2. 河北省科技金融重点实验室, 河北 保定 071051;
3. 河北省科技金融协同创新中心, 河北 保定 071051
2. Science and Technology Finance Key Laboratory of Hebei Province, Baoding Hebei 071051, China;
3. Financial Synergy Innovation of Science and Technology Center in Hebei Province, Baoding Hebei 071051, China
在RSA(Rivest, Shamir, Adelman)公钥密码系统提出后不久,人们就提出了全同态加密(Fully Homomorphic Encryption, FHE)体制的思想[1]。在全同态加密体制中,有Dec(f(Enc(μ1), Enc(μ2), …, Enc(μk)))=f(μ1, μ2, …, μk),其中f为任意函数/电路。在分级全同态加密(leveled FHE)体制中,系统参数不仅依赖于安全参数λ还依赖于电路深度L∈Z+。借助于全同态加密体制,人们可把计算外包给不可信的服务器,而不必担心个人隐私泄露问题。
2009年Gentry[2]基于格理论构造了第一个全同态加密方案。2011年Brakerski等[3]基于环上带误差学习(ring Learning With Errors, ring-LWE)问题[4]构造了一个全同态加密方案;Brakerski等[5]基于LWE问题[6]又构造了一个全同态加密方案。2012年Brakerski等[7]基于环上LWE问题构造了一个高效的分级全同态加密方案。2013年Gentry等[8]基于LWE问题构造了一个简单自然的分级全同态加密方案。
Banerjee等[9]在Eurocrypt 2012上定义了带舍入学习(Learning With Rounding, LWR)问题以及环上LWR(ring-LWR)问题,并在一定参数条件下给出了从LWE问题到LWR问题的归约,以及从环上LWE问题到环上LWR问题的归约。LWR问题是LWE问题的变型,它们的区别主要在于LWE问题需要进行高斯噪声抽样,而LWR问题不需要进行高斯噪声抽样。后来,Bogdanov等[10]又改进了从LWE问题到LWR问题的归约。目前,人们基于LWR问题已构造了一些公钥密码方案,如公钥加密方案[11]、身份基加密方案[12]等。
人们基于LWE问题已构造了许多全同态加密方案[3, 5, 7-8],然而这些方案都需要进行高斯噪声抽样。因为高斯噪声抽样的计算开销很大,所以高斯噪声抽样是制约这些方案计算性能的瓶颈因素。而LWR问题无需进行高斯噪声抽样,故基于LWR问题构造全同态加密方案,从而摒弃耗时的高斯噪声抽样,不失为改善全同态加密方案计算性能的一条有效途径。因为LWR问题是LWE问题的变型,所以可比照现有基于LWE问题的全同态加密方案,而构造基于LWR问题的全同态加密方案。
最近,Costache等[13]比照Brakerski等[7]提出的方案构造了一个基于环上LWR问题的分级全同态加密方案。Costache等之所以比照Brakerski等[7]提出的方案,主要是考虑到在基于LWE的全同态加密方案中,Brakerski等[7]所提方案的计算效率是比较高的。在基于LWE的全同态加密方案中,Gentry等[8]所提方案适用于比较多的场合,例如:基于Gentry等[8]提出的方案,人们构造了身份基全同态加密方案[14-17]、多密钥全同态加密方案[18-19]等;基于多密钥全同态加密方案[18-19],研究者们又进一步构造了属性基全同态加密方案[20-21]。故而本文基于Gentry等[8]提出的方案构造了一个基于LWR问题的分级全同态加密方案。Gentry等[8]所提方案之所以比其他全同态加密方案适用于更多场合,主要是因为它在同态运算时不需要运算密钥evk参与,而其他全同态加密方案在同态运算时都需要运算密钥evk协助。本文所构造的全同态加密方案亦不需要运算密钥evk,因此基于本文所构造的方案,可以进一步构造身份基全同态加密方案、多密钥全同态加密方案以及属性基全同态加密方案等。
1 预备知识本文向量如a等都为行向量,〈a, b〉=a·bT表示向量a与b的内积,其中bT表示向量b的转置。‖a‖k=
定义1 LWE问题[6]。令n和q≥2为整数。对向量s∈Zqn,定义As, χ为Zqn×Zq上的分布,它是通过均匀选取ai←Zqn,输出(ai, bi=〈ai, s〉+ei)∈Zqn×Zq而获得的,其中ei←χ,χ为Zq上的误差分布,通常χ为离散高斯分布。对某一分布之上的s∈Zqn,LWEn, q, χ问题是区分若干抽样(ai, bi)←As, χ与等量的均匀抽样(ci, di)←Zqn×Zp。
定义2 B有界分布。一族Z上的分布{χn}n∈ N ,如果Pre←χn[|e|>B]≤negl(n),其中B=B(n),则称它为B有界分布。
定理1[6, 22-24] 令q=q(n)为素数的幂q=ar或小素数的积
定义3 取整函数。定义取整函数
定义4 LWR问题[9]。令n和q≥p≥2为整数。对向量s∈Zqn,定义As, p为Zqn×Zp上的分布,它是通过均匀选取ai←Zqn,输出
定理2[9] 令χ是任意Zq上的B有界分布,且χ可有效抽样。令
对于从LWE问题到LWR问题的归约,Bogdanov等[10]又给出了一个比定理2更佳的归约结果。
1.2 向量分解技术向量分解技术能保持向量的內积不发生变化。它包括以下转换操作:
BitDecompq(x):例如对x∈Zqk,输出
BitDecompq-1(x′):例如对
Flattenq(x′):例如对x′∈Z
PowersOfTwoq(y):例如对y∈Zqk,输出
对上述这些操作来说,显然有:
①〈BitDecompq(x), PowersOfTwoq(y)〉=〈x, y〉;
② 对任意x′∈Z
而且,对于矩阵A,令BitDecompq(A)、BitDecompq-1(A)和Flattenq(A)皆为矩阵,且是通过分别处理A的每一行而得到的。
1.3 密码定义一个分级全同态加密方案包括密钥生成KeyGen、加密Enc、解密Dec和同态运算Eval四个多项式时间算法。其中,(pk, sk)←KeyGen(1λ, 1L)输入安全参数λ和电路深度L,输出公钥pk和私钥sk;c←Enc(pk, μ)应用公钥pk加密消息μ∈{0, 1}生成密文c;μ←Dec(sk, c)应用私钥sk解密密文c恢复消息μ∈{0, 1};cf←Eval(f, c1, c2, …, ck)输入电路f:{0, 1}k→{0, 1}和密文c1, c2, …, ck,输出密文cf。
通常,f为有限域GF(2)上的算术电路,只包含加法门和乘法门两种门电路,因而人们习惯上把Eval分成同态加法cadd←Add(c1, c2)和同态乘法cmult←Mult(c1, c2)。
分级全同态加密方案的标准安全性为语义安全性,即在选择明文攻击下的不可区分性(INDistinguishability under Chosen Plaintext Attack, IND-CPA)。
定义3 紧致性。如果一个分级全同态加密方案的解密电路不依赖于运算函数f,则称它是紧致的。
2 基础加密方案首先,基于LWR问题构造一个标准公钥加密方案。
2.1 构造KeyGen(1λ, 1L):选择参数n=n(λ, L),选择参数q与p,并且q≥p≥2。这些参数应使得LWRn, q, p问题至少为2λ安全的。选择参数m=m(λ, L)=O(n lb q+lb p)。令l1=
Enc(pk, μ∈{0, 1}):对于消息μ∈{0, 1},均匀选择矩阵R←{0, 1}N×m,并输出密文C,即:
$ \begin{array}{l} \mathit{\boldsymbol{C}} = \left( {\left. {{\rm{Flatte}}{{\rm{n}}_p}\left( {{{\left( {\mu \cdot {\mathit{\boldsymbol{I}}_{{l_2}}}\left| 0 \right.} \right)}^{\rm{T}}} + {\rm{BitDecom}}{{\rm{p}}_p}\left( {\mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{u}}^{\rm{T}}}} \right)} \right)\;} \right|} \right.\\ \;\;\;\;\;\;\;\left. {{\rm{Flatte}}{{\rm{n}}_q}\left( {{{\left( {0\left| {\mu \cdot {\mathit{\boldsymbol{I}}_{n{l_1}}}} \right.} \right)}^{\rm{T}}} + {\rm{BitDecom}}{{\rm{p}}_q}\left( {\mathit{\boldsymbol{R}} \cdot \mathit{\boldsymbol{B}}} \right)\;} \right)} \right) \in \\ \;\;\;\;\;\;\;\left( {{\bf{Z}}_p^{N \times {l_2}}\left| {\, {\bf{Z}}_q^{N \times n{l_1}}} \right.} \right) \end{array} $ |
Dec(sk, C):易见,密钥z的前l2个分量为(1, 2, …, 2l2-1),其中有zi=2i∈(p/4, p/2]。计算xi←Ci·zT,其中Ci为C的第i行,并且输出
在密钥生成算法KeyGen中,有:
$ \begin{array}{*{20}{c}} {\mathit{\boldsymbol{A}} \cdot {\mathit{\boldsymbol{s}}^{\rm{T}}} = \left( {{\mathit{\boldsymbol{u}}^{\rm{T}}}|\mathit{\boldsymbol{B}}} \right) \cdot {{\left( {1, \;-\frac{p}{q} \cdot \mathit{\boldsymbol{d}}} \right)}^{\rm{T}}} = {\mathit{\boldsymbol{u}}^{\rm{T}}}-\frac{p}{q} \cdot \mathit{\boldsymbol{B}} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}} = }\\ {\left( {\begin{array}{*{20}{c}} {{u_1}-\frac{p}{q} \cdot {\mathit{\boldsymbol{v}}_1} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}}}\\ {{u_2} - \frac{p}{q} \cdot {\mathit{\boldsymbol{v}}_2} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}}}\\ \vdots \\ {{u_m} - \frac{p}{q} \cdot {\mathit{\boldsymbol{v}}_m} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}}} \end{array}} \right) = \left( {\begin{array}{*{20}{c}} {{e_1}}\\ {{e_2}}\\ \vdots \\ {{e_m}} \end{array}} \right)} \end{array} $ |
令eT=(e1, e2, …, em)T,其中ek=uk-
$ \begin{array}{l} \mathit{\boldsymbol{C}} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = \left( {\left. {{\rm{Flatte}}{{\rm{n}}_p}\left( {\left( {\begin{array}{*{20}{c}} {\mu \cdot {\mathit{\boldsymbol{I}}_{{l_2}}}}\\ 0 \end{array}} \right) + {\rm{BitDecom}}{{\rm{p}}_p}\left( {\mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{u}}^{\rm{T}}}} \right)} \right)\;} \right|} \right.\\ \;\;\;\;\left. {{\rm{Flatte}}{{\rm{n}}_q}\left( {\left( {\begin{array}{*{20}{c}} 0\\ {\mu \cdot {\mathit{\boldsymbol{I}}_{n{l_1}}}} \end{array}} \right) + {\rm{BitDecom}}{{\rm{p}}_q}\left( {\mathit{\boldsymbol{R}} \cdot \mathit{\boldsymbol{B}}} \right)\;} \right)} \right) \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = \\ \;\;\;\;{\rm{Flatte}}{{\rm{n}}_p}\left( {\left( {\begin{array}{*{20}{c}} {\mu \cdot {\mathit{\boldsymbol{I}}_{{l_2}}}}\\ 0 \end{array}} \right) + {\rm{BitDecom}}{{\rm{p}}_p}\left( {\mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{u}}^{\rm{T}}}} \right)} \right) \cdot \\ \;\;\;\;{\left( {{\rm{PowersOfTw}}{{\rm{o}}_p}\left( 1 \right)} \right)^{\rm{T}}} + {\rm{Flatte}}{{\rm{n}}_q}\left( {\left( {\begin{array}{*{20}{c}} 0\\ {\mu \cdot {\mathit{\boldsymbol{I}}_{n{l_1}}}} \end{array}} \right) + } \right.\\ \;\;\;\;\;\left. {{\rm{BitDecom}}{{\rm{p}}_q}\left( {\mathit{\boldsymbol{R}} \cdot \mathit{\boldsymbol{B}}} \right)} \right) \cdot {\left( {-\frac{p}{q}{\rm{PowersOfTw}}{{\rm{o}}_q}\left( \mathit{\boldsymbol{d}} \right)} \right)^{\rm{T}}} = \\ \;\;\;\;\;\left( {\begin{array}{*{20}{c}} {\mu \cdot {{\left( {{\rm{PowersOfTw}}{{\rm{o}}_p}\left( 1 \right)} \right)}^{\rm{T}}}}\\ 0 \end{array}} \right) + \mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{u}}^{\rm{T}}} + \\ \;\;\;\;\;\;\left( {\begin{array}{*{20}{c}} 0\\ {\mu \cdot {{\left( {-\frac{p}{q}{\rm{PowersOfTw}}{{\rm{o}}_q}\left( \mathit{\boldsymbol{d}} \right)} \right)}^{\rm{T}}}} \end{array}} \right)-\frac{p}{q} \cdot \mathit{\boldsymbol{R}} \cdot \mathit{\boldsymbol{B}} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}} = \\ \;\;\;\;\;\;\left( {\begin{array}{*{20}{c}} {\mu \cdot {{\left( {{\rm{PowersOfTw}}{{\rm{o}}_p}\left( 1 \right)} \right)}^{\rm{T}}}}\\ {\mu \cdot {{\left( { - \frac{p}{q}{\rm{PowersOfTw}}{{\rm{o}}_q}\left( \mathit{\boldsymbol{d}} \right)} \right)}^{\rm{T}}}} \end{array}} \right) + \mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{u}}^{\rm{T}}} - \\ \;\;\;\;\;\;\;\frac{p}{q} \cdot \mathit{\boldsymbol{R}} \cdot \mathit{\boldsymbol{B}} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}} = \mu \cdot \left( {\begin{array}{*{20}{c}} {{{\left( {{\rm{PowersOfTw}}{{\rm{o}}_p}\left( 1 \right)} \right)}^{\rm{T}}}}\\ {{{\left( { - \frac{p}{q}{\rm{PowersOfTw}}{{\rm{o}}_q}\left( \mathit{\boldsymbol{d}} \right)} \right)}^{\rm{T}}}} \end{array}} \right) + \\ \;\;\;\;\;\;\mathit{\boldsymbol{R}} \cdot \left( {{\mathit{\boldsymbol{u}}^{\rm{T}}} - \frac{p}{q} \cdot \mathit{\boldsymbol{B}} \cdot {\mathit{\boldsymbol{d}}^{\rm{T}}}} \right) = \mu \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \mathit{\boldsymbol{R}} \cdot {\mathit{\boldsymbol{e}}^{\rm{T}}} \end{array} $ |
故有xi=Ci·zT=μ·zi+Ri·eT,即
定理3 假设LWR问题是难解的,那么上述加密方案是IND-CPA安全的。
证明 考虑下列游戏,其中AdvGamei(
Game 0 该游戏为标准的IND-CPA游戏。
Game 1 与Game 0相比,Game 1修改了密钥生成算法。挑战者不是调用KeyGen生成公钥,它是通过随机均匀选择u←Zpm和B←Zqm×n,而令pk=A=(uT|B)∈(Zpm×1|Zqm×n)。因为假设LWR问题是难解的,所以Game 0与Game 1在计算上是不可区分的,即有|AdvGame 0(
Game 2 与Game 1相比,Game 2修改了加密算法。挑战者不是调用Enc产生密文,而是随机均匀选择Ĉ=(Ĉp|Ĉq)←(ZpN×l2|ZqN×nl1)。由剩余哈希引理(leftover hash lemma)[26]可知,(BitDecompp-1(Cp)|BitDecompq-1(Cq))与(BitDecompp-1(Ĉp)|BitDecompq-1(Ĉq))是统计不可区分的。即Game 1与Game 2是统计不可区分的,即有|AdvGame 1(
在Game 2中,挑战者所给出的公钥和密文都是均匀随机的,且与消息μ∈{0, 1}无关,因此AdvGame 2(
接下来,分析有限域GF(2)上的同态加法和同态乘法运算。
如果给定密文C1=(C1, p|C1, q)∈(ZpN×l2|ZqN×nl1),C2=(C2, p|C2, q)∈(ZpN×l2|ZqN×nl1),则有:
1) Add(C1, C2):输出密文C1与C2的和Cadd,即:
$ \begin{array}{l} {\mathit{\boldsymbol{C}}_{{\rm{add}}}} = \left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_{{\rm{add}}, \;p}}} \right)\, \left| {\, {\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_{{\rm{add, }}\;q}}} \right)} \right.} \right) = \\ \;\;\;\;\;\;\;\;\;\;\;\left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_{1, \;p}} + {\mathit{\boldsymbol{C}}_{2, \;p}}} \right)\, \left| {\, {\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_{1, \;q}} + {\mathit{\boldsymbol{C}}_{2, \;q}}} \right)} \right.} \right) \end{array} $ |
2) Mult(C1, C2):输出密文C1与C2的积Cmult,即:
$ \begin{array}{l} {\mathit{\boldsymbol{C}}_{{\rm{mult}}}} = \left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_{{\rm{mult, }}\;p}}} \right)\, \left| {\, {\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_{{\rm{mult, }}\;q}}} \right)} \right.} \right) = \\ \;\;\;\;\;\;\;\;\;\;\left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_{2, \;p}}} \right)\, \left| {\, {\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_{2, \;q}}} \right)} \right.} \right) \end{array} $ |
已知道,C1·zT=μ1·zT+e1T,C2·zT=μ2·zT+e2T,其中e1和e2为误差。若记z=(zp, zq),则有:
$ \begin{array}{l} {\mathit{\boldsymbol{C}}_{{\rm{add}}}} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = \left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_{1, \;p}} + {\mathit{\boldsymbol{C}}_{2, \;p}}} \right)|} \right.\\ \;\;\;{\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_{1, \;q}} + {\mathit{\boldsymbol{C}}_{2, \;q}}} \right) \cdot {\left( {{\mathit{\boldsymbol{z}}_p}, \;{\mathit{\boldsymbol{z}}_q}} \right)^{\rm{T}}}{\rm{ = }}\\ \;\;\;\left( {{\mathit{\boldsymbol{C}}_{1, \;p}} + {\mathit{\boldsymbol{C}}_{2, \;p}}} \right) \cdot {\mathit{\boldsymbol{z}}_p}^{\rm{T}} + \left( {{\mathit{\boldsymbol{C}}_{1, \;q}} + {\mathit{\boldsymbol{C}}_{2, \;q}}} \right) \cdot {\mathit{\boldsymbol{z}}_q}^{\rm{T}} = \\ \;\;\;\;\left( {{\mathit{\boldsymbol{C}}_{1, \;p}} \cdot {\mathit{\boldsymbol{z}}_p}^{\rm{T}} + {\mathit{\boldsymbol{C}}_{1, \;q}} \cdot {\mathit{\boldsymbol{z}}_q}^{\rm{T}}} \right) + \left( {{\mathit{\boldsymbol{C}}_{2, \;p}} \cdot {\mathit{\boldsymbol{z}}_p}^{\rm{T}} + {\mathit{\boldsymbol{C}}_{2, \;q}} \cdot {\mathit{\boldsymbol{z}}_q}^{\rm{T}}} \right) = \\ \;\;\;\;\;{\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + {\mathit{\boldsymbol{C}}_2} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = {\mu _1} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \mathit{\boldsymbol{e}}_1^{\rm{T}} + {\mu _2} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \mathit{\boldsymbol{e}}_2^{\rm{T}} = \\ \;\;\;\;\;\left( {{\mu _1} + {\mu _2}} \right) \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \left( {\mathit{\boldsymbol{e}}_1^{\rm{T}} + \mathit{\boldsymbol{e}}_2^{\rm{T}}} \right) \end{array} $ |
$ \begin{array}{l} {\mathit{\boldsymbol{C}}_{{\rm{mult}}}} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = \left( {{\rm{Flatte}}{{\rm{n}}_p}\left( {{\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_{2, \;p}}} \right)|} \right.\\ \;\;\;\;\;{\rm{Flatte}}{{\rm{n}}_q}\left( {{\mathit{\boldsymbol{C}}_\mathit{\boldsymbol{1}}} \cdot {\mathit{\boldsymbol{C}}_{2, \;q}}} \right) \cdot {\left( {{\mathit{\boldsymbol{z}}_p}, \;{\mathit{\boldsymbol{z}}_q}} \right)^{\rm{T}}} = \\ \;\;\;\;\;{\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_{2, \;p}} \cdot {\mathit{\boldsymbol{z}}_p}^{\rm{T}} + {\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_{2, \;q}} \cdot {\mathit{\boldsymbol{z}}_q}^{\rm{T}} = \\ \;\;\;\;\;{\mathit{\boldsymbol{C}}_1} \cdot \left( {{\mathit{\boldsymbol{C}}_{2, \;p}} \cdot {\mathit{\boldsymbol{z}}_p}^{\rm{T}} + {\mathit{\boldsymbol{C}}_{2, \;q}} \cdot {\mathit{\boldsymbol{z}}_q}^{\rm{T}}} \right) = {\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{C}}_2} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} = \\ \;\;\;\;\;\;{\mathit{\boldsymbol{C}}_1} \cdot \left( {{\mu _2} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \mathit{\boldsymbol{e}}_2^{\rm{T}}} \right) = {\mu _2} \cdot {\mathit{\boldsymbol{C}}_1} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + {\mathit{\boldsymbol{C}}_1} \cdot \mathit{\boldsymbol{e}}_2^{\rm{T}} = \\ \;\;\;\;\;\;{\mu _2} \cdot \left( {{\mu _1} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \mathit{\boldsymbol{e}}_1^{\rm{T}}} \right) + {\mathit{\boldsymbol{C}}_1} \cdot \mathit{\boldsymbol{e}}_2^{\rm{T}} = \\ \;\;\;\;\;\;{\mu _1} \cdot {\mu _2} \cdot {\mathit{\boldsymbol{z}}^{\rm{T}}} + \left( {{\mu _2} \cdot \mathit{\boldsymbol{e}}_1^{\rm{T}} + {\mathit{\boldsymbol{C}}_1} \cdot \mathit{\boldsymbol{e}}_2^{\rm{T}}} \right) \end{array} $ |
所以Cadd为消息μ1+μ2的密文,其误差为eaddT=e1T+e2T;Cmult为消息μ1·μ2的密文,其误差为emultT=μ2·e1T+C1·e2T。而且,不难看出,‖eaddT‖∞≤‖e1T‖∞+‖e2T‖∞;‖emultT‖∞≤‖μ2·e1T‖∞+‖C1·e2T‖∞≤‖e1T‖∞+N·‖e2T‖∞,因为其中μ2∈{0, 1},C1∈{0, 1}N×N。
通过迭代调用以上加法和乘法,可完成电路f的运算。因为Cmult的误差emultT比Cadd的误差eaddT大得多,所以电路f的深度主要是由乘法运算决定的。若令初始密文的误差‖eT‖∞≤E,则f输出密文Cf的误差‖ef‖∞≤(N+1)L·E,其中L为f的电路深度。若有‖ef‖∞≤(N+1)L·E≤p/8,则f输出的密文Cf能够被正确解密。
根据定理2知道,在LWRn, q, p问题中有
显然,对构造的分级全同态加密方案来说,电路f输出的密文Cf∈(ZpN×l2|ZqN×nl1)。所以Cf的规模与电路f的大小无关,即构造的分级全同态加密方案满足紧致性要求。
4 性能比较Costache等[13]提出的基于环上LWR的全同态加密方案,是比照Brakerski等[7]的基于环上LWE的全同态加密方案构造的。在Brakerski等[7]的方案中,不仅要生成公钥,还要生成同态运算密钥evk。而evk是对私钥进行加密的结果,其不能由用户的身份信息计算出来,因此,由Brakerski等[7]的方案无法进而构造身份基全同态加密方案等。本文提出的基于LWR的全同态加密方案,是比照Gentry等[8]的基于LWE的全同态加密方案构造的。在Gentry等[8]的方案中,不需要生成同态运算密钥evk。基于此,基于Gentry等[8]的方案能进而构造身份基全同态加密方案等。目前人们基于Gentry等[8]的全同态加密方案,已构造了身份基全同态加密方案[14-17]、多密钥全同态加密方案[18-19]和属性基全同态加密方案[20-21]等。因此Gentry等[8]的全同态加密方案比Brakerski等[7]的全同态加密方案应用场合更多。Costache等[13]所提的全同态加密方案亦要生成同态运算密钥evk,因此由Costache等[13]所提方案亦无法进而构造身份基全同态加密方案等。本文所提的全同态加密方案亦不需要生成同态运算密钥evk,由此基于本文所提方案亦能进而构造身份基全同态加密方案、多密钥全同态加密方案和属性基全同态加密方案等。因此本文所提方案比Costache等[13]所提方案应用场合更多。
5 结语本文借鉴Gentry等[8]的全同态加密方案,构造了一个基于LWR的分级全同态加密方案,并证明了它的正确性、IND-CPA安全性和紧致性。目前Costache等[13]参照Brakerski等[7]的全同态加密方案,已构造了一个基于环上LWR的分级全同态方案。本文所提方案比Costache等[13]的方案应用场合更多。不过,由于Gentry等[8]的全同态加密方案比Brakerski等[7]的全同态加密方案的计算效率差一些,故而本文所提方案比Costache等[13]的方案的计算效率也差一些。因此,下一步致力于:1)以本文所构造的方案为基础,构造基于LWR问题的身份基分级全同态加密方案、多密钥分级全同态加密方案和属性基分级全同态加密方案;2)利用有关全同态加密性能优化技术,提高本文所构造的方案的计算性能。
[1] | RIVEST R L, ADLEMAN L, DERTOUZOS M L. On data banks and privacy homomorphisms[M]//Foundations of Secure Computation. Salt Lake City, UT:Academic Press, 1978:169-179. |
[2] | GENTRY C. Fully homomorphic encryption using ideal lattices[C]//STOC 2009:Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York:ACM, 2009:169-178. |
[3] | BRAKERSKI Z, VAIKUNTANATHAN V. Fully homomorphic encryption from ring-LWE and security for key dependent messages[C]//CRYPTO 2011:Proceedings of the 2011 Annual International Cryptology Conference, LNCS 6841. Berlin:Springer, 2011:505-524. |
[4] | LYUBASHEVSKY V, PEIKERT C, REGEV O. On ideal lattices and learning with errors over rings[C]//EUROCRYPT 2010:Proceedings of the 201029th Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 6110. Berlin:Springer, 2010:1-23. |
[5] | BRAKERSKI Z, VAIKUNTANATHAN V. Efficient fully homomorphic encryption from (standard) LWE[C]//FOCS 2011:Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science. Washington, DC:IEEE Computer Society, 2011:97-106. |
[6] | REGEV O. On lattices, learning with errors, random linear codes, and cryptography[C]//STOC 2005:Proceedings of the 37th Annual ACM Symposium on Theory of Computing. New York:ACM, 2005:84-93. |
[7] | BRAKERSKI Z, GENTRY C, VAIKUNTANATHAN V. (Leveled) fully homomorphic encryption without bootstrapping[C]//ITCS 2012:Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. New York:ACM, 2012:309-325. |
[8] | GENTRY C, SAHAI A, WATERS B. Homomorphic encryption from learning with errors:conceptually-simpler, asymptotically-faster, attribute-based[C]//CRYPTO 2013:Proceedings of the 33rd Annual Cryptology Conference, LNCS 8042. Berlin:Springer, 2013:75-92. |
[9] | BANERJEE A, PEIKERT C, ROSEN A. Pseudorandom functions and lattices[C]//EUROCRYPT 2012:Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 7237. Berlin:Springer, 2012:719-737. |
[10] | BOGDANOV A, GUO S Y, MASNY D, et al. On the hardness of learning with rounding over small modulus[C]//Proceedings of the 201613th International Conference on Theory of Cryptography, LNCS 9562. Berlin:Springer, 2016:209-224. |
[11] | DUAN R, GU C X. Public key encryption schemes based on learning with rounding problem[C]//MINES 2013:Proceedings of the 20135th International Conference on Multimedia Information Networking and Security. Washington, DC:IEEE computer society, 2013:101-104. |
[12] | FANG F Y, LI B, LU X H, et al. (Deterministic) hierarchical identity-based encryption from learning with rounding over small modulus[C]//ASIA CCS 2016:Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. New York:ACM, 2016:907-912. |
[13] | COSTACHE A, SMART N P. Homomorphic encryption without Gaussian noise[EB/OL].[2017-04-16]. https://eprint.iacr.org/2017/163.pdf. |
[14] | WANG F Q, WANG K P, LI B. An efficient leveled identity-based FHE[C]//NSS 2015:Proceedings of the 9th International Conference on Network and System Security, LNCS 9408. Berlin:Springer, 2015:303-315. |
[15] | 康元基, 顾纯祥, 郑永辉, 等. 利用特征向量构造基于身份的全同态加密体制[J]. 软件学报, 2016, 27(6): 1487-1497. (KANG Y J, GU C X, ZHENG Y H, et al. Identity-based fully homomorphic encryption from eigenvector[J]. Journal of Software, 2016, 27(6): 1487-1497.) |
[16] | 段然, 顾纯祥, 祝跃飞, 等. NTRU格上高效的基于身份的全同态加密体制[J]. 通信学报, 2017, 38(1): 66-75. (DUAN R, GU C X, ZHU Y F, et al. Efficient identity-based fully homomorphic encryption over NTRU[J]. Journal on Communications, 2017, 38(1): 66-75. DOI:10.11959/j.issn.1000-436x.2017008) |
[17] | 戴晓明, 张薇, 郑志恒, 等. 基于容错学习的GSW-型全同态层次型IBE方案[J]. 计算机应用, 2016, 36(7): 1856-1860. (DAI X M, ZHANG W, ZHENG Z H, et al. GSW-type hierarchical identity-based fully homomorphic encryption scheme from learning with errors[J]. Journal of Computer Applications, 2016, 36(7): 1856-1860. DOI:10.11772/j.issn.1001-9081.2016.07.1856) |
[18] | CLEAR M, MCGOLDRICK C. Multi-identity and multi-key leveled FHE from learning with errors[C]//CRYPTO 2015:Proceedings of the 2015 Annual International Cryptology Conference, LNCS 9216. Berlin:Springer, 2015:630-656. |
[19] | PEIKERT C, SHIEHIAN S. Multi-key FHE from LWE, revisited[C]//Proceedings of the 2016 Theory of Cryptography Conference, LNCS 9986. Berlin:Springer, 2016:217-238. |
[20] | BRAKERSKI Z, CASH D, TSABARY R, et al. Targeted homomorphic attribute based encryption[C]//Proceedings of the 2016 Theory of Cryptography Conference, LNCS 9986. Berlin:Springer, 2016:330-360. |
[21] | HIROMASA R, KAWAI Y. Fully dynamic multi target homomorphic attribute-based encryption[EB/OL].[2017-05-19]. https://eprint.iacr.org/2017/373.pdf. |
[22] | PERIKERT C. Public-key cryptosystems from the worst-case shortest vector problem[C]//STOC 2009:Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York:ACM, 2009:333-342. |
[23] | MICCIANCIO D, MOL P. Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions[C]//CRYPTO 2011:Proceedings of the 31st Annual International Cryptology Conference, LNCS 6841. Berlin:Springer, 2011:465-484. |
[24] | MICCIANCIO D, PEIKERT C. Trapdoors for lattices:simpler, tighter, faster, smaller[C]//EUROCRYPT 2012:Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 7237. Berlin:Springer, 2012:700-718. |
[25] | BRAKERSKI Z. Fully homomorphic encryption without modulus switching from classical GapSVP[C]//CRYPTO 2012:Proceedings of the 32nd Annual Cryptology Conference, LNCS 7417. Berlin:Springer, 2012:868-886. |
[26] | BARAK B, DODIS Y, KRAWCZYK H, et al. Leftover hash lemma, rivisted[C]//CRYPTO 2011:Proceedings of the 31st Annual International Cryptology Conference, LNCS 6841. Berlin:Springer, 2011:1-20. |
[27] | LENSTRA A K, JR H W L, LOVÁSZ L. Factoring polynomials with rational coefficients[J]. Mathematische Annalen, 1982, 261(4): 515-534. DOI:10.1007/BF01457454 |