METHODS AND SYSTEMS FOR PUBLIC AND PRIVATE-KEY LEVELED FULLY HOMOMORPHIC ENCRYPTION WITHOUT BOOTSTRAPPING WITH HENSEL CODES

Information

  • Patent Application
  • 20220385448
  • Publication Number
    20220385448
  • Date Filed
    February 18, 2022
    2 years ago
  • Date Published
    December 01, 2022
    2 years ago
Abstract
Disclosed are methods and systems to provide public and private-key leveled Fully Homomorphic Encryption (FHE) systems using Hensel Codes and p-adic and g-adic properties for encryption and decryption that also provide for homomorphic arithmetic operations on encrypted ciphertexts. A source device may encrypt the ciphertext of a message using Hensel Codes, then deliver the ciphertext to either a destination device or an intermediary device. When the intermediary device receives the ciphertext from the source device, the intermediary device may homomorphically perform Hensel Code arithmetic computations with the ciphertext and at least one additional ciphertext and send the result ciphertext to the destination device. The destination device decrypts the ciphertext, giving the original message when no computations have been performed by the intermediary device, or the unencrypted result equivalent to the unencrypted computations performed on the ciphertexts by the intermediary device.
Description
BACKGROUND OF THE INVENTION

The advancement of science is possible when knowledge is shared and information is exchanged in a seamless manner. In a world where many businesses rely on information as their main assets, analysis over data is a crucial competitive advantage. Consequently, the amount of data processed and stored will continue to increase, creating a demand for virtualized services. To this end, some applications can be provided as cloud computing resources including Internet of Things (IoT), machine learning, virtual reality (VR) and blockchain. As a result, concerns about custody and privacy of data are on the rise.


Modern concealment/encryption employs mathematical techniques that manipulate positive integers or binary bits. Asymmetric concealment/encryption, such as RSA (Rivest-Shamir-Adleman), relies on number theoretic one-way functions that are predictably difficult to factor and can be made more difficult with an ever-increasing size of the encryption keys. Symmetric encryption, such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard), uses bit manipulations within registers to shuffle the concealed text/cryptotext to increase “diffusion” as well as register-based operations with a shared key to increase “confusion.” Diffusion and confusion are measures for the increase in statistical entropy on the data payload being transmitted. The concepts of diffusion and confusion in encryption are normally attributed as first being identified by Claude Shannon in the 1940s. Diffusion is generally thought of as complicating the mathematical process of generating unencrypted (plain text) data from the encrypted (cryptotext) data, thus, making it difficult to discover the encryption key of the concealment/encryption process by spreading the influence of each piece of the unencrypted (plain) data across several pieces of the concealed/encrypted (cryptotext) data. Consequently, an encryption system that has a high degree of diffusion will typically change several characters of the concealed/encrypted (cryptotext) data for the change of a single character in the unencrypted (plain) data making it difficult for an attacker to identify changes in the unencrypted (plain) data. Confusion is generally thought of as obscuring the relationship between the unencrypted (plain) data and the concealed/encrypted (cryptotext) data. Accordingly, a concealment/encryption system that has a high degree of confusion would entail a process that drastically changes the unencrypted (plain) data into the concealed/encrypted (cryptotext) data in a way that, even when an attacker knows the operation of the concealment/encryption method (such as the public standards of RSA, DES, and/or AES), it is still difficult to deduce the encryption key.


Homomorphic Encryption is a form of encryption that allows computations to be carried out on concealed cipher text as it is concealed/encrypted without decrypting the cipher text that generates a concealed/encrypted result which, when decrypted, matches the result of operations performed on the unencrypted plaintext.


The word homomorphism comes from the ancient Greek language: óμó (homos) meaning “same” and μoρφ{acute over (η)}(morphe) meaning “form” or “shape.” Homomorphism may have different definitions depending on the field of use. In mathematics, for example, homomorphism may be considered a transformation of a first set into a second set where the relationship between the elements of the first set are preserved in the relationship of the elements of the second set.


For instance, a map f between sets A and B is a homomorphism of A into B if






f(a1op a2)=f(a1)op f(a2)|a1,a2∈A


where “op” is the respective group operation defining the relationship between A and B.


More specifically, for abstract algebra, the term homomorphism may be a structure-preserving map between two algebraic structures such as groups, rings, or vector spaces. Isomorphisms, automorphisms, and endomorphisms are typically considered special types of homomorphisms. Among other more specific definitions of homomorphism, algebra homomorphism may be considered a homomorphism that preserves the algebra structure between two sets.


SUMMARY OF THE INVENTION

An embodiment of the present invention may comprise a method for private-key Fully Homomorphic Encryption (FHE) communication of a message m between a source computing device and a destination computing device, the method comprising: generating by the source computing device prime numbers p1 . . . p5 as a function of provided parameters λ and d; setting by the source computing device a secret key sk to be comprised of the prime numbers p1 . . . p5 wherein the secret key is known to both of the source computing device and the destination computing device but not to other computing devices; setting by the source computing device a public evaluation key evk to be equal to a product (Πi=15 pi) of the prime numbers p1 . . . p5 wherein the evk also equals a g of Hensel Code g-adic computations (Hg); generating by the source computing device values s1, s2, s3, and δ as a function of the prime numbers p2 . . . p4, the parameter λ, and the value g; encrypting by the source computing device the message m as ciphertext c in accord with Hensel Code encryption computation c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)|g; sending by the source computing device the ciphertext c to the destination computing device; decrypting by the destination computing device the ciphertext c back into the message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp4−1(c))).


An embodiment of the present invention may further comprise the method of the preceding paragraph: wherein the process of sending by the source computing device the ciphertext c to the destination computing device instead sends the ciphertext c to an intermediary computing device; wherein the intermediary computing device does not have knowledge of the secret key sk, but does have knowledge of the public evaluation key evk that equals the g of the Hensel Code g-adic computations (Hg); wherein the method of claim 1 further comprises: homomorphically computing by the intermediary computing device at least one arithmetic function with the ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; and sending by the intermediary computing device the result ciphertext cresult in place of the ciphertext c to the destination computing device; and wherein the process of decrypting by the destination computing device the ciphertext c back into the message m instead decrypts the ciphertext cresult to obtain a result r equal to an unencrypted computation of the arithmetic functions homomorphically performed as the Hensel code arithmetic functions with the ciphertext c and the at least one additional ciphertext cadditional.


An embodiment of the present invention may further comprise a method for public-key Fully Homomorphic Encryption (FHE) communication of a message m between a source computing device and a destination computing device, the method comprising: generating by the source computing device prime numbers p1, p2, p3, and p′4 as a function of provided parameters λ and d; computing by the source computing device a value p4 as a function of the prime number p′4 and the parameters λ and d; setting by the source computing device a value g of Hensel Code g-adic computations (Hg) to a product of the values p1, p2, p3, p4 and a value g′ of Hensel Code g′-adic computations (Hg′) to a product of the values p3, p4; generating by the source computing device values t and δe as a function of the parameters λ and d; computing by the source computing device a value e in accord with Hensel Code value e computation e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t))+δep3); setting by the source computing device a secret key sk to be comprised of the prime numbers p1 and p3 wherein the secret key sk is known to both of the source computing device and the destination computing device but not to other computing devices; setting by the source computing device a public key pk to be comprised of the values e, g′, g=evk; generating by the source computing device values s1, s2 as a function of the parameter λ, and a value δ as a function of the values p1, p2, p4; encrypting by the source computing device the message m as ciphertext c in accord with Hensel Code encryption computation c=Hg(Hg′(s1e+m)+s2g′+S(g′)2); sending by the source computing device the ciphertext c to the destination computing device; decrypting by the destination computing device the ciphertext c back into the message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp3−1(c))).


An embodiment of the present invention may further comprise the method the preceding paragraph: wherein the process of sending by the source computing device the ciphertext c to the destination computing device instead sends the ciphertext c to an intermediary computing device; wherein the intermediary computing device does not have knowledge of the secret key sk, but does have knowledge of the public key pk that includes the g of the Hensel Code g-adic computations (Hg); wherein the method of claim 4 further comprises: homomorphically computing by the intermediary computing device at least one arithmetic function with the ciphertext c at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; and sending by the intermediary computing device the result ciphertext cresult in place of the ciphertext c to the destination computing device; and wherein the process of decrypting by the destination computing device the ciphertext c back into the message m instead decrypts the ciphertext cresult to obtain a result r equal to an unencrypted computation of the arithmetic functions homomorphically performed as the Hensel code arithmetic functions with the ciphertext c and the at least one additional ciphertext cadditional.


An embodiment of the present invention may further comprise a private-key leveled Fully Homomorphic Encryption (FHE) system that communicates a message m between a source computing device and a destination computing device, the private-key leveled FHE system comprising: the source computing device, wherein the source device further comprises: a Gen subsystem that generates device prime numbers p1 . . . p5 as a function of provided parameters and d, sets a secret key sk to be comprised of the prime numbers p1 . . . p5 wherein the secret key is known to both of the source computing device and the destination computing device but not to other computing devices, sets a public evaluation key evk to be equal to a product (Πi=15 pi) of the prime numbers p1 . . . p5 wherein the evk also equals a g of Hensel Code g-adic computations (Hg); an Enc subsystem that generates device values s1, s2, s3, and δ as a function of the prime numbers p2 . . . p4, the parameter λ, and the value g, encrypts the message m as ciphertext c in accord with Hensel Code encryption computation c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)|g; a ciphertext send subsystem that sends the ciphertext c to the destination computing device; and the destination computing device, wherein the destination computing device further comprises: a Dec subsystem that decrypts the ciphertext c back into the message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp4−1(c))).


An embodiment of the present invention may further comprise the private-key leveled FHE system of preceding paragraph: wherein the ciphertext send subsystem sends the ciphertext c to an intermediary computing device; wherein the intermediary computing device does not have knowledge of the secret key sk, but does have knowledge of the public evaluation key evk that equals the g of the Hensel Code g-adic computations (Hg); wherein the private-key leveled FHE system of claim 9 further comprises: an Eval subsystem that homomorphically computes at least one arithmetic function with the ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; and a result ciphertext send subsystem that sends the result ciphertext cresult in place of the ciphertext c to the destination computing device; and wherein the Dec subsystem decrypts the ciphertext cresult to obtain a result r equal to an unencrypted computation of the arithmetic functions homomorphically performed as the Hensel code arithmetic functions with the ciphertext c and the at least one additional ciphertext cadditional.


An embodiment of the present invention may further comprise a public-key leveled Fully Homomorphic Encryption (FHE) system that communicates a message m between a source computing device and a destination computing device, the private-key leveled FHE system comprising: the source computing device, wherein the source device further comprises: a Gen subsystem that generates prime numbers p1, p2, p3, and p′4 as a function of provided parameters 2 and d, computes a value p4 as a function of the prime number p′4 and the parameters λ and d, sets a value g of Hensel Code g-adic computations (Hg) to a product of the values p1, p2, p3, p4 and a value g′ of Hensel Code g′-adic computations (Hg′) to a product of the values p3, p4, generates values t and δe as a function of the parameters λ and d, computes a value e in accord with Hensel Code value e computation e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t))+δep3), sets a secret key sk to be comprised of the prime numbers p1 and p3 wherein the secret key sk is known to both of the source computing device and the destination computing device but not to other computing devices, and sets a public key pk to be comprised of the values e, g′, g=evk; an Enc subsystem that generates values s1, s2 as a function of the parameter λ, and a value δ as a function of the values p1, p2, p4, and encrypts the message m as ciphertext c in accord with Hensel Code encryption computation c=Hg(Hg′(s1e+m)+s2g′+δ(g′)2); a ciphertext send subsystem that sends the ciphertext c to the destination computing device; and the destination computing device, wherein the destination computing device further comprises: a Dec subsystem that decrypts the ciphertext c back into the message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp3−1(c))).


An embodiment of the present invention may further comprise the public-key leveled FHE system of the preceding paragraph: wherein the ciphertext send subsystem sends the ciphertext c to an intermediary computing device; wherein the intermediary computing device does not have knowledge of the secret key sk, but does have knowledge of the public key pk that includes the g of the Hensel Code g-adic computations (Hg) wherein the private-key leveled FHE system of claim 9 further comprises: an Eval subsystem that homomorphically computes at least one arithmetic function with the ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; and a result ciphertext send subsystem that sends the result ciphertext cresult in place of the ciphertext c to the destination computing device; and wherein the Dec subsystem decrypts the ciphertext cresult to obtain a result r equal to an unencrypted computation of the arithmetic functions homomorphically performed as the Hensel code arithmetic functions with the ciphertext c and the at least one additional ciphertext cadditional.





BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings,



FIG. 1 is a block diagram of the hardware implementation for a private or public-key leveled Fully Homomorphic Encryption (FHE) embodiment.



FIG. 2 is a flow chart of operations for a private-key leveled FHE embodiment.



FIG. 3 is a flow chart of operations for a public-key leveled FHE embodiment.





DETAILED DESCRIPTION OF THE EMBODIMENTS

We propose the use of Hensel codes (a mathematical tool lifted from the theory of p-adic numbers) as an alternative way to construct Fully Homomorphic Encryption (FHE) schemes that rely on the hardness of some instance of the Approximate Greatest Common Divisor (AGCD) problem. We provide a self-contained introduction to Hensel codes which covers all the properties of interest for this work. Two constructions are presented: a private-key leveled FHE scheme and a public-key leveled FHE scheme. The public-key scheme is obtained via minor modifications to the private-key scheme in which we explore asymmetric properties of Hensel codes. The efficiency and security (under an AGCD variant) of the public-key scheme are discussed in detail. Our constructions take messages from large specialized subsets of the rational numbers that admit fractional numerical inputs and associated computations for virtually any real-world application. Further, our results can be seen as a natural unification of error-free computation (computation free of rounding errors over rational numbers) and homomorphic encryption. Experimental results indicate the scheme is practical for a large variety of applications.


1. Introduction

Homomorphic Encryption (HE) is a type of encryption that enables meaningful and general computation over encrypted data. This notion, originally referred to as privacy homomorphisms, was introduced in 1978. Although every single instance of practical homomorphic computation can be interesting in itself, it is clear that the ultimate goal of HE was to enable computation of any circuit. Several constructions provided partial solutions but it was not until 2009 that Craig Gentry proposed the first fully homomorphic encryption (FHE) scheme. Gentry's strategy consisted in first realizing a Somewhat Homomorphic Encryption (SHE) scheme that enables the (homomorphic) evaluation of low-degree multivariate polynomials. Ciphertexts are embodied with noise, which grows slightly over addition and tremendously over multiplication, which compromises the limits of low-degree polynomials. To solve this problem, Gentry introduced a bootstrapping mechanism with which one can transform a SHE scheme that is able to homomorphically evaluate its own decryption function into a leveled FHE scheme, that is, an encryption scheme that is able to evaluate any circuit up to a predefined depth. The bootstrapping technique produces a “fresh” ciphertext: a ciphertext with an amount of noise equivalent to what it was prior to any homomorphic operation.


Only a few SHE schemes are able to evaluate their own decryption function but also FHE schemes that follow Gentry's blueprint suffer from poor performance. To put things into perspective, the complexity of performing bootstrapping is at least the complexity of decryption multiplied by the bit-length of the individual ciphertexts that are used to encrypt the bits of the secret key. In the context of Gentry's blueprint this is necessary since the SWHE evaluates the decryption function using an encrypted secret key and each bit of the secret key is then replaced by a very large ciphertext that encrypts that bit. To address this problem, Brakerski, Gentry, and Vaikuntanathan introduced two schemes (known as BGV) which are conceived via an entirely new approach, with much better performance than Gentry's original blueprint. This new approach consists in skipping the SWHE step and directly constructing leveled FHE schemes with the possibility of using bootstrapping as an optimization. The BGV scheme, as the vast majority of FHE schemes, is latticed-based and its security is based on some version of the learning with errors (LWE) assumption.


Dijk, Gentry, Halevi, and Vaikuntanathan, when introducing the scheme known as DGHV propose an interesting question: “What is the simplest encryption scheme for which one can hope to achieve security?”. Naturally, the simple will not always be secure so the reconciliation of simplicity and security is undoubtedly a much desired and sometimes hard-to-achieve property. Compared to any lattice-based FHE scheme, DGHV is significantly simpler: very small description with basic modular arithmetic. Similar to Gentry-like constructions, it encrypts individual bits. Unlike lattice-based schemes (which work with vectors and matrices), it operates over the integers. DGHV's security is based on both the single-source-shortest-paths (SSSP) and the approximate greatest common divisor (AGCD) assumption introduced by Howgrave-Graham. Several other contributions were able to improve DGHV's efficiency.


Could a simpler FHE scheme be as secure as the lattice-based ones? A remarkable result by Cheon and Stehle introduces a reduction from LWE to AGCD which is demonstrated by constructing a FHE scheme with security based on the AGCD assumption by deriving the AGCD parameters from the LWE parameters. Among the similarities between DGHV and the scheme proposed by Cheon and Stehle, we remark two facts: 1) they both encrypt bits and 2) they derive a public-key encryption scheme by first describing a private-key encryption scheme and then converted into its public-key counterpart by applying the method introduced by Rothblum, which is based on the fact that any additively homomorphic private-key encryption scheme that is compact can be converted into a public-key encryption scheme. (Informally, a FHE scheme is compact if the size of ciphertexts output by homomorphic evaluations is independent of the number of ciphertexts and/or operations from which it was created.) The combination of these two facts has, at least, the following implication: if γ is the bit length of ciphertexts generated by a FHE scheme with the aforementioned characteristics, for each n-bit message, their corresponding ciphertexts have length nγ. Since, in that kind of encryption scheme, the public key is a r-tuple of ciphertexts encrypting n-bit messages, the length of the public-key is τnγ bits.


1.1 Homomorphic Rational Arithmetic


The need for performing homomorphic operations with rational numbers has been recently investigated. This issue is usually addressed by adding an encoding scheme to the homomorphic encryption scheme so rational numbers can be encoded to, typically, polynomials over some ring. A clever solution was proposed where a technique proposed by Hoffstein and Silverman is combined with the Fan-Vercauteren homomorphic encryption scheme, so a new encryption scheme is derived where rational numbers can be encoded and then used as input. Another interesting solution was proposed where rational numbers are thought as continued fractions and then represented as a sequence of integers. It is not surprising, due to its simplicity, that some form of modular arithmetic is used to encode rational numbers for carrying computation over the integers. Our contribution, at the very least, is distinct in the fact that the encoding of rational numbers into integers is the encryption function itself. Thus, we do not follow the blueprint of using a scheme for encoding rational numbers and another scheme for encrypting and evaluating homomorphic operations. Instead, Hensel codes are employed for both encoding and encryption. Another advantage of our constructions is that we show how to probabilistically encode rational numbers in a structure-preserving way so other homomorphic encryption schemes can use our encoding for performing rational arithmetic.


1.2 Our Contribution


Would it be possible to describe a leveled FHE scheme that conveniently evaluates ciphertexts over the integers and at the same time has a better ciphertext expansion? Would it be possible to work with a public key with length smaller than the length of corresponding ciphertexts? Furthermore, what if we wanted to further expand the message space from bits to not only large integers but also large (positive and negative) rational numbers? Properly expanding the message space of a FHE scheme to a more comprehensive set that includes rational numbers immediately enables the application of homomorphic encryption in scenarios that involve fractional data such as those associated with statistics, finance, machine learning, digital signal processing, among others, without any further need of data formatting. Besides the obvious benefits of such features, not having to format data at the bit level (for accommodating custom message spaces) represents, at the very minimum, less overhead. We believe that a leveled FHE scheme with these desired characteristics requires an approach that is distinct from those employed up to today.


We propose a new approach to construct a leveled FHE scheme that takes messages over a specialized set of rational numbers that can be sufficiently large to contain all rational numbers of interest for any real-world practical application. Our technique allows us to describe a private-key encryption scheme and turn it into a public-key encryption scheme where its public-key has length smaller than the ciphertext it generates. Moreover, both private-key and public-key leveled FHE schemes produce ciphertexts with the same length. We show that the security of our schemes can be clearly mapped to the AGCD assumption while we also introduce the notion of a new hardness assumption, which makes the security analysis clearer and more objective. We showcase a mathematical tool mostly used outside the context of cryptography, which enables our contributions, and we propose its use and further investigation in cryptography.


1.3 Hensel Codes


Between the end of the 19th and the beginning of the 20th centuries, Kurt Hensel introduced the p-adic numbers theory. One of Hensel's main motivations was to relate the ring integers custom-character to the field of rationals custom-character. For our purposes, it suffices to provide a brief discussion of the fundamental idea. If p is prime, any positive integer x can be represented uniquely as an expansion of the form x=a0+a1p+a2p2+ . . . +anpn, where ai is an integer with 0≤ai<p. In fact, one can similarly expand any rational number x/y by allowing negative powers of p. Such expansions are called p-adic numbers. In the p-adic number system, the elements of custom-character are represented as infinite expansions α=Σ−∞aipi. Applications of p-adic numbers are varied, and include dynamical systems, theoretical physics, algebraic geometry, non-Archemdian analysis, differential calculus, topology, and analytic functions.


Between the 1970s and 1980s, Krishnamurthy, Rao, Subramanian, Alparslan, Hehner and Horspool proposed the use of truncation of p-adic expansions to replace arithmetic operation on rational numbers by the corresponding operations on integers that represent those rational numbers. They named these special integers as Hensel codes and they established the foundation of the theory of Hensel codes (also known as the finite-segment p-adic arithmetic) as a solution to the problem of error-free computation, that is, the computation over approximations of real numbers in such a way that rounding errors do not occur. This property is particularly necessary when working with ill-conditioned problems and numerically unstable algorithms.


Converting rational numbers into Hensel codes is rather trivial, however, the inverse mapping of Hensel codes was for many years an open problem until Gregory identified the required boundaries in absolute value to the numerators and denominators of rational numbers so a Hensel code could be uniquely inverted. Having these boundaries well-defined allowed Miola to propose an efficient algebraic solution for inverting Hensel codes by applying a modified version of the Extended Euclidean Algorithm. Over the years, the theory of Hensel codes expanded to address a variety of areas benefited by error-free computation such as computation of Grobner basis, overflow detection, matrix inversion, fast integer division, parallel computation, solving linear systems of equations, polynomial matrix computations, to cite a few.


Hensel codes can be represented and computed in many forms, from the “dotted” representation to matrices of rational polynomials. In this work we focus on the integer representation of Hensel codes using just the first coefficient of a conventional truncated p-adic expansion. We show that Hensel codes can be p-adic and g-adic (defined via single or multiple primes, respectively) and we expand the original special set of rational numbers to represent as Hensel codes in order to achieve a bijection between those special rational numbers and a finite set of integers reduced modulo a prime or a prime composite.


1.4 General Intuition


We were initially interested in Hensel codes solely for purpose of establishing a bijection between a subset of the rationals and a finite set of integers so we could construct a level FHE scheme with a more comprehensive message space. In the past, the use of Hensel codes for error-free computation was shown to be a more efficient solution in comparison to known alternative. Could Hensel codes still provide advantages for error-free computation nowadays? In 2019, Barillas proposed an efficient machine learning classification approach based on Restricted Boltzmann Machines using Hensel codes. Barillas worked with limited hardware resources since the goal was to provide a solution suitable for embedded devices and classification problems over data containing a small to medium amount of features. Barillas' results over the MNIST dataset outperformed the current state-of-the-art of exact machine learning computations by a factor of 42 in terms of performance, and a factor of 62 in terms of energy efficiency. So, we were encouraged to proceed.


However, we identified an additional opportunity that is enabled by two facts: 1) The mapping we use to establish a connection between a special set of rational numbers and their corresponding Hensel codes has well-defined boundaries which are unique per prime or group of primes. Failure in observing these boundaries will lead to correctness violation. 2) The knowledge of the primes involved in the computation of Hensel codes is required for computing back their corresponding rational numbers. We then created a cryptosystem based on the hardness of inverting Hensel codes without the knowledge of the primes involved in that computation. We do it in such a way that trivial attempts will always violate the boundaries for correctness. Once the primes are unknown, so are the boundaries. This allows us to provide a new asymmetric encryption algorithm based on Hensel codes.


2. Hensel Codes

We now provide a sufficient and self-contained review of the theory of Hensel codes. While we omitted some portions of that theory (for lack of a direct connection with our contributions), we believe that more of the theory can not only be applied in future developments of our research. We hope that this work can motivate further study of Hensel codes as underlying tools for building cryptographic tools.


Error-free computation is a goal that has been long pursued. One way of addressing this problem is via infinite precision integer and rational number arithmetics, which can be very demanding concerning space and time resources. A promising alternative arises from the work of Kurt Hensel, who in 1908 introduced the p-adic number system or p-adic arithmetic, through which one can perform rational arithmetic over the integers. In p-adic number theory, p denotes a fixed prime and each rational number in custom-character is represented by a quantity called p-adic integer, which is a formal series Σi≥0 ai pi with integral coefficients ai satisfying 0≤ai≤p. This quantity can be expressed infinitely or finitely and what is called the finite-segment p-adic arithmetic where we find an opportunity for constructing our scheme. The reader can find detailed introductions to the p-adic number theory.


2.1 Finite-Segment p-adic Arithmetic


For all rational numbers α=a/b there is a n∈Z such that a Hensel code h is given by:






h=a
0
+a
1
p+a
2
p
2
+ . . . +a
n-1
p
n-1  Eq. A


where ai is the base p representation of h.


Example A: Let a=2, b=3, p=5, n=5. We compute the Hensel code h as follows:






h=4+1·5+3·52+1·53+3·54=2084  Eq. B


In Example A, a0=4, a1=1, a2=3, a3=1, and a4=3. In fact, 2084 in base 5 is 31314 (the same ai in reverse order) so it is easy to see that the Hensel code h is the base p representation of a rational number α. In general, a p-adic number is a base p representation (usually via an infinite p-adic expansion) of a rational number. Thus, a Hensel code is a finite p-adic number.


An alternative way to compute h is as follows: given α=a/b, a fixed prime p and some positive n∈custom-character, we have:






h=a·b
−1 mod pn,h∈{0, . . . ,pn−1}  Eq. C


where a, b and p″ must be pairwise coprime.


Example B: Let a=2, b=3, p=5, n=5. We compute the Hensel code h as follows:






h=2·3−1 mod 55=2·1042 mod 3125=2084.  Eq. D


If b is not pairwise coprime with p″, the inverse modulo p″ for b fails to exist, thus we cannot compute h as shown in Example B. A limitation of the second approach to compute h with pn is that all values of b that are multiples of p will fail to have an inverse. However, this is only an issue for n>1. We will then consider the case where n=1 so we can just omit n. We rewrite Eq. C as follows:






h=a·
b−1 mod p,h∈{0, . . . ,p−1}  Eq. E


Although Eq. E, which we refer to as the Hensel encode, is a very simple expression, for many years, finding its inverse, that is, the original rational a/b that generated h under p, remained an open problem for many years, until Miola introduced an algebraic solution for what we refer to as the Hensel decode. Miola observed that Gregory developed algorithms for the Hensel encoding and decoding; however, the decoding solution was based on look-up tables, which was inefficient as a general method. Notwithstanding, Miola took into consideration Gregory's unique answer for the Hensel decoding problem would only be possible if the absolute value of both the numerator and denominator of a/b was bounded by some value N. A rational number that would be under that bound was called an order-N Farey fraction. Only then would it be possible to uniquely retrieve a/b from h under p using a slightly modified version of the Extended Euclidean Algorithm (EEA). We use Gregory's method for encoding and Miola's method for decoding; however, we introduce a new definition for the set order-N Farey fractions.


Lemma A1: p/q is a convergent of a/b if:












"\[LeftBracketingBar]"



p
q

-

a
b




"\[RightBracketingBar]"





1

2


q
2



.





Eq
.

F







Before discussing our new definition of order-N Farey fractions and Miola's method for Hensel decoding, recall that a convergent of rational number c/d, is another rational number, typically denoted by pn/qn, obtained via a limited number of terms in a continued fraction with a total of n convergents where pn/qn is the n-th convergent of c/d. Miola's method finds the original a/b from a Hensel code h under p as a convergent of h/p. This procedure is captured by Theorem 1.


Theorem A: Given a Hensel code h and an odd prime p, a rational number a/b is a convergent of h/p if, by writing h as a Diophantine equation such that h=ab−1 mod p and hb−a≡0 mod p, there is an integer solution for k such that:






hb−a=kp  Eq. G


and the following holds:












"\[LeftBracketingBar]"



h
p

-

k
b




"\[RightBracketingBar]"





1

b
2


.





Eq
.

H







Proof: We start by rewriting h=ab−1 mod p as hb−a ≡0 mod p. Then, in order to prove that −k/b is indeed a convergent of h/p, we rearrange |h−a/b| as a/(bp)=h/p−k/b. Notice that hb−a is congruent to 0 and thus a multiple k of p. Therefore, we can write:






hb−a=kp and a=hb−kp.  Eq. I


So, when we divide both sides by bp we have:










a

b

p


=


h
p

-


k
b

.






Eq
.

J







Then we just need to check that −k/b is in fact a convergent of h/p since it holds that:













"\[LeftBracketingBar]"



h

p
r


-

k
b




"\[RightBracketingBar]"




1

b
2



,




Eq
.

K







which can be computed by the EEA (the algorithm that computes all the convergents of any given fraction). So, we know that a/b is computed by the EEA in the form of xi/yi for the i-th term (the first convergent) that satisfies |xi|≤N.


We now introduce Definition A, which depicts Miola's algebraic method for the Hensel decoding.


Definition A: (Hensel decoding) Given an odd prime p, N=|√{square root over (p/2)}|, and a Hensel code h, set x0=p, x1=h, y0=0, y1=1, and i=1. Then, while xi>N, the following is computed:






q=|x
i−1
/x
i|






x
i+1
=x
i−1
−q·x
i






y
i+1
=y
i−1
−q·y
i






i=i+1.  Eq. L


Then, the answer a/b is given by:






c/d=((−1)i+1·xi)/yi  Eq. M


We write this syntax as a/b=H−1 (p, h).


Notice that Eq. L is the actual computation of the convergents of h/p. If the algorithm never enters that loop, then no convergent is computed. If the algorithm enters the loop, it will stop computing the convergents when it finds the first convergent that does not satisfy the inequality xi>N.


Now we have everything we need to introduce the definition of the set of order-N Farey fractions.


Definition B: (Order-N Farey Fractions) The set of order-N Farey fractions custom-characterN,p, is given by:










𝔽

N
,
p


=


{




a
,
b
,

c


are


pairwise


coprime

,









a
/
b




p




and



a
/
b



is


the


convergent


of







h
/
p



v


ia


EEA


,







0




"\[LeftBracketingBar]"

a


"\[RightBracketingBar]"



N

,




"\[LeftBracketingBar]"

b


"\[RightBracketingBar]"







p
/
N

+
1








}

.





Eq
.

N







Now we can define the Hensel encoding using Definition B.


Definition C: (Hensel Encoding) Given an odd prime p and a rational number a/b∈custom-characterFN,p, a Hensel code h is computed as follows:






h=ab
−1 mod p.  Eq. O


We write this syntax as h=H (p, a/b).


Theorem B: For all a/b∈custom-characterN,p and all odd primes p, the following holds:





18H−1(p,H(a/b))=a/b.  Eq. P


Proof: The elements of the set of order-N Farey fractions are irreducible fractions a/b such that 0≤|a|≤N and 0≤|b|≤└p/(N+1)┘. By Theorem A, we know that the fraction a/b that is encoded as h under p is a convergent of h/p. We also know that the EEA computes all the convergents of h/p. The algorithm for H−1 (p, h) stops computing the convergents when it finds the first fraction that is under the N bound, which is precisely the fraction that originated h.


We can also use multiple primes to represent a rational number, which is referred to as a g-adic expansion of rational numbers, where, given unique odd primes p1, . . . , pk, g is given by g=Πi=1k pi.


There are two ways of encoding an order-N Farey fraction a/b using g-adic numbers. One is to replace p by g such that:






h=H(g,a/b),  Eq. Q






ab=H
−1(g,h).  Eq. R


Since Hensel codes can be computed with p and g, we establish the distinction between the two asp-adic Hensel codes and g-adic Hensel codes.


Theorem C: There is a one-to-one mapping from order-N Farey fractions into g-adic Hensel codes where N=└√{square root over (g/2)}┘ and the set of g-adic Hensel codes is custom-character.


The second way of encoding an order-N Farey fraction a/b using g-adic numbers is by computing a g-adic Hensel code tuple, where each element of the tuple is a p-adic Hensel code for each prime pi in g such that:





(h1, . . . ,hk)=Hg((p1, . . . ,pk),a/b).  Eq. S


The procedure of Eq. S is captured by Definition D.


Definition D: Given k unique odd primes p1, . . . , pk, N=└√{square root over (g/2)}┘ for g=Πi=1k pi, and a/b∈custom-characterN,p, g-adic Hensel code is computed as follows:





(h1, . . . ,hk)=(H(p1,a/b), . . . ,H(pk,a/b)).  Eq. T


We write this syntax as (h1, . . . , hk)=Hg ((p1, . . . , pk), a/b).


Theorem D: For all unique odd primes p1, . . . , pk and g=Πi=1k pi, there is an isomorphism between g-adic numbers and p-adic numbers.


We decode a g-adic Hensel code tuple in two steps:


1. Transform (h1, . . . , hk) into h via Chinese Remainder Theorem (CRT);


2. Decode h such that ab=H−1 (g, h).


Definition E: (g-adic Hensel Decode) Given k unique odd primes p1, . . . , pk, g=Πi=1k pi, N=└√{square root over (g/2)}┘, and a g-adic Hensel code tuple (h1, . . . , hk), the corresponding order-N Farey fraction is given by:










h
=




i
=
1

k



g

p
i




(



(

g

p
i


)


-
1



mod



p
i


)



h
i



mod


g



,




Eq
.

U













a
/
b

=



H

-
1


(

g
,
h

)

.






Eq
.

V








We write this syntax as a/b=Hg−1((p1, . . . , pk), (h1, . . . , hk)).


2.2 Hensel Codes and the Extended Euclidean Algorithm


It was shown by R. T. Gregory that there is a one-to-one mapping from the so-called order-N Farey fractions






custom-character
N
:={x/y||x|≤N,0<|y|≤N},N=└√{square root over ((p−1)/2)}┘


to the finite field custom-characterp, given via the mapping x/y→xy−1(mod p). The major drawback of the order-N Farey fractions is that they only correspond to a subset of custom-characterP. We will use a modification of the Extended Euclidean algorithm (EEA) to enlarge custom-characterto a set whose elements are in bijective correspondence with the elements of custom-characterP. In particular, we construct a factor ring (isomorphic to the finite field of order p) from a subring of the rationals custom-character and then use the to-be-defined modification of the EEA to select one representative fraction from each coset of the factor ring. To this end, fix an odd prime p, and recall that the set {a/b|gcd(p, b)=1} can be realized as the localization of the integers Z at the prime ideal (p). We will denote this ring by custom-character(p). Since gcd(p, b)=1 guarantees that b−1 exists in custom-characterp, we can define the map Hp:custom-character(p)custom-characterP by a/b→ab−1(mod p). It is easy to verify that this map is a surjective ring homomorphism. Consequently, we obtain an isomorphism custom-character(p)/ker (Hp)≅custom-characterp. There are many ways to select representatives from the cosets of custom-character(p)/ker (Hp), but we will make our selection to guarantee that the set of representatives contains custom-characterN.


Recall that the Extended Euclidean Algorithm (EEA) calculates the greatest common divisor of two integers x0, x1 along with the associated Bezout coefficients. The computation generates the tuples (x2, . . . , xn), (y2, . . . , yn), (z2, . . . , zn), and =└xi−1−1/xi┘ such that:






x
i+1
=x
i−1
−q
i
x
i, where x0,x1 are the input,






y
i+1
=y
i−1
−q
i
y
i, with y0=1,y1=0,






z
i+1
=z
i−1
−q
i
z
i, with z0=0,z1=0.


Moreover, for each i≤n, we have yix1+zix0=xi. The computation stops with xn=0, at which point xn-1=gcd(x0, x1). We define a modified version of this algorithm, as follows:


Definition 1 (Modified Extended Euclidean Algorithm). Let g be a product of distinct odd primes, h∈custom-character, and N=└√{square root over ((g−1)/2)}┘. Run EEA with x0=g and x1=h. Once |xi|≤N, output (x, y)=((−1)i+1xi, (−1)i+1yi). We write this as MEEA(g, h)=(x, y). Observe that there is an integer z (namely, (−1)i+1zi) such that yh+zg=x.


Lemma 1. Let g be a product of distinct, odd primes, N=└√{square root over ((g−1)/2)}┘, and h, h′∈custom-characterg. The following hold:

    • (i) If MEEA(g, h)=(x, y), then |x|≤N and |y|≤2N.
    • (ii) Let p be prime, MEEA(p, h)=(x, y), and MEEA(p, α)=(x′, y′). α=h(mod p) if and only if x=x′ and y′=y (mod p).
    • (iii) MEEA(g, h)=(0,⋅) if and only if gcd(g, h)>N or h=0.


Proof

    • (i) Suppose MEEA(g, h)=((−1)i+1xi, (−1)i+1yi). That |x|≤N is immediate from the stopping condition in MEEA. The outputs of the EEA satisfy:










"\[LeftBracketingBar]"


y
k



"\[RightBracketingBar]"





x
0


x

k
-
1




,


for


all



k
.






By definition, xi−1>N. Whence, N′=√{square root over ((g−1)/2)},










"\[LeftBracketingBar]"


y
i



"\[RightBracketingBar]"




g

x

i
-
1



<

g

N



<



2



(

N


)

2


+
1


N




=


2


N



+


1

N



.






It follows that











"\[LeftBracketingBar]"


y
i



"\[RightBracketingBar]"







2


N



+

1

N







=

2

N


,




proving 1.

    • (ii) By hypothesis, there is an integer k such that α=h+kg. Suppose that α≠h (i.e., at least one of h,k is nonzero). Apply the EEA in two cases: (1) x0=p, x1=h, and (2) x0=p, x1=h+kp. After three iterations of (2), one observes that the values of xi match those obtained after one iteration of (1). Moreover, MEEA applied to (1) and (2), respectively, will not terminate before the values of xi match. This proves x=x′. The above, in conjunction with yh+zp=x and y′α+z′p=x′, yields yh=y′α. Then yh−y′h=y′kp, and so y′h=yh (mod p). Since gcd(g, h)=1, y′=y(mod p). The converse follows easily.
    • (iii) Suppose gcd(g, h)>N. Recall that the EEA with x0=g and x1=h terminates when xn=0, at which point xn-1=gcd (g, h). Item 3 then follows from the stopping condition in MEEA. Conversely, if MEEA(g, h)=(0,⋅), then gcd(g, h)>N. For if not, then MEEA(g, h)=((−1)i+1xi,⋅), where i≤n−1, a contradiction.


Definition 2 (Order-(N,p) Farey Fractions). Let p be an odd prime and N=└√{square root over ((p−1)/2)}┘. We define the set of order-(N, p) Farey fractions as:







𝔽

N
,
p


:=


{



x
y

:



h




p




s
.
t
.






MEEA

(

p
,
h

)






=

(

x
,
y

)


}

.





Throughout the paper, we will consider custom-characterN,p with the familiar addition and multiplication on custom-character. Note that custom-characterN,p is not closed under these operations. The following lemma collects some important facts about custom-characterN,p.


Proposition 1. Let p be an odd prime and N=└√{square root over ((p−1)/2)}┘.

    • (i) custom-characterNcustom-characterN,p.
    • (ii) If x/y∈custom-characterN,p, then |x|≤N and |y|≤2N.
    • (iii) The elements of custom-characterN,p are in lowest terms.
    • (iv) Distinct elements of custom-characterN,p lie in distinct cosets of custom-character(p)/ker (Hp).
    • (v) Hp:custom-characterN,pcustom-characterp is a bijection.


Proof

    • (i) Let x/y∈custom-characterN such that h=xy−1 (mod p), and say MEEA(p, h)=(xi, yi). By construction, xi≤N and xj>N for all j<i. As shown by Kornerup, implementing EEA with x0=p and x1=h will yield xk/yk=x/y for some k. Now, suppose that |yi|>N. One easily verifies inductively |yj|≤|yj+1| and xj>xj+1 for all j. Whence for all i, either xi>N or |yi|>N, contradicting xk/ykcustom-characterN. Thus |yi|>N, and xi/yicustom-characterN. Finally, since xiyi−1(mod p)=xy−1(mod p)=h, and representations of elements of custom-characterN in custom-characterp are unique, we conclude that xi/yi=x/y. This shows that x/y∈custom-characterN,p.
    • (ii) Use Lemma 1 with g=p.
    • (iii) MEEA(p, 0)=(0,⋅), so let h∈custom-characterp be nonzero and MEEA(p, h)=(x, y). By definition there is an integer z (output by EEA) such that x=yh+zp. Further, properties of greatest common divisors yield:






gcd(zp,y)=gcd(yh+zp,y)=gcd(zp,y).


By (ii), 0<|y|<p, we deduce Lemma 1(iii), that 0<|z|<p. Consequently,






gcd(zp,y)=gcd(z,ygcd(p,y)=gcd(z,y).


Now, gcd(z, y)=1, which proves (iii).

    • (iv) First, notice that (ii) implies custom-characterN,pcustom-character(p). Let x/y, x′/y′∈custom-characterN,p be distinct. Necessarily, Hp(x/y)≠Hp(x′/y′). Since Hp is a homomorphism, then Hp(x/y−x′/y′)≠0, which implies x/y and x′/y′ lie in distinct cosets.
    • (v) The result follows immediately from (iv) and the isomorphism custom-character(p)/ker (Hp)≅custom-characterp.


We may now define the mapping that allows us to recover an element of custom-characterN,p given an arbitrary integer.


Definition 3. Let p be prime and h∈custom-character. Define:











H
p

-
1


:





𝔽

N
,
p




by


h



x

y


mod


p




,




Eq
.

1







where MEEA (p, h)=(x, y).


Remark 1. Lemma 1(ii) guarantees that the output x/y (mod p) from the preceding definition is in custom-characterN,p. Moreover, by the definition of the order-(N, p) Farey fractions, Hp−1 is surjective.


Proposition 2. If x/y∈custom-characterN,p and h∈custom-characterp, then Hp−1(Hp(x/y))=x/y and Hp(Hp−1(h))=h.


Proof Obvious.


The following results establish the compatibility of Hp−1 with arbitrary arithmetic circuits. For simplicity, we represent a circuit by the multivariate polynomial which it computes.


Lemma 2. Let h1, . . . , hk custom-character. If P is a polynomial in k variables over custom-character which takes rational arguments, and Hp−1(P(h1, . . . , hk))=a/b, then:








H
p

(

P

(



H
p

-
1


(

h
1

)

,


,


H
p

-
1


(

h
k

)


)

)

=



H
p

(

a
b

)

.





Proof Suppose Hp−1(hi)=xi/yi. Certainly xiyi−1=hi(mod p), whence






P(Hp−1(h1), . . . ,Hp−1(hk))=P(h1, . . . ,hk)(mod p).


The result follows, since P(h1, . . . , hk)=ab−1(mod p).


Proposition 3. If h1, . . . , hkcustom-character and P is a polynomial in k variables over custom-character which takes rational arguments, then:






H
p
−1(P(h1, . . . ,hk))=Hp−1(Hp(P(Hp−1(h1), . . . ,Hp−1(hk)))).


Proof Since custom-characterN,p is not closed under addition and multiplication then






custom-character=P(Hp−1(h1), . . . ,Hp−1(hk))


need not be an element of custom-characterN,p. However, by Lemma 3, custom-character and Hp−1((h1, . . . , hk)) lie in the same coset (are equivalent modulo p). Consequently, Hp−1(Hp(custom-character))=Hp−1(P(h1, . . . , hk)).


We now present the remaining maps which are fundamental to our scheme.


Definition 4. Let g=p1, . . . , pk be a product of at least two distinct primes. Define maps:







H
g

:






g



by



x
y




{






xy

-
1


(

mod


g

)

,





if



gcd

(

g
,
y

)


=
1






0
,





if


gcd


(

g
,
y

)



1















H


g

-
1


:







by


h



x

y


mod


g




,



where



MEEA

(

g
,
h

)


=


(

x
,
y

)

.






Remark 2. If n is an integer, then Hg(n)=n (mod g).


Remark 3. We write “{tilde over (H)}g−1(⋅)” instead of “Hg−1(⋅)” because {tilde over (H)}g−1 is not the inverse of Hg when g is composite. This is because if {tilde over (H)}g−1(h)=x/y we may have y|g, in which case y Text is not invertible modulo g, and so (provided x≠0) Hg ({tilde over (H)}g−1(x))=0≠x/y.


Recall that the Chinese Remainder Theorem (CRT) simply describes an isomorphism custom-characterp1× . . . ×custom-characterpkcustom-characterp1. . . pk. The image of (h1, . . . , hk) under this isomorphism will be denoted by h=CRTp1, . . . , pk(h1, . . . , hk).


Henceforth, for primes p1, . . . , pk and h1, . . . , hkcustom-character, we will denote:






{tilde over (H)}
p

1

. . . p

k

−1(CRTp1, . . . ,pk(h1, . . . ,hk))


by {tilde over (H)}p1, . . . pk−1(h1, . . . , hk).


Lemma 3. Let g=p1, . . . , pk be a product of distinct primes. If Hg (x/y)≠0, then Hg(x/y)=Hpi(x/y)(mod pi).


Proof. To avoid confusion, we will denote the (multiplicative) inverse of y modulo n by yn−1. If h=Hg(x/y)≠0, then y is invertible modulo pi for each i. Put hi=Hpi(x/y). By definition, h=xyg−1(mod g) and hi=xypi−1 (mod pi) for all i. Multiplying both sides of each congruence by y yields hy=x(mod g) and x=hiy(mod pi). It follows that hy=hiy (mod pi) for all i. Finally, since y is invertible modulo each pi, h=hi(mod pi).


Proposition 4. If g=p1, . . . , pk is a product of distinct primes, Hg(x/y)≠0, and x/Y∈custom-characterN,pi, then Hpi−1(Hg(x/y))=x/y.


Proof By Lemma 1(ii), Lemma 3, and the definition of Hpi−1, we see that:






H
p

i

−1(Hg(x/y))=Hpi−1(Hpi(x/y)).


The result then follows from Lemma 2.


Lemma 4. If g is a product of distinct primes and g|n, then {tilde over (H)}g−1(n)=0.


Proof Observe that gcd(g, n)=g>[√{square root over ((g−1)/2)}]. The result then follows from Lemma 1(iii).


3. The AGCD Problem


Informally, the AGCD problem is defined as follows: given polynomially many samples of the form x=r+qp for a randomly chosen odd prime p, find p. Since, in the remainder of this paper we will refer to known (ρ, η, γ) AGCD parameters, a formal definition of the AGCD problem is reproduced below.


Definition 5. (AGCD). Let p, X≥1, and ϕ a distribution over custom-character. We define AX,ϕAGCD (p) as the distribution over custom-character obtained by sampling







q






[

0
,

x
p





)




and r←ϕ, and returning x=qp+r.


Let custom-character be a distribution over custom-character∩[0,X). AGCDX,φ(custom-character) consists in distinguishing, given arbitrarily many independent samples, between the uniform distribution over custom-character∩[0,X) and the distribution AX,φAGCD(p) for p←custom-character. We use the notation AGCDX,φ(custom-character) to emphasize the number of samples m used by the eventual distinguisher. We say that an algorithm custom-character is an (∈1, ∈2)-distinguisher for AGCDX,ϕ(custom-character) if, with probability ≥∈2 over the choice of p←custom-character, its distinguishing advantage between AX,ϕ(p) and U(custom-character∩[0, X)) is ≥∈1.


For ρ, η, γ≥1, the (ρ, η, γ)-AGCD problem is AGCD2γ,ϕ(custom-character) with custom-character the uniform distribution over η-bit prime integers and ϕ the uniform distribution over custom-character∩(−2ρ, 2ρ).


Cheon and Stehle discuss a reduction from the Learning With Errors (LWE) problem to a variant of the AGCD where such search variant consists in finding the unknown p while also introducing a reduction from the search variant to the decision variant. They arrive at a set of secure AGCD parameters via reduction of a LWE instance. For appreciating this reduction, we refer the reader to since we shall not repeat that discussion in this work. Instead, we will use the proposed AGCD parameters.


3.1 Recommended AGCD Parameters


We let ρ denote the size of the noise, η denote the size of the secret greatest common divisor, and γ denote the size of an AGCD sample. Cheon and Stehle note that for the AGCD problem to be potentially hard, the parameters must satisfy the following: ρ≥λ in order to prevent brute force attacks on the noise, η>ρ, and γ≥Ω((λ/log λ)(η−φ2) in order to prevent lattice reduction attacks on AGCD such as orthogonal lattice attacks, as well as the Lagarias' simultaneous Diophantine approximation attack, and the Cohn-Heninger attack.


4. A Private-Key Leveled FHE Scheme


Now we introduce a private-key leveled FHE scheme based on Hensel codes. Our motivation is to provide a basic blueprint for a leveled FHE scheme with Hensel codes and then use it as the foundation of a public-key leveled FHE scheme by only applying an asymmetric property we have with Hensel codes. The reader can see this private encryption scheme as first step towards its public-key counterpart, which is the candidate scheme we want to highlight. For this reason, we will concentrate the discussions about correctness, security, and practical implications on the public-key version.


Given a parameter and the parameter d, define ρ, η, γ, and μ as follows: ρ=λ, η=2(d+2)λ, μ=γ−η−2λ, and







γ
=


λ


log
2

(
λ
)





(

η
-
ρ

)

2



.




The encryption scheme is then given by:

    • Gen takes λ and d as inputs and generates uniform primes p1, . . . , p5 such that











"\[LeftBracketingBar]"


p
1



"\[RightBracketingBar]"



b

i

t

s


=

ρ
+
1


,











"\[LeftBracketingBar]"


p
2



"\[RightBracketingBar]"



b

i

t

s


=


|

p
3


|

b

i

t

s



=

ρ
2



,











"\[LeftBracketingBar]"


p
4



"\[RightBracketingBar]"



b

i

t

s


=
η

,










"\[LeftBracketingBar]"


p
5



"\[RightBracketingBar]"



b

i

t

s


=

μ
.







    •  We set private secret key sk=(p1, p2, p3, p4) and public evaluation key evk=g=Πi=15pi. Note that |g|bits=γ. The message space is defined as custom-character=custom-characterN,p1. We write the syntax as (sk, evk)←Gen(1λ, 1d).

    • Enc takes a message m∈custom-character and sk, evk as inputs, generates uniform and independent s1custom-character2λ-1, s2custom-characterp2, s3custom-characterp3, and δ←custom-characterg/p4, and then computes c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)|g. We write this as c←Encsk,evk(m).

    • Dec takes c and sk as inputs and computes m=Hp1−1(Hp1(Hp4−1(c))). We write this as m=Decsk (c).

    • Addition and multiplication of ciphertexts are computed in the natural way over the integers modulo g.





Remark 4. In the encryption algorithm, let x/y={tilde over (H)}p1,p2,p3−1(0, s2, s3). Then, x/y is a rational encoding of zero, and so is s1·x/y. Moreover, setting |p1|bits=ρ+1 implies p1>2└√{square root over ((p1p2p3−1)/2)}┘, which guarantees (by Lemma 2.5(ii)) that gcd(p1, y)=1, so Hp1(x/y) is defined.


Remark 5. In the decryption algorithm, for all c output by Enc, with high probability, it holds that Hp4−1(c)∉custom-characterN,p1. We address this issue by computing Hp1 (Hp4−1(c)) which gives as a Hensel code in custom-characterp1. Then, we can just decode that Hensel code using p1, which gives us the expression in the decryption algorithm, so we obtain the desired member of custom-characterN,p1.


5. A Public-Key Leveled FHE Scheme


Now we introduce a public-key leveled FHE scheme that is similar to the previously described private-key encryption with the exception that we now explore asymmetric Hensel “encodings.” The parameters we use are conservative. The reason for employing a more conservative parameter definition is due to the fact that the ciphertext expansion of our construction is significantly more efficient than any leveled FHE construction where the message space is defined as {0, 1}. At the same time, we know there are room for optimizations which can further improve the already encouraging runtime results presented in Section 7.1. Given a parameter and the parameter d, define η, γ, and μ as follows:





ρ=λ,η=dλ,μ=d2λ log2(λ)−η−2λ−3,γ=2η+(3λ)/2+μ+3.  Eq. 2

    • Gen takes 1λ and 1d as input and generates uniform and independent odd primes p1, p2, p3, and p′4 such that |p1|bits=λ, |p2|bits=λ+3, |p3|bits=η, |p′4|bits=η, |p5|bits=μ, so we compute p4=(p′4)μ/η+1. Let g=p1 . . . p4 and g′=p3p4. For t←custom-character2λ-1 and δecustom-character2λ-η, we compute:






e=H
g(Hp3({tilde over (H)}p1,p2−1(0,t))+δep3).  Eq. 3

    • The public key is pk=(e, g′, evk=g) and the secret key is sk=(p1, p3).
    • Enc encrypts a message m∈custom-characterN,p1 by choosing s1, s2custom-character2λ-η and δ←[p1p2, p1p2p4)∪custom-character and then computing:






c←Enc
pk,evk(m)=Hg(Hg′(s1e+m)+s2g′+((g′)2)  Eq. 4

    • Dec takes a ciphertext c as input and computes m as follows:






m=Dec
sk,pk(c)=Hp1−1(Hp1(Hp3−1(c))).  Eq. 5

    • Addition and multiplication of ciphertexts are computed in the natural way over the integers modulo g.


Remark 6. The constant e in the public key should never equal δep3, else an adversary trivially computes gcd(e, g′)=p3 which compromises the secret key. To this end, recall that {tilde over (H)}p1,p2−1(0, t)={tilde over (H)}p1,p2−1(h), where h=CRTp1,p2(0, t). Since t≠0, h≠0 and gcd(h, p1p2)=p1. Lemma 1(iii) then implies that {tilde over (H)}p1p2−1(h)≠0 as long as p1<└√{square root over ((p1p2−1)/2)}┘. This is guaranteed since |p1|bits=λ and |└√{square root over ((p1p2−1)/2)}┘∥bits>λ.


5.1 Correctness


Here we continue with the previously-adopted convention of using multivariate polynomials instead of arithmetic circuits.


Definition 6. Let custom-characterk,ncustom-character└x1, . . . , xk┘ be the family of polynomials of the form custom-character(x1, . . . , xk)=y1*y2* . . . * yn, where yi∈{x1, . . . , xk} and * is either + or x.


Proof. If P∈custom-characterk,n has i≤n−1 additions, then the numerator of x is the sum of i+1 monomials, each being a product of the ai, bj. Moreover, the denominator y is simply a product of n (not necessarily distinct) of the bj. Note that for each monomial m summand of x satisfies: m/y is a product (possibly with repeated factors) of some number of the ai/bi. It follows that each monomial in the numerator is a product of at most n of the aj, bj. For if there is a monomial m with more than n factors, then m/y reduces to a fraction with more factors (the ai, bj) in the numerator than the denominator. Such a fraction cannot satisfy the above note, and so a contradiction is obtained. Now, since |ai|, |bj|≤α, we see that the denominator y and the monomial summands of x all have absolute value at most αn. The result then follows since x has at most n monomial summands.


Theorem 1 (Correctness). For all sk, pk, and evk output by Gen and all m∈custom-characterN,p1,






Dec
sk,pk(Encpk,evk(m)m.  Eq. 6


Let P∈custom-characterp1,D, m1, . . . , mkcustom-characterN,p1 and ci←Encpk,evk(mi). If P(m1, . . . , mk)∈custom-characterN,p1, d≤λ, and D≤(d/5)−1, then:






Dec
sk,pk(P(c1, . . . ,ck))=P(m1, . . . ,mt).  Eq. 7


Proof Let m∈custom-characterN,p1, and suppose c=Encpk, evk(m). By construction,






c=H
g(Hg′(se+m)+s2g′δ(g′)2)=Hg′(se+m)+αp3,α∈custom-character,


where e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t)+δep3)) and s∈custom-characterp1.


Proceeding with Dec (which computes Hp1−1(Hp1(Hp3−1(c))) and applying Proposition 2 and Proposition 3, we obtain:












H

p
3


-
1


(
c
)

=



H

p
3


-
1


(



H

g



(


s

e

+
m

)

+

α


p
3



)


,



for


some


α










=



H

p
3


-
1


(


H

p
3


(



H

p
3


-
1


(


H

g



(


s

e

+
m

)

)

+


H

p
3


-
1


(

α


p
3


)


)

)







=



H

p
3


-
1


(


H

p
3


(


H

p
3


-
1


(


H

g



(


s

e

+
m

)

)

)

)







=



H

p
3


-
1


(


H

g



(


s

e

+
m

)

)








Put x/y={tilde over (H)}p1,p2−1(0, t) and N=└√{square root over ((p3−1)/2)}┘. We note that |s|bits≤λ, and deduce from Lemma 1(i) that |x|bits≤λ+1 and |y|bits≤λ+2. Further, since (dλ−2)/2≤|N|bits(for d≥5), we see that |sx|bits, |y|bits≤|N|bits. Consequently sx/y∈custom-characterN custom-characterN,p3. Now, through repeated applications of the above observation, Lemma 1(iii), Proposition 3, and Lemma 4, we obtain:








H

p
3


-
1


(


H

g



(


s

e

+
m

)

)

=



H

p
3


-
1


(


H

p
3


(



s

x

y

+
m

)

)

.





By comparing bit lengths (as above), we find that sx/y+m∈custom-characterN,p3 (this time, as long as d≥6). Thus, Hp3−1(c)=sx/y+m.


Lastly, we compute:









H

p
1


-
1


(


H

p
1


(



s

x

y

+
m

)

)

=


H

p
1


-
1


(



H

p
1


(


s

x

y

)

+


H

p
1


(
m
)

-

k


p
1



)


,


k



{

0
,
1

}

.






Since Hp1 is a ring homomorphism and s∈custom-character2λ-1 custom-characterp1, we have Hp1(sx/y)=Hp1(s)Hp1(sx/y)(mod p1)=sHp1(sx/y)−np1 for some n∈custom-character. Moreover, Hp1(x/y)=0 by construction.


Whence,









H

p
1


-
1


(


H

p
1


(



s

x

y

+
m

)

)

=


H

p
1


-
1


(



H

p
1


(
m
)

-


(

k
+
n

)



p
1



)


.




With a final application of Proposition 3 and Lemma 4, the above simplifies to Hp1−1(Hp1(m))=m. Thus Eq. 6 is established.


We now show that the scheme is compatible with homomorphic operations. Let c1, . . . , ckcustom-characterg be ciphertexts with corresponding messages micustom-characterN,p1, and P∈custom-characterk,D. Then, as above, there are sicustom-character2λ-1 and an integer α′ such that for each i, ci=Hg′(sie+mi)+α′g′. Suppose further that P(m1, . . . , mk)∈custom-characterN,p1. Proceeding as in the proof of (6), we compute:











H

p
3


-
1


(

P

(


c
1

,


,

c
k


)

)

=



H

p
3


-
1


(

P

(



H

g



(



s
1


e

+

m
1


)


,


,


H

g



(



s
k


e

+

m
k


)


)

)







=



H

p
3


-
1


(


H

p
3


(

P

(



H

p
3


-
1


(


H

g



(



s
1


e

+

m
1


)

)


,


,


H

p
3


-
1


(


H

g



(



s
k


e

+

m
k


)

)


)

)

)







=




H

p
3


-
1


(


H

p
3


(

P

(




s
1



x
y


+

m
1


,


,



s
k



x
y


+

m
k



)

)

)

.








Now, let xi/yi=six/y+mi and x*/y*=P(x1/y1, . . . , xk/yk). We will show that x*/y*∈custom-characterN,p1. Recall that |si|bits≤λ, |xi|bits≤λ+1 and |yi|bits≤λ+2.


It follows that |xi|bits≤(5λ+3)/2 and |yi|bits≤(3λ+3)/2. For simplicity, we take (5λ+3)/2 as the bound for bit length for both xi and yi.


By invoking Lemma 5, and the binary logarithm (to count bit lengths), we have:










"\[LeftBracketingBar]"


x
*



"\[RightBracketingBar]"


bits

,





"\[LeftBracketingBar]"


y
*



"\[RightBracketingBar]"



b

i

t

s






log
2

(
D
)

+

D

(



5

λ

+
3

2

)

+

1
.







Now, recalling that |└√{square root over ((p3−1)/2)}┘|bits, we see that:









log
2

(
D
)

+

D

(



5

λ

+
3

2

)

+
1





d

λ

-
2

2





is a sufficient condition to guarantee that x*/y*∈custom-characterN, where N=└√{square root over ((p3−1)/2)}┘. Easy algebraic manipulations verify that the above inequality reduces to:










log
2

(

D
2

)

+

3

D

+
3


d
-

5

D





λ
.





The hypotheses that d≤λ and D≤(d/5)−1 guarantees that the above inequality is true. Whence, x*/y*∈custom-characterNcustom-characterN,p3, and








H

p
3


-
1


(

P

(


c
1

,


,

c
k


)

)

=



x



y



=


P

(



x
1


y
1


,


,



x
k


y
k



)

.






All that remains is to compute Hp1−1(Hp1(x*/y*)). To this end, observe that since Hp1 is a homomorphism under addition and multiplication modulo p1, Hp1(xi/yi)=Hp1(six/y)+Hp1(mi)−αip1=Hp1(mi)−αip1, and Hp1(P(x1/y1, . . . , xk/yk))=Hp1(P(Hp1(x1/y1), . . . , Hp1(xk/yk)))−αp1, where α, αicustom-character. Now, by the preceding observations and Proposition 3, we obtain:











H

p
1


-
1


(


H

p
1


(


x



y



)

)

=



H

p
1


-
1


(


P

(




H

p
1


(

m
1

)

-


α
1



p
1



,


,



H

p
1


(

m
k

)

-


α
k



p
1




)

-

α


p
1



)







=




H

p
1


-
1


(


H

p
1


(

P

(


m
1

,


,

m
k


)

)

)

.








Finally, since P(m1, . . . , mk)∈custom-characterN,p1,






H
p

1

−1(Hp1(P(m1, . . . ,mk)))=P(m1, . . . ,mk).


This completes the proof of Eq. 7,


Remark 7. The set custom-characterp1,D=└(d/5)−1┘, does not contain all polynomials with which our scheme is compatible. In particular, we note that for any polynomial custom-character taking rational arguments: if Q(m1, . . . , mk)∈custom-characterN,p1 and Q(s1x/y+m1, . . . , skx/y+mk)∈custom-characterFN,p3, then Decsk,pk(Q(c1, . . . , ck))=Q(m1, . . . , mt).


Remark 8. The requirement that P(m1, . . . , mk)∈custom-characterN,p1 may seem unreasonable since custom-characterN,p1 is not closed under addition. However, one can always choose p1 large enough to guarantee that the scheme is compatible with the requisite polynomials P. For example, if one only needs to work with fractions whose numerators and denominators are bounded (in absolute value) by M, then one simply chooses p1 so that N=└√{square root over ((p3−1)/2)}┘>>M. This creates a “bounded closure.”


6. Security Analysis


We present a discussion on the security properties of our construction from at least four perspectives: CPA indistinguishability, an analysis on encryptions of zero, factoring concerns, and an intrinsic hardness of Hensel codes that are meant to violate correctness boundaries.


6.1 Indistinguishability under Chosen Plaintext Attacks (CPA)


We present a variant of the AGCD assumption where the distinguisher is additionally given e, g, g′. For simplicity, we use (e; g; g0)-AGCD to denote the variant of the AGCD problem and (e, g, g′)-AGCD(p) to denote its associated distribution.


Definition 7 ((e, g, g′)-AGCD). Let u, v, p be primes such that |u|bits=λ, |v|bits=λ+3, |p|bits=η, and |w′|bits=η such that w=(w′)γ/μ, g=uvpw and g′=pw. We sample r, s←custom-character2λ-1, q←[uv, uvw)∩custom-character, and σ←custom-character2γ-η and we compute e=Hg(Hp({tilde over (H)}u,v−1(0, t))+σp). Finally, we compute x=Hg(r+qg′) and (e, g, g′)-AGCD(p) outputs x together with e, g, g′.


Lemma 6. For any message m∈custom-characterN,p1, we can perfectly simulate Encpk, evk(m) by obtaining x, e, g, g′ from (e, g, g′)-AGCD(p), sampling t←custom-character2λ-1, and outputting c=Hg(xg′+Hg′(te+m)).


Proof Fix m∈custom-characterN,u. We claim that the following simulated ciphertext csim decrypts to m: csim=Hg′(te+m)+qg′−kg, for some integer k. We further simplify to get c=Hg′(te+m)+αg′, where α=x−k(g/g′). It now follows immediately from the proof of correctness (Theorem 1, Eq. 6) that Decsk,pk(csim)=m. Furthermore, we observe trivially that the simulated encryptions are distributed identically to the actual encryptions.


Definition 8. Consider the following experiment: a uniform η-bit prime p is chosen use along with a fixed message m from custom-character2λ. Then a uniform bit b←{0,1} is chosen. A distinguisher custom-character is given g, g′ from (e, g, g′)-AGCD(p), and then:


If b=0, the distinguisher is given repeated random samples from (e, g, g′)-AGCD(p).


If b=1, the distinguisher is given repeated simulations of encryptions of m using samples from (e, g, g′)-AGCD(p) in the form Hg(xg′+Hg′(m)).


The distinguisher outputs a guess b′, and succeeds if b′=b. It E-distinguishes if Pr[b′=b]=½+∈.


Assumption 1. For any probabilistic polynomial-time distinguisher custom-character, the probability that D is successful in the preceding experiment is negligible. That is, at best, custom-character∈-distinguishes with ∈=∈(λ) negligible.


Theorem 2. The private-key leveled FHE scheme described in Section 5 is CPA-secure under Assumption 1.


Proof Fix an adversary custom-character attacking the scheme. Construct an adversary custom-character as follows: custom-character is given repeated samples from (unknown) distribution. custom-character runs custom-character. When custom-character requests an encryption of m, then custom-character does: 1) Get a sample x from the given distribution, 2) Return a simulated ciphertext c (dependent on x) to custom-character. When custom-character outputs its challenge messages m0, m1 then custom-character chooses a random bit b and does the exact same thing as above using the message mb. When custom-character outputs a guess b′, then custom-character outputs 1 if and only if b′=b.


Claim (1). When custom-character is given samples from distribution (e, g, g′)-AGCD(p), then the probability that custom-character outputs 1 is identical to custom-character's success probability in the CPA experiment.


Proof(1). This follows since when custom-character is given samples from distribution (e, g, g′)-AGCD, then custom-character's view is identical to its view in the CPA experiment.


Claim (2). When custom-character is given random samples from (e, g, g′)-AGCD(p), then the probability that custom-character outputs 1 is ½.


Proof(2). This follows since custom-character's view is independent of b. Indeed, for any message m, custom-character can perfectly simulate a ciphertext for m using random samples from (e, g, g′)-AGCD(p). So, as per Lemma 6, the challenge ciphertext is computationally indistinguishable from a random element of (e, g, g′)-AGCD(p), which is independent of m regardless of the choice of b. It follows that custom-character correctly outputs b′=b with probability exactly ½.


By Assumption 1, the difference in the probability that custom-character outputs 1 when given samples from (e, g, g′)-AGCD(p) and the probability that it outputs 1 when given uniform samples is negligible. It follows from this and the above claims that the probability that A succeeds in the CPA experiment is ½+negl. This completes the proof.


6.2 Further Discussion of Security


Here we show that, under a particular assumption, ciphertexts are indistinguishable from random elements of custom-characterg.


Lemma 7. There are p12p2 distinct encryptions of 0.


Proof. Encryptions of 0 are of the form Encpk,evk(0), where s←[0, p1)∩custom-character and δ←[p1,p2,p1p2p4)∩custom-character. We will show that each pair s, δ yields a unique encryption of 0. To this end, suppose s≠s′ or δ≠δ′ (mod p1p2). If Hg(Hg′(se)+δg′)=Hg(Hg′(s′e)+δ′g′), then we deduce that s=s′(mod g′). Since 0≤s, s′<g′, s=s′, a contradiction. All that remains is the case where s=s′ and δ≠δ′(mod p1p2). Again, if Hg(Hg′(se)+δg′)=Hg(Hg′(s′e)+δ′g′), then Hg′(se)=Hg′(s′e) implies δg′−kg=δ′g′−k′g, for some k, k′∈custom-character. Rearranging the equation yields δ−δ′=(k−k′)p1p2, also a contradiction. The result follows from the fact that there are p1 choices for s, and p1p2 choices for δ.


We now define an experiment in which a distinguisher tries to distinguish between a random subset of [0; g)∩custom-character and a set of encryptions of 0.


Definition 9. Let custom-character be a probabilistic polynomial-time distinguisher which knows the public-key pk=(e, g, g′). A uniform bit b←{0,1} and a random k≤p12p2 are chosen, and then:

    • If b=0, then custom-character is given a random subset of [0, g)∩custom-character with k elements.
    • If b=1, then custom-character is given a set k of random encryptions of 0.
    • custom-character outputs a guess b′∈{0,1} and succeeds if b=b′. Say custom-character∈-distinguishes if Pr[b′=b]=½+∈.


Assumption 2. The probability that custom-character is successful in the preceding experiment is negligible. That is, custom-character can only ∈-distinguish if ∈=∈(λ) is negligible.


Proposition 5. For a fixed m∈custom-characterN,p1, elements of the set Encpk,evk are indistinguishable from random elements of [0; g)∩custom-character under Assumption 2.


Proof. Let m∈custom-characterN,p1, Encpk,evk(m)=Encpk,evk(m+0)=Encpk,evk(m)+Encpk,evk(m+0). By Assumption 2, encryptions of 0 are indistinguishable from random elements of [0; g)∩custom-character, whence Encpk,evk(m)+Encpk,evk(m+0)=Encpk,evk(m) is indistinguishable from a random element of [0; g)∩custom-character


6.3 Factoring


The most obvious threat to our construction is also the easiest to thwart. It is associated with factoring attacks since the public evaluation key evk corresponds to g, which is the product of p1, . . . , p4. Successfully factoring g leads to a total break of the scheme since decryption only uses the knowledge of p1 and p3 according to Eq. 5. Even a partial factorization of g might lead to a total break of our scheme, as long as p1 and p3 are recovered. The main threat could be provided by some variation ECM factoring method (since p4 in our scheme is not prime) with running time on the size of the smallest prime factor as opposed to the size of g. To prevent ECM threats, one must set the size of individual primes to be at least 512 bits and preferably at least 768 bits. Additionally, if g is sufficiently large (e.g., greater than or equal to 4096 bits), index calculus methods such as the Number Field Sieve method will not succeed.


6.4 Hensel Code Problem


We close this section with a proof that an adversary, knowing only g=p1, . . . , p4, g′=p3p4, and c=Hg(Hg′(x/y)+dg′), cannot deduce x/y using Hg−1 or Hg′−1. Furthermore, the range of the “noise parameter” can be restricted to guarantee that an adversary cannot even deduce the denominatory (a problem we noticed in some simulations).


Proposition 6. If α=g′ or g, then {tilde over (H)}α−1(Hg′(se+m))≠m.


Proof Suppose by way of contradiction that Hg′(se+m)=Hα(m).


Let α=g′.


If we let m=x/y, then we get Hg′((sey+m)/y)=Hg′(x/y). Since p1<<p3, p4, y is invertible modulo g′, whence (sey+x)y−1=xy−1(mod g′). It follows that se=0 (mod g′). Since s<p1, we also have s invertible modulo (mod g′), which means e=0 (mod g′). In particular, we note that e=0 (mod p4). But, since e=Hp1,p2−1(0, s2)+δep4, this implies Hp1,p2−1(0, s2)=0 (mod p4). Put Hp1,p2−1(0, s2)=x0/y0. Since s2≠0, x0≠0. Moreover, since the inverse of y0 modulo p4 cannot be divisible by p4, we conclude that x0=0 (mod p4). This contradicts 0<|x0|└√{square root over ((p1p2−1)/2)}┘<p4.


Let α=g.


Since g′|g, Hg′((sey+m)/y)=Hg(x/y) implies Hg′((sey+m)/y)=Hg′(x/y).


The result follows.


Lemma 8. Suppose {tilde over (H)}α−1(Hg′(x/y))=x′/y′, where α=g or g′. If x≠x′ then y≠y′ or |x−x′|≥g′.


Proof Suppose α=g. Then Hg′(x/y)=Hg(x′/y′). We will prove the contrapositive. If y=y′ and |x−x′|<g′, then we use the fact that g′|g to obtain |x−x′|g′=0. Since |x−x′| is less than g′, x=x′. The proof for α=g′ is analogous.


Proposition 7. Let x/y∈custom-characterN,p1, N=└√{square root over ((g′−1)/2)}┘, and α=g or g′. If










s


(




N
+

|
x
|


e
|
y
|


,





g


-
N
+

|
x
|


e
|
y
|



)


,

and




Eq
.

8













H


α

-
1




(


H

g



(


s

e

+

x
y


)

)


=


x



y




,




then y≠y′.


Proof. In light of Lemma 8, it suffices to prove that x+sey≠x′ and |(x+sey)−x′|<g′.


If s>(N+|x|)/(e|y|), then





|x+sey|≥||x|−se|y||>x−(N+|x|)|=N.


Since |x′|≤N, by definition of {tilde over (H)}α−1 (MEEA, in particular), we see that x+δp4y≠x′.


Similarly, if 0<s<(g′−N−|x|)/|e|y||, then:





|(x+sey)|−x′|≤|x|+se|y|+N>|x|+(g′−N−|x|)+N=g′.


This completes the proof.


7. Practical Considerations


Among several alternative concrete parameter configurations we considered, the one we discuss in this work is not the most efficient in terms of ciphertext expansion. However, it is an instance that works as desired with respect to the homomorphic operations. As mentioned before, the noise growth on addition is still a concern. In our scheme, messages are members of a subset of the rational numbers so if we let two messages x1/y1 and x2/y2, be encrypted to two ciphertexts c1 and c2, then c1·c2 and c1+c2 will decrypt, respectively, to:












x
1



x
2




y
1



y
2





and










x
1



y
2


+


x
2



y
1





y
1



y
2







Eq
.

9







We note that the space taken up by addition is similar to the space taken up by multiplication (in the sense that the scheme admits a similar number of additions and multiplications), and acknowledge that this might be a downside for some applications.


Advantages of Working with Hensel Codes. Although there are some limiting aspects, we want to emphasize some of the advantages in working with Hensel codes. Recall that custom-character=custom-characterN,p1. Considering that p1 must be at least a 768-bit prime, its corresponding Nis a 384-bit number and, thus, the message space will be sufficiently large to include the solutions for most applications that require rational numbers as inputs. For instance, the set of rational numbers custom-characterN,p1 includes integers (negative and positive) up to 384 bits. This is a message space large enough to contemplate a large class of real-world applications. Obviously, the larger p1 is, the larger will be the message space. Perhaps one of the greatest takeaways is that we can merge error-free computation with homomorphic encryption via Hensel codes. As an immediate consequence, we can naturally compute the arithmetic gates addition, subtraction, multiplication, and division as follows: |c1+c2|g, |c1−c2|g, |c1c2|g and |c1/c2|g, respectively. Correctness follows the discussion in Section 5.1. It is clear that addition, subtraction, and multiplication are computed in the natural way modulo g. For all c1, c2 output by Enc or Eval, the division |c1/c2|g, will work as long as gcd(c2, g)=1. One simple way to ensure that division is always defined is to allow an encryption of zero to be public and implement the following division algorithm: Given c1, c2, g and a public encryption of zero cz, generate a uniform rccustom-character2λ-1 and update c2 as c2=rccz+c2. If gcd(c2, g)=1, compute and output |c1/c2|g, if not, repeat.


Given any homomorphic encryption that takes positive integers as valid messages, it is not surprising that one could easily provide a way for allowing that scheme to accept rational numbers as inputs. Given a rational number a/b (assumed to be positive, for simplicity), options include: 1) a simple modular encoding with a modulus q>a, b such that you have m=aq+b, 2) CRT with two moduli q1, q2>a, b such that m=CRTq1,q2(a, b), or yet 3) any pairing function, such as the Cantor pairing function, in which case we could obtain m=½ (a+b) (a+b+1)+b. None of the above options, along with many other numeric manipulations, preserve operations in the message space. Thus, since Hensel codes create an operation-preserving correspondence between a set of rationals and a set of integers, they are preferable as a tool for modifying existing schemes to take rational inputs.


7.1 Performance


The results presented in Table 1 were generated from experiments conducted with an implementation of our candidate scheme using Python 3.8.5, on a Mac-Book Pro 15-inch, MacOS High Sierra 10.13.6, 2.8 GHz Intel Core i7, 16 GB 1600 MHz DDR3, 500 GB HD. Each runtime (in seconds) presented is the arithmetic mean of 100 runs.





|p1|bits=λ,|p2|bits=λ+3,|p3|bits−η,|p4|bits=η,|p5|bits


We present practical results using two configurations. First, we set ρ=λ=512, d=10, which gives η=5120, μ=454653, γ=461571, |p1|bits=512, |p2|bits=515, |p3|bits=5120, |p4|bits=455672, |g′|bits=460791, and |g|bits=461818 (slightly larger than γ). Second, we set ρ=λ=768, d=20, which gives η=15360, μ=2927601, γ=2950275, |p1|bits=768, |p2|bits=771, |p3|bits=15360, |p4|bits=2933708, |g′|bits=2949067, and |g|bits=2950606. In Table 1 we display runtime results for the key generation, encryption, and decryption algorithms, and the homomorphic evaluation of the dot product of two 3D vectors.









TABLE 1







Runtime results









Algorithm
Runtime for λ =512; d = 10
Runtime λ = 768; d = 20












Key Generation
184.244738
927.6136270000001


Encryption
0.9383330000000001
35.50052400000004


Decryption
0.0067889999999977135
0.09174399999994876


3D vector dot product
0.3805450000000121
12.849364999999807









Hardware Implementation for a Private or Public-Key Leveled FHE Embodiment (FIG. 1)


FIG. 1 is a block diagram 100 of the hardware implementation for a private or public-key leveled Fully Homomorphic Encryption (FHE) embodiment. A source computing device 102 is connected over an electronic network/bus connection 108 to an intermediary computing device 104 and a destination device 106. Likewise, the intermediary computing device 104 and destination computing device 106 are, in turn, connected to each other 104, 106 as well as to the source computing device 102 over the electronic network/bus connection 108. In the embodiment shown in FIG. 1, the source computing device 102 acts as the source of the encrypted data 110 and the source computing device 102 sends the encrypted data 110 over the network/bus connection 108 to the intermediary computing device 104 and/or the destination computing device 106. When the intermediary computing device 104 receives the encrypted data 110 from the source computing device 102, the intermediary computing device 104 may perform homomorphic Hensel Code arithmetic operations (addition, subtraction, multiplication, and/or division) with at least one additional ciphertext to obtain a result ciphertext 110 that the intermediary computing device 104 may then send over the network/bus connection 108 to the destination computing device 106. The destination computing device 106 may decrypt the received encrypted ciphertext 110 to obtain unencrypted data reflecting either the original message if the ciphertext 110 was the original ciphertext sent by the source computing device 102 or an unencrypted result of the arithmetic operations performed by the intermediary computing device 104 if the received ciphertext 110 is a result ciphertext sent by the intermediary computing device 104 after performing homomorphic arithmetic operations with the original ciphertext and at least one additional ciphertext. The destination device 104 generally acts as a final destination for the encrypted data 110 received from the network/bus connection 106 intended for decryption. Generally, communications, including concealed/encrypted communications, are bi-directional such that the source 102, intermediary 104, and destination 106 computing devices may change roles as the encrypted data 110 source 102, intermediary 104, and the encrypted data 110 destination 106 as is necessary to accommodate the transfer of data back and forth between the computing devices 102, 104, 106. Notably, the intermediary computing device 104 does not require knowledge of the secret keys to perform the homomorphic Hensel Code arithmetic operations, so it is likely that the intermediary computing device 104 will be at least computationally isolated from the source 102 and destination 106 computing devices. Additionally, while the computing devices 102, 104, 106 are depicted as separate devices in FIG. 1, the functionality of the source computing device 102, the intermediary 104 and the destination device 106 may be shared on a single computing system/device or among two or more computing devices as it is often desirable to conceal data when transferring data between components of a single device.


Further, as shown in FIG. 1, the source computing device 102 appears to be a laptop computer and the destination computing device 104 appears to be a tablet device and the intermediary computing device appears as a “cloud” that may represent one or several devices connected on the network 108 performing homomorphic arithmetic computations without a need to decrypt to the data 110 to obtain the correct decrypted value for the arithmetic operations. Generally, any computing device capable of communication over any form of electronic network or bus communication platform 106 may be one or more of the source 102, the intermediary 104, and destination 106 computing devices. Additionally, the source 102, intermediary 104 and/or destination 106 computing devices may actually be the same physical computing device communicating over an internal bus connection 108 with itself, but still desiring to encrypt transferred data to ensure that an attacker cannot monitor the internal communications bus 108 to obtain sensitive data communications in an unencrypted format.


Various embodiments may implement the network/bus communications channel 108 using any communications channel 108 capable of transferring electronic data between the source 102, intermediary 104, and destination 106 computing devices. For instance, the network/bus communication connection 108 may be an Internet connection routed over one or more different communications channels during transmission between the source 102, intermediary 104, and destination 106 devices. Likewise, the network/bus communication connection 108 may be an internal communications bus of a computing device, or even the internal bus of a processing or memory storage Integrated Circuit (IC) chip, such as a memory chip or a Central Processing Unit (CPU) chip. The network/bus communication channel 108 may utilize any medium capable of transmitting electronic data communications, including, but not limited to: wired communications, wireless electro-magnetic communications, fiber-optic cable communications, light/laser communications, sonic/sound communications, etc., and any combination thereof of the various communication channels.


The various embodiments may provide the control and management functions detailed herein via an application operating on the source 102, intermediary 104, and/or destination 106 computing devices. The source 102, intermediary 104, and/or destination 106 computing devices may each be a computer or computer system, or any other electronic devices device capable of performing the communications and computations of an embodiment. The source 102, intermediary 104, and/or destination 106 devices may include, but are not limited to: a general-purpose computer, a laptop/portable computer, a tablet device, a smart phone, an industrial control computer, a data storage system controller, a CPU, a Graphical Processing Unit (GPU), an Application Specific Integrated Circuit (ASI), and/or a Field Programmable Gate Array (FPGA). Notably, the first 102, second 104, and/or third 106 computing devices may be the storage controller of a data storage media (e.g., the controller for a hard disk drive) such that data delivered to/from the data storage media is always encrypted so as to limit the ability of an attacker to ever have access to unencrypted data. Embodiments may be provided as a computer program product which may include a computer-readable, or machine-readable, medium having stored thereon instructions which may be used to program/operate a computer (or other electronic devices) or computer system to perform a process or processes in accordance with the various embodiments. The computer-readable medium may include, but is not limited to, hard disk drives, floppy diskettes, optical disks, Compact Disc Read-Only Memories (CD-ROMs), Digital Versatile Disc ROMS (DVD-ROMs), Universal Serial Bus (USB) memory sticks, magneto-optical disks, ROMs, random access memories (RAMs), Erasable Programmable ROMs (EPROMs), Electrically Erasable Programmable ROMs (EEPROMs), magnetic optical cards, flash memory, or other types of media/machine-readable medium suitable for storing electronic instructions. The computer program instructions may reside and operate on a single computer/electronic device or various portions may be spread over multiple computers/devices that comprise a computer system. Moreover, embodiments may also be downloaded as a computer program product, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection, including both wired/cabled and wireless connections).


Operational Flow Chart for a Private-Key Leveled FHE Embodiment (FIG. 2)


FIG. 2 is a flow chart 200 of operations for a private-key leveled FHE embodiment. At process 216, the source computing device 202 generates prime numbers p1 . . . p5 as a function of provided parameters λ and d. Given the parameter and the parameter d, then ρ, η, γ, and μ are defined as follows: ρ=λ, η=2(d+2)λ, μ=γ−η−2λ, and






γ
=


λ


log
2

(
λ
)





(

η
-
ρ

)

2






such that the bit widths are computed as











"\[LeftBracketingBar]"


p
1



"\[RightBracketingBar]"



b

i

t

s


=


ρ
+
1


,











"\[LeftBracketingBar]"


p
2



"\[RightBracketingBar]"



b

i

t

s


=





"\[LeftBracketingBar]"


p
3



"\[RightBracketingBar]"



b

i

t

s


=

ρ
2



,











"\[LeftBracketingBar]"


p
4



"\[RightBracketingBar]"



b

i

t

s


=
η

,











"\[LeftBracketingBar]"


p
5



"\[RightBracketingBar]"



b

i

t

s


=
μ

,




and |g|bits=γ. At process 218, the source computing device 202 sets a secret key sk to be comprised of the prime numbers p1 . . . p5 wherein the secret key is known to both of the source computing device 202 and the destination computing device 206 but not to other computing devices, including the intermediary computing device 204. At process 220, the source computing device 202 sets a public evaluation key evk to be equal to a product (Πi=15 pi) of the prime numbers p1 . . . p5 wherein the public evaluation key evk also equals a g of Hensel Code g-adic computations (Hg). Processes 216-220 are part of a Gen (generate) 208 subsystem/algorithm that performs the necessary operations to generate the necessary security keys for the encryption operations.


At process 222, the source computing device 206 generates uniform and independent values s1, s2, s3, and δ as a function of the prime numbers p2 . . . p4, the parameter λ, and the value g such that s1custom-character2λ-1, s2custom-characterp2, s3custom-characterp3, and δ←custom-characterg/p4. At process 224, the source computing device 206 encrypts a message m as ciphertext c in accord with Hensel Code encryption computation c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)|. Processes 222-224 are part of an Enc (encrypt) 210 subsystem/algorithm that performs the necessary operations to encrypt the message m. At process 226, the source computing device 202 sends the ciphertext c to the destination computing device 206 if no homomorphic calculations are desired, or to the intermediary computing device 204 if homomorphic calculations are desired.


The processes 228-230 of the intermediary computing device 204 are not necessary if it is not desired to perform homomorphic calculations with at least one additional ciphertext cadditional to obtain a result ciphertext cresult, in which case the original ciphertext c may simply be sent to the destination computing device 206 for decryption. Assuming homomorphic calculation operations are desired, at process 228, the intermediary computing device 204 homomorphically computes at least one arithmetic function with said ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult. The potential arithmetic functions are one or more of addition, subtraction, multiplication, and division. Notably, the intermediary computing device 204 does not have knowledge of the secret key sk, but does have knowledge of the public evaluation key evk that equals the g of the Hensel Code g-adic computations (Hg). Process 228 is part of an Eval (evaluate) 212 subsystem/algorithm that performs the necessary operations to perform homomorphic calculations on encrypted data. At process 230, the intermediary computing device 204 sends the result ciphertext cresult to the destination computing device 206.


At process 232, the destination computing device 206 decrypts the ciphertext c or the result ciphertext cresult into an unencrypted value (message m or the unencrypted calculation result r, as appropriate) in accord with Hensel Code decryption computation m (or r)=Hp1−1(Hp1(Hp4−1(c))). Process 232 is part of an Dec (decrypt) 214 subsystem/algorithm that performs the necessary operations to decrypt encrypted data.


Operational Flow Chart for a Public-Key Leveled FHE Embodiment (FIG. 3)


FIG. 3 is a flow chart 300 of operations for a public-key leveled FHE embodiment. At process 316, the source computing device 302 generates prime numbers p1, p2, p3, and p4 as a function of provided parameters λ and d. Given the parameter and the parameter d, then ρ, η, γ, and, μ are defined as follows: ρ=λ, η=dλ, μ=d2λ log2(λ)−η−2λ−3, and γ=2η+(3λ)/2+μ+3 such that the bit widths are computed as |p1|bits=λ, |p2|bits=λ+3, |p3|bits=η, and |p′4|bits=η. At process 318, the source computing device 302 computes a value p4 as a function of the prime number p4 and the parameters λ and d, such that p4 as p4=(p′4)μ/η+1. At process 320, the source computing device 302 sets a value g of Hensel Code g-adic computations (Hg) to a product of the values p1, p2, p3, p4 and a value g′ of Hensel Code g′-adic computations (Hg′) to a product of the values p3, p4. At process 322, the source computing device 302 generates values t and δe as a function of said parameters λ and d where the values t and δe, are restricted such that t←custom-character2λ-1 and δecustom-character2λ-n. At process 324, the source computing device 302 computes a value e in accord with Hensel Code value e computation e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t))+δep3). At process 326, the source computing device 302 computes a secret key sk that is comprised of the prime numbers p1 and p3 wherein the secret key sk is known to both of the source computing device 302 and the destination computing device 306, but not to other computing devices, including the intermediary computing device 304. At process 328, the source computing device 302 sets a public key pk that is comprised of the values e, g′, g=evk. Processes 316-328 are part of a Gen (generate) 308 subsystem/algorithm that performs the necessary operations to generate the necessary security keys for the encryption operations.


At process 330, the source computing device 306 generates uniform and independent values s1, s2 as a function of said parameter λ, and a value δ as a function of said values p1, p2, p4 where the values s1, s2 and δe, are restricted such that s1custom-character2λ-1, s2custom-characterp2, s1, s2custom-character2λ-η and δ←[p1p2, p1p2p4)∩custom-character. At process 332, the source computing device 306 encrypts a message m as ciphertext c in accord with Hensel Code encryption computation c=Hg(Hg′(s1e+m)+s2g′+S(g′)2). Processes 330-332 are part of an Enc (encrypt) 310 subsystem/algorithm that performs the necessary operations to encrypt the message m. At process 334, the source computing device 302 sends the ciphertext c to the destination computing device 306 if no homomorphic calculations are desired, or to the intermediary computing device 304 if homomorphic calculations are desired.


The processes 336-338 of the intermediary computing device 304 are not necessary if it is not desired to perform homomorphic calculations with at least one additional ciphertext cadditional to obtain a result ciphertext cresult, in which case the original ciphertext c may simply be sent to the destination computing device 306 for decryption. Assuming homomorphic calculation operations are desired, at process 336, the intermediary computing device 304 homomorphically computes at least one arithmetic function with said ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult. The potential arithmetic functions are one or more of addition, subtraction, multiplication, and division. Notably, the intermediary computing device 304 does not have knowledge of the secret key sk, but does have knowledge of the public key pk that includes the g of the Hensel Code g-adic computations (Hg). Process 336 is part of an Eval (evaluate) 312 subsystem/algorithm that performs the necessary operations to perform homomorphic calculations on encrypted data. At process 3380, the intermediary computing device 304 sends the result ciphertext cresult to the destination computing device 306.


At process 340, the destination computing device 306 decrypts the ciphertext c or the result ciphertext cresult into an unencrypted value (message m or the unencrypted calculation result r, as appropriate) in accord with Hensel Code decryption computation m (or r)=Hp1−1(Hp1(Hp4−1(c))). Process 340 is part of an Dec (decrypt) 314 subsystem/algorithm that performs the necessary operations to decrypt encrypted data.


The foregoing description of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and other modifications and variations may be possible in light of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application to thereby enable others skilled in the art to best utilize the invention in various embodiments and various modifications as are suited to the particular use contemplated.

Claims
  • 1. A method for private-key Fully Homomorphic Encryption (FHE) communication of a message m between a source computing device and a destination computing device, the method comprising: generating by said source computing device prime numbers p1 . . . p5 as a function of provided parameters λ and d;setting by said source computing device a secret key sk to be comprised of said prime numbers p1 . . . p5 wherein said secret key is known to both of said source computing device and said destination computing device but not to other computing devices;setting by said source computing device a public evaluation key evk to be equal to a product (Πi=15 pi) of said prime numbers p1 . . . p5 wherein said evk also equals a g of Hensel Code g-adic computations (Hg);generating by said source computing device values s1, s2, s3, and δ as a function of said prime numbers p2 . . . p4, said parameter λ, and said value g;encrypting by said source computing device said message m as ciphertext c in accord with Hensel Code encryption computation c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)|g;sending by said source computing device said ciphertext c to said destination computing device;decrypting by said destination computing device said ciphertext c back into said message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp4−1(c))).
  • 2. The method of claim 1: wherein said process of sending by said source computing device said ciphertext c to said destination computing device instead sends said ciphertext c to an intermediary computing device;wherein said intermediary computing device does not have knowledge of said secret key sk, but does have knowledge of said public evaluation key evk that equals said g of said Hensel Code g-adic computations (Hg);wherein the method of claim 1 further comprises: homomorphically computing by said intermediary computing device at least one arithmetic function with said ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; andsending by said intermediary computing device said result ciphertext cresult in place of said ciphertext c to said destination computing device; andwherein said process of decrypting by said destination computing device said ciphertext c back into said message m instead decrypts said ciphertext cresult to obtain a result r equal to an unencrypted computation of said arithmetic functions homomorphically performed as said Hensel code arithmetic functions with said ciphertext c and said at least one additional ciphertext cadditional.
  • 3. The method of claim 1 further comprising: computing by said source computing device said values ρ, ρ, γ, and μ as functions of said parameters λ and d such that ρ=λ, η=2(d+2)λ, μ=γ−η−2λ, and
  • 4. The method of claim 1 wherein said arithmetic functions are at least one of group of arithmetic functions chosen from: addition, subtraction, multiplication, and division.
  • 5. A method for public-key Fully Homomorphic Encryption (FHE) communication of a message m between a source computing device and a destination computing device, the method comprising: generating by said source computing device prime numbers p1, p2, p3, and p′4 as a function of provided parameters λ and d;computing by said source computing device a value p4 as a function of said prime number p′4 and said parameters λ and d;setting by said source computing device a value g of Hensel Code g-adic computations (Hg) to a product of said values p1, p2, p3, p4 and a value g′ of Hensel Code g′-adic computations (Hg′) to a product of said values p3, p4;generating by said source computing device values t and δe as a function of said parameters λ and d;computing by said source computing device a value e in accord with Hensel Code value e computation e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t))+δep3);setting by said source computing device a secret key sk to be comprised of said prime numbers p1 and p3 wherein said secret key skis known to both of said source computing device and said destination computing device but not to other computing devices;setting by said source computing device a public key pk to be comprised of said values e, g′, g=evk;generating by said source computing device values s1, s2 as a function of said parameter λ, and a value δ as a function of said values p1, p2, p4;encrypting by said source computing device said message m as ciphertext c in accord with Hensel Code encryption computation c=Hg(Hg′(s1e+m)+s2g′+δ(g′)2);sending by said source computing device said ciphertext c to said destination computing device;decrypting by said destination computing device said ciphertext c back into said message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp3−1(c))).
  • 6. The method of claim 5: wherein said process of sending by said source computing device said ciphertext c to said destination computing device instead sends said ciphertext c to an intermediary computing device;wherein said intermediary computing device does not have knowledge of said secret key sk, but does have knowledge of said public key pk that includes said g of said Hensel Code g-adic computations (Hg);wherein the method of claim 4 further comprises: homomorphically computing by said intermediary computing device at least one arithmetic function with said ciphertext c at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; andsending by said intermediary computing device said result ciphertext cresult in place of said ciphertext c to said destination computing device; andwherein said process of decrypting by said destination computing device said ciphertext c back into said message m instead decrypts said ciphertext cresult to obtain a result r equal to an unencrypted computation of said arithmetic functions homomorphically performed as said Hensel code arithmetic functions with said ciphertext c and said at least one additional ciphertext cadditional.
  • 7. The method of claim 5 further comprising: computing by said source computing device said values ρ, η, γ, and μ as functions of said parameters λ and d such that ρ=λ, η=dλ, μ=d2λ log2(λ)−η−2λ−3, and γ=2η+(3λ)/2+μ+3; andcomputing by said source computing device bit widths as functions of said values ρ, η, γ, and μ and said parameters λ and d such that |p1|bits=λ, |p2|bits=λ+3, |p3|bits=η, and |p′4|bits=η; andwherein said values t, δe, s1, s2, and δ are restricted such that t←2λ-1, δe←2λ-η, s1←2λ-1, s2←p2, s1, s2←2λ-η and δ←[p1p2,p1p2p4)∩; andwherein said process of computing by said source computing device said value p4 computes said value of p4 as p4=(p′4)μ/η+1.
  • 8. The method of claim 5 wherein said arithmetic functions are at least one of group of arithmetic functions chosen from: addition, subtraction, multiplication, and division.
  • 9. A private-key leveled Fully Homomorphic Encryption (FHE) system that communicates a message m between a source computing device and a destination computing device, the private-key leveled FHE system comprising: said source computing device, wherein said source device further comprises: a Gen subsystem that generates device prime numbers p1 . . . p5 as a function of provided parameters λ and d, sets a secret key sk to be comprised of said prime numbers p1 . . . p5 wherein said secret key is known to both of said source computing device and said destination computing device but not to other computing devices, sets a public evaluation key evk to be equal to a product (Πi=15 pi) of said prime numbers p1 . . . p5 wherein said evk also equals a g of Hensel Code g-adic computations (Hg);an Enc subsystem that generates device values s1, s2, s3, and δ as a function of said prime numbers p2 . . . p4, said parameter λ, and said value g, encrypts said message m as ciphertext c in accord with Hensel Code encryption computation c=|Hg(s1·{tilde over (H)}p1,p2,p3−1(0, s2, s3)+δp4)g;a ciphertext send subsystem that sends said ciphertext c to said destination computing device; andsaid destination computing device, wherein said destination computing device further comprises: a Dec subsystem that decrypts said ciphertext c back into said message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp4−1(c))).
  • 10. The private-key leveled FHE system of claim 9: wherein said ciphertext send subsystem sends said ciphertext c to an intermediary computing device;wherein said intermediary computing device does not have knowledge of said secret key sk, but does have knowledge of said public evaluation key evk that equals said g of said Hensel Code g-adic computations (Hg);wherein the private-key leveled FHE system of claim 9 further comprises: an Eval subsystem that homomorphically computes at least one arithmetic function with said ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; anda result ciphertext send subsystem that sends said result ciphertext cresult in place of said ciphertext c to said destination computing device; andwherein said Dec subsystem decrypts said ciphertext cresult to obtain a result r equal to an unencrypted computation of said arithmetic functions homomorphically performed as said Hensel code arithmetic functions with said ciphertext c and said at least one additional ciphertext cadditional.
  • 11. The private-key leveled FHE system of claim 9: wherein said Gen subsystem further computes said values ρ, η, γ, and μ as functions of said parameters λ and d such that ρ=λ, η=2(d+2)λ, μ=γ−η−2λ, and
  • 12. The private-key leveled FHE system of claim 9 wherein said arithmetic functions are at least one of group of arithmetic functions chosen from: addition, subtraction, multiplication, and division.
  • 13. A public-key leveled Fully Homomorphic Encryption (FHE) system that communicates a message m between a source computing device and a destination computing device, the private-key leveled FHE system comprising: said source computing device, wherein said source device further comprises: a Gen subsystem that generates prime numbers p1, p2, p3, and p′4 as a function of provided parameters λ and d, computes a value p4 as a function of said prime number p′4 and said parameters λ and d, sets a value g of Hensel Code g-adic computations (Hg) to a product of said values p1, p2, p3, p4 and a value g′ of Hensel Code g′-adic computations (Hg′) to a product of said values p3, p4, generates values t and δe as a function of said parameters λ and d, computes a value e in accord with Hensel Code value e computation e=Hg(Hp3({tilde over (H)}p1,p2−1(0, t))+δep3), sets a secret key sk to be comprised of said prime numbers p1 and p3 wherein said secret key skis known to both of said source computing device and said destination computing device but not to other computing devices, and sets a public key pk to be comprised of said values e, g′, g=evk;an Enc subsystem that generates values s1, s2 as a function of said parameter λ, and a value δ as a function of said values p1, p2, p4, and encrypts said message m as ciphertext c in accord with Hensel Code encryption computation c=Hg(Hg′(s1e+m)+s2g′+((g′)2);a ciphertext send subsystem that sends said ciphertext c to said destination computing device; andsaid destination computing device, wherein said destination computing device further comprises: a Dec subsystem that decrypts said ciphertext c back into said message m in accord with Hensel Code decryption computation m=Hp1−1(Hp1(Hp3−1(c))).
  • 14. The public-key leveled FHE system of claim 13: wherein said ciphertext send subsystem sends said ciphertext c to an intermediary computing device;wherein said intermediary computing device does not have knowledge of said secret key sk, but does have knowledge of said public key pk that includes said g of said Hensel Code g-adic computations (Hg)wherein the private-key leveled FHE system of claim 9 further comprises: an Eval subsystem that homomorphically computes at least one arithmetic function with said ciphertext c and at least one additional ciphertext cadditional in accord with Hensel Code arithmetic functions over integers modulo g to obtain a result ciphertext cresult; anda result ciphertext send subsystem that sends said result ciphertext cresult in place of said ciphertext c to said destination computing device; andwherein said Dec subsystem decrypts said ciphertext cresult to obtain a result r equal to an unencrypted computation of said arithmetic functions homomorphically performed as said Hensel code arithmetic functions with said ciphertext c and said at least one additional ciphertext cadditional.
  • 15. The public-key leveled FHE system of claim 13: wherein said Gen subsystem further computes said values ρ, η, γ, and μ as functions of said parameters λ and d such that ρ=λ, η=dλ, μ=d2λ log2(λ)−η−2λ−3, and γ=2η+(3λ)/2+μ+3;wherein said Gen subsystem further computes bit widths as functions of said values ρ, η, γ, and μ and said parameters λ and d such that |p1|bits=λ, |p2|bits=λ+3, |p3|bits=η, and |p′4|bits=η;wherein said Gen subsystem further computes said value p4 as p4=(p′4)μ/η+1;wherein said Gen subsystem further restricts said values t and δe, such that t←2λ-1 and δe←2λ-η; andwherein said Enc subsystem further restricts said values s1, s2, and δ such s1←2λ-1, s2←p2, s1, s2←2λ-η, and δ←[p1p2, p1p2p4)∩.
  • 16. The public-key leveled FHE system of claim 13 wherein said arithmetic functions are at least one of group of arithmetic functions chosen from: addition, subtraction, multiplication, and division.
CROSS REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of U.S. provisional application Ser. No. 63/150,884, filed Feb. 18, 2021, entitled “Private-Key Leveled Fully Homomorphic Encryption Without Bootstrapping With Hensel Codes,” all of which is also specifically incorporated herein by reference for all that it discloses and teaches.

Provisional Applications (1)
Number Date Country
63150884 Feb 2021 US