Efficient compact lattice-based encryption method
Technical Field
The invention relates to cryptographic technology, in particular to a lattice-based post-quantum encryption method.
Background
Engineers at IBM predict that quantum computers will be deployed at scale within the next twenty years. Once quantum computers are mass-produced, most public-key cryptosystems based on the discrete logarithm problem, the elliptic-curve discrete logarithm problem or integer factorization will be broken. Therefore, whether or not the arrival of the quantum computing era can be predicted accurately, the current information security infrastructure needs to be raised to a quantum-resistant level.
Lattice cryptography is one of the main mathematical approaches to resisting quantum attacks today. In cryptography, the LWE (Learning With Errors) problem has proven to be a more versatile foundation for constructions than the classical lattice problems (e.g., SVP and CVP).
For a real number σ > 0 and x ∈ R, a Gaussian function is defined, and the one-dimensional discrete Gaussian distribution is determined by the corresponding probability density function; the n-dimensional spherical discrete Gaussian distribution over Z^n is the distribution whose n coordinates are independent one-dimensional discrete Gaussians. Given positive integers n and q, both polynomial in the security parameter λ, a secret vector s ∈ Z_q^n and a probability distribution χ over Z_q, choose a ∈ Z_q^n uniformly at random and a noise term e ← χ, and let A_{q,s,χ} be the resulting distribution over Z_q^n × Z_q that outputs (a, ⟨a, s⟩ + e). The noise distribution χ is usually taken to be a discrete Gaussian, but other distributions may be used.
Under the decisional LWE assumption, for a sufficiently large security parameter λ, no probabilistic polynomial-time algorithm can distinguish A_{q,s,χ} from the uniform distribution over Z_q^n × Z_q with non-negligible probability. This remains true even when the adversary sees polynomially many samples and the secret vector s is itself drawn from χ^n rather than uniformly at random.
The MLWE problem is a variant of the LWE problem. Samples from the MLWE distribution have the form (A_i, Y_i), where R_q is a ring (or module) defined by the m-th cyclotomic polynomial, l and h are the dimensions of the sample matrix, A_i is chosen uniformly at random, and Y_i = A_i X + E_i is computed; all samples use the same secret X and the same or different noise E_i, where i indexes the sample, and X and E_i are drawn from two distributions with parameters η1 and η2 respectively, which may be the same or different. The MLWE problem is to recover X from polynomially many samples of the MLWE distribution. Specifically, for an adversary A, the advantage is defined accordingly (the definition is not reproduced in this text).
If no algorithm A with running time at most t has advantage greater than ε, we say that the (t, ε)-MLWE_{h,l,η} hardness assumption holds.
A public-key encryption scheme can be built on the hardness of MLWE. A public-key encryption scheme is a triple of algorithms PKE = (Gen, Enc, Dec); for any κ ∈ N:
1) Gen: the key generation algorithm is a probabilistic polynomial-time algorithm that takes 1^κ as input and outputs a pair of strings (pk, sk), the public key and the private key respectively, written (pk, sk) ← Gen(1^κ).
2) Enc: the encryption algorithm is a probabilistic polynomial-time algorithm that takes the public key pk and a message M from the plaintext space MSP, chooses r at random from the randomness space, and produces a ciphertext C ∈ {0,1}*; this is written C ← Enc_pk(M; r).
3) Dec: the decryption algorithm is a deterministic polynomial-time algorithm that takes the private key sk and a ciphertext C ∈ {0,1}* and returns a message M ∈ MSP.
If for every κ ∈ N, every pair (pk, sk) produced by Gen(1^κ) and every M ∈ MSP, E[max_{M ∈ MSP} Pr[Dec_sk(Enc_pk(M)) ≠ M]] ≤ δ, the PKE scheme is said to be δ-correct.
A key encapsulation mechanism KEM = (Gen, Encaps, Decaps) consists of three algorithms. The key generation algorithm Gen takes the security parameter κ and outputs a key pair (pk, sk), which also defines a finite key space 𝒦. The encapsulation algorithm Encaps takes pk and outputs a tuple (K, C), where C is an encapsulation of the key K ∈ 𝒦. The deterministic decapsulation algorithm Decaps takes sk and an encapsulation C and outputs a key K = Decaps(sk, C) ∈ 𝒦, or the symbol ⊥ to indicate that C is not a valid encapsulation.
If Pr[Decaps(sk, C) ≠ K | (pk, sk) ← Gen(1^κ); (K, C) ← Encaps(pk)] ≤ δ, the KEM is said to be δ-correct.
Disclosure of Invention
An efficient compact lattice-based encryption method, in which a string or value α denotes a binary value and |α| denotes the bit length of α; for any real number x, ⌊x⌋ denotes the largest integer not greater than x and ⌈x⌉ the smallest integer not less than x; for positive integers a and b, lcm(a, b) denotes their least common multiple; for integers i < j, [i, j] denotes the set of integers {i, i+1, ..., j−1, j}; for any positive integer t, Z_t denotes the group of integers modulo t, whose elements are represented as [0, t−1] by default but are sometimes written explicitly in another representative range; {0,1}^n denotes the set of binary strings of length n;
if S is a finite set, |S| denotes its cardinality and x ← S denotes choosing an element of S uniformly at random; for two sets A and B we define A + B = {a + b | a ∈ A, b ∈ B}; for an additive group (G, +), an element x ∈ G and a subset S ⊆ G, x + S denotes the set obtained by adding x to each element of S; for a set S, U(S) denotes the uniform distribution on S; for a discrete random variable X over R, Support(X) = {x ∈ R | Pr[X = x] > 0};
if D is a probability distribution, x ← D denotes sampling an element according to D and assigning it to x; if α is neither an algorithm nor a set, x ← α denotes plain assignment; if A is a probabilistic algorithm, A(x1, x2, ...; r) denotes the result of running A on input x1, x2, ... with random coins r, and y ← A(x1, x2, ...) denotes the experiment of choosing r at random and setting y = A(x1, x2, ...; r); Pr[R1; ...; Rn : E] denotes the probability that event E occurs after the ordered sequence of random processes R1, ..., Rn; a function f(λ) is negligible if for every c > 0 there is a λ_c such that f(λ) < 1/λ^c for all λ > λ_c; the ring R_q is defined over Z_q modulo the m-th cyclotomic polynomial Φ_m(x); an element of R_q is a polynomial with N coefficients, of the form a_0 + a_1 x + a_2 x^2 + ... + a_{N−1} x^{N−1}, where N is a positive integer; the positive integers l and h are the dimensions of the matrix samples, and R_q^{h×l} denotes an h×l matrix whose entries are such polynomials over R_q; a function whose input is a vector is applied separately to each coordinate of the vector;
samples from the MLWE distribution have the form (A_i, Y_i); the MLWE problem is to recover the secret X from polynomially many samples of the MLWE distribution; specifically, A_i is chosen uniformly at random and Y_i = A_i X + E_i is computed, all samples using the same X and the same or different E_i, where the positive integer i indexes the sample, and X and E_i are drawn from two probability distributions with parameters η1 and η2 respectively, which may be the same or different; for an adversary A the advantage is defined accordingly (the definition is not reproduced in this text);
if there is no algorithm A with running time at most τ and advantage greater than ε, we say that the (τ, ε)-MLWE_{h,l,η} hardness assumption holds, where τ is polynomial in N and ε is negligible in N;
an asymmetric key consensus algorithm AKC = (params, Con, Rec), whose components are defined as follows:
1) params = (q, m, g, d, aux) are the system parameters, with 2 ≤ m, g ≤ q, all positive integers, and aux auxiliary information determined by (q, m, g, d), which may be empty; unless stated otherwise, m = 2 or 4 in the method of the invention;
2) V ← Con(Σ2, K2, params): Con() is a polynomial-time algorithm which, on input (Σ2, K2, params), outputs a signal V, where N, N' and n are positive integers that may be equal or unequal;
3) K1 = Rec(Σ1, V, params): Rec() is a deterministic polynomial-time algorithm which, on input (Σ1, V, params), outputs K1.
In a first aspect of the invention, the method comprises:
Generating the system parameters (λ, n, q, χ, AKC, l, h, t1, t2) required for encryption, where λ is the security parameter, q ≥ 2, χ is the noise distribution, l and h are positive integers polynomial in λ that denote the dimensions, and t1 and t2 are the parameters of the compression functions, which are used to reduce the bandwidth when transmitting the ciphertext;
Public and private key generation: the decryptor samples a random seed ← {0,1}^κ, where the length κ of the seed is a positive integer, and feeds the seed into Gen to generate the matrix A, where Gen: {0,1}^κ → R_q^{l×l} is a pseudo-random generator mapping a random string of length κ to an l×l matrix A over R_q; the decryptor samples X1 and E1 as l×1 vectors from two distributions with parameters η1 and η2 respectively (the same or different), each entry of the vectors being a polynomial in R_q; X1 and/or E1 are kept as (part of) the private key; the decryptor computes the public key Y1 = Compress_1(A X1 + E1) and sends Y1 together with seed to the encryptor as the public key; here Compress_1() is a compression function whose input and output are both l×1 vectors over R_q, each entry an N-coefficient polynomial, but with every coefficient of the output reduced by t1 bits, where t1 ≥ 0 is an integer;
Encryption: the encryptor selects K2 from the message space as the message to be encrypted, regenerates the matrix A = Gen(seed) from the received seed with the same pseudo-random generator Gen, and samples X2 and E2 as l×1 vectors from two distributions (the same or different) with parameters η1 and η2, and Eσ, an N-coefficient polynomial, from a distribution with parameter η3, where η1, η2 and η3 may be equal or unequal; the encryptor then computes:
1) Y2 = Compress_2(A^T X2 + E2), where Compress_2() is a compression function whose input and output are both l×1 vectors over R_q, each entry an N-coefficient polynomial, with every coefficient of the output reduced by t2 bits, t2 ≥ 0 an integer; the Compress_2() used by the encryptor and the Compress_1() used by the decryptor may be the same function or different functions;
2) Σ2 = Decompress_1(Y1)^T · X2 + Eσ, where Decompress_1() is the decompression function corresponding to the Compress_1() used by the decryptor; its input is the compressed l×1 vector and its output is the decompressed l×1 vector over R_q; the inner product with X2 plus Eσ ∈ R_q gives Σ2 ∈ R_q, an N-coefficient polynomial;
3) V ← Con(Σ2, K2, params), where Con() is the polynomial-time algorithm defined in the asymmetric key consensus AKC, taking (Σ2, K2, params) as input and outputting the signal V;
The encryptor sends Y2 and V to the decryptor as the ciphertext;
Decryption: after receiving Y2 and V, the decryptor performs the following steps:
1) Σ1 = X1^T · Decompress_2(Y2), where Decompress_2() is the decompression function corresponding to the Compress_2() used by the encryptor; its input is the compressed l×1 vector and its output is the decompressed l×1 vector over R_q; the inner product with X1 gives Σ1 ∈ R_q, an N-coefficient polynomial;
2) K1 = Rec(Σ1, V, params), where Rec() is the deterministic polynomial-time algorithm of the AKC, taking (Σ1, V, params) as input and outputting K1.
Con() and Rec() are computed coefficient by coefficient: for each coefficient σ1 of Σ1, σ2 of Σ2 and k2 of K2, Con produces the corresponding coefficient v of V and Rec recovers the corresponding coefficient k1 of K1. Seven consensus schemes are provided; each specifies a Con formula (consensus scheme-1 in two alternative forms) giving v, the value of the corresponding coefficient of V, and/or a Rec formula giving k1. The explicit formulas of the seven schemes are not reproduced in this text:
1) Consensus scheme-1;
2) Consensus scheme-2;
3) Consensus scheme-3;
4) Consensus scheme-4;
5) Consensus scheme-5;
6) Consensus scheme-6;
7) Consensus scheme-7.
Compress_1() and/or Compress_2() are computed as follows, and Decompress_1() and/or Decompress_2() as Decompress() below. Let t ≥ 0 be an integer with t ∈ {t1, t2}; t = 0 means that no compression or decompression is applied. In practical use of the method, the value of t employed by Compress_1() and Compress_2() may be the same (t1 = t2) or different (t1 ≠ t2). Each coefficient x of a polynomial is compressed to y = Compress(x) and decompressed as Decompress(y); the Compress() formulas of modes 1, 2, 3 and 5 are not reproduced in this text:
1) Compression and decompression mode-1: Decompress(y) = 2^t · y;
2) Compression and decompression mode-2: Decompress(y) = 2^t · y + 2^{t−1};
3) Compression and decompression mode-3: Decompress(y) = 2^t · y − 2^{t−1};
In the above three modes, if y = 2^{t−1} the compression function additionally outputs a flag; the decompression function takes this flag as input in addition to y and then outputs 2^t · y + 2^{t−1} or 2^t · y − 2^{t−1} accordingly.
4) Compression and decompression mode-4: y = Compress(x) = ⌊2^t · x / q⌉ (or an alternative rounding of the same quantity) and Decompress(y) = ⌊q · y / 2^t⌉ (or an alternative rounding of the same quantity), where ⌊·⌉ denotes rounding to the nearest integer; in this mode the output y has t bits;
5) Compression and decompression mode-5: (formulas not reproduced in this text);
Let N = 256 or N = 512, l ∈ {1, 2, 3, 4}, m ∈ {2, 4, 8, 16, 32, 64, 128, 256}, and g = 2^δ with δ ≥ 1 a positive integer; let the distributions with parameters η1, η2 and η3 each be a centred binomial distribution, a uniform distribution, a discrete Gaussian distribution restricted to a finite interval, another discrete distribution on a finite interval, or a combination of the above distributions on a finite interval;
Specifically, the parameters are selected as follows:
Parameter set-1: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-2: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-3: N = 256, l = 2, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-4: N = 256, l = 4, m = 4, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-5: η1 ≠ η2, with q ≤ 3329, or t1 = 0, or q ≤ 7681 and N = 512;
Parameter set-6: η1 ≠ η2, q ≤ 7681, using the compression and decompression modes 1) to 3) above;
Parameter set-7: η1 = η2 = 2 and q ≤ 3329, or η1 = η2 = 4 and q ≤ 7681, using the compression and decompression modes 1) to 4) above;
Parameter set-8: N = 256, l = 3, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 8 or 16, using the compression and decompression modes 1) to 3) above; or N = 256, l = 2, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 4, 8 or 16, using the compression and decompression modes 1) to 4) above;
Parameter set-9: N = 256, l = 3, m = 2, t1 = t2 = 4, η1 = 1, η2 = η3 = 4, q ≤ 7681, g = 8 or 16, using the compression and decompression modes 1) to 5) above;
Parameter set-10: m ≥ 3, or consensus scheme-3, 4, 5, 6 or 7 is used, or the Con/Rec of consensus scheme-1 is used with compression and decompression mode-3, 4 or 5, or the Con/Rec of consensus scheme-2 is used with compression and decompression mode-1, 2, 3 or 4; N = 256 or 512, l ≥ 2, m ≥ 2, t1 ≥ 0, t2 ≥ 0, η1 > 0, η2 > 0, η3 > 0, q ≤ 7681, g ≥ 2.
In a second aspect of the invention, the three distributions with parameters η1, η2 and η3 (the same or different) are each, with η ∈ {η1, η2, η3}, one of the following:
1) the uniform distribution over [−η, η];
2) the centred binomial distribution B_η: to sample from B_η, draw (a_1, ..., a_η, b_1, ..., b_η) ← {0,1}^{2η} and output Σ_{i=1}^{η} (a_i − b_i);
3) a discrete Gaussian distribution over [−η, η];
4) a combined distribution over a finite interval built from the above distributions, for example the sum or difference of a centred binomial distribution and a uniform distribution.
In a third aspect of the invention, the parameters are selected as follows:
Parameter set-11: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 8;
Parameter set-12: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3 or 4, g = 4, 8, 16 or 32;
Parameter set-13: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 32;
Parameter set-14: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g = 8;
Parameter set-15: N = 512, l = 2, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16, 32, 64};
Parameter set-16: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 2, g = 8;
Parameter set-17: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g = 8;
Parameter set-18: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2 or 4, q ≤ 7681;
Parameter set-19: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 1, g ∈ {16, 32};
Parameter set-20: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16};
Parameter set-21: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 4, g ∈ {8, 16}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {4, 8}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {8, 16, 32}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 ∈ {0, 1}, g ∈ {32, 64, 128};
Parameter set-22: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g ∈ {4, 8}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {3, 4}, t2 ∈ {3, 4}, g ∈ {8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g ∈ {4, 8, 16}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {0, 1}, t2 ∈ {0, 1}, g ∈ {16, 32};
Parameter set-23: N = 256, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 4, g ∈ {4, 8, 16}; or N = 256, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {3, 4, 5}, t2 ∈ {4, 5}, g ∈ {4, 8, 16};
Parameter set-24: N = 512, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {2, 3}, t2 ∈ {2, 3}, g ∈ {4, 8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256};
Parameter set-25: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {0, 1, 2}, t2 ∈ {0, 1, 2}, g ∈ {4, 8, 16, 32, 64}; or N = 256, l = 4, m = 4, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256}.
In a fourth aspect of the invention, when m ≥ 3, or when consensus scheme-3, 4, 5, 6 or 7 is used, or the Con/Rec of consensus scheme-1 is used with compression and decompression mode-3, 4 or 5, or the Con/Rec of consensus scheme-2 is used with compression and decompression mode-1, 2, 3 or 4, the parameters are set as follows:
Parameter set-26: N = 256, l = 2, η1 = 2, η2 = η3 = 12, q ≤ 7681, t1 = 3, t2 = 4, g = 8;
Parameter set-27: N = 256, l = 3, η1 = 1, η2 = η3 = 4, q ≤ 7681, t1 = 4, t2 = 4, g = 16;
Parameter set-28: N = 512, l = 2, η1 = 2, η2 = η3 = 8, q ≤ 12289, t1 = 2 or 3, t2 = 3 or 4, g = 16;
Parameter set-29: N = 256, l = 2, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 2 or 3, g = 8;
Parameter set-30: N = 256, l = 3, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 2 or 3, g = 16;
Parameter set-31: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 1 or 2, g = 32;
Parameter set-32: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = 0, t2 = 2, g = 32, 64 or 128;
Parameter set-33: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 1 or 2, g = 32, 64, 128 or 256;
Parameter set-34: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 1, t2 = 1, g = 512, 1024 or 2048;
Parameter set-35: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 0, g = 8, 16, 32, 64, 128 or 256.
In the method described above, the multiplication of two polynomials is computed with a fast number-theoretic transform (NTT). For some of the parameter sets a complete classical NTT cannot be applied (q − 1 is not divisible by 2N, so Z_q has no primitive 2N-th root of unity and x^N + 1 does not split into linear factors), and a novel, incomplete NTT may be used instead.
Drawings
FIG. 1 schematically illustrates the process of the asymmetric key consensus algorithm;
FIG. 2 illustrates an exemplary lattice-based encryption method of the invention.
Detailed Description
Generating the system parameters (λ, n, q, χ, AKC, l, h, t1, t2) required for encryption, where λ is the security parameter, q ≥ 2, χ is the noise distribution, l and h are positive integers polynomial in λ that denote the dimensions, and t1 and t2 are the parameters of the compression functions, which are used to reduce the bandwidth when transmitting the ciphertext;
Public and private key generation (see FIG. 2): the decryptor samples a random seed ← {0,1}^κ, where the length κ of the seed is a positive integer, and feeds the seed into Gen to generate the matrix A, where Gen: {0,1}^κ → R_q^{l×l} is a pseudo-random generator mapping a random string of length κ to an l×l matrix A over R_q; the decryptor samples X1 and E1 as l×1 vectors from two distributions with parameters η1 and η2 respectively (the same or different), each entry of the vectors being a polynomial in R_q; X1 and/or E1 are kept as (part of) the private key; the decryptor computes the public key Y1 = Compress_1(A X1 + E1) and sends Y1 together with seed to the encryptor as the public key; here Compress_1() is a compression function whose input and output are both l×1 vectors over R_q, each entry an N-coefficient polynomial, but with every coefficient of the output reduced by t1 bits, where t1 ≥ 0 is an integer;
Encryption (see FIG. 2): the encryptor selects K2 from the message space as the message to be encrypted, regenerates the matrix A = Gen(seed) from the received seed with the same pseudo-random generator Gen, and samples X2 and E2 as l×1 vectors from two distributions (the same or different) with parameters η1 and η2, and Eσ, an N-coefficient polynomial, from a distribution with parameter η3, where η1, η2 and η3 may be equal or unequal; the encryptor then computes:
1) Y2 = Compress_2(A^T X2 + E2), where Compress_2() is a compression function whose input and output are both l×1 vectors over R_q, each entry an N-coefficient polynomial, with every coefficient of the output reduced by t2 bits, t2 ≥ 0 an integer; the Compress_2() used by the encryptor and the Compress_1() used by the decryptor may be the same function or different functions;
2) Σ2 = Decompress_1(Y1)^T · X2 + Eσ, where Decompress_1() is the decompression function corresponding to the Compress_1() used by the decryptor; its input is the compressed l×1 vector and its output is the decompressed l×1 vector over R_q; the inner product with X2 plus Eσ ∈ R_q gives Σ2 ∈ R_q, an N-coefficient polynomial;
3) V ← Con(Σ2, K2, params), where Con() is the polynomial-time algorithm defined in the asymmetric key consensus AKC, taking (Σ2, K2, params) as input and outputting the signal V;
The encryptor sends Y2 and V to the decryptor as the ciphertext;
Decryption (see FIG. 2): after receiving Y2 and V, the decryptor performs the following steps:
1) Σ1 = X1^T · Decompress_2(Y2), where Decompress_2() is the decompression function corresponding to the Compress_2() used by the encryptor; its input is the compressed l×1 vector and its output is the decompressed l×1 vector over R_q; the inner product with X1 gives Σ1 ∈ R_q, an N-coefficient polynomial;
2) K1 = Rec(Σ1, V, params), where Rec() is the deterministic polynomial-time algorithm of the AKC, taking (Σ1, V, params) as input and outputting K1.
Con() and Rec() are computed coefficient by coefficient (see FIG. 1): for each coefficient σ1 of Σ1, σ2 of Σ2 and k2 of K2, Con produces the corresponding coefficient v of V and Rec recovers the corresponding coefficient k1 of K1. Seven consensus schemes are provided; each specifies a Con formula (consensus scheme-1 in two alternative forms) giving v, the value of the corresponding coefficient of V, and/or a Rec formula giving k1. The explicit formulas of the seven schemes are not reproduced in this text:
1) Consensus scheme-1;
2) Consensus scheme-2;
3) Consensus scheme-3;
4) Consensus scheme-4;
5) Consensus scheme-5;
6) Consensus scheme-6;
7) Consensus scheme-7.
Compress_1() and/or Compress_2() are computed as follows, and Decompress_1() and/or Decompress_2() as Decompress() below. Let t ≥ 0 be an integer with t ∈ {t1, t2}; t = 0 means that no compression or decompression is applied. In practical use of the method, the value of t employed by Compress_1() and Compress_2() may be the same (t1 = t2) or different (t1 ≠ t2). Each coefficient x of a polynomial is compressed to y = Compress(x) and decompressed as Decompress(y); the Compress() formulas of modes 1, 2, 3 and 5 are not reproduced in this text:
1) Compression and decompression mode-1: Decompress(y) = 2^t · y;
2) Compression and decompression mode-2: Decompress(y) = 2^t · y + 2^{t−1};
3) Compression and decompression mode-3: Decompress(y) = 2^t · y − 2^{t−1};
In the above three modes, if y = 2^{t−1} the compression function additionally outputs a flag; the decompression function takes this flag as input in addition to y and then outputs 2^t · y + 2^{t−1} or 2^t · y − 2^{t−1} accordingly.
4) Compression and decompression mode-4: y = Compress(x) = ⌊2^t · x / q⌉ (or an alternative rounding of the same quantity) and Decompress(y) = ⌊q · y / 2^t⌉ (or an alternative rounding of the same quantity), where ⌊·⌉ denotes rounding to the nearest integer; in this mode the output y has t bits;
5) Compression and decompression mode-5: (formulas not reproduced in this text);
Let N = 256 or N = 512, l ∈ {1, 2, 3, 4}, m ∈ {2, 4, 8, 16, 32, 64, 128, 256}, and g = 2^δ with δ ≥ 1 a positive integer; let the distributions with parameters η1, η2 and η3 each be a centred binomial distribution, a uniform distribution, a discrete Gaussian distribution restricted to a finite interval, another discrete distribution on a finite interval, or a combination of the above distributions on a finite interval;
Specifically, the parameters are selected as follows:
Parameter set-1: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-2: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-3: N = 256, l = 2, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-4: N = 256, l = 4, m = 4, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-5: η1 ≠ η2, with q ≤ 3329, or t1 = 0, or q ≤ 7681 and N = 512;
Parameter set-6: η1 ≠ η2, q ≤ 7681, using the compression and decompression modes 1) to 3) above;
Parameter set-7: η1 = η2 = 2 and q ≤ 3329, or η1 = η2 = 4 and q ≤ 7681, using the compression and decompression modes 1) to 4) above;
Parameter set-8: N = 256, l = 3, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 8 or 16, using the compression and decompression modes 1) to 3) above; or N = 256, l = 2, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 4, 8 or 16, using the compression and decompression modes 1) to 4) above;
Parameter set-9: N = 256, l = 3, m = 2, t1 = t2 = 4, η1 = 1, η2 = η3 = 4, q ≤ 7681, g = 8 or 16, using the compression and decompression modes 1) to 5) above;
Parameter set-10: m ≥ 3, or consensus scheme-3, 4, 5, 6 or 7 is used, or the Con/Rec of consensus scheme-1 is used with compression and decompression mode-3, 4 or 5, or the Con/Rec of consensus scheme-2 is used with compression and decompression mode-1, 2, 3 or 4; N = 256 or 512, l ≥ 2, m ≥ 2, t1 ≥ 0, t2 ≥ 0, η1 > 0, η2 > 0, η3 > 0, q ≤ 7681, g ≥ 2.
In a second aspect of the invention, the three distributions with parameters η1, η2 and η3 (the same or different) are each, with η ∈ {η1, η2, η3}, one of the following:
1) the uniform distribution over [−η, η];
2) the centred binomial distribution B_η: to sample from B_η, draw (a_1, ..., a_η, b_1, ..., b_η) ← {0,1}^{2η} and output Σ_{i=1}^{η} (a_i − b_i);
3) a discrete Gaussian distribution over [−η, η];
4) a combined distribution over a finite interval built from the above distributions, for example the sum or difference of a centred binomial distribution and a uniform distribution.
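The key generation, encryption and decryption steps above, the mode-4 compression and the centred binomial sampler, run end to end as an added example. This is illustrative code written for this page, not the patent's code or any reference implementation, and it fixes the choices the text leaves open: parameter set-12 with N = 256, l = 2, q = 3329, η1 = η2 = η3 = 1, t1 = 0, t2 = 3 (so Y1 is sent uncompressed and each coefficient of Y2 keeps 9 of 12 bits), m = 2 and g = 8; SHAKE-128 from Python's hashlib as the pseudo-random generator Gen and as the seed expander for all samplers; the centred binomial B_η for X1, E1, X2, E2 and Eσ; compression mode-4 with round-to-nearest; and, because the formulas of the seven consensus schemes are not reproduced in the text, a Kyber-style AKC with Con(σ2, k2) = ⌊g(σ2 + ⌊q·k2/m⌉)/q⌉ mod g and Rec(σ1, v) = ⌊m((⌊q·v/g⌉ − σ1) mod q)/q⌉ mod m, which is an assumption and not necessarily one of the patent's schemes. Polynomial multiplication is schoolbook in Z_q[x]/(x^256 + 1) so that nothing depends on an NTT.

```python
import hashlib, os

N, Q, L, ETA, M, G = 256, 3329, 2, 1, 2, 8   # parameter set-12 with m = 2, g = 8 (assumed choice)
D2 = 12 - 3                                  # bits kept per coefficient of Y2 (t2 = 3 bits dropped)

def rdiv(a, b):                              # round a/b to the nearest integer, ties upward; b > 0
    return (2 * a + b) // (2 * b)

def xof(*parts, n):                          # assumed instantiation of Gen and of the samplers: SHAKE-128
    return hashlib.shake_128(b"".join(parts)).digest(n)

def poly_mul(a, b):                          # schoolbook product in R_q = Z_q[x]/(x^N + 1)
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                r[i + j] += ai * bj
            else:                            # x^N = -1 in this ring
                r[i + j - N] -= ai * bj
    return [c % Q for c in r]

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def inner(u, v):                             # u^T v for l x 1 vectors of polynomials
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc

def mat_vec(A, x, transpose=False):          # A x, or A^T x when transpose is set
    return [inner([A[j][i] if transpose else A[i][j] for j in range(L)], x) for i in range(L)]

def gen_matrix(seed):                        # Gen(seed): uniform l x l matrix over R_q, 12-bit rejection sampling
    A = [[None] * L for _ in range(L)]
    for i in range(L):
        for j in range(L):
            stream, coeffs = xof(seed, bytes([i, j]), n=6 * N), []
            for k in range(0, len(stream), 2):
                v = (stream[k] | stream[k + 1] << 8) & 0xFFF
                if v < Q:
                    coeffs.append(v)
                if len(coeffs) == N:
                    break
            A[i][j] = coeffs
    return A

def cbd_poly(seed, nonce, eta=ETA):          # centred binomial B_eta: sum of eta bits minus sum of eta bits
    raw = xof(seed, bytes([nonce]), n=(2 * eta * N + 7) // 8)
    bits = [(raw[i >> 3] >> (i & 7)) & 1 for i in range(2 * eta * N)]
    return [(sum(bits[2 * eta * c:2 * eta * c + eta]) - sum(bits[2 * eta * c + eta:2 * eta * c + 2 * eta])) % Q
            for c in range(N)]

def compress(x, d):                          # mode-4: y = round(2^d x / q) mod 2^d
    return rdiv(x << d, Q) % (1 << d)

def decompress(y, d):                        # mode-4: round(q y / 2^d)
    return rdiv(Q * y, 1 << d)

def con(s2, k2):                             # assumed Kyber-style AKC: v = round(g (s2 + round(q k2/m)) / q) mod g
    return rdiv(G * ((s2 + rdiv(Q * k2, M)) % Q), Q) % G

def rec(s1, v):                              # assumed Kyber-style AKC: k1 = round(m ((round(q v/g) - s1) mod q) / q) mod m
    return rdiv(M * ((rdiv(Q * v, G) - s1) % Q), Q) % M

def keygen(seed_a, seed_s):                  # pk = (seed, Y1 = A X1 + E1); t1 = 0, so Compress_1 is the identity
    A = gen_matrix(seed_a)
    x1 = [cbd_poly(seed_s, i) for i in range(L)]
    e1 = [cbd_poly(seed_s, L + i) for i in range(L)]
    return (seed_a, [poly_add(p, e) for p, e in zip(mat_vec(A, x1), e1)]), x1

def encrypt(pk, k2, coins):                  # Y2 = Compress_2(A^T X2 + E2), Sigma2 = Y1^T X2 + E_sigma, V = Con(Sigma2, K2)
    seed_a, y1 = pk
    A = gen_matrix(seed_a)
    x2 = [cbd_poly(coins, i) for i in range(L)]
    e2 = [cbd_poly(coins, L + i) for i in range(L)]
    u = [poly_add(p, e) for p, e in zip(mat_vec(A, x2, transpose=True), e2)]
    y2 = [[compress(c, D2) for c in p] for p in u]
    sigma2 = poly_add(inner(y1, x2), cbd_poly(coins, 2 * L))
    return y2, [con(s, k) for s, k in zip(sigma2, k2)]

def decrypt(sk, ct):                         # Sigma1 = X1^T Decompress_2(Y2), K1 = Rec(Sigma1, V)
    y2, v = ct
    sigma1 = inner(sk, [[decompress(c, D2) for c in p] for p in y2])
    return [rec(s, b) for s, b in zip(sigma1, v)]

def roundtrip(seed_a, seed_s, coins, msg_seed):   # True iff K1 == K2 for a message derived from msg_seed
    k2 = [b % M for b in xof(msg_seed, n=N)]
    pk, sk = keygen(seed_a, seed_s)
    return decrypt(sk, encrypt(pk, k2, coins)) == k2

if __name__ == "__main__":
    print("K1 == K2:", roundtrip(*(os.urandom(32) for _ in range(4))))
```

With these choices the ciphertext is 2 × 256 × 9 bits for Y2 plus 256 × 3 bits for V, 672 bytes in total, and the 256-bit message is carried one bit per coefficient. For the assumed AKC, decryption of a coefficient is correct whenever |σ2 − σ1| < q/(2m) − q/(2g) − 1, about 623 here, while the difference Σ2 − Σ1 = E1^T X2 + Eσ − X1^T E2 − X1^T c2 (c2 the rounding error introduced by Compress_2) has a standard deviation of a few tens, which is why the error rate of such an instance depends on the compression and consensus choices exactly as the text states.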
In a third aspect of the invention, the parameters are selected as follows:
Parameter set-11: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 8;
Parameter set-12: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3 or 4, g = 4, 8, 16 or 32;
Parameter set-13: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 32;
Parameter set-14: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g = 8;
Parameter set-15: N = 512, l = 2, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16, 32, 64};
Parameter set-16: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 2, g = 8;
Parameter set-17: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g = 8;
Parameter set-18: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2 or 4, q ≤ 7681;
Parameter set-19: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 1, g ∈ {16, 32};
Parameter set-20: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16};
Parameter set-21: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 4, g ∈ {8, 16}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {4, 8}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {8, 16, 32}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 ∈ {0, 1}, g ∈ {32, 64, 128};
Parameter set-22: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g ∈ {4, 8}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {3, 4}, t2 ∈ {3, 4}, g ∈ {8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g ∈ {4, 8, 16}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {0, 1}, t2 ∈ {0, 1}, g ∈ {16, 32};
Parameter set-23: N = 256, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 4, g ∈ {4, 8, 16}; or N = 256, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {3, 4, 5}, t2 ∈ {4, 5}, g ∈ {4, 8, 16};
Parameter set-24: N = 512, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {2, 3}, t2 ∈ {2, 3}, g ∈ {4, 8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256};
Parameter set-25: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {0, 1, 2}, t2 ∈ {0, 1, 2}, g ∈ {4, 8, 16, 32, 64}; or N = 256, l = 4, m = 4, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256}.
In a fourth aspect of the invention, the method comprises: when m ≥ 3, either consensus scheme-3, 4, 5, 6 or 7 is used; or the Con or Rec algorithm of consensus scheme-1 is used together with compression and decompression scheme-3, 4 or 5; or the Con or Rec algorithm of consensus scheme-2 is used together with compression and decompression scheme-1, 2, 3 or 4; and the parameters are set as follows:
Parameter set-26: n=256, l=2, η1=2, η2=η3=12, q≤7681, t1=3, t2=4, g=8;
Parameter set-27: n=256, l=3, η1=1, η2=η3=4, q≤7681, t1=4, t2=4, g=16;
Parameter set-28: n=512, l=2, η1=2, η2=η3=8, q≤12289, t1=2 or 3, t2=3 or 4, g=16;
Parameter set-29: n=256, l=2, η1=η2=η3=2, q≤3329, t1=0, t2=2 or 3, g=8;
Parameter set-30: n=256, l=3, η1=η2=η3=2, q≤3329, t1=0, t2=2 or 3, g=16;
Parameter set-31: n=256, l=4, η1=η2=η3=2, q≤3329, t1=0, t2=1 or 2, g=32;
Parameter set-32: n=256, l=4, m=4, η1=η2=η3=2, q≤7681, t1=0, t2=2, g=32 or 64 or 128;
Parameter set-33: n=256, l=4, m=4, η1=η2=η3=1, q≤3329, t1=0, t2=1 or 2, g=32 or 64 or 128 or 256;
Parameter set-34: n=256, l=4, m=4, η1=η2=η3=1, q≤3329, t1=1, t2=1, g=1024 or 512 or 2048;
Parameter set-35: n=256, l=4, m=4, η1=η2=η3=1, q≤3329, t1=0, t2=0, g=8 or 16 or 32 or 64 or 128 or 256.
In the method described above, when the product of two polynomials is actually computed, a fast number-theoretic transform (NTT) of the polynomials is required. For some of the parameter sets the complete, conventional NTT cannot be applied, and a novel NTT can be used for those cases instead.
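As an added illustration (not the patent's own transform, and not the novel NTT the text refers to), the following Python shows the standard complete negacyclic NTT over Z_q[x]/(x^n+1) together with the divisibility check 2n | q−1 that decides which (q, n) pairs from the parameter sets above admit it: for n=256 it holds for q=7681 and q=12289 but not for q=3329, and for n=512 only for q=12289. All function names are my own; the schoolbook multiplication is there only to verify the NTT path.

```python
"""Complete negacyclic NTT multiplication in Z_q[x]/(x^n + 1), plus the check of
which (q, n) admit it. Added example; not the patent's transform."""
import random


def complete_ntt_supported(q, n):
    """A complete negacyclic NTT of length n needs a primitive 2n-th root of unity
    modulo the prime q, which exists exactly when 2n divides q - 1."""
    return (q - 1) % (2 * n) == 0


def find_psi(q, n):
    """Return psi with psi^n = -1 (mod q), i.e. a primitive 2n-th root of unity
    (n a power of two, q prime)."""
    if not complete_ntt_supported(q, n):
        raise ValueError("no complete NTT for q=%d, n=%d" % (q, n))
    k = (q - 1) // (2 * n)
    for g in range(2, q):
        psi = pow(g, k, q)
        if pow(psi, n, q) == q - 1:      # order divides 2n but not n, so it is 2n
            return psi
    raise ValueError("no primitive 2n-th root found (is q prime?)")


def cyclic_ntt(a, omega, q):
    """Radix-2 Cooley-Tukey: evaluate a(x) at omega^k, k = 0..n-1 (omega of order n)."""
    n = len(a)
    if n == 1:
        return list(a)
    even = cyclic_ntt(a[0::2], omega * omega % q, q)
    odd = cyclic_ntt(a[1::2], omega * omega % q, q)
    out = [0] * n
    w = 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q   # omega^(n/2) = -1
        w = w * omega % q
    return out


def negacyclic_mul_ntt(f, g, q):
    """f * g mod (x^n + 1, q) via the psi-twisted NTT: scaling coefficient j by psi^j
    turns evaluation at omega^k into evaluation at the roots psi^(2k+1) of x^n + 1."""
    n = len(f)
    psi = find_psi(q, n)
    omega = psi * psi % q                       # omega has order n
    twist = [pow(psi, j, q) for j in range(n)]
    f_hat = cyclic_ntt([f[j] * twist[j] % q for j in range(n)], omega, q)
    g_hat = cyclic_ntt([g[j] * twist[j] % q for j in range(n)], omega, q)
    h_hat = [a * b % q for a, b in zip(f_hat, g_hat)]
    h_twisted = cyclic_ntt(h_hat, pow(omega, -1, q), q)   # inverse transform, unscaled
    n_inv = pow(n, -1, q)
    return [h_twisted[j] * n_inv * pow(twist[j], -1, q) % q for j in range(n)]


def negacyclic_mul_schoolbook(f, g, q):
    """Reference O(n^2) multiplication mod (x^n + 1, q)."""
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                h[i + j] = (h[i + j] + fi * gj) % q
            else:
                h[i + j - n] = (h[i + j - n] - fi * gj) % q   # x^n = -1
    return h


def ntt_matches_schoolbook(q, n, seed=1):
    """Self-check on constructed random polynomials."""
    rng = random.Random(seed)
    f = [rng.randrange(q) for _ in range(n)]
    g = [rng.randrange(q) for _ in range(n)]
    return negacyclic_mul_ntt(f, g, q) == negacyclic_mul_schoolbook(f, g, q)


if __name__ == "__main__":
    # (q, n) pairs taken from the parameter sets above
    for q, n in [(3329, 256), (7681, 256), (12289, 512), (3329, 512), (7681, 512)]:
        status = "complete NTT" if complete_ntt_supported(q, n) else "needs another transform"
        print("q=%5d n=%3d: %s" % (q, n, status))
    print("NTT == schoolbook for q=7681, n=256:", ntt_matches_schoolbook(7681, 256))
```

For q=3329 with n=256, 2n=512 does not divide 3328 = 2^8·13, so only the 128 quadratic factors of x^256+1 can be reached and the last layer of the transform is missing; that is the situation the text addresses with its novel NTT.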
Description of the innovation and difficulty of the inventive method
The effectiveness of the method in practical application (including computational efficiency, bandwidth, error rate and so on) depends heavily on the choice of specific parameters. Choosing these parameters requires many factors to be weighed together and requires programming and testing. One of the main difficulties is the analysis of the error rate. The specific error rate of the inventive method depends on the compression function Compress and decompression function Decompress employed, as well as on the Con and Rec algorithms of the specific asymmetric consensus mechanism employed. To our knowledge, the error-rate analysis for different compression schemes and consensus mechanisms is currently incomplete; in particular, the exact error rate and the procedure for the bit-truncation compression scheme of the inventive method are blank.
We review the compression described in the second aspect of the invention:
The consensus mechanism described in the third aspect of the present invention (mode 2) is first treated by the following lemma:
Lemma 1.1. For the consensus algorithm to be correct, the parameters must satisfy (2d+2)·2 < q·(1−2/g).
Proof: by definition there exist ε1 ∈ {0, 1/2} and ε2 ∈ (−1/2, 1/2] such that v = g(σ2 + q·k2/2 + ε1)/q + ε2 + θ·g. Substituting the expression for k1 gives
So there exists ε3 ∈ (−1/2, 1/2] such that
By assumption there exist θ' and δ ∈ [−d, d] such that σ2 = σ1 + θ'·q + δ. Therefore we have
For correctness it is required that |2δ/q + 2(ε1 + ε3)/g + 2ε2| ≤ 2d/q + 2/q + 1/g < 1/2. Rearranging gives (2d+2)·2 < q·(1−2/g).
When q=7681 and g=8, the condition this consensus must satisfy evaluates to d < 1439.6875 < 1440.
Write ε1 = A·X1 + E1 − Decompress(Compress(A·X1 + E1)) and ε2 = A^T·X2 + E2 − Decompress(Compress(A^T·X2 + E2)); then Σ1 − Σ2 is
When the compression function of mode 1 of the second aspect of the present invention is used, we have
When the compression function of mode 4 of the second aspect of the present invention is used, we have
Here we have
Write ε2 = A^T·X2 + E2 − Decompress(Compress(A^T·X2 + E2)) and ε1 = A·X1 + E1 − Decompress(Compress(A·X1 + E1)); then
Here ε' ∈ [−1/2, 1/2),
and when |Err| < q/4 − 1/2, decryption is correct.
We mainly analyze the error rate of the parameter set n=256, l=3, which is also the common parameter choice in practical applications of the inventive method.
Below we compare the error expressions in the two cases.
Case 1: using mode 4 compression of the second aspect of the present invention and the mode 2 consensus mechanism of the third aspect, the error of the original encryption algorithm is
Here y1 corresponds to Decompress(Compress(A·X1 + E1)) when t1 ≠ 0, or to A·X1 + E1 when t1 = 0. Under the module-LWE assumption the coefficients of c_v are regarded as following the distribution (in the Python code, ). Decryption is correct when |Err| < q/4, i.e. |Err| < 1920.25 (more precisely, decryption is correct when |Err| < q/4 − 1/2).
Case 2: using mode 4 compression of the second aspect of the present invention and the mode 1 consensus mechanism of the third aspect, the error is
When Err < d < (q(1−2/g)/2 − 1)/2 = 1439.7, the consensus algorithm is correct, i.e. decryption succeeds.
Definition: a discrete probability distribution D is called centrally symmetric if −D = D, i.e. if Pr[x] = Pr[−x] holds for every x ~ D.
Note that the error calculation above is carried out without a mod operation. The logic of the error-rate computation is as follows: under the module-LWE assumption, the coefficients of ε1, ε2, εv are regarded as following the distribution of x − Decompress(Compress(x)). Then, by enumeration, a program computes the probability mass functions of X1, X2, E1, E2, Eσ (centered binomial) and the corresponding probability mass functions of ε1, ε2, εv. By further enumeration it computes the probability mass functions of Ei − εi and of (Ei − εi)·Xj. Note that (Ei − εi)·Xj is obtained as the sum of l·n independent coefficients drawn from this distribution.
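The enumeration procedure just described, as an added worked example in Python (not the patent's own program). It builds the probability mass functions of the centered binomial distribution and of the compression error x − Decompress(Compress(x)), combines them into one coefficient of (E − ε)·X, sums 2·l·n independent copies by repeated convolution, adds Eσ and εv, and reads off the probability that |Err| ≥ q/4 − 1/2, the correctness threshold stated above. The compression function (Kyber-style rounding to d bits, with d=None for the uncompressed t=0 case) and the exact shape of the error term are assumptions, since the page's own Compress/Decompress and error expressions are not reproduced here; the parameter values in the demo run are constructed.

```python
"""Error-rate estimation by enumeration for a module-LWE scheme. Added example.

Assumptions (not taken from the page):
  * Compress(x) = round(2^d * x / q) mod 2^d, Decompress(y) = round(q * y / 2^d);
    d is the number of bits kept, d=None means no compression.
  * Err = sum over 2*l*n coefficients of (E - eps_u) * X  +  E_sigma  +  eps_v,
    with X, E, E_sigma ~ CBD(eta) and eps_u, eps_v the compression errors.
  * Decryption is correct iff |Err| < q/4 - 1/2 (the page's threshold).
"""
from math import comb, log2


def cbd_pmf(eta):
    """PMF of the centered binomial distribution CBD(eta) on {-eta, ..., eta}."""
    return {k: comb(2 * eta, k + eta) / 4 ** eta for k in range(-eta, eta + 1)}


def compress(x, q, d):
    return (((x << d) + q // 2) // q) % (1 << d)


def decompress(y, q, d):
    return (y * q + (1 << (d - 1))) >> d


def compress_error_pmf(q, d):
    """PMF of x - Decompress(Compress(x)) for x uniform in Z_q, centred into (-q/2, q/2]."""
    if d is None:
        return {0: 1.0}
    pmf = {}
    for x in range(q):
        e = (x - decompress(compress(x, q, d), q, d)) % q
        if e > q // 2:
            e -= q
        pmf[e] = pmf.get(e, 0.0) + 1.0 / q
    return pmf


def add_pmf(p, r, cutoff=0.0):
    """PMF of the sum of two independent variables (convolution); mass below cutoff is dropped."""
    out = {}
    for a, pa in p.items():
        for b, pb in r.items():
            out[a + b] = out.get(a + b, 0.0) + pa * pb
    return {k: v for k, v in out.items() if v >= cutoff}


def mul_pmf(p, r):
    """PMF of the product of two independent variables."""
    out = {}
    for a, pa in p.items():
        for b, pb in r.items():
            out[a * b] = out.get(a * b, 0.0) + pa * pb
    return out


def neg_pmf(p):
    return {-k: v for k, v in p.items()}


def iid_sum_pmf(p, count, cutoff=0.0):
    """PMF of the sum of `count` i.i.d. copies of p, by binary exponentiation of convolution."""
    result = {0: 1.0}
    base = p
    while count:
        if count & 1:
            result = add_pmf(result, base, cutoff)
        count >>= 1
        if count:
            base = add_pmf(base, base, cutoff)
    return result


def tail_prob(pmf, bound):
    """P(|Err| >= bound)."""
    return sum(v for k, v in pmf.items() if abs(k) >= bound)


def decryption_failure_prob(q, n, l, eta, d_u, d_v, cutoff=1e-200):
    """Probability of |Err| >= q/4 - 1/2 under the assumed error shape."""
    x = cbd_pmf(eta)                                       # secret coefficients
    e = cbd_pmf(eta)                                       # noise coefficients
    eps_u = compress_error_pmf(q, d_u)                     # error from compressing A*X + E
    eps_v = compress_error_pmf(q, d_v)                     # error from compressing v
    term = mul_pmf(add_pmf(e, neg_pmf(eps_u)), x)          # one coefficient of (E - eps_u) * X
    err = iid_sum_pmf(term, 2 * l * n, cutoff)             # both inner products: 2*l*n coefficients
    err = add_pmf(err, cbd_pmf(eta), cutoff)               # + E_sigma
    err = add_pmf(err, eps_v, cutoff)                      # + eps_v
    return tail_prob(err, q / 4 - 0.5)


if __name__ == "__main__":
    # Constructed demo for the page's main case n=256, l=3 with q=3329, eta=1 and assumed
    # 10/4 compression bits; the pure-Python convolutions take roughly a minute.
    p = decryption_failure_prob(3329, 256, 3, 1, 10, 4)
    print("failure probability ~ 2^%.1f" % (log2(p) if p > 0 else float("-inf")))
```

The `cutoff` only discards mass far below any failure probability of interest, which keeps the convolution supports small; set it to 0 when you need the exact distribution for small parameters.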
We use δ to denote the error expression above. The error-rate calculation for case 2 estimates the probability that δ takes a value greater than (q(1−2/g)/2 − 2)/2 = 1439.1875; for case 1 it computes the probability that δ − εv takes a value greater than q/4 = 1920.25. We now review the proof of the lemma again: using the consensus algorithm of case 1, the expression for K1 is
In fact we can replace the upper-bound proof of the consensus. Note that, in our notation, Σ2 is the input to Rec, so we can assume that Σ2 is uniformly distributed. Then,
Here, by assumption, it follows the distribution given above. When ‖Σ2 − Σ1 − εv‖∞ < q/4 − 1/2, we can deduce K1 = K2. The proof of the lemma amounts to deriving, from the absolute upper bound of εv, the condition that the upper bound d of |Σ1 − Σ2| must satisfy. However, εv is a probability distribution: taking the specific parameters as an example, εv takes values in [−480, 480], each with a certain probability. Thus when |Σ1 − Σ2| is smaller than 1440, K1 = K2 can be deduced with certainty; but when 1440 < |Σ1 − Σ2| < 1920, K1 = K2 is still possible depending on εv. In practical use, the quantity involved is also computed from the module-LWE assumption and follows a certain probability distribution. Therefore, computing the error directly from the LWE-decryption angle means computing the probability distribution of the relevant variable more directly and then enumerating to obtain the probability of a decryption error. In this way the probability is "dispersed" in a more direct, equivalent calculation. For different parameters, εv differs. Based on the above reasoning and observations, we carried out programming experiments and many tests to determine the specific parameter values of the inventive method that give the best efficiency, bandwidth and error rate.