CN113591102B - Grid-based distributed threshold addition homomorphic encryption method - Google Patents


Publication number
CN113591102B
Authority
CN
China
Prior art keywords
secret
user
share
public
polynomial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110713307.6A
Other languages
Chinese (zh)
Other versions
CN113591102A (en)
Inventor
田海博
林会智
李茂楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sun Yat Sen University
Original Assignee
Sun Yat Sen University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Yat Sen University filed Critical Sun Yat Sen University
Priority to CN202110713307.6A priority Critical patent/CN113591102B/en
Publication of CN113591102A publication Critical patent/CN113591102A/en
Application granted granted Critical
Publication of CN113591102B publication Critical patent/CN113591102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of secure multi-party computation based on homomorphic encryption, and in particular to a lattice-based distributed threshold additively homomorphic encryption method. The method comprises the following steps: initial system setup, user key generation, user private key share generation, system public key synthesis, data encryption, additive homomorphic operation, partial decryption and final decryption. The method reduces the number of shares each user holds locally, which in turn reduces the communication traffic of the whole protocol and the computation time of the user-side algorithms, and allows users to take part in the whole protocol with lightweight computing devices.

Description

Lattice-based distributed threshold additively homomorphic encryption method
Technical Field
The invention relates to the technical field of secure multi-party computation based on homomorphic encryption, and in particular to a lattice-based distributed threshold additively homomorphic encryption method.
Background
Attribute-based encryption is an extension of identity-based encryption: it introduces the concept of an access structure into identity-based encryption, and thereby controls decryption rights and access rights. The earliest public research started from simple attribute encryption and was later extended to other attribute-related research, attribute security protocols, and so on. Compared with traditional cryptography, attribute-based encryption greatly enriches the flexibility of encryption policies and the expressiveness of user rights, and extends the one-to-one mode to a one-to-many mode. It is efficient and flexible: the encryption cost depends only on the number of attributes involved, not on the number of users in the system; whether a user can decrypt a ciphertext depends only on whether the user's attributes satisfy the policy of the ciphertext, regardless of whether the user joined the system before the ciphertext was produced; the policy can support complex access structures, such as thresholds and Boolean expressions; and the encryptor does not need to know the identity of the decryptor. Because of these properties, attribute-based encryption can effectively realize non-interactive access control.
The current mainstream cryptographic techniques for implementing secure multi-party computation include threshold secret sharing and homomorphic encryption. Homomorphic encryption allows specific algebraic operations to be performed on ciphertext data, and the result is the same as or similar to the result of performing the same computation on the plaintext. This feature is widely applied in cloud service computing, outsourced computing and privacy-preserving federated learning, and is one direction of emerging privacy technology. Shamir's threshold secret sharing scheme divides a secret into n secret shares for multiple participants by constructing a polynomial of degree k-1 and taking the shared secret as the constant term of this polynomial. Any k or more participants can cooperate to recover the shared secret using the interpolation formula, but fewer than k participants cooperating cannot obtain any information about the shared secret. Blakley independently proposed another threshold secret sharing scheme that uses points in multidimensional space: the shared secret s is regarded as a point in k-dimensional space, each sub-secret is the equation of a (k-1)-dimensional hyperplane containing this point, the intersection of any k such hyperplanes determines the shared secret exactly, and k-1 sub-secrets, i.e. hyperplanes, determine only their intersection and thus yield no information about the shared secret. Some existing lattice-based encryption methods built on Shamir's secret sharing scheme suffer from large local shares, large memory use, heavy communication traffic and similar problems, and need further improvement.
Disclosure of Invention
To overcome the above defects in the prior art, the invention provides a lattice-based distributed threshold additively homomorphic encryption method, which reduces the number of shares held locally by each user, reduces the communication traffic of the whole protocol and reduces the computation time of the user-side algorithms.
To solve the above technical problems, the invention adopts the following technical scheme: a lattice-based distributed threshold additively homomorphic encryption method, comprising the following steps:
S1, initial system setup: input the security parameter λ, and output the system parameters params = {param0, paramSS}, where param0 is the set of parameters related to system initialization and paramSS is the set of parameters related to multi-secret sharing;
S2, user key generation: input the system parameters params, and output the public-private key pair $(pk_u, sk_u)$;
S3, user private key share generation: input the system parameters params, the private key $sk_{u0}$ of user u and the public key set $\{pk_{v1}\}_{v\in U}$ of the user set U; output the set of encrypted messages $\{e_{uv}\}_{v\in U}$ and the ordered set of public shares of user u
Figure SMS_1
S4, system public key synthesis: input the system parameters params and the public key set $\{pk_{u0}\}_{u\in U}$ of all users, compute $pk = [\sum_{u\in U} pk_{u0}]_q$, and output the system public key pk;
S5, data encryption: input the system parameters params, the system public key pk and the plaintext data $m_u$ of user u, and output the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u;
S6, additive homomorphic operation: input the system parameters params, the user ciphertext data set $\{c_u\}_{u\in U}$ and the user weight coefficient set $\{w_u\}_{u\in U}$, then compute $ct_0 = [\sum_{u\in U} c_{u0}\cdot w_u]_q$ and $ct_1 = [\sum_{u\in U} c_{u1}\cdot w_u]_q$ respectively, and finally output the system ciphertext $ct = (ct_0, ct_1)$;
S7, partial decryption: input the system parameters params, the system ciphertext ct, the public key $pk_u$ of user u, and the set of encrypted messages $\{e_{vu}\}_{v\in U\setminus\{u\}}$ that user u received from the other users in the set U; output the partial decryption value $pm_u$ of user u;
S8, final decryption: input the system parameters params, the system ciphertext $ct = (ct_0, ct_1)$, the users' partial decryption value set $P_1 = \{pm_u\}_{u\in V}$ with $|P_1| \ge th$, the system public share set $OS_{sys}$, and the public share sets of all users in the set U
Figure SMS_2
and
Figure SMS_3
and output the polynomial M consisting of the final decryption values.
Further, for
Figure SMS_4
specifically set the polynomial degree d, the polynomial coefficient modulus q, the plaintext polynomial modulus t, the irreducible cyclotomic polynomial f(x), and the integer polynomial ring
Figure SMS_5
where $R_q$ denotes the ring R with all element coefficients taken modulo q; also set the normal distribution χ, the uniform distribution μ, an arbitrary element on the ring R
Figure SMS_6
the hybrid encryption system HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec} and the multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover}. Here HPKE.Gen is the key generation algorithm, whose input is a security parameter and whose output is an encryption/decryption key pair; HPKE.Enc is the encryption algorithm, whose input is an encryption key and a plaintext and whose output is a ciphertext; HPKE.Dec is the decryption algorithm, whose input is a ciphertext and a decryption key and whose output is a plaintext; MultiSS.Setup is the system initialization algorithm, whose input is a security parameter and whose output is the system parameters; MultiSS.Split is the secret distribution algorithm, whose input is the system parameters and an ordered secret set and whose output is a secret share set and the user public shares; MultiSS.Recover is the secret reconstruction algorithm, whose input is the system parameters and a secret share set and whose output is the ordered secret set;
then randomly select
Figure SMS_7
For paramSS = {n, th, m, U, V, PList, GList, BList, $OS_{sys}$}, executing the algorithm MultiSS.Setup($1^\lambda$) yields paramSS, where q is a large prime, th is the threshold, and m is the number of secrets shared at one time, with m ≥ th required. The set of all participants is U, and a set of users meeting the threshold number is V, i.e. n ≥ |V| ≥ th. Then n mutually distinct integers $p_1, p_2, p_3, \dots, p_n$ are chosen at random from [n+2m+th, q-1] as the personal identifiers of the participants; this set is denoted PList. The n consecutive integers $g_1, g_2, g_3, \dots, g_n$ of the interval [m, m+n-1] are set as the identifiers of the system public shares; this set is denoted GList. Finally, n random integers $k_1, k_2, k_3, \dots, k_n$ are chosen at random from [0, q-1] as the system public shares; this set is denoted $OS_{sys}$.
Further, the secret distribution algorithm MultiSS.Split is executed by a secret distributor; it takes as input the system parameters paramSS and the ordered secret set mList, and outputs the secret share set SList and the user public shares $OS_u$. Let the m secrets to be shared be $C_1, C_2, C_3, \dots, C_m$; the specific steps are:
interpolate to generate a polynomial h(x) of degree n+m-1: the value pairs formed from the m secrets, $(0, C_1), (1, C_2), (2, C_3), \dots, (m-1, C_m)$, together with the value pairs of the n system public shares, $(g_1, k_1), (g_2, k_2), (g_3, k_3), \dots, (g_n, k_n)$, give n+m value pairs in total, from which the Lagrange polynomial interpolation algorithm computes the degree-(n+m-1) polynomial $h(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{n+m-1} x^{n+m-1}$;
generate the secret share set SList of the participants: compute the secret share of each participant using the degree-(n+m-1) polynomial h(x) obtained above; the personal identifier $p_i$ of a user is input into h(x) as the argument, and the function value $h(p_i)$ is that participant's secret share; the set of these shares is SList;
when m > th, the public share set $OS_u$ of the secret distributor must also be generated: take the m-th integers $b_1, b_2, b_3, \dots, b_{m-th}$ of the interval [m+n, m+2n-th-1] as the identifiers of the secret distributor's public shares, and denote this set BList; input each identifier in BList into the polynomial h(x) to obtain the corresponding value $h(b_i)$; the set of these values is denoted $OS_u$.
Further, the secret reconstruction algorithm MultiSS.Recover is executed by any party that needs to recover the secrets; it takes as input the system parameters paramSS, a secret share set SList containing no fewer than th shares, and the public share set $OS_u$ of the secret distributor, and outputs the ordered secret set mList. The specific steps are:
interpolate to recover the polynomial h(x) of degree n+m-1: from the secret share set SList obtain no fewer than th value pairs $(p_i, h(p_i))$; from the system public shares $OS_{sys}$ obtain the n value pairs $(g_1, k_1), \dots, (g_n, k_n)$; if m > th, also obtain the m-th value pairs $(b_i, h(b_i))$ from the public share set $OS_u$ of the secret distributor; with no fewer than m+n value pairs in total, recover h(x) using the Lagrange polynomial interpolation algorithm;
generate the ordered secret set mList: compute $C_i = h(i-1)$ for i = 1, 2, …, m to recover the secrets; this set is denoted mList.
Further, step S2 specifically comprises: first, from the polynomial ring $R_3$, whose coefficients lie in {-1, 0, 1}, uniformly and randomly select a polynomial
Figure SMS_8
then select a noise polynomial according to the distribution χ
Figure SMS_9
set
Figure SMS_10
and
Figure SMS_11
run
Figure SMS_12
Figure SMS_13
to obtain the encryption/decryption key pair of the HPKE system, set $sk_u = (sk_{u0}, sk_{u1})$ and $pk_u = (pk_{u0}, pk_{u1})$, and output the public-private key pair $(pk_u, sk_u)$.
Further, step S3 specifically comprises:
first select a noise
Figure SMS_16
For $sk_{u0}$ and
Figure SMS_18
run the secret distribution algorithm MultiSS.Split on every m consecutive coefficients; sharing the whole private key and the whole noise each requires
Figure SMS_19
executions of the multi-secret sharing algorithm, which yields the ordered sets of secret shares of user u's private key and noise
Figure SMS_15
and
Figure SMS_17
and the ordered sets of user public shares
Figure SMS_20
and
Figure SMS_21
where each of the four ordered sets contains
Figure SMS_14
elements. Then the following is executed for each user v in the set U:
a) Pack the two ordered sets of secret shares $\{Ssk_{uv}, Seu_{uv}\}$ to be sent to user v into the message $s_{uv}$, where $Ssk_{uv}$ is the set of secret shares of the private key and $Seu_{uv}$ is the set of secret shares of the noise; assuming that the identifier of user v is $p_0$, then
Figure SMS_22
Figure SMS_23
b) Using the public key $pk_{v1}$ of user v, run the encryption algorithm HPKE.Enc($pk_{v1}$, $s_{uv}$) to obtain the encrypted message $e_{uv}$. The final output is the set of encrypted messages for the individual users, $\{e_{uv}\}_{v\in U}$, and the ordered set of public shares of user u
Figure SMS_24
where user u's own share remains local.
Further, step S5 specifically comprises: first, embed the plaintext data $m_u$ as coefficients into a polynomial $X_u$ of highest degree d, then randomly select
Figure SMS_25
and two noises
Figure SMS_26
and compute respectively
Figure SMS_27
Output the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u.
Further, step S7 specifically comprises: first run the decryption algorithm HPKE.Dec($sk_{u1}$, $e_{vu}$) to obtain the message set $\{s_{vu}\}_{v\in U\setminus\{u\}}$; parsing the messages one by one yields a set $\{Ssk_{vu}\}_{v\in U\setminus\{u\}}$ of ordered sets of secret shares of the private key and a set $\{Seu_{vu}\}_{v\in U\setminus\{u\}}$ of ordered sets of secret shares of the noise. Both contain n-1 set elements, and each set element in turn consists of
Figure SMS_28
secret shares in order. Add the two ordered sets of secret shares that user u kept locally when sharing its own private key and noise, and aggregate each kind into one total ordered share set: compute $Ssk_{uv} = \sum_{v\in U} Ssk_{vu}$ and $Seu_{uv} = \sum_{v\in U} Seu_{vu}$. Then execute the partial decryption value computation: embed the ordered set $Ssk_u$ into a degree-d polynomial by mod-m interval embedding to obtain SK, and embed the ordered set $Seu_u$ into a degree-d polynomial by mod-m continuous embedding to obtain SE; extract $ct_0$ from the ciphertext ct, compute $pm_u = [ct_0 \cdot SK + SE]_q$, and finally output the partial decryption value $pm_u$ of user u.
Further, step S8 specifically comprises: first, for the users' public share sets $H_2$ and $H_3$, each of which contains n set elements, where each set element consists of
Figure SMS_29
user public share sets in order, add the n set elements together position by position, namely
Figure SMS_30
and
Figure SMS_31
to obtain the aggregated user share sets:
Figure SMS_32
Figure SMS_33
$SH_0$ and $SH_1$ now each consist of
Figure SMS_34
share sets arranged in order, each share set containing m-th shares. Then, for i = 1, 2, …, m-th, take from $SH_0$ and $SH_1$ respectively the sets
Figure SMS_35
and
Figure SMS_36
and compute a partial decryption value for the user public shares according to the partial decryption method of step S7, where the ordered set
Figure SMS_37
is embedded by mod-m interval embedding and
Figure SMS_38
by mod-m continuous embedding. After m-th executions, the set $P_2$ of partial decryption values for the user public shares is obtained.
Likewise, for the system public share set $\{k_1, k_2, k_3, \dots, k_n\}$, compute $K_i = n \cdot k_i$ for i = 1, 2, …, n, and construct sets whose number of elements is
Figure SMS_39
namely
Figure SMS_40
Figure SMS_41
According to the partial decryption method of step S7, compute a partial decryption value for the system public shares, where the set
Figure SMS_42
is embedded by mod-m interval embedding and
Figure SMS_43
by mod-m continuous embedding. After n executions, the set $P_3$ of partial decryption values for the system public shares is obtained. Combine the three partial decryption value sets $P_1$, $P_2$, $P_3$ to obtain $P = \{pm_i\}$, with the corresponding identifier set
Figure SMS_44
abbreviated as A = {a1, …, ai}, i ∈ [1, |P|], where each term corresponds to a Lagrange interpolation basis function $LA_{ai}(x)$;
For i = 1, 2, 3, …, |P|, embed the corresponding set $\{LA_{ai}(0), LA_{ai}(1), \dots, LA_{ai}(m-1)\}$ into a degree-d polynomial by mod-m interval embedding to obtain $L_i$; then compute the polynomial M consisting of the final decryption values, where:
Figure SMS_45
Further, (1) for any set X, define |X| as the number of elements in the set X; if x is a vector, |x| is the dimension of this vector;
(2) for a given irreducible cyclotomic polynomial f(x) of highest degree d, the integer polynomial ring is defined as
Figure SMS_47
All elements of the ring R are vectors, also called polynomials; $R_q$ denotes the ring R with all element coefficients taken modulo q, where
Figure SMS_51
denotes selecting from $R_q$, according to the uniform distribution, a
Figure SMS_53
For an arbitrary element on the ring R
Figure SMS_48
the coefficient of the i-th term is $a_i$, i.e. it satisfies the formula
Figure SMS_49
where x is the independent variable; its infinity norm
Figure SMS_52
satisfies the formula
Figure SMS_54
For
Figure SMS_46
the expansion factor $\delta_R$ of R satisfies the formula
Figure SMS_50
(3) For any integer h > 1, define
Figure SMS_55
as an integer set;
Figure SMS_56
denotes the integer ring {0, 1, 2, …, q-1}; for any
Figure SMS_57
$[x]_h = x \bmod h$; for any
Figure SMS_58
$\lfloor x \rfloor$ means rounding down, $\lceil x \rceil$ means rounding up, and $\lfloor x \rceil$ means taking the nearest integer; for any x ∈ R,
Figure SMS_59
means that for
Figure SMS_60
the modulo-h operation is performed on all of its coefficients;
(4) for a given security parameter λ, if for all
Figure SMS_61
the function satisfies $negl(\lambda) = o(1/\lambda^c)$, then the function negl(λ) is said to be negligible;
(5) for a given probability distribution
Figure SMS_62
the notation
Figure SMS_63
denotes that x is randomly sampled from
Figure SMS_64
for a set X, $x \leftarrow X$ denotes that x is sampled uniformly from the set; a distribution χ over the integers whose values lie in the range [-B, B] is said to be bounded by B;
(6) for embedding a set Set of m elements into a polynomial Poly of highest degree d, it is required that m divides d+1 and $d \le m^2 - 1$; there are the following two methods:
1) Mod-m continuous embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered set Set as the coefficient of that term, and embed the same coefficient in each subsequent term until a new term again satisfies i % m = 1; then delete the element just used from Set, embed the new first element in that term, and repeat until the whole polynomial has been traversed;
2) Mod-m interval embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered set Set as the coefficient of that term and delete the element from Set; repeat until the whole polynomial has been traversed;
(7) for the integer set {a, b, c, d}, the corresponding Lagrange basis functions are defined as follows: let the argument be x and the set be $\{LA_a(x), LA_b(x), LA_c(x), LA_d(x)\}$; specifically:
Figure SMS_65
Figure SMS_66
Compared with the prior art, the beneficial effects are as follows: the lattice-based distributed threshold additively homomorphic encryption method provided by the invention reduces the number of shares each user holds locally, which in turn reduces the communication traffic of the whole protocol and the computation time of the user-side algorithms, and allows users to take part in the whole protocol with lightweight computing devices.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
Detailed Description
In this embodiment, a unified convention is first fixed for the symbols and algorithms that appear repeatedly. The convention is as follows:
(1) For any set X, define |X| as the number of elements in the set X; if x is a vector, |x| is the dimension of this vector.
(2) For a given irreducible cyclotomic polynomial f(x) of highest degree d, the integer polynomial ring is defined as
Figure SMS_67
All elements of the ring R are vectors, also called polynomials. $R_q$ denotes the ring R with all element coefficients taken modulo q, where
Figure SMS_68
denotes selecting from $R_q$, according to the uniform distribution, a
Figure SMS_69
For an arbitrary element on the ring R
Figure SMS_70
the coefficient of the i-th term is $a_i$, i.e. it satisfies equation (1), where x is the independent variable; its infinity norm
Figure SMS_71
satisfies formula (2); for
Figure SMS_72
the expansion factor $\delta_R$ of R satisfies formula (3):
Figure SMS_73
Figure SMS_74
Figure SMS_75
(3) For any integer h > 1, define
Figure SMS_76
as an integer set;
Figure SMS_77
denotes the integer ring {0, 1, 2, …, q-1}; for any
Figure SMS_78
$[x]_h = x \bmod h$; for any
Figure SMS_79
$\lfloor x \rfloor$ means rounding down, $\lceil x \rceil$ means rounding up, and $\lfloor x \rceil$ means taking the nearest integer; for any x ∈ R,
Figure SMS_80
means that for
Figure SMS_81
the modulo-h operation is performed on all of its coefficients.
(4) For a given security parameter λ, if for all
Figure SMS_82
the function satisfies $negl(\lambda) = o(1/\lambda^c)$, then the function negl(λ) is said to be negligible. If the probability of an event is negl(λ), the event occurs with negligible probability.
(5) For a given probability distribution D, the notation
Figure SMS_83
denotes that x is randomly sampled from
Figure SMS_84
for a set X, $x \leftarrow X$ denotes that x is sampled uniformly from the set; a distribution χ over the integers whose values lie in the range [-B, B] is said to be bounded by B.
(6) For the hybrid encryption system HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec}: the key generation algorithm HPKE.Gen takes a security parameter as input and outputs an encryption/decryption key pair; the encryption algorithm HPKE.Enc takes an encryption key and a plaintext as input and outputs a ciphertext; the decryption algorithm HPKE.Dec takes a ciphertext and a decryption key as input and outputs a plaintext.
(7) For embedding a set Set of m elements into a polynomial Poly of highest degree d (where m divides d+1 and $d \le m^2 - 1$), the following two methods are defined:
a) Mod-m continuous embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered set Set as the coefficient of that term, and embed the same coefficient in each subsequent term until a new term again satisfies i % m = 1; then delete the element just used from Set, embed the new first element in that term, and repeat until the whole polynomial has been traversed.
Example: Set = {a, b, c} and the highest degree of Poly is d = 8; the polynomial after embedding (with argument x) is:
$Poly = a + ax + ax^2 + bx^3 + bx^4 + bx^5 + cx^6 + cx^7 + cx^8$
b) Mod-m interval embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered set Set as the coefficient of that term and delete the element from Set; repeat until the whole polynomial has been traversed.
Example: Set = {a, b, c} and the highest degree of Poly is d = 8; the polynomial after embedding (with argument x) is:
$Poly = a + 0x + 0x^2 + bx^3 + 0x^4 + 0x^5 + cx^6 + 0x^7 + 0x^8$
(8) For the integer set {a, b, c, d}, the corresponding set of Lagrange basis functions (with argument x) is defined as $\{LA_a(x), LA_b(x), LA_c(x), LA_d(x)\}$; specifically:
Figure SMS_85
Figure SMS_86
(9) For the multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover}: the system initialization algorithm MultiSS.Setup takes a security parameter as input and outputs the system parameters; the secret distribution algorithm MultiSS.Split takes the system parameters and an ordered secret set as input and outputs a secret share set and the user public shares; the secret reconstruction algorithm MultiSS.Recover takes the system parameters and a secret share set as input and outputs the ordered secret set.
a) System initialization algorithm: MultiSS.Setup
The algorithm takes the security parameter λ as input and outputs the system parameters paramSS = {q, n, th, m, U, V, PList, GList, $OS_{sys}$}, where q is a large prime, th is the threshold, and m is the number of secrets shared at one time, with m ≥ th required. The set of all participants is U, and a set of users meeting the threshold number is V, i.e. n ≥ |V| ≥ th. Then n mutually distinct integers $p_1, p_2, p_3, \dots, p_n$ are chosen at random from [n+2m+th, q-1] as the personal identifiers of the participants; this set is denoted PList. The n consecutive integers $g_1, g_2, g_3, \dots, g_n$ of the interval [m, m+n-1] are set as the identifiers of the system public shares; this set is denoted GList. Finally, n random integers $k_1, k_2, k_3, \dots, k_n$ are chosen at random from [0, q-1] as the system public shares; this set is denoted $OS_{sys}$.
b) Secret distribution algorithm: MultiSS.Split
The algorithm is executed by a secret distributor; it takes as input the system parameters paramSS and the ordered secret set mList, and outputs the secret share set SList and the user public shares $OS_u$. Let the m secrets to be shared be $C_1, C_2, C_3, \dots, C_m$; the specific steps are:
1. Interpolate to generate a polynomial h(x) of degree n+m-1: the value pairs formed from the m secrets, $(0, C_1), (1, C_2), (2, C_3), \dots, (m-1, C_m)$, together with the value pairs of the n system public shares, $(g_1, k_1), (g_2, k_2), (g_3, k_3), \dots, (g_n, k_n)$, give n+m value pairs in total, from which the Lagrange polynomial interpolation algorithm computes the degree-(n+m-1) polynomial $h(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{n+m-1} x^{n+m-1}$;
2. Generate the secret share set SList of the participants: compute the secret share of each participant using the degree-(n+m-1) polynomial h(x) obtained above; the personal identifier $p_i$ of a user is input into h(x) as the argument, and the function value $h(p_i)$ is that participant's secret share; the set of these shares is SList;
3. When m > th, the public share set $OS_u$ of the secret distributor must also be generated: take the m-th integers $b_1, b_2, b_3, \dots, b_{m-th}$ of the interval [m+n, m+2n-th-1] as the identifiers of the secret distributor's public shares, and denote this set BList; input each identifier in BList into the polynomial h(x) to obtain the corresponding value $h(b_i)$; the set of these values is denoted $OS_u$.
c) Secret reconstruction algorithm: MultiSS.Recover
The algorithm can be executed by any party that needs to recover the secrets; it takes as input the system parameters paramSS, a secret share set SList containing no fewer than th shares, and the public share set $OS_u$ of the secret distributor, and outputs the ordered secret set mList. The specific steps are:
interpolate to recover the polynomial h(x) of degree n+m-1: from the secret share set SList obtain no fewer than th value pairs $(p_i, h(p_i))$; from the system public shares $OS_{sys}$ obtain the n value pairs $(g_1, k_1), \dots, (g_n, k_n)$; if m > th, also obtain the m-th value pairs $(b_i, h(b_i))$ from the public share set $OS_u$ of the secret distributor; with no fewer than m+n value pairs in total, recover h(x) using the Lagrange polynomial interpolation algorithm;
generate the ordered secret set mList: compute $C_i = h(i-1)$ for i = 1, 2, …, m to recover the secrets; this set is denoted mList.
The lattice-based distributed threshold addition homomorphic encryption method provided by this embodiment comprises the following steps: system initial setting, user key generation, user private key share generation, system public key synthesis, data encryption, addition homomorphic operation, partial decryption and final decryption;
Step 1, system initial setting: DTAHE.setup
This step takes the security parameter λ as input and outputs the system parameters params = {param0, paramSS}, where param0 is the set of system-initialization parameters and paramSS is the set of multi-secret-sharing parameters. For
Figure SMS_87
specifically set the polynomial degree d, the polynomial coefficient modulus q, the plaintext polynomial modulus t, the normal distribution χ, the uniform distribution μ and the multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover}, and then randomly select
Figure SMS_88
For paramSS = {n, th, m, U, V, PList, GList, BList, OS_{sys}}, executing the algorithm MultiSS.Setup(1^λ) yields paramSS. The details are shown in Table 1.
Table 1: Scheme-specific parameter list
Figure SMS_89
Figure SMS_90
Step 2, user key generation: DTAHE.KeyGen
This step takes the system parameters params as input and outputs a public-private key pair (pk_u, sk_u). First, uniformly at random select a polynomial from the polynomial ring R_3, whose coefficients lie in {-1, 0, 1}:
Figure SMS_91
Then select a noise polynomial according to the distribution χ:
Figure SMS_92
Set
Figure SMS_93
and
Figure SMS_94
Run (pk_{u1}, sk_{u1}) ← HPKE.Gen(1^λ) to obtain the encryption and decryption key pair of the HPKE system, set sk_u = (sk_{u0}, sk_{u1}) and pk_u = (pk_{u0}, pk_{u1}), and output the public-private key pair (pk_u, sk_u).
Step 3, user private key share generation: DTAHE.ShareGen
This step takes as input the system parameters params, the private key sk_{u0} of user u and the public key set {pk_{v1}}_{v∈U} of the user set U, and outputs the set of encrypted messages {e_{uv}}_{v∈U} and the ordered set of public shares of user u
Figure SMS_95
Figure SMS_96
First, randomly select a noise
Figure SMS_98
For sk_{u0} and
Figure SMS_101
the algorithm MultiSS.Split is executed on every m consecutive coefficients; fully sharing the whole private key and the whole noise each requires executing
Figure SMS_102
rounds of the multi-secret sharing algorithm, which yields the ordered sets of secret shares of user u's private key and noise
Figure SMS_99
and
Figure SMS_100
and the ordered sets of user public shares
Figure SMS_103
and
Figure SMS_104
Each of the four ordered sets contains
Figure SMS_97
elements, where:
Figure SMS_105
Figure SMS_106
Figure SMS_107
Figure SMS_108
Then, for each user in the set U, the following procedure is executed:
a) Pack the two ordered sets of secret shares {Ssk_{uv}, Seu_{uv}} to be sent to user v into the message s_{uv}, where Ssk_{uv} is the set of secret shares of the private key and Seu_{uv} is the set of secret shares of the noise; assuming that the identifier of user v is p_0, then
Figure SMS_109
Figure SMS_110
b) Using the public key pk_{v1} of user v, run the encryption algorithm HPKE.Enc(pk_{v1}, s_{uv}) to obtain the encrypted message e_{uv}. The final output is the set of encrypted messages for the individual users {e_{uv}}_{v∈U} (user u's own share is kept local) and the ordered set of public shares of user u
Figure SMS_111
Step 4, system public key synthesis: DTAHE.ComKey
This step takes as input the system parameters params and the public key set {pk_{u0}}_{u∈U} of all users, computes pk = [Σ_{u∈U} pk_{u0}]_q, and outputs the system public key pk.
Step 5, data encryption algorithm: DTAHE.DataEnc
This step takes as input the system parameters params, the system public key pk and the plaintext data m_u of user u, and outputs the ciphertext data c_u = (c_{u0}, c_{u1}) of user u.
First, the plaintext data m_u is embedded as coefficients into a polynomial X_u of highest degree d. Then randomly select
Figure SMS_112
and two noises
Figure SMS_113
and separately compute
Figure SMS_114
Figure SMS_115
Output the ciphertext data c_u = (c_{u0}, c_{u1}) of user u.
Step 6, addition homomorphic operation: DTAHE.Evaladd
This step takes as input the system parameters params, the users' ciphertext data set {c_u}_{u∈U} and the users' weight coefficient set {w_u}_{u∈U}, computes ct_0 = [Σ_{u∈U} c_{u0}·w_u]_q and ct_1 = [Σ_{u∈U} c_{u1}·w_u]_q, and finally outputs the system ciphertext ct = (ct_0, ct_1).
Step 7, partial decryption: DTAHE.ParDec
This step takes as input the system parameters params, the system ciphertext ct, the public key pk_u of user u and the set of encrypted messages {e_{vu}}_{v∈U\{u}} that user u received from the other users in the set U, and outputs the partial decryption value pm_u of user u.
The partial decryption step is divided into three stages: decrypting the shares, aggregating the shares and computing the partial decryption value. First, the decryption algorithm HPKE.Dec(sk_{u1}, e_{vu}) is run to obtain the message set {s_{vu}}_{v∈U\{u}}. After the messages are parsed one by one, a set {Ssk_{vu}}_{v∈U\{u}} of ordered sets of secret shares of the private key and a set {Seu_{vu}}_{v∈U\{u}} of ordered sets of secret shares of the noise are obtained. Both contain n-1 set elements, and each set element in turn consists of
Figure SMS_116
secret shares in order. The two ordered sets of secret shares that user u kept locally when sharing its own private key and noise are then added in, and the shares are aggregated into two ordered sets of total shares. Specifically, compute Ssk_{uv} = Σ_{v∈U} Ssk_{vu} and Seu_{uv} = Σ_{v∈U} Seu_{vu}. Then the partial decryption value calculation method is executed: the ordered set Ssk_u is embedded into a polynomial of degree d by modulo-m interval embedding to obtain SK, and the ordered set Seu_u is embedded into a polynomial of degree d by modulo-m continuous embedding to obtain SE. Extract ct_0 from the ciphertext ct, compute pm_u = [ct_0·SK + SE]_q, and finally output the partial decryption value pm_u of user u.
Step 8, final decryption algorithm: DTAHE.FinDec
This step takes as input the system parameters params, the system ciphertext ct = (ct_0, ct_1), the users' partial decryption value set P_1 = {pm_u}_{u∈V}, where |P_1| ≥ th, the system public share set OS_{sys}, and the public share sets of all users in the set U
Figure SMS_117
and
Figure SMS_118
and outputs a polynomial M consisting of the final decryption values.
The final decryption step comprises five stages: aggregating the user public shares, computing the partial decryption values of the user public shares, aggregating the system public shares, computing the partial decryption values of the system public shares, and decrypting the data by interpolation. First, the user public share sets H_2 and H_3 each contain n set elements, and each set element is composed in order of
Figure SMS_119
user public share sets; the n set elements are added in order, namely
Figure SMS_120
and
Figure SMS_121
to obtain the user share summary sets:
Figure SMS_122
Figure SMS_123
At this point SH_0 and SH_1 are each composed in order of
Figure SMS_124
share sets, each share set containing m-th shares. Then, for i = 1, 2, …, m-th, take out from SH_0 and SH_1 respectively the sets
Figure SMS_125
and
Figure SMS_126
and compute the partial decryption value for the user public shares following the partial decryption value calculation method in DTAHE.ParDec, where the ordered set
Figure SMS_127
undergoes modulo-m interval embedding and
Figure SMS_128
undergoes modulo-m continuous embedding. After m-th executions, the partial decryption value set P_2 for the user public shares is obtained.
Likewise, for the system public share set {k_1, k_2, k_3, …, k_n}, compute K_i = n*k_i for i = 1, 2, …, n, and construct, with the number of elements being
Figure SMS_129
the sets
Figure SMS_130
Figure SMS_131
Compute the partial decryption value for the system public shares following the partial decryption value calculation method in DTAHE.ParDec, where the set
Figure SMS_132
undergoes modulo-m interval embedding and
Figure SMS_133
undergoes modulo-m continuous embedding. After n executions, the partial decryption value set P_3 for the system public shares is obtained. Combining the three partial decryption value sets P_1, P_2 and P_3 gives P = {pm_i}, with the corresponding identifier set
Figure SMS_134
abbreviated as A = {a1, …, ai}, i ∈ [1, |P|], where each item corresponds to a Lagrange interpolation basis function LA_{ai}(x).
For i = 1, 2, 3, …, |P|, the corresponding set {LA_{ai}(0), LA_{ai}(1), …, LA_{ai}(m-1)} is embedded into a polynomial of degree d by modulo-m interval embedding to obtain L_i. Then the polynomial M consisting of the final decryption values is computed, where:
Figure SMS_135
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and are not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
It is to be understood that the above examples of the present invention are provided by way of illustration only and do not limit the embodiments of the present invention. Other variations or modifications based on the above description will be apparent to those of ordinary skill in the art. It is neither necessary nor possible to enumerate all embodiments here. Any modification, equivalent replacement or improvement that comes within the spirit and principles of the invention is intended to be protected by the following claims.

Claims (5)

1. A lattice-based distributed threshold addition homomorphic encryption method, comprising:
S1, system initial setting: input a security parameter λ and output the system parameters params = {param0, paramSS}, where param0 is the set of system-initialization parameters and paramSS is the set of multi-secret-sharing parameters;
S2, user key generation: input the system parameters params and output a public-private key pair (pk_u, sk_u);
S3, user private key share generation: input the system parameters params, the private key sk_{u0} of user u and the public key set {pk_{v1}}_{v∈U} of the user set U, and output the set of encrypted messages {e_{uv}}_{v∈U} and the ordered set of public shares of user u
Figure FDA0004177247520000011
S4, system public key synthesis: input the system parameters params and the public key set {pk_{u0}}_{u∈U} of all users, compute pk = [Σ_{u∈U} pk_{u0}]_q, and output the system public key pk;
S5, data encryption: input the system parameters params, the system public key pk and the plaintext data m_u of user u, and output the ciphertext data c_u = (c_{u0}, c_{u1}) of user u;
S6, addition homomorphic operation: input the system parameters params, the users' ciphertext data set {c_u}_{u∈U} and the users' weight coefficient set {w_u}_{u∈U}, then compute ct_0 = [Σ_{u∈U} c_{u0}·w_u]_q and ct_1 = [Σ_{u∈U} c_{u1}·w_u]_q, and finally output the system ciphertext ct = (ct_0, ct_1);
S7, partial decryption: input the system parameters params, the system ciphertext ct, the public key pk_u of user u and the set of encrypted messages {e_{vu}}_{v∈U\{u}} that user u received from the other users in the set U, and output the partial decryption value pm_u of user u;
S8, final decryption: input the system parameters params, the system ciphertext ct = (ct_0, ct_1), the users' partial decryption value set P_1 = {pm_u}_{u∈V}, where |P_1| ≥ th and th is the threshold, the system public share set OS_{sys}, and the public share sets of all users in the set U
Figure FDA0004177247520000012
and
Figure FDA0004177247520000013
and output a polynomial M consisting of the final decryption values.
2. The lattice-based distributed threshold addition homomorphic encryption method of claim 1, wherein,
Figure FDA0004177247520000014
specifically: a polynomial degree d, a polynomial coefficient modulus q, a plaintext polynomial modulus t, an irreducible cyclotomic polynomial f(x) and an integer polynomial ring
Figure FDA0004177247520000015
R_q denotes the ring R with all elements taken modulo q, a normal distribution χ, a uniform distribution μ, an arbitrary element
Figure FDA0004177247520000016
a hybrid cryptosystem HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec} and a multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover}; wherein HPKE.Gen is the key generation algorithm, whose input is a security parameter and whose output is an encryption and decryption key pair; HPKE.Enc is the encryption algorithm, whose input is an encryption key and a plaintext and whose output is a ciphertext; HPKE.Dec is the decryption algorithm, whose input is a ciphertext and a decryption key and whose output is a plaintext; MultiSS.Setup is the system initialization algorithm, whose input is a security parameter and whose output is the system parameters; MultiSS.Split is the secret distribution algorithm, whose input is the system parameters and an ordered secret set and whose output is a secret share set and the user public shares; MultiSS.Recover is the secret reconstruction algorithm, whose input is the system parameters and a secret share set and whose output is an ordered secret set;
then randomly select
Figure FDA0004177247520000021
For paramSS = {n, th, m, U, V, PList, GList, BList, OS_{sys}}, executing the algorithm MultiSS.Setup(1^λ) yields paramSS; wherein q is a large prime integer, n is the number of participants, th is the threshold, and m is the number of secrets to be shared at a time, with m ≥ th required; the set of all participants is U, and a set of users meeting the threshold number is V, that is, n ≥ |V| ≥ th; then n mutually distinct integers p_1, p_2, p_3, …, p_n are randomly selected in [n+2m+th, q-1] as the personal identifiers of the n participants, with their set denoted PList; the n consecutive integers g_1, g_2, g_3, …, g_n of the interval [m, m+n-1] are set as the identifiers of the system public shares, with their set denoted GList; finally, n random integers k_1, k_2, k_3, …, k_n are randomly selected in the range [0, q-1] as the system public shares, with their set denoted OS_{sys}.
3. The lattice-based distributed threshold addition homomorphic encryption method of claim 2, wherein the secret distribution algorithm MultiSS.Split is executed by the secret distributor, takes as input the system parameters paramSS and the ordered secret set mList, and outputs the secret share set SList and the user public shares OS_u; let the m secrets to be shared be C_1, C_2, C_3, …, C_m; the specific steps are as follows:
generate the polynomial h(x) of degree n+m-1 by interpolation: take the m value pairs formed from the secrets, (0, C_1), (1, C_2), (2, C_3), …, (m-1, C_m), together with the n value pairs formed from the system public shares, (g_1, k_1), (g_2, k_2), (g_3, k_3), …, (g_n, k_n), giving n+m value pairs in total, and apply the Lagrange polynomial interpolation algorithm to obtain the polynomial h(x) = a_0 + a_1 x + a_2 x^2 + … + a_{n+m-1} x^{n+m-1} of degree n+m-1;
generate the secret share set SList of the participants: use the polynomial h(x) of degree n+m-1 obtained above to compute the secret share of each participant; the personal identifier p_i of the user is input to the polynomial h(x) as the argument, and the function value h(p_i) is the secret share of that participant; the set of these shares is SList;
when m > th, the public share set OS_u of the secret distributor must also be generated: set m-th integers b_1, b_2, b_3, …, b_{m-th} in the interval [m+n, m+2n-th-1] as the identifiers of the public shares of the secret distributor, with their set denoted BList; input each identifier in BList into the polynomial h(x) to obtain the corresponding value h(b_i); the set of these values is denoted OS_u.
4. The method of claim 3, wherein the secret reconstruction algorithm MultiSS.Recover is executed by any party that needs to recover the secrets; its inputs are the system parameters paramSS, a secret share set SList containing no fewer than th shares, and the public share set OS_u of the secret distributor; its output is the ordered secret set mList; the specific steps are as follows:
recover the polynomial h(x) of degree n+m-1 by interpolation: obtain no fewer than th value pairs (p_i, h(p_i)) from the secret share set SList; obtain n value pairs (g_n, k_n) from the system public shares OS_{sys}; if m > th, also obtain m-th value pairs (b_i, h(b_i)) from the public share set OS_u of the secret distributor; with no fewer than m+n value pairs in total, recover h(x) using the Lagrange polynomial interpolation algorithm;
generate the ordered secret set mList: compute C_i = h(i-1) for i = 1, 2, …, m to recover the secrets; the resulting set is denoted mList.
5. The lattice-based distributed threshold addition homomorphic encryption method of claim 1, wherein the step S3 specifically comprises:
first select a noise
Figure FDA0004177247520000031
For sk_{u0} and
Figure FDA0004177247520000032
the secret distribution algorithm MultiSS.Split is executed on every m consecutive coefficients; fully sharing the whole private key and the whole noise each requires executing
Figure FDA0004177247520000033
rounds of the multi-secret sharing algorithm, which yields the ordered sets of secret shares of user u's private key and noise
Figure FDA0004177247520000034
and
Figure FDA0004177247520000035
and the ordered sets of user public shares
Figure FDA00041772475200000310
and
Figure FDA00041772475200000311
each of the four ordered sets contains
Figure FDA0004177247520000036
elements; then, for each user in the set U, the following procedure is executed:
a) Pack the two ordered sets of secret shares {Ssk_{uv}, Seu_{uv}} to be sent to user v into the message s_{uv}, where Ssk_{uv} is the set of secret shares of the private key and Seu_{uv} is the set of secret shares of the noise; assuming that the identifier of user v is p_0, then
Figure FDA0004177247520000037
Figure FDA0004177247520000038
b) Using the public key pk_{v1} of user v, run the encryption algorithm HPKE.Enc(pk_{v1}, s_{uv}) to obtain the encrypted message e_{uv}; the final output is the set of encrypted messages for the individual users {e_{uv}}_{v∈U} and the ordered set of public shares of user u
Figure FDA0004177247520000039
where user u's own share is kept local.
CN202110713307.6A 2021-06-25 2021-06-25 Grid-based distributed threshold addition homomorphic encryption method Active CN113591102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110713307.6A CN113591102B (en) 2021-06-25 2021-06-25 Grid-based distributed threshold addition homomorphic encryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110713307.6A CN113591102B (en) 2021-06-25 2021-06-25 Grid-based distributed threshold addition homomorphic encryption method

Publications (2)

Publication Number Publication Date
CN113591102A CN113591102A (en) 2021-11-02
CN113591102B true CN113591102B (en) 2023-05-26

Family

ID=78244633

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110713307.6A Active CN113591102B (en) 2021-06-25 2021-06-25 Grid-based distributed threshold addition homomorphic encryption method

Country Status (1)

Country Link
CN (1) CN113591102B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant