A MATHEMATICAL FRAMEWORK TOWARDS EFFICIENT CLIFFORD-BASED HOMOMORPHIC CRYPTOSYSTEMS USING P-ADIC NUMBERS
by
DAVID WILLIAM HONORIO ARAUJO DA SILVA
B.S.B.A., Universidade Potiguar (Brazil), 2012
M.S.C.S., University of Colorado Colorado Springs, 2017
A dissertation submitted to the Graduate Faculty of the
University of Colorado Colorado Springs
in partial fulfillment of the
requirements for the degree of
Doctor of Philosophy
Department of Computer Science
2020

© Copyright by David William Honorio Araujo da Silva 2020
All Rights Reserved

This dissertation for the Doctor of Philosophy degree by David William Honorio Araujo da Silva has been approved for the Department of Computer Science by
Edward C. Chow, Chair
Carlos Paz de Araujo
Chuan Yue
Sang-Yoon Chang
Philip Brown
Date: 30 November 2020
Honorio Araujo da Silva, David William (Ph.D., Engineering: Computer Science)
A Mathematical Framework Towards Efficient Clifford-Based Homomorphic Cryptosystems using p-adic Numbers
Dissertation directed by Professor Edward C. Chow
ABSTRACT
As we observe the advances in cryptography throughout history, we can see that cryptography must follow society’s changes as society becomes more and more sophisticated. One critical example of this fact is that there was a time when having a message written in plain language was enough to hide information from uneducated soldiers. The next step was to apply simple replacements of letters in the message, which quickly evolved into more elaborate scrambling techniques. Indeed, until the late 20th century, cryptography was considered an art. Creativity was the single most crucial strategy when producing a new encryption function. However, the advent of computers and the advances in cryptanalysis generated a demand for a science of data security. In the theory of cryptography, anything until the 1980s is considered classical cryptography. From the 1980s on, modern definitions of security arose, and thus the cryptography studied and practiced from that time on is referred to as modern cryptography. However, society continues to evolve. New events might change modern definitions of security even further, as is the case, to cite two examples, with the realization of large-scale quantum computers and an eventual default requirement for secure computation. If these two events became reality today, many of the current cryptographic tools would be entirely or partially compromised. It seems to us that the pursuit of new ideas in cryptography must never end, as we must provide proper and timely answers to such changes in society as they occur. Our motivation starts by inquiring whether there are mathematical tools currently receiving little or no attention from the cryptographic community that could be instrumental in producing new, efficient, and further advantageous cryptographic constructions with the ability to address abrupt changes in the reality of cryptography, such as quantum computers and secure computation. For this reason, we propose the use of finite-segment p-adic arithmetic (Hensel codes) and Clifford geometric algebra (GA) as the mathematical foundations for the construction of several homomorphic cryptographic tools, such as somewhat homomorphic encryption schemes, key update and key exchange protocols, a hash algorithm, and homomorphic encryption for special applications including edge computing, homomorphic image processing, and distributed computation. We discuss the security characteristics of constructions based on Hensel codes and GA by examining a leveled fully homomorphic encryption scheme based on Hensel codes whose security is associated with the approximate-GCD problem, and an implementation of lattice-based cryptography with GA. We also introduce a mapping between arbitrary-dimensional vectors and matrices and multivectors, which allows us to replace vector and matrix algebra by GA when constructing quantum-resistant lattice-based cryptography. We demonstrate how to use Hensel codes and GA in isolation for cryptography and different ways of combining the two mathematical foundations in a single solution. Finally, we introduce a mapping between Hensel codes and multivectors in GA, which allows us to merge two algebraic structures into a single one. Our work is the first exposition of a family of cryptographic functions based on Hensel codes and GA; starting from concrete examples of application-specific scenarios, we evolve to an application-agnostic framework where Hensel codes and GA are explored as a mathematical framework for the production of efficient general-purpose algorithms that can satisfy modern definitions of security and also stand as candidate solutions for the era of quantum-resistant cryptography and secure computation.
DEDICATION
This dissertation is dedicated to my wife Cimaria, my son Johnathan, my daughters Samara and Sarah, and my parents Janildo and Elisabete. I could never do or be anything without you all in my life. I love you all much more than I am able to describe.
ACKNOWLEDGEMENTS
I would like to thank God, first and foremost, and His Son Jesus Christ, for renewing in me every day the certainty that it is worthwhile to live a life with purpose and not measure efforts in the search for what is good, perfect and pleasant, even in the midst of my many imperfections and limitations; Dr. Carlos Araujo for believing in me since day one, for teaching me that seeking the impossible is an honorable mission and for investing in my academic and professional growth; Dr. Edward Chow for being an encouraging advisor, for truly believing in the potential of my research and for keeping a supporting and positive attitude even when I faced some challenging circumstances through the course of my academic pursuit; Greg Jones for being a tireless source of inspiration, a constant helping hand and someone I can always count on; Dr. Sang-Yoon Chang for agreeing to be part of my committee, for demonstrating interest in my work and for providing feedback on how to improve my research; Dr. Philip Brown for agreeing to be part of my committee, for being eager to contribute to my research and for the significant collaboration in one publication; Dr. Chuan Yue for agreeing to be part of my committee. Hanes Oliveira, Jordan Pattee, and Bhagiradh Kantheti for being trench partners, research companions, for sharing moments of tension and relaxation, for helping in my research in many ways, and for being supportive in all situations; Marcelo Xavier for countless discussions on the most varied ideas, for investing time to understand my challenges in order to help me, and for always believing that the state of impossibility of the impossible is uncertain until proven otherwise. This dissertation would not have been possible without the valuable contribution of each one of you.
Table of Contents

CHAPTER

1 Introduction ...... 1
  1.1 Motivation ...... 4
  1.2 Contributions ...... 5
  1.3 Two Important Related Work ...... 6
    1.3.1 Clifford Geometric Algebra ...... 6
    1.3.2 p-adic Numbers ...... 7

2 Research Questions, Metrics and Methodology ...... 10
  2.1 General-Purpose Mathematical Framework ...... 10
  2.2 Mathematical Framework Applied to Cryptography ...... 12
  2.3 Metrics and Methodology ...... 13

3 Homomorphic Encryption ...... 16
  3.1 Requirements ...... 18
  3.2 HE Classes ...... 19
  3.3 Key Contributions ...... 20
  3.4 Conclusions ...... 26

4 p-Adic Numbers ...... 27
  4.1 A Compact Tutorial ...... 27
    4.1.1 Basic Definitions ...... 28
    4.1.2 Finite-Segment p-adic Arithmetic ...... 28
  4.2 Homomorphic Data Encoding ...... 36
    4.2.1 Performance ...... 37
  4.3 Encrypting Rational Numbers ...... 38
    4.3.1 RSA with Rational Numbers ...... 40
  4.4 Adding Randomness to Deterministic Algorithms ...... 42
    4.4.1 Randomized RSA ...... 42
  4.5 Pairing Functions ...... 45
    4.5.1 p-adic Pairing ...... 46
  4.6 Distributed Computation ...... 47
    4.6.1 Description of the Scheme ...... 49
      4.6.1.1 Security of the Scheme ...... 51
  4.7 Conclusions ...... 52

5 Clifford Geometric Algebra ...... 54
  5.1 A Compact Tutorial ...... 55
    5.1.1 Basic Definitions ...... 55
    5.1.2 Basic Definitions in G2 ...... 57
    5.1.3 Basic Definitions in G3 ...... 59
  5.2 A First Experiment Towards FHE Based on GA ...... 65
    5.2.1 Auxiliary Algorithms ...... 65
    5.2.2 The Main Construction ...... 67
    5.2.3 Performance ...... 68
    5.2.4 General Considerations ...... 70
  5.3 A Framework for Homomorphic Image Processing ...... 70
    5.3.1 Auxiliary Algorithms ...... 71
    5.3.2 The Main Construction ...... 72
    5.3.3 Homomorphic Image Processing ...... 73
    5.3.4 Homomorphic Results ...... 75
    5.3.5 Performance ...... 75
    5.3.6 General Considerations ...... 77
  5.4 Multivector Packing Schemes ...... 77
    5.4.1 Multivector Packing Schemes ...... 78
    5.4.2 Clifford Eigenvalue Packing Scheme ...... 78
    5.4.3 Complex Magnitude Squared Packing Scheme ...... 79
  5.5 Concealment Schemes ...... 81
    5.5.1 Clifford Sylvester’s Equation Concealment (CSEC) ...... 82
    5.5.2 Modular Concealment (MC) ...... 83
    5.5.3 General Considerations ...... 84
  5.6 Experimental Key Update ...... 85
    5.6.1 HE Scheme ...... 85
    5.6.2 Key Update Protocol ...... 86
    5.6.3 Application ...... 86
    5.6.4 General Considerations ...... 88
  5.7 Further Cryptographic Experiments ...... 89
    5.7.1 Auxiliary Algorithms ...... 89
    5.7.2 Key Exchange Protocol ...... 91
    5.7.3 Edge Computing Protocol ...... 93
    5.7.4 Hash Algorithm ...... 94
    5.7.5 Private-Key Encryption Scheme ...... 95
  5.8 Conclusions ...... 97

6 Security with p-adic Numbers and GA ...... 98
  6.1 Private-Key Leveled FHE Scheme ...... 98
  6.2 Target Definitions ...... 99
    6.2.1 The Concrete Construction ...... 101
  6.3 Security ...... 103
    6.3.1 Proof by Reduction ...... 104
    6.3.2 Weaker Version of our Scheme ...... 108
    6.3.3 Factorization Attacks ...... 109
      6.3.3.1 Instance With One Prime ...... 109
      6.3.3.2 Instance With Two Primes - Option 1 ...... 110
      6.3.3.3 Instance With Two Primes - Option 2 ...... 112
      6.3.3.4 Instance With Three Primes - Option 1 ...... 112
      6.3.3.5 Instance With Three Primes - Option 2 ...... 112
      6.3.3.6 Instance With Four Primes ...... 113
      6.3.3.7 Instance With Five Primes ...... 114
    6.3.4 Solving for p_4 ...... 114
    6.3.5 GCD of Two Numbers ...... 115
      6.3.5.1 Continued Fractions ...... 115
      6.3.5.2 Howgrave-Graham’s Lattice Attack ...... 116
    6.3.6 Lattice Reduction for Approximate GCD of Multiple Numbers ...... 116
    6.3.7 A Two-Stage Lattice Attack on the Weaker Construction ...... 117
    6.3.8 Attacking the Stronger Construction ...... 118
      6.3.8.1 Reviewing the Known Attacks ...... 119
      6.3.8.2 Reviewing the Two-Stage Lattice Attack ...... 119
    6.3.9 Proof of Security ...... 120
    6.3.10 A Note on Ciphertext Size ...... 123
  6.4 General Considerations ...... 124
  6.5 GA and Lattice Cryptography ...... 125
    6.5.1 Why Lattice is Used in Cryptography? ...... 126
    6.5.2 Average-Case Hard Problems ...... 127
      6.5.2.1 Short Integer Solutions ...... 127
  6.6 GA and Matrices ...... 128
    6.6.1 More on Matrix Multiplication with Multivectors ...... 139
    6.6.2 A First Lattice Problem ...... 140
    6.6.3 Why Is This A Lattice Problem? ...... 141
    6.6.4 A Lattice Trapdoor With GA ...... 142
    6.6.5 Why Does our Lattice Implementation with GA Work? ...... 143
    6.6.6 Learning With Errors ...... 144
  6.7 Conclusions ...... 148

7 The Framework ...... 150
  7.1 Hensel Codes and GA ...... 154
  7.2 GA and Hensel Codes ...... 155
    7.2.1 GA and Hensel Codes as a Single Data Structure ...... 155
  7.3 How To Build Custom Schemes ...... 158
    7.3.1 Short Integer Solution ...... 158
    7.3.2 A Password Generation Application ...... 159
      7.3.2.1 A Numerical Example ...... 161
      7.3.2.2 Why A Password Generation Application with GA ...... 162
  7.4 Conclusions ...... 164

8 Future Directions ...... 165
  8.1 Additional Hard Problems with Hensel Codes ...... 165
  8.2 GA Constructions in Higher Dimensions ...... 166
  8.3 Quantum Encryption with GA ...... 166
  8.4 Conclusions ...... 167

9 Conclusions ...... 168

Bibliography ...... 171

APPENDIX

A Installation and Usage Guides ...... 198
  A.1 (Towards) FHE with CRT and GA ...... 199
  A.2 Clifford Crypto ...... 199
  A.3 Clifford GA Ruby ...... 199
  A.4 Clifford SWHE and Key Update ...... 199
  A.5 SWHE Image Encryption ...... 200
  A.6 Multiple Secret Hensel Codes (MSH Code) ...... 200
  A.7 p-adic Crypto Ruby ...... 200

B Highlights and Demonstrations ...... 201
  B.1 (Towards) FHE with CRT and GA ...... 201
  B.2 Clifford Crypto ...... 203
  B.3 Clifford GA Ruby ...... 217
  B.4 Clifford SWHE and Key Update ...... 227
  B.5 SWHE Image Encryption ...... 235
  B.6 Multiple Secret Hensel Codes (MSH Code) ...... 238
  B.7 p-adic Crypto Ruby ...... 241
    B.7.1 Hensel Code Base Functions ...... 241
    B.7.2 Leveled FHE Scheme ...... 245
    B.7.3 Homomorphic Distributed Computation ...... 248
    B.7.4 Party Test ...... 252
    B.7.5 Pairing Function ...... 253
    B.7.6 Rational and Randomized RSA ...... 255
List of Tables

TABLE

3.1 Most noticeable homomorphic encryption libraries ...... 26

4.1 Performance results with λ = 1024 ...... 39
4.2 Performance results with λ = 2048 ...... 39
4.3 Setup algorithm in Python 3 ...... 39

5.1 Multiplication table in G2 ...... 59
5.2 Multiplication table in G3 ...... 62
5.3 Experiment run with m = 8, γ = 4, |λ|bits = 128 ...... 68
5.4 Experiment run with m = 8, γ = 4, |λ|bits = 256 ...... 68
5.5 Experiment run with m = 8, γ = 4, |λ|bits = 512 ...... 69
5.6 Performance for m = 8, γ = 8, |λ|bits = 128 ...... 77

6.1 Bit length of elements of interest ...... 120
6.2 Similarities and differences between our leveled FHE scheme and the DGHV scheme ...... 124

7.1 Basic Hensel codes functions ...... 151
7.2 Basic GA functions ...... 151
7.3 Constructions based on Hensel codes ...... 151
7.4 Constructions based on GA ...... 152
List of Figures

FIGURE

3.1 A FHE Timeline ...... 21

4.1 Encoding ...... 37
4.2 Decoding ...... 38

5.1 Homomorphic Image Processing Architecture ...... 75
5.2 Original Einstein and Monalisa pictures ...... 76
5.3 Decrease and increase brightness ...... 76
5.4 Merge and mask ...... 76
5.5 Contrast stretching and logical not ...... 76
5.6 Pixel Packing ...... 76

6.1 Indistinguishability experiment for pseudorandom function ...... 105
6.2 A as a subroutine of B ...... 106
6.3 Growth comparison of matrix and the associated multivector multiplication ...... 137

7.1 Overview of abstract model of homomorphic applications ...... 153
CHAPTER 1
Introduction
It is 2020. Why would one be concerned with, or even interested in, constructing a new cryptographic tool? After all, if one needs public-key cryptography and digital signature algorithms, we have the encryption scheme introduced by Rivest, Shamir, and Adleman (RSA) [1], which was proposed in 1978 and to this date continues to be a relevant cryptographic asset in the industry. The same can be said about another type of public-key cryptographic protocol, with which one can securely exchange secret keys over an insecure channel, namely the Diffie-Hellman key exchange protocol [2]. One might also resort to the Elliptic Curve Digital Signature Algorithm (ECDSA) [3] and Elliptic Curve Diffie-Hellman (ECDH) [4]. For private-key encryption, we have the Advanced Encryption Standard (AES) [5], and for secure hashing algorithms, we have SHA-2 and SHA-3 [6]. With respect to all the aforementioned cryptographic solutions, there are no known efficient attacks that run on any currently existing machine [7–10]. Many of the most crucial communication protocols rely on functionalities implemented using the RSA cryptosystem, elliptic curve cryptosystems, and the Diffie-Hellman key exchange [11]. Again, why would anyone care to produce yet another cryptographic tool, especially one that supposedly does the “same thing” that the ones previously mentioned do? In the absence of a compelling reason, no other public-key encryption scheme, digital signature algorithm, key exchange protocol, private-key encryption scheme, or secure hash algorithm would ever be needed. The question then becomes whether there are any compelling reasons to justify the proposal of new cryptographic tools. In a report on post-quantum cryptography released by the National Institute of Standards and Technology (NIST) in 2016 [11], Chen et al. remark that most of the current public-key cryptographic solutions rely on problems, namely integer factorization and discrete logarithms, that can be solved by polynomial-time algorithms on a quantum computer. Such algorithms were introduced by Peter Shor in the 1990s [12, 13].
A quantum computer is a particular type of machine that performs computations based on quantum phenomena such as superposition and entanglement [14], which allows efficient solutions for some computational problems, as is the case for integer factorization and discrete logarithms, as well as other problems in number theory, physics simulation, and topology [11]. Chen et al. remark that, given Shor’s work, the advent of large-scale quantum computers will compromise the public-key cryptographic tools mentioned above. Private-key encryption solutions such as AES are not immune to the impact of eventual large-scale quantum computers either, since there are known quantum speedups for problems related to searching, collision finding, and evaluation of Boolean formulae. In the particular case of Grover’s search algorithm [15], the speedup requires adaptations in specific private-key encryption solutions, such as larger keys for AES, in order to remain secure. Even secure hashing algorithms such as SHA-2 and SHA-3 would require larger outputs [11]. Thus it is clear that the realization of large-scale quantum computers is an event that can dramatically change our needs concerning cryptography. If and when such an event occurs, the answer to the question previously asked is yes: if large-scale quantum computers become a reality, then we need new cryptographic solutions that are resilient against known quantum algorithms, which is commonly referred to as quantum-resistant or post-quantum cryptography (PQC) [11, 16–21]. In fact, NIST has an active group (NIST PQC) working on standards for post-quantum cryptography [22]. Another event has the potential of changing the cryptographic world even further, which is the requirement for secure computation. Secure computation can be informally defined as the ability to perform some meaningful computation on encrypted data without prior decryption.
In 1978, Rivest, Shamir, and Adleman posed the following question: “Can two potentially dishonest players play a fair game of poker without using any cards (e.g., over the phone)?” [23]. Their conclusion was that such a challenge would only be possible using an encryption scheme satisfying certain requirements, such as commutativity and asymmetry, and they introduced a complete protocol with which it would be possible to play a mental poker game. In 1982, Andrew Yao proposed yet another challenge: “Two millionaires wish to know who is richer; however, they do not want to find out inadvertently any additional information about each other’s wealth. How can they carry out such a conversation?” [24]. Yao then proposes a secure two-party computation protocol to solve this problem, which was later generalized to secure multi-party computation [25–28]. Even before Yao introduced his problem, an apparently more challenging task was first discussed by Rivest, Adleman, and Dertouzos in 1978, who considered the ability to compute arbitrary functions on encrypted data to be possible [29]. What kind of functions would be computed on encrypted data? Gentry remarks that such an encryption scheme would not impose any limitation on what type of computation could be performed on encrypted data [30]. Such encryption is referred to as fully homomorphic encryption (FHE), and in 2009 Gentry proposed the first realization of an FHE scheme [31, 32]. More generally, homomorphic encryption (HE) encompasses classes of encryption schemes that allow the evaluation of some set of functions on encrypted data. An active group comprising members of industry, academia, and government is working towards a homomorphic encryption community standard [33]. Suppose that one day the ability to perform secure computation becomes a requirement in any secure algorithm or system; then most prominent security solutions currently in use would be impacted, and new algorithms would have to be provided to support the new reality. We discussed two events that, if they come to pass, can provoke a range of profound impacts on today’s cryptographic tools, from turning some solutions obsolete to requiring significant changes in their configurations. If these two events are considered together, then most of today’s encryption schemes would be compromised. Therefore, it seems safe to assume that there are events, such as the ones discussed above, that have the potential of changing our perspective with respect to what is necessary in cryptography.
Such events might create new requirements, making current solutions partially or entirely obsolete, which immediately creates the need for new solutions. It also seems reasonable to consider that other events might emerge in the near future, and thus the ability to respond to those events properly and in a timely manner must be cultivated.
1.1 Motivation
Until the late 20th century, cryptography was considered an art as opposed to a science. Another important distinction is the one between classical cryptography (prior to the 1980s) and modern cryptography. The latter applies well-established security definitions that constitute the goals of modern cryptographic constructions [34]. However, as we discussed in the previous section, other events can impact existing solutions even in modern cryptography. As an example, imagine a scenario where every encryption scheme must produce a compressed ciphertext while still preserving the existing security properties. Such an event would demand modifications to current encryption functions and the proposal of new ones. Furthermore, it seems reasonable to consider that society will continue to advance in sophistication, which can change the cryptographic landscape even further. For this reason, being limited to the knowledge of how specific cryptographic constructions work and of the general requirements that must currently be fulfilled in modern cryptography might not be enough to respond appropriately to new threats as new events emerge. We therefore regard the proactive inspection of new avenues in mathematics, with the goal of expanding our cryptographic toolbelt, as a necessity. Even before focusing on particular cryptographic constructions, we deem it necessary to first dive into an open-minded mathematical exploration for the sake of mathematics. As Mateus et al. remarked (and we firmly agree), cryptography is all about mathematics [35]. This exploration can shine a light on new ways of addressing old and new problems. These new ways can serve as an advantage from several different perspectives, including improvements in performance, better memory use for storage, compactness of algorithms, and simplification of language and notation, which favors readability and analysis.
Even if we achieve only one of these benefits, our mathematical quest would be rewarding and justified. We also consider that the design of new cryptographic tools must be exercised to satisfy well-established security notions or to address emerging security needs. The combination of new mathematical resources and insights with the practice of applying them to solve old and new problems might favor a faster and more efficient response to the uncertainty of the future with respect to cryptography.
1.2 Contributions
In this work, we showcase two mathematical resources of interest, Clifford geometric algebra and the finite segment of the p-adic numbers, in which we find a source of functionalities and properties that we believe can be not only useful but also advantageous for cryptography in a wide variety of scenarios. We provide condensed tutorials, which we aim to be sufficient to appreciate the examples we propose. We hope that this mathematical parade can serve as an objective illustration of the practical applications of these mathematical resources to cryptography and as inspiration for other researchers to explore and implement opportunities that we did not cover. In practical terms, we aim to address the need for secure computation and the construction of homomorphic cryptographic tools. We detail our approach towards this challenge. We aim to derive concrete constructions and a general approach towards homomorphic cryptographic tools so that we can organize them as a framework for arbitrary homomorphic solutions.
The remainder of this work is organized as follows: in Chapter 2, we introduce the research questions that drive the efforts of this work together with a discussion of the associated strategy, goals, and results. In Chapter 3, we review the most important properties, facts, and definitions in the theory of homomorphic encryption, in particular those directly associated with this work. In Chapter 4, we review the basics of p-adic numbers with emphasis on their finite segment, namely Hensel codes, together with a detailed discussion of how we explore Hensel codes as a cryptographic primitive. We introduce several concrete constructions and their fitness for applications in the real world. In Chapter 5, we review the basics of Clifford geometric algebra and its applications to cryptography through the description and analysis of several concrete constructions. In both Chapters 4 and 5, we focus on showcasing mathematics as a rewarding alternative for constructing some well-known cryptographic tools. Indeed, we emphasize functionality, while security is only briefly and rather informally discussed. It is in Chapter 6 that we dedicate special attention to our leading concrete construction based on p-adic numbers, a private-key leveled FHE scheme. We formally discuss our construction’s security, and we compare it with some other encryption schemes that rely on the same underlying computationally hard problem. We also introduce a new way of implementing lattice cryptography based on GA. In Chapter 7, we propose a framework for developing homomorphic applications using the tools discussed in previous chapters to derive custom ideas using similar strategies. In Chapter 8, we propose some future directions for our research as well as indications of how we believe our work can contribute to other research. In Chapter 9 we present the conclusions.
1.3 Two Important Related Work
Our view of the related work for both Clifford geometric algebra and p-adic numbers is partly general but mostly concerns applications directly or indirectly related to cryptography.
1.3.1 Clifford Geometric Algebra
Clifford geometric algebra (GA) is named after its proponent, William Kingdon Clifford [36]. In 1878, Clifford introduced a new product, namely the geometric product, which unifies the algebras of Grassmann [37] and Hamilton [38]. GA was mostly studied in theoretical mathematics until David Hestenes proposed the use of GA as a language and a framework for the development of a multitude of applications in physics and engineering [39]. Fast forward to the current era, Hildebrand [40] highlights the benefits of investing in Clifford geometric algebra as a computing tool, as it can be directly integrated with standard programming languages to achieve compactness of algorithms and implicit use of parallelism, among other advantages, which result in higher run-time performance and robustness [41, 42]. The Clifford Multivector Toolbox for Matlab, by Sangwine and Hitzer [43], is a practical instance of GA computing, which can also be used to test some of the results that we present in this work. Dorst et al. discuss the object-oriented approach to geometry and the peculiarities of GA from a computer science standpoint in [44–46], where the use of vectors as a more general modeling tool (and not only a way to represent geometric aspects) and the ability to compute within subspaces of a multivector are approached in detail. This manuscript considers several multivector decompositions, their relationship with complex arithmetic, and the evaluation of eigenvalues, in line with the contributions of Josipović [47].
Rockwood et al. [48] propose a method that encodes input data so the structure of objects and their behavior can be modeled. Carré et al. [49] demonstrated how to apply GA to encode and process color transformations of images. Augello et al. [50] found that Clifford rotors could be used to encode sentences from natural languages through rotations of the orthogonal basis of a semantic space, which turned out to be more efficient than natural language representation via vectors in high-dimensional spaces. Majumdar [51] also explored GA for data encoding using sub-symbolic codes in order to provide new methods for searching, indexing, clustering, translation, and other data transformations. The application of GA as an approach towards fully homomorphic encryption is introduced in [52]. Based on similar ideas, a homomorphic image processing application based on GA is demonstrated in [53]. The experimental homomorphic primitives based on multivector objects enable the construction of additional protocols such as key exchange and key update, as discussed in [54]. To the best of our knowledge, this work is the first proposition of general-purpose methods for both data representation and data concealment based on GA. To this date and to the best of our knowledge, Clifford geometric algebra has not been directly applied to cryptography as a main mathematical resource by the crypto community. Carlos Paz de Araujo was the first to propose the use of Clifford geometric algebra as a cryptographic resource [55], which led to our preliminary investigation of homomorphic encryption based on Clifford geometric algebra [56], followed by several illustrations of prospective applications [57–59]. In order to provide a detailed discussion of the utility of Clifford geometric algebra for cryptography, such as homomorphic mappings, data representation, and encoding techniques, we have demonstrated several experimental concrete constructions [52–54, 60–62].
We have not yet, however, provided an in-depth discussion of the security properties of such constructions. For this reason, we include a discussion of how GA can be used to implement lattice-based cryptography for the production of quantum-resistant encryption schemes.
1.3.2 p-adic Numbers
In 1897, Kurt Hensel introduced the p-adic numbers [63], and since then they have been studied as part of number theory [64–66]; however, it was only in the 1970s and 1980s that this branch of mathematics gained traction, due to the work of Krishnamurthy, Rao, and Subramanian [67, 68] and Alparslan [69], who found that the finite segment of p-adic arithmetic was an efficient solution for error-free computation. During this period, other researchers became interested in error-free computation via p-adic numbers and helped consolidate the theory of finite-segment p-adic numbers for practical applications in several areas of physics, engineering, and computer science. The subject rapidly advanced with the contributions of Gregory [70, 71], Beiser [72], Farinmade [73], Hehner and Horspool [74, 75], Lewis [76], among others. The practical implications of working with finite p-adic arithmetic for error-free computation were so vast that Rao remarks in [77] that one would not need a complete understanding of the theoretical aspects of p-adic numbers in order to work with their finite segment, since the theory of finite-segment p-adic numbers had become a well-organized and nearly self-sufficient subset of the theory of p-adic numbers. Krishnamurthy, Rao, and Subramanian named the finite-segment p-adic numbers Hensel codes [67]. Alongside error-free computation, p-adic numbers have been successfully applied to parallel computation [73, 78–86]. The theory of p-adic numbers is currently present in many other theories, including the theory of dynamical systems, theoretical physics, number theory, algebraic geometry, non-Archimedean analysis [87], differential calculus [88], topology [89, 90], and analytic functions [91, 92]. We want to highlight some relevant use cases of p-adic numbers in cryptography. In 1986, Gorgui-Naguib discussed the use of p-adic number theory for constructing public-key cryptosystems by combining the ideas of RSA and the Diffie-Hellman key exchange, thus exploring the prime factorization and discrete logarithm problems [93]. Gadiyar discussed a p-adic approach to the discrete logarithm problem in [94].
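Error-free computation with Hensel codes, as an added Python example that is not part of the dissertation's code (the dissertation's own Ruby and Python implementations are in the appendices). A rational a/b with gcd(b, p) = 1 is represented by the single integer a * b^(-1) mod p^r; addition and multiplication of rationals then become plain modular arithmetic on those integers, with no rounding error, and a/b is recovered by running the extended Euclidean algorithm on (p^r, code) until the remainder falls to the Farey bound N = floor(sqrt((p^r - 1)/2)). The parameters p = 7, r = 4 and the inputs below are illustrative choices, not values from the dissertation; the last line of the demo shows the failure mode a practitioner must design for, namely that a result outside the bound decodes to the wrong rational without any error being raised.

```python
from fractions import Fraction
from math import isqrt


def hensel_encode(num: int, den: int, p: int, r: int) -> int:
    """Hensel code of the rational num/den: num * den^-1 mod p^r.

    Requires gcd(den, p) = 1; every such rational has exactly one code.
    """
    m = p ** r
    if den == 0 or den % p == 0:
        raise ValueError(f"denominator {den} is not invertible modulo {p}^{r}")
    return (num * pow(den, -1, m)) % m


def farey_bound(p: int, r: int) -> int:
    """Largest N such that every a/b with |a| <= N and 0 < b <= N decodes uniquely."""
    return isqrt((p ** r - 1) // 2)


def hensel_decode(h: int, p: int, r: int) -> Fraction:
    """Recover a/b from its Hensel code.

    Extended Euclid on (p^r, h) keeps the invariant r_i = s_i*p^r + t_i*h, so
    r_i/t_i == h (mod p^r) at every step; stopping at the first remainder <= N
    yields the unique in-bound rational. If the true rational lies outside the
    Farey bound the answer is silently wrong (see demo below).
    """
    m = p ** r
    n = farey_bound(p, r)
    r0, r1 = m, h % m      # remainders
    t0, t1 = 0, 1          # Bezout coefficients of h
    while r1 > n:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return Fraction(r1, t1)  # Fraction normalises sign and gcd


def hensel_add(h1: int, h2: int, p: int, r: int) -> int:
    """Homomorphic addition: code(a/b) + code(c/d) = code(a/b + c/d)."""
    return (h1 + h2) % p ** r


def hensel_mul(h1: int, h2: int, p: int, r: int) -> int:
    """Homomorphic multiplication: code(a/b) * code(c/d) = code(ac/bd)."""
    return (h1 * h2) % p ** r


if __name__ == "__main__":
    p, r = 7, 4                                   # illustrative: p^r = 2401, N = 34
    ha = hensel_encode(2, 3, p, r)                # 801
    hb = hensel_encode(3, 4, p, r)                # 601
    print(ha, hb)
    print(hensel_decode(hensel_add(ha, hb, p, r), p, r))   # 17/12
    print(hensel_decode(hensel_mul(ha, hb, p, r), p, r))   # 1/2
    # Caveat: 35 exceeds farey_bound(7, 4) = 34, so its code decodes incorrectly.
    print(hensel_decode(hensel_encode(35, 1, p, r), p, r))  # -21/68, not 35
```

In a cryptographic setting the bound is the sizing constraint: p^r must be chosen so that every intermediate result of the homomorphic circuit, not only the inputs, stays inside the Farey bound, otherwise decoding returns a plausible-looking but wrong rational.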
Anashin discusses uniformly distributed sequences of p-adic integers [95], which are particularly useful for constructing pseudorandom number generators (PRNGs). Several PRNGs have been proposed based on p-adic arithmetic [96–102]. Those familiar with ECC should also be familiar with the basics of p-adic numbers. Xu et al. introduce an elliptic curve cryptosystem based on groups of rational points on elliptic curves defined over p-adic number fields [103]. Satoh demonstrates efficient algorithms that replace rational point counting by p-adic point counting for elliptic curves
[104]. Blake, Seroussi, and Smart discuss an attack on the elliptic curve discrete logarithm problem that exploits elliptic curves defined over the p-adic numbers [105]. Cohen et al. provide an overview of p-adic numbers and their arithmetic and demonstrate the practical use of p-adic methods for elliptic and hyperelliptic curves [106]. In 1998, Takagi introduced a modified version of RSA in which the public modulus is computed with one of its factors being a p-adic expansion (a prime power $p^k$), in order to provide a more efficient decryption algorithm [107]; this was later generalized so that the modulus is the product of two p-adic expansions [108]. The cryptanalysis of such schemes is offered in [109], where it is shown that the design decisions that lead to faster decryption must also take into consideration the potential efficiency of some attacks, such as Wiener's continued-fraction attack and the Boneh-Durfee method. Sometimes p-adic methods appear as a minor portion of cryptosystems or attacks, as is the case in the attack of Coron, Naccache, and Stern against RSA signatures, where p-adic expansions are analyzed in order to find shortest vectors. At other times, the special properties of p-adic numbers are more fundamental to the discussion, as in the work of Catalano, Nguyen, and Stern [110], who remark that in number theory many problems can be solved by first examining the problem modulo a small prime $p$ and then applying Hensel lifting, a technique from p-adic number theory that maps solutions modulo $p$ into solutions modulo $p^r$ for arbitrary positive values of $r$. In that work, the complexity of solving the factorization and the discrete logarithm problems using Hensel lifting is analyzed. Recently, p-adic numbers have been demonstrated in cryptography either as a component of cryptographic solutions [52–54] or as the unique structure of privacy-preserving encoding schemes [111].
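As an added worked example of the Hensel lifting step described above (this code is not from the dissertation or from [110]; the function names are ours), the following Python lifts a simple root of a polynomial modulo a small prime $p$ to a root modulo $p^r$ with the Newton-style iteration $x_{k+1} = x_k - f(x_k)\,f'(x_k)^{-1} \pmod{p^{k+1}}$. It refuses roots that are not simple ($f'(x_0) \equiv 0 \pmod p$), where Hensel's lemma gives no unique lift, and it follows the strategy quoted above: solve modulo the small prime first, then lift.

```python
"""Hensel lifting: lift a simple root of f modulo p to a root modulo p**r.

Added illustration, not code from the dissertation.  Polynomials are lists of
integer coefficients, lowest degree first: [-2, 0, 1] is x**2 - 2.
"""


def poly_eval(coeffs, x, mod):
    """Evaluate sum(c_i * x**i) modulo mod with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def poly_derivative(coeffs):
    """Formal derivative: d/dx sum(c_i x^i) = sum(i * c_i x^(i-1))."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def hensel_lift(coeffs, root_mod_p, p, r):
    """Return x with f(x) = 0 (mod p**r) and x = root_mod_p (mod p).

    Raises ValueError if root_mod_p is not a root modulo p, or is not a
    simple root (f'(x) = 0 mod p): then the lift is not unique or may fail.
    """
    if poly_eval(coeffs, root_mod_p, p) != 0:
        raise ValueError("not a root modulo p")
    dcoeffs = poly_derivative(coeffs)
    if poly_eval(dcoeffs, root_mod_p, p) == 0:
        raise ValueError("root is not simple modulo p; Hensel's lemma does not apply")
    x = root_mod_p % p
    mod = p
    for _ in range(1, r):
        mod *= p
        # f'(x) is a unit modulo p, hence modulo every p**k, so the inverse exists.
        inv = pow(poly_eval(dcoeffs, x, mod), -1, mod)
        x = (x - poly_eval(coeffs, x, mod) * inv) % mod
    return x


def roots_mod_prime_power(coeffs, p, r):
    """All lifts to p**r of the simple roots of f modulo a small prime p.

    Solve modulo p by exhaustive search (cheap for small p), then lift each
    simple root; non-simple roots are skipped rather than lifted incorrectly.
    """
    dcoeffs = poly_derivative(coeffs)
    lifted = []
    for x0 in range(p):
        if poly_eval(coeffs, x0, p) == 0 and poly_eval(dcoeffs, x0, p) != 0:
            lifted.append(hensel_lift(coeffs, x0, p, r))
    return sorted(lifted)


if __name__ == "__main__":
    # Square roots of 2 modulo 7**5: 3**2 = 9 = 2 (mod 7) lifts to a root mod 16807.
    for x in roots_mod_prime_power([-2, 0, 1], 7, 5):
        print(x, x * x % 7 ** 5)
```

Each iteration only needs $f(x_k) \equiv 0 \pmod{p^k}$ to hold, so the correction term is a multiple of $p^k$ and the new value agrees with the old one modulo $p^k$; the tests below check both the lifted root and the refusal of the non-simple root $x = 0$ of $x^2$ modulo 2.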
We believe that the aforementioned cases, and many others [112–116], represent a diverse body of evidence of the richness and usefulness of p-adic numbers. We hope to further demonstrate the applicability of p-adic numbers to cryptography, as we believe that p-adic numbers can be researched and explored as a branch of cryptography in their own right.
CHAPTER 2
Research Questions, Metrics and Methodology
In Chapter 1, we discussed the existence of imminent events with the potential to dramatically change how cryptography is implemented and used today. We also discussed the importance of investigating mathematical resources that are not commonly present in mainstream cryptographic constructions. We highlighted our choice of GA and p-adic numbers for their overall mathematical richness, which makes them our candidate tools for new cryptographic solutions. In this chapter, we introduce the research questions that drive us, how we expect to answer them, and how we intend to verify our results, organizing this process in the form of a methodology.
2.1 General-Purpose Mathematical Framework
We start our investigation with the following question:
Research Question 1. Is it possible to construct a flexible mathematical system in the form of a framework through which many general-purpose homomorphic algorithms can be produced efficiently?
If we have any hope of answering Research Question 1, we need to break it down into smaller parts: essentially, what do we mean by “framework", “mathematical system", “homomorphic algorithms", and “efficiently"? Additionally, notice that Research Question 1 does not focus specifically on cryptographic algorithms. Instead, it focuses on “general-purpose homomorphic algorithms". Why is this important? We aim to show that cryptographic algorithms are composed of several general-purpose elements: subroutines that are common to many other applications, not just cryptography. Probably the greatest example of this type of subroutine is data encoding. Generally speaking, before working with data, we need to make sure that the data is in a certain given format, which might be convenient or required for further operations, depending on the type of application. Using this example, Research Question 1 includes investigating the use of GA and p-adic numbers for constructing general-purpose data representations and encodings; not just any type of representation or encoding, but specifically homomorphic ones.

We refer to “framework" and “mathematical system" in light of the notions introduced by Hestenes in [39]. In that work, Anthony Lasenby remarks that the mathematical resources used to construct solutions are mathematical languages, and that when these languages are used in a structured way in order to produce practical applications, we then have a mathematical system or a framework. Lasenby recalls that some mathematical languages in physics and engineering are disparate, and so are the mathematical systems produced by them. Lasenby further remarks that GA is a mathematical language that can unify otherwise disparate concepts in physics and engineering, with which we can produce similarly unified mathematical systems. In other words, GA can be applied as both a mathematical language and a mathematical system in many areas of engineering, robotics, and computer science, with no changes whatsoever in the language or in the system, since it is the very same underlying mathematics in all of these areas. The practical implication of this phenomenon is that GA enables physicists to understand topics in engineering, as well as engineers to understand topics in physics. Lasenby remarks that the unification of concepts from several different areas via GA is done in such a way that “no other single mathematical system could hope to make possible."
Our second mathematical resource of choice also has properties that can help us build general-purpose homomorphic algorithms. The theory of p-adic numbers is commonly referred to as a theory of representation [117–120], where the most significant example is the representation of rational numbers as integers: one can replace the costly arithmetic over rational numbers by the efficient arithmetic over the integers, without loss, provided the results stay within the range that the chosen finite segment can represent. This ability gave birth to the field of error-free computation via p-adic numbers [68, 121–124].
We will show that this representation can be isomorphic, and we will explore this feature in order to produce homomorphic mappings.
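To make the representation concrete, here is an added Python example (not the dissertation's own code; the `HenselCode` class, its method names and the parameters $p = 7$, $r = 4$ are our illustration) of the finite-segment p-adic encoding of rationals, the Hensel codes named in Section 1.3. A rational $a/b$ with $\gcd(b, p) = 1$ is stored as the integer $a \cdot b^{-1} \bmod p^r$; sums and products of codes modulo $p^r$ decode to the sums and products of the rationals, so a whole computation runs on integers only. Decoding by rational reconstruction succeeds only while numerator and denominator stay within the Farey bound $N = \lfloor \sqrt{(p^r - 1)/2} \rfloor$, which is exactly the limit of the finite segment, and the example shows what happens past it.

```python
"""Hensel codes: finite-segment p-adic encoding of rational numbers.

Added illustration (not the dissertation's code).  A rational a/b with
gcd(b, p) = 1 is encoded as H = a * b^{-1} mod g, with g = p**r.  Addition,
subtraction and multiplication of codes mod g mirror the same operations on
the rationals.  Decoding uses rational reconstruction (extended Euclid) and
is correct only when the result's numerator and denominator are both at most
the Farey bound N = floor(sqrt((g - 1) / 2)); a result outside that window
decodes to a *different* rational with no error raised, which is the cost of
working in a finite segment and must be budgeted for when choosing p and r.
"""
from fractions import Fraction
from math import gcd, isqrt


class HenselCode:
    def __init__(self, p, r):
        self.p, self.r = p, r
        self.g = p ** r                        # modulus of the finite segment
        self.bound = isqrt((self.g - 1) // 2)  # Farey bound N, so 2*N*N < g

    def encode(self, q):
        """Map a rational (or int) whose denominator is coprime to p into Z_g."""
        q = Fraction(q)
        if gcd(q.denominator, self.p) != 1:
            raise ValueError("denominator must be coprime to p")
        return (q.numerator * pow(q.denominator, -1, self.g)) % self.g

    def decode(self, h):
        """Rational reconstruction: a/b with a = h*b (mod g), |a|, |b| <= N."""
        r0, r1 = self.g, h % self.g
        t0, t1 = 0, 1
        while r1 > self.bound:           # invariant: r_i = t_i * h (mod g)
            quo = r0 // r1
            r0, r1 = r1, r0 - quo * r1
            t0, t1 = t1, t0 - quo * t1
        if t1 == 0 or abs(t1) > self.bound or gcd(r1, t1) != 1:
            raise ValueError("no rational within the Farey bound")
        return Fraction(r1, t1)          # Fraction normalises the sign

    def add(self, h1, h2):
        return (h1 + h2) % self.g

    def mul(self, h1, h2):
        return (h1 * h2) % self.g


def hensel_eval(code, x, y):
    """Compute x*y + x - y on codes only, then decode; return (decoded, exact)."""
    hx, hy = code.encode(x), code.encode(y)
    h = code.add(code.add(code.mul(hx, hy), hx), (-hy) % code.g)
    return code.decode(h), Fraction(x) * Fraction(y) + Fraction(x) - Fraction(y)


if __name__ == "__main__":
    hc = HenselCode(7, 4)                # g = 2401, Farey bound N = 34
    print(hensel_eval(hc, Fraction(2, 3), Fraction(1, 5)))   # (3/5, 3/5)
    # 31 * 31 = 961 exceeds N, so its code decodes to the wrong rational 3/5.
    print(hc.decode(hc.mul(hc.encode(31), hc.encode(31))))
    print(HenselCode(7, 8).decode(961))  # a longer segment recovers 961
```

Note that the code $961$ in $\mathbb{Z}_{2401}$ is at the same time the image of $961/1$ and of $3/5$; only the Farey bound decides which rational the decoder returns, so an implementation must size $p^r$ from the largest numerator and denominator the computation can produce, because overflow of the segment is not detected.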
2.2 Mathematical Framework Applied to Cryptography
With general-purpose routines established, such as the ones for data encoding, could we use the same mathematical language and system to construct cryptographic tools? More specifically, can we repeat in cryptography the successful application of GA and p-adic numbers seen in physics and engineering? From now on, we use the term “framework" to refer to a mathematical language together with a mathematical system built upon GA and/or p-adic numbers. Thus we rephrase our question as follows:
Research Question 2. Can this framework be successfully applied to cryptography as it is in engineering and physics?
This question can also be broken down into smaller parts. Successfully applying our framework to cryptography is a challenge by itself, and the notion of success in this case comes from cryptography: cryptography has its own requirements, and if we can satisfy them, then we consider the application successful. However, we also want to investigate whether we can be as successful as other applications of GA and p-adic numbers are in other areas of science. As previously mentioned, GA has been successfully applied in many applications in physics and engineering [41, 42, 125, 126], which is contributing to a growing interest in the computational aspects of Clifford GA [40, 42, 44, 46, 127–131]. Hildenbrand in [40] highlights that the unification of many mathematical systems into an easy-to-understand mathematical framework serves as an extension of standard programming languages while enabling compact algorithms that can run in parallel, yielding high runtime performance and robustness. Similarly, p-adic numbers have been successfully applied in several areas of physics and engineering [67,70–92], contributing benefits such as increased runtime performance and error-free computation. We want to investigate GA and p-adic numbers applied
to cryptography, first in isolation, that is, applying GA only and then applying p-adic numbers only, and then experiment with and evaluate the combination of these two resources.
Research Question 3. Could such a framework help to simplify the complexity commonly associated with homomorphic encryption, allowing the implementation of constructions that are easier to understand?
We aim to construct algorithms that are compact (both the mathematical and the algorithmic descriptions are reasonably small), easy to read, to understand, and to analyze. They must also be simple to implement and to maintain. If we think of an abstract way to construct algorithms via our proposed framework, ideally without necessarily thinking of GA and p-adic numbers, then we arrive at some type of domain-specific language (DSL) for generating cryptographic algorithms. More specifically:
Research Question 4. Is it possible to use GA as an extension of classical programming languages for implementing cryptographic algorithms?
A significant barrier for homomorphic encryption, in general, is performance. This could be easily qualified as the single most important barrier in the broader adoption of homomorphic encryption. For this reason, we want to investigate the following:
Research Question 5. Will an FHE scheme implemented with GA and Hensel codes benefit from the overall improvement in runtime performance that has been demonstrated in other fields?
Last but not least, we want to investigate whether GA and p-adic numbers are viable candidates from the computational security standpoint.
Research Question 6. Is it possible to exploit GA and p-adic numbers for security purposes in association with a well-known computationally hard problem while still achieving satisfactory levels of performance?
2.3 Metrics and Methodology
We aim to address each research question according to its own context. However, a general approach in the attempt to answer all of them is to introduce an associated concrete
algorithm. For Research Question 1, we target demonstrating homomorphic data encoding algorithms that could be incorporated as a sub-routine to any other algorithm that could leverage homomorphism. For Research Question 2, we target concrete algorithms in which we can demonstrate improvements in at least one of the following:
• Performance,
• Exact computation,
• Input space (allowing a broader range in the input than usual),
• Randomization (adding randomization to deterministic algorithms),
• Compactness.
The more benefits we achieve, the better. However, even a single one of the above improvements would represent a significant contribution of our framework to cryptography. For Research Question 3, we also focus on a concrete algorithm to serve as an illustration of reduced complexity for reading and analyzing a homomorphic encryption scheme. However, this question involves a significant amount of subjectivity. After all, how does one measure the complexity of reading or analyzing a scheme? We will demonstrate concrete examples, and we will defend our stance on philosophical grounds. For Research Question 4, we target a set of concrete algorithms which one can use as the underlying tool for building arbitrary schemes. In this sense, it would serve the purpose of a DSL for cryptographic algorithms. Research Question 5 is closely related to how we aim to address Research Question 4. This time we are solely concerned with efficiency. To keep the discussion as broad as possible, when analyzing a standalone instance, by “efficient" we mean running in polynomial time. For Research Question 6, we target constructing an encryption scheme for which any attack that breaks the scheme can be turned into an algorithm that solves a well-known computationally hard problem. We plan to answer all research questions with concrete examples. We are investigating the existence of instances of algorithms that satisfy specific properties or meet certain expectations. Thus, the existence of an algorithm that meets a particular set of expectations is proof that the problem can be solved algorithmically [132].
Our approach consists of answering one research question at a time, in no particular order, using GA and p-adic numbers, both in isolation and together. By the conclusion of this work, we want to have shown individual examples that answer the research questions and a single instance that addresses all research questions at once.
CHAPTER 3
Homomorphic Encryption
In this chapter, we aim to review the basics of homomorphic encryption theory as a preparation for the following chapters. We will discuss several different approaches towards concrete homomorphic encryption schemes and some other related algorithms. Since we will only introduce private-key encryption components, our review will focus on the aspects of private-key homomorphic encryption as well. We conclude this chapter by discussing some critical works in the ongoing history of homomorphic encryption.

Since homomorphic encryption (HE) was initially proposed [29], over 40 years of research advances have been demonstrated towards general-purpose practical applications of meaningful computation over encrypted data. Since the beginning, the target was always the ability to perform unlimited secure computation, a property that is captured by the notion of fully homomorphic encryption (FHE). It seems safe to assume that the HE timeline can be divided into before and after FHE, with the first concrete FHE scheme proposed by Gentry in 2009 [31,32]. However, HE has been described in many different scenarios and for several different purposes, which gives rise to distinct classes of HE schemes. In general, a HE scheme is composed of the standard cryptographic algorithms Gen, Enc, and Dec, and an additional algorithm Eval, which is responsible for evaluating functions on encrypted data.

Gentry introduced a FHE scheme with which one can compute all functions over encrypted data an unlimited number of times. Gentry first constructed a somewhat homomorphic encryption (SWHE) scheme and then transformed it into a FHE scheme via a remarkable technique called bootstrapping, a process that involves a type of recryption of an existing ciphertext (generating a new “double encrypted" ciphertext) followed by the evaluation of an augmented version of the scheme's own decryption circuit. This process corresponds to a homomorphic decryption of the inner encryption (using the encrypted secret key). Such a technique reduces the noise that is propagated at every homomorphic evaluation, in particular during multiplication. Bootstrapping can then be described as a noise reduction technique that brings the noise of an evaluated ciphertext (a ciphertext output by Eval) to a level that is compatible with the noise of a fresh ciphertext (a ciphertext output by Enc), which enables an unlimited number of computations on encrypted data. Gentry and Halevi introduced a working implementation of a variant of Gentry's original scheme while adding several optimizations [133], a work somewhat similar to the preceding implementation by Smart and Vercauteren [134].

Several other schemes followed some variation of Gentry's strategy [134–137]. Currently, many libraries [138–146] are mostly based on lattices and the Ring Learning With Errors (RLWE) problem, and implement one or both of the schemes known as BGV [147] and B/FV [148,149]. Brakerski remarks that constructing a FHE scheme directly is sometimes not feasible due to security and functionality overhead [150]. In such a case, the construction of a leveled FHE scheme is sufficient for some applications. A leveled FHE scheme is a scheme that, given an additional parameter $1^d$, evaluates all circuits of depth up to $d$. Brakerski also remarks that leveled FHE schemes can sometimes be promoted to a standard FHE scheme via bootstrapping, usually at the expense of efficiency and of an additional security assumption (circular security).

Homomorphic encryption is described as the ability to meaningfully compute on encrypted data [30]. What is computed and how computation takes place, together, determine the classes in which HE schemes are organized.
As we discuss definitions and properties in HE, we fix a private-key HE scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$, where Gen, Enc, and Dec denote the key-generation, encryption, and decryption algorithms, and Eval denotes an algorithm that evaluates functions/circuits over encrypted data. For now, we consider the following algorithm signatures: the key-generation algorithm as $(sk, evk) \leftarrow \mathrm{Gen}(1^\lambda)$, the encryption algorithm as $c \leftarrow \mathrm{Enc}(sk, m)$, the decryption algorithm as $m \leftarrow \mathrm{Dec}(sk, c)$, and the evaluation algorithm as $c' \leftarrow \mathrm{Eval}(evk, C, (c_1, \ldots, c_t))$, where $C$ is the circuit to be evaluated on the ciphertexts $c_1, \ldots, c_t$.
3.1 Requirements
Gentry describes HE as a technology that aims to promote delegation, which is a separation of data processing from data access [30]. Overall, delegation is only useful if convenience meets privacy, and secure homomorphic evaluation of encrypted data materializes it. When key owners successfully delegate homomorphic evaluation, they benefit from a reduction in their workload. Delegation must observe some requirements, as discussed below.
Definition 3.1.0.1. (Correctness) For all keys output by Gen and all messages taken as input by Enc, Π is said to be correct if the decryption of all encryptions and the decryption of all homomorphic evaluations are correct, that is, $\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m$ and $\mathrm{Dec}(sk, \mathrm{Eval}(evk, C, (c_1, \ldots, c_t))) = C(m_1, \ldots, m_t)$ for every accepted circuit $C$ and every $c_i \leftarrow \mathrm{Enc}(sk, m_i)$.
When we say that Π accepts some functions, we mean that Π evaluates those functions and correctly decrypts their result. It is clear that if any delegation attempt fails correctness, the delegation itself is useless. However, correctness alone is not enough. Suppose the key owner outsources the evaluation of some highly complex function on encrypted data for which the decryption also involves a complexity significantly higher than decrypting fresh ciphertexts. In that case, the delegation attempt defeats the purpose of workload reduction. For this reason, any successful delegation must satisfy the compactness requirement.
Definition 3.1.0.2. (Compactness) Given a ciphertext $c_2$ output by Eval and a ciphertext $c_1$ output by Enc, Π is said to be compact if the computational cost of decrypting $c_2$ is the same as that of decrypting $c_1$, and $c_2$ and $c_1$ are of the same size. (In the usual formulation it suffices that the size of $c_2$, and hence the running time of Dec on it, is bounded by a polynomial in the security parameter that does not depend on the evaluated circuit.)
Delegation might as well take into consideration the interests of the outsourcee (the third party). Brakerski remarks that delegation might involve proprietary algorithms, in which case the key owner should not learn anything about the functions homomorphically evaluated [150]. This is captured by the circuit privacy requirement, according to which no one should learn anything about an evaluated function from a ciphertext output by that evaluation except the value of the function itself.
Definition 3.1.0.3. (Circuit Privacy) Π is said to be circuit-private if the distribution of ciphertexts output by Eval is indistinguishable from the distribution of fresh ciphertexts output by Enc for the same underlying plaintext result.
With the fundamental delegation requirements in mind, we can now discuss the classi- fication of HE schemes.
3.2 HE Classes
For FHE’s particular case, Gentry remarks that there should not be any limitation as to which type of computation can be performed on encrypted data, nor the number of times those computations occur. We can capture this description using the HE requirements previously discussed.
Definition 3.2.0.1. (FHE) Π is a FHE scheme if it is correct, compact, and circuit-private for all functions.
Another way to say “correct for all functions" is “accepts all functions". The property of unlimited computations on encrypted data is implied in “all functions" since we refer to circuits of any size and depth. We can now discuss other HE classes by “downgrading" a FHE scheme. Instead of accepting all circuits indefinitely, we now consider that Π accepts all circuits up to depth d while still satisfying correctness, compactness, and circuit privacy. Such a scheme is a leveled FHE scheme.
Definition 3.2.0.2. (Leveled FHE) Π is said to be a leveled FHE scheme if Π takes an additional parameter $1^d$ as an argument, Π accepts all circuits of depth at most $d$, and it is correct, compact, and circuit-private.
Now we consider the case where Π can only accept a limited set of functions such that no function is too complex [30]. In this scenario, Π can only evaluate low-degree polynomials [147] for a limited number of times [134]. Such a scheme is a SWHE scheme.
Definition 3.2.0.3. (SWHE) Π is said to be a SWHE scheme if Π only accepts circuits of low complexity for a limited number of times, and it is correct and circuit-private.
The correctness and circuit privacy requirements still hold for a SWHE scheme since the violation of any of these compromises the interests of the key owner and the outsourcee.
However, compactness is not required [151], which is reasonable since homomorphic evaluations only consider circuits of low complexity. Here we consider any other more restricted scheme (with respect to which circuits are accepted) as a type of SWHE.
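As an added example (not the dissertation's own scheme, and with parameters far too small to be secure), the following Python toy is a private-key SWHE in the style of the DGHV scheme over the integers listed in Section 3.3. It makes visible the noise growth that motivates Gentry's bootstrapping, discussed at the start of this chapter, and shows concretely why Definition 3.2.0.3 limits a SWHE scheme to low-complexity circuits evaluated a limited number of times. The `noise` field carried on each ciphertext is bookkeeping for the illustration only; a real evaluator never sees it, and the class and function names are ours.

```python
"""Toy private-key SWHE over the integers (DGHV style); illustration only.

Secret key: an odd integer p.  Enc(m) = p*q + 2*r + m for a random q and a
small random r, with m in {0, 1}.  Dec(c) = (c mod p) mod 2, taking the
centred remainder in (-p/2, p/2].  Eval is plain integer addition (plaintext
XOR) and multiplication (plaintext AND).  The noise term n = 2*r + m adds
under + and multiplies under *, so decryption is correct only while
|n| < p/2: that is the "somewhat" in somewhat-homomorphic, and what
bootstrapping would refresh.  Parameters here are not secure.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Ct:
    value: int  # the ciphertext an evaluator actually sees
    noise: int  # exact noise term 2*r + m, tracked only for illustration


class ToyDGHV:
    def __init__(self, p=None, p_bits=40, q_bits=100, noise_bits=8):
        # Secret key: an odd p_bits-bit integer (or a caller-supplied odd p).
        if p is None:
            p = secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1
        if p % 2 == 0:
            raise ValueError("p must be odd")
        self.p, self.q_bits, self.noise_bits = p, q_bits, noise_bits

    def enc(self, m, q=None, r=None):
        if m not in (0, 1):
            raise ValueError("plaintext must be a bit")
        if q is None:
            q = secrets.randbits(self.q_bits)
        if r is None:  # r uniform in [-2**noise_bits, 2**noise_bits]
            bound = 1 << self.noise_bits
            r = secrets.randbelow(2 * bound + 1) - bound
        n = 2 * r + m
        return Ct(self.p * q + n, n)

    def dec(self, c):
        rem = c.value % self.p
        if rem > self.p // 2:  # centred remainder
            rem -= self.p
        return rem % 2

    def noise_ok(self, c):
        """True iff the tracked noise is still inside the decryptable range."""
        return 2 * abs(c.noise) < self.p

    def mul_budget(self):
        """Largest k such that a product of k fresh ciphertexts always decrypts."""
        worst = 2 * (1 << self.noise_bits) + 1  # max |2r + m| of a fresh ciphertext
        k = 0
        while 2 * worst ** (k + 1) < self.p:
            k += 1
        return k

    @staticmethod
    def add(a, b):  # homomorphic XOR: noise adds
        return Ct(a.value + b.value, a.noise + b.noise)

    @staticmethod
    def mul(a, b):  # homomorphic AND: noise multiplies
        return Ct(a.value * b.value, a.noise * b.noise)


def and_chain(scheme, bits):
    """AND all bits homomorphically; return (decrypted, expected, noise_ok)."""
    acc = scheme.enc(bits[0])
    for b in bits[1:]:
        acc = scheme.mul(acc, scheme.enc(b))
    return scheme.dec(acc), int(all(bits)), scheme.noise_ok(acc)


if __name__ == "__main__":
    s = ToyDGHV(p=1001, noise_bits=2)      # tiny key so the arithmetic is visible
    c = s.enc(0, q=5, r=3)                 # value 5011, noise 6
    c2 = ToyDGHV.mul(c, c)                 # noise 36: still decrypts to 0
    c4 = ToyDGHV.mul(c2, c2)               # noise 1296 > p/2: decrypts to 1
    print(s.dec(c2), s.noise_ok(c2), s.dec(c4), s.noise_ok(c4), s.mul_budget())
```

With $p = 1001$ the fourth power of a ciphertext of $0$ decrypts to $1$: the noise $6^4 = 1296$ has wrapped around modulo $p$, and nothing in the ciphertext signals it. A scheme that accepts such a circuit is incorrect in the sense of Definition 3.1.0.1, so the depth has to be capped (a SWHE or leveled scheme) or the noise refreshed by bootstrapping.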
3.3 Key Contributions
Vinod Vaikuntanathan maintains a webpage [152] that keeps track of the most notable works related to the advancement of fully homomorphic encryption over the years. Next, we follow Vaikuntanathan's reference collection to review some of the key contributions related to fully homomorphic encryption. For first-timers, one simple question might be hard to answer: “Where to start?". We find the discussion introduced by Gentry in [30] a good start, in particular due to the introductory discussion on the need for homomorphic encryption, its fundamental goals, and its requirements. The frequent use of physical analogies is undoubtedly helpful in understanding the underlying concepts. Vaikuntanathan introduces a detailed survey on homomorphic encryption [153], with in-depth discussions including the history of homomorphic encryption, fundamental definitions, main constructions, and applications. Shai Halevi introduces a tutorial on homomorphic encryption [154], which covers everything from a review of the fundamentals to discussions of advanced topics. One attractive characteristic of Halevi's work is that there are separate discussions on defining and on implementing certain classes of homomorphic encryption. We can see the references organized by Vaikuntanathan as some sort of timeline, especially the sections identified as Pre-FHE, Gen I, Gen II, and Gen III. For a side-by-side visualization, we organized these sections in Figure 3.1. Next, we provide some context for each essential contribution.
• Pre-FHE: The Pre-FHE era consists of the period in which the works that paved the way for the first concrete instance of a FHE scheme were introduced.
– Privacy homomorphisms [29]: in 1978, Rivest, Adleman, and Dertouzos published the seminal paper on homomorphic encryption, then referred to as privacy homomorphisms. They held that an encryption function with which one cannot compute on the encrypted data is a limited encryption function, and followed this with the remark that there must be encryption functions that allow such computations. Rivest, Adleman, and Dertouzos also proposed some applications that would be possible with such a type of encryption.

Figure 3.1: A FHE Timeline. [Figure not reproduced in text: four columns labelled Pre-FHE (1978–2010), Gen I (2009–2011), Gen II (2012–2014), and Gen III (2013–2016), each listing the works discussed in this section with their years.]
– Probabilistic encryption [155]: In 1984, Goldwasser and Micali introduced a probabilistic model of encryption, which is fundamental not only to homomorphic encryption but to cryptography in general. Among other results, Goldwasser and Micali showed that, under proper conditions, probabilistic encryption achieves a much higher security level than what is possible with deterministic encryption.
– ElGamal cryptosystem [156]: In 1985, ElGamal introduced a probabilistic public-key encryption scheme and a digital signature algorithm based on the discrete logarithm problem. One can compute multiplications on encrypted data using the ElGamal cryptosystem;
– Paillier cryptosystems [157]: In 1999, Paillier introduced three public-key encryption schemes whose security was based on the Composite Residuosity Class
Problem. One can compute additions on encrypted data using Paillier cryptosys- tems;
– A generalization of the Paillier cryptosystems [158]: In 2001, Damgård and Jurik proposed a generalization of the Paillier cryptosystems which, among other optimizations, reduced the ciphertext expansion without compromising the homomorphic property. Damgård and Jurik remark that the proposed optimizations favored the use of the scheme in an electronic voting application.
– Evaluation of 2-DNF formulas on ciphertexts [159]: In 2006, Boneh, Goh, and Nissim introduced a homomorphic public-key encryption scheme with which one can evaluate quadratic multivariate polynomials on ciphertexts, and hence 2-DNF formulas on Boolean variables. Among the possible applications, Boneh, Goh, and Nissim highlight an efficient election system based on homomorphic encryption. The encryption scheme is known as BGN.
– BGN-type cryptosystem from LWE [160]: In 2010, Gentry, Halevi, and Vaikuntanathan introduced a public-key encryption scheme similar to BGN with which one can compute polynomially many additions and one multiplication on encrypted data. The scheme's security is based on the hardness of the learning with errors (LWE) problem, a computational problem known to be as hard as certain worst-case lattice problems.
• Gen I: The first generation of FHE schemes.
– FHE using ideal lattices [32]: In 2009, Gentry introduced the first FHE scheme with which one can compute arbitrary functions on encrypted data. The notion of “arbitrary functions" implies computing any function for an unlimited number of times. Gentry achieved this goal by constructing first a SWHE scheme and turning it into a FHE through bootstrapping. Gentry’s remarkable work was a breakthrough in the theory of homomorphic encryption.
– FHE over the integers [135]: In 2010, van Dijk, Gentry, Halevi, and Vaikuntanathan introduced a SWHE scheme that is then converted into a FHE scheme using bootstrapping. The scheme is based on modular arithmetic over the integers, and its advertised main appeal is the conceptual simplicity of its construction. The encryption scheme is known as DGHV, and its security is based on the approximate-gcd problem;
– FHE with smaller keys and ciphertexts [134]: In 2010, Smart and Vercauteren introduced a SWHE scheme that is also converted into a FHE scheme using Gentry's bootstrapping technique. The difference of this particular construction is that the public key, the secret key, and the ciphertexts are smaller compared with Gentry's original construction. Smart and Vercauteren remark that their scheme allows efficient fully homomorphic encryption over any field of characteristic two;
– FHE on worst-case hardness [161]: In 2010, Gentry proposed a modified key generation algorithm for his previous FHE scheme on ideal lattices, which allows basing the security of the encryption scheme on the shortest independent vector problem (SIVP), which is considered to be quantum-resistant;
– FHE without squashing [162]: In 2011, Gentry and Halevi introduced a FHE scheme that uses bootstrapping but does not require the “squashing" of the decryption circuit, a routine that is necessary in Gentry's original blueprint in order to allow bootstrapping. The encryption scheme is hybrid, that is, a mix of a SWHE scheme and a multiplicatively homomorphic encryption scheme similar to ElGamal. The security of Gentry and Halevi's scheme is based on the Decision Diffie-Hellman problem.
• Gen II: The second generation of FHE schemes.
– FHE without modulus switching from classical GapSVP [163]: In 2012, Brakerski introduced a scale-invariant FHE scheme whose ciphertext noise grows linearly, as opposed to quadratically, as seen in previous candidates. The security of the encryption scheme is based on the hardness of the GapSVP problem;
– FHE with polylog overhead [164]: In 2012, Gentry, Halevi, and Smart proposed the construction of FHE schemes whose complexity of evaluating arithmetic circuits would occur with only polylogarithmic overhead;
– Homomorphic evaluation of the AES circuit [165]: In 2012, Gentry, Halevi, and Smart introduced a leveled homomorphic encryption scheme that could work with or without bootstrapping, capable of evaluating the AES-128 circuit.
– Efficient FHE from (standard) LWE [148]: In 2012, Brakerski and Vaikuntanathan proposed a FHE scheme based on the standard LWE assumption. More specifically, the security of the scheme is based on the worst-case hardness of short vector problems on arbitrary lattices.
– (Leveled) FHE without bootstrapping [147]: In 2014, Brakerski, Gentry, and Vaikuntanathan proposed a new approach to constructing a leveled FHE scheme without requiring bootstrapping, which is showcased in two ways: first, by introducing a leveled FHE scheme based on the RLWE assumption without using bootstrapping, and second, by introducing a leveled FHE scheme also based on the RLWE assumption in which bootstrapping is used as an optimization technique.
– Vaikuntanathan lists additional works as part of Gen II, such as [149,166–169].
• Gen III: The third generation of FHE schemes.
– Attribute-based homomorphic encryption from LWE [170]: In 2013 Gentry, Sahai and Waters proposed a FHE scheme based on the LWE assumption with an optimization on homomorphic multiplications. With this change, homomorphic addition and multiplication are just matrix addition and multiplication, which makes the encryption scheme asymptotically faster and easier to understand. The encryption scheme is known as GSW;
– Lattice-based FHE as secure as PKE [171]: In 2014, Brakerski and Vaikuntanathan introduced a leveled FHE scheme whose security is based on lattice problems such as GapSVP. The security of the scheme matches the security of non-homomorphic lattice-based public-key encryption schemes;
– Faster bootstrapping with polynomial error [172]: In 2014, Alperin-Sheriff and Peikert introduced a new algorithm for bootstrapping that implements an elementary and efficient arithmetic procedure, as opposed to Boolean circuits, which is more efficient than Gentry’s original approach;
– FHEW: fast bootstrapping [144]: In 2015, Ducas and Micciancio introduced a new method for homomorphically computing single-bit operations and refreshing the output, which is the goal of bootstrapping. This procedure runs on a personal computer in less than a second;
– Optimized GSW-FHE [173]: In 2016, Hiromasa, Abe, and Okamoto introduced an FHE scheme that encrypts matrices and supports homomorphic matrix addition and multiplication.
– Faster FHE [174]: In 2016, Chillotti, Gama, Georgieva, and Izabachène proposed a variant of the GSW-FHE scheme which uses a simpler external product between a GSW and an LWE ciphertext. Then, the bootstrapping used in FHEW can be applied, resulting in a speedup from less than 1 second to less than 0.1 seconds and a bootstrapping key size reduction from 1GB to 24MB.
For more information about other types of FHE schemes, applications, and advanced topics, the reader can resort to Vaikuntanathan’s collection [152]. Several other interesting topics are not covered in this work, including: 1) Modulus switching, 2) Circuit squashing, 3) Single-hop and multi-hop homomorphism, 4) Public key compression, and 5) Circular security. The reader can find discussions about each of the above topics and more in [30, 136, 147, 150, 151, 153, 154, 175]. There are active workgroups developing practical instantiations of homomorphic encryption, including the following libraries: SEAL [138], HElib [139], Palisade [140], cuHE [141], NFLLib [142], HEAAN [143], FHEW [144], TFHE [145], and Lattigo [146], as shown in Table 3.1. Most of these libraries are based on the Ring Learning With Errors problem while implementing one or two of the following schemes: BGV [147] and B/FV [148, 149]. As part of an ongoing effort, a group of members from industry, government and academia is developing a community standard for homomorphic encryption [33].
Library          Language    Schemes
HElib            C++         BGV, CKKS, SV, GHS
Microsoft SEAL   C++         BFV, CKKS
PALISADE         C++         BGV, BFV, CKKS, FHEW, TFHE
FHEW/TFHE        C++         CKKS
Λ∘λ (Lol)        Haskell     Lattice-based HE
NFLlib           C++         FV-NFLib
cuHE             Cuda C++    DHS, LTV
Lattigo          Go Lang     full-RNS BFV, CKKS

Table 3.1: Most noticeable homomorphic encryption libraries
3.4 Conclusions
Homomorphic encryption is one of the answers to society’s changes that impact our notion of security and utility. Since 1978, there has been a pursuit of a type of encryption that goes beyond securely encrypting and decrypting. The notion of secure delegation implies reconciling data access with data privacy, which at first glance seems to be a conflicting goal. However, homomorphic encryption has received continued attention and investment from a growing community with members of academia, industry, and government. Currently, the single greatest challenge to be overcome is the performance issues related to fully homomorphic encryption. We consider this challenge complex and big enough to justify searching for mathematical resources that are currently not being explored to the fullest.
CHAPTER 4
p-Adic Numbers
In this chapter, we discuss our approach towards homomorphic cryptographic constructions using p-adic numbers. Furthermore, we will discuss concrete constructions as a first step towards the answer to the research questions presented in Chapter 2. Recall that p-adic numbers are one of the mathematical resources we resort to in order to explore functionalities and properties that can be used in cryptography for utility and, hopefully, for security. We start with a tutorial that is tailored to equip a reader, even those unfamiliar with the finite-segment p-adic arithmetic, to sufficiently understand the notation, the terminologies, special properties, and the functions that will serve us as the underlying engine for producing concrete instances of homomorphic cryptographic tools. Next, we will discuss concrete constructions as we apply each component of the covered material on finite-segment p-adic numbers.
4.1 A Compact Tutorial
As we discussed in Section 1.3.2, p-adic numbers have been successfully applied in many areas of physics, engineering, and computer science. When it comes to finite-segment p-adic arithmetic, the literature is abundant on error-free and parallel/distributed computation. As also discussed previously, although there are several examples of the use of finite-segment p-adic arithmetic in cryptography, p-adic numbers are far from being mainstream in the crypto-community. Although we will focus on Hensel codes in the remainder of this work, we cannot stress enough that Hensel codes are finite p-adic numbers(!), and without understanding what infinite p-adic expansions are, we consider it unlikely that one will adequately understand what finite p-adic numbers are. Hensel codes are an important subset of the theory of p-adic numbers, and we deem it necessary to start from the right place.
4.1.1 Basic Definitions
Error-free computation is a goal that has been long pursued [176–178]. One way of addressing this problem is via infinite precision integer and rational number arithmetic [179], which can be very demanding concerning space and time resources. A promising alternative arises from the work of Kurt Hensel, who in 1908 introduced the p-adic number system [180], or p-adic arithmetic, through which one can perform rational arithmetic over the integers. In p-adic number theory, p denotes a fixed prime and each rational number in $\mathbb{Q}$ is represented by a quantity called a p-adic integer, which is a formal series $\sum_{i=0}^{\infty} a_i p^i$ with integral coefficients $a_i$ satisfying $0 \le a_i$
4.1.2 Finite-Segment p-adic Arithmetic
For all rational numbers $\alpha = a/b$ there is an $n \in \mathbb{Z}$ such that a Hensel code $h$ is given by
$h = a_0 + a_1 p + a_2 p^2 + \dots + a_{n-1} p^{n-1}$ (4.1)
where the $a_i$ are the digits of the base $p$ representation of $h$.
Example 4.1 Let a = 2, b = 3, p = 5, n = 5. We compute the Hensel code h as follows:
$h = 4 + 1 \cdot 5 + 3 \cdot 5^2 + 1 \cdot 5^3 + 3 \cdot 5^4 = 2084.$ (4.2)
In Example 4.1, $a_0 = 4$, $a_1 = 1$, $a_2 = 3$, $a_3 = 1$, and $a_4 = 3$. In fact, 2084 in base 5 is 31314 (the same $a_i$ in reverse order), so it is easy to see that the Hensel code $h$ is the base $p$ representation of a rational number $\alpha$. In general, a p-adic number is a base $p$ representation (usually via an infinite p-adic expansion) of a rational number. Thus, a Hensel code is a finite p-adic number.
An alternative way to compute $h$ is as follows: given $\alpha = a/b$, a fixed prime $p$ and some positive $n \in \mathbb{Z}$, we have
$h = a \cdot b^{-1} \bmod p^n, \quad h \in \{0, \dots, p^n - 1\}$ (4.3)
where $a$, $b$ and $p^n$ must be pairwise coprime.
Example 4.2 Let a = 2, b = 3, p = 5, n = 5. We compute the Hensel code h as follows:
$h = 2 \cdot 3^{-1} \bmod 5^5 = 2 \cdot 1042 \bmod 3125 = 2084.$ (4.4)
If $b$ is not coprime with $p^n$, the inverse of $b$ modulo $p^n$ fails to exist, thus we cannot compute $h$ as shown in Example 4.2. A limitation of the second approach to computing $h$ with $p^n$ is that all values of $b$ that are multiples of $p$ will fail to have an inverse. However, this is only an issue for $n > 1$. We will then consider the case where $n = 1$, so we just omit $n$. We rewrite (4.3) as follows:
$h = a \cdot b^{-1} \bmod p, \quad h \in \{0, \dots, p - 1\}$ (4.5)
Although (4.5), which we refer to as the Hensel encode, is a very simple expression, finding its inverse, that is, the original rational $a/b$ that generated $h$ under $p$, remained an open problem for many years [70, 71, 77, 187, 188], until Miola [187] introduced an algebraic solution for what we refer to as the Hensel decode. Miola observed that Gregory developed algorithms for the Hensel encoding and decoding; however, the decoding solution was based on look-up tables, which was inefficient as a general method [188]. Notwithstanding, Miola considered Gregory’s observation that a unique answer for the Hensel decoding problem would only be possible if the absolute value of both numerator and denominator of $a/b$ was bounded by some value $N$. A rational number that would be under that bound was called an order-$N$ Farey fraction. Only then would it be possible to uniquely retrieve $a/b$ from $h$ under $p$ using a slightly modified version of the extended Euclidean algorithm (EEA). We use Gregory’s method for encoding and Miola’s method for decoding; however, we introduce a new definition for the set of order-$N$ Farey fractions.
Lemma 4.1.2.1. [187] $p/q$ is a convergent of $a/b$ if
$\left| \frac{p}{q} - \frac{a}{b} \right| \le \frac{1}{2q^2}.$ (4.6)
Proof. In order to find the distance between a convergent $p_n/q_n$ of a continued fraction and the fraction itself $x$, we begin by establishing
$[a_0, a_1, \dots, a_n] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cdots + \cfrac{1}{a_n}}}$ (4.7)
and
$p_0 = a_0, \quad q_0 = 1, \quad p_n = a_n p_{n-1} + p_{n-2}$
$p_1 = a_1 a_0 + 1, \quad q_1 = a_1, \quad q_n = a_n q_{n-1} + q_{n-2}$ (4.8)
Thus,
$\frac{p_n}{q_n} = \begin{cases} a_0 & n = 0 \\ a_0 + \frac{1}{a_1} & n = 1 \\ \frac{a_n p_{n-1} + p_{n-2}}{a_n q_{n-1} + q_{n-2}} & n \ge 2 \end{cases}$ (4.9)
Every $a_n$ is a partial quotient of the continued fraction, which has a corresponding complete quotient $a'_n = a_n + \xi_n$ with $0 \le \xi_n < 1$. As a result, $x$ can be represented as $x = \frac{a'_{n+1} p_n + p_{n-1}}{a'_{n+1} q_n + q_{n-1}}$. Therefore, $x - \frac{p_n}{q_n}$ is
$x - \frac{p_n}{q_n} = \frac{a'_{n+1} p_n + p_{n-1}}{a'_{n+1} q_n + q_{n-1}} - \frac{p_n}{q_n} = \frac{a'_{n+1} p_n q_n + p_{n-1} q_n}{q_n (a'_{n+1} q_n + q_{n-1})} - \frac{a'_{n+1} p_n q_n + p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})} = \frac{p_{n-1} q_n - p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})}$ (4.10)
Observe that $p_{n-1} q_n - p_n q_{n-1} = (-1)^n$, which can be verified with $n = 2$. Therefore,
$x - \frac{p_n}{q_n} = \frac{p_{n-1} q_n - p_n q_{n-1}}{q_n (a'_{n+1} q_n + q_{n-1})} = \frac{(-1)^n}{q_n (a'_{n+1} q_n + q_{n-1})}$ (4.11)
Let $q'_1 = a'_1$ and $q'_n = a'_n q_{n-1} + q_{n-2}$. Then,
$x - \frac{p_n}{q_n} = \frac{(-1)^n}{q_n (a'_{n+1} q_n + q_{n-1})} = \frac{(-1)^n}{q_n q'_{n+1}}$ (4.12)
Notice that $q_n$ increases steadily as $n$ increases, so $q_n > q_{n-1}$. Similarly, $q'_{n+1} \ge q_{n+1}$ because $q'_n = a'_n q_{n-1} + q_{n-2}$ and $q_n = a_n q_{n-1} + q_{n-2}$, where the complete quotient $a'_n$ is always greater than the partial quotient $a_n$. Then, the following inequalities can be defined.
$q'_{n+1} \ge q_{n+1} > q_n \quad \text{and} \quad \frac{1}{q'_{n+1}} \le \frac{1}{q_{n+1}} < \frac{1}{q_n}.$ (4.13)
Finally,
$\left| x - \frac{p_n}{q_n} \right| = \left| \frac{(-1)^n}{q_n q'_{n+1}} \right| \le \frac{1}{q_n q_{n+1}} < \frac{1}{q_n^2}$ (4.14)
Before discussing our new definition of order-$N$ Farey fractions and Miola’s method for Hensel decoding, recall that a convergent of a rational number $c/d$ is another rational number, typically denoted by $p_n/q_n$, obtained via a limited number of terms in a continued fraction with a total of $n$ convergents, where $p_n/q_n$ is the $n$-th convergent of $c/d$. Miola’s method finds the original $a/b$ from a Hensel code $h$ under $p$ as a convergent of $h/p$. This procedure is captured by Theorem 4.1.2.1.
Theorem 4.1.2.1. Given a Hensel code $h$ and an odd prime $p$, a rational number $a/b$ is a convergent of $h/p$ if, by writing $h$ as a Diophantine equation such that $h = ab^{-1} \bmod p$ and $hb - a \equiv 0 \bmod p$, there is an integer solution for $k$ such that
$hb - a = kp$ (4.15)
and the following holds:
$\left| \frac{h}{p} - \frac{k}{b} \right| < \frac{1}{b^2}.$ (4.16)
Proof. We start by rewriting $h = ab^{-1} \bmod p$ as $hb - a \equiv 0 \bmod p$. Then, in order to prove that $k/b$ is indeed a convergent of $h/p$, we rearrange $h - \frac{a}{b}$ as $\left| \frac{a}{bp} \right| = \left| \frac{h}{p} - \frac{k}{b} \right|$. Notice that $hb - a$ is congruent to 0 and thus a multiple $k$ of $p$. Therefore we can write
$hb - a = kp \quad \text{and} \quad a = hb - kp$ (4.17)
So when we divide both sides by $bp$ we have
$\frac{a}{bp} = \frac{h}{p} - \frac{k}{b}.$ (4.18)
Then we just need to check that $k/b$ is in fact a convergent of $h/p$, since it holds that
$\left| \frac{h}{p} - \frac{k}{b} \right| < \frac{1}{b^2}$ (4.19)
which can be computed by the EEA (the algorithm that computes all the convergents of any given fraction). So we know that $a/b$ is computed by the EEA in the form of $x_i/y_i$ for the $i$-th term (the first convergent) that satisfies $|x_i| \le N$. We now introduce Definition 4.1.2.1, which depicts Miola’s algebraic method for the Hensel decoding.
Definition 4.1.2.1. (Hensel decoding) Given an odd prime $p$, $N = \left\lfloor \sqrt{p/2} \right\rfloor$, and a Hensel code $h$, set $x_0 = p$, $x_1 = h$, $y_0 = 0$, $y_1 = 1$, and $i = 1$. Then, while $x_i > N$, the following is computed:
$q = \left\lfloor \frac{x_{i-1}}{x_i} \right\rfloor$
$x_{i+1} = x_{i-1} - q \cdot x_i$
$y_{i+1} = y_{i-1} + q \cdot y_i$ (4.20)
$i = i + 1$
Then, the answer $a/b$ is given by
$\frac{c}{d} = (-1)^{i+1} \cdot \frac{x_i}{y_i}.$ (4.21)
We write this syntax as $a/b = H^{-1}(p, h)$. Notice that (4.20) is the actual computation of the convergents of $h/p$. If the algorithm never enters that loop, then no convergent is computed. If the algorithm enters the loop, it will stop computing the convergents when it finds the first convergent that does not satisfy the inequality $x_i > N$. Now we have everything we need to introduce the definition of the set of order-$N$ Farey fractions.
Definition 4.1.2.2. (Order-$N$ Farey Fractions) The set of order-$N$ Farey fractions $F_{N,p}$ is given by
$F_{N,p} = \left\{ \frac{a}{b} \in \mathbb{Q}_p \;:\; a, b, p \text{ are pairwise coprime},\; \frac{a}{b} \text{ is the first convergent of } \frac{h}{p} \text{ via EEA},\; 0 \le |a| \le N,\; 0 < |b| \le \frac{p}{N+1} \right\}.$ (4.22)
Now we can define the Hensel encoding using Definition 4.1.2.2.
Definition 4.1.2.3. (Hensel Encoding) Given an odd prime $p$ and a rational number $a/b \in F_{N,p}$, a Hensel code $h$ is computed as follows:
$h = ab^{-1} \bmod p.$ (4.23)
We write this syntax as $h = H(p, a/b)$.
Theorem 4.1.2.2. For all $a/b \in F_{N,p}$ and all odd primes $p$, the following holds:
$H^{-1}(p, H(p, a/b)) = a/b.$ (4.24)
Proof. The elements of the set of order-$N$ Farey fractions are irreducible fractions $a/b$ such that $0 \le |a| \le N$ and $0 < |b| \le \frac{p}{N+1}$. By Theorem 4.1.2.1, we know that the fraction $a/b$ that is encoded as $h$ under $p$ is a convergent of $h/p$. We also know that the EEA computes all the convergents of $h/p$ [187]. The algorithm for $H^{-1}(p, h)$ stops computing the convergents when it finds the first fraction that is under the $N$ bound, which is precisely the fraction that originated $h$.
We can also use multiple primes to represent a rational number, which is referred to as a g-adic expansion of rational numbers [80], where given unique odd primes $p_1, \dots, p_k$, $g$ is given by $g = \prod_{i=1}^{k} p_i$. There are two ways of encoding an order-$N$ Farey fraction $a/b$ using g-adic numbers. One is to replace $p$ by $g$ such that
$h = H(g, a/b),$ (4.25)
$a/b = H^{-1}(g, h).$ (4.26)
Since Hensel codes can be computed with p and g, we establish the distinction between the two as p-adic Hensel codes and g-adic Hensel codes.
Theorem 4.1.2.3. [80] There is a one-to-one mapping from order-$N$ Farey fractions into g-adic Hensel codes where $N = \left\lfloor \sqrt{g/2} \right\rfloor$ and the set of g-adic Hensel codes is $\mathbb{Z}_g$.
Proof. The proof is detailed and fully given in [76, 121]. We here provide a more compact way to prove it. The single most relevant property of any prime $p$ used to compute Hensel codes for order-$N$ Farey fractions $\alpha$ is that $p$ does not share any common divisor greater than 1 with any number less than $p$, and therefore a modular multiplicative inverse modulo $p$ of any number less than $p$ is guaranteed to exist. Given $k$ primes $p_1, \dots, p_k$, the $k$-digit Hensel code of $\alpha = a/b$ is computed as $(H(p_1, \alpha), \dots, H(p_k, \alpha))$. Since the Hensel code direct mapping requires $a$, $b$ and each $p_i$ to be pairwise coprime and each Hensel code digit $h_i$ is less than the corresponding $p_i$, it is guaranteed that $\gcd(a, g) = \gcd(b, g) = 1$ for $g = \prod_{i=1}^{k} p_i$. If we compute $(h_1, \dots, h_k) = H_g((p_1, \dots, p_k), \alpha)$, we verify that
$\left( \sum_{i=1}^{k} \frac{g}{p_i} \left( \left( \frac{g}{p_i} \right)^{-1} \bmod p_i \right) h_i \right) \bmod g = ab^{-1} \bmod g$ (4.27)
and thus $H_g((p_1, \dots, p_k), \alpha) \equiv H(g, \alpha)$.
The second way of encoding an order-$N$ Farey fraction $a/b$ using g-adic numbers is by computing a g-adic Hensel code tuple, where each element of the tuple is a p-adic Hensel code for each prime $p_i$ in $g$, such that
$(h_1, \dots, h_k) = H_g((p_1, \dots, p_k), a/b).$ (4.28)
The procedure of (4.28) is captured by Definition 4.1.2.4.
Definition 4.1.2.4. Given $k$ unique odd primes $p_1, \dots, p_k$, $N = \left\lfloor \sqrt{g/2} \right\rfloor$ for $g = \prod_{i=1}^{k} p_i$, and $a/b \in F_{N,p}$, a g-adic Hensel code is computed as follows:
$(h_1, \dots, h_k) = \left( H(p_1, a/b), \dots, H(p_k, a/b) \right).$ (4.29)
We write this syntax as $(h_1, \dots, h_k) = H_g((p_1, \dots, p_k), a/b)$.
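As an added example (not the dissertation's own code), the following Python implements the Hensel encoding of Definition 4.1.2.3, the EEA decoding loop of Definition 4.1.2.1, membership in the order-N Farey set of Definition 4.1.2.2, and the g-adic digit tuple of Definition 4.1.2.4 recombined through the CRT sum of (4.27). The primes 257 and 263 and the sample fractions are constructed values chosen for illustration, not taken from the text.

```python
# Added example, not the dissertation's code: Hensel encode (4.23), Miola's
# decode (4.20)-(4.21), the set F_{N,p} (4.22) and g-adic codes (4.27), (4.29).
# p = 257 and g = 257 * 263 are constructed, arbitrary small odd primes.
from fractions import Fraction
from math import gcd, isqrt, prod


def hensel_encode(p, a, b):
    """H(p, a/b) = a * b^-1 mod p, equation (4.23); b must be invertible mod p."""
    if gcd(b, p) != 1:
        raise ValueError(f"{b} has no inverse modulo {p}")
    return (a * pow(b, -1, p)) % p


def hensel_decode(p, h):
    """H^-1(p, h): EEA on (p, h) until the remainder x_i drops to N or below."""
    N = isqrt(p // 2)                              # floor(sqrt(p/2)) for integer p
    x_prev, x, y_prev, y, i = p, h, 0, 1, 1
    while x > N:                                   # loop of (4.20)
        q = x_prev // x
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev + q * y
        i += 1
    return Fraction((-1) ** (i + 1) * x, y)        # sign rule of (4.21)


def in_farey(a, b, p):
    """Membership in F_{N,p} per (4.22), including the 'first convergent' clause.

    That clause is not redundant: with p = 257 (N = 11) both 11/21 and -7/10
    meet the numeric bounds and encode to h = 25, but the EEA's first
    convergent for h = 25 is -7/10, so 11/21 is outside F_{N,p}."""
    N = isqrt(p // 2)
    return (b > 0 and gcd(a, b) == 1 and gcd(b, p) == 1 and abs(a) <= N
            and b * (N + 1) <= p
            and hensel_decode(p, hensel_encode(p, a, b)) == Fraction(a, b))


def g_adic_encode(primes, a, b):
    """(h_1, ..., h_k) = (H(p_1, a/b), ..., H(p_k, a/b)), equation (4.29)."""
    return tuple(hensel_encode(p, a, b) for p in primes)


def crt_combine(primes, digits):
    """Left side of (4.27): sum of (g/p_i) * ((g/p_i)^-1 mod p_i) * h_i, mod g."""
    g = prod(primes)
    return sum((g // p) * pow(g // p, -1, p) * h
               for p, h in zip(primes, digits)) % g


def g_adic_decode(primes, digits):
    """a/b = H^-1(g, h) with h rebuilt from the digits, equations (4.27), (4.26)."""
    return hensel_decode(prod(primes), crt_combine(primes, digits))
```

With p = 5, hensel_encode(5, 2, 3) returns 4, which is the digit a_0 of Example 4.1, since the n = 1 code is the n = 5 code of (4.2) reduced modulo p.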