CN111526002A - Lattice-based multi-identity fully homomorphic encryption method - Google Patents


Publication number
CN111526002A
Authority
CN
China
Prior art keywords
identity
ciphertext
matrix
user identity
vector
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010578978.1A
Other languages
Chinese (zh)
Other versions
CN111526002B (en)
Inventor
成玉丹
翁健
刘志全
马建峰
颉满刚
孙红亮
殷菊笠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinan University
Original Assignee
Jinan University
Application filed by Jinan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Collating Specific Patterns (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a lattice-based multi-identity fully homomorphic encryption method, which comprises the following steps: system initialization; user key extraction: mapping the first user identity and the second user identity into invertible matrices by using a full-rank function, and generating a first private key corresponding to the first user identity and a second private key corresponding to the second user identity through vector operations; ciphertext generation: acquiring encryption selection of a first user identity, selecting a plaintext message to be encrypted, and encrypting to obtain a first ciphertext; single-identity decryption: for the first user identity, decrypting with the first private key to obtain the plaintext message; identity conversion: converting the first ciphertext of the first user identity into a second ciphertext corresponding to the second user identity through an identity conversion algorithm; fully homomorphic evaluation: performing the fully homomorphic operation on the identity-converted ciphertexts and then decrypting. The invention converts the encryption and decryption of a ciphertext with a single identity into the encryption and decryption of ciphertexts with multiple identities, and can realize correct homomorphic operation.

Description

Lattice-based multi-identity fully homomorphic encryption method
Technical Field
The invention relates to the technical field of fully homomorphic encryption security, in particular to a multi-identity fully homomorphic encryption method based on lattices.
Background
Based on the multiplicative homomorphism of the RSA public-key cryptosystem, Rivest et al. [Rivest R L, Adleman L, Dertouzos M L. On data banks and privacy homomorphisms [J]. Foundations of Secure Computation, 1978: 169-179] proposed the concept of homomorphic encryption: without decrypting the ciphertext, operations on the plaintext are realized by performing operations on the ciphertext, and the results are consistent. Homomorphic encryption has attracted wide attention from scholars at home and abroad, but that scheme does not fully realize homomorphism and cannot operate on ciphertexts an arbitrary number of times. In an identity-based encryption system, the unique identity of the user is used as the public key, and the private key generation center generates the private key of the user by using the system master private key. In order to reduce the key length of fully homomorphic encryption, researchers combined the ideas of identity-based encryption and fully homomorphic encryption to construct identity-based fully homomorphic encryption systems.
Building on Gentry's work, scholars at home and abroad have proposed many improved schemes. In 2017, Tang Yongli et al. [Tang Yongli, Summin, Liu beautiful, et al. New lattice identity-based fully homomorphic encryption scheme [J]. Communications, 2017, 38(5): 39-47] proposed a new identity-based fully homomorphic encryption scheme on lattices. With the advent of obfuscation models, Zhang Mingwu et al. [Zhang Mingwu, Shenhua, Muyi. Program obfuscation of virtual black box security: model, progress and challenge [J]. computer science, 2017, 40(12)] constructed a multi-identity homomorphic cryptosystem using obfuscators. Although these works provide new identity-based fully homomorphic encryption schemes, in practice single-identity operation cannot meet people's requirements for big data and cloud computing at all.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a lattice-based multi-identity fully homomorphic encryption method, which can convert the encryption and decryption of a ciphertext with a single identity into the encryption and decryption of ciphertexts with multiple identities and can realize correct fully homomorphic operation.
The purpose of the invention is realized by the following technical scheme:
A lattice-based multi-identity fully homomorphic encryption method comprises the following steps:
system initialization: first, generating a public key and a private key of the system;
user key extraction: mapping the first user identity and the second user identity into invertible matrices by using a full-rank function, and generating a first private key corresponding to the first user identity and a second private key corresponding to the second user identity through vector operations;
ciphertext generation: acquiring encryption selection of a first user identity, selecting a plaintext message to be encrypted, and encrypting to obtain a first ciphertext;
single-identity decryption: for the first user identity, decrypting with the first private key to obtain the plaintext message;
identity conversion: converting the first ciphertext of the first user identity into a second ciphertext corresponding to the second user identity through an identity conversion algorithm;
fully homomorphic evaluation: inputting a group of identity-converted ciphertexts, performing the fully homomorphic operation, and then decrypting.
Preferably, system parameters are input, and two matrices are generated through a trapdoor generation algorithm, wherein one matrix is a trapdoor matrix, the trapdoor matrix is used as a system private key, and the other matrix is used as a system public key.
Further, in the system initialization step, the generation of the public and private keys of the system includes the following sub-steps:
selecting a uniform random matrix
Figure BDA0002552427170000021
n-dimensional uniform random vector
Figure BDA0002552427170000022
running the trapdoor generation algorithm TrapGen(1^n, 1^m, q, H), which outputs a matrix
Figure BDA0002552427170000023
And trapdoor matrix thereof
Figure BDA0002552427170000024
outputting the system public key MPK = (B, t) and the system private key MSK = R, thereby generating uniform and random system public and private keys;
where n, m,
Figure BDA0002552427170000031
represent the dimensions of the system public and private key vectors; n is an integer with n ≥ 1; q is the modulus, an integer with q ≥ 2; m,
Figure BDA0002552427170000032
And n, q have a relationship of
Figure BDA0002552427170000033
O() denotes asymptotic order, m being on the order of n times the base-2 logarithm of q, used here to compute the number of rows and columns of the public key; k denotes the base-2 logarithm of q rounded up, used here to compute the dimension of the private key vector
Figure BDA0002552427170000034
H is expressed as a random invertible matrix
Figure BDA0002552427170000035
Here, a randomly and uniformly distributed matrix can be generated by using a trapdoor generation algorithm, and public keys constructed by using the matrix are also randomly and uniformly distributed.
Preferably, in the step of extracting the user key, the obtaining of the private key of the user includes the following sub-steps:
using full rank coding functions
Figure BDA0002552427170000036
Mapping user identity id to a reversible matrix
Figure BDA0002552427170000037
Run the left sampling function to output a vector e ← SampleL(B, H_id G, R, t, σ) such that the vector satisfies B_id e = t, where
Figure BDA0002552427170000038
Order to
Figure BDA0002552427170000039
Outputting user identity keys
Figure BDA00025524271700000310
Where B and t represent the system public key,
Figure BDA00025524271700000311
is a public primitive matrix; w denotes the number of columns of the matrix G, with w = nk; H_id is the invertible matrix representing the user identity; ← indicates that the result output by the function is the vector e; σ represents the Gaussian noise in the sampling function;
Figure BDA00025524271700000312
representing a decimal user identity key vector, which is then converted to a binary user identity key v by means of the function Powersof2(),
Figure BDA00025524271700000313
is the system private key. Because the left sampling function is used, the vector e it generates is indistinguishable from a certain distribution, so the output user identity private key is also indistinguishable from a certain distribution, which makes it harder for an adversary to obtain the private key. The function Powersof2() operates as follows: for any
Figure BDA00025524271700000314
-dimensional vector a, the following equation holds:
Figure BDA00025524271700000315
preferably, in the step of generating the ciphertext, the encryption method involved is:
Figure BDA0002552427170000041
where μ ∈ {0,1} is the plaintext to be encrypted, C' represents the ciphertext resulting from a single encryption of the plaintext μ by an encryption algorithm constructed by an obfuscator, and I_N is the N-dimensional identity matrix;
the function BitDecomp() operates as follows: for any
Figure BDA0002552427170000042
-dimensional vector a,
Figure BDA0002552427170000043
where a_i,j denotes the j-th binary bit of the component a_i; the function Flatten() operates as follows: let
Figure BDA0002552427170000044
Then Flatten(a') = BitDecomp(BitDecomp^-1(a')), where the function BitDecomp^-1() operates as
Figure BDA0002552427170000045
Preferably, in the step of decrypting the single identity, the specific decryption step is as follows:
computing
Figure BDA0002552427170000046
Output the plaintext μ = x_i / v[i];
Let sk_id = v. The first l coefficients of the known vector v are 1, 2, …, 2^(l-1); let v[i] = 2^i ∈ (q/4, q/2] and let C_i be the i-th row of the ciphertext C, then compute x_i ← <C_i, v>.
Preferably, in the step of converting identities, the step of converting a first ciphertext of a first user identity into a second ciphertext corresponding to a second user identity through an identity conversion algorithm is as follows:
input ciphertext of first user identity id
Figure BDA0002552427170000047
And passing the identity id of the first user through an encoding function
Figure BDA0002552427170000048
Mapping from binary to invertible matrix
Figure BDA0002552427170000049
(1) If the identity before and after the conversion is the same, namely id = id', output the ciphertext
Figure BDA00025524271700000410
The identity conversion algorithm is suitable for ciphertext conversion among different identities; otherwise, the following operation is carried out:
1) computing a reversible matrix of id' identities:
Figure BDA00025524271700000411
2) the identity id and the plaintext mu are calculated as follows:
a. randomly selecting a vector
Figure BDA00025524271700000412
Random matrix
Figure BDA00025524271700000413
b. Encrypting the plaintext mu by using an identity-based encryption algorithm IBE-Enc () to obtain a ciphertext obtained by encrypting the plaintext of the first user identity once:
Figure BDA0002552427170000051
where MPK is the system public key of the encryption system, id is the user identity, μ ∈ {0,1} is the plaintext being encrypted, and the first ciphertext obtained after encryption is divided into two parts, c_0 and
Figure BDA0002552427170000052
3) Execute step 2) N times to obtain an N-dimensional ciphertext matrix with the identity id, denoted by the matrix C'_id:
Figure BDA0002552427170000053
4) Check whether some plaintext p ∈ {0,1} exists such that the equation C_id = Flatten(p·I_N + BitDecomp(C'_id)) holds; if it exists, output p; if it does not exist, output ⊥;
where p denotes the plaintext, if any, for which the conversion equation holds; the equation C_id = Flatten(p·I_N + BitDecomp(C'_id)) represents the conversion of the n-dimensional ciphertext C'_id to binary; I_N represents the identity matrix of dimension N; ⊥ is the symbol output by the algorithm when no such p exists;
(2) Perform the following operations for the corresponding second user identity id' and the plaintext μ' ∈ {0,1} after conversion:
1) randomly selecting a vector
Figure BDA0002552427170000054
Random matrix
Figure BDA0002552427170000055
2) Encrypt the plaintext μ' using the identity-based encryption algorithm IBE-Enc() to obtain the ciphertext of a single encryption of the plaintext under the second user identity: c'_i = (c'_0, c'_i^T) ← IBE-Enc(MPK, id', μ' ∈ {0,1});
3) Execute step 2) N times to obtain an N-dimensional ciphertext matrix with the identity id', denoted C'_id':
Figure BDA0002552427170000056
4) Using the plaintext p obtained in step (1) 4), convert the ciphertext C''_id' to binary C'_id': C'_id' = Flatten(p·I_N + BitDecomp(C''_id'));
(3) Output the ciphertext C'_id'.
So far, the ciphertext with the first user identity id is converted into the ciphertext with the second user identity id'; through the identity conversion algorithm, the second user identity can firstly convert the ciphertext of the first user identity into the ciphertext of the second user identity, and then homomorphic evaluation operation is carried out instead of independently carrying out decryption operation on the ciphertext of the first user identity, so that the decryption time is saved, and the decryption efficiency is improved.
Preferably, in the fully homomorphic evaluation step, the fully homomorphic operation performed by the user who satisfies the plurality of different identities is as follows:
First, the ciphertexts of different identities are converted into ciphertexts C_id of the same identity through the identity conversion algorithm;
Then the system public key MPK, a Boolean circuit f and a group of ciphertexts with the same identity (C_1, C_2, …, C_t) are input into the fully homomorphic evaluation algorithm, which outputs a new ciphertext C_f such that, for any f ∈ F in the circuit set F, Dec(sk_id, C_f) = f(μ_1, …, μ_t); for convenience of operation, let sk_id = v;
The homomorphic addition formula is (C_1 + C_2)v = (μ_1 + μ_2)v + (z_1, z_2);
The homomorphic multiplication formula is (C_1 C_2)v = C_1(μ_2 v + z_2) = μ_2(μ_1 v + z_1) + C_1 z_2 = μ_1 μ_2 v mod q;
where C_id is a ciphertext with user identity id, C_id' is the ciphertext with user identity id', sk_id is the private key of the user,
Figure BDA0002552427170000061
denotes an error vector,
Figure BDA0002552427170000062
denotes that, from the distribution
Figure BDA0002552427170000063
an N-dimensional error vector is taken at random, and
Figure BDA0002552427170000064
denotes a center of 0 and a standard deviation of
Figure BDA0002552427170000065
corresponding to a normal distribution on [0,1)
Figure BDA0002552427170000066
A discrete distribution of.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1) the lattice-based multi-identity fully homomorphic encryption algorithm converts the encryption and decryption of a ciphertext with a single identity into the encryption and decryption of a plurality of identity ciphertexts, and can realize correct fully homomorphic operation, thereby increasing the transmission quantity of data and improving the operation efficiency.
2) The scheme provided by the invention can carry out fully homomorphic encryption and decryption on a plurality of messages with different identities, thereby improving the calculation efficiency.
Drawings
Fig. 1 is a schematic diagram of a server-client communication system architecture to which the fully homomorphic encryption method of the present invention is applied.
FIG. 2 is a flow chart of the lattice-based multi-identity fully homomorphic encryption method of the present invention.
Detailed Description
For better understanding of the technical solutions of the present invention, the following detailed description is provided for the embodiments of the present invention with reference to the accompanying drawings, but the embodiments of the present invention are not limited thereto.
The embodiment of the invention provides a lattice-based multi-identity fully homomorphic encryption method, and solves the problems that in the prior art, only a single user identity can be subjected to homomorphic operation of a ciphertext, the data transmission quantity is small, and the efficiency is low.
Quantum computers are developing rapidly and quantum algorithms have seen major breakthroughs. Under the quantum computing model, polynomial-time algorithms can solve the hard problems underlying cryptosystems based on classical number-theoretic assumptions, which gave rise to post-quantum cryptography. Lattices are a common mathematical tool for constructing post-quantum cryptography, that is, the cryptographic algorithm is constructed to operate on a vector space with integer coefficients; therefore, in the construction of this scheme, the generation and operation of public and private keys are carried out on vectors and matrices.
In order to solve the problem that only a single identity can be subjected to ciphertext operation on the above lattice, the technical scheme in the embodiment of the present invention has the following general idea:
the method comprises the steps of generating uniform and random system public and private keys, generating an indistinguishable user identity key, encrypting a plaintext by using an identity-based encryption algorithm to obtain a ciphertext, executing an identity conversion algorithm to convert the ciphertext with a single identity into a ciphertext with multiple identities, and then decrypting by using a full homomorphic evaluation algorithm to obtain the plaintext, so that the decryption time is saved, and the algorithm efficiency is improved.
Examples
The technical solution of the present invention will be described in detail with reference to fig. 1.
The technical scheme is applied to a server-client communication system, the client encrypts own plaintext information and uploads the encrypted plaintext information to the server, and the server performs statistical operation on ciphertext data. The communication between them can be wireless communication or wired communication.
In the system initialization stage, the server-side public and private keys and the client identity keys are generated. Client R and client S each encrypt their own plaintext information and upload it to the server through their own systems; client J, which needs to obtain ciphertexts from the server, first converts each ciphertext into a ciphertext under its own identity and then decrypts it to obtain the plaintext.
The identity key of client J, acting as the decrypter, is sk_Jid; the identity key of client R is sk_Rid; the identity key of client S is sk_Sid.
Step S1, the step first generates a server-side public-private key MPK, MSK by the following algorithm, and the specific steps are as follows:
step S11, selecting a uniform random matrix
Figure BDA0002552427170000081
n-dimensional uniform random vector
Figure BDA0002552427170000082
Step S12, run the trapdoor generation algorithm TrapGen(1^n, 1^m, q, H), which outputs the matrix
Figure BDA0002552427170000083
And trapdoor matrix thereof
Figure BDA0002552427170000084
Output the public key MPK = (B, t) and the private key MSK = R, where n and q are integers with n ≥ 1 and q ≥ 2,
Figure BDA0002552427170000085
and m is respectively represented as
Figure BDA0002552427170000086
Figure BDA0002552427170000087
H is expressed as a reversible matrix
Figure BDA0002552427170000088
Step S2, the steps of extracting the identity key of the client J and the client R, S, the specific steps are as follows:
step S21, utilizing full rank coding function
Figure BDA0002552427170000089
map the user identities Jid, Rid, Sid into invertible matrices H_Jid, H_Rid, H_Sid.
Step S22, run the left sampling function to output a vector e_Jid ← SampleL(B, H_Jid G, R, t, σ) such that the vector satisfies B_Jid e_Jid = t, where
Figure BDA00025524271700000810
Order to
Figure BDA00025524271700000811
Exporting user keys
Figure BDA00025524271700000812
Wherein
Figure BDA00025524271700000813
is a public primitive matrix, w = nk, and
Figure BDA00025524271700000814
is a trapdoor function generated by the trapdoor algorithm. The function Powersof2() operates as follows: for any
Figure BDA00025524271700000815
-dimensional vector a, the following equation holds:
Figure BDA00025524271700000816
Step S23, in the same way as step S22, generate the identity private keys sk_Rid, sk_Sid of clients R and S.
Step S3, clients R and S each encrypt their own plaintext information to obtain the corresponding ciphertext, and upload the generated ciphertext to the server, where it is stored; the specific steps are as follows:
Step S31, the plaintext information μ_Rid of client R is encrypted; the encryption used to generate the ciphertext is:
Figure BDA0002552427170000091
where μ_Rid ∈ {0,1} is the plaintext to be encrypted, C'_Rid represents the ciphertext obtained when client R encrypts the plaintext μ_Rid once, N represents the number of executions of the process, and I_N is the N-dimensional identity matrix. The function BitDecomp() operates as follows: for any
Figure BDA0002552427170000092
-dimensional vector a,
Figure BDA0002552427170000093
where a_i,j denotes the j-th binary bit of the component a_i. The function Flatten() operates as follows: let
Figure BDA0002552427170000094
Then Flatten(a') = BitDecomp(BitDecomp^-1(a')), where the function BitDecomp^-1() operates as
Figure BDA0002552427170000095
Step S32, in the same way as step S31, generate the ciphertext C_Sid corresponding to the plaintext information of client S.
Step S4, decrypt the ciphertexts of clients R and S to obtain the plaintext messages.
Step S41, the client R calculates the following equation:
Figure BDA0002552427170000096
The plaintext is μ_Rid = x_i / v_Rid[i], where, for convenience of operation, let sk_Rid = v_Rid; the first coefficients of the known vector v_Rid are 1, 2, …, 2^(l-1); let v[i] = 2^i ∈ (q/4, q/2], let C_i be the i-th row of the ciphertext C_Rid, and compute x_i ← <C_i, v_Rid>.
Step S42, in the same way as step S41, client S can decrypt its ciphertext to obtain the corresponding plaintext.
Step S5, the ciphertexts of clients R and S are converted into ciphertexts of client J with the identity Jid; the specific steps are as follows:
step S51, input ciphertext of client R
Figure BDA0002552427170000097
Passing the identity Rid of the client R through an encoding function
Figure BDA0002552427170000098
Mapping from binary to invertible matrix
Figure BDA0002552427170000099
And calculates a reversible matrix of identities of client J
Figure BDA00025524271700000910
Step S52, randomly selecting vector
Figure BDA00025524271700000911
Random matrix
Figure BDA00025524271700000912
Using the identity-based encryption algorithm, the plaintext μ_Rid of client R is encrypted with the server-side public key MPK to obtain the ciphertext
Figure BDA00025524271700000913
Step S53, executing step S52N times to obtain the ciphertext matrix of the client R:
Figure BDA0002552427170000101
Step S54, check whether there is some plaintext p ∈ {0,1} such that the following equation holds: C_Rid = Flatten(p·I_N + BitDecomp(C'_Rid)); output p if present, and ⊥ if not present.
Step S55, randomly selecting vector
Figure BDA0002552427170000102
Random matrix
Figure BDA0002552427170000103
Using the identity-based encryption algorithm, the plaintext μ_Jid of client J is encrypted with the server-side public key MPK to obtain the ciphertext
Figure BDA0002552427170000104
Step S56, the ciphertext matrix of the client J is obtained by executing step S55N times:
Figure BDA0002552427170000105
Step S57, using the plaintext p obtained in step S54, convert the ciphertext C'_Jid to binary C_id1: C_id1 = Flatten(p·I_N + BitDecomp(C'_Jid)).
Step S58, output the converted ciphertext C_id1 of client R.
Step S59, in the same way, the ciphertext of client S can be converted into the ciphertext corresponding to the identity id of client J, which is recorded as C_id2.
Step S6, in the step of evaluating the full homomorphism, the user who satisfies a plurality of different identities performs the full homomorphic operation and can correctly decrypt the data, and the specific steps are as follows:
Step S61, step 5 has already converted the ciphertexts of clients R and S into the ciphertexts C_id1, C_id2 corresponding to the identity id of client J.
Step S62, input the master public key MPK, the Boolean circuit f and the converted ciphertext group of the doctor C_f = (C_id1, C_id2) into the homomorphic evaluation algorithm; for the circuit set F, for any f ∈ F, Dec(sk_id, C_f) = f(μ_1, …, μ_t); for convenience of operation, let sk_id = v.
Step S63, the homomorphic addition formula is (C_id1 + C_id2) v_id = (μ_Rid + μ_Sid) v_id + (z_Rid, z_Sid).
Step S64, the homomorphic multiplication formula is
(C_id1 C_id2) v_id = C_id1(μ_Sid v_id + z_Sid) = μ_Sid(μ_Rid v_id + z_Rid) + C_id1 z_Sid = μ_Rid μ_Sid v_id mod q.
where z_Rid, z_Sid denote the error vectors of client R and client S, which satisfy the
Figure BDA0002552427170000111
distribution; this denotes that, from the distribution
Figure BDA0002552427170000112
an N-dimensional error vector is taken at random, and
Figure BDA0002552427170000113
denotes a center of 0 and a standard deviation of
Figure BDA0002552427170000114
corresponding to a normal distribution on [0,1)
Figure BDA0002552427170000115
A discrete distribution of.
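The following added example is not part of the patent. It implements BitDecomp, BitDecomp^-1, Powersof2 and Flatten as named above and uses them to check the decryption rule x_i ← <C_i, v> and the homomorphic addition and multiplication formulas of steps S63 and S64 on a toy ciphertext of the form C = Flatten(μ·I_N + BitDecomp(R·A)). Assumptions: the four functions take their standard definitions from the Gentry-Sahai-Waters (GSW) scheme, because the patent's own formulas are in figures not reproduced on this page; a plain LWE key s = (1, -t) stands in for the identity key produced by SampleL; and the parameters, helper names and seed are constructed for illustration and are far too small to be secure.

```python
import random

Q = 1 << 16        # modulus q; a power of two keeps the toy arithmetic simple
L = 16             # l = bits needed for one element of Z_q
DIM = 3            # LWE dimension n (toy size, far too small to be secure)
K = DIM + 1        # length of the secret vector s = (1, -t)
N = K * L          # ciphertext matrices are N x N
M = 8              # rows of the public matrix A


def bit_decomp(a):
    """BitDecomp: replace each component by its L bits, least significant first."""
    return [((x % Q) >> j) & 1 for x in a for j in range(L)]


def bit_decomp_inv(b):
    """BitDecomp^-1: recombine each group of L entries, also for non-binary input."""
    return [sum(b[i * L + j] << j for j in range(L)) % Q
            for i in range(len(b) // L)]


def flatten(b):
    """Flatten(b) = BitDecomp(BitDecomp^-1(b)): same product with v, entries in {0,1}."""
    return bit_decomp(bit_decomp_inv(b))


def powers_of_2(s):
    """Powersof2: (s_1, 2 s_1, ..., 2^(L-1) s_1, s_2, ...) mod q."""
    return [(x << j) % Q for x in s for j in range(L)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen(rng):
    """Plain LWE key pair (assumption: stands in for the SampleL identity key)."""
    t = [rng.randrange(Q) for _ in range(DIM)]
    s = [1] + [(-x) % Q for x in t]
    B = [[rng.randrange(Q) for _ in range(DIM)] for _ in range(M)]
    A = [[(dot(row, t) + rng.choice((-1, 0, 1))) % Q] + row for row in B]
    return A, powers_of_2(s)          # A*s is small noise; v = Powersof2(s)


def encrypt(A, mu, rng):
    """C = Flatten(mu * I_N + BitDecomp(R * A)) with a random binary R (N x M)."""
    C = []
    for i in range(N):
        r = [rng.randrange(2) for _ in range(M)]
        row = bit_decomp([sum(r[k] * A[k][c] for k in range(M)) for c in range(K)])
        row[i] += mu                  # the mu * I_N term
        C.append(flatten(row))
    return C


def decrypt(v, C):
    """x_i = <C_i, v> = mu * v[i] + noise, read at the row where v[i] = q/2."""
    i = L - 1                         # v[i] = 2^(L-1) lies in (q/4, q/2]
    x = dot(C[i], v)
    return 1 if Q // 4 <= x < 3 * Q // 4 else 0


def hom_add(C1, C2):
    """(C1 + C2) v = (mu1 + mu2) v + noise; with v[i] = q/2 this decodes as XOR."""
    return [flatten([a + b for a, b in zip(r1, r2)]) for r1, r2 in zip(C1, C2)]


def hom_mult(C1, C2):
    """(C1 C2) v = mu1 mu2 v + (mu2 z1 + C1 z2); decodes as AND for bits."""
    cols = list(zip(*C2))
    return [flatten([sum(a * b for a, b in zip(r, c)) for c in cols]) for r in C1]


def truth_table(seed=2020):
    """Encrypt every pair of bits and return decrypted (b1, b2, sum, product)."""
    rng = random.Random(seed)         # constructed demo seed, not a secure RNG
    A, v = keygen(rng)
    out = []
    for b1 in (0, 1):
        for b2 in (0, 1):
            C1, C2 = encrypt(A, b1, rng), encrypt(A, b2, rng)
            out.append((decrypt(v, C1), decrypt(v, C2),
                        decrypt(v, hom_add(C1, C2)), decrypt(v, hom_mult(C1, C2))))
    return out


if __name__ == "__main__":
    for row in truth_table():
        print(row)
```

The noise term C1·z2 in the product is bounded by N times the fresh noise, which is why Flatten keeps every ciphertext entry in {0,1} before the next operation.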
In this embodiment, uniform and random system public and private keys are generated through a trapdoor function, an indistinguishable user identity key is generated by the left sampling algorithm, the plaintext is encrypted with an identity-based encryption algorithm to obtain a ciphertext, the identity conversion algorithm is executed to convert single-identity ciphertexts into multi-identity ciphertexts for operation, and the plaintext is then obtained by decrypting after the homomorphic evaluation algorithm, which saves decryption time and improves the efficiency of the algorithm. In the method of this embodiment, the decrypting party can decrypt ciphertexts of multiple identities, and performance analysis shows that the method is superior to existing schemes in efficiency and performance. The invention provides a method of applying a multi-identity fully homomorphic encryption algorithm on lattices to communication between users, which increases the amount of information transmitted, improves the transmission speed, and better meets the needs of today's big-data society.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (8)

1. A lattice-based multi-identity fully homomorphic encryption method is characterized by comprising the following steps:
initializing a system: firstly, generating a public key and a private key of a system;
extracting a user key: mapping the first user identity and the second user identity into a reversible matrix by using a full-rank function, and generating a first private key corresponding to the first user identity and a second private key corresponding to the second user identity through vector operation;
generating a ciphertext: acquiring encryption selection of a first user identity, selecting a plaintext message to be encrypted, and encrypting to obtain a first ciphertext;
decrypting the single identity: for the first user identity, decrypting through a first private key to obtain a plaintext message;
identity conversion: converting a first ciphertext of the first user identity into a second ciphertext corresponding to a second user identity through an identity conversion algorithm;
fully homomorphic evaluation: inputting a group of ciphertexts after identity conversion, and decrypting after the fully homomorphic operation.
2. The fully homomorphic encryption method of claim 1, wherein system parameters are input, and two matrices are generated by a trapdoor generation algorithm, wherein one matrix is a trapdoor matrix, the trapdoor matrix is used as a system private key, and the other matrix is used as a system public key.
3. The fully homomorphic encryption method according to claim 2, wherein in said system initialization step, the generation of the public-private key of the system comprises the following sub-steps:
selecting a uniform random matrix
Figure FDA0002552427160000011
n-dimensional uniform random vector
Figure FDA0002552427160000012
running the trapdoor generation algorithm $\mathrm{TrapGen}(1^n, 1^m, q, H)$ to output the matrix
Figure FDA0002552427160000013
And trapdoor matrix thereof
Figure FDA0002552427160000014
outputting the system public key $MPK = (B, t)$ and the system private key $MSK = R$;
wherein n, m,
Figure FDA0002552427160000015
represent the dimensions of the system public and private key vectors; n is an integer with n ≥ 1; q represents the modulus and is an integer with q ≥ 2,
Figure FDA0002552427160000016
and n and q are in the relationship $m = o(n\,\mathrm{lb}\,q)$,
Figure FDA0002552427160000017
o() denotes a higher-order infinitesimal, with m on the order of n times the base-2 logarithm of q, used here to compute the number of rows and columns of the public key vector; k denotes the base-2 logarithm of q rounded up, used here to compute the dimension of the private key vector
Figure FDA0002552427160000018
H denotes a random invertible matrix
Figure FDA0002552427160000019
Here, a randomly and uniformly distributed matrix can be generated by using a trapdoor generation algorithm, and public keys constructed by using the matrix are also randomly and uniformly distributed.
4. The fully homomorphic encryption method according to claim 1, wherein in the step of extracting the user key, the obtaining of the user's private key comprises the sub-steps of:
with the full rank coding function F:
Figure FDA0002552427160000021
mapping user identity id to a reversible matrix
Figure FDA0002552427160000022
running the left sampling function to output a vector $e \leftarrow \mathrm{SampleL}(B, H_{id}G, R, t, \sigma)$ such that the vector satisfies $B_{id}e = t$, where
Figure FDA0002552427160000023
Order to
Figure FDA0002552427160000024
outputting the user identity key $sk_{id}$:
Figure FDA0002552427160000025
Where B and t represent the system public key,
Figure FDA0002552427160000026
is a public primitive matrix; w represents the number of columns of the matrix G, with $w = nk$; $H_{id}$ is the invertible matrix representing the user identity; ← indicates that the function outputs its result as the vector e; σ represents the Gaussian noise in the sampling function,
Figure FDA0002552427160000027
representing a decimal user identity key vector, which is then converted to a binary user identity key v by means of the function Powersof2(),
Figure FDA0002552427160000028
is the system private key; the function Powersof2() operates as follows: for any
Figure FDA0002552427160000029
-dimensional vector a, the following equation holds:
Figure FDA00025524271600000210
5. The fully homomorphic encryption method according to claim 1, wherein in the step of generating the ciphertext, the encryption method involved is:
Figure FDA00025524271600000211
where μ ∈ {0,1} is the plaintext to be encrypted, C' represents the ciphertext resulting from a single encryption of the plaintext μ by an encryption algorithm constructed by an obfuscator, and $I_N$ is the N-dimensional unit matrix;
the function BitDecomp() operates as follows: for any
Figure FDA00025524271600000212
-dimensional vector a,
Figure FDA00025524271600000213
wherein $a_{i,j}$ denotes the j-th binary bit of the component $a_i$; the function Flatten() operates as follows: let
Figure FDA00025524271600000214
then $\mathrm{Flatten}(a') = \mathrm{BitDecomp}(\mathrm{BitDecomp}^{-1}(a'))$, wherein the function $\mathrm{BitDecomp}^{-1}()$ operates as
Figure FDA00025524271600000215
6. The fully homomorphic encryption method according to claim 1, wherein in the decrypting the single identity step, the specific decrypting step is:
computing
Figure FDA0002552427160000031
outputting the plaintext $\mu = x_i / v[i]$;
For $sk_{id}$, the first i coefficients of the known vector v are $1, 2, \dots, 2^{l-1}$; let $v[i] = 2^i \in (q/4, q/2]$ and let $C_i$ be the i-th row of the ciphertext C; obtain $x_i \leftarrow \langle C_i, v \rangle$.
7. The fully homomorphic encryption method according to claim 5, wherein in the identity transformation step, the step of transforming the first ciphertext of the first user identity into the second ciphertext corresponding to the second user identity by using an identity transformation algorithm comprises:
input ciphertext of first user identity id
Figure FDA0002552427160000032
and passing the identity id of the first user through the coding function F:
Figure FDA0002552427160000033
mapping from binary to invertible matrix
Figure FDA0002552427160000034
(1) If the identities before and after the conversion are the same, namely id = id', the ciphertext is output
Figure FDA0002552427160000035
Otherwise, the following operation is carried out:
1) computing a reversible matrix of id' identities:
Figure FDA0002552427160000036
2) the identity id and the plaintext mu are calculated as follows:
a. randomly selecting a vector
Figure FDA0002552427160000037
Random matrix
Figure FDA0002552427160000038
b. Encrypting the plaintext mu by using an identity-based encryption algorithm IBE-Enc () to obtain a ciphertext obtained by encrypting the plaintext of the first user identity once:
Figure FDA0002552427160000039
wherein MPK is the system public key of the encryption system, id is the user identity, μ ∈ {0,1} is the encrypted plaintext, and the first ciphertext obtained after encryption is divided into two parts, $c_0$ and
Figure FDA00025524271600000310
3) executing the steps in step 2) N times to obtain an N-dimensional ciphertext matrix with the identity id, denoted by the matrix $C'_{id}$:
Figure FDA00025524271600000311
4) checking whether there exists some plaintext p ∈ {0,1} such that the equation $C_{id} = \mathrm{Flatten}(p \cdot I_N + \mathrm{BitDecomp}(C'_{id}))$ holds; if it exists, output p; if it does not exist, output ⊥;
where p denotes whether some plaintext exists in the conversion process such that the conversion equation holds, the equation $C_{id} = \mathrm{Flatten}(p \cdot I_N + \mathrm{BitDecomp}(C'_{id}))$ represents the conversion of the N-dimensional ciphertext $C'_{id}$ to binary, $I_N$ represents the unit vector of dimension N, and ⊥ represents the output symbol of the algorithm when p is not present;
(2) performing the following operations on the corresponding second user identity id' and the plaintext μ' ∈ {0,1} after conversion:
1) randomly selecting a vector
Figure FDA0002552427160000041
Random matrix
Figure FDA0002552427160000042
2) Encrypting the plaintext mu' by using an identity-based encryption algorithm IBE-Enc () to obtain a ciphertext obtained by encrypting the plaintext of the second user identity once:
Figure FDA0002552427160000043
3) executing the steps in step 2) N times to obtain an N-dimensional ciphertext matrix with the identity id', denoted by $C''_{id'}$:
Figure FDA0002552427160000044
4) using the plaintext p obtained in step (1) 4), converting the ciphertext $C''_{id'}$ into the binary $C'_{id'}$: $C'_{id'} = \mathrm{Flatten}(p \cdot I_N + \mathrm{BitDecomp}(C''_{id'}))$;
(3) Output the ciphertext $C'_{id'}$.
At this point, the ciphertext with the first user identity id is converted into the ciphertext with the second user identity id'.
8. The fully homomorphic encryption method according to claim 1, wherein in the fully homomorphic evaluation step, the fully homomorphic calculation step performed by the users with different identities is as follows:
first, the ciphertexts of different identities are converted into ciphertexts $C_{id}$ of the same identity through the identity conversion algorithm;
then the system public key MPK, a Boolean circuit f and a group of ciphertexts $(C_1, C_2, \dots, C_t)$ with the same identity are input into the fully homomorphic evaluation algorithm; the homomorphic evaluation algorithm outputs a new group of ciphertexts $C_f$ satisfying, for any $f \in F$ in the circuit set F, $\mathrm{Dec}(sk_{id}, C_f) = f(\mu_1, \dots, \mu_t)$; to facilitate the operation, let $sk_{id} = v$;
The homomorphic addition formula is $(C_1 + C_2)v = (\mu_1 + \mu_2)v + (z_1 + z_2)$;
The homomorphic multiplication formula is $(C_1 C_2)v = C_1(\mu_2 v + z_2) = \mu_2(\mu_1 v + z_1) + C_1 z_2 = \mu_1 \mu_2 v \bmod q$;
wherein $C_{id}$ is the ciphertext with user identity id, $C_{id'}$ is the ciphertext with user identity id', $sk_{id}$ is the user private key, $C_1 v = \mu_1 v + z_1$, $C_2 v = \mu_2 v + z_2$,
Figure FDA0002552427160000045
represents a fault-tolerant vector,
Figure FDA0002552427160000046
is shown in distribution
Figure FDA0002552427160000047
In the case of a randomly taken N-dimensional fault-tolerant vector,
Figure FDA0002552427160000051
denotes a center of 0 and a standard deviation of
Figure FDA0002552427160000052
Corresponding to a normal distribution on [0,1)
Figure FDA0002552427160000053
A discrete distribution of.
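The BitDecomp, BitDecomp⁻¹, Flatten and Powersof2 operations of claims 4 and 5, the row-wise decryption of claim 6 and the homomorphic formulas of claim 8 are those of the Gentry-Sahai-Waters (GSW) scheme. The following added example (not part of the patent) runs them as a toy plain-LWE GSW scheme; the parameters, the function names, the rounding in `decrypt` and the ordinary LWE secret used in place of a key from TrapGen/SampleL are assumptions.

```python
import random
# Toy GSW over plain LWE; constructed parameters, not secure, no identities.
Q = 2**20 - 3            # modulus q
L = Q.bit_length()       # l = floor(log2 q) + 1
N_LWE = 3                # LWE dimension n
N = (N_LWE + 1) * L      # ciphertext dimension N = (n+1) * l
M = 16                   # number of LWE samples m

def bit_decomp(a):
    """Each component -> its l bits, least significant first."""
    return [(x >> j) & 1 for x in a for j in range(L)]

def bit_decomp_inv(b):
    """Inverse of bit_decomp; also defined when entries are not bits."""
    return [sum(b[i + j] << j for j in range(L)) % Q for i in range(0, len(b), L)]

def flatten(b):
    return bit_decomp(bit_decomp_inv(b))

def powers_of_2(s):
    return [(x << j) % Q for x in s for j in range(L)]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def keygen(rng):
    t = [rng.randrange(Q) for _ in range(N_LWE)]
    s = [1] + [(-x) % Q for x in t]            # secret s = (1, -t)
    A = []
    for _ in range(M):
        a = [rng.randrange(Q) for _ in range(N_LWE)]
        e = rng.choice((-1, 0, 1))             # small error
        A.append([(dot(a, t) + e) % Q] + a)    # <row, s> = e (mod q)
    return A, powers_of_2(s)                   # public A, secret v

def encrypt(A, mu, rng):
    rows = []
    for i in range(N):
        r = [rng.randrange(2) for _ in range(M)]
        ra = [sum(r[k] * A[k][j] for k in range(M)) % Q for j in range(N_LWE + 1)]
        row = bit_decomp(ra)
        row[i] += mu                           # row i of mu * I_N
        rows.append(flatten(row))
    return rows                                # C = Flatten(mu*I_N + BitDecomp(R*A))

def decrypt(v, C):
    i = L - 2                                  # v[i] = 2^i lies in (q/4, q/2]
    x = dot(C[i], v)                           # x_i = <C_i, v>
    x = x - Q if x > Q // 2 else x             # centre the residue
    return round(x / v[i])

def hom_add(C1, C2):
    return [flatten([a + b for a, b in zip(r1, r2)]) for r1, r2 in zip(C1, C2)]

def hom_mult(C1, C2):
    cols = list(zip(*C2))
    return [flatten([sum(a * b for a, b in zip(r, c)) for c in cols]) for r in C1]
```

Flatten keeps every ciphertext entry in {0,1} without changing its product with v, which is why the noise term C₁z₂ in the multiplication formula stays bounded by N times the noise of C₂.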
CN202010578978.1A 2019-11-18 2020-06-23 Fully homomorphic encryption method for multiple identities based on lattice Active CN111526002B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911125694 2019-11-18
CN2019111256940 2019-11-18

Publications (2)

Publication Number Publication Date
CN111526002A true CN111526002A (en) 2020-08-11
CN111526002B CN111526002B (en) 2023-11-14

Family

ID=71910171

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010578978.1A Active CN111526002B (en) 2019-11-18 2020-06-23 Fully homomorphic encryption method for multiple identities based on lattice

Country Status (1)

Country Link
CN (1) CN111526002B (en)

Also Published As

Publication number Publication date
CN111526002B (en) 2023-11-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant