Method and system for homomorphicly randomizing an input

Abstract

In one embodiment, a method for reducing information leakage in order to counter side channel attacks against a secure execution environment is described, the method including receiving at the secure execution environment a first input comprising a key comprising a sequence of k input elements in a commutative ring, CR, receiving at the secure execution environment a second input comprising a text comprising a sequence of p input elements in the commutative ring, CR, defining an input INP comprising a sequence of j input elements, wherein INP comprises either one or both of the first input or the second input, performing one of a matrix randomization operation or a polynomial randomization operation on the inputs, and producing a randomized output.

Claims

1. A method for reducing information leakage in order to counter side channel attacks against a secure execution environment, the method comprising: receiving at the secure execution environment a first input comprising a key comprising a sequence of k input elements in a commutative ring, CR, wherein the secure execution environment comprises a low performance security element supported by an untrusted high performance server; receiving at the secure execution environment a second input comprising a text comprising a sequence of p input elements in the commutative ring, CR; defining an input INP comprising a sequence of j input elements, wherein INP comprises either one or both of the first input or the second input; performing by the secure execution environment either one of (a) or (b); (a) randomly choosing a secret nn matrix in CR, hereinafter denoted as S, S being utilized as a symmetric randomizing key, wherein S comprises an invertible matrix over CR; determining S.sup.1; for each set i of m distinct input elements among j elements comprising INP, wherein 0<m<k+1 and m<n selected from INP that are to be jointly randomized, and denoted hereinafter as X.sub.1, X.sub.2, . . . , X.sub.m, selecting nm (n minus m) random numbers Y.sub.1, Y.sub.2, . . . Y.sub.nm, in CR, where the input elements X.sub.1, X.sub.2, . . . , X.sub.m; at least one random number selected from among the set of random numbers Y.sub.1, Y.sub.2, . . . Y.sub.nm; and, optionally, one or more constants are placed in a diagonal of an nn diagonal matrix, denoted M, wherein, aside from the diagonal, matrix M is only populated by zeros; and determining random output A.sub.im for the m input elements in set i denoted as {X.sub.im}=X.sub.1, X.sub.2, . . . , X.sub.m, by utilizing a matrix-based randomizing and homomorphic transformation function hereinafter denoted MRHT, wherein: $\mathrm{MRHT}\left(\left\{X_{\mathrm{im}}\right\}\right)=A_{\mathrm{im}}={\mathrm{SMS}}^{-1}=\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)$ thereby producing a random output A.sub.im corresponding to the i set of m input elements {X.sub.im}=X.sub.1, X.sub.2, . . . , X.sub.m; and (b) selecting n random numbers in CR, the n random numbers hereinafter denoted as v.sub.1, v.sub.2, . . . , v.sub.n; determining a public polynomial P(v)=.sub.i=1.sup.n(vv.sub.i)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1); choosing nm random values in CR, for a.sub.i,m, a.sub.i,m+1 . . . , a.sub.i,n1, that would yield a solution for the above equations for a.sub.i,0, a.sub.i,1 . . . , a.sub.i,m1; and selecting a polynomial-based randomizing and homomorphic transformation function hereinafter denoted PRHT (X.sub.im), comprising any function in variable v of the form .sub.j=0.sup.n1a.sub.ij.Math.v.sup.j which satisfies the equations:
.sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m; if (b) was performed, then performing either one of (c) or (d): (c) producing a random output A.sub.im corresponding to input elements X.sub.1, X.sub.2, . . . , X.sub.m comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set of coefficients (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v), wherein the public set of coefficients (C.sub.0, C.sub.1, C.sub.n1, C.sub.n) are required for arithmetic performing operations with input elements; (d) selecting for the given input elements X.sub.1, X.sub.2, . . . , X.sub.m, nm random values R.sub.1, . . . , R.sub.nm in CR that would solve the following n simultaneous equations: .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m+1.sup.j=R.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m+2.sup.j=R.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.n.sup.j=R.sub.nm for unknowns a.sub.i0, a.sub.i1, . . . , a.sub.i n1, thereby producing, for X.sub.1, X.sub.2, . . . X.sub.m a random text comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v); and after the performing either one of (a) or (b), and if (b) was performed additionally performing either one of (c) or (d), then outputting one or both of a randomized transformed first output comprising a randomized transformation of the key and a randomized transformed second output comprising a randomized transformation of the text.

2. The method according to claim 1 wherein the low performance security element comprises a smart card.

3. The method according to claim 1 wherein the key comprises a cryptographic key.

4. The method according to claim 3 wherein the cryptographic key comprises an AES key.

5. The method according to claim 1 wherein the text comprises a plaintext.

6. The method according to claim 1 wherein the text comprises a ciphertext.

7. The method according to claim 1 wherein the side channel attacks comprise a differential power analysis type side channel attack.

8. A method for derandomizing the randomized input of claim 1, the method comprising: performing either one of (a) or (b): (a) receiving an output comprising a randomized X.sub.im input being an nn diagonal matrix denoted hereinafter as A.sub.im, over CR, where: $A_{\mathrm{im}}=\mathrm{MRHT}\left(X_{\mathrm{im}}\right)=S_{\mathrm{MS}}^{-1}=\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)$ using S to determine $S^{-1}=\left(\begin{array}{ccc}{s}_{11}^{}& \mathrm{.Math.}& s_{in}^{}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ s_{n1}^{}& \mathrm{.Math.}& s_{\mathrm{nn}}^{}\end{array}\right)$ and determining X.sub.im by performing one of: S.sup.1.Math.A.sub.im.Math.S=M where X.sub.1, X.sub.2, . . . , X.sub.m are the upper left elements of the resulting diagonal matrix above, alternatively:
X.sub.i=(1/s.sub.i1).Math..sub.j=1.sup.na.sub.j1.Math.s.sub.ij for i=1, . . . m; and (b) receiving the randomized output for X.sub.im as (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and using v.sub.1, v.sub.2, . . . , v.sub.m to determine the derandomized input .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1,.sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m.

9. A method for addition of randomized X.sub.1 and randomized X.sub.2, X.sub.1 and X.sub.2 being randomized according to the fully homomorphic method for randomizing an input of claim 1, the method comprising: for X.sub.i comprising MRHT (X.sub.i)=A.sub.i: receiving A.sub.1 and A.sub.2; and MRHT (X.sub.1)+MRHT (X.sub.2)=A.sub.1+A.sub.2; and for X.sub.i comprising PRHT (X.sub.i)=a.sub.i0, a.sub.i1, a.sub.i n1: receiving PRHT (X.sub.1)=a.sub.10, a.sub.11, . . . , a.sub.1 n1 and PRHT (X.sub.2)=a.sub.20, a.sub.21, . . . , a.sub.2 n1 and C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n of P(v)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1); and PRHT (X.sub.1)+PRHT (X.sub.2)=a.sub.10+a.sub.20a.sub.11+a.sub.21, . . . , a.sub.1 n1+a.sub.2 n1.

10. A method for multiplication of randomized X.sub.1 and randomized X.sub.2, X.sub.1 and X.sub.2 being randomized according to the fully homomorphic method for randomizing an input of claim 1, the method comprising: for X.sub.i comprising MRHT (X.sub.i)=A.sub.i: receiving A.sub.1 and A.sub.2; and MRHT (X.sub.1).Math.MRHT (X.sub.2)=A.sub.1.Math.A.sub.2; and for X.sub.i comprising PRHT (X.sub.i)=a.sub.i0, a.sub.i1, . . . , a.sub.i n1: receiving PRHT (X.sub.1)=a.sub.10, a.sub.11, . . . , a.sub.1 n1 and PRHT (X.sub.2)=a.sub.20, a.sub.21, . . . , a.sub.2 n1 and C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n of P(v)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1); and PRHT (X.sub.1).Math.PRHT (X.sub.2)=r=r.sub.10, r.sub.11, . . . , r.sub.1 n1, the coefficients of the resulting n1 order polynomial r(v), where r(v)=((.sub.j=0.sup.n1a.sub.1j.Math.v.sup.j).Math.(.sub.j=0.sup.n1a.sub.2j.Math.v.sup.j))mod .sub.j=0.sup.nC.sub.j.Math.v.sup.j.

11. A method for dividing of randomized X.sub.1 and randomized X.sub.2, X.sub.1 and X.sub.2 being randomized according to the fully homomorphic method for randomizing an input of claim 1, the method comprising: for X.sub.i comprising MRHT (X.sub.i)=A.sub.i: receiving A.sub.1 and A.sub.2; 1/MRHT (X.sub.2)=A.sub.2.sup.1 and MRHT (X.sub.1)/MRHT (X.sub.2)=A.sub.1.Math.A.sub.2.sup.1 for X.sub.i comprising PRHT (X.sub.i)=a.sub.i0, a.sub.i1, . . . , a.sub.i n1: receiving PRHT (X.sub.1)=a.sub.10, a.sub.11, . . . , a.sub.1 n1 and PRHT (X.sub.2)=a.sub.20, a.sub.21, . . . , a.sub.2 n1 and C.sub.0, C.sub.1, C.sub.n1, C.sub.n of P(v)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1); deriving 1/PRHT(X.sub.2)=u.sub.20, u.sub.21, . . . , u.sub.2 n1 by calculating ((.sub.j=0.sup.n1u.sub.2j.Math.v.sup.j).Math.(.sub.j=0.sup.n1a.sub.2j.Math.v.sup.j))mod .sub.j=0.sup.nc.sub.j.Math.v.sup.j=1 in terms of n unknown coefficients u.sub.2j, (j=0, . . . , n1), thereby determining .sub.j=0.sup.n1g.sub.2j(u.sub.20, u.sub.21, . . . , u.sub.2 n1, a.sub.10,a.sub.21, . . . , a.sub.2 n1, c.sub.10, c.sub.21, . . . , c.sub.2 n1,).Math.v.sup.k), wherein g.sub.2j( ) is a linear combination of a plurality of n unknowns u.sub.2j; solving n derived equations g.sub.20( )=1, and g.sub.2j( )=0 for j=1, . . . , n1 for all u.sub.2j j=0, . . . , n1; and
PRHT(X.sub.1)/PRHT(X.sub.2)=PRHT(X.sub.1).Math.(1/PRHT(X.sub.2))=((.sub.j=0.sup.n1a.sub.1j.Math.v.sup.j).Math.(.sub.j=0.sup.n1u.sub.2j.Math.v.sup.j))mod .sub.j=0.sup.nC.sub.j.Math.v.sup.j.

12. A method for addition of a pair of cipher text outputs Ci and Cj, Ci and Cj being cipher texts produced as an output from a plain text input and all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key, wherein the encryption functions are denoted as MEnc and PEnc correspond to MRHT and PRHT, respectively, the method comprising adding Ci and Cj according to the method of claim 9 wherein all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key.

13. A method for multiplication of a pair of cipher text outputs Ci and Cj, Ci and Cj comprising cipher texts produced as an output from a plain text input and all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key, wherein the encryption functions are denoted as MEnc and PEnc correspond to MRHT and PRHT, respectively, the method comprising multiplying Ci and Cj according to the method of claim 10, wherein all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises a symmetric encryption key.

14. A method for division of a pair of cipher texts outputs Ci and Cj, Ci and Cj comprising cipher texts produced as an output from a plain text input and all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key, wherein the encryption functions are denoted as MEnc and PEnc correspond to MRHT and PRHT, respectively, the method comprising dividing Ci and Cj according to the method of claim 11 wherein all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:

(2) FIG. 1 is a simplified depiction of a low security high performance device interacting with a high security low performance device constructed and operative in accordance with an embodiment of the present invention;

(3) FIG. 2 is a depiction of an embodiment of the system of FIG. 1 where a private algorithm and a public input are used; and

(4) FIGS. 3A-3E are data flow diagrams depicting methods for the various embodiments of the system of FIG. 1.

(5) The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the Appendices in which:

(6) Appendix A is a paper published at eprint.iacr.org/2012/637.pdf, entitled Efficient Methods for Practical Fully-Homomorphic Symmetric-key Encryption, Randomization, and Verification, by the inventors of the invention described herein, and which provides a mathematical approach, including proofs, to the method and security described herein. Said paper is also found as Appendix A of published PCT application, WO 2014/016795. The disclosures of said publication and Appendix A of said PCT application are incorporated herein by reference.

DETAILED DESCRIPTION OF AN EMBODIMENT

(7) Reference is made to FIG. 1, which is a simplified depiction of a low security high performance device interacting with a high security low performance device constructed and operative in accordance with an embodiment of the present invention.

(8) As noted above, the present provides several embodiments of non-deterministic fully homomorphic methods for:

(9) Practical (highly efficient) fully homomorphic: A. Symmetric randomization of any data in a commutative ring, CR; B. Symmetric Encryption of special data, (mod-N in Z.sub.N); and C. Coupling of computations

(10) The present application describes the following embodiments of the present invention:

(11) Randomization of Any Data

(12) In this case the data and operations are over CR. The application of the method to the data results in Randomized and Homomorphic Transformation (RHT) of the data. The result can be an input to a polynomial function consisting of additions and multiplications, e.g., AES algorithms that run within a silicon chip. Application of RHT to the secret AES key protects against Side Channel Attacks (e.g., Differential Power Attack) aimed at revealing the clear AES-key.

(13) Efficient Homomorphic Encryption of Mod-N Numbers in Z.sub.N

(14) Secure use in open untrusted platforms of both: secrets (symmetric keys); and a family of private algorithms.

(15) Examples are a keyed-hash (where the key is secret), and a Private-Function for Key-Generation (PFKG) whose input is public (e.g., a broadcast ECM (entitlement control message) is processed by a secret PFKG running in the STB; or a comparable component in the smart card). The private function can be any polynomial with secret coefficients (and a0=0).

(16) Most of the security workload will be carried out by a low-security host while the homomorphic-encryption key is kept by a Low-performance High-security component.

(17) Enhanced protection for certain algorithms, e.g., securing OSS (public key) signature from Pollard attacks.

(18) Coupling of Computations

(19) Verification of computational integrity is provided by utilizing inseparable coupling, i.e., entanglement, of parallel, multiple independent computations, thereby providing protection against fault attacks.

(20) I. Definitions

(21) N is a number which is a product of two primes P and Q; (for security reasons P and Q are presumed secret); it is assumed that factoring N into primes is a computationally difficult problem).

(22) The message X to be encrypted consists of a sequence of k modulo N numbers X.sub.1, X.sub.2, X.sub.m in Z.sub.N.

(23) Z.sub.N is the ring of residues modulo N.

(24) CR is a commutative ring.

(25) M.sub.nn (Z.sub.N) is the ring of nn matrices over Z.sub.N.

(26) P(v)=.sub.i=1.sup.n(vv.sub.i)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1) over Z.sub.N where Z.sub.N[v]/P(v) is the polynomial ring mod P(v).

(27) In general, the method uses one X.sub.i per method application to allow for computation of (arbitrary) multivariate input in functions whose operations are addition, multiplication and division. However, if, for example, there are two known multivariate functions with two distinct sets of inputs(X.sub.1, X.sub.2, . . . , X.sub.h) and (X.sub.h1, X.sub.h+2, . . . , X.sub.L), then no pair of variables in each of the input sets shall be encrypted (or randomized) jointly, i.e., with a single application of the method. In general, the methods discussed herein are discussed under the presumption of one variable.

(28) Additionally, it is appreciated that the method described herein may be run on dedicated software, dedicated hardware, non-dedicated hardware, or some combination thereof. For example, and without limiting the generality of the foregoing, steps which are described herein as receiving an input may be operative to run in software which is running on appropriate hardware. Alternatively, the step of receiving an input may be running in a dedicated circuit of a specialized chip. Further alternatively, there may be a hardware based processor which can, for certain operations be utilized to run the steps of receiving an input. The same would be true of the other steps described in the various methods and procedures described herein.

(29) II. Fully Homomorphic Randomization of Arbitrary Data

(30) The randomization of arbitrary data over CR is presumed to take place in a secure environment as it is not considered a strong encryption. One of its purposes is to thwart side-channel attacks on algorithm execution to get information on sensitive data such as symmetric cipher keys, e.g., an AES encryption key. Such attacks presume that the secret data, e.g., the key, is static over repeated runs of the AES algorithm to cumulatively glean information of the key and the attack also assumes that the attacker knows the inputs processed by the algorithm (or, alternatively, the outputs produced as the outcome of the algorithm). However, in this non-deterministic approach the randomized-key changes per cipher run thereby foiling such attack. (The inputs to the algorithm are randomized and therefore operations are carried over randomized values. The algorithm manipulates only randomized data and randomized keys, the data manipulated by the algorithm is not exposed outside the boundaries of the secure environment. Data which is exposed outside of the secure environment is data which has already been derandomized according to the methods disclosed herein.)

(31) By way of example, randomization may be useful to thwart side channel attacks, for example, and without limiting the generality of the foregoing, differential power analysis (DPA) attacks. DPA is a concrete example of a side channel attack. DPA requires interaction between unknown key-bits and known data-bits. The attacker chooses and inputs the data bits into the cipher, and learns about their interaction with the key-bits by measuring the electrical current that the enciphering device consumes. Then by using statistical methods, the attacker can retrieve the key-bits previously unknown to him.

(32) Randomization may also be useful against fault attacks. Fault attacks rely on the attacker's ability to induce a fault into the cryptographic computation. Then the attacker observes the results of the faulty computation, compares it to the results of non-faulty computations and attempts to deduce the value of unknown key-bits.

(33) Randomized and homomorphic transformation (RHT)is a transformation T (and its inverse T.sup.1) which allows simple operations (e.g., addition, multiplication) on transformed data. The transformation is randomized since it takes an input value, appends to it random data, and then applies the transformation to it. The transformation is referred to as homomorphic because it allows operations in the transformed domain (although the operations themselves are also transformed). Consider an input value X, then T(X, r) randomizes X with r, and transforms it. RHT should satisfy:
X+Y=T.sup.1(T(X,r1)+T(Y,r2)) and
X*Y=T.sup.1(T(X,r1)*T(Y,r2)).

(34) In an embodiment of the present invention for countering side channel attacks by using the randomization property of RHT, the homomorphic property provides for secure and efficient protection as there is no need to successively remove errors due to computation with randomized data.

(35) Additionally RHT computes two or more values in a single inseparable step (i.e. any impact on one of the values will perforce impact the second value).

(36) Furthermore, fault attacks may be countered using the computational coupling of RHT: RHT can be done for a homomorphic evaluation of a function requiring a secure environment for its execution; and RHT can be applied for a homomorphic algorithm that requires no secure execution. The main application is for the data to be randomized, i.e., statistically flattened.

(37) Therefore, for all computations are over CR, the method of fully homomorphic randomization of arbitrary data comprises:

(38) receiving an input denoted X comprising a sequence of k input elements X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.i, . . . , X.sub.k in CR and then performing one of the following:

(39) Matrix Method

(40) The most generalized statement of the matrix method is:

(41) An input, denoted INP, is received. INP comprises a sequence of k input elements in CR.

(42) A secret nn matrix is selected in CR, the matrix hereinafter being denoted S, wherein S is utilized as a symmetric randomizing key. S comprises an invertible matrix over CR. S.sup.1 is determined.

(43) For each set i of m distinct input elements wherein 0<m<k+1 and m<n selected from INP that are to be jointly randomized, and denoted hereinafter as X.sub.i1, X.sub.i2, . . . , X.sub.im, wherein X.sub.i1, X.sub.i2, . . . , X.sub.im comprise any subset of input elements X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.i, . . . , X.sub.k. For ease of discussion, the input elements discussed hereinafter are denoted as X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.m.

(44) Additionally, nm (n minus m) random numbers Y.sub.1, Y.sub.2, . . . , Y.sub.nm, are selected in CR for each input set of i of m distinct elements, where the input elements X.sub.1, X.sub.2, . . . , X.sub.m and random numbers Y.sub.1, Y.sub.2, . . . , Y.sub.nm are placed in order on the diagonal of a nn diagonal matrix:

(45) $\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & \mathrm{.Math.}& & \mathrm{.Math.}& 0& Y_2& 0& \\ & & & & \mathrm{.Math.}& & & 0\\ 0& 0& \mathrm{.Math.}& & & & 0& Y_{n\text{-}m}\end{array}\right)$

(46) Random output A.sub.im is determined for the m input elements in set i denoted as {X.sub.im}=X.sub.1, X.sub.2, . . . , X.sub.m, by utilizing a matrix-based randomizing and homomorphic transformation function hereinafter denoted MRHT, wherein:

(47) $\mathrm{MRHT}\left(\left\{X_{\mathrm{im}}\right\}\right)=A_{\mathrm{im}}=S\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & \mathrm{.Math.}& & \mathrm{.Math.}& 0& Y_2& 0& \\ & & & & \mathrm{.Math.}& & & 0\\ 0& 0& \mathrm{.Math.}& & & & 0& Y_{n\text{-}m}\end{array}\right)S^{-1}\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)$
thereby producing a random output A.sub.im corresponding to the i set of m input elements {X.sub.im}=X.sub.1, X.sub.2, . . . , X.sub.m.

(48) Those skilled in the art will appreciate that trivial variations of the matrix (denoted M):

(49) $M=\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & \mathrm{.Math.}& & \mathrm{.Math.}& 0& Y_2& 0& \\ & & & & \mathrm{.Math.}& & & 0\\ 0& 0& \mathrm{.Math.}& & & & 0& Y_{n\text{-}m}\end{array}\right)$
such as:

(50) dispersing constants among the values on the diagonal; and

(51) changing the order (i.e. intermixing the X.sub.is and the Y.sub.is), will not change the basic method as defined herein. By way of example, and without limiting the generality of the foregoing, the following may all be exemplary trivial variations of the matrix:

(52) The diagonal is: X.sub.1, X.sub.2, . . . X.sub.m, 0, Y.sub.1, Y.sub.2, . . . , Y.sub.m.

(53) The diagonal is: X.sub.1, 0, X.sub.2, 0, . . . X.sub.m, 0, Y.sub.1, 0, Y.sub.2, 0, . . . Y.sub.m, 0.

(54) The diagonal is: X.sub.1, Y.sub.1, X.sub.2, Y.sub.2, . . . X.sub.m, Y.sub.m.

(55) Additionally, adding rows and columns with zeros around the matrix diagonal, i.e.:

(56) 0$\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & & & \mathrm{.Math.}& 0& & 0& \\ & \mathrm{.Math.}& & & \mathrm{.Math.}& & Y_{n-m}& 0\\ 0& 0& & \mathrm{.Math.}& & & 0& 0\end{array}\right)$
would also be a trivial variation which will not change the basic method as defined herein.

(57) A less generalized statement of the matrix method is:

(58) for each input element X.sub.i, selecting n1 random numbers Y.sub.1, Y.sub.2, . . . Y.sub.n1, in CR, where the input element X.sub.i and random numbers Y.sub.1, Y.sub.2, . . . Y.sub.n1 are placed in order on the diagonal of a nn diagonal matrix;

(59) a secret nn matrix in CR is randomly chosen, the secret nn matrix hereinafter denoted as S, S being utilized as a symmetric randomizing key, wherein S comprises an invertible matrix over CR;

(60) determining S.sup.1; and

(61) a random output A, is determined for input element X.sub.i by utilizing a matrix-based randomizing and homomorphic transformation function, method hereinafter denoted MRHT, wherein:

(62) $\mathrm{MRHT}\left(X_i\right)=A_i=S\left(\begin{array}{ccc}{X}_i\mathrm{.Math.}& 0\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& Y_l\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& 0\mathrm{.Math.}& Y_{n-1}\end{array}\right)S^{-1}=\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)$

(63) thereby producing a random output A.sub.i corresponding to input element X.sub.i.

(64) It is appreciated that the above method may be generalized. Instead of selecting n1 random numbers Y.sub.1, Y.sub.2, . . . Y.sub.n1, in CR for an input element X.sub.i, for a set of m (where 1mk; and m<n) input elements, nm random numbers Y.sub.1, Y.sub.2, . . . Y.sub.nm are selected.

(65) Polynomial Method

(66) The most generalized statement of the polynomial method is:

(67) n random numbers in CR are selected, the n random numbers hereinafter denoted as v.sub.1, v.sub.2, . . . , v.sub.n;

(68) a public polynomial P(v)=.sub.i=1.sup.n(vv.sub.i)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1) is determined;

(69) for each set i of m distinct input elements wherein 0<m<k+1 and m<n selected from INP that are to be jointly randomized, and denoted hereinafter as X.sub.i1, X.sub.i2, . . . , X.sub.im, wherein X.sub.i1, X.sub.i2, . . . , X.sub.im comprise any subset of input elements X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.i, . . . , X.sub.k. For ease of discussion, the input elements discussed hereinafter are denoted as X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.m;

(70) a polynomial-based randomizing and homomorphic transformation function hereinafter denoted PRHT (X.sub.1, X.sub.2, X.sub.3, . . . , X.sub.m) is selected, comprising any function in variable v of the form .sub.j=0.sup.n1a.sub.ij.Math.v.sup.j which satisfies the equation
.sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1,.sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m;

(71) nm (n minus m) random values are chosen in CR, for a.sub.i,m, a.sub.i,m+1 . . . , a.sub.i,n1, that would yield a solution for the above equations for a.sub.i,0, a.sub.i,1 . . . , a.sub.i,m1; and then one of the following is performed: a random output A.sub.im corresponding to input elements X.sub.1, X.sub.2, . . . , X.sub.m is produced wherein A.sub.im comprises comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set of coefficients (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v), wherein the set of coefficients (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) are required for arithmetic performing operations with input elements; and for the given input elements X.sub.1, X.sub.2, . . . , X.sub.m, nm (n minus m) random values R.sub.1, . . . , R.sub.nm are selected in CR that would solve the following n simultaneous equations:

(72) .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m+1.sup.j=R.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m+2.sup.j=R.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.n.sup.j=R.sub.nm for unknowns a.sub.i0, a.sub.i1, . . . , a.sub.i n1, thereby producing, for X.sub.1, X.sub.2, . . . X.sub.m a random text comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v).

(73) A less generalized statement of the polynomial method is:

(74) n random numbers in CR are selected, the n random numbers hereinafter denoted as v.sub.1, v.sub.2, . . . , v.sub.n;

(75) a public polynomial P(v)=.sub.i=0.sup.n(vv.sub.i)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1) is determined;

(76) a polynomial-based randomizing and homomorphic transformation function hereinafter denoted PRHT (X.sub.i) is selected, comprising any function in variable v of the form .sub.j=0.sup.n1a.sub.ij.Math.v.sup.j which satisfies the equation .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.i;

(77) n1 random values in CR are chosen, for a.sub.i1, a.sub.i2 . . . , a.sub.i n1, of X.sub.i thereby determining a.sub.i0=X.sub.i.sub.=1.sup.n1a.sub.ij.Math.v.sub.1.sup.j; and

(78) a randomized output corresponding to input element X.sub.i is produced, the random output comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set of coefficients (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v), wherein the set of coefficients (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) are required for arithmetic performing operations with the input element X.sub.i;

(79) or, alternatively,

(80) selecting n1 random values R.sub.i1, . . . , R.sub.i n1 in CR for the given X.sub.i and solving n simultaneous equations:

(81) .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.i, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=R.sub.i1, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.n.sup.j=R.sub.i n1 for unknowns a.sub.i0, a.sub.i1, . . . , a.sub.i n1, thereby producing, as above, for X.sub.i a randomized text comprising the set (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and public set (C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n) of P(v).

(82) By way of example, the input X is transformed into a 22 matrix M[x] as follows (S is a random, invertible matrix):

(83) $M\left[X\right]=S\left(\begin{array}{cc}X& 0\\ 0& Y\end{array}\right)S^{-1}$
where the element Y (0) can be selected at random or selected to be a predefined value. Elements are added by matrix addition and multiplied by matrix multiplication. Note that popular cryptographic primitives such as the AES cipher can be easily expressed and calculated over the transformed elements described above, for example, and without limiting the generality of the foregoing, take the CR to be F.sub.256 the extension field of degree eight over the field with two elements F.sub.2 and express the AES operations as an algebraic operation over F.sub.256. Note, however, that the actual, final result of the AES cipher must be extracted from the transformed elements (i.e., the matrices). This is done by decrypting the resulting matrix (i.e., multiplying M[x] by S.sup.1 from the left and by S from the right), and taking the upper left value as the actual resulting AES cipher text.

(84) Countering DPA: When using a randomized transformation (i.e., Y is selected at random) for a cipher such as AES, the randomization is applied to both inputsthe key elements and the text elements. Since the attacker does not know the exact value of his transformed data elements (as they were randomized under the scheme), DPA can no longer work.

(85) Countering fault attacks: The scheme has the property that it turns every operation on elements into an extended inseparable calculation over 22 matrices. Therefore by inserting specific pre-defined values for Y, one can verify that a computation like the AES cipher was carried out correctly without faults. This is done, e.g., by applying the matrix method with the preset Y, and then comparing the results in position Y to the expected result.

(86) It is appreciated that the randomization of the input X comprises a successive application of a mix of functions PRHT(X.sub.i) and MRHT(X.sub.i), wherein: the randomization of the input X comprises a successive application of a mix of functions PRHT(X.sub.i) and MRHT(X.sub.i), wherein:

(87) $\mathrm{MRHT}\left(\mathrm{PRHT}\left(X_i\right)\right)=\left(\mathrm{MRHT}\left(a_{i0}\right),\mathrm{MRHT}\left(a_{i1}\right)\mathrm{.Math.},\mathrm{MRHT}\left(a_{in-1}\right)\right)==\left({\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)}_{i0},{\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)}_{i1},\mathrm{.Math.},{\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)}_{in-1}\right);\mathrm{and}$$\mathrm{PRHT}\left(\mathrm{MRHT}\left(X_i\right)\right)=\mathrm{PRHT}\left(\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)\right)\mathrm{where}\mathrm{PRHT}\left(a_{\mathrm{pj}}\right)=\left(a_{i0},a_{i1},\mathrm{.Math.},a_{in-1}\right)p_j,$
therefore (bearing in mind that the index i of X.sub.i and in a.sub.i0, a.sub.i1, . . . , a.sub.i n1 should not be confused with the index i in a.sub.ij):

(88) $\mathrm{PRHT}\left(\mathrm{MRHT}\left(X_i\right)\right)=\left(\begin{array}{ccc}{\left(a_{i0},a_{i1},\mathrm{.Math.},a_{in-1}\right)}_{11}& \mathrm{.Math.}& {\left(a_{i0},a_{i1},\mathrm{.Math.},a_{in-1}\right)}_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ {\left(a_{i0},a_{i1},\mathrm{.Math.},a_{in-1}\right)}_{n1}& \mathrm{.Math.}& {\left(a_{i0},a_{i1},\mathrm{.Math.},a_{in-1}\right)}_{\mathrm{nn}}\end{array}\right).$

(89) Derandomizing the Randomized Input

(90) One of the following is performed:

(91) Matrix Method

(92) To derandomize a randomized input produced according to the most generalized matrix method of randomization given above:

(93) an output comprising a randomized set of inputs, {X.sub.im}=X.sub.1, X.sub.2, . . . , X.sub.m, is received, the input being an nn diagonal matrix denoted hereinafter as A.sub.im, over CR, where:

(94) $\begin{array}{c}{A}_{\mathrm{im}}=\mathrm{MRHT}\left(X_{\mathrm{im}}\right)\\ =S\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & & & \mathrm{.Math.}& 0& Y_2& 0& \\ & \mathrm{.Math.}& & & \mathrm{.Math.}& & & 0\\ 0& 0& & \mathrm{.Math.}& & & 0& Y_{n\text{-}m}\end{array}\right)S^{-1}\\ =\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)\end{array}$

(95) S is used determine

(96) $S^{-1}=\left(\begin{array}{ccc}{s}_{11}^{}& \mathrm{.Math.}& s_{1n}^{}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ s_{n1}^{}& \mathrm{.Math.}& s_{\mathrm{nn}}^{}\end{array}\right)$
and determining X.sub.im

(97) Then, the following is performed:

(98) $S^{-1}.Math.A_i.Math.S=\left(\begin{array}{cccccccc}{X}_1& 0& & & \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& 0\\ 0& X_2& 0& & & & \mathrm{.Math.}& \mathrm{.Math.}\\ \mathrm{.Math.}& 0& & 0& & \mathrm{.Math.}& & \\ & & & X_m& & 0& \mathrm{.Math.}& \\ & & & 0& Y_1& & \mathrm{.Math.}& 0\\ & & & \mathrm{.Math.}& 0& Y_2& 0& \\ & \mathrm{.Math.}& & & \mathrm{.Math.}& & & 0\\ 0& 0& & \mathrm{.Math.}& & & 0& Y_{n\text{-}m}\end{array}\right)$

(99) where X.sub.1, X.sub.2, . . . , X.sub.m is in the upper left element of the matrix,

(100) Equivalently the following formula can be used for more efficient computation to determine
X.sub.i=(1/s.sub.i1).Math.E.sub.j=1.sup.n.sub.=1a.sub.j1.Math.s.sub.ij for i=1, . . . m.

(101) To derandomize a randomized input produced according to the less generalized statement of the matrix method given above:

(102) An output comprising a randomized X.sub.i, and the input being an nn diagonal matrix denoted hereinafter as A.sub.i, over Z.sub.N, where:

(103) $A_i=\mathrm{MRHT}\left(X_i\right)=S\left(\begin{array}{ccc}{X}_i\mathrm{.Math.}& 0\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& Y_l\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& 0\mathrm{.Math.}& Y_{n-1}\end{array}\right)S^{-1}=\left(\begin{array}{ccc}{a}_{11}& \mathrm{.Math.}& a_{1n}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ a_{n1}& \mathrm{.Math.}& a_{\mathrm{nn}}\end{array}\right)$

(104) S is used to determine

(105) $S^{-1}=\left(\begin{array}{ccc}{s}_{11}^{}& \mathrm{.Math.}& s_{1n}^{}\\ \mathrm{.Math.}& & \mathrm{.Math.}\\ s_{n1}^{}& \mathrm{.Math.}& s_{\mathrm{nn}}^{}\end{array}\right)$

(106) Xi is determined by performing one of:

(107) 0$S^{-1}.Math.A_i.Math.S=\left(\begin{array}{ccc}{X}_i\mathrm{.Math.}& 0\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& Y_l\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& 0\mathrm{.Math.}& Y_{n-1}\end{array}\right)$

(108) where X.sub.i is the upper left element of the matrix, thereby determining X.sub.i=a.sub.11+(1/s.sub.11).Math..sub.j=2.sup.na.sub.j1.Math.s.sub.1j; and
X.sub.i=(1/s.sub.11).Math..sub.j=1.sup.na.sub.i1.Math.s.sub.1j.

(109) Polynomial Method

(110) To derandomize a randomized input produced according to the most generalized polynomial method of randomization given above:

(111) The randomized output for {X.sub.i} is received as (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and v.sub.1 . . . v.sub.m, are used to determine the derandomized input .sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j=X.sub.1, .sub.j=0.sup.n1a.sub.ij.Math.v.sub.2.sup.j=X.sub.2, . . . , .sub.j=0.sup.n1a.sub.ij.Math.v.sub.m.sup.j=X.sub.m.

(112) To derandomize a randomized input produced according to the less generalized statement of the polynomial method given above:

(113) The randomized output for X.sub.i is received as (a.sub.i0, a.sub.i1, . . . , a.sub.i n1) and v.sub.1, is used to determine the derandomized input X.sub.i=.sub.j=0.sup.n1a.sub.ij.Math.v.sub.1.sup.j.

(114) Arithmetic Property of Fully Homomorphic Operations

(115) Because the above methods are fully homomorphic, both additive and multiplicative properties are satisfied.

(116) Additive Homomorphism:
RHT.sup.1(RHT(x)+RHT(y))=RHT.sup.1(RHT(x+y))=x+y(1)
Multiplicative Homomorphism:
RHT.sup.1(RHT(x).Math.RHT(y))=RHT.sup.1(RHT(x.Math.y))=x.Math.y(2)

(117) In addition, the methods above are homomorphic for a division operation:
RHT.sup.1(RHT(x)/RHT(y))=RHT.sup.1(RHT(x/y))=x/y(3)

(118) Addition and multiplication of randomized values are defined by the addition and multiplication, respectively, of the corresponding matrices and polynomials.

(119) Matrix Method

(120) Addition and multiplication of randomized values are defined by the addition and multiplication, respectively, of the corresponding A matrices.

(121) for X.sub.i comprising MRHT (X.sub.i)=A.sub.i:
MRHT(X.sub.1)+MRHT(X.sub.2)=A.sub.1+A.sub.2; and
MRHT(X.sub.1).Math.MRHT(X.sub.2)=A.sub.1.Math.A.sub.2.

(122) For division, if X.sub.20 and MRHT.sup.1(MRHT(X.sub.2)0, then MRHT(X.sub.1/X.sub.2) is calculated by MRHT(X.sub.1).Math.(MRHT(X.sub.2)).sup.1=A.sub.1.Math.A.sub.2.sup.1
1/MRHT(X.sub.2)=A.sub.2.sup.1 and
MRHT(X.sub.1)/MRHT(X.sub.2)=A.sub.1.Math.A.sub.2.sup.1

(123) Polynomial Method

(124) Addition and multiplication of randomized values are defined by the addition and multiplication, respectively, of the corresponding linear functions in Z.sub.N[v]/P(v).

(125) Given PRHT(X.sub.1)=(m.sub.1; d.sub.1), PRHT(X.sub.2)=(m.sub.2; d.sub.2) and P(v)=v.sup.2+bv+c, then for: Addition: PRHT(X.sub.1)+PRHT(X.sub.2)=(m.sub.1+m.sub.2; d.sub.1+d.sub.2); and Multiplication: PRHT(X.sub.1).Math.PRHT(X.sub.2)=((m.sub.1.Math.d.sub.2+m.sub.2.Math.(d.sub.1b.Math.m.sub.1)); (d.sub.1.Math.d.sub.2c.Math.m.sub.1.Math.m.sub.2))

(126) Note, (PRHT(X.sub.1)).sup.2=(m.sub.1.Math.(2d.sub.1b.Math.m.sub.1); (d.sub.1+{square root over (c)}.Math.m.sub.1).Math.(d.sub.1{square root over (c)}.Math.m.sub.1))

(127) PRHT(X.sub.1)=a.sub.10, a.sub.11, . . . , a.sub.1 n1 and PRHT(X.sub.2)=a.sub.20, a.sub.21, . . . , a.sub.2 n1 and C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n of P(v)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1); and

(128) PRHT(X.sub.1)+PRHT(X.sub.2)=a.sub.10+a.sub.20, a.sub.11+a.sub.21, . . . , a.sub.1 n1+a.sub.2 n1

(129) For division, let D=(m.sub.2).sup.2.Math.cd.sub.2.Math.(m.sub.2.Math.b+d.sub.2)

(130) PRHT(X.sub.1)/PRHT(X.sub.2)=((m.sub.1.Math.(d.sub.2m.sub.2.Math.b)m.sub.2.Math.(d.sub.1b.Math.m.sub.1))/D; (d.sub.1.Math.(d.sub.2m.sub.2.Math.b)+c.Math.m.sub.1.Math.m.sub.2)/D)

(131) Therefore, for PRHT(X.sub.1)=a.sub.10, a.sub.11, . . . , a.sub.1 n1 and PRHT(X.sub.2)=a.sub.20, a.sub.21, . . . , a.sub.2 n1 and C.sub.0, C.sub.1, . . . , C.sub.n1, C.sub.n of P(v)=.sub.j=0.sup.nC.sub.j.Math.v.sup.j (C.sub.n=1), can be determined 1/PRHT(X.sub.2)=u.sub.20, u.sub.21, . . . , u.sub.2 n1 by calculating ((.sub.j=0.sup.n1u.sub.2j.Math.v.sup.j).Math.(.sub.j=0.sup.n1a.sub.2j.Math.v.sup.j))mod .sub.j=o.sup.nC.sub.j.Math.v.sup.j=1 in terms of n unknown coefficients u.sub.2j, (j=0, . . . , n1), thereby determining

(132) $\underset{j=0}{\overset{n-1}{.Math.}}{g}_{2j}\left(u_{20},u_{21},\mathrm{.Math.},u_{2n-1},a_{10},a_{21},\mathrm{.Math.},a_{2n-1},c_{10},c_{21},\mathrm{.Math.},c_{2n-1,}\right).Math.v^j)$
wherein g.sub.2j( ) is a linear combination of a plurality of n unknowns u.sub.2j; and

(133) solve the system of n derived equations g.sub.20( )=1, and g.sub.2j( )=0 for j=1, . . . , n1 for all u.sub.2j j=0, . . . , n1; and
PRHT(X.sub.1)/PRHT(X.sub.2)=PRHT(X.sub.1).Math.(1/PRHT(X.sub.2))=((.sub.j=0.sup.n1a.sub.1j.Math.v.sup.j).Math.(.sub.j=0.sup.n1u.sub.2j.Math.v.sup.j))mod .sub.j=0.sup.nC.sub.j.Math.v.sup.j.
III. Fully Homomorphic Encryption of Mod-N Numbers

(134) The plain text X is a sequence of k modulo N elements X.sub.1, X.sub.2, . . . X.sub.k.

(135) Both the matrix-based method and polynomial-based method are equivalent in their utility but some implementation and performance differences exist.

(136) Only one modular multiplication is required for encryption and decryption of the polynomial method where encryption using the matrix method requires more multiplications.

(137) It is appreciated that the method of encryption is a special case of the fully homomorphic randomization of arbitrary data method described above. In the encryption of a mod-N number, the input comprises a plain text, the output comprises a cipher text, and all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key. Encryption functions MEnc (Matrix method Encryption) and PEnc (Polynomial method Encryption) correspond to MRHT and PRHT, respectively. It is appreciated that N need not necessarily be a product of two prime numbers as discussed above, and any N may be used. For security reasons, however, it is preferably that N be a product of two prime numbers (as noted above). Alternatively, P and Q may be any numbers, provided that P and Q are approximately as large as the square root of N, and thus, security considerations will be satisfied.

(138) Matrix Method

(139) By way of example, consider a case where the nn matrix is a 22 matrix where one input element X.sub.i is the plaintext and one corresponding random value Y.sub.i is selected, and a secret randomly chosen 22 matrix denoted S over Z.sub.N is selected to be the symmetric encryption key. S is selected to be an invertible matrix over Z.sub.N, that is Det(S)0.

(140) S.sup.1 is then determined

(141) The encryption of X is defined over its components X.sub.i as follows: Enc(X)=(Enc(X.sub.1), . . . , Enc(X.sub.k)).

(142) Encryption of Xi is defined as follows:

(143) $A_1=\mathrm{Enc}\left(X_i\right)=S\left(\begin{array}{cc}{X}_i& 0\\ 0& Y_i\end{array}\right)S^{-1},$
where all operations are mod N.

(144) The encryption function yields , the cipher text for input element X.sub.i; is a 22 matrix over Z.sub.N.

(145) Polynomial Method

(146) By way of example, consider a case where the polynomial is a quadratic equation. Two mod N secret random numbers, v1 and v2 are selected. The public polynomial P(v)=(vv1).Math.(vv2) mod N=v.sup.2+b.Math.v+c is computed. Encryption of X.sub.i, Enc (Xi), is any linear function in variable v of the form m.sub.i.Math.v+d.sub.i satisfying m.sub.i.Math.v.sub.1+d.sub.i=X.sub.i.

(147) A number mod N random for the m.sub.i value is selected. The linear equation m.sub.i.Math.v.sub.i+d.sub.i=X.sub.i for d.sub.i=X.sub.im.sub.i.Math.v.sub.1 is solved. It is appreciated that all calculations are mod N. The cipher text consists of the pair (m.sub.i, d.sub.i) and b and c, the coefficients of P(v).

(148) Alternatively, a random Y.sub.i is selected for a given X.sub.i. The following simultaneous equations are solved for unknowns m.sub.i and d.sub.i:
m.sub.i.Math.v.sub.1+d.sub.i=X.sub.i: and
m.sub.i.Math.v.sub.2+d.sub.i=Y.sub.i

(149) The result: m.sub.i=(X.sub.iY.sub.i)/(v1v2), and d.sub.i=X.sub.im.sub.i.Math.v.sub.1=(Y.sub.i.Math.v.sub.1X.sub.i.Math.v.sub.2)/(v.sub.1v.sub.2) is the plain text.

(150) It is appreciated that the alternative is computationally heavier than the first alternative embodiment, and is useful when Yi is needed independent-of and well-ahead of Xi.

(151) It is appreciated that the methods described above for combining the matrix and polynomial randomization methods above are applicable to the encryption method herein, as it was noted, the method of encryption is a special case of the fully homomorphic randomization of arbitrary data method.

(152) Decryption

(153) The derandomization method detailed above is performed, however, the received output comprises a cipher text denoted C, the cipher text C being produced according to the encryption method above, and the derandomized input comprises a plain text, and all computations are performed modulo N over a ring Z.sub.N, where N is a product of two prime numbers, and matrix S comprises symmetric encryption key. Only one modular multiplication is required.

(154) Matrix Method

(155) To decrypt the encryption using the exemplary 22 matrix above where the cipher text A is 22 diagonal matrix over Z.sub.N, let the vector (1, e) be an eigenvector of the matrix:

(156) $A=S\left(\begin{array}{cc}X& 0\\ 0& Y\end{array}\right)S^{-1},$
satisfying: (1, e)A=(X, e.Math.X).

(157) Decrypt A as follows:

(158) X=A.sub.1,1+e.Math.A.sub.2,1 (Mod N) where e=(S.sub.12/S.sub.22)mod N, and A.sub.ij and S.sub.ij are the ij elements of matrix S and A, respectively.

(159) Polynomial Method

(160) The cipher text of Xi is the pair (m.sub.i, d.sub.i) (representing the linear function m.sub.iv+d.sub.i). The decryption of the cipher text is as follows: m.sub.i.Math.v.sub.1d.sub.i+=X.sub.i.

(161) It is appreciated that because the above encryption methods are fully homomorphic, the additive, multiplicative, and divisive properties described above are satisfied.

(162) Security In Open Untrusted Platforms

(163) For remote computing in an untrusted platform three cases defining the secrets in a model of an input and function (algorithm) are considered: a. Only the input is private (not the algorithm)The algorithm is characterized as a public polynomial whose input is homomorphically-encrypted data as in a keyed-hash where only the key is secret. In general the computed polynomial may have a multivariate input b. Only the algorithm is private (not the input)The algorithm is characterized by a polynomial with some of the polynomial's coefficients are mod N-numbers secrets and the input is public. An example as mentioned above could be a PFKG (Private Function Key Generation) whose input is a public ECM used in broadcast CA systems. Yet another similar example is a private HMAC (hash-based message authentication code) depicted in FIG. 2, which is a depiction of an embodiment of the system of FIG. 1 where a private algorithm and a public input are used, a polynomial with mod N homomorphic-encrypted coefficients. The HMAC securely runs on an open machine; the last step in its process is delivered to the secure client for verification. c. Both the algorithm and input are privateNeither the algorithm nor its input are known to the processing entity. (Note that both the algorithm and its input must be encrypted with the same homomorphic-encryption key known by the entity that is authorized to know the input and the algorithm).

(164) Such untrusted platform could be a public (open) cloud server, a set top box host, a mobile phone ACPU (application central processing unit), etc.; the decryption of the result is done by the secure client, e.g., smart card, SIM, RFID, or secure execution environment with secure OTP (one-time programmable memory) of a low performance device.

(165) Enhanced Protection for Certain AlgorithmsSecuring OSS Signature Against Pollard Attacks

(166) The Original OSS (Ong, Schnorr, Shamir) scheme is a signature scheme based on a modular equation with two variables.

(167) The following two variables modular equation is given: X.sup.2Y.sup.2=M (mod N) wherein the public key consists of (, N).

(168) The private key is the square root modulo N .sup.2= (mod N).

(169) A signature of a message is a pair (X,Y) satisfying the above equation where M is the hash of the message.

(170) One who knows can find a solution for the equation.

(171) A random value r modulo N is selected, which defines X and Y as follows:

(172) $X=\frac{1}{2}\left(r+\frac{M}{r}\right);Y=\frac{1}{2\mathrm{.Math.}}\left(r-\frac{M}{r}\right).$

(173) The OSS scheme is considered very efficient for the signer and the verifier.

(174) OSS Signing requires 3 modular multiplications and one modular division, and verification requires 3 modular multiplications.

(175) OSS Signing was, however, broken by Pollard, who presented an algorithm for finding solutions for the equation without having to know the factorization of N or the value of .

(176) A modification of the original OSS scheme based on the above modulo-N Homomorphic Encryption scheme is herein described.

(177) Consider two modular equations:
X.sub.1.sup.2.sub.1Y.sub.1.sup.2=M.sub.1(mod N) and X.sub.2.sup.2.sub.2Y.sub.2.sup.2=M.sub.2(mod N)

(178) The values .sub.1, .sub.2 are secret. A random invertible 22 matrix S and define

(179) $U=S\left(\begin{array}{cc}{}_1& 0\\ 0& {}_2\end{array}\right)S^{-1}$
is selected to be the public key.

(180) The private key is the matrix S and values .sub.1, .sub.2 the square roots of .sub.1, .sub.2 respectively.

(181) To sign a message, the hash of the message is calculated and a matrix M in the dimension 2 subspace of matrices that commute with U is selected. M has the form

(182) $M=S\left(\begin{array}{cc}{M}_1& 0\\ 0& M_2\end{array}\right)S^{-1}.$
M.sub.1 and M.sub.2 are calculated (calculation of M.sub.1 and M.sub.2 require 2 modular multiplications) and two random modulo N numbers r.sub.1, r.sub.2 are selected. The values X.sub.1, X.sub.2, Y.sub.1, Y.sub.2 that solve the two modular equations with M.sub.1 and M.sub.2 are found and as in the original OSS.

(183) The matrices A and B are defined:

(184) $A=S\left(\begin{array}{cc}{X}_1& 0\\ 0& X_2\end{array}\right)S^{-1},B=S\left(\begin{array}{cc}{Y}_1& 0\\ 0& Y_2\end{array}\right)S^{-1}.$

(185) The signature is the matrices pair (A, B). The matrices A and B commutes with U, The subspace of all matrices that commutes with U has dimension 2, only two parameters of A and two parameters of B are required for the signature (total of 4 modulo N numbers).

(186) The verifier recovers the missing elements of A and B (each one of the missing parameters is a known linear combination of the two parameters in the signature). The verifier calculates the hash of the message and defines M and verifies that: A.sup.2U.Math.B.sup.2=M.

(187) A simplified version of the scheme is when M.sub.1=M.sub.2. In this case there is no need to calculate the matrix M, the modulo N number M is defined to be the hash of the message, the matrices A and B are defined the same as before and the verification of the signature is done by checking the equality A.sup.2U.Math.B.sup.2=M.Math.I

(188) The Modified OSS scheme protects against Pollard attack as the attack cannot be launched against matrices.

(189) Note that although the above was presented in terms of the Matrix-method, an equivalent protection against Pollard attack can be presented using the Polynomial-method.

(190) Low-Cost (Collaborative) Security Platforms

(191) The logical components of a low cost collaborative security platform, (LH).sup.2, consisting of a low performance high security element and a low-security high performance host or server is depicted in FIG. 1. The idea is that a given security function or data can be performed under a homomorphic encryption in low (or no security) environment, e.g., public cloud server, while the homomorphic secret and its related light operation is performed in the low performance secure (low-cost) element.

(192) An example is a PFKG private function for (content) key generation. The PFKG in its homomorphic-encrypted form runs in the hostlow security STB (set top box) (and not in clear form in the SC (smart card) thus making the SC leaner)with the broadcast ECM as its input. The output of the operation is the desired homomorphic-encrypted pre-hash content key. The SC receives the homomorphic-encrypted pre-hash content key and decrypts it to get the pre-hash content key. It then hashes it and sends it back to the host as the content key used in content decryption.

(193) Thus the mechanism to generate the broadcast content key is protected from any attack on the host STB.

(194) Verification of Computational Integrity

(195) It is frequently necessary to verify that the party who performed a homomorphic computation on behalf of a secure client did in fact do the job correctly, i.e., the returned result is valid.

(196) Denoting the received result to be verified as R*.sub.M for a result returned using an MRHT or MEnc function hereinafter denoted as M, and the result being denoted R*.sub.P for a result returned using a PRHT or PEnc function denoted as hereinafter P, then the result comprising a result of a homomorphic calculation denoted f performed on A.sub.1, A.sub.2, . . . , A.sub.k wherein A.sub.i is equal to one of M(X.sub.i) and P(X.sub.i); f(A.sub.1, A.sub.2, . . . , A.sub.k) is equal to one of: M(f(X.sub.1, X.sub.2, . . . , X.sub.k))=f(M(X.sub.1), M(X.sub.2), . . . , M(X.sub.k)) and P(f(X.sub.1, X.sub.2, . . . , X.sub.k))=f(P(X.sub.1), P(X.sub.2), . . . , P(X.sub.k)). The result of f(A.sub.1, A.sub.2, . . . , A.sub.k) is in one of two forms:

(197) Either

(198) $M\left(f\left(X_1,X_2,\mathrm{.Math.},X_K\right)\right)=S\left(\begin{array}{ccc}f\left(X_1,X_2,\mathrm{.Math.},X_K\right)\mathrm{.Math.}& 0\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& f\left(Y_{m1},Y_{m2},\mathrm{.Math.},Y_{\mathrm{mk}}\right)\mathrm{.Math.}& 0\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}\\ 0\mathrm{.Math.}& 0\mathrm{.Math.}& f\left(Y_{n-1,1},Y_{n-1,2},\mathrm{.Math.},Y_{n-1,k}\right)\end{array}\right)S^{-1}=R_M^{*};$
Or:

(199) f(A.sub.1, A.sub.2, . . . , A.sub.k) in the form of a*.sub.0, a*.sub.1 . . . , a*.sub.n1, =R*.sub.P.

(200) in the case where the result is in the form of R*.sub.M:

(201) f(Y.sub.m1, Y.sub.m2, . . . , Y.sub.mk), hereinafter denoted Q, is computed for some value, m, m=1, 2, . . . , n1 where Y.sub.mj is the m.sup.th random value used in either randomizing or in encrypting X.sub.m.

(202) R*.sub.M is then one of: decrypted; and derandomized using the decryption and derandomization techniques explained above, thereby determining f(Y.sub.m1, Y.sub.m2, . . . , Y.sub.mk), hereinafter denoted E, from the resulting matrix diagonal of the m+1 row of the matrix. E is then compared with Q. The result of the computation of f(Xi) is deemed valid if a match occurs.

(203) Alternatively, in the case where the result is in the form of R*.sub.P:

(204) f(Y.sub.m1, Y.sub.m2, . . . , Y.sub.mk), hereinafter denoted Q, is computed for some value, m, m=1, 2, . . . , n1 where Y.sub.mj the m.sup.th random used in one of randomizing; and encrypting X.sub.m.

(205) R*.sub.P is one of decrypted or derandomized, thereby determining:
.sub.j=0.sup.n1a*.sub.j.Math.v.sub.m+1.sup.j=f(R.sub.m1, R.sub.m2, . . . , R.sub.mk), denoted as E.

(206) E is then compared with Q. The result of the computation of f(Xi) is deemed valid if a match occurs.

Matrix Mode Example

(207) Although, as has been noted, the Matrix-method and Polynomial-method are equivalent, for the sake of illustration consider the matrix

(208) $A=S\left(\begin{array}{cc}X& 0\\ 0& Y\end{array}\right)S^{-1}$
as the cipher text of X (it is appreciated that the cipher text may be generalized as an NN matrix); A is used in homomorphic computation of a function f(A)=Enc(f(X))=R*. The result R* is returned to the secure client for decryption of the form

(209) 0$R=\left(\begin{array}{cc}f\left(X\right)& 0\\ 0& f\left(Y\right)\end{array}\right)$

(210) The secure client has pre-computed f(Y) and compares it with the f(Y) in R. A positive match ensures the client that f(X) is a valid result.

(211) Those skilled in the art will appreciate that the above verification of computational integrity can be shown for the polynomial method as well.

(212) Recently, Xiao published a paper entitled, An Efficient Homomorphic Encryption Protocol for Multi-User Systems, available at www.utdallas.edu/ilyen/techrep/HPbound.pdf which proposes a solution for the homomorphic encryption problem. The inventors of the present invention are of the opinion that the above-mentioned paper presents a method based on 44 diagonal matrices where an arbitrary plaintext data and a nonce instantiate the diagonal; and the cipher text is represented through the application of a secret 44 matrix to the diagonal matrix.

(213) The matrix-based method described herein (referred to as MORE in Appendix A) claims (see the proofs in the section entitled Security in Appendix A) that the use of diagonal commutative matrices over Z.sub.N is valid, i.e. secure, for homomorphic encryption for plaintext inputs (x.sub.1, x.sub.2, . . . , x.sub.n) that are constrained, that is, selected uniformly and independently over Z.sub.N; i.e., the x.sub.i's are randomly chosen in Z.sub.N.

(214) On the other hand, the reference mentioned above (An Efficient Homomorphic Encryption Protocol for Multi-User Systems) presents a homomorphic encryption scheme for any (arbitrary) plaintext inputs, namely, the (x.sub.1, x.sub.2, . . . , x.sub.n) are unconstrained both in size and statistical properties. The reference's claim for security of the scheme presented therein is incorrect.

(215) It can be shown that: for small-value plaintext inputs, (e.g., x.sub.i<80 bytes); or for plaintext values that are not statistically independent (e.g., x1=3x.sub.24(x.sub.3).sup.2),

(216) the scheme presented in the An Efficient . . . reference is not secure and can be broken despite the reference's claim to security strength of factoring. As such, the scheme presented in the An Efficient . . . reference cannot be considered a valid encryption scheme as presented. Note that the attack described below works even when no known plaintext is available, and, more importantly, the attack will also work in the case of 44 scheme (E.sub.4) that is claimed to be secure in the known-plaintext model.

(217) For the case of small-value plaintext inputs, (e.g., x.sub.i<80 bytes): the encryption scheme is not secure and can be broken in practice i.e. once a sequence of n small-value plain text values is encrypted using the scheme proposed it is possible to recover the secret plain text values.

(218) Suppose there is a sequence of n cipher text messages with plain texts: x.sub.1, . . . x.sub.n each one of which satisfies x.sub.i<2.sup.80.Math.8 (i.e. x.sub.i<80 bytes). Take N with conventional size, e.g., N is an integer with a base 2 representation of 1024 bit long.

(219) Using the notation of the An Efficient . . . reference, the cipher text takes the form:

(220) $E\left(x_i\right)=k^{-1}\left(\begin{array}{cc}{x}_i& 0\\ 0& R_i\end{array}\right)k.$

(221) All matrices E (x.sub.i) reside in subspace of dimension 2, therefore there are two mod N numbers a and b such that for all 1in there are: x.sub.i=aE(x.sub.i).sub.1,1+bE(x.sub.i).sub.1,2 mod N.

(222) Consider the following lattice L of dimension n+2 spanned by the vectors: w.sub.1=(, 0, E(x.sub.1).sub.1,1, . . . , E(x.sub.n).sub.1,1) w.sub.2=(0, , E(x.sub.1).sub.1,2, . . . , E(x.sub.n).sub.1,2) w.sub.3=(0, 0, N, , 0, . . . , 0, , 0) w.sub.4=(0, 0, 0, , N, . . . , 0, , 0) . . . w.sub.n+2=(0, 0, 0, . . . 0 N)

(223) For sufficiently large n (e.g. n>4) and a correct choice for 2.sup.8.Math.80/N, since x.sub.i are small enough the vector (a, b, x.sub.1 . . . x.sub.n) is the nonzero vector in L having the smallest norm (length) and any other nonzero vector in the lattice has much larger norm. These are sufficient to ensure that the LLL algorithm will result in finding the smallest non-zero element in a lattice.

(224) The representation of the vector w.sub.min as an integer combination of the lattice base elements w.sub.1 . . . , w.sub.i, . . . , w.sub.n+2 is unique and has the form:

(225) $w_{\min }={\mathrm{aw}}_1+{\mathrm{bw}}_2+\underset{i=3}{\overset{n+2}{.Math.}}{c}_i{w}_i$

(226) Once w.sub.min is recovered the coefficients a, b are easily found using standard linear algebra and the required parameters are found.

(227) As mentioned above, the relationship between the cipher text and the plain text is known: x.sub.i=aE(x.sub.i).sub.1,1+bE(x.sub.i).sub.1,2 mod N and this enables an attacker to recover the plain text given the cipher text.

(228) As a result the inventors of the present invention conclude that the proposed algorithm is not a secure encryption scheme for encrypting small plain text values.

(229) For the case of plaintext values that are not statistically independent (e.g., x1=3x.sub.24(x.sub.3).sup.2):

(230) It can be shown that for plaintext values that are not statistically independent (e.g., x.sub.1=3x.sub.24(x.sub.3).sup.2), the scheme is not secure and can be broken despite the authors' claim to security strength of factoring.

(231) The notations E(x.sub.1), E(x.sub.2), E(x.sub.3) are used for encrypted values of the plaintexts x.sub.1, x.sub.2, x.sub.3

(232) $E\left(x_i\right)=k^{-1}\left(\begin{array}{cc}{x}_i& 0\\ 0& R_i\end{array}\right)k$
for 1i3. Assume that x.sub.1, x.sub.2, x.sub.3 satisfy an algebraic relation: x.sub.1=3x.sub.24(x.sub.3).sup.2 or x.sub.1+4(x.sub.3).sup.23x.sub.2=0 then, it can be shown how the plain text can be recovered.

(233) Since the scheme is homomorphic there is the following matrix relation:

(234) $E\left(x_1\right)-3E\left(x_2\right)+2{\left(E\left(x_3\right)\right)}^2=E\left(0\right)\mathrm{or}$$E\left(x_1\right)-3E\left(x_2\right)+2{\left(E\left(x_3\right)\right)}^2=k^{-1}\left(\begin{array}{cc}0& 0\\ 0& R\end{array}\right)k$

(235) The values R.sub.1, R.sub.2, R.sub.3 are chosen randomly and therefore the value R is not equal 0 with very high probability. Given that it is easy to find the subspace of all vectors mapped to (0,0) by the matrix

(236) $k^{-1}\left(\begin{array}{cc}0& 0\\ 0& R\end{array}\right)k$
using standard linear algebra techniques. any non zero vector in this one dimensional subspace v.sub.1 is good E(x.sub.1)v.sub.1=x.sub.1.Math.v.sub.1; E(x.sub.2)v.sub.1=x.sub.2.Math.v.sub.1; E(x.sub.3)v.sub.1=x.sub.3.Math.v.sub.1

(237) The alternative polynomial-based encryption method described herein provides great performance enhancement over the matrix method herein (from four large number multiplications to only one). Unlike the matrix method (where the algebraic operations of addition and multiplication are standard matrix operations), the polynomial performs the algebraic operations of addition and multiplication over a ring of polynomials modulo some special polynomial of degree 2 or higher.

(238) Moreover:

(239) a. the efficiency of the computation for arbitrary function of cipher texts (with additions and multiplications) is preserved (capped) by calculating the intermediate results modulo some special polynomial of degree 2 or above; and

(240) b. the efficiency of multiplication of cipher texts is improved over the matrix method.

(241) Reference is now made to FIGS. 3A-3E, which are flowchart diagrams depicting methods for the various embodiments of the system of FIG. 1. FIGS. 3A-3E are believed to be self-explanatory in light of the above discussion.

(242) It is appreciated that software components of the present invention may, if desired, be implemented in ROM (read only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques. It is further appreciated that the software components may be instantiated, for example: as a computer program product; on a tangible medium; or as a signal interpretable by an appropriate computer.

(243) It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.

(244) It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined by the appended claims and equivalents thereof: