CN109412786B - Integer cipher text arithmetic operation method based on homomorphic encryption - Google Patents

Integer cipher text arithmetic operation method based on homomorphic encryption Download PDF

Info

Publication number
CN109412786B
CN109412786B CN201811355108.7A CN201811355108A CN109412786B CN 109412786 B CN109412786 B CN 109412786B CN 201811355108 A CN201811355108 A CN 201811355108A CN 109412786 B CN109412786 B CN 109412786B
Authority
CN
China
Prior art keywords
homomorphic
ciphertext
polynomial
calculation
complement
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811355108.7A
Other languages
Chinese (zh)
Other versions
CN109412786A (en
Inventor
拱长青
李梦飞
赵亮
戚晗
林娜
郭振洲
李席广
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenyang Aerospace University
Original Assignee
Shenyang Aerospace University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenyang Aerospace University filed Critical Shenyang Aerospace University
Priority to CN201811355108.7A priority Critical patent/CN109412786B/en
Publication of CN109412786A publication Critical patent/CN109412786A/en
Application granted granted Critical
Publication of CN109412786B publication Critical patent/CN109412786B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)

Abstract

本发明提供一种基于同态加密的整数密文算术运算的同态计算方法,包括求补同态计算、加法减法同态计算、乘法同态计算和除法同态计算。参考了计算机中二进制整数的求补、加减乘除运算规则,并将这个规则转换成只包含逻辑与、异或运算的布尔多项式。在乘法和除法中需要根据特殊位的信息做出不同的计算去修正最终计算的结果。因此我们修改了布尔多项式的形式,让其表示不同的运算结果,即布尔多项式包括本层全部的输入和互斥的计算分支。再将布尔多项式转换成能适用密文计算的同态多项式,并证明了同态多项式的安全性,符合语义安全的要求。实现了整数同态算术运算的多比特并行操作,改善同态运算的算法效率,减少降噪操作的频度,提升了运算效率。The present invention provides a homomorphic calculation method based on homomorphic encryption for integer ciphertext arithmetic operation, including complementary homomorphic calculation, addition and subtraction homomorphic calculation, multiplication homomorphic calculation and division homomorphic calculation. Referring to the rules of complement, addition, subtraction, multiplication and division of binary integers in the computer, this rule is converted into a Boolean polynomial that only contains logical AND and XOR operations. In multiplication and division, different calculations need to be made according to the information of special bits to correct the final calculation result. Therefore, we modify the form of the Boolean polynomial to express different operation results, that is, the Boolean polynomial includes all the inputs of this layer and mutually exclusive calculation branches. Then the Boolean polynomial is converted into a homomorphic polynomial suitable for ciphertext calculation, and the security of the homomorphic polynomial is proved, which meets the requirements of semantic security. The multi-bit parallel operation of integer homomorphic arithmetic operation is realized, the algorithm efficiency of homomorphic operation is improved, the frequency of noise reduction operation is reduced, and the operation efficiency is improved.

Description

一种基于同态加密的整数密文算术运算方法A Method of Integer Ciphertext Arithmetic Operation Based on Homomorphic Encryption

技术领域:Technical field:

本发明属于密码学技术领域,涉及一种基于同态加密的整数密文算术 运算方法。The invention belongs to the technical field of cryptography, and relates to an integer ciphertext arithmetic operation method based on homomorphic encryption.

背景技术:Background technique:

本专利涉及的密文算术运算是基于同态加密的整数密文算数运算。这 种同态计算的优点是在密文中可实现明文空间中的相关运算,对得到的密 文计算结果解密后,恰可得到明文做相应运算的正确结果。下面将介绍算 术运算同态计算的一些相关方案。The ciphertext arithmetic operation involved in this patent is an integer ciphertext arithmetic operation based on homomorphic encryption. The advantage of this homomorphic calculation is that the correlation operation in the plaintext space can be realized in the ciphertext, and after decrypting the obtained ciphertext calculation result, the correct result of the corresponding operation in the plaintext can be obtained. In the following, some related schemes for homomorphic computation of arithmetic operations will be introduced.

Gentry等人提出了一个复杂电路的同态计算,通过使用BGV方案,实 现一个完整的AES-128位的同态计算。该方案使用批处理技术、密钥转换 和模数转换技术,以获得有效的分层实现。Chen Y.等人提出了一种基于BGV 方案的密文整数算法和同态数据聚合算法。该方案利用Helib同态加密运 算库实现无符号整数的同态加、减、乘、除运算。然而,这些方案没有优 化整数算法在密文中的自举和模转换操作,实验结果存在局限性。Gentry et al. proposed a homomorphic calculation of a complex circuit, by using the BGV scheme, to achieve a complete AES-128-bit homomorphic calculation. The scheme uses batching techniques, key conversion and analog-to-digital conversion techniques for an efficient hierarchical implementation. Chen Y. et al. proposed a ciphertext integer algorithm and homomorphic data aggregation algorithm based on BGV scheme. The scheme uses the Helib homomorphic encryption operation library to realize the homomorphic addition, subtraction, multiplication and division of unsigned integers. However, these schemes do not optimize the bootstrapping and modulo conversion operations of integer algorithms in ciphertext, and the experimental results are limited.

Gentry等人从2009年起提出一系列全同态加密方案,包括理想格上的 同态加密、整数上的同态加密,以及基于LWE的更简单快速的RLWE全同态 加密方法等等。这些同态加密方案的密文运算涉及噪音,噪音超过一定的 上限会使解密失败。因而必须频繁进行降噪算法,每进行一次加法或乘法 运算,都需要对其输入的密文运行降噪算法,从而保证其运算过程的全同 态特性。这种频繁的降噪操作,极大地降低了算法的运行效率,削弱了同 态加密方案的实用性。Gentry et al. proposed a series of fully homomorphic encryption schemes since 2009, including homomorphic encryption on ideal lattices, homomorphic encryption on integers, and a simpler and faster RLWE fully homomorphic encryption method based on LWE, etc. The ciphertext operations of these homomorphic encryption schemes involve noise, and if the noise exceeds a certain upper limit, decryption will fail. Therefore, the noise reduction algorithm must be carried out frequently. Every time an addition or multiplication operation is performed, the noise reduction algorithm needs to be run on the input ciphertext, so as to ensure the fully homomorphic characteristics of the operation process. This frequent noise reduction operation greatly reduces the operating efficiency of the algorithm and weakens the practicability of the homomorphic encryption scheme.

发明内容:Invention content:

鉴于上述同态加密密文算术运算存在的问题,本发明构造了一种整数 算数运算的同态计算方案,该方案包括补码运算的同态计算、加法运算的 同态计算、减法运算的同态计算、乘法运算的同态计算和除法运算的同态 计算。我们提出的方法不再局限于某一位明文对应的密文之间的操作,而 可以实现多个密文序列之间,即多个密文向量间的操作。不仅如此,本方 案还在一定程度上优化了运算流程,能够减少降噪操作的频度,提升算法效率。In view of the problems existing in the above-mentioned homomorphic encryption ciphertext arithmetic operation, the present invention constructs a homomorphic calculation scheme for integer arithmetic operation, which includes the homomorphic calculation of complement operation, the homomorphic calculation of addition operation, and the homomorphic calculation of subtraction operation. Homomorphic computation for multiplication, homomorphic computation for division, and homomorphic computation for division. The method we propose is no longer limited to the operation between ciphertexts corresponding to a certain plaintext, but can realize operations between multiple ciphertext sequences, that is, between multiple ciphertext vectors. Not only that, this solution also optimizes the operation process to a certain extent, which can reduce the frequency of noise reduction operations and improve the efficiency of the algorithm.

本发明的技术特点及有益效果:Technical characteristics and beneficial effects of the present invention:

我们参考了计算机中二进制整数的求补、加、减、乘、除运算规则, 并将这个规则转换成只包含逻辑与、异或运算的布尔多项式。在乘法和除 法中需要根据特殊位的信息做出不同的计算、去修正最终计算的结果;因 此,我们修改了布尔多项式的形式,让其表示不同的运算结果,即布尔多 项式包括本层全部的输入和互斥的计算分支;然后将布尔多项式转换成能 够适用于密文计算的同态多项式。本方案中的同态多项式经过安全性论证, 符合语义安全的要求。We refer to the rules of complement, addition, subtraction, multiplication, and division of binary integers in the computer, and convert this rule into a Boolean polynomial that only contains logical AND and XOR operations. In multiplication and division, different calculations need to be made according to the information of special bits to correct the final calculation result; therefore, we modify the form of the Boolean polynomial to express different operation results, that is, the Boolean polynomial includes all the Input and mutually exclusive computation branches; then transform the Boolean polynomial into a homomorphic polynomial suitable for ciphertext computation. The homomorphic polynomial in this scheme has been proved by security and meets the requirements of semantic security.

本方案实现了整数同态算术运算的多比特并行操作,改善了同态运算 的算法效率;本方案优化了相关的同态运算流程,能够减少降噪操作的频 度,提升了运算效率。This scheme realizes the multi-bit parallel operation of integer homomorphic arithmetic operation, and improves the algorithm efficiency of homomorphic operation; this scheme optimizes the related homomorphic operation process, which can reduce the frequency of noise reduction operation and improve the operation efficiency.

本发明方案可用于电子计票、密文检索、加密机器学习等领域。The solution of the invention can be used in the fields of electronic vote counting, ciphertext retrieval, encrypted machine learning and the like.

具体实施方式:Detailed ways:

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合实施 例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例 仅仅用以解释本发明,并不用于限定本发明。In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

本分发明提供了一种基于同态加密的整数密文算术运算方法,将传统 计算设备中的算法转换到密文情况下进行的密文算术运算,包括,补码运 算的同态计算、加法运算的同态计算、减法运算的同态计算、乘法运算的 同态计算和除法运算的同态计算,具体如下:The present invention provides an integer ciphertext arithmetic operation method based on homomorphic encryption, which converts an algorithm in a traditional computing device into an ciphertext arithmetic operation performed under the condition of ciphertext, including homomorphic calculation of complement arithmetic, addition The homomorphic calculation of operation, the homomorphic calculation of subtraction operation, the homomorphic calculation of multiplication operation and the homomorphic calculation of division operation are as follows:

在CPU的算术运算单元中,二进制的加、减、乘、除运算是通过补码 的加法和移位实现的。简单的一位全加器可以通过

Figure BDA0001865875860000031
(逻辑异或)求和,用 ∧(逻辑与)求进位。在下面介绍的二进制整数运算都会以
Figure BDA0001865875860000032
Figure BDA0001865875860000033
作 为输入,都为补码,
Figure BDA0001865875860000034
Figure BDA0001865875860000035
Figure BDA0001865875860000036
Figure BDA0001865875860000037
原码的负数的补码。我们用密文向量
Figure BDA0001865875860000038
表示加密后的
Figure BDA0001865875860000039
其中ai=Enc(ai),0≤i≤n,
Figure BDA00018658758600000310
表示加密后的
Figure BDA00018658758600000311
其中
Figure BDA00018658758600000312
密文 向量
Figure BDA00018658758600000313
表示加密后的
Figure BDA00018658758600000314
Figure BDA00018658758600000315
密文向 量
Figure BDA00018658758600000316
表示加密后的
Figure BDA00018658758600000317
其中
Figure BDA00018658758600000318
Figure BDA00018658758600000319
and
Figure BDA00018658758600000323
是证书算数运算的同态计算的输入。n足够大,我们不考虑 运算之间的溢出。In the arithmetic operation unit of the CPU, the binary addition, subtraction, multiplication, and division operations are realized by addition and shifting of complement. A simple one-bit full adder can be
Figure BDA0001865875860000031
(logical XOR) sum, use ∧ (logical AND) for carry. The binary integer operations described below will all start with
Figure BDA0001865875860000032
and
Figure BDA0001865875860000033
as input, both complement,
Figure BDA0001865875860000034
and
Figure BDA0001865875860000035
Yes
Figure BDA0001865875860000036
and
Figure BDA0001865875860000037
The complement of the negative number of the original code. We use the ciphertext vector
Figure BDA0001865875860000038
means encrypted
Figure BDA0001865875860000039
where a i =Enc(a i ), 0≤i≤n,
Figure BDA00018658758600000310
means encrypted
Figure BDA00018658758600000311
in
Figure BDA00018658758600000312
Ciphertext vector
Figure BDA00018658758600000313
means encrypted
Figure BDA00018658758600000314
Figure BDA00018658758600000315
Ciphertext vector
Figure BDA00018658758600000316
means encrypted
Figure BDA00018658758600000317
in
Figure BDA00018658758600000318
Figure BDA00018658758600000319
and
Figure BDA00018658758600000323
is the input to the homomorphic computation of certificate arithmetic operations. n is large enough that we do not consider overflow between operations.

(1)补码运算的同态计算(1) Homomorphic calculation of complement operation

原码到补码的转换规则是,如果原码是正数,原码与补码相同,如果 原码是负数,将原码的最高位记为符号位置1,最高位之后的有效位取反, 然后加1。假设一个二进制整数原码

Figure BDA00018658758600000320
最高位an为符号位, an-1…a0为有效位(为了方便表示,下文仍然用
Figure BDA00018658758600000321
Figure BDA00018658758600000322
表示二进制整数的 补码,即用
Figure BDA0001865875860000041
Figure BDA0001865875860000042
表示运算的输入),默认 初始进位c-1=0,那么求二进制的补码
Figure BDA0001865875860000043
的迭代公式:The conversion rule of the original code to the complement code is that if the original code is a positive number, the original code is the same as the complement code. If the original code is a negative number, the highest bit of the original code is recorded as the symbol position 1, and the significant bits after the highest bit are inverted. Then add 1. Assume a binary integer source code
Figure BDA00018658758600000320
The highest bit an is the sign bit, and a n -1 ...a 0 is the significant bit (for convenience of representation, the following is still used
Figure BDA00018658758600000321
and
Figure BDA00018658758600000322
Represents the complement of a binary integer, i.e.
Figure BDA0001865875860000041
and
Figure BDA0001865875860000042
Indicates the input of the operation), the default initial carry c -1 = 0, then find the two's complement
Figure BDA0001865875860000043
The iterative formula of :

Figure BDA0001865875860000044
Figure BDA0001865875860000044

上述公式中ci=ai∨ci-1,在同态加密中只有逻辑异或

Figure BDA0001865875860000045
的同态运算 (加法同态)和逻辑与∧的同态运算(乘法同态)。因此ci的迭代公式转换成 只有异或
Figure BDA0001865875860000046
和与∧的公式,转换成的迭代公式为
Figure BDA0001865875860000047
Figure BDA0001865875860000048
由于c-1=0,ci可以表示为如下多项式:In the above formula, c i =a i ∨c i-1 , in homomorphic encryption there is only logical XOR
Figure BDA0001865875860000045
The homomorphic operation (additive homomorphism) and the homomorphic operation of logical AND ∧ (multiplicative homomorphism). So the iterative formula for c i converts to only XOR
Figure BDA0001865875860000046
The formula of sum and ∧ is converted into iterative formula as
Figure BDA0001865875860000047
Figure BDA0001865875860000048
Since c -1 = 0, c i can be expressed as the following polynomial:

Figure BDA0001865875860000049
Figure BDA0001865875860000049

其中

Figure BDA00018658758600000410
集合,
Figure BDA00018658758600000411
是子集的长度。我们用密文向量
Figure BDA00018658758600000412
表示加密后的
Figure BDA00018658758600000413
其中αi=Enc(ai),0≤i≤n-1, αn=Enc(e)。求补的同态多项式可以写成:in
Figure BDA00018658758600000410
gather,
Figure BDA00018658758600000411
is the length of the subset. We use the ciphertext vector
Figure BDA00018658758600000412
means encrypted
Figure BDA00018658758600000413
where α i =Enc(a i ), 0≤i≤n-1, α n =Enc(e). The complementary homomorphic polynomial can be written as:

Figure BDA00018658758600000414
Figure BDA00018658758600000414

其中x0是同态加密中一个最大的奇数公钥。

Figure BDA00018658758600000415
是求补同态多项式产生的密文 进位,满足
Figure BDA00018658758600000416
表示求得的密文补码,满足
Figure BDA00018658758600000417
where x 0 is one of the largest odd public keys in homomorphic encryption.
Figure BDA00018658758600000415
is the ciphertext carry generated by the complementary homomorphic polynomial, satisfying
Figure BDA00018658758600000416
Indicates the complement of the obtained ciphertext, satisfying
Figure BDA00018658758600000417

(2)加法和减法运算的同态计算(2) Homomorphic calculation of addition and subtraction operations

二进补码加法运算从低位到高位依次计算结果和进位,把进位加到高 位的结果上,不断迭代可以求得补码加法的结果。假设二进制整数补码

Figure BDA00018658758600000418
Figure BDA00018658758600000419
an
Figure BDA00018658758600000420
Figure BDA00018658758600000421
Figure BDA00018658758600000422
的符号位。初始进 位为c-1=0,求得的和为
Figure BDA0001865875860000051
那么每一位的和
Figure BDA0001865875860000052
和 进位可以写成如下布尔迭代公式:The two's complement addition operation calculates the result and the carry from the low order to the high order, and adds the carry to the result of the high order. The result of the two's complement addition can be obtained by continuous iteration. Assume two's complement integer
Figure BDA00018658758600000418
and
Figure BDA00018658758600000419
an and
Figure BDA00018658758600000420
for
Figure BDA00018658758600000421
and
Figure BDA00018658758600000422
sign bit. The initial carry is c -1 = 0, and the obtained sum is
Figure BDA0001865875860000051
Then the sum of each
Figure BDA0001865875860000052
The sum and carry can be written as the following Boolean iteration formula:

Figure BDA0001865875860000053
Figure BDA0001865875860000053

转换成密文下的加法同态多项式:Converted to an additive homomorphic polynomial in the ciphertext:

Figure BDA0001865875860000054
Figure BDA0001865875860000054

其中

Figure BDA00018658758600000529
是在密文同态多项式运算过程中产生的密文进位,满足
Figure BDA0001865875860000055
初始进位为
Figure BDA0001865875860000056
为密文同态多项式产生的第i位的密文和,最终 得到的结果为
Figure BDA0001865875860000057
满足
Figure BDA0001865875860000058
in
Figure BDA00018658758600000529
is the ciphertext carry generated during the ciphertext homomorphic polynomial operation, satisfying
Figure BDA0001865875860000055
The initial carry is
Figure BDA0001865875860000056
is the ciphertext sum of the i-th bit generated by the ciphertext homomorphic polynomial, and the final result is
Figure BDA0001865875860000057
Satisfy
Figure BDA0001865875860000058

二进制减法运算是通过加法运算得到的,假设有一个二进制整数补码

Figure BDA0001865875860000059
Figure BDA00018658758600000510
an
Figure BDA00018658758600000511
Figure BDA00018658758600000512
Figure BDA00018658758600000513
的符号位。计算
Figure BDA00018658758600000514
转换成
Figure BDA00018658758600000515
(此处的右上角的*表示
Figure BDA00018658758600000516
的two’s complement,即
Figure BDA00018658758600000517
取负数以后的补码),利用加法计算。求
Figure BDA00018658758600000518
即用求补电路计算
Figure BDA00018658758600000519
位,得到
Figure BDA00018658758600000520
再把符号位
Figure BDA00018658758600000521
取反,即
Figure BDA00018658758600000522
因 此,减法操作与加法操作有相同的公式和计算次数。因此,密文下减法同 态计算只需要用加法
Figure BDA00018658758600000523
即可求出结果。A binary subtraction operation is obtained by an addition operation, assuming a two's complement integer
Figure BDA0001865875860000059
and
Figure BDA00018658758600000510
an and
Figure BDA00018658758600000511
for
Figure BDA00018658758600000512
and
Figure BDA00018658758600000513
sign bit. calculate
Figure BDA00018658758600000514
convert to
Figure BDA00018658758600000515
(The * in the upper right corner here means
Figure BDA00018658758600000516
the two's complement of
Figure BDA00018658758600000517
Take the complement after the negative number), and use addition to calculate. beg
Figure BDA00018658758600000518
Complementary circuit calculation
Figure BDA00018658758600000519
bit, get
Figure BDA00018658758600000520
the sign bit
Figure BDA00018658758600000521
negate, that is
Figure BDA00018658758600000522
Therefore, the subtraction operation has the same formula and number of calculations as the addition operation. Therefore, the subtractive homomorphic calculation under the ciphertext only needs to use addition
Figure BDA00018658758600000523
The result can be obtained.

(3)乘法运算的同态计算(3) Homomorphic calculation of multiplication operation

乘法计算是基于Booth′s算法完成的。该算法将两个有符号数乘以二进 制补码表示法。设置被乘数

Figure BDA00018658758600000524
和乘数
Figure BDA00018658758600000525
Booth的算法检查乘数
Figure BDA00018658758600000526
的相邻比 特对的有符号二进制补码表示,包括低于最低有效位的隐含位,
Figure BDA00018658758600000527
我们用
Figure BDA00018658758600000528
表示累加器。乘法运算的基本算法步骤:The multiplication calculation is done based on Booth's algorithm. This algorithm multiplies two signed numbers in two's complement notation. set multiplicand
Figure BDA00018658758600000524
and multiplier
Figure BDA00018658758600000525
Booth's algorithm to check the multiplier
Figure BDA00018658758600000526
The signed two's complement representation of adjacent bit pairs of , including the implied bits below the least significant bit,
Figure BDA00018658758600000527
we use
Figure BDA00018658758600000528
Represents an accumulator. The basic algorithm steps of the multiplication operation:

1.初始化

Figure BDA0001865875860000061
Figure BDA0001865875860000062
的值。1. Initialization
Figure BDA0001865875860000061
and
Figure BDA0001865875860000062
value of .

·

Figure BDA0001865875860000063
算术左移(n+1)位。
Figure BDA0001865875860000064
·
Figure BDA0001865875860000063
Arithmetic shift left by (n+1) bits.
Figure BDA0001865875860000064

·

Figure BDA0001865875860000065
算术左移(n+1)位。
Figure BDA0001865875860000066
·
Figure BDA0001865875860000065
Arithmetic shift left by (n+1) bits.
Figure BDA0001865875860000066

·

Figure BDA0001865875860000067
用0填充最高有效n位。右边部分用
Figure BDA0001865875860000068
填充。最后LSB填充 为0。
Figure BDA0001865875860000069
·
Figure BDA0001865875860000067
Pad the most significant n bits with 0s. right part
Figure BDA0001865875860000068
filling. The last LSB is padded with 0.
Figure BDA0001865875860000069

2.

Figure BDA00018658758600000610
的最低的2位用来决定累加器
Figure BDA00018658758600000611
的运算方式。2.
Figure BDA00018658758600000610
The least significant 2 bits are used to determine the accumulator
Figure BDA00018658758600000611
operation method.

·如果

Figure BDA00018658758600000612
算术右移1位。·if
Figure BDA00018658758600000612
Arithmetic shift right by 1 bit.

·如果

Figure BDA00018658758600000613
算术右移1位。·if
Figure BDA00018658758600000613
Arithmetic shift right by 1 bit.

·如果

Figure BDA00018658758600000614
算术右移1位。·if
Figure BDA00018658758600000614
Arithmetic shift right by 1 bit.

重复第二步n-1次.删除

Figure BDA00018658758600000615
的最低有效位。根据第二步提到的技术,我们可 以总结一个判断选择布尔多项式:Repeat the second step n-1 times. Delete
Figure BDA00018658758600000615
the least significant bit of . According to the technique mentioned in the second step, we can summarize a judgment selection Boolean polynomial:

Figure BDA00018658758600000616
Figure BDA00018658758600000616

使用

Figure BDA00018658758600000617
表示每一步的累加器
Figure BDA00018658758600000618
乘法运算的布尔公式如下所示:use
Figure BDA00018658758600000617
Accumulator representing each step
Figure BDA00018658758600000618
The Boolean formula for multiplication is as follows:

Figure BDA00018658758600000619
Figure BDA00018658758600000619

其中>>算术右移。我们使用加法同态合成法同态转换以上的布尔公式到同 态多项式:Where >> Arithmetic right shift. We use additive homomorphism to homomorphically convert the above Boolean formula to a homomorphic polynomial:

Figure BDA00018658758600000620
Figure BDA00018658758600000620

Figure BDA00018658758600000621
Figure BDA00018658758600000622
表示
Figure BDA00018658758600000623
Figure BDA00018658758600000624
的密文向量,r=<r0,…,rn-1>是噪音向量,
Figure BDA00018658758600000625
Figure BDA00018658758600000626
乘法运算的同态多项式为:
Figure BDA00018658758600000621
and
Figure BDA00018658758600000622
express
Figure BDA00018658758600000623
and
Figure BDA00018658758600000624
The ciphertext vector of , r=<r 0 , ..., r n-1 > is the noise vector,
Figure BDA00018658758600000625
Figure BDA00018658758600000626
The homomorphic polynomial for the multiplication operation is:

Figure BDA00018658758600000627
Figure BDA00018658758600000627

其中~>>表示密文向量右移,当

Figure BDA0001865875860000071
右移一个密文槽,
Figure BDA0001865875860000072
的最高有效 分量被填充为原始的最高有效分量。最终的
Figure BDA0001865875860000073
有效的密文结果乘积。where ~>> means the ciphertext vector is shifted to the right, when
Figure BDA0001865875860000071
Shift right one ciphertext slot,
Figure BDA0001865875860000072
The most significant component of is padded with the original most significant component. final
Figure BDA0001865875860000073
Product of valid ciphertext results.

(4)除法运算的同态计算(4) Homomorphic calculation of division operation

除法是最复杂的基本算术运算。对于使用加法器电路进行算术运算的 简单计算机来说,使用传统的长除法(称为非还原除法)的变种提供了更简 单和更快的速度。该方法只需要对每个商位进行一次决策和加减法运算, 减减后不需要恢复步长。我们设置被除数

Figure BDA0001865875860000074
和除数
Figure BDA0001865875860000075
Figure BDA0001865875860000076
的Two’s Complement,
Figure BDA0001865875860000077
是余数,
Figure BDA0001865875860000078
是商。具体算法如下所示Division is the most complex basic arithmetic operation. For simple computers that use adder circuits for arithmetic operations, a variant that uses traditional long division (called nonreductive division) provides simpler and faster speed. This method only needs to perform one decision and addition and subtraction operations for each quotient, and does not need to restore the step size after subtraction and subtraction. We set the dividend
Figure BDA0001865875860000074
and divisor
Figure BDA0001865875860000075
Yes
Figure BDA0001865875860000076
Two's Complement,
Figure BDA0001865875860000077
is the remainder,
Figure BDA0001865875860000078
is a business. The specific algorithm is as follows

1.初始化

Figure BDA0001865875860000079
Figure BDA00018658758600000710
的值。1. Initialization
Figure BDA0001865875860000079
and
Figure BDA00018658758600000710
value of .

·

Figure BDA00018658758600000711
算术左移n位。
Figure BDA00018658758600000712
·
Figure BDA00018658758600000711
Arithmetic shift left by n bits.
Figure BDA00018658758600000712

·

Figure BDA00018658758600000713
算术左移n位。
Figure BDA00018658758600000714
·
Figure BDA00018658758600000713
Arithmetic shift left by n bits.
Figure BDA00018658758600000714

·

Figure BDA00018658758600000715
算术右移n位。
Figure BDA00018658758600000716
·
Figure BDA00018658758600000715
Arithmetic shift right n bits.
Figure BDA00018658758600000716

·

Figure BDA00018658758600000717
填充n个0。·
Figure BDA00018658758600000717
Fill n zeros.

2.根据

Figure BDA00018658758600000718
的最低有效位执行下面的操作。2. According to
Figure BDA00018658758600000718
The least significant bits perform the following operations.

·如果

Figure BDA00018658758600000719
用1填充
Figure BDA00018658758600000720
的最低有效位,逻辑左移1位。·if
Figure BDA00018658758600000719
fill with 1
Figure BDA00018658758600000720
The least significant bit of , logically shifted left by 1 bit.

Figure BDA00018658758600000721
Figure BDA00018658758600000721

·如果

Figure BDA00018658758600000722
用0填充
Figure BDA00018658758600000723
的最低有效位,逻辑左移1位。·if
Figure BDA00018658758600000722
pad with 0
Figure BDA00018658758600000723
The least significant bit of , logically shifted left by 1 bit.

Figure BDA00018658758600000724
Figure BDA00018658758600000724

3.重复第二部n-1次。3. Repeat the second part n-1 times.

4.转换

Figure BDA00018658758600000725
(假设
Figure BDA00018658758600000726
)。4. Convert
Figure BDA00018658758600000725
(assuming
Figure BDA00018658758600000726
).

·

Figure BDA00018658758600000727
·
Figure BDA00018658758600000727

·取反

Figure BDA00018658758600000728
·Negate
Figure BDA00018658758600000728

·求差

Figure BDA00018658758600000729
·Seeking difference
Figure BDA00018658758600000729

5.最终的余数

Figure BDA0001865875860000081
商位奇数,余数
Figure BDA0001865875860000082
的范围是
Figure BDA0001865875860000083
如 果余数是负数,需要做一次余数转换:
Figure BDA0001865875860000084
Figure BDA0001865875860000085
根据以上的算法我们可以写出除法的Boolean判断多项式(JCBP)5. The final remainder
Figure BDA0001865875860000081
Quotient odd, remainder
Figure BDA0001865875860000082
The range is
Figure BDA0001865875860000083
If the remainder is negative, a remainder conversion is required:
Figure BDA0001865875860000084
and
Figure BDA0001865875860000085
According to the above algorithm, we can write the Boolean judgment polynomial of division (JCBP)

Figure BDA0001865875860000086
Figure BDA0001865875860000086

使用

Figure BDA0001865875860000087
表示每次迭代余数的中间结果,除法的布尔多项式为:use
Figure BDA0001865875860000087
Representing the intermediate result of the remainder of each iteration, the Boolean polynomial for division is:

Figure BDA0001865875860000088
Figure BDA0001865875860000088

其中

Figure BDA0001865875860000089
Figure BDA00018658758600000810
的最低有效位,最后执行校正
Figure BDA00018658758600000811
Figure BDA00018658758600000812
我们转换除法的Boolean判断多项式到同态多项式为:in
Figure BDA0001865875860000089
Yes
Figure BDA00018658758600000810
LSB of the least significant bit, the correction is performed last
Figure BDA00018658758600000811
and
Figure BDA00018658758600000812
We convert the Boolean judgment polynomial of division to a homomorphic polynomial as:

Figure BDA00018658758600000813
Figure BDA00018658758600000813

其中

Figure BDA00018658758600000814
Figure BDA00018658758600000815
表示
Figure BDA00018658758600000816
Figure BDA00018658758600000817
的密文向量。除法的同态多项式为:in
Figure BDA00018658758600000814
and
Figure BDA00018658758600000815
express
Figure BDA00018658758600000816
and
Figure BDA00018658758600000817
ciphertext vector. The homomorphic polynomial for division is:

Figure BDA00018658758600000818
Figure BDA00018658758600000818

其中

Figure BDA00018658758600000819
表示
Figure BDA00018658758600000820
的密文向量,
Figure BDA00018658758600000821
表示
Figure BDA00018658758600000822
的 密文向量,
Figure BDA00018658758600000823
运算表示
Figure BDA00018658758600000824
最终,我们 校正密文向量
Figure BDA00018658758600000825
Figure BDA00018658758600000826
in
Figure BDA00018658758600000819
express
Figure BDA00018658758600000820
ciphertext vector,
Figure BDA00018658758600000821
express
Figure BDA00018658758600000822
ciphertext vector,
Figure BDA00018658758600000823
Operational representation
Figure BDA00018658758600000824
Finally, we correct the ciphertext vector
Figure BDA00018658758600000825
and
Figure BDA00018658758600000826

Figure BDA00018658758600000827
Figure BDA00018658758600000827

Figure BDA00018658758600000828
Figure BDA00018658758600000829
为除法同态运算最终的密文结果。
Figure BDA00018658758600000828
and
Figure BDA00018658758600000829
The final ciphertext result for the division homomorphic operation.

本发明的安全性:Safety of the present invention:

整数算术运算的同态计算时是构建在DGHV及其变种上,因此其安全性 依赖于加密算法本身。在DGHV原始方案中,其安全性依赖于近似GCD困难 性假设保证了,单纯依靠因数分解很难直接从公钥恢复出私钥。以及增强 解密电路,保证密文结果不会泄露乘法或者加法的运算次数。加密电路对 明文的重新随机化掩盖了明文的信息。并通过哈希剩余引理证明的电路的 隐私性。之后对原始整数同态加密的改进方案,也同时继承了这一安全性。在整数基本运算同态运算中,求补运算的输入是经过对整数的原码加密的 密文

Figure BDA0001865875860000091
和初始进位的密文
Figure BDA0001865875860000092
加密算法本身的安全性保 证了加密后的每一个密文都无限接近于均匀分布(哈希剩余引理),唯一可 能泄露明文信息的是初始进位
Figure BDA0001865875860000093
根据加密电路,包含的三个部 分,明文部分、公钥随机子序列、随机噪音三个部分。随机噪音部分保证 了密文中的噪音是随机的,公钥随机子序列保证了密文除以密钥所得的商 的随机性。这两部分的随机性保证了密文的随机性。因此即使知道了
Figure BDA0001865875860000094
是0的密文,也无法从其中找出任何关于密钥的任何信息。在求补运算过程中, 是通过不断迭代运算,i-1位运算的进位
Figure BDA0001865875860000095
作为求解i位补码其中一个输 入
Figure BDA0001865875860000096
每一个输入的密文都参与了计算,即每个 密文被计算的概率都相同,因此计算过程中,密文的输入或者密文产生的 中间结果不会泄露任何信息。同样整数加法和减法同态计算与整数求补同 态计算类似(整数密文求补是特殊的整数密文加法运算),因此具有相同 的安全性。The homomorphic calculation of integer arithmetic operations is built on DGHV and its variants, so its security depends on the encryption algorithm itself. In the original DGHV scheme, its security depends on the assumption of approximate GCD difficulty, and it is difficult to directly recover the private key from the public key by simply relying on factorization. And enhance the decryption circuit to ensure that the ciphertext result will not reveal the number of operations of multiplication or addition. The re-randomization of the plaintext by the encryption circuit masks the information of the plaintext. And the privacy of the circuit proved by the Hash Remainder Lemma. Later improvements to the original integer homomorphic encryption also inherited this security. In the homomorphic operation of the basic operation of integers, the input of the complement operation is the ciphertext encrypted by the original code of the integer.
Figure BDA0001865875860000091
and the ciphertext of the initial carry
Figure BDA0001865875860000092
The security of the encryption algorithm itself ensures that each encrypted ciphertext is infinitely close to a uniform distribution (hash residual lemma), and the only thing that may leak the plaintext information is the initial carry
Figure BDA0001865875860000093
According to the encryption circuit, it consists of three parts, the plaintext part, the public key random subsequence, and the random noise. The random noise part ensures that the noise in the ciphertext is random, and the random subsequence of the public key ensures the randomness of the quotient obtained by dividing the ciphertext by the key. The randomness of these two parts ensures the randomness of the ciphertext. So even knowing
Figure BDA0001865875860000094
is the ciphertext of 0, and no information about the key can be found from it. In the process of the complement operation, it is through continuous iterative operation, the carry of the i-1 bit operation
Figure BDA0001865875860000095
as one of the inputs to solve for i-bit complement
Figure BDA0001865875860000096
Each input ciphertext participates in the calculation, that is, the probability of each ciphertext being calculated is the same, so during the calculation process, the input of the ciphertext or the intermediate result generated by the ciphertext will not reveal any information. Similarly, the homomorphic computation of integer addition and subtraction is similar to the homomorphic computation of integer complement (integer ciphertext complement is a special integer ciphertext addition operation), so it has the same security.

整数乘法同态计算过程涉及到了求补同态计算,加法同态计算。但是 并不表示整数乘法同态计算不会泄露任何信息。因为在乘法计算过程中需 要判断移位后的部分积

Figure BDA0001865875860000101
与被乘数
Figure BDA0001865875860000102
还是
Figure BDA0001865875860000103
相加。存在判断的过 程是否是安全的是我们分析的重点。判断密文使用密文向量
Figure BDA0001865875860000104
加上附加位 Enc(0)之后的最后两个密文
Figure BDA0001865875860000105
Figure BDA0001865875860000106
作为判断依据。像密文求补一样,我们 知道乘数密文附加位
Figure BDA0001865875860000107
的密文,但是同样不会泄露信息。那么在 密文状态下判断最后密文过程中使用的公式(8),该公式的
Figure BDA0001865875860000108
的加 法同态隐藏了
Figure BDA0001865875860000109
的信息,
Figure BDA00018658758600001010
隐藏了与部分积
Figure BDA00018658758600001011
相加的是
Figure BDA00018658758600001012
还是
Figure BDA00018658758600001013
在这个过程中,不会泄露乘数
Figure BDA00018658758600001014
最后两位
Figure BDA00018658758600001015
的明文信息,我们 用2r,给运算的结果添加扰动,用模x0抹除运算过程中留下的痕迹。因为
Figure BDA00018658758600001016
Figure BDA00018658758600001017
都在参与了运算,每一个选择计算的分支也同时被计算,因 此被计算的概率相同,不会因为计算过程的偏好泄露信息。The process of integer multiplication homomorphic calculation involves complementary homomorphic calculation and addition homomorphic calculation. But that doesn't mean that the integer multiplication homomorphic computation doesn't leak any information. Because in the multiplication process, it is necessary to judge the shifted partial product
Figure BDA0001865875860000101
with the multiplicand
Figure BDA0001865875860000102
still
Figure BDA0001865875860000103
add up. Whether the process of existential judgment is safe is the focus of our analysis. Judging ciphertext using ciphertext vector
Figure BDA0001865875860000104
Add the last two ciphertexts after the additional bit Enc(0)
Figure BDA0001865875860000105
and
Figure BDA0001865875860000106
as a basis for judgment. Like ciphertext complement, we know that the multiplier ciphertext has additional bits
Figure BDA0001865875860000107
ciphertext, but also does not reveal information. Then in the ciphertext state, the formula (8) used in the process of judging the final ciphertext, the formula
Figure BDA0001865875860000108
The additive homomorphism of is hidden
Figure BDA0001865875860000109
Information,
Figure BDA00018658758600001010
hidden and partial product
Figure BDA00018658758600001011
adding up is
Figure BDA00018658758600001012
still
Figure BDA00018658758600001013
In the process, the multiplier is not leaked
Figure BDA00018658758600001014
last two
Figure BDA00018658758600001015
The plaintext information of , we use 2r to add disturbance to the result of the operation, and use modulo x 0 to erase the traces left in the operation process. because
Figure BDA00018658758600001016
and
Figure BDA00018658758600001017
All are participating in the calculation, and each branch selected for calculation is also calculated at the same time, so the probability of being calculated is the same, and information will not be leaked due to the preference of the calculation process.

我们定义一个窃听不可区分性试验

Figure BDA00018658758600001018
来猜测
Figure BDA00018658758600001019
该实验 对任何攻击者A,以及任何安全参数λ,同态加密 ε=(Gen,Enc,Dec,Evalute)都适用。We define a wiretap indistinguishability test
Figure BDA00018658758600001018
to guess
Figure BDA00018658758600001019
This experiment is applicable to any attacker A, and any security parameter λ, homomorphic encryption ε=(Gen, Enc, Dec, Evalute).

窃听不可区分试验

Figure BDA00018658758600001020
eavesdropping indistinguishable test
Figure BDA00018658758600001020

(1).给定输入1λ给攻击者A,A输出一个结果

Figure BDA00018658758600001021
(1). Given an input of 1 λ to the attacker A, A outputs a result
Figure BDA00018658758600001021

(2).运行Gen(1λ)生成一个密钥k,选择两个随机比特b1和b2, b1←{0,-1},b2←{0,-1}。通过计算

Figure BDA00018658758600001022
c为 挑战密文。(2). Run Gen(1 λ ) to generate a key k, select two random bits b 1 and b 2 , b 1 ←{0,-1}, b 2 ←{0,-1}. via caculation
Figure BDA00018658758600001022
c is the challenge ciphertext.

(3).A输出两个比特b′1和b′2.(3).A outputs two bits b' 1 and b' 2 .

(4).该实验输出被定义为:如果

Figure BDA00018658758600001023
Figure BDA00018658758600001024
则成功,否则失败。(4). The experimental output is defined as: if
Figure BDA00018658758600001023
Figure BDA00018658758600001024
success, otherwise fail.

根据同态加密本身是符合语义安全的,假设存在一个攻击者B存在∈的优势 能够恢复出密钥,转化成攻击者A下的优势为∈/4。对于所有多项式时间的 攻击者A,存在一个可忽略的函数negl(λ)=∈/4使得:According to the homomorphic encryption itself is semantically secure, it is assumed that there is an attacker B with the advantage of ∈ and can recover the key, which translates into the advantage of the attacker A as ∈/4. For all polynomial-time attackers A, there exists a negligible function negl(λ) = ∈/4 such that:

Figure BDA0001865875860000111
Figure BDA0001865875860000111

即使攻击者A知道c是明文消息运算的结果,仍然无法判断是从

Figure BDA0001865875860000112
加密而来, 还是
Figure BDA0001865875860000113
加密而来。自然也无法知道
Figure BDA0001865875860000114
的结果。整数密文除法与乘法 虽然判断位不同但是相同的判断过程,因此也不会泄露信息。因此整数密 文除法也是安全的。Even if the attacker A knows that c is the result of the operation of the plaintext message, he still cannot judge whether it is from the plaintext message.
Figure BDA0001865875860000112
encrypted, or
Figure BDA0001865875860000113
Encrypted. nature can't know
Figure BDA0001865875860000114
the result of. Integer ciphertext division and multiplication have different judgment bits but the same judgment process, so no information is leaked. Therefore integer ciphertext division is also safe.

本发明的噪音Noise of the present invention

在整数基本运算部分我们得出了n位整数求补、加、减、乘、除五种运 算的迭代公式需要计算的最大次数和最大项数(公式1,4,8,11)。具体如下 表1所示,In the basic operation of integers, we have obtained the maximum number of times and the maximum number of items to be calculated in the iterative formulas for the five operations of n-bit integer complement, addition, subtraction, multiplication, and division (formulas 1, 4, 8, and 11). The details are shown in Table 1 below.

表1.迭代公式的最大深度和项数Table 1. Maximum depth and number of terms for iterative formulas

Figure RE-GDA0001946775780000115
Figure RE-GDA0001946775780000115

整数乘法和除法的迭代公式的项数太大,这个不讨论具体值。通过表1 我们可以得出在求补、加法和减法的计算次数是

Figure BDA0001865875860000116
乘法与密文除法运 算中计算次数位
Figure BDA0001865875860000117
同态多项式f的噪音可以由每个输入所含的噪 音2ρ′、多项式次数d和该多项式的l1范数
Figure BDA0001865875860000118
表示
Figure BDA0001865875860000119
log d表示 同态多项式层数。整数算术运算的同态多项式的系数都为1,因此我们可以 用同态多项式的项数表示
Figure BDA0001865875860000121
我们设置同态加密中的噪音长度为ρ′整数基 本运算的同态计算的噪音上限如表2所示:The iterative formulas for integer multiplication and division have too many terms to discuss specific values. From Table 1, we can conclude that the number of computations in complement, addition and subtraction is
Figure BDA0001865875860000116
The number of counts in multiplication and ciphertext division operations
Figure BDA0001865875860000117
The noise of a homomorphic polynomial f can be determined by the noise 2 ρ′ contained in each input, the polynomial degree d and the l 1 norm of the polynomial
Figure BDA0001865875860000118
express
Figure BDA0001865875860000119
log d represents the number of levels of homomorphic polynomials. The coefficients of the homomorphic polynomials of integer arithmetic operations are all 1, so we can express by the number of terms of the homomorphic polynomial
Figure BDA0001865875860000121
We set the noise length in homomorphic encryption as the upper limit of the noise of the homomorphic calculation of the ρ′ integer basic operation as shown in Table 2:

表2.最大噪音大小Table 2. Maximum noise level

Figure BDA0001865875860000122
Figure BDA0001865875860000122

我们提出的整数算术运算的同态计算是参考计算机中二进制补码算术 运算规则,包括求补、加、减、乘、除运算,并将运算规则转换成只包含 逻辑与、异或运算的布尔多项式。乘法与除法需要不断地执行加减运算, 得到需要根据特殊位选择不同分支的结果。因此我们提出了判断包含所有 分支的布尔多项式(JCBP)。然后通过对密文的加法和乘法将JCBP转化为 判断同态多项式(JCHP),解决了密文无法直接做判断的问题;本发明可以为电子计票,密文检索,加密机器学习等提供基础的密文运算的支持;利 用本发明可以解决密文统计的基本数量特征的计算,比如平均值,相似度 和线性拟合等等。可进帮助密文统计进一步实现对密文文档的其他操作。The homomorphic calculation of integer arithmetic operations proposed by us refers to the two's complement arithmetic operation rules in computers, including complement, addition, subtraction, multiplication, and division operations, and converts the operation rules into Boolean operations that only contain logical AND and XOR operations. polynomial. Multiplication and division need to continuously perform addition and subtraction operations to obtain results that require different branches to be selected according to special bits. Therefore, we propose a Boolean polynomial (JCBP) that judges all branches. Then, the JCBP is transformed into a Judgment Homomorphic Polynomial (JCHP) through the addition and multiplication of the ciphertext, which solves the problem that the ciphertext cannot be directly judged; the invention can provide a basis for electronic vote counting, ciphertext retrieval, encrypted machine learning, etc. The ciphertext operation is supported by the present invention; the calculation of basic quantitative characteristics of ciphertext statistics, such as average value, similarity and linear fitting, can be solved by the present invention. It can help ciphertext statistics to further realize other operations on ciphertext documents.

Claims (1)

1.一种基于同态加密的整数密文算术运算方法,将传统计算设备中的算法转换到密文情况下进行的密文算术运算,其特征在于,包括,补码运算的同态计算、加法和减法运算的同态计算、乘法运算的同态计算和除法运算的同态计算;1. an integer ciphertext arithmetic operation method based on homomorphic encryption, the algorithm in traditional computing equipment is converted to the ciphertext arithmetic operation carried out under the ciphertext situation, it is characterized in that, comprise, the homomorphic calculation of complement operation, Homomorphic calculations for addition and subtraction operations, homomorphic calculations for multiplication operations, and homomorphic calculations for division operations; 设有二进制整数原码
Figure FDA0003750366010000011
Figure FDA0003750366010000012
最高位an
Figure FDA0003750366010000013
Figure FDA0003750366010000014
Figure FDA0003750366010000015
的符号位;an-1…a0
Figure FDA0003750366010000016
为有效位,默认初始进位c-1=0;
Figure FDA0003750366010000017
Figure FDA0003750366010000018
Figure FDA0003750366010000019
Figure FDA00037503660100000110
原码的负数的补码,则补码
Figure FDA00037503660100000111
密文向量
Figure FDA00037503660100000112
表示加密后的
Figure FDA00037503660100000113
其中ai=Enc(ai),0≤i≤n;binary integer source code
Figure FDA0003750366010000011
and
Figure FDA0003750366010000012
The most significant bits an and
Figure FDA0003750366010000013
for
Figure FDA0003750366010000014
and
Figure FDA0003750366010000015
The sign bit of ; a n-1 ...a 0 and
Figure FDA0003750366010000016
is a valid bit, the default initial carry c -1 = 0;
Figure FDA0003750366010000017
and
Figure FDA0003750366010000018
Yes
Figure FDA0003750366010000019
and
Figure FDA00037503660100000110
The complement of the negative number of the original code, the complement
Figure FDA00037503660100000111
Ciphertext vector
Figure FDA00037503660100000112
means encrypted
Figure FDA00037503660100000113
where a i =Enc(a i ), 0≤i≤n;
Figure FDA00037503660100000114
表示加密后的
Figure FDA00037503660100000115
即表示求得的密文补码;密文向量
Figure FDA00037503660100000116
表示加密后的
Figure FDA00037503660100000117
密文向量
Figure FDA00037503660100000118
表示加密后的
Figure FDA00037503660100000119
其中
Figure FDA00037503660100000120
Figure FDA00037503660100000114
means encrypted
Figure FDA00037503660100000115
That is, it represents the obtained ciphertext complement; ciphertext vector
Figure FDA00037503660100000116
means encrypted
Figure FDA00037503660100000117
Ciphertext vector
Figure FDA00037503660100000118
means encrypted
Figure FDA00037503660100000119
in
Figure FDA00037503660100000120
 补码运算的同态计算,具体为,Homomorphic calculation of complement operation, specifically, 集合
Figure FDA00037503660100000121
Figure FDA00037503660100000122
是子集的长度;求补的同态多项式写成:gather
Figure FDA00037503660100000121
Figure FDA00037503660100000122
is the length of the subset; the complementary homomorphic polynomial is written as:
Figure FDA00037503660100000123
Figure FDA00037503660100000123
 其中,x0是同态加密中一个最大的奇数公钥;ci是求补同态多项式产生的密文进位,满足Dec(ci)=ci
Figure FDA00037503660100000124
表示求得的密文补码,满足
Figure FDA00037503660100000125
Among them, x 0 is the largest odd-numbered public key in homomorphic encryption; c i is the ciphertext carry generated by the complementary homomorphic polynomial, satisfying Dec( ci )= ci ;
Figure FDA00037503660100000124
Indicates the complement of the obtained ciphertext, satisfying
Figure FDA00037503660100000125
 加法和减法运算的同态计算,具体为,Homomorphic computation of addition and subtraction operations, specifically, 设有二进制整数补码
Figure FDA00037503660100000126
Figure FDA00037503660100000127
a′n
Figure FDA00037503660100000128
Figure FDA00037503660100000129
Figure FDA00037503660100000130
的符号位;初始进位为c-1=0,求得的和为
Figure FDA00037503660100000131
每一位的和
Figure FDA00037503660100000132
密文下的加法和减法的同态计算公式:two's complement
Figure FDA00037503660100000126
and
Figure FDA00037503660100000127
a' n and
Figure FDA00037503660100000128
for
Figure FDA00037503660100000129
and
Figure FDA00037503660100000130
The sign bit of ; the initial carry is c -1 = 0, and the obtained sum is
Figure FDA00037503660100000131
the sum of each
Figure FDA00037503660100000132
Homomorphic calculation formulas for addition and subtraction under ciphertext:
Figure FDA0003750366010000021
Figure FDA0003750366010000021
 其中,
Figure FDA0003750366010000022
表示加密后的
Figure FDA0003750366010000023
表示加密后的
Figure FDA0003750366010000024
采用与ai、bi类似的方式获得a′i、b′i,ci是在密文同态多项式运算过程中产生的密文进位,满足Dec(ci)=ci,初始进位为c-1=Enc(0),
Figure FDA0003750366010000025
为密文同态多项式产生的第i位的密文和,最终得到的结果为
Figure FDA0003750366010000026
满足
Figure FDA0003750366010000027
Figure FDA0003750366010000028
in,
Figure FDA0003750366010000022
means encrypted
Figure FDA0003750366010000023
means encrypted
Figure FDA0003750366010000024
Obtain a′ i , b′ i in a similar way to a i , b i , c i is the ciphertext carry generated during the ciphertext homomorphic polynomial operation, satisfying Dec( ci )= ci , and the initial carry is c -1 =Enc(0),
Figure FDA0003750366010000025
is the ciphertext sum of the i-th bit generated by the ciphertext homomorphic polynomial, and the final result is
Figure FDA0003750366010000026
Satisfy
Figure FDA0003750366010000027
Figure FDA0003750366010000028
 二进制减法运算是通过加法运算得到的,Binary subtraction is obtained by addition, 计算
Figure FDA0003750366010000029
转换成
Figure FDA00037503660100000210
Figure FDA00037503660100000211
Figure FDA00037503660100000212
的负数的补码,利用加法计算;求
Figure FDA00037503660100000213
即用求补电路计算
Figure FDA00037503660100000214
位,得到
Figure FDA00037503660100000215
再把符号位
Figure FDA00037503660100000216
取反,即
Figure FDA00037503660100000217
calculate
Figure FDA0003750366010000029
convert to
Figure FDA00037503660100000210
Figure FDA00037503660100000211
for
Figure FDA00037503660100000212
The complement of the negative number is calculated by addition; find
Figure FDA00037503660100000213
Complementary circuit calculation
Figure FDA00037503660100000214
bit, get
Figure FDA00037503660100000215
the sign bit
Figure FDA00037503660100000216
negate, that is
Figure FDA00037503660100000217
 乘法运算的同态计算,具体为,Homomorphic computation of multiplication operation, specifically, 设置被乘数
Figure FDA00037503660100000218
和乘数
Figure FDA00037503660100000219
Booth算法检查乘数
Figure FDA00037503660100000220
的相邻2个比特,决定了累加器
Figure FDA00037503660100000221
的不同操作,包括低于最低有效位的隐含位,
Figure FDA00037503660100000222
判断选择布尔多项式:set multiplicand
Figure FDA00037503660100000218
and multiplier
Figure FDA00037503660100000219
Booth's algorithm to check the multiplier
Figure FDA00037503660100000220
The adjacent 2 bits of , determine the accumulator
Figure FDA00037503660100000221
different operations on , including the implied bits below the least significant bit,
Figure FDA00037503660100000222
Judgment choice Boolean polynomial:
Figure FDA00037503660100000223
Figure FDA00037503660100000223
 使用
Figure FDA00037503660100000224
表示每一步的累加器
Figure FDA00037503660100000225
乘法运算的布尔公式如下所示:use
Figure FDA00037503660100000224
Accumulator representing each step
Figure FDA00037503660100000225
The Boolean formula for multiplication is as follows:
Figure FDA00037503660100000226
Figure FDA00037503660100000226
 其中>>算术右移;使用加法同态合成法同态转换以上的布尔公式到同态多项式:where >> arithmetic shift right; use additive homomorphic composition to homomorphically convert the above Boolean formula to a homomorphic polynomial:
Figure FDA00037503660100000227
Figure FDA00037503660100000227
Figure FDA0003750366010000031
Figure FDA0003750366010000032
表示
Figure FDA0003750366010000033
Figure FDA0003750366010000034
的密文向量,b-1=Enc(0),r=<r0,…,rn-1>是噪音向量,
Figure FDA0003750366010000035
ρ′为噪音长度,乘法运算的同态多项式:
Figure FDA0003750366010000031
and
Figure FDA0003750366010000032
express
Figure FDA0003750366010000033
and
Figure FDA0003750366010000034
The ciphertext vector of , b -1 = Enc(0), r = <r 0 , ..., r n-1 > is the noise vector,
Figure FDA0003750366010000035
ρ' is the noise length, the homomorphic polynomial of the multiplication operation:
Figure FDA0003750366010000036
Figure FDA0003750366010000036
 其中~>>表示密文向量右移,
Figure FDA0003750366010000037
表示第i次累加同态运算产生的密文结果,当
Figure FDA0003750366010000038
右移一个密文槽,
Figure FDA0003750366010000039
的最高有效分量被填充为原始的最高有效分量;最终的
Figure FDA00037503660100000310
有效的密文结果乘积;where ~>> means the ciphertext vector is shifted to the right,
Figure FDA0003750366010000037
represents the ciphertext result generated by the i-th cumulative homomorphic operation, when
Figure FDA0003750366010000038
move right one ciphertext slot,
Figure FDA0003750366010000039
The most significant component of is padded with the original most significant component; the final
Figure FDA00037503660100000310
Product of valid ciphertext results; 除法运算的同态计算,具体的,Homomorphic computation of division operations, specifically, 设置被除数
Figure FDA00037503660100000311
和除数
Figure FDA00037503660100000312
Figure FDA00037503660100000313
取负数以后的补码,
Figure FDA00037503660100000314
是余数,
Figure FDA00037503660100000315
Figure FDA00037503660100000316
是商,
Figure FDA00037503660100000317
取反为
Figure FDA00037503660100000318
除法的Boolean判断多项式JCBP为:set dividend
Figure FDA00037503660100000311
and divisor
Figure FDA00037503660100000312
Yes
Figure FDA00037503660100000313
Take the complement after the negative number,
Figure FDA00037503660100000314
is the remainder,
Figure FDA00037503660100000315
Figure FDA00037503660100000316
is a business,
Figure FDA00037503660100000317
Negative as
Figure FDA00037503660100000318
The Boolean judgment polynomial JCBP of division is:
Figure FDA00037503660100000319
Figure FDA00037503660100000319
 使用
Figure FDA00037503660100000320
表示每次迭代余数的中间结果,除法的布尔多项式为:use
Figure FDA00037503660100000320
Representing the intermediate result of the remainder of each iteration, the Boolean polynomial for division is:
Figure FDA00037503660100000321
Figure FDA00037503660100000321
 其中
Figure FDA00037503660100000322
Figure FDA00037503660100000323
的最低有效位,最后执行校正
Figure FDA00037503660100000324
Figure FDA00037503660100000325
转换除法的Boolean判断多项式到同态多项式为:in
Figure FDA00037503660100000322
Yes
Figure FDA00037503660100000323
LSB of the least significant bit, the correction is performed last
Figure FDA00037503660100000324
and
Figure FDA00037503660100000325
Converting the Boolean judgment polynomial for division to a homomorphic polynomial is:
Figure FDA00037503660100000326
Figure FDA00037503660100000326
 其中
Figure FDA00037503660100000327
Figure FDA00037503660100000328
表示
Figure FDA00037503660100000329
Figure FDA00037503660100000330
的密文向量;除法的同态多项式为:in
Figure FDA00037503660100000327
and
Figure FDA00037503660100000328
express
Figure FDA00037503660100000329
and
Figure FDA00037503660100000330
The ciphertext vector of ; the homomorphic polynomial for division is:
Figure FDA0003750366010000041
Figure FDA0003750366010000041
 其中
Figure FDA0003750366010000042
表示
Figure FDA0003750366010000043
的密文向量,
Figure FDA0003750366010000044
表示
Figure FDA0003750366010000045
的密文向量,
Figure FDA0003750366010000046
运算表示qi=(qi+Enc(1))mod x0,0≤i<n;最终,校正密文向量
Figure FDA0003750366010000047
Figure FDA0003750366010000048
in
Figure FDA0003750366010000042
express
Figure FDA0003750366010000043
ciphertext vector,
Figure FDA0003750366010000044
express
Figure FDA0003750366010000045
ciphertext vector,
Figure FDA0003750366010000046
The operation represents q i =(q i +Enc(1))mod x 0 , 0≤i<n; finally, correct the ciphertext vector
Figure FDA0003750366010000047
and
Figure FDA0003750366010000048
Figure FDA0003750366010000049
Figure FDA0003750366010000049
Figure FDA00037503660100000410
Figure FDA00037503660100000411
为除法同态运算最终的密文结果。
Figure FDA00037503660100000410
and
Figure FDA00037503660100000411
The final ciphertext result of the division homomorphic operation.
CN201811355108.7A 2018-11-14 2018-11-14 Integer cipher text arithmetic operation method based on homomorphic encryption Active CN109412786B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811355108.7A CN109412786B (en) 2018-11-14 2018-11-14 Integer cipher text arithmetic operation method based on homomorphic encryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811355108.7A CN109412786B (en) 2018-11-14 2018-11-14 Integer cipher text arithmetic operation method based on homomorphic encryption

Publications (2)

Publication Number Publication Date
CN109412786A CN109412786A (en) 2019-03-01
CN109412786B true CN109412786B (en) 2022-09-06

Family

ID=65473120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811355108.7A Active CN109412786B (en) 2018-11-14 2018-11-14 Integer cipher text arithmetic operation method based on homomorphic encryption

Country Status (1)

Country Link
CN (1) CN109412786B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111079934B (en) * 2019-11-18 2022-09-27 华中科技大学 Number Theoretical Transformation Unit and Method Applied to Error Learning Encryption Algorithm in Ring Domain
CN113098675B (en) * 2019-12-23 2023-04-18 郑珂威 Binary data encryption system and method based on polynomial complete homomorphism
US11671239B2 (en) 2020-05-08 2023-06-06 Samsung Electronics Co., Ltd. Encryption method and apparatus based on homomorphic encryption using odd function property
CN111371545B (en) * 2020-05-27 2020-09-11 支付宝(杭州)信息技术有限公司 Encryption method and system based on privacy protection
CN112543091B (en) * 2020-10-26 2022-10-14 中国人民武装警察部队工程大学 Multi-key Fully Homomorphic Encryption with Fixed Ciphertext Length
CN112653686B (en) * 2020-12-17 2022-08-09 中国科学院电工研究所 CAN bus message authentication method based on MAC encryption
EP4050471A1 (en) * 2021-02-26 2022-08-31 Zama SAS Encrypted scalar multiplication
CN113849840B (en) * 2021-10-13 2023-06-09 福建师范大学 Encryption data statistical analysis method based on authenticatable encryption counter
CN114063978A (en) * 2021-10-27 2022-02-18 华控清交信息科技(北京)有限公司 Data processing method and device and data processing device
CN115001649A (en) * 2022-04-15 2022-09-02 支付宝(杭州)信息技术有限公司 Batch encryption method, related device, system, equipment, medium and program product
CN114553394B (en) * 2022-04-22 2022-08-16 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Complementary code arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme
CN117478305B (en) * 2023-12-28 2024-04-16 粤港澳大湾区数字经济研究院(福田) Fully homomorphic encryption method, system, terminal and medium based on two-party security cooperation

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106452723B (en) * 2016-12-13 2017-05-31 深圳市全同态科技有限公司 Fully homomorphic encryption processing method based on modular operation
CN107359979B (en) * 2017-07-25 2019-11-01 西安电子科技大学 Symmetrical full homomorphic cryptography method based on Representation theorem
CN108282328B (en) * 2018-02-02 2021-03-12 沈阳航空航天大学 A statistical method of ciphertext based on homomorphic encryption

Also Published As

Publication number Publication date
CN109412786A (en) 2019-03-01

Similar Documents

Publication Publication Date Title
CN109412786B (en) Integer cipher text arithmetic operation method based on homomorphic encryption
Sahari et al. A pseudo-random numbers generator based on a novel 3D chaotic map with an application to color image encryption
CN107147484B (en) Floating point number fully homomorphic encryption method facing privacy protection
CN109039640B (en) An encryption and decryption hardware system and method based on RSA cryptographic algorithm
CN104283669B (en) Re-encryption depth optimization method in full homomorphic cryptography
CN111444518A (en) Security processor and method of operation, method of encrypting or decrypting data
Sangavi et al. An exquisite multiple image encryption harnessing multi-scroll Lu–Chen and Chua chaotic systems employing domino strategy
Li et al. Privacy preserving via multi-key homomorphic encryption in cloud computing
CN111682932B (en) Single-round image encryption method based on mixed chaotic mapping
CN111368317B (en) A computer data encryption system and method
JP2007187908A (en) Modular exponentiation calculation device and method having tolerance to side-channel attack
JP4616169B2 (en) Apparatus, method and program for calculating conversion parameter in Montgomery modular multiplication
Pandey et al. Improved cryptanalysis of a ElGamal cryptosystem based on matrices over group rings
Latoui et al. A two-parameter extended logistic chaotic map for modern image cryptosystems
Babenko et al. Euclidean division method for the homomorphic scheme ckks
CN113114461A (en) N-time public key compression method for integer homomorphic encryption
JP2018092010A (en) Encryption device and encryption method, encryption program, key generation device, key generation method, and key generation program
You et al. Secure two-party computation approach for ntruencrypt
Cao et al. Image encryption algorithm based on an improved ML neuron model and DNA dynamic coding
Anshel et al. Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA (TM)
Varghese et al. A Novel Method for Mapping Plaintext Characters to Elliptic Curve Affine points over Prime Field and Pseudorandom Number Generation
Song et al. Grover on SPEEDY
Poniszewska-Marańda et al. Code-based encryption algorithms for generating and verifying digital signature
CN115333740B (en) An asymmetric encryption and signature method that can resist quantum computer attacks
Wilhelm Aspects of hardware methodologies for the NTRU public-key cryptosystem

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant