CN113472525B - Low-memory-occupation secret key generation method based on post-quantum cryptography Saber algorithm, encryption and decryption method and system thereof - Google Patents
- Publication number: CN113472525B (application CN202110704531.9A)
- Authority: CN (China)
- Prior art keywords: polynomial, vector, pseudo-random number, storage unit
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The invention discloses a low-memory-occupation implementation technology based on the post-quantum cryptography Saber algorithm, comprising a secret key generation method and system, an encryption method and system, and a decryption method and system. The polynomial matrix-vector multiplication is computed with real-time (on-the-fly) generation of the matrix, so the memory occupied by the polynomial matrix is reduced to the size occupied by a single element; this markedly reduces the memory occupation of the Saber scheme and eases its deployment on Internet of Things devices.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a low-memory-occupation secret key generation method, an encryption method and a decryption method based on the post-quantum cryptography Saber algorithm.
Background
With the rapid development of quantum computers, traditional public key cryptography is under an unprecedented threat. Therefore, the development of post-quantum cryptography, a type of cryptography capable of resisting quantum computer attacks, receives more and more emphasis at home and abroad, and the operational efficiency of post-quantum cryptography is generally superior to that of traditional public key cryptography. Among post-quantum cryptography, lattice-based cryptography is the class most promising as the standard for public key cryptography in the post-quantum era, and lattice-based cryptographic algorithms receive much attention because of their flexibility and efficiency. The post-quantum Saber scheme is a key encapsulation mechanism constructed on lattices, and has the advantages of simplicity and high efficiency compared with other schemes.
The key generation, encryption and decryption processes of the Saber algorithm are described in the document Mod-LWR based KEM (Round 3 submission), see sections 2.4.1-2.4.3. The key generation part produces a public key and a private key, the encryption part uses the public key to encrypt the message polynomial and obtain a ciphertext, and the decryption part decrypts the ciphertext with the private key. In this scheme, the most computationally intensive module is the matrix-vector multiplication, which at the bottom layer relies on polynomial multiplication. Because of the large amount of computation, the occupied memory space is large. Matrix-vector multiplication occurs twice in the Saber scheme: computing A^T s in the key generation algorithm and A s' in the encryption algorithm. Here A denotes a polynomial matrix of dimension l × l, each element of which is a polynomial with n terms; A^T denotes the transpose of A; and s denotes a polynomial column vector of dimension l, each element of which is a polynomial. Assuming that each polynomial coefficient of the elements of A is stored in a data type of k Bytes, the matrix A occupies l × l × n × k Bytes of memory. In the scheme described in the above document, with l = 3, n = 256 and k = 2, the matrix A occupies 4.5 KB of memory. There are hundreds of millions of resource-constrained embedded devices in Internet of Things (IoT) scenarios, and such devices are characterized by weak computing power and limited memory. Some devices have only 8 KB to 64 KB of memory, which must hold not only an operating system and business logic but also the complex cryptographic components that secure data transmission. The large memory footprint of Saber severely hinders its deployment in IoT scenarios.
Disclosure of Invention
Purpose of the invention: in view of the problems in the prior art, the invention provides a low-memory-occupation implementation technology based on the post-quantum cryptography Saber algorithm, comprising a key generation method and system, an encryption method and system, and a decryption method and system, which reduce the memory occupation of the Saber scheme.
The technical scheme is as follows: the invention provides a low-memory-occupation secret key generation method based on a post-quantum cryptography Saber algorithm, which comprises the following steps:
S101, generating a random seed Seed_A and a random variable r; initializing the indices i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
S102, generating a plurality of pseudo-random numbers from the random variable r and storing them in a first storage unit; the size of the first storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generating the elements of the polynomial vector s from the pseudo-random numbers in the first storage unit;
S103, generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the j-th element of the temporary public key vector: where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the j-th element of the temporary public key vector takes the value it had before the update;
S104, if j < l-1, increase j by one and jump to step S103 to update the elements of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l-1 and i < l-1, set j = 0, increase i by one, go to step S103 and update the elements of the temporary public key vector;
if j = l-1 and i = l-1, calculate the public key vector b:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q is the upper bound of the values and a positive integer, and mod is the modular operation; the right shift is by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
Returning the public and private keys: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The invention provides an encryption method based on the key generation method, which comprises the following steps:
S201, initializing the index i of the polynomial matrix A to 0, and initializing all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generating a random variable r';
S202, generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generating the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
S203, generating from the random seed Seed_A in the public key the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
updating the value of the i-th element of the temporary second ciphertext vector: where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the i-th element of the temporary second ciphertext vector takes the value it had before the update;
S204, if i < l-1, increase i by one, jump to step S203 and update the elements of the temporary second ciphertext vector; l is the dimension of the private key polynomial vector s;
if i = l-1 and j < l-1, set i = 0, increase j by one, go to step S203 and update the elements of the temporary second ciphertext vector;
if i = l-1 and j = l-1, compute the second ciphertext vector c_2:
where h is a preset constant polynomial; mod is the modular operation, q is the upper bound of the polynomial coefficients of the elements of the polynomial matrix A and a positive integer; the right shift is by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
S205, calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p); where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
where h_1 is a preset constant, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant whose value satisfies ε_p > ε_T.
Returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption method based on the encryption method, which comprises the following steps:
S301, calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
S302, calculating the decrypted message polynomial m':
where h_2 is a preset second constant term.
The invention provides a key generation system for realizing the key generation method, which comprises the following steps:
a first initialization module for generating a random seed Seed_A and a random variable r, initializing the indices i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
the first polynomial vector s generating module is used for generating a plurality of pseudo random numbers according to the random variable r and storing the pseudo random numbers into the first storage unit; the space size of the first storage unit is larger than or equal to the space size occupied by pseudo-random numbers corresponding to polynomial coefficients of all elements in a polynomial vector s; generating elements in a polynomial vector s from the pseudo-random number in the first storage unit;
a first polynomial matrix A generating module for generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector updating module for updating the value of the j-th element of the temporary public key vector: where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the j-th element of the temporary public key vector takes the value it had before the update;
a public key calculation module, configured to calculate a public key vector b:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q is the upper bound of the values and a positive integer, and mod is the modular operation; the shift operator is the logical right shift, by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The invention provides an encryption system for realizing the encryption method, which comprises the following steps:
a second initialization module, configured to initialize the indices i = 0 and j = 0 of the polynomial matrix A, initialize all element values of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generate a random variable r';
the second polynomial vector s 'generating module is used for generating a plurality of pseudo-random numbers according to the random variable r' and storing the pseudo-random numbers into the fourth storage unit; the space size of the fourth storage unit is larger than or equal to the space size occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements in the polynomial vector s'; generating elements in a polynomial vector s' from the pseudo random number in the fourth storage unit;
a second polynomial matrix A generating module for generating from the random seed Seed_A in the public key the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector updating module for updating the value of the i-th element of the temporary second ciphertext vector: where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the j-th element of the polynomial vector s', and the i-th element of the temporary second ciphertext vector takes the value it had before the update;
a second ciphertext vector c_2 calculation module for calculating the second ciphertext vector c_2:
where h is a preset constant polynomial; mod is the modular operation, q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and a positive integer; the shift operator is the logical right shift, by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module for calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p); where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing the encrypted message polynomial c_m:
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant whose value satisfies ε_p > ε_T.
Returning the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
The invention provides a decryption system for realizing the decryption method, which comprises the following steps:
a first decryption parameter calculation module for calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
a decrypted message polynomial calculation module for calculating a decrypted message polynomial m':
where h_2 is a preset second constant term.
Beneficial effects: compared with the prior art, the low-memory-occupation implementation technology based on the post-quantum cryptography Saber algorithm provided by the invention generates the polynomial matrix in real time, reducing the memory occupied by the polynomial matrix during key generation and encryption to the size of a single polynomial; this reduces the memory occupation of the Saber scheme and lowers the difficulty and cost of deploying it on Internet of Things devices.
Drawings
Fig. 1 is a flowchart of the key generation method in embodiment 1;
Fig. 2 is a schematic diagram showing the composition of the key generation system in embodiment 1;
Fig. 3 is a flowchart of the encryption method in embodiment 4;
Fig. 4 is a schematic diagram showing the composition of the encryption system in embodiment 4;
Fig. 5 is a flowchart of the decryption method in embodiment 7;
Fig. 6 is a schematic diagram showing the composition of the decryption system in embodiment 7.
Detailed Description
The invention is further elucidated with reference to the drawings and the detailed description. In the following embodiments, the polynomial matrix A has dimension 3 × 3, the number of terms is 256, and the polynomial coefficients of each element of the polynomial matrix take values in [0, 8191]; since 8191 < 2^13, the number of effective bits in each polynomial coefficient of A is 13. The polynomial coefficients of each element of the polynomial vector s take values in [-4, 4]; since 4 < 2^3, the number of effective bits in each polynomial coefficient of s is 3. The SHAKE algorithm is used in the following embodiments to generate pseudo-random numbers, from which the polynomial coefficients of A and s are generated. Execution of the SHAKE algorithm comprises two steps: first the absorb() function is invoked to initialize the internal state of the SHAKE algorithm, then the squeezeblock() function is invoked to output pseudo-random data, producing 168 bytes of pseudo-random numbers per call.
Example 1
The embodiment discloses a low memory occupation key generation method based on a post-quantum cryptography Saber algorithm, as shown in fig. 1, including:
S101, generating a random seed Seed_A and a random variable r; initializing the indices i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
In this embodiment the random seed Seed_A and r are both 256 bits long, i.e. 32 bytes, each bit being chosen uniformly at random from 0 and 1;
step S101 initializes only the index of a without allocating the space occupied by a.
S102, generating a plurality of pseudo random numbers according to a random variable r, and storing the pseudo random numbers in a first storage unit; the space size of the first storage unit is larger than or equal to the space size occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements in the polynomial vector s; generating elements in a polynomial vector s from the pseudo-random number in the first storage unit;
In this embodiment the polynomial vector s has 3 elements, each element is a 256-term polynomial, and each polynomial coefficient occupies 1 byte (the number of effective bits is 3), so one element of s occupies 256 Bytes and the size of the first storage unit should be greater than or equal to 3 × 256 = 768 Bytes; in this embodiment it is set to 768 Bytes. First the absorb() function is called with the random variable r as input to initialize the internal state of the SHAKE algorithm, then the squeezeblock() function is called 5 times to generate 168 × 5 = 840 Bytes of pseudo-random numbers; the first 768 Bytes are stored in the first storage unit and the remaining 72 Bytes are discarded. The elements of the polynomial vector s are then generated from the pseudo-random numbers in the first storage unit.
S103, generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
In this embodiment A has 9 elements, each element is a 256-term polynomial, and each polynomial coefficient occupies 2 Bytes (the number of effective bits is 13), so one element of A occupies 256 × 2 = 512 Bytes and the size of the second storage unit should be greater than or equal to 512 Bytes; in this embodiment it is set to 512 Bytes. First the absorb() function is called with Seed_A, i and j as input to initialize the internal state of the SHAKE algorithm, then the squeezeblock() function is called 4 times to generate 168 × 4 = 672 Bytes of pseudo-random numbers; the first 512 Bytes are stored in the second storage unit and the remaining 160 Bytes are discarded. The element a_{i,j} in row i, column j of the polynomial matrix A is then generated from the pseudo-random numbers in the second storage unit.
where s_i is the i-th element of the polynomial vector s, and the j-th element of the temporary public key vector takes the value it had before the update;
S104, if j < l-1, increase j by one, jump to S103 to generate the element in the next column of row i of A, and update the elements of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l-1 and i < l-1, set j = 0, increase i by one, go to step S103 to generate the elements of the next row of A, and update the elements of the temporary public key vector;
if j = l-1 and i = l-1, the computation over the elements of A is complete, and the public key vector b is calculated:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q is the upper bound of the values and a positive integer, and mod is the modular operation; the right shift is by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p; in this embodiment ε_q = 13 and ε_p = 10, so the shift is 3 bits to the right.
Returning the public and private keys: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
The matrix-vector multiplication that must be computed during key generation in the Saber scheme is the product of the transpose of the polynomial matrix A and the polynomial vector s, i.e. A^T s;
In steps S103 and S104 the generation order of A is controlled through the changes of its indices i and j, row by row: all elements of one row are generated and consumed before the elements of the next row are generated. In this embodiment the final result never needs to be written back into A, so no storage space needs to be allocated for A; the elements of the polynomial matrix A are generated in real time and the storage occupied by A is reduced. Compared with the 4.5 KB required in the prior art, only 512 B, i.e. 0.5 KB, is needed in this embodiment, so the memory required during the calculation of the Saber scheme is markedly reduced.
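As an added example (not code from the patent or from the Saber reference implementation), the following C program implements the key generation steps S101-S104 and the encryption steps S203-S204 described above as a streaming matrix-vector product that keeps only one 512-byte element of A alive, and checks it against a full-matrix product. The SHAKE-based generation is replaced by a small deterministic generator re-seeded from (Seed_A, i, j), and the rounding constant h = 2^(ε_q - ε_p - 1) follows Saber's convention; both are assumptions of this example, as are the constructed seed and secret vector.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define L  3                 /* matrix dimension l */
#define N  256               /* polynomial terms n */
#define EQ 13                /* eps_q: coefficients of A lie in [0, q), q = 2^13 */
#define EP 10                /* eps_p */
#define Q  (1u << EQ)
typedef struct { uint16_t c[N]; } poly;   /* one element of A: 256 x 2 bytes = 512 bytes */

/* Toy deterministic generator standing in for SHAKE-128 (assumption: not the real XOF). It is
 * re-seeded from (Seed_A, i, j), so any a_{i,j} can be regenerated later from the public seed. */
static uint64_t prng_state;
static void prng_absorb(const uint8_t seed[32], int i, int j) {
    uint64_t s = 0x9E3779B97F4A7C15ULL ^ ((uint64_t)i << 8) ^ (uint64_t)j;
    for (int k = 0; k < 32; k++) s = (s ^ seed[k]) * 0x100000001B3ULL;
    prng_state = s;
}
static uint16_t prng_next13(void) {              /* splitmix64 step, keep 13 bits */
    uint64_t z = (prng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return (uint16_t)((z ^ (z >> 31)) & (Q - 1));
}
/* Step S103: write a_{i,j} into the single-element buffer ("second storage unit"),
 * overwriting whatever element was there before. */
static void gen_A_elem(const uint8_t seed[32], int i, int j, poly *out) {
    prng_absorb(seed, i, j);
    for (int k = 0; k < N; k++) out->c[k] = prng_next13();
}
/* acc += a * s in Z_q[x]/(x^N + 1); s has small coefficients in [-4, 4]. Arithmetic wraps
 * mod 2^16, which is consistent with reduction mod q because q divides 2^16. */
static void poly_mul_acc(poly *acc, const poly *a, const int8_t s[N]) {
    for (int x = 0; x < N; x++)
        for (int y = 0; y < N; y++) {
            uint16_t p = (uint16_t)((int32_t)a->c[x] * s[y]);
            if (x + y < N) acc->c[x + y] += p;
            else           acc->c[x + y - N] -= p;       /* x^N = -1 */
        }
}
/* Prior-art baseline: materialise all l*l elements of A (4608 bytes), then multiply. */
static void matvec_full(const uint8_t seed[32], int8_t s[L][N], poly b[L], int transpose) {
    static poly A[L][L];                               /* the 4.5 KB the text wants to avoid */
    for (int i = 0; i < L; i++)
        for (int j = 0; j < L; j++) gen_A_elem(seed, i, j, &A[i][j]);
    memset(b, 0, sizeof(poly) * L);
    for (int i = 0; i < L; i++)
        for (int j = 0; j < L; j++) {
            if (transpose) poly_mul_acc(&b[j], &A[i][j], s[i]);   /* (A^T s)_j += a_ij s_i  */
            else           poly_mul_acc(&b[i], &A[i][j], s[j]);   /* (A s')_i  += a_ij s'_j */
        }
}
/* Steps S103/S104 (key generation, A^T s, row by row) and S203/S204 (encryption, A s',
 * column by column): only one 512-byte element of A exists at any time. */
static void matvec_streaming(const uint8_t seed[32], int8_t s[L][N], poly b[L], int transpose) {
    poly elem;                                         /* all the storage A ever gets */
    memset(b, 0, sizeof(poly) * L);
    for (int outer = 0; outer < L; outer++)
        for (int inner = 0; inner < L; inner++) {
            int i = transpose ? outer : inner;         /* A^T s: finish row i, then row i+1 */
            int j = transpose ? inner : outer;         /* A s': finish column j, then j+1 */
            gen_A_elem(seed, i, j, &elem);
            poly_mul_acc(transpose ? &b[j] : &b[i], &elem, transpose ? s[i] : s[j]);
        }
}
/* Last step of S104/S204: ((b + h) mod q) >> (eps_q - eps_p), with h = 2^(eps_q - eps_p - 1)
 * in every coefficient (Saber's rounding constant; treated as an assumption here). */
static void round_to_p(poly b[L]) {
    for (int j = 0; j < L; j++)
        for (int k = 0; k < N; k++)
            b[j].c[k] = (uint16_t)(((b[j].c[k] + (1u << (EQ - EP - 1))) & (Q - 1)) >> (EQ - EP));
}
/* Constructed Seed_A and s; returns 1 when the streaming product equals the full-matrix one
 * and every rounded coefficient fits in eps_p bits. */
static int streaming_matches_full(int transpose) {
    uint8_t seed[32];
    static int8_t s[L][N];
    static poly b_full[L], b_stream[L];
    for (int k = 0; k < 32; k++) seed[k] = (uint8_t)(k * 7 + 1);
    for (int i = 0; i < L; i++)
        for (int k = 0; k < N; k++) s[i][k] = (int8_t)(((i * 31 + k * 17) % 9) - 4);
    matvec_full(seed, s, b_full, transpose);
    matvec_streaming(seed, s, b_stream, transpose);
    if (memcmp(b_full, b_stream, sizeof b_full) != 0) return 0;
    round_to_p(b_stream);
    for (int j = 0; j < L; j++)
        for (int k = 0; k < N; k++) if (b_stream[j].c[k] >= (1u << EP)) return 0;
    return 1;
}

int main(void) {
    printf("one element of A: %zu bytes, full A: %zu bytes\n", sizeof(poly), sizeof(poly) * L * L);
    printf("A^T s streaming == full: %d\nA s' streaming == full: %d\n",
           streaming_matches_full(1), streaming_matches_full(0));
    return 0;
}
```

Because addition mod 2^16 is associative, the row-major and column-major traversals give bit-identical results, which is why the transpose flag only changes which element is generated next and which accumulator it feeds.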
The embodiment also discloses a key generation system for implementing the method, as shown in fig. 2, including:
a first initialization module 1-1 for generating a random seed Seed_A and a random variable r, initializing the indices i = 0 and j = 0 of the polynomial matrix A, and initializing all elements of the temporary public key vector to 0;
a first polynomial vector s generating module 1-2, configured to generate a plurality of pseudo-random numbers from a random variable r, and store the pseudo-random numbers in a first storage unit; the space size of the first storage unit is larger than or equal to the space size occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements in the polynomial vector s; generating elements in a polynomial vector s from the pseudo-random number in the first storage unit;
a first polynomial matrix A generating module 1-3 for generating from the random seed Seed_A the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and storing them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary public key vector updating module 1-4 for updating the value of the j-th element of the temporary public key vector: where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit, s_i is the i-th element of the polynomial vector s, and the j-th element of the temporary public key vector takes the value it had before the update;
a public key calculation module 1-5, configured to calculate a public key vector b:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), q is the upper bound of the values and a positive integer, and mod is the modular operation; the right shift is by ε_q - ε_p bits, where ε_q and ε_p are preset positive integer constants satisfying ε_q > ε_p;
a key output module 1-6 for returning the public key and the private key: the random seed Seed_A and the public key vector b form the public key (Seed_A, b); the polynomial vector s is the private key.
Example 2
The difference between this embodiment and embodiment 1 is that pseudo random numbers corresponding to polynomial coefficients of elements in the polynomial vector s are generated in real time, specifically:
In step S102, a plurality of pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s are generated from the random variable r and stored in a third storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s; the i-th element s_i of the polynomial vector s is generated from the pseudo-random numbers in the third storage unit;
In this embodiment the size of the third storage unit is set to 256 Bytes. First the absorb() function is called once with the random variable r as input to initialize the internal state of the SHAKE algorithm, then the squeezeblock() function is called 2 times to generate 168 × 2 = 336 Bytes of pseudo-random numbers; the first 256 Bytes are stored in the third storage unit and the remaining 80 Bytes are discarded. The element s_i of the polynomial vector s is then generated from the pseudo-random numbers in the third storage unit.
In step S104, when j = l-1 and i < l-1, the step of increasing i by one further includes: generating from the random variable r the pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s, storing them in the third storage unit, and generating the i-th element s_i of the polynomial vector s from the pseudo-random numbers in the third storage unit; then jumping to step S103.
From calculation formula (3), s_i is used 3 times; therefore this embodiment generates s_i, completes all the calculations in which it participates, and only then generates the next element, so that the space occupied by the intermediate results required to generate the polynomial vector s is reduced from 840 Bytes in embodiment 1 to 256 Bytes, further reducing the memory required to implement the Saber scheme. The cost is that generating s in embodiment 1 requires a total of 5 calls of the squeezeblock() function, whereas this embodiment requires a total of 6 calls.
Example 3
This embodiment improves on Embodiment 2. The difference is that the third storage unit is divided into two parts, one of which stores the pseudo-random bytes left unused by the current element so that they are consumed when the next element is generated; this reduces the amount of discarded data and the number of squeezeblock() calls. The specific steps are:
the size of the third storage unit equals the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, the first subunit being the size of the output of one call to the pseudo-random number generation function;
when generating the value of an element of the polynomial vector s:
if the second subunit holds pseudo-random numbers, they are extracted first and used for part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is then called, its output is stored in the first subunit, and pseudo-random numbers are extracted from the first subunit for a further part of the polynomial coefficients of the current element;
if polynomial coefficients of the current element are still undetermined, the pseudo-random number generation function is called again, its output is stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit for the remaining coefficients of the current element;
any pseudo-random numbers in the first subunit that were not extracted are stored in the second subunit; if the unextracted data is larger than the second subunit, the excess is discarded.
In this embodiment the third storage unit is 256 bytes: the first subunit is 168 bytes and the second subunit is 88 bytes. When s_0 is generated, both subunits are empty. squeezeblock() is called once to produce 168 bytes, which are stored in the first subunit and determine part of the polynomial coefficients of s_0; squeezeblock() is then called a second time, its 168 bytes overwrite the first subunit, and 88 of them are extracted to determine the remaining polynomial coefficients of s_0; the remaining 80 bytes are stored in the second subunit.
When every calculation involving s_0 has been completed, i.e. when j = l−1 and i < l−1 in step S104, i is incremented and s_1 is generated. First, the 80 bytes in the second subunit are extracted to determine part of the polynomial coefficients of s_1; squeezeblock() is then called a third time, its 168 bytes overwrite the first subunit and determine a further part of the coefficients of s_1; squeezeblock() is then called a fourth time, its 168 bytes overwrite the first subunit, and only 8 of them are needed to determine the remaining coefficients of s_1. Of the 160 unused bytes, 88 are stored in the second subunit for the next element and the other 72 are discarded.
When every calculation involving s_1 has been completed, i.e. when j = l−1 and i < l−1 in step S104, i is incremented and s_2 is generated. First, the 88 bytes in the second subunit are extracted to determine part of the polynomial coefficients of s_2; squeezeblock() is then called a fifth time, its 168 bytes overwrite the first subunit and determine the remaining polynomial coefficients of s_2. s_2 then participates in the calculation.
In this embodiment squeezeblock() is called 5 times in total, 72 bytes are discarded, and the intermediate process occupies 256 bytes.
Example 4
This embodiment discloses an encryption method based on the key generation method of the foregoing embodiments. As shown in fig. 3, the encryption method includes:
S201: initialize the indices i = 0 and j = 0 of the polynomial matrix A; set all elements of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generate a random variable r';
Step S201 initializes only the indices of A; no space is allocated for A itself.
S202: generate pseudo-random numbers from the random variable r' and store them in a fourth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generate the elements of s' from the pseudo-random numbers in the fourth storage unit;
As with s in Embodiment 1, the polynomial vector s' occupies 3 × 256 bytes in total, so the fourth storage unit is 768 bytes. First, absorb() is called once with r' as input to initialize the internal state of the SHAKE algorithm; squeezeblock() is then called 5 times to produce 168 × 5 = 840 bytes of pseudo-random output, of which the first 768 bytes are stored in the fourth storage unit and the remaining 72 bytes are discarded; the elements of s' are then generated from the pseudo-random numbers in the fourth storage unit.
S203: from the random seed Seed_A in the public key, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of A;
As in Embodiment 1, the fifth storage unit is 512 bytes. absorb() is called once and squeezeblock() 4 times to produce 168 × 4 = 672 bytes of pseudo-random output, of which 512 bytes are stored in the fifth storage unit and the remaining 160 bytes are discarded; the element a_{i,j} in row i, column j of A is then generated from the pseudo-random numbers in the fifth storage unit.
The i-th element of the temporary second ciphertext vector is then updated from a_{i,j}, s'_j and its value before the update (formula (6)), where s'_j is the j-th element of the polynomial vector s';
S204: if i < l−1, increment i, jump to step S203, generate the element in the next row of column j of A, and update the elements of the temporary second ciphertext vector; l is the dimension of the private-key polynomial vector s;
if i = l−1 and j < l−1, set i = 0, increment j, jump to step S203, generate the elements of the next column of A, and update the elements of the temporary second ciphertext vector;
if i = l−1 and j = l−1, every element of A has been processed and the second ciphertext vector c_2 is calculated:
where h is a preset constant polynomial; mod is the modular operation, and q, a positive integer, is the upper bound of the polynomial coefficients of the elements of the polynomial matrix A; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive-integer constants satisfying ε_q > ε_p;
The matrix-vector multiplication required by the encryption process of the Saber scheme is the product of the polynomial matrix A and the polynomial vector s', namely As':
In steps S203 and S204 the indices i and j of A are controlled so that A is generated column by column: for a fixed column j, the elements of every row are generated and consumed before the next column is started. Since the final result never has to be written back into A, no storage space is allocated for A; its elements are generated in real time, so the space occupied by A shrinks from the 4.5 KB needed in the prior art to the 512 B (0.5 KB) of the fifth storage unit in this embodiment, markedly reducing the memory needed by the Saber calculation.
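The loop orders of steps S103/S104 (key generation, claim 1: the j-th element of the temporary public key vector accumulates a_{i,j}·s_i with i outer and j inner) and of steps S203/S204 (encryption: the i-th element of the temporary second ciphertext vector accumulates a_{i,j}·s'_j with j outer and i inner), as an added example that is not part of the patent. Only one element of A is live at a time, the secret element used by the inner loop stays fixed for l consecutive products (which is what lets Embodiments 2 and 5 generate it just in time), and each streamed result is checked against a full-matrix computation. The Saber parameters n = 256, l = 3, q = 2^13, ε_q = 13, ε_p = 10 and h = 4 for every coefficient are assumptions (the page gives only ε_T = 4 and the 6-bit shift); the per-element expander a_{i,j} = SHAKE128(Seed_A || i || j) is a hypothetical stand-in for the page's "generate a_{i,j} from Seed_A", not the page's own derivation.

```python
"""Streaming A^T s (key generation) and A s' (encryption) with one live element of A.

Added example, not the patent's code. Assumed parameters (not on the page): n = 256,
l = 3, q = 2^13, eps_q = 13, eps_p = 10, h = 4 per coefficient, and a hypothetical
per-element expander a_{i,j} = SHAKE128(Seed_A || i || j).
"""
import hashlib

N, L, Q = 256, 3, 1 << 13
EPS_Q, EPS_P = 13, 10
H_COEFF = 1 << (EPS_Q - EPS_P - 1)   # assumed rounding constant h (every coefficient = 4)


def poly_mul(a, b):
    """Schoolbook product in Z_q[x] / (x^N + 1)."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                r[k] = (r[k] + ai * bj) % Q
            else:
                r[k - N] = (r[k - N] - ai * bj) % Q   # x^N = -1
    return r


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def round_q_to_p(poly):
    """((x + h) mod q) >> (eps_q - eps_p), coefficient-wise, as in the b and c_2 formulas."""
    return [((c + H_COEFF) % Q) >> (EPS_Q - EPS_P) for c in poly]


def expand_a(seed_a: bytes, i: int, j: int):
    """Hypothetical expander for a_{i,j}: N coefficients in [0, q) from SHAKE128(Seed_A || i || j).
    Stands in for 'generate a_{i,j} from Seed_A'; the page does not give its own derivation."""
    raw = hashlib.shake_128(seed_a + bytes([i, j])).digest(2 * N)
    return [int.from_bytes(raw[2 * k:2 * k + 2], "little") % Q for k in range(N)]


def keygen_streaming(seed_a: bytes, s):
    """S103/S104: b_j <- b_j + a_{i,j} * s_i with i outer, j inner.
    Returns (rounded b, visiting order of (i, j)); one a_{i,j} buffer is overwritten each step."""
    b_tmp = [[0] * N for _ in range(L)]
    order = []
    for i in range(L):                # s_i is needed for L consecutive products: generate it here
        for j in range(L):
            a_ij = expand_a(seed_a, i, j)
            b_tmp[j] = poly_add(b_tmp[j], poly_mul(a_ij, s[i]))
            order.append((i, j))
    return [round_q_to_p(bj) for bj in b_tmp], order


def encrypt_streaming(seed_a: bytes, s_prime):
    """S203/S204: b'_i <- b'_i + a_{i,j} * s'_j with j outer, i inner (column by column)."""
    b_tmp = [[0] * N for _ in range(L)]
    order = []
    for j in range(L):                # s'_j is needed for L consecutive products: generate it here
        for i in range(L):
            a_ij = expand_a(seed_a, i, j)
            b_tmp[i] = poly_add(b_tmp[i], poly_mul(a_ij, s_prime[j]))
            order.append((i, j))
    return [round_q_to_p(bi) for bi in b_tmp], order


def matvec_full(seed_a: bytes, vec, transpose: bool):
    """Reference: materialize all L*L elements of A, then compute A^T vec (transpose) or A vec."""
    A = [[expand_a(seed_a, i, j) for j in range(L)] for i in range(L)]
    out = []
    for r in range(L):
        acc = [0] * N
        for k in range(L):
            acc = poly_add(acc, poly_mul(A[k][r] if transpose else A[r][k], vec[k]))
        out.append(round_q_to_p(acc))
    return out


def sample_small_vector():
    """Constructed small-coefficient secret for the demo (not a real CBD sample)."""
    return [[(7 * k + 3 * i) % 5 - 2 for k in range(N)] for i in range(L)]


if __name__ == "__main__":
    seed_a = b"constructed Seed_A"
    s = sample_small_vector()
    b, order = keygen_streaming(seed_a, s)
    print("keygen matches full A^T s:", b == matvec_full(seed_a, s, True))
    print("first visits:", order[:L])        # s_0 reused across (0,0), (0,1), (0,2)
```

The two streaming routines differ only in which index is outer; that choice decides whether s_i or s'_j is the operand reused l times in a row, and therefore which vector can be generated one element at a time while A^T s or A s' is accumulated. matvec_full() is the memory-hungry reference the page's 4.5 KB figure refers to (nine elements of A resident at once).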
S205: calculate a first encryption parameter v' from the vector b in the public key:
v' = b^T (s' mod p) (7)
where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
compute the encrypted message polynomial c_m:
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive-integer constant satisfying ε_p > ε_T; in this example ε_T = 4, i.e. the right shift is ε_p − ε_T = 6 bits;
return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
This embodiment also discloses an encryption system implementing the encryption method. As shown in fig. 4, it includes:
a second initialization module 2-1, configured to initialize the indices i = 0 and j = 0 of the polynomial matrix A, set all elements of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generate a random variable r';
a second polynomial vector s' generation module 2-2, configured to generate pseudo-random numbers from the random variable r' and store them in a fourth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s', and to generate the elements of s' from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generation module 2-3, configured to generate, from the random seed Seed_A in the public key, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of A;
a temporary second ciphertext vector updating module 2-4, configured to update the value of the i-th element of the temporary second ciphertext vector from a_{i,j}, s'_j and its value before the update, where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit and s'_j is the j-th element of the polynomial vector s';
a second ciphertext vector c_2 calculation module 2-5, configured to calculate the second ciphertext vector c_2:
where h is a preset constant polynomial; mod is the modular operation, and q, a positive integer, is the upper bound of the polynomial coefficients of the elements of the polynomial matrix A; the shift operator denotes a logical right shift by ε_q − ε_p bits, where ε_q and ε_p are preset positive-integer constants satisfying ε_q > ε_p;
a ciphertext calculation module 2-6, configured to calculate a first encryption parameter v' from the vector b in the public key, v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
to compute the encrypted message polynomial c_m:
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive-integer constant satisfying ε_p > ε_T;
and to return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
Example 5
This embodiment differs from Embodiment 4 in that the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s' are generated in real time, specifically:
In step S202, the pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s'_j of the polynomial vector s' are generated from the random variable r' and stored in a sixth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of s'; s'_j is then generated from the pseudo-random numbers in the sixth storage unit;
In this embodiment the sixth storage unit is 256 bytes. First, absorb() is called once with the random variable r' as input to initialize the internal state of the SHAKE algorithm; squeezeblock() is then called twice to produce 168 × 2 = 336 bytes of pseudo-random output, of which the first 256 bytes are stored in the sixth storage unit and the remaining 80 bytes are discarded; the element s'_j of the polynomial vector s' is then generated from the pseudo-random numbers in the sixth storage unit.
In step S204, when i = l−1 and j < l−1, the step of incrementing j further includes: generating the pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of s' from the random variable r', storing them in the sixth storage unit, and generating s'_j from the pseudo-random numbers in the sixth storage unit; then jumping to step S203.
According to formula (6), each s'_j is used 3 times. As in Embodiment 2, this embodiment reduces the space occupied by the intermediate result needed to generate the polynomial vector s' from 840 bytes (as in Embodiment 4) to 256 bytes, further reducing the memory needed to implement the Saber scheme. Likewise, the cost is one extra squeezeblock() call.
Example 6
This embodiment improves on Embodiment 5 in the same way that Embodiment 3 improves on Embodiment 2: the sixth storage unit is divided into two parts, specifically:
the size of the sixth storage unit equals the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s';
the sixth storage unit is divided into a third subunit and a fourth subunit, the third subunit being the size of the output of one call to the pseudo-random number generation function;
when calculating the value of an element of the polynomial vector s':
if the fourth subunit holds pseudo-random numbers, they are extracted first and used for part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is then called, its output is stored in the third subunit, and pseudo-random numbers are extracted from the third subunit for a further part of the polynomial coefficients of the current element;
if polynomial coefficients of the current element are still undetermined, the pseudo-random number generation function is called again, its output is stored in the third subunit, and pseudo-random numbers of the required length are extracted from the third subunit for the remaining coefficients of the current element;
any pseudo-random numbers in the third subunit that were not extracted are stored in the fourth subunit; if the unextracted data is larger than the fourth subunit, the excess is discarded.
Example 7
This embodiment discloses a decryption method for the encryption method of Embodiments 4 to 6. As shown in fig. 5, it includes:
S301: from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s, calculate a first decryption parameter v:
S302: calculate the decrypted message polynomial m':
As shown in fig. 6, a decryption system implementing the decryption method includes:
a first decryption parameter calculation module 3-1, configured to calculate a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s:
a decrypted message polynomial calculation module 3-2, configured to calculate the decrypted message polynomial m':
where h_2 is a preset second constant term.
Claims (10)
1. A low-memory-occupation secret key generation method based on the post-quantum cryptography Saber algorithm, characterized by comprising the following steps:
S101: generate a random seed Seed_A and a random variable r; initialize the indices i = 0 and j = 0 of the polynomial matrix A, and set all elements of the temporary public key vector to 0;
S102: generate pseudo-random numbers from the random variable r and store them in a first storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s; generate the elements of s from the pseudo-random numbers in the first storage unit;
S103: from the random seed Seed_A, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of A;
update the value of the j-th element of the temporary public key vector from a_{i,j}, s_i and its value before the update, where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit and s_i is the i-th element of the polynomial vector s;
S104: if j < l−1, increment j, jump to step S103 and update the elements of the temporary public key vector; l is the dimension of the polynomial vector s;
if j = l−1 and i < l−1, set j = 0, increment i, jump to step S103 and update the elements of the temporary public key vector;
if j = l−1 and i = l−1, calculate the public key vector b:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), where q, a positive integer, is the upper bound, and mod is the modular operation; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive-integer constants satisfying ε_q > ε_p;
return the public key and the private key, where the random seed Seed_A and the public key vector b form the public key (Seed_A, b) and the polynomial vector s is the private key.
2. The key generation method according to claim 1, wherein the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s are generated in real time, specifically:
in step S102, the pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of the polynomial vector s are generated from the random variable r and stored in a third storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of s; the i-th element s_i of s is computed from the pseudo-random numbers in the third storage unit;
in step S104, when j = l−1 and i < l−1, the step of incrementing i further includes: generating the pseudo-random numbers corresponding to the polynomial coefficients of the i-th element of s from the random variable r, storing them in the third storage unit, and computing s_i from the pseudo-random numbers in the third storage unit; then jumping to step S103.
3. The key generation method according to claim 2, wherein the pseudo-random numbers are generated with the SHAKE algorithm;
the size of the third storage unit equals the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s;
the third storage unit is divided into a first subunit and a second subunit, the first subunit being the size of the output of one call to the pseudo-random number generation function;
when calculating the value of an element of the polynomial vector s:
if the second subunit holds pseudo-random numbers, they are extracted and used for part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, its output is stored in the first subunit, and pseudo-random numbers are extracted from the first subunit for a further part of the polynomial coefficients of the current element;
if polynomial coefficients of the current element are still undetermined, the pseudo-random number generation function is called again, its output is stored in the first subunit, and pseudo-random numbers of the required length are extracted from the first subunit for the remaining coefficients of the current element;
any pseudo-random numbers in the first subunit that were not extracted are stored in the second subunit; if the unextracted data is larger than the second subunit, the excess is discarded.
4. An encryption method using the key generation method according to any one of claims 1 to 3, comprising:
S201: initialize the indices i = 0 and j = 0 of the polynomial matrix A; set all elements of the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0; generate a random variable r';
S202: generate pseudo-random numbers from the random variable r' and store them in a fourth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; generate the elements of s' from the pseudo-random numbers in the fourth storage unit;
S203: from the random seed Seed_A in the public key, generate the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a fifth storage unit, overwriting any data already there; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of A;
update the value of the i-th element of the temporary second ciphertext vector from a_{i,j}, s'_j and its value before the update, where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the fifth storage unit and s'_j is the j-th element of the polynomial vector s';
S204: if i < l−1, increment i, jump to step S203 and update the elements of the temporary second ciphertext vector; l is the dimension of the private-key polynomial vector s;
if i = l−1 and j < l−1, set i = 0, increment j, jump to step S203 and update the elements of the temporary second ciphertext vector;
if i = l−1 and j = l−1, calculate the second ciphertext vector c_2:
where h is a preset constant polynomial; mod is the modular operation, and q, a positive integer, is the upper bound of the polynomial coefficients of the elements of the polynomial matrix A; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive-integer constants satisfying ε_q > ε_p;
S205: calculate a first encryption parameter v' from the vector b in the public key, v' = b^T (s' mod p), where p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
compute the encrypted message polynomial c_m:
where h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive-integer constant satisfying ε_p > ε_T;
return the ciphertext (c_m, c_2) formed by the encrypted message polynomial c_m and the second ciphertext vector c_2.
5. The encryption method according to claim 4, wherein the pseudo-random numbers corresponding to the polynomial coefficients of the elements of the polynomial vector s' are generated in real time, specifically:
in step S202, the pseudo-random numbers corresponding to the polynomial coefficients of the j-th element s'_j of the polynomial vector s' are generated from the random variable r' and stored in a sixth storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of s'; s'_j is generated from the pseudo-random numbers in the sixth storage unit;
in step S204, when i = l−1 and j < l−1, the step of incrementing j further includes: generating the pseudo-random numbers corresponding to the polynomial coefficients of the j-th element of s' from the random variable r', storing them in the sixth storage unit, and generating s'_j from the pseudo-random numbers in the sixth storage unit; then jumping to step S203.
6. The encryption method according to claim 5, wherein the pseudo-random numbers are generated with the SHAKE algorithm;
the size of the sixth storage unit equals the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of the polynomial vector s';
the sixth storage unit is divided into a third subunit and a fourth subunit, the third subunit being the size of the output of one call to the pseudo-random number generation function;
when generating the value of an element of the polynomial vector s':
if the fourth subunit holds pseudo-random numbers, they are extracted and used for part of the polynomial coefficients of the element currently being generated;
the pseudo-random number generation function is called, its output is stored in the third subunit, and pseudo-random numbers are extracted from the third subunit for a further part of the polynomial coefficients of the current element;
if polynomial coefficients of the current element are still undetermined, the pseudo-random number generation function is called again, its output is stored in the third subunit, and pseudo-random numbers of the required length are extracted from the third subunit for the remaining coefficients of the current element;
any pseudo-random numbers in the third subunit that were not extracted are stored in the fourth subunit; if the unextracted data is larger than the fourth subunit, the excess is discarded.
7. A decryption method for the encryption method according to claim 4, comprising:
S301: from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s, calculate a first decryption parameter v:
S302: calculate the decrypted message polynomial m':
where h_2 is a preset second constant term.
8. A low-memory-occupation key generation system based on the post-quantum cryptography Saber algorithm, characterized by comprising:
a first initialization module, configured to generate a random seed Seed_A and a random variable r, initialize the indices i = 0 and j = 0 of the polynomial matrix A, and set all elements of the temporary public key vector to 0;
a first polynomial vector s generation module, configured to generate pseudo-random numbers from the random variable r and store them in a first storage unit, whose size is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s, and to generate the elements of s from the pseudo-random numbers in the first storage unit;
a first polynomial matrix A generation module, configured to generate, from the random seed Seed_A, the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A and store them in a second storage unit, overwriting any data already there; the size of the second storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of one element of A;
a temporary public key vector updating module, configured to update the value of the j-th element of the temporary public key vector from a_{i,j}, s_i and its value before the update, where a_{i,j} is the element in row i, column j of the polynomial matrix A generated from the second storage unit and s_i is the i-th element of the polynomial vector s;
the temporary public key vector updating module cooperates with the first polynomial matrix A generation module to update the temporary public key vector by controlling the indices i and j of A, specifically:
(81) when i = 0 and j = 0, the first polynomial matrix A generation module generates the pseudo-random numbers corresponding to the polynomial coefficients of the element in row 0, column 0 of the polynomial matrix A, and the temporary public key vector updating module updates the value of the temporary public key vector;
(82) if j < l−1, increment j; the first polynomial matrix A generation module generates the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and the temporary public key vector updating module again updates the elements of the temporary public key vector; l is the dimension of the polynomial vector s; this step is repeated until j = l−1;
(83) if j = l−1 and i < l−1, set j = 0 and increment i; the first polynomial matrix A generation module generates the pseudo-random numbers corresponding to the polynomial coefficients of the element in row i, column j of the polynomial matrix A, and the temporary public key vector updating module again updates the elements of the temporary public key vector; jump to step (82) until j = l−1 and i = l−1;
a public key calculation module, configured to calculate the public key vector b when j = l−1 and i = l−1:
where h is a preset constant polynomial; the polynomial coefficients of the elements of the polynomial matrix A take values in [0, q), where q, a positive integer, is the upper bound, and mod is the modular operation; the right shift is by ε_q − ε_p bits, where ε_q and ε_p are preset positive-integer constants satisfying ε_q > ε_p;
a key output module, configured to return the public key and the private key, where the random seed Seed_A and the public key vector b form the public key (Seed_A, b) and the polynomial vector s is the private key.
9. A low-memory-footprint encryption system based on the post-quantum cryptography Saber algorithm, comprising:
a second initialization module for initializing the indices i = 0 and j = 0 of the polynomial matrix A, initializing the first ciphertext polynomial c_1, the second ciphertext vector c_2 and the temporary second ciphertext vector to 0, and generating a random variable r';
a second polynomial vector s' generating module for generating a plurality of pseudo-random numbers from the random variable r' and storing them in a fourth storage unit; the size of the fourth storage unit is greater than or equal to the space occupied by the pseudo-random numbers corresponding to the polynomial coefficients of all elements of the polynomial vector s'; and generating the elements of the polynomial vector s' from the pseudo-random numbers in the fourth storage unit;
a second polynomial matrix A generating module for generating, from the random seed Seed_A in the public key, the pseudo-random number corresponding to the polynomial coefficients of the element in row i and column j of the polynomial matrix A, and storing it in a fifth storage unit, overwriting any data already present in the fifth storage unit; the size of the fifth storage unit is greater than or equal to the space occupied by the pseudo-random number corresponding to the polynomial coefficients of one element of the polynomial matrix A;
a temporary second ciphertext vector updating module for updating the value of the ith element of the temporary second ciphertext vector from a_{i,j}, s'_j and that element's previous value, wherein a_{i,j} is the element in row i and column j of the polynomial matrix A generated from the fifth storage unit, s'_j is the jth element of the polynomial vector s', and the previous value is the value of the ith element of the temporary second ciphertext vector before the update;
the temporary second ciphertext vector updating module cooperates with the second polynomial matrix A generating module to update the temporary second ciphertext vector by controlling the change of the indices i, j of A, specifically as follows:
(91) when i = 0 and j = 0, the second polynomial matrix A generating module generates the pseudo-random number corresponding to the polynomial coefficients of the element in row 0 and column 0 of the polynomial matrix A, and the temporary second ciphertext vector updating module updates the value of the ith element of the temporary second ciphertext vector;
(92) if i < l-1, increase i by one; the second polynomial matrix A generating module generates the pseudo-random number corresponding to the polynomial coefficients of the element in row i and column j of the polynomial matrix A, and the temporary second ciphertext vector updating module updates the value of the ith element of the temporary second ciphertext vector, where l is the dimension of the private key polynomial vector s; this step is repeated until i = l-1;
(93) if i = l-1 and j < l-1, set i to 0 and increase j by one; the second polynomial matrix A generating module generates the pseudo-random number corresponding to the polynomial coefficients of the element in row i and column j of the polynomial matrix A, and the temporary second ciphertext vector updating module again updates the value of the ith element of the temporary second ciphertext vector; jump to step (92) until i = l-1 and j = l-1;
a second ciphertext vector c_2 calculation module for calculating the second ciphertext vector c_2 when i = l-1 and j = l-1:
wherein h is a preset constant polynomial; mod is the modular operation; q is the upper bound of the polynomial coefficient values of the elements of the polynomial matrix A and is a positive integer; the number of right shifts is ε_q - ε_p, where ε_q and ε_p are both preset positive integer constants satisfying ε_q > ε_p;
a ciphertext calculation module for calculating a first encryption parameter v' from the vector b in the public key: v' = b^T (s' mod p), wherein p is a second modulus and the superscript T denotes the transpose of a vector or matrix;
computing an encrypted message polynomial c_m:
wherein h_1 is a preset first constant term, m is the message polynomial to be encrypted, and ε_T is a preset positive integer constant whose value satisfies ε_p > ε_T;
and returning the ciphertext (c_m, c_2) composed of the encrypted message polynomial c_m and the second ciphertext vector c_2.
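The element-at-a-time accumulation that claims 8 and 9 describe, as an added example that is not the patent's code: a toy module-LWR ring in which each a_{i,j} is regenerated from the seed with SHAKE-128 (a constructed stand-in for Saber's sampler) and consumed immediately, so only one matrix element is ever held, with a reference function that materialises the whole matrix to confirm that both loop orders (j inner for key generation, i inner for encryption) give the same result. It assumes the Saber-style rounding ((A^T s + h) mod q) >> (ε_q - ε_p), a constant polynomial h of the form 2^(ε_q - ε_p - 1), and toy parameters n = 4, l = 3, q = 2^13.

```python
import hashlib

N, L, Q = 4, 3, 1 << 13             # toy ring degree, module rank l, q = 2^eps_q
EPS_Q, EPS_P = 13, 10               # preset constants with eps_q > eps_p (toy values)
H = [1 << (EPS_Q - EPS_P - 1)] * N  # constant rounding polynomial h (assumed form)

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around to -1."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % N, 1 if i + j < N else -1
            r[k] = (r[k] + sign * ai * bj) % Q
    return r

def gen_a_elem(seed, i, j):
    """Derive a_{i,j} from (seed, i, j); constructed stand-in for Saber's sampler."""
    buf = hashlib.shake_128(seed + bytes([i, j])).digest(2 * N)
    return [int.from_bytes(buf[2 * k:2 * k + 2], "little") % Q for k in range(N)]

def round_q_to_p(v):  # ((v + h) mod q) >> (eps_q - eps_p), coefficient-wise
    return [[(c + h) % Q >> (EPS_Q - EPS_P) for c, h in zip(p, H)] for p in v]

def stream_matvec(seed, v, transpose):
    """Claims 8/9: one regenerated a_{i,j} at a time, never the whole matrix.
    transpose=True : out_j += a_{i,j}*v_i, j inner loop  (key generation, A^T s)
    transpose=False: out_i += a_{i,j}*v_j, i inner loop  (encryption, A s')"""
    out = [[0] * N for _ in range(L)]
    for outer in range(L):
        for inner in range(L):
            i, j = (outer, inner) if transpose else (inner, outer)
            a_ij = gen_a_elem(seed, i, j)  # the single-element buffer is overwritten here
            if transpose:
                out[j] = poly_add(out[j], poly_mul(a_ij, v[i]))
            else:
                out[i] = poly_add(out[i], poly_mul(a_ij, v[j]))
    return round_q_to_p(out)

def full_matvec(seed, v, transpose):
    """Reference: materialise all l*l elements of A (l*l*N coefficients) first."""
    A = [[gen_a_elem(seed, i, j) for j in range(L)] for i in range(L)]
    out = []
    for r in range(L):
        acc = [0] * N
        for k in range(L):
            acc = poly_add(acc, poly_mul(A[k][r] if transpose else A[r][k], v[k]))
        out.append(acc)
    return round_q_to_p(out)
```

The streaming path stores N coefficients of A at any moment, against L*L*N for the reference, which is the memory saving the claims are built around.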
10. A decryption system for the low-memory-footprint encryption system based on the post-quantum cryptography Saber algorithm according to claim 9, comprising:
a first decryption parameter calculation module for calculating a first decryption parameter v from the second ciphertext vector c_2 of the ciphertext (c_m, c_2) and the private key s, wherein c_m is the encrypted message polynomial;
a decrypted message polynomial calculation module for calculating the decrypted message polynomial m':
wherein h_2 is a preset second constant term, p is the second modulus, and ε_p and ε_T are both preset positive integer constants whose values satisfy ε_p > ε_T.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110704531.9A CN113472525B (en) | 2021-06-24 | 2021-06-24 | Low-memory-occupation secret key generation method based on post-quantum cryptography Saber algorithm, encryption and decryption method and system thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113472525A CN113472525A (en) | 2021-10-01 |
CN113472525B true CN113472525B (en) | 2022-07-26 |
Family
ID=77872724
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115412241B (en) * | 2022-07-25 | 2024-02-06 | 华中科技大学 | Fusion cipher safety processor for realizing postquantum cipher algorithm Kyber and Saber |
CN115348017B (en) * | 2022-10-18 | 2023-02-07 | 阿里巴巴(中国)有限公司 | Ciphertext processing method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020188269A1 (en) * | 2019-03-18 | 2020-09-24 | Pqshield Ltd | Cryptography using a cryptographic state |
WO2021032946A1 (en) * | 2019-08-16 | 2021-02-25 | Pqshield Ltd | Co-processor for cryptographic operations |
CN112511170A (en) * | 2020-11-10 | 2021-03-16 | 南京航空航天大学 | Parallel implementation method for polynomial compression in lattice code |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110266481B (en) * | 2019-06-14 | 2022-05-20 | 深圳职业技术学院 | Post-quantum encryption and decryption method and device based on matrix |
Non-Patent Citations (3)
Title |
---|
Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM; Angshuman Karmakar et al.; IACR-CHES-2018; 20200305; full text * |
SABER: Mod-LWR based KEM (Round 3 Submission); Andrea Basso et al.; http://www.esat.kuleuven.be/cosic/pqcrypto/saber/files/saberspecround3.pdf; 20170923; body sections 1-8 * |
Time-Memory trade-off in Toom-Cook multiplication: an application to module-lattice based cryptography; Jose Maria Bermudo Mera et al.; IACR Transactions on Cryptographic Hardware and Embedded Systems; 20200302; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||