Somewhat Homomorphic Key Update Protocol Based on Clifford Geometric Algebra for Distributed Ledger Technology

Authors:
  • Symetrix Corporation
  • Algemetric Inc
  • University of Colorado at Colorado Springs

Abstract

In this work, we aim to address the challenge of expanding Blockchain Technologies (BT) by implementing a somewhat homomorphic encryption scheme that not only enables computation on encrypted data but also yields a key update protocol with which one can selectively reveal consolidated data from a blockchain application. Our constructions are meant to be compliant with the fundamental requirements of BT, including ownership control and non-repudiation. In isolation, BT and homomorphic encryption (HE) can both suffer from performance issues. Combining the two only escalates that risk. We rely on Clifford Geometric Algebra as the single algebraic structure for introducing efficient solutions for merging BT with HE. The target application considers a trusted environment with pre-screened parties which allows us to consider cryptographic solutions based on relaxed notions of security. Along with the detailed description of our constructions, we refer to a library written in Ruby language with which we implement our ideas.
David W. H. A. da Silva, Computer Science, University of Colorado C. Springs, Colorado Springs, USA, dhonorio@uccs.edu
Hanes Oliveira, Computer Science, University of Colorado C. Springs, Colorado Springs, USA, hbarbosa@uccs.edu
Marcelo A. Xavier, Research and Advanced Engineering, Ford Motor Company, Dearborn, USA, maraujox@ford.com
C. Edward Chow, Computer Science, University of Colorado C. Springs, Colorado Springs, USA, cchow@uccs.edu
Carlos Paz de Araujo, Electrical Engineering, University of Colorado C. Springs, Colorado Springs, USA, cpazdear@uccs.edu
Index Terms—clifford geometric algebra, homomorphic encryption, key update, blockchain
I. INTRODUCTION
The advancement of science is possible when knowledge is shared and information is exchanged in a seamless manner. In a world where many businesses rely on information as their main asset, analysis over data is a crucial competitive advantage [1]. Consequently, the amount of data processed and stored will continue to increase [2], creating a demand for virtualized services. To this end, some applications can be provided as cloud computing resources, including Internet of Things (IoT), machine learning, virtual reality (VR), and blockchain. As a result, concerns about custody and privacy of data are on the rise [3].
As aforementioned, blockchain can be offered as a virtualized resource, Blockchain as a Service (BaaS) [4]. It has been used to reduce costs and the complexity of management, but it raises concerns about the custody of data [5] and the classical Trust Model [6].
Blockchain is a distributed ledger where the state lies on a linked list of interdependent blocks, persisted under consensus. It defines the conjunction of technologies behind Bitcoin [7], where anonymous parties would join a network without permission, so it was considered permissionless [8]. However, replicating the information amongst participants was onerous, so new initiatives approached the state replication paradigm in a more efficient way, increasing throughput through different consensus mechanisms [9]–[11]. Companies then employed the new Distributed Ledger Technology (DLT) concept to promote cooperation, on the premise of identified, permissioned nodes [8].
(Author note: Marcelo A. Xavier was originally with University of Colorado Colorado Springs and is now with Ford Motor Company.)
Private blockchains provide immutability and non-repudiation [12], but analysis over encrypted data remains restricted unless information or participants are segregated, or a trusted third-party architecture is used [13]–[17]. Public key cryptography is used in blockchain operations, but its limitations with respect to computability spawned a new race for Homomorphic Encryption (HE) schemes. Additionally, adversarial behaviors can arise in DLT environments from semi-honest partners, such as the use of shared data to leverage a commercial advantage. HE offers the ability to correctly evaluate encrypted data, allowing the outsourcing of computation without loss of privacy. Thus, parties can agree on common scripts implementing HE prior to the operation over data assets.
A. The Problems
Exclusivity is ingrained in the meaning of data property [18], and no repossession suit can restore ownership of shared digital data. Moreover, a legal contract cannot prevent misbehavior, being only a prior agreement on posterior punitive actions [19]. Consequently, under the expectation of misconduct, companies may avoid cooperation [20]. Conversely, a smart contract defines the behavior prior to agreement between parties, resembling a legal preventive action that avoids undesired executions. If combined with HE, it can realize blind computations (i.e., big data analytics). Additionally, if improved with a homomorphic key update, it can offer a mechanism to transfer ownership without leaving the trusted environment.
Cloud computing became a very expensive structure to reproduce in-house [21], and the market made it a premise to stay competitive. Therefore, blockchain, with its ever-growing database and inherent complexity, is appealing to use as a third-party service for storage and management. However, its philosophy is built on the concept of cryptographic proof instead of trust [22], which creates a conundrum and weakens the ability of the technology to remain trustworthy, since cloud suppliers work under the assumption of reputation and legal agreements. Another competence of blockchains is the capability to share digital assets while avoiding power imbalance between parties. Nevertheless, fearing a loss of ownership, companies may restrain themselves from sharing sensitive data that could favor analysis and leverage a commercial relationship or research effort.
In summary, cloud services bring uncertainty in the treatment of Confidentiality, Integrity, and Availability (CIA) [23], [24], whereas partnerships can be restrictive due to lack of trust or regulatory concerns. Therefore, we can state the problems that we are addressing in this work as follows.
Problem 1: Given an immutable ledger on a permissioned blockchain setting, provide an efficient privacy-preserving smart contract for computing arithmetic functions over encrypted data without violating the principles of ownership (the legal right of data access) and non-repudiation (the assurance that one cannot deny the validity of the data).
Problem 2: Given a smart contract that solves Problem 1, provide the ability to transfer ownership of homomorphically encrypted data without revealing to non-owners anything that is supposed to be known only by data owners.
B. Related Work
One of the motivations for Bitcoin was the avoidance of a single point of failure. It can mean the absence of a computational node due to censorship or dishonest behavior from a participant. Therefore, publicizing transactions was a means to verify integrity [25], although secrecy was not a concern. Users' anonymity [26] was provided by public-key encryption [27], and cryptography provided the trust for the model. Furthermore, companies realized that their commercial relationships would benefit from the provenance given by the immutable track of events. Also, their partnerships are mediated by legal contracts, facilitating a transition to electronic scripts (e.g., smart contracts) when transacting digital assets. Therefore, the applicability of cryptography is expanded and problems such as the ownership of data become the main concern.
Remarkable solutions for secrecy are already available, such as Solidus [14], which offers Zero-Knowledge Proofs (ZKP) [28] for verification of data. Similarly, the Confidential Assets initiative [16] makes possible the verification of total amounts through homomorphic commitments and ZKP. However, ZKPs can only reveal whether a ciphered statement is true, as in Zcash [29], serving as a procedure for acknowledgment.
Hawk [15], on the other hand, provides confidentiality by making the smart contract privacy-preserving. It approaches the smart contract as a fundamental part of the framework, dividing it into private and public parts. Others preserve secrecy by parallel storage for sensitive data, as in Hyperledger Fabric [9], or by encryption and segmentation, like r3 Corda [11] or Quorum [10]. Also, Multi-Party Computation (MPC) protocols like Enigma [17] and a secure MPC such as in [13] can compute over private data. Although the latter is an on-chain MPC protocol, it uses an insecure implementation to make the model feasible, and Enigma is an off-chain MPC protocol, being a third party that needs to be trusted.
Hyperledger Fabric and Quorum do not offer homomorphism, whereas r3 Corda resembles the benefits of homomorphic computation by secure hardware enclaves [30], although it relies on the premise that side-channel attacks are sufficiently mitigated.
In summary, on-chain solutions are sometimes based on the segregation of information or simply on hidden data or scripts, not allowing computation or any kind of analytical result over encrypted assets. On the other hand, off-chain implementations can violate the credibility that is only earned when every operation is performed in plain sight.
For our solution, two main guidelines must be preserved in order to favor CIA and DLT core principles. First, any sensitive data must be encrypted or decrypted off-chain, in possession of the owner. Second, any operation over an encrypted asset must occur on-chain, and the algorithm must be known by the parties and consequently agreed upon before execution. Finally, the script implementing the mathematical operations must be sufficiently efficient to not overload the performance of the consensus mechanism at hand.
C. Clifford Geometric Algebra
As remarked by Hildenbrand in [31], Clifford Geometric Algebra (here simplified to GA) is a very powerful mathematical system. Not only might existing applications based on other mathematical tools benefit strongly from being implemented with GA, but new applications might also emerge from this simple, flexible and robust framework [32]. The advantages commonly associated with GA computing include compactness of algorithms, implicit use of parallelism, high runtime performance and robustness [33]. While we fully agree with all of the above, if we could single out three major benefits of working with GA based on our own results, they would be: (1) the ability to work with notions from several different branches of mathematics in a single framework (i.e., modular arithmetic, complex arithmetic, matrix algebra, etc.); (2) how much can be accomplished by even a very small set of computationally inexpensive algebraic tools; and (3) the simplicity of the construction itself, which favors understanding, maintenance and analysis.
Some fields of application are inherently complex, as is the case of blockchain technologies [34] and cryptography [35]. The combination of blockchain and cryptography could easily increase the associated complexity exponentially should one fail to take into account the additional complexity of any particular tool or approach. In scenarios like this one, it seems critical to consider solutions that are simple to implement and yet powerful, so one can achieve much without necessarily adding complexity. GA seems to be an appealing candidate for providing an efficient cryptographic protocol that aims to expand blockchain capabilities without violating its rigid, but necessary, constraints. To the best of our knowledge, there are currently very few cryptography-related constructions explicitly based on GA. We highlight a fully homomorphic encryption (FHE) scheme [36] that combines GA with number theoretic functions [37], and a somewhat homomorphic encryption (SWHE) scheme that yields a GA-based framework for image processing [38]. The closest construction to the key update we propose in this work, a rather limited version of it, was discussed in [39].
D. Our Contribution
We propose the first known solution for the problem of ownership protection and ownership transfer for distributed ledger technologies based on homomorphic encryption. DLT-based applications currently do not offer any protection against the volatility of data, that is, the data owner either shares their entire information or keeps it entirely encrypted, with no utility in between. With our constructions, data owners have the power to selectively reveal information that is originally encrypted. Third parties can homomorphically operate on encrypted data and later request access to aggregated results. Previous instantiations of cryptography-related protocols based on GA indicate that we can resort to Clifford algebras for the purpose of constructing efficient algorithms for data representation and data processing in scenarios involving critical requirements such as those related to security and privacy. The approach of fixing a certain dimension is in favor of presenting simpler equations and numerical examples. The particular choice of $\mathbb{G}^3$ is due to the convenience of working with complex-like scalars in a very intuitive way, and to our intent of keeping all algorithms running in polynomial time. This is indeed our only concern in terms of performance in this work, since we aim to highlight the utility of our algorithms and protocols.
We provide access to a library written in Ruby language in which we implement our ideas. The Ruby language is known to be one of the world's best languages for prototyping, which fits perfectly our goal of providing a proof of concept. Since the first realization of a fully homomorphic encryption scheme [40], at least in theory, any function/circuit of any size and depth can be homomorphically computed. However, we reduce the target set of homomorphic functions to addition and scalar division, since we are mostly interested in the summation of encrypted records and the most complex operation of interest is the arithmetic mean.
E. Preliminaries
Favoring the quick distinction of a multivector from any other data structure, we use capital letters with an overbar, as in $\bar{M}$. We let the Clifford signature $C\ell(3,0)$ generate a geometric product space here denoted by $\mathbb{G}^3$. Computations on the coefficients of $\bar{M}$ will be reduced to a given modulus $q$, where $q$ is prime. This space reduced modulo $q$ is denoted by $\mathbb{G}^3_q$, and thus we write $\bar{M} \in \mathbb{G}^3_q$. The multivector involutions reverse and Clifford conjugation [41] are denoted by $\bar{M}^{\dagger}$ and $\overline{\bar{M}}$, respectively. The inverse of $\bar{M}$ is computed as
$$\bar{M}^{-1} = \overline{\bar{M}}\,\big[\bar{M}\,\overline{\bar{M}}\big]^{\dagger}\Big(\bar{M}\,\overline{\bar{M}}\,\big[\bar{M}\,\overline{\bar{M}}\big]^{\dagger}\Big)^{-1}, \quad (1)$$
such that $\bar{M}\bar{M}^{-1} = 1$. For compactness, we denote $a \bmod q$ by $|a|_q$. The expression $\big|\lfloor a/b \rfloor\big|_q$ reads "the floor division of $a$ by $b$ mod $q$". The multiplication of two multivectors $\bar{A}, \bar{B} \in \mathbb{G}^3_q$ follows the standard geometric product definition in $C\ell(3,0)$ [42], with the addition that the computation of all coefficients is now reduced modulo $q$. The scalar multiplication $\bar{A}\alpha$ for $\alpha \in \mathbb{Z}_q$ is computed by multiplying each coefficient of $\bar{A}$ by $\alpha$ modulo $q$. The scalar division $\bar{A}/\alpha$ is computed by multiplying each coefficient of $\bar{A}$ by $x = \alpha^{-1} \bmod q$, where $x$ is the modular multiplicative inverse of $\alpha$ with respect to $q$ such that $\alpha x = 1 \bmod q$. Thus the following notations are equivalent: $\alpha^{-1} \bmod q = |\alpha^{-1}|_q = |1/\alpha|_q$.
II. TARGET DEFINITIONS
Before introducing our proposed constructions to address the problems discussed in Section I-A, we define the general syntax and notions we aim to achieve. This is useful for many reasons, including the ability to investigate not only whether we achieved the desired goals but also how well we achieved them. Furthermore, a general syntax might allow one to propose different constructions that aim to satisfy the same general syntax and notions.
A. HE Scheme
We define the syntax of a somewhat homomorphic encryption (HE) scheme as follows:
Definition 1: (HE Scheme $\Pi$) A HE scheme denoted as $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Add}, \mathrm{SDiv})$ is a tuple of efficient (e.g., probabilistic polynomial-time) algorithms with the following syntax:
$\mathrm{Gen}$ takes as input the security parameter $1^{\lambda}$ and outputs a private key $sk$ and a public evaluation key $pk$. The secret key implicitly defines a ring $\mathcal{M}$ that will serve as the message space. We write the syntax as $(sk, pk) \leftarrow \mathrm{Gen}(1^{\lambda})$ (see footnote 1).
$\mathrm{Enc}$ takes as input a secret key $sk$ and a message $m$ and outputs a ciphertext $c$ as an $n$-dimensional tuple. We write the syntax as $c \leftarrow \mathrm{Enc}(sk, m)$.
$\mathrm{Dec}$ is a deterministic polynomial-time decryption algorithm that takes as input a secret key $sk$ and a ciphertext $c$ and outputs a message $m$. We write the syntax as $m = \mathrm{Dec}(sk, c)$.
$\mathrm{Add}$ takes two ciphertexts $c_1$ and $c_2$ and outputs a ciphertext $c$ which corresponds to the component-wise addition of $c_1$ and $c_2$ reduced modulo $pk$. We write the syntax as $c = \mathrm{Add}(pk, c_1, c_2)$.
$\mathrm{SDiv}$ takes a ciphertext $c_1$ and a scalar $\alpha$ and outputs a ciphertext $c$ which corresponds to the scalar division of all elements of $c_1$ by $\alpha$ reduced modulo $pk$. We write the syntax as $c = \mathrm{SDiv}(pk, c_1, \alpha)$.
Correctness requires the following:
1) For all $sk, pk$ output by $\mathrm{Gen}$, and all $m \in \mathcal{M}$, we have $\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m$.
2) For all $c_i \leftarrow \mathrm{Enc}(sk, m_i)$, $i = 1, 2$, and all $\alpha \in \mathcal{M}$ where $\alpha \neq 0$, the following holds:
$$\mathrm{Dec}(sk, \mathrm{Enc}(sk, \mathrm{Add}(pk, c_1, c_2))) = m_1 + m_2, \qquad \mathrm{Dec}(sk, \mathrm{Enc}(sk, \mathrm{SDiv}(pk, c_1, \alpha))) = m_1/\alpha. \quad (2)$$
Definition 2: (Security of $\Pi$) A HE scheme $\Pi$ is secure if for a uniform $m \in \mathcal{M}$, all $(sk, pk) \leftarrow \mathrm{Gen}(1^{\lambda})$ and all $c \leftarrow \mathrm{Enc}(sk, m)$, no efficient adversary $\mathcal{A}$ can recover $m$ by knowing only $pk$ and $c$.
B. Key Update Protocol
We now define the syntax of a key update protocol:
Definition 3: (Key Update Protocol $\Sigma$) A key update protocol denoted as $\Sigma = (\mathrm{TokGen}, \mathrm{KeyUpd})$ is a tuple of efficient algorithms with the following syntax:
$\mathrm{TokGen}$ is a deterministic polynomial-time token generation algorithm that takes an old secret key $sk_{old}$ and a new secret key $sk_{new}$ and outputs a token $t$. We write the syntax as $t = \mathrm{TokGen}(sk_{old}, sk_{new})$.
$\mathrm{KeyUpd}$ is a deterministic polynomial-time key update algorithm that takes a token $t$ and a ciphertext $c_{old}$, previously encrypted with $sk_{old}$, and outputs a ciphertext $c_{new}$ that is encrypted with $sk_{new}$. We write the syntax as $c_{new} = \mathrm{KeyUpd}(t, c_{old})$.
Definition 4: (Security of $\Sigma$) The key update protocol $\Sigma$ is secure if for all uniform $sk_{old}$ and $sk_{new}$ output by $\mathrm{Gen}(1^{\lambda})$ and $t$ output by $\mathrm{TokGen}$, the probability of any efficient adversary $\mathcal{A}$ recovering either $sk_{old}$ or $sk_{new}$ by knowing $t$, $c_{old}$ and $c_{new}$ is negligible.
Footnote 1: The security parameter is usually given in unary notation, which indicates a $\lambda$-bit string of 1s, so the efficiency of the algorithm is expected to be polynomial-time in $\lambda$.
III. DESCRIPTION OF THE HE SCHEME
In this section we propose a construction that aims to satisfy the definitions in Section II-A. But first let us introduce our motivation and a couple of useful remarks and definitions.
Motivation 1: We want to design a HE scheme that is secure based on the assumption that solving an underdetermined system of equations is computationally hard. In order to achieve this goal we propose a design of an encryption function based on randomness and underdeterminacy. We want to transform a message $m$ into a random multivector $\bar{M} \in \mathbb{G}^3_q$ where a particular combination of addition and subtraction of its coefficients results in $m$, which implies that we have a different ciphertext even if we encrypt the same message multiple times. We also want to perform a modular multiplication using a secret factor, which implies that recovering $m$ requires a modular multiplicative inverse operation with an unknown operand. Finally, we want to "seal" the randomly generated and modularly displaced multivector with two secret key multivectors via a triple geometric product. In doing so, we expect to pose a challenge when attempting to recover a plaintext message from any given ciphertext, which is equivalent to solving a non-redundant underdetermined system of equations.
Motivation 2: We want to build an encryption scheme to be applied in a private (permissioned) blockchain among trusted parties. Thus, we are providing privacy in a trusted environment, assuming that all the parties must follow a given protocol.
Remark 1: Due to Motivation 2, we assume that a relaxed threat model is in place where the adversary is not supposed to have any knowledge about the message that originated a given ciphertext. This allows us to propose an experimental and compact solution to solve Problems 1 and 2. Although this is not enough for some real-world applications, it allows us to introduce and discuss instances of a new approach for expanding BT capabilities with HE.
In Definition 1, the algorithm $\mathrm{SDiv}$, for any useful result, might imply a fractional output. We will introduce a construction in which the encryption function receives positive integers as inputs and generates ciphertexts where the underlying computation is performed over the integers modulo a prime. Since $\mathrm{Enc}$ takes integers in $\mathbb{Z}_q$ as input and generates ciphertexts also over integers in $\mathbb{Z}_q$, the decryption function is expected to output integers in $\mathbb{Z}_q$. The algorithm $\mathrm{Add}$ performs homomorphic addition of ciphertexts, and the decryption of the result is also an integer. However, in the specific case of $\mathrm{SDiv}$, a ciphertext is divided by a scalar, which might result in a non-integer rational number. The scalar division is performed over the integers, with the modular multiplicative inverse. In order to map the integer result of a scalar division to its corresponding rational representation we will use the Extended Euclidean Algorithm (EEA) according to Definition 5.
Definition 5: (Extended Euclidean Algorithm - EEA) Given a prime $p$ and a positive integer $c \in \mathbb{Z}_p$, let the EEA be computed as follows:
1) Set $a_0 = p$, $a_1 = c$, $b_0 = 0$, $b_1 = 1$, $i = 1$.
2) While $a_i > \lfloor\sqrt{p/2}\rfloor$ compute $q = \lfloor a_{i-1}/a_i \rfloor$, $a_{i+1} = a_{i-1} - q a_i$, $b_{i+1} = b_{i-1} - q b_i$, $i = i + 1$.
3) $a/b = a_i/b_i$.
4) Return $a/b$. We write the syntax as $a/b = \mathrm{EEA}(p, c)$.
In other words, $\mathrm{SDiv}$ allows us to compute a homomorphic scalar division operation that, when decrypted, will originally result in an integer. The EEA in Definition 5 takes a prime $p$ and an integer $c$ as input and outputs the rational representation of $c$. Now we are ready to introduce constructions that satisfy the definitions in Section II-A.
$\mathrm{Gen}$ takes as input $1^{\lambda}$ and proceeds as follows: (1) set $b = \lambda/8$; (2) let $q$ be the smallest prime greater than $2^b$; (3) choose 16 uniform $b$-bit integers and define $\bar{K}_1, \bar{K}_2 \in \mathbb{G}^3_q$ such that the first 8 integers are the coefficients of $\bar{K}_1$ and the second 8 integers are the coefficients of $\bar{K}_2$; the generated $\bar{K}_1, \bar{K}_2$ must have an inverse, otherwise another 16 $b$-bit integers must be uniformly chosen and transformed into the secret key multivectors $\bar{K}_1, \bar{K}_2$ until they have an inverse; (4) choose a uniform $b$-bit integer $g$; and (5) output the secret key $sk = (\bar{K}_1, \bar{K}_2, g)$ and the public evaluation key $pk = (b, q)$. The message space is originally defined by $\mathcal{M} = \mathbb{Z}_q$.
$\mathrm{Enc}$ takes as input $sk = (\bar{K}_1, \bar{K}_2, g)$ and $m$ and proceeds as follows:
1) Let $m_0, \ldots, m_{123}$, with the exception of $m_{12}$, be uniformly chosen from the set $\{0, \ldots, 2^b - 1\}$, and compute $m_{12}$ as follows:
$$m_{12} = |{-m_0 - m_1 + m_2 + m_3 - m_{13} + m_{23} + m_{123} + m}|_q. \quad (3)$$
2) For $j \in \{0, 1, 2, 3, 12, 13, 23, 123\}$, define $\bar{M}$ such that
$$\bar{M} = \sum_{j} m_j \bar{e}_j. \quad (4)$$
3) Compute $\bar{M}' = \bar{M}g$ and output $\bar{C} = \bar{K}_1 \bar{M}' \bar{K}_2$.
$\mathrm{Dec}$ takes as input $sk = (\bar{K}_1, \bar{K}_2, g)$ and $\bar{C} \in \mathbb{G}^3_q$ and proceeds as follows:
1) Retrieve $\bar{M}' = \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1}$ and $\bar{M} = \bar{M}'/g$.
2) Compute $m$ such that
$$m = |m_0 + m_1 - m_2 - m_3 + m_{12} + m_{13} - m_{23} - m_{123}|_q. \quad (5)$$
3) Update the value of $m$ by mapping it to a rational format such that $m = a/b = \mathrm{EEA}(q, m)$. Output $m$.
$\mathrm{Add}$ takes as input $pk$ and $\bar{C}_1, \bar{C}_2 \in \mathbb{G}^3_q$ and computes and outputs $\bar{C}$ as a component-wise addition of the coefficients of $\bar{C}_1, \bar{C}_2$.
$\mathrm{SDiv}$ takes as input $pk$, $\bar{C}_1 \in \mathbb{G}^3_q$ and a scalar $\alpha$ in $\mathbb{Z}_q$, and computes and outputs $\bar{C}$ as a scalar division of all elements in $\bar{C}_1$ by $\alpha$, which is denoted by $\bar{C}_1/\alpha$.
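The scheme just described, implemented end to end in Ruby as an added example (this is not the authors' library): a minimal $\mathbb{G}^3_q$ multivector type with the geometric product and the inverse of equation (1), the EEA of Definition 5, and Gen, Enc, Dec, Add and SDiv as specified above. Everything beyond the text is an assumption of this example: the names MV, IDX, eea, key_mv, gen, enc, dec, add and sdiv; coefficients stored by blade bitmask; enc receiving pk as an extra argument so it can read b and q; and g being resampled if it comes out as 0 (the text only asks for a uniform b-bit integer). With λ = 128 one gets b = 16 and q = 65537, so inputs and results must stay inside Z_u with u = 181 for the EEA to reconstruct them, which is the message-space reduction stated after Lemma 5.

```ruby
require 'securerandom'

# A coefficient's index is its blade bitmask (bit0 = e1, bit1 = e2, bit2 = e3), so
# index 3 = e12, 5 = e13, 6 = e23, 7 = e123. IDX maps the paper's labels to indices.
IDX = { 0 => 0, 1 => 1, 2 => 2, 3 => 4, 12 => 3, 13 => 5, 23 => 6, 123 => 7 }.freeze

# A multivector of G^3_q: eight coefficients reduced modulo the prime q.
class MV
  attr_reader :c, :q
  def initialize(coeffs, q) @q = q; @c = coeffs.map { |x| x % q } end
  def ==(o) @c == o.c end
  def +(o) MV.new(@c.zip(o.c).map { |x, y| x + y }, @q) end
  def scale(a) MV.new(@c.map { |x| x * a }, @q) end
  def sdiv(a) scale(a.pow(@q - 2, @q)) end   # divide by a = multiply by a^-1 mod q (Fermat)

  # Sign of reordering blade a followed by blade b into canonical order; every basis
  # vector squares to +1 in Cl(3,0), so this is the only sign in the product table.
  def self.blade_sign(a, b)
    swaps = 0
    while (a >>= 1) > 0
      swaps += (a & b).digits(2).sum   # vectors of b that a vector of a must pass
    end
    swaps.even? ? 1 : -1
  end

  # Geometric product with every coefficient reduced modulo q.
  def *(o)
    out = Array.new(8, 0)
    8.times { |i| 8.times { |j| out[i ^ j] += MV.blade_sign(i, j) * @c[i] * o.c[j] } }
    MV.new(out, @q)
  end

  # Grade = popcount of the index. Reverse negates grades 2 and 3; Clifford
  # conjugation negates grades 1 and 2.
  def involute(neg) MV.new(@c.each_with_index.map { |x, i| neg.include?(i.digits(2).sum) ? -x : x }, @q) end
  def reverse() involute([2, 3]) end
  def conj() involute([1, 2]) end

  # Equation (1): M^-1 = conj(M) N^dagger (N N^dagger)^-1 with N = M conj(M). In G^3,
  # N has only grades 0 and 3, so N N^dagger is a scalar and its inverse is taken in Z_q.
  def inverse
    n = self * conj
    d = n * n.reverse
    raise 'N N^dagger is not a scalar' unless d.c[1, 7].all?(&:zero?)
    raise 'multivector has no inverse' if d.c[0].zero?
    (conj * n.reverse).scale(d.c[0].pow(@q - 2, @q))
  end
end

def prime?(n) n > 1 && (2..Integer.sqrt(n)).none? { |d| (n % d).zero? } end

# Definition 5: rational reconstruction of c mod p, stopping at the first
# remainder not above u = floor(sqrt(p/2)).
def eea(p, c)
  u = Integer.sqrt(p / 2)
  a0, a1, b0, b1 = p, c, 0, 1
  while a1 > u
    t = a0 / a1
    a0, a1, b0, b1 = a1, a0 - t * a1, b1, b0 - t * b1
  end
  Rational(a1, b1)
end

# Resample eight uniform b-bit coefficients until the multivector is invertible.
def key_mv(b, q)
  loop do
    k = MV.new(Array.new(8) { SecureRandom.random_number(2**b) }, q)
    return k if (k.inverse rescue false)
  end
end

# Gen: b = lambda/8, q the smallest prime above 2^b, sk = (K1, K2, g), pk = (b, q).
def gen(lam)
  b = lam / 8
  q = 2**b + 1
  q += 1 until prime?(q)
  g = 0
  g = SecureRandom.random_number(2**b) while g.zero?   # added guard: g must be invertible
  [{ k1: key_mv(b, q), k2: key_mv(b, q), g: g }, { b: b, q: q }]
end

# Enc: uniform coefficients except m12, which equation (3) fixes so that the signed
# sum of equation (5) returns m; then M' = M g and C = K1 M' K2.
# (pk is passed in for b and q; the paper's syntax takes only sk and m.)
def enc(sk, pk, m)
  v = Array.new(8) { SecureRandom.random_number(2**pk[:b]) }
  v[IDX[12]] = -v[IDX[0]] - v[IDX[1]] + v[IDX[2]] + v[IDX[3]] - v[IDX[13]] + v[IDX[23]] + v[IDX[123]] + m
  sk[:k1] * MV.new(v, pk[:q]).scale(sk[:g]) * sk[:k2]
end

# Dec: M' = K1^-1 C K2^-1, M = M'/g, m from equation (5), then EEA(q, m).
def dec(sk, c)
  v = (sk[:k1].inverse * c * sk[:k2].inverse).sdiv(sk[:g]).c
  m = v[IDX[0]] + v[IDX[1]] - v[IDX[2]] - v[IDX[3]] + v[IDX[12]] + v[IDX[13]] - v[IDX[23]] - v[IDX[123]]
  eea(c.q, m % c.q)
end

def add(c1, c2) c1 + c2 end                 # component-wise addition mod q
def sdiv(c1, alpha) c1.sdiv(alpha) end      # scalar division by alpha mod q

sk, pk = gen(128)   # b = 16, q = 65537; keep inputs and results in Z_181 (u = floor(sqrt(q/2)))
puts dec(sk, sdiv(add(enc(sk, pk, 50), enc(sk, pk, 70)), 7))   # 120/7
```

The inverse check in MV#inverse is the practical test for step (3) of Gen: a key whose $N N^{\dagger}$ reduces to 0 modulo q is a zero divisor and is resampled. The final line computes the arithmetic mean of two encrypted records the way the paper motivates SDiv (sum, then divide by a count, here 7 to show a non-integer result); because the EEA bound is $\lfloor\sqrt{q/2}\rfloor$, a sum or numerator that leaves Z_u would be reconstructed as the wrong rational, which is exactly why the message space is shrunk to Z_u.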
Lemma 1: For all uniformly generated coefficients $m_j \in \mathbb{Z}_q$ of $\bar{M} \in \mathbb{G}^3_q$, where $j \in \{0, 1, 2, 3, 12, 13, 23, 123\}$, $q$ is prime, and for all $m_{12}$ as defined in (3), the result in (5) holds.
Proof: Given the definition of $m_{12}$ in (3), let us rewrite (5) as $m = m_a + m_b$ such that
$$m_a = m_0 + m_1 - m_2 - m_3 + m_{12}, \quad (6)$$
$$m_b = m_{13} - m_{23} - m_{123}. \quad (7)$$
If we substitute for $m_{12}$ in (6) we have:
$$m_a = m - m_{13} + m_{23} + m_{123}, \quad (8)$$
so when we compute $m_a + m_b$, adding (7) and (8), we obtain
$$m_a + m_b = m - m_{13} + m_{23} + m_{123} + m_{13} - m_{23} - m_{123} = m. \quad (9)$$
Lemma 2: For any prime $q$, any non-zero $g \in \mathbb{Z}_q$ and any $\bar{M} \in \mathbb{G}^3_q$, we define $\bar{M}' = \bar{M}g$ such that $\bar{M}'/g = \bar{M}$, where $\bar{M}'/g$ is equivalent to $\bar{M}'x$ and $x$ is the modular multiplicative inverse of $g \bmod q$.
Proof: For any prime $q$, all non-zero elements $g \in \mathbb{Z}_q$ have a unique modular multiplicative inverse $x = |g^{-1}|_q$ such that $|gx|_q = 1$. When we compute $\bar{M}' = \bar{M}g$, we recover $\bar{M}$ by performing the scalar division of $\bar{M}'$ by $g$, denoted by $\bar{M}'/g$, which is in fact equivalent to the scalar multiplication of $\bar{M}'$ by $|g^{-1}|_q$. Since $q$ is prime, for all $g > 0$ we have an $x$ such that $|gx|_q = 1$, where $g, x \in \mathbb{Z}_q$. According to Bézout's identity [43], if $\gcd(g, q) = 1$, then we can write
$$gx + qy = \gcd(g, q) = 1, \quad (10)$$
where $x, y$ have integer solutions. We can then rewrite (10) as $gx - 1 = -yq$ and $gx = 1 \bmod q$, and thus $x$ is the modular multiplicative inverse of $g$ with respect to $q$.
For small values of $q$ one can naively compute $x$ by iterating $x$ from $1$ to $q - 1$ until finding the result that satisfies $|gx|_q = 1$. However, a better way is to use the Extended Euclidean Algorithm (EEA) [44], which can efficiently compute modular multiplicative inverses for large values of $g$ and $q$ as long as $\gcd(g, q) = 1$.
Theorem 1: For all $sk$ output by $\mathrm{Gen}$ and $m \in \mathbb{Z}_q$, we have $\mathrm{Dec}(sk, \mathrm{Enc}(sk, m)) = m$.
Proof: Recall that in the definition of $\mathrm{Gen}$, $\bar{K}_1, \bar{K}_2$ must have an inverse. Therefore, for all $sk = (\bar{K}_1, \bar{K}_2, g)$ and all $m \in \mathbb{Z}_q$, we obtain $\bar{M}'$ as $\bar{M}' = \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1}$. By applying Lemma 2, we recover $\bar{M}$ from $\bar{M}'$, and we recover $m$ from $\bar{M}$ by applying Lemma 1.
Lemma 3: For all $a, b \in \mathbb{Z}_q$ that are transformed into $\bar{A}, \bar{B} \in \mathbb{G}^3_q$ according to the first two steps of the $\mathrm{Enc}$ algorithm, decoding $\bar{A} + \bar{B}$ back to a scalar in $\mathbb{Z}_q$ results in $a + b$, and therefore the transformation of $a, b$ into $\bar{A}, \bar{B}$ is homomorphic with respect to addition.
Proof: For all $a, b \in \mathbb{Z}_q$ that are represented by $\bar{A}, \bar{B} \in \mathbb{G}^3_q$, respectively, the coefficients of $\bar{A}, \bar{B}$ are all uniform in $\mathbb{Z}_q$ with the exception of $a_{12}$ in $\bar{A}$ and $b_{12}$ in $\bar{B}$, which are both defined as in (3). Let $\bar{S} = \bar{A} + \bar{B}$. The multivector addition is performed element-wise, where $s_j = a_j + b_j$ for $j \in \{0, 1, 2, 3, 13, 23, 123\}$. For the particular case of $s_{12} = a_{12} + b_{12}$ we have:
$$s_{12} = a - a_0 - a_1 + a_2 + a_3 - a_{13} + a_{23} + a_{123} + b - b_0 - b_1 + b_2 + b_3 - b_{13} + b_{23} + b_{123}. \quad (11)$$
If we organize the coefficients of $\bar{S}$ as
$$s_a = a_0 + a_1 - a_2 - a_3 + b_0 + b_1 - b_2 - b_3, \quad s_b = s_{12}, \quad s_c = a_{13} - a_{23} - a_{123} + b_{13} - b_{23} - b_{123}, \quad (12)$$
we compute $s_a + s_b$ to obtain
$$s_a + s_b = a - a_{13} + a_{23} + a_{123} + b - b_{13} + b_{23} + b_{123} = a + b - s_c, \quad (13)$$
so, essentially, computing $s_a + s_b + s_c$ gives $s_a + s_b + s_c = a + b$.
Lemma 4: Lemma 2 also applies to scalar multiplication and scalar division of all $\bar{A}, \bar{B} \in \mathbb{G}^3_q$ by all nonzero scalars $g \in \mathbb{Z}_q$.
Proof: Recall that scalar division by $g \bmod q$ is a scalar multiplication by $g^{-1} \bmod q$. A multivector scalar multiplication holds the properties of additivity in the scalar and additivity in the (multi)vector [45], and, therefore, we have $\bar{A}g + \bar{B}g = (\bar{A} + \bar{B})g$.
Lemma 5: For all prime $q$, $\bar{C}_1 \leftarrow \mathrm{Enc}(sk, m)$ and $\alpha \in \mathbb{Z}_u$, where $u = \lfloor\sqrt{q/2}\rfloor$, the following holds:
$$m/\alpha = \mathrm{Dec}(sk, \mathrm{SDiv}(pk, \bar{C}_1, \alpha)). \quad (14)$$
Proof: On the encrypted domain, where computation is performed modulo $q$, for $q$ a prime, the scalar division of $\bar{C}_1$ by $\alpha$ is achieved via the scalar multiplication of $\bar{C}_1$ by the modular multiplicative inverse of $\alpha$ with respect to $q$. If we let $\bar{C} = \mathrm{SDiv}(pk, \bar{C}_1, \alpha)$, the decryption of $\bar{C}$ will result in the integer representation of $m$ divided by $\alpha$, that is, $|m\alpha^{-1}|_q$. Since the definition of $\mathrm{Dec}$ in Section III requires a rational output in order to accommodate the results from computation including $\mathrm{SDiv}$, we need to use the EEA in Definition 5 to achieve this goal. If we let $c = |m\alpha^{-1}|_q$, the EEA, whose standard implementation computes all the convergents of $c/q$ [46], will output the first convergent of $c/q$ whose numerator satisfies $a_i \le u$ (according to the modified version presented in Definition 5), for $u = \lfloor\sqrt{q/2}\rfloor$. This result implies $c = m/\alpha$. To prove this equivalence, we can rewrite $m$ as a Diophantine equation [47] where there is an integer solution for $k$ such that $m = \alpha c + kq$. We can now write the solution for $k$ as $k = (m - \alpha c)/q$. It is clear that $c = (m - kq)/\alpha$, and since $(m - kq) \bmod q = m$, we have $c = m/\alpha \bmod q$.
Due to Lemma 5, and since we assume that homomorphic scalar divisions will always occur, in order to guarantee the desired result of scalar divisions over encrypted data, we reduce the message space originally defined as $\mathbb{Z}_q$ in $\mathrm{Gen}$ to $\mathbb{Z}_u$, for $u = \lfloor\sqrt{q/2}\rfloor$.
Theorem 2: (Correctness of $\Pi$) For all $(sk, pk)$ output by $\mathrm{Gen}$, $\bar{C}_1, \bar{C}_2 \in \mathbb{G}^3_q$, and $m_1, m_2, \alpha \in \mathbb{Z}_q$, the following holds:
$$\mathrm{Dec}(sk, \mathrm{Add}(pk, \mathrm{Enc}(sk, m_1), \mathrm{Enc}(sk, m_2))) = m_1 + m_2, \quad (15)$$
and $\mathrm{Dec}(sk, \mathrm{SDiv}(pk, \mathrm{Enc}(sk, m_1), \alpha)) = m_1/\alpha$.
Proof: Given $m_1, m_2, \alpha \in \mathbb{Z}_q$, $sk = (\bar{K}_1, \bar{K}_2, g)$, and $pk = q$, we compute $\bar{C}_1, \bar{C}_2 \in \mathbb{G}^3_q$ as follows:
$$\bar{C}_1 = \mathrm{Enc}(sk, m_1), \quad \bar{C}_2 = \mathrm{Enc}(sk, m_2). \quad (16)$$
We compute $\bar{C} = \mathrm{Add}(pk, \bar{C}_1, \bar{C}_2)$. When decrypting $\bar{C}$ we have:
$$\begin{aligned}
\mathrm{Dec}(sk, \bar{C}) &= \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1} = \bar{K}_1^{-1}(\bar{C}_1 + \bar{C}_2)\bar{K}_2^{-1} \\
&= \bar{K}_1^{-1} \bar{C}_1 \bar{K}_2^{-1} + \bar{K}_1^{-1} \bar{C}_2 \bar{K}_2^{-1} \\
&= \bar{K}_1^{-1} \bar{K}_1 \bar{M}'_1 \bar{K}_2 \bar{K}_2^{-1} + \bar{K}_1^{-1} \bar{K}_1 \bar{M}'_2 \bar{K}_2 \bar{K}_2^{-1} \\
&= \bar{M}'_1 + \bar{M}'_2. \quad (17)
\end{aligned}$$
By applying Lemmas 3 and 4 we obtain $m_1 + m_2$. Similarly, let $\bar{C} = \mathrm{SDiv}(pk, \bar{C}_1, \alpha)$; then
$$\begin{aligned}
\mathrm{Dec}(sk, \bar{C}) &= \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1} = \bar{K}_1^{-1} \bar{C}_1 \alpha^{-1} \bar{K}_2^{-1} \\
&= \bar{K}_1^{-1} \bar{K}_1 \bar{M}'_1 \bar{K}_2 \bar{K}_2^{-1} \alpha^{-1} = \bar{M}'_1 \alpha^{-1}. \quad (18)
\end{aligned}$$
By applying Lemmas 3, 4 and 5 we obtain $m_1/\alpha$.
Theorem 3: For all ciphertexts $\bar{C}$ output by $\mathrm{Enc}$, an adversary $\mathcal{A}$ can efficiently recover $m$ from $\bar{C}$ without knowing anything other than $\bar{C}$ if and only if $\mathcal{A}$ can efficiently solve a system of equations with 8 non-redundant equations and 24 unknowns.
Proof: Let a multivector $\bar{A} \in \mathbb{G}^3_q$ be written as
$$\bar{A} = \langle A \rangle_0 + \langle A \rangle_1 + \langle A \rangle_2 + \langle A \rangle_3, \quad (19)$$
where $\langle \cdot \rangle_i$, for $i \in \{0, 1, 2, 3\}$, is called a multivector grade. Grades 0 and 3 contain a single element each and grades 1 and 2 contain three elements each, for a total of 8 elements. Given $\bar{C} \in \mathbb{G}^3_q$ such that $\bar{C} = \bar{K}_1 \bar{M}' \bar{K}_2$, we can write $\bar{C} = \sum_{i=0}^{3} \langle \bar{K}_1 \bar{M}' \bar{K}_2 \rangle_i$. Similarly, if one wants to recover $\bar{M}'$ they need to compute $\bar{M}' = \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1} = \sum_{i=0}^{3} \langle \bar{K}_1^{-1} \bar{C} \bar{K}_2^{-1} \rangle_i$. Assuming the adversary $\mathcal{A}$ only knows $\bar{C}$, an attack to recover $\bar{M}$ from $\bar{C}$ can be formulated by solving a system of equations of the form
$$\langle \bar{C} \rangle_i = \langle \bar{K}_1 \bar{M}' \bar{K}_2 \rangle_i, \quad (20)$$
where each element of $\bar{C}$ can be computed from a combination of the elements of $\bar{K}_1$, $\bar{M}'$ and $\bar{K}_2$ according to the rules of the geometric product, for a total of 8 equations. Since $\bar{K}_1$, $\bar{M}'$, and $\bar{K}_2$ are unknowns, and each also has a total of 8 elements, the adversary $\mathcal{A}$ is faced with a total of 24 unknown variables. This means that the system of equations the adversary needs to solve in order to recover $\bar{M}'$ from $\bar{C}$ is considered an underdetermined system, i.e., a system that has fewer equations than unknowns. As for any underdetermined system, the number of basic variables is given by the number of equations, thus we have $24 - 8 = 16$ free variables. Therefore, in order to recover $m$ from $\bar{C}$ by only knowing $\bar{C}$, it is required that $\mathcal{A}$ first solve the above described underdetermined system of equations. If $\mathcal{A}$ can solve this type of system, then $\mathcal{A}$ can solve for $m$, and vice versa.
Lemma 6: The proposed HE scheme is secure assuming that no adversary $\mathcal{A}$ can efficiently solve (that is, solve in polynomial time) an underdetermined system of equations whose underdeterminacy is unaffected by the number of ciphertext samples under consideration.
Proof: Given $\bar{C}_1 = \text{Enc}(sk, m_1)$, $\bar{C}_2 = \text{Enc}(sk, m_2)$, and $\bar{C} = \text{Add}(pk, \bar{C}_1, \bar{C}_2)$, an adversary $\mathcal{A}$ may try to solve for $\bar{M}'_1$ and $\bar{M}'_2$ and/or simply for $\bar{M}' = \bar{M}'_1 + \bar{M}'_2$, by organizing a system of equations as in (20), such that
$$\langle\bar{C}_1\rangle_i = \langle\bar{K}_1\bar{M}'_1\bar{K}_2\rangle_i, \quad \langle\bar{C}_2\rangle_i = \langle\bar{K}_1\bar{M}'_2\bar{K}_2\rangle_i, \quad \langle\bar{C}\rangle_i = \langle\bar{K}_1\bar{M}'\bar{K}_2\rangle_i. \tag{21}$$
The system would then have a total of 24 equations (8 for each ciphertext) and 32 unknowns if solving for both $\bar{M}'_1$ and $\bar{M}'_2$, or 24 unknowns if solving for $\bar{M}'$. However, notice that
$$\langle\bar{C}\rangle_i = \langle\bar{K}_1\bar{M}'\bar{K}_2\rangle_i = \langle\bar{K}_1\bar{M}'_1\bar{K}_2\rangle_i + \langle\bar{K}_1\bar{M}'_2\bar{K}_2\rangle_i = \langle\bar{K}_1(\bar{M}'_1 + \bar{M}'_2)\bar{K}_2\rangle_i, \tag{22}$$
i.e., the 8 equations with respect to the elements of $\bar{C}$ are generated as a sum of the equations with respect to $\bar{C}_1$ and $\bar{C}_2$, and are therefore redundant, which reduces the total number of non-redundant equations to 16. Hence, the resulting system, whether solving for both $\bar{M}'_1$ and $\bar{M}'_2$ or for $\bar{M}'$ only, is underdetermined and can have an infinite number of solutions. Similarly, if we compute $\bar{C} = \text{SDiv}(pk, \bar{C}_1, \alpha)$, then
$$\langle\bar{C}\rangle_i = \langle\bar{K}_1\bar{M}'\bar{K}_2\rangle_i = \langle\bar{K}_1(\bar{M}'_1\alpha^{-1})\bar{K}_2\rangle_i = \alpha^{-1}\langle\bar{K}_1\bar{M}'_1\bar{K}_2\rangle_i. \tag{23}$$
Notice that the equations for the elements of $\bar{C}$ are the result of $\alpha^{-1}$ multiplied by the equations with respect to the elements of $\bar{C}_1$, and hence are redundant. Therefore, the resulting system of equations for the scalar division case has a total of 8 non-redundant equations and 24 unknowns, which turns out to be an underdetermined system with an infinite number of possible solutions.
IV. DESCRIPTION OF THE KEY UPDATE PROTOCOL
In this section we propose a construction that aims to satisfy the definitions presented in Section II-B.
Motivation 3: We want to design a key update protocol that securely allows one to update the secret key of an existing ciphertext without revealing the corresponding message, the old key or the new key, again based on the assumption that solving a non-redundant underdetermined system of equations is computationally hard. In order to achieve this goal we propose a protocol design based on underdeterminacy. From the old and the new key we want to generate a token that is expected to reveal no information about either the old or the new key. Once the token is generated, one should be able to use it for changing the keys of an existing ciphertext under the old key, generating a new ciphertext under the new key. In this process, one should not be able to derive the underlying plaintext message.
TokGen takes as input two secret keys $sk_1 = (\bar{K}_{11}, \bar{K}_{12}, g_1)$ and $sk_2 = (\bar{K}_{21}, \bar{K}_{22}, g_2)$, the old and the new key, respectively, and computes and returns the token $t = (\bar{T}_1, \bar{T}_2)$ such that
$$\bar{T}_1 = \bar{K}_{21}\bar{K}_{11}^{-1}g_1^{-1}g_2, \quad \bar{T}_2 = \bar{K}_{12}^{-1}\bar{K}_{22}.$$
KeyUpd takes as input the token $t = (\bar{T}_1, \bar{T}_2)$ and an existing (old) ciphertext $\bar{C}_{old}$ and computes and outputs an updated (new) ciphertext $\bar{C}_{new}$ as $\bar{C}_{new} = \bar{T}_1\bar{C}_{old}\bar{T}_2$.
Theorem 4: For all $sk_1$ and $sk_2$ output by Gen, and all $\bar{T}_1$ and $\bar{T}_2$ output by TokGen, given that $\bar{C}_{old}$ is a ciphertext such that $\bar{C}_{old} = \bar{K}_{11}\bar{M}_{old}\bar{K}_{12}$, $\bar{M}_{old} = \bar{M}'g_1$, it holds that $\bar{C}_{new} = \bar{K}_{21}\bar{M}_{new}\bar{K}_{22}$, $\bar{M}_{new} = \bar{M}'g_2$.
Proof: Given the setup in Theorem 4, we verify that:
$$\begin{aligned}
\bar{C}_{new} &= \bar{T}_1\bar{C}_{old}\bar{T}_2 = \bar{K}_{21}\bar{K}_{11}^{-1}g_1^{-1}g_2\,\bar{K}_{11}\bar{M}'g_1\bar{K}_{12}\,\bar{K}_{12}^{-1}\bar{K}_{22} \\
&= \bar{K}_{21}\bar{M}'g_2\bar{K}_{22} = \bar{K}_{21}\bar{M}_{new}\bar{K}_{22}.
\end{aligned} \tag{24}$$
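As an added example (not the paper's own Ruby library), the following models Enc, Dec, Add and SDiv from the proof of Theorem 2 together with TokGen and KeyUpd from this section over $\mathbb{G}^3_q = \mathrm{Cl}(3,0)$ with coefficients in $\mathbb{Z}_q$, so that equation (24) can be checked numerically. It assumes $q$ is prime, that a message is an arbitrary multivector $\bar{M}$, and that $\bar{M}$ is recovered from $\bar{M}' = \bar{M}g$ by dividing by $g$ (the mapping between $m$ and $\bar{M}$ via Lemmas 3 to 5 is not on this page and is not modelled); the multivector inverse uses the standard fact that $\bar{M}$ times its Clifford conjugate is central in $\mathrm{Cl}(3,0)$.

```ruby
# Added example, not the paper's clifford-key-update library: a minimal model of Enc/Dec,
# Add, SDiv, TokGen and KeyUpd over G^3_q = Cl(3,0) with coefficients in Z_q (q prime).
# Basis order [1, e1, e2, e3, e12, e13, e23, e123]; a blade's array index is its bitmask.
# Assumed: a message is a multivector M, recovered from M' = M*g by dividing by g
# (the paper's Lemmas 3-5, which map m to and from M, are not modelled here).
class Multivector
  attr_reader :c, :q
  def initialize(coeffs, q)
    @q = q
    @c = coeffs.map { |x| x % q } # expects 8 coefficients, reduced mod q
  end
  # Sign from reordering blades a and b (bitmasks) into canonical order; e_i^2 = +1.
  def self.blade_sign(a, b)
    swaps = 0
    a >>= 1
    while a != 0
      swaps += (a & b).to_s(2).count('1')
      a >>= 1
    end
    swaps.even? ? 1 : -1
  end
  # Geometric product: blade i times blade j lands on blade i XOR j.
  def *(other)
    out = Array.new(8, 0)
    8.times { |i| 8.times { |j| out[i ^ j] += self.class.blade_sign(i, j) * c[i] * other.c[j] } }
    Multivector.new(out, q)
  end
  # Multivector addition; Add of the scheme is exactly this on ciphertexts (equation 17).
  def +(other)
    Multivector.new(c.zip(other.c).map { |x, y| x + y }, q)
  end
  def scale(s) # by a scalar of Z_q, which commutes with every multivector
    Multivector.new(c.map { |x| x * s }, q)
  end
  # Clifford conjugation: negates grades 1 and 2, keeps grades 0 and 3.
  def conjugate
    Multivector.new(c.each_with_index.map { |x, i| [1, 2].include?(i.to_s(2).count('1')) ? -x : x }, q)
  end
  # M*conj(M) = a + b*e123 is central in Cl(3,0) and e123^2 = -1, hence
  # M^-1 = conj(M)(a - b*e123)/(a^2 + b^2); M is a zero divisor when a^2 + b^2 = 0 mod q.
  def inverse
    n = self * conjugate
    a, b = n.c[0], n.c[7]
    d = (a * a + b * b) % q
    raise 'multivector is not invertible mod q' if d.zero?
    conjugate * Multivector.new([a, 0, 0, 0, 0, 0, 0, -b], q).scale(d.pow(q - 2, q))
  end
end

Q = 2_147_483_647 # prime modulus chosen for this example
def mod_inv(x, q)
  x.pow(q - 2, q) # Fermat inverse; q is prime and x is never 0 here
end

# Gen: sk = [K1, K2, g]; a key that is a zero divisor (probability about 2/q) is resampled.
def gen(rng, q = Q)
  keys = Array.new(2) { Multivector.new(Array.new(8) { rng.rand(q) }, q) }
  keys.each(&:inverse)
  keys << rng.rand(1...q)
rescue RuntimeError
  retry
end
# Enc: C = K1 (M g) K2.  Dec: K1^-1 C K2^-1 = M', then M = M' g^-1 (assumed step).
def enc(sk, m)
  sk[0] * m.scale(sk[2]) * sk[1]
end
def dec(sk, c)
  (sk[0].inverse * c * sk[1].inverse).scale(mod_inv(sk[2], c.q))
end
# SDiv: multiply the ciphertext by alpha^-1 in Z_q (equation 18).
def sdiv(c, alpha)
  c.scale(mod_inv(alpha, c.q))
end

# TokGen: T1 = K21 K11^-1 g1^-1 g2, T2 = K12^-1 K22, with sk1 = [K11, K12, g1], sk2 = [K21, K22, g2].
def tok_gen(sk1, sk2)
  k11, k12, g1 = sk1
  k21, k22, g2 = sk2
  [(k21 * k11.inverse).scale(mod_inv(g1, k11.q) * g2), k12.inverse * k22]
end

# KeyUpd: C_new = T1 C_old T2, which equals K21 (M g2) K22 by equation (24).
def key_upd(t, c_old)
  t[0] * c_old * t[1]
end
```

Decrypting `key_upd(tok_gen(sk1, sk2), enc(sk1, m))` under `sk2` returns `m`, while the token alone never exposes a key multivector or `m`.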
Theorem 5: For all $sk_1 = (\bar{K}_{11}, \bar{K}_{12}, g_1)$ and $sk_2 = (\bar{K}_{21}, \bar{K}_{22}, g_2)$ output by Gen, all $\bar{T}_1, \bar{T}_2$ output by TokGen, all $\bar{C}_{old}$ output by Enc, and all $\bar{C}_{new}$ output by KeyUpd, an adversary $\mathcal{A}$ can recover $m$ from $\bar{C}_{new}$ if and only if $\mathcal{A}$ can efficiently solve a system of equations with more unknowns than non-redundant equations.
Proof: Given a token $t = (\bar{T}_1, \bar{T}_2)$ computed according to TokGen, $\bar{C}_{old} = \bar{K}_{11}\bar{M}'\bar{K}_{12} = \bar{K}_{11}\bar{M}g_1\bar{K}_{12}$ computed according to Enc, and $\bar{C}_{new} = \bar{T}_1\bar{C}_{old}\bar{T}_2$ computed according to KeyUpd, an adversary $\mathcal{A}$, with knowledge of $\bar{C}_{old}$, $t$, and $\bar{C}_{new}$, may try to solve for $\bar{M}$, and consequently obtain $m$ according to Dec, by organizing a system of equations of the form
$$\begin{aligned}
\langle\bar{C}_{old}\rangle_i &= \langle\bar{K}_{11}\bar{M}g_1\bar{K}_{12}\rangle_i, & \langle\bar{C}_{new}\rangle_i &= \langle\bar{T}_1\bar{C}_{old}\bar{T}_2\rangle_i, \\
\langle\bar{T}_1\rangle_i &= \langle\bar{K}_{21}\bar{K}_{11}^{-1}g_1^{-1}g_2\rangle_i, & \langle\bar{T}_2\rangle_i &= \langle\bar{K}_{12}^{-1}\bar{K}_{22}\rangle_i.
\end{aligned} \tag{25}$$
Notice that this system of equations contains a total of 32 equations (8 equations for each of the multivectors $\bar{C}_{old}$, $\bar{C}_{new}$, $\bar{T}_1$, and $\bar{T}_2$) and 42 unknowns (40 related to the multivectors $\bar{K}_{11}$, $\bar{K}_{12}$, $\bar{K}_{21}$, $\bar{K}_{22}$, and $\bar{M}$, and 2 related to the scalars $g_1$ and $g_2$). Therefore, the system is considered underdetermined as the number of unknowns surpasses the number of non-redundant equations.
Theorem 6: For all $sk_1 = (\bar{K}_{11}, \bar{K}_{12}, g_1)$ and $sk_2 = (\bar{K}_{21}, \bar{K}_{22}, g_2)$ output by Gen, all $\bar{T}_1, \bar{T}_2$ output by TokGen, all $\bar{C}_{old}$ output by Enc, and all $\bar{C}_{new}$ output by KeyUpd, an adversary $\mathcal{A}$ can efficiently recover $sk_1$ or $sk_2$ from $t$ if and only if $\mathcal{A}$ can efficiently solve a system of equations with 8 non-redundant equations and 16 unknowns.
Proof: The proof of Theorem 6 can be borrowed from the proof of Theorem 5, as the same system of equations and its characteristics apply in this case.
V. APPLICATION
In order to provide practical insights on how to connect the proposed constructions to real-world DLT-based systems, we introduce an illustrative design in which we apply our HE scheme and key update protocol. We describe an instance of Problem 2, where legal restrictions constrain the possible solutions. Due to space limitations, we cannot fully describe the system (e.g., the consensus mechanism), so we provide a high-level description of its building blocks.
Motivation 4: $300 billion out of more than $1.7 trillion are spent annually on medical research alone [48], where the reproducibility of experiments and scientific correctness are paramount. Moreover, healthcare systems operate under strict regulations [49], yielding a very siloed industry [18]. In such a scenario, DLTs have the potential to mediate access to data [50], avoiding power imbalance. With the addition of HE, a DLT system can protect the privacy of Electronic Medical Records (EMRs) while offering legally compliant analysis.
Definition 6: A Blockchain Application $BA$ is composed of:
User $U_A$: The data owner. $U_A$ persists information on-chain and decides when and to whom the ownership is transferred.
User $U_B$: A participant of the same consortium as $U_A$. $U_B$ has access to the off-chain cryptographic library and performs homomorphic computations on-chain. $U_B$ wants to get insights from data processed at the blockchain.
App component $AC$: Software that executes the HE scheme and the key update protocol. $AC$ imports the algorithms Gen, Enc, Dec, and TokGen.
Blockchain component $BC$: A system composed of the ledger and a smart contract that controls access to it. The smart contract imports Add, SDiv, and KeyUpd.
Definition 7: $BC$ is a tuple with the following efficient algorithms: NewRecord, GetRecords, GenReport, GenResult, GetReport and GetResult, such that
GenReport generates a report calculating the median from a given number of records. We write the syntax as GenReport(idsLedger). First, GetRecords is called, retrieving the records represented by idsLedger; then, Add operates the addition of the multivectors inside the records returned by GetRecords; SDiv takes all summed multivectors given by Add and divides by the number of records returned by GetRecords; finally, NewRecord is used to persist the aggregated data.
GenResult takes as input an id, idLedger, and the generated tokens $t$ to update the keys of a report. We write the syntax as GenResult(idLedger, t). First, GetReport is called, retrieving the report with id idLedger; second, KeyUpd is used to change the keys of report idLedger; finally, NewRecord is used to persist the resulting data.
GetResult takes as input idLedger and retrieves a report that had its keys updated. We use the syntax GetResult(idLedger).
Example 1: $U_A$ represents a hospital that owns patients’ records. $U_B$ stands for a research institution that performs analyses of patients’ data. A disease outbreak urged the aforementioned organizations to cooperate. Therefore, the hospital agreed to share information under a security protocol, which could lead to a better triage of patients and, perhaps, a path to a cure.
In the DLT environment, both institutions have a copy of the data, but their ownership is tied to their keys. Since the smart contract is using an HE scheme, computations can be performed homomorphically and the ownership of the resulting analysis can be transferred by $U_A$.
$U_B$ calculates the average number of pre-existing conditions for every expired patient, generating a report. Then, $U_A$ analyzes the result and decides to grant permission. To do so, a symmetric key is shared with $U_B$ through a traditional key exchange protocol. Now, $U_A$ updates the keys of the report, allowing $U_B$ to finally detect a high number of pre-existing conditions in patients that did not recover.
VI. AVAILABILITY
We implemented the HE scheme and the key update protocol using the Ruby programming language; the implementation is available at https://github.com/davidwilliam/clifford-key-update.
VII. CONCLUSIONS
Through practical constructions we demonstrated the realization of a homomorphic encryption (HE) scheme and a key update protocol as a strategy for expanding the current capabilities of blockchain technologies (BT). With a very small set of elementary functions found in Clifford geometric algebra, we were able to provide simple and yet efficient cryptographic protocols to equip BT with a homomorphic smart contract. Without violating current business logic constraints in BT, one can use our constructions to homomorphically analyze encrypted data, generate reports and transfer the data ownership without compromising the original key holder’s and/or third parties’ privacy. We provide evidence of the proposed algorithms’ correctness as well as the security properties they carry, under some strong assumptions such as the attacker’s knowledge being restricted to public information. In order to further support the practicality of our methods, we offer access to a library we implemented in the Ruby language where one can see some numerical examples and inspect its source code. As future directions we envision cryptographic primitives according to stronger notions of security, the development of fully homomorphic encryption schemes to enable smart contracts to compute any function over encrypted data, and a comprehensive cryptanalysis for investigating the resilience of our constructions according to well-known threat models (e.g., chosen-plaintext attack), which can indicate how security may be improved.
REFERENCES
[1] P. Rosati, P. Deeney, M. Cummins, L. Van der Werff, and T. Lynn, “Social media and stock price reaction to data breach announcements: Evidence from US listed companies,” Research in International Business and Finance, vol. 47, pp. 458–469, 2019.
[2] D. R.-J. G.-J. Rydning, “The digitization of the world from edge to core,” Framingham: International Data Corporation, 2018.
[3] S. B. Chebrolu, “Assessing the relationships among cloud adoption, strategic alignment and IT effectiveness,” Journal of Information Technology Management, vol. 22, no. 2, pp. 13–29, 2011.
[4] W. Yang, E. Aghasian, S. Garg, D. Herbert, L. Disiuta, and B. Kang, “A survey on blockchain-based internet service architecture: requirements, challenges, trends, and future,” IEEE Access, vol. 7, pp. 75845–75872, 2019.
[5] C. Barrera and S. Hurder, “Can blockchain solve the hold-up problem for shared databases?” Prysm White Paper, May, vol. 13, 2019.
[6] W. Dai, “B-money,” Consulted, vol. 1, p. 2012, 1998.
[7] A. Narayanan and J. Clark, “Bitcoin’s academic pedigree,” ACM Queue, vol. 15, no. 4, 2017.
[8] I. Bashir, Mastering Blockchain. Packt Publishing Ltd, 2017.
[9] E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis, A. De Caro, D. Enyeart, C. Ferris, G. Laventman, Y. Manevich et al., “Hyperledger Fabric: a distributed operating system for permissioned blockchains,” in Proceedings of the Thirteenth EuroSys Conference. ACM, 2018, p. 30.
[10] J. Morgan, “Quorum whitepaper,” New York: JP Morgan Chase, 2016.
[11] M. Hearn, “Corda: A distributed ledger,” Corda Technical White Paper, vol. 2016, 2016.
[12] K. Wüst and A. Gervais, “Do you need a blockchain?” in 2018 Crypto Valley Conference on Blockchain Technology (CVCBT). IEEE, 2018, pp. 45–54.
[13] F. Benhamouda, S. Halevi, and T. T. Halevi, “Supporting private data on Hyperledger Fabric with secure multiparty computation,” IBM Journal of Research and Development, 2019.
[14] E. Cecchetti, F. Zhang, Y. Ji, A. Kosba, A. Juels, and E. Shi, “Solidus: Confidential distributed ledger transactions via PVORM,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2017, pp. 701–717.
[15] A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou, “Hawk: The blockchain model of cryptography and privacy-preserving smart contracts,” in 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016, pp. 839–858.
[16] A. Poelstra, A. Back, M. Friedenbach, G. Maxwell, and P. Wuille, “Confidential assets,” in International Conference on Financial Cryptography and Data Security. Springer, 2018, pp. 43–63.
[17] G. Zyskind, O. Nathan, and A. Pentland, “Enigma: Decentralized computation platform with guaranteed privacy,” arXiv preprint arXiv:1506.03471, 2015.
[18] X. Xu, I. Weber, and M. Staples, Architecture for Blockchain Applications. Springer, 2019.
[19] O. Hart and J. Moore, “Incomplete contracts and renegotiation,” Econometrica: Journal of the Econometric Society, pp. 755–785, 1988.
[20] Y.-K. Che, J. Sákovics et al., “The hold-up problem,” Edinburgh School of Economics, University of Edinburgh, Tech. Rep., 2006.
[21] M. Z. Nkhoma, D. Dang, and A. De Souza-Daw, “Contributing factors of cloud computing adoption: a technology-organisation-environment framework approach,” in Proceedings of the European Conference on Information Management & Evaluation, vol. 2, no. 1, 2013, pp. 180–188.
[22] E. Hughes, “A cypherpunk’s manifesto,” URL (accessed 3 August 2004): http://www.activism.net/cypherpunk/manifesto.html, 1993.
[23] A. Tchernykh, U. Schwiegelsohn, E.-g. Talbi, and M. Babenko, “Towards understanding uncertainty in cloud computing with risks of confidentiality, integrity, and availability,” Journal of Computational Science, vol. 36, p. 100581, 2019.
[24] S. S. Yau and H. G. An, “Confidentiality protection in cloud computing systems,” Int. J. Software and Informatics, vol. 4, no. 3, pp. 351–365, 2010.
[25] S. Haber and W. S. Stornetta, “How to time-stamp a digital document,” in Conference on the Theory and Application of Cryptography. Springer, 1990, pp. 437–455.
[26] S. Haber and W. S. Stornetta, “Secure names for bit-strings,” in Proceedings of the 4th ACM Conference on Computer and Communications Security. ACM, 1997, pp. 28–35.
[27] R. C. Merkle, “Protocols for public key cryptosystems,” in 1980 IEEE Symposium on Security and Privacy. IEEE, 1980, pp. 122–122.
[28] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof systems,” SIAM Journal on Computing, vol. 18, no. 1, pp. 186–208, 1989.
[29] D. Hopwood, S. Bowe, T. Hornby, and N. Wilcox, “Zcash protocol specification,” GitHub: San Francisco, CA, USA, 2016.
[30] F. McKeen, I. Alexandrovich, I. Anati, D. Caspi, S. Johnson, R. Leslie-Hurd, and C. Rozas, “Intel® Software Guard Extensions (Intel® SGX) support for dynamic memory management inside an enclave,” in Proceedings of the Hardware and Architectural Support for Security and Privacy 2016, 2016, pp. 1–9.
[31] D. Hildenbrand, Introduction to Geometric Algebra Computing. Chapman & Hall/CRC, 2018.
[32] D. Hestenes, Space-Time Algebra. Springer, 1966, vol. 1, no. 6.
[33] D. Hildenbrand, “Foundations of geometric algebra computing,” in AIP Conference Proceedings, vol. 1479, no. 1. American Institute of Physics, 2012, pp. 27–30.
[34] K. Hernandez, “Blockchain for development–hope or hype?” Institute of Development Studies, 2017.
[35] B. A. Forouzan, Cryptography & Network Security, 1st ed. USA: McGraw-Hill, Inc., 2007.
[36] D. W. H. A. da Silva, C. P. de Araujo, E. Chow, and B. S. Barillas, “A new approach towards fully homomorphic encryption over geometric algebra,” in 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). IEEE, 2019, pp. 0241–0249.
[37] D. W. H. A. da Silva, C. P. de Araujo, and E. Chow, “An efficient homomorphic data encoding with multiple secret Hensel codes,” International Journal of Information and Electronics Engineering, vol. 10, no. 1, 2020.
[38] D. W. H. A. da Silva, H. B. M. de Oliveira, E. Chow, B. S. Barillas, and C. P. de Araujo, “Homomorphic image processing over geometric product spaces and finite p-adic arithmetic,” in 2019 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, 2019, pp. 27–36.
[39] D. W. H. A. da Silva, C. P. de Araujo, and E. Chow, “Fully homomorphic key update and key exchange over exterior product spaces for cloud computing applications,” in 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC). IEEE, 2019, pp. 25–251.
[40] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, 2009, pp. 169–178.
[41] J. M. Chappell, A. Iqbal, L. J. Gunn, and D. Abbott, “Functions of multivector variables,” PLoS ONE, vol. 10, no. 3, 2015.
[42] L. Dorst, D. Fontijne, and S. Mann, Geometric Algebra for Computer Science: An Object-Oriented Approach to Geometry. Elsevier, 2010.
[43] G. A. Jones and J. M. Jones, Elementary Number Theory. Springer Science & Business Media, 2012.
[44] D. E. Knuth, The Art of Computer Programming. Pearson Education, 1997, vol. 3.
[45] D. C. Lay, Linear Algebra and Its Applications. Addison Wesley Publishing Company, 1994.
[46] A. Miola, “Algebraic approach to p-adic conversion of rational numbers,” Information Processing Letters, vol. 18, no. 3, pp. 167–171, 1984.
[47] L. Mordell, “Pure and applied mathematics,” Diophantine Equations, vol. 30, 1969.
[48] S. T. Manion and Y. Bizouati-Kennedy, Blockchain for Medical Research: Accelerating Trust in Healthcare. CRC Press, 2020.
[49] V. Puri, S. Sachdeva, and P. Kaur, “Privacy preserving publication of relational and transaction data: Survey on the anonymization of patient data,” Computer Science Review, vol. 32, pp. 45–61, 2019.
[50] A. Theodouli, S. Arakliotis, K. Moschou, K. Votis, and D. Tzovaras, “On the design of a blockchain-based system to facilitate healthcare data sharing,” in 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). IEEE, 2018, pp. 1374–1379.