PIE: p-adic Encoding for High-Precision Arithmetic in Homomorphic Encryption

Abstract

A large part of current research in homomorphic encryption (HE) aims towards making HE practical for real-world applications. In any practical HE, an important issue is to convert the application data (type) to the data type suitable for the HE.

The main purpose of this work is to investigate an efficient HE-compatible encoding method that is generic, and can be easily adapted to apply to the HE schemes over integers or polynomials.

p-adic number theory provides a way to transform rationals to integers, which makes it a natural candidate for encoding rationals. Although one may use naive number-theoretic techniques to perform rational-to-integer transformations without reference to p-adic numbers, we contend that the theory of p-adic numbers is the proper lens to view such transformations.

In this work we identify mathematical techniques (supported by p-adic number theory) as appropriate tools to construct a generic rational encoder which is compatible with HE. Based on these techniques, we propose a new encoding scheme \(\textsf{PIE}\) that can be easily combined with both AGCD-based and RLWE-based HE to perform high precision arithmetic. After presenting an abstract version of \(\textsf{PIE}\), we show how it can be attached to two well-known HE schemes: the AGCD-based \(\textsf {IDGHV}\) scheme and the RLWE-based (modified) Fan-Vercauteren scheme. We also discuss the advantages of our encoding scheme in comparison with previous works.

Appendices

A Appendix: Encodings with Primes and Prime Powers

Assume we want to encode the following fractions:

$$\begin{aligned} m_{1}=-\frac{2}{3},m_{2}=-\frac{1}{2},m_{3}=\frac{1}{3}. \end{aligned}$$

(15)

Let \(p=11\) and \(r=3\), so \(p^{r}=1331\) and \(N = \lfloor \sqrt{(p^r-1)/2}\rfloor =25\). Since the above fractions lie in \(\mathcal {F}_{25}\), we can encode them as follows:

$$\begin{aligned} \left. \begin{array}{l} m_{1} =H_{1331}\left( -\frac{2}{3}\right) =443,\\ \\ m_{2} =H_{1331}\left( -\frac{1}{2}\right) =665,\\ \\ m_{3} =H_{1331}\left( \frac{1}{3}\right) =444. \end{array}\right. \end{aligned}$$

Due to the restriction \(\gcd (\text {denominator},p^r)=1\), many fractions \(x\big /y\) which satisfy \(|x|,|y|\le N\) cannot be encoded. E.g., when \(p^r=11^3\), 23/22 cannot be encoded. Of course, this is because the mapping \(H_{p^r}\) requires the inverse of the denominator modulo \(p^r\), which does not exist when \(\gcd (\text {denominator},p^r)\ne 1\).

1.1 A.1 Choosing the Encoding Parameters p and r

Let \(\mathcal {S}\) be a set of fractions such that

$$\begin{aligned} \mathcal {S}=\left\{ -\frac{13}{25},\frac{23}{19},\frac{31}{5},\frac{17}{61},\frac{48}{23}\right\} . \end{aligned}$$

One can choose a prime that is sufficient for encoding and decoding all fractions by simply checking the largest numerator or denominator in absolute value and set it as the value of b and then find the right prime p such that

$$\begin{aligned} p\ge 2b^{2}+1. \end{aligned}$$

The largest quantity in \(\mathcal {S}\) is 61, so we set \(b=61\) which means we need a prime p that satisfies

$$\begin{aligned} p\ge 7443. \end{aligned}$$

The smallest prime to satisfy the above inequality is 7451 which gives \(N=\left\lfloor \sqrt{\left( 7451-1\right) \big /2}\right\rfloor =61\). That allows us to encode all fractions in \(\mathcal {S}\). We emphasize that this process works for any finite set of rationals.

Equivalently, one could choose a small prime which is co-prime with all of the denominators, and then choose an exponent r large enough to allow the fractions to be encoded. For example, \(p=3\) is co-prime with all denominators in \(\mathcal {S}\), which means we must choose r large enough so that \(3^r\ge 2(61)^2+1=7443\). That is,

$$\begin{aligned} r\ge \frac{\log (7443)}{\log (3)}\approx 8.1. \end{aligned}$$

So \(p^r=3^9\) also suffices to encode the members of \(\mathcal {S}\).

However, can we actually do something with it? If we hope to compute over the image of \(\mathcal {S}\), we need to choose a prime (power) that allows “room” for including the outputs of the operations we expect to work with. Instead of choosing a prime from strict parameters, a more conservative approach could be to consider the bit length of the largest numerator or denominator and the function one wishes to compute. If this time we let b be the bit-length of the largest numerator or denominator in absolute value and the function be \(f(x_1,x_2,\ldots ,x_n)=x_1x_2\cdots x_n\), then we need a prime that satisfies the following inequality:

$$\begin{aligned} \left| p\right| _{\text {bits}}>2bn+1. \end{aligned}$$

Say that we have \(n=5\). Since 61 is a 6-bit number, we set \(b=6\). We now need a prime such that

$$\begin{aligned} \left| p\right| _{\text {bits}}>61. \end{aligned}$$

We choose \(p=3693628617552068003\), a 62-bit prime which give us the following encodings of the members of \(\mathcal {S}\):

$$\begin{aligned} \left. \begin{array}{llc} h_{1} =H_{p}\left( -\frac{13}{25}\right) &{} =3102648038743737122,\\ h_{2} =H_{p}\left( \frac{23}{19}\right) &{} =2138416568056460424,\\ h_{3} =H_{p}\left( \frac{31}{5}\right) &{} =2216177170531240808,\\ h_{4} =H_{p}\left( \frac{17}{61}\right) &{} =3390872173490423085,\\ h_{5} =H_{p}\left( \frac{48}{23}\right) &{} =321185097178440698, \end{array}\right. \end{aligned}$$

and we can check that

$$\begin{aligned} \prod _{i=1}^{5}h_{i}\bmod p=2444130464540096986 \end{aligned}$$

which decodes to

$$\begin{aligned} H_{p}^{-1}\left( 2444130464540096986\right) =\frac{-328848}{144875} \end{aligned}$$

and matches

$$\begin{aligned} -\frac{13}{25}\cdot \frac{23}{19}\cdot \frac{31}{5}\cdot \frac{17}{61}\cdot \frac{48}{23}=\frac{-328848}{144875}. \end{aligned}$$

This example shows the intuition behind Proposition 7 and Theorem 8.

B Appendix: Extending Farey Rationals for Larger Input Space

Extending the Set \(\mathbf {\mathcal {F}_N}\). While the Farey rationals \(\mathcal {F}_N\) have a very simple description and are easy to work with, they have a downside: their size. For example, if \(p=907\), then \(N=21\) and the cardinality of \(\mathcal {F}_N\) is 559. This means that \(907-559=348\) integers in \(Z_{907}\) do not have a pre-image (under \(H_{907}^{-1}\)) in \(\mathcal {F}_N\). We address this by extending \(\mathcal {F}_N\) to a set \(\mathcal {F}_{N,g}\)

Definition 9

(Extended Farey Rationals). For a positive integer g, the extended Farey rationals are defined as the set of reduced fractions:

$$\begin{aligned} \mathcal {F}_{N,g} = \left\{ \frac{x}{y}\,\Bigg |\, \exists h\in \mathcal {Z}_g\text { s.t. }\textsf{MEEA}(g,h)=(x,y),\,\gcd (g,y)=1\right\} . \end{aligned}$$

Clearly \(\mathcal {F}_N\subseteq \mathcal {F}_{N,g}\). We also note that for all \(m\in \mathcal {F}_{N,g}\), \(H_{g}^{-1}\big (H_{g}(m)\big )=m\) \(\big (\)generalize proof of Proposition 1(i)\(\big )\). The following lemma provides a necessary, though not sufficient, condition for a rational number to be in \(\mathcal {F}_{N,g}\).

Proposition 11

Let g be a positive integer, and \(N=\left\lfloor \sqrt{(g-1)\big /2}\right\rfloor \). If \(x\big /y\in \mathcal {F}_{N,g}\), then \(|x|\le N\) and \(|y|\le 2N+1\).

Proof

Let \(h\in \mathcal {Z}_{g}\), and suppose \(H_{g}^{-1}(h)=x\big /y\). By definition of \(\textsf{MEEA}\), \(x\big /y=x_i\big /y_i\) for some \(x_i,y_i\) computed by the \(\textsf{EEA}\). That \(|x|\le N\) is immediate from the definition of \(H_{g}^{-1}\) (i.e. the stopping condition in \(\textsf{MEEA}\)). The outputs of the \(\textsf{EEA}\) satisfy [29, Theorem 4.3(v)]

$$\begin{aligned} |y_k|\le \frac{x_0}{x_{k-1}},\,\text { for all }\, k. \end{aligned}$$

By definition, \(x_{i-1}> N\). Whence, for \(N'=\sqrt{(g-1)\big /2}\),

$$\begin{aligned} |y_i|\le \frac{g}{x_{i-1}}<\frac{g}{N'}<\frac{2(N')^2+1}{N'}=2N'+\frac{1}{N'} \end{aligned}$$

It follows that \(|y_i|\le \big \lfloor 2N'+1\big /N' \big \rfloor \le 2N+1\), completing the proof.

This proposition simplifies the process of deciding whether a given reduced rational number \(x\big /y\) is in \(\mathcal {F}_{N,g}\):

1. (i)

   If \(|x|\le N\), \(|y|\le N\), and \(\gcd (g,y)=1\), then \(x\big /y\in \mathcal {F}_N\subset \mathcal {F}_{N,g}\).

2. (ii)

   If \(|x|>N\) or \(|y|>2N+1\) or \(\gcd (g,y)>1\), then \(x\big /y\notin \mathcal {F}_{N,g}\).

3. (iii)

   If \(|x|\le N\), \(N<|y|\le 2N+1\), and \(\gcd (g,y)=1\), then

   \(x\big /y \in \mathcal {F}_{N,g}\) if and only if \(H_{g}^{-1}\big (H_{g}\big (x\big /y\big )\big )=x\big /y\).

Two Options for the Message Space. For a fixed positive integer g, we now have two sets of rationals which can serve as the domain of the encoder:

• the Farey rationals \(\mathcal {F}_N\), and

• the extended Farey rationals \(\mathcal {F}_{N,g}\).

The advantage of \(\mathcal {F}_N\) is its simplicity. \(\mathcal {F}_{N,g}\), on the other hand, is larger than \(\mathcal {F}_N\) and, when g is prime, has exactly g elements.