1. Generate the public and private keys
Choose two large primes p and q at random, with p not equal to q, and let N = pq.
Let $r=\varphi(N)=\varphi(p)\varphi(q)=(p-1)(q-1)$
Choose an integer $e$ smaller than $r$ (with $\gcd(e, r)=1$)
Compute $d$, the modular inverse of $e$ with respect to $r$ (that is, $e \times d=1 \mod r$)
Public key: (N, e)
Private key: (N, d)
2. Encrypt plaintext m into c
$c = m^e \mod N$
3. Decrypt ciphertext c into m
$m = c^d \mod N$
1. Generate the public and private keys
Choose two large primes p and q at random, with p not equal to q, and let n = pq.
Let $\lambda=\operatorname{lcm}(p-1, q-1)$
Randomly choose an integer $g\in Z^*_{n^2}$ (with $\gcd(L(g^\lambda \mod n^2), n)=1$)
where the function $L(u)=(u-1)/n$
Public key: (n, g)
Private key: ($\lambda$)
2. Encrypt plaintext m into c
Randomly choose an integer $r \in Z^*_n$
$c=g^m \cdot r^n \mod n^2$
3. Decrypt ciphertext c into m
$m=\frac{L(c^\lambda \mod n^2)}{L(g^\lambda \mod n^2)}\mod n$
1. Encrypt plaintext m into c
$n=pq$
$g=n+1$, so $g^m=(n+1)^m \equiv (n*m+1)\mod n^2$
apply_obfuscator():
Randomly choose an integer $r \in Z^*_n$
$obfuscator=r^n \mod n^2$ (in apply_obfuscator)
raw_encrypt():
if: $(n-\frac{n}{3}-1) \le m < n$
then: $x=invert((n*(n-m)+1) \mod n^2, n^2)$
else: $x=(n*m+1)\mod n^2$
$c=x*obfuscator \mod n^2$
2. Decrypt ciphertext c into m (using Chinese-remaindering)
h_func: $h(x)=invert(l(g^{x-1} \mod x^2, x), x)$
l_func: $l(x, y)=\frac{x-1}{y}$
$hp=h(p)=invert(l(g^{p-1} \mod p^2, p),p)$
$hq=h(q)=invert(l(g^{q-1} \mod q^2, q),q)$
$mp=l(c^{p-1}\mod p^2,p)*hp \mod p$
$mq=l(c^{q-1} \mod q^2, q)*hq \mod q$
$u=(mp-mq)*invert(q,p) \mod p$
$m=(mq+u*q) \mod n$
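The encryption shortcut for $g=n+1$ and the Chinese-remainder decryption above, as an added Python example (not code from the original page or from any library). The names `keygen` and `raw_decrypt`, the folding of the obfuscator step into `raw_encrypt`, integer division for $n/3$, and the toy primes are assumptions made for illustration.

```python
import secrets
from math import gcd

def l_func(x, y):
    # l(x, y) = (x - 1) / y; the division is exact for the inputs used here
    return (x - 1) // y

def h_func(x, g):
    # h(x) = invert(l(g^(x-1) mod x^2, x), x)
    return pow(l_func(pow(g, x - 1, x * x), x), -1, x)

def keygen(p, q):
    # p, q: distinct primes supplied by the caller (hypothetical helper)
    n = p * q
    g = n + 1
    return (n, g), (p, q, h_func(p, g), h_func(q, g))

def raw_encrypt(pub, m, r=None):
    n, g = pub
    nsq = n * n
    m %= n
    if n - n // 3 - 1 <= m < n:
        # upper third of the range: invert the small element n*(n-m)+1,
        # which equals g^m mod n^2 because g^n = 1 mod n^2
        x = pow((n * (n - m) + 1) % nsq, -1, nsq)
    else:
        x = (n * m + 1) % nsq  # g^m mod n^2 for g = n + 1
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1  # r in [1, n-1], coprime to n
    obfuscator = pow(r, n, nsq)
    return x * obfuscator % nsq

def raw_decrypt(pub, priv, c):
    n, _ = pub
    p, q, hp, hq = priv
    mp = l_func(pow(c, p - 1, p * p), p) * hp % p
    mq = l_func(pow(c, q - 1, q * q), q) * hq % q
    u = (mp - mq) * pow(q, -1, p) % p
    return (mq + u * q) % n

if __name__ == "__main__":
    # Constructed toy primes: far too small for real use, chosen for readability
    pub, priv = keygen(1009, 1013)
    for m in (42, pub[0] - 5):  # second value lies in the upper third
        assert raw_decrypt(pub, priv, raw_encrypt(pub, m)) == m
    print("round trip ok")
```

Passing `r=1` makes the obfuscator equal to 1, which lets you compare `x` directly against `pow(g, m, n*n)` for both branches.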
1. keygen
Generate n, then generate a, inv_a and b
$gcd(a,n)=1$
(By Euler's theorem, $a*inv\_a \mod n=1$)
2. Encrypt plaintext m into (c, k) (k = 1 in the code)
$c=(a*m+k*b)\mod n$, recorded as the pair (E(x), k), where E(x) is the ciphertext and k is the coefficient of the bias b.
3. Decrypt ciphertext (c, k) into m
$m=(inv\_a*(c \mod n-k*b))\mod n$
if: $m/n>0.9$
then: $m=m-n$
else: $m=m$
1. keygen
Generate a key-tuple array in which each element is a tuple (a, inv_a, n), where gcd(a, n) = 1 and inv_a * a % n = 1. The array is sorted by n.
2. Encrypt
E(x) = Enc_n o … o Enc_1(x), where Enc_r(x) = a_r * x % n_r, and a_r, n_r are taken from the r-th element of the key-tuple array.
3. Decrypt
Dec(E(x)) = Dec_1 o … o Dec_n(x), Dec_r(x) = (inv_a)_r * (a_r * x) % n_r = x % n_r