COMPUTER-IMPLEMENTED METHOD BASED ON FRAMEWORK OF EXACT HOMOMORPHIC ENCRYPTION AND SYSTEM ON FRAMEWORK OF EXACT HOMOMORPHIC ENCRYPTION

BACKGROUND OF THE INVENTION
1. Field of the Invention

The present disclosure generally relates to a method for constructing a method based on a framework of exact homomorphic encryption, particularly, to a method based on a framework of exact homomorphic encryption for encryption and computation.

2. Description of the Related Art

Homomorphic Encryption (HE) permits users to compute on encrypted messages without prior decryption, thus rendering a high level of security for the data processing. Over the next 30 years, improvements in HE remained rather constrained until Gentry's proposal in 2009. His dissertation theoretically allowed arbitrary encrypted computation contingent upon unlimited resources. While, the accumulation of noise poses a hindrance to execute this technique. The predicament is especially pronounced by dint of the exponential growth of noise with the number of multiplications.

Quantum computing has garnered much attention recently inasmuch as its momentous influence not only on data processing, but also on information protection. An intriguing field of study in relation to the security hazard is Quantum Public-Key Encryption (QPKE). The core approach entails the production of one-way functions to generate a quantum state that plays the role of a public key for encrypting message. QPKE is impeded mainly by necessitating sizable quantum operations, which falls into the hurdle of scaling up quantum computers.

Quantum Homomorphic Encryption (QHE) is another research area that has become increasingly appealing to safeguard data manipulation. Typically, an encrypted computation is exercised with a fault-tolerant Clifford+T circuit. Explicitly, physical qubits outnumber logical qubits by at least several hundred times, refuting the accessibility of QHE. An alternative rephrases a present HE to its quantum version. Aside from receiving the demerits of HE schemes aforesaid, the method in view consumes numerous qubits and then encounters the scalability barrier of quantum computers.

A serial of episodes elucidates a structure called the Quotient Algebra Partition, QAP, universally existing in finite-dimensional unitary Lie algebras. Given this structure inherited by every stabilizer code, a general methodology of Fault Tolerance Quantum Computation in QAP, abbreviated as QAPFTQC, elicits an algorithmic procedure achieving the acquirement that every action in every error-correcting code is fault tolerant. A fault tolerance quantum computation is thence derived by applying this encode on the codeword.

SUMMARY OF THE INVENTION

Accordingly, inventors of the present inventive concept introduce a computer-implemented method based on a framework of exact homomorphic encryption and a system for encryption and computation on a framework of exact homomorphic encryption which are stemming from the concept of QAPFTQC. The framework Exact Homomorphic Encryption, EHE, is proposed to admit computations on encrypted data. The message encryption and the computation encryption of EHE are thought of as analogous to the cryptograph of a quantum state and the fault-tolerant counterpart of a computation in QAPFTQC.

The present inventive concept provides a computer-implemented method based on a framework of exact homomorphic encryption (EHE), wherein the method comprises:

S10. providing a multivariate polynomial of k variables ƒ(x)=Σ_τ∈Z₂_kc_τc^τ wherein ƒ(x) is a linear combination of monomials x^τ of degrees≤k with coefficients c_τ∈Z₂, and each monomial x^τ is expressed as x^τ=x₁^σ1x₂^σ2. . . x_k^σk, where x_r∈Z₂, τ=σ₁σ₂. . . σ_r. . . σ_k∈Z₂^kand r∈[k], with [k] denoting a set of positive integers from 1 to k;

S20. introducing elementary gates Λ_r^θ of k qubits, where the integer r signifies the r-th qubit as a target qubit of the elementary gate, and nonzero entities of k-bit binary string θ=ϵ₁ϵ₂. . . ϵ_k∈Z₂^kindicate positions of qubits serving as control bits;

S30. applying elementary gates on quantum states;

S40. applying elementary gates on the variables to generate multivariate polynomials over a binary field Z₂, formulated as the following transformation rule,

$\begin{matrix} Λ_{r}^{θ} x_{s} = x_{s} + δ_{rs} x^{θ} & Eq . 1 \end{matrix}$

wherein x_s∈Z₂is a binary variable and x^θ=x₁^ϵ¹x₂^ϵ². . . x_k^ϵ^ka monomial of k variables;

S50. defining a first encryption mapping custom-character _enwhich is an ordered product of elementary gates randomly chosen; and

S60. applying the first encryption operator custom-character _ento generate a set of w multivariate polynomials that serves as a public encryption key for encoding a k-qubit plaintext into a w-qubit ciphertext, w≥k, for message encryption.

According to the present inventive concept, the elementary gates comprises the negation, the CNOT, the Toffoli, and the multi-controlled gates.

According to the present inventive concept, wherein the method further comprises:

S70. introducing a desired operation M of n qubits, n>w, wherein M is represented as a circuit composed of n-qubit elementary gates;

S80. defining a second encryption mapping custom-character _cv, wherein _cvis an ordered product of n-qubit elementary gates randomly chosen;

S90. encoding the desired operation M into an encrypted action, wherein the desired operation M is cryptified into an encrypted action U through the first encryption operator custom-character _enand the second encryption operator _cv;

S100. generating an encrypted polynomial set from the encrypted action U; and

S110. evaluating the encrypted polynomial set on the ciphertext to yield an encrypted computation.

According to the present inventive concept, wherein the step S40 further comprises:

S41. giving a second binary string ζ, wherein the second binary string ζ determines how variables interact within the monomial;

S42. modifying the monomial x^θ based on the second binary string ζ into a modified form x_ζ^θ; and

S43. expanding the Eq. 1 to a formation

$\begin{matrix} Λ_{r}^{θ, ζ} x_{s} = x_{s} + δ_{rs} {\overline{x}}_{ζ}^{θ} & Eq . 2 \end{matrix}$

where s∈[k] and x_ζ^θ is defined as x_ζ^θ=Π_i=1^k(x_i+ç_i)^ϵⁱ.

According to the present inventive concept, wherein the step S50 further comprises:

S51. defining the first encryption operator custom-character _enas a product operation which is a k-qubit ordered product of elementary gates, as:

$ℛ = \prod_{i = 1}^{n} Λ_{r_{i}}^{θ_{i}},$

where Λ_r_i^θⁱdenotes the i-th elementary gate acting on the r_i-th qubit with a control string θ_i∈ custom-character ₂^k;

S52. defining a reverse product operation custom-character , wherein is the order-reversed product of , which is expressed as:

custom-character =Π_i=n¹Λ_r_i^θⁱ; and

S53. establishing an equality between the product operation custom-character and its reverse for each basis state |x:

custom-character |x=|x, where x∈₂^k.

According to the present inventive concept, wherein the step S50 further comprises:

S54. preparing an initial set of the multivariable polynomials custom-character _in={g_j(x)|j∈[w]}, wherein g_j(x) corresponds to each of ƒ(x), wherein each of g_j(x) is expressed as:

g_j(x)=Σ_r∈Z₂_kc_τ,jx^τ,

where c_τ,j∈Z₂are binary coefficients;

S55. applying the product operation custom-character _enon each polynomial in the initial polynomial set _in; and

S56. outputting an ordered set of polynomials custom-character _w,k(_en; x)={ƒ(x)=_en|├g_j(x): j∈[w]}, serving as a public encryption key, where w≥k is the number of the polynomials.

According to the present inventive concept, wherein the step S60 further comprises:

S61. providing the plaintext |m custom-character , wherein the plaintext is of k qubits; and

S62. encoding the plaintext to the ciphertext |c custom-character , wherein the ciphertext is of w qubits, generated by evaluating the public encryption _w,k(_en;x) on the plaintext, such that

$❘ c 〉 = ❘ f_{1} (m) f_{2} (m) \dots f_{w} (m) 〉,$

where m∈Z₂^k, c∈Z₂^wand ƒ_j(m)∈Z₂is the evaluation of the j-th polynomial ƒ_j(x)∈ custom-character _w,k(_en; x) on the plaintext, 1≤j≤w.

According to the present inventive concept, wherein the number of different polynomial sets, generated by all permutations of the elementary gates composing the operator custom-character , is a minimum of h!, where h is a size of a maximal set of pairwise noncommuting gates in .

According the present inventive concept, wherein the step S60 further comprises:

S63. decrypting the w-qubit ciphertext |c custom-character to |m⊗|r=_en|c by the first encryption mapping _ento recover the plaintext m.

According to the present inventive concept, wherein the method further comprises:

S120. defining an encrypted action custom-character _cv, wherein _cv=(_en⁻¹⊗I){circumflex over (M)}_cv, with {circumflex over (M)} is an order-reversed product of M, n≥w, and I is an identity operator of n−w qubits; and

S130. given the w-qubit ciphertext |c custom-character of the k-qubit plaintext |m derived from the second encryption operator _cvand an n-qubit action M, n=w≥k, generating an encrypted polynomial set

$\begin{matrix} 𝒫_{n, n} (𝒰_{cv}^{‡}; z) = {α_{i} (z) = 𝒰_{cv}^{‡} z_{i} : i \in [n]}, & Eq . 3 \end{matrix}$

wherein custom-character _cv^‡ is an encrypted action, and expressed as _cv^‡=_cv⁻{circumflex over (M)}_cv, and α_i(z) is the i-th polynomial of _n,n(_cv^‡;z), z=z₁z₂. . . z_n∈Z₂ⁿ.

According to the present inventive concept, wherein the method further comprises:

S140. given the w-qubit ciphertext |c custom-character of the k-qubit plaintext |m derived from the first encryption operator _enand an n-qubit action M, n>w≥k, generating an encrypted polynomial set

$\begin{matrix} 𝒫_{n, w} (𝒰_{cv}; z) = {β_{i} (z) = 𝒰_{cv} z_{i} : i \in [n]}, & Eq . 4 \end{matrix}$

wherein β_i(z) is the i-th polynomial of custom-character _n,w(_cv; z), z=z₁z₂. . . z_n∈Z₂ⁿ.

According to the present inventive concept, wherein the method further comprises:

S150. parallelling a number e of sectional encrypted circuits custom-character _cv,qcomposing _cv, q∈[e];

S160. generating a sequential evaluation of encrypted polynomial sets

$\begin{matrix} 𝒫_{n, w} (𝒰_{cv, q}; z) = {β_{i, q} (z) = 𝒰_{cv, q} z_{i} : i \in [n]} . & Eq . 5 \end{matrix}$

The present inventive concept further provides a system for encryption and computation on a framework of exact homomorphic encryption, comprising:

a program for executing the computer-implemented method based on a framework of exact homomorphic encryption according to the present inventive concept; and

a computing architecture comprising a processing unit, wherein the program is deployed on the computing architecture.

According to the present inventive concept, wherein the program for executing the computer-implemented method comprising a software for exact homomorphic encryption, wherein the software comprises a first code and a second code.

According to the present inventive concept, wherein the first code is for the message encryption.

According to the present inventive concept, wherein the second code is for executing the computer-implemented method based on a framework of exact homomorphic encryption.

According to the present inventive concept, wherein the computing architecture comprises a CPU, GPU, or a combination thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic flow diagrams according to an embodiment of the present inventive concept;

FIG. 2 is a schematic diagram of the elementary gate used in the algorithm according to the present inventive concept;

FIG. 3 is a schematic flow diagrams according to another embodiment of the present inventive concept;

FIG. 4 is a schematic flow diagrams according to another embodiment of the present inventive concept;

FIG. 5 is a schematic flow diagrams according to another embodiment of the present inventive concept;

FIG. 6 is a schematic flow diagrams according to another embodiment of the present inventive concept;

FIG. 7 is a schematic flow diagrams according to another embodiment of the present inventive concept;

FIG. 8 shows (a) the process of an embodiment of the present inventive concept where the message and computation are mapped to an identical space; and (b) the process of another embodiment of the present inventive concept that the message and computation are mapped to different spaces of encryption;

FIG. 9 is a block diagrams according to an embodiment of the present inventive concept;

FIG. 10 shows test data of the message encryption according to an embodiment of the present inventive concept; and

FIG. 11 shows test data of the cryptovaluations according to another embodiment of the present inventive concept. according to an embodiment of the present inventive concept.

DETAILED DESCRIPTION

The present inventive concept is described by the following specific embodiments. Those with ordinary skills in the arts can readily understand other advantages and functions of the present inventive concept after reading the disclosure of this specification. Any changes or adjustments made to their relative relationships, without modifying the substantial technical contents, are also to be construed as within the range implementable by the present inventive concept.

Moreover, the word “exemplary” or “embodiment” is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as exemplary or an embodiment is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the word “exemplary” or “embodiment” is intended to present concepts and techniques in a concrete fashion.

As used in this application, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless specified otherwise or clear from context, “X employs A or B” is intended to mean any of the natural inclusive permutations. That is, if X employs A; X employs B; or X employs both A and B, then “X employs A or B” is satisfied under any of the foregoing instances. In addition, the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more,” unless specified otherwise or clear from context to be directed to a singular form.

Please refer to FIG. 1 which is a schematic flow diagrams according to an embodiment of the method of the present inventive concept. The present inventive concept provides a computer-implemented method based on a framework of exact homomorphic encryption (EHE), wherein the method may comprise:

S10. providing a multivariate polynomial of k variables ƒ(x)=Σ_τ∈Z₂_kc_τx^τ.

According to the present inventive concept, ƒ(x) is a linear combination of monomials x^τ of degrees≤k with coefficients c_τ∈Z₂. Each monomial x^τ may be expressed as x^τ=x₁^σ1x₂^σ2. . . x_k^σk, where x_r∈Z₂, τ=σ₁σ₂. . . σ_r. . . σ_k∈Z₂^kand r∈[k], with [k] denoting a set of positive integers from 1 to k.

According to the present inventive concept, the formulation provides the foundational representation of polynomials in the binary field Z₂.

The polynomial ƒ(x) may serve as the foundation for encoding and transforming data in the EHE framework.

According to the present inventive concept, the method may further comprise:

According to the present inventive concept, the elementary gates may act on k-qubit quantum states and the gates may be represented by the transformation Λ_r^θ, wherein r may identify the target qubit and θ=ϵ₁ϵ₂. . . ϵ_k∈Z₂^kmay specify the control bits.

According to the present inventive concept, the elementary gates may comprise the negation, the CNOT, the Toffoli, and the multi-controlled gates as shown in FIG. 2.

Every elementary gate is a transformation of dimension-one preserving that maps a basis quantum state into another, referring to FIG. 2 for the diagrammatic exemplification. Since AND and OR can be rephrased in Toffoli gates attended with ancilla qubits, this set vouches for the computational universality. These gates may operate on quantum states to enable transformations within the EHE framework. The method of the present inventive concept leverages fundamental quantum operations to manipulate data securely and make the transformation flexibly by including these gates.

Each of elementary gates used in the present inventive concept is dimension-one preserving. This design avoids the heavy memory demands associated with simulating full quantum states, making it feasible on both CPU and GPU without the need for quantum computers.

According to the present inventive concept, the method may further comprise: S30. applying elementary gates on quantum states;

S40. applying elementary gates on the variables to generate multivariate polynomials over a binary field Z₂, formulated as the following transformation rule,

$\begin{matrix} Λ_{r}^{θ} x_{s} = x_{s} + δ_{rs} x^{θ} & Eq . 1 \end{matrix}$

wherein x_s∈Z₂is a binary variable and x^θ=x₁^ϵ¹x₂^ϵ². . . x_k^ϵ^krepresents the monomial transformation of k variables which induced by the gate.

According to the present inventive concept, these steps may provide a precise mechanism for transforming quantum states into multivariate polynomials over the binary field Z₂.

According to the present inventive concept, the method may further comprise:

S50. defining a first encryption mapping custom-character _enwhich is an ordered product of elementary gates randomly chosen; and

The first encryption mapping is constructed to encode plaintext into ciphertext by applying transformations to the input polynomials. According to the precent inventive concept, the output may be a set of w-multivariate polynomials, which may form a public encryption key.

The mapping of Eq. 1 de facto unveils the polynomial representation of elementary gates. Applied by this mapping, the variable x_sreceives a shift of the product x^θ if the s-th qubit is identical to the target bit, or remains intact otherwise. In practical maneuvers, elementary gates operate on variables of monomials. The gate Λ_r^θ is said to be of rank t if 0 contains a number t of nonzero bits. That is, a negation is of rank zero, a CNOT rank one, a Toffoli rank two, and a multi-controlled gate is of rank t≥3. Notice that every elementary gate defined here is unitary and involutory.

Please refer to FIG. 3 which is a schematic flow diagrams according to another embodiment of the method of the present inventive concept.

According to the present inventive concept, wherein the method may further comprise:

S70. introducing a desired operation M of n qubits, n>w, wherein M is represented as a circuit composed of n-qubit elementary gates.

According to the present inventive concept, the operation may be represented as a circuit composed of n-qubit elementary gates and may serve as the computation to be encrypted and performed homomorphically.

According to the present inventive concept, the method may further comprise:

S80. defining a second encryption mapping custom-character _cv, wherein _cvis an ordered product of n-qubit elementary gates randomly chosen.

According to the present inventive concept, the second encryption mapping custom-character _cvmay introduce cryptographic complexity.

According to the present inventive concept, the method may further comprise:

According to the present inventive concept, the process ensures that the operation M is transformed into a secure, encrypted form compatible with ciphertext computations.

According to the present inventive concept, the method may further comprise:

S100. generating an encrypted polynomial set from the encrypted action U; and

S110. evaluating the encrypted polynomial set on the ciphertext to yield an encrypted computation.

According to the present inventive concept, the encrypted action U may enable computations to be performed in the encrypted domain. The polynomial sets may serve as intermediaries to evaluate encrypted operations.

The computation can be performed homomorphically without decrypting the ciphertext by the present inventive concept. The evaluation process, referred to as cryptovaluation, may establish the duality between polynomial evaluation and state computation, validating the integrity of the encrypted computation.

Please refer to FIG. 4 which is a schematic flow diagrams according to an embodiment of the method of the present inventive concept.

According to the present inventive concept, wherein the step S40 may further comprise:

S41. giving a second binary string ζ, wherein the second binary string ζ determines how variables interact within the monomial;

S42. modifying the monomial x^θ based on the second binary string ζ into a modified form x_ζ^θ; and

S43. expanding the Eq. 1 to a formation

$\begin{matrix} Λ_{r}^{θ, ζ} x_{s} = x_{s} + δ_{rs} {\overline{x}}_{ζ}^{θ} & Eq . 2 \end{matrix}$

where s∈[k] and x_ζ^θ is defined as x_ζ^θ=Π_i=1^k(x_i+ç_i)^ϵⁱ.

According to the present inventive concept, the second binary string ζ is introduced to modify the monomial interactions through control bits. The second binary string ζ may be used to augment the role of control bits by introducing an additional degree of freedom for variable modification.

According to the present inventive concept, the monomial x^θ may be transformed into the modified form x_ζ^θ, defined as

${\overline{x}}_{ζ}^{θ} = \prod_{i = 1}^{k} {(x_{i} + ς_{i})}^{ϵ_{i}},$

where x_i∈Z₂may represent the variables, ζ_i∈Z₂may modify the interaction for each variable based on its binary value, and ϵ_imay determine the control bit configuration.

According to the present inventive concept, the most general definition of an elementary gate of k variables over Z₂may be written as Eq. 2.

According to the present inventive concept, expanding the Eq. 1 to Eq. 2 is to generalize the transformation rule, where x_ζ^θ may incorporate the second binary string ζ.

According to the present inventive concept, the generalization may support more complex polynomial transformations and enhance the framework's ability to represent and process non-linear relationships.

Please refer to FIG. 5 which is a schematic flow diagrams according to an embodiment of the method of the present inventive concept.

According to the present inventive concept, wherein the step S50 may further comprise:

S51. defining the first encryption operator custom-character _enas a product operation which is a k-qubit ordered product of elementary gates, as:

$ℛ = \prod_{i = 1}^{n} Λ_{r_{i}}^{θ_{i}},$

where Λ_r_i^θⁱdenotes the i-th elementary gate acting on the r_i-th qubit with a control string θ_i∈ custom-character ₂^k.

According to the present inventive concept, θ_i∈ custom-character ₂^kmay represent he control string, specifying which qubits interact during the operation.

According to the present inventive concept, the ordered product custom-character may encapsulate the sequential application of these gates to transform states into encrypted representations.

According to the present inventive concept, the use of elementary gates, e.g., negation, CNOT, Toffoli, may be used as the building blocks of encryption mappings.

According to the present inventive concept, wherein the step S50 may further comprise:

S52. defining a reverse product operation custom-character , wherein is the order-reversed product of , which is expressed as:

custom-character =Π_i=n¹Λ_r_i^θⁱ.

In this embodiment, the reverse operation may ensure symmetry and facilitates invariance properties essential for encryption and decryption processes in the method of the present inventive concept.

According to the present inventive concept, wherein the step S50 may further comprise:

S53. establishing an equality between the product operation custom-character and its reverse for each basis state |x:

$\begin{matrix} ❘ ℛ x 〉 = \hat{ℛ} ❘ x 〉, & Eq . 3 \end{matrix}$

where x∈ custom-character ₂^k.

According to the present inventive concept, an elementary gate of k qubits Λ_r^θ sends a basis state of the same number of qubits |α₁α₂. . . α_r. . . α_k) to

$\begin{matrix} Λ_{r}^{θ} ❘ a_{1} a_{2} \dots a_{r} \dots a_{k} 〉 = a_{1} a_{2} \dots (a_{r} + a^{θ}) \dots a_{k} 〉 . & Eq . 2 - 1 \end{matrix}$

$here r \in [k], θ = ϵ_{1} ϵ_{2} \dots ϵ_{k} and a^{θ} = a_{1}^{ϵ_{1}} a_{2}^{ϵ_{2}} \dots a_{k}^{ϵ_{k}} \in Z_{2}^{k} .$

The equality of Eq. 3 is deemed as the evaluation duality between a state and its associated polynomials. Specifically, | custom-character |├x=|y₁(x)y₂(x) . . . y_k(x) stands for a sequence of ordered polynomials written in a state. The s-th member, y_s(x)=|├x, is the polynomial reaped by acting the product operation =Λ_r_u^θ^u. . . Λ_A₂^θ²Λ_r₁^θ¹embracing u≥1 elementary gates on the s-th variable x_sof x=x₁x₂. . . x_k∈Z₂^k, s∈[k]. The state custom-character |x is the resultant of activating the order-reversed product =Λ_r₁^θ¹Λ_r₂^θ². . . Λ_r_u^θ^uof e R on |x. This equality elucidates the equivalence of the polynomial evaluation and the state computation, namely |x_=a=|a by substituting a multi-valued string α for the input x of polynomials y_s(x) respectively. The validness of Eq. 3 will be confirmed through the process that repetitively employs Eq. 1 to generate polynomial monomials and Eq. 2-1 to calculate state components.

The transformations applied by custom-character and its reverse may yield equivalent outcomes, regardless of the order of gate application.

According to the present inventive concept, the sequential application of gates in custom-character may introduce layers of complexity, leveraging the noncommutative properties of elementary gates for enhanced security.

The equality custom-character |x=|x establishes an invariant property that strengthens the theoretical foundation of the encryption process.

Please further refer to FIG. 5. According to the present inventive concept, wherein the step S50 may further comprises:

S54. preparing an initial set of the multivariable polynomials custom-character _in={g_j(x)|j∈[w]}, wherein g_j(x) corresponds to each of ƒ(x), wherein each of g_j(x) is expressed as:

g_j(x)=Σ_r∈Z₂_kc_τ,jx^τ,

where c_τ,j∈Z₂are binary coefficients and x^τ=x₁^σ¹x₂^σ². . . x_k^σ^kare monomials of degree≤k.

According to the present inventive concept, the polynomial set may be structured and compatible with subsequent encryption transformations.

According to the present inventive concept, wherein the step S50 may further comprises:

S55. applying the product operation custom-character _enon each polynomial in the initial polynomial set _in; and

S56. outputting an ordered set of polynomials custom-character _w,k(_en; x)={ƒ_j(x)=_en|├g_j(x):j∈[w]}, serving as a public encryption key, where w≥k is the number of the polynomials.

In this embodiment, the first encryption operator custom-character _enmay be applied to each polynomial g_j(x) in _in. The transformation is expressed as: ƒ_j(x)=_en|├g_j(x), ∀j∈[w], where ƒ_j(x) represents the encrypted polynomial.

The polynomials may be transformed into secure forms while retaining their structural consistency.

The algorithm favors the first encryption operator custom-character _enincluding a certain number of multi-controlled gates of higher ranks≥2 for the purpose of breeding polynomials of higher degrees in _w,k(_en;z). Within the composition of _en, a pair of gates Λ_r^θ and Λ_s^τ are noncommuting if the r-th digit in τ or the s-th digit in θ is non-null, r and s∈[k].

In this embodiment, w≥k ensures sufficient encoding capacity for the plaintext. And the set custom-character _w,k(_en;x) may serve as a reusable key for encoding plaintexts into ciphertexts.

Please refer to FIG. 6 which is a schematic flow diagrams according to an embodiment of the method of the present inventive concept.

According to the present inventive concept, wherein the step S60 may further comprises:

S61. providing the plaintext |m custom-character , wherein the plaintext is of k qubits; and

S62. encoding the plaintext to the ciphertext |c custom-character , wherein the ciphertext is of w qubits, generated by evaluating the public encryption _w,k(_en;x) on the plaintext, such that

$❘ c 〉 = ❘ f_{1} (m) f_{2} (m) \dots f_{w} (m) 〉,$

where m∈Z₂^k, c∈Z₂^wand ƒ_j(m)∈Z₂is the evaluation of the j-th polynomial ƒ_j(x)∈Ψ_w,k(∩_en;x) on the plaintext, 1≤j≤w.

In this embodiment, the plaintext |m custom-character may be served as the data to be encrypted using the EHE framework of the present inventive concept and the public encryption _w,k(_en;x) may be serves as the functional basis for encoding the plaintexts into the ciphertexts. Specifically, the ciphertext |c is the evaluation of the public key custom-character _w,k(_en;x), a multivariate polynomial set, on the input message x=m.

In an embodiment of the present inventive concept, the concept of a maximal set of pairwise noncommuting gates within custom-character is introduced, wherein pairwise noncommuting gates satisfy A·B≠B·A, ensuring that their order impacts the resulting transformations. Besides, the size of the maximal set is denoted as h, capturing the structural complexity of .

As an implication, cracking the public key custom-character _w,k(_en;x) generated by an encryption mapping , whose maximal set of pairwise noncommuting gates is of size h, costs a combinatorial complexity comparable to h!.

The overall complexity is given by h₁!·h_l-1! . . . h₁! for encryption mappings custom-character _encomposed of multiple disjoint subsets of mutually noncommuting gates (h_r, r∈[l]). By doing so, a cryptographic complexity criterion may be established based on the structural properties of the encryption operator . This result may directly quantify the security strength of the encryption mapping of the present inventive concept.

Please further refer to FIG. 6. According to the present inventive concept, wherein the step S60 may further comprises:

S63. decrypting the w-qubit ciphertext |c custom-character to |m⊗|r=_en|c by the first encryption mapping _ento recover the plaintext m.

Due to the duality, the ciphertext |c custom-character =|_en|├x_x=e, through evaluating _w,k(_en;x) over a w-qubit state |e to |m⊗|r, equals _en|e. Here, |r is a basis state of w−k qubits randomly assigned and _enthe order-reversed product of _en. Since every elementary gate is its own inverse, _en⁻¹=_en. The plaintext |m is thereby recovered from custom-character _en⁻|c=_en|c=|e.

According to the present inventive concept, the duality relationship and the invertibility of elementary gates used in Ren lead to the exactness of decryption, so that the plaintext is able to be accurately recovered from the ciphertext without error, which may distinguish the method of the present inventive concept from the noisy decryption methods in traditional systems.

The complexities of attacking the invertible message encryption, IME, of w qubits is proven to satisfy the complexity criteria T_de-NC>T_ICRP>T_XL>2^w, where T_de-NCis the decompositional noncommutativity complexity for this IME, T_ICRPis the complexity of solving Invertible Circuit Reconstruction Problem (ICRP) for this IME, T_XLis the complexity of attacking this IME via the XL algorithm, and 2^wis the complexity of attacking this IME via the brute-force method.

The complexity criteria of IME suggest that attacking the private key is more difficult than breaking the public key or the ciphertext.

Grounded on the complexity criteria, the security strength of IME may be straightforwardly increased with moderate efforts, whose minimum strength grows linearly with the length of input plaintext.

Based on the complexity criteria, the security of IME with a public key custom-character _w,k(_en;x) surpasses the post-quantum standard 2¹²⁸, and further attains the suggested threshold 2¹⁰²⁴of hyper quantum resilience.

The security requirements of IME fulfill the advanced privacy demands beyond the post-quantum standards.

The security requirements of IME prevent information from quantum attacks, including Grover's algorithm, quantum annealing and quantum Groebner-basis algorithm.

Please refer to FIG. 7 which is a schematic flow diagrams according to an embodiment of the method of the present inventive concept.

According to the present inventive concept, wherein the method may further comprises:

$\begin{matrix} 𝒫_{n, n} (𝒰_{cv}^{‡}; z) = {α_{i} (z) = 𝒰_{cv}^{‡} z_{i} : i \in [n]}, & Eq . 3 \end{matrix}$

wherein custom-character _cv^‡ is an encrypted action, and expressed as _cv^‡=_cv⁻¹{circumflex over (M)}_cv, which is the adjoint of the encrypted action. Besides, α_i(z) is the i-th polynomial in the encrypted polynomial set _n,n(_cv^‡;z), z=z₁z₂. . . z_n∈Z₂ⁿwhich is derived by applying custom-character _cv^‡ on the variables z.

The present inventive concept borrows the mechanism of QAPFTQC to encipher computations.

Assume that a k-qubit plaintext is encoded into a w-qubit ciphertext via a multivariate polynomial set generated by the first encryption operator custom-character _en, which is the encryption mapping, k≤w. Accompanied by the second encryption operator _cv, an n-qubit operation M, a circuit of elementary gates, is concealed into the encrypted action _cv=(_en⁻¹⊗I){circumflex over (M)}_cvwith {circumflex over (M)} is an order-reversed product of M, n≥w.

This encrypted action is a simplified form of the fault tolerant encode in QAPFTQC. Let the circuit of custom-character _cvbe rephrased as a set of n multivariate polynomials. Grounded on the poetic duality, evaluating this polynomial set on the ciphertext yields the cryptovaluation. Finally, _cvmay serve as the private cryptovaluation key to decrypt the encrypted computation.

To begin with, consider w=n. In this scenario, the message and computation are mapped into an identical space of encryption as depicted in FIG. 8(a).

In this embodiment, the polynomial set custom-character _w,k(‰_cv;x) generated by _cv, which is the public key for invertible message encryption, IME, encodes |m into a ciphertext |c. On the strength of the duality relation, this ciphertext is alternatively written as |c=_cv|m⊗|0 from exercising the order-reversed product _cvof _cvon the product state |m custom-character ⊗|0 of |m and the (n−k)-qubit null state |0. A step further is drawing _cvthat encodes M into the composition _cv^‡=_cvM_cv⁻¹, resulting in the encrypted computation _cv^‡|c=_cvM|m⊗|0 called the cryptovaluation. Here, _cv^‡ is the order-reversed product of the encrypted action custom-character _cv^‡.

With the associated state custom-character _cv^‡|├z=|α₁(z)α₂(z) . . . α_n(z)) and i∈[n], it relishes the duality _cv^‡|c=_cv^‡|├z_z=cbetween the state computation and the polynomial evaluation. Thus, the cryptovaluation is engaged in _cv^‡|├z_z=cof calculating the polynomial set _n,n(_cv^‡;z) on the ciphertext |c custom-character . The operator _cv⁻=_cvworks as the private cryptovaluation key of the decryption, namely _cv|_cv^‡|├z_z=c=_cv_cv^‡|c=M|m⊗|0. Refer to FIG. 8(a) for the diagram outlining the process. In the scenario n=w, the message and computation are elegantly sent into an identical space of encryption under the same encryption operator custom-character _cv.

According to the present inventive concept, custom-character _en⁻¹is the inverse of the first encryption operator, which decodes the ciphertext into a form compatible with {circumflex over (M)}. The use of {circumflex over (M)} make sure the invertibility of the computation and the consistency with the EHE framework's duality principles in the present inventive concept.

Besides, the encrypted action custom-character _cvenables secure computation by maintaining the encrypted state throughout the process, preserving data confidentiality.

Please further refer to FIG. 7. According to the present inventive concept, wherein the method may further comprises:

S140. given the w-qubit ciphertext |c custom-character of the k-qubit plaintext |m derived from the first encryption operator Ren and an n-qubit action M, n>w≥k, generating an encrypted polynomial set

$\begin{matrix} 𝒫_{n, w} (𝒰_{cv}; z) = {β_{i} (z) = 𝒰_{cv} z_{i} : i \in [n]}, & Eq . 4 \end{matrix}$

wherein β_i(z) is the i-th polynomial in the encrypted polynomial set custom-character _n,w(_cv;z), z=z₁z₂. . . z_n∈Z₂ⁿ, encapsulating the transformation applied by _cv.

Here, the encode custom-character _cv=_cvM(_en⁻¹⊗I) is the order-reversed product of encrypted action _cv, with M sandwiched by the operator of input errors _en⁻¹⊗I and the operator of output errors _cv.

The proof is similar as mentioned above, but replacing the encryption operator custom-character _cv⁻¹of _cv^‡by _en⁻¹⊗I, the encrypted polynomial set _n,n(_cv^‡;z) by _n,w(_cv;z), and the polynomial state |_cv^‡|├z by |_cv|├z. Similarly, ascertained from the duality relation, the output of the cryptovaluation is the polynomial evaluation |_cv|├z_z=c on the product state |c custom-character =|c⊗|0′ of |c and a null basis state |0′ of n−w qubits. Likewise, the operator _cvdecrypts the evaluation. Please refer to FIG. 8(b) which pictures this process.

According to the present inventive concept, wherein the method further comprises:

S150. parallelling a number e of sectional encrypted circuits custom-character _cv,qcomposing _cv,q∈[e]; and

S160. generating a sequential evaluation of encrypted polynomial sets

$\begin{matrix} 𝒫_{n, w} (𝒰_{cv, q}; z) = {β_{i, q} (z) = 𝒰_{cv, q} z_{i} : i \in [n]} & Eq . 5 \end{matrix}$

In an embodiment of the present inventive concept, ciphertext |c custom-character , a w-qubit ciphertext derived from the first encryption mapping _en, encodes the k-qubit plaintext |m, wherein |c may serve as the input for the encrypted computational action. Then, _cvmay further transform the ciphertext |c within the encrypted domain. Next, the encrypted polynomial set custom-character _n,w(_cv;z) is generated, where each β_i(z) may correspond to a transformed variable z_iunder the action of _cv.

In another embodiment of the present inventive concept, the encrypted action custom-character _cvmay be partitioned into e sectional encrypted circuits _cv,q, each of the sectional circuit may independently handle a subset of the computations, facilitating the parallelized execution. Each of the sectional circuit _cvmay be applied to the variables z_iin the encrypted domain.

For every circuit q, an encrypted polynomial set custom-character _n,w(_cv,q;z) is generated _n,w(_cv,q;z)={β_i,q(z)=_cv,q|├z_i├z_i;i∈[n]}, where each β_i,q(z) may correspond to a transformed variable z_iby the sectional circuit _cv,q.

After all sectional circuits custom-character _cv,qhave been applied, their outputs, the polynomial sets, may be sequentially combined. The sequential evaluation consolidates the partial results from each _n,w(_cv,q;z) into the final encrypted polynomial set to complete the computation.

More specifically, depending on computing environments, the number e ranges from n/2 to 4n on the single-CPU and from n/8 to n on the multiple cores. Due to this division, the circuit is factorized into a product custom-character _cv=_e_e-1. . . . ₂₁of e component actions _q, q∈[e]. By arbitrarily taking a number e of sectional encryption operators _qindividually comprising elementary gates randomly generated, each member _qis converted into a sectional encrypted circuit _cv,q=_q_q_q-1⁻¹for 2≤q≤e−1, with custom-character _cv,1=₁₁and _cv,e=_e_e⁻¹. That is, the encrypted action is rewritten as

$𝒰_{cv} = (𝒰_{e} ℛ_{e}^{- 1}) (ℛ_{e} 𝒰_{e - 1} ℛ_{e - 1}^{- 1}) \dots (ℛ_{2} 𝒰_{2} ℛ_{1}^{- 1}) (ℛ_{1} 𝒰_{1}) .$

Since encrypted polynomial sets custom-character _n,w(_cv,q;z) are engendered independently from the encrypted circuits _sv,qit enables a highly concurrent generation of polynomial sets. Founded on the duality, the sequential evaluation of polynomial states |_cv,q|├z) educes the harvest of the cryptovaluation. With the initial input |c custom-character , a prior output is tapped as the subsequent input of steps from q′=1 to q′=eq, i.e., |c₁=|_cv,1|├z_z=c and |c_q′+1=|_cv,q′+1|├z_z=c_q′, for q′<e. The final evaluation |c is the consequent of this encrypted computation.

The complexity of attacking the computation encryption, cryptovaluation, of n qubits on w-qubit ciphertexts is greater than 2^w.

In a cryptovaluation, attacking the private key is more difficult than breaking the public key or the ciphertext.

In a cryptovaluation, the security strength may be straightforwardly increased with moderate efforts, whose minimum strength grows linearly with the length of input ciphertext.

In a cryptovaluation, the security surpasses the post-quantum standard 2¹²⁸, and further attains the suggested threshold 2¹⁰²⁴of hyper quantum resilience.

The security requirements of cryptovaluation fulfill the advanced privacy demands beyond the post-quantum standards.

The security requirements of cryptovaluation prevent information from quantum attacks, including Grover's algorithm, quantum annealing and quantum Groebner-basis algorithm.

Please refer to FIG. 9. The present inventive concept further provides a system 10 for encryption and computation on a framework of exact homomorphic encryption, comprising:

a program 11 for executing the computer-implemented method based on a framework of exact homomorphic encryption according to the present inventive concept; and

a computing architecture 12, wherein the program 11 is deployed on the computing architecture 12.

According to the inventive concept, the computing architecture 12 may comprise a processing unit 121. The processing unit may be, but not limited to, for example, CPU, GPU, Tensor Processing Unit, Field Programmable Gate Array, Application-Specific Integrated Circuit, Quantum Processing Units, Neural Processing Unit, Trusted Platform Architecture, High-Bandwidth Memory, or the similar, or a combination thereof.

According to the present inventive concept, the program 11 for executing the computer-implemented method comprises a software 110 for exact homomorphic encryption, wherein the software 110 may comprise a first code 111 and a second code 112.

According to the present inventive concept, the first code 111 may be used for the message encryption.

According to the present inventive concept, the second code 112 may be used for executing the computer-implemented method based on a framework of exact homomorphic encryption.

In an embodiment of the present inventive concept, system for encryption and computation on a framework of exact homomorphic encryption may comprise a program comprising a EHE software for executing the method based on a framework of exact homomorphic encryption according to the present inventive concept; and a 64-bit computing architecture, wherein the program is deployed on the computing architecture.

In this embodiment, the EHE software may consist of two codes. The first code may be for IME and the second code may be for executing EHE inclusive of both encryptions of the message and computation.

Please refer to FIG. 10 which shows the test data of the message encryption according to an embodiment of the present inventive concept.

In this embodiment, two parameters of the public key custom-character _w,k(_en;z)P are put into the pair (k,w). As shown in Table 1, t_kg-sc, t_kg-mcand t_kg-sgdenote the key-generation times, t_en-sc, t_en-mcand t_en-sgdenote the encoding times, and t_de-sc, t_de-mcand t_de-sgdenotes the decoding times on the single-CPU, multi-CPUs and single-node GPU, respectively. The duration of reading and exchange of data is absorbed, which occupies around 4% in the key generation, 90% in the encoding and 2% in the decoding.

Due to their significantly higher degree of parallelism, larger memory capacity, and faster data transfer rates, the multi-CPU and single-node GPU platforms may achieve approximately a tenfold to twentyfold increase in efficiency for key generation and encoding compared to single-CPU systems. Nevertheless, regarding the decoding process involving elementary gates numbered linearly in w, operating on ciphertexts, it exhibits short and comparable execution times across all three platforms.

In this embodiment, a case involving the maximum parameter pair (6400,6440) is presented, which offers a robust encryption with a high level of security that remains challenging to achieve for existing post-quantum cryptosystems. Implemented within reasonable time increments of the key generation and the encoding, the sectional stratagem is equally well-adapted for the message encryption and is anticipated to further heighten the level of security.

Please refer to FIG. 11 which shows the test data of the cryptovaluations according to another embodiment of the present inventive concept.

Regarding the sectional cryptovaluation governed by the second code, the triplet (k, w, n) encodes the three parameters of the encrypted polynomial sets custom-character _n,w(_cv,q;z). To enable blind computation, it is essential that the encrypted functions remain indistinguishable during the computational process. To achieve this, the runtimes for generating the encrypted polynomials are carefully calibrated to be nearly identical.

In this embodiment, The number of sections is in the range n/2≤e≤4n on the single-CPU and n/8≤e≤n on the multi-CPUs and single-node GPU.

T_kg-sc, T_kg-mcand T_kg-sgdenote the longest task span of the polynomial generation among sections, T_evl-sc, T_evl-mcand T_evl-sgdenote the evaluation times, and T_de-sc, T_de-mcand T_de-sgdenote the decoding times on the single-CPU, multiple CPUs and single-node GPU, respectively.

The entire temporal course covers the time of data reading and communication, which conforms to the proportions the same as those of IME. As shown in FIG. 10, the increased parallelism, memory capacity, and bandwidth of multi-CPU and single-node GPU platforms result in a performance boost of 10 to 20 times for generating encrypted polynomial sets and performing polynomial evaluations compared to the baseline single-CPU system. Existing homomorphic encryption (HE) systems struggle to achieve similar efficiency gains, as their parallelism is largely constrained by the inherently sequential nature of recursive noise reduction.

In this embodiment, the deciphering times are comparable across the three computing platforms. The parameter triplet reaches a maximum of (256, 280, 400) on the single-CPU, (1536, 1560, 2400) on multiple CPUs and (1024, 1050, 1600) on the single-node GPU, respectively.

The method and system based on a framework of exact homomorphic encryption of the present inventive concept demonstrate a clear advantage in handling encrypted computations of significantly larger sizes, far surpassing the limitations of existing HE systems.

According to the present inventive concept, if the blindness is lifted from cryptovaluations of linear-k functions, conducted in simpler encryptions with fewer sections, the key-generation and encoding times may reduce by a factor of ten or more, and the plaintext size undergoes a minimum 1.5-fold expansion.

Additional improvements in processing speed and memory efficiency can be achieved with precise single-bit operations, rather than 64-bit computing units.

It is clearly that the performance of the present inventive concept becomes increasingly great as the scale of the problem grows, significantly outperforming existing HE systems. This superiority stems from the ability of the present inventive concept to leverage intrinsic parallelism across multiple stages, including circuit segmentation, polynomial generation, polynomial evaluation, and monomial calculation. Additionally, at the foundational level of machine code, the use of invertible gates proves highly suitable for developing energy-efficient systems.

Experimental findings showcase that EHE possesses the capability of performing encrypted computations of large sizes and sophistication over diverse functions.

The present inventive concept provides a method and a system based on a framework of exact homomorphic encryption, EHE, which merges two concepts, quantum computation and cryptography. Quantum gates are introduced to EHE, substituting for non-invertible logic operations used in finite computations. Each quantum gate acts on not only on quantum states conventionally, but also on variables to generate polynomials. This approach enables the implementation of message and computation encryption through an encryption transformation constructed from a randomly chosen product of quantum gates.

Due to the succinct duality relation of the EHE framework, the ciphertext is generated by evaluating a polynomial set on the input plaintext, while the result of an encrypted computation is obtained by evaluating an encrypted polynomial set on the ciphertext. Disparate to prolix cryptograms of the two major existing post-quantum cryptosystems, the size of ciphertext provided by the present inventive concept is compact.

The success of the method and the system based on a framework of EHE of the present inventive concept lies in two fundamental properties of quantum gates: invertibility and noncommutativity. Unlike the noisy schemes of existing homomorphic encryption, the present inventive concept achieves exact encrypted computations through the use of invertible gates, ensuring precise decryption that surpasses the noisy deciphering methods of current encryption systems.

Furthermore, blindness in homomorphic computations is achieved through the indiscernibility of encoded functions, thus protecting both data and operations, a feat not achievable in current HE When facing quantum adversarial attacks, the present inventive concept exceeds the standard quantum resilience threshold of 2¹²⁸and surpass the suggested hyper-quantum resilience benchmark of 2¹⁰²⁴. Since each activated gate preserves dimensionality, i.e., is dimension-one preserving, the present inventive concept is seamlessly implementable on classical computing environments without requiring quantum computers.

It is suggested to build EHE dedicated hardware holding the Massive Parallelism, Great Amount of Memory, Rapid Data Access-Transfer, Cores Affording Minimal Functionalities, and Accurate Single-Bit Computation through collaborative efforts with multinational corporations.

The EHE framework is deployable on a magnitude of applications, including, but no limited to, Military Defence, Governmental Affairs, Financial Services, Trustworthy AI, Medical Healthcare, Next-Generation Telecommunication, Low-Earth Orbit (LEO), Unmanned Aerial Vehicle (UAV), etc.; the strengths of EHE in each subject appreciably enhanced with dedicated hardware of portable devices forged via the miniaturization technology founded on Taiwan's leading semiconductor industry.

The foregoing descriptions of the detailed embodiments are only illustrated to disclose the features and functions of the present inventive concept and not restrictive of the scope of the present inventive concept. It should be understood to those in the art that all modifications and variations according to the spirit and principle in the disclosure of the present inventive concept should fall within the scope of the appended claims.

COMPUTER-IMPLEMENTED METHOD BASED ON FRAMEWORK OF EXACT HOMOMORPHIC ENCRYPTION AND SYSTEM ON FRAMEWORK OF EXACT HOMOMORPHIC ENCRYPTION

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

RELATED APPLICATIONS

Provisional Applications (1)