
Verifiable Decryption Scheme Based on MLWE and MSIS

The verifiable decryption technology involved in two-party secure computation can be applied in real-world scenarios with privacy-protection needs, such as medical research data sharing and inter-institutional cooperation on model training, helping to further break down data silos and safeguard data security. However, the existing zero-knowledge proofs constructed for correct decryption of lattice-based or other post-quantum encryption schemes are not efficient. Facing this situation, this paper proposes, for Kyber, a verifiable decryption scheme based on the module learning with errors (MLWE) and module short integer solution (MSIS) problems. First, because of Kyber's encryption and decryption properties, there is a discrepancy when constructing an equality relation from the data held by the prover and by the verifier; the scheme proposes a method that uses error estimation combined with Kyber's compression function so that the prover reveals to the verifier part of the information about its own data, eliminating the discrepancy and yielding an equality relation that can be used for verification. This relation is combined with the framework of the Dilithium signature scheme without public-key compression to construct a non-interactive zero-knowledge proof, turning the verifiable decryption problem into proving a linear relation satisfied by short vectors over the ring. Second, the correctness, security, communication overhead and computational complexity of the scheme are analyzed theoretically, the soundness and zero-knowledge property of the scheme are reduced to the MSIS hardness assumption, and two sets of recommended parameters at different security levels are provided. Finally, the correctness and efficiency of the proposed scheme are tested with a C program. The experimental results are essentially consistent with the theoretical analysis, and compared with existing schemes the proposed scheme has significant advantages in proof size and proof time for a single ciphertext, being more concise and efficient.
Verifiable Decryption Scheme Based on MLWE and MSIS
The verifiable decryption technology involved in two-party secure computing can be applied in real-world scenarios that require privacy protection, such as medical research data sharing and inter-institutional cooperation for model training, which can help further break down the data isolation problem and ensure data security. However, the existing zero-knowledge proofs constructed for correct decryption based on lattice cryptography or other post-quantum encryption schemes are less efficient. Facing this situation, this paper proposes a verifiable decryption scheme based on the module learning with errors (MLWE) and module short integer solution (MSIS) problems for Kyber. Firstly, based on the encryption and decryption properties of Kyber, there is a difference in constructing the equivalence relation using the data held by the prover and the verifier. The scheme proposes a method that uses error estimation combined with the Kyber compression function to enable the prover to provide the verifier with some information about its own data to eliminate the difference, and then provides an equivalence relation that can be used for verification; it combines this relation with the framework of the Dilithium signature scheme without the public-key compression version to construct a non-interactive zero-knowledge proof, which transforms the verifiable decryption problem into proving a linear relation satisfied by short vectors in the ring. Secondly, the correctness, security, communication overhead and computational complexity of the scheme are theoretically analyzed, the soundness and zero-knowledge of the scheme are reduced to the hardness assumption of MSIS, and two groups of suggested parameters with different security levels are provided. Finally, the correctness and efficiency of this scheme are tested by writing a C program. Experimental results are consistent with the theoretical analysis results, and compared with the existing schemes, the scheme in this paper has significant advantages in terms of proof size and proof time for a single ciphertext, which is more concise and efficient.

Verifiable decryption; Lattice-based cryptography; MLWE; MSIS; Zero-knowledge proof

郭春彤、吴文渊


Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences; Chongqing Key Laboratory of Automated Reasoning and Cognition, Chongqing 400714

Chongqing School, University of Chinese Academy of Sciences, Chongqing 400714


Funding: National Key R&D Program of China (2020YFA0712300); Chongqing Science and Technology Innovation Guidance Program Led by Academicians in Chongqing (2022YSZX-JCX0011; CSTBcstc2021yszx-jcyjX0004; CSTB2023YSZX-JCX0008)

2024

Computer Science (计算机科学)
Chongqing Southwest Information Co., Ltd. (formerly Southwest Information Center, Ministry of Science and Technology)

Indexed in: CSTPCD; Peking University Core Journals
Impact factor: 0.944
ISSN: 1002-137X
Year, volume (issue): 2024, 51(5)