CN-121984655-A - Batch function bootstrapping method and computing device
Abstract
A method and computing device for batch function bootstrapping includes obtaining a first RLWE ciphertext of a first polynomial, generating MLWE ciphertext based on the first RLWE ciphertext, and obtaining Obtaining test polynomials / Group key ciphertext based on a fifth polynomial The coefficient and the Generating a second RLWE ciphertext sequence based on the second RLWE ciphertext sequence by using the test polynomials / Secondary preset algorithm, h+ / The secondary preset algorithm comprises the following steps of / The first key polynomials respectively correspond to / Group preset algorithm, / The j-th preset algorithm in the preset group algorithm comprises the steps of acquiring the corresponding preset group algorithm from a plurality of groups of key ciphertext A group key ciphertext, wherein, Based on the degree of the term in the first key polynomial corresponding to the j-th preset algorithm Group key ciphertext pair comprising Sequence of fourth RLWE ciphertext Secondary rotation processing based on inclusion of A third RLWE ciphertext sequence to obtain And ciphertext.
Inventors
- LI ZHIHAO
- ZHAO YUAN
- LI LICHUN
Assignees
- 蚂蚁区块链科技(上海)有限公司
Dates
- Publication Date: 20260505
- Application Date: 20260116
Claims (10)
- 1. A method of batch function bootstrapping, the method comprising: Obtaining a first RLWE ciphertext of a first polynomial, the first polynomial being A polynomial in a space of degree polynomials, the first polynomial comprising A first number as it A coefficient, the first RLWE ciphertext including a second polynomial and a third polynomial; generating MLWE ciphertext based on the first RLWE ciphertext, the MLWE ciphertext comprising A fourth polynomial and a fifth polynomial, wherein the fourth polynomial and the fifth polynomial are Polynomial in degree polynomial space, said A fourth polynomial is obtained based on the second polynomial, and a fifth polynomial is obtained based on the third polynomial; acquisition and acquisition of Corresponding to the individual function A plurality of test polynomials, the A function and the The first numerical values respectively correspond to each other; acquisition and the described The fourth polynomials respectively correspond to A group key ciphertext, each group key ciphertext comprising a plurality RGSW ciphertexts, each RGSW ciphertext being a RGSW ciphertext of 0 or 1, the group key ciphertext Group key ciphertext based A first key polynomial is generated, said first key polynomial Generating a first key polynomial based on a second key polynomial corresponding to the first RLWE ciphertext; based on the fifth polynomial The coefficient and the Generating a sequence of second RLWE ciphertexts by using test polynomials, wherein the plaintext corresponding to each second RLWE ciphertext is the product of the ith test polynomial and a single-term expression taking the ith coefficient of the fifth polynomial as an index; H+based on the sequence of the second RLWE ciphertext A secondary preset algorithm is obtained, including A third RLWE ciphertext sequence, wherein h is the number of terms of the second key polynomial, and the plaintext corresponding to the ith third RLWE ciphertext is the product of the ith test 
polynomial and a single term with the ith first value as an index; Wherein the h+ The secondary preset algorithm comprises the following steps of The first key polynomials respectively correspond to A group preset algorithm, said The j-th preset algorithm in the group preset algorithm comprises the steps of acquiring the corresponding algorithm from the key ciphertext of the j-th group A group key ciphertext, wherein, Based on the degree of the term in the first key polynomial corresponding to the j-th set of preset algorithms, Is a preset natural number based on the Group key ciphertext pair comprising Sequence of fourth RLWE ciphertext Performing secondary rotation processing, wherein the fourth RLWE ciphertext is obtained based on a last preset algorithm; Based on the inclusion A third RLWE ciphertext sequence to obtain Ciphertext of The ciphertext corresponds to And each second value is a function value obtained by inputting each first value into a corresponding function.
- 2. The method of claim 1 wherein each plaintext corresponding to each of the fourth RLWE ciphertext includes a first polynomial having each coefficient of a sixth polynomial as a first exponent, A binary digit of a second exponent of a second single form, the second exponent of the second single form being determined based on terms in the first key polynomial corresponding to the jth preset algorithm, the second exponent of the second single form being based on terms in the first key polynomial corresponding to the jth preset algorithm, the second key polynomial An ith group key ciphertext in a group key ciphertext and an ith in the second exponent The value of the bit corresponds; The pair comprises Sequence of fourth RLWE ciphertext The secondary rotation process comprises Sequence of fourth RLWE ciphertext Performing secondary rotation treatment to obtain the final product comprising A sequence of fifth RLWE ciphertext; The plaintext corresponding to each fifth RLWE ciphertext includes a third polynomial with each coefficient of a seventh polynomial as a third exponent, where the seventh polynomial is equal to a polynomial obtained by multiplying the sixth polynomial by the second polynomial.
- 3. The method of claim 1, the The j-th preset algorithm in the preset algorithm groups comprises The algorithm is preset for a second time and, The number of terms of the j-th first key polynomial is that Of a first key polynomial The sum is equal to h, The method further includes, for a front in the j-th set of preset algorithms And multiplying the ith sixth RLWE ciphertext obtained by executing the preset algorithm by a single formula with the negative number of the ith coefficient of the jth fourth polynomial as an index to obtain a RLWE ciphertext sequence for the next preset algorithm.
- 4. The method of claim 1, for the front in the j-th set of preset algorithms A second preset algorithm, corresponding to the p-th preset algorithm A binary number equal to a first number equal to the difference between the degree of the p-1 th term and the degree of the p-1 th term of the j-th first key polynomial, wherein when p is equal to 1, the 1 st preset algorithm corresponds to A binary digit equal to a second value equal to the negative of the 1 st degree of the j-th first key polynomial, equal to the value of p At +1, the first Corresponding to +1 times of preset algorithm A binary digit equal to a third value equal to a j-th first key polynomial of the j-th first key polynomial Number of times of items.
- 5. The method of claim 4, wherein m = 2, the p-th preset algorithm corresponds to And the group key ciphertext is determined based on the values of two bits corresponding to the p-th preset algorithm in the first numerical value, the second numerical value or the third numerical value.
- 6. The method of claim 5, wherein the p-th preset algorithm is based on the following when it corresponds to the kth bit and the k+1 th bit Group key ciphertext of the sequence of fourth RLWE ciphertext The secondary rotation process includes: when the k bit is equal to 0 and the k+1 bit is equal to 0, based on the following Processing the sequence of the fourth RLWE ciphertext by the p-th group key ciphertext in the group key ciphertext so as not to rotate the sequence of the fourth RLWE ciphertext; when the k bit is equal to 1 and the k+1 bit is equal to 0, the method comprises the following steps of Items to the first -1 Performing self-isomorphism processing to convert the single-form index in the plaintext corresponding to each term into negative number, and then rotating the sequence of the fourth RLWE ciphertext after conversion to the right based on the p-th group key ciphertext A bit; when the k bit is equal to 0 and the k+1 bit is equal to 1, the method comprises the following steps of Items to the first -1 Performing self-isomorphism processing to convert the single-form index in the plaintext corresponding to each term into negative number, and then rotating the sequence of the fourth RLWE ciphertext after conversion to the right based on the p-th group key ciphertext A bit; When the k bit is equal to 1 and the k+1 bit is equal to 1, the method comprises the following steps of Items to the first -1 Performing self-isomorphism processing to convert the single-form index in the plaintext corresponding to each term into negative number, and then rotating the sequence of the fourth RLWE ciphertext after conversion to the right based on the p-th group key ciphertext Bits.
- 7. The method of claim 6, each set of key ciphertexts including first to fourth rotating key ciphertexts and first to fourth self-isomorphic rotating key ciphertexts, the based on the Group key ciphertext of the sequence of fourth RLWE ciphertext The secondary rotation process includes: At the position of ≤i≤ -1, Calculating the ith item, ith-and-socket in the sequence of the fourth RLWE ciphertext Item, i- Item and i- - The item is respectively summed with the outer products of the first rotation key ciphertext to the fourth rotation key ciphertext to obtain a rotated ith item; In i is less than or equal to At-1, the sum of the i-th item after rotation is calculated - Self-isomorphic outer product of i item and first self-isomorphic rotating key ciphertext - Self-isomorphic outer product of term and second self-isomorphic rotating key ciphertext - - A self-isomorphic outer product of the +i term and the third self-isomorphic rotating key ciphertext, and an outer product of the i term and the fourth rotating key ciphertext; At the position of ≤i≤ At-1, the sum of the i-th item after rotation is calculated - Outer product of term and first rotation key ciphertext, th - Self-isomorphic outer product of term and second self-isomorphic rotating key ciphertext - - A self-isomorphic outer product of the +i term and the third self-isomorphic rotating key ciphertext, and an outer product of the i term and the fourth rotating key ciphertext; At the position of ≤i≤ At-1, the sum of the i-th item after rotation is calculated - Outer product of term and first rotation key ciphertext, th - Outer product of term and second rotation key ciphertext, th - - The self-isomorphic outer product of the +i term and the third self-isomorphic rotating key ciphertext, and the outer product of the i term and the fourth rotating key ciphertext.
- 8. The method of claim 7, the first self-isomorphic rotating key ciphertext generated based on ciphertext of the second key polynomial and the first rotating key ciphertext.
- 9. The method according to claim 7, the th - The self-isomorphic outer product of the i term and the first self-isomorphic rotating key ciphertext is calculated by the following steps: For the first - The two ciphertext polynomials corresponding to the terms are respectively subjected to self-isomorphism processing to obtain two self-isomorphism ciphertext polynomials; A self-isomorphic outer product is calculated based on the two self-isomorphic ciphertext polynomials and the first self-isomorphic rotating key ciphertext.
- 10. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 1-9.
Description
Batch function bootstrapping method and computing device
Technical Field
The embodiments of this specification belong to the technical field of homomorphic encryption, and in particular relate to a batch function bootstrapping method and a computing device.
Background
Homomorphic encryption algorithms can theoretically support arbitrary computations, such as matrix-vector multiplication, activation functions in neural networks, private information retrieval and private information exchange. When dealing with high-precision and complex task circuits, a fully homomorphic encryption (FHE) scheme relies on a core operation, bootstrapping, a concept defined in the first FHE scheme, proposed by Gentry in 2009. The purpose of bootstrapping is to refresh a ciphertext and reduce its noise level, so that noise growth during homomorphic computation does not lead to decryption failure. Bootstrapping is always the most time-consuming part of FHE applications. FHEW and TFHE, which are Boolean-type fully homomorphic encryption algorithms, are among the most practical FHE schemes at present. TFHE currently has the lowest bootstrapping latency of all homomorphic encryption schemes: gate bootstrapping takes only about 13 ms. In contrast, bootstrapping in the BFV and BGV schemes takes several minutes, and in CKKS it takes several seconds and comes at the cost of a loss of accuracy. The FHEW and TFHE schemes are advantageous for evaluating high-precision functions; essentially, they can embed any look-up table function in the bootstrapping step, which is called function bootstrapping (functional bootstrapping, FBS). Function bootstrapping can be used, for example, to evaluate nonlinear functions in neural networks, such as sigmoid and ReLU.
Existing schemes for batch function bootstrapping require many multiplications of polynomials by monomials, which include multiple outer product calculations and are therefore time-consuming.
Disclosure of Invention
The invention aims to provide a method for batch function bootstrapping that reduces the amount of computation in batch function bootstrapping.
A first aspect of the present specification provides a method of batch function bootstrapping, the method comprising: Obtaining a first RLWE ciphertext of a first polynomial, the first polynomial being A polynomial in a space of degree polynomials, the first polynomial comprisingA first number as itA coefficient, the first RLWE ciphertext including a second polynomial and a third polynomial; generating MLWE ciphertext based on the first RLWE ciphertext, the MLWE ciphertext comprising /A fourth polynomial and a fifth polynomial, wherein the fourth polynomial and the fifth polynomial arePolynomial in degree polynomial space, said/A fourth polynomial is obtained based on the second polynomial, and a fifth polynomial is obtained based on the third polynomial; acquisition and acquisition of Corresponding to the individual functionA plurality of test polynomials, theA function and theThe first numerical values respectively correspond to each other; acquisition and the described /The fourth polynomials respectively correspond to/A group key ciphertext, each group key ciphertext comprising a plurality RGSW ciphertexts, each RGSW ciphertext being a RGSW ciphertext of 0 or 1, the group key ciphertext/Group key ciphertext based/A first key polynomial is generated, said first key polynomial/Generating a first key polynomial based on a second key polynomial corresponding to the first RLWE ciphertext; based on the fifth polynomial The coefficient and theGenerating a sequence of second RLWE ciphertexts by using test polynomials, wherein the plaintext 
corresponding to each second RLWE ciphertext is the product of the ith test polynomial and a single-term expression taking the ith coefficient of the fifth polynomial as an index; H+based on the sequence of the second RLWE ciphertext /A secondary preset algorithm is obtained, includingA third RLWE ciphertext sequence, wherein h is the number of terms of the second key polynomial, and the plaintext corresponding to the ith third RLWE ciphertext is the product of the ith test polynomial and a single term with the ith first value as an index; Wherein the h+ /The secondary preset algorithm comprises the following steps of/The first key polynomials respectively correspond to/A group preset algorithm, said/The j-th preset algorithm in the group preset algorithm comprises the steps of acquiring the corresponding algorithm from the key ciphertext of the j-th groupA group key ciphertext, wherein,Based on the degree of the term in the first key polynomial corresponding to the j-th preset algorithmGroup key ciphertext pair comprisingSequence of fourth RLWE ciphertextPerforming secondary rotation processing, wherein the fourth