CN115150094A - Verifiable decryption method based on MLWE and MSIS - Google Patents
- Publication number: CN115150094A (application CN202210739095.3A)
- Authority: CN (China)
- Prior art keywords: verifier, prover, data, ciphertext, vector
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L9/00) including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L9/32), using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
- H04L63/0442—Network architectures or network communication protocols for network security (H04L63/00), for providing a confidential data exchange among entities communicating through data packet networks (H04L63/04), wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/0428), and wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L9/00) including means for verifying the identity or authority of a user of the system or for message authentication (H04L9/32), involving digital signatures
Abstract
The invention discloses a verifiable decryption method based on MLWE and MSIS, belonging to the field of information security. The method comprises the following steps: S1: set the parameters of the verifiable decryption method; S2: generate a key pair from the security parameter; S3: encrypt the plaintext vectors with the public key and publish the ciphertexts; S4: the verifier performs the homomorphic computation; S5: the prover decrypts with the private key; S6: the prover and the verifier run a non-interactive zero-knowledge proof. The invention adapts the public-key-free compression framework of the digital signature scheme Dilithium, which has the zero-knowledge property, and constructs a practical, efficient and simple verifiable decryption scheme for the decryption correctness of Kyber's IND-CPA-secure public-key encryption scheme under the lattice hardness assumptions MLWE and MSIS; it can be used to solve the verifiable decryption problem arising in two-party secure computation.
Description
Technical Field
The invention relates to a verifiable decryption method based on MLWE and MSIS, belongs to the field of information security, and is particularly suitable for verifiable decryption based on MLWE and MSIS.
Background
Consider the following two-party secure computation scenario: two mutually distrusting parties, each holding private data, want to compute jointly on each other's data without revealing their own. The party performing the computation applies homomorphic operations to the encrypted data of both parties under the other party's public key and obtains a homomorphic ciphertext. The party holding the private key decrypts this homomorphic ciphertext to obtain the result of the computation, must hand the result to the computing party, and must prove in zero knowledge that the result is the plaintext corresponding to the homomorphic ciphertext. In this scenario the decrypting party therefore has to provide not only the decryption result but also a zero-knowledge proof of correct decryption; this is the problem of verifiable decryption. The problem arises widely in medicine, industry, finance, government and elsewhere: for example, sharing medical research data between hospitals without revealing patients' individual privacy in order to prevent certain diseases, or joint data modelling between banks to assess the credit risk of a customer.
Zero-knowledge proofs of knowledge combined with homomorphic encryption can be used to construct verifiable decryption schemes. For example, the article "Verifiable decryption for fully homomorphic encryption" published by Luo et al. in 2018, based on the RLWE and RSIS problems, transforms the verifiable decryption problem for the BGV scheme into a linear relation of the form As = 0 and combines this relation with the "Fiat-Shamir with Aborts" zero-knowledge proof technique, yielding a verifiable decryption scheme that is almost "one shot"; but the scheme has some problems: first, in the BGV scheme the plaintext is placed in the low-order bits, the plaintext space is small, and the encryption efficiency and ciphertext expansion rate need further optimisation; second, to hide the private key the scheme uses a Gaussian-distribution-based sampling technique, and Gaussian sampling is vulnerable to side-channel attacks. The paper "Shorter lattice-based zero-knowledge proofs via one-time commitments" published by Lyubashevsky et al. in 2021 constructs a proof of knowledge of a ternary secret vector s satisfying Bs = t, including a verifiable decryption scheme for Kyber; although it has advantages for proving a single ciphertext and can be generalised to some other lattice-based key encapsulation schemes, it is complicated by the linearity proof, the proof of shortness and the range proof. At present, therefore, there is no efficient and concise zero-knowledge proof of correct decryption for lattice-based post-quantum encryption schemes.
Disclosure of Invention
In view of this, the invention aims to provide a verifiable decryption method for Kyber based on the Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS) problems. Specifically, the public-key-free compression framework of the digital signature scheme Dilithium, which has the zero-knowledge property, is modified, and a non-interactive zero-knowledge proof is constructed for the decryption correctness of Kyber's IND-CPA-secure public-key encryption scheme. The method can further be applied in practical settings with privacy-protection requirements, such as sharing medical research data and joint model training between institutions, and helps to break down data silos while safeguarding data security.
In order to achieve the purpose, the invention provides the following technical scheme:
A verifiable decryption method based on MLWE and MSIS, carried out by two parties, a prover and a verifier, without a trusted third party, where the prover is the party holding the private key and the verifier is the party performing the computation. The method comprises the following steps:
S1: set the parameters of the verifiable decryption method based on the Module Learning With Errors (MLWE) problem and the Module Short Integer Solution (MSIS) problem: $\lambda, n, q, k, d_u, d_v, d_h, \gamma, \eta_1, \eta_2, \tau, l$;
where $\lambda$ is the security parameter, chosen so that the work of the anticipated adversary is bounded by $2^{\lambda}$; $n$ is the degree of the polynomial ring $R_q$; $q$ is the modulus and satisfies $q \equiv 1 \bmod 2n$; $k$ is the vector dimension, a positive integer chosen according to the security parameter $\lambda$; $d_u$, $d_v$ are the bit lengths of the components of the ciphertext $c = (u, v)$ produced by Kyber's IND-CPA-secure public-key encryption scheme after compression; $d_h$ is the parameter of the compression function and gives the bit length of the compressed data; $\gamma$ is the coefficient bound of the $(k+1)$-dimensional polynomial vector $y$; $\eta_1$ is the coefficient bound of the private key $s$, the noise vector $e$ and the random vector $r$ in Kyber; $\eta_2$ is the coefficient bound of the ciphertext noise $e_1$, $e_2$ in Kyber; $\tau$ is the number of $\pm 1$ coefficients in the challenge value $h$, selected according to the security parameter $\lambda$ and the degree $n$ of $R_q$; $l = \|(-s, 1) \cdot h\|_{\infty}$ is computed from the coefficient bound $\eta_1$ of the private key $s$ and the parameter $\tau$, where $\|\cdot\|_{\infty}$ denotes the infinity norm;
S2: the prover calls the key generation algorithm of Kyber's IND-CPA-secure public-key encryption scheme to generate a public/private key pair $(pk, sk)$; the prover holds the private key $sk$ and publishes the public key $pk$;
Kyber's IND-CPA-secure public-key encryption scheme is described in:
Bos J, Ducas L, Kiltz E, et al. CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), 2018: 353-367. DOI: 10.1109/EuroSP.2018.00032
s3: proverAnd verifierCalling an encryption algorithm in an IND-CPA (Indo-cross connect with continuous encryption) security public key encryption scheme of Kyber, and encrypting respective plaintext vectors by using public keys respectively to obtain ciphertext vectors and disclose the ciphertext vectors;
s4: verifierHomomorphic calculation is carried out on each component in the ciphertext vector to generate homomorphic ciphertext, bootstrap refreshing the homomorphic ciphertext is utilized after the homomorphic calculation is completed, and the refreshed homomorphic ciphertext is disclosed
S5: proverCalling a decryption algorithm in an IND-CPA (Indo-client-server encryption) security public key encryption scheme of Kyber, decrypting a homomorphic ciphertext c by using a private key s to obtain a plaintext m = compresses corresponding to c q (v-s T u,1)∈R 2 ;
Wherein the compression function is defined as y = Compress q (x,d)=「(2 d /q)·x」mod + 2 d (ii) a Input is asd<「log 2 (q) ", with the output of y ∈ { 0., 2 ∈ · d -1}, "meaning rounded off; mod + Let alpha be a positive integer for the modulo operator, define r' = rmod + Alpha represents the value range of r' is [0, alpha ];
s6: proverConstruct plaintext 0 ∈ R 2 Corresponding Kyber ciphertext vectorRandomly selecting a k + 1-dimensional polynomial vector y with a coefficient boundary of gamma, and taking the front k of the y as a vector
S7: proverFirstly, toEstimating the distribution of difference values between the two data, taking the corresponding independent variable value point as the jump center when the function value of the compression function jumps, constructing a jump interval by taking the intercepted boundary of the difference values as the radiusHeld data c ′T Y andcoefficient subscripts in the hopping interval are respectively stored in the set E 1 、E 2 In the method, the coefficients are collocated, then a challenge value h is calculated through a hash function, and then a response value is calculatedAnd only if z does not shade ∞ Is accepted when the gamma-l is less than the threshold value, otherwise, the step S6 is returned to be executed again,m, h, z, E 1 、E 2 Ligation was performed to confirm that π = (m, h, z, E) 1 ,E 2 ) And sends the proof to the verifier over a secure channel
S8: verifierAfter receiving the proof pi, calculating the plaintext 0 epsilon R 2 Corresponding Kyber ciphertext vectorTaking the first k dimension of the response value z as a vectorReuse set E 1 、E 2 The index of (1) willHeld data c ′T ·z、Setting corresponding coefficients to zero and calculating a hash value, comparing and verifying the hash value with a challenge value h in proof pi, and simultaneously verifying | | z | | non-woven cells ∞ If, ifThe computed hash value is not equal to the challenge value h in proof pi or | z | survival ∞ And if the verification is more than or equal to gamma-l, the verification fails, 0 is output to indicate rejection, otherwise, the verification is successful, and 1 is output to indicate acceptance.
S201: in the polynomial ring $R_q$, randomly select $k \times k$ polynomials to form the matrix $A$;
S202: sample the private key and the noise uniformly at random from the central binomial distribution;
where the central binomial distribution $B_\eta$ of step S202 is defined as: sample $(a_1, \ldots, a_\eta, b_1, \ldots, b_\eta) \leftarrow \{0,1\}^{2\eta}$ and output $\sum_{i=1}^{\eta}(a_i - b_i)$ (as in Kyber); for $v \in R$, $v \leftarrow \beta_\eta$ means that every coefficient of the sample $v$ follows the distribution $B_\eta$, $R$ being the polynomial ring, and $\leftarrow$ denotes random sampling.
Further, the encryption in step S3 proceeds as follows: the prover and the verifier call the encryption algorithm $\mathrm{Enc}(pk, m_i)$ of Kyber's IND-CPA-secure public-key encryption scheme on their data $(m_i)_{1 \le i \le t}$, where $t$ depends on the data length, obtain the ciphertexts and publish them.
Further, step S4 is performed by the verifier as follows: from the ciphertext dimension $t$ published by both parties, construct an arbitrary $t$-input function $f(\cdot)$ and use it to compute the homomorphic ciphertext; then refresh the homomorphic ciphertext by bootstrapping, output the refreshed ciphertext $c$ and publish its value.
Further, step S5 is performed by the prover, and the decryption proceeds as follows:
S501: first decompress $u$ and $v$ of the homomorphic ciphertext $c$ generated in step S4 with the decompression function, obtaining $(u, v) := (\mathrm{Decompress}_q(u, d_u), \mathrm{Decompress}_q(v, d_v))$, where $:=$ denotes assignment;
S502: then decrypt with the compression function to obtain the plaintext $m = \mathrm{Compress}_q(v - s^{T}u, 1) \in R_2$;
where the decompression function is defined as $x' = \mathrm{Decompress}_q(y, d) = \lceil (q/2^{d}) \cdot y \rfloor$; the input is $y \in \{0, \ldots, 2^{d} - 1\}$ with $d < \lceil \log_2 q \rceil$, and the output is $x' \in \mathbb{Z}_q$.
S603: if each component of y is irreversible, returning to step S602;
Wherein, the step S602 isSet S γ Any element t in (1) belongs to R, | | t | | non-woven phosphor ∞ Less than or equal to gamma, useRepresentation set { t mpd ± 2γ:t∈R};Representing a k +1 dimensional vector, each component taken from the setmod ± For the modulo operator, let α be a positive even number (or a positive odd number), define r' = r mod ± Alpha represents r' and has a value range of (-alpha/2, alpha/2)](or)。
Further, step S7 is performed by the prover, and the proof generation proceeds as follows:
S701: compute, according to the transcript format agreed in advance by the prover and the verifier, the radius of the jump interval corresponding to the difference between the first-part data held by the prover and by the verifier;
S702: compute, likewise, the radius of the jump interval corresponding to the difference between the second-part data held by the prover and by the verifier;
S703: compute the first-part data held by the prover, $\text{prover-data}_1 = c'^{T} \cdot y \in R_q$;
S704: traverse every coefficient of the prover's first-part data $\text{prover-data}_1$ and all jump centres; if the $i$-th coefficient lies in the jump interval $[-I_{L1} + pos, I_{L1} + pos]$ formed by the $j$-th jump centre $pos$, set that coefficient of $\text{prover-data}_1$ to zero and put its index $i$ into the set $E_1$, where $i \in \{0, 1, 2, \ldots, n-1\}$;
S706: traverse every coefficient of every component of the prover's second-part data $\text{prover-data}_2$ and all jump centres; if the $i$-th coefficient of the $i'$-th component lies in the jump interval $[-I_{L2} + pos, I_{L2} + pos]$ formed by the $j$-th jump centre $pos$, set that coefficient of $\text{prover-data}_2$ to zero and put its joint index $(i', i)$ into the set $E_2$, where $i' \in \{0, 1, 2, \ldots, k\}$ and $i \in \{0, 1, 2, \ldots, n-1\}$;
S709: if $\|z\|_{\infty} \ge \gamma - l$, return to step S602;
S710: output the proof $\pi = (m, h, z, E_1, E_2)$ and send it to the verifier;
Further, step S701 is specifically:
(1) according to the transcript format agreed in advance by both parties in the non-interactive zero-knowledge proof protocol constructed by the verifiable decryption method, the first-part data held by the prover and the verifier are $c'^{T} \cdot y \in R_q$ and $c'^{T} \cdot z \in R_q$ respectively, and their difference is $h \cdot w$, where $w$ is the decryption noise of the Kyber public-key scheme, expressed in terms of $c_u$, $c_v$, the noise generated by decompressing the ciphertext, and $c_l$, the noise generated by decompressing the public key;
(2) to estimate the distribution of the difference $h \cdot w$, first obtain an approximate normal distribution by the central limit theorem, then take the point at which the tail probability of that normal distribution is $10^{-58}$ (corresponding to the probability that a standard normal random variable exceeds 16 standard deviations) as the bound on the difference $h \cdot w$; the result is the jump-interval radius $I_{L1}$;
Further, step S702 is specifically:
(1) according to the transcript format agreed by both parties in the non-interactive zero-knowledge proof protocol constructed by the verifiable decryption method, the second-part data held by the prover and by the verifier differ by $h \cdot e$, where $e$ is the noise selected in step S202;
(2) similarly, to estimate the distribution of the difference $h \cdot e$, obtain an approximate normal distribution by the central limit theorem, then take the point at which its tail probability is about $10^{-58}$ (corresponding to the probability that a standard normal random variable exceeds 16 standard deviations) as the bound on the difference $h \cdot e$; the result is the jump-interval radius $I_{L2}$;
In step S704, a jump centre is an argument value at which the value of the compression function jumps, a property of the compression function: for example, when $d_h = 3$, the value of $\mathrm{Compress}_q(x, d_h)$ jumps at eight argument values (in the embodiment below these are $pos = \lceil q/2^{4} + q/2^{3} \cdot j \rfloor$, $j = 0, \ldots, 7$); the number of jump centres depends on the parameter $d_h$.
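The compression and decompression functions of steps S5 and S501, the mod^+ / mod^± reductions, and the jump centres of step S704 can be checked concretely. The following Python block is an added example and not code from the patent: it implements Compress_q, Decompress_q and the two modular reductions with exact integer rounding, derives the jump centres of Compress_q(·, d) for any d (the page's pos = ⌈q/2^4 + q/2^3·j⌋ is the d = 3 case), and checks the property the jump intervals rely on: a coefficient that lies outside every interval compresses to the same value after any additive difference of at most the radius. The radius and sample values used in it are constructed; q = 8380417 and d_h = 3 are the embodiment's parameters.

```python
# Added example (not code from the patent): Kyber-style Compress_q / Decompress_q,
# the mod^+ / mod^± reductions and the jump centres of Compress_q(., d).
Q = 8380417  # modulus of the embodiment on the page


def round_half_up(num, den):
    """⌈num/den⌋: nearest integer, ties rounded up, in exact integer arithmetic."""
    return (2 * num + den) // (2 * den)


def mod_plus(r, alpha):
    """r mod^+ alpha: the representative of r in [0, alpha)."""
    return r % alpha


def mod_pm(r, alpha):
    """r mod^± alpha: representative in (-alpha/2, alpha/2] for even alpha,
    in [-(alpha-1)/2, (alpha-1)/2] for odd alpha."""
    r = r % alpha
    return r - alpha if r > alpha // 2 else r


def compress(x, d, q=Q):
    """Compress_q(x, d) = ⌈(2^d / q) · x⌋ mod^+ 2^d, for x in Z_q."""
    return mod_plus(round_half_up((x % q) << d, q), 1 << d)


def decompress(y, d, q=Q):
    """Decompress_q(y, d) = ⌈(q / 2^d) · y⌋, for y in {0, ..., 2^d - 1}."""
    return round_half_up(q * y, 1 << d)


def decompress_error(x, d, q=Q):
    """Signed error x' - x (mod^± q) of a Compress/Decompress round trip; Kyber bounds it
    by ⌈q / 2^(d+1)⌋. This is the c_u / c_v decompression noise the page refers to."""
    return mod_pm(decompress(compress(x, d, q), d, q) - x, q)


def jump_centers(d, q=Q):
    """Argument values at which Compress_q(x, d) steps to the next value: ⌈q(2j+1)/2^(d+1)⌋.
    For d = 3 this is the page's pos = ⌈q/2^4 + q/2^3 · j⌋, j = 0..7 (the last step wraps to 0)."""
    return [round_half_up(q * (2 * j + 1), 1 << (d + 1)) for j in range(1 << d)]


def in_jump_interval(x, radius, centers):
    """Membership test used to build E_1 / E_2: is x within `radius` of some jump centre?"""
    return any(abs(x - pos) <= radius for pos in centers)


def is_stable(x, d, radius, q=Q):
    """True when every x + delta with |delta| <= radius compresses to the same value as x,
    i.e. a coefficient outside all jump intervals survives a bounded additive difference."""
    ref = compress(x, d, q)
    return all(compress(x + delta, d, q) == ref for delta in range(-radius, radius + 1))


def jump_probability(radius, d, q=Q):
    """Probability that x uniform in Z_q lies in one of the 2^d jump intervals of the given
    radius (the page reports 0.0350 and 0.0002 for its radii I_L1 and I_L2)."""
    return (1 << d) * (2 * radius + 1) / q


if __name__ == "__main__":
    centers = jump_centers(3)
    print("jump centres for d_h = 3:", centers)
    for pos in centers:  # the step happens between pos - 1 and pos + 1
        print(pos, compress(pos - 1, 3), compress(pos + 1, 3))
```

The rounding is done as (2·num + den) // (2·den) so that no floating-point error can move a jump centre by one; the page's pos values (523776 for j = 0) come out exactly. The constructed radius 18332 in the probability check is chosen only because it reproduces the page's 0.0350 figure; the page itself derives its radii from the central limit theorem, not from this formula.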
Further, step S8 is performed by the verifier, and the verification of the received proof $\pi$ proceeds as follows:
S801: first decompress $u$ and $v$ of the homomorphic ciphertext $c$ generated in step S4 with the decompression function, obtaining $(u, v) := (\mathrm{Decompress}_q(u, d_u), \mathrm{Decompress}_q(v, d_v))$, where $:=$ denotes assignment;
S803: take the first $k$ components of the $(k+1)$-dimensional polynomial vector $z$ in the proof $\pi$ to form a new vector;
S804: compute the first-part data held by the verifier, $\text{verifier-data}_1 = c'^{T} \cdot z \in R_q$;
S805: for every element $j$ of the set $E_1$, set the $j$-th coefficient of the verifier's data $\text{verifier-data}_1$ to zero;
S807: for every element $(j', j)$ of the set $E_2$, set the $j$-th coefficient of the $j'$-th component of the verifier's data $\text{verifier-data}_2$ to zero;
S808: if $h \ne H(\mathrm{Compress}_q(\text{verifier-data}_1, d_h), \mathrm{Compress}_q(\text{verifier-data}_2, d_h))$ or $\|z\|_{\infty} \ge \gamma - l$, output 0 (reject); otherwise output 1 (accept).
Correctness and security of the invention: by theoretical derivation, the non-interactive zero-knowledge proof constructed by the invention satisfies completeness, soundness and zero-knowledge, and its soundness and zero-knowledge reduce to the MLWE and MSIS hardness assumptions.
Beneficial effects of the invention: the invention adapts the public-key-free compression framework of the digital signature scheme Dilithium, which has the zero-knowledge property, and constructs a practical, efficient and simple verifiable decryption scheme for the decryption correctness of Kyber's IND-CPA-secure public-key encryption scheme under the lattice hardness assumptions MLWE and MSIS; it can be used to solve the verifiable decryption problem arising in two-party secure computation.
Drawings
In order to make the object and technical solution of the present invention more clear, the present invention provides the following drawings for explanation:
FIG. 1 is a top-level flow chart of the method of the invention;
FIG. 2 shows, for an embodiment of the invention, statistics of the number of iterations of the prover's proof generation and the proportion of occurrences of each count.
Detailed Description
Embodiment: in medical research, multicentre studies are becoming a new trend, since larger samples and more representative data give better results. However, because medical data are especially dispersed and sensitive, a conflict arises between the value of the data and privacy protection. A platform is therefore needed on which different medical institutions can share information efficiently while protecting information security and privacy. The invention offers an effective technical path for building such a platform and resolves the conflict between data value and privacy protection.
Suppose two hospitals A and B want to perform joint computation and joint modelling while keeping their original data secure and unshared. Hospital A (the prover) generates the public and private keys, hospital B (the verifier) performs the computation, and both hospitals need the final result. This embodiment applies the "verifiable decryption method based on MLWE and MSIS".
Examples of the present invention will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the specific steps of this embodiment are as follows:
step 1: related parameters of the verifiable decryption scheme based on MLWE and MSIS are set.
(1) Setting a safety parameter lambda =128; selecting R and R q Degree n =256 of the upper polynomial; selected modulus q =8380417; selecting a vector dimension k =6 determined by a safety parameter λ; selecting ciphertext compression parameter (d) u ,d v ) = (21, 15); selecting a parameter d of a compression function h =3; coefficient bound γ =2 for the chosen k +1 random vector y 19 (ii) a Selecting coefficient boundary eta of private key s, noise vector e and random vector r in Kyber 1 Ciphertext noise e in =2,kyber 1 、e 2 Coefficient bound η of 2 =2; calculating the number tau =60 of +/-1 in the challenge value h; coefficient bound eta based on private key s in Kyber 1 And calculating | (| (-s, 1) & h | calculation by parameter tau ∞ L =120;
(2) Calculating the distribution Z from the uniform distribution according to the basic parameters set in (1) q Selecting x at random, x being in radius I of jump interval L1 And I L2 The probabilities of the formed hopping intervals are 0.0350 and 0.0002, respectively, and can be used for further estimating the index set E of the coefficient stored in the hopping interval 1 、E 2 The communication overhead of (c);
(3) Calculating the expectation of the number of repetitions, i.e., based on the basic parameters set in (1)
(2) The private key and noise are sampled uniformly and randomly from the central binomial distribution,in the embodiment, s and e are 256-degree polynomial vectors with dimension of 6 and coefficient boundary of 2 respectively;
(3) Calculate t = As + e, output public key pk = (t = As + e, a), private key sk = s.
Step 3: hospital A and hospital B each encrypt their private data with the public key generated by A, and the encrypted results are gathered at hospital B;
hospital A and hospital B call the encryption algorithm $\mathrm{Enc}(pk, m_i)$ of Kyber's IND-CPA public-key encryption scheme to encrypt their respective data $m_1, \ldots, m_t$, $i \in \{1, \ldots, t\}$, obtaining the ciphertexts.
Step 4: hospital B performs the homomorphic operation on the encryption results, refreshes the homomorphic ciphertext by bootstrapping and publishes the value of the homomorphic ciphertext.
Let $f$ be a public function that reveals no private input; hospital B computes $f$ on the ciphertexts to produce the homomorphic ciphertext, refreshes it by bootstrapping, outputs the refreshed ciphertext $c$ and publishes its value.
Step 5: hospital A decrypts the bootstrapped homomorphic ciphertext $c$.
(1) Decompress the homomorphic ciphertext $c$ with the decompression function $\mathrm{Decompress}_q(x, d)$, obtaining $c = (u, v) = (\mathrm{Decompress}_q(u, 21), \mathrm{Decompress}_q(v, 15))$;
(2) Decrypt with the compression function to obtain the plaintext $m = \mathrm{Compress}_{8380417}(v - s^{T}u, 1) \in R_2$;
Step 6: hospital A (prover)) And hospital B (verifier)) A non-interactive zero knowledge proof is performed.
First, a proof pi of correct decryption is generated by hospital a, which contains the decryption result m, and is sent to hospital B. The method specifically comprises the following steps:
(3) If each component of y is irreversible, returning to (2);
(5) According to the format agreed in advance by hospital A and hospital B, calculate the radius I_L1 of the jump interval corresponding to the difference between the first part of the data held by hospital A and by hospital B;
(6) According to the format agreed in advance by hospital A and hospital B, calculate the radius I_L2 of the jump interval corresponding to the difference between the second part of the data held by hospital A and by hospital B;
(7) Calculate the first part of the data held by hospital A, prover-data_1 = c′^T · y ∈ R_8380417;
(8) Traverse each coefficient of prover-data_1 together with all jump centres pos = ⌈q/2^4 + q/2^3 · j⌋ (rounded to the nearest integer). If the i-th coefficient lies in the jump interval [−I_L1 + pos, I_L1 + pos] formed by the j-th jump centre, set the i-th coefficient of prover-data_1 to zero and put its index i into the set E_1, where i ∈ {0, 1, 2, ..., 255} and j ∈ {0, 1, 2, ..., 7};
(10) Traverse each coefficient of each component of the second part of the data held by hospital A, prover-data_2, together with all jump centres pos = ⌈q/2^4 + q/2^3 · j⌋. If the i-th coefficient of the i′-th component lies in the jump interval [−I_L2 + pos, I_L2 + pos] formed by the j-th jump centre, set that coefficient of prover-data_2 to zero and put the joint index (i′, i) into the set E_2, where i′ ∈ {0, 1, 2, ..., 5}, i ∈ {0, 1, 2, ..., 255} and j ∈ {0, 1, 2, ..., 7};
(13) If ‖z‖_∞ ≥ 2^19 − 120, return to (2);
(14) Output the proof π = (m, h, z, E_1, E_2) and send π to hospital B;
Hospital B then verifies the received proof π and outputs 1 if verification passes, otherwise 0. The steps are as follows:
(1) Using the decompression function Decompress_q(x, d), decompress the homomorphic ciphertext c generated in step 4 to obtain c = (u, v) = (Decompress_q(u, 21), Decompress_q(v, 15));
(3) Take the first 6 components of the 7-dimensional polynomial vector z in the proof π to form a new vector;
(4) Compute the first part of the data held by the verifier, verifier-data_1 = c′^T · z ∈ R_8380417;
(5) Traverse the set E_1 and, for each element j, set the j-th coefficient of verifier-data_1 to zero;
(7) Traverse the set E_2 and, for each element (j′, j), set the j-th coefficient of the j′-th component of verifier-data_2 to zero;
(8) If h ≠ H(Compress_8380417(verifier-data_1, 3), Compress_8380417(verifier-data_2, 3)) or ‖z‖_∞ ≥ 2^19 − 120, output 0 to indicate rejection; otherwise output 1 to indicate acceptance.
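The decompression, jump-interval and verification steps above, as an added worked example in Python (this is not code from the patent). It implements Compress_q and Decompress_q with the implementation case's q = 8380417 and n = 256, the jump centres pos = ⌈q/2^(d+1) + q/2^d · j⌋ (the page gives them for d_h = 3; the function generalises to any d), the prover-side zeroing that builds E_1 in steps (7)–(8) and the verifier-side zeroing of step (5), and then checks the property the intervals exist for: two polynomials whose coefficient-wise difference is bounded by the radius compress to the same values once the indices in E are zeroed, even though their raw compressions can differ. The polynomials, the radius, SHA-256 as a stand-in for the page's hash H, and all function names are constructed for the example; the scheme's c′, y, z, s and the real radii I_L1, I_L2 are not reproduced.

```python
# Added example, not code from the patent. Kyber-style compression with the
# implementation case's q = 8380417, plus the jump-interval masking that lets the
# prover's data c'^T*y and the verifier's data c'^T*z hash to the same value.
# Polynomials are plain lists of N coefficients in [0, Q); all sample data is
# constructed here for the demonstration (the scheme's c', y, z, s are not used).
import hashlib
import random

Q = 8380417  # modulus q of the implementation case
N = 256      # degree n of the polynomial ring


def mod_plus(r: int, alpha: int) -> int:
    """r mod+ alpha: representative in [0, alpha)."""
    return r % alpha


def mod_pm(r: int, alpha: int) -> int:
    """r mod± alpha: centred representative, (-alpha/2, alpha/2] for even alpha."""
    r = r % alpha
    return r - alpha if r > alpha // 2 else r


def rnd(num: int, den: int) -> int:
    """round(num / den) to the nearest integer in exact integer arithmetic (den > 0)."""
    return (2 * num + den) // (2 * den)


def compress(x: int, d: int) -> int:
    """Compress_q(x, d) = round((2^d / q) * x) mod+ 2^d, as defined on the page."""
    return mod_plus(rnd((1 << d) * x, Q), 1 << d)


def decompress(y: int, d: int) -> int:
    """Decompress_q(y, d) = round((q / 2^d) * y), Kyber's inverse map."""
    return rnd(Q * y, 1 << d)


def roundtrip_ok(d: int) -> bool:
    """Compress_q(Decompress_q(y, d), d) == y for every d-bit y (needs 2^d < q)."""
    return all(compress(decompress(y, d), d) == y for y in range(1 << d))


def jump_centers(d: int) -> list:
    """Points where Compress_q(., d) changes value: round(q/2^(d+1) + q/2^d * j),
    j = 0 .. 2^d - 1. For d = 3 these are the page's pos = [q/2^4 + q/2^3 * j]."""
    return [rnd(Q * (2 * j + 1), 1 << (d + 1)) for j in range(1 << d)]


def prover_mask(poly: list, d: int, radius: int):
    """Prover steps (7)-(8): zero every coefficient within `radius` of a jump
    centre (distance taken centred mod q) and record its index in E."""
    centres = jump_centers(d)
    masked, E = list(poly), []
    for i, x in enumerate(poly):
        if min(abs(mod_pm(x - pos, Q)) for pos in centres) <= radius:
            masked[i] = 0
            E.append(i)
    return masked, E


def verifier_mask(poly: list, E: list) -> list:
    """Verifier step (5): zero the coefficients whose indices are listed in E."""
    masked = list(poly)
    for j in E:
        masked[j] = 0
    return masked


def compress_poly(poly: list, d: int) -> list:
    return [compress(x, d) for x in poly]


def digest(compressed: list) -> str:
    """Stand-in for the page's hash H over a compressed polynomial (SHA-256 here;
    valid for d <= 8 since each compressed coefficient is packed into one byte)."""
    return hashlib.sha256(bytes(compressed)).hexdigest()


def demo(d: int = 3, radius: int = 1000, seed: int = 7):
    """Constructed prover/verifier data with a bounded difference ||delta||_inf <= radius,
    the situation the jump intervals are built for. Returns
    (hashes agree after masking, raw compressions agree without masking, |E|)."""
    rng = random.Random(seed)
    p = [rng.randrange(Q) for _ in range(N)]                  # prover's polynomial
    v = [(x + rng.randint(-radius, radius)) % Q for x in p]    # verifier's: p + delta
    # Force coefficient 0 to straddle a jump centre, so the raw compressions differ
    # by one bucket even though the difference is only 2.
    pos = jump_centers(d)[2]
    p[0], v[0] = (pos - 1) % Q, (pos + 1) % Q
    p_masked, E = prover_mask(p, d, radius)
    v_masked = verifier_mask(v, E)
    agree_masked = digest(compress_poly(p_masked, d)) == digest(compress_poly(v_masked, d))
    agree_raw = compress_poly(p, d) == compress_poly(v, d)
    return agree_masked, agree_raw, len(E)


if __name__ == "__main__":
    print("round trip d=15:", roundtrip_ok(15))
    print("masked hashes agree, raw compressions agree, |E|:", demo())
```

The argument the code checks is the one behind steps (5)–(8): a coefficient more than I_L away from every jump centre cannot cross a rounding boundary when shifted by at most I_L, so it compresses identically on both sides, while coefficients that could cross are zeroed on both sides. One caveat the page leaves unstated: the prover chooses E_1 and E_2, so an implementation would want the verifier to reject proofs whose E sets are larger than the difference analysis of the scheme predicts, since masking arbitrarily many coefficients would make the hash comparison vacuous.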
The experimental environment of the invention is a notebook with an Intel Core i5-7200U CPU, 8 GB of memory and Ubuntu 20.04.2 LTS as operating system. 10000 test runs were performed with the parameter settings of the implementation case, examining the following:
a) the correctness of the scheme constructed by the invention, including whether the Kyber ciphertext is decrypted correctly, whether an honest prover is accepted by the verifier, and whether a proof forged by a malicious prover is rejected by the verifier;
b) the theoretical analysis of the difference between the data held by the prover and the data held by the verifier;
c) the average number of iterations of the prover's proof-generation process;
d) the communication overhead, i.e. the proof size, during execution of the scheme.
Since rejection sampling means that the prover's proof-generation process may have to be repeated several times before a valid proof is output, the number of repetitions of the proof-generation process and the frequency of each count over the 10000 runs were recorded. The number of repetitions follows a geometric distribution; the results are shown in Fig. 2, with an average of 1.52 repetitions, which corroborates the parameters set in step 1.
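The repetition statistic quoted above, as an added worked example in Python (not code from the patent): it derives the per-coefficient acceptance count and the expected number of attempts implied by the rejection step ‖z‖_∞ < γ − l for the implementation case's parameters (γ = 2^19, l = 120, n = 256, k + 1 = 7 components, so 1792 coefficients), and simulates the sample-and-check loop to reproduce the geometric shape of Fig. 2. Two assumptions are made that the page does not state explicitly: y is uniform over the 2γ centred residues (−γ, γ] per coefficient, and the response has the form z = y + w with ‖w‖_∞ ≤ l (the page elides the formula for z); the restart for a non-invertible component of y is ignored. Function names are the example's own.

```python
# Added example, not from the patent: the repetition count implied by the
# rejection step ||z||_inf < gamma - l for the implementation case
# (gamma = 2^19, l = 120, n = 256, k + 1 = 7 components, so 1792 coefficients).
# Assumed here and not stated on the page: y is uniform over the 2*gamma
# centred residues (-gamma, gamma] per coefficient and z = y + w with
# ||w||_inf <= l (the usual Fiat-Shamir-with-aborts shape); the rare
# "component of y not invertible" restart is ignored.
import random

GAMMA, L, N_COEFFS = 1 << 19, 120, 256 * 7


def accept_probability(gamma: int = GAMMA, l: int = L, coeffs: int = N_COEFFS) -> float:
    """P(all coefficients satisfy |y_i + w_i| < gamma - l). For |w_i| <= l exactly
    2*(gamma - l) - 1 of the 2*gamma values of y_i pass, whatever w_i is, so the
    probability does not depend on the secret-dependent shift."""
    return ((2 * (gamma - l) - 1) / (2 * gamma)) ** coeffs


def expected_repetitions(gamma: int = GAMMA, l: int = L, coeffs: int = N_COEFFS) -> float:
    """Mean of the geometric distribution of attempts: 1 / P(accept)."""
    return 1.0 / accept_probability(gamma, l, coeffs)


def simulate(trials: int = 400, seed: int = 1, gamma: int = GAMMA, l: int = L,
             coeffs: int = N_COEFFS):
    """Repeat the sample-y / check-||z||_inf loop `trials` times and return
    (mean attempts, histogram {attempts: count}) to compare with Fig. 2."""
    rng = random.Random(seed)
    hist = {}
    total = 0
    for _ in range(trials):
        attempts = 0
        while True:
            attempts += 1
            # worst-case shift |w_i| = l with random sign; y_i uniform on (-gamma, gamma]
            ok = all(abs(rng.randrange(-gamma + 1, gamma + 1) + rng.choice((-l, l))) < gamma - l
                     for _ in range(coeffs))
            if ok:
                break
        hist[attempts] = hist.get(attempts, 0) + 1
        total += attempts
    return total / trials, hist


if __name__ == "__main__":
    print("analytic expected repetitions:", round(expected_repetitions(), 3))
    print("simulated (mean, histogram):", simulate())
```

Under these assumptions the analytic value comes out near 1.51, in line with the measured 1.52; the small gap is sampling noise plus the extra restart for a non-invertible component of y, which the estimate ignores.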
To better demonstrate the characteristics of the method of the invention, this example also provides comparative experiments with the prior art, for which two representative prior-art schemes were selected, from the references:
[1] SILDE T. Verifiable Decryption for BGV [J]. Cryptology ePrint Archive, 2021.
[2] LYUBASHEVSKY V, NGUYEN N K, SEILER G. Shorter lattice-based zero-knowledge proofs via one-time commitments [C]. In: IACR International Conference on Public-Key Cryptography, 2021: 215-241. [DOI: 10.1007/978-3-030-75245-3_9].
Through program implementation, at about 128 bits of classical and quantum security, the comparison of security attributes between the MLWE- and MSIS-based verifiable decryption method of the invention and the related schemes is shown in Table 1, and the performance comparison in Table 2.
Table 1 Comparison of security attributes
Table 2 Performance comparison results
The experimental results show that the scheme of the invention is a non-interactive verifiable decryption scheme that needs no trusted third party, and that it is far superior to the prior-art schemes in the number of repetitions and in verification time.
Finally, it is noted that the above-mentioned preferred embodiments illustrate rather than limit the invention, and that, although the invention has been described in detail with reference to the above-mentioned preferred embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the scope of the invention as defined by the appended claims.
Claims (8)
1. A verifiable decryption method based on MLWE and MSIS, carried out by two parties, a prover and a verifier, without the participation of a trusted third party, wherein the prover is the party holding the private key and the verifier is the party performing the computation, characterized in that the method comprises the following steps:
S1: set the parameters of the MLWE- and MSIS-based verifiable decryption method: λ, n, q, k, d_u, d_v, d_h, γ, η_1, η_2, τ, l;
wherein λ is the security parameter, set by pre-judging that the adversary's number of attack attempts is at most 2^λ; n is the degree of the polynomial ring; q is the modulus, with q ≡ 1 mod 2n; k is the vector dimension, a positive integer chosen according to the security parameter λ; d_u and d_v are the numbers of bits to which u and v of the ciphertext c = (u, v) produced by the IND-CPA-secure public-key encryption scheme of Kyber are compressed; d_h is the parameter of the compression function, i.e. the number of bits after data compression; γ is the coefficient bound of the (k+1)-dimensional polynomial vector y; η_1 is the coefficient bound of the private key s, the noise vector e and the random vector r in Kyber; η_2 is the coefficient bound of the ciphertext noise e_1, e_2 in Kyber; τ is the number of ±1 entries in the challenge value h, chosen according to the security parameter λ and the degree n of the polynomials in R_q so as to satisfy the required condition; l is ‖(−s, 1)·h‖_∞, computed from the coefficient bound η_1 of the private key s and the parameter τ; ‖·‖_∞ is the infinity norm;
S2: the prover calls the key generation algorithm of the IND-CPA-secure public-key encryption scheme of Kyber to generate a public/private key pair (pk, sk), holds the private key and publishes the public key;
S3: the prover and the verifier call the encryption algorithm of the IND-CPA-secure public-key encryption scheme of Kyber, each encrypting its own plaintext vector with the public key to obtain a ciphertext vector, and publish the ciphertext vectors;
S4: the verifier performs homomorphic computation on the components of the ciphertext vectors to produce a homomorphic ciphertext, refreshes the homomorphic ciphertext by bootstrapping once the computation is complete, and publishes the refreshed homomorphic ciphertext;
S5: the prover calls the decryption algorithm of the IND-CPA-secure public-key encryption scheme of Kyber and decrypts the homomorphic ciphertext c with the private key s to obtain the plaintext m = Compress_q(v − s^T u, 1) ∈ R_2 corresponding to c;
wherein the compression function is defined as y = Compress_q(x, d) = ⌈(2^d/q)·x⌋ mod^+ 2^d, with input x and d < ⌈log_2(q)⌉ and output y ∈ {0, ..., 2^d − 1}; ⌈·⌋ denotes rounding to the nearest integer; mod^+ is the modulo operator: for a positive integer α, r′ = r mod^+ α means that r′ lies in the range [0, α);
S6: the prover constructs the Kyber ciphertext vector c′ corresponding to the plaintext 0 ∈ R_2, randomly selects a (k+1)-dimensional polynomial vector y with coefficient bound γ, and takes the first k components of y as a vector;
S7: the prover first estimates the distribution of the difference between the data it holds and the data the verifier holds, constructs jump intervals centred on the argument values at which the value of the compression function jumps, with the truncation bound of the difference as radius, stores the indices of the coefficients of the data c′^T·y and of the second part of the data that fall in the jump intervals in the sets E_1 and E_2 respectively and sets those coefficients to zero, then computes the challenge value h with a hash function and then the response value z, accepts z only if ‖z‖_∞ < γ − l and otherwise returns to step S6, and concatenates m, h, z, E_1, E_2 into the proof π = (m, h, z, E_1, E_2), which it sends to the verifier over a secure channel;
S8: after receiving the proof π, the verifier computes the Kyber ciphertext vector c′ corresponding to the plaintext 0 ∈ R_2, takes the first k components of the response value z as a vector, uses the indices in the sets E_1, E_2 to set the corresponding coefficients of the data c′^T·z and of the second part of the data to zero, computes a hash value and compares it with the challenge value h in the proof π, and at the same time checks ‖z‖_∞; if the computed hash value differs from the challenge value h in π or ‖z‖_∞ ≥ γ − l, verification fails and 0 is output to indicate rejection; otherwise verification succeeds and 1 is output to indicate acceptance.
2. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S2 is performed by the prover and specifically comprises:
S202: the private key and the noise are sampled randomly from the centred binomial distribution,
3. The method of claim 1, wherein the encryption process of step S3 is specifically as follows: the prover and the verifier invoke the encryption algorithm Enc(pk, m_i) of the IND-CPA-secure public-key encryption scheme of Kyber on the data (m_i), 1 ≤ i ≤ t, where t varies with the data length, to obtain the ciphertext, and publish it.
4. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S4 is performed by the verifier and is specifically as follows: according to the ciphertext dimension t published by the two parties, an arbitrary function f(·) with t-dimensional input is constructed and the homomorphic ciphertext is computed; the homomorphic ciphertext is then refreshed by bootstrapping, and the refreshed ciphertext c is output and published.
5. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S5 is performed by the prover and the decryption process specifically comprises:
S501: first, u and v in the homomorphic ciphertext c generated in step S4 are decompressed with the decompression function, the results being assigned back to u and v;
S502: then the plaintext m = Compress_q(v − s^T u, 1) ∈ R_2 is obtained by decryption with the compression function;
6. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S6 is performed by the prover and specifically comprises:
S603: if any component of y is not invertible, return to step S602;
wherein, in step S602, the set S_γ consists of the elements t ∈ R with ‖t‖_∞ ≤ γ, the set {t mod^± 2γ : t ∈ R} is the set of its centred representatives, and y is a (k+1)-dimensional vector each component of which is taken from that set; mod^± is the modulo operator: for a positive even (or odd) α, r′ = r mod^± α means that r′ lies in the range (−α/2, α/2] (or the corresponding centred range for odd α).
7. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S7 is performed by the prover and the proof-generation process specifically comprises:
S701: according to the format agreed in advance by the prover and the verifier, calculate the radius I_L1 of the jump interval corresponding to the difference between the first part of the data held by the prover and by the verifier;
S702: according to the format agreed in advance by the prover and the verifier, calculate the radius I_L2 of the jump interval corresponding to the difference between the second part of the data held by the prover and by the verifier;
S703: calculate the first part of the data held by the prover, prover-data_1 = c′^T · y ∈ R_q;
S704: traverse each coefficient of prover-data_1 together with all jump centres; if the i-th coefficient lies in the jump interval [−I_L1 + pos, I_L1 + pos] formed by the j-th jump centre, set the i-th coefficient of prover-data_1 to zero and put its index i into the set E_1, where i ∈ {0, 1, 2, ..., n−1},
S706: traverse each coefficient of each component of the second part of the data held by the prover, prover-data_2, together with all jump centres; if the i-th coefficient of the i′-th component lies in the jump interval [−I_L2 + pos, I_L2 + pos] formed by the j-th jump centre, set that coefficient of prover-data_2 to zero and put the joint index (i′, i) into the set E_2, where i′ ∈ {0, 1, 2, ..., k} and i ∈ {0, 1, 2, ..., n−1},
S709: if ‖z‖_∞ ≥ γ − l, return to step S602;
S710: output the proof π = (m, h, z, E_1, E_2) and send it to the verifier;
8. The MLWE- and MSIS-based verifiable decryption method of claim 1, wherein step S8 is performed by the verifier and the process of verifying the received proof π specifically comprises the following steps:
S801: first, u and v in the homomorphic ciphertext c generated in step S4 are decompressed with the decompression function, the results being assigned back to u and v;
S803: take the first k components of the (k+1)-dimensional polynomial vector z in the proof π to form a new vector;
S804: compute the first part of the data held by the verifier, verifier-data_1 = c′^T · z ∈ R_q;
S805: traverse each element j of the set E_1 and set the j-th coefficient of verifier-data_1 to zero;
S807: traverse each element (j′, j) of the set E_2 and set the j-th coefficient of the j′-th component of verifier-data_2 to zero;
S808: if h ≠ H(Compress_q(verifier-data_1, d_h), Compress_q(verifier-data_2, d_h)) or ‖z‖_∞ ≥ γ − l, output 0 to indicate rejection; otherwise output 1 to indicate acceptance.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210739095.3A CN115150094B (en) | 2022-06-12 | 2022-06-12 | Verifiable decryption method based on MLWE and MSIS |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115150094A (en) | 2022-10-04 |
CN115150094B (en) | 2024-04-16 |
Family
ID=83408783
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210739095.3A Active CN115150094B (en) | 2022-06-12 | 2022-06-12 | Verifiable decryption method based on MLWE and MSIS |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115150094B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117726421A (en) * | 2024-02-07 | 2024-03-19 | 湖南三湘银行股份有限公司 | Rights management method applied to bank |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170366349A1 (en) * | 2016-06-16 | 2017-12-21 | International Business Machines Corporation | Proofs of Plaintext Knowledge and Group Signatures Incorporating Same |
US20180309574A1 (en) * | 2017-04-25 | 2018-10-25 | International Business Machines Corporation | One-shot verifiable encryption from lattices |
CN108923907A (en) * | 2018-06-20 | 2018-11-30 | 中国科学院重庆绿色智能技术研究院 | A kind of homomorphism Inner product method based on the fault-tolerant problem concerning study of mould |
CN109787743A (en) * | 2019-01-17 | 2019-05-21 | 广西大学 | A kind of full homomorphic cryptography method that can verify that based on matrix operation |
Non-Patent Citations (3)
Title |
---|
CHANGBO CHEN: "A Numerical Method for Analyzing the Stability of Bi-parametric Biological Systems", 18th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, 26 January 2017 (2017-01-26) * |
WU Liqiang; YANG Xiaoyuan; ZHANG Minqing: "Identity-based threshold decryption scheme over lattices in the standard model" (标准模型下格上基于身份的门限解密方案), Journal of Computer Research and Development (计算机研究与发展), no. 10, 15 October 2018 (2018-10-15) * |
KE Chengsong: "A low-expansion-rate encryption algorithm based on MLWE" (基于MLWE的低膨胀率加密算法), Computer Science (计算机科学), vol. 46, no. 4, 15 April 2019 (2019-04-15) * |
Also Published As
Publication number | Publication date |
---|---|
CN115150094B (en) | 2024-04-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |