CN113541933B - Efficient compact lattice-based encryption method - Google Patents


Info

Publication number
CN113541933B
Authority
CN
China
Legal status
Active
Application number
CN202010382073.7A
Other languages
Chinese (zh)
Other versions
CN113541933A (en)
Inventors
赵运磊 (Zhao Yunlei)
黄兴忠 (Huang Xingzhong)
Current Assignee
Fudan University
Original Assignee
Individual
Events
Application filed by Individual
Publication of CN113541933A
Application granted
Publication of CN113541933B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852: Quantum cryptography

Abstract

An efficient compact lattice-based encryption method. The decryptor's public key is Y1 = Compress1(AX1 + E1) and the private key is X1; Compress1(), Decompress1() and Compress2(), Decompress2() are two pairs of compression and decompression functions, Con() and Rec() are the two parties' consensus (reconciliation) algorithms, and the message to be encrypted is K2. The ciphertext sent by the encryptor has two parts: Y2 = Compress2(A^T X2 + E2) and V ← Con(Σ2, K2, params), where Σ2 = Decompress1(Y1)^T · X2 + Eσ and params are the system parameters. On receipt, the decryptor first decompresses Y2 and computes Σ1 = Decompress2(Y2)^T · X1, then recovers the key with the consensus algorithm, K1 = Rec(Σ1, V, params). The concrete parameters of the method were chosen after a detailed mathematical analysis of the error rates of the different compression and consensus mechanisms together with extensive programmed testing, so as to obtain the best trade-off among efficiency, bandwidth and error rate.

Description

Efficient compact lattice-based encryption method
Technical Field
The invention relates to cryptographic technology, in particular to a lattice-based post-quantum encryption method.
Background
IBM engineers predict that quantum computers will be deployed at scale within the next twenty years. Once quantum computers are mass-produced, most public-key cryptosystems based on discrete logarithms, elliptic-curve discrete logarithms or integer factorisation will be broken. Therefore, whether or not the arrival of the quantum computing era can be predicted accurately, current information security systems need to be raised to a quantum-resistant level.
Lattice cryptography is today one of the main mathematical tools for resisting quantum attacks. Within it, the LWE (Learning With Errors) problem is supported by worst-case to average-case reductions from approximate versions of the classical lattice problems (such as SVP and CVP), which makes it a more general foundation than those problems themselves.
For a real σ > 0 and x ∈ R, define the Gaussian function with parameter σ; the one-dimensional discrete Gaussian distribution over the integers is the distribution whose probability mass function is determined by that Gaussian function, and the n-dimensional spherical discrete Gaussian distribution is the distribution over integer vectors in which every coordinate is drawn independently from the one-dimensional discrete Gaussian. Given positive integers n and q, both polynomial in the security parameter λ, a secret integer vector x and a probability distribution χ over Z_q, choose a vector a uniformly at random, sample the noise e ← χ, and let A_{q,x,χ} be the distribution of the LWE sample (a, ⟨a, x⟩ + e mod q). The noise distribution χ is usually taken to be the discrete Gaussian distribution, but other distributions may be used.
Under the decisional LWE assumption, for a sufficiently large security parameter λ no probabilistic polynomial-time algorithm can distinguish A_{q,x,χ} from the uniform distribution with non-negligible advantage. This remains true even when the adversary sees polynomially many samples and even when the secret vector x is itself drawn from χ^n.
The MLWE problem is a variant of the LWE problem. Samples from the MLWE distribution have the form (A_i, Y_i = A_i X + E_i) over the ring R_q of polynomials with coefficients in Z_q reduced modulo the m-th cyclotomic polynomial; l and h are the dimensions of the matrix samples. Each A_i is chosen uniformly at random and Y_i = A_i X + E_i is computed; all samples use the same secret X, while the A_i and E_i are fresh for each sample (i indexes the sample). X and E_i are drawn from two distributions with parameters η1 and η2 respectively, which may be the same or different. The (search) MLWE problem is to recover X from polynomially many samples of the MLWE distribution. Specifically, for an adversary A one defines its distinguishing advantage.
If no algorithm A with running time at most t has advantage greater than ε, the (t, ε)-MLWE_{h,l,η} hardness assumption is said to hold.
A public-key encryption scheme can be built on the hardness of MLWE. A public-key encryption scheme is a triple of algorithms PKE = (Gen, Enc, Dec) such that, for any κ ∈ N:
1) Gen: the key generation algorithm is a probabilistic polynomial-time algorithm that takes 1^κ as input and outputs a pair of strings (pk, sk), the public key and the private key, written (pk, sk) ← Gen(1^κ).
2) Enc: the encryption algorithm is a probabilistic polynomial-time algorithm that takes the public key pk and a message M from the plaintext space MSP, chooses r uniformly from the randomness space, and outputs a ciphertext C ∈ {0,1}*; this is written C ← Enc_pk(M; r).
3) Dec: the decryption algorithm is a deterministic polynomial-time algorithm that takes the private key sk and a ci ciphertext C ∈ {0,1}* and returns a message M ∈ MSP.
If for every κ ∈ N, with (pk, sk) generated by Gen(1^κ), E[max_{M ∈ MSP} Pr[Dec_sk(Enc_pk(M)) ≠ M]] ≤ δ (the expectation taken over the key generation), the PKE scheme is said to be δ-correct.
A key encapsulation mechanism KEM = (Gen, Encaps, Decaps) consists of three algorithms. The key generation algorithm Gen takes the security parameter κ and outputs a key pair (pk, sk), which also fixes a finite key space K. The encapsulation algorithm Encaps takes pk and outputs a pair (K, C), where C is an encapsulation of the key K ∈ K. The deterministic decapsulation algorithm Decaps takes sk and an encapsulation C and outputs either a key K = Decaps(sk, C) ∈ K or the symbol ⊥, indicating that C is not a valid encapsulation.
If Pr[Decaps(sk, C) ≠ K | (pk, sk) ← Gen(1^κ); (K, C) ← Encaps(pk)] ≤ δ, the KEM is said to be δ-correct.
Disclosure of Invention
In the lattice-based efficient compact encryption method the following notation is used. A string or value α denotes a binary value and |α| its length in bits. For any real number x, ⌊x⌋ denotes the largest integer not greater than x and ⌈x⌉ the smallest integer not less than x; for positive integers a and b, lcm(a, b) denotes their least common multiple. For integers i < j, [i, j] denotes the set of integers {i, i+1, ..., j−1, j}. For a positive integer t, Z_t denotes the integers modulo t; its elements are represented by default as [0, t−1], but will sometimes be written explicitly in a different representative range. {0,1}^n denotes the set of binary strings of length n.
If S is a finite set, |S| denotes its cardinality and x ← S denotes drawing an element of S uniformly at random. For two sets A and B, A + B = {a + b | a ∈ A, b ∈ B}; for an additive group (G, +), an element x ∈ G and a subset S ⊆ G, x + S denotes the set obtained by adding x to each element of S. For a set S, U(S) denotes the uniform distribution on S. For a discrete random variable X over R, Support(X) = {x ∈ R | Pr[X = x] > 0}.
If D is a probability distribution, x ← D denotes sampling an element according to D and assigning it to x; if α is neither an algorithm nor a set, x ← α denotes plain assignment. If A is a probabilistic algorithm, A(x1, x2, ...; r) denotes the result of running A on inputs x1, x2, ... with random seed r, and y ← A(x1, x2, ...; r) denotes the experiment of choosing r at random and setting y to A(x1, x2, ...; r). Pr[R1; ...; Rn : E] denotes the probability that event E occurs after the ordered sequence of random processes R1, ..., Rn. A function f(λ) is negligible if for every c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c. Define the ring R_q as the polynomials with coefficients in Z_q reduced modulo the m-th cyclotomic polynomial; an element of R_q is an N-dimensional polynomial of the form a_0 + a_1 x + a_2 x^2 + ... + a_{N−1} x^{N−1}, where N is a positive integer. The positive integers l and h are the dimensions of the matrix samples; an h × l matrix over R_q has entries that are such N-dimensional polynomials. A function whose input is a vector is applied separately to each component of the vector.
the samples in the MLWE distribution are in the form ofThe MLWE problem is to recover the secret value X from the polynomial number of samples from the MLWE distribution; specifically, randomly select +.>Calculating to obtain Y i =A i X+E i All samples were used with the same +.>And the same or different->Wherein a positive integer i is used for the number of marks, +.>And->Respectively two probability distributions, and the distribution parameter is marked as eta 1 And eta 2 The distribution can be the same or different; definition for adversary A
If there is no algorithm A with maximum run time τ and advantage greater than ε, we call (τ, ε) -MLWE h,l,η The difficulty assumption holds; where τ is a polynomial about N and ε is a negligible function about N;
an asymmetric consensus algorithm akc= (params, con, rec), wherein the parameters are defined as follows:
1) params= (q, m, g, d, aux) represents a system parameter, 2.ltoreq.m, g.ltoreq.q,and are all positive integers, aux represents auxiliary information determined by (q, m, g, d), and the value of the auxiliary information may be null; unless specifically stated, m=2 or 4 in the process of the invention;
2)V←Con(Σ 2 ,K 2 params), con () is a polynomial time algorithm, and is applied to the input (Σ 2 ,K 2 Params) algorithm outputs a signalWherein (1)> Wherein N and N' and N are positive integers, and the values are equal or unequal;
3)K 1 =Rec(Σ 1 v, params), rec () is a deterministic polynomial algorithm, and the input is (Σ 1 V, params), the result of the Rec () output isWherein (1)>
In a first aspect of the invention, the method comprises:
generating the system parameters (λ, N, q, χ, AKC, l, h, t1, t2) needed for encryption, where λ is the security parameter, q ≥ 2, χ is the noise distribution, l and h are positive integers polynomial in λ that denote dimensions, and t1 and t2 are the parameters of the compression functions that reduce the bandwidth of the transmitted ciphertext;
public and private key generation: the decryptor samples a random seed ← {0,1}^κ, where the length κ is a positive integer, and generates the matrix A = Gen(seed), Gen being a pseudo-random generator that maps a κ-bit string to a matrix A over R_q; the decryptor samples X1 and E1 from two distributions over l × 1 vectors whose components are polynomials in R_q (the two distributions may be the same or different); X1, and optionally E1, form the private key; the decryptor computes the public key Y1 = Compress1(AX1 + E1) and sends Y1 together with seed to the encryptor as the public key. Compress1() is a compression function whose input and output are both l × 1 vectors over R_q, each component an N-dimensional polynomial, with every polynomial coefficient reduced by t1 bits, where t1 ≥ 0 is an integer;
encryption: the encryptor selects the message K2 to be encrypted and, from the received seed, regenerates A = Gen(seed) with the same pseudo-random generator Gen; the encryptor samples X2 and E2 from two (same or different) distributions over l × 1 vectors and Eσ from a distribution over N-dimensional polynomials, the three distribution parameters η1, η2, η3 being equal or not; the encryptor then computes:
1) Y2 = Compress2(A^T X2 + E2), where Compress2() is a compression function whose input and output are l × 1 vectors over R_q, each component an N-dimensional polynomial with every coefficient reduced by t2 bits, t2 ≥ 0 an integer; the encryptor's Compress2() may be the same as or different from the decryptor's Compress1();
2) Σ2 = Decompress1(Y1)^T · X2 + Eσ, where Decompress1() is the decompression function matching the decryptor's Compress1(); its input Y1 and its output are l × 1 vectors over R_q, and the inner product with X2 plus Eσ ∈ R_q gives Σ2 ∈ R_q, an N-dimensional polynomial;
3) V ← Con(Σ2, K2, params), where Con() is the polynomial-time algorithm defined in the asymmetric key consensus AKC; on input (Σ2, K2, params) it outputs V;
the encryptor sends Y2 and V to the decryptor as the ciphertext;
decryption: having received Y2 and V, the decryptor performs the following steps:
1) Σ1 = Decompress2(Y2)^T · X1, where Decompress2() is the decompression function matching the encryptor's Compress2(); its input Y2 and its output are l × 1 vectors over R_q, and the inner product with X1 gives Σ1 ∈ R_q, an N-dimensional polynomial;
2) K1 = Rec(Σ1, V, params), where Rec() is the deterministic polynomial-time algorithm of the AKC; on input (Σ1, V, params) it outputs K1.
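Why decryption works, carried through in the page's own symbols (an added derivation, not part of the patent text; the only new symbols are C1 and C2, introduced here for the per-coefficient errors of the two compression functions, so that Decompress1(Y1) = AX1 + E1 + C1 and Decompress2(Y2) = A^T X2 + E2 + C2, with C1 = 0 when t1 = 0):

$$\Sigma_2 = \mathrm{Decompress}_1(Y_1)^{T} X_2 + E_\sigma = (A X_1 + E_1 + C_1)^{T} X_2 + E_\sigma = X_1^{T} A^{T} X_2 + E_1^{T} X_2 + C_1^{T} X_2 + E_\sigma$$

$$\Sigma_1 = \mathrm{Decompress}_2(Y_2)^{T} X_1 = (A^{T} X_2 + E_2 + C_2)^{T} X_1 = X_1^{T} A^{T} X_2 + E_2^{T} X_1 + C_2^{T} X_1$$

$$\Sigma_2 - \Sigma_1 = E_1^{T} X_2 - E_2^{T} X_1 + C_1^{T} X_2 - C_2^{T} X_1 + E_\sigma$$

The term X_1^T A^T X_2, which carries all of the public randomness, cancels because R_q is commutative, so (A^T X_2)^T X_1 = X_2^T A X_1 = X_1^T A^T X_2. What remains is a sum of 2lN products of small noise coefficients plus the compression errors, so each coefficient of Σ2 − Σ1 is small relative to q, and Rec returns K1 = K2 exactly when no coefficient exceeds the tolerance that the chosen (q, m, g) give the consensus scheme. Two consequences are visible in the parameter sets: setting t1 = 0 removes C1 entirely, so compression then costs accuracy only on the ciphertext part Y2, and larger l, N or η enlarge the residual, which is why the sets with larger η are paired with a larger q.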
Con() and Rec() operate coefficient by coefficient: for each coefficient σ2 of Σ2, each coefficient σ1 of Σ1 and each coefficient k2 of K2, Con produces v, the corresponding coefficient of V, from (σ2, k2), and/or Rec recovers k1 from (σ1, v). Seven consensus ways, consensus way-1 to consensus way-7, are provided; they differ in the expressions used for v and for k1 (consensus way-1 admits two alternative expressions for v), and the parameter sets below refer to them by number.
Compress1() and/or Compress2() are computed as follows, and Decompress1() and/or Decompress2() as the matching Decompress(). Let t ≥ 0 be an integer with t ∈ {t1, t2}; t = 0 means that no compression or decompression is applied. In practice the value of t used by Compress1() and by Compress2() may be the same (t1 = t2) or different (t1 ≠ t2). For each coefficient x of a polynomial, write y = Compress(x):
1) Compression and decompression mode-1: Compress drops the low t bits of x; Decompress(y) = 2^t y;
2) Compression and decompression mode-2: Compress drops the low t bits of x; Decompress(y) = 2^t y + 2^{t−1};
3) Compression and decompression mode-3: Compress drops the low t bits of x; Decompress(y) = 2^t y − 2^{t−1};
In the above three modes, if y = 2^{t−1} the compression function additionally outputs an identifier; the decompression function then takes this identifier as input in addition to y, and its output is 2^t y + 2^{t−1} or 2^t y − 2^{t−1} accordingly.
4) Compression and decompression mode-4: y = Compress(x) = ⌊2^t x / q⌉ and Decompress(y) = ⌊q y / 2^t⌉, or a variant of this pair;
5) Compression and decompression mode-5.
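The key generation, encryption and decryption above, run end to end as an added example in Python (illustrative code written for this page, not the patent's or any product's implementation). It fixes one set of assumptions: N = 256, l = 2, q = 3329, centred binomial noise with η1 = η2 = η3 = 2, t1 = 0, t2 = 2, m = 2 and g = 8, which mirrors the shape of parameter set-29 below without claiming to reproduce its error analysis; Compress/Decompress follow the mode-2 shape (drop t low bits, re-add 2^{t−1}). Because the patent's seven Con/Rec expressions are not reproduced on this page, Con and Rec here are a standard rounding-based reconciliation with the same (q, m, g) interface, chosen by the editor; it is not one of the numbered consensus ways. The schoolbook multiplication, Python's random module for noise and the absence of any constant-time care make it suitable for study only.

```python
"""Toy end-to-end run of the key generation, encryption and decryption above.
ADDED EXAMPLE for this page, not the patent's code.  Assumed: N=256, l=2, q=3329, centred
binomial eta1=eta2=eta3=2, t1=0, t2=2, m=2, g=8 (the shape of parameter set-29); mode-2
Compress/Decompress; editor-chosen rounding Con/Rec, not one of the patent's seven ways.
Schoolbook multiplication, Python's random module, no constant-time care: study only."""
import hashlib
import random
N, L, Q = 256, 2, 3329   # ring degree, module rank, modulus
ETA = 2                  # centred binomial parameter (eta1 = eta2 = eta3)
T1, T2 = 0, 2            # bits dropped from Y1 and from Y2 (t = 0: no compression)
M, G = 2, 8              # message coefficients in Z_m, hint coefficients in Z_g

def poly_mul(a, b):
    """Schoolbook product in R_q = Z_q[x]/(x^N + 1); x^N = -1, so the upper half is subtracted."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:                           # callers pass the sparse small-coefficient operand first
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    return [(acc[k] - acc[k + N]) % Q for k in range(N)]

def poly_sum(polys):
    """Coefficient-wise sum mod q of any number of polynomials."""
    return [sum(c) % Q for c in zip(*polys)]

def expand_matrix(seed):
    """Gen(seed): l x l uniform matrix over R_q from SHAKE-128 with 12-bit rejection sampling."""
    A = [[None] * L for _ in range(L)]
    for i in range(L):
        for j in range(L):
            s = hashlib.shake_128(seed + bytes([i, j])).digest(2048)
            cand = [(s[k] | s[k + 1] << 8) & 0x0FFF for k in range(0, 2048, 2)]
            A[i][j] = [v for v in cand if v < Q][:N]   # 1024 candidates, about 832 accepted
    return A

def cbd_poly(rng):
    """Centred binomial B_eta: (sum of eta bits) - (sum of eta bits), per coefficient."""
    return [sum(rng.getrandbits(1) for _ in range(ETA)) - sum(rng.getrandbits(1) for _ in range(ETA))
            for _ in range(N)]

def cbd_vec(rng):
    return [cbd_poly(rng) for _ in range(L)]

def mat_vec(A, X, transpose=False):
    """A * X (or A^T * X) for an l-vector X of small polynomials."""
    return [poly_sum(poly_mul(X[j], A[j][i] if transpose else A[i][j]) for j in range(L))
            for i in range(L)]

def inner(X, Y):
    """X^T * Y for two l-vectors over R_q; X should be the small-coefficient one."""
    return poly_sum(poly_mul(x, y) for x, y in zip(X, Y))

def compress(vec, t):
    """Mode-2 compression: keep the high bits of each coefficient, y = floor(x / 2^t)."""
    return [[c >> t for c in p] for p in vec]

def decompress(vec, t):
    """Mode-2 decompression: 2^t y + 2^(t-1), the midpoint of the dropped interval (t = 0: identity)."""
    return vec if t == 0 else [[((y << t) + (1 << (t - 1))) % Q for y in p] for p in vec]

def con(sigma2, k2):
    """Con: v = round(g * (sigma2 + k2 * q / m) / q) mod g, coefficient-wise (assumed form)."""
    return [((2 * G * (M * s + k * Q) + M * Q) // (2 * M * Q)) % G for s, k in zip(sigma2, k2)]

def rec(sigma1, v):
    """Rec: k1 = round(m * (v / g - sigma1 / q)) mod m; exact while |sigma2 - sigma1| < q(1/2m - 1/2g)."""
    return [((2 * M * (h * Q - s * G) + G * Q) // (2 * G * Q)) % M for s, h in zip(sigma1, v)]

def keygen(rng):
    seed = rng.getrandbits(256).to_bytes(32, "big")   # toy randomness; use os.urandom in real code
    A = expand_matrix(seed)
    X1, E1 = cbd_vec(rng), cbd_vec(rng)
    Y1 = compress([poly_sum([p, e]) for p, e in zip(mat_vec(A, X1), E1)], T1)
    return (seed, Y1), X1                              # pk = (seed, Y1), sk = X1

def encrypt(pk, K2, rng):
    seed, Y1 = pk
    A = expand_matrix(seed)
    X2, E2, Es = cbd_vec(rng), cbd_vec(rng), cbd_poly(rng)
    Y2 = compress([poly_sum([p, e]) for p, e in zip(mat_vec(A, X2, transpose=True), E2)], T2)
    sigma2 = poly_sum([inner(X2, decompress(Y1, T1)), Es])   # Sigma2 = Decompress1(Y1)^T X2 + E_sigma
    return Y2, con(sigma2, K2)

def decrypt(sk, ct):
    Y2, V = ct
    sigma1 = inner(sk, decompress(Y2, T2))                   # Sigma1 = Decompress2(Y2)^T X1
    return rec(sigma1, V)

def roundtrip(seed_int):
    """KeyGen, encrypt a random message of N symbols in Z_m, decrypt; returns (K2, K1)."""
    rng = random.Random(seed_int)
    pk, sk = keygen(rng)
    K2 = [rng.getrandbits(1) for _ in range(N)]              # m = 2: one bit per coefficient
    return K2, decrypt(sk, encrypt(pk, K2, rng))

if __name__ == "__main__":
    K2, K1 = roundtrip(2020)
    print("decryptor recovered the encryptor's message:", K1 == K2)
```

Running the file reports whether the decryptor's K1 equals the encryptor's K2. With these choices the residual Σ2 − Σ1 is a sum of 2lN = 1024 products of η = 2 centred binomial terms plus the t2 = 2 compression error, with a standard deviation of roughly 40, while the rounding reconciliation tolerates any per-coefficient deviation below q(1/(2m) − 1/(2g)) ≈ 624, so a mismatch is not expected in practice; changing g to 4 or t2 to 4 in the constants is an easy way to watch that margin shrink.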
Let N = 256 or N = 512, l ∈ {1, 2, 3, 4}, m ∈ {2, 4, 8, 16, 32, 64, 128, 256}, and g = 2^δ with δ ≥ 1 an integer; let the distributions with parameters η1, η2 and η3 each be a centred binomial distribution, a uniform distribution, a discrete Gaussian distribution restricted to a finite interval, another discrete distribution on a finite interval, or a combination of these distributions on a finite interval.
Specifically, the parameters are selected as follows:
Parameter set-1: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-2: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329;
Parameter set-3: N = 256, l = 2, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-4: N = 256, l = 4, m = 4, η1 = η2 = η3 ≥ 4, q ≥ 3329 or q ≥ 7681;
Parameter set-5: η1 ≠ η2, with q ≤ 3329, or t1 = 0, or q ≤ 7681 and N = 512;
Parameter set-6: η1 ≠ η2, q ≤ 7681, using the compression or decompression modes 1) to 3) above;
Parameter set-7: η1 = η2 = 2 and q ≤ 3329, or η1 = η2 = 4 and q ≤ 7681, using the compression or decompression modes 1) to 4) above;
Parameter set-8: N = 256, l = 3, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 8 or 16, using the compression or decompression modes 1) to 3) above; or N = 256, l = 2, m = 2, t1 = 0, t2 = 2, η1 = η2 = η3 = 2, q ≤ 3329, g = 4, 8 or 16, using the compression or decompression modes 1) to 4) above;
Parameter set-9: N = 256, l = 3, m = 2, t1 = t2 = 4, η1 = 1, η2 = η3 = 4, q ≤ 7681, g = 8 or 16, using the compression or decompression modes 1) to 5) above;
Parameter set-10: m ≥ 3, or using consensus way-3, 4, 5, 6 or 7, or using the Con or Rec of consensus way-1 together with compression and decompression mode-3, 4 or 5, or using the Con or Rec of consensus way-2 together with compression and decompression mode-1, 2, 3 or 4; with N = 256 or 512, l ≥ 2, m ≥ 2, t1 ≥ 0, t2 ≥ 0, η1 > 0, η2 > 0, η3 > 0, q ≤ 7681, g ≥ 2.
In a second aspect of the invention, the three distributions with parameters η1, η2 and η3 are the same or different, and with η ∈ {η1, η2, η3} each of them is one of the following:
1) the uniform distribution over [−η, η];
2) the centred binomial distribution B_η, defined by sampling (a_1, ..., a_η, b_1, ..., b_η) ← {0,1}^{2η} uniformly and outputting Σ_{i=1}^{η} (a_i − b_i);
3) a discrete Gaussian distribution over [−η, η];
4) a combined distribution over a finite interval built from the above, for example the sum or difference of a centred binomial distribution and a uniform distribution.
In a third aspect of the invention, the method comprises:
Parameter set-11: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 8;
Parameter set-12: N = 256, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3 or 4, g = 4, 8, 16 or 32;
Parameter set-13: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g = 32;
Parameter set-14: N = 256, l = 3, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g = 8;
Parameter set-15: N = 512, l = 2, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16, 32, 64};
Parameter set-16: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 2, g = 8;
Parameter set-17: N = 512, l = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g = 8;
Parameter set-18: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2 or 4, q ≤ 7681;
Parameter set-19: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 1, g ∈ {16, 32};
Parameter set-20: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = 0, t2 ∈ {0, 1, 2}, g ∈ {8, 16};
Parameter set-21: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 4, g ∈ {8, 16}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {4, 8}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 3, g ∈ {8, 16, 32}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 ∈ {0, 1}, g ∈ {32, 64, 128};
Parameter set-22: N = 256, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 3, g ∈ {4, 8}; or N = 256, l = 3, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {3, 4}, t2 ∈ {3, 4}, g ∈ {8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 = η2 = η3 = 1, q ≤ 3329, t1 = t2 = 2, g ∈ {4, 8, 16}; or N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 ∈ {0, 1}, t2 ∈ {0, 1}, g ∈ {16, 32};
Parameter set-23: N = 256, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 = t2 = 4, g ∈ {4, 8, 16}; or N = 256, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {3, 4, 5}, t2 ∈ {4, 5}, g ∈ {4, 8, 16};
Parameter set-24: N = 512, l = 2, m = 2, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {2, 3}, t2 ∈ {2, 3}, g ∈ {4, 8, 16, 32, 64}; or N = 512, l = 2, m = 2, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256};
Parameter set-25: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 ∈ {0, 1, 2}, t2 ∈ {0, 1, 2}, g ∈ {4, 8, 16, 32, 64}; or N = 256, l = 4, m = 4, η1 ∈ {1, 4}, η2 = η3 ∈ {4, 1}, q ≤ 7681, t1 ∈ {0, 1, 2, 3, 4}, t2 ∈ {0, 1, 2, 3, 4}, g ∈ {2, 4, 8, 16, 32, 64, 128, 256}.
In a fourth aspect of the invention, when m ≥ 3, or when using consensus way-3, 4, 5, 6 or 7, or the Con or Rec of consensus way-1 together with compression and decompression mode-3, 4 or 5, or the Con or Rec of consensus way-2 together with compression and decompression mode-1, 2, 3 or 4, the parameters are set as follows:
Parameter set-26: N = 256, l = 2, η1 = 2, η2 = η3 = 12, q ≤ 7681, t1 = 3, t2 = 4, g = 8;
Parameter set-27: N = 256, l = 3, η1 = 1, η2 = η3 = 4, q ≤ 7681, t1 = 4, t2 = 4, g = 16;
Parameter set-28: N = 512, l = 2, η1 = 2, η2 = η3 = 8, q ≤ 12289, t1 = 2 or 3, t2 = 3 or 4, g = 16;
Parameter set-29: N = 256, l = 2, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 2 or 3, g = 8;
Parameter set-30: N = 256, l = 3, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 2 or 3, g = 16;
Parameter set-31: N = 256, l = 4, η1 = η2 = η3 = 2, q ≤ 3329, t1 = 0, t2 = 1 or 2, g = 32;
Parameter set-32: N = 256, l = 4, m = 4, η1 = η2 = η3 = 2, q ≤ 7681, t1 = 0, t2 = 2, g = 32, 64 or 128;
Parameter set-33: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 1 or 2, g = 32, 64, 128 or 256;
Parameter set-34: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 1, t2 = 1, g = 512, 1024 or 2048;
Parameter set-35: N = 256, l = 4, m = 4, η1 = η2 = η3 = 1, q ≤ 3329, t1 = 0, t2 = 0, g = 8, 16, 32, 64, 128 or 256.
When the product of two polynomials is actually computed in the method above, a fast number-theoretic transform (NTT) is used. For some of the parameter choices a complete traditional NTT is not available, because a full negacyclic NTT of length N over Z_q needs 2N to divide q − 1, which fails for example for q = 3329 with N = 256; for those cases a novel, incomplete NTT can be adopted instead.
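What "cannot be subjected to a complete traditional NTT" means for the page's own modulus, as an added example (not the patent's code): the seven-layer incomplete NTT over Z_3329[x]/(x^256 + 1) as standardised in FIPS 203 for Kyber, with ζ = 17 the primitive 256-th root of unity. Since 3328 = 2^8 · 13 has no factor 512, no primitive 512-th root exists, the last butterfly layer cannot be performed, and multiplication finishes with 128 products of degree-1 polynomials modulo x^2 − ζ^{2·BitRev7(i)+1}. The helper complete_ntt_possible applies the 2N | q − 1 test to the other moduli named in the parameter sets (7681 and 12289), which do admit a complete transform at N = 256 and N = 512 respectively.

```python
"""Incomplete NTT over Z_3329[x]/(x^256 + 1), the case the page describes as lacking a complete
traditional NTT.  ADDED EXAMPLE, not the patent's code: this is the FIPS 203 (Kyber) transform,
used here only to show why q = 3329 forces an incomplete transform and how the remaining
degree-1 residues are multiplied."""
Q, N = 3329, 256
ZETA = 17                      # primitive 256-th root of unity mod 3329 (no 512-th root exists)

def complete_ntt_possible(q, n):
    """A full negacyclic NTT of length n needs a primitive 2n-th root of unity, i.e. 2n | q - 1."""
    return (q - 1) % (2 * n) == 0

def bitrev7(i):
    return int(f"{i:07b}"[::-1], 2)

def ntt(f):
    """Forward transform: 7 Cooley-Tukey layers leave 128 residues f mod (x^2 - zeta^(2*bitrev7(i)+1))."""
    f = list(f)
    k, length = 1, 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            z = pow(ZETA, bitrev7(k), Q)
            k += 1
            for j in range(start, start + length):
                t = z * f[j + length] % Q
                f[j + length] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        length //= 2
    return f

def inv_ntt(fh):
    """Inverse transform: Gentleman-Sande butterflies in reverse order, then scale by 1/128."""
    f = list(fh)
    k, length = 127, 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            z = pow(ZETA, bitrev7(k), Q)
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = z * (f[j + length] - t) % Q
        length *= 2
    return [x * 3303 % Q for x in f]        # 3303 = 128^(-1) mod 3329

def basemul(fh, gh):
    """Pointwise product in the NTT domain: each pair is a degree-1 polynomial mod (x^2 - gamma_i)."""
    h = [0] * N
    for i in range(N // 2):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1, b0, b1 = fh[2 * i], fh[2 * i + 1], gh[2 * i], gh[2 * i + 1]
        h[2 * i] = (a0 * b0 + a1 * b1 * gamma) % Q
        h[2 * i + 1] = (a0 * b1 + a1 * b0) % Q
    return h

def poly_mul_ntt(f, g):
    """f * g in Z_q[x]/(x^N + 1) via the incomplete NTT."""
    return inv_ntt(basemul(ntt(f), ntt(g)))

def monomial(k, c=1):
    """c * x^k as a coefficient list (c reduced mod q)."""
    p = [0] * N
    p[k] = c % Q
    return p

if __name__ == "__main__":
    for q, n in ((3329, 256), (7681, 256), (12289, 512), (3329, 512)):
        print(f"q={q}, N={n}: complete NTT possible = {complete_ntt_possible(q, n)}")
    print("x * x^255 == -1:", poly_mul_ntt(monomial(1), monomial(255)) == monomial(0, -1))
```

The monomial checks exercise exactly the property that schoolbook code gets from the x^N = −1 wrap; in the NTT domain it is supplied by the odd powers of ζ in basemul, so a wrong twiddle order shows up immediately as x · x^255 ≠ −1.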
Drawings
FIG. 1 illustrates schematically the process of an asymmetric consensus algorithm;
FIG. 2 illustrates an exemplary lattice-based encryption method of the invention.
Detailed Description
Generating system parameters (lambda, n, q, χ, AKC, l, h, t) required for encryption 1 ,t 2 ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein lambda is a safety parameter, q is more than or equal to 2, χ is noise distribution, l and h are positive integers and are polynomials of lambda, which represent dimension, t 1 And t 2 An operation for reducing a bandwidth when transmitting ciphertext, the operation being performed for compressing parameters used in the function;
public-private key generation (see fig. 2): decryptor samples to get the followingSeed of machine {0,1} κ The length of seed is a positive integer k, the seed generator matrix a is entered using Gen, where,is a pseudo-random generator mapping a random string of length kappa to +.>Is a matrix a of (a); the decryptor samples->Is->Wherein (1)>And->Respectively two distributions for sampling l×1-dimensional vectors, wherein each dimension element of the vector is R q The polynomials of the above, the distributions being the same or different; />And/or +.>As part of the private key; the decryptor calculates a public key Y 1 =Compress 1 (AX 1 +E 1 ) And Y is taken 1 The seed is sent to the encryptor as part of the public key; wherein, compresss 1 () Is a compression function, the input of which is +.>Output is->Both are ring R q Vector of the upper l×1 dimension, each dimension being an N-dimensional polynomial but coefficient reduction t of each dimension of the polynomial 1 Bit, where t 1 0 or more is an integer;
encryption method (see fig. 2): the encryptor slaveSelecting K 2 As a message to be encrypted, and according to the resulting random seed, a matrix a=gen (seed) is generated using the same pseudo-random number generator Gen; the encryptor samplingAnd +.>Wherein (1)>And->Respectively two identical or different distributions for sampling the vector of dimension l×1, distribution +.>For sampling N-dimensional polynomials, eta 1 ,η 2 ,η 3 Equal or unequal; the encryptor calculates:
1)Y 2 =Compress 2 (A T X 2 +E 2 ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein, compresss 2 () Is a compression function, the input of the compression functionOutput is->Are all ring R q An upper l x 1 dimension vector, each dimension being an N dimension polynomial but a polynomialCoefficient reduction t for each dimension 2 Bit, where t 2 0 or more is an integer; compression used by encryptor 2 () Compression for use with decryptor 1 () The functions are the same or different;
2)Σ 2 =Decompress 1 (Y 1 ) T ·X 2 +E σ the method comprises the steps of carrying out a first treatment on the surface of the Wherein, decompensation 1 () Decompacts used by encryptors as a decompression function 1 () Compression to be used by decryptor 1 () The input of the decompression function isOutputting decompression results, both of which are the rings R q L×1-dimensional vector above, and E σ ∈R q Adding to obtain Sigma 2 ∈R q Is an N-dimensional polynomial;
3)V←Con(Σ 2 ,K 2 params); wherein Con () is a polynomial algorithm defined in the asymmetric key consensus AKC, and is input as (Σ 2 ,K 2 Params), algorithm Con () output
The encryptor willAnd->Sending to the decryptor as part of the ciphertext;
decryption method (see fig. 2): the decryptor receives Y 2 After V, the following steps are performed:
1)wherein, decompensation 2 () Is a decompression function, and is used with encryptor 2 () Correspondingly, the input of the decompression function +.>Outputting decompression results, both of which are the rings R q Multiplying the vector of dimension l×1 to obtain Σ 1 ∈R q Is an N-dimensional polynomial;
2)K 1 =Rec(Σ 1 v, params); where Rec () is a deterministic polynomial algorithm, where the input is (Σ 1 V, params), the result of the Rec () output is
Con () and Rec () have the following calculation methods (see FIG. 1): for each coefficient of the polynomialAndand K 2 Each dimension coefficient +.>
1) Consensus scheme-1:or alternativelyWherein->Is the value of the corresponding dimension in V; and/or
2) Consensus method-2:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
3) Consensus method-3:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
4) Consensus manner-4:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
5) Consensus manner-5:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
6) Consensus manner-6:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
7) Consensus manner-7:wherein the method comprises the steps ofIs the value of the corresponding dimension in V; and/or +.>
Compress 1 () And/or compression 2 () The calculation mode of (2) is as follows; decompacts 1 () And/or decompensation 2 () The calculation mode of (2) is Decompacts (); let t not less than 0 be an integer and t epsilon { t } 1 ,t 2 -if t=0 represents not to be used for compression and decompression; note that for the compression in the practical application of the inventive method 1 () And/or compression 2 () The particular value of t employed may equally correspond to t 1 =t 2 May not correspond to t 1 ≠t 2 The method comprises the steps of carrying out a first treatment on the surface of the For each coefficient of the polynomial, we note
1) Compression and decompression mode-1:Decompress(y)=2 t y;
2) Compression and decompression mode-2:Decompress(y)=2 t y+2 t-1
3) Compression and decompression modes-3:Decompress(y)=2 t y-2 t-1
The above three ways, but if y=2 t-1 The time compression function additionally outputs an identifier, the decompression function inputs this identifier in addition to y, at which time the decompression output 2 t y+2 t-1 Or 2 t y-2 t-1
4) Compression and decompression mode-4: y=compression (x) = |2 t x/q|or Decompress(y)=|qx/2 t I or +.>
5) Compression and decompression mode-5:
Let $N=256$ or $N=512$, $l\in\{1,2,3,4\}$, $m\in\{2,4,8,16,32,64,128,256\}$, $g=2^{\delta}$ with $\delta\ge1$ a positive integer; let the three sampling distributions (with parameters $\eta_1,\eta_2,\eta_3$) each be a central binomial distribution, a uniform distribution, a discrete Gaussian distribution on a finite interval, a discrete distribution on a finite interval, or a combined distribution of the above on a finite interval;
Specifically, the parameters are selected as follows:
Parameter set-1: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$;
Parameter set-2: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$;
Parameter set-3: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3\ge4$, $q\ge3329$ or $q\ge7681$;
Parameter set-4: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3\ge4$, $q\ge3329$ or $q\ge7681$;
Parameter set-5: $\eta_1\ne\eta_2$, $q\le3329$ or $t_1=0$ or $q\le7681$ and $N=512$;
Parameter set-6: $\eta_1\ne\eta_2$, $q\le7681$, using the compression or decompression functions of 1)-3) above;
Parameter set-7: $\eta_1=\eta_2=2$ and $q\le3329$, or $\eta_1=\eta_2=4$ and $q\le7681$, using the compression or decompression functions of 1)-4) above;
Parameter set-8: $N=256$, $l=3$, $m=2$, $t_1=0$, $t_2=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $g=8$ or $16$, using the compression or decompression functions of 1)-3) above; or $N=256$, $l=2$, $m=2$, $t_1=0$, $t_2=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $g=8$ or $16$ or $4$, using the compression or decompression functions of 1)-4) above;
Parameter set-9: $N=256$, $l=3$, $m=2$, $t_1=t_2=4$, $\eta_1=1$, $\eta_2=\eta_3=4$, $q\le7681$, $g=8$ or $16$, using the compression or decompression functions of 1)-5) above;
Parameter set-10: $m\ge3$, or using consensus scheme-3 or -4 or -5 or -6 or -7, or using the Con or Rec mechanism of consensus scheme-1 with compression and decompression mode-3 or -4 or -5, or using the Con or Rec mechanism of consensus scheme-2 with compression and decompression mode-1 or -2 or -3 or -4; $N=256$ or $512$, $l\ge2$, $m\ge2$, $t_1\ge0$, $t_2\ge0$, $\eta_1>0$, $\eta_2>0$, $\eta_3>0$, $q\le7681$, $g\ge2$.
In a second aspect of the invention, the three sampling distributions (with parameters $\eta_1,\eta_2,\eta_3$) are the same or different; letting $\eta\in\{\eta_1,\eta_2,\eta_3\}$, each of them is one of the following:
1) the uniform distribution on $[-\eta,\eta]$;
2) the central binomial distribution $B_\eta$: $B_\eta$ samples $(a_1,\dots,a_\eta,b_1,\dots,b_\eta)\leftarrow\{0,1\}^{2\eta}$ and outputs $\sum_{i=1}^{\eta}(a_i-b_i)$;
3) a discrete Gaussian distribution on $[-\eta,\eta]$;
4) a combined distribution on a finite interval built from the above distributions, for example the sum or difference of a central binomial distribution and a uniform distribution.
In a third aspect of the invention, the method comprises:
Parameter set-11: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g=8$;
Parameter set-12: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$ or $4$, $g=4$ or $8$ or $16$ or $32$;
Parameter set-13: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g=32$;
Parameter set-14: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g=8$;
Parameter set-15: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2\in\{0,1,2\}$, $g\in\{8,16,32,64\}$;
Parameter set-16: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=2$, $g=8$;
Parameter set-17: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=2$, $g=8$;
Parameter set-18: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$ or $4$, $q\le7681$;
Parameter set-19: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=t_2=1$, $g\in\{16,32\}$;
Parameter set-20: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=0$, $t_2\in\{0,1,2\}$, $g\in\{8,16\}$;
Parameter set-21: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=4$, $g\in\{8,16\}$; or $N=256$, $l=3$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g\in\{4,8\}$; or $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g\in\{8,16,32\}$; or $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2\in\{0,1\}$, $g\in\{32,64,128\}$;
Parameter set-22: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g\in\{4,8\}$; or $N=256$, $l=3$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1\in\{3,4\}$, $t_2\in\{3,4\}$, $g\in\{8,16,32,64\}$; or $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=2$, $g\in\{4,8,16\}$; or $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1\in\{0,1\}$, $t_2\in\{0,1\}$, $g\in\{16,32\}$;
Parameter set-23: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=t_2=4$, $g\in\{4,8,16\}$; or $N=256$, $l=2$, $m=2$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{3,4,5\}$, $t_2\in\{4,5\}$, $g\in\{4,8,16\}$;
Parameter set-24: $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1\in\{2,3\}$, $t_2\in\{2,3\}$, $g\in\{4,8,16,32,64\}$; or $N=512$, $l=2$, $m=2$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{0,1,2,3,4\}$, $t_2\in\{0,1,2,3,4\}$, $g\in\{2,4,8,16,32,64,128,256\}$;
Parameter set-25: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1\in\{0,1,2\}$, $t_2\in\{0,1,2\}$, $g\in\{4,8,16,32,64\}$; or $N=256$, $l=4$, $m=4$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{0,1,2,3,4\}$, $t_2\in\{0,1,2,3,4\}$, $g\in\{2,4,8,16,32,64,128,256\}$.
In a fourth aspect of the invention, when $m\ge3$, or when using consensus scheme-3 or -4 or -5 or -6 or -7, or when using the Con or Rec mechanism of consensus scheme-1 with compression and decompression mode-3 or -4 or -5, or when using the Con or Rec mechanism of consensus scheme-2 with compression and decompression mode-1 or -2 or -3 or -4, the parameters are set as follows:
Parameter set-26: $N=256$, $l=2$, $\eta_1=2$, $\eta_2=\eta_3=12$, $q\le7681$, $t_1=3$, $t_2=4$, $g=8$;
Parameter set-27: $N=256$, $l=3$, $\eta_1=1$, $\eta_2=\eta_3=4$, $q\le7681$, $t_1=4$, $t_2=4$, $g=16$;
Parameter set-28: $N=512$, $l=2$, $\eta_1=2$, $\eta_2=\eta_3=8$, $q\le12289$, $t_1=2$ or $3$, $t_2=3$ or $4$, $g=16$;
Parameter set-29: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=2$ or $3$, $g=8$;
Parameter set-30: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=2$ or $3$, $g=16$;
Parameter set-31: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=1$ or $2$, $g=32$;
Parameter set-32: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=0$, $t_2=2$, $g=32$ or $64$ or $128$;
Parameter set-33: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=1$ or $2$, $g=32$ or $64$ or $128$ or $256$;
Parameter set-34: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=1$, $t_2=1$, $g=1024$ or $512$ or $2048$;
Parameter set-35: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=0$, $g=8$ or $16$ or $32$ or $64$ or $128$ or $256$.
In the method described above, the product of two polynomials is computed with a fast number-theoretic transform (NTT). For some of the parameter choices a complete classical NTT is not available, because the full NTT over $\mathbb{Z}_q[x]/(x^{N}+1)$ needs a primitive $2N$-th root of unity in $\mathbb{Z}_q$, i.e. $q\equiv1\pmod{2N}$; for such parameters a modified (incomplete) NTT is used instead.
Innovations and difficulties of the method of the invention
The effectiveness of the method in practical applications (computational efficiency, bandwidth, error rate and so on) depends heavily on the choice of the specific parameters. Selecting them requires weighing many factors together and requires testing by programming. One of the main difficulties is the analysis of the error rate. The specific error rate of the method depends on the Compress and Decompress functions employed and on the Con and Rec algorithms of the particular asymmetric consensus mechanism employed. To our knowledge, the error-rate analysis for different compression schemes and consensus mechanisms is currently incomplete; in particular, the exact error rate and the procedure for computing it for the bit-dropping compression scheme of the method were blank.
We review the compression described in the second aspect of the invention.
The consensus mechanism described in the third aspect of the invention (mode 2) is first analysed through the following lemma:
Lemma 1.1. For the consensus algorithm to satisfy correctness, the parameters must satisfy $(2d+2)\cdot2<q\cdot(1-2/g)$.
Proof: by definition there exist an integer $\theta$, $\varepsilon_1\in\{0,1/2\}$ and $\varepsilon_2\in(-1/2,1/2]$ such that $v=g(\sigma_2+qk_2/2+\varepsilon_1)/q+\varepsilon_2+\theta\cdot g$.
Substituting this into the expression of $k_1$ introduces one further rounding error $\varepsilon_3\in(-1/2,1/2]$.
By assumption there exist an integer $\theta'$ and $\delta\in[-d,d]$ such that $\sigma_2=\sigma_1+\theta'\cdot q+\delta$.
Correctness therefore requires $\left|2\delta/q+2(\varepsilon_1-\varepsilon_3)/q+2\varepsilon_2/g\right|<1/2$; since the left-hand side is at most $2d/q+2/q+1/g$, it suffices that $2d/q+2/q+1/g<1/2$. Rearranging gives $(2d+2)\cdot2<q\cdot(1-2/g)$.
When $q=7681$ and $g=8$, the condition becomes $(2d+2)\cdot2<5760.75$, i.e. $d<1439.1875<1440$.
We write $\epsilon_1=A\cdot X_1+E_1-\mathrm{Decompress}(\mathrm{Compress}(A\cdot X_1+E_1))$ and $\epsilon_2=A^{T}\cdot X_2+E_2-\mathrm{Decompress}(\mathrm{Compress}(A^{T}\cdot X_2+E_2))$; $\Sigma_1$ and $\Sigma_2$ are as in the figure.
The distribution of $\epsilon_1,\epsilon_2$ depends on whether the compression function of mode 1 or of mode 4 of the second aspect of the invention is used (the two cases differ in the range of $\epsilon_i$).
With $\epsilon_1,\epsilon_2$ as above, the decryption error $\mathrm{Err}$ follows, where $\varepsilon'\in[-1/2,1/2)$ is the rounding term;
decryption is correct when $|\mathrm{Err}|<q/4-1/2$.
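The difference $\Sigma_1-\Sigma_2$ that the error analysis works with can be written out from the definitions of $\Sigma_1$, $\Sigma_2$, $\epsilon_1$, $\epsilon_2$ given in the claims (added derivation, not part of the original text; it uses only quantities defined on the page). Since $\mathrm{Decompress}(\mathrm{Compress}(AX_1+E_1))=AX_1+E_1-\epsilon_1$ and likewise for $\epsilon_2$,
$$\Sigma_2=(AX_1+E_1-\epsilon_1)^{T}X_2+E_\sigma,\qquad \Sigma_1=(A^{T}X_2+E_2-\epsilon_2)^{T}X_1 .$$
The cross terms cancel because $X_1^{T}A^{T}X_2=X_2^{T}AX_1$ in the commutative ring $R_q$, so
$$\Sigma_1-\Sigma_2=(E_2-\epsilon_2)^{T}X_1-(E_1-\epsilon_1)^{T}X_2-E_\sigma ,$$
which is a sum of $2\,l\cdot N$ products of the form $(E_i-\epsilon_i)X_j$ plus one coefficient of $E_\sigma$; with $t_1=0$ one has $\epsilon_1=0$. Lemma 1.1 bounds exactly this quantity by $d$, and the condition $|\Sigma_2-\Sigma_1-\epsilon_v|<q/4-1/2$ used below additionally accounts for the consensus rounding error $\epsilon_v$.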
We mainly analyse the error rate of the parameter set $N=256$, $l=3$, which is also a common parameter choice in practical applications of the method.
Below we compare the error expressions in the two cases.
Case 1: compression mode 4 of the second aspect of the invention with consensus mode 2 of the third aspect. Here $y_1$ corresponds to $\mathrm{Decompress}(\mathrm{Compress}(AX_1+E_1))$ when $t_1>0$, or to $AX_1+E_1$ when $t_1=0$. Under the module-LWE assumption the coefficients of $c_v$ are treated as following the distribution computed in the Python program. Decryption is correct when $\mathrm{Err}<q/4$, i.e. $\mathrm{Err}<1920.25$ (more precisely, when $\mathrm{Err}<q/4-1/2$).
Case 2: compression mode 4 of the second aspect with consensus mode 1 of the third aspect. When $\mathrm{Err}<d<(q(1-2/g)/2-2)/2=1439.1875$ the consensus algorithm satisfies correctness, i.e. decryption is correct.
Definition: a discrete probability distribution $D$ is called centrosymmetric if $-D=D$, i.e. if for any $x\leftarrow D$, $\Pr[x]=\Pr[-x]$.
Note that the error computation above can be regarded as carried out over the integers, without the mod operation. The logic of the error-rate computation is as follows: under the module-LWE assumption, the coefficients of $\epsilon_1,\epsilon_2,\epsilon_v$ are treated as following the distribution of $x-\mathrm{Decompress}(\mathrm{Compress}(x))$ for uniformly random $x$. Then, by enumeration, a program computes the distributions of $X_1,X_2,E_1,E_2,E_\sigma$ (central binomial) and the corresponding distributions of $\epsilon_1,\epsilon_2,\epsilon_v$. It then enumerates the distributions of $E_i-\epsilon_i$ and of $(E_i-\epsilon_i)X_j$. Note that $(E_i-\epsilon_i)X_j$ is the sum of $l\cdot N$ independent coefficients drawn from this product distribution.
We write $\Delta$ for the resulting error term. The error-rate computation for case 2 estimates the probability that $\Delta$ takes a value greater than $(q(1-2/g)/2-2)/2=1439.1875$; case 1 computes the probability that $\Delta-\epsilon_v$ takes a value greater than $q/4=1920.25$. Reviewing the proof of the lemma again with the consensus algorithm of case 1, $K_1$ is obtained by applying Rec to $\Sigma_1$ and $v$.
We can in fact replace the upper-bound proof of the consensus mechanism by a direct computation. Note that in our notation $\Sigma_2$ is the value fed into the consensus step, and we may assume $\Sigma_2$ to be uniformly distributed. The consensus rounding error $\epsilon_v$ then follows, by assumption, a fixed distribution, and $K_1=K_2$ follows whenever $|\Sigma_2-\Sigma_1-\epsilon_v|<q/4-1/2$. The proof of the lemma is equivalent to taking the absolute upper bound of $\epsilon_v$ and deriving the condition that the upper bound $d$ of $|\Sigma_1-\Sigma_2|$ must satisfy. However, $\epsilon_v$ is a probability distribution. For the specific parameters, $\epsilon_v$ takes values in $[-480,480]$, each with a certain probability. Thus when $|\Sigma_1-\Sigma_2|<1440$, $K_1=K_2$ is guaranteed; but when $1440\le|\Sigma_1-\Sigma_2|<1920$, $K_1=K_2$ may still hold because of the distribution of $\epsilon_v$. In practice, $\Sigma_1-\Sigma_2$ is itself obtained under the module-LWE assumption and follows a certain probability distribution. Computing the error directly from the LWE decryption viewpoint is therefore more direct: compute the probability distribution of $\Sigma_1-\Sigma_2-\epsilon_v$ and then enumerate it to obtain the probability of a decryption error. In this way the probability is "spread out", which amounts to a more direct computation. For different parameters (mainly $q$ and $g$) the distribution of $\epsilon_v$ differs. Based on the above reasoning and observations we carried out programming experiments and many tests to determine the specific parameter values of the method, obtaining the best efficiency, bandwidth and error-rate results.

Claims (4)

1. A lattice-based efficient compact encryption method, wherein a string or value $\alpha$ represents a binary value and $|\alpha|$ denotes the binary length of $\alpha$; for any real number $x$, $\lfloor x\rfloor$ denotes the largest integer less than or equal to $x$ and $\lceil x\rceil$ the smallest integer greater than or equal to $x$; for any positive integers $a$ and $b$, $\mathrm{lcm}(a,b)$ denotes their least common multiple; for any $i,j\in\mathbb{Z}$ with $i<j$, $[i,j]$ denotes the set of integers $\{i,i+1,\dots,j-1,j\}$; for any positive integer $t$, $\mathbb{Z}_t$ denotes $\mathbb{Z}/t\mathbb{Z}$, whose elements are represented as $[0,t-1]$ or, equivalently, in a centered range; $\mathbb{Z}_m^{n}$ denotes the set of length-$n$ elements over the group $\mathbb{Z}_m$;
If $S$ is a finite set, $|S|$ denotes its cardinality and $x\leftarrow S$ denotes taking an element of $S$ uniformly at random; for two sets $A,B\subseteq\mathbb{Z}_q$ we define $A+B=\{a+b\mid a\in A,b\in B\}$; for an additive group $(G,+)$, an element $x\in G$ and a subset $S\subseteq G$, $x+S$ denotes the set obtained by adding $x$ to each element of $S$; for a set $S$, $\mathcal{U}(S)$ denotes the uniform distribution on $S$; for a discrete random variable $X$ over $\mathbb{R}$, $\mathrm{Support}(X)=\{x\in\mathbb{R}\mid\Pr[X=x]>0\}$;
If $D$ is a probability distribution, $x\leftarrow D$ denotes selecting an element according to $D$ and assigning it to $x$; if $\alpha$ is neither an algorithm nor a set, $x\leftarrow\alpha$ denotes a simple assignment; if $\mathcal{A}$ is a probabilistic algorithm, $\mathcal{A}(x_1,x_2,\dots;r)$ denotes the result of running $\mathcal{A}$ on inputs $x_1,x_2,\dots$ with random seed $r$; $y\leftarrow\mathcal{A}(x_1,x_2,\dots;r)$ denotes the experiment of choosing $r$ at random and letting $y$ be $\mathcal{A}(x_1,x_2,\dots;r)$; $\Pr[R_1;\dots;R_n:E]$ denotes the probability that event $E$ occurs after the ordered sequence of random processes $R_1,\dots,R_n$; a function $f(\lambda)$ is negligible if for every $c>0$ there exists $\lambda_c$ such that $f(\lambda)<1/\lambda^{c}$ for all $\lambda>\lambda_c$; the ring $R_q=\mathbb{Z}_q[x]/\Phi_m(x)$, where $\Phi_m(x)\in\mathbb{Z}[x]$ is the $m$-th cyclotomic polynomial; an element of $R_q$ is an $N$-dimensional polynomial of the form $a_0+a_1x+a_2x^{2}+\dots+a_{N-1}x^{N-1}$, $N$ a positive integer; the positive integers $l$ and $h$ are the dimensions of the matrix samples, and $R_q^{h\times l}$ denotes an $h\times l$ matrix each of whose entries is an $N$-dimensional polynomial over $R_q$; a function whose input is a vector is applied separately to each dimension of the vector;
A sample of the MLWE distribution has the form $(A_i,Y_i)$; the MLWE problem is to recover the secret value $X$ from polynomially many samples of the MLWE distribution; specifically, $A_i\leftarrow R_q^{h\times l}$ is chosen uniformly at random and $Y_i=A_iX+E_i$ is computed, where all samples use the same $X$ and the same or different $E_i$; the positive integer $i$ indexes the samples, and $X$ and $E_i$ are drawn from two probability distributions with parameters $\eta_1$ and $\eta_2$ respectively, which may be the same or different; the advantage of an adversary $\mathcal{A}$ is defined accordingly;
If there is no algorithm $\mathcal{A}$ with running time at most $\tau$ and advantage greater than $\epsilon$, the $(\tau,\epsilon)$-$\mathrm{MLWE}_{h,l,\eta}$ hardness assumption holds, where $\tau$ is polynomial in $N$ and $\epsilon$ is a negligible function of $N$;
an asymmetric consensus algorithm akc= (params, con, rec), wherein the parameters are defined as follows:
1) params= (q, m, g, d, aux) represents a system parameter, 2.ltoreq.m, g.ltoreq.q,and are all positive integers, aux represents auxiliary information determined by (q, m, g, d); m=2 or 4;
2)V←Con(Σ 2 ,K 2 params), con () is a polynomial time algorithm, and is applied to the input (Σ 2 ,K 2 Params) algorithm outputs a signalWherein (1)> Wherein N and N' and N are positive integers, and the values are equal or unequal;
3)K 1 =Rec(Σ 1 v, params), rec () is a deterministic polynomial algorithm, and the input is (Σ 1 V, params), the result of the Rec () output isWherein (1)>
The method comprises the following steps:
Generating the system parameters $(\lambda,n,q,\chi,\mathrm{AKC},l,h,t_1,t_2)$ required for encryption, where $\lambda$ is the security parameter, $q\ge2$, $\chi$ is the noise distribution, $l$ and $h$ are positive integers polynomial in $\lambda$ that denote the dimensions, and $t_1$ and $t_2$ are the parameters of the compression functions, used to reduce the bandwidth when transmitting the ciphertext;
Public and private key generation: the decryptor samples a random seed $\mathrm{seed}\leftarrow\{0,1\}^{\kappa}$, $\kappa$ a positive integer, and generates the matrix $A$ with $\mathrm{Gen}$, where $\mathrm{Gen}$ is a pseudo-random generator mapping a random string of length $\kappa$ to a matrix $A$ over $R_q$; the decryptor samples $X_1$ and $E_1$ from two distributions (the same or different) over $l\times1$-dimensional vectors whose entries are polynomials in $R_q$; $X_1$ and/or $E_1$ form the private key; the decryptor computes the public key $Y_1=\mathrm{Compress}_1(AX_1+E_1)$ and sends $Y_1$ together with $\mathrm{seed}$ to the encryptor as the public key; here $\mathrm{Compress}_1()$ is a compression function whose input and output are both $l\times1$ vectors over $R_q$, each entry an $N$-dimensional polynomial, with $t_1$ bits removed from each coefficient, $t_1\ge0$ an integer;
The encryption method comprises: the encryptor chooses $K_2$, with coefficients in $\mathbb{Z}_m$, as the message to be encrypted, and from the received random seed regenerates $A=\mathrm{Gen}(\mathrm{seed})$ with the same pseudo-random generator $\mathrm{Gen}$; the encryptor samples $X_2$ and $E_2$ from two distributions (the same or different) over $l\times1$-dimensional vectors, and $E_\sigma$ from a distribution over $N$-dimensional polynomials, with $\eta_1,\eta_2,\eta_3$ equal or unequal; the encryptor computes:
1) $Y_2=\mathrm{Compress}_2(A^{T}X_2+E_2)$, where $\mathrm{Compress}_2()$ is a compression function whose input and output are both $l\times1$ vectors over $R_q$, each entry an $N$-dimensional polynomial, with $t_2$ bits removed from each coefficient, $t_2\ge0$ an integer; the $\mathrm{Compress}_2()$ used by the encryptor and the $\mathrm{Compress}_1()$ used by the decryptor may be the same function or different functions;
2) $\Sigma_2=\mathrm{Decompress}_1(Y_1)^{T}\cdot X_2+E_\sigma$, where $\mathrm{Decompress}_1()$ is the decompression function corresponding to the decryptor's $\mathrm{Compress}_1()$, mapping an $l\times1$ vector over $R_q$ to an $l\times1$ vector over $R_q$; the product is added to $E_\sigma\in R_q$ to obtain $\Sigma_2\in R_q$, an $N$-dimensional polynomial;
3) $V\leftarrow\mathrm{Con}(\Sigma_2,K_2,\mathrm{params})$, where $\mathrm{Con}()$ is the polynomial-time algorithm defined in the asymmetric key consensus $\mathrm{AKC}$; on input $(\Sigma_2,K_2,\mathrm{params})$ it outputs $V$;
The encryptor sends $Y_2$ and $V$ to the decryptor as the ciphertext;
The decryption method comprises: after receiving $Y_2$ and $V$, the decryptor performs the following steps:
1) $\Sigma_1=\mathrm{Decompress}_2(Y_2)^{T}\cdot X_1$, where $\mathrm{Decompress}_2()$ is the decompression function corresponding to the encryptor's $\mathrm{Compress}_2()$, mapping an $l\times1$ vector over $R_q$ to an $l\times1$ vector over $R_q$; the product yields $\Sigma_1\in R_q$, an $N$-dimensional polynomial;
2) $K_1=\mathrm{Rec}(\Sigma_1,V,\mathrm{params})$, where $\mathrm{Rec}()$ is the deterministic polynomial-time algorithm with input $(\Sigma_1,V,\mathrm{params})$ and output $K_1$;
$\mathrm{Con}()$ and $\mathrm{Rec}()$ are computed as follows, for each coefficient $\sigma_2\in\mathbb{Z}_q$ and $\sigma_1\in\mathbb{Z}_q$ of the polynomials and each one-dimensional coefficient $k_2\in\mathbb{Z}_m$ of $K_2$, where in every scheme $v\in\mathbb{Z}_g$ is the value of the corresponding dimension of $V$:
1) Consensus scheme-1: … or …; and/or
2) Consensus scheme-2: …; and/or
3) Consensus scheme-3: …; and/or
4) Consensus scheme-4: …; and/or
5) Consensus scheme-5: …; and/or
6) Consensus scheme-6: …; and/or
7) Consensus scheme-7: …; and/or
$\mathrm{Compress}_1()$ and/or $\mathrm{Compress}_2()$ are computed as $\mathrm{Compress}()$, and $\mathrm{Decompress}_1()$ and/or $\mathrm{Decompress}_2()$ as $\mathrm{Decompress}()$; let $t\ge0$ be an integer with $t\in\{t_1,t_2\}$, where $t=0$ means that no compression and decompression is used; the values of $t$ used by $\mathrm{Compress}_1()$ and $\mathrm{Compress}_2()$ may be equal, $t_1=t_2$, or unequal, $t_1\ne t_2$; for each coefficient $x\in\mathbb{Z}_q$ of the polynomial:
1) Compression and decompression mode-1: $\mathrm{Decompress}(y)=2^{t}y$;
2) Compression and decompression mode-2: $\mathrm{Decompress}(y)=2^{t}y+2^{t-1}$;
3) Compression and decompression mode-3: $\mathrm{Decompress}(y)=2^{t}y-2^{t-1}$;
For the three modes above, if $y=2^{t-1}$ the compression function additionally outputs an identifier, and the decompression function takes this identifier as input in addition to $y$; the decompression output is then $2^{t}y+2^{t-1}$ or $2^{t}y-2^{t-1}$ according to the identifier;
4) Compression and decompression mode-4: $y=\mathrm{Compress}(x)=\lfloor 2^{t}x/q\rceil$ or …, and $\mathrm{Decompress}(y)=\lfloor qy/2^{t}\rceil$ or …;
5) Compression and decompression mode-5: …
Let $N=256$ or $N=512$, $l\in\{1,2,3,4\}$, $m\in\{2,4,8,16,32,64,128,256\}$, $g=2^{\delta}$ with $\delta\ge1$ a positive integer; let the three sampling distributions (with parameters $\eta_1,\eta_2,\eta_3$) each be a central binomial distribution, a uniform distribution, a discrete Gaussian distribution on a finite interval, a discrete distribution on a finite interval, or a combined distribution of the above on a finite interval;
Specifically, the parameters are selected as follows:
Parameter set-1: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$;
Parameter set-2: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$;
Parameter set-3: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3\ge4$, $q\ge3329$ or $q\ge7681$;
Parameter set-4: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3\ge4$, $q\ge3329$ or $q\ge7681$;
Parameter set-5: $\eta_1\ne\eta_2$, $q\le3329$ or $t_1=0$ or $q\le7681$ and $N=512$;
Parameter set-6: $\eta_1\ne\eta_2$, $q\le7681$, using the compression or decompression functions of 1)-3) above;
Parameter set-7: $\eta_1=\eta_2=2$ and $q\le3329$, or $\eta_1=\eta_2=4$ and $q\le7681$, using the compression or decompression functions of 1)-4) above;
Parameter set-8: $N=256$, $l=3$, $m=2$, $t_1=0$, $t_2=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $g=8$ or $16$, using the compression or decompression functions of 1)-3) above; or $N=256$, $l=2$, $m=2$, $t_1=0$, $t_2=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $g=8$ or $16$ or $4$, using the compression or decompression functions of 1)-4) above;
Parameter set-9: $N=256$, $l=3$, $m=2$, $t_1=t_2=4$, $\eta_1=1$, $\eta_2=\eta_3=4$, $q\le7681$, $g=8$ or $16$, using the compression or decompression functions of 1)-5) above;
Parameter set-10: $m\ge3$, or using consensus scheme-3 or -4 or -5 or -6 or -7, or using the Con or Rec mechanism of consensus scheme-1 with compression and decompression mode-3 or -4 or -5, or using the Con or Rec mechanism of consensus scheme-2 with compression and decompression mode-1 or -2 or -3 or -4; $N=256$ or $512$, $l\ge2$, $m\ge2$, $t_1\ge0$, $t_2\ge0$, $\eta_1>0$, $\eta_2>0$, $\eta_3>0$, $q\le7681$, $g\ge2$.
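A complete round trip of the method of claim 1 (key generation, encryption, decryption) with parameter set-29 and mode-4 compression, as an added example; this is not the patent's code and not an implementation by its authors. Assumptions not fixed by the page: $\mathrm{Gen}$ is instantiated with SHAKE-128; $\mathrm{Con}/\mathrm{Rec}$ are the AKCN-style pair consistent with the proof of Lemma 1.1 ($v=\lfloor g(\sigma_2+\lfloor qk_2/m\rceil)/q\rceil\bmod g$, $k_1=\lfloor m(\lfloor qv/g\rceil-\sigma_1)/q\rceil\bmod m$), not one of the page's consensus schemes 1-7, whose formulas the page does not reproduce; multiplication in $R_q=\mathbb{Z}_q[x]/(x^{N}+1)$ is schoolbook rather than NTT. Note that the seed for $A$ is public (it is part of the public key), so the secret vectors are drawn from a separate secret seed.

```python
"""Lattice PKE of claim 1, parameter set-29: N=256, l=2, eta=2, q=3329, t1=0, t2=2, g=8, m=2.
Added example, not the patent's code.  Gen = SHAKE-128, Con/Rec = AKCN-style (assumptions)."""
import hashlib

N, L, Q, ETA, T1, T2, G, M = 256, 2, 3329, 2, 0, 2, 8, 2

def rnd(num, den):
    """round(num/den), halves up, exact integer arithmetic (den > 0)."""
    return (2 * num + den) // (2 * den)

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

# ---- R_q = Z_q[x]/(x^N + 1); a vector is a list of L polynomials, each a list of N ints ----
def poly_mul(a, b):
    c = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[i + j] += ai * bj
    return [(c[k] - c[k + N]) % Q for k in range(N)]  # reduce with x^N = -1

def vec_dot(u, v):
    """u^T v in R_q."""
    acc = [0] * N
    for a, b in zip(u, v):
        acc = [(x + y) % Q for x, y in zip(acc, poly_mul(a, b))]
    return acc

def mat_vec(A, v, transpose=False):
    return [vec_dot([A[j][i] if transpose else A[i][j] for j in range(L)], v) for i in range(L)]

def vec_op(f, *vecs):
    """Apply f coefficient-wise across vectors of polynomials."""
    return [[f(*cs) for cs in zip(*polys)] for polys in zip(*vecs)]

add, sub = (lambda a, b: (a + b) % Q), (lambda a, b: (a - b) % Q)

# ---- Gen (assumed SHAKE-128 with rejection sampling on 12-bit chunks) and B_eta sampling ----
def gen_matrix(rho):
    buf = hashlib.shake_128(b"A" + rho).digest(8 * L * L * N)
    coeffs, i = [], 0
    while len(coeffs) < L * L * N:
        b0, b1, b2 = buf[i:i + 3]
        i += 3
        coeffs += [d for d in (b0 | (b1 & 15) << 8, b1 >> 4 | b2 << 4) if d < Q]
    return [[coeffs[(r * L + c) * N:(r * L + c + 1) * N] for c in range(L)] for r in range(L)]

def cbd_vec(seed, nonce, count):
    """`count` polynomials with B_eta coefficients popcount(a) - popcount(b), 2*eta bits each."""
    bits = int.from_bytes(hashlib.shake_256(seed + bytes([nonce])).digest(count * N * ETA // 4), "little")
    mask, out = (1 << ETA) - 1, []
    for p in range(count):
        chunks = [bits >> (2 * ETA * (p * N + i)) for i in range(N)]
        out.append([(bin(c & mask).count("1") - bin(c >> ETA & mask).count("1")) % Q for c in chunks])
    return out

# ---- mode-4 compression, t = bits dropped from each coefficient (t = 0: none) ----
def compress(x, t):
    lv = 1 << (Q.bit_length() - t)
    return x if t == 0 else rnd(lv * x, Q) % lv

def decompress(y, t):
    return y if t == 0 else rnd(Q * y, 1 << (Q.bit_length() - t)) % Q

# ---- asymmetric key consensus (assumed AKCN form, see lead-in) ----
def con(s2, k2):
    return rnd(G * (s2 + rnd(Q * k2, M)), Q) % G

def rec(s1, v):
    return rnd(M * (rnd(Q * v, G) - s1), Q) % M

# ---- the scheme: rho is the public seed of A, sigma the secret seed of X1, E1 ----
def keygen(rho, sigma):
    X1, E1 = cbd_vec(sigma, 0, L), cbd_vec(sigma, 1, L)
    B1 = vec_op(add, mat_vec(gen_matrix(rho), X1), E1)                 # A X1 + E1
    return (rho, vec_op(lambda x: compress(x, T1), B1)), (X1, E1, B1)  # pk = (seed, Y1)

def encrypt(pk, K2, coins):
    rho, Y1 = pk
    X2, E2, (Es,) = cbd_vec(coins, 0, L), cbd_vec(coins, 1, L), cbd_vec(coins, 2, 1)
    B2 = vec_op(add, mat_vec(gen_matrix(rho), X2, transpose=True), E2)  # A^T X2 + E2
    Y2 = vec_op(lambda x: compress(x, T2), B2)
    S2 = [add(s, e) for s, e in zip(vec_dot(vec_op(lambda y: decompress(y, T1), Y1), X2), Es)]
    V = [con(s, k) for s, k in zip(S2, K2)]                             # K2 in Z_m^N
    return (Y2, V), (X2, E2, Es, B2, S2)

def decrypt(sk, ct):
    X1, Y2, V = sk[0], ct[0], ct[1]
    S1 = vec_dot(vec_op(lambda y: decompress(y, T2), Y2), X1)
    return [rec(s, v) for s, v in zip(S1, V)], S1

def error_identity(sk, state, S1):
    """Check Sigma1 - Sigma2 == (E2 - eps2)^T X1 - (E1 - eps1)^T X2 - E_sigma (mod q) and
    return (holds, max |Sigma1 - Sigma2| centered), the quantity Lemma 1.1 bounds by d."""
    X1, E1, B1 = sk
    X2, E2, Es, B2, S2 = state
    eps = lambda B, t: vec_op(lambda x: sub(x, decompress(compress(x, t), t)), B)
    rhs = vec_dot(vec_op(sub, E2, eps(B2, T2)), X1)
    rhs = [sub(sub(a, b), e) for a, b, e in zip(rhs, vec_dot(vec_op(sub, E1, eps(B1, T1)), X2), Es)]
    lhs = [sub(a, b) for a, b in zip(S1, S2)]
    return lhs == rhs, max(abs(centered(x)) for x in lhs)

if __name__ == "__main__":
    import os
    pk, sk = keygen(os.urandom(32), os.urandom(32))
    K2 = [b % M for b in os.urandom(N)]
    ct, state = encrypt(pk, K2, os.urandom(32))
    K1, S1 = decrypt(sk, ct)
    print("K1 == K2:", K1 == K2, "| identity holds, max|Sigma1-Sigma2|:", error_identity(sk, state, S1))
```

For these parameters Lemma 1.1 gives $d<623.19$, so consensus-1 correctness needs $|\Sigma_1-\Sigma_2|\le623$; `error_identity` reports the largest coefficient actually observed, and the run takes about a second because of the schoolbook multiplication.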
2. The method of claim 1, wherein the three sampling distributions (with parameters $\eta_1,\eta_2,\eta_3$) are the same or different, and, letting $\eta\in\{\eta_1,\eta_2,\eta_3\}$, each of them is one of the following:
1) the uniform distribution on $[-\eta,\eta]$;
2) the central binomial distribution $B_\eta$: $B_\eta$ samples $(a_1,\dots,a_\eta,b_1,\dots,b_\eta)\leftarrow\{0,1\}^{2\eta}$ and outputs $\sum_{i=1}^{\eta}(a_i-b_i)$;
3) a discrete Gaussian distribution on $[-\eta,\eta]$;
4) a combined distribution on a finite interval built from the above distributions.
3. The method of claim 2, wherein the parameters are set as follows:
Parameter set-11: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g=8$;
Parameter set-12: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$ or $4$, $g=4$ or $8$ or $16$ or $32$;
Parameter set-13: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g=32$;
Parameter set-14: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g=8$;
Parameter set-15: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2\in\{0,1,2\}$, $g\in\{8,16,32,64\}$;
Parameter set-16: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=2$, $g=8$;
Parameter set-17: $N=512$, $l=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=2$, $g=8$;
Parameter set-18: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$ or $4$, $q\le7681$;
Parameter set-19: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=t_2=1$, $g\in\{16,32\}$;
Parameter set-20: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=0$, $t_2\in\{0,1,2\}$, $g\in\{8,16\}$;
Parameter set-21: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=4$, $g\in\{8,16\}$; or $N=256$, $l=3$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g\in\{4,8\}$; or $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=3$, $g\in\{8,16,32\}$; or $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2\in\{0,1\}$, $g\in\{32,64,128\}$;
Parameter set-22: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=3$, $g\in\{4,8\}$; or $N=256$, $l=3$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1\in\{3,4\}$, $t_2\in\{3,4\}$, $g\in\{8,16,32,64\}$; or $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=t_2=2$, $g\in\{4,8,16\}$; or $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1\in\{0,1\}$, $t_2\in\{0,1\}$, $g\in\{16,32\}$;
Parameter set-23: $N=256$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=t_2=4$, $g\in\{4,8,16\}$; or $N=256$, $l=2$, $m=2$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{3,4,5\}$, $t_2\in\{4,5\}$, $g\in\{4,8,16\}$;
Parameter set-24: $N=512$, $l=2$, $m=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1\in\{2,3\}$, $t_2\in\{2,3\}$, $g\in\{4,8,16,32,64\}$; or $N=512$, $l=2$, $m=2$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{0,1,2,3,4\}$, $t_2\in\{0,1,2,3,4\}$, $g\in\{2,4,8,16,32,64,128,256\}$;
Parameter set-25: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1\in\{0,1,2\}$, $t_2\in\{0,1,2\}$, $g\in\{4,8,16,32,64\}$; or $N=256$, $l=4$, $m=4$, $\eta_1\in\{1,4\}$, $\eta_2=\eta_3\in\{4,1\}$, $q\le7681$, $t_1\in\{0,1,2,3,4\}$, $t_2\in\{0,1,2,3,4\}$, $g\in\{2,4,8,16,32,64,128,256\}$.
4. The method according to claim 1 or 2, wherein when $m\ge3$, or when using consensus scheme-3 or -4 or -5 or -6 or -7, or when using the Con or Rec mechanism of consensus scheme-1 with compression and decompression mode-3 or -4 or -5, or when using the Con or Rec mechanism of consensus scheme-2 with compression and decompression mode-1 or -2 or -3 or -4, the parameters are set as follows:
Parameter set-26: $N=256$, $l=2$, $\eta_1=2$, $\eta_2=\eta_3=12$, $q\le7681$, $t_1=3$, $t_2=4$, $g=8$;
Parameter set-27: $N=256$, $l=3$, $\eta_1=1$, $\eta_2=\eta_3=4$, $q\le7681$, $t_1=4$, $t_2=4$, $g=16$;
Parameter set-28: $N=512$, $l=2$, $\eta_1=2$, $\eta_2=\eta_3=8$, $q\le12289$, $t_1=2$ or $3$, $t_2=3$ or $4$, $g=16$;
Parameter set-29: $N=256$, $l=2$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=2$ or $3$, $g=8$;
Parameter set-30: $N=256$, $l=3$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=2$ or $3$, $g=16$;
Parameter set-31: $N=256$, $l=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le3329$, $t_1=0$, $t_2=1$ or $2$, $g=32$;
Parameter set-32: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=2$, $q\le7681$, $t_1=0$, $t_2=2$, $g=32$ or $64$ or $128$;
Parameter set-33: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=1$ or $2$, $g=32$ or $64$ or $128$ or $256$;
Parameter set-34: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=1$, $t_2=1$, $g=1024$ or $512$ or $2048$;
Parameter set-35: $N=256$, $l=4$, $m=4$, $\eta_1=\eta_2=\eta_3=1$, $q\le3329$, $t_1=0$, $t_2=0$, $g=8$ or $16$ or $32$ or $64$ or $128$ or $256$.
CN202010382073.7A 2020-04-17 2020-05-08 Efficient compact encryption method based on grids Active CN113541933B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020103041530 2020-04-17
CN202010304153 2020-04-17

Publications (2)

Publication Number Publication Date
CN113541933A CN113541933A (en) 2021-10-22
CN113541933B true CN113541933B (en) 2023-07-25

Family

ID=78094227

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010382073.7A Active CN113541933B (en) 2020-04-17 2020-05-08 Efficient compact encryption method based on grids

Country Status (1)

Country Link
CN (1) CN113541933B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138752A (en) * 2019-04-19 2019-08-16 北京信息科学技术研究院 A kind of public key encryption method based on lattice
CN110474772A (en) * 2019-07-01 2019-11-19 中国科学院数学与系统科学研究院 A kind of encryption method based on lattice

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104396184B (en) * 2012-04-12 2017-12-01 丁津泰 Xinmi City's code system based on wrong pairing
US10581604B2 (en) * 2017-10-17 2020-03-03 Comsats Institute Of Information Technology Post-quantum cryptographic communication protocol

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138752A (en) * 2019-04-19 2019-08-16 北京信息科学技术研究院 A kind of public key encryption method based on lattice
CN110474772A (en) * 2019-07-01 2019-11-19 中国科学院数学与系统科学研究院 A kind of encryption method based on lattice

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Generic and Practical Key Establishment from Lattice; Yunlei Zhao et al.; ACNS; 2019-05-29; full text *
Optimal Key Consensus in Presence of Noise; Yunlei Zhao et al.; arXiv; 2017-10-06; full text *

Also Published As

Publication number Publication date
CN113541933A (en) 2021-10-22

Similar Documents

Publication Publication Date Title
CN112989368B (en) Method and device for processing private data by combining multiple parties
Jasra et al. Color image encryption and authentication using dynamic DNA encoding and hyper chaotic system
Liu et al. Privacy-preserving outsourced calculation toolkit in the cloud
Smart et al. Fully homomorphic encryption with relatively small key and ciphertext sizes
WO2011052056A1 (en) Data processing device
Belaïd et al. Side-Channel Analysis of Multiplications in GF (2128) Application to AES-GCM
CN115276947B (en) Private data processing method, device, system and storage medium
CN111143865B (en) User behavior analysis system and method for automatically generating label on ciphertext data
JP2007510947A (en) Method and apparatus for efficient multi-party multiplication
EP2742644B1 (en) Encryption and decryption method
US9893880B2 (en) Method for secure symbol comparison
Burek et al. Algebraic attacks on block ciphers using quantum annealing
Dowerah et al. Towards an efficient LWE‐based fully homomorphic encryption scheme
CN116094686B (en) Homomorphic encryption method, homomorphic encryption system, homomorphic encryption equipment and homomorphic encryption terminal for quantum convolution calculation
CN113541933B (en) Efficient compact encryption method based on grids
Takagi Recent developments in post-quantum cryptography
JP5208796B2 (en) Integer encryption and decryption methods
CN114465708A (en) Private data processing method, device, system, electronic equipment and storage medium
Saha et al. Outsourcing private equality tests to the cloud
Theramban et al. Colour image encryption using dna coding and logistic diffusion
CN113268707B (en) Ciphertext covariance matrix calculation method based on row coding
CN116455575B (en) Key generation, encryption and decryption methods, electronic equipment and storage medium
Srinivasan et al. Secured Data Transmission in IoT using Homomorphic Encryption
CN117234457B (en) Data subtraction operation method for privacy calculation
Zhang et al. Speech Encryption Scheme Based on BFV Homomorphic Encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220825

Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Applicant after: Zhao Yunlei

Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156

Applicant before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240112

Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District

Patentee after: FUDAN University

Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Patentee before: Zhao Yunlei

TR01 Transfer of patent right