CN113746620A

CN113746620A - Homomorphic encryption method, apparatus, medium, and computer program product

Info

Publication number: CN113746620A
Application number: CN202111078984.1A
Authority: CN
Inventors: 谭明超; 马国强; 范涛; 陈天健; 杨强
Original assignee: WeBank Co Ltd
Current assignee: WeBank Co Ltd
Priority date: 2021-09-13
Filing date: 2021-09-13
Publication date: 2021-12-03
Anticipated expiration: 2041-09-13
Also published as: CN113746620B

Abstract

The application discloses a homomorphic encryption method, device, medium and computer program product, the method comprising: acquiring a plaintext scalar to be transmitted by first equipment, and acquiring ciphertext data multiplied by the plaintext scalar; sequencing all plaintext elements in a plaintext scalar according to a sequence from small to large to obtain a sequenced plaintext element sequence; subtracting every two adjacent plaintext elements in the plaintext element sequence after the plaintext scalar sorting to obtain a subtracted plaintext element sequence; performing exponentiation on a plaintext scalar ciphertext data which is used as an exponentiation base number and a plaintext element sequence which is subtracted from a plaintext scalar which is used as an exponentiation exponent to obtain a plurality of exponentiation results; and multiplying adjacent power operation results in the multiple power operation results of the plaintext scalar by two to obtain homomorphic encryption results, and sending the homomorphic encryption results to the second equipment. The method and the device improve the efficiency of cryptographic number multiplication operation under homomorphic encryption, thereby improving the applicability of homomorphic encryption.

Description

Homomorphic encryption method, apparatus, medium, and computer program product

Technical Field

The present application relates to the field of data processing technology for financial technology (Fintech), and in particular, to a homomorphic encryption method, apparatus, medium, and computer program product.

Background

With the rapid development of financial science and technology and internet technology, more and more technologies (such as distributed, big data, artificial intelligence, Blockchain, etc.) are applied in the financial field to realize various data processing and business processing.

Homomorphic encryption is a very widely used cryptographic tool that can perform a number multiplication operation in the ciphertext state. However, when performing multiplication on ciphertext data and plaintext data, since the ciphertext data and the plaintext data are usually large integers (i.e. large bit numbers), a large number of modular exponentiations are required, so that the efficiency of the ciphertext multiplication under homomorphic encryption is too low, and the homomorphic encryption cannot be applied to a scene with a high timeliness requirement. Therefore, how to improve the efficiency of cryptographic multiplication under homomorphic encryption to improve the applicability of homomorphic encryption is a problem that needs to be solved at present.

Disclosure of Invention

The present application mainly aims to provide a homomorphic encryption method, device, medium and computer program product, and aims to solve the technical problem of too low efficiency of ciphertext number multiplication operation under homomorphic encryption, thereby improving applicability of homomorphic encryption.

In order to achieve the above object, the present application provides a homomorphic encryption method applied to a first device, the homomorphic encryption method including the steps of:

acquiring a plaintext scalar to be transmitted by the first equipment, and acquiring ciphertext data which is subjected to multiplication operation with the plaintext scalar, wherein the ciphertext data is data obtained by homomorphically encrypting the plaintext scalar;

sequencing all plaintext elements in the plaintext scalar from small to large to obtain a sequenced plaintext element sequence;

subtracting every two adjacent plaintext elements in the sorted plaintext element sequence to obtain a subtracted plaintext element sequence, wherein the process of subtracting every two adjacent plaintext elements is that the next plaintext element subtracts the previous plaintext element;

performing exponentiation on the ciphertext data serving as an exponentiation base number and the subtracted plaintext element sequence serving as an exponentiation exponent to obtain a plurality of exponentiation results, wherein the sequence of the exponentiation results is consistent with the sequence of elements in the subtracted plaintext element sequence;

and multiplying every two adjacent power operation results in the plurality of power operation results to obtain homomorphic encryption results, and sending the homomorphic encryption results to second equipment.

Optionally, the exponentiation of the subtracted plaintext element sequences as exponentiation exponentials and the ciphertext data as exponentiation base number to obtain a plurality of exponentiation results includes:

decomposing each element in the subtracted plaintext element sequence by a preset system to obtain a digit sequence corresponding to each element, wherein one digit sequence corresponds to one element and comprises a plurality of digits of the preset system;

performing exponentiation on the ciphertext data as an exponentiation base and each of the digit sequences as exponentiation exponentials to obtain a plurality of exponentiation results.

Optionally, the exponentiation of the ciphertext data as an exponentiation base and each of the sequence of digits as an exponentiation exponent, to obtain a plurality of exponentiation results, includes:

taking the ciphertext data as a power operation base number, and taking a plurality of digits in a digit sequence as power operation exponents;

performing power operation based on the power operation base number and a plurality of power operation exponents to obtain a plurality of sub power operation results;

performing multiplication operation on the plurality of sub-power operation results to obtain a power operation result corresponding to the element;

returning to the step of taking a plurality of digits in the digit sequence as exponentiation indexes until each digit sequence is subjected to exponentiation;

and obtaining a plurality of power operation results based on the power operation result corresponding to each element.

Optionally, after the step of obtaining the ciphertext data and the plaintext scalar that require the multiplication, the method further includes:

performing fixed-point processing on each plaintext element in the plaintext scalar;

after the step of multiplying each adjacent power operation result in the plurality of power operation results by two to obtain a homomorphic encryption result, the method further comprises the following steps:

and performing anti-fixed point processing on the homomorphic encryption result.

and carrying out array conversion on the plaintext scalar so as to enable the plaintext scalar to be a plaintext array.

Optionally, after the step of multiplying each adjacent power operation result by two in the plurality of power operation results to obtain a homomorphic encryption result, the method further includes:

and sequencing the operation results in the homomorphic encryption result based on the sequence of the plaintext elements in the plaintext scalar before sequencing.

Optionally, the first device is a device participating in federal learning, and the step of obtaining a plaintext scalar to be sent by the first device and obtaining ciphertext data multiplied by the plaintext scalar includes:

and receiving ciphertext data sent by second equipment participating in federated learning, and acquiring a plaintext scalar to be sent by the first equipment so as to multiply the plaintext scalar and the ciphertext data.

In addition, to achieve the above object, the present application also provides a homomorphic encryption device, including: a memory, a processor and a homomorphic encryption program stored on the memory and executable on the processor, the homomorphic encryption program when executed by the processor implementing the steps of the homomorphic encryption method as described above.

Further, to achieve the above object, the present application also provides a computer readable storage medium having stored thereon a homomorphic encryption program, which when executed by a processor, implements the steps of the homomorphic encryption method as described above.

Furthermore, to achieve the above object, the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the homomorphic encryption method as described above.

The application provides a homomorphic encryption method, equipment, a medium and a computer program product, which are characterized in that a plaintext scalar to be sent by first equipment is obtained, and ciphertext data subjected to multiplication operation with the plaintext scalar is obtained, and the ciphertext data and the plaintext scalar can be directly subjected to multiplication operation because the ciphertext data is data for homomorphic encryption of the plaintext scalar, namely, a ciphertext can be directly processed, and meanwhile, the multiplication result is also an encrypted result; then, sequencing each plaintext element in the plaintext scalar according to a sequence from small to large to obtain a sequenced plaintext element sequence, so that each plaintext element can be subjected to pairwise subtraction processing in the following process; then, subtracting every two adjacent plaintext elements in the sorted plaintext element sequence to obtain a subtracted plaintext element sequence, wherein the process of subtracting every two adjacent plaintext elements is that the next plaintext element subtracts the previous plaintext element; performing power operation on the ciphertext data serving as the power operation base number and the subtracted plaintext element sequence serving as the power operation exponent to obtain a plurality of power operation results, wherein the sequence of the power operation results is consistent with the sequence of the elements in the subtracted plaintext element sequence; finally, multiplying each adjacent power operation result in the multiple power operation results pairwise to obtain a homomorphic encryption result, and sending the homomorphic encryption result to the second device.

Drawings

Fig. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present application;

FIG. 2 is a schematic flow chart of a homomorphic encryption method according to a first embodiment of the present application;

FIG. 3 is a flowchart illustrating a ciphertext multiplication operation according to an embodiment of the present disclosure;

fig. 4 is a flowchart illustrating a homomorphic encryption method according to a second embodiment of the present application.

The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.

Detailed Description

It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

Referring to fig. 1, fig. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present application.

The terminal in the embodiment of the present application is a homomorphic encryption device, and the homomorphic encryption device may be a terminal device having a processing function, such as a PC (personal computer), a microcomputer, a notebook computer, and a server.

As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU (Central Processing Unit), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.

Those skilled in the art will appreciate that the terminal structure shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.

As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a homomorphic encryption program.

In the terminal shown in fig. 1, the processor 1001 may be configured to call a homomorphic encryption program stored in the memory 1005 and execute the steps in the homomorphic encryption method provided in the following embodiments of the present application.

Based on the hardware structure, various embodiments of the homomorphic encryption method are provided.

The application provides a homomorphic encryption method.

Referring to fig. 2, fig. 2 is a flowchart illustrating a homomorphic encryption method according to a first embodiment of the present application.

In this embodiment, the homomorphic encryption method is applied to the first device, and the homomorphic encryption method includes:

step S10, ciphertext data and a plaintext scalar quantity which need to be subjected to multiplication are obtained, and the ciphertext data are homomorphic encrypted data;

in this embodiment, the homomorphic encryption method is applied in a homomorphic encryption scenario. Further, the method may be applied to an encryption process, security calculation, or privacy calculation under federal learning, or applied to a privacy calculation under non-federal learning, which is not particularly limited herein. Wherein, the algorithm of homomorphic encryption can be a Paillier algorithm, i.e. an additive homomorphic algorithm; the homomorphic encryption algorithm can also be a Gentry algorithm, namely a fully homomorphic algorithm (including an algorithm of addition homomorphism and multiplication homomorphism); of course, the homomorphic encryption algorithm may also be other homomorphic encryption algorithms, and the Paillier algorithm is taken as an example for explanation in this embodiment and the following embodiments.

In particular, the homomorphic encryption method can be applied to interaction scenes with high privacy requirements or large data volumes, such as image recognition, text recognition, voice recognition and the like. That is, the plaintext scalar may be image data, text data, voice data, or the like. Of course, the application scenario of the homomorphic encryption method is not limited, and the homomorphic encryption method can be applied to any interactive scenario, so that the homomorphic encryption performance under each scenario is improved.

Further, the homomorphic encryption method can be applied to a federal learning scene for constructing an image recognition model, or a federal learning scene for constructing a text recognition model, or a federal learning scene for constructing a voice recognition model, or a federal learning scene for other recognition models or prediction models. That is, the plaintext scalar may be an intermediate parameter corresponding to federated learning. Specifically, reference is made to the following fourth embodiment, which is not repeated herein.

It should be noted that the plaintext scalar is data that needs to be encrypted and transmitted by the first device, and the ciphertext data may be a ciphertext (which may be a ciphertext obtained by the same homomorphic encryption by the other party, or a key-related parameter) transmitted by the other party or a key of the first device itself that performs homomorphic encryption.

In an embodiment, the homomorphic encryption method is applied to a first device participating in federal learning, and the step S10 includes:

and receiving ciphertext data of second equipment participating in federated learning, and acquiring a plaintext scalar needing to be subjected to multiplication, wherein the ciphertext data is data subjected to multiplication with the plaintext scalar. The first device participating in the federal learning may be a party participating in the federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator), among others. Accordingly, the second device participating in federal learning can also be a party participating in federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator). For example, the first device serves as a data application side, the second device serves as a data provider side, the second device performs homomorphic encryption on own data to obtain ciphertext data, then the second device sends the ciphertext data to the first device so that the first device can receive the ciphertext data of the second device, and finally the first device performs multiplication operation on the ciphertext data and own plaintext data to obtain a ciphertext multiplication operation result.

It should be noted that the ciphertext data of the second device is obtained by performing homomorphic encryption on the plaintext data of the second device by the second device. In addition, the ciphertext data and the plaintext scalar are multiplied to obtain a homomorphism called scalar, namely, one plaintext is multiplied by one ciphertext to obtain one ciphertext. For example, the first device is the party a, the second device is the party B, and the data of the party B can be sent to the party a, because the data of the party B is the ciphertext, there is no risk in sending the data to the party a; the party A can calculate the data, and because the obtained result is still the ciphertext, the party A can be safely sent to the party B, and because the two parties both hold the public key, the data cannot be decrypted; of course, a coordinator party C can be added on the basis of the A party and the B party to perform the logistic regression operation.

In another embodiment, the homomorphic encryption method is applied to a first device participating in federal learning, and the step S10 includes:

and acquiring ciphertext data and a plaintext scalar quantity which need to be subjected to multiplication, wherein the ciphertext data is a homomorphic encrypted public key. When the ciphertext data is a homomorphic encrypted public key, the plaintext scalar is homomorphic encrypted by the current number multiplication operation, so that the ciphertext corresponding to the plaintext scalar is obtained. For example, the first device is a data provider, and the first device performs homomorphic encryption on its own plaintext scalar quantity by using the public key, that is, performs modular exponentiation equivalent to multiplication operation, so as to obtain a ciphertext corresponding to the plaintext scalar quantity, where a modulus of the modular exponentiation may also be the public key of homomorphic encryption, and finally, the first device sends the ciphertext to another party involved in federal learning.

In this embodiment, a plaintext scalar to be sent by the first device is obtained, and ciphertext data obtained by performing multiplication operation on the plaintext scalar is obtained, where the ciphertext data is data obtained by homomorphically encrypting the plaintext scalar. The ciphertext data may be a ciphertext obtained by homomorphic encryption; it can also be a public key for homomorphic encryption or a related key parameter for homomorphic encryption.

It should be noted that the ciphertext multiplication (ciphertext multiplication) in the homomorphic encryption state is a multiplication of plaintext data and ciphertext data, and may be equivalent to performing a modular exponentiation, that is, performing a power operation with plaintext as an exponent. Specifically, reference is made to the following formula:

d*b≡d^b mod m；

wherein d is ciphertext data, b is a plaintext scalar, ≡ is an equivalent symbol, mod represents a modular operation, m is a modulus, and the modulus m can be key data generated in a homomorphic encryption process.

In addition, since the result of repeating the modulo operation is not changed for the modulo operation, if the ciphertext data is data obtained by performing the modular exponentiation operation, the ciphertext multiplication operation in the homomorphic encryption state may be equivalent to performing the power operation, that is, performing the power operation by directly using the ciphertext data as the power operation base and the plaintext element in the plaintext scalar as the power operation exponent. Specifically, reference is made to the following formula:

d*b≡d^b；

wherein d is ciphertext data, b is a plaintext scalar, and ≡ is an equivalent symbol.

In this embodiment, the ciphertext data is a ciphertext element. In other embodiments, if the ciphertext data is a scalar, each ciphertext element in the ciphertext data is separately multiplied by the plaintext scalar to obtain a number multiplication result corresponding to each ciphertext element. The scalar quantity or plain text scalar quantity of the ciphertext data comprises a one-dimensional vector form, a two-dimensional matrix form or a higher-dimensional scalar quantity form.

Further, after the step S10, the homomorphic encryption method further includes:

step a60, performing tuple conversion on the plaintext scalar so that the plaintext scalar is a plaintext tuple.

In this embodiment, the plaintext scalar is subjected to array conversion, so that the plaintext scalar becomes a plaintext array. It should be noted that, if the plaintext scalar is in a two-dimensional matrix form or a higher-dimensional scalar form, the plaintext scalar may be subjected to array conversion to convert the plaintext scalar into a plaintext array, so as to improve efficiency of multiplication operation of the plaintext number, and facilitate subsequent sorting of each plaintext element in the plaintext scalar from small to large. Correspondingly, the result of the number multiplication operation is subsequently converted into a scalar form before the plaintext scalar is subjected to array conversion.

In an embodiment, after the step S10, the homomorphic encryption method further includes:

and if the plaintext scalar is a plaintext matrix, converting the plaintext matrix into a plaintext array so as to enable the plaintext scalar to be the plaintext array. It can be understood that the efficiency of the number multiplication operation can be improved by converting the plaintext matrix into the plaintext array.

Accordingly, after the following step S30, the homomorphic encryption method further includes:

and converting the number multiplication operation result into an operation result in a matrix form. It should be noted that the conversion process of converting the number multiplication result into a matrix corresponds to the process of converting the plaintext matrix into a plaintext array, and details are not described here.

In some embodiments, after the step S10, the homomorphic encryption method further includes:

step a70, performing fixed-point processing on each plaintext element in the plaintext scalar.

In this embodiment, since floating point numbers may exist in the plaintext scalar, that is, the plaintext elements may be floating point numbers, based on this, in order to facilitate the calculation, the fixed-point plaintext elements in the plaintext scalar are fixed-point processed to obtain fixed-point plaintext elements. It should be noted that, no matter whether floating point numbers exist in the plaintext scalar quantity, the fixed-point processing is performed on each plaintext element in the plaintext scalar quantity, and then only the corresponding inverse fixed-point processing is performed on the result of the multiplication operation.

Accordingly, after the following step S50, the homomorphic encryption method further includes:

and step A80, performing anti-fixed point processing on the homomorphic encryption result.

In this embodiment, since the fixed-point processing is performed on each plaintext element in the plaintext scalar, the anti-fixed-point processing is also performed on the homomorphic encryption result after the homomorphic encryption result is obtained.

In another embodiment, the step A70 includes

And if floating point numbers exist in all plaintext elements in the plaintext scalar, performing fixed point processing on the floating point numbers so as to enable all plaintext elements in the plaintext scalar to be fixed point numbers. That is, the floating point number is simulated by an integer, and fixed point processing is performed on the floating point number to obtain a fixed point number, thereby improving the efficiency of cryptographic multiplication.

Step S20, sorting each plaintext element in the plaintext scalar according to the sequence from small to large to obtain a sorted plaintext element sequence;

in this embodiment, the plaintext elements in the plaintext scalar are sorted in the order from small to large to obtain a sorted plaintext element sequence. The plaintext element sequence may be represented in an array form, or in other forms such as an array form. The plaintext elements in the sequence of plaintext elements are arranged from small to large.

It should be noted that, whether the plaintext scalar is in the form of a two-dimensional array, a three-dimensional matrix, or a higher-dimensional scalar, the plaintext elements in the plaintext scalar may be sorted in order from small to large. Specifically, each plaintext element in the plaintext scalar is acquired, the plaintext elements are sequenced from small to large, and a sequenced plaintext element sequence is generated based on the sequenced plaintext elements. Of course, the plaintext scalar is subjected to array conversion, so that the plaintext scalar is a plaintext array, and the sequencing efficiency can be further improved.

step a90, based on the order before each plaintext element in the plaintext scalar is not sorted, sorting each operation result in the homomorphic encryption result.

In this embodiment, since the plaintext elements in the plaintext scalar are sorted in the order from small to large before, and the subsequent exponentiation operation is also based on the sorted plaintext element sequence, after the homomorphic encryption result is obtained, the operation results in the homomorphic encryption result also need to be sorted based on the order before the plaintext elements in the plaintext scalar are not sorted, that is, the permutation order of the elements in the plaintext scalar is restored.

Step S30, subtracting each adjacent plaintext element in the sorted plaintext element sequence by two to obtain a subtracted plaintext element sequence, where the process of subtracting each adjacent plaintext element by two is to subtract a previous plaintext element from a next plaintext element;

in this embodiment, the adjacent plaintext elements in the sorted plaintext element sequence are subtracted from each other, so as to obtain a subtracted plaintext element sequence, and the process of subtracting each other is to subtract the previous plaintext element from the next plaintext element. Since the plaintext element sequence is sorted from small to large, the adjacent plaintext elements are two plaintext elements with sizes close to each other in all the plaintext elements. For example, if the plaintext element sequence is {7, 15, 30, 35}, each adjacent plaintext element includes {7, 15}, {15, 30}, and {30, 35}, and subtraction of two plaintext elements results in 8, 15, and at this time, the subtracted plaintext element sequence is {7, 8, 15}, where the first element of the subtracted plaintext element sequence is the same as the first element of the sorted plaintext element sequence.

Step S40 of performing exponentiation on the ciphertext data as an exponentiation base and the subtracted plaintext element sequence as an exponentiation exponent to obtain a plurality of exponentiation results, the order of the plurality of exponentiation results being identical to the order of elements in the subtracted plaintext element sequence;

in this embodiment, the ciphertext data as the base of the exponentiation and the subtracted plaintext element sequence as the exponentiation exponent are subjected to the exponentiation to obtain a plurality of exponentiation results, and the order of the plurality of exponentiation results coincides with the order of the elements in the subtracted plaintext element sequence. One element in the subtracted plaintext element sequences corresponds to one power operation result, namely the number of the subtracted plaintext element sequences is consistent with the number of the plurality of power operation results, so that the sequence of the plurality of power operation results is consistent with the sequence of the elements in the subtracted plaintext element sequences.

It should be noted that, for how many elements of the plaintext element sequence, how many exponentiations are constructed, the exponentiation base number of each exponentiation is ciphertext data, and the exponentiation exponent of each exponentiation corresponds to different elements, based on which different exponentiation results can be obtained.

In one embodiment, the calculation unit performs the exponentiation based on the exponentiation base number and the exponentiation indexes respectively to obtain a plurality of exponentiation results.

In another embodiment, a predetermined system decomposition may be performed on each element in the subtracted plaintext element sequences to obtain a digit sequence corresponding to each element, where one digit sequence corresponds to one element, and one digit sequence includes a plurality of digits of the predetermined system; performing exponentiation on the ciphertext data as an exponentiation base and each of the digit sequences as exponentiation exponentials to obtain a plurality of exponentiation results. For a specific implementation process, reference is made to the following second embodiment, which is not described in detail herein.

It should be noted that the cryptographic number multiplication in the homomorphic encryption state may be equivalent to performing power operation, that is, directly taking the cryptographic data as the power operation base number, taking the plaintext elements in the plaintext scalar as the power operation exponent, and performing the power operation, and at this time, obtaining the subtracted plaintext element sequence after sequencing and subtracting every two plaintext elements in the plaintext scalar, and based on this, taking the subtracted plaintext element sequence as the power operation exponent.

In addition, it should be noted that the binary digit numbers of the ciphertext data as the base of the exponentiation and the plaintext element as the exponentiation are often large, for example, 1024 bits or 2048 bits, so the embodiment has a great benefit for improving the efficiency of the ciphertext multiplication, and has practical value. Based on this, if the binary number of the ciphertext data or the plaintext element is larger, the benefit of the embodiment for improving the ciphertext multiplication efficiency is larger.

It can be understood that, when the ciphertext data as the base of the exponentiation and the subtracted plaintext element sequence as the exponentiation are subjected to the exponentiation, the number of bits of each element as the exponentiation in the subtracted plaintext element sequence is smaller than that of the plaintext element originally as the exponentiation, so that the computational complexity of the ciphertext multiplication can be reduced.

And step S50, multiplying each adjacent power operation result in the power operation results pairwise to obtain a homomorphic encryption result, and sending the homomorphic encryption result to the second device.

In this embodiment, each adjacent exponentiation result in the plurality of exponentiation results is multiplied by two to obtain a homomorphic encryption result, and the homomorphic encryption result is sent to the second device. Since the plaintext elements adjacent to each other in the sorted plaintext element sequence are subtracted from each other two by two to obtain the subtracted plaintext element sequence, and the exponentiation result is obtained based on the subtracted plaintext element sequence, the exponentiation result adjacent to each other in the exponentiation results also needs to be multiplied by two to obtain a multiply-by-two operation result (i.e., a homomorphic encryption result).

Wherein the adjacent power operation results are two power operation results sequentially close in the plurality of power operation results. For example, if the plurality of exponentiation results are {8, 16, 32, 64}, each adjacent exponentiation result includes {8, 16}, {16, 32}, and {32, 64}, and multiplication by two results yields 128, 512, 2048, where the multiplication result (i.e., homomorphic encryption result) is {8, 128, 512, 2048}, and a first multiplication result of the multiplication result is the same as a first exponentiation result of the plurality of exponentiation results.

For ease of understanding, referring to fig. 3, fig. 3 is a flowchart of a ciphertext multiplication operation according to an embodiment of the present application. The plaintext elements in the plaintext scalar are x0, x1, x2, x3, x4, x5, x6, the like and x n, then the plaintext elements in the plaintext scalar are sequenced from small to large to obtain sequenced plaintext element sequences { x0', x1', x2', x3', x4', x5', x6',. the like and x ' after sequencing, next adjacent plaintext elements in the sequenced plaintext element sequences are subtracted in pairs to obtain subtracted plaintext element sequences { x0', x1' -x0', x2' -x1',. the like and x ' -x ' 1', and then ciphertext data as a power operation base number and the subtracted plaintext element sequences as power operation indexes are operated to obtain a plurality of operation results { D ^ x 0D ^ x 56 ', x λ 9D ^ x ', x λ 56 ', x 8253 ', x 8653 ', and x 828653 ', x 8653 ', x ' 8653 ', and x 8253 ', 8653 ', x ', 1', and x ', x λ 80 ', x λ 8645 ', x ', and x λ, x ', x λ, 9, x ', 1', x ', b, and x λ, and x λ, and x ', are obtained by which are obtained power operation results of the power operation indexes of the operation results of the operation, and x, obtained by subtracting the operation, and x ', the operation results of the operation, and x, and the operation results of the operation, are obtained by subtracting the operation, and the operation results of the operation, and the operation of the operation, and the operation of the operation, are obtained by subtracting the operation of the operation, and the operation of the operation, are obtained by the operation of the operation, and the operation of the operation, are obtained by the operation, and the operation of the operation, and the operation of the operation, are obtained, .., D ^ xn ' -xn-1', and finally, multiplying each adjacent power operation result in the multiple power operation results by each other (namely multiplying the adjacent power operation result by the previous element) to obtain the number multiplication operation results { D ^ x0', D ^ x1', D ^ x2',.

The embodiment of the application provides a homomorphic encryption method, a plaintext scalar to be sent by first equipment is obtained, ciphertext data which is subjected to multiplication operation with the plaintext scalar is obtained, and the ciphertext data is homomorphic encrypted data of the plaintext scalar, so that the ciphertext data and the plaintext scalar can be directly subjected to multiplication operation, namely the ciphertext can be directly processed, and meanwhile, the multiplication result is also an encrypted result; then, sequencing each plaintext element in the plaintext scalar according to a sequence from small to large to obtain a sequenced plaintext element sequence, so that each plaintext element can be subjected to pairwise subtraction processing in the following process; then, subtracting every two adjacent plaintext elements in the sorted plaintext element sequence to obtain a subtracted plaintext element sequence, wherein the process of subtracting every two adjacent plaintext elements is that the next plaintext element subtracts the previous plaintext element; performing power operation on the ciphertext data serving as the power operation base number and the subtracted plaintext element sequence serving as the power operation exponent to obtain a plurality of power operation results, wherein the sequence of the power operation results is consistent with the sequence of the elements in the subtracted plaintext element sequence; finally, multiplying each adjacent power operation result in the multiple power operation results pairwise to obtain a homomorphic encryption result, and sending the homomorphic encryption result to the second device.

Further, based on the first embodiment described above, a second embodiment of the homomorphic encryption method of the present application is proposed.

Referring to fig. 4, fig. 4 is a flowchart illustrating a homomorphic encryption method according to a second embodiment of the present application.

In this embodiment, the step S40 includes:

step S41, performing predetermined scale decomposition on each element in the subtracted plaintext element sequences to obtain a digit sequence corresponding to each element, where one digit sequence corresponds to one element, and one digit sequence includes a plurality of digits of the predetermined scale;

in this embodiment, each element in the subtracted plaintext element sequences is decomposed by a predetermined scale to obtain a digit sequence corresponding to each element, where a digit sequence corresponds to an element and a digit sequence includes a plurality of digits of the predetermined scale. The digits of the preset system comprise one or more digits.

It should be noted that the preset binary system may include a binary system, an octal system, a hexadecimal system, or the like. In order to further improve the efficiency of the multiplication operation, the preset binary system may be set to be a binary system to conform to the calculation binary system of the current calculation device, and of course, other higher power binary systems may also be set to facilitate the processing of the calculation device.

In one embodiment, the step S41 includes:

and performing binary decomposition on each element in the subtracted plaintext element sequences to obtain a binary bit sequence corresponding to each element, wherein one binary bit sequence corresponds to one element, and one binary bit sequence comprises a plurality of binary digits. Wherein the number of binary digits includes one or more digits.

It should be noted that each element in the subtracted plaintext element sequence can be regarded as a set of binary digits, i.e., a binary bit sequence. For example, if an element in the subtracted plaintext element sequence is 7, then 7 ═ 1+2+4 ^ 2^0+2^1+2^ 2; if an element in the subtracted plaintext element sequence is 19, then 19 ═ 16+2+1 ^ 2^4+2^1+2^ 0.

It should be noted that the relationship between the bits in the bit sequence is an addition relationship, for example, the bit sequence is {2^0, 2^1, 2^2}, and the result of adding the bits in the bit sequence is 2^0+2^1+2^ 1+2+4 ^ 7. That is, each element in the subtracted plaintext element sequence is decomposed into a binary number bit addition result. Specifically, an element b in the plaintext element sequence after subtraction is:

where i represents the position of the current bit, n represents the number of bits of the element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is 1, and if b is_iA value of 0 represents that the corresponding bit number is 0.

It is understood that the binary decomposition for higher power is basically the same as the binary decomposition, and is not described in detail here. For example, when the predetermined system is an octal system, an element b in the subtracted plaintext element sequence is:

where i represents the position of the current bit, n represents the number of bits of the element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is not 0, and if b is not 0_iA value of 0 represents that the corresponding bit number is 0.

In step S42, an exponentiation is performed on the ciphertext data as an exponentiation base and each of the sequence of digits as an exponentiation exponent to obtain a plurality of exponentiation results.

In this embodiment, a plurality of exponentiation results are obtained by performing an exponentiation on ciphertext data as an exponentiation base and each digit sequence as an exponentiation exponent.

For convenience of understanding, the predetermined binary system is taken as an example for explanation, and an element b in the subtracted plaintext element sequence is:

where i represents the position of the current bit, n represents the number of bits of the element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is 1, and if b is_iA value of 0 represents that the corresponding bit number is 0. Based on this, the product of the results of the respective exponentiations can be converted. Specifically, reference is made to the following formula:

wherein d is ciphertext data, b is an element in the plaintext element sequence after subtraction, i represents the position of the current bit in the element b, n represents the bit number of the element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is 1, and if b is_iA value of 0 represents that the corresponding bit number is 0. For example, the number of bits n of the element b is 53 bits, and the following formula is referred to:

specifically, based on the above derivation formula for performing exponentiation, it is possible to perform exponentiation on ciphertext data as an exponentiation base and each digit sequence as an exponentiation exponent, and to perform exponentiation and multiplication. Namely, the step S42 includes: performing exponentiation and multiplication on the ciphertext data as an exponentiation base number and each digit sequence as an exponentiation exponent to obtain a plurality of exponentiation results.

It should be noted that the number of binary digits of the ciphertext data as the base of the exponentiation and the element as the exponentiation exponent is often relatively large, for example, 1024 bits or 2048 bits, so the embodiment has a relatively large benefit for improving the efficiency of the ciphertext multiplication operation, and has practical value. Based on this, if the binary digit number of the ciphertext data or the element is larger, the benefit of the embodiment for improving the ciphertext multiplication efficiency is larger.

It is understood that, when the ciphertext data as the base of the exponentiation and each digit sequence as the exponentiation exponent are subjected to the exponentiation, the number of digits of each digit in the digit sequence as the exponentiation exponent is smaller than the original element as the exponentiation exponent, so that the computational complexity of the ciphertext multiplication operation can be reduced. Specifically, if the element is set to n, the original calculation complexity of directly performing the exponentiation with the element as the exponentiation exponent is n, i.e., n multiplications are performed, and the calculation complexity of performing the exponentiation with each digit sequence subjected to the predetermined binary decomposition as the exponentiation exponent is log (n), i.e., log (n) multiplications are performed.

Further, the step S42 includes:

step A421, using the ciphertext data as a power operation base number, and using a plurality of digits in a digit sequence as a power operation exponent;

in this embodiment, the ciphertext data is used as the power base, and a number of digits in a sequence of digits are used as the power exponent. Wherein, a digit sequence may comprise 1 or more digits. For example, if the predetermined binary system in step S41 is binary system, and an element in the subtracted plaintext element sequence is 4, the digit sequence thereof includes a value of 2^ 2; if an element in the subtracted plaintext element sequence is 7, the bit sequence comprises 2^0, 2^1 and 2^ 2. For another example, if the predetermined scale in step S41 is octal, and an element in the subtracted plaintext element sequence is 64, the digit sequence thereof includes an 8^ 2; if an element in the subtracted plaintext element sequence is 75, the bit sequence comprises 8^1, 8^2, and 3.

Step A422, performing power operation based on the power operation base number and a plurality of power operation exponents to obtain a plurality of sub power operation results;

in this embodiment, an exponentiation is performed based on an exponentiation base and a number of exponentiation exponentials, resulting in a number of sub-exponentiation results. Wherein, the number of the power operation exponents corresponds to the number of the sub power operation results one by one.

It should be noted that, for how many exponentiation indexes, how many exponentiation expressions are constructed, the exponentiation base number of each exponentiation expression is ciphertext data, and the exponentiation index of each exponentiation expression corresponds to different digits, based on which different sub-exponentiation results can be obtained.

In one embodiment, the calculation unit performs the exponentiation based on the exponentiation base number and the exponentiation indexes to obtain a plurality of sub-exponentiation results.

In another embodiment, the step a422 includes:

and obtaining a plurality of prestored sub-power operation results based on the power operation base number and the power operation exponents, wherein the prestored power operation results are a plurality of sub-power operation results obtained by performing power operation based on the power operation base number and the power operation exponents. Specifically, based on the power operation base number and the power operation exponents, the corresponding power operation expressions can be determined, and then a plurality of prestored sub power operation results are obtained based on the power operation expressions, wherein the prestored sub power operation results are also a plurality of sub power operation results obtained by performing power operation based on the power operation base number and the power operation exponents.

It should be noted that, when performing exponentiation based on the exponentiation base number and a plurality of exponentiation indexes, it is not necessary to use the computing unit to calculate the sub-exponentiation result again, and it is only necessary to multiplex the sub-exponentiation result calculated in advance and stored, so that the computing process and the computing resources can be saved, and further the ciphertext multiplication efficiency can be further improved.

Correspondingly, to obtain a plurality of pre-stored sub-power operation results, before the step of obtaining a plurality of pre-stored sub-power operation results based on the power operation base number and a plurality of power operation exponentials, the homomorphic encryption method further includes:

carrying out preset scale decomposition on the maximum value of the plaintext scalar to obtain a corresponding maximum value digit sequence, wherein the maximum value of the plaintext scalar is determined by the bit number of the plaintext scalar; performing an exponentiation based on the ciphertext data as an exponentiation base and the maximum value digit sequence as an exponentiation exponent to obtain a plurality of sub-exponentiation results; storing the plurality of sub-exponentiation results for exponentiation of the ciphertext data as an exponentiation base and each of the sequence of digits as an exponentiation exponent based on the plurality of sub-exponentiation results.

In another embodiment, the predetermined binary system is a binary system, and the step a422 includes:

comparing the number of the power operation indexes with the binary bit number of a current element, wherein the current element is an element corresponding to the power operation indexes; if half of the binary bit number is smaller than the number, determining a pre-stored maximum power operation result based on the power operation base number and the binary bit number, and determining a plurality of pre-stored zero-bit power operation results based on the binary number of the current element, wherein the zero-bit power operation result is a power operation result corresponding to the binary number with the bit number of zero, the power operation base number of the zero-bit power operation result is the ciphertext data, and the power operation exponent of the zero-bit power operation result is a negative number of the binary bit number corresponding to the bit number of zero in the binary number; and taking the maximum power operation result and the plurality of zero-bit power operation results as a plurality of sub power operation results obtained by performing power operation based on the power operation base number and a plurality of power operation exponentials.

Specifically, whether the binary bit number of the current element is more than 1 or more than 0 is judged, and if more than 1, half of the binary bit number of the current element is smaller than the number of a plurality of power operation exponents; if 0 is moreThen half of the binary bit number of the current element is greater than the number of power exponents. If the base number of the power operation is d and the binary bit number is n, the maximum power operation result is

The method comprises the steps of determining the bit number of 0 in the binary number based on the binary number of a current element, obtaining the binary number corresponding to the bit number of 0, then determining a corresponding power operation expression based on ciphertext data and the binary number, and finally obtaining a corresponding zero-bit power operation result based on the power operation expression.

The binary number indicates the bit length of the current element, for example, if the binary number of the current element is 111110, the binary number is 6.

It should be noted that the number of the power exponents represents the number of digits of the digit sequence obtained by binary decomposition of the current element. Specifically, reference is made to the following formula:

where b represents the current element, i represents the position of the current bit, n represents the binary bit number of the current element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is 1, and if b is_iA value of 0 represents that the corresponding bit number is 0. Based on this, the bit number of the current element b is 1 at the positions from i-0 to i-n, and then b is corresponding to the current element b_iIs 1, and there is a corresponding digit 2 in the digit sequenceⁱAnd further there is a corresponding power exponent 2ⁱ. For example, if the binary bit number of the current element is 111110, the number of bits of the bit sequence corresponding to the current element is 5, and correspondingly, the number of the power exponentiations is also 5.

Wherein the maximum power operation result is the maximum value corresponding to the binary bit number of the current element, for example, if the ciphertext data is d and the binary bit number is 4, the corresponding maximum power operation result is d¹⁵If the binary bit number is 5, the corresponding maximum power operation result is d³¹。

The binary number of the current element is a binary representation of the current element, for example, if the binary bit number of the current element is 4, the decimal number of the current element is 14, and then the binary number of the current element is 1110. The zero-bit exponentiation result is the exponentiation result with the bit number of zero corresponding to the binary number of the current element, for example, the ciphertext data is d, if the binary number of the current element is 1110, the zero-bit exponentiation result is d^-1If the binary number of the current element is 11100, the zero-bit exponentiation result is d^-1And d^-2If the binary number of the current element is 11010, the zero-bit exponentiation result is d^-1And d^-3。

The binary digit number is incremented from 1, that is, the lowest bit of the binary digit of the current element is 1.

For example, if the base number of the power operation (ciphertext data) is 2 and the binary bit number of the current element is 4, the maximum power operation result is 2¹⁵If the binary number of the current element is 1110, the zero-bit exponentiation result is 2^-1And only one zero-bit exponentiation result, so that the subsequent maximum exponentiation result is 2¹⁵And the result of the zero bit exponentiation is 2^-1Multiplication to obtain 2¹⁴. For another example, if the base number of the exponentiation (ciphertext data) is 4, and the binary bit number of the current element is 4, the maximum exponentiation result is 4¹⁵If the binary number of the current element is 1110, the zero-bit exponentiation result is 4^-1And only one zero-bit exponentiation result, so that the subsequent maximum exponentiation result 4¹⁵And the result of the zero bit exponentiation is 4^-1Multiplication to obtain 4¹⁴。

It can be understood that if half of the binary bit number of the current element is less than the number of the power operation exponents, it means that the binary number of the current element is more than 0, and at this time, if the power operation is directly performed based on the power operation base number and a plurality of power operation exponents, the multiplication times of subsequently performing multiplication on a plurality of sub-power operation results are certainly more than n/2, where n is the binary bit number of the current element; in the embodiment, because the zero-bit exponentiation results are necessarily less than n/2, and correspondingly, the multiplication times of the subsequent multiplication of the sub-exponentiation results are necessarily less than n/2, the ciphertext multiplication efficiency can be further improved.

Correspondingly, before the step of determining a pre-stored maximum power operation result based on the power operation base number and the binary bit number and determining a pre-stored plurality of zero-bit power operation results based on the binary number of the current element if half of the binary bit number is smaller than the number, the homomorphic encryption method further includes:

acquiring the maximum value of the plaintext scalar, and determining a negative digit sequence based on the bit number of the plaintext scalar, wherein the maximum value of the plaintext scalar is determined by the bit number of the plaintext scalar; performing an exponentiation based on the ciphertext data as an exponentiation base and the maximum value as an exponentiation exponent to obtain a maximum exponentiation result; performing exponentiation operation based on the ciphertext data serving as an exponentiation base number and the negative number digit sequence serving as an exponentiation exponent to obtain a plurality of zero-bit exponentiation results; and storing the maximum power operation result and the plurality of zero-bit power operation results so as to determine a pre-stored maximum power operation result based on the power operation base number and the binary digit, and determine a plurality of pre-stored zero-bit power operation results based on the binary number of the current element. That is, calculating

And storing the result as the maximum power operation result to calculate d^-1、d^-2、d^-3To d^-nAs a result of each zero-bit power operation, where d is the ciphertext data and n is the number of bits of the plaintext scalar.

It can be understood that, since the stored maximum power operation result and the zero-bit power operation result can be multiplexed, when the dimensionality of the plaintext scalar is higher, the plaintext scalar contains more plaintext elements, and the reusability is stronger, so that the embodiment has a higher benefit for improving the efficiency of the ciphertext multiplication operation, and has a higher practical value. Meanwhile, the number of binary digits of the ciphertext data serving as the base of the exponentiation and the element serving as the exponentiation exponent is often large, for example, 1024 bits or 2048 bits, so that the advantage that the stored maximum exponentiation result and the zero-bit exponentiation result are reusable is utilized, so that the benefit of improving the efficiency of the ciphertext multiplication operation in the embodiment is improved. Based on this, if the binary digit number of the ciphertext data or the current element is larger, the benefit of the embodiment for improving the ciphertext multiplication efficiency is larger.

Furthermore, it should be noted that, a plurality of sub-exponentiations are required to be multiplied subsequently to obtain an exponentiation result corresponding to an element, based on which, the product of the maximum exponentiation result and a plurality of zero-bit exponentiations is equal to the product of a plurality of sub-exponentiations obtained by exponentiations based on the power base and a plurality of exponentiation exponents, so that the maximum exponentiation result and the plurality of zero-bit exponentiations can be used as a plurality of sub-exponentiations, that is, one maximum exponentiation result corresponds to one sub-exponentiation result, one zero-bit exponentiation result corresponds to one sub-exponentiation result, and the number of the plurality of sub-exponentiations is one increased by the number of zero-bit exponentiations results.

For easy understanding, for example, if the base number of the power operation (ciphertext data) is 2, the binary bit number of the current element is 4, and the maximum power operation result is 2¹⁵If the binary number of the current element is 1110, the zero-bit exponentiation result is 2^-1And only one zero-bit exponentiation result, so that the subsequent maximum exponentiation result is 2¹⁵And the result of the zero bit exponentiation is 2^-1Multiplication to obtain 2¹⁴. Based on this, the exponentiations are 2, 4 and 8, and the sub-exponentiations are 2²、2⁴、2⁸Subsequently, a plurality of sub-power operation results 2²、2⁴、2⁸Multiplying to obtain 2¹⁴Therefore, the result of the number multiplication operation obtained by the above embodiment or the present embodiment is uniform。

Step A423, performing multiplication operation on the plurality of sub-power operation results to obtain a power operation result corresponding to the element;

in this embodiment, a plurality of sub-exponentiations are multiplied to obtain an exponentiation result corresponding to an element. Specifically, a plurality of sub-exponentiation results are sequentially multiplied to finally obtain an exponentiation result corresponding to an element.

It should be noted that, with reference to the formula obtained by the above analysis:

wherein d is ciphertext data, b is an element in the digit sequence, i represents the position of the current bit in the element b, n represents the bit number of the element b, b_iIs 1 or 0, if b_iIf the value of (b) is 1, the corresponding bit number is 1, and if b is_iA value of 0 represents that the corresponding bit number is 0. Based on this, it can be known that several sub-power operation results are obtained in the calculation

It also needs to operate on several sub-exponentiations

And performing multiplication to obtain a power operation result corresponding to an element.

Step A424, returning to the step of using a plurality of digits in the digit sequence as exponentiation indexes until each digit sequence is subjected to exponentiation;

in this embodiment, the step of returning to step a421 above, in which a plurality of digits in a digit sequence are used as exponentiation exponentiations, is performed until each digit sequence is subjected to exponentiation. It should be noted that, the above steps a422 and a423 are used for calculating the exponentiation result corresponding to an element, and the plaintext element sequence after subtraction includes several elements, each of which corresponds to a digit sequence, so that the step of calculating the exponentiation result corresponding to an element needs to be executed in a loop until each digit sequence is subjected to the exponentiation operation, and the corresponding exponentiation result is obtained.

In step a425, a plurality of exponentiation results are obtained based on the exponentiation result corresponding to each of the elements.

In the present embodiment, a plurality of exponentiation results are determined based on the exponentiation result corresponding to each element.

In this embodiment, compared with the prior art in which the elements in the sorted plaintext element sequence are directly used as exponentiation indexes to perform exponentiation, the present application performs decomposition of the preset scale on the elements, so that the number of bits used as exponentiation indexes is smaller than the original element used as exponentiation indexes, thereby reducing the computational complexity and further improving the efficiency of cryptographic number multiplication under homomorphic encryption.

Further, based on the first embodiment described above, a third embodiment of the homomorphic encryption method of the present application is proposed.

In this embodiment, the first device is a device participating in federal learning, and before the step S10, the homomorphic encryption method further includes:

and when receiving ciphertext data of second equipment participating in federated learning, acquiring a plaintext scalar to be sent by the first equipment, and acquiring ciphertext data multiplied by the plaintext scalar to obtain a logistic regression model. Specifically, when ciphertext data of the second device participating in federal learning is received, the ciphertext data is ciphertext data that needs to be subjected to multiplication. The ciphertext data is data obtained by homomorphic encryption of own plaintext data by the second device, and the plaintext data is data required to be sent and shared by the second device.

The first device participating in the federal learning may be a party participating in the federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator), among others. Accordingly, the second device participating in federal learning can also be a party participating in federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator). For example, the first device serves as a data application side, the second device serves as a data provider side, the second device performs homomorphic encryption on own plaintext data to obtain ciphertext data, then the second device sends the ciphertext data to the first device so that the first device receives the ciphertext data of the second device, and finally the first device performs number multiplication on the ciphertext data and the own plaintext data to obtain a number multiplication result.

It should be noted that the ciphertext data of the second device is obtained by performing homomorphic encryption on the plaintext data of the second device by the second device. In addition, the ciphertext data and the plaintext scalar are multiplied to obtain a homomorphism called scalar, namely, one plaintext is multiplied by one ciphertext to obtain one ciphertext. For example, the first device is the party a, the second device is the party B, and the data of the party B can be sent to the party a, because the data of the party B is the ciphertext, there is no risk in sending the data to the party a; the party A can calculate the data, and because the obtained result is still the ciphertext, the party A can be safely sent to the party B, and because the two parties both hold the public key, the data cannot be decrypted; of course, a coordinator party C can be added to the a party and the B party to perform a logistic regression operation to obtain a logistic regression model.

In one embodiment, the logistic regression model is as follows:

wherein, w^Tx is an intermediate parameter for federal learning, w^Tx is data that the first device needs to interact with the second device, e.g. w for the second device itself^Tx is set to u_ASecond device pair u_APerforming homomorphic encryption to obtain [ u ]_A]]And then the first device receives [ [ u ]_A]]And converts the ciphertext data [ [ u ]_A]]Operating with own plaintext data, e.g. w^Tx (set to u)_B)。

It should be noted that taylor expansion is performed on the loss function and the gradient, and polynomial approximation is performed, so that homomorphic encryption, that is, only number multiplication and addition and subtraction, is supported. It will be appreciated that the loss function and the gradient both comprise w in the logistic regression model^Tx, therefore, after the logistic regression model is constructed, model training, model prediction, and the like may be performed on the model of the first device and/or the second device. Specifically, the application of homomorphic encryption in federal learning is very wide, and the description is omitted here.

In some embodiments, the first device is a device participating in federal learning, and the step S10 includes:

step A11, receiving ciphertext data sent by a second device participating in federated learning, and obtaining a plaintext scalar to be sent by the first device, so as to multiply the plaintext scalar with the ciphertext data.

In this embodiment, ciphertext data sent by a second device participating in federated learning is received, and a plaintext scalar to be sent by a first device is obtained, so that multiplication operation is performed on the plaintext scalar and the ciphertext data. The first device participating in the federal learning may be a party participating in the federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator), among others. Accordingly, the second device participating in federal learning can also be a party participating in federal learning, i.e., a data party (data provider or data application party) or a collaborator (coordinator). For example, the first device serves as a data application side, the second device serves as a data provider side, the second device performs homomorphic encryption on own data to obtain ciphertext data, then the second device sends the ciphertext data to the first device so that the first device can receive the ciphertext data of the second device, and finally the first device performs multiplication operation on the ciphertext data and own plaintext data to obtain a ciphertext multiplication operation result.

In this embodiment, the homomorphic encryption method is applied to the scenario of federal learning to solve the operation bottleneck of calculating the product of ciphertext data and plaintext data in the logical regression of homomorphic encryption, and further solve the problem of too low operation efficiency of ciphertext number multiplication under homomorphic encryption in federal learning.

The present application further provides a computer-readable storage medium having stored thereon a homomorphic encryption program that, when executed by a processor, implements the steps of a homomorphic encryption method as described in any of the above embodiments.

The specific embodiment of the computer-readable storage medium of the present application is substantially the same as the embodiments of the homomorphic encryption method described above, and is not described herein again.

The present application further provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the homomorphic encryption method as described in any of the above embodiments.

The specific embodiment of the computer program product of the present application is substantially the same as the embodiments of the homomorphic encryption method described above, and is not described herein again.

It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.

The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.

Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present application may be substantially or partially embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.

The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.

Claims

1. A homomorphic encryption method, applied to a first device, comprising the steps of:

2. The homomorphic encryption method according to claim 1, wherein said step of performing exponentiation on said ciphertext data as a base of exponentiation and said subtracted plaintext element sequence as an exponentiation exponent to obtain a plurality of exponentiation results comprises:

3. The homomorphic encryption method according to claim 2, wherein said step of performing exponentiation on said ciphertext data as a base of exponentiation and each of said sequence of exponentiation bits to obtain a plurality of exponentiation results comprises:

4. The homomorphic encryption method of claim 1, wherein said step of obtaining ciphertext data and plaintext scalar that require multiplication further comprises:

5. The homomorphic encryption method of claim 1, wherein said step of obtaining ciphertext data and plaintext scalar that require multiplication further comprises:

6. The homomorphic encryption method of claim 1, wherein said step of multiplying each adjacent one of said plurality of power results by two to obtain a homomorphic encryption result further comprises:

7. The homomorphic encryption method of any one of claims 1 to 6, wherein the first device is a device participating in federal learning, and the step of obtaining a plaintext scalar to be sent by the first device and obtaining ciphertext data multiplied by the plaintext scalar comprises:

8. A homomorphic encryption device, characterized in that the homomorphic encryption device comprises: memory, a processor and a homomorphic encryption program stored on the memory and executable on the processor, the homomorphic encryption program when executed by the processor implementing the steps of the homomorphic encryption method of any of claims 1 to 7.

9. A computer-readable storage medium, having stored thereon a homomorphic encryption program that, when executed by a processor, implements the steps of the homomorphic encryption method of any one of claims 1-7.

10. A computer program product, characterized in that it comprises a computer program which, when being executed by a processor, implements the steps of the homomorphic encryption method according to any one of claims 1 to 7.