CN112906020B - Grid-based distributed re-linearization public key generation method - Google Patents

Publication number
CN112906020B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110160700.7A
Other languages
Chinese (zh)
Other versions
CN112906020A (en
Inventor
田海博
林会智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sun Yat Sen University
Original Assignee
Sun Yat Sen University

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Abstract

The invention relates to the technical field of secure multi-party computation based on homomorphic encryption, and in particular to a lattice-based distributed re-linearization public key generation method. Building on the lattice-based public/private key generation method of BFV, it provides a re-linearization public key generation initialization algorithm, a re-linearization public key share generation algorithm and a re-linearization public key generation algorithm. First, sharing of each user's private key is completed by splitting a polynomial, and each user's computation of its re-linearization public key share is completed using the number theoretic transform. Before a user finally submits its personal re-linearization public key share, the share is protected with two noises that are added and can cancel, which prevents an adversary who collects re-linearization public key shares from obtaining the private key by analysing them. The method uses less noise while remaining secure.

Description

Grid-based distributed re-linearization public key generation method
Technical Field
The invention relates to the technical field of secure multi-party computation based on homomorphic encryption, and in particular to a lattice-based distributed re-linearization public key generation method.
Background
Today, big data technology positively affects and guides every aspect of people's lives, such as clothing, food and housing. However, users' personal data inevitably contains private information and cannot be collected directly when the data is actually aggregated. How to combine the data of all parties to complete a computation while protecting the security and privacy of user information is the main research topic of secure multi-party computation. Fully homomorphic encryption offers a practical solution to this problem and has given rise to a new mode of distributed data computation. Fully homomorphic encryption supports addition or multiplication on ciphertexts and so provides strong capability for computing on encrypted data. The multiplication operation relies on a re-linearization public key, and the generation of this public key depends on the private key. In a distributed computing setting, how to generate the re-linearization public key without revealing each user's personal private key is a research difficulty. However, the lattice-based distributed re-linearization public key generation method proposed by Ivan et al. in the paper "Practical Covertly Secure MPC for Dishonest Majority - or: Breaking the SPDZ Limits" suffers from large noise, which directly reduces the number of homomorphic operations that can be performed, so further improvement is required.
Disclosure of Invention
The invention provides a lattice-based distributed re-linearization public key generation method that overcomes at least one defect of the prior art, using less noise while remaining secure.
To solve the above technical problem, the invention adopts the following technical solution: a lattice-based distributed re-linearization public key generation method, comprising the following steps:
S1, system initialization: set the initial parameters of the lattice cryptosystem and of the re-linearization public key generation process;
S2, user key generation: generate each user's personal public/private key pair through a hybrid encryption system;
S3, re-linearization public key generation initialization: the generation and sharing of each user's personal private key shares is completed by splitting the private key polynomial;
S4, re-linearization public key share generation: after a user has collected the private key shares sent by all other users, the user's computation of its re-linearization public key share is completed using the number theoretic transform; before the user's personal re-linearization public key share is submitted, the share is protected with two noises that are added and can cancel;
S5, re-linearization public key generation: the server gathers the re-linearization public key shares of all users, then synthesizes and publishes the re-linearization public key.
Building on the lattice-based public/private key generation method of the BFV scheme, the invention provides a lattice-based distributed re-linearization public key generation method whose aim is to reduce noise injection and increase the number of homomorphic computations while guaranteeing the overall security of the method.
Further, the system initialization includes setting the system parameters params = {param0, param1}, where param0 is the set of lattice-based system initialization parameters and param1 is the set of parameters for the stage in which the re-linearization public key is generated in a distributed manner.
Further, for param0, specifically set a security parameter λ, the number m of participating users, the ordered set U of all participating users, the polynomial degree d, the modulus q of the polynomial coefficients, the plaintext polynomial modulus t, the cyclotomic polynomial f(x) and the ring R = Z[x]/(f(x)), with R_q denoting polynomials whose coefficients are taken modulo q; then set the distribution χ and the uniform distribution μ, and select a polynomial from R_q according to the uniform distribution; finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, where HPKE.Gen() is the key generation algorithm of the hybrid encryption system, taking a security parameter as input and outputting an encryption/decryption key pair; HPKE.Enc() is the encryption algorithm of the hybrid encryption system, taking an encryption key and a plaintext as input and outputting a ciphertext; HPKE.Dec() is the decryption algorithm of the hybrid encryption system, taking a ciphertext and a decryption key as input and outputting a plaintext.
Further, for param1 = {T, l, a_list, NTT}, the re-linearization public key parameter is set to an integer T and l is then calculated; for i = 0, ..., l, polynomials are selected from R_q according to the uniform distribution and form the set a_list; finally, a number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()} is determined, where NTT.ToNtt() takes as input a (d+1)-term polynomial in coefficient representation and outputs a (d+1)-term polynomial in point-value representation, and NTT.ToPoly() takes as input a (d+1)-term polynomial in point-value representation and outputs a (d+1)-term polynomial in coefficient representation.
Further, the system initially sets the final output
Further, the user key generation specifically includes: input params; then uniformly at random select a (d+1)-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}, and select a (d+1)-term noise polynomial according to the distribution χ; the private key sk_u0 and public key pk_u0 are then set, where [·]_q denotes reducing each coefficient of the bracketed polynomial modulo q; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain an encryption/decryption key pair of the HPKE system; set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Further, the re-linearization public key generation initialization specifically includes:
S31, input params, the private key sk_u0 of user u and the public key set {pk_v1}_{v∈U} of the user set U. First, the private key polynomial sk_u0, of highest degree d, is split into two sub-private-key polynomials ask_u0 and bsk_u0 (with x the variable of the polynomials); the non-zero coefficient terms of ask_u0 and bsk_u0 are all low-order terms, and the coefficients of the remaining trailing terms are all 0. Then, using the NTT.ToNtt() algorithm of the number theoretic transform, the coefficient-representation polynomials ask_u0 and bsk_u0 are input and the point-value-representation polynomials nnask_u0 and nnbsk_u0 are output; nnask_u0 and nnbsk_u0 each have d+1 terms, with highest degree d;
S32, the sub-private keys nnask_u0 and nnbsk_u0 are each divided into m sub-private-key shares according to the ordered user set U. Specifically, starting from the 1st term of the polynomial nnask_u0, each consecutive block of terms is taken as 1 share and the shares are assigned in order to the users in the ordered set U: the sub-private-key share nnSa_u1 assigned to user number 1 is the first block of terms of nnask_u0, and so on, and the sub-private-key share nnSa_um of user number m is the last block of terms of nnask_u0; the sub-private key nnbsk_u0 is divided into shares in the same way as the sub-private key nnask_u0;
S33, the share sent to user v is packed as nnS_uv = {nnSa_uv, nnSb_uv}_{v∈U}, and the public key pk_v1 of user v is used to run HPKE.Enc(pk_v1, nnS_uv), which encrypts it into the encrypted secret share nnES_uv; the output is the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, with m elements in total.
Further, the re-linearization public key share generation specifically includes:
S41, input params; user u receives the set of encrypted shares {nnES_vu}_{v∈U} from all users in the ordered set U and first decrypts them, running {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U} to obtain the set of shares; {nnS_vu}_{v∈U} is then parsed to obtain {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_mu, nnSb_mu}}; finally, the shares nnSa_vu and nnSb_vu (v ∈ U) are each aggregated, and the resulting polynomials nnSa_u and nnSb_u are the aggregate shares held by user u;
S42, according to the distribution χ, randomly select a (d+1)-term noise polynomial and a noise polynomial whose non-zero coefficient terms are all low-order terms and whose remaining trailing coefficients are all 0, and calculate a further polynomial; the NTT.ToNtt() algorithm of the number theoretic transform is then applied to the coefficient-representation polynomials, outputting the point-value-representation polynomials nnei_0, nnei_1 and nnei_2;
S43, for i = 0, ..., l, the degree-d polynomial in a_list is split into two polynomials Aa_i and Ba_i whose non-zero coefficient terms are all low-order terms and whose remaining trailing coefficients are all 0; using the NTT.ToNtt() algorithm of the number theoretic transform, the coefficient-representation polynomials Aa_i and Ba_i are input and the point-value-representation polynomials nnAa_i and nnBa_i are output; then calculate
nnrlk0_ui = nnSb_u·nnBa_i - nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u - nnSb_u·nnSb_u) - nnei_0 + nnei_2,
nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) - nnSa_u·nnBa_i - nnSb_u·nnAa_i + nnei_1;
finally, output the re-linearization public key share of user u: {{nnrlk0_u0, nnrlk1_u0}, {nnrlk0_u1, nnrlk1_u1}, ..., {nnrlk0_ul, nnrlk1_ul}}.
Further, the re-linearization public key generation specifically includes: input params and the set of re-linearization public key shares of all users {{{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,l]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,l]}, ..., {{nnrlk0_mi, nnrlk1_mi}}_{i∈[0,l]}}; for i = 0, ..., l, the shares are combined into nnrlk0_i and nnrlk1_i; using the NTT.ToPoly() algorithm of the number theoretic transform, the point-value-representation polynomials nnrlk0_i and nnrlk1_i are input and the coefficient-representation polynomials rlk0_i and rlk1_i are output, from which rlk_i is calculated (with x the variable of the polynomial); finally, the re-linearization public key set rlk_list = {rlk_i}, i ∈ [0, l], is output.
Further, the number of users m is an integer power of 2; the polynomial degree d is 1 less than an integer power of 2; the modulus q of the polynomial coefficients is a large prime.
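The share algebra of steps S3 to S5 can be checked end to end on toy parameters. The following is an added example, not code from the patent: it leaves out the noise polynomials and the HPKE transport encryption so the server's result can be compared exactly with -a_i·s + T^i·s^2 in Z_q[x]/(x^N + 1) for the joint secret s (the sum of all users' keys). It assumes a plain quadratic-time cyclic transform, shares that keep their point positions with zeros elsewhere, and aggregation by element-wise addition; the names `share`, `user_share`, `run` and the parameters N = 16, Q = 12289, T = 16 are constructed for the example.

```python
import random

# Toy parameters constructed for this example (the page uses d = 2047 or 4095).
N = 16        # number of coefficients, d + 1
M = 4         # number of users, a power of 2
Q = 12289     # prime coefficient modulus with Q = 1 (mod N)
T = 16        # re-linearization base
H = N // 2    # length of each half of a split polynomial
S = N // M    # transform points per share


def root_of_unity(n, q):
    """Find a primitive n-th root of unity mod prime q (n a power of two)."""
    for x in range(2, q):
        w = pow(x, (q - 1) // n, q)
        if pow(w, n // 2, q) == q - 1:
            return w
    raise ValueError("no root of unity found")


W = root_of_unity(N, Q)


def to_ntt(p):
    """Coefficient form -> point values at W^0 .. W^(N-1)."""
    return [sum(c * pow(W, j * k, Q) for j, c in enumerate(p)) % Q
            for k in range(N)]


def to_poly(v):
    """Point values -> coefficient form (inverse transform)."""
    n_inv, w_inv = pow(N, -1, Q), pow(W, -1, Q)
    return [n_inv * sum(c * pow(w_inv, j * k, Q) for k, c in enumerate(v)) % Q
            for j in range(N)]


def split(p):
    """p = a + b*x^H with a, b of degree < H, each zero-padded to N terms."""
    return p[:H] + [0] * H, p[H:] + [0] * H


def share(nn):
    """S32: cut the point values into M blocks; share v keeps block v in place."""
    return [[c if v * S <= k < (v + 1) * S else 0 for k, c in enumerate(nn)]
            for v in range(M)]


def vsum(vectors):
    """Element-wise sum of equal-length vectors mod Q."""
    return [sum(col) % Q for col in zip(*vectors)]


def user_share(sa, sb, aa, ba, ti):
    """S43 formulas evaluated point by point, noise terms omitted."""
    rlk0 = [(b * y - a * x + ti * (a * a - b * b)) % Q
            for a, b, x, y in zip(sa, sb, aa, ba)]
    rlk1 = [(2 * ti * a * b - a * y - b * x) % Q
            for a, b, x, y in zip(sa, sb, aa, ba)]
    return rlk0, rlk1


def negacyclic_mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1), used only as the reference."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * x * y) % Q
    return out


def run(seed, i):
    """Return (rlk_i built from shares, reference value from the joint key)."""
    rng = random.Random(seed)  # deterministic toy randomness, not a CSPRNG
    sks = [[rng.choice((-1, 0, 1)) for _ in range(N)] for _ in range(M)]
    a_i = [rng.randrange(Q) for _ in range(N)]
    ti = pow(T, i, Q)

    # S3: every user splits its key, transforms both halves and cuts shares.
    sent_a = [share(to_ntt(split(sk)[0])) for sk in sks]  # sent_a[v][u]: v -> u
    sent_b = [share(to_ntt(split(sk)[1])) for sk in sks]

    # S4: user u aggregates the blocks it received and applies the formulas.
    nn_aa, nn_ba = (to_ntt(half) for half in split(a_i))
    shares = []
    for u in range(M):
        sa = vsum([sent_a[v][u] for v in range(M)])
        sb = vsum([sent_b[v][u] for v in range(M)])
        shares.append(user_share(sa, sb, nn_aa, nn_ba, ti))

    # S5: server adds the shares, inverts, and forms rlk0 + rlk1 * x^H.
    rlk0 = to_poly(vsum([s[0] for s in shares]))
    rlk1 = to_poly(vsum([s[1] for s in shares]))
    shifted = [0] * H + rlk1
    rlk = [(rlk0[k] + shifted[k] - (shifted[k + N] if k < H else 0)) % Q
           for k in range(N)]

    # Reference: what a single party holding the joint secret would compute.
    s = vsum(sks)
    ref = [(ti * x - y) % Q
           for x, y in zip(negacyclic_mul(s, s), negacyclic_mul(a_i, s))]
    return rlk, ref


if __name__ == "__main__":
    print(all(run(seed, i)[0] == run(seed, i)[1]
              for seed in range(3) for i in range(4)))
```

Each peer receives only N/M of the N point values of another user's key halves, which is why the patent masks the submitted shares with noise before the server sees them.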
Compared with the prior art, the beneficial effects are as follows: the invention provides a lattice-based distributed re-linearization public key generation method which, building on the lattice-based public/private key generation method of BFV, provides a re-linearization public key generation initialization algorithm, a re-linearization public key share generation algorithm and a re-linearization public key generation algorithm. First, sharing of each user's private key is completed by splitting a polynomial, and each user's computation of its re-linearization public key share is completed using the number theoretic transform. Before a user finally submits its personal re-linearization public key share, the share is protected with two noises that are added and can cancel, which prevents an adversary who collects re-linearization public key shares from obtaining the private key by analysing them. The method uses less noise while remaining secure.
Detailed Description
Example 1:
A lattice-based distributed re-linearization public key generation method, comprising the following steps:
Step 1: system initialization: set the initial parameters of the lattice cryptosystem and of the re-linearization public key generation process, specifically as follows:
Set the system parameters params = {param0, param1}.
For param0, set the security parameter λ = 128, the number of participating users m = 4 (in practice the number of users is a power of 2; this embodiment uses 4), the ordered set of all participating users U = {A, B, C, D}, the polynomial degree d = 2047, the modulus of the polynomial coefficients q = 18014398492704769, the plaintext polynomial modulus t = 114689, the cyclotomic polynomial f(x) = x^2047 + 1 and the ring R = Z[x]/(f(x)), with R_q denoting polynomials whose coefficients are taken modulo q. Then set the distribution χ and the uniform distribution μ, and select a polynomial from R_q according to the uniform distribution. Finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()} based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}, the re-linearization public key parameter is set to the integer T = 256 and l is then calculated; for i = 0, ..., 6, polynomials are selected from R_q according to the uniform distribution and form the set a_list. Finally, determine the number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2: user key generation: generate each user's personal public/private key pair through the hybrid encryption system, specifically as follows:
Input params; then uniformly at random select a 2048-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}, and select a 2048-term noise polynomial according to the distribution χ; the private key sk_u0 and public key pk_u0 are then set; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain an encryption/decryption key pair of the HPKE system; set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Step 3: re-linearization public key generation initialization: the generation and sharing of the user personal private key share are completed in a mode of splitting the private key polynomial; the method comprises the following steps:
input params, private key sk of user u u0 And public key set { pk in user set U v1 } v∈U First, the highest order 2047 private key polynomial sk is used u0 Split into two highest order 1023 subprivate key polynomials ask u0 And bsk u0 Satisfy sk u0 =ask u0 +bsk u0 ·x 1024 (let the argument in the polynomial be x) at this time ask u0 And bsk u0 The highest order is 1023, and the last 1024 coefficients are 0. Then respectively inputting the polynomials ask of the coefficient representation by using an NTT.ToNtt () algorithm in the number theory transformation algorithm u0 And bsk u0 Polynomial niak of output point value representation u0 ,nnbsk u0 At this time, nnask u0 And nnbsk u0 There are 2048 items each, and 2047 is the highest order.
Then the sub private key nnask is used u0 ,nnbsk u0 Splitting into 4 sub-private key shares according to the ordered set U= { A, B, C, D } of the user, specifically from polynomial nnask u0 Every 512 items are taken as 1 share, allocated to each user in the ordered set U in sequence, i.e. as the subprivate key share nnSa of user a u1 For nnask u0 Similarly, user D's sub-private key share nnSa um For nnask u0 Last 512 items of (2).Similarly, the child private key nnbsk u0 As does the share splitting of (3), finally satisfying
Finally, the share sent to the user v is packed as nnS uv ={nnSa uv ,nnSb uv } v∈U Simultaneously using public key pk of user v v1 HPKE.Enc (pk) was run v1 ,nnS uv ) Encryption to obtain encrypted secret share nnES uv . Output of the set of encrypted shares { nnES ] distributed to all users in the set U for user U uv } v∈U There are a total of 4 elements in the set.
Step 4: re-linearizing public key share generation: after the user collects the private key shares sent by all other users, the calculation of the user about the re-linearization public key shares is completed through number theory transformation; before submitting the user individual re-linearization public key share, the user share is protected by utilizing two added and counteracted noises, so that the private key can be stolen by analyzing the share when the adversary collects the re-linearization public key share; the method comprises the following steps:
inputting params and user U receives a set of encrypted shares { nnES } from all users (including themselves) in the ordered set U vu } v∈U Then decrypt first, run { nnS ] vu ←HPKC.Dec(sk u1 ,nnES vu )} v∈U A set of shares is obtained. Then parse { nnS ] vu } v∈U Obtaining { { nnSa 1u ,nnSb 1u },...,{nnSa 4u ,nnSb 4u }}. The share nnSa is then added vu And nnSb vu (v. Epsilon. U) summarizing respectively, calculating At this time, polynomial nnSa u And nnSb u The aggregate share owned by user u.
Random selection of 2048-term noise polynomial according to χ distributionAnd a 2048-term noise polynomial with highest degree 1023 +.>(the coefficients of the last 1024 are all 0), calculating +.>Then respectively using NTT.ToNtt () algorithm in the number theory transformation algorithm to input polynomial ++of coefficient expression>Polynomial nnei of output point value representation 0 The method comprises the steps of carrying out a first treatment on the surface of the Polynomial of input coefficient representation ++>Polynomial nnei of output point value representation 1 . Polynomial of input coefficient representation ++>Polynomial nnei of output point value representation 2
For i=0..6, the 2047 th degree polynomial in a_list is used2048-term polynomial Aa split into two highest degree 1023 i And Ba (beta) i And satisfy->The polynomial Aa as the coefficient representation is input by using NTT.ToNtt () algorithm in the number theory transformation algorithm i And Ba (beta) i A polynomial nnAa with the output of the point value representation i ,nnBa i Calculation of nnrlk0 ui =nnSb u ·nnBa i -nnSa u ·nnAa i +T i (nnSa u ·nnSa u -nnSb u ·nnSb u )-nnei 0 +nnei 2 ,nnrlk1 ui =2T i (nnSa u ·nnSb u )-nnSa u ·nnBa i -nnSb u ·nnAa i +nnei 1 Finally, the re-linearized public key share of the user u is output { { { nnrlk0 u0 ,nnrlk1 u0 },...,{nnrlk0 u6 ,nnrlk1 u6 }}。
Step 5: the server gathers the share of the re-linearization public key of each user, synthesizes and discloses the re-linearization public key, and is concretely as follows:
input params and a re-linearized public key share set for all users: { { { nnrlk0 1i ,nnrlk1 1i }} i∈[0,6] ,{{nnrlk0 2i ,nnrlk1 2i }} i∈[0,6] ,...,{{nnrlk0 4i ,nnrlk1 4i }} i∈[0,6] }. For i=0..6, calculationRespectively inputting point value representation polynomial nnrlk0 by using NTT.ToPoly () algorithm in number theory transformation algorithm i And nnrlk1 i Polynomials rlk0_i, rlk1_i of the output coefficient representation are calculated rlk _i= rlk0 _0_i+ rlk1 _i.x 1024 (let the argument in the polynomial be x), the final output is a re-linearized public key set rlk _list= { rlk _i }, where i e [0,6 ]]。
Example 2
A lattice-based distributed re-linearization public key generation method, comprising the following steps:
Step 1: system initialization: set the initial parameters of the lattice cryptosystem and of the re-linearization public key generation process, specifically as follows:
Set the system parameters params = {param0, param1}.
For param0, set the security parameter λ = 128, the number of participating users m = 4 (in practice the number of users is a power of 2; this embodiment uses 4), the ordered set of all participating users U = {A, B, C, D}, the polynomial degree d = 4095, the modulus of the polynomial coefficients q = 324518553658426726783156032454657, the plaintext polynomial modulus t = 114689, the cyclotomic polynomial f(x) = x^4095 + 1 and the ring R = Z[x]/(f(x)), with R_q denoting polynomials whose coefficients are taken modulo q. Then set the distribution χ and the uniform distribution μ, and select a polynomial from R_q according to the uniform distribution. Finally, determine a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()} based on the Elliptic Curve Integrated Encryption Scheme (ECIES).
For param1 = {T, l, a_list, NTT}, the re-linearization public key parameter is set to the integer T = 256 and l is then calculated; for i = 0, ..., 13, polynomials are selected from R_q according to the uniform distribution and form the set a_list. Finally, determine the number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()}.
Step 2: user key generation: generate each user's personal public/private key pair through the hybrid encryption system, specifically as follows:
Input params; then uniformly at random select a 4096-term polynomial from the polynomial ring with coefficients in {-1, 0, 1}, and select a 4096-term noise polynomial according to the distribution χ; the private key sk_u0 and public key pk_u0 are then set; run (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain an encryption/decryption key pair of the HPKE system; set sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and output the public/private key pair (pk_u, sk_u).
Step 3: re-linearization public key generation initialization: the generation and sharing of the user personal private key share are completed in a mode of splitting the private key polynomial; the method comprises the following steps:
input params, private key sk of user u u0 And public key set { pk in user set U v1 } v∈U First, a private key polynomial sk with the highest degree of 4095 is obtained u0 Split into two highest order 2047 subprivate key polynomials ask u0 And bsk u0 Satisfy sk u0 =ask u0 +bsk u0 ·x 2048 (let the argument in the polynomial be x) at this time ask u0 And bsk u0 The highest order is 2047, and the coefficients of the following 2048 terms are 0. Then respectively inputting the polynomials ask of the coefficient representation by using an NTT.ToNtt () algorithm in the number theory transformation algorithm u0 And bsk u0 Polynomial niak of output point value representation u0 ,nnbsk u0 At this time, nnask u0 And nnbsk u0 There are 4096 items each, and the highest order is 4095.
Then the sub private key nnask is used u0 ,nnbsk u0 Splitting into 4 sub-private key shares according to the ordered set U= { A, B, C, D } of the user, specifically from polynomial nnask u0 Taking every 1024 items as 1 share, sequentially assigning to each user in the ordered set U, i.e. as the sub-private key share nnSa of user a u1 For nnask u0 Similarly, user D's sub-private key share nnSa um For nnask u0 Is the last 1024 items of (2). Similarly, the child private key nnbsk u0 As does the share splitting of (3), finally satisfying
Finally, the share sent to the user v is packed as nnS uv ={nnSa uv ,nnSb uv } v∈U Simultaneously using public key pk of user v v1 HPKE.Enc (pk) was run v1 ,nnS uv ) Encryption to obtain encrypted secret share nnES uv . Output of the set of encrypted shares { nnES ] distributed to all users in the set U for user U uv } v∈U There are a total of 4 elements in the set.
Step 4: re-linearizing public key share generation: after the user collects the private key shares sent by all other users, the calculation of the user about the re-linearization public key shares is completed through number theory transformation; before submitting the user individual re-linearization public key share, the user share is protected by utilizing two added and counteracted noises, so that the private key can be stolen by analyzing the share when the adversary collects the re-linearization public key share; the method comprises the following steps:
inputting params and user U receives a set of encrypted shares { nnES } from all users (including themselves) in the ordered set U vu } v∈U Then decrypt first, run { nnS ] vu ←HPKC.Dec(sk u1 ,nnES vu )} v∈U A set of shares is obtained. Then parse { nnS ] vu } v∈U Obtaining { { nnSa 1u ,nnSb 1u },{nnSa 2u ,nnSb 2u },...,{nnSa 4u ,nnSb 4u }}. The share nnSa is then added vu And nnSb vu (v. Epsilon. U) summarizing respectively, calculatingAt this time, polynomial nnSa u And nnSb u The aggregate share owned by user u.
Randomly selecting a 4096-term noise polynomial according to χ distributionAnd a 4096 noise polynomial with highest degree 2047 ++>(the coefficients of the 2048 items are all 0), calculating +.>Then respectively using NTT.ToNtt () algorithm in the number theory transformation algorithm to input polynomial ++of coefficient expression>Polynomial nnei of output point value representation 0 The method comprises the steps of carrying out a first treatment on the surface of the Polynomial of input coefficient representation ++>Polynomial nnei of output point value representation 1 . Polynomial of input coefficient representation ++>Polynomial nnei of output point value representation 2
For i=0..13, polynomial 4096 terms in a_list are takenSplit into two polynomials Aa of 4096 with highest degree 2047 i And Ba (beta) i And satisfy->The polynomial Aa as the coefficient representation is input by using NTT.ToNtt () algorithm in the number theory transformation algorithm i And Ba (beta) i A polynomial nnAa with the output of the point value representation i ,nnBa i And (3) calculating: nnrlk0 ui =nnSb u ·nnBa i -nnSa u ·nnAa i +T i (nnSa u ·nnSa u -nnSb u ·nnSb u )-nnei 0 +nnei 2 ,nnrlk1 ui =2T i (nnSa u ·nnSb u )-nnSa u ·nnBa i -nnSb u ·nnAa i +nnei 1 Finally, the re-linearized public key share of the user u is output { { { nnrlk0 u0 ,nnrlk1 u0 },...,{nnrlk0 u13 ,nnrlk1 u13 }}。
Step 5: and (3) generating a re-linearization public key: the server gathers the share of the re-linearization public key of each user, synthesizes and discloses the re-linearization public key; the method comprises the following steps:
input params and a re-linearized public key share set for all users: { { { nnrlk0 1i ,nnrlk1 1i }} i∈[0,13] ,{{nnrlk0 2i ,nnrlk1 2i }} i∈[0,13] ,...,{{nnrlk0 4i ,nnrlk1 4i }} i∈[0,13] }. For i=0..13, calculationRespectively inputting point value representation polynomial nnrlk0 by using NTT.ToPoly () algorithm in number theory transformation algorithm i And nnrlk1 i Polynomials rlk0_i, rlk1_i of the output coefficient representation are calculated rlk _i= rlk0 _0_i+ rlk1 _i.x 2048 (let the argument in the polynomial be x), the final output is a re-linearized public key set rlk _list= { rlk _i }, where i e [0,13 ]]。
While embodiments of the present invention have been shown and described above, it will be understood that these embodiments are illustrative and are not to be construed as limiting the invention, and that one of ordinary skill in the art may make changes, modifications, substitutions and variations to them within the scope of the invention.
It is to be understood that the above examples of the present invention are provided by way of illustration only and do not limit the embodiments of the invention. Other variations or modifications based on the above teachings will be apparent to those of ordinary skill in the art. It is neither necessary nor possible to enumerate all embodiments here. Any modification, equivalent replacement or improvement that comes within the spirit and principles of the invention is intended to be protected by the following claims.

Claims (9)

1. A method for generating a grid-based distributed re-linearization public key, comprising the steps of:
s1, initializing a system: setting initial parameters of a grid cipher body system and a re-linearization public key generation process;
s2, generating a user key: generating a public and private key pair of a user person through a hybrid encryption system;
s3, generating and initializing a re-linearization public key: the generation and sharing of the user personal private key share are completed in a mode of splitting the private key polynomial; the generation and initialization of the re-linearization public key specifically comprises the following steps:
S31. Input the system parameters params, the private key sk_u0 of user u, and the public key set {pk_v1}_{v∈U} of the user set U. First, split the private key polynomial sk_u0, whose highest degree is d, into two sub-private key polynomials ask_u0 and bsk_u0 of highest degree , satisfying -> ; let the variable of the polynomial be x; at this point the non-0 coefficient terms of ask_u0 and bsk_u0 are all +.> , and the coefficients of the last -> terms are all 0. Then use the NTT.ToNtt() algorithm of the number theoretic transform to input the coefficient-representation polynomials ask_u0 and bsk_u0 and output the point-value representation polynomials nnask_u0 and nnbsk_u0; at this point nnask_u0 and nnbsk_u0 each have d+1 terms, d being the highest degree;
S32. Divide the sub-private keys nnask_u0 and nnbsk_u0 each into m sub-private key shares according to the ordered user set U. Specifically, starting from the 1st term of the polynomial nnask_u0, every terms are taken as 1 share and allocated in sequence to each user in the ordered set U; that is, the sub-private key share nnSa_u1 allocated to user No. 1 is the first -> terms of nnask_u0, and so on, and the sub-private key share nnSa_um of user No. m is the last -> terms of nnask_u0. Similarly, the sub-private key nnbsk_u0 is divided into shares in the same way as the sub-private key nnask_u0, finally satisfying +.> ;
S33. Package the shares to be sent to user v as nnS_uv = {nnSa_uv, nnSb_uv}_{v∈U}, and use the public key pk_v1 of user v to run the encryption algorithm HPKE.Enc(pk_v1, nnS_uv) of the hybrid encryption system, obtaining the encrypted secret share nnES_uv; output the set of encrypted shares {nnES_uv}_{v∈U} that user u distributes to all users in the set U, the set containing m elements in total;
S4. Re-linearization public key share generation: after a user has collected the private key shares sent by all other users, the user's computation of its re-linearization public key share is completed through the number theoretic transform; before the user's personal re-linearized public key share is submitted, the user's share is protected with two added-up, nullable noises;
S5. Re-linearization public key generation: the server gathers the re-linearized public key shares of each user, then synthesizes and publishes the re-linearized public key.
2. The method of claim 1, wherein the system initialization includes setting system parameters params= { param0, param1}, where param0 is a set of parameters of the grid-based system initialization, and param1 is a set of parameters of the stage of the distributed generation of the re-linearized public key.
3. The method of generating a grid-based distributed re-linearization public key in accordance with claim 2, wherein the method comprises: specifically setting a security parameter λ and the number m of participating users; the ordered set U of all participating users, the polynomial degree d, the modulus q of the polynomial coefficients, the plaintext polynomial modulus t, the cyclotomic polynomial f(x), and the ring R = Z[x]/(f(x)), with R_q denoting the polynomials modulo q; then setting the χ distribution and the uniform distribution μ, and selecting from R_q a polynomial +.> according to the uniform distribution; finally, determining a hybrid encryption system HPKE = {HPKE.Gen(), HPKE.Enc(), HPKE.Dec()}, wherein HPKE.Gen() is the key generation algorithm of the hybrid encryption system, taking a security parameter as input and outputting an encryption and decryption key pair; HPKE.Enc() is the encryption algorithm of the hybrid encryption system, taking an encryption key and a plaintext as input and outputting a ciphertext; HPKE.Dec() is the decryption algorithm of the hybrid encryption system, taking a ciphertext and a decryption key as input and outputting a plaintext.
4. A method for generating a grid-based distributed re-linearization public key as in claim 3, wherein for param1 = {T, l, a_list, NTT}, the re-linearization public key parameter is set to an integer T, and then is calculated; for i = 0..l, polynomials +.> are respectively selected from R_q according to the uniform distribution to make up the set -> ; finally, a number theoretic transform algorithm NTT = {NTT.ToNtt(), NTT.ToPoly()} is determined, wherein NTT.ToNtt() takes as input a polynomial of d+1 terms in coefficient representation and outputs a polynomial of d+1 terms in point-value representation; NTT.ToPoly() takes as input a polynomial of d+1 terms in point-value representation and outputs a polynomial of d+1 terms in coefficient representation.
5. The method for generating a grid-based distributed re-linearization public key in claim 4, wherein the system initially sets the final output
6. The grid-based distributed re-linearization public key generation method of claim 5, wherein the user key generation comprises: inputting params, and then uniformly and randomly selecting, from the polynomial ring with coefficients in {-1,0,1}, a polynomial of d+1 terms; then selecting a noise polynomial +.> of d+1 terms according to the χ distribution; setting and -> , wherein [·]_q denotes that the coefficients of the polynomial inside the brackets are each reduced modulo q; running (pk_u1, sk_u1) ← HPKE.Gen(1^λ) to obtain the encryption and decryption key pair of the HPKE system, setting sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1), and outputting the public-private key pair (pk_u, sk_u).
7. The method for generating a grid-based distributed re-linearization public key as in claim 6, wherein the re-linearization public key share generation comprises:
S41. Input params and the set of encrypted shares {nnES_vu}_{v∈U} that user u has received from all users in the ordered set U; first decrypt by running the decryption algorithm of the hybrid encryption system, {nnS_vu ← HPKE.Dec(sk_u1, nnES_vu)}_{v∈U}, to obtain the share set; then parse {nnS_vu}_{v∈U} to obtain {{nnSa_1u, nnSb_1u}, {nnSa_2u, nnSb_2u}, ..., {nnSa_mu, nnSb_mu}}; finally, aggregate the shares nnSa_vu and nnSb_vu (v ∈ U) respectively, calculating ; at this point, the polynomials nnSa_u and nnSb_u are the aggregated shares owned by user u;
S42. Randomly select, according to the χ distribution, a noise polynomial of d+1 terms and noise polynomials -> whose non-0 coefficient terms have a highest degree of +.> and whose last -> terms have coefficients all 0, and calculate +.> ; then use the NTT.ToNtt() algorithm of the number theoretic transform to input the coefficient-representation polynomial ++> and output the point-value representation polynomial nnei_0; to input the coefficient-representation polynomial ++> and output the point-value representation polynomial nnei_1; and to input the coefficient-representation polynomial ++> and output the point-value representation polynomial nnei_2;
S43. For i = 0, ..., l, split the degree-d polynomial in a_list into two polynomials Aa_i and Ba_i whose non-0 coefficient terms have a highest degree of and whose last -> terms have coefficients all 0, satisfying +.> ; use the NTT.ToNtt() algorithm of the number theoretic transform to input the coefficient-representation polynomials Aa_i and Ba_i and output the point-value representation polynomials nnAa_i and nnBa_i; calculate nnrlk0_ui = nnSb_u·nnBa_i − nnSa_u·nnAa_i + T^i(nnSa_u·nnSa_u − nnSb_u·nnSb_u) − nnei_0 + nnei_2 and nnrlk1_ui = 2T^i(nnSa_u·nnSb_u) − nnSa_u·nnBa_i − nnSb_u·nnAa_i + nnei_1; finally, output the re-linearized public key share of user u: {{nnrlk0_u0, nnrlk1_u0}, {nnrlk0_u1, nnrlk1_u1}, ..., {nnrlk0_ul, nnrlk1_ul}}.
8. The method for generating a grid-based distributed re-linearization public key in accordance with claim 7, wherein the re-linearization public key generation comprises: inputting params and the re-linearized public key share sets of all users { {{nnrlk0_1i, nnrlk1_1i}}_{i∈[0,l]}, {{nnrlk0_2i, nnrlk1_2i}}_{i∈[0,l]}, ..., {{nnrlk0_mi, nnrlk1_mi}}_{i∈[0,l]} }; for i = 0..l, calculating ; then using the NTT.ToPoly() algorithm of the number theoretic transform to input the point-value representation polynomials nnrlk0_i and nnrlk1_i and output the coefficient-representation polynomials rlk0_i and rlk1_i, and calculating +.> , where x is the variable of the polynomial; finally outputting the re-linearized public key set rlk_list = {rlk_i}, where i ∈ [0,l].
9. A method of generating a grid-based distributed re-linearization public key in accordance with any of claims 3 to 8, wherein the number of users m is an integer power of 2; the polynomial degree d is 1 less than an integer power of 2; and the modulus q of the polynomial coefficients is a large prime integer.
CN202110160700.7A 2021-02-05 2021-02-05 Grid-based distributed re-linearization public key generation method Active CN112906020B (en)


Publications (2)

Publication Number Publication Date
CN112906020A (en) 2021-06-04
CN112906020B (en) 2023-07-21
