CN114553394B - Complementary code arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme - Google Patents

Publication number
CN114553394B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210424254.0A
Other languages
Chinese (zh)
Other versions
CN114553394A (en
Inventor
王轩
蒋琳
顾嘉婧
王泓潇
罗文坚
刘洋
漆舒汉
方俊彬
张加佳
吴宇琳
姚霖
陈倩
熊力瑶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinan University
Shenzhen Graduate School Harbin Institute of Technology
Original Assignee
Jinan University
Shenzhen Graduate School Harbin Institute of Technology
Application filed by Jinan University, Shenzhen Graduate School Harbin Institute of Technology filed Critical Jinan University
Priority to CN202210424254.0A priority Critical patent/CN114553394B/en
Publication of CN114553394A publication Critical patent/CN114553394A/en
Application granted granted Critical
Publication of CN114553394B publication Critical patent/CN114553394B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The invention discloses a two's-complement arithmetic unit and an arithmetic method based on a multi-key fully homomorphic scheme. The arithmetic unit comprises a multi-key fully homomorphic adder, a multi-key fully homomorphic subtractor, a multi-key fully homomorphic multiplier and a multi-key fully homomorphic divider. The adder is composed of a multi-key fully homomorphic class-0 adder; the subtractor is composed of a multi-key fully homomorphic class-0 adder and a multi-key fully homomorphic inverter; the multiplier is composed of a multi-key fully homomorphic class-0 adder, a multi-key fully homomorphic class-1 adder, a multi-key fully homomorphic class-2 adder and a multi-key fully homomorphic AND gate; the divider is composed of a multi-key fully homomorphic complementer, a multi-key fully homomorphic CAS unit and a multi-key fully homomorphic XOR gate. The invention constructs the four basic arithmetic operations on two's-complement integers of arbitrary bit width, supports these operations between positive and negative integers of arbitrary bit width, and greatly improves the practicality of the MKTFHE scheme.

Description

Complement arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a complementary code arithmetic unit and an arithmetic method based on a multi-key fully homomorphic scheme.
Background
Privacy-preserving computation is a class of techniques for computing on data without revealing the underlying information. Commonly used techniques include homomorphic encryption (HE), secure multiparty computation and differential privacy.
Homomorphic encryption is a cryptographic technique based on hard mathematical problems: operating on homomorphically encrypted data and then decrypting gives the same result as applying the same operation directly to the unencrypted data. Fully homomorphic encryption schemes are currently divided roughly into three generations according to their technical stage.
First generation: the ideal-lattice-based scheme Gentry09 and the variant scheme DGHV10, based on the approximate greatest common divisor problem, are referred to as first-generation homomorphic encryption schemes. Schemes of this generation have large keys and low efficiency. They are based on non-standard security assumptions and have been found to be no longer secure in a quantum computing environment. Nevertheless, the first generation was a great inspiration for later work and is of epoch-making significance.
Second generation: schemes based on the lattice Learning With Errors (LWE) assumption. Compared with the first generation, homomorphic encryption schemes built on the LWE problem are simpler, and their security reduces to standard hard lattice problems. Their drawback is that, because a ciphertext is a vector, homomorphic multiplication of ciphertexts is implemented as a tensor product, which makes the ciphertext dimension grow sharply. Representative second-generation schemes include the BV, BGV and CKKS schemes.
Third generation: schemes based on approximate eigenvectors of matrices. Here the ciphertext is a matrix, so multiplication and addition are carried out naturally, the ciphertext dimension does not grow, and neither key switching nor modulus switching is needed. Representative third-generation schemes include the GSW, FHEW and TFHE schemes.
One limitation of fully homomorphic encryption is that it can only process data encrypted under the same key. In many application scenarios, however, fully homomorphic encryption needs to handle encrypted data associated with several different keys: each participant that owns a private data set wants to encrypt its data under its own key, and wants the cloud server, which holds no key, to operate on the ciphertexts encrypted under different keys and return the encrypted result, with decryption depending on the corresponding key of each participant. A fully homomorphic encryption scheme that supports this is called a multi-key fully homomorphic encryption scheme.
In 2019, Chen et al. constructed the first multi-key fully homomorphic encryption scheme with a concrete implementation and named it the MKTFHE scheme. However, this scheme provides only a bootstrapped NAND gate, which, although it works well, needs more efficient and user-friendly encapsulation before it can support mathematical operations.
Researchers have developed a number of LWE-based multi-key fully homomorphic encryption schemes, but current multi-key fully homomorphic encryption still has many problems, such as low efficiency, a large ciphertext expansion rate, ciphertexts that grow as the number of distinct keys increases, and limited practicality. Important research directions in the field include improving the efficiency of multi-key fully homomorphic encryption, extending its functionality, developing dedicated hardware to accelerate it, and reducing the ciphertext expansion rate of multi-key fully homomorphic encryption algorithms.
Disclosure of Invention
The invention mainly aims to overcome the defects of the prior art and provide a complement arithmetic device and an arithmetic method based on a multi-key fully homomorphic scheme.
In order to achieve the purpose, the invention adopts the following technical scheme:
The invention provides a two's-complement arithmetic unit based on a multi-key fully homomorphic scheme, comprising a multi-key fully homomorphic adder, a multi-key fully homomorphic subtractor, a multi-key fully homomorphic multiplier and a multi-key fully homomorphic divider;
the multi-key fully homomorphic adder is composed of a multi-key fully homomorphic class-0 adder; the subtractor is composed of a multi-key fully homomorphic class-0 adder and a multi-key fully homomorphic inverter; the multiplier is composed of a multi-key fully homomorphic class-0 adder, a multi-key fully homomorphic class-1 adder, a multi-key fully homomorphic class-2 adder and a multi-key fully homomorphic AND gate; the divider is composed of a multi-key fully homomorphic complementer, a multi-key fully homomorphic CAS unit and a multi-key fully homomorphic XOR gate;
the multi-key fully homomorphic class-0 adder is composed of the multi-key fully homomorphic bootstrapped AND gate, bootstrapped OR gate and bootstrapped XOR gate; the class-1 adder is composed of the bootstrapped AND gate, bootstrapped OR gate, bootstrapped XOR gate and the multi-key fully homomorphic NOT gate; the class-2 adder is composed of the bootstrapped AND gate, bootstrapped OR gate, bootstrapped XOR gate and the NOT gate; the inverter is composed of the NOT gate; the complementer is composed of the bootstrapped XOR gate and the multi-key fully homomorphic CAS unit; and the CAS unit is composed of the bootstrapped AND gate, the bootstrapped OR gate and the NOT gate.
As a preferred technical solution, the multi-key fully homomorphic bootstrapped AND gate, bootstrapped OR gate, NOT gate, bootstrapped NAND gate, bootstrapped NOR gate, bootstrapped XOR gate and bootstrapped XNOR gate operate as follows: ciphertext expansion is first performed on the two input ciphertexts c1 and c2, encrypted under different keys, to obtain ciphertexts c1' and c2' encrypted under the combined key, and the gate operation is then performed by evaluating the following equations:
Multi-key fully homomorphic bootstrapped AND gate (c = MKbootsAND(c1, c2)): c = BS((0, -1/8) + c1 + c2)
Multi-key fully homomorphic bootstrapped OR gate (c = MKbootsOR(c1, c2)): c = BS((0, 1/8) + c1 + c2)
Multi-key fully homomorphic NOT gate (c' = MKNOT(c)): c' = (0, 1/4) - c
Multi-key fully homomorphic bootstrapped NOR gate (c = MKbootsNOR(c1, c2)): c = BS((0, 3/8) - c1 - c2)
Multi-key fully homomorphic bootstrapped XOR gate (c = MKbootsXOR(c1, c2)): c = BS(2·(c1 - c2))
Multi-key fully homomorphic bootstrapped XNOR gate (c = MKbootsXNOR(c1, c2)): c = BS((0, 1/2) - 2·(c1 - c2))
where BS denotes bootstrapping.
As a preferred technical solution, when the control bit cp corresponds to plaintext 0, the multi-key fully homomorphic CAS unit (hom-CAS) performs the addition of ca[i] and cb[i]: it takes 2 input bits ca[i] and cb[i], a carry bit cc[i] and the control bit cp, and outputs 2 output bits cout[i] and cb[i], a carry bit cc[i+1] and the control bit cp, according to the following formulas:
cout[i] = MKbootsXOR(cc[i], MKbootsXOR(ca[i], cb[i]))
cb[i] = cb[i]
cc[i+1] = MKbootsOR(MKbootsAND(ca[i], cc[i]), MKbootsAND(MKbootsOR(ca[i], cc[i]), cb[i]))
cp = cp
When the control bit cp corresponds to plaintext 1, the hom-CAS unit performs the subtraction of ca[i] and cb[i]: it takes 2 input bits ca[i] and cb[i], a borrow bit cc[i] and the control bit cp, and outputs 2 output bits cout[i] and cb[i], a borrow bit cc[i+1] and the control bit cp, according to the following formulas:
cout[i] = MKbootsXOR(cc[i], MKbootsXOR(ca[i], MKNOT(cb[i])))
cb[i] = cb[i]
cc[i+1] = MKbootsOR(MKbootsAND(ca[i], cc[i]), MKbootsAND(MKbootsOR(ca[i], cc[i]), MKNOT(cb[i])))
cp = cp.
As a preferred technical solution, the inverter ca' = hom-NOT(ca) negates the input multi-key homomorphically encrypted ciphertext, that is, it inverts (interchanges 0 and 1) the plaintext of the input ciphertext. For a k-bit input ca[1], ca[2], …, ca[k] it outputs ca'[1], ca'[2], …, ca'[k], satisfying:
ca'[i] = MKNOT(ca[i]), i = 1, 2, …, k.
As a preferred technical solution, the complementer ca' = hom-CD(ca) converts its input between two's-complement form and sign-magnitude (original-code) form. For a k-bit input ca[1], ca[2], …, ca[k] it outputs ca'[1], ca'[2], …, ca'[k], satisfying the following equations:
t[1] = MKbootsXOR(ca[1], ca[2])
t[i] = MKbootsXOR(t[i-1], ca[i+1]), where i = 2, 3, …, k
ca'[1] = t[k]
(ca'[2], cb[1], cc[1], MKEnc(1)) = hom-CAS(t[1], ca[1], MKEnc(0), MKEnc(1)), where MKEnc(0) denotes a ciphertext of 0 and MKEnc(1) denotes a ciphertext of 1;
(ca'[i], cb[i], cc[i], MKEnc(1)) = hom-CAS(t[i], cb[i-1], cc[i-1], MKEnc(1)), where i = 2, 3, …, k.
As a preferred technical solution, the multi-key fully homomorphic class-0 adder (cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs the carry bit cc[i+1] and the output bit cout[i], satisfying the following formulas:
cout[i] = MKbootsXOR(cc[i], MKbootsXOR(ca[i], cb[i]))
cc[i+1] = MKbootsOR(MKbootsAND(ca[i], cb[i]), MKbootsAND(cc[i], MKbootsXOR(ca[i], cb[i])))
The multi-key fully homomorphic class-1 adder (cc[i+1], cout[i]) = hom-1-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs the carry bit cc[i+1] and the output bit cout[i], satisfying the following formulas:
cout[i] = MKNOT(MKbootsXOR(cc[i], MKbootsXOR(MKNOT(ca[i]), cb[i])))
cc[i+1] = MKbootsOR(MKbootsAND(MKNOT(MKNOT(ca[i])), cb[i]), MKbootsAND(cc[i], MKbootsXOR(ca[i], cb[i])))
The multi-key fully homomorphic class-2 adder (cc[i+1], cout[i]) = hom-2-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs the carry bit cc[i+1] and the output bit cout[i], satisfying the following formulas:
cout[i] = MKbootsXOR(MKNOT(cc[i]), MKbootsXOR(ca[i], MKNOT(cb[i])))
cc[i+1] = MKNOT(MKbootsOR(MKbootsAND(ca[i], MKNOT(cb[i])), MKbootsAND(MKNOT(cc[i]), MKbootsXOR(ca[i], MKNOT(cb[i]))))).
As a preferred technical solution, the operation rules are as follows:
The multi-key fully homomorphic adder cout = MKFHE_ADD(ca, cb) takes the ciphertexts ca and cb of two k-bit addends and outputs the ciphertext cout of the k-bit result, satisfying the following equations:
(cc[2], cout[1]) = hom-0-adder(ca[1], cb[1], Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]), where i = 2, 3, …, k
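A plaintext reference model of the hom-CAS cell and the class-0 adder chain defined above, added here as an example (it is not code from the patent or from the MKTFHE library): plain bits stand in for ciphertexts, so it checks the circuit logic and counts bootstrapped gates per addition, not the cryptography. It assumes index 1 is the least significant bit, as the Enc(0) carry-in of the adder implies; `hom_cas_oblivious` is an added branch-free rewriting (cb replaced by cb XOR cp) that goes beyond the two case formulas on the page, and all Python names are hypothetical.

```python
from itertools import product


class PlainGates:
    """Boolean stand-ins for the page's gates; counts bootstrapped gate calls."""

    def __init__(self):
        self.bootstraps = 0

    def _bs(self, bit):
        # Every bootstrapped gate costs one bootstrapping operation.
        self.bootstraps += 1
        return bit

    def AND(self, a, b):   # MKbootsAND
        return self._bs(a & b)

    def OR(self, a, b):    # MKbootsOR
        return self._bs(a | b)

    def XOR(self, a, b):   # MKbootsXOR
        return self._bs(a ^ b)

    def NOT(self, a):      # MKNOT is a linear operation: no bootstrapping
        return a ^ 1


def hom_0_adder(g, ca, cb, cc):
    """Class-0 adder, written exactly as the two formulas on the page."""
    cout = g.XOR(cc, g.XOR(ca, cb))
    carry = g.OR(g.AND(ca, cb), g.AND(cc, g.XOR(ca, cb)))
    return carry, cout


def hom_cas(g, ca, cb, cc, cp):
    """hom-CAS as stated: one set of formulas per plaintext value of cp."""
    b = g.NOT(cb) if cp else cb
    cout = g.XOR(cc, g.XOR(ca, b))
    carry = g.OR(g.AND(ca, cc), g.AND(g.OR(ca, cc), b))
    return cout, cb, carry, cp


def hom_cas_oblivious(g, ca, cb, cc, cp):
    """Added variant: same outputs without branching on the (encrypted) cp."""
    b = g.XOR(cb, cp)
    cout = g.XOR(cc, g.XOR(ca, b))
    carry = g.OR(g.AND(ca, cc), g.AND(g.OR(ca, cc), b))
    return cout, cb, carry, cp


def to_bits(x, k):
    """k-bit two's complement of x; list index 0 is the page's index 1 (LSB)."""
    x %= 1 << k
    return [(x >> i) & 1 for i in range(k)]


def from_bits(bits):
    """Signed value of a two's-complement bit list (LSB first)."""
    k = len(bits)
    v = sum(bit << i for i, bit in enumerate(bits))
    return v - (1 << k) if v >= 1 << (k - 1) else v


def mkfhe_add(g, ca, cb):
    """MKFHE_ADD: ripple chain of class-0 adders with carry-in Enc(0)."""
    cc, out = 0, []
    for a, b in zip(ca, cb):
        cc, s = hom_0_adder(g, a, b, cc)
        out.append(s)
    return out  # the final carry is dropped: the result has k bits


def check_adder(k):
    """Exhaustively compare the chain with signed addition modulo 2^k."""
    half = 1 << (k - 1)
    for a, b in product(range(-half, half), repeat=2):
        expected = (a + b + half) % (1 << k) - half
        if from_bits(mkfhe_add(PlainGates(), to_bits(a, k), to_bits(b, k))) != expected:
            return False
    return True


def check_cas():
    """CAS adds cb when cp = 0 and NOT(cb) when cp = 1, for all 16 inputs."""
    for ca, cb, cc, cp in product((0, 1), repeat=4):
        cout, cb_out, carry, cp_out = hom_cas(PlainGates(), ca, cb, cc, cp)
        if (cb_out, cp_out) != (cb, cp):
            return False
        if 2 * carry + cout != ca + (cb ^ cp) + cc:
            return False
        if hom_cas_oblivious(PlainGates(), ca, cb, cc, cp) != (cout, cb, carry, cp):
            return False
    return True


def bootstraps_per_add(k):
    """Bootstrapped gate evaluations spent on one k-bit MKFHE_ADD."""
    g = PlainGates()
    mkfhe_add(g, [0] * k, [0] * k)
    return g.bootstraps


if __name__ == "__main__":
    print(check_adder(4), check_cas(), bootstraps_per_add(8))
```

Evaluated literally, the class-0 formulas compute MKbootsXOR(ca[i], cb[i]) twice, which is why the model counts six bootstrapped gates per bit; reusing that intermediate ciphertext would bring it to five.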
The multi-key fully homomorphic subtractor cout = MKFHE_SUB(ca, cb) takes the ciphertexts ca and cb of the k-bit minuend and subtrahend and outputs the ciphertext cout of the k-bit result, satisfying the following equations:
ca' = hom-NOT(ca)
cb' = hom-NOT(cb)
(cc[2], cout[1]) = hom-0-adder(ca'[1], cb'[1], Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca'[i], cb'[i], cc[i]), where i = 2, 3, …, k.
As a preferred technical solution, the multi-key fully homomorphic multiplier cout = MKFHE_MUL(ca, cb) takes the ciphertexts ca and cb of the k-bit multiplicand and multiplier and outputs the ciphertext cout of the 2k-bit result. It is constructed with the following steps:
(1) compute the sign bit of the result, cout[1] = MKbootsAND(ca[1], cb[1]);
(2) arrange the adders in k rows and k-1 columns, number them from top to bottom and from right to left, and set their inputs and outputs according to the following rules:
(2-1) for the j-th adder in row 1, the input ca is MKbootsAND(ca[j+1], cb[1]) and the input cb is MKbootsAND(ca[j], cb[2]); the input cc in the first row is 0; the outputs are cc'[1][j] and cout[1][j];
(2-2) in row i, the input ca of the (k-1)-th adder is MKbootsAND(ca[k], cb[i-1]) and the input ca of the other adders is cout[i-i][j+1]; the input cb in row i is MKbootsAND(ca[j], cb[i+1]); the input cc is cc'[i-1][j]; the outputs are cc'[i][j] and cout[i][j], where i = 2, 3, …, k-1;
(2-3) in row k, the 0th adder has input ca = cout[k-1][j+1], input cb = Enc(0) and input cc = cc'[k-1][j]; the 2nd to (k-2)-th adders have input ca = cout[k-1][j+1], input cb = cc'[k][j-1] and input cc = cc'[k-1][j]; the (k-1)-th adder has input ca = MKbootsAND(ca[k], cb[k]), input cb = cc'[k][j-1] and input cc = cc'[k-1][j];
(3) the most significant bits (ca[k-1] and cb[k-1]) of the two's-complement operands are given the weight -1, and the adder type is selected according to the following rules:
(3-1) if neither of the two inputs ca and cb carries a weight, a multi-key fully homomorphic class-0 adder is used;
(3-2) if one of the two inputs ca and cb has weight -1, a multi-key fully homomorphic class-1 adder is used;
(3-3) if both inputs ca and cb have weight -1, a multi-key fully homomorphic class-2 adder is used;
(3-4) if one of the two inputs ca and cb is the output of a multi-key fully homomorphic class-2 adder, a multi-key fully homomorphic class-2 adder is used;
(4) the final result is composed as follows:
cout[1] = MKbootsAND(ca[1], cb[1])
cout[i] = cout[i-1][1], where i = 2, 3, …, k
cout[i] = cout[k][i-k], where i = k+1, k+2, …, 2k-1
cout[2k] = cc'[k][k-1].
As a preferred technical solution, the multi-key fully homomorphic divider cout = MKFHE_MUL(ca, cb) takes the ciphertext ca of a 2k-bit dividend and the ciphertext cb of a k-bit divisor and outputs the ciphertext cq of the k-bit quotient and the ciphertext cr of the k-bit remainder. It is constructed with the following steps:
(1) first, the multi-key fully homomorphic complementer is applied to the dividend and the divisor:
ca' = hom-CD(ca)
cb' = hom-CD(cb)
(2) compute cq'[1] = MKbootsXOR(ca'[1], cb'[1]) to obtain the ciphertext of the sign bit of the quotient;
(3) (k-1)^2 hom-CAS cells are arranged in k-1 rows and k-1 columns and numbered from top to bottom and from left to right. The j-th hom-CAS cell of row i computes (cout[i][j], cb'[i][j], cc'[i+i][j], cp[i][j]) = hom-CAS(ca[i][j], cb[i][j], cc[i][j], cp[i][j]), subject to the following conditions:
(3-1) if i = 1 and j = 1, the input ca is Enc(0), the input cb is Enc(0), the input cp is Enc(1) and the input cc is cc'[1][2];
(3-2) if i = 1 and j = 2, 3, …, k-1, the input ca is ca'[j], the input cb is cb'[j], the input cp is cp[1][j-1] and the input cc is cc'[1][j+1]; when j = k-1, the input ca is ca'[k+1] and the input cc is cp;
(3-3) if i = 2, 3, …, k-1, the input ca is cout[i-1][j+1], the input cb is cb'[i-1][j], the input cp is cp[i][j-1] and the input cc is cc'[i][j+1]; when j = k-1, the input ca is ca'[k+i] and the input cc is cp;
(3-4) if j = 1, the output cout[i][j] of the hom-CAS cell is discarded, and if i = k-1, the output cb'[i][j] of the hom-CAS cell is discarded;
(4) the ciphertext cq' of the quotient in sign-magnitude form is composed as follows:
cq'[1] = MKbootsXOR(ca'[1], cb'[1])
cq'[i] = cc[i][1], where i = 2, 3, …, k
(5) the ciphertext cr' of the remainder in sign-magnitude form is composed as follows:
cr'[i] = cout[k-1][j], where j = 1, 2, …, k
(6) the multi-key fully homomorphic complementer is applied to obtain the ciphertexts of the quotient and the remainder in their final two's-complement form:
Quotient: cq = hom-CD(cq')
Remainder: cr = hom-CD(cr').
The invention also provides an operation method of a complement arithmetic unit based on a multi-key fully homomorphic scheme, which comprises the following steps:
a common reference string (CRS) server generates and publishes the parameter set required for the computation by calling the setup function of multi-key homomorphic encryption = (1^), and the participants and the cloud server receive the public parameter set and carry out the subsequent steps;
each participant takes the parameter set as input, calls the key generation function (_,,) =. () to independently generate its own private key and public key { __, _ }, belongs to [ ], and sends the public-key part (the ciphertext expansion key _, the bootstrapping key and the key-switching key _) to the cloud server;
the participants call the encryption function i = to encrypt their data with their respective private keys and send the encrypted results to the cloud server;
the cloud server first uses the participants' ciphertext expansion keys to perform the fully homomorphic ciphertext expansion operation on ciphertexts 1 and 2, which are encrypted under different private keys, expanding the ciphertexts encrypted under the individual keys of the different participants into ciphertexts encrypted under the combined key; it then uses the bootstrapping keys and key-switching keys of all participants to call a series of multi-key homomorphic operation functions that carry out the multi-key fully homomorphic computation, and finally sends the results to the participants;
each participant calls the decryption function =. (,) and decrypts with its private key to obtain the plaintext result.
Compared with the prior art, the invention has the following advantages and beneficial effects:
Compared with similar applications based on the MKTFHE scheme, the invention adds new operation logic and greatly improves the efficiency of basic gate evaluation. In addition, the invention encapsulates the four common arithmetic operations, which greatly improves the practicality of the MKTFHE library.
Compared with other multi-key fully homomorphic encryption schemes, the invention can perform any Boolean operation, including the division operation that the existing multi-key CKKS and multi-key BGV schemes cannot realize. The scheme used by the invention has the advantages of fast bootstrapping and an unlimited number of operations.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a complementary arithmetic unit according to an embodiment of the present invention;
FIG. 2 is a circuit diagram of a multi-key hom-CAS cell according to an embodiment of the present invention;
FIG. 3 is a circuit diagram of an inverter according to an embodiment of the present invention;
FIG. 4 is a circuit diagram of a complementer according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a structure of a third type of adder according to an embodiment of the present invention;
FIG. 6 is a block diagram of a multi-key fully homomorphic complement adder according to an embodiment of the present invention;
FIG. 7 is a block diagram of a multi-key fully homomorphic complement subtractor according to an embodiment of the invention;
FIG. 8 is a block diagram of a multi-key fully homomorphic complement multiplier according to an embodiment of the present invention;
FIG. 9 is a block diagram illustrating a multi-key fully homomorphic complement divider according to an embodiment of the present invention;
FIG. 10 is a flowchart illustrating a method for performing complementary arithmetic operations based on a multi-key fully homomorphic scheme according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
MKTFHE: Multi-key Fully Homomorphic Encryption over the Torus, the multi-key fully homomorphic encryption scheme proposed in 2019, which is based on the torus mathematical structure.
Learning With Errors (LWE): a standard hard problem on lattices, considered to be resistant to quantum attacks.
Referring to FIG. 1, the two's-complement arithmetic unit based on the multi-key fully homomorphic scheme of the present embodiment includes a multi-key fully homomorphic adder, a multi-key fully homomorphic subtractor, a multi-key fully homomorphic multiplier and a multi-key fully homomorphic divider. These arithmetic operators are built mainly from multi-key fully homomorphic arithmetic components, which comprise: a multi-key fully homomorphic class-0 adder, a multi-key fully homomorphic class-1 adder, a multi-key fully homomorphic class-2 adder, a multi-key fully homomorphic inverter, and a multi-key fully homomorphic CAS unit. The arithmetic components are in turn built from multi-key fully homomorphic basic gates, which comprise: a multi-key fully homomorphic bootstrapped AND gate, bootstrapped OR gate, NOT gate, bootstrapped NAND gate, bootstrapped NOR gate, bootstrapped XOR gate and bootstrapped XNOR gate. The basic gates are realized by multi-key fully homomorphic ciphertext operations, which comprise LWE ciphertext addition, LWE ciphertext subtraction, LWE ciphertext multiplication, LWE ciphertext initialization and bootstrapping.
The multi-key fully homomorphic adder is constructed from a multi-key fully homomorphic class-0 adder; the subtractor is constructed from a class-0 adder and a multi-key fully homomorphic inverter; the multiplier is constructed from a class-0 adder, a class-1 adder, a class-2 adder and a multi-key fully homomorphic AND gate; and the divider is constructed from a multi-key fully homomorphic complementer, a multi-key fully homomorphic CAS unit and a multi-key fully homomorphic XOR gate.
The multi-key fully homomorphic class-0 adder is composed of the multi-key fully homomorphic bootstrapped AND gate, bootstrapped OR gate and bootstrapped XOR gate; the class-1 adder is composed of the bootstrapped AND gate, bootstrapped OR gate, bootstrapped XOR gate and the multi-key fully homomorphic NOT gate; the class-2 adder is composed of the bootstrapped AND gate, bootstrapped OR gate, bootstrapped XOR gate and the NOT gate; the inverter is composed of the NOT gate; the complementer is composed of the bootstrapped XOR gate and the multi-key fully homomorphic CAS unit; and the CAS unit is composed of the bootstrapped AND gate, the bootstrapped OR gate and the NOT gate.
The multi-key fully homomorphic ciphertext operations used by each basic gate are as follows:
Multi-key fully homomorphic bootstrapped AND gate: LWE ciphertext addition, LWE ciphertext initialization and bootstrapping.
Multi-key fully homomorphic bootstrapped OR gate: LWE ciphertext addition, LWE ciphertext initialization and bootstrapping.
Multi-key fully homomorphic NOT gate: LWE ciphertext subtraction and LWE ciphertext initialization.
Multi-key fully homomorphic bootstrapped NAND gate: LWE ciphertext subtraction, LWE ciphertext initialization and bootstrapping.
Multi-key fully homomorphic bootstrapped NOR gate: LWE ciphertext subtraction, LWE ciphertext initialization and bootstrapping.
Multi-key fully homomorphic bootstrapped XOR gate: LWE ciphertext subtraction, LWE ciphertext multiplication and bootstrapping.
Multi-key fully homomorphic bootstrapped XNOR gate: LWE ciphertext subtraction, LWE ciphertext multiplication, LWE ciphertext initialization and bootstrapping.
The specific construction process of the complement arithmetic unit based on the multi-key fully homomorphic scheme in this embodiment is as follows:
First, the invention designs two ciphertext operations for the MKTFHE scheme so that more basic homomorphic gate circuits can be supported. Next, further multi-key fully homomorphic bootstrap gates are designed; these are somewhat more efficient than gates assembled directly from multi-key fully homomorphic bootstrap NAND gates. Finally, the invention uses the basic multi-key fully homomorphic bootstrap gates to construct a four-operation arithmetic unit for complement integers of arbitrary bit width, which supports the four arithmetic operations between positive and negative integers of arbitrary bit width and greatly improves the practicality of the MKTFHE scheme.
(1) Design of two MKTFHE scheme ciphertext operations
The invention first designs the multi-key LWE ciphertext addition and LWE ciphertext multiplication operations, which are needed to realize the other multi-key fully homomorphic bootstrap gates.
The core idea of LWE ciphertext addition (LweAdd) is: the elements in the two + 1-dimensional vectors are added one by one, where the dimensions of the lattice. In the variance update step of LweAdd, the variance of ciphertext 1 is added to the variance of ciphertext 2 to obtain the variance of the resulting ciphertext.
The core idea of LWE ciphertext multiplication (LweMul) is: the elements in one + 1-dimensional vector are multiplied by times one by one, and the result is then added to the other + 1-dimensional vector; this multiplication completes the dot product operation between the LWE ciphertexts. In the variance update step of LweMul, the variance of ciphertext 1 is added to the variance of ciphertext 2 to obtain the variance of the resulting ciphertext.
(2) Multi-key fully homomorphic bootstrap gate design
The invention designs 6 kinds of multi-key fully homomorphic bootstrap gate circuits. Each gate first performs ciphertext expansion on its two inputs c1 and c2, which are encrypted under different keys, to obtain ciphertexts c1' and c2' encrypted under the combined key, and then performs the gate operation by evaluating the corresponding equation below:
Multi-key fully homomorphic bootstrap AND gate (c = MKbootsAND(c1, c2)): c = BS((0, -1/8) + c1 + c2)
Multi-key fully homomorphic bootstrap OR gate (c = MKbootsOR(c1, c2)): c = BS((0, 1/8) + c1 + c2)
Multi-key fully homomorphic NOT gate (c' = MKNOT(c)): c' = (0, 1/4) - c
Multi-key fully homomorphic bootstrap NOR gate (c = MKbootsNOR(c1, c2)): c = BS((0, 3/8) - c1 - c2)
Multi-key fully homomorphic bootstrap XOR gate (c = MKbootsXOR(c1, c2)): c = BS(2·(c1 - c2))
Multi-key fully homomorphic bootstrap XNOR gate (c = MKbootsXNOR(c1, c2)): c = BS((0, 1/2) - 2·(c1 - c2))
where BS denotes bootstrapping.
(3) Multi-key fully homomorphic arithmetic unit design
The invention designs and realizes 6 kinds of multi-key fully homomorphic operation units: a multi-key fully homomorphic CAS unit (hom-CAS), a multi-key fully homomorphic negation extractor (hom-NOT), a multi-key fully homomorphic complementer (hom-CD), a multi-key fully homomorphic 0-class adder (hom-0-adder), a multi-key fully homomorphic 1-class adder (hom-1-adder) and a multi-key fully homomorphic 2-class adder (hom-2-adder).
Multi-key fully homomorphic controllable adder/subtractor (hom-CAS); the corresponding function is: (cout[i], cb[i], cc[i+1], cp) = hom-CAS(ca[i], cb[i], cc[i], cp).
Referring to FIG. 2, when the control bit cp corresponds to plaintext 0, the hom-CAS unit performs the addition of ca[i] and cb[i]: it takes the 2 input bits ca[i] and cb[i], a carry bit cc[i] and the control bit cp, and outputs the 2 output bits cout[i] and cb[i], a carry bit cc[i+1] and the control bit cp, as given by the following formulas:
cout[i]=MKbootsXOR(cc[i],MKbootsXOR(ca[i],cb[i]))
cb[i]=cb[i]
cc[i+1]=MKbootsOR(MKbootsAND(ca[i],cc[i]),MKbootsAND(MKbootsOR(ca[i],cc[i]),cb[i]))
cp=cp
When the control bit cp corresponds to plaintext 1, the hom-CAS unit performs the subtraction of ca[i] and cb[i]: it takes the 2 input bits ca[i] and cb[i], a borrow bit cc[i] and the control bit cp, and outputs the 2 output bits cout[i] and cb[i], a borrow bit cc[i+1] and the control bit cp, as given by the following formulas:
cout[i]=MKbootsXOR(cc[i],MKbootsXOR(ca[i],MKNOT(cb[i])))
cb[i]=cb[i]
cc[i+1]=MKbootsOR(MKbootsAND(ca[i],cc[i]),MKbootsAND(MKbootsOR(ca[i],cc[i]),MKNOT(cb[i])))
cp=cp
Referring to FIG. 3, the negation extractor ca' = hom-NOT(ca) negates the input multi-key homomorphically encrypted ciphertext, that is, it inverts the plaintext of the input ciphertext (0 and 1 are interchanged). For a k-bit input ca[1], ca[2], …, ca[k], it outputs ca'[1], ca'[2], …, ca'[k], satisfying:
ca'[i]=MKNOT(ca[i]), i=1,2,…,k.
Referring to FIG. 4, the complementer ca' = hom-CD(ca) converts its input between complement form and original form. For a k-bit input ca[1], ca[2], …, ca[k], it outputs ca'[1], ca'[2], …, ca'[k], satisfying the following equations:
t[1]=MKbootsXOR(ca[1],ca[2])
t[i] = MKbootsXOR(t[i-1], ca[i+1]), where i = 2,3,…,k
ca’[1]=t[k]
(ca'[2], cb[1], cc[1], MKEnc(1)) = hom-CAS(t[1], ca[1], MKEnc(0), MKEnc(1)), where MKEnc(0) represents a ciphertext of 0 and MKEnc(1) represents a ciphertext of 1.
(ca'[i], cb[i], cc[i], MKEnc(1)) = hom-CAS(t[i], cb[i-1], cc[i-1], MKEnc(1)), where i = 2,3,…,k
Referring to FIG. 5, the three types of adders are as follows:
The multi-key fully homomorphic 0-class adder (cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MKbootsXOR(cc[i],MKbootsXOR(ca[i],cb[i]))
cc[i+1]=MKbootsOR(MKbootsAND(ca[i],cb[i]),MKbootsAND(cc[i],MKbootsXOR(ca[i],cb[i])))
The multi-key fully homomorphic 1-class adder (cc[i+1], cout[i]) = hom-1-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MKNOT(MKbootsXOR(cc[i],MKbootsXOR(MKNOT(ca[i]),cb[i])))
cc[i+1]=MKbootsOR(MKbootsAND(MKNOT(MKNOT(ca[i])),cb[i]),MKbootsAND(cc[i],MKbootsXOR(ca[i],cb[i])))
The multi-key fully homomorphic 2-class adder (cc[i+1], cout[i]) = hom-2-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MKbootsXOR(MKNOT(cc[i]),MKbootsXOR(ca[i],MKNOT(cb[i])))
cc[i+1]=MKNOT(MKbootsOR(MKbootsAND(ca[i],MKNOT(cb[i])),MKbootsAND(MKNOT(cc[i]),MKbootsXOR(ca[i],MKNOT(cb[i])))))
(4) Design of the multi-key fully homomorphic complement four-operation arithmetic unit
The invention constructs a complement four-operation arithmetic unit for positive and negative integers of arbitrary bit width, which comprises a multi-key fully homomorphic adder, a multi-key fully homomorphic subtractor, a multi-key fully homomorphic multiplier and a multi-key fully homomorphic divider.
(4-1) The multi-key fully homomorphic adder cout = mkfhe_ADD(ca, cb) takes as input the ciphertexts ca and cb of two k-bit addends and outputs the ciphertext cout of the k-bit result; see FIG. 6. It satisfies the following equations:
(cc[2],cout[1])=hom-0-adder(ca[1],cb[1],Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]), where i = 2,3,…,k.
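The gate equations of section (2) and the adder of (4-1) can be checked together on a plaintext model that tracks only the phase of each ciphertext. The following is an added example, not code from the patent: the encoding of a bit m as phase m/4, the decision rule of BS, the reading of bit 1 as the least significant bit of a two's complement value, and the names PhaseModel, gates_correct, to_bits, from_bits and add_encrypted are all assumptions made here. It also counts bootstraps and shows the input error bound below which the listed gate constants still decode correctly.

```python
import itertools
import random
from fractions import Fraction as F

# ASSUMPTIONS (not stated on the page): a bit m is carried as torus phase m/4
# plus an error of magnitude <= e, and BS() returns a fresh encoding of 1 when
# its input phase lies strictly within 1/4 of 1/2, otherwise a fresh 0.
QUARTER = F(1, 4)

class PhaseModel:
    """Tracks only the phase of each LWE ciphertext: no keys, no lattice."""

    def __init__(self, e=0, seed=0):
        self.e, self.rng, self.bootstraps = F(e), random.Random(seed), 0

    def enc(self, m, err=None):
        if err is None:  # fresh error drawn from {-e, 0, +e}
            err = self.e * self.rng.choice((-1, 0, 1))
        return (m * QUARTER + err) % 1

    @staticmethod
    def dec(c):
        # Decode to the nearer of the two encodings 0 and 1/4.
        return 1 if F(1, 8) < c % 1 < F(5, 8) else 0

    def BS(self, phase):
        self.bootstraps += 1
        return self.enc(1 if QUARTER < phase % 1 < 3 * QUARTER else 0)

    # Gate equations as listed on the page; the constant is the b-component.
    def AND(self, c1, c2):
        return self.BS(F(-1, 8) + c1 + c2)

    def OR(self, c1, c2):
        return self.BS(F(1, 8) + c1 + c2)

    def NOR(self, c1, c2):
        return self.BS(F(3, 8) - c1 - c2)

    def XOR(self, c1, c2):
        return self.BS(2 * (c1 - c2))

    def XNOR(self, c1, c2):
        return self.BS(F(1, 2) - 2 * (c1 - c2))

    def NOT(self, c):  # linear only: no bootstrap, input error is kept
        return (QUARTER - c) % 1

    def hom_0_adder(self, ca, cb, cc):
        t = self.XOR(ca, cb)  # computed once, reused for sum and carry
        cout = self.XOR(cc, t)
        carry = self.OR(self.AND(ca, cb), self.AND(cc, t))
        return carry, cout

    def mkfhe_ADD(self, ca, cb):
        cc, out = self.enc(0, F(0)), []  # Enc(0) as carry-in to bit 1
        for a, b in zip(ca, cb):
            cc, s = self.hom_0_adder(a, b, cc)
            out.append(s)
        return out  # the carry out of bit k is dropped

TRUTH = {
    "AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
    "NOR": lambda a, b: 1 - (a | b), "XOR": lambda a, b: a ^ b,
    "XNOR": lambda a, b: 1 - (a ^ b),
}

def gates_correct(e):
    """Check every bootstrapped gate on all inputs with worst-case errors +-e."""
    m, e = PhaseModel(e), F(e)
    for name, truth in TRUTH.items():
        for a, b, s1, s2 in itertools.product((0, 1), (0, 1), (-1, 1), (-1, 1)):
            out = getattr(m, name)(m.enc(a, s1 * e), m.enc(b, s2 * e))
            if m.dec(out) != truth(a, b):
                return False
    return True

def to_bits(x, k):  # two's complement, list index 0 = the page's bit 1 (LSB)
    return [(x >> i) & 1 for i in range(k)]

def from_bits(bits):
    v = sum(b << i for i, b in enumerate(bits))
    return v - (1 << len(bits)) if bits[-1] else v

def add_encrypted(x, y, k=8, e=F(1, 20), seed=1):
    """Encode x and y, run mkfhe_ADD, decode; returns (sum, bootstrap count)."""
    m = PhaseModel(e, seed)
    ca = [m.enc(b) for b in to_bits(x, k)]
    cb = [m.enc(b) for b in to_bits(y, k)]
    out = m.mkfhe_ADD(ca, cb)
    return from_bits([m.dec(c) for c in out]), m.bootstraps

if __name__ == "__main__":
    print(gates_correct(F(1, 17)), gates_correct(F(1, 16)), add_encrypted(-5, 3))
```

Under these assumptions every gate input must carry an error strictly below 1/16, and one k-bit addition costs 5k bootstraps when the inner XOR is shared between the sum and the carry.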
(4-2) The multi-key fully homomorphic subtractor cout = mkfhe_SUB(ca, cb) takes as input the ciphertexts ca and cb of the k-bit minuend and subtrahend and outputs the ciphertext cout of the k-bit result; see FIG. 7. It satisfies the following equations:
ca’=hom-NOT(ca)
cb’=hom-NOT(cb)
(cc[2],cout[1])=hom-0-adder(ca’[1],cb’[1],Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca'[i], cb'[i], cc[i]), where i = 2,3,…,k
(4-3) The multi-key fully homomorphic multiplier cout = mkfhe_MUL(ca, cb) takes as input the ciphertexts ca and cb of the k-bit multiplicand and multiplier and outputs the ciphertext cout of the 2k-bit result; see FIG. 8. It is constructed using the following steps:
(4-3-1) Calculate the sign bit of the result: cout[1] = MKbootsAND(ca[1], cb[1]).
(4-3-2) The adders are arranged in k rows and k-1 columns, numbered from top to bottom and from right to left. The inputs and outputs are set according to the following rules:
(4-3-2-1) In row 1, the j-th adder has input ca = MKbootsAND(ca[j+1], cb[1]) and input cb = MKbootsAND(ca[j], cb[2]); the input cc in the first row is 0; the outputs are cc'[1][j] and cout[1][j], respectively.
(4-3-2-2) In row i, the (k-1)-th adder has input ca = MKbootsAND(ca[k], cb[i-1]) and the other adders have input ca = cout[i-1][j+1]; the input cb in row i is MKbootsAND(ca[j], cb[i+1]), the input cc is cc'[i-1][j], and the outputs are cc'[i][j] and cout[i][j], respectively, where i = 2,3,…,k-1.
(4-3-2-3) In row k, the 0th adder has input ca = cout[k-1][j+1], input cb = Enc(0) and input cc = cc'[k-1][j]; the 2nd to (k-2)-th adders have input ca = cout[k-1][j+1], input cb = cc'[k][j-1] and input cc = cc'[k-1][j]; the (k-1)-th adder has input ca = MKbootsAND(ca[k], cb[k]), input cb = cc'[k][j-1] and input cc = cc'[k-1][j].
(4-3-3) The most significant bits (ca[k-1] and cb[k-1]) of the complement addends are given a weight of -1, and the adder is selected according to the following rules:
(4-3-3-1) If neither of the two inputs ca and cb has a weight, a multi-key fully homomorphic 0-class adder is used.
(4-3-3-2) If one of the two inputs ca and cb has a weight of -1, a multi-key fully homomorphic 1-class adder is used.
(4-3-3-3) If both inputs ca and cb have a weight of -1, a multi-key fully homomorphic 2-class adder is used.
(4-3-3-4) If one of the two inputs ca and cb is the output of a multi-key fully homomorphic 2-class adder, a multi-key fully homomorphic 2-class adder is used.
(4-3-4) Composition of the final result:
cout[1]=MKbootsAND(ca[1],cb[1])
cout[i] = cout[i-1][1], where i = 2,3,…,k
cout[i] = cout[k][i-k], where i = k+1, k+2, …, 2k-1
cout[2k]=cc’[k][k-1]
(4-4) The multi-key fully homomorphic divider cout = mkfhe_MUL(ca, cb) takes as input the ciphertext ca of a 2k-bit dividend and the ciphertext cb of a k-bit divisor, and outputs the ciphertext cq of a k-bit quotient and the ciphertext cr of a k-bit result; see FIG. 9. It is constructed using the following steps:
(4-4-1) First, the multi-key fully homomorphic complementer is used to perform the complement operation, giving the complement results of the dividend and the divisor:
ca’=hom-CD(ca)
cb’=hom-CD(cb)
(4-4-2) Calculate cq'[1] = MKbootsXOR(ca'[1], cb'[1]) to obtain the ciphertext of the sign bit of the quotient.
(4-4-3) Use (k-1)^2 hom-CAS units arranged in k-1 rows and k-1 columns, numbered sequentially from top to bottom and from left to right. The function of the j-th hom-CAS in row i is: (cout[i][j], cb'[i][j], cc'[i+i][j], cp[i][j]) = hom-CAS(ca[i][j], cb[i][j], cc[i][j], cp[i][j]), subject to the following conditions:
(4-4-3-1) If i = 1 and j = 1, the input ca is Enc(0), the input cb is Enc(0), the input cp is Enc(1) and the input cc is cc'[1][2].
(4-4-3-2) If i = 1 and j = 2,3,…,k-1, the input ca is ca'[j], the input cb is cb'[j], the input cp is cp[1][j-1] and the input cc is cc'[1][j+1]. When j = k-1, the input ca is ca'[k+1] and the input cc is cp.
(4-4-3-3) If i = 2,3,…,k-1, the input ca is cout[i-1][j+1], the input cb is cb'[i-1][j], the input cp is cp[i][j-1] and the input cc is cc'[i][j+1]. When j = k-1, the input ca is ca'[k+i] and the input cc is cp.
(4-4-3-4) The output cout[i][j] of the hom-CAS is discarded if j = 1, and the output cb'[i][j] of the hom-CAS is discarded if i = k-1.
(4-3-4) The ciphertext cq' of the quotient in original-code form is composed as follows:
cq’[1]=MKbootsXOR(ca’[1],cb’[1])
cq'[i] = cc[i][1], where i = 2,3,…,k
(4-3-5) The ciphertext cr' of the remainder in original-code form is composed as follows:
cr'[i] = cout[k-1][j], where j = 1,2,…,k
(4-3-6) The multi-key fully homomorphic complementer is used to perform the complement operation, giving the ciphertexts of the quotient and the remainder in their final complement form:
Quotient: cq = hom-CD(cq')
Remainder: cr = hom-CD(cr')
Referring to fig. 10, in another embodiment of the present application, a method for operating a complement arithmetic unit based on a multi-key homomorphic scheme is further provided, which includes the following steps:
S1, the Common Reference String (CRS) server generates the set of parameters required for this operation by calling the setting function of multi-key homomorphic encryption = (1^) and publishes the parameter set; the participants and the cloud server receive the parameter set for the subsequent steps.
S2, the participant inputs the parameter set, invokes the key generation function (,,,) = generates the respective private key and public key independently {,, } for e [ ], and sends the public key part (ciphertext expansion key, bootstrap key, and translation key) to the cloud server.
S3, the participants call the encryption function _ i =. (_, _) to encrypt data using their respective private keys, and send the result of encryption _ to the cloud server.
S4, the cloud server, which has strong computing power, first uses the participants' ciphertext expansion keys to perform the fully homomorphic ciphertext expansion operation on ciphertexts 1 and 2, which are encrypted under different private keys, expanding the ciphertexts that different participants encrypted under their respective keys into ciphertexts encrypted under a combined key (including the keys of all participants); it then uses the bootstrap keys and key conversion keys of all participants to call a series of multi-key homomorphic encryption operation functions (such as the multi-key homomorphic bootstrap NAND gate) to perform the multi-key fully homomorphic operation, and finally sends the operation result to each participant.
S5, each participant calls the decryption function =. (,) and decrypts with the private key to obtain the plaintext result.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the program is executed. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (3)

1. The complementary code arithmetic unit based on the multi-key fully homomorphic scheme is characterized by comprising a multi-key fully homomorphic addition arithmetic unit, a multi-key fully homomorphic subtraction arithmetic unit, a multi-key fully homomorphic multiplication arithmetic unit and a multi-key fully homomorphic division arithmetic unit;
the multi-key fully homomorphic adder is composed of a multi-key fully homomorphic 0-class adder; the multi-key fully homomorphic subtracter consists of a multi-key fully homomorphic 0-type adder and a multi-key fully homomorphic negation extractor; the multi-key fully homomorphic multiplier consists of a multi-key fully homomorphic 0-class adder, a multi-key fully homomorphic 1-class adder, a multi-key fully homomorphic 2-class adder and a multi-key fully homomorphic AND gate; the multi-key fully homomorphic divider consists of a multi-key fully homomorphic complementer, a multi-key fully homomorphic CAS unit and a multi-key fully homomorphic XOR gate;
the multi-key fully homomorphic 0-class adder is composed of a multi-key fully homomorphic bootstrap AND gate, a multi-key fully homomorphic bootstrap OR gate and a multi-key fully homomorphic bootstrap XOR gate; the multi-key fully homomorphic 1-class adder and the multi-key fully homomorphic 2-class adder are each composed of a multi-key fully homomorphic bootstrap AND gate, a multi-key fully homomorphic bootstrap OR gate, a multi-key fully homomorphic bootstrap XOR gate and a multi-key fully homomorphic NOT gate; the multi-key fully homomorphic negation extractor is composed of a multi-key fully homomorphic NOT gate; the multi-key fully homomorphic complementer is composed of a multi-key fully homomorphic bootstrap XOR gate and a multi-key fully homomorphic CAS unit; and the multi-key fully homomorphic CAS unit is composed of a multi-key fully homomorphic bootstrap AND gate, a multi-key fully homomorphic bootstrap OR gate and a multi-key fully homomorphic NOT gate;
the multi-key fully homomorphic 0-class adder (cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MKboots XOR (cc[i],MKboots XOR (ca[i],cb[i]))
cc[i+1]=MKboots OR (MKboots AND (ca[i],cb[i]),MKboots AND (cc[i],MKboots XOR (ca[i],cb[i])))
the multi-key fully homomorphic 1-class adder (cc[i+1], cout[i]) = hom-1-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MK NOT (MKboots XOR (cc[i],MKboots XOR (MK NOT (ca[i]),cb[i])))
cc[i+1]=MKboots OR (MKboots AND (MK NOT (MK NOT (ca[i])),cb[i]),MKboots AND (cc[i],MKboots XOR (ca[i],cb[i])))
the multi-key fully homomorphic 2-class adder (cc[i+1], cout[i]) = hom-2-adder(ca[i], cb[i], cc[i]) takes 2 input bits ca[i], cb[i] and a carry bit cc[i], and outputs a carry bit cc[i+1] and an output bit cout[i], satisfying the following formulas:
cout[i]=MKboots XOR (MK NOT (cc[i]),MKboots XOR (ca[i],MK NOT (cb[i])))
cc[i+1]=MK NOT (MKboots OR (MKboots AND (ca[i],MK NOT (cb[i])),MKboots AND (MK NOT (cc[i]),MKboots XOR (ca[i],MK NOT (cb[i])))));
the operation rule is as follows:
the multi-key fully homomorphic adder cout = mkfhe_ADD(ca, cb) takes as input the ciphertexts ca and cb of two k-bit addends and outputs the ciphertext cout of the k-bit result, satisfying the following equations:
(cc[2],cout[1])=hom-0-adder(ca[1],cb[1],Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca[i], cb[i], cc[i]), where i = 2,3,…,k
the multi-key fully homomorphic subtractor cout = mkfhe_SUB(ca, cb) takes as input the ciphertexts ca and cb of the k-bit minuend and subtrahend and outputs the ciphertext cout of the k-bit result, satisfying the following equations:
ca’=hom-NOT(ca)
cb’=hom-NOT(cb)
(cc[2],cout[1])=hom-0-adder(ca’[1],cb’[1],Enc(0))
(cc[i+1], cout[i]) = hom-0-adder(ca'[i], cb'[i], cc[i]), where i = 2,3,…,k;
the multi-key fully homomorphic negation extractor ca' = hom-NOT(ca) negates the input multi-key homomorphically encrypted ciphertext, inverting (interchanging 0 and 1) the plaintext of the input ciphertext; for a k-bit input ca[1], ca[2], …, ca[k], it outputs ca'[1], ca'[2], …, ca'[k], satisfying:
ca’[i]=MK NOT (ca[i]),i=1,2,…,k;
the multi-key fully homomorphic complementer ca' = hom-CD(ca) converts its input between complement form and original form; for a k-bit input ca[1], ca[2], …, ca[k], it outputs ca'[1], ca'[2], …, ca'[k], satisfying the following equations:
t[1]=MKboots XOR (ca[1],ca[2])
t[i] = MKboots XOR (t[i-1], ca[i+1]), where i = 2,3,…,k
ca’[1]=t[k]
(ca'[2], cb[1], cc[1], MKEnc(1)) = hom-CAS(t[1], ca[1], MKEnc(0), MKEnc(1)), where MKEnc(0) represents a ciphertext of 0 and MKEnc(1) represents a ciphertext of 1;
(ca'[i], cb[i], cc[i], MKEnc(1)) = hom-CAS(t[i], cb[i-1], cc[i-1], MKEnc(1)), where i = 2,3,…,k;
the multi-key fully homomorphic multiplier cout = mkfhe_MUL(ca, cb) takes as input the ciphertexts ca and cb of the k-bit multiplicand and multiplier, outputs the ciphertext cout of the 2k-bit result, and is constructed by the following steps:
(1) calculating the sign bit of the result, cout[1] = MKboots AND (ca[1], cb[1]);
(2) arranging adders in k rows and k-1 columns, numbered from top to bottom and from right to left, and setting the inputs and outputs according to the following rules:
(2-1) in row 1, the j-th adder has input ca = MKboots AND (ca[j+1], cb[1]) and input cb = MKboots AND (ca[j], cb[2]); the input cc in the first row is 0; the outputs are cc'[1][j] and cout[1][j], respectively;
(2-2) in row i, the (k-1)-th adder has input ca = MKboots AND (ca[k], cb[i-1]) and the other adders have input ca = cout[i-1][j+1]; the input cb in row i is MKboots AND (ca[j], cb[i+1]), the input cc is cc'[i-1][j], and the outputs are cc'[i][j] and cout[i][j], respectively, where i = 2,3,…,k-1;
(2-3) in row k, the 0th adder has input ca = cout[k-1][j+1], input cb = Enc(0) and input cc = cc'[k-1][j]; the 2nd to (k-2)-th adders have input ca = cout[k-1][j+1], input cb = cc'[k][j-1] and input cc = cc'[k-1][j]; the (k-1)-th adder has input ca = MKboots AND (ca[k], cb[k]), input cb = cc'[k][j-1] and input cc = cc'[k-1][j];
(3) the most significant bits (ca[k-1] and cb[k-1]) of the complement addends are given a weight of -1, and the adder is selected according to the following rules:
(3-1) if neither of the two inputs ca and cb has a weight, using a multi-key fully homomorphic 0-class adder;
(3-2) if one of the two inputs ca and cb has a weight of -1, using a multi-key fully homomorphic 1-class adder;
(3-3) if the weights of the two inputs ca and cb are both -1, using a multi-key fully homomorphic 2-class adder;
(3-4) if one of the two inputs ca and cb is the output of the multi-key fully homomorphic 2-class adder, using the multi-key fully homomorphic 2-class adder;
(4) the final result is composed as follows:
cout[1]=MKboots AND (ca[1],cb[1])
cout[i] = cout[i-1][1], where i = 2,3,…,k
cout[i] = cout[k][i-k], where i = k+1, k+2, …, 2k-1
cout[2k]=cc’[k][k-1];
the multi-key fully homomorphic divider cout = mkfhe_MUL(ca, cb) takes as input the ciphertext ca of a 2k-bit dividend and the ciphertext cb of a k-bit divisor, outputs the ciphertext cq of a k-bit quotient and the ciphertext cr of a k-bit result, and is constructed by the following steps:
(1) first, using the multi-key fully homomorphic complementer to perform the complement operation, obtaining the complement results of the dividend and the divisor:
ca’=hom-CD(ca)
cb’=hom-CD(cb)
(2) calculating cq'[1] = MKboots XOR (ca'[1], cb'[1]) to obtain the ciphertext of the sign bit of the quotient;
(3) using (k-1)^2 hom-CAS units arranged in k-1 rows and k-1 columns, numbered sequentially from top to bottom and from left to right, where the function of the j-th hom-CAS in row i is: (cout[i][j], cb'[i][j], cc'[i+i][j], cp[i][j]) = hom-CAS(ca[i][j], cb[i][j], cc[i][j], cp[i][j]), subject to the following conditions:
(3-1) if i = 1 and j = 1, the input ca is Enc(0), the input cb is Enc(0), the input cp is Enc(1) and the input cc is cc'[1][2];
(3-2) if i = 1 and j = 2,3,…,k-1, the input ca is ca'[j], the input cb is cb'[j], the input cp is cp[1][j-1] and the input cc is cc'[1][j+1]; when j = k-1, the input ca is ca'[k+1] and the input cc is cp;
(3-3) if i = 2,3,…,k-1, the input ca is cout[i-1][j+1], the input cb is cb'[i-1][j], the input cp is cp[i][j-1] and the input cc is cc'[i][j+1]; when j = k-1, the input ca is ca'[k+i] and the input cc is cp;
(3-4) discarding the output cout[i][j] of the hom-CAS if j = 1, and discarding the output cb'[i][j] of the hom-CAS if i = k-1;
(4) the ciphertext cq' of the quotient in original-code form is composed as follows:
cq'[1] = MKboots XOR (ca'[1], cb'[1])
cq'[i] = cc[i][1], where i = 2,3,…,k
(5) the ciphertext cr' of the remainder in original-code form is composed as follows:
cr'[i] = cout[k-1][j], where j = 1,2,…,k
(6) using the multi-key fully homomorphic complementer to perform the complement operation, obtaining the ciphertexts of the quotient and the remainder in their final complement form:
quotient: cq = hom-CD(cq')
remainder: cr = hom-CD(cr');
when the control bit cp corresponds to plaintext 0, the multi-key fully homomorphic CAS unit performs the addition of ca[i] and cb[i]: it takes the 2 input bits ca[i] and cb[i], a carry bit cc[i] and the control bit cp, and outputs the 2 output bits cout[i] and cb[i], a carry bit cc[i+1] and the control bit cp, as given by the following formulas:
cout[i]=MKboots XOR (cc[i],MKboots XOR (ca[i],cb[i]))
cb[i]=cb[i]
cc[i+1]=MKboots OR (MKboots AND (ca[i],cc[i]),MKboots AND (MKboots OR (ca[i],cc[i]),cb[i]))
cp=cp
when the control bit cp corresponds to plaintext 1, the hom-CAS unit performs the subtraction of ca[i] and cb[i]: it takes the 2 input bits ca[i] and cb[i], a borrow bit cc[i] and the control bit cp, and outputs the 2 output bits cout[i] and cb[i], a borrow bit cc[i+1] and the control bit cp, as given by the following formulas:
cout[i]=MKboots XOR (cc[i],MKboots XOR (ca[i],MK NOT(cb[i])))
cb[i]=cb[i]
cc[i+1]=MKboots OR(MKboots AND (ca[i],cc[i]),MKboots AND (MKboots OR (ca[i],cc[i]),MK NOT (cb[i])))
cp=cp.
2. The complement arithmetic unit according to claim 1, wherein the multi-key fully homomorphic bootstrap AND gate, the multi-key fully homomorphic bootstrap OR gate, the multi-key fully homomorphic NOT gate, the multi-key fully homomorphic bootstrap NAND gate, the multi-key fully homomorphic bootstrap NOR gate, the multi-key fully homomorphic bootstrap XOR gate and the multi-key fully homomorphic bootstrap XNOR gate operate as follows: ciphertext expansion is first performed on the two inputs c1 and c2, which are encrypted under different keys, to obtain ciphertexts c1' and c2' encrypted under the combined key, and the gate operation is then performed by evaluating the following equations:
multi-key fully homomorphic bootstrap AND gate (c = MKboots AND (c1, c2)): c = BS((0, -1/8) + c1 + c2)
multi-key fully homomorphic bootstrap OR gate (c = MKboots OR (c1, c2)): c = BS((0, 1/8) + c1 + c2)
multi-key fully homomorphic NOT gate (c' = MK NOT (c)): c' = (0, 1/4) - c
multi-key fully homomorphic bootstrap NOR gate (c = MKboots NOR (c1, c2)): c = BS((0, 3/8) - c1 - c2)
multi-key fully homomorphic bootstrap XOR gate (c = MKboots XOR (c1, c2)): c = BS(2·(c1 - c2))
multi-key fully homomorphic bootstrap XNOR gate (c = MKboots XNOR (c1, c2)): c = BS((0, 1/2) - 2·(c1 - c2))
where BS denotes bootstrapping.
3. The method of any one of claims 1-2, comprising the steps of:
a public reference character string CRS server generates and discloses a parameter set required by the operation by calling a setting function of multi-key homomorphic encryption = (1^), and a participant and a cloud server receive the parameter set to perform the subsequent steps;
a participant inputs the parameter set, calls a key generation function (_, _, _.) =. () to independently generate a private key and a public key { ___, _ and _ [ ], and sends the public key part to the cloud server, wherein the public key part comprises a ciphertext expansion key, a bootstrap key and a conversion key;
the participants call an encryption function i = encrypt data by using respective private keys, and send an encrypted result to the cloud server;
the cloud server firstly uses ciphertext expansion keys of the participants to perform full homomorphic ciphertext expansion operation on ciphertexts 1 and 2 encrypted by different private keys, expands the ciphertexts encrypted by the respective keys of the different participants into ciphertexts encrypted by a combined key, then uses bootstrap keys and key conversion keys of all the participants to call a series of multi-key homomorphic encryption operation functions to perform multi-key full homomorphic operation, and finally sends operation results to the participants;
each participant calls a decryption function =. (,) and obtains a plaintext result by using a private key for decryption.
CN202210424254.0A 2022-04-22 2022-04-22 Complementary code arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme Active CN114553394B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210424254.0A CN114553394B (en) 2022-04-22 2022-04-22 Complementary code arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme


Publications (2)

Publication Number Publication Date
CN114553394A CN114553394A (en) 2022-05-27
CN114553394B true CN114553394B (en) 2022-08-16

Family

ID=81667256

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210424254.0A Active CN114553394B (en) 2022-04-22 2022-04-22 Complementary code arithmetic unit and arithmetic method based on multi-key fully homomorphic scheme

Country Status (1)

Country Link
CN (1) CN114553394B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412786A (en) * 2018-11-14 2019-03-01 沈阳航空航天大学 A kind of integer ciphertext arithmetic operation method based on homomorphic cryptography
WO2021220278A1 (en) * 2020-04-27 2021-11-04 B.G. Negev Technologies And Applications Ltd., At Ben-Gurion University System and method for fast, post-quantum blockchain concensus generation and smart contracts execution
CN113630234A (en) * 2020-05-08 2021-11-09 三星电子株式会社 Encryption method and device using homomorphic encryption

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10977871B2 (en) * 2018-04-25 2021-04-13 International Business Machines Corporation Delivery of a time-dependent virtual reality environment in a computing system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant