CN113472525A - Low-memory-occupation implementation technology based on post-quantum cryptography Saber algorithm - Google Patents

Low-memory-occupation implementation technology based on post-quantum cryptography Saber algorithm

Info

Publication number: CN113472525A
Authority: CN (China)
Prior art keywords: polynomial, vector, pseudo random number, storage unit
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN202110704531.9A
Other languages: Chinese (zh)
Other versions: CN113472525B (en)
Inventors: 刘哲, 张吉鹏
Current assignee: Nanjing University of Aeronautics and Astronautics
Original assignee: Nanjing University of Aeronautics and Astronautics
Application filed by Nanjing University of Aeronautics and Astronautics
Priority to CN202110704531.9A
Publication of CN113472525A
Application granted
Publication of CN113472525B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The invention discloses a low-memory-occupation implementation technique based on the post-quantum cryptography Saber algorithm, comprising a key generation method and system, an encryption method and system, and a decryption method and system. The polynomial matrix-vector multiplication is computed with on-the-fly generation of the matrix, so the memory occupied by the polynomial matrix is reduced to the memory occupied by a single element; this markedly reduces the memory footprint of the Saber scheme and eases its deployment on Internet of Things devices.

Description

Low-memory-occupation implementation technology based on post-quantum cryptography Saber algorithm
Technical Field
The invention belongs to the technical field of information security, and in particular relates to a low-memory-occupation key generation method, encryption method and decryption method based on the post-quantum cryptography Saber algorithm.
Background
With the rapid development of quantum computers, traditional public key cryptography faces an unprecedented threat. Post-quantum cryptography, the class of cryptography able to resist attacks by quantum computers, therefore receives growing attention at home and abroad, and its operating efficiency is generally better than that of traditional public key cryptography. Among post-quantum cryptography, lattice-based cryptography is the class most likely to become the standard for public key cryptography in the post-quantum era, and lattice-based algorithms receive particular attention for their flexibility and efficiency. Saber is a lattice-based key encapsulation scheme that is simpler and more efficient than comparable schemes.
The key generation, encryption and decryption procedures of the Saber algorithm are described in the document "Mod-LWR based KEM (Round 3 submission)", sections 2.4.1-2.4.3. The key generation part produces a public key and a private key, the encryption part encrypts a message polynomial with the public key to obtain a ciphertext, and the decryption part decrypts the ciphertext with the private key. The most computationally intensive module of the scheme is the matrix-vector multiplication, which at the bottom layer relies on polynomial multiplication; because of the large amount of computation, it also occupies a large amount of memory. Matrix-vector multiplication occurs twice in the Saber scheme: A^T s in the key generation algorithm and A s' in the encryption algorithm. Here A is an l × l polynomial matrix whose elements are polynomials of n terms, A^T is the transpose of A, and s is a polynomial column vector of dimension l whose elements are polynomials. If each coefficient of the polynomials in A is stored as a k-byte data type, the matrix A occupies l × l × n × k bytes. With the parameters of the document above, l = 3, n = 256 and k = 2, the matrix A occupies 4.5 KB of memory. Internet of Things (IoT) scenarios contain hundreds of millions of resource-constrained embedded devices, characterised by weak computing power and limited memory. Some devices have only 8 KB to 64 KB of memory, which must hold not only an operating system and business logic but also complex cryptographic components that secure data transmission. The large memory footprint of Saber severely hinders its deployment in IoT scenarios.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides a technology for realizing low memory occupation based on a post-quantum cryptography Saber algorithm, which comprises a key generation method and system, an encryption method and system and a decryption method and system, and can reduce the memory occupation of a Saber scheme.
The technical scheme is as follows: the invention provides a low-memory-occupation secret key generation method based on a post-quantum cryptography Saber algorithm, which comprises the following steps:
S101: generate a random seed Seed_A and a random variable r; initialize the indices of the polynomial matrix A to i = 0, j = 0, and initialize all elements of the temporary public key vector to 0:
[equation image]
S102: generate a number of pseudo-random numbers from the random variable r and store them in a first storage unit; the size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generate the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
S103: from the random seed Seed_A, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
update the value of the jth element of the temporary public key vector:
[equation image]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the ith element of the polynomial vector s, and the remaining term is the value of the jth element of the temporary public key vector before the update;
S104: if j < l-1, add one to j, jump to step S103 and update the elements of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l-1 and i < l-1, set j = 0, add one to i, jump to step S103 and update the elements of the temporary public key vector;
if j = l-1 and i = l-1, compute the public key vector b:
[equation image]
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being a positive integer upper bound, and mod is the modulo operation; the number of bits shifted right is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
return the public and private keys: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The invention provides an encryption method based on the key generation method, which comprises the following steps:
S201: initialize the index i of the polynomial matrix A to 0, and initialize all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0:
[equation image]
generate a random variable r';
S202: generate a number of pseudo-random numbers from the random variable r' and store them in a fourth storage unit; the size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generate the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
S203: from the random seed Seed_A in the public key, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
update the value of the ith element of the temporary second ciphertext vector:
[equation image]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the jth element of the polynomial vector s', and the remaining term is the value of the ith element of the temporary second ciphertext vector before the update;
S204: if i < l-1, add one to i, jump to step S203 and update the elements of the temporary second ciphertext vector; l is the dimension of the private key polynomial vector s;
if i = l-1 and j < l-1, set i = 0, add one to j, jump to step S203 and update the elements of the temporary second ciphertext vector;
if i = l-1 and j = l-1, compute the second ciphertext vector c_2:
[equation image]
where h is a preset constant polynomial; mod is the modulo operation, q is the upper bound of the polynomial coefficient values in the elements of the polynomial matrix A and is a positive integer; the number of bits shifted right is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
S205: compute a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
compute the encrypted message polynomial c_m:
[equation image]
where h_1 is a preset constant, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption method based on the encryption method, comprising the following steps:
S301: from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s, compute a first decryption parameter v:
[equation image]
S302: compute the decrypted message polynomial m':
[equation image]
where h_2 is a preset second constant term.
The invention provides a key generation system for implementing the key generation method, comprising:
a first initialization module, for generating a random seed Seed_A and a random variable r, initializing the indices of the polynomial matrix A to i = 0, j = 0, and initializing all elements of the temporary public key vector to 0:
[equation image]
a first polynomial vector s generation module, for generating a number of pseudo-random numbers from the random variable r and storing them in a first storage unit; the size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; the elements of the polynomial vector s are generated from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module, for generating, from the random seed Seed_A, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector update module, for updating the value of the jth element of the temporary public key vector:
[equation image]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the ith element of the polynomial vector s, and the remaining term is the value of the jth element of the temporary public key vector before the update;
a public key calculation module, for calculating the public key vector b:
[equation image]
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being a positive integer upper bound, and mod is the modulo operation; the number of bits shifted right is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module, for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The invention provides an encryption system for implementing the encryption method, comprising:
a second initialization module, for initializing the indices of the polynomial matrix A to i = 0, j = 0, initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generating a random variable r':
[equation image]
a second polynomial vector s' generation module, for generating a number of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; the elements of the polynomial vector s' are generated from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generation module, for generating, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and storing them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector update module, for updating the value of the ith element of the temporary second ciphertext vector:
[equation image]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the jth element of the polynomial vector s', and the remaining term is the value of the ith element of the temporary second ciphertext vector before the update;
a second ciphertext vector c_2 calculation module, for calculating the second ciphertext vector c_2:
[equation image]
where h is a preset constant polynomial; mod is the modulo operation, q is the upper bound of the polynomial coefficient values in the elements of the polynomial matrix A and is a positive integer; the shift is a logical right shift by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module, for calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
[equation image]
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
and returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption system for implementing the decryption method, comprising:
a first decryption parameter calculation module, for calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
[equation image]
a decrypted message polynomial calculation module, for calculating the decrypted message polynomial m':
[equation image]
where h_2 is a preset second constant term.
Advantages: compared with the prior art, the low-memory-occupation implementation technique based on the post-quantum cryptography Saber algorithm provided by the invention generates the polynomial matrix on the fly, reducing the memory occupied by the polynomial matrix during key generation and encryption to the memory occupied by a single polynomial; this reduces the memory footprint of the Saber scheme and lowers the difficulty and cost of deploying it on Internet of Things devices.
Drawings
Fig. 1 is a flowchart of the key generation method in embodiment 1;
Fig. 2 is a schematic diagram of the composition of the key generation system in embodiment 1;
Fig. 3 is a flowchart of the encryption method in embodiment 4;
Fig. 4 is a schematic diagram of the composition of the encryption system in embodiment 4;
Fig. 5 is a flowchart of the decryption method in embodiment 7;
Fig. 6 is a schematic diagram of the composition of the decryption system in embodiment 7.
Detailed Description
The invention is further explained with reference to the drawings and the detailed description. In the following embodiments the polynomial matrix A has dimension 3 × 3, the polynomials have 256 terms, and the polynomial coefficients of each element of the matrix take values in [0, 8191]; since 8191 < 2^13, each polynomial coefficient in A has 13 significant bits. The polynomial coefficients of each element of the polynomial vector s take values in [-4, 4]; since 4 < 2^3, each polynomial coefficient in s has 3 significant bits. The following embodiments use the SHAKE algorithm to generate pseudo-random numbers, from which the polynomial coefficients of A and s are derived. Executing the SHAKE algorithm involves two steps: first the absorb() function is called to initialize the internal state of SHAKE, then the squeezeblock() function is called to output pseudo-random data, producing 168 bytes of pseudo-random numbers per call.
Example 1
This embodiment discloses a low-memory-occupation key generation method based on the post-quantum cryptography Saber algorithm, shown in Fig. 1, comprising:
S101: generate a random seed Seed_A and a random variable r; initialize the indices of the polynomial matrix A to i = 0, j = 0, and initialize all elements of the temporary public key vector to 0:
[equation image]
in this embodiment the random seed Seed_A and r are both 256 bits, i.e. 32 bytes, long, each bit chosen uniformly at random from 0 and 1;
step S101 initializes only the indices of A and does not allocate the space A would occupy.
S102: generate a number of pseudo-random numbers from the random variable r and store them in a first storage unit; the size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generate the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
in this embodiment the polynomial vector s has 3 elements, each a 256-term polynomial, and each polynomial coefficient occupies 1 byte (with 3 significant bits), so one element of s occupies 256 bytes and the first storage unit must be at least 3 × 256 bytes; it is set to 3 × 256 = 768 bytes here. First, absorb() is called once with r as input to initialize the internal state of the SHAKE algorithm; then squeezeblock() is called 5 times to produce 168 × 5 = 840 bytes of pseudo-random numbers, of which the first 768 bytes are stored in the first storage unit and the remaining 72 bytes are discarded; the elements of the polynomial vector s are then generated from the pseudo-random numbers in the first storage unit.
S103: from the random seed Seed_A, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
in this embodiment A has 9 elements, each a 256-term polynomial, and each polynomial coefficient occupies 2 bytes (with 13 significant bits), so one element of A occupies 256 × 2 = 512 bytes and the second storage unit must be at least 512 bytes; it is set to 512 bytes here. First, absorb() is called once with Seed_A, i and j as input to initialize the internal state of the SHAKE algorithm; then squeezeblock() is called 4 times to produce 168 × 4 = 672 bytes of pseudo-random numbers, of which the first 512 bytes are stored in the second storage unit and the remaining 160 bytes are discarded; the element a_{i,j} in row i, column j of the polynomial matrix A is then generated from the pseudo-random numbers in the second storage unit.
update the value of the jth element of the temporary public key vector:
[equation image]
where s_i is the ith element of the polynomial vector s and the remaining term is the value of the jth element of the temporary public key vector before the update;
S104: if j < l-1, add one to j, jump to step S103, generate the next column element of row i of A and update the elements of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l-1 and i < l-1, set j = 0, add one to i, jump to step S103, generate the elements of the next row of A and update the elements of the temporary public key vector;
if j = l-1 and i = l-1, all calculations involving the elements of A are complete, and the public key vector b is computed:
[equation image]
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being a positive integer upper bound, and mod is the modulo operation; the number of bits shifted right is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p; in this embodiment ε_q is 13 and ε_p is 10, so the shift is 3 bits to the right.
return the public and private keys: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The matrix-vector multiplication computed during key generation in the Saber scheme is the product of the transpose of the polynomial matrix A and the polynomial vector s, namely A^T s:
[equation image]
In steps S103 and S104 the generation order of A is controlled through its indices i and j so that rows take priority: all elements of one row are generated and used before the next row is started. In this embodiment the final result does not need to be written back to A, so no storage space is allocated for A; the elements of the polynomial matrix A are generated on the fly and the space occupied by A shrinks from the 4.5 KB needed in the prior art to only 512 B, i.e. 0.5 KB, markedly reducing the memory required by the Saber scheme's computation.
This embodiment also discloses a key generation system for implementing the method, shown in Fig. 2, comprising:
a first initialization module 1-1, for generating a random seed Seed_A and a random variable r, initializing the indices of the polynomial matrix A to i = 0, j = 0, and initializing all elements of the temporary public key vector to 0:
[equation image]
a first polynomial vector s generation module 1-2, for generating a number of pseudo-random numbers from the random variable r and storing them in a first storage unit; the size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; the elements of the polynomial vector s are generated from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module 1-3, for generating, from the random seed Seed_A, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector update module 1-4, for updating the value of the jth element of the temporary public key vector:
[equation image]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the ith element of the polynomial vector s, and the remaining term is the value of the jth element of the temporary public key vector before the update;
a public key calculation module 1-5, for calculating the public key vector b:
[equation image]
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being a positive integer upper bound, and mod is the modulo operation; the number of bits shifted right is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module 1-6, for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
Example 2
The difference between this embodiment and embodiment 1 is that pseudo random numbers corresponding to polynomial coefficients of elements in a polynomial vector s are generated in real time, specifically:
in step S102, a plurality of pseudo random numbers corresponding to the polynomial coefficient of the ith element of the polynomial vector S are generated according to the random variable r and stored in a third storage unit, where the space size of the third storage unit is greater than or equal to the space size occupied by the pseudo random number corresponding to the polynomial coefficient of one element of the polynomial vector S; generating an ith element s of a polynomial vector s from the pseudo-random number in the third storage uniti
In this embodiment, the space size of the third storage unit is set to 256 Bytes. First, the absorb() function is called once with the random variable r as input to initialize the internal state of the SHAKE algorithm; then the squeezeblock() function is called twice to generate 168 × 2 = 336 Bytes of pseudo-random numbers, of which the first 256 Bytes are stored in the third storage unit and the remaining 80 Bytes are discarded; the element s_i of the polynomial vector s is then generated from the pseudo-random number in the third storage unit.
In step S104, when j = l-1 and i < l-1, the step of adding one to the value of i further includes: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s from the random variable r, storing them in the third storage unit, and generating the i-th element s_i of the polynomial vector s from the pseudo-random number in the third storage unit; then jumping to step S103.
From calculation formula (3), s_i is used 3 times; therefore this embodiment generates s_i, completes all calculations in which it participates, and only then generates the next element, so that the space occupied by the intermediate result needed to generate the polynomial vector s is reduced from 840 Bytes in embodiment 1 to 256 Bytes, further reducing the memory needed to implement the Saber scheme. The cost is that generating s in embodiment 1 requires a total of 5 calls of the squeezeblock() function, whereas this embodiment requires a total of 6 calls.
Example 3
This embodiment is an improvement on embodiment 2, differing in that the third storage unit is divided into two parts, one of which stores unused pseudo-random numbers so that they can be used when the next element is generated, thereby reducing discarded data and the number of calls of the squeezeblock() function. Specifically:
the space size of the third storage unit is equal to the space size occupied by the pseudo-random number corresponding to the polynomial coefficient of one element in the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, and the space size of the first subunit is the space size occupied by the pseudo random number generated by calling the pseudo random number generation function once;
when generating the values of the elements in the polynomial vector s:
if the second subunit contains pseudo-random numbers, the pseudo-random numbers in the second subunit are extracted as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers are extracted from the first subunit as part of the polynomial coefficients of the element currently being generated;
if polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit as the undetermined polynomial coefficients of the element currently being generated;
if pseudo-random numbers in the first subunit have not been extracted, they are stored in the second subunit; if the length of the unextracted data exceeds the space size of the second subunit, the excess is discarded.
In this embodiment, the size of the third storage unit is 256 bytes, of which 168 bytes form the first subunit and 88 bytes form the second subunit. When s_0 is generated, there is no data in either the first subunit or the second subunit. The squeezeblock() function is called once to generate 168 bytes of pseudo-random numbers, which are stored in the first subunit, and part of the polynomial coefficients of s_0 are determined from the data in the first subunit; then the squeezeblock() function is called a second time, the generated 168 bytes overwrite the first subunit, and 88 bytes are extracted to determine the remaining polynomial coefficients of s_0; the remaining 80 bytes of data are stored in the second subunit.
When all calculations involving s_0 are complete, i.e. when j = l-1 and i < l-1 in step S104, the value of i is increased by one and s_1 is generated. First, the 80 bytes of data in the second subunit are extracted to determine part of the polynomial coefficients of s_1; then the squeezeblock() function is called a third time, the generated 168 bytes overwrite the first subunit, and further polynomial coefficients of s_1 are determined from them; then the squeezeblock() function is called a fourth time, the generated 168 bytes overwrite the first subunit, and only 8 bytes are extracted to determine the remaining polynomial coefficients of s_1; of the 160 bytes of data that remain, 88 bytes are stored in the second subunit for the next use and the other 72 bytes are discarded.
When all calculations involving s_1 are complete, i.e. when j = l-1 and i < l-1 in step S104, the value of i is increased by one and s_2 is generated. First, the 88 bytes of data in the second subunit are extracted to determine part of the polynomial coefficients of s_2; then the squeezeblock() function is called a fifth time, the generated 168 bytes overwrite the first subunit, and the remaining undetermined polynomial coefficients of s_2 are determined from them. s_2 then participates in the calculation.
In this embodiment, the squeezeblock () function is called 5 times, the discarded data is 72bytes, and the memory occupied by the intermediate process is 256 bytes.
Example 4
This embodiment discloses an encryption method based on the key generation method of the foregoing embodiments; as shown in fig. 3, the encryption method includes:
S201, initializing the index i of the polynomial matrix A to 0, and initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generating a random variable r';
step S201 initializes only the indexes of A without allocating the space that A would occupy.
S202, generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the space size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random number in the fourth storage unit;
similar to s in embodiment 1, the polynomial vector s' in this embodiment occupies a total space of 3 × 256 Bytes, and the space size of the fourth storage unit is set to 768 Bytes. First, the absorb() function is called once with r' as input to initialize the internal state of the SHAKE algorithm; then the squeezeblock() function is called 5 times to generate 168 × 5 = 840 Bytes of pseudo-random numbers, of which the first 768 Bytes are stored in the fourth storage unit and the remaining 72 Bytes are discarded; the elements of the polynomial vector s' are then generated from the pseudo-random number in the fourth storage unit.
S203, generating, from the random seed Seed_A in the public key, the pseudo-random number corresponding to the polynomial coefficients of the element in the i-th row and j-th column of the polynomial matrix A, storing the pseudo-random number in a fifth storage unit, and overwriting any data already present in the fifth storage unit; the space size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial matrix A;
similar to embodiment 1, the space size of the fifth storage unit in this embodiment is 512 Bytes. 672 Bytes of pseudo-random numbers are generated by calling the absorb() function once and the squeezeblock() function 4 times, of which 512 Bytes are stored in the fifth storage unit and the remaining 160 Bytes are discarded; the element a_{i,j} in the i-th row and j-th column of the polynomial matrix A is then generated from the pseudo-random number in the fifth storage unit.
Updating the value of the i-th element of the temporary second ciphertext vector:
Figure BDA0003130626300000133
wherein s'_j is the j-th element of the polynomial vector s', and the remaining symbol is the value of the i-th element of the temporary second ciphertext vector before the update;
S204, if i < l-1, add one to the value of i, jump to step S203, generate the element in the next row of the j-th column of A, and update the value of the element of the temporary second ciphertext vector; l is the dimension of the private key polynomial vector s;
if i = l-1 and j < l-1, set i = 0, add one to the value of j, jump to step S203, generate the elements of the next column of A, and update the value of the element of the temporary second ciphertext vector;
if the calculation of the elements of A is complete, i.e. i = l-1 and j = l-1, calculate the second ciphertext vector c_2:
Figure BDA0003130626300000138
wherein h is a preset constant polynomial; mod is the modular operation; q is the upper bound of the polynomial coefficient values in the elements of the polynomial matrix A and is a positive integer; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
The matrix-vector multiplication that has to be calculated in the encryption process of the Saber scheme is the multiplication of the polynomial matrix A by the polynomial vector s, namely As:
Figure BDA0003130626300000141
in steps S203 and S204, the generation order of A is made row-priority by controlling the changes of the indexes i and j of A, that is, the elements of the next column are calculated only after all row elements of the current column have been calculated. In this embodiment, the final result does not need to be written back into A, so no storage space needs to be allocated for A; the elements of the polynomial matrix A are generated in real time and the storage space occupied by A is reduced: compared with the 4.5 KB needed in the prior art, this embodiment needs only 512 B, i.e. 0.5 KB, so the memory needed in the calculation process of the Saber scheme is significantly reduced.
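The two index orders on this page (S103/S104 accumulate A^T s with j changing fastest; S203/S204 accumulate A s' with i changing fastest) as an added Python example, not the patent's code. gen_a_element is a constructed expansion of Seed_A into a single element (the page does not specify it), the schoolbook product in Z_q[x]/(x^n + 1) and the rounding with h stand in for the equation images, and the reference function materialises the whole matrix only to check that each streaming order computes the right product while holding one a_{i,j} at a time.

```python
import hashlib

# Saber parameters as used on this page: l = 3, q = 2^13, p = 2^10, n = 256 coefficients.
N, L = 256, 3
EQ, EP = 13, 10
Q, P = 1 << EQ, 1 << EP


def poly_mul(a, b, q, n):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1) (negacyclic convolution)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q   # x^n = -1
    return res


def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


def gen_a_element(seed_a, i, j, q, n):
    """Derive a_{i,j} on demand from seed_A. The expansion is constructed for this
    example (the page does not spell it out); what matters is that it needs only
    (seed_A, i, j), so no other element of A has to exist in memory."""
    raw = hashlib.shake_128(seed_a + bytes([i, j])).digest(2 * n)
    return [int.from_bytes(raw[2 * k:2 * k + 2], "little") % q for k in range(n)]


def round_down(vec, h, q, shift):
    """Coefficient-wise ((x + h) mod q) >> shift, the final step for b and c_2."""
    return [[((x + hh) % q) >> shift for x, hh in zip(poly, h)] for poly in vec]


def keygen_streaming(seed_a, s, h, q=Q, n=N, shift=EQ - EP):
    """Steps S103/S104: j changes fastest, so b_hat[j] += a_{i,j} * s_i accumulates
    A^T s while only the current a_{i,j} (the second storage unit) is live."""
    l = len(s)
    b_hat = [[0] * n for _ in range(l)]
    i = j = 0
    while True:
        a_ij = gen_a_element(seed_a, i, j, q, n)   # overwrites the previous element
        b_hat[j] = poly_add(b_hat[j], poly_mul(a_ij, s[i], q, n), q)
        if j < l - 1:
            j += 1
        elif i < l - 1:
            i, j = i + 1, 0
        else:
            break                                   # i = j = l-1: A is exhausted
    return round_down(b_hat, h, q, shift)


def encrypt_streaming(seed_a, s_prime, h, q=Q, n=N, shift=EQ - EP):
    """Steps S203/S204: i changes fastest, so c_hat[i] += a_{i,j} * s'_j accumulates
    A s' with the same single-element buffer (the fifth storage unit)."""
    l = len(s_prime)
    c_hat = [[0] * n for _ in range(l)]
    i = j = 0
    while True:
        a_ij = gen_a_element(seed_a, i, j, q, n)
        c_hat[i] = poly_add(c_hat[i], poly_mul(a_ij, s_prime[j], q, n), q)
        if i < l - 1:
            i += 1
        elif j < l - 1:
            i, j = 0, j + 1
        else:
            break
    return round_down(c_hat, h, q, shift)


def matvec_reference(seed_a, v, h, transpose, q=Q, n=N, shift=EQ - EP):
    """Reference that materialises the whole l x l matrix A (exactly what the
    streaming versions avoid) and computes A^T v or A v the straightforward way."""
    l = len(v)
    A = [[gen_a_element(seed_a, i, j, q, n) for j in range(l)] for i in range(l)]
    out = [[0] * n for _ in range(l)]
    for i in range(l):
        for j in range(l):
            a = A[j][i] if transpose else A[i][j]
            out[i] = poly_add(out[i], poly_mul(a, v[j], q, n), q)
    return round_down(out, h, q, shift)


if __name__ == "__main__":
    seed = b"constructed seed_A"
    h = [1 << (EQ - EP - 1)] * N                       # rounding constant h (Saber spec)
    s = [[(7 * k + i) % 5 - 2 for k in range(N)] for i in range(L)]   # small, constructed
    s = [[c % Q for c in poly] for poly in s]
    assert keygen_streaming(seed, s, h) == matvec_reference(seed, s, h, True)
    print("streaming A^T s matches the full-matrix reference")
```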
S205, calculating a first encryption parameter v' from the vector b in the public key:
v' = b^T (s' mod p)    (7)
wherein p is a second modulus and superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
Figure BDA0003130626300000142
wherein h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T; in this example, ε_T is 4, i.e. the shift is 6 bits to the right;
returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The embodiment also discloses an encryption system for implementing the encryption method, as shown in fig. 4, including:
a second initializing module 2-1, configured to initialize the indexes i = 0 and j = 0 of the polynomial matrix A, to initialize all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and to generate a random variable r';
a second polynomial vector s' generating module 2-2 for generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the space size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random number in the fourth storage unit;
a second polynomial matrix A generating module 2-3 for generating, from the random seed Seed_A in the public key, the pseudo-random number corresponding to the polynomial coefficients of the element in the i-th row and j-th column of the polynomial matrix A, storing the pseudo-random number in a fifth storage unit, and overwriting any data already present in the fifth storage unit; the space size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector updating module 2-4 for updating the value of the i-th element of the temporary second ciphertext vector:
Figure BDA0003130626300000154
wherein a_{i,j} is the element in the i-th row and j-th column of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the remaining symbol is the value of the i-th element of the temporary second ciphertext vector before the update;
a second ciphertext vector c_2 calculation module 2-5 for calculating the second ciphertext vector c_2:
Figure BDA0003130626300000157
wherein h is a preset constant polynomial; mod is the modular operation; q is the upper bound of the polynomial coefficient values in the elements of the polynomial matrix A and is a positive integer; the shift is a logical right shift, and the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module 2-6, configured to calculate a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p); wherein p is a second modulus and superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
Figure BDA0003130626300000158
wherein h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
Example 5
The difference between this embodiment and embodiment 4 is that the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s' are generated in real time, specifically:
in step S202, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s'_j of the polynomial vector s' are generated from the random variable r' and stored in a sixth storage unit, where the space size of the sixth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial vector s'; the j-th element s'_j of the polynomial vector s' is generated from the pseudo-random number in the sixth storage unit;
In this embodiment, the space size of the sixth storage unit is set to 256 Bytes. First, the absorb() function is called once with the random variable r' as input to initialize the internal state of the SHAKE algorithm; then the squeezeblock() function is called twice to generate 168 × 2 = 336 Bytes of pseudo-random numbers, of which the first 256 Bytes are stored in the sixth storage unit and the remaining 80 Bytes are discarded; the element s'_j of the polynomial vector s' is then generated from the pseudo-random number in the sixth storage unit.
In step S204, when i = l-1 and j < l-1, the step of adding one to the value of j further includes: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of the polynomial vector s' from the random variable r', storing them in the sixth storage unit, and generating the j-th element s'_j of the polynomial vector s' from the pseudo-random number in the sixth storage unit; then jumping to step S203.
It is clear from formula (6) that s'_j is used 3 times. Similar to embodiment 2, this embodiment reduces the space occupied by the intermediate result needed to generate the polynomial vector s' from 840 Bytes in embodiment 1 to 256 Bytes, further reducing the memory needed in the implementation of the Saber scheme. Likewise, the cost is one more call of the squeezeblock() function.
Example 6
This embodiment is an improvement on embodiment 5, and the improvement is similar to embodiment 3, that is, the sixth storage unit is divided into two parts, specifically:
the space size of the sixth storage unit is equal to the space size occupied by the pseudo-random number corresponding to the polynomial coefficient of one element in the polynomial vector s';
the sixth storage unit is divided into a third subunit and a fourth subunit, and the space size of the third subunit is the space size occupied by the pseudo random number generated by calling the pseudo random number generation function once;
when calculating the values of the elements in the polynomial vector s':
if the fourth subunit contains pseudo-random numbers, the pseudo-random numbers in the fourth subunit are extracted as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the third subunit, and pseudo-random numbers are extracted from the third subunit as part of the polynomial coefficients of the element currently being generated;
if polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the third subunit, and pseudo-random numbers of the required length are extracted from the third subunit as the undetermined polynomial coefficients of the element currently being generated;
if pseudo-random numbers in the third subunit have not been extracted, they are stored in the fourth subunit; if the length of the unextracted data exceeds the space size of the fourth subunit, the excess is discarded.
Example 7
This embodiment discloses a decryption method for the encryption method described in embodiments 4 to 6; as shown in fig. 5, it includes:
S301, calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
Figure BDA0003130626300000171
S302, calculating the decrypted message polynomial m':
Figure BDA0003130626300000172
as shown in fig. 6, the decryption system implementing the decryption method includes:
a first decryption parameter calculation module 3-1 for calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
Figure BDA0003130626300000173
a decrypted message polynomial calculation module 3-2 for calculating the decrypted message polynomial m':
Figure BDA0003130626300000174
wherein h_2 is a preset second constant term.

Claims (10)

1. A low-memory-occupation key generation method based on the post-quantum cryptography Saber algorithm, characterized by comprising the following steps:
S101, generating a random seed Seed_A and a random variable r; initializing the indexes i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
S102, generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit; the space size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generating the elements of the polynomial vector s from the pseudo-random number in the first storage unit;
S103, generating, from the random seed Seed_A, the pseudo-random number corresponding to the polynomial coefficients of the element in the i-th row and j-th column of the polynomial matrix A, storing the pseudo-random number in a second storage unit, and overwriting any data already present in the second storage unit; the space size of the second storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the j-th element of the temporary public key vector:
Figure FDA0003130626290000014
wherein a_{i,j} is the element in the i-th row and j-th column of the polynomial matrix A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the remaining symbol is the value of the j-th element of the temporary public key vector before the update;
S104, if j < l-1, add one to the value of j, jump to step S103, and update the value of the element of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l-1 and i < l-1, set j = 0, add one to the value of i, jump to step S103, and update the value of the element of the temporary public key vector;
if j = l-1 and i = l-1, calculate the public key vector b:
Figure FDA0003130626290000019
wherein h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), where q is the upper bound and a positive integer, and mod is the modular operation; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
returning the public key and the private key, wherein the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
2. The key generation method according to claim 1, wherein the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s are generated in real time, specifically:
in step S102, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s are generated from the random variable r and stored in a third storage unit, where the space size of the third storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial vector s; the i-th element s_i of the polynomial vector s is computed from the pseudo-random number in the third storage unit;
in step S104, when j = l-1 and i < l-1, the step of adding one to the value of i further includes: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s from the random variable r, storing them in the third storage unit, and computing the i-th element s_i of the polynomial vector s from the pseudo-random number in the third storage unit; then jumping to step S103.
3. The key generation method according to claim 2, wherein the pseudo-random numbers are generated using the SHAKE algorithm;
the space size of the third storage unit is equal to the space size occupied by the pseudo-random number corresponding to the polynomial coefficient of one element in the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, and the space size of the first subunit is the space size occupied by the pseudo random number generated by calling the pseudo random number generation function once;
when calculating the values of the elements in the polynomial vector s:
if the second subunit contains pseudo-random numbers, the pseudo-random numbers in the second subunit are extracted as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers are extracted from the first subunit as part of the polynomial coefficients of the element currently being generated;
if polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit as the undetermined polynomial coefficients of the element currently being generated;
if pseudo-random numbers in the first subunit have not been extracted, they are stored in the second subunit; if the length of the unextracted data exceeds the space size of the second subunit, the excess is discarded.
4. An encryption method using the key generation method according to any one of claims 1 to 3, comprising:
S201, initializing the index i of the polynomial matrix A to 0, and initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generating a random variable r';
S202, generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the space size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random number in the fourth storage unit;
S203, generating, from the random seed Seed_A in the public key, the pseudo-random number corresponding to the polynomial coefficients of the element in the i-th row and j-th column of the polynomial matrix A, storing the pseudo-random number in a fifth storage unit, and overwriting any data already present in the fifth storage unit; the space size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the i-th element of the temporary second ciphertext vector:
Figure FDA0003130626290000034
wherein a_{i,j} is the element in the i-th row and j-th column of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the remaining symbol is the value of the i-th element of the temporary second ciphertext vector before the update;
S204, if i < l-1, add one to the value of i, jump to step S203, and update the value of the element of the temporary second ciphertext vector; l is the dimension of the private key polynomial vector s;
if i = l-1 and j < l-1, set i = 0, add one to the value of j, jump to step S203, and update the value of the element of the temporary second ciphertext vector;
if i = l-1 and j = l-1, calculate the second ciphertext vector c_2:
Figure FDA0003130626290000039
wherein h is a preset constant polynomial; mod is the modular operation; q is the upper bound of the polynomial coefficient values in the elements of the polynomial matrix A and is a positive integer; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
S205, calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p); wherein p is a second modulus and superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
Figure FDA0003130626290000041
wherein h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
5. The encryption method according to claim 4, wherein the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s' are generated in real time, specifically:
in step S202, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s'_j of the polynomial vector s' are generated from the random variable r' and stored in a sixth storage unit, where the space size of the sixth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial vector s'; the j-th element s'_j of the polynomial vector s' is generated from the pseudo-random number in the sixth storage unit;
in step S204, when i = l-1 and j < l-1, the step of adding one to the value of j further includes: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of the polynomial vector s' from the random variable r', storing them in the sixth storage unit, and generating the j-th element s'_j of the polynomial vector s' from the pseudo-random number in the sixth storage unit; then jumping to step S203.
6. The encryption method according to claim 5, wherein the pseudo-random numbers are generated using the SHAKE algorithm;
the space size of the sixth storage unit is equal to the space size occupied by the pseudo-random number corresponding to the polynomial coefficient of one element in the polynomial vector s';
the sixth storage unit is divided into a third subunit and a fourth subunit, and the space size of the third subunit is the space size occupied by the pseudo random number generated by calling the pseudo random number generation function once;
when generating the values of the elements in the polynomial vector s':
if the fourth subunit contains pseudo-random numbers, the pseudo-random numbers in the fourth subunit are extracted as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the third subunit, and pseudo-random numbers are extracted from the third subunit as part of the polynomial coefficients of the element currently being generated;
if polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the third subunit, and pseudo-random numbers of the required length are extracted from the third subunit as the undetermined polynomial coefficients of the element currently being generated;
if pseudo-random numbers in the third subunit have not been extracted, they are stored in the fourth subunit; if the length of the unextracted data exceeds the space size of the fourth subunit, the excess is discarded.
7. A decryption method for the encryption method according to any one of claims 4 to 6, comprising:
S301, computing a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
[equation image FDA0003130626290000051, not extracted]
S302, computing the decrypted message polynomial m':
[equation image FDA0003130626290000052, not extracted]
wherein h_2 is a preset second constant term.
8. A low-memory-occupation key generation system based on the post-quantum cryptography Saber algorithm, characterized by comprising:
a first initialization module for generating a random seed Seed_A and a random variable r, initializing the indices i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
a first polynomial vector s generating module for generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit, the space size of the first storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s, and for generating the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generating module for generating, from the random seed Seed_A, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i and column j of the polynomial matrix A and storing them in a second storage unit, overwriting any data already present in the second storage unit; the space size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector updating module for updating the value of the jth element of the temporary public key vector:
[equation image FDA0003130626290000056, not extracted]
wherein a_{i,j} is the element in row i and column j of the polynomial matrix A generated from the second storage unit, s_i is the ith element of the polynomial vector s, and the remaining term is the value of the jth element of the temporary public key vector before the update;
a public key calculation module for computing the public key vector b:
[equation image FDA0003130626290000061, not extracted]
wherein h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being the upper bound and a positive integer, and mod is the modular reduction; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module for returning the public key and the private key, wherein the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
9. A low-memory-occupation encryption system based on the post-quantum cryptography Saber algorithm, comprising:
a second initialization module for initializing the indices i = 0 and j = 0 of the polynomial matrix A, initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generating a random variable r';
a second polynomial vector s' generating module for generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit, the space size of the fourth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s', and for generating the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generating module for generating, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i and column j of the polynomial matrix A and storing them in a fifth storage unit, overwriting any data already present in the fifth storage unit; the space size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector updating module for updating the value of the ith element of the temporary second ciphertext vector:
[equation image FDA0003130626290000066, not extracted]
wherein a_{i,j} is the element in row i and column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the jth element of the polynomial vector s', and the remaining term is the value of the ith element of the temporary second ciphertext vector before the update;
a second ciphertext vector c_2 calculation module for computing the second ciphertext vector c_2:
[equation image FDA0003130626290000071, not extracted]
wherein h is a preset constant polynomial; mod is the modular reduction, and q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and a positive integer; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module for computing a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
[equation image FDA0003130626290000072, not extracted]
wherein h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant whose value satisfies ε_p > ε_T;
and returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
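Element-wise generation of A for the accumulations in claims 8 and 9, as an added example that is neither the patent's nor the Saber reference implementation: only one a_{i,j} is resident at a time while the temporary vector accumulates a_{i,j} * s_i into element j (key generation, A^T s) or a_{i,j} * s'_j into element i (encryption, A s'), followed by the rounding with the constant polynomial h. The derivation of a_{i,j} from Seed_A (SHAKE-128 over the seed and the two indices) and the coefficient sampling rule are assumptions made for this example, not the specification's expansion order; N = 256, l = 3, ε_q = 13 and ε_p = 10 are the Saber round-3 parameters.

```python
import hashlib

N, L = 256, 3                        # polynomial degree and module rank (Saber)
EPS_Q, EPS_P = 13, 10                # q = 2**13, p = 2**10
Q = 1 << EPS_Q
H = [1 << (EPS_Q - EPS_P - 1)] * N   # constant polynomial h used for rounding


def gen_a_elem(seed_a: bytes, i: int, j: int) -> list:
    """Expand one element a_{i,j} of A from Seed_A. This is all the
    'second' (keygen) or 'fifth' (encryption) storage unit ever holds;
    it is overwritten for every new (i, j). Derivation is an assumption."""
    buf = hashlib.shake_128(seed_a + bytes([i, j])).digest(2 * N)
    # 13-bit coefficients taken from 16-bit words (assumed sampling rule)
    return [int.from_bytes(buf[2 * k:2 * k + 2], "little") & (Q - 1)
            for k in range(N)]


def poly_mul_acc(acc: list, a: list, b: list) -> None:
    """acc += a * b in Z_q[x] / (x^N + 1), schoolbook, in place."""
    for ia, ca in enumerate(a):
        for ib, cb in enumerate(b):
            k = ia + ib
            if k < N:
                acc[k] = (acc[k] + ca * cb) % Q
            else:                                # x^N == -1 wrap-around
                acc[k - N] = (acc[k - N] - ca * cb) % Q


def matvec_streaming(seed_a: bytes, s: list, transpose: bool) -> list:
    """A^T * s (keygen, transpose=True) or A * s' (encryption, False),
    holding one element of A plus the L accumulator polynomials only."""
    acc = [[0] * N for _ in range(L)]            # temporary vector, all zeros
    for i in range(L):
        for j in range(L):
            a_ij = gen_a_elem(seed_a, i, j)      # overwrite the single A slot
            if transpose:
                poly_mul_acc(acc[j], a_ij, s[i])   # b'_j += a_{i,j} * s_i
            else:
                poly_mul_acc(acc[i], a_ij, s[j])   # c'_i += a_{i,j} * s'_j
    return acc


def round_to_p(vec: list) -> list:
    """((v + h) mod q) >> (eps_q - eps_p) per coefficient: turns the
    temporary vector into b (keygen) or c_2 (encryption)."""
    return [[((c + hc) % Q) >> (EPS_Q - EPS_P) for c, hc in zip(poly, H)]
            for poly in vec]
```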
10. A low-memory-occupation decryption system based on the post-quantum cryptography Saber algorithm, characterized by comprising:
a first decryption parameter calculation module for computing a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
[equation image FDA0003130626290000073, not extracted]
a decrypted message polynomial calculation module for computing the decrypted message polynomial m':
[equation image FDA0003130626290000074, not extracted]
wherein h_2 is a preset second constant term.
CN202110704531.9A 2021-06-24 2021-06-24 Low-memory-occupation secret key generation method based on post-quantum cryptography Saber algorithm, encryption and decryption method and system thereof Active CN113472525B (en)

Publications (2)

Publication Number Publication Date
CN113472525A true CN113472525A (en) 2021-10-01
CN113472525B CN113472525B (en) 2022-07-26

Family

ID=77872724

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114154640A (en) * 2021-11-25 2022-03-08 Huazhong University of Science and Technology Processor for realizing post-quantum cryptography Saber algorithm
CN114371828A (en) * 2022-01-05 2022-04-19 Huazhong University of Science and Technology Polynomial multiplier and processor with same
CN114866231A (en) * 2022-04-06 2022-08-05 Sun Yat-sen University Cryptosystem based on Classic McEliece cryptosystem
CN115348017A (en) * 2022-10-18 2022-11-15 Alibaba (China) Co., Ltd. Ciphertext processing method and device
CN115412241A (en) * 2022-07-25 2022-11-29 Huazhong University of Science and Technology Fusion cryptographic security processor for realizing post-quantum cryptographic algorithms Kyber and Saber

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266481A (en) * 2019-06-14 2019-09-20 Shenzhen Polytechnic Post-quantum encryption and decryption method and decryption device based on matrix
WO2020188269A1 (en) * 2019-03-18 2020-09-24 Pqshield Ltd Cryptography using a cryptographic state
WO2021032946A1 (en) * 2019-08-16 2021-02-25 Pqshield Ltd Co-processor for cryptographic operations
CN112511170A (en) * 2020-11-10 2021-03-16 Nanjing University of Aeronautics and Astronautics Parallel implementation method for polynomial compression in lattice code

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Andrea Basso et al., "SABER: Mod-LWR based KEM (Round 3 Submission)", http://www.esat.kuleuven.be/cosic/pqcrypto/saber/files/saberspecround3.pdf *
Angshuman Karmakar et al., "Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM", IACR CHES 2018 *
Jose Maria Bermudo Mera et al., "Time-memory trade-off in Toom-Cook multiplication: an application to module-lattice based cryptography", IACR Transactions on Cryptographic Hardware and Embedded Systems *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant