Fully Homomorphic Public-Key Encryption Against Ciphertext Square Attack with Two Ciphertexts

2018; 3(2): 50-65

http://www.sciencepublishinggroup.com/j/ijics doi: 10.11648/j.ijics.20180302.15

ISSN: 2575-1700 (Print); ISSN: 2575-1719 (Online)

Fully Homomorphic Public-Key Encryption Against

Ciphertext Square Attack with Two Ciphertexts

Masahiro Yagisawa

Yokohama-shi, Kanagawa-ken, Japan

Email address:

[email protected]

To cite this article:

Masahiro Yagisawa. Fully Homomorphic Public-Key Encryption Against Ciphertext Square Attack with Two Ciphertexts. International Journal of Information and Communication Sciences. Vol. 3, No. 2, 2018, pp. 50-65. doi: 10.11648/j.ijics.20180302.15

Received: July 12, 2018; Accepted: September 4, 2018; Published: October 8, 2018

Abstract:

A fully homomorphic public-key encryption (FHPKE) is the important cryptosystem as the basic scheme for the cloud computing. Since Gentry discovered in 2009 the first fully homomorphic encryption scheme, some fully homomorphic encryption schemes were proposed. In the systems proposed until now the bootstrapping process is the main bottleneck and the large complexity for computing the ciphertext is required. The existence of an efficient fully homomorphic cryptosystem would have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing. In recent year Yagisawa proposed fully homomorphic encryptions without bootstrapping which have the weak point in the enciphering function or not immune from “ciphertext square attack” which is the attack proposed in this article. In this article, a new FHPKE against “ciphertext square attack” is proposed which does not need the bootstrapping and does not require the large complexity for enciphering. The scheme has the following features; (a) its security bases on computational difficulty to solve the multivariate algebraic equations of high degrees; (b) it requires two ciphertexts corresponding to a plaintext. We describe concretely how to construct the proposed system over octonion ring. It is shown that proposed system is immune from “ciphertext square attack”, “m and -m attack” and the Gröbner basis attacks and the complexity to encipher and decipher is not large.

Keywords:

Two Ciphertexts, Ciphertext Square Attack, Fully Homomorphic Public-Key Encryption, Multivariate Algebraic Equation, Gröbner Basis, Non-associative Ring

1. Introduction

A cryptosystem which supports both addition and multiplication (thereby preserving the ring structure of the plaintexts) is known as fully homomorphic encryption (FHE) and is very powerful. Using such a scheme, any circuit can be homomorphically evaluated, effectively allowing the construction of programs which may be run on encryptions of their inputs to produce an encryption of their output. Since such a program never decrypts its input, it can be run by an untrusted party without revealing its inputs and internal state. The existence of an efficient and fully homomorphic cryptosystem would have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing.

In 2009 Gentry, an IBM researcher, has created a homomorphic encryption scheme that makes it possible to encrypt the data in such a way that performing a

mathematical operation on the encrypted information and then decrypting the result produces the same answer as performing an analogous operation on the unencrypted data [1, 2].

But in Gentry’s scheme a task like finding a piece of text in an e-mail requires chaining together thousands of basic operations. His solution was to use a second layer of encryption, essentially to protect intermediate results when the system broke down and needed to be reset.

Some fully homomorphic encryption schemes were proposed until now [3-7].

In recent year Yagisawa proposed fully homomorphic encryptions without bootstrapping [8, 9] which have the weak point in the enciphering function [10]. After that Yagisawa proposed the some fully homomorphic encryption schemes [11-13].

another fully homomorphic public-key system against “ciphertext square attack” with two ciphertexts which is based on computational difficulty to solve the multivariate algebraic equations of high degree while the almost all multivariate cryptosystems [14-17] proposed until now are based on the quadratic equations avoiding the explosion of the coefficients. Proposed scheme is immune from the Gröbner basis [18] attack, the differential attack, rank attack and so on.

2. Preliminaries for Octonion Operation

In this section we describe the operations on octonion ring and properties of octonion ring.

2.1. Multiplication and Addition on Octonion Ring O

Let q be a fixed modulus to be as large prime as 22000_. Let O be the octonion [19] ring over a finite field Fq.

O={(a0,a1,…,a7)|aj∈ Fq (j=0,1,…,7)} (1)

We define the multiplication and addition of A,B∈O as follows. A=(a0,a1,…,a7), aj∈ Fq (j=0,1,…,7), (2)

B=(b0,b1,…,b7), bj∈ Fq (j=0,1,…,7). (3)

AB mod q = (a0b0 - a1b1- a2b2- a3b3-a4b4- a5b5-a6b6-a7b7 mod q, a0b1+a1b0+a2b4+a3b7-a4b2+a5b6-a6b5-a7b3 mod q, a0b2-a1b4+a2b0+a3b5+a4b1-a5b3+a6b7-a7b6 mod q, a0b3-a1b7-a2b5+a3b0+a4b6+a5b2-a6b4+a7b1 mod q, a0b4+a1b2-a2b1-a3b6+a4b0+a5b7+a6b3-a7b5 mod q, a0b5-a1b6+a2b3-a3b2-a4b7+a5b0+a6b1+a7b4 mod q, a0b6+a1b5-a2b7+a3b4-a4b3-a5b1+a6b0+a7b2 mod q, a0b7+a1b3+a2b6-a3b1+a4b5-a5b4-a6b2+a7b0 mod q) (4)

A+B mod q =(a0+b0 mod q, a1+b1 mod q, a2+b2 mod q, a3+b3 mod q , a4+b4 mod q, a5+b5 mod q, a6+b6 mod q, a7+b7 mod q). (5)

Let |A|2_{= a} 02+a12+…+a72mod q. (6)

If |A|2_{≠0 mod q, we can have A}-1_{, the inverse of A by using} the algorithm Octinv(A) such that A-1_=(a 0/|A|2 mod q,-a1/|A|2 mod q,…,-a7/|A|2 mod q) ←Octinv(A). (7)

Here details of the algorithm Octinv(A) are omitted and can be looked up in the Appendix A. 2.2. Property of Multiplication over Octonion Ring O A,B,C etc.∈O satisfy the following formulae in general where A,B and C have the inverse A-1 , B-1 and C-1 mod q. (1) Non-commutative AB≠BA mod q. (8)

(2) Non-associative A(BC)≠(AB)C mod q. (9)

(3) Alternative (AA)B=A(AB) mod q, (10)

A(BB)=(AB)B mod q, (11)

(AB)A=A(BA) mod q. (12)

(4) Moufang’s formulae [19], C(A(CB))=((CA)C)B mod q, (13)

A(C(BC))=((AC)B)C mod q, (14)

(CA)(BC)=(C(AB))C mod q, (15)

(CA)(BC)=C((AB)C) mod q. (16)

(5) Lemma 1 A-1_{(AB)= B mod q, (17)}

(BA)A-1= B mod q. (18)

(Proof:) Here proof is omitted and can be looked up in the Appendix B. (6) Lemma 2 (A-1_B)A=A-1_{(BA) mod q. (19)}

(Proof) From (12) A-1_B=A-1_((BA)A-1_)=(A-1_(BA))A-1 _{mod q. (20)}

By multiplying A from right side we have (A-1_B)A=A-1_{(BA) mod q. q.e.d. (21)}

(7) Lemma 3 (ABA-1_{)( ABA}-1 _{)= AB}2_A-1 _{mod q. (22)}

(8) Theorem 1

A2_=-L

A1+ 2a0A mod q, (24)

where LA= a02+a12+a22+a32+a42+a52+a62+a72 mod q∈Fq, (25) 1=(1,0,0,0,0,0,0,0)∈O, (26)

A=(a0,a1,…,a7)∈O. (27)

(Proof:) A2 _{mod q} =( a0a0 - a1a1 - a2a2- a3a3- a4a4- a5a5-a6a6-a7a7 mod q, a0a1+a1a0+a2a4+a3a7-a4a2+a5a6-a6a5-a7a3 mod q, a0a2-a1a4+a2a0+a3a5+a4a1-a5a3+a6a7-a7a6 mod q, a0a3-a1a7-a2a5+a3a0+a4a6+a5a2-a6a4+a7a1 mod q, a0a4+a1a2-a2a1-a3a6+a4a0+a5a7+a6a3-a7a5 mod q, a0a5-a1a6+a2a3-a3a2-a4a7+a5a0+a6a1+a7a4 mod q, a0a6+a1a5-a2a7+a3a4-a4a3-a5a1+a6a0+a7a2 mod q, a0a7+a1a3+a2a6-a3a1+a4a5-a5a4-a6a2+a7a0 mod q) =(2a02- LA mod q, 2a0a1 mod q, 2a0a2 mod q, 2a0a3 mod q, 2a0a4 mod q, 2a0a5 mod q,2a0a6 mod q, 2a0a7 mod q) =-LA1+2a0(a0,a1,…,a7) mod q, =-LA1+2a0A mod q, (28)

where LA= a02+a12+a22+a32+a42+a52+a62+a72 mod q∈Fq. (29) q.e.d. (9) Theorem 2 Let A*:=(a0,-a1,…,-a7)∈O be the conjugate of A=(a0, a1,…,a7)∈O. We have AA*= A*A= LA1∈O (30)

where LA= a02+a12+…+a72 mod q∈Fq. (31)

(Proof:) As A+A*=(2a0,0,…,0)=2a01∈O, (32)

A2_{=- L} A 1+2a0A = -LA1+( A+A*)A = -LA1+ A ( A+A*) mod q, (33)

we have LA1=A*A = AA*mod q∈O. q.e.d. (34)

(10) Theorem 3 LALB= LAB mod q∈Fq (35)

where A=(a0,a1,…,a7), B=(b0,b1,…,b7) , C=(c0,c1,…,c7)∈O, (36) C=AB mod q∈O, (37)

LA=a02+a12+…+a72 mod q, (38)

LB=b02+b12+…+b72 mod q, (39)

LAB=c02+c12+…+c72 mod q (40)

(Proof:) Here proof is omitted and can be looked up in the Appendix C. (11) Theorem 4 D∈O does not exist that satisfies the following equation. B(AX)=DX mod q∈O[X], (41)

where B,A,D∈O and X are variables. (Proof:) When X=1, we have BA=D mod q. (42)

Then B(AX)=(BA)X mod q. (43)

We can select C∈O that satisfies B(AC)≠(BA)C mod q. (44)

We substitute C∈O to X to obtain B(AC)=(BA)C mod q. (45)

(45) is contradictory to (44). q.e.d. (12) Theorem 5 D∈O does not exist that satisfies the following equation. C(B(AX))=DX mod q∈O[X], (46)

where C,B,A,D∈O, C has inverse C -1 _{mod q and X is a} variable. B,A and C are non-associative, that is, B(AC)≠(BA)C mod q. (47)

(Proof:) If D exists, we have at X=1 C(BA)=D mod q. (48)

Then C(B(AX))=(C(BA))X mod q. (49)

We substitute C to X to obtain C(B(AC))=(C(BA))C mod q. (50)

From (12) C(B(AC))=(C(BA))C=C((BA)C) mod q. (51)

(52) is contradictory to (47). q.e.d. (13) Theorem 6

D and E∈O do not exist that satisfy the following equation.

C(B(AX))= E (DX) mod q∈O[X], (53)

where C,B,A,D and E∈O have inverse and X is a variable and A,B,C are non-associative, that is, C(BA)≠(CB)A mod q. (54)

(Proof:) If D and E exist, we have at X=1 C(BA)=ED mod q. (55)

We have at X=(ED)-1_=D-1_E-1 _{mod q} C(B(A(D-1_E-1_{)))= E (D(D}-1_E-1_{)) mod q=1, (56)}

(C(B(A(D-1_E-1₎₎₎₎-1 _{mod q=1, (57)}

(((ED)A-1)B-1)C-1 mod q=1, (58)

ED =(CB)A mod q. (59)

From (55) and (59) we have C(BA) =(CB)A mod q. (60)

(60) is contradictory to (54). q.e.d. (14) Theorem 7 D∈O does not exist that satisfies the following equation. A(B(A-1_{X))=DX mod q} ∈O[X], (61)

where B,A,D∈O, A has the inverse A -1 _{mod q and X is a} variable. (Proof:) If D exists, we have at X=1 A(BA-1_{)=D mod q. (62)}

Then A(B(A-1_X))=(A(BA-1_{))X mod q. (63)}

We can select C∈O such that (BA-1_)(CA2_{) ≠((BA}-1_)C)A2 _{mod q. (64)}

That is, (BA-1_{), C and A}2 _{are non-associative.} Substituting CA to X in (63), we have A(B(A-1(CA)))=(A(BA-1))(CA) mod q. (65)

From Lemma 2 A(B((A-1_C)A))=(A(BA-1_{))(CA) mod q. (66)}

From (16) A(B((A-1_{C)A)))=A([(BA}-1_{)C]A) mod q. (67)}

By multiplying A-1 _{from left side we have} B((A-1_{C)A))= ((BA}-1_{)C)A mod q. (68)}

From Lemma 2 B(A-1_(CA))=((BA-1_{)C)A mod q. (69)}

Transforming CA to ((CA2)A-1), we have B(A-1_((CA2_)A-1_))=((BA-1_{)C)A mod q. (70)}

From (14) we have ((BA-1_)(CA2_))A-1_=((BA-1_{)C)A mod q. (71)}

Multiply A from right side we have (BA-1_)(CA2_)=((BA-1_)C)A2 _{mod q. (72)}

(72) is contradictory to (64). q.e.d.

3. Yagisawa’s Scheme

In recent year Yagisawa proposed fully homomorphic public-key encryptions with medium texts which consist of some octonion elements [11-13]. We describe ” Fully homomorphic public-key encryption with small ciphertext size” [13] as an example of Yagisawa’s encryption scheme. 3.1. Yagisawa’s Encryption Scheme Let q be a prime. We select the elements G=(g0,g1,…, g7)∈O and H=(h0,h1,…,h7)∈O such that [G]0=g0=1/2 mod q, (73)

[H]0=h0=0 mod q, (74)

LG:=|G|2= g02+g12+…+g72=0 mod q , (75)

LH:=|H|2= h02+h12+…+h72=0 mod q , (76)

g1h1+g2h2+…+ g7h7=0 mod q, (77)

where we denote i-th element of octonion K∈O such as [K]i. Then we have [GH]0= [HG]0=g0h0-(g1h1+g2h2+…+ g7h7)=0 mod q , G2 _{mod q =2g} 0G=G, (78)

H2 _{mod q =2h} 0H =0=(0,0…,0). (79)

Let p∈Fq be a plaintext and u,v,w∈Fq be the random numbers. The medium text M ∈O is defined as M:=pG+uH+vGH+wHG mod q∈O. (80)

The plaintext p is given from the medium text M such that p= 2[M]0 mod q∈Fq. (81)

EA(X,Y):=A1(…(ArA(Y(ArA-1(…(A1-1X)…))))…) mod q∈ O[X,Y]

={eAijk}(i,j,k=0,…,7). (82)

Let skB=(rB ,AB j(j=1,…,rB)) be a secret key of user B and pkB=({eBijk}0≦i,j,k≦7 ) be the public key of user B such that

EB(X,Y):= B1(…(BrB(Y(BrB-1(…(B1-1X)…))))…) mod q∈ O[X,Y]

={eBijk}(i,j,k=0,…,7). (83)

Let EBA(X,Y) be the common enciphering function between user A and user B such that

EBA(X,Y) : =A1(…(ArA(B1(…(BrB(Y(BrB-1( BrB-1-1 (…(B1-1

(ArA-1(…(A1-1X)…)))…)))))…)))…) mod q∈O[X,Y] (84)

Let C(X,p) be the ciphertext of the plaintext p such that C(X,p):= EBA(X,M)∈O[X,Y]

=A1(..(ArA(B1(..(BrB(M(BrB-1(..(B1-1(ArA-1(..(A1-1X)..)mod q

={cjkl} (j,k,l=0,…,7), (85)

where

M= pG+uH+vGH+wHG∈O ,u,v,w∈Fq. (86)

3.2. Analysis of Yagisawa’s Encryption Scheme

We adopt“ciphertext square attack”. We calculate M2 _mod q here.

As |M|2_{=0 mod q from [13],}

M2_=-|M|2_1+2[M]

0M mod q

=2[pG]0M mod q

=pM mod q. (87)

Then we have

C(C(X,p),p)= A1(…(ArA(B1(…(BrB(M(BrB-1(…(B1-1(ArA-1 (… (A1-1[A1(…(ArA(B1(…(BrB(M(BrB-1(…(B1-1(ArA-1(…(A1-1 X) …)])…)mod q

= A1(…(ArA(B1(…(BrB(M2(BrB-1(…(B1-1(ArA-1(…(A1-1X) …)mod q

=A1(…(ArA(B1(…(BrB(pM(BrB-1(…(B1-1(ArA-1(…(A1-1X) …)mod q

= pC(X,p) mod q. (88)

That is, we get the plaintext p.

We call the above scheme “ciphertext square attack (CSA)”.

As the norm of medium text |M|2 _{is zero and the 0-th} element of medium text [M]0 consists of the plaintext p, ciphertext square attack is efficient. In next section we describe the enciphering system where the norm of medium text |M|2 _{is not zero and the 0-th element of medium text [M]}

0 consists of the plaintext and a random parameter.

4. Proposed Fully Homomorphic

Public-Key Encryption Scheme

We propose the encryption scheme with two ciphertextsto be immune from “ciphertext square attack”.

4.1. Definition of Homomorphic Public-Key Encryption

A homomorphic public-key encryption scheme HPKE := (KeyGen; Enc; Dec; Eval) is a quadruple of PPT (Probabilistic polynomial time) algorithms.

In this work, the medium text space Me of the encryption schemes will be octonion ring, and the functions to be evaluated will be represented as arithmetic circuits over this ring, composed of addition and multiplication gates. The syntax of these algorithms is given as follows.

-Key-Generation. The algorithm KeyGen, on input the security parameter 1λ, outputs (sk) ← KeyGen(1λ) , where sk is a secret key and (pk) ← KeyGen(1λ) , where pk is a public key.

-Encryption. The algorithm Enc, on input system parameter (q,S), secret key(sk), public key(pk) and a plaintext m∈Fq, outputs a ciphertext C∈O←Enc(sk,pk;m)

where S∈O is a part of system parameter such that S -1

mod q∈O exists.

-Decryption. The algorithm Dec, on input system parameter (q,S), secret key(sk) and a ciphertext C, outputs a plaintext m*←Dec(sk;C).

-Homomorphic-Evaluation. The algorithm Eval, on input system parameter (q,S), an arithmetic circuit ckt, and a tuple of n ciphertexts (C1,…,Cn),outputs a ciphertext C’ ← Eval (ckt; C1,…,Cn).

4.2. Definition of Fully Homomorphic Public-Key Encryption

A scheme HPKE is fully homomorphic if it is both compact and homomorphic with respect to a class of circuits. More formally:

Definition (Fully homomorphic public-key encryption). A homomorphic encryption scheme HPKE :=(KeyGen; Enc; Dec; Eval) is fully homomorphic if it satisfies the following properties:

(1) Homomorphism: Let CR = {CRλ}λ∈N be the set of all polynomial sized arithmetic circuits. On input sk ←KeyGen(1λ),∀ckt ∈CRλ,∀(m1,…, mn)∈Fq

n

where n = n(λ), ∀(C1,…,Cn) where Ci← Enc(sk,pk;mi) (i=1,..,n), it holds that:

Pr[Dec(sk;Eval(ckt; C1,…,Cn)) ≠ ckt(m1,…, mn)] = negl(λ).

4.3. Medium Text

We define the medium text 1_M,2_M

∈O which are adopted in proposed fully homomorphic public-key encryption (FHPKE) scheme as follows.

We select the modulus q to be the prime.

We select the secret elements G=(g0,g1,…, g7)∈O and H=(h0,-g1,…, -g7)∈O such that

[G]0=g0=1/2 mod q, (89)

[H]0=h0=1/2 mod q, (90)

[G]1=g1≠0 mod q, (91)

G+H=1 mod q, (92)

LG:=|G|2= g02+g12+…+g72=0 mod q , (93)

LH:=|H|2= h02+g12+…+g72=0 mod q , (94)

where we denote i-th element of octonion K∈O such as [K]i. Then we have G2 _{mod q =2g} 0G=G, (95)

H2 _{mod q =2h} 0H =H. (96)

Let m∈Fq be a plaintext , h,k∈Fq,(h≠k) be fixed secret parameters and u,v∈Fq be the random numbers where h and k are given in (99),(100). The medium text 1_{M ,}2_M ∈O are defined as 1_{M:=(m+u)G+(m+v)H mod q} ∈O, (97)

2_{M:=(m+hu)G+(m+kv)H mod q} ∈O, (98)

h2_{+2h-1 =αh mod q, (99)}

k2_{+2k-1 =αk mod q, (100)}

where α∈Fq is an arbitrary parameter. The plaintext m is given from the medium text 1_{M or} 2_M such that m=[1_M] 0+[1M]1(h+k)/(2g1(h-k))-[2M]1/(g1(h-k)) mod q∈Fq. (101) Let skA=(rA ,A j(j=1,…,rA),GA) be a secret key of user A and pkA=({eAijk}0≦i,j,k≦7) be the public key of user A such that EA(X,Y):=A1(…(ArA(Y(ArA-1(…(A1-1X)…))))…) mod q∈ O[X,Y] ={eAijk}(i,j,k=0,…,7). (102)

Let skB=(rB ,AB j(j=1,…,rB) ,GB) be a secret key of user B and pkB=({eBijk}0≦i,j,k≦7 ) be the public key of user B such that EB(X,Y):= B1(…(BrB(Y(BrB-1(…(B1-1X)…))))…) mod q∈ O[X,Y] ={eBijk}(i,j,k=0,…,7). (103)

Let EBA(X,Y) be the common enciphering function between user A and user B such that EBA(X,Y) : =A1(…(ArA(B1(…(BrB(Y(BrB-1( BrB-1-1 (…(B1-1 (ArA-1(…(A1-1X)…)))…)))))…)))…) mod q∈O[X,Y] (104) Let C(m) be the ciphertext corresponding to the plaintext m such that i_{C(m):= E} BA(iM,S)∈O =A1(…(ArA(B1(…(BrB(S(BrB-1(…(B1-1(ArA-1(…(A1-1 ( i_{M)…) mod q} ={i_c j} (i=1,2; j=0,…,7), (105)

where 1_{M:= (m+u)G+(m+v)H mod q} ∈O, (106)

2_{M:= (m+hu)G+(m+kv)H mod q} ∈O, (107) m,u,v∈Fq, (108) S∈O is one of the system parameters. (Addition and multiplication of medium texts) [Addition] Let 1_M 1:= (m1+u1)G+(m1+v1)H mod q∈O, (109)

2_M 1:= (m1+hu1)G+(m1+kv1)H mod q∈O, (110) be medium texts corresponding to the plaintext m1 and 1_M 2:= (m2+u2)G+(m2+v2)H mod q∈O, (111)

2_M 2:= (m2+hu2)G+(m2+kv2)H mod q∈O, (112) be medium texts corresponding to the plaintext m2 where m1=[1M1]0 +[1M1]1(h+k)/(2g1(h-k))-[2M1]1/(g1(h-k)) mod q∈Fq, (113)

m2=[1M2]0 +[1M2]1(h+k)/(2g1(h-k))-[2M2]1/(g1(h-k)) mod q∈Fq. (114)

Let 1_M 1+2, 2M1+2 be the medium texts corresponding to the sum of the plaintexts m1 and m2 such that 1_M 1+2:=1M1+ 1M2∈O =(m1+u1)G+(m1+v1)H+(m2+u2)G+(m2+v2)H mod q, =(m1+m2+v1+v2)G+(m1+m2+v1+v2)H mod q, (115)

2_M 1+2:=2M1+2M2∈O =(m1+hu1)G+(m1+kv1)H+(m2+hu2)G+(m2+kv2)H =(m1+m2+h(u1+u2))G+(m1+m2+k(v1+ v2))H mod q. (116)

We obtain m1+2 , the sum of m1 and m2 as follows. m1+2:= [1M1+2]0+[1M1+2]1(h+k)/(2g1(h-k))-[2M1+2]1/(g1(h-k)) =m1+m2 mod q∈Fq. (117)

[Multiplication] First we calculate 1_M

mod q and 2_M

11M2 mod q as follows. 1_M

11M2∈O

=((m1+u1)G+(m1+v1)H)((m2+u2)G+(m2+v2)H)

=(m1+u1)(m2+u2) G+(m1+v1)(m2+v2)H,

=(m1m2+m1u2+u1m2+u1u2)G+(m1m2+m1v2+v1m2 +v1v2 )H],

mod q (118)

2_M 12M2∈O =((m1+hu1)G+(m1+kv1)H)((m2+hu2)G+(m2+kv2)H) =(m1+hu1)(m2+hu2) G+(m1+kv1)(m2+kv2)H mod q, =(m1m2+hm1u2+hu1m2+h2u1u2)G+(m1m2+km1v2+kv1m2 +k2_v 1v2 )H], mod q (119)

1_M 12M2∈O =((m1+u1)G+(m1+v1)H)((m2+hu2)G+(m2+kv2)H) =(m1+u1)(m2+hu2) G+(m1+v1)(m2+kv2)H, =(m1m2+hm1u2+u1m2+hu1u2)G +(m1m2+km1v2+v1m2 +kv1v2 )H mod q, (120)

2_M 11M2∈O =((m1+hu1)G+(m1+ku1)H)((m2+u2)G+(m2+v2)H) =(m1+hu1)(m2+u2)G+(m1+kv1)(m2+v2)H mod q, (121)

= (m1m2+m1u2+hu1m2+hu1u2)G+(m1m2+m1v2+kv1m2 +kv1v2 )H] mod q, (122)

We define 1_M 12 and 2M12, the medium texts corresponding to the product of m1 and m2 as follows. Here we select α such that α=0 (123)

as an example. As h2_{+2h-1=αh=0 mod q, (124)}

k2_{+2k-1=αk=0 mod q (125)}

and h≠k, (126)

we have 1_M 12:=( 1M11M2- 2M12M2,+ 1M12M2+2M11M2)/2 mod q =(m1m2+m1u2+u1m2+2hu1u2)G +( m1m2+m1v2+v1m2+2kv1v2 )H] mod q∈O (127) 2_M 12:= ( 1M11M2+3(2M12M2)-1M12M2-2M11M2)/2 mod q =(m1m2+hm1u2+hu1m2+2h2u1u2)G +( m1m2+km1v2+kv1m2+2k2v1v2 )H] mod q∈O (128) Naturally we can define the plaintexts m12 and the random number u12 and v12 to satisfy the following equations. As h+k=-2, m12: =[1M12]0 –([1M12]1+[2M12]1)/(g1(h-k)) mod q =(m1m2+(u2+v2)m1/2+(u1+v1)m2/2+ hu1u2+ kv1v2) - [(u2-v2)m1+(u1-v1)m2+2 hu1u2-2kv1v2 +(hu2-kv2)m1+(hu1-kv1)m2+2 h2u1u2-2k2v1v2]g1/(g1(h-k)) =(m1m2+(1/2-(1+h)/(h-k))u2m1 +(1/2+(1+k)/(h-k))v2m1 +(1/2-(1+h)/(h-k))u1m2 +(1/2+(1+k)/(h-k))v1m2 +(h-(2h+2h2_)/(h-k)u 1u2 +(k+(2k+2k2_)/(h-k)v 1v2 = m1m2 mod q∈Fq. (129)

Here we notice that since that h=-1+√2 =mod q, k=-1-√2mod q. 1/2-(1+h)/(h-k)=1/2- √2/(2√2)=0mod q (130)

1/2+(1+k)/(h-k)= 1/2- √2/(2√2)=0mod q . (131)

u12:= m1u2+u1m2+2hu1u2 mod q∈Fq. (132)

v12:= m1v2+v1m2+2kv1v2 mod q∈Fq. (133)

We can express 1_M 12,2M12 as follows. 1_M 12=(m12+u12)G+(m12+v12 )H mod q∈O (134)

2_M 12=(m12+hu12)G+(m12+kv12 )H mod q∈O. (135)

4.4. Proposed Fully Homomorphic Public-Key Encyption We propose a fully homomorphic public-key encryption (FHPKE) scheme on octonion ring over Fq. Here we define some parameters for describing FHPKE. We select the elements G=(g0,g1,…,g7)∈O, (136)

H=(h0,-g1,…,-g7) ∈O, (137)

where g0=1/2 mod q, (138)

g1≠0 mod q, (140)

g02+g12+…+g72=0 mod q∈Fq. (141)

as defined in section 4.3 Medium text.

Let m∈Fq be a plaintext and u∈Fq be the random parameter.

The medium texts 1_{M and} 2_{M are defined as} 1_{M:=(m+u)G+(m+v)H mod q}

∈O, (142) 2_{M:=(m+hu)G+(m+kv)H mod q}

∈O, (143)

h2_{+2h-1=αh mod q, (144)}

k2_{+2k-1=αk mod q. (145)}

We select as an example,

α=0. (146) The plaintext m is given from the medium texts 1_{M and} 2_M as follows.

m=[1_M]

0 –([1M]1+[2M]1)/(g1(h-k)) mod q∈Fq. (147)

where

g1≠0 mod q. (148)

[Basic enciphering function f(X,Y)]

Basic enciphering function f(X,Y)∈O[X,Y] is defined as follows.

Let X=(x0,…,x7)∈O[X] and Y=(y0,…,y7)∈O[Y] be variables.

We select A1,…, Ar∈O such that Aj (j=1,..,r) has the inverse Ai-1 mod q. We define the basic enciphering function f(X,Y) such that

f(X,Y):=A1-1(…(Ar-1(Y(Ar(…(A1X)...) mod q∈O[X,Y] =( f000x0y0+f001x0y1+ …+f077x7y7,

f100x0y0+f101x0y1+ …+f177x7y7, …. ….

f700x0y0+f701x0y1+ …+f777x7y7)t,

= {fijk}(i,j,k=0,…,7). (149)

Since f(X,1)=X at Y=1, some fijk are determined such that f000=1, f010=0, …, f070=0,

f100=0, f110=1, …, f170=0, … …

f700=0, f710=0, …, f770=1.

Let g(X,Y)∈O[X,Y] be a sub-enciphering function such that

g(X,Y):=

(…((XA1)A2)…)Ar)Y)Ar-1)…)A1-1 mod q∈O[X,Y] =( g000x0y0+g001x0y1+ …+g077x7y7,

g100x0y0+g101x0y1+ …+g177x7y7, …. ….

g700x0y0+g701x0y1+ …+g777x7y7)t,

= {gijk}(i,j,k=0,…,7). (150)

Since g(X,1)=X at Y=1, some gijk are determined such that g000=1, g010=0, …, g070=0,

g100=0, g110=1, …, g170=0, … …

g700=0, g710=0, …, g770=1. Theorem 8

Let

Rn=Un((…((U2((U1((PQ)U1))U2))…))Un) mod q∈O (151) Ln= (Un((…((U2((U1(PQ))U1))U2))…))Un mod q∈O (152) Mn=[Un(…(U2(U1P)…)][(…(QU1)U2)…)Un]mod q∈O (153) where

P, Q, Uj∈O (j=1,2,…,n).

For any positive integer n, it holds that

Rn mod q =Ln mod q =Mn mod q. (154)

(Proof)

We use the mathematical induction. In case that n=1, from (15),(16)

R1=U1((PQ)U1)=(U1(PQ))U1=(U1P)(QU1) mod q is obtained. That is,

R1=L1=M1 mod q. (155)

In case that n=t-1,if Rt-1=Lt-1=Mt-1 mod q, then Ut(Rt-1Ut)=Ut((Ut-1((…((U1((PQ)U1))…))Ut-1 ) )Ut)

=Rt mod q (156)

Ut(Rt-1Ut)=Ut(Lt-1Ut)

=Ut(((Ut-1((…((U2((U1(PQ))U1))U2))…))Ut-1)Ut) =(Ut((Ut-1((…((U2((U1(PQ))U1))U2))…))Ut-1))Ut

=Lt mod q. (157) Ut(Rt-1Ut)= Ut(Mt-1Ut)

=Ut(([Ut-1(Ut-2(…(U1P))…)][(…((QU1)…)Ut-2)Ut-1])Ut) from (16)

=(Ut[(Ut-1(…(U2(U1P))…)]) ([(…((QU1)U2)…)Ut-1)]Ut) =[Ut(Ut-1(…(U2(U1P))…)][(…((QU1)U2)…)Ut-1)Ut]

=Mt mod q (158)

That is, we obtain

Rt=Lt=Mt mod q. (159)

So for n=1,2,…, we obtain

Rn mod q =Ln mod q =Mn mod q. q.e.d. (160)

4.5. Addition and Multiplication of f(X,S)

Let 1_M

1, 2M1 and 1M2, 2M2 be the medium texts corresponding to the plaintexts m1 and m2 such that

1_M

1:= (m1+u1)G+(m1+v1)H mod q∈O, (161)

2_M

1:= (m1+hu1)G+(m1+kv1)H mod q∈O, (162)

1_M

2:= (m2+u2)G+(m2+v2)H mod q∈O, (163)

2_M

2:= (m2+hu2)G+(m2+kv2H mod q∈O. (164)

follows. [Addition] f(i_M

1,S)+ f(iM2,S) mod q∈O

= A1-1(…(Ar-1(S (Ar(.. (A1 iM1)...) + A1-1(…(Ar-1(S (Ar(.. (A1iM2)...)) mod q

= A1-1(…(Ar-1(S (Ar(.. (A1 (iM1+iM2))..) mod q

=f(i_M

1+iM2,S) mod q∈O.(i=1,2) (165)

[Multiplication] f(i_M

1,S){ [f(1,S) ]-1[f(iM2,S)g(1,S)]}mod q∈O =f(i_M

1,S){[f(1,S)]-1[(A1-1(…(Ar-1(S(Ar(..(A1iM2)...) (…(1A1)…)Ar)S)Ar-1)…)A1-1)]}

from Theorem 8 =f(i_M

1,S){[f(1,S)]-1[(A1-1(…(Ar-1(S(Ar(..(A11)...) (…(i_M

2A1)…)Ar)S)Ar-1)…)A1-1)]} =f(i_M

1,S) {[ f(1,S) ]-1 [ f(1,S)g(iM2,S)]} mod q from Lemma 1,

=f(i_M

1,S)g(iM2,S) mod q

=[A1-1(…(Ar-1(S(Ar(..(A1iM1)...)][(…(iM2A1)… )Ar)S)Ar-1)…)A1-1]

from Theorem 8

=[A1-1(…(Ar-1(S (Ar(.. (A1(iM1iM2)...)][(…(1A1)… )Ar)S)Ar-1)…)A1-1]

=f(i_M

1iM2,S)g(1,S) mod q(i=1,2). (166)

Then we have

f(i_M

1iM2,S)=[f(iM1,S){[f(1,S)]-1[f(iM2,S)g(1,S)]}][g(1,S)]-1 mod q∈O. (i=1,2) (167)

That is, we can obtain f(i_M

1iM2,S) from f(iM1,S), f(i_M

2,S),f(1,S) and g(1,S) without g(iM2,S) (i=1,2).

4.6. Octonion Elements Assumption OEA (q)

Here we describe the assumption on which the proposed scheme bases.

Octonion elements assumption OEA(q)

Let q be a prime. Let r be a secret integer parameter. Let A:={A1,…,Ar}∈O

r _{be secret parameters. Let f(X ,Y)= A} 1-1 (…(Ar-1 (Y (Ar(…(A1X)…) mod q∈O[X,Y] and g(X ,Y)= (…(XA1)…)Ar)Y)Ar-1)…)A1-1 mod q∈O[X,Y] be the basic enciphering function and sub-basic enciphering function where X and Y are variables.

In the OEA(q) assumption, the adversary Ad is given f(X ,Y), g(X,Y) and his goal is to find a set of parameters A={A1,…,Ar}∈O

r _{with the order of the elements A}

1,…, Ar . For parameters r= r(λ) defined in terms of the security parameter λ and for any PPT adversary Ad we have

Pr[A1-1(…(Ar-1(Y(Ar(…(A1X)…))…)mod q={fijk}(i,j,k= 0, …,7), (…(XA1)…)Ar)Y)Ar-1)…)A1-1 mod q={gijk}(i,j,k =0, …,7): A={A1,…, Ar}←Ad (1λ,q, f(X ,Y), g(X ,Y))]= negl(λ). (168) To solve directly OEA(q) assumption is known to be the problem for solving the multivariate algebraic equations of high degree which is known to be NP-hard.

4.7. Property of Proposed fully Homomorphic Encryption

The syntax of proposed scheme is given as follows. -Key-Generation. The algorithm KeyGen, on input the security parameter 1λ _{and system parameter (q,S) outputs}

sk←KeyGen(1λ_{) where sk=(r}

A ,Aj(j=1,…,rA),GA) is a secret encryption key and

pk←KeyGen(1λ_{) where pk=({f}

ijk}0≦i,j,k≦7 , {gijk}0≦i,j,k≦7) is

a public key.

-Encryption. The algorithm Enc, on input system parameter (q,S) and secret keys of user B, skB=(rB ,Bj(j=1,…,rB), GB) , public key of user A, pkA=({fAijk}0≦i,j,k≦7, {gAijk}0≦i,j,k≦7) and a plaintext m∈Fq,

outputs a ciphertext C(m;skB, pkA)∈O

2 _←Enc(sk

B, pkA;m). -Decryption. The algorithm Dec, on input system parameter (q,S), secret keys of user A, skA,public key of user B, pkB and a ciphertext C(m;skB, pkA), outputs plaintext m* ∈Fq =Dec(skA,pkB;C(m;skB,pkA)) where C(m;skB,pkA) ← Enc (skB, pkA;m).

-Homomorphic-Evaluation. The algorithm Eval, on input system parameter (q,S), an arithmetic circuit ckt, and a tuple of n ciphertexts (C1,…, Cn)∈O

2n_{, outputs an evaluated cipher}

text C’←Eval(ckt; C1,…, Cn) where Cj= C(mj;skB, pkA). (Fully homomorphic encryption). Proposed fully homomorphic encryption =(KeyGen; Enc; Dec; Eval) is fully homomorphic because it satisfies the following properties:

1. Homomorphism: Let CR = {CRλ}λ∈N be the set of all

polynomial sized arithmetic circuits. On input sk ←KeyGen(1λ_{), pk←KeyGen(1}λ_),∀ckt

∈ CRλ, ∀(m1,…,mn)

∈Fq

n _{where n= n(λ), ∀(C}

1,…,Cn)∈O

2n _where

Cj=C(mj;skB,pkA)←Enc(skB,pkA;mj),(j =1,…,n),we have Dec(skA, pkB ;Eval(ckt; C1,…,Cn)) = ckt(m1,…,mn).

Then it holds that:

Pr[Dec(skA,pkB;Eval(ckt; C1,…,Cn))≠ckt(m1,…,mn)] =negl(λ). (169)

2. Compactness: As the output length of Eval is at most αlog2q=αλ where α is a positive integer, there exists a polynomial µ = µ(λ) such that the output length of Eval is at most µ bits long regardless of the input circuit ckt and the number of its inputs.

4.8. Procedure for Constructing Proposed Public-Key Encryption

Here we show the procedure for constructing the proposed public-key encryption scheme by using the cryptosystem described in above sections.

User B tries to send his information to user A by using the public-key of user A pkA and the secret key of user B skB through the insecure line.

(1) System centre publishes the system parameter(q,S). (2) User A downloads system parameter (q,S) and selects

skA=(rA ,A j(j=1,…,rA),GA) which is a secret key of user A and generates the public key of user A pkA=({fAijk}0≦i,j,k≦7, {gAijk}0≦i,j,k≦7) such that

={fAijk}(i,j,k=0,…,7), (170)

gA(X,Y):=(…(XA1)…)ArA)Y)ArA-1)…)A1-1 mod q∈O[X, Y]

={gijk}(i,j,k=0,…,7), (171)

User A sends [{fAijk}, {gAijk} (i,j,k=0,…,7)] to system centre.

(3) User B downloads system parameter (q,S) and selects skB=(rB ,B j(j=1,…,rB),GB) which is a secret key of user B and generates the public key of user B pkB=({fBijk}0≦i,j,k≦7, {gBijk}0≦i,j,k≦7) such that

fB(X,Y):= B1-1(…(BrB-1(Y(BrB (…(B1X)…) mod q∈O[X, Y]

={fBijk}(i,j,k=0,…,7), (172)

gB(X,Y):= (…(XB1)…)BrB)Y)BrB-1)…)B1-1 mod q∈O[X, Y]

={gijk}(i,j,k=0,…,7). (173)

User B sends [{fBijk},{gBijk} (i,j,k=0,…,7)] to system centre.

(4) User B downloads fA(X,Y) ={fAijk}, gA(X,Y) ={gAijk} (i,j,k=0,…,7) from system centre.

(5) User B generates the common enciphering function fBA(X,Y) as follows.

fB1-1(X,Y):=fA(fA(X,Y),B1-1)

=A1-1 (…(ArA-1 (B1-1(ArA (…(A1 [A1-1 (…(ArA-1 (Y(ArA (…(A1X)…))))…)])…))))…)

=A1-1 (…(ArA-1 (B1-1(Y(ArA (…(A1X)…)))))…) mod q∈ O[X,Y] (174)

fB2-1 (X,Y):= fB1-1 (fA(X,Y),B2-1)

=A1-1(…(ArA-1(B1-1(B2-1(ArA(…(A1-1[A1(…(ArA-1 (Y(ArA(…(A1X)…)…)])…)

=A1-1 (…(ArA-1 (B1-1(B2-1(Y(ArA (…(A1X)…)…) mod q∈

O[X,Y] (175)

… …

fBrB-1(X,Y):= fBrB-1-1(fA(X,Y),BrB-1)

=A1-1(…(ArA-1(B1-1(…(BrB-1(ArA(…(A1[A1-1(…(ArA-1 (Y(ArA(…(A1X)…)…)])…)

= A1-1(…(ArA-1 (B1-1(…(BrB-1(Y(ArA (…(A1X)…)…) mod q

∈O[X,Y] (176)

fBrB(X,Y):= fBrB-1(fA(X,BrB),Y)

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(ArA (…(A1[A1-1(…(ArA-1 (BrB(ArA(…(A1X)…)…)])…)

= A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB (ArA(…(A1X)…) mod q

∈O[X,Y] (177)

fBrB-1(X,Y)= fBrB (fA(X,BrB-1),Y)

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB(ArA(…(A1[A1-1(… (ArA-1 (BrB-1(ArA(…(A1X)…)])…) mod q∈O[X,Y] (178)

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB(BrB-1(ArA(…(A1X)…) mod q∈O[X,Y] (179)

… …

fBA(X,Y)=fB1(X,Y) := fB2(fA(X,B1),Y)

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB(…(B2(ArA(…(A1[A1-1 (…(ArA-1(B1(ArA(…(A1X)…)])…) mod q∈O[X,Y]

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB(…(B1(ArA(…(A1X)…) mod q∈O[X,Y]

={fBAijk}(i,j,k=0,…,7). (180)

(6) User B generates the fixed secret parameters TBA and β(=(g1(h-k))-1 mod q) as follows.

TBA= fBA(1,S)

= A1-1(…(ArA-1 (B1-1(…(BrB-1(S(BrB(…(B1(ArA(…(A11)…) (181) β=(g1(h-k))-1 mod q (182)

(7) User B generates the sub-common enciphering function gBA(X,Y) in the same manner as follows. gBA(X,Y):=

(…((XA1)A2)…)ArA)B1)..)BrB)Y)BnB-1)..)B1-1)AnA-1) …)A1-1 mod q∈O[X,Y]. (183)

(8) User A generate fAB(X,Y) and gAB(X,Y) such that fAB(X,Y):=A1-1(…(ArA-1(fB((ArA(…(A1X)…),Y)))…) ∈O [X,Y]

=A1-1(…(ArA-1(B1-1(…(BrB-1(Y(BrB(…(B1(ArA(…(A1X)…) ∈O[X,Y]

={fABijk}(i,j,k=0,…,7) = fBA(X,Y)∈O[X,Y], (184)

gAB(X,Y):=(…((XA1)A2)…)ArA)B1)..)BrB)Y)BrB-1)..)B1-1)

ArA-1)…)A1-1 mod q∈O[X, (185)

(9) User B enciphers the plaintext m by using fBA(X,Y) such that

C(m):= [fBA(1M, TBA); fBA(2M, TBA),]∈O 2

=(1_c

0,…,1c7; 2c0,…,2c7) (186)

where

1_{M:= (m+u)G}

B+(m+v)HB mod q∈O, (187)

2_M:=((m+hu)G

B+ (m+kv)HB mod q∈O, (188)

TBA =fBA(1,S)∈O, (189)

(10) User B sends [C(m)= (1_c

0,…,1c7; 2c0,…,2c7)∈O 2_{, β}

B] to user A

through the insecure line.

(11) User A receives [C(m)= (1_c

0,…,1c7; 2c0,…,2c7)∈O 2_,

βB] and deciphers as follows. User A calculates TAB .

TAB= fAB(1,S)

= A1-1(…(ArA-1 (B1-1(…(BrB-1(S(BrB(…(B1(ArA(…(A11)…)

Let (i_z

0,…,iz7) : =iM (i=1,2). fAB(iM, TAB) (i=1,2)

=A1-1(…(AnA-1(B1-1(…(BrB-1(TAB(BrB(…(B1(ArA(…(A1iM) …)mod q∈O

=( f00iz0+f01iz1+ …+f07iz7, f10iz0+f11iz1+ …+f17iz7, …. ….

f70iz0+f71iz1+ …+f77iz7)t mod q, = (ic0,…,ic7) (i=1,2) . (191)

where

f jk∈Fq (j,k=0,…,7).

User A solves above simultaneous equation to obtain (i_z

0,…,iz7) = iM(i=1,2).

(12) User A recovers the plaintext m as follows.

[1_M]

0–([1M]1+[1M]1) βB mod q =m∈Fq, (192)

where

g1≠0 mod q. (193)

Theorem 9

For arbitrary P,Q∈O fBA (P, TBA) gBA (Q, TBA) = fBA (PQ, TBA) gBA (1, TBA)

= fBA(1,TBA) gBA (PQ, TBA) mod q∈O. (194)

[Proof]

From Theorem 8 fBA(P, TBA)gBA(Q, TBA)

= fBA(PQ, TBA) gBA (1, TBA) mod q∈O

=fBA(1, TBA)gBA(PQ, TBA) mod q∈O. q.e.d. (195)

We notice that

fBA(P, TBA)gBA(1, TBA)= fBA(1P, TBA)gBA(1, TBA)

=fBA(1, TBA)gBA(P, TBA) mod q∈O. (196)

Then we have

gBA(P,TBA)=(fBA(1,TBA))-1[fBA(P,TBA)gBA(1,TBA)]

mod q ∈O, (197) fBA(P,TBA) =[fBA(1,TBA)gBA(P,TBA)] ( gBA(1,TBA))-1

mod q∈O. (198)

In case that the third party that does not know the value of TBA tries to calculate the ciphertext corresponding to product of two plaintexts, he uses [fBA(1, TBA), gBA(1, TBA)] such that

{fBA(iM1,TBA)[(fBA(1,TBA))-1(fBA(iM2,TBA)gBA(1,TBA))]} (gBA(1,TBA))-1

=fBA(iM1iM2,TBA) mod q∈O. (i=1,2) (199)

We describe in detail in next section.

4.9. Procedure for Addition and Multiplication on CipherTexts by Third Party

Here we show the procedure that the third party calculates the ciphertexts corresponding to the sum and the product of n

plaintexts by using n ciphertexts.

(1) Through the insecure line, user B uploads his data {C(mj)= [fBA(1Mj,TBA);fBA(2Mj,TBA)](j=1,…,n)} and [fBA(1, TBA), gBA(1, TBA)] to the cloud centre by using the common enciphering function fBA(X,Y) and sub-common enciphering function gBA(X,Y) of user A and user B where user A is also allowed to be user B. (2) User B requests the ciphertext corresponding to the

sum of mi (i=1,…,n) and the ciphertext corresponding to the product of mi (i=1,…,n) to user U.(user U is the data processing centre or the cloud centre). (3) User U downloads the system parameter (q,S) from

the system centre .

(4) User U downloads {C(mj) =[ fBA(1Mj,TBA); fBA(2Mj,TBA) ] (j=1,…,n) } and [fBA(1, TBA), gBA(1, TBA)] from cloud centre where

1_M

j:= (mj+uj)GB+(mj+vj)HB mod q∈O, (200)

2_M

j:= (mj+huj)GB+(mj+kvj)HB mod q∈O, (201)

(j=1,…,n)

(5) User U calculates [fBA(1,TBA)]-1 mod q,[gBA(1,TBA)]-1 mod q.

(6) User U calculates the ciphertext corresponding to the sum of mi (i=1,…,n) and the ciphertext corresponding to the product of mi (i=1,…,n) as follows.

[Ciphertext corresponding to sum of mj (j=1,…,n)] C(m1+…+n):=C(m1+…+ mn)

=[fBA(1M1 +…+1Mn,TBA); fBA(2M1 +…+2Mn,TBA)]∈O 2

=[fBA(1M1,TBA) +…+fBA(1Mh,TBA) mod q; fBA(2M1,TBA)+…+fBA(2Mh,TBA) mod q]∈O

2

= (1_c

+0,…,1c+7; 2c+0,…,2c+7). (202)

[Ciphertext corresponding to product of mj (j=1,…,n)] (a) fBA(iM1iM2,TBA)=

{fBA(iM1,TBA)[(fBA(1,TBA))-1(fBA(iM2,TBA)gBA(1,TBA))]}

(gBA(1,TBA))-1 mod q(i=1,2) (203)

(b) fBA(1M12M2,TBA)=

{fBA(1M1,TBA)[(fBA(1,TBA))-1(fBA(2M2,TBA)gBA(1,TBA))]}

(gBA(1,TBA))-1 mod q (204)

(c) fBA(2M11M2,TBA)=

{fBA(2M1,TBA)[(fBA(1,TBA))-1(fBA(1M2,TBA)gBA(1,TBA))]}

(gBA(1,TBA))-1 mod q (205)

(d) fBA(1M12,TBA)=

[fBA(1M11M2,TBA)-fBA(1M12M2,TBA)]

=fBA((1M11M2-1M12M2),TBA) (206)

(e) fBA(2M12,TBA)=

[fBA(2M11M2,TBA)-fBA(2M12M2,TBA)]

(f) C(m1m2)= C(m12)= [ fBA(1M12,TBA); fBA(2M12,TBA)] =[ fBA((1M11M2-1M12M2)) ,TBA);

fBA((2M11M2-2M12M2) ,TBA)]∈O

2 ₍₂₀₈₎

……

(g) In the same manner fBA(1M12…n,TBA)=

[fBA(1M12…n-11Mn,TBA)-fBA(1M12…n-12Mn,TBA)] (209)

=fBA((1M12…n-11Mn-1M12…n-12Mn),TBA)), fBA(2M12…n,TBA)=

[fBA(2M12…n-11Mn,TBA)-fBA(2M12…n-12Mn,TBA)]

=fBA((2M12…n-11Mn- 2M12…n-12Mn),TBA)) (210)

(h) C(m1m2...mn)= C(m12…n) ∈O 2

= [ fBA(1M12…n,TBA); fBA(2M12…n,TBA)]

= (1_c

*0,…,1c*7; 2c*0,…,2c*7). (211)

(7) User U sends{(1_c

+0,…,1c+7; 2c+0,…,2c+7) and (1_c

*0,…,1c*7; 2c*0,…,2c*7)} to user B.

(8) ser B deciphers to obtain (m1+…+ mn) mod q and m1m2 …mn mod q as follows.

Let 1_M

+=(1s+0,…,1s+7):=1M1 +…+1Mn mod q, (212)

2_M

+=(2s+0,…,2s+7):=2M1 +…+2Mn mod q, (213)

1_M

*=(1s*0,…,1s*7):= 1M12…n mod q, (214)

2_M

*=(2s*0,…,2s*7):= 2M12…n mod q. (215)

fAB(iM+, TAB)

=A1-1(…(ArA-1(B1-1(…(BrB-1(TAB(BrB(…(B1(ArA(…(A1 i_M

+)…) mod q∈O

=( f00is+0+f01i s+1+ …+f07is+7, f10is+0+ f11is+1+ …+ f17is+7, …. ….

f70is+0+ f71is+1+ …+ f77is+7)t mod q,

= (i_c

+0,…,ic+7) (i=1,2). (216)

(i_s

+0,…,is+7) is obtained by solving above simultaneous equation (i=1,2).

User B has

m1+…+ mn =1s+0-( 1s+1+2s+1) βB mod q∈Fq. (217)

fAB(iM*, TAB)

=A1-1(…(ArA-1(B1-1(…(BrB-1(TAB(BrB(…(B1(ArA(…(A1 i_M

*)…) mod q∈O

=( f00is*0+f01is*1+ …+f07i s*7, f10is*0+f11is*1+ …+ f17is*7, …. ….

f70is*0+ f71is*1+ …+ f77is*7)t mod q,

= (i_c

*0,…,ic*7) (i=1,2). (218)

(i_s

*0,…,is*7) is obtained by solving above simultaneous equation(i=1,2).

User B has

m1m2 …mn =1s*0 –( 1s*1+2s*1) βB mod q∈Fq. (219)

5. Analysis of Proposed Scheme

Here we analyse the proposed fully homomorphic encryption scheme.

5.1. Ciphertext Square Attack

Ciphertext is given as follows.

C(m):= [fBA(1M, TBA); fBA(2M, TBA),], (220) 1_{M:= (m+u)G+(m+v)H mod q}

∈O, (221) 2_{M:= (m+hu)G+(m+kv)H ) mod q}

∈O. (222)

As

(1_M)2 _=(m+u)2_G+(m+v)2_{H mod q≠m(}1_{M), (223)}

(2_M)2 _{= (m+hu)}2_G+(m+kv)2_{H mod q≠m(}2_{M), (224)}

we have

fBA((jM)2,TBA)≠mfBA(jM,TBA) (j=1,2). (225)

“Ciphertext square attack” is not efficient for the proposed encryption scheme.

5.2. Computing Ai from {fijk}, Coefficients of f(X,Y) and

g(X,Y)

Basic enciphering function f(X,Y) is given as follows. Let X=(x0,…,x7)∈O[X] and Y=(y0,…,y7)∈O[X] be variables.

f(X,Y)= A1-1(…(Ar-1(Y(Ar(.. (A1X)...) mod q∈O[X,Y] =( f000x0y0+f001x0y1+ …+f077x7y7,

f100x0y0+f101x0y1+ …+f177x7y7, …. ….

f700x0y0+f701x0y1+ …+f777x7y7)t,

= {fijk} (i,j,k=0,…,7), (226)

g(X,Y):=(…((XA1)A2)…)Ar)Y)Ar-1)…)A1-1 mod q∈ O[X,Y]

=( g000x0y0+g001x0y1+ …+g077x7y7, g100x0y0+g101x0y1+ …+g177x7y7, …. ….

g700x0y0+g701x0y1+ …+g777x7y7)t,

= {gijk}(i,j,k=0,…,7). (227)

Aj∈O to be selected randomly such that Aj -1 _exist

(j=1,…,r) are the secret keys of user A.

, … , = , … …

, … , = ≠ 0 ,

… …

, … , = ,

, … , = ,

… …

, … , = ≠ 0 ,

… …

, … , = ,

(228)

where F001,…, F777, G001,…, G777 are the 112th (=56*2)th algebraic multivariate equations.

Then the complexity G required for solving above simultaneous equations by using Gröbner basis[18] is given such as

G>G’=(448+dregCdreg)w=(493C45)w ≈2509>> 280, (229)

where G’ is the complexity required for solving 896(=448*2) simultaneous quadratic equations with 448 variables by using Gröbner basis, where w=2.39, and

dreg≈0.0858*448+1.04*(448)^(1/3)-1.47+1.71*448^(-1/3) +448^(-2/3)>45. (230)

The complexity G required for solving above simultaneous equations by using Gröbner basis is enough large for secure.

5.3. Computing Medium Text jM and Aj, Bj from Ciphertext

C(m)

Ciphertext C(m)

=(1_c

0,…,1c;2c0,…,2c)=[fBA(1M,TBA); fBA(2M,TBA)] (231)

is generated by user B as follows. Let (jz0,…,jz7) : =jM (j=1,2). C(m) =fBA(jM,TBA)∈O

= A1-1(…(ArA-1(B1-1(…(BrB-1(TBA (BrB(…(B1(ArA(…(A1 j_M)…)

∈O

=( f00jz+f01jz1+ …+f07jz7, f10jz0+f11jz1+ …+f17jz7, …. ….

f70jz0+f71jz1+ …+f77jz7)t,

= (j_c

0,…,jc7) (j=1,2). (232)

(j_z

0,…,jz7) =jM(j=1,2) is obtained by solving above simultaneous equation.

Ah, Bk∈O to be selected randomly such that Ah -1 _{and B}

k-1 exist (h=1,…,rA;k=1,…,rB) are the secret keys of user A and user B respectively.

We try to find medium text j_{M and A}

h, Bk (j=1,2 ;h=1,…,rA ;k=1,…,rB) from jch∈Fq (j=1,2;h=0,…,7).

In case that rA =56 and rB=56 the number of unknown variables ((j_z

0,…,jz7)(j=1,2), TBA, Ah , Bk, (h,k=1,…,56)) is 920(=8*2+8+2*56*8), the number of equations is 16 such that

, … , , , . . , , " , . . , " = # ,

, … , , , . . , , " , . . , " = # ,

… …

F -z , … , z , A , . . , A , B , . . , B- = c mod q,

-j = 1,2

(233)

where F0,…,F7 are the 226th(=56*2*2+2)th algebraic multivariate equations.

Then the complexity G required for solving above simultaneous equations by using Gröbner basis [18] is given such as

G>G’=(920+dregCdreg)w=(104532C920)w >> 280, (234)

where G’ is the complexity required for solving 921 simultaneous algebraic equations with 920 variables by using Gröbner basis,

where w=2.39, and

dreg≈103612(=921*(226-1)/2-0√(921*(226^2-1)/6)).(235)

The complexity G required for solving above simultaneous equations by using Gröbner basis is enough large for safety.

5.4. Attack by Using the Ciphertexts of m and -m

We show that we cannot easily distinguish the ciphertexts corresponding to m and -m. We try to attack by using “m and -m attack”. We define the medium texts 1_M

+ , 2M+ by

1_M

+:=(m+u)GB+(m+v)HB mod q∈O, (236)

2_M

+:=(m+hu)GB+(m+kv)HB mod q∈O. (237)

where u,v∈Fq are selected randomly, and plaintext m∈Fq. We define the medium texts 1_M

– , 2M – corresponding to the plaintext -m by

1_M

-:=(-m+u’)GB+(-m+v’)HB mod q∈O, (238)

2_M

-:=(-m+hu’)GB+(-m+kv’)HB mod q∈O, (239)

where u’,v’∈Fq are selected randomly.

The ciphertext corresponding to m , C(m) =[fBA(1M+, TBA); fBA(2M+, TBA)]∈O

2 _{is given as follows.}

fBA(1M+, TBA)∈O

=A1-1(…(ArA-1(B1-1(…(BrB-1(TBA(BrB(…(B1(ArA(…(A1 1_M

+)…)∈O, (240)

fBA(2M+, TBA)∈O

=A1-1(…(ArA-1(B1-1(…(BrB-1(TBA(BrB(…(B1(ArA(…(A1 2_M

+)…)∈O. (241)

The ciphertext corresponding to -m , C(-m) =[fBA(1M-, TBA); fBA(2M-, TBA)]∈O

2 _{is given as follows.}

fBA(1M-, TBA )

=A1-1(…(ArA-1(B1-1(…(BrB-1(TBA (BrB(…(B1(ArA(…(A11M -)…)∈O, (242)

=A1-1(…(ArA-1(B1-1(…(BrB-1(TBA (BrB(…(B1(ArA(…(A12M -)…)∈O. (243)

As m-m= 0 mod q, we have fBA(1M+, TBA)+ fBA(1M-, TBA) mod q = fBA(1M++1M-, TBA) mod q

=fBA((m+u)GB+(m+v)HB+(-m+u’)GB+(-m+v’)HB), TBA)

= fBA((u+u’) GB +(v+v’)HB), TBA) mod q (244)

As in general u+u’≠0 mod q∈Fq , v+v’≠0 mod q∈Fq ,we have

fBA(1M+, TBA)+ fBA(1M-, TBA) mod q ≠0. (245)

In the same manner it is said that

fBA(2M+, TBA)+ fBA(2M-, TBA) mod q ≠0. (246)

When m-m= 0 mod q, we can calculate | fBA(1M, TBA)+ fBA(1M-, TBA) |2 as follows. | fBA(1M, TBA)+ fBA(1M-, TBA) |2 mod q =| fBA((u+u’) GB +(v+v’)HB, TBA)|2 mod q = |TBA|2|(u+u’) GB +(v+v’)HB|2 mod q,

=|TBA|2[(u+u’+v+v’)2/4-((u+u’-(v+v’))2/4] mod q =|TBA|2[(u+u’)(v+v’)] mod q

≠ 0 mod q (in general). (247)

In the same manner

| fBA(2M, TBA)+ fBA(2M-, TBA) |2 mod q

=|TBA|2[hk(u+u’)(v+v’)] mod q, (h,k are secret parameters) ≠ 0 mod q (in general). (248)

It is said that the attack by using “m and -m attack” is not efficient. Then we cannot easily distinguish the cipher texts of m and -m.

6. The Size of the Modulus q and the

Complexity for Enciphering

/Deciphering

We consider the size of the modulus q. We select q≈22000_. (1) In case of q≈22000_{, the size of f}

ijk∈Fq (i,j,k=0,…,7) which are the coefficients of elements in f(X,Y)=A1-1 (…(Ar-1 (Y(Ar(.. (A1X)...) mod q∈O[X,Y] is (448)(log2q)bits ≈896kbits and the size of gijk∈Fq (i,j,k=0,…,7) which are the coefficients of elements in g(X,Y):=(…((XA1)A2)…)Ar)Y)Ar-1)…)A1-1 mod q ∈O[X,Y] is (448)(log2q)bits ≈896kbits. Then the size of fijk and gijk (i,j,k=0,…,7) is 2*(448)(log2q)bits ≈1792kbits. The size of plaintext m is 2kbits and the size of ciphertext C(m)∈O is 32kbits.

(2) In case of r=56, q≈22000_{, the complexity to obtain} f(X,Y) from A1,…,Ar and q is

(55*8*64+55*8*512)(log2q)2+56*(16*(log2q)2+2*(log2q)3 ) ≈ 241 _{bit-operations,}

where 56*(16*(log2q)2+2*(log2q)3) is the complexity for inverse of Ai-1(i=1,…,56).

And the complexity to obtain g(X,Y) from A1,…,Ar and q

is ≈241 _{bit-operations.}

(3) In case of rB=56, q≈22000, the complexity to obtain fBA(X,Y) from fA(X,Y), B1,…,BrB, BrB-1,…,B1-1 and q is

((512+64*8*8)*56+(512+64*8*8)*56) (log2q)2 ≈241 _{bit-operations.}

In the same manner, the complexity to obtain gBA(X,Y) from fA(X,Y), B1,…,BrB, BrB-1,…,B1-1 and q is

((512+64*8*8)*56+(512+64*8*8)*56)(log2q)2≈241 bit-operations.

(4) In case of rA=56, q≈22000, the complexity to obtain fAB(X,Y) from fB(X,Y), A1,…,ArA, ArA-1,…,A1-1 and q is

((512+64*8*8)*56+(512+64*8*8)*56)(log2q)2 ≈241 _{bit-operations.}

(5) In case of q≈22000_{, the complexity for enciphering m} to obtain C(m)=[ fBA(1M,TBA),fBA(2M,TBA)] from fBA(X,Y),1M, 2M, TBA and q is 2*(2*64*8) (log2q)2 ≈233 _{bit-operations.}

(6) In case of q≈22000_{, the complexity for calculating T} BA = fBA(1,S) from fBA(X,Y), S and q is 64(log2q)2≈228 bit-operations.

(7) In case of q≈22000_{, the complexity for calculating h =} [fBA(S,S)]0, k =[fBA(S,S)]1 from fBA(X,Y), S and q is at most 7*2*512*2(log2q)2 ≈236 bit-operations. (8) In case of q≈22000_{, the complexity for deciphering}

C(m) =[fBA(1M, TBA), fBA(2M, TBA)] to obtainm from C(m), fAB(X,Y), TAB , β and q is

[2*(64*8+8*8+7*7+…+2*2+1*1+1+2+…+7)+1](log2q)2 +(8*2)*( log2q)3

≈(2*(512+232)+1)*222_+16*233_=1489*222_+16*233 ≈238 _{bit-operations.}

(9) In case of rA=56, q≈22000, the complexity for calculating fBA(1M12,TBA), fBA(2M12,TBA) from fBA(1M1,TBA), fBA(1M2,S), fBA(2M1,TBA), fBA(2M2,S), fBA(1,TBA), gBA(1,TBA) and q is

4*[4*64*(log2q)2]+2*2*(log2q)3+4*8*(log2q)2 ≈236 _{bit-operations.}

On the other hand the complexity of the enciphering and deciphering in RSA scheme is

2(log n)3 _≈234 _{bit-operations}

where the size of modulus n is 2048bits.

Then our scheme does not require large complexity to encipher and decipher so that we are able to implement our scheme to the mobile device.

7. Conclusion

problem of whether octonion elements assumption OEA(q) holds or not, and there is a need for more careful studying of attacks based on the algorithm for solving the multivariate algebraic equations of high degrees.

Appendix

Appendix A:

Octinv(A) --- S ← a02+a12+…+a72mod q.

% S-1 _{mod q}

q[1] ← q div S ;% integer part of q/S r[1] ← q mod S ;% residue

k ←1 q[0] ← q r[0] ← S while r[k] ≠ 0 begin k← k + 1

q[k] ← r[k−2] div r[k−1] r[k] ← r[k−2] mod [rk−1] end

Q [k−1] ← (-1)*q[k−1] L[ k−1] ← 1

i ← k−1 while i > 1 begin

Q[ i−1] ← (-1)*Q[ i] *q[i−1] + L[ i] L[ i−1 ] ← Q[ i ]

i← i−1 end

invS ← Q[1] mod q invA[0] ← a0*invS mod q For i=1,…,7,

invA[i] ← (-1)*ai*invS mod q

Return A-1_{= (invA[0], invA[1],…, invA[7])}

--- Appendix B:

Lemma 2

A-1_{(AB)= B mod q} (BA)A-1_{= B mod q} (Proof:)

A-1_{= (a}

0 / |A|2 mod q, -a1 / |A|2 mod q,…, -a7 / |A|2 mod q). AB mod q

= ( a0b0-a1b1- a2b2- a3b3-a4b4- a5b5-a6b6-a7b7 mod q, a0b1+a1b0+a2b4+a3b7-a4b2+a5b6-a6b5-a7b3 mod q, a0b2-a1b4+a2b0+a3b5+a4b1-a5b3+a6b7-a7b6 mod q, a0b3-a1b7-a2b5+a3b0+a4b6+a5b2-a6b4+a7b1 mod q, a0b4+a1b2-a2b1-a3b6+a4b0+a5b7+a6b3-a7b5 mod q, a0b5-a1b6+a2b3-a3b2-a4b7+a5b0+a6b1+a7b4 mod q, a0b6+a1b5-a2b7+a3b4-a4b3-a5b1+a6b0+a7b2 mod q, a0b7+a1b3+a2b6-a3b1+a4b5-a5b4-a6b2+a7b0 mod q). [A-1_(AB)]

0

={ a0(a0b0-a1b1- a2b2- a3b3-a4b4- a5b5-a6b6-a7b7) +a1(a0b1+a1b0+a2b4+a3b7-a4b2+a5b6-a6b5-a7b3) + a2(a0b2-a1b4+a2b0+a3b5+a4b1-a5b3+a6b7-a7b6) +a3(a0b3-a1b7-a2b5+a3b0+a4b6+a5b2-a6b4+a7b1)

+a4(a0b4+a1b2-a2b1-a3b6+a4b0+a5b7+a6b3-a7b5) + a5(a0b5-a1b6+a2b3-a3b2-a4b7+a5b0+a6b1+a7b4) +a6(a0b6+a1b5-a2b7+a3b4-a4b3-a5b1+a6b0+a7b2)

+a7(a0b7+a1b3+a2b6-a3b1+a4b5-a5b4-a6b2+a7b0)}/|A|2mod q ={( a02+a12+…+a72) b0} /|A|2 =b0 mod q

where [M ]n denotes the n-th element of M∈O. [A-1_(AB)]

1

={ a0(a0b1+a1b0+a2b4+a3b7-a4b2+a5b6-a6b5-a7b3) -a1(a0b0-a1b1- a2b2- a3b3-a4b4- a5b5-a6b6-a7b7) -a2(a0b4+a1b2-a2b1-a3b6+a4b0+a5b7+a6b3-a7b5) -a3(a0b7+a1b3+a2b6-a3b1+a4b5-a5b4-a6b2+a7b0) +a4(a0b2-a1b4+a2b0+a3b5+a4b1-a5b3+a6b7-a7b6) - a5(a0b6+a1b5-a2b7+a3b4-a4b3-a5b1+a6b0+a7b2) +a6(a0b5-a1b6+a2b3-a3b2-a4b7+a5b0+a6b1+a7b4 )

+a7(a0b3-a1b7-a2b5+a3b0+a4b6+a5b2-a6b4+a7b1)} /|A|2 mod q ={( a02+a12+…+a72) b1} /|A|2=b1 mod q.

Similarly we have [A-1_(AB)]

i=bi mod q (i=2,3,…,7). Then we have

A-1_{(AB)= B mod q. q.e.d.} Appendix C:

Theorem 3

LALB= LAB mod q∈Fq where

A=(a0,a1,…,a7), B=(b0,b1,…,b7) , C=(c0,c1,…,c7)∈O, C=AB mod q∈O.

LA=a02+a12+…+a72=0 mod q, LB=b02+b12+…+b72=0 mod q LAB=c02+c12+…+c72=0 mod q (Proof:)

AB mod q

= ( a0b0 - a1b1- a2b2- a3b3-a4b4- a5b5-a6b6-a7b7 mod q, a0b1+a1b0+a2b4+a3b7-a4b2+a5b6-a6b5-a7b3 mod q, a0b2-a1b4+a2b0+a3b5+a4b1-a5b3+a6b7-a7b6 mod q, a0b3-a1b7-a2b5+a3b0+a4b6+a5b2-a6b4+a7b1 mod q, a0b4+a1b2 -a2b1 -a3b6+a4b0+a5b7+ a6b3 -a7b5 mod q, a0b5-a1b6+a2b3-a3b2-a4b7+a5b0+a6b1+a7b4 mod q, a0b6+a1b5 -a2b7+a3b4 -a4b3 -a5b1+a6b0 +a7b2 mod q, a0b7+a1b3+a2b6-a3b1+a4b5-a5b4-a6b2+a7b0 mod q) LAB= a02(b02+…+ b72)

+ a12(b12+ b02+ b42+ b72+ b22+ b62+ b52+b32) + a22(b12+ b02+ b42+ b72+ b22+ b62+ b52+b32) + a32(b32+ b72+ b52+ b02+ b62+ b22+ b42+b12) + a42(b42+ b22+ b12+ b62+ b02+ b72+ b32+b52) + a52(b52+ b62+ b32+ b22+ b72+ b02+ b12+b42) + a62(b62+ b52+ b72+ b42+ b32+ b12+ b02+b22) + a72(b72+ b32+ b12+ b62+ b52+ b42+ b22+b02)

- 2a0b0 a1b1+2 a0b1a1b0 -….-a6b2a7b0+ a6b0 a7b2 mod q =( a02+a12+…+a72)( b02+b12+…+b72) mod q

= LALB mod q. q.e.d.

References

[2] Craig Gentry, A Fully Homomorphic Encryption Scheme, 2009. Available at http://crypto.stanford.edu/craig/craig-thesis.pdf. [3] Marten van Dijk; Craig Gentry, Shai Halevi, and Vinod

Vaikuntanathan (2009-12-11). "Fully Homomorphic Encryption over the Integers" (PDF). International Association for Cryptologic Research. Retrieved 2010-03-18.

[4] Damien Stehle; Ron Steinfeld (2010-05-19). "Faster Fully Homomorphic Encryption" (PDF). International Association for Cryptologic Research. Retrieved 2010-09-15.

[5] JS Coron, A Mandal, D Naccache, M Tibouchi ,” Fully homomorphic encryption over the integers with shorter public keys”, Advances in Cryptology–CRYPTO 2011, 487-504. [6] Halevi, Shai. "An Implementation of homomorphic

encryption". Retrieved 30 April 2013. Available at https://github.com/shaih/HElib .

[7] Nuida and Kurosawa,”(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces”, Cryptology ePrint Archive, Report 2014/777, 2014. http://eprint.iacr.org/.

[8] Masahiro, Y. (2015). Fully Homomorphic Encryption without bootstrapping. Saarbrücken/Germany: LAP LAMBERT Academic Publishing.

[9] Masahiro Yagisawa,” Fully Homomorphic Encryption without bootstrapping”, Cryptology ePrint Archive, Report 2015/474, 2015. http://eprint.iacr.org/.

[10] Yongge Wang,” Notes on Two Fully Homomorphic Encryption Schemes Without Bootstrapping”, Cryptology ePrint Archive, Report 2015/519, 2015. http://eprint.iacr.org/. [11] Masahiro Yagisawa,” FHE with Recursive Ciphertext”,

Cryptology ePrint Archive, Report 2017/198, 2017. http://eprint.iacr.org/.

[12] Masahiro Yagisawa,” Improved Fully Homomorphic Encryption without Bootstrapping”, Cryptology ePrint Archive, Report 2017/763, 2017. http://eprint.iacr.org/. [13] Masahiro Yagisawa,” Fully homomorphic public-key

encryption with small ciphertext size”, Cryptology ePrint Archive, Report 2018/088, 2018. http://eprint.iacr.org/. [14] Shigeo Tsujii , Kohtaro Tadaki , Masahito Gotaishi ,Ryo

Fujita ,and Masao Kasahara ,"Proposal Integrated MPKC:PPS—STS Enhanced Perturbed Piece in Hand Method—," IEICE Tech. Rep.ISEC2009-27,SITE2009-19,ICSS2009-41(2009-07),July 2009.

[15] T. Matsumoto, and H. Imai, “Public quadratic polynomial-tuples for efficient signature verification and message-encryption,” Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT’88, pp.419–453, New York, NY, USA, 1988, Springer-Verlag New York, Inc.

[16] S. Tsujii, K. Tadaki, and R. Fujita, “Piece in hand concept for enhancing the security of multivariate type public key cryptosystems: Public key without containing all the information of secret key,” Cryptology ePrint Archive, Report 2004/366, 2004.

[17] C.Wolf, and B. Preneel, “Taxonomy of public key schemes based on the problem of multivariate quadratic equations,” Cryptology ePrint Archive, Report 2005/077, 2005, http://eprint.iacr.org/.

[18] M. Bardet, J. C. Faugere, and B. Salvy, "On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations," Proceeding of the International Conference on Polynomial System Solving (ICPSS2004), pp.71-75, November 2004.