WO2021256843A1 - 동형 암호문에 대한 통계 연산 수행하는 장치 및 방법 - Google Patents
동형 암호문에 대한 통계 연산 수행하는 장치 및 방법 Download PDFInfo
- Publication number
- WO2021256843A1 WO2021256843A1 PCT/KR2021/007517 KR2021007517W WO2021256843A1 WO 2021256843 A1 WO2021256843 A1 WO 2021256843A1 KR 2021007517 W KR2021007517 W KR 2021007517W WO 2021256843 A1 WO2021256843 A1 WO 2021256843A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- homomorphic
- ciphertext
- information
- empty
- mask
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims description 131
- 238000004364 calculation method Methods 0.000 title abstract description 45
- 238000003672 processing method Methods 0.000 claims description 18
- 230000008569 process Effects 0.000 description 67
- 238000010586 diagram Methods 0.000 description 45
- 238000004422 calculation algorithm Methods 0.000 description 21
- 230000006870 function Effects 0.000 description 21
- 238000004891 communication Methods 0.000 description 15
- 238000012545 processing Methods 0.000 description 10
- 239000013598 vector Substances 0.000 description 10
- 230000014509 gene expression Effects 0.000 description 8
- 241000282472 Canis lupus familiaris Species 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 101100269850 Caenorhabditis elegans mask-1 gene Proteins 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012856 packing Methods 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- GNFTZDOKVXKIBK-UHFFFAOYSA-N 3-(2-methoxyethoxy)benzohydrazide Chemical compound COCCOC1=CC=CC(C(=O)NN)=C1 GNFTZDOKVXKIBK-UHFFFAOYSA-N 0.000 description 1
- 238000012935 Averaging Methods 0.000 description 1
- 235000010627 Phaseolus vulgaris Nutrition 0.000 description 1
- 244000046052 Phaseolus vulgaris Species 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000001174 ascending effect Effects 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000012517 data analytics Methods 0.000 description 1
- 230000007423 decrease Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000009365 direct transmission Effects 0.000 description 1
- 239000006185 dispersion Substances 0.000 description 1
- 238000012417 linear regression Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 229910052709 silver Inorganic materials 0.000 description 1
- 239000004332 silver Substances 0.000 description 1
- 239000011800 void material Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
- G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
- G06F7/52—Multiplying; Dividing
- G06F7/523—Multiplying only
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
Definitions
- the present disclosure relates to an apparatus and method for performing statistical calculation on homomorphic ciphertext, and more particularly, to an electronic device and method for efficiently performing statistical calculation on homomorphic ciphertext.
- a cloud computing service in which a user stores his/her personal information and the like in a server and uses the information of the server is also being actively used.
- the server stores the encrypted data.
- the server whenever the server searches for stored data or performs a series of operations based on the data, it must decrypt the encrypted data, resulting in wasted resources and time.
- homomorphic encryption methods are being studied. If the homomorphic encryption method is used, even if an operation is performed on the ciphertext itself without decrypting the encrypted information, the same result as the encrypted value after operation on the plaintext can be obtained. Accordingly, various operations can be performed without decrypting the ciphertext.
- an object of the present disclosure is to provide an electronic device and method capable of efficiently performing statistical calculations on homomorphic ciphertext.
- the electronic device stores at least one instruction (instruction) and stores a plurality of isomorphic ciphertext for storing a plurality of variable information in an encrypted state; and a processor that executes the at least one instruction, wherein the processor executes the at least one instruction, so that when an operation command for the plurality of homomorphic ciphertexts is received, different variable information for each of the homomorphic ciphertexts is distinguished.
- the number information corresponding to the variable combination may be generated by using the blank mask having the void mask.
- the homomorphic cipher text includes a plurality of slots, and each of the plurality of slots may have one variable information.
- the blank mask includes a plurality of slots, each of the plurality of slots includes information on the existence of one variable value, and the processor is configured for each of the isomorphic ciphertext by variable information included in the isomorphic ciphertext.
- a plurality of empty masks may be generated, an empty mask corresponding to the variable combination may be selected from among the plurality of generated empty masks, and number information having the variable combination may be generated by using a product between the selected empty masks.
- the blank mask includes a plurality of slots, each of the plurality of slots includes a plurality of sub-slots including information on the existence of one variable value, and the processor generates one An empty mask may be generated, and number information having the variable combination may be generated by using a sub-slot in the empty mask corresponding to the variable combination among the plurality of empty masks.
- the plurality of sub-slots may be arranged in one slot with a predetermined bit interval.
- the processor may combine a first homomorphic ciphertext and a second homomorphic ciphertext including a plurality of pieces of information on the same characteristic into one homomorphic ciphertext.
- the processor uses the first location information in the first figure ciphertext and the second location information in the second isomorphic ciphertext for information common in the first isomorphic ciphertext and the second isomorphic ciphertext, the first isomorphic ciphertext
- the ciphertext and the second homomorphic ciphertext may be combined into one.
- the processor when the processor receives data encrypted by a one-way encryption method with a common key preset for each of a plurality of pieces of information included in the first and second homomorphic ciphertexts and location information in the homomorphic ciphertext for the encrypted data, By comparing the encrypted data for the first homomorphic ciphertext and the encrypted data for the second homomorphic ciphertext, the first location information and the second location information having information common between the two homomorphic ciphertexts may be confirmed.
- the ciphertext processing method for the homomorphic ciphertext includes storing a plurality of homomorphic ciphertexts for storing a plurality of variable information in an encrypted state, and receiving an operation command for the plurality of homomorphic ciphertexts; generating an empty mask having different variable information for each of the plurality of homomorphic ciphertexts, generating number information corresponding to a variable combination using the empty mask, and outputting the generated number information includes
- the homomorphic ciphertext may include a plurality of slots and may have one variable information in each of the plurality of slots.
- the empty mask includes a plurality of slots, each of the plurality of slots includes information on the existence of one variable value, and the step of generating the empty mask includes: generating a plurality of bin masks for each variable information included in Number information having the above variable combinations may be generated.
- the empty mask includes a plurality of slots, and each of the plurality of slots includes a plurality of sub-slots including information on the existence of one variable value, and the generating of the empty mask includes isomorphic ciphertext.
- the number information having the variable combination is generated by using a sub-slot in the bin mask corresponding to the variable combination among the plurality of empty masks.
- the plurality of sub-slots may be arranged in one slot with a predetermined bit interval.
- the encryption processing method may further include combining the first homomorphic ciphertext and the second homomorphic ciphertext including a plurality of pieces of information for the same characteristic into one homomorphic ciphertext.
- the first position information in the first figure cipher text and the second position information in the second homomorphic cipher text for common information in the first isomorphic cipher text and the second isomorphic cipher text are used to obtain the second
- the first homomorphic ciphertext and the second homomorphic ciphertext may be combined into one.
- data encrypted by a one-way encryption method with a common key preset for each of a plurality of pieces of information included in the first and second homomorphic ciphertexts and location information within the homomorphic ciphertext for the encrypted data is input , by comparing the encrypted data for the first isomorphic cipher text and the encrypted data for the second isomorphic cipher text, the first location information and the second location information having information common between the two isomorphic cipher texts may be confirmed.
- the cipher text processing method stores a plurality of isomorphic cipher texts for storing a plurality of variable information in an encrypted state and receiving an operation command for the plurality of homomorphic ciphertexts, generating an empty mask having different variable information for each of the plurality of isomorphic ciphertexts, using the empty mask, the number corresponding to a variable combination generating information, and outputting the generated number information.
- various statistical processing is possible using the homomorphic ciphertext, and statistical processing is possible by merging homomorphic ciphertexts having different data structures.
- FIG. 1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure
- FIG. 2 is a block diagram illustrating a simple configuration of an electronic device according to an embodiment of the present disclosure
- 3 and 4 are diagrams for explaining a bin count calculation method according to an embodiment of the present disclosure
- FIGS. 5 and 6 are diagrams for explaining an extended bin count operation operation according to an embodiment of the present disclosure.
- FIG. 7 is a view for explaining a method of combining a plurality of encryption tables
- FIG. 8 is a view for explaining a statistical calculation method using an empty mask according to an embodiment of the present disclosure.
- 9 and 10 are diagrams for explaining a process of generating an empty mask using plain text according to an embodiment of the present disclosure.
- FIG. 11 is a diagram illustrating an approximation algorithm according to an embodiment of the present disclosure.
- FIG. 12 is a view for explaining an operation of generating an empty mask using a homomorphic cipher text according to an embodiment of the present disclosure
- FIG. 13 is a view for explaining an operation of an bin count operation according to an embodiment of the present disclosure.
- FIG. 14 is a diagram for explaining original data and a goal of a large bin count operation according to an embodiment of the present disclosure
- 15 is a view for explaining a method of calculating the number of numbers in a specific case using an empty mask
- 16 is a view for explaining a bin count operation using a power bin mask according to an embodiment of the present disclosure
- 17 is a view for explaining a bin count operation in consideration of an error term according to an embodiment of the present disclosure.
- FIG. 18 is a view for explaining an operation of generating a power bin mask according to an embodiment of the present disclosure
- 19 is a view for explaining an operation of generating a power bin mask according to another embodiment of the present disclosure.
- 20 is a diagram for explaining a multiplication operation between a plurality of bin masks according to an embodiment of the present disclosure
- 21 is a diagram for explaining a multiplication operation using a plurality of GPUs
- 22 is a diagram for explaining a decoding operation after a multiplication operation according to an embodiment of the present disclosure
- FIG. 23 is a diagram illustrating a data structure of an empty mask according to an embodiment of the present disclosure.
- 24 is a diagram illustrating a data structure of a result of a multiplication operation according to an embodiment of the present disclosure
- 25 is a view for explaining a comparison operation according to the present disclosure.
- 26 to 28 are views for explaining various statistical calculation methods according to an embodiment of the present disclosure.
- 29 is a diagram for explaining an operation of calculating a maximum value in a slot according to the present disclosure.
- FIG. 30 is a diagram for explaining an operation of calculating a maximum value in several columns in a plurality of blocks
- 31 is a diagram illustrating a method of calculating a value of a specific rank according to an embodiment of the present disclosure.
- 32 is a flowchart illustrating a cipher text processing method according to an embodiment of the present disclosure.
- Encryption/decryption may be applied as needed to the information (data) transmission process performed in the present disclosure, and the expressions describing the information (data) transmission process in the present disclosure and claims are all encrypted/decrypted, even if not separately mentioned. It should be construed as including cases.
- expressions such as "transfer from A to B (transfer)" or "A receives from B” include transmission (transmission) or reception with another medium included in the middle, and must be from A to B. It does not represent only direct transmission (delivery) or reception.
- value is defined as a concept including not only a scalar value but also a vector and polynomial form.
- Each of S1 and S2 is an element in the R set.
- FIG. 1 is a diagram for explaining the structure of a network system according to an embodiment of the present disclosure.
- a network system may include a plurality of electronic devices 100-1 to 100-n, a first server device 200, and a second server device 300, and each configuration includes a network 10 ) can be connected to each other.
- the network 10 may be implemented as various types of wired and wireless communication networks, broadcast communication networks, optical communication networks, cloud networks, etc., and each device may be connected in a manner such as Wi-Fi, Bluetooth, NFC (Near Field Communication), etc. without a separate medium. may be
- FIG. 1 Although it is illustrated in FIG. 1 that there are a plurality of electronic devices (100-1 to 100-n), a plurality of electronic devices is not necessarily used, and one device may be used.
- the electronic devices 100-1 to 100-n may be implemented as various types of devices such as smartphones, tablets, game players, PCs, laptop PCs, home servers, kiosks, etc. It can also be implemented in the form of home appliances.
- the user may input various information through the electronic devices 100-1 to 100-n used by the user.
- the input information may be stored in the electronic devices 100-1 to 100-n itself, or may be transmitted to and stored in an external device for reasons such as storage capacity and security.
- the first server device 200 serves to store such information
- the second server device 300 may serve to use some or all of the information stored in the first server device 200 . have.
- Each of the electronic devices 100 - 1 to 100 - n may homomorphically encrypt the input information and transmit the same type ciphertext to the first server device 200 .
- Each of the electronic devices 100-1 to 100-n may include encryption noise, that is, an error, calculated in the process of performing homomorphic encryption, in the ciphertext.
- the homomorphic cipher text generated by each electronic device 100-1 to 100-n may be generated in a form in which a result value including a message and an error value is restored when it is later decrypted using a secret key. have.
- the homomorphic ciphertext generated by the electronic devices 100-1 to 100-n may be generated in a form satisfying the following properties when it is decrypted using a secret key.
- ⁇ > denotes a normal inner product
- ct denotes ciphertext
- sk denotes a secret key
- M denotes a plaintext message
- e denotes an encryption error value
- mod q denotes the modulus of the ciphertext. q should be chosen to be greater than M, the result of which the scaling factor ( ⁇ ) is multiplied by the message. If the absolute value of the error value e is sufficiently small compared to M, the decryption value M+e of the ciphertext is a value that can replace the original message with the same precision in significant digit operation.
- an error may be disposed on the least significant bit (LSB) side
- M may be disposed on the least significant bit side.
- the size of the message may be adjusted using a scaling factor.
- the scaling factor is used, not only integer messages but also real number messages can be encrypted, so that usability can be greatly increased.
- the size of the message using the scaling factor the size of the area in which messages exist in the ciphertext after the operation is performed, that is, the size of the effective area can also be adjusted.
- the ciphertext modulus q may be set and used in various forms.
- the ciphertext modulus may be set to a value obtained by multiplying a plurality of different scaling factors.
- Each factor may be set to a value within a similar range, that is, a value having a similar size to each other.
- q q 1 q 2 q 3 ...
- q x each have a size similar to the scaling factor ⁇ and can be set to a value with a small relationship to each other.
- the entire calculation can be divided into a plurality of modulus calculations according to CRT (Chinese Remainder Theorem), so that the calculation burden can be reduced.
- CRT Choinese Remainder Theorem
- the first server device 200 may store the received homomorphic ciphertext as an ciphertext without decrypting it.
- the second server device 300 may request a specific processing result for the homomorphic ciphertext from the first server device 200 .
- the first server device 200 may perform a specific operation according to the request of the second server device 300 , and then transmit the result to the second server device 300 .
- the specific operation may be not only general operations such as addition and isomorphic product of a plurality of isomorphic ciphertexts, but also statistical operations, for example, operations such as mean, frequency distribution, linear regression, covariance, etc. .
- the second server device 300 may perform a combining operation for a plurality of homomorphic ciphertexts.
- the second server device 300 transmits the two electronic devices 100 A value obtained by adding up information provided from -1 and 100-2) may be requested from the first server device 200 .
- the first server device 200 may perform an operation of summing two ciphertexts according to a request, and then transmit the result value (ct 1 + ct 2 ) to the second server device 300 .
- the first server device 200 may perform an operation without decryption, and the result value may also be in the form of an ciphertext. In this case, the first server device 200 may perform boot strapping on the operation result.
- the first server device 200 may transmit the operation result ciphertext to the second server device 300 .
- the second server device 300 may decrypt the received operation result ciphertext to obtain operation result values of data included in each homomorphic ciphertext.
- the first server device 200 may perform an operation several times according to a user request.
- FIG. 1 illustrates a case in which encryption is performed by the first electronic device and the second electronic device and decryption is performed by the second server device, the present invention is not limited thereto.
- FIG. 2 is a block diagram illustrating a configuration of an electronic device according to an embodiment of the present disclosure.
- the electronic device 100 may include a memory 110 , a processor 120 , a communication device 130 , a display 140 , and a manipulation input device 150 .
- the electronic device may be a personal computer (PC), a laptop computer, a smart phone, a tablet, a server, and the like.
- At least one instruction related to the electronic device 100 may be stored in the memory 110 .
- various programs (or software) for operating the electronic device 100 according to various embodiments of the present disclosure may be stored in the memory 110 .
- the memory 110 may be implemented in various forms such as RAM, ROM, Buffer, cache, flash memory, HDD, external memory, memory card, etc., but is not limited thereto.
- the memory 110 may store a message to be encrypted.
- the message may be various types of credit information and personal information cited by the user, or information related to a usage history such as location information used in the electronic device 100 and Internet use time information.
- the memory 110 may store the public key, and when the electronic device 100 directly generates the public key, it may store the public key and various parameters necessary for generating the private key as well as the private key.
- the memory 110 may store the isomorphic ciphertext generated in the process described below.
- the memory 110 may store the same type cipher text transmitted from the external device.
- the memory 110 may store an operation result ciphertext that is a result of an operation process to be described later.
- the communication device 130 is formed to connect the electronic device 100 with an external device (not shown), and is connected to an external device through a local area network (LAN) and the Internet network, as well as a USB (USB) device.
- Universal Serial Bus) port or a wireless communication (eg, WiFi 802.11a/b/g/n, NFC, Bluetooth) port may be connected through the port.
- a communication device 130 may be referred to as a transceiver.
- the communication device 130 may receive the public key from the external device, and may transmit the public key generated by the electronic device 100 itself to the external device.
- the communication device 130 may receive a message from the external device, and may transmit the generated homomorphic ciphertext or operation result to the external device.
- the communication device 130 may receive various parameters necessary for generating the ciphertext from the external device. Meanwhile, in implementation, various parameters may be directly input from the user through the manipulation input device 150 to be described later.
- the communication device 130 may receive a request for an operation on the homomorphic ciphertext from the external device, and may transmit the calculated result to the external device.
- the requested operation may be an operation such as addition, subtraction, multiplication (eg, a modular multiplication operation), or may be a statistical operation.
- the modular multiplication operation means performing a modular operation with q elements.
- the display 140 displays a user interface window for receiving a selection of a function supported by the electronic device 100 .
- the display 140 may display a user interface window for receiving selections of various functions provided by the electronic device 100 .
- the display 140 may be a monitor such as a liquid crystal display (LCD), organic light emitting diodes (OLED), etc., and may be implemented as a touch screen capable of simultaneously performing the functions of the manipulation input device 150 to be described later. .
- the display 140 may display a message requesting input of parameters necessary for generating a private key and a public key.
- the display 140 may display a message in which the encryption target selects a message.
- the encryption target may be directly selected by the user or may be automatically selected. That is, personal information that requires encryption may be automatically set even if the user does not directly select a message.
- the manipulation input device 150 may receive, from a user, a function selection of the electronic device 100 and a control command for the corresponding function. For example, the manipulation input device 150 may receive parameters necessary for generating a private key and a public key from a user. Also, the manipulation input device 150 may receive a set message to be encrypted from the user.
- the processor 120 controls the overall operation of the electronic device 100 .
- the processor 120 may control the overall operation of the electronic device 100 by executing at least one instruction stored in the memory 110 .
- the processor 120 may be configured as a single device such as a central processing unit (CPU) and an application-specific integrated circuit (ASIC), or may be configured as a plurality of components such as a CPU and a graphics processing unit (GPU).
- the processor 120 may store it in the memory 110 .
- the processor 120 may homogeneously encrypt the message by using various setting values and programs stored in the memory 110 .
- the public key may be used.
- the processor 120 may generate and use the public key required to perform encryption by itself, or may receive and use the public key from an external device.
- the second server device 300 performing decryption may distribute the public key to other devices.
- the processor 120 may generate a public key using the Ring-LWE technique. For example, the processor 120 may first set various parameters and rings, and store them in the memory 110 . Examples of parameters may include the length of a plaintext message bit, the size of a public key and a private key, and the like.
- the ring can be expressed by Equation 2 as follows.
- R is a ring
- Zq is a coefficient
- f(x) is an nth-order polynomial
- a ring is a set of polynomials having predetermined coefficients, and means a set in which addition and multiplication are defined between elements and closed to addition and multiplication. Such rings may be referred to as rings.
- the ring means a set of nth-order polynomials having a coefficient Zq.
- n when n is ⁇ (N), it may mean an N-th cyclotomic polynomial.
- (f(x)) represents the ideal of Zq[x] generated by f(x).
- the Euler totient function ⁇ (N) means the number of natural numbers that are prime to N and smaller than N. If ⁇ N (x) is defined as an Nth-order cyclotonic polynomial, the ring can also be expressed as the following Equation (3). Here, N may be 2 17 .
- the secret key sk may be expressed as follows.
- the ring of Equation 3 described above has a complex number in the plaintext space. Meanwhile, in order to improve the operation speed for homomorphic cipher text, only a set having a real space in the plaintext space among the set of rings described above may be used.
- the processor 120 may calculate a secret key sk from the ring.
- s(x) denotes a polynomial randomly generated with small coefficients.
- the processor 120 may calculate a first random polynomial (a(x)) from the ring.
- the first random polynomial can be expressed as follows.
- the processor 120 may calculate an error.
- the processor 120 may extract an error from a discrete Gaussian distribution or a distribution having a close statistical distance thereto. This error can be expressed as follows.
- the processor 120 may calculate the second random polynomial by modularly calculating the error on the first random polynomial and the secret key.
- the second random polynomial can be expressed as follows.
- the public key pk is set in a form including the first random polynomial and the second random polynomial as follows.
- the processor 120 may control the communication device 130 to be transmitted to other devices.
- the processor 120 may generate a homomorphic cipher text for the message.
- the processor 120 may generate a homomorphic ciphertext by applying the previously generated public key to the message.
- the message to be decoded may be received from an external source or may be input from an input device directly provided or connected to the electronic device 100 .
- the processor 120 may store data input by the user through the touch screen or the keypad in the memory 110 and then encrypt it. have.
- the generated homomorphic ciphertext is decrypted, it may be restored as a result value obtained by adding an error to a value reflecting the scaling factor in the message.
- the scaling factor may be input and set in advance to be used as it is.
- the processor 120 may directly encrypt the message using the public key while multiplying the message and the scaling factor.
- an error calculated in the encryption process may be added to a result value obtained by multiplying the message and the scaling factor.
- the processor 120 may generate the length of the ciphertext to correspond to the size of the scaling factor.
- the processor 120 may control the communication device 130 to store the homomorphic ciphertext in the memory 110 or transmit the homomorphic ciphertext to another device according to a user request or a preset default command when the homomorphic ciphertext is generated.
- packing may be performed. If packing is used in homomorphic encryption, it becomes possible to encrypt multiple messages with one ciphertext. In this case, when the electronic device 100 performs an operation between each ciphertext, as a result, the operation is processed in parallel for a plurality of messages, thereby greatly reducing the operation burden.
- the processor 120 converts the plurality of message vectors into a polynomial in a form that can be encrypted in parallel, then multiplies the polynomial by a scaling factor and generates a public key. It can also be used for homomorphic encryption. Accordingly, the processor 120 may generate a ciphertext in which a plurality of message vectors are packed.
- the processor 120 may generate an isomorphic ciphertext including variable information in a plurality of slots in the ciphertext in the process of generating the homomorphic ciphertext. Also, in the process of generating the homomorphic ciphertext, the processor 120 may generate an empty mask for the corresponding homomorphic ciphertext. A detailed blank mask generating operation will be described later with reference to FIG. 3 .
- the processor 120 may apply a secret key to the homomorphic ciphertext to generate a polynomial-type decrypted text, and decode the polynomial-type decrypted text to generate a message.
- the generated message may include an error as described in Equation 1 described above.
- the processor 120 may perform an operation on the ciphertext.
- the processor 120 performs various statistical operations such as an average and frequency distribution for a plurality of pieces of information as well as operations such as addition, subtraction, or multiplication while maintaining an encrypted state for the homomorphic ciphertext.
- various statistical operations such as an average and frequency distribution for a plurality of pieces of information as well as operations such as addition, subtraction, or multiplication while maintaining an encrypted state for the homomorphic ciphertext. can A detailed statistical calculation method will be described later with reference to FIG. 3 .
- the electronic device 100 may detect data of the effective area from the operation result data. For example, the electronic device 100 may detect data of an effective area by performing a rounding process on the operation result data.
- the rounding process refers to performing round-off of a message in an encrypted state, and may alternatively be referred to as rescaling.
- the electronic device 100 may remove the noise region by multiplying each component of the ciphertext by ⁇ 1, which is the reciprocal of the scaling factor, and rounding it.
- the noise region may be determined to correspond to the size of the scaling factor. As a result, it is possible to detect a message in the effective region from which the noise region is excluded. Since it proceeds in the encrypted state, an additional error occurs, but the size is small enough and can be ignored.
- the electronic device 100 may expand the plaintext space of the ciphertext as a result of the operation. For example, if q is less than M in Equation 1, M+e (mod q) has a different value from M+e, and thus decoding becomes impossible. Therefore, the value of q should always be kept greater than M. However, as the operation proceeds, the value of q gradually decreases. Expansion of the plaintext space means changing the ciphertext ct into a ciphertext having a larger modulus.
- the operation of extending the plaintext space may be referred to as rebooting otherwise. As the reboot is performed, the ciphertext may be in a state where computation is possible again.
- the electronic device 100 can efficiently perform a complex statistical operation as well as an operation operation on the homomorphic ciphertext.
- the electronic device 100 can manage the same type ciphertext provided by a plurality of devices as one DB.
- homomorphic ciphertext is generated to have the following data structure.
- a plurality of slots may be included, and a plurality of pieces of information may be stored in each slot in each slot. Therefore, using this point, values for one feature (ie, information about the same column in a table) can be stored in each of a plurality of slots.
- table data can be stored and managed in the following format.
- the encryption table including encrypted data may include the following contents.
- ciphertext is the (j-1)th ciphertext containing the i+1th feature, and the number of ciphertexts is ego,
- the homomorphic ciphertext can be operated in an encrypted state, but since the operation in the encryption process takes a lot of time, an efficient calculation method is required.
- the bin count operation is an operation that counts the number of cases for combinations of values of each variable in the data by inputting data of two or more bin variables.
- blank data 310 blank data 310 , intermediate data 320 , and result data 330 are shown.
- the blank values in each of the three variables (A, B, C) are ⁇ 1, 2, 3, 4 ⁇ (A), ⁇ 1, 2, 3, 4 ⁇ (B), respectively.
- ⁇ 1, 2 ⁇ (C) intermediate data according to the combination of three variables may be generated.
- result data 330 indicating possible combinations of three variables and the number of the corresponding combinations may be generated using the intermediate data having a count value.
- FIG. 4 first, it is a process of calculating an empty count when the values of variables A, B, and C are 1, respectively.
- Each variable 410 , 420 , 430 includes a plurality of slots. Although the illustrated example is illustrated as having eight slots, implementations may have more or fewer than nine slots.
- each variable you can create an empty mask for each variable value. For example, since the variable A 410 has four values, it is possible to create an empty mask 420 corresponding to each of the four values. And in the case of the variable B (430), since it has four values, an empty mask 420 for each of the four values can be made, and in the case of the variable C (45), since it has two values, the two values are applied to each of the two values. An empty mask 460 may be created for
- Such an empty mask can be created at the time of encryption or calculated after encryption using a table lookup table function to create an empty mask. A more detailed operation of generating an empty mask will be described with reference to FIGS. 9 to 12 .
- the bin mask corresponding to the corresponding combination is selected, and the result can be confirmed by multiplying the selected bin masks. For example, if it is necessary to check the combination of 1, 1, 1, the empty mask 471 of the empty mask for the variable A 420 and the empty mask 471 with the value of 1 among the empty masks for the variable B 430 An operation of multiplying 472 and an empty mask 473 having a value of 1 among the empty masks for the variable C 4500 may be performed.
- the output mask 480 generated by such an operation has a value of 1 at a position corresponding to the corresponding combination. Through this, the position in each variable constituting the corresponding combination and the number of the corresponding combinations can be checked.
- Bin average is an operation that obtains the average of another variable of data having a specific combination of bin variables.
- empty variance is an operation to obtain variance for data.
- the method of performing the operation is to multiply the bin mask value for the intermediate data 320 of FIG. 3 by the value of another variable for which we want to obtain an average, and extract only the values for the row having the desired combination of bin values. You can add them all up. Then, the average can be obtained by adding all the blank mask values and dividing these two values by the previous value to the last value.
- a variance calculation can be performed using this method. A more detailed statistical calculation operation will be described with reference to FIGS. 26 to 30 .
- Such a bin count may be used in a classification process, and may be used in a method such as association rule mining.
- association rule mining a method such as association rule mining.
- the number of cases of classification must be large, and the data analyst may want to calculate the bin count by combining many variables having a wider range of bin values.
- data of various continuous values can be expressed as quantile data for convenience of analysis, for example, there may be 50 variable values for one.
- the number of possible cases is quite large.
- the total number of operations is (here, the number of n variables, w is the number of combinations, the number of slots in M ciphertext, u the length of the entire data row).
- n is less than 10
- M is in tens of thousands of units, the required number of multiplications becomes billions of times. do.
- the bin mask is expressed in an encoded form of the bin value.
- the empty value can be expressed by 10 bytes. If you want to express the empty value i( ⁇ [1,10]), you can set the i-th byte among 10 bytes to 1 and set the rest to 0.
- Blank masks set in this way can be added to each other. This will be described with reference to FIG. 5 .
- FIG. 5 is a diagram for explaining an extended bin count operation operation according to an embodiment of the present disclosure.
- one power bin mask 502 and 512 may include a plurality of slots, and each of the plurality of slots may include a plurality of sub-slots. Since the first variable 501 has four different variable values, the first power bin mask 502 may include four sub-slots, and each sub-slot includes information on whether a specific variable value exists. may include An operation of generating such a power bin mask will be described later.
- the calculation method is the same as that of the bin mask method, and when a specific combination is required, the output data 520 may be generated by using a sub-slot of the power bin mask corresponding to the corresponding combination. And by decoding the output data 520, it is possible to calculate a value of each combination (530).
- the scheme of FIG. 5 combines a plurality of bin masks into one using sub-slots in which the slots are subdivided as shown in FIGS. 3 and 4 . it can be said
- a bin operation is performed on two variables 601 and 604 having bin values of 1 to 4, and 16 multiplications are required when an existing bin mask is used. Accordingly, the final result can be known only when decryption of 16 ciphertexts is performed.
- the extended bin mask 602 when the extended bin mask 602 is used, a result can be obtained only by multiplying 4 times and decoding 4 times. This is because, in the multiplication result, all location information for variables 1 to 4 is included.
- Different DBs may store homomorphic encrypted data in different ways. However, if each of the different DBs is divided by characteristics and stored separately according to the characteristics of the table, it is possible to easily combine the two tables.
- the encrypted table is owned by different first electronic devices 100 - 1 and 100 - 2 , and that key information for binding is shared with each other. If there is a third electronic device 100 - 3 that honestly performs the protocol, two encrypted tables can be combined with the help of the third electronic device 100 - 3 .
- Such a method can be efficiently performed in that data can be combined without an additional homomorphic encryption operation except for table encryption. Also, in terms of security, in the process of combining multiple tables, there is no information except for the number of common data (Inner-Join) or the number of data that the other party does not own (Outer-join). It also has the advantage of not being exposed.
- one-way encryption that cannot be decrypted can be performed using a separate HMAC function instead of homomorphic encryption for column values corresponding to the key for combination.
- HMAC performance results for the same key value are the same.
- HMAC result also depends on the shared key value, even if the same key value is used, different HMAC values will be obtained if different HMAC keys are used.
- a pair of data is created by tying the row position values in the table of the HMAC value and the original combination key used to create the HMAC value, and after sorting the set of these data using the HMAC key value, the third electronic device It can be sent to (100-3).
- the position value means the row number of the combination key value and other data connected thereto.
- the binding organization identifies matching keys using the HMAC value, and when each electronic device sends row value information attached together, the first and second electronic devices transmit the data obtained by encrypting the rows to the third electronic device (100- 3), and the third electronic device combines the metadata of the data sent from the two devices to create one combined table metadata, thereby performing the combination.
- FIG. 7 is a diagram for explaining a method of combining a plurality of encryption tables.
- the two electronic devices 100-1 and 100-3 each own tables having different row and column values, and a join key close to 1:1 join capable of combining the two tables (eg, For example, in the case of two tables containing human-related information, if resident registration numbers, etc.) exist in both tables, it means a protocol for creating an encryption table of the form 1) for a combined table that combines two tables.
- D 1 and D 2 may be the electronic device or server illustrated in FIG. 1 .
- the data combiner may be the electronic device or server shown in FIG. 1 .
- Data-owning organizations D 1 and D 2 have the same homomorphic encryption key instance ( ), and also have the same MAC key (symmetric key : 256 bit random bits).
- Data Analytics Agency Z A calculation key that can perform calculations on data encrypted with has a
- Homomorphic encryption-related parameters and algorithms are shared by D 1 , D 2 , and Z, and the MAC algorithm ( ) is shared by A and B.
- Data owned by data-owning organizations D 1 , D 2 can be described as follows.
- Data-owning organizations D 1 and D 2 are each There is data of size, the first feature represents the ID of the owner of each data (used as a binding key) can be expressed as
- the data tuple for can be defined as
- Each institution ( ) adds a new column to that column is performed for all i and X. that value It can be added to the line represented by . that value described as
- Each institution Is can be passed to F in order by l.
- Permutation seed a random number to use to create using this , by doing , shuffle the values of here silver the order of the values of It means safe permutation in which the order is mixed using the randomness provided by If you don't know, the original ordered data can't find information about Also if you know can be performed.
- F is to UID 1 , pass UID 2 to .
- F is to
- Received UID X arranges the data according to the order of the values in the corresponding sequence. in other words, In case, (( Data is arranged in order. here means
- X is Encryption table object by encrypting column by column using the method of 1) After creating , it is transmitted to F along with meta information.
- F is each , delivered from cast to restore the order.
- role is It receives the order of each element of , and sends the entire encoded element to the line position corresponding to the result number.
- the ciphertexts for the data attached in step g) do not go through this process.
- Inner-Join is similar to Outer-Join above, but only the processes a), b), d) are different as follows. Also, process f) is not performed.
- F is to UID 1 , pass UID 2 to .
- FIG. 8 is a diagram for explaining a statistical calculation method using a bin mask according to an embodiment of the present disclosure.
- raw data and numerical data for the corresponding raw data are displayed.
- the operation of converting the numerical data with respect to the raw data is general, and thus a detailed description thereof will be omitted. Meanwhile, in the illustrated example, numerical data is displayed in plain text for ease of explanation, but actual data is in the isomorphic encrypted cipher text state.
- counting may be performed using an empty mask having 3 for age and 2 for region.
- categorical variables are called 'empty variables' (or empty features), and for convenience of operation, empty features are represented by continuous positive integers from 1. For example, an empty variable column with 3 categories would have a value of 1 or 2 or 3 in each row.
- a system according to the present disclosure may provide statistical calculations for data in which a certain bin variable has a specific value, ie, belongs to a specific category. This is because the above average, variance, and standard deviation calculations are for all data, so statistical characteristics may differ from data in a specific category.
- Bin Count A function that counts the number of cases in a data table that satisfy a condition
- the comparison results can be stored in an empty mask in advance and used for the operation.
- any blank features is the largest empty variable has i.e. one column of data each row of It can have one of the values.
- the blank mask created at this time is with two encrypted columns, can be expressed as here, is one encrypted column, each row is an empty feature the corresponding row of If it is, it is displayed as 1, otherwise it is displayed as 0. and Is of means the second block.
- the empty mask may be generated in the encryption step or may be generated after the encryption step.
- an operation of generating an empty mask in the encryption step will be described with reference to FIG. 9 .
- FIGS. 9 and 10 are diagrams for explaining a process of generating an empty mask using plain text according to an embodiment of the present disclosure. Specifically, it is a diagram to explain a process of generating an empty mask by referring to data in a plaintext state when encryption is performed on the data owner side. Specifically, FIG. 9 shows a case in which a v-bit table is used, and FIG. 10 shows a case in which a v-bit table is not used.
- the indices of the bin features for which the bin mask is to be made are vector , the maximum bin value of each bin feature is indicated as
- the data table in plaintext is , the v-bit table is indicated as output value b to be.
- the generation of the empty mask after the encryption operation can be used when the data in the plaintext state cannot be accessed, or when the empty mask is created using the isomorphism operation in the encrypted state.
- the sinc function can be changed to the following Equation 13.
- Is Primary Chevyshev is a polynomial.
- the polynomial generated according to this approximation method is is a quadratic polynomial.
- FIG. 11 is a diagram illustrating an approximation algorithm according to an embodiment of the present disclosure. Specifically, in FIG. 11 Algorithm using the above method Represents a function approximation algorithm.
- Each slot of is a value in the range, is the degree of the approximate polynomial, which is even.
- M of the process is the number of slots in one ciphertext.
- the multiplication operation is it's burn
- FIG. 12 is a diagram for explaining an operation of generating an empty mask using a homomorphic ciphertext according to an embodiment of the present disclosure.
- the indices of the bin features for which the bin mask is to be created are vector , the maximum bin value of each bin feature is indicated as
- the output value is b to be. If the values of all slots are valid in the encrypted state, one multiplication operation can be reduced in lines 8 and 9 of FIG. 12 .
- FIG. 13 is a diagram for describing an operation of a bin count operation according to an embodiment of the present disclosure.
- the bin count operation is a function of counting the number of rows that satisfy conditions for various bin features.
- the empty count operation is the second feature value , ... the second feature value is to count the number of valid data satisfying m conditions of
- the empty count operation is performed by adding the values of all slots of this multiplication result.
- FIG. 13 which is a set of bin masks that are output values in the previous bin count generation process.
- the modified bin count method calculates the number of all cases made by various bin features of certain data and displays the results in a table format.
- FIG. 14 is a diagram for explaining original data and a goal of a large bin count operation according to an embodiment of the present disclosure.
- the bin count method uses a pre-made bin mask as described above.
- blank mask is any empty feature It is an encrypted column indicating whether the value of each row of is equal to i (i is a positive integer) or not. (1 if it matches i, 0 otherwise.)
- a method for counting the number of cases in which all five features have a value of 1 is as follows. The method will be described with reference to FIG. 15 .
- 15 is a diagram for explaining a method of calculating the number of numbers in a specific case using an empty mask.
- each column is has blocks. So the total multiplication is required.
- a power bin mask may be used instead of the bin mask.
- Each row of the power bin mask is defined when the value of the corresponding bin feature is i. has a value of i.e. for each empty value It will give you enough leeway.
- 16 is a diagram for explaining a bin count operation using a power bin mask according to an embodiment of the present disclosure.
- each row of the multiplication result will be 0 when features B, C, D, and E are not all 1. And add the values of all rows.
- the number of rows to be added is If less than is guaranteed, the result of the addition is each It is stored in an area corresponding to bits.
- FIG. 16 is a result of adding only the six columns 1640 presented. At this time, the value in the lowest 3 bits shows the number of cases where all features are 1, and the value stored in the highest 3 bits shows the number of cases where feature A is 5 and the rest are 1.
- each row of the bin mask is set to 0 or 1 instead of 0 or 1 in consideration of the error term of the homomorphic encryption method. (here must be expressed as a positive integer).
- the total bin count operation in consideration of such an error term is shown in FIG. 17 .
- 17 is a diagram for explaining a bin count operation in consideration of an error term according to an embodiment of the present disclosure.
- four bin features 1740 and 1750 B, C, D, and E are made into two new bin features and a new big bin mask is raised.
- the big bin mask is generated as described above, the previously generated power big mask 1730 may be multiplied by this to obtain the number of cases.
- a power bin mask and a big bin mask can be generated in advance.
- Such an empty mask process may be performed during an encryption process. Alternatively, it may be performed after the encryption process.
- a multiplication operation between the corresponding masks may be performed.
- a decoding process for confirming the operation result may be performed.
- an extended bin mask may be generated with one feature (f 0 ).
- the generated expanded empty mask, big empty mask 1, and big empty mask 2 are each , , is indicated by ( , , is equal to one column, each encrypted. So, the number of blocks per column ( ) is composed of as many ciphertexts. )
- FIG. 18 is a diagram for describing an operation of generating a power bin mask according to an embodiment of the present disclosure.
- the extended empty mask indicates that the value of each slot is , is expressed as
- the lower value of each slot of the power bin mask is bit offset.
- the data table in the plaintext state is the data table in the plaintext state, the v-bit table in the plaintext state, and the index of the bin feature for which the power bin mask is to be created, respectively.
- n is the number of data rows
- M is the number of slots in one ciphertext.
- 19 is a diagram for explaining an operation of generating a power bin mask according to another embodiment of the present disclosure.
- a typical blank mask indicates whether a specific value corresponds to 0 or 1, but in this case 0 or is indicated by
- Each characteristic index is , and the maximum bin value of each feature is , the two new variables are each is the largest empty variable.
- the two new variables are each is the largest empty variable.
- This process is to ensure that the value stored in each slot does not exceed the modulus bit during the multiplication process of the large bin count.
- a multiplication operation may be performed.
- all , ( , ) can be calculated.
- a GPU is used for the homogeneous multiplication operation, and each GPU can perform the multiplication operation in block units. A detailed operation will be described below with reference to FIG. 20 .
- FIG. 20 is a diagram for explaining a multiplication operation between a plurality of bin masks according to an embodiment of the present disclosure.
- FIG. 21 is a diagram for explaining a multiplication operation using a plurality of GPUs.
- each GPU 2010 , 2020 , 2030 , and 2040 may operate in parallel. So the number of GPUs is For dogs, 1 block each Blocks can be processed simultaneously. GPUs (2010, 2020, 2030, 2040) are the first You are assigned a work block of blocks, and when you finish work, the next Work can be done in such a way that each block of work is assigned one after the other. And the number of ciphertexts to be loaded into the GPU at one time can be limited according to the memory capacity of the GPU.
- the number of blocks is the number of GPUs ( ), it is possible to retrieve the result ciphertext of the previously processed block, add it to the new result ciphertext, and store it. Therefore, the maximum number of stored ciphertexts is can be limited to
- c is a positive integer and is determined according to the memory size of the GPU to be used.
- 22 is a diagram for explaining a decoding operation after a multiplication operation according to an embodiment of the present disclosure.
- the output value of the previous operation is Looking at the elements of , the value of BigBin1 , the value of BigBin2 About The number of cases of to be.
- BigBin1 and BigBin2 represent m-1 features as two features, each pair It is mapped to one of the combinations of Gavin features.
- the value of BigBin1 is
- the value of BigBin2 is
- the ciphertext is there is a dog
- the value of each slot is cut into bits of Bin features that create an extended bin mask by adding only the values of bits The number of cases where the value is l can be found.
- FIG. 23 is a diagram illustrating a data structure of an empty mask according to an embodiment of the present disclosure. Specifically, FIG. 23 is a diagram illustrating regions occupied by values in respective slots when the power bin mask 2310 and the big bin masks 2320 and 2330 are generated.
- the feature is the value of the maximum bin of So
- the power bin mask is has one of the values.
- Big Bean Mask Is or 0. thus It is equivalent to displaying only one bit as 0 or 1.
- FIG. 24 is a diagram illustrating a data structure of a result of a multiplication operation according to an embodiment of the present disclosure. Specifically, FIG. 24 shows the use of the modulus bit of an arbitrary slot obtained as a result of the multiplication operation process.
- Equation 17 The multiplication result of an arbitrary slot can be expressed as Equation 17 below.
- the error of the multiplication result must not exceed the lower bit of the desired value, and the upper bit of the value must not exceed the modulus bit. That is, the error term of the multiplication result Is cannot be violated, and the maximum bit It cannot be larger than the modulus bit used in the flexible encryption system.
- Equation 18 Equation 18 below is an equation for an error term
- Equation 19 is an equation for a modulus bit.
- 25 is a diagram for explaining a comparison operation according to the present disclosure.
- Comparison of values within isomorphic ciphertext is required to produce statistical calculations. That is, it is necessary to check whether the ciphertext value in the homomorphic ciphertext corresponds to a specific variable value. 25 is a comparison algorithm for this purpose.
- a comparison result may be calculated by calculating the two variables.
- a comparison result can be calculated using an approximation function for the sinc function as described above.
- 26 to 28 are diagrams for explaining various statistical calculation methods according to an embodiment of the present disclosure.
- FIG. 26 is an algorithm 2600 for an average calculation method.
- the index vector of the bin feature and the vector representing the conditional blank value when there is the second feature value ... the second feature value Characteristics of rows that satisfy m conditions of can calculate the average value of this is data Average ( ) is equivalent to taking the process.
- the temporary feature about the data column and v-bit columns go through the process of determining
- BinMask represents the condition for the bin variable, is the index of the column to be averaged, is an index of a column temporarily created in the process of finding the average.
- the average operation is the number of iterations of
- the above process is an average process It is equivalent to adding one multiplication. thus multiplication of and Rotation processing is required. ( is the number of blocks in a row, k is the number of iterations in the inverse process of average operation, and M is the number of slots per ciphertext. )
- FIG. 27 is a diagram for explaining an algorithm 2700 for a method of calculating variance.
- a temporary data column and v-bit columns can take the preceding variance operation by creating The process is as follows.
- X and Y are data table and v-bit table, respectively, and b is a set of BinMask. represents the condition for the bin variable, is the index of the column to be averaged, is the index of a column temporarily created in the process of finding the average.
- k is the averaging is the number of iterations of
- 28 is a diagram for explaining an algorithm 2800 for a method of calculating a correlation coefficient.
- the difficult part of the above task is finding the reciprocal of the number associated with the task.
- the reason it is difficult to find the reciprocal is that the inverse calculation is to set the range of values that need to be calculated, and to set the parameters so that the result does not diverge within the range, and the approximation algorithm is mainly composed of iterative algorithms. Therefore, it is necessary to increase the number of iterations for the sake of accuracy of the results.
- the computation cost increases when the number of iterations increases, an appropriate number of iterations must be performed.
- the homomorphic cipher text contains errors, a reboot operation must be performed after a certain number of calculations.
- 29 is a diagram for explaining an operation of calculating a maximum value in a slot according to the present disclosure.
- the algorithm 2900 may store the value of one slot in the isomorphic ciphertext, and may calculate the maximum value by sequentially comparing the stored value with the value of another slot.
- the comparison algorithm shown above may be used.
- FIG. 30 is a diagram for explaining an operation of calculating a maximum value in several columns in a plurality of blocks.
- the corresponding algorithm 3000 first calculates the maximum value having the highest value for each block using the algorithm shown in FIG. 29 , and compares the calculated maximum values to the maximum value within a plurality of blocks. value can be calculated.
- 31 is a diagram illustrating a method of calculating a value of a specific rank according to an embodiment of the present disclosure.
- the percentile algorithm 3100 is similar to a method of sorting data in ascending order. A sorting process is performed preferentially, and a value corresponding to the requested percentile can be calculated accordingly.
- 32 is a flowchart illustrating a cipher text processing method according to an embodiment of the present disclosure.
- a statistical calculation command for a plurality of homomorphic cipher texts is received ( S3210 ).
- Such a statistical calculation command may include calculating the number of variables having a specific value, an average of values satisfying a specific condition, a variance, and the like.
- the plurality of homomorphic ciphertexts may store the encrypted state of the plurality of variable information.
- an empty mask having different variable information is generated for each homomorphic ciphertext (S3220).
- Such empty mask generation may be generated in the process of generating a homomorphic ciphertext as described above, or may be generated in a homomorphic ciphertext state.
- the bin mask may be an bin mask having only one variable information per slot, and may be an extended bin mask including the presence or absence of a plurality of variable values, or the power bin mask or big bin mask described above.
- number information corresponding to the variable combination is generated using the blank mask (S3230). Specifically, a count value that satisfies a specific condition may be calculated by using the product of the generated empty mask.
- Such output may be performed in an encrypted state, a process of decrypting the corresponding information may be performed, and may also be output as a decrypted result.
- the encryption processing method according to the present embodiment enables efficient statistical calculation on homomorphic ciphertext.
- the cipher text processing method shown in FIG. 32 may be executed on the electronic device having the configuration of FIG. 2 and may also be executed on the electronic device having other configurations.
- the cipher text processing method as described above may be implemented as a program including an executable algorithm that can be executed on a computer, and the above-described program is stored in a non-transitory computer readable medium.
- the non-transitory readable medium refers to a medium that stores data semi-permanently, rather than a medium that stores data for a short moment, such as a register, cache, memory, and the like, and can be read by a device.
- programs for performing the above-described various methods may be provided by being stored in a non-transitory readable medium such as a CD, DVD, hard disk, Blu-ray disk, USB, memory card, ROM, and the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
- Mathematical Analysis (AREA)
- Computational Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims (17)
- 전자 장치에 있어서,적어도 하나의 인스트럭션(instruction)을 저장하고, 복수의 변수 정보를 암호화된 상태를 저장하는 동형 암호문을 복수개 저장하는 메모리; 및상기 적어도 하나의 인스트럭션을 실행하는 프로세서;를 포함하고,상기 프로세서는,상기 적어도 하나의 인스트럭션을 실행함으로써, 상기 복수의 동형 암호문에 대한 연산 명령이 수신되면 상기 동형 암호문 각각에 대해서 서로 다른 변수 정보 구분하여 갖는 빈 마스크를 이용하여 변수 조합에 대응되는 개수 정보를 생성하는 전자 장치.
- 제1항에 있어서,상기 동형 암호문은 복수의 슬롯을 포함하며,상기 복수의 슬롯 각각에 하나의 변수 정보를 갖는 전자 장치.
- 제1항에 있어서,상기 빈 마스크는,복수의 슬롯을 포함하며,상기 복수의 슬롯 각각은 하나의 변수 값의 존재 여부에 대한 정보를 포함하며,상기 프로세서는,동형 암호문 각각에 대해서 상기 동형 암호문에 포함된 변수 정보별 복수의 빈 마스크를 생성하고, 생성된 복수의 빈 마스크 중 상기 변수 조합에 대응되는 빈 마스크를 선별하고, 상기 선별된 빈 마스크 간의 곱을 이용하여 상기 변수 조합을 갖는 개수 정보를 생성하는 전자 장치.
- 제1항에 있어서,상기 빈 마스크는,복수의 슬롯을 포함하며,상기 복수의 슬롯 각각은 하나의 변수 값의 존재 여부에 대한 정보를 포함하는 복수의 서브 슬롯을 포함하고,상기 프로세서는,동형 암호문 각각에 대해서 하나의 빈 마스크를 생성하고, 상기 복수의 빈 마스크 중 상기 변수 조합에 대응되는 상기 빈 마스크 내의 서브 슬롯을 이용하여 상기 변수 조합을 갖는 개수 정보를 생성하는 전자 장치.
- 제4항에 있어서,상기 복수의 서브 슬롯은, 기설정된 비트 간격을 갖고 하나의 슬롯 내에 배치되는 전자 장치.
- 제1항에 있어서,상기 프로세서는,동일한 특징에 대한 복수의 정보를 포함하는 제1 동형 암호문 및 제2 동형 암호문를 하나의 동형 암호문으로 결합하는 전자 장치.
- 제6항에 있어서,상기 프로세서는,상기 제1 동형 암호문과 상기 제2 동형 암호문 내의 공통된 정보에 대한 제1 도형 암호문 내의 제1 위치 정보와 상기 제2 동형 암호문 내의 제2 위치 정보를 이용하여, 상기 제1 동형 암호문과 제2 동형 암호문을 하나로 결합하는 전자 장치.
- 제7항에 있어서,상기 프로세서는,제1 및 제2 동형 암호문 내에 포함된 복수의 정보 각각에 대해서 기설정된 공통된 키로 일방향 암호화 방식으로 암호화된 데이터와 상기 암호화된 데이터에 대한 동형 암호문 내의 위치 정보가 입력되면, 상기 제1 동형 암호문에 대한 암호화된 데이터와 상기 제2 동형 암호문에 대한 암호화된 데이터를 비교하여, 두 동형 암호문 간에 공통된 정보를 갖는 상기 제1 위치 정보와 상기 제2 위치 정보를 확인하는 전자 장치.
- 동형 암호문에 대한 암호문 처리 방법에 있어서,복수의 변수 정보를 암호화된 상태를 저장하는 동형 암호문을 복수개 저장하고, 상기 복수의 동형 암호문에 대한 연산 명령을 수신하는 단계;상기 복수의 동형 암호문 각각에 대해서 서로 다른 변수 정보 구분하여 갖는 빈 마스크를 생성하는 단계;상기 빈 마스크를 이용하여 변수 조합에 대응되는 개수 정보를 생성하는 단계; 및상기 생성된 개수 정보를 출력하는 단계;를 포함하는 암호문 처리 방법.
- 제9항에 있어서,상기 동형 암호문은 복수의 슬롯을 포함하며,상기 복수의 슬롯 각각에 하나의 변수 정보를 갖는 암호문 처리 방법.
- 제9항에 있어서,상기 빈 마스크는,복수의 슬롯을 포함하며,상기 복수의 슬롯 각각은 하나의 변수 값의 존재 여부에 대한 정보를 포함하며,상기 빈 마스크를 생성하는 단계는,동형 암호문 각각에 대해서 상기 동형 암호문에 포함된 변수 정보별 복수의 빈 마스크를 생성하고,상기 개수 정보를 생성하는 단계는,생성된 복수의 빈 마스크 중 상기 변수 조합에 대응되는 빈 마스크를 선별하고, 상기 선별된 빈 마스크 간의 곱을 이용하여 상기 변수 조합을 갖는 개수 정보를 생성하는 암호문 처리 방법.
- 제9항에 있어서,상기 빈 마스크는,복수의 슬롯을 포함하며,상기 복수의 슬롯 각각은 하나의 변수 값의 존재 여부에 대한 정보를 포함하는 복수의 서브 슬롯을 포함하고,상기 빈 마스크를 생성하는 단계는,동형 암호문 각각에 대해서 하나의 빈 마스크를 생성하고,상기 개수 정보를 생성하는 단계는,상기 복수의 빈 마스크 중 상기 변수 조합에 대응되는 상기 빈 마스크 내의 서브 슬롯을 이용하여 상기 변수 조합을 갖는 개수 정보를 생성하는 암호문 처리 방법.
- 제12항에 있어서,상기 복수의 서브 슬롯은, 기설정된 비트 간격을 갖고 하나의 슬롯 내에 배치되는 암호문 처리 방법.
- 제9항에 있어서,동일한 특징에 대한 복수의 정보를 포함하는 제1 동형 암호문 및 제2 동형 암호문을 하나의 동형 암호문으로 결합하는 단계;를 더 포함하는 암호문 처리 방법.
- 제14항에 있어서,상기 결합하는 단계는,상기 제1 동형 암호문과 상기 제2 동형 암호문 내의 공통된 정보에 대한 제1 도형 암호문 내의 제1 위치 정보와 상기 제2 동형 암호문 내의 제2 위치 정보를 이용하여, 상기 제1 동형 암호문과 제2 동형 암호문을 하나로 결합하는 암호문 처리 방법.
- 제15항에 있어서,상기 결합하는 단계는,제1 및 제2 동형 암호문 내에 포함된 복수의 정보 각각에 대해서 기설정된 공통된 키로 일방향 암호화 방식으로 암호화된 데이터와 상기 암호화된 데이터에 대한 동형 암호문 내의 위치 정보가 입력되면, 상기 제1 동형 암호문에 대한 암호화된 데이터와 상기 제2 동형 암호문에 대한 암호화된 데이터를 비교하여, 두 동형 암호문 간에 공통된 정보를 갖는 상기 제1 위치 정보와 상기 제2 위치 정보를 확인하는 암호문 처리 방법.
- 암호문 처리 방법을 실행하기 위한 프로그램을 포함하는 컴퓨터 판독가능 기록매체에 있어서,상기 암호문 처리 방법은,복수의 변수 정보를 암호화된 상태를 저장하는 동형 암호문을 복수개 저장하고, 상기 복수의 동형 암호문에 대한 연산 명령을 수신하는 단계;상기 복수의 동형 암호문 각각에 대해서 서로 다른 변수 정보 구분하여 갖는 빈 마스크를 생성하는 단계;상기 빈 마스크를 이용하여 변수 조합에 대응되는 개수 정보를 생성하는 단계; 및상기 생성된 개수 정보를 출력하는 단계;를 포함하는 컴퓨터 판독가능 기록매체.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022575885A JP2023529690A (ja) | 2020-06-15 | 2021-06-15 | 同型暗号文に対する統計演算を行う装置及び方法 |
CN202180042724.0A CN115918028A (zh) | 2020-06-15 | 2021-06-15 | 对同态密文执行统计操作的装置及其方法 |
KR1020227040329A KR102522708B1 (ko) | 2020-06-15 | 2021-06-15 | 동형 암호문에 대한 통계 연산 수행하는 장치 및 방법 |
EP21826346.5A EP4149045A4 (en) | 2020-06-15 | 2021-06-15 | DEVICE AND METHOD FOR PERFORMING STATISTICAL CALCULATIONS ON HOMOMORPHEUS CIPHERTEXT |
US17/999,389 US20230208611A1 (en) | 2020-06-15 | 2021-06-15 | Device and method for performing statistical calculation on homomorphic ciphertext |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202063039086P | 2020-06-15 | 2020-06-15 | |
US63/039,086 | 2020-06-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021256843A1 true WO2021256843A1 (ko) | 2021-12-23 |
Family
ID=79268138
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2021/007517 WO2021256843A1 (ko) | 2020-06-15 | 2021-06-15 | 동형 암호문에 대한 통계 연산 수행하는 장치 및 방법 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230208611A1 (ko) |
EP (1) | EP4149045A4 (ko) |
JP (1) | JP2023529690A (ko) |
KR (1) | KR102522708B1 (ko) |
CN (1) | CN115918028A (ko) |
WO (1) | WO2021256843A1 (ko) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114978603A (zh) * | 2022-04-25 | 2022-08-30 | 福建师范大学 | 一种具有接收判定能力的数据合并传输方法及其系统 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20150122494A (ko) * | 2014-04-23 | 2015-11-02 | 삼성전자주식회사 | 암호화 장치, 암호화 방법, 복호화 방법 및 컴퓨터 판독가능 기록매체 |
US20170180115A1 (en) * | 2015-12-18 | 2017-06-22 | Microsoft Technology Licensing, Llc | Homomorphic Encryption with Optimized Homomorphic Operations |
KR101965628B1 (ko) * | 2017-12-15 | 2019-04-04 | 서울대학교산학협력단 | 동형 암호화를 수행하는 단말 장치와 그 암호문을 처리하는 서버 장치 및 그 방법들 |
KR20190117286A (ko) * | 2018-04-06 | 2019-10-16 | 서울대학교산학협력단 | 블록체인 및 동형암호 기술을 이용하여 데이터를 공유하는 사용자 장치와 전자장치 및 그 방법들 |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US12045364B1 (en) * | 2010-04-21 | 2024-07-23 | Stanley Trepetin | Mathematical method for performing homomorphic operations |
US10673614B2 (en) * | 2015-10-09 | 2020-06-02 | Mitsubishi Electric Corporation | Secret search system, management device, secret search method and computer readable medium |
US10015007B2 (en) * | 2015-11-25 | 2018-07-03 | International Business Machines Corporation | Performing efficient comparison operations on encrypted data |
US10812252B2 (en) * | 2017-01-09 | 2020-10-20 | Microsoft Technology Licensing, Llc | String matching in encrypted data |
US10728018B2 (en) * | 2017-01-20 | 2020-07-28 | Enveil, Inc. | Secure probabilistic analytics using homomorphic encryption |
US10728017B2 (en) * | 2017-11-03 | 2020-07-28 | International Business Machines Corporation | Performing vector comparison operations in fully homomorphic encryption |
EP3731107B1 (en) * | 2018-01-17 | 2021-10-27 | Mitsubishi Electric Corporation | Data management device, search device, registration device, data management method, and data management program |
WO2019172837A1 (en) * | 2018-03-05 | 2019-09-12 | Agency For Science, Technology And Research | Method and system for deriving statistical information from encrypted data |
KR102040120B1 (ko) * | 2018-07-27 | 2019-11-05 | 주식회사 크립토랩 | 근사 암호화된 암호문에 대한 연산을 수행하는 장치 및 방법 |
US11429730B2 (en) * | 2019-11-25 | 2022-08-30 | Duality Technologies, Inc. | Linking encrypted datasets using common identifiers |
US11239996B2 (en) * | 2019-12-18 | 2022-02-01 | International Business Machines Corporation | Weighted partial matching under homomorphic encryption |
-
2021
- 2021-06-15 WO PCT/KR2021/007517 patent/WO2021256843A1/ko unknown
- 2021-06-15 US US17/999,389 patent/US20230208611A1/en active Pending
- 2021-06-15 CN CN202180042724.0A patent/CN115918028A/zh active Pending
- 2021-06-15 EP EP21826346.5A patent/EP4149045A4/en active Pending
- 2021-06-15 KR KR1020227040329A patent/KR102522708B1/ko active IP Right Grant
- 2021-06-15 JP JP2022575885A patent/JP2023529690A/ja active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20150122494A (ko) * | 2014-04-23 | 2015-11-02 | 삼성전자주식회사 | 암호화 장치, 암호화 방법, 복호화 방법 및 컴퓨터 판독가능 기록매체 |
US20170180115A1 (en) * | 2015-12-18 | 2017-06-22 | Microsoft Technology Licensing, Llc | Homomorphic Encryption with Optimized Homomorphic Operations |
KR101965628B1 (ko) * | 2017-12-15 | 2019-04-04 | 서울대학교산학협력단 | 동형 암호화를 수행하는 단말 장치와 그 암호문을 처리하는 서버 장치 및 그 방법들 |
KR20190117286A (ko) * | 2018-04-06 | 2019-10-16 | 서울대학교산학협력단 | 블록체인 및 동형암호 기술을 이용하여 데이터를 공유하는 사용자 장치와 전자장치 및 그 방법들 |
Non-Patent Citations (2)
Title |
---|
See also references of EP4149045A4 * |
SEO KYONGJIN, PYONG KIM, YOUNHO LEE: "Implementation and Performance Enhancement of Arithmetic Adder for Fully Homomorphic Encrypted Data.", JOURNAL OF THE KOREA INSTITUTE OF INFORMATION SECURITY AND CRYPTOLOGY, vol. 27, no. 3, 30 June 2017 (2017-06-30), pages 413 - 426, XP055881582, ISSN: 1598-3986, DOI: 10.13089/JKIISC.2017.27.3.413 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114978603A (zh) * | 2022-04-25 | 2022-08-30 | 福建师范大学 | 一种具有接收判定能力的数据合并传输方法及其系统 |
CN114978603B (zh) * | 2022-04-25 | 2023-12-29 | 福建师范大学 | 一种具有接收判定能力的数据合并传输方法及其系统 |
Also Published As
Publication number | Publication date |
---|---|
CN115918028A (zh) | 2023-04-04 |
EP4149045A1 (en) | 2023-03-15 |
JP2023529690A (ja) | 2023-07-11 |
US20230208611A1 (en) | 2023-06-29 |
KR20220163493A (ko) | 2022-12-09 |
EP4149045A4 (en) | 2024-04-24 |
KR102522708B1 (ko) | 2023-04-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019117694A1 (ko) | 동형 암호화를 수행하는 단말 장치와 그 암호문을 처리하는 서버 장치 및 그 방법들 | |
WO2020235797A1 (en) | Apparatus for processing modular multiply operation and methods thereof | |
WO2009157715A2 (en) | Codebook design method for multiple input multiple output system and method for using the codebook | |
WO2020145503A1 (en) | Apparatus for processing approximately encrypted messages and methods thereof | |
WO2020117015A1 (ko) | 다변수 패킹을 이용하는 연산 장치 및 방법 | |
WO2017222140A1 (ko) | Cnn 기반 인루프 필터를 포함하는 부호화 방법과 장치 및 복호화 방법과 장치 | |
WO2014137159A1 (en) | Method and apparatus for applying secondary transforms on enhancement-layer residuals | |
WO2016186241A1 (ko) | 데이터 암호화 장치 및 방법과 및 데이터 복호화 장치 및 방법 | |
WO2020166879A1 (en) | Apparatus for performing threshold design on secret key and method thereof | |
EP2272181A2 (en) | Multiple antenna communication system including adaptive updating and changing of codebooks | |
WO2011053101A2 (en) | Apparatus and method for generating a parity check matrix in a communication system using linear block codes, and a transmission/reception apparatus and method using the same | |
WO2017155137A1 (ko) | 빔포밍 방법 및 이를 위한 장치 | |
EP3909193A1 (en) | Apparatus for processing approximately encrypted messages and methods thereof | |
WO2020242260A1 (ko) | 전역적 문맥을 이용하는 기계 학습 기반의 이미지 압축을 위한 방법 및 장치 | |
WO2020145759A1 (ko) | 근사 계산에 대한 계산 검증 | |
WO2021256843A1 (ko) | 동형 암호문에 대한 통계 연산 수행하는 장치 및 방법 | |
WO2017111362A1 (ko) | 임의의 길이를 가지는 폴라 코드를 이용한 harq 수행 방법 | |
WO2011021917A2 (en) | Method and system for handling security synchronization for prolonged periods of no-reception of voice frames | |
WO2020116807A1 (ko) | 암호문에 대한 비다항식 연산을 수행하는 장치 및 방법 | |
WO2020246848A1 (ko) | 근사 암호화된 암호문에 대한 정렬 장치 및 방법 | |
WO2021107515A1 (en) | Identity-based encryption method based on lattices | |
WO2017188497A1 (ko) | 무결성 및 보안성이 강화된 사용자 인증방법 | |
WO2011002260A2 (en) | Rotating reference codebook that is used in a multiple-input multiple-output (mimo) communication system | |
WO2018199442A1 (en) | Apparatus and method for performing operation being secure against side channel attack | |
WO2023282359A1 (ko) | 공간 복잡도를 고려한 동형 암호화 또는 복호화 방법 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21826346 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 20227040329 Country of ref document: KR Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2022575885 Country of ref document: JP Kind code of ref document: A Ref document number: 2021826346 Country of ref document: EP Effective date: 20221206 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |