CN108234108B - High-efficiency de-ordering encryption method for weak leakage - Google Patents


Info

Publication number
CN108234108B
Authority
CN
China
Prior art keywords: plaintext, ciphertexts, sub, bit, encryption
Legal status
Active
Application number
CN201711345316.4A
Other languages
Chinese (zh)
Other versions
CN108234108A (en)
Inventor
黎源
赵运磊
朱扬勇
Current Assignee
Fudan University
Original Assignee
Fudan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC


Abstract

The invention belongs to the technical field of cryptography and relates in particular to an efficient order-revealing encryption method with weak leakage. The invention comprises a triple of initialization, encryption and comparison algorithms, denoted as

Description

High-efficiency de-ordering encryption method for weak leakage
Technical Field
The invention belongs to the technical field of cryptography and relates in particular to an order-revealing encryption method in symmetric-key (private-key) encryption.
Background
Preliminaries and notation:
A hash function H is a mapping from a domain to a range, $H: \{0,1\}^m \to \{0,1\}^n$. The domain may be the set of bit strings of arbitrary length, $\{0,1\}^*$, or of a fixed length, $\{0,1\}^m$; the range is usually a set of bit strings of fixed length, $\{0,1\}^n$. Here m is required to be larger than n, i.e. the hash function is compressing. A hash function is collision resistant if it is computationally infeasible to find two distinct values x and x' in the domain such that $H(x) = H(x')$. It is one-way (preimage resistant) if, for any given y in the range, it is computationally infeasible to find an x such that $H(x) = y$. Several hash functions are widely used in cryptography: for example, MD5 maps data of arbitrary length to a 128-bit string, and the output of another common hash function, SHA-1, is a 160-bit string. The notion of a hash function is very broad, ranging from a simple mixing function to a function with pseudorandom output. A hash function with pseudorandom output is often idealized in cryptographic analysis as a "random oracle". Pseudorandom functions are also commonly used for this purpose. A keyed function $F: \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ is a pseudorandom function if no polynomial-time adversary can distinguish $F_k$ from $f_n$, where k is chosen uniformly at random from $\{0,1\}^m$ and $f_n$ is chosen uniformly at random from the set of all functions whose domain and range are both $\{0,1\}^n$.
The main application of order-revealing encryption (ORE) and order-preserving encryption (OPE) is secure database systems such as CryptDB, proposed by Popa et al. With these two cryptographic tools, database operations based on the order relation, such as range queries and sorting, can act directly on ciphertexts, giving a database system that meets the security requirement. Order-revealing encryption was originally proposed to bypass a negative result for order-preserving encryption, namely that there is no efficient order-preserving encryption scheme with ideal security. Order-revealing encryption was first proposed by Boneh et al.; however, their scheme is built from multilinear maps, and the current immaturity of multilinear-map techniques makes it inefficient. Subsequently, Chenette et al. constructed an efficient order-revealing encryption scheme, but it leaks a large amount of information, including the order of the plaintexts and the most significant differing bit. To reduce the leakage, i.e. to improve security, Cash et al. constructed an order-revealing encryption scheme from bilinear maps whose leakage consists of the order of the plaintexts and the equality pattern of the most significant differing bits, which is strictly less than the leakage of the scheme of Chenette et al.; but the efficiency of that scheme suffers because its comparison algorithm uses a large number of bilinear-map operations. Because of its important application to encrypted databases, order-revealing encryption has therefore received wide attention in recent years.
An order-revealing encryption scheme consists of a triple of algorithms, initialization, encryption and comparison, ORE = (ORE.Setup, ORE.Encrypt, ORE.Compare):
ORE.Setup($1^\lambda$) → sk. The algorithm takes a security parameter λ and outputs a private key sk, used as the key of the encryption algorithm.
ORE.Encrypt(sk, m) → ct. The algorithm takes the private key and a plaintext m, generates a ciphertext ct and outputs it.
ORE.Compare($ct_1$, $ct_2$) → b. The algorithm takes two ciphertexts and outputs a bit b ∈ {0,1} that represents the order relation of the plaintexts corresponding to the two ciphertexts.
In general, order-revealing encryption schemes give no particular description of a decryption algorithm.
Although the scheme of Cash et al. leaks less information than that of Chenette et al., it is inefficient because its comparison algorithm uses a large number of bilinear-map operations. The invention therefore provides an order-revealing encryption scheme whose leakage is close to that of Cash et al. while meeting the requirement of high efficiency. In fact, the order-revealing encryption scheme of the invention mainly addresses the trade-off between security and efficiency, thereby providing a more reasonable order-revealing encryption scheme.
Disclosure of Invention
The object of the invention is to provide an efficient order-revealing encryption method with weak leakage (namely leaking only the order of the plaintexts, the equality pattern of the most significant differing bits of the plaintexts, and partial information about the most significant differing bits of the plaintexts).
The efficient order-revealing encryption method with weak leakage provided by the invention, denoted Π, comprises a triple of initialization, encryption and comparison algorithms, written as (ORE.Setup, ORE.Encrypt, ORE.Compare). Let H be a hash function mapping $\{0,1\}^\lambda \times \{0,1\}^n$ to $\{0,1\}^\lambda$; let F and F′ be two pseudorandom functions with different domains and ranges, $F: \{0,1\}^\lambda \times ([n] \times \{0,1\}^{n-1}) \to \{0,1\}^\lambda$ and $F': \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}$.
The efficient order-revealing encryption method with weak leakage provided by the invention comprises the following specific steps:
First, the initialization algorithm Setup is executed. It takes a security parameter λ, generates the key k needed for subsequent encryption, selects a mapping ε, and outputs k and ε as the user's key sk;
Second, an authorized user inputs the key sk and a plaintext m and executes the encryption algorithm Encrypt. The algorithm selects a random number r and then generates a sub-ciphertext subct_i for each bit i from 1 to n by a specific strategy. For the sub-ciphertext subct_i of the i-th bit, mb(m, i, ε) is computed first; then, according to whether its value is 0 or 1, a sub-ciphertext part tc_i with a verification function and a sub-ciphertext part cc_i with a computation function are generated by the corresponding strategies; tc_i and cc_i together form the sub-ciphertext of the i-th bit. A random permutation is selected and applied to subct_1, …, subct_n, and the permuted result together with the random number r is output as the ciphertext of the plaintext m.
Then the comparison algorithm is executed: to compare two ciphertexts ct_1, ct_2, the ciphertexts are first parsed and their sub-ciphertexts are then analysed further. If the two ciphertexts contain sub-ciphertexts that are mutually verifiable, the key bit γ is computed from the computation parts of the corresponding sub-ciphertexts, and the order of the plaintexts of the two ciphertexts is decided from γ. Otherwise, if no mutually verifiable sub-ciphertexts exist, the plaintexts of the two ciphertexts are equal.
The three algorithms of the efficient order-revealing encryption method of the invention are as follows:
Setup($1^\lambda$), initialization algorithm: given the input security parameter λ, perform the following operations:
i. generate a key k for the encryption algorithm;
ii. select a function $\varepsilon: [n] \times \{0,1\}^{n-1} \to \{0,1\}$;
iii. set the key sk = (k, ε) and output it.
Encrypt(sk, m), encryption algorithm: given the input key and plaintext, perform the following operations (let $a_1 a_2 \cdots a_n$ be the binary coding of the plaintext m). Select a random number
Figure BDA0001509223140000031
For each i ∈ [n], perform the following operations:
i. compute $mb(m, i, \varepsilon) = \varepsilon(i, a_1 a_2 \cdots a_{i-1} \| 0^{n-i})$;
ii. if $mb(m, i, \varepsilon) = a_i$, compute
$tc_i = F(k, i-1, a_1 a_2 \cdots a_{i-1} \| 0^{n-i+1})$;
otherwise compute
$tc_i = H(F(k, i-1, a_1 a_2 \cdots a_{i-1} \| 0^{n-i+1}), r)$;
iii. if $mb(m, i, \varepsilon) = 0$, select one bit uniformly at random as $cc_i$, i.e.
Figure BDA0001509223140000032
if $mb(m, i, \varepsilon) = 1$, compute:
Figure BDA0001509223140000033
For each i ∈ [n] set $subct_i = (tc_i, cc_i)$. Then select a random permutation π and set the ciphertext to $ct = (r, subct_{\pi(1)}, \ldots, subct_{\pi(n)})$, which is output.
Compare($ct_1$, $ct_2$), comparison algorithm: first, parse the two ciphertexts $ct_1$, $ct_2$ as follows:
Figure BDA0001509223140000034
Figure BDA0001509223140000035
where, for e ∈ {1, 2} and i ∈ {1, 2, …, n}, the following condition holds:
Figure BDA0001509223140000036
Then compare the plaintexts of the two ciphertexts by the following steps:
i. if there exist i, k ∈ [n] such that
Figure BDA0001509223140000037
and
Figure BDA0001509223140000038
are mutually "verifiable", i.e.
Figure BDA0001509223140000039
or
Figure BDA00015092231400000310
then go to the next step;
otherwise output 0, indicating that the plaintexts of the two ciphertexts are equal. Here we assume that
Figure BDA0001509223140000041
ii. for the sub-ciphertexts satisfying the "verifiable" relation,
Figure BDA0001509223140000042
and
Figure BDA0001509223140000043
compute:
Figure BDA0001509223140000044
If γ = 0, output 1, indicating that the plaintext of $ct_1$ is greater than that of $ct_2$; otherwise, if γ = 1, output 2, indicating that the plaintext of $ct_1$ is less than that of $ct_2$.
For the case
Figure BDA0001509223140000045
the procedure for deciding the order relation of the plaintexts is the same as that for
Figure BDA0001509223140000046
above.
Here, let L be the leakage function of the order-revealing encryption method. It comprises three parts of information: the order of the plaintexts, the equality pattern of the most significant differing bits of the plaintexts, and partial information about the most significant differing bits of the plaintexts. Note that the information about the plaintexts that is leaked when the comparison algorithm is run on ciphertexts can be represented by this leakage function.
The leakage function L is described below. First, several notions are introduced: order comparison (CMP), the most significant differing bit (msdb) and partial information about the most significant differing bit (pmsdb).
Order comparison (CMP), the result of comparing the plaintexts, is defined as:
Figure BDA0001509223140000047
The most significant differing bit (msdb) is defined as:
$msdb(m_1, m_2) = \min\{\, i : m_1[i] \ne m_2[i] \,\}$, where min denotes taking the minimum and $m[i]$ denotes the i-th bit of the plaintext m.
Partial information about the most significant differing bit (pmsdb) is defined by the following procedure:
Input: $m_1, m_2$
Output: $pmsdb(m_1, m_2)$
1. Initialize $pmsdb(m_1, m_2)$ to 1;
2. For i from 1 to $msdb(m_1, m_2) - 1$, do the following:
a. if $\varepsilon(i, a_1 a_2 \cdots a_{i-1} \| 0^{n-i}) = 0$ (where $a_1 a_2 \cdots$ is the binary coding of $m_1$, which agrees with that of $m_2$ on these positions), then
$pmsdb(m_1, m_2) = pmsdb(m_1, m_2) + 1$;
b. otherwise, continue;
3. Return $pmsdb(m_1, m_2)$.
The leakage function is then defined as follows:
Figure BDA0001509223140000051
where $1 \le i, q \le k$.
The invention provides an efficient order-revealing encryption scheme. The scheme is built from two efficient cryptographic primitives, a pseudorandom function and a hash function, which is the basis for its use in encrypted databases. At the same time, the scheme leaks only three pieces of information, namely the order of the plaintexts, the equality pattern of the most significant differing bits of the plaintexts and partial information about the most significant differing bits of the plaintexts; this leakage is strictly less than that of the scheme of Chenette et al., so the scheme gives a considerable security guarantee. Although the scheme of the invention leaks slightly more information than the scheme of Cash et al., the scheme of Cash et al. is not well suited to encrypted database systems because its comparison algorithm requires a large number of bilinear-map operations, which makes it inefficient compared with the present scheme.
Detailed Description
The following describes an embodiment of the algorithm in detail, taking as an example a database that encrypts and compares the integer data "1011" and "987".
In practice there are many possible choices for the keyed hash function, the pseudorandom function and the trapdoor permutation; in the description below, SHA256 is used as an example for both the pseudorandom function and the keyed hash function. Data is written in hexadecimal, the security parameter λ is 128, and the plaintext space is assumed to be 10 bits.
I. Algorithm initialization phase
Randomly select a 128-bit subkey k:
2A8D8F6503CF1A36CC548712AB840D52.
Then randomly select another 128-bit subkey:
A6810D0C6EF46EF324CC513D28650005,
and use it with HMAC-SHA256 to generate ε (different output lengths are obtained by simply truncating the output).
II. Encryption phase for the decimal integer data "1011":
1. 1011 is written in binary as 1111110011.
2. A 128-bit random number 4575F8DAD76981BFF081C911AB6B601C is selected.
3. The sub-ciphertexts are computed bit by bit from the most significant bit down.
For example, for the most significant bit, first mb(1011, 1, ε) = ε(1, 000000000) is computed, and the result is 0. Next, compute
F(k, 1, 000000000) =
14963467c6a2a4babd81cb6edc7620f078986ed083a52b81934db22332eff9e3.
Then compute H(F(k, 1, 1110000000), 4575F8DAD76981BFF081C911AB6B601C) = ddb57266534b3654da411dc4a2f68571026d6398f1e0ba7ab2fba62ca819b7e4.
Then compute
F′(14963467c6a2a4babd81cb6edc7620f078986ed083a52b81934db22332eff9e3, 4575F8DAD76981BFF081C911AB6B601C) ⊕ 1 = 0.
The sub-ciphertext of the first bit is:
(ddb57266534b3654da411dc4a2f68571026d6398f1e0ba7ab2fba62ca819b7e4,0)
Similarly, the sub-ciphertexts of the next nine bits are computed as:
(c6bab995ea2e8a3a902a5019b719b1aef46e6d90da22fcee1c9c1f6b73fce725,0),
(1d29992e714404529e7a6b764434bd1029db0f5d4679a69961873fdb2ec2fcc6,1),
(c938273a3cf72c5e417ecce3b5e81c3362f8014013d16694d445b70b99b24e52,0),
(5bc27762abc0b0d9db0b447f9ddaa31ca5cd5d9a0edc40525efafedddd59b497,0),
(a8ca3024ee214aaeba3da1bc314a30acf4325d6578a6bcb6015e1ca0d0e9337e,1),
(5b50f7213227ab4a5749cee14a986c17fd5dd188498d67d67a489a8e80beabbe,1),
(40c461f8f849110223c31d31f0cf6f73909621a75c251970750955371ed4ba81,0),
(a823032101d5d3712ff26cf444e90aa85d858d340b7a42995114c54bbb2fe0d6,1),
(ef49759c1abe501794cb15066d44d4e77ced968437808186c1b863a230c3c9c4,0)。
4. Select a random permutation and permute the order of the sub-ciphertexts to obtain the ciphertext:
4575F8DAD76981BFF081C911AB6B601C,
(5b50f7213227ab4a5749cee14a986c17fd5dd188498d67d67a489a8e80beabbe,1),
(1d29992e714404529e7a6b764434bd1029db0f5d4679a69961873fdb2ec2fcc6,1),
(c938273a3cf72c5e417ecce3b5e81c3362f8014013d16694d445b70b99b24e52,0),
(ef49759c1abe501794cb15066d44d4e77ced968437808186c1b863a230c3c9c4,0),
(a8ca3024ee214aaeba3da1bc314a30acf4325d6578a6bcb6015e1ca0d0e9337e,1),
(ddb57266534b3654da411dc4a2f68571026d6398f1e0ba7ab2fba62ca819b7e4,0),
(40c461f8f849110223c31d31f0cf6f73909621a75c251970750955371ed4ba81,0),
(5bc27762abc0b0d9db0b447f9ddaa31ca5cd5d9a0edc40525efafedddd59b497,0),
(a823032101d5d3712ff26cf444e90aa85d858d340b7a42995114c54bbb2fe0d6,1),
(c6bab995ea2e8a3a902a5019b719b1aef46e6d90da22fcee1c9c1f6b73fce725,0).
III. Encryption phase for the decimal integer data "987":
1. 987 is written in binary as 1111011011.
2. A 128-bit random number AB76AF098185B17A6597F61005BDD541 is selected.
3. The sub-ciphertexts are computed bit by bit from the most significant bit down.
For example, for the most significant bit, first mb(987, 1, ε) = ε(1, 000000000) is computed, and the result is 0. Next, compute
F(k, 1, 000000000) =
14963467c6a2a4babd81cb6edc7620f078986ed083a52b81934db22332eff9e3.
Then compute H(F(k, 1, 1110000000), AB76AF098185B17A6597F61005BDD541) = 9238b2b7cc25101e447f7058fb3f15af26f860c19bb2f4020b3f486f73174d4e.
Then compute
F′(9238b2b7cc25101e447f7058fb3f15af26f860c19bb2f4020b3f486f73174d4e, AB76AF098185B17A6597F61005BDD541) ⊕ 1 = 1.
The sub-ciphertext of the first bit is:
(9238b2b7cc25101e447f7058fb3f15af26f860c19bb2f4020b3f486f73174d4e,1).
Similarly, the sub-ciphertexts of the next nine bits are computed as:
(995a148417c9b57345f1e3ed6e87d00c6d279f4274d9ebdc3757175f8b700653,0),
(1d29992e714404529e7a6b764434bd1029db0f5d4679a69961873fdb2ec2fcc6,0),
(c938273a3cf72c5e417ecce3b5e81c3362f8014013d16694d445b70b99b24e52,1),
(c030c851817ca02f339b6a49daee7aa49d4bf0ffa25531cb5bb5155ca01ff07f,1),
(f9bbc5905b743a6a8b63134900ab85b6c39d2f9afc6bdf3d0e7da6709e7c0684,0),
(51c9d8ef7a981e0b75251ffe3f97638d87a428e39d15209beb03c8117e412746,1),
(8208be7415566251b93b696a43ecaff9d31d82bdc1f5baae40e97d8fee3e235b,0),
(ed8f2af9f682dc63c2f15f0b1424904dbdd74b3d6b5046b752f8278aa7eb5767,1),
(6066f821e33d7d8836b9688adac986bb10aac4617e0905a6e7447ce772f2dbbd,1).
4. Select a random permutation and permute the order of the sub-ciphertexts to obtain the ciphertext:
AB76AF098185B17A6597F61005BDD541,
(c030c851817ca02f339b6a49daee7aa49d4bf0ffa25531cb5bb5155ca01ff07f,1),
(9238b2b7cc25101e447f7058fb3f15af26f860c19bb2f4020b3f486f73174d4e,1),
(995a148417c9b57345f1e3ed6e87d00c6d279f4274d9ebdc3757175f8b700653,0),
(51c9d8ef7a981e0b75251ffe3f97638d87a428e39d15209beb03c8117e412746,1),
(1d29992e714404529e7a6b764434bd1029db0f5d4679a69961873fdb2ec2fcc6,0),
(c938273a3cf72c5e417ecce3b5e81c3362f8014013d16694d445b70b99b24e52,1),
(6066f821e33d7d8836b9688adac986bb10aac4617e0905a6e7447ce772f2dbbd,1),
(f9bbc5905b743a6a8b63134900ab85b6c39d2f9afc6bdf3d0e7da6709e7c0684,0),
(8208be7415566251b93b696a43ecaff9d31d82bdc1f5baae40e97d8fee3e235b,0),
(ed8f2af9f682dc63c2f15f0b1424904dbdd74b3d6b5046b752f8278aa7eb5767,1).
IV. Comparison of the two ciphertexts obtained above:
1. First, verify the sub-ciphertexts pairwise; eventually one finds:
H(5bc27762abc0b0d9db0b447f9ddaa31ca5cd5d9a0edc40525efafedddd59b497,
AB76AF098185B17A6597F61005BDD541)
= c030c851817ca02f339b6a49daee7aa49d4bf0ffa25531cb5bb5155ca01ff07f.
2. Then, by computing
F′(5bc27762abc0b0d9db0b447f9ddaa31ca5cd5d9a0edc40525efafedddd59b497, AB76AF098185B17A6597F61005BDD541) ⊕ 1 = 0,
the key bit γ is 0, so the plaintext of the first ciphertext (1011) is greater than the plaintext of the second ciphertext (987).
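As an added worked example (not code from the patent or its inventors), the following Python implements the Setup, Encrypt and Compare algorithms described above together with the msdb and pmsdb leakage helpers, and runs them on the page's inputs 1011 and 987. It follows the embodiment in using HMAC-SHA256 for F, F′ and ε, and assumes SHA-256 for H, a 10-bit plaintext space and the page's 0/1/2 output convention for Compare. Two further assumptions are marked in the code: the byte encoding of (i, prefix) used as PRF input, and the computation part cc_i, which is set to F′(u_i, r) ⊕ a_i at every position as in the page's worked example, because the page's rule for the mb = 0 branch is in an image that is not reproduced here.

```python
import hashlib
import hmac
import secrets

N = 10             # plaintext bit length n; the embodiment uses a 10-bit plaintext space
LAMBDA_BYTES = 16  # security parameter lambda = 128 bits


def bits(m: int) -> list:
    """Binary coding a_1 a_2 ... a_n of m, most significant bit first."""
    return [(m >> (N - 1 - i)) & 1 for i in range(N)]


def _enc(i: int, prefix: list) -> bytes:
    """ASSUMPTION: unambiguous byte encoding of (i, bit string) for the PRF/hash inputs."""
    return bytes([i]) + "".join(map(str, prefix)).encode()


def eps(k_eps: bytes, i: int, prefix: list) -> int:
    """Secret map eps: [n] x {0,1}^(n-1) -> {0,1}; HMAC-SHA256 truncated to one bit, as in the embodiment."""
    return hmac.new(k_eps, b"eps" + _enc(i, prefix), hashlib.sha256).digest()[0] & 1


def F(k: bytes, i: int, prefix: list) -> bytes:
    """PRF F(k, i, prefix); HMAC-SHA256 stands in for F, as in the embodiment."""
    return hmac.new(k, b"F" + _enc(i, prefix), hashlib.sha256).digest()


def H(x: bytes, r: bytes) -> bytes:
    """Hash H(x, r); SHA-256 is an assumption of this example."""
    return hashlib.sha256(x + r).digest()


def F_prime(x: bytes, r: bytes) -> int:
    """One-bit PRF F'(x, r); as in the page's comparison step it is keyed by a sub-ciphertext value, not by sk."""
    return hmac.new(x, b"F'" + r, hashlib.sha256).digest()[0] & 1


def setup() -> tuple:
    """Setup(1^lambda): sk = (k, eps); eps is represented by the HMAC key that defines it."""
    return secrets.token_bytes(LAMBDA_BYTES), secrets.token_bytes(LAMBDA_BYTES)


def encrypt(sk: tuple, m: int) -> tuple:
    """Encrypt(sk, m) -> (r, randomly permuted list of sub-ciphertexts (tc_i, cc_i))."""
    k, k_eps = sk
    a = bits(m)
    r = secrets.token_bytes(LAMBDA_BYTES)
    subcts = []
    for i in range(1, N + 1):
        a_i = a[i - 1]
        mb = eps(k_eps, i, a[:i - 1] + [0] * (N - i))       # eps(i, a_1..a_{i-1} || 0^{n-i})
        u = F(k, i - 1, a[:i - 1] + [0] * (N - i + 1))      # F(k, i-1, a_1..a_{i-1} || 0^{n-i+1})
        tc = u if mb == a_i else H(u, r)                    # verification part tc_i
        # ASSUMPTION: cc_i = F'(u_i, r) xor a_i at every position, as in the page's worked
        # example; the page's mb = 0 branch (a random bit) is not reproduced on the page.
        cc = F_prime(u, r) ^ a_i
        subcts.append((tc, cc))
    secrets.SystemRandom().shuffle(subcts)                  # random permutation pi
    return r, subcts


def compare(ct1: tuple, ct2: tuple) -> int:
    """Compare(ct1, ct2): 0 if the plaintexts are equal, 1 if m1 > m2, 2 if m1 < m2."""
    r1, s1 = ct1
    r2, s2 = ct2
    for tc1, cc1 in s1:
        for tc2, cc2 in s2:
            if H(tc1, r2) == tc2:               # ct1 holds the F-value u at the msdb, ct2 holds H(u, r2)
                gamma = F_prime(tc1, r2) ^ cc2  # recovers the msdb bit of m2
                return 1 if gamma == 0 else 2
            if H(tc2, r1) == tc1:               # symmetric case: ct2 holds u
                gamma = F_prime(tc2, r1) ^ cc1  # recovers the msdb bit of m1
                return 2 if gamma == 0 else 1
    return 0                                    # no verifiable pair: plaintexts are equal


def msdb(m1: int, m2: int) -> int:
    """Most significant differing bit, 1-indexed (requires m1 != m2)."""
    a, b = bits(m1), bits(m2)
    return min(i + 1 for i in range(N) if a[i] != b[i])


def pmsdb(k_eps: bytes, m1: int, m2: int) -> int:
    """pmsdb: 1 plus the number of positions i < msdb where eps(i, a_1..a_{i-1} || 0^{n-i}) = 0."""
    a = bits(m1)                                # equals bits(m2) on the positions examined
    count = 1
    for i in range(1, msdb(m1, m2)):
        if eps(k_eps, i, a[:i - 1] + [0] * (N - i)) == 0:
            count += 1
    return count


if __name__ == "__main__":
    sk = setup()
    c1, c2 = encrypt(sk, 1011), encrypt(sk, 987)
    print("Compare(1011, 987) =", compare(c1, c2),
          "msdb =", msdb(1011, 987), "pmsdb =", pmsdb(sk[1], 1011, 987))
```

Compare scans all n² sub-ciphertext pairs and returns 0 only when no pair verifies, which is exactly the equal-plaintext case, since equal plaintexts hold either the same F-value or hashes under different random numbers at every position. Because this example computes cc_i at every position, it leaks more than the page's leakage function states: at any position before the msdb where both ciphertexts hold the F-value, Compare knows u, both random numbers and cc_i, and can recover that bit; the page's random-bit branch for mb = 0 is not reproduced here.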

Claims (2)

1. An efficient order-revealing encryption method with weak leakage, comprising a triple of initialization, encryption and comparison algorithms, written as (ORE.Setup, ORE.Encrypt, ORE.Compare); let H be a hash function mapping $\{0,1\}^\lambda \times \{0,1\}^n$ to $\{0,1\}^\lambda$; let F and F′ be two pseudorandom functions with different domains and ranges, $F: \{0,1\}^\lambda \times ([n] \times \{0,1\}^{n-1}) \to \{0,1\}^\lambda$ and $F': \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}$; n denotes the bit length of the plaintext to be encrypted; characterized by comprising the following specific steps:
(1) first, an initialization algorithm Setup is executed, which takes a security parameter λ, generates the key k required for subsequent encryption, and selects a mapping $\varepsilon: [n] \times \{0,1\}^{n-1} \to \{0,1\}$; k and ε are taken as the user's key sk, i.e. sk = (k, ε), which is output;
(2) second, an authorized user inputs the key sk and the plaintext m to be encrypted and executes the encryption algorithm Encrypt; the algorithm selects a random number r and then generates a sub-ciphertext subct_i for each bit i from 1 to n; for the sub-ciphertext subct_i of the i-th bit, mb(m, i, ε) is computed first, and then, according to whether its value is 0 or 1, a sub-ciphertext part tc_i with a verification function and a sub-ciphertext part cc_i with a computation function are generated by the corresponding strategies; tc_i and cc_i together form the sub-ciphertext of the i-th bit; a random permutation is selected and applied to subct_1, …, subct_n, and the permuted result together with the random number r is output as the ciphertext of the plaintext m;
(3) then a comparison algorithm is executed: to compare two ciphertexts $ct_1$, $ct_2$, the ciphertexts are first parsed and the resulting sub-ciphertexts are then analysed further: if the two ciphertexts contain mutually verifiable sub-ciphertexts, the key bit γ is computed from the computation parts of the corresponding sub-ciphertexts, and the order of the plaintexts of the two ciphertexts is decided from γ; otherwise, if no mutually verifiable sub-ciphertexts exist, the plaintexts of the two ciphertexts are equal;
the encryption algorithm is as follows: given the input key sk and plaintext m, perform the following operations; let $a_1 a_2 \ldots a_n$ be the binary coding of the plaintext m; select a random number
Figure FDA0003022500200000011
For each i ∈ [n], perform the following operations:
i. compute $mb(m, i, \varepsilon) = \varepsilon(i, a_1 a_2 \ldots a_{i-1} \| 0^{n-i})$;
ii. if $mb(m, i, \varepsilon) = a_i$, compute
$tc_i = F(k, i-1, a_1 a_2 \ldots a_{i-1} \| 0^{n-i+1})$;
otherwise compute
$tc_i = H(F(k, i-1, a_1 a_2 \ldots a_{i-1} \| 0^{n-i+1}), r)$;
iii. if $mb(m, i, \varepsilon) = 0$, select one bit uniformly at random as $cc_i$,
Figure FDA0003022500200000012
if $mb(m, i, \varepsilon) = 1$, compute:
Figure FDA0003022500200000013
for each i ∈ [n] set $subct_i = (tc_i, cc_i)$; then select a random permutation π and set the ciphertext to $ct = (r, subct_{\pi(1)}, \ldots, subct_{\pi(n)})$, which is output;
the comparison algorithm Compare: first, parse the two ciphertexts $ct_1$, $ct_2$ as follows:
Figure FDA0003022500200000021
Figure FDA0003022500200000022
where, for e ∈ {1, 2} and i ∈ {1, 2, …, n}, the following condition holds:
Figure FDA0003022500200000023
then compare the plaintexts of the two ciphertexts by the following steps:
i. if there exist i, k ∈ [n] such that
Figure FDA0003022500200000024
and
Figure FDA0003022500200000025
are mutually "verifiable", i.e.
Figure FDA0003022500200000026
or
Figure FDA00030225002000000214
then go to the next step;
otherwise output 0, indicating that the plaintexts of the two ciphertexts are equal;
ii. when
Figure FDA0003022500200000027
for the sub-ciphertexts satisfying the "verifiable" relation
Figure FDA0003022500200000028
and
Figure FDA0003022500200000029
compute:
Figure FDA00030225002000000210
if γ = 0, output 1, indicating that the plaintext of $ct_1$ is greater than that of $ct_2$; otherwise, if γ = 1, output 2, indicating that the plaintext of $ct_1$ is less than that of $ct_2$;
for the case
Figure FDA00030225002000000211
the procedure for deciding the order relation of the plaintexts is the same as that for
Figure FDA00030225002000000212
above.
2. The efficient order-revealing encryption method with weak leakage according to claim 1, wherein the information about the corresponding plaintexts that is leaked by the comparison algorithm is represented by a leakage function L comprising three parts: the comparison result CMP of the plaintexts, whether the most significant differing bits of the plaintexts are equal, and the partial information pmsdb about the most significant differing bits of the plaintexts; the leakage function is defined as follows:
CMP is the result of comparing the plaintexts, defined as:
Figure FDA00030225002000000213
msdb is the most significant differing bit, defined as:
$msdb(m_1, m_2) = \min\{\, i : m_1[i] \ne m_2[i] \,\}$, where min denotes taking the minimum and $m[i]$ denotes the i-th bit of the plaintext m;
pmsdb is the partial information about the most significant differing bit, defined by the following procedure:
Input: $m_1, m_2$
Output: $pmsdb(m_1, m_2)$
(1) Initialize $pmsdb(m_1, m_2)$ to 1;
(2) For i from 1 to $msdb(m_1, m_2) - 1$, do the following:
(a) if $\varepsilon(i, a_1 a_2 \ldots a_{i-1} \| 0^{n-i}) = 0$, then
$pmsdb(m_1, m_2) = pmsdb(m_1, m_2) + 1$;
(b) otherwise, increase i by 1 and continue with step (2);
(3) Return $pmsdb(m_1, m_2)$.
Application CN201711345316.4A (priority date 2017-12-15, filing date 2017-12-15): High-efficiency de-ordering encryption method for weak leakage; status Active; granted as CN108234108B (en)

Publications (2)

Publication Number Publication Date
CN108234108A CN108234108A (en) 2018-06-29
CN108234108B true CN108234108B (en) 2021-06-22

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109088721B (en) * 2018-10-02 2022-01-28 复旦大学 Entrustable uncovering and encrypting method
CN110399735A (en) * 2019-06-21 2019-11-01 深圳壹账通智能科技有限公司 Encryption data size relation method of proof, device, equipment and storage medium
CN113254971B (en) * 2021-06-09 2022-07-05 中国电子科技集团公司第三十研究所 Multi-data type ciphertext comparison method based on de-scrambling encryption

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7725397B2 (en) * 2005-04-13 2010-05-25 Hewlett-Packard Development Company, L.P. Method and system for time-sequential authentication of shipments in supply chains
WO2010115063A1 (en) * 2009-04-03 2010-10-07 Wms Gaming, Inc. Integrating social networks and wagering games
CN107147487A (en) * 2017-05-23 2017-09-08 高胜法 The random block cipher of symmetric key

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Nathan Chenette et al., "Practical Order-Revealing Encryption with Limited Leakage", Fast Software Encryption (FSE 2016), Springer Berlin Heidelberg, 2016-07-20, pp. 474-493 *
David Cash et al., "Reducing the Leakage in Practical Order-Revealing Encryption", IACR Cryptology ePrint Archive, 2016, full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant