KR20210136815A - Encryption method and apparatus using homomorhpic encryption - Google Patents

Abstract

Disclosed are an encryption method and device. In an encryption method using homomorphic encryption, according to an embodiment of the present invention, the encryption method includes the steps of: generating a ciphertext by encrypting data; and bootstrapping the ciphertext by performing a modular reduction based on selection of the one or more target points for the modulus corresponding to the ciphertext.

Description

Encryption method and device using homomorphic encryption

The following embodiments relate to an encryption method and apparatus using homomorphic encryption.

Fully homomorphic encryption is an encryption method that enables arbitrary logical or mathematical operations using encrypted data. Fully homogeneous encryption ensures security in data processing.

However, since the conventional encryption method is difficult to process encrypted data, the protection of customer privacy was inevitably insufficient.

Fully homogeneous encryption enables customers to receive many services while maintaining their privacy.

In the encryption method using homomorphic encryption, the encryption method according to an embodiment includes generating a ciphertext by encrypting data, and one for a modulus corresponding to the ciphertext. and performing bootstrapping on the ciphertext by performing modular reduction based on the selection of the above target point.

The performing may include performing the bootstrapping by approximating a function corresponding to the modular reduction.

The step of performing the bootstrapping by approximating the function corresponding to the modular reduction may include generating a target approximation polynomial that approximates the function corresponding to the modular reduction.

The generating a target approximation polynomial approximating a function corresponding to the modular reduction includes: determining one or more reference points based on an order of the target approximation polynomial; and obtaining an arbitrary polynomial based on the one or more reference points. and generating the target approximation polynomial based on one or more poles selected from the arbitrary polynomial.

The obtaining may include obtaining a piecewise continuous function passing through the one or more reference points, and generating a polynomial such that an absolute value of an error with the piecewise continuous function at the one or more reference points is a predetermined value. and obtaining any of the polynomials.

The obtaining of the arbitrary polynomial by generating a polynomial in which the absolute value of the error with the piecewise continuous function is a predetermined value may include: an error at a first reference point included in the one or more reference points and an error at the first reference point adjacent to the first reference point and obtaining the arbitrary polynomial by generating a polynomial in which the sign of the error of the second reference point is different and the absolute value is the predetermined value.

The generating of the target approximation polynomial based on one or more poles selected from the arbitrary polynomials may include: an absolute value of the poles of the error between the arbitrary polynomial and the fragment continuous function passing through the one or more reference points is greater than a predetermined value, or The method may include obtaining the same candidate points, selecting a number of target points based on the order from among the candidate points, and generating the target approximation polynomial based on the target points.

The selecting of the target points may include selecting the target points so that a maximum and a minimum appear alternately among the candidate points.

The selecting of the target points may include selecting the target points such that the sum of the absolute values of the errors becomes a maximum.

The generating of the target approximation polynomial based on the one or more poles selected from the arbitrary polynomials may include: converting the polynomial when the relative error between the maximum and minimum absolute values of the one or more poles is less than a threshold value as the target approximate polynomial. It may include the step of generating

The basis of the target approximation polynomial may be a basis of a Chebyshev polynomial.

In an encryption device using homomorphic encryption, the encryption device according to an embodiment generates a ciphertext by encrypting data, and at least one target for a modulus corresponding to the ciphertext. and a processor that bootstraps the ciphertext by performing modular reduction based on selection of a point, and a memory that stores instructions executable by the processor.

The processor may perform the bootstrapping by approximating a function corresponding to the modular reduction.

The processor may generate a target approximation polynomial that approximates a function corresponding to the modular reduction.

The processor is configured to determine one or more reference points based on the order of the target approximation polynomial, obtain a random polynomial based on the one or more reference points, and the target approximation polynomial based on one or more poles selected from the arbitrary polynomial. can create

The processor is configured to obtain a piecewise continuous function passing through the one or more reference points, and generate a polynomial such that an absolute value of an error from the piecewise continuous function at the one or more reference points is a predetermined value. can be obtained.

The processor is configured to generate a polynomial in which an error at a first reference point included in the one or more reference points is different from an error of a second reference point adjacent to the first reference point and an absolute value becomes the predetermined value by generating a polynomial. polynomials can be obtained.

The processor is configured to obtain candidate points whose absolute value is greater than or equal to a predetermined value from among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through the one or more reference points, and among the candidate points, the number of points based on the degree Target points may be selected, and the target approximation polynomial may be generated based on the target points.

The processor may select the target points such that a maximum and a minimum appear alternately among the candidate points.

The processor may select the target points such that the sum of the absolute values of the errors is a maximum.

The processor may generate a polynomial when a relative error between a maximum value and a minimum value of the absolute values of the one or more poles is smaller than a threshold value as the target approximation polynomial.

The basis of the target approximation polynomial may be a basis of a Chebyshev polynomial.

1 shows a schematic block diagram of an encryption apparatus according to an embodiment.
FIG. 2A shows an example of an algorithm in which the encryption device shown in FIG. 1 generates a target approximation polynomial.
FIG. 2B shows another example of an algorithm in which the encryption device shown in FIG. 1 generates a target approximation polynomial.
FIG. 2C shows a flowchart of an operation in which the encryption device shown in FIG. 1 generates a target approximation polynomial.
FIG. 3 is a flowchart of an operation in which the encryption device shown in FIG. 1 searches for a pole.
FIG. 4A shows an example of an algorithm in which the encryption device shown in FIG. 1 selects target points.
FIG. 4B is a flowchart of an operation in which the encryption device shown in FIG. 1 selects target points.
FIG. 5 shows a sequence of overall operations of the encryption device shown in FIG. 1 .

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. However, since various changes may be made to the embodiments, the scope of the patent application is not limited or limited by these embodiments. It should be understood that all modifications, equivalents and substitutes for the embodiments are included in the scope of the rights.

The terms used in the examples are used for description purposes only, and should not be construed as limiting. The singular expression includes the plural expression unless the context clearly dictates otherwise. In the present specification, terms such as “comprise” or “have” are intended to designate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, but one or more other features It should be understood that this does not preclude the existence or addition of numbers, steps, operations, components, parts, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the embodiment belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and should not be interpreted in an ideal or excessively formal meaning unless explicitly defined in the present application. does not

In addition, in the description with reference to the accompanying drawings, the same components are given the same reference numerals regardless of the reference numerals, and the overlapping description thereof will be omitted. In the description of the embodiment, if it is determined that a detailed description of a related known technology may unnecessarily obscure the gist of the embodiment, the detailed description thereof will be omitted.

In addition, in describing the components of the embodiment, terms such as first, second, A, B, (a), (b), etc. may be used. These terms are only for distinguishing the components from other components, and the essence, order, or order of the components are not limited by the terms. When it is described that a component is “connected”, “coupled” or “connected” to another component, the component may be directly connected or connected to the other component, but another component is between each component. It will be understood that may also be "connected", "coupled" or "connected".

Components included in one embodiment and components having a common function will be described using the same names in other embodiments. Unless otherwise stated, a description described in one embodiment may be applied to another embodiment, and a detailed description in the overlapping range will be omitted.

1 shows a schematic block diagram of an encryption apparatus according to an embodiment.

Referring to FIG. 1 , an encryption device 10 may perform data encryption. The encryption device 10 may generate encrypted data through data encryption. Hereinafter, encrypted data may be referred to as ciphertext.

The encryption device 10 may provide an encryption technology capable of calculating data encrypted using homomorphic encryption without decryption. For example, the encryption device 10 may derive the same result as the result of calculating data in a plain text state by decrypting the result of the operation in the encrypted state using the homomorphic encryption. The encryption device 10 may provide a homomorphic encryption operation for any real number or complex number.

The encryption device 10 may perform bootstrapping necessary for homomorphic encryption. The encryption apparatus 10 may generate a target approximation polynomial to approximate a function corresponding to a modular reduction required for homomorphic encryption.

The cryptographic device 10 may find a minimax approximation error for each order of an optimal minimax approximate polynomial.

The encryption device 10 can provide excellent performance in terms of the minimum and maximum approximation error of the homomorphic encryption method by finding the optimal approximation polynomial as the target approximation polynomial.

The encryption device 10 may generate a target approximation polynomial for approximating the modular reduction function by using the approximate region information for approximating the modular reduction function.

The encryption device 10 includes a processor 100 and a memory 200 .

The processor 100 may process data stored in the memory 200 . The processor 100 may execute computer-readable codes (eg, software) stored in the memory 200 and instructions induced by the processor 100 .

The “processor 100” may be a data processing device implemented in hardware having circuitry having a physical structure for executing desired operations. For example, desired operations may include code or instructions included in a program.

For example, a data processing device implemented as hardware includes a microprocessor, a central processing unit, a processor core, a multi-core processor, and a multiprocessor. , an Application-Specific Integrated Circuit (ASIC), and a Field Programmable Gate Array (FPGA).

The processor 100 may generate ciphertext by encrypting data. The processor 100 may perform bootstrapping on the ciphertext by performing modular reduction on a modulus corresponding to the generated ciphertext.

The processor 100 may perform bootstrapping by approximating a function corresponding to the modular reduction. The processor 100 may generate a target approximation polynomial approximating a function corresponding to the modular reduction.

The processor 100 may determine one or more reference points based on a degree of polynomial of the target approximation polynomial.

The processor 100 may obtain an arbitrary polynomial based on the determined one or more reference points. The processor 100 may obtain a piecewise continuous function passing through one or more reference points. The processor 100 may obtain an arbitrary polynomial by generating a polynomial in which the absolute value of the error with the piece continuity function at one or more reference points is a predetermined value.

The processor 100 obtains an arbitrary polynomial by generating a polynomial in which the sign of the error at the first reference point included in one or more reference points and the error of the second reference point adjacent to the first reference point are different and the absolute value is a predetermined value. can do.

The processor 100 may generate a target approximation polynomial based on one or more extreme points selected from any polynomial. Specifically, the processor 100 may obtain candidate points whose absolute value is greater than or equal to a predetermined value among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through one or more reference points.

The processor 100 may select a number of target points based on the order of the target approximation polynomial from among the obtained candidate points. The processor 100 may select target points so that maxima and minima are alternately displayed among the candidate points. The processor 100 may select the target points such that the sum of the absolute values of the errors between the arbitrary polynomial and the fragment continuous function passing through one or more reference points is the maximum.

The processor 100 may generate a target approximation polynomial based on the selected target points. The processor 100 may generate a polynomial when the relative error between the maximum and minimum absolute values of one or more poles is smaller than a threshold value as a target approximation polynomial.

In this case, the basis of the target approximation polynomial may be the basis of the Chebyshev polynomial.

The memory 200 may store instructions (or programs) executable by the processor. For example, the instructions may include instructions for executing an operation of a processor and/or an operation of each component of the processor.

The memory 200 may be implemented as a volatile memory device or a nonvolatile memory device.

The volatile memory device may be implemented as dynamic random access memory (DRAM), static random access memory (SRAM), thyristor RAM (T-RAM), zero capacitor RAM (Z-RAM), or twin transistor RAM (TTRAM).

Nonvolatile memory devices include EEPROM (Electrically Erasable Programmable Read-Only Memory), Flash memory, MRAM (Magnetic RAM), Spin-Transfer Torque (STT)-MRAM (Spin-Transfer Torque (STT)-MRAM), Conductive Bridging RAM (CBRAM). , FeRAM (Ferroelectric RAM), PRAM (Phase change RAM), Resistive RAM (RRAM), Nanotube RRAM (Nanotube RRAM), Polymer RAM (PoRAM), Nano Floating Gate Memory Memory (NFGM)), a holographic memory, a molecular electronic memory device, or an Insulator Resistance Change Memory.

Hereinafter, a process in which the encryption device 10 performs encryption and bootstrapping will be described in detail with reference to FIGS. 2A to 2C . Hereinafter, after the encryption operation performed by the encryption device 10 is described, the bootstrapping process will be described in more detail.

2A and 2B show examples of an algorithm in which the encryption device shown in FIG. 1 generates a target approximation polynomial, and FIG. 2C shows a flowchart of an operation in which the encryption device shown in FIG. 1 generates a target approximation polynomial.

2A to 2C , the processor 100 may perform encryption on data.

Hereinafter, notation for describing the encryption operation of the processor 100 will be described.

,

,

및

는 각각 정수, 유리수, 실수 및 복소수의 집합을 나타낼 수 있다. C[D]는 도메인 D 상의 연속 함수의 집합을 의미할 수 있다. [d]는 d 이하의 양의 정수의 집합을 의미할 수 있다. 예를 들어, [d]는 {1, 2, ??, d}를 의미할 수 있다.

,

,

and

may represent sets of integers, rational numbers, real numbers, and complex numbers, respectively. C[D] may mean a set of continuous functions on domain D. [d] may mean a set of positive integers less than or equal to d. For example, [d] may mean {1, 2, ??, d}.

는 M 번째 원분 다항식(cyclotomic polynomial)을 의미하고, M=2N일 수 있다.round(x) may mean a function that outputs the nearest integer to x. For M, which is a power of 2

denotes an M-th cyclotomic polynomial, and may be M=2N.

및

는 각각

및

를 의미할 수 있다.

는 M 번째 원분체(cyclotomic field)를 의미할 수 있다.

and

are each

and

can mean

may refer to the M-th cyclotomic field.

는

에서의 분포(distribution)로 정의되고, 그 엔트리들(entries)은 분산 α2의 이산 가우스 분포(discrete gaussian distribution)로부터 독립적으로 샘플링될 수 있다.For a positive real α,

Is

is defined as a distribution in , and its entries can be sampled independently from a discrete Gaussian distribution of variance α2.

는 해밍 가중치(Hamming weight) h를 갖는

의 부분집합을 의미할 수 있다.

는

에서의 분포(distribution)를 의미하고, 그 엔트리들은 각각의 ±1에 대하여 ρ/2의 확률을 갖고, 0이될 확률로 1-ρ를 갖고 독립적으로 샘플링될 수 있다.

has a Hamming weight h

may mean a subset of

Is

means the distribution in , and the entries can be independently sampled with a probability of ρ/2 for each ±1, and 1-ρ with a probability of being zero.

는

로 정의될 수 있고, 이하에서 기재되는 로그(logarithm)의 밑(base)은 2이다.Chebyshev polynomials

Is

may be defined, and the base of the logarithm described below is 2.

Hereinafter, an encryption operation performed by the processor 100 will be described.

The processor 100 may support several operations on encrypted data of real or complex numbers. Since the encryption device 10 mainly deals with mistakes, noise that ensures the security of the encryption method may be embedded outside of a significant figure of data.

는

를

의 원소(element)에 저장하고,

의 원소들은

의 개별 근에서 구해진

의 값을 의미할 수 있다.Several independent messages can be encoded into a single polynomial by canonical embedding before encryption. default store

Is

cast

stored in an element of

the elements of

obtained from the individual roots of

can mean the value of

의 근은 M 거듭 제곱근(M-th root of unity)의 홀수의 거듭제곱(power of odd integer)이고,

일 수 있다.

The root of is the power of odd integer of M-th root of unity,

can be

는

이고,

는

로부터

에 대한 자연 퉁영(natural projection)을 의미할 수 있다.

의 범위(range)는

일 수 있다.

Is

ego,

Is

from

It can mean a natural projection of

the range of

can be

에서 원소를 구성하고, 각각의 좌표는 슬롯(slot)으로 지칭될 수 있다. 인코딩 및 디코딩 과정은 아래와 같이 주어질 수 있다.N/2 complex number messages are

constituting an element in , and each coordinate may be referred to as a slot. The encoding and decoding process can be given as follows.

에 대해서, 인코딩

는 수학식1의 값을 반환(return)할 수 있다.vector

About encoding

may return the value of Equation 1.

는 스케일링 팩터(scaling factor)를 나타내고,

는

을

의 원소로 이산화(discretization) 또는 반올림(rounding)하는 연산을 나타낼 수 있다.here,

represents a scaling factor,

Is

second

It can represent the operation of discretization or rounding with the elements of .

에 대해서, 디코딩

는 벡터

를 반환할 수 있고, 벡터의 인덱스(index)의 엔트리

는

에 대해

를 만족하고,

은 M 제곱근(M-th root of unity)을 나타낼 수 있다.polynomial

about, decoding

is vector

can return, and the entry at the index of the vector

Is

About

satisfied with

may represent M-th root of unity.

에 대해서, 암호화 장치(10)는 M의 거듭 제곱, 정수

, 정수

, 양의 실수

, 프레쉬 사이퍼텍스트 모듈러스(fresh ciphertext modulus)

및 최대 사이퍼텍스트 모듈러스가 되는 빅 사이퍼텍스트 모듈러스(big ciphertext modulus)

를 선택할 수 있다.The encryption device 10 may generate a key. given security parameters

For , the cryptographic device 10 is a power of M, an integer

, essence

, positive real

, fresh ciphertext modulus

and a big ciphertext modulus being the maximum ciphertext modulus.

can be selected.

Fresh ciphertext may refer to encrypted data on which no operation is performed or initially encrypted data.

The processor 100 may set a public key (pk) and a secret key (sk) as in Equation (2).

,

및

를 의미할 수 있다.where s, a and e are each

,

and

can mean

The processor 100 may set the calculation key (evaluation key) as in Equation (3).

및

는 각각

,

를 의미할 수 있다.

and

are each

,

can mean

를 수행함으로써 수학식 4와 같은 반환할 수 있다.Processor 100 encodes

It is possible to return the same as in Equation 4 by performing .

,

및

는 각각

,

와 같이 샘플링될 수 있다.here,

,

and

are each

,

can be sampled as

을 수행하여

를 반환할 수 있다.The processor 100 decodes

by doing

can return

을 수행함으로써 수학식 5의 결과를 반환할 수 있다.The processor 100 adds two ciphertexts

By performing Equation 5, the result of Equation 5 may be returned.

,

에 대한 곱셈

을 수행하여 수학식 6의 결과를 반환할 수 있다.The processor 100 has two ciphertexts

,

multiplication for

can be performed to return the result of Equation (6).

일 수 있다.here,

can be

를 수행하여 수학식 7의 결과를 반환할 수 있다.In addition, the processor 100

can be performed to return the result of Equation (7).

을 가질 수 있다. 레벨

의 각 사이퍼텍스트에 대한 모듈러스

은 스케일링 팩터가

이고, 베이스 모듈러스가

일 때,

의 값을 가질 수 있다.Each ciphertext has a level representing the maximum number of possible multiplications without bootstrapping.

can have level

modulus for each ciphertext in

is the scaling factor

and the base modulus is

when,

can have a value of

Additionally, the processor 100 may perform a complex conjugation operation and a rotation operation used for isolinear transformation in bootstrapping.

Hereinafter, a bootstrapping operation performed by the encryption device 10 will be described.

The purpose of bootstrapping may be to refresh the level 0 ciphertext in which multiplication can no longer be performed, thereby generating a level L ciphertext with the same message.

The ciphertext may mean encrypted data. The level of ciphertext may mean the number of possible multiplications without bootstrapping.

Bootstrapping may include four operations. First, the bootstrapping may include a modulus rasing operation, and secondly, it may include a homomorphic linear transformation operation. Third, it may include a homomorphic modular reduction operation, and fourthly, it may include a homomorphic linear transformation operation.

대신에

의 원소로 레벨 0의 사이퍼텍스트가 사용될 수 있다.The processor 100 may perform a modulus increase. To explain the modulus increasing behavior,

Instead of

A ciphertext of level 0 may be used as an element of .

의 상태일 수 있다. 여기서, ct는 사이퍼텍스트를 의미하고, sk는 시크릿 키를 의미할 수 있다. 프로세서(100)가 사이퍼텍스트를 복호화(decrypt)할 때에는 어떠한

에 대하여

의 형태를 가질 수 있다.Level 0 ciphertext is

may be in the state of Here, ct may mean ciphertext, and sk may mean a secret key. When the processor 100 decrypts the ciphertext, any

about

may have the form of

의 계수의 절대값(absolute values of coefficient)은 작은 수를 가질 수 있다. 예를 들어,

의 계수의 절대값은 12 보다 작은 값을 가질 수 있다.Here, since the coefficient of sk has a small number,

The absolute values of the coefficient of may have a small number. E.g,

The absolute value of the coefficient of may have a value less than 12.

을 만족하는

를 만들 수 있다. 이를 위해, 프로세서(100)는 동형 선형 변환 및 모듈러 리덕션 함수의 동형 계산(homomorphic evaluation)을 수행할 수 있다.The processor 100 performs bootstrapping on the level 0 ciphertext.

to satisfy

can make To this end, the processor 100 may perform homomorphic evaluation of the homolinear transformation and the modular reduction function.

를 암호화하는 사이퍼텍스트로 간주될 수 있다. 프로세서(100)는 메시지(message) 다항식의 계수에 모듈러 리덕션을 동형적으로 수행할 수 있다.Hereinafter, an isolinear transformation operation of the processor 100 will be described. After the modulus increase is performed, the ciphertext ct is

can be considered as ciphertext that encrypts The processor 100 may uniformly perform modular reduction on coefficients of a message polynomial.

의 계수를 그 슬롯(slot)으로 암호화하는 사이퍼텍스트로 변환할 수 있다.Since the operations are for slots and not coefficients of the message polynomial, the processor 100 sets ct to perform meaningful operations on the coefficients.

can be converted into ciphertext that is encrypted with that slot.

로 역변환할 수 있다. 이하에서, 이러한 변환 및 역변환 연산을 각각

및

로 지칭한다.The processor 100 encodes the converted ciphertext after the calculation of the isomorphic modular reduction function into another ciphertext that encrypts the slots of the previous ciphertex with the coefficients of the message.

can be inversely transformed into Hereinafter, these transform and inverse transform operations are respectively

and

is referred to as

의 근에 대한 방데르몽드(Vandermonte) 행렬의 일부 변수에 의한 선형 변환일 수 있다. 또한, 변환 연산들은 일반적인 동형 행렬 곱셈 또는 FFT-유사(fast Fourier transform-like) 연산에 의해 수행될 수 있다.The two transform operations described above can be considered as isomorphic calculations of encoding and decoding of messages,

It may be a linear transformation by some variables of the Vandermonte matrix for the root of . In addition, the transform operations may be performed by a general isomorphic matrix multiplication or a fast Fourier transform-like operation.

The processor 100 may perform an isomorphic modular reduction (or a modular reduction) operation. Specifically, the processor 100 may perform a modular reduction operation using a homomorphic modular reduction function.

변환이 수행된 이후에 프로세서(100)는 모듈러스

에서 각 슬롯 상에 모듈러 리덕션을 동형적으로 수행할 수 있다. 이하에서, 이러한 과정은

로 지칭될 수 있다.

After the conversion is performed, the processor 100 modulus

Modular reduction can be performed homogeneously on each slot. In the following, this process is

may be referred to as

를 충분히 작게 하는 것과 같이 제한함으로써, 근사 영역(approximation region)을

의 배수의 근처로 제한할 수 있다. 이러한 범위의 제한을 통해, 프로세서(100)는 모듈러 리덕션을 보다 효과적으로 수행할 수 있다.The processor 100 determines the scope of the message.

By constraining to be small enough, the approximation region

may be limited to near multiples of . Through the limitation of this range, the processor 100 may more effectively perform the modular reduction.

Hereinafter, the algorithm of FIG. 2A will be described in detail.

The processor 100 may generate the target approximate polynomial by finding the minimum and maximum approximate polynomial for any continuous function on the interval [a, b] using Algorithm 1 of FIG. 2A . The processor 100 may generate a target approximation polynomial that satisfies an equioscillation condition by using the Chebyshev alternation theorem.

를 갖는 타겟 근사 다항식을 생성할 수 있다. 프로세서(100)는 차수가 d인 타겟 근사 다항식을 생성하기 위해서, 기저 함수

를 멱 기저(power basis)

로 선택할 수 있다. 여기서, n=d+1일 수 있다.The processor 100 is a basis function that satisfies a Haar condition

It is possible to generate a target approximation polynomial with The processor 100 generates a target approximation polynomial of degree d, the basis function

is the power basis

can be selected as Here, n=d+1 may be present.

The processor 100 may initialize a set of reference points converging to the poles of the minimum and maximum approximate polynomials. The processor 100 may obtain a minimum and maximum polynomial for a set of reference points. Since the set of reference points is a set of finite points in [a, b], it can be a closed subset of [a, b], and the Chebyshev alternating theorem can be satisfied for the set of reference points.

가 [a, b] 상의 연속함수라고 할 때, 기준점의 집합 상의 최소최대 근사 다항식은 기저

를 갖는 일반화된 다항식

이고, 임의의 E 값에 대하여 수학식 8의 조건을 만족할 수 있다.

When is a continuous function on [a, b], the minimum and maximum approximate polynomial on the set of reference points is the basis

generalized polynomial with

, and the condition of Equation 8 may be satisfied for any E value.

를 획득할 수 있다. 수학식 8에 따라,

및 E의 n 계수의 n+1 변수들 및 n+1 방정식들을 갖는 선형 방적식의 시스템이 형성되고, 선형 방적식은 하르 조건에 의해 특이적(singular)이지 않으므로, 프로세서(100)는 수학식 8의 조건을 만족하는 다항식

를 획득할 수 있다.The processor 100 uses Equation (8) to obtain an arbitrary polynomial

can be obtained. According to Equation 8,

And since a system of linear equations with n+1 variables and n+1 equations of n coefficients of E is formed, and the linear equation is not singular by the Harr condition, the processor 100 is polynomial that satisfies the condition

can be obtained.

,

일 때,

와

사이에서

의 n 개의 영점들(zeros)

를 획득할 수 있고, 각각의

에서

의 n+1 개의 극점(extreme point)들인

를 획득할 수 있다.The processor 100

,

when,

Wow

between

n zeros of

can be obtained, and each

at

n+1 extreme points of

can be obtained.

일 때,

에서

의 최소점(minimum point)을 선택하고,

일 때,

에서

의 최대점을 선택할 수 있다.The processor 100

when,

at

Choose the minimum point of

when,

at

You can choose the maximum point of

을 후보점으로 선택할 수 있다. 이러한 후보점들이 이퀴오실레이션 컨디션을 만족한다면 프로세서(100)는 체비셰프 교번 정리로부터 최소 최대 근사 다항식을 반환함으로써 타겟 근사 다항식을 생성할 수 있다.Through this, the processor 100 sets a new pole

can be selected as a candidate point. If these candidate points satisfy the equioscillation condition, the processor 100 may generate the target approximate polynomial by returning the minimum and maximum approximate polynomial from Chebyshev's alternating theorem.

로 대체하고, 상술한 다항식의 생성 과정을 반복적으로 수행할 수 있다.In addition, the processor 100 is a set of new pole points obtained through the above-described process for the set of reference points.

, and the above-described polynomial generation process may be repeatedly performed.

Algorithm 1 shown in FIG. 2A may be extended to multiple sub-intervals of one interval. When applied by extending to multiple partial sections, steps 3 and 4 of FIG. 2A may be changed.

의 모든 지역 극점(local extreme point)들을 획득할 수 있고, 이러한 지역 극점들의 절대 오차값은 현재 기준점들에서의 절대 오차값 보다 클 수 있다.At each iteration, the processor 100 returns an error function

It is possible to obtain all local extreme points of , and the absolute error value of these local extreme points may be greater than the absolute error value at the current reference points.

Thereafter, the processor 100 may select n+1 new poles that satisfy the following two conditions from among all the acquired local poles.

1. Error values are indicated by alternating signs.

2. The set of new poles contains a global extreme point.

The above two conditions can ensure convergence of the minimum and maximum generalized polynomials.

2B and 2C may show a polynomial generating method by modifying the algorithm of FIG. 2A. The processor 100 may change a method of selecting a new pole among all local poles.

When the algorithm of FIG. 2B is shown as a flowchart, it may be the same as that of FIG. 2C. The processor 100 may set d+2 points in the approximate region ( 210 ). d+2 points may mean one or more reference points described above.

와 E 값을 찾을 수 있다(220).The processor 100 may obtain an arbitrary polynomial based on d+2 reference points. For example, the processor 100 is a polynomial that satisfies Equation (8).

and E values can be found (220).

의 국소 극대점과 국소 극소점 중 절대값이 E보다 크거나 같은 점을 획득할 수 있다(230). 여기서, E 값은 상술한 미리 결정된 값을 의미하고, 획득된 국소 극대점과 국소 극소점은 위에서 설명한 후보점을 의미할 수 있다.The processor 100

Among the local maxima and local minima of , a point having an absolute value greater than or equal to E may be obtained ( 230 ). Here, the E value may mean the above-described predetermined value, and the obtained local maxima and local minima may mean the candidate points described above.

의 절대값의 합이 최대가 되도록 d+2 개의 점을 선택할 수 있다. 절대값이 합이 최대가 되는 d+2 개의 점은 위에서 설명한 타겟점을 의미할 수 있다. 절대값의 합이 최대가 되도록 d+2 개의 점을 선택하는 과정은 도 4a, 4b를 참조하여 자세하게 설명한다.The processor 100 draws d + 2 points so that the maximum and minimum appear alternately among the obtained points,

d+2 points can be selected so that the sum of the absolute values of is maximum. The d+2 points at which the sum of the absolute values is the maximum may mean the target points described above. The process of selecting d+2 points so that the sum of absolute values becomes the maximum will be described in detail with reference to FIGS. 4A and 4B .

보다 작은지를 판별할 수 있다(250).

는 위에서 설명한 임계값을 의미할 수 있다.The processor 100 determines that the relative error of the maximum value and the minimum value of the absolute value among the selected d + 2 target points is

It can be determined whether it is smaller than 250 .

may mean the threshold value described above.

보다 작은 경우 임의의 다항식

를 타겟 근사 다항식으로 출력할 수 있다(260). 그렇지 않은 경우, 프로세서(100)는 220 내지 250의 과정을 반복적으로 수행할 수 있다.The processor 100 determines that the relative errors of the maximum and minimum absolute values corresponding to the target points are

Any polynomial if less than

may be output as a target approximation polynomial (260). Otherwise, the processor 100 may repeatedly perform steps 220 to 250 .

Hereinafter, the operation of FIGS. 2B and 2C will be described in more detail.

The function to be approximated by the processor 100 may be a normalized modular reduction function defined only near the finite number of integers expressed by Equation (9).

Equation 9 may represent a scaled modular reduction function with respect to a domain and a range.

를 근사하기 위해 코사인 함수를 배각 공식(double-angle formula)을 이용하여 근사할 수 있다.The processor 100 is configured to efficiently perform homomorphic evaluation,

To approximate , the cosine function can be approximated using the double-angle formula.

번 사용하면 수학식 10의 코사인 함수가 근사되어야 할 수 있다.doubling formula

Once used, the cosine function of Equation 10 may have to be approximated.

In order to approximate a piecewise continuous function including the functions of Equations 9 and 10, the processor 100 is defined on the union of a finite number of closed intervals given as Equation 11. A general fragmentary continuous function can be assumed.

에 대해서,

일 수 있다.here, all

about,

can be

The processor 100 sets a criterion for selecting new d+2 reference points from among a plurality of poles in order to approximate a fragment continuous function given by a polynomial having a degree of d or less on D of Equation 11. can

를 다항식의 기저로 하여 타겟 근사 다항식을 생성할 수 있다. 프로세서(100)는 각 반복에서 기준점들의 집합에 따른 최소최대 근사 다항식을 획득할 수 있고, 다음 반복에서 새로운 기준점의 집합을 선택할 수 있다.The processor 100 satisfies the Haar condition on [a, b]

A target approximation polynomial can be generated by using as a basis of the polynomial. The processor 100 may obtain a minimum-maximum approximate polynomial according to the set of reference points in each iteration, and may select a new set of reference points in the next iteration.

The number of cases in which the processor 100 selects n+1 points from among poles of an error function calculated using an arbitrary polynomial obtained by using a set of reference points may be very large. Since many sections may be considered in the encryption process performed by the processor 100, the number of candidate poles may be very large.

The processor 100 may select n+1 target points from among a large number of candidate points in each iteration in order to minimize the number of iterations. Through this, the processor 100 converges the approximate polynomial generated in each iteration to generate the minimum and maximum approximate polynomial.

In order to set a criterion for selecting n+1 target points, the processor 100 may define a function of Equation (12).

각 반복에서 획득한 임의의 다항식을 의미하고,

는 근사될 조각 연속 함수를 의미할 수 있다. 이하에서 편의를 위해

는

로 지칭될 수 있다.here,

means any polynomial obtained at each iteration,

may mean a fragment continuous function to be approximated. Below for convenience

Is

may be referred to as

의 모든 극점을 획득하여 집합

를 생성할 수 있다.

는 유한 집합으로

와 같이 나타낼 수 있다. 프로세서(100)는

에 속한 하나의 구간에서 한 점을 선택할 수 있다.The processor 100

Set by obtaining all poles of

can create

is a finite set

can be expressed as The processor 100

You can select a point in one interval belonging to .

가

와 같이 오름차순으로 정렬되어 있다고 가정하면,

의 값은 1 또는 -1일 수 있다. 극점의 수는

를 만족할 수 있다.

go

Assuming they are sorted in ascending order,

The value of may be 1 or -1. number of poles

can be satisfied

를 수학식 13과 같이 정의할 수 있다.The processor 100 is a set of functions

can be defined as in Equation 13.

는 항등 함수(identity function)만을 포함할 수 있다. At this time, if n+1=m, set

may include only an identity function.

The processor 100 may set three criteria to select n+1 poles.

가 설정된 기준점들에서의 절대 오차라면, 수학식 14의 조건이 설정될 수 있다.As a first condition, the processor 100 may set a condition of a local extreme value. if,

If is an absolute error at the set reference points, the condition of Equation 14 may be set.

의 지역 최대값이 음수이거나

의 지역 최소값이 양수인 경우에 그 극점을 버릴 수 있다.The processor 100 is configured to satisfy the local extrema condition.

If the local maximum of is negative, or

If the local minimum of is positive, the pole can be discarded.

Second, the processor 100 may set an alternating condition. In other words, the condition of Equation 15 may be set. In other words, if one of the two adjacent poles is a local maximum, the other pole may be a local minimum.

들 중에서 수학식 16의 값을 최대화하는

를 선택할 수 있다.Third, the processor 100 may set a maximum absolute sum condition. The processor 100 is configured to satisfy the local extrema condition and the alternating condition.

Among them, which maximizes the value of Equation 16

can be selected.

에서의 절대 오차 값은 최소최대 근사 오차보다 작고, 반복 횟수가 증가할수록 최소최대 근사 오차로 수렴할 수 있다.current reference points

The absolute error value at is smaller than the minimum and maximum approximation error, and as the number of iterations increases, it can converge to the minimum and maximum approximation error.

에서 이전 반복에서의 근사 다항식의 절대 오차값의 가중 평균(weighted average)일 수 있다.In addition, the absolute error value of the current reference points is

may be a weighted average of the absolute error values of the approximate polynomials in the previous iteration.

The processor 100 may allow the absolute error values of current reference points to quickly converge to the minimum maximum approximate error using the maximum absolute sum condition.

The local extrema condition and the alternating condition can be applied to both algorithms of FIGS. 2A and 2B, and the maximum absolute sum condition can be applied to Algorithm 2 of FIG. 2B. The processor 100 may accelerate the convergence of the minimum maximum approximate polynomial by applying the maximum absolute sum condition.

는 지역 극값 조건 및 교번 조건을 만족하는 적어도 하나의 원소

를 항상 포함하고, 어떠한

에 대하여,

를 만족하는

를 가질 수 있다.set

is at least one element that satisfies the local extrema condition and the alternating condition

always include, and any

about,

to satisfy

can have

에 대한 현재의 기준점에서의 멱 기저를 갖는 근사 다항식의 계수들을 찾아낼 수 있다.The processor 100 may more efficiently perform steps 2, 3, and 4 of Algorithm 2 of FIG. 2B as follows. The processor 100 is a continuous function

We can find the coefficients of an approximate polynomial with a power basis at the current reference point for .

값들을 획득함으로써 타겟 근사 다항식을 생성할 수 있다. In other words, the processor 100 is a coefficient of Equation 17

A target approximation polynomial can be generated by obtaining the values.

Here, E may be any unknown of the linear equation. As the order of the basis of the approximate polynomial increases, the coefficients may decrease. The processor 100 may need to set higher accuracy for higher-order basis coefficients.

Accordingly, the processor 100 can effectively solve the accuracy problem by using the basis of the Chebyshev polynomial as the basis of the target approximation polynomial. Since most coefficients of the polynomial using the Chebyshev basis have the same order, the processor 100 may generate the target approximation polynomial using the Chebyshev basis instead of the power basis.

및 E를 계산함으로써 타겟 근사 다항식을 획득할 수 있다.The Chebyshev polynomial satisfies the above-mentioned Harr condition, and the processor 100 solves the system of d+2 linear equations in Equation 18 using d+2 reference points.

and E, to obtain a target approximation polynomial.

FIG. 3 is a flowchart of an operation in which the encryption device shown in FIG. 1 searches for a pole.

Referring to FIG. 3 , the processor 100 may obtain an arbitrary polynomial based on a reference point, and search for a pole of an error between the arbitrary polynomial and a fragment continuous function passing through the reference point. The processor 100 may obtain candidate points whose absolute value is greater than or equal to a predetermined value among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through the reference point. Hereinafter, a process in which the processor 100 searches for a pole to obtain a candidate point will be described.

를 작은 스텝(step)으로 스캔하여 증가와 감소가 변하는 극점들을 획득할 수 있다.The processor 100 is the error between the arbitrary polynomial and the fragment continuous function.

can be scanned in small steps to obtain poles with varying increments and decrements.

비트의 정확도로 극점을 획득하기 위해서는

에 비례하는 시간이 소요될 수 있다.In general, small steps can increase the accuracy of the pole search, but the scan time can be increased. Specifically,

In order to obtain the poles with bit accuracy,

It may take time proportional to

시간 대신에

의 선형 시간(linear time) 내에 극점들을 탐색할 수 있다.However, the processor 100 performs a search operation to be described later.

instead of time

It is possible to search for poles within a linear time of .

와 같이 나타내고, sc는 스캔 스텝을 나타낼 수 있다.The processor 100 may reduce the search time of the pole in which the increase and the decrease change by using a binary search method. Hereinafter, the errors of arbitrary polynomials and fragmentary continuous functions are

and sc may represent a scan step.

및

를 만족하는

를 탐색하고, 수학식 19의 과정을 연속해서

번 수행함으로써 i 번째 극점을 획득할 수 있다.The processor 100

and

to satisfy

, and successively repeat the process of Equation 19

It is possible to obtain the i-th pole by performing

비트의 정확도(precision)로 극점을 획득할 수 있다.Through the process of Equation 19, the processor 100

The pole can be obtained with bit precision.

가 E의 절대값 보다 크거나 같은지, x가 극소값일 경우

가 E의 절대값에 -1을 곱한 값보다 작은지를 판단할 수 있다(320)Hereinafter, a process of obtaining a candidate point through the above-described pole search will be described in detail. The processor 100 may obtain the smallest point x among the approximate regions ( 310 ). The processor 100 determines that when x is a local maximum,

is greater than or equal to the absolute value of E, and if x is minimal

It can be determined whether is smaller than the value obtained by multiplying the absolute value of E by -1 ( 320 ).

When the condition of 320 is satisfied, the processor 100 may add x0 to the array B ( 321 ). If the condition of 320 is not satisfied, the processor 100 may substitute x+sc into x ( 330 ).

Thereafter, the processor 100 may determine whether x is included in the approximate region ( 340 ). When X is included in the approximate region, the processor 100 may determine whether signs of r(x)-r(x-sc) and r(x+sc)-r(x) are different ( 350 ).

가 E의 절대값 보다 크거나 같은지, x가 극소값일 경우

가 E의 절대값에 -1을 곱한 값보다 작은지를 판단할 수 있다(342).When x is not included in the approximate region, the processor 100 may substitute the largest value of the corresponding section for x ( 341 ). At this time, when x is the maximum value, the processor 100

is greater than or equal to the absolute value of E, and if x is minimal

It may be determined whether is smaller than a value obtained by multiplying the absolute value of E by -1 (342).

If the condition of 342 is satisfied, the processor 100 may add x0 to the array B. If the condition of 342 is not satisfied, the processor 100 may determine whether x is the maximum value of the approximate region ( 344 ). At this time, when x is the maximum value of the approximate region, the processor 100 may end the operation, and if x is not the maximum value of the approximate region, x may be substituted with the smallest value of the next section ( 345 ). .

에 0을 대입하고, t에 sc/2를 대입할 수 있다(360).If the signs of r(x)-r(x-sc) and r(x+sc)-r(x) are the same, the processor 100 may perform operation 330 again, and r(x)-r( x-sc) and r(x+sc)-r(x) have different signs

0 can be substituted for , and sc/2 can be substituted for t (360).

에

+1을 대입하고, t에 t/2를 대입할 수 있다(372).The processor 100 may determine whether a value of r(x)-r(x-sc) is greater than 0 ( 370 ). When the condition of 370 is satisfied, the processor 100 may select a value having a larger r(x) from among xt, x, and x+t and substitute it for x ( 371 ). After that, the processor 100

to

+1 may be substituted, and t/2 may be substituted for t (372).

이 정확도(precision) 값인지를 비교할 수 있다(373, 374). 프로세서(100)는

이 정확도 값이 아닌 경우에 371의 과정을 다시 수행할 수 있다. 프로세서(100)는

이 정확도 값인 경우 x-t, x, x+t 중에서 r(x) 값이 작은 것을 선택하여 x에 대입할 수 있다(375). 그 후, 프로세서(100)는

에

+1을 대입하고, t에 t/2를 대입할 수 있다(376).The processor 100

It can be compared whether this is a precision value (373, 374). The processor 100

If this is not the accuracy value, the process of 371 may be performed again. The processor 100

In the case of this accuracy value, one having a smaller r(x) value among xt, x, and x+t may be selected and substituted into x (375). After that, the processor 100

to

+1 can be substituted, and t/2 can be substituted for t (376).

When the conditions 373 and 374 are satisfied, the processor 100 may perform the operation 320 again. Finally, the processor 100 may obtain the poles belonging to the array B as candidate points.

는

이고,

근처의

에 대하여

와 유사하게 동작할 수 있다. 이러한, 동작을 통해, 프로세서(100)는

근처에서

일 경우,

를 보장할 수 있고, 그 역도 보장할 수 있다.If the value of sc is small enough

Is

ego,

nearby

about

can operate similarly to Through this operation, the processor 100 is

near

In case,

can be guaranteed, and vice versa.

비트 정확도를 가지는 극점들을

시간 대신에

의 선형 시간(linear time) 내에 탐색하여 후보점을 획득 수 있다.Through the operation of obtaining a candidate point through the above-described pole search, the processor 100

poles with bit accuracy

instead of time

A candidate point can be obtained by searching within a linear time of .

FIG. 4A shows an example of an algorithm in which the encryption device shown in FIG. 1 selects target points, and FIG. 4B shows a flowchart of an operation in which the encryption device shown in FIG. 1 selects target points.

4A and 4B , the processor 100 may select a number of target points based on the order of the target approximation polynomial from among the candidate points found through the search operation of FIG. 3 .

The processor 100 may select target points so that maxima and minima from among the candidate points appear alternately, and select the target points so that the sum of absolute values of errors becomes the maximum. The target points may become new reference points in the next iteration operation.

Hereinafter, a process of acquiring the target points will be described in detail. In order to find target points (or new reference points), the processor 100 may select points satisfying the local extrema condition, the alternating condition, and the maximum absolute sum condition described above in a naive manner.

개의 점을 모두 조사해야 할 수 있다.The naive selection method may be to select n+1 points having the maximum absolute sum by calculating the absolute sum of all n+1 points satisfying the alternating condition. For the naive selection method, if the number of local poles is m,

You may have to check all the dots.

The processor 100 may reduce the time for selecting the target point compared to the naive method through the operation of FIGS. 4A and 4B . Hereinafter, an operation for effectively selecting a target point will be described.

인 경우라면 타겟점에 포함되지 않을 점이 적어도 하나는 존재하는 상태일 수 있다.The processor 100 may finally obtain n+1 target points by removing some elements from the candidate points for each repetition operation.

In the case of , at least one point not included in the target point may exist.

시간 내에 타겟점을 선택할 수 있다. 다시 말해, 프로세서(100)는 준선형(quasi-linear) 시간 안에 타겟점을 선택할 수 있다.Through the algorithm of Figure 4a, the processor 100

You can select a target point in time. In other words, the processor 100 may select the target point within a quasi-linear time.

Whenever an element is removed from an ordered set B, the remaining elements can be sorted and relabeled in ascending order of indices.

When comparing values to remove some poles in Algorithm 4a, the processor 100 may randomly remove these elements when the compared values are equal to or the smallest element is one or more.

The flowchart of FIG. 4B may represent a sequence of operations of the algorithm of FIG. 4A . 4A and 4B , the processor 100 may obtain an array B having target points as elements.

The processor 100 may substitute 1 for i ( 410 ). The processor 100 may _{determine whether both x i} and x _i+1 are maximum or minimum ( 420 ).

값이 작은 값은 배열에서 제거하고 배열의 원소들을 재배열할 수 있다(421).

값은 상술한 임의의 다항식과 조각 연속 함수의 오차 값을 의미할 수 있다. 420의 조건이 만족되지 않을 경우, 프로세서(100)는 i에 i+1을 대입할 수 있다(422).When the condition of 420 is satisfied, the processor 100 selects one of x _i and x _i+1 .

The smaller value may be removed from the array and the elements of the array may be rearranged ( 421 ).

The value may mean an error value of any polynomial and fragment continuous function described above. When the condition of 420 is not satisfied, the processor 100 may substitute i+1 for i ( 422 ).

After performing the rearrangement, the processor 100 may _{determine whether x i} is the largest point in the array B ( 430 ). If x _i is not the largest point, the processor 100 may perform operation 420 again.

Operations 410 to 430 may correspond to operations 1 to 7 of Algorithm 3 of FIG. 4A .

When xi is the largest point, the processor 100 may determine whether the number of elements of B is d+2 ( 440 ). When the number of elements of B is d+2, the processor 100 may end the selection operation of the target point.

값을 더한 값을 모두 배열 T에 넣고 정렬할 수 있다(450). 다시 말해,

를 T에 넣고 정렬할 수 있다.If the number of elements of B is not d+2, the processor 100 is

All of the summed values can be put into the array T and sorted (450). In other words,

can be put into T and sorted.

Operations 440 to 450 may correspond to operations 9 to 10 of the algorithm of FIG. 4A .

값이 작은 값을 배열에서 버리고 배열의 재배열을 수행하고 동작을 종료할 수 있다(461).The processor 100 may determine whether the number of elements of B is d+3 ( 460 ). If the number of elements in B is d+3, the processor 100 selects one of x1 and xd+3.

A value having a small value may be discarded from the array, the array may be rearranged, and the operation may be terminated ( 461 ).

를 추가하고 재정렬할 수 있다(471). 그 후, 프로세서(100)는 T에서 가장 작은 값에 해당되는 두 점을 B에서 제거하고 재배열한 후 동작을 종료할 수 있다(472).The processor 100 may determine whether the number of elements of B is d+4 ( 470 ). If the number of elements in B is d+4, the processor 100 in T

can be added and rearranged (471). Thereafter, the processor 100 may terminate the operation after removing and rearranging two points corresponding to the smallest value in T from B ( 472 ).

When the number of elements of B is not d+4, the processor 100 may determine whether one of two points at both ends is included among two points corresponding to the smallest value in T ( 480 ). When the condition of 480 is satisfied, the processor 100 may rearrange one of the two end points from B ( 481 ). If the condition of 480 is not satisfied, the processor 100 may rearrange both points corresponding to the smallest value in T by discarding them from B ( 482 ).

값을 더한 값들을 추가하여 재정렬 한 후의 460의 동작을 다시 수행할 수 있다(490). 460 내지 490의 동작은 도 4a의 단계 11 내지 23의 동작에 대응될 수 있다.Thereafter, the processor 100 discards the value including the discarded element in T and returns the value of the two newly adjacent points.

After rearranging by adding values to which values are added, operation 460 may be performed again ( 490 ). Operations 460 to 490 may correspond to operations 11 to 23 of FIG. 4A .

는

와 같이 변경될 수 있다.Taking the case where the pole x2 is removed in the last part of the algorithm of FIG. 4A as an example,

Is

can be changed as

Through the operation of selecting the target point of FIGS. 4A and 4B , the processor 100 may select the target point from the candidate points within a quasi-linear time.

The processor 100 may generate a target approximation polynomial that optimally approximates the modular reduction function based on the selected target points. In other words, the processor 100 may generate a d-order polynomial passing through the selected target points as a target approximation polynomial.

FIG. 5 shows a sequence of overall operations of the encryption device shown in FIG. 1 .

The processor 100 may encrypt data using homomorphic encryption. The processor 100 may generate ciphertext by encrypting the data ( 510 ).

The processor 100 may perform bootstrapping on the ciphertext by performing modular reduction based on the selection of one or more target points on the modulus corresponding to the generated ciphertext (530). ).

The processor 100 may perform bootstrapping by approximating a function corresponding to the modular reduction. The processor 100 may generate a target approximation polynomial that approximates a function corresponding to the modular reduction.

The processor 100 may determine one or more reference points based on the order of the target approximation polynomial. The processor 100 may obtain an arbitrary polynomial based on the determined one or more reference points.

Specifically, the processor 100 obtains a piecewise continuous function passing through one or more reference points, and generates a polynomial such that the absolute value of the error with the piecewise continuous function at the one or more reference points is a predetermined value. can be obtained.

The processor 100 obtains an arbitrary polynomial by generating a polynomial in which the sign of the error at the first reference point included in one or more reference points and the error of the second reference point adjacent to the first reference point are different and the absolute value is a predetermined value. can do.

The processor 100 may generate a target approximation polynomial based on one or more poles selected from the obtained arbitrary polynomials. The processor 100 may obtain candidate points whose absolute value is greater than or equal to a predetermined value among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through one or more reference points.

The processor 100 may select a number of target points based on the order of the target approximation polynomial from among the obtained candidate points. Specifically, the processor 100 may select target points so that maxima and minima are alternately displayed among the candidate points. The processor 100 may select the target points such that the sum of the absolute values of the errors of any polynomial of the fragment continuity function is the maximum.

The processor 100 may generate a target approximation polynomial based on the selected target points. The processor 100 may generate a polynomial when the relative error between the maximum and minimum absolute values of one or more poles is smaller than a threshold value as a target approximation polynomial.

In this case, the basis of the target approximation polynomial may be the basis of the Chebyshev polynomial.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Software may comprise a computer program, code, instructions, or a combination of one or more of these, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. , or may be permanently or temporarily embody in a transmitted signal wave. The software may be distributed over networked computer systems, and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

As described above, although the embodiments have been described with reference to the limited drawings, those skilled in the art may apply various technical modifications and variations based on the above. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (22)

In the encryption method using homomorphic encryption,
generating ciphertext by encrypting the data; and
performing bootstrapping on the ciphertext by performing modular reduction based on selection of one or more target points on a modulus corresponding to the ciphertext;
An encryption method comprising
According to claim 1,
The performing step is,
performing the bootstrapping by approximating a function corresponding to the modular reduction;
An encryption method comprising
3. The method of claim 2,
The step of performing the bootstrapping by approximating the function corresponding to the modular reduction,
generating a target approximation polynomial that approximates a function corresponding to the modular reduction;
An encryption method comprising
4. The method of claim 3,
Generating a target approximation polynomial approximating a function corresponding to the modular reduction comprises:
determining one or more reference points based on the order of the target approximation polynomial;
obtaining an arbitrary polynomial based on the one or more reference points;
generating the target approximation polynomial based on one or more poles selected from the arbitrary polynomial;
An encryption method comprising
5. The method of claim 4,
The obtaining step is
obtaining a piecewise continuous function passing through the one or more reference points; and
obtaining the arbitrary polynomial by generating a polynomial in which the absolute value of the error with the piecewise continuous function at the one or more reference points is a predetermined value;
An encryption method comprising
6. The method of claim 5,
Obtaining the arbitrary polynomial by generating a polynomial in which the absolute value of the error with the piecewise continuous function is a predetermined value comprises:
Obtaining the arbitrary polynomial by generating a polynomial whose sign is different from an error at a first reference point included in the one or more reference points and an error of a second reference point adjacent to the first reference point and whose absolute value is the predetermined value step
An encryption method comprising
5. The method of claim 4,
generating the target approximation polynomial based on one or more poles selected from the arbitrary polynomials,
obtaining candidate points whose absolute value is greater than or equal to a predetermined value among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through the one or more reference points;
selecting a number of target points based on the order from among the candidate points; and
generating the target approximation polynomial based on the target points;
An encryption method comprising
8. The method of claim 7,
The step of selecting the target points comprises:
selecting the target points so that maxima and minima are alternately displayed among the candidate points
An encryption method comprising
8. The method of claim 7,
The step of selecting the target points comprises:
selecting the target points such that the sum of the absolute values of the errors is a maximum;
An encryption method comprising
5. The method of claim 4,
generating the target approximation polynomial based on one or more poles selected from the arbitrary polynomials,
generating a polynomial when the relative error between the maximum and minimum absolute values of the one or more poles is smaller than a threshold value as the target approximation polynomial
An encryption method comprising
4. The method of claim 3,
The basis of the target approximation polynomial is the basis of the Chebyshev polynomial.
encryption method.
In the encryption device using homomorphic encryption,
Generate ciphertext by encrypting data, and bootstrapping the ciphertext by performing modular reduction based on selection of one or more target points on the modulus corresponding to the ciphertext. ) a processor that performs; and
a memory storing instructions executable by the processor
Encryption device comprising.
13. The method of claim 12,
The processor is
performing the bootstrapping by approximating a function corresponding to the modular reduction
encryption device.
14. The method of claim 13,
The processor is
generating a target approximation polynomial that approximates a function corresponding to the modular reduction
encryption device.
15. The method of claim 14,
The processor is
determine one or more reference points based on the order of the target approximation polynomial;
obtain an arbitrary polynomial based on the one or more reference points,
generating the target approximation polynomial based on one or more poles selected from the arbitrary polynomial.
encryption device.
16. The method of claim 15,
The processor is
obtaining a piecewise continuous function passing through the one or more reference points;
obtaining the arbitrary polynomial by generating a polynomial in which the absolute value of the error with the fragment continuous function at the one or more reference points is a predetermined value
encryption device.
17. The method of claim 16,
The processor is
Obtaining the arbitrary polynomial by generating a polynomial whose sign is different from an error at a first reference point included in the one or more reference points and an error of a second reference point adjacent to the first reference point and whose absolute value is the predetermined value
encryption device.
16. The method of claim 15,
The processor is
obtain candidate points whose absolute value is greater than or equal to a predetermined value among the poles of the error between the arbitrary polynomial and the fragment continuous function passing through the one or more reference points,
selecting a number of target points based on the order from among the candidate points;
generating the target approximation polynomial based on the target points
encryption device.
19. The method of claim 18,
The processor is
selecting the target points so that maxima and minima appear alternately among the candidate points
encryption device.
19. The method of claim 18,
The processor is
selecting the target points so that the sum of the absolute values of the errors is maximum
encryption device.
16. The method of claim 15,
The processor is
Generating a polynomial when the relative error of the maximum value and the minimum value of the absolute value of the one or more poles is smaller than a threshold value as the target approximation polynomial
encryption device.
15. The method of claim 14,
The basis of the target approximation polynomial is the basis of the Chebyshev polynomial.
encryption device.

Images