Embodiments of the present invention relate to communications technologies, and in particular, to a method and an apparatus for public-key encrypted communication.
In communications technologies, to ensure secrecy of communication between two communication individuals, data needs to be encrypted using a key at a transmit end and decrypted using a key at a receive end. If the key used for encryption and the key used for decryption are the same, the encryption is referred to as symmetric key encryption; if the two keys are different, the encryption is referred to as asymmetric key encryption, which is also referred to as public key encryption. The public key encryption manner has two important principles: First, it is required that an encrypted ciphertext must be secure on the premise that an encryption algorithm and a public key are both made public; second, it is required that calculation or processing for both data encryption at the transmit end and data decryption at the receive end by using a private key should be simple but deciphering should be difficult for other persons not having the private key. With development of computer networks, requirements on information confidentiality become increasingly high, and a public key cryptographic algorithm has demonstrated irreplaceable advantages over a symmetric key encryption algorithm.
An existing secure communication method based on a public key system uses a public key system number theory research unit (NTRU). The NTRU is a cryptographic system based on a polynomial ring. A specific algorithm is as follows: using a public key and a private key respectively for encryption and decryption, where the public key and the private key are calculated according to system parameters N, p, and q and two randomly selected polynomials f and g. Such a method suffers from low security.
Embodiments of the present invention provide a method and an apparatus for public-key encrypted communication, so as to achieve a public-key encrypted communication manner with higher security.
A first aspect of the embodiments of the present invention provides a method for public-key encrypted communication, including:
encrypting, by a first device, random information according to a first public key to obtain a first ciphertext; encrypting, by the first device, plaintext information according to a second public key to obtain a second ciphertext, where the plaintext information is unencrypted data to be sent by the first device to a second device, the first public key is represented in a form of a polynomial, the first public key is obtained through calculation on a truncated polynomial ring according to system parameters, the second public key is represented in a form of a polynomial, the second public key is randomly selected on a truncated polynomial ring, and the random information is randomly selected on a truncated polynomial ring; and
sending, by the first device, the first ciphertext and the second ciphertext to the second device.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the random information includes a first random polynomial and a second random polynomial, and the encrypting, by a first device, random information according to a first public key to obtain a first ciphertext specifically includes:
calculating, by the first device, on a first truncated polynomial ring modulo a first system parameter according to the first public key, the first random polynomial, and the second random polynomial, to obtain the first ciphertext.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the plaintext information is represented as a polynomial on a second truncated polynomial ring modulo a second system parameter, and the encrypting, by the first device, plaintext information according to a second public key to obtain a second ciphertext specifically includes:
calculating, by the first device, on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information, to obtain the second ciphertext.
With reference to the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the calculating, by the first device, on a first truncated polynomial ring modulo a first system parameter according to the first public key, the first random polynomial, and the second random polynomial, to obtain the first ciphertext specifically includes:
calculating on the first truncated polynomial ring according to c1=r1h1+r2 to obtain the first ciphertext, where h1 is the first public key, r1 is the first random polynomial, r2 is the second random polynomial, the first truncated polynomial ring is Zq
With reference to the second possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the calculating, by the first device, on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information, to obtain the second ciphertext specifically includes:
calculating on the second truncated polynomial ring according to c2=r1h2+r2+M to obtain the second ciphertext, where h2 is the second public key, r1 is the first random polynomial, r2 is the second random polynomial, the second truncated polynomial ring is Zq
With reference to any one of the second to third possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the first public key is obtained through calculation on the first truncated polynomial ring modulo the first system parameter according to the first system parameter, a third random polynomial, and a fourth random polynomial, the third random polynomial has an inverse element on both the first truncated polynomial ring modulo the first system parameter and a third truncated polynomial ring modulo a third system parameter, and the fourth random polynomial has an inverse element on the first truncated polynomial ring modulo the first system parameter.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the first public key is obtained through calculation on the first truncated polynomial ring according to h1=pfq
With reference to the second possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the second public key is randomly selected on the second truncated polynomial ring, and the second truncated polynomial ring is Zq
A second aspect of the embodiments of the present invention provides a method for public-key encrypted communication, including:
receiving, by a second device, a first ciphertext and a second ciphertext that are sent by a first device;
calculating, by the second device, according to a first private key, a second private key, and the first ciphertext to obtain a second random polynomial, and obtaining a first random polynomial according to a third private key, where the first private key is represented in a form of a polynomial, the first private key is randomly selected on a truncated polynomial ring, the second private key is represented in a form of a polynomial, the second private key is an inverse element of the first private key on the truncated polynomial ring, the third private key is represented in a form of a polynomial, and the third private key is obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring; and
obtaining, by the second device, plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key, where the plaintext information is unencrypted data to be sent by the first device to the second device, the second public key is represented in a form of a polynomial, and the second public key is randomly selected on a truncated polynomial ring.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the calculating, by the second device, according to a first private key, a second private key, and the first ciphertext to obtain a second random polynomial specifically includes:
calculating, by the second device, on a first truncated polynomial ring modulo a first system parameter according to the first ciphertext and the first private key to obtain a procedure parameter; and
obtaining, by the second device, the second random polynomial on a third truncated polynomial ring modulo a third system parameter according to the procedure parameter and the second private key.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the obtaining a first random polynomial according to a third private key specifically includes:
calculating, by the second device, on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the obtaining, by the second device, plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key specifically includes:
calculating, by the second device, on a second truncated polynomial ring modulo a second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information.
With reference to the first possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the calculating, by the second device, on a first truncated polynomial ring modulo a first system parameter according to the first ciphertext and the first private key to obtain a procedure parameter specifically includes:
calculating, by the second device, on the first truncated polynomial ring modulo the first system parameter according to s=fc1 to obtain the procedure parameter, where f is the first private key, and c1 is the first ciphertext.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the obtaining, by the second device, the second random polynomial on a third truncated polynomial ring modulo a third system parameter according to the procedure parameter and the second private key specifically includes:
calculating, by the second device, on the third truncated polynomial ring modulo the third system parameter according to s_p = s (mod p) and r2 = s_p·f_p^(−1) to obtain the second random polynomial, where p is the third system parameter, f_p^(−1) is the second private key, s is the procedure parameter, and the third truncated polynomial ring is Z_p[X]/(X^N − 1).
With reference to the fourth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the calculating, by the second device, on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial specifically includes:
calculating on the first truncated polynomial ring according to s_p = s (mod p) and r1 = (s − s_p)·G to obtain the first random polynomial, where s is the procedure parameter, q1 is the first system parameter, p is the third system parameter, G is the third private key, and the first truncated polynomial ring is Zq
With reference to the third possible implementation manner of the second aspect, in a seventh possible implementation manner of the second aspect, the calculating, by the second device, on a second truncated polynomial ring modulo a second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information specifically includes:
calculating on the second truncated polynomial ring according to M=c2−r1h2−r2 to obtain the plaintext information, where c2 is the second ciphertext, r1 is the first random polynomial, r2 is the second random polynomial, and h2 is the second public key.
With reference to the second possible implementation manner of the second aspect, in an eighth possible implementation manner of the second aspect, the first private key is a third random polynomial, the second private key is an inverse element of the third random polynomial on the third truncated polynomial ring modulo the third system parameter, and the third private key is obtained through calculation according to an inverse element of the third system parameter and an inverse element of a fourth random polynomial on the first truncated polynomial ring modulo the first system parameter.
With reference to the eighth possible implementation manner of the second aspect, in a ninth possible implementation manner of the second aspect, the third private key is obtained through calculation on the first truncated polynomial modulo the first system parameter according to G=p−1gq
A third aspect of the embodiments of the present invention provides an apparatus for public-key encrypted communication, including:
an encryption unit, configured to perform encryption according to a first public key and random information to obtain a first ciphertext; and further configured to encrypt plaintext information according to a second public key to obtain a second ciphertext, where the plaintext information is unencrypted data to be sent by the first device to a second device, the first public key is represented in a form of a polynomial, the first public key is obtained through calculation on a truncated polynomial ring according to system parameters, the second public key is represented in a form of a polynomial, the second public key is randomly selected on a truncated polynomial ring, and the random information is randomly selected on a truncated polynomial ring; and
a transceiver unit, configured to send the first ciphertext and the second ciphertext to the second device.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the random information includes a first random polynomial and a second random polynomial, and the encryption unit is specifically configured to:
calculate on a first truncated polynomial ring modulo a first system parameter according to the first public key, the first random polynomial, and the second random polynomial to obtain the first ciphertext.
With reference to the first possible implementation manner of the third aspect, in a second possible implementation manner of the third aspect, the plaintext information is represented as a polynomial on a second truncated polynomial ring modulo a second system parameter, and the encryption unit is further specifically configured to:
calculate on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information to obtain the second ciphertext.
With reference to the first possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the encryption unit is configured to calculate on the first truncated polynomial ring modulo the first system parameter according to the first public key, the first random polynomial, and the second random polynomial to obtain the first ciphertext, and is specifically configured to:
calculate on the first truncated polynomial ring according to c1=r1h1+r2 to obtain the first ciphertext, where h1 is the first public key, r1 is the first random polynomial, r2 is the second random polynomial, the first truncated polynomial ring is Zq
With reference to the second possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, the encryption unit is configured to calculate on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information to obtain the second ciphertext, and is specifically configured to:
calculate on the second truncated polynomial ring according to c2=r1h2+r2+M to obtain the second ciphertext, where h2 is the second public key, r1 is the first random polynomial, r2 is the second random polynomial, the second truncated polynomial ring is Zq
With reference to any one of the second to third possible implementation manners of the third aspect, in a fifth possible implementation manner of the third aspect, the first public key is obtained through calculation on the first truncated polynomial ring modulo the first system parameter according to the first system parameter, a third random polynomial, and a fourth random polynomial, the third random polynomial has an inverse element on both the first truncated polynomial ring modulo the first system parameter and a third truncated polynomial ring modulo a third system parameter, and the fourth random polynomial has an inverse element on the first truncated polynomial ring modulo the first system parameter.
With reference to the fifth possible implementation manner of the third aspect, in a sixth possible implementation manner of the third aspect, the first public key is obtained through calculation on the first truncated polynomial ring according to h1=pfq
With reference to the second possible implementation manner of the third aspect, in a seventh possible implementation manner of the third aspect, the second public key is randomly selected on the second truncated polynomial ring, and the second truncated polynomial ring is Zq
A fourth aspect of the embodiments of the present invention provides an apparatus for public-key encrypted communication, including:
a transceiver unit, configured to receive a first ciphertext and a second ciphertext that are sent by a first device; and
a decryption unit, configured to calculate according to a first private key, a second private key, and the first ciphertext to obtain a second random polynomial, and obtain a first random polynomial according to a third private key, where the first private key is represented in a form of a polynomial, the first private key is randomly selected on a truncated polynomial ring, the second private key is represented in a form of a polynomial, the second private key is an inverse element of the first private key on the truncated polynomial ring, the third private key is represented in a form of a polynomial, and the third private key is obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring, where
the decryption unit is further configured to obtain plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key, where the plaintext information is unencrypted data to be sent by the first device to the second device, the second public key is represented in a form of a polynomial, and the second public key is randomly selected on a truncated polynomial ring.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the decryption unit is specifically configured to:
calculate on a first truncated polynomial ring modulo a first system parameter according to the first ciphertext and the first private key to obtain a procedure parameter; and
obtain the second random polynomial on a third truncated polynomial ring modulo a third system parameter according to the procedure parameter and the second private key.
With reference to the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, the decryption unit is further specifically configured to:
calculate on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial.
With reference to the second possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, the decryption unit is further specifically configured to:
calculate on a second truncated polynomial ring modulo a second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information.
With reference to the first possible implementation manner of the fourth aspect, in a fourth possible implementation manner of the fourth aspect, the decryption unit calculates on the first truncated polynomial ring modulo the first system parameter according to the first ciphertext and the first private key to obtain the procedure parameter, and is specifically configured to:
calculate on the first truncated polynomial ring modulo the first system parameter according to s=fc1 to obtain the procedure parameter, where f is the first private key, and c1 is the first ciphertext.
With reference to the fourth possible implementation manner of the fourth aspect, in a fifth possible implementation manner of the fourth aspect, the decryption unit obtains the second random polynomial on the third truncated polynomial ring modulo the third system parameter according to the procedure parameter and the second private key, and is specifically configured to:
calculate on the third truncated polynomial ring modulo the third system parameter according to s_p = s (mod p) and r2 = s_p·f_p^(−1) to obtain the second random polynomial, where p is the third system parameter, f_p^(−1) is the second private key, s is the procedure parameter, and the third truncated polynomial ring is Z_p[X]/(X^N − 1).
With reference to the fourth possible implementation manner of the fourth aspect, in a sixth possible implementation manner of the fourth aspect, the decryption unit calculates on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial, and is specifically configured to:
calculate on the first truncated polynomial ring according to s_p = s (mod p) and r1 = (s − s_p)·G to obtain the first random polynomial, where s is the procedure parameter, q1 is the first system parameter, p is the third system parameter, G is the third private key, and the first truncated polynomial ring is Zq
With reference to the third possible implementation manner of the fourth aspect, in a seventh possible implementation manner of the fourth aspect, the decryption unit calculates on the second truncated polynomial ring modulo the second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information, and is specifically configured to:
calculate on the second truncated polynomial ring according to M=c2−r1h2−r2 to obtain the plaintext information, where c2 is the second ciphertext, r1 is the first random polynomial, r2 is the second random polynomial, and h2 is the second public key.
With reference to the second possible implementation manner of the fourth aspect, in an eighth possible implementation manner of the fourth aspect, the first private key is a third random polynomial, the second private key is an inverse element of the third random polynomial on the third truncated polynomial ring modulo the third system parameter, and the third private key is obtained through calculation according to an inverse element of the third system parameter and an inverse element of a fourth random polynomial on the first truncated polynomial ring modulo the first system parameter.
With reference to the eighth possible implementation manner of the fourth aspect, in a ninth possible implementation manner of the fourth aspect, the third private key is obtained through calculation on the first truncated polynomial modulo the first system parameter according to G = p^(−1)·g_q1^(−1), where p^(−1) is an inverse element of the third system parameter modulo the first system parameter, q1 is the first system parameter, gq
According to the public-key encrypted communication manner in the embodiments of the present invention, a first device encrypts random information according to a first public key to obtain a first ciphertext, and encrypts plaintext information according to a second public key to obtain a second ciphertext, where the plaintext information is unencrypted data to be sent by the first device to a second device, the first public key is represented in a form of a polynomial, the first public key is obtained through calculation on a truncated polynomial ring according to system parameters, the second public key is represented in a form of a polynomial, the second public key is randomly selected on a truncated polynomial ring, and the random information is randomly selected on a truncated polynomial ring; and the first device sends the first ciphertext and the second ciphertext to the second device. This is equivalent to using random information as a shared key, encrypting the random information, and then using a public key and the random information to encrypt plaintext information, thereby achieving a public-key encrypted communication manner with higher security.
To describe the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments or the prior art. Apparently, the accompanying drawings in the following description show some embodiments of the present invention, and persons of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the following clearly describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are some but not all of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.
S101: A first device encrypts random information according to a first public key to obtain a first ciphertext; and the first device encrypts plaintext information according to a second public key to obtain a second ciphertext, where the plaintext information is unencrypted data to be sent by the first device to a second device, the first public key is represented in a form of a polynomial, the first public key is obtained through calculation on a truncated polynomial ring according to system parameters, the second public key is represented in a form of a polynomial, the second public key is randomly selected on a truncated polynomial ring, and the random information is randomly selected on a truncated polynomial ring.
S102: The first device sends the first ciphertext and the second ciphertext to the second device.
In various implementation manners of the method for public-key encrypted communication provided in the present invention, devices at a transmit end and a receive end for public key communication may be respectively referred to as a first device and a second device, and unencrypted data to be sent by the first device to the second device during public key communication may be referred to as plaintext information. The first public key and the second public key may be generated by a key generation device for the public key communication. The key generation device may be the second device or another trusted third-party device. Before sending encrypted data to the second device, the first device acquires, from the key generation device, the first public key and the second public key that are required for encrypted communication with the second device, that is, a public key certificate of the second device. The key generation device also generates a first private key, a second private key, and a third private key, which are paired with the first public key and the second public key. Information about the public keys is stored in a public key certificate issued by a public key infrastructure (Public Key Infrastructure, PKI for short).
The first public key may be represented in a form of a polynomial. The first public key may be calculated on a truncated polynomial ring according to system parameters.
System parameters refer to a group of parameters preset by the key generation device, the first device at the transmit end, and the second device at the receive end based on consideration of security and calculation efficiency in a process of public key communication. A truncated polynomial ring refers to a set of univariate (N−1)th-degree polynomials whose coefficients are integers. The truncated polynomial ring used to calculate the first public key may be determined according to the system parameters used in this public key communication.
The second public key may be represented in a form of a polynomial. The second public key is randomly selected on a truncated polynomial ring.
The truncated polynomial ring used to select the second public key may be determined according to the system parameters used in this public key communication. The random information may be randomly selected on a truncated polynomial ring by the first device according to requirements on security and encryption efficiency, that is, the random information may be any univariate polynomial. Coefficients of the univariate polynomial may constitute a vector, and a norm value of the vector of the coefficients is inversely proportional to encryption efficiency. Therefore, the first device may preferably use a univariate polynomial whose vector of coefficients has the smallest norm as the random information.
The first ciphertext obtained by the first device by using the first public key to encrypt the random information and the second ciphertext obtained by the first device by encrypting the plaintext information according to the second public key and the random information are a pair of polynomials.
That the first device encrypts the random information according to the first public key to obtain the first ciphertext is analogous to two communication parties first negotiating a shared key and inserting the shared key into a type of one-way trapdoor function, so as to implement probabilistic encryption. According to the encryption manner for obtaining the first ciphertext, the random information is carried. The random information is equivalent to the shared key of the two communication parties. That the first device encrypts the plaintext information according to the second public key to obtain the second ciphertext is analogous to using a shared key to implement one-time pad encryption. The second ciphertext carries the plaintext information. According to the encryption manner for obtaining the second ciphertext, the plaintext information is not leaked. It can be proved by using a mathematical method that the public key communication method in the present invention has higher security than an NTRU algorithm in the prior art. A security assessment method may be described as follows: In a particular attack mode, an attacker randomly selects two plaintexts m1 and m2, and by means of a cryptographic algorithm, a plaintext mb is randomly selected from the two plaintexts and encrypted into a ciphertext c, where b is 1 or 2. If the attacker can determine whether b=1 or b=2 according to c with a non-negligible probability, which is equivalent to the attacker correctly guessing which plaintext is encrypted into the ciphertext c, the attacker successfully breaks semantic security of the encryption algorithm.
The foregoing method is used to verify security of the encryption manner in the present invention; because in the present invention, encryption is performed twice by constructing two polynomial-based one-way trapdoor functions, the probability that an attacker breaks semantic security of the algorithm is negligible, while the probability that semantic security of the NTRU encryption algorithm in the prior art is broken is non-negligible. Therefore, it can be proved by using a mathematical method that the present invention has higher security compared with the prior art.
According to the public-key encrypted communication manner in this embodiment of the present invention, a first device encrypts random information according to a first public key to obtain a first ciphertext, and encrypts plaintext information according to a second public key to obtain a second ciphertext, where the plaintext information is unencrypted data to be sent by the first device to a second device, the first public key is represented in a form of a polynomial, the first public key is obtained through calculation on a truncated polynomial ring according to system parameters, the second public key is represented in a form of a polynomial, the second public key is randomly selected on a truncated polynomial ring, and the random information is randomly selected on a truncated polynomial ring; and the first device sends the first ciphertext and the second ciphertext to the second device. This is equivalent to using random information as a shared key, encrypting the random information, and then using a public key and the random information to encrypt plaintext information, thereby achieving a public-key encrypted communication manner with higher security.
Optionally, Embodiment 1 of the method shown in
the random information in S101 may include a first random polynomial and a second random polynomial.
Correspondingly, the encrypting, by a first device, random information according to a first public key to obtain a first ciphertext in S101 may specifically include:
S101-1: The first device calculates on a first truncated polynomial ring modulo a first system parameter according to the first public key, the first random polynomial, and the second random polynomial to obtain the first ciphertext.
The plaintext information in S101 may be represented as a polynomial on a second truncated polynomial ring modulo a second system parameter.
Correspondingly, the encrypting, by the first device, plaintext information according to a second public key to obtain a second ciphertext in S101 may specifically include:
S101-2: The first device calculates on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information to obtain the second ciphertext.
The first public key in S101-1 may be obtained through calculation on the first truncated polynomial ring by the key generation device according to the first system parameter, a third random polynomial, and a fourth random polynomial. The third random polynomial and the fourth random polynomial may be randomly selected by the key generation device. A value range of the third random polynomial should satisfy that the third random polynomial has an inverse element on both the first truncated polynomial ring modulo the first system parameter and a third truncated polynomial ring modulo a third system parameter, and a value range of the fourth random polynomial is a polynomial having an inverse element on the first truncated polynomial ring.
The second public key in S101-2 may be randomly selected by the key generation device, and a value range of the second public key is any polynomial on the second truncated polynomial ring.
For example, the first public key may be obtained through calculation on the first truncated polynomial ring according to h1=pfq
The first ciphertext in S101-1 may be obtained through calculation on the first truncated polynomial ring according to c1=r1h1+r2, where h1 is the first public key, r1 is the first random polynomial, r2 is the second random polynomial, the first truncated polynomial ring is Zq
The second ciphertext in S101-2 may be obtained through calculation on the second truncated polynomial ring according to c2=r1h2+r2+M, where h2 is the second public key, r1 is the first random polynomial, r2 is the second random polynomial, the second truncated polynomial ring is Zq
In the foregoing implementation manner, the first system parameter in S101-1, the second system parameter in S101-2, and a fourth system parameter N may all be preset by the key generation device according to requirements on security and key generation performance. Optionally, for security of the highest level, 503 may be selected as the fourth system parameter N. Preferably, the first system parameter and the second system parameter are two odd primes, and the second system parameter is equal to the first system parameter plus 2, that is, q2=q1+2. For example, q1 is 239, and q2 is 241; or q1 is 269, and q2 is 271.
It should be noted that a truncated polynomial ring refers to a set of univariate (N−1)th-degree polynomials whose coefficients are integers, and can be generally represented as Z[X]/(X^N−1); the first truncated polynomial ring Zq
Further, to reduce the quantity of calculations, for the modulo operation of the present invention, only modulo operation results within an absolute minimum complete residue system are used. For example, operation results within the absolute minimum complete residue system of a natural number modulo 3 are −1, 0, and 1 instead of 0, 1, and 2. Correspondingly, when the first random polynomial and the second random polynomial are selected, a polynomial whose coefficients are +1, −1, or 0 may be selected on the truncated polynomial ring Z[X]/(X^N−1), where the quantity of terms whose coefficient is +1 is about N/3, the quantity of terms whose coefficient is −1 is about N/3−1, and the coefficients of the rest of the terms are 0.
In this embodiment, the first device sends the first ciphertext and the second ciphertext to the second device, so that the second device performs decryption according to the first ciphertext and the second ciphertext as well as the first private key, the second private key, and the third private key that correspond to the first public key and the second public key to obtain the plaintext information. This is equivalent to using random information as a shared key, encrypting the random information, and then using a public key and the random information to encrypt plaintext information, thereby achieving a public-key encrypted communication manner with higher security. In addition, compared with other encryption manners whose security can be proved, the encryption method of the present invention has some improvements in aspects of encryption speed, decryption speed, and ciphertext expansion ratio.
S201: A second device receives a first ciphertext and a second ciphertext that are sent by a first device.
S202: The second device calculates according to a first private key, a second private key, a first system parameter, and the first ciphertext to obtain a second random polynomial, and obtains a first random polynomial according to a third private key, where the first private key is represented in a form of a polynomial, the first private key is randomly selected on a truncated polynomial ring, the second private key is represented in a form of a polynomial, the second private key is an inverse element of the first private key on the truncated polynomial ring, the third private key is represented in a form of a polynomial, and the third private key is obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring.
S203: The second device obtains plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key, where the plaintext information is unencrypted data to be sent by the first device to the second device, the second public key is represented in a form of a polynomial, and the second public key is randomly selected on a truncated polynomial ring.
The first ciphertext and the second ciphertext that are sent by the first device and received by the second device are encrypted data, and the first ciphertext and the second ciphertext may be a pair of polynomials.
The first private key may be represented in a form of a polynomial, and the first private key may be randomly selected on a truncated polynomial ring; the second private key may be represented in a form of a polynomial, and the second private key may be an inverse element of the first private key on the truncated polynomial ring; the third private key may be represented in a form of a polynomial, and the third private key may be obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring.
System parameters refer to a group of parameters preset by a key generation device, the first device at the transmit end, and the second device at the receive end based on consideration of security and calculation efficiency in a process of public key communication. A truncated polynomial ring refers to a set of univariate (N−1)th-degree polynomials whose coefficients are integers.
The truncated polynomial ring used to select the first private key, the truncated polynomial ring used to select the second private key, and the truncated polynomial ring used to select the third private key may be separately determined according to the system parameters used in this public key communication. Before receiving encrypted data sent by the first device, the second device acquires, from the key generation device for public key communication, private key information and public key information that are required for decryption. The key generation device may be the second device or another trusted third-party device. The first private key, the second private key, the third private key, and the second public key may be generated by the key generation device for public key communication. The first private key, the second private key, and the third private key that are generated by the key generation device match the first public key and the second public key.
The process in which the second device calculates according to the first private key, the second private key, the first system parameter, and the first ciphertext to obtain the second random polynomial and obtains the first random polynomial according to the third private key is similar to that two communications parties negotiate a shared key, obtain the second random polynomial corresponding to a one-way trapdoor function through decryption according to the first private key, the second private key, and the first ciphertext, and obtain the first random polynomial through decryption according to the third private key, which is equivalent to acquiring the shared key of the two communications parties from the first ciphertext. The one-way trapdoor function is used by the first device during data encryption, and the system parameter is the same as a system parameter used by the first device during data encryption.
Therefore, the second device can calculate according to the one-way trapdoor function used by the first device in the encryption process, the first private key, the second private key, the first system parameter, the third private key, and the first ciphertext to obtain the second random polynomial and the first random polynomial. The second device can calculate according to the one-way trapdoor function used by the first device in the encryption process, the first random polynomial, the second random polynomial, the second public key, and the second ciphertext to obtain the plaintext information.
Security of the method shown in this embodiment of the present invention is the same as that of the method shown in
Optionally, Embodiment 2 of the method shown in
The calculating, by the second device, according to a first private key, a second private key, and the first ciphertext in S202 to obtain a second random polynomial may specifically include:
S202-1: The second device calculates on a first truncated polynomial ring modulo a first system parameter according to the first ciphertext and the first private key to obtain a procedure parameter.
S202-2: The second device obtains the second random polynomial on a third truncated polynomial ring modulo a third system parameter according to the procedure parameter and the second private key.
The obtaining a first random polynomial according to a third private key in S202 may specifically include:
S202-3: The second device calculates on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial.
The obtaining, by the second device, plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key in S203 may specifically include:
S203-1: The second device calculates on a second truncated polynomial ring modulo a second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information.
The first private key is a third random polynomial, the second private key is an inverse element of the third random polynomial on the third truncated polynomial ring modulo the third system parameter, and the third private key is obtained through calculation according to an inverse element of the third system parameter and an inverse element of a fourth random polynomial on the first truncated polynomial ring modulo the first system parameter.
The third random polynomial and the fourth random polynomial are randomly selected by the key generation device. A value range of the third random polynomial is a polynomial having an inverse element on both the first truncated polynomial ring and the third truncated polynomial ring modulo the third system parameter, and a value range of the fourth random polynomial is a polynomial having an inverse element on the first truncated polynomial ring modulo the first system parameter.
It should be noted that the foregoing system parameters, the truncated polynomial rings corresponding to the system parameters, and requirements on results of modulo operations are the same as those in Embodiment 1, and the details are not described herein again.
For example, the procedure parameter in S202-1 may be obtained through calculation on the first truncated polynomial ring modulo the first system parameter according to s=fc1, where s is the procedure parameter, f is the first private key, and c1 is the first ciphertext.
The second random polynomial in S202-2 may be obtained through calculation on the third truncated polynomial ring modulo the third system parameter according to sp=s(mod p) and r2=spfp−1, where r2 is the second random polynomial, p is the third system parameter, fp−1 is the second private key, s is the procedure parameter, and the third truncated polynomial ring is Z_p[X]/(X^N−1).
The first random polynomial in S202-3 may be obtained through calculation on the first truncated polynomial ring according to sp=s(mod p) and r1=(s−sp)G, where s is the procedure parameter, q1 is the first system parameter, p is the third system parameter, G is the third private key, and the first truncated polynomial ring is Zq
The third private key may be obtained through calculation on the first truncated polynomial ring modulo the first system parameter according to G=p−1gq
The plaintext information in S203-1 may be obtained through calculation on the second truncated polynomial ring according to M=c2−r1h2−r2, where c2 is the second ciphertext, r1 is the first random polynomial, r2 is the second random polynomial, h2 is the second public key, and q2 is the second system parameter.
In this embodiment, the second device receives a first ciphertext and a second ciphertext that are sent by a first device, and calculates according to a first private key, a second private key, a first system parameter, a third private key, and the first ciphertext to obtain a second random polynomial and a first random polynomial, and then obtains plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and a second public key. This achieves a public-key encrypted communication manner whose security can be proved. In addition, compared with other encryption manners whose security can be proved, the encryption method of this application has some improvements in aspects of encryption speed, decryption speed, and ciphertext expansion ratio.
The following describes in further detail the technical solutions of the method embodiments shown in
S301: A first device performs encryption according to a first public key and random information to obtain a first ciphertext; and the first device encrypts plaintext information according to a second public key to obtain a second ciphertext.
The plaintext information is unencrypted data to be sent by the first device to a second device, and the random information is randomly selected on a truncated polynomial ring.
The first public key and the second public key are generated by a key generation device, and the key generation device may be the second device or another trusted third-party device. The first public key is represented in a form of a polynomial, and the first public key is obtained through calculation on a truncated polynomial ring according to system parameters. The second public key is represented in a form of a polynomial, and the second public key is randomly selected on a truncated polynomial ring.
Optionally, the first random polynomial may be represented as a polynomial on a second truncated polynomial ring modulo a second system parameter.
S302: The first device sends the first ciphertext and the second ciphertext to the second device.
S303: The second device calculates according to a first private key, a second private key, a first system parameter, and the first ciphertext to obtain a second random polynomial, and obtains a first random polynomial according to a third private key.
The first private key, the second private key, and the third private key are generated by a key generation device, and the key generation device may be the second device or another trusted third-party device. The first private key may be represented in a form of a polynomial, and the first private key may be randomly selected on a truncated polynomial ring; the second private key may be represented in a form of a polynomial, and the second private key may be an inverse element of the first private key on the truncated polynomial ring; the third private key may be represented in a form of a polynomial, and the third private key may be obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring.
S304: The second device obtains the plaintext information according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key.
Further, before step 301, the method further includes:
S300: The key generation device calculates the first public key, the second public key, the first private key, the second private key, and the third private key according to the first system parameter, a second system parameter, a third system parameter, and a fourth system parameter.
The first public key may be represented in a form of a polynomial, and the first public key is obtained through calculation on a truncated polynomial ring according to system parameters; the second public key is represented in a form of a polynomial, and the second public key is randomly selected on a truncated polynomial ring;
the first private key is represented in a form of a polynomial, the first private key is randomly selected on a truncated polynomial ring, the second private key is represented in a form of a polynomial, the second private key is an inverse element of the first private key on the truncated polynomial ring, the third private key is represented in a form of a polynomial, and the third private key is obtained through calculation according to an inverse element of a system parameter and a polynomial having an inverse element on a truncated polynomial ring.
Optionally, the first device may search for the public keys of the second device by using a PKI.
This embodiment has the same technical solution and technical effect as those of the methods for public-key encrypted communication shown in
In this embodiment, the first device sends the first ciphertext and the second ciphertext to the second device, and the second device performs decryption according to the first ciphertext and the second ciphertext as well as the first private key, the second private key, and the third private key that correspond to the first public key and the second public key to obtain the plaintext information, thereby achieving a public-key encrypted communication manner whose security can be proved.
S401: Determine system parameters q1, q2, p, and N.
q1 is the first system parameter, q2 is the second system parameter, p is the third system parameter, N is the fourth system parameter, and the system parameters are set according to security and encryption performance. Among the system parameters q1, q2, p, and N determined in S401, q1 and q2 may preferably be two odd primes, and q2=q1+2. For example, q1 may be 239, and q2 may be 241; or q1 may be 269, and q2 may be 271. In addition, for security of the highest level, N may preferably be 503.
S402: Determine a first truncated polynomial ring Zq
The first truncated polynomial ring is a set of truncated polynomials modulo q1, the second truncated polynomial ring is a set of truncated polynomials modulo q2, and the third truncated polynomial ring is a set of truncated polynomials modulo p.
S403: Determine a value range Lf of a third random polynomial f and a value range Lg of a fourth random polynomial g.
The value range may be set according to requirements on security and encryption performance. For example, in order to achieve higher security of a private key, when the polynomial f is selected, a polynomial whose coefficients are +1, −1, or 0 may be selected on the truncated polynomial ring Z[X]/(X^N−1), where the quantity of terms whose coefficient is +1 is about N/3, the quantity of terms whose coefficient is −1 is about N/3−1, and the coefficients of the rest of the terms are 0.
S404: Randomly select a third random polynomial f∈Lf and a fourth random polynomial g∈Lg, where f has inverse elements fp−1 and fq
The third random polynomial f is a first private key, and fp−1 is a second private key.
S405: Calculate a first public key h1=pfq
S406: Calculate an inverse element p−1 of p modulo q1.
S407: Calculate a third private key G=p−1gq
S408: Randomly select a second public key h2 on the second truncated polynomial ring.
After step 408, the key generation device publishes q1, q2, p, and N, where h1 and h2 are public keys of the second device.
This embodiment has the same technical solution and technical effect as those of the methods for public-key encrypted communication shown in
S501: Determine a first truncated polynomial ring Zq
q1 is the first system parameter, q2 is the second system parameter, p is the third system parameter, N is the fourth system parameter, and the system parameters q1, q2, p, and N may be obtained by using the method shown in
S502: Determine a value range Lr
The value range may be set according to requirements on security and encryption performance.
S503: Calculate a first ciphertext c1=r1h1+r2 on the first truncated polynomial ring Zq
h1 is a first public key, and h1 may be obtained by using the method shown in
S504: Use a polynomial on the second truncated polynomial ring Zq
S505: Calculate a second ciphertext c2=r1h2+r2+M on the second truncated polynomial ring Zq
h2 is a second public key, and the system parameter h2 may be obtained by using the method shown in
S506: Obtain a ciphertext c = (c1, c2) corresponding to the plaintext information M.
This embodiment has the same technical solution and technical effect as those of the methods for public-key encrypted communication shown in
S601: Determine a first truncated polynomial ring Zq
q1 is the first system parameter, q2 is the second system parameter, p is the third system parameter, N is the fourth system parameter, and the system parameters q1, q2, p, and N may be obtained by using the method shown in
S602: Calculate a procedure parameter s=fc1 on the first truncated polynomial ring, and calculate a remainder sp=s(mod p) of the procedure parameter modulo p.
f is the first private key, c1 is the first ciphertext, and f and c1 may be obtained by using the method shown in
S603: Calculate a second random polynomial r2=spfp−1 on the third truncated polynomial ring.
fp−1 is the second private key, and fp−1 may be obtained by using the method shown in
S604: Calculate a first random polynomial r1=(s−sp)G on the first truncated polynomial ring.
G is the third private key, and G may be obtained by using the method shown in
S605: Calculate plaintext information M=c2−r1h2−r2 on the second truncated polynomial ring.
h2 is the second public key, c2 is the second ciphertext, and h2 and c2 may be obtained by using the method shown in
This embodiment has the same technical solution and technical effect as those of the methods for public-key encrypted communication shown in
Optionally, an embodiment of the present invention further provides an optional implementation manner, which is different from the methods shown in
S405-1: Calculate a first public key h1=fq
fq−1 is an inverse element of the third random polynomial f on the first truncated polynomial ring modulo the first system parameter, g is the fourth random polynomial, q1 is the first system parameter, and the first truncated polynomial ring is Zq
Correspondingly, step S503 in the method shown in
S503: Calculate a first ciphertext c1=r1h1+r2 on the first truncated polynomial ring Zq
h1 is a first public key, and h1 may be obtained by using the method shown in step S405-1.
Other steps of the technical solution of this embodiment are the same as those of the method for public-key encrypted communication shown in
Moreover, in some scenarios in which resources are limited, the encryption manner provided in the present invention can still provide higher security. Compared with other existing encryption manners whose security can be proved, the encryption method of the present invention has some advantages in aspects of encryption speed, decryption speed, and ciphertext expansion ratio. A specific comparison is as follows:
The encryption speed of the method for public-key encrypted communication in the present invention is higher than that of the NTRU algorithm. For ease of comparison between the quantities of calculations required for encryption work by the present invention and the NTRU algorithm, it is assumed that a to-be-encrypted plaintext has a length of N·log2(p)·log2(q2) bits. In the present invention, a plaintext having a length of N·log2(q2) bits can be encrypted each time; therefore, encryption needs to be performed log2(p) times. In the present invention, during each encryption, c1=r1h1+r2 needs to be obtained through calculation first on the truncated polynomial ring Zq
In addition, the decryption speed of the method for public-key encrypted communication in the present invention is higher than that of the NTRU algorithm. For ease of comparison between the quantities of calculations required for decryption work by the present invention and the NTRU algorithm, it is assumed that plaintext information corresponding to a to-be-decrypted ciphertext has a length of N·log2(p)·log2(q2) bits. The present invention requires log2(p) decryptions, and each decryption requires two multiplication operations s=fc1 and r1=(s−sp)G on the ring Zq
In addition, the method for public-key encrypted communication in the present invention has a smaller ciphertext expansion ratio than that of the NTRU algorithm. If the length of a plaintext to be encrypted in the present invention is represented as N·log2(q2) bits, the ciphertexts c1 and c2 obtained after encryption have lengths of N·log2(q1) bits and N·log2(q2) bits respectively, and the ciphertext expansion ratio of the present invention is N·(log2(q1)+log2(q2)) : N·log2(q2) < 2:1. If the length of a plaintext in the NTRU is represented as N·log2(p) bits, a ciphertext obtained after encryption has a length of N·log2(q) bits, and the ciphertext expansion ratio of the NTRU is N·log2(q) : N·log2(p) = log_p(q) : 1. In cases in which the parameters are set to p=3 and q=128, 256, and 512, the ciphertext expansion ratios are about 4.42:1, 5.05:1, and 5.68:1 respectively. Therefore, compared with the NTRU, the present invention has a smaller ciphertext expansion ratio.
Optionally, the random information includes a first random polynomial and a second random polynomial, and the encryption unit 11 is specifically configured to:
calculate on a first truncated polynomial ring modulo a first system parameter according to the first public key, the first random polynomial, and the second random polynomial to obtain the first ciphertext.
Correspondingly, the plaintext information is represented as a polynomial on a second truncated polynomial ring modulo a second system parameter, and the encryption unit 11 is further specifically configured to:
calculate on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information to obtain the second ciphertext.
The first public key is obtained through calculation on the first truncated polynomial ring modulo the first system parameter according to the first system parameter, a third random polynomial, and a fourth random polynomial, the third random polynomial has an inverse element on both the first truncated polynomial ring modulo the first system parameter and a third truncated polynomial ring modulo a third system parameter, and the fourth random polynomial has an inverse element on the first truncated polynomial ring modulo the first system parameter. The second public key is randomly selected on the second truncated polynomial ring.
Further, the encryption unit 11 is configured to calculate on the first truncated polynomial ring modulo the first system parameter according to the first public key, the first random polynomial, and the second random polynomial to obtain the first ciphertext, and is specifically configured to:
calculate on the first truncated polynomial ring according to c1=r1h1+r2 to obtain the first ciphertext, where h1 is the first public key, r1 is the first random polynomial, r2 is the second random polynomial, the first truncated polynomial ring is Zq
The encryption unit 11 is configured to calculate on the second truncated polynomial ring modulo the second system parameter according to the second public key, the first random polynomial, the second random polynomial, and the plaintext information to obtain the second ciphertext, and is specifically configured to:
calculate on the second truncated polynomial ring according to c2=r1h2+r2+M to obtain the second ciphertext, where h2 is the second public key, r1 is the first random polynomial, r2 is the second random polynomial, the second truncated polynomial ring is Zq
The first public key is obtained through calculation on the first truncated polynomial ring according to h1=pfq
The apparatus in this embodiment may be configured to execute the technical solutions of the method embodiments shown in
Optionally, the decryption unit 12 is specifically configured to:
calculate on a first truncated polynomial ring modulo a first system parameter according to the first ciphertext and the first private key to obtain a procedure parameter; and
obtain the second random polynomial on a third truncated polynomial ring modulo a third system parameter according to the procedure parameter and the second private key.
The decryption unit 12 is further specifically configured to:
calculate on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial.
The decryption unit 12 is further specifically configured to:
calculate on a second truncated polynomial ring modulo a second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information.
The first private key is the third random polynomial $f$; the second private key is the inverse element $f_p^{-1}$ of $f$ on the third truncated polynomial ring modulo the third system parameter $p$; and the third private key $G$ is obtained through calculation according to the inverse element of the third system parameter and the inverse element of the fourth random polynomial $g$ on the first truncated polynomial ring modulo the first system parameter, that is, $G = p^{-1} g^{-1}$ on $\mathbb{Z}_{q_1}[X]/(X^N-1)$.
For example, the decryption unit 12 calculates on the first truncated polynomial ring modulo the first system parameter according to the first ciphertext and the first private key to obtain the procedure parameter, and may be specifically configured to:
calculate on the first truncated polynomial ring modulo the first system parameter according to $s = f c_1$ to obtain the procedure parameter, where $f$ is the first private key and $c_1$ is the first ciphertext.
In addition, the decryption unit 12 obtains the second random polynomial on the third truncated polynomial ring modulo the third system parameter according to the procedure parameter and the second private key, and may be specifically configured to:
calculate on the third truncated polynomial ring modulo the third system parameter according to $s_p = s \bmod p$ and $r_2 = s_p f_p^{-1}$ to obtain the second random polynomial, where $p$ is the third system parameter, $f_p^{-1}$ is the second private key, $s$ is the procedure parameter, and the third truncated polynomial ring is $\mathbb{Z}_p[X]/(X^N-1)$.
Correspondingly, the decryption unit 12 calculates on the first truncated polynomial ring modulo the first system parameter according to the procedure parameter and the third private key to obtain the first random polynomial, and may be specifically configured to:
calculate on the first truncated polynomial ring according to $s_p = s \bmod p$ and $r_1 = (s - s_p) G$ to obtain the first random polynomial, where $s$ is the procedure parameter, $q_1$ is the first system parameter, $p$ is the third system parameter, $G$ is the third private key, and the first truncated polynomial ring is $\mathbb{Z}_{q_1}[X]/(X^N-1)$.
Then the decryption unit 12 calculates on the second truncated polynomial ring modulo the second system parameter according to the first random polynomial, the second random polynomial, the second ciphertext, and the second public key to obtain the plaintext information, and may be specifically configured to:
calculate on the second truncated polynomial ring according to $M = c_2 - r_1 h_2 - r_2$ to obtain the plaintext information, where $c_2$ is the second ciphertext, $r_1$ is the first random polynomial, $r_2$ is the second random polynomial, and $h_2$ is the second public key.
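The key generation, encryption and decryption formulas of units 11 and 12, carried through end to end as an added worked example in Python. This is illustration code written for this page, not the patent's embodiment or any product implementation. Because the page's own formulas are truncated, it assumes $h_1 = p f_{q_1}^{-1} g$ and $G = p^{-1} g^{-1}$ on $\mathbb{Z}_{q_1}[X]/(X^N-1)$, writes $q_2$ for the second system parameter, and samples $f$, $g$, $r_1$, $r_2$ as sparse ternary polynomials; the parameters, the sample message and the seeded random source are constructed for illustration and give no security.

```python
"""Added worked example of the two-ring scheme described above; not the patent's or any product's code.
Assumed, because the page's formulas are truncated: h1 = p*f^{-1}*g and G = p^{-1}*g^{-1} on
Z_q1[X]/(X^N-1), and a second modulus q2 for the second ring.  Toy parameters: no real security."""
import random

N, P, Q1, Q2 = 11, 7, 97, 127   # ring degree N; third, first and second system parameters (primes coprime to N)
WEIGHT = (2, 1)                 # every sampled polynomial has two +1 and one -1 coefficient (weight 3)
ONE = [1] + [0] * (N - 1)

def center(a, m):
    """Coefficients reduced mod m into the symmetric range [-(m-1)/2, (m-1)/2] (m odd)."""
    h = m // 2
    return [((c + h) % m) - h for c in a]

def mul(a, b, m):
    """Product in Z_m[X]/(X^N - 1): cyclic convolution with coefficients reduced mod m."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % m
    return out

def add(a, b, m): return [(x + y) % m for x, y in zip(a, b)]
def sub(a, b, m): return [(x - y) % m for x, y in zip(a, b)]

def ring_pow(a, e, m):
    """Square-and-multiply exponentiation in Z_m[X]/(X^N - 1)."""
    result, base = ONE[:], [c % m for c in a]
    while e:
        if e & 1:
            result = mul(result, base, m)
        base, e = mul(base, base, m), e >> 1
    return result

def inverse(a, m):
    """Inverse element of a in Z_m[X]/(X^N - 1), or None if a has none.
    For prime m coprime to N the ring is a product of fields GF(m^d_i) with every d_i dividing
    d = ord_N(m), so every unit u satisfies u^(m^d - 1) = 1 and u^(m^d - 2) is its inverse;
    a non-unit is detected because its candidate inverse does not multiply back to 1."""
    d = next(k for k in range(1, N) if pow(m, k, N) == 1)
    inv = ring_pow(a, m ** d - 2, m)
    return inv if mul(a, inv, m) == ONE else None

def ternary(rng, plus, minus):
    """Sparse random polynomial with `plus` coefficients +1 and `minus` coefficients -1."""
    poly, idx = [0] * N, rng.sample(range(N), plus + minus)
    for n, i in enumerate(idx):
        poly[i] = 1 if n < plus else -1
    return poly

def decryption_guaranteed(w=sum(WEIGHT)):
    """Sufficient condition assumed by this example: with all sampled polynomials of weight w,
    |coef(f*r2)| <= w and |coef(p*r1*g + f*r2)| <= P*w + w, so the two centered reductions
    in decrypt() return the exact integer polynomials and r1, r2, M are recovered."""
    return w <= (P - 1) // 2 and P * w + w <= (Q1 - 1) // 2

def keygen(rng):
    """Public keys (h1, h2) and private keys (f, f_p^{-1}, G) as described for units 11 and 12."""
    while True:                                  # third random polynomial f: invertible mod q1 and mod p
        f = ternary(rng, *WEIGHT)
        f_q, f_p = inverse(f, Q1), inverse(f, P)
        if f_q and f_p:
            break
    while True:                                  # fourth random polynomial g: invertible mod q1
        g = ternary(rng, *WEIGHT)
        g_q = inverse(g, Q1)
        if g_q:
            break
    h1 = [(P * c) % Q1 for c in mul(f_q, g, Q1)]        # h1 = p * f_q1^{-1} * g   (assumed form)
    h2 = [rng.randrange(Q2) for _ in range(N)]           # h2: random element of the second ring
    G = [(pow(P, -1, Q1) * c) % Q1 for c in g_q]        # G = p^{-1} * g^{-1} mod q1 (assumed form)
    return (h1, h2), (f, f_p, G)

def encrypt(pub, M, r1, r2):
    """First ciphertext on the first ring, second ciphertext carrying M on the second ring."""
    h1, h2 = pub
    c1 = add(mul(r1, h1, Q1), r2, Q1)                    # c1 = r1*h1 + r2       on Z_q1[X]/(X^N-1)
    c2 = add(add(mul(r1, h2, Q2), r2, Q2), M, Q2)        # c2 = r1*h2 + r2 + M   on Z_q2[X]/(X^N-1)
    return c1, c2

def decrypt(priv, h2, ct):
    """Recover r2, then r1, then M, in the order the decryption unit does; returns (M, r1, r2)."""
    f, f_p, G = priv
    c1, c2 = ct
    s = center(mul(f, c1, Q1), Q1)              # s = f*c1 = p*r1*g + f*r2, exact if no wrap mod q1
    sp = center(s, P)                           # sp = s (mod p) = f*r2, exact if |coef(f*r2)| < p/2
    r2 = center(mul(sp, f_p, P), P)             # r2 = sp * f_p^{-1}        on Z_p[X]/(X^N-1)
    r1 = center(mul(sub(s, sp, Q1), G, Q1), Q1)   # r1 = (s - sp) * G = (p*r1*g) * p^{-1}*g^{-1}
    M = sub(sub(c2, mul(r1, h2, Q2), Q2), r2, Q2)   # M = c2 - r1*h2 - r2   on Z_q2[X]/(X^N-1)
    return M, r1, r2

def roundtrip(seed=7, text="hello world"):
    """Encrypt an N-character ASCII message (one code point per coefficient) and decrypt it;
    returns (decrypted text, r1 recovered?, r2 recovered?)."""
    assert len(text) == N and all(ord(ch) < Q2 for ch in text) and decryption_guaranteed()
    rng = random.Random(seed)                    # seeded only so the example is reproducible
    pub, priv = keygen(rng)
    r1, r2 = ternary(rng, *WEIGHT), ternary(rng, *WEIGHT)
    M_out, r1_out, r2_out = decrypt(priv, pub[1], encrypt(pub, [ord(ch) for ch in text], r1, r2))
    return "".join(map(chr, M_out)), r1_out == r1, r2_out == r2
```

The two `center` calls are where this decryption can fail silently: if a coefficient of $f r_2$ falls outside $(-p/2, p/2)$, or a coefficient of $p r_1 g + f r_2$ wraps modulo $q_1$, then $s_p \neq f r_2$, the recovered $r_2$ and $r_1$ are wrong, and $M$ comes out as garbage rather than as an error. `decryption_guaranteed()` encodes the sufficient condition for the weights used here, so sampling weights and moduli have to be chosen together; the toy values $N = 11$, $p = 7$, $q_1 = 97$, $q_2 = 127$ satisfy that condition but provide no security margin at all.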
The apparatus in this embodiment may be configured to execute the technical solutions of the method embodiments shown in
Persons of ordinary skill in the art may understand that all or some of the steps of the method embodiments may be implemented by a program instructing relevant hardware. The program may be stored in a computer-readable storage medium. When the program runs, the steps of the method embodiments are performed. The foregoing storage medium includes: any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of the present invention, but not for limiting the present invention. Although the present invention is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments or make equivalent replacements to some or all technical features thereof, without departing from the scope of the technical solutions of the embodiments of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
201410315215.2 | Jul 2014 | CN | national |
This application is a continuation of International Application No. PCT/CN2015/071619, filed on Jan. 27, 2015, which claims priority to Chinese Patent Application No. 201410315215.2, filed on Jul. 3, 2014, both of which are hereby incorporated by reference in their entireties.
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2015/071619 | Jan 2015 | US |
Child | 14985942 | | US |