KR102633416B1 - Method for privacy preserving using homomorphic encryption with private variables and apparatus theroef - Google Patents

Abstract

A ciphertext processing method is disclosed. This ciphertext processing method includes the steps of storing a data set containing homomorphically encrypted messages and non-homomorphically encrypted messages as slots, applying the homomorphically encrypted messages and non-homomorphically encrypted messages in the data set to a previously stored linear model to model the linear model. It includes calculating an estimated value for and transmitting the calculated estimated value to an external device.

Description

Method and device for securing private variables using homomorphic encryption {METHOD FOR PRIVACY PRESERVING USING HOMOMORPHIC ENCRYPTION WITH PRIVATE VARIABLES AND APPARATUS THEROEF}

The present disclosure relates to a method and device for securing private variables using homomorphic encryption, and more specifically, to a method and device for performing regression analysis by encrypting only private variables that require security among various variables. It's about.

Over the past few years, machine learning has shown remarkable achievements in almost every sector, including autonomous driving, marketing, and finance. The success of machine learning is due not only to improved performance of calculation and storage functions represented by GPUs, but also to the explosive increase in the number of open data.

In this regard, companies and organizations are doing their best to collect data from various sources, especially individuals. However, individual data contains personal information, raising concerns about privacy infringement. Individuals may not want their personal information available to others for any reason, and even if they agree to provide such information, an unwanted leak of personal information may occur if the database is attacked.

Therefore, applying security technologies to data disclosure is no longer an option but a necessity. Therefore, various security technologies for personal information have been proposed, and recently, homomorphic encryption methods have been widely studied as a method to solve this problem.

Homomorphic encryption can perform addition and multiplication on encrypted data without a decryption process. Therefore, by utilizing homomorphic encryption, the client can delegate computations to an untrusted cloud server, transmit encrypted input data to the server, and perform all computations without any additional queries. In this way, homomorphic encryption provides a simple and secure delegation structure for calculating personal data.

However, when using homomorphic encryption for machine learning, there were problems in terms of time and storage efficiency. For example, a learning process that could be accomplished in minutes with plaintext took days using homomorphic ciphertext.

Therefore, the present disclosure is designed to solve the problems described above, and aims to provide a method and device for performing regression analysis by encrypting only private variables that require security among various variables.

The present disclosure is intended to achieve the above object, and includes a method of processing ciphertext in an arithmetic processing device, including storing a data set including a homomorphically encrypted message and a non-homomorphically encrypted message as a slot, and homomorphically encrypting the data set. Applying the encrypted message and the non-homomorphically encrypted message to a pre-stored linear model to calculate an estimate value for the linear model, and transmitting the calculated estimate value to an external device.

In this case, the step of calculating the estimated value extracts a term using the homomorphically encrypted message from the polynomial required for calculating the estimated value of the preceding model, performs a homomorphic operation on the extracted term, and performs a homomorphic operation on the extracted term. An estimated value can be calculated.

Meanwhile, the step of calculating the estimated value generates a matrix corresponding to the data set, and the matrix is divided into a first matrix including the homomorphically encrypted message and a second matrix not including the homomorphically encrypted message. Decomposition, the second matrix can be orthogonal to the first matrix, and an estimate value for the linear model can be calculated using the first matrix and the second matrix.

Meanwhile, the data set may include a plurality of different variables, each of which is homomorphically encrypted.

Meanwhile, the linear model may be a ridge regression linear model.

Meanwhile, a computing device according to an embodiment of the present disclosure includes a memory that stores at least one instruction, and a processor that executes the at least one instruction, and the processor executes the at least one instruction. , store a data set containing homomorphically encrypted messages and non-homomorphically encrypted messages as slots, and apply the homomorphically encrypted messages and non-homomorphically encrypted messages in the data set to a pre-stored linear model to estimate the linear model. Calculate the value.

In this case, the processor extracts a term using the homomorphically encrypted message from the polynomials needed to calculate the estimated value of the preceding model, performs a homomorphic operation on the extracted term, and calculates the estimated value. can do.

Meanwhile, the processor generates a matrix corresponding to the data set, decomposes the matrix into a first matrix including the homomorphically encrypted message and a second matrix not including the homomorphically encrypted message, and 2 The matrix may be orthogonal to the first matrix, and an estimated value for the linear model may be calculated using the first matrix and the second matrix.

Meanwhile, the data set may include a plurality of different variables, each of which is homomorphically encrypted.

Meanwhile, the linear model may be a ridge regression linear model.

According to the various embodiments of the present disclosure as described above, private variables that require personal protection and variables that do not are differentiated and homomorphically encrypted to process the calculation, allowing faster calculation. Specifically, the complexity when encrypting the entire data is O(p ² log n), whereas the complexity of the method according to the present disclosure is O(p log n).

In addition, by not using gradient descent in the learning process, not only can more accurate solutions be obtained efficiently, but the learning rate search required to optimize the performance of gradient descent can be omitted, enabling faster machine learning learning. It works.

1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure;
2 is a block diagram showing the configuration of an arithmetic device according to an embodiment of the present disclosure;
3 is a diagram for explaining the basic operation of a homomorphic ciphertext according to an embodiment of the present disclosure;
4 is a diagram illustrating an example of a processing function for homomorphic ciphertext according to an embodiment of the present disclosure;
5 is a diagram for explaining an intermediate value calculation algorithm for ridge regression according to an embodiment of the present disclosure;
6 is a diagram illustrating an algorithm for calculating the result of ridge regression using the calculated median value according to an embodiment of the present disclosure;
7 is a diagram for explaining an operation operation using a packing operation for homomorphic ciphertext according to an embodiment of the present disclosure;
8 is a diagram for explaining the performance of a ridge regression operation according to the present disclosure;
Figure 9 is a flowchart illustrating a method of processing ciphertext according to an embodiment of the present disclosure.

Hereinafter, the present disclosure will be described in detail with reference to the accompanying drawings. Encryption/decryption may be applied to the information (data) transmission process performed in the present disclosure as necessary, and expressions describing the information (data) transmission process in the present disclosure and patent claims are all encryption/decryption even if not separately mentioned. It should be interpreted to include cases as well. In the present disclosure, expressions of the form “transmitted (transmitted) from A to B” or “received by A from B” also include transmission (transmission) or reception with other media in the middle, and must be transmitted (transmitted) from A to B. It does not express only what is directly transmitted (delivered) or received.

In the description of the present disclosure, the order of each step should be understood as non-limiting unless the preceding step must be performed logically and temporally prior to the subsequent step. In other words, except for the above exceptional cases, even if the process described as a subsequent step is performed before the process described as a preceding step, the nature of disclosure is not affected, and the scope of rights must also be defined regardless of the order of the steps. In this specification, the term “A or B” is defined not only to selectively indicate either A or B, but also to include both A and B. In addition, in the present disclosure, the term “includes” has the meaning of including additional components other than those listed as included.

In this disclosure, only essential elements necessary for description of the present disclosure are described, and components that are unrelated to the essence of the present disclosure are not mentioned. And it should not be interpreted in an exclusive sense that includes only the mentioned components, but in a non-exclusive sense that can include other components as well.

And in this disclosure, “value” is defined as a concept that includes not only scalar values but also vectors.

The mathematical operations and calculations of each step of the present disclosure described later may be implemented in computer operations by known coding methods and/or coding designed to be suitable for the present disclosure to perform the corresponding operations or calculations.

The specific mathematical equations described below are explained as examples among various possible alternatives, and the scope of rights of the present disclosure should not be construed as being limited to the mathematical equations mentioned in the present disclosure.

Hereinafter, various embodiments of the present disclosure will be described in detail using the attached drawings.

1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure.

Referring to FIG. 1, the network system 1000 may include a user terminal device 100, a first server 200, and a second server 300, and each component may be connected through a network.

Here, the network can be implemented as various types of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each device may be connected without a separate medium through methods such as Wi-Fi, Bluetooth, NFC (Near Field Communication), etc. .

Although FIG. 1 shows one user terminal device 100, a plurality of user terminal devices 100 may be used in the network system 1000 when implemented. As an example, the user terminal device 100 may be implemented as various types of devices such as smartphones, tablets, game players, PCs, laptop PCs, home servers, kiosks, etc., and may also be implemented in the form of home appliances with IoT functions applied. It can be implemented.

The user terminal device 100 shown in FIG. 1 is the data owner, the first server 200 is a crypto-service provider (CSP, Crypto-service provider), and the second server 300 is a machine learning service provider (MLSP, Machin learning). It may also be referred to as a service provider.

The first server 200 may generate a secret key and a public key required for homomorphic encryption, and provide the generated public key to the second server 300 and the user terminal device 100. Specifically, the first server 200 may generate a secret key and a public key based on various parameters required for homomorphic encryption. Specific secret key and public key generation operations will be described later with reference to FIG. 3.

A user can input various information through the user terminal device 100 that he or she uses. The input information may be stored in the user terminal device 100 itself, but may also be transmitted to and stored in an external device for reasons such as storage capacity and security. In FIG. 2, the second server 300 may serve to store such information.

The user terminal device 100 may encrypt personal information using the provided public key and provide the encrypted personal information to the second server 300. At this time, the user terminal device 100 encrypts only the personal information requiring information reporting among various information to be provided to the second server 300 using homomorphic encryption, and the remaining information is sent to the second server 300 without homomorphic encryption processing. can be provided.

That is, the user terminal device 100 may encrypt personal information (or private variables) using a public key and provide the encrypted personal information and unencrypted information (or variables) to the second server 300. . Here, information requiring personal information protection may be referred to as a private variable, and may be one piece of information (or item) or plural pieces of information (or multiple items). For example, these private variables could be age, gender, race, etc. Items that require privacy protection can be automatically selected, and items pointed out by the user may become private variables.

The user terminal device 100 may include encryption noise, that is, an error calculated in the process of performing homomorphic encryption, in the ciphertext. Specifically, the homomorphic ciphertext generated by each user terminal device 100 may be generated in such a way that the resulting value including the message and error value is restored when the homomorphic ciphertext is later decrypted using a secret key. For example, homomorphic encryption as described above may be generated using the HEAAN scheme, but is not limited to this. The detailed operation of the HEAAN scheme will be described later.

The user terminal device 100 that has received the public key performs homomorphic encryption on variables requiring security among a plurality of variables (or a plurality of personal information or a plurality of information) using the provided public key, and homomorphically encrypts the variable. Data including variables and unencrypted variables may be transmitted to the second server 300.

When the second server 300 receives data from the user terminal device 100, it can store the received data.

And the second server 300 may perform calculation processing using the stored data according to an external request or a request from the user terminal device 100. Here, the computational processing may be a machine learning operation such as regression analysis. This machine learning operation will be described later with reference to FIG. 2.

And the second server 300 may provide the calculation processing result to the first server 200. The first server 200, which has received the calculation processing result, can decrypt the calculation result using a secret key and transmit the result to the user terminal device 100.

Hereinafter, it is assumed that the above-described first server 200 and second server 300 are honest, but curious, devices that do not collude with each other. Since machine learning service providers and encryption service providers are generally different companies that earn revenue by providing services to consumers, the above assumption is reasonable.

Meanwhile, for personal information security, the above-described first server 200 and second server 300 should not be able to know personal information (i.e., the above-described private variables). The first server 200 must not be able to know the final result during the decryption process for the calculation result, and the second server 300 must also be able to infer private variables using information from the learning process using unencrypted variables. There shouldn't be any.

Specifically, if appropriate security parameters are used, encrypted variables cannot be decrypted directly. However, there is room for inferring private variables using unencrypted variables with the help of external knowledge using concatenation attacks or attribute inference attacks. In order to prepare for this, the user terminal device 100 may delete some data or add randomness when providing the above-described data to lower the predictability of personal variables. Hereinafter, it is assumed that randomness is added to the unencrypted variable in advance so that the second server 300 cannot effectively perform an attribute inference attack on the private variable.

Meanwhile, since the first server 200 has a secret key, it is possible to check the final result by directly decoding it. To prevent this, the user terminal device 100 may determine a random vector value, called a mask, with the same length as the final result, encrypt the mask, and transmit the data to the second server 300. In this way, the user terminal device 100 masks the data and provides it to the second server 300, so even if the first server 200 decrypts the calculation result using the secret key, it becomes difficult to obtain the private variable. .

At this time, the user terminal device 100 may perform masking processing on the data to be transmitted before transmitting the data and provide the masked data to the second server 300. Specific details about masking processing will be described later.

As described above, the network system 1000 according to this embodiment encrypts only items requiring personal information protection, enabling secure processing. In addition, rather than encrypting and processing all of the user's information, only items that require personal information are homomorphically encrypted, enabling more accurate calculations during the analysis process.

Meanwhile, in showing and explaining FIG. 1, a separate first server 200 generates a public key and a secret key required for the ciphertext, and the user terminal device 100 receives the public key and performs homomorphic ciphertext processing. Although it has been described as such, when implemented, the user terminal device 100 may perform the functions of the first server 200. That is, the user terminal device 100 directly generates a secret key and a public key, homomorphically encrypts the information using the generated public key, provides it to the second server 200, and performs calculations on the second server 200. It can also be implemented in a way that the user terminal device 100 receives the result and directly restores it with the secret key.

Figure 2 is a block diagram showing the configuration of an arithmetic device according to an embodiment of the present disclosure.

Specifically, in the system of FIG. 1, a device that performs homomorphic encryption, such as a user terminal device, a first server that calculates the key value required for the homomorphic ciphertext, such as a first server device, and a second server that perform operations on the homomorphic ciphertext. The device that performs the operation may be referred to as an arithmetic device. These computing devices may be various devices such as personal computers (PCs), laptops, smartphones, tablets, and servers.

Referring to FIG. 2 , the computing device 400 may include a communication device 410, a memory 420, a display 430, a manipulation input device 440, and a processor 450.

The communication device 410 is formed to connect the computing device 400 with an external device (not shown), and is not only connected to an external device through a local area network (LAN) and the Internet, but also through a USB ( It is also possible to connect through a Universal Serial Bus) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port. This communication device 410 may also be referred to as a transceiver.

The communication device 410 can receive a public key from an external device, and the computing device 400 can transmit the public key generated by itself to the external device.

Additionally, the communication device 410 can receive a message from an external device and transmit the generated homomorphic encrypted text to the external device.

Additionally, the communication device 410 can receive various parameters necessary for generating encrypted text from an external device. Meanwhile, during implementation, various parameters can be directly input from the user through the manipulation input device 440, which will be described later.

Additionally, the communication device 410 may receive a request for an operation on a homomorphic ciphertext from an external device, and may transmit the calculated result accordingly to the external device. The operation requested here may be an operation such as addition, subtraction, or multiplication, or may be a regression analysis operation on multiple data.

At least one instruction regarding the computing device 400 may be stored in the memory 420 . Specifically, the memory 420 may store various programs (or software) for operating the computing device 400 according to various embodiments of the present disclosure.

This memory 420 may be implemented in various forms such as RAM, ROM, flash memory, HDD, external memory, memory card, etc., and is not limited to any one.

Memory 420 may store messages to be encrypted. Here, the message may be various types of credit information and personal information cited by the user, and may also be information related to usage history, such as location information used in the computing device 400 and information on Internet usage time.

Additionally, the memory 420 can store the public key, and if the computing device 400 is a device that directly generates the public key, it can store not only the secret key but also various parameters necessary for generating the public key and secret key.

And the memory 420 can store the homomorphic ciphertext generated in the process described later. Additionally, the memory 420 may store homomorphic ciphertext transmitted from an external device. Additionally, the memory 420 may store the operation result ciphertext that is the result of the operation process described later.

And the memory 420 can store learning models necessary for machine learning. Additionally, the memory 420 may store the operation function used in the corresponding learning model and its approximate polynomial. For example, the memory 420 may store functions for linear models such as Equations 10 and 15, which will be described later.

The display 430 displays a user interface window for selecting a function supported by the computing device 400. Specifically, the display 430 may display a user interface window for selecting various functions provided by the computing device 400. This display 430 may be a monitor such as a liquid crystal display (LCD), an organic light emitting diode (OLED), etc., and may also be implemented as a touch screen that can simultaneously perform the functions of the manipulation input device 440, which will be described later. .

The display 430 may display a message requesting input of parameters necessary for generating a private key and a public key. Additionally, the display 430 may display a message for the encryption target to select a message, or display a message for selecting a private variable. Meanwhile, at the time of implementation, the encryption target (i.e., private variable) can be selected directly by the user or selected automatically. In other words, personal information that requires encryption can be set automatically even if the user does not directly select the message.

The manipulation input device 440 may select a function of the computing device 400 and receive a control command for the corresponding function from the user. Specifically, the manipulation input device 440 may receive input from the user of parameters necessary for generating a private key and a public key. Additionally, the manipulation input device 440 can receive a message to be encrypted from the user.

The processor 450 controls the overall operation of the computing device 400. Specifically, the processor 450 may generally control the operation of the computing device 400 by executing at least one instruction stored in the memory 420. The processor 450 may be composed of a single device such as a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be composed of a plurality of devices such as a CPU or a graphics processing unit (GPU).

The processor 450 may store the message to be transmitted in the memory 420 when it is input. And the processor 450 can homomorphically encrypt the message using various setting values and programs stored in the memory 420. In this case, a public key may be used. At this time, homomorphic encryption may be performed on items that require personal information protection (private variables) among a plurality of messages, and encryption processing may not be performed on items that do not require personal information.

Additionally, the processor 450 may perform mask processing on a plurality of messages and transmit the masked data to an external device before transmitting the above-described plurality of messages to an external device.

The processor 450 may generate and use the public key required to perform encryption on its own, or may receive it from an external device and use it. For example, when the computing device is the first server device 200 of FIG. 1, a secret key and a public key may be generated, and the generated public key may be transmitted to the user terminal device 100 of FIG. 1.

And the processor 450 can generate a homomorphic ciphertext for the message. Specifically, the processor 450 can generate homomorphic ciphertext by applying a public key to items that require private protection among messages. Meanwhile, when processing the ciphertext using the HEAAN method, the processor 450 can convert the message into a polynomial (or vector) belonging to a ring and then generate a homomorphic ciphertext using the public key.

Additionally, the processor 450 can control the communication device 410 to store the homomorphic ciphertext in the memory 420 once it is generated, or to transmit the homomorphic ciphertext to another device according to a user request or a preset default command.

Meanwhile, according to an embodiment of the present disclosure, packing may be performed. When packing is used in homomorphic encryption, it becomes possible to encrypt multiple messages into one ciphertext. In this case, when the calculation unit 400 performs calculations between each ciphertext, calculations for multiple messages are processed in parallel, thereby greatly reducing the computational burden.

Specifically, when a message consists of a plurality of message vectors, the processor 450 converts the plurality of message vectors into a polynomial in a form that can be encrypted in parallel, then multiplies the polynomial by a scaling factor and generates the public key. You can also use homomorphic encryption. Accordingly, it is possible to generate ciphertext by packing a plurality of message vectors.

In addition, when decryption of the homomorphic ciphertext is necessary, the processor 450 may apply a secret key to the homomorphic ciphertext to generate a decrypted text in the form of a polynomial, and generate a message by decoding the decrypted text in the polynomial form.

And the processor 450 can perform operations on the ciphertext. Specifically, the processor 450 can perform operations such as addition, subtraction, or multiplication on the homomorphic ciphertext while maintaining the encrypted state.

Additionally, the processor 450 may perform ridge regression on the ciphertext. Ridge regression is a linear regression model with added regulation. A linear regression model is a model that performs predictions by creating a linear function for input characteristics. General prior regression is a model with an added regulation term in that overfitting may occur. More specific details about ridge regression are described later.

And when the calculation is completed, the calculation device 400 can detect data in the effective area from the calculation result data. Specifically, the calculation device 400 may detect data in the effective area by performing a rounding process on the calculation result data. Rounding processing refers to rounding off a message in an encrypted state, and can also be called rescaling.

Additionally, if the proportion of approximate messages in the ciphertext as a result of the calculation exceeds the threshold, the computing device 400 may perform a reboot operation on the ciphertext.

The computing device 400 according to the present disclosure as described above distinguishes between private variables that require personal protection and variables that do not, and performs computation by homomorphically encrypting them, thereby enabling faster computation. In addition, by not using gradient descent in the learning process, not only can more accurate solutions be obtained efficiently, but the learning rate search required to optimize the performance of gradient descent can be omitted, enabling faster machine learning learning. It works.

Below, the ridge regression used in this disclosure will first be briefly described.

Ridge regression is an essential component of various machine learning techniques that model linear relationships between input and dependent variables. The most resource-consuming process in the ridge regression learning process is the matrix inversion operation.

This disclosure describes a ridge regression analysis method that encrypts only private variables using homomorphic encryption. The work related to the ciphertext is minimized by dividing the ridge estimation formula into parts with and without private attributes. Optimization of the computation is then performed by forcing the redundant columns of the decomposed matrix to be orthogonal to the individual attributes.

The method according to the present disclosure can obtain an accurate solution more efficiently by not using gradient descent. Additionally, the learning rate search required to optimize the performance of the gradient descent method is omitted, enabling fast processing.

Meanwhile, because searching parameters in an encrypted domain requires a lot of calculations, related parameters are searched in advance using plain text. However, this is not a practical method.

Below, the operation of the homomorphic encryption used in this disclosure will be described.

A homomorphic encryption scheme generally has the following structure.

KeyGen(I ^λ , I ^τ )→(sKey, pKey): Enter security parameters (λ) and function parameters (τ), and output secret key (sKey) and public key (pKey).

Encrypt(pKey, m) → c: Outputs ciphertext (c) using the public key and input text (m).

Decrypt(sKey, c) → m: Enter the secret key and ciphertext and output the decrypted text (m).

Evaluate(pKey, f, c) → c _f : Outputs the ciphertext vector for the output of f in relation to the ciphertext vector as the input of the circuit (f).

Homomorphic encryption has a variety of applications, ranging from simple queries such as information retrieval to complex machine learning algorithms. The functional parameter (τ) determines the depth boundary of the circuit in operations using the scheme.

The encryption systems used to realize homomorphic encryption have been under development for several years, and initial schemes only support addition or multiplication, and these homomorphic encryption are referred to as partially homomorphic encryption.

Recently, both addition and multiplication are supported, and noise is added to the ciphertext during the encryption process. In particular, multiplication increases noise more than addition operation. If the noise exceeds the threshold, the ciphertext can no longer be decrypted. In this way, a system that allows only a certain number of operations as noise increases is called SHE (Some homomorphic encryption). Among the SHE methods, the method that can accurately perform calculations at a certain level of depth is called LHE (Leveled Homomorphic Encryption). In contrast, fully homomorphic encryption (FHE) schemes can handle any function with arbitrary multiplication depth.

The technique that allows you to perform this unlimited number of operations is bootstrapping. Bootstrapping evaluates the decryption of the ciphertext and generates a new homomorphic ciphertext with reduced noise. However, this decryption method is complex and non-linear, so it requires a lot of resources.

Meanwhile, when using homomorphic encryption, one thing to consider is using a non-polynomial function. Non-polynomial functions, such as exponential functions, must be approximated by polynomial functions consisting only of addition and multiplication, and higher-order polynomial operations are required to ensure high precision.

Recently, iterative methods are used to approximate higher-order polynomials, but these iterative methods increase the multiplication depth. Meanwhile, the matrix inversion operation requires multiple matrix multiplications, and can be approximated using known algorithms such as the Schulz algorithm for numerical stability, but many approximations require a lot of resources.

As described above, a homomorphic encryption scheme must be used for machine learning while protecting personal information. However, existing machine learning requires a lot of matrix multiplication to increase the multiplication depth in homomorphic encryption. There is a problem that a lot of resources are required to process the algorithm used in the homomorphic encryption method as is.

Hereinafter, a regression analysis method using homomorphic encryption according to the present disclosure to solve the problems described above will be described.

조각으로 분할하고, 마지막 조각을 0으로 채울 필요가 있다. 여기서 길이는 N이다. Meanwhile, for operations between ciphertexts, the number of plaintext slots for each ciphertext must be the same. That is, since the number of data may vary depending on the data owner, the user terminal device 100 needs to determine the size of the plain text slot in advance. That is, if the number of data points held by the user terminal device 100 is r and the size of the plain text slot is N, the data owner

We need to split it into pieces and pad the last piece with zeros. Here the length is N.

This setting is no different from the user terminal device 100 owning multiple data. Therefore, the regression analysis method will be described below assuming that the second server 300 of FIG. 1 owns all data.

A linear model is a method of making predictions by creating a linear function for input characteristics. Several normalization methods can be used to increase the accuracy of these priors. In the present disclosure, the description is made using ridge regression (or ridge regression) among several regularization methods, but the present disclosure can be applied to other regression methods as well as the ridge regression method described above.

Below, we will first describe the case where there is one private variable. For example, if you use one dependent variable (Y), p independent _non -private variables _{( X 1} , Can be expressed as Equation 1 below:

는 추정할 회귀 계수이며, ε는 에러 항이다. 그리고, X₁, X₂,..., X_p, X_s, Y에 대한 i 번째 관측 값은 (x_il, ..., x_ip,x_is y_i)(여기서, i = 1, ..., n)로 표시한다. n > p+1임을 가정하며, 이는 독립 변수의 수보다 더 많은 관측 값이 있다는 가정이다. Here, Y is a _dependent variable, where X _{1 ,} X ₂ ,...,

is the regression coefficient to be estimated, and ε is the error term. And, the ith _observed value _for X _{1 , X 2} , _{... ,} It is displayed as .., n). It is assumed that n > p+1, which is the assumption that there are more observed values than the number of independent variables.

In the case where there is one private variable and a plurality of non-private variables as described above, if homomorphic encryption is applied to the private variable, the data to be transmitted from the user terminal device 100 to the second server 300 is (x _il , ..., x _ip , h(x _is ) y _i ). here,

Below, a case where homomorphic encryption is applied to such data will be described. h _i = h(x _is ) is a completely homomorphic cipher for the private variable x _is . Hereinafter, for convenience, all operations between plain text and cipher text or between cipher text are displayed as plain text.

를 사용하여 각 x_ij를

로 교체하고,

로 β₀을 추정하며, 다음의 수학식 2와 같이 인터셉트가 없는 회귀 모델을 나타낼 수 있다. In cases like this,

For each x _ij using

Replace with

β ₀ is estimated, and a regression model without intercept can be expressed as shown in Equation 2 below.

here, X is a matrix with private and non-private variables (can be referred to as the matrix corresponding to the data set), β is the regression coefficient, and ε is the error term.

To control overfitting, by adding a regularization term to the error function, the total error function can be minimized as shown in Equation 3 below.

Here, ε(β) is the total error term, ε _D (β) is the error for the regularization term, and ε _W (β) is the error term for regulation.

The solution to Ridge regression according to this is given in Equation 4 below.

_RLS 은 리지 회귀의 해이고, I_p+1은 (p+1)×(p+1)에 대한 항등 행렬(identity matrix)이다. 인터셉트 β₀ 는 변수의 중심화때문에 정규화되지 않는다. 따라서, 리지 추정 값은 다음과 같은 수학식 5와 같이 나타낼 수 있다. here,

_RLS is the solution of Ridge regression, and I _p+1 is the identity matrix for (p+1)×(p+1). The intercept β ₀ is not normalized due to the centering of the variables. Therefore, the ridge estimate value can be expressed as Equation 5 below.

은 리지 추정 값이고,, XX^T는 n×n 행렬이다. 수학식 5의 뒷부분은 와 같다. 그 이유는 수학식 6과 같다. 따라서, 이다. here

is the ridge estimate value, and XX ^T is an n×n matrix. The latter part of equation 5 is It's the same. The reason is the same as Equation 6. thus, am.

Here, h _s is (h(x _1s ), ...h(x _ns )) ^T , and X _(-s) is another part of X. Using the Sherman-Woobury inversion formula, it is equivalent to equation 7.

here, am. (here, , is an orthogonal matrix, is a diagonal matrix with diagonal components (σ ₁ ≥... ≥σ _p ). Using singular vector decomposition (SVD), it can be expressed as Equation 8.

Here, σ _p+1 = … = σ _n =0, defined by the following terms.

Therefore, the ridge estimation is expressed as Equation 10 below.

Here u _j is It is a column of , am.

The above calculation includes n summations. To simplify calculations, (here, , ) Use facts.

To reduce SVD, , u ₂ can be selected within the range that satisfies . And up ₊₁ can be selected so that uj is orthogonal to h _s , and u _p+1 can be selected orthogonal to h _s for all j=p+2, ..., n. Here, U ₁ is equal to Equation 11.

thus, , η can be simplified as follows.

Therefore, the ridge estimate value can be simplified and expressed as follows.

Here we only include p sums.

When all data used in regression analysis is homomorphically encrypted, it is difficult to decompose the polynomial required to calculate the estimated value of the linear model, as described above. However, in the present disclosure, only items that require private protection are homomorphically encrypted, and general variables that do not require private protection can be quickly processed through general matrix operations, etc., so as described above, the estimated value of the linear model can be calculated. Among the necessary polynomials, the number of homomorphic operations can be minimized by separately extracting terms that use homomorphically encrypted messages and performing homomorphic operations only on those terms.

In addition, in order to reduce the computational complexity in the homomorphic operation process, the matrix constituting the data set is decomposed into a first matrix containing the homomorphic ciphertext and a second matrix that does not contain the homomorphic ciphertext, and the second matrix is the first matrix. By making it orthogonal to , it is possible to process the homomorphic operation more quickly in the above-described homomorphic operation process.

Meanwhile, although it has been described above that the above-described data set includes only one private variable, the data set may include a plurality of private variables. For example, if gender and race are included in the same data set, both may need to be treated as private variables. Below, the previous case where there is one private variable will be explained by expanding it to where there are two private variables.

The case where there are two private variables can be expressed as Equation 14 below.

here , g = , and each is an encrypted private variable.

In the same way as the previous method, the estimated value of Ridge regression can be expressed as Equation 15 below.

Here, the intermediate value can be defined as follows in Equation 16.

Expanding on the previous results, U2 can be freely selected first, orthogonal processing is performed, h is processed first, and g can be applied later.

Each item in the above-described process is as follows.

Therefore, referring to Equation 12 in the preceding private variable, Each can be simply expressed as Equation 17 below.

however The calculation seems more complicated because it involves u _p+2 being calculated using u _p+1 . however, can be expressed simply in a way that does not use up+2. For this purpose, without loss of generality, the following method can be used in which orthogonal processing is applied to g first and h is processed later.

thus, can be simplified as shown in Equation 19 below.

Therefore, ridge estimation can be simply expressed as Equation 20 below.

In this way, even when there are two private variables, it is possible to calculate the solution using only multiple operations. In the above, only the cases where there is one and two private variables were explained, but the case where there are three or more private variables can also be implemented by applying the same method.

Hereinafter, the case where the above-described ridge estimation is applied to the HEAAN scheme will be described with reference to FIG. 3.

Figure 3 is a diagram for explaining the basic operation of homomorphic ciphertext according to an embodiment of the present disclosure.

The main feature of the HEAAN scheme is the unique operation of encoding a plain text vector into a ring (or circle) before encryption. Specifically, a message can be encoded as a vector belonging to a ring, and the encoded message can be converted into homomorphic ciphertext using a public key. Conversely, in the decoding process, a decoding procedure is performed to convert the ciphertext into a vector, and the converted vector can be decrypted with a secret key and restored to the message.

Through this encoding, the HEAAN scheme supports encryption of complex vectors and SMID operations are also possible.

Decoding is the same as the reverse operation of encoding and is performed after the decoding operation.

Figure 4 is a diagram for explaining an example of a processing function for homomorphic ciphertext according to an embodiment of the present disclosure.

Referring to Figure 4, it shows operation operations for integer addition, addition, integer multiplication, and multiplication operations in the HEAAN scheme. By combining these basic operations, you can perform operations on specific functions.

In the example shown, Add and Mult represent addition and multiplication between ciphertexts, while ConstaAdd and ConsMult represent operations between ciphertexts and constant polynomials. In addition to the HEAAN scheme, in methods that support parallel computation, these computations are performed in a slot manner, so computations as many as the number of regular text slots can be performed at once.

Meanwhile, in the HEAAN scheme, in addition to the above-mentioned operations, left rotation, right rotation, and rescale processing are also possible. Here, left Rotate applies rotation to the left of each slot direction, and Right Rotate applies rotation to the right of each slot direction.

This method is useful when adding the same value to the ciphertext and enables efficient parallel work. Rescale can be performed after every ConsMult or Mult to reduce the size of the error. However, since Rescale reduces the ciphertext modulus, the number of operations can be proposed without bootstrapping.

On the other hand, since the above-described ridge regression requires as many summation operations as the number of variables, each private variable can be put into a ciphertext and all values of each column can be grouped into one ciphertext. Here, the maximum number of plaintexts that can be compressed into one ciphertext is determined by the security parameters of the homomorphic ciphertext. Hereinafter, it is assumed that the length of the column does not exceed the value of the security parameter. If the length of the column exceeds the value of the security parameter, each column must be decomposed into multiple ciphertexts, but even if the ciphertext is decomposed into multiple ciphertexts, this does not significantly affect the complexity of the ridge regression algorithm described above. Meanwhile, the ciphertext may include scalar values such as η and ξ, which can be treated as a vector that repeats the same value as many times as the number of slows.

Meanwhile, packing is applied to homomorphic ciphertext. When packing is used in homomorphic encryption, it becomes possible to encrypt multiple messages into one ciphertext. In this case, the computing device performs operations on each ciphertext, resulting in operations on multiple messages in parallel. As it is processed, the computational burden is greatly reduced. As shown in FIG. 7, an addition or multiplication operation on a plurality of messages can be performed through an addition or multiplication operation on two packed ciphertexts.

Figure 5 is a diagram for explaining an intermediate value calculation algorithm for ridge regression according to an embodiment of the present disclosure. Specifically, Figure 5 shows a method for calculating the median value for estimation of Ridge regression when only one private variable is included.

Referring to FIG. 5, the intermediate value included in Equation 15 or Equation 20 described above can be calculated using ConstMult, Mult, IRotate, ADD, etc. supported by the HEANN scheme.

Figure 6 is a diagram for explaining an operation of calculating a ridge estimate value according to an embodiment of the present disclosure.

Referring to FIG. 6, the final ridge regression estimate value is calculated using the intermediate value calculated in FIG. 5. For convenience, the rescale operation after the multiplication operation is omitted. Using homomorphic rotation, the sum of n elements in the ciphertext can be calculated log n times. Therefore, the complexity of the algorithm shown in Figure 5 is o(p lon n).

Figure 8 is a diagram for explaining the performance of a ridge regression operation according to the present disclosure. Specifically, each point in Figure 8 represents the results for one data set, and the x and y axes represent the number of columns and performance ratio, respectively.

Referring to Figure 8, it can be seen that there is a linear relationship between the number of columns and the performance ratio. And it can be confirmed that when the number of rows in the dataset is small, the method according to the present disclosure can be used more efficiently. Conversely, it may be interpreted as being inefficient as the number of columns in the data set increases, but the method according to the present disclosure does not use gradient descent and therefore does not need to search for the learning rate, so it is faster than existing methods. This is possible.

Figure 9 is a flowchart illustrating a method of processing ciphertext according to an embodiment of the present disclosure.

First, a data set containing homomorphically encrypted messages and non-homomorphically encrypted messages as slots is received and stored (S910). Such a data set may be masked as described above, and may include only one private variable or multiple private variables within the data set. And since the included private variables are homomorphically encrypted, personal information can be protected on the device receiving the data set.

The homomorphically encrypted and non-homomorphically encrypted messages in the data set are applied to a pre-stored linear model to calculate an estimated value for the linear model. Specifically, a term using a homomorphically encrypted message can be extracted from the polynomials needed to calculate the estimated value of the preceding model, and a homomorphic operation on the extracted term can be performed to calculate the estimated value. As such, not all variables in the data set are homomorphically encrypted, and only private variables that require personal protection are homomorphically encrypted. Therefore, among the polynomials required to calculate the estimated value of the linear model, one term uses a homomorphically encrypted message and the other term uses the homomorphically encrypted message. It is possible to distinguish terms, and only terms that use homomorphically encrypted messages can be processed by performing homomorphic calculation methods.

In addition, for faster calculation in the homomorphic calculation process, the matrix corresponding to the data set is decomposed into a first matrix containing a homomorphically encrypted message and a second matrix that does not, and the second matrix is made orthogonal to the first matrix. By processing (S920), the estimation value for the linear model can be calculated more quickly during the calculation process (S930).

After completing the above-described calculation, the calculation result can be transmitted to another device, or the calculation result can be decrypted with a secret key.

As described above, the ciphertext processing method according to the present disclosure distinguishes between private variables that require personal protection and variables that do not, and performs calculations by homomorphically encrypting them, allowing faster calculations. In addition, by not using gradient descent in the learning process, not only can more accurate solutions be obtained efficiently, but the learning rate search required to optimize the performance of gradient descent can be omitted, enabling faster machine learning learning. It works.

Meanwhile, the ciphertext processing method according to the various embodiments described above may be implemented in the form of program code for performing each step, and may be stored and distributed in a recording medium. In this case, a device equipped with a recording medium can perform operations such as the above-described encryption or ciphertext processing.

These recording media may be various types of computer-readable media such as ROM, RAM, memory chips, memory cards, external hard drives, hard drives, CDs, DVDs, magnetic disks, or magnetic tapes.

Although the present disclosure has been described above with reference to the accompanying drawings, the scope of the present disclosure is determined by the scope of the patent claims described later and should not be construed as being limited to the above-described embodiments and/or drawings. In addition, it should be clearly understood that improvements, changes and modifications of the disclosure described in the patent claims, which are obvious to those skilled in the art, are also included in the scope of rights of the present disclosure.

1000: Network system 100: User terminal device
200: first server 300: second server
400: computing device 410: communication device
420: Memory 430: Display
440: manipulation input device 450: processor

Claims (10)

In a method of processing ciphertext in an arithmetic processing unit,
storing a data set containing homomorphically encrypted messages and non-homomorphically encrypted messages as slots;
Applying the homomorphically encrypted message and the non-homomorphically encrypted message in the data set to a pre-stored linear model to calculate an estimate value for the linear model; and
A step of transmitting the calculated estimated value to an external device;
The data set includes a plurality of different variables,
A ciphertext processing method wherein at least one variable among the plurality of different variables is a homomorphically encrypted private variable, and at least one other variable among the plurality of different variables is a non-private variable that is not homomorphically encrypted. According to paragraph 1,
The step of calculating the estimated value is,
A ciphertext processing method for extracting a term that uses the homomorphically encrypted message from among polynomials required to calculate the estimated value of the linear model, performing a homomorphic operation on the extracted term, and calculating the estimated value. According to paragraph 1,
The step of calculating the estimated value is,
Generate a matrix corresponding to the data set, decompose the matrix into a first matrix including the homomorphically encrypted message and a second matrix not including the homomorphically encrypted message, and the second matrix is the first matrix. 1 A ciphertext processing method that is orthogonal to a matrix and calculates an estimate value for the linear model using the first matrix and the second matrix. According to paragraph 1,
A ciphertext processing method wherein the data set includes a plurality of different variables, each of which is homomorphically encrypted. According to paragraph 1,
The linear model is,
A ciphertext processing method that is a ridge regression linear model. In the computing device,
a memory storing at least one instruction; and
Including a processor executing the at least one instruction,
The processor,
By executing the at least one instruction,
Store a data set containing homomorphically encrypted messages and non-homomorphically encrypted messages as slots, and apply the homomorphically encrypted messages and non-homomorphically encrypted messages in the data set to a pre-stored linear model to obtain an estimated value for the linear model. Calculate ,
The data set includes a plurality of different variables,
A computing device wherein at least one variable among the plurality of different variables is a homomorphically encrypted private variable, and at least one other variable among the plurality of different variables is a non-private variable that is not homomorphically encrypted. According to clause 6,
The processor,
A computing device that extracts a term using the homomorphically encrypted message from among the polynomials needed to calculate the estimated value of the linear model, performs a homomorphic operation on the extracted term, and calculates the estimated value. According to clause 6,
The processor,
Generate a matrix corresponding to the data set, decompose the matrix into a first matrix including the homomorphically encrypted message and a second matrix not including the homomorphically encrypted message, and the second matrix is the first matrix. 1 An arithmetic device that is orthogonal to a matrix and calculates an estimated value for the linear model using the first matrix and the second matrix. According to clause 6,
A computing device wherein the data set includes a plurality of different variables, each of which is homomorphically encrypted. According to clause 6,
The linear model is,
A computational unit that is a ridge regression linear model.

Images