimes this is related to how the multivector is configured, which determines how the computation on multivectors takes place with respect to certain configurations. In order to provide a concrete instantiation of this idea, we first discuss special multivectors known as complex-like scalars [47].


           e0      e1      e2      e3      e12     e13     e23     e123
   e0      e0      e1      e2      e3      e12     e13     e23     e123
   e1      e1      e0      e12     e13     e2      e3      e123    e23
   e2      e2     -e12     e0      e23    -e1     -e123    e3     -e13
   e3      e3     -e13    -e23     e0      e123   -e1     -e2      e12
   e12     e12    -e2      e1      e123   -e0     -e23     e13    -e3
   e13     e13    -e3     -e123    e1      e23    -e0     -e12     e2
   e23     e23     e123   -e3      e2     -e13     e12    -e0     -e1
   e123    e123    e23    -e13     e12    -e3      e2     -e1     -e0

Table 5.2: Multiplication table in $\mathbb{G}^3$ (row blade times column blade; bars omitted).

Definition 5.1.3.5. (Complex-like Scalar in $\mathbb{G}^3$) For all $\bar{M} \in \mathbb{G}^3$, a complex-like scalar is a multivector composed of the scalar and the pseudoscalar parts, 0-grade and 3-grade respectively, such that

$$\bar{M} = \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_3. \quad (5.22)$$

Such a multivector $\bar{M}$ is under the same rules as complex arithmetic, so we say that $\bar{M} \in \mathbb{C}$. By combining the geometric product with the Clifford conjugation we generate a complex-like scalar. For all $\bar{M} \in \mathbb{G}^3$, the following holds:

$$\bar{M}\, \overline{M} = \langle \bar{M}\, \overline{M} \rangle_0 + \langle \bar{M}\, \overline{M} \rangle_3. \quad (5.23)$$

Since $\bar{M}\, \overline{M}$ is a complex-like scalar to which we can apply the rules of complex arithmetic via GA, if we multiply $\bar{M}\, \overline{M}$ by its reverse, we obtain a scalar, which is equivalent to computing the magnitude squared of a complex number. We refer to this operation as the rationalize.

Definition 5.1.3.6. (Rationalize in $\mathbb{G}^3$) For all $\bar{M} \in \mathbb{G}^3$, the rationalize of $\bar{M}$ is given by

$$R(\bar{M}) = \big( \bar{M}\, \overline{M} \big) \big( \bar{M}\, \overline{M} \big)^{\dagger}. \quad (5.24)$$

The rationalize of a multivector $\bar{M} \in \mathbb{G}^3$ results in a scalar of the same space as the coefficients of $\bar{M}$. As an example, if the coefficients of $\bar{M}$ are in $\mathbb{Q}$, the rationalize will result in a scalar in $\mathbb{Q}$.


For complex-like solutions, the inverse of a multivector $\bar{M} \in \mathbb{G}^3$, if $\bar{M}\, \overline{M} \ne 0$, is given by $\bar{M}^{-1} = \overline{M} / (\bar{M}\, \overline{M})$. However, in the remainder of this work we will apply the inverse definition for “non-complex” solutions.

Definition 5.1.3.7. (Inverse in $\mathbb{G}^3$) For all $\bar{M} \in \mathbb{G}^3$ where $\bar{M}\, \overline{M} \ne 0$, the inverse of $\bar{M}$ is given by

$$\bar{M}^{-1} = \frac{\overline{M} \big( \bar{M}\, \overline{M} \big)^{\dagger}}{R(\bar{M})} \quad (5.25)$$

such that $\bar{M} \bar{M}^{-1} = 1$.

Not only is it possible to represent multivectors in terms of scalars, but we also have the ability to derive several multivectors from a single multivector such that we recover the original multivector through a function that takes the derived multivectors as input. If there is a generalized derivation that works for all multivectors, then we have a multivector decomposition.

Definition 5.1.3.8. (Multivector Decomposition in $\mathbb{G}^3$) For all $\bar{M} \in \mathbb{G}^3$, a multivector decomposition is a set of t functions $f_i : \mathbb{G}^3 \to \mathbb{G}^3$ for $i = 1, \ldots, t$, where, for each i, we have $f_i(\bar{M}) = \bar{N}_i$, and there is a function f such that $f(\bar{N}_1, \ldots, \bar{N}_t) = \bar{M}$.

Multivector decompositions are useful, for example, for computing functions in terms of decomposed multivectors, which usually simplifies the computation altogether. As an example of this fact, we introduce Lemma 5.1.3.1, which presents a multivector decomposition that will be useful for computing functions in terms of the derived multivectors.

Lemma 5.1.3.1. A multivector $\bar{M} \in \mathbb{G}^3$ can be decomposed in terms of the multivectors $\bar{Z}$ and $\bar{F}$, where $f_1(\bar{M}) = \frac{1}{2}(\bar{M} + \overline{M}) = \bar{Z}$ and $f_2(\bar{M}) = \frac{1}{2}(\bar{M} - \overline{M}) = \bar{F}$, such that $f(\bar{Z}, \bar{F}) = \bar{Z} + \bar{F} = \bar{M}$, where $\bar{Z}$ is a complex scalar of the form $\bar{Z} = \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_3$, and $\bar{F} = \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2$.

Proof. Recall that we can write $\bar{M}$ using grade notation, that is, $\bar{M} = \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2 + \langle \bar{M} \rangle_3$ and $\overline{M} = \langle \bar{M} \rangle_0 - \langle \bar{M} \rangle_1 - \langle \bar{M} \rangle_2 + \langle \bar{M} \rangle_3$; thus we have

$$\bar{M} + \overline{M} = 2 \big( \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_3 \big) = 2 \bar{Z} \quad (5.26)$$

and it is clear that $\bar{Z} = \frac{1}{2}(\bar{M} + \overline{M})$. Similarly, $\bar{M} - \overline{M} = 2 \big( \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2 \big) = 2 \bar{F}$ and therefore $\bar{F} = \frac{1}{2}(\bar{M} - \overline{M})$.

Given the multivector decomposition in Lemma 5.1.3.1, we can compute the eigenvalues of a multivector in terms of $\bar{Z}$ and $\bar{F}$, as shown in Theorem 5.1.3.1.

Theorem 5.1.3.1. For all $\bar{M} \in \mathbb{G}^3$, the eigenvalues $\alpha_1, \alpha_2 \in \mathbb{C}$ of $\bar{M}$ are computed as follows:

$$\alpha_i = \bar{Z} \pm \sqrt{\bar{Z}^2 - \bar{M}\, \overline{M}} = \bar{Z} \pm \sqrt{\bar{F}^2}, \qquad i = 1 \text{ for } +,\ i = 2 \text{ for } -. \quad (5.27)$$

Proof. Given $\overline{M} = \langle \bar{M} \rangle_0 - \langle \bar{M} \rangle_1 - \langle \bar{M} \rangle_2 + \langle \bar{M} \rangle_3$, we rewrite it as

$$\big( \langle \bar{M} \rangle_0 + \langle \bar{M} \rangle_3 \big) - \big( \langle \bar{M} \rangle_1 + \langle \bar{M} \rangle_2 \big), \quad (5.28)$$

thus $\overline{M} = \bar{Z} - \bar{F}$ and

$$\bar{M}\, \overline{M} = (\bar{Z} + \bar{F})(\bar{Z} - \bar{F}) = \bar{Z}^2 - \bar{Z}\bar{F} + \bar{F}\bar{Z} - \bar{F}^2. \quad (5.29)$$

Recall that $\bar{Z}$ is a complex scalar and therefore commutes. Then $\bar{Z}\bar{F}$ and $\bar{F}\bar{Z}$ also commute, which allows us to write $\bar{M}\, \overline{M} = \bar{Z}^2 - \bar{F}^2$. Since we want to compute the eigenvalues of $\bar{M}$, we first need to solve for α considering the characteristic equation $\bar{M}\bar{X} = \alpha \bar{X}$, $\alpha \in \mathbb{C}$. For that, we write $(\bar{M} - \alpha)\bar{X} = 0$. Then, the determinant of $\bar{M}$, which is a complex scalar, is given by $\det(\bar{M}) = \bar{M}\, \overline{M}$ [47]. This allows us to write $\det(\bar{M} - \alpha) = 0$ and $\det(\bar{M} - \alpha) = (\bar{M} - \alpha)\, \overline{(\bar{M} - \alpha)} = 0$. Let $\bar{N} = \bar{M} - \alpha$ such that $\bar{N}\, \overline{N} = 0$. For readability, let $\bar{Z}_N, \bar{Z}_M, \bar{Z}_\alpha, \bar{F}_N, \bar{F}_M, \bar{F}_\alpha$ be the $\bar{Z}$-type and the $\bar{F}$-type multivectors computed for $\bar{N}$, $\bar{M}$ and α, respectively. We write $\bar{N}\, \overline{N} = \bar{Z}_N^2 - \bar{F}_N^2$, which can be expressed as $(\bar{Z}_\alpha + \bar{Z}_M)^2 - (\bar{F}_\alpha + \bar{F}_M)^2 = 0$. Since $\bar{Z}_\alpha$ is the complex-like part of $\alpha \in \mathbb{C}$, then $\bar{Z}_\alpha = \alpha$ and we can write $(\alpha + \bar{Z}_M)^2 - \bar{F}_M^2 = 0$. The expansion of the terms gives us

$$\alpha^2 + 2\alpha \bar{Z}_M + \bar{Z}_M^2 - \bar{F}_M^2 = 0. \quad (5.30)$$

Since we now only have multivectors in terms of $\bar{M}$, we let $\bar{Z}_M = \bar{Z}$ and $\bar{M}\, \overline{M} = \bar{Z}^2 - \bar{F}^2$, so we can write $\alpha^2 + 2\alpha \bar{Z} + \bar{M}\, \overline{M} = 0$. In order to solve for α, we finally arrive at $\alpha = \bar{Z} \pm \sqrt{\bar{Z}^2 - \bar{M}\, \overline{M}} = \bar{Z} \pm \sqrt{\bar{F}^2}$.

To conclude this tutorial, we remark that everything we discussed so far can be computed over the integers reduced to a certain modulus, as it is done in modular arithmetic. We denote the three-dimensional geometric product space where the coefficients of multivectors are integers reduced to a certain modulus q by $\mathbb{G}^3_q$. The basic arithmetic on the coefficients of multivectors in $\mathbb{G}^3_q$ is all performed modulo q. We have now covered the fundamental theory on which all the concrete ideas and constructions discussed in this work are based. As the reader can see, we have only covered a very small set of simple algebraic functions in GA, which will be enough for our purposes.
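A small $\mathbb{G}^3$ implementation of the definitions above, added here as an example that is not the dissertation's code. The blade products of Table 5.2 are generated from blade bitmasks (the general sorting rule, which also yields Table 5.1), and the class name MV, the helper names and the optional modulus q for $\mathbb{G}^3_q$ are this example's own choices; the reverse follows (5.18) as stated on the page.

```python
from fractions import Fraction

# Page order of blades: e0, e1, e2, e3, e12, e13, e23, e123, as bitmasks over (e1, e2, e3).
MASKS = (0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111)
INDEX = {m: i for i, m in enumerate(MASKS)}
NAMES = ("e0", "e1", "e2", "e3", "e12", "e13", "e23", "e123")


def blade_product(a, b):
    """e_a e_b = sign * e_{a xor b}: the sign counts the swaps needed to sort the
    basis vectors of e_a e_b, and repeated vectors cancel since e_i e_i = e_0 (5.19)."""
    swaps, x = 0, a >> 1
    while x:
        swaps += bin(x & b).count("1")
        x >>= 1
    return (-1 if swaps & 1 else 1), a ^ b


class MV:
    """Multivector in G^3 (Fraction coefficients) or in G^3_q (coefficients mod q)."""

    def __init__(self, coeffs, q=None):
        self.q = q
        self.c = [c % q if q else Fraction(c) for c in coeffs]

    def _new(self, coeffs):
        return MV(coeffs, self.q)

    def __add__(self, o):
        return self._new([x + y for x, y in zip(self.c, o.c)])

    def __sub__(self, o):
        return self._new([x - y for x, y in zip(self.c, o.c)])

    def __mul__(self, o):
        """Geometric product (5.21), assembled blade by blade from Table 5.2."""
        out = [0] * 8
        for i, x in enumerate(self.c):
            for j, y in enumerate(o.c):
                sign, mask = blade_product(MASKS[i], MASKS[j])
                out[INDEX[mask]] += sign * x * y
        return self._new(out)

    def __eq__(self, o):
        return self.q == o.q and self.c == o.c

    def grade_sign(self, signs):
        """Involution: multiply each blade by the sign attached to its grade (popcount of mask)."""
        return self._new([signs[bin(m).count("1")] * x for m, x in zip(MASKS, self.c)])

    def conj(self):          # Clifford conjugation (5.17): flips grades 1 and 2
        return self.grade_sign((1, -1, -1, 1))

    def rev(self):           # reverse as defined in (5.18): flips grades 1 and 3
        return self.grade_sign((1, -1, 1, -1))

    def rationalize(self):
        """R(M) = (M conj(M)) (M conj(M))^dagger (5.24); returns the scalar coefficient."""
        z = self * self.conj()            # complex-like scalar: grades 0 and 3 only (5.23)
        r = z * z.rev()
        assert all(x == 0 for x in r.c[1:]), "rationalize must be a scalar"
        return r.c[0]

    def inverse(self):
        """M^{-1} = conj(M) (M conj(M))^dagger / R(M) (5.25); in G^3_q, 1/R(M) is a modular inverse."""
        z = self * self.conj()
        num = self.conj() * z.rev()
        r = self.rationalize()
        inv_r = pow(r, -1, self.q) if self.q else 1 / r
        return self._new([x * inv_r for x in num.c])

    def decompose(self):
        """Lemma 5.1.3.1: Z = (M + conj(M))/2 (grades 0, 3), F = (M - conj(M))/2 (grades 1, 2)."""
        half = pow(2, -1, self.q) if self.q else Fraction(1, 2)
        z = self._new([x * half for x in (self + self.conj()).c])
        f = self._new([x * half for x in (self - self.conj()).c])
        return z, f


def blade(name, q=None):
    """Basis blade by page name, e.g. blade('e12')."""
    c = [0] * 8
    c[NAMES.index(name)] = 1
    return MV(c, q)
```

For $\bar{M} = 3 + \bar{e}_1 + 4\bar{e}_2 + \bar{e}_3 + 5\bar{e}_{12} + 9\bar{e}_{13} + 2\bar{e}_{23} + 6\bar{e}_{123}$ one gets $\bar{M}\,\overline{M} = 65 + 94\bar{e}_{123}$ and $R(\bar{M}) = 65^2 + 94^2 = 13061$, so the inverse exists over $\mathbb{Q}$ and modulo any q not dividing 13061.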

5.2 A First Experiment Towards FHE Based on GA

In 2019 we proposed an experiment that would be the first concrete construction (yet experimental) towards a fully homomorphic encryption scheme based on GA [52]. The encryption scheme is composed of four main building blocks: 1) Hensel codes (for allowing rational numbers as input, as opposed to being limited to positive integers), 2) random partitions (where the randomness of the encryption is mostly concentrated), 3) the Chinese Remainder Theorem (as an encoding mechanism), and 4) GA (as the main algebraic structure). This work's main contribution is to show that complex data structures can be represented as multivectors as opposed to just vectors or matrices. All multivectors are members of $\mathbb{G}^2$. A summary of the scheme is given next.

5.2.1 Auxiliary Algorithms

The following auxiliary algorithms are required by the encryption scheme:


• Partitionrand takes a prime $p$ and a message $m$ and proceeds as follows: generate uniform $r_i \leftarrow \{0, \ldots, 2^{\gamma\lambda}\}$ for $i = 1 \ldots 4$, and compute $d_j = r_{2j-1} - r_{2j}$ for $j = 1, 2$. Generate uniform $\delta_z \leftarrow \{0, \ldots, 2^{\gamma\lambda}\}$ for $z = 1 \ldots 3$, set $\delta_4 = m - \sum_{i=1}^{3} \delta_i$ and $M = (\delta_1 + d_1, \delta_2 - d_1, \delta_3 + d_2, \delta_4 - d_2)$. Partitionrand outputs $M$ and the syntax is defined as $M \leftarrow \text{Partitionrand}(p, m)$.

• Packhen takes $p, N, M$ as input and proceeds as follows: compute $H$ such that

$$H = (H(p, m_1), \ldots, H(p, m_4)),\quad m_1, \ldots, m_4 \in M. \qquad (5.31)$$

Compute $\bar{M} \in \mathbb{G}^2$ such that

$$\bar{M} = h_1\bar{e}_0 + h_2\bar{e}_1 + h_3\bar{e}_2 + h_4\bar{e}_3,\quad h_1, \ldots, h_4 \in H. \qquad (5.32)$$

Packhen outputs $\bar{M}$ and the syntax is defined as $\bar{M} = \text{Packhen}(p, N, M)$.

• Packiso takes $p, q, N, M$ as input and proceeds as follows: let

$$\bar{A} = m_1\bar{e}_0 + m_2\bar{e}_1 + m_3\bar{e}_2 + m_4\bar{e}_{12},\quad m_1, \ldots, m_4 \in M \qquad (5.33)$$

and

$$\bar{E} = \frac{1}{2}\bar{e}_0 + \frac{1}{2}\bar{e}_1 + \frac{1}{2}\bar{e}_2 - \frac{1}{2}\bar{e}_{12}. \qquad (5.34)$$

Compute $\bar{B} = \bar{A}\bar{E}$ and uniformly generate

$$r_i \leftarrow \{0, \ldots, 2^{\gamma\lambda}\},\quad i = 1 \ldots 4 \qquad (5.35)$$

so $\bar{M}$ can be computed such that

$$\bar{M} = (r_1 q + H(p, b_0))\bar{e}_0 + \ldots + (r_4 q + H(p, b_{12}))\bar{e}_{12} \qquad (5.36)$$

where $b_0, \ldots, b_{12} \in \bar{B}$. Packiso outputs $\bar{M}$ and the syntax is defined as $\bar{M} \leftarrow \text{Packiso}(p, q, N, M)$.

• Unpackhen takes as input $p, q, \bar{M}$ and proceeds as follows: $m$ is recovered such that

$$m = H(p, m_0 \bmod q) + \ldots + H(p, m_{12} \bmod q),\quad m_0, \ldots, m_{12} \in \bar{M}. \qquad (5.37)$$


Unpackhen outputs $m$ and the syntax is defined as $m = \text{Unpackhen}(p, q, \bar{M})$.

• Encodecrt takes $N_i, x_i, \bar{M}$ as input, for $i = 1 \ldots 4$, and proceeds as follows:

$$\bar{C}_{crt} = m_0 N_1 x_1 \bar{e}_0 + m_1 N_2 x_2 \bar{e}_1 + m_2 N_3 x_3 \bar{e}_2 + m_{12} N_4 x_4 \bar{e}_{12} \qquad (5.38)$$

where $m_0, \ldots, m_{12} \in \bar{M}$. Encodecrt outputs $\bar{C}_{crt}$ and the syntax is defined as $\bar{C}_{crt} = \text{Encodecrt}(N_i, x_i, \bar{M})$.

• Decodecrt takes $n_i, \bar{C}_{crt}$ as input, for $i = 1 \ldots 4$, and proceeds as follows: $\bar{M}$ is computed such that

$$\bar{M} = (c_0 \bmod n_1)\bar{e}_0 + (c_1 \bmod n_2)\bar{e}_1 + (c_2 \bmod n_3)\bar{e}_2 + (c_{12} \bmod n_4)\bar{e}_{12} \qquad (5.39)$$

where $c_0, \ldots, c_{12} \in \bar{C}_{crt}$. Decodecrt outputs $\bar{M}$ and the syntax is defined as $\bar{M} = \text{Decodecrt}(n_i, \bar{C}_{crt})$.

5.2.2 The Main Construction

The encryption scheme is a tuple of five algorithms: (Gen,Enc,Dec,Add,Mul), where

• Gen takes $\gamma$ and $\lambda$ as arguments, where $\lambda$ is the security parameter and $\gamma$ denotes the number of homomorphic operations, and uniformly generates the following: a secret prime $p$ from the set of $\gamma\lambda$-bit primes, $k_1, k_2 \leftarrow \{0, \ldots, 2^{\lambda/2} - 1\}$, $q \leftarrow \{0, \ldots, 2^{2\gamma\lambda} - 1\}$, $n_i \leftarrow \{0, \ldots, 2^{8\gamma\lambda} - 1\}$, $i = 1 \ldots 4$, where all $n_i$ are pairwise coprime. Set $N = p\prod_{i=1}^{4} n_i$, $N_1 = n_2 n_3 n_4$, $N_2 = n_1 n_3 n_4$, $N_3 = n_1 n_2 n_4$, $N_4 = n_1 n_2 n_3$, $x_i = N_i^{-1} \bmod n_i$, $i = 1 \ldots 4$.

The secret key multivector $\bar{K}$ is generated by setting $K_i \leftarrow \text{Partitionrand}(k_i, p)$, $\bar{K}_i = \text{Packhen}(K_i, p, N)$, for $i = 1, 2$, so $\bar{K} = \bar{K}_1\bar{K}_2$. The secret key is $sk = (p, n_i, q, N_i, x_i, \bar{K})$ for $i = 1 \ldots 4$ and the public evaluation key is $evk = N$. Gen outputs $(sk, evk)$ and the syntax is defined as $(sk, evk) \leftarrow \text{Gen}(\lambda, \gamma)$.

• Enc takes $sk, evk, m$ as input and proceeds as follows: compute $M \leftarrow \text{Partitionrand}(m, p)$, $\bar{M} \leftarrow \text{Packiso}(M, p, N)$, $\bar{C}_{crt} = \text{Encodecrt}(sk, N, \bar{M})$, and $\bar{C} = \bar{K}\bar{C}_{crt}\bar{K}^{-1}$. Enc outputs $\bar{C}$ and the syntax is defined as $\bar{C} \leftarrow \text{Enc}(sk, evk, m)$.


• Dec takes $sk, evk, \bar{C}$ as input and proceeds as follows: compute $\bar{C}_{crt} = \bar{K}^{-1}\bar{C}\bar{K}$, $\bar{M} = \text{Decodecrt}(sk, N, \bar{C}_{crt})$, $m = \text{Unpackhen}(sk, N, \bar{M})$. Dec outputs $m$ and the syntax is defined as $m = \text{Dec}(sk, N, \bar{C})$.

• Add takes as input $\bar{C}_1, \bar{C}_2$ and computes $\bar{C}_3 = \bar{C}_1 + \bar{C}_2 \bmod N$. Add outputs $\bar{C}_3$ and the syntax is defined as $\bar{C}_3 = \text{Add}(evk, \bar{C}_1, \bar{C}_2)$.

• Mul takes as input $\bar{C}_1, \bar{C}_2$ and computes $\bar{C}_3 = \bar{C}_1\bar{C}_2 \bmod N$. Mul outputs $\bar{C}_3$ and the syntax is defined as $\bar{C}_3 = \text{Mul}(evk, \bar{C}_1, \bar{C}_2)$.

5.2.3 Performance

We now present some scenarios that we chose from a broader performance experiment with our construction. The idea was to fix the $|m|_{bits}$ and $\gamma$ values and to raise only the size of $\lambda$. The tests were carried out with Ruby 2.4.0, on a MacBook Pro / macOS High Sierra 10.13.6, with a 2.8 GHz Intel Core i7 processor, 16 GB 1600 MHz DDR3 RAM, and 500 GB HD storage, using our Ruby FHE library. We did not enforce or even pursue any optimization for performance, which means that the results we present in Table 5.3, Table 5.4 and Table 5.5 can be greatly improved.

Table 5.3: Experiment run with $|m|_{bits} = 8$, $\gamma = 4$, $\lambda = 128$

Algorithm        Time (seconds)
Key Generation   3.736898
Encryption       0.026063
Decryption       0.022578
Addition         0.000038
Multiplication   0.001690

Table 5.4: Experiment run with $|m|_{bits} = 8$, $\gamma = 4$, $\lambda = 256$

Algorithm        Time (seconds)
Key Generation   46.341090
Encryption       0.071288
Decryption       0.084080
Addition         0.000107
Multiplication   0.004084


Table 5.5: Experiment run with $|m|_{bits} = 8$, $\gamma = 4$, $\lambda = 512$

Algorithm        Time (seconds)
Key Generation   4646.399635
Encryption       0.232549
Decryption       0.251651
Addition         0.000107
Multiplication   0.010047

The difference between the Key Generation runtime and that of the other algorithms is mainly due to Ruby's time for the generation of large primes with OpenSSL 2.0.2. This runtime will be significantly reduced by implementations in C. Since we were targeting real-world applications on the cloud, for which we would apply some flavor of scripting language, such as Ruby, we decided to implement the FHE library and to conduct the performance tests in Ruby. At the same time, in order to illustrate how the construction behaves in that type of situation, we wanted to make clear that our experiments deliberately considered non-optimal configurations. The runtimes provided in Tables 5.3, 5.4 and 5.5 clearly show that the performance of encryption, decryption, and homomorphic addition and multiplication allows a series of operations over a large volume of data without significantly decreasing performance, even when using a library implemented in a high-level programming language. For the five primary algorithms in our construction, the output results capture the runtime: Key Generation, Encryption, Decryption, Addition, and Multiplication. The time is recorded in seconds and refers to single operations (intentionally done this way to provide each algorithm with a unitary runtime). We give three runs of experiments where the size of the message ($|m|_{bits} = 8$) and the depth of the worst case ($\gamma = 4$) are fixed. The results differ with respect to the security parameter $\lambda$. The results in Table 5.5 are especially important because they involve the largest size of the hidden variables in our scheme. According to the description of the key generation, a prime number $p$ of 2048 bits, a product of primes $q$ of 8192 bits (from two 4096-bit primes), four secret CRT moduli $n_i$ of 32768 bits each, and secret multivector keys of 512 bits each are considered. We have an encryption algorithm running in 0.232549 seconds, a decryption algorithm running in 0.251651 seconds, an addition algorithm running in 0.000107 seconds, and a multiplication algorithm running in 0.010047 seconds, also with such a setup.

5.2.4 General Considerations

The encryption scheme described in Section 5.2.2 is homomorphic with respect to addition, subtraction, and multiplication. It allows an arbitrary number of operations on encrypted data, which is defined a priori by $\gamma$ in Gen. It is, therefore, a leveled FHE scheme [150]. Security is only informally discussed in [52]. In order to highlight the assumed security of the scheme, we review the encryption procedure. The encryption consists of transforming a message $m$ into a random partition of rational numbers $M$. Each element of $M$ is placed as a coefficient of a multivector $\bar{A}$ and $\bar{B}$ is computed such that $\bar{B} = \bar{A}\bar{E}$, where $\bar{E}$ is a pre-defined multivector as in Eq. (5.34). Then $\bar{M}$ is computed where its coefficients are of the form $r_i q + H(p, b_j)$ where $i = 1 \ldots 4$ and $j = b_0, \ldots, b_{12} \in \bar{B}$. $\bar{M}$ is then encoded using the CRT where the multivector $\bar{C}_{crt}$ is computed and its coefficients are of the form $m_j N_i x_i$ where $j = m_0, \ldots, m_{12} \in \bar{M}$ and $i = 1 \ldots 4$. Then the final multivector $\bar{C}$ is output such that $\bar{C} = \bar{K}\bar{C}_{crt}\bar{K}^{-1}$. There are two encodings in place: the Hensel encoding, using a secret prime $p$, and the CRT encoding, where the entire CRT configuration $(N_i, x_i, n_i)$ is secret.

The multivector $\bar{K}$ that "wraps" $\bar{C}_{crt}$ is also secret. The security is assumed from the combination of these three encoding layers (Hensel code, CRT, triple geometric product). The first encoding, although using a secret prime $p$, is really meant to allow rational numbers as input. However, this encoding helps with the randomization process since for the same message $m$ there are multiple random partitions of rational numbers. The security is mostly due to the CRT with a secret configuration. For each coefficient that is CRT encoded there is one equation and two unknowns. The final triple geometric product, also thanks to the CRT encoding, results in a non-linearly decryptable function.

5.3 A Framework for Homomorphic Image Processing

In Section 5.2, we discussed an experiment towards fully homomorphic encryption with GA as the main algebraic structure that is rather general-purpose. In 2019 we introduced a slightly modified scheme to reduce the size of the construction that is application-specific, that is, a homomorphic image processing framework based on GA [53]. We proposed a homomorphic encryption scheme to perform a set of algebraic functions homomorphically and then compute image processing functions on demand. In order to show its applicability, we first define the basic functions, and then we implement some well-known image processing operations. For this particular application, it is sufficient that the encryption scheme is a SWHE scheme. The construction is built upon $\mathbb{G}^2$, and similarly to the construction used in Section 5.2, it uses Hensel codes. However, there is no use of CRT this time. A summary of the scheme is given next.

5.3.1 Auxiliary Algorithms

The following auxiliary algorithms are required by the encryption scheme:

• Packrand takes $p, m, iso$ as input and proceeds as follows: uniformly generate $r_i \leftarrow \{0, \ldots, 2^{\lambda\gamma} - 1\}$ for $i = 1 \ldots 4$ and set $d_1 = r_1 - r_2$, $d_2 = r_3 - r_4$. Uniformly generate $a_i \leftarrow \{0, \ldots, 2^{\lambda/8 + 4} - 1\}$ for $i = 1 \ldots 3$ and set $a_4 = m - \sum_{i=1}^{3} a_i$. Compute

$$b_1 = a_1 + d_1,\quad b_2 = a_2 - d_1,\quad b_3 = a_3 + d_2,\quad b_4 = a_4 - d_2 \qquad (5.40)$$

such that $\bar{M}' = b_1\bar{e}_0 + b_2\bar{e}_1 + b_3\bar{e}_2 + b_4\bar{e}_{12}$. If $iso = \text{true}$, then given $\bar{E} = \frac{1}{2}\bar{e}_0 + \frac{1}{2}\bar{e}_1 + \frac{1}{2}\bar{e}_2 - \frac{1}{2}\bar{e}_{12}$, compute $\bar{M} = \bar{M}'\bar{E}$, otherwise $\bar{M} = \bar{M}'$. Packrand outputs $\bar{M}$ and the syntax is defined as $\bar{M} \leftarrow \text{Packrand}(p, m, iso)$.

• Unpacking takes $\bar{M}$ and computes $m = m_0 + m_1 + m_2 + m_{12}$ where $m_0, m_1, m_2, m_{12} \in \bar{M}$. Unpacking outputs $m$ and the syntax is defined as $m = \text{Unpacking}(\bar{M})$.

• Sealinghen takes $p, q, \bar{M}$ as input and computes

$$\bar{M}_h = H(p, m_0)\bar{e}_0 + H(p, m_1)\bar{e}_1 + H(p, m_2)\bar{e}_2 + H(p, m_{12})\bar{e}_{12} \qquad (5.41)$$

where $m_0, m_1, m_2, m_{12} \in \bar{M}$. Sealinghen outputs $\bar{M}_h$ and the syntax is defined as $\bar{M}_h = \text{Sealinghen}(p, q, \bar{M})$.

• Unsealinghen takes $p$ as input and computes

$$\bar{M} = H^{-1}(p, m_{h_0})\bar{e}_0 + H^{-1}(p, m_{h_1})\bar{e}_1 + H^{-1}(p, m_{h_2})\bar{e}_2 + H^{-1}(p, m_{h_{12}})\bar{e}_{12} \qquad (5.42)$$

where $m_{h_0}, m_{h_1}, m_{h_2}, m_{h_{12}} \in \bar{M}_h$. Unsealinghen outputs $\bar{M}$ and the syntax is defined as $\bar{M} = \text{Unsealinghen}(p, \bar{M}_h)$.

5.3.2 The Main Construction

The encryption scheme is a tuple of eight algorithms:

Π=(Gen,Enc,Dec,Add,Sub,SMul,SDiv,Mul) (5.43)

where

• Gen takes $\lambda$ and $\gamma$ as input and proceeds as follows: uniformly generate $p_1$, $p_2$, and $p_3$ from the set of $\lambda\gamma$-, $(\lambda\gamma + 1)$-, and $(\lambda\gamma + 1)$-bit primes, respectively. Set $q = \prod_{i=1}^{3} p_i$, and uniformly generate $k_1, k_2 \leftarrow \{0, \ldots, 2^{\lambda} - 1\}$. Then compute $\bar{K}_i = \text{Packrand}(p_2, k_i, \text{false})$ and $\bar{K}_{i_h} = \text{Sealinghen}(p, q, \bar{K}_i)$, where $\bar{K}_{i_h}$ must have an inverse, for $i = 1, 2$. Compute $\bar{1} = \text{Packrand}(p_2, 1, \text{true})$ and $\bar{1}_h = \text{Sealinghen}(p_1, q, \bar{1})$. $sk = (p_1, p_2, \bar{K}_{1_h}, \bar{K}_{2_h})$ and $evk = (q, \bar{E}_c)$. Gen outputs $(sk, evk)$ and the syntax is defined as $(sk, evk) \leftarrow \text{Gen}(\lambda, \gamma)$.

• Enc takes $sk, evk, m$ as input and proceeds as follows: $\bar{M} = \text{Packrand}(p_2, m, \text{true})$, $\bar{M}_h = \text{Sealinghen}(p_1, q, \bar{M})$, $\bar{1} = \text{Packrand}(p_2, 1, \text{true})$, and $\bar{1}_h = \text{Sealinghen}(p_1, q, \bar{1})$ are computed so $\bar{C} = \bar{K}_{1_h}\bar{M}_h\bar{1}_h\bar{K}_{2_h} \in \mathbb{G}^2_q$. Enc outputs $\bar{C}$ and the syntax is defined as $\bar{C} \leftarrow \text{Enc}(sk, evk, m)$.

• Dec takes as input $sk, evk, \bar{C}$ and proceeds as follows: $\bar{M}_h = \bar{K}_{1_h}^{-1}\bar{C}\bar{K}_{2_h}^{-1} \in \mathbb{G}^2_q$ and $\bar{M} = \text{Unsealinghen}(p_1, q, \bar{M}_h)$, so $m = \text{Unpack}(\bar{M})$. Dec outputs $m$ and the syntax is defined as $m = \text{Dec}(sk, evk, \bar{C})$.

• Add takes $evk, \bar{C}_1, \bar{C}_2$ and computes $\bar{C} = \bar{C}_1 + \bar{C}_2 \in \mathbb{G}^2_q$. Add outputs $\bar{C}$ and the syntax is defined as $\bar{C} = \text{Add}(evk, \bar{C}_1, \bar{C}_2)$.

• Sub takes $evk, \bar{C}_1, \bar{C}_2$ and computes $\bar{C} = \bar{C}_1 - \bar{C}_2 \in \mathbb{G}^2_q$. Sub outputs $\bar{C}$ and the syntax is defined as $\bar{C} = \text{Sub}(evk, \bar{C}_1, \bar{C}_2)$.

• SMul takes $evk, \bar{C}_1, \alpha \in \mathbb{Q}$ and computes $\bar{C} = \bar{C}_1\alpha \in \mathbb{G}^2_q$. SMul outputs $\bar{C}$ and the syntax is defined as $\bar{C} = \text{SMul}(evk, \bar{C}_1, \alpha)$.

• SDiv takes $evk, \bar{C}_1, \alpha \in \mathbb{Q}$ and computes $\bar{C} = \bar{C}_1/\alpha \in \mathbb{G}^2_q$. SDiv outputs $\bar{C}$ and the syntax is defined as $\bar{C} = \text{SDiv}(evk, \bar{C}_1, \alpha)$.

• Mul takes $evk, \bar{E}_c, \bar{C}_1, \bar{C}_2$ and computes $\bar{C} = \bar{C}_1\bar{E}_c\bar{C}_2 \in \mathbb{G}^2_q$. Mul outputs $\bar{C}$ and the syntax is defined as $\bar{C} = \text{Mul}(evk, \bar{E}_c, \bar{C}_1, \bar{C}_2)$.

5.3.3 Homomorphic Image Processing

Now we discuss how the encryption scheme described in Section 5.3.2 can be used in an application-specific scenario. We use the scheme’s main construction as a framework for building a homomorphic image processing application, which is here summarized as follows:

• Processpxl takes a bound $\vartheta$ and an $m \times n$-matrix $M$ as input and proceeds as follows: for all $m_{mn} \in M$, if $m_{mn} < 0$ then $m_{mn} = 0$; if $m_{mn} > \vartheta$, then $m_{mn} = \vartheta$; else $m_{mn} = m_{mn}$. Processpxl outputs the processed matrix $M$ and the syntax is defined as $M = \text{Processpxl}(\vartheta, M)$.

• Encimg takes as input $sk, evk, M$ and proceeds as follows: for all $m_{mn} \in M$, compute $\bar{C}_{mn} = \text{Enc}(sk, evk, m_{mn})$ where all $\bar{C}_{mn}$ are the entries of a matrix $C$ of encrypted image pixels. Encimg outputs $C$ and the syntax is defined as $C = \text{Encimg}(sk, evk, M)$.

• Decimg takes as input $sk, evk, C$ and proceeds as follows: for all $\bar{C}_{mn} \in C$, compute $m_{mn} = \text{Dec}(sk, evk, \bar{C}_{mn})$, where $m_{mn}$ are the entries of the matrix $M$ with unencrypted image pixels. Compute $M = \text{Processpxl}(\vartheta, M)$. Decimg outputs $M$ and the syntax is defined as $M = \text{Decimg}(sk, evk, C)$.

• Brightinc takes as input an encrypted pixel displacement $\bar{D}$ and an encrypted matrix $C$ and proceeds as follows: for all $\bar{C}_{mn} \in C$, compute $\bar{C}_{mn} = \text{Add}(evk, \bar{C}_{mn}, \bar{D})$. Brightinc outputs $C$ and the syntax is defined as $C = \text{Brightinc}(\bar{D}, C)$.

• Brightdec takes as input an encrypted pixel displacement $\bar{D}$ and an encrypted matrix $C$ and proceeds as follows: for all $\bar{C}_{mn} \in C$, compute $\bar{C}_{mn} = \text{Sub}(evk, \bar{C}_{mn}, \bar{D})$. Brightdec outputs $C$ and the syntax is defined as $C = \text{Brightdec}(\bar{D}, C)$.


• Blend takes as input two encrypted images $C_1, C_2$ and proceeds as follows: for all $\bar{C}_{1_{mn}} \in C_1$ and $\bar{C}_{2_{mn}} \in C_2$, compute

$$\bar{C}_{mn} = \text{SDiv}\left(evk, \text{Add}\left(evk, \bar{C}_{1_{mn}}, \bar{C}_{2_{mn}}\right), 2\right) \qquad (5.44)$$

where $\bar{C}_{mn} \in C$. Blend outputs $C$ and the syntax is defined as $C = \text{Blend}(evk, C_1, C_2)$.

• Mask takes as input $evk, C_1, C_2, s_h$ and computes:

$$\bar{C}_{mn} = \text{Add}\left(evk, \text{SMul}\left(evk, \bar{C}_{2_{mn}}, s_h\right), \bar{C}_{1_{mn}}\right). \qquad (5.45)$$

Mask outputs $C$ and the syntax is defined as $C = \text{Mask}(evk, C_1, C_2, s_h)$.

• Contraststr takes $\vartheta, C_1$ as input and proceeds as follows: compute

$$c = \lceil \vartheta \cdot 0.7 \rceil,\quad d = \lceil \vartheta \cdot 0.3 \rceil,\quad \bar{A}_c = \text{Enc}(sk, evk, \vartheta),\quad \bar{C}_c = \text{Enc}(sk, evk, c) \qquad (5.46)$$

and

$$s = \frac{\vartheta}{c - d},\quad s_h = H(p_1, s) \qquad (5.47)$$

such that, for all $\bar{C}_{1_{mn}} \in C_1$, we have

$$\bar{C}_{mn} = \text{Add}\left(evk, \text{SMul}\left(evk, \text{Sub}\left(evk, \bar{C}_{1_{mn}}, \bar{C}_c\right), s_h\right), \bar{A}_c\right) \qquad (5.48)$$

where $\bar{C}_{mn} \in C$ for all $m, n$. Contraststr outputs $C$ and the syntax is defined as $C = \text{Contraststr}(\vartheta, C_1)$.

• LogicalNot takes $sk, evk, \vartheta, C_1$ as input and proceeds as follows: compute $\bar{X}_c = \text{Enc}(sk, evk, \vartheta)$ and for all $\bar{C}_{1_{mn}} \in C_1$, we have

$$\bar{C}_{mn} = \text{Sub}\left(evk, \bar{X}_c, \bar{C}_{1_{mn}}\right) \qquad (5.49)$$

where $\bar{C}_{mn} \in C$ for all $m, n$. LogicalNot outputs $C$ and the syntax is defined as $C = \text{LogicalNot}(sk, evk, \vartheta, C_1)$.


Figure 5.1: Homomorphic Image Processing Architecture.

5.3.4 Homomorphic Results

Consider the architecture defined in Figure 5.1. In this architecture, there are edge computing devices that are responsible for collecting, encrypting, and transmitting encrypted images to the cloud in a timely fashion. The client outsources operations over large volumes of encrypted images to a "blind server" that does not know anything about the images stored on the cloud. The server receives encrypted images, executes the process requested by the client (without even knowing what the process does), and sends the result back to the cloud and to the client. The client then decrypts the received result, which is processed (prepared) to be viewed. Finally, the client is able to see the unencrypted result of the operations performed by the server. Now we discuss the results of homomorphic image processing using our construction over Figure 5.2 (original figures obtained from [229]), which are:

1. The results for Brightinc and Brightdec are shown in Figure 5.3.

2. The results for Blend and Mask are shown in Figure 5.4.

3. The results for Contraststr and LogicalNot are shown in Figure 5.5.

5.3.5 Performance

The results shown in Table 5.6 are pixel-wise. The performance experiments were performed on a MacBook Pro 15-inch, macOS High Sierra 10.13.6, 2.8 GHz Intel Core i7, 16 GB 1600 MHz DDR3, 500 GB HD, with our library implemented in Ruby version 2.4.0. Each presented runtime is the arithmetic mean of 100 runs over 200x200 pixel grayscale JPEG images, in seconds.

Figure 5.2: Original Einstein and Monalisa pictures.

Figure 5.3: Decrease and increase brightness.

Figure 5.4: Merge and mask.

Figure 5.5: Contrast stretching and logical not.

Figure 5.6: Pixel Packing.

Table 5.6: Performance for $|m|_{bits} = 8$, $\gamma = 8$, $\lambda = 128$

Algorithm               Time (seconds)
Key Generation          10.944646
Encryption              0.002076
Decryption              0.001667
Addition                0.000045
Subtraction             0.000032
Multiplication          0.000280
Scalar multiplication   0.000018
Scalar division         0.000033
Increase brightness     0.355258
Decrease brightness     0.318498
Image merge             0.723985
Image mask              0.678895
Contrast stretching     0.898379
Logical not             0.378258

5.3.6 General Considerations

Security is only informally discussed in [53]. The encryption function of the underlying homomorphic scheme is secure under the assumption that Hensel codes with secret primes, used as coefficients of randomized multivectors that are "wrapped" with secret key multivectors, result in a non-linearly decryptable scheme that is assumed to be non-trivial to solve.

5.4 Multivector Packing Schemes

In 2020 we proposed general-purpose data representation and data concealment methods via multivector decompositions and a small subset of functions in the three-dimensional Clifford geometric algebra [230]. We demonstrate mechanisms that can be explored for purposes ranging from explicit data manipulation to homomorphic data processing with multivectors. Our constructions can be incorporated into existing applications as add-ons as well as used to provide standalone data-centric algorithms. A summary of these constructions is given next.

5.4.1 Multivector Packing Schemes

We now describe multivectors packing schemes based on GA.

Definition 5.4.1.1. Given a function $f : \mathbb{G}^3 \to \mathbb{R}$, a Multivector Packing Scheme is a probabilistic polynomial-time computable function $g : \mathbb{R} \to \mathbb{G}^3$ such that for all $m \in \mathbb{R}$, $f(g(m)) = m$.

5.4.2 Clifford Eigenvalue Packing Scheme

Definition 5.4.2.1. CEP Forward Mapping ($\bar{M} = \text{CEP}^{\rightarrow}(m)$) Given a message $m \in \mathbb{Z}$ and a random number $r$ uniformly selected from $\{m, \ldots, b - 1\}$, for an arbitrary boundary $b$, where $r > m$, and a pre-defined auxiliary multivector $\bar{A} \in \mathbb{G}^3$ such that $R(\bar{A}) \neq 0$ and therefore $\bar{A}\bar{A}^{-1} = 1$, a message multivector $\bar{M} \in \mathbb{G}^3$ is computed as follows: let $d_0 = \frac{r + m}{2}$ and $d_2 = \frac{r - m}{2}$ so the multivector $\bar{D} \in \mathbb{G}^3$ is defined as $\bar{D} = d_0\bar{e}_0 + 0\bar{e}_1 + d_2\bar{e}_2 + 0\bar{e}_3 + 0\bar{e}_{12} + 0\bar{e}_{13} + 0\bar{e}_{23} + 0\bar{e}_{123}$. Therefore, $\bar{M} = \bar{A}\bar{D}\bar{A}^{-1}$.

Remark 11. Since a packing scheme is not meant to hide information, A¯ does not need to be secret. A¯ can be generated as a system variable and be globally available to the application where the CEP is being implemented and used.

Definition 5.4.2.2. CEP Backward Mapping ($m = \text{CEP}^{\leftarrow}(\bar{M})$) Given a message multivector $\bar{M} \in \mathbb{G}^3$, a message $m \in \mathbb{Z}$ is computed such that $m = \bar{Z} - \sqrt{\bar{Z}^2 - \bar{M}\overline{M}} = \bar{Z} - \sqrt{\bar{F}^2}$.

Theorem 5.4.2.1. Correctness of CEP If $m \in \mathbb{Z}$, it holds that $\text{CEP}^{\leftarrow}(\text{CEP}^{\rightarrow}(m)) = m$.

Proof. Given a multivector $\bar{M}$ generated according to Definition 5.4.2.1, we know that $\bar{D}$ does not have a pseudoscalar, thus $\bar{Z}$ and $\bar{F}^2$ from $\bar{M}$ are integers and thus commute. Since $\bar{F}^2$ is just an integer, the scalar part of $\bar{A}$ is cancelled in $\bar{A}\bar{D}\bar{A}^{-1}$, thus $\bar{F}^2 = d_2^2$. We also know that $\bar{Z} = d_0$. According to Definition 5.4.2.1 we know that we recover $m$ as follows:

$$\bar{Z} - \sqrt{\bar{F}^2} = d_0 - d_2 = m. \qquad (5.50)$$

Definition 5.4.2.3. Alternative CEP Backward Mapping Since $\bar{A}$ is known, an alternative CEP Backward Mapping is computed as follows:

$$m = d_0 - d_2,\quad \bar{D} = \bar{A}^{-1}\bar{M}\bar{A}. \qquad (5.51)$$

Remark 12. The CEP is a packing scheme that leverages the function that computes the eigenvalue of a multivector. Since this function is both additive and multiplicative homomorphic, the packing scheme is also homomorphic with respect to addition and multiplication, i.e., $\text{CEP}^{\leftarrow}(\bar{A} \circ \bar{B}) = \text{CEP}^{\leftarrow}(\bar{A}) \circ \text{CEP}^{\leftarrow}(\bar{B})$, $\circ \in \{+, \cdot\}$, $\bar{A} = \text{CEP}^{\rightarrow}(a)$, $\bar{B} = \text{CEP}^{\rightarrow}(b)$, $a, b \in \mathbb{Z}$.

5.4.3 Complex Magnitude Squared Packing Scheme

For this packing scheme, we select two coefficients of $\bar{M}$ to be computed in such a way that $R(\bar{M}) = m$. We take advantage of how the coefficients $m_0$ and $m_1$ of the multivector $\bar{M}$ are involved in the computation of $R(\bar{M})$ and, therefore, we define them in terms of a complex number $z = a + bi$, where $|z|^2 = a^2 + b^2$. Due to the length of the final solution, we break it down into auxiliary equations, which are shown in Definition 5.4.3.1.

For computing $m_0$ and $m_1$, let

$$\begin{aligned}
\tau &= b^2 - 4b m_2 m_{13} + 4b m_3 m_{12} + 4m_2^2 m_{13}^2 + 4m_2^2 m_{23}^2 \\
\mu &= -4m_2^2 m_{123}^2 - 8m_2 m_3 m_{12} m_{13} + 4m_3^2 m_{12}^2 + 4m_3^2 m_{23}^2 - 4m_3^2 m_{123}^2 \\
\upsilon &= -4m_{12}^2 m_{23}^2 + 4m_{12}^2 m_{123}^2 - 4m_{13}^2 m_{23}^2 + 4m_{13}^2 m_{123}^2 - 4m_{23}^4 \\
\omega &= 8m_{23}^2 m_{123}^2 + 4a m_{23}^2 - 4m_{123}^4 - 4a m_{123}^2
\end{aligned} \qquad (5.52)$$

Definition 5.4.3.1. Auxiliary Equations for $m_0$ and $m_1$

Let $x_1 \ldots x_6$ be auxiliary equations for $m_0$ and $x_7 \ldots x_9$ be auxiliary equations for $m_1$ such that

$$\begin{aligned}
x_1 &= \left(b - 2m_2 m_{13} + 2m_3 m_{12}\right) / \left(2m_{123}\right) \\
x_2 &= m_{23} \\
x_3 &= b m_{23} \\
x_4 &= m_{123} \\
x_5 &= \tau + \mu + \upsilon + \omega \\
x_6 &= -2m_2 m_{13} m_{23} + 2m_3 m_{12} m_{23} \\
x_7 &= 2m_{123}\left(m_{23} + m_{123}\right)\left(m_{23} - m_{123}\right) \\
x_8 &= 2\left(m_{23} + m_{123}\right)\left(m_{23} - m_{123}\right)
\end{aligned} \qquad (5.53)$$

Definition 5.4.3.2. CMSP Forward Mapping ($\bar{M} = \text{CMSP}^{\rightarrow}(m)$) Given a message $m \in \mathbb{Z}$, $m > 0$, we let $m$ be expressed as the magnitude squared of a complex number $z = a + bi$ such that $m = |z|^2 = a^2 + b^2$. We first define the coefficients $a$ and $b$ of $z$ as follows: let $a$ be a random number in $\mathbb{Z}$ and $b = \sqrt{m - a^2}$. The message multivector $\bar{M}$ is computed such that $\bar{M}\overline{M} = z$. Let the coefficients from $m_2$ to $m_{123}$ be random numbers in $\mathbb{Z}$ such that $m_{123} \neq 0$ and $m_{123} \neq m_{23}$ in order to avoid division by zero when computing $x_1$ in (5.53). We compute $m_0$ and $m_1$ such that $m_0 = x_1 - \frac{x_2\left(x_3 + x_4\sqrt{x_5} + x_6\right)}{x_7}$ and $m_1 = \frac{-x_3 + x_4\sqrt{x_5} + x_6}{x_8}$. Notice that given the definition of $m_{23}$ and $m_{123}$, we guarantee that no division by zero will occur when computing $m_0$ and $m_1$.

Theorem 5.4.3.1. The operation M¯ M produces a complex scalar. The multiplication of this complex scalar with its own reverse results in the magnitude squared.

Proof. The Clifford conjugation of a multivector $\bar{M}$ changes the sign of the vector and the bivector parts of $\bar{M}$. The geometric product of $\bar{M}$ and its Clifford conjugation $\overline{M}$ cancels the vector and bivector parts, i.e., $\langle\bar{M}\overline{M}\rangle_1 = \langle\bar{M}\overline{M}\rangle_2 = 0$, resulting in a multivector consisting of only its scalar and pseudoscalar parts: $\bar{M}\overline{M} = \langle\bar{M}\overline{M}\rangle_0 + \langle\bar{M}\overline{M}\rangle_3$. The reverse of a multivector $\bar{M}$ changes the sign of the vector and trivector (pseudoscalar) parts. The reverse of $\bar{M}\overline{M}$ will change the sign of $\langle\bar{M}\overline{M}\rangle_3$, which is equivalent to performing the complex conjugation operation on the complex scalar. The product of a complex number and its conjugate results in the magnitude squared of that complex number. Recall that the rationalize is computed as $R(\bar{M}) = \left(\bar{M}\overline{M}\right)\left(\bar{M}\overline{M}\right)^{\dagger}$, where $\bar{M}\overline{M}$ results in a complex scalar and $\left(\bar{M}\overline{M}\right)^{\dagger}$ is the complex conjugate. The CMSP packs a multivector $\bar{M}$ such that $\bar{M}\overline{M} \in \mathbb{C}$, where the rationalize computes the magnitude squared of the complex scalar $\bar{M}\overline{M}$.

Definition 5.4.3.3. CMSP Backward Mapping ($m = \text{CMSP}^{\leftarrow}(\bar{M})$) Given a message multivector $\bar{M} \in \mathbb{G}^3$, a message $m \in \mathbb{C}$ is computed such that $R(\bar{M}) = m$.

Theorem 5.4.3.2. Correctness of CMSP For all $m \in \mathbb{C}$ and all $\bar{M} \in \mathbb{G}^3$ that are output by $\text{CMSP}^{\rightarrow}(m)$, the following holds: $\text{CMSP}^{\leftarrow}(\text{CMSP}^{\rightarrow}(m)) = m$.

Remark 13. For reasons of space, we omit the complete proof, but include the following outline. We compute the complex number $z = a + bi$ from the message $m$ by letting $a$ be a random integer and $b = \sqrt{m - a^2}$. Then we construct a multivector $\bar{M}$ such that $\langle\bar{M}\overline{M}\rangle_0 = a$ and $\langle\bar{M}\overline{M}\rangle_3 = b$. It then follows that the rationalize $R(\bar{M}) = m$, since it is the product of the complex scalar $\bar{M}\overline{M}$ with $\left(\bar{M}\overline{M}\right)^{\dagger}$, which is the magnitude squared of that complex number. The proof then depends on the correctness of the auxiliary equations in Definition 5.4.3.1. If those equations are right, then the CMSP is correct as well.

Remark 14. The rationalize of a multivector is multiplicative homomorphic, analogous to the complex magnitude squared of a complex number, i.e., $R(\bar{A}\bar{B}) = R(\bar{A})R(\bar{B})$. Hence, $\text{CMSP}^{\leftarrow}(\bar{A}\bar{B}) = \text{CMSP}^{\leftarrow}(\bar{A}) \cdot \text{CMSP}^{\leftarrow}(\bar{B})$, $\bar{A} = \text{CMSP}^{\rightarrow}(a)$, $\bar{B} = \text{CMSP}^{\rightarrow}(b)$, $a, b \in \mathbb{C}$.

5.5 Concealment Schemes

With the assistance of a private key, we suggest methods for concealing arbitrary message multivectors. The private key is a tuple consisting of two secret multivectors, $k = (\bar{K}_1, \bar{K}_2)$, where $\bar{K}_1, \bar{K}_2 \in \mathbb{G}^3$ must have an inverse. The set $\mathcal{K} = \{\bar{K} \in \mathbb{G}^3 \mid \exists \bar{K}^{-1} \in \mathbb{G}^3\}$ is the set of invertible secret key multivectors.

81 5.5. Concealment Schemes

Definition 5.5.0.1. A Concealment Scheme is a polynomial-time algorithm that hides a message multivector by computing a concealed multivector with the support of secret key multivectors.

5.5.1 Clifford Sylvester’s Equation Concealment (CSEC)

The first concealment scheme we propose is based on the well-known Sylvester’s equation [231], where we use its multivector variant [232].

Definition 5.5.1.1. CSEC Forward Mapping ($\bar{C} = \text{CSEC}^{\rightarrow}(k, \bar{M})$) Given a secret tuple $k = (\bar{K}_1, \bar{K}_2)$, where $\bar{K}_1, \bar{K}_2 \in \mathcal{K}$, and a message multivector $\bar{M} \in \mathbb{G}^3$, we can compute a concealed multivector $\bar{C} \in \mathbb{G}^3$ such that $\bar{C} = \text{CSEC}^{\rightarrow}(k, \bar{M}) = \bar{K}_1\bar{M} + \bar{M}\bar{K}_2$.

Definition 5.5.1.2. CSEC Backward Mapping ($\bar{M} = \text{CSEC}^{\leftarrow}(k, \bar{C})$) Given a secret tuple $k = (\bar{K}_1, \bar{K}_2)$, for $\bar{K}_1, \bar{K}_2 \in \mathbb{G}^3$, and a concealed multivector $\bar{C} \in \mathbb{G}^3$, a message multivector $\bar{M} \in \mathbb{G}^3$ is recovered by computing

$$\bar{M} = \text{CSEC}^{\leftarrow}(k, \bar{C}) = \left(\overline{K}_2 + \bar{K}_2 + \bar{K}_1^{-1}\bar{K}_2\overline{K}_2 + \bar{K}_1\right)^{-1}\left(\bar{K}_1^{-1}\bar{C}\overline{K}_2 + \bar{C}\right) \qquad (5.54)$$

Theorem 5.5.1.1. Correctness of CSEC For all $k \in \mathcal{K}$, where $R(\bar{K}_1), R(\bar{K}_2) \neq 0$, and for all $\bar{M}, \bar{C} \in \mathbb{G}^3$, the following holds: $\text{CSEC}^{\leftarrow}(k, \text{CSEC}^{\rightarrow}(k, \bar{M})) = \bar{M}$.

Proof. Given

$$\bar{C} = \bar{K}_1\bar{M} + \bar{M}\bar{K}_2 \qquad (5.55)$$

left multiply by $\bar{K}_1^{-1}$ and right multiply by $\overline{K}_2$ both sides of (5.55):

$$\bar{K}_1^{-1}\bar{C}\overline{K}_2 = \bar{K}_1^{-1}\bar{K}_1\bar{M}\overline{K}_2 + \bar{K}_1^{-1}\bar{M}\bar{K}_2\overline{K}_2 \qquad (5.56)$$

According to the definition of the inverse in $\mathbb{G}^3$, $\bar{K}_1^{-1}\bar{K}_1 = 1$, which allows us to simplify (5.56) as follows:

$$\bar{K}_1^{-1}\bar{C}\overline{K}_2 = \bar{M}\overline{K}_2 + \bar{K}_1^{-1}\bar{M}\bar{K}_2\overline{K}_2 \qquad (5.57)$$

If we sum (5.57) with (5.55) and combine like terms we obtain the following:

$$\bar{K}_1^{-1}\bar{C}\overline{K}_2 + \bar{C} = \bar{M}\left(\overline{K}_2 + \bar{K}_2\right) + \bar{K}_1^{-1}\bar{M}\bar{K}_2\overline{K}_2 + \bar{K}_1\bar{M} \qquad (5.58)$$


Note that $\bar{K}_2 + \overline{K}_2$ and $\bar{K}_2\overline{K}_2$ are commuting complex-like numbers, which allows us to rewrite (5.58) as follows:

$$\bar{K}_1^{-1}\bar{C}\overline{K}_2 + \bar{C} = \left(\overline{K}_2 + \bar{K}_2 + \bar{K}_1^{-1}\bar{K}_2\overline{K}_2 + \bar{K}_1\right)\bar{M} \qquad (5.59)$$

Assuming that the expression inside the parentheses that multiplies $\bar{M}$ on the right hand side of the equation above results in a multivector that has an inverse, we can now solve (5.59) for $\bar{M}$ to obtain:

$$\bar{M} = \left(\overline{K}_2 + \bar{K}_2 + \bar{K}_1^{-1}\bar{K}_2\overline{K}_2 + \bar{K}_1\right)^{-1}\left(\bar{K}_1^{-1}\bar{C}\overline{K}_2 + \bar{C}\right). \qquad (5.60)$$

Remark 15. The CSEC scheme is homomorphic with respect to addition, since adding $\bar{C}_1 = \bar{K}_1\bar{M}_1 + \bar{M}_1\bar{K}_2$ to $\bar{C}_2 = \bar{K}_1\bar{M}_2 + \bar{M}_2\bar{K}_2$ results in $\bar{C}_1 + \bar{C}_2 = \bar{K}_1\left(\bar{M}_1 + \bar{M}_2\right) + \left(\bar{M}_1 + \bar{M}_2\right)\bar{K}_2$. However, it is not homomorphic with respect to multiplication.
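The identity $\bar{M}\overline{M} = \bar{Z}^2 - \bar{F}^2$ from (5.29), the CEP mappings of Definitions 5.4.2.1 and 5.4.2.2 with the homomorphism of Remark 12, and the CSEC mappings of Definitions 5.5.1.1 and 5.5.1.2 with Remark 15, worked through in one added Python example that is not the dissertation's Ruby library. The bitmask sign rule for the geometric product, the inverse computed from $\overline{M}$ and $R(\bar{M})$, the auxiliary multivector $\bar{A}$, the keys $\bar{K}_1, \bar{K}_2$ and the bound on $r$ are all assumptions of the example.

```python
"""Added example (not the dissertation's Ruby library): exact G3 arithmetic, CEP packing and CSEC concealment."""
from fractions import Fraction
from math import isqrt
import random

# Basis blades as bitmasks over e1 = 0b001, e2 = 0b010, e3 = 0b100; coefficient order e0, e1, e2, e3, e12, e13, e23, e123.
BLADES = (0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111)
_INDEX = {b: i for i, b in enumerate(BLADES)}
E0, E123 = 0, 7  # positions of the scalar and pseudoscalar coefficients

def _blade_sign(a: int, b: int) -> int:
    """Sign of the geometric product of basis blades a and b (Euclidean metric, e_i^2 = 1)."""
    s = 1
    for i in range(3):
        # e_i of the left blade is swapped past every lower-index generator of the right blade
        if a & (1 << i) and bin(b & ((1 << i) - 1)).count("1") % 2:
            s = -s
    return s

class MV:
    """A multivector of G3 with exact rational coefficients."""
    def __init__(self, coeffs):
        self.c = tuple(Fraction(x) for x in coeffs)
        assert len(self.c) == 8

    def __add__(self, o): return MV(x + y for x, y in zip(self.c, o.c))
    def __sub__(self, o): return MV(x - y for x, y in zip(self.c, o.c))
    def __eq__(self, o): return self.c == o.c

    def __mul__(self, o):
        """Geometric product, or scaling by a rational number."""
        if not isinstance(o, MV):
            return MV(x * Fraction(o) for x in self.c)
        out = [Fraction(0)] * 8
        for i, a in enumerate(BLADES):
            for j, b in enumerate(BLADES):
                out[_INDEX[a ^ b]] += _blade_sign(a, b) * self.c[i] * o.c[j]
        return MV(out)

    def conj(self):
        """Clifford conjugation: negates the vector (grade 1) and bivector (grade 2) parts."""
        return MV(-x if bin(b).count("1") in (1, 2) else x for x, b in zip(self.c, BLADES))

    def z_part(self):
        """Z-type part (scalar + pseudoscalar): a complex-like scalar that commutes with everything."""
        return MV([self.c[E0], 0, 0, 0, 0, 0, 0, self.c[E123]])

    def rationalize(self) -> Fraction:
        """R(M) = (M conj(M)) (M conj(M))^dagger: the magnitude squared of the complex scalar M conj(M)."""
        z = self * self.conj()
        return z.c[E0] ** 2 + z.c[E123] ** 2

    def inverse(self):
        """M^-1 = conj(M) (x - y e123) / R(M), where M conj(M) = x + y e123; requires R(M) != 0."""
        z, r = self * self.conj(), self.rationalize()
        assert r != 0, "multivector has no inverse"
        return self.conj() * MV([z.c[E0], 0, 0, 0, 0, 0, 0, -z.c[E123]]) * (1 / r)

def _sqrt_exact(q: Fraction) -> Fraction:
    """Exact square root of a perfect-square rational (F^2 = d2^2 for a CEP multivector)."""
    n, d = isqrt(q.numerator), isqrt(q.denominator)  # isqrt raises ValueError for negative q
    assert n * n == q.numerator and d * d == q.denominator, "F^2 is not a perfect square"
    return Fraction(n, d)

def cep_forward(m: int, A: MV, rng: random.Random, bound: int = 10**6) -> MV:
    """CEP forward mapping (Def. 5.4.2.1): D = d0 e0 + d2 e2, d0 = (r+m)/2, d2 = (r-m)/2, M = A D A^-1."""
    r = rng.randrange(m + 1, bound)  # uniform r with m < r < bound
    D = MV([Fraction(r + m, 2), 0, Fraction(r - m, 2), 0, 0, 0, 0, 0])
    return A * D * A.inverse()

def cep_backward(M: MV) -> int:
    """CEP backward mapping (Def. 5.4.2.2): m = Z - sqrt(F^2), the Clifford eigenvalue with the minus sign."""
    Z = M.z_part()
    F2 = (M - Z) * (M - Z)
    assert M * M.conj() == Z * Z - F2, "identity (5.29) violated"  # Z commutes, so -ZF + FZ cancels
    assert Z.c[E123] == 0 and all(x == 0 for x in F2.c[1:]), "not a CEP-packed multivector"
    m = Z.c[E0] - _sqrt_exact(F2.c[E0])
    assert m.denominator == 1
    return int(m)

def csec_forward(K1: MV, K2: MV, M: MV) -> MV:
    """CSEC forward mapping (Def. 5.5.1.1): C = K1 M + M K2."""
    return K1 * M + M * K2

def csec_backward(K1: MV, K2: MV, C: MV) -> MV:
    """CSEC backward mapping (5.60): solve the multivector Sylvester equation for M."""
    K1inv, K2bar = K1.inverse(), K2.conj()
    factor = K2bar + K2 + K1inv * (K2 * K2bar) + K1  # K2 + conj(K2) and K2 conj(K2) are complex-like
    return factor.inverse() * (K1inv * C * K2bar + C)

def demo(a: int = 7, b: int = 12) -> dict:
    """Pack a and b with CEP, conceal them with CSEC, and check the homomorphic properties of both."""
    rng = random.Random(2020)
    A = MV([2, 1, 3, 0, 1, 0, 2, 1])   # constructed public auxiliary multivector, R(A) = 4 != 0
    K1 = MV([5, 2, 0, 1, 3, 0, 1, 2])  # constructed secret key multivectors, both invertible
    K2 = MV([4, 1, 1, 0, 0, 2, 1, 3])
    Ma, Mb = cep_forward(a, A, rng), cep_forward(b, A, rng)
    Ca, Cb = csec_forward(K1, K2, Ma), csec_forward(K1, K2, Mb)
    unconceal = lambda C: cep_backward(csec_backward(K1, K2, C))
    return {"a": cep_backward(Ma), "b": cep_backward(Mb),
            "sum": cep_backward(Ma + Mb), "product": cep_backward(Ma * Mb),  # Remark 12
            "unconcealed_a": unconceal(Ca), "unconcealed_sum": unconceal(Ca + Cb)}  # Remark 15
```

Because the coefficients are exact rationals, every check in `demo()` is an equality, not an approximation; the product check also shows why the modulus-free CEP grows: $d_2$ of a product is $d_{0a}d_{2b} + d_{2a}d_{0b}$.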

5.5.2 Modular Concealment (MC)

Definition 5.5.2.1. MC Forward Mapping ($\bar{C} = \text{MC}^{\rightarrow}(k, \bar{M})$) Given a secret tuple $k \in \mathcal{K}$, a message multivector $\bar{M} \in \mathbb{G}^3$, and a random multivector $\bar{R} \in \mathbb{G}^3$, such that the secret key multivectors in $k$, $\bar{M}$ and $\bar{R}$ are all packed with $\text{CEP}^{\rightarrow}$ (all using the same auxiliary multivector $\bar{A}$), we compute a concealed multivector $\bar{C} \in \mathbb{G}^3$ such that $\bar{C} = \text{MC}^{\rightarrow}(k, \bar{M}) = \bar{R}\bar{K}_1\bar{K}_2 + \bar{M}$.

Definition 5.5.2.2. MC Backward Mapping ($\bar{M} = \text{MC}^{\leftarrow}(k, \bar{C})$) Given a secret tuple $k = (\bar{K}_1, \bar{K}_2)$, for $\bar{K}_1, \bar{K}_2 \in \mathbb{G}^3$, and a concealed multivector $\bar{C} \in \mathbb{G}^3$, a message multivector $\bar{M} \in \mathbb{G}^3$ is recovered as $\bar{M} = \text{MC}^{\leftarrow}(k, \bar{C}) = \bar{C} \bmod \bar{K}_1\bar{K}_2$, where the modulo operation is computed at the eigenvalue level.

Theorem 5.5.2.1. Correctness of MC For all $k \in \mathcal{K}$ and for all $\bar{M} \in \mathbb{G}^3$, the following holds: $\text{MC}^{\leftarrow}(k, \text{MC}^{\rightarrow}(k, \bar{M})) = \bar{M}$.

Proof. The modulo operation $\bar{A} \bmod \bar{B}$ is computed in terms of the multivector packing that generated the message multivector, such that $\bar{M}_1 \bmod \bar{M}_2 \equiv m_1 \bmod m_2$. Let $\bar{R}$, $\bar{K}_1$, $\bar{K}_2$, and $\bar{M}$ be the multivector representations of the integers $r$, $k_1$, $k_2$, and $m$, respectively; therefore, $\left(\bar{R}\bar{K}_1\bar{K}_2 + \bar{M}\right) \bmod \left(\bar{K}_1\bar{K}_2\right)$ is equal to $(rk_1k_2 + m) \bmod (k_1k_2) = m$.

Remark 16. The MC is both additive and multiplicative homomorphic for all message multivectors $\bar{M} < \bar{K}_1\bar{K}_2$, which is equivalent to saying that, given $\bar{C}_1 = \text{MC}^{\rightarrow}(k, \bar{M}_1)$ and $\bar{C}_2 = \text{MC}^{\rightarrow}(k, \bar{M}_2)$, then $\text{MC}^{\leftarrow}(\bar{C}_1 \circ \bar{C}_2) = \left(\bar{C}_1 \circ \bar{C}_2\right) \bmod \bar{K}_1\bar{K}_2$, which is equivalent to $(m_1 \circ m_2) \bmod (k_1k_2)$ for $\circ \in \{+, \cdot\}$.

5.5.3 General Considerations

In this work, we demonstrated how multivector involutions, decompositions, and a small set of multivector functions can be combined and explored as sufficient components to implement protocol-agnostic homomorphic data representation and homomorphic data concealment with Clifford geometric algebra. We introduced two methods for representing numerical data, namely multivector packing schemes, such that a given datum is expressed in terms of the output of the Clifford eigenvalue and the rationalize functions. We also introduced two methods for hiding data represented as multivectors, namely concealment schemes, which consist of operations that compute a concealed multivector with the support of secret key multivectors. The multivector packing and concealment schemes discussed in this work are homomorphic with respect to addition, multiplication, or both. These constructions can be used in a wide variety of privacy-preserving applications since, due to their homomorphic properties, data can be meaningfully computed while concealed. The homomorphism of both packing and concealment schemes provides a guarantee that applying our methods will not compromise the numerical meaning of the data represented and concealed as multivectors. We made available a Ruby library that implements our constructions, provides numerical examples of each method, illustrates their use on simulations of real-world applications, and allows one to test customized ideas. We implemented this library to demonstrate in practice that our ideas work and to facilitate further experiments by interested researchers so they can easily reproduce our results and quickly implement their own.


5.6 Experimental Key Update

In our quest to discover what more we can do with GA in cryptography, we now discuss some additional experiments with GA for creating cryptographic tools for a variety of purposes. As previously discussed, our first attempt to apply GA to cryptography was via constructing homomorphic encryption schemes. In 2019 we presented fledgling ideas concerning homomorphic key update and key exchange protocols [54], which we now regard as a letter of intent. We introduced a better attempt to formally define these protocols with GA in [62]. The constructions target distributed ledger technologies (DLT), in which homomorphic encryption serves the purpose of ownership protection and the key update protocol serves the purpose of ownership transfer. The constructions are summarized next. For a detailed discussion of correctness, security assumptions, and the rules these schemes observe, we refer the reader to [62].

5.6.1 HE Scheme

The key update and the key exchange protocols require a HE scheme, which is described below:

$\mathrm{Gen}$ takes as input $1^\lambda$ and proceeds as follows: (1) set $b = \lambda/8$; (2) let $q$ be the smallest prime greater than $2^b$; (3) choose 16 uniform $b$-bit integers and define $\bar{K}_1, \bar{K}_2 \in \mathbb{G}^3_q$ such that the first 8 integers are the coefficients of $\bar{K}_1$ and the second 8 integers are the coefficients of $\bar{K}_2$; the generated $\bar{K}_1, \bar{K}_2$ must have inverses, otherwise another 16 $b$-bit integers are uniformly chosen and transformed into the secret key multivectors $\bar{K}_1, \bar{K}_2$ until they have inverses; (4) choose a uniform $b$-bit integer $g$ (for $\mathrm{Dec}$ to divide by $g$, it must be nonzero, hence invertible modulo the prime $q > 2^b$); and (5) output the secret key $sk = (\bar{K}_1, \bar{K}_2, g)$ and the public evaluation key $pk = (b, q)$. The message space is originally defined by $\mathcal{M} = \mathbb{Z}_q$.

$\mathrm{Enc}$ takes as input $sk = (\bar{K}_1, \bar{K}_2, g)$ and $m$ and proceeds as follows:

1. Let $m_0, \dots, m_{123}$, with the exception of $m_{12}$, be uniformly chosen from the set $\{0, \dots, 2^b - 1\}$, so $m_{12}$ is computed as follows:

$$m_{12} = \left| m - m_0 - m_1 + m_2 + m_3 - m_{13} + m_{23} + m_{123} \right|_q. \tag{5.61}$$


2. For $j \in \{0, 1, 2, 3, 12, 13, 23, 123\}$, define $\bar{M}$ such that

$$\bar{M} = \sum_j m_j \bar{e}_j. \tag{5.62}$$

3. Compute $\bar{M}' = \bar{M} g$ and output $\bar{C} = \bar{K}_1 \bar{M}' \bar{K}_2$.

$\mathrm{Dec}$ takes as input $sk = (\bar{K}_1, \bar{K}_2, g)$ and $\bar{C} \in \mathbb{G}^3_q$ and proceeds as follows:

1. Retrieve $\bar{M}' = \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1}$ and $\bar{M} = \bar{M}' / g$.

2. Compute $m$ such that

$$m = \left| m_0 + m_1 - m_2 - m_3 + m_{12} + m_{13} - m_{23} - m_{123} \right|_q. \tag{5.63}$$

3. Update the value of $m$ by mapping it to a rational format such that $m = a/b = \mathrm{EEA}(q, m)$. Output $m$.

$\mathrm{Add}$ takes as input $pk$ and $\bar{C}_1, \bar{C}_2 \in \mathbb{G}^3_q$ and computes and outputs $\bar{C}$ as the component-wise addition of the coefficients of $\bar{C}_1, \bar{C}_2$.

$\mathrm{SDiv}$ takes as input $pk$, $\bar{C}_1 \in \mathbb{G}^3_q$ and a scalar $\alpha \in \mathbb{Z}_q$, and computes and outputs $\bar{C}$ as the scalar division of all elements of $\bar{C}_1$ by $\alpha$, which is denoted by $\bar{C}_1 / \alpha$.

5.6.2 Key Update Protocol

$\mathrm{TokGen}$ takes as input two secret keys $sk_1 = (\bar{K}_{11}, \bar{K}_{12}, g_1)$ and $sk_2 = (\bar{K}_{21}, \bar{K}_{22}, g_2)$, the old and the new key, respectively, and computes and returns the token $t = (\bar{T}_1, \bar{T}_2)$ such that

$$\bar{T}_1 = \bar{K}_{21} \bar{K}_{11}^{-1} g_1^{-1} g_2, \qquad \bar{T}_2 = \bar{K}_{12}^{-1} \bar{K}_{22}.$$

$\mathrm{KeyUpd}$ takes as input the token $t = (\bar{T}_1, \bar{T}_2)$ and an existing (old) ciphertext $\bar{C}_{old}$ and computes and outputs an updated (new) ciphertext $\bar{C}_{new}$ as $\bar{C}_{new} = \bar{T}_1 \bar{C}_{old} \bar{T}_2$.
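The correctness of the update can be checked directly from the definitions above (a worked derivation added here; it is not part of the original text). Because $g_1$ and $g_2$ are scalars in $\mathbb{Z}_q$, they commute with every multivector, so for an old ciphertext $\bar{C}_{old} = \bar{K}_{11} (\bar{M} g_1) \bar{K}_{12}$ we obtain

$$\bar{T}_1 \bar{C}_{old} \bar{T}_2 = \bar{K}_{21} \bar{K}_{11}^{-1} g_1^{-1} g_2 \; \bar{K}_{11} (\bar{M} g_1) \bar{K}_{12} \; \bar{K}_{12}^{-1} \bar{K}_{22} = \bar{K}_{21} (\bar{M} g_2) \bar{K}_{22},$$

which is exactly the output of $\mathrm{Enc}$ for the same coefficients $m_0, \dots, m_{123}$ under $sk_2$, so $\mathrm{Dec}(sk_2, \bar{C}_{new}) = m$. Two consequences follow from the same algebra: the update does not re-randomize the message multivector, and the token together with $sk_1$ yields $\bar{K}_{22} = \bar{K}_{12} \bar{T}_2$ and $\bar{K}_{21} g_2 = \bar{T}_1 \bar{K}_{11} g_1$, which are sufficient to run $\mathrm{Dec}$ under $sk_2$; the token must therefore be handled as key material.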

5.6.3 Application

Now we illustrate how the HE scheme can be combined with the key update protocol in a Blockchain-based application.


Definition 5.6.3.1. A Blockchain Application BA is composed by:

• User UA: The data owner. UA persists information on-chain and decides when and to whom the ownership is transferred.

• User UB: A participant of the same consortium as UA. UB has access to the off-chain cryptographic library and performs homomorphic computations on-chain. UB wants to get insights from data processed on the blockchain.

• App component AC: Software that executes the HE scheme and key update protocol. AC imports the algorithms Gen, Enc, Dec, and TokGen.

• Blockchain component BC: a system composed by the ledger and a smart contract that controls the access to it. The smart contract imports Add, SDiv, and KeyUpd.

Definition 5.6.3.2. BC is a tuple with the following efficient algorithms: NewRecord, GetRecords, GenReport, GenResult, GetReport and GetResult, such that

• GenReport generates a report calculating the mean (average) of a given number of records. We write the syntax as GenReport(idsLedger). First, GetRecords is called, retrieving the records represented by idsLedger; then Add operates the addition of the multivectors inside the records returned by GetRecords; SDiv takes the sum given by Add and divides it by the number of records returned by GetRecords; finally, NewRecord is used to persist the aggregated data.

• GenResult takes as input an id, idLedger, and the generated token t to update the keys of a report. We write the syntax as GenResult(idLedger, t). First, GetReport is called, retrieving the report with id idLedger; second, KeyUpd is used to change the keys of report idLedger; finally, NewRecord is used to persist the resulting data.

• GetResult takes as input idLedger and retrieves a report that had its keys updated. We use the syntax GetResult(idLedger).

Example 5.1

UA represents a hospital that owns patients' records. UB stands for a research institution that makes analyses over patients' data. A disease outbreak urged the aforementioned organizations to cooperate. Therefore, the hospital agreed to share information under a security protocol that could lead to a better triage of patients and, perhaps, a path to a cure.

In the DLT environment, both institutions have a copy of the data, but their ownership is tied to their keys. Since the smart contract is using a HE scheme, computations can be performed homomorphically, and the ownership over the resulting analysis can be transferred by UA.

UB calculates the average number of pre-existing conditions for every expired patient, generating a report. Then, UA analyzes the result and decides to grant permission. To do so, a symmetric key is shared with UB through a traditional key exchange protocol. Now, UA updates the keys of the report, allowing UB to finally detect a high number of pre-existing conditions in patients that did not recover.

5.6.4 General Considerations

Through practical constructions, we demonstrated the realization of a homomorphic encryption (HE) scheme and a key update protocol as a strategy for expanding the current capabilities of blockchain technologies (BT). With a very small set of elementary functions found in Clifford geometric algebra, we were able to provide simple and yet efficient cryptographic protocols to equip BT with a homomorphic smart contract. Without violating current business logic constraints in BT, one can use our constructions to homomorphically analyze encrypted data, generate reports and transfer the data ownership without compromising the original key holder's and/or third parties' privacy. We provide evidence of the proposed algorithms' correctness as well as the security properties they carry, under some strong assumptions, such as the attacker's knowledge being restricted to public information. In order to further support the practicality of our methods, we offer access to a library we implemented in the Ruby language, where one can see some numerical examples and inspect its source code. As future directions, we envision cryptographic primitives satisfying stronger notions of security, the development of fully homomorphic encryption schemes to enable smart contracts to compute any function over encrypted data, and comprehensive cryptanalysis for investigating the resilience of our constructions under well-known threat models (e.g., chosen-plaintext attack), which can indicate how security may be improved.

5.7 Further Cryptographic Experiments

Now we consider some cryptographic resources based on GA that are not necessarily targeted to be homomorphic. We find this type of resource still interesting since it can work in conjunction with homomorphic encryption schemes. We introduced a family of further cryptographic experiments based on GA in [61]. A summary of these constructions is given next.

5.7.1 Auxiliary Algorithms

We define some auxiliary algorithms that will be used as sub-routines in the constructions discussed in this section.

Definition 5.7.1.1. (Number to Multivector) Given $n, b \in \mathbb{Z}$, we transform $n$ into $\bar{M} \in \mathbb{G}^3$ as follows:

$$\bar{M} = |n|_{2^b} \, \bar{e}_0 + \sum_{j} \left| \left\lfloor \frac{n}{2^{ib}} \right\rfloor \right|_{2^b} \bar{e}_j \tag{5.64}$$

for $i = 1 \dots 7$ and $j \in \{1, 2, 3, 12, 13, 23, 123\}$, taken in that order (the $i$-th block of $b$ bits of $n$ becomes the coefficient of the $i$-th basis element). We return $\bar{M}$ and define the syntax as $\bar{M} = \mathrm{NumToMult}(n, b)$.

Definition 5.7.1.2. $\mathrm{NumToMult}_{mod}$ is a variation of $\mathrm{NumToMult}$ that transforms a number $n \in \mathbb{Z}$ into a multivector $\bar{M} \in \mathbb{G}^3$ while defining that the computation of the coefficients of $\bar{M}$ will be reduced modulo $q$, for $q \in \mathbb{N}$ and $q > 1$. We define the syntax as $\bar{M} = \mathrm{NumToMult}_{mod}(n, b, q)$.

Definition 5.7.1.3. (Multivector to Number) Given a multivector $\bar{M} \in \mathbb{G}^3$ and a positive integer $b$, convert $\bar{M}$ to $n \in \mathbb{Z}$ as follows. Assign each coefficient of $\bar{M}$ to $n_i$, for $i = 1 \dots 8$, such that

$$n_1 = m_{123}, \; n_2 = m_{23}, \; n_3 = m_{13}, \; n_4 = m_{12}, \; n_5 = m_3, \; n_6 = m_2, \; n_7 = m_1, \; n_8 = m_0, \tag{5.65}$$

then we set $n = n_1$ and, for $i = 2 \dots 8$, we compute

$$n = n \cdot 2^b + n_i. \tag{5.66}$$

We return $n$ and define the syntax as $n = \mathrm{MultToNum}(\bar{M}, b)$.

Definition 5.7.1.4. (String to Multivector) Given a string $s$ of size $k$, and a positive integer $b$, obtain the integer representation of each character of $s$ in the form of

$$S = (s_1, \dots, s_k), \qquad s_i \in \{0, \dots, 255\}. \tag{5.67}$$

We set $n = s_1$ and, for $s_i$, $i = 2 \dots k$, we compute

$$n = n \cdot 256 + s_i. \tag{5.68}$$

We then transform $n$ into the multivector $\bar{M} \in \mathbb{G}^3$:

$$\bar{M} = \mathrm{NumToMult}(n, b). \tag{5.69}$$

Return $\bar{M}$. We define the syntax as $\bar{M} = \mathrm{StrToMult}(s, b)$.

Definition 5.7.1.5. $\mathrm{StrToMult}_{mod}$ is a variation of $\mathrm{StrToMult}$ that transforms a string $s$ into a multivector $\bar{M} \in \mathbb{G}^3$ while defining that the computation of the coefficients of $\bar{M}$ will be reduced modulo $q \in \mathbb{N}$. We define the syntax as $\bar{M} = \mathrm{StrToMult}_{mod}(s, b, q)$.

Definition 5.7.1.6. (Random Multivector) Given a positive integer $b$, we generate the random coefficients $r_0, r_1, r_2, r_3, r_{12}, r_{13}, r_{23}, r_{123}$, uniformly selected from the set $\{0, \dots, 2^b - 1\}$, as the coefficients of $\bar{R} \in \mathbb{G}^3$ and return $\bar{R}$. We define the syntax as $\bar{R} = \mathrm{RandMult}(b)$.

Definition 5.7.1.7. $\mathrm{RandMult}_{mod}$ is a variation of $\mathrm{RandMult}$ that generates a multivector $\bar{R} \in \mathbb{G}^3$ with random $b$-bit coefficients while defining that the computation of each coefficient will be reduced modulo $q \in \mathbb{N}$. We define the syntax as $\bar{R} = \mathrm{RandMult}_{mod}(b, q)$.


5.7.2 Key Exchange Protocol

When two parties want to establish a secret communication they might resort to a cryp- tographic protocol known as Key Exchange or Key Agreement [233, 234]. We introduce a family of algorithms for a GA-based Key Exchange protocol denoted by Exch, which are efficient algorithms (i.e., probabilistic polynomial-time) designed for a peer-to-peer setting, where each shared secret key is used only once per communication event. We define its syntax as

$$\mathrm{Exch} = (\mathrm{Init}_{party}, \mathrm{PCI}_{party}, \mathrm{Subkey}_{party}, \mathrm{Exch}_{party}). \tag{5.70}$$

For any two parties, generically named Party 1 and Party 2, the following algorithms

apply. Each party has a public ID, denoted by $\bar{Pu}$, and a private ID, denoted by $\bar{Pr}$. In order to initiate a key exchange, we need to initialize both parties, as shown in Definition 5.7.2.1, and have them agree on a public communication identifier $\bar{G}$ that is generated according to Definition 5.7.2.2. Each party will compute their sub-key, as defined in Definition 5.7.2.3, which will be exchanged so both parties can compute the same secret key locally, according to Definition 5.7.2.4.

Definition 5.7.2.1. (Party Initialization) Given $\lambda$, a parameter that specifies the bit length of the desired shared secret key, and an index $i$, compute $b = \lambda/8$, let $q$ be the smallest prime greater than $2^b$ and generate $\bar{Pr}_i$ and $\bar{Pu}_i$:

$$\bar{Pr}_i = \mathrm{RandMult}_{mod}(b, q), \qquad \bar{Pu}_i = \mathrm{RandMultNI}_{mod}(b, q), \tag{5.71}$$

where $\bar{Pr}_i$ is composed of eight distinct coefficients. We return $(\bar{Pr}_i, \bar{Pu}_i)$ and we define the syntax as $(\bar{Pr}_i, \bar{Pu}_i) = \mathrm{Init}_{party}(\lambda, i)$.

Definition 5.7.2.2. (Public Communication Identifier) Given two public party identifiers, $\bar{Pu}_1$ and $\bar{Pu}_2$, generate the public communication identifier as $\bar{G} = \bar{Pu}_1 \bar{Pu}_2$. We return $\bar{G}$ and we define the syntax as $\bar{G} = \mathrm{PCI}_{party}(\bar{Pu}_1, \bar{Pu}_2)$.

Definition 5.7.2.3. (SubKey)


Given the party private ID $\bar{Pr}_i$, the public communication identifier $\bar{G}$, and the index $i$, generate the subkey $\bar{S}_i$ such that if $i = 1$, then $\bar{S}_1 = \bar{Pr}_1 \bar{G}$; if $i = 2$, then $\bar{S}_2 = \bar{G} \bar{Pr}_2$. We return $\bar{S}_i$ and we define the syntax as $\bar{S}_i = \mathrm{Subkey}_{party}(\bar{Pr}_i, \bar{G}, i)$.

Definition 5.7.2.4. (Exchange) Given Party 1 subkey $\bar{S}_1$, Party 2 subkey $\bar{S}_2$, the public communication identifier $\bar{G}$, and the index $i$, generate the shared secret key $\bar{K}_i$ such that if $i = 1$, then $\bar{K}_1 = \bar{Pr}_1 \bar{S}_2 \bar{G} + \bar{G} + 1$; if $i = 2$, then $\bar{K}_2 = \bar{S}_1 \bar{Pr}_2 \bar{G} + \bar{G} + 1$. Return $\bar{K}_i$. We write $\bar{K}_i = \mathrm{Exch}_{party}(\bar{S}_i, \bar{Pr}_i, \bar{G}, i)$. Substituting the subkeys shows that both parties obtain the same value, $\bar{K}_1 = \bar{K}_2 = \bar{Pr}_1 \bar{G} \bar{Pr}_2 \bar{G} + \bar{G} + 1$, by associativity of the geometric product.

Now we illustrate how the above algorithms work together to compose our key exchange protocol. Given that Alice (Party 1) and Bob (Party 2) agreed upon a value for $\lambda$, the key exchange routine proceeds as follows:

1. Alice generates her identification:

$$(\bar{Pr}_1, \bar{Pu}_1) = \mathrm{Init}_{party}(\lambda, 1) \tag{5.72}$$

2. Bob generates his identification:

$$(\bar{Pr}_2, \bar{Pu}_2) = \mathrm{Init}_{party}(\lambda, 2) \tag{5.73}$$

3. Alice and Bob establish a public communication identifier:

$$\bar{G} = \mathrm{PCI}_{party}(\bar{Pu}_1, \bar{Pu}_2) \tag{5.74}$$

4. Alice generates and sends to Bob her subkey:

$$\bar{S}_1 = \mathrm{Subkey}_{party}(\bar{Pr}_1, \bar{G}, 1) \tag{5.75}$$

5. Bob generates and sends to Alice his subkey:

$$\bar{S}_2 = \mathrm{Subkey}_{party}(\bar{Pr}_2, \bar{G}, 2) \tag{5.76}$$

6. Alice privately calculates the shared secret key:

$$\bar{K}_1 = \mathrm{Exch}_{party}(\bar{S}_2, \bar{Pr}_1, \bar{G}, 1) \tag{5.77}$$

7. Bob privately calculates the shared secret key:

$$\bar{K}_2 = \mathrm{Exch}_{party}(\bar{S}_1, \bar{Pr}_2, \bar{G}, 2) \tag{5.78}$$

8. Alice and Bob now share the same secret key.

5.7.3 Edge Computing Protocol

One could wonder how useful and/or realistic a key exchange protocol is when it generates secret keys that are meant to be used only once. In order to provide an answer with insights for real-world applications, we discuss a scenario where a device requests access to a server. Prior to granting access, the server and the device must agree upon a secret key that is generated and used only once. This can be seen as a device handshake technique [235–237] for establishing communications between devices in an Edge Computing setting [238, 239]. To solve this problem, we propose a protocol for edge computing that is based on the key exchange protocol discussed in Section 5.7.2.

Definition 5.7.3.1. The Edge Computing protocol is composed of the family of algorithms ES (Edge Server) and ED (Edge Device).

Definition 5.7.3.2. The Edge Server family of algorithms is denoted by

$$\mathrm{ES} = (\mathrm{Init}_{server}, \mathrm{InitReq}_{server}, \mathrm{Reg}_{server}, \mathrm{ReqData}_{server}), \tag{5.79}$$

such that:

1. Initserver initializes a server instance;

2. InitReqserver processes a device’s access authorization request;

3. Regserver authorizes a device to access the server instance;

4. ReqDataserver processes a device’s data access request.

Definition 5.7.3.3. The Edge Device family of algorithms is denoted by

$$\mathrm{ED} = (\mathrm{Init}_{device}, \mathrm{Exch}_{device}, \mathrm{Rec}_{device}) \tag{5.80}$$


such that:

1. Initdevice initializes a device instance;

2. Exchdevice processes the server’s authorization response;

3. Recdevice processes the data received by the server.

The Edge Computing protocol is described next:

1. A server is initiated: $s = \mathrm{Init}_{server}(\lambda)$.

2. A device is initiated: $d = \mathrm{Init}_{device}(\lambda)$.

3. The device sends $\bar{Pu}_2$ to the server, which initiates the device's request by computing $\bar{G}$ and the subkey $\bar{S}_1$: $s = \mathrm{InitReq}_{server}(\bar{Pu}_2)$. The server sends $\bar{S}_1$ to the device.

4. Upon receiving the subkey from the server, the device computes its subkey and the shared secret key: $d = \mathrm{Exch}_{device}(\bar{Pu}_1, \bar{S}_1)$. The device sends $\bar{S}_2$ to the server.

5. Upon receiving the subkey $\bar{S}_2$ from the device, the server registers and authorizes the device by computing $s = \mathrm{Reg}_{server}(\bar{Pu}_2, \bar{S}_2)$.

6. The device sends its public ID $\bar{Pu}_2$ and a datum ID $j$ to the server, which processes and encrypts the request: $\bar{C} = \mathrm{ReqData}_{server}(\bar{Pu}_2, j)$. The server sends $\bar{C}$ to the device.

7. The device processes $\bar{C}$ in order to obtain $\bar{D}$, computed as $\bar{D} = \mathrm{Rec}_{device}(\bar{C})$.

5.7.4 Hash Algorithm

A secure hash algorithm is meant to be a one-way function, that is, a function that is easy to compute and to verify but infeasible to invert [240]. With elementary functions in GA, the use of rounds, and coefficients reduced to a certain modulus, we propose a lightweight, simple, and yet promising GA-based hash algorithm. Let the bit size of the message digest generated by the hash algorithm be denoted by $\lambda$. We define an iterative hash algorithm consisting of one-way hash functions that are able to process a message and result in a condensed representation called the message digest. The proposed GA-based hash algorithm can be used for a variety of applications, including determining a message's integrity, and it is denoted as $h = \mathrm{GAHash}_{dige}(\lambda, s)$, where $\mathrm{GAHash}$ (see Definition 5.7.4.3) is the combination of the algorithms $\mathrm{GAHash}_{prep}$ (Definition 5.7.4.1) and $\mathrm{GAHash}_{sche}$ (Definition 5.7.4.2).

Definition 5.7.4.1. (Preprocessing) Given $\lambda$, a string $s$, $b = \lambda/8$, and $q = 2^b$, we transform $s$ into a multivector $\bar{M}$ as $\bar{M} = \mathrm{StrToMult}(s, b)$ and we reduce each coefficient of $\bar{M}$ modulo $q$; all the GA computation will be performed reduced modulo $q$. We compute a value multivector $\bar{V}$, where each coefficient of $\bar{V}$ is the first $b$ bits of the fractional part of a value derived from one of the first eight prime numbers. Return $(\bar{V}, \bar{M})$. We define the syntax as $(\bar{V}, \bar{M}) = \mathrm{GAHash}_{prep}(\lambda, s)$.

Definition 5.7.4.2. (Message Schedule) Given a number $r$ of rounds, successively update $\bar{V}$ and $\bar{M}$ as follows:

$$\bar{V} \leftarrow \bar{V}^\dagger + \bar{V} \bar{V} \bar{V} + \bar{V}^\dagger, \qquad \bar{M} \leftarrow \bar{V}^\dagger \bar{M} - \bar{M} \bar{M} - \bar{M}. \tag{5.81}$$

We let $h$ be the concatenation of the coefficients of $\bar{M}$ converted to hexadecimal. Return $h$. We define the syntax as $h = \mathrm{GAHash}_{sche}(\bar{V}, \bar{M})$.

Definition 5.7.4.3. (GA Hash) Given $\lambda$ and a string $s$, compute $\bar{V}$ and $\bar{M}$ such that $(\bar{V}, \bar{M}) = \mathrm{GAHash}_{prep}(\lambda, s)$, then compute the hash value $h = \mathrm{GAHash}_{sche}(\bar{V}, \bar{M})$. Return $h$. We define the syntax as $h = \mathrm{GAHash}_{dige}(\lambda, s)$.

Remark 17. A hash function, to be considered secure, is expected to be collision resistant (i.e., it must be infeasible to find two different inputs that have the same hash value), preimage resistant (or have the one-way property, i.e., given a randomly chosen $h$ it must be infeasible to find $s$ such that $h = \mathrm{GAHash}_{dige}(\lambda, s)$ for any fixed $\lambda$), and second preimage resistant (given $s$ and its corresponding $h$, it must be infeasible to find a second input $s' \neq s$ whose corresponding $h'$ satisfies $h = h'$) [241]. An evident future direction of this research is investigating whether these properties are present in our proposed hash function.

5.7.5 Private-Key Encryption Scheme

We now propose a combination of many of the ideas discussed in the previous sections in order to introduce a probabilistic private-key encryption scheme. In order to provide concrete insight into the security of the proposed encryption scheme, we shall introduce some strong assumptions while attempting to avoid making them too strong. We will then claim security based on those assumptions. In order to provide probabilistic encryption (encrypting the same input multiple times will randomly generate different ciphertexts), we will use a variation of the $\mathrm{RandMult}_{mod}$ algorithm, as stated in Definition 5.7.5.1.

Definition 5.7.5.1. Algorithm $\mathrm{NumToRandMult}_{mod}$ is a variation of $\mathrm{RandMult}_{mod}$ that generates a random multivector $\bar{M}$ where $m_0, m_1, m_2, m_{12}, m_{13}, m_{23}, m_{123}$ are coefficients uniformly selected from $\{0, \dots, 2^b - 1\}$ and $m_3$ is defined to be the number passed as input, such that $m_3 = n$. We define the syntax as $\bar{M} = \mathrm{NumToRandMult}_{mod}(n, b, q)$.

Definition 5.7.5.2. For the proposed private-key scheme, we consider three spaces: the key space $\mathcal{K}$, containing all possible secret keys, the message space $\mathcal{M}$, containing all possible messages, and the ciphertext space $\mathcal{C}$, containing all possible ciphertexts.

Definition 5.7.5.3. The private-key encryption scheme $\Pi$ is composed of three polynomial-time algorithms that we denote by $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$, such that

1. $\mathrm{Gen}$ is a probabilistic polynomial-time algorithm that takes the security parameter $\lambda$ as input and outputs a uniformly generated secret key, which is an invertible multivector $\bar{K} \in \mathcal{K}$, such that $b = \lambda/8$ and $q$ is the first prime greater than $2^b$, where $b$ and $q$ are public. We define the syntax as $(\bar{K}, b, q) \leftarrow \mathrm{Gen}(\lambda)$.

2. $\mathrm{Enc}$ is a probabilistic polynomial-time algorithm that takes a secret key $\bar{K} \in \mathcal{K}$ and a message $m \in \mathcal{M}$ as input and outputs a ciphertext $\bar{C} \in \mathcal{C}$. We start by setting $\bar{C}_0 = \bar{M}$, where $\bar{M} = \mathrm{NumToRandMult}_{mod}(m, b, q)$, and $\bar{K}_0 = \bar{K}$. Then, for $i = 1 \dots r$, where $r$ is a fixed value that determines how many rounds will be executed, $\bar{C}_i$ is computed as follows:

$$\bar{K}_i = \bar{K}_{i-1}^\dagger + \bar{K}_{i-1} \bar{K}_{i-1} \bar{K}_{i-1} + \bar{K}_{i-1}^\dagger, \qquad \bar{C}_i = \bar{K}_{i-1}^\dagger \bar{K}_{i-1} \bar{C}_{i-1} \bar{K}_{i-1} \bar{K}_{i-1}^\dagger. \tag{5.82}$$

At the end of the $r$-th iteration, we set $\bar{C} = \bar{C}_r$. We write $\bar{C} \leftarrow \mathrm{Enc}(\bar{K}, m)$.

3. $\mathrm{Dec}$ is a deterministic polynomial-time algorithm that takes a secret key $\bar{K} \in \mathcal{K}$ and a ciphertext $\bar{C} \in \mathcal{C}$ as input and outputs the message $m \in \mathcal{M}$ as follows:


We set $\bar{K}_0 = \bar{K}$ and $\bar{C}_r = \bar{C}$. Then, for $i = 1 \dots r$, we compute all $\bar{K}_i$:

$$\bar{K}_i = \bar{K}_{i-1}^\dagger + \bar{K}_{i-1} \bar{K}_{i-1} \bar{K}_{i-1} + \bar{K}_{i-1}^\dagger. \tag{5.83}$$

Then, for $i = r \dots 1$, we compute all $\bar{C}_i$ as follows:

$$\bar{C}_{i-1} = \bar{K}_{i-1}^{-1} \left( \bar{K}_{i-1}^\dagger \right)^{-1} \bar{C}_i \left( \bar{K}_{i-1}^\dagger \right)^{-1} \bar{K}_{i-1}^{-1}, \tag{5.84}$$

which inverts (5.82) round by round with the same $\bar{K}_{i-1}$ that produced $\bar{C}_i$; this requires every round key $\bar{K}_{i-1}$ (and hence its reverse $\bar{K}_{i-1}^\dagger$) to be invertible, not only $\bar{K}_0$. At the end of the $r$-th round we set $\bar{M} = \bar{C}_0$ and $m = m_3$. We define the syntax as $m = \mathrm{Dec}(\bar{K}, \bar{C})$.

Remark 18. The encryption algorithm is inspired by the message schedule $\mathrm{GAHash}_{sche}$ and hence is assumed here to be a one-way function.

Remark 19. The encryption scheme can work with the secret key generated by $\mathrm{Gen}$, as defined in Definition 5.7.5.3, or might consider an agreed secret key generated by the key exchange protocol $\mathrm{Exch}$.
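As an added, runnable illustration (not the dissertation's Ruby library, and making no claim about security), the block below implements $\mathbb{G}^3_q$ arithmetic in Python and then the constructions of Sections 5.6.1 and 5.6.2 ($\mathrm{Gen}$, $\mathrm{Enc}$, $\mathrm{Dec}$, $\mathrm{Add}$, $\mathrm{TokGen}$, $\mathrm{KeyUpd}$), the key exchange of Section 5.7.2 and the round-based scheme of Section 5.7.5. Assumptions made here: $\lambda = 128$, so $b = 16$ and $q = 65537$; public IDs in the key exchange are plain random multivectors, because $\mathrm{RandMultNI}_{mod}$ is not defined in this section; the secret key of 5.7.5 is redrawn until every round key $\bar{K}_i$ is invertible, which the text does not state but $\mathrm{Dec}$ needs; multivector inverses are obtained by solving the $8 \times 8$ left-multiplication system rather than by a closed formula; and step 3 of $\mathrm{Dec}$ in 5.6.1 (re-mapping $m$ to a rational) is omitted.

```python
import random
# Added demo, not the dissertation's Ruby library: Cl(3,0) over Z_q with coefficients in the text's
# order m0,m1,m2,m3,m12,m13,m23,m123; blades are bitmasks over e1,e2,e3 (e12 = 0b011, e13 = 0b101, ...).
BLADES = (0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111)
IDX = {blade: i for i, blade in enumerate(BLADES)}
ONE = (1, 0, 0, 0, 0, 0, 0, 0)
SIGNS = (1, 1, -1, -1, 1, 1, -1, -1)  # eq. (5.63): m = |m0+m1-m2-m3+m12+m13-m23-m123|_q

def _sign(a, b):                      # sign of the blade product a*b: parity of anticommuting swaps
    s, a = 0, a >> 1
    while a:
        s, a = s + bin(a & b).count("1"), a >> 1
    return -1 if s & 1 else 1
def gmul(x, y, q):                    # geometric product with coefficients reduced mod q
    out = [0] * 8
    for i, a in enumerate(BLADES):
        for j, b in enumerate(BLADES):
            out[IDX[a ^ b]] += _sign(a, b) * x[i] * y[j]
    return tuple(v % q for v in out)
def gadd(x, y, q): return tuple((u + v) % q for u, v in zip(x, y))
def gscale(x, s, q): return tuple(v * s % q for v in x)
def grev(x, q):                       # reversion (dagger): negate the grade-2 and grade-3 parts
    return tuple(v if bin(b).count("1") < 2 else -v % q for v, b in zip(x, BLADES))
def ginv(x, q):                       # solve x*v = 1 via the 8x8 left-multiplication matrix mod prime q
    cols = [gmul(x, tuple(int(k == j) for k in range(8)), q) for j in range(8)]
    rows = [[cols[j][i] for j in range(8)] + [int(i == 0)] for i in range(8)]
    for c in range(8):
        piv = next((r for r in range(c, 8) if rows[r][c]), None)
        if piv is None:
            return None               # singular: the text draws a fresh key in that case
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [v * pow(rows[c][c], -1, q) % q for v in rows[c]]
        for r in [r for r in range(8) if r != c and rows[r][c]]:
            rows[r] = [(u - rows[r][c] * v) % q for u, v in zip(rows[r], rows[c])]
    return tuple(rows[i][8] for i in range(8))
def params(lam):                      # b = lambda/8 and q = smallest prime above 2^b (trial division)
    b = lam // 8
    return b, next(n for n in range(2 ** b + 1, 2 ** (b + 1)) if all(n % d for d in range(2, int(n ** 0.5) + 1)))
def rand_mv(b, q, rng): return tuple(rng.randrange(2 ** b) % q for _ in range(8))
def rand_inv_mv(b, q, rng):           # redraw until the multivector has an inverse, as Gen prescribes
    k = rand_mv(b, q, rng)
    return k if ginv(k, q) is not None else rand_inv_mv(b, q, rng)

def he_gen(lam, rng):                 # 5.6.1 Gen: sk = (K1, K2, g), K1 and K2 invertible, g != 0; pk = (b, q)
    b, q = params(lam)
    return (rand_inv_mv(b, q, rng), rand_inv_mv(b, q, rng), rng.randrange(1, 2 ** b)), (b, q)
def he_enc(sk, pk, m, rng):           # 5.6.1 Enc: random coefficients, m12 fixed by eq. (5.61), C = K1 (M g) K2
    (K1, K2, g), (b, q) = sk, pk
    c = [rng.randrange(2 ** b) for _ in range(8)]
    c[4] = (m - sum(s * v for i, (s, v) in enumerate(zip(SIGNS, c)) if i != 4)) % q
    return gmul(gmul(K1, gscale(tuple(c), g, q), q), K2, q)
def he_dec(sk, pk, C):                # 5.6.1 Dec: M = K1^-1 C K2^-1 / g, then fold with eq. (5.63)
    (K1, K2, g), q = sk, pk[1]
    M = gscale(gmul(gmul(ginv(K1, q), C, q), ginv(K2, q), q), pow(g, -1, q), q)
    return sum(s * v for s, v in zip(SIGNS, M)) % q
def tokgen(sk_old, sk_new, q):        # 5.6.2 TokGen: T1 = K21 K11^-1 g1^-1 g2, T2 = K12^-1 K22
    (K11, K12, g1), (K21, K22, g2) = sk_old, sk_new
    return gscale(gmul(K21, ginv(K11, q), q), pow(g1, -1, q) * g2 % q, q), gmul(ginv(K12, q), K22, q)
def keyupd(tok, C, q): return gmul(gmul(tok[0], C, q), tok[1], q)   # 5.6.2 KeyUpd: C_new = T1 C_old T2

def key_exchange(pk, rng):            # 5.7.2; Pu taken as plain random multivectors (RandMultNI not defined here)
    b, q = pk
    Pr1, Pu1, Pr2, Pu2 = (rand_mv(b, q, rng) for _ in range(4))
    G = gmul(Pu1, Pu2, q)                                          # public communication identifier
    S1, S2 = gmul(Pr1, G, q), gmul(G, Pr2, q)                      # subkeys, exchanged in the clear
    K1 = gadd(gmul(gmul(Pr1, S2, q), G, q), gadd(G, ONE, q), q)    # Alice: Pr1 S2 G + G + 1
    K2 = gadd(gmul(gmul(S1, Pr2, q), G, q), gadd(G, ONE, q), q)    # Bob:   S1 Pr2 G + G + 1
    return K1, K2

def round_keys(K, r, q):              # eq. (5.82)/(5.83): K_i = K_{i-1}^dag + K_{i-1}^3 + K_{i-1}^dag
    keys = [K]
    for _ in range(r):
        Kp, Kd = keys[-1], grev(keys[-1], q)
        keys.append(gadd(gadd(Kd, gmul(gmul(Kp, Kp, q), Kp, q), q), Kd, q))
    return keys
def pk_enc(K, m, r, b, q, rng):       # 5.7.5 Enc: C_i = K^dag K C_{i-1} K K^dag with K = K_{i-1}
    C = list(rand_mv(b, q, rng)); C[3] = m % q; C = tuple(C)     # NumToRandMult_mod: m goes in m3
    for Ki in round_keys(K, r, q)[:-1]:
        Kd = grev(Ki, q)
        C = gmul(gmul(gmul(gmul(Kd, Ki, q), C, q), Ki, q), Kd, q)
    return C
def pk_dec(K, C, r, q):               # 5.7.5 Dec, eq. (5.84): undo the rounds in reverse order
    for Ki in reversed(round_keys(K, r, q)[:-1]):
        Ki_inv, Kd_inv = ginv(Ki, q), ginv(grev(Ki, q), q)
        C = gmul(gmul(gmul(gmul(Ki_inv, Kd_inv, q), C, q), Kd_inv, q), Ki_inv, q)
    return C[3]

def demo(seed=7, lam=128, r=3):       # returns (add ok, key update ok, exchanged keys equal, rounds ok)
    rng = random.Random(seed)
    (sk1, pk), (sk2, _) = he_gen(lam, rng), he_gen(lam, rng)
    b, q = pk
    C1, C2 = he_enc(sk1, pk, 1234, rng), he_enc(sk1, pk, 4321, rng)
    ok_add = he_dec(sk1, pk, gadd(C1, C2, q)) == (1234 + 4321) % q           # 5.6.1 Add
    ok_upd = he_dec(sk2, pk, keyupd(tokgen(sk1, sk2, q), C1, q)) == 1234     # ownership transfer
    K1, K2 = key_exchange(pk, rng)
    K = rand_inv_mv(b, q, rng)        # every round key must be invertible too, or pk_dec cannot undo it
    while any(ginv(k, q) is None for k in round_keys(K, r, q)[:-1]):
        K = rand_inv_mv(b, q, rng)
    ok_rounds = pk_dec(K, pk_enc(K, 999, r, b, q, rng), r, q) == 999
    return ok_add, ok_upd, K1 == K2, ok_rounds
```

`demo()` returns four booleans: the homomorphic sum decrypts to $m_1 + m_2 \bmod q$, the key-updated ciphertext decrypts under the new key without ever being decrypted under the old one, Alice's and Bob's keys coincide, and the round-based scheme round-trips. The inverse is computed by Gaussian elimination over $\mathbb{Z}_q$ because that also gives a clean "no inverse" signal, which is exactly the retry condition $\mathrm{Gen}$ describes.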

5.8 Conclusions

We demonstrated that even a fixed set of elementary algebraic operations in GA can be useful for building cryptographic tools. In our exposition, we introduced several encryption schemes, a framework for homomorphic image processing, mechanisms for data representation and data hiding, a key exchange protocol that is applied to an edge computing application, a hash algorithm, and a private-key encryption scheme. These constructions are obviously not intended to be final; however, we hope it is evident how computationally inexpensive they are in comparison with their promising security properties, based on the observation of their underlying mathematical operations. Based on a very simple blueprint, we proposed a hash algorithm whose goal is that its message digest is equivalent to the output of a one-way function. We introduced a private-key encryption scheme that can work in conjunction with the key exchange protocol or rely solely on its randomized and round-based encryption function.

CHAPTER 6

Security with p-adic Numbers and GA

We dedicate this chapter to discussions on the security of constructions based on p-adic numbers and GA. For the case of p-adic numbers we introduce a private-key leveled FHE scheme. For the case of GA we will discuss how GA can be used as an alternative and advantageous way to implement lattice cryptography.

6.1 Private-Key Leveled FHE Scheme

We introduce a private-key leveled FHE scheme that is built upon Hensel codes (also known as finite-segment $p$-adic arithmetic [70, 72, 123, 242]), a mathematical resource with interesting properties that allows us to produce a conceptually simple and significantly compact construction that is secure under the decisional approximate-gcd assumption. Although one can easily translate our ideas to conventional modular arithmetic and the Chinese Remainder Theorem (CRT), it is actually from the theory of Hensel codes that we find an opportunity to construct an encryption function whose hardness is equivalent to a non-trivial instance of the approximate-gcd problem. Additionally, introducing our construction from the perspective of Hensel codes allows us to simplify notation and keep the discussion condensed, which favors readability significantly. We aim to show that our encryption scheme is simple, efficient, and suitable for real-world applications. We allow our construction to accept plaintext messages $m \in \mathbb{Z}_{p_1}$ for a uniform $\lambda$-bit prime $p_1$, as opposed to $m \in \{0, 1\}$, which significantly and positively impacts our ciphertext expansion. We show that a weaker version of our scheme seems to resist known attacks related to the approximate-gcd problem, such as attacks based on the gcd of two numbers, continued fractions, Howgrave-Graham's lattice attack, and the regular simultaneous Diophantine approximation (SDA). However, we discuss a variation of the SDA, that is, a two-stage lattice attack that succeeds against our weaker scheme while giving us insights on how to produce a stronger construction. Our construction is similar to the work of van Dijk, Gentry, Halevi, and Vaikuntanathan [135], the DGHV scheme, in at least two ways: 1) we share the same security assumption, that is, the approximate-gcd problem, and 2) both constructions are conceptually simple, although we hope to introduce an even simpler encryption scheme.

6.2 Target Definitions

Now we review the target definitions that we aim to satisfy with our scheme. A private-key leveled FHE scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ is a tuple of efficient algorithms such that

• $\mathrm{Gen}$ takes $1^\lambda$ and $1^d$ as arguments and outputs a private key $sk$ and a public evaluation key $evk$. $\mathrm{Gen}$ implicitly defines a message space $\mathcal{P}$. We define this syntax as $(sk, evk) \leftarrow \mathrm{Gen}(1^\lambda, 1^d)$.

• $\mathrm{Enc}$ takes a secret key $sk$ and a message $m$ as arguments and outputs a ciphertext $c$. We define this syntax as $c \leftarrow \mathrm{Enc}(sk, m)$.

• $\mathrm{Dec}$ takes a secret key $sk$ and a ciphertext $c$ as arguments and outputs a message $m$. We define this syntax as $m = \mathrm{Dec}(sk, c)$.

• $\mathrm{Eval}$ takes the public evaluation key $evk$, a circuit $C^d$ with depth at most $d$, and $t$ ciphertexts $c_1, \dots, c_t$ as arguments and outputs a ciphertext $c$. We define this syntax as $c = \mathrm{Eval}(evk, C^d, c_1, \dots, c_t)$.

For all $(sk, evk)$ output by $\mathrm{Gen}$, all $m_1, \dots, m_t \in \mathcal{P}$, all $c_x$ output by $\mathrm{Eval}$ and all $c_y$ output by $\mathrm{Enc}$:

• Correctness is required such that

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, m_1)) = m_1, \tag{6.1}$$

$$\mathrm{Dec}\left(sk, \mathrm{Eval}\left(evk, C^d, (c_1, \dots, c_t)\right)\right) = C^d(m_1, \dots, m_t). \tag{6.2}$$


• Compactness is required such that

$$\mathrm{time}(\mathrm{Dec}(sk, c_x)) \approx \mathrm{time}(\mathrm{Dec}(sk, c_y)), \tag{6.3}$$

$$|c_x| = |c_y|. \tag{6.4}$$

• Circuit privacy is required such that, given a function $\mathcal{D}$ that obtains the distribution of any given algorithm, the following holds:

$$\mathcal{D}(\mathrm{Eval}) = \mathcal{D}(\mathrm{Enc}). \tag{6.5}$$

The security notion we target is CPA-security, which is described in the following experiment:

Definition 6.2.0.1. ([34] The CPA Indistinguishability Experiment $\mathrm{PrivK}^{cpa}_{\mathcal{A}, \Pi}(\lambda)$)

1. $\mathrm{Gen}(1^\lambda)$ outputs a secret key $sk$.

2. $1^\lambda$ is given to the adversary $\mathcal{A}$ together with oracle access to $\mathrm{Enc}(sk, \cdot)$. $\mathcal{A}$ outputs the messages $m_0, m_1$ such that $|m_0| = |m_1|$.

3. A uniform bit $b \in \{0, 1\}$ is selected and a ciphertext $c \leftarrow \mathrm{Enc}(sk, m_b)$ is given to $\mathcal{A}$.

4. While continuing to have access to $\mathrm{Enc}(sk, \cdot)$, $\mathcal{A}$ outputs a bit $b'$.

5. If $b = b'$, the experiment outputs 1, and 0 otherwise. We say that $\mathcal{A}$ succeeds if $\mathrm{PrivK}^{cpa}_{\mathcal{A}, \Pi}(\lambda) = 1$.

Definition 6.2.0.2. [34] A private-key leveled FHE scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ has indistinguishable encryptions under a chosen-plaintext attack, or is CPA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there is a negligible function $\mathrm{negl}$ such that, for all $\lambda$,

$$\Pr\left[\mathrm{PrivK}^{cpa}_{\mathcal{A}, \Pi}(\lambda) = 1\right] \leq \frac{1}{2} + \mathrm{negl}(\lambda), \tag{6.6}$$

where the probability is taken over the randomness used by $\mathcal{A}$ and the randomness used in the experiment (for choosing the key and the bit $b$, as well as any randomness used by $\mathrm{Enc}$).

6.2.1 The Concrete Construction

Now we introduce the concrete construction for our private-key leveled FHE scheme:

• $\mathrm{Gen}$ takes $1^\lambda$ and $1^d$ as input, computes $r = \lceil \log_2(\lambda^2 / 2) \rceil$, then uniformly chooses the $\lambda$-bit primes $p_1, p_2, p_3$ and the $d(6\lambda r - 2\lambda)$-bit primes $p_4, p_5$; $g$ is defined as $g = \prod_{i=1}^{5} p_i$, such that $sk = (p_1, p_4)$ and $evk = g$. The message space is then defined as $\mathcal{P} = \mathbb{Z}_{p_1}$. $\mathrm{Gen}$ outputs $(sk, evk)$ and we define the syntax as $(sk, evk) \leftarrow \mathrm{Gen}(1^\lambda, 1^d)$.

• $\mathrm{Enc}$ takes $sk$, $evk$, and a message $m$ as arguments and proceeds as follows:

1. Generate $4r$ uniform random values $s_i$ such that $s_i \leftarrow \{0, \dots, p_1 - 1\}$.

2. Compute $\alpha_i$ and $\beta_i$ for all $i = 1 \dots r$ such that

$$\alpha_i = H_g^{-1}\left((p_1, p_2, p_3), (m, s_{4i-3}, s_{4i-2})\right), \tag{6.7}$$

$$\beta_i = H_g^{-1}\left((p_1, p_2, p_3), (1, s_{4i-1}, s_{4i})\right). \tag{6.8}$$

Then, compute $c$ such that

$$c = H(p_4, \alpha_1) \cdot H(p_4, \beta_1) \cdot \prod_{i > 1}^{r} H(p_4, \alpha_i) \cdot H(p_4, \beta_i) \cdot H\left(p_4, \alpha_i^{-1}\right) \bmod g. \tag{6.9}$$

We define the syntax as $c \leftarrow \mathrm{Enc}(sk, evk, m)$. Note that evaluating $H_g^{-1}$ in (6.7) and (6.8) requires $p_2$ and $p_3$ as well, so the encryptor must keep them alongside $sk$; $\mathrm{Dec}$ below uses only $p_1$ and $p_4$.

• $\mathrm{Dec}$ takes $sk$ and $c$ as arguments and computes $\alpha = H^{-1}(p_4, c)$ and retrieves the message $m$ such that $m = H(p_1, \alpha)$. $\mathrm{Dec}$ outputs $m$ and we define the syntax as $m = \mathrm{Dec}(sk, c)$.

• $\mathrm{Eval}$ takes $evk$, a binary circuit $C^d$, and $t$ ciphertexts $c_1, \dots, c_t$ as input and computes the corresponding arithmetic gates of $C^d$ with the input ciphertexts while carrying all computations over the integers. $\mathrm{Eval}$ outputs the result of all computations as a new ciphertext $c$ and we define the syntax as $c = \mathrm{Eval}(evk, C^d, (c_1, \dots, c_t))$.

Lemma 6.2.1.1. For all $sk$ output by $\mathrm{Gen}$ and all $m \in \mathcal{P}$, the following holds:

$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m. \tag{6.10}$$


Proof. In $\mathrm{Enc}$, a message $m$ is transformed into an order-$N$ Farey fraction $a/b$ that is then transformed into a ciphertext $c$, which is the Hensel code of $a/b$ under $p_4$. According to Theorem 4.1.2.1, $a/b$ is a convergent of $c/p_4$. We know that the EEA computes all the convergents of $c/p_4$ and, in particular, $H^{-1}(p_4, c)$ computes a single convergent of $c/p_4$, which is the first convergent for which $a \leq N$. Since $c$ encodes $a/b$ and $H^{-1}(p_4, c)$ only computes a single convergent of $c/p_4$, it is guaranteed that $a/b = H^{-1}(p_4, c)$, since the modified EEA only computes a single convergent, that is, the first convergent. By computing $H(p_1, a/b)$, we obtain the first element of the Hensel code tuple $(m, s_1, s_2)$, since we are only using $p_1$. $\square$

The correctness of the decryption of homomorphic evaluations is captured by Lemma 6.2.1.2.

Lemma 6.2.1.2. For all $(sk, evk)$ output by $\mathrm{Gen}$, all $m_1, \dots, m_t \in \mathcal{P}$, and all $c_1, \dots, c_t$ output by $\mathrm{Enc}$, the following holds:

$$\mathrm{Dec}\left(sk, \mathrm{Eval}\left(evk, C^d, (c_1, \dots, c_t)\right)\right) = C^d(m_1, \dots, m_t). \tag{6.11}$$

Proof. Recall that in $\mathrm{Enc}$, every message $m$ is transformed into a rational $a/b$. Let $c_1$ and $c_2$ be the ciphertexts for $m_1$ and $m_2$. We can rearrange them as

$$c_1 = \frac{a_1 + k_1 p_4}{b_1}, \qquad c_2 = \frac{a_2 + k_2 p_4}{b_2}. \tag{6.12}$$

Computing $c_1 + c_2$ gives

$$c_1 + c_2 = \frac{a_2 b_1 + a_1 b_2 + b_1 k_2 p_4 + b_2 k_1 p_4}{b_1 b_2}. \tag{6.13}$$

If we let

$$a_3 = a_2 b_1 + a_1 b_2, \qquad k_3 p_4 = b_1 k_2 p_4 + b_2 k_1 p_4, \qquad b_3 = b_1 b_2, \tag{6.14}$$

then we have

$$c_3 = \frac{a_3 + k_3 p_4}{b_3}, \tag{6.15}$$

which is in the same form as (6.12), and $m_3 = m_1 + m_2$ is obtained by $m_1 + m_2 = H\left(p_1, H^{-1}(p_4, c_3)\right)$. Computing $c_1 - c_2$ gives

$$c_1 - c_2 = \frac{a_1 b_2 - a_2 b_1 + b_2 k_1 p_4 - b_1 k_2 p_4}{b_1 b_2}, \tag{6.16}$$


where we can also rewrite $c_1 - c_2$ in the same form as (6.14) and (6.15). Computing $c_1 c_2$ gives

$$c_1 c_2 = \frac{(a_1 + k_1 p_4)(a_2 + k_2 p_4)}{b_1 b_2}, \tag{6.17}$$

which can be rearranged as

$$c_1 c_2 = \frac{a_1 (a_2 + k_2 p_4) + p_4 (a_2 k_1 + k_2 k_1 p_4)}{b_1 b_2}, \tag{6.18}$$

such that if we let

$$a_3 = a_1 (a_2 + k_2 p_4), \qquad k_3 p_4 = p_4 (a_2 k_1 + k_2 k_1 p_4), \qquad b_3 = b_1 b_2, \tag{6.19}$$

then $c_1 c_2$ is in the same form as (6.15). $\square$

Lemma 6.2.1.3. The leveled FHE scheme is compact and circuit-private.

Proof. Due to how $\mathrm{Enc}$ is structured, a ciphertext $c$ is computed and then updated $r - 1$ times via homomorphic multiplications before it is output by $\mathrm{Enc}$. Therefore, the ciphertext output by $\mathrm{Enc}$ is, in fact, an evaluated ciphertext, like the ones output by $\mathrm{Eval}$, which is compliant with the definition of strong homomorphism discussed by Halevi in [154]. $\square$

Homomorphic Operations

Although each $m$ is encoded as a rational number $a/b$, all the homomorphic computations are performed over encrypted integers and decrypted back to plaintext integers. This is relevant since the encoding of every message $m$ takes three primes $p_1, p_2, p_3$ to generate a rational number $a/b$, while the decoding only considers a single Hensel digit (an integer) that is encoded by $p_1$. Thus, all the operations are preserved in terms of integers.

6.3 Security

Our end goal in this section is to provide a proof of security by reduction, where we reduce breaking our scheme to the ability of solving the approximate-gcd problem. First, let us review the mechanics of a proof of security by reduction for a private-key encryption scheme as it is shown in [34].


6.3.1 Proof by Reduction

Let $F$ be a pseudorandom function such that $F : \{0,1\}^\lambda \times \{0,1\}^\lambda \rightarrow \{0,1\}^\lambda$. We define a private-key encryption scheme $\Pi$ as follows:

• Gen takes a security parameter $1^\lambda$ as input and chooses a secret key $k$ uniformly at random such that $k \in \{0,1\}^\lambda$. Gen outputs $k$, and we write the syntax as $k \leftarrow \mathrm{Gen}(1^\lambda)$.

• Enc takes a secret key $k$ and a plaintext message $m \in \{0,1\}^\lambda$ as input. The encryption algorithm Enc is randomized: it outputs a ciphertext $c$ by first uniformly selecting a random $r \leftarrow \{0,1\}^\lambda$, where the ciphertext $c$ is a pair of elements such that $c = \langle r, F(k, r) \oplus m \rangle$. We write the syntax as $c \leftarrow \mathrm{Enc}(k, m)$.

• Dec takes a secret key $k$ and a ciphertext $c$ as input and outputs the plaintext message such that $m = F(k, r) \oplus s$, where $s$ is the second element of $c = \langle r, s \rangle$.

Assumption 6.3.1.1. $F$ is a pseudorandom function such that for all polynomial-time adversaries $\mathcal{A}$, given that $\mathcal{F}_\lambda$ is the set of all functions that map $\lambda$-bit strings to $\lambda$-bit strings and $F \leftarrow \mathcal{F}_\lambda$ is uniformly chosen, we have

$$\left| \Pr\left[k \leftarrow \{0,1\}^\lambda : \mathcal{A}^{F(k,\cdot)} = 1\right] - \Pr\left[F \leftarrow \mathcal{F}_\lambda : \mathcal{A}^{F(\cdot)} = 1\right] \right| \le \mathrm{negl}. \tag{6.20}$$

In other words, Assumption 6.3.1.1 states that $F$ is a pseudorandom function if the difference between the probability of the experiment when $\mathcal{A}$ is given access to $F(k,\cdot)$ for a uniform $k$ and the probability of the experiment when $\mathcal{A}$ is given access to a uniformly chosen function $F(\cdot) \in \mathcal{F}_\lambda$ is negligible. Another way to describe the assumption is that there is an adversary $\mathcal{A}$ whose internal operation we do not know. However, we know that $\mathcal{A}$ has access to $F(k,\cdot)$ for a uniformly random $k$ and is able to provide inputs to it and receive outputs from it. Similarly, $\mathcal{A}$ is able to provide inputs to and receive outputs from $F(\cdot)$, where $F$ is uniformly chosen from $\mathcal{F}_\lambda$. The key point is that if $\mathcal{A}$ is not able to distinguish whether it is being given access to $F(k,\cdot)$ or $F(\cdot)$, then $F(k,\cdot)$ is a pseudorandom function. This notion is illustrated in Figure 6.1.

Figure 6.1: Indistinguishability experiment for pseudorandom function.

Theorem 6.3.1.1. If F is a pseudorandom function then Π is CPA-secure.

Proof. We start by considering the opposite of what the theorem states, that is, that $\Pi$ is not CPA-secure. We assume there exists a polynomial-time adversary $\mathcal{A}$ for which

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda) = 1\right] - \frac{1}{2} = \epsilon(\lambda), \tag{6.21}$$

where $\epsilon(\lambda)$ denotes a non-negligible quantity that is a function of the security parameter $\lambda$. Now we want to show that (6.21) violates Assumption 6.3.1.1. In order to do that, we will construct a polynomial-time adversary $\mathcal{B}$ that "breaks" $F$, that is, $\mathcal{B}$ succeeds in the pseudorandom function (PRF) experiment as per Assumption 6.3.1.1, in which $\mathcal{B}$ has oracle access to $F$. We associate the probability with which $\mathcal{B}$ breaks $F$ with the quantity $\epsilon(\lambda)$, and we will show that if $\epsilon(\lambda)$ is not negligible then the probability that $\mathcal{B}$ distinguishes $F$ from a random function is also non-negligible, which contradicts Assumption 6.3.1.1 and therefore indicates that $\Pi$ is indeed CPA-secure. We do not know anything about how $\mathcal{A}$ works internally. We only know that $\mathcal{A}$ is polynomial-time, and we assume that $\mathcal{A}$ is able to break $\Pi$ with non-negligible probability $\epsilon(\lambda)$. Yet, we want to construct $\mathcal{B}$ to break $F$ and use $\mathcal{A}$ as a subroutine. Since we want to construct an adversary $\mathcal{B}$ that uses $\mathcal{A}$ as a black box, we need to think about the interface of $\mathcal{A}$ and the interface of $\mathcal{B}$. Once again, the goal of $\mathcal{B}$ is

Figure 6.2: $\mathcal{A}$ as a subroutine of $\mathcal{B}$.

to distinguish $F(k,\cdot)$ from a random $F(\cdot)$. This means that we will design a $\mathcal{B}$ that will be given access to $\xi$, where $\xi \in \{F(k,\cdot), F(\cdot)\}$. Among other things, $\mathcal{B}$ will run $\mathcal{A}$ as a subroutine, which breaks $\Pi$. This means that $\mathcal{B}$ will have to provide an interface that matches the one that $\mathcal{A}$ expects, which is the following: recall the $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda)$ experiment. $\mathcal{A}$ outputs a pair of messages $m_0, m_1$ and it is given the challenge ciphertext $\mathrm{Enc}(k, m_b)$ for a uniform $b$. $\mathcal{A}$ has oracle access to the encryption algorithm, which allows it to send messages $m$ and receive $\mathrm{Enc}(k, m)$. Later in the experiment, $\mathcal{A}$ outputs a bit $b'$. Therefore, we fix some adversary $\mathcal{A}$ and we define $\mathcal{B}$ as follows:

1. $\mathcal{B}$ has access to the function $\xi$ and runs $\mathcal{A}$.

2. When $\mathcal{A}$ requests an encryption of a message $m_i$, $\mathcal{B}$ will choose a random $r_i \leftarrow \{0,1\}^\lambda$ and will query and obtain a value $y_i = \xi(r_i)$.

3. $\mathcal{B}$ returns a ciphertext $c_i = \langle r_i, y_i \oplus m_i \rangle$ to $\mathcal{A}$.

4. At some point during the execution of $\mathcal{A}$, $\mathcal{A}$ outputs a pair of messages $(m_0, m_1)$, which are the messages that are going to be used in the indistinguishability challenge. $\mathcal{B}$ will then proceed as follows:

(a) Choose a uniform bit $b \leftarrow \{0,1\}$;

(b) Choose a uniform $r^* \leftarrow \{0,1\}^\lambda$;

(c) Query $y^* \leftarrow \xi(r^*)$;

(d) Return $c^* = \langle r^*, y^* \oplus m_b \rangle$ to $\mathcal{A}$.

5. At some point, $\mathcal{A}$ outputs a bit $b'$ and the execution of $\mathcal{A}$ is done at that point. Then $\mathcal{B}$ outputs 1 if $b' = b$ and 0 otherwise.
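The scheme $\Pi$ of Section 6.3.1 and the reduction $\mathcal{B}$ defined in steps 1 to 5 above, as an added example that is not part of the dissertation. It assumes $\lambda = 128$ bits, uses HMAC-SHA256 truncated to $\lambda$ bits as a stand-in for the pseudorandom function $F$, and adds a constructed key-holding test adversary to check that, when $\xi = F(k,\cdot)$, $\mathcal{B}$'s interface reproduces the $\mathsf{PrivK}^{\mathsf{cpa}}$ experiment exactly.

```python
"""Added example (not from the dissertation): the PRF-based private-key
scheme Pi of Section 6.3.1 and the reduction B of Theorem 6.3.1.1's proof.
Assumptions: lambda = 128 bits; HMAC-SHA256 truncated to 16 bytes stands in
for F : {0,1}^lambda x {0,1}^lambda -> {0,1}^lambda."""
import hashlib
import hmac
import secrets

LAMBDA_BYTES = 16  # lambda = 128 bits; keys, nonces and messages are all this long


def prf(k: bytes, x: bytes) -> bytes:
    """F(k, x). Assumption: HMAC-SHA256 truncated to lambda bits as the PRF."""
    return hmac.new(k, x, hashlib.sha256).digest()[:LAMBDA_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length strings."""
    return bytes(u ^ v for u, v in zip(a, b))


def gen() -> bytes:
    """Gen(1^lambda): uniform key k in {0,1}^lambda."""
    return secrets.token_bytes(LAMBDA_BYTES)


def enc(k: bytes, m: bytes) -> tuple:
    """Enc(k, m): pick uniform r, output <r, F(k, r) xor m>."""
    r = secrets.token_bytes(LAMBDA_BYTES)
    return r, xor(prf(k, r), m)


def dec(k: bytes, c: tuple) -> bytes:
    """Dec(k, <r, s>) = F(k, r) xor s."""
    r, s = c
    return xor(prf(k, r), s)


def random_function_oracle():
    """A uniformly chosen F in F_lambda, sampled lazily: every fresh input gets
    an independent uniform lambda-bit output, repeated inputs get the same one."""
    table = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(LAMBDA_BYTES)
        return table[x]

    return f


def reduction_b(xi, adversary) -> int:
    """B, steps 1-5: given an oracle xi in {F(k,.), F(.)}, run A, answer its
    encryption queries with <r_i, xi(r_i) xor m_i>, build the challenge
    <r*, xi(r*) xor m_b> for a uniform b, and output 1 iff A's guess b' == b."""

    def enc_oracle(m: bytes) -> tuple:              # steps 2 and 3
        r_i = secrets.token_bytes(LAMBDA_BYTES)
        return r_i, xor(xi(r_i), m)

    m0, m1 = adversary.choose(enc_oracle)           # step 4
    b = secrets.randbelow(2)                        # step 4(a)
    r_star = secrets.token_bytes(LAMBDA_BYTES)      # step 4(b)
    y_star = xi(r_star)                             # step 4(c)
    c_star = (r_star, xor(y_star, (m0, m1)[b]))     # step 4(d)
    b_prime = adversary.guess(enc_oracle, c_star)   # step 5
    return 1 if b_prime == b else 0


class KeyHoldingAdversary:
    """Constructed test adversary: it is handed k, so it wins PrivK^cpa with
    certainty. If B simulates Pi perfectly when xi = F(k,.), B must output 1."""

    def __init__(self, k: bytes):
        self.k = k
        self.m0 = bytes(LAMBDA_BYTES)
        self.m1 = b"\xff" * LAMBDA_BYTES

    def choose(self, enc_oracle):
        enc_oracle(b"A" * LAMBDA_BYTES)             # exercise the oracle interface
        return self.m0, self.m1

    def guess(self, enc_oracle, c_star) -> int:
        return 0 if dec(self.k, c_star) == self.m0 else 1


def scheme_roundtrip(m: bytes) -> bool:
    """Correctness of Pi, and that Enc is randomized (two ciphertexts differ)."""
    k = gen()
    c1, c2 = enc(k, m), enc(k, m)
    return dec(k, c1) == m and dec(k, c2) == m and c1 != c2


def b_wins_with_real_prf() -> int:
    """B with xi = F(k,.) and the key-holding A: always returns 1, the
    per-adversary instance of Pr[B -> 1 | F(k,.)] = Pr[PrivK = 1]."""
    k = gen()
    return reduction_b(lambda r: prf(k, r), KeyHoldingAdversary(k))
```

With `random_function_oracle()` in place of `F(k,·)`, the same `reduction_b` runs the other branch of the PRF experiment, where the challenge is a one-time pad unless `r*` repeats a queried `r_i`.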

Notice that when $\xi(\cdot) = F(k,\cdot)$, the view of $\mathcal{A}$ running as a subroutine of $\mathcal{B}$ is identical to the view of $\mathcal{A}$ running in the $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda)$ experiment, since if $\xi(\cdot) = F(k,\cdot)$ for a uniform $k$, every time $\mathcal{A}$ outputs a message $m_i$ it receives back a ciphertext of the form $\langle r_i, y_i \oplus m_i \rangle$, where $r_i$ is uniform and $y_i \oplus m_i = F(k, r_i) \oplus m_i$. Since our goal is to show that $\mathcal{B}$ can break the pseudorandomness of $F$, we want to analyze the probability that $\mathcal{B}$ outputs 1 when it is given access to $F(k,\cdot)$ for a uniform $k$, and we claim that this probability is exactly equal to the probability that $\mathcal{A}$ succeeds in the $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda)$ experiment, such that

$$\Pr\left[k \leftarrow \{0,1\}^\lambda : \mathcal{B}^{F(k,\cdot)} = 1\right] = \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda) = 1\right]. \tag{6.22}$$

The notion represented in (6.22) follows the idea that $\mathcal{B}$ is perfectly simulating the encryption scheme $\Pi$. Now we want to analyze the probability that $\mathcal{B}$ outputs 1 when $\mathcal{B}$ is given access to $F(\cdot)$, where $F$ is uniformly chosen from $\mathcal{F}_\lambda$. In this case, according to the description of the execution of $\mathcal{B}$, either $r^*$ will be equal to or completely distinct from any used value $r_i$. If $r^*$ is not equal to any other used value $r_i$, then since $y^* \leftarrow \xi(r^*)$ and $\xi(\cdot) = F(\cdot)$, $y^*$ will be uniform and independent of everything else in the experiment. Therefore, the ciphertext that is returned to $\mathcal{A}$ is going to contain $r^*$, which has no information about the message that was encrypted, together with a uniform string $y^* \oplus m_b$ that is equivalent to the one-time pad. Thus, no matter what $\mathcal{A}$ does, it will not be possible to correctly guess $b$ with probability any better than $1/2$. Therefore, $\Pr[b' = b] = 1/2$, which is the same as saying that the probability that $\mathcal{B}$ outputs 1 is $1/2$. Whenever $r^*$ is equal to any previously used value $r_i$, the probability that $\mathcal{B}$ outputs 1 is upper-bounded by 1. Then we see that the probability that $\mathcal{B}$ outputs 1 is affected by whether $r^*$ repeats some previously used value $r_i$ or not. If we denote the event where $r^*$ repeats a value by $\mathsf{Repeat}$, and $\overline{\mathsf{Repeat}}$ the event that $r^*$ does not repeat any value, then, based on what we just discussed, we can write that $\Pr[b' = b \mid \mathsf{Repeat}] \le 1$ and $\Pr[b' = b \mid \overline{\mathsf{Repeat}}] = 1/2$. We know that there are $2^\lambda$ possible values for $r^*$ and we know that $\mathcal{B}$ runs in polynomial time, which means that there can only be polynomially many queries of $r_i$. If we let all the executed queries be denoted by $\{r_1, \ldots, r_q\}$, then the probability that some $r^*$ will repeat some previously used value $r_i$ is $q(\lambda)/2^\lambda$. Then we can write the following:

$$\begin{aligned}
\Pr\left[F \leftarrow \mathcal{F}_\lambda : \mathcal{B}^{F(\cdot)} = 1\right]
&= \Pr[b' = b \mid \mathsf{Repeat}] \cdot \Pr[\mathsf{Repeat}] + \Pr[b' = b \mid \overline{\mathsf{Repeat}}] \cdot \Pr[\overline{\mathsf{Repeat}}] \\
&\le 1 \cdot \Pr[\mathsf{Repeat}] + \frac{1}{2} \\
&\le \frac{q(\lambda)}{2^\lambda} + \frac{1}{2}.
\end{aligned} \tag{6.23}$$

Now, we refer to Assumption 6.3.1.1: since $F$ is a pseudorandom function and $\mathcal{B}$ is polynomial-time, then

$$\left| (6.22) - (6.23) \right| \le \mathrm{negl}(\lambda), \tag{6.24}$$

which implies that

$$(6.22) \le (6.23) + \mathrm{negl}(\lambda), \tag{6.25}$$

which tells us that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda) = 1\right] \le \frac{1}{2} + \frac{q(\lambda)}{2^\lambda} + \mathrm{negl}(\lambda). \tag{6.26}$$

Since $q(\lambda)$ is polynomial and $2^\lambda$ is exponential, $q(\lambda)/2^\lambda + \mathrm{negl}(\lambda)$ is negligible, and we conclude that the probability that $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(\lambda)$ succeeds is $1/2 + \mathrm{negl}(\lambda)$.

6.3.2 Weaker Version of our Scheme

Now we discuss the security of our construction. Our encryption scheme relies on the approximate-gcd problem, which has been discussed in detail in [135, 243–245]. In this section, we analyze several known attacks discussed by Dijk et al. against our construction. In order to explain our final design choices, we first introduce a weaker version of our scheme, which helps us highlight the key security elements of our final construction.


Definition 6.3.2.1. (Weaker Scheme) The weaker Leveled FHE scheme is given as follows:

• Gen takes $1^\lambda$ and $1^d$ as input and, having a fixed positive integer $r$, the $\lambda$-bit primes $p_1, p_2, p_3$, the $d(6\lambda r - 2\lambda)$-bit prime $p_4$, and the $2\lambda$-bit prime $p_5$ are uniformly chosen; $g$ is defined as $g = \prod_{i=1}^{5} p_i$, such that $sk = (p_1, p_4)$ and $evk = g$.

• Enc takes $sk$, $evk$, and a message $m$ as arguments, generates 2 uniform random values $s_1, s_2$ such that $s_i \leftarrow \{0, \ldots, p_1 - 1\}$, and computes

$$\alpha = H_g^{-1}\left((p_1, p_2, p_3), (m, s_1, s_2)\right), \qquad c = H(p_4, \alpha). \tag{6.27}$$

• Dec takes $sk$ and $c$ as arguments and outputs $m$ such that

$$m = H\left(p_1, H^{-1}(p_4, c)\right). \tag{6.28}$$

• Eval is identical to the description in Section 6.2.1.

6.3.3 Factorization Attacks

The most obvious attacks against the scheme are those based on factorization. In fact, a total break of the scheme is given by the factorization of $p_1$ and $p_4$ from $g$. However, for sufficiently large individual prime factors of $g$ ($\ge 768$ bits), known attacks are unsuccessful [7–9].

6.3.3.1 Instance With One Prime

Our scheme, as described in Section 6.2.1, uses five secret odd prime numbers. Why do we need five primes? Could we implement the FHE scheme with fewer primes? We now investigate the implications of having fewer primes in our configuration. Recall that Hensel codes can be described as an isomorphic mapping between the set of order-$N$ Farey fractions (for any given $N$) and a set of corresponding integers through one or more prime numbers. If a single prime number is in place, then our encryption is deterministic, which means that if a message $m$ is encrypted multiple times it will always generate the same ciphertext. As discussed by Rivest et al. in [246], a randomized encryption has the potential of achieving greater cryptographic security than deterministic encryptions, which can lead to the elimination of threats of chosen-plaintext attacks and the improvement


of the a priori statistics for the inputs of the encryption functions. Thus working with one prime is not a valid option.

6.3.3.2 Instance With Two Primes - Option 1

In this first option of an instance with two primes we will place the message as the second Hensel code digit in the first step of the encryption process. In order to understand the configuration selected in this first option, consider the following:

1. Having two primes involved in the encryption process allows us to use one random value in the first step of the encryption process, which allows us to randomize the entire encryption;

2. The encryption function consists of two steps, and given the selected blueprint we need to repeat one of the primes in the second step, since we are committed to using only two primes;

3. The repetition of one of the primes is only possible if we scale that prime by raising it to the power of r.

Below we discuss the issues of this approach. Given $p_1, p_2 \in \mathcal{P}$, $g = p_1 p_2^r$, $N = \left\lfloor \sqrt{p_2^r / 2} \right\rfloor$, two random numbers $s_1, s_2$

Thus the prime numbers are retrieved with the knowledge of m, c1, c2 and g. Additionally, the encryption of zero yields a ciphertext equal to zero, such that

$$\alpha = H_g^{-1}\left((p_1, p_2), (s_1, 0)\right) = 0, \qquad c = H(p_2^r, \alpha) = 0. \tag{6.32}$$

The reason the encryption of zero yields an α = 0 and thus a c = 0 is found in the multiple inverse Hensel code mapping (Definition 4.1.2.5). Recall that the first step of the multiple decoding process is:

$$z = \left( \sum_{i=1}^{2} \frac{g}{p_i} \left( \left(\frac{g}{p_i}\right)^{-1} \bmod p_i \right) h_i \right) \bmod g, \tag{6.33}$$

which for two primes $p_1, p_2$ and two Hensel codes $h_1, h_2$ can be written as

$$z = \left( \frac{g}{p_1} \left( \left(\frac{g}{p_1}\right)^{-1} \bmod p_1 \right) h_1 + \frac{g}{p_2} \left( \left(\frac{g}{p_2}\right)^{-1} \bmod p_2 \right) h_2 \right) \bmod g, \tag{6.34}$$

or yet

$$z = \left( p_2 \left( p_2^{-1} \bmod p_1 \right) h_1 + p_1 \left( p_1^{-1} \bmod p_2 \right) h_2 \right) \bmod g. \tag{6.35}$$

It is clear that if either $h_1$ or $h_2$ is zero, the answer $z$ will be a multiple of either $p_1$ or $p_2$. Since $g$ is a multiple of both $p_1$ and $p_2$, $\gcd(g, z)$ will be either $p_1$ or $p_2$. The decoding process (described in Definition 4.1.2.1) will receive $g$ and $z$ as arguments and will subsequently compute the remainder of $g$ and $z$, which will eventually yield zero. We will now show an example of the multiple inverse Hensel code mapping where the message is placed as the first code for generating $\alpha$:

Example 6.1 We want to compute

$$\alpha = H_g^{-1}\left((p_1, p_2), (m, s_1)\right) \tag{6.36}$$

for $p_1 = 241$, $p_2 = 251$, $g = p_1 p_2 = 60491$, $m = 0$ and $s_1 = 101$.

The first step is to calculate $z$ as follows:

$$\begin{aligned}
z &= \left( p_2 \left( p_2^{-1} \bmod p_1 \right) m + p_1 \left( p_1^{-1} \bmod p_2 \right) s_1 \right) \bmod g \\
&= \left( 251 \cdot 217 \cdot 0 + 241 \cdot 25 \cdot 101 \right) \bmod 60491 \\
&= 3615
\end{aligned} \tag{6.37}$$

and we clearly see that $p_2 \left( p_2^{-1} \bmod p_1 \right) m = 0$; thus $z = p_1 \left( p_1^{-1} \bmod p_2 \right) s_1 \bmod g$, from which it is also clear that $z$ is a multiple of $p_1$. So now we have $g = 60491$ and $z = 3615$.

We calculate $H^{-1}(g, z)$, and we see in Definition 4.1.2.1 that the numerator is computed through subsequent remainder calculations while the value of $a_i > \sqrt{g/2}$. Since the numerator is the last computed value for $a_i$, we can show that in this example it will be equal to zero. Since 0 divided by anything other than 0 is just 0, the answer is 0. Thus Option 1 for two primes is not a valid one.
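Example 6.1 carried out in code, as an added example that is not part of the dissertation: the CRT step (6.33) and the EEA-based decoding described for Definition 4.1.2.1, with the Farey bound assumed to be $N = \lfloor \sqrt{(g-1)/2} \rfloor$ and the denominator $b_i$ left unchecked, as in the page's description. It also runs the three-distinct-prime configuration of Section 6.3.3.5 on a constructed third prime (257) and constructed random digits, to show that the zero message then yields a non-zero $\alpha$ whose numerator is still a multiple of $p_1$.

```python
"""Added example (not from the dissertation): the two-step Hensel code
mapping of Section 6.3.3 on the toy parameters of Example 6.1."""
from fractions import Fraction
from math import isqrt


def hensel_encode(p: int, a: int, b: int) -> int:
    """H(p, a/b) = a * b^{-1} mod p; b must be invertible modulo p."""
    return a * pow(b, -1, p) % p


def crt_combine(primes, digits) -> int:
    """First step of the multiple inverse mapping, eq. (6.33):
    z = ( sum_i (g/p_i) * ((g/p_i)^{-1} mod p_i) * h_i ) mod g."""
    g = 1
    for p in primes:
        g *= p
    z = 0
    for p, h in zip(primes, digits):
        q = g // p
        z += q * pow(q, -1, p) * h
    return z % g


def farey_decode(g: int, z: int):
    """Second step, following the page's description of Definition 4.1.2.1:
    run the extended Euclidean algorithm on (g, z) and stop at the first
    remainder a_i <= N.  Returns (a_i, b_i) with a_i = b_i * z (mod g).
    Assumption: N = floor(sqrt((g - 1) / 2)).  b_i is deliberately not
    range-checked, exactly as the page describes, so a z that is a multiple
    of a prime factor of g can decode to the fraction 0/b."""
    n = isqrt((g - 1) // 2)
    a_prev, a_cur = g, z
    b_prev, b_cur = 0, 1
    while a_cur > n:
        q = a_prev // a_cur
        a_prev, a_cur = a_cur, a_prev - q * a_cur
        b_prev, b_cur = b_cur, b_prev - q * b_cur
    return a_cur, b_cur


def example_6_1():
    """Example 6.1: p1 = 241, p2 = 251, m = 0 as the first digit, s1 = 101.
    Returns (z, alpha, c): z = 3615, alpha = 0 and, as in eq. (6.32) with
    r = 1, the ciphertext c = H(p2^r, alpha) = 0."""
    p1, p2, r = 241, 251, 1
    m, s1 = 0, 101
    z = crt_combine((p1, p2), (m, s1))
    a, b = farey_decode(p1 * p2, z)
    alpha = Fraction(a, b)
    c = hensel_encode(p2 ** r, alpha.numerator, alpha.denominator)
    return z, alpha, c


def three_primes_zero_message(s1: int, s2: int):
    """Section 6.3.3.5, eqs. (6.40)-(6.42): three distinct primes and m = 0.
    p3 = 257 is a constructed value.  Returns (z, a, b): z is still a
    multiple of p1, but the decoded alpha = a/b is now non-zero because the
    EEA remainders (all multiples of p1 = 241) reach 241 <= N before 0."""
    primes = (241, 251, 257)
    g = primes[0] * primes[1] * primes[2]
    z = crt_combine(primes, (0, s1, s2))
    a, b = farey_decode(g, z)
    return z, a, b
```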

6.3.3.3 Instance With Two Primes - Option 2

If we change the configuration in Option 1 by swapping the order of $s_1$ and $m$, so that $m$ is now the first parameter, we eliminate the issues in (6.31); however, we still have the issue in (6.32). Thus Option 2 for two primes is not a valid one.

6.3.3.4 Instance With Three Primes - Option 1

If we decide to use three primes without repeating any prime, that is, two primes for the first step and the third prime for the second step, we still deal with the problem of encrypting zero, as seen in (6.32), no matter which position the message is placed in. Thus Option 1 for three primes is not a valid one.

6.3.3.5 Instance With Three Primes - Option 2

If we decide to use three primes and repeat the use of one of these primes, that is, three primes for the first step and a repeated and scaled prime for the second step, such that

$$\alpha = H_g^{-1}\left((p_1, p_2, p_3), (m, s_1, s_2)\right), \qquad c = H(p_3^r, \alpha), \tag{6.38}$$

we eliminate the problem of encrypting zero and obtaining zero as a ciphertext. The first step of the multiple inverse Hensel code mapping is to calculate $z$ such that

$$z = \left( \sum_{i=1}^{3} \frac{g}{p_i} \left( \left(\frac{g}{p_i}\right)^{-1} \bmod p_i \right) h_i \right) \bmod g. \tag{6.39}$$

If $m = 0$, it is clear that $z$ is now the same as

$$z = \left( \sum_{i=2}^{3} \frac{g}{p_i} \left( \left(\frac{g}{p_i}\right)^{-1} \bmod p_i \right) h_i \right) \bmod g \ne 0 \tag{6.40}$$

given that $s_1$ and $s_2$ are non-zero random values. In the second step of the multiple inverse Hensel code mapping, $z$ is decoded as

$$\alpha = H^{-1}(g, z), \tag{6.41}$$

which is a valid non-zero order-$N$ Farey fraction. Although it is true that, if two different zero messages are encoded, generating $z_1$ and $z_2$, the following holds,

$$\gcd(z_1, z_2) = p_1, \tag{6.42}$$

it is also true that $p_4$ has no relationship with the way $z_1$ and $z_2$ were computed; when the corresponding $\alpha_1, \alpha_2$ are encoded as $c_1$ and $c_2$ through $p_4$, the zero message has no meaningful relationship with $c_1$ and $c_2$. However, as shown in (6.38), it breaks homomorphism. This happens because in the second step we repeat one prime used in the first step, and by repeating a prime we violate one of the fundamental Hensel code premises, which is the use of distinct primes for the Hensel code computation [80, 93, 122, 247, 248].

As we see in (6.38), $\alpha$ is associated with a 3-digit Hensel code through $p_1$, $p_2$ and $p_3$. If a fourth distinct prime number were used to encode $\alpha$ in the second step, then the 3-digit Hensel code associated with $\alpha$ would be encoded with a distinct (and large enough) prime number that would preserve the original mapping. Objectively speaking, encoding $\alpha$ with a prime repeated from the original mapping that generated $\alpha$ will preserve only the single-digit Hensel code that is common to $\alpha$ and $c$. Thus repeating a prime is not a strategy that will work if one cares about homomorphism, which makes Option 2 for three primes also invalid.

6.3.3.6 Instance With Four Primes

Given $p_1, p_2, p_3 \in \mathcal{P}_\lambda$ and $p_4 \in \mathcal{P}_{r\lambda}$, the encryption is given by

$$\alpha = H_g^{-1}\left((p_1, p_2, p_3), (m, s_1, s_2)\right), \qquad c = H(p_4, \alpha). \tag{6.43}$$

Notice that we still eliminate the problem of encrypting zero (as seen in Section 6.3.3.5), with the difference that now we preserve homomorphism since we use only distinct primes in both steps. Since all Hensel code digits in $\alpha$ are being encoded with a distinct prime number, it does not matter where we place the message $m$ for generating $\alpha$. Thus, if we repeat the experiment in (6.29) and (6.30), such that

$$\alpha_1 = H_g^{-1}\left((p_1, p_2, p_3), (m, s_{11}, s_{21})\right), \qquad c_1 = H(p_4, \alpha_1) \tag{6.44}$$

and

$$\alpha_2 = H_g^{-1}\left((p_1, p_2, p_3), (m, s_{21}, s_{22})\right), \qquad c_2 = H(p_4, \alpha_2), \tag{6.45}$$

we observe the following:

$$\gcd(c_1 - m, g) = \gcd(c_2 - m, g) = \gcd(c_1 - c_2, g) = 1. \tag{6.46}$$

We see that (6.46) does not reveal $p_4$ (or any other prime involved in the encryption). Even if it were possible to retrieve $p_4$, one would still need to know at least $p_1$ to retrieve the message $m$. Thus, it is our intent to force an attacker to solve for both $p_1$ and $p_4$ in order to be able to break the scheme.

6.3.3.7 Instance With Five Primes

There are cases where $\alpha$ can be recovered from $c$ using $g$, depending on the sizes of the prime numbers in $g$. For this reason, we add a fifth prime $p_5$ with the same bit length as $p_4$, so $g$ is then defined as $g = \prod_{i=1}^{5} p_i$. The purpose of $p_5$ is to "hide" the exact size of the mapping we are establishing between order-$N$ Farey fractions and their corresponding Hensel codes.

6.3.4 Solving for p4

A much more viable option is to reduce breaking the scheme to solving for $p_4$. We know that given a ciphertext $c$, there is an order-$N$ Farey fraction $a/b$ such that

$$c \equiv a b^{-1} \bmod p_4, \tag{6.47}$$

$$m \equiv a b^{-1} \bmod p_1. \tag{6.48}$$

Therefore, if one can solve for $p_4$ then, with high probability, one can also solve for $p_1$, since $\gcd(bm - a, g) = p_1$. Notice that modular equations of the form (6.47) can be represented as linear Diophantine equations, where $d = cb = kp + a$. Thus, we consider the approximate-gcd instance $\{d_1, \ldots, d_t\}$ in order to solve for $p_4$.

Next, we discuss known attacks on the approximate gcd problem, including the gcd between two numbers, continued fractions, Howgrave-Graham's lattice attack, and a lattice-based approach to the simultaneous Diophantine approximation [249].

6.3.5 GCD of Two Numbers

The simplest gcd attack is to guess $a_1$ and $a_2$, and verify the guess through a gcd computation. The first step of the attack is to select $a_1', a_2' \in (-2^\rho, 2^\rho)$, where $\rho$ is the bit length of $a_1$ and $a_2$. Next, create an approximation for $d_1$ and $d_2$ such that $d_1' = d_1 - a_1'$ and $d_2' = d_2 - a_2'$. Remember that $p_4$ has a bit length of $d(6\lambda r - 2\lambda)$ bits. Therefore, if $\rho \ll d(6\lambda r - 2\lambda)$, $p_4$ can surely be found with this approach. The run-time for the attack is approximately $2^{2\rho}$ [135]. In order to avoid the attack, the bit length $\rho$ can be increased or the parameters $d$, $r$, and $\lambda$ can be adjusted such that $\rho \not\ll d(6\lambda r - 2\lambda)$. An alternative brute force approach is to factor $d_1'$ and check if any factor is the same length as $p_4$. If $d_2$ is also divisible by the selected factor, one has recovered $p_4$. The run-time for the attack depends on the chosen factoring algorithm. The run-time using Lenstra's elliptic curve factoring algorithm [8] for the constructed scheme is approximately $\exp\left(O\left(\sqrt{d(6\lambda r - 2\lambda)}\right)\right)$.

6.3.5.1 Continued Fractions

Another approach to the approximate gcd problem is the use of continued fractions to recover $p_4$ from $d_1$ and $d_2$. Continued fractions give a list of convergent pairs $(m_i, n_i)$ for a rational number $d_1/d_2$ such that $|d_1/d_2 - m_i/n_i| < 1/n_i^2$. Consider the instance where $k_i \gg p_4 > \rho$: the bit lengths for $d_i$ will be approximately the same as $k_i$. Thus, $k_1/k_2$ becomes a good approximation for $d_1/d_2$, and an attacker can attempt to find the $(k_1, k_2)$ pair in the sequence of convergents. Then $p_4$ is given by $p_4 = d_1/k_1$. However, with the chosen parameters, the difference $|d_1/d_2 - k_1/k_2|$ is not small enough to satisfy the condition for $k_1/k_2$ to be a convergent of $d_1/d_2$:

$$\frac{d_1}{d_2} - \frac{k_1}{k_2} = \frac{k_1 p_4 + a_1}{k_2 p_4 + a_2} - \frac{k_1}{k_2} = \frac{k_2 a_1 - k_1 a_2}{k_2 (k_2 p_4 + a_2)} \approx \fr{k_2 a_1 - k_1 a_2}{p_4} \cdot \frac{1}{k_2^2}. \tag{6.49}$$

Observe that as long as $|(k_2 a_1 - k_1 a_2)/p_4| > 1$, the difference $|d_1/d_2 - k_1/k_2|$ does not satisfy the condition for $k_1/k_2$ to be a convergent of $d_1/d_2$. In other words, $|(k_2 a_1 - k_1 a_2)/p_4| > 1$ gives $|d_1/d_2 - k_1/k_2| > 1/k_2^2$, and the continued fraction approach does not work on the scheme.

6.3.5.2 Howgrave-Graham’s Lattice Attack

One more attack using only two integer instances is Howgrave-Graham's [250] lattice attack for finding small solutions to univariate and bivariate modular equations with Coppersmith's algorithm. When $p_4$ is a factor of $d_1$, the attack solves for $p_4$ under the condition that $\rho/\delta < (d(6\lambda r - 2\lambda))^2$, where $\delta$ denotes the bit length of $g$.

6.3.6 Lattice Reduction for Approximate GCD of Multiple Numbers

The final technique discussed by Van Dijk et al. [135] follows Lagarias' algorithm for the simultaneous Diophantine approximation [249], which accounts for more than two integer instances. Given $t$ samples, for all $i$ it holds that $d_i/d_1 = (k_i + \epsilon)/k_1$, where $|\epsilon| \approx 2^{d(6\lambda r - 2\lambda) - \rho}$. An estimation of $k_1$ is obtained by constructing the lattice

$$L = \begin{pmatrix}
2^{\rho} & d_2 & d_3 & \cdots & d_t \\
 & -d_1 & & & \\
 & & -d_1 & & \\
 & & & \ddots & \\
 & & & & -d_1
\end{pmatrix}. \tag{6.50}$$

The target vector $v = \langle k_1, k_2, \ldots, k_t \rangle \cdot L$ has a first entry of $k_1 2^\rho$ with bit length $2\rho$. Since the size of $k_i \approx \rho$, the target solution is in fact the first entry of the vector, and $k_1$ is obtained by dividing the first entry $2^\rho k_1$ by $2^\rho$. Then $p_4'$ can be computed since $a_1 \equiv d_1 \bmod k_1$ and $p_4' = (d_1 - a_1)/k_1$. All other entries of the vector are of the form $k_1 d_i - k_i d_1$ and have a bit size of $\rho + d(6\lambda r - 2\lambda)$. According to Minkowski's theorem [194], $L$ has a nonzero vector of length at most

$$\lambda_1(L) \le \sqrt{t+1} \cdot \Delta(L)^{1/(t+1)} < \sqrt{t+1} \cdot 2^{\left(\rho + t\, d(6\lambda r - 2\lambda)\right)/(t+1)}, \tag{6.51}$$

which is longer than the target solution, and lattice reduction will easily find the solution.

6.3.7 A Two-Stage Lattice Attack on the Weaker Construction

We now show that a two-stage lattice attack [251] succeeds against the weaker construction. The first stage obtains approximations for a list of $b_i$'s that are then used in the second stage to solve for $p_4$. Recall that the bit length for $p_1$, $p_2$, and $p_3$ is $\lambda$ bits. Since the $a_i$'s and $b_i$'s are obtained through encoding modulo $p_1$, $p_2$, and $p_3$, we know that the bit length for the $a_i$'s and $b_i$'s satisfies $|a_i|, |b_i| \le N \le \sqrt{\lambda \cdot \lambda \cdot \lambda} \approx 2^{1.5\lambda}$ (from Definition 4.1.2.2). We also know that $k_i = (b_i c_i - a_i)/p_4$, and because $c_i$ has a bit length approximately equal to $p_4$, the bit length of the $k_i$ is roughly the length of $b_i \approx 1.5\lambda$. Now, we start with two ciphertexts $c_1$ and $c_i$ such that

$$b_1 c_1 = a_1 + k_1 p_4, \qquad b_i c_i = a_i + k_i p_4. \tag{6.52}$$

Multiplying the first equation by ki and the second by k1 gives

$$k_i b_1 c_1 = k_i a_1 + k_i k_1 p_4, \qquad k_1 b_i c_i = k_1 a_i + k_i k_1 p_4. \tag{6.53}$$

Then, subtracting the second equation from the first yields

$$k_i b_1 c_1 - k_1 b_i c_i = k_i a_1 - k_1 a_i, \tag{6.54}$$

where we have a small unknown linear combination of c1 and ci. The linear combination can be found through reduction on the following lattice

$$L = \begin{pmatrix} c_1 & 1 & 0 \\ c_i & 0 & 1 \end{pmatrix}, \tag{6.55}$$

which contains the vector $(k_i a_1 - k_1 a_i,\ k_i b_1,\ -k_1 b_i)$. Minkowski's theorem shows that the desired vector is in fact one of the shortest vectors in the lattice [194]. We repeat the process for $t$ pairs of ciphertexts $(c_1, c_2), (c_1, c_3), \ldots, (c_1, c_t)$ to obtain the list $b_1 k_2, b_1 k_3, \ldots, b_1 k_t$. Then, with high probability, the value of $b_1$ can be found by taking the gcd of the entire list of $b_1 k_i$'s. After completing the first stage, we have an approximation for $d_1$, which can be generalized to find any $d_i$. The approximations for $d_i$ form instances of the approximate gcd problem, where $d_i = k_i p_4 + a_i$, and the $a_i$'s and $k_i$'s are small in bit length in comparison with $p_4$. Due to the small bit length of $a_i$ compared to $p_4$, we have

$$\frac{d_i}{d_1} = \frac{k_i + \epsilon}{k_1}, \tag{6.56}$$

for all $\epsilon$ of the order $a_i/(k_i p_4)$.

An approximation of k1 is obtained by constructing the lattice

$$L = \begin{pmatrix}
2^{1.5\lambda} & d_2 & d_3 & \cdots & d_t \\
 & -d_1 & & & \\
 & & -d_1 & & \\
 & & & \ddots & \\
 & & & & -d_1
\end{pmatrix}, \tag{6.57}$$

finding its shortest vector, whose first entry is $2^{1.5\lambda} k_1$, and then dividing the shortest vector by $2^{1.5\lambda}$ in order to obtain $k_1$. Then $p_4'$ can be computed since $a_1 \equiv d_1 \bmod k_1$ and $p_4' = (d_1 - a_1)/k_1$. If $p_4' \ne p_4$, then $p_4'$ is a very good approximation of $p_4$, and $p_4$ can be recovered by iterating $\gcd(p_4' + i, g)$ over $i$ (over a range a few bits below and above) until we find the $p_4' + i$ such that $\gcd(p_4' + i, g) \ne 1$. Then, $p_4$ is exactly recovered.

6.3.8 Attacking the Stronger Construction

Now we discuss the security of the construction described in Section 6.2.1. The fundamental change between the weaker and the stronger construction is in the Gen algorithm, where $p_5$ now has the same bit length as $p_4$, and in Enc, which now outputs evaluated ciphertexts of the same bit length as $g$. The following facts apply to the stronger construction: for all $m \in \mathcal{P}$ and all $c \leftarrow \mathrm{Enc}(sk, evk, m)$,

• $c = (a + k p_4)/b$, $m = (a + k p_1)/b$, $d = cb = a + k p_4$;

• The bit length of $p_5$ is the same as that of $p_4$;

• The bit length of $c$ is roughly the same as the bit length of $g$, that is, $\delta = 4\lambda + 2d\lambda(6r - 2) - 1$ such that $p_4$

• $a, b \in (-2^\rho, 2^\rho)$, $\rho = d\lambda(3r - 1)$;

• $k \in (-2^\tau, 2^\tau)$, $\tau = 4\lambda + d\lambda(9r - 3)$;

• The ciphertexts output by Enc are indistinguishable from the ciphertexts output by Eval.

6.3.8.1 Reviewing the Known Attacks

• GCD of two numbers: the brute-force approach discussed in Section xxx is still not a viable option, since the runtime for that attack is roughly $2^{2\sigma}$ and in the stronger construction the size of $\sigma$ has significantly increased, going from $1.5\lambda$ to $2\lambda r + d + 1$.

• Continued fractions: the attack using continued fractions is also not a viable solution, since the target pair $k_1/k_2$ is still not a convergent of $d_1/d_2$, as shown by (6.49).

• SDA via two-stage lattice attack: the two-stage lattice attack remains the best option for solving for $p_4$ out of the discussed attacks; however, we now show how the new size of $p_5$, in conjunction with the evaluation of ciphertexts inside Enc, impacts this attack.

6.3.8.2 Reviewing the Two-Stage Lattice Attack

In Section 6.3.7, we showed that the weaker scheme is not secure against Lagarias' SDA attack. The attack succeeded because the size of the $k_i$'s was too small compared to $p_4$, that is, the bit length of the $k_i$'s was roughly $1.5\lambda$ while $p_4$ has bit length $d(6\lambda r - 2\lambda)$. In the stronger construction, due to the bit length of $p_5$ being the same as that of $p_4$, in conjunction with the series of consecutive evaluations that results in the ciphertext output by Enc, the $k_i$'s now have bit length $4\lambda(r - 1) + d(6\lambda r - 2\lambda)$, which is much larger than the length of $p_4$. Dijk et al. in [135] remark that increasing the size of $k_i$ compared to $p_4$ will prevent the target solution from being the shortest vector in small lattices. Conversely, the target vector is likely to be the shortest vector in larger lattices, but known lattice reduction algorithms are not efficient for large lattice dimensions. In general, lattice reduction algorithms require time $2^{t/k}$ to yield a $2^k$ estimation of the shortest vector. For the stronger scheme, not only are the bit lengths of the $k_i$'s much larger than the length of $p_4$, but also each ciphertext $c$ has the same bit length as $g$, which is $\delta$. The first entry of the vector $v = \langle k_0, k_1, \ldots, k_t \rangle \cdot L$ is of size $2^{\delta - d(6\lambda r - 2\lambda)}$, and all other entries are of size $2^{2\delta - d(6\lambda r - 2\lambda)}$. From Minkowski's theorem, the longest entry found through lattice reduction on $L$ is $\sqrt{t-1} \cdot 2^{(\rho + t\delta)/(t+1)}$, which is shorter than the target solution when $t + 1 < \delta / d(6\lambda r - 2\lambda)$. From [135] we learn that setting $\delta / (d(6\lambda r - 2\lambda))^2 = \omega(\log \lambda)$ foils this type of attack.

6.3.9 Proof of Security

Now we discuss the security of our encryption scheme. We start by defining our instance of the approximate-gcd problem. For convenience, we present Table 6.1 as a summary of the lengths of the elements of interest in our encryption scheme.

Element       Size in bits
p1, p2, p3    λ
p4, p5        dλ(6r − 2)
g             δ = 4λ + 2dλ(6r − 1)
a, b          ρ = dλ(3r − 1)
c             δ = 4λ + 2dλ(6r − 2)
cb            σ = 4λ + dλ(15r − 3)
k             τ = 4λ + dλ(9r − 3)

Table 6.1: Bit length of elements of interest.

Let $r = (\log_2 \lambda)/2$ and let $\mathcal{P}_n$ denote the set of all $n$-bit primes. Recall that $\tau(\lambda) = 4\lambda + d\lambda(9r - 3)$, $\delta(\lambda) = 4\lambda + 2d\lambda(6r - 2)$, and $\sigma(\lambda) = d\lambda(3r - 1)$. Recall also that $1^\lambda$ is the security parameter and $1^d$ is the additional parameter that Gen takes as input in order to determine the maximum depth of circuits accepted by $\Pi$.


Definition 6.3.9.1. For fixed $\lambda$ and $p \in \mathcal{P}_{d(6\lambda r - 2\lambda)}$, define the distribution $\mathcal{D}_{\lambda,p}$ as follows:

$$\mathcal{D}_{\lambda,p_i} = \left\{
\begin{array}{l}
\text{choose } x \leftarrow \mathbb{Z}_{p_1}, \\
\text{choose } s_i \leftarrow \{0, \ldots, p_1 - 1\} \text{ for } i = 1 \ldots 4r, \\
\text{for } i = 1 \ldots r, \text{ compute:} \\
\qquad \alpha_i = H_g^{-1}\left((p_1, p_2, p_3), (x, s_{4i-3}, s_{4i-2})\right), \\
\qquad \beta_i = H_g^{-1}\left((p_1, p_2, p_3), (1, s_{4i-1}, s_{4i})\right), \\
\text{compute: } y = H(p_4, \alpha_1) \cdot H(p_4, \beta_1), \\
\text{compute: } c = y \cdot \prod_{i > 1}^{r} H(p_4, \alpha_i) \cdot H(p_4, \beta_i) \cdot H\left(p_4, \alpha_i^{-1}\right) \bmod g, \\
\text{compute: } a/b = H^{-1}(p_4, c), \\
\text{compute: } d = cb, \\
\text{output } d
\end{array}
\right\}. \tag{6.58}$$

Assumption 6.3.9.1. ($d$-Approximate GCD Assumption) For all probabilistic polynomial-time algorithms $\mathcal{A}$, the following is negligible (in $\lambda$):

$$\Pr\left[ p_1, p_2, p_3 \leftarrow \mathcal{P}_\lambda;\ p_4, p_5 \leftarrow \mathcal{P}_{d(6\lambda r - 2\lambda)};\ g = \prod_{i=1}^{5} p_i : \mathcal{A}^{\mathcal{D}^{\lambda,d,p_4}}(1^\lambda, g) = p_4 \right]. \tag{6.59}$$

We consider an experiment where the adversary is given two finite sets of integers, the first composed of uniformly generated integers and the second composed of close-to-uniformly generated integers. The experiment outputs 1 if and only if the adversary can distinguish between these two sets with probability any better than $1/2 + \mathrm{negl}$. Recall that the ciphertexts output by Enc and Eval are $\delta$-bit integers. Since the $b$ are $\sigma$-bit integers and $d = cb$ according to (6.3.9.1), the $d$ are $\delta\sigma$-bit integers. Since $\mathcal{D}_{\lambda,d,p_i}$ outputs $\langle c, d \rangle$, we let $\mathcal{U}_{\delta\sigma}$ denote the uniform distribution on $\delta\sigma$-bit strings, where the result is interpreted in the natural way as a nonnegative integer.


Assumption 6.3.9.2. For all probabilistic polynomial-time algorithms $\mathcal{A}$, the following is negligible (in $\lambda$):

$$\left| \Pr\left[ p_1, p_2, p_3 \leftarrow \mathcal{P}_\lambda;\ p_4, p_5 \leftarrow \mathcal{P}_{d(6\lambda r - 2\lambda)};\ g = \prod_{i=1}^{5} p_i : \mathcal{A}^{\mathcal{U}_{\delta \cdot \sigma}}(1^\lambda, g) = 1 \right] - \Pr\left[ p_1, p_2, p_3 \leftarrow \mathcal{P}_\lambda;\ p_4, p_5 \leftarrow \mathcal{P}_{d(6\lambda r - 2\lambda)};\ g = \prod_{i=1}^{5} p_i : \mathcal{A}^{\mathcal{D}^{\lambda,d,p_4}}(1^\lambda, g) = 1 \right] \right|.$$

Theorem 6.3.9.1. Our private-key leveled FHE scheme as described in Section 6.2.1 is CPA-secure under Assumption 6.3.9.2.

Proof. (Sketch) Fix some adversary $\mathcal{A}$ attacking $\Pi$. We construct a polynomial-time adversary $\mathcal{B}$ that uses $\mathcal{A}$ as a subroutine in order to contradict Assumption 6.3.9.2.

1. $\mathcal{B}$ is given $g$ and has access to $\mathcal{D}_{\lambda,d,p_i}$. It runs $\mathcal{A}$ as a subroutine, providing $1^\lambda$ and $g$ to $\mathcal{A}$.

2. When $\mathcal{A}$ requests an encryption of $m_i$, $\mathcal{B}$ obtains $d$ from $\mathcal{D}_{\lambda,d,p_i}$ and proceeds as follows:

   (a) Choose $x \leftarrow [0, 2^{\tau\lambda}]$ and $y \leftarrow [0, 2^{\tau d\lambda(6r-2)}]$;

   (b) Compute $b = d\,y^{-1} \bmod g$, $a = b\,m_i - x \bmod g$, and $c = a\,b^{-1} \bmod g$;

   (c) $\mathcal{B}$ sends $c$ to $\mathcal{A}$.

3. At some point $\mathcal{A}$ outputs a pair of messages $(m_0, m_1)$. $\mathcal{B}$ chooses a uniform challenge bit $b \in \{0,1\}$ (not to be confused with the integer $b$ computed in step (b)), queries $d$ from $\mathcal{D}_{\lambda,d,p_i}$ and proceeds as follows:

   (a) Choose $x \leftarrow [0, 2^{\tau\lambda}]$ and $y \leftarrow [0, 2^{\tau d\lambda(6r-2)}]$;

   (b) Compute $b = d\,y^{-1} \bmod g$, $a = b\,m_b - x \bmod g$, and $c = a\,b^{-1} \bmod g$;

   (c) $\mathcal{B}$ sends $c$ to $\mathcal{A}$.

4. $\mathcal{A}$ outputs a bit $b' \in \{0,1\}$. If $b' = b$, $\mathcal{B}$ outputs 1, and 0 otherwise.


The execution of $\mathcal{B}$ is then complete. Notice that $x$ represents $k_1 p_1$ for every message $m$ that can be written as $m = (a + k_1 p_1)/b$, and $y$ represents $k_2 p_4$ for every $c$ that can be written as $c = (a + k_2 p_4)/b$. Additionally, notice that $b = d/y \bmod g$ can be expressed as $b = (d + k_3 g)/y$ for some $k_3$. Similarly, $a = b\,m_b - x \bmod g$ can be expressed as $a = b\,m_b - x + k_4 g$ for some $k_4$. The simulated ciphertext is then $c = a/b \bmod g$, which can be rewritten as $c = (a + k_5 g)/b$ for some $k_5$ or, equivalently, $c = (a + k_6 p_4)/b$ for some $k_6$ with $k_5 g = k_6 p_4$, and therefore the ciphertexts simulated by $\mathcal{B}$ clearly have the same distribution as the ciphertexts output by Enc. By Assumption 6.3.9.2, the probability that $\mathcal{B}$ is able to distinguish $\mathcal{D}_{\lambda,d,p_i}$ from $\mathcal{U}_{\delta\sigma}$ is negligible. If polynomially many samples are obtained from $\mathcal{U}_{\delta\sigma}$ by $\mathcal{B}$, they carry no information whatsoever about any given $m$ or about $p_4$. Therefore, $\Pi$ is CPA-secure under Assumption 6.3.9.2.

6.3.10 A Note on Ciphertext Size

As we discussed previously, our leveled FHE scheme is similar to the construction introduced by van Dijk, Gentry, Halevi, and Vaikuntanathan in [135] in some aspects: both constructions are based on modular arithmetic, both are conceptually simple, and in both the security is associated with the approximate-gcd problem. The DGHV scheme can be both a private-key and a public-key scheme: the private-key version is converted into a public-key scheme using the technique introduced by Rothblum in [252], where any private-key scheme that is additively homomorphic modulo 2 can be converted into a public-key scheme. As for the differences, we chose a different strategy for constructing our scheme, since we directly build a leveled FHE scheme, while in the case of DGHV a SWHE scheme is first constructed and then converted into an FHE scheme via bootstrapping. Since our scheme is a leveled FHE scheme and DGHV is a regular FHE scheme, a benchmark between the two is not necessarily an "apples-to-apples" comparison. However, DGHV is still the closest construction to our scheme, both in terms of the mathematics used and of the security properties. Here we highlight one crucial difference between the two schemes, which is the message space; it has a significant impact on memory use and, generally speaking, on performance. For determining the size of the ciphertexts of the DGHV scheme we use the parameters defined in [175], compared with compatible parameters of our scheme, as shown in Table 6.2.

Scheme        Class         Bootstrapping   Ciphertext min size   Ciphertext max size
Our scheme    Leveled FHE   No              36,864 bits           7,217,152 bits
DGHV scheme   Regular FHE   Yes             150,000 bits          19,350,000 bits

Table 6.2: Similarities and differences between our leveled FHE scheme and the DGHV scheme.

The DGHV scheme accepts plaintext messages $m \in \{0,1\}$. Thus, the ciphertext sizes shown in Table 6.2 correspond to a single bit of plaintext. Our scheme also accepts plaintext messages $m \in \{0,1\}$, and in this setting it has a smaller ciphertext expansion than the DGHV scheme. However, we assume that one can change the message space to $m \in \mathbb{Z}_{p_1}$ for large values of $p_1$ while the encryption scheme preserves the same security achieved with $m \in \{0,1\}$. The ciphertext expansion in this second case goes from the bit length of $p_1$ to the bit length of the ciphertext $c$, that is, from $\lambda$ to $4\lambda + 2d\lambda(6r-2) = \delta(\lambda)$.

6.4 General Considerations

We introduced a private-key leveled FHE scheme built upon Hensel codes whose security is based on the decisional approximate-gcd assumption. Although Hensel codes are not often applied directly to cryptographic schemes, our construction can be easily analyzed even by those unfamiliar with finite-segment p-adic arithmetic. In order to discuss the security of our scheme, we consider a weaker construction that is resilient against the known attacks related to the approximate-gcd problem. The analysis of this weaker version is relevant in our view since it provides insight into where the remaining threats are, which is successfully exploited by a two-stage lattice attack. In the weaker version, Gen generates five secret primes while Enc never uses the fifth one. Therefore, there is a substantial difference between fresh ciphertexts and evaluated ciphertexts. The fresh ciphertexts in the weaker version can be expressed as


a Diophantine equation where solving for the prime of interest is possible, since the linear combination of multiple ciphertext samples is small and the ciphertext itself is smaller than the prime the attack is targeting. Thus, even a lattice of low dimension will contain the answer as the shortest (or one of the shortest) vectors. In the stronger version, we set the fifth prime to be of the same size as the fourth prime and we evaluate the ciphertext internally in Enc several times before we output a final ciphertext. The evaluation is identical to the ones performed by Eval. Thus, the ciphertexts from Enc and Eval are now indistinguishable. Moreover, the new Diophantine equation that expresses each ciphertext in the scheme now has a factor multiplying $p_4$ that is much larger than $p_4$. In this new scenario, lower-dimensional lattices will not contain the answer as a shortest vector.

6.5 GA and Lattice Cryptography

An $n$-dimensional lattice $\mathcal{L}$ consists of all integer linear combinations of $n$ linearly independent basis vectors $b_1, b_2, \ldots, b_n$. The same lattice can be generated in many different ways. Generating a lattice is tied to a basis, and a basis may be good or bad, generally speaking, depending on the length of its vectors: a good basis consists of short vectors, while long vectors are commonly associated with a bad basis. A lattice basis is denoted by $B$, and it is valid only if every vector of the $n$-dimensional lattice can be generated as an integer linear combination of that basis. One particular quantity of interest in lattice theory is the length of the shortest nonzero vector in the lattice, which has important applications in cryptography as a computationally hard problem. The shortest vector problem (SVP) is: given an arbitrary basis of the lattice, find the shortest nonzero vector. Let the length of the shortest vector be denoted by $\mu_1$. Formally:

Definition 6.5.0.1. (SVP) Given a basis $B \in \mathbb{Z}^{n\times n}$, find

$$v \in \mathcal{L}(B)\setminus\{0\} \ \text{ s.t. } \ \|v\| = \mu_1. \qquad (6.60)$$

The shortest vector in the lattice goes from the origin to the lattice point closest to the origin. In the case where the shortest vector cannot be found, an approximation of the shortest vector might be found instead. This is the $\alpha$-approximate shortest vector problem (Approximate SVP), which consists of finding a nonzero vector of length at most $\alpha\mu_1$, that is, a vector whose length is at most $\alpha$ times the length $\mu_1$ of the actual shortest vector. Formally:

Definition 6.5.0.2. ($\alpha$-Approximate SVP) Given a basis $B \in \mathbb{Z}^{n\times n}$, find

$$v \in \mathcal{L}(B)\setminus\{0\} \ \text{ s.t. } \ \|v\| \le \alpha\mu_1. \qquad (6.61)$$

$\alpha$ can be, as an example, a function of the dimension $n$. One might also want to find another short vector (or one of the shortest vectors) that is linearly independent of the actual shortest vector. This notion is related to the shortest independent vectors problem (SIVP). Given a basis of the lattice, we have the length $\mu_1$ of the shortest vector and then the successive minima $\mu_2, \mu_3, \ldots, \mu_n$. If one draws a circle centered at the lattice origin and expands it until it meets the first lattice point, the shortest vector of the lattice is found. One can also keep expanding the circle up to a radius $r$ that contains $n$ linearly independent lattice vectors. One can ask what the minimum radius containing $n$ linearly independent lattice vectors is, which is denoted by

$$\mu_n = \min\{\, r \mid \exists\ n \text{ linearly independent lattice vectors of length} \le r \,\}. \qquad (6.62)$$

Formally:

Definition 6.5.0.3. (SIVP) Given a basis $B \in \mathbb{Z}^{n\times n}$, find linearly independent vectors

$$v_1, \ldots, v_n \ \text{ s.t. } \ \|v_i\| \le \mu_n,\quad i = 1\ldots n. \qquad (6.63)$$
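A concrete, added example (not from the dissertation) of the good-basis/bad-basis distinction and of $\mu_1$: in dimension 2 the Lagrange (Gauss) reduction below turns a bad basis into one whose first vector has length exactly $\mu_1$ and whose second has length $\mu_2$, and a brute-force enumeration confirms it. The two bases are constructed for this example (the bad one is a unimodular transform of the good one). In higher dimensions this exact procedure is replaced by LLL, which only guarantees an $\alpha$-approximation.

```python
def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def nearest_int_ratio(num, den):
    """round(num/den) using integer arithmetic only (den > 0); halves round up."""
    return (2 * num + den) // (2 * den)


def lagrange_reduce(b1, b2):
    """Lagrange/Gauss reduction of a 2D integer basis.

    Returns (v1, v2) spanning the same lattice with ||v1|| = mu_1 and ||v2|| = mu_2
    (the successive minima); the loop is the 2D analogue of the Euclidean algorithm.
    """
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        k = nearest_int_ratio(dot(b1, b2), dot(b1, b1))
        b2 = (b2[0] - k * b1[0], b2[1] - k * b1[1])   # size-reduce b2 against b1
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1                                # b2 became shorter: swap and repeat


def min_norm2_by_enumeration(b1, b2, bound=20):
    """||v||^2 of the shortest nonzero vector among all a*b1 + b*b2 with |a|, |b| <= bound."""
    best = None
    for a in range(-bound, bound + 1):
        for b in range(-bound, bound + 1):
            if a == 0 and b == 0:
                continue
            v = (a * b1[0] + b * b2[0], a * b1[1] + b * b2[1])
            n = dot(v, v)
            if best is None or n < best:
                best = n
    return best


def same_lattice(b1, b2, c1, c2):
    """Two 2D bases generate the same lattice iff |det| agrees and each c_i is an
    integer combination of (b1, b2); the coefficients are checked via Cramer's rule."""
    det_b = b1[0] * b2[1] - b1[1] * b2[0]
    det_c = c1[0] * c2[1] - c1[1] * c2[0]
    if det_b == 0 or abs(det_b) != abs(det_c):
        return False
    for v in (c1, c2):
        x = v[0] * b2[1] - v[1] * b2[0]   # numerators of v = x*b1 + y*b2
        y = b1[0] * v[1] - b1[1] * v[0]
        if x % det_b or y % det_b:
            return False
    return True


# Constructed example: BAD = (7*g1 + 3*g2, 2*g1 + g2) for the good basis GOOD = (g1, g2).
GOOD = ((2, 1), (-1, 3))
BAD = ((11, 16), (3, 5))
```

Running `lagrange_reduce(*BAD)` recovers `GOOD` itself; the enumeration shows that no nonzero lattice vector is shorter than $(2,1)$, so $\mu_1 = \sqrt 5$ for this lattice regardless of which basis is handed to the solver.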

The complexity of the known algorithms for solving SVP is $2^{O(n)}$ [253], and for the $\alpha$-approximate SVP it is $2^{n/2}$ [254]. The best approximation factor known to be achievable in polynomial time is $2^{O(n\log\log n/\log n)}$. The best known result, even with the advent of quantum computers, is a $2^{k}$-approximation that runs in time $2^{\tilde{O}(n/k)}$.

6.5.1 Why Are Lattices Used in Cryptography?

Vaikuntanathan remarks that there is a common-sense safety when it comes to lattices [255]. If the hard problems underlying standard cryptosystems, such as factoring and discrete logarithm, break, one will eventually need to rely on lattices. Since the known quantum attacks target factoring and discrete logarithm, and no comparable quantum attack on lattice problems is known, lattice-based cryptography is currently considered quantum resistant. Another compelling feature of lattice cryptography is that worst-case hardness, that is, the hardness of at least one instance of a problem, is known to imply average-case hardness, that is, the hardness of a random instance (a worst-case to average-case reduction). This is considered a feature that no other mathematical structure offers but lattices. The practical implication is that one can build a lattice cryptosystem safely assuming only worst-case hardness. Lattices are considered simple, efficient and very useful. Among the possible applications, concrete lattice-based constructions have been demonstrated for the following:

• Related to the short integer solution problem (SIS): one-way functions [256], hash algorithms [256,257].

• Related to the learning with errors problem (LWE): pseudorandom number generators [256, 258], public-key encryption [258–261], oblivious transfer and secure multi-party computation [262].

• Related to lattice trapdoors: trapdoor functions [263–265], digital signatures [260].

• Related to punctured trapdoors: identity-based encryption [263], attribute-based encryption [266], predicate encryption [267].

6.5.2 Average-Case Hard Problems

6.5.2.1 Short Integer Solutions

One example of how interesting lattice problems are is the following: it is generally easy to solve an equation of the form $Ax = b$ for some matrix $A$ and column vectors $x$ and $b$, where the goal is to solve for $x$, which can be done via Gaussian elimination. However, if the problem is changed to solving for a short vector $x$, then the problem changes completely. Vaikuntanathan remarks that there are two types of problems that one can define on lattices: 1) purely algebraic problems, and 2) geometric problems [255]. Although not all geometric problems on lattices are necessarily hard, Vaikuntanathan highlights that the core of the hardness of lattice problems comes from geometric notions, and "short" is a geometric notion. Finding a nonzero short vector $x$ that satisfies $Ax = b$ is an entirely different problem from its purely algebraic counterpart. Formally:

Definition 6.5.2.1. (Short Integer Solution $\mathrm{SIS}_{n,q,m,\beta}$) Given a matrix $A \in \mathbb{Z}_q^{n\times m}$, find a vector $x \in \mathbb{Z}^m$ such that $Ax = 0 \in \mathbb{Z}_q^n$ and $\|x\| \le \beta$, where $n$ is the number of equations, $q$ is the modulus to which the matrix and vector computations are reduced, $m$ is the number of variables, and $\beta$ is a bound that determines how short the vector $x$ must be.

6.6 GA and Matrices

Recall that multivectors in the 2-dimensional geometric product space are denoted by $\bar M \in \mathbb{G}^2$ such that

$$\bar M = m_0\bar e_0 + m_1\bar e_1 + m_2\bar e_2 + m_{12}\bar e_{12}. \qquad (6.64)$$

Lounesto remarks that the matrix algebra $\mathrm{Mat}(2,\mathbb{R})$ is isomorphic to the 2-dimensional geometric algebra $\mathbb{G}^2$ [268]. Here we explore this relationship in order to offer a replacement for matrix computations in arbitrary dimensions under certain conditions.

Definition 6.6.0.1. (2D Matrix to multivector) For all matrices $A \in \mathbb{R}^{2\times 2}$, we have a one-to-one mapping between $A$ and a multivector $\bar M \in \mathbb{G}^2$ by computing the coefficients $m_i$ of $\bar M$ as follows:

$$m_0 = \frac{a_{11}+a_{22}}{2},\qquad m_1 = \frac{a_{11}-a_{22}}{2},\qquad m_2 = \frac{a_{12}+a_{21}}{2},\qquad m_{12} = \frac{a_{12}-a_{21}}{2}, \qquad (6.65)$$

where the $a_{ij}$ are the entries of $A$. We write $T_M(A) = \bar M$.

Proof. For all $A, B \in \mathbb{R}^{2\times 2}$, we show that

$$T_M(AB) = T_M(A)\,T_M(B). \qquad (6.66)$$

Let

$$A = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22}\end{pmatrix},\qquad B = \begin{pmatrix} b_{11} & b_{12} \\ b_{21} & b_{22}\end{pmatrix}, \qquad (6.67)$$

such that

$$\begin{aligned}
T_M(A) &= \tfrac{a_{11}+a_{22}}{2}\bar e_0 + \tfrac{a_{11}-a_{22}}{2}\bar e_1 + \tfrac{a_{12}+a_{21}}{2}\bar e_2 + \tfrac{a_{12}-a_{21}}{2}\bar e_{12}, \\
T_M(B) &= \tfrac{b_{11}+b_{22}}{2}\bar e_0 + \tfrac{b_{11}-b_{22}}{2}\bar e_1 + \tfrac{b_{12}+b_{21}}{2}\bar e_2 + \tfrac{b_{12}-b_{21}}{2}\bar e_{12}.
\end{aligned} \qquad (6.68)$$

The matrix product $AB$ is given by

$$AB = \begin{pmatrix} a_{11}b_{11} + a_{12}b_{21} & a_{11}b_{12} + a_{12}b_{22} \\ a_{21}b_{11} + a_{22}b_{21} & a_{21}b_{12} + a_{22}b_{22}\end{pmatrix}, \qquad (6.69)$$

which, when converted to a multivector, gives

$$\begin{aligned}
T_M(AB) = {} & \tfrac{a_{11}b_{11} + a_{12}b_{21} + a_{21}b_{12} + a_{22}b_{22}}{2}\,\bar e_0 \\
& + \tfrac{a_{11}b_{11} + a_{12}b_{21} - a_{21}b_{12} - a_{22}b_{22}}{2}\,\bar e_1 \\
& + \tfrac{a_{11}b_{12} + a_{12}b_{22} + a_{21}b_{11} + a_{22}b_{21}}{2}\,\bar e_2 \\
& + \tfrac{a_{11}b_{12} + a_{12}b_{22} - a_{21}b_{11} - a_{22}b_{21}}{2}\,\bar e_{12}.
\end{aligned} \qquad (6.70)$$

We verify that this is equivalent to (represents the same quantity as) computing the following: let $\bar C = T_M(A)\,T_M(B)$; expanding the geometric product of (6.68) coefficient by coefficient (see (6.80)), we obtain

$$\begin{aligned}
\bar C = {} & \Big( \tfrac{a_{11}-a_{22}}{2}\cdot\tfrac{b_{11}-b_{22}}{2} + \tfrac{a_{11}+a_{22}}{2}\cdot\tfrac{b_{11}+b_{22}}{2} + \tfrac{a_{12}+a_{21}}{2}\cdot\tfrac{b_{12}+b_{21}}{2} - \tfrac{a_{12}-a_{21}}{2}\cdot\tfrac{b_{12}-b_{21}}{2} \Big)\bar e_0 \\
& + \Big( \tfrac{a_{11}+a_{22}}{2}\cdot\tfrac{b_{11}-b_{22}}{2} + \tfrac{a_{11}-a_{22}}{2}\cdot\tfrac{b_{11}+b_{22}}{2} - \tfrac{a_{12}+a_{21}}{2}\cdot\tfrac{b_{12}-b_{21}}{2} + \tfrac{a_{12}-a_{21}}{2}\cdot\tfrac{b_{12}+b_{21}}{2} \Big)\bar e_1 \\
& + \Big( \tfrac{a_{11}+a_{22}}{2}\cdot\tfrac{b_{12}+b_{21}}{2} + \tfrac{a_{12}+a_{21}}{2}\cdot\tfrac{b_{11}+b_{22}}{2} + \tfrac{a_{11}-a_{22}}{2}\cdot\tfrac{b_{12}-b_{21}}{2} - \tfrac{a_{12}-a_{21}}{2}\cdot\tfrac{b_{11}-b_{22}}{2} \Big)\bar e_2 \\
& + \Big( \tfrac{a_{11}+a_{22}}{2}\cdot\tfrac{b_{12}-b_{21}}{2} + \tfrac{a_{12}-a_{21}}{2}\cdot\tfrac{b_{11}+b_{22}}{2} + \tfrac{a_{11}-a_{22}}{2}\cdot\tfrac{b_{12}+b_{21}}{2} - \tfrac{a_{12}+a_{21}}{2}\cdot\tfrac{b_{11}-b_{22}}{2} \Big)\bar e_{12}.
\end{aligned} \qquad (6.71)$$

We see that the following holds: in the computation of the coefficient of $\bar e_0$ in (6.71), the segment

$$\frac{a_{11}-a_{22}}{2}\cdot\frac{b_{11}-b_{22}}{2} + \frac{a_{11}+a_{22}}{2}\cdot\frac{b_{11}+b_{22}}{2} \qquad (6.72)$$

can be rewritten as

$$\frac{a_{11}b_{11} + a_{22}b_{22}}{2}. \qquad (6.73)$$

Similarly, the segment

$$\frac{a_{12}+a_{21}}{2}\cdot\frac{b_{12}+b_{21}}{2} - \frac{a_{12}-a_{21}}{2}\cdot\frac{b_{12}-b_{21}}{2} \qquad (6.74)$$

can be rewritten as

$$\frac{a_{21}b_{12} + a_{12}b_{21}}{2}, \qquad (6.75)$$

which matches the coefficient of $\bar e_0$ in (6.70). In fact, the same rewriting process can be applied to all coefficients of $\bar C$, which shows that (6.71) is equivalent to (6.70).

Definition 6.6.0.2. (2D Multivector to matrix) For all multivectors $\bar M \in \mathbb{G}^2$, we have a one-to-one mapping between $\bar M$ and a matrix $A \in \mathbb{R}^{2\times 2}$ by computing the entries $a_{ij}$ of $A$ as follows:

$$a_{11} = m_0 + m_1,\qquad a_{12} = m_2 + m_{12},\qquad a_{21} = m_2 - m_{12},\qquad a_{22} = m_0 - m_1, \qquad (6.76)$$

where the $m_i$ are the coefficients of $\bar M$. We write $T_M^{-1}(\bar M) = A$.

Proof. For all $\bar A, \bar B \in \mathbb{G}^2$, we show that

$$T_M^{-1}(\bar A\bar B) = T_M^{-1}(\bar A)\,T_M^{-1}(\bar B). \qquad (6.77)$$

Let

$$\bar A = a_0\bar e_0 + a_1\bar e_1 + a_2\bar e_2 + a_{12}\bar e_{12},\qquad \bar B = b_0\bar e_0 + b_1\bar e_1 + b_2\bar e_2 + b_{12}\bar e_{12}, \qquad (6.78)$$

such that

$$T_M^{-1}(\bar A) = \begin{pmatrix} a_0 + a_1 & a_2 + a_{12} \\ a_2 - a_{12} & a_0 - a_1\end{pmatrix},\qquad T_M^{-1}(\bar B) = \begin{pmatrix} b_0 + b_1 & b_2 + b_{12} \\ b_2 - b_{12} & b_0 - b_1\end{pmatrix}. \qquad (6.79)$$

The geometric product $\bar A\bar B$ is given as follows:

$$\begin{aligned}
\bar A\bar B = {} & (a_0b_0 + a_1b_1 + a_2b_2 - a_{12}b_{12})\,\bar e_0 \\
& + (a_0b_1 + a_1b_0 - a_2b_{12} + a_{12}b_2)\,\bar e_1 \\
& + (a_0b_2 + a_1b_{12} + a_2b_0 - a_{12}b_1)\,\bar e_2 \\
& + (a_0b_{12} + a_1b_2 - a_2b_1 + a_{12}b_0)\,\bar e_{12}.
\end{aligned} \qquad (6.80)$$

When we compute the matrix product $T_M^{-1}(\bar A)\,T_M^{-1}(\bar B)$ we obtain

$$\begin{pmatrix}
(a_0+a_1)(b_0+b_1) + (a_2+a_{12})(b_2-b_{12}) & (a_0+a_1)(b_2+b_{12}) + (a_2+a_{12})(b_0-b_1) \\
(a_2-a_{12})(b_0+b_1) + (a_0-a_1)(b_2-b_{12}) & (a_2-a_{12})(b_2+b_{12}) + (a_0-a_1)(b_0-b_1)
\end{pmatrix}. \qquad (6.81)$$

Considering (6.80) and the linear combinations in (6.81), it is easy to check that $T_M^{-1}(\bar A\bar B) = T_M^{-1}(\bar A)\,T_M^{-1}(\bar B)$. For instance, the $(1,1)$ entry of (6.81) expands to $(a_0b_0 + a_1b_1 + a_2b_2 - a_{12}b_{12}) + (a_0b_1 + a_1b_0 - a_2b_{12} + a_{12}b_2)$, which is exactly the $\bar e_0$ coefficient plus the $\bar e_1$ coefficient of (6.80), as (6.76) prescribes for $a_{11}$.

Definition 6.6.0.3. (2D Vector to multivector) For all vectors $v \in \mathbb{R}^2$ we have a one-to-one mapping between $v$ and a multivector $\bar M \in \mathbb{G}^2$ such that, given

$$v = \begin{pmatrix} v_1 \\ v_2\end{pmatrix}, \qquad (6.82)$$

we compute

$$m_0 = \frac{v_1}{2},\qquad m_1 = \frac{v_1}{2},\qquad m_2 = \frac{v_2}{2},\qquad m_{12} = -\frac{v_2}{2}, \qquad (6.83)$$

where the $m_i$ are the coefficients of $\bar M$. We write $T_v(v) = \bar M$.

Proof. We identify $v$ with the matrix

$$V = \begin{pmatrix} v_1 & 0 \\ v_2 & 0\end{pmatrix}, \qquad (6.84)$$

and therefore, by applying (6.65), it is clear that we have

$$T_M(V) = \frac{v_1}{2}\bar e_0 + \frac{v_1}{2}\bar e_1 + \frac{v_2}{2}\bar e_2 - \frac{v_2}{2}\bar e_{12}. \qquad (6.85)$$

Definition 6.6.0.4. (2D Multivector to vector) For all multivectors $\bar M \in \mathbb{G}^2$ we have a one-to-one mapping between a vector $v \in \mathbb{R}^2$ and $\bar M$ such that, given the coefficients $m_i$ of $\bar M$, we compute

$$v_1 = m_0 + m_1,\qquad v_2 = m_2 - m_{12}, \qquad (6.86)$$

where the $v_i$ are the coefficients of $v$. We write $T_v^{-1}(\bar M) = v$.

Proof. Since $v$ is identified with the matrix $V$ of (6.84), applying (6.76) to $\bar M = T_v(v)$ gives $a_{11} = m_0 + m_1 = v_1$, $a_{21} = m_2 - m_{12} = v_2$ and $a_{12} = a_{22} = 0$, that is,

$$T_M^{-1}(\bar M) = \begin{pmatrix} v_1 & 0 \\ v_2 & 0\end{pmatrix} = V \;\equiv\; v = \begin{pmatrix} v_1 \\ v_2\end{pmatrix}. \qquad (6.87)$$

There are mappings between several matrix algebras and geometric algebras of several dimensions. As an example, we show the mappings between $\mathbb{G}^3$ and $\mathrm{Mat}(4,\mathbb{R})$.

Definition 6.6.0.5. ($\mathbb{G}^3$ to $\mathrm{Mat}(4,\mathbb{R})$ mapping) Given a multivector $\bar M$ from $C\ell(3,0)$, the matrix $A$ from $\mathrm{Mat}(4,\mathbb{R})$ that corresponds to $\bar M$ under the isomorphism can be computed as follows:

$$\begin{aligned}
a_{11} &= m_0 + m_2, & a_{12} &= m_1 - m_{12}, \\
a_{13} &= -(m_{13} - m_{123}), & a_{14} &= m_3 + m_{23}, \\
a_{21} &= m_1 + m_{12}, & a_{22} &= m_0 - m_2, \\
a_{23} &= -(m_3 - m_{23}), & a_{24} &= m_{13} + m_{123}, \\
a_{31} &= m_{13} - m_{123}, & a_{32} &= -(m_3 + m_{23}), \\
a_{33} &= m_0 + m_2, & a_{34} &= m_1 - m_{12}, \\
a_{41} &= m_3 - m_{23}, & a_{42} &= -(m_{13} + m_{123}), \\
a_{43} &= m_1 + m_{12}, & a_{44} &= m_0 - m_2.
\end{aligned} \qquad (6.88)$$

Definition 6.6.0.6. ($\mathrm{Mat}(4,\mathbb{R})$ to $\mathbb{G}^3$ mapping) Given a matrix $A$ from $\mathrm{Mat}(4,\mathbb{R})$, the multivector $\bar M$ from $C\ell(3,0)$ that corresponds to $A$ under the isomorphism can be computed as follows:

$$\begin{aligned}
m_0 &= \tfrac14\,(a_{11} + a_{22} + a_{33} + a_{44}), \\
m_1 &= \tfrac14\,(a_{12} + a_{21} + a_{34} + a_{43}), \\
m_2 &= \tfrac14\,(a_{11} - a_{22} + a_{33} - a_{44}), \\
m_3 &= \tfrac14\,(a_{14} - a_{23} - a_{32} + a_{41}), \\
m_{12} &= \tfrac14\,(-a_{12} + a_{21} - a_{34} + a_{43}), \\
m_{13} &= \tfrac14\,(-a_{13} + a_{24} + a_{31} - a_{42}), \\
m_{23} &= \tfrac14\,(a_{14} + a_{23} - a_{32} - a_{41}), \\
m_{123} &= \tfrac14\,(a_{13} + a_{24} - a_{31} - a_{42}).
\end{aligned} \qquad (6.89)$$

Due to Definitions 6.6.0.1, 6.6.0.2, 6.6.0.3 and 6.6.0.4, we propose an alternative way to perform matrix computations in which we replace them by computations with multivectors in $\mathbb{G}^2$. Our approach works for any $n\times m$ matrix. For simplicity, we start by discussing the mapping between arbitrary $n\times n$ matrices, for $n$ even, and multivectors.

Definition 6.6.0.7. (Arbitrary even square matrices to multivectors) Given an $n\times n$ matrix $A$

$$A = \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & \ddots & \vdots \\ a_{n1} & \cdots & a_{nn}\end{pmatrix} \qquad (6.90)$$

where $n$ is even, we rewrite $A$ in terms of $2\times 2$ block matrices $A_k$, for $k = 1\ldots(n/2)^2$, numbered row by row, such that

$$A = \begin{pmatrix} A_1 & A_2 & \cdots & A_{n/2} \\ A_{n/2+1} & A_{n/2+2} & \cdots & A_{n} \\ \vdots & \vdots & \ddots & \vdots \\ A_{(n/2)^2 - n/2 + 1} & \cdots & \cdots & A_{(n/2)^2}\end{pmatrix}. \qquad (6.91)$$

By doing so, we replace the computations on $A$ by computations on $(n/2)^2$ multivectors in $\mathbb{G}^2$. We write

$$T_S(A) = \big(T_M(A_1), \ldots, T_M(A_{(n/2)^2})\big) = \big(\bar M_1, \ldots, \bar M_{(n/2)^2}\big). \qquad (6.92)$$

Definition 6.6.0.8. (Arbitrary even-dimensional vector to multivectors) Given an $n$-dimensional vector, with $n$ even,

$$v = \begin{pmatrix} v_1 \\ \vdots \\ v_n\end{pmatrix}, \qquad (6.93)$$

we map $v$ to $n/2$ multivectors in $\mathbb{G}^2$ such that

$$T_s(v) = \left(T_v\begin{pmatrix} v_1 \\ v_2\end{pmatrix}, \ldots, T_v\begin{pmatrix} v_{n-1} \\ v_n\end{pmatrix}\right) = \big(\bar M_1, \ldots, \bar M_{n/2}\big). \qquad (6.94)$$

We can then state the following lemmas.

Lemma 6.6.0.1. For all matrices $A \in \mathbb{R}^{n\times n}$ where $n$ is even, we have a one-to-one mapping between $A$ and $(n/2)^2$ multivectors in $\mathbb{G}^2$.

Proof. We use a concrete example that is intuitive and clear enough to show that the lemma holds for any $n\times n$ matrix where $n$ is even. Let $n = 6$ and let the matrix $A$ be

$$A = \begin{pmatrix}
a_{11} & a_{12} & a_{13} & a_{14} & a_{15} & a_{16} \\
a_{21} & a_{22} & a_{23} & a_{24} & a_{25} & a_{26} \\
a_{31} & a_{32} & a_{33} & a_{34} & a_{35} & a_{36} \\
a_{41} & a_{42} & a_{43} & a_{44} & a_{45} & a_{46} \\
a_{51} & a_{52} & a_{53} & a_{54} & a_{55} & a_{56} \\
a_{61} & a_{62} & a_{63} & a_{64} & a_{65} & a_{66}
\end{pmatrix}. \qquad (6.95)$$

We subdivide $A$ into $(n/2)^2 = 9$ block matrices, which gives us

$$\begin{aligned}
A_1 &= \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22}\end{pmatrix}, & A_2 &= \begin{pmatrix} a_{13} & a_{14} \\ a_{23} & a_{24}\end{pmatrix}, & A_3 &= \begin{pmatrix} a_{15} & a_{16} \\ a_{25} & a_{26}\end{pmatrix}, \\
A_4 &= \begin{pmatrix} a_{31} & a_{32} \\ a_{41} & a_{42}\end{pmatrix}, & A_5 &= \begin{pmatrix} a_{33} & a_{34} \\ a_{43} & a_{44}\end{pmatrix}, & A_6 &= \begin{pmatrix} a_{35} & a_{36} \\ a_{45} & a_{46}\end{pmatrix}, \\
A_7 &= \begin{pmatrix} a_{51} & a_{52} \\ a_{61} & a_{62}\end{pmatrix}, & A_8 &= \begin{pmatrix} a_{53} & a_{54} \\ a_{63} & a_{64}\end{pmatrix}, & A_9 &= \begin{pmatrix} a_{55} & a_{56} \\ a_{65} & a_{66}\end{pmatrix}.
\end{aligned} \qquad (6.96)$$

Now we can rewrite $A$ as

$$A = \begin{pmatrix} A_1 & A_2 & A_3 \\ A_4 & A_5 & A_6 \\ A_7 & A_8 & A_9\end{pmatrix}, \qquad (6.97)$$

and each block $A_k$ is mapped to a multivector by $T_M$, which is inverted by $T_M^{-1}$ of Definition 6.6.0.2.

Lemma 6.6.0.2. An $n\times n$ matrix multiplication can be obtained in $O(n^2)$ operations in the best case scenario.

Proof. It is well known that the multiplication of two $n\times n$ matrices by the schoolbook method requires $n^3$ multiplications and $(n-1)n^2$ additions, and thus its complexity is $O(n^3)$. Significant optimizations were introduced by the Coppersmith-Winograd algorithm, reducing the complexity to $O(n^{2.3755})$ [269, 270]. A refined result, reducing the complexity to $O(n^{2.3728696})$, was shown in [271]. Finally, since any algorithm must at least read the $2n^2$ input entries and write the $n^2$ output entries, $O(n^2)$ is the best possible case for the complexity of $n\times n$ matrix multiplication; see [272, 273], in particular Chapter 5 of [273].

Lemma 6.6.0.3. An $n\times n$ matrix multiplication can be obtained in $O\big((n/2)^2\big)$ via equivalent operations with multivectors in $\mathbb{G}^2$.

Proof. We showed that an $n\times n$ matrix, for $n$ even, can be represented by $(n/2)^2$ multivectors, where each multivector has 4 coefficients, so that a product of two multivectors costs a constant number of operations. Therefore, given two $n\times n$ matrices for $n$ even, we have $4(n/2)^2$ steps to compute the product with multivectors under the pairwise rule of (6.102), which is bounded by $O\big((n/2)^2\big)$. Note that $O\big((n/2)^2\big) = O(n^2)$, so the gain over the bound of Lemma 6.6.0.2 lies in the constant factor, not in the exponent. Figure 6.3 shows a comparison of the growth of the two functions.

Later, we will see that much greater speedups are achievable by replacing matrix multiplication with the equivalent computation on multivectors. However, since in this work we are targeting the construction of a framework, which implies generality, we introduce a transformation of arbitrary matrices to multivectors using the mappings between two-dimensional matrices and multivectors. What if we want to convert a non-square $n\times m$ matrix to multivectors in $\mathbb{G}^2$? One way of doing this is to think of a "virtual" square matrix $A_a$ for every non-square $n\times m$ matrix $A$, where $A_a$ is an augmented version of $A$. The augmentation fills the difference between the given $n\times m$ matrix and the next square dimension with zeros. For more information on how zeros are "filled" into any given non-square matrix, consider Example 6.2.

Example 6.2 (Augmented Square Matrices) For any non-square $n\times m$ matrix $A$, we treat $A$ as a square matrix and consider each "missing" entry (the entries that, if added to $A$, would turn it into a square matrix) as zero. As an example, let $A$, $B$ and $C$ be non-square matrices of different dimensions $n\times m$. Then, we have

Figure 6.3: Growth comparison of $n^2$ (matrix multiplication) and $(n/2)^2$ (the associated multivector multiplication) for $n$ from 0 to 2000, vertical axis in units of $10^6$ operations (plot not reproduced).

$$A = \begin{pmatrix} a_{11} & \cdots & a_{1m} & 0 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ a_{n1} & \cdots & a_{nm} & 0 & \cdots & 0\end{pmatrix},\qquad
B = \begin{pmatrix} b_{11} & \cdots & b_{1m} \\ \vdots & \ddots & \vdots \\ b_{n1} & \cdots & b_{nm} \\ 0 & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & 0\end{pmatrix},\qquad
C = \begin{pmatrix} c_{11} & \cdots & c_{1m} & 0 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ c_{n1} & \cdots & c_{nm} & 0 & \cdots & 0 \\ 0 & \cdots & 0 & 0 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ 0 & \cdots & 0 & 0 & \cdots & 0\end{pmatrix} \qquad (6.98)$$

such that zeros are included in each case until $A$, $B$ and $C$ become square matrices, and then we can organize each one of them in terms of block matrices in the form of (6.91). The conversion from multivectors back to each original matrix will always work when the dimension of each matrix is known.

We can use the same idea as in Example 6.2 for vectors of odd dimension: we augment the vector with a zero coefficient, which allows us to apply Definition 6.6.0.8. If nothing else, this replacement offers the operation count of Lemma 6.6.0.3 for the operations that replace $n\times n$ matrix multiplications by equivalent operations with multivectors (that is, operations with multivectors that represent the same quantity as the ones with $n\times n$ matrix multiplications). However, we want to show that our approach can be successfully applied to particular instances of lattice cryptography. In reality, the above procedure describes how we treat matrices of arbitrary dimensions. It does not really matter whether the zeros are explicitly present in the matrix; we just need to treat the non-existing entries of any given non-square $n\times m$ matrix as zeros. For clarity, consider Example 6.3.


Example 6.3 Given the $4\times 3$ matrix

$$A = \begin{pmatrix} a_{11} & a_{12} & a_{13} \\ a_{21} & a_{22} & a_{23} \\ a_{31} & a_{32} & a_{33} \\ a_{41} & a_{42} & a_{43}\end{pmatrix}, \qquad (6.99)$$

we obtain the following multivectors using $T_S(A)$:

$$T_S(A) = \left(\begin{array}{l}
\frac{a_{11}+a_{22}}{2}\bar e_0 + \frac{a_{11}-a_{22}}{2}\bar e_1 + \frac{a_{12}+a_{21}}{2}\bar e_2 + \frac{a_{12}-a_{21}}{2}\bar e_{12}, \\[4pt]
\frac{a_{13}}{2}\bar e_0 + \frac{a_{13}}{2}\bar e_1 + \frac{a_{23}}{2}\bar e_2 - \frac{a_{23}}{2}\bar e_{12}, \\[4pt]
\frac{a_{31}+a_{42}}{2}\bar e_0 + \frac{a_{31}-a_{42}}{2}\bar e_1 + \frac{a_{32}+a_{41}}{2}\bar e_2 + \frac{a_{32}-a_{41}}{2}\bar e_{12}, \\[4pt]
\frac{a_{33}}{2}\bar e_0 + \frac{a_{33}}{2}\bar e_1 + \frac{a_{43}}{2}\bar e_2 - \frac{a_{43}}{2}\bar e_{12}
\end{array}\right). \qquad (6.100)$$

Notice that (6.100) is computed by treating the "missing entries" of $A$ as zeros. More precisely, $A$ is a $4\times 3$ matrix. In order to become an even square matrix, we think of a "virtual" augmented matrix $A_a$ composed of the entries of $A$ and a fourth column with zero entries. We call it "virtual" since we do not need to work with matrices at all. What we want is a correspondence between matrices and multivectors so that we can replace the computation on matrices by equivalent computations on multivectors.

6.6.1 More on Matrix Multiplication with Multivectors

By applying our proposed mapping from matrices of arbitrary dimension to multivectors, one can perform the computation equivalent to the mapped matrices as follows. Let $A, B \in \mathbb{R}^{n\times n}$ such that

$$T_S(A) = \big(\bar A_1, \ldots, \bar A_{(n/2)^2}\big),\qquad T_S(B) = \big(\bar B_1, \ldots, \bar B_{(n/2)^2}\big). \qquad (6.101)$$

The blockwise product of $A$ and $B$ is computed over multivectors via the $T_S(\cdot)$ mapping as follows:

$$\text{for } j = 1\ldots\tfrac{n}{2},\ i = 1\ldots\tfrac{n}{2}:\qquad \bar C_k = \bar A_k\,\bar B_k,\quad k = j\tfrac{n}{2} - \tfrac{n}{2} + i. \qquad (6.102)$$

Note that (6.102) multiplies each block of $A$ only with the block of $B$ in the same position, which yields $C_{ij} = A_{ij}B_{ij}$ block by block. The block form of the matrix product $AB$ is $C_{ij} = \sum_{k=1}^{n/2} A_{ik}B_{kj}$, which, by (6.66), is obtained from the same multivectors with $(n/2)^3$ geometric products and additions.

For clarity and generality, we will use this technique for replacing matrix multiplication in the remainder of this work. However, we remark that greater speedups in performance are possible. For instance, consider the matrices $A, B \in \mathbb{R}^{16\times 16}$, each organized into sixteen $4\times 4$ blocks. The sixteen $4\times 4$ blocks of each matrix are then converted into sixteen multivectors in $\mathbb{G}^3$ using the mapping in Definition 6.6.0.6. In this particular case, the number of multivector products drops from $(n/2)^2$ to $n$, which is where the improvement from $O(n^2)$ to $O(n)$ comes from, and the computation with multivectors is otherwise the same as (6.102).

6.6.2 A First Lattice Problem

In 1996, Ajtai introduced a function (a one-way function) that was shown to be as hard to break on average as solving lattice problems in the worst case [256]. This is extremely valuable for cryptography because, even without further cryptanalysis, by following Ajtai's work one can be sure of obtaining a distribution statistically close to the uniform distribution, which is the hardest possible distribution one can rely on when it comes to lattices. Ajtai's function is defined below:

$$f_A(x) = Ax \bmod q,\qquad \text{where } A \in \mathbb{Z}_q^{n\times m} \text{ and } x \in \{0,1\}^m, \qquad (6.103)$$

where $A$ is a uniformly random $n\times m$ matrix, used as the (public) key, which with high probability has full rank; $x$ is an $m$-dimensional vector, the input of the function; and $q$ is some integer. The function is just a matrix-vector multiplication that outputs $Ax$. Without any further constraint, Ajtai's function is easy to invert by solving a linear system. In order to make it hard to invert, Ajtai imposed that the input vector $x$ must be short. From the moment we require $x$ to be short, inverting $Ax$ becomes an optimization problem, namely finding a small solution to a system of linear equations, which is a problem we do not know how to solve efficiently. The problem proposed by Ajtai can then be described as: given $A$ and $y$, find $x \in \{0,1\}^m$ such that $y = Ax$. If one can invert this function, then one can approximate the minimum vector length in any lattice within a factor of $n$; in other words, if one can solve Ajtai's problem, then one can be given a lattice of dimension $n$ and find a value that is guaranteed to be between $\mu_1$ and $n\mu_1$. So if we assume that no efficient algorithm can approximate $\mu_1$ within a factor of $n$ in the worst case (which is a fairly weak assumption), then, without ever worrying about the input distribution, Ajtai's function is hard to invert on average, even with a very small probability of success [256], which qualifies it as a good cryptographic function. In order to make this function surjective, since we have $2^m$ possible inputs, $m$ must be chosen such that $m \ge n\log q$. One basic implication of this fact is that the input is longer than the output.

6.6.3 Why Is This A Lattice Problem?

Why is this inhomogeneous linear system ($Ax = y \bmod q$) related to a lattice problem? Recall the problem: given $A$ and $y$, find a small solution $x \in \{0,1\}^m$ to the inhomogeneous linear system $Ax = y \bmod q$. We now show that inverting Ajtai's function can be expressed as a lattice problem. Recall that we are not trying to find an arbitrary solution $x$ (which would give us any $x$ that satisfies the system). If one finds any solution $x_0$ to the system of equations, every other solution has the form $x_0 + \mathcal{L}$, where

$$\mathcal{L} = \{\, x \in \mathbb{Z}^m : Ax = 0 \bmod q \,\}, \qquad (6.104)$$

that is, any other solution is the sum of that arbitrary solution $x_0$ and a solution of the homogeneous linear system, and the solutions of the homogeneous system form a lattice. Instead, we want to find a short vector in the coset $x_0 + \mathcal{L}$, that is, the vector of $\mathcal{L}$ closest to $-x_0$, which is by definition an instance of the closest vector problem (CVP).
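An added toy-scale illustration (not code from the dissertation) of (6.103) and (6.104): it evaluates $f_A$, inverts it by brute force over $\{0,1\}^m$ (feasible only because $m$ is tiny), checks that every preimage differs from a fixed one by an element of $\mathcal{L} = \{x \in \mathbb{Z}^m : Ax = 0 \bmod q\}$, and turns a collision into a short nonzero kernel vector, which is the standard route from inverting $f_A$ (or finding collisions) to an $\mathrm{SIS}$ solution with $\beta = \sqrt{m}$. The matrix `A_TOY`, $q = 5$, $n = 2$ and $m = 6$ are constructed for the example and are far below any secure size.

```python
import itertools


def ajtai_f(A, x, q):
    """f_A(x) = A x mod q, eq. (6.103); A is n x m over Z_q, x any integer vector of length m."""
    return tuple(sum(A[i][j] * x[j] for j in range(len(x))) % q for i in range(len(A)))


def in_kernel_lattice(A, v, q):
    """Membership in L = {x in Z^m : A x = 0 mod q}, eq. (6.104)."""
    return all(c == 0 for c in ajtai_f(A, v, q))


def binary_preimages(A, y, q):
    """Brute-force inversion: all x in {0,1}^m with f_A(x) = y.  Exponential in m by design."""
    m = len(A[0])
    return [x for x in itertools.product((0, 1), repeat=m) if ajtai_f(A, x, q) == y]


def coset_structure_holds(A, y, q):
    """Every preimage is x0 + l with l in L: the solution set is a coset of the lattice."""
    P = binary_preimages(A, y, q)
    if not P:
        return False
    x0 = P[0]
    return all(in_kernel_lattice(A, tuple(a - b for a, b in zip(x, x0)), q) for x in P)


def collision_to_sis(A, y, q):
    """Two distinct binary preimages give x = x1 - x0 in {-1,0,1}^m, nonzero, with A x = 0 mod q,
    i.e. an SIS_{n,q,m,beta} solution with ||x||_2 <= sqrt(m).  Returns None if no collision."""
    P = binary_preimages(A, y, q)
    if len(P) < 2:
        return None
    return tuple(a - b for a, b in zip(P[1], P[0]))


def output_count(A, q):
    """Number of distinct outputs of f_A on {0,1}^m; with 2^m > q^n, collisions must exist."""
    m = len(A[0])
    return len({ajtai_f(A, x, q) for x in itertools.product((0, 1), repeat=m)})


# Constructed toy instance: n = 2 equations, m = 6 variables, q = 5 (64 inputs, at most 25 outputs).
A_TOY = [[1, 2, 3, 4, 0, 1],
         [2, 1, 0, 3, 4, 1]]
Q_TOY = 5
```

With these parameters $m = 6 \ge n\log_2 q \approx 4.6$, so the pigeonhole argument of the text applies: `output_count` is at most $q^n = 25$ while there are $2^6 = 64$ inputs, and `collision_to_sis` finds a colliding pair for the target $y = (4, 1)$.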


6.6.4 A Lattice Trapdoor With GA

We now consider 2-dimensional multivectors whose coefficients are all in $\mathbb{Z}_q$. We denote such multivectors as members of $\mathbb{G}^2_q$ for some prime $q$. Let $m$ be a perfect square and generate $m - \sqrt m$ uniform multivectors such that

$$\bar A_1, \ldots, \bar A_{m-\sqrt m} \leftarrow \mathbb{G}^2_q. \qquad (6.105)$$

Generate uniform values $x_1, \ldots, x_{2\sqrt m} \leftarrow \mathbb{Z}_q$ and define them as the coefficients of $\sqrt m$ multivectors such that

$$\begin{aligned}
\bar B_1 &= x_1\bar e_0 + x_1\bar e_1 + x_2\bar e_2 + (-x_2)\bar e_{12}, \\
&\;\;\vdots \\
\bar B_{\sqrt m} &= x_{2\sqrt m-1}\bar e_0 + x_{2\sqrt m-1}\bar e_1 + x_{2\sqrt m}\bar e_2 + (-x_{2\sqrt m})\bar e_{12}.
\end{aligned} \qquad (6.106)$$

Generate uniform values $y_1, \ldots, y_{2\sqrt m} \leftarrow \{0,1\}$ and define them as the coefficients of $\sqrt m$ multivectors such that

$$\begin{aligned}
\bar R_1 &= \tfrac{y_1}{2}\bar e_0 - \tfrac{y_1}{2}\bar e_1 + \tfrac{y_2}{2}\bar e_2 + \tfrac{y_2}{2}\bar e_{12}, \\
&\;\;\vdots \\
\bar R_{\sqrt m} &= 0\bar e_0 + 0\bar e_1 + \tfrac{y_{2\sqrt m}}{2}\bar e_2 + \tfrac{y_{2\sqrt m}}{2}\bar e_{12},
\end{aligned} \qquad (6.107)$$

(under (6.76), $\bar R_1$ corresponds to the matrix $\begin{pmatrix} 0 & y_2 \\ 0 & y_1\end{pmatrix}$, that is, the pair $(y_2, y_1)$ placed in the second column, so that $\bar A_k\bar R_i$ represents $A_k$ applied to that column), and

$$\text{for } j = 1\ldots\sqrt m,\qquad \bar S_j = -\Big(\sum_{i=1}^{\sqrt m - 1} \bar A_{(\sqrt m-1)(j-1)+i}\,\bar R_i + \bar B_j\,\bar R_{\sqrt m}\Big), \qquad (6.108)$$

where for $m = 16$ the index $(\sqrt m-1)(j-1)+i$ reads $3j-3+i$. Then we compute $\sqrt m$ multivectors $\bar D_j$ such that

$$\bar D_j = \bar B_j + \bar S_j,\qquad j = 1\ldots\sqrt m. \qquad (6.109)$$

Our lattice is then represented by

$$\mathcal{L} = \big(\bar A_1, \ldots, \bar A_{m-\sqrt m},\ \bar D_1, \ldots, \bar D_{\sqrt m}\big), \qquad (6.110)$$

and in order to define our trapdoor $t$ we modify $\bar R_{\sqrt m}$ as follows:

$$\bar R_{\sqrt m} = \tfrac12\bar e_0 - \tfrac12\bar e_1 + \tfrac{y_{2\sqrt m}}{2}\bar e_2 + \tfrac{y_{2\sqrt m}}{2}\bar e_{12}, \qquad (6.111)$$

and we define $t$ such that

$$t = \big(\bar R_1, \ldots, \bar R_{\sqrt m}\big). \qquad (6.112)$$

A lattice trapdoor such as the one above is useful for building one-way functions and digital signatures.

6.6.5 Why Does our Lattice Implementation with GA Work?

In our construction, each multivector in $G^2_q$ has a one-to-one mapping with either a matrix in $\mathbb{Z}_q^{2 \times 2}$ or a vector in $\mathbb{Z}_q^2$ according to Definitions 6.6.0.2 and 6.6.0.4. For any m, we have $m - \sqrt{m}$ multivectors $\bar{A}_k$ and $\sqrt{m}$ multivectors $\bar{B}_j$ such that, when we convert all $\bar{A}_k$'s to their respective $2 \times 2$ matrices $A_k$ and each $\bar{B}_j$ to its respective 2-dimensional column vector $b_j$, we have the following:

$$A' = \begin{pmatrix} A_1 & \cdots & A_{\sqrt{m}-1} & b_1 \\ \vdots & \ddots & \vdots & \vdots \\ A_{m-\sqrt{m}-2} & \cdots & A_{m-\sqrt{m}} & b_{\sqrt{m}} \end{pmatrix}, \quad (6.113)$$

which gives us an $\frac{m}{2} \times (\frac{m}{2} - 1)$ matrix $A'$. Recall that all the $\bar{A}_k$'s and the $\bar{B}_j$'s are uniformly generated, thus the matrix $A'$ is a uniformly generated matrix. Converting each multivector $\bar{R}_i$ to its corresponding vector gives us $\sqrt{m}$ vectors $r_i$, which together form an $(\frac{m}{2}-1)$-dimensional column vector $r \in \mathbb{Z}^{m/2-1}$ such that

$$r = \begin{pmatrix} r_1 \\ \vdots \\ r_{\frac{m}{2}-1} \end{pmatrix}. \quad (6.114)$$

Then, we compute an $\frac{m}{2} \times \frac{m}{2}$ matrix A such that

$$A = \big(A' \,\big|\, -A'r\big), \quad (6.115)$$


which is equivalent (it computes the same quantity) to converting all $\bar{S}_j$'s to $\sqrt{m}$-dimensional column vectors $s_j$, so that we have an $\frac{m}{2}$-dimensional vector s such that

$$s = \begin{pmatrix} s_1 \\ \vdots \\ s_{\sqrt{m}} \end{pmatrix} \quad (6.116)$$

where

$$A = \big(A' \,\big|\, -A'r\big) = \big(A' \,\big|\, s\big). \quad (6.117)$$

Finally, we compute a trapdoor vector t such that

$$t = \begin{pmatrix} r \\ 1 \end{pmatrix} \quad (6.118)$$

where

$$At = 0, \quad (6.119)$$

which matches the construction given by Ajtai in [256].

6.6.6 Learning With Errors

Regev defines [258] the “learning from parity with error” problem as follows: given a list of “equations with errors”

$$\begin{aligned} \langle s, a_1 \rangle &\approx_\epsilon b_1 \pmod 2 \\ \langle s, a_2 \rangle &\approx_\epsilon b_2 \pmod 2 \\ &\;\;\vdots \\ \langle s, a_t \rangle &\approx_\epsilon b_t \pmod 2 \end{aligned} \quad (6.120)$$


where n is an integer such that $n \geq 1$, $\epsilon$ is a number such that $\epsilon \geq 0$, the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_2^n$, $\langle s, a_i \rangle = \sum_j s_j (a_i)_j$ is the inner product modulo 2 of s and $a_i$, and each equation is correct independently with probability $1 - \epsilon$, solve for s. If $\epsilon = 0$, the problem can be efficiently solved with Gaussian elimination. If $\epsilon > 0$, the problem becomes significantly harder. Regev remarks that this learning problem becomes even harder with higher moduli. If we let $p = p(n) \leq \mathrm{poly}(n)$ be some prime integer, then consider the following list of “equations with error”:

$$\begin{aligned} \langle s, a_1 \rangle &\approx_\chi b_1 \pmod p \\ \langle s, a_2 \rangle &\approx_\chi b_2 \pmod p \\ &\;\;\vdots \\ \langle s, a_t \rangle &\approx_\chi b_t \pmod p \end{aligned} \quad (6.121)$$

where $s \in \mathbb{Z}_p^n$, the $a_i$ are chosen independently and uniformly from $\mathbb{Z}_p^n$, and $b_i \in \mathbb{Z}_p$. The error in the above equations is given by a probability distribution $\chi : \mathbb{Z}_p \to \mathbb{R}^+$ on $\mathbb{Z}_p$. In other words, for all i, $b_i = \langle s, a_i \rangle + e_i$ for $e_i \in \mathbb{Z}_p$ chosen independently according to $\chi$. This problem is called learning with errors and is denoted by $\mathrm{LWE}_{p,\chi}$. This problem can be instantiated in many ways. One well-known [258, 274, 275] way to instantiate it is as follows: let $A \in \mathbb{Z}_q^{n \times m}$ be uniformly generated. Let $s \in \mathbb{Z}_q^n$ be a short (in norm) nonzero vector and let $e \in \mathbb{Z}^m$ be a “small” error vector (a vector with small coefficients). Given

$$s^T A + e^T = b, \quad (6.122)$$

where $b \in \mathbb{Z}_q^m$, solve for s. It is clear that we can immediately instantiate this problem in GA as follows: let $s = T_s(s)$, $a = T_S(A)$, and $e = T_s(e)$, such that

$$b = sa + e. \quad (6.123)$$

However, there is a simpler way. To illustrate it, consider the following example: let n = 4, m = 8, and q = 257. Then,


$$s = \begin{pmatrix} s_1 \\ s_2 \\ s_3 \\ s_4 \end{pmatrix}, \quad A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{18} \\ a_{21} & a_{22} & \cdots & a_{28} \\ a_{31} & a_{32} & \cdots & a_{38} \\ a_{41} & a_{42} & \cdots & a_{48} \end{pmatrix}, \quad e = \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_8 \end{pmatrix}. \quad (6.124)$$

We compute b in the same way as in (6.122). Instead, however, we can consider $s \in \mathbb{Z}_q^n$ and $e \in \mathbb{Z}^m$ as “virtual” augmented matrices (that is, we do not actually need to augment them, but just treat them as augmented) $S \in \mathbb{Z}_q^{4 \times 8}$ and $E \in \mathbb{Z}^{8 \times 8}$ such that

$$S = \begin{pmatrix} s_1 & 0 & \cdots & 0 \\ s_2 & 0 & \cdots & 0 \\ s_3 & 0 & \cdots & 0 \\ s_4 & 0 & \cdots & 0 \end{pmatrix}, \quad E = \begin{pmatrix} e_1 & 0 & \cdots & 0 \\ e_2 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ e_8 & 0 & \cdots & 0 \end{pmatrix}. \quad (6.125)$$

We then compute

$$S^T A + E^T = B = \begin{pmatrix} b_1 & b_2 & \cdots & b_8 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad (6.126)$$


where it is clear that B = b and (6.126) is equivalent to (6.122). If we break $S^T A + E^T$ into two steps, we first compute $S^T A = X$, which gives

$$S^T A = \begin{pmatrix} s_1 & s_2 & s_3 & s_4 \\ 0 & 0 & 0 & 0 \\ \vdots & \vdots & \vdots & \vdots \\ 0 & 0 & 0 & 0 \end{pmatrix} \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{18} \\ a_{21} & a_{22} & \cdots & a_{28} \\ a_{31} & a_{32} & \cdots & a_{38} \\ a_{41} & a_{42} & \cdots & a_{48} \end{pmatrix} = X \quad (6.127)$$

where

$$X = \begin{pmatrix} x_1 & x_2 & \cdots & x_8 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix}. \quad (6.128)$$

Then we compute $B = X + E^T$. We can rewrite $S^T$, A, and $E^T$ in terms of fourteen $2 \times 2$ block matrices (only the nonzero block rows of $S^T$ and $E^T$ are listed) such that

$$S^T = \begin{pmatrix} S_1 & S_2 \end{pmatrix}, \quad A = \begin{pmatrix} A_1 & A_2 & A_3 & A_4 \\ A_5 & A_6 & A_7 & A_8 \end{pmatrix}, \quad E^T = \begin{pmatrix} E_1 & E_2 & E_3 & E_4 \end{pmatrix}. \quad (6.129)$$


Now, consider a conversion of each block to a multivector in $G^2$, which gives

$$s = \big(\bar{S}_1, \bar{S}_2\big), \quad a = \big(\bar{A}_1, \ldots, \bar{A}_8\big), \quad e = \big(\bar{E}_1, \ldots, \bar{E}_4\big). \quad (6.130)$$

We compute $sa + e = b$ as follows: first, we compute x such that

$$x = \big(\bar{S}_1\bar{A}_1 + \bar{S}_2\bar{A}_5,\; \bar{S}_1\bar{A}_2 + \bar{S}_2\bar{A}_6,\; \bar{S}_1\bar{A}_3 + \bar{S}_2\bar{A}_7,\; \bar{S}_1\bar{A}_4 + \bar{S}_2\bar{A}_8\big) = \big(\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4\big). \quad (6.131)$$

Then, we compute b such that

$$b = x + e = \big(\bar{X}_1 + \bar{E}_1,\; \bar{X}_2 + \bar{E}_2,\; \bar{X}_3 + \bar{E}_3,\; \bar{X}_4 + \bar{E}_4\big). \quad (6.132)$$

It is important to remark that one does not really need to work with matrices at all. We can concentrate all the computations on the corresponding multivectors. We only showed the matrix correspondence so one can easily visualize the coherence between the two algebraic structures.
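The block-wise LWE sample of (6.129)-(6.132), as an added example that is not code from the dissertation: the sample $b = s^T A + e^T$ of (6.122) is computed from $2 \times 2$ blocks with the geometric product in $G^2_q$ and checked against ordinary matrix arithmetic. It assumes the matrix-to-multivector map written out in (7.9), stores a $G^2$ multivector as its coefficients $(\bar{e}_0, \bar{e}_1, \bar{e}_2, \bar{e}_{12})$, takes q to be an odd prime (so the halves in (7.9) exist mod q), and goes beyond the text's n = 4, m = 8 by accepting any even n and m.

```python
# Added example (not code from the dissertation): the LWE sample b = s^T A + e^T of
# (6.122), computed block-wise with the geometric product in G^2_q as in
# (6.129)-(6.132), and checked against plain matrix arithmetic. Assumptions: the
# matrix-to-multivector map is the one written out in (7.9), a G^2 multivector is
# stored as its coefficients (e0, e1, e2, e12), and q is an odd prime so that the
# halves in (7.9) exist mod q.
import random

Q = 257                  # modulus of the worked example (n = 4, m = 8)
INV2 = pow(2, -1, Q)     # 2^{-1} mod q, used for the halves in (7.9)


def geometric_product_g2(x, y, q=Q):
    """Geometric product in G^2_q with e1^2 = e2^2 = 1, e12 = e1 e2, e12^2 = -1."""
    x0, x1, x2, x3 = x
    y0, y1, y2, y3 = y
    return (
        (x0 * y0 + x1 * y1 + x2 * y2 - x3 * y3) % q,   # e0
        (x0 * y1 + x1 * y0 - x2 * y3 + x3 * y2) % q,   # e1
        (x0 * y2 + x2 * y0 + x1 * y3 - x3 * y1) % q,   # e2
        (x0 * y3 + x3 * y0 + x1 * y2 - x2 * y1) % q,   # e12
    )


def mv_add(x, y, q=Q):
    return tuple((a + b) % q for a, b in zip(x, y))


def to_multivector(h, q=Q):
    """T_M of (7.9): 2x2 block [[a, k], [p, b]] -> (e0, e1, e2, e12) coefficients mod q."""
    (a, k), (p, b) = h
    return ((a + b) * INV2 % q, (a - b) * INV2 % q,
            (k + p) * INV2 % q, (k - p) * INV2 % q)


def to_matrix(mv, q=Q):
    """Inverse of T_M: coefficients -> 2x2 block (a = c0 + c1, b = c0 - c1, ...)."""
    c0, c1, c2, c3 = mv
    return [[(c0 + c1) % q, (c2 + c3) % q], [(c2 - c3) % q, (c0 - c1) % q]]


def lwe_sample_matrix(s, A, e, q=Q):
    """Reference: b = s^T A + e^T mod q with ordinary integer arithmetic."""
    n, m = len(s), len(e)
    return [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]


def block(M, r, c):
    """The 2x2 block of M whose top-left entry is M[r][c]."""
    return [[M[r][c], M[r][c + 1]], [M[r + 1][c], M[r + 1][c + 1]]]


def lwe_sample_ga(s, A, e, q=Q):
    """Same b, from the 2x2 blocks of (6.129) via (6.131)-(6.132); n and m must be even."""
    n, m = len(s), len(e)
    # S^T: its only nonzero row is s, so its blocks are [[s_{2j-1}, s_{2j}], [0, 0]]
    S = [to_multivector([[s[2 * i], s[2 * i + 1]], [0, 0]], q) for i in range(n // 2)]
    # A as n/2 block rows and m/2 block columns (A_1..A_8 when n = 4, m = 8)
    Ab = [[to_multivector(block(A, 2 * i, 2 * j), q) for j in range(m // 2)]
          for i in range(n // 2)]
    # E^T: its only nonzero row is e
    Eb = [to_multivector([[e[2 * j], e[2 * j + 1]], [0, 0]], q) for j in range(m // 2)]
    b = []
    for j in range(m // 2):
        x = (0, 0, 0, 0)
        for i in range(n // 2):          # X_j = S_1 A_j + S_2 A_{j + m/2} + ...
            x = mv_add(x, geometric_product_g2(S[i], Ab[i][j], q), q)
        Bj = to_matrix(mv_add(x, Eb[j], q), q)   # B_j = X_j + E_j, as in (6.132)
        b.extend(Bj[0])                  # its first row is (b_{2j-1}, b_{2j})
    return b


def demo(seed=1, n=4, m=8):
    """Constructed instance with a fixed seed (not a secure generator); returns both b's."""
    rng = random.Random(seed)
    s = [rng.randrange(1, Q) for _ in range(n)]
    A = [[rng.randrange(Q) for _ in range(m)] for _ in range(n)]
    e = [rng.randrange(-3, 4) for _ in range(m)]   # "small" error vector
    return lwe_sample_matrix(s, A, e), lwe_sample_ga(s, A, e)


if __name__ == "__main__":
    print(demo())
```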

6.7 Conclusions

Through a concrete construction of an encryption scheme, we present p-adic numbers as a candidate solution for achieving modern definitions of security. Our leveled FHE scheme based on Hensel codes has a compact and very simple description, and yet we show that under proper parameter configurations it can be CPA-secure. Additionally, we introduce a mapping between matrices and multivectors that allows us to construct lattice-based cryptographic tools using the same GA structure that we previously applied to a number of cryptographic resources. For all the constructions based on p-adic numbers, GA, or both, the entire mechanism of the construction is computationally and conceptually simple. Through the variety of examples implemented we highlight the flexibility and usefulness of these tools. Thus, the ideas discussed in this chapter have great relevance, since they add to our contributions the single most important factor of any cryptographic tool, namely, security properties. We consider that the versatility of our constructions, combined with the security properties we have the opportunity to explore, is evidence of the importance and validity of p-adic numbers and GA to cryptography.

CHAPTER 7

The Framework

As discussed in Chapter 2, we refer to the notion of “framework” discussed by Hestenes in [39], that is, a collection of mathematical resources that are used to construct solutions in the form of mathematical languages, which are then used in a structured way in order to produce practical applications. The language and the structure do not change and do not need to be translated according to what type of application is being built. For any collection of mathematical resources with this property, we refer to it as a mathematical system or a framework. From a practical standpoint, the homomorphic image processing scheme discussed in Chapter 5 is a concrete example of a homomorphic framework. However, it is application-specific, so we want to discuss this concept in a broader and more abstract way (still directly related to our concrete contributions). Before we discussed our contributions with p-adic numbers and GA, we introduced a small set of very simple mathematical functions on which our contributions entirely rest. From that point on, we introduced algorithms that are also meant to be application agnostic. Once our algorithms are implemented, one does not need to be concerned with the particular core operations that are computed at a lower level. In fact, even the most fundamental mathematical operations such as addition and multiplication can be performed in terms of high-level algorithms at the application level. In order to highlight how compact the set of core functions used on both p-adic numbers and GA is, we present Tables 7.1 and 7.2. Based on these core functions, we have proposed a catalogue of cryptography-related constructions for a broad variety of purposes, as shown in Tables 7.3 and 7.4. Based on the presented collection of concrete constructions, we can abstract a model for the conception of homomorphic applications, that is, applications that only consider encrypted data as input. An overview of this abstract model is shown in Figure 7.1. We consider that the inputs might include strings, integers, rational numbers, vectors, matrices, still images, videos, etc. Whatever the data format of the input, we encode it homomorphically and probabilistically. The reason for this is that we want to conform different types of input to a single data structure that is understood in our model, without losing the ability to work with that data in a meaningful way. As an example, if the input data are images, we want to homomorphically and probabilistically encode that data and then encrypt it, while at the same time we want to mathematically operate on the pixels of any given image in order to, for instance, increase the brightness or apply a mask. Data can be encoded either as integers (which allows working with Hensel codes and the approximate-gcd problem) or as multivectors, which allow us to explore options within lattice-based cryptography. However, these choices do not need to be separated; rather, they can work together in interesting ways, as we show next.

| Description | Syntax |
|---|---|
| p-adic Hensel encoding | $h = H(p, \alpha)$ |
| p-adic Hensel decoding | $\alpha = H^{-1}(p, h)$ |
| g-adic Hensel encoding | $(h_1, \ldots, h_k) = H_g((p_1, \ldots, p_k), \alpha)$ |
| g-adic Hensel decoding | $\alpha = H_g^{-1}((p_1, \ldots, p_k), (h_1, \ldots, h_k))$ |

Table 7.1: Basic Hensel codes functions

| Description | Syntax |
|---|---|
| Clifford conjugation in $G^2$ | $\bar{\bar{M}} = \bar{M}_0 - \bar{M}_1 - \bar{M}_2$ |
| Clifford conjugation in $G^3$ | $\bar{\bar{M}} = \bar{M}_0 - \bar{M}_1 - \bar{M}_2 + \bar{M}_3$ |
| Reverse in $G^2$ | $\bar{M}^\dagger = \bar{M}_0 - \bar{M}_1 + \bar{M}_2$ |
| Reverse in $G^3$ | $\bar{M}^\dagger = \bar{M}_0 - \bar{M}_1 + \bar{M}_2$ |
| Geometric product | $\bar{C} = \bar{A}\bar{B}$ |
| Rationalize | $R(\bar{M})$ |
| Add, subtract, scalar mul and scalar div | Element-wise in $\bar{M}$ |
| Inverse | $\bar{M}^{-1}$ |

Table 7.2: Basic GA functions

| Name | Description |
|---|---|
| Homomorphic data encoding | A general-purpose probabilistic data representation that preserves addition and multiplication. |
| Encryption of rational numbers | An enabler of rational numbers for encryption schemes that only work with integers, while keeping any pre-existing homomorphisms. |
| Deterministic to probabilistic | An enabler of probabilism for deterministic encryption schemes, while keeping any pre-existing homomorphisms. |
| Distributed computation | A homomorphic encryption scheme that allows separate parties to compute a joint function independently, which can be done by physically simultaneous threads in a single server and/or separate computers. |
| Private-key leveled FHE scheme | An encryption scheme whose security is associated with the approximate-gcd problem. |

Table 7.3: Constructions based on Hensel codes.

| Name | Description |
|---|---|
| Homomorphic encryption schemes | Several different instances of homomorphic encryption schemes. |
| Homomorphic image processing | A tool for encrypting images and computing image processing functions on encrypted data. |
| Multivector packing schemes | Homomorphic data representation mechanisms with multivectors. |
| Multivector concealment schemes | Homomorphic data hiding mechanisms with multivectors. |
| Key update protocol | A tool for updating the secret key of existing ciphertexts without exposing the corresponding plaintext. |
| Key exchange protocol | A tool for exchanging a secret key between two parties without exposing the computed key to an eavesdropper. |
| Edge computing protocol | A tool allowing single-time device communication. |
| Hashing algorithm | A lightweight hash algorithm with multivectors. |
| Private-key encryption | A private-key encryption based on the proposed hashing algorithm. |
| Matrix to multivector mapping | An arbitrary-dimensional mapping between matrices and multivectors. |
| GA-based lattice cryptography | Implementations of lattice cryptography with GA. |

Table 7.4: Constructions based on GA.

Figure 7.1: Overview of abstract model of homomorphic applications. (The figure shows inputs such as strings, integers, rational numbers, vectors, matrices, still images and videos passing through homomorphic probabilistic encoding into either Hensel codes (integers, approx-gcd) or GA (multivectors, lattice-crypto), then into SWHE / leveled FHE homomorphic encryption producing homomorphic ciphertexts, and on to homomorphic applications such as homomorphic databases, real-time video encryption, homomorphic image processing and homomorphic smart contracts. Requirements listed: all concrete constructions must allow parallelism; compact code base; only polynomial-time algorithms; must run in edge computing / IoT devices; the execution time of all homomorphic algorithms must be under 1 second.)


7.1 Hensel Codes and GA

Consider a scenario where the input data are matrices. One option is to resort to our private-key leveled FHE scheme for the encryption of the matrices' entries and to convert the matrices to multivectors for performance gains. Given a matrix A such that

$$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{16} \\ a_{21} & a_{22} & \cdots & a_{26} \\ \vdots & \vdots & \ddots & \vdots \\ a_{61} & a_{62} & \cdots & a_{66} \end{pmatrix} \quad (7.1)$$

where $a_{ij} \in \mathbb{Q}$, we encrypt all entries as

$$c_{ij} = \mathrm{Enc}(k, a_{ij}) \quad (7.2)$$

for some secret key k, which gives us an encrypted matrix C from A such that

$$C = \begin{pmatrix} c_{11} & c_{12} & \cdots & c_{16} \\ c_{21} & c_{22} & \cdots & c_{26} \\ \vdots & \vdots & \ddots & \vdots \\ c_{61} & c_{62} & \cdots & c_{66} \end{pmatrix}. \quad (7.3)$$

By converting C into multivectors, we have

$$T_S(C) = \big(\bar{C}_1, \ldots, \bar{C}_9\big) \quad (7.4)$$

and all the homomorphic computations are ready to be performed over multivectors. In this particular case, GA is being used as an efficient algebraic structure that is compatible with the input data. And yet, security is provided solely by Hensel codes.


7.2 GA and Hensel Codes

We can also flip the roles of GA and Hensel codes as follows: consider a lattice-based encryption scheme with GA. In particular, consider an encryption function $\mathrm{Enc}(k, m)$ for some secret key k and some message m that proceeds (at a high level) as follows:

1. Given a secret multivector $\bar{A}$, the message m is converted to a multivector $\bar{X}$ such that $\bar{X}$ represents the $\alpha$-approximated shortest vector of a high-dimensional lattice $\mathcal{L}$ associated with $\bar{A}$, for some factor $\alpha$.

2. The ciphertext is computed such that $\bar{C} = \bar{A}\bar{X}$.

Solving for $\bar{X}$ must be equivalent to solving for the $\alpha$-approximated shortest vector of $\mathcal{L}$, which we assume is hard. In this scenario, security is clearly related to the $\alpha$-approximated SVP. However, we can still use Hensel codes for utility reasons. Consider that the universe of all possible messages m is some subset of the rational numbers. In this case, since we want to work with lattices of positive integers, we can consider some prime p, which does not need to be secret, with which we can encode m to h such that $h = H(p, m)$. Now we have an encryption scheme that combines GA and Hensel codes, and yet Hensel codes are not being used for security reasons.

7.2.1 GA and Hensel Codes as a Single Data Structure

We now propose the combination of GA and Hensel codes into a single algebraic structure. Our motivation is the following: among their many benefits, Hensel codes allow one to work with rational numbers over the integers. Similarly, highlighting just one out of many other benefits, GA allows one to efficiently replace matrix computations with operations over multivectors. In the previous section, we saw that we could work with both GA and Hensel codes by Hensel encoding the rational coefficients of a multivector. What if we could represent a single Hensel code as an entire multivector? We show this is possible following a theorem presented by Kraeft in [276], which is given below.

Theorem 7.2.1.1. All rational numbers are equivalent to each other.


Proof. Let $\frac{m}{n}$ and $\frac{m'}{n'}$ be two reduced fractions; then one can find integer solutions to the equations $m\nu - n\mu = \pm 1$ or $m'\nu' - n'\mu' = \pm 1$ (the proof is given in [277]). It follows that $M = \begin{pmatrix} m & \mu \\ n & \nu \end{pmatrix}$ and $M' = \begin{pmatrix} m' & \mu' \\ n' & \nu' \end{pmatrix}$ are two linear transformations; if $(M')^{-1}$ is the inverse of $M'$ with $M(M')^{-1} = \begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix}$, this is also a linear transformation, so that

$$M = \begin{pmatrix} m & \mu \\ n & \nu \end{pmatrix} = \big(M (M')^{-1}\big) M' = \begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \begin{pmatrix} m' & \mu' \\ n' & \nu' \end{pmatrix} \quad (7.5)$$

with $m = \alpha m' + \beta n'$ and $n = \gamma m' + \delta n'$, such that

$$\frac{m}{n} = \frac{\alpha \frac{m'}{n'} + \beta}{\gamma \frac{m'}{n'} + \delta}, \quad (7.6)$$

as also confirmed in [278].

Taking into consideration the proof of Theorem 7.2.1.1 and the fact that we can rewrite a Hensel code $h = ab^{-1} \bmod p$, for some irreducible fraction $\frac{a}{b}$ and some odd prime p where a, b, p are pairwise coprime, as $h = (a + kp)/b$ for some integer k, we show that we can use the Diophantine equation and Theorem 7.2.1.1 to convert a Hensel code under an odd prime number p into a multivector in $G^2$ even if we do not satisfy $m\nu - n\mu = \pm 1$.

Theorem 7.2.1.2. Given an odd prime number p, for all Hensel codes $h \in \mathbb{Z}_p$ written in the form of a Diophantine equation $h = (a + kp)/b$ where $k = (bh - a)/p$, there is a one-to-one mapping between $h \in \mathbb{Z}_p$ and $\bar{M} \in G^2$ such that

$$h = \frac{a + kp}{b}, \qquad H = \begin{pmatrix} a & k \\ p & b \end{pmatrix}, \qquad \bar{M} = T_M(H). \quad (7.7)$$

Proof. For all $h \in \mathbb{Z}_p$, we can rewrite h as $h = (a + kp)/b$. If we compute k such that $k = (bh - a)/p$, then we check that we can construct a matrix H such that

$$H = \begin{pmatrix} a & k \\ p & b \end{pmatrix}. \quad (7.8)$$

Now we can use Definition 6.6.0.1 to transform H into a multivector $\bar{H}$ such that

$$T_M(H) = \bar{H} = \Big(\frac{a}{2} + \frac{b}{2}\Big)\bar{e}_0 + \Big(\frac{a}{2} - \frac{b}{2}\Big)\bar{e}_1 + \Big(\frac{k}{2} + \frac{p}{2}\Big)\bar{e}_2 + \Big(\frac{k}{2} - \frac{p}{2}\Big)\bar{e}_{12}. \quad (7.9)$$

Let

$$h_1 = \frac{a_1 + k_1 p}{b_1}, \qquad h_2 = \frac{a_2 + k_2 p}{b_2}, \quad (7.10)$$

so we have

$$H_1 = \begin{pmatrix} a_1 & k_1 \\ p & b_1 \end{pmatrix}, \qquad H_2 = \begin{pmatrix} a_2 & k_2 \\ p & b_2 \end{pmatrix} \quad (7.11)$$

and therefore

$$H_1 H_2 = \begin{pmatrix} a_1 a_2 + k_1 p & a_1 k_2 + b_2 k_1 \\ a_2 p + b_1 p & b_1 b_2 + k_2 p \end{pmatrix}. \quad (7.12)$$

It is easy to see that

$$H_1 H_2 \bmod p = \begin{pmatrix} a_1 a_2 & (a_1 k_2 + b_2 k_1) \bmod p \\ 0 & b_1 b_2 \end{pmatrix} \quad (7.13)$$

and therefore

$$H_1 H_2 \equiv \frac{a_1 a_2}{b_1 b_2}. \quad (7.14)$$

By computing $T_M(H_1) = \bar{H}_1$ and $T_M(H_2) = \bar{H}_2$, according to Definition 6.6.0.1 and Definition 6.6.0.2, we know that

$$T_M^{-1}\big(\bar{H}_1 \bar{H}_2\big) = T_M^{-1}\big(\bar{H}_1\big)\, T_M^{-1}\big(\bar{H}_2\big). \quad (7.15)$$

Remark 20. By applying Theorem 7.2.1.2, we unlock several new opportunities in mapping matrices to multivectors in terms of representation techniques. For instance, we can reorganize square matrices in terms of Hensel-code $2 \times 2$ matrices, which can be converted directly to Hensel codes. Each Hensel code can then be used as the coefficient of any n-dimensional multivector in GA. The speedups in computation can be even higher than the ones discussed previously. For instance, an $8 \times 8$ matrix can be rewritten as 16 $2 \times 2$ matrices and then converted to 16 Hensel codes. Now we can represent the original matrix as a single 4-dimensional multivector $M \in G^4$, which has 16 coefficients.

Remark 21. Another benefit of Theorem 7.2.1.2 is that we can use the theory of Hensel codes over multivectors.
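Theorem 7.2.1.2 and its proof, as an added example that is not code from the dissertation: a Hensel code is written in the Diophantine form $h = (a + kp)/b$, packed into the matrix H of (7.8), and the product of two such matrices is reduced mod p as in (7.13) to recover the Hensel code of the product fraction, alongside the map $T_M$ of (7.9) and its inverse. It assumes an odd prime p, reduced fractions with $\gcd(b, p) = 1$, and evaluates $T_M$ over the rationals with fractions.Fraction.

```python
# Added example (not the dissertation's code): a Hensel code h = a b^{-1} mod p in the
# Diophantine form h = (a + k p)/b of Theorem 7.2.1.2, packed into the 2x2 matrix H of
# (7.7)/(7.8), together with the product property (7.12)-(7.14): H1 H2 reduced mod p
# carries the Hensel code of (a1 a2)/(b1 b2). Assumptions: p is an odd prime, a/b is
# reduced with gcd(b, p) = 1, and T_M is the map written out in (7.9), computed here
# over the rationals with fractions.Fraction.
from fractions import Fraction
from math import gcd


def hensel_encode(p, a, b):
    """h = H(p, a/b) = a * b^{-1} mod p (the syntax of Table 7.1)."""
    if gcd(b, p) != 1:
        raise ValueError("denominator must be invertible mod p")
    return a * pow(b, -1, p) % p


def hensel_matrix(p, a, b):
    """H = [[a, k], [p, b]] with k = (b h - a)/p, so that h = (a + k p)/b."""
    h = hensel_encode(p, a, b)
    k, rem = divmod(b * h - a, p)     # exact: b h is congruent to a mod p
    assert rem == 0
    return [[a, k], [p, b]]


def matmul2(X, Y):
    """Plain 2x2 integer matrix product."""
    return [[sum(X[i][t] * Y[t][j] for t in range(2)) for j in range(2)]
            for i in range(2)]


def matrix_to_hensel(p, H):
    """Read the Hensel code back from H or from a product H1 H2, via (7.13): the
    diagonal mod p is (a, b) and the lower-left entry vanishes mod p."""
    assert H[1][0] % p == 0
    return hensel_encode(p, H[0][0] % p, H[1][1] % p)


def to_multivector(H):
    """T_M of (7.9): [[a, k], [p, b]] -> (e0, e1, e2, e12) coefficients."""
    (a, k), (p, b) = H
    half = Fraction(1, 2)
    return ((a + b) * half, (a - b) * half, (k + p) * half, (k - p) * half)


def to_matrix(mv):
    """Inverse of T_M: a = c0 + c1, b = c0 - c1, k = c2 + c3, p = c2 - c3."""
    c0, c1, c2, c3 = mv
    return [[c0 + c1, c2 + c3], [c2 - c3, c0 - c1]]


def check_product(p, a1, b1, a2, b2):
    """(Hensel code read from H1 H2, direct Hensel code of (a1 a2)/(b1 b2))."""
    H1, H2 = hensel_matrix(p, a1, b1), hensel_matrix(p, a2, b2)
    return matrix_to_hensel(p, matmul2(H1, H2)), hensel_encode(p, a1 * a2, b1 * b2)


if __name__ == "__main__":
    # constructed instance: p = 257 with the fractions 3/4 and 5/7
    print(hensel_matrix(257, 3, 4), hensel_matrix(257, 5, 7))
    print(check_product(257, 3, 4, 5, 7))
    print(to_multivector(hensel_matrix(257, 3, 4)))
```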

7.3 How To Build Custom Schemes

By combining the ideas in Section 7.1 and Section 7.2, it is clear that numerous other schemes can be conceived with these two mathematical resources. We discuss a simple but interesting example next.

7.3.1 Short Integer Solution

Consider that one wants to create a cryptographic function whose security is associated with the Short Integer Solution problem $\mathrm{SIS}_{n,q,m,\beta}$, which can be described as follows: given a matrix $A \in \mathbb{Z}_q^{n \times m}$, find a vector $r \in \mathbb{Z}_q^m$ such that $Ar = 0 \bmod q$ where $\|r\| \leq \beta$ for some bound $\beta$. We immediately see that this problem can be efficiently represented with GA as follows: let

$$T_S(A) = \big(\bar{A}_1, \ldots, \bar{A}_{(n/2)^2}\big) \quad (7.16)$$

and

$$T_s(r) = \big(\bar{R}_1, \ldots, \bar{R}_{m/2}\big). \quad (7.17)$$

What we have now is a lattice trapdoor with GA, as discussed in Section 6.6.4. Since the $\bar{R}_i$ represent a short vector bounded by $\beta$ that satisfies the $\mathrm{SIS}_{n,q,m,\beta}$ problem, this is an optimization problem, which is considered to be hard.

7.3.2 A Password Generation Application

In order to highlight how broad the possibilities are in terms of creating security applications using our fundamental building blocks, consider a password generation application. We want to show that this type of utility can be easily implemented with some of our most basic components. For this particular application we consider the following specifications: our password generation application must

1. Produce passwords with size that is multiple of eight, with minimum size being eight characters;

2. Take into consideration the ASCII table [279], with characters encoded as integers from 0 to 127;

3. Produce passwords with at least one lowercase letter, one uppercase letter, one number, and one special character.

We also need to take into consideration the following: characters encoded with

• 0-31 are not printable. They are called control characters, and for this reason we cannot generate them as part of the password;

• 32-126 are the printable characters from the ASCII table.

The above considerations are important because we want to work with numbers and at the same time we want to make sure we produce a password that is printable and conforms to the specifications we elected. For this example, we choose to work with GA. We will manipulate multivectors in the three-dimensional product space with computations reduced modulo 128, which is denoted by $G^3_{128}$.


This simple application can be constructed as follows: let the user select a multiple of 8. Suppose the user selects 16. This means that we need to generate a password of length 16. Since multivectors in $G^3_{128}$ have 8 coefficients, each ranging from 0 to 127, we will need two multivectors in $G^3_{128}$ to compose the final password. In fact, we will always work in blocks of two in order to generate the final password. The procedure is described below:

1. Generate two uniformly random multivectors $\bar{X}_1, \bar{X}_2 \in G^3_{128}$;

2. Generate two uniformly random multivectors $\bar{B}_1, \bar{B}_2 \in G^3_{128}$;

3. Compute a list P with two multivectors $\bar{P}_1$ and $\bar{P}_2$ which are the geometric products of $\bar{X}_1$ and $\bar{B}_1$, and of $\bar{X}_2$ and $\bar{B}_2$, respectively, such that

$$P = \big(\bar{X}_1\bar{B}_1, \bar{X}_2\bar{B}_2\big) = \big(\bar{P}_1, \bar{P}_2\big). \quad (7.18)$$

4. Check if all coefficients of P¯1 and P¯2 are in the range 32 to 126. If not, restart the procedure. If yes, continue.

5. Check if there is at least one coefficient in either P¯1 or P¯2 within 33 and 47 or 123 to 126 (a smaller subset of special characters). If not, restart the procedure. If yes, continue.

6. Check if there is at least one coefficient in either P¯1 or P¯2 within 48 and 57 (numbers). If not, restart the procedure. If yes, continue.

7. Check if there is at least one coefficient in either P¯1 or P¯2 within 65 and 90 (uppercase letters). If not, restart the procedure. If yes, continue.

8. Check if there is at least one coefficient in either P¯1 or P¯2 within 97 and 122 (lowercase letters). If not, restart the procedure. If yes, continue.

9. Replace the coefficients of $\bar{P}_1$ and $\bar{P}_2$ with their corresponding characters, concatenate all the coefficients and output the password.


7.3.2.1 A Numerical Example

We repeat the procedure described previously in order to provide a numerical example at each step:

1. Generate two uniformly random multivectors $\bar{X}_1, \bar{X}_2 \in G^3_{128}$. We have:

$$\begin{aligned} \bar{X}_1 &= 90\bar{e}_0 + 124\bar{e}_1 + 72\bar{e}_2 + 90\bar{e}_3 + 71\bar{e}_{12} + 117\bar{e}_{13} + 85\bar{e}_{23} + 79\bar{e}_{123}, \\ \bar{X}_2 &= 121\bar{e}_0 + 126\bar{e}_1 + 78\bar{e}_2 + 75\bar{e}_3 + 95\bar{e}_{12} + 64\bar{e}_{13} + 67\bar{e}_{23} + 80\bar{e}_{123}. \end{aligned} \quad (7.19)$$

2. Generate two uniformly random multivectors $\bar{B}_1, \bar{B}_2 \in G^3_{128}$. We have:

$$\begin{aligned} \bar{B}_1 &= 89\bar{e}_0 + 103\bar{e}_1 + 107\bar{e}_2 + 82\bar{e}_3 + 74\bar{e}_{12} + 85\bar{e}_{13} + 100\bar{e}_{23} + 122\bar{e}_{123}, \\ \bar{B}_2 &= 89\bar{e}_0 + 74\bar{e}_1 + 106\bar{e}_2 + 127\bar{e}_3 + 94\bar{e}_{12} + 121\bar{e}_{13} + 70\bar{e}_{23} + 119\bar{e}_{123}. \end{aligned} \quad (7.20)$$

3. Compute a list P with two multivectors $\bar{P}_1$ and $\bar{P}_2$ which are the geometric products of $\bar{X}_1$ and $\bar{B}_1$, and of $\bar{X}_2$ and $\bar{B}_2$, respectively, such that

$$P = \big(\bar{X}_1\bar{B}_1, \bar{X}_2\bar{B}_2\big) = \big(\bar{P}_1, \bar{P}_2\big), \quad (7.21)$$

which gives us

$$\begin{aligned} \bar{P}_1 &= 97\bar{e}_0 + 105\bar{e}_1 + 124\bar{e}_2 + 36\bar{e}_3 + 70\bar{e}_{12} + 102\bar{e}_{13} + 71\bar{e}_{23} + 46\bar{e}_{123}, \\ \bar{P}_2 &= 90\bar{e}_0 + 66\bar{e}_1 + 81\bar{e}_2 + 53\bar{e}_3 + 77\bar{e}_{12} + 67\bar{e}_{13} + 80\bar{e}_{23} + 46\bar{e}_{123}. \end{aligned} \quad (7.22)$$

4. Check if all coefficients of $\bar{P}_1$ and $\bar{P}_2$ are in the range 32 to 127. If not, restart the procedure. If yes, continue. We check that all coefficients of $\bar{P}_1$ and $\bar{P}_2$ are between 32 and 127. So we continue.


5. Check if there is at least one coefficient in either $\bar{P}_1$ or $\bar{P}_2$ within 33 and 47 or 123 to 126 (a smaller subset of special characters). If not, restart the procedure. If yes, continue. We check that $\bar{P}_1$ has $36\bar{e}_3$, $124\bar{e}_2$ and $46\bar{e}_{123}$ and $\bar{P}_2$ has $46\bar{e}_{123}$. So we continue.

6. Check if there is at least one coefficient in either $\bar{P}_1$ or $\bar{P}_2$ within 48 and 57 (numbers). If not, restart the procedure. If yes, continue. We check that $\bar{P}_2$ has $53\bar{e}_3$. So we continue.

7. Check if there is at least one coefficient in either $\bar{P}_1$ or $\bar{P}_2$ within 65 and 90 (uppercase letters). If not, restart the procedure. If yes, continue. We check that $\bar{P}_1$ has $70\bar{e}_{12}$ and $71\bar{e}_{23}$ and $\bar{P}_2$ has $90\bar{e}_0$, $66\bar{e}_1$, $81\bar{e}_2$, $77\bar{e}_{12}$, $67\bar{e}_{13}$, and $80\bar{e}_{23}$. So we continue.

8. Check if there is at least one coefficient in either $\bar{P}_1$ or $\bar{P}_2$ within 97 and 122 (lowercase letters). If not, restart the procedure. If yes, continue. We check that $\bar{P}_1$ has $97\bar{e}_0$, $105\bar{e}_1$, and $102\bar{e}_{13}$. So we continue.

9. Replace the coefficients of $\bar{P}_1$ and $\bar{P}_2$ with their corresponding characters, concatenate all the coefficients and output the password: the list of all coefficients together is

$$97, 105, 124, 36, 70, 102, 71, 46, 90, 66, 81, 53, 77, 67, 80, 46 \quad (7.23)$$

and the ASCII representation gives us the following password:

ai|$FfG.ZBQ5MCP (7.24)

and we conclude the password generation.
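The nine-step procedure of Section 7.3.2 and the numerical example above, as an added example that is not the dissertation's code: the geometric product in $G^3_{128}$ is computed from basis blades treated as bitmasks with $\bar{e}_i^2 = 1$ (an assumption that reproduces (7.22)), the range and character-class checks are steps 4 to 8, and a restart loop implements steps 1 to 9 for any length that is a multiple of 8.

```python
# Added example (not the dissertation's code): the password generation procedure of
# Section 7.3.2 over G^3_128. Assumptions: the blades e1, e2, e3 square to +1 and a
# blade is a bitmask (e1 = 1, e2 = 2, e3 = 4), so the reordering sign of a product is
# counted from the bits; coefficients are ordered (e0, e1, e2, e3, e12, e13, e23, e123)
# as in (7.19).
import random

MOD = 128
BLADES = (0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111)
POS = {blade: i for i, blade in enumerate(BLADES)}   # blade bitmask -> coefficient index


def blade_sign(a, b):
    """Sign of e_a e_b once the generators are sorted into canonical order (e_i^2 = +1)."""
    swaps = 0
    rest = a
    while rest:
        low = rest & -rest                       # lowest generator still in a
        swaps += bin(b & (low - 1)).count("1")   # generators of b it has to move past
        rest ^= low
    return -1 if swaps & 1 else 1


def geometric_product_g3(x, y, mod=MOD):
    """Geometric product of two multivectors of G^3_mod given as 8 coefficients."""
    out = [0] * 8
    for i, a in enumerate(BLADES):
        for j, b in enumerate(BLADES):
            k = POS[a ^ b]                       # e_a e_b = +/- e_{a xor b}
            out[k] = (out[k] + blade_sign(a, b) * x[i] * y[j]) % mod
    return tuple(out)


# character classes of steps 5 to 8 (ASCII codes)
SPECIAL = set(range(33, 48)) | set(range(123, 127))
DIGITS = set(range(48, 58))
UPPER = set(range(65, 91))
LOWER = set(range(97, 123))


def passes_checks(coeffs):
    """Steps 4 to 8: every code printable (32..126) and each required class present."""
    if not all(32 <= c <= 126 for c in coeffs):
        return False
    present = set(coeffs)
    return all(present & cls for cls in (SPECIAL, DIGITS, UPPER, LOWER))


def password_from(xs, bs):
    """Steps 3 to 9 for given X_i, B_i: products, checks, ASCII; None if a check fails."""
    coeffs = []
    for x, b in zip(xs, bs):
        coeffs.extend(geometric_product_g3(x, b))
    if not passes_checks(coeffs):
        return None
    return "".join(chr(c) for c in coeffs)


def generate_password(length=16, seed=None, max_attempts=1_000_000):
    """Steps 1 to 9 with restarts: draw X_i, B_i uniformly from G^3_128 until the
    products pass every check. length must be a multiple of 8, at least 8."""
    if length < 8 or length % 8:
        raise ValueError("length must be a positive multiple of 8")
    # a seed only makes a demo reproducible; leave it None for an OS-backed generator
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    blocks = length // 8                         # one multivector per 8 characters
    for _ in range(max_attempts):
        xs = [tuple(rng.randrange(MOD) for _ in range(8)) for _ in range(blocks)]
        bs = [tuple(rng.randrange(MOD) for _ in range(8)) for _ in range(blocks)]
        pw = password_from(xs, bs)
        if pw is not None:
            return pw
    raise RuntimeError("no product passed the checks")


# the multivectors of (7.19) and (7.20), copied from the numerical example
X1 = (90, 124, 72, 90, 71, 117, 85, 79)
X2 = (121, 126, 78, 75, 95, 64, 67, 80)
B1 = (89, 103, 107, 82, 74, 85, 100, 122)
B2 = (89, 74, 106, 127, 94, 121, 70, 119)

if __name__ == "__main__":
    print(geometric_product_g3(X1, B1), geometric_product_g3(X2, B2))
    print(password_from([X1, X2], [B1, B2]))
    print(generate_password(16, seed=7))
```

On the multivectors of (7.19) and (7.20) it returns $\bar{P}_2$ exactly as in (7.22) and $\bar{P}_1$ with every coefficient as printed except the $\bar{e}_{123}$ one, which comes out as 113 (a lowercase q, so every check still passes); the 16 codes listed in (7.23) map to the 16-character string ai|$FfG.ZBQ5MCP. with a trailing period.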

7.3.2.2 Why A Password Generation Application with GA

If we don’t have any addition purpose in generating a password, we could achieve a password generation without having to use GA at all, which would be actually much simpler. If we want to use GA for this task, we might as well have extra goals that could justify resorting to GA in the first place. The password generating in the previous section involves a mathematics that we can explore for further utility. For instance, we can consider a password

162 7.3. How To Build Custom Schemes

generation that would generate passwords in terms of hierarchy where one administrator could have access to any level in the hierarchy without having to store all the passwords. Consider that one administrator wants to generate a master password. For that, the following multivectors are randomly selected: X¯ ,X¯ G3 and B¯ ,B¯ G3 . Now, the 1 2 ∈ 128 1 2 ∈ 128 multivectors P¯1 and P¯2 are generated as follows:

$$\bar{P}_1 = \bar{X}_1\bar{B}_1 + \bar{B}_1\bar{X}_2, \qquad \bar{P}_2 = \bar{X}_1\bar{B}_2 + \bar{B}_2\bar{X}_2. \quad (7.25)$$

Then we run all 9 steps from the previous section to check if $\bar{P}_1$ and $\bar{P}_2$ satisfy the requirements of the password generation. In order to generate another password for a higher level in the hierarchy, the administrator can use the same $\bar{X}_1, \bar{X}_2$ and $\bar{B}_1, \bar{B}_2$ as follows:

$$\bar{P}_3 = \big(\bar{X}_1\bar{X}_1\big)\bar{B}_1 + \bar{B}_1\big(\bar{X}_2\bar{X}_2\big), \qquad \bar{P}_4 = \big(\bar{X}_1\bar{X}_1\big)\bar{B}_2 + \bar{B}_2\big(\bar{X}_2\bar{X}_2\big), \quad (7.26)$$

and we run all 9 steps of the password generation. At every new password generation, a new $\bar{X}_i$ is added within the parentheses of the construction of each $\bar{P}_i$, always checking whether all 9 steps pass. If a single step does not pass, then a new $\bar{X}_i$ is added within the parentheses and the password generation continues.

The administrator just needs to store $\bar{X}_1, \bar{X}_2$ and $\bar{B}_1, \bar{B}_2$ and from these generate on demand thousands of passwords while having full control of them. For instance, from the stored $\bar{X}_1, \bar{X}_2$ and $\bar{B}_1, \bar{B}_2$, the administrator can compute every next level in the hierarchy. Perhaps more interestingly, from any existing password the administrator can check which level the password comes from. For instance, given $\bar{P}_1$ and $\bar{P}_2$, the administrator can check if

$$\begin{aligned} \bar{B}_1 &= \big(\bar{X}_1 + \bar{X}_2 + \bar{X}_1^{-1}\bar{X}_2\bar{X}_2 + \bar{X}_1\big)^{-1}\big(\bar{X}_1^{-1}\bar{P}_1\bar{X}_2 + \bar{P}_1\big), \\ \bar{B}_2 &= \big(\bar{X}_1 + \bar{X}_2 + \bar{X}_1^{-1}\bar{X}_2\bar{X}_2 + \bar{X}_1\big)^{-1}\big(\bar{X}_1^{-1}\bar{P}_2\bar{X}_2 + \bar{P}_2\big). \end{aligned} \quad (7.27)$$

Given more levels, the administrator just needs to increase the number of $\bar{X}_i$'s:


$$\begin{aligned} \bar{B}_1 &= \big(\bar{X}_1\bar{X}_1 + \bar{X}_2\bar{X}_2 + \bar{X}_1^{-1}\bar{X}_1^{-1}\bar{X}_2\bar{X}_2\bar{X}_2\bar{X}_2 + \bar{X}_1\bar{X}_1\big)^{-1}\big(\bar{X}_1^{-1}\bar{X}_1^{-1}\bar{P}_3\bar{X}_2\bar{X}_2 + \bar{P}_3\big), \\ \bar{B}_2 &= \big(\bar{X}_1\bar{X}_1 + \bar{X}_2\bar{X}_2 + \bar{X}_1^{-1}\bar{X}_1^{-1}\bar{X}_2\bar{X}_2\bar{X}_2\bar{X}_2 + \bar{X}_1\bar{X}_1\big)^{-1}\big(\bar{X}_1^{-1}\bar{X}_1^{-1}\bar{P}_4\bar{X}_2\bar{X}_2 + \bar{P}_4\big), \end{aligned} \quad (7.28)$$

and so on. So the administrator can not only navigate between levels of passwords, but also verify their authenticity. To make this procedure more interesting, the administrator may select a few characters from the accepted ranges and remove them from the list of valid characters. This selection must be kept secret. This way, any malicious password holder would not know whether any derivation of its own password would be valid or not, due to the lack of knowledge of the removed characters. This makes this simple application interesting, and it shows how the use of GA leverages its mathematics in order to offer a utility for any administrator in charge of many passwords in a hierarchical fashion. In other words, we add the mathematics of GA to the task of password management.

7.4 Conclusions

The combination of p-adic numbers and GA should see no limits in the possibilities for constructing cryptographic ideas that were not discussed in this work. When observed from the utility spectrum, the possibilities for applying Hensel codes and GA are literally endless. When observed from the security spectrum, GA as an alternative for lattice cryptography is also an abundant source of opportunities, due to the numerous lattice-cryptography applications that can be implemented with GA as a replacement of matrix and vector algebra. For these reasons, we consider some particular operations in our contributions, such as multivector packing schemes, probabilistic data encoding with Hensel codes, and conversion of matrices and vectors to multivectors, among others, as general-purpose mechanisms of interest for homomorphic encryption related applications.

CHAPTER 8

Future Directions

We now discuss our proposed future directions for this current research. The following discussions result from either our own perception of immediate continuation of investigating new functionalities based on p-adic numbers and GA or considerations provided to us by advisors, reviewers, research partners, fellow students, and colleagues, among other agents.

8.1 Additional Hard Problems with Hensel Codes

In our exposition we showed how to construct a private-key leveled FHE scheme whose security is associated with the approximate-gcd problem. An immediate question can be: what other problems can be explored with Hensel codes? Would we be able to construct another leveled FHE scheme based on the SIS problem [280], or on the knapsack problem [281], or on the clique problem [282], or on the shortest path problem [283]? It seems necessary to investigate at least two things in this regard:

1. What other computational hard problems can we explore with Hensel codes?

2. Is there a general strategy for selecting a hard problem and then constructing an encryption function whose security is equivalent to solving that hard problem?

Any reasonably successful answer to the above has the potential of opening new lines of research. What about a lattice-based problem with Hensel codes? We have reasons to believe that we can implement lattice-based problems with Hensel codes. As an example, consider the equation Ax = b, where A is a secret matrix and b is one of the shortest vectors of a lattice L related to A. An idea for implementing a related construction with Hensel codes is to encode m as a random integer partition of length t with entries m_i and encode each entry with p = 2 (so, obviously, p is known). Then for each partition entry m_i we generate a Hensel code h_i such that

$$h_i = H(2, m_i), \quad i = 1, \dots, t. \qquad (8.1)$$

For some encryption function f_A(m) and for uniform A, solving for (h_1, ..., h_t) is considered to be hard if (h_1, ..., h_t) is indeed one of the shortest vectors of L.

8.2 GA Constructions in Higher Dimensions

In our contributions with GA, we presented concrete constructions based on either 2D or 3D GA. One interesting direction is to investigate if the same and other constructions can be yielded in higher dimensions. It seems necessary to investigate at least two things in this regard:

1. Is it possible to implement GA-based homomorphic encryption in arbitrary dimensions, in particular, much higher dimensions? As an example, the 10-dimensional geometric product space in GA is equivalent to the 1024-dimensional matrix algebra. It is known that the higher the dimension of the lattice, the harder the problems associated with it [256].

2. Is it possible to construct lattice-based cryptographic tools with higher dimensions in GA without a severe penalty to performance? How high, at minimum, must the dimension n of an n-dimensional geometric product space in GA be for it to be secure and efficient?

8.3 Quantum Encryption with GA

One key component of our contributions is the mappings between different algebraic structures, such as integer to multivector, vector to multivector, and matrix to multivector, among others. One interesting direction seems to be to investigate the existence of an isomorphic mapping between qubits and multivectors, so one can replace the computations on qubits with the computations in GA. The lattice-based problem mentioned in this work is considered to be quantum-resistant. However, we would like to investigate if we can construct a quantum encryption scheme, which leads us to the following questions:

1. Is there an isomorphic mapping between qubits and multivectors?

2. Can we construct a quantum homomorphic encryption scheme by representing computations on qubits?

3. Would there be any immediate advantage of constructing a quantum homomorphic encryption scheme using this strategy?

4. Is a quantum homomorphic encryption scheme necessarily a quantum-resistant encryption scheme?

8.4 Conclusions

In this work, we present some selected ideas that we believe contribute to the effort of showcasing p-adic numbers and GA as viable and advantageous candidates for cryptography. In our quest for constructing cryptographic tools as relevant instantiations of these mathematical resources, we produced many more schemes and protocols than we actually present in this manuscript. When we consider what we have demonstrated so far in conjunction with our proposed future directions of this research, it seems to us that we have just scratched the surface of a seemingly never-ending and very promising line of research.

CHAPTER 9

Conclusions

In this work, we showcase two mathematical resources of interest: Clifford geometric algebra (GA) and the finite-segment p-adic numbers (also known as Hensel codes), with which we demonstrated functionalities and properties that we describe as useful and advantageous for cryptography in a wide variety of scenarios. We provided condensed tutorials for both GA and p-adic numbers. We organized these tutorials as sufficient material to appreciate the examples and concrete constructions discussed in this work. Our examples serve as objective illustrations of these resources’ practical applications to cryptography. We hope that our objective discussion will inspire other researchers to explore and implement opportunities that we did not cover in this manuscript. We addressed the need for secure computation through several constructions of homomorphic cryptographic tools based on GA and/or Hensel codes. From particular examples to the description of general approaches towards homomorphic encryption, we explored GA and Hensel codes as a framework for arbitrary homomorphic solutions. Based on these solutions, we created our own mathematical collection of functions. We started our exposition with p-adic numbers by providing a tutorial and several concrete constructions based on Hensel codes. As concrete instances, we included homomorphic data encoding, an enabler of rational numbers for an algorithm that only accepts integers, the transformation of deterministic algorithms into probabilistic ones, and a homomorphic encryption scheme for distributed computation. For the particular case of distributed computation, multiple parties receive only pieces of ciphertexts and can compute a joint function and send the results back to the key owner, who will decrypt the result correctly. This type of encryption scheme allows the computation of encrypted data by geographically distant computation units and/or multiple independent and simultaneous computational threads.

We also dedicated special attention to GA through a compact tutorial describing elementary algebraic operations in GA, which we deemed enough for building the cryptographic tools that compose our contributions. We introduced several encryption schemes based on GA, such as a framework for homomorphic image processing, mechanisms for data representation and data hiding, a key exchange protocol applied to an edge computing application, a hash algorithm, and a private-key encryption scheme. We also proposed a hash algorithm where our goal is that its message digest is equivalent to the result of a one-way function. We introduced a private-key encryption scheme that can work in conjunction with a key exchange protocol or rely solely on its randomized and round-based encryption function. Together with many examples of GA and Hensel codes’ utility appeal, we presented a discussion on achieving modern definitions of security through concrete encryption schemes based on p-adic numbers and GA. When discussing security with Hensel codes, we showed that our leveled FHE scheme has a compact and very simple description, which can be CPA-secure under proper parameter configurations. Its security is associated with the approximate-gcd problem. We detailed how our construction is resilient against known attacks. When discussing security with GA, we introduced a mapping between matrices and multivectors that allows us to construct lattice-based cryptographic tools using the same GA structure that we previously applied to several cryptographic resources. We introduced a mapping to multivectors that works for matrices of arbitrary dimension. We discussed how to use this mapping for constructing lattice-based cryptography tools. For all the constructions based on either p-adic numbers or GA, the entire construction mechanism is computationally and conceptually simple. Through a variety of implemented examples, we highlighted the flexibility and usefulness of these tools.

Thus, we believe that the mapping to computationally hard problems using Hensel codes and GA has singular relevance, since it adds to our contributions the single most crucial factor of any cryptographic tool, namely, security properties according to modern definitions of security in cryptography. We consider that, with our constructions’ versatility combined with these security properties, we have the opportunity to advocate the importance and validity of p-adic numbers and GA applied to cryptography. The combination of Hensel codes and GA should not see limits as to the possibilities in constructing cryptographic ideas. When observed from the utility spectrum, the possibilities for applying Hensel codes and GA are endless. When observed from the security spectrum, GA as an alternative for lattice cryptography is also an abundant source of opportunities due to the numerous lattice-cryptography applications that can be implemented with GA as a replacement of matrix and vector algebra. We consider some operations in our contributions, such as multivector packing schemes, probabilistic data encoding with Hensel codes, and conversion of matrices and vectors to multivectors, among others, as general-purpose mechanisms of interest for homomorphic encryption related applications. As future directions, we propose the investigation of constructing homomorphic encryption schemes based on Hensel codes and associated with other computationally hard problems. In particular, it seems that one can use Hensel codes for constructing lattice-based cryptography. We believe that the contributions discussed in this work, in conjunction with our proposed future directions, serve as an indication that further research on the exploration of Hensel codes and GA must be pursued.

Bibliography

[1] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120– 126, 1978.

[2] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[3] P. FIPS, “186-4: Federal information processing standards publication. digital signature standard (dss),” Information Technology Laboratory, National Institute of Standards and Technology (NIST), Gaithersburg, MD, pp. 20899–8900, 2013.

[4] E. Barker, L. Chen, S. Keller, A. Roginsky, A. Vassilev, and R. Davis, “Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography,” tech. rep., National Institute of Standards and Technology, 2017.

[5] J. Daemen and V. Rijmen, The design of Rijndael, vol. 2. Springer, 2002.

[6] F. P. NIST, “180-4 secure hash standard (shs), no,” August. Gaithersburg: National Institute of Standards and Technology, 2015.

[7] D. J. Bernstein, Y.-A. Chang, C.-M. Cheng, L.-P. Chou, N. Heninger, T. Lange, and N. Van Someren, “Factoring keys from certified smart cards: Coppersmith in the wild,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 341–360, Springer, 2013.

[8] H. W. Lenstra Jr, “Factoring integers with elliptic curves,” Annals of mathematics, pp. 649–673, 1987.

[9] A. K. Lenstra and H. W. Lenstra, The development of the number field sieve, vol. 1554. Springer Science & Business Media, 1993.

[10] P. Mahajan and A. Sachdeva, “A study of encryption algorithms aes, des and rsa for security,” Global Journal of Computer Science and Technology, 2013.

[11] L. Chen, L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone, Report on post-quantum cryptography, vol. 12. US Department of Commerce, National Institute of Standards and Technology, 2016.

[12] P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM review, vol. 41, no. 2, pp. 303–332, 1999.

[13] P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings 35th annual symposium on foundations of computer science, pp. 124–134, IEEE, 1994.

[14] National Academies of Sciences, Engineering, and Medicine, Quantum computing: progress and prospects. National Academies Press, 2019.

[15] C. H. Bennett, E. Bernstein, G. Brassard, and U. Vazirani, “Strengths and weaknesses of quantum computing,” SIAM journal on Computing, vol. 26, no. 5, pp. 1510–1523, 1997.

[16] D. J. Bernstein and T. Lange, “Post-quantum cryptography,” Nature, vol. 549, no. 7671, pp. 188–194, 2017.

[17] F. Song, “A note on quantum security for post-quantum cryptography,” in International Workshop on Post-Quantum Cryptography, pp. 246–265, Springer, 2014.

[18] J. Buchmann and J. Ding, Post-Quantum Cryptography: Second International Workshop, PQCrypto 2008 Cincinnati, OH, USA October 17-19, 2008 Proceedings, vol. 5299. Springer Science & Business Media, 2008.

[19] D. Jao and L. De Feo, “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” in International Workshop on Post-Quantum Cryptography, pp. 19–34, Springer, 2011.

[20] R. A. Perlner and D. A. Cooper, “Quantum resistant public key cryptography: a survey,” in Proceedings of the 8th Symposium on Identity and Trust on the Internet, pp. 85–93, 2009.

[21] D. Jao and V. Soukharev, “Isogeny-based quantum-resistant undeniable signatures,” in International Workshop on Post-Quantum Cryptography, pp. 160–179, Springer, 2014.

[22] National Institute of Standards and Technology, “Post-quantum cryptography | csrc.” https://csrc.nist.gov/projects/post-quantum-cryptography. (Accessed on 10/16/2020).

[23] A. Shamir, R. L. Rivest, and L. M. Adleman, “Mental poker,” in The mathematical gardner, pp. 37–43, Springer, 1981.

[24] A. C. Yao, “Protocols for secure computations,” in 23rd annual symposium on foundations of computer science (sfcs 1982), pp. 160–164, IEEE, 1982.

[25] A. C.-C. Yao, “Protocols for secure computations extended abstract,” in 23rd FOCS, 1982.

[26] A. C.-C. Yao, “How to generate and exchange secrets extended abstract,” in 27th FOCS, 1986.

[27] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game, or a completeness theorem for protocols with honest majority,” in Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, pp. 307–328, ACM, USA, 2019.

[28] D. Chaum, I. B. Damgård, and J. Van de Graaf, “Multiparty computations ensuring privacy of each party’s input and correctness of the result,” in Conference on the Theory and Application of Cryptographic Techniques, pp. 87–119, Springer, 1987.

[29] R. L. Rivest, L. Adleman, M. L. Dertouzos, et al., “On data banks and privacy homomorphisms,” Foundations of secure computation, vol. 4, no. 11, pp. 169–180, 1978.

[30] C. Gentry, “Computing arbitrary functions of encrypted data,” Communications of the ACM, vol. 53, no. 3, pp. 97–105, 2010.

[31] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the forty-first annual ACM symposium on Theory of computing, pp. 169–178, 2009.

[32] C. Gentry and D. Boneh, A fully homomorphic encryption scheme, vol. 20. Stanford university Stanford, 2009.

[33] M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, and V. Vaikuntanathan, “Homomorphic encryption security standard,” tech. rep., HomomorphicEncryption.org, Toronto, Canada, November 2018.

[34] J. Katz and Y. Lindell, Introduction to modern cryptography. CRC press, 2014.

[35] A. S. Paulo Mateus, Amilcar Sernadas and L. Antunes, Notes on Cryptography, vol. 1. Instituto Superior Tecnico, Universidade do Porto, Faculdade de Ciencias, 2012.

[36] P. Clifford, “Applications of grassmann’s extensive algebra,” American Journal of Mathematics, vol. 1, no. 4, pp. 350–358, 1878.

[37] H. Grassmann, Die lineale Ausdehnungslehre ein neuer Zweig der Mathematik: dargestellt und durch Anwendungen auf die übrigen Zweige der Mathematik, wie auch auf die Statik, Mechanik, die Lehre vom Magnetismus und die Krystallonomie erläutert, vol. 1. O. Wigand, 1844.

[38] T. L. Hankins, Sir William Rowan Hamilton. Johns Hopkins University Press, 1980.

[39] D. Hestenes, Space-time algebra, vol. 1. Springer, 1966.

[40] D. Hildenbrand, “Foundations of geometric algebra computing,” in AIP Conference Proceedings, vol. 1479, 1, pp. 27–30, American Institute of Physics, 2012.

[41] E. Hitzer, T. Nitta, and Y. Kuroe, “Applications of Clifford’s geometric algebra,” Advances in Applied Clifford Algebras, vol. 23, no. 2, pp. 377–404, 2013.

[42] C. Perwass, H. Edelsbrunner, L. Kobbelt, and K. Polthier, Geometric algebra with applications in engineering, vol. 4. Springer, 2009.

[43] S. J. Sangwine and E. Hitzer, “Clifford multivector toolbox (for matlab),” Advances in Applied Clifford Algebras, vol. 27, no. 1, pp. 539–558, 2017.

[44] L. Dorst, D. Fontijne, and S. Mann, Geometric algebra for computer science: an object-oriented approach to geometry. Elsevier, 2010.

[45] D. Hildenbrand, J. Albert, P. Charrier, and C. Steinmetz, “Geometric algebra computing for heterogeneous systems,” Advances in Applied Clifford Algebras, vol. 27, no. 1, pp. 599–620, 2017.

[46] E. Bayro-Corrochano and G. Scheuermann, Geometric algebra computing: in engineering and computer science. Springer Science & Business Media, 2010.

[47] M. Josipović, Geometric Multiplication of Vectors: An Introduction to Geometric Algebra in Physics. Springer Nature, 2019.

[48] A. Rockwood, H. Li, and D. Hestenes, “System for encoding and manipulating models of objects,” Feb. 8 2005. US Patent 6,853,964.

[49] P. Carré and M. Berthier, “Color representation and processes with clifford algebra,” in Advanced Color Image Processing and Analysis, pp. 147–179, Springer, 2013.

[50] A. Augello, M. Gentile, G. Pilato, and G. Vassallo, “Geometric encoding of sentences based on clifford algebra.,” in KDIR, pp. 457–462, 2012.

[51] A. Majumdar, “Weighted subsymbolic data encoding,” Nov. 6 2018. US Patent 10,120,933.

[52] D. W. da Silva, C. P. de Araujo, E. Chow, and B. S. Barillas, “A new approach towards fully homomorphic encryption over geometric algebra,” in 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), pp. 0241–0249, IEEE, 2019.

[53] D. W. H. A. da Silva, H. B. M. de Oliveira, E. Chow, B. S. Barillas, and C. P. de Araujo, “Homomorphic image processing over geometric product spaces and finite p-adic arithmetic,” in 2019 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pp. 27–36, IEEE, 2019.

[54] D. W. da Silva, C. P. de Araujo, and E. Chow, “Fully homomorphic key update and key exchange over exterior product spaces for cloud computing applications,” in 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC), pp. 25–251, IEEE, 2019.

[55] C. A. P. de Araujo, “Methods and systems for enhanced data-centric encryption systems using geometric algebra,” Feb. 8 2018. US Patent App. 15/667,325.

[56] D. W. H. A. da Silva, Fully Homomorphic Encryption Over Exterior Product Spaces. University of Colorado Colorado Springs, 2017.

[57] C. A. P. de Araujo, D. W. H. A. da Silva, and G. B. Jones, “Methods and systems for enhanced data-centric homomorphic encryption searching using geometric algebra,” Feb. 7 2019. US Patent App. 16/162,068.

[58] C. A. P. de Araujo, D. W. H. A. da Silva, and G. B. Jones, “Methods and systems for enhanced data-centric scalar multiplicative homomorphic encryption systems using geometric algebra,” Oct. 11 2018. US Patent App. 15/946,631.

[59] C. A. P. de Araujo, D. W. H. A. da Silva, and G. B. Jones, “Methods and systems for enhanced data-centric homomorphic encryption sorting using geometric algebra,” Apr. 11 2019. US Patent App. 16/162,090.

[60] D. W. H. A. da Silva, M. A. Xavier, P. N. Brown, E. Chow, and C. P. de Araujo, “Homomorphic data concealment powered by clifford geometric algebra,” in Advances in Computer Graphics, pp. 513–525, Springer International Publishing, 2020.

[61] D. W. H. A. da Silva, M. A. Xavier, E. Chow, and C. P. de Araujo, “Experiments with clifford geometric algebra applied to cryptography,” in SCIS&ISIS, Joint 11th International Conference on Soft Computing and Intelligent Systems and 21st International Symposium on Advanced Intelligent Systems, 2020.

[62] D. W. H. A. da Silva, H. Oliveira, M. A. Xavier, E. Chow, and C. P. de Araujo, “Homomorphic key update protocol based on clifford geometric algebra for distributed ledger technology,” in SCIS&ISIS, Joint 11th International Conference on Soft Computing and Intelligent Systems and 21st International Symposium on Advanced Intelligent Systems, 2020. To appear.

[63] K. Hensel, “Über eine neue begründung der theorie der algebraischen zahlen.,” Jahresbericht der Deutschen Mathematiker-Vereinigung, vol. 6, pp. 83–88, 1897.

[64] B. Fine and G. Rosenberger, Number theory. Springer, 2007.

[65] M. R. Murty, Problems in analytic number theory, vol. 206. Springer Science & Business Media, 2008.

[66] W. A. Coppel, Number Theory: An introduction to mathematics. Springer Science & Business Media, 2009.

[67] E. Krishnamurthy, T. M. Rao, and K. Subramanian, “Finite segment p-adic number systems with applications to exact computation,” in Proceedings of the Indian Academy of Sciences-Section A, vol. 81, pp. 58–79, Springer, 1975.

[68] E. Krishnamurthy, T. M. Rao, and K. Subramanian, “P-adic arithmetic procedures for exact matrix computations,” in Proceedings of the Indian Academy of Sciences-Section A, vol. 82, pp. 165–175, Springer, 1975.

[69] E. Alparslan, Finite p-adic number systems with possible applications. PhD thesis, Ph. D. Dissertation. Department of Electrical Engineering, 1975.

[70] R. T. Gregory, “The use of finite-segment p-adic arithmetic for exact computation,” BIT Numerical Mathematics, vol. 18, no. 3, pp. 282–300, 1978.

[71] R. T. Gregory, Error-free computation: why it is needed and methods for doing it. RE Krieger, 1980.

[72] P. S. Beiser, An examination of finite segment p-adic number systems as an alternative methodology for performing exact arithmetic. PhD thesis, University of Virginia, 1979.

[73] J. Farinmade, Fast, parallel, exact matrix computations using p-adic arithmetic. PhD thesis, MS thesis, Department of Computer Science, University of Lagos, Nigeria, 1976.

[74] E. C. R. Hehner and R. Horspool, “A new representation of the rational numbers for fast easy arithmetic,” SIAM Journal on Computing, vol. 8, no. 2, pp. 124–134, 1979.

[75] R. N. Horspool and E. C. Hehner, “Exact arithmetic using a variable-length p-adic representation,” in 1978 IEEE 4th Symposium on Computer Arithmetic (ARITH), pp. 10–14, IEEE, 1978.

[76] R. A. Lewis, “P-adic number systems for error-free computation.,” The University of Tennessee, 1980.

[77] T. M. Rao and R. T. Gregory, “The conversion of hensel codes to rational numbers,” in 1981 IEEE 5th Symposium on Computer Arithmetic (ARITH), pp. 10–20, IEEE, 1981.

[78] C. Limongelli and H. W. Loidl, “Rational number arithmetic by parallel p-adic algorithms,” in International Conference of the Austrian Center for Parallel Computation, pp. 72–86, Springer, 1993.

[79] A. Colagrossi and C. Limongelli, “Big numbers p-adic arithmetic: a parallel approach,” in International Conference on Applied Algebra, Algebraic Algorithms, and Error-Correcting Codes, pp. 169–180, Springer, 1988.

[80] J. F. Morrison, “Parallel p-adic computation,” Information processing letters, vol. 28, no. 3, pp. 137–140, 1988.

[81] C. Lu and X. Li, “An introduction of multiple p-adic data type and its parallel implementation,” in 2014 IEEE/ACIS 13th International Conference on Computer and Information Science (ICIS), pp. 303–308, IEEE, 2014.

[82] X. Li, C. Lu, and J. A. Sjogren, “Parallel implementation of exact matrix computation using multiple p-adic arithmetic,” in 2013 14th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, pp. 296–302, IEEE, 2013.

[83] X. Li, C. Lu, and J. A. Sjogren, “Overflow detection in multiple p-adic parallel implementation,” in Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems, pp. 23–28, 2014.

[84] J. A. Howell and R. T. Gregory, “An algorithm for solving linear algebraic equations using residue arithmetic ii,” BIT Numerical Mathematics, vol. 9, no. 4, pp. 324–337, 1969.

[85] Ç. K. Koç, “Parallel p-adic method for solving linear systems of equations,” Parallel Computing, vol. 23, no. 13, pp. 2067–2074, 1997.

[86] A. A. Ruffa, M. A. Jandron, and B. Toni, “Parallelized solution of banded linear systems with an introduction to p-adic computation,” in Mathematical Sciences with Multidisciplinary Applications, pp. 431–464, Springer, 2016.

[87] A. Y. Khrennikov, p-Adic valued distributions in mathematical physics, vol. 309. Springer Science & Business Media, 2013.

[88] M. Kurt, “Introduction to p-adic numbers and their functions,” 1981.

[89] M. Krasner, “Nombres semi-réels et espaces ultramétriques,” Comptes-Rendus de l’Académie des Sciences, vol. 2, p. 219, 1944.

[90] M. Krasner, “Prolongement analytique uniforme et multiforme dans les corps values complets: preservation de l’analycite par la convergence uniforme et par la derivation; theoreme de mittag-leffler generalise pour les elements analytiques’,” CR Acad. Sci. Paris, vol. 244, pp. 2570–2573, 1957.

[91] E. Motzkin and P. Robba, “Prolongement analytique en analyse p-adique,” Séminaire de théorie des nombres de Bordeaux, pp. 1–47, 1968.

[92] P. Robba, “Fonctions analytiques sur les corps valués ultramétriques complets,” Pro- longement analytique et algèbres de Banach ultramétriques, 1973.

[93] R. N. Gorgui-Naguib, p-adic number theory and its applications in a cryptographic form. PhD thesis, University of London, 1986.

[94] H. G. Gadiyar, K. S. Maini, and R. Padma, “Cryptography, connections, cocycles and crystals: A p-adic exploration of the discrete logarithm problem,” in International Conference on Cryptology in India, pp. 305–314, Springer, 2004.

[95] V. Anashin, “Uniformly distributed sequences of p-adic integers,” in Math. Appl, Citeseer, 2002.

[96] Z. Tasheva, B. Bedzhev, and B. Stoyanov, “Self-shrinking p-adic cryptographic generator,” in XL International Scientific Conference on Information, Communication and Energy Systems and Technologies, ICEST, pp. 7–10, 2005.

[97] B. Stoyanov, “Improved cryptoanalysis of the self-shrinking p-adic cryptographic generator,” Advanced Studies in Software and Knowledge Engineering, 2008.

[98] Z. Tasheva, B. Bedzhev, and B. Stoyanov, “P-adic shrinking-multiplexing generator,” in 2005 IEEE Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, pp. 443–448, IEEE, 2005.

[99] P. Solé and D. Zinoviev, “Inversive pseudorandom numbers over galois rings,” European Journal of Combinatorics, vol. 30, no. 2, pp. 458–467, 2009.

[100] Z. Tasheva and B. Bedzhev, “Software implementation of p-adic self-shrinking generator for aerospace cryptographic systems,” in Scientific Conference SPACE, ECOLOGY, SAFETY with International Participation, pp. 10–13, 2005.

[101] B. Stoyanov, A. Milev, and A. Nachev, “Research on the self-shrinking 2-adic cryptographic generator,” Journal of Communication and Computer, vol. 7, no. 11, pp. 67–71, 2010.

[102] V. Anashin, “Non-archimedean ergodic theory and pseudorandom generators,” The Computer Journal, vol. 53, no. 4, pp. 370–392, 2010.

[103] M. Xu, C. Zhao, M. Feng, Z. Ren, and J. Ye, “Cryptography on elliptic curves over p-adic number fields,” Science in China Series F: Information Sciences, vol. 51, no. 3, pp. 258–272, 2008.

[104] T. Satoh, “On p-adic point counting algorithms for elliptic curves over finite fields,” in International Algorithmic Number Theory Symposium, pp. 43–66, Springer, 2002.

[105] I. Blake, G. Seroussi, G. Seroussi, and N. Smart, Elliptic curves in cryptography, vol. 265. Cambridge university press, 1999.

[106] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, Handbook of elliptic and hyperelliptic curve cryptography. CRC press, 2005.

[107] T. Takagi, “Fast rsa-type cryptosystem modulo p k q,” in Annual International Cryptology Conference, pp. 318–326, Springer, 1998.

[108] S. Lim, S. Kim, I. Yie, and H. Lee, “A generalized takagi-cryptosystem with a modulus of the form p r q s,” in International Conference on Cryptology in India, pp. 283–294, Springer, 2000.

[109] M. Ciet, F. Koeune, F. Laguillaumie, and J.-J. Quisquater, “Short private exponent attacks on fast variants of rsa,” UCL Crypto Group Technical Report Series CG-2002/4, University Catholique de Louvain, 2002.

[110] D. Catalano, P. Q. Nguyen, and J. Stern, “The hardness of hensel lifting: The case of rsa and discrete logarithm,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 299–310, Springer, 2002.

[111] D. W. da Silva, C. P. de Araujo, and E. Chow, “An efficient homomorphic data encoding with multiple secret hensel codes,” International Journal of Information and Electronics Engineering, vol. 10, no. 1, 2020.

[112] K. El Makkaoui, A. Beni-Hssane, A. Ezzati, and A. El-Ansari, “Fast cloud-rsa scheme for promoting data confidentiality in the cloud computing,” Procedia computer science, vol. 113, pp. 33–40, 2017.

[113] J.-S. Coron, J.-C. Faugère, G. Renault, and R. Zeitoun, “Factoring n = prqs for large r and s,” in Cryptographers Track at the RSA Conference, pp. 448–464, Springer, 2016.

[114] Ö. Ç. Havare and H. Menken, “A note on the p-adic gamma function and q-changhee polynomials,” J. Math. Comput. Sci, vol. 18, p. 11, 2018.

[115] G. Micheli and V. Weger, “Cryptanalysis of the clr-cryptosystem,” Designs, Codes and Cryptography, vol. 87, no. 5, pp. 1069–1086, 2019.

[116] J. Holden, P. A. Richardson, and M. M. Robinson, “Counting fixed points and rooted closed walks of the singular map modulo powers of a prime,” p-Adic Numbers, Ultrametric Analysis and Applications, vol. 12, no. 1, pp. 12–28, 2020.

[117] N. Avni, B. Klopsch, U. Onn, C. Voll, et al., “Representation zeta functions of compact p-adic analytic groups and arithmetic groups,” Duke Mathematical Journal, vol. 162, no. 1, pp. 111–197, 2013.

[118] E. J. Dubuc, “On the representation theory of galois and atomic topoi,” Journal of Pure and Applied Algebra, vol. 186, no. 3, pp. 233–275, 2004.

[119] A. Madrecki, “On sazonov type topology in p-adic banach space,” Mathematische Zeitschrift, vol. 188, no. 2, pp. 225–236, 1985.

[120] Y. Kitaoka, “A note on local densities of quadratic forms,” Nagoya Mathematical Journal, vol. 92, pp. 145–152, 1983.

[121] R. T. Gregory and E. V. Krishnamurthy, Methods and applications of error-free computation. Springer Science & Business Media, 2012.

[122] E. Krishnamurthy, “Matrix processors using p-adic arithmetic for exact linear computations,” in 1975 IEEE 3rd Symposium on Computer Arithmetic (ARITH), pp. 92–97, IEEE, 1975.

[123] C. K. Koç, “A tutorial on p-adic arithmetic,” Electrical and Computer Engineering, Oregon State University, Corvallis, Oregon, vol. 97331, 2002.

[124] X. Li, M. Zhao, and C. Lu, “Efficient algorithms and implementation for error-free computation using p-adic,” in 2011 First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering, pp. 76–80, IEEE, 2011.

[125] L. Dorst, C. Doran, and J. Lasenby, Applications of geometric algebra in computer science and engineering. Springer Science & Business Media, 2012.

[126] C. Doran, S. R. Gullans, A. Lasenby, J. Lasenby, and W. Fitzgerald, Geometric algebra for physicists. Cambridge University Press, 2003.

[127] L. Dorst and S. Mann, “Geometric algebra: A computational framework for geometrical applications (part 1),” IEEE Computer Graphics and Applications, no. 3, pp. 24–31, 2002.

[128] S. Mann and L. Dorst, “Geometric algebra: A computational framework for geometrical applications. 2,” IEEE Computer Graphics and Applications, vol. 22, no. 4, pp. 58–67, 2002.

[129] L. Dorst, “Honing geometric algebra for its use in the computer sciences,” in Geometric computing with Clifford algebras, pp. 127–152, Springer, 2001.

[130] E. Bayro-Corrochano, L. Reyes-Lozano, and J. Zamora-Esquivel, “Conformal geomet- ric algebra for robotic vision,” Journal of Mathematical Imaging and Vision, vol. 24, no. 1, pp. 55–81, 2006.

[131] D. Hildenbrand, “Geometric computing in computer graphics using conformal geomet- ric algebra,” Computers & Graphics, vol. 29, no. 5, pp. 795–803, 2005.

183 Bibliography

[132] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, Introduction to algorithms. MIT press, 2009.

[133] C. Gentry and S. Halevi, “Implementing gentry’s fully-homomorphic encryption scheme,” in Annual international conference on the theory and applications of crypto- graphic techniques, pp. 129–148, Springer, 2011.

[134] N. P. Smart and F. Vercauteren, “Fully homomorphic encryption with relatively small key and ciphertext sizes,” in International Workshop on Public Key Cryptography, pp. 420–443, Springer, 2010.

[135] M. Van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 24–43, Springer, 2010.

[136] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi, “Fully homomorphic encryp- tion over the integers with shorter public keys,” in Annual Cryptology Conference, pp. 487–504, Springer, 2011.

[137] Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-lwe and security for key dependent messages,” in Annual cryptology conference, pp. 505– 524, Springer, 2011.

[138] H. Chen, K. Laine, and R. Player, “Simple encrypted arithmetic library-seal v2. 1,” in International Conference on Financial Cryptography and Data Security, pp. 3–18, Springer, 2017.

[139] S. Halevi and V. Shoup, “Helib-an implementation of homomorphic encryption,” Cryp- tology ePrint Archive, Report 2014/039, 2014.

[140] Y. Polyakov, K. Rohloff, and G. W. Ryan, “Palisade lattice cryptography library user manual,” Cybersecurity Research Center, New Jersey Institute ofTechnology (NJIT), Tech. Rep, 2017.

184 Bibliography

[141] W. Dai and B. Sunar, “cuhe: A homomorphic encryption accelerator library,” in International Conference on Cryptography and Information Security in the Balkans, pp. 169–186, Springer, 2015.

[142] C. Aguilar-Melchor, J. Barrier, S. Guelton, A. Guinet, M.-O. Killijian, and T. Lepoint, “Nfllib: Ntt-based fast lattice library,” in Cryptographers Track at the RSA Conference, pp. 341–356, Springer, 2016.

[143] J. H. Cheon, A. Kim, M. Kim, and Y. Song, “Homomorphic encryption for arithmetic of approximate numbers,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 409–437, Springer, 2017.

[144] L. Ducas and D. Micciancio, “Fhew: bootstrapping homomorphic encryption in less than a second,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 617–640, Springer, 2015.

[145] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Tfhe: fast fully homomorphic encryption over the torus,” Journal of Cryptology, vol. 33, no. 1, pp. 34–91, 2020.

[146] “Lattigo 1.3.1.” Online: http : / / github . com / ldsec / lattigo, Feb. 2020. EPFL- LDS.

[147] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(leveled) fully homomorphic encryp- tion without bootstrapping,” ACM Transactions on Computation Theory (TOCT), vol. 6, no. 3, pp. 1–36, 2014.

[148] Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) lwe,” SIAM Journal on Computing, vol. 43, no. 2, pp. 831–871, 2014.

[149] J. Fan and F. Vercauteren, “Somewhat practical fully homomorphic encryption.,” IACR Cryptol. ePrint Arch., vol. 2012, p. 144, 2012.

[150] Z. Brakerski, “Fundamentals of fully homomorphic encryption-a survey.,” in Electronic Colloquium on Computational Complexity (ECCC), vol. 25, p. 125, 2018.

185 Bibliography

[151] F. Armknecht, C. Boyd, C. Carr, K. Gjøsteen, A. Jäschke, C. A. Reuter, and M. Strand, “A guide to fully homomorphic encryption.,” IACR Cryptol. ePrint Arch., vol. 2015, p. 1192, 2015.

[152] V. Vaikuntanathan, “Homomorphic encryption references.” https : //people.csail. mit . edu / vinodv / FHE / FHE-refs . html. (Accessed on 10/19/2020).

[153] V. Vaikuntanathan, “Computing blindfolded: New developments in fully homomorphic encryption,” in 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 5–16, IEEE, 2011.

[154] S. Halevi, “Homomorphic encryption,” in Tutorials on the Foundations of Cryptogra- phy, pp. 219–276, Springer, 2017.

[155] S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of computer and sys- tem sciences, vol. 28, no. 2, pp. 270–299, 1984.

[156] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE transactions on information theory, vol. 31, no. 4, pp. 469–472, 1985.

[157] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in International conference on the theory and applications of cryptographic techniques, pp. 223–238, Springer, 1999.

[158] I. Damgard and M. Jurik, “A generalisation, a simplification, and some applications of paillier’s probabilistic public-key system, presented at the 4th international workshop on practice and theory in public key cryptosystems, cheju island,” Korea, 2001.

[159] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-dnf formulas on ciphertexts,” in Theory of cryptography conference, pp. 325–341, Springer, 2005.

[160] C. Gentry, S. Halevi, and V. Vaikuntanathan, “A simple bgn-type cryptosystem from lwe,” in Annual International Conference on the Theory and Applications of Crypto- graphic Techniques, pp. 506–522, Springer, 2010.

186 Bibliography

[161] C. Gentry, “Toward basing fully homomorphic encryption on worst-case hardness,” in Annual Cryptology Conference, pp. 116–137, Springer, 2010.

[162] C. Gentry and S. Halevi, “Fully homomorphic encryption without squashing using depth-3 arithmetic circuits,” in 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 107–109, IEEE, 2011.

[163] Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical gapsvp,” in Annual Cryptology Conference, pp. 868–886, Springer, 2012.

[164] C. Gentry, S. Halevi, and N. P. Smart, “Fully homomorphic encryption with polylog overhead,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 465–482, Springer, 2012.

[165] C. Gentry, S. Halevi, and N. P. Smart, “Homomorphic evaluation of the aes circuit,” in Annual Cryptology Conference, pp. 850–867, Springer, 2012.

[166] C. Gentry, S. Halevi, C. Peikert, and N. P. Smart, “Field switching in bgv-style ho- momorphic encryption,” Journal of Computer Security, vol. 21, no. 5, pp. 663–684, 2013.

[167] Z. Brakerski, C. Gentry, and S. Halevi, “Packed ciphertexts in lwe-based homomor- phic encryption,” in International Workshop on Public Key Cryptography, pp. 1–13, Springer, 2013.

[168] A. López-Alt, E. Tromer, and V. Vaikuntanathan, “Multikey fully homomorphic en- cryption and on-the-fly multiparty computation,” IACR Cryptology ePrint Archive, vol. 2013, 2013.

[169] T. Lepoint and M. Naehrig, “A comparison of the homomorphic encryption schemes fv and yashe,” in International Conference on Cryptology in Africa, pp. 318–335, Springer, 2014.

[170] C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with er- rors: Conceptually-simpler, asymptotically-faster, attribute-based,” in Annual Cryp- tology Conference, pp. 75–92, Springer, 2013.

187 Bibliography

[171] Z. Brakerski and V. Vaikuntanathan, “Lattice-based fhe as secure as pke,” in Proceed- ings of the 5th conference on Innovations in theoretical computer science, pp. 1–12, 2014.

[172] J. Alperin-Sheriff and C. Peikert, “Faster bootstrapping with polynomial error,” in Annual Cryptology Conference, pp. 297–314, Springer, 2014.

[173] R. Hiromasa, M. Abe, and T. Okamoto, “Packing messages and optimizing bootstrap- ping in gsw-fhe,” IEICE TRANSACTIONS on Fundamentals of Electronics, Commu- nications and Computer Sciences, vol. 99, no. 1, pp. 73–82, 2016.

[174] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachene, “Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds,” in international conference on the theory and application of cryptology and information security, pp. 3–33, Springer, 2016.

[175] J.-S. Coron, D. Naccache, and M. Tibouchi, “Public key compression and modulus switching for fully homomorphic encryption over the integers,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 446–464, Springer, 2012.

[176] B. K. Horn, “Rational arithmetic for minicomputers,” Software: Practice and Experi- ence, vol. 8, no. 2, pp. 171–176, 1978.

[177] D. W. Matula and P. Kornerup, “Approximate rational arithmetic systems: analysis of recovery of simple fractions during expression evaluation,” in International Symposium on Symbolic and Algebraic Manipulation, pp. 383–397, Springer, 1979.

[178] G. H. Hardy, E. M. Wright, et al., An introduction to the theory of numbers. Oxford university press, 1979.

[179] D. E. Knuth, The art of computer programming, vol. 3. Pearson Education, 1997.

[180] K. Hensel, Theorie der algebraischen Zahlen, vol. 1. BG Teubner, 1908.

188 Bibliography

[181] A. M. Robert, A course in p-adic analysis, vol. 198. Springer Science & Business Media, 2013.

[182] R. T. Gregory, “Error-free computation with finite number systems,” ACM SIGNUM Newsletter, vol. 14, no. 3, pp. 9–16, 1979.

[183] A. Froment, “Error free computation: a direct method to convert finite-segment p-adic numbers into rational numbers,” IEEE transactions on computers, no. 4, pp. 337–343, 1983.

[184] F. Q. Gouvãea, P-adic numbers: An introduction. Springer-Verlag, 1993.

[185] N. Koblitz, p-adic Numbers, p-adic Analysis, and Zeta-Functions, vol. 58. Springer Science & Business Media, 2012.

[186] K. Mahler, Introduction to P-Adic Numbers and Their Function. CUP Archive, 1973.

[187] A. Miola, “Algebraic approach to p-adic conversion of rational numbers,” Information Processing Letters, vol. 18, no. 3, pp. 167–171, 1984.

[188] R. Gregory, “Error-free computation with rational numbers,” BIT Numerical Mathe- matics, vol. 21, no. 2, pp. 194–202, 1981.

[189] D. Flanagan and Y. Matsumoto, The Ruby Programming Language: Everything You Need to Know. " O’Reilly Media, Inc.", 2008.

[190] Y. Matsumoto and K. Ishituka, “Ruby programming language,” 2002.

[191] J. Viega, M. Messier, and P. Chandra, Network security with openSSL: cryptography for secure communications. " O’Reilly Media, Inc.", 2002.

[192] T. Rossmann, “Topological representation zeta functions of groups,” Journal of Algebra, vol. 448, pp. 210–237, 2016.

[193] A. W. Dress, “Congruence relations characterizing the representation ring of the sym- metric group,” Journal of Algebra, vol. 101, no. 2, pp. 350–364, 1986.

189 Bibliography

[194] N. P. Smart, Cryptography made simple, vol. 481. Springer, 2016.

[195] A. L. Rosenberg, “Efficient pairing functions and why you should care,” International journal of foundations of computer science, vol. 14, no. 01, pp. 3–17, 2003.

[196] M. Lisi, “Some remarks on the cantor pairing function,” Le Matematiche, vol. 62, no. 1, pp. 55–65, 2007.

[197] M. Szudzik, “An elegant pairing function,” in Wolfram Research (ed.) Special NKS 2006 Wolfram Science Conference, pp. 1–12, 2006.

[198] J. Tate, “Duality theorems in galois cohomology over number fields,” in Proc. Internat. Congr. Mathematicians (Stockholm, 1962), pp. 288–295, 1962.

[199] J. Tate, “Wc-groups over p-adic fields,” Séminaire Bourbaki, vol. 156, pp. 156–1, 1957.

[200] S. Lichtenbaum, “Duality theorems for curves overp-adic fields,” Inventiones mathe- maticae, vol. 7, no. 2, pp. 120–136, 1969.

[201] V. S. Miller, “The weil pairing, and its efficient calculation,” Journal of cryptology, vol. 17, no. 4, pp. 235–261, 2004.

[202] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 514–532, Springer, 2001.

[203] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in An- nual international cryptology conference, pp. 213–229, Springer, 2001.

[204] A. Joux, “A one round protocol for tripartite diffie–hellman,” Journal of cryptology, vol. 17, no. 4, pp. 263–276, 2004.

[205] A. Joux, “A one round protocol for tripartite diffie–hellman,” in International algo- rithmic number theory symposium, pp. 385–393, Springer, 2000.

[206] S. D. Galbraith, K. Harrison, and D. Soldera, “Implementing the tate pairing,” in International Algorithmic Number Theory Symposium, pp. 324–337, Springer, 2002.

190 Bibliography

[207] R. Sakai, “Cryptosystems based on pairing,” Proc. of SCIS2000, Jan., 2000.

[208] D. He, C. Chen, S. Chan, and J. Bu, “Secure and efficient handover authentication based on bilinear pairing functions,” IEEE Transactions on Wireless Communications, vol. 11, no. 1, pp. 48–53, 2011.

[209] N. P. Smart, “Identity-based authenticated key agreement protocol based on weil pair- ing,” Electronics letters, vol. 38, no. 13, pp. 630–632, 2002.

[210] D. Mumford, C. P. Ramanujam, and I. Manin, Abelian varieties, vol. 2. Oxford university press Oxford, 1974.

[211] S. Eilenberg and S. MacLane, “Natural isomorphisms in group theory,” Proceedings of the National Academy of Sciences of the United States of America, vol. 28, no. 12, p. 537, 1942.

[212] N. Isik, J. Pym, and A. Ülger, “The second dual of the group algebra of a compact group,” Journal of the London Mathematical Society, vol. 2, no. 1, pp. 135–148, 1987.

[213] L. Caporaso, “A compactification of the universal picard variety over the moduli space of stable curves,” Journal of the American Mathematical Society, vol. 7, no. 3, pp. 589– 660, 1994.

[214] D. P. Bertsekas and J. N. Tsitsiklis, Parallel and distributed computation: numerical methods, vol. 23. Prentice hall Englewood Cliffs, NJ, 1989.

[215] D. Zonta, M. Pozzi, and P. Zanon, “Managing the historical heritage using distributed technologies,” International Journal of Architectural Heritage, vol. 2, no. 3, pp. 200– 225, 2008.

[216] I. Wijegunaratne and G. Fernandez, Distributed Applications Engineering: Build- ing new applications and managing legacy applications with distributed technologies. Springer Science & Business Media, 2012.

191 Bibliography

[217] R. Shirley and D. Kammen, “Energy planning and development in malaysian bor- neo: Assessing the benefits of distributed technologies versus large scale energy mega- projects,” Energy Strategy Reviews, vol. 8, pp. 15–29, 2015.

[218] D. Hildenbrand, “Geometric algebra computers,” in Foundations of Geometric Algebra Computing, pp. 179–188, Springer, 2013.

[219] J. Vince, Geometric algebra for computer graphics. Springer Science & Business Media, 2008.

[220] W. E. Baylis, Clifford (Geometric) Algebras: with applications to physics, mathemat- ics, and engineering. Springer Science & Business Media, 2012.

[221] B. Mawardi and E. M. Hitzer, “Clifford fourier transformation and uncertainty prin- ciple for the clifford geometric algebra cl 3, 0,” Advances in applied Clifford algebras, vol. 16, no. 1, pp. 41–61, 2006.

[222] E. Hitzer, “Introduction to cliffordś geometric algebra,” arXiv preprint arXiv:1306.1660, 2013.

[223] J. Snygg, A new approach to differential geometry using Clifford’s geometric algebra. Springer Science & Business Media, 2011.

[224] E. M. Hitzer et al., “Euclidean geometric objects in the clifford geometric algebra of origin, 3-space, infinity,” Bulletin of the Belgian Mathematical Society-Simon Stevin, vol. 11, no. 5, pp. 653–662, 2005.

[225] P. W. Khan, G. Xu, M. A. Latif, K. Abbas, and A. Yasin, “Uavś agricultural image segmentation predicated by clifford geometric algebra,” IEEE Access, vol. 7, pp. 38442– 38450, 2019.

[226] E. Hitzer and C. Perwass, “Interactive 3d space group visualization with clucalc and the clifford geometric algebra description of space groups,” Advances in applied Clifford algebras, vol. 20, no. 3-4, pp. 631–658, 2010.

192 Bibliography

[227] J. Rivera-Rovelo and E. Bayro-Corrochano, “Medical image segmentation using a self- organizing neural network and clifford geometric algebra,” in The 2006 IEEE Interna- tional Joint Conference on Neural Network Proceedings, pp. 3538–3545, IEEE, 2006.

[228] A. Macdonald, “A survey of geometric algebra and geometric calculus,” Advances in Applied Clifford Algebras, vol. 27, no. 1, pp. 853–891, 2017.

[229] W. Commons, “Wikimedia commons,” Retrieved August, 2019.

[230] D. W. H. A. da Silva, M. A. Xavier, P. N. Brown, E. Chow, and C. P. de Araujo, “Homomorphic data concealment powered by clifford geometric algebra,” in COM- PUTER GRAPHICS INTERNATIONAL (CGI) 2020, Computer Graphics Society (CGS), 2020.

[231] D. Janovská and G. Opfer, “Linear equations in quaternionic variables,” Mitt. Math. Ges. Hamburg, vol. 27, pp. 223–234, 2008.

[232] J. M. Chappell, A. Iqbal, L. J. Gunn, and D. Abbott, “Functions of multivector vari- ables,” PloS one, vol. 10, no. 3, p. e0116943, 2015.

[233] D. J. Bernstein, “Curve25519: new diffie-hellman speed records,” in International Workshop on Public Key Cryptography, pp. 207–228, Springer, 2006.

[234] E. Rescorla, “Rfc2631: Diffie-hellman key agreement method,” 1999.

[235] L. Chappell, “Inside the tcp handshake,” NetWare Connection, 2000.

[236] M. Van Os and C. Cranfill, “Digital handshake for authentication of devices,” Oct. 7 2014. US Patent 8,856,901.

[237] R. Bruce, M. O. Fuentes, and R. B. David, “Input-output device and storage controller handshake protocol using key exchange for data security,” Apr. 24 2012. US Patent 8,165,301.

[238] W. Shi, J. Cao, Q. Zhang, Y. Li, and L. Xu, “Edge computing: Vision and challenges,” IEEE internet of things journal, vol. 3, no. 5, pp. 637–646, 2016.

193 Bibliography

[239] M. Satyanarayanan, “The emergence of edge computing,” Computer, vol. 50, no. 1, pp. 30–39, 2017.

[240] D. Eastlake and P. Jones, “Us secure hash algorithm 1 (sha1),” 2001.

[241] Q. H. Dang, “Sp 800-107. recommendation for applications using approved hash algo- rithms,” 2009.

[242] E. Krishnamurthy and V. K. Murthy, “Fast iterative division of p-adic numbers,” IEEE transactions on computers, no. 4, pp. 396–398, 1983.

[243] J. H. Cheon and D. Stehlé, “Fully homomophic encryption over the integers revisited,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 513–536, Springer, 2015.

[244] J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, and A. Yun, “Batch fully homomorphic encryption over the integers,” in Annual International Con- ference on the Theory and Applications of Cryptographic Techniques, pp. 315–335, Springer, 2013.

[245] J.-S. Coron, T. Lepoint, and M. Tibouchi, “Scale-invariant fully homomorphic en- cryption over the integers,” in International Workshop on Public Key Cryptography, pp. 311–328, Springer, 2014.

[246] R. L. Rivest and A. T. Sherman, “Randomized encryption techniques,” in Advances in Cryptology, pp. 145–163, Springer, 1983.

[247] E. Krishnamurthy, “On the conversion of hensel codes to farey rationals,” IEEE trans- actions on computers, vol. 100, no. 4, pp. 331–337, 1983.

[248] T. M. Rao, K. Subramanian, and E. Krishnamurthy, “Residue arithmetic algorithms for exact computation of g-inverses of matrices,” SIAM Journal on Numerical Analysis, vol. 13, no. 2, pp. 155–171, 1976.

[249] J. C. Lagarias, “The computational complexity of simultaneous diophantine approxi- mation problems,” SIAM Journal on Computing, vol. 14, no. 1, pp. 196–209, 1985.

194 Bibliography

[250] N. Howgrave-Graham, “Approximate integer common divisors,” in International Cryp- tography and Lattices Conference, pp. 51–66, Springer, 2001.

[251] W. Beullens, N. Smart, and F. Vercauteren. Personal communication.

[252] R. Rothblum, “Homomorphic encryption: From private-key to public-key,” in Theory of cryptography conference, pp. 219–234, Springer, 2011.

[253] R. Kannan, “Minkowski’s convex body theorem and integer programming,” Mathe- matics of operations research, vol. 12, no. 3, pp. 415–440, 1987.

[254] A. K. Lenstra, H. W. Lenstra, and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische annalen, vol. 261, no. ARTICLE, pp. 515–534, 1982.

[255] V. Vaikuntanathan, “(32) the mathematics of lattices i - youtube.” https : / / www . youtube . com / watch ? v = LlPXfy6bKIY, May 2015. (Accessed on 09/26/2020).

[256] M. Ajtai, “Generating hard instances of lattice problems,” in Proceedings of the twenty- eighth annual ACM symposium on Theory of computing, pp. 99–108, 1996.

[257] O. Goldreich, S. Goldwasser, and S. Halevi, “Collision-free hashing from lattice prob- lems.,” IACR Cryptol. ePrint Arch., vol. 1996, p. 9, 1996.

[258] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM (JACM), vol. 56, no. 6, pp. 1–40, 2009.

[259] M. Ajtai and C. Dwork, “A public-key cryptosystem with worst-case/average-case equivalence,” in Proceedings of the twenty-ninth annual ACM symposium on Theory of computing, pp. 284–293, 1997.

[260] O. Goldreich, S. Goldwasser, and S. Halevi, “Public-key cryptosystems from lattice reduction problems,” in Annual International Cryptology Conference, pp. 112–131, Springer, 1997.

[261] J. Hoffstein, J. Pipher, and J. H. Silverman, “Ntru: A ring-based public key cryptosys- tem,” in International Algorithmic Number Theory Symposium, pp. 267–288, Springer, 1998.

195 Bibliography

[262] C. Peikert, V. Vaikuntanathan, and B. Waters, “A framework for efficient and compos- able oblivious transfer,” in Annual international cryptology conference, pp. 554–571, Springer, 2008.

[263] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the fortieth annual ACM symposium on Theory of computing, pp. 197–206, 2008.

[264] M. Ajtai, “Generating hard instances of the short basis problem,” in International Colloquium on Automata, Languages, and Programming, pp. 1–9, Springer, 1999.

[265] D. Micciancio and C. Peikert, “Trapdoors for lattices: Simpler, tighter, faster, smaller,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 700–718, Springer, 2012.

[266] S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Attribute-based encryption for cir- cuits,” Journal of the ACM (JACM), vol. 62, no. 6, pp. 1–33, 2015.

[267] S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Predicate encryption for circuits from lwe,” in Annual Cryptology Conference, pp. 503–523, Springer, 2015.

[268] P. Lounesto, “Clifford algebras and hestenes spinors,” Foundations of physics, vol. 23, no. 9, pp. 1203–1237, 1993.

[269] V. V. Williams, “Multiplying matrices in o n2.373 time,” preprint, 2014.  [270] D. Coppersmith and S. Winograd, “Matrix multiplication via arithmetic progressions,” in Proceedings of the nineteenth annual ACM symposium on Theory of computing, pp. 1–6, 1987.

[271] J. Alman and V. V. Williams, “A refined laser method and faster matrix multiplica- tion,” arXiv preprint arXiv:2010.05846, 2020.

[272] D. Coppersmith and S. Winograd, “On the asymptotic complexity of matrix multipli- cation,” SIAM Journal on Computing, vol. 11, no. 3, pp. 472–492, 1982.

196 Bibliography

[273] A. J. Stothers, “On the complexity of matrix multiplication,” 2010.

[274] A. Blum, M. Furst, M. Kearns, and R. J. Lipton, “Cryptographic primitives based on hard learning problems,” in Annual International Cryptology Conference, pp. 278–291, Springer, 1993.

[275] M. Alekhnovich, “More on average case vs approximation complexity,” in 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings., pp. 298– 307, IEEE, 2003.

[276] U. Kraeft, Fractions, continued fractions, and p-adic numbers. Berichte aus der Math- ematik, Shaker Verlag, 2007.

[277] U. Kraeft, From algebraic to transcendental numbers. Aachen: Shaker, 2007.

[278] H. Weber, “Lehrbuch der algebra,” Bull. Amer. Math. Soc, vol. 4, pp. 200–234, 1898.

[279] A. Table, “Ascii table,” 2007.

[280] D. Micciancio and C. Peikert, “Hardness of sis and lwe with small parameters,” in Annual Cryptology Conference, pp. 21–39, Springer, 2013.

[281] G. J. Simmons, “Symmetric and asymmetric encryption,” ACM Computing Surveys (CSUR), vol. 11, no. 4, pp. 305–330, 1979.

[282] A. Juels and M. Peinado, “Hiding cliques for cryptographic security,” Designs, Codes and Cryptography, vol. 20, no. 3, pp. 269–280, 2000.

[283] S. E. Dreyfus, “An appraisal of some shortest-path algorithms,” Operations research, vol. 17, no. 3, pp. 395–412, 1969.

APPENDIX A

Installation and Usage Guides

We provide access to projects that implement the ideas discussed in this work. All projects are written in the Ruby programming language and require Ruby to be installed on your system. There are several options for downloading and installing Ruby: https://www.ruby-lang.org/en/downloads/ . The projects use only Ruby standard libraries, so once you have Ruby installed (version 2.6.3 or greater), you have everything required to run the code. We tested our implementation on Mac OSX version 10.13.6 with ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin17]. Once Ruby is installed on your machine, from the command line and in the root directory of the project, run the tests to check the code with the following command:

$ rake

You should get a result similar to the following:

Run options: --seed 9109

# Running:

......

Finished in 5.316182s, 2.0692 runs/s, 9.0290 assertions/s.

11 runs, 48 assertions, 0 failures, 0 errors, 0 skips

You can also run code from the Ruby Interactive Shell (IRB). From the project’s root directory, execute the following command on the terminal:

$ irb

All the projects cited next have usage instructions on the provided URL.

A.1 (Towards) FHE with CRT and GA

(Towards) a fully homomorphic encryption scheme Ruby library based on Hensel code, Chinese Remainder Theorem and Geometric Algebra. The source code can be found in https://github.com/davidwilliam/fhe-crt-ga .

A.2 Clifford Crypto

Clifford Crypto is a Ruby library for cryptographic tools in Ruby. The source code can be found in https://github.com/davidwilliam/clifford-crypto .

A.3 Clifford GA Ruby

Clifford GA Ruby is a Ruby library for data representation and data concealment with Ruby. The source code can be found in https://github.com/davidwilliam/clifford-ga-ruby.

A.4 Clifford SWHE and Key Update

Clifford SWHE and Key Update is a Ruby library for a somewhat homomorphic encryption scheme and a key update protocol based on Clifford geometric algebra. The source code can be found in https://github.com/davidwilliam/clifford-key-update .


A.5 SWHE Image Encryption

SWHE Image Encryption is a Ruby code for an SWHE for Image Processing. The source code can be found in https://github.com/davidwilliam/swhe-image .

A.6 Multiple Secret Hensel Codes (MSH Code)

Multiple Secret Hensel Codes (MSH Code) is a Ruby code for the MSH Code library, a lightweight, probabilistic, general purpose, fully homomorphic data encoding mechanism. The source code can be found in https://github.com/davidwilliam/ruby-msh-code .

A.7 p-adic Crypto Ruby

p-adic Crypto Ruby is a Ruby code for a leveled FHE scheme. The source code can be found in https://github.com/davidwilliam/p-adic-crypto-ruby .

APPENDIX B

Highlights and Demonstrations

Now we demonstrate the use of the developed software for the libraries listed in Appendix A.

B.1 (Towards) FHE with CRT and GA

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next, we list command snippets for specific cases that can be executed in IRB.

Key Generation: Require the file that will boot the entire project in IRB:

> require './x'

Create the ’x’ object with the required secret and public variables by passing a configuration for depth (first argument) and security parameter (second argument):

> x = X::FHE.new(8,128)

Encrypt the number 231:

> c1 = x.encrypt(231)

Encrypt the number 209:

> c2 = x.encrypt(209)

Add c1 and c2:

> c1_add_c2 = c1 + c2

Multiply c1 and c2:

> c1_mul_c2 = c1 * c2

Decrypt c1_add_c2:

> x.decrypt(c1_add_c2)

As a result you should get:

=> (440/1)

Decrypt c1_mul_c2:

> x.decrypt(c1_mul_c2)

As a result you should get:

=> (48279/1)


B.2 Clifford Crypto

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next, we list command snippets for specific cases that can be executed in IRB.

Working with multivectors

Require the file that will boot the entire project in IRB:

> require './boot'

Creating a multivector:

> m = Clifford::Multivector3D.new [2,3,4,5,6,7,8,9]

which returns

=> 2e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 9e123

Clifford conjugation:

> m.clifford_conjugation

or

> m.cc


=> 2e0 + -3e1 + -4e2 + -5e3 + -6e12 + -7e13 + -8e23 + 9e123

Reverse:

> m.reverse

=> 2e0 + 3e1 + 4e2 + 5e3 + -6e12 + -7e13 + -8e23 + -9e123

Amplitude squared:

> m.amplitude_squared

=> 22e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + -16e123

Rationalize:

> m.rationalize

=> 740e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Inverse:

> m.inverse

=> -5/37e0 + 31/370e1 + -10/37e2 + -7/370e3 + -53/185e12 + -9/74e13 + -56/185e23 + 23/74e123

Geometric product:

> m.geometric_product(m.inverse)

or

> m.gp(m.inverse)


=> 1e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

> m.gp(m)

=> -176e0 + -132e1 + 142e2 + -88e3 + 114e12 + -44e13 + 86e23 + 88e123

Addition:

> m.plus(m)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123

Subtraction:

> m.minus(m)

=> 0e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Scalar division:

> m.scalar_div(2)

=> 1e0 + 3/2e1 + 2e2 + 5/2e3 + 3e12 + 7/2e13 + 4e23 + 9/2e123

Scalar multiplication:

> m.scalar_mul(2)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123


All multivectors M in Cl(3,0) can be decomposed as M = Z + F. Obtaining Z:

> m.z

=> 2e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 9e123

Obtaining F:

> m.f

=> 0e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 0e123

Obtaining F squared:

> m.f2

=> -99e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 52e123

Obtaining the eigenvalues of a multivector:

> m.eigenvalues

=> [(4.5323662175072155+19.26707741568027i), (-0.5323662175072155-1.2670774156802675i)]

Working with multivectors and modular arithmetic

In order to create a multivector m with modulus 257 (a prime number, so it is guaranteed that all numbers less than 257 have a multiplicative inverse with respect to 257), we execute:


> m = Clifford::Multivector3DMod.new [2,3,4,5,6,7,8,9], 257

=> 2e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 9e123

All the multivector functions shown previously are reduced modulo the given modulus. Here are a few examples:

> m.gp(m)

=> 81e0 + 125e1 + 142e2 + 169e3 + 114e12 + 213e13 + 86e23 + 88e123

> m.scalar_div(2)

=> 1e0 + 130e1 + 2e2 + 131e3 + 3e12 + 132e13 + 4e23 + 133e123

> m.inverse

=> 111e0 + 255e1 + 222e2 + 216e3 + 40e12 + 177e13 + 115e23 + 233e123
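The operations listed above, as an added example that is not the Clifford Crypto library's own code: a minimal Cl(3,0) multivector class in Ruby that reproduces the exact-rational results and the modulo-257 results printed in this section. The class name Cl30 and its method names are this example's own assumptions; the basis order and the conventions behind each operation (Clifford conjugation negates grades 1 and 2, reverse negates grades 2 and 3, the amplitude squared is M times its Clifford conjugate, rationalize is the amplitude squared times its own reverse, and the inverse is the Clifford conjugate times the reverse of the amplitude squared, divided by rationalize) are inferred from the outputs shown above.

```ruby
# Added example, not the Clifford Crypto library's own code: a minimal Cl(3,0)
# multivector with exact Rational coefficients or, when a prime q is given,
# coefficients reduced modulo q. Class and method names are this example's own.
# Basis order matches the library's printout: e0 e1 e2 e3 e12 e13 e23 e123.
class Cl30
  BLADES = [0b000, 0b001, 0b010, 0b100, 0b011, 0b101, 0b110, 0b111].freeze
  NAMES  = %w[e0 e1 e2 e3 e12 e13 e23 e123].freeze
  GRADE  = BLADES.map { |b| b.to_s(2).count("1") }.freeze # 0,1,1,1,2,2,2,3
  INDEX  = BLADES.each_with_index.to_h.freeze             # bitmask -> position

  attr_reader :c, :q

  def initialize(coeffs, q = nil)
    @q = q
    @c = coeffs.map { |x| normalize(x) }
  end

  # Sign of the basis blade product a*b (a, b as bitmasks): one -1 for each
  # pair of basis vectors e_i (in a), e_j (in b) with i > j that must be
  # swapped to restore ascending order. All e_k square to +1 in Cl(3,0).
  def self.sign(a, b)
    swaps = 0
    a >>= 1
    while a > 0
      swaps += (a & b).to_s(2).count("1")
      a >>= 1
    end
    swaps.odd? ? -1 : 1
  end

  # Geometric product: blade masks combine by XOR, coefficients by sign*x*y
  def gp(other)
    out = Array.new(8, 0)
    BLADES.each_with_index do |ba, i|
      BLADES.each_with_index do |bb, j|
        out[INDEX[ba ^ bb]] += Cl30.sign(ba, bb) * c[i] * other.c[j]
      end
    end
    Cl30.new(out, q)
  end

  def plus(o);  Cl30.new(c.zip(o.c).map { |x, y| x + y }, q); end
  def minus(o); Cl30.new(c.zip(o.c).map { |x, y| x - y }, q); end
  def scalar_mul(k); Cl30.new(c.map { |x| x * k }, q); end

  # Exact division over the rationals, or a Fermat inverse when working mod q
  def scalar_div(k)
    return Cl30.new(c.map { |x| x / Rational(k) }, nil) unless q
    raise ZeroDivisionError, "#{k} is not invertible mod #{q}" if k % q == 0
    Cl30.new(c.map { |x| x * k.pow(q - 2, q) }, q)
  end

  def cc;      flip_grades(1, 2); end  # Clifford conjugation
  def reverse; flip_grades(2, 3); end
  def z;  keep_grades(0, 3); end       # scalar + pseudoscalar part
  def f;  minus(z); end                # vector + bivector part
  def f2; f.gp(f); end

  # M * cc(M) always has the form a + b*e123 because the Z part commutes with
  # every element of Cl(3,0); one more product with its reverse gives a scalar.
  def amplitude_squared; gp(cc); end
  def rationalize
    a = amplitude_squared
    a.gp(a.reverse).c[0]
  end
  def inverse
    r = rationalize
    raise ZeroDivisionError, "multivector is not invertible" if r == 0
    cc.gp(amplitude_squared.reverse).scalar_div(r)
  end

  def to_s
    c.each_with_index.map { |x, i| "#{fmt(x)}#{NAMES[i]}" }.join(" + ")
  end

  private

  def normalize(x); q ? x.to_i % q : Rational(x); end
  def flip_grades(*gs); Cl30.new(c.each_with_index.map { |x, i| gs.include?(GRADE[i]) ? -x : x }, q); end
  def keep_grades(*gs); Cl30.new(c.each_with_index.map { |x, i| gs.include?(GRADE[i]) ? x : 0 }, q); end
  def fmt(x); x.denominator == 1 ? x.numerator.to_s : "#{x.numerator}/#{x.denominator}"; end
end

if __FILE__ == $PROGRAM_NAME
  m = Cl30.new([2, 3, 4, 5, 6, 7, 8, 9])
  puts m.gp(m)        # -176e0 + -132e1 + 142e2 + -88e3 + 114e12 + -44e13 + 86e23 + 88e123
  puts m.inverse      # -5/37e0 + 31/370e1 + ... + 23/74e123
  puts Cl30.new([2, 3, 4, 5, 6, 7, 8, 9], 257).inverse   # 111e0 + 255e1 + ...
end
```

The point worth noticing is why the inverse is cheap: because Z = scalar + pseudoscalar is central in Cl(3,0), the amplitude squared M cc(M) is itself of Z type, so inverting a general multivector reduces to two products and one scalar division instead of solving an 8x8 linear system. In the modular variant that scalar division is a multiplication by a modular inverse, which is only guaranteed to exist for every nonzero scalar when the modulus is prime, the reason the section above chooses 257 and 65537.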

Tools

Random number:

> bits = 16

> Clifford::Tools.random_number(bits)

=> 33756

Random prime:

> Clifford::Tools.random_prime(bits)

=> 49499

Next prime:

> Clifford::Tools.next_prime(19222)

=> 19231

Number to multivector:

> n = 34985

> b = 8

> Clifford::Tools.number_to_multivector(n,b)

=> 169e0 + 136e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

> n = 18169120281480229197

> m = Clifford::Tools.number_to_multivector(n,b)

> Clifford::Tools.multivector_to_number(m,b)

=> 18169120281480229197

Number to multivector with modulus:

> b = 16

> q = Clifford::Tools.next_prime(2**b)

=> 65537

> n = 155255861474355364696744344743093116292

> m = Clifford::Tools.number_to_multivector_mod(n,b,q)

=> 40324e0 + 22750e1 + 2092e2 + 50819e3 + 18412e12 + 50885e13 + 12534e23 + 29901e123

String to multivector:

> s = "Clifford"

> m = Clifford::Tools.string_to_multivector(s,b)

=> 100e0 + 114e1 + 111e2 + 102e3 + 102e12 + 105e13 + 108e23 + 67e123

String to multivector with modulus:

> s = "Clifford geometric algebra"

> m = Clifford::Tools.string_to_multivector_mod(s,b,q)

=> 29281e0 + 25954e1 + 27751e2 + 8289e3 + 26979e12 + 29810e13 + 28005e23 + 25967e123

Random multivector:

> m = Clifford::Tools.generate_random_multivector(b)

=> 44981e0 + 50764e1 + 52829e2 + 39937e3 + 50099e12 + 58945e13 + 36262e23 + 56362e123

Random multivector with modulus:

> m = Clifford::Tools.generate_random_multivector_mod(b,q)

=> 60703e0 + 43439e1 + 52290e2 + 37782e3 + 59922e12 + 33501e13 + 40135e23 + 57261e123

Random non-invertible multivector:

> m = Clifford::Tools.generate_random_multivector_mod_ni(b,q)

=> 49726e0 + 35271e1 + 50769e2 + 49726e3 + 31036e12 + 35271e13 + 50769e23 + 31036e123

Number to random multivector with modulus:

> m = Clifford::Tools.number_to_random_multivector_mod(n,b,q)

=> 41072e0 + 33223e1 + 42126e2 + 1274e3 + 62091e12 + 52417e13 + 58782e23 + 49587e123

Key Exchange Protocol

Let l (lambda) be l=256. Alice generates her private and public identification:

> party1 = Clifford::Party.new(l,1)

=> #

Bob generates his identification:

> party2 = Clifford::Party.new(l,2)

=> #

Alice computes the public communication identifier between her and Bob:

> party1.set_public_communication_identifier(party2.pu)

=> 4210356305e0 + 4089303194e1 + 14255468e2 + 529900161e3 + 2901154698e12 + 2157868276e13 + 322773276e23 + 2455086363e123

Bob computes the public communication identifier between him and Alice:

> party2.set_public_communication_identifier(party1.pu)

=> 4210356305e0 + 4089303194e1 + 14255468e2 + 529900161e3 + 2901154698e12 + 2157868276e13 + 322773276e23 + 2455086363e123

Alice computes her subkey:

> party1.generate_sub_key

=> 18112708e0 + 68617604e1 + 2673310093e2 + 1016875217e3 + 1995411623e12 + 1569928174e13 + 347823432e23 + 1123480071e123

Bob computes his subkey:

> party2.generate_sub_key

=> 1160333216e0 + 1302916347e1 + 2392935595e2 + 3572898714e3 + 857440264e12 + 550001767e13 + 3937478375e23 + 2290586975e123

Alice computes the shared secret key by processing Bob’s subkey:

> party1.exchange(party2.s)

=> 1508356315e0 + 3213603373e1 + 3757510450e2 + 2495228342e3 + 1118860303e12 + 1019561553e13 + 1508301431e23 + 2912177267e123

Bob computes the shared secret key by processing Alice’s subkey:

> party2.exchange(party1.s)

=> 1508356315e0 + 3213603373e1 + 3757510450e2 + 2495228342e3 + 1118860303e12 + 1019561553e13 + 1508301431e23 + 2912177267e123

Alice and Bob now share the same secret key:

> party1.k

=> 1508356315e0 + 3213603373e1 + 3757510450e2 + 2495228342e3 + 1118860303e12 + 1019561553e13 + 1508301431e23 + 2912177267e123

> party2.k

=> 1508356315e0 + 3213603373e1 + 3757510450e2 + 2495228342e3 + 1118860303e12 + 1019561553e13 + 1508301431e23 + 2912177267e123

Edge Computing Communication Simulation

Let l (lambda) be l=256.

Initiate the server:

> server = Clifford::EdgeServer.new(l)

=> #

Initiate the device:

> device = Clifford::EdgeDevice.new(l)

=> #>

Initiate an access request from the device to the server:

> pu_1,s_1 = server.initiate_request(device.party.pu)

=> [3609741775e0 + 4033861436e1 + 2472252217e2 + 3383726549e3 + 2789401950e12 + 3574581422e13 + 4088312480e23 + 2917855981e123, 3689229509e0 + 2433374628e1 + 2558452138e2 + 2824421460e3 + 755547577e12 + 3020689430e13 + 2448557229e23 + 1399424609e123]

Exchange the server’s subkey with the device so both can share the same secret key for a one time access:

> pu_2,s_2 = device.exchange(pu_1,s_1)

=> [3187110577e0 + 3386054633e1 + 4028910751e2 + 3389217251e3 + 2436110671e12 + 3215888003e13 + 3967274834e23 + 3898096089e123, 1487110752e0 + 1407463346e1 + 764696177e2 + 1913394294e3 + 1903366650e12 + 3438111503e13 + 3142483320e23 + 267123246e123]

The server registers the device as an authorized device:

> server.register(pu_2,s_2)

The device requests access to an object with ID = 3. The server processes the request and, if the request is valid, responds with an encrypted object:

> c = server.request_data(pu_2,3)

=> 2244895724e0 + 1214249872e1 + 3596991337e2 + 3751755225e3 + 2529704933e12 + 1974934899e13 + 534947787e23 + 2910596580e123

The device receives and decrypts the encrypted object:

> d = device.receive_data(c)

=> 3429580229e0 + 2749926600e1 + 2173909838e2 + 4224153541e3 + 4207097895e12 + 3873964047e13 + 3107259472e23 + 4195818052e123

And we can check that d is the object with index 3 from the server data:

> server.data[3]

=> 3429580229e0 + 2749926600e1 + 2173909838e2 + 4224153541e3 + 4207097895e12 + 3873964047e13 + 3107259472e23 + 4195818052e123

Hash Algorithm

Let s = "Clifford geometric algebra"

Compute the hash value of s as follows:

> Clifford::Hash.new(256,s)

=> fe97a5f31fc86359cea5ff77de2740bd2016b1af7ea0f5f31283a3e31bf7666

Private-Key Encryption Scheme

Let l = 256 and let m_10 be the number we want to encrypt:

> m_10 = 784

We instantiate the crypto object as follows:

> crypto = Clifford::Crypto.new l

=> #

Encrypt m_10:

> c = crypto.encrypt(m_10)

=> 1928814270e0 + 2450327391e1 + 742280819e2 + 3744386726e3 + 1432075849e12 + 1021926058e13 + 106172601e23 + 806413551e123

Decrypt c:

> crypto.decrypt(c)

=> 784

B.3 Clifford GA Ruby

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next are command snippets for specific cases that can be executed in IRB.

Working with multivectors

Require the file that will boot the entire project in IRB:

> require './boot'

Creating a multivector:

> m = Clifford::Multivector3D.new [2,3,4,5,6,7,8,9]

which returns

=> 2e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 9e123

Clifford conjugation:

> m.clifford_conjugation or > m.cc

=> 2e0 + -3e1 + -4e2 + -5e3 + -6e12 + -7e13 + -8e23 + 9e123

Reverse:

> m.reverse

=> 2e0 + 3e1 + 4e2 + 5e3 + -6e12 + -7e13 + -8e23 + -9e123

Amplitude squared:

> m.amplitude_squared

=> 22e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + -16e123

Rationalize:

> m.rationalize

=> 740e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Inverse:

> m.inverse

=> -5/37e0 + 31/370e1 + -10/37e2 + -7/370e3 + -53/185e12 + -9/74e13 + -56/185e23 + 23/74e123

Geometric product:

> m.geometric_product(m.inverse) or > m.gp(m.inverse)

=> 1e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

> m.gp(m)

=> -176e0 + -132e1 + 142e2 + -88e3 + 114e12 + -44e13 + 86e23 + 88e123

Addition:

> m.plus(m)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123

Subtraction:

> m.minus(m)

=> 0e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Scalar division:

> m.scalar_div(2)

=> 1e0 + 3/2e1 + 2e2 + 5/2e3 + 3e12 + 7/2e13 + 4e23 + 9/2e123

Scalar multiplication:

> m.scalar_mul(2)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123

All multivectors M in Cl(3,0) can be decomposed as M = Z + F. Obtaining Z:

> m.z

=> 2e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 9e123

Obtaining F:

> m.f

=> 0e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 0e123

Obtaining F squared:

> m.f2

=> -99e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 52e123

Obtaining the eigenvalues of a multivector:

> m.eigenvalues

=> [(4.5323662175072155+19.26707741568027i), (-0.5323662175072155-1.2670774156802675i)]

Packing multivectors

Clifford Eigenvalue Packing Scheme

> a = Clifford::Packing.cep_forward(23)

=> 181/2e0 + -35507199447/428048393e1 + -68935712985/856096786e2 + 144683344314/428048393e3 + -29616707322/428048393e12 + 145732761090/428048393e13 + 20785971411/428048393e23 + 0e123

> b = Clifford::Packing.cep_forward(18)

=> 111e0 + -244605151746/2140241965e1 + -47489046723/428048393e2 + 996707483052/2140241965e3 + -204026205996/2140241965e12 + 200787359724/428048393e13 + 143192247498/2140241965e23 + 0e123

Recovering the packed message:

> Clifford::Packing.cep_backward(a)

=> 23

> Clifford::Packing.cep_backward(b)

=> 18

Addition:

> a_plus_b = a.plus(b)

=> 403/2e0 + -422141148981/2140241965e1 + -163913806431/856096786e2 + 1720124204622/2140241965e3 + -352109742606/2140241965e12 + 346520120814/428048393e13 + 247122104553/2140241965e23 + 0e123

> Clifford::Packing.cep_backward(a_plus_b)

=> 41

Multiplication:

> a_times_b = a.gp(b)

=> 16323e0 + -41843261926098/2140241965e1 + -8123690799099/428048393e2 + 170501283310476/2140241965e3 + -34901644206348/2140241965e12 + 34347592536012/428048393e13 + 24495112531674/2140241965e23 + 0e123

> Clifford::Packing.cep_backward(a_times_b)

=> 414

Complex Magnitude Squared Packing Scheme

> a = Clifford::Packing.cmsp_forward(26)

=> 6.471338332083668+31.438854634950513ie0 + 4.906228887222669+41.4679929927055ie1 + 22e2 + 29e3 + 19e12 + 22e13 + 18e23 + 24e123

> b = Clifford::Packing.cmsp_forward(41)

=> -103.99587604803894-2.337670283500854ie0 + -94.53195854374974-2.5717024463389007ie1 + 52e2 + 49e3 + 38e12 + 36e13 + 56e23 + 51e123

Multiplication:

> a_times_b = a.gp(b)

=> -2137.6509095698448-7217.307040332529ie0 + -3020.185983839764-7312.5882643378845ie1 + 1275.1442302572004+3208.0377749836557ie2 + -2027.457499218519+3022.136640447904ie3 + 2675.8162018045127+3363.173830181745ie12 + -1063.1090798591918+3186.881048207597ie13 + -3806.080154069653+3771.64457837006ie23 + -3495.689206319693+3823.1944631358633ie123

> Clifford::Packing.cmsp_backward(a_times_b)

=> 1066

Concealing multivectors

Clifford Sylvester’s Equation Concealment Scheme

First, pack two multivectors A and B:

> a = Clifford::Packing.cep_forward(12)

=> 74e0 + -163070101164/2140241965e1 + -31659364482/428048393e2 + 664471655368/2140241965e3 + -136017470664/2140241965e12 + 133858239816/428048393e13 + 95461498332/2140241965e23 + 0e123

> b = Clifford::Packing.cep_forward(19)

=> 177/2e0 + -182796323079/2140241965e1 + -70978252629/856096786e2 + 744851291098/2140241965e3 + -152471196954/2140241965e12 + 150050768826/428048393e13 + 107009260227/2140241965e23 + 0e123

Generate a tuple of secret keys:

> k = Clifford::Tools.generate_regular_keys

=> [189e0 + 216e1 + 202e2 + 222e3 + 152e12 + 172e13 + 202e23 + 187e123, 184e0 + 235e1 + 176e2 + 225e3 + 148e12 + 177e13 + 144e23 + 145e123]

Conceal:

> ca = Clifford::Concealment.csec_forward(k,a)

=> -618818306222/428048393e0 + -19501147572462/2140241965e1 + 265089164434222/2140241965e2 + 361931982799054/2140241965e3 + 263927103941858/2140241965e12 + 352630738821406/2140241965e13 + 51070915692586/2140241965e23 + -3998489933290/428048393e123

> cb = Clifford::Concealment.csec_forward(k,b)

=> 384383003877/856096786e0 + -33009163124779/4280483930e1 + 603290221657139/4280483930e2 + 822044307451883/4280483930e3 + 598832474024101/4280483930e12 + 798864039917347/4280483930e13 + 122715122589577/4280483930e23 + -7387370951481/856096786e123

Addition over concealed data:

> ca_plus_cb = ca.plus(cb)

=> -853253608567/856096786e0 + -72011458269703/4280483930e1 + 1133468550525583/4280483930e2 + 1545908273049991/4280483930e3 + 1126686681907817/4280483930e12 + 1504125517560159/4280483930e13 + 224856953974749/4280483930e23 + -15384350818061/856096786e123

> a_plus_b = Clifford::Concealment.csec_backward(k,ca_plus_cb)

=> 325/2e0 + -345866424243/2140241965e1 + -134296981593/856096786e2 + 1409322946466/2140241965e3 + -288488667618/2140241965e12 + 283909008642/428048393e13 + 202470758559/2140241965e23 + 0e123

> Clifford::Packing.cep_backward(a_plus_b)

=> 31

Modular Concealment Scheme

First, generate modular secret keys:

> k = Clifford::Tools.generate_modular_keys

=> [449/2e0 + 9205570227/2140241965e1 + 3574444377/856096786e2 + -37510496674/2140241965e3 + 7678405602/2140241965e12 + -7556513538/428048393e13 + -5388955551/2140241965e23 + 0e123, 351/2e0 + 74959643277/2140241965e1 + 29106189927/856096786e2 + -305442615774/2140241965e3 + 62524159902/2140241965e12 + -61531610238/428048393e13 + -43881495201/2140241965e23 + 0e123]

Create two multivectors A and B:

> a = Clifford::Packing.cep_forward(22)

=> 159/2e0 + -30246873603/428048393e1 + -58723014765/856096786e2 + 123248774786/428048393e3 + -25229046978/428048393e12 + 124142722410/428048393e13 + 17706568239/428048393e23 + 0e123

> b = Clifford::Packing.cep_forward(25)

=> 129e0 + -273536943888/2140241965e1 + -53106030744/428048393e2 + 1114597615456/2140241965e3 + -228158337888/2140241965e12 + 224536402272/428048393e13 + 160128964944/2140241965e23 + 0e123

Conceal:

> ca = Clifford::Concealment.mc_forward(k,a)

=> 14908785/2e0 + 947656906366827/428048393e1 + 1839835456554885/856096786e2 + -3861475210965874/428048393e3 + 790444689377202/428048393e12 + -3889483250769690/428048393e13 + -554759870391351/428048393e23 + 0e123

> cb = Clifford::Concealment.mc_forward(k,b)

=> 16241565/2e0 + 3841917117527769/2140241965e1 + 1491783637407819/856096786e2 + -15654893255403878/2140241965e3 + 3204559542777894/2140241965e12 + -3153688255543686/428048393e13 + -2249064432343197/2140241965e23 + 0e123

> ca_times_cb = ca.gp(cb)

=> 63167002896385e0 + 13423547250531991237194/428048393e1 + 13030622168392992896235/428048393e2 + -54697744091672128203228/428048393e3 + 11196638325009710340444/428048393e12 + -55094477596356546423180/428048393e13 + -7858166054471528380722/428048393e23 + 0e123

> a_times_b = Clifford::Concealment.mc_backward(k,ca_times_cb)

=> 29521e0 + -76198450013262/2140241965e1 + -14793604006581/428048393e2 + 310490456897844/2140241965e3 + -63557453913012/2140241965e12 + 62548501059828/428048393e13 + 44606694648006/2140241965e23 + 0e123

> Clifford::Packing.cep_backward(a_times_b)

=> 550

B.4 Clifford SWHE and Key Update

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next are command snippets for specific cases that can be executed in IRB.

Working with multivectors and modular arithmetic

Require the file that will boot the entire project in IRB:

> require './boot'

In order to create a multivector m with modulus 257 (a prime number, so it is guaranteed that all numbers less than 257 have a multiplicative inverse with respect to 257), we execute:

> m = Clifford::Multivector3DMod.new [2,3,4,5,6,7,8,9], 257

=> 2e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 9e123

Clifford conjugation:

> m.clifford_conjugation or

> m.cc

=> 2e0 + 254e1 + 253e2 + 252e3 + 251e12 + 250e13 + 249e23 + 9e123

Reverse:

> m.reverse

=> 2e0 + 3e1 + 4e2 + 5e3 + 251e12 + 250e13 + 249e23 + 248e123

Amplitude squared:

> m.amplitude_squared

=> 22e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + -16e123

Rationalize:

> m.rationalize

=> 226e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Inverse:

> m.inverse

=> 111e0 + 255e1 + 222e2 + 216e3 + 40e12 + 177e13 + 115e23 + 233e123

Geometric product:

> m.geometric_product(m.inverse) or > m.gp(m.inverse)

=> 1e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

> m.gp(m)

=> 81e0 + 125e1 + 142e2 + 169e3 + 114e12 + 213e13 + 86e23 + 88e123

Addition:

> m.plus(m)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123

Subtraction:

> m.minus(m)

=> 0e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123

Scalar division:

> m.scalar_div(2)

=> 1e0 + 130e1 + 2e2 + 131e3 + 3e12 + 132e13 + 4e23 + 133e123

Scalar multiplication:

> m.scalar_mul(2)

=> 4e0 + 6e1 + 8e2 + 10e3 + 12e12 + 14e13 + 16e23 + 18e123

All multivectors M in Cl(3,0) can be decomposed as M = Z + F. Obtaining Z:

> m.z

=> 2e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 9e123

Obtaining F:

> m.f

=> 0e0 + 3e1 + 4e2 + 5e3 + 6e12 + 7e13 + 8e23 + 0e123

Obtaining F squared:

> m.f2

=> 158e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 52e123
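The operations exercised in this session and in the B.3 session above (geometric product, Clifford conjugation, reverse, amplitude squared, rationalize, inverse, scalar division and the Z + F split) can be checked against a small stand-alone implementation. The following is an added example, not the dissertation's Clifford GA Ruby library: the class name Mv3 and its method names are assumptions chosen to mirror the sessions, and the values it reproduces are the ones printed above for [2,3,4,5,6,7,8,9], with and without the modulus 257.

```ruby
# Added example, not the dissertation's Clifford GA Ruby library: a minimal
# Cl(3,0) multivector over Rational (q = nil) or over Z_q (q a prime) that
# reproduces the operations shown in the IRB sessions above. The class and
# method names are assumptions chosen to mirror those sessions.
class Mv3
  BASIS = %w[e0 e1 e2 e3 e12 e13 e23 e123].freeze
  attr_reader :c, :q

  # c: eight coefficients in BASIS order; q: optional prime modulus
  def initialize(c, q = nil)
    @q = q
    @c = q ? c.map { |x| x.to_i % q } : c.map { |x| Rational(x) }
  end

  # Extended Euclid: [g, x, y] with a*x + b*y = g = gcd(a, b)
  def self.egcd(a, b)
    return [b, 0, 1] if a.zero?
    g, x, y = egcd(b % a, a)
    [g, y - (b / a) * x, x]
  end

  def self.modinv(a, q)
    g, x, = egcd(a % q, q)
    raise ArgumentError, "#{a} is not invertible mod #{q}" unless g == 1
    x % q
  end

  # Geometric product with e_i^2 = +1, e_i e_j = -e_j e_i and the bivector
  # basis e12, e13, e23 used on the page (so e1 e3 = +e13 and e12 e13 = -e23)
  def gp(o)
    a, b = @c, o.c
    Mv3.new([
      a[0]*b[0] + a[1]*b[1] + a[2]*b[2] + a[3]*b[3] - a[4]*b[4] - a[5]*b[5] - a[6]*b[6] - a[7]*b[7],
      a[0]*b[1] + a[1]*b[0] - a[2]*b[4] + a[4]*b[2] - a[3]*b[5] + a[5]*b[3] - a[6]*b[7] - a[7]*b[6],
      a[0]*b[2] + a[2]*b[0] + a[1]*b[4] - a[4]*b[1] - a[3]*b[6] + a[6]*b[3] + a[5]*b[7] + a[7]*b[5],
      a[0]*b[3] + a[3]*b[0] + a[1]*b[5] - a[5]*b[1] + a[2]*b[6] - a[6]*b[2] - a[4]*b[7] - a[7]*b[4],
      a[0]*b[4] + a[4]*b[0] + a[1]*b[2] - a[2]*b[1] - a[5]*b[6] + a[6]*b[5] + a[3]*b[7] + a[7]*b[3],
      a[0]*b[5] + a[5]*b[0] + a[1]*b[3] - a[3]*b[1] + a[4]*b[6] - a[6]*b[4] - a[2]*b[7] - a[7]*b[2],
      a[0]*b[6] + a[6]*b[0] + a[2]*b[3] - a[3]*b[2] - a[4]*b[5] + a[5]*b[4] + a[1]*b[7] + a[7]*b[1],
      a[0]*b[7] + a[7]*b[0] + a[1]*b[6] + a[6]*b[1] - a[2]*b[5] - a[5]*b[2] + a[3]*b[4] + a[4]*b[3]
    ], @q)
  end

  def plus(o);       Mv3.new(@c.zip(o.c).map { |x, y| x + y }, @q); end
  def minus(o);      Mv3.new(@c.zip(o.c).map { |x, y| x - y }, @q); end
  def scalar_mul(s); Mv3.new(@c.map { |x| x * s }, @q); end

  # Over Z_q, dividing by s means multiplying by the modular inverse of s
  def scalar_div(s)
    @q ? scalar_mul(Mv3.modinv(s, @q)) : Mv3.new(@c.map { |x| x / s })
  end

  # Clifford conjugation negates grades 1 and 2; reverse negates grades 2 and 3
  def cc;      Mv3.new(@c.each_with_index.map { |x, i| (1..6).cover?(i) ? -x : x }, @q); end
  def reverse; Mv3.new(@c.each_with_index.map { |x, i| i >= 4 ? -x : x }, @q); end

  # M * cc(M) is central in Cl(3,0): a scalar plus a pseudoscalar (a Z-type value)
  def amplitude_squared; gp(cc); end

  # Z * reverse(Z) is a pure scalar, since (e123)^2 = -1 makes Z act like a
  # complex number; it is the denominator of the inverse
  def rationalize
    z2 = amplitude_squared
    z2.gp(z2.reverse)
  end

  # M^-1 = cc(M) * reverse(M cc(M)) / rationalize(M). Over Z_q this raises
  # when rationalize(M) is 0 mod q, i.e. for a non-invertible multivector.
  def inverse
    cc.gp(amplitude_squared.reverse).scalar_div(rationalize.c[0])
  end

  # M = Z + F: Z is the scalar + pseudoscalar part, F the vector + bivector part
  def z;  Mv3.new([@c[0], 0, 0, 0, 0, 0, 0, @c[7]], @q); end
  def f;  Mv3.new([0] + @c[1..6] + [0], @q); end
  def f2; f.gp(f); end

  # Same display format as the IRB sessions, e.g. "2e0 + 3e1 + ... + 9e123"
  def to_s
    @c.zip(BASIS).map { |x, e| "#{x.is_a?(Rational) && x.denominator == 1 ? x.numerator : x}#{e}" }.join(" + ")
  end
end

if __FILE__ == $PROGRAM_NAME
  m = Mv3.new([2, 3, 4, 5, 6, 7, 8, 9])
  puts m.gp(m)           # -176e0 + -132e1 + 142e2 + -88e3 + 114e12 + -44e13 + 86e23 + 88e123
  puts m.inverse         # -5/37e0 + 31/370e1 + -10/37e2 + -7/370e3 + -53/185e12 + -9/74e13 + -56/185e23 + 23/74e123
  puts m.gp(m.inverse)   # 1e0 + 0e1 + 0e2 + 0e3 + 0e12 + 0e13 + 0e23 + 0e123
  puts Mv3.new([2, 3, 4, 5, 6, 7, 8, 9], 257).inverse  # 111e0 + 255e1 + 222e2 + 216e3 + 40e12 + 177e13 + 115e23 + 233e123
end
```

Over Z_q the inverse fails exactly when rationalize(M) is 0 mod q, which is the property the generate_random_multivector_mod_ni tool above relies on to produce non-invertible multivectors.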

Tools

Random number:

> bits = 16

> Clifford::Tools.random_number(bits)

=> 33756

Random prime:

> Clifford::Tools.random_prime(bits)

=> 49499

Next prime:

> Clifford::Tools.next_prime(19222)

=> 19231

Random input: say we want to generate a random multivector input of 16-bit coefficients:

> input = Clifford::Tools.generate_random_input(16)

=> [59387, 41848, 35190, 60138, 53917, 57341, 44830, 55623]

Random multivector: say we want to generate a random multivector with 16-bit coefficients and with the modulus being the smallest prime greater than 2**16:

> b = 16

> q = Clifford::Tools.next_prime(2**b)

=> 65537

> m = Clifford::Tools.generate_random_multivector_mod(b,q)

=> 62315e0 + 34016e1 + 33222e2 + 44867e3 + 62742e12 + 54760e13 + 41000e23 + 36601e123

Number to multivector:

> n = 19

> b = 32

> q = Clifford::Tools.next_prime(2**b)

=> 4294967311

> g = Clifford::Tools.random_number(b)

=> 3333669772

> m = Clifford::Tools.number_to_random_multivector_mod(n,b,q,g)

=> 2118956385e0 + 1814335862e1 + 4291020503e2 + 601431315e3 + 1671051067e12 + 2614893202e13 + 1204384486e23 + 3207184209e123

> Clifford::Tools.multivector_to_number(m,b,q,g)

=> 19

SWHE Scheme

Let l (the security parameter 1^lambda) be l = 256.

> m1_10 = 16

> m2_10 = 19

> s = 4

> sk = Clifford::SWHE.new l

> c1 = sk.encrypt(m1_10)

=> 2507348350e0 + 714892089e1 + 4086593007e2 + 3029231088e3 + 3544757319e12 + 3529259721e13 + 4159126069e23 + 2329096678e123

> c2 = sk.encrypt(m2_10)

=> 3573928374e0 + 712457465e1 + 441882640e2 + 764429612e3 + 2812231519e12 + 3863896228e13 + 3578512188e23 + 3157681092e123

> s = 2

> sk.decrypt(sk.add(c1,c2))

=> 40

> sk.decrypt(sk.sdiv(sk.add(c1,c2),s))

=> 20

Key Update Protocol

> l = 256

> sk1 = Clifford::SWHE.new l

> sk2 = Clifford::SWHE.new l

> m_10 = 18

> c_old = sk1.encrypt(m_10)

=> 1563854386e0 + 2091271712e1 + 648391928e2 + 2240080558e3 + 3254051676e12 + 986877749e13 + 541981368e23 + 2807228404e123

> c_test = sk2.encrypt(m_10)

=> 2046430320e0 + 1659420006e1 + 3331331529e2 + 1046982661e3 + 2654118961e12 + 3632208347e13 + 4117720672e23 + 2892896236e123

> t = Clifford::KeyUpdate.token_generation(sk1,sk2)

=> [3134816283e0 + 892430456e1 + 2353052136e2 + 3264834372e3 + 1576924386e12 + 4151342564e13 + 613685620e23 + 343425411e123, 1786059064e0 + 3230632592e1 + 2940301275e2 + 2364499527e3 + 1283420839e12 + 1876862914e13 + 3425636812e23 + 2295065137e123]

> c_new = Clifford::KeyUpdate.key_update(t,c_old)

> sk2.decrypt(c_new)

=> 18

B.5 SWHE Image Encryption

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next are command snippets for specific cases that can be executed in IRB.

Key Generation

Require the file that will boot the entire project in IRB:

> require './x'

Create the 'x' object with the required secret and public variables by passing a configuration for depth (first argument) and security parameter (second argument):

> x = X::SWHE.new(8,128)

Encrypt the number 231:

> c1 = x.encrypt(231)

Encrypt the number 209:

> c2 = x.encrypt(209)

Add c1 and c2:

> c1_add_c2 = c1 + c2

Multiply c1 and c2:

> c1_mul_c2 = c1 * c2

Decrypt c1_add_c2:

> x.decrypt(c1_add_c2)

As a result you should get:

=> (440/1)

Decrypt c1_mul_c2:

> x.decrypt(c1_mul_c2)

As a result you should get:

=> (48279/1)

Homomorphic Image Examples

Although you can create your own script of encrypted image manipulation, we prepared a few examples to illustrate the basic functions of our library.

All the commands below assume you are in the project root folder, using a terminal.

Increase brightness:

$ ruby examples/increase_brightness.rb

Decrease brightness:

$ ruby examples/decrease_brightness.rb

Merge images:

$ ruby examples/merge_images.rb

Mask images:

$ ruby examples/mask_image.rb

Contrast stretching:

$ ruby examples/contrast_stretching.rb

Logical not:

$ ruby examples/logical_not.rb

B.6 Multiple Secret Hensel Codes (MSH Code)

From the project’s root directory, execute the following command on the terminal:

$ irb

You will see the IRB prompt. Next are command snippets for specific cases that can be executed in IRB.

Key Generation

Require the file that will boot the entire project in IRB:

> require './x'

Create the 'x' object with the required secret and public variables by passing a configuration for depth (first argument) and security parameter (second argument):

> code = X::MSHCode.new 1024

which returns something like

=> #

Encode the number 219:

> beta1 = code.encode(219)

which returns its encoded value

=> 6799619...

Encode the number 173:

> beta2 = code.encode(173)

which returns its encoded value

=> 7027868...

Add beta1 and beta2:

> beta1_add_beta2 = code.add(beta1,beta2)

returning

=> 750240...

Multiply beta1 and beta2:

> beta1_mul_beta2 = code.mul(beta1,beta2)

returning

=> 1427542...

Decode beta1_add_beta2:

> code.decode(beta1_add_beta2)

which returns

=> 392

and we see that the result equals 219 + 173 = 392.

Decode beta1_mul_beta2:

> code.decode(beta1_mul_beta2)

which returns

=> 37887

and we see that the result equals 219 * 173 = 37887.

B.7 p-adic Crypto Ruby

This is the code for our leveled FHE scheme, the encryption for distributed computation, pairing function, RSA with rational numbers and randomized RSA. Below, we provide the test cases of our program interface.

B.7.1 Hensel Code Base Functions

# hensel_code_test.rb

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

class TestHenselCode < Minitest::Test
  # Single-prime Hensel code of 5/3 with p = 257, r = 1
  def test_hensel_encode
    r_exp = 1
    p = 257
    m = Rational(5,3)
    h = HenselCode.encode(p,r_exp,m)
    assert_equal 173, h
  end

  def test_hensel_decode
    r_exp = 1
    p = 257
    h = 173
    m = HenselCode.decode(p,r_exp,h)
    assert_equal Rational(5,3), m
  end

  # Multiple Hensel code: one digit per prime
  def test_multiple_hensel_encode
    r_exp = 1
    p = 257
    q = 281
    m = Rational(5,3)
    h = HenselCode.multiple_encode([p,q],r_exp,m)
    assert_equal [173,189], h
  end

  def test_multiple_hensel_decode
    r_exp = 1
    p = 257
    q = 281
    h = [173,189]
    m = HenselCode.multiple_decode([p,q],r_exp,h)
    assert_equal Rational(5,3), m
  end

  # Homomorphic addition and multiplication on single codes
  def test_addition_with_single_hensel_code
    r_exp = 1
    p = 54959
    m1 = Rational(5,3)
    m2 = Rational(7,4)
    h1 = HenselCode.encode(p,r_exp,m1)
    h2 = HenselCode.encode(p,r_exp,m2)
    h3 = h1 + h2
    m3 = HenselCode.decode(p,r_exp,h3)
    assert_equal m1 + m2, m3
  end

  def test_multiplication_with_single_hensel_code
    r_exp = 1
    p = 54959
    m1 = Rational(5,3)
    m2 = Rational(7,4)
    h1 = HenselCode.encode(p,r_exp,m1)
    h2 = HenselCode.encode(p,r_exp,m2)
    h3 = h1 * h2
    m3 = HenselCode.decode(p,r_exp,h3)
    assert_equal m1 * m2, m3
  end

  # Homomorphic addition and multiplication digit by digit on multiple codes
  def test_addition_with_multiple_hensel_code
    r_exp = 1
    p = 54959
    q = 60647
    m1 = Rational(5,3)
    m2 = Rational(7,4)
    h1 = HenselCode.multiple_encode([p,q],r_exp,m1)
    h2 = HenselCode.multiple_enc ode([p,q],r_exp,m2)
    h3 = [h1[0] + h2[0], h1[1] + h2[1]]
    m3 = HenselCode.multiple_decode([p,q],r_exp,h3)
    assert_equal m1 + m2, m3
  end

  def test_multiplication_with_multiple_hensel_code
    r_exp = 1
    p = 54959
    q = 60647
    m1 = Rational(5,3)
    m2 = Rational(7,4)
    h1 = HenselCode.multiple_encode([p,q],r_exp,m1)
    h2 = HenselCode.multiple_encode([p,q],r_exp,m2)
    h3 = [h1[0] * h2[0], h1[1] * h2[1]]
    m3 = HenselCode.multiple_decode([p,q],r_exp,h3)
    assert_equal m1 * m2, m3
  end

  # Inverse direction: start from digits, operate on the decoded rationals,
  # re-encode and compare with the digit-wise result
  def test_addition_with_inverse_multiple_hensel_code
    r_exp = 1
    p = 54959
    q = 60647
    h1 = [5,23]
    h2 = [5,17]
    m1 = HenselCode.multiple_decode([p,q],r_exp,h1)
    m2 = HenselCode.multiple_decode([p,q],r_exp,h2)
    m3 = m1 + m2
    h3 = HenselCode.multiple_encode([p,q],r_exp,m3)
    assert_equal [10,40], h3
  end

  def test_multiplication_with_inverse_multiple_hensel_code
    r_exp = 1
    p = 54959
    q = 60647
    h1 = [5,23]
    h2 = [5,17]
    m1 = HenselCode.multiple_decode([p,q],r_exp,h1)
    m2 = HenselCode.multiple_decode([p,q],r_exp,h2)
    m3 = m1 * m2
    h3 = HenselCode.multiple_encode([p,q],r_exp,m3)
    assert_equal [25,391], h3
  end
end
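To make the encode/decode behaviour these tests assert concrete, here is an added Ruby implementation of the Hensel code operations they call: encoding a rational as a * b^-1 mod p^r, decoding by rational reconstruction, and the multi-prime variant combined through the CRT. It is not the dissertation's p-adic-crypto library; the module name Hensel mirrors HenselCode but is an assumption, as is the decode_mod helper, and the test vectors it reproduces (173, [173,189], 5/3 + 7/4) are the ones in the test file above.

```ruby
# Added example, not the dissertation's p-adic-crypto library: Hensel code
# encoding of a rational a/b as a * b^-1 mod p^r, decoding by rational
# reconstruction with the extended Euclidean algorithm, and the multi-modulus
# (CRT) variant exercised by the test file above. The module and method names
# mirror that test file but are assumptions, not the library's code.
module Hensel
  # Extended Euclid: [g, x, y] with a*x + b*y = g = gcd(a, b)
  def self.egcd(a, b)
    return [b, 0, 1] if a.zero?
    g, x, y = egcd(b % a, a)
    [g, y - (b / a) * x, x]
  end

  def self.modinv(a, n)
    g, x, = egcd(a % n, n)
    raise ArgumentError, "#{a} is not invertible mod #{n}" unless g == 1
    x % n
  end

  # h = a * b^-1 mod p^r for m = a/b; requires gcd(b, p) = 1
  def self.encode(p, r, m)
    n = p**r
    m = Rational(m)
    (m.numerator * modinv(m.denominator, n)) % n
  end

  # Rational reconstruction: run Euclid on (n, h) while tracking the Bezout
  # coefficient t of h (so every remainder satisfies rem = t*h mod n) and stop
  # at the first remainder within N = floor(sqrt((n-1)/2)). The result a/b is
  # the unique rational with |a|, |b| <= N in that residue class; a code whose
  # true rational lies outside that range cannot be recovered (the reason the
  # test file uses 16-bit primes for 5/3 + 7/4 = 41/12 rather than p = 257).
  def self.decode_mod(n, h)
    bound = Integer.sqrt((n - 1) / 2)
    r0, r1, t0, t1 = n, h % n, 0, 1
    while r1 > bound
      q = r0 / r1
      r0, r1 = r1, r0 - q * r1
      t0, t1 = t1, t0 - q * t1
    end
    raise ArgumentError, "#{h} has no rational of size <= #{bound} mod #{n}" if t1.zero? || t1.abs > bound
    Rational(r1, t1)
  end

  def self.decode(p, r, h)
    decode_mod(p**r, h)
  end

  # One Hensel digit per prime: the same rational reduced modulo each p_i^r
  def self.multiple_encode(primes, r, m)
    primes.map { |p| encode(p, r, m) }
  end

  # CRT-combine the digits into a single code modulo prod(p_i^r), then decode;
  # the larger modulus gives a larger recoverable range than any single prime
  def self.multiple_decode(primes, r, hs)
    x, mod = 0, 1
    primes.zip(hs).each do |p, h|
      n = p**r
      x += mod * (((h - x) * modinv(mod, n)) % n)
      mod *= n
    end
    decode_mod(mod, x)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts Hensel.encode(257, 1, Rational(5, 3))                    # 173
  puts Hensel.decode(257, 1, 173)                               # 5/3
  puts Hensel.multiple_encode([257, 281], 1, Rational(5, 3)).inspect  # [173, 189]
  puts Hensel.multiple_decode([257, 281], 1, [173, 189])        # 5/3
  h1 = Hensel.encode(54959, 1, Rational(5, 3))
  h2 = Hensel.encode(54959, 1, Rational(7, 4))
  puts Hensel.decode(54959, 1, h1 + h2)                         # 41/12
  puts Hensel.decode(54959, 1, h1 * h2)                         # 35/12
end
```

The sums and products of codes are taken without reduction, exactly as in the test file; decode_mod reduces them modulo n before reconstructing.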

B.7.2 leveled FHE Scheme

# p-adic-crypto_test.rb

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

class TestPAdicCrypto < Minitest::Test
  def test_encrypt_and_decrypt
    k = Gen.new(8)
    m1 = 5
    m2 = 3
    c1 = PAdicCrypto.encrypt(k,m1)
    c2 = PAdicCrypto.encrypt(k,m2)
    m1_d = PAdicCrypto.decrypt(k,c1)
    m2_d = PAdicCrypto.decrypt(k,c2)
    assert_equal m1_d, m1
    assert_equal m2_d, m2
  end

  def test_homomorphic_addition
    k = Gen.new(8)
    m1 = 5
    m2 = 3
    c1 = PAdicCrypto.encrypt(k,m1)
    c2 = PAdicCrypto.encrypt(k,m2)
    c3 = PAdicCrypto.add(k.g,c1,c2)
    m3_d = PAdicCrypto.decrypt(k,c3)
    assert_equal m1 + m2, m3_d
  end

  def test_homomorphic_subtraction
    k = Gen.new(8)
    m1 = 5
    m2 = 3
    c1 = PAdicCrypto.encrypt(k,m1)
    c2 = PAdicCrypto.encrypt(k,m2)
    c3 = PAdicCrypto.sub(k.g,c1,c2)
    m3_d = PAdicCrypto.decrypt(k,c3)
    assert_equal m1 - m2, m3_d
  end

  def test_homomorphic_multiplication
    k = Gen.new(8)
    m1 = 5
    m2 = 3
    c1 = PAdicCrypto.encrypt(k,m1)
    c2 = PAdicCrypto.encrypt(k,m2)
    c3 = PAdicCrypto.mul(k.g,c1,c2)
    m3_d = PAdicCrypto.decrypt(k,c3)
    assert_equal m1 * m2, m3_d
  end

  # Encryption must not leak a zero plaintext as a literal zero ciphertext
  def test_encryption_of_zero
    k = Gen.new(8)
    m1 = 0
    m2 = 0
    c1 = PAdicCrypto.encrypt(k,m1)
    c2 = PAdicCrypto.encrypt(k,m2)
    assert c1 != 0
    assert c2 != 0
  end
end

B.7.3 Homomorphic Distributed Computation

# dc_test.rb

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

class TestDC < Minitest::Test
  # DC.new(k, l): k parties, l-bit p primes and 2l-bit q primes
  def test_initialization
    dc = DC.new(4,16)
    assert_equal 4, dc.k
    assert_equal 16, dc.l
    assert_equal 4, dc.p_primes.size
    assert_equal 4, dc.q_primes.size
    assert_equal [16], dc.p_primes.map{|prime| prime.bit_length }.uniq
    assert_equal [32], dc.q_primes.map{|prime| prime.bit_length }.uniq
  end

  def test_generate_parties
    dc = DC.new(4,16)
    dc.generate_parties
    assert_equal [0,"Party-0"], [dc.parties[0].pid,dc.parties[0].name]
    assert_equal [1,"Party-1"], [dc.parties[1].pid,dc.parties[1].name]
    assert_equal [2,"Party-2"], [dc.parties[2].pid,dc.parties[2].name]
    assert_equal [3,"Party-3"], [dc.parties[3].pid,dc.parties[3].name]
  end

  # The digits of a value decode (over the q primes) to a rational that
  # re-encodes to the original value over the first p prime
  def test_generate_digits
    dc = DC.new(4,16)
    dc.generate_parties
    digits = dc.generate_digits(23)
    alpha = HenselCode.multiple_decode(dc.q_primes,1,digits)
    assert_equal 23, HenselCode.encode(dc.p_primes[0],1,alpha)
  end

  def test_assign_digits
    dc = DC.new(4,16)
    dc.generate_parties
    a_digits = dc.generate_digits(42)
    b_digits = dc.generate_digits(39)
    dc.assign_digits(a_digits,b_digits)
    dc.order.each_with_index do |o,i|
      assert_equal a_digits[o], dc.parties[i].a
      assert_equal b_digits[o], dc.parties[i].b
    end
  end

  def test_request_addition
    dc = DC.new(4,16)
    dc.generate_parties
    a_digits = dc.generate_digits(42)
    b_digits = dc.generate_digits(39)
    dc.assign_digits(a_digits,b_digits)
    dc.request_addition
    dc.order.each_with_index do |o,i|
      assert_equal a_digits[o] + b_digits[o], dc.parties[i].add_result
    end
  end

  def test_request_multiplication
    dc = DC.new(4,16)
    dc.generate_parties
    a_digits = dc.generate_digits(42)
    b_digits = dc.generate_digits(39)
    dc.assign_digits(a_digits,b_digits)
    dc.request_multiplication
    dc.order.each_with_index do |o,i|
      assert_equal a_digits[o] * b_digits[o], dc.parties[i].mul_result
    end
  end

  def test_retrieve_addition
    dc = DC.new(4,16)
    dc.generate_parties
    a_digits = dc.generate_digits(42)
    b_digits = dc.generate_digits(39)
    dc.assign_digits(a_digits,b_digits)
    dc.request_addition
    a_add_b = dc.retrieve_addition
    assert_equal 42 + 39, a_add_b
  end
end

B.7.4 Party Test

# party_test.rb

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

class TestParty < Minitest::Test
  def test_initialization
    party = Party.new(1)
    assert_equal 1, party.pid
    assert_equal "Party-1", party.name
  end

  def test_addition_and_multiplication
    party = Party.new(1)
    party.a = 3
    party.b = 4
    party.add
    party.mul
    assert_equal 3 + 4, party.add_result
    assert_equal 3 * 4, party.mul_result
  end
end

B.7.5 Pairing Function

# pairing_test.rb

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

class TestPairing < Minitest::Test
  def test_initialization
    pairing = Pairing.new
    assert Prime.prime?(pairing.p1)
    assert Prime.prime?(pairing.p2)
    assert pairing.r >= 1
  end

  def test_positive_pairing
    pairing = Pairing.new
    zeta = pairing.pairing(5,9)
    assert_equal [5,9], pairing.unpairing(zeta)
  end

  # Sign of either component must survive the round trip
  def test_negative_pairing
    pairing = Pairing.new
    zeta1 = pairing.pairing(-3,2)
    zeta2 = pairing.pairing(4,-7)
    zeta3 = pairing.pairing(23,-11)
    assert_equal [-3,2], pairing.unpairing(zeta1)
    assert_equal [4,-7], pairing.unpairing(zeta2)
    assert_equal [23,-11], pairing.unpairing(zeta3)
  end

  def test_rational_pairing
    pairing = Pairing.new
    zeta1 = pairing.pairing(Rational(2,7),6)
    zeta2 = pairing.pairing(-12,Rational(5,3))
    zeta3 = pairing.pairing(Rational(6,5),Rational(6,5))
    assert_equal [Rational(2,7),6], pairing.unpairing(zeta1)
    assert_equal [-12,Rational(5,3)], pairing.unpairing(zeta2)
    assert_equal [Rational(6,5),Rational(6,5)], pairing.unpairing(zeta3)
  end
end

B.7.6 Rational and Randomized RSA

require "minitest/autorun"
# require 'minitest/hooks/default'
require Dir.pwd + "/p-adic-crypto"

# Named TestRSAR so that it does not reopen TestDC from dc_test.rb and
# overwrite its test_initialization when both files load into one Minitest run
class TestRSAR < Minitest::Test
  def test_initialization
    rsar = RSAR.new(16)
    assert_equal 16, rsar.p.bit_length
    assert_equal 16, rsar.q.bit_length
    assert_equal 32, rsar.n.bit_length
    assert_equal 1, (rsar.e * rsar.d) % rsar.phi_n
  end

  # Rational plaintexts round-trip under each of the moduli p, q and n
  def test_encrypt_p
    rsar = RSAR.new(16)
    alpha = Rational(3,5)
    c = rsar.encrypt(alpha,rsar.p)
    assert_equal alpha, rsar.decrypt(c,rsar.p)
  end

  def test_encrypt_q
    rsar = RSAR.new(16)
    alpha = Rational(2,9)
    c = rsar.encrypt(alpha,rsar.q)
    assert_equal alpha, rsar.decrypt(c,rsar.q)
  end

  def test_encrypt_n
    rsar = RSAR.new(16)
    alpha = Rational(4,7)
    c = rsar.encrypt(alpha,rsar.n)
    assert_equal alpha, rsar.decrypt(c,rsar.n)
  end

  def test_homomorphic_multiplication
    rsar = RSAR.new(16)
    alpha1 = Rational(3,4)
    alpha2 = Rational(2,7)
    c1 = rsar.encrypt(alpha1,rsar.n)
    c2 = rsar.encrypt(alpha2,rsar.n)
    c1_times_c2 = (c1 * c2) % rsar.n
    assert_equal alpha1 * alpha2, rsar.decrypt(c1_times_c2,rsar.n)
  end

  def test_encrypt_random
    rsar = RSAR.new(16)
    m1 = 24
    m2 = 39
    c1 = rsar.encrypt_random(m1)
    c2 = rsar.encrypt_random(m2)
    assert_equal m1, rsar.decrypt_random(c1)
    assert_equal m2, rsar.decrypt_random(c2)
  end
end
