Efficient-Fully-Homomorphic-Encryption-from-Standard-LWE (2)

tfhe 全同态白话文
TFHE是Fully Homomorphic Encryption的缩写，全同态加密
的意思是一种特殊的加密方式，它允许在加密状态下进行计算操作，而无需解密数据。

下面我将以白话文的方式解释TFHE全同态加密的
概念。

传统的加密方式，比如对称加密和公钥加密，都需要在解密之
后才能对数据进行计算操作。

这意味着，如果我们想对加密数据进
行计算，就需要先解密数据，然后再进行计算，最后再重新加密。

这样的过程可能会导致数据的安全性受到威胁，因为在解密和计算
的过程中，数据可能会暴露在不安全的环境中。

而全同态加密的概念就是为了解决这个问题而提出的。

全同态
加密允许在加密状态下对数据进行计算操作，而无需解密数据。

这
意味着，在使用全同态加密的情况下，数据可以一直保持加密状态，不会暴露在不安全的环境中。

TFHE是一种实现全同态加密的工具库。

它使用了一种特殊的加
密算法，可以在加密状态下进行各种计算操作，比如加法、乘法、
逻辑运算等。

TFHE的设计目标是高效、安全和可扩展的全同态加密。

全同态加密在实际应用中有很多潜在的用途。

比如，在云计算中，用户可以将数据加密后上传到云端，而云端可以在不解密数据的情况下对其进行计算，从而保护用户数据的隐私性。

另外，全同态加密还可以用于保护机密计算任务的隐私，比如医疗数据分析、金融数据处理等。

总结来说，TFHE是一种实现全同态加密的工具库，全同态加密是一种特殊的加密方式，可以在加密状态下进行计算操作，而无需解密数据。

全同态加密在保护数据隐私和实现安全计算方面具有重要的应用前景。

Vol.48，No.6Jun. 202 1第48卷第6期2 0 2 1年6月湖南大学学报)自然科学版)Journal of Hunan University (Natural Sciences )文章编号：1674-2974(2021 )06-0058-09 DOI ： 10.16339/ki.hdxbzkb.2021.06.009深度优先局艺B 聚合哈希龙显忠g,程成李云12(1.南京邮电大学计算机学院，江苏南京210023；2.江苏省大数据安全与智能处理重点实验室，江苏南京210023)摘 要：已有的深度监督哈希方法不能有效地利用提取到的卷积特征，同时，也忽视了数据对之间相似性信息分布对于哈希网络的作用，最终导致学到的哈希编码之间的区分性不足.为了解决该问题，提出了一种新颖的深度监督哈希方法，称之为深度优先局部聚合哈希(DeepPriority Local Aggregated Hashing , DPLAH ). DPLAH 将局部聚合描述子向量嵌入到哈希网络 中，提高网络对同类数据的表达能力，并且通过在数据对之间施加不同权重，从而减少相似性 信息分布倾斜对哈希网络的影响.利用Pytorch 深度框架进行DPLAH 实验，使用NetVLAD 层 对Resnet18网络模型输出的卷积特征进行聚合，将聚合得到的特征进行哈希编码学习.在CI-FAR-10和NUS-WIDE 数据集上的图像检索实验表明，与使用手工特征和卷积神经网络特征的非深度哈希学习算法的最好结果相比,DPLAH 的平均准确率均值要高出11%，同时，DPLAH 的平均准确率均值比非对称深度监督哈希方法高出2%.关键词：深度哈希学习；卷积神经网络；图像检索；局部聚合描述子向量中图分类号:TP391.4文献标志码:ADeep Priority Local Aggregated HashingLONG Xianzhong 1，覮，CHENG Cheng1,2,LI Yun 1,2(1. School of Computer Science & Technology ,Nanjing University of Posts and Telecommunications ,Nanjing 210023, China ;2. Key Laboratory of Jiangsu Big Data Security and Intelligent Processing ,Nanjing 210023, China )Abstract : The existing deep supervised hashing methods cannot effectively utilize the extracted convolution fea ­tures, but also ignore the role of the similarity information distribution between data pairs on the hash network, result ­ing in insufficient discrimination between the learned hash codes. In order to solve this problem, a novel deep super ­vised hashing method called deep priority locally aggregated hashing (DPLAH) is proposed in this paper, which em ­beds the vector of locally aggregated descriptors (VLAD) into the hash network, so as to improve the ability of the hashnetwork to express the similar data, and reduce the impact of similarity distribution skew on the hash network by im ­posing different weights on the data pairs. DPLAH experiment is carried out by using the Pytorch deep framework. Theconvolution features of the Resnet18 network model output are aggregated by using the NetVLAD layer, and the hashcoding is learned by using the aggregated features. The image retrieval experiments on the CIFAR-10 and NUS - WIDE datasets show that the mean average precision (MAP) of DPLAH is11 percentage points higher than that of* 收稿日期：2020-04-26基金项目：国家自然科学基金资助项目(61906098,61772284),National Natural Science Foundation of China(61906098, 61772284);国家重 点研发计划项目(2018YFB 1003702) , National Key Research and Development Program of China (2018YFB1003702)作者简介:龙显忠(1985—),男，河南信阳人，南京邮电大学讲师，工学博士，硕士生导师覮 通信联系人,E-mail ： *************.cn第6期龙显忠等:深度优先局部聚合哈希59non-deep hash learning algorithms using manual features and convolution neural network features,and the MAP of DPLAH is2percentage points higher than that of asymmetric deep supervised hashing method.Key words:deep Hash learning;convolutional neural network;image retrieval;vector of locally aggregated de-scriptors(VLAD)随着信息检索技术的不断发展和完善，如今人们可以利用互联网轻易获取感兴趣的数据内容，然而，信息技术的发展同时导致了数据规模的迅猛增长.面对海量的数据以及超大规模的数据集，利用最近邻搜索［1(Nearest Neighbor Search,NN)的检索技术已经无法获得理想的检索效果与可接受的检索时间.因此,近年来,近似最近邻搜索［2(Approximate Near­est Neighbor Search,ANN)变得越来越流行,它通过搜索可能相似的几个数据而不再局限于返回最相似的数据，在牺牲可接受范围的精度下提高了检索效率.作为一种广泛使用的ANN搜索技术，哈希方法(Hashing)［3］将数据转换为紧凑的二进制编码(哈希编码)表示，同时保证相似的数据对生成相似的二进制编码.利用哈希编码来表示原始数据，显著减少了数据的存储和查询开销，从而可以应对大规模数据中的检索问题.因此，哈希方法吸引了越来越多学者的关注.当前哈希方法主要分为两类：数据独立的哈希方法和数据依赖的哈希方法，这两类哈希方法的区别在于哈希函数是否需要训练数据来定义.局部敏感哈希(Locality Sensitive Hashing,LSH)［4］作为数据独立的哈希代表，它利用独立于训练数据的随机投影作为哈希函数•相反，数据依赖哈希的哈希函数需要通过训练数据学习出来，因此，数据依赖的哈希也被称为哈希学习，数据依赖的哈希通常具有更好的性能.近年来，哈希方法的研究主要侧重于哈希学习方面.根据哈希学习过程中是否使用标签，哈希学习方法可以进一步分为：监督哈希学习和无监督哈希学习.典型的无监督哈希学习包括:谱哈希［5(Spectral Hashing,SH);迭代量化哈希［6］(Iterative Quantization, ITQ);离散图哈希［7(Discrete Graph Hashing,DGH);有序嵌入哈希［8］(Ordinal Embedding Hashing,OEH)等.无监督哈希学习方法仅使用无标签的数据来学习哈希函数，将输入的数据映射为哈希编码的形式.相反,监督哈希学习方法通过利用监督信息来学习哈希函数,由于利用了带有标签的数据,监督哈希方法往往比无监督哈希方法具有更好的准确性，本文的研究主要针对监督哈希学习方法.传统的监督哈希方法包括：核监督哈希［9］(Su­pervised Hashing with Kernels,KSH);潜在因子哈希［10］(Latent Factor Hashing,LFH);快速监督哈希［11］(Fast Supervised Hashing,FastH);监督离散哈希［1(Super-vised Discrete Hashing,SDH)等.随着深度学习技术的发展［13］,利用神经网络提取的特征已经逐渐替代手工特征，推动了深度监督哈希的进步.具有代表性的深度监督哈希方法包括:卷积神经网络哈希［1(Con­volutional Neural Networks Hashing,CNNH);深度语义排序哈希［15］(Deep Semantic Ranking Based Hash-ing,DSRH);深度成对监督哈希［16］(Deep Pairwise-Supervised Hashing,DPSH);深度监督离散哈希［17］(Deep Supervised Discrete Hashing,DSDH);深度优先哈希［18］(Deep Priority Hashing,DPH)等.通过将特征学习和哈希编码学习(或哈希函数学习)集成到一个端到端网络中，深度监督哈希方法可以显著优于非深度监督哈希方法.到目前为止，大多数现有的深度哈希方法都采用对称策略来学习查询数据和数据集的哈希编码以及深度哈希函数.相反，非对称深度监督哈希［19］(Asymmetric Deep Supervised Hashing,ADSH)以非对称的方式处理查询数据和整个数据库数据，解决了对称方式中训练开销较大的问题，仅仅通过查询数据就可以对神经网络进行训练来学习哈希函数，整个数据库的哈希编码可以通过优化直接得到.本文的模型同样利用了ADSH的非对称训练策略.然而，现有的非对称深度监督哈希方法并没有考虑到数据之间的相似性分布对于哈希网络的影响,可能导致结果是:容易在汉明空间中保持相似关系的数据对,往往会被训练得越来越好;相反,那些难以在汉明空间中保持相似关系的数据对，往往在训练后得到的提升并不显著.同时大部分现有的深度监督哈希方法在哈希网络中没有充分有效利用提60湖南大学学报(自然科学版)2021年取到的卷积特征.本文提出了一种新的深度监督哈希方法，称为深度优先局部聚合哈希(Deep Priority Local Aggre­gated Hashing,DPLAH).DPLAH的贡献主要有三个方面:1)DPLAH采用非对称的方式处理查询数据和数据库数据，同时DPLAH网络会优先学习查询数据和数据库数据之间困难的数据对，从而减轻相似性分布倾斜对哈希网络的影响.2)DPLAH设计了全新的深度哈希网络，具体来说,DPLAH将局部聚合表示融入到哈希网络中，提高了哈希网络对同类数据的表达能力.同时考虑到数据的局部聚合表示对于分类任务的有效性.3)在两个大型数据集上的实验结果表明，DPLAH在实际应用中性能优越.1相关工作本节分别对哈希学习［3］、NetVLAD［20］和Focal Loss［21］进行介绍.DPLAH分别利用NetVLAD和Fo­cal Loss提高哈希网络对同类数据的表达能力及减轻数据之间相似性分布倾斜对于哈希网络的影响. 1.1哈希学习哈希学习［3］的任务是学习查询数据和数据库数据的哈希编码表示，同时要满足原始数据之间的近邻关系与数据哈希编码之间的近邻关系相一致的条件.具体来说，利用机器学习方法将所有数据映射成{0,1}r形式的二进制编码(r表示哈希编码长度)，在原空间中不相似的数据点将被映射成不相似)即汉明距离较大)的两个二进制编码，而原空间中相似的两个数据点将被映射成相似(即汉明距离较小)的两个二进制编码.为了便于计算，大部分哈希方法学习{-1,1}r形式的哈希编码，这是因为{-1,1}r形式的哈希编码对之间的内积等于哈希编码的长度减去汉明距离的两倍，同时{-1,1}r形式的哈希编码可以容易转化为{0,1}r形式的二进制编码.图1是哈希学习的示意图.经过特征提取后的高维向量被用来表示原始图像，哈希函数h将每张图像映射成8bits的哈希编码,使原来相似的数据对(图中老虎1和老虎2)之间的哈希编码汉明距离尽可能小，原来不相似的数据对(图中大象和老虎1)之间的哈希编码汉明距离尽可能大.h（大象）=10001010h（老虎1）=01100001h（老虎2）=01100101相似度尽可能小相似度尽可能大图1哈希学习示意图Fig.1Hashing learning diagram1.2NetVLADNetVLAD的提出是用于解决端到端的场景识别问题［20(场景识别被当作一个实例检索任务),它将传统的局部聚合描述子向量(Vector of Locally Aggre­gated Descriptors,VLAD［22］)结构嵌入到CNN网络中，得到了一个新的VLAD层.可以容易地将NetVLAD 使用在任意CNN结构中，利用反向传播算法进行优化，它能够有效地提高对同类别图像的表达能力，并提高分类的性能.NetVLAD的编码步骤为：利用卷积神经网络提取图像的卷积特征;利用NetVLAD层对卷积特征进行聚合操作.图2为NetVLAD层的示意图.在特征提取阶段,NetVLAD会在最后一个卷积层上裁剪卷积特征，并将其视为密集的描述符提取器，最后一个卷积层的输出是H伊W伊D映射，可以将其视为在H伊W空间位置提取的一组D维特征,该方法在实例检索和纹理识别任务［23別中都表现出了很好的效果.NetVLAD layer（KxD）x lVLADvectorh------->图2NetVLAD层示意图⑷Fig.2NetVLAD layer diagram1201NetVLAD在特征聚合阶段，利用一个新的池化层对裁剪的CNN特征进行聚合，这个新的池化层被称为NetVLAD层.NetVLAD的聚合操作公式如下：NV((，k)二移a(x)(血⑺-C((j))(1)i=1式中:血(j)和C)(j)分别表示第i个特征的第j维和第k个聚类中心的第j维；恣&)表示特征您与第k个视觉单词之间的权.NetVLAD特征聚合的输入为：NetVLAD裁剪得到的N个D维的卷积特征,K个聚第6期龙显忠等:深度优先局部聚合哈希61类中心.VLAD的特征分配方式是硬分配,即每个特征只和对应的最近邻聚类中心相关联，这种分配方式会造成较大的量化误差，并且，这种分配方式嵌入到卷积神经网络中无法进行反向传播更新参数.因此,NetVLAD采用软分配的方式进行特征分配，软分配对应的公式如下：-琢II Xi-C*II 2=—e(2)-琢II X-Ck，II2k，如果琢寅+肄,那么对于最接近的聚类中心,龟&)的值为1,其他为0.aS)可以进一步重写为：w j X i+b ka(x i)=—e-)3)w J'X i+b kk，式中:W k=2琢C k；b k=-琢||C k||2.最终的NetVLAD的聚合表示可以写为：N w；x+b kv(j，k)=移—----(x(j)-Ck(j))(4)i=1w j.X i+b k移ek，1.3Focal Loss对于目标检测方法,一般可以分为两种类型:单阶段目标检测和两阶段目标检测,通常情况下，两阶段的目标检测效果要优于单阶段的目标检测.Lin等人［21］揭示了前景和背景的极度不平衡导致了单阶段目标检测的效果无法令人满意,具体而言，容易被分类的背景虽然对应的损失很低，但由于图像中背景的比重很大,对于损失依旧有很大的贡献,从而导致收敛到不够好的一个结果.Lin等人［21］提出了Fo­cal Loss应对这一问题，图3是对应的示意图.使用交叉爛作为目标检测中的分类损失，对于易分类的样本,它的损失虽然很低，但数据的不平衡导致大量易分类的损失之和压倒了难分类的样本损失,最终难分类的样本不能在神经网络中得到有效的训练.Focal Loss的本质是一种加权思想，权重可根据分类正确的概率p得到，利用酌可以对该权重的强度进行调整.针对非对称深度哈希方法，希望难以在汉明空间中保持相似关系的数据对优先训练,具体来说,对于DPLAH的整体训练损失，通过施加权重的方式,相对提高难以在汉明空间中保持相似关系的数据对之间的训练损失.然而深度哈希学习并不是一个分类任务,因此无法像Focal Loss一样根据分类正确的概率设计权重，哈希学习的目的是学到保相似性的哈希编码，本文最终利用数据对哈希编码的相似度作为权重的设计依据具体的权重形式将在模型部分详细介绍.正确分类的概率图3Focal Loss示意图［21】Fig.3Focal Loss diagram12112深度优先局部聚合哈希2.1基本定义DPLAH模型采用非对称的网络设计.Q={0},=1表示n张查询图像,X={X i}m1表示数据库有m张图像；查询图像和数据库图像的标签分别用Z={Z i},=1和Y ={川1表示；i=［Z i1，…,zj1,i=1，…,n;c表示类另数；如果查询图像0属于类别j,j=1，…,c;那么z”=1,否则=0.利用标签信息，可以构造图像对的相似性矩阵S沂{-1,1}"伊”,s”=1表示查询图像q,和数据库中的图像X j语义相似,S j=-1表示查询图像和数据库中的图像X j语义不相似.深度哈希方法的目标是学习查询图像和数据库中图像的哈希编码，查询图像的哈希编码用U沂{-1,1}""，表示,数据库中图像的哈希编码用B沂{-1,1}m伊r表示，其中r表示哈希编码的长度.对于DPLAH模型,它在特征提取部分采用预训练好的Resnet18网络［25］.图4为DPLAH网络的结构示意图，利用NetVLAD层聚合Resnet18网络提取到的卷积特征，哈希编码通过VLAD编码得到，由于VLAD编码在分类任务中被广泛使用，于是本文将NetVLAD层的输出作为分类任务的输入，利用图像的标签信息监督NetVLAD层对卷积特征的利用.事实上，任何一种CNN模型都能实现图像特征提取的功能，所以对于选用哪种网络进行特征学习并不是本文的重点.62湖南大学学报(自然科学版)2021年conv1图4DPLAH结构Fig.4DPLAH structure图像标签soft-max1,0,1,1,0□1,0,0,0,11,1,0,1,0---------*----------VLADVLAD core)c)l・>:i>数据库图像的哈希编码2.2DPLAH模型的目标函数为了学习可以保留查询图像与数据库图像之间相似性的哈希编码，一种常见的方法是利用相似性的监督信息S e{-1,1}n伊"、生成的哈希编码长度r,以及查询图像的哈希编码仏和数据库中图像的哈希编码b三者之间的关系[9],即最小化相似性的监督信息与哈希编码对内积之间的L损失.考虑到相似性分布的倾斜问题，本文通过施加权重来调节查询图像和数据库图像之间的损失，其公式可以表示为：min J=移移(1-w)(u T b j-rs)专,B i=1j=1s.t.U沂{-1,1}n伊r,B沂{-1,1}m伊r,W沂R n伊m(5)受FocalLoss启发,希望深度哈希网络优先训练相似性不容易保留图像对，然而Focal Loss利用图像的分类结果对损失进行调整，因此，需要重新进行设计，由于哈希学习的目的是为了保留图像在汉明空间中的相似性关系，本文利用哈希编码的余弦相似度来设计权重,其表达式为：1+。

全同态加密技术的历史、发展和数学理论一、前言完全同态加密（Fully Homomorphic Encryption，FHE）技术是近年来迅猛发展的一项重要技术，是对外部数据和算法进行加密，保护数据隐私的一种技术。

它可以在加密的数据上进行全部的计算，而不会暴露其本质，为数据隐私保密提供了新的保障方法。

二、历史发展1. 1978年，G.R.Blakleyne在“计算机世界”杂志发表了“多轮密码”算法，这是完全同态加密技术的先声。

2. 2009年，A.Gentry提出了完全同态加密，设计出了完全同态加密系统，也是完全同态加密发展的重要标志。

3. 2016年，通过对完全同态加密技术的实验证明，完全同态加密技术取得了显著的研究成果，突破原来的局限。

4. 2018年至今，完全同态加密技术的应用及其发展逐渐受到誉和，已成为保护数据隐私的重要手段。

三、数学理论完全同态加密技术是基于困难猜测分离问题（Guessable Separation Problem，GSP）以及困难中间性质（Hard Middle Problem，HMP）的数学研究。

GSP问题指的是给定的钥匙只能用有限试探的方式猜出钥匙的明文内容。

HMP问题则是在一定范围内改变钥匙的内容，以及钥匙本身的数据进行破解，也就是给定的一组数据，需要找出中间的一个数字研究，当改变这个数字的大小即可破解钥匙，这就是HMP问题。

有了上述理论研究，完全同态加密就实现了在全加密的状态下，完成对加密数据的算法运算，而不必暴露原有的数据，从而保证了数据的隐私，使完全同态加密技术得以应用于人们的日常生活中。

四、结论完全同态加密技术在近几年发展迅猛，已成为数据隐私保护的有效手段。

它的基础理论是困难猜测分离问题（GSP）与中间性质问题（HMP），使我们能够对加密的数据进行猜测分离和中间计算，保护数据的隐私，更好的服务人们的日常生活。

encryptedEncryptedIntroduction:In today's digital age, the security and confidentiality of personal and sensitive data have become a top priority. One of the most effective methods utilized for safeguarding data is encryption. Encryption refers to the process of converting plain text or data into an unreadable format, known as ciphertext. This method ensures that even if unauthorized individuals gain access to the data, they would not be able to comprehend or utilize it without the appropriate decryption key.Understanding Encryption:Encryption works on the principle of using a complex algorithm to scramble the original data into ciphertext. The algorithm is essentially a mathematical function that performs numerous iterations on the data, making it extremely difficult to reverse-engineer and decipher the original information. The only way to access the informationis by using the corresponding decryption key, which reverses the encryption process and transforms the ciphertext back into its original form.Types of Encryption:There are various types of encryption techniques employed today, including symmetric key encryption, asymmetric key encryption, and hashing algorithms.1. Symmetric Key Encryption:Symmetric key encryption, also known as secret key encryption, utilizes the same secret key for both encryption and decryption processes. The key is shared between the sender and receiver, ensuring that both parties can access and understand the encrypted data. However, the challenge lies in securely exchanging the key without intercepting it by unauthorized individuals.2. Asymmetric Key Encryption:Asymmetric key encryption, also referred to as public-key encryption, involves the use of two different keys – public key and private key. The public key is freely available to anyone, while the private key remains confidential and is only knownto the recipient. The sender encrypts the message using the recipient's public key, and the recipient decrypts it using their private key. Asymmetric key encryption eliminates the need for securely exchanging keys, as the private key remains securely with the recipient.3. Hashing Algorithms:Hashing algorithms are a type of encryption that produces a fixed-size string of characters, known as a hash value, from any input data. This hash value is unique to the specific input data. Hashing algorithms are commonly used for data integrity verification and password storage. However, unlike symmetric and asymmetric key encryption, hashing algorithms are one-way, meaning they cannot be reversed to obtain the original data.Applications of Encryption:Encryption is extensively used in various domains to protect confidential data and ensure privacy. Some of the notable applications include:1. Secure Communication:Encryption is employed in securing emails, instant messages, and internet browsing. It ensures that the content transmitted between parties remains confidential and could only be accessed by the intended recipient.2. Data Storage and Cloud Security:Encryption is crucial for safeguarding sensitive data stored on local devices or in cloud storage services. It prevents unauthorized access to personal files, financial information, and other confidential records.3. E-commerce and Online Transactions:Encryption plays a pivotal role in online transactions, such as banking, e-commerce, and online payment systems. It ensures that sensitive financial data, including credit card details and passwords, are protected during transmission.4. Password Protection:Encryption is utilized to store user passwords securely. Password hashing algorithms ensure that even if the password database is compromised, it is nearly impossible for attackers to decipher the original passwords.Challenges of Encryption:While encryption techniques are highly effective, they are not without challenges. Some of the common challenges associated with encryption include:1. Key Management:Encryption requires secure key management techniques to ensure the confidentiality of the keys. Safely storing and sharing keys can be complex and demanding, especially in situations involving large-scale encryption.2. Performance Impact:Encryption introduces a performance overhead due to the computational resources required to perform the encryption and decryption processes. This can be a concern in situations where real-time data processing is required.3. Quantum Computing Threat:The advent of quantum computers poses a potential threat to current encryption methods. Quantum computers have the capability to break some of the existing encryption algorithms, necessitating the development of quantum-resistant encryption techniques.Conclusion:Encryption is a vital component of modern data security, providing a robust defense against unauthorized access and data breaches. By implementing encryption techniques such as symmetric key encryption, asymmetric key encryption, and hashing algorithms, sensitive information can be kept confidential and private. The continued advancements in encryption technologies are essential to stay ahead of potential threats and ensure the protection of critical data in today's digital world.。

第35卷第4期电子与信息学报Vol.35No.4 2013年4月Journal of Electronics & Information Technology Apr. 2013一种基于LWE问题的无证书全同态加密体制光焱*顾纯祥祝跃飞郑永辉费金龙(信息工程大学网络空间安全学院郑州 450002)摘要：全同态加密在云计算等领域具有重要的应用价值，然而，现有全同态加密体制普遍存在公钥尺寸较大的缺陷，严重影响密钥管理与身份认证的效率。

为解决这一问题，该文将无证书公钥加密的思想与全同态加密体制相结合，提出一种基于容错学习(LWE)问题的无证书全同态加密体制，利用前像可采样陷门单向函数建立用户身份信息与公钥之间的联系，无须使用公钥证书进行身份认证；用户私钥由用户自行选定，不存在密钥托管问题。

体制的安全性在随机喻示模型下归约到判定性LWE问题难解性，并包含严格的可证安全证明。

关键词：全同态加密；无证书公钥加密；容错学习问题；前像可采样陷门单向函数中图分类号：TP309 文献标识码：A 文章编号：1009-5896(2013)04-0988-06 DOI: 10.3724/SP.J.1146.2012.01102Certificateless Fully Homomorphic Encryption Based on LWE ProblemGuang Yan Gu Chun-xiang Zhu Yue-fei Zheng Yong-hui Fei Jin-long(Institute of Cyberspace Security, Information Engineering University, Zhengzhou 450002, China)Abstract: Fully homomorphic encryption has important application in cloud computing. However, the existing fully homomorphic encryption schemes share a common flaw that they all use public keys of large scales. And this flaw may cause inefficiency of these schemes in the key and identity management. To solve this problem, a certificateless fully homomorphic encryption scheme is presented based on Learning With Errors (LWE) problem.The scheme builds the connection between the user’s identity and its public key with the trapdoor one-way function with preimage sampling so that the certificates are no longer necessary. The private keys are chosen by the users without key escrow. In the random oracle model, the security of the scheme strictly reduces to hardness of decisional LWE problem.Key words:Fully homomorphic encryption; Certificateless public-key encryption; Learning With Errors (LWE) problem; Trapdoor one-way function with preimage sampling1引言全同态加密又称隐私同态[1]，其思想源自RSA 公钥加密所具备的乘法同态特性：将同一公钥加密下的若干密文相乘，乘积解密所得的明文恰好等于原密文各自对应明文的乘积。

密码科技算法
密码科技算法是一种用于保护数据安全和隐私的技术手段。

它使用特定的数学和计算方法，将原始数据转化为密文，以防止未经授权的访问和篡改。

密码科技算法包括对称加密算法、非对称加密算法和哈希算法等。

对称加密算法使用同一个密钥进行加密和解密，常见的对称加密算法有DES、AES等。

它们适用于需要高效加密和解密的场景，但密钥的传递和管理可能存在一定的安全风险。

非对称加密算法使用一对不同的密钥，分别为公钥和私钥。

公钥可以公开分享给他人，而私钥则保密。

常见的非对称加密算法有RSA、Diffie-Hellman等。

非对称加密算法常用于数字签名、密钥交换等场景，能够提供更好的安全性。

哈希算法将任意长度的输入数据转化为固定长度的输出值，称为哈希值。

常见的哈希算法有MD5、SHA-1、SHA-256等。

哈希算法主要用于数据完整性验证和密码存储等场景，不可逆的特性使得哈希算法在密码学中具有重要作用。

密码科技算法的选择应根据具体的安全需求和使用场景来决定，常见的应用包括网络通信安全、数据存储安全、身份认证等。

同时，在实际应用中还需要注意密钥的安全管理、算法的强度和可靠性等方面的问题，以确保数据的安全性。

一种基于LWE的BGN加密及门限加密方案李菊雁;马春光;袁琪【摘要】The BGN (Boneh-Goh-Nissim) cryptosystem is a cryptosystem that permits arbitrary number of additions and one multiplication of ciphertext without growing the size of ciphertext. The scheme of BGV12 is a fully homomorphic encryption from (G)LWE which needs key switching, modulus switching and other technologies for the multiplicative homomorphism. This paper describes a BGN scheme based on BGV12. Although our constructed scheme only permits one multiplication, it does not need other technologies, so it is more efficient. Comparing with the scheme of GVH10, our scheme has better size of parameter. In addition, we extend our scheme to a threshold encryption scheme, which allows parties to cooperatively decrypt a ciphertext without learning anything but the plaintext, and can be protected from related-key attacks.%BGN加密方案是指允许密文任意次加法和一次乘法运算的加密方案,并且在密文的运算中,密文的规模没有增长.BGV12加密方案是基于(G)LWE的全同态加密方案,为了实现乘法同态,需要用到密钥交换、模转换等技术.该文在BGV12基础上构造了一种BGN加密方案.虽然只能支持密文的一次乘法运算,但不需要其他技术的支持,因而更快捷.与GVH10加密方案相比,有更好的参数规模.此外,将BGN加密方案扩展成一种门限加密方案,该门限加密方案同样允许所有参与者共同解密一个密文而没有泄露明文的任何信息,并且能抵抗密钥泄露攻击.【期刊名称】《电子科技大学学报》【年(卷),期】2018(047)001【总页数】5页(P95-98,111)【关键词】BGN加密;密钥同态;LWE问题;门限加密【作者】李菊雁;马春光;袁琪【作者单位】哈尔滨工程大学计算机科学与技术学院哈尔滨 150001;哈尔滨工程大学计算机科学与技术学院哈尔滨 150001;中国科学院信息工程研究所信息安全国家重点实验室北京西城区 100093;哈尔滨工程大学计算机科学与技术学院哈尔滨 150001;齐齐哈尔大学通信与电子工程学院黑龙江齐齐哈尔 161006【正文语种】中文【中图分类】TN918基于容错学习(learning with error problem, LWE)的密码是一类备受关注的抗量子计算攻击的公钥密码体制[1]。

doi ：10.3969/j.issn.1671-1122.2014.05.016可计算密文加密体制研究杨晨，游林（杭州电子科技大学密码与信息安全研究所，浙江杭州310018）摘要：可计算密文加密体制是指对密文可以进行的一系列指定函数运算的加密体制，与传统加密体制最大的不同是加密后的密文不再是“混乱”的，而是具有某些隐含关系，其可成为某些特定函数的有效输入并且经过函数计算后可成为用户的有效信息。

由于可直接对密文进行操作，可计算密文加密体制在保证信息机密性的前提下大大提高了信息的可用性效率，已经成为现代公钥密码学研究的热点方向。

文章对谓词加密、全同态加密、函数加密3 类可计算密文加密技术做了具体概述，介绍了各类可计算密文加密体制的关系，分析了可计算密文加密体制的计算隐私与应用要求，为以后研究可计算密文加密技术提供了指导。

关键词：可计算密文加密；函数加密；全同态加密；谓词加密中图分类号：TP309 文献标识码：A文章编号：1671-1122（2014）05-0078-04Research on the Cipher Computable Encryption SystemYANG Chen, YOU Lin(Institute of Cryptography and Information Security, Hangzhou Dianzi University, Hangzhou Zhejiang310018,China)Abstract: Cipher computable encryption system refers to a series of designated functional operation which can be performed on encrypted data. The biggest difference with the traditional encryption system is the ciphertext is nolonger "chaos", but has some hidden relations. The ciphertext can be the input of specific function and after functioncalculates the encrypted input, the output can become the effective information of users. Due to the direct computationon encrypted data, cipher compu table encryption system greatly improves the efficiency of the availability ofinformation under the encrypted condition, it has become the hot direction of modern public key cryptographyresearch. This paper gives the detailed overview on three cipher computable encryption schemes of the predicateencryption, fully homomorphic encryption and functional encryption, introducing relations among different ciphercomputable encryption systems, analyzing the function privacy and application requirements about practical ciphercomputable encryption system and providing guidance for future r esearch.Key words: ciph er comp utable en crypt ion; f un ction al encryption; f ully homom orph ic en crypt ion;predicate encryption0 引言越来越多的个人用户把自己的数据存放在第三方服务器上，如个人邮件、网络硬盘等，但第三方服务器并不总是可信的，为了保护隐私，用户不得不把自己的数据进行加密。

密码学高级算法
一些常见的密码学高级算法包括：
1. 高级加密标准（Advanced Encryption Standard，AES）：一种对称密钥加密算法，用于替代DES加密算法。

2. 椭圆曲线密码学（Elliptic Curve Cryptography，ECC）：一种非对称密钥加密算法，具有相同的安全性能却使用更短的密钥。

3. 公钥基础设施（Public Key Infrastructure，PKI）：用于建立和管理公钥密码体系结构，包括数字证书、证书颁发机构等。

4. RSA加密算法：一种非对称密钥加密算法，广泛用于数据加密和数字签名中。

5. Diffie-Hellman密钥交换：一种协议，用于在通信双方之间安全地共享密码。

6. 密码哈希函数（Cryptographic Hash Function）：用于将数据转换为固定长度的哈希值，常用于密码验证和数字签名中。

7. 高级消息认证码（HMAC）：一种用于验证消息完整性和真实性的算法，结合了密钥和哈希函数。

8. 蜜罐技术（Honeypot）：一种诱骗黑客攻击的虚拟环境，用于收集攻击者的信息和行为。

以上只是一些常见的密码学高级算法，随着技术的不断发展，还会涌现出更多新的算法。

高效零知识证明及其应用
高效零知识证明（Efficient Zero-Knowledge Proofs）是一种密码学技术，用于证明某个陈述是正确的，同时不泄露任何关于陈述的具体信息，即不泄露任何有关于证明的知识。

它是一种交互式的协议，其中证明者试图说服验证者某个陈述是真实的，而验证者只会接受正确的陈述，但不能得知任何关于陈述的具体信息。

高效零知识证明具有以下应用领域：
1. 加密货币：在加密货币领域，高效零知识证明用于保护隐私和匿名性。

例如，Zcash就使用了零知识证明技术，允许用户进行匿名交易，同时保持交易的可验证性。

2. 身份认证：高效零知识证明可用于身份认证系统，例如在无需披露敏感信息的情况下证明自己的年龄、资格或其他身份属性。

3. 数据隐私保护：零知识证明可用于验证某些数据的属性而不泄露实际数据本身。

例如，可以证明某个数字在一个范围内而不泄露具体数字。

4. 零知识密码学：高效零知识证明可用于构建各种零知识密码学协议，如零知识交互式证明、零知识证明的紧凑性和零知识证明的可组合性等。

总之，高效零知识证明在保护隐私和数据完整性的同时，提供了一种有效的方式来证明某个陈述的真实性，而不需要披露具
体的信息，因此在密码学、隐私保护和身份认证等领域具有广泛的应用潜力。

Protecting Data Confidentiality in Cloud SystemsLi Tao, Ye Xiaojun, Wang JianminSchool of SoftwareTsinghua UniversityBeijing, 100084,Chinalitao006@, {yexj,jimwang}@ABSTRACTTo achieve a trustworthy cloud data service, there is a need to both provide the right services from a security engineering perspective, as well as to allows specific types of computations to be carried out on encrypted cloud data. However, traditional encryption solutions can’t be used to process outsourcing encrypted data hosting to an untrusted cloud provider. A novel encryption scheme, called fully homomorphic encryption (FHE), could afford the circuit ability over encrypted data without decrypting it. In this paper, we deliver a universal construction framework for fully homomorphic encryption schemes. At first, this framework initializes a somewhat homomorphic encryption scheme based on the concept of metric space in abstract algebra which encodes the plaintext into a offset vector and generates a ciphertext by adding theo ffset vector to a random eigenvector in the metric space. As an abelian group, the ring is closed under addition and multiplication, this abstract algebra assume the metric space could forma ring and the eigenvectors belong to an ideal of this ring, then this framework could achieve homomorphism by having the scheme live in rings. We also deduce some well-known fully homomorphic schemes from the construction framework, and propose a prototype with an FHE encryption proxy to solve confidentiality problems in cloud systems. At last, we show the performance of FHE with some experiments, and speed the performance of fully homomorphic encryption up with cloud computing (parallel computing, distribute computing, etc.).We also discuss some opening issues and directions for future fully homomorphic encryption researches. Categories and Subject DescriptorsH.2.3[-Information Systems]: Database Management –database security, data encryption, cloud data managementGeneral TermsSecurityKeywordsCloud Computing Security; Fully Homomorphic Encryption; Circuit Privacy; Ring; Ideal1.INTRODUCTIONInternetware, as a cloud computing scenario, is envisioned as a new software paradigm for resource integration and sharing in the open, dynamic and autonomous network environment[1]. Computing resources can be dynamically configured to adjust to a variable load (scale), allowing also for optimum resource utilization in the Internetware. The emerging cloud computing abstracts the Internetware infrastructure complexities of servers, applications, data, heterogeneous platforms, and enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned andreleased with minimal management efforts or service provider interactions. However, Internetware users lose the physical control of these computing resources in the cloud computing environment, and this reveals more security and privacy risks forthe data resources managed by cloud systems[2].The security objective is to guarantee data confidentiality, integrity and availability in data processing systems. Moreover,storing privacy sensitive data, such as medical data, financial records or high impact business data, etc., unencrypted in the cloud infrastructure may be illegal. So, symmetric and asymmetric cryptography have been used to provide data confidentiality andprivacy in outsourcing database systems. These traditional encryption solutions could be used to provide confidentiality by concealing information of plaintexts behind unrecognized ciphertexts. However, encryption schemes render user data andmake others lose the ability to operate directly on it, such as various queries or statistic analysis on encrypted data[3][4]. There is therefore a large challenges lying in the tension between data confidentiality and availability in encryption scheme. Encryptingdata with a strong cryptosystem, such as AES, could enhance the data confidentiality, but would prevent cloud users from executing efficient operations over encrypted data, which leads to low convenience. For example, how could data owners invoke statistical analysis applications on encrypted data stored in cloudstorage without ever decrypting it? Usually encrypted data must be decrypted before their processing; however, data owners won’t reveal any information of their confidential data, including decryption keys, to data users (manipulators), theservice/application providers. Is it possible to manipulate encrypted data without decrypting it?Fortunately, there’re some homomorphic schemes to support transparent data encryption and decryption to cloud/internetware users: anyone can manipulate encrypted data even without knowing their decryption keys[5]. In these homomorphicencryption schemes, given ciphertexts that encrypts plaintexts , one could accomplish the computing function f over the plaintexts by computing the function g over ciphertexts. In general, this scheme maps the function to another function, and no informationabout and is compromised. Moreover, fully homomorphic schemes support any operations over the encrypted data[6]. Image that data owner gets his data encrypted under fullyhomomorphic encryption scheme, and anyone could apply any function f over the plaintext by computing corresponding homomorphic function g over its ciphertext, but only the data owner (secret key holder) can know the result of the function after he decrypts the output of function g.The fully homomorphic encryption scheme is capable of processing the encrypted data and then bringing back the data into its original form. It could be the perfect solution for security and privacy issues for cloud data storage, transmission and manipulation[2,3]. In this paper we propose a universal construction framework for fully homomorphic encryption scheme producing with two key works as follow:First, we propose an abstract encryption scheme in abstract algebra metric space, then we base the model on rings and ideals to achieve somewhat homomorphism, and we finally can gain a construction framework for fully homomorphic encryption scheme producingbased on the method of bootstrapping[6]. We also analyse the security issues of this construction framework. At last, we deduce some available fully homomorphic encryption scheme from the construction framework with some specified algebraic structures.Second, we sketch out a prototype which could protect data confidentiality in cloud systems. This prototype brings in a fully homomorphic encryption proxy among data owners, cloud storage providers and cloud services/applications. Data owners write/read data into/from cloud storage through the encryption proxy, which makes sure the data remain encrypted in the cloud storage. A novel idea is that the data owner still could invoke other cloud services/applications to manipulate the encrypted data in cloud storage. When the cloud service/application tries to apply operation f on plaintexts, it asks the encryption proxy to map the operation f to another operation g over ciphertexts. After the description of the architecture, implementation and performance is illustrated in details.This paper is organized as follows. We’ll describe the fully homomorphic encryption framework in the Section 2.1 step by step. In 2.1.1 we’ll address a construction framework based on abstract metric space, and in Section 2.1.2 we’ll have the construction framework in ring and ideal to achieve homomorphism. We’ll describe the idea of bootstrapping in Section 2.1.3. We discuss the security of this construction framework in Section 2.2. In Section 2.3 we specify the ring in the framework with integer ring, and get an available fully homomorphic encryption scheme over the integers. In Section 3.1 we address the security problem in the cloud scenario among data owner, cloud storage system, and cloud service/application, and illustrate a prototype with FHE proxy to guarantee the security in Section 3.2. We also show how to use cloud computing to speed up the FHE scheme in Section 3.3. At last, we do some performance experiments about FHE in Section 4.2.FULLY HOMOMORHPIC ENCRYPTIONIn mathematics, homomorphism is a structure-preserving map between two algebraic structures. Given two algebraic set G,H, the map function between the two set (namely,), and its reverse function, the algebraic system is homomorphism for operation set C, only if for any operation there is a corresponding operation that holds. Thus a homomorphic crypto-system could be described as a tuple, where G and H denote the plaintext space and ciphertext space, and denote the encryption and decryption function, C denotes permitted operations on G (Shortly we take a homomorphic crypto-system as).This useful homomorphism in crypto-systems, originally called privacy homomorphism, wasintroduced by the RSA inventor Rivest, Adleman and Dertouzos[5]. The basic RSA is a multiplicatively homomorphic encryption scheme –i.e., given RSA public key pk=(N,e) andciphertexts, if we compute the product of ciphertexts, ∏∏, we’ll gladly find that it’s totally a ciphertext that encrypt the product of the corresponding plaintexts. Such encryption scheme could map theoperation multiplication over plaintexts to multiplication (generally it may be another operation) over corresponding ciphertexts. If one has his data encrypted with basic RSA and wants to perform multiplication over plaintexts without decrypt the ciphertext, he could do this by computing the product of ciphertext directly! RSA’s multiplicative homomorphism is an accidental but useful property, that led Rivest propose an open question: Is there one encryption scheme could achieve full homomorphism, namely in the encryption schemeif there is an efficientalgorithm, which could map any circuit over plaintexts to another operation over ciphertexts.Therefore, different from traditional encryption schemes, ahomomorphic public key encryption scheme not only has three basic algorithms, key generation algorithm, encryption algorithm, and decryption algorithm, but also holds an additional algorithm that could map operations over plaintexts to another functions over ciphertexts and takes the public key pk, a circuit C and a tuple of ciphertexts as input and outputs a ciphertext.can be explained as homomorphically doing operation C on ciphertext . If data is encrypted under scheme and one wants to perform circuit C over plaintext without decrypting the encrypted data, he could accomplish this by directly computing, however, the result ofis actually a ciphertext which encrypts the result of. This algorithm enables manipulations over encrypted data without decrypting it. Now, a scheme is homomorphic for circuits in, if and only if for any key pair (sk,pk) generated by , any plaintexts , and the corresponding ciphertexts it holds:( )If the circuit set in homomorphic scheme contains all circuits, scheme is a fully homomorphic scheme, otherwise, it’s a somewhat homomorphic scheme for circuits in[6].In the next sections, we use ring and ideal theory to propose a construction framework for fully homomorphic encryption producing. If the abstract ring and ideal in the construction framework is specified with available ring and ideal (i.e. integer ring), this construction framework could produce a fresh fully homomorphic encryption scheme.2.1Construction FrameworkWe describe the construction model in the order how to actually achieve a fully homomorphic encryption scheme. First, we address a basic and general encryption scheme in the metric space.A metric space is a basic algebraic space with the distance defined.Next, as ring is a closed algebraic structure that holdshomomorphism, we extend the encryption scheme to ring and ideal, and make the scheme somewhat homomorphic. At last, wedescribe how to achieve a fully homomorphic encryption schemeby bootstrapping[6].In the following, we consider the plaintext space is {0,1}, and the circuits are Boolean operation on , because all the data types could be expressed as , and all the operations inTuring Machine could be represented as a polynomial function of Boolean circuit over , i.e. addition on integer could be accomplished by an adder, which requires the homomorphicencryption scheme to support multi-hop homomorphism[7].An i-hop homomorphic encryption scheme is one where can be called on its own output up to i times, while still being able to decrypt the output, and a multi-hop homomorphic encryption is a scheme which is i-hop for all i, therefore, this scheme is able to build up a high level operation as a polynomial function of GF(2) circuits by connecting supported circuits in , i.e. in an adder circuit, each gate takes the output of previous gates as its input, and if the scheme supports multi-hop, it could do each gate in the circuit homomorphically. Hence we simply start with basic GF(2) circuits, then we shortly expand the set to all circuit operations.2.1.1Initial Encryption Framework in Metric Space In mathematics, a metric space M is a set where a notion of distance (called a metric) between elements of the set is defined. Distance between elements of M is defined by function d which holds non-negative, identity of indiscernibles, symmetry, and triangle inequality. For any element of M, denotes the distance between x and y, for instance, in normed vector space the distance is defined by‖‖.Similar to Error-Correcting Coding, to encrypt a bit, we can form an error or offset vector e that encodes the plaintext, and then get the ciphertext by adding the offset vector v to a random vector chosen from an eigenvector set J. To decrypt a ciphertext , the key-holder recovers the offset vector e by computing the offset between the ciphertext vector and the eigenvector which has the smallest distance to the ciphertext vector in the eigenvector set J(the constraint of offset vector will be discussed later), and then recovers the plaintext from e. Here, the eigenvector set J must be a sub set of M. Therefore, we could describe the main idea of the simple encryption frameworkas follow:●Ke en λ M :Generate an eigenvector set J of metric space M according to the security parameter λOutput sk J●Encr t :Encode en etOutput , random choose J●Decr t :Recover , while J and ||||||||Recover from eAlgorithm GenOffset in Encr t means to generate arandom offset vector from the plaintext. As the plaintext space , an easy way to encode a bit is set while is a random vector in metric space M, and the plaintext could berecovered by compute e mod2. While the offset vector and eigenvector are randomly chosen, the key-holder still could find which eigenvector in set J is the nearest to the ciphertext and apply associated decryption ually the eigenvector set is infinite, and the secret key should be a good representation of the secret key (while one is hard to guess the secret key from a bad representation), i.e. in the lattice the sk may be a basis of lattice. In metric space, just a little like open ball, we define the open parallelepiped area about eigenvector point j in J as|| |||| ||This means eigenvector point j is closer to all the point of openarea than other eigenvector in set J. Figure 1 shows the open parallelepiped area about eigenvector point j in normed vector space with Euclidean distance. Of course, the open parallelepiped areas about each element never overlap, such that the ciphertext vector is located in a unique open parallelepiped area, and during the decryption the closest eigenvector to the ciphertext must be just the one chosen during encrypting. Then the offset vector e must be enough short to make sure the ciphertext vector j+e is contained by the open parallelepiped area . Otherwise, when encrypting a plaintext as, if |||| is too long and cause the ciphertext vector outside of the open parallelepiped area (),the ciphertext may be contained by another open parallelepiped area (), not (), which leads to wrong offset vector during the decryption process. However, the shape of the open parallelepiped area depends on the distance function in the metric space; Figure 1 shows the open parallelepiped area in normed vector space with Euclidean distance, and Figure 2 shows the open parallelepiped area in lattice.The security of this construction of encryption models is built on the hardness that one is hard to recognize the secret key, eigenvector set J, from a sequence of ciphertexts. This requires the encryption model to be probabilistic[8]. Image that if this encryption model is a probabilistic encryption scheme (namely the ciphertext is evenly distributed in the metric space M), even though the attacker gets some ciphertexts which the corresponding plaintexts are known, the attacker couldn’t recognize the eigenvector set from the evenly distributed and irregularM offset vector eciphertextφe jrandom eigenvector jFigure 1.Encryption Illustartion in Metric Spaceciphertext vectors. To achieve a probabilistic encryption scheme, the open parallelepiped areas of all the eigenvector j in J must make up the whole metric space M, namely each vector in metric space may be a ciphertext produced by the encryption model. Moreover, this requires the algorithm GenOffset is possible to generate each offset vector in ,and we must choose some regular eigenvectors in the metric space to make about each eigenvector j in J homologic. For example, wespecify the metric space with integer space , and take prime ideal(p)={np:n}as the eigenvector set J, en et outputs while r is a random integer, thus ciphertext ncould express all the integer. Here, n n , the openparallelepiped area is open interval (j-p/2,j+p/2), and thelength of offset vector must be shorter than p/2 to makesure the ciphertext n contained in the open parallelepiped area p. Of course, this encryption framework could be transformed to a public key crypto-system [9].2.1.2Homomorphic Encryption Framework based on IdealAs highlighted in the previous paragraph, if the encryption scheme is homomorphic for Boolean circuits, we could build up high level operations with these Boolean circuits. To achieve this assumption, we’ll have the above framework achieve somewhat homomorphism for Boolean circuits.We could express the ciphertext in previous encryption framework as , where j is a random eigenvector in set J, and x is the additional vector to form the offset vector with . As ring is closed under addition and multiplication，to achieve homomorphism, we could bring in rings and ideals to the initial encryption framework. Ideal I is a special subset of a ring R and satisfies following condition: (I,+) is a subgroup of (R,+);r r r. We assume that is a basis of an ideal I.Image that if metric space M forms a ring R on addition and multiplication, eigenvector set J forms an ideal of R, and the additional vector belongs to an ideal I, such that J+I=R ( i.e.J and I are relatively prime), could the initial encryption framework be a homomorphic? This question could be proved true as follows.Given two ciphertexts and , we can compute the addition of and as follow:As ideal J is a closed under addition, , then if ‖‖ is short enough to make contained in the open parallelepiped area , one could recover the offset vector correctly by computing the offset between the ciphertext and the nearest eigenvector . As mentioned above, if we take x in an even ring, we could recover the plaintext from the offset vector by computing mod2. As such, this encryption framework could map XOR circuit operation over plaintexts to operation of addition over ciphertexts. Figure 2 shows the homomorphic addition in ring: two ciphertext vectors and the result vector of addition. Similarly, we compute the operation multiplication of c erte t and as follow:As ideal J is a two-sided ideal J, and ，, we can conclude that . Similarly, we can prove thatand . Then if the offset vector ‖‖ is short enough to make contained in the open parallelepiped area, we could recover the offset vector correctly by computing the offset between the ciphertext and the nearest eigenvector. Furthermore, we could recover the plaintext from the offset vector by computingmod2. This encryption framework could map AND circuit operation over plaintexts to the operation of multiplication over ciphertexts.We have proven the encryption framework based on ring and ideal is homomorphic for circuits, if the input ciphertexts have short offset vector. How about other circuit operations? We could expand the circuits set by bringing in other circuit operations composed of XOR and AND gates.As an instance, for OR gate, we could express OR as (AND) XOR (XOR ). And the encryption scheme is homomorphic for XOR and AND circuits,if the scheme supports multi-hop homomorphism[7],the scheme could map the OR circuit over plaintexts ,to polynomial operationover corresponding ciphertexts. Moreover, if we represent an integer as, the scheme could map the integer addition over plaintexts to the adder circuit over corresponding ciphertexts.We use algorithm that outputs public and secret bases and of some eigenvector ideal J, such that I + J = R, an algorithm to sample from the coset x+I (In mathematics, if G is a group, and H is a subgroup of G, and g is an element of G, then g+H = {g+h : h an element of H } is a left coset of H in G, and H+g= {h+g :h an element of H } is a right coset of H in G ), namely randomly choose i from ideal I and compute x+i, and use algorithm to remove the eigenvector of J from . After bringing in rings and ideals, this Figure 2.Homomorphic Addition in RingRφ1e1j1φ2e2j2φe1e2j1j2encryptionframework E te could be described as follow:●Ke en R .Set I e en Rb re re et t n ere re ent t n eOutput R●Encr t .Set eOutput e●Decr t .Output ( )● E te C .Express C as circuits composed ofXOR, NAND or other permitted circuit inReplace XOR, NAND by addition and multiplication over ringThe key generation algorithm takes the ring and the ideal I as input, and outputs the key pair (pk, sk) that represents eigenvector ideal. Bad representation of ideal J means that one couldn’t or is hard to recognize the ideal J from representation. For example, hard problem approx-GCD[10] is used to generate the public key in integer ideal (p). To encrypt a bit, we add the offset vector that encodes the plaintext to a random eigenvector of J. To decrypt it, we just remove the eigenvector from the ciphertext. However, there is more efficient way to remove the eigenvector in specified rings, i.e. in integer ring and ideal lattice we can just perform the mod operation. To perform circuits C composed of XOR, NAND or other permitted circuits in on the plaintexts, we just replace the circuits in C with corresponding homomorphic operations over ciphertexts, if the new offset vector of the result ciphertext is still short enough.2.1.3Bootstrap to Fully Homomorphic Encryption Notice that the above encryption framework must support multi-hop homomorphism, namely framework could take the output of circuit C as the input of another circuit C. However, the framework can only evaluate shallow circuits, as the offset vector grows with addition and (especially) multiplication; eventually, it becomes too long, and when the offset vector has the ciphertext out of the open parallelepiped area , the ciphertext couldn’t be decrypted correctly. Hence the permitted circuit set only contains some shallow operations, and the above proposed encryption framework is a somewhat homomorphic crypto-system.Complex operations on Turing Machine are often composed of multi-level circuits. A natural solution is to refresh the ciphertext whose offset vector is almost too long by removing the old offset vector and to obtain a new offset vector. Obviously, we can do this by decrypting ciphertext and shortly encrypting it. However, homomorphic encryption aims at manipulating encrypted data without decryption, then revealing decrypting function to data operator is dangerous for data owners. If the circuit set contains decrypt circuit, this problem could be solved. This’s the idea behind bootstrapping[6]: we do decrypt the ciphertext, but homomorphically.Suppose the ciphertext, which we want to refresh, encrypts under. To decrypt homomorphically, suppose we also have another key pair , and encrypt the first secret key under the second public key : let ̅̅̅̅̅̅ be the encrypted secret key bits. Consider the secret key sk and ciphertext as a sequence of bits, then the function is just a normal polynomial circuit which take the bits of secret key sk and ciphertext as input and output the plaintext. To decrypt homomorphically, we just replace the XOR, NAND or other circuits in polynomial circuit with corresponding homomorphic operations. The details are shown as the Recrypt algorithm.Recr t Decr t̅̅̅̅̅̅̅̅̅̅̅̅For each bit of ciphertext,set̅̅̅̅̅Encr tOutputE te( Decr t̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅)The Recrypt algorithm takes the ciphertext, secret key encrypted under first public key , the second public keyas input, and outputs the fresh ciphertext encrypted under second public key . You can consider the Recrypt algorithm as that: plaintext is doubly encrypted, first under and next under, and then homomorphic decryption tries to peel off the inner encryption.However, what if the polynomial circuit itself is not a shallow circuit? What if the output ciphertext of some circuit in has too long offset vector? In some encryption schemes, this wouldn’t happen; in others, we need to squash the decrypt function to avoid this bad case, namely optimize and simplify the decrypt circuits to a shallow circuit. The main idea is to minimize the levels of decrypt circuits, and there is no common way to squash decrypt circuits. In example of Section2.3, some tips for integer ring would be illustrated.Figure 3.Recrypt AlgorithmππEncrypt underπDecrypt homomorphicallyAfter squashing the decrypt algorithm, we can go through a d-depth circuit as follow: use Recrypt to refresh the input ciphertext of circuit C at a given level i , and perform the homomorphic operation of circuit C , then recurse for the next level.If scheme generates a chain key pair ( and outputs̅̅̅̅̅ ̅̅̅̅̅ (secret key encrypted under) as public key, by using the recursion shown as Figure 4, scheme can achieve homomorphism for all d -depth circuits. Furthermore, if the chain of encrypted secret keys is acyclic ( is encrypted under ), the above scheme is fully homomorphic ; if the scheme is circular secure [11][12], we can take in Figure 4 (namely only a key pair in the acyclic chain, then Figure 4 will encrypt all plaintext in the same box), and the above scheme is fully homomorphic .This construction framework is a heuristic method. One may ask whether the plaintext space could be larger. Of course, image that we replace with aquotient ring, and then we could simply take the plaintext vector as the offset vector.And if we fill the algebraic structure in the construction framework with some specified rings and ideals, we could deduce an available fully homomorphic encryption scheme from the model, and we show an example in Section 2.3.2.2 SecurityIn terms of secure encryption scheme, the basic requirement for encryption scheme is that given public key pk and a ciphertext that encrypts unknown plaintext , it ’s hard to recognize the plaintext. This means that the encryption scheme issecure if any polynomial time adversary has a negligible probability of success.If an encryption scheme is deterministic, i.e. the encryption maps each plaintext to a unique corresponding ciphertext, and then it cannot be semantically secure. Adversary easily tells whether ciphertext encrypts plaintext by checking and .To be semantically secure, that is, to hide even partial information about the plaintext, an encryption scheme must by definition be probabilistic, i.e. the encryption must maps one plaintext to many ciphertexts, and some random factor should be chosen according to some distribution during encrypting. Obviously, the above proposed FHE construction model is semantically secure. Here, we focus on a stronger security property, called chosen plaintext attacks (CPA): given some ciphertexts whose corresponding plaintexts are known, it is hard for the adversaryto gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme's secret key. In above model, this security property could be illustrated as whether the adversary can gain the basis of eigenvector ideal J from a set of ciphertexts ( ). We can reduce the problem to distinguish the ideal J from a set of . If we specify the actual ring and ideal in the model, this problem could be reduced to be hard on the actual ring. For example, if we put the framework into integer ring, this hard problem could be approx-GCD [10] problem (approximate greatest common divisors problem, it ’s hard to distinguish p from a set of { }), which is proven to be hard [13][14]; if we bring the ideal lattice into the model, this hard problem could be Closest Vector Problem [15]. Another security problem is circular security [11]. Circular security is the security with respect to a basic KDM (Key-dependent messages)[16][12] attack in which the attacker is just given an encryption of the entire decryption-key. Can we distinct the secret key sk from the ciphertext encrypted sk under public key pk ? As far as we know, for most schemes, this won ’t reveal any information about secret key; however, there isn ’t a common way to prove this for different algebraic structures. We could explain circular security with physical analogy. Suppose the encryption is to lock something into box, while pk is the key to close box and sk is the key to open box. If sk and pk are relatively independent (can ’t deduce sk from pk ), after we use pk to close box, can we get the sk locked in box? Of course, we can ’t. Thus the scheme does not need distinct public keys pk i for each circuit level and an acyclic chain ofencrypted secret keys. Instead, the public key can consist merely of a single public key pk and a single encrypted secret key sk (sk under pk ), where pk is associated to all levels of the circuit. This approach has the additional advantage that we do not need to decide beforehand the maximal circuit depth complexity of the functions that we want to beable to evaluate.2.3 ExampleWe could fill the above construction framework with specified algebraic structures, and achieve an available FHE scheme. If we fulfill the ring and ideal of the fully homomorphic construction framework proposed in 2.1 with integer ring, we could get a fully homomorphic scheme over integer [17].In the scheme over integer, the ring R is integer ring , the eigenvector ideal J is prime ideal (p) of integer ring (ideal (p)={np:p ∈ }), ideal X is (2).Figure 4.Recursion for circuit . The different kind of box means the ciphertext encryptedunder different public key.πDecryptπsk 1sk 1 pk 2pk 2πC πCC πSk 22DecryptC πC C π C πpk 3pk 3π。

梯度加密与全密文训练的组合梯度加密（Gradient Encryption）和全密文训练（Fully Homomorphic Encryption）是两个在隐私保护和数据安全领域中备受关注的技术。

这两个技术的组合可以有效地保护数据隐私，同时实现机器学习模型的训练和推理。

梯度加密是一种用于保护数据隐私的加密方法。

在传统的机器学习中，模型的训练通常需要收集和处理大量的用户数据，然而这些数据中可能包含敏感信息。

梯度加密通过对数据进行加密，使得在训练过程中，数据只能以加密形式进行传输和处理，从而有效地防止了数据泄露的风险。

全密文训练是一种特殊的加密技术，它可以在数据加密的情况下进行模型的训练和推理。

在传统的机器学习中，模型的训练通常需要对数据进行解密，从而导致数据隐私的泄露。

而全密文训练则可以在数据保持加密状态的情况下进行模型的训练和推理，不需要对数据进行解密，从而实现了数据隐私的保护。

梯度加密和全密文训练的组合可以在保护数据隐私的同时，实现机器学习模型的高效训练和推理。

具体来说，梯度加密可以保护数据在训练过程中的隐私，防止数据泄露的风险。

而全密文训练则可以在数据加密的情况下进行模型的训练和推理，避免了数据解密带来的隐私泄露风险。

在梯度加密和全密文训练的组合中，模型的训练和推理过程都是在加密的数据上进行的。

具体来说，梯度加密将训练数据加密成密文，并在加密的密文上计算模型的梯度。

然后，使用全密文训练的技术，在加密的密文上进行模型的参数更新和优化。

最后，使用加密的密文进行推理，得到最终的预测结果。

整个过程中，数据一直保持加密状态，保护了数据的隐私。

梯度加密和全密文训练的组合在许多实际应用中都具有重要的意义。

例如，在医疗领域中，医院可能需要共享患者的敏感数据进行疾病预测和治疗方案制定，但同时需要保护患者的隐私。

梯度加密和全密文训练可以实现医院之间在加密数据上进行模型的训练和推理，保护患者的隐私。

另外，在金融领域中，银行可能需要共享客户的交易数据进行欺诈检测，但同样需要保护客户的隐私。

如何学习全同态加密学习全同态加密需要三部分知识：数学基础，格密码基础，全同态加密。

许多研究生在学习全同态加密时，以为只是学习全同态加密，所以看第一篇文章时，从入门直接到放弃。

这是因为任何知识都需要其它的知识作为基础，而全同态加密属于公钥密码学，所以首先它是一个加密算法，然后具有同态属性。

因此，必须熟悉格加密算法，以及相关的数学知识。

下面我们分别说说这三部分。

数学基础因为目前全同态加密都是构建在格密码算法之上的，所以格密码需要哪些数学知识，以及全同态加密本身需要哪些数学知识就构成了整个学习所需的数学基础。

格密码需要哪些数学基础呢？主要需要线性代数和抽象代数的基础。

线性代数一般理工科都学过，例如矩阵，行列式等计算，向量空间的基等。

格加密算法里的计算都是矩阵行列式计算。

抽象代数估计不是数学专业的，有可能没学过。

抽象代数里的群、环、域等知识非常重要，尤其是环，是格加密的数学基础。

抽象代数中一般还会涉及到数论一些知识，也在全同态加密中会使用，例如模计算等。

初学者可以看：An Introduction to Mathematical Cryptography 补充相关数学知识。

当然公认的最好的密码学教材当属Jonathan Katz的INTRODUCTION TO MODERN CRYPTOGRAPHY。

如果你想全面而深入的学习密码学可以看这本书。

里面都有相关的数学知识。

格密码学习全同态加密必须熟悉格密码，这是绕不开的。

因为本身全同态加密就是格密码算法上进行构造的。

那么如何学习格密码呢？应该从LWE加密算法开始学习，然后过渡到环LWE加密算法上。

一定要把LWE 加密算法的过程搞清楚，这样学习全同态加密会轻松许多。

如何学习LWE加密算法呢？建议看Oded Regev的一篇综述文章：The Learning with Errors Problem 。

这篇文章相对写的轻松一些。

不过不要忘了，如果想一下看懂是不可能的。

DATASHEETWeb ApplicationFirewall (WAF) GatewayImperva WAF Gateway - Datasheetimperva .comProtect your critical web applicationsWeb Applications are a prime target of cyber-attacks because they are readily accessible and offer an easy entry point to valuable data. Organizations need to protect web applications from existing and emerging cyber-threats without affecting performance, time to market, or uptime. The rapid pace of application changes can make it very difficult for security teams to keep up with updating rules that properly secure web assets. This can create security gaps and vulnerabilities that cybercriminals can exploit, leading to costly data breaches. Additionally, organizations look to deploy security solutions that can scale with their applications to match growth in user demand, ensuring that web assets are properly secured while preserving the end-user experience.Imperva WAF GatewayThe market-leading Imperva WAF Gateway empowers organizations to protect their applications through automated web security and flexible deployment. WAF Gateway provides comprehensive protection and granular capabilities, making it the ideal solution to secure valuable web assets, achieve PCI compliance and provide iron-clad protection against OWASP Top Ten security attacks.KEY CAPABILITIES:Dynamic profiling learns protected applications and user behavior, automatically applying a positive security modelFlexible deployment tosupport hybrid to cloud-native environmentsCan be deployed in-band and as a listener with support for Envoy and NginxUpdates web defenses with research-driven intelligence on current threatsCorrelates security violations to detect sophisticated, multi-stage attacks Automated virtual patching High performance; transparent, drop-in deployment Fully PCI compliantSimplified event investigation with Attack AnalyticsFigure 1: Imperva WAF Gateway protects applications from web based attacks leveraging researchdriven intelligence.Legit TrafficMalicious TrafficAnalytics & InsightsNG Firewall IPS/IDSImperva Management Server (MX)Imperva ThreatRadarWAF GatewayWeb ServersGood TrafficDataCopyright © 2020 Imperva. All rights reservedimperva .com+1.866.926.4678Imperva WAF Gateway - DatasheetImperva is ananalyst-recognized, cybersecurity leader championing the fight to secure data and applications wherever they reside.Protect critical web applications and dataImperva WAF Gateway can identify and act on dangers maliciously woven into seemingly innocuous website traffic – traffic that slips through other layers of defense – preventing application vulnerability attacks such as SQL injection, cross-site scripting and remote file inclusion or business logic attacks such as site scraping or comment spam.Automated application learningWAF Gateway uses patented Dynamic Profiling technology to automate the process of profiling applications and building a baseline or “whitelist” of acceptable user behavior. This positive security model approach is benefited by automatic incorporation of valid changes on the application profile over time. Dynamic Profiling eliminates the need to manually configure and update countless application URLs, parameters, cookies and methods in your security rules.DevOps automationA robust set of APIs enables DevOps and Security teams to integrate WAF Gateway deployment and day-to-day tuning activities into existing DevOps processes.Flexible deployment optionsWAF Gateway can be deployed as a physical appliance, a virtual appliance or in the cloud via Amazon Web Services or the Azure marketplace. Additionally, WAF Gateway can be deployed transparently, requiring virtually no changes to the network. Granular policy controls enable superior accuracy and unequaled control to match eachorganization’s specific protection requirements.Figure 2: Imperva WAF Gateway can be deployed as a physical appliance, virtual appliance or in the cloud.DatacenterWeb Servers。

数学创新英文文献Title: Mathematical Innovations: Exploring New Frontiers Abstract:Mathematics has always been at the forefront of innovation, driving breakthroughs in various disciplines. This paper presents a comprehensive review of recent literature on mathematical innovations, discussing their impacts and potential future directions. The focus is on key areas including algorithms, numerical methods, modeling, and cryptography, providing insights into their transformative potential across fields such as technology, finance, medicine, and engineering.Introduction:Mathematical innovations have revolutionized our understandingof the world and provided powerful tools for solving complex problems. This paper explores recent developments in the field, shedding light on their relevance and significance in various domains. By analyzing the key advancements, this study aims to inspire further research and innovation in the realm of mathematics. Algorithms:Algorithms form the backbone of many technological advancements, enabling efficient problem-solving and decision-making. Recent innovations in this area include the development of machine learning algorithms, deep learning neural networks, and quantum computing algorithms. These breakthroughs have the potential to transform industries such as healthcare, finance, and logistics, by optimizing processes, improving accuracy, and enabling predictive analytics.Numerical Methods:Numerical methods play a crucial role in computational mathematics, allowing researchers to solve complex mathematical problems using numerical approximations. Recent innovations in this area include adaptive numerical methods, high-precision computations, and parallel computing techniques. These advancements have the potential to enhance the accuracy and efficiency of computational models, enabling the simulation and optimization of complex systems.Modeling:Mathematical modeling allows us to study and understand real-world phenomena by converting them into mathematical equations. Recent innovations in modeling techniques include stochastic modeling, agent-based modeling, and machine learning-based modeling. These improvements provide frameworks for analyzing complex systems, simulating the effects of interventions, and predicting future outcomes, contributing to advancements in fields such as epidemiology, ecology, and economics. Cryptography:Cryptography is concerned with securing information and communication through encryption methods. Recent innovations in this field include homomorphic encryption, quantum-resistant cryptography, and secure multi-party computation. These innovations address the emerging challenges of data privacy and security, ensuring the confidentiality and integrity of sensitive information in an increasingly interconnected world.Conclusion:Mathematical innovations continue to drive progress in various disciplines, shaping the future of technology, finance, medicine, and engineering. The advancements discussed in this paper represent a glimpse into the transformative potential of mathematics. Further research and collaboration across domains are needed to fully harness these innovations and explore new frontiers in mathematics. By embracing and building upon these advancements, we can unlock unprecedented possibilities and push the boundaries of human achievement.。

信息安全的密码学名词解释以下是一些信息安全中常用的密码学术语的解释：1. 加密算法（Encryption Algorithm）：一种数学函数，用于将明文转换为密文的过程。

加密算法通常包括对称加密算法和公钥加密算法。

2. 对称加密算法（Symmetric Encryption Algorithm）：一种使用相同密钥进行加密和解密的加密算法，如DES、AES等。

对称加密算法的特点是加密速度快，但密钥的安全性需要保证。

3. 公钥加密算法（Public Key Encryption Algorithm）：一种使用不同的密钥进行加密和解密的加密算法，如RSA、ElGamal 等。

公钥加密算法的特点是加密和解密使用不同的密钥，其中一个密钥（公钥）用于加密，另一个密钥（私钥）用于解密。

4. 散列函数（Hash Function）：一种将任意长度的输入数据转换为固定长度的输出数据的函数。

散列函数通常用于数据完整性检测、密码存储等领域，常见的散列函数有MD5、SHA-1、SHA-256等。

5. 数字签名（Digital Signature）：使用私钥对数据进行加密生成的一段密文，用于验证数据的完整性和身份。

数字签名可以用于验证数据是否经过篡改，是非常重要的数据完整性保护手段。

6. 密钥交换（Key Exchange）：在通信双方之间安全地交换密钥的过程。

密钥交换协议通常用于保证通信中的密钥安全性，使得只有通信双方才能获取密钥。

7. 数字证书（Digital Certificate）：用于验证实体身份和数据完整性的电子文件。

数字证书包含公钥、证书持有者的身份信息以及签名等内容，由权威机构颁发，用于确保数据传输的安全性。

8. 密钥管理（Key Management）：一套用于生成、分发、存储和撤销密钥的策略和流程。

密钥管理是保证加密系统安全和可靠运行的重要组成部分。

9. 安全协议（Security Protocol）：用于保证网络通信安全性的规范和机制。