Secure computing device, secure computing method, and secure computing program

The secure computing device optimizes CMux Tree execution by replacing and omitting CMux gates based on binary string patterns, efficiently evaluating n-bit discrete functions on TFHE with reduced computational complexity.

JP7883472B2Active Publication Date: 2026-07-01KDDI CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
KDDI CORP
Filing Date
2023-09-15
Publication Date
2026-07-01

AI Technical Summary

Technical Problem

Existing methods for applying an arbitrary n-bit discrete function on TFHE require space complexity of O(2^n) and time complexity of O(1), and there is a need for a more efficient exponential-time algorithm.

Method used

A secure computing device and method that utilizes a CMux Tree with a setting unit and arithmetic execution unit to optimize CMux gate execution by replacing the deepest CMux gate with ciphertexts and omitting redundant CMux gate executions based on binary string patterns in the lookup table.

Benefits of technology

Efficient evaluation of any n-bit discrete function on TFHE is achieved by reducing CMux gate executions, significantly lowering computational complexity from O(2^n) to O(2^28) for a 32-bit function, thereby enhancing computational efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007883472000001
    Figure 0007883472000001
  • Figure 0007883472000002
    Figure 0007883472000002
  • Figure 0007883472000003
    Figure 0007883472000003
Patent Text Reader

Abstract

To provide a secret calculation device capable of efficiently evaluating an arbitrary n-bit discrete function on TFHE, a secret calculation method and a secret calculation program.SOLUTION: A secret calculation device 1 includes: a setting unit 11 which, in CMux Tree for evaluating a discreet function on TFHE, sets an encrypted text of any one of a constant number 0 or 1, or a constant number x corresponding to a selector x or 1-x, in place of CMux gate in the deepest part, with respect to four types of patterns of binary character strings of a look-up table corresponding to the CMux gate in the deepest part; and a calculation execution unit 12 for executing only the CMux gate in the upper rank than the CMux gate in the deepest part.SELECTED DRAWING: Figure 1
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] This invention relates to a method for evaluating an arbitrary n-bit discrete function on a fully homomorphic encryption (FHE) system. [Background technology]

[0002] FHE is a cryptographic scheme that, in theory, allows arbitrary computations to be performed on ciphertext, making it an important technology in the fields of privacy protection and secure computation. However, computations on FHE are more computationally intensive than those on ordinary plaintext, so improving their speed remains a challenge. Furthermore, FHE includes a certain amount of noise in the ciphertext to maintain security. Therefore, repeated calculations on the ciphertext increase the noise. Bootstrapping (BS) is a known technique for initializing the noise accumulated in the ciphertext, but it is computationally expensive.

[0003] TFHE (see Non-Patent Document 1) is known as an FHE method for efficiently performing BS. A key feature of BS in TFHE is that it initializes the noise in the ciphertext while simultaneously allowing the application of an arbitrary discrete function to the ciphertext without additional cost. That is, the input to BS in TFHE is a single ciphertext x, and the output is a ciphertext f(x) to which a discrete function f has been applied and the noise has been initialized. BS in TFHE with these properties is called PBS (Programmable BS). PBS is important for TFHE to enable arbitrary computation on the ciphertext.

[0004] However, TFHE can only store a maximum of 8 bits of data in a single ciphertext. Therefore, to apply an n-bit discrete function of arbitrary precision (number of bits n), multiple ciphertexts must be combined. Here, a general way to apply an n-bit discrete function to plaintext is to use a function of length 2 n Prepare a Look-up Table (LUT) and for each i in the LUT (0 ≤ i ≤ 2 n-1) Store the n-bit output f(i) and refer to the LUT when necessary. In this case, memory of size O(2 n ) and query time of O(1) are required. On the other hand, in TFHE, the following exponential-time algorithms with space complexity O(2 n ) and time complexity O(2 n ) are known. CMux Tree (see Non-Patent Document 1) Tree-based PBS (see Non-Patent Document 2) WoP-PBS (see Non-Patent Document 3)

Prior Art Documents

Non-Patent Documents

[0005]

Non-Patent Document 1

Non-Patent Document 2

Non-Patent Document 3

Summary of the Invention

Problems to be Solved by the Invention

[0006] However, there is no method for applying an arbitrary n-bit discrete function with a space complexity of O(2 n ) equivalent to the plaintext and a time complexity of O(1) on TFHE, and an exponential-time algorithm more efficient than existing methods is desired.

[0007] An object of the present invention is to provide a secure computing device, a secure computing method, and a secure computing program that can efficiently evaluate an arbitrary n-bit discrete function on TFHE.

Means for Solving the Problems

[0008] The secure computing device according to the present invention, in a CMux Tree for evaluating a discrete function on TFHE, instead of the deepest CMux gate, for each of four patterns of binary strings of a lookup table corresponding to the deepest CMux gate, a setting unit that sets either a ciphertext of a constant 0 or 1, or a constant x or 1 - x according to the selector x, and an arithmetic execution unit that executes only the CMux gates above the deepest CMux gate.

[0009] In each of the CMux gates above the deepest one, the arithmetic execution unit may omit the execution of the CMux gate and output one of two input values from below when the binary string of the lookup table corresponding to the CMux gate is equal on the left and right. [[ID=E19]]

[0010] In each of the CMux gates above the deepest one, the arithmetic execution unit may omit the execution of the CMux gate and output the same value as the other CMux gate when the binary string of the lookup table corresponding to the CMux gate is equal to that of another CMux gate for which the execution has already been performed.

[0011] The confidential arithmetic method according to the present invention involves a computer performing the following steps in a CMux Tree for evaluating discrete functions on a TFHE: a setting step in which, instead of the deepest CMux gate, a ciphertext is set for each of the four types of binary string patterns of the lookup table corresponding to the deepest CMux gate, to be either a constant 0 or 1, or a constant x or 1-x corresponding to selector x; and an arithmetic execution step in which only CMux gates higher than the deepest CMux gate are executed.

[0012] The confidential computing program according to the present invention is for causing a computer to function as the confidential computing device. [Effects of the Invention]

[0013] According to the present invention, any n-bit discrete function can be efficiently evaluated on TFHE. [Brief explanation of the drawing]

[0014] [Figure 1] Block diagram showing the functional configuration of a secure computing device in an embodiment. [Figure 2] This figure shows the algorithm of the secure calculation method implemented in the secure calculation device in the embodiment. [Figure 3] This figure shows a specific example of a confidential calculation method in an embodiment. [Figure 4] This figure shows the number of patterns and the number of tree nodes at each depth of the CMux Tree in the embodiment. [Modes for carrying out the invention]

[0015] An example of an embodiment of the present invention will be described below. The most efficient existing method for applying arbitrary n-bit discrete functions on a TFHE is known as the CMux Tree. A CMux Tree is a binary tree of depth n, where at each depth i, there are a total of 2 3-input, 1-output processes called CMux gates. iIt is executed repeatedly. The inputs of the CMux gate are the GSW ciphertexts of two out of the 2 n LWE ciphertexts of the values stored in the LUT, y1 and y2, and the selector x ∈ {0, 1}, and the output is the LWE ciphertext of (1 - x)y1 + xy2. That is, the CMux gate outputs y1 to the upper node if x is 0 and y2 if x is 1. Since the CMux gate is a costly operation similar to PBS, the computational complexity of the CMux Tree is evaluated by the total number of executions of the CMux gate.

[0016] Here, one CMux Tree outputs 1 bit of the n-bit discrete function. That is, for the discrete function f(x = [x0, x1, …, x n-1 ) = [f0(x), f1(x), …, f n-1 (x)], the j-th CMux Tree outputs y j = f j (x). The outline of the CMux Tree algorithm is as follows. 1. Store the j-th bit LUT of the n-bit discrete function in the 2 n leaves of the CMux Tree. 2. Each node at depth i = n - 1 is a CMux gate with selector x n-1-i = x0. When all the CMux gates at depth i are executed, 2 i values including the correct value in the LUT are selected and transition from the child nodes to the parent node. 3. Repeat step 2 from i = n - 2 to i = 0. 4. The value of the LUT for the input [x0, x1, …, x n-1 is stored at the root of the CMux Tree.

[0017] The problem with this conventional CMux Tree is the large number of executions of the CMux gate. The number of executions of the CMux gate for evaluating an n-bit discrete function is, for one CMux Tree, 2 n-1 + … + 2 1 + 2 0 = 2 n-1 times. Since an n-bit output requires n CMux Trees, the total number of CMux gate executions is n(2 n -1) times. In this embodiment, the conventional CMux Tree is improved by utilizing the binary pattern of the LUT, thereby reducing the number of CMux gate executions.

[0018] Figure 1 is a block diagram showing the functional configuration of the secure computing device 1 in this embodiment. The secure computing device 1 is an information processing device (computer) such as a server or personal computer, equipped with a control unit 10 and a storage unit 20, as well as various input / output interfaces.

[0019] The control unit 10 is the part that controls the entire secure computing device 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the memory unit 20. The control unit 10 may be a CPU.

[0020] The memory unit 20 is a storage area for various programs and data that enable the hardware group to function as a secure computing device 1, and may be ROM, RAM, flash memory, or a hard disk drive (HDD). Specifically, the storage unit 20 stores programs (confidential calculation programs) for causing the control unit 10 to execute each of the functions of this embodiment, as well as various CMux Tree data and LUTs, etc.

[0021] The control unit 10 comprises a setting unit 11 and an operation execution unit 12, and by operating these functional units, it evaluates an n-bit discrete function on TFHE using an improved CMux Tree.

[0022] The setting unit 11 replaces the deepest CMux gate with a ciphertext of either a constant 0 or 1, or a constant x or 1-x corresponding to the selector x (the first bit of the discrete function input), for each of the four patterns (00, 11, 01, 10) of the binary string in the lookup table corresponding to this deepest CMux gate.

[0023] The calculation execution unit 12 executes only the CMux gates above the deepest CMux gate that was reduced by the setting unit 11. In this case, the arithmetic execution unit 12 may, in each of the CMux gates above the deepest part, omit the execution of the CMux gate and output one of the two input values ​​from the lower part as is if the binary strings of the LUT corresponding to the CMux gate are equal on the left and right. Furthermore, the arithmetic execution unit 12 may, for each CMux gate above the deepest part, omit the execution of this CMux gate and output the same value as the other CMux gates if other CMux gates with the same binary string of the LUT corresponding to this CMux gate have already been executed.

[0024] Figure 2 shows the algorithm (Reduced CMux Tree) of the secure calculation method implemented in the secure calculation device 1 in this embodiment. Figure 3 shows a specific example of the secure calculation method using this algorithm.

[0025] Here, we show an example of a LUT for one bit of a 4-bit discrete function (n=4), lut=1100101110111010. In Figure 3, for example, when the input x=[x0,x1,x2,x3]=[0,0,0,0], f(x)=1; when x=[1,0,0,0], f(x)=1; and when x=[0,1,0,0], f(x)=0.

[0026] First, the configuration unit 11 replaces the execution of a CMux gate with a depth of n-1 (=3) with the preparation of four LWE ciphertexts (steps 1-5). This is because, even without a CMux gate, the value of the LUT to transition to the next depth (upper level) can be uniquely determined according to the binary pattern of the LUT with length 2. Specifically, the value to be stored in the leaf can be uniquely determined by the binary string pattern (11, 00, 10, ...) when the LUT is divided into two sections from the top. In other words, there are four types of LUT patterns: 00 (always 0 regardless of x0), 01 (equivalent to x0), 10 (inverted x0), and 11 (always 1 regardless of x0), and for each of these, the LWE ciphertexts 0, x0, 1-x0, and 1 should be assigned respectively. Therefore, the configuration unit 11 stores these four types of ciphertexts in the buffer.

[0027] The output of a CMux gate at depth n-2 and beyond is uniquely determined by the binary string of the LUT formed by the subtree rooted in itself. Let this binary string be s (step 8). For example, in the example in Figure 3, at depth n-2 (=2), the CMux gates from top to bottom are s = 1100, 1011, 1011, 1010. If the CMux gate on s has not yet been executed, buffer[s] is empty. In this case, the arithmetic execution unit 12 executes the CMux gate and stores the result in buffer[s] (steps 15-16).

[0028] On the other hand, if a CMux gate has already been executed on s, then buffer[s] will contain the element. In this case, the arithmetic execution unit 12 omits the execution of the CMux gate (steps 11-12).

[0029] Also, divide s in half and s left ,s right When this is done (steps 9-10), s left ,=s right Then (for example, when s = 10¹⁰, s left ,=s right =10), since the LWE ciphertexts of the left and right (two child) nodes are identical, there is no need to execute the CMux gate, and the output is determined. Therefore, in this case as well, the calculation execution unit 12 omits the execution of the CMux gate and sets buffer[s]left ](or buffer[s right Store ]) (steps 13-14).

[0030] At depth i=0, s=lut[0:2 n ]. In other words, s is of length 2 n This is the lut itself, expressed as a string. Then, by executing the CMux gate, the corresponding buffer[s] is set to lut[x0,x1,…,x n-1 Since ] is stored, the calculation execution unit 12 outputs it (step 17).

[0031] This algorithm, for example, in Figure 3, when [x0,x1,x2,x3]=[0,0,1,1] is input, f(0,0,1,1)=1 is output.

[0032] According to this embodiment, the secure arithmetic unit 1 improves upon the conventional CMux Tree, and at depth n-1 (deepest part), the number of CMux gate executions is reduced to 2 compared to the conventional method. n-1 The number of iterations was reduced from one to zero. This eliminated the need for the most costly CMux gate at the deepest part, allowing the secure arithmetic unit 1 to efficiently evaluate any n-bit discrete function on TFHE.

[0033] Furthermore, the secure arithmetic unit 1 omits the execution of the CMux gate when the binary patterns of the LUT are duplicated (left and right are the same) at a depth ni close to the leaves of the CMux Tree, thereby reducing the number of CMux gate executions to 2. n-i The value was replaced with a constant value independent of n. As a result, the secure arithmetic unit 1 was able to significantly reduce the overall cost of the CMux Tree.

[0034] Here, the number of CMux gates that can be omitted can be calculated by counting the number of binary string patterns that require a CMux gate at a depth of ni-1. When i=1, (2 2 ) 2 -2 2 =16-4=12 patterns, when i=2, (2 4 ) 2 -24 =126-16=240 patterns, i is (2 2^i ) 2 -2 2^i This is a pattern, and it increases rapidly with respect to i by exponential multiples of the exponent. On the other hand, as i becomes smaller (shallower depth), the number of nodes in the tree decreases, so the worst-case number of executions for the CMux gate is the minimum of these.

[0035] Figure 4 shows the number of patterns and the number of tree nodes at each depth (i-th layer) of a 32-bit CMux Tree. The total number of CMux gates required for a 32-bit CMux Tree is 2 for a conventional CMux Tree. 0 +2 1 +...+2 31 =2 32 -1 = 4,294,967,295 times (4.2 billion times). On the other hand, in this embodiment, 2 0 +2 1 +...+2 27 +65280+240+12=2 28 -1 + 65532 = 268,500,987 times (260 million times), a significant reduction.

[0036] Furthermore, the secure arithmetic unit 1 omitted the execution of CMux gates at each depth of the CMux Tree by reusing the results of CMux gates at other nodes where the LUT binary pattern was common. As a result, the secure arithmetic unit 1 was able to further reduce the number of CMux gate executions and reduce the overall cost of the CMux Tree.

[0037] Furthermore, this embodiment enables the efficient execution of, for example, secure computations, thereby contributing to Goal 9 of the United Nations-led Sustainable Development Goals (SDGs), "Build resilient infrastructure, promote sustainable industrialization and foster innovation."

[0038] Although embodiments of the present invention have been described above, the present invention is not limited to the embodiments described above. Furthermore, the effects described in the embodiments described above are merely a list of the most preferred effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments.

[0039] The secure calculation method used by the secure calculation device 1 is implemented by software. When implemented by software, the programs constituting this software are installed on an information processing device (computer). These programs may be distributed to users by being recorded on removable media such as a CD-ROM, or by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded. [Explanation of Symbols]

[0040] 1. Confidential computing device 10 Control Unit 11. Settings section 12. Execution Unit 20 Memory section

Claims

1. In the CMux Tree for evaluating discrete functions on TFHE, A setting unit that, instead of the deepest CMux gate, sets a ciphertext of either the constant 0 or 1, or the constant x or 1-x corresponding to the selector x, for each of the four patterns of binary strings in the lookup table corresponding to the deepest CMux gate, A secure arithmetic device comprising: an arithmetic execution unit that executes only CMux gates above the deepest CMux gate;

2. The confidential arithmetic device according to claim 1, wherein the calculation execution unit, in each of the CMux gates above the deepest part, omits the execution of the CMux gate and outputs one of the two input values ​​from the lower part when the binary strings of the lookup table corresponding to the CMux gate are equal on the left and right.

3. The confidential arithmetic device according to claim 1 or 2, wherein the calculation execution unit omits the execution of the CMux gate and outputs the same value as the other CMux gate if the binary string of the lookup table corresponding to the CMux gate has already been executed in each of the CMux gates above the deepest part, and the binary string of the lookup table corresponding to the CMux gate has already been executed.

4. In the CMux Tree for evaluating discrete functions on TFHE, A setting step in which, instead of the deepest CMux gate, a constant 0 or 1, or a constant x or 1-x corresponding to the selector x, is set as the ciphertext for each of the four patterns of binary strings in the lookup table corresponding to the deepest CMux gate, A confidential calculation method in which a computer performs an operation execution step that executes only the CMux gates above the deepest CMux gate.

5. A secure computing program for causing a computer to function as a secure computing device according to claim 1.