CN109889320B - BGV type multi-key fully homomorphic encryption method - Google Patents

Abstract

The invention particularly relates to a high-efficiency BGV type multi-key fully homomorphic encryption method, which comprises the following steps: carrying out BGV homomorphic encryption on a plaintext of a user participating in operation to obtain a ciphertext corresponding to the user; expanding the ciphertext of the user participating in the operation to obtain an expanded ciphertext corresponding to the user set; performing homomorphic operation on the expanded ciphertext of the user set participating in the operation to obtain a high-dimensional BGV ciphertext, performing BGV homomorphic encryption and GSW homomorphic encryption on the key of the user participating in the calculation respectively, performing ciphertext expansion and mixed homomorphic multiplication on the encrypted result to obtain a calculation key, and performing dimensionality reduction on the high-dimensional BGV ciphertext through the calculation key; and (4) running a mode changing function on the ciphertext subjected to dimension reduction, reducing the noise in the ciphertext, and finally outputting a final ciphertext result of homomorphic operation. The BGV type multi-key fully homomorphic encryption method can allow homomorphic operation to be carried out between ciphertexts of users with different keys, thereby realizing a safe multi-party computing function.

Description

BGV type multi-key fully homomorphic encryption method

Technical Field

The invention belongs to the field of information security and privacy protection, and particularly relates to a high-efficiency BGV (band gap virtual) type multi-key fully homomorphic encryption method.

Background

The Full Homomorphic Encryption (FHE) can randomly calculate a ciphertext under the condition that a secret key is unknown, has the property of exchangeable encryption and operation, has high theoretical and application values in the current cloud computing environment, and can be widely applied to ciphertext retrieval, safe multi-party computation, cloud data analysis and the like. Since 2009 Gentry proposed the first lattice-based all-homomorphic encryption scheme Gen09, more and more all-homomorphic encryption schemes (DGHV10, BV11a, BV11b, BGV12, GSW13, AP14, etc.) were proposed based on the blueprints that Gentry depicts for all-homomorphic encryption.

Multi-key fully homomorphic encryption (mkhe) allows computation of ciphertexts of different private keys, an extension of fully homomorphic encryption in secure multiparty computing. LATV12 first proposes the concept of mkhe and proposes a multi-key fully homomorphic encryption scheme based on NTRU public key cryptosystem, but the security of the encryption scheme based on NTRU is based on the non-standard assumption on the polynomial ring, and the difficult problem of strict reduction to the lattice can not be solved, so the security needs to be further examined.

Clear and McGoldrick use GSW type FHE to provide a first GSW type MKFHE scheme CM15 based on error learning problem (LWE), because LWE problem can be quantum-reduced to the difficulty problem of the worst case on an ideal lattice, the safety of the scheme is guaranteed, and the number of the participator keys in the scheme has no upper limit. The CM15 is improved by Mukherjee and Wichs, and an LWE-based MKFHE scheme MW16 is provided, which can be used for realizing one-round threshold decryption protocol and realizing a two-round secure multi-party computing (MPC) protocol on the basis of the one-round threshold decryption protocol.

The CM15 and MW16 schemes need to set the number of users participating in homomorphic computation in advance, and cannot realize the addition of new users in the computation process, and this type of mkhe is called single-hop (single-hop) type mkhe in PS 16. Meanwhile, the PS16 proposes the concept of multi-hop (multi-hop) mkhe: the cryptograph of the original participant after homomorphic operation can be operated again with the cryptograph of the newly added participant, namely, any participant can be dynamically added into the cryptograph operation process in real time. BP16 proposes the concept of a fully dynamic mkhe, i.e. the number of participants does not need to be set in advance.

On TCC2017, chenlong et al propose a BGV type multi-hop mkhe based on RLWE. The scheme supports the cipher text packing technology based on the Chinese remainder theorem, simplifies the cipher text extension process in the MKFHE, and can be used for constructing two rounds of MPC protocols and threshold decryption protocols.

Currently, the BGV type MKFHE scheme supporting Batched Multi-hop is represented by CZW 17. The BGV type MKFHE scheme has the defects of ciphertext quantity, relatively large public parameter and large calculation quantity in the key generation and calculation process.

Disclosure of Invention

In order to solve the defects of relatively large cipher text amount and public parameters and large operation amount in the process of generating and calculating the key in the prior art, the invention provides a high-efficiency BGV type multi-key fully homomorphic encryption method, which can allow homomorphic operation to be carried out between cipher texts of users with different keys, thereby realizing a safe multi-party calculation function. In order to achieve the purpose, the technical scheme adopted by the invention is as follows:

an efficient BGV-type multi-key fully homomorphic encryption method comprises the following steps:

the method comprises the following steps: carrying out BGV homomorphic encryption on a plaintext of a user participating in operation to obtain a ciphertext corresponding to the user;

step two: expanding the ciphertext of the user participating in the operation to obtain an expanded ciphertext corresponding to the user set;

step three: performing homomorphic operation on the expanded ciphertext of the user set participating in the operation to obtain a high-dimensional BGV ciphertext, performing BGV homomorphic encryption and GSW homomorphic encryption on the key of the user participating in the calculation respectively, performing ciphertext expansion and mixed homomorphic multiplication on the encrypted result to obtain a calculation key, and performing dimensionality reduction on the high-dimensional BGV ciphertext through the calculation key;

step four: and (4) running a mode changing function on the ciphertext subjected to dimension reduction, reducing the noise in the ciphertext, and finally outputting a final ciphertext result of homomorphic operation.

Further, the specific operation of the step one is as follows: the safety parameter l, the integer m, the modulus q ═ ploy (n), the polynomial ring R ═ Z [ X ] are given]/Φ_mAnd the ring B-bounded discrete c (B < q), the integer N ═ O (nlogq),

polynomial ring R_qR/qR; the circuit depth is L, and the modulus q of each layer of circuit_L＞＞q_L-1＞＞＞＞q₀A small integer p and coprime to all moduli,

R_qR/qR; selecting L +1 random common vectors

L ═ 0., L; defining S as an ordered set, wherein the ordered set comprises ordered tags of all participants related to the ciphertext and no repeated elements; defining a ciphertext tuple ct ═ { c, { S }, l }, which includes ciphertext c of user set S, user set S

(1) And (3) key generation: generating the required key for the jth participant:

selection of z_l,jEither ae in e, e

Then the private key of the party is sk_j＝{s_l,j}， l∈{L,...,0}；

Random selection

Defining:

l is belonged to { L.,. 0}, and a public key pk is generated_l,j＝{p_l,j}，l∈{L,...,0}；

A generation unit for calculating a calculation key required for the homomorphic calculation of the ciphertext,

(a) for m e {0_l-1, j ∈ { 1., k }, ζ ∈ { 0., k }, calculating

(b) For j ∈ { 1.,. k }, ζ ∈ { 0.,. k }, a calculation is performed

(2) And (3) encryption process: inputting plaintext mu e R to be encrypted_pAnd the public key pk_l,jRandomly selecting R ∈ R²And the error matrix E ═ E (E)₁,e₂)←χ²Generating a plaintext mu_jLayer i ciphertext:

and outputting the ciphertext tuple ct ═ { c, { j }, l }.

Further, the specific operation of the second step is as follows:

BGV.CTExt(c_ls'): cipher text tuple

Is extended to

Wherein S is the same as S',

(1) decompose ciphertext c into k +1 equal parts:

corresponding private key

And user set S ═ i₁,...,i_k}；

(2) And (3) generating an extended ciphertext:

wherein

Corresponding extended key

Easy to verify

Further, the specific operation of the third step is as follows: inputting t ciphertext groups (ct) after ciphertext expansion₁,…ct_t) And assuming that it is in the same circuit layer, an

j belongs to { 1.,. t }, and a public user set is generated

(1) By calling basic homomorphic arithmetic units in the scheme

And

homomorphic operation circuit for t ciphertexts

The result after the operation is

(2) Generating a calculation key evk required in a ciphertext operation_S＝MKFHE.EvkGen(em_S)；

(3) For ciphertext

And (3) performing dimensionality reduction:

further, the specific operation of the step four is as follows: inputting a ciphertext of the layer I after homomorphic operation

Computing

Compared with the prior art, the invention has the beneficial effects that:

1. the invention converts the BGV ciphertext and the GSW ciphertext from a single user to multiple users, thereby reducing the size of the expanded ciphertext;

2. the invention improves the generation process of the conversion key required in the key conversion technology, replaces the original RGSW ciphertext multiplication by the mixed homomorphic multiplication of the RBGV and the RGSW ciphertext, and reduces the size of public parameters and calculation keys;

3. the value range of the private key coefficient of the user is set to be { -1,0,1}, so that the size and the number of ciphertexts in the key generation process are reduced;

4. the invention reduces the data volume in the homomorphic calculation process, and the reduction of the data volume can further reduce the calculation complexity of homomorphic calculation.

Drawings

FIG. 1 is a schematic flow diagram of the present invention.

Detailed Description

The present invention will be described in further detail with reference to specific examples, but the embodiments of the present invention are not limited thereto.

The embodiment provides an efficient BGV-type multi-key fully homomorphic encryption method, which is characterized in that a single-user ciphertext is converted into a multi-user ciphertext by using a ciphertext expansion technology, so that a multi-key fully homomorphic encryption scheme is converted into a single-key fully homomorphic encryption scheme, the ciphertext is processed by using a key conversion technology and a mode conversion technology, and the dimensionality and the noise of the ciphertext are reduced. The BGV type multi-key fully homomorphic encryption method can be effectively applied to safe multi-party computing among multiple users in a cloud computing environment, and has the excellent characteristics of confidentiality, ciphertext availability, collusion attack resistance, quantum attack resistance and the like. Compared with the BGV type multi-key fully homomorphic encryption scheme [ CZW17],

referring to fig. 1, the BGV-type multi-key fully homomorphic encryption method includes the following steps:

the method comprises the following steps: carrying out BGV homomorphic encryption on a plaintext of a user participating in operation to obtain a ciphertext corresponding to the user;

step two: expanding the ciphertext of the user participating in the operation to obtain an expanded ciphertext corresponding to the user set;

step three: performing homomorphic operation on the expanded ciphertext of the user set participating in the operation to obtain a high-dimensional BGV ciphertext, performing BGV homomorphic encryption and GSW homomorphic encryption on the key of the user participating in the calculation respectively, performing ciphertext expansion and mixed homomorphic multiplication on the encrypted result to obtain a calculation key, and performing dimensionality reduction on the high-dimensional BGV ciphertext through the calculation key;

step four: and (4) running a mode changing function on the ciphertext subjected to dimension reduction, reducing the noise in the ciphertext, and finally outputting a final ciphertext result of homomorphic operation.

Initialization: the safety parameter l, the integer m, the modulus q ═ ploy (n), the polynomial ring R ═ Z [ X ] are given]/Φ_mAnd the ring B-bounded discrete c (B < q), the integer N ═ O (nlogq),

polynomial ring R_qR/qR; the circuit depth is L, and the modulus q of each layer of circuit_L＞＞q_L-1＞＞…＞＞q₀A small integer p and coprime to all moduli,

R_qR/qR; selecting L +1 random common vectors

L is 0, …, L; defining S as an ordered set, wherein the ordered set comprises ordered tags of all participants related to the ciphertext and no repeated elements; defining a cipher text tuple ct ═ { c, { S }, l }, wherein the cipher text c of the user set S, the user set S and the corresponding circuit are contained

And (3) key generation: generating the required key for the jth participant:

selection of z_l,jEither ae in e, e

Then the private key of the party is sk_j＝{s_l,j}， l∈{L,...,0}；

Random selection

Defining:

l is belonged to { L.,. 0}, and a public key pk is generated_l,j＝{p_l,j}，l∈{L,...,0}；

A generation unit for calculating a calculation key required for the homomorphic calculation of the ciphertext,

(a) for m e {0_l-1, j ∈ { 1., k }, ζ ∈ { 0., k }, calculating

(b) For j ∈ { 1.,. k }, ζ ∈ { 0.,. k }, a calculation is performed

And (3) encryption process: inputting plaintext mu e R to be encrypted_pAnd the public key pk_l,jRandomly selecting R ∈ R²And the error matrix E ═ E (E)₁,e₂)←χ²Generating a plaintext mu_jLayer i ciphertext:

and outputting the ciphertext tuple ct ═ { c, { j }, l }.

And (3) decryption process: input device

And corresponding private key, outputting the plaintext

Outputting the plaintext

BGV ciphertext expansion process:

BGV.CTExt(c_ls'): cipher text tuple

Is extended to

Wherein S is the same as S',

(1) decompose ciphertext c into k +1 equal parts:

corresponding private key

And user set S ═ i₁,...,i_k}；

(2) And (3) generating an extended ciphertext:

wherein

Corresponding extended key

Easy to verify

The homomorphic operation process of the multi-user ciphertext: inputting t ciphertext groups (ct) after ciphertext expansion₁,…,ct_t) And assuming that it is in the same circuit layer, an

j belongs to {1, …, t }, and a public user set is generated

(1) By calling basic homomorphic arithmetic units in the scheme

And

homomorphic operation circuit for t ciphertexts

The result after the operation is

(2) Generating a calculation key evk required in a ciphertext operation_S＝MKFHE.EvkGen(em_S)；

(3) For ciphertext

And (3) performing dimensionality reduction:

and (3) die changing process: inputting a ciphertext of the layer I after homomorphic operation

Computing

And (3) safety analysis: in terms of basic scheme, the invention and CZW17 use the same BGV encryption scheme and GSW encryption scheme. The main differences between the present invention and CZW17 are two points: on one hand, a mixed homomorphic multiplication function among a BGV ciphertext nested expansion function, a GSW type ciphertext split expansion function and an RBGV ciphertext and an RGSW ciphertext is provided, the input and the output of the three functions are ciphertexts, and the calculation process is on the ciphertexts, so the safety of the scheme cannot be reduced; on the other hand, the coefficient value of the private key of the BGV ciphertext is limited to {0,1} from c, so the dimensionality N of the polynomial needs to be increased to a certain extent to ensure the safety of the scheme.

The invention is compared with the storage overhead of CZW 17:

the foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (1)

1. A BGV-type multi-key fully homomorphic encryption method is characterized by comprising the following steps:

the method comprises the following steps: the method comprises the steps of conducting BGV type homomorphic encryption on a plaintext of a user participating in operation to obtain a ciphertext corresponding to the user, specifically, giving a security parameter l, an integer m, a modulus q ═ ploy (n), a polynomial ring R ═ Z [ X ], (n)]/Φ_mAnd a ring B-bounded discrete component c, B < q, the integer N ═ O (nlogq),

polynomial ring R_qR/qR; the circuit depth is L, and the modulus q of each layer of circuit_L＞＞q_L-1＞＞…＞＞q₀A small integer p and coprime to all moduli,

R_qR/qR; selecting L +1 random common vectors

L ═ 0., L; definition S is an ordered set, whichThe method comprises the steps of including the tags with sequences of all the participants involved in the ciphertext, wherein the tags have no repeated elements; defining a ciphertext tuple ct ═ { c, { S }, l }, wherein the ciphertext c of the user set S, the user set S and corresponding circuit level l are included;

(1) and (3) key generation: generating the required key for the jth participant:

selection of z_l,jEither ae in e, e

Then the private key of the party is sk_j＝{s_l,j}，l∈{L,...,0}；

Random selection

Defining:

l is belonged to { L.,. 0}, and a public key pk is generated_l,j＝{p_l,j}，l∈{L,...,0}；

A generation unit for calculating a calculation key required for the homomorphic calculation of the ciphertext,

(a) for m e {0_l-1, j ∈ { 1., k }, ζ ∈ { 0., k }, calculating

(b) For j ∈ { 1.,. k }, ζ ∈ { 0.,. k }, a calculation is performed

(2) And (3) encryption process: inputting plaintext mu e R to be encrypted_pAnd the public key pk_l,jRandomly selecting R ∈ R²And the error matrix E ═ E (E)₁,e₂)←χ²Generating a plaintext mu_jLayer i ciphertext:

outputting a ciphertext tuple ct ═ { c, { j }, l };

step two: expanding the ciphertext of the user participating in the operation to obtain an expanded ciphertext corresponding to the user set, wherein the BGV ciphertext expansion process comprises the following steps: CTExt (c)_lS'): cipher text tuple

Is extended to

Wherein S belongs to S', (1) decomposing the ciphertext c into k +1 equal parts:

corresponding private key

And user set S ═ i₁,...,i_k}; (2) and (3) generating an extended ciphertext:

wherein

Corresponding extended key

Easy to verify

Step three: performing homomorphic operation on the expanded ciphertext of the user set participating in the operation to obtain a high-dimensional BGV ciphertext, performing BGV homomorphic encryption and GSW homomorphic encryption on the key of the user participating in the calculation respectively, performing ciphertext expansion and mixed homomorphic multiplication on the encrypted result to obtain a calculation key, performing dimensionality reduction on the high-dimensional BGV ciphertext through the calculation key, and performing a multi-user ciphertext homomorphic operation process: inputting t ciphertext groups (ct) after ciphertext expansion₁,...ct_t) And assuming that it is in the same circuit layer, an

j belongs to { 1.,. t }, and a public user set is generated

(1) By calling basic homomorphic arithmetic units in the scheme

And

for t ciphertext homomorphic operation circuits C, the result after operation is

(2) Generating a calculation key evk required in a ciphertext operation_S＝MKFHE.EvkGen(em_S) (ii) a (3) For ciphertext

To carry outAnd (3) reducing the dimensionality:

step four: and (3) operating a mode changing function on the ciphertext subjected to dimension reduction, reducing noise in the ciphertext, and finally outputting a final ciphertext result of homomorphic operation, wherein the mode changing function is as follows: inputting a ciphertext of the layer I after homomorphic operation

Computing

Images