Method and apparatus for generating key stream

Abstract
A method for generating a key stream according to an embodiment includes generating r round keys that are each N-dimensional integer vectors including elements of an integer set defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set , generating a first round output vector x1 by performing a modular addition operation on an initial vector and a first round key RK1 of the r round keys with the prime number t as a modulus, and generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set from the first round output vector x1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)

This application claims the benefit under 35 USC § 119(a) of Korean Patent Application No. 10-2021-0052987, filed on Apr. 23, 2021, in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference for all purposes.


BACKGROUND
1. Field

The following description relates to a technology for encryption.


2. Description of Related Art

Homomorphic encryption is an encryption system that enables the analysis of encrypted data without decryption. The biggest problem with current homomorphic encryption is that the size of the encrypted data is very large, and thus the network transmission cost and server storage cost are high. On the other hand, symmetric key encryption enables safe and efficient data transmission/storage since the sizes of the message and the ciphertext are the same, but it has the disadvantage that the encrypted data is not able to be analyzed without decryption.


Therefore, a ciphertext conversion framework capable of combining the advantages of homomorphic encryption and symmetric key encryption has been presented. In this framework, data encrypted using symmetric key encryption is transmitted and stored, and then the symmetric key ciphertext is converted into homomorphic ciphertext when analysis of the data is required. Until now, research to apply bit operation-based symmetric key encryption, such as the advanced encryption standard (AES) algorithm, to the ciphertext conversion as framework is being actively conducted. However, when the bit operation-based symmetric key encryption is combined with a homomorphic encryption that encrypts an integer message by applying the ciphertext conversion framework, there is a problem in that efficiency is reduced.


Therefore, when the ciphertext conversion framework is used in order to obtain an integer homomorphic ciphertext, a suitable modular operation-based symmetric key encryption method is required. However, the modular operation-based symmetric key encryption methods presented so far have a large multiplication depth, and as a consequence, a rebooting technique (bootstrapping) has to be applied when the above-mentioned methods are applied to the ciphertext conversion framework, which may lead to a limitation in actual application since the rebooting technique exhibits a very low efficiency.


SUMMARY

Disclosed embodiments are intended to provide a method and apparatus for generating a key stream for modular operation-based symmetric key encryption.


In one general aspect, there is a method for generating a key stream including generating r round keys (where r is a natural number of r≥3) that are each N-dimensional integer vectors (where N=n2, n is an integer of 2 or more) consisting of elements of an integer set custom character defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set custom character; generating a first round output vector x1 by performing a modular addition operation on an initial vector and a first round key RK1 of the r round keys with the prime number t as a modulus; and generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom character from the first round output vector x1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.


The one or more first round functions may be sequentially performed and may generate each a j+1-th round output vector xj+1 by using a j-th round output vector xj (where j is a natural number for 1≤j≤r−1) and a j+1-th round key RKj+1 of the r round keys, and the second round function may generate the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions and an r-th round key RKr of the r round keys.


Each of the one or more first round functions may include a linear layer for generating a vector yj that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the j-th round output vector xj, a nonlinear layer for generating a vector zj that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a nonlinear transform on the vector yj, and an addition layer for generating the j+1-th round output vector xj+1 by performing a modular addition operation on the vector zj and the j+1-th round key RKj+1 with the prime number t as a modulus.


The linear layer may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom character and a second matrix that is a transposed matrix of the first matrix.


The linear layer may convert the j-th round output vector xj into a matrix Xj of size n×n, generate a matrix Yj of size n×n by performing modular multiplication on the matrix Xj, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix Yj into the vector yj.


The linear layer may generate the matrix Yj using Equation 1 below,

Yj=A·Xj·B(mod t)∈custom character  (Equation 1)


where A is the first matrix and B is the second matrix.


The nonlinear layer may perform the nonlinear transform by using a nonlinear function having an m-th-order polynomial component (where m is a natural number for m≥2).


The second round function may include a first linear layer for generating a vector yr−1 that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the r−1-th round output vector xr−1, a nonlinear layer for generating a vector zr−1 that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a nonlinear transform on the vector yr−1, a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the vector zr−1, and an addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RKr with the prime number t as a modulus.


Each of the first linear layer and the second linear layer may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom character and a second matrix that is a transposed matrix of the first matrix.


The first linear layer may convert the r−1-th round output vector xr−1 into a matrix Xr−1 of size n×n, generate a matrix Yr−1 of size n×n by performing modular multiplication on the matrix Xr−1, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix Yr−1 into the vector yr−1, and the second linear layer may convert the vector zr−1 into a matrix Zr−1 of size n×n, generate a matrix S of size n×n by performing modular multiplication on the matrix Zr−1, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix S into the vector s.


The first linear layer may generate the matrix Yr−1 using Equation 2 below,

Yr−1=A·Xr−1·B(mod t)∈custom character  (Equation 2)


where A is the first matrix and B is the second matrix, and the second linear layer may generate the matrix S using Equation 3 below,

S=A·Zr−1·B(mod t)∈custom character  (Equation 3)


where A is the first matrix and B is the second matrix.


The generating of the round key may include generating a seed bit string based on the random bit string and the encryption counter, generating r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom character from the seed bit string by using a predefined generation function, and generating the r round keys by performing modular multiplication operation on each of the r vectors and the secret key by with the prime number t as a modulus.


The generating of the r round keys may include generating the r round keys using Equation 4 below,

RKi=k∘rci(mod t)  (Equation 4)


where RKi is an i-th round key of the r round keys, k is the secret key, rci is an i-th vector of the r vectors, i is a natural number for 1≤i≤r, and ° is an elementwise product between the two vectors.


In another general aspect, there is an apparatus for generating a key stream, the apparatus including a memory that stores one or more instructions and one or more processors that execute the one or more instructions, in which the one or more processors are configured to generate r round keys (where r is a natural number of r≥3) that are each N-dimensional integer vectors (where N=n2, n is an integer of 2 or more) consisting of elements of an integer set custom character defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set custom character, generate a first round output vector x1 by performing a modular addition operation on an initial vector and a first round key RK1 of the r round keys with the prime number t as a modulus, and generate a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom character from the first round output vector x1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.


The one or more first round functions may be sequentially performed and may generate each a j+1-th round output vector xj+1 by using a j-th round output vector xj (where j is a natural number for 1≤j≤r−1) and a j+1-th round key RKj+1 of the r round keys, and the second round function may generate the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions and an r-th round key RKr of the r round keys.


Each of the one or more first round functions may include a linear layer for generating a vector yj that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the j-th round output vector xj, a nonlinear layer for generating a vector zj that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a nonlinear transform on the vector yj, and an addition layer for generating the j+1-th round output vector xj+1 by performing a modular addition operation on the vector zj and the j+1-th round key RKj+1 with the prime number t as a modulus.


The linear layer may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom character and a second matrix that is a transposed matrix of the first matrix.


The linear layer may convert the j-th round output vector xj into a matrix Xj of size n×n, generate a matrix Yj of size n×n by performing modular multiplication on the matrix Xj, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix Yj into the vector yj.


The linear layer may generate the matrix Yj using Equation 1 below,

Yj=A·Xj·B(mod t)∈custom character  (Equation 1)


where A is the first matrix and B is the second matrix.


The nonlinear layer may perform the nonlinear transform by using a nonlinear function having an m-th-order polynomial component (where m is a natural number for m≥2).


The second round function may include a first linear layer for generating a vector yr−1 that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the r−1-th round output vector xr−1, a nonlinear layer for generating a vector zr−1 that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a nonlinear transform on the vector yr−1, a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the vector zr−1, and an addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RKr with the prime number t as a modulus.


Each of the first linear layer and the second linear layer may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom character and a second matrix that is a transposed matrix of the first matrix.


The first linear layer may convert the r−1-th round output vector xr−1 into a matrix Xr−1 of size n×n, generate a matrix Yr−1 of size n×n by performing modular multiplication on the matrix Xr−1, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix Yr−1 into the vector yr−1, and the second linear layer may convert the vector zr−1 into a matrix Zr−1 of size n×n, generate a matrix S of size n×n by performing modular multiplication on the matrix Zr−1, the first matrix, and the second matrix with the prime number t as a modulus, and convert the matrix S into the vector s.


The first linear layer may generate the matrix Yr−1 using Equation 2 below,

Yr−1=A·Xr−1·B(mod t)∈custom character  (Equation 2)


where A is the first matrix and B is the second matrix, and the second linear layer may generate the matrix S using Equation 3 below,

S=A·Zr−1·B(mod t)∈custom character  (Equation 3)


where A is the first matrix and B is the second matrix.


The one or more processors may be further configured to generate a seed bit string based on the random bit string and the encryption counter, generate r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom character from the seed bit string by using a predefined generation function, and generate the r round keys by performing modular multiplication operation on each of the r vectors and the secret key with the prime number t as a modulus.


The one or more processors may be further configured to generate the r round keys using Equation 4 below,

RKi=k∘rci(mod t)  (Equation 4)


where RKi is an i-th round key of the r round keys, k is the secret key, rci is an i-th vector of the r vectors, i is a natural number for 1≤i≤r, and ∘ is an elementwise product between the two vectors.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram of an apparatus for generating a key stream according to an embodiment.



FIG. 2 is a block diagram for illustrating a process of generating a key stream performed by a key stream generator according to an embodiment.



FIG. 3 is a diagram for illustrating a configuration of a first round function according to an embodiment.



FIG. 4 is a diagram for illustrating a configuration of a second round function according to an embodiment.



FIG. 5 is a flowchart of a method for generating a key stream according to an embodiment.



FIG. 6 is a flowchart showing a process of generating a round key according to an embodiment.



FIG. 7 is a flowchart showing a process of generating a key stream using one or more first round functions and a second round function according to an embodiment.



FIG. 8 is a block diagram for exemplarily illustrating a computing environment including a computing device according to an embodiment.





DETAILED DESCRIPTION

Hereinafter, specific embodiments of the present disclosure will be described with reference to the accompanying drawings. The following detailed description is provided to assist in a comprehensive understanding of the methods, devices and/or systems described herein. However, the detailed description is only for illustrative purposes and the present disclosure is not limited thereto.


In describing the embodiments of the present disclosure, when it is determined that detailed descriptions of known technology related to the present disclosure may unnecessarily obscure the gist of the present disclosure, the detailed descriptions thereof will be omitted. The terms used below are defined in consideration of functions in the present disclosure, but may be changed depending on the customary practice or the intention of a user or operator. Thus, the definitions should be determined based on the overall content of the present specification. The terms used herein are only for describing the embodiments of the present disclosure, and should not be construed as limitative. Unless expressly used otherwise, a singular form includes a plural form. In the present description, the terms “including”, “comprising”, “having”, and the like are used to indicate certain characteristics, numbers, steps, operations, elements, and a portion or combination thereof, but should not be interpreted to preclude one or more other characteristics, numbers, steps, operations, elements, and a portion or combination thereof.



FIG. 1 is a block diagram of an apparatus for generating a key stream according to an embodiment.


Referring to FIG. 1, an apparatus 100 for generating a key stream according to an embodiment includes a round key generator 110 and a key stream generator 120.


According to an embodiment, the apparatus 100 for generating a key stream (key stream generating apparatus) is an apparatus for generating a key stream to be used for symmetric key encryption based on a modular operation.


According to an embodiment, the round key generator 110 and the key stream generator 120 may be implemented using one or more physically separated devices, or may be implemented by one or more hardware processors or a combination of one or more hardware processors and software, and may not be clearly distinguished in specific operations, unlike the illustrated example.


The round key generator 110 generates r round keys (where r is a natural number for r≥3) based on a secret key, a random bit string, and an encryption counter. In this case, the secret key and the r round keys are each N-dimensional integer vectors (where N=n2 and n is an integer of 2 or more) consisting of elements of an integer set custom character defined based on a prime number t.


Specifically, the integer set custom character may be defined as in Equation 1 below

custom character={0,1,2, . . . ,t−1}.  (Equation 1)


In addition, the secret key and the r round keys may be each N-dimensional vectors satisfying Equation 2 below

k∈custom character,RKicustom character.  (Equation 2)


In Equation 2, custom character represents an N-dimensional vector space defined by elements of the integer set custom character, k represents the secret key, and RKi represents the i-th round key (where i is a natural number satisfying 1≤i≤r) of the r round keys, and they will be used to indicate the same meanings hereinafter.


Meanwhile, the prime number t and the number r of round keys to be generated may be set in advance as public parameters for encryption and decryption.


The random bit string means a randomly generated bit string, and the length of the random bit string may be determined based on the security strength required for encryption and decryption.


The encryption counter is a public parameter indicating the number of times encryption has been performed. According to an embodiment, the encryption counter may be a bit string of a preset length that is increased by a preset size whenever a key stream is generated using a secret key k.


According to an embodiment, the round key generator 110 may generate a seed bit string for generating round keys based on the random bit string and the encryption counter. For example, the round key generator 110 may generate a seed bit string by concatenating a random bit string and an encryption counter as shown in Equation 3 below

seed=nc∥ctr∈{0,1}*.  (Equation 3)


In Equation 3, seed represents a seed bit string, nc represents a random bit string, and ctr represents an encryption counter, and they will be used to indicate the same meanings hereinafter.


Meanwhile, according to an embodiment, the round key generator 110 may generate r N-dimensional vectors from the seed bit string using a predefined generation function. In this case, each of the generated r vectors may satisfy Equation 4 below

rcicustom character.  (Equation 4)


In Equation 4, rci represents an i-th vector of r N-dimensional vectors generated by the generation function, and it will be used to indicate the same meanings hereinafter.


Meanwhile, the generation function may be, for example, an extensible output function (XOF) such as a SHA3-based SHAKE-256 function. However, the generation function is not necessarily limited to the above-described example, and according to embodiments, in addition to the above-described hash function, various functions that may have one-way and generate an arbitrary sequence based on an input bit string may be used as the generation function.


Meanwhile, according to an embodiment, after generating rci, the round key generator 110 may generate the i-th round key of r round keys based on the secret key k and rci. Specifically, the round key generator 110 may generate the i-th round key of the r round keys, for example, by performing a modular multiplication operation on the secret keys k and rci with t as a modulus, as shown in Equation 5 below.

RKi=k∘rci(mod t).  (Equation 5)


In Equation 5, the operator “∘” represents an elementwise product (also referred to as a Hadamard product) between two vectors.


The key stream generator 120 generates a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom character by using a plurality of round functions performed based on the r round keys generated by the round key generator 110.


Specifically, FIG. 2 is a block diagram for illustrating a process of generating a key stream performed by the key stream generator 120 according to an embodiment.


Referring to FIG. 2, the key stream generator 120 may generate a key stream by using round key addition 210, one or more first round functions 220 and a second round function 230.


The round key addition 210 refers to an operation of generating a first round output vector by performing a modular addition operation on the initial vector and the first round key of the r round keys with the prime number t as a modulus.


Specifically, the key stream generator 120 may perform the round key addition 210 using, for example, Equation 6 below

x1=x0+RK1(mod t)∈custom character.  (Equation 6)


In Equation 6, x1 represents a first round output vector, x0 represents a preset initial vector, and RK1 represents the first round key, respectively.


The one or more first round functions 220 may be sequentially performed, and the j-th first round function of the one or more first round functions 220 (where j is a natural number satisfying 1≤j≤r−2) may generate a j+1-th round output vector xj+1 by using the j-th round output vector xj and a j+1-th round key RKj+1 of the r round keys.


Meanwhile, the number of the first round functions 220 is not necessarily limited to a specific number, and may be changed according to the required encryption strength.



FIG. 3 is a diagram for illustrating a configuration of the first round function 220 according to an embodiment.


Referring to FIG. 3, the one or more first round functions 220 according to an embodiment may each include a linear layer 221, a nonlinear layer 222, and an addition layer 223.


The linear layer 221 may perform a linear transform on the j-th round output vector xj.


Specifically, when the linear layer 221 is a linear layer included in a first round function performed first (that is, j=1) among the one or more first round functions 220, the j-th round output vector xj input to the linear layer 221 may be the first round output vector generated through the round key addition 210 illustrated in FIG. 2 (that is, xj=x1).


On the other hand, when the linear layer 221 is a linear layer included in a first round function performed second or subsequently (that is, 1<j≤r−2) among the one or more first round functions 220, the j-th round output vector xj input to the layer 221 may be a round output vector generated by the first round function performed immediately before (that is, j−1-th) among the one or more first round functions 220.


Meanwhile, according to an embodiment, the linear layer 221 may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom character and a second matrix that is a transposed matrix of the first matrix.


Specifically, the linear layer 221 may convert the j-th round output vector xj into a matrix Xj of size n×n. For example, when the j-th round output vector xj is a 16-dimensional (that is, N=16) vector as shown in Equation 7 below, the linear layer 221 may convert the j-th round output vector xj into a matrix Xj of size 4×4, as shown in Equation 8 below,

xj={xj,1, . . . ,xj,16}∈custom character  (Equation 7)
and










X
j

=


[




x

j
,
1








x

j
,
4


















x

j
,
13








x

j
,
16





]





t

4
×
4


.






(

Equation


8

)







Then, the linear layer 221 may generate a matrix Yj of size n×n by performing modular multiplication on the converted matrix Xj, the first matrix, and the second matrix with the prime number t as a modulus, and then convert the matrix Yj back into an N-dimensional vector yj and output the vector yj.


Specifically, the matrix Yj may be generated using, for example, Equation 9 below

Yj=A·Xj·B(mod t)∈custom character  (Equation 9)


where the operator [·] represents matrix multiplication, A represents the first matrix, and B represents the second matrix. In this case, the first matrix A and the second matrix B may satisfy Equations 10 and 11 below,

A,B∈custom character  (Equation 10)
and
B=AT.  (Equation 11)


Meanwhile, in an embodiment, when N=16, the matrix A may be predefined as, for example, Equation 12 below.









A
=

[



2


3


1


1




1


2


3


1




1


1


2


3




3


1


1


2



]





(

Equation


12

)







However, the matrix A is not necessarily limited to Equation 12 and may be variously changed depending on embodiments.


Meanwhile, after generating the matrix Yj, the linear layer 221 may convert the matrix Yj into the N-dimensional vector yj consisting of elements of the integer set custom character and output the vector yj (that is, yj custom character).


For example, when N=16 and the matrix Yj is a matrix of size 4×4 as shown in Equation 13, the matrix Yj may be converted into the 16-dimensional vector yj as shown in Equation 14,










Y
j

=


[




y

j
,
1








y

j
,
4


















y

j
,
13








y

j
,
16





]




t

4
×
4







(

Equation


13

)







and

yj={yj,1, . . . ,yj,16}∈custom character.  (Equation 14)


Meanwhile, the nonlinear layer 222 may perform a nonlinear transform on the vector yj generated by the linear layer 221.


Specifically, according to an embodiment, the nonlinear layer 222 may convert the vector yj into an N-dimensional vector zj consisting of elements of the integer set custom character by using a predefined nonlinear function F:custom charactercustom character having an m-th order polynomial component (where m is a natural number m≥2), and output the vector zj (that is, z1 custom character).


For example, when the vector yj is the same as Equation 14 described above, the nonlinear layer 222 may convert the vector yj into the vector z using Equation 15 below

zj={zj,1, . . . ,zj,16}={F(yj,1), . . . ,F(yj,16)}∈custom character.  (Equation 15)


As a more specific example, when the nonlinear function F is a polynomial F(x)=x2 having a quadratic (that is, m=2) polynomial component, the vector zj generated by the nonlinear layer 222 is as Equation 16 below

zj={zj,1, . . . ,zj,16}={yj,12, . . . ,yj,162}∈custom character.  (Equation 16)


Meanwhile, the addition layer 223 may generate the j+1-th round output vector xj+1 by performing a modular addition operation on the vector zj generated by the nonlinear layer 222 and the j+1-th round key RKj+1 of the z round keys with the prime number t as a modulus.


Specifically, the addition layer 223 may generate the j+1-th round output vector xj+1 by using, for example, Equation 17 below

xj+1=zj+RKj+1(mod t)∈custom character.  (Equation 17)


Referring back to FIG. 2, the second round function 230 may generate the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions 220 and an r-th round key RKr of the r round keys.


Specifically, FIG. 4 is a diagram for illustrating the configuration of the second round function 230 according to an embodiment.


Referring to FIG. 4, the second round function 230 according to an embodiment may include a first linear layer 231, a nonlinear layer 232, a second linear layer 233, and an addition layer 234.


The first linear layer 231 may generate a vector yr−1 that is an N-dimensional integer vector consisting of elements of the integer set custom character by performing a linear transform on the r−1-th round output vector xr−1 generated by the first round function performed last among the one or more first round functions 220.


According to an embodiment, the first linear layer 231 may perform a linear transform by using the first matrix A and the second matrix B.


Specifically, the first linear layer 231 may convert the r−1-th round output vector xr−1 into the matrix Xr−1 of size n×n. For example, when the output vector xr−1 is a 16-dimensional (that is, N=16) vector as shown in Equation 18 below, the first linear layer 231 may convert the r−1-th round output vector xr−1 into the matrix Xr−1 of size 4×4, as shown in Equation 19 below,

xr−1={xr−1,1, . . . ,xr−1,16}∈custom character  (Equation 18)
and










X

r
-
1


=


[




x


r
-
1

,
1








x


r
-
1

,
4


















x


r
-
1

,
13








x


r
-
1

,
16





]





t

4
×
4


.






(

Equation


19

)







Then, the first linear layer 231 may generate a matrix Yr−1 of size n×n by performing modular multiplication on the converted matrix Xr−1, the first matrix A, and the second matrix B with the prime number t as a modulus.


Specifically, the matrix Yr−1 may be generated using, for example, Equation 20 below

Yr−1=A·Xr−1·B(mod t)∈custom character.  (Equation 20)


Meanwhile, after generating the matrix Yr−1, the first linear layer 231 may convert the matrix Yr−1 into the N-dimensional vector yjr−1, consisting of elements of the integer set custom character, and output the vector yjr−1 (that is, yr−1 custom character).


For example, when N=16 and the matrix Yr−1 is a matrix of size 4×4 as shown in Equation 21, the matrix Yr−1 may be converted into the 16-dimensional vector yr−1 as shown in Equation 22,










Y

r
-
1


=


[




y


r
-
1

,
1








y


r
-
1

,
4


















y


r
-
1

,
13








y


r
-
1

,
16





]




t

4
×
4







(

Equation


21

)







and

yr−1={yr−1,1, . . . ,tr−1,16}∈custom character.  (Equation 22)


The nonlinear layer 232 may perform a nonlinear transform on the vector yr−1 generated by the first linear layer 231. In this case, according to an embodiment, the nonlinear transform by the nonlinear layer 232 may be performed in the same manner as the nonlinear transform performed by the nonlinear layer 222 included in the first round function 220.


Specifically, according to an embodiment, the nonlinear layer 232 may convert the vector yr−1 into an N-dimensional vector zr−1 consisting of elements of the integer set custom character by using a predefined nonlinear function F:custom charactercustom character having an m-th order polynomial component of, and output the vector zr−1 (that is, zj custom character).


For example, when the vector yr−1 is the same as Equation 22 described above, the nonlinear layer 232 may convert the vector yr−1 into the vector zr−1 using Equation 23 below

zr−1={zr−1,1, . . . ,zr−1,16}={F(yr−1,1), . . . ,F(yr−1,16)}∈custom character.  (Equation23)


Meanwhile, the second linear layer 233 performs the same operation as the first linear layer 231 except that the input vector is a vector generated by the nonlinear layer 232.


Specifically, the second linear layer 233 may convert the vector zr−1 generated by the nonlinear layer 232 into a matrix Zr−1 of size n×n. For example, when the vector zr−1 generated by the nonlinear layer 232 is a 16 dimensional (that is, N=16) vector as in Equation 23 described above, the second linear layer 233 may convert the vector zr−1 into the matrix Zr−1 of size 4×4 as shown in Equation 24 below.










Z

r
-
1


=


[




Z


r
-
1

,
1








Z


r
-
1

,
4


















Z


r
-
1

,
13








Z


r
-
1

,
16





]




t

4
×
4







(

Equation


24

)







Then, the second linear layer 233 may generate a matrix S of size n×n by performing modular multiplication on the converted matrix Zr−1, the first matrix A, and the second matrix B with the prime number t as a modulus.


Specifically, the matrix S may be generated using, for example, Equation 25 below

S=A·Zr−1·B(mod t)∈custom character.  (Equation 25)


Meanwhile, after generating the matrix S, the second linear layer 233 may convert the matrix S into an N-dimensional vectors consisting of elements of the integer set custom character, and output the vector s (that is, s ∈custom character).


For example, when N=16 and the matrix S is a matrix of size 4×4 as shown in Equation 26, the matrix S may be converted into the 16-dimensional vector s as shown in Equation 27,









S
=


[




S
1







S
4

















S
13







S
16




]




t

4
×
4







(

Equation


26

)







and

s={s1, . . . ,s16}∈custom character.  (Equation 27)


Meanwhile, the addition layer 234 may generate a key stream ks by performing a modular addition operation on the vector s generated by the second linear layer 233 and the last (that is, the r-th) round key RKr of the z round keys with the prime number t as a modulus.


Specifically, the addition layer 234 may generate the key stream ks using, for example, Equation 28 below

ks=s+RKr(mod t)∈custom character.  (Equation 28)


Meanwhile, encryption using the key stream ks may be performed through a modular addition operation on a message M to be encrypted and the key stream ks with the prime number t as a modulus, as shown in Equation 29 below

C=M−ks(mod t).  (Equation 29)


In Equation 29, the message M to be encrypted may be an N-dimensional vector consisting of elements of an integer set custom character (that is, M ∈custom character).


In addition, the message M encrypted using the key stream ks may be decrypted by performing a modulo subtraction operation on a ciphertext C and the key stream ks with the prime number t as a modulus, as shown in Equation 30 below

M=C−ks(mod t).  (Equation 30)



FIG. 5 is a flowchart of a method for generating a key stream according to an embodiment.


The method illustrated in FIG. 5 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.


Referring to FIG. 5, first, the key stream generating apparatus 100 generates r round keys based on the secret key k, the random bit string nc, and the encryption counter ctr (510).


Then, the key stream generating apparatus 100 generates a first round output vector x1 by performing a modular addition operation on the first round key RK1 of the r round keys and the initial vector with the prime number t as a modulus (520).


Then, the key stream generating apparatus 100 generates a key stream from the first round output vector x1 by using the second to r-th round keys of the r round keys, one or more first round functions 220, and a second round function 230 (530).


Meanwhile, in the flowchart illustrated in FIG. 5, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.



FIG. 6 is a flowchart showing a process of generating a round key according to an embodiment.


The process illustrated in FIG. 6 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.


Referring to FIG. 6, first, the key stream generating apparatus 100 generates a seed bit string based on the random bit string nc and the encryption counter ctr (610).


Then, the key stream generating apparatus 100 generates r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom character from the seed bit string by using a predefined generation function (620).


Then, the key stream generating apparatus 100 generates r round keys by performing modular multiplication operation on each of the r vectors and the secret key k with the prime number t as a modulus (630).


Meanwhile, in the flowchart illustrated in FIG. 6, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.



FIG. 7 is a flowchart showing a process of generating a key stream using one or more first round functions and a second round function according to an embodiment.


The method illustrated in FIG. 7 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.


Referring to FIG. 7, first, the key stream generating apparatus 100 sets an index value j, which indicates the number of times the first round function 220 is performed, to an initial value of 1 (710).


Then, the key stream generating apparatus 100 generates the j+1-th round output vector xj+1 from the j-th round output vector xj by using the j-th first round function of one or more first round functions 220 (720).


Then, the key stream generating apparatus 100 determines whether j=r−2 (730).


At this time, when j≠r−2, the key stream generating apparatus 100 increases j by 1 (740) and then the process returns to step 720.


On the other hand, when j=r−2, the key stream generating apparatus 100 generates the key stream ks from the r−1-th round output vector xr−1 generated by an r−2-th first round function of the one or more first round functions 220 by using the second round function 230 (750).


Meanwhile, in the flowchart illustrated in FIG. 7, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.



FIG. 8 is a block diagram for exemplarily illustrating a computing environment including a computing device according to an embodiment. In the illustrated embodiment, each component may have different functions and capabilities in addition to those described below, and additional components may be included in addition to those described below.


The illustrated computing environment 110 includes a computing device 12. In an embodiment, the computing device 12 may be one or more components included in the key stream data generating apparatus 100 illustrated in FIG. 1.


The computing device 12 includes at least one processor 14, a computer-readable storage medium 16, and a communication bus 18. The processor 14 may cause the computing device 12 to operate according to the above-described exemplary embodiments. For example, the processor 14 may execute one or more programs stored in the computer-readable storage medium 16. The one or more programs may include one or more computer-executable instructions, which may be configured to cause, when executed by the processor 14, the computing device 12 to perform operations according to the exemplary embodiments.


The computer-readable storage medium 16 is configured to store computer-executable instructions or program codes, program data, and/or other suitable forms of information. A program 20 stored in the computer-readable storage medium 16 includes a set of instructions executable by the processor 14. In an embodiment, the computer-readable storage medium 16 may be a memory (a volatile memory such as a random access memory, a non-volatile memory, or any suitable combination thereof), one or more magnetic disk storage devices, optical disc storage devices, flash memory devices, other types of storage media that are accessible by the computing device 12 and may store desired information, or any suitable combination thereof.


The communication bus 18 interconnects various other components of the computing device 12, including the processor 14 and the computer-readable storage medium 16.


The computing device 12 may also include one or more input/output interfaces 22 that provide an interface for one or more input/output devices 24, and one or more network communication interfaces 26. The input/output interface 22 and the network communication interface 26 are connected to the communication bus 18. The input/output device 24 may be connected to other components of the computing device 12 via the input/output interface 22. The exemplary input/output device 24 may include a pointing device (a mouse, a trackpad, or the like), a keyboard, a touch input device (a touch pad, a touch screen, or the like), a voice or sound input device, input devices such as various types of sensor devices and/or imaging devices, and/or output devices such as a display device, a printer, a speaker, and/or a network card. The exemplary input/output device 24 may be included inside the computing device 12 as a component constituting the computing device 12, or may be connected to the computing device 12 as a separate device distinct from the computing device 12.


According to the disclosed embodiments, it is possible to achieve highly efficient modular operation-based encryption without the need to apply an additional rebooting technique during homomorphic ciphertext conversion using the ciphertext conversion framework.


Although the present disclosure has been described in detail through the representative embodiments as above, those skilled in the art will understand that various modifications may be made thereto without departing from the scope of the present invention. Therefore, the scope of rights of the present disclosure should not be limited to the described embodiments, but should be defined not only by the claims set forth below but also by equivalents of the claims.

Claims
  • 1. A processor-implemented method for generating a key stream, the method comprising: receiving a message;generating r round keys, where r is a natural number of r≥3, that are each N-dimensional integer vectors, where N=n2, n is an integer of 2 or more, consisting of elements of an integer set defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set ;generating a first round output vector x1 by performing a modular addition operation on an initial vector and a first round key RK1 of the r round keys with the prime number t as a modulus;generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set from the first round output vector x1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function;encrypting the message through the key stream and the prime number t as the modulus; andtransmitting the encrypted message.
  • 2. The method of claim 1, wherein the one or more first round functions are sequentially performed, and generate each a j+1-th round output vector xj+1 by using a j-th round output vector xj, where j is a natural number for 1≥j≥r−1, and a j+1-th round key RKj+1 of the r round keys; and the second round function generates the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions and an r-th round key RKr of the r round keys.
  • 3. The method of claim 2, wherein each of the one or more first round functions comprises: a linear layer for generating a vector yj that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the j-th round output vector xj;a nonlinear layer for generating a vector zj that is an N-dimensional integer vector consisting of elements of the integer set t by performing a nonlinear transform on the vector yj; andan addition layer for generating the j+1-th round output vector xj+1 by performing a modular addition operation on the vector zj and the j+1-th round key RKj+1 with the prime number t as a modulus.
  • 4. The method of claim 3, wherein the linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set t and a second matrix that is a transposed matrix of the first matrix.
  • 5. The method of claim 4, wherein the linear layer converts the j-th round output vector xj into a matrix Xj of size n×n, generates a matrix Yj of size n×n by performing modular multiplication on the matrix Xj, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Yj into the vector yj.
  • 6. The method of claim 5, wherein the linear layer generates the matrix Yj using Equation 1:
  • 7. The method of claim 3, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≤2.
  • 8. The method of claim 2, wherein the second round function comprises: a first linear layer for generating a vector yr−1 that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the r−1-th round output vector xr−1;a nonlinear layer for generating a vector zr−1 that is an N-dimensional integer vector consisting of elements of the integer set t by performing a nonlinear transform on the vector yr−1;a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the vector zr−1; andan addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RKr with the prime number t as a modulus.
  • 9. The method of claim 8, wherein each of the first linear layer and the second linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set t and a second matrix that is a transposed matrix of the first matrix.
  • 10. The method of claim 9, wherein the first linear layer converts the r−1-th round output vector xr−1 into a matrix Xr−1 of size n×n, generates a matrix Yr−1 of size n×n by performing modular multiplication on the matrix Xr−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Yr−1 into the vector yr−1; and the second linear layer converts the vector zr−1 into a matrix Zr−1 of size n×n, generates a matrix S of size n×n by performing modular multiplication on the matrix Zr−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix S into the vector s.
  • 11. The method of claim 10, wherein the first linear layer generates the matrix Yr−1 using Equation 2:
  • 12. The method of claim 8, wherein the nonlinear layer performs a nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≥2.
  • 13. The method of claim 1, wherein the generating of the round key comprises: generating a seed bit string based on the random bit string and the encryption counter;generating r vectors that are each N-dimensional integer vectors consisting of elements of the integer set t from the seed bit string by using a predefined generation function; andgenerating the r round keys by performing modular multiplication operation on each of the r vectors and the secret key with the prime number t as a modulus.
  • 14. The method of claim 13, wherein the generating of the r round keys comprises generating the r round keys using Equation 4: RKi=k20rci(mod t)  [Equation 4]where RKi is an i-th round key of the r round keys, k is the secret key, rci is an i-th vector of the r vectors, i is a natural number for 1≤1≤r, and ∘ is an elementwise product between two vectors.
  • 15. An apparatus for generating a key stream, the apparatus comprising: one or more processors configured to execute instructions; anda memory storing the instructions, wherein the execution of the instructions by the one or more processors configures the one or more processors to: receive a message;generate r round keys (where r is a natural number of r≥3) that are each N-dimensional integer vectors (where N=n2, n is an integer of 2 or more) consisting of elements of an integer set t defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set t;generate a first round output vector x1 by performing a modular addition operation on an initial vector and a first round key RK1 of the r round keys with the prime number t as a modulus;generate a key stream that is an N-dimensional integer vector consisting of elements of the integer set t, from the first round output vector x1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function;encrypt the message through the key stream and the prime number t as the modulus; andtransmit the encrypted message.
  • 16. The apparatus of claim 15, wherein the one or more first round functions are sequentially performed, and generate each a j+1-th round output vector xj+1 by using a j-th round output vector xj, where j is a natural number for 1≤1≤r−1, and a j+1-th round key RKj+1 of the r round keys; and the second round function generates the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions and an r-th round key RKr of the r round keys.
  • 17. The apparatus of claim 16, wherein each of the one or more first round functions comprises: a linear layer for generating a vector yj that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the j-th round output vector xj;a nonlinear layer for generating a vector zj that is an N-dimensional integer vector consisting of elements of the integer set t by performing a nonlinear transform on the vector yj; andan addition layer for generating the j+1-th round output vector xj+1 by performing a modular addition operation on the vector zj and the j+1-th round key RKj+1 with the prime number t as a modulus.
  • 18. The apparatus of claim 17, wherein the linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set t and a second matrix that is a transposed matrix of the first matrix.
  • 19. The apparatus of claim 18, wherein the linear layer converts the j-th round output vector xj into a matrix Xj of size n×n, generates a matrix Yj of size n×n by performing modular multiplication on the matrix Xj, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Yj into the vector yj.
  • 20. The apparatus of claim 19, wherein the linear layer generates the matrix Yj using Equation 1:
  • 21. The apparatus of claim 17, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≥2.
  • 22. The apparatus of claim 16, wherein the second round function comprises: a first linear layer for generating a vector yr−1 that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the r−1-th round output vector xr−1;a nonlinear layer for generating a vector zr−1 that is an N-dimensional integer vector consisting of elements of the integer set t by performing a nonlinear transform on the vector yr−1;a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set t by performing a linear transform on the vector zr−1; andan addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RKr with the prime number t as a modulus.
  • 23. The apparatus of claim 22, wherein each of the first linear layer and the second linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set t and a second matrix that is a transposed matrix of the first matrix.
  • 24. The apparatus of claim 23, wherein the first linear layer converts the r−1-th round output vector xr−1 into a matrix Xr−1 of size n×n, generates a matrix Yr−1 of size n×n by performing modular multiplication on the matrix Xr−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Yr−1 into the vector yr−1; and the second linear layer converts the vector zr−1 into a matrix Zr−1 of size n×n, generates a matrix S of size n×n by performing modular multiplication on the matrix Zr−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix S into the vector s.
  • 25. The apparatus of claim 24, wherein the first linear layer generates the matrix Yr−1 using Equation 2:
  • 26. The apparatus of claim 22, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component (where m is a natural number for m≥2).
  • 27. The apparatus of claim 15, wherein the one or more processors are further configured to: generate a seed bit string based on the random bit string and the encryption counter;generate r vectors that are each N-dimensional integer vectors consisting of elements of the integer set t from the seed bit string by using a predefined generation function; andgenerate the r round keys by performing modular multiplication operation on each of the r vectors and the secret key with the prime number t as a modulus.
  • 28. The apparatus of claim 27, wherein the one or more processors are further configured to generate the r round keys using Equation 4: RKi=k∘rci(mod t)  [Equation 4]where RKi is an i-th round key of the r round keys, k is the secret key, rci is an i-th vector of the r vectors, i is a natural number for 1≤1≤r, and ∘ is an elementwise product between the two vectors.
Priority Claims (1)
Number Date Country Kind
10-2021-0052987 Apr 2021 KR national
US Referenced Citations (9)
Number Name Date Kind
8565435 Gentry Oct 2013 B2
20060023875 Graunke Feb 2006 A1
20120307997 Endo Dec 2012 A1
20150023497 Millendorf Jan 2015 A1
20190229889 Kounavis Jul 2019 A1
20200044822 Kotha Feb 2020 A1
20200250318 Al Belooshi Aug 2020 A1
20210328765 Lee Oct 2021 A1
20210391976 Sirdey Dec 2021 A1
Non-Patent Literature Citations (5)
Entry
Wikipedia contributors. (Sep. 9, 2020). Benaloh cryptosystem. In Wikipedia, The Free Encyclopedia. Retrieved Dec. 14, 2023, from https://en.wikipedia.org/w/index.php?title=Benaloh_cryptosystem&oldid=977527848 (Year: 2020).
Wikipedia contributors. (Apr. 16, 2020). Paillier cryptosystem. In Wikipedia, The Free Encyclopedia. Dec. 14, 2023, from https://en.wikipedia.org/w/index.php?title=Paillier_cryptosystem&oldid=951355124 (Year: 2020).
Wikipedia contributors. (Jan. 31, 2021). Damgård-Jurik cryptosystem. In Wikipedia, The Free Encyclopedia. Retrieved Dec. 14, 2023, from https://en.wikipedia.org/w/index.php?title=Damg%C3%A5rd%E2%80%93Jurik_cryptosystem&oldid=1004013163 (Year: 2021).
Kristin Lauter et al., “Can Homomorphic Encryption be Practical?”, ACM CCSW, pp. 113-124, 2011.
Jean-Claude Bajard et al., “A full RNS variant of FV like somewhat homomorphic encryption schemes.”, International Conference on Selected Areas in Cryptography. Springer, Cham, 2016.
Related Publications (1)
Number Date Country
20220368518 A1 Nov 2022 US