CN113472525A - Low-memory-occupation implementation technology based on post-quantum cryptography Saber algorithm - Google Patents


Info

Publication number
CN113472525A
Authority
CN
China
Prior art keywords
polynomial
vector
pseudo
storage unit
random
Prior art date
Legal status
Granted
Application number
CN202110704531.9A
Other languages
Chinese (zh)
Other versions
CN113472525B (en)
Inventor
刘哲
张吉鹏
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Priority date
Filing date
Publication date
Events
Application filed by Nanjing University of Aeronautics and Astronautics
Priority to CN202110704531.9A
Publication of CN113472525A
Application granted
Publication of CN113472525B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Complex Calculations (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a low-memory-footprint implementation technique based on the post-quantum cryptography Saber algorithm, comprising a key generation method and system, an encryption method and system, and a decryption method and system. Just-in-time matrix generation is used to compute the polynomial matrix-vector multiplication, so that the memory occupied by the polynomial matrix is reduced to the memory occupied by a single element of the matrix. This significantly lowers the memory footprint of the Saber scheme and facilitates its deployment on Internet of Things (IoT) devices.

Description

Low-memory-occupation implementation technology based on post-quantum cryptography Saber algorithm
Technical Field
The invention belongs to the technical field of information security, and in particular relates to a low-memory-footprint key generation method, encryption method and decryption method based on the post-quantum cryptography Saber algorithm.
Background
With the rapid development of quantum computers, traditional public key cryptography faces an unprecedented threat. Post-quantum cryptography, the class of cryptography designed to resist attacks by quantum computers, is therefore receiving growing attention at home and abroad, and its computational efficiency is generally better than that of traditional public key cryptography. Among post-quantum cryptography, lattice-based cryptography is the family most likely to become the standard for public key cryptography in the post-quantum era, and lattice-based algorithms attract particular attention because of their flexibility and efficiency. Saber is a lattice-based key encapsulation mechanism (KEM) that is simpler and more efficient than comparable schemes.
The Saber key generation, encryption and decryption procedures are described in the document "Mod-LWR based KEM (Round 3 submission)", sections 2.4.1 to 2.4.3. The key generation part produces a public key and a private key, the encryption part encrypts a message polynomial with the public key to obtain a ciphertext, and the decryption part recovers the message from the ciphertext with the private key. In this scheme the most computationally intensive module is the matrix-vector multiplication, whose underlying operation is polynomial multiplication. Because of the large amount of computation, it also occupies a large memory space. The matrix-vector multiplication occurs twice in Saber: A^T s in the key generation algorithm and A s' in the encryption algorithm. Here A denotes an l × l polynomial matrix whose elements are polynomials with n terms, A^T denotes the transpose of A, and s denotes a polynomial column vector of dimension l whose elements are polynomials. If each polynomial coefficient of an element of A is stored in a k-byte data type, the matrix A occupies l × l × n × k bytes. For the parameters of the document cited above, l = 3, n = 256 and k = 2, so A alone occupies 4.5 KB (3 × 3 × 256 × 2 = 4608 bytes). Internet of Things (IoT) scenarios contain hundreds of millions of resource-constrained embedded devices with weak computing power and limited memory. Some devices have only 8 KB to 64 KB of memory, which must hold not only the operating system and business logic but also the cryptographic components that secure data transmission. Saber's large memory footprint therefore severely hinders its deployment in IoT scenarios.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides a technology for realizing low memory occupation based on a post-quantum cryptography Saber algorithm, which comprises a key generation method and system, an encryption method and system and a decryption method and system, and can reduce the memory occupation of a Saber scheme.
The technical scheme is as follows. The invention provides a low-memory-footprint key generation method based on the post-quantum cryptography Saber algorithm, comprising the following steps:
S101: generate a random seed Seed_A and a random variable r; initialise the indices of the polynomial matrix A to i = 0, j = 0; initialise the temporary public key vector $\tilde{b}$ with all elements equal to 0;
S102: generate a plurality of pseudo-random numbers from the random variable r and store them in a first storage unit; the first storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generate the elements of s from the pseudo-random numbers in the first storage unit;
S103: from the random seed Seed_A, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the second storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
update the j-th element $\tilde{b}_j$ of the temporary public key vector $\tilde{b}$:
$$\tilde{b}_j \leftarrow \tilde{b}_j + a_{i,j}\, s_i$$
where a_{i,j} is the element in row i, column j of A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the $\tilde{b}_j$ on the right-hand side is the value of the j-th element before the update;
S104: if j < l − 1, increment j and return to step S103, updating the elements of $\tilde{b}$; l is the dimension of the polynomial vector s;
if j = l − 1 and i < l − 1, set j = 0, increment i and return to step S103, updating the elements of $\tilde{b}$;
if j = l − 1 and i = l − 1, compute the public key vector b:
$$b = \big((\tilde{b} + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; the polynomial coefficients of the elements of A take values in [0, q), q being a positive integer upper bound; mod is the modular reduction; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
return the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
The invention provides an encryption method based on the above key generation method, comprising the following steps:
S201: initialise the indices of the polynomial matrix A to i = 0, j = 0; initialise the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector $\tilde{c}_2$ with all elements equal to 0; generate a random variable r';
S202: generate a plurality of pseudo-random numbers from the random variable r' and store them in a fourth storage unit; the fourth storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generate the elements of s' from the pseudo-random numbers in the fourth storage unit;
S203: from the random seed Seed_A in the public key, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of A and store them in a fifth storage unit, overwriting any data already there; the fifth storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
update the i-th element $\tilde{c}_{2,i}$ of the temporary second ciphertext vector $\tilde{c}_2$:
$$\tilde{c}_{2,i} \leftarrow \tilde{c}_{2,i} + a_{i,j}\, s'_j$$
where a_{i,j} is the element in row i, column j of A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the $\tilde{c}_{2,i}$ on the right-hand side is the value of the i-th element before the update;
S204: if i < l − 1, increment i and return to step S203, updating the elements of $\tilde{c}_2$; l is the dimension of the private key polynomial vector s;
if i = l − 1 and j < l − 1, set i = 0, increment j and return to step S203, updating the elements of $\tilde{c}_2$;
if i = l − 1 and j = l − 1, compute the second ciphertext vector c_2:
$$c_2 = \big((\tilde{c}_2 + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; mod is the modular reduction; q is the positive integer upper bound of the polynomial coefficients of the elements of A; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
S205: compute the first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is the second modulus and the superscript T denotes the transpose of a vector or matrix;
compute the encrypted message polynomial c_m:
Figure BDA0003130626300000041
where h_1 is a preset constant, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption method based on the above encryption method, comprising the following steps:
S301: from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s, compute the first decryption parameter v:
$$v = c_2^{T}\,(s \bmod p)$$
S302: compute the decrypted message polynomial m':
Figure BDA0003130626300000043
where h_2 is a preset second constant term.
The invention provides a key generation system implementing the above key generation method, comprising:
a first initialisation module, for generating a random seed Seed_A and a random variable r, initialising the indices of the polynomial matrix A to i = 0, j = 0, and initialising the temporary public key vector $\tilde{b}$ with all elements equal to 0;
a first polynomial vector s generation module, for generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit, the first storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s, and for generating the elements of s from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module, for generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of A and storing them in a second storage unit, overwriting any data already there, the second storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
a temporary public key vector update module, for updating the j-th element $\tilde{b}_j$ of the temporary public key vector $\tilde{b}$:
$$\tilde{b}_j \leftarrow \tilde{b}_j + a_{i,j}\, s_i$$
where a_{i,j} is the element in row i, column j of A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the $\tilde{b}_j$ on the right-hand side is the value of the j-th element before the update;
a public key calculation module, for computing the public key vector b:
$$b = \big((\tilde{b} + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; the polynomial coefficients of the elements of A take values in [0, q), q being a positive integer upper bound; mod is the modular reduction; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module, for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
The invention provides an encryption system implementing the above encryption method, comprising:
a second initialisation module, for initialising the indices of the polynomial matrix A to i = 0, j = 0, initialising the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector $\tilde{c}_2$ with all elements equal to 0, and generating a random variable r';
a second polynomial vector s' generation module, for generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit, the fourth storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s', and for generating the elements of s' from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generation module, for generating from the random seed Seed_A in the public key the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of A and storing them in a fifth storage unit, overwriting any data already there, the fifth storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
a temporary second ciphertext vector $\tilde{c}_2$ update module, for updating the i-th element $\tilde{c}_{2,i}$ of $\tilde{c}_2$:
$$\tilde{c}_{2,i} \leftarrow \tilde{c}_{2,i} + a_{i,j}\, s'_j$$
where a_{i,j} is the element in row i, column j of A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the $\tilde{c}_{2,i}$ on the right-hand side is the value of the i-th element before the update;
a second ciphertext vector c_2 calculation module, for computing the second ciphertext vector c_2:
$$c_2 = \big((\tilde{c}_2 + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; mod is the modular reduction; q is the positive integer upper bound of the polynomial coefficients of the elements of A; ≫ is a logical right shift by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module, for computing the first encryption parameter v' from the vector b in the public key, v' = b^T (s' mod p), where p is the second modulus and the superscript T denotes the transpose of a vector or matrix, and for computing the encrypted message polynomial c_m:
Figure BDA0003130626300000062
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
and for returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption system implementing the above decryption method, comprising:
a first decryption parameter calculation module, for computing the first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
$$v = c_2^{T}\,(s \bmod p)$$
a decrypted message polynomial calculation module, for computing the decrypted message polynomial m':
Figure BDA0003130626300000064
where h_2 is a preset second constant term.
Beneficial effects: compared with the prior art, the low-memory-footprint implementation technique based on the post-quantum cryptography Saber algorithm provided by the invention generates the polynomial matrix just in time, so that the memory occupied by the polynomial matrix during key generation and encryption is reduced to the memory occupied by a single polynomial. This reduces the memory footprint of the Saber scheme and lowers the difficulty and cost of deploying it on IoT devices.
Drawings
Fig. 1 is a flowchart of a key generation method in embodiment 1;
FIG. 2 is a schematic diagram showing the constitution of a key generation system in embodiment 1;
FIG. 3 is a flowchart of an encryption method in embodiment 4;
FIG. 4 is a schematic diagram showing the composition of the encryption system in embodiment 4;
FIG. 5 is a flowchart of a decryption method in embodiment 7;
fig. 6 is a schematic diagram showing the composition of the decryption system in embodiment 7.
Detailed Description
The invention is further explained with reference to the drawings and the detailed description. In the following embodiments the polynomial matrix A is 3 × 3, each polynomial has 256 terms, and the coefficients of the elements of A lie in [0, 8191]; since 8191 < 2^13, each coefficient of A has 13 significant bits. The coefficients of the elements of the polynomial vector s lie in [−4, 4]; since 4 < 2^3, the magnitude of each coefficient of s fits in 3 bits. The SHAKE algorithm is used in the following embodiments to generate the pseudo-random numbers from which the coefficients of A and s are derived. Executing SHAKE involves two steps: first the absorb() function is called to initialise the internal state, then the squeezeblock() function is called to output pseudo-random data, producing 168 bytes per call (168 bytes is the output block size of SHAKE-128, the variant Saber uses for matrix generation).
Example 1
This embodiment discloses a low-memory-footprint key generation method based on the post-quantum cryptography Saber algorithm, shown in Fig. 1, comprising:
S101: generate a random seed Seed_A and a random variable r; initialise the indices of the polynomial matrix A to i = 0, j = 0; initialise the temporary public key vector $\tilde{b}$ with all elements equal to 0;
in this embodiment both Seed_A and r are 256 bits (32 bytes) long, each bit chosen uniformly at random from {0, 1};
step S101 initialises only the indices of A; no space is allocated for A itself.
S102: generate a plurality of pseudo-random numbers from the random variable r and store them in a first storage unit; the first storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generate the elements of s from the pseudo-random numbers in the first storage unit;
in this embodiment s has 3 elements, each a 256-term polynomial, and each polynomial coefficient occupies 1 byte (3 significant bits), so one element of s occupies 256 bytes and the first storage unit must be at least 3 × 256 = 768 bytes; it is set to 768 bytes here. First absorb() is called once with r as input to initialise the internal state of SHAKE; then squeezeblock() is called 5 times to produce 168 × 5 = 840 bytes of pseudo-random data, of which the first 768 bytes are stored in the first storage unit and the remaining 72 bytes are discarded; the elements of the polynomial vector s are then generated from the pseudo-random numbers in the first storage unit.
S103: from the random seed Seed_A, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the second storage unit is at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
in this embodiment A has 9 elements, each a 256-term polynomial, and each polynomial coefficient occupies 2 bytes (13 significant bits), so one element of A occupies 256 × 2 = 512 bytes and the second storage unit must be at least 512 bytes; it is set to 512 bytes here. First absorb() is called once with Seed_A, i and j as input to initialise the internal state of SHAKE; then squeezeblock() is called 4 times to produce 168 × 4 = 672 bytes of pseudo-random data, of which the first 512 bytes are stored in the second storage unit and the remaining 160 bytes are discarded; the element a_{i,j} in row i, column j of A is then generated from the pseudo-random numbers in the second storage unit.
Update the j-th element $\tilde{b}_j$ of the temporary public key vector $\tilde{b}$:
$$\tilde{b}_j \leftarrow \tilde{b}_j + a_{i,j}\, s_i$$
where s_i is the i-th element of the polynomial vector s and the $\tilde{b}_j$ on the right-hand side is the value of the j-th element before the update;
S104: if j < l − 1, increment j, return to step S103, generate the next element in row i of A, and update the elements of $\tilde{b}$; l is the dimension of the polynomial vector s;
if j = l − 1 and i < l − 1, set j = 0, increment i, return to step S103, generate the elements of the next row of A, and update the elements of $\tilde{b}$;
if j = l − 1 and i = l − 1, all computations involving elements of A are complete; compute the public key vector b:
$$b = \big((\tilde{b} + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; the polynomial coefficients of the elements of A take values in [0, q), q being a positive integer upper bound; mod is the modular reduction; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p. In this embodiment ε_q = 13 and ε_p = 10, so the shift is by 3 bits.
Return the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
The matrix-vector multiplication computed during Saber key generation is the product of the transpose of the polynomial matrix A with the polynomial vector s, i.e. A^T s:
$$A^{T} s = \begin{pmatrix} a_{0,0}\, s_0 + a_{1,0}\, s_1 + a_{2,0}\, s_2 \\ a_{0,1}\, s_0 + a_{1,1}\, s_1 + a_{2,1}\, s_2 \\ a_{0,2}\, s_0 + a_{1,2}\, s_1 + a_{2,2}\, s_2 \end{pmatrix} \qquad (3)$$
In steps S103 and S104 the elements of A are generated in row-major order by controlling the indices i and j: every element of one row is generated and consumed before the next row is started. Because the final result never needs A itself, no storage is allocated for A as a whole; its elements are generated just in time, so the storage occupied by A drops from the 4.5 KB required in the prior art to a single 512-byte element (0.5 KB), significantly reducing the memory required by the Saber computation.
This embodiment also discloses a key generation system implementing the above method, shown in Fig. 2, comprising:
a first initialisation module 1-1, for generating a random seed Seed_A and a random variable r, initialising the indices of the polynomial matrix A to i = 0, j = 0, and initialising the temporary public key vector $\tilde{b}$ with all elements equal to 0;
a first polynomial vector s generation module 1-2, for generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit, the first storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s, and for generating the elements of s from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module 1-3, for generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of A and storing them in a second storage unit, overwriting any data already there, the second storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of A;
a temporary public key vector update module 1-4, for updating the j-th element $\tilde{b}_j$ of the temporary public key vector $\tilde{b}$:
$$\tilde{b}_j \leftarrow \tilde{b}_j + a_{i,j}\, s_i$$
where a_{i,j} is the element in row i, column j of A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the $\tilde{b}_j$ on the right-hand side is the value of the j-th element before the update;
a public key calculation module 1-5, for computing the public key vector b:
$$b = \big((\tilde{b} + h) \bmod q\big) \gg (\varepsilon_q - \varepsilon_p)$$
where h is a preset constant polynomial; the polynomial coefficients of the elements of A take values in [0, q), q being a positive integer upper bound; mod is the modular reduction; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module 1-6, for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b), and the polynomial vector s is the private key.
Example 2
This embodiment differs from embodiment 1 in that the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s are generated just in time. Specifically:
in step S102, the pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s are generated from the random variable r and stored in a third storage unit, the third storage unit being at least as large as the pseudo-random numbers corresponding to the polynomial coefficients of a single element of s; the i-th element s_i of s is generated from the pseudo-random numbers in the third storage unit.
In this embodiment the third storage unit is 256 bytes. First absorb() is called once with the random variable r as input to initialise the internal state of SHAKE; then squeezeblock() is called 2 times to produce 168 × 2 = 336 bytes of pseudo-random data, of which the first 256 bytes are stored in the third storage unit and the remaining 80 bytes are discarded; the element s_i of the polynomial vector s is then generated from the pseudo-random numbers in the third storage unit.
In step S104, when j = l − 1 and i < l − 1, the step of incrementing i further comprises: generating from the random variable r the pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of s, storing them in the third storage unit, and generating the i-th element s_i of s from the pseudo-random numbers in the third storage unit; the method then returns to step S103.
As formula (3) shows, each s_i is used 3 times. This embodiment therefore generates s_i, completes every computation in which it participates, and only then generates the next element, so the space occupied by the intermediate result needed to generate the polynomial vector s shrinks from 840 bytes in embodiment 1 to 256 bytes, further reducing the memory required to implement the Saber scheme. The cost is that generating s in embodiment 1 requires 5 calls of squeezeblock() in total, whereas this embodiment requires 6.
Example 3
This embodiment improves on embodiment 2; the difference is that the third storage unit is divided into two parts, one of which holds the pseudo-random numbers left unused so that they can be consumed when the next element is generated, which reduces discarded data and the number of squeezeblock() calls. Specifically:
the size of the third storage unit is equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, and the size of the first subunit is the space occupied by the pseudo-random numbers produced by one call of the pseudo-random number generation function;
when the values of the elements of the polynomial vector s are generated:
if the second subunit holds pseudo-random numbers, they are extracted and used as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the first subunit, and the pseudo-random numbers in the first subunit are extracted as part of the polynomial coefficients of the element currently being generated;
if some polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit as the undetermined polynomial coefficients of the element currently being generated;
if some pseudo-random numbers in the first subunit have not been extracted, they are stored in the second subunit; if the length of the unextracted data exceeds the size of the second subunit, the excess is discarded.
In this embodiment, the size of the third storage unit is 256 bytes, of which 168 bytes form the first subunit and 88 bytes the second subunit. When s_0 is generated, both the first and the second subunit are empty. squeezeblock() is called once to generate 168 bytes of pseudo-random numbers, which are stored in the first subunit, and part of the polynomial coefficients of s_0 are determined from the data in the first subunit; then squeezeblock() is called a second time, the generated 168 bytes overwrite the first subunit, 88 bytes are extracted to determine the remaining polynomial coefficients of s_0, and the remaining 80 bytes are stored in the second subunit.
When all calculations involving s_0 are complete, i.e. when j = l−1 and i < l−1 in step S104, the value of i is incremented by one and s_1 is generated. First, the 80 bytes of data in the second subunit are extracted to determine part of the polynomial coefficients of s_1; then squeezeblock() is called a third time, the generated 168 bytes overwrite the first subunit and are used to determine a further part of the polynomial coefficients of s_1; then squeezeblock() is called a fourth time, the generated 168 bytes overwrite the first subunit, and only 8 bytes are extracted to determine the remaining polynomial coefficients of s_1; of the 160 bytes left over, 88 bytes are stored in the second subunit for the next use and the remaining 72 bytes are discarded.
When all calculations involving s_1 are complete, i.e. when j = l−1 and i < l−1 in step S104, the value of i is incremented by one and s_2 is generated. First, the 88 bytes of data in the second subunit are extracted to determine part of the polynomial coefficients of s_2; then squeezeblock() is called a fifth time, the generated 168 bytes overwrite the first subunit and determine the remaining undetermined polynomial coefficients of s_2. s_2 then takes part in the calculation.
In this embodiment, the squeezeblock() function is called 5 times, 72 bytes of data are discarded, and the memory occupied by the intermediate process is 256 bytes.
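The two-subunit buffer of this embodiment, beside the plain scheme of embodiment 2 for comparison, as an added Python example that is not the patent's code: hashlib's SHAKE-128 stands in for absorb()/squeezeblock(), the 168-byte block and 256-byte element sizes are the ones stated above, and the seed value is constructed.

```python
import hashlib

# Sizes taken from the text: one squeezeblock() call yields 168 bytes
# (the SHAKE-128 rate), and one element of s consumes 256 bytes.
BLOCK = 168                     # first subunit size
ELEM_BYTES = 256                # pseudo-random bytes per element of s
SECOND = ELEM_BYTES - BLOCK     # 88-byte second subunit


class BlockSqueezer:
    """Stand-in for absorb()/squeezeblock(). hashlib offers no incremental
    squeeze, so block k is sliced out of digest(168 * (k + 1))."""

    def __init__(self, seed: bytes):
        self._xof = hashlib.shake_128(seed)     # absorb()
        self.calls = 0

    def squeezeblock(self) -> bytes:
        k = self.calls
        self.calls += 1
        return self._xof.digest(BLOCK * (k + 1))[BLOCK * k:]


def xof_bytes(seed: bytes, n: int) -> bytes:
    """The first n bytes of the plain XOF stream (used to check results)."""
    return hashlib.shake_128(seed).digest(n)


def split_buffer_sampler(seed: bytes, count: int):
    """Embodiment 3: produce `count` 256-byte element buffers while carrying
    unused bytes over in the second subunit.
    Returns (elements, squeezeblock_calls, discarded_bytes)."""
    xof = BlockSqueezer(seed)
    second = b""                 # second subunit: leftover from last element
    discarded = 0
    elements = []
    for _ in range(count):
        buf = bytearray(second)  # 1. consume the second subunit first
        second = b""
        first = b""
        # 2./3. call squeezeblock() until the element is complete; with
        #       88 + 168 >= 256 and 168 + 168 >= 256 this is at most twice
        while len(buf) < ELEM_BYTES:
            first = xof.squeezeblock()          # overwrites the first subunit
            need = ELEM_BYTES - len(buf)
            buf += first[:need]
            first = first[need:]                # unextracted remainder
        # 4. carry at most 88 leftover bytes; anything beyond is discarded
        second = first[:SECOND]
        discarded += max(0, len(first) - SECOND)
        elements.append(bytes(buf))
    return elements, xof.calls, discarded


def naive_sampler(seed: bytes, count: int):
    """Embodiment 2 for comparison: two fresh squeezeblock() calls per
    element and the surplus 80 bytes thrown away every time."""
    xof = BlockSqueezer(seed)
    discarded = 0
    elements = []
    for _ in range(count):
        blk = xof.squeezeblock() + xof.squeezeblock()
        elements.append(blk[:ELEM_BYTES])
        discarded += len(blk) - ELEM_BYTES
    return elements, xof.calls, discarded
```

With three elements the split buffer reproduces the counts given above (5 calls, 72 bytes discarded), whereas the plain scheme needs 6 calls and discards 240 bytes.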
Example 4
This embodiment discloses an encryption method based on the key generation method of the foregoing embodiments. As shown in fig. 3, the encryption method includes:
S201, initializing the indices i = 0, j = 0 of the polynomial matrix A, initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generating a random variable r';
step S201 initializes only the indices of A without allocating the space that A would occupy.
S202, generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
similarly to s in embodiment 1, the polynomial vector s' in this embodiment occupies 3 × 256 bytes in total, and the size of the fourth storage unit is set to 768 bytes. First, the absorb() function is called once with r' as input to initialize the internal state of the SHAKE algorithm; then the squeezeblock() function is called 5 times to generate 168 × 5 = 840 bytes of pseudo-random numbers, of which the first 768 bytes are stored in the fourth storage unit and the remaining 72 bytes are discarded; the elements of the polynomial vector s' are then generated from the pseudo-random numbers in the fourth storage unit.
S203, generating, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a fifth storage unit, overwriting any data already held there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
similarly to embodiment 1, the size of the fifth storage unit in this embodiment is 512 bytes. The absorb() function is called once and the squeezeblock() function 4 times to generate 672 bytes of pseudo-random numbers, of which 512 bytes are stored in the fifth storage unit and the remaining 160 bytes are discarded; the element a_{i,j} in row i, column j of the polynomial matrix A is then generated from the pseudo-random numbers in the fifth storage unit;
updating the value of the i-th element of the temporary second ciphertext vector:
[formula image not reproduced]
where s'_j is the j-th element of the polynomial vector s', and the remaining term is the value of the i-th element of the temporary second ciphertext vector before the update;
S204, if i < l−1, incrementing i by one and jumping to step S203 to generate the element in the next row of column j of A and update the values of the elements of the temporary second ciphertext vector; l is the dimension of the private key polynomial vector s;
if i = l−1 and j < l−1, setting i = 0, incrementing j by one and jumping to step S203 to generate the elements of the next column of A and update the values of the elements of the temporary second ciphertext vector;
if the calculation over the elements of A is complete, i.e. i = l−1 and j = l−1, calculating the second ciphertext vector c_2:
[formula image not reproduced]
where h is a preset constant polynomial; mod is the modulo operation; q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and is a positive integer; >> is a logical right shift by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
The matrix-vector multiplication that has to be computed in the encryption process of the Saber scheme is the product of the polynomial matrix A and the polynomial vector s', namely As':
[formula image not reproduced]
In steps S203 and S204, A is generated by controlling how its indices i and j change, with the row index i varying fastest: all elements of one column are generated and used before the next column is started. In this embodiment the final result does not have to be written back to A, so no storage space needs to be allocated for A; the elements of the polynomial matrix A are generated on the fly, which reduces the storage A occupies: compared with the 4.5 KB required in the prior art, this embodiment needs only 512 B, i.e. 0.5 KB, significantly reducing the memory required by the Saber computation.
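The on-the-fly accumulation of steps S103/S104 (key generation, modules 1-3 and 1-4) and of steps S203/S204 (encryption), as an added Python example that is neither the patent's code nor the Saber reference implementation. The parameters l = 3, n = 256, ε_q = 13, ε_p = 10, the value of h, and the SHAKE-based derivation of a_{i,j} from Seed_A and (i, j) are assumptions; the dense reference exists only to check the streamed result.

```python
import hashlib

# Assumed toy parameters (Saber-like): l = 3, n = 256, q = 2**13, p = 2**10.
L, N = 3, 256
EPS_Q, EPS_P = 13, 10
Q, P = 1 << EPS_Q, 1 << EPS_P
# Constant rounding polynomial h; the value is an assumption, the page only
# says h is a preset constant polynomial.
H = [1 << (EPS_Q - EPS_P - 1)] * N


def poly_mul(a, b, q=Q):
    """Schoolbook product in Z_q[x] / (x^n + 1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - N] = (out[k - N] - ai * bj) % q
    return out


def gen_element(seed: bytes, i: int, j: int):
    """Element a_{i,j} of A regenerated on demand from Seed_A and (i, j):
    2 bytes per coefficient reduced mod q (a constructed derivation, not
    Saber's gen_matrix). This plays the role of the second/fifth storage
    unit: only one element of A is ever held in memory."""
    raw = hashlib.shake_128(seed + bytes([i, j])).digest(2 * N)
    return [int.from_bytes(raw[2 * k:2 * k + 2], "little") % Q for k in range(N)]


def round_q_to_p(acc):
    """((acc + h) mod q) >> (eps_q - eps_p), coefficient-wise."""
    return [((x + h) % Q) >> (EPS_Q - EPS_P) for x, h in zip(acc, H)]


def keygen_b(seed: bytes, s):
    """b = round(A^T s + h), accumulated one a_{i,j} at a time in the order of
    steps S103/S104: j varies fastest, so s_i is used l times in a row."""
    acc = [[0] * N for _ in range(L)]      # temporary public key vector
    for i in range(L):
        for j in range(L):
            prod = poly_mul(gen_element(seed, i, j), s[i])
            acc[j] = [(x + y) % Q for x, y in zip(acc[j], prod)]
    return [round_q_to_p(row) for row in acc]


def encrypt_c2(seed: bytes, s_prime):
    """c_2 = round(A s' + h) in the order of steps S203/S204: i varies
    fastest, so s'_j is used l times in a row and can be generated just
    in time (embodiments 5 and 6)."""
    acc = [[0] * N for _ in range(L)]      # temporary second ciphertext vector
    for j in range(L):
        for i in range(L):
            prod = poly_mul(gen_element(seed, i, j), s_prime[j])
            acc[i] = [(x + y) % Q for x, y in zip(acc[i], prod)]
    return [round_q_to_p(row) for row in acc]


def dense_reference(seed: bytes, vec, transpose: bool):
    """Check: materialise all l*l elements of A (what the streaming code
    avoids) and compute round(A^T vec + h) or round(A vec + h) directly."""
    A = [[gen_element(seed, i, j) for j in range(L)] for i in range(L)]
    out = []
    for r in range(L):
        acc = [0] * N
        for c in range(L):
            a = A[c][r] if transpose else A[r][c]
            acc = [(x + y) % Q for x, y in zip(acc, poly_mul(a, vec[c]))]
        out.append(round_q_to_p(acc))
    return out
```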
S205, calculating a first encryption parameter v' from the vector b in the public key:
v' = b^T (s' mod p)    (7)
where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
[formula image not reproduced]
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T; in this example ε_T is 4, i.e. a right shift by 6 bits;
returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
This embodiment also discloses an encryption system implementing the encryption method, as shown in fig. 4, including:
a second initializing module 2-1, configured to initialize the indices i = 0, j = 0 of the polynomial matrix A, to initialize all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and to generate a random variable r';
a second polynomial vector s' generating module 2-2, configured to generate a plurality of pseudo-random numbers from the random variable r' and store them in a fourth storage unit, the size of the fourth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s', and to generate the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generating module 2-3, configured to generate, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and to store them in a fifth storage unit, overwriting any data already held there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector updating module 2-4, configured to update the value of the i-th element of the temporary second ciphertext vector:
[formula image not reproduced]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the remaining term is the value of the i-th element of the temporary second ciphertext vector before the update;
a second ciphertext vector c_2 calculation module 2-5, configured to calculate the second ciphertext vector c_2:
[formula image not reproduced]
where h is a preset constant polynomial; mod is the modulo operation; q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and is a positive integer; >> is a logical right shift by ε_q − ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module 2-6, configured to calculate a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
to compute the encrypted message polynomial c_m:
[formula image not reproduced]
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
and to return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
Example 5
This embodiment differs from embodiment 4 in that the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s' are generated on the fly, specifically:
In step S202, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s'_j of the polynomial vector s' are first generated from the random variable r' and stored in a sixth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s'; the j-th element s'_j of the polynomial vector s' is then generated from the pseudo-random numbers in the sixth storage unit.
In this embodiment, the size of the sixth storage unit is set to 256 bytes. First, the absorb() function is called once with the random variable r' as input to initialize the internal state of the SHAKE algorithm; then the squeezeblock() function is called twice to generate 168 × 2 = 336 bytes of pseudo-random numbers, of which the first 256 bytes are stored in the sixth storage unit and the remaining 80 bytes are discarded; the element s'_j of the polynomial vector s' is then generated from the pseudo-random numbers in the sixth storage unit.
In step S204, when i = l−1 and j < l−1, the step of incrementing j by one is followed by: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of the polynomial vector s' from the random variable r', storing them in the sixth storage unit, and generating the j-th element s'_j of the polynomial vector s' from the pseudo-random numbers in the sixth storage unit; then jumping to step S203.
As can be seen from formula (6), s'_j is used 3 times. Similarly to embodiment 2, this embodiment reduces the space occupied by the intermediate results needed to generate the polynomial vector s' from the 840 bytes of embodiment 4 to 256 bytes, further reducing the memory needed by the Saber implementation. Likewise, the cost is one additional call of the squeezeblock() function.
Example 6
This embodiment improves on embodiment 5 in the same way that embodiment 3 improves on embodiment 2: the sixth storage unit is divided into two parts, specifically:
the size of the sixth storage unit is equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s';
the sixth storage unit is divided into a third subunit and a fourth subunit, and the size of the third subunit is the space occupied by the pseudo-random numbers produced by one call of the pseudo-random number generation function;
when the values of the elements of the polynomial vector s' are generated:
if the fourth subunit holds pseudo-random numbers, they are extracted and used as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the third subunit, and the pseudo-random numbers in the third subunit are extracted as part of the polynomial coefficients of the element currently being generated;
if some polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the third subunit, and pseudo-random numbers of the required length are extracted from the third subunit as the undetermined polynomial coefficients of the element currently being generated;
if some pseudo-random numbers in the third subunit have not been extracted, they are stored in the fourth subunit; if the length of the unextracted data exceeds the size of the fourth subunit, the excess is discarded.
Example 7
This embodiment discloses a decryption method corresponding to the encryption method of embodiments 4 to 6. As shown in fig. 5, it includes:
S301, calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
[formula image not reproduced]
S302, calculating the decrypted message polynomial m':
[formula image not reproduced]
As shown in fig. 6, the decryption system implementing the decryption method includes:
a first decryption parameter calculation module 3-1, configured to calculate a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
[formula image not reproduced]
a decrypted message polynomial calculation module 3-2, configured to calculate the decrypted message polynomial m':
[formula image not reproduced]
where h_2 is a preset second constant term.

Claims (10)

1. A low-memory key generation method based on the post-quantum cryptographic Saber algorithm, characterized by comprising:
S101, generating a random seed Seed_A and a random variable r; initializing the indices i = 0, j = 0 of the polynomial matrix A; initializing all elements of the temporary public key vector to 0;
S102, generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit, the size of the first storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generating the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
S103, generating, from the random seed Seed_A, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and storing them in a second storage unit, overwriting any data already held in the second storage unit; the size of the second storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the j-th element of the temporary public key vector:
[formula image not reproduced]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the remaining term is the value of the j-th element of the temporary public key vector before the update;
S104, if j < l−1, incrementing j by one and jumping to step S103 to update the values of the elements of the temporary public key vector, l being the dimension of the polynomial vector s;
if j = l−1 and i < l−1, setting j = 0, incrementing i by one and jumping to step S103 to update the values of the elements of the temporary public key vector;
if j = l−1 and i = l−1, calculating the public key vector b:
[formula image not reproduced]
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q being a positive-integer upper bound; mod is the modulo operation; >> is a logical right shift by ε_q − ε_p bits, ε_q and ε_p being preset positive integer constants satisfying ε_q > ε_p;
returning the public key and the private key, where the random seed Seed_A and the public key vector b form the public key (Seed_A, b) and the polynomial vector s is the private key.
2. The key generation method according to claim 1, characterized in that the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s are generated on the fly, specifically:
in step S102, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s are first generated from the random variable r and stored in a third storage unit, the size of the third storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s; the i-th element s_i of the polynomial vector s is calculated from the pseudo-random numbers in the third storage unit;
in step S104, when j = l−1 and i < l−1, the step of incrementing i by one is followed by: generating a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s from the random variable r, storing them in the third storage unit, and calculating the i-th element s_i of the polynomial vector s from the pseudo-random numbers in the third storage unit; then jumping to step S103.
3. The key generation method according to claim 2, characterized in that the SHAKE algorithm is used to generate the pseudo-random numbers;
the size of the third storage unit is equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, the size of the first subunit being the space occupied by the pseudo-random numbers produced by one call of the pseudo-random number generation function;
when the values of the elements of the polynomial vector s are calculated:
if the second subunit holds pseudo-random numbers, they are extracted and used as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, the generated pseudo-random numbers are stored in the first subunit, and the pseudo-random numbers in the first subunit are extracted as part of the polynomial coefficients of the element currently being generated;
if some polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit as the undetermined polynomial coefficients of the element currently being generated;
if some pseudo-random numbers in the first subunit have not been extracted, they are stored in the second subunit; if the length of the unextracted data exceeds the size of the second subunit, the excess is discarded.
4. An encryption method based on the key generation method according to any one of claims 1 to 3, characterized by comprising:
S201, initializing the indices i = 0, j = 0 of the polynomial matrix A; initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generating a random variable r';
S202, generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit, the size of the fourth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
S203, generating, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and storing them in a fifth storage unit, overwriting any data already held in the fifth storage unit; the size of the fifth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the i-th element of the temporary second ciphertext vector:
[formula image not reproduced]
where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the remaining term is the value of the i-th element of the temporary second ciphertext vector before the update;
S204, if i < l−1, incrementing i by one and jumping to step S203 to update the values of the elements of the temporary second ciphertext vector, l being the dimension of the private key polynomial vector s;
if i = l−1 and j < l−1, setting i = 0, incrementing j by one and jumping to step S203 to update the values of the elements of the temporary second ciphertext vector;
if i = l−1 and j = l−1, calculating the second ciphertext vector c_2:
[formula image not reproduced]
where h is a preset constant polynomial; mod is the modulo operation; q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and is a positive integer; >> is a logical right shift by ε_q − ε_p bits, ε_q and ε_p being preset positive integer constants satisfying ε_q > ε_p;
S205, calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
[formula image not reproduced]
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant satisfying ε_p > ε_T;
returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
5. The encryption method according to claim 4, wherein the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s′ are generated just in time, specifically:
in step S202, the plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s′j of the polynomial vector s′ are first generated from the random variable r′ and stored in a sixth storage unit, the size of the sixth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s′; the j-th element s′j of the polynomial vector s′ is then generated from the pseudo-random numbers in the sixth storage unit;
in step S204, when i=l-1 and j<l-1, after j is incremented by one the method further comprises: generating, from the random variable r′, the plurality of pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of the polynomial vector s′, storing them in the sixth storage unit, and generating the j-th element s′j of the polynomial vector s′ from the pseudo-random numbers in the sixth storage unit; then jumping to step S203.
6. The encryption method according to claim 5, wherein the pseudo-random numbers are generated with the SHAKE algorithm;
the size of the sixth storage unit is equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s′;
the sixth storage unit is divided into a third sub-unit and a fourth sub-unit, the size of the third sub-unit being the space occupied by the pseudo-random numbers produced by one call of the pseudo-random number generation function;
when generating the value of an element of the polynomial vector s′:
if the fourth sub-unit holds pseudo-random numbers, they are extracted as part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is then called, the generated pseudo-random numbers are stored in the third sub-unit, and the pseudo-random numbers in the third sub-unit are extracted as part of the polynomial coefficients of the element currently being generated;
if some polynomial coefficients of the element currently being generated are still undetermined, the pseudo-random number generation function is called again, the generated pseudo-random numbers are stored in the third sub-unit, and pseudo-random numbers of the required length are extracted from the third sub-unit as the undetermined polynomial coefficients of the element currently being generated;
if pseudo-random numbers remain unextracted in the third sub-unit, they are stored in the fourth sub-unit; if the length of the unextracted data exceeds the size of the fourth sub-unit, the excess is discarded.
7. A decryption method for the encryption method according to any one of claims 4 to 6, comprising:
S301. Compute the first decryption parameter v from the second ciphertext vector c2 in the ciphertext (cm, c2) and the private key s:
Figure FDA0003130626290000051
S302. Compute the decrypted message polynomial m′:
Figure FDA0003130626290000052
where h2 is a preset second constant term.
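The buffered extraction of claim 6 (one PRNG block in the third sub-unit, a capped carry-over in the fourth sub-unit, excess discarded), written out as an added example; this is not the patent's own code. It assumes SHAKE-128 with its 168-byte rate and Saber's 13-bit coefficient packing, and since Python's hashlib cannot squeeze SHAKE incrementally, block k is emulated by recomputing `digest((k+1)*RATE)` and slicing; a real implementation keeps the Keccak state and squeezes in place.

```python
"""
Claim-6 style bounded PRNG buffer (added example, not the patent's code).

Coefficient bytes are pulled from a SHAKE-128 stream one block at a time:
the "third sub-unit" holds exactly one squeezed block, the "fourth sub-unit"
holds what was left after the previous element and is capped, so peak memory
is one element plus one block rather than the whole expanded stream.

ASSUMPTION: hashlib has no incremental squeeze, so block k is emulated as
digest((k+1)*RATE)[k*RATE:]; a real implementation keeps the Keccak state.
"""
import hashlib

RATE = 168                          # SHAKE-128 rate: bytes produced per squeeze call
COEFF_BITS = 13                     # Saber packs q = 2^13 coefficients in 13 bits
N = 256                             # coefficients per polynomial element
ELEM_BYTES = N * COEFF_BITS // 8    # 416 bytes of PRNG output per element


class BlockSqueezer:
    """Yields consecutive RATE-byte blocks of SHAKE-128(seed) (emulated squeeze)."""

    def __init__(self, seed):
        self.seed, self.k = seed, 0

    def squeeze(self):
        out = hashlib.shake_128(self.seed).digest((self.k + 1) * RATE)[self.k * RATE:]
        self.k += 1
        return out


class BoundedReader:
    """Third sub-unit = one squeezed block; fourth sub-unit = carry-over of at most carry_cap bytes."""

    def __init__(self, seed, carry_cap):
        self.src = BlockSqueezer(seed)
        self.carry = b""
        self.carry_cap = carry_cap

    def next_element(self, nbytes=ELEM_BYTES):
        buf = self.carry                      # leftover from the previous element is used first
        while len(buf) < nbytes:              # squeeze one block at a time until the element is complete
            buf += self.src.squeeze()
        elem, rest = buf[:nbytes], buf[nbytes:]
        self.carry = rest[:self.carry_cap]    # keep at most carry_cap bytes; the excess is discarded
        return elem


def unpack(elem_bytes, nbits=COEFF_BITS):
    """Little-endian bit-packed coefficients -> list of ints below 2^nbits."""
    val = int.from_bytes(elem_bytes, "little")
    mask = (1 << nbits) - 1
    return [(val >> (k * nbits)) & mask for k in range(len(elem_bytes) * 8 // nbits)]


def elements(seed, count, carry_cap):
    """Generate `count` packed elements from one seed using the bounded buffer."""
    rd = BoundedReader(seed, carry_cap)
    return [rd.next_element() for _ in range(count)]


def naive_elements(seed, count):
    """Reference path: expand the whole stream at once and slice it (what the bounded path avoids)."""
    stream = hashlib.shake_128(seed).digest(count * ELEM_BYTES)
    return [stream[k * ELEM_BYTES:(k + 1) * ELEM_BYTES] for k in range(count)]
```

With a carry window of at least RATE-1 bytes nothing is ever discarded and the bounded path reproduces the one-shot expansion byte for byte; with a smaller window the output is still deterministic (both key generation and encryption must then use the same cap, or the expanded matrix will differ), but it no longer matches the plain stream, which is the behaviour the last step of claim 6 describes.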
8. A low-memory-occupancy key generation system based on the post-quantum cryptographic Saber algorithm, comprising:
a first initialization module, configured to generate a random seed SeedA and a random variable r, initialize the indices i=0, j=0 of the polynomial matrix A, and initialize all elements of the temporary public key vector
Figure FDA0003130626290000053
to 0;
a first polynomial vector s generation module, configured to generate a plurality of pseudo-random numbers from the random variable r and store them in a first storage unit, the size of the first storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s, and to generate the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module, configured to generate, from the random seed SeedA, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already in the second storage unit, the size of the second storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector update module, configured to update the temporary public key vector
Figure FDA0003130626290000054
at its j-th element
Figure FDA0003130626290000055
with the value:
Figure FDA0003130626290000056
where ai,j is the element in row i, column j of the polynomial matrix A generated from the second storage unit, si is the i-th element of the polynomial vector s, and
Figure FDA0003130626290000057
is the value of the j-th element of the temporary public key vector
Figure FDA0003130626290000058
before the update;
a public key calculation module, configured to compute the public key vector b:
Figure FDA0003130626290000061
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0,q), q being the upper bound and a positive integer; mod is the modulo operation; >> denotes a logical right shift by εq-εp bits, where εq and εp are preset positive integer constants satisfying εq>εp;
a key output module, configured to return the public key and the private key, wherein the random seed SeedA and the public key vector b form the public key (SeedA, b), and the polynomial vector s is the private key.
9. A low-memory-occupancy encryption system based on the post-quantum cryptographic Saber algorithm, comprising:
a second initialization module, configured to initialize the indices i=0, j=0 of the polynomial matrix A, initialize all elements of the first ciphertext polynomial c1, the second ciphertext vector c2 and the temporary second ciphertext vector
Figure FDA0003130626290000062
to 0, and generate a random variable r′;
a second polynomial vector s′ generation module, configured to generate a plurality of pseudo-random numbers from the random variable r′ and store them in a fourth storage unit, the size of the fourth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s′, and to generate the elements of the polynomial vector s′ from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generation module, configured to generate, from the random seed SeedA in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a fifth storage unit, overwriting any data already in the fifth storage unit, the size of the fifth storage unit being greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector
Figure FDA0003130626290000063
update module, configured to update the temporary second ciphertext vector
Figure FDA0003130626290000064
at its i-th element
Figure FDA0003130626290000065
with the value:
Figure FDA0003130626290000066
where ai,j is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s′j is the j-th element of the polynomial vector s′, and
Figure FDA0003130626290000067
is the value of the i-th element of the temporary second ciphertext vector
Figure FDA0003130626290000068
before the update;
a second ciphertext vector c2 calculation module, configured to compute the second ciphertext vector c2:
Figure FDA0003130626290000071
where h is a preset constant polynomial; mod is the modulo operation; q is the upper bound of the polynomial coefficients in the elements of the polynomial matrix A and is a positive integer; >> denotes a logical right shift by εq-εp bits, where εq and εp are preset positive integer constants satisfying εq>εp;
a ciphertext calculation module, configured to compute the first encryption parameter v′ from the vector b in the public key: v′=b^T(s′ mod p), where p is the second modulus and the superscript T denotes the transpose of a vector or matrix; to compute the encrypted message polynomial cm:
Figure FDA0003130626290000072
where h1 is a preset first constant term, m is the message polynomial to be encrypted, and εT is a preset positive integer constant satisfying εp>εT; and to return the ciphertext (cm, c2) formed by the encrypted message polynomial cm and the second ciphertext vector c2.
10. A low-memory-occupancy decryption system based on the post-quantum cryptographic Saber algorithm, comprising:
a first decryption parameter calculation module, configured to compute the first decryption parameter v from the second ciphertext vector c2 in the ciphertext (cm, c2) and the private key s:
Figure FDA0003130626290000073
a decrypted message polynomial calculation module, configured to compute the decrypted message polynomial m′:
Figure FDA0003130626290000074
where h2 is a preset second constant term.
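A runnable walk-through of the key generation, encryption and decryption of claims 8 to 10, added here as an example; it is not the patent's code. The rounding, h, h1 and h2 constants and the v′/v/cm/m′ formulas follow the Saber.PKE description in the Round-3 specification listed under the non-patent citations (the claim equations themselves are images and not reproduced on this page). Constructed and assumed values: N=64 instead of Saber's 256 to keep the schoolbook products quick, LightSaber's l=2, εq=13, εp=10, εT=3, μ=10, fixed byte-string seeds in place of a CSPRNG, and each matrix element a_{i,j} (and each secret polynomial) derived by its own domain-separated SHAKE-128 call instead of by slicing one long stream. The memory-saving structure of the claims is what the code exercises: only one a_{i,j} exists at a time and is folded into the temporary vector before the next one is expanded.

```python
"""
Memory-lean Saber-style PKE (added example, not the patent's code).

Organised as in claims 8-10: the matrix A is never held whole. Each a_{i,j}
is expanded from seed_A into a single buffer (the second/fifth storage unit),
multiplied into the running temporary vector, and discarded.

Constructed/assumed values: N=64 (Saber uses 256), LightSaber l, eps and mu,
fixed seeds instead of a CSPRNG, and per-element domain-separated SHAKE-128
calls instead of slicing one long SHAKE stream (hashlib cannot squeeze
incrementally).
"""
import hashlib

N = 64                     # polynomial degree, toy value (Saber: 256)
L = 2                      # module rank (LightSaber: 2)
EQ, EP, ET = 13, 10, 3     # log2 of q, p, T (LightSaber values)
Q, P = 1 << EQ, 1 << EP
MU = 10                    # centered-binomial parameter (LightSaber: 10)

# Constant terms as in the Saber spec; the vector h has every entry equal to H1.
H1 = 1 << (EQ - EP - 1)
H2 = (1 << (EP - 2)) - (1 << (EP - ET - 1)) + (1 << (EQ - EP - 1))


def poly_mul(a, b, mod):
    """Schoolbook product in Z_mod[x]/(x^N + 1); x^N wraps around as -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                k = i + j
                if k < N:
                    res[k] += ai * bj
                else:
                    res[k - N] -= ai * bj
    return [c % mod for c in res]


def poly_add(a, b, mod):
    return [(x + y) % mod for x, y in zip(a, b)]


def gen_a_element(seed_a, i, j):
    """Expand only a_{i,j}: 16-bit lanes masked to EQ bits (uniform since q is a power of two).
    ASSUMPTION: domain separation by (i, j) instead of one long SHAKE stream."""
    raw = hashlib.shake_128(seed_a + bytes([i, j])).digest(2 * N)
    return [int.from_bytes(raw[2 * k:2 * k + 2], "little") & (Q - 1) for k in range(N)]


def sample_secret_element(seed_r, idx):
    """One secret polynomial with centered-binomial coefficients in [-MU/2, MU/2]."""
    raw = hashlib.shake_128(seed_r + bytes([idx])).digest((N * MU + 7) // 8)
    bits = int.from_bytes(raw, "little")
    half = (1 << (MU // 2)) - 1
    out = []
    for k in range(N):
        chunk = (bits >> (k * MU)) & ((1 << MU) - 1)
        out.append(bin(chunk & half).count("1") - bin(chunk >> (MU // 2)).count("1"))
    return out


def rounded_matvec(seed_a, sec, transpose):
    """((A^T s + h) mod q) >> (EQ-EP) when transpose (key generation, claim 8),
    ((A s' + h) mod q) >> (EQ-EP) otherwise (encryption, claim 9).
    acc is the temporary vector of the claims; one a_{i,j} is alive at a time."""
    acc = [[0] * N for _ in range(L)]
    for i in range(L):
        for j in range(L):
            a_ij = gen_a_element(seed_a, i, j)                            # overwrite single-element buffer
            if transpose:
                acc[j] = poly_add(acc[j], poly_mul(a_ij, sec[i], Q), Q)   # b_j += a_ij * s_i
            else:
                acc[i] = poly_add(acc[i], poly_mul(a_ij, sec[j], Q), Q)   # c2_i += a_ij * s'_j
    return [[((c + H1) % Q) >> (EQ - EP) for c in row] for row in acc]


def keygen(seed_a, seed_r):
    """Returns (pk, sk) = ((seed_A, b), s). Seeds must come from a CSPRNG in real use."""
    s = [sample_secret_element(seed_r, i) for i in range(L)]
    return (seed_a, rounded_matvec(seed_a, s, transpose=True)), s


def encrypt(pk, msg_bits, seed_r_prime):
    seed_a, b = pk
    s_p = [sample_secret_element(seed_r_prime, j) for j in range(L)]
    c2 = rounded_matvec(seed_a, s_p, transpose=False)
    v_p = [0] * N                                              # v' = b^T (s' mod p)
    for j in range(L):
        v_p = poly_add(v_p, poly_mul(b[j], [c % P for c in s_p[j]], P), P)
    c_m = [((v_p[k] + H1 - (msg_bits[k] << (EP - 1))) % P) >> (EP - ET) for k in range(N)]
    return c_m, c2


def decrypt(sk, ct):
    c_m, c2 = ct
    v = [0] * N                                                # v = c2^T (s mod p)
    for i in range(L):
        v = poly_add(v, poly_mul(c2[i], [c % P for c in sk[i]], P), P)
    return [((v[k] - (c_m[k] << (EP - ET)) + H2) % P) >> (EP - 1) for k in range(N)]


def roundtrip(seed_a=b"A" * 32, seed_r=b"r" * 32, seed_r_p=b"R" * 32):
    """Encrypt a fixed N-bit test pattern (constructed) and return (sent, decrypted)."""
    msg = [(k * 5 // 3) % 2 for k in range(N)]
    pk, sk = keygen(seed_a, seed_r)
    return msg, decrypt(sk, encrypt(pk, msg, seed_r_p))


if __name__ == "__main__":
    sent, got = roundtrip()
    print("decryption correct:", sent == got)
```

Decryption succeeds whenever the combined rounding noise stays below 2^(εp-2) - 2^(εp-εT-1) per coefficient (192 here), which these parameters satisfy with overwhelming margin; the same derivation explains why h2 carries the 2^(εp-2) centring term. Note that the loop order in rounded_matvec is what lets claim 5 generate s′j just in time: in the encryption direction only s′j is needed while column j is being consumed.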
CN202110704531.9A 2021-06-24 2021-06-24 Low-memory-occupancy key generation method, encryption and decryption method and system based on post-quantum cryptographic Saber algorithm Active CN113472525B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110704531.9A CN113472525B (en) 2021-06-24 2021-06-24 Low-memory-occupancy key generation method, encryption and decryption method and system based on post-quantum cryptographic Saber algorithm

Publications (2)

Publication Number Publication Date
CN113472525A true CN113472525A (en) 2021-10-01
CN113472525B CN113472525B (en) 2022-07-26

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114154640A (en) * 2021-11-25 2022-03-08 华中科技大学 A processor for implementing the Saber algorithm for post-quantum cryptography
CN114371828A (en) * 2022-01-05 2022-04-19 华中科技大学 Polynomial multiplier and processor having the same
CN114866231A (en) * 2022-04-06 2022-08-05 中山大学 Cryptosystem based on Classic McElience cryptosystem
CN115348017A (en) * 2022-10-18 2022-11-15 阿里巴巴(中国)有限公司 Ciphertext processing method and device
CN115412241A (en) * 2022-07-25 2022-11-29 华中科技大学 Fusion password security processor for realizing post-quantum password algorithm Kyber and Saber

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266481A (en) * 2019-06-14 2019-09-20 深圳职业技术学院 Matrix-based post-quantum encryption and decryption method and decryption device
WO2020188269A1 (en) * 2019-03-18 2020-09-24 Pqshield Ltd Cryptography using a cryptographic state
WO2021032946A1 (en) * 2019-08-16 2021-02-25 Pqshield Ltd Co-processor for cryptographic operations
CN112511170A (en) * 2020-11-10 2021-03-16 南京航空航天大学 Parallel implementation method for polynomial compression in lattice code

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Andrea Basso et al.: "SABER: Mod-LWR based KEM (Round 3 Submission)", HTTP://WWW.ESAT.KULEUVEN.BE/COSIC/PQCRYPTO/SABER/FILES/SABERSPECROUND3.PDF *
Angshuman Karmakar et al.: "Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM", IACR CHES 2018 *
Jose Maria Bermudo Mera et al.: "Time-memory trade-off in Toom-Cook multiplication: an application to module-lattice based cryptography", IACR Transactions on Cryptographic Hardware and Embedded Systems *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant