Homomorphic Encryption Based on the Ring Learning with Errors (RLWE) Problem: A Thesis Submitted to the Graduate School of Applie


HOMOMORPHIC ENCRYPTION BASED ON THE RING LEARNING WITH ERRORS (RLWE) PROBLEM

A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY İREM KESKİNKURT

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY

SEPTEMBER 2017

Approval of the thesis: HOMOMORPHIC ENCRYPTION BASED ON THE RING LEARNING WITH ERRORS (RLWE) PROBLEM, submitted by İREM KESKİNKURT in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by,

Prof. Dr. Bülent Karasözen, Director, Graduate School of Applied Mathematics
Prof. Dr. Ferruh Özbudak, Head of Department, Cryptography
Assoc. Prof. Dr. Murat Cenk, Supervisor, Cryptography, METU

Examining Committee Members:
Prof. Dr. Ferruh Özbudak, Mathematics, METU
Assoc. Prof. Dr. Murat Cenk, Cryptography, METU
Assist. Prof. Dr. Oğuz Yayla, Mathematics, Hacettepe University

Date:

I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work.

Name, Last Name: İREM KESKİNKURT
Signature :

ABSTRACT

HOMOMORPHIC ENCRYPTION BASED ON THE RING LEARNING WITH ERRORS (RLWE) PROBLEM

Keskinkurt, İrem
M.S., Department of Cryptography
Supervisor : Assoc. Prof. Dr. Murat Cenk
September 2017, 41 pages

The encryption techniques used to ensure data secrecy have been evolving in compliance with the developments in technology and reforming according to need. Nowadays, the increase in the amount of data that should be stored in encrypted form has led to the need for encryption schemes that provide both the safety and the efficient usability of data. Homomorphic encryption, which enables computations on encrypted data, is seen as one of the solutions that can meet this need. In this thesis, the definitions and the properties of homomorphic encryption, some possible practical applications of homomorphic encryption, the Ring Learning with Errors problem and a somewhat homomorphic encryption scheme based on this problem have been examined. The computational complexity and efficiency of the algorithm have been studied by adapting some techniques in the literature to the algorithm.

Keywords : homomorphic encryption, partially homomorphic, fully homomorphic, somewhat homomorphic, relinearization

ÖZ

HOMOMORPHIC ENCRYPTION BASED ON THE RING LEARNING WITH ERRORS (RLWE) PROBLEM

Keskinkurt, İrem
M.S., Department of Cryptography
Supervisor : Assoc. Prof. Dr. Murat Cenk
September 2017, 41 pages

Encryption techniques used to ensure the privacy of data change in line with developments in technology and are shaped according to needs. Today, the increase in the amount of data that must be stored in encrypted form has created a need for encryption techniques that provide both the security and the efficient usability of data. Homomorphic encryption, which makes it possible to perform computations on encrypted data, is seen as one of the solutions that can meet this need. In this thesis, the definitions and basic properties of homomorphic encryption, the possible application areas and forms of homomorphic encryption, the Ring Learning with Errors problem, and a somewhat homomorphic encryption algorithm whose security is based on this problem are examined. The computational complexity and efficiency of the algorithm have been studied by adapting some techniques from the literature to the algorithm.
Keywords : homomorphic encryption, partially homomorphic encryption, somewhat homomorphic encryption, fully homomorphic encryption, relinearization

Dedicated to my family

ACKNOWLEDGMENTS

I would like to thank my thesis supervisor Assoc. Prof. Dr. Murat Cenk for his support and guidance.

I want to thank my parents Sabiha Keskinkurt and İlker Keskinkurt for always believing in me. Thanks are also due to my friends for their friendship and support.

I would like to express my gratitude to my fiancee Sinan Paksoy. I am grateful to him for his patience, support and love.

This work is partially supported by The Scientific and Technological Research Council of Turkey (TÜBİTAK) under the grant no 115R289.

TABLE OF CONTENTS

ABSTRACT
ÖZ
ACKNOWLEDGMENTS
TABLE OF CONTENTS
LIST OF ABBREVIATIONS

CHAPTERS

1 INTRODUCTION
  1.1 Historical Process and Literature Review
  1.2 Outline
2 BACKGROUND
  2.1 Definitions and Properties
  2.2 Discrete Fourier Transform
  2.3 Fast Fourier Transform (FFT)
  2.4 Toeplitz Matrix Vector Product
3 HOMOMORPHIC ENCRYPTION AND ITS PRACTICAL APPLICATIONS
  3.1 Homomorphic Encryption
  3.2 Practical Applications
4 A SOMEWHAT HOMOMORPHIC ENCRYPTION SCHEME (SwHE) BASED ON THE RING LEARNING WITH ERRORS (RLWE) PROBLEM
  4.1 The Ring Learning with Errors (RLWE) Problem
  4.2 A Somewhat Homomorphic Encryption Scheme
    4.2.1 Symmetric Key Variant of the Scheme
      4.2.1.1 Key Generation
      4.2.1.2 Encryption
      4.2.1.3 Decryption
    4.2.2 Public Key Variant of the Scheme
      4.2.2.1 Key Generation
      4.2.2.2 Encryption
      4.2.2.3 Decryption
    4.2.3 Homomorphic Operations
      4.2.3.1 Homomorphic Addition (?)
      4.2.3.2 Homomorphic Multiplication ()
    4.2.4 Re-linearization
    4.2.5 How to Encode Messages and How to Choose Message Space
5 OUR WORK
  5.1 Polynomial Multiplication Modulo $x^n + 1$
    5.1.1 Multiplication using FFT
    5.1.2 Multiplication using TMVP
    5.1.3 Comparison
6 CONCLUSION
REFERENCES

LIST OF ABBREVIATIONS

DFT    Discrete Fourier Transform
FFT    Fast Fourier Transform
FHE    Fully Homomorphic Encryption
N      Natural Numbers
PHE    Partially Homomorphic Encryption
Q      Rational Numbers
RLWE   Ring Learning with Errors
SwHE   Somewhat Homomorphic Encryption
TMVP   Toeplitz Matrix Vector Product
Z      Integers

CHAPTER 1

INTRODUCTION

Since long before the common era, cryptography has been the main tool for information security. Back then, people were using simple ciphers and techniques, such as shift cipher, substitution cipher and steganography [20], to conceal private information or communicate in secrecy. In time, the concept of cryptography has evolved. Today, we can define cryptography as an interdisciplinary science that deals with designing and developing secure cryptographic algorithms.

Modern cryptographic studies are being pursued in two main parts: symmetric key cryptography and asymmetric (public) key cryptography [28]. Symmetric key schemes use only one cryptographic key for both encryption and decryption, and they are very efficient compared to asymmetric key schemes. Public key schemes are based on hard mathematical problems, such as integer factorization and discrete logarithm, and they require two different keys, one for encryption and one for decryption. In public key schemes, the key which must be kept secret is the decryption key, which we refer to as the private key. In today's world people safely store or transmit their confidential data by means of symmetric and public key cryptosystems.

Technological developments bring about a need for new cryptographic algorithms to provide more efficiency and security.
As an example of this, the use of cloud storage gives rise to a need for cryptosystems that provide the ability to perform computations on encrypted data without having to decrypt it.

The search for encryption schemes that can compute arbitrary functions on encrypted data, namely fully homomorphic schemes, started almost 40 years ago. Since then, lots of schemes have been presented but none of them can be used practically due to efficiency problems. The biggest problem is that computing arbitrary functions requires so many arithmetic operations on the ciphertext space. A ciphertext space is usually a set with a large number of elements with which we cannot make calculations easily. For example, the scheme we examine in this thesis has a ciphertext space which consists of high degree polynomials with large coefficients. Operations on this set take lots of time and make it impractical.

On the other hand, it is easier to use homomorphic encryption to evaluate functions that can be computed with fewer arithmetic operations. The schemes that can support a limited number of arithmetic operations are called somewhat homomorphic. With these schemes simple functions, such as functions that include the sum of numbers and the multiplication of a few numbers, can be computed efficiently while the numbers are encrypted. But for more complicated functions, such as exponentiation and division, we need many homomorphic multiplications and this makes the homomorphic operations very slow. Therefore, any development on arithmetic operations would be a big contribution to this subject.

1.1 Historical Process and Literature Review

In 1978 the widely used cryptosystem RSA was presented as the first practical public key encryption scheme [32]. A classical RSA setup starts with generating two large primes $p$ and $q$. The numbers $n = pq$ and $N = (p - 1)(q - 1)$ are calculated. A number $d$ satisfying $\gcd(d, N) = 1$ is chosen as the private key (decryption key). The public key (encryption key) $e$ is the number satisfying $ed \equiv 1 \bmod N$. The pair $(n, e)$ is published. RSA encrypts a message $m$ by computing $c = m^e \bmod n$ and decrypts the ciphertext $c$ by computing $m = c^d \bmod n$. The mathematical foundations of the algorithm can be found in [32].

Suppose two messages $m_1$ and $m_2$ are encrypted by RSA with the parameters above and ciphertexts $c_1$ and $c_2$ are obtained. Then $c_1 = m_1^e \bmod n$ and $c_2 = m_2^e \bmod n$. The product of these ciphertexts, $c_1 c_2 = m_1^e m_2^e \bmod n = (m_1 m_2)^e \bmod n$, yields the product of the messages $m_1 m_2$ when decrypted. Because of this property RSA is said to be a multiplicatively homomorphic encryption scheme.
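
The multiplicative property described above can be checked directly. The following is an added example, not code from the thesis: it implements textbook RSA in the thesis's notation and also shows the case where the product of the messages exceeds $n$. The primes, the exponent d, the messages and all function names are constructed for illustration.

```python
# Added example: textbook RSA with the thesis's notation (n = pq, N = (p-1)(q-1)).
# The primes, exponent and messages are small constructed values, far too small
# for real use; the function names are illustrative.
from math import gcd

def keygen(p, q, d):
    """Return (n, e, d): d is the chosen private exponent, e its inverse mod N."""
    n, N = p * q, (p - 1) * (q - 1)
    if gcd(d, N) != 1:
        raise ValueError("d must satisfy gcd(d, N) = 1")
    e = pow(d, -1, N)              # e*d = 1 (mod N), Python 3.8+
    return n, e, d

def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, n)")
    return pow(m, e, n)            # c = m^e mod n

def decrypt(c, d, n):
    return pow(c, d, n)            # m = c^d mod n

def mul_ciphertexts(c1, c2, n):
    """Homomorphic multiplication: uses ciphertexts and n only, never a key."""
    return (c1 * c2) % n

def demo():
    n, e, d = keygen(p=1009, q=1013, d=65537)
    m1, m2 = 123, 456
    c = mul_ciphertexts(encrypt(m1, e, n), encrypt(m2, e, n), n)
    exact = decrypt(c, d, n)       # m1*m2 < n, so the integer product is recovered

    # Edge case: when m1*m2 >= n, decryption returns only the product mod n.
    big1, big2 = 5000, 7000
    c_big = mul_ciphertexts(encrypt(big1, e, n), encrypt(big2, e, n), n)
    wrapped = decrypt(c_big, d, n)
    return exact, wrapped, n

if __name__ == "__main__":
    exact, wrapped, n = demo()
    print("n =", n)
    print("Dec(c1*c2) for 123, 456:", exact)
    print("Dec(c1*c2) for 5000, 7000:", wrapped, "(product reduced mod n)")
```

The same property means that anyone holding two ciphertexts can produce a valid ciphertext of the product without any key, which is why deployed RSA encryption applies randomized padding such as OAEP and is then no longer homomorphic.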
