ELECTRIC DEVICE AND KEY SWITCHING METHOD THEREOF

Information

  • Patent Application
  • Publication Number
    20250023715
  • Date Filed
    June 05, 2024
  • Date Published
    January 16, 2025
Abstract
Disclosed is an electronic device. The electronic device includes: a memory in which an input encrypted message with dimension N is stored; and a processor configured to transform the input encrypted message with dimension N into an encrypted message with dimension N′, perform linear transformation on the encrypted message with dimension N′, and transform the encrypted message corresponding to a result value of the linear transformation into an output encrypted message with dimension N. Here, N is a value smaller than N′.
Description
TECHNICAL FIELD

The present disclosure relates to an electronic device and a key switching method thereof.


BACKGROUND ART

As communication technology develops and electronic devices spread, efforts are continuously made to maintain communication security between the electronic devices. Accordingly, encryption/decryption technology is used in most communication environments.


When messages encrypted by the encryption technology are delivered to the other party, the other party needs to perform decryption in order to use the messages. In this case, the other party wastes resources and time while decrypting the encrypted data. In addition, if a third party hacks the messages while the other party has temporarily decrypted them for calculation, there is a problem in that the messages may be easily leaked to the third party.


In order to solve this problem, a homomorphic encryption method is being studied. According to the homomorphic encryption method, even if a calculation is performed on encrypted messages themselves without decrypting the encrypted information, it is possible to obtain the same result as the encrypted value after a calculation on a plain text. Accordingly, various types of calculations may be performed without decrypting the encrypted messages. In this regard, a method for more effectively processing data in an encrypted state by homomorphic encryption is required.


DISCLOSURE
Technical Problem

An object of the present disclosure is to provide an electronic device capable of performing linear transformation by reducing the capacity of a switching key and a key switching method thereof.


Technical Solution

According to an aspect of the present disclosure, an electronic device includes: a memory in which an input encrypted message with dimension N is stored; and a processor configured to transform the input encrypted message with dimension N into an encrypted message with dimension N′, perform linear transformation on the encrypted message with dimension N′, and transform the encrypted message corresponding to a result value of the linear transformation into an output encrypted message with dimension N. Here, N is a value smaller than N′.


The input encrypted message may be a ring learning with error (RLWE) encrypted message. The processor may be configured to use module learning with error (MLWE) key switching to transform the RLWE encrypted message with dimension N into an MLWE encrypted message with dimension N′.


The processor may be configured to perform a rotate-sum operation on the MLWE encrypted message with dimension N′.


The processor may be configured to transform the MLWE encrypted message corresponding to the result value of the linear transformation into the RLWE encrypted message with dimension N using RLWE key switching.


The input encrypted message may be a multi-secret ring learning with error (MSRLWE) encrypted message. The processor may be configured to transform the MSRLWE encrypted message with dimension N into an MSRLWE encrypted message with dimension N′ using homomorphism and MSRLWE key switching.


The processor may be configured to perform a rotate-sum operation on the MSRLWE encrypted message with dimension N′.


The processor may be configured to transform the MSRLWE encrypted message corresponding to the result value of the linear transformation into the MSRLWE encrypted message with dimension N using MSRLWE key switching.


According to another aspect of the present disclosure, a key switching method of an electronic device includes: transforming the input encrypted message with dimension N into an encrypted message with dimension N′; performing linear transformation on the encrypted message with dimension N′; and transforming the encrypted message corresponding to a result value of the linear transformation into an output encrypted message with dimension N, in which N is a value smaller than N′.


The input encrypted message may be an RLWE encrypted message. In the transforming into the encrypted message with dimension N′, the RLWE encrypted message with dimension N may be transformed into the MLWE encrypted message with dimension N′ using the MLWE key switching.


In the performing, a rotate-sum operation may be performed on the MLWE encrypted message with dimension N′.


In the transforming into the output encrypted message with dimension N, the MLWE encrypted message corresponding to the result value of the linear transformation may be transformed into the RLWE encrypted message with dimension N using the RLWE key switching.


The input encrypted message may be an MSRLWE encrypted message. In the transforming into the encrypted message with dimension N′, the MSRLWE encrypted message with dimension N may be transformed into an MSRLWE encrypted message with dimension N′ using homomorphism and MSRLWE key switching.


In the performing, a rotate-sum operation may be performed on the MSRLWE encrypted message with dimension N′.


In the transforming into the output encrypted message with dimension N, the MSRLWE encrypted message corresponding to the result value of the linear transformation may be transformed into the MSRLWE encrypted message with dimension N using the MSRLWE key switching.


Advantageous Effects

According to various embodiments of the present disclosure, it is possible to increase efficiency in homomorphic encryption in that the capacity of a switching key required for linear transformation may be reduced.





DESCRIPTION OF DRAWINGS

The above and other aspects, features and advantages of characteristic embodiments of the present disclosure will become more apparent from the following description in conjunction with the accompanying drawings:



FIG. 1 is a diagram for describing a structure of a network system according to an embodiment of the present disclosure;



FIG. 2 is a block diagram illustrating a configuration of the electronic device according to an embodiment of the present disclosure;



FIG. 3 is a block diagram illustrating a detailed configuration of the electronic device according to an embodiment of the present disclosure;



FIG. 4 is a flowchart illustrating a key switching method of an electronic device according to an embodiment of the present disclosure;



FIG. 5 is a flowchart illustrating a method of performing, by an electronic device, key switching on an RLWE encrypted message according to an embodiment of the present disclosure; and



FIG. 6 is a flowchart illustrating a method of performing, by an electronic device, key switching on an MSRLWE encrypted message according to an embodiment of the present disclosure.





MODE FOR INVENTION

Hereinafter, the present disclosure will be described in detail with reference to the accompanying drawings. Encryption/decryption may be applied to an information (data) transmission process performed in the present disclosure if necessary, and all expressions describing the information (data) transmission process in the present disclosure and claims should be interpreted as including cases of encryption/decryption even if not separately stated. In the present disclosure, expressions such as “transmission (delivery) from A to B” or “A receiving from B” include transmission (delivery) or reception with another medium included therebetween, and do not necessarily express only what is directly transmitted (delivered) or received from A to B.


In the description of the present disclosure, the order of each step should be understood as non-limiting unless the preceding step needs to be logically and temporally performed necessarily before the following step. In other words, except for the above exceptional cases, even if the process described as the following step is performed before the process described as the preceding step, the nature of the disclosure is not affected, and the scope should also be defined regardless of the order of the steps. In the present disclosure, “A or B” is defined to mean not only selectively indicating either one of A and B, but also including both A and B. In addition, in the present disclosure, the term “include” has a meaning encompassing further including other components in addition to elements listed as included.


In this disclosure, only essential components necessary for the description of the present disclosure are described, and components unrelated to the essence of the present disclosure are not mentioned. In addition, it should not be interpreted as an exclusive meaning that includes only the mentioned components, but should be interpreted as a non-exclusive meaning that may include other components.


In addition, in the present disclosure, “value” is defined as a concept including a vector as well as a scalar value. In the present disclosure, the expressions such as “calculate,” and “compute” may be replaced by an expression that produces a result of the corresponding calculation or computation. In addition, unless otherwise stated, a calculation on an encrypted message to be described below means a homomorphic calculation. For example, an addition of a homomorphic encrypted message means a homomorphic addition of two homomorphic encrypted messages.


Terms including an ordinal number such as first, second, or the like, used in the present disclosure may be used to describe various components. However, these components are not limited to these terms. The terms are used only in order to distinguish one component from another component.


Mathematical operations and calculations of each step of the present disclosure to be described below may be implemented as computer calculations by the known coding method and/or coding designed to suit the present disclosure in order to perform the corresponding operations or calculations.


Singular forms may include plural forms unless the context clearly indicates otherwise.


Specific equations to be described below are illustratively described among possible alternatives, and the scope of the present disclosure should not be construed as being limited to equations mentioned in the present disclosure.


For convenience of description, the present disclosure may include the following marks and definitions.

    • s1, s2∈R: Each of s1 and s2 is an element belonging to set R.
    • mod(q): Modular operation with element q
    • ⌊·⌉: Round-off of the internal value
    • m: Message
    • When encrypted message ct=(α,β), an a-part of ct is α, and a b-part of ct is β.
    • R: Ring
    • Z: Set of integers
    • Z[x]: Set of integer coefficient polynomials, Z[x]=(a_0+a_1x+ . . . +a_kx^k | ∀j, a_j∈Z)
    • Z_Q[x]: Set of remainders obtained by dividing the set of integer coefficient polynomials by Q
    • R=Z[x]/(f(x)): For an integer coefficient polynomial f(x), the quotient ring obtained by imposing the rule f(x)=0 on Z[x], that is, the set of remainders obtained by dividing Z[x] by f(x). For example, R_N=Z[x_N]/(x_N^N+1) and R_{Q,N}=Z_Q[X_N]/(X_N^N+1).


For modulus Q=Q_0Q_1 . . . Q_{d−1}, the map [·]_{Q_j}: R_{Q,N}→R_N is the remainder obtained on division by Q_j. That is, [a]_{Q_j}=a (mod Q_j), and each coefficient of [a]_{Q_j} belongs to (−Q_j/2, Q_j/2).


The switching key refers to a public key required to restore the original structure of the encrypted message that has been transformed by a calculation in homomorphic encryption. The process of transforming an encrypted message encrypted with a secret key s into an encrypted message encrypted with another secret key s′ is called key switching.


A modulus QP of the switching key is composed of Q, which is the modulus of the encrypted message subject to key switching, and a temporary modulus P. The product QP should be lower than a modulus limit determined by the degree N. In this case, the gadget rank is d=log(Q)/log(P).


Residual number system (RNS) gadget decomposition: Given R_N=Z[x_N]/(x_N^N+1), R_{Q,N}=Z_Q[X_N]/(X_N^N+1), and modulus Q=Q_0Q_1 . . . Q_{d−1}, a function h: R_{Q,N}→R_N^d may be defined as h(a)=([a]_{Q_0}, . . . , [a]_{Q_{d−1}}). Here, [a]_{Q_j} is the remainder obtained by dividing a by Q_j. In this case, h may be referred to as the RNS gadget decomposition of gadget rank d for the given modulus Q.
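
The RNS gadget decomposition h defined above, worked through on a small polynomial as an added example (not code from the patent). The three moduli and the sample coefficients are constructed for illustration; the reconstruction step uses the Chinese remainder theorem, which the text does not spell out.

```python
from math import gcd, prod


def center(a, q):
    """Representative of a mod q in (-q/2, q/2); q is assumed odd."""
    r = a % q
    return r - q if r > q // 2 else r


def rns_decompose(poly, moduli):
    """h(a) = ([a]_{Q_0}, ..., [a]_{Q_{d-1}}), applied to every coefficient of a."""
    for i, qi in enumerate(moduli):
        for qj in moduli[i + 1:]:
            if gcd(qi, qj) != 1:
                raise ValueError("moduli must be pairwise coprime")
    return [[center(c, qj) for c in poly] for qj in moduli]


def rns_reconstruct(parts, moduli):
    """Invert h with the Chinese remainder theorem; returns centered coefficients mod Q."""
    big_q = prod(moduli)
    out = []
    for residues in zip(*parts):
        acc = 0
        for r, qj in zip(residues, moduli):
            q_hat = big_q // qj                      # product of the other moduli
            acc += r * q_hat * pow(q_hat, -1, qj)    # CRT basis element times residue
        out.append(center(acc, big_q))
    return out


# Constructed sample: Q = 97 * 101 * 103 = 1009091, so the gadget rank is d = 3.
MODULI = [97, 101, 103]
SAMPLE = [123456, -400000, 7, 1009090]   # coefficients of a, lowest degree first

if __name__ == "__main__":
    parts = rns_decompose(SAMPLE, MODULI)
    for qj, limb in zip(MODULI, parts):
        print(f"[a] mod {qj} = {limb}")
    print("reconstructed:", rns_reconstruct(parts, MODULI))
```

Every limb coefficient stays below Q_j/2 in absolute value regardless of how large Q is, and the d limbs together still determine a modulo Q.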


Hereinafter, diverse embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.



FIG. 1 is a diagram for describing a structure of a network system according to an embodiment of the present disclosure.


Referring to FIG. 1, a network system may include a plurality of electronic devices 10-1 to 10-n, a first server device 20, and a second server device 30, and devices may be connected to each other through a network 1.


The network 1 may be implemented in various types of wired and wireless communication networks, broadcasting communication networks, optical communication networks, cloud networks, etc., and each device may also be connected through methods such as Wi-Fi, Bluetooth, Near Field Communication (NFC), etc., without a separate medium.


Although FIG. 1 illustrates a plurality of electronic devices 10-1 to 10-n, the plurality of electronic devices are not necessarily used, and one device may be used. For example, the electronic devices 10-1 to 10-n may be implemented as various types of devices such as smart phones, tablets, game players, PCs, laptop PCs, home servers, and kiosks. In addition, the electronic devices 10-1 to 10-n may be implemented in the form of home appliances to which an IoT function is applied.


Users may input various information through the electronic devices 10-1 to 10-n they use. The input information may be stored in the electronic devices 10-1 to 10-n themselves, but may also be transmitted to and stored in an external electronic device for storage capacity and security reasons. In FIG. 1, the first server device 20 may serve to store such information, and the second server device 30 may serve to use some or all of the information stored in the first server device 20.


Each of the electronic devices 10-1 to 10-n may perform homomorphic encryption on the input information and transmit the homomorphic encrypted message to the first server device 20.


Each of the electronic devices 10-1 to 10-n may include encryption noise, i.e., an error, calculated in the process of performing homomorphic encryption in an encrypted message. Specifically, the homomorphic encrypted messages generated by each of the electronic devices 10-1 to 10-n may be generated in a form in which a result value including a message and an error value is restored when decrypted later using a secret key.


For example, the homomorphic encrypted messages generated by the electronic devices 10-1 to 10-n may be generated in a form that, when decrypted using a secret key, satisfies the property in Equation 1 below.





Dec(ct,sk)=<ct,sk>=M+e(mod q)  [Equation 1]


Here, <,> denotes a usual inner product, ct denotes an encrypted message, sk denotes a secret key, M denotes a message, e denotes an encryption error value, and mod q denotes a modulus of an encrypted message. q should be selected to be larger than a result value M obtained by multiplying a scaling factor Δ by a message. When an absolute value of the error value e is sufficiently small compared to M, a decryption value M+e of the encrypted message is a value that may replace the original message with the same precision in significant figure calculation. Among the decrypted data, an error may be arranged on the least significant bit (LSB) side, and M may be arranged on the next least significant bit side.


When the size of the message is too small or too large, the size may be adjusted using the scaling factor. When the scaling factor is used, not only an integer type message but also a real number type message may be encrypted, and thus, the usability of the message may be greatly increased. In addition, by adjusting the size of the message using the scaling factor, a size of an area where messages exist in the encrypted message after the calculation is made, that is, a size of an effective area may also be adjusted.


According to the embodiment, a modulus q of the encrypted message may be set and used in various forms. For example, the modulus of the encrypted message may be set in the form of an exponential power q=Δ^L of the scaling factor Δ. When Δ is 2, q may be set to a value such as q=2^10.


In addition, the homomorphic encrypted message according to the present disclosure is described on the assumption that a fixed point is used, but may be applied even when a floating point is used.


The first server device 20 may store the received homomorphic encrypted message in an encrypted message state without decrypting.


The second server device 30 may request a specific processing result for the homomorphic encrypted message from the first server device 20. The first server device 20 may perform specific calculation according to the request of the second server device 30 and then transmit the result to the second server device 30.


For example, when encrypted messages ct1 and ct2 transmitted by the two electronic devices 10-1 and 10-2 are stored in the first server device 20, the second server device 30 may request, from the first server device 20, a value obtained by summing information provided from the two electronic devices 10-1 and 10-2. The first server device 20 may perform a calculation for summing the two encrypted messages according to the request, and then transmit the result value ct1+ct2 to the second server device 30.


Due to the nature of the homomorphic encrypted message, the first server device 20 may perform the calculation without the decryption, and the result value is also in the form of an encrypted message. In the present disclosure, the result value acquired by the calculation is referred to as a calculation result encrypted message.


The first server device 20 may transmit the calculation result encrypted message to the second server device 30. The second server device 30 may decrypt the received calculation result encrypted message and acquire calculation result values of data included in each homomorphic encrypted message.


The first server device 20 may perform the calculation several times according to a user request. In this case, proportions of approximate messages within the calculation result encrypted messages acquired for each calculation are different. The first server device 20 may perform a bootstrapping operation when the proportions of the approximate messages exceed a threshold value. In this way, the first server device 20 may be referred to as a calculation device in that it may perform a calculation operation.


Specifically, when q is less than M in Equation 1 described above, since M+e (mod q) has a different value from M+e, the decryption becomes impossible. Therefore, the q value should always be kept greater than M. However, as the calculation progresses, the q value gradually decreases. Therefore, an operation of changing the q value so that the q value is always greater than M is required, and this operation is called the bootstrapping operation. As the bootstrapping operation is performed, the encrypted message may become calculable again.


Meanwhile, FIG. 1 illustrates a case where the electronic devices 10-1 to 10-n perform the encryption and the second server device 30 performs the decryption, but is not necessarily limited thereto.



FIG. 2 is a block diagram illustrating a configuration of the electronic device according to an embodiment of the present disclosure.


Referring to FIG. 2, the electronic device 100 may include a memory 110 and a processor 120. The electronic device 100 according to the present disclosure may be the electronic devices 10-1 to 10-n illustrated in FIG. 1, the first server device 20, or the second server device 30.


The memory 110 is a component for storing an O/S for driving the electronic device 100 or various instructions and/or software, data, etc., related to the generation and calculation processing of the homomorphic encrypted message to be described later. The memory 110 may be implemented in various forms such as RAM, ROM, flash memory, HDD, external memory, and memory card, but is not limited to any one.


The memory 110 stores the message to be encrypted. The message may be replaced by an expression, for example, plain text, plain text message, etc.


For example, the message may be various types of credit information, personal information, and the like by a user, and may also be information related to location information used in the electronic device 100 and a use history such as Internet usage time information. However, the present disclosure is not limited thereto, and the message may include various types of information.


The memory 110 may store a public key. When the electronic device 100 directly generates the public key, the memory 110 may store not only a secret key, but also various parameters necessary for generating the public key and the secret key.


In addition, the memory 110 may store an encrypted message (e.g., a homomorphic encrypted message). The encrypted message may be generated by the electronic device 100 or may be generated by an external electronic device.


The processor 120 may control the overall operation of the electronic device 100. For example, the processor 120 may control to perform various operations of the electronic device 100 by executing at least one instruction stored in the memory 110. For example, the electronic device 100 may generate a homomorphic encrypted message and store the generated homomorphic encrypted message. In addition, the electronic device 100 may acquire the message by decrypting the homomorphic encrypted message. In addition, the electronic device 100 may transmit the homomorphic encrypted message to an external electronic device. In addition, the electronic device 100 may perform the calculation on the homomorphic encrypted message to acquire the operation result value and transmit the calculation result value to the external electronic device. In addition, the electronic device 100 may receive the homomorphic encrypted message from the external electronic device and store the received homomorphic encrypted message. For example, the processor 120 may be composed of a single device such as a central processing unit (CPU) and an application-specific integrated circuit (ASIC), or may be composed of a plurality of devices such as a CPU and a graphics processing unit (GPU).


For example, when the message is input, the processor 120 stores the message in the memory 110. The processor 120 may use various setting values and programs stored in the memory 110 to homomorphically encrypt the message. In this case, the public key may be used.


The processor 120 may generate and use a public key required to perform encryption by itself, or may receive and use the public key from an external electronic device. For example, the second server device 30 that performs the decryption may distribute a public key to other devices.


When generating a key by itself, the processor 120 may generate a public key using a ring learning with error (RLWE) technique. Specifically, the processor 120 may first set various parameters and rings and store the parameters and rings in the memory 110. Examples of the parameters may include a length of a message bit, a dimension, a rank, sizes of public and secret keys, and the like. There are various formats for the homomorphic encrypted message, and the processor 120 may set the ring for the encrypted message scheme selected by the user or predetermined in advance. For example, the above-described homomorphic encrypted message scheme may be a CKKS scheme, an RLWE scheme, etc.


The ring may be expressed as Equation 2 below:









R=Z_q[X]/f(x)  [Equation 2]







Here, R denotes a ring, Zq denotes a coefficient, and f(x) denotes an n-th polynomial.


The ring is a set of polynomials having predetermined coefficients, and means a set in which addition and multiplication are defined between elements and which is closed for addition and multiplication. Such a ring may be referred to as an annulus.


For example, the ring means a set of n-th polynomials having a coefficient Zq. Specifically, when n is Φ(N), it refers to polynomials that may be calculated as the remainder of dividing the polynomial by an N-th cyclotomic polynomial. f(x) denotes the ideal of Zq[x] generated by f(x). The Euler totient function Φ(N) means the number of natural numbers that are coprime to N and smaller than N. When Φ_N(x) is defined as an N-th cyclotomic polynomial, the ring may also be represented by Equation 3 as follows.









R=Z_q[X]/Φ_N(x)  [Equation 3]







When such a ring is established, the processor 120 may calculate the secret key sk from the ring as Equation 4 below.










sk (1, s(x)), s(x) R  [Equation 4]







Here, s(x) means a polynomial generated randomly with small coefficients.


When the ring and secret key are selected, the processor 120 calculates a first random polynomial a(x) from the ring. The first random polynomial may be expressed by Equation 5 below.










a(x) R  [Equation 5]







In addition, the processor 120 may calculate an error. Specifically, the processor 120 may extract an error from a discrete Gaussian distribution or a distribution statistically close to the discrete Gaussian distribution. This error may be expressed by Equation 6 below.










e(x) D_{αq}^n  [Equation 6]







When the error is calculated, the processor 120 may calculate a second random polynomial by performing a modular operation on the first random polynomial, the secret key, and the error. The second random polynomial may be expressed by Equation 7 below.










b(x)=−a(x)s(x)+e(x) (mod q)  [Equation 7]







Finally, the public key pk is set to include the first random polynomial and the second random polynomial, as Equation 8 below.









pk=(b(x), a(x))  [Equation 8]







Since the above-described key generation method is only an example, it is not necessarily limited thereto, and it goes without saying that the public key and the secret key may be generated by other methods.


The processor 120 may homomorphically encrypt the message and generate the homomorphic encrypted message for the message. Specifically, the processor 120 may generate the homomorphic encrypted message by applying the previously generated public key to the message. In this case, the processor 120 may generate the length of the encrypted message to correspond to the size of the scaling factor.


For example, the processor 120 may generate the secret key and the public key based on various parameters. Also, when it is necessary to generate the encrypted message for the message, the processor 120 may apply the public key to the message to generate the homomorphic encrypted message. For example, the processor 120 may transform a message into a polynomial form and apply the public key to the message in the transformed polynomial form to generate the homomorphic encrypted message.


The processor 120 may store the generated homomorphic encrypted message in the memory 110. In addition, the processor 120 may transmit the homomorphic encrypted message to the external electronic device according to a user request or a preset default command. For example, the processor 120 may transmit the homomorphic encrypted message to the first server device 20.


The processor 120 may decrypt the homomorphic encrypted message to generate the message. For example, when the homomorphic encrypted message needs to be decrypted, the processor 120 may apply a secret key to the homomorphic encrypted message to generate a polynomial-type decrypted message, and decode the polynomial-type decrypted message to generate a message. In this case, the generated message may include an error as mentioned in Equation 1 described above.


In addition, the processor 120 may perform the calculation on the encrypted message. In this case, the processor 120 may perform calculations such as addition or multiplication on the homomorphic encrypted message while maintaining the encrypted state. For example, when the calculation on the homomorphic encrypted message is required, the processor 120 may perform the addition or multiplication calculation on the plurality of homomorphic encrypted messages that the user requests.
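
The key generation of Equations 4 to 8, decryption per Equation 1, and the ct1+ct2 sum described for FIG. 1, put together as an added toy example (not code from the patent). Assumptions: f(x)=X^n+1 with n=16, ternary s(x), a rounded Gaussian in place of the discrete Gaussian, messages encoded directly as scaled coefficients, and the textbook RLWE encryption ct=(v·b+e0+M, v·a+e1), which the text does not give; the parameters are far too small to be secure.

```python
import random

N = 16             # ring degree n; R = Z_q[X]/(X^n + 1). Toy size, not secure.
DELTA = 2 ** 20    # scaling factor Δ
Q = DELTA ** 3     # ciphertext modulus q = Δ^L with L = 3


def center(c):
    """Representative of c mod q in [-q/2, q/2)."""
    c %= Q
    return c - Q if c >= Q // 2 else c


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Product in Z_q[X]/(X^n + 1): X^n wraps around to -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < N:
                out[i + j] += x * y
            else:
                out[i + j - N] -= x * y
    return [c % Q for c in out]


def small_poly(rng):
    """Random polynomial with coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def error_poly(rng, sigma=3.2):
    """Rounded Gaussian, standing in for the discrete Gaussian of Equation 6."""
    return [round(rng.gauss(0, sigma)) for _ in range(N)]


def keygen(rng):
    s = small_poly(rng)                               # sk = (1, s(x)), Equation 4
    a = [rng.randrange(Q) for _ in range(N)]          # a(x) drawn from R, Equation 5
    e = error_poly(rng)                               # e(x), Equation 6
    b = poly_add([-c for c in poly_mul(a, s)], e)     # b = -a*s + e (mod q), Equation 7
    return (b, a), s                                  # pk = (b(x), a(x)), Equation 8


def encrypt(pk, values, rng):
    """Assumed textbook RLWE encryption: ct = (v*b + e0 + M, v*a + e1)."""
    b, a = pk
    m = [round(x * DELTA) for x in values] + [0] * (N - len(values))
    v = small_poly(rng)
    c0 = poly_add(poly_add(poly_mul(v, b), error_poly(rng)), m)
    c1 = poly_add(poly_mul(v, a), error_poly(rng))
    return c0, c1


def decrypt(ct, s):
    """Equation 1: <ct, sk> = c0 + c1*s = M + e (mod q), then divide by Δ."""
    c0, c1 = ct
    return [center(c) / DELTA for c in poly_add(c0, poly_mul(c1, s))]


def add(ct1, ct2):
    """Homomorphic addition: component-wise sum of the two ciphertexts."""
    return poly_add(ct1[0], ct2[0]), poly_add(ct1[1], ct2[1])


if __name__ == "__main__":
    rng = random.Random(1)   # fixed seed for a repeatable demo; use a CSPRNG in practice
    pk, sk = keygen(rng)
    ct1 = encrypt(pk, [1.5, -2.25, 3.0], rng)
    ct2 = encrypt(pk, [0.5, 4.0, -1.0], rng)
    print([round(x, 3) for x in decrypt(add(ct1, ct2), sk)[:3]])
    # M = Δ * value must stay below q; here Δ * 2^40 = q, so M wraps to 0.
    print(decrypt(encrypt(pk, [2 ** 40], rng), sk)[0])
```

The last call shows the failure mode behind the requirement that q stay larger than M: once the scaled message reaches q, decryption returns only the error term.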


As described above, the electronic device 100 according to the present embodiment may generate the homomorphic encrypted message for the message, and may improve the stability of the message even when the calculation is required. In addition, since the generated homomorphic encrypted message includes errors, stable security may be maintained even for biometric information that requires high security.


Meanwhile, when the calculation is completed, the processor 120 may detect data in an effective area from the calculation result data. Specifically, the processor 120 may detect the data in the effective area by performing rounding processing on the calculation result data. The rounding processing means rounding-off a message in an encrypted state, and may also be referred to as rescaling.


Specifically, the processor 120 removes a noise area by multiplying each component of the encrypted message by Δ^−1, which is the reciprocal of the scaling factor, and rounding off each component of the encrypted message. The noise area may be determined to correspond to the size of the scaling factor. As a result, it is possible to detect a message in the effective area from which the noise area is excluded. Since it proceeds in the encrypted state, an additional error occurs, but the size is small enough to be ignored.



FIG. 3 is a block diagram illustrating a detailed configuration of the electronic device according to an embodiment of the present disclosure.


Referring to FIG. 3, the electronic device 100 may include the memory 110, the processor 120, a communication device 130, a manipulation input device 140, and a display 150. However, such components are only examples, and new components may be added to such components or some of such components may be omitted in practicing the disclosure. A detailed description for components overlapping components illustrated in FIG. 2 among components illustrated in FIG. 3 will be omitted.


The communication device 130 may perform data communication with the external electronic device under the control of the processor 120. The external electronic device may include the electronic device (e.g., electronic devices 10-1 to 10-n in FIG. 1), the server device (e.g., the first server device 20 and the second server device 30 in FIG. 1), etc.


The communication device 130 may connect the electronic device 100 to the external electronic device. For example, the electronic device 100 may be connected to the external electronic device through a local area network (LAN) or an Internet network, or connected to the external electronic device via a universal serial bus (USB) port or a wireless communication (e.g., WiFi 802.11a/b/g/n, NFC, Bluetooth) port. Such a communication device 130 may also be referred to as a transceiver.


For example, the communication device 130 may include a communication circuit that uses at least one of the data communication methods including wired LAN, wireless LAN, Wi-Fi, Wi-Fi Direct, Bluetooth, ZigBee, Wi-Fi direct (WFD), and infrared data association (IrDA), Bluetooth low energy (BLE), near field communication (NFC), wireless broadband Internet (Wibro), world interoperability for microwave access (WiMAX), shared wireless access protocol (SWAP), wireless gigabit alliances (WiGig), and RF communications to perform data communication between the electronic device 100 and the external electronic device.


The communication device 130 may receive the public key from the external device and may transmit the public key generated by the electronic device 100 to the external electronic device.


The communication device 130 may receive a message from an external electronic device and transmit the generated homomorphic encrypted message to the external electronic device. Also, the communication device 130 may receive various parameters required for generating an encrypted message from the external electronic device. In addition, the communication device 130 may transmit the calculation result encrypted message to the external electronic device. In addition, the communication device 130 may receive the homomorphic encrypted message from the external electronic device.


The manipulation input device 140 may select a function of the electronic device 100 and receive a control command for the function from the user. For example, the manipulation input device 140 may receive parameters necessary for generating a secret key and a public key from the user. Also, the manipulation input device 140 may receive the message to be encrypted from the user.


The manipulation input device 140 may include various types of input devices. For example, the manipulation input device 140 may be implemented as a keyboard, a mouse, a touch screen, etc.


The display 150 displays a user interface window for selecting a function supported by the electronic device 100. For example, the display 150 may display a user interface window for selecting various functions provided by the electronic device 100. This display 150 may be a monitor such as LCD, CRT, OLED, etc., and may also be implemented as a touch screen that may simultaneously perform the functions of the manipulation input device 140.


The display 150 may display a user interface for requesting input of parameters necessary for generating a secret key and a public key. In addition, the display 150 may display a user interface for selecting a message to be encrypted. Meanwhile, in implementation, the encryption target may be directly selected by a user or may be automatically selected. That is, personal information or the like that requires encryption may be automatically set as the encryption target even if a user does not directly select a message.


Meanwhile, in a homomorphic encryption scheme such as CKKS based on RLWE, the maximum modulus of the encrypted message and the public key (e.g., switching key) may be determined according to the degree (e.g., ring degree) N. For example, the higher the degree, the higher the maximum modulus may be. Accordingly, the gadget decomposition may be used to design practical homomorphic encryption parameters without excessively increasing the degree. In this case, the capacity (e.g., size) of the switching key increases in proportion to the gadget rank.


In the homomorphic encryption, each time the multiplication operation is performed, some of the storage capacity (e.g., modulus) of the encrypted message is consumed. Therefore, when the modulus becomes too low, the multiplication operation may no longer be performed. To compensate for this, the modulus may be restored through the bootstrapping process so that the multiplication operation may continue to be performed. The homomorphic encryption to which the bootstrapping is applied is called fully homomorphic encryption.


Meanwhile, the gadget rank increases to maximize the number of times of possible operations (e.g., multiplication) after the bootstrapping. As a result, the capacity of the switching key increases, and thus, the efficiency decreases.


To solve this problem, in the present disclosure, the key switching may be performed using the switching key with a higher degree and a lower gadget rank. Accordingly, there is an advantage in that the capacity of the switching key decreases. The method may be particularly effective in reducing the capacity of the switching key required for linear transformation during the bootstrapping process. However, the present disclosure is not limited thereto.



FIG. 4 is a flowchart illustrating a key switching method of an electronic device according to an embodiment of the present disclosure.


In operation S410, the processor 120 may transform an input encrypted message with dimension N into an encrypted message with dimension N′. Here, N may be a value smaller than N′. That is, dimension N′ may be a higher dimension than dimension N. For example, N′=2N. However, the present disclosure is not limited thereto, and N<N′. The encrypted message with dimension N is an encrypted message encrypted with a secret key of dimension N, and the encrypted message with dimension N′ is an encrypted message encrypted with a secret key of dimension N′.


In operation S420, the processor 120 may perform the linear transformation on the encrypted message with dimension N′.


In operation S430, the processor 120 may transform the encrypted message corresponding to the result value of the linear transformation into the output encrypted message with dimension N.


Hereinafter, the method of performing, by the electronic device 100, key switching will be described in more detail.


In the present disclosure, for the modulus $Q$ of the input encrypted message and the modulus $Q'$ of the output encrypted message, $Q = Q_0 Q_1 \cdots Q_{d-1} = Q'_0 Q'_1 \cdots Q'_{d'-1} = Q'$, and the temporary moduli corresponding to dimensions $N$ and $N'$ are called $P$ and $P'$, respectively. The gadget decompositions corresponding to the dimensions $N$ and $N'$ are called $h(a) = ([a]_{Q_0}, \ldots, [a]_{Q_{d-1}})$ and $h'(a) = ([a]_{Q'_0}, \ldots, [a]_{Q'_{d'-1}})$, respectively. In the dimensions $N$ and $N'$, the gadget ranks are $d$ and $d'$, respectively. Here, $d > d'$.


According to embodiments of the present disclosure, the input encrypted message may be an RLWE encrypted message with dimension N or a multi-secret RLWE (MSRLWE) encrypted message with dimension N.


Hereinafter, a method of performing, by the electronic device 100, key switching on an RLWE encrypted message with dimension N will be described with reference to FIG. 5, and a method of performing, by the electronic device 100, key switching on a MSRLWE encrypted message with dimension N will be described with reference to FIG. 6.



FIG. 5 is a flowchart illustrating a method of performing, by an electronic device, key switching on an RLWE encrypted message according to an embodiment of the present disclosure.


When an RLWE encrypted message $ct = (a, b) \in R_{Q,N}^2$ is the encrypted message encrypting a message $m \in R_N$ using a secret key $s \in R_N$, then $b = -as + m + e$ for a small error $e \in R_N$, and it may be expressed as $ct = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_s(m)$. The degree of the RLWE encrypted message is $N$, and the modulus is $Q$. The dimension of the RLWE encrypted message is the same as the degree.


In operation S510, the processor 120 may transform the RLWE encrypted message with dimension N into the MLWE encrypted message with dimension N′ using the MLWE key switching.


When an MLWE encrypted message $ct = (\vec{a}, b) \in R_{Q,N}^{r+1}$ is the encrypted message encrypting the message $m \in R_N$ using the secret key $\vec{s} \in R_N^r$, then $b = -\langle \vec{a}, \vec{s} \rangle + m + e$ for a small error $e \in R_N$, and it may be expressed as $ct = \mathrm{MLWE}_{Q,N,r}.\mathrm{Enc}_{\vec{s}}(m)$. The degree of the MLWE encrypted message is $N$, the rank is $r$, and the modulus is $Q$. The dimension of the MLWE encrypted message is the product of the degree and the rank ($= N \times r$).


Specifically, the processor 120 may apply MLWE naive key switching using DimensionSwitchKey to the RLWE encrypted message with dimension N, thereby transforming the RLWE encrypted message with dimension N into the MLWE encrypted message with dimension N′.


Hereinafter, the MLWE naive key switching will be described.


To describe the MLWE naive key switching, first, the MLWE switching key will be described.


For example, the MLWE switching key (e.g., RNS-gadget decomposed MLWE switching key) with degree N and rank r may be defined as Equation 9 below.









$$\mathrm{SwitchingKey} = \left\{ \left( \vec{a}_k,\; -\langle \vec{a}_k, \vec{s}' \rangle + P\hat{Q}_k s + e_k \right) \right\}_{0 \le k < d} \qquad \text{[Equation 9]}$$


Here, $\hat{Q}_k = \prod_{j=0,\, j \neq k}^{d-1} Q_j$, and $\vec{a}_k \in R_{QP,N}^r$, $\vec{s}' \in R_N^r$, $s \in R_N$. $d$ is the gadget rank. The MLWE switching key in Equation 9 above may be a switching key for transforming an encrypted message encrypted with the secret key $s$ into an encrypted message encrypted with a secret key $\vec{s}'$. This MLWE switching key may be expressed as $\mathrm{MLWE.SwitchingKey}^{h,N,r}_{\vec{s} \to \vec{s}'}$.


In this case, the MLWE naive key switching may be composed of the following processes 1) to 3). Here, it is assumed that the input encrypted message of the MLWE naive key switching is $ct_{input} = (\alpha, \beta) = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_s(m)$, the output encrypted message is $ct_{output} = (\vec{\alpha}', \beta') = \mathrm{MLWE}_{Q,N,r}.\mathrm{Enc}_{\vec{s}'}(m)$, and the switching key is $\mathrm{MLWE.SwitchingKey}^{h,N,r}_{s \to \vec{s}'}$. The dimension of the input encrypted message (i.e., RLWE encrypted message) is $N$. The degree of the output encrypted message (i.e., MLWE encrypted message) is $N$, and the rank is $r$. The degree of the switching key (i.e., MLWE switching key) is $N$, and the rank is $r$.


Process 1) is the process of calculating modUp of the a-part of the input encrypted message, that is, the RLWE encrypted message. For example, when the RLWE encrypted message is $ct_{input} = (\alpha, \beta)$, the a-part of $ct_{input}$ is $\alpha \in R_{Q,N}$. In this case, $\mathrm{modUp}(\alpha)$ may be calculated for $\alpha$. Calculating $\mathrm{modUp}(\alpha)$ means calculating $\mathrm{modUp}(\alpha)_k = \mathrm{BaseConv}_{Q_k \to QP}([\alpha \cdot \hat{Q}_k^{-1}]_{Q_k}) \in R_{QP,N}$ for $0 \le k < d$. Here, $\mathrm{BaseConv}_{Q_k \to QP}$ may refer to a transformation that assumes that the value $[\alpha]_{Q_k}$, the remainder obtained by dividing $\alpha$ by $Q_k$, belongs to $R_N$, and embeds $[\alpha]_{Q_k}$ belonging to $R_N$ into $R_{QP,N}$.


Process 2) is the process of performing the dot product on the modUP value and the switching key, that is, the MLWE switching key. For example, the process of performing the dot product on the modUP value and the MLWE switching key may be expressed as Equation 10 below.











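$$ct_2 \leftarrow \mathrm{modUp}(\alpha) \cdot \mathrm{MLWE.SwitchingKey}^{h,N,r}_{s \to \vec{s}'} = \sum_{0 \le k < d} \mathrm{modUp}(\alpha)_k \cdot \left( \vec{a}_k,\; -\langle \vec{a}_k, \vec{s}' \rangle + P\hat{Q}_k s + e_k \right) \qquad \text{[Equation 10]}$$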







Process 3) is the process of calculating the modDown value of the dot product result value and combining the modDown value with a b-part of the RLWE encrypted message ctinput.


For example, when the dot product result value is $ct_2 = (\vec{A}, B)$, the modDown value may be calculated as Equation 11 below. Here, $\vec{A} = (A_0, \ldots, A_{r-1})$.











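$$\begin{aligned} \mathrm{modDown}(A_j) &= [P]_Q^{-1} \cdot \left( [A_j]_Q - \mathrm{BaseConv}_{P \to Q}([A_j]_P) \right) \\ \mathrm{modDown}(B) &= [P]_Q^{-1} \cdot \left( [B]_Q - \mathrm{BaseConv}_{P \to Q}([B]_P) \right) \end{aligned} \qquad \text{[Equation 11]}$$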







Thereafter, by combining the modDown value with the b-part of the RLWE encrypted message $ct_{input}$, the output encrypted message, that is, the MLWE encrypted message, may be acquired. For example, when the RLWE encrypted message is $ct_{input} = (\alpha, \beta)$, the b-part of $ct_{input}$ is $\beta$. In this case, the output encrypted message, that is, the MLWE encrypted message $ct_{output} = (\vec{\alpha}', \beta')$, may be acquired as Equation 12 below.














$$\vec{\alpha}' \leftarrow \mathrm{modDown}(\vec{A}), \qquad \beta' \leftarrow \mathrm{modDown}(B) + \beta \qquad \text{[Equation 12]}$$







The processor 120 may transform the RLWE encrypted message with dimension N into the MLWE encrypted message with dimension N′ using the MLWE naive key switching described above.


Specifically, the processor 120 may apply MLWE naive key switching using DimensionSwitchKey to the RLWE encrypted message with dimension N, thereby transforming the RLWE encrypted message with dimension N into the MLWE encrypted message with dimension N′.


In this case, $\mathrm{DimensionSwitchKey} = \mathrm{MLWE.SwitchingKey}^{h',N,N'/N}_{s \to \vec{s}'}$ may be used as the switching key in the above-described MLWE naive key switching. In addition, when the input encrypted message of the MLWE naive key switching using the DimensionSwitchKey is $ct_{input} = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_s(m)$, the output encrypted message of the MLWE naive key switching using the DimensionSwitchKey may be expressed as $ct_1 = \mathrm{MLWE}_{Q,N,N'/N}.\mathrm{Enc}_{\vec{s}^*}(m)$.


Through the MLWE naive key switching, the RLWE encrypted message encrypted with the secret key $s$ may be transformed into the MLWE encrypted message encrypted with the secret key $\vec{s}^*$. In this case, the dimension of the RLWE encrypted message $ct_{input}$ is $N$, the rank is 1, and the degree is $N$. The dimension of the MLWE encrypted message $ct_1$ is $N'$, the rank is $N'/N$, and the degree is $N$. The temporary secret key $\vec{s}^* \in R_N^{N'/N}$ is an MLWE secret key with degree $N$ and rank $N'/N$, which is valid in dimension $N'$. The RLWE-compatible secret key obtained by transforming the temporary secret key $\vec{s}^*$ through a process such as the linear transformation is expressed as $s^* \in R_{N'}$.


In operation S520, the processor 120 may perform the linear transformation on the encrypted message with dimension N′.


For example, the linear transformation may include the rotate-sum operation. That is, the processor 120 may perform the rotate-sum operation on the MLWE encrypted message with dimension N′.


The rotate-sum operation may be defined as Equation 13 below.











$$\mathrm{RotSum}_{idx}(m) = \sum_{0 \le j < l} m^{\rho_{idx_j}} \qquad \text{[Equation 13]}$$


Here, $idx = \{idx_0, \ldots, idx_l\} \subset \mathbb{Z}_{N/2}$. When the rotation in the CKKS scheme is $\rho: R_N \to R_N$, $\rho(a(x)) = a^{\rho} = a(x^5)$, $\rho$ is a transformation that permutes the coefficients of the polynomial, and therefore may be equally applied to $R_{Q,N}$. Here, $\rho_j(a) = a^{\rho_j}$ is the rotation of $a(x)$ by index $j$.


However, the present disclosure is not limited thereto, and other linear transformations may be performed in addition to the rotate-sum operation. In the present disclosure, the rotate-sum operation may be expressed as Rotsum.


Specifically, the processor 120 may calculate the Rotsum for the encrypted message by applying MLWE compact key switching using RotKeys to the encrypted message with dimension N′. Here, RotKeys are the switching keys required for the Rotsum.


Hereinafter, the MLWE compact key switching will be described.


To describe the MLWE compact key switching, first, the RLWE switching key and the RLWE key switching using RLWE switching key will be described.


First, for the modulus $Q = Q_0 Q_1 \cdots Q_{d-1}$ of the encrypted message, the temporary modulus $P$, and the corresponding gadget decomposition $h: R_{Q,N} \to R_N^d$ with $h(a) = ([a]_{Q_0}, \ldots, [a]_{Q_{d-1}})$, the RLWE switching key (e.g., RNS-gadget decomposed RLWE switching key) may be defined as Equation 14 below.









$$\mathrm{SwitchingKey} = \left\{ \left( a_k,\; -a_k \cdot s' + P\hat{Q}_k s + e_k \right) \right\}_{0 \le k < d} \qquad \text{[Equation 14]}$$


Here, $\hat{Q}_k = \prod_{j=0,\, j \neq k}^{d-1} Q_j$. $d$ is the gadget rank. The RLWE switching key in Equation 14 above may be composed of $d$ RLWE samples with modulus $QP$. In addition, the RLWE switching key may be the switching key for transforming the encrypted message encrypted with the secret key $s$ into the encrypted message encrypted with the secret key $s'$. When the degree of the RLWE switching key is $N$, the RLWE switching key may be expressed as $\mathrm{RLWE.SwitchingKey}^{h,N}_{s \to s'}$.


The RLWE key switching may be composed of the following processes 1) to 3). Here, it is assumed that the input encrypted message of the RLWE key switching is $ct_{input} = (\alpha, \beta) = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_s(m)$, the output encrypted message is $ct_{output} = (\alpha', \beta') = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_{s'}(m)$, and the switching key is $\mathrm{RLWE.SwitchingKey}^{h,N}_{s \to s'}$. The dimension of the input encrypted message (i.e., RLWE encrypted message) is $N$. The dimension of the output encrypted message (i.e., RLWE encrypted message) is $N$. The dimension of the switching key (i.e., RLWE switching key) is $N$.


Process 1) is the process of calculating modUp of the a-part of the input encrypted message, that is, the RLWE encrypted message. For example, when the RLWE encrypted message is $ct_{input} = (\alpha, \beta)$, the a-part of $ct_{input}$ is $\alpha \in R_{Q,N}$. In this case, $\mathrm{modUp}(\alpha)$ may be calculated for $\alpha$. Calculating $\mathrm{modUp}(\alpha)$ means calculating $\mathrm{modUp}(\alpha)_k = \mathrm{BaseConv}_{Q_k \to QP}([\alpha \cdot \hat{Q}_k^{-1}]_{Q_k}) \in R_{QP,N}$ for $0 \le k < d$. Here, $\mathrm{BaseConv}_{Q_k \to QP}$ may refer to a transformation that assumes that the value $[\alpha]_{Q_k}$, the remainder obtained by dividing $\alpha$ by $Q_k$, belongs to $R_N$, and embeds $[\alpha]_{Q_k}$ belonging to $R_N$ into $R_{QP,N}$.


Process 2) is the process of performing the dot product on the modUP value and the switching key, that is, the RLWE switching key. For example, the process of performing the dot product on the modUP value and the RLWE switching key may be expressed as Equation 15 below.











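$$ct_2 \leftarrow \mathrm{modUp}(\alpha) \cdot \mathrm{RLWE.SwitchingKey}^{h,N}_{s \to s'} = \sum_{0 \le k < d} \mathrm{modUp}(\alpha)_k \cdot \left( a_k,\; -a_k \cdot s' + P\hat{Q}_k s + e_k \right) \qquad \text{[Equation 15]}$$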







Process 3) is the process of calculating the modDown value of the dot product result value and combining the modDown value with the b-part of the RLWE encrypted message ctinput.


For example, when the dot product result value is $ct_2 = (A, B)$, the modDown value may be calculated as Equation 16 below.











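$$\begin{aligned} \mathrm{modDown}(A) &= [P]_Q^{-1} \cdot \left( [A]_Q - \mathrm{BaseConv}_{P \to Q}([A]_P) \right) \\ \mathrm{modDown}(B) &= [P]_Q^{-1} \cdot \left( [B]_Q - \mathrm{BaseConv}_{P \to Q}([B]_P) \right) \end{aligned} \qquad \text{[Equation 16]}$$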







Thereafter, by combining the modDown value with the b-part of the RLWE encrypted message $ct_{input}$, the output encrypted message, that is, the RLWE encrypted message, may be acquired. For example, when the RLWE encrypted message is $ct_{input} = (\alpha, \beta)$, the b-part of $ct_{input}$ is $\beta$. In this case, the output encrypted message, that is, the RLWE encrypted message $ct_{output} = (\alpha', \beta')$, may be acquired as Equation 17 below.











$$\alpha' \leftarrow \mathrm{modDown}(A), \qquad \beta' \leftarrow \mathrm{modDown}(B) + \beta \qquad \text{[Equation 17]}$$
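The RLWE key switching of processes 1) to 3) above, carried through on toy parameters, as an added Python example that is not part of the patent text. The ring degree N = 16, the moduli 12289, 40961, 65537, the temporary modulus 786433, the ternary keys and all function names are assumptions chosen so the arithmetic runs instantly on plain integers; they are far too small to be secure.

```python
import random

N = 16                            # ring degree (toy value, assumption)
Q_PRIMES = [12289, 40961, 65537]  # Q_0..Q_{d-1}; gadget rank d = 3 (assumption)
P = 786433                        # temporary modulus (assumption)
ERR = 3                           # error coefficients lie in [-ERR, ERR]
Q = Q_PRIMES[0] * Q_PRIMES[1] * Q_PRIMES[2]
QP = Q * P

def polymul(a, b, mod):
    """Product in Z_mod[X]/(X^N + 1): negacyclic schoolbook convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [c % mod for c in out]

def add(a, b, mod):
    return [(x + y) % mod for x, y in zip(a, b)]

def centered(a, mod):
    """Representatives in (-mod/2, mod/2) for an odd modulus."""
    return [(c + mod // 2) % mod - mod // 2 for c in a]

def small(rng, bound):
    return [rng.randint(-bound, bound) for _ in range(N)]

def uniform(rng, mod):
    return [rng.randrange(mod) for _ in range(N)]

def encrypt(rng, s, m):
    """RLWE_{Q,N}.Enc_s(m) = (a, b) with b = -a*s + m + e."""
    a, e = uniform(rng, Q), small(rng, ERR)
    a_s = polymul(a, s, Q)
    return a, [(-x + mi + ei) % Q for x, mi, ei in zip(a_s, m, e)]

def decrypt(s, ct):
    """Returns m + e as centered integers, computed as b + a*s mod Q."""
    a, b = ct
    return centered(add(b, polymul(a, s, Q), Q), Q)

def gen_switching_key(rng, s, s_new):
    """Equation 14: d samples (a_k, -a_k*s' + P*Qhat_k*s + e_k) modulo QP."""
    key = []
    for qk in Q_PRIMES:
        a_k, e_k = uniform(rng, QP), small(rng, ERR)
        a_s = polymul(a_k, s_new, QP)
        scale = P * (Q // qk)                      # P * Qhat_k
        key.append((a_k, [(-x + scale * si + ei) % QP
                          for x, si, ei in zip(a_s, s, e_k)]))
    return key

def mod_up(alpha):
    """Process 1: modUp(alpha)_k = BaseConv_{Q_k->QP}([alpha * Qhat_k^-1]_{Q_k})."""
    digits = []
    for qk in Q_PRIMES:
        inv = pow(Q // qk, -1, qk)
        digit = centered([c * inv % qk for c in alpha], qk)   # small integers
        digits.append([c % QP for c in digit])                # embed into R_{QP,N}
    return digits

def mod_down(x):
    """Equation 16: [P]_Q^-1 * ([x]_Q - BaseConv_{P->Q}([x]_P)) = round(x/P) mod Q."""
    p_inv = pow(P, -1, Q)
    low = centered([c % P for c in x], P)
    return [(c - l) * p_inv % Q for c, l in zip(x, low)]

def key_switch(ct, swk):
    """Processes 1) to 3): modUp, dot product (Eq. 15), modDown, add beta (Eq. 17)."""
    alpha, beta = ct
    A, B = [0] * N, [0] * N
    for digit, (a_k, b_k) in zip(mod_up(alpha), swk):
        A = add(A, polymul(digit, a_k, QP), QP)
        B = add(B, polymul(digit, b_k, QP), QP)
    return mod_down(A), add(mod_down(B), beta, Q)

def noise_bound():
    """Worst case: fresh error + sum_k |digit_k * e_k| / P + rounding in modDown."""
    return ERR + N * ERR * sum(q // 2 for q in Q_PRIMES) / P + (N + 1) / 2

def demo(seed=1):
    rng = random.Random(seed)                      # constructed sample data
    s, s_new = small(rng, 1), small(rng, 1)        # ternary secret keys
    m = [rng.randint(-2**20, 2**20) for _ in range(N)]
    ct = encrypt(rng, s, m)
    ct_new = key_switch(ct, gen_switching_key(rng, s, s_new))
    def err(key, c):
        return max(abs(x - y) for x, y in zip(decrypt(key, c), m))
    return err(s, ct), err(s_new, ct_new), err(s, ct_new)

if __name__ == "__main__":
    before, after, wrong = demo()
    print(f"error under s: {before}, under s' after switch: {after} "
          f"(bound {noise_bound():.1f}), old key on new ct: {wrong}")
```

The switching key here holds d = 3 pairs of ring elements modulo QP, which is the quantity that grows with the gadget rank in the discussion of switching-key capacity above.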







Hereinafter, the MLWE compact key switching will be described.


For $R_{q,N} = \mathbb{Z}_q[X_N]/(X_N^N + 1)$ and $R_{q,N/r} = \mathbb{Z}_q[X_{N/r}]/(X_{N/r}^{N/r} + 1)$, define $\beta_i = X_N^i$ $(0 \le i < r)$; then $\{\beta_i\}_i$ is an $R_{q,N/r}$-basis of $R_{q,N}$. That is, $R_{q,N} \simeq \sum_{0 \le i < k} R_{q,N/r} \cdot \beta_i$. In addition, any $a \in R_{q,N}$ may be expressed as $a = \sum_j a_j \beta_j$. In this case, the module-decomposition map $\pi^r_{q,N}: R_{q,N} \to (R_{q,N/r})^r$ may be defined as $\pi^r_{q,N}(a) = (a_0, \ldots, a_{k-1})$.


Also, the ring embedding map $\iota^r_{q,N}: R_{q,N/r} \to R_{q,N}$ is the $R_{q,N/r}$-homomorphism defined by $\iota^r_{q,N}(X_{N/r}) = X_N^r$. The map $\varepsilon^k_{q,N}: R_{q,N} \to R_{q,N/k}$ extracting the first coefficient may be defined as $\varepsilon^k_{q,N}(a) = a_0$.


Also, for $\vec{a} = (a_0, \ldots, a_{k-1}) \in (R_{q,N/k})^k$, a twist $(\vec{a})^{tw}$ of $\vec{a}$ may be defined as $(\vec{a})^{tw} = (a_0, a_{k-1} \cdot X_{N/k}^{-1}, a_{k-2} \cdot X_{N/k}^{-1}, \ldots, a_1 \cdot X_{N/k}^{-1})$. In this case, the inverse transform $\vec{a}^{tw^{-1}}$ of the twist is $\vec{a}^{tw^{-1}} := (a_0, a_{k-1} \cdot X_{N/k}, a_{k-2} \cdot X_{N/k}, \ldots, a_1 \cdot X_{N/k})$. Given the rank $k$ in $R_{q,N}$, the twist $a^{tw,k}$ of $a \in R_{q,N}$ can be defined as $a^{tw,k} = (\pi^k_{q,N})^{-1} \circ (\pi^k_{q,N}(a))^{tw}$.


Additionally, the MLWE embedding map $\mathrm{Embed}^k_{q,N}: (R_{q,N/k})^{k+1} \to (R_{q,N})^2$ may be defined as $\mathrm{Embed}^k_{q,N}(b, \vec{a}) = (\iota^k_{q,N}(b), (\pi^k_{q,N})^{-1}(\vec{a}^{tw}))$.


In addition, the MLWE extraction map $\mathrm{Extract}^k_{q,N}: (R_{q,N})^2 \to (R_{q,N/k})^{k+1}$ may be defined as $\mathrm{Extract}^k_{q,N}(B, A) = (\varepsilon^k_{q,N}(B), (\pi^k_{q,N}(A))^{(tw,k)^{-1}})$.


In addition, the RLWE-compatible secret keys $S, S' \in R_N$ may be defined as $S = (\pi^k_{q,N})^{-1}(\vec{s})$, $S' = (\pi^k_{q,N})^{-1}(\vec{s}')$.


In this case, the MLWE compact key switching may be composed of the following processes 1) to 3). Here, it is assumed that the input encrypted message of the MLWE compact key switching is $ct_{input} = (\vec{\alpha}, \beta) = \mathrm{MLWE}_{Q,N/r,r}.\mathrm{Enc}_{\vec{s}}(m)$, the output encrypted message is $ct_{output} = (\vec{\alpha}', \beta') = \mathrm{MLWE}_{Q,N/r,r}.\mathrm{Enc}_{\vec{s}'}(m)$, and the switching key is $\mathrm{RLWE.SwitchingKey}^{h,N}_{S \to S'}$. The dimension of the input encrypted message (i.e., MLWE encrypted message) is $N/r$, and the rank is $r$. The dimension of the output encrypted message (i.e., MLWE encrypted message) is $N/r$, and the rank is $r$. The dimension of the switching key (i.e., RLWE switching key) is $N$.


Process 1) is the process of embedding the input encrypted message, that is, the MLWE encrypted message $ct_{input}$, and thereby transforming it into the RLWE encrypted message $ct_1$. This process may be expressed as $ct_1 = \mathrm{Embed}^r_{Q,N}(ct_{input}) = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_S(M)$. Here, $M \in R_{Q,N}$ may satisfy $\varepsilon^r_{Q,N}(M) = m$.


Process 2) is the process of acquiring $ct_2$ by applying the RLWE key switching using $\mathrm{RLWE.SwitchingKey}^{h,N}_{S \to S'}$ as the switching key to the RLWE encrypted message $ct_1$. This process may be expressed as $ct_2 = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_{S'}(M)$.


Process 3) is the process of extracting the MLWE encrypted message from the result value of process 2). This process may be expressed as $ct_{output} = \mathrm{Extract}^r_{Q,N}(ct_2) = \mathrm{MLWE}_{Q,N/r,r}.\mathrm{Enc}_{\vec{s}'}(m)$.


The processor 120 may calculate the RotSum for the encrypted message with dimension N′ using the MLWE compact key switching described above.


Specifically, the processor 120 may calculate RotSum by applying the MLWE compact key switching using RotKeys to the MLWE encrypted message with dimension N′. Here, the MLWE encrypted message with dimension N′ may be the encrypted message acquired through the MLWE naive key switching using DimensionSwitchKey, as described above.


In this case, the RotKeys $\mathrm{RotKey}_j = \mathrm{RLWE.SwitchingKey}^{h',N'}_{\rho_{idx_j}(s^*) \to s^*}$ $(0 \le j < l)$ may be used as the switching keys in the above-described MLWE compact key switching. In addition, when the input encrypted message $ct_1$ of the MLWE compact key switching using the RotKeys is $ct_1 = \mathrm{MLWE}_{Q,N,N'/N}.\mathrm{Enc}_{\vec{s}^*}(m)$, the output encrypted message $ct_2$ of the MLWE compact key switching using the RotKeys may be expressed as $ct_2 = \mathrm{MLWE}_{Q,N,N'/N}.\mathrm{Enc}_{\vec{s}^*}(\mathrm{RotSum}(m))$. In this case, the dimension of the MLWE encrypted message $ct_1$ is $N'$, the rank is $N'/N$, and the degree is $N$. The dimension of the MLWE encrypted message $ct_2$ is $N'$, the rank is $N'/N$, and the degree is $N$.


In operation S530, the processor 120 may transform the MLWE encrypted message into the RLWE encrypted message with dimension N using the RLWE key switching.


Here, the MLWE encrypted message is the result value of the linear transformation. As described above, the MLWE encrypted message may be the output encrypted message ct2 of the MLWE compact key switching using the RotKeys.


Specifically, the processor 120 may transform the MLWE encrypted message into the RLWE encrypted message by applying RLWE hoist key switching using HomingKeys to the MLWE encrypted message. In this case, the degree of the MLWE encrypted message is N, and the rank is N′/N. The degree of the RLWE encrypted message is N.


Hereinafter, the RLWE hoist key switching will be described.


The RLWE hoist key switching may be composed of the following processes 1) to 3). Here, it is assumed that the input encrypted message of the RLWE key switching is $ct_{input} = (\vec{\alpha}, \beta) = \mathrm{MLWE}_{Q,N,r}.\mathrm{Enc}_{\vec{s}}(m)$, the output encrypted message is $ct_{output} = (\alpha', \beta') = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_{s'}(m)$, and the $r$ switching keys are $\mathrm{RLWE.SwitchingKey}^{h,N}_{s_j \to s'}$ $(0 \le j < r)$. The dimension of the input encrypted message (i.e., MLWE encrypted message) is $N$, and the rank is $r$. The secret key of the input encrypted message is $\vec{s} = (s_0, \ldots, s_{r-1}) \in R_N^r$. The dimension of the output encrypted message (i.e., RLWE encrypted message) is $N$.


Process 1) is the process of calculating the modUp of the a-part of the input encrypted message, that is, the MLWE encrypted message. For example, when the MLWE encrypted message is $ct_{input} = (\vec{\alpha}, \beta)$, the a-part of $ct_{input}$ is $\vec{\alpha} = (\alpha_0, \ldots, \alpha_{r-1}) \in R_{Q,N}^r$. In this case, $\mathrm{modUp}(\vec{\alpha})$ may be calculated for $\vec{\alpha}$. Calculating $\mathrm{modUp}(\vec{\alpha})$ means calculating $\mathrm{modUp}(\alpha_j)_k = \mathrm{BaseConv}_{Q_k \to QP}([\alpha_j \cdot \hat{Q}_k^{-1}]_{Q_k}) \in R_{QP,N}$ for $0 \le k < d$ and $0 \le j < r$. Here, $\mathrm{BaseConv}_{Q_k \to QP}$ may refer to a transformation that assumes that the value $[\alpha]_{Q_k}$, the remainder obtained by dividing $\alpha$ by $Q_k$, belongs to $R_N$, and embeds $[\alpha]_{Q_k}$ belonging to $R_N$ into $R_{QP,N}$.


Process 2) is the process of performing the dot product on the modUP value and the switching key, that is, the RLWE switching key. For example, the process of performing the dot product on the modUP value and the RLWE switching key may be expressed as Equation 18 below.











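$$ct_2 \leftarrow \mathrm{modUp}(\alpha_j)_k \cdot \mathrm{RLWE.SwitchingKey}^{h,N}_{s_j \to s'} = \sum_{0 \le k < d} \mathrm{modUp}(\alpha_j)_k \cdot \left( a_{j,k},\; -a_{j,k} \cdot s' + P\hat{Q}_k s_j + e_{j,k} \right) \qquad \text{[Equation 18]}$$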







Process 3) is the process of calculating the modDown value of the dot product result value and combining the modDown value with a b-part of the MLWE encrypted message ctinput.


For example, when the dot product result value is (A, B), the modDown value may be calculated as Equation 19 below.











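$$\begin{aligned} \mathrm{modDown}(A) &= [P]_Q^{-1} \cdot \left( [A]_Q - \mathrm{BaseConv}_{P \to Q}([A]_P) \right) \\ \mathrm{modDown}(B) &= [P]_Q^{-1} \cdot \left( [B]_Q - \mathrm{BaseConv}_{P \to Q}([B]_P) \right) \end{aligned} \qquad \text{[Equation 19]}$$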







Thereafter, by combining the modDown value with the b-part of the MLWE encrypted message $ct_{input}$, the output encrypted message, that is, the RLWE encrypted message, may be acquired. For example, when the MLWE encrypted message is $ct_{input} = (\vec{\alpha}, \beta)$, the b-part of $ct_{input}$ is $\beta$. In this case, the output encrypted message, that is, the RLWE encrypted message $ct_{output} = (\alpha', \beta')$, may be acquired as Equation 20 below.











$$\alpha' \leftarrow \mathrm{modDown}(A), \qquad \beta' \leftarrow \mathrm{modDown}(B) + \beta \qquad \text{[Equation 20]}$$







The processor 120 may transform the MLWE encrypted message, which is the result value of the linear transformation, into the RLWE encrypted message using the MLWE hoist key switching described above. Here, the degree of the MLWE encrypted message is N, and the rank is N′/N. The degree of the RLWE encrypted message is N.


In this case, the HomingKeys $\mathrm{HomingKey}_j = \mathrm{RLWE.SwitchingKey}^{h,N}_{(\vec{s}^*)_j \to s}$ $(0 \le j < N'/N)$ may be used as the switching keys in the above-described MLWE hoist key switching. In addition, when the input encrypted message of the MLWE hoist key switching using the HomingKeys is $ct_2 = \mathrm{MLWE}_{Q,N,N'/N}.\mathrm{Enc}_{\vec{s}^*}(\mathrm{RotSum}(m))$, the output encrypted message of the MLWE hoist key switching using the HomingKeys may be expressed as $ct_{output} = \mathrm{RLWE}_{Q,N}.\mathrm{Enc}_s(\mathrm{RotSum}_{idx}(m))$. In this case, the dimension of the MLWE encrypted message $ct_2$ is $N'$, the rank is $N'/N$, and the degree is $N$. The dimension of the RLWE encrypted message $ct_{output}$ is $N$, the rank is 1, and the degree is $N$.


In this way, when the input encrypted message is the RLWE encrypted message with dimension N, the processor 120 may transform the input encrypted message (i.e., RLWE encrypted message with dimension N) into the MLWE encrypted message with dimension N′ to perform the linear transformation, and transform the MLWE encrypted message corresponding to the result value of the linear transformation back into the RLWE encrypted message with dimension N, thereby acquiring the output encrypted message (i.e., RLWE encrypted message with dimension N).



FIG. 6 is a flowchart illustrating a method of performing, by an electronic device, key switching on an MSRLWE encrypted message according to an embodiment of the present disclosure.


The MSRLWE encrypted message refers to an encrypted message with multiple b-parts using multiple secret keys in one a-part. For example, the MSRLWE encrypted message may have the form of $a, b_0 = -as_0 + m_0 + e_0, \ldots, b_{u-1} = -as_{u-1} + m_{u-1} + e_{u-1}$. Here, $a, b_j, s_j, m_j, e_j \in R_{Q,N}$. When the key switching is performed on the MSRLWE encrypted message using the multi-secret type switching key, the result is still an MSRLWE encrypted message, which is more efficient than key switching $u$ general RLWE encrypted messages individually. Here, $u$ is the secret size. The dimension of the MSRLWE encrypted message is the same as the degree.


When an MSRLWE encrypted message $ct = (a, \vec{b}) \in R_{Q,N}^{u+1}$ is the encrypted message encrypting the message $\vec{m} \in R_N^u$ using the secret key $\vec{s} \in R_N^u$, then $b_j = -as_j + m_j + e_j$ for a small error $\vec{e} \in R_N^u$, and it may be expressed as $ct = \mathrm{MSRLWE}_{Q,N,(u)}.\mathrm{Enc}_{\vec{s}}(\vec{m})$.


In operation S610, the processor 120 may transform the MSRLWE encrypted message with dimension N into the MSRLWE encrypted message with dimension N′ using the homomorphism and the MSRLWE key switching.


Here, the homomorphism is an injective ring homomorphism $\Phi_{N \to N'}: R_N \to R_{N'}$ defined by $x_N \mapsto x_{N'}^{N'/N}$. Through this homomorphism, $\Phi(\vec{s}) \in R_{N'}^{uN/N'}$, which is the lifting of $\vec{s}$, and $\Psi(\vec{s}^*)$, which is the flooring of $\vec{s}^*$, may be defined. For example, $\Phi(\vec{s})_t = \sum_{0 \le j < N'/N} \Phi_{N \to N'}(s_{t \cdot N'/N + j})\, x_{N'}^j$. Here, when $(\vec{s}^*)_t = \sum_{0 \le j < N'/N} \Phi_{N \to N'}(s_{t \cdot N'/N + j})\, x_{N'}^j$, $\Psi(\vec{s}^*)_t = s_t^*$.


For example, when the input encrypted message is the MSRLWE encrypted message $ct_{input} = \mathrm{MSRLWE}_{Q,N,(u)}.\mathrm{Enc}_{\vec{s}}(\vec{m})$, the processor 120 may transform $ct_{input}$ into the MSRLWE encrypted message $ct_1$ through $\Phi_{N \to N'}$. Here, it may be expressed as $ct_1 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\Phi(\vec{s})}(\Phi(\vec{m}))$. In this case, the dimension of the MSRLWE encrypted message $ct_{input}$ is $N$, the secret size is $u$, and the degree is $N$. The dimension of the MSRLWE encrypted message $ct_1$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$.


The processor 120 may apply the MSRLWE key switching using the DimensionSwitchKey to the MSRLWE encrypted message $ct_1$ to transform the MSRLWE encrypted message $ct_1$ into the MSRLWE encrypted message $ct_2$ encrypted with the secret key $\vec{s}^*$.


Hereinafter, the MSRLWE key switching will be described.


First, for the modulus $Q = Q_0 Q_1 \cdots Q_{d-1}$ of the encrypted message, the temporary modulus $P$, and the corresponding gadget decomposition $h: R_{Q,N} \to R_N^d$ with $h(a) = ([a]_{Q_0}, \ldots, [a]_{Q_{d-1}})$, the MSRLWE switching key (e.g., RNS-gadget decomposed MSRLWE switching key) may be defined as Equation 21 below.






$$\mathrm{SwitchingKey} = \left\{ \left( a_k,\; -a_k \cdot s'_0 + P\hat{Q}_k s_0 + e_{k,0},\; \ldots,\; -a_k \cdot s'_{u-1} + P\hat{Q}_k s_{u-1} + e_{k,u-1} \right) \right\}_{0 \le k < d} \qquad \text{[Equation 21]}$$


Here, $\hat{Q}_k = \prod_{j=0,\, j \neq k}^{d-1} Q_j$. $d$ is the gadget rank. The MSRLWE switching key in Equation 21 above may be composed of $d$ MSRLWE samples with modulus $QP$. In addition, the MSRLWE switching key may be the switching key for transforming the encrypted message encrypted with a secret key $\vec{s} = (s_0, \ldots, s_{u-1})$ into the encrypted message encrypted with a secret key $\vec{s}' = (s'_0, \ldots, s'_{u-1})$. When the degree of the MSRLWE switching key is $N$, the MSRLWE switching key may be expressed as $\mathrm{MSRLWE.SwitchingKey}^{h,N,(u)}_{\vec{s} \to \vec{s}'}$.


The MSRLWE key switching may be composed of the following processes 1) to 3). Here, it is assumed that the input encrypted message of the MSRLWE key switching is $\mathrm{ct}_{\mathrm{input}} = (\vec{\alpha}, \vec{\beta}) = \mathrm{MSRLWE}_{Q,N,r,(u)}.\mathrm{Enc}_{\vec{S}}(\vec{m})$, the output encrypted message is $\mathrm{ct}_{\mathrm{output}} = (\alpha', \vec{\beta}') = \mathrm{MSRLWE}_{Q,N,(u)}.\mathrm{Enc}_{\vec{s}}(\vec{m})$, and the $r$ switching keys are $\mathrm{MSRLWE.SwitchingKey}_{\vec{s}_j \to \vec{s}'}^{h,N,(u)}$ $(0 \le j < r)$. The dimension of the input encrypted message (i.e., MSRLWE encrypted message) is $N$, the rank is $r$, and the secret size is $u$. The secret key of the input encrypted message is $\vec{S} = (\vec{s}_0, \ldots, \vec{s}_{u-1}) \in R_N^u$, where $\vec{s}_j = (s_{j,0}, \ldots, s_{j,r-1})$ $(0 \le j < u)$.


Process 1) is the process of calculating the modUp of the a-part of the input encrypted message, that is, the MSRLWE encrypted message. For example, when the MSRLWE encrypted message is $\mathrm{ct}_{\mathrm{input}} = (\vec{\alpha}, \vec{\beta})$, the a-part of the MSRLWE encrypted message $\mathrm{ct}_{\mathrm{input}}$ is $\vec{\alpha} = (\alpha_0, \ldots, \alpha_{r-1}) \in R_{QP,N}^r$. In this case, $\mathrm{modUp}(\vec{\alpha})$ may be calculated for $\vec{\alpha}$. The process of calculating $\mathrm{modUp}(\vec{\alpha})$ is the process of calculating $\mathrm{modUp}(\alpha_j)_k = \mathrm{BaseConv}_{Q_k \to QP}([\alpha_j \cdot \hat{Q}_k^{-1}]_{Q_k}) \in R_{QP,N}$ for $0 \le k < d$ and $0 \le j < r$. Here, $\mathrm{BaseConv}_{Q_k \to QP}$ may refer to a transformation that assumes that the value $[\alpha]_{Q_k}$, the remainder of $\alpha$ divided by $Q_k$, belongs to $R_N$, and embeds $[\alpha]_{Q_k}$ belonging to $R_N$ into $R_{QP,N}$.


Process 2) is the process of performing the dot product on the modUp value and the switching key, that is, the MSRLWE switching key. For example, the process of performing the dot product on the modUp value and the MSRLWE switching key may be expressed as Equation 22 below.


[Equation 22]

$$\mathrm{ct}_2 \leftarrow \mathrm{modUp}(\alpha_j)_k \cdot \mathrm{MSRLWE.SwitchingKey}_{\vec{s}_j \to \vec{s}'}^{h,N,(u)}$$

Process 3) is the process of calculating the modDown value of the dot product result value and combining the modDown value with the b-part of the MSRLWE encrypted message $\mathrm{ct}_{\mathrm{input}}$.


For example, when the dot product result value is $\mathrm{ct}_2 = (\vec{A}, \vec{B})$, the modDown value may be calculated as Equation 23 below. Here, $\vec{A} = (A_0, \ldots, A_{r-1})$ and $\vec{B} = (B_0, \ldots, B_{r-1})$.


[Equation 23]

$$\mathrm{modDown}(A_j) = [P]_Q^{-1} \cdot \left( [A_j]_Q - \mathrm{BaseConv}_{P \to Q}([A_j]_P) \right)$$

$$\mathrm{modDown}(B_j) = [P]_Q^{-1} \cdot \left( [B_j]_Q - \mathrm{BaseConv}_{P \to Q}([B_j]_P) \right)$$

Thereafter, by combining the modDown value with the b-part of the MSRLWE encrypted message $\mathrm{ct}_{\mathrm{input}}$, the output encrypted message, that is, the MSRLWE encrypted message, may be acquired. For example, when the MSRLWE encrypted message is $\mathrm{ct}_{\mathrm{input}} = (\vec{\alpha}, \vec{\beta})$, its b-part is $\vec{\beta}$. In this case, when the output encrypted message is the MSRLWE encrypted message $\mathrm{ct}_{\mathrm{output}} = (\vec{\alpha}', \vec{\beta}')$, it may be acquired as Equation 24 below.


[Equation 24]

$$\vec{\alpha}' \leftarrow \mathrm{modDown}(\vec{A}), \qquad \vec{\beta}' \leftarrow \mathrm{modDown}(\vec{B}) + \vec{\beta}$$

In the present disclosure, when r=1 in the MSRLWE key switching processes, the above-described MSRLWE key switching process is referred to as the MSRLWE key switching, and when r≥2 in the above-described MSRLWE key switching processes, the above-described MSRLWE key switching process is referred to as the MSRLWE hoist key switching.
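Processes 1) to 3) for the case r = 1, as an added example that is not part of the patent: a toy Python implementation with a single secret (u = 1) that builds the switching key of Equation 21, then runs modUp, the dot product and modDown. The ring degree, moduli, the scaling factor DELTA and all function names are assumptions chosen for illustration, and the parameters are far too small to be secure.

```python
# Added illustration, not code from the patent. Parameters are constructed
# and far too small to be secure; single secret (u = 1), rank r = 1.
import random

N = 8                      # ring R_N = Z[x]/(x^N + 1)
QS = [1009, 1013]          # Q = Q_0 * Q_1, gadget rank d = 2
P = 1000003                # temporary modulus, coprime to Q
Q = QS[0] * QS[1]
DELTA = 1024               # message scale (assumed encoding, not in the patent)

def mul(f, g, mod):        # negacyclic product in Z_mod[x]/(x^N + 1)
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * fi * gj) % mod
    return out

def add(f, g, mod):
    return [(x + y) % mod for x, y in zip(f, g)]
def small(rng):            # ternary secret or error polynomial
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def sample(s_new, body, mod, rng):
    """Return (a, -a*s_new + body) mod `mod`, the b_j = -a*s_j + ... form."""
    a = [rng.randrange(mod) for _ in range(N)]
    return a, add([-c for c in mul(a, s_new, mod)], body, mod)

def encrypt(m, s, rng):
    return sample(s, [DELTA * x + e for x, e in zip(m, small(rng))], Q, rng)

def decrypt(ct, s):
    phase = add(ct[1], mul(ct[0], s, Q), Q)
    return [round((c - Q if c > Q // 2 else c) / DELTA) for c in phase]

def switching_key(s_old, s_new, rng):
    """Equation 21: one sample modulo QP per RNS factor Q_k."""
    return [sample(s_new, [P * (Q // qk) * x + e
                           for x, e in zip(s_old, small(rng))], Q * P, rng)
            for qk in QS]

def mod_down(x):           # Equation 23, coefficient-wise
    p_inv = pow(P, -1, Q)
    return [p_inv * (c % Q - c % P) % Q for c in x]

def key_switch(ct, key):
    alpha, beta = ct
    A, B = [0] * N, [0] * N
    for qk, (a, b) in zip(QS, key):
        inv = pow(Q // qk, -1, qk)
        up = [c * inv % qk for c in alpha]        # Process 1: modUp(alpha)_k
        A = add(A, mul(up, a, Q * P), Q * P)      # Process 2: dot product
        B = add(B, mul(up, b, Q * P), Q * P)
    return mod_down(A), add(mod_down(B), beta, Q) # Process 3, Equation 24
```

Decrypting the output of `key_switch` with the new secret recovers the message, while the old secret no longer does; the extra noise introduced by modDown stays far below DELTA/2 for these parameters.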


The processor 120 may use the above-described MSRLWE key switching to transform the MSRLWE encrypted message $\mathrm{ct}_1$ into the MSRLWE encrypted message $\mathrm{ct}_2$ encrypted with the secret key $\vec{s}^*$.


Specifically, the processor 120 may apply the MSRLWE key switching using the DimensionSwitchKey to the MSRLWE encrypted message $\mathrm{ct}_1$ to transform the MSRLWE encrypted message $\mathrm{ct}_1$ into the MSRLWE encrypted message $\mathrm{ct}_2$ encrypted with the secret key $\vec{s}^*$.


In this case, the DimensionSwitchKey such as $\mathrm{DimensionSwitchKey} = \mathrm{MSRLWE.SwitchingKey}_{\Phi(\vec{s}) \to \vec{s}^*}^{h',N',(uN/N')}$ may be used as the switching key in the above-described MSRLWE key switching. In addition, when the input encrypted message of the MSRLWE key switching using the DimensionSwitchKey is $\mathrm{ct}_1 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\Phi(\vec{s})}(\Phi(\vec{m}))$, the output encrypted message of the MSRLWE key switching using the DimensionSwitchKey may be expressed as $\mathrm{ct}_2 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\vec{s}^*}(\Phi(\vec{m}))$.


Through the MSRLWE key switching, the MSRLWE encrypted message $\mathrm{ct}_1$ may be transformed into the MSRLWE encrypted message $\mathrm{ct}_2$ encrypted with the secret key $\vec{s}^*$. The dimension of the MSRLWE encrypted message $\mathrm{ct}_1$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$. The dimension of the MSRLWE encrypted message $\mathrm{ct}_2$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$. The temporary secret key $\vec{s}^* \in R_{N'}^{uN/N'}$ is the MSRLWE secret key with a valid secret size of $uN/N'$ in the dimension $N'$.


In operation S620, the processor 120 may perform the linear transformation on the encrypted message with dimension N′.


For example, the linear transformation may include the rotate-sum operation. That is, the processor 120 may perform the rotate-sum operation on the MLWE encrypted message with dimension N′. Meanwhile, the rotate-sum operation has been described above.


Specifically, the processor 120 may calculate the RotSum by applying the MSRLWE key switching using the RotKeys to the MLWE encrypted message with dimension N′. Here, the MLWE encrypted message with dimension N′ may be the encrypted message acquired through the MSRLWE key switching using DimensionSwitchKey, as described above.


In this case, the RotKeys such as $\mathrm{RotKey}_j = \mathrm{MSRLWE.SwitchingKey}_{\rho_{\mathrm{idx}_j}(\vec{s}^*) \to \vec{s}^*}^{h',N',(uN/N')}$ $(0 \le j < l)$ may be used as the switching key in the above-described MSRLWE key switching. In addition, when the input encrypted message $\mathrm{ct}_2$ of the MSRLWE key switching using the RotKeys is $\mathrm{ct}_2 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\vec{s}^*}(\Phi(\vec{m}))$, the output encrypted message $\mathrm{ct}_3$ of the MSRLWE key switching using the RotKeys may be expressed as $\mathrm{ct}_3 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\vec{s}^*}(\mathrm{RotSum}_{\mathrm{idx}}(\Phi(\vec{m})))$. In this case, the dimension of the MSRLWE encrypted message $\mathrm{ct}_2$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$. The dimension of the MSRLWE encrypted message $\mathrm{ct}_3$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$.


In operation S530, the processor 120 may transform the MSRLWE encrypted message into the MSRLWE encrypted message with dimension N using the MSRLWE key switching.


Here, the MSRLWE encrypted message is the result value of the linear transformation. As described above, the MSRLWE encrypted message may be the output encrypted message ct3 of the MSRLWE key switching using the RotKeys.


Specifically, the processor 120 may transform the MSRLWE encrypted message into the MSRLWE encrypted message with dimension N by applying the MSRLWE hoist key switching using the HomingKeys to the MSRLWE encrypted message.


In this case, the HomingKeys such as $\mathrm{HomingKey}_j = \mathrm{MSRLWE.SwitchingKey}_{\Psi(\vec{s}^*) \to \vec{s}}^{h,N,u}$ $(0 \le j < N'/N)$ may be used as the switching key in the above-described MSRLWE hoist key switching. In addition, when the input encrypted message of the MSRLWE hoist key switching using the HomingKeys is $\mathrm{ct}_3 = \mathrm{MSRLWE}_{Q,N',(uN/N')}.\mathrm{Enc}_{\vec{s}^*}(\mathrm{RotSum}_{\mathrm{idx}}(\Phi(\vec{m})))$, the output encrypted message of the MSRLWE hoist key switching using the HomingKeys may be expressed as $\mathrm{ct}_{\mathrm{output}} = \mathrm{MSRLWE}_{Q,N,(u)}.\mathrm{Enc}_{\vec{s}}(\mathrm{RotSum}_{\mathrm{idx}}(\vec{m}))$. In this case, the dimension of the MSRLWE encrypted message $\mathrm{ct}_3$ is $N'$, the secret size is $uN/N'$, and the degree is $N'$. The dimension of the MSRLWE encrypted message $\mathrm{ct}_{\mathrm{output}}$ is $N$, the secret size is $u$, and the degree is $N$. In this way, when the input encrypted message is the MSRLWE encrypted message with dimension $N$, the processor 120 may transform the input encrypted message (i.e., MSRLWE encrypted message with dimension $N$) into the MSRLWE encrypted message with dimension $N'$ to perform the linear transformation, and transform the MSRLWE encrypted message corresponding to the result value of the linear transformation back into the MSRLWE encrypted message with dimension $N$, thereby acquiring the output encrypted message (i.e., MSRLWE encrypted message with dimension $N$).


Meanwhile, various embodiments of the present disclosure described above may be implemented in a computer or a computer readable recording medium using software, hardware, or a combination of software and hardware. In some cases, embodiments described in the disclosure may be implemented as a processor itself. According to a software implementation, embodiments such as procedures and functions described in the specification may be implemented as separate software modules. Each of the software modules may perform one or more functions and operations described in the disclosure.


Meanwhile, computer instructions for performing processing operations of the electronic devices according to the diverse embodiments of the disclosure described above may be stored in a non-transitory computer-readable medium. The computer instructions stored in the non-transitory computer-readable medium allow a specific device to perform the processing operations in the electronic device 100 according to the diverse embodiments described above when they are executed by a processor of the specific device.


The non-transitory computer-readable medium is not a medium that stores data for a while, such as a register, a cache, a memory, or the like, but means a medium that semi-permanently stores data and is readable by the device. Specific examples of the non-transitory computer-readable medium may include a compact disk (CD), a digital versatile disk (DVD), a hard disk, a Blu-ray disk, a USB, a memory card, a read only memory (ROM), and the like.


Although the embodiments of the disclosure have been illustrated and described hereinabove, the disclosure is not limited to the specific embodiments described above, but may be variously modified by those skilled in the art to which the disclosure pertains without departing from the gist of the disclosure as disclosed in the accompanying claims. These modifications should also be understood to fall within the scope and spirit of the disclosure.

Claims
  • 1. An electronic device, comprising: a memory in which an input encrypted message with dimension N is stored; and a processor configured to transform the input encrypted message with dimension N into an encrypted message with dimension N′, perform linear transformation on the encrypted message with dimension N′, and transform the encrypted message corresponding to a result value of the linear transformation into an output encrypted message with dimension N, wherein the N is smaller than N′.
  • 2. The electronic device as claimed in claim 1, wherein the input encrypted message is a ring learning with error (RLWE) encrypted message, and the processor is configured to use module learning with error (MLWE) key switching to transform the RLWE encrypted message with dimension N into an MLWE encrypted message with dimension N′.
  • 3. The electronic device as claimed in claim 2, wherein the processor is configured to perform a rotate-sum operation on the MLWE encrypted message with dimension N′.
  • 4. The electronic device as claimed in claim 3, wherein the processor is configured to transform the MLWE encrypted message corresponding to the result value of the linear transformation into the RLWE encrypted message with dimension N using RLWE key switching.
  • 5. The electronic device as claimed in claim 1, wherein the input encrypted message is a multi-secret ring learning with error (MSRLWE) encrypted message, and the processor is configured to transform the MSRLWE encrypted message with dimension N into a MSRLWE encrypted message with dimension N′ using homomorphism and MSRLWE key switching.
  • 6. The electronic device as claimed in claim 5, wherein the processor is configured to perform a rotate-sum operation on the MSRLWE encrypted message with dimension N′.
  • 7. The electronic device as claimed in claim 6, wherein the processor is configured to transform the MSRLWE encrypted message corresponding to the result value of the linear transformation into the MSRLWE encrypted message with dimension N using MSRLWE key switching.
  • 8. A key switching method of an electronic device, comprising: transforming an input encrypted message with dimension N into an encrypted message with dimension N′; performing linear transformation on the encrypted message with dimension N′; and transforming the encrypted message corresponding to a result value of the linear transformation into an output encrypted message with dimension N, wherein the N is smaller than N′.
  • 9. The key switching method as claimed in claim 8, wherein the input encrypted message is an RLWE encrypted message, and in the transforming into the encrypted message with dimension N′, the RLWE encrypted message with dimension N is transformed into an MLWE encrypted message with dimension N′ using MLWE key switching.
  • 10. The key switching method as claimed in claim 9, wherein in the performing, a rotate-sum operation is performed on the MLWE encrypted message with dimension N′.
  • 11. The key switching method as claimed in claim 10, wherein in the transforming into the output encrypted message with dimension N, the MLWE encrypted message corresponding to the result value of the linear transformation is transformed into the RLWE encrypted message with dimension N using the RLWE key switching.
  • 12. The key switching method as claimed in claim 8, wherein the input encrypted message is an MSRLWE encrypted message, and in the transforming into the encrypted message with dimension N′, the MSRLWE encrypted message with dimension N is transformed into a MSRLWE encrypted message with dimension N′ using homomorphism and MSRLWE key switching.
  • 13. The key switching method as claimed in claim 12, wherein in the performing, a rotate-sum operation is performed on the MSRLWE encrypted message with dimension N′.
  • 14. The key switching method as claimed in claim 13, wherein in the transforming into the output encrypted message with dimension N, the MSRLWE encrypted message corresponding to the result value of the linear transformation is transformed into the MSRLWE encrypted message with dimension N using the MSRLWE key switching.
Priority Claims (2)
Number Date Country Kind
10-2023-0072472 Jun 2023 KR national
10-2024-0070717 May 2024 KR national