Lattice-based distributed threshold addition homomorphic encryption method

Document No.: 190885    Publication date: 2021-11-02

Reading note: this technology, "A lattice-based distributed threshold addition homomorphic encryption method" (一种基于格的分布式门限加法同态加密方法), was designed and created by 田海博 (Tian Haibo), 林会智 (Lin Huizhi) and 李茂楠 (Li Maonan) on 2021-06-25. Main contents: the invention relates to the technical field of secure multi-party computation based on homomorphic encryption, and in particular to a lattice-based distributed threshold addition homomorphic encryption method. The method comprises the following steps: system initial setting, user key generation, user private key share generation, system public key synthesis, data encryption, addition homomorphic operation, partial decryption and final decryption. The lattice-based distributed threshold addition homomorphic encryption method provided by the invention reduces the number of local shares at the user side, further reduces the communication traffic of the whole protocol, reduces the computation time of the user-side algorithms, and allows the user side to participate in the whole protocol using lightweight computing devices.

1. A lattice-based distributed threshold addition homomorphic encryption method is characterized by comprising the following steps:

S1, system initial setting: input a security parameter λ and output the system parameter params = {param0, paramSS}, where param0 is the parameter set related to system initialization and paramSS is the parameter set related to multi-secret sharing;

S2, user key generation: input the system parameter params and output the public/private key pair $(pk_u, sk_u)$;

S3, user private key share generation: input the system parameter params, the private key $sk_{u0}$ of user u and the public key set $\{pk_{v1}\}_{v\in U}$ of the users in the user set U; output the encrypted message set $\{e_{uv}\}_{v\in U}$ and the ordered set of public shares of user u;

S4, system public key synthesis: input the system parameter params and the public key set $\{pk_{u0}\}_{u\in U}$ of all users, calculate $pk = [\sum_{u\in U} pk_{u0}]_q$, and output the system public key pk;

S5, data encryption: input the system parameter params, the system public key pk and the plaintext data $m_u$ of user u; output the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u;

S6, addition homomorphic operation: input the system parameter params, the user ciphertext data set $\{c_u\}_{u\in U}$ and the set of user weighting coefficients $\{w_u\}_{u\in U}$; calculate separately $ct_0 = [\sum_{u\in U} c_{u0}\cdot w_u]_q$ and $ct_1 = [\sum_{u\in U} c_{u1}\cdot w_u]_q$, and finally output the system ciphertext $ct = (ct_0, ct_1)$;

S7, partial decryption: input the system parameter params, the system ciphertext ct, the public key $pk_u$ of user u and the set $\{e_{vu}\}_{v\in U\setminus\{u\}}$ of encrypted messages that user u received from the other users in the set U; output the partial decryption value $pm_u$ of user u;

S8, final decryption: input the system parameter params, the system ciphertext $ct = (ct_0, ct_1)$, the partial decryption value set $P_1 = \{pm_u\}_{u\in V}$ of the users, where $|P_1| \ge th$, the system public share set $OS_{sys}$ and the public share sets of all users in the set U; output the polynomial M consisting of the final decrypted values.

2. The lattice-based distributed threshold addition homomorphic encryption method of claim 1, characterized in that, specifically, a polynomial degree d, a polynomial coefficient modulus q, a plaintext polynomial modulus t, an irreducible cyclotomic polynomial f(x), an integer polynomial ring R, the ring $R_q$ (the ring R with all element coefficients taken modulo q), a normal distribution χ, a uniform distribution μ, an arbitrary element on the ring R, a hybrid encryption system HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec} and a multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover} are set; HPKE.Gen is the key generation algorithm, whose input is a security parameter and whose output is an encryption/decryption key pair; HPKE.Enc is the encryption algorithm, whose input is an encryption key and a plaintext and whose output is a ciphertext; HPKE.Dec is the decryption algorithm, whose input is a ciphertext and a decryption key and whose output is a plaintext; MultiSS.Setup is the system initialization algorithm, whose input is a security parameter and whose output is a system parameter; MultiSS.Split is the secret distribution algorithm, whose input is the system parameter and an ordered secret set and whose output is a secret share set and a user public share; MultiSS.Recover is the secret reconstruction algorithm, whose input is the system parameter and a secret share set and whose output is an ordered secret set;

then randomly select; for $paramSS = \{n, th, m, U, V, PList, GList, BList, OS_{sys}\}$ the algorithm $MultiSS.Setup(1^\lambda) \to paramSS$ is executed; here q is a large prime integer, n is the number of participants, th is the threshold value, m is the number of secrets shared at a time, and m ≥ th is required; the set of all participants is U and the user set meeting the threshold number is V, i.e. $n \ge |V| > th$; then n mutually different integers $p_1, p_2, p_3, \ldots, p_n$ are randomly selected in $[n+2m+th, q-1]$ as the personal identifiers of the n participants, and their set is denoted PList; the n consecutive integers $g_1, g_2, g_3, \ldots, g_n$ in the interval $[m, m+n-1]$ are set as the identifiers of the system public shares, and their set is denoted GList; finally n random integers $k_1, k_2, k_3, \ldots, k_n$ are randomly selected in the range $[0, q-1]$ and called the system public shares, and their set is denoted $OS_{sys}$.

3. The lattice-based distributed threshold addition homomorphic encryption method of claim 2, characterized in that the secret distribution algorithm MultiSS.Split is executed by the secret distributor, with the system parameter paramSS and the ordered secret set mList as input and the secret share set SList and the user public share $OS_u$ as output; let the m secrets to be shared be $C_1, C_2, C_3, \ldots, C_m$; the specific steps are as follows:

Interpolation generates the polynomial h(x) of degree n+m-1: the m value pairs $(0, C_1), (1, C_2), (2, C_3), \ldots, (m-1, C_m)$ formed by the m secrets and the n value pairs $(g_1, k_1), (g_2, k_2), (g_3, k_3), \ldots, (g_n, k_n)$ of the system public shares, n+m value pairs in total, are processed with the Lagrange polynomial interpolation algorithm to obtain the degree n+m-1 polynomial $h(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n+m-1} x^{n+m-1}$;

Generate the secret share set SList of the participants: the secret share of each participant is computed with the obtained degree n+m-1 polynomial h(x); the personal identifier $p_i$ of the user is input to h(x) as the independent variable to obtain the function value $h(p_i)$, which is that participant's secret share; the set of these secret shares is SList;

When m > th, the public share set $OS_u$ of the secret distributor needs to be generated: the m-th consecutive integers $b_1, b_2, b_3, \ldots, b_{m-th}$ in the interval $[m+n, m+2n-th-1]$ are set as the identifiers of the secret distributor's public shares, and their set is denoted BList; each identifier in BList is input to the polynomial h(x) to obtain the corresponding value $h(b_i)$, and the set of these values is denoted $OS_u$.

4. The lattice-based distributed threshold addition homomorphic encryption method of claim 3, characterized in that the secret reconstruction algorithm MultiSS.Recover is executed by any party that needs to recover the secrets; the system parameter paramSS, a secret share set SList with not fewer than th elements, and the public share set $OS_u$ of the secret distributor are input, and the ordered secret set mList is output; the steps are as follows:

Interpolation restores the polynomial h(x) of degree n+m-1: not fewer than th value pairs $(p_i, h(p_i))$ are obtained from the secret share set SList; the n value pairs $(g_i, k_i)$ are obtained from the system public shares $OS_{sys}$; if m > th, the public share set $OS_u$ of the secret distributor must also be combined to obtain the m-th value pairs $(b_i, h(b_i))$; with not fewer than m+n value pairs in total, h(x) is recovered with the Lagrange polynomial interpolation algorithm;

Generate the ordered secret set mList: each secret $C_i = h(i-1)$, $i = 1, 2, \ldots, m$, is computed; this set is denoted mList.

5. The lattice-based distributed threshold addition homomorphic encryption method of claim 4, wherein said step S2 specifically includes: first, a polynomial is uniformly and randomly selected from the polynomial ring $R_3$ whose coefficients lie in {-1, 0, 1}; then a noise polynomial is selected according to the distribution χ; with these set, the operation $(pk_{u1}, sk_{u1}) \leftarrow HPKE.Gen(1^\lambda)$ is run to obtain the encryption/decryption key pair of the HPKE system, $sk_u = (sk_{u0}, sk_{u1})$ and $pk_u = (pk_{u0}, pk_{u1})$ are set, and the public/private key pair $(pk_u, sk_u)$ is output.

6. The lattice-based distributed threshold-addition homomorphic encryption method of claim 5, wherein said step S3 specifically includes:

First, a noise polynomial is selected; for $sk_{u0}$ and the noise, the secret distribution algorithm MultiSS.Split is executed once for every m consecutive coefficients, so sharing the whole private key and the whole noise completely each requires executing the multi-secret sharing algorithm the corresponding number of times; this yields the ordered sets of secret shares of user u's private key and noise and the ordered sets of user public shares, each of the four ordered sets containing the same number of elements; then, taking each user in the set U as a unit, the following procedure is executed for each:

a) The two ordered secret share sets $\{Ssk_{uv}, Seu_{uv}\}$ to be sent to user v are packed into a message $s_{uv}$, where $Ssk_{uv}$ is the secret share set for the private key and $Seu_{uv}$ the secret share set for the noise, and the identifier of user v is taken to be $p_0$;

b) Using the public key $pk_{v1}$ of user v, the encryption algorithm $HPKE.Enc(pk_{v1}, s_{uv})$ is run to obtain the encrypted message $e_{uv}$; finally, the output is the encrypted message set $\{e_{uv}\}_{v\in U}$ containing one message for each user and the ordered set of public shares of user u, where user u's own shares are kept locally.

7. The lattice-based distributed threshold addition homomorphic encryption method of claim 6, wherein said step S5 specifically includes: the plaintext data $m_u$ is first embedded as coefficients into a polynomial $X_u$ of highest degree d; then two noise values are randomly selected, $c_{u0}$ and $c_{u1}$ are calculated respectively, and the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u is output.

8. The lattice-based distributed threshold addition homomorphic encryption method of claim 7, wherein said step S7 specifically includes: first, the decryption algorithm $HPKE.Dec(sk_{u1}, e_{vu})$ is run to obtain the message set $\{s_{vu}\}_{v\in U\setminus\{u\}}$; after parsing the messages one by one, the set $\{Ssk_{vu}\}_{v\in U\setminus\{u\}}$ of ordered secret share sets for the private key and the set $\{Seu_{vu}\}_{v\in U\setminus\{u\}}$ of ordered secret share sets for the noise are obtained, each comprising n-1 elements, every element being an ordered set of secret shares; the two ordered secret share sets that user u kept for itself when sharing its own private key and noise are added as well, and the two collections are summed respectively into a total ordered share set: $Ssk_u = \sum_{v\in U} Ssk_{vu}$, $Seu_u = \sum_{v\in U} Seu_{vu}$; then the partial decryption value calculation is executed: the ordered set $Ssk_u$ is embedded into a degree-d polynomial by modulo-m interval embedding to obtain SK, and the ordered set $Seu_u$ is embedded into a degree-d polynomial by modulo-m continuous embedding to obtain SE; $ct_0$ is extracted from the ciphertext ct, $pm_u = [ct_0 \cdot SK + SE]_q$ is calculated, and finally the partial decryption value $pm_u$ of user u is output.

9. The lattice-based distributed threshold addition homomorphic encryption method of claim 8, wherein said step S8 specifically includes: first, for the user public share sets $H_2$ and $H_3$, each of whose n set elements is formed in order from the public share sets of one user, the n set elements are added correspondingly in order, and the user share summary sets $SH_0$ and $SH_1$ are obtained:

At this time $SH_0$ and $SH_1$ are each made up of share sets arranged in order, each share set containing m-th shares; then for i = 1, 2, ..., m-th, one set is taken out of $SH_0$ and one out of $SH_1$ each time, and the partial decryption values for the user public shares are calculated according to the partial decryption method of step S7, where the ordered set taken from $SH_0$ is embedded by modulo-m interval embedding and the one taken from $SH_1$ by modulo-m continuous embedding; after m-th executions, the partial decryption value set $P_2$ for the user public shares is obtained;

For the system public share set $\{k_1, k_2, k_3, \ldots, k_n\}$, $K_i = n \cdot k_i$ is calculated for i = 1, 2, ..., n, and two sets are constructed from these values;

Partial decryption values for the system public shares are calculated according to the partial decryption method summarized in step S7, where the two sets are embedded by modulo-m interval embedding and modulo-m continuous embedding respectively; after n executions, the partial decryption value set $P_3$ for the system public shares is obtained; the three partial decryption value sets $P_1, P_2, P_3$ are merged to obtain $P = \{pm_i\}$, whose corresponding identifier set is abbreviated $A = \{a_1, \ldots, a_i\}$, $i \in [1, |P|]$, and the Lagrange interpolation basis function corresponding to each term is $LA_{a_i}(x)$;

For i = 1, 2, 3, ..., |P|, the corresponding set $\{LA_{a_i}(0), LA_{a_i}(1), \ldots, LA_{a_i}(m-1)\}$ is embedded into a degree-d polynomial by modulo-m interval embedding to obtain $L_i$; the polynomial M consisting of the final decrypted values is then calculated, where:

10. The lattice-based distributed threshold addition homomorphic encryption method of claim 10, characterized in that:

① For any set X, |X| is defined as the number of elements in X; if x is a vector, |x| is the dimension of the vector;

② For a given irreducible cyclotomic polynomial f(x) of highest degree d, the integer polynomial ring R is defined; all elements of the ring R are vectors, also called polynomials; $R_q$ denotes the ring R with all element coefficients taken modulo q, and a sample drawn from $R_q$ according to the uniform distribution is denoted accordingly; for any element on the ring R, the coefficient of its i-th term is $a_i$, i.e. the element satisfies the corresponding formula in which x is the independent variable; its infinity norm satisfies the corresponding formula; the expansion factor $\delta_R$ of R satisfies the corresponding formula;

③ For any integer h > 1, a set of integers is defined, and the integer ring {0, 1, 2, …, q-1} is denoted; for any number x, $[x]_h = x \bmod h$; for any x, $\lfloor x \rfloor$ denotes rounding down, $\lceil x \rceil$ rounding up and $\lfloor x \rceil$ rounding to the nearest integer; for any x ∈ R, $[x]_h$ means that all coefficients of x are reduced modulo h;

④ For a given security parameter λ, if for all c it holds that $negl(\lambda) = o(1/\lambda^c)$, the function negl(λ) is said to be negligible;

⑤ For a given probability distribution, x ← (the distribution) represents that x is sampled at random from it; for a set X, x ← X represents that x is uniformly sampled from the set; for a distribution χ over the integers, if its values lie within the range [-B, B], B is called its bound;

⑥ To embed a set Set with m elements into a polynomial Poly of highest degree d, d+1 is required to be evenly divisible by m and d ≤ m²-1; there are the following two modes:

1) Modulo-m continuous embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, ..., d+1), embed the first element of the ordered set Set into the coefficient of that term, and embed the same coefficient in each following term until a new term satisfies i % m = 1 again; then delete the previous element from Set, embed the new first element into the corresponding term, and repeat until the whole polynomial has been traversed;

2) Modulo-m interval embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, ..., d+1), embed the first element of the ordered set Set into the coefficient of that term and delete the element from Set; repeat until the whole polynomial has been traversed;

⑦ For an integer set {a, b, c, d}, the corresponding Lagrange basis functions in the variable x are denoted $\{LA_a(x), LA_b(x), LA_c(x), LA_d(x)\}$, where:

Technical Field

The invention relates to the technical field of secure multiparty computation based on homomorphic encryption, in particular to a lattice-based distributed threshold addition homomorphic encryption method.

Background

The attribute-based encryption mechanism is an extension of the identity-based encryption mechanism; essentially, it introduces the concept of an access structure into the identity-based encryption mechanism, thereby realizing control over decryption authority and access authority. The earliest published research started from simple attribute-based encryption and was later extended to attribute-based signatures, attribute-based security protocols and other research topics. Compared with traditional cryptography, the attribute-based encryption mechanism greatly enriches the flexibility of the encryption policy and the expressiveness of user permissions, extends the one-to-one mode to a one-to-many mode, and has the characteristics of efficiency and flexibility: the encryption cost is related only to the number of corresponding attributes and not to the number of users in the system; whether a user can decrypt a ciphertext depends only on whether the user's attributes satisfy the policy of the ciphertext, and not on whether the user joined the system before the ciphertext was produced; the ciphertext policy can support complex access structures such as threshold expressions and Boolean expressions; and the encryptor does not need to know the identity of the decryptor. Based on these excellent characteristics, the attribute-based encryption mechanism can effectively realize non-interactive access control.

The current mainstream cryptographic techniques for realizing secure multi-party computation include threshold secret sharing, homomorphic encryption and the like. Homomorphic encryption allows a specific algebraic operation to be performed on ciphertext-domain data such that the decrypted result is the same as, or close to, the result of the corresponding operation in the plaintext domain. This property is widely applied in privacy-preserving cloud service computing, outsourced computing and federated learning, and is a direction of emerging privacy technology. Shamir's threshold secret sharing scheme divides a secret into n shares distributed to several participants by constructing a polynomial of degree k-1 with the shared secret as its constant term. The shared secret can be recovered by k or more participants cooperating via the interpolation formula, while fewer than k cooperating participants cannot obtain any information about the shared secret. Blakley independently proposed another threshold secret sharing scheme, which establishes the threshold scheme using points in a multidimensional space: the shared secret s is viewed as a point in a k-dimensional space, each sub-secret is a (k-1)-dimensional hyperplane equation containing that point, the intersection point of any k of these (k-1)-dimensional hyperplanes determines the shared secret exactly, while k-1 sub-secrets, i.e. hyperplanes, can only determine their intersection line and therefore reveal no information about the shared secret. Some lattice-based encryption methods proposed on the basis of the current Shamir secret sharing scheme also need further improvement because of problems such as a large number of local shares, a large memory footprint and high communication traffic.

Disclosure of Invention

The invention provides a lattice-based distributed threshold addition homomorphic encryption method to overcome the defects of the prior art; it reduces the number of local shares at the user side, reduces the communication traffic of the whole protocol and reduces the computation time of the user-side algorithms.

In order to solve the technical problems, the invention adopts the technical scheme that: a lattice-based distributed threshold addition homomorphic encryption method comprises the following steps:

S1, system initial setting: input a security parameter λ and output the system parameter params = {param0, paramSS}, where param0 is the parameter set related to system initialization and paramSS is the parameter set related to multi-secret sharing;

S2, user key generation: input the system parameter params and output the public/private key pair $(pk_u, sk_u)$;

S3, user private key share generation: input the system parameter params, the private key $sk_{u0}$ of user u and the public key set $\{pk_{v1}\}_{v\in U}$ of the users in the user set U; output the encrypted message set $\{e_{uv}\}_{v\in U}$ and the ordered set of public shares of user u;

S4, system public key synthesis: input the system parameter params and the public key set $\{pk_{u0}\}_{u\in U}$ of all users, calculate $pk = [\sum_{u\in U} pk_{u0}]_q$, and output the system public key pk;

S5, data encryption: input the system parameter params, the system public key pk and the plaintext data $m_u$ of user u; output the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u;

S6, addition homomorphic operation: input the system parameter params, the user ciphertext data set $\{c_u\}_{u\in U}$ and the set of user weighting coefficients $\{w_u\}_{u\in U}$; calculate separately $ct_0 = [\sum_{u\in U} c_{u0}\cdot w_u]_q$ and $ct_1 = [\sum_{u\in U} c_{u1}\cdot w_u]_q$, and finally output the system ciphertext $ct = (ct_0, ct_1)$;

S7, partial decryption: input the system parameter params, the system ciphertext ct, the public key $pk_u$ of user u and the set $\{e_{vu}\}_{v\in U\setminus\{u\}}$ of encrypted messages that user u received from the other users in the set U; output the partial decryption value $pm_u$ of user u;

S8, final decryption: input the system parameter params, the system ciphertext $ct = (ct_0, ct_1)$, the partial decryption value set $P_1 = \{pm_u\}_{u\in V}$ of the users, where $|P_1| \ge th$, the system public share set $OS_{sys}$ and the public share sets of all users in the set U; output the polynomial M consisting of the final decrypted values.

Further, specifically, a polynomial degree d, a polynomial coefficient modulus q, a plaintext polynomial modulus t, an irreducible cyclotomic polynomial f(x), an integer polynomial ring R, the ring $R_q$ (the ring R with all element coefficients taken modulo q), a normal distribution χ, a uniform distribution μ, an arbitrary element on the ring R, a hybrid cryptosystem HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec} and a multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recover} are set; HPKE.Gen is the key generation algorithm, whose input is a security parameter and whose output is an encryption/decryption key pair; HPKE.Enc is the encryption algorithm, whose input is an encryption key and a plaintext and whose output is a ciphertext; HPKE.Dec is the decryption algorithm, whose input is a ciphertext and a decryption key and whose output is a plaintext; MultiSS.Setup is the system initialization algorithm, whose input is a security parameter and whose output is a system parameter; MultiSS.Split is the secret distribution algorithm, whose input is the system parameter and an ordered secret set and whose output is a secret share set and a user public share; MultiSS.Recover is the secret reconstruction algorithm, whose input is the system parameter and a secret share set and whose output is an ordered secret set;

then randomly select; for $paramSS = \{n, th, m, U, V, PList, GList, BList, OS_{sys}\}$ the algorithm $MultiSS.Setup(1^\lambda) \to paramSS$ is executed; here q is a large prime integer, n is the number of participants, th is the threshold value, m is the number of secrets shared at a time, and m ≥ th is required; the set of all participants is U and the user set meeting the threshold number is V, i.e. $n \ge |V| > th$; then n mutually different integers $p_1, p_2, p_3, \ldots, p_n$ are randomly selected in $[n+2m+th, q-1]$ as the personal identifiers of the participants, and their set is denoted PList; the n consecutive integers $g_1, g_2, g_3, \ldots, g_n$ in the interval $[m, m+n-1]$ are set as the identifiers of the system public shares, and their set is denoted GList; finally n random integers $k_1, k_2, k_3, \ldots, k_n$ are randomly selected in the range $[0, q-1]$ and called the system public shares, and their set is denoted $OS_{sys}$.

Furthermore, the secret distribution algorithm MultiSS.Split is executed by the secret distributor; the system parameter paramSS and the ordered secret set mList are input, and the secret share set SList and the user public share $OS_u$ are output; let the m secrets to be shared be $C_1, C_2, C_3, \ldots, C_m$; the specific steps are as follows:

Interpolation generates the polynomial h(x) of degree n+m-1: the m value pairs $(0, C_1), (1, C_2), (2, C_3), \ldots, (m-1, C_m)$ formed by the m secrets and the n value pairs $(g_1, k_1), (g_2, k_2), (g_3, k_3), \ldots, (g_n, k_n)$ of the system public shares, n+m value pairs in total, are processed with the Lagrange polynomial interpolation algorithm to obtain the degree n+m-1 polynomial $h(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n+m-1} x^{n+m-1}$;

Generate the secret share set SList of the participants: the secret share of each participant is computed with the obtained degree n+m-1 polynomial h(x); the personal identifier $p_i$ of the user is input to h(x) as the independent variable to obtain the function value $h(p_i)$, which is that participant's secret share; the set of these secret shares is SList;

When m > th, the public share set $OS_u$ of the secret distributor needs to be generated: the m-th consecutive integers $b_1, b_2, b_3, \ldots, b_{m-th}$ in the interval $[m+n, m+2n-th-1]$ are set as the identifiers of the secret distributor's public shares, and their set is denoted BList; each identifier in BList is input to the polynomial h(x) to obtain the corresponding value $h(b_i)$, and the set of these values is denoted $OS_u$.

Furthermore, the secret reconstruction algorithm MultiSS.Recover is executed by any party that needs to recover the secrets; the system parameter paramSS, a secret share set SList with not fewer than th elements, and the public share set $OS_u$ of the secret distributor are input, and the ordered secret set mList is output; the steps are as follows:

Interpolation restores the polynomial h(x) of degree n+m-1: not fewer than th value pairs $(p_i, h(p_i))$ are obtained from the secret share set SList; the n value pairs $(g_i, k_i)$ are obtained from the system public shares $OS_{sys}$; if m > th, the public share set $OS_u$ of the secret distributor must also be combined to obtain the m-th value pairs $(b_i, h(b_i))$; with not fewer than m+n value pairs in total, h(x) is recovered with the Lagrange polynomial interpolation algorithm;

Generate the ordered secret set mList: each secret $C_i = h(i-1)$, $i = 1, 2, \ldots, m$, is computed; this set is denoted mList.

Further, the step S2 specifically includes: first, a polynomial is uniformly and randomly selected from the polynomial ring $R_3$ whose coefficients lie in {-1, 0, 1}; then a noise polynomial is selected according to the distribution χ; with these set, the operation $(pk_{u1}, sk_{u1}) \leftarrow HPKE.Gen(1^\lambda)$ is run to obtain the encryption/decryption key pair of the HPKE system, $sk_u = (sk_{u0}, sk_{u1})$ and $pk_u = (pk_{u0}, pk_{u1})$ are set, and the public/private key pair $(pk_u, sk_u)$ is output.

Further, the step S3 specifically includes:

First, a noise polynomial is selected; for $sk_{u0}$ and the noise, the secret distribution algorithm MultiSS.Split is executed once for every m consecutive coefficients, so sharing the whole private key and the whole noise completely each requires executing the multi-secret sharing algorithm the corresponding number of times; this yields the ordered sets of secret shares of user u's private key and noise and the ordered sets of user public shares, each of the four ordered sets containing the same number of elements; then, taking each user in the set U as a unit, the following procedure is executed for each:

a) The two ordered secret share sets $\{Ssk_{uv}, Seu_{uv}\}$ to be sent to user v are packed into a message $s_{uv}$, where $Ssk_{uv}$ is the secret share set for the private key and $Seu_{uv}$ the secret share set for the noise, and the identifier of user v is taken to be $p_0$;

b) Using the public key $pk_{v1}$ of user v, the encryption algorithm $HPKE.Enc(pk_{v1}, s_{uv})$ is run to obtain the encrypted message $e_{uv}$; finally, the output is the encrypted message set $\{e_{uv}\}_{v\in U}$ containing one message for each user and the ordered set of public shares of user u, where user u's own shares are kept locally.

Further, the step S5 specifically includes: the plaintext data $m_u$ is first embedded as coefficients into a polynomial $X_u$ of highest degree d; then two noise values are randomly selected, $c_{u0}$ and $c_{u1}$ are calculated respectively, and the ciphertext data $c_u = (c_{u0}, c_{u1})$ of user u is output.

Further, the step S7 specifically includes: first, the decryption algorithm $HPKE.Dec(sk_{u1}, e_{vu})$ is run to obtain the message set $\{s_{vu}\}_{v\in U\setminus\{u\}}$; after parsing the messages one by one, the set $\{Ssk_{vu}\}_{v\in U\setminus\{u\}}$ of ordered secret share sets for the private key and the set $\{Seu_{vu}\}_{v\in U\setminus\{u\}}$ of ordered secret share sets for the noise are obtained, each comprising n-1 elements, every element being an ordered set of secret shares; the two ordered secret share sets that user u kept for itself when sharing its own private key and noise are added as well, and the two collections are summed respectively into a total ordered share set: $Ssk_u = \sum_{v\in U} Ssk_{vu}$, $Seu_u = \sum_{v\in U} Seu_{vu}$; then the partial decryption value calculation is executed: the ordered set $Ssk_u$ is embedded into a degree-d polynomial by modulo-m interval embedding to obtain SK, and the ordered set $Seu_u$ is embedded into a degree-d polynomial by modulo-m continuous embedding to obtain SE; $ct_0$ is extracted from the ciphertext ct, $pm_u = [ct_0 \cdot SK + SE]_q$ is calculated, and finally the partial decryption value $pm_u$ of user u is output.

Further, the step S8 specifically includes: first, for the user public share sets $H_2$ and $H_3$, each of whose n set elements is formed in order from the public share sets of one user, the n set elements are added correspondingly in order, and the user share summary sets $SH_0$ and $SH_1$ are obtained:

At this time $SH_0$ and $SH_1$ are each made up of share sets arranged in order, each share set containing m-th shares; then for i = 1, 2, ..., m-th, one set is taken out of $SH_0$ and one out of $SH_1$ each time, and the partial decryption values for the user public shares are calculated according to the partial decryption method of step S7, where the ordered set taken from $SH_0$ is embedded by modulo-m interval embedding and the one taken from $SH_1$ by modulo-m continuous embedding; after m-th executions, the partial decryption value set $P_2$ for the user public shares is obtained;

For the system public share set $\{k_1, k_2, k_3, \ldots, k_n\}$, $K_i = n \cdot k_i$ is calculated for i = 1, 2, ..., n, and two sets are constructed from these values;

Partial decryption values for the system public shares are calculated according to the partial decryption method summarized in step S7, where the two sets are embedded by modulo-m interval embedding and modulo-m continuous embedding respectively; after n executions, the partial decryption value set $P_3$ for the system public shares is obtained; the three partial decryption value sets $P_1, P_2, P_3$ are merged to obtain $P = \{pm_i\}$, whose corresponding identifier set is abbreviated $A = \{a_1, \ldots, a_i\}$, $i \in [1, |P|]$, and the Lagrange interpolation basis function corresponding to each term is $LA_{a_i}(x)$;

For i = 1, 2, 3, …, |P|, embed the corresponding set {LA_{a_i}(0), LA_{a_i}(1), ..., LA_{a_i}(m-1)} into a degree-d polynomial by modulo-m interval embedding to obtain L_i; then calculate the polynomial M consisting of the final decrypted values, where:

Further, ① for any set X, |X| is defined as the number of elements in the set X; if x is a vector, |x| is the dimension of this vector;

② For a given irreducible cyclotomic polynomial f(x) of highest degree d, define the integer polynomial ring R; all elements of the ring R are vectors, also called polynomials; R_q denotes the ring R with all element coefficients taken modulo q, with the uniform distribution over R_q; any element of the ring R has a_i as the coefficient of its i-th term, where x is the indeterminate; the infinity norm of an element and the expansion factor δ_R of R are defined by the corresponding formulas;

③ For any integer h > 1, define the integer set representing the integer ring {0, 1, 2, …, q-1}; for any x, [x]_h = x mod h; ⌊x⌋ denotes rounding down, ⌈x⌉ rounding up, and ⌊x⌉ the nearest integer; for any x ∈ R, [x]_h means applying the modulo-h operation to all coefficients of x;

④ For a given security parameter λ, if for every constant c it holds that negl(λ) = o(1/λ^c), then the function negl(λ) is said to be negligible;

⑤ For a given parameterized probability distribution D, x ← D denotes that x is sampled at random from D; for a set X, x ← X denotes that x is uniformly sampled from the set; for a distribution χ over the integers, if its values lie within the range [-B, B], its bound is called B;

⑥ For embedding a Set with m elements into a polynomial Poly of highest degree d, d+1 must be divisible by m and d ≤ m^2 - 1; there are the following two modes:

1) modulo-m continuous embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered Set as the coefficient of that term, and embed the same coefficient in each following term until a term again satisfies i % m = 1; then delete the previous element from the Set, embed the new first element in the corresponding term, and repeat until the whole polynomial has been traversed;

2) modulo-m interval embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered Set as the coefficient of that term and delete that element from the Set; repeat until the whole polynomial has been traversed;

⑦ For an integer set {a, b, c, d}, the corresponding Lagrange basis functions with argument x are agreed to be {LA_a(x), LA_b(x), LA_c(x), LA_d(x)}, as follows:

Compared with the prior art, the beneficial effects are: the lattice-based distributed threshold addition homomorphic encryption method provided by the invention reduces the number of shares held locally by the user side, further reduces the communication traffic of the whole protocol, reduces the computation time of the user-side algorithms, and allows the user side to participate in the whole protocol using lightweight computing equipment.

Drawings

FIG. 1 is a schematic flow diagram of the process of the present invention.

Detailed Description

In this embodiment, a unified convention is first made for the partial symbols and algorithms that appear multiple times in this embodiment. The convention is as follows:

(1) For any set X, |X| is defined as the number of elements in the set X; if x is a vector, |x| is the dimension of this vector.

(2) For a given irreducible cyclotomic polynomial f(x) of highest degree d, define the integer polynomial ring R. All elements of the ring R are vectors, also called polynomials. R_q denotes the ring R with all element coefficients taken modulo q, with the uniform distribution over R_q. Any element of the ring R has a_i as the coefficient of its i-th term, i.e. it satisfies formula (1), where x is the indeterminate; its infinity norm satisfies formula (2); the expansion factor δ_R of R satisfies formula (3):

(3) For any integer h > 1, define the integer set representing the integer ring {0, 1, 2, …, q-1}; for any x, [x]_h = x mod h; ⌊x⌋ denotes rounding down, ⌈x⌉ rounding up, and ⌊x⌉ the nearest integer; for any x ∈ R, [x]_h means applying the modulo-h operation to all coefficients of x.

(4) For a given security parameter λ, if for every constant c it holds that negl(λ) = o(1/λ^c), the function negl(λ) is said to be negligible. If the probability of an event is negl(λ), its probability of occurrence is negligible.

(5) For a given parameterized probability distribution D, x ← D denotes that x is sampled at random from D; for a set X, x ← X denotes that x is uniformly sampled from the set; for a distribution χ over the integers, if its values lie within the range [-B, B], its bound is designated B.

(6) For a hybrid public-key encryption system HPKE = {HPKE.Gen, HPKE.Enc, HPKE.Dec}: the key generation algorithm HPKE.Gen takes a security parameter as input and outputs an encryption/decryption key pair; HPKE.Enc takes an encryption key and a plaintext and outputs a ciphertext; HPKE.Dec takes a ciphertext and a decryption key and outputs the plaintext.

(7) For embedding a Set with m elements into a polynomial Poly of highest degree d (requiring that d+1 be divisible by m and d ≤ m^2 - 1), the following two modes are agreed:

a) modulo-m continuous embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered Set as the coefficient of that term, and embed the same coefficient in each following term until a term again satisfies i % m = 1; then delete the previous element from the Set, embed the new first element in the corresponding term, and repeat until the traversal of the whole polynomial is finished.

Example: Set = {a, b, c} and the highest degree of Poly is d = 8; then the embedded polynomial (with argument x) is:

Poly = a + ax + ax^2 + bx^3 + bx^4 + bx^5 + cx^6 + cx^7 + cx^8

b) modulo-m interval embedding: when the i-th term of the polynomial Poly satisfies i % m = 1 (i = 1, …, d+1), embed the first element of the ordered Set as the coefficient of that term and delete that element from the Set; repeat until the whole polynomial has been traversed.

Example: Set = {a, b, c} and the highest degree of Poly is d = 8; then the embedded polynomial (with argument x) is:

Poly = a + 0x + 0x^2 + bx^3 + 0x^4 + 0x^5 + cx^6 + 0x^7 + 0x^8
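As an added worked example (not code from the patent), the two embedding modes of convention (7) in Python, using the text's term numbering i = 1..d+1 with the constant term as i = 1; the inverse extraction and the string renderer are extra helpers assumed here, not part of the scheme.

```python
# Added example: modulo-m continuous and interval embedding of an ordered set
# into the coefficient list [c_0, ..., c_d] of a polynomial of highest degree d.


def _check(ordered_set, d, m):
    # The text requires m | (d+1) and d <= m^2 - 1; with |Set| = m that leaves
    # enough elements for the (d+1)/m groups of m terms. m >= 2 so i % m == 1 exists.
    if m < 2 or (d + 1) % m != 0 or d > m * m - 1:
        raise ValueError("need m >= 2, m | (d+1) and d <= m^2 - 1")
    if len(ordered_set) < (d + 1) // m:
        raise ValueError("ordered set too short for (d+1)/m groups")


def continuous_embed(ordered_set, d, m):
    """Modulo-m continuous embedding: at every term with i % m == 1 the next
    element of the set becomes the coefficient and is repeated for the group."""
    _check(ordered_set, d, m)
    coeffs = []
    for i in range(1, d + 2):            # term number i, power of x is i - 1
        if i % m == 1:                   # group boundary: advance to next element
            current = ordered_set[(i - 1) // m]
        coeffs.append(current)
    return coeffs


def interval_embed(ordered_set, d, m):
    """Modulo-m interval embedding: the element sits only at the first term of
    its group; the remaining m-1 coefficients of the group are 0."""
    _check(ordered_set, d, m)
    return [ordered_set[(i - 1) // m] if i % m == 1 else 0
            for i in range(1, d + 2)]


def interval_extract(coeffs, m):
    """Inverse of interval_embed (assumed helper): read terms 1, m+1, 2m+1, ..."""
    return [coeffs[t] for t in range(0, len(coeffs), m)]


def poly_str(coeffs):
    """Render a coefficient list the way the text writes Poly (argument x)."""
    terms = []
    for t, c in enumerate(coeffs):
        terms.append(str(c) if t == 0 else f"{c}x" if t == 1 else f"{c}x^{t}")
    return " + ".join(terms)


if __name__ == "__main__":
    # Reproduces the text's example: Set = {a, b, c}, d = 8, hence m = 3.
    print("continuous:", poly_str(continuous_embed(["a", "b", "c"], 8, 3)))
    print("interval:  ", poly_str(interval_embed(["a", "b", "c"], 8, 3)))
```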

(8) For an integer set {a, b, c, d}, the corresponding set of Lagrange basis functions (with argument x) is agreed to be {LA_a(x), LA_b(x), LA_c(x), LA_d(x)}, as follows:

(9) For the multi-secret sharing scheme MultiSS:

The system initialization algorithm is MultiSS.Setup; its input is a security parameter and its output is the system parameters. The secret distribution algorithm is MultiSS.Split; its inputs are the system parameters and an ordered secret set, and its outputs are a secret share set and the user public shares. The secret reconstruction algorithm is MultiSS.Recovery.

a) System setup algorithm: MultiSS.Setup

The algorithm inputs a security parameter λ and outputs the system parameters paramSS = {q, n, th, m, U, V, PList, GList, OS_sys}, where q is a large prime, n is the number of participants, th is the threshold, and m is the number of secrets shared at a time, with m ≥ th required. The set of all participants is U, and a set of users meeting the threshold number is V, i.e. n ≥ |V| ≥ th. Then, within [n+2m+th, q-1], n mutually different integers p_1, p_2, p_3, …, p_n are randomly selected as the personal identifiers of the participants; their set is denoted PList. The n consecutive integers g_1, g_2, g_3, …, g_n of the interval [m, m+n-1] are the identifiers of the system public shares; their set is denoted GList. Finally, n random integers k_1, k_2, k_3, …, k_n are selected in the range [0, q-1]; these are called the system public shares and their set is denoted OS_sys.

b) Secret distribution algorithm: MultiSS.Split

The algorithm is executed by the secret distributor; it inputs the system parameters paramSS and an ordered secret set mList, and outputs a secret share set SList and the user public shares OS_u. Let the m secrets to be shared be C_1, C_2, C_3, …, C_m. The specific steps are:

1. Interpolation generates the polynomial h(x) of degree n+m-1: the m value pairs (0, C_1), (1, C_2), (2, C_3), …, (m-1, C_m) formed by the secrets and the n value pairs (g_1, k_1), (g_2, k_2), (g_3, k_3), …, (g_n, k_n) formed by the system public shares, n+m value pairs in total, are fed to the Lagrange polynomial interpolation algorithm, giving h(x) = a_0 + a_1 x + a_2 x^2 + … + a_{n+m-1} x^{n+m-1};

2. Generate the participants' secret share set SList: using the obtained polynomial h(x) of degree n+m-1, compute each participant's secret share by inputting the participant's personal identifier p_i into h(x) as the argument; the function value h(p_i) is that participant's secret share, and the set of these shares is SList;

3. When m > th, the secret distributor's public share set OS_u must be generated: the m-th consecutive integers b_1, b_2, b_3, …, b_{m-th} of the interval [m+n, m+2n-th-1] are the identifiers of the secret distributor's public shares, and their set is denoted BList; input each identifier in BList into the polynomial h(x) to obtain the corresponding value h(b_i); the set of these values is denoted OS_u.

c) Secret reconstruction algorithm: MultiSS.Recovery

The algorithm can be executed by any party that needs to recover the secrets. It inputs the system parameters paramSS, a secret share set SList whose size must be at least th, and the secret distributor's public share set OS_u, and outputs the ordered secret set mList, via the following steps:

1. Interpolation restores the polynomial h(x) of degree n+m-1: from the secret share set SList obtain at least th value pairs (p_i, h(p_i)); from the system public shares OS_sys obtain the n value pairs (g_i, k_i); if m > th, also combine the secret distributor's public share set OS_u to obtain the m-th value pairs (b_i, h(b_i)); with at least m+n value pairs in total, recover h(x) using the Lagrange polynomial interpolation algorithm;

2. Generate the ordered secret set mList: compute each secret as C_i = h(i-1) for i = 1, 2, …, m; this set is denoted mList.
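As an added example (not the patent's own code), the three MultiSS algorithms over GF(q) in Python, following the identifier layout of a) to c) above; the reading of BList as the m-th consecutive integers starting at m+n, and the particular prime q and small n, th, m used, are assumptions made for this illustration.

```python
# Added example: MultiSS.Setup / MultiSS.Split / MultiSS.Recovery over GF(q),
# q a large prime (the patent itself only requires q to be a large prime).
import random


def lagrange_interpolate(points, q):
    """Coefficients [a_0, ..., a_{k-1}] of the unique polynomial of degree < k
    through the k points (x_i, y_i) over GF(q), assembled from the Lagrange basis
    LA_{x_i}(x) = prod_{j != i} (x - x_j) / (x_i - x_j)."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)          # basis *= (x - xj)
            for t, b in enumerate(basis):
                nxt[t] = (nxt[t] - xj * b) % q
                nxt[t + 1] = (nxt[t + 1] + b) % q
            basis = nxt
            denom = denom * (xi - xj) % q
        scale = yi * pow(denom, -1, q) % q         # y_i / prod (x_i - x_j)
        for t, b in enumerate(basis):
            coeffs[t] = (coeffs[t] + scale * b) % q
    return coeffs


def poly_eval(coeffs, x, q):
    """Horner evaluation of h(x) modulo q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def multiss_setup(q, n, th, m, rng=random):
    """paramSS with the identifier layout of a): PList drawn from [n+2m+th, q-1],
    GList = [m, m+n-1], BList = the m-th integers from m+n (assumed reading),
    OSsys = n random system public shares k_i in [0, q-1]."""
    if not (1 <= th <= n and m >= th):
        raise ValueError("need 1 <= th <= n and m >= th")
    return {"q": q, "n": n, "th": th, "m": m,
            "PList": rng.sample(range(n + 2 * m + th, q), n),
            "GList": list(range(m, m + n)),
            "BList": list(range(m + n, m + n + (m - th))),
            "OSsys": [rng.randrange(q) for _ in range(n)]}


def multiss_split(params, mlist):
    """Share the m secrets C_1..C_m: returns (SList as {p_i: h(p_i)}, OS_u)."""
    q, m = params["q"], params["m"]
    if len(mlist) != m:
        raise ValueError("mList must contain exactly m secrets")
    points = [(i, c % q) for i, c in enumerate(mlist)]      # (i-1, C_i)
    points += list(zip(params["GList"], params["OSsys"]))     # (g_i, k_i)
    h = lagrange_interpolate(points, q)                       # degree n+m-1
    slist = {p: poly_eval(h, p, q) for p in params["PList"]}
    os_u = [poly_eval(h, b, q) for b in params["BList"]]      # empty when m == th
    return slist, os_u


def multiss_recovery(params, slist, os_u):
    """Rebuild h(x) from >= th participant shares, the n system public shares
    and the m-th distributor public shares, then read off C_i = h(i-1)."""
    q, m, th = params["q"], params["m"], params["th"]
    if len(slist) < th:
        raise ValueError("at least th participant shares are required")
    points = list(slist.items())
    points += list(zip(params["GList"], params["OSsys"]))
    points += list(zip(params["BList"], os_u))
    h = lagrange_interpolate(points, q)     # >= m+n points determine h(x) uniquely
    return [poly_eval(h, i, q) for i in range(m)]
```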

The lattice-based distributed threshold addition homomorphic encryption method provided by this embodiment comprises the following steps: system initial setup, user key generation, user private key share generation, system public key synthesis, data encryption, addition homomorphic operation, partial decryption and final decryption.

Step 1, system initial setup: DTAHE.Setup

In this step, a security parameter λ is input and the system parameters params = {param0, paramSS} are output, where param0 is the system-initialization parameter set and paramSS is the multi-secret-sharing parameter set. Specifically, param0 contains a polynomial degree d, a polynomial coefficient modulus q, a plaintext polynomial modulus t, a normal distribution χ, a uniform distribution μ and the multi-secret sharing scheme MultiSS = {MultiSS.Setup, MultiSS.Split, MultiSS.Recovery}; paramSS = {n, th, m, U, V, PList, GList, BList, OS_sys} is obtained by running MultiSS.Setup(1^λ) → paramSS. The details are shown in Table 1.

Table 1: detailed parameter list of the scheme

Step 2, user key generation: DTAHE.KeyGen

The system parameters params are input and the public/private key pair (pk_u, sk_u) is output. First, a polynomial is uniformly and randomly selected from the polynomial ring R_3 whose coefficients lie in {-1, 0, 1}; then a noise polynomial is selected according to the distribution χ, and sk_u0 and pk_u0 are set from them. Running (pk_u1, sk_u1) ← HPKE.Gen(1^λ) gives the encryption/decryption key pair of the HPKE system. Finally sk_u = (sk_u0, sk_u1) and pk_u = (pk_u0, pk_u1) are set, and the public/private key pair (pk_u, sk_u) is output.

Step 3, user private key share generation: DTAHE.ShareGen

In this step, the system parameters params, the private key sk_u0 of user u and the public key set {pk_v1}_{v∈U} of the user set U are input; the output is an encrypted message set {e_uv}_{v∈U} and an ordered set of user u's public shares.

First, a noise polynomial is randomly selected. For sk_u0 and for the noise, every m consecutive coefficients are processed by one run of the algorithm MultiSS.Split, so completing the sharing of the whole private key and of the whole noise each requires several executions of the multi-secret sharing algorithm. This yields ordered secret share sets for user u's private key and noise, and ordered user public share sets for each; each of the four ordered sets contains the same number of elements, where:

Then, for each user in the set U, the following is executed:

a) The two secret share ordered sets to be sent to user v, {Ssk_uv, Seu_uv}, are packed into a message s_uv, where Ssk_uv is the secret share set relating to the private key and Seu_uv is the secret share set relating to the noise; assuming the identifier of user v is p_0, then

b) Using the public key pk_v1 of user v, run the encryption algorithm HPKE.Enc(pk_v1, s_uv) to obtain the encrypted message e_uv. Finally, the output is the set {e_uv}_{v∈U} of encrypted messages, one for each user (user u's own share stays local), together with the ordered set of user u's public shares.

Step 4, system public key synthesis: DTAHE.CommKey

In this step, the system parameters params and the public key set {pk_u0}_{u∈U} of all users are input; pk = [Σ_{u∈U} pk_u0]_q is calculated and the system public key pk is output.

Step 5, data encryption algorithm: DTAHE

In this step, the system parameters params, the system public key pk and the plaintext data m_u of user u are input, and the ciphertext data c_u = (c_u0, c_u1) of user u is output.

The plaintext data m_u is first embedded as coefficients into a polynomial X_u of highest degree d; then two noise polynomials are randomly selected and the two ciphertext components are calculated from them, and the ciphertext data c_u = (c_u0, c_u1) of user u is output.

Step 6, addition homomorphic operation: DTAHE.EvalAdd

In this step, the system parameters params, the users' ciphertext data set {c_u}_{u∈U} and the users' weighting coefficient set {w_u}_{u∈U} are input; ct_0 = [Σ_{u∈U} c_u0·w_u]_q and ct_1 = [Σ_{u∈U} c_u1·w_u]_q are calculated separately, and finally the system ciphertext ct = (ct_0, ct_1) is output.

Step 7, partial decryption: DTAHE

In this step, the system parameters params, the system ciphertext ct, the public key pk_u of user u and the encrypted message set {e_vu}_{v∈U\{u}} that user u received from the other users in the set U are input, and the partial decryption value pm_u of user u is output.

The partial decryption step is divided into three stages: decrypting the shares, aggregating the shares and calculating the partial decryption value. First the decryption algorithm HPKE.Dec(sk_u1, e_vu) is run to obtain the message set {s_vu}_{v∈U\{u}}. After the messages are parsed one by one, a set {Ssk_vu}_{v∈U\{u}} of secret-share ordered sets relating to the private key and a set {Seu_vu}_{v∈U\{u}} of secret-share ordered sets relating to the noise are obtained, each comprising n-1 set elements, each set element consisting of secret shares arranged in order. The two secret-share ordered sets that user u kept for itself when sharing its local private key and noise are added in, and each is aggregated into a total share ordered set; concretely, Ssk_u = Σ_{v∈U} Ssk_vu and Seu_u = Σ_{v∈U} Seu_vu. Then the partial-decryption-value calculation is executed: the ordered set Ssk_u is embedded into a degree-d polynomial by modulo-m interval embedding to obtain SK, and the ordered set Seu_u is embedded into a degree-d polynomial by modulo-m continuous embedding to obtain SE. ct_0 is extracted from the ciphertext ct, pm_u = [ct_0·SK + SE]_q is calculated, and finally the partial decryption value pm_u of user u is output.

Step 8, final decryption algorithm: DTAHE.FinDec

In this step, the system parameters params, the system ciphertext ct = (ct_0, ct_1), the users' partial decryption value set P_1 = {pm_u}_{u∈V} with |P_1| ≥ th, the system public share set OS_sys and the public share sets of all users in the set U are input, and the polynomial M consisting of the final decrypted values is output.

The final decryption step is divided into five stages: aggregating the user public shares, calculating the decryption values of the user public part, aggregating the system public shares, calculating the decryption values of the system public part, and interpolating the decrypted data. First, for the user public share sets H_2 and H_3, each of whose n set elements consists of the ordered public share set of one user, the n set elements are added term by term in order, obtaining the user share summary sets:

At this time SH_0 and SH_1 each consist of share sets arranged in order, each share set containing m-th shares. Then, for i = 1, 2, …, m-th, one set is taken out of SH_0 and one out of SH_1 each time and, following the partial-decryption-value calculation method of DTAHE (step 7), one ordered set undergoes modulo-m interval embedding and the other modulo-m continuous embedding. After m-th executions, the partial decryption value set P_2 for the user public shares is obtained.

For the system public share set {k_1, k_2, k_3, …, k_n}, k_i = n*k_i is calculated for i = 1, 2, …, n and two sets are constructed from the results. Partial decryption values for the system public shares are calculated following the partial-decryption-value calculation method of DTAHE (step 7), with one set undergoing modulo-m interval embedding and the other modulo-m continuous embedding. After n executions, the partial decryption value set P_3 for the system public shares is obtained. Merging the three partial decryption value sets P_1, P_2, P_3 gives P = {pm_i}, whose corresponding identifier set is abbreviated A = {a_1, …, a_i}, i ∈ [1, |P|]. The Lagrange interpolation basis function corresponding to each item is LA_{a_i}(x).

For i = 1, 2, 3, …, |P|, the corresponding set {LA_{a_i}(0), LA_{a_i}(1), ..., LA_{a_i}(m-1)} is embedded into a degree-d polynomial by modulo-m interval embedding to obtain L_i. The polynomial M consisting of the final decrypted values is then calculated, where:

although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.
