KR101906363B1 - ACD Instance Hardening Process, Hardening Recovery Process And Device Which Utilize - Google Patents

Abstract

The present invention relates to an ACD instance hardening method and a hardening restoration method, and a device using the same. According to the embodiment of the present invention, it is possible to reduce the length of the ACD instance while shortening the ring structure of the ACD instance while maintaining the security, and the cipher text can also be shortened, thereby improving the efficiency of the cryptosystem.

Description

ACD Instance hardening method and hardening restoration method and device using it. {ACD Instance Hardening Process, Hardening Recovery Process And Device Which Utilize}

And more particularly to an ACD instance hardening method and a hardening method for making an ACD problem more difficult and designing a symmetric key-based homogeneous password having a shorter cipher text, and more particularly, And a device using the same.

에 대해

인 p의 근접 곱들(Approximate multiples) 사이의 공통 정수(common integer) p를 찾기 위해 2001년경 도입되었다.The ACD problem was introduced by Howgrave-Graham,

About

Was introduced around 2001 to find a common integer p between the approximate multiples of p.

}

인 샘플들을 말하고, 위와 같은 샘플의 합은 작은 노이즈

에 대해

과 같이 샘플과 같은 형태를 보존하는 유용한 특성이 있다.The approximate products of the ACD problem are {

}

, And the sum of the above samples is a small noise

About

There is a useful property of preserving the shape of the sample as shown in Fig.

과

의 곱은 또한 충분히 작은

라면

과 같이 샘플과 같은 형태를 가진다. 이러한 동형성은 정수에 대한 FHE(Fully Homomorphic Encryptions)의 설계에 매우 유용한 성질이다.Similarly, two samples

and

Is also small enough

Ramen

And has the same shape as the sample. This is a very useful property for the design of FHM (Fully Homomorphic Encryptions) for integers.

There have been many studies to improve the efficiency of homogeneous cryptosystems since the homogeneous ciphers proposed by Van Dijk, Gentry, Halevi, and Vaikuntanathan, which were designed based on the ACD problem for the first time. For example, some studies have attempted to improve efficiency by shortening the size of a public key or expanding it to a batch version.

보다 작아질 수 없는 문제가 있다.However, the existing ACD problem-based cryptos can be applied to some useful theoretical tools because of the ring structure of the ACD instance. By using some known attacks and Orthogonal Lattice Attack,

There is a problem that can not be made smaller.

1. Korean Patent Publication No. 10-2016-0017226

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and it is an object of the present invention to provide an ACD instance hardening method and a hardening restoration method capable of increasing the efficiency of cryptographic operation using cipher text reduced in size through hardening of ACD problem, .

According to an aspect of the present invention, there is provided a method for managing a data structure, the method comprising: inputting data to be hardened and a randomly selected permutation; And performing a hardening operation on the received data to be hardened according to the permutation sequence to collapse the ring structure of the ACD instance.

According to another embodiment of the present invention, there is provided a method comprising: inputting data that is hardened to conceal a ring structure of an ACD instance and a reverse sequence of permutations used for a hardening operation of the data; And performing a hardening restoration operation according to the reverse sequence inputted to the hardened data.

According to the above, high security can be provided even with a shorter-length cipher text through a hardening operation which makes the ACD problem difficult, and there is an advantage that the encryption and decryption operation speed can be improved.

1 is a flow chart of a method for hard disk ACD instance hardening according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for recovering an ACD instance hardening according to an embodiment of the present invention.
3 is a block diagram of an ACD instance hardening device in accordance with an embodiment of the present invention.
FIG. 4 is a block diagram of an ACD instance hardening recovery apparatus according to an embodiment of the present invention.
5 is a block diagram of a hardening ACD instance-based homogeneous cryptosystem according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other objects, features, and advantages of the present invention will become more readily apparent from the following description of preferred embodiments with reference to the accompanying drawings. However, the present invention is not limited to the embodiments described herein but may be embodied in other forms. Rather, the embodiments disclosed herein are provided so that the disclosure can be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In this specification, when an element is referred to as being on another element, it means that it can be formed directly on the other element, or a third element may be placed therebetween.

It is to be understood that when an element, component, apparatus, or system is referred to as comprising a program or a component made up of software, it is not explicitly stated that the element, component, (E.g., memory, CPU, etc.) or other programs or software (e.g., drivers necessary to drive an operating system or hardware, etc.)

It is also to be understood that the elements (or components) may be implemented in software, hardware, or any form of software and hardware, unless the context clearly dictates otherwise.

The terminology used herein is for the purpose of illustrating embodiments and is not intended to be limiting of the present invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. The terms "comprises" and / or "comprising" used in the specification do not exclude the presence or addition of one or more other elements.

Hereinafter, the present invention will be described in detail with reference to the drawings. In describing the specific embodiments below, various specific details have been set forth in order to explain the invention in greater detail and to assist in understanding it. However, it will be appreciated by those skilled in the art that the present invention may be understood by those skilled in the art without departing from such specific details. In some instances, it should be noted that portions of the invention that are not commonly known in the description of the invention and are not significantly related to the invention do not describe confusing reasons for explaining the present invention.

The present invention relates to a method and apparatus for detecting a known attack such as SDA (Simultaneous Diophantine Approximation), Coppersmith`s Technique, Chen-Nguyen Exhaustive Search for Noise, and the like, To overcome the limitations. Applying the inventive hardening technique to an ACD problem based cryptosystem limits the application of useful statistical tools by destroying the ring structure of ACD instances. In addition, the time taken to apply the orthogonal grid attack is greatly influenced by the dimension of a given grid. By applying the hardening technique of the present invention, the attacker is constrained to select a grid of a high dimension. This gives the same security with the size of the shorter instance, and can obtain a homogeneous cipher with a short cipher size.

비트 정수를 비트단위로 쪼개서 섞는 과정을 하드닝 방법(Hardening Process), 이것의 역과정을 하드닝 복구 방법(Hardening Recovery Process)이라고 할 수 있다.In the cryptosystem according to the invention

The process of splitting and mixing bit integers into bits is called the Hardening Process, and the reverse of this is called the Hardening Recovery Process.

You can design a password using the result of performing the above hardening method on an existing ACD problem instance.

This technique of the present invention makes ACD problems more difficult. In the conventional cryptosystem, efficiency is improved by using a problem that is easier than the problem of the base, while the present invention is unique compared with the existing method in that the present invention improves efficiency by using a more difficult problem.

The ACD instance hardening method according to the present invention can be implemented according to the following algorithm.

에 따라 순열 집합

로 부터 랜덤하게 선택된 순열

과 그 역순열

을 생성한다. 보안 파라미터는 암호문제에 있어서 계산 문제의 입력 크기를 말한다.First, the Setup algorithm uses security parameters

According to the permutation set

Randomly selected permutations from

And the reverse order column

. The security parameter is the input size of the calculation problem in the cryptographic problem.

는

-비트 정수

와 순열

을 입력 받아 하드닝 연산 결과인

를 ACD 인스턴스로서 생성한다. 또한, 이와 같이 하드닝 처리된 ACD 인스턴스를 동형 암호 설계에 이용할 수 있다.Then, the hardening algorithm

The

- bit integer

And permutations

And receives the result of the hardening operation

As an ACD instance. In addition, the thus-hardened ACD instance can be used for the same type of encryption design.

는 비트 분해 함수로서

과 같이 정의될 수 있으며 여기서,

일 수 있다.

Is a bit decomposition function

, ≪ / RTI > where < RTI ID =

Lt; / RTI >

이라고 할 때, 아래와 같이 정의되는 위치-치환(position-permuting) 함수

은 다음 수학식 1과같이 정의될 수 있다. 여기서

은 벡터 공간을 의미한다.Also,

, A position-permuting function defined as < RTI ID = 0.0 >

Can be defined by the following equation (1). here

Denotes a vector space.

&Quot; (1) "

는 벡터

과 역순열

을 입력 받아 생성된 결과인

을 반환한다. 벡터

는 ACD 인스턴스의 링 구조를 은닉하도록 하드닝된 것이다.The hardening recovery algorithm

Vector

And reverse order

And the generated result

. vector

Is hardened to conceal the ring structure of the ACD instance.

는 합성 함수로서 <,>를 유클리드 공간(Euclidean space)의 표준 내적 곱(standard inner product)라고 할 때

이고,

로 정의되는 것일 수 있다.here,

Is a composite function, where <,> is the standard inner product of the Euclidean space

ego,

Lt; / RTI &gt;

이고, 여기서

은 함수의 합성을 뜻한다. 본 명세서에서는

이 문맥상 자명한 경우에는 생략되었을 수 있다.Also

, Where

Is the synthesis of a function. In this specification

It may have been omitted if it is self-evident in this context.

The hardening algorithm and the hardening restoration algorithm can be represented by the following equation (2).

&Quot; (2) &quot;

The ACD instance that has been subjected to the hardening operation, which can be defined as above, still retains the additive structure, but the multiplicative structure is collapsed.

As a result, the ring structure is collapsed in the ACD instance to which the hardening operation is applied.

Therefore, it is not possible to apply the useful numerical tools that were applied in the ring structure to the instances that have been subjected to the hardening process, and it is difficult to apply the known attacks.

개의 인스턴스를 선택해야 한다. Nevertheless, an attacker can still apply an orthogonal grid attack, but in order to ensure the independence of the constructors of the selected grid

You need to select instances.

This greatly restricts the time it takes to apply an attack to apply an orthogonal grid attack that is highly dependent on the dimension of the selected grid.

은 랜덤하게 선택된 순열이다.1 illustrates a flow diagram of a method for hardening an ACD instance in accordance with an embodiment of the present invention. Less permutation

Is a randomly selected permutation.

을 입력 받는 단계(S101)와 입력 받은 상기 하드닝하고자 하는 데이터에 대하여 순열

에 따라 하드닝 연산하여 ACD 인스턴스의 링 구조를 무너뜨리는 단계(S103)를 포함한다.Referring to FIG. 1, an ACD instance hardening method according to the present invention includes:

(S101) for inputting the data to be hardened and a permutation

(Step S103) of performing a hardening operation on the ACD instance to break the ring structure of the ACD instance.

을 입력 받는 단계(S101)에서, 하드닝하고자 하는 데이터는 정보 처리 장치에 의하여 처리될 수 있는

-비트 정수

일 수 있고, 순열

는 상술한 Setup 알고리즘을 보안 파라미터

에 따라 수행하여 순열 집합

로 부터 랜덤하게 선택된 순열일 수 있다.Data to be hardened and permutation

(S101), the data to be hardened can be processed by the information processing apparatus

- bit integer

, And permutations

The above-described Setup algorithm as a security parameter

And the set of permutations

Lt; / RTI &gt; may be a randomly selected permutation from &lt; RTI ID =

Step S103 of allowing the ring structure of the ACD instance to be concealed may be performed according to the HD algorithm described above.

FIG. 2 illustrates a flowchart of a method for recovering an ACD instance hardening according to an embodiment of the present invention.

의 역순열

을 입력 받는 단계(S201)와 상기 하드닝된 데이터에 대하여 입력 받은 상기 역순열

에 따라 하드닝 복구 연산을 수행하는 단계(S203)를 포함한다.Referring to FIG. 2, the ACD instance hardening restoration method according to the present invention includes data hardened to conceal the ring structure of the ACD instance, permutation used for hardening the data,

Reverse order column

(S201) of receiving the hardened data and a step

(Step S203).

의 역순열

을 입력 받는 단계(S201)에서, 하드닝된 데이터는 상술한 하드닝 연산을 거쳐 생성된 벡터

일 수 있고, 순열

의 역순열

은 Setup 알고리즘을 보안 파라미터

에 따라 수행하여 순열 집합

로 부터 랜덤하게 선택된 순열일 수 있다.Hardened data and permutations

Reverse order column

In step S201, the hardened data is subjected to the hardening operation,

, And permutations

Reverse order column

The Setup algorithm may be used as a security parameter

And the set of permutations

Lt; / RTI &gt; may be a randomly selected permutation from &lt; RTI ID =

The step of performing the hardening recovery operation (S203) may be performed according to the RC algorithm described above.

The operations for hardening and hardening restoration described with reference to FIGS. 1 and 2 may be implemented in a computer device, for example, implemented within one computer device or distributed over two or more computer devices And each step may be implemented by hardware (e.g., a chip) and / or computer program code.

3 is a diagram for explaining an apparatus using an ACD instance hardening method according to an embodiment of the present invention.

Referring to FIG. 3, an ACD instance hardening apparatus 100 according to an embodiment of the present invention includes a hardening data input unit 110 and a hardening operation unit 120.

을 입력 받는다. The hardening data input unit 110 receives data to be hardened and a permutation

.

에 따라 하드닝 연산을 수행하여 ACD 인스턴스의 링 구조를 은닉하도록 한다.The hardening operation unit 120 performs a permutation operation on the input data to be hardened

To perform a hardening operation to conceal the ring structure of the ACD instance.

The hardening operation can be performed according to the HD algorithm described above.

4 is a diagram illustrating an apparatus using an ACD instance hardening restoration method according to an embodiment of the present invention.

Referring to FIG. 4, the ACD instance hardening apparatus 200 according to an embodiment of the present invention includes a hardening restoration data input unit 210 and a hardening restoration operation unit 220.

의 역순열

을 입력 받는다.The hardening restoration data input unit 210 may include data hardened to conceal the ring structure of the ACD instance,

Reverse order column

.

에 따라 하드닝 복구 연산을 수행한다.The hardening restoring operation unit 220 performs a hardening restoring operation on the hardened data,

To perform a hardening repair operation.

The hardening repair operation can be performed according to the RC algorithm described above.

The hardening method according to the present invention can be specifically applied to the cryptographic system.

First, a Cheon-Stehle (CS) scheme for implementing an encryption system according to the present invention will be described below.

Also in the following, sk (secret key) is a secret key (also called a symmetric key), and ek (evaluation key) represents an operation key.

The CS scheme may be configured to include algorithms such as Setup, Enc, Add, Mult, ConOp, and Dec as is well known.

Here, the Setup algorithm creates the original instance of the ACD problem. The Enc algorithm generates a ciphertext in which the message m is encrypted. The Dec algorithm receives ciphertexts c and sk and decodes them according to modular operations. The Add, Mult, and ConOp algorithms define sum, multiply, and ConOp operations, respectively, in the CS diagram.

The parameters of the cryptosystem can be defined as follows.

: 보안 파라미터(security parameter)

: Security parameter

: 에러의 비트 길이(bit length of error)

: Bit length of error

: 홀수인 비밀 정수의 비트 길이(bit length of secret odd integer)

: Bit length of secret odd integer

: ACD 인스턴스의 비트 길이(bit length of ACD instances)

: Bit length of ACD instances (bit length of ACD instances)

은 아래 수학식 3과 같이 정의될 수 있다.Also,

Can be defined as Equation (3) below.

&Quot; (3) &quot;

과

사이의 관계는

와 같이 나타낼 수 있다. 본 명세서에서

비트 메세지에 대하여 변형된 CS 도식은 다음과 같다.And,

and

The relationship between

As shown in Fig. In this specification

The modified CS scheme for the bit message is as follows.

)는

를

이라고 할 때의 메세지 공간이라고 할 때, (

)-ACD 문제의 원본 인스턴스를 생성하며, 랜덤의

-비트 홀수(odd) 정수 p와 아래 수학식 4와 같은 샘플들을 생성한다.Setup (

)

To

When we say message space when we say, (

) -Generate the original instance of the ACD problem,

- generates a bit odd integer p and samples as in Equation 4 below.

&Quot; (4) &quot;

에 따라 세팅되는 벡터 z를 아래 수학식 6에 따라 산출한다.Is calculated according to the following equation (5)

Is calculated according to Equation (6) below.

Equation (5)

&Quot; (6) &quot;

에 따라 산출되고, 비밀키인 sk = p는 비밀로 유지된다.Finally,

, And the secret key sk = p is kept secret.

를 선택하고,

연산을 수행한다.Enc (m, sk)

&Lt; / RTI &gt;

.

,

에 대하여,cryptogram

,

about,

,

)는

연산을 수행한다.Add (

,

)

.

,

,ek)는

연산을 수행한다.Mult (

,

, ek)

.

연산을 수행한다.ConOp (m, ek)

.

연산을 수행한다.Dec (c, sk)

.

The hardening method of the present invention can be applied very harmoniously to the FHE system and can provide the advantage of short ciphertexts.

The CS FHE scheme implemented in the FHE system described above can be represented as CS = (CS.Setup, CS.Enc, CS.Add, CS.Mult, CS.ConOp, Cs.Dec). The previous H, such as HCS.Setup below, indicates that the hardening method and apparatus of the present invention is applied to the FHE system in which the CS scheme is implemented.

The hardening method according to the present invention can be applied to a method in which a CS FHE scheme is generally implemented as follows.

) :HCS.Setup (

):

이라고 할 때

를 메세지 공간으로 한다. CS.Setup(

)을 실행하고, 평가키와 비밀키인

와 p를 얻는다.One.

When

As a message space. CS.Setup (

), And executes the evaluation key and the secret key

And p.

과 그 역순열인

를 선택한다.2. Random permutation

And the reverse order

.

3. Hare the evaluation parameter (evaluation parmeter) as follows.

을 계산한다. 여기서

이고,

로 정한다. 그리고 아래 수학식 7을 계산한다.Let j = 0, ..., l-1,

. here

ego,

. Then, the following equation (7) is calculated.

&Quot; (7) &quot;

이고, 비밀로 유지되는

이다.4. Finally,

And is kept secret

to be.

HCS.Enc (m, sk):

비트의

로 파싱한다. 즉

로 나타낼 수 있다. I를

=1 과 같이 나타낼 수 있는 i들의 집합이라고 한다.The data m to be encrypted

Bit

. In other words

. I

= 1 is called a set of i.

를 선택하고, now

&Lt; / RTI &gt;

를 출력한다.

.

,

) :HCS.Add (

,

):

+

연산을 수행하고, 여기서 ‘+’는 벡터공간

위에서의 합을 뜻한다.

+

&Lt; / RTI &gt; where &lt; RTI ID = 0.0 &gt;

It means sum above.

,

,ek) :HCS.Mult (

,

, supplement):

연산을 수행한다. 여기서 이진 연산자인

는

로서 정의된다.

. Here, the binary operator

The

.

HCS.ConOp (m, appendix):

연산을 수행하며 여기서

이다.

Operation, where

to be.

HCS.Dec (c, sk):

연산을 수행하며 이에 따라 암호문

를 복호와 한다.

And performs a cryptographic operation

Is decoded.

As described above, the symmetric key-based isochronous encryption system including the hardening method according to the present invention can still maintain the multiplication property using the scale-invariant technique even though the multiplication structure is collapsed through the hardening operation process, Can be designed.

The cryptographic method to which the above-described hardening method is applied may be implemented in a computer device, for example, implemented in one computer device or distributed in two or more computer devices, and each step may be implemented in hardware For example, chips) and / or computer program code.

The hardening ACD instance-based isochronous encryption system 300, which is an FHE encryption system using the hardening method according to the present invention, includes a setup operation unit 310, an encryption unit 320, and a decryption unit 330. In addition, it may further include a CS calculation unit 340.

) 알고리즘에 따른 연산을 수행할 수 있다. 암호화부(320)는 HCS.Enc(m,sk) 알고리즘에 따른 연산을 수행할 수 있다. 복호화부(330)는 HCS.Dec(c,sk) 알고리즘에 따른 연산을 수행할 수 있다. CS연산부(340)는 HCS.Add(

,

), HCS.Mult(

,

,ek), HCS.ConOp(m,ek) 알고리즘에 따른 연산을 수행할 수 있다. 여기서 셋업연산부(310), 암호화부(320)는 본 발명에 따른 ACD 인스턴스 하드닝 장치(100)를 이용한다. 복호화부(330)는 본 발명에 따른 ACD 인스턴스 하드닝 복구 장치(200)를 이용한다.The setup operation unit 310 receives the HCS setup (

) Algorithm. &Lt; / RTI &gt; The encryption unit 320 may perform an operation according to the HCS.Enc (m, sk) algorithm. The decoding unit 330 may perform an operation according to the HCS.Dec (c, sk) algorithm. The CS calculating unit 340 calculates the HCS.Add (

,

), HCS.Mult (

,

, ek), and HCS.ConOp (m, ek) algorithms. Here, the setup operation unit 310 and the encryption unit 320 use the ACD instance hardening apparatus 100 according to the present invention. The decryption unit 330 uses the ACD instance hardening restoration apparatus 200 according to the present invention.

로 기존 CS 도식에서

의 크기를 가졌던 것에 비해 암호문의 크기를 매우 짧게 할 수 있다. 아래 표 1은 다른 ACD 기반의 동형 암호와 암호문 크기를 비교한 표이다. The ciphertext of the Hardened CS scheme, which is designed using an ACD instance applying the hardening operation method according to the present invention,

From existing CS schematics

The size of the cipher text can be made very short. Table 1 below compares the sizes of ciphertexts and ciphertexts based on other ACDs.

<Table 1>

In addition, we can apply the hardening method to the same password based on the ACD to efficiently shorten the size of the ciphertext, and apply the hardening method to the LWE, RLWE, etc. used as a tool for designing the same password .

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only and that those of ordinary skill in the art can readily understand that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. will be. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

The scope of the present invention is defined by the appended claims rather than the detailed description and all changes or modifications derived from the meaning and scope of the claims and their equivalents are to be construed as being included within the scope of the present invention do.

100: ACD Instance Harding Device
110: Harding data input unit
120: Harding operation unit
200: ACD Instance Harding Recovery Device
210: a hardened data input unit
220: Harding recovery operation unit
300: Harding ACD instance-based homogeneous cryptosystem
310:
320:
330:
340: CS operator

Claims (2)

Receiving data to be hardened and a randomly selected permutation; And
And hiding the ring structure of the ACD instance by performing a hardening operation on the received data with respect to the data to be hardened according to the permutation sequence.
Receiving data that is hardened to conceal a ring structure of an ACD instance and a reverse sequence of permutations used for a hardening operation of the data; And
And performing a hardening recovery operation according to the reverse sequence inputted to the data that is hardened to conceal the ring structure.

Images