CN117337553A - Blind rotation for full homomorphic encryption - Google Patents

Blind rotation for full homomorphic encryption Download PDF

Info

Publication number
CN117337553A
CN117337553A CN202280032403.7A CN202280032403A CN117337553A CN 117337553 A CN117337553 A CN 117337553A CN 202280032403 A CN202280032403 A CN 202280032403A CN 117337553 A CN117337553 A CN 117337553A
Authority
CN
China
Prior art keywords
key
encryption
polynomial
value
bootstrap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202280032403.7A
Other languages
Chinese (zh)
Inventor
M·乔伊
P·G·Y·帕里耶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zama Jianyi Co ltd
Original Assignee
Zama Jianyi Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP21197775.6A external-priority patent/EP4087177A1/en
Application filed by Zama Jianyi Co ltd filed Critical Zama Jianyi Co ltd
Priority claimed from PCT/EP2022/060745 external-priority patent/WO2022233605A1/en
Publication of CN117337553A publication Critical patent/CN117337553A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

Some implementations are directed to a computer-implemented blind rotation method for Full Homomorphic Encryption (FHE). The method includes rotating the polynomials (210) over masked values and iterating over the key numbers, e.g., they may be ternary. The key number may have at least three different values. The further blind rotation polynomial is iterated as represented by the current key number and the corresponding masking value. In an iteration, an encryption multiplier polynomial may be calculated from the bootstrap key and the masking value. In the iteration, the outer product may be performed once with an encryption multiplier polynomial to further blind rotate the polynomial.

Description

Blind rotation for full homomorphic encryption
Technical Field
The disclosed subject matter relates to a computer-implemented blind rotation method, a computer-readable medium, and a computing system for homomorphic encryption.
Background
Since the breakthrough paper "Fully Homomorphic Encryption Using Ideal Lattices" by Craig gateway (complete edition in Commun. ACM 53 (3): 97-105, 2010, incorporated herein by reference), efforts have been made to make Fully Homomorphic Encryption (FHE) sufficiently secure and effective for real world applications. FHE allows one to calculate (e.g., evaluate the circuit) on the encrypted data without decrypting. For example, the input data and the calculation result may be received and returned in encrypted form. The intermediate data (e.g., the computed internal state) may also be in encrypted form.
Even if the calculation result is returned in encrypted form, when decrypted, the output is the same as the operation performed on the unencrypted data. Homomorphic encryption can be used for privacy preserving outsourced storage and computation. This allows data to be encrypted and outsourced to a cloud environment for processing and/or storage, all of which are encrypted.
For example, homomorphic cryptography may be applied in fields such as healthcare where privacy rules may make it difficult to share clear data, but computation on encrypted medical data may be allowed. For example, a medical model developed for classifying medical data, for example, may be configured to receive medical data in encrypted form from a third party (e.g., a hospital). The medical model may, for example, classify medical data as, for example, normal or abnormal, or as having a particular medical syndrome, disease, or other condition. Using homomorphic encryption, a medical model may be applied to medical data received in encrypted form. This means that the party evaluating the medical model has no rights to access the plain medical data corresponding to the encrypted medical data. The user of the service may decrypt the results of the medical model application.
A cryptographic system that supports arbitrary computation on ciphertext is referred to as an Fully Homomorphic Encryption (FHE) scheme. Such a scheme can evaluate a wide variety of functions and can be run on encrypted inputs to produce encryption of the results. For example, once the combination of and or gates is available, so-called functional integrity can be obtained, as this allows one to implement any boolean circuit. This can be done by an untrusted party without leaking its inputs and internal states and outputs. The homomorphic encryption may be hierarchical, in which case the number of certain operations cannot exceed a predetermined threshold. The hierarchical isomorphic scheme can be converted to a non-hierarchical FHE scheme by performing a bootstrap operation. Bootstrap operations increase the number of operations that can be performed on encrypted data items.
The homomorphic encryption scheme may support computations expressed in some special form (e.g., as a boolean circuit or an arithmetic circuit). For example, a hierarchical fully homomorphic encryption scheme may support evaluation of arbitrary circuits (but with bounded, predetermined depths). Non-hierarchical Fully Homomorphic Encryption (FHE) allows evaluation of arbitrary circuits with unbounded depth. The hierarchical FHE scheme may be converted to a non-hierarchical FHE scheme by periodically performing bootstrap operations on the data. It is known how to compile calculations (e.g., functions) in the form of circuits.
Since the Gentry paper, many FHE schemes have been developed that reduce computation time by orders of magnitude. Many FHE schemes are known today. The paper "TFHE" by Ilaria Chillotti et al: an example of a recent FHE scheme is described in Fast Fully Homomorphic Encryption over the Torus "(J.Cryptology 33 (1): 34-91, 2020), which is incorporated herein by reference.
A further FHE scheme is described in the paper "Programmable Bootstrapping Enables Efficient Homomorphic Inference 0f Deep Neural Networks" by Illar Chillotti, marc Joye and Pascal Paillier (see Cryptology ePrint Archive: report 202I/091, incorporated herein by reference).
However, there is still a need for further improvements of FHE schemes.
Disclosure of Invention
The inventors have noted that in existing FHE schemes, the key is typically represented in bits. In a conventional environment, increasing the number of possible values, e.g. from bits to digits, e.g. by increasing the radix from 2 to a higher number (e.g. 3 or more), would greatly increase the computational effort of the FHE scheme; in particular, the computational cost of bootstrap operation will increase. For example, the number of so-called outer products available for performing bootstrap operations may increase. The outer products are the bottleneck for some important FHE operations (e.g. bootstrap operations), so increasing the number of outer products is not desirable.
The outer product computes a multiplication between a multiplier and a multiplicand (e.g., a torus element or a polynomial on the torus). Both the multiplier and the multiplicand are encrypted, even though different encryption schemes are typically used. The multiplicand may be one of the encryption values of the FHE scheme, for example, may be an intermediate value that may be dynamically dependent on the input value of the FHE calculation, a typical example being LWE encryption, even though other encryption schemes are possible. The multiplier is typically fixed prior to FHE computation and does not dynamically depend on the FHE computed input value. The multiplier may be encrypted with an encryption scheme arranged to support multiplication, which may be different from the scheme used to encrypt the multiplicand. Thus, an FHE system (e.g., a computing system configured for computation encrypted according to an FHE scheme) can access the multiplier and multiplicand, even if both are in encrypted form, and can compute the multiplication while encrypting. If the FHE system obtains the multiplication result in encrypted form (typically in an encrypted type suitable for intermediate values, such as LWE). The external multiplication is typically performed with polynomials, which means that if digits are to be multiplied, these digits can be temporarily converted into polynomials and converted back into digits after multiplication.
The inventors have found how to increase the number of possible values of the key number (secret key digit) without increasing the number of external multiplications.
A computer-implemented blind rotation method for full homomorphic encryption is provided. The method iterates on the key number; however, each iteration includes at most one outer product. Interestingly, the number of external multiplications is at most the number of secret digits (secret digits), independent of the range of possible values each secret digit has. A secret number with 3 possible values and a secret number with 4 or 5 (etc.) possible values require as many external multiplications. If the secret number is allowed to have more possible values, then a given number of secret number sequences will be more. This in turn gives more freedom in choosing parameters to achieve the desired level of security.
For example, the encryption value may include one masked value (masking value) and a plurality of masking values (masking values). In one iteration, the accumulator may be rotated in one direction over the masked value. This will give the correct rotation if only the masked values are not masked. To correct the masking, the accumulator may be rotated again in the opposite direction on the amount represented by the secret number and the masking value (e.g., their product). For example, for each pair of secret number and mask value, the accumulator may be rotated in the opposite direction as represented by the combination of the secret number and mask value. An efficient implementation may combine more than one pair of secret numbers and masking values in a single opposite direction rotation.
This may be accomplished by calculating a multiplier polynomial that represents the amount of rotation desired in a given iteration. The multiplier polynomial refers to a key number and therefore cannot be provided to the FHE system in plain form, but is calculated in encrypted form. To emphasize the distinction between the multiplier polynomial in encrypted form (the form that the system gets it) and the multiplier polynomial that it encrypts, the former is denoted as the encryption multiplier polynomial and the latter as the plaintext multiplier polynomial. The encryption multiplier polynomial may be expressed as
One method of constructing an encryption multiplier polynomial is to construct the encryption multiplier polynomial from a plurality of possible plaintext multiplier polynomials (e.g., multiplier polynomials corresponding to possible values of key numbers).
Interestingly, the inventors found that such encryption multiplier polynomials could be calculated without further external multiplication. Instead, the encryption multiplier polynomial may be calculated as an encryption of a linear combination of possible plaintext multiplier polynomials, the coefficients of the linear combination being encrypted in the form of a bootstrap key. Since the bootstrap key itself is encrypted, the resulting multiplier polynomial is encrypted, but still represents the desired amount of rotation. For example, a bootstrap key for a particular secret number may be considered to be a component form encryption of a vector of at most one non-zero value (i.e., 1). Each bootstrap key encrypts data that indicates whether a particular key number has a particular value. The length of the vector may be less than or equal to the number of possible values for the key number.
The principles of the present invention are applicable to any FHE scheme that relies on external multiplication to implement bootstrap operations, which allows combining a (plaintext) polynomial with a bootstrap key to obtain an encryption multiplier polynomial.
One particularly useful application of blind rotation is bootstrap and/or function evaluation. By performing a blind rotation on a so-called test polynomial, the coefficients of the test polynomial corresponding to a particular exponent can be found while encrypting. Such blind rotation may be used for noise reduction and/or function evaluation. Function evaluation may in turn be used in a wide variety of applications, for example, to implement other arithmetic operations, to implement node evaluation functions of neural networks, and the like.
Another aspect is an electronic device, such as a computer, configured for blind rotation. The blind rotation method described herein is applicable in a wide range of practical applications. These include the cryptographic evaluation of software programs without the need to access clear data. For example, one may evaluate medical diagnostic software on medical data without actually accessing the medical data or medical results.
The medical data may include medical images. Medical images may include, for example, multi-dimensional image data acquired through a variety of acquisition modalities, such as, but not limited to, standard X-ray imaging, computed Tomography (CT), magnetic Resonance Imaging (MRI), ultrasound (US), positron Emission Tomography (PET), single Photon Emission Computed Tomography (SPECT), and Nuclear Medicine (NM), for example, two-dimensional (2D), three-dimensional (3D), or four-dimensional (4D) images.
One embodiment of the method may be implemented on a computer as a computer-implemented method, or in dedicated hardware, or in a combination of both. Executable code for one embodiment of the method may be stored on a computer program product. Embodiments of the computer program product include memory devices, optical storage devices, integrated circuits, servers, online software, and the like. Preferably, the computer program product comprises non-transitory program code stored on a computer readable medium for performing one embodiment of the method when said program product is executed on a computer.
In an embodiment, the computer program comprises computer program code adapted to perform all or part of the steps of an embodiment of the method when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
Drawings
Further details, aspects and embodiments will be described, by way of example only, with reference to the accompanying drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. In the figures, elements corresponding to elements already described may have the same reference numerals. In the drawings of which there are shown,
FIG. 1a schematically shows an example of one embodiment of a system for performing calculations using isomorphic encryption (FHE);
figure 1b schematically shows an example of one embodiment of a system for performing calculations using FHE;
figure 1c schematically shows an example of one embodiment of a system for performing calculations using FHE;
FIG. 2a schematically illustrates an example of one implementation of a computing device;
FIG. 2b schematically illustrates an example of one implementation of a computing device;
fig. 3 schematically shows an example of an embodiment of an encryption value, a key and a bootstrap key;
FIG. 4 schematically illustrates an example of one embodiment of a rotation test polynomial;
FIG. 5 schematically illustrates an example of one embodiment of a computing method;
FIG. 6a schematically illustrates a computer readable medium having a writable portion including a computer program according to one embodiment;
fig. 6b schematically shows a representation of a processor system according to an embodiment.
List of reference numerals:
the following list of labels and abbreviations is provided for ease of explanation of the drawings and should not be construed as limiting the claims. This list relates to fig. 1a to 4.
110 FHE computing system
111-113 FHE computing system
130. Processor system
140. Memory device
150. Communication interface
160. Data provider system
200. Computing system
210. Polynomial expression
221. Accumulator starting unit
222. Multiplier polynomial unit
223. Accumulator update unit
224. External multiplier
231. Encryption value
232. Bootstrap key
233. Secret multiplier polynomial
234. Accumulator
300. Encryption value
360. Multiple masking values
301-303 masking values
304. Masked values
310. Key(s)
311-313 key number
320. Bootstrap key for 330, 340 key digits
321-353 bootstrap key
350. Possible values of key numbers
411. Position of coefficient before rotation
412. Position of coefficient after rotation
1000. Computer readable medium
1010. Writable portion
1020. Computer program
1110. Integrated circuit
1120. Processing unit
1122. Memory
1124. Application specific integrated circuit
1126. Communication element
1130. Interconnection of
1140. Processor system
Detailed Description
While the presently disclosed subject matter may be embodied in many different forms, there is shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as an exemplification of the principles of the presently disclosed subject matter and is not intended to limit it to the specific embodiments illustrated and described.
Hereinafter, for ease of understanding, a plurality of elements of the embodiments are described in operations. It is however evident that the corresponding elements are arranged to perform the functions described as being performed by them.
Furthermore, the presently disclosed subject matter is not limited to the embodiments, but also includes combinations of each of the other features described herein or recited in mutually different dependent claims.
Figure 1a schematically shows an example of one implementation of an FHE computing system 110, e.g. a system for performing computation using isomorphic encryption (FHE). For example, the system 110 of FIG. 1a may be used to perform calculations on data, even if the data is received in encrypted form, e.g., from a data provider.
The system 110 may include a processor system 130, a memoryA reservoir 140 and a communication interface 150. Memory 140 may include local memory, such as a local hard drive or electronic memory. Memory 140 may include non-local memory, such as cloud memory. In the latter case, memory 140 may include a memory interface with non-local memory. For example, the memory 140 may store encrypted data items that are received, for example, from one or more data providers or generated as intermediate or final results (e.g., output) of a calculation. Typically, most or all of the data items on which the computation of system 110 is performed are encrypted with a key unknown to system 110, i.e., system 110 may not be configured to obtain a clear data item corresponding to the encrypted data item (e.g., such as stored in memory 140). The decryption key in clear form is kept secret from the system 110 even though the encryption/decryption key may be available in encrypted form. For example, the processor system may be configured to perform a sequence of FHE operations, which may include arithmetic operations on the encrypted value, such as addition and multiplication, and may also include arithmetic operations on the encrypted polynomial. FHE operations may also include blind rotation of the polynomial, bootstrap, etc. Rotation of the polynomial moves the coefficients of the individual ones of the polynomials to the next exponent. For example, by calculation with (x n +1) x is modulo α f (x) will be expressed as (x n +1) polynomial f (x) modulo alpha rotates in alpha positions or if rotation in the other direction is desired, is calculated as (x) n +1) x is modulo f (x). The blind rotation calculates the same procedure on the polynomial except under the encrypted mask. In addition to being the encryption operation itself, blind rotation has important applications in FHE, particularly as a building block for bootstrap operation with or without function evaluation.
The system 110 may communicate internally over a computer network with other systems, external memory, input devices, output devices, and/or one or more sensors. The computer network may be the internet, an intranet, a LAN, a WLAN, etc. The computer network may be the internet. The system comprises a connection interface arranged to communicate within the system or outside the system as required. For example, the connection interface may include a connector, such as a wired connector (e.g., an ethernet connector, an optical connector, etc.) or a wireless connector (e.g., an antenna, such as a Wi-Fi, 4G, or 5G antenna). The communication (e.g., internal communication) may use other communication protocols or media, such as an internal data bus.
In system 110, communication interface 150 may be used to transmit or receive digital data. For example, the system 110 may be configured to receive encrypted data items from an external computer (e.g., a computer of a data provider). For example, the system 110 may be configured to transmit the results of the computation to an external computer, typically in an encrypted format. For example, the communication interface 150 may be used for internal communication in the system 110, such as to allocate computing of multiple computing entities (e.g., computing devices).
Execution of system 110 may be implemented in a processor system (e.g., one or more processor circuits, such as a microprocessor), embodiments of which are shown herein. The system 110 may include multiple processors, which may be distributed across different locations. For example, system 110 may use cloud computing.
Some of the functional units shown in the figures may be functional units of a processor system. For example, the graph may be used as a blueprint for possible functional organizations of the processor system. In most of the figures, the processor circuitry is not shown separately from the elements. For example, the functional units shown in fig. 2 (see below) may be implemented in whole or in part in computer instructions that are stored at a system, such as system 110 (e.g., stored in electronic memory of system 110), and that are executable by a microprocessor of system 110. In a hybrid implementation, the functional units are implemented partially in hardware (e.g., as coprocessors, such as arithmetic and/or cryptographic coprocessors) and partially in software stored and executed on system 110.
Figure 1b schematically shows an example of an embodiment of a system for performing calculations using FHE. Figure 1b shows the FHE system of figure 1a in the context of a data provider system 160. The FHE system 110 is configured to perform computations using isomorphic encryption (FHE).
For example, the system 110 may be configured to receive encrypted data items from the data provider 160. At least some of the data items may be received in encrypted form. Some data items may be received in a clear format. The calculation runs on the received data item and possibly also on the stored data item. Interestingly, the computation can be performed on encrypted data without decrypting the data, e.g., without converting the encrypted data item into clear format data.
The system 110 may be configured for FHE schemes, e.g., several FHE operations. The FHE operation may include a gate. For example, FHE systems may be configured for so-called NAND-gates. For example, FHE systems may have addition and multiplication operations, such as in finite fields or finite rings, etc. The operation of the FHE scheme is in principle sufficient to perform a wide range of calculations, but the size of the calculations may be limited, for example if the FHE scheme is a hierarchical scheme without bootstrap operation or without bootstrap operation.
Typically, the encryption data implemented in FHE schemes and FHE systems involves some measure of noise. For example, encryption of a data item may include mapping the data item to a point in a key-dependent lattice (1 atice) and adding some noise thereto.
When the data item has just been encrypted, the noise is low (encryption is new). For example, the amount of noise is so low that if the data item is decrypted, the noise may be removed at some point in the decryption process (e.g., by rounding). On the other hand, the noise should be high enough to make attack on the system difficult enough. For example, many FHE schemes may be attacked using linear algebra or other efficient algorithms (e.g., lattice-based algorithms) assuming no noise. When the data item is encrypted, noise is added, which is chosen to make the attack difficult while the FHE operation can still be performed. Most FHE operations will add to the noise inherent in the encrypted FHE data item. When many such operations are performed, the noise will reach a level that makes correct decryption no longer possible. At this point, the scheme fails. In general, two methods have been developed in the art to deal with this phenomenon. The first is a hierarchical FHE scheme. The hierarchical FHE scheme may perform some number of operations one after the other. The hierarchical FHE scheme is designed such that the worst-case noise at the end of such a number of operations is below the limit required for decryption. Another approach is the so-called bootstrap operation. The bootstrapping operation may reduce noise in the encrypted data item. Bootstrap operation is possible if the FHE scheme is sufficiently capable to homomorphically evaluate the decryption algorithm in the encrypted domain (sometimes referred to as bootstrapped FHE scheme). For example, the bootstrapping operation receives helper data associated with the encryption key that allows noise reduction without decrypting the encrypted data item. Typically, the auxiliary data is an encrypted version of the key used to decrypt the data item. It should be noted that in the case of the FHE scheme of a symmetric key, the decryption key may be the same as the encryption key, or in the case of the FHE scheme, e.g. an asymmetric key, the decryption key may be different from the encryption key. In addition to encryption keys and decryption keys, FHE schemes may use other keys, such as keys for homomorphic evaluation. The latter is typically a public key corresponding to a private key, which may be stored at the data provider.
Although the bootstrap operation performs decryption of the encrypted data item, the decryption is performed in the encrypted domain as is common sense, so homomorphic decryption does not actually disclose any information about the plaintext data item. The bootstrap operation then performs noise reduction (typically by homomorphism rounding). The result is an encrypted data item with a lower, fixed noise level. Typically, the noise present in the context generated by bootstrapping is generated by a bootstrapping operation. One element of the bootstrap operation may be blind rotation.
After the bootstrap operation, a new sequence of FHE operations may be performed until the noise level becomes so high that a new bootstrap operation is required.
Determining when bootstrapping is needed may be done by tracking how much the noise level is to be, e.g. assuming worst case. Instead of the worst case, an average case may be assumed, although this may increase the risk of calculation results that cannot be decrypted. For example, calculations with inherent robustness to occasional errors (such as neural network evaluations) may be performed using an average case analysis of noise propagation.
Noise analysis (e.g., worst case or average case analysis) may be done in advance or may be done dynamically. The noise increase may depend on the particular calculation. For example, the amount of noise that FHE scalar multiplication increases depends on the multiplicand. One approach is to perform bootstrap operations often, e.g., after each operation, or after each set of numbers of operations, e.g., after every two operations.
The FHE scheme may be applied in many environments. For example, the FHE system 110 may be operated by a cloud provider. The cloud provider may provide computing and storage services to its customers. By employing FHE encryption, the data provider 160 (e.g., a customer of the cloud provider) can send their data in encrypted form. The cloud provider may still perform the required calculations, and/or the required storage, but will not be aware of the corresponding cleartext data or calculation results. For example, the data provider 160 can encrypt the data item using a type of encryption key that corresponds to a particular FHE scheme used in the FHE system. When the data provider 160 receives the calculation from the FHE system 110, the encrypted data item may be decrypted using the corresponding decryption key. The encryption and decryption keys may be identical, typically.
For example, the system 110 may be configured to train a machine learning model (e.g., an image classifier, e.g., a medical model) without accessing the cleartext data item. For example, linear regression may be performed on the input data, possibly even without bootstrapping. For example, back propagation may be performed on the input data, possibly requiring bootstrapping. The resulting model parameters may be returned to the entity that owns the decryption key. This enables multiple providers of medical data to aggregate their data by sending the data to the cloud provider. The cloud provider then returns the model parameters without accessing the cleartext data.
After the model is trained, the FHE system 110 may be used to provide the model, for example, for use with medical data. This can be done with either plaintext model parameters or cryptographic model parameters, in both cases with cryptographic data, e.g. with cryptographic input, intermediate and output data. The use of explicit model parameters is generally more efficient. In both cases, one effect of the system is that the computation (e.g., image classification, such as medical image classification) is performed without the computer knowing the clear data item. For example, mammography can be used to assess cancer without the need for images to appear in plain form at the system 110, and the system 110 is also unaware of what the outcome of the cancer assessment is. From a privacy perspective, it may be acceptable to operate a plaintext model over encrypted privacy-sensitive data, while it may not be acceptable to operate on plaintext privacy-sensitive data.
Other applications involve database services, such as looking up encrypted data in an encrypted database; for example, the computation may be a comparison between an input item and a database item. For example, multiple computations may be combined to generate a database index that matches the index. For example, the database may be a genomic database and the input is a gene sequence. For example, the system 110 may be used for protective control of a device. For example, a device (even a large device such as a power plant) may send a sensor value to the system 110 and receive an encrypted control signal as a return, the control signal being calculated from the sensor signal. An attacker of the system may be able to determine the data content coming in and out of the system 110, or even obtain intermediate data of the system 110, but this would not help him as the data is encrypted. Since the decryption key is unknown to the system 100, even a complete hack of the system 110 will not disclose the data. Computing the control signal may involve mathematical operations such as linear algebra, average, matrix multiplication, polynomial evaluation, etc., all of which may be performed using FHE operations.
For example, a pool of encrypted data items may be maintained in an FHE system; some of which may be received and some may be the result of FHE calculations, e.g. intermediate results. For example, the FHE system may be configured to apply FHE operations to one, two, or more encrypted data items in a pool (e.g., a set of input values and/or intermediate values and/or output values). The result will be a new encrypted data item that can be stored in the pool. The pool may be stored in a memory of the FHE system. This may be local memory or distributed memory. In the latter case, it may happen that one or more encrypted data items are represented multiple times in the pool. For example, if the value of the encrypted data item is desired elsewhere, the encrypted data item may be sent from one computing device to another. The pool may be implemented in a variety of ways, e.g., as a register file, an array, a variety of data structures, etc.
For example, in FHE schemes based on fault tolerant Learning (LWE) problems, such as the Torus-FHE (TFHE) scheme mentioned in the background, the encryption key may be a string of n numbers s i The ciphertext may be tuple (a 1 ,...,a n B), whereinIn the latter, +and represents the sum between torus elements and the product between integers and torus elements, a, respectively i Is n numbers, μ is the plaintext data item, e is noise, e.g. extracted from a probability distribution (e.g. gaussian distribution). For example, a torus may refer to a real set modulo, for example, 1, or for some integers q, a torus may refer to an integer set modulo q divided by q. Conventionally, the secret number s of the key s 1 ,...,s n Is a bit. The inventors have realized that extending it to a secret number s j It would be advantageous to have the secret number s i More than 2 values may be taken, for example 3 values (triples), 4 values or even more.
The scheme naturally extends to other mathematical structures, including polynomial-based mathematical structures. Thus, the number s i ,a i B, u, e may be taken from different mathematical structures. Not all encrypted data items need to be encrypted under the same key, in fact, re-encryption with a different key is one possible FHE operation. To transfer from one key to another, a so-called key transfer procedure may be used, or a so-called key transfer key may be used. The key conversion key provides information on how elements encrypted with the first key can be re-encrypted with the second key without revealing either key.
The encrypted data item may represent all kinds of data. For example, the encrypted data item may represent a number that needs to be averaged or used for linear regression or the like. For example, the encrypted data item may represent an image. For example, each pixel of the image may correspond to one or more encrypted data items. For example, a gray pixel may be represented by a gray level, which in turn may be represented by a single encrypted data item. For example, 256 gray levels may be encoded in a single encrypted data item. For example, a color pixel may be represented as multiple color levels (e.g., RGB levels), which in turn may be represented by tuples of encrypted data items. For example, three 256-level colors may be encoded with three encrypted data items. How many encrypted data items are used to represent a certain type of data depends on the capacity of the FHE scheme. For example, a more restrictive FHE scheme may only be able to encode one bit per encrypted data item. In this case, one color pixel may require 24 encrypted data items.
Although it may not be possible to speak exactly how much noise is without accessing the decryption key, one may typically limit the noise, for example, because the initial noise level is known for new encryption and the noise increase for various operations is also known. The noise increase may depend on the type of operation (e.g., addition and multiplication) and other parameters, if any. For example, the FHE operation may be a multiplication with a known, e.g., plaintext value (e.g., multiplied by 2), a multiplication with a known polynomial, and so forth. For example, multiplication with larger values may add more noise than multiplication with smaller values. Specifically, given the operations performed, the amount of noise increase may be calculated mathematically or may be estimated empirically. While some operations may add a significant amount of noise, other operations may not add noise, e.g., with a plaintext constant.
A set of FHE operations may be defined for computation. For example, an arithmetic network or circuit that collectively performs the calculation may be constructed from the target FHE calculation. For example, these operations may be boolean operations. For example, these operations may all be NAND operations. The manner in which the FHE operations are combined (e.g., which operation is applied to which operand in the pool) determines the computation being performed. For example, the computations may be represented as a list of FHE operations to be performed, while indicating on which FHE encrypted data item they are to be performed.
As operations are performed, noise associated with newly calculated (non-up-to-date) encrypted data items may grow. This is not a problem as long as the noise remains within the limits required for decryption. If more operations are to be performed, a bootstrap operation may be performed.
The size of the encrypted data item in the FHE scheme may be quite large. Furthermore, the more operations that the FHE scheme performs without a bootstrapping operation, the larger the size of the encrypted data item will typically be. Also, a higher resistance to attacks can be obtained with larger FHE parameters and larger encrypted data items. For example, the data item may be mapped to an FHE system with larger FHE parameters so that more noise may be added while still being able to successfully perform the operation. Increasing the range of values that the key number can take will increase entropy, thereby increasing the security of FHE.
Figure 1c schematically shows an example of an embodiment of a system for performing calculations using FHE. Shown in figure 1c are data provider system 160, and three FHE devices. Devices 111, 112 and 113. Each of the devices 111, 112 and 113 is capable of performing FHE operations on the encrypted data item. These three devices together constitute an FHE system. There may be two or more FHE devices cooperating to form a FHE system.
In the case of figure 1c, the computation is distributed over a plurality of FHE devices (in the embodiment shown, three FHE devices). For example, one of the plurality of FHE devices may transmit an encrypted data item, such as a received encrypted data item or an intermediate encrypted data item, such as a partial calculation, to one or more of the other plurality of FHE devices. Also, each of the plurality of FHE devices may be configured to receive encrypted data items from other devices.
Blind rotation can be used in Fully Homomorphic Encryption (FHE) systems and can operate on an encryption value received or calculated, such as in FHE systems. The encryption value includes a masked value and a masked value. In processing the numbers, the system may discretize the numbers. The discretized numbers are represented by wavy lines. Discretization is typically performed with q > 2N; this may also be required when dealing with non-integer numbers. Discretization is not necessary; for example, if q.ltoreq.2N and the number is an integer, discretization is not required. The masked value is almost equal to the plaintext value and the mask, however some noise is typically added. The key s cannot be provided in clear form to the FHE system, however, to reduce noise, the key s may be provided in the form of a plurality of bootstrap keys. The bootstrap key is an encryption of a plurality of data items that together represent a key number. Some operations (such as blind rotation or bootstrapping) may perform calculations on encrypted data using an encryption key in the form of a bootstrap key.
The polynomial may be blind rotated in two stages: the first stage involves a rotation on the masked values, which can be done in plain form; and the second stage includes compensating for the rotation on the masking value. The latter rotation is performed at encryption, depending on the bootstrap key and the key number represented by the masking value. In one iteration of the key numbers, each key number and corresponding masking value are processed. Only one external multiplication is required per key number. To process one or more key digits using a single external multiplication, an encryption multiplier polynomial may first be constructed. The corresponding plaintext multiplier polynomial comprises at least a single term (X d ) The index of the single expression indicates a further rotation amount. The encryption multiplier polynomial is then used for external multiplication.
Other singletons may exist in the polynomial, which can be used for further functions (e.g., reducing the number of bootstrap keys) and/or can be compensated in the algorithm to update the accumulator. The preferred form of the plaintext multiplier polynomial is X d -X e 、X d -1 or X d Even though other polynomials may be employed. For example, the encryption multiplier polynomial may be calculated as a dot product of a bootstrap key sequence of a particular key number and a clear polynomial sequence of a plurality of possible values (a (i)) of the current key number. For example, possible plaintext multiplier polynomials may be For example, the encryption multiplier polynomial may be calculated as:
·or alternatively
·Or alternatively
· Or alternatively
·
The encryption multiplier polynomial is externally multiplied with the accumulator. In the above-mentioned formula(s),represents a masking value, bsk [ []Representing the bootstrap key, a (i) represents the possible value of the secret number. These formulas refer to discrete values, although this is not required.
The effective choice of encryption used may be LWE encryption or GLWE encryption of the values, and/or GGSW encryption of the encryption multiplier polynomial, and/or GGSW encryption of the bootstrap key, and/or GLWE encryption of the blind rotation polynomial. For example, the plaintext multiplier polynomial Pj may beThe corresponding encryption multiplier polynomial may be encrypted, for example with GGSW or the like, and may be expressed as +.>The encryption multiplier polynomial is an encryption of the multiplier polynomial. Computing the encryption multiplier polynomial does not require accessing the plaintext multiplier polynomial. Note that in GGSW, the encryption multiplier polynomial may be a matrix.
Note, however, that other choices of encryption schemes may be used if they support external multiplications. Interestingly, regardless of the number of possible values of the key digits, only one outer product is required for each key digit.
Fig. 2a schematically illustrates an example of one implementation of a computing system 200. For example, the computing system 200 may be the FHE computing system 100 or implemented on the FHE computing systems 111-113, or on the FHE computing system 100 or on the FHE computing systems 111-113. The system 200 may access encrypted values, one of which is shown as encrypted value 231. For example, the encrypted value may be received through a communication interface and/or may be stored in a memory of system 200. The encrypted value represents some plaintext value encrypted with the key s. However, in general, the system 200 cannot access the key s.
The system 200 may also access, for example, the polynomial 210 received and/or stored at the system 200. Polynomial 210 may be a plaintext polynomial and will be blind rotated. The degree of rotation is represented by the encrypted value 231. Although the polynomial 210 may be in clear form, after a blind rotation procedure, the rotation result will be encrypted under a key that is not known to the system 200, i.e., the rotation is blind to the system 200. Polynomial 210 may also be an encryption polynomial, but this is not necessary for many applications.
The encrypted value 231 includes a sequence of masking values (a i ) And a masked value (b). There is a relationship between the masked value (b) and the plaintext value it represents. The masked values may be calculated from the mask and clear values and added noise. For example, the mask may be calculated from the key(s) and the sequence of masking values. The key(s) comprises a sequence of key digits (s j ). The confidential number may beTernary numbers (e.g., possible values of-1, 0, or 1), decimal numbers (e.g., possible values of 0, 1, 2, 3, &..times., 9), etc. The random noise may be initially extracted from a noise distribution (e.g., gaussian noise), such as when a new encryption is performed. When calculating a new encrypted value as a result of calculation on a previous value, noise of the new value generally depends on noise in the calculated input value and the nature of the calculation, e.g., multiplication is easier to increase noise than addition. Noise may also vary due to bootstrap operations, in which case noise may be reduced. It is desirable to control the amount of noise within a decryption limit within which the value can still be correctly decrypted.
The system 200 may also access a plurality of bootstrap keys corresponding to each key number, the plurality of bootstrap keys being encryption of a plurality of data items representative of the key number. Like the encryption value, the encryption of the bootstrap key by the system 200 is also unknown. Typically, the bootstrap key is encrypted under a different key than the encryption value, e.g. key s and key s', respectively.
Fig. 2a shows a blind rotation procedure using an operation called ciphertext external multiplication. While multiplication of two encrypted values is often difficult, it may be relatively easy to multiply the encrypted value with a predetermined value that is encrypted in a manner that facilitates multiplication.
Blind rotation may be performed using the structure of the encryption value. The accumulator may be initialized by rotating the polynomial 210 over the masked one of the encrypted values 231. The accumulator activation unit may be configured to do this. This portion of the rotation is blind because the masked values are blind, e.g., corresponding to clear code values that are not known to the system 200. The accumulator is now rotated in the other direction with the masking value to leave a blind rotation polynomial. The latter may be done by rotating over the masking value and the amount represented by the secret number. Typically, this amount is the product of the masking value and the corresponding key number.
The system 200 is known to the masking value, and the secret number has been used in encrypted form as the bootstrap key 232It is known that. The multiplier polynomial unit generates an encrypted multiplier polynomial using the masking value and the bootstrap key 232. The encryption multiplier polynomial is used to rotate on the masking value and the amount represented by the secret number. Interestingly, the encryption multiplier polynomial is calculated in the encryption domain, which allows the multiplier polynomial to be calculated while encrypting. For example, such an encryption domain may support addition and multiplication of a plaintext polynomial and an encrypted polynomial. Since the bootstrap key is an encryption of a 0 degree polynomial, this effectively allows constructing an encryption multiplier polynomial that represents a rotation. For example, encryption multiplier polynomialsMay be calculated by a multiplier polynomial unit. For example, encryption multiplier polynomial +>May be in the form +.>Or in the form of->Where aj is the secret number s j Corresponding masking values. To rotate the accumulator, the calculation may be performed under encryption masking, e.g.,or->This operation may be done in the accumulator update unit 233. Structure encryption multiplier polynomial->The process can be performed in the following manner: the plaintext multiplier polynomial for all possible values of the key number is calculated and the bootstrap key is used to select the correct plaintext multiplier polynomial and generate its encrypted form. For example, if the bootstrapping key bsk is for s j Wherein s is j 0 or 1, then->Namely to 0 or->To add these terms to all bootstrap keys, an encryption multiplier polynomial can be obtained. The accumulator update unit 233 may use an external multiplication unit 224, which external multiplication unit 224 is configured to calculate an external multiplication between the multiplier polynomial and the accumulator.
Various encryption objects, such as encryption values, such as value 231, bootstrap key 232, accumulator 234, multiplier polynomial 233, etc., may appear in system 200. While these may all be encrypted under the same key (e.g., a key known to the client of system 200 (e.g., data provider system 160)), it may be easier to use different encryption schemes and different keys to optimize the various steps. An embodiment of such a system is provided below in fig. 2 b.
For example, this embodiment may be implemented in the context of the FHE scheme described in the paper "Programmable Bootstrapping Enables Efficient Homomorphic Inference of Deep Neural Networks" by Illar Chillotti, marc Joye and Pascal Paillier, see Cryptology ePrint Archive: report 202I/091. The key numbers used in this reference can only assume two values; using the embodiments herein, the described schemes may be implemented using key numbers that may assume more than two values without increasing the number of external multiplications.
Fig. 3 illustrates one embodiment of an encryption value 300, a key 310, and bootstrap keys 321-353. This embodiment may be used, for example, for bootstrap key 232 in system 200 or system 201, etc. The encryption value 300 includes a sequence of masking values 360 and masked values 304; shown as masking values 301-303. Key 310 includes a secret digital sequence; shown as confidential numbers 311-313. The mask may be calculated from the key and the sequence of masking values. For example, the mask may be a dot product of the confidential digital sequence and the masking value. The mask may be added (orSubtracted) the plaintext value. In addition to the mask, some noise will be added (or subtracted) to avoid a linear relationship. Typically, these and other values will be calculated in a finite loop or finite field. If polynomials are used, they can furthermore be modulo polynomials, e.g. X N +1, etc.
The secret numbers 311-313 may assume more than two values. In the embodiment illustrated in FIG. 3, the values of the secret digits may be-2, -1, 0, 1, and 2. Any other list of possible values may also be supported. The list need not be contiguous. For each combination of possible values and key numbers, a bootstrap key may be calculated. According to an optimization, no bootstrap key is required to encode a particular value-typically a value of zero is chosen. For example, the bootstrap key may encrypt a binary value that represents whether the corresponding key number has a corresponding possible value. For example, if the value of the key number 311 is '-2', the bootstrap key 321 may be an encryption of '1', and if the value of the key number 311 is not '-2', the bootstrap key 321 may be an encryption of '0'; if the value of the key number 311 is '-1', the bootstrap key 331 may be an encryption of '-1', and if the value of the key number 311 is not '-1', the bootstrap key 331 may be an encryption of '0'; if the value of the key number 311 is '1', the bootstrap key 341 may be an encryption of '1', and if the value of the key number 311 is not '1', the bootstrap key 341 may be an encryption of '0'; if the value of the key number 311 is '2', the bootstrap key 351 may be an encryption of '2', and if the value of the key number 311 is not '1', the bootstrap key 351 may be an encryption of '0'. If none of the bootstrap keys 321-351 are '1' encryption, e.g., they are '0' encryption, then the value of the key number 311 is zero (any other value may be used instead of zero, but zero is convenient). Other key numbers may also have corresponding bootstrap keys that also encode the values of the corresponding key numbers in encrypted form. Thus, we can use (n-1) data items (e.g., bits) to encode n possible values of the secret number—with one possible value, since if all other possible values are used, the remaining single value must be the encoded value. This saves one bootstrap key, but such optimization is not necessary. For example, we can use n data items (e.g., bits) to encode n possible values of the secret number (e.g., one bit for each possible value).
For example, the bootstrap key for a particular key number may encrypt a binary value, e.g., a bit, that represents the key number (s j ) Whether or not there is a value corresponding to the bootstrap key. For example, the key number s j Bootstrapping key bsk of (a) i (i) Can be according to s i Whether 0 or 1 is encrypted equal to the ith possible value (e.g., equal to a (i)). A 0 is encoded for all other values using a bit, a preferred method of encoding one possible value. In this way, the number of bootstrap keys for the key number is one less than the number of possible values for the key number, while also enabling efficient computation of the encryption multiplier polynomial. For example, the bootstrap key may encode a zero value by any other value that does not represent a key number. For example, one (e.g., client) may calculate the bootstrap key using the following pseudo code:
in the above code, bsk j (0)、...、bsk j (m-1) is the key number s j Is provided. A () represents the possible value of the key number and m represents the number of possible values. Note that this uses as many bootstrap keys as possible, but this is not preferred-e.g. we can skip bsk i (0). An alternative representation of bootstrap keys is to arrange them in a single array, e.g., bsk [ for example ] ]。
Fig. 2b schematically illustrates an example of an implementation of the computing system 201. For example, the computing system 201 may be the FHE computing system 110 or implemented on the FHE computing systems 111-113, or on the FHE computing system 110 or on the FHE computing systems 111-113. System 201 is similar to system 200 except that some specific options are presented in implementing the system. The system 201 is configured to perform blindnessThe polynomial is rotated, for example, in encrypted form. In particular, the system 201 may be configured as Fully Homomorphic Encryption (FHE). For example, the system 201 may store FHE operations to be performed on encrypted values, at least some of which may be received from outside the system 201, such as from the device 160. For example, system 201 may include a communication device configured to receive an encrypted value. One such encrypted value, encrypted value 231, is shown in fig. 2 b. The system 201 may employ different types of encryption. The encrypted value 231 is marked with a 'v'. The encrypted value may be encrypted as the encrypted value 300. For example, the encrypted value 231 may include a sequence of masking values (sometimes referred to as a j ) And a masked value (sometimes referred to as b). The masked value may be calculated from the noise, the clear value, and the mask, for example, using a masking function, for example, by modulo addition or subtraction, and the like. The mask is unknown to the system 201. The mask may be calculated from the masking value provided that the key (generally denoted s) is accessible-nor is the system 201 able to access the key s. The key(s) comprises a sequence of key digits (s j ) One number has one of at least three possible values. For example, the mask may be calculated as a dot product of the confidential digital sequence and the masking value. The masking value and key number may be randomly selected for new encryption.
To obtain the masked value, some noise is added in addition to combining the masked value and the plaintext value to avoid the linear relationship. The encrypted values will typically be obtained from outside the system 201, or they will be the result of a calculation on the system 201, e.g., an output value or an intermediate result. For example, the encryption of the value 231 may be a so-called fault tolerant learning encryption (LWE) encryption.
The polynomial 210 is stored in the system 201. Note that polynomial 210 does not require encryption. This is indicated by a circle in fig. 2 b. Polynomial 210 may be encrypted, but is generally not necessary. In application, the polynomial 210 may represent an input-output relationship, e.g., an exponent of the polynomial 210 may represent an input value, and a coefficient corresponding to a particular exponent may represent a corresponding output value. Polynomial 210 is sometimes referred to as a test polynomial. For example, test polynomials may be used to implement bootstrap operations and more generally function evaluation operations.
To rotate the polynomial 210, the accumulator may be initialized, for example, by an accumulator activation unit 221. The accumulator may hold the intermediate result of the rotation polynomial 210. Note that the accumulator 234 may be encrypted in a different manner than the encrypted value 231. This encryption type is denoted by G, i.e. "general". This may be a similar type of encryption as the encrypted value 231, except that a polynomial is used instead of the value. The type G encryption may use the same key and the same number of mask polynomials as the number of mask values, but this is not necessary.
For example, instead of a plurality of masking values, one masked value, and one masking value, all three may be polynomials. For example, these values may be GLWE values. Note that the key used to encrypt accumulator 234 may also be different from the key used for the encrypted value, e.g., s' instead of s, both of which are unknown to system 201. In fact, instead of bits, the key for the GLWE value may use a polynomial with binary coefficients.
For example, accumulator 234 may be pressedIs started by means of the method. The sequence of 0 represents a masking value. Since the masking value is 0, in this case, it is not important what key is used. Item->Is indicated at->Rotation on; for example, it is X N +1 is calculated modulo. Where N-1 is the maximum exponent used in polynomial 210. The rotation may be performed directly on the masked value b or may be performed on the discrete value +.>And (3) performing the process. For example, it may be preferable if the number of indices does not support the full size of b.
The rotation on the masked value includes rotation of the plaintext value and rotation of the mask. The latter rotation is recovered in multiple iterations of the masking values. In each iteration, the accumulator rotates one more secret number/masking value. For example, in one embodiment, at the beginning and end of each iteration, the accumulator includes an encryption of the polynomial 210 that rotates over some number of places. The specific method is as follows. In one iteration, an encryption multiplier polynomial 233 is calculated. Multiplication with the encryption multiplier polynomial is used to rotate the accumulator. However, since the encryption multiplier polynomial 233 is encrypted, the system 201 does not know where to rotate. To facilitate multiplication, encryption of the polynomial 233 may use an encryption scheme that facilitates such multiplication. In particular, so-called external multiplications may be used, in which one operand is a polynomial encrypted in a conventional way (e.g. like an accumulator) and the other exponent is encrypted in a special way. The external multiplication is denoted by 'Ext' in fig. 2 b. External multiplication is typically a resource intensive step. For example, this further encryption field (e.g., selecting a polynomial because of its efficient multiplication) may be GGSW encryption.
After constructing the encryption multiplier polynomial P, it can be used to rotate the accumulator. Different options are possible. P may be arranged to be equal to a single encryption, for example,wherein s is j Is a confidential number,/->Is a masking value # -The wavy line representation of (if it needs to be adapted to) can discretize the value; can be +.>May also be obtained by scaling aj>b and->As well as the same. For example, if a binary bootstrap key is used for each possible value of the key number, then a single expression may be used to represent P. The accumulator can be updated by calculating the product acc·p, usually using an external multiplication.
For example, P may be arranged to be equal to a single item minus 1, e.gWherein s is j Is a confidential number that is to be read,is a masking value, which is preferred. For example, if a binary bootstrap key is used for each possible value of the key number (except for one value, e.g., zero), then P may be represented using a single equation minus 1. The accumulator may be updated by calculating the product Acc P and adding the accumulator (e.g., acc + Acc P), again typically using external multiplication, which may be performed in the same encryption domain as used by the accumulator, e.g., the same encryption/decryption algorithm and the same key. Alternatively, it is also possible to use And updates the accumulator to-a. Acc + Acc P, where a is a scalar, e.g., -1, 2, etc. Note that in the above selection, the plaintext multiplier polynomial comprises a single term having an exponent equal to the blind rotation amount required to correct the combination of the masking value and the secret number, e.g. < + >, for example>
Thus, blind rotation on the encrypted value 231 (e.g., encryption of the value μ, which may be a pair of valuesMasking, e.g., scaled version of μ and noisy version) can be divided intoRotation on the masked value (in plain form), and the value of the current key number (s j ) And the corresponding masking value->Further blind rotations are represented. The latter series of further blind rotations will correct the initial rotation of the masked value, remove the mask and obtain the correct rotation value, albeit in encrypted form. Then, a series of iterations is completed in encrypted form using homomorphic operations. Note that the encryption value ++>May be discretized (as shown by the wavy line) or contain noise (as shown by the asterisk).
Note that we can correct multiple mask value and secret number combinations in one iteration, e.g., by including a single formula for two or more pairs of corresponding secret numbers and mask valuesIf another combination function is chosen than multiplication, a combination function may be included, e.g. -, for example +. >Etc. For example, the combining function may be, for example, xor.
In yet another variation, the multiplier polynomial may have more than one single term. For example, for some e 1 And e 2 The plaintext multiplier polynomial may be in the form ofThis form may be convenient in reducing the number of bootstrap keys, but does not give a special place to a value of zero. Other terms in the multiplier polynomial may be considered during the update. The multiplier polynomial is typically only accessible in encrypted form by the system performing the computation.
Constructing the multiplier polynomial is done in an encrypted state. The details of constructing the multiplier polynomial depend on the particular encryption domain selected, e.g., the particular set of algorithms used for encryption, decryption, combining, etc. Typically, constructing the encryption multiplier polynomial is done on system 201, e.g., the masking value may vary depending on the operating conditions. For example, constructing the encryption multiplier polynomial may use, as inputs, masking values corrected in a particular iteration (which masking values may be obtained from memory on system 201) and a bootstrap key that provides encrypted data items that together determine a particular value of the key number. For example, one approach is to calculate a plaintext multiplier polynomial for all possible values of the key number and use the bootstrap key to select the correct one; the former may be done in plain form while the latter is done under encryption masking.
For example, in one possible structure, all plaintext multiplier polynomials may be generated for all possible values of a particular secret number and a particular masking value (which may be discretized). The bootstrap key may then be used to select multiple plaintext multiplier polynomials as a single encrypted multiplier polynomial for selection under encryption. In one possible choice of multiplier polynomials, for example, all plaintext polynomials may be generated for all i and a given j, e.g.,wherein->Is a masking value, possibly scaled, A (i) represents the secret number s j Is a possible value of (c). For example, for a ternary key, a (0) = -1 may be taken; a (1) =0; a (1) = +1. The order of A (i) among the possible values of the secret numbers is not important. Typically, we will choose consecutive values and/or values balanced around zero, if this is not the case, the technique will work as well, e.g. a (0) =0; a (1) =1; a (2) =2; ..; a (9) =9 or a (0) = -1; a (1) =2; a (2) =3. The plaintext polynomial may now be combined in the encryption domain where the bootstrap key is located. For example, it is possible to select from the bootstrap key, the masking value +.>And the current key number (s j ) The multiple possible values (A (i)) of iteration j are calculated as an encryption multiplier polynomial +. > And performs an outer product with the encryption multiplier polynomial to further blind rotate the polynomial. In other words, various individual expressions +.>Is multiplied (e.g., as a dot product) by a bootstrapping key sequence that indicates which plaintext polynomial in the sequence is the actual polynomial. However, the result of the multiplication of the bootstrap key and the clear polynomial is an encryption polynomial, and the system 201 cannot further distinguish whether the result is 0 or another polynomial. Value e i May be a combination of possible values of the secret number and the masking value.
An interesting side effect of the type multiplication is that the result can be found in a bootstrapping key bsk i (i) The same encryption domain is encrypted. Different encryption domains will typically mean different keys and different encryption schemes.
Finally, the encryption multiplier polynomial 233 is a pair containing a single term X e To rotate the accumulator 234 by e steps. For example, the encryption multiplier polynomial 233 may be X e -1 or X e +1 or X e 、X e -X d Etc. Interestingly, the encryption multiplier polynomial 233 is in an encryption domain suitable for multiplication, such as the outer domain, while the accumulator may be in the general domain where the polynomial is generally encrypted.
The system 201 may be configured to update the accumulator, for example, using the accumulator update unit 223. For example, the accumulator update unit 223 may multiply the encryption polynomial multiplier with the accumulator. The latter may be done using external multiplication, for example using external multiplier 224. The external multiplier is external in that it implements a so-called external multiplication, e.g. outside the encryption domain of the accumulator 234 or the value 231. The encryption multiplier polynomial 233 may perform further steps such as adding an accumulator to the external multiplication result. Thus, the input to the external multiplication may be an encrypted multiplier polynomial encrypted in the external encryption domainAnd an accumulator encrypted in the general encryption domain. The result of the external multiplication is in the general encryption domain. If the external multiplier polynomial is in a different encryption domain and uses a different key (e.g., s'), the external multiplication may include a key conversion step to return to key s. The key conversion may include a key conversion key that may be provided by a client (e.g., data provider 160). For example, the encryption multiplier polynomial may be GGSW encryption, while the blind rotation polynomial (e.g., accumulator) may be GLWE encryption. Since the side effect of blind rotation may be a conversion from a key for an encrypted value to a key for an encrypted bootstrap key, key conversion may also be employed after blind rotation.
Interestingly, only one external multiplication is required in one iteration. Furthermore, the number of external multiplications is independent of the number of possible values of the secret number and the number of bootstrap keys used. In fact, in one embodiment, one external multiplication is used for each key number. The number of external multiplications may be further reduced, for example by processing multiple secret numbers in one iteration. The latter may require more bootstrap keys while reducing the number of external multiplications. For example, for a ternary key, each secret number may use 2= (3 1 -1) bootstrap keys, and each secret number may use an external multiplication. However, 8=3 may also be used per two key digits 2 -1 bootstrap key and one external multiplication; i.e. the number of bootstrap keys is twice the original, but the number of external multiplications is half the original.
Fig. 4 schematically shows an example of an embodiment of the rotation of the test polynomial. The test polynomial encodes a mapping between input values and output values by representing possible input values represented by exponents of the single-term of the test polynomial and coefficients representing corresponding output values. Such a polynomial is called a test polynomial. For example, it may be used for bootstrap operations. The exponent represents a high noise level value, where the coefficient represents the same value but without noise or with a lower noise level. This can be used, for example, to evaluate arbitrary functions in a homomorphic manner. For example, an exponent represents a value that may have a high noise level, while a coefficient represents a function applied to the value and some applied noise, typically a lower amount of noise than at the time of input. The latter thus combines function evaluation and bootstrapping.
Fig. 4 shows a coefficient sequence of the test polynomial at 410. For example, the leftmost square represents X 0 The next square on the right represents X 1 Coefficients of (c), etc. Test polynomial 410 blindly rotates to the leftStep, i.e. test polynomial andmultiplying; polynomial multiplication by X N +1 is the modulus. Note that in the test polynomial, some coefficients are associated with the exponent +.>Correspondingly, this is indicated by arrow 411. The coefficients shown in the squares are the desired results; in the illustrated case, this may be a bootstrap operation. The desired result in this case is +.>For example, and->Corresponding plain code noise reduction values. Note that (I) is->And->Representing particular plaintext values, which are typically not available to the system 201. The system 201 will have->Is a version of the encryption of (c). However, the test polynomial itself may be in a plaintext form, as it records the plaintext form relationship between the input value and the output value. For example, at arrow 412 +.>To encode the function f.
And (3) withMultiplying by index->The corresponding coefficients become constant terms. The constant term is indicated by arrow 412 on the right after blind rotation. Note that the rotation itself is performed in an encrypted state. The end result after rotation is also an encryption polynomial. By selection of constant terms (also referred to as sampling), encryption, e.g., bootstrapping, of the function defined by the test polynomial may be obtained. It is not necessary that the blind rotation and test polynomial be configured such that the desired result is obtained at a constant term, but rather, any fixed location in the coefficients may be selected for blind rotation such that the desired result is obtained at that fixed location.
For example, function evaluation may be used to implement multiplication in square operations. Consider a test polynomial in which coefficients represent the squares of the exponents; noise reduction may also be incorporated in the coefficients. This test polynomial may be used for the square of the value as shown herein. To multiply two numbers x and y (e.g., an encrypted value, e.g., a value such as value 231, e.g., an LWE value), the product may be calculated as (x+y) 2 -x 2 -y 2 And divided by 2, or calculated asEtc. The divide by 4 operation may be incorporated into the squaring operation. Dividing by 2 may also be implemented as programmable bootstrapping.
For example, FHE systems 110, 111-113, 200, and 201 may include a communications interface. The communication interface may be selected from a variety of alternatives. For example, the interface may be a network interface with a local or wide area network (e.g., the Internet), a memory interface with internal or external data storage, a keyboard, an application interface (API), etc. In particular, the communication interface may be configured to connect to a computer network. The communication interface may be used to receive a digital data set. The data set may include data items (e.g., parameters, values, etc.) on which the FHE system will perform calculations. The data set may include instructions, for example, instructions indicating which FHE operations to perform. The data set may contain both data items and instructions, but this is not required. For example, in a first embodiment, the FHE may be configured with an FHE program, e.g. an FHE operation sequence, possibly together with control commands. The configured FHE procedure may be performed on the data received in the dataset. For example, the data set may include encrypted sensor values, e.g., obtained from a sensor. For example, the data set may include assistance data configured to improve the FHE system, e.g., bootstrap key, e.g., to reduce noise accumulation, e.g., handover key, to handover key, etc. The partial data items may be in plain form, but this is not essential. Operations on plaintext data may be performed more efficiently. It is not uncommon for data to be a mix of privacy sensitive information and non-privacy sensitive data, for example. For example, the data set may contain medical information related to certain individuals on the one hand and a threshold value according to which the medical information needs to be evaluated on the other hand. In one embodiment, the threshold may be communicated in clear form, while the medical information is encrypted.
For example, in a second embodiment, the FHE system may configure data, such as a sequence of test values, and operations performed on the data are communicated in the form of a data set. In a third embodiment, the FHE system may receive both data items and instructions in the data set.
The FHE system may have a user interface, which may comprise well known elements such as one or more buttons, a keyboard, a display, a touch screen, etc. The user interface may be arranged for accommodating user interactions to configure the system, apply the system to new data, etc. The memory may be implemented as electronic memory (such as flash memory) or magnetic memory (such as a hard disk or the like). The memory may include a plurality of separate memories that together comprise the memory. The memory may include temporary memory, such as RAM. The memory may be cloud memory.
These systems (e.g., systems 110, 200, and 201) may be implemented in a single device. Typically, the system includes one or more microprocessors that execute appropriate software stored in the system; for example, the software may have been downloaded and/or stored in a corresponding memory, e.g., volatile memory (such as RAM) or non-volatile memory (such as Flash). Alternatively, the system may be implemented in whole or in part in programmable logic (e.g., as a Field Programmable Gate Array (FPGA)). The system may be implemented in whole or in part as a so-called Application Specific Integrated Circuit (ASIC), such as an Integrated Circuit (IC) tailored for its particular use. For example, the circuitry may be implemented in CMOS, e.g., using hardware description languages such as Verilog, VHDL, etc. In particular, the system may include circuitry for evaluating cryptographic primitives.
The processor circuits may be implemented in a distributed manner (e.g., as a plurality of sub-processor circuits). The memory may be distributed over a plurality of distributed sub-memories. Some or all of the memory may be electronic memory, magnetic memory, etc. For example, the memory may have volatile and nonvolatile portions. A portion of the storage may be read-only.
Several further optional refinements, details and embodiments are exemplified below.
Definition of the definitionWhere q and N are both powers of 2. Defining binary setsAnd->For key->Plaintext->Is->Encryption by->Given, wherein->Wherein ∈1 for some random noise-> We write +.>When (N, k) = (1, N), the result proves +.>And the procedure described above is->Ciphertext. Then we write outAs a means ofIn key-> Lower to plaintext->Wherein->And->Wherein ∈1 for some random noise->
Bootstrapping may involve so-called blind rotation. It will beCiphertext-> Conversion to->I.e. at key +.>Lower pair->Go on->Encryption, wherein->Is->Discrete values of>Is a test polynomial. In particular, ifThen
Test polynomialProgrammed as a look-up table, thereby +.>Drift, coding +.for selected function f>Algorithm 1 below shows a blind rotation algorithm, which uses n bootstrap keys, Wherein j is more than or equal to 1 and n is more than or equal to n.
Algorithm 1: blind rotation (binary case).
The blind rotation can be calculated as a series of CMux operations. Input an encrypted bit b e {0,1}, andciphertext (ciphertext)And two->Ciphertext->And->The CMux operation outputs an encryption and +.>The cipher text of the same plain text,
wherein,representing the outer product of the ciphertext. It can be verified that at the end of the cycle the accumulator ACC is contained in the key +.>Lower pair->Is->Encryption. Conventional FHE systems are essentially limited to binary keys. Algorithm 1 above is the paper "TFHE" by Illar Chillotti, nicolas Gama, mariya Georgieva and Malika Izabach re: fast Fully Homomorphic Encryption over the Torus ", algorithm 4. The inventors found that if algorithm 1 is extended to e.g. ternary keys +.>2n outer products will be involved. For the same value of n, this is twice more than in the binary case. This is almost twice as much as the amount of work. It would be advantageous if the range of key numbers could be expanded without suffering the adverse consequences of the form of the number of outer products.
In one embodiment, blind rotation of the ternary key may be greatly improved. It is observed that the single item(wherein->) Can be expressed in an additive manner as: For all 1.ltoreq.j.ltoreq.n and all 1.ltoreq.i.ltoreq.2, 2n bootstrap keys may be defined as +.>Will->Encryption is applied to the above relationship yields:
thus, the following exemplary embodiment a may be described as follows:
embodiment a: blind rotation (ternary case)
Interestingly, in embodiment a, for a key with n ternary numbers, the calculation of blind rotations with ternary keys requires only n outer products. The inventors have appreciated that this approach may be used to allow numbers above 3 values. In fact, the proposed method may be adapted to support keys in arbitrary formats.
To fully consider the commonality, we assume that the key is from an arbitrary set(e.g., a set of ternary keysExtracting. Let us set->Representation->Is a base of (c). Single item->The addition can be written as:
herein, the decision function 1 is defined as: when t=s j When 1{t =s j } =1; otherwise, 1{t =s j } =0. Define set i= {0,..m-1 }. The base elements may be defined as vectorsIts component is->Is a different element of (a). For example, for a ternary key, it is possible to set m=3 and write a= (0, 1, -1) so that a [0 ]]=0,A[1]=1,A[2]= -1. Vector a produces a function: />The index I e I is taken as input and the I-th component of a is returned, e.g. starting from i=0. Therefore, write +. > With τ 0 =A[0]=a (0) represents the first number in the basic element, and can be written: />
With previous expressionsIn contrast, this expression uses one less decision function. One advantageous option is to take τ 0 =0, so that the expression becomes:
thus, n (m-1) bootstrap keys are defined for all 1.ltoreq.j.ltoreq.n and all 1.ltoreq.i.ltoreq.m-1Wherein sigma j,t =1{t=s j T=a (i), the following algorithm can be obtained. Surprisingly, the number of outer products is still equal to n—the number of secret numbers. For a given security level, we note that the value of n is a decreasing function of m.
Embodiment b1 blind rotation (high radix case).
By choosing one of the possible values of the secret number to be 0, the following optimizations can be obtained:
embodiment b2 blind rotation (high radix case).
By processing multiple numbers of keys simultaneously, the number of external multiplications can be reduced. The processing method of the two-digit key is described in detail below. As shown above, the single item typeCan be represented by +.>σ j,t =1{t=s j }. In the case of two numbers, it can be generalized to:
/>
when τ is 0 When=0, it can be simplified as:
more generally, for d numbers, one can obtain:
for ease of description we assume d|n. We can write out Definitions->The individual bootstrap keys are:
wherein (t) 1 ,...,t d )=(A(i 1 ),...,A(i d ) For all 1.ltoreq.h.ltoreq.n/d and all (i) 1 ,...,i d )∈{0,...,m-1} d And (i) 1 ,...,i d ) Not (0., 0). The number of outer products is reduced to n/d.
Embodiment C1: blind rotation (general cardinal case).
Embodiment C2: blind rotation (general cardinal case).
Embodiment C2 assumes that one of the possible values of the secret number is 0, e.g., τ 0 =0. Even if this is not necessary. In embodiments C1 and C2, d secret numbers are processed in one iteration, e.g., with one external multiplication. The numbers processed need not be consecutive. For example, d may be 2 or more, 3 or more, etc.
One encryption value may use n masking value sequences (a j ). To mask the plaintext values, some noise is also added with the noise parameter sigma. This encryption is sometimes referred to as noise encryption. Some possible values of n and σ are as follows:
table 1: possible values of n and sigma in a 32-bit implementation
n σ
630 2 -15
567 2 -13.35
606 2 -14.37
The above numbers can be used for LWE encryption. These values are suggestions for acceptable combinations of performance, safety, and reliability. Particular embodiments having particular requirements in terms of performance, security, and risk of failure may wish to select, for example, a lower n to achieve higher performance; higher n and/or higher σ to obtain higher security; and lower sigma to obtain higher reliability. Note that GLWE encryption uses polynomials and that GLWE may use similar numbers.
There are more than two possible values for the secret number. The suggestion includes ternary numbers, e.g., numbers-1, 0, 1; in one embodiment, the possible values of the secret number are balanced around zero, e.g., for some integer h, the secret number may have the following values: { -h, -h+1,..0, 1,..h-1, h }. For example, h may be 1, 2, 3, or the like. Typically, all confidential numbers are allowed to have the same number of possible values, but this is not necessary. The advantage of balanced possible values is that they reduce the increase of noise during FHE operation.
The value of the key may be encoded by a plurality of data items representing the number of keys. The best choice for the plurality of data items is bits. Multiple data items may be implemented as a vector of 0 bits and up to one 1; where 1 represents the value of the key digit. Encrypting the elements of the vector provides the bootstrap key.
For completeness, some possible implementations of FHE operations involving external multiplications are given below. FHE can operate directly on ciphertext. Depending on the type of operation, the noise level generated will also increase more or less.
Addition method
And->Ciphertext is homomorphic in terms of addition. For example, let- > And(wherein->) Respectively plain text->Is an encryption of (2); i.e.
/>
Wherein,then
Is thatIs->Encryption, provided that the noise generated is +.>Remain small.
Scalar multiplication
By means of the extension the number of the cells,and->Ciphertext is homomorphic in terms of multiplication by a constant. For example, let->Andwherein->Then
Is thatIs provided that->Remain small. If K < 0More generally, if->Then->Is->Is provided that->Kept small.
Outer product
And->Ciphertext does not support local internal multiplication, which in fact means two +.>Ciphertext cannot be multiplied directly. To perform the multiplication, external multiplication may be used. External multiplication of ciphertext, for example +.>Ciphertext and encryption of multiplier m are input. The latter may be encrypted using a different type of encryption that is more suitable for multiplication. In turn, this external multiplication may be used to define a more general multiplication. For example, one matrix-based approach to external multiplication is the GSW structure, e.g., as described in Craig gateway paper "Computing Arbitrary Functions of Encrypted Data," which is incorporated herein by reference. We write +.>Andspecial case (k, N) = (N, 1) use +.>And (3) representing.
Using the previous Symbol, set parameter b=2 β And l, wherein β, l is greater than or equal to 1 and thus lβ is less than or equal to Ω, where Ω represents bit precision; q=2 Ω . At the same time define vector g= (2 Ω-β ,2 Ω-2β ,...,2 Ω-lβ ). About->Encryption keyPlaintext->Is->Encryption is defined as:
wherein,
is a matrix containing a new 0 in each rowEncryption, and wherein->
Is a so-called small matrix (gadget matrix), where I k+1 Is an identity matrix of size k+1. Notably, it is regarded asInteger>Always can be approximated by a signed digital technique-B of size l:
wherein the method comprises the steps ofWherein the number->And the approximation error is bounded by |g -1 (d)g T -d|≤q/(2B l )=2 Ω-βl-1
By inference, for polynomialsIts coefficient is regarded asInteger in>Defined as-> It is obvious that the process is not limited to,this is true. Finally, vectors for the k+1 polynomialDecomposition-> Is defined asAnd->
It is interesting to note that,small decomposition of ciphertext (gadget decomposition) yields AND +.>Outer product of ciphertext. Specifically, for plaintext->And->If it isAnd->Then their outer products (use +.>Represented) is given by:
the product can be obtained by slightly adding algebra,
is thatIs->Encryption, provided that the noise generated (including approximation errors) remains small.
CMux gate
Starting from the outer product, a new hierarchical operation can be defined: "controlled" multiplexers or CMux. CMux acts as a selector according to the bits, but on the encrypted data. Its input is two separately encrypted plain textsAnd->A kind of electronic deviceCiphertext->And->And +.about.one encryption bit b>Ciphertext->The result is encryption->Is->Ciphertext (ciphertext)Provided that the noise generated remains small. The CMux gate is given by:
it can be used in homomorphic calculations, and in particular in bootstrapping.
At the end of the loop of embodiments A, B, B2 and C, ACC is contained in the keyLower pair->Is->Encryption. In fact, let->Representing the value of accumulator ACC at iteration i=j, i.e. +.>Therefore, let->We can obtain:
for some polynomialsIts constant term is->I.e. < -> Wherein->As desired. The remaining steps of bootstrapping include extractionConstant coefficient of (2) as->Is->Ciphertext. This is a simple operation called sample extraction (sample extraction) by simple extraction +.>Some coefficients of ciphertext.
In more detail, set upWherein-> Will->Analysis intoWherein->And is also provided withIt can verify that:is in the key->Lower pair->Is->Encryption, wherein s' l+1+(j-1)N :=s′ j,l J is more than or equal to 1 and less than or equal to k, and l is more than or equal to 0 and less than or equal to N-1.
Key conversion may be performed if desired. For example, if blind rotation results in a key conversion, this can be done to switch back to the original key. For example, with the above procedure, ciphertext is inputAnd the generated output ciphertext-> Hao Jiami plaintext->But the keys used are different and the formats are also different.
To be connected withTurning back to the initial setting, an operation called key switching (key switching) may be performed. The key conversion technique is the classical technique of FHE; it can be used to transform encryption keys for different parameter sets. Its implementation may use key-switching keys: they may include key bits for s' with respect to the initial key sEncryption. The process is very similar in concept to bootstrapping, but there is a substantial distinction between these two technologies: bootstrapping reduces noise (and computational requirements are high), while key conversion increases noise (but the evaluation cost is low). For example, assume that the key conversion key is given +.>For all 1.ltoreq.i.ltoreq.kN and 1.ltoreq.i.ltoreq.l ks For some parameters B defining a small decomposition: = Bks and l: = lks. Input at key->Lower->Ciphertext-> Wherein->Is to ∈under the key s>Is->Encryption provided that the noise generated remains small.
Further details regarding bootstrapping, programmable bootstrapping, and their use in homomorphic assessment of neural networks can be found in the above-referenced "Programmable Bootstrapping Enables Efficient Homomorphic Inference of Deep Neural Networks," which is incorporated herein by reference.
Fig. 5 schematically illustrates an example of one implementation of a computing method 500. The method 500 implements blind rotation of the polynomial in a homomorphic manner. That is, the calculation of the rotation and the final result are performed in the case of encryption. The rotated polynomial (e.g., one of the inputs to the method) may be in a plaintext form, although the rotated polynomial is encrypted. The method may be implemented on a computer. The method may include:
an encrypted value is received 510. For example, the encrypted value may be received over a communication interface, such as a communication interface of a computer network. The cryptographic values may represent all types of data, in particular they may represent technical data, e.g. sensor values obtained from the values. FHE operations may be performed on the received encrypted values. Further, FHE operations may also be performed on other encrypted values (e.g., intermediate results or previously stored values, etc.).
Also received are auxiliary FHE data which may be encrypted with the same key as the encryption value and may be used to perform or optimise FHE operations etc. In particular, a bootstrap key is received.
As represented by the encryption value, blind rotation selectively rotates the coefficients of the polynomial. For example, blind rotation can be seen as modulo a polynomial (typically in X N +1 is modulo) X -u Multiplication of the f (X) type, where f is a polynomial and u is a value, except that u can only be provided in encrypted form. The output of the blind rotation is also encrypted. The method includes rotating 520 the polynomial over the masked ones of the encrypted values and iterating 530 over the key numbers. For example, portion 530 may implement a method such as "For j=1 to n do" (if the iteration is atEach key is numerically done separately), or "For j=1 to n/d do" (if the iterations are done with some numbers together).
The iteration may use an external multiplication 544 and an encryption multiplier polynomial to implement the iteration. For example, in the calculation section 542, an encryption multiplier polynomial is constructed from the bootstrap key and the masking value. External multiplication 544 may also include other arithmetic operations (e.g., addition), as in one implementation.
Many different ways of performing the method are possible, as will be apparent to a person skilled in the art. For example, the order of steps may be performed in the order shown, the order of steps may be changed, or some steps may be performed in parallel. Furthermore, other method steps may be interposed between the steps. The inserted steps may represent refinements of the method, as described herein, or may be unrelated to the method. For example, some steps may be performed at least partially in parallel. Furthermore, a given step may not be completed completely before starting the next step.
Embodiments of the method may be performed using software that includes instructions for causing a processor system to perform the method 500. The software may include only those steps taken by a particular sub-entity of the system. The software may be stored on a suitable storage medium such as a hard disk, floppy disk, memory, optical disk, etc. The software may be transmitted as a signal, either wired or wireless, or using a data network (e.g., the internet). The software may be available for download and/or remote use on a server. Embodiments of the method may be performed using a bit stream arranged to configure programmable logic, such as a Field Programmable Gate Array (FPGA), to perform the method.
It will be appreciated that the presently disclosed subject matter also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the presently disclosed subject matter into practice. The program may be in the form of source code, object code, a code intermediate source, and object code (such as in partially compiled form), or in any other form suitable for use in the implementation of the method. One embodiment relating to a computer program product includes computer-executable instructions corresponding to each of the processing steps of the at least one method set forth. The instructions may be subdivided into subroutines and/or stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each device, unit and/or portion of at least one of the systems and/or products set forth.
Fig. 6a shows a computer readable medium 1000 having a writable portion 1010, and a computer readable medium 1001 also having a writable portion. Computer readable medium 1000 is shown in the form of an optically readable medium. The computer readable medium 1001 is shown in the form of an electronic memory, in this case a memory card. Computer readable media 1000 and 1001 may store data 1020, where the data may represent instructions that, when executed by a processor system, cause the processor system to perform one embodiment of a blind rotation method according to one embodiment. The computer program 1020 may be embodied on the computer readable medium 1000 as physical markers or by magnetization of the computer readable medium 1000. However, any other suitable embodiment is also conceivable. Furthermore, it will be appreciated that although computer-readable medium 1000 is illustrated herein as an optical disk, computer-readable medium 1000 may be any suitable computer-readable medium, such as a hard disk, solid state memory, flash memory, etc., and may be non-recordable or recordable. The computer program 1020 includes instructions for causing a processor system to perform the blind rotation method.
Figure 6b shows in schematic representation a processor system 1140 according to one embodiment of the FHE device or system. The processor system includes one or more integrated circuits 1110. The architecture implementing one or more integrated circuits 1110 is schematically shown in fig. 6 b. The circuit 1110 includes a processing unit 1120 (e.g., a CPU) for running computer program components to perform the methods according to one embodiment and/or to implement modules or units thereof. The circuit 1110 includes a memory 1122 for storing programming code, data, and the like. A portion of memory 1122 may be read-only. The circuit 1110 may include a communication element 1126, such as an antenna, a connector, or both, or the like. Circuitry 1110 may include application specific integrated circuit 1124 for performing some or all of the processes defined in the method. The processor 1120, memory 1122, application specific integrated circuit 1124 and communication element 1126 may be connected to each other by an interconnect 1130, such as a bus. The processor system 1110 may be arranged for contact and/or contactless communication using an antenna and/or connector, respectively.
For example, in one embodiment, the processor system 1140 (e.g., an FHE system or device) may include a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit. For example, the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, or the like. In one embodiment, the processor circuit may be ARM Cortex M0. The memory circuit may be a ROM circuit or a non-volatile memory (e.g., flash memory). The memory circuit may be a volatile memory (e.g., SRAM memory). In the latter case, the device may comprise a non-volatile software interface (e.g. a hard disk, a network interface, etc.) arranged for providing the software.
Although device 1110 is shown as including one of each of the described components, multiple components may be duplicated in multiple embodiments. For example, the processor 1120 may include a plurality of microprocessors configured to independently perform the methods described herein, or to perform the steps or subroutines of the methods described herein, such that the plurality of processors cooperate to implement the functions described herein. Furthermore, where the device 1110 is implemented in a cloud computing system, the various hardware components may belong to separate physical systems. For example, the processor 1120 may include a first processor in a first server and a second processor in a second server.
The following numbered clauses include contemplated non-limiting embodiments.
1. A computer-implemented blind rotation method for Fully Homomorphic Encryption (FHE), the method comprising:
-receiving an encryption value (LWE) and a bootstrap key;
-performing a blind rotation, the blind rotation selectively rotating the polynomial as represented by the encryption valueThe encryption value comprising a sequence of masking values +.>And a masked value (b) which can be obtained from the plaintext value, the mask (Σa) i s i ) And noise calculation, the mask being capable of being calculated from a key(s) and a sequence of masking values, the key(s) comprising a sequence of key digits (s i ) A number having one of at least three possible values, a plurality of bootstrap keys corresponding to each key number, the plurality of bootstrap keys being encryption of a plurality of data items representative of the key number, performing a blind rotation comprising: />
-rotating the polynomial over the masked value (b) and iterating once over the key number (For j=1 to n do; for j=1 to n/d do), like the current key number (s j ) And corresponding masking valuesRepresented, the iteration further blindly rotates the polynomial, the iteration comprising +_with the encryption multiplier polynomial>To further blindly rotate the polynomial, the encryption multiplier polynomial being composed of a bootstrap key (bsk), a masking value +.>And the current key number (s j ) Is calculated from a plurality of possible values (a (i)).
2. A computing system for homomorphic encryption (FHE), comprising:
-a communication interface for receiving an encrypted value (231; lwe) and a bootstrapping key;
-a processor system configured to:
-performing a blind rotation, the blind rotation selectively rotating the polynomial as represented by the encryption valueThe encryption value comprising a sequence of masking values +.>And a masked value (b) which can be obtained from the plaintext value, the mask (Σa) i s i ) And noise calculation, the mask may be calculated from a key(s) and a sequence of masking values, the key(s) comprising a sequence of key digits (s i ) A number having one of at least three possible values, a plurality of bootstrap keys corresponding to each key number, the plurality of bootstrap keys being encryption of a plurality of data items representative of the key number, performing a blind rotation comprising:
-rotating the polynomial over the masked value (b) and iterating once over the key number (For j=1 to n do; for j=1 to n/d do), like the current key number (s j ) And corresponding masking valuesRepresented, the iteration further blindly rotates the polynomial, the iteration comprising +_with the encryption multiplier polynomial>To further blindly rotate the polynomial, the encryption multiplier polynomial being composed of a bootstrap key (bsk), a masking value +.>And the current key number (s j ) Is calculated from a plurality of possible values (a (i)).
It should be noted that the above-mentioned embodiments illustrate rather than limit the presently disclosed subject matter, and that those skilled in the art will be able to design many alternative embodiments.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb "comprise" and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. When an expression such as "at least one" is placed before a list of elements, it means that all elements or any subset thereof are selected from the list. For example, the expression "at least one of A, B and C" should be understood to include a alone, B alone, C alone, both a and B, both a and C, both B and C, or all of A, B and C. The presently disclosed subject matter can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
In the claims, any reference signs placed between parentheses refer to reference signs in the exemplary embodiment figures or formulas of the embodiments, thereby improving the understandability of the claims. These reference signs should not be construed as limiting the scope of the claims.

Claims (16)

1. A computer-implemented blind rotation method (500) for Fully Homomorphic Encryption (FHE), the method comprising:
-receiving (510) an encrypted value (231; lwe) and a bootstrap key (232);
-performing a blind rotation, the blind rotation selectively rotating the polynomial (210;) The encryption value comprising a sequence of masking values +.>And a masked value (b) which can be obtained byPlaintext value, mask (Σa) i s i ) And noise calculation, the mask being capable of being calculated from a key(s) and a sequence of masking values, the key(s) comprising a sequence of key digits (s i ) A key number having one of at least three possible values, a plurality of bootstrap keys corresponding to each key number, the plurality of bootstrap keys being encryption of a plurality of data items representative of the key number, performing a blind rotation comprising:
-rotating (520) the polynomial (210) over the masked value (b) and iterating (530) once over the key number, according to the current key number (s j ) And corresponding masking valuesRepresented, the iteration further blindly rotates the polynomial, the iteration comprising +_with the encryption multiplier polynomial>To rotate the encrypted accumulator, said encryption multiplier polynomial being composed of a bootstrap key (bsk), a masking value +.>And the current key number (s j ) Is calculated from at least three possible values (a (i)).
2. The method of claim 1, wherein the encryption multiplier polynomial expression pair comprises a single term (X d ) Of the plaintext polynomial (P) j (X)) encryption, wherein the exponent of the single expression is derived from the current key number (s j ) And corresponding masking valuesFurther rotation amounts are indicated.
3. The method of any of the preceding claims, wherein the encryption multiplier polynomialThe representation pair is of the form X d –X e 、X d -1 or X d Is an encryption of the plaintext polynomial.
4. The method of any of the preceding claims, comprising computing the encryption multiplier polynomial, the computing comprising:
-for the current key number (s j ) A plurality of possible plaintext multiplier polynomials (P) are calculated from a plurality of possible values (A (i)) j (X));
-computing the encryption multiplier polynomial from a plurality of possible plaintext multiplier polynomials and a corresponding plurality of bootstrap keys.
5. The method of claim 4, wherein,
-calculating the encryption multiplier polynomial for a plurality of possible values (a (i)) of the current key number comprises calculating a bootstrapping key sequence and a plaintext polynomial sequence Is a dot product of (a).
6. The method according to any of the preceding claims, wherein,
-the encrypted value is LWE or GLWE encryption; and/or
-the encryption multiplier polynomial is GGSW encryption; and/or
-the bootstrap key is a GGSW encryption; and/or
The blind rotation polynomial, e.g. accumulator, is GLWE encryption.
7. The method according to any of the preceding claims, wherein,
-prior to rotating (520) the polynomial (210) over the masked valueThe masked value (b) is discretizedAnd/or
Masking values (a j ) Is discretized
8. The method of any one of the preceding claims, wherein the Accumulator (ACC) uses a polynomialStart-upPolynomial +.>Rotated on the masked value, the iteration is further blindly rotated by the current key number (s j ) And the corresponding masking value->The accumulator represented.
9. A method according to any one of the preceding claims, wherein the bootstrap key encrypts a binary value, said binary value representing the number (s j ) Whether or not there is a value corresponding to the bootstrap key.
10. A method according to any one of the preceding claims, wherein the number of bootstrap keys for the key number is one less than the number of possible values for the key number.
11. A method according to claim 9 or 10, wherein one particular possible value of the key number does not correspond to one particular bootstrap key, and each of the other possible values of the key number is represented by a particular bootstrap key, said one particular possible value being represented by a bootstrap key that does not represent any other value.
12. A method of performing a bootstrap operation, the bootstrap operation comprising:
-blind rotation with a test polynomial, wherein the blind rotation is performed according to the method of any one of claims 1-11, the test polynomial comprising a sum of singlets, an exponent of the singlets representing an input value of the bootstrap operation, a coefficient of the singlets representing an output of the bootstrap operation, the blind rotation resulting in the singlets representing the output being rotated to a fixed position.
13. The method of claim 12, wherein,
-noise level reduction of the output value of the bootstrap operation; and/or
The output value of the bootstrap operation is the output of a further function applied to the encrypted value.
14. The method according to any of the preceding claims, wherein,
Each iteration corresponds to exactly one key number; or (b)
Each iteration corresponds to a number of key digits.
15. A transitory or non-transitory computer readable medium (1000) comprising data (1020) representing instructions that, when executed by a processor system, cause the processor system to perform the method of any one of claims 1-14.
16. A computing system (100; 111, 112, 113;200; 201) for homomorphic encryption (FHE), comprising:
-a communication interface for receiving an encrypted value (231; lwe) and a bootstrapping key;
-a processor system configured to:
-performing a blind rotation, the blind rotation selectively rotating the polynomial (210;) The encryption value comprising a sequence of masking values +.>And a masked value (b) which can be obtained from the plaintext value, the mask (Σa) i s i ) And noise calculation, the mask being capable of being calculated from a key(s) and a sequence of masking values, the key(s) comprising a sequence of key digits (s i ) A key number having one of at least three possible values, a plurality of bootstrap keys corresponding to each key number, the plurality of bootstrap keys being encryption of a plurality of data items representative of the key number, performing a blind rotation comprising:
-rotating (520) the polynomial (210) over the masked value (b) and iterating (530) once over the key number, according to the current key number (s j ) And corresponding masking valuesRepresented, the iteration further blindly rotates the polynomial, the iteration comprising +_with the encryption multiplier polynomial>To rotate the encrypted accumulator, said encryption multiplier polynomial being composed of a bootstrap key (bsk), a masking value +.>And the current key number (s j ) Is calculated from at least three possible values (a (i)).
CN202280032403.7A 2021-05-04 2022-04-22 Blind rotation for full homomorphic encryption Pending CN117337553A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP21290025.2 2021-05-04
EP21197775.6 2021-09-20
EP21197775.6A EP4087177A1 (en) 2021-05-04 2021-09-20 Blind rotation for use in fully homomorphic encryption
PCT/EP2022/060745 WO2022233605A1 (en) 2021-05-04 2022-04-22 Blind rotation for use in fully homomorphic encryption

Publications (1)

Publication Number Publication Date
CN117337553A true CN117337553A (en) 2024-01-02

Family

ID=89283500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202280032403.7A Pending CN117337553A (en) 2021-05-04 2022-04-22 Blind rotation for full homomorphic encryption

Country Status (1)

Country Link
CN (1) CN117337553A (en)

Similar Documents

Publication Publication Date Title
CN117461021A (en) Computing network conversion for full homomorphism assessment
CN113849828B (en) Anonymous generation and attestation of processed data
US20240259180A1 (en) Blind rotation for use in fully homomorphic encryption
EP4087177A1 (en) Blind rotation for use in fully homomorphic encryption
CN118402204A (en) Polynomial multiplication of encrypted values
EP4195577A1 (en) Encrypted computation comprising a blind rotation
Liu et al. Secure medical data on cloud storage via DNA homomorphic encryption technique
CN117337553A (en) Blind rotation for full homomorphic encryption
CN116508288B (en) Isomorphic passwords with improved data item representations
KR102653914B1 (en) Encrypted scalar multiplication
CN116964554B (en) Encryption scalar multiplication
CN117425876A (en) Computing network coding for full homomorphism assessment
EP4099149A1 (en) Computational network encoding for fully homomorphic evaluation
JP2024522361A (en) Computational Network Encoding for Fully Homomorphic Evaluation
JP2024521787A (en) Calculations on LWE Encrypted Values
KR20240112988A (en) Polynomial multiplication of encrypted values
EP4352913A1 (en) Encrypted computation comprising a blind rotation
CN117643012A (en) Calculation of LWE encryption values
CN118369889A (en) Encryption computation including blind rotation

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination