EP3909193A1 - Appareil de traitement de messages approximativement chiffrés et procédés associés - Google Patents

Appareil de traitement de messages approximativement chiffrés et procédés associés

Info

Publication number
EP3909193A1
EP3909193A1 EP19908950.9A EP19908950A EP3909193A1 EP 3909193 A1 EP3909193 A1 EP 3909193A1 EP 19908950 A EP19908950 A EP 19908950A EP 3909193 A1 EP3909193 A1 EP 3909193A1
Authority
EP
European Patent Office
Prior art keywords
homomorphic encryption
encryption
approximate
polynomial
homomorphic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP19908950.9A
Other languages
German (de)
English (en)
Other versions
EP3909193A4 (fr
Inventor
Jung Hee Cheon
Kyoo Hyung Han
Do Hyeong KI
Minki HHAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Crypto Lab Inc
Original Assignee
Crypto Lab Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Crypto Lab Inc filed Critical Crypto Lab Inc
Priority claimed from PCT/KR2019/016001 external-priority patent/WO2020145503A1/fr
Publication of EP3909193A1 publication Critical patent/EP3909193A1/fr
Publication of EP3909193A4 publication Critical patent/EP3909193A4/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3026Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials

Definitions

  • the disclosure relates to an apparatus for performing a rebooting method for an approximately encrypted encryption effectively, and a method thereof.
  • homomorphic encryption For overcoming such a problem, a homomorphic encryption method is being researched. According to homomorphic encryption, even if an operation is performed in an encryption itself without decrypting encrypted information, the same result as a value which is a result of performing an operation for a plain text and encrypting the text can be achieved. Accordingly, various types of operations can be performed while an encryption is not decrypted.
  • a conventional rebooting method requires a large amount of calculation or the accuracy of calculation is low. Accordingly, there is a demand for a rebooting method which can reduce the amount of calculation, and at the same time, of which accuracy of calculation is high.
  • the disclosure was devised for overcoming the aforementioned problem, and the purpose of the disclosure is in providing an apparatus for performing a rebooting operation for an approximately encrypted encryption effectively, and a method thereof.
  • a method for processing a homomorphic encryption includes the steps of linearly transforming a homomorphic encryption for an approximate message including an error, performing an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transforming the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times may be set, and an approximate modulus operation may be performed by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • the step of linearly transforming a homomorphic encryption may include the steps of converting the homomorphic encryption into a form of polynomial, and applying the converted homomorphic encryption to a predefined matrix.
  • the predefined matrix may be decomposed into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and the homomorphic encryption may be applied sequentially to the plurality of block diagonal matrices.
  • the homomorphic encryption may be applied to the plurality of block diagonal matrices in units of two continuous matrices.
  • an operation apparatus may include a memory storing a homomorphic encryption for an approximate message including an error, and a processor performing an operation for the homomorphic encryption.
  • the processor may linearly transform the homomorphic encryption for an approximate message including an error, perform an approximate modulus operation for the linearly transformed homomorphic encryption by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point, and linearly transform the homomorphic encryption which was approximately modulus operated into a form of encryption.
  • the multi-degree polynomial may be a polynomial having a degree among any one of a 7th degree to an 80th degree, and the predetermined range may be from -12 to 12.
  • the processor may set a double-angle number of times and a multi-degree polynomial corresponding to the double-angle number of times, and perform an approximate modulus operation by operating the linearly transformed homomorphic encryption as many times as the set double-angle number of times by using the set multi-degree polynomial.
  • the processor may convert the homomorphic encryption into a form of polynomial, and linearly transform the homomorphic encryption by applying the converted homomorphic encryption to a predefined matrix.
  • the processor may decompose the predefined matrix into a plurality of block diagonal matrices wherein there is a value in a diagonal component and the other values are 0, and linearly transform the homomorphic encryption by applying the homomorphic encryption sequentially to the plurality of block diagonal matrices.
  • the processor may linearly transform the homomorphic encryption by applying the homomorphic encryption to the plurality of block diagonal matrices in units of two continuous matrices.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure.
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure.
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure.
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure.
  • FIG. 7 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure.
  • FIG. 8 is a diagram for illustrating an effect of a linear calculating operation according to the disclosure.
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure.
  • FIG. 10 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure.
  • FIG. 11 is a diagram for illustrating an effect of an approximate modulus operation according to the disclosure.
  • each step should be understood in a nonrestrictive way, unless a preceding step should necessarily be performed prior to a subsequent step in a logical and temporal sense. That is, excluding an exceptional case as above, even if a process described as a subsequent step is performed prior to a process described as a preceding step, there would be no influence on the essence of the disclosure, and the scope of the disclosure should also be defined regardless of the orders of steps.
  • the description "A or B" in this specification is defined to include not only a case wherein one of A or B is selectively referred to, but also a case wherein both of A and B are included.
  • the term "include” in this specification has a meaning including a case wherein elements other than elements listed as being included are further included.
  • a value is defined as a concept including a vector as well as a scalar value.
  • Element a is selected according to distribution D.
  • Each of S1 and S2 is an element belonging to group R.
  • ⁇ - ⁇ The internal value is rounded off.
  • FIG. 1 is a diagram for illustrating a configuration of a network system according to an embodiment of the disclosure.
  • a network system may include a plurality of electronic apparatuses 100-1 ⁇ 100-n, a first server apparatus 200, and a second server apparatus 300, and each component may be connected with one another through a network 10.
  • the network 10 may be implemented as various forms of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each apparatus may be connected by methods such as WiFi, Bluetooth, Near Field Communication (NFC), etc. without a separate medium.
  • WiFi Wireless Fidelity
  • NFC Near Field Communication
  • FIG. 1 it was illustrated that there are a plurality of electronic apparatuses 100-1 ⁇ 100-n, but a plurality of electronic apparatuses do not necessarily have to be used, and one apparatus may be used.
  • the electronic apparatuses 100-1 ⁇ 100-n may be implemented as various forms of apparatuses such as a smartphone, a tablet, a game player, a PC, a laptop PC, a home server, a kiosk, etc., and other than the above, the electronic apparatuses may also be implemented in the form of home appliances to which an IoT function has been applied.
  • a user may input various information through the electronic apparatuses 100-1 ⁇ 100-n he or she uses.
  • the information input may be stored in the electronic apparatuses 100-1 ⁇ 100-n themselves, but it may also be transferred to an external apparatus and stored for reasons such as the storage capacity and security, etc.
  • the first server apparatus 200 may perform a role of storing such information
  • the second server apparatus 300 may perform a role of using a portion or all of the stored information.
  • Each electronic apparatus 100-1 ⁇ 100-n may homomorphically encrypt the information input and transfer the homomorphic encryption to the first server apparatus 200.
  • each electronic apparatus 100-1 ⁇ 100-n may include an encryption noise calculated in the process of performing homomorphic encryption, i.e., an error in an encryption.
  • a homomorphic encryption generated in each electronic apparatus 100-1 ⁇ 100-n may be generated in a form wherein a result value including a message and an error value is restored when the encryption is decrypted by using a secret key later.
  • homomorphic encryptions generated in the electronic apparatuses 100-1 ⁇ 100-n may be generated in forms satisfying a property as follows when they are decrypted by using a secret key.
  • ⁇ , > mean a usual inner product
  • ct means an encryption
  • sk means a secret key
  • M means a plain text message
  • e means an encryption error value
  • mod q means a modulus of the encryption. q should be selected to be bigger than the result value M of multiplying a scaling factor ⁇ and the message. If the absolute value of the error value e is sufficiently smaller than M, the decryption value M+e of the encryption is a value that can replace the original message with the same degree of precision in a significant figure operation.
  • the error may be arranged on the side of the least significant beat (LSB), and M may be arranged on the side of the second least significant beat.
  • the size of a message may be adjusted by using a scaling factor. If a scaling factor is used, not only a message in the form of an integer but also a message in the form of a real number can be encrypted, and thus usability can be improved greatly. Also, by adjusting the size of a message by using a scaling factor, the size of an area wherein messages exist in an encryption after an operation is performed, i.e., an effective area can be adjusted.
  • an encryption modulus q may be used while being set in various forms.
  • the first sever apparatus 200 may not decrypt a received homomorphic encryption, but store it in a state of an encryption.
  • the second server apparatus 300 may request a result of specific processing for the homomorphic encryption to the first server apparatus 200.
  • the first server apparatus 200 may perform a specific operation according to the request of the second server apparatus 300, and transfer the result to the second server apparatus 300.
  • the second server apparatus 300 may request a value of summing up the information provided from the two electronic apparatuses 100-1, 100-2 to the first server apparatus 200.
  • the first server apparatus 200 may perform an operation of summing up the two encryptions according to the request, and then transfer the result value (ct1 + ct2) to the second server apparatus 300.
  • the first server apparatus 200 may perform an operation while a homomorphic encryption is not decrypted, and a result value thereof also becomes a form of encryption.
  • a result value acquired by an operation is referred to as an operation result encryption.
  • the first server apparatus 200 may transfer an operation result encryption to the second server apparatus 300.
  • the second server apparatus 300 may decrypt the received operation result encryption, and acquire an operation result value of data included in each homomorphic encryption.
  • the first server apparatus 200 may perform operations a number of times according to a user request. In this case, the proportion of an approximate message in an operation result encryption acquired for each operation varies. If the proportion of an approximate message exceeds a threshold, the first server apparatus 200 may perform a rebooting operation. As described above, the first server apparatus 200 may perform an operating operation, and thus it may also be referred to as an operation apparatus.
  • FIG. 1 a case wherein encryption is performed at a first electronic apparatus and a second electronic apparatus, and the second server apparatus performs decryption is illustrated, but the disclosure is not necessarily limited thereto.
  • FIG. 2 is a block diagram illustrating a configuration of an operation apparatus according to an embodiment of the disclosure.
  • apparatuses performing homomorphic encryption as the first electronic apparatus, the second electronic apparatus, etc., apparatuses operating a homomorphic encryption such as the first server apparatus, etc., and apparatuses decrypting a homomorphic encryption such as the second server apparatus, etc. in the system in FIG. 1 may be referred to as operation apparatuses.
  • Such operation apparatuses may be various apparatuses like personal computers (PCs), laptop computers, smartphones, tablets, servers, etc.
  • an operation apparatus 400 may include a communication device 410, a memory 420, a display 430, a manipulation input device 440, and a processor 450.
  • the communication device 410 is formed to connect the operation apparatus 400 with an external apparatus (not shown), and it may not only be a form of being connected with an external apparatus through a Local Area Network (LAN) and an Internet network, but also a form of being connected through a Universal Serial Bus (USB) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port.
  • LAN Local Area Network
  • USB Universal Serial Bus
  • WiFi 802.11a/b/g/n, NFC, Bluetooth wireless communication
  • the communication device 410 may receive a public key from an external apparatus, and transfer a public key generated by the operation apparatus 400 itself to an external apparatus.
  • the communication device 410 may receive a message from an external apparatus, and transmit a generated homomorphic encryption to an external apparatus.
  • the communication device 410 may receive various types of parameters necessary for generating an encryption from an external apparatus. Meanwhile, in implementation, various types of parameters may be directly input from a user through the manipulation input device 440 that will be described below.
  • the communication device 410 may receive a request for an operation for a homomorphic encryption from an external apparatus, and transfer a result calculated accordingly to an external apparatus.
  • the memory 420 is a component for storing an O/S for operating the operation apparatus 400 or various types of software, data, etc.
  • the memory 420 may be implemented in various forms such as a RAM or a ROM, a flash memory, an HDD, an external memory, a memory card, and the like, but is not limited to a specific one.
  • the memory 420 stores a message to be encrypted.
  • a message may be various types of credit information, personal information, etc. that a user cited in various ways, or it may be information related to use history such as location information used at the operation apparatus 400, information on the use time of the Internet, etc.
  • the memory 420 may store a public key, and in case the operation apparatus 400 is an apparatus that directly generated a public key, the memory 420 may store not only a secret key, but also various types of parameters necessary for generating a public key and a secret key.
  • the memory 420 may store a homomorphic encryption generated in a process that will be described below. Also, the memory 420 may store a homomorphic encryption transferred from an external apparatus. In addition, the memory 420 may store an operation result encryption which is a result of an operation process that will be described below.
  • the display 430 displays a user interface window for receiving selection of functions supported by the operation apparatus 400.
  • the display 430 may display a user interface window for receiving selection of various functions provided by the operation apparatus 400.
  • Such a display 430 may be a monitor such as a liquid crystal display (LCD) and organic light emitting diodes (OLEDs), and it may be implemented as a touch screen that can simultaneously perform the function of the manipulation input device 440 that will be described below.
  • LCD liquid crystal display
  • OLEDs organic light emitting diodes
  • the display 430 may display a message requesting input of a parameter necessary for generating a secret key and a public key.
  • the display 430 may display a message wherein a subject to be encrypted selects a message.
  • a subject to be encrypted may be directly selected by a user, or selected automatically. That is, personal information, etc. which need to be encrypted may be set automatically even if a user does not directly select a message.
  • the manipulation input device 440 may receive selection of a function of the operation apparatus 400 and input of a control command for the function from a user. Specifically, the manipulation input device 440 may receive input of a parameter necessary for generating a secret key and a public key. Also, the manipulation input device 440 may receive setting of a message to be encrypted from a user.
  • the processor 450 controls each component inside the operation apparatus 400.
  • a processor 450 may be constituted as a single device such as a central processing unit (CPU) and an application-specific integrated circuit (ASIC), or it may be constituted as a plurality of devices such as a CPU and a graphics processing unit (GPU).
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • GPU graphics processing unit
  • the processor 450 stores the message in the memory 420. Then, the processor 450 homomorphically encrypts the message by using various setting values and programs stored in the memory 420. In this case, a public key may be used.
  • the processor 450 may generate a public key necessary for performing encryption by itself and use it, or receive a public key from an external apparatus and use it.
  • the second server apparatus 300 performing decryption may distribute a public key to other apparatuses.
  • the processor 450 may generate a public key by using a Ring-LWE technic.
  • the processor 450 may set various types of parameters and rings first, and store them in the memory 420.
  • parameters there may be the length of a plain text message bit, the sizes of a public key and a secret key, and the like.
  • a ring may be expressed with a formula as below.
  • R means a ring
  • Zq means a coefficient
  • f(x) means an n-th polynomial.
  • a ring is a group of polynomials having preset coefficients, and means a group wherein additions and multiplications are defined among elements, and which is closed with respect to additions and multiplications.
  • a ring means a group of n-th polynomials of which coefficients are Zqs.
  • n ⁇ (N)
  • (f(x)) means an ideal of Zq[x] generated as f(x)).
  • an Euler totient function ⁇ (N) means the number of natural numbers which are mutual primes with N, and are smaller than N.
  • ⁇ N (x) is defined as an N-th cyclotomic polynomial
  • a ring may also be expressed as formula 3 as below.
  • a secret key sk may be expressed as below.
  • the ring in the aforementioned formula 3 has a complex number in a plain text space. Meanwhile, for improving the operation speed for a homomorphic encryption, only a group wherein a plain text space is a real number may be used among the aforementioned groups of rings.
  • the processor 450 may calculate a secret key sk from the ring.
  • s(x) means a polynomial which was randomly generated with a small coefficient.
  • the processor 450 calculates a first random polynomial a(x) from the ring.
  • the first random polynomial may be expressed as below.
  • the processor 450 may calculate an error. Specifically, the processor 450 may extract an error from discrete Gaussian distribution or distribution of which statistical distance thereto is close. Such an error may be expressed as below.
  • the processor 450 may perform a modular operation on the first random polynomial and the error in the secret key and calculate a second random polynomial.
  • the second random polynomial may be expressed as below.
  • a public key pk is set in the form of including the first random polynomial and the second random polynomial as below.
  • the aforementioned key generating method is merely an example, and thus the disclosure is not necessarily limited thereto, and a public key and a secret key can obviously be generated by methods other than the above.
  • the processor 450 may control the communication device 410 such that the public key is transferred to other apparatuses.
  • the processor 450 may generate a homomorphic encryption for a message. Specifically, the processor 450 may generate a homomorphic encryption by applying the public key generated previously to a message. Here, the processor 450 may generate the length of the encryption to correspond to the size of the scaling factor.
  • the processor 450 may store the homomorphic encryption in the memory 420, or control the communication device 410 to transfer the homomorphic encryption to another apparatus according to a user request or a preset default command.
  • packing may be performed. If packing is used in homomorphic encryption, it becomes possible to encrypt a plurality of messages into one encryption. In this case, if operations among each encryption are performed at the operation apparatus 400, operations for a plurality of messages are ultimately processed in parallel, and thus burden of operations gets to be reduced greatly.
  • the processor 450 may convert the message into a polynomial in a form which can encrypt the plurality of message vectors in parallel, and then multiply the polynomial with the scaling factor and perform homomorphic encryption by using a public key. Accordingly, an encryption wherein a plurality of message vectors are packed may be generated.
  • the processor 450 may generate a decryption in the form of a polynomial by applying a secret key to the homomorphic encryption, and generate a message by decoding the decryption in the form of a polynomial.
  • the generated message may include an error as mentioned in formula 1 described above.
  • the processor 450 may perform an operation for an encryption. Specifically, the processor 450 may perform an operation such as an addition and a multiplication for a homomorphic encryption while the homomorphic encryption is maintained in an encrypted state. Specifically, the processor 450 may process each homomorphic encryption to be used for an operation as a first function, and perform an operation such as an addition and a multiplication between homomorphic encryptions processed as first functions, and process the homomorphic encryptions for which an operation was performed as second functions which are reverse functions of the first functions. For such first function processing and second function processing, a linear transformation technology in a rebooting process that will be described below may be used.
  • the operation apparatus 400 may detect data in an effective area from the operation result data. Specifically, the operation apparatus 400 may detect data in an effective area by performing rounding processing for the operation result data. Rounding processing means proceeding round-off of a message in an encrypted state, and it may also be referred to differently as rescaling. Specifically, the operation apparatus 400 multiplies each component of an encryption with ⁇ -1 which is a reciprocal number of a scaling factor and performs round-off, and thereby removes a noise area. A noise area may be determined to correspond to the size of the scaling factor. Ultimately, a message in an effective area from which a noise area has been removed can be detected. As the above process proceeds in an encrypted state, an additional error occurs, but the size of the error is sufficiently small, and thus it can be ignored.
  • the operation apparatus 400 may perform a rebooting operation for the encryption.
  • a rebooting operation will be described below with reference to FIGS. 3 to 5.
  • FIG. 3 is a diagram for illustrating an operating operation of an operation apparatus according to the disclosure. Specifically, in FIG. 3, operation and rebooting processes for two homomorphic encryptions 10, 20 are illustrated.
  • Each homomorphic encryption 10, 20 may respectively include approximate message areas 11, 21.
  • the operation apparatus 400 may perform a specific operation by using the two homomorphic encryptions 10, 20 as input values.
  • the operation result encryption 30 may include an approximate message area 31 including the operation result m3+e3 between each approximate message. As the operation result becomes bigger than the input value, an approximate message area also becomes bigger, and accordingly, the remaining plain text space 32 decreases. If such an operation is performed several times, the remaining plain text space 32 ultimately disappears or becomes smaller than the threshold, and thus an operation cannot be performed. If such a state is determined, the operation apparatus 400 can perform a rebooting operation. A specific rebooting operation will be described with reference to FIG. 5.
  • a conventional encryption/decryption mechanism is designed such that data after decryption becomes the same as the original plain text, but according to an embodiment of the disclosure, an approximate message is output instead of exactly the same plain text.
  • an error necessary for safety and an error generated through an operation of effective numbers are included and treated as a noise, and thus an operation of real numbers becomes possible in an encrypted state, and efficiency of encryption/decryption can be increased.
  • FIG. 4 is a diagram for illustrating a rebooting method according to the disclosure.
  • the first operation apparatus 400-1 and the second operation apparatus 400-2 may homomorphically encrypt a message m1 and a message m2 respectively, and output homomorphic encryptions E L (m1') and E L (m2').
  • the third operation apparatus 400-3 may perform an operation for the homomorphic encryptions E L (m1') and E L (m2'), and output an operation result encryption E L-i (m3').
  • L means a modulus level of the encryption.
  • the modulus level continuously decreases. For example, if the depth of an operation that the third operation apparatus 400-3 seeks to perform in an encrypted state is i, the modulus level decreases as much as i. Accordingly, if a modulus level drops below the threshold, a further operation for the homomorphic encryptions becomes impossible.
  • the threshold was set as level 1. Accordingly, it can be seen that the homomorphic encryptions E 1 (m4') and E 1 (m5') of level 1 cannot be operated.
  • the third operation apparatus 400-3 may reboot each of E 1 (m4') and E 1 (m5'), and generate E L' (m4") and E L' (m5"). By rebooting, the modulus level becomes level L' which is almost similar to L, and the approximate message also changes from m4' and m5' to m4" and m5" which are almost similar.
  • the third operation apparatus 400-3 may operate the rebooted encryptions, and provide an operation result encryption E L'-i (m6") to the fourth operation apparatus 400-4.
  • the operation result encryption ultimately operated may be expressed as the following formula.
  • the fourth operation apparatus 400-4 may decrypt the operation result encryption and acquire an approximate message m6".
  • the fourth operation apparatus 400-4 may use additional information.
  • additional information may be a scaling factor changed during an operation process, a modulus value used for extension of a plain text space, etc. If a changed scaling factor is ⁇ ', a decrypted approximate message may be m6"/ ⁇ '. Accordingly, even if a plain text in a real number is integerized in an encryption process, it can be restored to a real number again in decryption.
  • a modulus value in additional information may be used as a modulus of a ring R in formula 9.
  • the fourth operation apparatus 400-4 may ultimately acquire m6" through decryption.
  • a rebooting operation for input homomorphic encryptions is performed before an operation of two encryptions, but in implementation, a rebooting operation for an operation result may be performed as in FIG. 3.
  • FIG. 5 is a diagram for illustrating a specific operation of a rebooting method according to the disclosure.
  • a homomorphic encryption for an approximate message including an error is linearly transformed at operation S510.
  • a homomorphic encryption a plurality of encryptions may be packed as described above.
  • the homomorphic encryption may be converted into a form of polynomial for calculating the plurality of encryptions.
  • the homomorphic encryption converted into a form of polynomial may be applied to a predefined matrix (specifically, formula 10 below).
  • a polynomial of a homomorphic encryption consists of complex numbers as explained above.
  • linear transformation may be performed by using a predefined matrix for converting each coefficient of the polynomial into a form of being put in a slot.
  • a predefined matrix may be a discrete Fourier transform (DFT) matrix.
  • linear transformation may be performed by using a plurality of block diagonal matrices for performing linear transformation faster.
  • a block diagonal matrix is a matrix wherein there is a value in the diagonal component, and the other values are 0. The reason that a plurality of block diagonal matrices may be used and an effect thereof will be described in detail in the lower part of FIG. 5.
  • an approximate modulus operation may be performed at operation S520.
  • the linearly transformed homomorphic encryption may be approximately modulus operated by using a multi-degree polynomial set such that input values within a predetermined range are approximate to an integer point.
  • An approximate modulus operating operation according to the disclosure will be described later with reference to FIG. 9.
  • the homomorphic encryption that was approximately modulus operated is linearly transformed in a form of encryption at operation S530.
  • the homomorphic encryption that was approximately modulus operated may be converted into a form of polynomial by using an inverse matrix corresponding to the matrix used in linear transformation of the homomorphic encryption previously, and the converted polynomial may be converted into a form of encryption.
  • an approximate modulus operation is performed through a multi-degree polynomial calculated by a characteristic of a homomorphic encryption. Accordingly, a faster rebooting operation can be performed. Also, in linear transformation, operation processing is performed by decomposing a preset matrix into a plurality of block diagonal matrices, and thus it is possible to perform an operation with low operation complexity.
  • packing may be applied. That is, several messages are encrypted into one message.
  • an operation of linearly transforming a packed homomorphic encryption is an important operation in homomorphic encryption.
  • Such linear transformation is modification of coefficients of a homomorphic encryption expressed as a polynomial into slots.
  • a discrete Fourier transform (DFT) matrix may be used.
  • the aforementioned DFT matrix may be indicated as formula 10 below.
  • U means a DFT matrix, and , and .
  • N means a polynomial ring dimension.
  • a matrix as the aforementioned formula 10 may be factorized and decomposed into a plurality of sparse matrices.
  • a recursive FFT Cooley-Tukey algorithm may be used, and the method thereof is as formula 11.
  • a DFT matrix may be decomposed into a log 2 n number.
  • the following formula 12 indicates the form of recursive matrice.
  • k/2 is a diagonal block
  • a DFT matrix can be expressed as formula 13 as follows.
  • a DFT matrix may be decomposed into sparse diagonal matrices, and in the disclosure, linear transformation may be performed by using decomposed sparse diagonal matrices (or block diagonal matrices).
  • decomposed sparse diagonal matrices or block diagonal matrices.
  • a matrix-vector multiplication algorithm as described above is effective for a matrix M which is a diagonal vector of a small number which is not 0. That is, diag i (M) is a non-zero vector for a small number i. Such a matrix is referred to as a sparse diagonal matrix.
  • diag i (M) is a non-zero vector for a small number i.
  • Such a matrix is referred to as a sparse diagonal matrix.
  • calculation complexity can be reduced to 0(log n).
  • a calculation process using a decomposed matrix may be performed as in FIG. 6.
  • a calculation method using a decomposed matrix will be explained below with reference to FIG. 6.
  • FIG. 6 is a diagram for illustrating a linear calculating operation according to the disclosure.
  • linear transformation can be expressed as formula 18 as follows.
  • a linear transformation operation as above may be used not only in linear transformation in a rebooting process, but in various processes wherein there is a need to convert a coefficient of a polynomial into a slot such as an encoding process in a process of generating a homomorphic encryption.
  • an inverse matrix of a matrix described above may be used, and an inverse matrix may also be decomposed into block diagonal matrices as below, and an operation may be performed with a plurality of decomposed block diagonal matrices.
  • Formula 19 may be decomposed into matrices in specific forms having useful attributes as in formula 20 below.
  • 2 i which is a divisor of n may be expressed as a formula as below.
  • an iDFT n RN matrix may also be decomposed into sparse diagonal matrices as DFT n NR , and it enables a fast operation.
  • a target to be calculated is determined in advance, there may be a little need for a rebooting method, but in a machine learning process which is becoming an issue recently, there are many situations wherein it cannot be figured out when processes of learning will end. Accordingly, in the case of performing machine learning for encrypted data, the performance of a rebooting method is very important.
  • a decryption function For a rebooting method, a decryption function should be calculated in an encrypted state.
  • a decryption function is expressed as the aforementioned formula 7.
  • the main point is calculating mod q which is a modulus operation in an encrypted state.
  • each coefficient has a property that it is very small compared to a modulus value of an encryption which is q.
  • a modulus operation is approximated as a sine function.
  • Such a sine function can be expressed as formula 22 as follows.
  • a given range may be [-12, 12], but in case the environment changes, a different range may be used.
  • an error value can be calculated as formula 24 as follows.
  • formula 22 is expressed as a sine function, but a sine function and a cosine function can be converted only with a x ⁇ x - 1/4 shifting operation. Also, hereinafter, calculation of an approximate polynomial for a cosine function as in formula 23 as follows by using a double angle formula will be described.
  • x 0 , x 1 , ..., x n ⁇ [a, b] are determined in advance, and are referred to as nodes. Accordingly, there is a need to select ⁇ x i ⁇ 1 ⁇ i ⁇ n such that the maximum value of w(x) in a specific domain for x is minimized.
  • a node is selected at each interval within a -K ⁇ i ⁇ K range of all input values i.
  • a node d i satisfying in a i ⁇ j ⁇ d i range in an interval I i is selected.
  • P n satisfies the following.
  • f(x) is a specific function (i.e., a sine function or a cosine function), and Pn(x) is an approximate polynomial.
  • formula 27 has a condition of .
  • FIG. 9 is a diagram for illustrating a method for calculating a coefficient of an approximate polynomial according to the disclosure.
  • an approximate modulus operation for a homomorphic encryption that was linearly transformed previously may be performed by using an approximate polynomial to which the calculated coefficient is reflected.
  • the number of the aforementioned coefficient of an approximate polynomial i.e., the degree of an approximate polynomial may be varied according to a user's selection, and it is preferable that one degree among 7 th to 80 th degrees is used. Such a degree may be determined by a result of various simulations, and in addition to the aforementioned degree, a range may be used.
  • an approximate modulus operation may be performed through an operating operation of repeating a homomorphic encryption for the calculated approximate polynomial as many as the double angle number of times.
  • the value in a method according to the disclosure is much smaller than the value in the conventional Chebyshev method. Also, it can be seen that the value in a method according to the disclosure is also smaller than the value in the conventional Hermite method having superior performance.
  • the method for processing an encryption may be implemented in the form of a program code for performing each step, and stored in a recording medium and distributed.
  • an apparatus on which the recording medium is mounted may perform operations such as the aforementioned encryption and encryption processing, etc.
  • Such a recording medium may be various types of computer readable media such as a ROM, a RAM, a memory chip, a memory card, an external hard, a hard, a CD, a DVD, a magnetic disk or a magnetic tape, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

L'invention concerne un procédé permettant de traiter un chiffrement. Le procédé de traitement d'un chiffrement comprend les étapes consistant à transformer linéairement un chiffrement homomorphique d'un message approximatif comprenant une erreur, à réaliser une opération de module approximatif destinée au chiffrement homomorphique transformé linéairement à l'aide d'un ensemble polynomial à degrés multiples de telle sorte que des valeurs d'entrée dans une plage prédéterminée soient approximatives à un point entier, et à transformer linéairement le chiffrement homomorphique qui a été approximativement commandé par module en une forme de chiffrement.
EP19908950.9A 2019-01-10 2019-11-21 Appareil de traitement de messages approximativement chiffrés et procédés associés Withdrawn EP3909193A4 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201962790806P 2019-01-10 2019-01-10
KR20190066572 2019-06-05
KR1020190112292A KR102167565B1 (ko) 2019-01-10 2019-09-10 근사 암호화된 암호문에 대한 재부팅 연산을 수행하는 장치 및 방법
PCT/KR2019/016001 WO2020145503A1 (fr) 2019-01-10 2019-11-21 Appareil de traitement de messages approximativement chiffrés et procédés associés

Publications (2)

Publication Number Publication Date
EP3909193A1 true EP3909193A1 (fr) 2021-11-17
EP3909193A4 EP3909193A4 (fr) 2022-09-28

Family

ID=71832118

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19908950.9A Withdrawn EP3909193A4 (fr) 2019-01-10 2019-11-21 Appareil de traitement de messages approximativement chiffrés et procédés associés

Country Status (2)

Country Link
EP (1) EP3909193A4 (fr)
KR (1) KR102167565B1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117353898A (zh) * 2023-12-04 2024-01-05 粤港澳大湾区数字经济研究院(福田) 用于浮点数明文的全同态加密方法、系统、终端及介质
CN117440103A (zh) * 2023-12-20 2024-01-23 山东大学 基于同态加密和空间优化的隐私数据处理方法及系统

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11637700B2 (en) 2020-08-14 2023-04-25 Samsung Electronics Co., Ltd. Method and apparatus with encryption based on error variance in homomorphic encryption
KR102304992B1 (ko) 2021-04-07 2021-09-27 서울대학교산학협력단 동형 암호문에 대한 비다항식 연산을 수행하는 장치 및 방법
US20240235809A1 (en) * 2021-07-05 2024-07-11 Crypto Lab Inc. Method for homomorphic encryption or decryption in consideration of spatial complexity
CN114745116B (zh) * 2022-04-27 2024-04-05 浙江数秦科技有限公司 一种安全交换秘钥的方法

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117353898A (zh) * 2023-12-04 2024-01-05 粤港澳大湾区数字经济研究院(福田) 用于浮点数明文的全同态加密方法、系统、终端及介质
CN117353898B (zh) * 2023-12-04 2024-03-26 粤港澳大湾区数字经济研究院(福田) 用于浮点数明文的全同态加密方法、系统、终端及介质
CN117440103A (zh) * 2023-12-20 2024-01-23 山东大学 基于同态加密和空间优化的隐私数据处理方法及系统
CN117440103B (zh) * 2023-12-20 2024-03-08 山东大学 基于同态加密和空间优化的隐私数据处理方法及系统

Also Published As

Publication number Publication date
KR102167565B1 (ko) 2020-10-19
KR20200087061A (ko) 2020-07-20
EP3909193A4 (fr) 2022-09-28

Similar Documents

Publication Publication Date Title
WO2020145503A1 (fr) Appareil de traitement de messages approximativement chiffrés et procédés associés
EP3909193A1 (fr) Appareil de traitement de messages approximativement chiffrés et procédés associés
WO2020235797A1 (fr) Appareil de traitement d'opération de multiplication modulaire et procédés associés
WO2020166879A1 (fr) Appareil permettant de réaliser une conception de seuil sur une clé secrète et son procédé
WO2019117694A1 (fr) Dispositif terminal pour effectuer un chiffrement homomorphique, dispositif serveur pour traiter un texte chiffré de celui-ci, et procédés associés
WO2020117015A1 (fr) Dispositif fonctionnel et procédé utilisant un conditionnement à plusieurs variables
WO2020145759A1 (fr) Vérification de calcul pour calcul approximatif
WO2020022598A1 (fr) Appareil et procédé pour réaliser un calcul d'approximation sur des cryptogrammes
WO2017003243A1 (fr) Dispositif électronique pour générer un code aléatoire et unique, et son procédé de commande
WO2020116807A1 (fr) Appareil et procédé pour effectuer un calcul non polynomial sur un cryptogramme
WO2018199443A1 (fr) Appareil et procédé de mise en œuvre d'une opération sécurisée contre une attaque par canal latéral
WO2020231049A1 (fr) Appareil de modèle de réseau neuronal et procédé de compression de modèle de réseau neuronal
WO2016036048A1 (fr) Procédé et dispositif de chiffrement de données
WO2018093203A1 (fr) Dispositif de calcul de chiffrement utilisant une clé publique et procédé de chiffrement associé
WO2017071352A1 (fr) Procédé de poussée de mot de passe, système de poussée, et dispositif terminal
EP3935578A1 (fr) Appareil de modèle de réseau neuronal et procédé de compression de modèle de réseau neuronal
WO2021107515A1 (fr) Procédé de chiffrement basé sur l'identité basé sur des réseaux
WO2020246848A1 (fr) Dispositif et procédé de tri d'un texte chiffré approximativement chiffré
CN113169860A (zh) 用于对密文进行非多项式计算的装置和方法
WO2021256841A1 (fr) Dispositif de simulation et procédé pour système de chiffrement homomorphe
WO2023282359A1 (fr) Procédé de chiffrement ou de déchiffrement homomorphique tenant compte de la complexité de l'espace
WO2024112108A1 (fr) Système de diffusion en continu de vidéo basé sur une drm en temps réel et procédé de diffusion en continu de vidéo associé
WO2021206275A1 (fr) Codage ou décodage pour un cryptogramme chiffré approximatif
WO2010147410A2 (fr) Procédé et dispositif de mise à niveau d'un objet de droits stocké dans une carte mémoire
WO2018110775A1 (fr) Appareil de gestion d'authentification de dispositif électronique

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210810

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20220829

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/00 20060101AFI20220823BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20230116