CN115834020A - Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment - Google Patents

Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment

Info

Publication number
CN115834020A
CN115834020A
Authority
CN
China
Prior art keywords
rlwe
ciphertext
encryption
homomorphic
twiddle
Prior art date
Legal status
Pending
Application number
CN202211384665.8A
Other languages
Chinese (zh)
Inventor
顾振
边松
苏乐
汪晟
李飞飞
任轩乐
Current Assignee
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba China Co Ltd
Priority to CN202211384665.8A
Publication of CN115834020A
Legal status: pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiments of the invention provide a homomorphic encryption bootstrapping method and apparatus, a processor, a system on chip and a computing device. The method comprises: homomorphically encrypting, with an RLWE key, a plaintext belonging to a plaintext space of a first variable type to obtain a first RLWE ciphertext; determining, from a plurality of RLWE encryption matrices of an LWE private key vector, a plurality of rotation factors (twiddle factors) in the polynomial ring of the RLWE key, the polynomial ring corresponding to a plaintext space of a second variable type; and rotating the first RLWE ciphertext by the rotation factors in turn to obtain a homomorphically decrypted second RLWE ciphertext. In this scheme the bootstrapping step itself converts the plaintext carried by the RLWE ciphertext from the plaintext space of the first variable type to the plaintext space of the second variable type, which improves the efficiency of computation over encrypted data.

Description

Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a homomorphic encryption bootstrap method and device, a processor, a system on chip and a computing device.
Background
Homomorphic encryption is one of the standard tools for outsourced computation and, because it needs little interaction between the parties and rests on a well-defined security model, one of the most active areas of privacy-preserving computation.
Fully homomorphic encryption can evaluate additions and multiplications directly on encrypted data, with security guaranteed by cryptographic proofs. As the depth and complexity of the encrypted computation grow, the noise carried by the ciphertext grows with it, and once the noise exceeds the decoding bound the ciphertext can no longer be decrypted correctly. The bootstrapping algorithm of fully homomorphic encryption refreshes the ciphertext, reducing its noise before too much has accumulated, so that the encrypted computation can continue.
Fast Fully Homomorphic Encryption over the Torus (TFHE) is strong at Boolean operations and supports computation of unbounded depth through its bootstrapping algorithm, but at large depth the cost of bootstrapping dominates and the efficiency of the encrypted computation is low.
Disclosure of Invention
Embodiments of the present invention provide a homomorphic encryption bootstrapping method and apparatus, a processor, a system on chip, and a computing device to at least partially solve the above problems.
According to a first aspect of the embodiments of the present invention, there is provided a homomorphic encryption bootstrapping method, including: homomorphically encrypting, with an RLWE key, a plaintext belonging to a plaintext space of a first variable type to obtain a first RLWE ciphertext; determining, from a plurality of RLWE encryption matrices of an LWE private key vector, a plurality of rotation factors (also called twiddle factors) in the polynomial ring of the RLWE key, the polynomial ring corresponding to a plaintext space of a second variable type; and rotating the first RLWE ciphertext by the plurality of rotation factors in turn to obtain a homomorphically decrypted second RLWE ciphertext.
In another implementation of the invention, the method further comprises: encrypting each element of the LWE private key vector separately to obtain the plurality of RLWE encryption matrices.
In another implementation of the invention, the method further comprises: obtaining an LWE public key vector corresponding to the LWE private key vector (the mask vector a of the LWE ciphertext), wherein the LWE public key vector corresponds to the plaintext space of the first variable type; and determining the plurality of rotation factors from the plurality of RLWE encryption matrices comprises: determining the plurality of rotation factors in the polynomial ring of the RLWE key from the plurality of RLWE encryption matrices of the LWE private key vector together with the LWE public key vector.
In another implementation of the present invention, rotating the first RLWE ciphertext by the plurality of rotation factors in turn to obtain a homomorphically decrypted second RLWE ciphertext comprises: rotating the first RLWE ciphertext by the current rotation factor among the plurality of rotation factors to obtain a second RLWE ciphertext; and outputting the second RLWE ciphertext as the homomorphically decrypted result if there is no next rotation factor among the plurality of rotation factors.
In another implementation of the present invention, rotating the first RLWE ciphertext by the plurality of rotation factors in turn further comprises: if there is a next rotation factor among the plurality of rotation factors, taking it as the current rotation factor and repeating the rotation.
In another implementation of the invention, the method further comprises: performing polynomial decomposition of the first RLWE ciphertext with respect to a second modulus of the plaintext space of the second variable type to obtain a plurality of decomposition polynomials; and rotating the first RLWE ciphertext by the current rotation factor to obtain a second RLWE ciphertext comprises: determining the second RLWE ciphertext from the product of the current rotation factor (its RLWE encryption matrix) and the plurality of decomposition polynomials.
In another implementation of the invention, the method further comprises: determining a residue number system (RNS) representation of the first RLWE ciphertext with respect to a plurality of preset moduli; and converting the RNS representation into a binary representation of the first RLWE ciphertext under the second modulus; and performing polynomial decomposition of the first RLWE ciphertext comprises: performing polynomial decomposition of the binary representation of the first RLWE ciphertext to obtain the plurality of decomposition polynomials of the binary representation.
In another implementation of the present invention, determining the second RLWE ciphertext from the product of the current rotation factor and the plurality of decomposition polynomials comprises: converting the plurality of decomposition polynomials from the binary representation into the RNS representation under the plurality of preset moduli; and determining the second RLWE ciphertext from the product computed in that RNS representation.
In another implementation of the present invention, the first variable type and the second variable type are different variable types among a Boolean variable, a short integer variable and a long integer variable.
According to a second aspect of the embodiments of the present invention, there is provided a homomorphic encryption bootstrapping apparatus, including: a first encryption unit, configured to homomorphically encrypt, with an RLWE key, a plaintext belonging to a plaintext space of a first variable type to obtain a first RLWE ciphertext; a second encryption unit, configured to determine, from a plurality of RLWE encryption matrices of an LWE private key vector, a plurality of rotation factors in the polynomial ring of the RLWE key, the polynomial ring corresponding to a plaintext space of a second variable type; and a decryption unit, configured to rotate the first RLWE ciphertext by the plurality of rotation factors in turn to obtain a homomorphically decrypted second RLWE ciphertext.
According to a third aspect of embodiments of the present invention, there is provided a processor, including: the homomorphic cryptographic bootstrap apparatus of the first aspect.
According to a fourth aspect of embodiments of the present invention, there is provided a system on chip, including: the processor according to the third aspect.
According to a fifth aspect of embodiments of the present invention, there is provided a computing device comprising: the system on chip according to the fourth aspect.
In the scheme of the embodiments of the invention, the first RLWE ciphertext is rotated by a plurality of rotation factors in the polynomial ring of the RLWE key, which realizes homomorphic encryption bootstrapping. Moreover, because the first RLWE ciphertext encrypts a plaintext of the plaintext space of the first variable type while the polynomial ring corresponds to the plaintext space of the second variable type, the bootstrapping itself converts the plaintext of the RLWE ciphertext from the first plaintext space to the second; no separate plaintext-space conversion is needed before or after bootstrapping, and the efficiency of computation over encrypted data is improved.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below. These drawings show only some of the embodiments of the invention; a person skilled in the art can derive other drawings from them.
Fig. 1 is a schematic diagram of a homomorphic encryption process according to one example.
FIG. 2 is an exemplary block diagram of a computing device employing a homomorphic encryption component in accordance with one embodiment of the present invention.
Fig. 3 is a flowchart illustrating steps of a homomorphic encryption bootstrapping method according to an embodiment of the present invention.
Fig. 4 is a schematic block diagram of a homomorphic encryption bootstrapping apparatus according to another embodiment of the present invention.
FIG. 5 is a schematic block diagram of a processor according to another embodiment of the invention.
FIG. 6 is a schematic block diagram of a system on chip according to another embodiment of the invention.
Detailed Description
To help those skilled in the art understand the technical solutions of the embodiments of the present invention, these solutions are described in detail below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art obtains from them fall within the scope of protection of the embodiments of the invention.
The following further describes specific implementation of the embodiments of the present invention with reference to the drawings.
Homomorphic Encryption (HE) refers to a form of encryption that allows computations to be performed on ciphertext to produce encrypted results that, when decrypted, match the results of operations as if they were performed in plaintext.
As shown in Fig. 1, in process 1 a plaintext m is homomorphically encrypted under a first key (drawn as a box) to obtain an initial ciphertext. In process 2 the encrypted computation F is evaluated on the initial ciphertext to obtain a first ciphertext of F(m); the noise produced during the computation accumulates, and the reliability of decryption deteriorates. In process 3 the first ciphertext is converted, using a second key (drawn as a circle), into a second ciphertext of F(m) from which the noise of the computation has been removed, and the encrypted computation continues on the second ciphertext.
In one example, the first ciphertext of F(m) is encrypted under the second key in process 31, and in process 32 the decryption under the first key is evaluated homomorphically inside the encryption under the second key, yielding the second ciphertext of F(m).
In modern HE schemes the ciphertext is an element of an algebraic ring of high dimension with large coefficients. Compared with plain Learning With Errors (LWE), Ring Learning With Errors (RLWE) is the usual choice of ring: multiplying two ciphertexts means multiplying high-degree polynomials (e.g., degree 8192) whose coefficients are reduced modulo a large integer (e.g., 220 bits).
Example application areas of HE include medicine, finance and, in general, any area that benefits from the combined analysis of data contributed by multiple parties. Example workloads of HE applications include, but are not limited to, logistic regression training, Bayesian inference and neural networks.
TFHE (Fast Fully Homomorphic Encryption over the Torus; see the paper "TFHE: Fast Fully Homomorphic Encryption over the Torus") is strong at Boolean operations and supports unbounded computation depth through its bootstrapping algorithm, but at large depth the cost of bootstrapping is high and the efficiency of the encrypted computation is correspondingly low. The embodiments of the invention provide a series of schemes that improve this efficiency.
Examples of software environments and hardware environments to which aspects of embodiments of the invention may be applied are described below in conjunction with FIG. 2. In fig. 2, computing device 100 represents a communication and data processing device that includes or represents (without limitation) a smart voice command device, a smart personal assistant, a home/office automation system, a home appliance (e.g., washing machine, television, etc.), a mobile device (e.g., smartphone, tablet computer, etc.), a gaming device, a handheld device, a wearable device (e.g., smart watch, smart bracelet, etc.), a Virtual Reality (VR) device, a Head Mounted Display (HMD), an internet of things (IoT) device, a laptop computer, a desktop computer, a server computer, a set-top box (e.g., internet-based cable set-top box, etc.), a Global Positioning System (GPS) -based device, an automotive infotainment device, etc.
In some embodiments, computing device 100 includes, works with, is embedded in or otherwise facilitates any number and type of other intelligent devices, such as, but not limited to, autonomous machines or artificial intelligence agents, for example mechanical, electronic, virtual or electromechanical agents or machines. Examples of autonomous machines or artificial intelligence agents include, but are not limited to, robots, autonomous vehicles (e.g., self-driving cars, aircraft or boats), autonomous devices, autonomous construction vehicles, autonomous medical devices, and so forth. Further, "autonomous vehicles" are not limited to automobiles but may include any number and type of autonomous machines, such as robots, autonomous devices and home autonomous devices, and any one or more tasks or operations associated with such autonomous machines may be referred to interchangeably with autonomous driving.
Further, for example, computing device 100 may include a computer platform, such as a system on a chip ("SoC"), that carries an integrated circuit ("IC") on which the various hardware and/or software components of computing device 100 are integrated on a single chip.
As shown, in one embodiment, computing device 100 may include any number and type of hardware and/or software components, such as, but not limited to, a graphics processing unit ("GPU" or simply "graphics processor") 114, a graphics driver (also referred to as a "GPU driver," "graphics driver logic," "driver logic," User Mode Driver (UMD), user Mode Driver Framework (UMDF), or simply "driver") 115, a central processing unit ("CPU" or simply "application processor") 112, a memory 108, a network device, a driver, etc., and an input/output (I/O) source 104, such as a touchscreen, touchpad, virtual or conventional keyboard, virtual or conventional mouse, port, connector, etc. Computing device 100 may include an Operating System (OS) 106 that serves as an interface between hardware and/or physical resources of computing device 100 and a user.
It should be appreciated that for certain embodiments systems equipped with fewer or more components than the above examples may be used. The configuration of computing device 100 may therefore vary from implementation to implementation depending on a number of factors, such as price constraints, performance requirements, technological improvements or other circumstances.
Embodiments may be implemented as any one or combination of the following: one or more microchips or integrated circuits interconnected using a motherboard, hardwired logic, software stored by a memory device and executed by a microprocessor, firmware, an Application Specific Integrated Circuit (ASIC), and/or a Field Programmable Gate Array (FPGA). The terms "logic," "module," "component," "engine," "circuitry," "element," and "mechanism" may include, for example, software, hardware, and/or combinations thereof, such as firmware.
In one embodiment, as shown, HE component 110 may be hosted by memory 108 in communication with I/O source(s) 104 of computing device 100, such as a microphone, speakers, and the like. In another embodiment, HE component 110 may be part of or hosted by operating system 106. In yet another embodiment, HE component 110 may be hosted or facilitated by a graphics driver 115. In yet another embodiment, HE component 110 may be hosted by or part of hardware accelerator 114; for example, the HE component 110 may be embedded in or implemented as part of the processing hardware of the hardware accelerator 114, such as in the form of the HE component 140. In yet another embodiment, HE component 110 may be hosted by or be a part of a graphics processing unit ("GPU" or simply "graphics processor") 116 or firmware of the graphics processor 116; for example, the HE component may be embedded in or implemented as part of the processing hardware of the graphics processor 116, such as in the form of the HE component 130. Similarly, in yet another embodiment, HE component 110 may be hosted by or be part of a central processing unit ("CPU" or simply "application processor") 112; for example, HE component 120 may be embedded in or implemented as part of the processing hardware of application processor 112, such as in the form of HE component 120. In some embodiments, HE component 110 may be provided by one or more processors including one or more of a graphics processor, an application processor, and another processor, where the one or more processors are co-located on a common semiconductor package.
It is contemplated that embodiments are not limited to certain specific implementations or hosts of HE component 110, and that one or more portions or components of HE component 110 may be employed or implemented as hardware, software, or any combination thereof, such as firmware. In one embodiment, for example, the HE component may be hosted by a machine learning processing unit that is different from the GPU. In another embodiment, the HE components may be distributed between the machine learning processing unit and the CPU. In another embodiment, HE components may be distributed among the machine learning processing unit, the CPU, and the GPU. In another embodiment, HE components may be distributed among the machine learning processing unit, CPU, GPU, and hardware accelerator.
Computing device 100 may host network interface device(s) to provide access to a network, such as a LAN, a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a Personal Area Network (PAN), bluetooth, a cloud network, a mobile network (e.g., third generation (3G), fourth generation (4G), etc.), an intranet, the internet, and so forth. The network interface(s) may include, for example, a wireless network interface having an antenna, which may represent one or more antennas. The network interface(s) may also include, for example, a wired network interface to communicate with remote devices via a network cable, which may be, for example, an ethernet cable, a coaxial cable, an optical cable, a serial cable, or a parallel cable.
Fig. 3 is a flowchart illustrating the steps of a homomorphic encryption bootstrapping method according to an embodiment of the present invention. The method of this embodiment may be applied to the HE components 110 to 140 of Fig. 2, and includes:
S210: homomorphically encrypt, with the RLWE key, a plaintext belonging to the plaintext space of the first variable type to obtain a first RLWE ciphertext.
It is to be understood that the first variable type and the second variable type are different variable types among Boolean variables, short integer variables and long integer variables. For example, the first variable type is a Boolean variable and the second variable type is an integer variable, where the integer variable is a short integer variable or a long integer variable. For another example, the first variable type is a short integer variable and the second variable type is a long integer variable. The second modulus of the plaintext space of the second variable type may be matched to the word size of the processor executing the bootstrapping method, e.g., a 64-bit or a 32-bit processor.
S220: determine, from the plurality of RLWE encryption matrices of the LWE private key vector, a plurality of rotation factors in the polynomial ring of the RLWE key, the polynomial ring corresponding to the plaintext space of the second variable type.
It is understood that the polynomial ring is $R_Q = \mathbb{Z}_Q[x]/(x^N + 1)$, i.e. polynomials of degree below N with coefficients modulo Q, in which $x^N \equiv -1$.
It should also be appreciated that each element of the LWE private key vector can be encrypted separately, giving a plurality of RLWE encryption matrices. An LWE ciphertext consists of an n-dimensional vector a together with a scalar b. For an LWE plaintext μ (an integer between 0 and q/Δ − 1, where q is the LWE modulus and Δ the scaling factor), an n-dimensional LWE private key vector s and a noise term e of small absolute value, the encryption of the LWE ciphertext is as follows (the page's own formula image was not extracted; in standard LWE notation with these quantities it reads):
$b = \langle a, s\rangle + \Delta\mu + e \pmod q$
Accordingly, the decryption process is:
$\mu = \left\lfloor (b - \langle a, s\rangle)/\Delta \right\rceil \pmod{q/\Delta}$
For example, each element s[i] of the LWE private key vector is 0 or 1, with i an integer, 0 ≤ i < N (N here being the number of elements of the key vector, one rotation per element).
If s[i] = 0, then $v(x)\cdot x^{a[i]s[i]} = v(x)\cdot x^{0} = v(x)$, and likewise $v(x) + v(x)\cdot(x^{a[i]} - 1)\cdot s[i] = v(x)$. If s[i] = 1, then $v(x)\cdot x^{a[i]s[i]} = v(x)\cdot x^{a[i]}$, and $v(x) + v(x)\cdot(x^{a[i]} - 1)\cdot s[i] = v(x) + v(x)\cdot(x^{a[i]} - 1) = v(x)\cdot x^{a[i]}$. The rotation factor is therefore $x^{a[i]s[i]}$, and N successive rotations add the exponents up, realizing the inner product $\sum_i a[i]\,s[i]$ in the exponent.
S230: and sequentially rotating the first RLWE ciphertext based on the plurality of rotation factors to obtain a homomorphic decrypted second RLWE ciphertext.
It is to be understood that the rotation process may be an N-time iterative process in which, for a current twiddle factor, a homomorphic decrypted second RL WE ciphertext is output if the next twiddle factor does not exist in the plurality of twiddle factors, and the current twiddle factor is updated based on the next twiddle factor if the next twiddle factor exists in the plurality of twiddle factors.
In the scheme of the embodiment of the invention, based on a plurality of rotation factors of a polynomial ring where an RLWE key is located, a first RLWE ciphertext is subjected to rotation processing, homomorphic encryption bootstrapping is realized, in addition, the first RLWE ciphertext is obtained by homomorphic encryption of a plaintext belonging to a plaintext space of a first variable type, the polynomial ring corresponds to a plaintext space of a second variable type, in the homomorphic encryption bootstrapping process, conversion of the plaintext corresponding to the RLWE ciphertext from the plaintext space of the first variable type to the plaintext space of the second variable type is realized, conversion of the plaintext space is not required to be executed again before or after homomorphic encryption bootstrapping, and the calculation efficiency of secret calculation is improved.
In some other examples, the homomorphic encryption bootstrapping method further includes: encrypting each element of the LWE private key vector separately to obtain the plurality of RLWE encryption matrices. The plurality of RLWE encryption matrices make polynomial decomposition applicable, which improves computational efficiency.
In some other examples, the method further includes: obtaining an LWE public key vector corresponding to the LWE private key vector, wherein the LWE public key vector corresponds to the plaintext space of the first variable type. Determining the plurality of rotation factors in the polynomial ring of the RLWE key from the plurality of RLWE encryption matrices then includes: determining the plurality of rotation factors from the plurality of RLWE encryption matrices of the LWE private key vector together with the LWE public key vector. The RLWE encryption matrices never expose the LWE private key vector in the clear, so the security of the data computation is preserved throughout the bootstrapping process.
In other examples, rotating the first RLWE ciphertext by the plurality of rotation factors in turn to obtain a homomorphically decrypted second RLWE ciphertext includes: rotating the first RLWE ciphertext by the current rotation factor among the plurality of rotation factors to obtain a second RLWE ciphertext; and, if there is no next rotation factor, outputting the second RLWE ciphertext as the homomorphically decrypted result. Otherwise, if there is a next rotation factor, it becomes the current rotation factor. This iteration gives a simple rotation procedure and simplifies the homomorphic decryption.
More specifically, multiplying an RLWE ciphertext by a power of x is called rotating it, and this process is the rotation. The LWE private key vector has elements s[i] equal to 0 or 1, with i an integer, 0 ≤ i < N.
In practice, however, s[i] is a key and cannot be handled in the clear, so the rotation cannot be computed directly during the calculation with the formula (reconstructed from the discussion that follows)
$v(x)\cdot x^{a[i]s[i]} = v(x) + v(x)\cdot(x^{a[i]} - 1)\cdot s[i]$
If s[i] = 0, then $v(x)\cdot x^{a[i]s[i]} = v(x)\cdot x^{0} = v(x)$, and likewise $v(x) + v(x)\cdot(x^{a[i]} - 1)\cdot s[i] = v(x)$. If s[i] = 1, then $v(x)\cdot x^{a[i]s[i]} = v(x)\cdot x^{a[i]}$, and $v(x) + v(x)\cdot(x^{a[i]} - 1)\cdot s[i] = v(x) + v(x)\cdot(x^{a[i]} - 1) = v(x)\cdot x^{a[i]}$. The rotation factor is $x^{a[i]s[i]}$; the right-hand side, in which s[i] appears only linearly, is the form that the RLWE encryption matrix of s[i] evaluates homomorphically.
In some other examples, the homomorphic encryption bootstrapping method further includes: performing polynomial decomposition of the first RLWE ciphertext with respect to the second modulus of the plaintext space of the second variable type to obtain a plurality of decomposition polynomials. Rotating the first RLWE ciphertext by the current rotation factor to obtain a second RLWE ciphertext then includes: determining the second RLWE ciphertext from the product of the current rotation factor and the plurality of decomposition polynomials. The polynomial decomposition improves the efficiency of the products with the plurality (e.g., N) of RLWE encryption matrices.
In some other examples, the method further includes: determining a residue number system (RNS) representation of the first RLWE ciphertext with respect to a plurality of preset moduli, and converting the RNS representation into a binary representation of the first RLWE ciphertext under the second modulus. Performing polynomial decomposition of the first RLWE ciphertext then includes: performing polynomial decomposition of the binary representation of the first RLWE ciphertext to obtain the plurality of decomposition polynomials of the binary representation. In this example the binary representation of the first RLWE ciphertext improves the computational efficiency of the processor.
In other examples, determining the second RLWE ciphertext from the product of the current rotation factor and the plurality of decomposition polynomials includes: converting the plurality of decomposition polynomials from the binary representation into the RNS representation under the plurality of preset moduli, and determining the second RLWE ciphertext from the product computed in that RNS representation. In this example the RNS representation improves the efficiency of the products with the plurality of decomposition polynomials.
More specifically, continuing with the specific example described above, the RLWE encryption matrices of s[0] = 0 and s[1] = 1 are denoted Ms[0] and Ms[1], respectively. When computing the matrix-vector multiplication, each of the two polynomials of the RLWE ciphertext is decomposed into l polynomials.
For the polynomial v(x), the decomposition method is as follows:
Figure BDA0003930212640000111
where the absolute values of the coefficients of v(x) − Decompose(v(x)) · (M/B, M/B^2, ..., M/B^l) do not exceed M/B^l, M is required to satisfy M ≥ Q, and Decompose(·) denotes the decomposition process.
For example, following the TFHE scheme:
Figure BDA0003930212640000112
With v(x) = 100x + 31, M = 125, B = 5 and l = 2, the following operations are performed:
Figure BDA0003930212640000113
It can be seen that 100x + 31 − Decompose(100x + 31) · (25, 5) = 100x + 31 − (100x + 25 + 5) = 1, and the absolute value of each coefficient of the remainder is at most M/B^l = 5.
Without loss of generality, when v(x) is given in the remainder system representation, it must first be converted back from the remainder system representation to the single-modulus Q representation (an example of the binary representation based on the second modulus) using the Chinese Remainder Theorem (CRT); only then can the decomposition process such as Decompose (i.e., polynomial decomposition) proceed, because the digits of a coefficient depend on the whole integer and cannot be read off the individual residues.
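As an added example, not code from the patent, the following Python model shows the remainder-system (RNS) round trip described above. The preset moduli (3, 5, 7) are constructed; their product is Q = 105, the single modulus under which the page's rotation example below reduces its coefficients, and the gadget parameters M = 125, B = 5, l = 2 are those of the decomposition example above. It demonstrates that products can be computed residue by residue, whereas the digit decomposition only works on the CRT-reconstructed single-modulus coefficients: decomposing residue-wise yields digits that do not reconstruct the coefficient.

```python
from math import prod

# Added example (not the patent's code). Preset moduli are constructed;
# their product Q = 105 is the modulus of the page's worked rotation example.
MODULI = (3, 5, 7)
Q = prod(MODULI)
B, L, M = 5, 2, 125                              # page's decomposition example
GADGET = [M // B ** j for j in range(1, L + 1)]  # (25, 5)


def to_rns(coeffs):
    """Remainder-system representation: one residue vector per preset modulus."""
    return [[c % p for c in coeffs] for p in MODULI]


def from_rns(residues):
    """CRT: residue vectors -> coefficients in the single-modulus-Q representation."""
    out = []
    for k in range(len(residues[0])):
        total = 0
        for p, res in zip(MODULI, residues):
            q_i = Q // p                          # product of the other moduli
            total += res[k] * q_i * pow(q_i, -1, p)
        out.append(total % Q)
    return out


def rns_mul(x_rns, y_rns):
    """Product computed independently per modulus, with no carries between moduli.
    The negacyclic ring product is coefficient-wise like this once the polynomials
    are in NTT form, which is why the RNS representation makes products cheap."""
    return [[(a * b) % p for a, b in zip(xr, yr)]
            for p, xr, yr in zip(MODULI, x_rns, y_rns)]


def digits(c):
    """Page's Decompose for one coefficient: base-B digits at M/B, ..., M/B^l."""
    return [(c // g) % B for g in GADGET]


def reconstructs(coeffs, digit_polys):
    """Check that c - sum_j d_j * (M/B^j) lies in [0, M/B^l) for every coefficient."""
    for k, c in enumerate(coeffs):
        rem = c - sum(d[k] * g for d, g in zip(digit_polys, GADGET))
        if not 0 <= rem < M // B ** L:
            return False
    return True


def decompose_via_crt(residues):
    """Correct order: CRT back to Z_Q first, decompose, then return to RNS."""
    coeffs = from_rns(residues)
    digit_polys = [[digits(c)[j] for c in coeffs] for j in range(L)]
    return digit_polys, [to_rns(d) for d in digit_polys]


def decompose_residuewise(residues):
    """The wrong order: digit extraction applied to each residue vector, with the
    per-modulus results then read as an RNS encoding of the digit polynomials."""
    per_modulus = [[[digits(r)[j] for r in res] for j in range(L)] for res in residues]
    return [from_rns([per_modulus[i][j] for i in range(len(MODULI))]) for j in range(L)]


if __name__ == "__main__":
    rns = to_rns([67, 38])                         # the page's 38x + 67
    print("CRT-first digits:", decompose_via_crt(rns)[0])
    print("residue-wise digits reconstruct:", reconstructs([67, 38], decompose_residuewise(rns)))
```

Running it on the page's polynomial 38x + 67 gives the digit polynomials x + 2 and 2x + 3 when CRT is applied first, exactly as in the rotation example below, while the residue-wise route returns digit polynomials that fail the reconstruction check.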
For example, the rotation process can be expressed with Ms[i] (an example of an RLWE encryption matrix) as follows:
Initial RLWE ciphertext (an example of the first RLWE ciphertext): ct = (v_0(x), v_1(x)), for example ct = (0, 10x).
One rotation is realized as:
Figure BDA0003930212640000121
For example,
Figure BDA0003930212640000122
where the first RLWE ciphertext has the plaintext space parameter q/Δ of the first variable type;
N rotations are realized, each rotation being implemented as ct_{i+1} = ct_i + Decompose(ct_i · (x^{(a[i]·2N)/q} − 1)) · Ms[i], and the second RLWE ciphertext is obtained as CT = ct_N; the second RLWE ciphertext has the plaintext space parameter Q/Δ of the second variable type.
In one specific example, with N = 2 (all coefficients reduced modulo Q, here Q = 105, in the ring where x^2 = −1):
ct_1 = (0, 95) + Decompose((0, 95) · (x^3 − 1)) · Ms[0] = (0, 95) + Decompose((0, 10x + 10)) · Ms[0], where Decompose((0, 10x + 10)) = (0, 2x + 2), so that
ct_1 = (0, 95) + ((52x + 93)(2x + 2), (93x + 55)(2x + 2)) = (80x + 82, 86x + 19).
ct_2 = (80x + 82, 86x + 19) + Decompose((80x + 82, 86x + 19) · (x^2 − 1)) · Ms[1] = (80x + 82, 86x + 19) + Decompose((50x + 46, 38x + 67)) · Ms[1], where Decompose((50x + 46, 38x + 67)) = (2x + 1, 4, x + 2, 2x + 3), so that
ct_2 = (80x + 82, 86x + 19) + ((30x + 80)(2x + 1) + (99x + 57) · 4 + (85x + 62)(x + 2) + (18x + 93)(2x + 3), (55x + 77)(2x + 1) + (52x + 4) · 4 + (62x + 45)(x + 2) + (93x + 90)(2x + 3)) = (88x + 87, 81x + 9). Accordingly, the output ciphertext is CT = ct_2 = (88x + 87, 81x + 9) (an example of the second RLWE ciphertext).
Verifying by decrypting the ciphertext (b − a · s with the RLWE key s(x) = x), the plaintext is μ = ⌊(81x + 9 − (88x + 87) · x)/10⌉ = ⌊(−6x − 8)/10⌉ = −x − 1. It can be seen that the constant term of the plaintext polynomial under Q/Δ is −1, i.e., (a, b) is an RLWE ciphertext of −1, the negation of the plaintext 1, and the conversion from parameter q/Δ to parameter Q/Δ is completed.
That is, based on the LWE private key vector and the LWE public key vector, the plurality of RLWE encryption matrices based on the RLWE key (e.g., Ms[0] and Ms[1] above) and the plurality of twiddle factors of the polynomial ring where the RLWE key is located are determined (e.g., by the processing methods of the TFHE technique). In the polynomial decomposition (Decompose) process, the conversion from the plaintext space of the first variable type to the plaintext space of the second variable type is realized through the conversion from the remainder system representation to the single-modulus Q representation; and since the polynomial decomposition takes place inside the rotation operation, the plaintext space conversion is achieved at the same time as the ciphertext noise reduction.
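As an added example (not code from the patent, nor from any TFHE library), the rotation step above in Python, run on the page's own numbers. Q = 105 and the RLWE key s(x) = x are not stated explicitly on the page; they are the values under which all of the page's intermediate results reduce (e.g. 95 · (x^3 − 1) = 10x + 10 mod 105, and decryption computes b − a · x). Ms[1] is given in full; of Ms[0] only the row multiplied by the nonzero digit 2x + 2 is given, so the remaining rows are filled with the trivial ciphertext (0, 0), an assumption that does not affect the product since the corresponding digits are zero.

```python
# Added example (not code from the patent): a model of the rotation step
# ct_{i+1} = ct_i + Decompose(ct_i * (x^k - 1)) * Ms[i] over Z_Q[x]/(x^N + 1),
# using the parameters of the page's worked example. Q = 105 and s(x) = x are
# assumptions: they are the values under which the page's numbers reduce.
Q, N, DELTA = 105, 2, 10
B, L, M = 5, 2, 125
GADGET = [M // B ** j for j in range(1, L + 1)]   # (25, 5); the page needs M >= Q
assert M >= Q

# Polynomials are coefficient lists, constant term first: 52x + 93 -> [93, 52].

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Product in Z_Q[x]/(x^N + 1): a term of degree >= N wraps around with sign -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out

def rotation_factor(k):
    """x^k - 1 in the ring; x has order 2N, so x^k for N <= k < 2N is -x^(k-N)."""
    k %= 2 * N
    p = [0] * N
    p[k % N] = 1 if k < N else Q - 1
    p[0] = (p[0] - 1) % Q
    return p

def decompose(poly):
    """Page's Decompose: base-B digits of every coefficient at scales M/B, ..., M/B^l."""
    return [[(c // g) % B for c in poly] for g in GADGET]

def external_product(ct, ms):
    """Decompose(ct) * Ms: the 2l digit polynomials against the 2l rows of Ms."""
    digit_polys = [d for poly in ct for d in decompose(poly)]
    acc = ([0] * N, [0] * N)
    for d, (row_a, row_b) in zip(digit_polys, ms):
        acc = (poly_add(acc[0], poly_mul(d, row_a)),
               poly_add(acc[1], poly_mul(d, row_b)))
    return acc

def rotate_step(ct, k, ms):
    """ct_{i+1} = ct_i + Decompose(ct_i * (x^k - 1)) * Ms[i]."""
    f = rotation_factor(k)
    shifted = (poly_mul(ct[0], f), poly_mul(ct[1], f))
    prod = external_product(shifted, ms)
    return (poly_add(ct[0], prod[0]), poly_add(ct[1], prod[1]))

def blind_rotate(ct, exponents, matrices):
    """Apply all N rotation steps in sequence; the result is CT = ct_N."""
    for k, ms in zip(exponents, matrices):
        ct = rotate_step(ct, k, ms)
    return ct

def phase(ct, s):
    """b - a*s with coefficients centred in (-Q/2, Q/2]: Delta*mu plus noise."""
    a, b = ct
    raw = [(y - x) % Q for x, y in zip(poly_mul(a, s), b)]
    return [c - Q if c > Q // 2 else c for c in raw]

def decode(ct, s):
    """Round each phase coefficient to the nearest multiple of Delta."""
    return [round(c / DELTA) for c in phase(ct, s)]

# The page's data. Ms[1] (encrypting s[1] = 1) is given in full. Of Ms[0]
# (encrypting s[0] = 0) only the row hit by the nonzero digit 2x + 2 is given;
# the other three rows are filled with the trivial ciphertext (0, 0), an
# assumption that cannot change the product because their digits are zero.
ZERO = ([0] * N, [0] * N)
MS0 = [ZERO, ZERO, ZERO, ([93, 52], [55, 93])]
MS1 = [([80, 30], [77, 55]), ([57, 99], [4, 52]),
       ([62, 85], [45, 62]), ([93, 18], [90, 93])]
CT0 = ([0, 0], [95, 0])           # (0, 95)
EXPONENTS = [3, 2]                # x^3 - 1 with Ms[0], then x^2 - 1 with Ms[1]
SECRET = [0, 1]                   # s(x) = x

def run_page_example():
    """Return (ct_1, ct_2) as on the page: (80x+82, 86x+19) and (88x+87, 81x+9)."""
    ct1 = rotate_step(CT0, EXPONENTS[0], MS0)
    ct2 = rotate_step(ct1, EXPONENTS[1], MS1)
    return ct1, ct2

if __name__ == "__main__":
    ct1, ct2 = run_page_example()
    print("ct1 =", ct1, "phase", phase(ct1, SECRET))
    print("ct2 =", ct2, "phase", phase(ct2, SECRET), "decoded", decode(ct2, SECRET))
```

The script reproduces ct_1 = (80x + 82, 86x + 19), ct_2 = (88x + 87, 81x + 9) and the phase −6x − 8 that the page rounds to −x − 1. It also makes the noise margin of these toy sizes visible: the digits reach B − 1 = 4 and each row of Ms[1] carries an error of a few units, so the error contributed by one external product is already comparable to Δ/2 = 5 and the phase of ct_2 is far from a clean multiple of Δ. Production parameters choose Q, B and l so that the accumulated l · B · N · ‖e‖ stays well below Δ/2.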
Fig. 4 is a schematic block diagram of a homomorphic encryption bootstrapping apparatus according to another embodiment of the present invention.
The homomorphic encryption bootstrapping apparatus of this embodiment corresponds to the homomorphic encryption bootstrapping method of fig. 3, and includes:
the first encryption unit 410 homomorphically encrypts the plaintext belonging to the plaintext space of the first variable type using the RLWE key to obtain a first RLWE ciphertext.
The second encryption unit 420 determines, based on a plurality of RLWE encryption matrices of the LWE private key vector, a plurality of twiddle factors of the polynomial ring in which the RLWE key is located, where the polynomial ring corresponds to the plaintext space of the second variable type.
The decryption unit 430 sequentially performs rotation processing on the first RLWE ciphertext based on each of the plurality of twiddle factors to obtain a homomorphic decrypted second RLWE ciphertext.
In the scheme of this embodiment of the invention, the first RLWE ciphertext is subjected to rotation processing based on the plurality of twiddle factors of the polynomial ring where the RLWE key is located, which realizes homomorphic encryption bootstrapping. In addition, since the first RLWE ciphertext is obtained by homomorphic encryption of a plaintext belonging to the plaintext space of the first variable type, and the polynomial ring corresponds to the plaintext space of the second variable type, the conversion of the plaintext corresponding to the RLWE ciphertext from the plaintext space of the first variable type to the plaintext space of the second variable type is realized within the bootstrapping process itself; no separate plaintext space conversion before or after bootstrapping is required, and the computational efficiency of the secret-state computation is improved.
In other examples, the second encryption unit is further configured to: encrypt each element of the LWE private key vector separately to obtain the plurality of RLWE encryption matrices.
In other examples, the apparatus further comprises: an obtaining unit configured to obtain an LWE public key vector corresponding to the LWE private key vector, where the LWE public key vector corresponds to the plaintext space of the first variable type. The second encryption unit is specifically configured to: determine the plurality of twiddle factors of the polynomial ring where the RLWE key is located based on the plurality of RLWE encryption matrices of the LWE private key vector and the LWE public key vector.
In other examples, the decryption unit is specifically configured to: perform rotation processing on the first RLWE ciphertext based on the current twiddle factor of the plurality of twiddle factors to obtain a second RLWE ciphertext; and output the homomorphic decrypted second RLWE ciphertext if no next twiddle factor exists among the plurality of twiddle factors.
In other examples, the decryption unit is further configured to: update the current twiddle factor based on the next twiddle factor if a next twiddle factor exists among the plurality of twiddle factors.
In other examples, the apparatus further comprises: a decomposition unit configured to perform polynomial decomposition on the first RLWE ciphertext according to the second modulus of the plaintext space of the second variable type to obtain a plurality of decomposition polynomials. The decryption unit is specifically configured to: determine the second RLWE ciphertext based on a product of the current twiddle factor of the plurality of twiddle factors and the plurality of decomposition polynomials.
In other examples, the apparatus further comprises: a representation unit configured to determine a remainder system representation of the first RLWE ciphertext based on a plurality of preset moduli, and to convert the remainder system representation into a binary representation of the first RLWE ciphertext based on the second modulus. The decomposition unit is specifically configured to: perform polynomial decomposition on the binary representation of the first RLWE ciphertext to obtain a plurality of decomposition polynomials of the binary representation.
In other examples, the decomposition unit is specifically configured to: convert the plurality of decomposition polynomials of the binary representation into a remainder system representation based on the plurality of preset moduli; and determine the second RLWE ciphertext based on a product of the remainder system representation under the plurality of preset moduli and the plurality of decomposition polynomials.
In other examples, the first variable type and the second variable type are different variable types of a boolean variable, a short integer variable, and a long integer variable.
The apparatus of this embodiment is used to implement the corresponding method in the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein again. In addition, the functional implementation of each module in the apparatus of this embodiment can refer to the description of the corresponding part in the foregoing method embodiment, and is not described herein again.
FIG. 5 is a schematic block diagram of a processor according to another embodiment of the invention. The processor of fig. 5 includes the homomorphic cryptographic bootstrap apparatus 400 of fig. 4. For example, the homomorphic encryption bootstrapping apparatus 400 may be implemented as the homomorphic encryption components 110-140 of fig. 2.
FIG. 6 is a schematic block diagram of a system on chip according to another embodiment of the invention. The system-on-chip of fig. 6 includes the processor 500 of fig. 5. For example, the processor 500 may be implemented as the CPU 112 and/or the GPU 116 of fig. 2. As another example, the system-on-chip may also include a hardware accelerator 114 and memory 108.
In addition, for specific implementation of each step in the program, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing method embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
It should be noted that, according to the implementation requirement, each component/step described in the embodiment of the present invention may be divided into more components/steps, and two or more components/steps or partial operations of the components/steps may also be combined into a new component/step to achieve the purpose of the embodiment of the present invention.
The above-described method according to an embodiment of the present invention may be implemented in hardware, firmware, or as software or computer code storable in a recording medium such as a CD ROM, a RAM, a floppy disk, a hard disk, or a magneto-optical disk, or as computer code originally stored in a remote recording medium or a non-transitory machine-readable medium downloaded through a network and to be stored in a local recording medium, so that the method described herein may be stored in such software processing on a recording medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware such as an ASIC or FPGA. It will be appreciated that a computer, processor, microprocessor controller, or programmable hardware includes memory components (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code that, when accessed and executed by a computer, processor, or hardware, implements the methods described herein. Further, when a general-purpose computer accesses code for implementing the methods illustrated herein, execution of the code transforms the general-purpose computer into a special-purpose computer for performing the methods illustrated herein.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The above embodiments are only for illustrating the embodiments of the present invention and not for limiting the embodiments of the present invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the embodiments of the present invention, so that all equivalent technical solutions also belong to the scope of the embodiments of the present invention, and the scope of patent protection of the embodiments of the present invention should be defined by the claims.

Claims (13)

1. A homomorphic cryptographic bootstrapping method comprising:
adopting an RLWE key to perform homomorphic encryption on plaintext belonging to a plaintext space of a first variable type to obtain a first RLWE ciphertext;
respectively determining a plurality of rotation factors based on a polynomial ring where an RLWE key is located based on a plurality of RLWE encryption matrixes of LWE private key vectors, wherein the polynomial ring corresponds to a plaintext space of a second variable type;
and sequentially rotating the first RLWE ciphertext on the basis of the plurality of rotation factors respectively to obtain a homomorphic decrypted second RLWE ciphertext.
2. The method of claim 1, wherein the method further comprises:
and respectively encrypting each element of the LWE private key vector based on the RLWE key to obtain a plurality of RLWE encryption matrixes.
3. The method of claim 1, wherein the method further comprises:
obtaining an LWE public key vector corresponding to the LWE private key vector, wherein the LWE public key vector corresponds to a plaintext space of the first variable type;
the plurality of RLWE encryption matrixes based on the LWE private key vector respectively determine a plurality of twiddle factors based on a polynomial ring where the RLWE key is located, and the method comprises the following steps:
based on a plurality of RLWE encryption matrixes of the LWE private key vector and the LWE public key vector, a plurality of twiddle factors of a polynomial ring where the RLWE keys are located are determined.
4. The method of claim 3, wherein the sequentially rotating the first RLWE ciphertext based on the plurality of twiddle factors, respectively, to obtain a homomorphic decrypted second RLWE ciphertext comprises:
based on the current twiddle factor in the multiple twiddle factors, performing rotation processing on the first RLWE ciphertext to obtain a second RLWE ciphertext;
outputting the homomorphic decrypted second RLWE ciphertext if the next twiddle factor does not exist in the plurality of twiddle factors.
5. The method of claim 4, wherein the sequentially rotating the first RLWE ciphertext based on the plurality of twiddle factors, respectively, to obtain a homomorphic decrypted second RLWE ciphertext, further comprises:
updating the current twiddle factor based on a next twiddle factor if the next twiddle factor exists among the plurality of twiddle factors.
6. The method of claim 4, wherein the method further comprises:
performing polynomial decomposition on the first RLWE ciphertext to obtain a plurality of decomposition polynomials based on a second modulus of the plaintext space of the second variable type;
the rotating the first RLWE ciphertext based on a current twiddle factor of the multiple twiddle factors to obtain a second RLWE ciphertext, including:
determining a second RLWE ciphertext based on a product of a current twiddle factor of the plurality of twiddle factors and the plurality of decomposition polynomials.
7. The method of claim 6, wherein the method further comprises:
determining a remainder system representation of the first RLWE ciphertext based on a plurality of preset moduli;
converting the remainder system representation to a binary representation of the first RLWE ciphertext based on the second modulus;
performing polynomial decomposition on the first RLWE ciphertext to obtain a plurality of decomposition polynomials, including:
and carrying out polynomial decomposition on the binary expression of the first RLWE ciphertext to obtain a plurality of decomposition polynomials of the binary expression.
8. The method of claim 7, wherein the determining a second RLWE ciphertext based on a product of a current twiddle factor of the plurality of twiddle factors and the plurality of decomposition polynomials comprises:
converting a plurality of decomposition polynomials of the binary representation to a remainder system representation based on the plurality of preset moduli;
determining a second RLWE ciphertext based on a product of the remainder systematic representation of the plurality of preset moduli and the plurality of decomposition polynomials.
9. The method of claim 1, wherein the first variable type and the second variable type are different ones of a boolean variable, a short integer variable, and a long integer variable.
10. A homomorphic cryptographic bootstrap device, comprising:
the first encryption unit is used for homomorphic encryption of plaintext belonging to a plaintext space of a first variable type by adopting an RLWE key to obtain a first RLWE ciphertext;
the second encryption unit is used for respectively determining a plurality of twiddle factors based on a polynomial ring where an RLWE secret key is located on the basis of a plurality of RLWE encryption matrixes of LWE private key vectors, and the polynomial ring corresponds to a plaintext space of a second variable type;
and the decryption unit is used for sequentially rotating the first RLWE ciphertext based on the plurality of twiddle factors to obtain a homomorphic decrypted second RLWE ciphertext.
11. A processor, comprising:
the homomorphic cryptographic bootstrap device of claim 10.
12. A system on a chip, comprising:
the processor of claim 11.
13. A computing device, comprising:
the system on a chip of claim 12.
CN202211384665.8A 2022-11-07 2022-11-07 Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment Pending CN115834020A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211384665.8A CN115834020A (en) 2022-11-07 2022-11-07 Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211384665.8A CN115834020A (en) 2022-11-07 2022-11-07 Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment

Publications (1)

Publication Number Publication Date
CN115834020A true CN115834020A (en) 2023-03-21

Family

ID=85526866

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211384665.8A Pending CN115834020A (en) 2022-11-07 2022-11-07 Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment

Country Status (1)

Country Link
CN (1) CN115834020A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116150795A (en) * 2023-04-17 2023-05-23 粤港澳大湾区数字经济研究院(福田) Homomorphic encryption-based data processing method, system and related equipment


Similar Documents

Publication Publication Date Title
Mohassel et al. ABY3: A mixed protocol framework for machine learning
CN110363030B (en) Method and processing device for performing a trellis-based cryptographic operation
US20240113858A1 (en) Systems and Methods for Performing Secure Machine Learning Analytics Using Homomorphic Encryption
US11323241B2 (en) Encryption processing system, encryption processing device and recording medium
CN112262544B (en) Device, system and method for generating and processing cryptographic parameters
US11777707B2 (en) Homomorphic encryption for machine learning and neural networks using high-throughput CRT evaluation
CN115834020A (en) Homomorphic encryption bootstrap method and device, processor, system on chip and computing equipment
US11823060B2 (en) Method and system for performing deterministic data processing through artificial intelligence
CN112865973A (en) Method for generating encryption key and digital signature based on lattice
CN116861477A (en) Data processing method, system, terminal and storage medium based on privacy protection
KR20220097330A (en) System, apparatus and method for privacy preserving machine learning process
EP4087177A1 (en) Blind rotation for use in fully homomorphic encryption
CN115208548A (en) Apparatus for processing non-polynomial operation on homomorphic encrypted message and method thereof
EP4335073A1 (en) Blind rotation for use in fully homomorphic encryption
CN115918028A (en) Device and method for performing statistical operation on homomorphic ciphertext
Meehan et al. Deep learning inferences with hybrid homomorphic encryption
CN112152811A (en) Digital signature verification engine for reconfigurable circuit devices
Yudheksha et al. A study of AES and RSA algorithms based on GPUs
US11902415B2 (en) Secure computing device, secure computing method, and program
US20180373672A1 (en) Calculating device and method
CN116455575B (en) Key generation, encryption and decryption methods, electronic equipment and storage medium
CN115801258B (en) Data processing method, device, electronic equipment and computer readable storage medium
CN116232562B (en) Model reasoning method and device
CN116132049B (en) Data encryption method, device, equipment and storage medium
US20230379134A1 (en) Method and device for performing homomorphic permutation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination