KR102599406B1 - Ciphertext processing method for zero-knowledge proof and apparatus thereof - Google Patents

Abstract

A ciphertext processing method is disclosed. This ciphertext processing method includes the steps of generating a homomorphic ciphertext for the plaintext using a ring, which is a set that is closed for addition and multiplication, in which addition and multiplication are defined between elements, and a ciphertext that satisfies a preset challenge space. It includes receiving a challenge matrix, generating a response ciphertext using the received challenge matrix and the homomorphic ciphertext, and transmitting the generated response ciphertext.

Description

Ciphertext processing method and device for zero-knowledge proof {CIPHERTEXT PROCESSING METHOD FOR ZERO-KNOWLEDGE PROOF AND APPARATUS THEREOF}

This disclosure relates to a ciphertext processing method and device for zero-knowledge proof. More specifically, the present disclosure relates to an efficient zero-knowledge proof by utilizing the fact that even circular polynomials that are not powers of 2 have the good properties of power-2 circular polynomials. It relates to a method and device for processing ciphertext.

Secure Multiparty Computation is a cryptographic technology that allows multiple distributed nodes to jointly calculate arbitrary functions without disclosing individual input and output contents. Such multi-party calculations are currently being applied to various fields such as auctions, security statistical analysis, personal information protection, and machine learning.

Existing multi-party computation operated in modulo p, but since modern computers operate in binary arithmetic, multi-party computation protocols in modulo a power-of-two are being proposed. .

Zero-knowledge proof of plaintext knowledge in homomorphic encryption on a power-of-two Cyclotomic Polynomial is an efficient method of expanding the challenge space by utilizing the good properties of the power-of-two Cyclotomic Polynomial. can be used.

로 설정할 경우에는 위의 방법을 적용할 수 없었다. However, if you cannot use a power-of-2 circular polynomial, for example,

If set to , the above method could not be applied.

Accordingly, in the past, it was necessary to perform a zero-knowledge proof for the lattice-based homomorphic encryption plaintext knowledge on a circular polynomial rather than a power of 2 in an inefficient manner using an extremely small problem space.

The present invention proposes an efficient zero-knowledge proof of homomorphic encryption plaintext knowledge by taking advantage of the fact that some circular polynomials that are not powers of 2 also have good properties of power-2 circular polynomials.

This disclosure was designed to solve the problems described above, and the purpose of the present disclosure is to provide efficient zero-knowledge proof by utilizing the fact that even circular polynomials that are not powers of 2 have the good properties of circular division polynomials of powers of 2. The purpose is to provide a method and device for processing ciphertext.

In order to achieve the above object, the ciphertext processing method according to an embodiment of the present disclosure uses a ring, a set in which addition and multiplication are defined between elements, and is closed for addition and multiplication, to generate plaintext generating a homomorphic ciphertext, receiving a challenge matrix that satisfies a preset challenge space, generating a response ciphertext using the received challenge matrix and the homomorphic ciphertext, and transmitting the generated response ciphertext. The ring is a set of prime plain text spaces among the sets, and the preset challenge space is a space having an integer value of 0 or 2 or more.

In this case, the integer value of 2 or more may be a factor value that acts as a coefficient shifting movement for the ring.

Meanwhile, in the step of generating the homomorphic ciphertext, a preset operation process may be performed on the generated homomorphic ciphertext to generate a masked homomorphic ciphertext.

Meanwhile, the step of generating the homomorphic ciphertext may generate a homomorphic ciphertext for the message using a power of 2 (2 ^δ ) of a preset size and the ring.

Meanwhile, the ciphertext processing method according to another embodiment of the present disclosure uses a ring, a set in which addition and multiplication are defined between elements, and is closed for addition and multiplication, to receive homomorphic ciphertext for the plaintext. Step, generating and transmitting a challenge matrix that satisfies a preset challenge space, receiving the homomorphic ciphertext and a response ciphertext corresponding to the challenge matrix, the operation result of the homomorphic ciphertext and the challenge matrix is the received response. It includes the step of determining whether it corresponds to a ciphertext, wherein the ring is a set of prime plaintext spaces among the set, and the preset challenge space is a space having an integer value of 0 or 2 or more.

In this case, the integer value of 2 or more may be a factor value that acts as a coefficient shifting movement for the ring.

Meanwhile, the present ciphertext processing method may further include verifying the homomorphic ciphertext by repeating the transmitting step, the receiving step, and the determining step using a challenge matrix different from the transmitted challenge matrix. there is.

In this case, the verification step may repeat the above-described steps fewer times than when the challenge space is {0, 1}.

Meanwhile, a computing device according to an embodiment of the present disclosure includes a communication device that communicates with an external device, a memory that stores at least one instruction, and a processor that executes the at least one instruction, the processor By executing the at least one instruction, a homomorphic ciphertext for the plaintext is generated using a ring, which is a set in which addition and multiplication are defined between elements and is closed for addition and multiplication, and is transmitted from the external device. When receiving a challenge matrix that satisfies a preset challenge space, generate a response ciphertext using the received challenge matrix and the homomorphic ciphertext, and control the communication device to transmit the generated response ciphertext to the external device, The ring is a set of prime plaintext spaces among the sets, and the preset challenge space is a space having an integer value of 0 or 2 or more.

In this case, the integer value of 2 or more may be a factor value that acts as a coefficient shifting movement for the ring.

Meanwhile, the processor may perform a preset operation process on the generated homomorphic ciphertext to generate a masked homomorphic ciphertext.

Meanwhile, the processor can generate a homomorphic ciphertext for a message using a power of 2 (2 ^δ ) of a preset size and the ring.

Meanwhile, a computing device according to another embodiment of the present disclosure includes a communication device that communicates with an external device, a memory that stores at least one instruction, and a processor that executes the at least one instruction, the processor By executing the at least one instruction, receiving a homomorphic ciphertext generated using a ring, which is a set in which addition and multiplication are defined between elements and is closed for addition and multiplication, satisfies the preset challenge space. generate a challenge matrix, control the communication device to transmit the generated challenge matrix to the external device, and upon receiving the homomorphic ciphertext and the response ciphertext corresponding to the challenge matrix, the homomorphic ciphertext and the challenge matrix are It is determined whether the operation result corresponds to the received response ciphertext, and the ring is a set of prime plaintext spaces among the sets, and the preset challenge space is a space having an integer value of 0 or 2 or more.

In this case, the integer value of 2 or more may be a factor value that acts as a coefficient shifting movement for the ring.

Meanwhile, the processor may verify the homomorphic ciphertext by repeatedly determining the response ciphertext that has been transmitted and received with a challenge matrix different from the transmitted challenge matrix.

In this case, the processor can repeat the above-described operation fewer times than when using the case where the challenge space is {0, 1}.

According to the various embodiments of the present disclosure as described above, the zero-knowledge proof method according to the present disclosure can perform a zero-knowledge proof operation using a large problem space even on circle polynomials that are not powers of 2.

1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure;
Figure 2 is a diagram for explaining the multi-party calculation operation using product pairs for the prime p method and the power of 2 method, respectively;
3 is a diagram for explaining the packing method according to the present disclosure;
4 is a diagram illustrating an authenticated product pair generation operation according to an embodiment of the present disclosure;
5 is a diagram illustrating a zero-knowledge proof operation according to an embodiment of the present disclosure;
Figure 6 is a diagram for explaining a zero-knowledge proof operation according to an embodiment of the present disclosure;
7 is a block diagram showing the configuration of a computing device according to an embodiment of the present disclosure, and
Figure 8 is a diagram for explaining the ciphertext processing method from the prover's perspective, and
Figure 9 is a diagram to explain the ciphertext processing method from the verifier's perspective.

Hereinafter, the present disclosure will be described in detail with reference to the accompanying drawings. Encryption/decryption may be applied to the information (data) transmission process performed in the present disclosure as necessary, and expressions describing the information (data) transmission process in the present disclosure and patent claims are all encryption/decryption even if not separately mentioned. It should be interpreted to include cases as well. In the present disclosure, expressions of the form “transmitted (transmitted) from A to B” or “received by A from B” also include transmission (transmission) or reception with other media in the middle, and must be transmitted (transmitted) from A to B. It does not express only what is directly transmitted (delivered) or received.

In the description of the present disclosure, the order of each step should be understood as non-limiting unless the preceding step must be performed logically and temporally prior to the subsequent step. In other words, except for the above exceptional cases, even if the process described as a subsequent step is performed before the process described as a preceding step, the nature of disclosure is not affected, and the scope of rights must also be defined regardless of the order of the steps. In this specification, the term “A or B” is defined not only to selectively indicate either A or B, but also to include both A and B. In addition, in the present disclosure, the term "comprising" has the meaning of encompassing further inclusion of other constituent elements in addition to the elements listed as being included.

In this disclosure, only essential elements necessary for explanation of the present disclosure are described, and component elements that are unrelated to the essence of the present disclosure are not mentioned. And it should not be interpreted in an exclusive sense that includes only the mentioned member elements, but should be interpreted in a non-exclusive sense that can also include other member elements.

And in this disclosure, “value” is defined as a concept that includes not only scalar values but also vectors.

The mathematical operations and calculations of each step of the present disclosure described later may be implemented in computer operations by known coding methods and/or coding designed to be suitable for the present disclosure to perform the corresponding operations or calculations.

The specific mathematical equations described below are explained as examples among various possible alternatives, and the scope of rights of the present disclosure should not be construed as being limited to the mathematical equations mentioned in the present disclosure.

For convenience of explanation, in this disclosure, the notation is set as follows.

a ← D: Select element (a) according to distribution (D)

s1, s2 ∈ R: S1 and S2 are each elements belonging to the set R.

mod(q): Modular operation with q elements

: 내부 값을 반올림함

: Rounds the internal value.

Hereinafter, various embodiments of the present disclosure will be described in detail using the attached drawings.

1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure.

Referring to FIG. 1, the network system may include a plurality of electronic devices 100-1 to 100-n, a first server device 200, and a second server device 300, and each component is connected to the network 10 ) can be connected to each other.

The network 10 can be implemented as various types of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each device can be connected through methods such as Wi-Fi, Bluetooth, NFC (Near Field Communication), etc. without a separate medium. It may be possible.

Although FIG. 1 shows a plurality of electronic devices (100-1 to 100-n), a plurality of electronic devices do not necessarily have to be used, and a single device may be used. As an example, electronic devices (100-1 to 100-n) may be implemented as various types of devices such as smartphones, tablets, game players, PCs, laptop PCs, home servers, kiosks, etc., and other devices with IoT functions applied. It can also be implemented in the form of home appliances.

Users can input various information through the electronic devices (100-1 to 100-n) they use. The input information may be stored in the electronic devices 100-1 to 100-n themselves, but may also be transmitted to and stored in an external device for reasons such as storage capacity and security. In FIG. 1, the first server device 200 may play the role of storing such information, and the second server device 300 may play the role of using some or all of the information stored in the first server device 200. there is.

Each electronic device 100 - 1 to 100 - n may perform calculations based on information provided by the first server device 200 and provide the calculation results to the first server device 200 . That is, each electronic device 100-1 to 100-n may be a party (or user) in a distributed computing system in a multi-party computing system. At this time, the operation may be a ciphertext generation operation for zero-knowledge proof or a challenge matrix generation operation.

The first server device 200 may store the received homomorphic ciphertext as ciphertext without decrypting it.

The second server device 300 may request a specific processing result for the homomorphic ciphertext from the first server device 200. The first server device 200 may perform a specific operation at the request of the second server device 300 and then transmit the result to the second server device 300. At this time, the first server device 200 may perform the requested operation using a plurality of electronic devices 100-1 to 100-n.

Specifically, the first server device 200 may generate the product pairs necessary for calculating the ciphertext together with other electronic devices (100-1 to 100-n) and share the generated product pairs. At this time, the first server device 200 may generate, together with other devices, a triple that can be calculated using the power of 2 method. Additionally, the first server device 200 may use a pseudopolynomial interpolation method when generating a product pair. The specific pseudopolynomial interpolation method is explained in detail below.

When the first server device 200 receives the result of an operation performed by each electronic device, it performs verification through zero knowledge proof of the received calculation result and responds to the requested operation using the result of the calculation for which the zero knowledge proof has been completed. A result value can be generated. And the first server device 200 may provide the calculation result to the second server device 300 that requested the calculation.

As described above, the network system according to the present disclosure generates ciphertext for a plurality of messages using similar interpolation and performs multi-party calculations using this, so calculation tasks can be performed at low communication costs, and the generated product pair is Because it requires less zero knowledge proof than before, faster computation is possible.

Additionally, the network system according to the present disclosure can perform a zero-knowledge proof operation using a large problem space even on a circular polynomial other than a power of 2.

Meanwhile, in showing and describing FIG. 1, the first server device 200 is shown and described as generating a product pair; however, when implemented, the above-described second server device 300 or the plurality of electronic devices 100-1 ~ 100-n) may generate a product pair.

Below, the multi-party calculation method will first be described in detail.

In the following, it is assumed that n parties (P ₁ , ..., P _n ) each have a secret (x ₁ , ..., x _n ). Here, each party may be one of the electronic devices 100-1 to 100-n in FIG. 1.

The purpose of Secure Multi-Party Computation (SMPC) is to calculate the function f for the inputs (x ₁ ,…, x _n ) together without disclosing information other than the desired output to each other.

Among the various settings of MPC, the most common setting is one with multiple active, corrupt, and dishonest parties. Having multiple dishonest parties is a meaningful goal only in two cases, and modeling security threats as honest but curious adversaries is unrealistic in real-world applications.

However, it is very difficult to efficiently handle multiple malicious attackers at the same time. It is a known fact that information-light theoretical security primitives are not sufficient in this setting, and heavy public key primitives are needed.

On the other hand, if the heavy public key system can be performed in the preprocessing process, there is no need to know the inputs or functions required for calculation in the preprocessing process. In other words, in the online process of MPC, function calculations can be performed safely using only lightweight primitives.

This method makes it possible to design multi-party computations effectively even in settings with many dishonest participants. Accordingly, various studies are currently in progress to improve the efficiency of the MPC protocol.

Meanwhile, existing research considered improving efficiency in a finite field. This is because the arithmetic message authentication code (MAC), one of the main components of the existing protocol, provided soundness only in finite fields.

에서 동작하도록 할 필요가 있다. 2의 거듭제곱을 이용한 연산 동작에 대해서는 이하에서 도 2를 참조하여 자세히 설명한다. However, the fact that CPUs perform in powers of 2 ^k (e.g. k = 32, 64, 128) makes MPC

You need to make it work. The calculation operation using a power of 2 will be described in detail below with reference to FIG. 2.

Figure 2 is a diagram for explaining a multi-party calculation operation using product pairs for the prime p method and the exponent of 2 method, respectively.

Referring to FIG. 2, the upper part of FIG. 2 shows the operation of a multi-party calculation designed according to the prime p method, and the lower part of FIG. 2 shows the calculation operation of a multi-party calculation designed according to the power of 2 method.

Referring to the top of FIG. 2, it can be seen that in order to operate a multi-party calculation designed in the decimal p method on the CPU, emulation is required to change the data designed in the decimal p method to the power of 2 method.

Conversely, referring to the bottom of FIG. 2, it can be seen that when designed using the exponential multiplication method of 2, calculation is possible without an emulation process in the final calculation process.

In this way, the power of 2 method has a significant advantage in that there is no need to emulate the modular prime (p) to drive the CPU.

에 대한 새로운 MAC에 의한 손실을 간과하더라도 유한체 경우와

경우 사이에는 실질적인 갭이 존재한다. 특히, 현재 유한체에서 최고의 성능을 제공하는 접근 방식인 동형 암호화(HE)에서

상의 효율적인 MPC 프로토콜은 아직 제안된 적이 없다. However, in terms of communication costs,

Even if we overlook the loss due to the new MAC for

There is a real gap between the cases. In particular, in homomorphic encryption (HE), which is currently the approach that provides the best performance in finite fields.

An efficient MPC protocol has not yet been proposed.

In this respect, the present disclosure proposes an efficient MPC protocol in the power of 2 method. The main process in this efficient MPC protocol is the operation of packing multiple messages, and the packing operation in the MPC protocol will be described in detail below.

의 원소와 전처리 단계에 맞게 새롭고 효율적인 패킹 방법을 이용한다. The efficient MPC method according to the present disclosure is

A new and efficient packing method is used according to the elements and pretreatment steps.

에 대한 패킹 방법은

상의 보간 문제에서 시작된다. 예를 들어, 주어진 포인트 m_i∈

(i ∈{1, 2, ...,d})에 있어서, f(i)=m_i인 다항식(f(t) ∈

)을 찾는 데 있다. 유한체와 달리, 링

에서는 2의 배수인 많은 영인자가 존재하기 때문에, d > 2인 경우

에 대한 보간이 불가능하다.

Packing method for

It starts with an interpolation problem. For example, given a point m _i ∈

For (i ∈{1, 2, ...,d}), the polynomial (f(t) ∈ with f(i)=m _i

) is to find. Unlike finite fields, rings

Since there are many zero factors that are multiples of 2, when d > 2

Interpolation is impossible.

의 원소로 간주한다면 보간이 가능하다. 즉, 링

상의 포인트(m_i·2^δ )를 보간하는 것이다. 이것은 영인자(2의 배수)의 효과가 2^δ 원소에 의해 취소되기 때문이다. 간단한 예로, 1·4^-1은

의 원소로 표현할 수 없는데 반해, 1·4^-1·2²는

의 원소 1로 표현될 수 있다.

의 n+1 개의 원소(m_i)가 주어지고, δ ≥v ₂(n!)이고, n!의 인수분해 내에서 2의 배수를 취하면, n차 다항식 x(t) ∈

를 m_i·2^δ 로 보간할 수 있다. However, for a given point, 2 ^δ is multiplied by the given point (m _i ), and the message is

Interpolation is possible if it is considered an element of . That is, ring

The point on the image (m _i ·2 ^δ ) is interpolated. This is because the effect of the zero factor (multiple of 2) is canceled by the 2 ^δ element. As a simple example, 1·4 ^-1 is

While it cannot be expressed as an element of , 1·4 ^-1 ·2 ² is

It can be expressed as element 1 of .

Given n ₊ 1 elements (m _i ) of

can be interpolated as m _i ·2 ^δ .

However, as n increases, efficiency issues may arise because v ₂ (n!) approaches n. That is, δ This means that we need to take n, and limit the size of the ring (e.g., to realize the packing method for homomorphic encryption with general parameters, we need to interpolate points for n≥2 ¹⁴ or more).

)이 몫 다항식 링(

)과 작은 차수의 다항식(F_i(t))의 곱으로 잘 나눠진다는 관찰에 의해 해결할 수 있다. F_i(t)의 차수(d)가 매우 작으면,

를 취하는 각 링

에서 d-1 차수의 다항식(여기서, 최대 N=degφ_M 포인트를 검색할 수 있는 다항식은 X(t)∈

N=degφ_M 포인트)을 보간할 수 있다. Problems like this have cyclic polynomial rings (

) is the quotient polynomial ring (

) and a polynomial of small degree (F _i (t)). If the order (d) of F _i (t) is very small,

Each ring takes

A polynomial _of degree d-1 in

N=degϕ _M points) can be interpolated.

Hereinafter, unless otherwise noted, the base (or base) is the logarithm of the concrete function log(), which is base 2. The ring (Z _q ) is identified as Z∩(-q/2, q/2) as the representative set. The set of integers is {1,… A set of integers such as , d} is represented as [0;d].

The cyclic polynomial (of degree N) ϕ _M (t) is Π ^r _i=1 f _i (t) in Z ₂ [t], where each f _i (t) has the same degree d = ord _M (2) , and can be factorized accordingly as N = r·d ). Factorization means the following ring isomorphism:

[Equation 1]

[t]은 d 차수를 갖고, 비환원 원소 f_i(t)∈Z₂[t]의 헨셀 리프팅(Hansel lifting)이다. Here, each polynomial F _i (t)∈

[t] has order d, and is the Hansel lifting of the non-reducing element f _i (t)∈Z ₂ [t].

When using a lattice-based HE scheme, it is common to choose a plaintext modulus p that is prime so that ϕ _M (t) is completely divisible by Z _p .

Identify each message by a constant term in each Z _p [t]/F _i (t) (called a slot), and apply it to a ring cycle to transform the N messages in Z p into the plaintext within Z _p [t]/ϕ _M (t). It can be encoded as This approach achieves an optimal packing density of 1 and full homomorphism between message and plaintext.

내에서 φ_M(t)는 완전히 분할되지 않는다는 것이다. 이 문제를 우회하는 한가지 방법은 Z_p[t]/F_i(t) 내의 상수를 갖는

내의 r 메시지를 식별하는 것이다. 이 접근 방식은 메시지와 일반 텍스트 간의 완전한 동형 대응을 제공하지만 매우 낮은 패킹 밀도 1/d를 달성한다. However, if the plaintext modulus is fixed to ^2k , it cannot be used in the same way as before. the problem is

within ϕ _M (t) is completely indivisible. One way to circumvent this problem is to have a constant in _Zp [t]/ _Fi (t)

It identifies the r message within. This approach provides fully homomorphic correspondence between message and plain text, but achieves a very low packing density 1/d.

의 n+1 포인트가 주어지면,

상의 n차 다항식의 존재를 보간할 수 없다는 점이다. In other words, the difficulty in applying the packing method of the prime p method to the exponentiation method of 2 is,

Given n+1 points of

The point is that the existence of an n-th degree polynomial cannot be interpolated.

의 타켓 포인트를 더 큰 링

에 임베딩하면,

에 대한 보간이 가능하게 된다는 점을 통하여 해결할 수 있다. However, these problems

The target point of the larger ring

If you embed it in,

This can be solved by making interpolation possible.

에 대한 보간이 유한체에 대한 보간과 유사하게 작동하도록 만들 수 있다는 것이다. 구체적으로, 2의 거듭제곱을 곱하고, 비가역 요소의 효과를 제거함으로써, 유한체에 대한 행위 것과 같이 유사하게 작동하도록 할 수 있다. The main point is

The point is that interpolation for can be made to work similarly to interpolation for finite fields. Specifically, by multiplying by powers of 2 and removing the effects of irreversible components, we can make it behave similarly to the behavior for finite fields.

Below, by combining the above-mentioned information, a packing method applying the pseudo-interpolation method according to the present disclosure will be described in detail.

3 is a diagram for explaining the packing method according to the present disclosure.

의 n+1개 원소라고 하고, n!의 인수분해에서 2의 배수인 v ₂(n!)가 δ보다 작거나 같다고 가정한다. 그러면 n차 다항식(x(t) ∈

)은 아래의 수학식 2와 같다 Hereinafter, m ₀ , m ₁ , .., m _n-1 , m _n

Let's say there are n+1 elements, and in the factorization of n!, assume that v ₂ (n!), which is a multiple of 2, is less than or equal to δ. Then the nth degree polynomial (x(t) ∈

) is equivalent to Equation 2 below:

[Equation 2]

라 하고, 상술한 n차 다항식은 다음과 같이 정의 될 수 있다. For x ₀ (t) = 1 and i > 0 large, x _i (t)=

, and the nth degree polynomial described above can be defined as follows.

[Equation 3]

내에서 가역적이다. 이를 통해 다음과 같이 각 값 a_i∈

을 반복적으로 할당하여 다항식

을 구성할 수 있다. If v ₂ (n!) is a multiple of 2 in the factorization of i!, then x _i (i) = c _i 2 ^v2(i!) and c _i

It is reversible within This allows each value a _i ∈

By repeatedly assigning the polynomial

can be configured.

1. First, assign a ₀ = m ₀ 2 ^δ so that X(0) = m ₀ 2 ^δ .

2. For i > 0, assume the following.

a) For all 0 ≤ j < i, assign an appropriate value to each a _j such that X(j) = m _j 2 ^δ .

b) Each a _j (0 ≤ j < i) satisfies that 2 ^δ divides a _j x _j (i).

을 만족하도록, 를 할당한다. a_i의 할당은 δ ≥v ₂(n!) 및 가정(b)에 의하여 가능하다. 3.

To satisfy, Allocate . Assignment of a _i is possible by δ ≥ v ₂ (n!) and assumption (b).

4. Verify that the above-mentioned assumption holds even after the assignment of a _i .

(a) x _i (t) does not affect the value of X(j), and then after assignment, X(j) = m _j 2 ^δ .

(b) Since v ₂ ((i+1)!) ≥ v ₂ (i!), 2 ^δ divides a _i x _i (i+1). Similarly, since a _i x _i (i), a _j x _j (i+1) can be divided by 2 ^δ .

Starting from step 1 described above, step 3 can be repeated to assign each coefficient (a _i ) of the polynomial. By performing this assignment, a polynomial that satisfies the above-mentioned conditions can be obtained.

Below, a method for selecting the degree (n) of the above-described polynomial will be described.

을 통하여 쉽게 계산될 수 있다. For positive integers, the value is v ₂ (n!)=

It can be easily calculated through .

비율이 본 개시에 따른 패킹 방법의 의미 있는 요소 중 하나이다. When n∈[2 ^r ,2 ^r+1 ),2 ^r - 1 ≤ v ₂ (n!) ≤ 2 ^r+1 - Referring to r - 2, n = 2 ^r to interpolate many points without seriously increasing the size of the ring. - It is desirable to take 1. This fact

Ratio is one of the meaningful factors of the packing method according to the present disclosure.

상의 유사 보간 방법은

상의 많은 포인트에 대해서 몫 다항식 링 (

, 여기서, φ_M(t)는 사이클로토믹 다항식)의 원소로 효율적인 패킹을 제공한다. of this disclosure

The pseudo interpolation method on

For many points on the quotient polynomial ring (

, where ϕ _M (t) is an element of the cyclotomic polynomial, providing efficient packing.

Summary 1

의 r(

) 지점 {

}에 대해서, 다음을 만족하는 양수 δ와 다항식

이 존재한다. ϕ _M (t)∈Z[t] is of degree N(N=rd, where d is the degree of each irreducible argument of ϕ _M (t) on Z2[t], r is the order of each irreducible argument of ϕ _M (t) Assume that it is an M-th cyclotomic polynomial. positive integer z,

of r(

) Point {

}, a positive integer δ and a polynomial satisfying

This exists.

)

의 인수분해 내의 2의 중복도.(i) δ ≥ v ₂ (

)

The degree of multiplicity of 2 within the factorization of .

에 대해서, (ii) Let L _i (t) be the projection of L (t) onto the ith ring in the CRT heterogeneity, then i ∈ [n] and j ∈

about,

는 m=

차수이다. (ii)-(i) L _i (t) ∈

is m=

It is the order.

(ii)-(ii) L _i (j) = μ _(m+1)(i-1)+j ·2 ^δ

}에 대한 유사 보간(tweaked interpolation)이라고 지칭한다. This is the polynomial L(t) as point {

} is called pseudo-interpolation (tweaked interpolation).

은 CRT 동형(isomorphism)으로부터 (L₁(t), L₂(t), ..., L_r(t))∈

의 동형 이미지로 정의될 수 있다. Now the above-mentioned polynomial

From the CRT isomorphism, (L ₁ (t), L ₂ (t), ..., L _r (t))∈

It can be defined as an isomorphic image of .

의 d 개의 포인트를 각 L_i(t)로 패킹하여,

의 N개 포인트를

의 한 원소로 패킹할 수 있음을 암시한다. 그러나, (동형) 깊이-1 특성은

의 r(

)개의 포인트를 패킹하는 경우(즉, 상술한 정리 1에서 z=2로 적용하는 경우)에만 유지된다. In fact, Theorem 1 (z=1) makes δ larger than v ₂ ((d-1)!),

By packing the d points of each L _i (t),

N points of

This implies that it can be packed with one element of . However, the (homomorphic) depth-1 feature is

of r(

) is maintained only when packing points (i.e., applying z=2 in Theorem 1 described above).

라면, 보간 다항식에 대한 계산이 각 패킹된 포인트들 사이에 덧셈 및 하나의 곱셈에 대해서 동형적인 보존한다는 사실에서 시작한다. 각 i번째 CRT 링 내에서 다항식의 곱셈은 F_i(t)에 의한 모듈러 축소 없이

상에 있기 때문이다. 이러한 패킹 방법으로 평문 공간

을 갖는 하나의 암호문 생성 암호문 내의

의 대략적인 N/2 원소를 패킹할 수 있다. Additionally, this disclosure additionally proposes an interpolation idea for a packing method for homomorphic encryption with a multiplication depth of 1. That means if the degree of the polynomial is d-1 instead of

, we start from the fact that the computation of the interpolation polynomial preserves isomorphism for addition and one multiplication between each packed point. Multiplication of polynomials within each ith CRT ring can be done without modular reduction by F _i (t).

Because it is on the table. With this packing method, the plaintext space

Generate one ciphertext with

Approximately N/2 elements can be packed.

내의 N/5 원소를 패킹하는 것이 가능하였지만, 레벨 0 및 레벨 1 암호문의 패킹이 매우 다른 기존의 방식에서 필요로 하는 추가적인 영 제로 증명이 본 개시에 따른 패킹 방법은 필요로 하지 않는바, MPC의 전처리 단계 적용할때 더 좋은 효과를 갖는다. The existing method generates a single ciphertext.

Although it was possible to pack N/5 elements in the MPC, the packing method according to the present disclosure does not require the additional zero-zero proof required in existing methods where the packing of level 0 and level 1 ciphertexts is very different. It has a better effect when applied as a pre-processing step.

Corollary 1

)라고 한다. 그리고 {μ_I,ι∈

| I∈, ι∈[N₂]}는

의 포인트로 하고, 유한 서로소 세트 L 및 R로 인덱스 되고,≡ μ_I,ιmod 2^k되도록 {∈

| I∈, ι∈[N₂]}는

의 포인트라 한다. Given a cyclotomic polynomial (ϕ _M (t)∈Z[t]) of N degree (N-rd), N ₂ = r(

). And {μ _I,ι ∈

| I∈ , ι∈[N ₂ ]} is

Let be a point of , indexed by finite disjoint sets L and R, ≡ μ _I,ι mod 2 ^k { ∈

| I∈ , ι∈[N ₂ ]} is

It is said to be the point of

| I∈A}가

의 포인트이고, ,≡ α_I,ιmod 2^k되도록 {∈

| I∈A}가

의 포인트가 된다. Here, δ is a positive number selected from Theorem 1 (with z=2) described above. For another finite set A {α _I ∈

| I∈A}

is the point of , ≡ α _I,ι mod 2 ^k so that { ∈

| I∈A}

becomes the point of

는 포인트의

는 {∈

| I∈, ι∈[N₂]} 포인트의 유사 보간이 될 수 있다. I∈R에 대해서

가 대응되는 포인트에 대한 유사 보간으로서 정의된다. For I∈L

is the point of

Is { ∈

| I∈ , ι∈[N ₂ ]} can be a pseudo-interpolation of points. For I∈R

is defined as pseudo-interpolation for the corresponding point.

으로부터

의 포인트{

}를 복원할 수 있다. 추가로

으로부터

의 포인트{

}를 복원할 수 있다.and,

from

point of {

} can be restored. Add to

from

point of {

} can be restored.

Therefore, within the ith ring, the following can be displayed.

[Equation 4]

을 취하므로 이들의 합계는 F_i(t)의 차수보다 작은 차수를 갖기 때문에, 상술한 수학식은

인 경우에 유효하다. 이에 따라, 상술한 수학식 4를 j∈[

]에서 이벨류에이션 하면, 각

에 대해서, The orders of L _I,i (t) and R _I,i (t) are almost

Since the sum of these has an order smaller than the order of F _i (t), the above-mentioned equation is

It is valid if . Accordingly, the above-mentioned Equation 4 is converted to j∈[

When evaluating in ], each

about,

[Equation 5]

Here, the second line of Equation 5 is , and you can recover the desired value from here.

을 곱하면, 다음의 수학식을 얻을 수 있다. Similarly in LR(t)

By multiplying, you can get the following equation.

[Equation 6]

The math equation above is Follow and prove the above.

의 deg(φ_M(t)) 지점의 절반 가까이를 하나의 곱셈과 스칼라 곱셈의 계산으로

의 하나의 원소로 패킹하며,

내의 패킹된 포인트들 사이의 그들의 계산에서 동형적인 보전을 위하여, 각 원소들

사이에 많은 추가 동작이 뒤따를 수 있다. Simply put, Corollary 1 described above is

With a single multiplication and a scalar multiplication of nearly half of the point of deg(ϕ _M (t))

Packed with one element of

To preserve isomorphism in their calculations between packed points within each element

Many additional actions may follow in between.

의 포인트에 대한 계산 결과는

상의 결과로부터 쉽게 도출된다. 이러한 특성은 유사 보간 2 단계 암호문 생성 스킴에 대한 패킹 방법이 될 수 있음을 의미한다.

The calculation result for the points is

It can be easily derived from the above results. These characteristics mean that it can be a packing method for a pseudo-interpolation two-stage ciphertext generation scheme.

개의 복수의 메시지를 유사 보간을 이용하여 d의 길이를 가지며, r개의

상의 메시지로 보간할 수 있다. 이후에 CRT를 이용하여 1개의 다항식으로 패킹을 수행할 수 있다.

내의 r, d는 패킹된 메시지의 N개에 기초하여 결정될 수 있으며, 반대로 복수의 메시지의 개수에 따라 N개가 결정될 수도 있다. 즉, 다항식의 크기에 기초하여 패킹될 메시지의 수가 결정될 수도 있으며, 메시지의 수에 기초하여 다항식의 크기가 결정될 수도 있다. Referring to the above and Figure 3,

Multiple messages have a length of d using pseudo-interpolation, and r

It can be interpolated with the above message. Afterwards, packing can be performed with one polynomial using CRT.

r and d within may be determined based on the N number of packed messages, and conversely, N number may be determined depending on the number of plural messages. That is, the number of messages to be packed may be determined based on the size of the polynomial, and the size of the polynomial may be determined based on the number of messages.

Meanwhile, in FIG. 3, pseudo-interpolation of a plurality of polynomials is performed and a packing operation is performed thereafter. However, the above-described pseudo-interpolation and packing may be performed through a single operation.

에 대해서 곱셈 깊이 1까지 동형 대응을 제공할 수 있다. 이와 같은 점은 종래 N=5 폴드 병렬성인 것과 대비하였을 때, 2.5배 이상의 효율을 갖게 된다. The above-described packing method achieves N/2 fold parallelism while simultaneously

can provide homomorphic correspondence up to a multiplication depth of 1. This makes it more than 2.5 times more efficient than the conventional N=5 fold parallelism.

In addition, the packing method according to the present disclosure is structurally simple, and in particular, when implemented as a plaintext packing method using a ciphertext generation method, the packing structures of level 1 and level 0 ciphertext are almost identical.

Meanwhile, the same properties as herein can be applied to the general message packing of the ciphertext generation scheme and allow efficient preprocessing. Accordingly, the number of zero-knowledge proofs required in the existing method can be reduced (for example, from 4 to 3), thereby improving the efficiency by 1.3 times in the preprocessing stage. .

In these two aspects, the method according to the present disclosure can improve cost by more than 3.3 times compared to the existing method.

In addition, the present disclosure also describes an optimization method for the above-described method, using a composite cyclic polynomial as a quotient polynomial to increase the packing density through the optimization method, and increasing the multiplication depth to reduce additional zero knowledge proofs. The sharing process can also be avoided. Meanwhile, the method in this disclosure is more efficient when there are more participants, but has high efficiency even when there are two participants.

Below, with reference to FIG. 4, a product pair generation operation using the packing method according to the present disclosure will be described.

Figure 4 is a diagram for explaining an authenticated product pair generation operation according to an embodiment of the present disclosure.

Referring to Figure 4, the multiplication pair is a process of generating three multiplication pairs (30, 40, 50) in response to the two input secrets (10, 20). Multiplication Multiply pairs allow you to perform multiplication operations while minimizing the amount of communication between users.

In the following, we assume that the protocol is secure in a universal composition (UC) framework, operates with n parties (P1, ..., Pn), and considers security against up to n-1 malicious attackers. do.

Since it is impossible to configure a UC secure MPC in a dishonest majority situation without setup assumptions, the present disclosure uses an existing public key model. In particular, we assume the F _KeyGen function that generates the correct key in the encryption scheme.

When we say that a protocol Π securely implements a function F using a security parameter λ, the benefit of any environment Z in the difference between ideal and actual execution is guaranteed to be O(2 ^-λ ).

상의 효율적인 MPC을 구현하기 위해서,

내에서 새로운 정보 이론 MAC 스킴을 이용할 수 있다.In response to an environment where the majority is dishonest

In order to implement efficient MPC,

A new information theoretic MAC scheme can be used within

는 MPC 프로토콜에서 실행되는 링이고, s는 통계적 안정성과 관련된 파라미터이다. 간략하게 을 나타낼 수 있다. This scheme is parameterized by k, s, where

is a ring running in the MPC protocol, and s is a parameter related to statistical stability. Briefly can indicate.

가 있으며, 여기서 각 당사자는 임의의 추가 공유 [α]_i∈

(예를 들어, α=Σ_i[α]_i )를 갖는다. 모든 인증된 비밀 값 x∈

에 대해서, 각 참가자는 이 값(예를 들어, x=Σ_i[x]_i(mod 2^k))에 추가 공유

를 갖게 된다. 여기서 키(α) 상의 x의 MAC(m)는 m=α·Σ_i[x]_i(mod 2^k)로 정의된다. 참가자들은 또한, m 모듈러 각 참가자는 또한 m 모듈로 의 추가적인 공유 [m]_i를 갖는다. Single global MAC key

, where each party has a random additional share [α] _i ∈

(e.g., α=Σ _i [α] _i ). All authenticated secret values x∈

For , each participant shares an addition to this value (e.g., x=Σ _i [x] _i (mod 2 ^k ))

You will have Here, MAC(m) of x on key (α) is defined as m=α·Σ _i [x] _i (mod 2 ^k ). The participants are also m modular. Each participant is also m modulo has an additional share of [m] _i .

Unlike MAC, which was frequently used in previous studies, the above-described MAC key (α), secret key (x), MAC (m), and additional shares are elements of different spaces. Note that we use the single notation [·] _i to denote different kinds of additive shares.

The authorized sharing of x by <x> for each party P _i holding <x> _i can be expressed as follows.

[Equation 7]

[Equation 8]

상의 인증된 비밀 공유 스킴을 이용하면, 모든 선형 함수는 간단한 방법으로 당사자에 할당되는 공유된 비밀 키를 계산할 수 있다.

Using the authenticated secret sharing scheme above, any linear function can compute the shared secret key assigned to the parties in a simple way.

Nonlinear arithmetic functions can be safely computed with the help of multipliers generated and authenticated in the preprocessing stage through Beaver's trick.

Homomorphic encryption is used for an efficient preprocessing step. The preprocessing step only requires computation of low multiplication depths (2 or 3) and thus can be effectively instantiated by HE using low-level parameters. Below, the use of a homomorphic encryption scheme for generating ciphertext is explained, but it is also possible to use other types of encryption schemes when implementing.

R:=Z[t]/(ϕ _M (t)) and ϕ _M (t)∈Z[t] respectively as a cyclotomic ring and N:= Define M cyclotomic polynomials of order (M). here is the Euler torrent function. For a positive integer (η), (if η = q), specify R _η :=R/η=Z _η [t]/(ϕ _M (t)) to construct the ciphertext space, or (if η = 2 ^k) ) Represents the plain text space.

The following distribution on Rq, with N-dimensional vectors identified on Z _q , is needed to describe the ciphertext generation scheme.

- U(q): Randomly and uniformly samples N-dimensional vectors on Z _q

- HWT(h): Samples an N-dimensional vector with elements selected from {-1, 0, 1} such that the number of non-zero elements is h.

- Zo(ρ): samples an N-dimensional vector with elements selected from {-1, 0, 1} such that each has probability ρ for -1, 1 and probability 1-ρ for 0.

- DG(σ ² ): Sampling an N-dimensional vector with elements selected from a discrete Gaussian distribution with variance σ ² .

을 가지며 6개의 알고리즘(KeyGen, Enc, ModSwitch, Dec, Add, Mult)로 구성된다. L∈Z>0이 최대 레벨이면, 산술 회로의 최대 계산 깊이(L-1)를 결정할 수 있다. 각 암호문은ℓ∈{0, 1,…., L} 레벨을 갖는다. The ciphertext generation scheme is linked to the message space.

It consists of 6 algorithms (KeyGen, Enc, ModSwitch, Dec, Add, Mult). If L∈Z>0 is the maximum level, the maximum computational depth (L-1) of the arithmetic circuit can be determined. Each ciphertext is ℓ∈{0, 1,… ., L} level.

Given the security parameter λ, the public parameter pp _λ has a cyclotomic polynomial Φ _M (t). Here, the cyclotomic polynomial has a sufficiently large degree, the cryptographic modulus is q ₂ =p ₀ p ₁ p ₂ , q ₁ =p _o p ₁ , q ₀ =p ₀ , and each of p ₀ , p ₁ , and p ₂ is a prime number. , p ₁ ≡ p ₁ ≡1(mod 2 ^k ),p ₀ -1 ≡ p ₁ -1 ≡ p ₂ -1 ≡ 0(mod M).

Here, the former condition is related to effective modulus switching, and the latter is related to fast calculation through Number Theoretic Transform (NTT).

Each algorithm is as follows.

- KeyGen(pp _λ ): Given the public parameter pp _λ , outputs the secret key (sk ← HWT(h)) and the public key (pk=(a,b) ∈ R ² _q2 ).

Here, a←U(q ₂ ),b=a·sk + 2 ^k ·e(mod q ₂ ), e←DG(σ ² ).

,

)를 출력할 수 있다. Additionally, re-linearization data (

,

) can be output.

← U(q2) and

=

·sk +2^k·

- p₁·sk²(mod q₂),

←DG(σ²)이다. 재선형 데이터는 대중에게 공개되고 곱셈 알고리즘에서 활용된다. here,

← U(q2) and

=

·sk +2 ^k ·

-p ₁ ·sk ² (mod q ₂ ),

←DG(σ ² ). The re-linearization data is made available to the public and used in the multiplication algorithm.

이 주어지면, r=(v, e₀, e₁)을 샘플링하고, 여기서, v←ZO(0.5)이고, e₀, e₁←DG(σ²), 다음을 연산하고. - Enc(m, r;pk): Plaintext m∈

Given, sample r=(v, e ₀ , e ₁ ), where v←ZO(0.5), and e ₀ , e ₁ ←DG(σ ² ), and compute

c ₀ = b·v + 2 ^k ·e ₀ + m (mod q ₂ ), c1 = a·v + 2 ^k ·e ₁ (mod q ₂ )

Then, the ciphertext ct = (L, c ₀ , c ₁ ) is output. Here the first item defines the level.

-ModSwich(ct=(ℓ,c _o , c ₁ )ℓ'): Given a ciphertext of level ℓ, without changing the message, ct'=(ℓ', c' ₀ , c of a low level ℓ') It can be converted to ' ₁ ).

-Dec(ct=(ℓ,c _o , c ₁ );sk): The ciphertext can be converted to level 0 ciphertext using the ModSwich described above, and decryption can be performed as follows.

(C _o - sk·c ₁ (cmod q ₀ )(mod 2 ^k )

원소를 출력할 수 있다. 여기서 cmod는 중앙 모듈러 축소를 의미하며, 각 계수는 (-q₂/2, q₀/2] ∩ Z로 축소된다. and,

Elements can be printed. Here, cmod means central modular reduction, and each coefficient is reduced to (-q ₂ /2, q ₀ /2] ∩ Z.

-Homomorphic Operation: Operation processing on ciphertext. Hereinafter, only addition and multiplication operations will be explained. In actual implementation, various operations may be performed based on addition and multiplication operations.

Add(ct1, ct2): Given two ciphertexts of the same level ℓ, the following ciphertext ct _add of the same level can be output,

[Equation 9]

here, represents a homomorphic addition operation.

Mult(ct ₁ , ct ₂ ): Given two ciphertexts with levels greater than 0, the following ciphertext Ct _mult of ℓ-1 can be output.

[Equation 10]

here, represents a homomorphic multiplication operation.

If σ = 3.16 and has general noise, the present disclosure uses a ciphertext generation scheme with small levels, for example, L = 2, 3.

Meanwhile, in the following, it is assumed that the ciphertext generation system according to the present disclosure is level 2 or 3.

가 원소가 인코딩되는 링이라고 하면, φ_M(t)∈Z[t]는 순환 다항식이며, δ는 앞선 정의 1을 만족하는 최소 양수이다.

If is a ring in which elements are encoded, then ϕ _M (t)∈Z[t] is a cyclic polynomial, and δ is the minimum positive number that satisfies the preceding Definition 1.

을 취하고, 다음과 같은 인코딩 및 디코딩 알고리즘을 적용할 수 있다.As the plaintext space of the ciphertext generation scheme, P:=

, the following encoding and decoding algorithms can be applied.

의 N₂ 포인트가 주어지면, 주어진 포인트에 대응되는 U(t)의 원소를 출력. -Encode( ),

Given N ₂ points, output the elements of U(t) corresponding to the given points.

-Decode(U(t)): When the elements of U(t) in the plaintext space and the number of multiplications that can be performed on the ciphertext are input, the message is restored.

Prepossessing phase

The goal of the preprocessing step is to generate many (authenticated) product pairs (or squares or inputs), and for the online stage of the MPC protocol, the product pairs are generated and divided between the parties. In this disclosure, steps 2 or 3 are performed according to the packing method as follows. Two types of preprocessing steps can be performed using the step ciphertext generation method.

a) Preprocessing method using a two-step ciphertext generation method

b) Preprocessing method using a three-step ciphertext generation method

In case a), the overall operation is similar to the existing preprocessing method. The main difference is in the distributed decoding protocol, and the preprocessing method according to the present disclosure enables simpler and more efficient operation because it uses the above-described packing method.

Case b) is similar to the case where a two-stage or more HE scheme is used to eliminate the re-sharing protocol, but one of the necessary ciphertext multiplications can be replaced with a ciphertext having a scalar message in each slot.

Below, method a) will be described in detail based on the differences described above.

first, and (Here, δ selected in Theorem 1 (z=1) according to Φ _M (t) is taken as a positive number). This is intended to link the above-described packing operation with the online phase of multi-party computation.

(k=32, 64, 128)에서 온 것이고, MAC는 보안을 위한 s가 32, 64로 설정될 수 있다.

. 마지막으로 암호문 생성 스킴의 평문 공간을

로 정의한다. MPC's message is

It comes from (k=32, 64, 128), and MAC s can be set to 32 or 64 for security.

. Lastly, the plaintext space of the ciphertext generation scheme is

It is defined as

Meanwhile, one of the methods of the above-described multi-party computation is zero knowledge proof. Zero-knowledge proof can be performed between two devices, and can also be performed on three or more devices using the multi-party calculation method described above.

First, we will briefly explain the contents of the zero-knowledge proof.

Two-step ciphertext generation encryption is an honest zero-knowledge proof of the following relation. Here, we consider many u ciphertexts and Ct _i = Enc(x _i ,r _i ;pk) (where r _i =(v _i , e _o,i e _1,i ).

[Equation 11]

Here, P : R → {true, false} is a predicate for the ciphertext message, n is the number of parties, and S is the soundness slack given as τ,ρ ₁ and ρ ₂ in the protocol.

The above-described relation required in the distributed decryption protocol according to the present disclosure ( ) is given specific predicates P _ecd and P _diag . Here, P _ecd indicates whether each ciphertext has been correctly encoded by the packing method of the present disclosure, and P _diag indicates whether the same scalar message is present in each slot.

[Equation 12]

[Equation 13]

Both predicates described above are restricted to linear isomorphism from CRT projections and pseudo-interpolation.

)은 본 개시에 따른 암호문 상의 릴레이션(

)에도 적용이 가능하다. Therefore, the protocol (

) is a relation (

) can also be applied.

Meanwhile, the above zero-knowledge proof was explained as being performed on powers of 2. However, zero-knowledge proof needs to be performed even in a space composed of prime numbers, and existing zero-knowledge proof has the problem of increasing communication costs by using a small challenge space. Below, we will describe a zero-knowledge proof that can be performed even in a space with few numbers and a method to reduce communication costs.

Figure 5 is a diagram for explaining a zero-knowledge proof operation according to an embodiment of the present disclosure.

Zero-knowledge proof refers to an interactive procedure in which nothing is revealed except whether the statement is true or false when proving to someone else that something is true.

Here, the side that proves that the sentence is true is called the prover, and the side that exchanges information with the prover by referring to it in the proof process is called the verifier. Hereinafter, the first electronic device 100-1 is regarded as the above-described prover, and the second electronic device 100-2 is assumed to be the verifier.

We first explain the basics of prime numbers of cyclotomic polynomials.

상의 상술한 바와 같은 영지식 증명을 위한 프로토콜을 설명한다. 먼저, 링()(여기서 M은 2의 거듭제곱)을 이용하는 경우에서의 영지식 증명의 동작은 다음과 같이 표현할 수 있다.

The protocol for zero-knowledge proof as described above is explained. First, the ring ( ) (where M is a power of 2), the operation of the zero-knowledge proof can be expressed as follows.

[Equation 14]

Here, (a) means that the coefficient does not increase even if X ⁱ is multiplied, which causes coefficient shifting skew on the ring when X ⁱ is multiplied. Meanwhile, (b) means that there is a scaled inverse of (X ⁱ -X ^j ) in the ring with small coefficients.

When applied to the space of a prime number (p) that is not a power of 2, it can be expressed as follows. Here, p is a prime number and the ring is am.

[Equation 15]

First, the prover (100-1) must disclose the vector (Enc(y,s)) of the masked ciphertext (S510). To this end, the prover 100-1 may generate a homomorphic ciphertext for the plaintext, perform masking processing on the generated homomorphic ciphertext, and generate a masked ciphertext (or vector).

Afterwards, the verifier (100-2) queries the prover (100-1) for the challenge matrix (c) (S520). Specifically, the verifier can select a challenge matrix using a preset challenge space. The existing challenge matrix is extracted from the space of {0, 1}, but in this disclosure, A challenge matrix can be created in a space that satisfies .

When the challenge matrix is received, the prover 100-1 can generate a plaintext vector using the challenge matrix and the vector and provide it to the verifier 100-2 (S530). Afterwards, the verifier 100-2 can perform verification using the received plaintext vector.

Then the typical rewinding argument is a( ) or P (prediction) is guaranteed to be satisfied.

The prover 100-2 can perform a verification operation using two ciphertexts, that is, by comparing the two pieces of information provided.

Meanwhile, this operation must satisfy the following two conditions. First, the difference (W-W') of the challenge matrix must satisfy invariability, and multiplication of the challenge matrix must have isomorphic properties.

Here, the challenge must be sampled on a challenge space that satisfies all of the above conditions. Previously the challenge space was limited to the set {0,1}. In this case, v (size of the masked ciphertext vector) must be as large as the security parameter, resulting in inefficiencies such as communication costs.

)은 0 또는 2이상의 정수 값을 가지며, 평문 공간이 소수의 집합인 링(

, 여기서 M는 소수)으로부터 얻을 수 있다. Therefore, in this disclosure, a challenge space larger than {0, 1} is used. Here is the challenge space (

) has an integer value of 0 or 2 or more, and the plaintext space is a ring (

, where M is a prime number).

The specific operation algorithm is shown in FIG. 6, and will be described below with reference to FIG. 6.

Figure 6 is a diagram for explaining a zero-knowledge proof operation according to an embodiment of the present disclosure.

Referring to FIG. 6, the purpose of the algorithm according to the present disclosure is to provide plaintext of an appropriate size and ciphertext proof that guarantees randomness.

If all parties perform sampling honestly, the sampling output satisfies Equation 16:

[Equation 16]

Here, p1, p2 = 20, p3 is 1, which is the bound of noise and randomness when the plaintext modulus is 2 ^t (power of 2).

In the algorithm according to the present disclosure as described above, a given ciphertext satisfies the following relationship.

[Equation 17]

Here, S refers to soundness slack, and when soundness slack originates from a rewinding processor, it is also used in general zero-knowledge proofs.

After such sampling, a masking operation on the ciphertext may be performed. Once this masking operation is completed, the masked homomorphic ciphertext can be transmitted to the verifier 100-2.

And a challenge matrix can be created using the challenge space.

When the challenge matrix is transmitted, the prover 100-1 can generate a response ciphertext (or computed ciphertext) by calculating the masked homomorphic ciphertext and the challenge matrix.

The verifier (100-2), which has received the response ciphertext, performs an operation on the previously received homomorphic ciphertext and the newly received response ciphertext, or compares the result of the operation of the homomorphic ciphertext and the challenge matrix with the response ciphertext to match the values. A zero-knowledge proof can be performed.

On the other hand, when the challenge space is small, many of the above-described operations must be performed, but stability below the preset probability is secured. However, when using a large challenge space as in the present disclosure, the stability of the preset probability can be secured with only fewer repetitions than before.

Figure 7 is a block diagram showing the configuration of an arithmetic device according to an embodiment of the present disclosure. Specifically, in the system of FIG. 1, a device that performs homomorphic encryption, such as a first electronic device and a second electronic device, a device that calculates a homomorphic ciphertext, such as a first server device, and a device that decrypts a homomorphic ciphertext, such as a second server device. The device may be referred to as an arithmetic device. These computing devices may be various devices such as personal computers (PCs), laptops, smartphones, tablets, and servers.

Referring to FIG. 10 , the computing device 400 may include a communication device 410, a memory 420, a display 430, a manipulation input device 440, and a processor 450.

The communication device 410 is formed to connect the computing device 400 with an external device (not shown), and is not only connected to an external device through a local area network (LAN) and the Internet, but also through a USB ( It is also possible to connect through a Universal Serial Bus) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port. This communication device 410 may also be referred to as a transceiver.

The communication device 410 can receive a public key from an external device, and the computing device 400 can transmit the public key generated by itself to an external device.

Additionally, the communication device 410 can receive a message from an external device and transmit the generated encrypted text to the external device.

Additionally, the communication device 410 can receive various parameters necessary for generating encrypted text from an external device. Meanwhile, during implementation, various parameters can be directly input from the user through the manipulation input device 440, which will be described later.

Additionally, the communication device 410 may receive a request for an operation on a homomorphic ciphertext from an external device, and may transmit the calculated result accordingly to the external device.

Additionally, the communication device 410 may receive homomorphic encrypted text.

Additionally, the communication device 410 can transmit the generated product pair to another device and receive the operation result for the product pair from each device.

Additionally, the communication device 410 may transmit masked homomorphic ciphertext for zero-knowledge proof to an external device or receive masked homomorphic ciphertext from an external device.

Additionally, the communication device 410 may transmit or receive a challenge matrix used for zero-knowledge proof, and may receive or transmit a response ciphertext corresponding thereto.

The memory 420 is a component for storing O/S, various software, and data for driving the computing device 400. The memory 420 may be implemented in various forms such as RAM, ROM, flash memory, HDD, external memory, memory card, etc., and is not limited to any one.

Memory 420 stores messages to be encrypted. Here, the message may be various types of credit information and personal information cited by the user, and may also be information related to usage history, such as location information used in the computing device 400 and information on Internet usage time.

Additionally, the memory 420 can store the public key, and if the computing device 400 is a device that directly generates the public key, it can store not only the private key but also various parameters necessary for generating the public key and private key.

And the memory 420 can store the homomorphic ciphertext generated in the process described later. Additionally, the memory 420 may store intermediate data (e.g., polynomials, product pairs, etc. that are results of pseudo-interpolation) in the process of generating the homomorphic ciphertext.

The display 430 displays a user interface window for selecting a function supported by the computing device 400. Specifically, the display 430 may display a user interface window for selecting various functions provided by the computing device 400. This display 430 may be a monitor such as a liquid crystal display (LCD), an organic light emitting diode (OLED), etc., and may also be implemented as a touch screen that can simultaneously perform the functions of the manipulation input device 440, which will be described later. .

The display 430 may display a message requesting input of parameters necessary for generating a private key and a public key. And the display 430 can display a message in which the encryption target selects the message. Meanwhile, at the time of implementation, the encryption target can be selected directly by the user or automatically. In other words, personal information that requires encryption can be set automatically even if the user does not directly select the message.

The manipulation input device 440 may select a function of the computing device 400 and receive a control command for the corresponding function from the user. Specifically, the manipulation input device 440 can receive input of parameters necessary for generating a private key and a public key from the user. Additionally, the manipulation input device 440 can receive a message to be encrypted from the user.

The processor 450 controls each component within the computing device 400. The processor 450 may be composed of a single device such as a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be composed of a plurality of devices such as a CPU or a graphics processing unit (GPU).

When a message to be transmitted is input, the processor 450 stores it in the memory 420. The processor 450 can homomorphically encrypt the message using various setting values and programs stored in the memory 420. In this case, a public key may be used.

The processor 450 may generate and use the public key necessary to perform encryption on its own, or may receive it from an external device and use it. As an example, the second server device 300 that performs decryption may distribute the public key to other devices.

When generating a key on its own, the processor 450 can generate a public key using the Ring-LWE technique. Specifically, the processor 450 may first set various parameters and rings and store them in the memory 420. Examples of parameters may include the length of plaintext message bits and the sizes of public and private keys.

A ring can be expressed by the following mathematical equation.

[Equation 18]

는 2의 지수승으로 표현되는 계수, φ_M (t)는 N차 사이클로토믹 다항식 (N-th cyclotomic polynomial)이다. Here R is ring,

is a coefficient expressed as a power of 2, and ϕ _M (t) is an N-th cyclotomic polynomial.

A ring is a set of polynomials with preset coefficients, in which addition and multiplication are defined between elements, and is a set that is closed with respect to addition and multiplication. In the present disclosure, a ring is a set of exponents of 2 in the plain text space. means. And the Euler totient function Φ(N) means the number of natural numbers that are coprime with N and are smaller than N.

Once the ring is established, processor 450 can calculate the secret key (sk), given the public parameter pp _λ .

[Equation 19]

sk ← HWT(h)

Here, s(x) means a polynomial randomly generated with small coefficients.

And the processor 450 can calculate a public key using the generated private key.

[Equation 20]

pk=(a, b) ∈ R ² _q2

Here, a←U(q ₂ ), b=a·sk + 2 ^k ·e(mod q ₂ ), e←DG(σ ² ).

Additionally, the processor 450 can also calculate re-linearization data to be used to generate a product pair, which will be described later.

Since the above-described key generation method is only an example, it is not necessarily limited to this, and of course, the public key and private key can be generated by other methods.

Meanwhile, the processor 450 can control the communication device 410 so that once the public key is generated, it is transmitted to other devices.

And the processor 450 can generate a homomorphic ciphertext for the message. At this time, the processor 450 may perform an encoding operation (or packing operation) to proactively convert a plurality of messages into a polynomial.

Specifically, the processor 450 may encode a plurality of messages into one polynomial using a power of 2 (2 ^δ ) and a ring of a preset size. For example, the processor 450 assigns the coefficients of the polynomial so that the resulting value of the polynomial according to the change in the variable of the polynomial has a value multiplied by the power of 2 of the preset size to the message value corresponding to the variable value among the plurality of messages. Thus, a polynomial corresponding to a plurality of messages can be generated.

일 수 있으며, 상술한 수학식 21을 만족할 수 있다. 여기서, r은 링의 사이클로토믹 다항식의 기약 인자(irreducible factor)의 수이다. The polynomial generated accordingly has the highest degree 2 ^r -1 or

, and can satisfy Equation 21 described above. Here, r is the number of irreducible factors of the cyclotomic polynomial of the ring.

[Equation 21]

,, a_j는 다항식의 계수,

는 2의 지수승으로 표현되는 계수이다. Here, X(i) is i-1st degree polynomial, i is a _positive integer,

,, a _j is the coefficient of the polynomial,

is a coefficient expressed as the power of 2.

And the number of packed messages may be a number that satisfies Equation 22 or Equation 23 below.

[Equation 22]

Here, N is the degree of the polynomial.

[Equation 23]

Here, r is the number of irreducible factors of the cyclotomic polynomial of the ring, and d is the degree of the irreducible factor of the cyclotomic polynomial of the ring.

And the processor 450 can generate the generated polynomial as ciphertext. Specifically, the processor 450 may calculate c ₀ and c ₁ as shown in Equation 20 below and generate the ciphertext ct = (ℓ, c ₀ , c ₁ ) as the ciphertext. Here, ℓ is the level in the ciphertext.

Meanwhile, the exponent of the power of 2 of the above-mentioned preset size may be the degree of redundancy of 2 in the prime factorization of (d-1)!, and this value can be calculated in advance, and is calculated based on the number of messages given in the packing process. Correspondingly, it can be calculated for each packing process.

[Equation 24]

c ₀ = b·v + 2 ^k ·e ₀ + m (mod q ₂ ), c1 = a ·v + 2 ^k ·e ₁ (mod q ₂ )

Here, v←ZO(0.5), e ₀ , e ₁ ←DG(σ ² ).

And the processor 450 can generate ciphertext by applying the public key to the message converted into polynomial form.

Meanwhile, when an operation on a plurality of ciphertexts is required, the processor 450 may control the communication device 410 to generate product pairs for a plurality of ciphertexts and transmit the generated product pairs to a plurality of electronic devices.

When the processor 450 receives calculation results from a plurality of electronic devices, the processor 450 can perform verification (e.g., zero knowledge proof) on the received calculation results and generate the final calculation result using the verified value. there is. Specifically, when zero-knowledge proof is required, the processor 450 can sample the stored message and generate a homomorphic ciphertext for the sampled message.

Additionally, the processor 450 may control the communication device 410 to transmit the generated homomorphic ciphertext to a device that wishes to perform verification. At this time, the processor 450 may perform preset operation processing on the homomorphic ciphertext, that is, perform masking processing, and transmit the masked result to an external device.

When the processor 450 receives a challenge matrix from an external device, the processor 450 generates a response ciphertext using the received challenge matrix and the homomorphic ciphertext (or masked homomorphic ciphertext), and transmits the result to the corresponding device. 410) can be controlled.

If the computing device 450 operates as a verifier, the processor 450 may extract (or generate) a challenge matrix using a preset challenge space and control the communication device 410 to transmit the challenge matrix. there is. Correspondingly, when the response ciphertext is received, verification can be performed using the received response ciphertext, challenge matrix, and previously received homomorphic ciphertext.

And the processor 450 may repeatedly perform the above-described operation a preset number of times.

In addition, when decryption of the homomorphic ciphertext is necessary, the processor 450 can apply a secret key to the homomorphic ciphertext to generate a decrypted text in the form of a polynomial, and generate a message by decoding the decrypted text in the polynomial form.

As described above, the computing device according to the present disclosure generates data that operates in a power of 2 method that can be calculated by the CPU, so there is no need for separate emulation. In addition, by using the above-described packing method, the number of zero-knowledge proofs is reduced compared to the existing method, and a high computational cost reduction is possible in that it has high fold parallelism. Additionally, by using a large challenge matrix, zero-knowledge proof can be performed using a low number of iterations.

Meanwhile, in showing and explaining FIG. 7, it is shown and described that an encryption operation, that is, both encoding and encryption operations, are performed in one device. However, when implemented, a key generation is performed in one device and only an encoding operation is performed in another device. , encryption can also be performed by receiving the encoding result from another device. Additionally, during the decoding process, both the decoding and decoding operations may be performed in one device, or the decoding and decoding operations may be performed separately in two devices.

In addition, in showing and explaining FIG. 7, an asymmetric encryption method (i.e., a secret key and a public key) is used, but when implemented, encryption and decryption operations may be performed using a symmetric encryption method.

Figure 8 is a diagram to explain the ciphertext processing method from the prover's perspective.

Addition and multiplication are defined between elements, and using a ring, which is a closed set for addition and multiplication, a homomorphic ciphertext for the plaintext is generated and transmitted to an external device (S810). Here, the ring may be a set of prime plaintext spaces. At this time, a preset operation process for the homomorphic ciphertext may be performed to generate and transmit a masked homomorphic ciphertext.

And when a challenge matrix that satisfies the preset challenge space is received (S820). A response ciphertext is generated using the received challenge matrix and the homomorphic ciphertext, and the generated response ciphertext is transmitted to the relevant external device (S830). Here, the preset challenge space has an integer value of 0 or 2 or more, and the corresponding integer value is a factor value that acts as a coefficient shifting movement for the ring.

Figure 9 is a diagram to explain the ciphertext processing method from the verifier's perspective.

Referring to FIG. 9, addition and multiplication are defined between elements, and a homomorphic ciphertext for the plaintext is received using a ring, which is a set closed for addition and multiplication (S910). At this time, the homomorphic ciphertext may be a masked ciphertext in which a preset operation has been performed.

Then, a challenge matrix that satisfies the preset challenge space is generated and transmitted (S920). Here, the preset challenge space is a space with an integer value of 0 or 2 or more, and has a wider range than the existing {0,1}, so the same stability can be secured with a smaller number of times than before.

And, upon receiving the response ciphertext corresponding to the homomorphic ciphertext and the challenge matrix (S930), it is determined whether the operation result of the homomorphic ciphertext and the challenge matrix corresponds to the received response ciphertext.

And the homomorphic ciphertext can be verified by repeatedly performing the above-described operations (transmitting the challenge matrix and receiving and judging the response ciphertext) (S940). This repetitive operation may be performed as many times as necessary to secure a preset stability (or ratio).

As described above, the ciphertext processing method according to this embodiment performs zero-knowledge proof using a large challenge space, so it is possible to secure the preset stability even if the number of repetitions is small. In addition, operation is possible not only on rings with powers of 2, but also on rings with prime numbers.

Meanwhile, the ciphertext processing method according to the various embodiments described above may be implemented in the form of program code for performing each step, and may be stored and distributed in a recording medium. In this case, a device equipped with a recording medium can perform operations such as the above-described encrypted text processing method.

These recording media may be various types of computer-readable media such as ROM, RAM, memory chips, memory cards, external hard drives, hard drives, CDs, DVDs, magnetic disks, or magnetic tapes.

Although the present disclosure has been described above with reference to the accompanying drawings, the scope of rights of the present disclosure is determined by the scope of the patent claims described later and should not be construed as being limited to the above-described embodiments and/or drawings. In addition, it should be clearly understood that improvements, changes and modifications of the disclosure described in the patent claims, which are obvious to those skilled in the art, are also included in the scope of rights of the present disclosure.

100: electronic device 200: first server device
300: second server device 400: computing device
410: Communication device 420: Memory
430: Display 440: Manipulation input device
450: processor

Claims (16)

Creating a homomorphic ciphertext for the plaintext using a ring, which is a set in which addition and multiplication are defined between elements and is closed for addition and multiplication;
Receiving a challenge matrix satisfying a preset challenge space;
generating a response ciphertext using the received challenge matrix and the homomorphic ciphertext; and
Transmitting the generated response ciphertext; including,
The ring is a set of prime plaintext spaces among the sets,
The preset challenge space is,
A method of processing ciphertext, which is a space with an integer value of 0 or 2 or more. According to paragraph 1,
The ciphertext processing method wherein the integer value of 2 or more is a factor value that acts as a coefficient shifting movement for the ring. According to paragraph 1,
The step of generating the homomorphic ciphertext is,
A ciphertext processing method for generating a masked homomorphic ciphertext by performing a preset operation process on the generated homomorphic ciphertext. According to paragraph 1,
The step of generating the homomorphic ciphertext is,
A ciphertext processing method that generates a homomorphic ciphertext for a message using a power of 2 (2 ^δ ) of a preset size and the ring. Receiving a homomorphic ciphertext generated using a ring and plaintext, which is a set in which addition and multiplication are defined between elements and is closed for addition and multiplication;
Generating and transmitting a challenge matrix that satisfies a preset challenge space;
Receiving a response ciphertext corresponding to the homomorphic ciphertext and the challenge matrix;
A step of determining whether the operation result of the homomorphic ciphertext and the challenge matrix corresponds to the received response ciphertext,
The ring is a set of prime plaintext spaces among the sets,
The preset challenge space is,
A method of processing ciphertext, which is a space with an integer value of 0 or 2 or more. According to clause 5,
The ciphertext processing method wherein the integer value of 2 or more is a factor value that acts as a coefficient shifting movement for the ring. According to clause 5,
An operation of transmitting a challenge matrix different from the previously transmitted challenge matrix, an operation of receiving a response ciphertext corresponding to the different challenge matrix, and whether the operation result of the homomorphic ciphertext and the different challenge matrix corresponds to the response ciphertext corresponding to the different challenge matrix. A ciphertext processing method further comprising: verifying the homomorphic ciphertext by repeating the operation of determining . In clause 7,
The verification step is,
A ciphertext processing method that repeats the above-described steps fewer times than when using the challenge space of {0, 1}. In the computing device,
A communication device that communicates with an external device;
a memory storing at least one instruction; and
A processor executing the at least one instruction;
The processor,
By executing the at least one instruction,
Addition and multiplication are defined between elements, and a homomorphic ciphertext for the plaintext is generated using a ring, which is a closed set for addition and multiplication.
When receiving a challenge matrix that satisfies a preset challenge space from the external device, generate a response ciphertext using the received challenge matrix and the homomorphic ciphertext,
Controlling the communication device to transmit the generated response ciphertext to the external device,
The ring is a set of prime plaintext spaces among the sets,
The preset challenge space is,
An arithmetic unit that is a space with integer values of 0 or 2 or more. According to clause 9,
The integer value of 2 or more is a factor value that acts as a coefficient shifting movement for the ring. According to clause 9,
The processor,
An arithmetic device that generates a masked homomorphic ciphertext by performing a preset operation process on the generated homomorphic ciphertext. According to clause 9,
The processor,
An arithmetic device that generates a homomorphic ciphertext for a message using a power of 2 (2 ^δ ) of a preset size and the ring. In the computing device,
A communication device that communicates with an external device;
a memory storing at least one instruction; and
Including a processor executing the at least one instruction,
The processor,
By executing the at least one instruction,
When receiving a homomorphic ciphertext generated using a ring, which is a set in which addition and multiplication are defined between elements and is closed for addition and multiplication,
Create a challenge matrix that satisfies the preset challenge space,
Controlling the communication device to transmit the generated challenge matrix to the external device,
When receiving a response ciphertext corresponding to the homomorphic ciphertext and the challenge matrix, determine whether an operation result of the homomorphic ciphertext and the challenge matrix corresponds to the received response ciphertext,
The ring is a set of prime plaintext spaces among the sets,
The preset challenge space is,
An arithmetic unit that is a space with integer values of 0 or 2 or more. According to clause 13,
The integer value of 2 or more is a factor value that acts as a coefficient shifting movement for the ring. According to clause 13,
The processor,
An operation of transmitting a challenge matrix different from the previously transmitted challenge matrix, an operation of receiving a response ciphertext corresponding to the different challenge matrix, and whether the operation result of the homomorphic ciphertext and the different challenge matrix corresponds to the response ciphertext corresponding to the different challenge matrix. A computing device that verifies the homomorphic ciphertext by repeating the operation of determining . According to clause 15,
The processor,
An arithmetic device that repeats the above-described operation fewer times than when using the challenge space of {0, 1}.

Images