Hypercomplex
Abstract & fast header-only C++ template library for lattice-based cryptosystems in high-dimensional algebras
|
The following library aims to deliver a simple method to construct hypercomplex numbers from any of the Cayley-Dickson algebras. It supports calculations in an arbitrary-precise arithmetic as well as encryption/decryption procedures for public-key lattice-based cryptosystems in high-dimensional algebras of truncated polynomial rings. The library is dedicated mostly to computational mathematicians and computational scientists whose focus is (post-quantum) cryptography and precise computation. As a header-only C++ template code it's greatest advantage is the combination of speed, generic programming and convenience for the end user, making it well suited for wide range of computationally challenging projects.
The following is a header-only library, meaning that the easiest way to use it is to copy the core hpp files alongside your main program and include it into the code with the directive:
Remember to specify a proper langauge standard and optimisation level for the compiler, as in the command below:
For computations based on high precision arithmetics it is essential to install the MPFR library first. This should be rather straightforward with the following commands:
It is then essential to provide a preprocessor macro specifying the use of this library at the compile time as well as linking with GNU MP and GNU MPFR as in the command below:
Alternatively, if you work with conda environments this library is installable with:
However, please note that during compilation time it might be necessary to provide additional flags which point to the headers and other libs for the linker.
The command above would be adjusted to:
The following section demonstrates general functionality and behaviour of the library. For the full unit test suite please refer to this file.
Please note that throughout this whole documentation many links may point to the main template Hypercomplex class instead of its specialisations. This is because the doxygen engine unfortunately cannot distinguish between template classes of the same name properly. Always check the description carefully while accessing links at this page.
Let us construct two hypercomplex numbers from an algebra obtained with the Cayley-Dickson process. For simplicity of the presentation we will focus on quaternions.
\( H_1=(1,0,-0.5,5)\)
\( H_2=(-2,-4,-6,0)\)
The code above results in:
For every hypercomplex number we may extract its' real as well as imaginary part:
\(Re(H) := (H^{(0)}, 0, 0, 0, \dotsc)\)
\(Im(H) := (0, H^{(1)}, H^{(2)}, H^{(3)}, \dotsc)\)
Therefore the commands:
yield:
In case you already forgot what the dimensionality of our objects is, don't worry - we got your back. Asking the right questions...
...leads to right answers:
It would be very nice if we could access the components directly... But we can!
results in:
Do you wish you could represent your objects in different systems? Nothing easier than that. Embedding lower-dimensional hypercomplex numbers into higher dimensional algebras is a piece of cake!
The template method above creates a new class instance, printed below:
For every hypercomplex number we might calculate its' Euclidean norm:
\(||H||_2 := \sqrt{H^{(0)}\times H^{(0)} + \dotsc + H^{(n-1)} \times H^{(n-1)} }\)
Luckily, there is a function dedicated to this operation:
It returns value of the same type as the template type for the base class:
Having defined a norm for every non-zero hypercomplex number we may calculate its' inverse according to the following formula: \(H^{-1} = \frac{\bar{H}}{||H||_2^2}\)
Calling a class method...
...creates a new class instance:
Arithmetic operations on hypercomplex numbers are not complicated at all.
To test these operations we may execute the code below:
Obtained output should match:
Moreover, one can easily raise a hypercomplex number to a natural power: \((H^n, n\in N)\). This operation is implemented simply as an iterative multiplication:
\(H^n := (\dotsc((H \times H) \times H)\dotsc)\)
Please note that the products are evaluated from LHS to RHS. However, all Cayley-Dickson algebras are power-associative therefore it does not really matter.
Calling:
Produces:
Last, but not least: our little cherry on top. A very special function linked to the magical Euler number - hypercomplex exponentiation:
\(e^H = e^{Re(H)+Im(H)} := e^{Re(H)} \times (cos||Im(H)||_2 + \frac{Im(H)}{||Im(H)||_2} \times sin||Im(H)||_2)\)
Regardless of the algebra hypercomplex numbers in the equation above are multiplied by scalars, therefore associativity and commutativity still holds for these formulas. For that reason the exponentiation function is highly optimized, implemented efficiently with as few operations and variables as possible.
Finally, we validate it with:
and get:
Calculations on MPFR types are availabla via partial template specialisation (meaning that the hpp file already includes the necessary header and the user should not include it again). It is strongly advised to read the library manual beforehand (sections 1 and 4 as a must-read). Please do not mix this library with another MPFR-dependant code in the same translation unit.
We start with setting a global precision for all objects.
What follows is an initialization of 8 MPFR variables in a single array:
Let us create an octonion composed of these numbers:
To print the first element of our number after raising it to the 30-th power we need to use library specific function:
In result we obtain:
After all the calculations it is essential to clear constructed objects from the memory manually:
Also, following that, to call a wrapper function which cleans all internally-reserved memory:
All the code specified up to this point may be executed upon compilation of this source code.
The main feature of Hypercomplex is an implementation of cryptographic operations as in NTRU cryptosystem but generalized on an arbitrary-high-dimensional algebras generated with the Cayley-Dickson construction. The library provides additional helper class for truncated polynomials (with necessary operators e.g. modular reduction, convolution-multiplication) and a partial template specialisation for hypercomplex numbers based on these objects.
Briefly, let \(N, p, q\) denote three selected primes such that \(p << q\). The former will become a multiplicative order whereas the two latter will mark characteristics of the structures we will work on. Let \(R = \mathbb{Z}[x] / (x^N - 1)\) be the underlying polynomial quotient ring ( \(R_p, R_q\) are modular structures, modulo \(p,q\) respectively) and \(D\) mark the dimension of the algebra we operate in: \(A = \{x_0 + \sum^{D-1}_{i=1} x_i \cdot e_i | x_i \in R\} \), where all \(e_i\) are imaginary basis elements (similarly for modular algebras: \(A_p, A_q\)).
Mathematical derivations for these structures and their operations are analogous to those presented for QTRU and OTRU.
Imagine that Alice wishes to send a message to Bob. Bob chooses \(F \in A\) such that \(F_p^{-1} \in A_p\) and \(F_q^{-1} \in A_q\) exist, then generates his public key for the cryptosystem:
\( H = F_q^{-1} \times G \mod q\)
Alice chooses a "blinding element" \(\Phi \in A_q\) and encrypts her top secret message \(M\) as:
\( E = (p \cdot H \times \Phi + M) \mod q\)
Which Bob then decrypts with the following operations:
\( C_1 = ((F \times E) \times F) \mod q\)
\( C_2 = C_1 \mod p\)
\( C_3 = (F_p^{-1} \times (C_2 \times F_p^{-1})) \mod p\)
If the decryption was successfull Bob receives \( C_3 = M\) (up to coefficients' centered lift)
Please remember that lattice-based cryptography is always burdened with a chance of decryption failure due to incorrect recovery of polynomial's coefficients at the centered lift step.
With a simple example of how to create a hypercomplex number based on truncated polynomials...
... the scheme presented above may be implemented with the following functions of the library:
Remarkably, for a cryptosystem based on an algebra of \(D \geq 16\) dimensions \(F\) needs to contain at most one \( x_i \in R | x_i \neq 0\). This is because sedonions (and higher) are not associative, thus the decryption process will only be possible for a specific, reduced subset of private keys.
Cryptographic applications of Hypercomplex have been extensively tested in the test case: Cryptosystem based on Cayley-Dickson Algebras of the following file.
All tests underlying Figure 1 in the publication are available here.