EP3909193A1 - Apparatus for processing approximately encrypted messages and methods thereof - Google Patents

Apparatus for processing approximately encrypted messages and methods thereof

Info

Publication number
EP3909193A1
EP3909193A1 EP19908950.9A EP19908950A EP3909193A1 EP 3909193 A1 EP3909193 A1 EP 3909193A1 EP 19908950 A EP19908950 A EP 19908950A EP 3909193 A1 EP3909193 A1 EP 3909193A1
Authority
EP
European Patent Office
Prior art keywords
homomorphic encryption
encryption
approximate
polynomial
homomorphic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP19908950.9A
Other languages
German (de)
French (fr)
Other versions
EP3909193A4 (en)
Inventor
Jung Hee Cheon
Kyoo Hyung Han
Do Hyeong KI
Minki HHAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Crypto Lab Inc
Original Assignee
Crypto Lab Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Crypto Lab Inc
Priority claimed from PCT/KR2019/016001 (WO2020145503A1)
Publication of EP3909193A1
Publication of EP3909193A4

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3026: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials

Definitions

  • the disclosure relates to an apparatus for performing a rebooting method for an approximately encrypted encryption effectively, and a method thereof.
  • For overcoming such a problem, a homomorphic encryption method is being researched. According to homomorphic encryption, even if an operation is performed in an encryption itself without decrypting encrypted information, the same result as a value which is a result of performing an operation for a plain text and encrypting the text can be achieved. Accordingly, various types of operations can be performed while an encryption is not decrypted.
  • a conventional rebooting method requires a large amount of calculation or the accuracy of calculation is low. Accordingly, there is a demand for a rebooting method which can reduce the amount of calculation, and at the same time, of which accuracy of calculation is high.
  • the disclosure was devised for overcoming the aforementioned problem, and the purpose of the disclosure is in providing an apparatus for performing a rebooting operation for an approximately encrypted encryption effectively, and a method thereof.
  • a method for processing a homomorphic encryption includes the steps of linearly transforming a homomorphic encryption for an approximate message including an error, performing an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transforming the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times may be set, and an approximate modulus operation may be performed by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • the step of linearly transforming a homomorphic encryption may include the steps of converting the homomorphic encryption into a form of polynomial, and applying the converted homomorphic encryption to a predefined matrix.
  • the predefined matrix may be decomposed into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and the homomorphic encryption may be applied sequentially to the plurality of block diagonal matrices.
  • the homomorphic encryption may be applied to the plurality of block diagonal matrices in units of two continuous matrices.
  • an operation apparatus may include a memory storing a homomorphic encryption for an approximate message including an error, and a processor performing an operation for the homomorphic encryption.
  • the processor may linearly transform the homomorphic encryption for an approximate message including an error, perform an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transform the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • the processor may set a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times, and perform an approximate modulus operation by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • the processor may convert the homomorphic encryption into a form of polynomial, and linearly transform the homomorphic encryption by applying the converted homomorphic encryption to a predefined matrix.
  • the processor may decompose the predefined matrix into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and linearly transform the homomorphic encryption by applying the homomorphic encryption sequentially to the plurality of block diagonal matrices.
  • the processor may linearly transform the homomorphic encryption by applying the homomorphic encryption to the plurality of block diagonal matrices in units of two continuous matrices.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure.
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure.
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure.
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure.
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure.
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure.
  • FIG. 7 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure.
  • FIG. 8 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure.
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure.
  • FIG. 10 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure.
  • FIG. 11 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure.
  • each step should be understood in a nonrestrictive way, unless a preceding step should necessarily be performed prior to a subsequent step in a logical and temporal sense. That is, excluding an exceptional case as above, even if a process described as a subsequent step is performed prior to a process described as a preceding step, there would be no influence on the essence of the disclosure, and the scope of the disclosure should also be defined regardless of the orders of steps.
  • the description "A or B" in this specification is defined to include not only a case wherein one of A or B is selectively referred to, but also a case wherein both of A and B are included.
  • the term "include" in this specification has a meaning including a case wherein elements other than elements listed as being included are further included.
  • a value is defined as a concept including a vector as well as a scalar value.
  • Element a is selected according to distribution D.
  • Each of S1 and S2 is an element belonging to group R.
  • ⌊-⌉: The internal value is rounded off.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure.
  • a network system may include a plurality of electronic apparatuses 100-1 ~ 100-n, a first server apparatus 200, and a second server apparatus 300, and each component may be connected with one another through a network 10.
  • the network 10 may be implemented as various forms of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each apparatus may be connected by methods such as WiFi, Bluetooth, Near Field Communication (NFC), etc. without a separate medium.
  • In FIG. 1, it was illustrated that there are a plurality of electronic apparatuses 100-1 ~ 100-n, but a plurality of electronic apparatuses do not necessarily have to be used, and one apparatus may be used.
  • the electronic apparatuses 100-1 ~ 100-n may be implemented as various forms of apparatuses such as a smartphone, a tablet, a game player, a PC, a laptop PC, a home server, a kiosk, etc., and other than the above, the electronic apparatuses may also be implemented in the form of home appliances to which an IoT function has been applied.
  • a user may input various information through the electronic apparatuses 100-1 ~ 100-n he or she uses.
  • the information input may be stored in the electronic apparatuses 100-1 ~ 100-n themselves, but it may also be transferred to an external apparatus and stored for reasons such as the storage capacity and security, etc.
  • the first server apparatus 200 may perform a role of storing such information
  • the second server apparatus 300 may perform a role of using a portion or all of the stored information.
  • Each electronic apparatus 100-1 ~ 100-n may homomorphically encrypt the information input and transfer the homomorphic encryption to the first server apparatus 200.
  • each electronic apparatus 100-1 ~ 100-n may include an encryption noise calculated in the process of performing homomorphic encryption, i.e., an error in an encryption.
  • a homomorphic encryption generated in each electronic apparatus 100-1 ~ 100-n may be generated in a form wherein a result value including a message and an error value is restored when the encryption is decrypted by using a secret key later.
  • homomorphic encryptions generated in the electronic apparatuses 100-1 ~ 100-n may be generated in forms satisfying a property as follows when they are decrypted by using a secret key.
  • <, > means a usual inner product
  • ct means an encryption
  • sk means a secret key
  • M means a plain text message
  • e means an encryption error value
  • mod q means a modulus of the encryption. q should be selected to be bigger than the result value M of multiplying a scaling factor Δ and the message. If the absolute value of the error value e is sufficiently smaller than M, the decryption value M+e of the encryption is a value that can replace the original message with the same degree of precision in a significant figure operation.
  • the error may be arranged on the side of the least significant bit (LSB), and M may be arranged on the side of the second least significant bit.
  • the size of a message may be adjusted by using a scaling factor. If a scaling factor is used, not only a message in the form of an integer but also a message in the form of a real number can be encrypted, and thus usability can be improved greatly. Also, by adjusting the size of a message by using a scaling factor, the size of an area wherein messages exist in an encryption after an operation is performed, i.e., an effective area can be adjusted.
  • an encryption modulus q may be used while being set in various forms.
  • the first server apparatus 200 may not decrypt a received homomorphic encryption, but store it in a state of an encryption.
  • the second server apparatus 300 may request a result of specific processing for the homomorphic encryption from the first server apparatus 200.
  • the first server apparatus 200 may perform a specific operation according to the request of the second server apparatus 300, and transfer the result to the second server apparatus 300.
  • the second server apparatus 300 may request a value of summing up the information provided from the two electronic apparatuses 100-1, 100-2 from the first server apparatus 200.
  • the first server apparatus 200 may perform an operation of summing up the two encryptions according to the request, and then transfer the result value (ct1 + ct2) to the second server apparatus 300.
  • the first server apparatus 200 may perform an operation while a homomorphic encryption is not decrypted, and a result value thereof also becomes a form of encryption.
  • a result value acquired by an operation is referred to as an operation result encryption.
  • the first server apparatus 200 may transfer an operation result encryption to the second server apparatus 300.
  • the second server apparatus 300 may decrypt the received operation result encryption, and acquire an operation result value of data included in each homomorphic encryption.
  • the first server apparatus 200 may perform operations a number of times according to a user request. In this case, the proportion of an approximate message in an operation result encryption acquired for each operation varies. If the proportion of an approximate message exceeds a threshold, the first server apparatus 200 may perform a rebooting operation. As described above, the first server apparatus 200 may perform an operating operation, and thus it may also be referred to as an operation apparatus.
  • In FIG. 1, a case wherein encryption is performed at a first electronic apparatus and a second electronic apparatus, and the second server apparatus performs decryption is illustrated, but the disclosure is not necessarily limited thereto.
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure.
  • apparatuses performing homomorphic encryption such as the first electronic apparatus, the second electronic apparatus, etc., apparatuses operating a homomorphic encryption such as the first server apparatus, etc., and apparatuses decrypting a homomorphic encryption such as the second server apparatus, etc. in the system in FIG. 1 may be referred to as operation apparatuses.
  • Such operation apparatuses may be various apparatuses like personal computers (PCs), laptop computers, smartphones, tablets, servers, etc.
  • an operation apparatus 400 may include a communication device 410, a memory 420, a display 430, a manipulation input device 440, and a processor 450.
  • the communication device 410 is formed to connect the operation apparatus 400 with an external apparatus (not shown), and it may not only be a form of being connected with an external apparatus through a Local Area Network (LAN) and an Internet network, but also a form of being connected through a Universal Serial Bus (USB) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port.
  • the communication device 410 may receive a public key from an external apparatus, and transfer a public key generated by the operation apparatus 400 itself to an external apparatus.
  • the communication device 410 may receive a message from an external apparatus, and transmit a generated homomorphic encryption to an external apparatus.
  • the communication device 410 may receive various types of parameters necessary for generating an encryption from an external apparatus. Meanwhile, in implementation, various types of parameters may be directly input from a user through the manipulation input device 440 that will be described below.
  • the communication device 410 may receive a request for an operation for a homomorphic encryption from an external apparatus, and transfer a result calculated accordingly to an external apparatus.
  • the memory 420 is a component for storing an O/S for operating the operation apparatus 400 or various types of software, data, etc.
  • the memory 420 may be implemented in various forms such as a RAM or a ROM, a flash memory, an HDD, an external memory, a memory card, and the like, but is not limited to a specific one.
  • the memory 420 stores a message to be encrypted.
  • a message may be various types of credit information, personal information, etc. that a user cited in various ways, or it may be information related to use history such as location information used at the operation apparatus 400, information on the use time of the Internet, etc.
  • the memory 420 may store a public key, and in case the operation apparatus 400 is an apparatus that directly generated a public key, the memory 420 may store not only a secret key, but also various types of parameters necessary for generating a public key and a secret key.
  • the memory 420 may store a homomorphic encryption generated in a process that will be described below. Also, the memory 420 may store a homomorphic encryption transferred from an external apparatus. In addition, the memory 420 may store an operation result encryption which is a result of an operation process that will be described below.
  • the display 430 displays a user interface window for receiving selection of functions supported by the operation apparatus 400.
  • the display 430 may display a user interface window for receiving selection of various functions provided by the operation apparatus 400.
  • Such a display 430 may be a monitor such as a liquid crystal display (LCD) and organic light emitting diodes (OLEDs), and it may be implemented as a touch screen that can simultaneously perform the function of the manipulation input device 440 that will be described below.
  • the display 430 may display a message requesting input of a parameter necessary for generating a secret key and a public key.
  • the display 430 may display a message wherein a subject to be encrypted selects a message.
  • a subject to be encrypted may be directly selected by a user, or selected automatically. That is, personal information, etc. which need to be encrypted may be set automatically even if a user does not directly select a message.
  • the manipulation input device 440 may receive selection of a function of the operation apparatus 400 and input of a control command for the function from a user. Specifically, the manipulation input device 440 may receive input of a parameter necessary for generating a secret key and a public key. Also, the manipulation input device 440 may receive setting of a message to be encrypted from a user.
  • the processor 450 controls each component inside the operation apparatus 400.
  • a processor 450 may be constituted as a single device such as a central processing unit (CPU) and an application-specific integrated circuit (ASIC), or it may be constituted as a plurality of devices such as a CPU and a graphics processing unit (GPU).
  • the processor 450 stores the message in the memory 420. Then, the processor 450 homomorphically encrypts the message by using various setting values and programs stored in the memory 420. In this case, a public key may be used.
  • the processor 450 may generate a public key necessary for performing encryption by itself and use it, or receive a public key from an external apparatus and use it.
  • the second server apparatus 300 performing decryption may distribute a public key to other apparatuses.
  • the processor 450 may generate a public key by using a Ring-LWE technique.
  • the processor 450 may set various types of parameters and rings first, and store them in the memory 420.
  • As examples of parameters, there may be the length of a plain text message bit, the sizes of a public key and a secret key, and the like.
  • a ring may be expressed with a formula as below.
  • R means a ring
  • Zq means a coefficient
  • f(x) means an n-th polynomial.
  • a ring is a group of polynomials having preset coefficients, and means a group wherein additions and multiplications are defined among elements, and which is closed with respect to additions and multiplications.
  • a ring means a group of n-th polynomials of which coefficients are Zqs.
  • n ⁇ (N)
  • (f(x)) means an ideal of Zq[x] generated by f(x).
  • an Euler totient function φ(N) means the number of natural numbers which are mutual primes with N, and are smaller than N.
  • Φ_N(x) is defined as an N-th cyclotomic polynomial
  • a ring may also be expressed as formula 3 as below.
  • a secret key sk may be expressed as below.
  • the ring in the aforementioned formula 3 has a complex number in a plain text space. Meanwhile, for improving the operation speed for a homomorphic encryption, only a group wherein a plain text space is a real number may be used among the aforementioned groups of rings.
  • the processor 450 may calculate a secret key sk from the ring.
  • s(x) means a polynomial which was randomly generated with a small coefficient.
  • the processor 450 calculates a first random polynomial a(x) from the ring.
  • the first random polynomial may be expressed as below.
  • the processor 450 may calculate an error. Specifically, the processor 450 may extract an error from discrete Gaussian distribution or distribution of which statistical distance thereto is close. Such an error may be expressed as below.
  • the processor 450 may perform a modular operation on the first random polynomial and the error in the secret key and calculate a second random polynomial.
  • the second random polynomial may be expressed as below.
  • a public key pk is set in the form of including the first random polynomial and the second random polynomial as below.
  • the aforementioned key generating method is merely an example, and thus the disclosure is not necessarily limited thereto, and a public key and a secret key can obviously be generated by methods other than the above.
  • the processor 450 may control the communication device 410 such that the public key is transferred to other apparatuses.
  • the processor 450 may generate a homomorphic encryption for a message. Specifically, the processor 450 may generate a homomorphic encryption by applying the public key generated previously to a message. Here, the processor 450 may generate the length of the encryption to correspond to the size of the scaling factor.
  • the processor 450 may store the homomorphic encryption in the memory 420, or control the communication device 410 to transfer the homomorphic encryption to another apparatus according to a user request or a preset default command.
  • packing may be performed. If packing is used in homomorphic encryption, it becomes possible to encrypt a plurality of messages into one encryption. In this case, if operations among each encryption are performed at the operation apparatus 400, operations for a plurality of messages are ultimately processed in parallel, and thus burden of operations gets to be reduced greatly.
  • the processor 450 may convert the message into a polynomial in a form which can encrypt the plurality of message vectors in parallel, and then multiply the polynomial with the scaling factor and perform homomorphic encryption by using a public key. Accordingly, an encryption wherein a plurality of message vectors are packed may be generated.
  • the processor 450 may generate a decryption in the form of a polynomial by applying a secret key to the homomorphic encryption, and generate a message by decoding the decryption in the form of a polynomial.
  • the generated message may include an error as mentioned in formula 1 described above.
  • the processor 450 may perform an operation for an encryption. Specifically, the processor 450 may perform an operation such as an addition and a multiplication for a homomorphic encryption while the homomorphic encryption is maintained in an encrypted state. Specifically, the processor 450 may process each homomorphic encryption to be used for an operation as a first function, and perform an operation such as an addition and a multiplication between homomorphic encryptions processed as first functions, and process the homomorphic encryptions for which an operation was performed as second functions which are reverse functions of the first functions. For such first function processing and second function processing, a linear transformation technology in a rebooting process that will be described below may be used.
  • the operation apparatus 400 may detect data in an effective area from the operation result data. Specifically, the operation apparatus 400 may detect data in an effective area by performing rounding processing for the operation result data. Rounding processing means proceeding round-off of a message in an encrypted state, and it may also be referred to differently as rescaling. Specifically, the operation apparatus 400 multiplies each component of an encryption with Δ^-1 which is a reciprocal number of a scaling factor and performs round-off, and thereby removes a noise area. A noise area may be determined to correspond to the size of the scaling factor. Ultimately, a message in an effective area from which a noise area has been removed can be detected. As the above process proceeds in an encrypted state, an additional error occurs, but the size of the error is sufficiently small, and thus it can be ignored.
  • the operation apparatus 400 may perform a rebooting operation for the encryption.
  • a rebooting operation will be described below with reference to FIGS. 3 to 5.
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure. Specifically, in FIG. 3, operation and rebooting processes for two homomorphic encryptions 10, 20 are illustrated.
  • Each homomorphic encryption 10, 20 may respectively include approximate message areas 11, 21.
  • the operation apparatus 400 may perform a specific operation by using the two homomorphic encryptions 10, 20 as input values.
  • the operation result encryption 30 may include an approximate message area 31 including the operation result m3+e3 between each approximate message. As the operation result becomes bigger than the input value, an approximate message area also becomes bigger, and accordingly, the remaining plain text space 32 decreases. If such an operation is performed several times, the remaining plain text space 32 ultimately disappears or becomes smaller than the threshold, and thus an operation cannot be performed. If such a state is determined, the operation apparatus 400 can perform a rebooting operation. A specific rebooting operation will be described with reference to FIG. 5.
  • a conventional encryption/decryption mechanism is designed such that data after decryption becomes the same as the original plain text, but according to an embodiment of the disclosure, an approximate message is output instead of exactly the same plain text.
  • an error necessary for safety and an error generated through an operation of effective numbers are included and treated as a noise, and thus an operation of real numbers becomes possible in an encrypted state, and efficiency of encryption/decryption can be increased.
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure.
  • the first operation apparatus 400-1 and the second operation apparatus 400-2 may homomorphically encrypt a message m1 and a message m2 respectively, and output homomorphic encryptions E_L(m1') and E_L(m2').
  • the third operation apparatus 400-3 may perform an operation for the homomorphic encryptions E_L(m1') and E_L(m2'), and output an operation result encryption E_{L-i}(m3').
  • L means a modulus level of the encryption.
  • the modulus level continuously decreases. For example, if the depth of an operation that the third operation apparatus 400-3 seeks to perform in an encrypted state is i, the modulus level decreases as much as i. Accordingly, if a modulus level drops below the threshold, a further operation for the homomorphic encryptions becomes impossible.
  • the threshold was set as level 1. Accordingly, it can be seen that the homomorphic encryptions E_1(m4') and E_1(m5') of level 1 cannot be operated.
  • the third operation apparatus 400-3 may reboot each of E_1(m4') and E_1(m5'), and generate E_{L'}(m4") and E_{L'}(m5"). By rebooting, the modulus level becomes level L' which is almost similar to L, and the approximate message also changes from m4' and m5' to m4" and m5" which are almost similar.
  • the third operation apparatus 400-3 may operate the rebooted encryptions, and provide an operation result encryption E_{L'-i}(m6") to the fourth operation apparatus 400-4.
  • the operation result encryption ultimately operated may be expressed as the following formula.
  • the fourth operation apparatus 400-4 may decrypt the operation result encryption and acquire an approximate message m6".
  • the fourth operation apparatus 400-4 may use additional information.
  • additional information may be a scaling factor changed during an operation process, a modulus value used for extension of a plain text space, etc. If a changed scaling factor is △', a decrypted approximate message may be m6"/△'. Accordingly, even if a plain text in a real number is integerized in an encryption process, it can be restored to a real number again in decryption.
  • a modulus value in additional information may be used as a modulus of a ring R in formula 9.
  • the fourth operation apparatus 400-4 may ultimately acquire m6" through decryption.
  • a rebooting operation for input homomorphic encryptions is performed before an operation of two encryptions, but in implementation, a rebooting operation for an operation result may be performed as in FIG. 3.
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure.
  • a homomorphic encryption for an approximate message including an error is linearly transformed at operation S510.
  • in a homomorphic encryption, a plurality of encryptions may be packed as described above.
  • the homomorphic encryption may be converted into a form of polynomial for calculating the plurality of encryptions.
  • the homomorphic encryption converted into a form of polynomial may be applied to a predefined matrix (specifically, formula 10 below).
  • a polynomial of a homomorphic encryption consists of complex numbers as explained above.
  • linear transformation may be performed by using a predefined matrix for converting each coefficient of the polynomial into a form of being put in a slot.
  • a predefined matrix may be a discrete Fourier transform (DFT) matrix.
  • linear transformation may be performed by using a plurality of block diagonal matrices for performing linear transformation faster.
  • a block diagonal matrix is a matrix wherein there is a value in the diagonal component, and the other values are 0. The reason that a plurality of block diagonal matrices may be used and an effect thereof will be described in detail in the lower part of FIG. 5.
  • an approximate modulus operation may be performed at operation S520.
  • the linearly transformed homomorphic encryption may be approximately modulus operated by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point.
  • An approximate modulus operating operation according to the disclosure will be described later with reference to FIG. 9.
  • the homomorphic encryption that was approximately modulus operated is linearly transformed in a form of encryption at operation S530.
  • the homomorphic encryption that was approximately modulus operated may be converted into a form of polynomial by using an inverse matrix corresponding to the matrix used in linear transformation of the homomorphic encryption previously, and the converted polynomial may be converted into a form of encryption.
  • an approximate modulus operation is performed through a multi-degree polynomial calculated by a characteristic of a homomorphic encryption. Accordingly, a faster rebooting operation can be performed. Also, in linear transformation, operation processing is performed by decomposing a preset matrix into a plurality of block diagonal matrices, and thus it is possible to perform an operation with low operation complexity.
  • packing may be applied. That is, several messages are encrypted into one message.
  • an operation of linearly transforming a packed homomorphic encryption is an important operation in homomorphic encryption.
  • Such linear transformation is modification of coefficients of a homomorphic encryption expressed as a polynomial into slots.
  • a discrete Fourier transform (DFT) matrix may be used.
  • the aforementioned DFT matrix may be indicated as formula 10 below.
  • U means a DFT matrix, and , and .
  • N means a polynomial ring dimension.
  • a matrix as the aforementioned formula 10 may be factorized and decomposed into a plurality of sparse matrices.
  • a recursive FFT Cooley-Tukey algorithm may be used, and the method thereof is as formula 11.
  • a DFT matrix may be decomposed into a log_2 n number.
  • the following formula 12 indicates the form of recursive matrices.
  • k/2 is a diagonal block
  • a DFT matrix can be expressed as formula 13 as follows.
  • a DFT matrix may be decomposed into sparse diagonal matrices, and in the disclosure, linear transformation may be performed by using decomposed sparse diagonal matrices (or block diagonal matrices).
  • a matrix-vector multiplication algorithm as described above is effective for a matrix M which is a diagonal vector of a small number which is not 0. That is, diag i (M) is a non-zero vector for a small number i. Such a matrix is referred to as a sparse diagonal matrix.
  • calculation complexity can be reduced to O(log n).
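Added example (not code from the disclosure): the factorization described above, carried out for the standard DFT matrix as an assumption, since formula 10 is not reproduced on this page. It builds the log_2 n Cooley-Tukey butterfly factors, lists their non-zero diag_i, and applies each factor as a sum of diagonal-times-rotated-vector products; all function names and the sample vector are constructed here.

```python
import cmath


def dft_matrix(n):
    """Dense n x n DFT matrix, entry (j, k) = exp(-2*pi*i*j*k/n)."""
    return [[cmath.exp(-2j * cmath.pi * j * k / n) for k in range(n)]
            for j in range(n)]


def butterfly_factor(n, k):
    """Stage-k Cooley-Tukey factor: n/k diagonal blocks [[I, W], [I, -W]],
    where I and W = diag(w^0 .. w^(k/2-1)), w = exp(-2*pi*i/k), are k/2 wide."""
    h = k // 2
    m = [[0j] * n for _ in range(n)]
    for base in range(0, n, k):
        for t in range(h):
            w = cmath.exp(-2j * cmath.pi * t / k)
            top, bot = base + t, base + t + h
            m[top][top], m[top][bot] = 1, w
            m[bot][top], m[bot][bot] = 1, -w
    return m


def nonzero_diagonals(m, eps=1e-12):
    """Indices i whose cyclic diagonal diag_i(M) = (M[r][(r+i) mod n])_r
    contains at least one non-zero entry."""
    n = len(m)
    return [i for i in range(n)
            if any(abs(m[r][(r + i) % n]) > eps for r in range(n))]


def diag_matvec(m, x):
    """M*x = sum_i diag_i(M) * rot_i(x): one slot rotation and one slot-wise
    multiplication per non-zero diagonal. Returns (result, diagonals used)."""
    n = len(m)
    used = nonzero_diagonals(m)
    y = [0j] * n
    for i in used:
        for r in range(n):
            y[r] += m[r][(r + i) % n] * x[(r + i) % n]
    return y, len(used)


def bit_reverse(x):
    """Input reordering of the decimation-in-time FFT (n a power of two >= 2).
    Done on the plain vector here; it is not one of the sparse factors."""
    bits = len(x).bit_length() - 1
    return [x[int(format(i, "0{}b".format(bits))[::-1], 2)]
            for i in range(len(x))]


def dft_dense(x):
    """Multiply by the full DFT matrix: every one of the n diagonals is used."""
    return diag_matvec(dft_matrix(len(x)), x)


def dft_factored(x):
    """Apply the log2(n) sparse factors one after another."""
    n, total = len(x), 0
    y = bit_reverse(x)
    k = 2
    while k <= n:
        y, used = diag_matvec(butterfly_factor(n, k), y)
        total += used
        k *= 2
    return y, total


def max_abs_diff(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


SAMPLE = [complex(i % 5, -(i % 3)) for i in range(16)]  # constructed input

if __name__ == "__main__":
    dense, d = dft_dense(SAMPLE)
    fact, f = dft_factored(SAMPLE)
    print("max difference:", max_abs_diff(dense, fact))
    print("diagonals used: dense", d, "factored", f)
```

Each factor has at most three non-zero diagonals, so the number of rotations grows with log_2 n rather than with n.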
  • a calculation process using a decomposed matrix may be performed as in FIG. 6.
  • a calculation method using a decomposed matrix will be explained below with reference to FIG. 6.
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure.
  • linear transformation can be expressed as formula 18 as follows.
  • a linear transformation operation as above may be used not only in linear transformation in a rebooting process, but in various processes wherein there is a need to convert a coefficient of a polynomial into a slot such as an encoding process in a process of generating a homomorphic encryption.
  • an inverse matrix of a matrix described above may be used, and an inverse matrix may also be decomposed into block diagonal matrices as below, and an operation may be performed with a plurality of decomposed block diagonal matrices.
  • Formula 19 may be decomposed into matrices in specific forms having useful attributes as in formula 20 below.
  • 2 i which is a divisor of n may be expressed as a formula as below.
  • an iDFT n RN matrix may also be decomposed into sparse diagonal matrices as DFT n NR , and it enables a fast operation.
  • a target to be calculated is determined in advance, there may be a little need for a rebooting method, but in a machine learning process which is becoming an issue recently, there are many situations wherein it cannot be figured out when processes of learning will end. Accordingly, in the case of performing machine learning for encrypted data, the performance of a rebooting method is very important.
  • For a rebooting method, a decryption function should be calculated in an encrypted state.
  • a decryption function is expressed as the aforementioned formula 7.
  • the main point is calculating mod q which is a modulus operation in an encrypted state.
  • each coefficient has a property that it is very small compared to a modulus value of an encryption which is q.
  • a modulus operation is approximated as a sine function.
  • Such a sine function can be expressed as formula 22 as follows.
  • a given range may be [-12, 12], but in case the environment changes, a different range may be used.
  • an error value can be calculated as formula 24 as follows.
  • formula 22 is expressed as a sine function, but a sine function and a cosine function can be converted only with a x → x - 1/4 shifting operation. Also, hereinafter, calculation of an approximate polynomial for a cosine function as in formula 23 as follows by using a double angle formula will be described.
  • x_0, x_1, ..., x_n ∈ [a, b] are determined in advance, and are referred to as nodes. Accordingly, there is a need to select {x_i} 1 ≤ i ≤ n such that the maximum value of w(x) in a specific domain for x is minimized.
  • a node is selected at each interval within a -K ⁇ i ⁇ K range of all input values i.
  • a node d i satisfying in a i ⁇ j ⁇ d i range in an interval I i is selected.
  • P n satisfies the following.
  • f(x) is a specific function (i.e., a sine function or a cosine function), and Pn(x) is an approximate polynomial.
  • formula 27 has a condition of .
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure.
  • an approximate modulus operation for a homomorphic encryption that was linearly transformed previously may be performed by using an approximate polynomial to which the calculated coefficient is reflected.
  • the number of the aforementioned coefficient of an approximate polynomial, i.e., the degree of an approximate polynomial, may be varied according to a user's selection, and it is preferable that one degree among 7th to 80th degrees is used. Such a degree may be determined by a result of various simulations, and in addition to the aforementioned degree, a range may be used.
  • an approximate modulus operation may be performed through an operating operation of repeating a homomorphic encryption for the calculated approximate polynomial as many as the double angle number of times.
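Added example (not from the disclosure) of the approximate modulus operation on plain floating-point numbers: a degree-14 cosine polynomial is evaluated on the input shrunk by 2^r and then lifted with r double-angle steps. It assumes a Taylor polynomial in place of the disclosure's node-selected approximate polynomial, whose formulas are not reproduced on this page; all names, the choice r = 6 and the sample values are constructed.

```python
import math

K = 12        # integer points -K..K, matching the [-12, 12] range in the text
R = 6         # number of double-angle steps (constructed choice)
DEGREE = 14   # polynomial degree, inside the 7th..80th band given in the text


def cos_poly(theta, degree=DEGREE):
    """Degree-`degree` Taylor polynomial of cos(theta) (stand-in polynomial)."""
    total, term, t2 = 1.0, 1.0, theta * theta
    for j in range(1, degree // 2 + 1):
        term *= -t2 / ((2 * j - 1) * (2 * j))
        total += term
    return total


def approx_mod1(x, r=R, degree=DEGREE):
    """Approximate x - round(x) for x close to an integer.

    sin(2*pi*x) = cos(2*pi*(x - 1/4)), so shift by 1/4, shrink the angle by
    2**r, evaluate the polynomial once, then apply cos(2t) = 2*cos(t)**2 - 1
    r times. Only additions and multiplications are used, which is what an
    evaluation in an encrypted state can perform.
    """
    c = cos_poly(2 * math.pi * (x - 0.25) / 2 ** r, degree)
    for _ in range(r):
        c = 2 * c * c - 1
    return c / (2 * math.pi)


def approx_mod_q(t, q, r=R, degree=DEGREE):
    """Approximate the centred value of t mod q for t = q*I + m, |m| << q."""
    return q * approx_mod1(t / q, r, degree)


def worst_error(eps, r=R, degree=DEGREE):
    """Largest |approx - eps| over x = I + eps for every integer I in -K..K."""
    return max(abs(approx_mod1(i + eps, r, degree) - eps)
               for i in range(-K, K + 1))


if __name__ == "__main__":
    q = 2 ** 20
    t = 7 * q + 1000  # constructed: I = 7, m = 1000
    print("t mod q ~", approx_mod_q(t, q))
    print("worst error, eps=1e-3, r=6:", worst_error(1e-3))
    print("worst error, eps=0.2,  r=6:", worst_error(0.2))
    print("worst error, eps=1e-3, r=0:", worst_error(1e-3, r=0))
```

The eps = 0.2 case shows why the smallness of each coefficient relative to q matters: away from integer points the sine no longer tracks the modulus. The r = 0 case shows that the same degree is useless on the full range without the double-angle steps.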
  • the value in a method according to the disclosure is much smaller than the value in the conventional Chebyshev method. Also, it can be seen that the value in a method according to the disclosure is also smaller than the value in the conventional Hermite method having superior performance.
  • the method for processing an encryption may be implemented in the form of a program code for performing each step, and stored in a recording medium and distributed.
  • an apparatus on which the recording medium is mounted may perform operations such as the aforementioned encryption and encryption processing, etc.
  • Such a recording medium may be various types of computer readable media such as a ROM, a RAM, a memory chip, a memory card, an external hard disk, a hard disk, a CD, a DVD, a magnetic disk or a magnetic tape, etc.

Abstract

A method for processing an encryption is provided. The method for processing an encryption includes the steps of linearly transforming a homomorphic encryption for an approximate message including an error, performing an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transforming the homomorphic encryption which was approximately modulus operated into a form of encryption.

Description

    APPARATUS FOR PROCESSING APPROXIMATELY ENCRYPTED MESSAGES AND METHODS THEREOF
  • The disclosure relates to an apparatus for performing a rebooting method for an approximately encrypted encryption effectively, and a method thereof.
  • As communication technologies are being developed, and distribution of electronic apparatuses is becoming active, continuous efforts for maintaining communication security among electronic apparatuses are being made. Accordingly, in most communication environments, encryption/decryption technologies are being used.
  • When a message encrypted by an encryption technology is transmitted to a counterpart, the counterpart has to perform decryption to use the message. In this case, waste of resources and time occurs in the process that the counterpart decrypts the encrypted data. Also, there is a problem that, in case hacking by a third party occurs while the counterpart temporarily decrypted the message for an operation, the message can be easily leaked to the third party.
  • For overcoming such a problem, a homomorphic encryption method is being researched. According to homomorphic encryption, even if an operation is performed in an encryption itself without decrypting encrypted information, the same result as a value which is a result of performing an operation for a plain text and encrypting the text can be achieved. Accordingly, various types of operations can be performed while an encryption is not decrypted.
  • However, as an operation proceeds, q in a homomorphic encryption is reduced, and thus it becomes impossible to proceed with the operation anymore. For preventing this, a rebooting method is being applied.
  • However, a conventional rebooting method requires a large amount of calculation or the accuracy of calculation is low. Accordingly, there is a demand for a rebooting method which can reduce the amount of calculation, and at the same time, of which accuracy of calculation is high.
  • Accordingly, the disclosure was devised for overcoming the aforementioned problem, and the purpose of the disclosure is in providing an apparatus for performing a rebooting operation for an approximately encrypted encryption effectively, and a method thereof.
  • The disclosure is for achieving the aforementioned purpose, and a method for processing a homomorphic encryption according to an embodiment of the disclosure includes the steps of linearly transforming a homomorphic encryption for an approximate message including an error, performing an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transforming the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • In this case, the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • Meanwhile, in the step of performing an approximate modulus operation, a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times may be set, and an approximate modulus operation may be performed by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • Meanwhile, the step of linearly transforming a homomorphic encryption may include the steps of converting the homomorphic encryption into a form of polynomial, and applying the converted homomorphic encryption to a predefined matrix.
  • In this case, in the applying step, the predefined matrix may be decomposed into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and the homomorphic encryption may be applied sequentially to the plurality of block diagonal matrices.
  • In this case, in the applying step, the homomorphic encryption may be applied to the plurality of block diagonal matrices in units of two continuous matrices.
  • Meanwhile, an operation apparatus according to an embodiment of the disclosure may include a memory storing a homomorphic encryption for an approximate message including an error, and a processor performing an operation for the homomorphic encryption. The processor may linearly transform the homomorphic encryption for an approximate message including an error, perform an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transform the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • In this case, the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • Meanwhile, the processor may set a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times, and perform an approximate modulus operation by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • Meanwhile, the processor may convert the homomorphic encryption into a form of polynomial, and linearly transform the homomorphic encryption by applying the converted homomorphic encryption to a predefined matrix.
  • In this case, the processor may decompose the predefined matrix into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and linearly transform the homomorphic encryption by applying the homomorphic encryption sequentially to the plurality of block diagonal matrices.
  • Meanwhile, the processor may linearly transform the homomorphic encryption by applying the homomorphic encryption to the plurality of block diagonal matrices in units of two continuous matrices.
  • According to the aforementioned various embodiments of the disclosure, as an approximate polynomial optimized for homomorphic encryptions is used, it is possible to perform a modulus operation faster and with high accuracy. Also, as linear transformation is performed by using a plurality of block diagonal matrices, it is possible to operate with low operation complexity, and accordingly, a faster operation becomes possible.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure;
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure;
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure;
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure;
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure;
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure;
  • FIG. 7 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure;
  • FIG. 8 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure;
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure;
  • FIG. 10 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure; and
  • FIG. 11 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure.
  • Hereinafter, the disclosure will be described in detail with reference to the accompanying drawings. Meanwhile, for the information (data) transferring process performed in the disclosure, encryption/decryption may be applied depending on needs, and all the expressions explaining the information (data) transferring process in the disclosure and the appended claims are to be interpreted to include cases of performing encryption/decryption, even if there is no separate mention in that regard. Also, in the disclosure, expressions such as "transfer (transmit) from A to B" and "A receives from B" include the case wherein an object is transferred (transmitted) or received with another medium included in between, and does not necessarily express only the case wherein an object is directly transferred (transmitted) from A to B.
  • In the description of the disclosure, the order of each step should be understood in a nonrestrictive way, unless a preceding step should necessarily be performed prior to a subsequent step in a logical and temporal sense. That is, excluding an exceptional case as above, even if a process described as a subsequent step is performed prior to a process described as a preceding step, there would be no influence on the essence of the disclosure, and the scope of the disclosure should also be defined regardless of the orders of steps. Further, the description "A or B" in this specification is defined to include not only a case wherein one of A or B is selectively referred to, but also a case wherein both of A and B are included. In addition, the term "include" in this specification has a meaning including a case wherein elements other than elements listed as being included are further included.
  • In addition, in the disclosure, only essential elements necessary for describing the disclosure are described, and elements not related to the essence of the disclosure are not mentioned. Also, the descriptions of the disclosure should not be interpreted to have an exclusive meaning of including only the elements mentioned, but to have a non-exclusive meaning of also including other elements.
  • Also, in the disclosure, "a value" is defined as a concept including a vector as well as a scalar value.
  • In addition, the mathematical operations and calculations in each step of the disclosure that will be described below may be implemented as computer operations by a known coding method for performing the operations or calculations and/or coding devised to be appropriate for the disclosure.
  • Further, the specific mathematical formulae that will be described below are suggested as examples among several possible alternatives, and the scope of the disclosure is not intended to be interpreted to be limited to the mathematical formulae mentioned in the disclosure.
  • For the convenience of explanation, symbols in the disclosure are defined as follows.
  • a ← D : Element a is selected according to distribution D.
  • s1, s2 ∈ R : Each of s1 and s2 is an element belonging to group R.
  • mod(q) : A modular operation is performed with element q.
  • 「-」: The internal value is rounded off.
  • Hereinafter, various embodiments of the disclosure will be described in detail with reference to the accompanying drawings.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure.
  • Referring to FIG. 1, a network system may include a plurality of electronic apparatuses 100-1 ~ 100-n, a first server apparatus 200, and a second server apparatus 300, and each component may be connected with one another through a network 10.
  • The network 10 may be implemented as various forms of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each apparatus may be connected by methods such as WiFi, Bluetooth, Near Field Communication (NFC), etc. without a separate medium.
  • In FIG. 1, it was illustrated that there are a plurality of electronic apparatuses 100-1 ~ 100-n, but a plurality of electronic apparatuses do not necessarily have to be used, and one apparatus may be used. As an example, the electronic apparatuses 100-1 ~ 100-n may be implemented as various forms of apparatuses such as a smartphone, a tablet, a game player, a PC, a laptop PC, a home server, a kiosk, etc., and other than the above, the electronic apparatuses may also be implemented in the form of home appliances to which an IoT function has been applied.
  • A user may input various information through the electronic apparatuses 100-1 ~ 100-n he or she uses. The information input may be stored in the electronic apparatuses 100-1 ~ 100-n themselves, but it may also be transferred to an external apparatus and stored for reasons such as the storage capacity and security, etc. In FIG. 1, the first server apparatus 200 may perform a role of storing such information, and the second server apparatus 300 may perform a role of using a portion or all of the stored information.
  • Each electronic apparatus 100-1 ~ 100-n may homomorphically encrypt the information input and transfer the homomorphic encryption to the first server apparatus 200.
  • Also, each electronic apparatus 100-1 ~ 100-n may include an encryption noise calculated in the process of performing homomorphic encryption, i.e., an error in an encryption. Specifically, a homomorphic encryption generated in each electronic apparatus 100-1 ~ 100-n may be generated in a form wherein a result value including a message and an error value is restored when the encryption is decrypted by using a secret key later.
  • As an example, homomorphic encryptions generated in the electronic apparatuses 100-1 ~ 100-n may be generated in forms satisfying a property as follows when they are decrypted by using a secret key.
  • [Formula 1]
  • Dec(ct, sk) = <ct, sk> = M+e(mod q)
  • Here, < , > means a usual inner product, ct means an encryption, sk means a secret key, M means a plain text message, e means an encryption error value, and mod q means a modulus of the encryption. q should be selected to be bigger than the result value M of multiplying a scaling factor △ and the message. If the absolute value of the error value e is sufficiently smaller than M, the decryption value M+e of the encryption is a value that can replace the original message with the same degree of precision in a significant figure operation. In the decrypted data, the error may be arranged on the side of the least significant bit (LSB), and M may be arranged on the side of the second least significant bit.
  • In case the size of a message is too small or too big, the size may be adjusted by using a scaling factor. If a scaling factor is used, not only a message in the form of an integer but also a message in the form of a real number can be encrypted, and thus usability can be improved greatly. Also, by adjusting the size of a message by using a scaling factor, the size of an area wherein messages exist in an encryption after an operation is performed, i.e., an effective area can be adjusted.
  • Depending on embodiments, an encryption modulus q may be used while being set in various forms. As an example, a modulus of an encryption may be set in the form of q=△^L which is an exponentiation of a scaling factor △. If △ is 2, the modulus may be set as a value such as q=2^10.
  • The first server apparatus 200 may not decrypt a received homomorphic encryption, but store it in a state of an encryption.
  • The second server apparatus 300 may request a result of specific processing for the homomorphic encryption to the first server apparatus 200. The first server apparatus 200 may perform a specific operation according to the request of the second server apparatus 300, and transfer the result to the second server apparatus 300.
  • As an example, in case encryptions ct1, ct2 transferred from two electronic apparatuses 100-1, 100-2 are stored in the first server apparatus 200, the second server apparatus 300 may request a value of summing up the information provided from the two electronic apparatuses 100-1, 100-2 to the first server apparatus 200. The first server apparatus 200 may perform an operation of summing up the two encryptions according to the request, and then transfer the result value (ct1 + ct2) to the second server apparatus 300.
  • By virtue of the property of a homomorphic encryption, the first server apparatus 200 may perform an operation while a homomorphic encryption is not decrypted, and a result value thereof also becomes a form of encryption. In the disclosure, a result value acquired by an operation is referred to as an operation result encryption.
  • The first server apparatus 200 may transfer an operation result encryption to the second server apparatus 300. The second server apparatus 300 may decrypt the received operation result encryption, and acquire an operation result value of data included in each homomorphic encryption.
  • The first server apparatus 200 may perform operations a number of times according to a user request. In this case, the proportion of an approximate message in an operation result encryption acquired for each operation varies. If the proportion of an approximate message exceeds a threshold, the first server apparatus 200 may perform a rebooting operation. As described above, the first server apparatus 200 may perform an operating operation, and thus it may also be referred to as an operation apparatus.
  • Specifically, if q is smaller than M in the aforementioned formula 1, M+e(mod q) will have a different value from M+e, and thus decryption becomes impossible. Accordingly, the q value should always be maintained to be bigger than M. However, as an operation proceeds, the q value decreases gradually. Accordingly, an operation of changing the q value to be always bigger than M is needed, and such an operation is referred to as a rebooting operation. As such a rebooting operation is performed, the encryption may become a state of being operable again. Specific operations related to rebooting will be described later with reference to FIGS. 3 to 6.
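Added example, not the disclosure's scheme: a toy one-coefficient cipher with the decryption property of formula 1, used only to show where M and e sit after decryption and what happens when q is not bigger than M. The key, noise bound, sample messages and function names are constructed, and the parameters offer no security.

```python
import random

DELTA = 2 ** 10   # scaling factor (constructed value)


def keygen(q, rng):
    """Secret key sk = (1, s). A single coefficient, so NOT secure."""
    return (1, rng.randrange(q))


def encrypt(m, sk, q, rng, noise=4):
    """Scale the real message to M = round(DELTA * m), add a small error e,
    and mask M + e with a random a: ct = (M + e - a*s, a) mod q."""
    big_m = round(m * DELTA)
    e = rng.randint(-noise, noise)
    a = rng.randrange(q)
    return ((big_m + e - a * sk[1]) % q, a)


def decrypt(ct, sk, q):
    """Formula 1: <ct, sk> mod q, returned as the centred value M + e."""
    v = (ct[0] * sk[0] + ct[1] * sk[1]) % q
    return v - q if v > q // 2 else v


def add(ct1, ct2, q):
    """Homomorphic addition: component-wise sum of two encryptions."""
    return ((ct1[0] + ct2[0]) % q, (ct1[1] + ct2[1]) % q)


def decode(v):
    """Undo the scaling; the error e ends up in the low-order digits."""
    return v / DELTA


def demo(level, m1=3.14159, m2=2.71828, seed=1):
    """Encrypt m1 and m2 under q = DELTA**level, add them in encrypted form,
    then decrypt and decode the sum."""
    q = DELTA ** level
    rng = random.Random(seed)          # fixed seed: reproducible sample run
    sk = keygen(q, rng)
    ct = add(encrypt(m1, sk, q, rng), encrypt(m2, sk, q, rng), q)
    return decode(decrypt(ct, sk, q))


if __name__ == "__main__":
    print("q = DELTA^3:", demo(3))   # close to m1 + m2
    print("q = DELTA^1:", demo(1))   # q < M, so M + e wraps around mod q
```

With q = DELTA^1 the scaled sum exceeds q, so the decrypted value differs from m1 + m2 by a multiple of q/DELTA, which is the state a rebooting operation is meant to prevent.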
  • Meanwhile, in FIG. 1, a case wherein encryption is performed at a first electronic apparatus and a second electronic apparatus, and the second server apparatus performs decryption is illustrated, but the disclosure is not necessarily limited thereto.
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure.
  • Specifically, apparatuses performing homomorphic encryption as the first electronic apparatus, the second electronic apparatus, etc., apparatuses operating a homomorphic encryption such as the first server apparatus, etc., and apparatuses decrypting a homomorphic encryption such as the second server apparatus, etc. in the system in FIG. 1 may be referred to as operation apparatuses. Such operation apparatuses may be various apparatuses like personal computers (PCs), laptop computers, smartphones, tablets, servers, etc.
  • Referring to FIG. 2, an operation apparatus 400 may include a communication device 410, a memory 420, a display 430, a manipulation input device 440, and a processor 450.
  • The communication device 410 is formed to connect the operation apparatus 400 with an external apparatus (not shown), and it may not only be a form of being connected with an external apparatus through a Local Area Network (LAN) and an Internet network, but also a form of being connected through a Universal Serial Bus (USB) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port. Such a communication device 410 may also be referred to as a transceiver.
  • The communication device 410 may receive a public key from an external apparatus, and transfer a public key generated by the operation apparatus 400 itself to an external apparatus.
  • Also, the communication device 410 may receive a message from an external apparatus, and transmit a generated homomorphic encryption to an external apparatus.
  • In addition, the communication device 410 may receive various types of parameters necessary for generating an encryption from an external apparatus. Meanwhile, in implementation, various types of parameters may be directly input from a user through the manipulation input device 440 that will be described below.
  • Further, the communication device 410 may receive a request for an operation for a homomorphic encryption from an external apparatus, and transfer a result calculated accordingly to an external apparatus.
  • The memory 420 is a component for storing an O/S for operating the operation apparatus 400 or various types of software, data, etc. The memory 420 may be implemented in various forms such as a RAM or a ROM, a flash memory, an HDD, an external memory, a memory card, and the like, but is not limited to a specific one.
  • Also, the memory 420 stores a message to be encrypted. Here, a message may be various types of credit information, personal information, etc. that a user cited in various ways, or it may be information related to use history such as location information used at the operation apparatus 400, information on the use time of the Internet, etc.
  • In addition, the memory 420 may store a public key, and in case the operation apparatus 400 is an apparatus that directly generated a public key, the memory 420 may store not only a secret key, but also various types of parameters necessary for generating a public key and a secret key.
  • Further, the memory 420 may store a homomorphic encryption generated in a process that will be described below. Also, the memory 420 may store a homomorphic encryption transferred from an external apparatus. In addition, the memory 420 may store an operation result encryption which is a result of an operation process that will be described below.
  • The display 430 displays a user interface window for receiving selection of functions supported by the operation apparatus 400. Specifically, the display 430 may display a user interface window for receiving selection of various functions provided by the operation apparatus 400. Such a display 430 may be a monitor such as a liquid crystal display (LCD) and organic light emitting diodes (OLEDs), and it may be implemented as a touch screen that can simultaneously perform the function of the manipulation input device 440 that will be described below.
  • Also, the display 430 may display a message requesting input of a parameter necessary for generating a secret key and a public key. In addition, the display 430 may display a message wherein a subject to be encrypted selects a message. Meanwhile, in implementation, a subject to be encrypted may be directly selected by a user, or selected automatically. That is, personal information, etc. which need to be encrypted may be set automatically even if a user does not directly select a message.
  • The manipulation input device 440 may receive selection of a function of the operation apparatus 400 and input of a control command for the function from a user. Specifically, the manipulation input device 440 may receive input of a parameter necessary for generating a secret key and a public key. Also, the manipulation input device 440 may receive setting of a message to be encrypted from a user.
  • The processor 450 controls each component inside the operation apparatus 400. Such a processor 450 may be constituted as a single device such as a central processing unit (CPU) and an application-specific integrated circuit (ASIC), or it may be constituted as a plurality of devices such as a CPU and a graphics processing unit (GPU).
  • When a message to be transferred is input, the processor 450 stores the message in the memory 420. Then, the processor 450 homomorphically encrypts the message by using various setting values and programs stored in the memory 420. In this case, a public key may be used.
  • The processor 450 may generate a public key necessary for performing encryption by itself and use it, or receive a public key from an external apparatus and use it. As an example, the second server apparatus 300 performing decryption may distribute a public key to other apparatuses.
  • In case the processor 450 generates a key by itself, the processor 450 may generate a public key by using a Ring-LWE technique. To explain in detail, the processor 450 may set various types of parameters and rings first, and store them in the memory 420. As examples of parameters, there may be the length of a plain text message bit, the sizes of a public key and a secret key, and the like.
  • A ring may be expressed with a formula as below.
  • [Formula 2]
  • Here, R means a ring, Zq means a coefficient, and f(x) means an n-th polynomial.
  • A ring is a group of polynomials having preset coefficients, and means a group wherein additions and multiplications are defined among elements, and which is closed with respect to additions and multiplications.
  • As an example, a ring means a group of n-th polynomials of which coefficients are Zqs. Specifically, when n is Φ(N), f(x) means an N-th cyclotomic polynomial. Meanwhile, (f(x)) means an ideal of Zq[x] generated by f(x). Also, an Euler totient function Φ(N) means the number of natural numbers which are coprime to N and are smaller than N. When Φ_N(x) is defined as an N-th cyclotomic polynomial, a ring may also be expressed as formula 3 as below.
  • [Formula 3]
  • A secret key sk may be expressed as below.
  • Meanwhile, the ring in the aforementioned formula 3 has a complex number in a plain text space. Meanwhile, for improving the operation speed for a homomorphic encryption, only a group wherein a plain text space is a real number may be used among the aforementioned groups of rings.
  • When a ring as described above is set, the processor 450 may calculate a secret key sk from the ring.
  • [Formula 4]
  • Here, s(x) means a polynomial which was randomly generated with a small coefficient.
  • Then, the processor 450 calculates a first random polynomial a(x) from the ring. The first random polynomial may be expressed as below.
  • [Formula 5]
  • Also, the processor 450 may calculate an error. Specifically, the processor 450 may extract an error from discrete Gaussian distribution or distribution of which statistical distance thereto is close. Such an error may be expressed as below.
  • [Formula 6]
  • When an error is calculated, the processor 450 may perform a modular operation on the first random polynomial and the error in the secret key and calculate a second random polynomial. The second random polynomial may be expressed as below.
  • [Formula 7]
  • Ultimately, a public key pk is set in the form of including the first random polynomial and the second random polynomial as below.
  • [Formula 8]
  • The aforementioned key generating method is merely an example, and thus the disclosure is not necessarily limited thereto, and a public key and a secret key can obviously be generated by methods other than the above.
  • Meanwhile, when a public key is generated, the processor 450 may control the communication device 410 such that the public key is transferred to other apparatuses.
  • Also, the processor 450 may generate a homomorphic encryption for a message. Specifically, the processor 450 may generate a homomorphic encryption by applying the public key generated previously to a message. Here, the processor 450 may generate the length of the encryption to correspond to the size of the scaling factor.
  • Then, when a homomorphic encryption is generated, the processor 450 may store the homomorphic encryption in the memory 420, or control the communication device 410 to transfer the homomorphic encryption to another apparatus according to a user request or a preset default command.
  • Meanwhile, according to an embodiment of the disclosure, packing may be performed. If packing is used in homomorphic encryption, it becomes possible to encrypt a plurality of messages into one encryption. In this case, if operations among each encryption are performed at the operation apparatus 400, operations for a plurality of messages are ultimately processed in parallel, and thus burden of operations gets to be reduced greatly.
  • Specifically, in case a message consists of a plurality of message vectors, the processor 450 may convert the message into a polynomial in a form which can encrypt the plurality of message vectors in parallel, and then multiply the polynomial with the scaling factor and perform homomorphic encryption by using a public key. Accordingly, an encryption wherein a plurality of message vectors are packed may be generated.
  • Then, in case decryption of the homomorphic encryption is necessary, the processor 450 may generate a decryption in the form of a polynomial by applying a secret key to the homomorphic encryption, and generate a message by decoding the decryption in the form of a polynomial. Here, the generated message may include an error as mentioned in formula 1 described above.
  • Also, the processor 450 may perform an operation for an encryption. Specifically, the processor 450 may perform an operation such as an addition and a multiplication for a homomorphic encryption while the homomorphic encryption is maintained in an encrypted state. Specifically, the processor 450 may process each homomorphic encryption to be used for an operation as a first function, and perform an operation such as an addition and a multiplication between homomorphic encryptions processed as first functions, and process the homomorphic encryptions for which an operation was performed as second functions which are reverse functions of the first functions. For such first function processing and second function processing, a linear transformation technology in a rebooting process that will be described below may be used.
  • Meanwhile, when an operation is completed, the operation apparatus 400 may detect data in an effective area from the operation result data. Specifically, the operation apparatus 400 may detect data in an effective area by performing rounding processing for the operation result data. Rounding processing means proceeding round-off of a message in an encrypted state, and it may also be referred to differently as rescaling. Specifically, the operation apparatus 400 multiplies each component of an encryption with △^-1, which is the reciprocal of the scaling factor, and performs round-off, and thereby removes a noise area. A noise area may be determined to correspond to the size of the scaling factor. Ultimately, a message in an effective area from which a noise area has been removed can be detected. As the above process proceeds in an encrypted state, an additional error occurs, but the size of the error is sufficiently small, and thus it can be ignored.
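  • As an added example (not code from the disclosure), the key generation, encryption, decryption and rounding steps described above can be exercised end to end in Python. It assumes f(x) = x^n + 1, the sign convention b = -a·s + e (mod q), ternary small polynomials, a clamped rounded Gaussian error and toy parameter sizes; messages are placed directly in coefficients, with no packing.

```python
import random

N = 16             # ring dimension n (assumed toy size, far too small to be secure)
DELTA = 1 << 20    # scaling factor (assumed)
Q = 1 << 50        # initial ciphertext modulus q (assumed)
BOUND = 19         # errors are clamped to about 6 sigma for sigma = 3.2

def centered(c, q):
    """Representative of c mod q in (-q/2, q/2]."""
    c %= q
    return c - q if c > q // 2 else c

def polymul(a, b, q):
    """Product in Z_q[x]/(x^N + 1): x^N wraps around as -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [c % q for c in out]

def polyadd(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def small_poly(rng):
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def error_poly(rng):
    return [max(-BOUND, min(BOUND, round(rng.gauss(0, 3.2)))) for _ in range(N)]

def keygen(rng):
    s = small_poly(rng)                         # s(x): small coefficients
    a = [rng.randrange(Q) for _ in range(N)]    # first random polynomial a(x)
    e = error_poly(rng)                         # error
    b = polyadd([-c for c in polymul(a, s, Q)], e, Q)   # second polynomial b = -a*s + e
    return s, (b, a)

def encrypt(pk, values, rng):
    b, a = pk
    M = [round(DELTA * v) for v in values]      # real numbers become integers
    v = small_poly(rng)
    c0 = polyadd(polyadd(polymul(v, b, Q), error_poly(rng), Q), M, Q)
    c1 = polyadd(polymul(v, a, Q), error_poly(rng), Q)
    return (c0, c1), Q

def decrypt(s, ct, q):
    """c0 + c1*s mod q equals M + e; dividing by DELTA gives the approximate message."""
    c0, c1 = ct
    raw = polyadd(c0, polymul(c1, s, q), q)
    return [centered(c, q) / DELTA for c in raw]

def mul_const(ct, q, c):
    """Multiply by the scaled constant round(DELTA*c); the scale becomes DELTA^2."""
    k = round(DELTA * c)
    return tuple([(k * x) % q for x in comp] for comp in ct), q

def rescale(ct, q):
    """Multiply each component by 1/DELTA and round; the modulus drops to q/DELTA."""
    half, q2 = DELTA // 2, q // DELTA
    return tuple([((centered(x, q) + half) // DELTA) % q2 for x in comp]
                 for comp in ct), q2

def demo(seed=1):
    # Seeded PRNG for reproducibility only; real key generation needs a CSPRNG.
    rng = random.Random(seed)
    s, pk = keygen(rng)
    values = [0.5, -1.25, 3.0, 2.75] + [0.0] * (N - 4)   # constructed sample input
    ct, q = encrypt(pk, values, rng)
    plain = decrypt(s, ct, q)
    ct2, q2 = rescale(*mul_const(ct, q, 1.5))
    scaled = decrypt(s, ct2, q2)
    return values, plain, scaled, q, q2
```

Each multiplication followed by rounding shrinks the modulus by a factor of the scaling factor, which is why the q value eventually becomes too small and rebooting is needed.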
  • Also, if the proportion of an approximate message in an operation result encryption exceeds a threshold, the operation apparatus 400 may perform a rebooting operation for the encryption. A rebooting operation will be described below with reference to FIGS. 3 to 5.
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure. Specifically, in FIG. 3, operation and rebooting processes for two homomorphic encryptions 10, 20 are illustrated.
  • Each homomorphic encryption 10, 20 may respectively include approximate message areas 11, 21. In the approximate message areas 11, 21, messages and errors m1+e1, m2+e2 are included together.
  • The operation apparatus 400 may perform a specific operation by using the two homomorphic encryptions 10, 20 as input values.
  • The operation result encryption 30 may include an approximate message area 31 including the operation result m3+e3 between each approximate message. As the operation result becomes bigger than the input value, an approximate message area also becomes bigger, and accordingly, the remaining plain text space 32 decreases. If such an operation is performed several times, the remaining plain text space 32 ultimately disappears or becomes smaller than the threshold, and thus an operation cannot be performed. If such a state is determined, the operation apparatus 400 can perform a rebooting operation. A specific rebooting operation will be described with reference to FIG. 5.
  • It can be seen that in an encryption 40 for which rebooting was performed, an approximate message area 41 was decreased, but instead, a plain text space 42 was extended. There is a slight difference between the approximate message m3+e3 in the encryption before rebooting and the approximate message m3'+e3' in the encryption after rebooting, but the difference in the size of an error is small, and thus there is no big difference compared to the original message.
  • A conventional encryption/decryption mechanism is designed such that data after decryption becomes the same as the original plain text, but according to an embodiment of the disclosure, an approximate message is output instead of exactly the same plain text. Ultimately, an error necessary for safety and an error generated through an operation of effective numbers are included and treated as a noise, and thus an operation of real numbers becomes possible in an encrypted state, and efficiency of encryption/decryption can be increased.
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure.
  • Referring to FIG. 4, the first operation apparatus 400-1 and the second operation apparatus 400-2 may homomorphically encrypt a message m1 and a message m2 respectively, and output homomorphic encryptions E_L(m1') and E_L(m2').
  • The third operation apparatus 400-3 may perform an operation for the homomorphic encryptions E_L(m1') and E_L(m2'), and output an operation result encryption E_{L-i}(m3'). Here, L means a modulus level of the encryption. As the operation is repeated, the modulus level continuously decreases. For example, if the depth of an operation that the third operation apparatus 400-3 seeks to perform in an encrypted state is i, the modulus level decreases as much as i. Accordingly, if a modulus level drops below the threshold, a further operation for the homomorphic encryptions becomes impossible.
  • In FIG. 4, the threshold was set as level 1. Accordingly, it can be seen that the homomorphic encryptions E_1(m4') and E_1(m5') of level 1 cannot be operated.
  • In case the modulus level is lower than the threshold, the third operation apparatus 400-3 may reboot each of E_1(m4') and E_1(m5'), and generate E_{L'}(m4") and E_{L'}(m5"). By rebooting, the modulus level becomes level L' which is almost similar to L, and the approximate message also changes from m4' and m5' to m4" and m5" which are almost similar.
  • The third operation apparatus 400-3 may operate the rebooted encryptions, and provide an operation result encryption E_{L'-i}(m6") to the fourth operation apparatus 400-4. The operation result encryption ultimately operated may be expressed as the following formula.
  • [Formula 9]
  • The fourth operation apparatus 400-4 may decrypt the operation result encryption and acquire an approximate message m6".
  • For decryption, the fourth operation apparatus 400-4 may use additional information. As described above, additional information may be a scaling factor changed during an operation process, a modulus value used for extension of a plain text space, etc. If a changed scaling factor is △', a decrypted approximate message may be m6"/△'. Accordingly, even if a plain text in a real number is integerized in an encryption process, it can be restored to a real number again in decryption. Also, a modulus value in additional information may be used as a modulus of a ring R in formula 9.
  • The fourth operation apparatus 400-4 may ultimately acquire m6" through decryption.
  • Meanwhile, in illustrating and explaining FIG. 4, it was explained that a rebooting operation for input homomorphic encryptions is performed before an operation of two encryptions, but in implementation, a rebooting operation for an operation result may be performed as in FIG. 3.
  • Hereinafter, a specific rebooting operation will be explained with reference to FIG. 5.
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure.
  • Referring to FIG. 5, a homomorphic encryption for an approximate message including an error is linearly transformed at operation S510. Specifically, in a homomorphic encryption, a plurality of encryptions may be packed as described above. Thus, the homomorphic encryption may be converted into a form of polynomial for calculating the plurality of encryptions.
  • Next, the homomorphic encryption converted into a form of polynomial may be applied to a predefined matrix (specifically, formula 10 below). Specifically, a polynomial of a homomorphic encryption consists of complex numbers as explained above. Thus, linear transformation may be performed by using a predefined matrix for converting each coefficient of the polynomial into a form of being put in a slot. Here, a predefined matrix may be a discrete Fourier transform (DFT) matrix.
  • Meanwhile, in implementation, linear transformation may be performed by using a plurality of block diagonal matrices for performing linear transformation faster. Here, a block diagonal matrix is a matrix wherein there is a value in the diagonal component, and the other values are 0. The reason that a plurality of block diagonal matrices may be used and an effect thereof will be described in detail in the lower part of FIG. 5.
  • When linear transformation is completed, an approximate modulus operation may be performed at operation S520. Specifically, the linearly transformed homomorphic encryption may be approximately modulus operated by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point. An approximate modulus operating operation according to the disclosure will be described later with reference to FIG. 9.
  • When an approximate modulus operation is completed, the homomorphic encryption that was approximately modulus operated is linearly transformed in a form of encryption at operation S530. Specifically, the homomorphic encryption that was approximately modulus operated may be converted into a form of polynomial by using an inverse matrix corresponding to the matrix used in linear transformation of the homomorphic encryption previously, and the converted polynomial may be converted into a form of encryption.
  • As described above, in a rebooting operation according to an embodiment of the disclosure, an approximate modulus operation is performed through a multi-degree polynomial calculated by a characteristic of a homomorphic encryption. Accordingly, a faster rebooting operation can be performed. Also, in linear transformation, operation processing is performed by decomposing a preset matrix into a plurality of block diagonal matrices, and thus it is possible to perform an operation with low operation complexity.
  • Hereinafter, the aforementioned linear transformation operation will be described in more detail.
  • For a homomorphic encryption, packing may be applied. That is, several messages are encrypted into one message. In this aspect, an operation of linearly transforming a packed homomorphic encryption is an important operation in homomorphic encryption.
  • Such linear transformation is modification of coefficients of a homomorphic encryption expressed as a polynomial into slots. For such an operation, a discrete Fourier transform (DFT) matrix may be used. The aforementioned DFT matrix may be indicated as formula 10 below.
  • [Formula 10]
  • Here, U means a DFT matrix, and , and . Also, N means a polynomial ring dimension.
  • Meanwhile, if a homomorphic encryption is applied to such a DFT matrix as it is, the calculation complexity becomes O(n). As can be seen above, in case a DFT matrix is applied as it is, the calculation complexity is high.
  • Meanwhile, in case there are only small numbers in a matrix, a multiplication operation between the matrix and a vector may become fast. For this, a matrix as the aforementioned formula 10 may be factorized and decomposed into a plurality of sparse matrices. Specifically, for decomposing a matrix, a recursive FFT Cooley-Tukey algorithm may be used, and the method thereof is as formula 11.
  • [Formula 11]
  • Here, , and .
  • If a method as above is repeatedly applied, a DFT matrix may be decomposed into log_2 n matrices. The following formula 12 indicates the form of the recursive matrices.
  • [Formula 12]
  • Here, k/2 is a diagonal block, and a DFT matrix can be expressed as formula 13 as follows.
  • [Formula 13]
  • As described above, a DFT matrix may be decomposed into sparse diagonal matrices, and in the disclosure, linear transformation may be performed by using decomposed sparse diagonal matrices (or block diagonal matrices). Hereinafter, it will be explained why an operation using a plurality of sparse diagonal matrices is more effective than using one DFT matrix.
  • If a multiplication of a matrix and a vector is expressed as a Hadamard multiplication and a vector movement, it is as formula 14 as follows.
  • [Formula 14]
  • A matrix-vector multiplication algorithm as described above is effective for a matrix M that has only a small number of non-zero diagonal vectors. That is, diag_i(M) is a non-zero vector for only a small number of i. Such a matrix is referred to as a sparse diagonal matrix. In case a sparse diagonal matrix M satisfies diag_i(M)=0 for i, there is no need to calculate rot_i(v). That is, the number of movements in this process becomes the number of non-zero diagonal lines.
  • Accordingly, in a calculation for a homomorphic encryption for a decomposed matrix, calculation complexity can be reduced to O(log n). A calculation process using a decomposed matrix may be performed as in FIG. 6. A calculation method using a decomposed matrix will be explained below with reference to FIG. 6.
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure.
  • Referring to FIG. 6, each loop includes two homomorphic rotations and three constant vector multiplications. Specifically, a left rotation operation for n/2 is identical to a right rotation operation for n/2. For this reason, in case i=1, there is no need to calculate a left rotation and a right rotation. Accordingly, homomorphic rotations can be reduced, and thus the operation in FIG. 6 includes only homomorphic rotations as many as (2 log_2 n - 1) and constant calculations as many as (3 log_2 n).
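  • The following added example (not part of the disclosure) applies the Hadamard-multiplication-and-rotation method to a dense DFT matrix and to its Cooley-Tukey butterfly factors, on unencrypted vectors, and counts rotations and constant vector multiplications. It assumes the plain DFT matrix with ω = e^(-2πi/n) and performs the bit-reversal permutation in the clear; all function names are illustrative.

```python
import cmath

def rot(v, i):
    """Cyclic left rotation by i slots: rot(v, i)[j] == v[(j + i) % n]."""
    i %= len(v)
    return v[i:] + v[:i]

def apply_diagonals(diags, v, stats):
    """Compute M*v as the sum over i of diag_i(M) (Hadamard product) rot_i(v).

    diags is a list of (shift, diagonal) pairs with diagonal[j] = M[j][(j + shift) % n].
    A rotation is counted once per distinct non-zero shift; diagonals that are
    identically zero are simply not listed, so they cost nothing.
    """
    n = len(v)
    cache = {0: v}
    acc = [0j] * n
    for shift, d in diags:
        s = shift % n
        if s not in cache:
            cache[s] = rot(v, s)
            stats["rotations"] += 1
        stats["const_mults"] += 1
        acc = [a + x * y for a, x, y in zip(acc, d, cache[s])]
    return acc

def dense_dft_diagonals(n):
    """All n diagonals of the dense DFT matrix M[j][c] = w^(j*c), w = exp(-2*pi*i/n)."""
    def entry(j, c):
        return cmath.exp(-2j * cmath.pi * ((j * c) % n) / n)
    return [(i, [entry(j, (j + i) % n) for j in range(n)]) for i in range(n)]

def butterfly_diagonals(n, k):
    """The three non-zero diagonals of the sparse factor built from size-k butterflies."""
    h = k // 2
    def w(t):
        return cmath.exp(-2j * cmath.pi * t / k)
    main = [1 if j % k < h else -w(j % k - h) for j in range(n)]   # shift 0
    upper = [w(j % k) if j % k < h else 0 for j in range(n)]       # shift +k/2
    lower = [0 if j % k < h else 1 for j in range(n)]              # shift -k/2
    return [(0, main), (h, upper), (-h, lower)]

def bit_reverse(v):
    n = len(v)
    bits = n.bit_length() - 1
    return [v[int(format(j, f"0{bits}b")[::-1], 2)] for j in range(n)]

def dft_dense(v):
    stats = {"rotations": 0, "const_mults": 0}
    return apply_diagonals(dense_dft_diagonals(len(v)), v, stats), stats

def dft_sparse(v):
    """DFT as a product of log2(n) sparse factors; n must be a power of two >= 2."""
    stats = {"rotations": 0, "const_mults": 0}
    n = len(v)
    x = bit_reverse(v)
    k = 2
    while k <= n:
        # For k == n the shifts +n/2 and -n/2 coincide, so one rotation is reused.
        x = apply_diagonals(butterfly_diagonals(n, k), x, stats)
        k *= 2
    return x, stats

if __name__ == "__main__":
    sample = [complex(j, -j / 2) for j in range(16)]   # constructed input
    print(dft_dense(sample)[1], dft_sparse(sample)[1])
```

For n = 16 the factored form uses 7 rotations where the dense matrix uses 15, but the factors are applied one after another, so the multiplicative depth grows with log_2 n.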
  • Meanwhile, in case a homomorphic encryption is linearly transformed by the aforementioned method, complexity becomes low, but instead, depth increases. Accordingly, for adjusting complexity and depth appropriately, two block diagonal matrices may be grouped into one as in formula 15 below.
  • [Formula 15]
  • In formula 15 as above, an original matrix is decomposed into log_4 n matrices as in formula 16 below.
  • [Formula 16]
  • Here, if formula 16 is expressed again by using r = 2^k, it is as follows.
  • [Formula 17]
  • If a content as above is reflected to formula 14, linear transformation can be expressed as formula 18 as follows.
  • [Formula 18]
  • Here, m i = diag ℓi(M), and k 1 k 2 = t.
  • For an operation as above, homomorphic rotations as many as and constant vector calculations as many as are needed. Through such an operation, complexity slightly increases compared to the previous method, but the depth becomes lower than in the previous method. Here, a slight increase in complexity just means that complexity increases compared to a method of using a DFT matrix by converting it into a plurality of block diagonal matrices by a method as in formula 13, and complexity is lower than the case of using a DFT matrix as it is.
  • A linear transformation operation as above may be used not only in linear transformation in a rebooting process, but in various processes wherein there is a need to convert a coefficient of a polynomial into a slot such as an encoding process in a process of generating a homomorphic encryption.
  • Meanwhile, for linear transformation after an approximate modulus operation, an inverse matrix of a matrix described above may be used, and an inverse matrix may also be decomposed into block diagonal matrices as below, and an operation may be performed with a plurality of decomposed block diagonal matrices.
  • [Formula 19]
  • Formula 19 may be decomposed into matrices in specific forms having useful attributes as in formula 20 below.
  • [Formula 20]
  • To express in a different way, 2 i which is a divisor of n may be expressed as a formula as below.
  • [Formula 21]
  • That is, an iDFT n RN matrix may also be decomposed into sparse diagonal matrices as DFT n NR, and it enables a fast operation.
  • FIGS. 7 and 8 are diagrams for illustrating an effect of a linear calculating operation according to the disclosure. Specifically, FIG. 7 is a diagram illustrating a timing result of setting of various radixes for an n = 2^12 dimension, and FIG. 8 is a diagram illustrating a timing result of various degrees having a radix 4.
  • Referring to FIG. 7, it can be seen that even if a radix increases, timing does not increase greatly.
  • Also, referring to FIG. 8, it can be seen that timing increases logarithmically with the dimension n. That is, it can be seen that a calculation is performed with a depth which is fairly fast and similar.
  • A result of an experiment in case linear transformation as described above is applied to each step of a homomorphic encryption operation is as shown in table 1 below.
  • [Table 1]
  • Referring to table 1, it can be seen that a linear transformation process is faster by 700 times compared to a conventional method, and a dramatic saving of time occurs not only in linear transformation but also in a key generating process.
  • Hereinafter, the aforementioned approximate modulus operating operation will be explained in detail.
  • If a target to be calculated is determined in advance, there may be a little need for a rebooting method, but in a machine learning process which is becoming an issue recently, there are many situations wherein it cannot be figured out when processes of learning will end. Accordingly, in the case of performing machine learning for encrypted data, the performance of a rebooting method is very important.
  • For a rebooting method, a decryption function should be calculated in an encrypted state. A decryption function is expressed as the aforementioned formula 7. Here, the main point is calculating mod q which is a modulus operation in an encrypted state.
  • In formula 7, each coefficient has a property that it is very small compared to a modulus value of an encryption which is q. Thus, when this property is used, a modulus operation is approximated as a sine function. Such a sine function can be expressed as formula 22 as follows.
  • [Formula 22]
  • For an approximate modulus operation, in order to operate a sine function in a homomorphically encrypted state, it is important to express the function as an addition and a multiplication in a given range [-K, K]. That is, as operations for a homomorphic encryption, only additions, subtractions, and multiplications are possible, and thus there is a need to replace a sine operation with an addition, a subtraction, and a multiplication for which a homomorphic encryption is possible. Here, a given range may be [-12, 12], but in case the environment changes, a different range may be used.
  • In the past, an approximate polynomial for a sine function was calculated by using a Taylor method, a Chebyshev method, etc., and the polynomial was used, but these methods could not use the characteristic that an input value of a sine function is very close to an integer point, and accordingly, there was a problem that the accuracy of a calculation is low or the depth of an operation is high.
  • Accordingly, in the disclosure, an approximate modulus operation method in consideration of the aforementioned characteristic is used.
  • If f refers to a function in C^{n+1}[a,b], and Pn(x) refers to a polynomial of degree ≤ n interpolating sin(2πx) (or cos(2πx)) at n+1 distinct points (x_0, x_1, …, x_n ∈ [a, b]), an error value can be calculated as formula 24 as follows. Meanwhile, formula 22 is expressed as a sine function, but a sine function and a cosine function can be converted into each other with only an x ← x - 1/4 shifting operation. Also, hereinafter, calculation of an approximate polynomial for a cosine function as in formula 23 as follows by using a double angle formula will be described.
  • [Formula 23]
  • [Formula 24]
  • In formula 24, it is difficult to exactly presume the term, but in case the function f is sin(2πx) (or cos(2πx)), it is limited by a constant. Accordingly, an error boundary of a polynomial is dependent on a different term, i.e., formula 25 as follows.
  • [Formula 25]
  • Here, x_0, x_1, …, x_n ∈ [a, b] are determined in advance, and are referred to as nodes. Accordingly, there is a need to select {x_i}_{1≤i≤n} such that the maximum value of w(x) in a specific domain for x is minimized.
  • In the disclosure, a node is selected at each interval within a -K < i < K range of all input values i. To be more exact, a node d i satisfying in a i ≤ j ≤ d i range in an interval I i is selected.
  • If a polynomial P_n of an n-th degree wherein n = Σd_i - 1, and which approximates a cos(2πx) function at n+1 points is assumed, P_n satisfies the following.
  • [Formula 26]
  • If formula 26 as described above is reflected to the following formula 27, the upper boundary is as formula 28.
  • [Formula 27]
  • Here, f(x) is a specific function (i.e., a sine function or a cosine function), and Pn(x) is an approximate polynomial.
  • [Formula 28]
  • Here, formula 27 has a condition of .
  • Referring to formula 28, it can be seen that the error boundary is reduced as a factor, and if is indicated, formula 29 as follows can be achieved.
  • [Formula 29]
  • Meanwhile, for each integer i, it is necessary to determine each coefficient d i. A method of determining a coefficient of a designed approximate polynomial will be explained below with reference to FIG. 9.
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure.
  • Referring to FIG. 9, in the initial stage, d_i is initialized as 1 for all i.
  • Then, each M_i is found, and an index having the maximum M_i is found. Afterwards, with i_0 = argmax M_i, d_{i_0} is increased by 1, and this operation is repeated until the total level (= Σd_i - 1) becomes the target level.
  • If a coefficient of an approximate polynomial is calculated by a method as above, an approximate modulus operation for a homomorphic encryption that was linearly transformed previously may be performed by using an approximate polynomial to which the calculated coefficient is reflected.
  • Meanwhile, the number of the aforementioned coefficient of an approximate polynomial, i.e., the degree of an approximate polynomial may be varied according to a user's selection, and it is preferable that one degree among 7th to 80th degrees is used. Such a degree may be determined by a result of various simulations, and in addition to the aforementioned degree, a range may be used.
  • Also, as the approximate polynomial calculated by the aforementioned process was calculated by applying a double angle operation, an approximate modulus operation may be performed by operating on the homomorphic encryption with the calculated approximate polynomial as many times as the double angle number of times. Here, a double angle operation uses the property that sin(2x)=2sin(x)cos(x).
  • For example, in case the q value of formula 22 is 32 (2^5), and if it is assumed that y=x/32, and an operation using an approximate polynomial calculated in the previous process for cos(2πy) is repeated five times, the value of cos(2πx/32) can be achieved, and through a rotation operation of this, the value of sin(2πx/32) can be calculated.
  • Hereinafter, the effect of an approximate modulus operation method using the aforementioned approximate polynomial will be explained.
  • FIGS. 10 and 11 are diagrams for illustrating an effect of an approximate modulus operation according to the disclosure. Specifically, FIGS. 10 and 11 are graphs indicating logical errors for a cosine function with respect to each of the disclosure and a conventional method. FIG. 10 illustrates a result of an experiment in which n=86 is fixed and ε is changed, and FIG. 11 illustrates a result of an experiment in which log_2 ε = -10 is fixed and n is changed.
  • Referring to FIGS. 10 and 11, it can be seen that the value in a method according to the disclosure is much smaller than the value in the conventional Chebyshev method. Also, it can be seen that the value in a method according to the disclosure is also smaller than the value in the conventional Hermite method having superior performance.
  • Meanwhile, the method for processing an encryption according to the aforementioned various embodiments may be implemented in the form of a program code for performing each step, and stored in a recording medium and distributed. In this case, an apparatus on which the recording medium is mounted may perform operations such as the aforementioned encryption and encryption processing, etc.
  • Such a recording medium may be any of various types of computer readable media such as a ROM, a RAM, a memory chip, a memory card, an external hard disk, a hard disk, a CD, a DVD, a magnetic disk or a magnetic tape, etc.
  • So far, the disclosure has been described with reference to the accompanying drawings, but the scope of the disclosure is intended to be determined by the appended claims, and is not intended to be interpreted as being limited to the aforementioned embodiments and/or drawings. Also, it should be clearly understood that alterations, modifications, and amendments of the disclosure described in the claims that are obvious to a person skilled in the art are also included in the scope of the disclosure.
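
The double-angle procedure described above for q = 32, as an added plaintext illustration (not code from the patent, and no encryption is involved): a polynomial approximates the cosine at an angle divided by 2^5, and five applications of cos(2a) = 2cos(a)^2 - 1 recover sin(2πx/32), which, scaled by 32/(2π), approximates the remainder of x modulo 32 when x is close to a multiple of 32. Assumptions of this example: a Taylor polynomial stands in for the patent's approximate polynomial, sine is obtained by a quarter-period shift of the input, and all function names are hypothetical.

```python
import math

Q = 32        # modulus from the page's example (2^5)
R = 5         # double-angle count: "repeated five times"
K = 12        # x/Q stays within [-12, 12], the range given in the claims

def cos_poly(theta, degree):
    """Degree-`degree` Taylor polynomial of cos, Horner form in theta^2.
    Stand-in (assumption) for the patent's own approximate polynomial."""
    z, acc = theta * theta, 0.0
    for k in range(degree // 2, -1, -1):
        acc = acc * z + (-1) ** k / math.factorial(2 * k)
    return acc

def approx_mod(x, degree=20, q=Q, r=R):
    """Approximate the centred remainder of x mod q for x = q*I + m, |m| << q,
    using only additions and multiplications after the initial scaling."""
    t = x / q
    # A quarter-period shift turns the final cosine into sin(2*pi*t);
    # dividing by 2^r keeps the polynomial's input interval small.
    theta = 2 * math.pi * (t - 0.25) / (1 << r)
    c = cos_poly(theta, degree)
    for _ in range(r):
        c = 2 * c * c - 1            # cos(2a) = 2*cos(a)^2 - 1
    return q / (2 * math.pi) * c     # c is now ~ sin(2*pi*x/q)

def worst_error(degree=20, eps_bits=10):
    """Max |approx_mod(x) - m| over I in [-K, K] with m = +/- q * 2^-eps_bits."""
    m = Q * 2.0 ** -eps_bits
    return max(abs(approx_mod(Q * i + s * m, degree) - s * m)
               for i in range(-K, K + 1) for s in (-1, 1))

if __name__ == "__main__":
    print("degree 20:", worst_error(20))  # limited by sin(u) ~ u, not the polynomial
    print("degree  8:", worst_error(8))   # polynomial error amplified by the doublings
```

Each doubling can multiply the polynomial's error by up to 4, so a polynomial that is too coarse on the reduced interval yields a visibly wrong remainder after five doublings.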

Claims (12)

  1. A method for processing a homomorphic encryption comprising:
    linearly transforming a homomorphic encryption for an approximate message including an error;
    performing an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point; and
    linearly transforming the homomorphic encryption which was approximately modulus operated into a form of encryption.
  2. The method for processing a homomorphic encryption of claim 1,
    wherein the multi-degree polynomial is a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range is from -12 to 12.
  3. The method for processing a homomorphic encryption of claim 1,
    wherein the performing an approximate modulus operation comprises:
    setting a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times, and performing an approximate modulus operation by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  4. The method for processing a homomorphic encryption of claim 1,
    wherein the linearly transforming a homomorphic encryption comprises:
    converting the homomorphic encryption into a form of polynomial; and
    applying the converted homomorphic encryption to a predefined matrix.
  5. The method for processing a homomorphic encryption of claim 4,
    wherein the applying comprises:
    decomposing the predefined matrix into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and applying the homomorphic encryption sequentially to the plurality of block diagonal matrices.
  6. The method for processing a homomorphic encryption of claim 5,
    wherein the applying comprises:
    applying the homomorphic encryption to the plurality of block diagonal matrices in units of two continuous matrices.
  7. An operation apparatus comprising:
    a memory storing a homomorphic encryption for an approximate message including an error; and
    a processor performing an operation for the homomorphic encryption,
    wherein the processor is configured to:
    linearly transform the homomorphic encryption for an approximate message including an error, perform an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transform the homomorphic encryption which was approximately modulus operated into a form of encryption.
  8. The operation apparatus of claim 7,
    wherein the multi-degree polynomial is a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range is from -12 to 12.
  9. The operation apparatus of claim 7,
    wherein the processor is configured to:
    set a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times, and perform an approximate modulus operation by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  10. The operation apparatus of claim 7,
    wherein the processor is configured to:
    convert the homomorphic encryption into a form of polynomial, and linearly transform the homomorphic encryption by applying the converted homomorphic encryption to a predefined matrix.
  11. The operation apparatus of claim 10,
    wherein the processor is configured to:
    decompose the predefined matrix into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and linearly transform the homomorphic encryption by applying the homomorphic encryption sequentially to the plurality of block diagonal matrices.
  12. The operation apparatus of claim 11,
    wherein the processor is configured to:
    linearly transform the homomorphic encryption by applying the homomorphic encryption to the plurality of block diagonal matrices in units of two continuous matrices.
EP19908950.9A 2019-01-10 2019-11-21 Apparatus for processing approximately encrypted messages and methods thereof Withdrawn EP3909193A4 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201962790806P 2019-01-10 2019-01-10
KR20190066572 2019-06-05
KR1020190112292A KR102167565B1 (en) 2019-01-10 2019-09-10 Apparatus for processing approximate encripted messages and methods thereof
PCT/KR2019/016001 WO2020145503A1 (en) 2019-01-10 2019-11-21 Apparatus for processing approximately encrypted messages and methods thereof

Publications (2)

Publication Number Publication Date
EP3909193A1 2021-11-17
EP3909193A4 2022-09-28

Family

ID=71832118

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19908950.9A Withdrawn EP3909193A4 (en) 2019-01-10 2019-11-21 Apparatus for processing approximately encrypted messages and methods thereof

Country Status (2)

Country Link
EP (1) EP3909193A4 (en)
KR (1) KR102167565B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117353898A (en) * 2023-12-04 2024-01-05 粤港澳大湾区数字经济研究院(福田) Fully homomorphic encryption method, system, terminal and medium for floating point number plaintext
CN117440103A (en) * 2023-12-20 2024-01-23 山东大学 Privacy data processing method and system based on homomorphic encryption and space optimization

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11637700B2 (en) 2020-08-14 2023-04-25 Samsung Electronics Co., Ltd. Method and apparatus with encryption based on error variance in homomorphic encryption
KR102304992B1 (en) * 2021-04-07 2021-09-27 서울대학교산학협력단 Apparatus for processing non-polynomial operation on homoprophic encrypted messages and methods thereof
US20240235809A1 (en) * 2021-07-05 2024-07-11 Crypto Lab Inc. Method for homomorphic encryption or decryption in consideration of spatial complexity
CN114745116B (en) * 2022-04-27 2024-04-05 浙江数秦科技有限公司 Method for safely exchanging secret key

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117353898A (en) * 2023-12-04 2024-01-05 粤港澳大湾区数字经济研究院(福田) Fully homomorphic encryption method, system, terminal and medium for floating point number plaintext
CN117353898B (en) * 2023-12-04 2024-03-26 粤港澳大湾区数字经济研究院(福田) Fully homomorphic encryption method, system, terminal and medium for floating point number plaintext
CN117440103A (en) * 2023-12-20 2024-01-23 山东大学 Privacy data processing method and system based on homomorphic encryption and space optimization
CN117440103B (en) * 2023-12-20 2024-03-08 山东大学 Privacy data processing method and system based on homomorphic encryption and space optimization

Also Published As

Publication number Publication date
EP3909193A4 (en) 2022-09-28
KR102167565B1 (en) 2020-10-19
KR20200087061A (en) 2020-07-20

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210810

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20220829

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/00 20060101AFI20220823BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20230116