Arithmetic and Algorithms for Emerging Cryptography
Paulo Martins, Leonel Sousa
INESC-ID
Instituto Superior Ténico
Universidade de Lisboa
Email: paulo.sergio@netcabo.pt, las@inesc-id.pt
Abstract—Current cryptography needs to urgently deal with
two major issues. The first pertains to the derivation of schemes
resistant to quantum computing. The second is related with the
ubiquity of embedded devices. As more and more sensors are
integrated into our general infrastructure, there is an increas-
ing need to securely offload the data they collect to the Internet.
This data is often centralised in computing servers, which need
to manage large amounts of connections simultaneously. In this
paper this topic is addressed in two manners, both exploit-
ing innovative number representations. First, a post-quantum
cryptographic system is designed achieving efficient encryption
on embedded devices and large decryption throughput on high
performance computing platforms. In particular, the Residue
Number System (RNS) is used to increase the decryption
throughput. A second solution to the problem of offloading
sensitive data is derived using Fully Homomorphic Encryption
(FHE). With this type of cryptography one can encrypt data,
producing ciphertexts that are malleable, and that can be
processed by others without any real access to the hidden
data. A plaintext number representation, rooted in stochastic
computing, is proposed, which achieves homomorphic circuits
with small multiplicative depth.
1. Introduction
Number representations can have a profound impact on
the efficiency of cryptographic systems. Certain numeral
systems, such as the RNS, provide for parallel additions and
multiplications, while penalising the execution of operations
such as number comparison and division. Others, like the
Mixed-Radix System (MRS), allow to efficiently compare
two numbers, but are less efficient when it comes to mul-
tiplications. The design of efficient cryptographic systems
should therefore take into account which representation is
more suitable for which cryptographic operation.
In the past, innovative number representations have been
applied to traditional cryptographic schemes such as Rivest-
Shamir-Adleman (RSA) and Elliptic Curve (EC) Cryptogra-
phy (ECC) [1] to improve their efficiency and security. For
instance, since the RNS breaks down long integer arithmetic
into smaller channels, these may be processed in parallel
to accelerate cryptographic primitives. Since the underlying
channels are independent of one another, they may also be
~b1
~c
p~
~b0
Figure 1. Encryption and Decryption in GGH
randomly chosen to achieve a form of message blinding and
reduce the amount of leaked data. As new cryptographic
schemes emerge, namely achieving post-quantum security
and with homomorphic capabilities, there is a need to update
number representation techniques and adapt them to the new
schemes.
Emerging schemes include post-quantum cryptography
and FHE. Goldreich-Goldwasser-Halevi (GGH) is a form
of Lattice-based Cryptography (LBC) that achieves post-
quantum security. A lattice is a repeated arrangement of
points. Encryption corresponds to adding a message, en-
coded as a vector, to a lattice point. In Figure 1, the message
p~ is added to the lattice point ~b0 , producing the ciphertext ~c.
Babai’s round-off [2] is used during decryption to compute
the closest lattice vector, ~b0 , to ~c. This is only possible to
the holder of the private key, which consists of a nearly-
orthogonal basis of the lattice (~b0 and ~b1 ). Since lattices
of very large dimension are used to ensure security, the
numbers one needs to process during decryption are very
large. In this paper, this bottleneck is overcome through the
use of the RNS, which parallelises the arithmetic associated
with these numbers [3].
With FHE, ciphertexts are endowed with a certain level
of malleability, allowing for others to operate on them with-
out any real access to the underlying plaintexts [4]. While
FHE was impractical at the time of its uncovering, there
has been a large effort by the research community to make
it more efficient, with the introduction of techniques such
as batching. Batching is a technique that exploits arithmetic
properties of the plaintext space to simultaneously encrypt
multiple messages in a single ciphertext. When operations
are applied to a ciphertext, they affect each slot individu-
ally. An initial strategy to exploit batching was to design
Boolean circuits and evaluate multiple gates in parallel.
Herein, we argue that for a certain class of numbers, a
stochastic representation of numbers can take better ad-
vantage of this technique [5]. With stochastic computing,
numbers are represented as the relative frequency of 1s in
a bit sequence. Arithmetic operations can be implemented
using simple logical circuits: for instance, multiplication is
achieved through the bitwise AND of two bit sequences.
2. Number representations
Certain cryptographic applications need to deal with
unusually large integers. Due to hardware limitations, pro-
cessors can only handle integers with up to 32 or 64 bits.
Traditionally, larger numbers are processed by breaking their
representation into words of 32 or 64 bits, and processing
them one at a time.
PnAa −1
school-book algorithm
Pnb −1to multiply
two numbers a = i=0 ai wi and b = j=0 bj wj with
32 64
w = 2 or 2 would proceed as follows:
a −1
nX b −1
nX a −1 n
nX X b −1
c= ai wi bj wj = ai bj wi+j
i=0 j=0 i=0 j=0
requiring na × nb basic multiplications.
The complexity of (1) can be reduced through a change
in number representation. The RNS is a numeral system
relying on the Chinese Remainder Theorem (CRT) [1]. An
RNS relies on a basis of coprime integers n1 , . . . , nm . Each
value a in the interval [0, n − 1), for n = n1 × . . . nm , has
a unique representation in RNS:
(a1 , . . . , am ) = (a mod n1 , . . . , a mod nm )
Due to the CRT, a multiplication in RNS can be per-
formed by multiplying the digits of a by the digits of b
element-wise. Suppose that n > c, so that no wrap-around
happens. Then, (1) can be rewritten as
c = (a1 , . . . , am ) × (b1 , . . . , bm )
= (a1 × b1 mod n1 , . . . , am × bm mod nm ) (3)
If each ni is smaller than 232 or 264 , then the number
of basic multiplications is reduced from na × nb in (1) to
m ≈ na + nb in (3). Additions and subtractions can also
be performed coefficient-wise. However, the RNS does not
have a positional nature. This means that operations such as
ba/be ∈ Z (i.e. division with rounding to the nearest integer)
cannot be directly computed in RNS.
A second number representation enabling parallelism
makes use of stochastic processes [5]. In order to rep-
resent a number a ∈ [0, 1], a sequence of independent
bits a0 , . . . , am−1 is generated such that the probability
P (ai = 1) = a∀i ∈ {0, . . . , m − 1}.
Like with RNS, the multiplication of two independent
number representations can be performed by multiplying
their digits element-wise:
c = (a1 , . . . , am ) × (b1 , . . . , bm ) = (a1 × b1 , . . . , am × bm )
(4)
However, the use of a stochastic number representation
introduces further restrictions than RNS. First, it is not pos-
sible to directly add two numbers. Instead, a scaled addition
operation is available. Given the independent number rep-
resentations of a, b, s ∈ [0, 1], the stochastic representation
of c = s × a + (1 − s) × b can be computed as:
c = (s1 × a1 + (1 − s1 ) × b1 mod 2,
. . . , sm × am + (1 − sm ) × bm mod 2) (5)
Also, there is no direct way to compute divisions.
3. Improving Babai’s Round-off
Babai’s round-off plays a crucial role in decrypting
cryptograms in GGH. Given a basis B generating the lattice
~zB , for ~z ∈ Zn , and an input vector ~c, Babai’s round-off
approximates the closest vector ~v in the lattice to ~c as:
(1) ~v = ~cB −1 B
 
(6)
For a nearly orthogonal basis B and a well-formed cryp-
togram ~c, the expression in (6) will produce the exact closest
lattice vector. For thiscomputation to be correct, the vector-
matrix multiplication ~cB −1 has to be computed with high-

precision rationals. Since one of the main objectives of this
paper is to maximise the throughput of (6) by using the RNS,
and the RNS can only handle integers, this multiplication
has to be converted to integer arithmetic:
(2)  −1 
~cB =
~cB 0 ~cB 0
   
1
= + ~v1 =
det(B) det(B) 2
2~cB 0 + det(R)~v1 − [2~cB 0 + det(B)~v1 mod 2det(B)]
(7)
2det(B)
where B 0 = det(B)B −1 is an integer matrix and ~v1 is the
all-ones vector.
In (7), the rounding operation of (6) has been replaced by
a modular reduction. In RNS, this operation can be achieved
through Montgomery’s reduction [1]. This algorithm has
been represented in Figure 2. It replaces a reduction of A
modulo D = 2det(B) by another modulus M1 , that under-
pins an RNS representation,
Q i.e. the moduli in basis M1
satisfy M1 = m∈M1 m. Since operations are implicitly
reduced by M1 in RNS, the first step of the algorithm can be
achieved very efficiently. In contrast, since a division by M1
is later required, and this operation cannot be implemented

M1 M2
Q ← −AD−1 mod M1 Q mod M2
Z ← (A + QD)M1−1 mod M2
if Z ≥ D:
Z ←Z −D
Figure 2. RNS Montgomery’s reduction
in M1 , data has to be converted to another basis M2 . After
this division, the result will be in the [0, 2D) interval. To
perform a full modular reduction, Z has to be compared
with D and a subtraction carried out if necessary. Since the
RNS is of a non-positional nature, the comparison with D
is very expensive and ideally should be avoided.
However, if one simply omits the comparison, an er-
ror
 will  possibly be introduced during the computation of
~cB −1 , and the wrong lattice vector will be associated with
~c. A strategy to detect and eliminate this error is as follows.
If ~c is scaled by γ ∈ Z, the expected result will similarly be
scaled by γ , but the error introduced during the computation
will be detectable modc γ :
RNS( γ~cB −1 ) = γ ~cB −1 +
   
ve (8)
|{z}
detectable modc γ
In addition, if the plaintext p~ is constrained such that
||~
p||∞ < mσ /2, then (7) may be computed modulo mσ . By
following this design approach, it is possible not only to re-
move an expensive number comparison from Montgomery’s
reduction, but also to reduce M2 to two moduli: γ and mσ .
4. Homomorphic Stochastic Computing
FHE refers to the class of encryption systems that sup-
port two operations ⊕ and ⊗ satisfying:
Enc(a) ⊕ Enc(b) = Enc(a + b) (9)
Enc(a) ⊗ Enc(b) = Enc(a × b) (10)
for a and b belonging to a certain ring, and without ⊕
and ⊗ accessing the private-key. Using such a system, an
embedded platform may offload the processing of sensitive
data to a server, without giving the service provider access
to that data.
Several FHE cryptosystems support batching [4]. Batch-
ing is a technique supporting the encryption of several bits
in the same ciphertext, so that homomorphic additions and
multiplications operate on them in parallel. In this paper, a
stochastic representation is proposed as a generic framework
for the homomorphic processing of applications requiring
accurate but inexact computations. There is a direct map-
ping between the batching slots and a stochastic number
representation, namely by encoding each bit of a stochastic
number in a different batching slot.
The proposed encoding leads to low complexity cir-
cuits for the homomorphic evaluation of operations such as
weighted sums or multiplications. Since homomorphic mul-
tiplications map to the coefficient-wise AND of two plain-
texts and homomorphic additions map to their coefficient-
wise XOR, one can implement stochastic multiplication
with homomorphic multiplication and scaled addition by a
combination of homomorphic additions and multiplications.
While the previous set of operations may seem limited,
a wide range of polynomials can be evaluated with it.
In particular, certain polynomials can be converted to a
Bernstein representation [6, Corollary 1] b0 , . . . , bd such
that:
d  
X d i
B(x) = bi Bi (x), Bi (x) = x (1 − x)d−i (11)
i
i=0
With this representation, the evaluation of polynomials
can be performed using Algorithm 1. Since this algorithm, at
its core, performs repeated scaled addition, and the proposed
method can evaluate this operation homomorphically, it can
also evaluate Bernstein polynomials.
Algorithm 1 de Casteljau’s Algorithm for the evaluation of
Bernstein polynomials
Pd
Require: B(x) = i=0 bi Bi (x)
Require: x0
1: for i ∈ {0, . . . , d} do
(0)
2: bi = bi
3: end for
4: for j ∈ {1, . . . , d} do
5: for i ∈ {0, . . . , d − j} do
(j) (j−1) (j−1)
6: bi = bi (1 − x0 ) + bi+1 x0
7: end for
8: end for
(d)
9: return B(x0 ) = b0
5. Implementation Details & Experimental Re-
sults
The implementation of the GGH decryption operation
using the strategy described in Section 3 took into account
several levels of parallelism. Since servers often need to
handle several connections simultaneously, a first level of
parallelism relates to using work-groups to decrypt several
messages in parallel in Graphical Processing Units (GPUs).
Since GGH has to deal with vector arithmetic, the work-
load of processing vector components can be distributed
among several work-items in GPUs or threads in multi-
core Central Processing Units (CPUs). Finally, the usage
of the RNS leads to the homogeneous execution of several
 RNS Bernstein Average
Function Polynomial Mean Squared Error Execution
103 RNS AVX2
MRS Degree Time [s]
MRS AVX2
cos(x) 6 8.94 · 10−6 2.24
NTL
8.9 · 10−5
Delay [ms]

2 sin(x) 5 1.79
10
tan(x)/tan(1) 5 1.92 · 10−5 1.8
acos(x)/acos(0) 5 2.82 · 10−5 1.79
asin(x)/asin(1) 5 3.22 · 10−5 1.8
101 atan(x) 5 2.85 · 10−5 1.77
cosh(x)/cosh(1) 6 3.61 · 10−5 2.31
sinh(x)/sinh(1) 5 2.57 · 10−5 1.78
tanh(x) 5 3.19 · 10−5 1.79
100 exp(x)/exp(1) 6 2.38 · 10−5 2.28
1000 1200 1400 1600 1800 ln(x+1) 6 1.08 · 10−4 2.23
Lattice Dimension
Table 1. H OMOMORPHIC EVALUATION OF NONLINEAR FUNCTIONS IN A
Figure 3. GGH decryption latency in a i7 6700k I 7 5960X

RNS AVX2 - i7 4770K

6. Conclusion
104 RNS AVX2 - i7 5960X
RNS AVX2 - i7 6700K The representation of data has a major influence on how
Throughput [messages/s]

RNS GPU - K40c

103
102
101
100
1000 1200 1400 1600
Lattice Dimension
Figure 4. GGH decryption throughput
work-items, which is very suitable to GPU architectures and
for the exploitation of CPU Single-Instruction-Multiple-Data
(SIMD) extensions.
Figure 3 depicts the delay of the decryption operation
for several implementation strategies. First, the MRS label
refers to an implementation using the Mixed-Radix System
(MRS) to perform the comparison in Figure 2. Due to the
complexity of this operation, it achieves worse performance
than a generic multiprecision library (NTL). Nevertheless, it
exposes a greater level of parallelism, which when exploited
(MRS AVX2), leads to large performance improvements.
Notwithstanding, when the bottleneck of number compar-
ison is removed, the delay is reduced to a great extent
(RNS), while still allowing for parallel implementations
(RNS AVX2). The amenability of the RNS approach to
parallel architectures is verified in practice in Figure 4,
where massively parallel GPUs achieve throughputs one
order of magnitude larger than CPUs.
Finally, the applicability of the proposed homomorphic
stochastic representation has been verified in practice for
a wide range of nonlinear functions in Table 1. These
functions were approximated with Taylor series, and the re-
sulting polynomials converted to Bernstein representations.
An average Mean Squared Error (MSE) of about 10−5 was
achieved for an execution time of about 2 s. It should
be noted that if a different precision were required, the
cryptographic parameters could be changed to achieve that.
RNS GPU - GTX 980
efficiently it can be processed. In public-key cryptography
RNS GPU - Titan X this motto is materialised by the way numbers are repre-
sented. In this paper, RNS-based architectures supporting
GGH decryption were proposed and evaluated, achieving
low-latency on CPUs and high-throughput on GPUs. More-
over, with the proposal of homomorphic stochastic represen-
tations, the homomorphic evaluation of nonlinear functions
1800
has become more viable and efficient, with applications on
image processing and machine learning.
Acknowledgments
This work was supported by Portuguese funds through
Fundação para a Ciência e a Tecnologia (FCT) with ref-
erence UID/CEC/50021/2013 and by the Ph.D. grant with
reference SFRH/BD/103791/2014.
References
[1] L. Sousa, S. Antão, and P. Martins, “Combining Residue Arithmetic to
Design Efficient Cryptographic Circuits and Systems,” IEEE Circuits
and Systems Magazine, vol. 16, no. 4, 2016. [Online]. Available:
http://ieeexplore.ieee.org/document/7748580/
[2] L. Babai, “On Lovász’ Lattice Reduction and the Nearest Lattice
Point Problem (Shortened Version),” in Proc. of the 2nd Symp. of
Theoretical Aspects of Comput. Sci., ser. STACS ’85, London, UK,
1985, pp. 13–20. [Online]. Available: http://dl.acm.org/citation.cfm?
id=646502.696106
[3] P. Martins, J. Eynard, J.-C. Bajard, and L. Sousa, “Arithmetical
Improvement of the Round-Off for Cryptosystems in High-
Dimensional Lattices,” IEEE Transactions on Computers, vol. 66,
no. 12, pp. 2005–2018, 2017. [Online]. Available: http://ieeexplore.
ieee.org/document/7891511/
[4] P. Martins, L. Sousa, and A. Mariano, “A Survey on Fully
Homomorphic Encryption: an Engineering Perspective,” ACM
Computing Surveys, vol. 50, no. 6, pp. 1–33, dec 2017. [Online].
Available: http://dl.acm.org/citation.cfm?doid=3161158.3124441
[5] P. Martins and L. Sousa, “A Stochastic Number Representation
for Fully Homomorphic Cryptography,” in 2017 IEEE International
Workshop on Signal Processing Systems (SiPS). IEEE, oct 2017, pp.
1–6. [Online]. Available: http://ieeexplore.ieee.org/document/8109973/
[6] W. Qian and M. D. Riedel, “The synthesis of robust polynomial
arithmetic with stochastic logic,” in 2008 45th ACM/IEEE Design
Automation Conference, June 2008, pp. 648–653.