CN112906020A - Lattice-based distributed relinearization public key generation method - Google Patents

Lattice-based distributed relinearization public key generation method

Info

Publication number: CN112906020A
Authority: CN (China)
Prior art keywords: polynomial, public key, linearization, user, share
Legal status: Granted (Active)
Application number: CN202110160700.7A
Other languages: Chinese (zh)
Other versions: CN112906020B (granted publication)
Inventors: 田海博, 林会智
Current and original assignee: Sun Yat-sen University
Application filed by Sun Yat-sen University; priority to CN202110160700.7A; published as CN112906020A; application granted and published as CN112906020B.

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services

Abstract

The invention belongs to the field of secure multi-party computation based on fully homomorphic encryption, and in particular to a lattice-based distributed relinearization public key generation method. On top of the lattice-based public/private key generation of the BFV scheme, it provides a relinearization-key generation initialization algorithm, a relinearization-key share generation algorithm and a relinearization-key generation algorithm. Each user's private key is shared by splitting its polynomial, and each user computes its share of the relinearization public key via the number-theoretic transform (NTT). Before a user submits its personal relinearization-key share, the share is protected with two noise terms that cancel when the shares are added, so that an adversary who collects the relinearization-key shares cannot recover a private key by analysing them. The method injects less noise while still achieving security.

Description

Lattice-based distributed relinearization public key generation method
Technical Field
The invention belongs to the field of secure multi-party computation based on fully homomorphic encryption, and in particular to a lattice-based distributed relinearization public key generation method.
Background
Big data technology now shapes everyday life, from clothing and food to housing and transport. A user's personal data, however, inevitably contains private information and cannot simply be collected when data is aggregated. How to aggregate every party's data and complete a computation while protecting users' information security and privacy is the central question of secure multi-party computation. Fully homomorphic encryption offers a practical answer and a new mode of distributed computation on data: it supports addition and multiplication on ciphertexts and therefore has strong computational power over encrypted data. Ciphertext multiplication relies on a relinearization public key, and generating that key requires the private key. In a distributed setting, how to generate the relinearization public key without any user revealing its own private key is a research difficulty. The lattice-based distributed relinearization key generation proposed by Damgård et al. in "Practical Covertly Secure MPC for Dishonest Majority - Or: Breaking the SPDZ Limits" suffers from large noise, which directly reduces the number of homomorphic operations that can be performed and needs further improvement.
Disclosure of Invention
To overcome at least one defect of the prior art, the invention provides a lattice-based distributed relinearization public key generation method that injects less noise while achieving security.
To solve this technical problem, the invention adopts the following technical scheme. A lattice-based distributed relinearization public key generation method comprises the following steps:
S1, system initialization: set the initial parameters of the lattice cryptosystem and of the relinearization-key generation process;
S2, user key generation: generate each user's personal public/private key pair, together with a hybrid-encryption key pair;
S3, relinearization-key generation initialization: split the private-key polynomial to generate and distribute the shares of the user's personal private key;
S4, relinearization-key share generation: after a user has collected the private-key shares sent by all other users, it computes its share of the relinearization public key via the number-theoretic transform; before submitting its personal relinearization-key share, it protects the share with two noise terms that cancel under addition;
S5, relinearization-key generation: the server collects every user's relinearization-key share, combines them and publishes the relinearization public key.
Starting from the lattice-based public/private key generation of the BFV scheme, the invention extends it to a lattice-based distributed relinearization public key generation method whose aim is to reduce the injected noise, and so increase the number of homomorphic operations, while keeping the method as a whole secure.
Further, system initialization sets the system parameters params = {param0, param1}, where param0 is the parameter set of the lattice-based system and param1 is the parameter set of the distributed relinearization-key generation phase.
Further, param0 is
Figure BDA0002936492330000021
Specifically, set the security parameter λ and the number m of participating users; the ordered set U of all participating users; the polynomial degree d; the modulus q of the polynomial coefficients; the plaintext polynomial modulus t; the cyclotomic polynomial f(x); and the ring
Figure BDA0002936492330000022
R_q denotes the polynomials with coefficients reduced modulo q. Then set the error distribution χ and the uniform distribution μ, and sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000023
Finally, fix a hybrid encryption scheme HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}: HPKE.Gen() is its key-generation algorithm, taking the security parameter as input and outputting an encryption/decryption key pair; HPKE.Enc() is its encryption algorithm, taking an encryption key and a plaintext and outputting a ciphertext; HPKE.Dec() is its decryption algorithm, taking a ciphertext and a decryption key and outputting the plaintext.
Further, for param1 = {T, l, a_list, NTT}: set the relinearization-key parameter to an integer T, then compute l from T and q
Figure BDA0002936492330000024
For i = 0, ..., l, sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000025
and collect them into the set
Figure BDA0002936492330000026
Finally, fix the number-theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}: NTT.ToNtt() takes a (d+1)-term polynomial in coefficient representation and outputs its (d+1)-point value representation; NTT.ToPoly() takes a (d+1)-point value representation and outputs the (d+1)-term coefficient representation.
Further, system initialization finally outputs
Figure BDA0002936492330000027
Further, user key generation is as follows: input params; sample uniformly at random a (d+1)-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}
Figure BDA0002936492330000028
then sample a (d+1)-term noise polynomial from χ
Figure BDA0002936492330000029
set
Figure BDA00029364923300000210
and
Figure BDA00029364923300000211
where [·]_q denotes reducing each coefficient of the bracketed polynomial modulo q. Run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the HPKE encryption/decryption key pair, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Further, relinearization-key generation initialization is as follows:
S31. Input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U}. First split the private-key polynomial sk_u0, of degree d, into two sub-private-key polynomials ask_u0 and bsk_u0 of degree at most
Figure BDA0002936492330000031
that satisfy
Figure BDA0002936492330000032
Let x be the indeterminate of the polynomials; the highest non-zero term of ask_u0 and bsk_u0 then has degree
Figure BDA0002936492330000033
and the last
Figure BDA0002936492330000034
coefficients are all 0. Then apply NTT.ToNtt() to ask_u0 and bsk_u0 (coefficient representation) to obtain nnask_u0 and nnbsk_u0 (point-value representation); nnask_u0 and nnbsk_u0 have d+1 entries each, the highest index being d.
S32. Split nnask_u0 and nnbsk_u0 into m sub-private-key shares each, following the ordered set U: starting from entry 1 of nnask_u0, every
Figure BDA0002936492330000035
entries form one share, assigned in order to the users of U, i.e. the sub-private-key share nnSa_u1 of user 1 is the first
Figure BDA0002936492330000036
entries of nnask_u0, and so on, until the sub-private-key share nnSa_um of user m is the last
Figure BDA0002936492330000037
entries. nnbsk_u0 is split in the same way as nnask_u0, so that finally
Figure BDA0002936492330000038
holds.
S33. Package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v∈U, and encrypt them under user v's public key pk_v1 by running nnES_uv ← HPKE.Enc(pk_v1, nnS_uv). The output is the set {nnES_uv}_{v∈U} of encrypted shares that user u distributes to all users in U; the set has m elements.
Further, relinearization-key share generation is as follows:
S41. Input params and the set {nnES_vu}_{v∈U} of encrypted shares that user u received from all users in the ordered set U. First decrypt them: {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U}. Then parse {nnS_vu}_{v∈U} into {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_mu, nnSb_mu}}. Finally sum the shares nnSa_vu and nnSb_vu (v∈U) respectively:
Figure BDA0002936492330000041
The resulting polynomials nnSa_u and nnSb_u are the aggregated shares held by user u.
S42. Sample a (d+1)-term noise polynomial from χ
Figure BDA0002936492330000042
and a noise polynomial whose highest non-zero term has degree
Figure BDA0002936492330000043
namely
Figure BDA0002936492330000044
whose last
Figure BDA0002936492330000045
coefficients are all 0, and compute
Figure BDA0002936492330000046
Apply NTT.ToNtt() to each coefficient-form polynomial: input
Figure BDA0002936492330000047
output nnei_0 (point-value form); input
Figure BDA0002936492330000048
output nnei_1; input
Figure BDA0002936492330000049
output nnei_2.
S43. For i = 0, ..., l, split the degree-d polynomial of a_list
Figure BDA00029364923300000410
into two polynomials Aa_i and Ba_i whose highest non-zero term has degree
Figure BDA00029364923300000411
(their last
Figure BDA00029364923300000412
coefficients are all 0) and that satisfy
Figure BDA00029364923300000413
Apply NTT.ToNtt() to Aa_i and Ba_i (coefficient representation) to obtain nnAa_i and nnBa_i (point-value representation), and compute, with · the point-wise product and T^i the i-th power of T,
nnrlk0_ui = nnSb_u·nnBa_i − nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) − nnei_0 + nnei_2,
nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) − nnSa_u·nnBa_i − nnSb_u·nnAa_i + nnei_1.
Finally output user u's relinearization-key share {{nnrlk0_u0, nnrlk1_u0}, {nnrlk0_u1, nnrlk1_u1}, ..., {nnrlk0_ul, nnrlk1_ul}}.
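The following derivation is added here and is not part of the patent text; it checks the two S43 formulas against the BFV relinearization key rlk_i = [−(a_i·s + e_i) + T^i·s^2]_q. Write h = (d+1)/2 and take f(x) = x^{d+1} + 1, so that x^{d+1} ≡ −1 in R_q (the split at x^h requires this). Let ask = Σ_v ask_v0 and bsk = Σ_v bsk_v0 be the sums of all users' halves, so the joint secret is s = Σ_v sk_v0 = ask + bsk·x^h, and write a_i = Aa_i + Ba_i·x^h. Then

$$ s^2 = ask^2 - bsk^2 + 2\,ask\cdot bsk\;x^{h}, \qquad a_i\,s = Aa_i\cdot ask - Ba_i\cdot bsk + \bigl(Aa_i\cdot bsk + Ba_i\cdot ask\bigr)\,x^{h}, $$

$$ -a_i\,s + T^i s^2 = \bigl(Ba_i\cdot bsk - Aa_i\cdot ask + T^i(ask^2 - bsk^2)\bigr) + \bigl(2T^i\,ask\cdot bsk - Aa_i\cdot bsk - Ba_i\cdot ask\bigr)\,x^{h}. $$

The first bracket is nnrlk0_ui without its noise terms and the second is nnrlk1_ui without nnei_1 (the S43 products are point-wise, i.e. polynomial products in NTT form), so rlk_i = rlk0_i + rlk1_i·x^h in S5 is the BFV key for the joint secret s, carrying the noise (−e_0 + e_2) + e_1·x^h from each user. Every product above has two factors of degree below h, hence degree below d+1, so the (d+1)-point NTT computes it exactly and only the single multiplication by x^h in S5 wraps around modulo f(x). Because the NTT is linear, the block-wise sums of S41 are the corresponding entries of the transforms of ask and bsk, which is why T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) already contains all cross terms of s^2 = (Σ_v sk_v0)^2.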
Further, relinearization public key generation is as follows: input params and the relinearization-key share sets of all users {{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,l]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,l]}, ..., {{nnrlk0_mi, nnrlk1_mi}}_{i∈[0,l]}; for i = 0, ..., l compute
Figure BDA00029364923300000414
Apply NTT.ToPoly() to the point-value polynomials nnrlk0_i and nnrlk1_i to obtain rlk0_i and rlk1_i in coefficient representation, and compute
Figure BDA0002936492330000051
with x the indeterminate of the polynomials. Finally output the relinearization public key set rlk_list = {rlk_i}, i ∈ [0, l].
Further, the number of users m is an integer power of 2, the polynomial degree d is one less than an integer power of 2 (so that the d+1 point values split into m equal blocks), and the coefficient modulus q is a large prime.
Compared with the prior art, the beneficial effects are: the invention provides a lattice-based distributed relinearization public key generation method which, on top of the lattice-based public/private key generation of BFV, supplies a relinearization-key generation initialization algorithm, a relinearization-key share generation algorithm and a relinearization-key generation algorithm; each user's private key is shared by splitting its polynomial, and each user computes its relinearization-key share via the number-theoretic transform. Before a user submits its personal relinearization-key share, the share is protected with two noise terms that cancel under addition, so that an adversary who collects the relinearization-key shares cannot recover a private key by analysing them. The method injects less noise while still achieving security.
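As a worked example, added here and not part of the patent, the following Python program runs the whole procedure S1 to S5 with toy parameters small enough to read: n = d+1 = 8 coefficients, m = 4 users, q = 17 (so an 8-point NTT exists), T = 2 and l = 4. Everything beyond the page is an assumption of the example: l = ⌊log_T q⌋ (BFV's choice, consistent with the page's i = 0, ..., 6 for q ≈ 2^54 with T = 2^8 and i = 0, ..., 13 for q ≈ 2^108); the NTT is the plain cyclic (d+1)-point transform; the three noises e_i0, e_i1, e_i2 are sampled independently from a ternary stand-in for χ, because the relation the page establishes between them lives in a formula image that is not on the page; each user's noise enters all d+1 point values of its share while its key-dependent terms fill only its own block (the page gives nnei_0 d+1 points but nnSa_u only (d+1)/m); and the HPKE transport of the shares is left out. The function names are the example's own, not the patent's. The check at the end verifies the BFV identity rlk_i + a_i·s − T^i·s^2 = injected noise in R_q for the joint secret s = Σ_v sk_v0, and that the identity holds exactly when the noise is switched off.

```python
"""Toy end-to-end run of the distributed relinearization-key generation on this page (added example,
not the patent's code). Page: d+1 = 2048/4096, m = 4, T = 256 and l = floor(log_T q) as inferred from
its examples (q ~ 2^54 -> l = 6, q ~ 2^108 -> l = 13). Here n = 8, m = 4, q = 17, T = 2, l = 4. The
noises e0, e1, e2 are sampled independently (the page's cancellation rule is in an image not on the page)."""
import random

Q, N, M, T, L = 17, 8, 4, 2, 4
H, SLOT = N // 2, N // M   # split point x^H; number of point values in each user's block
OMEGA = 2                  # primitive N-th root of unity mod Q (2^8 = 1, 2^4 = 16 != 1 mod 17)

def to_ntt(p):
    """NTT.ToNtt: coefficients -> values at OMEGA^j, j = 0..N-1 (cyclic N-point transform)."""
    return [sum(c * pow(OMEGA, j * k, Q) for k, c in enumerate(p)) % Q for j in range(N)]

def to_poly(pts):
    """NTT.ToPoly: inverse transform."""
    inv_n, inv_w = pow(N, -1, Q), pow(OMEGA, -1, Q)
    return [inv_n * sum(v * pow(inv_w, j * k, Q) for j, v in enumerate(pts)) % Q for k in range(N)]

def split_half(p):
    """p = lo + hi * x^H with deg lo, deg hi < H, both zero-padded to N coefficients (S31, S43)."""
    return p[:H] + [0] * H, p[H:] + [0] * H

def add_shifted(lo, hi):
    """lo + hi * x^H reduced in R_q = Z_q[x]/(x^N + 1)  (S5: rlk_i = rlk0_i + rlk1_i * x^H)."""
    return [(lo[k] + (hi[k - H] if k >= H else -hi[k + H])) % Q for k in range(N)]

def mul_ring(a, b):
    """Schoolbook product in R_q (x^N = -1); used by the verifier only, never by a user."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return [c % Q for c in out]

def sample_ternary(rng, terms=N):
    """Stand-in for chi: coefficients in {-1, 0, 1}; only the first `terms` may be non-zero."""
    return [rng.choice((-1, 0, 1)) for _ in range(terms)] + [0] * (N - terms)

def share_secret(sk):
    """S3: NTT both halves of sk_u0; user v gets the v-th block of SLOT points (HPKE transport omitted)."""
    nna, nnb = (to_ntt(half) for half in split_half(sk))
    return [(nna[v * SLOT:(v + 1) * SLOT], nnb[v * SLOT:(v + 1) * SLOT]) for v in range(M)]

def aggregate(received):
    """S41: user u adds up the block it received from every user, itself included."""
    return tuple([sum(r[c][k] for r in received) % Q for k in range(SLOT)] for c in (0, 1))

def rlk_shares(u, nnSa, nnSb, a_list, rng, noisy=True):
    """S42/S43: user u's share for each i. Key-dependent terms fill only u's block; the noise
    (assumption: full-length NTT(e2 - e0) on nnrlk0 and NTT(e1) on nnrlk1) covers all N points."""
    shares, noise = [], []
    for i, a_i in enumerate(a_list):
        nnAa, nnBa = (to_ntt(half) for half in split_half(a_i))
        e0, e1, e2 = (sample_ternary(rng, t) if noisy else [0] * N for t in (N, H, N))
        nne0, nne1, nne2, ti = to_ntt(e0), to_ntt(e1), to_ntt(e2), pow(T, i, Q)
        r0, r1 = [(nne2[k] - nne0[k]) % Q for k in range(N)], list(nne1)
        for j in range(SLOT):
            k, sa, sb = u * SLOT + j, nnSa[j], nnSb[j]
            r0[k] = (r0[k] + sb * nnBa[k] - sa * nnAa[k] + ti * (sa * sa - sb * sb)) % Q
            r1[k] = (r1[k] + 2 * ti * sa * sb - sa * nnBa[k] - sb * nnAa[k]) % Q
        shares.append((r0, r1))
        noise.append(add_shifted([(y - x) % Q for x, y in zip(e0, e2)], e1))
    return shares, noise

def combine(all_shares):
    """S5: the server sums the point-value shares, inverts the NTT and forms rlk_i."""
    def total(i, c): return to_poly([sum(sh[i][c][k] for sh in all_shares) % Q for k in range(N)])
    return [add_shifted(total(i, 0), total(i, 1)) for i in range(L + 1)]

def run(seed=1, noisy=True):
    """Whole protocol: returns a_list, the joint secret s, rlk_list and the total injected noise."""
    rng = random.Random(seed)
    a_list = [[rng.randrange(Q) for _ in range(N)] for _ in range(L + 1)]   # uniform a_i in R_q
    sks = [sample_ternary(rng) for _ in range(M)]                             # S2: sk_v0
    dealt = [share_secret(sk) for sk in sks]                                  # dealt[v][u]: v -> u
    all_shares, total = [], [[0] * N for _ in range(L + 1)]
    for u in range(M):
        nnSa, nnSb = aggregate([dealt[v][u] for v in range(M)])
        sh, noise = rlk_shares(u, nnSa, nnSb, a_list, rng, noisy)
        all_shares.append(sh)
        total = [[(x + y) % Q for x, y in zip(t, n)] for t, n in zip(total, noise)]
    return a_list, [sum(sk[k] for sk in sks) % Q for k in range(N)], combine(all_shares), total

def residuals(a_list, s, rlk_list):
    """rlk_i + a_i*s - T^i*s^2 in R_q: the noise left in each BFV relinearization key."""
    s2, out = mul_ring(s, s), []
    for i, (a_i, rlk) in enumerate(zip(a_list, rlk_list)):
        a_s, ti = mul_ring(a_i, s), pow(T, i, Q)
        out.append([(rlk[k] + a_s[k] - ti * s2[k]) % Q for k in range(N)])
    return out

def aggregate_matches_joint_secret(seed=3):
    """S41 sanity check: the NTT is linear, so every aggregate is a block of NTT(sum of secrets)."""
    rng = random.Random(seed)
    sks = [sample_ternary(rng) for _ in range(M)]
    nna, nnb = (to_ntt(h) for h in split_half([sum(sk[k] for sk in sks) % Q for k in range(N)]))
    return all(aggregate([share_secret(sk)[u] for sk in sks]) ==
               (nna[u * SLOT:(u + 1) * SLOT], nnb[u * SLOT:(u + 1) * SLOT]) for u in range(M))
```

Two things the toy makes visible that the text only states: `to_poly` of a point-wise product equals the true product only when both factors have degree below H, which is exactly why S31 and S43 split before transforming (squaring a full-length element through the cyclic NTT gives the cyclic convolution, not the element of R_q); and `aggregate_matches_joint_secret` shows that a user's S41 aggregate is a block of the transform of the joint secret, so its block-wise products are the right entries of NTT(s^2) and NTT(a_i·s) even though no user holds s.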
Detailed Description
Example 1:
A lattice-based distributed relinearization public key generation method comprises the following steps:
Step 1, system initialization: set the initial parameters of the lattice cryptosystem and of the relinearization-key generation process, as follows.
The system parameters are params = {param0, param1}.
For param0
Figure BDA0002936492330000052
set the security parameter λ = 128; the number of participating users m = 4 (m may be any power of 2 in practice; 4 is used in this embodiment); the ordered set of all participating users U = {A, B, C, D}; the polynomial degree d = 2047; the polynomial-coefficient modulus q = 18014398492704769; the plaintext polynomial modulus t = 114689; the cyclotomic polynomial f(x) = x^2048 + 1 (the page prints x^2047 + 1, which is not a cyclotomic polynomial; with d + 1 = 2048 coefficients the ring is reduced modulo x^{d+1} + 1); and the ring
Figure BDA0002936492330000053
R_q denotes the polynomials with coefficients reduced modulo q. Then set the error distribution χ and the uniform distribution μ, and sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000054
Finally, fix the hybrid encryption scheme HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}: set the relinearization-key parameter T = 256 and compute l from T and q
Figure BDA0002936492330000061
(this gives i = 0, ..., 6 below, consistent with l = ⌊log_T q⌋ in BFV). For i = 0, ..., 6, sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000062
to form the set
Figure BDA0002936492330000063
Finally, fix the number-theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2, user key generation: generate the user's personal public/private key pair together with a hybrid-encryption key pair, as follows.
Input params; sample uniformly at random a 2048-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}
Figure BDA0002936492330000064
then sample a 2048-term noise polynomial from χ
Figure BDA0002936492330000065
set
Figure BDA0002936492330000066
and
Figure BDA0002936492330000067
Run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the HPKE encryption/decryption key pair, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Step 3, relinearization-key generation initialization: split the private-key polynomial to generate and distribute the shares of the user's private key, as follows.
Input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U}. First split the degree-2047 private-key polynomial sk_u0 into two sub-private-key polynomials ask_u0 and bsk_u0 of degree at most 1023 satisfying sk_u0 = ask_u0 + bsk_u0·x^1024 (x being the indeterminate); ask_u0 and bsk_u0 thus have highest degree 1023 and their last 1024 coefficients are all 0. Then apply NTT.ToNtt() to ask_u0 and bsk_u0 (coefficient representation) to obtain nnask_u0 and nnbsk_u0 (point-value representation), each with 2048 entries, the highest index being 2047.
Then split nnask_u0 and nnbsk_u0 into 4 sub-private-key shares each, following the ordered set U = {A, B, C, D}: starting from entry 1 of nnask_u0, every 512 entries form one share, assigned in order to the users of U, i.e. the sub-private-key share nnSa_u1 of user A is the first 512 entries of nnask_u0, and so on, until the sub-private-key share nnSa_um of user D is the last 512 entries. nnbsk_u0 is split in the same way, so that
Figure BDA0002936492330000068
Finally, package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v∈U, and encrypt them under user v's public key pk_v1 by running nnES_uv ← HPKE.Enc(pk_v1, nnS_uv). The output is the set {nnES_uv}_{v∈U} of encrypted shares that user u distributes to all users in U; the set has 4 elements.
Step 4, relinearization-key share generation: after a user has collected the private-key shares sent by all other users, it computes its share of the relinearization public key via the number-theoretic transform; before submitting its personal relinearization-key share, it protects the share with two noise terms that cancel under addition, so that an adversary who collects the relinearization-key shares cannot steal a private key by analysing them. The steps are as follows.
Input params and the set {nnES_vu}_{v∈U} of encrypted shares that user u received from all users in the ordered set U (itself included). First decrypt them: {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U}. Then parse {nnS_vu}_{v∈U} into {{nnSa_1u, nnSb_1u}, ..., {nnSa_4u, nnSb_4u}}. Then sum the shares nnSa_vu and nnSb_vu (v∈U) respectively:
Figure BDA0002936492330000071
Figure BDA0002936492330000072
The resulting polynomials nnSa_u and nnSb_u are the aggregated shares held by user u.
Sample a 2048-term noise polynomial from χ
Figure BDA0002936492330000073
and a 2048-term noise polynomial of highest degree 1023
Figure BDA0002936492330000074
(its last 1024 coefficients are all 0), and compute
Figure BDA0002936492330000075
Apply NTT.ToNtt() to each coefficient-form polynomial: input
Figure BDA0002936492330000076
output nnei_0 (point-value form); input
Figure BDA0002936492330000077
output nnei_1; input
Figure BDA0002936492330000078
output nnei_2.
For i = 0, ..., 6, split the degree-2047 polynomial of a_list
Figure BDA0002936492330000079
into two 2048-term polynomials Aa_i and Ba_i of highest degree 1023 satisfying
Figure BDA00029364923300000710
Apply NTT.ToNtt() to Aa_i and Ba_i (coefficient representation) to obtain nnAa_i and nnBa_i (point-value representation), and compute, with · the point-wise product,
nnrlk0_ui = nnSb_u·nnBa_i − nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) − nnei_0 + nnei_2,
nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) − nnSa_u·nnBa_i − nnSb_u·nnAa_i + nnei_1.
Finally output user u's relinearization-key share {{nnrlk0_u0, nnrlk1_u0}, ..., {nnrlk0_u6, nnrlk1_u6}}.
Step 5, relinearization-key generation: the server collects every user's relinearization-key share, combines them and publishes the relinearization public key, as follows.
Input params and the relinearization-key share sets of all users: {{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,6]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,6]}, ..., {{nnrlk0_4i, nnrlk1_4i}}_{i∈[0,6]}. For i = 0, ..., 6 compute
Figure BDA0002936492330000081
Apply NTT.ToPoly() to the point-value polynomials nnrlk0_i and nnrlk1_i to obtain rlk0_i and rlk1_i in coefficient representation, compute rlk_i = rlk0_i + rlk1_i·x^1024 (x being the indeterminate), and finally output the relinearization public key set rlk_list = {rlk_i}, i ∈ [0, 6].
Example 2
A lattice-based distributed relinearization public key generation method comprises the following steps:
Step 1, system initialization: set the initial parameters of the lattice cryptosystem and of the relinearization-key generation process, as follows.
The system parameters are params = {param0, param1}.
For param0
Figure BDA0002936492330000082
set the security parameter λ = 128; the number of participating users m = 4 (m may be any power of 2 in practice; 4 is used in this embodiment); the ordered set of all participating users U = {A, B, C, D}; the polynomial degree d = 4095; the polynomial-coefficient modulus q = 324518553658426726783156032454657; the plaintext polynomial modulus t = 114689; the cyclotomic polynomial f(x) = x^4096 + 1 (the page prints x^4095 + 1, which is not a cyclotomic polynomial; with d + 1 = 4096 coefficients the ring is reduced modulo x^{d+1} + 1); and the ring
Figure BDA0002936492330000083
R_q denotes the polynomials with coefficients reduced modulo q. Then set the error distribution χ and the uniform distribution μ, and sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000084
Finally, fix the hybrid encryption scheme HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}: set the relinearization-key parameter T = 256 and compute l from T and q
Figure BDA0002936492330000085
(this gives i = 0, ..., 13 below, consistent with l = ⌊log_T q⌋ in BFV). For i = 0, ..., 13, sample a polynomial from R_q uniformly at random
Figure BDA0002936492330000086
to form the set
Figure BDA0002936492330000087
Finally, fix the number-theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2, user key generation: generate the user's personal public/private key pair together with a hybrid-encryption key pair, as follows.
Input params; sample uniformly at random a 4096-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}
Figure BDA0002936492330000088
then sample a 4096-term noise polynomial from χ
Figure BDA0002936492330000089
set
Figure BDA00029364923300000810
and
Figure BDA00029364923300000811
Run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the HPKE encryption/decryption key pair, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Step 3, relinearization-key generation initialization: split the private-key polynomial to generate and distribute the shares of the user's private key, as follows.
Input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U}. First split the degree-4095 private-key polynomial sk_u0 into two sub-private-key polynomials ask_u0 and bsk_u0 of degree at most 2047 satisfying sk_u0 = ask_u0 + bsk_u0·x^2048 (x being the indeterminate); ask_u0 and bsk_u0 thus have highest degree 2047 and their last 2048 coefficients are all 0. Then apply NTT.ToNtt() to ask_u0 and bsk_u0 (coefficient representation) to obtain nnask_u0 and nnbsk_u0 (point-value representation), each with 4096 entries, the highest index being 4095.
Then split nnask_u0 and nnbsk_u0 into 4 sub-private-key shares each, following the ordered set U = {A, B, C, D}: starting from entry 1 of nnask_u0, every 1024 entries form one share, assigned in order to the users of U, i.e. the sub-private-key share nnSa_u1 of user A is the first 1024 entries of nnask_u0, and so on, until the sub-private-key share nnSa_um of user D is the last 1024 entries. nnbsk_u0 is split in the same way, so that
Figure BDA0002936492330000091
Finally, package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v∈U, and encrypt them under user v's public key pk_v1 by running nnES_uv ← HPKE.Enc(pk_v1, nnS_uv). The output is the set {nnES_uv}_{v∈U} of encrypted shares that user u distributes to all users in U; the set has 4 elements.
Step 4, relinearization-key share generation: after a user has collected the private-key shares sent by all other users, it computes its share of the relinearization public key via the number-theoretic transform; before submitting its personal relinearization-key share, it protects the share with two noise terms that cancel under addition, so that an adversary who collects the relinearization-key shares cannot steal a private key by analysing them. The steps are as follows.
Input params and the set {nnES_vu}_{v∈U} of encrypted shares that user u received from all users in the ordered set U (itself included). First decrypt them: {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U}. Then parse {nnS_vu}_{v∈U} into {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_4u, nnSb_4u}}. Then sum the shares nnSa_vu and nnSb_vu (v∈U) respectively:
Figure BDA0002936492330000092
The resulting polynomials nnSa_u and nnSb_u are the aggregated shares held by user u.
Sample a 4096-term noise polynomial from χ
Figure BDA0002936492330000101
and a 4096-term noise polynomial of highest degree 2047
Figure BDA0002936492330000102
(its last 2048 coefficients are all 0), and compute
Figure BDA0002936492330000103
Apply NTT.ToNtt() to each coefficient-form polynomial: input
Figure BDA0002936492330000104
output nnei_0 (point-value form); input
Figure BDA0002936492330000105
output nnei_1; input
Figure BDA0002936492330000106
output nnei_2.
For i = 0, ..., 13, split the 4096-term polynomial of a_list
Figure BDA0002936492330000107
into two 4096-term polynomials Aa_i and Ba_i of highest degree 2047 satisfying
Figure BDA0002936492330000108
Apply NTT.ToNtt() to Aa_i and Ba_i (coefficient representation) to obtain nnAa_i and nnBa_i (point-value representation), and compute, with · the point-wise product,
nnrlk0_ui = nnSb_u·nnBa_i − nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) − nnei_0 + nnei_2,
nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) − nnSa_u·nnBa_i − nnSb_u·nnAa_i + nnei_1.
Finally output user u's relinearization-key share {{nnrlk0_u0, nnrlk1_u0}, ..., {nnrlk0_u13, nnrlk1_u13}}.
Step 5, relinearization-key generation: the server collects every user's relinearization-key share, combines them and publishes the relinearization public key, as follows.
Input params and the relinearization-key share sets of all users: {{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,13]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,13]}, ..., {{nnrlk0_4i, nnrlk1_4i}}_{i∈[0,13]}. For i = 0, ..., 13 compute
Figure BDA0002936492330000109
Apply NTT.ToPoly() to the point-value polynomials nnrlk0_i and nnrlk1_i to obtain rlk0_i and rlk1_i in coefficient representation, compute rlk_i = rlk0_i + rlk1_i·x^2048 (x being the indeterminate), and finally output the relinearization public key set rlk_list = {rlk_i}, i ∈ [0, 13].
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
It should be understood that the above-described examples are merely illustrative for clearly explaining the present invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of its claims.

Claims (10)

1. A lattice-based distributed re-linearization public key generation method, characterized by comprising the following steps:
S1, system initialization: setting the initial parameters of the lattice-based cryptosystem and of the re-linearization public key generation process;
S2, user key generation: generating each user's own public/private key pair, with the aid of a hybrid encryption system;
S3, re-linearization public key generation initialization: splitting the private key polynomial to generate and distribute the user's personal private key shares;
S4, re-linearization public key share generation: after a user has collected the private key shares sent by all other users, the user's computation of its re-linearization public key share is completed by number-theoretic transform; before submitting its personal re-linearization public key share, the user protects the share with two additively cancelable noises;
S5, re-linearization public key generation: the server collects each user's re-linearization public key share, then combines and publishes the re-linearization public key.
2. The method of claim 1, wherein the system initialization comprises setting the system parameters params = {param0, param1}, wherein param0 is the set of initialization parameters of the lattice-based cryptosystem and param1 is the set of parameters of the distributed re-linearization public key generation phase.
3. The lattice-based distributed re-linearization public key generation method of claim 2, wherein for
Figure FDA0002936492320000011
the security parameter λ and the number m of participating users are set specifically; the ordered set U of all participating users, the polynomial degree d, the modulus q of the polynomial coefficients, the plaintext polynomial modulus t, the cyclotomic polynomial f(x), and the ring
Figure FDA0002936492320000012
are set, where R_q denotes the polynomials with coefficients modulo q; then the distribution χ and the uniform distribution μ are set, and a polynomial is selected from R_q according to the uniform distribution
Figure FDA0002936492320000013
finally, a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()} is determined, wherein HPKE.Gen() is the key generation algorithm of the hybrid encryption system, whose input is a security parameter and whose output is an encryption/decryption key pair; HPKE.Enc() is the encryption algorithm of the hybrid encryption system, whose inputs are an encryption key and a plaintext and whose output is a ciphertext; HPKE.Dec() is the decryption algorithm of the hybrid encryption system, whose inputs are a ciphertext and a decryption key and whose output is a plaintext.
4. The lattice-based distributed re-linearization public key generation method of claim 3, wherein for param1 = {T, l, a_list, NTT}, the re-linearization public key parameter is set to an integer T, and then the following parameter is calculated:
Figure FDA0002936492320000021
for i = 0, ..., l, polynomials are selected from R_q according to the uniform distribution
Figure FDA00029364923200000213
to form the set
Figure FDA0002936492320000022
finally, a number-theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()} is determined, wherein the input of NTT.ToNtt() is a (d+1)-term polynomial in coefficient representation and the output is a (d+1)-term polynomial in point-value representation; the input of NTT.ToPoly() is a (d+1)-term polynomial in point-value representation and the output is a (d+1)-term polynomial in coefficient representation.
5. The lattice-based distributed re-linearization public key generation method of claim 4, wherein the system initialization finally outputs
Figure FDA0002936492320000023
6. The lattice-based distributed re-linearization public key generation method of claim 5, wherein the user key generation specifically comprises: inputting params, and selecting uniformly at random a (d+1)-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}
Figure FDA0002936492320000024
then selecting a (d+1)-term noise polynomial according to the distribution χ
Figure FDA0002936492320000025
and setting
Figure FDA0002936492320000026
and
Figure FDA0002936492320000027
wherein [·]_q denotes reducing the polynomial coefficients in the brackets modulo q one by one; the operation (pk_{u1}, sk_{u1}) ← HPKE.Gen(1^λ) is run to obtain the encryption/decryption key pair of the HPKE system, sk_u = (sk_{u0}, sk_{u1}) and pk_u = (pk_{u0}, pk_{u1}) are set, and the public/private key pair (pk_u, sk_u) is output.
7. The lattice-based distributed re-linearization public key generation method of claim 6, wherein the initialization of the re-linearization public key generation specifically comprises:
S31, inputting params, the private key sk_{u0} of user u, and the set of public keys {pk_{v1}}_{v∈U} of the user set U; first, the private key polynomial sk_{u0} of highest order d is split into two sub-private-key polynomials ask_{u0} and bsk_{u0} of highest order
Figure FDA0002936492320000028
that satisfy
Figure FDA0002936492320000029
where x is the polynomial variable; at this time the highest order of the non-zero coefficient terms of ask_{u0} and bsk_{u0} is
Figure FDA00029364923200000210
and the coefficients of the last
Figure FDA00029364923200000211
terms are all 0; then, using the NTT.ToNtt() algorithm of the number-theoretic transform, the coefficient-representation polynomials ask_{u0} and bsk_{u0} are input respectively and the point-value-representation polynomials nnask_{u0}, nnbsk_{u0} are output; at this time nnask_{u0} and nnbsk_{u0} each have d+1 terms and highest order d;
S32, splitting the sub-private keys nnask_{u0} and nnbsk_{u0} into m sub-private-key shares each, according to the ordered user set U; specifically, starting from the 1st term of the polynomial nnask_{u0}, every
Figure FDA00029364923200000212
terms are taken as one share and assigned in order to the users of the ordered set U, i.e. the sub-private-key share nnSa_{u1} of user 1 is the first
Figure FDA0002936492320000031
terms of nnask_{u0}, and so on, and the sub-private-key share nnSa_{um} of the m-th user is the last
Figure FDA0002936492320000032
terms of nnask_{u0}; similarly, the sub-private key nnbsk_{u0} is split into shares in the same way as nnask_{u0}, and finally the following is satisfied
Figure FDA0002936492320000033
S33, packing the shares to be sent to user v as nnS_{uv} = {nnSa_{uv}, nnSb_{uv}}, v ∈ U, and encrypting them with the public key pk_{v1} of user v by running HPKE.Enc(pk_{v1}, nnS_{uv}) to obtain the encrypted secret share nnES_{uv}; the output is the encrypted share set {nnES_{uv}}_{v∈U} that user u distributes to all users in the set U, the set having m elements in total.
8. The lattice-based distributed re-linearization public key generation method of claim 7, wherein the re-linearization public key share generation specifically includes:
S41, inputting params and the encrypted share set {nnES_{vu}}_{v∈U} that user u has received from all users in the ordered set U; first decrypt by running {nnS_{vu} ← HPKE.Dec(sk_{u1}, nnES_{vu})}_{v∈U} to obtain the share set; then parse {nnS_{vu}}_{v∈U} to obtain {{nnSa_{1u}, nnSb_{1u}}, {nnSa_{2u}, nnSb_{2u}}, ..., {nnSa_{mu}, nnSb_{mu}}}; finally, the shares nnSa_{vu} and nnSb_{vu} (v ∈ U) are aggregated respectively by calculating
Figure FDA0002936492320000034
at this time the polynomials nnSa_u and nnSb_u are the aggregated shares held by user u;
S42, randomly selecting a (d+1)-term noise polynomial according to the distribution χ
Figure FDA0002936492320000035
and a noise polynomial whose non-zero coefficient terms have highest order
Figure FDA0002936492320000036
namely
Figure FDA0002936492320000037
whose last
Figure FDA0002936492320000038
coefficients are all 0; then calculate
Figure FDA0002936492320000039
Using the NTT.ToNtt() algorithm of the number-theoretic transform, input the coefficient-representation polynomial
Figure FDA00029364923200000310
and output the point-value-representation polynomial nne_{i0}; input the coefficient-representation polynomial
Figure FDA00029364923200000311
and output the point-value-representation polynomial nne_{i1}; input the coefficient-representation polynomial
Figure FDA00029364923200000312
and output the point-value-representation polynomial nne_{i2};
S43, for i = 0, ..., l, the polynomial of degree d in a_list
Figure FDA00029364923200000313
is split into two polynomials Aa_i and Ba_i whose non-zero coefficient terms have highest order
Figure FDA00029364923200000314
and whose last
Figure FDA00029364923200000315
coefficients are all 0, satisfying
Figure FDA0002936492320000041
Using the NTT.ToNtt() algorithm of the number-theoretic transform, input the coefficient-representation polynomials Aa_i and Ba_i and output the point-value-representation polynomials nnAa_i, nnBa_i, then calculate nnrlk0_{u,i} = nnSb_u·nnBa_i - nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u - nnSb_u·nnSb_u) - nne_{i0} + nne_{i2}, nnrlk1_{u,i} = 2T^i(nnSa_u·nnSb_u) - nnSa_u·nnBa_i - nnSb_u·nnAa_i + nne_{i1}; finally, output the re-linearization public key share of user u: {{nnrlk0_{u,0}, nnrlk1_{u,0}}, {nnrlk0_{u,1}, nnrlk1_{u,1}}, ..., {nnrlk0_{u,l}, nnrlk1_{u,l}}}.
9. The lattice-based distributed re-linearization public key generation method of claim 8, wherein the re-linearization public key generation specifically includes: inputting params and the set of re-linearization public key shares of all users
{{{nnrlk0_{1,i}, nnrlk1_{1,i}}}_{i∈[0,l]}, {{nnrlk0_{2,i}, nnrlk1_{2,i}}}_{i∈[0,l]}, ..., {{nnrlk0_{m,i}, nnrlk1_{m,i}}}_{i∈[0,l]}};
for i = 0, ..., l, calculate
Figure FDA0002936492320000042
using the NTT.ToPoly() algorithm of the number-theoretic transform, input the point-value-representation polynomials nnrlk0_i and nnrlk1_i respectively and output the coefficient-representation polynomials rlk0_i and rlk1_i, and calculate
Figure FDA0002936492320000043
where x is the polynomial variable, and finally output the re-linearization public key set rlk_list = {rlk_i}, where i ∈ [0, l].
10. The lattice-based distributed re-linearization public key generation method of any one of claims 3 to 9, characterized in that the number m of users is an integer power of 2; the polynomial degree d is 1 less than an integer power of 2; and the modulus q of the polynomial coefficients is a large prime.
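As an added illustration of steps 4 and 5 of the description above and of claims 7 to 9, the following Python script (written for this page; it is not the patent's or the inventors' code) runs the whole flow with toy parameters, n = d+1 = 8, q = 17, T = 2, m = 2 users, and then checks the combined key against the relinearization relation rlk_i = -(a_i·s + E_i) + T^i·s^2 for the joint secret s = Σ_u s_u, where E_i is the sum of the users' e_{i0} noises. Because the equation images are missing from the extracted text, several details are assumptions and are marked as such in the code: the cyclotomic polynomial is x^n + 1 (consistent with claim 10); the NTT is the plain n-point cyclic transform, which is exact for products of the half-degree polynomials that the split into ask/bsk and Aa/Ba produces, and which is why the halves are only glued back together after the inverse NTT; the cancelable noise is e_{i2} = -e_{i1}·x^{n/2}, so that it vanishes when the server forms rlk0_i + rlk1_i·x^{n/2}; "Ti" in the text is read as T^i; and the HPKE transport of the shares is omitted since it does not affect the arithmetic. Function names such as `split_secret_shares` and `relin_residual` are this example's own.

```python
import random

# Toy parameters (constructed for this example): N = d+1 terms, prime modulus Q, relinearization
# base T with L = floor(log_T Q), M users, split point H = N/2. N and M are powers of two (claim 10).
N, Q, T, L, M = 8, 17, 2, 4, 2
H = N // 2
OMEGA = 9  # primitive N-th root of unity mod Q (9^4 = -1 mod 17)

def ntt(poly):
    """NTT.ToNtt stand-in: plain cyclic N-point transform (assumption, see lead-in)."""
    return [sum(c * pow(OMEGA, j * k, Q) for j, c in enumerate(poly)) % Q for k in range(N)]

def intt(vals):
    """NTT.ToPoly stand-in: inverse of ntt()."""
    inv_n, inv_w = pow(N, -1, Q), pow(OMEGA, -1, Q)
    return [inv_n * sum(v * pow(inv_w, j * k, Q) for k, v in enumerate(vals)) % Q for j in range(N)]

def padd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def psub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def pmul(a, b): return [(x * y) % Q for x, y in zip(a, b)]  # pointwise product (NTT domain)
def pscale(c, a): return [(c * x) % Q for x in a]

def split_half(poly):
    """poly = low + high * x^H with deg(low), deg(high) < H; both zero-padded to N terms."""
    return poly[:H] + [0] * H, poly[H:] + [0] * H

def reduce_negacyclic(coeffs):
    """Reduce a polynomial of degree < 2N modulo x^N + 1 (the assumed f(x)) and Q."""
    out = [0] * N
    for j, c in enumerate(coeffs):
        out[j % N] = (out[j % N] + (c if j < N else -c)) % Q
    return out

def poly_mul_ring(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1); used only by the final check."""
    prod = [sum(a[i] * b[k - i] for i in range(N) if 0 <= k - i < N) for k in range(2 * N - 1)]
    return reduce_negacyclic(prod)

def small_noise(rng, terms):
    """Chi-distribution stand-in: coefficients in {-1, 0, 1} on the first `terms` terms, zeros after."""
    return [rng.choice((-1, 0, 1)) % Q for _ in range(terms)] + [0] * (N - terms)

def split_secret_shares(s_u):
    """S3: s_u = ask + bsk * x^H, NTT both, give chunk v of the point values to user v."""
    nnask, nnbsk = map(ntt, split_half(s_u))
    chunk, shares = N // M, []
    for v in range(M):
        mask = [1 if v * chunk <= k < (v + 1) * chunk else 0 for k in range(N)]
        shares.append((pmul(nnask, mask), pmul(nnbsk, mask)))
    return shares

def user_rlk_shares(rng, received, a_list):
    """S4: aggregate received chunks, then emit (rlk0, rlk1, e_i0) per i; e_i0 is kept only for checking."""
    nnSa = [sum(c) % Q for c in zip(*(sa for sa, _ in received))]
    nnSb = [sum(c) % Q for c in zip(*(sb for _, sb in received))]
    out = []
    for i, a_i in enumerate(a_list):
        e0 = small_noise(rng, N)                    # full-length noise, stays in the key
        e1 = small_noise(rng, H)                    # half-length mask on rlk1 ...
        e2 = [(-c) % Q for c in [0] * H + e1[:H]]   # ... cancelled by -e1 * x^H in rlk0 (assumption)
        nne0, nne1, nne2 = ntt(e0), ntt(e1), ntt(e2)
        nnAa, nnBa = map(ntt, split_half(a_i))
        Ti = pow(T, i, Q)                           # the text's "Ti" read as T^i (assumption)
        rlk0 = psub(pmul(nnSb, nnBa), pmul(nnSa, nnAa))
        rlk0 = padd(rlk0, pscale(Ti, psub(pmul(nnSa, nnSa), pmul(nnSb, nnSb))))
        rlk0 = padd(psub(rlk0, nne0), nne2)
        rlk1 = pscale(2 * Ti, pmul(nnSa, nnSb))
        rlk1 = padd(psub(psub(rlk1, pmul(nnSa, nnBa)), pmul(nnSb, nnAa)), nne1)
        out.append((rlk0, rlk1, e0))
    return out

def server_combine(all_shares):
    """S5: sum the users' shares pointwise, inverse-NTT, glue rlk_i = rlk0_i + rlk1_i * x^H."""
    rlk_list = []
    for i in range(L + 1):
        rlk0_i = intt([sum(c) % Q for c in zip(*(user[i][0] for user in all_shares))])
        rlk1_i = intt([sum(c) % Q for c in zip(*(user[i][1] for user in all_shares))])
        glued = [a + b for a, b in zip(rlk0_i + [0] * H, [0] * H + rlk1_i)]  # degree < N + H
        rlk_list.append(reduce_negacyclic(glued))
    return rlk_list

def run_protocol(seed=1):
    """Whole flow; returns (rlk_list, joint secret s, a_list, per-i sum of the e_i0 noises)."""
    rng = random.Random(seed)
    secrets = [small_noise(rng, N) for _ in range(M)]                      # S2: ternary s_u
    a_list = [[rng.randrange(Q) for _ in range(N)] for _ in range(L + 1)]  # public uniform a_i
    outbox = [split_secret_shares(s) for s in secrets]                    # S3 (HPKE omitted)
    all_shares = [user_rlk_shares(rng, [outbox[v][u] for v in range(M)], a_list) for u in range(M)]
    joint_s = [sum(c) % Q for c in zip(*secrets)]
    noise_sum = [[sum(c) % Q for c in zip(*(user[i][2] for user in all_shares))] for i in range(L + 1)]
    return server_combine(all_shares), joint_s, a_list, noise_sum         # S5

def relin_residual(rlk_list, joint_s, a_list):
    """rlk_i + a_i * s - T^i * s^2 in the ring; equals -sum_u e_{u,i0} when the key is right."""
    s2 = poly_mul_ring(joint_s, joint_s)
    return [psub(padd(rlk_i, poly_mul_ring(a_i, joint_s)), pscale(pow(T, i, Q), s2))
            for i, (rlk_i, a_i) in enumerate(zip(rlk_list, a_list))]

if __name__ == "__main__":
    rlk, s, a_list, noise = run_protocol()
    print(relin_residual(rlk, s, a_list) == [[(-c) % Q for c in e] for e in noise])  # True
```

The check at the end is the property a verifier of such a protocol would want: every e_{i1} mask the users added disappears from the published key, and what remains is exactly the BFV-style key for the joint secret with only the Σ_u e_{i0} noise, so no user's individual s_u is needed to form it. Swapping M for 4 and N for 16 (with a matching q and root of unity) exercises the same code on the embodiment's user count.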
CN202110160700.7A 2021-02-05 2021-02-05 Grid-based distributed re-linearization public key generation method Active CN112906020B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110160700.7A CN112906020B (en) 2021-02-05 2021-02-05 Grid-based distributed re-linearization public key generation method

Publications (2)

Publication Number Publication Date
CN112906020A true CN112906020A (en) 2021-06-04
CN112906020B CN112906020B (en) 2023-07-21

Family

ID=76122804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110160700.7A Active CN112906020B (en) 2021-02-05 2021-02-05 Grid-based distributed re-linearization public key generation method

Country Status (1)

Country Link
CN (1) CN112906020B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180259737A1 (en) * 2015-08-24 2018-09-13 Korea Advanced Institute Of Science And Technology High-Speed Communication System and Method with Enhanced Security
US20190342080A1 (en) * 2018-05-01 2019-11-07 Huawei Technologies Co., Ltd. Systems, Devices, and Methods for Hybrid Secret Sharing
CN111342976A (en) * 2020-03-04 2020-06-26 Engineering University of the Chinese People's Armed Police Force Verifiable threshold proxy re-encryption method and system over ideal lattices

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Junfeng Fan et al.: "Somewhat Practical Fully Homomorphic", IACR Cryptology ePrint Archive *
Shai Halevi et al.: "An Improved RNS Variant of the BFV", Cryptographers' Track at the RSA Conference 2019 *
Sun Xiaoqiang: "Research on Lattice-Based Fully Homomorphic Encryption and Its Applications", China Doctoral Dissertations Full-text Database *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113591102A (en) * 2021-06-25 2021-11-02 Sun Yat-sen University Lattice-based distributed threshold additive homomorphic encryption method
CN113591102B (en) * 2021-06-25 2023-05-26 Sun Yat-sen University Lattice-based distributed threshold additive homomorphic encryption method

Also Published As

Publication number Publication date
CN112906020B (en) 2023-07-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant