WO2018084691A2

WO2018084691A2 - Quaternion-based, efficient fully-homomorphic cryptosystem

Info

Publication number: WO2018084691A2
Application number: PCT/MA2018/050001
Authority: WO
Inventors: Dafir EL KETTANI MOHAMED; El Yahyaoui AHMED
Original assignee: University Mohammed V In Rabat
Priority date: 2016-11-07
Filing date: 2018-01-02
Publication date: 2018-05-11
Also published as: MA39511A1; WO2018084691A3

Abstract

The present invention relates to an efficient fully-homomorphic cryptosystem based on a new homomorphic and probabilistic transform between ring ℤ⁄2ℤ (ring of the residual integers modulo 2) and the modular Lipschitz integer ring. The cryptosystem of the invention can process clear messages in the form of input bits and supply ciphertexts in the form of Lipschitz quaternion matrices modulo a large even natural number η in a non-deterministic manner. The security of the present cryptosystem is based on the difficulty of solving a system of multivariate polynomial equations in a non-commutative ring. The cryptosystem can be used to further reduce multiplication computation time in fully-homomorphic encryption algorithms, since it allows the size of a secret key to be minimised and the expansion of ciphertexts to be reduced.

Description

Title: AN EFFECTIVE CRYPTOSYSTEM ENTIRELY HOMOLOGICAL BASED ON

Quaternions.

Description;

Technical area

The present invention relates to a fully homomorphous (EH) and probabilistic symmetric cryptosystem based on the use of quaternions, more particularly the use of the Lipschitz integer ring. This cryptosystem uses a homomorphic transformation between the Z / 2Z ring (the clear space) and the Lipschitz integer ring (the space of the encrypted messages) to transform a binary number {0,1} into a quaternion of Lipschitz before encrypting it.

Previous state

After the conjecture of Rivest et al [R. Rivest, L. Adleman, and M. Dertouzos. "On data banks and privacy homomorphisms," Foundations of Secure Computation, pp 169-180, 1978], the design of an EH encryption scheme remained the ambition of each cryptologist. The emergence of cloud computing in the past decade has excited researchers' efforts to realize this dream. Indeed, the cloud makes it possible to pool the structures of conservation and data processing. Data processing is considered a major force of the cloud because it has unlimited computing power. To take advantage of these privileges, we often delegate to cloud servers to perform complex calculations on private data. With standard encryption, the cloud provider must decrypt the data before doing the requested calculations. However, one of the disadvantages of this is the preservation of confidentiality between the customer and the provider. Homomorphic encryption is a great solution for this problem, its idea is very simple: do the calculation on encrypted data. If a cryptosystem allows a limited number of operations on the encrypted data, it is said to be partially homomorphic. If necessary a cryptosystem, to evaluate any treatment on the encrypted data, is said to be entirely homomorphic.

An EH cryptosystem is defined, in general, as being a quadruplet of algorithms (Gen, Enc, Dec, Eval), executing in polynomial time, such as:

• Gen (λ): is a key generation algorithm, takes a security parameter λ as input and outputs a key pair (sk, pk).

• Enc (m, pk): is an encryption algorithm, takes as input a clear message m and a so-called public key pk and outputs a cryptogram c.

• Dec (c, sk): is a decryption algorithm, takes as input a cryptogram c and a so-called secret key sk and outputs the clear message.

• Eval (C, C ₁ , .., c _n ): is an evaluation algorithm, takes as input a circuit C and cryptograms c _x , .., c _n and verifies Dec (Eval (C, c _x , .., c _n), sk) = C (m1, ..., m _n).

After having withstood nearly three decades, the conjecture of Rivest et al was finally resolved in 2009 by Craig Gentry. This invention has been the subject of US20110110525. Indeed, Gentry gave a renaissance to homomorphic cryptography research by designing an EH encryption scheme considered semantically safe. Gentry's design can be summarized in three main steps: • Somewhat Homomorphic Encryption Scheme (SWHE): Gentry starts from a schema called SWHE or simply homomorphic which supports a limited number of homomorphic multiplication.

• Squashing of the decryption circuit: Gentry reduces the complexity of the decryption circuit by publishing a set of vectors whose sum of a part of them is equal to the secret key. This 'squashed' pattern can evaluate, in addition to its SWHE capabilities, a NAND gate.

• Bootstrapping: The bootstrap procedure invented by Gentry consists of the evaluation of the decryption circuit plus the NAND to obtain a so-called 'leveled' FHE scheme which makes it possible to evaluate any circuit with a depth of the circuit initially defined.

This first scheme is based on the addition of noise to clear to obtain rhomomorphic cryptosystem. The major disadvantage of noisy schemes is the growth of noise after each manipulation of the cryptogram (addition and / or multiplication). Indeed, in order to keep the decryption capacity we must control and reduce the noise generated after each treatment. Noise control in this type of diagram increases their spatial and temporal complexity, which results in a slowness of calculations (especially during bootstrapping) and a greed for the storage space required for storing the results (noise amplification). One thing that influences the practice and application of EH encryption to everyday life. All of these causes have encouraged researchers to find other EH encryption scheme frameworks to make EH encryption applicable.

Among the most prominent attempts to simplify EH encryption schemes is the MORE cryptosystem. The latter was the subject of patent WO2014016795 A2. It is a symmetric cryptosystem based on modular rarithmetic whose rhomomorphism derives from the usual matrix operations, its multiplication and its addition are matrix multiplication and addition. In the MORE encryption scheme, the clear space is the ring Z / ηZ (ring of the integer residuals modulo n) where n is a modulo chosen as in the famous RSA algorithm whereas the space of the cryptograms is the ring modular matrices M ₂ (Z / nZ). The secret key of this cryptosystem is an invertible matrix K 6 M ₂ (Z / nZ) chosen randomly by the client and kept confidential with its inverse K ^-1 .

However, the MORE cryptosystem is not resistant to IND-CPA attacks (Indistinguishability under Chosen Plaintext Attack) and IND-KPA (Indistinguishability under Known Plaintext Attack). Indeed, if a third party of bad faith has access to only one clear and its cryptogram it will be able to decrypt any message encrypted thereafter without having found the secret key. The cryptosystem MORE has been cryptanalyzed several times [http://eprint.iacr.org/2014/250.pdf, https://www.academia.edu/26297806/].

A second attempt, to overcome the security vulnerabilities of the MORE scheme and build an EH cryptosystem, is recently due to Wang and Li [http://eprint.iacr.org/2015/641.pdf]. The two authors kept almost the same conception of MORE except that they proposed to change the ring Έ / ηΈ by a non-commutative ring R and they used square matrices of order 3 instead of matrices of order 2 Despite the use of a non-commutative ring R, the clear messages always remain numbers that commute with the elements of R.

Therefore an attack of the scheme of Wang and Li is given by Kristian Gjosteen and Martin Strand in [http://eprint.iacr.org/2016/105.pdf]. Indeed, according to these authors: to attack the cryptosystem of Wang-Li, we only need to distinguish the cryptography of 0 from a random encryption. The two authors have observed that the diagonal of the cryptogram matrix completely determines the invertibility of said matrix, since a cryptogram of "0" can not be invertible. Thus, with a high probability, the invertible elements of the ring R can be distinguished from the non-invertible elements. If the ring R is divisional, then there are no other non-invertible elements than "0". Finally, by using a variant of the LU decomposition adapted to the non commutative rings, the secret key matrix of the algorithm can be calculated efficiently.

From what has come before, it can be pointed out that there are two types of construction of EH cryptosystems:

A noise-based construct that uses the bootstrap technique as described in the Gentry framework. The advantage of this construction is its safety, since the schemas conceived so far (from this approach) are based on mathematical problems stemming from the theory of Euclidean networks, which nevertheless remains an immune and complex theory. While its major disadvantage lies in the slowness of its operations (especially the bootstrap) and the complexity of its algorithms.

A noiseless construction that uses raster operations as described in the MORE framework. This construction has the advantage of being very simple, easy to implement and provides very fast operations for any processing on cryptograms. The major disadvantage of this construction lies in the safety of the schemes designed so far. The schemas based on the MORE framework have been attacked by IND-CPA and IND-KPA. A second disadvantage resulting from the cryptosystem MORE is that it is just partially homomorphic even if its authors declare its complete homomorphism in the patent WO2014016795 A2. Indeed, this scheme is unable to handle any type of processing on cryptograms. Let us take as an example the cryptogram C = MORE (m) of the clear message m = N-1, where N is the modulo used in this cryptosystem, if we calculate C = C ² and decrypt the result we obtain m '= 1 ≠ m ² = (N-1) ² , because the operations are carried out modulo N.

A first objective of the present invention is to improve the execution time of EH cryptosystems. For this reason we will adopt the MORE framework as a build basis instead of the Gentry framework which requires a very slow bootstrap step. Our second goal is to overcome the overwhelming obstruction of security in earlier cryptosystems. We offer a safer EH cryptosystem than its predecessors and resistant to IND-CPA and IND-KPA attacks. Finally we aim that our cryptosystem is completely homomorphic, that is to say it allows to execute any type of processing on messages encrypted antipodes MORE scheme. Therefore, the choice of a well adapted space of clear is essential to concretize the whole homomorphy of our cryptosystem. We plan to use the binary space, sanctioned by the two operations XOR and AND, (this is the ringZ / 2Z) as clear space for our encryption scheme. In addition, we use a homomorphic transform that converts a bit into a Lipschitz quaternion. This allows the bits to be randomized to ensure that the diagonal does not give any useful information about the clear (avoid attacking the Li-Wang cryptosystem).

Our cryptosystem is resistant to IND-CPA and IND-KPA attacks by the non-commutative ring of Lipschitz quaternions and the use of a smaller clear space (the Z / 2Z ring). He inherits his homomorphy on the one hand from matrix operations and on the other hand from a new homomorphic transformation, between the Z / 2Z ring and the ring of Lipschitz integers, which we invented. Its entire homomorphism is obtained by manipulating these Lipschitz integers using an even modulo (n = 2. p. Description of figures

Figure 1 represents, in general, the operation of a cryptosystem EH. It explains how the Eval algorithm can be used in an encrypted data context.

Figure 2 shows the two encryption and decryption strings for our EH cryptosystem.

Figure 3 shows how we can use our cryptosystem in a computing delegation situation in a cloud.

The body of quaternionsH

A quaternion is a number in a generalized sense. Quaternions encompass real and complex numbers in a system of numbers where multiplication is no longer a commutative law.

Quaternions were introduced by the Irish mathematician William Rowan Hamilton in 1843. They now find applications in mathematics, physics, computer science and engineering.

Mathematically, the set of quaternions H is a noncommutative associative algebra on the real number field H generated by three elements i, j and h satisfying the relations: i ² = j ² = k ² = ij k = -1. all quaternion q is uniquely written as: q = a + bi + cj + dJi where a, b, c and d are real numbers.

The operations of addition and multiplication by a real scalar are terms in terms, whereas the multiplication between two quaternions is term-terms respecting the non-commutativity and the

The quaternion

q module.

bi + cj + dk.

A quaternion q is invertible if and only if its module is non-zero, and we have

Reduced form of a quaternion:

We can represent a quaternion in a more economical way, which considerably simplifies the calculations and highlights interesting results. Indeed, it is easy to see that H is a vector M-space of dimension 4, of which (l, i, j, Ji) constitutes a direct orthonormal basis. We can thus separate the real component from the pure components, and we have for q∈l, q = (o, u) with u vector of

Ring of Lipschitz integers

The set of quaternions defines as follows: = {q = a + bi + cj + dd / a, b, c, d 6 Z} has a ring structure called a ring of Lipschitz integers. Η (Ζ) is trivially non commutative.

For n 6 N ^* , the set of quaternions:

= {q = a + bi + cj + d / a, b, c, of Z / nZ} has a non-commutative ring structure.

A modular quaternion of Lipschitz q 6 is invertible if and only if its module is

first with n, that is to say \ q \ ² A n = 1.

Quaternionic matrices of M ₂ (H (Z / nZ)):

The set of matrices M ₂ (H (Z / nZ)) describes the matrices with four inputs (two rows and two columns) which are quaternions of H (Z / nZ). This set has a noncommutative ring structure.

There are two ways to multiply quaternionic matrices: the hamiltonian product, which respects the order of the factors, and the octonionic product, which does not respect it.

• The Hamiltonian product is defined as for all matrices with coefficients in a ring (not necessarily commutative). For example :

• The octonionic product does not respect the order of the factors: on the main diagonal, there is switching of the second products and on the second diagonal there is switching of the first products.

In our report we will adopt the Hamiltonian product as a multiplication operation of quaternionic matrices.

Schur complementation and invertibility of quaternionic matrices

Let JZ be any associative ring, a matrix M∈ R ^nxn is said to be invertible if

such that MN = NM = I _n where N is necessarily unique.

The Schur complement method is a very powerful tool for calculating inverses of matrices in rings. Let M∈ R ^{nxn be} a block matrix satisfying:

Supposing A is invertible, we have:

the complement of Schur of A in

Mr.

The invertibility of A ensures that the matrix M is invertible if only if ^ 4 _S is. The inverse of M

For a quaternionic matrix where the quaternion is

invertible as well as its complement of Schur has _s = d- ca ^{~ x} b we have M is invertible and:

So to randomly generate an invertible quaternionic matrix, just: (***)

• Randomly choose three quaternions a, b and c of which a is invertible.

• Randomly select the fourth quaternion d so that the Schur complement _s = d- ca ^{~ x} b of a in M is invertible.

Description of the transform and the cryptosystem

Homomorphic transform between (*)

All bit

can be transformed into a quaternion of Lipschitz according to a homomorphous transform whose operations on the quaternions preserve those on the bits. We can give this transform as follows:

bitToQuatern: σ 6 ΊZ / 2Z <→ bitToQuatern () σ = m + 2U + pj + qh 6 H (Z) such that m, t, p, q are randomly selected relative integers satisfying the two conditions: m≡ σ [ 2] and p≡ q [2]. The inverse transform that will be named quaternToBit is given by: quaternToBit (q) = Re (q) [2].

We can easily check rhomomorphism of the bitToQuatern transform:

• for addition we have: bitToQuatern (σ) + bitToQuatern ('σ) = bitToQuatern (XσORo ^J ).

• For multiplication, passing to the reduced notation of quaternions, we have bitToQuatern () σ * bitToQuatern ('σ) = (m, u) * (m', v) = (mm'-u, v, mv + u + u A v), so we can easily check that mm'- u. v≡ (aANDa ') [2] and that mv + m'u + u A v has the form (2L, P, Q) such that P≡ Q [2]. Then bitToQuatern () σ * bitToQuatern (σ ') = bitToQuatern (aANDa').

The fact that the reduction modulo an even number of a relative integer retains its parity (that is,

, allows to change the set of arrival H (Z) of the bitToQuatern transform by the set H (Z / 2nZ) while preserving its homomorphism and obtaining the same properties. In the rest of this report the bitToQuatern transform represents the bitToQuatern transform whose arrival set is H (Z / nZ) for an integer n that will be defined.

Note: Any permutation σ of the triplet (2-6, p, q) generates a transformed bitToQuatern who _has the same properties as the transformed bitToQuatern. The inverse transform for bitToQuatern _has remained unchangeable.

Cryptosystem completely homomorphic and effective

We place ourselves in a context where Bob wants to store confidential data in a very powerful cloud but not confident. Bob will later need to do complex processing on his data, which he does not have the computing power to perform them. At this level he thinks, a priori, the encryption of its sensitive data to avoid any fraudulent action. But the usual encryption, which he knows, does not allow the cloud to process its computation requests without having decrypted the previously stored data, which puts into question their confidentiality. Bob asks if he There is a convenient and efficient type of encryption that allows you to process your data without revealing it to the cloud. The answer to the request of Bob is favorable, indeed since 2009 there are cryptosystems called entirely homomorphic, whose principle is quite simple: to make the calculations on the encrypted data without thinking of any preliminary deciphering.

To be completely homomorphic, it suffices that a cryptosystem makes it possible to carry out the two operations of addition and multiplication a multitude of times on the cryptograms. Since their first appearance in 2009, EH cryptosystems make it easy to make additions while multiplication remains very expensive in terms of computation time and exhausting in terms of noise generated. Actually, on average, an addition doubles the noise of an encrypted message while a multiplication removes it squared.

In order to benefit from the cloud's technological breakthrough and outsource its heavy computation comfortably, Bob needs a robust security EH cryptosystem, whose addition and multiplication operations are done in a timely manner and whose noise generated during a treatment is manageable.

To help Bob take full advantage of the power of the cloud, we invented a probabilistic symmetric EH cryptosystem without noise. Addition and multiplication operations do not generate any noise. The multiplication is very fast and is done in less than a millisecond. Cryptosystem security is based on the difficulty of solving a system of multivariate equations in a noncommutative ring.

We can describe our cryptosystem as follows:

Key generation;

-Bob randomly generates two large prime numbers p and q.

then, it calculates n = 2. p. q.

-Bob randomly generates an invertible matrix as described in (***).

-Bob calculates the inverse of K, which will be noted K ^-1 , as described in (**).

the secret key is (K, K ^-1 ).

Encryption;

Let σ 6 Z / 2Z = {0,1} be a clear message. To encrypt σ Bob proceeds as follows:

Using the bitToQuatern transform described in (*), Bob transforms σ into a quaternion m = bitToQuatern (σ) 6 M (Z / nZ).

-Bob generates a matrix MZ) are generated

randomly.

-The cryptogram of σ is: C = Enc (σ) = KM K ^-1 6 M ₂ (H (Z / nZ)) Decryption

Either a cryptogram

To decipher C, Bob proceeds as follows:

-It calculates M = K ^-1 CK.

-Then he takes the first entry of the matrix m = (M) 1,1.

-Finally, he finds his clear message by calculating σ = quaternToBit (m).

Addition and multiplication;

Let σ ₁ and σ _{2 be} two clear messages and Cy = Enc (σ ₁ ) and C ₂ = Enc (σ ₂ ) their cryptograms respectively.

One can easily check, thanks to the bitToQuatern transform, that:

For our cryptosystem, the reduction of quaternions modulo a large number n has the advantage of giving a cryptosystem without expansion of noise. But if we use an odd modulo, the entire homomorphy can be questioned. Indeed, an odd modulo does not preserve, in general, the parity of the integers after a treatment (additions and / or multiplications) which gives a partially homomorphic cryptosystem whereas an even modulo always preserves the parity of the integers and gives a schema entirely homomorphic.

Asymmetrical version;

Our cryptosystem admits an asymmetric version by applying the Rothblum transformation to it [https://www.iacr.org/archive/tcc2011/65970216/65970216.pdf].

Utility of the invention

The scope of our cryptosystem is very wide. Its usefulness in the field of cloud computing is obvious. Among the applications of our cryptosystem we find:

1. In general, the delegation of complex calculations on sensitive data to a powerful cloud but not confident. Indeed, rexternalisation of calculation becomes an effective solution for those who possess gigantic data hosted at a subcontractor. These data are confidential in most cases and require special handling. Thanks to the computing alternatives offered by our cryptosystem, customers can store their encrypted data and ask subcontractors to make calculations on these data on demand. In particular, this cryptosystem can be very useful, in calculation delegation, in the two following cases: ❖ To encrypt data of a banking operator before their storage in a cloud. Surely, the banking sector is known for the volume and speed of the data it produces, transports and stores. The nature of a bank's data, such as customer bank account numbers, sums of money, and transactions, is highly sensitive, while cloud providers provide no privacy guarantees. and the confidentiality of this type of data. Storing the masses of data in a cloud is a very important gain for a bank. The ability to do treatments on these data, without disclosing them, in a practical time while exhausting less resources is very useful. Our cryptosystem is an adequate solution to this problem. It allows a bank to store its encrypted data in a cloud with the ability to perform any processing without decryption.

❖ Encrypt medical data of patients before they are stored in a cloud. In a medical cloud, patient data such as the biometric identifier, the social security number, the age and the state of health are personal data. The use of these data for medical research and pharmacovigilance raises the question of confidentiality of this type of data, with the rules of ethics and respect for privacy. In this context, we are interested only in the results of the treatments that can be performed on these data. Our encryption scheme allows for processing on medical data and providing the requested results while preserving data privacy and patient privacy.

2. Private information retrieval: In cryptography, private information retrieval (RIP) is a protocol that allows a user to retrieve an item from a database without revealing to the server which item has been retrieved. Homomorphic encryption makes it easy to perform such protocols. Our cryptosystem has the homomorphic property that allows it to easily perform the RIP protocol.

3. Multi-part calculation: in multi-party computing systems, several parties are interested in computing a common function, without being able to disclose their private data. The function to be calculated is publicly known, while the individual entries of the different users must remain unknown for the other parts of the system. This problem comes from the problem of computation with the encrypted data, from where the utility of the use of the homomorphic cryptography. The asymmetric version of our cryptosystem allows to implement multiparty calculations.

4. Electronic voting: The electronic voting is a special case of delegation of calculation to a third party able to calculate the result of the elections without disclosing the identities of the different candidates. In this situation homomorphic encryption allows the electoral authorities to count the votes and present the final results without going through the process of deciphering the votes and counting them afterwards. In a voting system based on homomorphic encryption, voters are just allowed to increment a counted count of 1 (indicating a vote for the candidate) where 0 (indicating the case of non-voting). In elections where each voter votes for one of the candidates among candidates, voters modify the encrypted scores by adding an £-bit vector, where exactly one entry is 1 and the rest are all 0. And they are unable to change the counters in any other way. The asymmetric version of our cryptosystem allows to implement a secure electronic voting system.

Claims

claims

1. A fully homomorphic and fast probabilistic symmetric encryption method whose clear space is {0,1} provided with XOR and AND operations while the cryptograms are Lipschitz quaternions matrices modulo a large number of natural integers n characterized in that in one embodiment the plaintext messages are encoded by a homomorphous inverse transform bitToQuatern between (Z / 2Z, XOR, AND) and (H (Z / nZ), +, x), said transform makes it possible to preserve the two XOR and AND operations on the bits and replace them with the addition and multiplication operations on the modular Lipschitz quaternions

to code a bit ff by a modular Lipschitz quaternion, proceed as follows:

-Select randomly an integer m

-Select randomly an integer

-Select randomly two integers p, q∈ Z / nZ such that p≡ q [2].

-On a bitToQuatern

Said transform is realized, otherwise, by any permutation of the triplet (2-6, p, q) and keeps the same properties of homomorphism.

2. The method according to claim 1, wherein in one embodiment the quaternToBit inverse transform makes it possible to recover a bit σ, randomized from the bitToQuatern transform or the result of a treatment (additions and / or multiplications). ) of several bits randomized from the bitToQuatern transform, the inverse transform is calculated as follows: σ = quaternToBit (jq) = Re (q) [2], where q is a Lipschitz quaternion obtained according to claim (1) and Re is his real part.

3. The method according to claim 1 is characterized in that in one embodiment, the encryption of a bit (0 or 1) which represents the plaintext message is done by transforming this bit into a quaternion into using the bitToQuatern transform, the result of this transformation is inserted at the first input of a second order triangular quaternionic matrix whose two remaining entries are quaternions chosen randomly (it is the matrix M), the continuation of the encryption is done by multiplying on the left the matrix M by an invertible quaternionic matrix K chosen randomly and by its inverse K ^-1 on the right (matrices K and K ^-1 are used as secret key for the encryption and decryption). The resulting matrix of the product KMK ^-1 constitutes the encrypted message.

4. The method according to the preceding claims is characterized in that in one embodiment, the decryption of a cryptogram C (which is a quaternionic matrix) is done by multiplying the matrix C by the matrix K ^-1 on the left and by the matrix K on the right, the continuation of the decryption is done by taking the first entry of the resulting matrix of the produces K ^-1 CK and applying the inverse transform according to claim (2), the result of these operations is the clear message after decryption.

5. The method according to the preceding claims is characterized in that in one embodiment the cryptogram multiplication method takes as input two matrices C ₁ and C ₂ cryptograms of two clear messages and σ ₂ according to claim (3), makes a matrix multiplication C ₁ . C ₂ and gives a quaternionic cryptogram matrix of the light σ = σ ₁ . σ ₂ , said matrix product can be in any order (that is, C _1, C ₂ can be calculated as C _2, C ₁ can be calculated).

6. The method according to the preceding claims is characterized in that in one embodiment the cryptogram addition method takes as input two matrices C ₁ and C ₂ cryptograms of two clear messages and σ ₂ according to claim (3), makes a C ₁ + C ₂ matrix addition and outputs a cryptogram quaternionic matrix of the light σ = (σ ₁ + σ ₂ ) mod 2.

7. The method according to the preceding claims, characterized in that if the Rothblum transform is applied to it, it becomes asymmetrical.