Abstract
A large part of current research in homomorphic encryption (HE) aims at making HE practical for real-world applications. In any practical use of HE, an important issue is converting the application's data type into one the HE scheme can compute on.
The main purpose of this work is to investigate an efficient HE-compatible encoding method that is generic and can easily be adapted to HE schemes over integers or polynomials.
p-adic number theory provides a way to transform rationals to integers, which makes it a natural candidate for encoding rationals. Although one may use naive number-theoretic techniques to perform rational-to-integer transformations without reference to p-adic numbers, we contend that the theory of p-adic numbers is the proper lens to view such transformations.
In this work we identify mathematical techniques (supported by p-adic number theory) as appropriate tools to construct a generic rational encoder which is compatible with HE. Based on these techniques, we propose a new encoding scheme \(\textsf{PIE}\) that can be easily combined with both AGCD-based and RLWE-based HE to perform high precision arithmetic. After presenting an abstract version of \(\textsf{PIE}\), we show how it can be attached to two well-known HE schemes: the AGCD-based \(\textsf {IDGHV}\) scheme and the RLWE-based (modified) Fan-Vercauteren scheme. We also discuss the advantages of our encoding scheme in comparison with previous works.
Notes
- 1.
FHE part of our implementation is not optimized.
- 2.
The \(k^\text {th}\) Farey sequence is the set of reduced fractions in the interval [0, 1) with numerator and denominator each at most k.
- 3.
An integer is b-rough provided it has no prime factors smaller than b.
- 4.
Primes of the form \(2^{2^n}+1\).
- 5.
Primes of the form “\(b^n+1\)” chosen from https://oeis.org/A056993.
- 6.
Since \(b^n\) is quite large, \(\frac{|\mathcal {F}_n|}{|\mathcal {P}|}\approx \frac{0.6(b^n+1)(b-1)}{b^n-1}\approx 0.6(b-1)\).
- 7.
FHE part of our implementation is not optimized.
References
The online encyclopedia of integer sequences. https://oeis.org/A056993
Arita, S., Nakasato, S.: Fully homomorphic encryption for point numbers. Cryptology ePrint Archive, Report 2016/402 (2016). https://ia.cr/2016/402
Bonte, C., Bootland, C., Bos, J.W., Castryck, W., Iliashenko, I., Vercauteren, F.: Faster homomorphic function evaluation using non-integral base encoding. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 579–600. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_28
Bos, J.W., Lauter, K.E., Naehrig, M.: Private predictive analysis on encrypted medical data. J. Biomed. Inform. 50, 234–243 (2014)
Chen, H., Laine, K., Player, R., Xia, Y.: High-precision arithmetic in homomorphic encryption. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 116–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_7
Cheon, J.H., et al.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_20
Cheon, J.H., Jeong, J., Lee, J., Lee, K.: Privacy-preserving computations of predictive medical models with minimax approximation and non-adjacent form. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 53–74. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_4
Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
Cheon, J.H., Kim, J., Lee, M.S., Yun, A.: CRT-based fully homomorphic encryption over the integers. Inf. Sci. 310, 149–162 (2015)
Costache, A., Smart, N., Vivek, S., Waller, A.: Fixed point arithmetic in SHE scheme. Cryptology ePrint Archive, Report 2016/250 (2016). https://eprint.iacr.org/2016/250
Costache, A., Smart, N.P.: Which ring based somewhat homomorphic encryption scheme is best? In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 325–340. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_19
Dowlin, N., Gilad-Bachrach, R., Laine, K., Lauter, K., Naehrig, M., Wernsing, J.: Manual for using homomorphic encryption for bioinformatics. Proc. IEEE 105(3), 552–567 (2017). https://doi.org/10.1109/JPROC.2016.2622218
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). https://eprint.iacr.org/2012/144
Gregory, R.: Error-free computation with rational numbers. BIT Numer. Math. 21(2), 194–202 (1981). https://doi.org/10.1007/BF01933164
Hoffstein, J., Silverman, J.: Optimizations for NTRU. Public-key cryptography and computational number theory (2002)
Jäschke, A., Armknecht, F.: Accelerating homomorphic computations on rational numbers. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 405–423. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_22
Knuth, D.E.: The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley Professional (2014)
Koç, Ç.K.: Parallel \(p\)-adic method for solving linear systems of equations. Parallel Comput. 23(13), 2067–2074 (1997)
Krishnamurthy, E.V.: Error-Free Polynomial Matrix Computations. Springer, New York (2012)
Lauter, K., López-Alt, A., Naehrig, M.: Private computation on encrypted genomic data. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 3–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_1
Li, X., Lu, C., Sjogren, J.A.: A method for Hensel code overflow detection. ACM SIGAPP Appl. Comput. Rev. 12(1), 6–11 (2012)
Lu, C., Li, X.: An introduction of multiple \(p\)-adic data type and its parallel implementation. In: 2014 IEEE/ACIS 13th International Conference on Computer and Information Science (ICIS), pp. 303–308. IEEE (2014)
Mahler, K.: Introduction to p-adic Numbers and Their Functions. Cambridge Tracts in Mathematics, vol. 64. Cambridge University Press (1973)
Mahler, K., et al.: Part 1: p-adic and g-adic numbers, and their approximations. In: Lectures on Diophantine Approximations, pp. 1–2. University of Notre Dame (1961)
Mukhopadhyay, A.: A solution to the polynomial hensel-code conversion problem. In: Caviness, B.F. (ed.) EUROCAL 1985. LNCS, vol. 204, p. 327. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-15984-3_288
Naehrig, M., Lauter, K., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW 2011, pp. 113–124. Association for Computing Machinery, New York (2011). https://doi.org/10.1145/2046660.2046682
Rao, T.M., Gregory, R.T.: The conversion of Hensel codes to rational numbers. In: 1981 IEEE 5th Symposium on Computer Arithmetic (ARITH), pp. 10–20. IEEE (1981)
Shoup, V.: NTL: a library for doing number theory. https://libntl.org
Shoup, V.: A Computational Introduction to Number Theory and Algebra, 2nd edn. Cambridge University Press, Cambridge (2009)
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Acknowledgements
We thank Jonathan Katz for helpful discussions. This work is fully supported by Algemetric.
Appendices
A Appendix: Encodings with Primes and Prime Powers
Assume we want to encode the following fractions:
Let \(p=11\) and \(r=3\), so \(p^{r}=1331\) and \(N = \lfloor \sqrt{(p^r-1)/2}\rfloor =25\). Since the above fractions lie in \(\mathcal {F}_{25}\), we can encode them as follows:
Due to the restriction \(\gcd (\text {denominator},p^r)=1\), many fractions \(x\big /y\) which satisfy \(|x|,|y|\le N\) cannot be encoded. E.g., when \(p^r=11^3\), 23/22 cannot be encoded. Of course, this is because the mapping \(H_{p^r}\) requires the inverse of the denominator modulo \(p^r\), which does not exist when \(\gcd (\text {denominator},p^r)\ne 1\).
A.1 Choosing the Encoding Parameters p and r
Let \(\mathcal {S}\) be a set of fractions such that
One can choose a prime that suffices for encoding and decoding all fractions in \(\mathcal {S}\) by taking the largest numerator or denominator in absolute value as the value of b and then finding a prime p such that \(p\ge 2b^2+1\), i.e. such that \(N=\lfloor \sqrt{(p-1)/2}\rfloor \ge b\).
The largest quantity in \(\mathcal {S}\) is 61, so we set \(b=61\), which means we need a prime p that satisfies \(p\ge 2(61)^2+1=7443\).
The smallest prime to satisfy the above inequality is 7451, which gives \(N=\left\lfloor \sqrt{\left( 7451-1\right) \big /2}\right\rfloor =61\). That allows us to encode all fractions in \(\mathcal {S}\). We emphasize that this process works for any finite set of rationals.
Equivalently, one could choose a small prime which is coprime with all of the denominators, and then choose an exponent r large enough to allow the fractions to be encoded. For example, \(p=3\) is coprime with all denominators in \(\mathcal {S}\), which means we must choose r large enough so that \(3^r\ge 2(61)^2+1=7443\). That is, \(r=9\), since \(3^8=6561<7443\le 3^9=19683\).
So \(p^r=3^9\) also suffices to encode the members of \(\mathcal {S}\).
However, can we actually do something with it? If we hope to compute over the image of \(\mathcal {S}\), we need to choose a prime (power) that leaves “room” for the outputs of the operations we expect to perform: the decoder \(H_{p^r}^{-1}\) always returns some rational with numerator at most N, so a result that falls outside \(\mathcal {F}_N\) simply decodes to the wrong value, with nothing to signal the overflow. Instead of sizing the prime to the inputs alone, a more conservative approach is to consider the bit length of the largest numerator or denominator together with the function one wishes to compute. If this time we let b be the bit length of the largest numerator or denominator in absolute value and the function be \(f(x_1,x_2,\ldots ,x_n)=x_1x_2\cdots x_n\), then the numerator and denominator of the output have at most nb bits, so we need a prime that satisfies \(p\ge 2^{2nb+1}+1\), i.e. \(N\ge 2^{nb}\).
Say that we have \(n=5\). Since 61 is a 6-bit number, we set \(b=6\). We now need a prime such that \(p\ge 2^{61}+1\).
We choose \(p=3693628617552068003\), a 62-bit prime, which gives us the following encodings of the members of \(\mathcal {S}\):
and we can check that
which decodes to
and matches
This example shows the intuition behind Proposition 7 and Theorem 8.
B Appendix: Extending Farey Rationals for Larger Input Space
Extending the Set \(\mathbf {\mathcal {F}_N}\). While the Farey rationals \(\mathcal {F}_N\) have a very simple description and are easy to work with, they have a downside: their size. For example, if \(p=907\), then \(N=21\) and the cardinality of \(\mathcal {F}_N\) is 559. This means that \(907-559=348\) integers in \(\mathcal {Z}_{907}\) do not have a pre-image (under \(H_{907}^{-1}\)) in \(\mathcal {F}_N\). We address this by extending \(\mathcal {F}_N\) to a set \(\mathcal {F}_{N,g}\).
Definition 9
(Extended Farey Rationals). For a positive integer g, the extended Farey rationals are defined as the set of reduced fractions:
Clearly \(\mathcal {F}_N\subseteq \mathcal {F}_{N,g}\). We also note that for all \(m\in \mathcal {F}_{N,g}\), \(H_{g}^{-1}\big (H_{g}(m)\big )=m\) (by generalizing the proof of Proposition 1(i)). The following proposition provides a necessary, though not sufficient, condition for a rational number to be in \(\mathcal {F}_{N,g}\).
Proposition 11
Let g be a positive integer, and \(N=\left\lfloor \sqrt{(g-1)\big /2}\right\rfloor \). If \(x\big /y\in \mathcal {F}_{N,g}\), then \(|x|\le N\) and \(|y|\le 2N+1\).
Proof
Let \(h\in \mathcal {Z}_{g}\), and suppose \(H_{g}^{-1}(h)=x\big /y\). By definition of \(\textsf{MEEA}\), \(x\big /y=x_i\big /y_i\) for some \(x_i,y_i\) computed by the \(\textsf{EEA}\). That \(|x|\le N\) is immediate from the definition of \(H_{g}^{-1}\) (i.e. the stopping condition in \(\textsf{MEEA}\)). The outputs of the \(\textsf{EEA}\) satisfy [29, Theorem 4.3(v)]
By definition, \(x_{i-1}> N\). Whence, for \(N'=\sqrt{(g-1)\big /2}\),
It follows that \(|y_i|\le \left\lfloor 2N'+\frac{1}{N'} \right\rfloor \le 2N+1\), completing the proof.
This proposition simplifies the process of deciding whether a given reduced rational number \(x\big /y\) is in \(\mathcal {F}_{N,g}\):
- (i) If \(|x|\le N\), \(|y|\le N\), and \(\gcd (g,y)=1\), then \(x\big /y\in \mathcal {F}_N\subset \mathcal {F}_{N,g}\).
- (ii) If \(|x|>N\) or \(|y|>2N+1\) or \(\gcd (g,y)>1\), then \(x\big /y\notin \mathcal {F}_{N,g}\).
- (iii) If \(|x|\le N\), \(N<|y|\le 2N+1\), and \(\gcd (g,y)=1\), then \(x\big /y \in \mathcal {F}_{N,g}\) if and only if \(H_{g}^{-1}\big (H_{g}\big (x\big /y\big )\big )=x\big /y\).
Two Options for the Message Space. For a fixed positive integer g, we now have two sets of rationals which can serve as the domain of the encoder:
- the Farey rationals \(\mathcal {F}_N\), and
- the extended Farey rationals \(\mathcal {F}_{N,g}\).
The advantage of \(\mathcal {F}_N\) is its simplicity. \(\mathcal {F}_{N,g}\), on the other hand, is larger than \(\mathcal {F}_N\) and, when g is prime, has exactly g elements.
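The encoder and decoder behind both appendices, written out as an added Python example that is not the authors' implementation: \(H_g(x/y)=x\cdot y^{-1} \bmod g\), \(H_g^{-1}\) as the extended Euclidean algorithm stopped at the first remainder \(\le N\) (the \(\textsf{MEEA}\)), the two parameter choices of A.1, the “room for outputs” check, and the three-case membership test of Appendix B for \(\mathcal {F}_{N,g}\). Everything not in the paper is this example's own assumption: the function names, the Miller–Rabin primality test, the constructed fraction sets SMALL and S (the paper's sets are not reproduced on this page), and the use of the first prime above \(2^{61}\) rather than the paper's 62-bit prime.

```python
"""Added example (not the paper's code): Hensel codes for rationals, Appendix A parameters, Appendix B membership."""
from fractions import Fraction
from math import gcd, isqrt

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin: exact below 3.3e24


def farey_bound(g):
    """N = floor(sqrt((g-1)/2)); then 2N^2 < g and H_g is injective on F_N."""
    return isqrt((g - 1) // 2)


def encode(m, g):
    """H_g(x/y) = x * y^{-1} mod g.  Rejects inputs outside F_N or with gcd(y, g) > 1."""
    x, y, n = m.numerator, m.denominator, farey_bound(g)   # Fraction: y > 0, gcd(x, y) = 1
    if abs(x) > n or y > n or gcd(y, g) != 1:
        raise ValueError(f"{m} cannot be encoded modulo {g}")
    return x * pow(y, -1, g) % g


def decode(h, g):
    """H_g^{-1}: extended Euclid on (g, h), stopped at the first remainder <= N (MEEA)."""
    n, r_prev, r, t_prev, t = farey_bound(g), g, h % g, 0, 1  # invariant: r == t*h (mod g)
    while r > n:
        q = r_prev // r
        r_prev, r, t_prev, t = r, r_prev - q * r, t, t_prev - q * t
    return Fraction(r, t)  # |r| <= N and |t| <= 2N+1 (Proposition 11); sign normalised


def is_prime(n):
    """Deterministic Miller-Rabin; assumption: stands in for whatever primality test the authors used."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def prime_for_bound(b):
    """Appendix A.1, first approach: smallest prime p >= 2b^2 + 1, so that N >= b."""
    return next_prime(2 * b * b + 1)


def exponent_for_bound(p, b):
    """Appendix A.1, second approach: smallest r with p^r >= 2b^2 + 1 for a fixed prime p."""
    r = 1
    while p ** r < 2 * b * b + 1:
        r += 1
    return r


def homomorphic_product(fracs, g):
    """Multiply the codes mod g and decode once; correct only if the true product lies in F_N."""
    h = 1
    for m in fracs:
        h = h * encode(m, g) % g
    return decode(h, g)


def in_extended_farey(m, g):
    """Appendix B decision procedure for a reduced x/y: case (ii), then (i), then (iii)."""
    x, y, n = m.numerator, m.denominator, farey_bound(g)
    if gcd(g, y) > 1 or abs(x) > n or y > 2 * n + 1:
        return False
    if y <= n:
        return True                                   # already in F_N
    return decode(x * pow(y, -1, g) % g, g) == m      # round trip through H_g


def extended_farey(g):
    """F_{N,g} as the image of Z_g under H_g^{-1}; exactly g elements when g is prime."""
    return {decode(h, g) for h in range(g)}


def count_beyond_farey(g):
    """Reduced x/y with |x| <= N < y <= 2N+1 that pass the test, i.e. |F_{N,g}| - |F_N|."""
    n = farey_bound(g)
    return sum(in_extended_farey(Fraction(x, y), g)
               for y in range(n + 1, 2 * n + 2) for x in range(-n, n + 1) if gcd(x, y) == 1)


# Constructed inputs; the fraction sets used in the paper are not reproduced on this page.
SMALL = [Fraction(3, 7), Fraction(-14, 25), Fraction(19, 24), Fraction(22, 23)]  # all in F_25
BAD = Fraction(23, 22)                                    # 22 = 2 * 11 is not a unit mod 11^3
S = [Fraction(61, 7), Fraction(-13, 61), Fraction(5, 3), Fraction(47, 53), Fraction(-29, 2)]

if __name__ == "__main__":
    print(prime_for_bound(61), exponent_for_bound(3, 61))             # 7451 9
    big_p = next_prime(2 ** 61 + 1)     # assumption: any 62-bit prime will do, not the paper's
    print(homomorphic_product(S, big_p))                               # 88595/2226, the exact product
    print(homomorphic_product(SMALL[2:], 11 ** 3))                     # wrong: 209/276 lies outside F_25
    print(len(extended_farey(907)), count_beyond_farey(907))           # 907 348
```

The two product calls show the point of A.1's “room” argument: with the 62-bit prime the product of the five members of S decodes exactly, while with \(p^r=11^3\) the product of \(19/24\) and \(22/23\) has numerator 209, well past \(N=25\), and the decoder hands back a different rational with no indication that anything went wrong. The counts for \(g=907\) reproduce the numbers in Appendix B: \(|\mathcal {F}_{N,g}|=907\), of which 559 are the Farey rationals and 348 have a denominator strictly between N and \(2N+1\).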
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Harmon, L., Delavignette, G., Roy, A., Silva, D. (2023). PIE: p-adic Encoding for High-Precision Arithmetic in Homomorphic Encryption. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_16
DOI: https://doi.org/10.1007/978-3-031-33488-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7