CN112906020A - Lattice-based distributed re-linearization public key generation method - Google Patents
- Publication number: CN112906020A (application CN202110160700.7A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The invention relates to the technical field of secure multi-party computation based on fully homomorphic encryption, and in particular to a lattice-based distributed re-linearization public key generation method. Building on the lattice-based public and private key generation method of the BFV scheme, it provides a re-linearization public key generation initialization algorithm, a re-linearization public key share generation algorithm and a re-linearization public key generation algorithm. The user's private key is shared by splitting the private key polynomial, and each user's share of the re-linearization public key is computed through the number theoretic transform (NTT). Before a user finally submits its personal re-linearization public key share, the share is protected with two noise terms that cancel when added, which prevents an adversary who collects the re-linearization public key shares from recovering the private key by analysing them. The method injects less noise while remaining secure.
Description
Technical Field
The invention relates to the technical field of secure multi-party computation based on fully homomorphic encryption, and in particular to a lattice-based distributed re-linearization public key generation method.
Background
Today, big data technology is shaping everyday life. However, a user's personal data inevitably contains private information and cannot be collected directly when data is aggregated. How to aggregate the data of all parties and complete a computation while protecting users' information security and privacy is the central question of secure multi-party computation. Fully homomorphic encryption offers a practical answer to this problem and opens up a new mode of distributed computation on data. Fully homomorphic encryption supports addition and multiplication on ciphertexts and therefore has strong computational capability over encrypted data. Multiplication, however, relies on a re-linearization public key, and generating that public key depends on the private key. In a distributed computing environment, how to generate the re-linearization public key without revealing any user's personal private key is a difficult research problem. The lattice-based distributed re-linearization public key generation method proposed by Ivan et al. in the paper "Practical Covertly Secure MPC for Dishonest Majority - Or: Breaking the SPDZ Limits" has the problem of larger noise, which directly reduces the number of homomorphic operations that can be performed, and needs further improvement.
Disclosure of Invention
In order to overcome at least one defect of the prior art, the invention provides a lattice-based distributed re-linearization public key generation method that injects less noise while remaining secure.
To solve the technical problem, the invention adopts the following technical scheme. A lattice-based distributed re-linearization public key generation method comprises the following steps:
S1, system initialization: set the initial parameters of the lattice-based cryptosystem and of the re-linearization public key generation process;
S2, user key generation: generate the user's personal private and public key pair, using a hybrid encryption system;
S3, re-linearization public key generation initialization: split the private key polynomial to generate and share the user's personal private key shares;
S4, re-linearization public key share generation: after a user has collected the private key shares sent by all other users, the user computes its re-linearization public key share through the number theoretic transform; before submitting its personal re-linearization public key share, the user protects the share with two noise terms that cancel when added;
S5, re-linearization public key generation: the server collects each user's re-linearization public key share, synthesizes the re-linearization public key and publishes it.
Building on the lattice-based public and private key generation method of the BFV scheme, the invention extends it with a lattice-based distributed re-linearization public key generation method, aiming to reduce noise injection and increase the number of homomorphic computations while preserving the overall security of the method.
Further, system initialization includes setting the system parameters params = {param0, param1}, where param0 is the parameter set for initializing the lattice-based system and param1 is the parameter set for the distributed re-linearization public key generation phase.
Further, for param0 [formula omitted]: set the security parameter λ and the number m of participating users; the ordered set U of all participating users, the polynomial degree d, the modulus q of the polynomial coefficients, the plaintext polynomial modulus t, the cyclotomic polynomial f(x) and the ring [formula omitted], writing Rq for the polynomials with coefficients modulo q; then set the distribution χ and the uniform distribution μ, and select a polynomial [formula omitted] from Rq according to the uniform distribution; finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, where HPKE.Gen() is the key generation algorithm of the hybrid encryption system, whose input is a security parameter and whose output is an encryption and decryption key pair; HPKE.Enc() is the encryption algorithm of the hybrid encryption system, whose inputs are an encryption key and a plaintext and whose output is a ciphertext; and HPKE.Dec() is the decryption algorithm of the hybrid encryption system, whose inputs are a ciphertext and a decryption key and whose output is a plaintext.
Further, for param1 = {T, l, a_list, NTT}: set the re-linearization public key parameter to the integer T, then compute [formula omitted]; for i = 0, ..., l, select a polynomial [formula omitted] from Rq according to the uniform distribution in each case, forming the set [formula omitted]; finally, determine the number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}, where the input of NTT.ToNtt() is a polynomial of d + 1 terms in coefficient representation and its output is a polynomial of d + 1 terms in point-value representation, and the input of NTT.ToPoly() is a polynomial of d + 1 terms in point-value representation and its output is a polynomial of d + 1 terms in coefficient representation.
Further, the final output of system initialization is [formula omitted].
Further, user key generation specifically includes: input params, and uniformly at random select a polynomial [formula omitted] of d + 1 terms from the polynomial ring with coefficients in {-1, 0, 1}; then select a noise polynomial [formula omitted] of d + 1 terms according to the distribution χ; set [formula omitted] and [formula omitted], where [·]_q denotes reducing each polynomial coefficient inside the brackets modulo q; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the encryption and decryption key pair of the HPKE system, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public and private key pair (pk_u, sk_u).
Further, re-linearization public key generation initialization specifically includes:
S31, input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U} of the user set U. First, split the private key polynomial sk_u0 of highest degree d into two sub-private key polynomials ask_u0 and bsk_u0 of highest degree [formula omitted] satisfying [formula omitted], where x is the variable of the polynomial; at this point the highest-degree non-zero coefficient term of ask_u0 and bsk_u0 is [formula omitted] and the coefficients of their last [formula omitted] terms are all 0. Then, using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials ask_u0 and bsk_u0 respectively and output the point-value-representation polynomials nnask_u0 and nnbsk_u0; at this point nnask_u0 and nnbsk_u0 each have d + 1 terms and highest degree d;
S32, split the sub-private keys nnask_u0 and nnbsk_u0 into m sub-private key shares each according to the ordered set U of users. Specifically, starting from term 1 of the polynomial nnask_u0, every [formula omitted] terms are taken as one share and assigned in order to each user in the ordered set U, i.e. the sub-private key share nnSa_u1 of user number 1 is the first [formula omitted] terms of nnask_u0, and so on, until the sub-private key share nnSa_um of the m-th user is the last [formula omitted] terms of nnask_u0; similarly, the sub-private key nnbsk_u0 is split into shares in the same way as nnask_u0, and finally [formula omitted] holds;
S33, package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v ∈ U, and encrypt them with the public key pk_v1 of user v by running HPKE.Enc(pk_v1, nnS_uv) to obtain the encrypted secret share nnES_uv; the output is the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, which has m elements in total.
Further, re-linearization public key share generation specifically includes:
S41, input params; user u receives the set of encrypted shares {nnES_vu}_{v∈U} from all users in the ordered set U, then first decrypts them by running {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U} to obtain the set of shares; then parse {nnS_vu}_{v∈U} to obtain {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_mu, nnSb_mu}}; finally, the shares nnSa_vu and nnSb_vu (v ∈ U) are aggregated respectively by computing [formula omitted]; the resulting polynomials nnSa_u and nnSb_u are the aggregated shares owned by user u;
S42, randomly select a noise polynomial [formula omitted] of d + 1 terms according to the distribution χ and a noise polynomial [formula omitted] whose highest-degree non-zero coefficient term is [formula omitted] and whose last [formula omitted] coefficients are all 0, and compute [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, respectively input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei0; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei1; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei2;
S43, for i = 0, ..., l, split the polynomial [formula omitted] of degree d in a_list into two polynomials Aa_i and Ba_i whose highest-degree non-zero coefficient term is [formula omitted] and whose last [formula omitted] coefficients are all 0, satisfying [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials Aa_i and Ba_i and output the point-value-representation polynomials nnAa_i and nnBa_i; compute nnrlk0_ui = nnSb_u·nnBa_i - nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u - nnSb_u·nnSb_u) - nnei0 + nnei2 and nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) - nnSa_u·nnBa_i - nnSb_u·nnAa_i + nnei1; finally, output the re-linearization public key share of user u, {{nnrlk0_u0, nnrlk1_u0}, {nnrlk0_u1, nnrlk1_u1}, ..., {nnrlk0_ul, nnrlk1_ul}}.
Further, re-linearization public key generation specifically includes: input params and the set of re-linearization public key shares of all users {{{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,l]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,l]}, ..., {{nnrlk0_mi, nnrlk1_mi}}_{i∈[0,l]}}; for i = 0, ..., l, compute [formula omitted]; using the NTT.ToPoly() algorithm of the number theoretic transform, respectively input the point-value-representation polynomials nnrlk0_i and nnrlk1_i and output the coefficient-representation polynomials rlk0_i and rlk1_i, then compute [formula omitted], where x is the variable of the polynomial; finally, output the re-linearization public key set rlk_list = {rlk_i}, where i ∈ [0, l].
Further, the number of users m is an integer power of 2; the polynomial degree d is one less than an integer power of 2; and the modulus q of the polynomial coefficients is a large prime.
Compared with the prior art, the beneficial effects are as follows. The invention provides a lattice-based distributed re-linearization public key generation method which, building on the lattice-based public and private key generation method of the BFV scheme, provides a re-linearization public key generation initialization algorithm, a re-linearization public key share generation algorithm and a re-linearization public key generation algorithm. The user's private key is shared by splitting the private key polynomial, and each user's share of the re-linearization public key is computed through the number theoretic transform. Before a user finally submits its personal re-linearization public key share, the share is protected with two noise terms that cancel when added, which prevents an adversary who collects the re-linearization public key shares from recovering the private key by analysing them. The method injects less noise while remaining secure.
Detailed Description
Example 1:
A lattice-based distributed re-linearization public key generation method comprises the following steps:
Step 1: system initialization. Set the initial parameters of the lattice-based cryptosystem and of the re-linearization public key generation process, specifically as follows:
The system parameters are set as params = {param0, param1}.
For param0 [formula omitted]: set the security parameter λ = 128, the number of participating users m = 4 (depending on the actual situation the number of users may be any power of 2; 4 is used in this embodiment), the ordered set of all participating users U = {A, B, C, D}, the polynomial degree d = 2047, the modulus of the polynomial coefficients q = 18014398492704769, the plaintext polynomial modulus t = 114689, the cyclotomic polynomial f(x) = x^2047 + 1 and the ring [formula omitted], writing Rq for the polynomials with coefficients modulo q. Then set the distribution χ and the uniform distribution μ, and select a polynomial [formula omitted] from Rq according to the uniform distribution. Finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()} based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}: set the re-linearization public key parameter to the integer T = 256, then compute [formula omitted]; for i = 0, ..., 6, select a polynomial [formula omitted] from Rq according to the uniform distribution, forming the set [formula omitted]; finally, determine the number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2: user key generation. Generate the user's personal private and public key pair, using a hybrid encryption system, specifically as follows:
Input params, and uniformly at random select a polynomial [formula omitted] of 2048 terms from the polynomial ring with coefficients in {-1, 0, 1}; then select a noise polynomial [formula omitted] of 2048 terms according to the distribution χ; set [formula omitted] and [formula omitted]; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the encryption and decryption key pair of the HPKE system, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public and private key pair (pk_u, sk_u).
Step 3: re-linearization public key generation initialization. Split the private key polynomial to generate and share the user's private key shares, specifically as follows:
Input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U} of the user set U. First, split the private key polynomial sk_u0 of highest degree 2047 into two sub-private key polynomials ask_u0 and bsk_u0 of highest degree 1023 satisfying sk_u0 = ask_u0 + bsk_u0·x^1024 (where x is the variable of the polynomial); at this point ask_u0 and bsk_u0 have highest degree 1023 and the coefficients of their last 1024 terms are 0. Then, using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials ask_u0 and bsk_u0 respectively and output the point-value-representation polynomials nnask_u0 and nnbsk_u0; at this point nnask_u0 and nnbsk_u0 each have 2048 terms and highest degree 2047.
Then split the sub-private keys nnask_u0 and nnbsk_u0 into 4 sub-private key shares each according to the ordered set of users U = {A, B, C, D}. Specifically, starting from term 1 of the polynomial nnask_u0, every 512 terms are taken as one share and assigned in order to each user in the ordered set U, i.e. the sub-private key share nnSa_u1 of user A is the first 512 terms of nnask_u0, and so on, until the sub-private key share nnSa_um of user D is the last 512 terms of nnask_u0. The sub-private key nnbsk_u0 is split into shares in the same way, giving [formula omitted].
Finally, package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v ∈ U, and encrypt them with the public key pk_v1 of user v by running HPKE.Enc(pk_v1, nnS_uv) to obtain the encrypted secret share nnES_uv. The output is the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, which has 4 elements in total.
Step 4: re-linearization public key share generation. After a user has collected the private key shares sent by all other users, the user computes its re-linearization public key share through the number theoretic transform; before submitting its personal re-linearization public key share, the user protects the share with two noise terms that cancel when added, which prevents an adversary who collects the re-linearization public key shares from stealing a private key by analysing them. Specifically:
Input params; user u receives the set of encrypted shares {nnES_vu}_{v∈U} from all users (including itself) in the ordered set U, then first decrypts them by running {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U} to obtain the set of shares. Then parse {nnS_vu}_{v∈U} to obtain {{nnSa_1u, nnSb_1u}, ..., {nnSa_4u, nnSb_4u}}. Then the shares nnSa_vu and nnSb_vu (v ∈ U) are aggregated respectively by computing [formula omitted]; the resulting polynomials nnSa_u and nnSb_u are the aggregated shares owned by user u.
Randomly select a noise polynomial [formula omitted] of 2048 terms according to the distribution χ and a noise polynomial [formula omitted] of 2048 terms whose highest degree is 1023 (the coefficients of its last 1024 terms are all 0), and compute [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, respectively input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei0; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei1; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei2.
For i = 0, ..., 6, split the polynomial [formula omitted] of degree 2047 in a_list into two 2048-term polynomials Aa_i and Ba_i of highest degree 1023 satisfying [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials Aa_i and Ba_i and output the point-value-representation polynomials nnAa_i and nnBa_i; compute nnrlk0_ui = nnSb_u·nnBa_i - nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u - nnSb_u·nnSb_u) - nnei0 + nnei2 and nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) - nnSa_u·nnBa_i - nnSb_u·nnAa_i + nnei1; finally, output the re-linearization public key share of user u, {{nnrlk0_u0, nnrlk1_u0}, ..., {nnrlk0_u6, nnrlk1_u6}}.
Step 5: re-linearization public key generation. The server collects each user's re-linearization public key share, synthesizes the re-linearization public key and publishes it, specifically as follows:
Input params and the set of re-linearization public key shares of all users: {{{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,6]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,6]}, ..., {{nnrlk0_4i, nnrlk1_4i}}_{i∈[0,6]}}. For i = 0, ..., 6, compute [formula omitted]; using the NTT.ToPoly() algorithm of the number theoretic transform, respectively input the point-value-representation polynomials nnrlk0_i and nnrlk1_i and output the coefficient-representation polynomials rlk0_i and rlk1_i, then compute rlk_i = rlk0_i + rlk1_i·x^1024 (where x is the variable of the polynomial); finally, output the re-linearization public key set rlk_list = {rlk_i}, where i ∈ [0, 6].
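A toy, runnable model of steps 1 to 5 above, added here as an illustration and not code from the patent: it uses tiny constructed parameters (16 coefficients, q = 7681, 4 users, T = 16), a schoolbook NTT in place of NTT.ToNtt()/NTT.ToPoly(), sets the noise terms nnei0, nnei1, nnei2 to zero because this page does not show how they are built, and takes l = floor(log_T q) as an inference from the page's worked values. It shows why the private key is split into two half-degree polynomials (a size-(d+1) NTT then multiplies them without wrap-around) and checks that the combined rlk_i equals -(a_i·s) + T^i·s^2 over Rq for the joint secret s = Σ sk_u0.

```python
import random

Q = 7681         # toy prime; 7680 = 15 * 2^9, so 16th roots of unity exist (page: 54-/108-bit q)
N = 16           # coefficients per polynomial, d + 1 (page: 2048 or 4096)
HALF = N // 2    # split point: sk_u0 = ask_u0 + bsk_u0 * x^HALF (page: x^1024 or x^2048)
M = 4            # number of users, a power of two as the page requires
BLOCK = N // M   # point values handed to each user (page: 512 or 1024)
T = 16           # re-linearization base (page: T = 256)
L = 3            # l = floor(log_T q), inferred: the rule reproduces the page's l = 6 and l = 13


def find_root(n, q):
    """Smallest w of exact multiplicative order n mod q (n a power of two)."""
    for w in range(2, q):
        if pow(w, n, q) == 1 and pow(w, n // 2, q) != 1:
            return w
    raise ValueError("q - 1 is not divisible by n")


ROOT = find_root(N, Q)


def to_ntt(coeffs):
    """NTT.ToNtt: coefficients -> values at ROOT^0 .. ROOT^(N-1) (schoolbook DFT)."""
    return [sum(c * pow(ROOT, j * k, Q) for j, c in enumerate(coeffs)) % Q for k in range(N)]


def to_poly(vals):
    """NTT.ToPoly: inverse transform back to coefficient form."""
    inv_n, inv_root = pow(N, -1, Q), pow(ROOT, -1, Q)
    return [inv_n * sum(v * pow(inv_root, j * k, Q) for k, v in enumerate(vals)) % Q
            for j in range(N)]


def mul_mod(a, b):
    """Reference schoolbook product in Zq[x]/(x^N + 1); used only for the final check."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * ai * bj) % Q
    return out


def split_half(p):
    """p = lo + hi * x^HALF, both halves zero-padded to N terms, so one size-N NTT multiplies
    two halves exactly: their product has degree at most N - 2 and never wraps around."""
    return p[:HALF] + [0] * HALF, p[HALF:] + [0] * HALF


def make_shares(sk):
    """Step 3 for one user: split sk, transform both halves, cut the point values into M
    contiguous blocks; block j is the share sent (HPKE-encrypted on the page) to user j."""
    nna, nnb = (to_ntt(h) for h in split_half(sk))
    return [(nna[j * BLOCK:(j + 1) * BLOCK], nnb[j * BLOCK:(j + 1) * BLOCK]) for j in range(M)]


def aggregate(received):
    """Step 4 for user u, first part: add the M received blocks position by position, giving
    the point values (at u's positions only) of the sums of every user's ask and bsk halves."""
    return tuple([sum(r[h][k] for r in received) % Q for k in range(BLOCK)] for h in (0, 1))


def rlk_share(u, sa, sb, a_list):
    """Step 4, second part: user u's block of (nnrlk0_ui, nnrlk1_ui), the page's formulas minus noise."""
    out = []
    for i, a in enumerate(a_list):
        nnAa, nnBa = (to_ntt(h)[u * BLOCK:(u + 1) * BLOCK] for h in split_half(a))
        Ti = pow(T, i, Q)
        r0 = [(sb[k] * nnBa[k] - sa[k] * nnAa[k] + Ti * (sa[k] * sa[k] - sb[k] * sb[k])) % Q
              for k in range(BLOCK)]
        r1 = [(2 * Ti * sa[k] * sb[k] - sa[k] * nnBa[k] - sb[k] * nnAa[k]) % Q
              for k in range(BLOCK)]
        out.append((r0, r1))
    return out


def shift_half(p):
    """Multiply by x^HALF in Zq[x]/(x^N + 1): terms pushed past x^N wrap with a minus sign."""
    return [(-p[j + HALF]) % Q if j < HALF else p[j - HALF] for j in range(N)]


def combine(user_shares, a_list):
    """Step 5, server side: concatenate the users' blocks, invert the NTT, fold rlk1_i in at x^HALF."""
    rlk_list = []
    for i in range(len(a_list)):
        nn0, nn1 = ([v for u in range(M) for v in user_shares[u][i][h]] for h in (0, 1))
        rlk_list.append([(x + y) % Q for x, y in zip(to_poly(nn0), shift_half(to_poly(nn1)))])
    return rlk_list


def run(seed=1):
    """Whole protocol on constructed random keys. Returns (rlk_list, expected), where expected_i
    is the BFV relation -(a_i * s) + T^i * s^2 computed directly from the joint secret s."""
    rng = random.Random(seed)
    sks = [[rng.choice((-1, 0, 1)) % Q for _ in range(N)] for _ in range(M)]  # step 2: sk_u0
    a_list = [[rng.randrange(Q) for _ in range(N)] for _ in range(L + 1)]     # param1: a_list
    outbox = [make_shares(sk) for sk in sks]                                   # step 3
    user_shares = []
    for u in range(M):
        sa, sb = aggregate([outbox[v][u] for v in range(M)])                   # step 4
        user_shares.append(rlk_share(u, sa, sb, a_list))
    rlk_list = combine(user_shares, a_list)                                    # step 5
    s = [sum(sk[j] for sk in sks) % Q for j in range(N)]
    s2 = mul_mod(s, s)
    expected = [[(-x + pow(T, i, Q) * y) % Q for x, y in zip(mul_mod(a, s), s2)]
                for i, a in enumerate(a_list)]
    return rlk_list, expected
```

Each user only ever sees one contiguous block of the NTT of every other user's key halves, and the server only sees the finished blocks; with the page's cancelling noise restored, the shares it collects would additionally be masked.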
Example 2:
A lattice-based distributed re-linearization public key generation method comprises the following steps:
Step 1: system initialization. Set the initial parameters of the lattice-based cryptosystem and of the re-linearization public key generation process, specifically as follows:
The system parameters are set as params = {param0, param1}.
For param0 [formula omitted]: set the security parameter λ = 128, the number of participating users m = 4 (depending on the actual situation the number of users may be any power of 2; 4 is used in this embodiment), the ordered set of all participating users U = {A, B, C, D}, the polynomial degree d = 4095, the modulus of the polynomial coefficients q = 324518553658426726783156032454657, the plaintext polynomial modulus t = 114689, the cyclotomic polynomial f(x) = x^4095 + 1 and the ring [formula omitted], writing Rq for the polynomials with coefficients modulo q. Then set the distribution χ and the uniform distribution μ, and select a polynomial [formula omitted] from Rq according to the uniform distribution. Finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()} based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}: set the re-linearization public key parameter to the integer T = 256, then compute [formula omitted]; for i = 0, ..., 13, select a polynomial [formula omitted] from Rq according to the uniform distribution in each case, forming the set [formula omitted]; finally, determine the number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2: user key generation. Generate the user's personal private and public key pair, using a hybrid encryption system, specifically as follows:
Input params, and uniformly at random select a polynomial [formula omitted] of 4096 terms from the polynomial ring with coefficients in {-1, 0, 1}; then select a noise polynomial [formula omitted] of 4096 terms according to the distribution χ; set [formula omitted] and [formula omitted]; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the encryption and decryption key pair of the HPKE system, set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public and private key pair (pk_u, sk_u).
Step 3: re-linearization public key generation initialization. Split the private key polynomial to generate and share the user's private key shares, specifically as follows:
Input params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U} of the user set U. First, split the private key polynomial sk_u0 of highest degree 4095 into two sub-private key polynomials ask_u0 and bsk_u0 of highest degree 2047 satisfying sk_u0 = ask_u0 + bsk_u0·x^2048 (where x is the variable of the polynomial); at this point ask_u0 and bsk_u0 have highest degree 2047 and the coefficients of their last 2048 terms are 0. Then, using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials ask_u0 and bsk_u0 respectively and output the point-value-representation polynomials nnask_u0 and nnbsk_u0; at this point nnask_u0 and nnbsk_u0 each have 4096 terms and highest degree 4095.
Then split the sub-private keys nnask_u0 and nnbsk_u0 into 4 sub-private key shares each according to the ordered set of users U = {A, B, C, D}. Specifically, starting from term 1 of the polynomial nnask_u0, every 1024 terms are taken as one share and assigned in order to each user in the ordered set U, i.e. the sub-private key share nnSa_u1 of user A is the first 1024 terms of nnask_u0, and so on, until the sub-private key share nnSa_um of user D is the last 1024 terms of nnask_u0. The sub-private key nnbsk_u0 is split into shares in the same way, giving [formula omitted].
Finally, package the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}, v ∈ U, and encrypt them with the public key pk_v1 of user v by running HPKE.Enc(pk_v1, nnS_uv) to obtain the encrypted secret share nnES_uv. The output is the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, which has 4 elements in total.
Step 4: re-linearization public key share generation. After a user has collected the private key shares sent by all other users, the user computes its re-linearization public key share through the number theoretic transform; before submitting its personal re-linearization public key share, the user protects the share with two noise terms that cancel when added, which prevents an adversary who collects the re-linearization public key shares from stealing a private key by analysing them. Specifically:
Input params; user u receives the set of encrypted shares {nnES_vu}_{v∈U} from all users (including itself) in the ordered set U, then first decrypts them by running {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U} to obtain the set of shares. Then parse {nnS_vu}_{v∈U} to obtain {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_4u, nnSb_4u}}. Then the shares nnSa_vu and nnSb_vu (v ∈ U) are aggregated respectively by computing [formula omitted]; the resulting polynomials nnSa_u and nnSb_u are the aggregated shares owned by user u.
Randomly select a noise polynomial [formula omitted] of 4096 terms according to the distribution χ and a noise polynomial [formula omitted] of 4096 terms whose highest degree is 2047 (the coefficients of its last 2048 terms are all 0), and compute [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, respectively input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei0; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei1; input the coefficient-representation polynomial [formula omitted] and output the point-value-representation polynomial nnei2.
For i = 0, ..., 13, split the 4096-term polynomial [formula omitted] in a_list into two 4096-term polynomials Aa_i and Ba_i of highest degree 2047 satisfying [formula omitted]; using the NTT.ToNtt() algorithm of the number theoretic transform, input the coefficient-representation polynomials Aa_i and Ba_i and output the point-value-representation polynomials nnAa_i and nnBa_i; compute nnrlk0_ui = nnSb_u·nnBa_i - nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u - nnSb_u·nnSb_u) - nnei0 + nnei2 and nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) - nnSa_u·nnBa_i - nnSb_u·nnAa_i + nnei1; finally, output the re-linearization public key share of user u, {{nnrlk0_u0, nnrlk1_u0}, ..., {nnrlk0_u13, nnrlk1_u13}}.
Step 5: re-linearization public key generation. The server collects each user's re-linearization public key share, synthesizes the re-linearization public key and publishes it, specifically as follows:
Input params and the set of re-linearization public key shares of all users: {{{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,13]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,13]}, ..., {{nnrlk0_4i, nnrlk1_4i}}_{i∈[0,13]}}. For i = 0, ..., 13, compute [formula omitted]; using the NTT.ToPoly() algorithm of the number theoretic transform, respectively input the point-value-representation polynomials nnrlk0_i and nnrlk1_i and output the coefficient-representation polynomials rlk0_i and rlk1_i, then compute rlk_i = rlk0_i + rlk1_i·x^2048 (where x is the variable of the polynomial); finally, output the re-linearization public key set rlk_list = {rlk_i}, where i ∈ [0, 13].
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
It should be understood that the above examples merely illustrate the invention clearly and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to enumerate all embodiments. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the protection scope of its claims.
Claims (10)
1. A lattice-based distributed re-linearization public key generation method, characterized in that it comprises the following steps:
S1, system initialization: set the initial parameters of the lattice-based cryptosystem and of the re-linearization public key generation process;
S2, user key generation: generate the user's personal private and public key pair, using a hybrid encryption system;
S3, re-linearization public key generation initialization: split the private key polynomial to generate and share the user's personal private key shares;
S4, re-linearization public key share generation: after a user has collected the private key shares sent by all other users, the user computes its re-linearization public key share through the number theoretic transform; before submitting its personal re-linearization public key share, the user protects the share with two noise terms that cancel when added;
S5, re-linearization public key generation: the server collects each user's re-linearization public key share, synthesizes the re-linearization public key and publishes it.
2. The method of claim 1, characterized in that system initialization comprises setting the system parameters params = {param0, param1}, where param0 is the parameter set for initializing the lattice-based system and param1 is the parameter set for the distributed re-linearization public key generation phase.
3. The lattice-based distributed re-linearization public key generation method of claim 2, characterized in that, for param0 [formula omitted]: set the security parameter λ and the number m of participating users; the ordered set U of all participating users, the polynomial degree d, the modulus q of the polynomial coefficients, the plaintext polynomial modulus t, the cyclotomic polynomial f(x) and the ring [formula omitted], writing Rq for the polynomials with coefficients modulo q; then set the distribution χ and the uniform distribution μ, and select a polynomial [formula omitted] from Rq according to the uniform distribution; finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, where HPKE.Gen() is the key generation algorithm of the hybrid encryption system, whose input is a security parameter and whose output is an encryption and decryption key pair; HPKE.Enc() is the encryption algorithm of the hybrid encryption system, whose inputs are an encryption key and a plaintext and whose output is a ciphertext; and HPKE.Dec() is the decryption algorithm of the hybrid encryption system, whose inputs are a ciphertext and a decryption key and whose output is a plaintext.
4. The lattice-based distributed re-linearization public key generation method of claim 3, wherein param1 = {T, l, a_list, NTT} is set as follows: the re-linearization public key parameter T is set to an integer, and the re-linearization public key parameter l is then computed; for i = 0, ..., l, polynomials are selected from Rq under the uniform distribution to form the set a_list; finally, a number-theoretic transformation algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()} is determined, wherein NTT.ToNtt() takes as input a polynomial of d+1 terms in coefficient representation and outputs the polynomial of d+1 terms in point-value representation, and NTT.ToPoly() takes as input a polynomial of d+1 terms in point-value representation and outputs the polynomial of d+1 terms in coefficient representation.
6. The lattice-based distributed re-linearization public key generation method of claim 5, wherein the user key generation specifically comprises: inputting params, and uniformly and randomly selecting a polynomial of d+1 terms from the polynomial ring with coefficients in {-1, 0, 1}; then selecting a noise polynomial of d+1 terms according to the χ distribution; setting sk_u0 and pk_u0 from them, wherein [·]_q denotes that the polynomial coefficients inside the brackets are reduced modulo q one by one; running (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the encryption/decryption key pair of the HPKE system; setting sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1); and outputting the public/private key pair (pk_u, sk_u).
7. The lattice-based distributed re-linearization public key generation method of claim 6, wherein the initialization of the re-linearization public key generation specifically comprises:
S31, inputting params, the private key sk_u0 of user u and the set of public keys {pk_v1}_{v∈U} of the user set U; first, the private key polynomial sk_u0 of highest degree d is split into two sub-private-key polynomials ask_u0 and bsk_u0 of the specified highest degree that satisfy the stated relation; letting the argument of the polynomials be x, at this point the non-zero coefficient terms of ask_u0 and bsk_u0 have the specified highest degree and the coefficients of all remaining terms are 0; then, using the NTT.ToNtt() algorithm of the number-theoretic transformation, the polynomials ask_u0 and bsk_u0 in coefficient representation are input separately and the polynomials nnask_u0 and nnbsk_u0 in point-value representation are output, at which point nnask_u0 and nnbsk_u0 each have d+1 terms with highest degree d;
S32, splitting each of the sub-private keys nnask_u0 and nnbsk_u0 into m sub-private-key shares according to the ordered set U of users; specifically, starting from term 1 of the polynomial nnask_u0, each group of consecutive terms is taken as one share and assigned in order to each user in the ordered set U, that is, the sub-private-key share nnSa_u1 of user number 1 is the first group of terms of nnask_u0, and so on, and the sub-private-key share nnSa_um of the m-th user is the last group of terms of nnask_u0; similarly, the sub-private key nnbsk_u0 is split into shares in the same way as nnask_u0, so that finally the required relation is satisfied;
S33, packaging the shares sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}_{v∈U}, and encrypting them with the public key pk_v1 of user v by running HPKE.Enc(pk_v1, nnS_uv) to obtain the encrypted secret share nnES_uv; the output is the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, which has m elements in total.
8. The lattice-based distributed re-linearization public key generation method of claim 7, wherein the re-linearization public key share generation specifically includes:
S41, inputting params and the set of encrypted shares {nnES_vu}_{v∈U} that user u has received from all users in the ordered set U; first decrypting them by running {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U} to obtain the share set; then parsing {nnS_vu}_{v∈U} to obtain {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_mu, nnSb_mu}}; finally, the shares nnSa_vu and nnSb_vu (v ∈ U) are each collected and the corresponding computation is performed, and the resulting polynomials nnSa_u and nnSb_u are the aggregated shares held by user u;
S42, randomly selecting a noise polynomial of d+1 terms according to the χ distribution, together with a noise polynomial whose non-zero coefficient terms have the specified highest degree and whose remaining coefficients are all 0, and carrying out the corresponding computation; then, using the NTT.ToNtt() algorithm of the number-theoretic transformation, the resulting noise polynomials in coefficient representation are input separately and the polynomials nnei_0, nnei_1 and nnei_2 in point-value representation are output;
S43, for i = 0, ..., l, splitting the i-th polynomial of degree d in a_list into two polynomials Aa_i and Ba_i whose non-zero coefficient terms have the specified highest degree, whose remaining coefficients are all 0 and which satisfy the stated relation; using the NTT.ToNtt() algorithm of the number-theoretic transformation, the polynomials Aa_i and Ba_i in coefficient representation are input and the polynomials nnAa_i and nnBa_i in point-value representation are output; then computing

nnrlk0_ui = nnSb_u·nnBa_i − nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) − nnei_0 + nnei_2,
nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) − nnSa_u·nnBa_i − nnSb_u·nnAa_i + nnei_1;

finally, the re-linearization public key share {{nnrlk0_u0, nnrlk1_u0}, {nnrlk0_u1, nnrlk1_u1}, ..., {nnrlk0_ul, nnrlk1_ul}} of user u is output.
9. The lattice-based distributed re-linearization public key generation method of claim 8, wherein the re-linearization public key generation specifically includes: inputting params and the set of re-linearization public key shares of all users
{{{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,l]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,l]}, ..., {{nnrlk0_mi, nnrlk1_mi}}_{i∈[0,l]}};
for i = 0, ..., l, nnrlk0_i and nnrlk1_i are computed from the shares; using the NTT.ToPoly() algorithm of the number-theoretic transformation, the polynomials nnrlk0_i and nnrlk1_i in point-value representation are input separately and the polynomials rlk0_i and rlk1_i in coefficient representation are output, from which rlk_i is computed; letting the argument of the polynomials be x, the re-linearization public key set rlk_list = {rlk_i}, i ∈ [0, l], is finally output.
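The half-split algebra of step S43 and the recombination of step S5, as an added example that is not part of the patent (toy parameters n = d+1 = 8, q = 97). Assumptions the claims do not state: the ring is Z_q[x]/(x^n + 1), the split point is h = n/2 so that x^h squared equals −1, each user's share is a consecutive block of n/m NTT point values, and the noise terms nnei_0, nnei_1, nnei_2 are set to zero; under those assumptions the recombined component equals the BFV relinearization body −a·s + T^i·s² in R_q, which is why the coordinate-wise products of the claim are exact.

```python
# Added example (not the patent's own code): verifies the S43 half-split
# formulas in R_q = Z_q[x]/(x^n + 1).  Assumed: split at h = n/2 (so y = x^h
# has y^2 = -1), half-products never wrap past degree n-1, zero noise.
N, Q, T_BASE = 8, 97, 4            # n = d+1 = 8 (d = 7), prime q with n | q-1
H = N // 2                         # split point
OMEGA = pow(5, (Q - 1) // N, Q)    # primitive n-th root of unity (5 generates Z_97^*)

def ntt(poly):                     # NTT.ToNtt(): coefficients -> n point values
    return [sum(c * pow(OMEGA, k * j, Q) for j, c in enumerate(poly)) % Q for k in range(N)]

def intt(pts):                     # NTT.ToPoly(): point values -> coefficients
    inv_n = pow(N, -1, Q)
    return [inv_n * sum(v * pow(OMEGA, -k * j, Q) for k, v in enumerate(pts)) % Q for j in range(N)]

def split(poly):                   # poly = lo + hi * x^h; each half zero-padded to n terms
    return poly[:H] + [0] * H, poly[H:] + [0] * H

def mul_rq(a, b):                  # reference product in Z_q[x]/(x^n + 1)
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj        # x^n = -1
    return [c % Q for c in out]

def relin_share(nnSa, nnSb, nnAa, nnBa, i):
    # the two S43 formulas, evaluated coordinate-wise on NTT point values
    Ti = pow(T_BASE, i, Q)
    rlk0 = [(sb*ba - sa*aa + Ti*(sa*sa - sb*sb)) % Q for sa, sb, aa, ba in zip(nnSa, nnSb, nnAa, nnBa)]
    rlk1 = [(2*Ti*sa*sb - sa*ba - sb*aa) % Q for sa, sb, aa, ba in zip(nnSa, nnSb, nnAa, nnBa)]
    return rlk0, rlk1

def recombine(rlk0_pts, rlk1_pts):
    # S5: NTT.ToPoly() on both halves, then rlk0 + rlk1 * x^h reduced in R_q
    x_h = [0] * H + [1] + [0] * (H - 1)
    r0, r1 = intt(rlk0_pts), mul_rq(intt(rlk1_pts), x_h)
    return [(c0 + c1) % Q for c0, c1 in zip(r0, r1)]

def check(s, a, i, m=1):
    # m users each evaluate S43 on their block of n/m point values (assumed S32
    # layout); the server concatenates and recombines; compare with -a*s + T^i*s^2.
    pts = [ntt(p) for p in (*split(s), *split(a))]
    w = N // m
    parts = [relin_share(*[v[k*w:(k+1)*w] for v in pts], i) for k in range(m)]
    got = recombine(sum((p[0] for p in parts), []), sum((p[1] for p in parts), []))
    Ti = pow(T_BASE, i, Q)
    want = [(-x + Ti * y) % Q for x, y in zip(mul_rq(a, s), mul_rq(s, s))]
    return got == want
```

`check(s, a, i, m)` returns True for any s, a in R_q and any block count m dividing n, showing that the per-user slices can be computed independently and still assemble into the correct key component.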
10. The lattice-based distributed re-linearization public key generation method of any one of claims 3 to 9, characterized in that the number m of users is an integer power of 2; the polynomial degree d is 1 less than an integer power of 2; and the modulus q of the polynomial coefficients is a large prime.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110160700.7A CN112906020B (en) | 2021-02-05 | 2021-02-05 | Grid-based distributed re-linearization public key generation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112906020A true CN112906020A (en) | 2021-06-04 |
CN112906020B CN112906020B (en) | 2023-07-21 |
Family
ID=76122804
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110160700.7A Active CN112906020B (en) | 2021-02-05 | 2021-02-05 | Grid-based distributed re-linearization public key generation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112906020B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180259737A1 (en) * | 2015-08-24 | 2018-09-13 | Korea Advanced Institute Of Science And Technology | High-Speed Communication System and Method with Enhanced Security |
US20190342080A1 (en) * | 2018-05-01 | 2019-11-07 | Huawei Technologies Co., Ltd. | Systems, Devices, and Methods for Hybrid Secret Sharing |
CN111342976A (en) * | 2020-03-04 | 2020-06-26 | 中国人民武装警察部队工程大学 | Verifiable ideal lattice upper threshold proxy re-encryption method and system |
Non-Patent Citations (3)
Title |
---|
Junfeng Fan et al.: "Somewhat Practical Fully Homomorphic", IACR Cryptology ePrint Archive * |
Shai Halevi et al.: "An Improved RNS Variant of the BFV", Cryptographers' Track at the RSA Conference 2019 * |
孙小强: "Research on lattice-based fully homomorphic encryption and its applications", China Doctoral Dissertations Full-text Database * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113591102A (en) * | 2021-06-25 | 2021-11-02 | 中山大学 | Lattice-based distributed threshold addition homomorphic encryption method |
CN113591102B (en) * | 2021-06-25 | 2023-05-26 | 中山大学 | Grid-based distributed threshold addition homomorphic encryption method |
Also Published As
Publication number | Publication date |
---|---|
CN112906020B (en) | 2023-07-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||