homomorphic computation in reed-muller codesccl.snu.ac.kr/papers/journal_int/journal2020_6_1.pdf ·...
TRANSCRIPT
Received May 15, 2020, accepted May 31, 2020, date of publication June 9, 2020, date of current version June 22, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.3001120
Homomorphic Computation in Reed-Muller CodesJINKYU CHO 1, (Graduate Student Member, IEEE), YOUNG-SIK KIM 2, (Member, IEEE),AND JONG-SEON NO 1, (Fellow, IEEE)1Department of Electrical and Computer Engineering, INMC, Seoul National University, Seoul 08826, South Korea2Department of Information and Communication Engineering, Chosun University, Gwangju 61452, South Korea
Corresponding author: Young-Sik Kim ([email protected])
This work was supported by the Institute for Information & Communications Technology Promotion (IITP) grant funded by the KoreaGovernment (MSIT) (R-20160229-002941, Research on Lightweight Post-Quantum Crypto-systems for IoT and Cloud Computing).
ABSTRACT With the ongoing developments in artificial intelligence (AI), big data, and cloud services, fullyhomomorphic encryption (FHE) is being considered as a solution for preserving the privacy and securityin machine learning systems. Currently, the existing FHE schemes are constructed using lattice-basedcryptography. In state-of-the-art algorithms, a huge amount of computational resources are required forhomomorphic multiplications and the corresponding bootstrapping that is necessary to refresh the ciphertextfor a larger number of operations. Therefore, it is necessary to discover a new innovative approach forFHE that can reduce the computational complexity for practical applications. In this paper, we propose acode-based homomorphic operation scheme. Linear codes are closed under the addition, however, achievingmultiplicative homomorphic operations with linear codes has been impossible until now. We strive tosolve this problem by proposing a fully homomorphic code scheme that can support both addition andmultiplication simultaneously using the Reed-Muller (RM) codes. This can be considered as a precedingstep for constructing code-based FHE schemes. As the order of RM codes increases after multiplication,a bootstrapping technique is required to reduce the order of intermediate RM codes to accomplish a largenumber of operations. We propose a bootstrapping technique to preserve the order of RM codes afterthe addition or multiplication by proposing three consecutive transformations that create a one-to-onerelationship between computations on messages and that on the corresponding codewords in RM codes.
INDEX TERMS Error-correcting codes (ECCs), fully homomorphic encryption (FHE), homomorphiccomputation, post-quantum cryptography (PQC), Reed-Muller (RM) codes.
I. INTRODUCTIONError-correcting codes (ECCs) are being used in diverseapplication areas. They have been developed for wirelesscommunication systems in noisy channels and digital storagesystems [1], [2]. They are also widely used in other areassuch as distributed computing systems or public-key cryptog-raphy, also known as code-based cryptography. The securityof code-based cryptography is based on the fact that thedecoding problem of a random linear code is an NP-completeproblem [3]. Especially, code-based cryptography is one ofthe candidates for post-quantum cryptography that can resistattacks using operations over quantum computers.
Recently, machine learning has become popular in manyareas and a few applications that employ this technologyrequire the privacy of input data to be maintained. For thesecurity of machine learning, differential privacy and fully
The associate editor coordinating the review of this manuscript and
approving it for publication was Massimo Cafaro .
homomorphic encryption (FHE) are considered as candi-dates. In the case of differential privacy, the information onthe individuals in the dataset is not disclosed even thoughthe entire dataset is available. However, when it comes toFHE, both multiplication and addition can be performedfor encrypted messages. Thus, confidential messages can besecurely manipulated on the untrusted cloud server. In FHE,the encryption schemes can support both addition and multi-plication without any limitations on the number of operations.
As Gentry proposed the first generation FHE in2009 [4], there has been extensive research on homomorphicencryption schemes based on lattice-based hard problems[5]–[10]. The most promising recent research works onlattice-based homomorphic encryption schemes are thehomomorphic encryption for the arithmetic of approxi-mate numbers scheme, called the Cheon-Kim-Kim-Song(CKKS) scheme [6] and the fast FHE over the torus (TFHE)scheme [7]. Despite substantial progress since Gentry’s firstFHE scheme, the computational complexity of FHEs is still
108622 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ VOLUME 8, 2020
J. Cho et al.: Homomorphic Computation in RM Codes
too high to be used in privacy-preserving machine learn-ing systems. For example, it takes almost 30 seconds forone bootstrapping operation while using the CKKS library.As more than 105 bootstrappings are necessary to sorthundreds of data packets, several days are needed for thehomomorphic sorting operation [10]. Therefore, we need todiscover a new innovative approach to achieve more efficientFHE.
Along with the extremely fast-growing data and compu-tation sizes, the size of distributed computing systems hasalso grown increasingly larger with time. During computing,a certain amount of unpredictable system noise or stragglernodes that cause delays cannot be avoided. To reduce theseproblems, we frequently use coded computation, which is amethod of using coding theoretic techniques in distributedsystems. In this regard, the first known study was conductedon the computing matrix multiplication problem using era-sure codes andminimumdistance separable codes [11]. Later,more studies with diverse approaches to increase the speed ofcoded computations also appeared [12]–[14]. System com-ponents, such as sensors, are required to working efficientlyeven in noisy conditions, such as high temperature. To ensurethis, we need a coding technique with high error tolerance,such as Reed-Muller (RM) codes, because they can correctrandom erasures and errors with high probability [15].
Besides, we also expect these results to be used in quantumcomputing. There are numerous studies on the applicationof ECCs in quantum computing [16]–[19]. Researchers havealso succeeded in mapping the ECCs of classical computersinto new quantum codes called ‘‘stabilizer codes.’’ Severaltrials on using algebraically defined codes, such as Hammingcodes, Bose-Chaudhuri-Hocquenghem codes, RM codes, andGolay codes have been accomplished.Moreover, methods forusing sparse-graph codes such as low-density parity-checkcodes are also being studied. The goal of all these studies isto achieve fault-tolerant quantum computation. In the future,we expect homomorphic computation to be an importantcomponent in quantum computers, and therefore our con-tribution to creating a homomorphic computation methodfor RM codes may turn out to be useful in RM-code-basedquantum error correction.
In this paper, we propose a code-based homomorphic com-putation scheme using RM codes that can support simulta-neous addition and multiplication operations. Addition canbe performed freely in linear codes due to the nature ofthe linearity. However, no such method of multiplicationexists for codewords, that is, it is not possible to obtain avalid codeword just by multiplying two valid codewords.Therefore, we propose a linear transformation that can mapthe multiplication result of any pair of valid codewords toa valid codeword. As the order of the codewords monoton-ically increases during the multiplication in the RM codes,there is a certain limitation on the number of multiplications.To resolve this problem, we propose a bootstrapping methodto reduce the RM codewords of the second-order to that ofthe first-order after codeword multiplication.
The paper is organized as follows: We present the pre-liminaries in Section II, where we describe the basic con-cepts of the original RM codes, and set a few notations.Moreover, we present the fundamental definition of FHE.Our main results are presented in Section III. We define theaddition and multiplication operations on the message andcodeword domains, respectively, and also propose the mainscheme used in our bootstrapping technique for RM codes.Finally, we conclude our paper and mention future works inSection IV.
II. PRELIMINARIESA. RM CODESIn this subsection, we briefly introduce the fundamentalnotions and properties of RM codes. An RM code, RM(r,m)is defined with integers r and m, where r is the order ofthe code and n = 2m is the code length. The dimensionof RM(r,m) is kr =
∑ri=0
(mi
)and the minimum dis-
tance is dmin = 2m−r . Further, we can express RM(r,m)with r-th order linear combinations of Boolean functionsv0 = 1, v1, · · · , vm. Thus, the generator matrix Gr of ther-th order RM code, RM(r,m) can be expressed as
Gr =
v0v1...vmv1v2v1v3...
vm−1vm...
v1 · · · vrv1 · · · vr−1vr+1
...vm−r+1 · · · vm
, (1)
where, vivj denotes the component-wise multiplication ofvi and vj [1], [2], [20]–[23]. We abuse notations of thereal generator matrix and the matrix of Boolean functions.The columns of the generator matrix are evaluated by eachBoolean function of each row with every m-tuple binaryvector from (1, 1, · · · , 1) to (0, 0, · · · , 0) in the reverse lexi-cographical order.
The generator matrix G of the first-order RM codes isconstructed from {v0, v1, · · · , vm} in (1), and the genera-tor matrix of the second-order RM codes is created from{v0, v1, · · · , vm, v1v2, v1v3, · · · , vm−1vm
}. The first-order
RMcode has a dimension of k = m+1 and can be representedwith linear combinations of v0, · · · , vm.
The message can be expressed with a polynomial of degreem, a(x), or with a (m+ 1)-tuple vector a as
a(x) =m∑i=0
aix i
a = (a0, a1, · · · , am).
VOLUME 8, 2020 108623
J. Cho et al.: Homomorphic Computation in RM Codes
And codeword of the first-order RM codes, RM(1, m), canbe expressed with a polynomial of degree n− 1, c(x), or witha n-tuple vector c by multiplying the k×n generator matrixGin (1) to message as
c(x) =n−1∑i=0
cix i
c = (c0, c1, · · · , cn−1) = aG =m∑i=0
aivi, (2)
where we abuse the vector and polynomial notations.
B. FULLY HOMOMORPHIC ENCRYPTIONHomomorphic encryption plays a crucial part in ensuring pri-vacy because it does not expose the original data in computingenvironments such as machine learning or cloud services [4].An encryption scheme is said to be ‘‘homomorphic’’ withrespect to an operation ♦ on plaintext space P if it satisfies
Decrypt(Encrypt(m1) ∗ Encrypt(m2))
= Decrypt(Encrypt(m1♦m2))
= m1♦m2
for an operation ∗ on ciphertext space C . The operation ♦ isusually an addition or multiplication.
An encryption scheme is called ‘‘somewhat homomor-phic’’ if it satisfies only a limited number of operationsbecause of its inability to perform decryption after a certainnumber of operations. The scheme is called ‘‘fully homomor-phic’’ if it can perform an infinite number of homomorphicoperations for addition and multiplication [5].
III. HOMOMORPHIC COMPUTATION OF RM(1,M)A. ADDITION AND MULTIPLICATION IN RM CODESHomomorphic operations are executed both on the messageand codeword domains. Although addition is performed iden-tically in both the domains, the multiplication of the code-words must be defined as a new codeword of a message thatis defined as a polynomial multiplication with modulo xk−1.
In our proposed scheme, we only consider the first-orderRM codes for homomorphic operations because they havethe maximum Hamming distance 2m−1 and can be efficientlyused for related homomorphic computations. As described inSubsection II-A, the RM codes can be described as polyno-mials. Therefore, for the homomorphic addition of two code-words, we perform a component-wise addition⊕ between thecoefficients of the same order of the polynomial terms. In thecase of homomorphic multiplication, the codewords can bemultiplied by performing some multiplication �, which cor-responds to the codeword of multiplication of two messagepolynomials of the order m, a(x) and a′(x), as a(x)a′(x) mod(xm+1 − 1), as given in Table 1.
In the case of addition, it is evident that the computationon the message domain and codeword domain are directlyrelated because the RM codes are linear. However, whilemultiplying two corresponding codewords, c(x) and c′(x),
TABLE 1. Addition and multiplication with messages and codewords.
or c and c′, we have two fundamental problems. The firstproblem is that just multiplying c and c′ component-wiselydoes not completelymatch the codeword corresponding to themultiplied message. Therefore, we need to apply the lineartransformation for correctly matching the message and thecode domains. The second problem is that the multipliedcodeword is a second-order RM code instead of the first one.To fix the relationship between the two domains and reducethe order of codeword, we need a linear transformation of themultiplied codewords. This linear transformation is describedin the next subsection.
B. BOOTSTRAPPING TECHNIQUE IN RM CODESThe two problems encountered during the homomorphicmul-tiplications of RM code can be resolved by using the boot-strapping technique that will be introduced in this subsection.And this bootstrapping technique is operated on the plaintextdomain. The first-order RM code is represented with linearcombination of {v0, v1, · · · , vm}. The multiplied codewordsare of the second-order, which is RM (2, m). Therefore,we need to reduce the order of the RM code for furtheroperations.
Let c and c′ be two distinct codewords of the first-order RMcode for two messages a(x) and a′(x). The multiplication ofa(x) and a′(x) is expressed as
a(x)a′(x) mod (xm+1− 1) =m∑l=0
(∑
i+j=l mod (m+1)
aia′j)xl . (3)
Thus, the corresponding codeword of a(x)a′(x) mod(xm+1 − 1) is given as
m∑l=0
(∑
i+j=l mod (m+1)
aia′j)vl . (4)
However, the direct multiplication of the two correspondingcodewords is given as
(m∑i=0
aivi)(m∑j=0
a′jvj). (5)
Therefore, (4) and (5) are not the same even though theyrepresent the same message. Notably, (5) is a second-orderRM code. Therefore, (5) should be modified to fit (4). Thisprocess is called bootstrapping in this paper.
The bootstrapping process comprises three steps as fol-lows.
1) Step 1: Represent the coefficients aia′j + aja′i of vivjin (5) as the components of the codewords c =(c0, c1, · · · , cn−1) and c′ = (c′0, c
′
1, · · · , c′
n−1), whosetransformation is denoted by (n + m) × (k2 + m)matrix V .
108624 VOLUME 8, 2020
J. Cho et al.: Homomorphic Computation in RM Codes
2) Step 2: Derive the coefficients∑
i+j=l mod (m+1) aia′j of
x l in (3) by using coef(vivj), whose transformation isdenoted by (k2 + m)× k matrix X .
3) Step 3: Find the codeword cnew of the messagea(x)a′(x) mod (xm+1 − 1) in RM(1, m) by using thegenerator matrix G.
The proposed bootstrapping procedure for homomorphicmultiplication in RM (1, m) code is depicted in Fig. 1, wherenotations of polynomials and vectors are abused. Notably,the above three steps can be combined into an (n + m) × nlinear transformation VXG. We can do this as many times asnecessary to finish the arbitrary homomorphic computations.To perform Steps 1 and 2, we need the following theorem andcorollary.
FIGURE 1. Bootstrapping process in the first-order RM codes.
Theorem 1: In the first-order RM code, RM(1, m),we have
cn−1−∑mi=1 αi2i−1
= a0 +m∑i=1
αiai,
where the transpose of (α0, α1, · · · , αm) denotes the p-thcolumn of G with p = n− 1−
∑mi=1 αi2
i−1.Proof: From (2), we have
cp = (a0, a1, · · · , am)(p-th column of G)
=
m∑i=0
aigip,
where gip denotes the (i, p) element of G. Clearly, the firstrow of G is all-one vector, that is, α0 = 1, and thus every cpincludes a0. Then, for the remaining rows of G, we shouldadd ai if the (i+ 1)-th component of p-th column of G is ’1’.
It can be observed that the p-th column of the gen-erator matrix of RM(1, m) except the first row, is theone’s complement of the binary representation of p. Let(1, α1, α2, · · · , αm)T be the p-th column ofG. Then, we havep = 2m − 1−
∑mi=1 αi2
i−1. Thus, the theorem is proved. �From Theorem 1, it is straightforward to obtain the
following corollary.Corollary 1: In the first-order RM code, RM(1, m),
we have
c0 + c2i−1 = ai, i = 1, 2, · · · ,m.
The three steps of the bootstrapping are explained in detailas follows.
Step 1: Coefficient mapping from c and c′ to the coef(vivj)Here, we will represent the coefficients of vivj in (5)
by using the components of the codewords, c =
(c0, c1, · · · , cn−1) and c′ = (c′0, c′
1, · · · , c′
n−1) as follows.In another variation explained later, the coefficient of vivj isdenoted as a function fij of components of c and c′
coef(vivj) = fij(c0, c1, · · · , cn−1, c′0, c′
1, · · · , c′
n−1).
The coefficient of vivj can be determined by consideringthe following four cases.Case 1-1) i 6= j and i, j 6= 0: From (5), the coefficient of
vivj becomes aia′j + aja′i. We can express this as
coef(vivj) = aia′j + aja′i
= (a0 + ai + aj)(a′0 + a′i + a
′j)
+ (a0 + ai)(a′0 + a′i)+ (a0 + aj)(a′0 + a
′j)
+ a0 a′0
and from Theorem 1, we have
coef(vivj) = cn−1−2i−1−2j−1c′
n−1−2i−1−2j−1
+ cn−1−2i−1c′
n−1−2i−1
+ cn−1−2j−1c′
n−1−2j−1
+ cn−1c′n−1.
Case 1-2) i 6= 0, j = 0: From (5), the coefficient ofviv0 = vi becomes aia′0 + a0a
′i. We can express this as
coef(vi) = aia′0 + a0 a′i
= (a0 + ai)(a′0 + a′i)
+ a0 a′0+ aia′i
and from Theorem 1 and Corollary 1, we have
coef(vi) = cn−1−2i−1c′
n−1−2i−1
+ cn−1c′n−1+ (c0 + c2i−1 )(c
′
0 + c′
2i−1 ).
This case is very similar to Case 1-1), but we cannot useTheorem 1when j = 0. Thus, we separate this fromCase 1-1)and use Corollary 1.Case 2-1) i = j 6= 0: From (5), we can express the
coefficient as
coef(vi2) = aia′i
and from Corollary 1, we have
(c0 + c2i−1 )(c′
0 + c′
2i−1 ).
It should be noted that the Boolean function vi2 is actuallyequal to vi. However, we have separated these two casesbecause coef(vi) corresponds to coef(x i) and coef(vi2) corre-sponds to coef(x2i mod(m+1)).Case 2-2) i = j = 0: From (5), we can express the
coefficient as
coef(v0) = a0a′0
VOLUME 8, 2020 108625
J. Cho et al.: Homomorphic Computation in RM Codes
and from Theorem 1, we have
cn−1c′n−1.
By merging the above four cases, we can make a binary(n+m)× (k2+m) matrix V , which is a linear transformationfrom
(c0c′0, c1c′
1, · · · , cn−1c′
n−1, (c0 + c20 )(c′
0 + c′
20 ),
(c0 + c21 )(c′
0 + c′
21 ), · · · , (c0 + c2m−1 )(c′
0 + c′
2m−1 ))
to
(coef(v0), coef(v1), · · · coef(vm),
coef(v1v2), coef(v1v3), · · · coef(vm−1vm),
coef(v12), coef(v22), · · · , coef(vm2)).
Step 2: Message mappingWe will derive the coefficient
∑i+j=l mod (m+1) aia
′j of x
l
in (3) with a function gl as
coef(x l) =∑
i+j=l mod(m+1)
aia′j
= gl(coef(vivj)). (6)
We can determine gl as given in the following theorem.Theorem 2: In the first-order RM code, RM(1, m),
coef(x l) in (3) is given as
coef(x l) =∑
i+j=l mod(m+1)
coef(vivj).
Proof: It can be easily observed that (5) can be rewrittenas
m∑l=0
(∑
i+j=l mod(m+1)
aia′jvivj). (7)
Focusing on the coefficients of vivj in (7), when i + j = lmod (m + 1), the sum of coef(vivj) is the sum of aia′j. Andthis result equals the coefficients of x l also from (6). Thus,the theorem is proved. �
Now, by using Theorem 2, we can perform a linear trans-formation from
(coef(v0), coef(v1), · · · , coef(vm),
coef(v1v2), coef(v1v3), · · · , coef(vm−1vm),
coef(v12), coef(v22), · · · , coef(vm2))
to
(coef(x0), coef(x1), · · · , coef(xm))
denoted by (k2+m)×k matrix X , where k2 =(m0
)+(m1
)+(m2
).
After merging Steps 1 and 2, we obtain
coef(x l) = gl(fij(c0, c1, · · · , cn−1, c′0, c′
1, · · · , c′
n−1)).
Step 3: Re-encoding of RM(1, m)Here, the k × n generator matrix G is multiplied with
VX to obtain a new codeword of the first-order RM code
that corresponds to the resulting codeword obtained for themultiplication of the two messages, a(x)a′(x) mod xm+1 − 1.Combining Steps 1–3
In case of addition, clearly, the codeword of the messagea(x)+a′(x) is c⊕c′. However, for multiplication, it is dividedinto three steps called bootstrapping.
Let
z = (c0c′0, c1c′
1, · · · , cn−1c′
n−1, (c0 + c20 )(c′
0 + c′
20 ),
(c0 + c21 )(c′
0 + c′
21 ), · · · , (c0 + c2m−1 )(c′
0 + c′
2m−1 )).
Then, the new codeword cnew in RM(1, m), corresponding toa(x)a′(x) mod xm+1 − 1, is given as
cnew = z · V · X · G.
Finally, we can determine the codeword cnew in RM(1, m),corresponding to the message a(x)a′(x) mod xm+1 − 1,by using c, c′, and the (n+ m)× n matrix, T = V · X · G.Note: In fact, there exist a few all-zero rows in V for some
row indices. This is because we do not use every case listedin Theorem 1 in Step 1. Only cn−1−2i−1−2j−1c
′
n−1−2i−1−2j−1,
cn−1−2i−1c′
n−1−2i−1, cn−1−2j−1c
′
n−1−2j−1, and cn−1c′n−1 are
used for Cases 1-1), 1-2), 2-1), and 2-2). Thus, for therest of ci and c′i, we have all-zero rows in V and we add(c0 + c20 )(c
′
0 + c′20), (c0 + c21 )(c
′
0 + c′21), · · · , and (c0 +
c2m−1 )(c′
0 + c′
2m−1) to the last m elements in z.
C. EXAMPLETo help understand the homomorphic computation of thefirst-order RM codes, RM(1, m), we present an example ofan RM(1,4) code. First, we determine the matrix V as
V =
0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 1 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 1 0 0 0 0 00 0 0 0 0 0 0 1 0 0 0 0 0 0 00 0 0 0 1 0 0 1 0 1 1 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 1 0 0 0 0 0 00 0 0 0 0 0 1 0 0 0 0 0 0 0 00 0 0 1 0 0 1 0 1 0 1 0 0 0 00 0 0 0 0 1 0 0 0 0 0 0 0 0 00 0 1 0 0 1 0 0 1 1 0 0 0 0 00 1 0 0 0 1 1 1 0 0 0 0 0 0 01 1 1 1 1 1 1 1 1 1 1 0 0 0 00 1 0 0 0 0 0 0 0 0 0 1 0 0 00 0 1 0 0 0 0 0 0 0 0 0 1 0 00 0 0 1 0 0 0 0 0 0 0 0 0 1 00 0 0 0 1 0 0 0 0 0 0 0 0 0 1
.
This matrix is obtained bymerging Cases 1-1), 1-2), 2-1), and2-2), whose size is 20×15. In this example, the 0, 1, 2, 4, and8-th rows are ’0s.’
108626 VOLUME 8, 2020
J. Cho et al.: Homomorphic Computation in RM Codes
Then, in Step 2, we can obtain the relations betweencoef(x l) and coef(vivj) as
coef(x0) = coef(v02)+ coef(v1v4)+ coef(v2v3)
coef(x1) = coef(v0v1)+ coef(v2v4)+ coef(v32)
coef(x2) = coef(v0v2)+ coef(v12)+ coef(v3v4)
coef(x3) = coef(v0v3)+ coef(v1v2)+ coef(v42)
coef(x4) = coef(v0v4)+ coef(v1v3)+ coef(v22).
From Theorem 2, the corresponding matrix X is given as
X =
1 0 0 0 00 1 0 0 00 0 1 0 00 0 0 1 00 0 0 0 10 0 0 1 00 0 0 0 11 0 0 0 01 0 0 0 00 1 0 0 00 0 1 0 00 0 1 0 00 0 0 0 10 1 0 0 00 0 0 1 0
,
where the matrix size is 15 × 5. For Step 3, we obtain the5× 16 generator matrix G from (1) as
G =
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 0 1 0 1 0 1 0 1 0 1 0 1 0 1 01 1 0 0 1 1 0 0 1 1 0 0 1 1 0 01 1 1 1 0 0 0 0 1 1 1 1 0 0 0 01 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
.Then, by multiplying these three matrices, we obtain a matrixT with size of 20× 16 as
T =
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 1 0 0 1 1 0 0 1 1 0 0 1 1 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 1 0 1 0 1 0 1 0 1 0 1 0 1 01 1 1 1 1 1 1 1 1 1 1 1 1 1 1 10 1 1 0 0 1 1 0 1 0 0 1 1 0 0 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 0 0 0 0 0 0 0 00 0 1 1 1 1 0 0 1 1 0 0 0 0 1 11 1 1 1 0 0 0 0 1 1 1 1 0 0 0 00 1 1 0 1 0 0 1 0 1 1 0 1 0 0 10 1 0 1 1 0 1 0 1 0 1 0 0 1 0 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 10 1 1 0 0 1 1 0 0 1 1 0 0 1 1 00 0 1 1 0 0 1 1 1 1 0 0 1 1 0 00 1 0 1 1 0 1 0 0 1 0 1 1 0 1 00 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0
.
Now, we obtain a new codeword cnew of the first-order RMcode by multiplying T on the right of the vector z. Thus,cnew corresponds to the codeword of the message multipli-cation polynomial a(x)a′(x) mod x5− 1 in RM(1,4), as givenin Table 2, where we have presented three examples.
TABLE 2. Examples with RM(1,4) code.
For message vectors a and a′, we have c and c′. Then,we determine a vector z and perform Steps 1 and 2, which arethe matrices V and X . Thus, we obtain a new message vector‘‘anew’’ and this corresponds to the polynomial multiplicationof twomessages, a(x)a′(x) mod x5−1, also denoted as ‘‘apm.’’Finally, we obtain a new codeword cnew of the first-order RMcode from the generator matrix G.
IV. CONCLUSION AND FUTURE WORKSIn this paper, we suggested a transformation method, calledbootstrapping, which facilitates the homomorphic multipli-cation of the first-order RM codes while preserving theorder of the RM codes after the computation (addition andmultiplication). Furthermore, we created a relation betweenthe proposed codeword multiplication c � c′ and the mul-tiplication of two messages. We employed three steps forperforming the bootstrapping. In Step 1, we expressed thecoefficients of vivj as the components of the codewordsc0, c1, · · · , cn−1, c′0, c
′
1, · · · , and c′n−1. In Step 2, we rep-resented the coefficients of x l by the coefficients of vivj .Thus, by merging these two steps, we constructed a relationbetween the codeword components and coefficients of x l ,which are the components of message polynomial multipli-cation. We encoded this process by multiplying the generatormatrix in Step 3 to obtain the corresponding codeword as thefirst-order RM code.
As future works, we will consider the homomorphic com-putation of higher-order RM codes. Moreover, we plan toimplement the computation in the presence of noise, whichcan be useful in homomorphic cryptography.
ACKNOWLEDGMENTSThe authors would like to thank anonymous reviewers and theassociate editor for their valuable suggestions and commentsthat helped improve the quality of this paper.
REFERENCES[1] S. Lin and D. Costello, Error Control Coding, 2nd ed. Upper Saddle River,
NJ, USA: Prentice-Hall, 2001, pp. 105–118.
VOLUME 8, 2020 108627
J. Cho et al.: Homomorphic Computation in RM Codes
[2] F. J.Macwilliams andN. J. A. Sloane, The Theory Error-Correcting Codes,vol. 16. New York, NY, USA: Elsevier/North-Holland, 1977, pp. 370–479.
[3] R. J. McEliece, ‘‘A public-key cryptosystem based on algebraic codingtheory,’’ DSN Prog., Jet Propuls. Lab., Pasadena, CA, USA, Tech. Rep. 44,Jan. 1978, pp. 114–1116.
[4] C. Gentry, ‘‘A fully homomorphic encryption scheme,’’ Ph.D. dissertation,Dept. Comput. Sci., Stanford Univ., Stanford, CA, USA, 2009.
[5] R. Meissen, ‘‘A mathematical approach to fully homomorphic encryp-tion,’’ Ph.D. dissertation, Dept. Math. Sci., Worcester Polytechnic Inst.,Worcester, WA, USA, 2012.
[6] J. H. Cheon, A. Kim, M. Kim, and Y. Song, ‘‘Homomorphic encryptionfor arithmetic of approximate numbers,’’ in Proc. Int. Conf. Theory Appl.Cryptol. Inf. Sec. New York, NY, USA: Springer, 2017, pp. 409–437.
[7] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachene, ‘‘TFHE: Fastfully homomorphic encryption over the torus,’’ J. Cryptol., vol. 33, no. 1,pp. 34–91, 2020.
[8] H. Chen, I. Chillotti, and Y. Song, ‘‘Improved bootstrapping forapproximate homomorphic encryption,’’ Int. Assoc. Cryptol. Res.,Santa Barbara, CA, USA, Tech. Rep. 2018/1043, 2018. [Online].Available: https://eprint.iacr.org/2018/1043
[9] K. Han and D. Ki, ‘‘Better bootstrapping for approximate homomor-phic encryption,’’ in Proc. Cryptographers Track at RSA Conf. Cham,Switzerland: Springer, 2020, pp. 364–390.
[10] J.-W. Lee, Y.-S. Kim, and J.-S. No, ‘‘Analysis of modified shell sort forfully homomorphic encryption,’’ Cryptol. ePrint Arch., Santa Barbara, CA,USA, Tech. Rep. 2019/1497, 2019.
[11] K. Lee, M. Lam, R. Pedarsani, D. Papailiopoulos, and K. Ramchandran,‘‘Speeding up distributed machine learning using codes,’’ IEEE Trans. Inf.Theory, vol. 64, no. 3, pp. 1514–1529, Mar. 2018.
[12] K. Lee, C. Suh, and K. Ramchandran, ‘‘High-dimensional coded matrixmultiplication,’’ in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Feb. 2017,pp. 2418–2422.
[13] S. Dutta, V. Cadambe, and P. Grover, ‘‘Short-dot: Computing large lineartransforms distributedly using coded short dot products,’’ IEEE Trans. Inf.Theory, vol. 65, no. 10, pp. 6171–6193, Oct. 2019.
[14] R. Tandon, Q. Lei, A. G. Dimakis, and N. Karampatziakis, ‘‘Gradi-ent coding,’’ 2016, arXiv:1612.03301. [Online]. Available: http://arxiv.org/abs/1612.03301
[15] E. Abbe, A. Shpilka, and A. Wigderson, ‘‘Reed-Muller codes for ran-dom erasures and errors,’’ IEEE Trans. Inf. Theory, vol. 61, no. 10,pp. 5229–5252, Oct. 2015.
[16] A. R. Calderbank, E. M. Rains, P. W. Shor, and N. J. A. Sloane, ‘‘Quantumerror correction via codes over GF(4),’’ IEEE Trans. Inf. Theory, vol. 44,no. 4, pp. 1369–1387, Jul. 1998.
[17] D. MacKay, G. Mitchison, and P. McFadden, ‘‘Sparse-graph codes forquantum error correction,’’ IEEE Trans. Inf. Theory, vol. 50, no. 10,pp. 2315–2330, Oct. 2004.
[18] C. Y. Lai, Y. C. Zheng, and T. A. Brun, ‘‘Fault-tolerant preparation of stabi-lizer states for quantum Calderbank-Shor-Steane codes by classical error-correcting codes,’’ Phys. Rev. Lett., vol. 95, Oct. 2017, Art. no. 032339.
[19] F. Lacerda, J. Renes, and R. Renner, ‘‘Classical leakage resiliencefrom fault-tolerant quantum computation,’’ J. Cryptol., vol. 32, no. 4,pp. 1071–1094, 2019.
[20] I. Reed, ‘‘A class of multiple-error-correcting codes and the decodingscheme,’’ IRE Prof. Group Inf. Theory, vol. 4, no. 4, pp. 38–49, Sep. 1954.
[21] D. E. Muller, ‘‘Application of Boolean algebra to switching circuit designand to error detection,’’ IEEE Trans. Comput. vol. C-3, no. 3, pp. 6–12,Sep. 1954.
[22] W. Lee, J.-S. No, and Y.-S. Kim, ‘‘Punctured Reed–Muller code-basedMcEliece cryptosystems,’’ IET Commun., vol. 11, no. 10, pp. 1543–1548,Jul. 2017.
[23] Y. Lee, W. Lee, Y.-S. Kim, and J.-S. No, ‘‘A modified pqsigRM: RM code-based signature scheme,’’ Cryptol. ePrint Arch., Santa Barbara, CA, USA,Tech. Rep. 2019/678, 2019.
JINKYU CHO (Graduate Student Member, IEEE)received the B.S. degree in electronics engineer-ing from Sogang University, Seoul, South Korea,in 2017. He is currently pursuing the Ph.D. degreein electrical engineering and computer sciencewith Seoul National University, Seoul. His cur-rent research interests include cryptography anderror-correcting codes.
YOUNG-SIK KIM (Member, IEEE) received theB.S., M.S., and Ph.D. degrees in electrical engi-neering and computer science from Seoul NationalUniversity, in 2001, 2003, and 2007, respec-tively. He joined the Semiconductor Division,Samsung Electronics, where he performedresearch and development of security hardwareIPs for various embedded systems, including mod-ular exponentiation hardware accelerator (calledTornado 2MX2) for RSA and elliptic curve
cryptography in smart card products and mobile application processors,until 2010. He is currently a Professor with Chosun University, Gwangju,South Korea. He is also a submitter for two candidate algorithms (McNieand pqsigRM) in the first round for the NIST Post Quantum CryptographyStandardization. His research interests include post-quantum cryptography,the IoT security, physical layer security, data hiding, channel coding, andsignal design. Hewas selected as one of 2025’s 100 Best Technology Leaders(for Crypto-Systems) by the National Academy of Engineering of Korea inNovember 2017.
JONG-SEON NO (Fellow, IEEE) received theB.S. and M.S.E.E. degrees in electronics engineer-ing from Seoul National University, Seoul, SouthKorea, in 1981 and 1984, respectively, and thePh.D. degree in electrical engineering from theUniversity of Southern California, Los Angeles,CA, USA, in 1988. He was a Senior MTS withHughes Network Systems, from 1988 to 1990.He was an Associate Professor with the Depart-ment of Electronics Engineering, Konkuk Univer-
sity, Seoul, from 1990 to 1999. He joined the Faculty of the Department ofElectrical and Computer Engineering, Seoul National University, in 1999,where he is currently a Professor. His current research interests includeerror-correcting codes, sequences, cryptography, LDPC codes, interferencealignment, and wireless communication systems. He became a member ofthe National Academy of Engineering of Korea (NAEK), in 2015, wherehe is currently a Division Chair of electrical, electronics, and informationengineering. He became an IEEE Fellow through the IEEE InformationTheory Society, in 2012. He was a recipient of the IEEE Information TheorySociety Chapter of the Year Award, in 2007. From 1996 to 2008, he servedas the Founding Chair of the Seoul Chapter of the IEEE Information TheorySociety. He was the General Chair of Sequence and Their Applications,Seoul, in 2004. He also served as the General Co-Chair of the InternationalSymposium on Information Theory and Its Applications, in 2006, and theInternational Symposium on Information Theory, Seoul, in 2009.
108628 VOLUME 8, 2020