CN116132046A - Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm - Google Patents

Publication number: CN116132046A
Application number: CN202211579091.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: distribution table, decryption, probability, decryption error, error rate
Inventors: 王林, 王洋, 贾惠文, 庄金成, 林志强, 程蕾晓, 余玉银, 黄巧龙
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/26 Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method, medium, device and system for estimating the decryption error rate of a lattice-based encryption algorithm, belonging to the technical field of cryptographic security. The method comprises: determining the floating-point data type required for estimating the decryption error rate from the parameters of the lattice-based cryptographic algorithm itself; running heuristic rough-estimation cryptographic detection program code or a computing device to obtain the small-probability threshold that may be cut off in the fine calculation; and finally running fine-estimation cryptographic detection program code or a computing device to quickly obtain the decryption error rate target value. The invention makes the computation data type explicit and ensures that machine error does not affect the decryption error probability estimate within the specified input precision range; it ensures that the cut-off part of the distribution table does not affect the decryption error probability estimate within the specified input precision range; and it speeds up the estimation of the algorithm's decryption error probability.

Description

Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm
Technical Field
The invention relates to the technical field of cryptographic security, and in particular to a method, medium, device and system for estimating the decryption error rate of a lattice-based encryption algorithm.
Background
Quantum computing seriously threatens the security of existing public-key cryptography [1], so the cryptographic community is researching post-quantum cryptography and carrying out standardization work [2], so that information remains protected once quantum computers become practical. In post-quantum cryptography, lattice-based encryption is an extremely important technique. CRYSTALS-Kyber [4], the only post-quantum encryption algorithm published by the National Institute of Standards and Technology (NIST) in July 2022, is a lattice-based encryption algorithm [3], and SABER [6], FrodoKEM [7] and others that entered the third round of evaluation in NIST's post-quantum cryptography standardization are also lattice-based encryption algorithms.
Under the existing Lindner-Peikert framework for lattice-based encryption [8], which covers Kyber [4], Saber [6], FrodoKEM [7] and others, decryption has a probability of error, and this decryption error probability affects the security of the encryption algorithm to some extent [8]. Accurate and fast estimation of the decryption error rate of such lattice-based encryption algorithms is therefore needed.
In the field of lattice cryptography, the decryption error rate is typically computed as the probability that an expression of a form such as
Figure SMS_1
Figure SMS_2
holds, where $s_1, e_1, s_2, e_2, e$ are secret vectors or perturbation vectors randomly generated by the cryptographic algorithm according to a specified distribution. To quantify the decryption error probability, the base-2 logarithm of the decryption error rate is generally taken as the target value for comparison. For example, if the decryption error probability is $2^{-136.87}$, the target value of the decryption error probability is -136.87. There are currently three main estimation approaches: the first is a rough estimate based on the Chernoff inequality; the second is a Gaussian approximation based on the central limit theorem (including the Lyapunov theorem) [6]; the third computes the distribution of the sum of random variables by convolution, according to the discrete distributions used in the cryptographic algorithm [4][6][7]. To speed up estimation, the third approach usually truncates the tails, removing some of the smaller probability values during the calculation [4][6][7].
References
[1] Peter Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, 1994 Symposium of Foundations on Computer Science, SIAM Journal of Computing 26, pp. 1484-1509 (1997).
[2] National Institute of Standards and Technology (NIST), Post-Quantum Cryptography PQC, https://csrc.nist.gov/projects/post-quantum-cryptography
[3] NIST, Post-Quantum Cryptography PQC Round 3 Submissions, https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
[4] Peter Schwabe et al., CRYSTALS cryptographic suite for algebraic lattices, https://pq-crystals.org/kyber/index.shtml
[5] GitHub - pq-crystals/kyber, https://github.com/pq-crystals/kyber
[6] D'Anvers, JP., Karmakar, A., Sinha Roy, S., Vercauteren, F. (2018). Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2018. AFRICACRYPT 2018. Lecture Notes in Computer Science, vol 10831. Springer, Cham. https://doi.org/10.1007/978-3-319-89339-6_16
[7] Erdem Alkim et al., FrodoKEM, practical quantum-secure key encapsulation from generic lattices, https://frodokem.org/
[8] R. Lindner and C. Peikert. Better key sizes (and attacks) for LWE-based encryption. In CT-RSA, pages 319–339. 2011.
[9] D'Anvers, JP., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I. (2019). Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science, vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_19
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a method, medium, device and system for estimating the decryption error rate of a lattice-based encryption algorithm. It makes the computation data type explicit and ensures that machine error does not affect the decryption error probability estimate within the specified input precision range; it ensures that the cut-off part of the distribution table does not affect the decryption error probability estimate within the specified input precision range; and it speeds up the estimation of the algorithm's decryption error probability.
The object of the invention is achieved by the following scheme:
A method for estimating the decryption error rate of a lattice-based encryption algorithm comprises the following steps:
determining the floating-point data type required for estimating the decryption error rate from the parameters of the lattice-based cryptographic algorithm itself;
running heuristic rough-estimation cryptographic detection program code or a computing device to obtain the small-probability threshold that may be cut off in the fine calculation, and finally running fine-estimation cryptographic detection program code or a computing device to quickly obtain the decryption error rate target value.
Further, determining the floating-point data type required for estimating the decryption error rate from the parameters of the lattice-based cryptographic algorithm itself, running the heuristic rough-estimation cryptographic detection program code or computing device to obtain the small-probability threshold that may be cut off in the fine calculation, and finally running the fine-estimation cryptographic detection program code or computing device to quickly obtain the decryption error rate target value comprises the following sub-steps:
Step S0: Start. Input to the cryptographic detection program code or computing device: the modulus q of the lattice-based cryptographic algorithm; the distribution table describing the private key or the random perturbation,
Figure SMS_3
the accumulation count r of the random variable $s_1 e_2 - e_1 s_2$ determined by the cryptographic operations, used in judging whether decryption is in error; the number n of final plaintext output units of each encryption operation; and the relative error upper bound $\varepsilon_r$ or the absolute error upper bound $\varepsilon_a$ of the decryption error rate target value.
Step S1: From the distribution table
Figure SMS_4
determine the estimated boundary index $m_0$; from the way the distribution table $D_e$ is computed, determine the estimated boundary index $m_1$; and compute the index $m = (m_0 + q)r - q + m_1$, which measures how fast the perturbation error expands;
Step S2: Select the floating-point data type of the cryptographic detection program code or computing device such that the relative error precision $\varepsilon_M$ of floating-point operations is always no more than
Figure SMS_5
or no more than
Figure SMS_6
Step S3: Compute the distribution table
Figure SMS_7
Step S4: Roughly estimate the probability $p_{clt}$ of a decryption error in a single output unit of the cryptographic algorithm under test;
Step S5: Begin the trial calculation of the probability of a decryption error in a single output unit of the cryptographic algorithm under test; set the truncation upper bound to
Figure SMS_8
or
Figure SMS_9
Figure SMS_10
Step S6: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the machine can represent does not exceed
Figure SMS_11
or
Figure SMS_12
Step S7: With the truncation upper bound $B_{abscnt}$ or $B_{relcnt}$, compute by simulation the probability $p_{abscnt}$ or $p_{relcnt}$ of a decryption error in a single output unit;
Step S8: Begin computing the probability of a decryption error in a single output unit of the cryptographic algorithm under test, and set the truncation upper bound to:
Figure SMS_13
or
Figure SMS_14
Step S9: If $B_{abscnf} \ge B_{abscnt}$ or $B_{relcnf} \ge B_{relcnt}$, set $p_{abscnf} = p_{abscnt}$ or $p_{relcnf} = p_{relcnt}$ and go to step S12;
Step S10: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the machine can represent does not exceed
Figure SMS_15
or
Figure SMS_16
Step S11: With the truncation upper bound $B_{abscnf}$ or $B_{relcnf}$, compute by simulation the probability $p_{abscnf}$ or $p_{relcnf}$ of a decryption error in a single output unit of the cryptographic algorithm under test;
Step S12: Under the assumption that the output bits are independent, output the decryption error probability target value $\log_2(n p_{abscnf})$ or $\log_2(n p_{relcnf})$ of the cryptographic algorithm under test, and end.
Further, in step S3, computing the distribution table
Figure SMS_17
comprises the following sub-steps, where
Figure SMS_18
denotes the residue class ring modulo q, with representatives taken as $\{0, 1, \ldots, q-1\}$ or $\{-[q/2], \ldots, [(q-1)/2]\}$:
Step S31: Compute the distribution table
Figure SMS_19
for any
Figure SMS_20
Figure SMS_21
Compute
Figure SMS_22
for any
Figure SMS_23
Figure SMS_24
Step S32: Compute the distribution table
Figure SMS_25
for any
Figure SMS_26
Figure SMS_27
Step S33: For the distribution table
Figure SMS_28
compute the mean $\mu_0$ and variance $\sigma_0$:
Figure SMS_29
Figure SMS_30
Further, in step S4, roughly estimating the probability $p_{clt}$ of a decryption error in a single output unit of the cryptographic algorithm under test comprises the following sub-steps:
Step S41: Choose either to use a lower bound of the decryption error probability of a single output unit, or to use the central limit theorem to estimate an approximation of the decryption error probability of a single output unit of the cryptographic algorithm under test; if the former is chosen, go to step S42; if the central limit theorem is chosen, go to step S43;
Step S42: Estimate a lower bound of the probability of a decryption error in a single output unit, or select an inequality according to the specific conditions, and set the result as the estimated value $p_{clt}$ of the probability of a decryption error in a single output unit;
Step S43: Estimate an approximation $p_{clt}$ of the probability of a decryption error in a single output unit using the central limit theorem, or select the way the central limit theorem is applied according to the specific conditions.
Further, step S7 includes the following steps:
Step S71: Input the truncation upper bound B and the distribution tables
Figure SMS_31
and $D_e$;
Step S72: Compute the binary representation sequence $r_{k-1} \ldots r_1 r_0$ of r without its most significant bit, i.e. satisfying $r = r_0 + 2r_1 + \cdots + 2^{k-1} r_{k-1} + 2^k$, where $r_0, r_1, \ldots, r_{k-1} \in \{0, 1\}$;
Step S73: Set $l = k$ and the distribution table
Figure SMS_32
Step S75: Compute the convolution distribution table $D_{bl}$ of distribution table $D_l$ with distribution table $D_l$, i.e. satisfying
Figure SMS_33
Step S76: Cut off the values of distribution table $D_{bl}$ that are well below the boundary B, giving the distribution table $D'_{bl}$; that is,
Figure SMS_34
Step S77: If $r_l = 1$, go to step S78; otherwise set the distribution table $D_{l-1} = D'_{bl}$ and go to step S711;
Step S78: Compute the convolution distribution table $D_{al}$ of distribution table $D'_{bl}$ and distribution table
Figure SMS_35
i.e. satisfying
Figure SMS_36
Step S79: Cut off the values of distribution table $D_{al}$ that are well below the boundary B; that is,
Figure SMS_37
Step S710: Set the discrete probability distribution $D_{l-1} = D'_{al}$;
Step S711: If $l > 1$, set $l = l - 1$ and go to step S75;
Step S712: Compute the convolution distribution table $D_1$ of distribution table $D_0$ and distribution table $D_e$, i.e. satisfying
Figure SMS_38
Step S714: Compute
Figure SMS_39
Step S715: Return the value p;
Step S11 includes the following steps:
Step S111: Input the truncation upper bound B and the distribution tables
Figure SMS_40
and $D_e$;
Step S112: Compute the binary representation sequence $r_{k-1} \ldots r_1 r_0$ of r without its most significant bit, i.e. satisfying $r = r_0 + 2r_1 + \cdots + 2^{k-1} r_{k-1} + 2^k$, where $r_0, r_1, \ldots, r_{k-1} \in \{0, 1\}$;
Step S113: Set $l = k$ and the distribution table
Figure SMS_41
Step S115: Compute the convolution distribution table $D_{bl}$ of distribution table $D_l$ with distribution table $D_l$, i.e. satisfying
Figure SMS_42
Step S116: Cut off the values of distribution table $D_{bl}$ that are well below the boundary B, giving the distribution table $D'_{bl}$; that is,
Figure SMS_43
Step S117: If $r_l = 1$, go to step S78; otherwise set the distribution table $D_{l-1} = D'_{bl}$ and go to step S1111;
Step S118: Compute the convolution distribution table $D_{al}$ of distribution table $D'_{bl}$ and distribution table
Figure SMS_44
i.e. satisfying
Figure SMS_45
Step S119: Cut off the values of distribution table $D_{al}$ that are well below the boundary B; that is,
Figure SMS_46
Step S1110: Set the discrete probability distribution $D_{l-1} = D'_{al}$;
Step S1111: If $l > 1$, set $l = l - 1$ and go to step S115;
Step S1112: Compute the convolution distribution table $D_1$ of distribution table $D_0$ and distribution table $D_e$, i.e. satisfying
Figure SMS_47
Step S1114: Compute
Figure SMS_48
Step S1115: Return the value p.
Further, in step S43, estimating the approximation $p_{clt}$ of the probability of a decryption error in a single output unit of the cryptographic algorithm under test by means of the central limit theorem comprises the following sub-steps:
First compute the mean $\mu_e$ and variance $\sigma_e$ of the discrete probability distribution $D_e$, then the mean $\mu = r\mu_0 + \mu_e$ and variance $\sigma = r\sigma_0 + \sigma_e$ of the sum of the random variables;
Then compute the estimated value of the decryption error probability of a single output unit of the cryptographic algorithm under test:
Figure SMS_49
Under specific parameters the calculation is generally simpler:
Figure SMS_50
In practice this step is computed with an error function, a complementary error function or an integral.
Further,
between step S73 and step S75, the method includes:
Step S74: Cut off the values of distribution table $D_l$ that are well below the boundary B; that is, set
Figure SMS_51
Between step S712 and step S714, the method includes:
Step S713: Cut off the values of distribution table $D_1$ that are well below the boundary B; that is,
Figure SMS_52
Between step S113 and step S115, the method includes:
Step S114: Cut off the values of distribution table $D_l$ that are well below the boundary B; that is, set
Figure SMS_53
Between step S1112 and step S1114, the method includes:
Step S1113: Cut off the values of distribution table $D_1$ that are well below the boundary B; that is,
Figure SMS_54
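The truncated convolution of steps S71 to S715 and the central-limit estimate of step S43, as an added Python example that is not part of the patent text. The formulas behind the Figure placeholders are not reproduced on this page, so the product form of $D_0$, the tail sum over $|x| > b$, the complementary-error-function tail, the caller-supplied truncation bound, and all function names and toy parameters are assumptions.

```python
import math
from collections import defaultdict

def cbd(eta):
    """Centered binomial table on [-eta, eta]; constructed sample input."""
    return {k - eta: math.comb(2 * eta, k) / 4 ** eta for k in range(2 * eta + 1)}

def product_table(ds, de):
    """Table of s*e for independent s ~ ds, e ~ de (assumed form of D_0)."""
    out = defaultdict(float)
    for s, ps in ds.items():
        for e, pe in de.items():
            out[s * e] += ps * pe
    return dict(out)

def convolve(a, b):
    """Distribution table of the sum of two independent variables."""
    out = defaultdict(float)
    for x, px in a.items():
        for y, py in b.items():
            out[x + y] += px * py
    return dict(out)

def truncate(d, bound):
    """Cut off table entries whose probability is below the bound B."""
    return {x: p for x, p in d.items() if p >= bound}

def r_fold(d0, r, bound):
    """r-fold self-convolution of d0 by square-and-multiply.

    The bits of r below its most significant bit are scanned from high to
    low (bin(13) = '0b1101' gives '101'); every convolution is followed by
    a truncation, as in steps S74 to S79.
    """
    d = truncate(d0, bound)
    for bit in bin(r)[3:]:
        d = truncate(convolve(d, d), bound)       # doubling step
        if bit == "1":
            d = truncate(convolve(d, d0), bound)  # extra copy of D_0
    return d

def tail_probability(d0, de, r, b, bound):
    """Per-unit failure probability, assumed to be P(|x| > b) on the final table."""
    final = truncate(convolve(r_fold(d0, r, bound), de), bound)
    return sum(p for x, p in final.items() if abs(x) > b)

def moments(d):
    """Mean and variance of a distribution table."""
    mu = sum(x * p for x, p in d.items())
    return mu, sum((x - mu) ** 2 * p for x, p in d.items())

def clt_tail(d0, de, r, b):
    """Gaussian approximation with mean r*mu_0 + mu_e and variance r*sigma_0 + sigma_e."""
    mu0, var0 = moments(d0)
    mue, vare = moments(de)
    mu, var = r * mu0 + mue, r * var0 + vare
    s = math.sqrt(2 * var)
    return 0.5 * (math.erfc((b - mu) / s) + math.erfc((b + mu) / s))

def target_value(p, n):
    """Step S12: log2(n * p) under the independence assumption."""
    return math.log2(n * p)

if __name__ == "__main__":
    # Toy parameters (constructed): r = 13 terms, threshold b = 12, n = 256 units.
    d0, de, r, b, n = product_table(cbd(2), cbd(2)), cbd(2), 13, 12, 256
    print("CLT estimate  log2(n*p) =", round(target_value(clt_tail(d0, de, r, b), n), 3))
    for bound in (0.0, 2.0 ** -60, 1e-3):
        p = tail_probability(d0, de, r, b, bound)
        shown = round(target_value(p, n), 3) if p > 0 else "undefined (p = 0)"
        print(f"bound {bound:.3g}: p = {p:.6g}, log2(n*p) = {shown}")
```

With a bound far below the tail being measured the result matches the untruncated computation, while a bound close to the tail probabilities removes the very mass the estimate depends on.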
A readable storage medium in which a computer program is stored, the computer program being loaded by a processor to execute the method according to any of the preceding claims.
A computer device comprising a processor and a memory, the memory storing a computer program which, when loaded by the processor, performs the method of any of the preceding claims.
A system for estimating the decryption error rate of a lattice-based encryption algorithm, comprising a computer device as described above, or comprising a detection device for performing the method of any of claims 1-7.
The beneficial effects of the invention include:
Addressing the shortcomings of existing techniques for evaluating the decryption error rate of lattice-based encryption algorithms, the technical scheme of the invention has the following beneficial effects and advantages:
(1) The computation data type to be adopted is made explicit, and machine error is guaranteed not to affect the decryption error probability estimate within the specified input precision range.
(2) The boundary value for the small-probability data cut off to accelerate the computation is given, and the cut-off part of the distribution table is guaranteed not to affect the decryption error probability estimate within the specified input precision range.
(3) The strategy of "rough estimation first, then fine calculation, with the rough estimate assisting the fine calculation" is used, so the estimation of the algorithm's decryption error probability can be accelerated. For example, in computing the decryption error rate of the Frodo-640 algorithm, probabilities can be cut off at $2^{-181.04}$ according to this method and need not be less than $10^{-200}$; therefore, compared with existing computations, more distribution table data can be cut off during the calculation, and the decryption error probability is computed faster.
Drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of the general steps of a method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method of calculating basic distribution table information according to an embodiment of the present invention;
FIG. 3 is a flow chart of a method of estimating a probability of decryption errors for a single output unit according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method for simulating and calculating a target value of decryption error rate according to an embodiment of the invention.
Detailed Description
All of the features disclosed in all of the embodiments of this specification, or all of the steps in any method or process disclosed implicitly, except for the mutually exclusive features and/or steps, may be combined and/or expanded and substituted in any way.
Interpretation of the terms
Distribution table: a data structure that assigns non-negative values to integers, used to record all or part of a discrete probability distribution.
Figure SMS_55
The residue class ring modulo q, whose representatives are usually taken as $\{0, 1, \ldots, q-1\}$ or $\{-[q/2], \ldots, [(q-1)/2]\}$.
In view of the problems described in the background, the inventors found, after inventive analysis and reflection, that according to the published literature and open-source code, existing methods for computing the decryption error rate of lattice-based encryption algorithms still have the following shortcomings:
(1) The computation data type and the basis for choosing it are not made explicit.
To make the estimation feasible in both time and space, floating-point operations are typically used. However, floating-point data types differ in precision, storage consumption and computation time, and existing methods give no clear statement of which floating-point data type should be adopted or on what basis it should be chosen.
(2) The threshold for cutting off data to accelerate the computation, and the basis for choosing it, are not made explicit.
To reduce evaluation time, small distribution values are cut off when convolutions of discrete distributions are computed in succession, but it is currently not made explicit how small these values must be, nor on what basis the cut-off threshold is chosen. For example, in the decryption error rate test code of the CRYSTALS-Kyber and Saber algorithms, discrete probability values less than or equal to $2^{-300}$ are cut off [3][6][4][5]; in the decryption error rate test code of the FrodoKEM algorithm, discrete probability values smaller than $10^{-200}$ ($2^{-650}$ in the commented code) are cut off [7][3].
(3) The different calculation methods for the decryption error rate and their results cannot be related to one another.
In existing computations of the lattice-cryptography decryption error rate, the three calculation methods above are independent of one another, and the inherent relationship between their results can be neither described nor exploited, so no unified overall evaluation of the decryption error rate is formed.
To address the problem of estimating the decryption error rate of a lattice-based encryption algorithm, the invention provides a technical scheme for this estimation, comprising a corresponding method, medium, device and system. The method determines the floating-point data type required for estimating the decryption error rate from the parameters of the lattice-based encryption algorithm and uses the existing decryption error rate calculation methods together: a heuristic rough estimate is run first, the small-probability threshold that may be cut off in the fine calculation is then derived, and finally the fine estimate is run to quickly obtain the decryption error rate target value. The method improves on the known decryption error rate calculation methods and is also applicable to lattice-based key exchange protocols, key encapsulation and the like.
The technical innovations of the embodiments of the invention are: (1) the decryption error probability is first estimated roughly, and this estimate is then used to help evaluate the decryption error probability accurately; (2) the data type required for accurately computing the decryption error rate is determined quantitatively, and the decision boundary value for cutting off part of the probability mass, which accelerates the accurate computation, is determined in advance; (3) the absolute error and relative error of the resulting decryption error rate lie within the specified precision range.
Example 1
The technical scheme of the embodiment of the invention is described in detail below. The basic concepts involved are as follows.
Distribution table: a data structure that assigns non-negative values to integers, used to record all or part of a discrete probability distribution.
Figure SMS_56
The residue class ring modulo q, whose representatives are usually taken as $\{0, 1, \ldots, q-1\}$ or $\{-[q/2], \ldots, [(q-1)/2]\}$.
The method for estimating the decryption error rate of a lattice-based encryption algorithm provided by the invention comprises the following steps:
Start: Input to the cryptographic detection program code or computing device: the modulus q of the lattice-based cryptographic algorithm; the distribution table describing the private key or the random perturbation,
Figure SMS_57
the random variable $s_1 e_2 - e_1 s_2$ determined by the cryptographic operations; the boundary value b for judging whether decryption is in error; the number n of final plaintext output units of each encryption computation; and the accuracy requirement on the decryption error rate target value (the relative error upper bound $\varepsilon_r$ or the absolute error upper bound $\varepsilon_a$).
Step 1: From the distribution table
Figure SMS_58
determine the estimated boundary index $m_0$; from the way the last-step distribution $D_e$ is computed, determine the estimated boundary index $m_1$; and compute $m = (m_0 + q)r - q + m_1$. For example, for CRYSTALS-Kyber one may choose $m_0 = 5q + 2$, $m = 6qr + 2r$.
Step 2: Select the floating-point data type of the cryptographic detection program code or computing device such that the relative error precision $\varepsilon_M$ of floating-point operations is always no more than
Figure SMS_59
(or no more than
Figure SMS_60
).
Step 3: Compute the distribution table
Figure SMS_61
Step 4: Roughly estimate the probability $p_{clt}$ of a decryption error in a single output unit of the cryptographic algorithm under test.
Step 5: Compute the probability of a decryption error in a single output unit of the cryptographic algorithm under test. Set the truncation upper bound to
Figure SMS_62
(or
Figure SMS_63
Figure SMS_64
).
Step 6: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the machine can represent does not exceed
Figure SMS_65
(or
Figure SMS_66
).
Step 7: With the truncation upper bound $B_{abscnt}$ (or $B_{relcnt}$), compute by simulation the probability $p_{abscnt}$ (or $p_{relcnt}$) of a decryption error in a single output unit.
Step 8: Begin computing the probability of a decryption error in a single output unit of the cryptographic algorithm under test. Set the truncation upper bound to:
Figure SMS_67
(or
Figure SMS_68
)
Step 9: If $B_{abscnf} \ge B_{abscnt}$ (or $B_{relcnf} \ge B_{relcnt}$), set $p_{abscnf} = p_{abscnt}$ (or $p_{relcnf} = p_{relcnt}$) and go to step 12.
Step 10: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the computing device can represent does not exceed
Figure SMS_69
(or
Figure SMS_70
).
Step 11: With the truncation upper bound $B_{abscnf}$ (or $B_{relcnf}$), compute by simulation the probability $p_{abscnf}$ (or $p_{relcnf}$) of a decryption error in a single output unit of the cryptographic algorithm under test.
Step 12: Under the assumption that the output bits are independent, output the decryption error probability target value $\log_2(n p_{abscnf})$ (or $\log_2(n p_{relcnf})$) of the cryptographic algorithm under test, and end.
Example 2
Based on embodiment 1, in the estimation method of the decryption error rate of the lattice-based encryption algorithm provided by the technical scheme of the embodiment of the invention, step 3 includes the following sub-steps:
Step 3.1: Compute the distribution table
Figure SMS_71
For any
Figure SMS_72
Figure SMS_73
Step 3.2: Compute
Figure SMS_74
For any
Figure SMS_75
Figure SMS_76
Step 3.3: Compute the distribution table
Figure SMS_77
For any
Figure SMS_78
Figure SMS_79
Step 3.4: Compute, for the distribution table
Figure SMS_80
the mean $\mu_0$ and variance $\sigma_0$:
Figure SMS_81
Figure SMS_82
Example 3
Based on embodiment 1, in the estimation method of the decryption error rate of the lattice-based encryption algorithm provided by the technical scheme of the embodiment of the invention, step 4 includes the following sub-steps:
Step 4.1: To estimate the probability of a decryption error for a single output unit of the detected cryptographic algorithm, choose either a lower bound on that probability or an approximation obtained from the central limit theorem (including the Lyapunov theorem). If the lower bound is chosen, go to step 4.2; if the central limit theorem (including the Lyapunov theorem) is chosen, go to step 4.3.
Step 4.2: Estimate a lower bound on the probability of a decryption error for a single output unit, and set it as the estimated value $p_{clt}$ of the probability of a decryption error for a single output unit of the detected cryptographic algorithm. For example, set
Figure SMS_83
Return the value $p_{clt}$.
Step 4.3: Estimate an approximation $p_{clt}$ of the probability of a decryption error for a single output unit of the detected cryptographic algorithm using the central limit theorem (including the Lyapunov theorem), for example in the following manner (step 4.4 to step 4.5):
Step 4.4: Calculate the mean $\mu_e$ and variance $\sigma_e$ of the discrete probability distribution $D_e$, then calculate the mean $\mu = r\mu_0 + \mu_e$ and variance $\sigma = r\sigma_0 + \sigma_e$ of the sum of the random variables.
Step 4.5: calculating an estimated value of the probability of decryption errors of a single output unit of the detected cryptographic algorithm:
Figure SMS_84
it is generally simpler to calculate under specific parameters:
Figure SMS_85
in practice this step may be calculated by an error function, a complementary error function or an integral.
Example 4
Based on embodiment 1, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the technical scheme of the embodiment of the present invention, step 7 or step 11 is completed by the following steps:
Step 7.1: Input the upper bound of interception $B$ from step 7 or step 11, the distribution table
Figure SMS_86
and $D_e$.
Step 7.2: Compute the binary representation sequence $r_{k-1} \dots r_1 r_0$ of $r$ without the most significant bit, i.e. satisfying $r = r_0 + 2r_1 + \dots + 2^{k-1} r_{k-1} + 2^k$, where $r_0, r_1, \dots, r_{k-1} \in \{0, 1\}$.
Step 7.3: Set $l = k$ and the distribution table
Figure SMS_87
Step 7.4: Cut off the values of distribution table $D_l$ that are below the boundary $B$, i.e. set
Figure SMS_88
Step 7.5: Calculate the convolution distribution table $D_{bl}$ of distribution table $D_l$ with distribution table $D_l$, i.e. satisfying
Figure SMS_89
Step 7.6: Cut off the values of distribution table $D_{bl}$ that are well below the boundary $B$, giving a distribution table $D'_{bl}$. That is,
Figure SMS_90
Step 7.7: If $r_l = 1$, go to step 7.8; otherwise set distribution table $D_{l-1} = D'_{bl}$ and go to step 7.11.
Step 7.8: Calculate the convolution distribution table $D_{al}$ of distribution table $D'_{bl}$ and distribution table
Figure SMS_91
i.e. satisfying
Figure SMS_92
Step 7.9: Cut off the values of distribution table $D_{al}$ that are below the boundary $B$. That is,
Figure SMS_93
Step 7.10: Set the discrete probability distribution $D_{l-1} = D'_{al}$.
Step 7.11: If $l > 1$, set $l = l - 1$ and go to step 7.5.
Step 7.12: Calculate the convolution distribution table $D_1$ of distribution table $D_0$ and distribution table $D_e$, i.e. satisfying
Figure SMS_94
Step 7.13: Cut off the values of distribution table $D_1$ that are below the boundary $B$. That is,
Figure SMS_95
Step 7.14: Calculate
Figure SMS_96
Step 7.15: a value p is returned.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, the estimated object distribution is described
Figure SMS_97
Figure SMS_98
In general, the specific scheme is correspondingly adjusted, but if the key link of the decryption error rate estimation after adjustment is still the cumulative convolution with the same distribution, the technical scheme of the invention is still applicable.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, the number of output units is not necessarily the number of bits of the plaintext. When no coding technique is used within the cryptographic algorithm, the number of output units generally refers to the number of ciphertext vector coefficients used to carry plaintext in one encryption or key encapsulation. When a coding technique is used within the cryptographic algorithm, the coding technique must be taken into account.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, step 3.1 and step 3.2 may be performed in parallel, their order may be exchanged, and the calculation may be performed once under certain specific parameters.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, the lower bound of step 4.2 is not the only option, and an inequality may be selected according to the specific conditions.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, step 4.4 and step 4.5 are not the only methods for using the central limit theorem (including lyapunov theorem), and the use mode of the central limit theorem (including lyapunov theorem) may be selected according to specific conditions.
Further, in other embodiments, in the method for estimating the decryption error rate of the lattice-based encryption algorithm provided by the embodiment of the present invention, steps 7.4 and 7.13 are optional and may be skipped. Skipping them affects the choice of data type and the setting of the interception boundary $B$, but the effect is usually small.
The method for estimating the decryption error rate of the lattice-based encryption algorithm is also applicable to lattice-based key exchange protocols, key encapsulation mechanisms and similar schemes for which a decryption error rate needs to be estimated.
It should be noted that, within the scope of protection defined in the claims of the present invention, the following embodiments may be combined and/or expanded, and replaced in any manner that is logical from the above specific embodiments, such as the disclosed technical principles, the disclosed technical features or the implicitly disclosed technical features, etc.
The units involved in the embodiments of the present invention may be implemented by software, or may be implemented by hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
According to an aspect of embodiments of the present invention, there is provided a computer program product or computer program or password detection program code or computing device comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the methods provided in the various alternative implementations described above.
As another aspect, the embodiment of the present invention also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the above embodiments.
The parts not covered by the invention are the same as the prior art or can be implemented using the prior art.
The foregoing technical solution is only one embodiment of the present invention, and various modifications and variations can be easily made by those skilled in the art based on the application methods and principles disclosed in the present invention, not limited to the methods described in the foregoing specific embodiments of the present invention, so that the foregoing description is only preferred and not in a limiting sense.
In addition to the foregoing examples, those skilled in the art will recognize from the foregoing disclosure that other embodiments can be made and in which various features of the embodiments can be interchanged or substituted, and that such modifications and changes can be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. The method for estimating the decryption error rate of the lattice-based encryption algorithm is characterized by comprising the following steps of:
determining the floating point data type required by estimating the decryption error rate by using the self parameters of the lattice cryptographic algorithm;
and running heuristic rough estimation password detection program codes or computing equipment to give a small probability critical value which can be cut off in fine calculation, and finally running fine estimation password detection program codes or computing equipment to quickly acquire a decryption error rate target value.
2. The method for estimating a decryption error rate according to claim 1, wherein the floating point data type required for estimating the decryption error rate is determined by using parameters of the lattice cryptographic algorithm itself; determining the floating point data type required by estimating the decryption error rate by using the self parameters of the lattice cryptographic algorithm; the heuristic rough estimation password detection program code or the computing equipment is operated to give a small probability critical value which can be cut off in fine calculation, and finally the fine estimation password detection program code or the computing equipment is operated to quickly acquire the target value of the decryption error rate, and the method comprises the following substeps:
Step S0: Start: input to the cryptographic detection program code or computing device the modulus $q$ of the lattice cryptographic algorithm, the distribution tables corresponding to the private key or the random perturbations
Figure FDA0003985452330000011
$D_e$, the number of accumulations $r$ of the random variable $s_1 e_2 - e_1 s_2$ by which the cryptographic operation determines whether decryption is in error, the number $n$ of final plaintext output units of each encryption operation, and the relative error upper bound $\varepsilon_r$ or the absolute error upper bound $\varepsilon_a$ of the decryption error rate target value;
Step S1: According to the distribution table
Figure FDA0003985452330000012
determine an estimated boundary index $m_0$ by calculation; according to the distribution table $D_e$, determine an estimated boundary index $m_1$ by calculation; calculate the index $m = (m_0 + q)r - q + m_1$ that measures the expansion speed of the disturbance error;
Step S2: Select the floating-point data type of the cryptographic detection program code or computing device such that the relative error precision $\varepsilon_M$ of the floating-point operations does not exceed
Figure FDA0003985452330000013
or does not exceed
Figure FDA0003985452330000021
Step S3: computing distribution table
Figure FDA0003985452330000022
Step S4: Roughly estimate the probability $p_{clt}$ of a decryption error for a single output unit of the detected cryptographic algorithm;
Step S5: Begin the trial calculation of the probability of a decryption error for a single output unit of the detected cryptographic algorithm; set the upper bound of interception as
Figure FDA0003985452330000023
or
Figure FDA0003985452330000024
Figure FDA0003985452330000025
Step S6: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the machine can represent does not exceed
Figure FDA0003985452330000026
or
Figure FDA0003985452330000027
Step S7: With the upper bound of interception $B_{abscnt}$ or $B_{relcnt}$, calculate the probability $p_{abscnt}$ or $p_{relcnt}$ of a decryption error for a single output unit of the detected cryptographic algorithm using simulation;
Step S8: Begin calculating the probability of a decryption error for a single output unit of the detected cryptographic algorithm, and set the upper bound of interception as follows:
Figure FDA0003985452330000028
or
Figure FDA0003985452330000029
Step S9: If $B_{abscnf} \ge B_{abscnt}$ or $B_{relcnf} \ge B_{relcnt}$, set $p_{abscnf} = p_{abscnt}$ or $p_{relcnf} = p_{relcnt}$ and go to step S12;
Step S10: Select the floating-point data type of the cryptographic detection program code or computing device such that the smallest positive normal floating-point number the computing device can represent does not exceed
Figure FDA00039854523300000210
or
Figure FDA00039854523300000211
Step S11: With the upper bound of interception $B_{abscnf}$ or $B_{relcnf}$, calculate the probability $p_{abscnf}$ or $p_{relcnf}$ of a decryption error for a single output unit of the detected cryptographic algorithm using simulation;
Step S12: Under the independence assumption on the output bits, output the target value $\log_2(n p_{abscnf})$ or $\log_2(n p_{relcnf})$ of the decryption error probability of the detected cryptographic algorithm, and end.
3. The method for estimating a decryption error rate according to claim 2, wherein in step S3, the calculation distribution table
Figure FDA0003985452330000031
The method comprises the following substeps:
Figure FDA0003985452330000032
the residue classes modulo $q$ are represented by the elements $\{0, 1, \dots, q-1\}$ or $\{-[q/2], \dots, [(q-1)/2]\}$;
Step S31: Compute the distribution table
Figure FDA0003985452330000033
For any
Figure FDA0003985452330000034
Figure FDA0003985452330000035
Compute
Figure FDA0003985452330000036
For any
Figure FDA0003985452330000037
Figure FDA0003985452330000038
Step S32: Compute the distribution table
Figure FDA0003985452330000039
For any
Figure FDA00039854523300000310
Figure FDA00039854523300000311
Step S33: Compute, for the distribution table
Figure FDA00039854523300000312
the mean $\mu_0$ and variance $\sigma_0$:
Figure FDA00039854523300000313
Figure FDA00039854523300000314
4. The method for estimating a decryption error rate of a lattice-based encryption algorithm according to claim 2, wherein in step 4, roughly estimating the probability $p_{clt}$ of a decryption error for a single output unit of the detected cryptographic algorithm comprises the following substeps:
Step S41: Choose either a lower bound on the probability of a decryption error for a single output unit, or an approximation of that probability for the detected cryptographic algorithm estimated with the central limit theorem; if the former is chosen, go to step S42; if the central limit theorem is chosen, go to step S43;
Step S42: Estimate a lower bound on the probability of a decryption error for a single output unit, or select an inequality according to the specific conditions, and set it as the estimated value $p_{clt}$ of the probability of a decryption error for a single output unit;
Step S43: Estimate an approximation $p_{clt}$ of the probability of a decryption error for a single output unit using the central limit theorem, or select the manner of use of the central limit theorem according to the specific conditions.
5. The method for estimating a decryption error rate of a lattice-based encryption algorithm of claim 2, wherein,
step S7 includes the steps of:
Step S71: Input the upper bound of interception $B$, the distribution table
Figure FDA0003985452330000041
and $D_e$;
Step S72: Compute the binary representation sequence $r_{k-1} \dots r_1 r_0$ of $r$ without the most significant bit, i.e. satisfying $r = r_0 + 2r_1 + \dots + 2^{k-1} r_{k-1} + 2^k$, where $r_0, r_1, \dots, r_{k-1} \in \{0, 1\}$;
Step S73: Set $l = k$ and the distribution table
Figure FDA0003985452330000042
Step S75: Calculate the convolution distribution table $D_{bl}$ of distribution table $D_l$ with distribution table $D_l$, i.e. satisfying
Figure FDA0003985452330000043
Step S76: Cut off the values of distribution table $D_{bl}$ that are well below the boundary $B$, giving a distribution table $D'_{bl}$; that is,
Figure FDA0003985452330000044
Step S77: If $r_l = 1$, go to step S78; otherwise set the distribution table $D_{l-1} = D'_{bl}$ and go to step S711;
Step S78: Calculate the convolution distribution table $D_{al}$ of distribution table $D'_{bl}$ and distribution table
Figure FDA0003985452330000045
i.e. satisfying
Figure FDA0003985452330000051
Step S79: Cut off the values of distribution table $D_{al}$ that are well below the boundary $B$; that is,
Figure FDA0003985452330000052
Step S710: Set the discrete probability distribution $D_{l-1} = D'_{al}$;
Step S711: If $l > 1$, set $l = l - 1$ and then proceed to step S7.5;
Step S712: Calculate the convolution distribution table $D_1$ of distribution table $D_0$ and distribution table $D_e$, i.e. satisfying
Figure FDA0003985452330000053
Step S714: Calculate
Figure FDA0003985452330000054
Step S715: returning a value p;
step S11 includes the steps of:
Step S111: Input the upper bound of interception $B$, the distribution table
Figure FDA0003985452330000055
and $D_e$;
Step S112: Compute the binary representation sequence $r_{k-1} \dots r_1 r_0$ of $r$ without the most significant bit, i.e. satisfying $r = r_0 + 2r_1 + \dots + 2^{k-1} r_{k-1} + 2^k$, where $r_0, r_1, \dots, r_{k-1} \in \{0, 1\}$;
Step S113: Set $l = k$ and the distribution table
Figure FDA0003985452330000056
Step S115: Calculate the convolution distribution table $D_{bl}$ of distribution table $D_l$ with distribution table $D_l$, i.e. satisfying
Figure FDA0003985452330000057
Step S116: Cut off the values of distribution table $D_{bl}$ that are well below the boundary $B$, giving a distribution table $D'_{bl}$; that is,
Figure FDA0003985452330000061
Step S117: If $r_l = 1$, go to step S78; otherwise set the distribution table $D_{l-1} = D'_{bl}$ and go to step S1111;
Step S118: Calculate the convolution distribution table $D_{al}$ of distribution table $D'_{bl}$ and distribution table
Figure FDA0003985452330000062
i.e. satisfying:
Figure FDA0003985452330000063
Step S119: Cut off the values of distribution table $D_{al}$ that are well below the boundary $B$; namely:
Figure FDA0003985452330000064
Step S1110: Set the discrete probability distribution $D_{l-1} = D'_{al}$;
Step S1111: If $l > 1$, set $l = l - 1$ and then go to step S115;
Step S1112: Calculate the convolution distribution table $D_1$ of distribution table $D_0$ and distribution table $D_e$, i.e. satisfying
Figure FDA0003985452330000065
Step S1114: Calculate
Figure FDA0003985452330000066
Step S1115: a value p is returned.
6. The method for estimating a decryption error rate of a lattice-based encryption algorithm according to claim 1, wherein in step S43, estimating the approximation $p_{clt}$ of the probability of a decryption error for a single output unit of the detected cryptographic algorithm using the central limit theorem comprises the following substeps:
First calculate the mean $\mu_e$ and variance $\sigma_e$ of the distribution table $D_e$, and calculate the mean $\mu = r\mu_0 + \mu_e$ and variance $\sigma = r\sigma_0 + \sigma_e$ of the sum of the random variables;
then calculate an estimated value of the probability of a decryption error for a single output unit of the detected cryptographic algorithm:
Figure FDA0003985452330000071
it is generally simpler to calculate under specific parameters:
Figure FDA0003985452330000072
in practice this step is calculated by an error function, a complementary error function or an integral.
7. The method for estimating a decryption error rate of a lattice-based encryption algorithm of claim 5, wherein,
between step S73 and step S75, the following step is included:
Step S74: Cut off the values of distribution table $D_l$ that are well below the boundary $B$; i.e. set
Figure FDA0003985452330000073
Between step S712 and step S714, the following step is included:
Step S713: Cut off the values of distribution table $D_1$ that are well below the boundary $B$; that is,
Figure FDA0003985452330000074
Between step S113 and step S115, the following step is included:
Step S114: Cut off the values of distribution table $D_l$ that are well below the boundary $B$; i.e. set
Figure FDA0003985452330000075
Between step S1112 and step S1114, the following step is included:
Step S1113: Cut off the values of distribution table $D_1$ that are well below the boundary $B$; that is,
Figure FDA0003985452330000081
8. a readable storage medium, characterized in that a computer program is stored in the readable storage medium, which computer program is loaded by a processor and carries out the method according to any one of claims 1 to 7.
9. A computer device, characterized in that it comprises a processor and a memory, in which a computer program is stored, which computer program is loaded by the processor and carries out the method according to any of claims 1-7.
10. A system for estimating the decryption error rate of a lattice-based encryption algorithm, comprising a computer device, program code, and a computing device as claimed in claim 9; or comprises a detection device for performing the method according to any one of claims 1 to 7.
CN202211579091.XA 2022-12-07 2022-12-07 Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm Pending CN116132046A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211579091.XA CN116132046A (en) 2022-12-07 2022-12-07 Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211579091.XA CN116132046A (en) 2022-12-07 2022-12-07 Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm

Publications (1)

Publication Number Publication Date
CN116132046A true CN116132046A (en) 2023-05-16

Family

ID=86294789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211579091.XA Pending CN116132046A (en) 2022-12-07 2022-12-07 Estimation method, medium, equipment and system for decryption error rate of lattice-based encryption algorithm

Country Status (1)

Country Link
CN (1) CN116132046A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117081724A (en) * 2023-10-18 2023-11-17 中国电子科技集团公司第三十研究所 Estimation method for instance calculated amount of problem with error learning
CN117081724B (en) * 2023-10-18 2023-12-26 中国电子科技集团公司第三十研究所 Estimation method for instance calculated amount of problem with error learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination