This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2840119, IEEE Access

A Practical Public Key Encryption Scheme Based on Learning Parity with Noise

Zhimin Yu (1), Chong-zhi Gao (2,4), Zhengjun Jing (1), Brij Bhooshan Gupta (3), Qiuru Cai (1)

(1) School of Computer Engineering, Jiangsu University of Technology, Changzhou, Jiangsu 213001, China
(2) School of Computer Science and Educational Software, Guangzhou University, China
(3) Department of Computer Engineering, National Institute of Technology Kurukshetra, India
(4) State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, China

Corresponding author: Chong-zhi Gao (e-mail: [email protected]).

This work was financially supported by the National Natural Science Foundation of China (Grant Nos. 61672270, 61602216, 61702236), the Changzhou Applied Basic Research Guidance Project (2016365), the Changzhou Science and Technology Program (CJ20179027) and the State Key Laboratory of Cryptology, China.

Abstract: To protect cyber security and privacy, it is critical to design secure and practical public key encryption schemes. Today, big data and cloud computing bring not only unprecedented opportunities but also fundamental security challenges. Big data faces many security risks in the collection, storage and use of data and brings serious problems regarding the disclosure of private user data. It is challenging to achieve security and privacy protection in the big data environment. Thus, to meet the growing demand for public key encryption in this environment, we propose a single-bit public key encryption scheme based on a variant of LPN (Learning Parity with Noise) and extend it to a multi-bit public key encryption scheme. We prove the correctness and CPA (Chosen Plaintext Attack) security of the proposed method. Our schemes solve the encoding error rate problem of the existing public key schemes based on LPN, and the encoding error rate in our schemes is negligible.

INDEX TERMS: CPA, Encoding error ratio, Encryption, LPN, Public key encryption

I. INTRODUCTION

With the development and application of big data and cloud computing technology, the big data environment has put forward higher requirements for data encryption, and the design of a practical and secure public key encryption scheme has important practical significance. Considering data security in the big data environment, many valuable schemes have been put forward [1-3]. They have been shown to be useful in applications such as protecting privacy in machine learning [4, 5] and protecting security in cloud computing [6, 7]. The main classical public key schemes were designed based on a number of difficult number theory problems, such as large number factorization and discrete logarithms [8-11]. However, many traditional number theory assumptions on which the above schemes are based can be solved by quantum algorithms [12]. That is, in the era of quantum computing, these public key encryption schemes are broken. Therefore, in the post-quantum era, new public key encryption schemes based on new difficult problems need to be designed and

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

implemented [13-14] for the new computing environments and applications.

In 2003, Boneh and Silverberg defined the concept of ideal multilinear mapping and demonstrated its application scenarios [15]. However, it was not until 2013 that Garg, Gentry and Halevi (GGH) proposed the first realistic multilinear mapping based on ideal lattices [16], with its security based on the multi-level Diffie-Hellman decision problem (GCDH/GDDH). Many new schemes have been designed based on the GGH scheme [17, 18]. Recently, the GGH scheme was proved to be insecure [19], and new multilinear mapping constructions are being explored.

Regev proposed LWE (Learning with Errors) based on lattice theory [20], which has been widely used in public key cryptosystem design and in applications of data encryption in cloud computing [21-28]. Although LWE-based schemes can resist quantum attacks, the public key size in schemes designed based on LWE is too large, and the reduction of this size is an open problem. If we design public key schemes based on the variant of LPN that is the special case of LWE in $\mathbb{F}_2$, the size of the public key is small. In an LPN (Learning Parity with Noise) problem there is a randomly selected public $n$-dimensional vector $\mathbf{a} \in \mathbb{Z}_2^n$ and a randomly selected private $n$-dimensional vector $\mathbf{s} \in \mathbb{Z}_2^n$. An attacker can get a sample set $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle \oplus e)$, where $e \leftarrow \mathrm{Ber}_\eta$. $\mathrm{Ber}_\eta$ represents the Bernoulli distribution, that is, the discrete probability distribution on $\{0, 1\}$ in which the probability of an occurrence of 1 is $\eta$, $0 < \eta < 1$. The parameter in the standard LPN problem is $0 < \eta < 0.5$, which is essentially the noise rate. On this basis, if the attacker is able to distinguish between the sampled element and the random element $(\mathbf{a}, r)$, $r \xleftarrow{\$} \mathbb{Z}_2$, the attacker can solve the DLPN problem (decisional LPN).

To date, there are two kinds of non-trivial solving methods for LPN problems. One kind of method intends to exhaust all possible noise vectors, and the other solves the LPN problem based on the Blum-Kalai-Wasserman (BKW) algorithm [29]. The original BKW algorithm has sub-exponential time complexity $2^{O(n/\log n)}$ and needs $2^{O(n/\log n)}$ samples. Lyubashevsky gives a BKW algorithm variant that requires a higher time complexity $2^{O(n/\log\log n)}$ but only $n^{1+\varepsilon}$ samples [30]. Recently, Kirchner also proposed an improved algorithm with less computation and running time [31]. Although there are many solving algorithms for a variety of LPN problems, there are no polynomial time algorithms or quantum algorithms. The creation and calculation of LPN instances are very simple, but it is very difficult to solve the DLPN problem. Therefore, it is very attractive to design cryptographic applications based on LPN. The LPN problem has been widely used in symmetric encryption [32-36], but there has been little progress in the design of public key schemes. In 2003, Alekhnovich proposed a public-key encryption scheme based on a decisional LPN problem [37]. In this scheme, the noise ratio is $\eta \approx 1/\sqrt{n}$ instead of the constant defined in a standard LPN problem. Subsequently, Damgård et al. proposed not only a public key encryption scheme based on the decisional LPN problem but also a public-key encryption scheme based on a ring-LPN problem [38]. Damgård et al. proved the security of these schemes. Meanwhile, these schemes are practical. Damgård et al. compared some practical public key encryption algorithms such as RSA for computational efficiency, public key size and ciphertext size. Although the RSA algorithm is not resistant to quantum

attack, the performance comparison is meaningful.

However, non-negligible encoding error exists in all existing public key schemes based on an LPN variant [37-38]. To solve this problem, we designed a new public-key encryption scheme. First, we extend the LPN variant to a matrix LPN problem, and a new public key encryption scheme is proposed based on this LPN variant. There are two advantages to the proposed scheme. First, we maintain the largest advantages of LPN, which are rapid instance generation and rapid computing; second, we solve the encoding error problem of existing public key encryption schemes. There are two vectors $\mathbf{f}, \mathbf{e} \leftarrow \mathrm{Ber}_\eta^n$ in Damgård's scheme. The correctness of the scheme relies on the fact that the inner product $\mathbf{f}^T \mathbf{e}$ will be zero with the greater probability
$$\Pr(\mathbf{f}^T \mathbf{e} = 0) = \frac{1}{2} + \frac{(1 - 2\eta^2)^n}{2},$$
and if this probability is greater than $1/2$ but its complement is not negligible, there is an encoding error in the decryption. Damgård chose parameters to ensure the decryption error rate is less than 25% and chose the ciphertext expansion as 5. However, the probability that all five bits decode incorrectly is still $(1/4)^5 = (1/2)^{10}$. Meanwhile, Damgård chose a small noise rate $\eta = \Theta(1/\sqrt{n})$ to meet this condition. Obviously, if $\eta$ is too small, the attacker will crack the scheme easily.

Our contributions include the following. Firstly, we reduce the DLPN variant problem with $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$ to the normal DLPN problem. So, our schemes are under the normal DLPN assumption. Secondly, we construct a new single-bit public key encryption algorithm in which a plaintext bit is converted to a bit-vector involved in the cryptographic operations. When a ciphertext is decrypted, if the Hamming weight of the $n$-dimensional vector is less than $n/2$, the plaintext bit is 0, and otherwise the plaintext bit is 1. The probability of the Hamming weight exceeding its expectation decays exponentially to a value that is negligible; thus, the decryption error probability is negligible. Thirdly, we extend the single-bit scheme to a multi-bit public key encryption algorithm. In our single-bit and multi-bit schemes, even if we choose the larger parameter $\eta \approx 1/\sqrt{n}$, it can still be ensured that the decryption error is negligible. Therefore, under the same security guarantee, the size of the public key is smaller than in Damgård's scheme. Meanwhile, the total encryption and decryption time of our algorithms is greatly reduced.

The remainder of this paper is organized as follows. In section 2, preliminary knowledge is given. In section 3, we propose a single-bit and a multi-bit public key encryption scheme. Then, in section 4, we give the comparison between our scheme and the existing scheme. The conclusion is given in section 5.

II. Preliminaries

We first introduce the notation used in this paper and present the definition of the LPN problem [39].

A. Notation

We work entirely in the field $\mathrm{GF}(2)$. For a vector $\mathbf{u} \in \mathbb{Z}_2^k$, the $i$-th entry of the column vector $\mathbf{u}$ is denoted by $u_i$. The $i$-th column vector of a matrix $U$ is denoted by $\mathbf{u}_i$. $x \leftarrow D$ means that $x$ is drawn from the distribution $D$. For an $n$-th order matrix $A$, $A^T$ denotes the transpose of $A$ and $A^{-1}$ denotes the inverse matrix of $A$. A probability $\varepsilon(n)$ is said to be negligible if

$\varepsilon(n) < 1/p(n)$ for any polynomial $p$ and all sufficiently large integers $n$. A Bernoulli distribution with parameter $\eta$ is denoted by $\mathrm{Ber}_\eta$. $\mathrm{Ber}_\eta^k$ denotes the distribution of vectors $\mathbf{a} \in \mathbb{Z}_2^k$ where each entry of the vector is drawn independently from $\mathrm{Ber}_\eta$. $\mathrm{Bin}_{n,\eta}$ denotes the binomial distribution with $n$ trials, each with success probability $\eta$. $X \leftarrow \mathrm{Bin}_{n,\eta}$ denotes that $X$ is drawn from the distribution $\mathrm{Bin}_{n,\eta}$. For a vector $\mathbf{a} \in \mathbb{Z}_2^k$, its Hamming weight is the number of ones in $\mathbf{a}$. The function $h(\mathbf{a})$ calculates the Hamming weight of $\mathbf{a} \in \mathbb{Z}_2^k$. Let $\mathbf{1} = (1, 1, \ldots, 1) \in \mathbb{Z}_2^n$.

B. Decisional LPN Problem

Definition 1 (Decisional LPN Problem). Given parameters $n$, $\eta = \Theta(1/\sqrt{n})$ and randomly selected matrices $A \in \mathbb{Z}_2^{n\times n}$, $S \in \mathbb{Z}_2^{n\times n}$, an attacker can obtain a sample set $(A, AS \oplus E)$, where $E \leftarrow \mathrm{Ber}_\eta^{n\times n}$. If the attacker can distinguish between a new sample $(A, AS \oplus E)$ and $(A, R)$, $R \xleftarrow{\$} \mathbb{Z}_2^{n\times n}$, with non-negligible probability after obtaining enough samples, then the attacker is able to solve the decisional LPN (DLPN) problem.

Definition 2 (Decisional LPN Assumption). The probability of any probabilistic polynomial time (PPT) attacker solving the decisional LPN problem with parameters $(n, \eta)$ is negligible. Alekhnovich defined the noise ratio $\eta = \Theta(1/\sqrt{n})$ [37].

III. Public Key Encryption Scheme Based on DLPN

In this section, we first give a single-bit public key encryption scheme based on DLPN, and then we prove the correctness and security of the scheme. Second, we extend the single-bit scheme to a multi-bit public key encryption scheme and prove its correctness and security.

A. Single-Bit Public Key Encryption Scheme

1) CONSTRUCTION OF THE SCHEME

A single-bit public key encryption scheme includes three PPT algorithms (KeyGen, Enc, Dec) following these steps:

(1) The key generation algorithm $\mathrm{KeyGen}(1^n, \eta)$ takes as input an integer $n$ and a noise rate $\eta$. Choose a matrix $A \in \mathbb{Z}_2^{n\times n}$ randomly and choose $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$, $E \leftarrow \mathrm{Ber}_\eta^{n\times n}$. Compute $B = AS \oplus E$. It returns a public key $pk = (A, B)$ and a private key $sk = (S)$.

(2) The encryption algorithm $\mathrm{Enc}(pk, m)$ takes as input the public key $pk$ and a message $m \in \mathbb{Z}_2$. Choose $\mathbf{r}, \mathbf{e}_1, \mathbf{e}_2 \leftarrow \mathrm{Ber}_\eta^n$ and compute $\mathbf{c}_1 = \mathbf{r}^T A \oplus \mathbf{e}_1^T$, $\mathbf{c}_2 = \mathbf{r}^T B \oplus \mathbf{e}_2^T \oplus m\mathbf{1}$. It returns a ciphertext $\mathbf{c} = (\mathbf{c}_1, \mathbf{c}_2)$.

(3) The decryption algorithm $\mathrm{Dec}(sk, \mathbf{c})$ takes the private key $sk$ and a ciphertext $\mathbf{c} = (\mathbf{c}_1, \mathbf{c}_2)$ as input. Compute $\mathbf{d} = \mathbf{c}_1 S \oplus \mathbf{c}_2$. If $h(\mathbf{d}) < n/2$, it returns $m = 0$; else it returns $m = 1$.

2) CORRECTNESS

Before giving the proof of correctness of the scheme, we introduce Lemma 3, whose proof can be found in reference [38].

Lemma 3 ([38], Lemma 2.5). Let $X \leftarrow \mathrm{Bin}_{n,\eta}$. Then the probability that $X$ is even is
$$\frac{1}{2} + \frac{(1 - 2\eta)^n}{2}.$$
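The two parity probabilities that the correctness argument rests on, Lemma 3 for a binomial count and the inner-product form $\tfrac{1}{2} + \tfrac{(1-2\eta^2)^n}{2}$ quoted in the introduction for $\mathbf{f}, \mathbf{e} \leftarrow \mathrm{Ber}_\eta^n$, can be checked numerically. The Python below is an added example written for this page; it is not code from the paper or its authors. The LPN sample generator, the values $n = 16$, $\eta = 0.25$, the trial count and the seeds are assumptions chosen for a quick offline run; every input is constructed from a seeded PRNG.

```python
import random


def ber_vector(n, eta, rng):
    """Draw from Ber_eta^n: each entry is 1 with probability eta."""
    return [1 if rng.random() < eta else 0 for _ in range(n)]


def even_parity_prob(n, eta):
    """Lemma 3 ([38], Lemma 2.5): Pr[X is even] for X <- Bin_{n,eta}."""
    return 0.5 + (1 - 2 * eta) ** n / 2


def inner_product_zero_prob(n, eta):
    """Pr[f^T e = 0] for f, e <- Ber_eta^n.  Each product f_j e_j is 1 with
    probability eta^2, independently of the others, so Lemma 3 applies with
    eta replaced by eta^2; this is the 1/2 + (1-2eta^2)^n/2 of the paper."""
    return even_parity_prob(n, eta * eta)


def lpn_sample(s, eta, seed):
    """One LPN sample (a, <a,s> xor e): a uniform in Z_2^n, e <- Ber_eta.
    The seed only makes this constructed sample reproducible."""
    rng = random.Random(seed)
    a = [rng.getrandbits(1) for _ in s]
    e = 1 if rng.random() < eta else 0
    return a, (sum(ai & si for ai, si in zip(a, s)) % 2) ^ e


def empirical_inner_product_zero(n, eta, trials, seed=1):
    """Monte Carlo estimate of Pr[f^T e = 0] to compare with the formula."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        f = ber_vector(n, eta, rng)
        e = ber_vector(n, eta, rng)
        zeros += 1 - (sum(fj & ej for fj, ej in zip(f, e)) % 2)
    return zeros / trials


if __name__ == "__main__":
    n, eta = 16, 0.25  # toy parameters (assumption), not the paper's
    print("Lemma 3  Pr[Bin(n,eta) even] =", even_parity_prob(n, eta))
    print("formula  Pr[f^T e = 0]       =", inner_product_zero_prob(n, eta))
    print("sampled  Pr[f^T e = 0]       =", empirical_inner_product_zero(n, eta, 20000))
```

The sampled frequency lands within sampling error of the closed form, which is exactly the step the paper takes when it moves from Lemma 3 (one Bernoulli parameter) to the inner product of two Bernoulli vectors.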

Lemma 4. The probability of decryption error of the single-bit public key encryption scheme is negligible.

Proof: Because $\mathbf{d} = \mathbf{c}_1 S \oplus \mathbf{c}_2 = (\mathbf{r}^T A \oplus \mathbf{e}_1^T) S \oplus \mathbf{r}^T B \oplus \mathbf{e}_2^T \oplus m\mathbf{1}$, substituting $B = AS \oplus E$ into the above equation we get
$$\mathbf{d} = \mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T \oplus m\mathbf{1}.$$
As we know $\mathbf{r} \leftarrow \mathrm{Ber}_\eta^n$ and $E \leftarrow \mathrm{Ber}_\eta^{n\times n}$, each entry of $\mathbf{c} = \mathbf{r}^T E$ is $c_i = \sum_{j=1}^{n} r_j e_{i,j}$ (over $\mathrm{GF}(2)$). Each term $r_j e_{i,j}$ is 1 with probability $\eta^2$, so from Lemma 3 the probability that $c_i$ is 0 will be $\frac{1}{2} + \frac{(1-2\eta^2)^n}{2}$. Similarly, the probability that each entry of $\mathbf{e}_1^T S$ is 0 will be $\frac{1}{2} + \frac{(1-2\eta^2)^n}{2}$. Lastly, because $\mathbf{e}_2^T \leftarrow \mathrm{Ber}_\eta^n$, we can reach the following conclusions:
$$h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T) \le h(\mathbf{r}^T E) + h(\mathbf{e}_1^T S) + h(\mathbf{e}_2^T),$$
$$\mathbb{E}\left[h(\mathbf{r}^T E) + h(\mathbf{e}_1^T S) + h(\mathbf{e}_2^T)\right] = n\left(1 - (1 - 2\eta^2)^n + \eta\right).$$
According to the parameters selected in the scheme, $h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T) < n/2$ can be met. Obviously, if the plaintext is 1, it is equivalent to complementing $\mathbf{e}_2^T$, and if the plaintext is 0, $\mathbf{e}_2^T$ remains unchanged. So, if $m = 0$, then $h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T) < n/2$; on the contrary, if $m = 1$, there must be $h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T \oplus \mathbf{1}) > n/2$. □

The function $h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T)$ takes as input different integers $n$ and the larger noise rate $\eta \approx 1/\sqrt{n}$. We give in Table I the mathematical expectation of $h(\mathbf{r}^T E \oplus \mathbf{e}_1^T S \oplus \mathbf{e}_2^T)$ when the plaintext is $m = 0$.

TABLE I. Mathematical expectation of $h(\mathbf{d})$ when $m = 0$.

n        n/2      η ≈ 1/√n    E(h(rᵀE))   E(h(e₁ᵀS))   E(h(e₂ᵀ))   E(h(d))
9000     4500     0.010541    514         514          95          ≈1123
21000    10500    0.006901    1276        1276         145         ≈2697
29000    14500    0.005872    1795        1795         166         ≈3755
80000    40000    0.003536    5131        5131         282         ≈10544
145000   72500    0.002626    9431        9431         381         ≈19243

3) SECURITY PROOF

Although we sample the private key $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$ instead of $S \in \mathbb{Z}_2^{n\times n}$, its security is still based on the DLPN. Therefore, before giving a security proof, we introduce Lemma 5.

Lemma 5. Choose $A \in \mathbb{Z}_2^{n\times n}$, $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$ and $E \leftarrow \mathrm{Ber}_\eta^{n\times n}$ randomly. Compute $B = AS \oplus E$. Under the DLPN assumption, $(A, B)$ is indistinguishable from a pair sampled from the uniform distribution on $\mathbb{Z}_2^{n\times n} \times \mathbb{Z}_2^{n\times n}$.

Proof: Given a set of LPN samples $(A_i, B_i = A_i S \oplus E_i)$, where $A_i \in \mathbb{Z}_2^{n\times n}$, $S \in \mathbb{Z}_2^{n\times n}$ and $E_i \leftarrow \mathrm{Ber}_\eta^{n\times n}$. Without loss of generality, if we assume $A_1^{-1} \in \mathbb{Z}_2^{n\times n}$ exists, then
$$(A_i A_1^{-1},\; B_i \oplus A_i A_1^{-1} B_1) = (A_i A_1^{-1},\; E_i \oplus A_i A_1^{-1} E_1) = (A_i',\; B_i' = A_i' E_1 \oplus E_i),$$
where $A_i' = A_i A_1^{-1}$. If $(A_i, B_i)$ is an LPN sample selected according to Definition 2 instead of from the uniform distribution on $\mathbb{Z}_2^{n\times n} \times \mathbb{Z}_2^{n\times n}$, then $(A_i', B_i')$ meets the definition of the public key in section 3.1.1. When there is a PPT algorithm that can distinguish $(A_i', B_i')$ from the uniform distribution on $\mathbb{Z}_2^{n\times n} \times \mathbb{Z}_2^{n\times n}$, then this algorithm can distinguish $(A_i, B_i)$ from the uniform distribution on $\mathbb{Z}_2^{n\times n} \times \mathbb{Z}_2^{n\times n}$. Therefore, the DLPN variant problem with $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$ can be reduced to the normal DLPN problem. □

Theorem 6 (Security). Under the DLPN assumption, the single-bit public key scheme is secure against a chosen plaintext attack.

Proof: Suppose the single-bit public key scheme defined in section 3.1.1 has parameters $n, \eta$ and public key $pk = (A, B)$. Let $R \in \mathbb{Z}_2^{n\times 2n}$ be the matrix with entries
$$r_{i,j} = \begin{cases} a_{i,j} & 1 \le i \le n,\; 1 \le j \le n \\ b_{i,j-n} & 1 \le i \le n,\; n < j \le 2n. \end{cases}$$
Obviously, $R$ has the same distribution as $pk = (A, B)$. If the plaintext is $m = 0$, the ciphertext is $(\mathbf{r}^T A \oplus \mathbf{e}_1^T,\; \mathbf{r}^T B \oplus \mathbf{e}_2^T)$, which can be written as $\mathbf{r}^T R \oplus \mathbf{e}^T$, where $\mathbf{e} \in \mathbb{Z}_2^{2n}$ with
$$e_i = \begin{cases} (e_1)_i & 1 \le i \le n \\ (e_2)_{i-n} & n < i \le 2n. \end{cases}$$
According to the DLPN assumption, $(R, \mathbf{r}^T R \oplus \mathbf{e}^T)$ is indistinguishable from $(S', \mathbf{r}'^T S' \oplus \mathbf{e}'^T)$, where $S' \in \mathbb{Z}_2^{n\times 2n}$ is uniform, $\mathbf{r}' \leftarrow \mathrm{Ber}_\eta^n$ and $\mathbf{e}' \leftarrow \mathrm{Ber}_\eta^{2n}$. Furthermore, $(S', \mathbf{r}'^T S' \oplus \mathbf{e}'^T)$ and $(S', \mathbf{r}''^T)$ also cannot be distinguished, in which $\mathbf{r}''$ is randomly chosen from $\mathbb{Z}_2^{2n}$. If the plaintext is $m = 1$, $\mathbf{e}_2^T \oplus m\mathbf{1}$ does not change the distribution of $\mathbf{e}_2^T$ and only negates $\mathbf{e}_2^T$. Hence, a ciphertext is indistinguishable from random bits. □

B. Multi-Bit Public Key Encryption Scheme

1) CONSTRUCTION OF THE SCHEME

A multi-bit public key encryption scheme includes three PPT algorithms (KeyGen, Enc, Dec) following these steps:

(1) The key generation algorithm $\mathrm{KeyGen}(1^n, \eta)$ takes as input an integer $n$ and a noise rate $\eta$. Choose a matrix $A \in \mathbb{Z}_2^{n\times n}$ randomly and choose $S \leftarrow \mathrm{Ber}_\eta^{n\times n}$, $E \leftarrow \mathrm{Ber}_\eta^{n\times n}$. Compute $B = AS \oplus E$. It returns a public key $pk = (A, B)$ and a private key $sk = (S)$.

(2) The encryption algorithm $\mathrm{Enc}(pk, \mathbf{m})$ takes as input the public key $pk$ and a message $\mathbf{m} \in \mathbb{Z}_2^n$. First, convert $\mathbf{m}$ to a square matrix $M' \in \mathbb{Z}_2^{n\times n}$: if $m_i = 0$, each entry of the $i$-th column of $M'$ is 0, and otherwise each

entry of the $i$-th column is 1. For example, if $\mathbf{m} = (1, 1, 0, 0)$, then
$$M' = \begin{pmatrix} 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 \end{pmatrix}.$$
Choose $R, E_1, E_2 \leftarrow \mathrm{Ber}_\eta^{n\times n}$ and compute $C_1 = RA \oplus E_1$, $C_2 = RB \oplus E_2 \oplus M'$. It returns a ciphertext $C = (C_1, C_2)$.

(3) The decryption algorithm $\mathrm{Dec}(sk, C)$ takes as input the private key $sk$ and a ciphertext $C = (C_1, C_2)$. Compute $D = C_1 S \oplus C_2$. If the Hamming weight of the $i$-th column of $D$ satisfies $h(\mathbf{d}_i) < n/2$, then $m_i = 0$; otherwise $m_i = 1$. At last it returns $\mathbf{m}$.

2) CORRECTNESS

Lemma 7. The probability of decryption error of the multi-bit public key encryption scheme is negligible.

Proof: It is very easy to verify that $D = C_1 S \oplus C_2 = (RA \oplus E_1) S \oplus RB \oplus E_2 \oplus M'$; substituting $B = AS \oplus E$ into the above equation, we get $D = RE \oplus E_1 S \oplus E_2 \oplus M'$, where $R, E_1, E_2 \leftarrow \mathrm{Ber}_\eta^{n\times n}$. According to Lemma 3, the expected Hamming weight of each column of $RE$ and of $E_1 S$ is $n\left(\frac{1}{2} - \frac{(1-2\eta^2)^n}{2}\right)$. When each entry of the plaintext column vector $\mathbf{m}$ is zero, the expected Hamming weight $h(\mathbf{d}_i)$ is at most $n\left(1 - (1-2\eta^2)^n + \eta\right)$. According to the parameters selected in the scheme, $h(\mathbf{d}_i) < n/2$ can be met. Obviously, if the plaintext is $m_i = 1$, it is equivalent to complementing the $i$-th column $(\mathbf{e}_2)_i^T$; if the plaintext is 0, $(\mathbf{e}_2)_i^T$ remains unchanged. Therefore, if $m_i = 0$, then $h(\mathbf{d}_i) < n/2$; in contrast, $h(\mathbf{d}_i) > n/2$ if $m_i = 1$. □

3) SECURITY PROOF

Theorem 8 (Security). Under the DLPN assumption, the multi-bit public key scheme is secure against the chosen plaintext attack.

Proof: Suppose the multi-bit public key scheme defined in section 3.2.1 has parameters $n, \eta$ and public key $pk = (A, B)$. Let $Q \in \mathbb{Z}_2^{n\times 2n}$ with
$$q_{i,j} = \begin{cases} a_{i,j} & 1 \le i \le n,\; 1 \le j \le n \\ b_{i,j-n} & 1 \le i \le n,\; n < j \le 2n. \end{cases}$$
Obviously, $Q$ has the same distribution as $pk = (A, B)$. If each entry of the plaintext is $m_i = 0$, the ciphertext is $(RA \oplus E_1,\; RB \oplus E_2)$, which can be written as $RQ \oplus \bar{E}$, where $\bar{E} \in \mathbb{Z}_2^{n\times 2n}$ with
$$\bar{e}_{i,j} = \begin{cases} (e_1)_{i,j} & 1 \le i \le n,\; 1 \le j \le n \\ (e_2)_{i,j-n} & 1 \le i \le n,\; n < j \le 2n. \end{cases}$$
According to the DLPN assumption, $(Q, RQ \oplus \bar{E})$ is indistinguishable from $(S', R'S' \oplus E')$, where $S' \in \mathbb{Z}_2^{n\times 2n}$ is uniform, $R' \leftarrow \mathrm{Ber}_\eta^{n\times n}$ and $E' \leftarrow \mathrm{Ber}_\eta^{n\times 2n}$. $(S', R'S' \oplus E')$ and $(S', R'')$ also cannot be distinguished, in which $R''$ is randomly chosen from $\mathbb{Z}_2^{n\times 2n}$. If a plaintext entry is $m_i = 1$, $(\mathbf{e}_2)_i^T \oplus m_i\mathbf{1}$ does not change the distribution of $(\mathbf{e}_2)_i^T$ and simply negates $(\mathbf{e}_2)_i^T$. Hence, the ciphertext is indistinguishable from random. □
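For both the single-bit scheme of Section III.A and the multi-bit scheme of Section III.B above, here is an added Python implementation written for this page; it is not the authors' C++/NTL implementation. It follows KeyGen, Enc and Dec as stated (with $M'$ built column-wise from $\mathbf{m}$ and column-weight decoding against the $n/2$ threshold) and also evaluates the Lemma 4 expectation $n(1 - (1-2\eta^2)^n + \eta)$, so the chosen noise rate can be checked against the decoding threshold before keys are generated. The toy parameters $n = 64$, $\eta = 0.03$, the seed and the list-of-rows matrix representation are assumptions of the example, chosen so that the expected noise weight sits far below $n/2$; they are not the paper's 80/112/128-bit parameter sets.

```python
import random


def gf2_matmul(X, Y):
    """Matrix product over GF(2); matrices are lists of rows of 0/1 ints."""
    return [[sum(X[i][k] & Y[k][j] for k in range(len(Y))) & 1
             for j in range(len(Y[0]))] for i in range(len(X))]


def gf2_add(X, Y):
    """Entry-wise XOR."""
    return [[x ^ y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def bernoulli_matrix(rows, cols, eta, rng):
    """Ber_eta^{rows x cols}: each entry is 1 with probability eta."""
    return [[1 if rng.random() < eta else 0 for _ in range(cols)] for _ in range(rows)]


def expected_noise_weight(n, eta):
    """Lemma 4: E[h(r^T E) + h(e_1^T S) + h(e_2^T)] = n(1 - (1-2eta^2)^n + eta).
    Decryption is reliable only while this is comfortably below n/2."""
    return n * (1 - (1 - 2 * eta * eta) ** n + eta)


def keygen(n, eta, rng):
    """pk = (A, B = AS xor E) with A uniform, S, E <- Ber_eta^{n x n}; sk = S."""
    A = [[rng.getrandbits(1) for _ in range(n)] for _ in range(n)]
    S = bernoulli_matrix(n, n, eta, rng)
    E = bernoulli_matrix(n, n, eta, rng)
    return (A, gf2_add(gf2_matmul(A, S), E)), S


def encrypt_bit(pk, m, eta, rng):
    """Single-bit Enc: c_1 = r^T A xor e_1^T, c_2 = r^T B xor e_2^T xor m*1."""
    A, B = pk
    n = len(A)
    r = bernoulli_matrix(1, n, eta, rng)    # r^T as a 1 x n row
    e1 = bernoulli_matrix(1, n, eta, rng)
    e2 = bernoulli_matrix(1, n, eta, rng)
    ones = [[m] * n]                        # m * (1,1,...,1)
    return gf2_add(gf2_matmul(r, A), e1), gf2_add(gf2_add(gf2_matmul(r, B), e2), ones)


def decrypt_bit(sk, c):
    """d = c_1 S xor c_2; 0 iff h(d) < n/2."""
    c1, c2 = c
    d = gf2_add(gf2_matmul(c1, sk), c2)[0]
    return 0 if sum(d) < len(d) / 2 else 1


def encrypt_bits(pk, bits, eta, rng):
    """Multi-bit Enc: C_1 = RA xor E_1, C_2 = RB xor E_2 xor M', where column i
    of M' is all ones iff bits[i] == 1 (so every row of M' equals bits)."""
    A, B = pk
    n = len(A)
    R = bernoulli_matrix(n, n, eta, rng)
    E1 = bernoulli_matrix(n, n, eta, rng)
    E2 = bernoulli_matrix(n, n, eta, rng)
    M = [list(bits) for _ in range(n)]
    return gf2_add(gf2_matmul(R, A), E1), gf2_add(gf2_add(gf2_matmul(R, B), E2), M)


def decrypt_bits(sk, C):
    """D = C_1 S xor C_2; bit i is 0 iff column i of D has weight < n/2."""
    C1, C2 = C
    D = gf2_add(gf2_matmul(C1, sk), C2)
    n = len(D)
    return [0 if sum(row[i] for row in D) < n / 2 else 1 for i in range(n)]


def roundtrip(n=64, eta=0.03, seed=11):
    """Key generation, then one single-bit and one multi-bit encrypt/decrypt
    on constructed plaintexts; True iff every bit decrypts correctly."""
    rng = random.Random(seed)
    pk, sk = keygen(n, eta, rng)
    single_ok = all(decrypt_bit(sk, encrypt_bit(pk, m, eta, rng)) == m for m in (0, 1))
    msg = [rng.getrandbits(1) for _ in range(n)]
    multi_ok = decrypt_bits(sk, encrypt_bits(pk, msg, eta, rng)) == msg
    return single_ok and multi_ok


if __name__ == "__main__":
    n, eta = 64, 0.03  # toy parameters (assumption), not the paper's
    print("expected noise weight:", expected_noise_weight(n, eta), "threshold:", n / 2)
    print("round trip ok:", roundtrip(n, eta))
```

Checking `expected_noise_weight` against `n / 2` first is the practical form of the paper's "according to the parameters selected in the scheme, $h(\mathbf{d}) < n/2$ can be met": a noise rate that pushes the expectation toward $n/2$ turns the negligible-error claim into a coin flip.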

IV. Performance Analysis

We choose, for 80-, 112- and 128-bit security respectively, $n = 9000$, $21000$ and $29000$, which are suitable and correspond to the security levels of 1024-, 2048- and 3072-bit RSA [23]. Table II lists the comparison between our schemes and the Damgård schemes in computational efficiency. All calculations in the schemes based on LPN are in the field $\mathbb{F}_2$. Therefore, multiplication and addition have the same overhead. Thus, the computational times in the table are the sum of the multiplication and addition results. Our scheme has the same public key size as in the Damgård scheme. Although our scheme increases slightly in ciphertext size and computational overhead, the decryption error is negligible.

TABLE II. Comparison between our scheme and Damgård's scheme in size of public key and ciphertext.

Scheme                   Size of public key (bit)   Size of ciphertext (bit)   Encoding error
Damgård's single-bit     2n² + 2n                   n + 1                      yes
Our single-bit           2n²                        2n                         no
Damgård's multi-bit      4n²                        2n                         yes
Our multi-bit            2n²                        2n²                        no

We compare the performance of our multi-bit scheme with RSA (without padding) and Damgård's scheme in an implementation for various security levels, as shown in Table III. The implementation was written in C++ and made use of the NTL library for some mathematical operations. We can see that the encryption in our scheme is slower than in RSA and the decryption in our scheme is faster than in RSA. We get the opposite result when compared with Damgård's multi-bit scheme. The limitation of our approach is that it does not meet the stronger CCA security. Overcoming this shortcoming is one of our future research directions.

TABLE III. Comparison with Damgård's scheme and the RSA public key encryption scheme.

                           Time per encryption (ms)      Time per decryption (ms)
Security level (bits)      80      112      128          80       112      128
RSA scheme (not padding)   0.010   0.030    0.060        0.140    0.940    2.890
Damgård's multi-bit        25.80   128.40   241.70       0.052    0.098    0.128
Our multi-bit scheme       15.60   45.30    102.10       0.11     0.221    0.258

V. Conclusions

In the post-quantum era, the design of public key cryptography under the DLPN assumption is an important research direction. Such schemes have many advantages, such as shorter public keys and ciphertexts and faster encryption and decryption. But the existing schemes still have the problem of decryption error, which is not satisfactory. Based on the LPN variant problem, we proposed a single-bit and a multi-bit public key encryption scheme. Our scheme solves the decryption error problem of the existing public key encryption schemes based on DLPN. Compared to existing schemes, there is only a small increase in ciphertext space and computing overhead in our scheme. Our scheme is not only able to withstand quantum attack but also provides strong practical security at the same time. In the future, we will design a public key scheme based on DLPN with high security, smaller public key and ciphertext size, and smaller

computational overhead. Furthermore, designing public key cryptography that satisfies CCA security is also one of our future works.

References

[1] Xiaochao Sun, Bao Li, Xianhui Lu, Fuyang Fang, "CCA Secure Public Key Encryption Scheme Based on LWE Without Gaussian Sampling," Lecture Notes in Computer Science, vol. 9589, pp. 361-378, 2015.

[2] Jian Xu, Laiwen Wei, Yu Zhang, Andi Wang, Fucai Zhou, and Chong-zhi Gao, "Dynamic Fully Homomorphic Encryption-based Merkle Tree for Lightweight Streaming Authenticated Data Structures," Journal of Network and Computer Applications, vol. 107, pp. 113-124, 2018.

[3] Zheli Liu, Yanyu Huang, Jin Li, Xiaochun Cheng, and Chao Shen, "DivORAM: Towards a Practical Oblivious RAM with Variable Block Size," Information Sciences, vol. 447, pp. 1-11, 2018.

[4] Tong Li, Jin Li, Zheli Liu, Ping Li, and Chunfu Jia, "Differentially Private Naive Bayes Learning over Multiple Data Sources," Information Sciences, vol. 444, pp. 89-104, 2018.

[5] Chong-zhi Gao, Qiong Cheng, Pei He, Willy Susilo, and Jin Li, "Privacy-Preserving Naive Bayes Classifiers Secure against the Substitution-then-Comparison Attack," Information Sciences, vol. 444, pp. 72-88, 2018.

[6] Jin Li, Jingwei Li, Xiaofeng Chen, Chunfu Jia, Wenjing Lou, "Identity-based Encryption with Outsourced Revocation in Cloud Computing," IEEE Transactions on Computers, vol. 64, no. 2, pp. 425-437, 2015.

[7] Ping Li, Jin Li, Zhengan Huang, Tong Li, Chong-Zhi Gao, Siu-Ming Yiu, Kai Chen, "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76-85, 2017.

[8] Applebaum, B., Cash, D., Peikert, C., Sahai, A., "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," Lecture Notes in Computer Science, vol. 5677, pp. 595-618, 2009.

[9] G. Liu, H. Li, L. Yang, "A Topology Preserving Method of Evolving Contours Based on Sparsity Constraint for Object Segmentation," IEEE Access, vol. 5, no. 99, pp. 19971-19982, 2017.

[10] Yang L, Xiang Y, Peng D, "Precoding-Based Blind Separation of MIMO FIR Mixtures," IEEE Access, no. 99, pp. 1-1, 2017.

[11] Neal Koblitz, Alfred Menezes and Scott Vanstone, "The State of Elliptic Curve Cryptography," Designs, Codes and Cryptography, vol. 19, no. 2-3, pp. 173-193, 2000.

[12] Shor, P.W., "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM J. Comput., vol. 26, no. 5, pp. 1484-1509, 1997.

[13] Zhengan Huang, Shengli Liu, Xianping Mao, Kefei Chen, and Jin Li, "Insight of the Protection for Data Security under Selective Opening Attacks," Information Sciences, vol. 412-413, pp. 223-241, 2017.

[14] Qun Lin, Hongyang Yan, Zhengan Huang, Wenbin Chen, Jian Shen, Yi Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, DOI 10.1109/ACCESS.2018.2809426.

[15] Dan Boneh, Alice Silverberg, "Applications of multilinear forms to cryptography," Contemporary Mathematics, vol. 324, pp. 71-90, 2003.

[16] Sanjam Garg, Craig Gentry, and Shai Halevi, "Candidate multilinear maps from ideal lattices," Lecture Notes in Computer Science, vol. 7881, pp. 1-17, 2013.

[17] Jean-Sébastien Coron, Tancrède Lepoint, and Mehdi Tibouchi, "Practical multilinear maps over the integers," Lecture Notes in Computer Science, vol. 8042, pp. 476-493, 2013.

[18] Susan Hohenberger, Amit Sahai, and Brent Waters, "Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures," Cryptology ePrint Archive, http://eprint.iacr.org/2013/434.pdf, July 10, 2013.

[19] Yupu Hu and Huiwen Jia, "Cryptanalysis of GGH Map," Cryptology ePrint Archive, http://eprint.iacr.org/2015/301.pdf, Feb 19, 2016.

[20] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," Journal of the ACM, vol. 56, no. 6, pp. 1-40, 2009.

[21] Gentry, C., Peikert, C., Vaikuntanathan, V., "Trapdoors for hard lattices and new cryptographic constructions," Electronic Colloquium on Computational Complexity, vol. 2008, no. 14, pp. 197-206, 2008.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


Zhimin Yu was born in Meihekou, China in October 1973. He received a B.S. degree in Computer Engineering from Tongji University, Shanghai, China, in 1996 and an M.S. degree in Computer Application from Tongji University, Shanghai, China, in 2004. He is currently a lecturer at the School of Computer Engineering of Jiangsu University of Technology in China. His research interests include cryptology and information security.

Chong-zhi Gao received his Ph.D. (2004) in Applied Mathematics from Sun Yat-sen University. Currently, he is a professor at the School of Computer Science of Guangzhou University. His research interests include cryptography and privacy in machine learning.

Zhengjun Jing was born in Danyang, China in October 1978. He received his Ph.D. in Information and Security from Nanjing University of Posts and Telecommunications in 2015. Since 2016, he has been an Associate Professor in the Department of Computer Engineering, Jiangsu University of Technology. His interests are in the cryptanalysis and design of cryptography.

Brij B. Gupta received the Ph.D. degree in information and cyber security from IIT Roorkee, Roorkee, India. He is currently an Assistant Professor with the Department of Computer Engineering, National Institute of Technology, Kurukshetra, India. His research interests include information security, cyber security, cloud computing, web security, intrusion detection, and phishing.

Qiuru Cai was born in Qinhuangdao, China in September 1972. She received a B.S. degree in Computer Engineering from Northeastern University, Shenyang, China, in 1996 and an M.S. degree in Computer Application from Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2008. She is currently a lecturer at the School of Computer Engineering of Jiangsu University of Technology in China. Her research interests include cryptology and information security.
