HOMOMORPHIC CYCLIC OPERATION SYSTEM, HOMOMORPHIC CYCLIC OPERATION APPARATUS, HOMOMORPHIC CYCLIC OPERATION METHOD, AND HOMOMORPHIC CYCLIC OPERATION PROGRAM

TECHNICAL FIELD

The present invention relates to a homomorphic cyclic operation system, homomorphic cyclic operation apparatus, homomorphic cyclic operation method, and homomorphic cyclic operation program.

BACKGROUND ART

Homomorphic encryption is a cryptographic technique. When ciphertexts Enc(m₁), Enc(m₂) of plaintexts m₁, m₂are given, homomorphic encryption allows a ciphertext Enc(m₁◯m₂) of a binary operation m₁◯m₂of the plaintexts m₁, m₂to be computed without the ciphertext Enc(m₁◯m₂) being decrypted back into the plaintexts m₁, m₂. Here, “◯” is a binary operation such as addition “+” or multiplication “x.” Homomorphic encryption related to addition “+” is called additive homomorphic encryption. Further, homomorphic encryption that is also homomorphic with respect to multiplication “x” is called fully homomorphic encryption.

Fully homomorphic encryption has the best properties because it is homomorphic with respect to both addition and multiplication. However, fully homomorphic encryption presents difficulties in practical use as it requires a large amount of computation. Therefore, homomorphic encryptions with intermediate properties between additive and fully homomorphic encryptions have also been developed. For instance, a cryptosystem called somewhat homomorphic encryption is an encryption scheme homomorphic with respect to a finite number of additions and multiplications (for instance, refer to Non-Patent Literature 1).

CITATION LIST
Non-Patent Literature
[Non-Patent Literature 1]

Yasuda M., Shimoyama T., Kogure J., Yokoyama K., Koshiba T. (2013) “Packed Homomorphic Encryption Based on Ideal Lattices and Its Application to Biometrics,” In: Cuzzocrea A., Kittl C., Simos D. E., Weippl E., Xu L. (eds), Security Engineering and Intelligence Informatics, CD-ARES 2013, Lecture Notes in Computer Science, vol 8128, Springer, Berlin, Heidelberg.

SUMMARY
Technical Problem

The disclosure of the literature in Citation List above is incorporated herein in its entirety by reference thereto. The following analysis is given by the present inventors.

In a real computer system, it is common to provide not only addition and multiplication but also other frequently used operations. This is because it is more convenient to provide a user with a predetermined operation as a protocol than to provide an operation that can theoretically be achieved by a combination of addition and multiplication. An example of such an operation is a cyclic operation. The cyclic operation moves storage locations of a periodic array of data while maintaining the order of the data array. The operation that moves storage locations while maintaining the order of data is generally referred to as a shift, and the cyclic operation shifts a periodic array.

It goes without saying that, performing a cyclic operation in a homomorphic encryption system requires not only simply implementing the cyclic operation but also shifting the storage locations of data without decrypting a periodic array of the encrypted data. Moreover, to implement a cyclic operation in homomorphic encryption, it is also necessary to address the computational cost, which is a problem unique to homomorphic encryption.

In view of the problem above, it is an object of the present invention to provide a homomorphic cyclic operation system, homomorphic cyclic operation apparatus, homomorphic cyclic operation method, and homomorphic cyclic operation program that shift data storage locations without decrypting a periodic array of encrypted data.

Solution to Problem

According to a first aspect of the present invention, there is provided a homomorphic cyclic operation system performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, the homomorphic cyclic operation system comprising: an encryption apparatus that encrypts the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data; and a homomorphic cyclic operation apparatus that shifts the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data.

According to a second aspect of the present invention, there is provided a homomorphic cyclic operation apparatus performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, wherein the homomorphic cyclic operation apparatus shifts the periodic array of data in a ciphertext of the periodic data by encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate the ciphertext and applying the indeterminate raised to the power of a shift amount to the ciphertext.

According to a third aspect of the present invention, there is provided a homomorphic cyclic operation method performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, the homomorphic cyclic operation method comprising: a step of encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data; and a step of shifting the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data.

According to a fourth aspect of the present invention, there is provided a program causing a computer to perform a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, wherein the program shifts the periodic array of data in a ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext, wherein the ciphertext of the periodic data is encrypted by storing it in the coefficients of an indeterminate polynomial. Further, this program can be stored in a computer-readable storage medium. The storage medium may be a non-transitory one such as a semiconductor memory, a hard disk, a magnetic recording medium, an optical recording medium, and the like. The present invention can also be realized as a computer program product.

Advantageous Effects of Invention

According to each aspect of the present invention, it becomes possible to provide a homomorphic cyclic operation system, homomorphic cyclic operation apparatus, homomorphic cyclic operation method, and homomorphic cyclic operation program that shift data storage locations without decrypting a periodic array of encrypted data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a schematic configuration example of a homomorphic cyclic operation system in a first example embodiment.

FIG. 2 is a block diagram showing a schematic configuration example of a homomorphic cyclic operation apparatus in the first example embodiment.

FIG. 3 is a system flowchart of the system in the first example embodiment.

FIG. 4 is a drawing showing an example of the hardware configuration of the homomorphic cyclic operation apparatus.

FIG. 5 is a drawing illustrating a concept of securely calculating similarity between heterocyclic compounds.

EXAMPLE EMBODIMENTS

Example embodiments of the present invention will be described with reference to the drawings. The present invention, however, is not limited to the example embodiments described below. Further, in each drawing, the same or corresponding elements are appropriately designated by the same reference signs. It should also be noted that the drawings are schematic, and the dimensional relationships and the ratios between the elements may differ from the actual ones. The dimensional relationships and the ratios between drawings may also be different in some sections.

First Example Embodiment

The following describes a homomorphic cyclic operation system relating to a first example embodiment with reference to FIGS. 1 and 2. In the first example embodiment, only the basic concept of the present invention is described.

FIG. 1 is a block diagram showing a schematic configuration example of the homomorphic cyclic operation system in the first example embodiment. As shown in FIG. 1, the homomorphic cyclic operation system 100 relating to the first example embodiment comprises an encryption apparatus 110 and a homomorphic cyclic operation apparatus 120. The encryption apparatus 110 and the homomorphic cyclic operation apparatus 120 are information processing apparatuses (computers), the hardware configuration of which will be described using an example later. The encryption apparatus 110 and the homomorphic cyclic operation apparatus 120 may be connected by wired or wireless communication. For instance, the encryption apparatus 110 may be a general-purpose personal computer or a mobile terminal such as a smartphone.

The homomorphic cyclic operation system 100 relating to the first example embodiment shown in FIG. 1 performs a cyclic operation on a periodic array of data using homomorphic encryption capable of encrypting a data array and having a homomorphic operation defined with respect to at least one multiplication. The encryption apparatus 110 encrypts the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data, and the homomorphic cyclic operation apparatus 120 shifts the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data.

Further, the homomorphic cyclic operation apparatus 120 shifts the periodic array of data without decrypting it. Therefore, an output of the homomorphic cyclic operation apparatus 120 is also a ciphertext. There are various ways to use the obtained ciphertext, as illustrated by the example embodiments below. It is preferred that a decryption apparatus for decrypting the obtained ciphertext be provided separately from the homomorphic cyclic operation apparatus 120 because the secret and public keys of homomorphic encryption can be managed separately by different apparatuses with increased security.

The homomorphic encryption used in the first example embodiment can encrypt a data array and has a homomorphic operation defined with respect to at least one multiplication. Further, it is preferable that homomorphic operations be also defined for addition, although it is not directly used in the example embodiment. In other words, in the homomorphic encryption used in the first example embodiment, homomorphic addition and homomorphic multiplication that satisfy the following relational expressions are defined:

HomAdd(Enc(m),Enc(m′))=Enc(m+m′) Homomorphic Addition

HomMu1(Enc(m),Enc(m′))=Enc(m*m′) Homomorphic Multiplication

FIG. 2 is a block diagram showing a schematic configuration example of the homomorphic cyclic operation apparatus in the first example embodiment. As shown in FIG. 2, the homomorphic cyclic operation apparatus 120 comprises a storage part 121, a reception part 122, and an operation part 123. The storage part 121 stores homomorphic cyclic operations and various information used in connection with the homomorphic cyclic operations. The reception part 122 receives a ciphertext of periodic data from the encryption apparatus 110. The operation part 123 uses the homomorphic operations above to perform a cyclic operation without decrypting the ciphertext of the periodic data.

Next, with reference to FIG. 3, processes between the encryption apparatus 110 and the homomorphic cyclic operation apparatus 120 will be described. FIG. 3 is a system flowchart of the system in the first example embodiment. The system flowchart in FIG. 3 shows the procedure of a homomorphic cyclic operation method for performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption capable of encrypting a data array and having a homomorphic operation defined with respect to at least one multiplication.

In step S1, the encryption apparatus 110 encrypts a periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data. The encryption apparatus 110 transmits the generated ciphertext of the period data to the homomorphic cyclic operation apparatus 120.

In step S2, the homomorphic cyclic operation apparatus 120 shifts the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data received from the encryption apparatus 110.

There are various ways of using the ciphertext obtained in the step S2, as illustrated by the example embodiments below.

[Hardware Configuration]

FIG. 4 is a drawing showing an example of the hardware configuration of the homomorphic cyclic operation apparatus. In other words, the hardware configuration shown in FIG. 4 is an example of the hardware configuration of the homomorphic cyclic operation apparatus 120.

An information processing apparatus (computer) employing the hardware configuration shown in FIG. 4 can achieve the functions of the homomorphic cyclic operation apparatus 120 by executing the homomorphic cyclic operation method described above as a program. It should be noted that the hardware configuration example shown in FIG. 4 is merely an example of the hardware configuration that achieves the functions of the homomorphic cyclic operation apparatus 120 and is not intended to limit the hardware configuration of the homomorphic cyclic operation apparatus 120. The homomorphic cyclic operation apparatus 120 may include hardware not shown in FIG. 4.

As shown in FIG. 4, the hardware configuration 10 that may be employed by the homomorphic cyclic operation apparatus 120 comprises a CPU (Central Processing Unit) 11, a primary storage device 12, an auxiliary storage device 13, and an IF (interface) part 14, which are connected to each other by, for instance, an internal bus.

The CPU 11 executes each instruction included in the homomorphic cyclic operation program executed by the homomorphic cyclic operation apparatus 120. The primary storage device 12 is, for instance, a RAM (Random Access Memory) and temporarily stores various programs such as the homomorphic cyclic operation program executed by the homomorphic cyclic operation apparatus 120 so that the CPU 11 can process the programs.

The auxiliary storage device 13 is, for instance, an HDD (Hard Disk Drive) and is capable of storing the various programs, such as the homomorphic cyclic operation program executed by the homomorphic cyclic operation apparatus 120, in the medium to long term. The various programs such as the homomorphic cyclic operation program may be provided as a program product stored in a non-transitory computer-readable storage medium. The auxiliary storage device 13 can be used to store the various programs such as the homomorphic cyclic operation program stored in the non-transitory computer-readable storage medium in the medium to long term. The IF part 14 provides an interface to the input and output between, for instance, the homomorphic cyclic operation apparatus 120 and the encryption apparatus 110.

The information processing apparatus employing the hardware configuration 10 described above achieves the functions of the homomorphic cyclic operation apparatus 120 by executing the homomorphic cyclic operation method described above as a program.

The homomorphic cyclic operation system in the first example embodiment is thus able to contribute to shifting data storage locations without decrypting a periodic array of encrypted data. Further, the homomorphic cyclic operation system in the first example embodiment can be implemented as a homomorphic cyclic operation method, and the homomorphic cyclic operation method in the first example embodiment can be implemented as a program executed by an information processing apparatus (computer) having the hardware configuration described above.

Second Example Embodiment

The following describes a homomorphic cyclic operation system relating to a second example embodiment. The second example embodiment describes a method for performing a homomorphic cyclic operation on a periodic array of data while using an example of the homomorphic encryption used in the first example embodiment. The homomorphic encryption described below is capable of encrypting a data array and has a homomorphic operation defined with respect to at least one multiplication.

First, one cycle of a periodic array of data can be regarded as a vector. Then, a vector a=(a₀, a₁, . . . , a_n−1) and a polynomial a(x)=Σ_i=0ⁿ⁻¹a_i*xⁱcan be equated. For the vector a=(a₀, a₁, . . . , aⁿ⁻¹) and a vector b=(b₀, b₁, . . . , b_n−1), this equation results in defining a multiplication a(x)*b(x) as a polynomial and an inner product <a, b>=Σ_i=0ⁿ⁻¹a_i*b_ias a vector.

Then, a noise vector u=(u₀, u₁, . . . , u_n−1) is prepared. u_i(i=0, 1, . . . , n−1) is one of {0, 1, −1}. The probability of u_i=0 is q, the probability of u_i=1 is (1−q)/2, and the probability of u_i=−1 is (1−q)/2.

Using this noise vector u=(u₀, u₁, . . . , u_n−1), a ciphertext of a plaintext vector m=(m₀, m₁, . . . , m_n−1) is defined as follows:

$\begin{matrix} Enc (m) = {[\sum_{i = 0}^{n - 1} (m_{i} + t * u_{i}) * r^{i}]}_{d} & [Math . 1] \end{matrix}$

Note that, in the above definition of the ciphertext, t is the plaintext space size, d is the ciphertext space size, and r is the base that satisfies rⁿ=−1 mod d. Further, [ ]_dis a reduction to an interval [−d/2, d/2), that is, a reduction such that the remainder when divided by d is included in the interval [−d/2, d/2).

If the noise vector u=(u₀, u₁, . . . , u_n−1) and the plaintext vector m=(m₀, m₁, . . . , m_n−1) are respectively regarded as a polynomial u(x)=Σ_i=0ⁿ⁻¹u_i*xⁱand a polynomial m(x)=Σ_i=0ⁿ⁻¹m_i*xⁱ, the ciphertext above can be expressed as follows:

$\begin{matrix} Enc (m (x)) = {[m (r) + t * u (r)]}_{d} & [Math . 2] \end{matrix}$

Next, we will demonstrate the ciphertext defined as above is homomorphic encryption.

Homomorphic Addition

For ciphertexts Enc(m(x)) and Enc(m′(x)) of the plaintext vectors m(x) and m′(x) expressed as polynomials, additive homomorphism holds as shown below.

[Enc(m(x))+Enc(m′(x))]_d=[[m(r)+t*u(r)]_d+[m′(r)+t*u′(r)]_d]_d=[[m(r)+m′(r)+t*(u(r)+u′(r))]_d=Enc(m(x)+m′(x)mod t)

Here, note that mod t is absorbed by t*(u(r)+u′(r)) when each coefficient of m(r)+m(r) becomes larger than t.

Homomorphic Multiplication

For the ciphertexts Enc(m(x)) and Enc(m′(x)) of the plaintext vectors m(x) and m′(x) expressed as polynomials, multiplicative homomorphism holds as shown below.

[Enc(m(x))*Enc(m′(x))]_d=[[m(r)+t*u(r)]_d*[m′(r)+t*u′(r)]_d]_d=[(m(r)+t*u(r))*(m′(r)+t*u′(r))]_d=[m(r)*m′(r)+t*(m(r)*u′(r)+m′(r)*u(r)+t*u(r)*u′(r))]_d=[m(r)*m′(r)+t*u″(r)mod rⁿ+1]_d=Enc(m(x)*m′(x)mod(t,xⁿ+1))

Note that, as a transformation of the above, u″(r)=m(r)*u′(r)+m′(r)*u(r)+t*u(r)*u′(r). Also note that rⁿ=−1 mod d. Further, f(x) mod (t, xⁿ+1) represents f(x) mod t mod (xⁿ+1). In other words, f(x) is converted to a polynomial f′ (x) of a degree smaller than n using the relationship xⁿ=−1, and f(x) mod t mod (xⁿ+1) is a polynomial of the remainders obtained by dividing the coefficients of f′(x) by t.

Homomorphic Inner Product

For the plaintext vector m=(m₀, m₁, . . . , m_n−1), an inner product vector m2=(m2₀, m2₁, . . . , m2_n−1)=(m₀, −m_n−1, −m_n−2, . . . , −m₁) is prepared. An inner product ciphertext Enc2(m) is defined as Enc(m2), and a polynomial having the inner product vector m2 as a coefficient is defined as m2(x). At this time, for the ciphertext Enc(m(x)) of the plaintext vector m(x) expressed as a polynomial and an inner product ciphertext Enc2(m′(x)) of the plaintext vector m′(x), the following holds true:

HomMu1(Enc(m(x)),Enc2(m′(x)))=Enc(m(x)*m2′(x)mod(t,xⁿ⁺¹))=Enc(<m,m′>+m″(x)mod t)

This is because, if we note that xⁿ=−1, Σ_i=1ⁿ⁻¹−m_i*m′_i*xⁿ=Σ_i=1ⁿ⁻¹m_i*m′_i, so the following computation holds true:

m(x)=m₀+m₁*x+m₂*x²+ . . . +m_n−1*xⁿ⁻¹×m2′(x)=m′₀−m′₁*xⁿ⁻¹−m′₂*xⁿ⁻²− . . . −m′_n−1*x¹=m₀*m′₀+Σ_i=1ⁿ⁻¹−m_i*m′_i*xⁿ+m″(x)=Σ_i=0ⁿ⁻¹m_i*m′_i+m″(x)=<m,m′>+m″(x)

The Homomorphic operations above enable shifting the periodic array of data in the ciphertext Enc(m(x)) of the periodic data m(x) by homomorphically multiplying Enc(x^s) obtained by encrypting the indeterminate x raised to the power of a shift amount s, i.e., x^s, by the ciphertext Enc(m(x)) of the periodic data m(x). This is because the following relational expression holds true:

HomMu1(Enc(m(x)),Enc(x^s))=Enc(m(x)*x^smod(t,xⁿ⁺¹))=Enc((m>>_s)mod t)

Note that, in the above equation, >>_ represents a negative cyclic operation (cyclic operation that multiplies the data by −1 when performing a shift) that shifts the vector to the right. In other words, when the ciphertext of the plaintext vector m=(m₀, m₁, . . . , m_n−1) is Enc(m) and the shift amount is s, a ciphertext HomCycle(Enc (m), s) after the shifting is obtained as follows in the above homomorphic cyclic operation:

HomCycle(Enc(m),s)=Enc((−m_n−s, . . . ,−m_n−1,m₀, . . . ,m^n−1−s))

Note that, in the homomorphic cyclic operation above, the data is multiplied by −1 during the shifting, but as can be seen from the example embodiments described later, there is no problem in practical use. Further, the homomorphic cyclic operation described above in combination with the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the first example embodiment realize the homomorphic cyclic operation system, a homomorphic cyclic operation apparatus, a homomorphic cyclic operation method, and a homomorphic cyclic operation program of the second example embodiment.

Third Example Embodiment

The following describes an improvement on the homomorphic cyclic operation in the second example embodiment. Since a homomorphic cyclic operation in a third example embodiment can use homomorphic operations different from the encryption and the homomorphic cyclic operation in the second embodiment, the following description of the third example embodiment only discusses the homomorphic cyclic operation in the third example embodiment.

The homomorphic cyclic operation in the third example embodiment shifts the periodic array of data in the ciphertext Enc(m(x)) of the periodic data m(x) by scalar multiplying the ciphertext Enc(m(x)) of the periodic data m(x) by a value obtained by substituting the base r for the indeterminate x raised to the power of the shift amount s, i.e., r^s.

More concretely, for the ciphertext Enc(m(x)) of the plaintext m(x) expressed as a polynomial, the homomorphic cyclic operation with the shift amount s can be computed as follows. Note that, as a transformation of the below, u′(r))=u(r)*r^s.

[Enc(m(x))*r^s]_d=[[m(r)+t*u(r)]_d*r^s]_d=[m(r)*r^s+t*u(r)*r^s]_d=[m₀*r^s+m₁*r^1+s+ . . . +m_n−1*r^n−1+s+t*u′(r)]_d=[−m^n−s+(−m^n−s+1)*r+ . . . +(−m_n−1)*r^s−1+m₀*r^s+m₁*r^s+1+ . . . +m_n−s−1*rⁿ⁻¹+t*u′(r)]_d=Enc((m>>_s)mod t)

Note that, since r⁻¹=−rⁿ⁻¹mod d from rⁿ=−1 mod d, if the shift amount s is negative, the cyclic operation is negative with a shift to the left.

The following describes the difference between the homomorphic cyclic operation in the second example embodiment and that in the third example embodiment.

Since the homomorphic cyclic operation in the second example embodiment computes HomMu1(Enc(m(x)), Enc(x^s)), Enc(x^s) needs to be stored or computed every time. Meanwhile, since rⁱused in the homomorphic cyclic operation in the third example embodiment is also used in the encryption, it is often computed in advance and the computation result is stored in memory. In this case, no additional storage and computational costs are incurred because the computed rⁱcan be reused.

Moreover, even if one ends up having to compute rⁱused in the homomorphic cyclic operation in the third example embodiment because it cannot be reused, the cost of computing rⁱis smaller than the cost of computing Enc(x^s). This is because rⁱis included in the definition of the encryption Enc(m)=[Σ_i=0ⁿ⁻¹(m_i+t*u_i)*rⁱ]_d.

Further, the homomorphic cyclic operation in the second example embodiment brings about an increase in noise that may cause a decoding error when the homomorphic multiplication HomMu1 is used. Here, the increase in noise means an increased absolute value of the coefficient of the polynomial u(x) corresponding to u(r) in the ciphertext Enc(m(x))=[m(r)+t*u(r)]_d. Meanwhile, in the homomorphic cyclic operation in the third example embodiment, the noise after the homomorphic cyclic operation is u′(r)=u(r)*r^s, which is a polynomial having the corresponding u>>_s as a coefficient. Although the signs of the shifted elements are inverted, the absolute value of the coefficient remains the same. Therefore, no increase in noise occurs.

In other words, as compared with the homomorphic cyclic operation in the second example embodiment, the homomorphic cyclic operation in the third example embodiment has the advantage of having a lower additional memory or computational cost and a lower overall cryptographic computational cost stemming from an increased decoding error probability or larger encryption scheme parameters to address it.

Further, the homomorphic cyclic operation in the third example embodiment in combination with the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the first example embodiment are also able to realize a homomorphic cyclic operation system, a homomorphic cyclic operation apparatus, a homomorphic cyclic operation method, and a homomorphic cyclic operation program of the third example embodiment.

Fourth Example Embodiment

The homomorphic cyclic operation described above is a negative cyclic operation that multiplies the data by −1 when performing a shift. Using similarity calculation as an example, the fourth example embodiment describes how even the negative cyclic operation that multiplies the data by −1 when performing a shift can be put to practical use with some ingenuity. Even the negative cyclic operation that multiplies data by −1 when performing a shift by encrypting a periodic array of data by storing it in the coefficients of an indeterminate polynomial after making the periodic array of data periodically redundant is able to calculate similarity accurately.

FIG. 5 is a drawing illustrating a concept of securely calculating similarity between heterocyclic compounds. FIG. 5 assumes that there is a database in which the structure of a heterocyclic compound A is encrypted and registered by a plurality of pharmaceutical companies. Then, let's say a user wants to know how similar a heterocyclic compound B discovered by the user is to previously registered heterocyclic compounds. We will assume that the similarity between heterocyclic compounds is determined by the associations between atoms contained in heterocyclic compounds, for instance, as shown in the score table below.

TABLE 1

Heterocyclic Compound B

C—H
C—OH
N

Heterocyclic
C—H
+5
+1
+0

Compound A
C—OH
+1
+5
+0

N
+0
+0
+10

Then, one can calculate the similarity applying an inner product operation to the score table. For instance, in the example shown in FIG. 5, rows in the score table are selected according to the atoms contained in the heterocyclic compound A, and an array A is created in which the selected rows of the score table are connected in a line. Here, we will sequentially connect them from the top left clockwise. For the other heterocyclic compound B, an array B is created by assigning 1 to matches and 0 to non-matches according to the atoms contained in the heterocyclic compound B. We will sequentially connect them from the top left clockwise, as with the array A.

The similarity can be calculated by performing an inner product operation on these two arrays A and B as vectors. Since the inner product operation here can use a homomorphic operation as explained above, one can calculate the similarity while keeping the structures of the heterocyclic compounds A and B secret.

Meanwhile, since heterocyclic compounds are cyclically structured, the value of the similarity between two given compounds changes depending on the starting point from which the similarity calculation is performed. As a matter of fact, although the heterocyclic compounds A and B are the same heterocyclic compounds, the calculated similarity above is low because the starting points of their cyclic structures are different. Without a homomorphic cyclic operation, it is necessary to repeatedly encrypt the data of the heterocyclic compounds as many times as the number of possible combinations of the starting points of the cyclic structures. A homomorphic cyclic operation enables changing the starting point in an encrypted state after the starting point of a cyclic structure is set to any one point and the data is encrypted.

Since the homomorphic cyclic operation described above, however, is a negative cyclic operation that multiplies the data by −1 when performing a shift, problems arise in the following two cases:

- Case 1: If the dimensionality of a plaintext handled by somewhat homomorphic encryption is different from the length of the vector to be encrypted, a shift cannot be performed.

For instance, as shown below, when the dimensionality of a plaintext handled by homomorphic encryption differs from the length of the vector to be encrypted, the remaining dimensions are filled with zeros. In this case, the correct result cannot be obtained from a homomorphic inner product operation.

- Case 2: Even when the dimensionality of a plaintext handled by somewhat homomorphic encryption is the same as the length of the vector to be encrypted, a value obtained from multiplication by −1 is used for calculation since a negative shift is performed.

For instance, as shown below, even if the dimensionality of a plaintext handled by homomorphic encryption is the same as the length of the vector to be encrypted, a value obtained from multiplication by −1 is used for calculation since a negative shift is performed. As a result, the correct result cannot be obtained from a homomorphic inner product operation.

Therefore, the homomorphic cyclic operation of the fourth example embodiment encrypts a periodic array of data by storing it in the coefficients of an indeterminate polynomial after making the periodic array of data periodically redundant. As a result, the homomorphic cyclic operation of the fourth example embodiment is able to accurately perform a homomorphic inner product operation, even if it is a negative cyclic operation that multiplies the data by −1 when performing a shift, thereby being able to accurately calculate similarity. Further, as can be seen from the example below, the portions of the other vector that correspond to the periodically redundant portions are filled with zeros. Note that the redundant portions are indicated by white numbers.

Further, even when the dimensionality of a plaintext handled by homomorphic encryption is the same as the length of the vector to be encrypted, by encrypting a periodic array of data by storing it in the coefficients of an indeterminate polynomial after making the periodic array of data periodically redundant, even a negative cyclic operation that multiplies the data by −1 when performing a shift can accurately perform a homomorphic inner product operation, thereby being able to accurately calculate similarity.

The following describes in more detail the homomorphic cyclic operation of the fourth example embodiment. The description below refers to the encryption apparatus 110 and the homomorphic cyclic operation apparatus 120 discussed in the description of the first example embodiment, however, the apparatus configuration is not necessarily limited thereto.

Premise

First, as a premise, each element is encoded using 0 to 1-1. The size of the score space is s_size, and the length of the periodic array of data is r_size. The cyclic operation here allows both left and right shifts, the amount of a left shift is set to s_l, and the amount of a right shift s_r. Further, the i-th row of the score table below is regarded as a vector T_i.

TABLE 7

0
1
. . .
1 − 1

T₀
0
t_{0, 0}
t_{1, 0}
. . .
t_{1−1, 0}

T1
1
t_{0, 0}
t_{1, 1}
. . .
t_{1−1, 1}

.
.
.

custom-character

.

.
.
.

.

.
.
.

.

T₁₋₁
1 − 1
t_{1−1, 0}
t_{1−1, 1}
. . .
t_{1−1, 1−1}

Setup

Taking a security parameter as an input, generate a public key pk and a secret key sk for a somewhat homomorphic encryption scheme that can treat an n−1 degree polynomial having a coefficient space size s>s_sizeas a plaintext, where n≥(r_size+s_l+s_r)×1. Here, s>s_sizesignifies the ability to handle all potential scores that may be outputted. Further, the condition n≥(r_size+s_l+s_r)×1 is required to encrypt the length of a vector to be encrypted.

Registration

In the registration phase, with the public key pk and a periodic array (vector) of data x=(x₀, x₁, . . . , x_{r_size−1}) as inputs, the following computation is performed. Note that, although this process is typically performed by the encryption apparatus 110, the apparatus used is not limited as long as the process can be registered in the homomorphic cyclic operation apparatus 120 in advance.

- 1. A vector obtained by making the periodic array (vector) of data x redundant is denoted as x′=(x_{r_size−s_r}, . . . , x_{r_size−1}, x₀, . . . , x_{r_size−1}, x₀, . . . , x_{s_1}).
- 2. A vector formed by concatenating the row vectors corresponding to each element of the vector x′ in the score table is denoted as T=(T_{x_{r_size−s_r}}, . . . , T_{x_{r_size−1}}, T_{x_0}, . . . , T_{x_{r_size−1}}, T_{x_0}, . . . , T_{x_{s_1}}) (refer to the table below).
- 3. Calculate and output c₁=Enc(T).

TABLE 8

Redundant portion
1 cycle of data
Redundant portion

T
T text missing or illegible when filed

. . .
T text missing or illegible when filed

indicates data missing or illegible when filed

Query

In the query phase, the encryption apparatus 110 takes the public key pk and a periodic array (vector) of data y=(y₀, y₁, . . . , y_{r_size−1}) as inputs and performs the following computation:

- 1. A vector B is formed by concatenating vectors where only the dimension of the value of each element of the vector y is 1 and the rest are zero. B is defined as B=(B_{y_0}, . . . , B_{y_{r_size−1}}), B_i=(b₀, b₁, . . . , b_1-1) where b_j={0 if j≠y_i, 1 if j=y_i}.
- 2. A vector B′=(0^s_r*1, B_{y_0}, . . . , B_{y_{r_size−1}}, 0^s_1*1) is formed by adding s_rand s_lzero vectors of dimension 1 to the left and right of the vector B, where 0^adenotes a zero vector of dimension a (refer to the table below).
- 3. Calculate c₂=Enc2(B′) and transmit the output to the homomorphic cyclic operation apparatus 120.

TABLE 9

Zero vectors
1 cycle of data
Zero vectors

B
0
. . .
0
B text missing or illegible when filed

. . .
B text missing or illegible when filed

0
. . .
0

text missing or illegible when filed

indicates data missing or illegible when filed

Similarity Calculation

In the similarity calculation phase, the homomorphic cyclic operation apparatus 120 takes the public key pk, the ciphertext c₁generated during the registration, and the ciphertext c₂generated during the query as inputs and performs the following computation:

- 1. Prepare an empty set C={ }.
- 2. For j=−s₁, . . . , s_r, calculate a to d as follows:
- a. c=HomCycle(c₁, l*j)
- b. c_{i p}=HomIP_{p k}(c, c₂)
- c. Generate r=(0, r₁, r₂, . . . , r_n−1) (r_iis uniformly random over the plaintext space of the encryption scheme).
- d. c_r=Enc(r)
- e. Add c=HomAdd(c_ip, c_r) to C.
- 3. Output C and transmit it to the encryption apparatus 110.

Note that the calculations of a and b in the similarity calculation above may be c=HomCycle(c₂, l*j) and c_ip=HomIP_{p k}(c, c₁). Further, the calculations from c to e in the similarity calculation above are for masking in order to prevent information leakage from non-constant terms in the homomorphic inner product operation. Therefore, these calculations may be omitted when there is no need to prevent information leakage.

Decryption

In the decryption phase, the encryption apparatus 110 takes the secret key sk and the ciphertext set C generated during the similarity calculation as inputs and performs the following computation:

- 1. Prepare an empty set M={ }.
- 2. For all c∈C, perform the following calculations:
- a. Let m=(m₀, m₁, . . . , m_n−1) be Dec(c).
- b. Add m₀to M.
- 3. Output M.

Although the homomorphic cyclic operation described in the second and the third example embodiments is a negative cyclic operation that multiplies the data by −1 when performing a shift, the above description has shown that they can be used to calculate similarity with modification. It should be noted that similarity calculation is merely an example to which a negative cyclic operation that multiplies the data by −1 when performing a shift can be applied and that the application examples of the homomorphic cyclic operation described in the second and the third example embodiment are not limited thereto.

Further, the homomorphic cyclic operation in the fourth example embodiment in combination with the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the first example embodiment are also able to realize a homomorphic cyclic operation system, a homomorphic cyclic operation apparatus, a homomorphic cyclic operation method, and a homomorphic cyclic operation program of the fourth example embodiment. Therefore, the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the fourth example embodiment are suitable for calculating the similarity between periodic arrays of data.

Fifth Example Embodiment

The following describes another application example of the homomorphic cyclic operations discussed in the second and the third example embodiment. A homomorphic cyclic operation in a fifth example embodiment is used for secure function evaluation. The following description refers to the encryption apparatus 110 and the homomorphic cyclic operation apparatus 120 discussed in the description of the first example embodiment, however, the apparatus configuration is not necessarily limited thereto.

The secure function evaluation is a process where a ciphertext Enc(m) of data m is registered in a database server, and while keeping a polynomial function with integer coefficients f(x)=a₀+a₁*x+a₂*x²+ . . . +a_N*x^Nhidden in the database, a user computes a function evaluation value f(m)=a₀+a₁*m+a₂*m²+ . . . +a_N*m^N. Note that it is permissible to publicly disclose the degree N of the polynomial to be evaluated and a secret key will be provided to the user through another secure means.

First, secure function evaluation that does not use any homomorphic cyclic operation will be described for comparison. This secure function evaluation without a homomorphic cyclic operation employs Horner's rule and utilizes the fact that f(x)=a₀+a₁*x+a₂*x²+ . . . +a_N*x^Ncan be written as f(x)=a₀+x*(a₁+x*(a₂+ . . . x(a_N−1+x*a_N))). It is known that this Horner's rule allows for evaluating an n-degree polynomial with the minimum number of addition and multiplication operations.

- 1. The user calculates Enc(a₀), Enc(a₁), . . . , Enc(a_N) and sends the results to the database server.
- 2. The database server computes Enc(f(m)) using homomorphic operations as follows and sends the result to the user:
- a. c=Enc(a_N)
- b. For i=N−1, N−2, . . . , 0, calculate the following:
  - 1. c=HomMu1(c, Enc(m))
  - 2. c=HomAdd(c, Enc(a_i))
- 3. Let m′=(m′₀, m′₁, . . . , m′_n−1) be Dec(c).
- 4. Let m′₀be the evaluation value f(m)=a₀+a₁*m+a₂*m²+ . . . +a^N*m^N.

As can be seen from the computation above, in the secure function evaluation using the Horner's rule, for the degree N of the polynomial to be evaluated, the user calculates and sends the N+1 ciphertexts Enc(a₀), Enc(a₁), . . . , Enc(a_N) to the database server. Therefore, as the degree N of the polynomial to be evaluated increases, both the user's encryption cost and the communication volume between the database servers will increase.

Even when the degree N of the polynomial to be evaluated is large, using a homomorphic cyclic operation will prevent the user's encryption cost and the communication volume between the database servers from increasing.

More concretely, the user calculates the function evaluation value f(m)=a₀+a₁*m+a₂*m²+ . . . +a^N*m^Nwhile keeping the polynomial function f(x)=a₀+a₁*x+a₂*x²+ . . . +a_N*x^Nhidden in the database server as follows:

- 1. First, the user calculates an inner product ciphertext Enc2((a₀, a₁, . . . , a_N)) using a user terminal (the encryption apparatus 110) and sends the result to the database server.
- 2. The database server (the homomorphic cyclic operation apparatus 120) computes Enc(f(m)) using homomorphic operations as follows:
- A. c=Enc(m)
- B. Repeat the following process N−1 times to compute Enc((m, m², . . . , m^N.
  - a. c=HomMu1(c, Enc(m))
  - b. c=HomCycle(c, 1)
  - c. c=HomAdd(c, Enc(m))
- C. Compute Enc((1, m, m², . . . , m^N)) in the following process:
  - a. c=HomCycle(c, 1)
  - b. c=HomAdd(c, Enc(1)) (calculate Enc(1) in advance)
- D. Calculate the homomorphic inner product c=HomIP(c, Enc2((a₀, a₁, . . . , a_N))) of c=Enc((m, m², . . . , m^N)) computed as described above and Enc2((a₀, a₁, . . . , a_N)) sent by the user. After this calculation, c=Enc(a₀+a₁*m+a₂*m²+ . . . +a^N*m^N)=Enc(f(m)).
- 3. The user decrypts c using the user terminal (the encryption apparatus 110) and the secret key to extract the evaluation value f(m).

Now we will compare the secure function evaluation method (Horner's rule) without using a homomorphic cyclic operation with the secure function evaluation method using homomorphic cyclic operations according to the fifth example embodiment. The table below compares the secure function evaluation method (Horner's rule) without a homomorphic cyclic operation with the secure function evaluation method using homomorphic cyclic operations according to the fifth example embodiment. Note that the calculation costs of HomMu1 and HomCycle are the same, and so are the calculation costs of Enc and Enc2. The calculation costs can be compared by comparing the number of processes.

TABLE 10

No homomorphic
Using homomorphic

cyclic operations
cyclic operations

Encryption (user)
N + 1 times
Once

Communication volume
N + 1 ciphertexts
1 ciphertext

from user to database

server

Homomorphic processing
HomMul: N times
HomMul: N − 1 times

(database server)
HomAdd: N times
HomCycle: N times

HomAdd: N times

Communication volume
1 ciphertext
1 ciphertext

from database server to

user

Decrypt (user)
Once
Once

As evident from the comparison table above, the secure function evaluation using homomorphic cyclic operations according to the fifth example embodiment requires less encryption computational cost and less communication volume from the user to the database server than the secure function evaluation that does not use a homomorphic cyclic operation. On the other hand, the computational cost of the homomorphic processing performed by the database server is higher in the secure function evaluation using homomorphic cyclic operations according to the fifth example embodiment than in the secure function evaluation without homomorphic cyclic operations. Therefore, the secure function evaluation using homomorphic cyclic operations according to the fifth example embodiment can be effectively utilized in cases where the user's terminal (the encryption apparatus 110) is underpowered, for example.

Further, the homomorphic cyclic operation in the fifth example embodiment in combination with the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the first example embodiment are also able to realize a homomorphic cyclic operation system, a homomorphic cyclic operation apparatus, a homomorphic cyclic operation method, and a homomorphic cyclic operation program of the fifth example embodiment. Therefore, the homomorphic cyclic operation system, the homomorphic cyclic operation apparatus, the homomorphic cyclic operation method, and the homomorphic cyclic operation program of the fifth example embodiment are suitable for performing secure function evaluation.

Some or all of the example embodiments above can be described as (but not limited to) the following Supplementary Notes.

[Supplementary Note 1]

A homomorphic cyclic operation system performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, the homomorphic cyclic operation system comprising:

an encryption apparatus that encrypts the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data; and

a homomorphic cyclic operation apparatus that shifts the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data.

[Supplementary Note 2]

The homomorphic cyclic operation system according to Supplementary Note 1, wherein

the homomorphic cyclic operation apparatus shifts the periodic array of data in the ciphertext of the periodic data by homomorphically multiplying a value obtained by encrypting the indeterminate raised to the power of the shift amount by the ciphertext of the periodic data.

[Supplementary Note 3]

The homomorphic cyclic operation system according to Supplementary Note 1, wherein

the homomorphic cyclic operation apparatus shifts the periodic array of data in the ciphertext of the periodic data by scalar multiplying the ciphertext of the periodic data by the indeterminate substituted by the base raised to the power of the shift amount.

[Supplementary Note 4]

The homomorphic cyclic operation system according to Supplementary Note 3, wherein

the base r is a number that satisfies rⁿ≡−1 mod d when a cycle n of the array and a ciphertext space size d are used.

[Supplementary Note 5]

The homomorphic cyclic operation system according to any one of Supplementary Notes 1 to 4, wherein

the encryption apparatus adds a noise vector to the periodic array of data before encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial.

[Supplementary Note 6]

The homomorphic cyclic operation system according to any one of Supplementary Notes 1 to 5, wherein

the encryption apparatus makes the periodic array of data periodically redundant before encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial.

[Supplementary Note 7]

The homomorphic cyclic operation system according to any one of Supplementary Notes 1 to 5, wherein

the periodic array represents the coefficients of an evaluation polynomial to be evaluated by substituting values for evaluation purposes,

the encryption apparatus encrypts the coefficients of the evaluation polynomial, and

the homomorphic cyclic operation apparatus obtains a ciphertext of the evaluation polynomial substituted with the values for evaluation purposes by repeatedly shifting by one a ciphertext obtained by encrypting the values for evaluation purposes, repeatedly multiplying the ciphertext by itself, and calculating the inner product of the result of the shifting and the multiplying and a ciphertext of the coefficients of the evaluation polynomial.

[Supplementary Note 8]

A homomorphic cyclic operation apparatus performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, wherein

the homomorphic cyclic operation apparatus shifts the periodic array of data in a ciphertext of periodic data by encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate the ciphertext and applying the indeterminate raised to the power of a shift amount to the ciphertext.

[Supplementary Note 9]

A homomorphic cyclic operation method performing a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, the homomorphic cyclic operation method comprising:

a step of encrypting the periodic array of data by storing it in the coefficients of an indeterminate polynomial to generate a ciphertext of periodic data; and

a step of shifting the periodic array of data in the ciphertext of the periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext of the periodic data.

[Supplementary Note 10]

A program causing a computer to perform a homomorphic cyclic operation on a periodic array of data using homomorphic encryption having a homomorphic operation defined with respect to at least one multiplication, wherein

the program shifts the periodic array of data in a ciphertext of periodic data by applying the indeterminate raised to the power of a shift amount to the ciphertext, wherein the ciphertext of the periodic data is encrypted by storing it in the coefficients of an indeterminate polynomial.

Further, the disclosure of Non-Patent Literature cited above is incorporated herein in its entirety by reference thereto. It is to be noted that it is possible to modify or adjust the example embodiments or examples within the scope of the whole disclosure of the present invention (including the Claims) and based on the basic technical concept thereof. Further, it is possible to variously combine or select (or partially omit) a wide variety of the disclosed elements (including the individual elements of the individual claims, the individual elements of the individual example embodiments or examples, and the individual elements of the individual figures) within the scope of the whole disclosure of the present invention. That is, it is self-explanatory that the present invention includes any types of variations and modifications to be done by a skilled person according to the whole disclosure including the Claims and the technical concept of the present invention. Particularly, any numerical ranges disclosed herein should be interpreted that any intermediate values or subranges falling within the disclosed ranges are also concretely disclosed even without specific recital thereof. In addition, using some or all of the disclosed matters in the literatures cited above as necessary, in combination with the matters described herein, as part of the disclosure of the present invention in accordance with the object thereof shall be considered to be included in the disclosed matters of the present application.

REFERENCE SIGNS LIST

- 100: homomorphic cyclic operation system
- 110: encryption apparatus
- 120: homomorphic cyclic operation apparatus
- 121: storage part
- 122: reception part
- 123: operation part
- 10: hardware configuration
- 11: CPU (Central Processing Unit)
- 12: primary storage device
- 13: auxiliary storage device
- 14: IF (interface) part

HOMOMORPHIC CYCLIC OPERATION SYSTEM, HOMOMORPHIC CYCLIC OPERATION APPARATUS, HOMOMORPHIC CYCLIC OPERATION METHOD, AND HOMOMORPHIC CYCLIC OPERATION PROGRAM

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

PCT Information