This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2840119, IEEE Access
A Practical Public Key Encryption Scheme Based on Learning Parity with Noise

Zhimin Yu (1), Chong-zhi Gao (2, 4), Zhengjun Jing (1), Brij Bhooshan Gupta (3), Qiuru Cai (1)

1 School of Computer Engineering, Jiangsu University of Technology, Changzhou, Jiangsu 213001, China
2 School of Computer Science and Educational Software, Guangzhou University, China
3 Department of Computer Engineering, National Institute of Technology Kurukshetra, India
4 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, China

Corresponding author: Chong-zhi Gao (e-mail: [email protected]).

This work was financially supported by the National Natural Science Foundation of China (Grant Nos. 61672270, 61602216, 61702236), the Changzhou Applied Basic Research Guidance Project (2016365), the Changzhou Science and Technology Program (CJ20179027) and the State Key Laboratory of Cryptology, China.
Abstract: To protect cyber security and privacy, it is critical to design secure and practical public key encryption schemes. Today, big data and cloud computing bring not only unprecedented opportunities but also fundamental security challenges. Big data faces many security risks in the collection, storage and use of data and brings serious problems regarding the disclosure of private user data. It is challenging to achieve security and privacy protection in the big data environment. Thus, to meet the growing demand for public key encryption in this environment, we propose a single-bit public key encryption scheme based on a variant of LPN (Learning Parity with Noise) and extend it to a multi-bit public key encryption scheme. We prove the correctness and CPA (Chosen Plaintext Attack) security of the proposed method. Our schemes solve the encoding error rate problem of the existing public key schemes based on LPN, and the encoding error rate in our schemes is negligible.

INDEX TERMS: CPA, Encoding error ratio, Encryption, LPN, Public key encryption

I. INTRODUCTION

With the development and application of big data and cloud computing technology, the big data environment has put forward higher requirements for data encryption, and the design of a practical and secure public key encryption scheme has important practical significance. Considering data security in the big data environment, many valuable schemes have been put forward [1-3]. They have been shown to be useful in applications such as protecting privacy in machine learning [4, 5] and protecting security in cloud computing [6, 7]. The main classical public key schemes were designed based on a number of difficult number theory problems, such as large number factorization and discrete logarithms [8-11]. However, many traditional number theory assumptions on which the above schemes are based can be solved by quantum algorithms [12]. That is, in the era of quantum computing, these public key encryption schemes are broken. Therefore, in the post quantum era, new public key encryption schemes based on new difficult problems need to be designed and
2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
implemented [13-14] for the new computing environments and applications.

In 2003, Boneh and Silverberg defined the concept of ideal multilinear mapping and demonstrated its application scenarios [15]. However, it was not until 2013 that Garg, Gentry and Halevi (GGH) proposed the first realistic multilinear mapping based on ideal lattices [16], with its security based on the multi-level Diffie-Hellman computational and decisional problems (GCDH/GDDH). Many new schemes have been designed based on the GGH scheme [17, 18]. Recently, the GGH scheme was proved to be insecure [19], and new multilinear mapping constructions are being explored.

Regev proposed LWE (Learning with Errors) based on lattice theory [20], which has been widely used in public key cryptosystem design and in applications of data encryption in cloud computing [21-28]. Although LWE problems can resist quantum attacks, the public key size in schemes designed based on LWE is too large, and the reduction of this size is an open problem.

If we design public key schemes based on the variant of LPN that is the special case of LWE in F_2, the size of the public key is small. In an LPN (Learning Parity with Noise) problem there is a randomly selected public n-dimensional vector a ∈ Z_2^n and a randomly selected private n-dimensional vector s ∈ Z_2^n. An attacker can get a sample set (a, ⟨a, s⟩ ⊕ e), where e ← Ber_τ. Ber_τ represents the Bernoulli distribution, that is, the discrete probability distribution on {0, 1} in which 1 occurs with probability τ (0 < τ < 1). The parameter τ in the standard LPN problem satisfies 0 < τ < 0.5 and is essentially the noise rate. On this basis, if the attacker is able to distinguish between the sampled element and the random element (a, r), r ←$ Z_2, the attacker can solve the DLPN problem (decisional LPN).

To date, there are two kinds of non-trivial solving methods for LPN problems. One kind of method intends to exhaust all possible noise vectors, and the other solves the LPN problem based on the Blum-Kalai-Wasserman (BKW) algorithm [29]. The original BKW algorithm has sub-exponential time complexity 2^{O(n/log n)} with 2^{O(n/log n)} samples. Lyubashevsky gives a BKW algorithm variant that requires higher time complexity 2^{O(n/log log n)} but only n^{1+ε} samples [30]. Recently, Kirchner also proposed an improved algorithm with less running time [31]. Although there are many solving algorithms for a variety of LPN problems, there are no polynomial-time algorithms, nor quantum algorithms.

The creation and calculation of LPN instances are very simple, but it is very difficult to solve the DLPN problem. Therefore, it is very attractive to design cryptographic applications based on LPN. The LPN problem has been widely used in symmetric encryption [32-36], but there has been little progress in the design of public key schemes. In 2003, Alekhnovich proposed a public-key encryption scheme based on a decisional LPN problem [37]. In this scheme, the noise ratio is τ = 1/√n instead of a constant as defined in the standard LPN problem. Subsequently, Damgård et al. proposed not only a public key encryption scheme based on the decisional LPN problem but also a public-key encryption scheme based on a ring-LPN problem [38]. Damgård et al. proved the security of these schemes. Meanwhile, these schemes are practical. Damgård et al. compared some practical public key encryption algorithms such as RSA for computational efficiency, public key size and ciphertext size. Although the RSA algorithm does not have an anti-quantum
offensive property, the performance comparison is meaningful.

However, non-negligible encoding error exists in all existing public key schemes based on an LPN variant [37, 38]. To solve this problem, we designed a new public-key encryption scheme. First, we extend the LPN variant to a matrix LPN problem, and a new public key encryption scheme is proposed based on this LPN variant. There are two advantages to the proposed scheme. First, we maintain the largest advantages of LPN, which are rapid instance generation and rapid computing; second, we solve the encoding error problem of existing public key encryption schemes. In Damgård's scheme there are two vectors f, e ← Ber_τ^n. The correctness of the scheme relies on the fact that the inner product f^T e will be zero with the greater probability Pr(f^T e = 0) = 1/2 + (1 − 2τ²)^n / 2 if the parameter τ is selected carefully. As this probability is greater than one half but the remaining error probability is not negligible, there is an encoding error in the decryption. Damgård chose parameters to ensure the decryption error rate is less than 25% and chose the ciphertext expansion as 5. However, the decoding error probability over all five bits is still (1/4)^5 = 1/2^10. Meanwhile, Damgård chose a small noise rate τ = 1/√n to meet this condition. Obviously, if τ is too small, the attacker will crack the scheme easily.

Our contributions include the following. Firstly, we reduce the DLPN variant problem with S ← Ber_τ^{n×n} to the normal DLPN problem. So, our schemes are under the normal DLPN assumption. Secondly, we construct a new single-bit public key encryption algorithm in which a plaintext bit is converted to a bit-vector involved in the cryptographic operations. When a ciphertext is decrypted, if the hamming weight of the n-dimensional vector is less than n/2, the plaintext bit is 0, and vice versa, the plaintext bit is 1. The probability of the hamming weight exceeding its expectation decays exponentially to a negligible value; thus, the decryption error probability is negligible. Thirdly, we extend the single-bit scheme to a multi-bit public key encryption algorithm.

In our single-bit and multi-bit schemes, even if we choose a larger parameter τ = 1/√n, it is still ensured that the decryption error can be ignored. Therefore, under the premise of security, the size of the public key is smaller than in Damgård's scheme. Meanwhile, the total encryption and decryption time of our algorithms is greatly reduced.

The remainder of this paper is organized as follows. In Section 2, preliminary knowledge is given. In Section 3, we propose a single-bit and a multi-bit public key encryption scheme. Then, in Section 4, we give the comparison between our scheme and the existing scheme. The conclusion is given in Section 5.

II. Preliminaries

We first introduce the notation used in this paper and present the definition of the LPN problem [39].

A. Notation

We work entirely in the field GF(2). For a vector u ∈ Z_2^k, the i-th entry of the column vector u is denoted by u_i. The i-th column vector of a matrix U is denoted by u_i. x ← D means that x is drawn from the distribution D. Assuming A is an n × n matrix, A^T denotes the transpose of A and A^{-1} denotes the inverse matrix of A. A probability ε(n) is said to be negligible if
ε(n) < 1/p(n) for any polynomial p(n) and all sufficiently large integers n. A Bernoulli distribution with parameter τ is denoted by Ber_τ. Ber_τ^k denotes the distribution of vectors a ∈ Z_2^k where each entry of the vector is drawn independently from Ber_τ. Bin_{n,τ} denotes the binomial distribution with n trials, each with success probability τ. X ← Bin_{n,τ} denotes that X is drawn from the distribution Bin_{n,τ}. For a vector a ∈ Z_2^k, its hamming weight is the number of ones in a. The function h(a) calculates the hamming weight of a. Let 1_n = (1, 1, ..., 1) ∈ Z_2^n denote the all-ones vector; adding a bit m to an n-dimensional vector means adding m · 1_n to it.

B. Decisional LPN Problem

Definition 1 (Decisional LPN Problem). Given parameters n, τ = 1/√n and randomly selected matrices A ∈ Z_2^{n×n}, S ∈ Z_2^{n×n}, an attacker can obtain a sample set (A, AS ⊕ E), where E ← Ber_τ^{n×n}. If the attacker can distinguish between a new sample (A, AS ⊕ E) and (A, R), R ←$ Z_2^{n×n}, with non-negligible probability after obtaining enough samples, then the attacker is able to solve the decisional LPN (DLPN) problem.

Definition 2 (Decisional LPN Assumption). The probability of any probabilistic polynomial time (PPT) attacker solving the decisional LPN problem with parameters (n, τ) is negligible. Alekhnovich defined the noise ratio τ = 1/√n [37].

III. Public Key Encryption Scheme Based on DLPN

In this section, we first give a single-bit public key encryption scheme based on DLPN, and then we prove the correctness and security of the scheme. Second, we extend the single-bit scheme to a multi-bit public key encryption scheme and prove its correctness and security.

A. Single-Bit Public Key Encryption Scheme

1) CONSTRUCTION OF THE SCHEME

A single-bit public key encryption scheme includes three PPT algorithms (KeyGen, Enc, Dec) following these steps:

(1) The key generation algorithm KeyGen(1^n, τ) takes as input an integer n and a noise rate τ. Choose a matrix A ∈ Z_2^{n×n} randomly and choose S ← Ber_τ^{n×n}, E ← Ber_τ^{n×n}. Compute B = AS + E. It returns a public key pk = (A, B) and a private key sk = (S).

(2) The encryption algorithm Enc(pk, m) takes as input the public key pk and a message m ∈ Z_2. Choose r, e_1, e_2 ← Ber_τ^n and compute c_1 = r^T A ⊕ e_1^T, c_2 = r^T B ⊕ e_2^T ⊕ m. It returns a ciphertext c = (c_1, c_2).

(3) The decryption algorithm Dec(sk, c) takes the private key sk and a ciphertext c = (c_1, c_2) as input. Compute d = c_1 S + c_2. If h(d) < n/2, it returns m = 0; else it returns m = 1.

2) CORRECTNESS

Before giving the proof of correctness of the scheme, we introduce Lemma 3, whose proof can be found in reference [38].

Lemma 3 ([38], Lemma 2.5). Let X ← Bin_{n,τ}. Then, the probability that X is even is 1/2 + (1 − 2τ)^n / 2.
Lemma 4. The probability of decryption error of the single-bit public key encryption scheme is negligible.

Proof. Because d = c_1 S + c_2 = (r^T A ⊕ e_1^T) S ⊕ r^T B ⊕ e_2^T ⊕ m, substituting B = AS + E into the above equation we get d = r^T E ⊕ e_1^T S ⊕ e_2^T ⊕ m. As we know r ← Ber_τ^n and E ← Ber_τ^{n×n}, so each entry of c = r^T E is c_i = Σ_{j=1}^{n} r_j e_{j,i}. From Lemma 3, the probability that c_i is 0 will be 1/2 + (1 − 2τ²)^n / 2. Similarly, the probability that each entry of e_1^T S is 0 will be 1/2 + (1 − 2τ²)^n / 2. Lastly, because e_2^T ← Ber_τ^n, we can reach the following conclusions:

h(r^T E ⊕ e_1^T S ⊕ e_2^T) ≤ h(r^T E) + h(e_1^T S) + h(e_2^T),

h(r^T E) + h(e_1^T S) + h(e_2^T) ≤ n(1 − (1 − 2τ²)^n).

According to the parameters selected in the scheme, h(r^T E ⊕ e_1^T S ⊕ e_2^T) < n/2 can be met. Obviously, if the plaintext is 1, it is equivalent to applying the inverse (negation) operation to e_2^T, and if the plaintext is 0, e_2^T remains unchanged. So, if m = 0, then h(r^T E ⊕ e_1^T S ⊕ e_2^T) < n/2; on the contrary, when m = 1 there must be h(d) ≥ n/2.

The function h(r^T E ⊕ e_1^T S ⊕ e_2^T) takes as input different integers n and the larger noise rate τ = 1/√n. We give in Table I the mathematical expectation of h(r^T E ⊕ e_1^T S ⊕ e_2^T) when the plaintext is m = 0.

TABLE I. Mathematical expectation of h(d) when m = 0.

| n | n/2 | 1/√n | E(h(r^T E)) | E(h(e_1^T S)) | E(h(e_2^T)) | E(h(d)) |
|---|---|---|---|---|---|---|
| 9000 | 4500 | 0.010541 | 514 | 514 | 95 | ≈1123 |
| 21000 | 10500 | 0.006901 | 1276 | 1276 | 145 | ≈2697 |
| 29000 | 14500 | 0.005872 | 1795 | 1795 | 166 | ≈3755 |
| 80000 | 40000 | 0.003536 | 5131 | 5131 | 282 | ≈10544 |
| 145000 | 72500 | 0.002626 | 9431 | 9431 | 381 | ≈19243 |

3) SECURITY PROOF

Although we sample the private key S ← Ber_τ^{n×n} instead of S ← Z_2^{n×n}, the security of the scheme is still based on DLPN. Therefore, before giving the security proof, we introduce Lemma 5.

Lemma 5. Choose A ∈ Z_2^{n×n}, S ← Ber_τ^{n×n} and E ← Ber_τ^{n×n} randomly. Compute B = AS + E. Under the DLPN assumption, (A, B) is indistinguishable from a pair sampled from the uniform distribution on Z_2^{n×n} × Z_2^{n×n}.
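The sample transformation used in the proof of Lemma 5, carried out on constructed samples as an added example (this is not code from the paper): A_1 is inverted over F_2 by Gauss-Jordan elimination, each sample (A_i, B_i) is mapped to (A_i A_1^{-1}, B_i ⊕ A_i A_1^{-1} B_1), and the result is checked against (A_i', A_i' E_1 ⊕ E_i), so that the Bernoulli matrix E_1 takes the role of the secret. The values n = 16, τ = 0.25 and the RNG seed are demo choices, not the paper's parameters.

```python
"""F2 matrix helpers and the LPN sample transformation from the proof of Lemma 5."""
import random

# A matrix over F2 is a list of rows; each row is a Python int whose bit j is entry (row, j).


def ber_matrix(rows, cols, tau, rng):
    """Sample a rows x cols matrix with i.i.d. Ber_tau entries."""
    return [sum(1 << j for j in range(cols) if rng.random() < tau) for _ in range(rows)]


def uniform_matrix(rows, cols, rng):
    """Sample a rows x cols matrix uniformly from Z_2^{rows x cols}."""
    return [rng.getrandbits(cols) for _ in range(rows)]


def matmul(X, Y):
    """X times Y over F2: row i of XY is the XOR of the rows Y[j] for which bit j of X[i] is set."""
    out = []
    for xi in X:
        acc, j = 0, 0
        while xi:
            if xi & 1:
                acc ^= Y[j]
            xi >>= 1
            j += 1
        out.append(acc)
    return out


def matadd(X, Y):
    """Entry-wise addition over F2 (XOR of rows)."""
    return [x ^ y for x, y in zip(X, Y)]


def inverse(A, n):
    """Gauss-Jordan inverse of an n x n matrix over F2; returns None if A is singular."""
    aug = [(A[i], 1 << i) for i in range(n)]  # rows of the augmented matrix [A | I]
    for col in range(n):
        piv = next((k for k in range(col, n) if aug[k][0] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for k in range(n):  # clear column `col` in every other row
            if k != col and aug[k][0] >> col & 1:
                aug[k] = (aug[k][0] ^ aug[col][0], aug[k][1] ^ aug[col][1])
    return [inv for _, inv in aug]  # left half is now I, right half is A^{-1}


def transform_sample(A1, B1, Ai, Bi, n):
    """Map (A_i, B_i) to (A_i A_1^{-1}, B_i + A_i A_1^{-1} B_1), as in the proof of Lemma 5."""
    A1inv = inverse(A1, n)
    if A1inv is None:
        raise ValueError("A_1 is singular; pick another sample as the pivot")
    Ai_prime = matmul(Ai, A1inv)
    Bi_prime = matadd(Bi, matmul(Ai_prime, B1))
    return Ai_prime, Bi_prime


def check_reduction(n=16, tau=0.25, seed=1):
    """Build two DLPN samples with a uniform secret S (demo sizes, constructed here) and verify
    that the transformed pair equals (A_i', A_i' E_1 + E_i): a sample whose secret is E_1."""
    rng = random.Random(seed)
    S = uniform_matrix(n, n, rng)
    while True:  # the pivot sample needs an invertible A_1
        A1 = uniform_matrix(n, n, rng)
        if inverse(A1, n) is not None:
            break
    E1 = ber_matrix(n, n, tau, rng)
    B1 = matadd(matmul(A1, S), E1)
    Ai = uniform_matrix(n, n, rng)
    Ei = ber_matrix(n, n, tau, rng)
    Bi = matadd(matmul(Ai, S), Ei)
    Ai_prime, Bi_prime = transform_sample(A1, B1, Ai, Bi, n)
    expected = matadd(matmul(Ai_prime, E1), Ei)
    return Bi_prime == expected
```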
Proof. Given a set of LPN samples (A_i, B_i = A_i S ⊕ E_i), where A_i ∈ Z_2^{n×n}, S ∈ Z_2^{n×n} and E_i ← Ber_τ^{n×n}, and assuming without loss of generality that A_1 is invertible with A_1^{-1} ∈ Z_2^{n×n}, we have

(A_i A_1^{-1}, B_i ⊕ A_i A_1^{-1} B_1) = (A_i A_1^{-1}, B_i' = E_i ⊕ A_i A_1^{-1} E_1) = (A_i', B_i' = A_i' E_1 ⊕ E_i),

where A_i' = A_i A_1^{-1}. If (A_i, B_i) is an LPN sample selected according to Definition 2 instead of from the uniform distribution on Z_2^{n×n} × Z_2^{n×n}, then (A_i', B_i') meets the definition in section 3.1.1. When there is a PPT algorithm that can distinguish (A_i', B_i') from the uniform distribution on Z_2^{n×n} × Z_2^{n×n}, this algorithm can also distinguish (A_i, B_i) from the uniform distribution on Z_2^{n×n} × Z_2^{n×n}. Therefore, the DLPN variant problem with S ← Ber_τ^{n×n} can be reduced to the normal DLPN problem. □

Theorem 6 (Security). Under the DLPN assumption, the single-bit public key scheme is secure against a chosen plaintext attack.

Proof. Suppose the single-bit public key scheme defined in section 3.1.1 has parameters n, τ and public key pk = (A, B). Let R ∈ Z_2^{n×2n} be the matrix with r_{i,j} = a_{i,j} for 1 ≤ i ≤ n, 1 ≤ j ≤ n and r_{i,j} = b_{i,j} for 1 ≤ i ≤ n, n < j ≤ 2n. Obviously, R has the same distribution as pk = (A, B). If the plaintext is m = 0, the ciphertext is (r^T A ⊕ e_1^T, r^T B ⊕ e_2^T), which can be written as r^T R ⊕ e^T, where e ∈ Z_2^{2n} with e_i = (e_1)_i for 1 ≤ i ≤ n and e_i = (e_2)_i for n < i ≤ 2n. According to the DLPN assumption, (R, r^T R ⊕ e^T) is indistinguishable from (S, r^T S ⊕ e^T), where S ∈ Z_2^{n×2n}, r ← Ber_τ^n and e ← Ber_τ^{2n}. Furthermore, (S, r^T S ⊕ e^T) and (S, r^T) also cannot be distinguished, in which r is uniformly chosen from Z_2^{2n}. If the plaintext is m = 1, e_2^T ⊕ m does not change the distribution of e_2^T and only negates e_2^T. Hence, a ciphertext is indistinguishable from random digits. □

B. Multi-Bit Public Key Encryption Scheme

1) CONSTRUCTION OF THE SCHEME

A multi-bit public key encryption scheme includes three PPT algorithms (KeyGen, Enc, Dec) following these steps:

(1) The key generation algorithm KeyGen(1^n, τ) takes as input an integer n and a noise rate τ. Choose a matrix A ∈ Z_2^{n×n} randomly and choose S ← Ber_τ^{n×n}, E ← Ber_τ^{n×n}. Compute B = AS + E. It returns a public key pk = (A, B) and a private key sk = (S).

(2) The encryption algorithm Enc(pk, m) takes as input the public key pk and a message m ∈ Z_2^n. First, convert m to a square matrix M ∈ Z_2^{n×n}: if m_i = 0, each entry of the i-th column of M is 0, and vice versa, each entry of the i-th
column is 1. For example, if m = (1, 1, 0, 0), then

M =
1 1 0 0
1 1 0 0
1 1 0 0
1 1 0 0

Then choose R, E_1, E_2 ← Ber_τ^{n×n} and compute C_1 = RA ⊕ E_1, C_2 = RB ⊕ E_2 ⊕ M. It returns a ciphertext C = (C_1, C_2).

(3) The decryption algorithm Dec(sk, C) takes as input the private key sk and a ciphertext C = (C_1, C_2). Compute D = C_1 S + C_2. If the hamming weight of the i-th column of D satisfies h(d_i) < n/2, then m_i = 0; otherwise m_i = 1. At last it returns m.

2) CORRECTNESS

Lemma 7. The probability of decryption error of the multi-bit public key encryption scheme is negligible.

Proof. It is very easy to verify that D = C_1 S + C_2 = (RA ⊕ E_1) S ⊕ RB ⊕ E_2 ⊕ M; substituting B = AS + E into the above equation, we get D = RE ⊕ E_1 S ⊕ E_2 ⊕ M, where R, E_1, E_2 ← Ber_τ^{n×n}. According to Lemma 3, the expected hamming weight of each column of RE and of E_1 S is n(1/2 − (1 − 2τ²)^n / 2). When the plaintext entry m_i is zero, the hamming weight h(d_i) is at most n(1 − (1 − 2τ²)^n). According to the parameters selected in the scheme, h(d_i) < n/2 can be met. Obviously, if the plaintext entry is m_i = 1, it is equivalent to applying the inverse operation to (e_2)_i^T; if the plaintext entry is 0, (e_2)_i^T remains unchanged. Therefore, if m_i = 0, then h(d_i) < n/2; in contrast, h(d_i) ≥ n/2 if m_i = 1. □

3) SECURITY PROOF

Theorem 8 (Security). Under the DLPN assumption, the multi-bit public key scheme is secure against a chosen plaintext attack.

Proof. Suppose the multi-bit public key scheme defined in section 3.2.1 has parameters n, τ and public key pk = (A, B). Let Q ∈ Z_2^{n×2n} be the matrix with q_{i,j} = a_{i,j} for 1 ≤ i ≤ n, 1 ≤ j ≤ n and q_{i,j} = b_{i,j} for 1 ≤ i ≤ n, n < j ≤ 2n. Obviously, Q has the same distribution as pk = (A, B). If every entry of the plaintext is m_i = 0, the ciphertext is (RA ⊕ E_1, RB ⊕ E_2), which can be written as RQ ⊕ E, where E ∈ Z_2^{n×2n} with e_{i,j} = (e_1)_{i,j} for 1 ≤ i ≤ n, 1 ≤ j ≤ n and e_{i,j} = (e_2)_{i,j} for 1 ≤ i ≤ n, n < j ≤ 2n. According to the DLPN assumption, (Q, RQ ⊕ E) is indistinguishable from (S, RS ⊕ E), where S ∈ Z_2^{n×2n}, R ← Ber_τ^{n×n} and E ← Ber_τ^{n×2n}. (S, RS ⊕ E) and (S, R) also cannot be distinguished, in which R is randomly chosen from Z_2^{n×2n}. If a plaintext entry is m_i = 1, (e_2)_i^T ⊕ m_i does not change the distribution of (e_2)_i^T and simply negates (e_2)_i^T. Hence, the ciphertext is indistinguishable from random. □
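An added, runnable rendering of the single-bit and multi-bit constructions above (this is not the authors' C++/NTL implementation): KeyGen, Enc and Dec over F_2 with matrix rows stored as Python ints, plus the Lemma 3 parity probability that Lemma 4 and Lemma 7 rely on. The parameters n = 128, τ = 0.02 and the RNG seed are constructed for a quick offline run rather than the paper's n ≥ 9000, τ = 1/√n; expected_weight_bound() evaluates the Lemma 4 weight bound for any (n, τ) so the n/2 decision threshold can be checked before parameters are fixed.

```python
"""Single-bit and multi-bit DLPN encryption from Section III, with the Lemma 3 weight estimate."""
import functools
import operator
import random

# A matrix over F2 is a list of row ints: bit j of row i is entry (i, j). A row vector is one int.


def ber_row(cols, tau, rng):
    """One row of i.i.d. Ber_tau bits."""
    return sum(1 << j for j in range(cols) if rng.random() < tau)


def ber_matrix(rows, cols, tau, rng):
    """rows x cols matrix drawn from Ber_tau^{rows x cols}."""
    return [ber_row(cols, tau, rng) for _ in range(rows)]


def matmul(X, Y):
    """X times Y over F2: row i of XY is the XOR of the rows Y[j] where bit j of X[i] is set."""
    return [functools.reduce(operator.xor, (Y[j] for j in range(len(Y)) if xi >> j & 1), 0) for xi in X]


def vecmat(x, Y):
    """Row vector times matrix (x^T Y in the paper's notation)."""
    return matmul([x], Y)[0]


def keygen(n, tau, rng):
    """pk = (A, B = AS + E) with A uniform and S, E Bernoulli; sk = S (shared by both schemes)."""
    A = [rng.getrandbits(n) for _ in range(n)]
    S = ber_matrix(n, n, tau, rng)
    E = ber_matrix(n, n, tau, rng)
    B = [b ^ e for b, e in zip(matmul(A, S), E)]
    return (A, B), S


def enc_bit(pk, m, tau, rng):
    """Single-bit Enc: c1 = r^T A + e1^T, c2 = r^T B + e2^T + m*1_n (m is XORed into every entry)."""
    A, B = pk
    n = len(A)
    r, e1, e2 = (ber_row(n, tau, rng) for _ in range(3))
    ones = (1 << n) - 1 if m else 0
    return vecmat(r, A) ^ e1, vecmat(r, B) ^ e2 ^ ones


def dec_bit(sk, c):
    """Single-bit Dec: d = c1 S + c2; the bit is 0 iff h(d) < n/2."""
    c1, c2 = c
    d = vecmat(c1, sk) ^ c2
    return 0 if bin(d).count("1") < len(sk) / 2 else 1


def enc_vec(pk, m_bits, tau, rng):
    """Multi-bit Enc: column i of M is all m_i, so every row of M equals the message row;
    C1 = RA + E1, C2 = RB + E2 + M."""
    A, B = pk
    n = len(A)
    R, E1, E2 = (ber_matrix(n, n, tau, rng) for _ in range(3))
    m_row = sum(1 << i for i, b in enumerate(m_bits) if b)
    C1 = [x ^ e for x, e in zip(matmul(R, A), E1)]
    C2 = [x ^ e ^ m_row for x, e in zip(matmul(R, B), E2)]
    return C1, C2


def dec_vec(sk, C):
    """Multi-bit Dec: D = C1 S + C2; m_i = 0 iff the hamming weight of column i of D is below n/2."""
    C1, C2 = C
    n = len(sk)
    D = [x ^ y for x, y in zip(matmul(C1, sk), C2)]
    return [0 if sum(row >> i & 1 for row in D) < n / 2 else 1 for i in range(n)]


def parity_one_prob(k, p):
    """Lemma 3: Pr[X is odd] for X ~ Bin(k, p) equals 1/2 - (1 - 2p)^k / 2."""
    return 0.5 - (1 - 2 * p) ** k / 2


def expected_weight_bound(n, tau):
    """Expected value of the Lemma 4 bound h(r^T E) + h(e1^T S) + h(e2^T) for m = 0: each entry of
    r^T E and of e1^T S is a sum of n products of two Ber_tau bits (each Ber_{tau^2}), plus n*tau ones of e2."""
    return 2 * n * parity_one_prob(n, tau * tau) + n * tau


def demo(n=128, tau=0.02, seed=1):
    """Round-trip both schemes on constructed demo parameters; returns (single_bit_ok, multi_bit_ok)."""
    rng = random.Random(seed)
    pk, sk = keygen(n, tau, rng)
    bit_ok = all(dec_bit(sk, enc_bit(pk, m, tau, rng)) == m for m in (0, 1))
    msg = [rng.getrandbits(1) for _ in range(n)]
    vec_ok = dec_vec(sk, enc_vec(pk, msg, tau, rng)) == msg
    return bit_ok, vec_ok
```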
IV. Performance Analysis

For 80-, 112- and 128-bit security we choose n = 9000, 21000 and 29000, respectively, which are suitable and correspond to the security levels of 1024-, 2048- and 3072-bit RSA [23]. Table II lists the comparison between our schemes and the Damgård schemes in computational efficiency. All calculations in the schemes based on LPN are over the field F_2. Therefore, multiplication and addition have the same overhead, and the computational times in the table are the sum of the multiplication and addition counts. Our scheme has the same public key size as the Damgård scheme. Although our scheme increases slightly in ciphertext size and computational overhead, its decryption error is negligible.

TABLE II. COMPARISON BETWEEN OUR SCHEME AND DAMGÅRD'S SCHEME IN SIZE OF PUBLIC KEY AND CIPHERTEXT

| Scheme | Size of public key (bits) | Size of ciphertext (bits) | Encoding error |
|---|---|---|---|
| Damgård's single-bit | 2n² + 2n | n + 1 | yes |
| Our single-bit | 2n² | 2n | no |
| Damgård's multi-bit | 4n² | 2n | yes |
| Our multi-bit | 2n² | 2n² | no |

We compare the performance of our multi-bit scheme with RSA (without padding) and Damgård's scheme in an implementation for various security levels, as shown in Table III. The implementation was written in C++ and made use of the NTL library for some mathematical operations. We can see that encryption in our scheme is slower than in RSA and decryption in our scheme is faster than in RSA. We get the opposite result when compared with Damgård's multi-bit scheme. The limitation of our approach is that it does not meet the stronger CCA security. Overcoming this shortcoming is one of our future research directions.

TABLE III. COMPARISON WITH DAMGÅRD'S SCHEME AND THE RSA PUBLIC KEY ENCRYPTION SCHEME

| Scheme | Time per encryption (ms), 80-bit | 112-bit | 128-bit | Time per decryption (ms), 80-bit | 112-bit | 128-bit |
|---|---|---|---|---|---|---|
| RSA scheme (without padding) | 0.010 | 0.030 | 0.060 | 0.140 | 0.940 | 2.890 |
| Damgård's multi-bit | 25.80 | 128.40 | 241.70 | 0.052 | 0.098 | 0.128 |
| Our multi-bit scheme | 15.60 | 45.30 | 102.10 | 0.11 | 0.221 | 0.258 |

V. Conclusions

In the post quantum era, the design of public key cryptography under the DLPN assumption is an important research direction. Such schemes have many advantages, such as shorter public keys and ciphertexts and faster encryption and decryption. But the existing scheme still has the problem of decryption error, which is not satisfactory.

Based on the LPN variant problem, we proposed a single-bit and a multi-bit public key encryption scheme. Our scheme solves the decryption error problem of the existing public key encryption schemes based on DLPN. Compared to existing schemes, there is only a small increase in ciphertext space and computing overhead in our scheme. Our scheme not only is able to withstand quantum attack but also provides strong practical security at the same time. In the future, we will design a public key scheme based on DLPN with high security, smaller public key and ciphertext size, and smaller
computational overhead. Furthermore, designing public key cryptography that satisfies CCA security is also one of our future works.

References

[1] Xiaochao Sun, Bao Li, Xianhui Lu, Fuyang Fang, "CCA Secure Public Key Encryption Scheme Based on LWE Without Gaussian Sampling," Lecture Notes in Computer Science, vol. 9589, pp. 361-378, 2015.
[2] Jian Xu, Laiwen Wei, Yu Zhang, Andi Wang, Fucai Zhou, and Chong-zhi Gao, "Dynamic Fully Homomorphic Encryption-based Merkle Tree for Lightweight Streaming Authenticated Data Structures," Journal of Network and Computer Applications, vol. 107, pp. 113-124, 2018.
[3] Zheli Liu, Yanyu Huang, Jin Li, Xiaochun Cheng, and Chao Shen, "DivORAM: Towards a Practical Oblivious RAM with Variable Block Size," Information Sciences, vol. 447, pp. 1-11, 2018.
[4] Tong Li, Jin Li, Zheli Liu, Ping Li, and Chunfu Jia, "Differentially Private Naive Bayes Learning over Multiple Data Sources," Information Sciences, vol. 444, pp. 89-104, 2018.
[5] Chong-zhi Gao, Qiong Cheng, Pei He, Willy Susilo, and Jin Li, "Privacy-Preserving Naive Bayes Classifiers Secure against the Substitution-then-Comparison Attack," Information Sciences, vol. 444, pp. 72-88, 2018.
[6] Jin Li, Jingwei Li, Xiaofeng Chen, Chunfu Jia, Wenjing Lou, "Identity-based Encryption with Outsourced Revocation in Cloud Computing," IEEE Transactions on Computers, vol. 64, no. 2, pp. 425-437, 2015.
[7] Ping Li, Jin Li, Zhengan Huang, Tong Li, Chong-Zhi Gao, Siu-Ming Yiu, Kai Chen, "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76-85, 2017.
[8] Applebaum, B., Cash, D., Peikert, C., Sahai, A., "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," Lecture Notes in Computer Science, vol. 5677, pp. 595-618, 2009.
[9] G. Liu, H. Li, L. Yang, "A Topology Preserving Method of Evolving Contours Based on Sparsity Constraint for Object Segmentation," IEEE Access, vol. 5, no. 99, pp. 19971-19982, 2017.
[10] Yang L, Xiang Y, Peng D, "Precoding-Based Blind Separation of MIMO FIR Mixtures," IEEE Access, no. 99, pp. 1-1, 2017.
[11] Neal Koblitz, Alfred Menezes and Scott Vanstone, "The State of Elliptic Curve Cryptography," Designs, Codes and Cryptography, vol. 19, no. 2-3, pp. 173-1193, 2000.
[12] Shor, P. W., "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, 1997.
[13] Zhengan Huang, Shengli Liu, Xianping Mao, Kefei Chen, and Jin Li, "Insight of the Protection for Data Security under Selective Opening Attacks," Information Sciences, vol. 412-413, pp. 223-241, 2017.
[14] Qun Lin, Hongyang Yan, Zhengan Huang, Wenbin Chen, Jian Shen, Yi Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, DOI: 10.1109/ACCESS.2018.2809426.
[15] Dan Boneh, Alice Silverberg, "Applications of multilinear forms to cryptography," Contemporary Mathematics, vol. 324, pp. 71-90, 2003.
[16] Sanjam Garg, Craig Gentry, and Shai Halevi, "Candidate multilinear maps from ideal lattices," Lecture Notes in Computer Science, vol. 7881, pp. 1-17, 2013.
[17] Jean-Sébastien Coron, Tancrède Lepoint, and Mehdi Tibouchi, "Practical multilinear maps over the integers," Lecture Notes in Computer Science, vol. 8042, pp. 476-493, 2013.
[18] Susan Hohenberger, Amit Sahai, and Brent Waters, "Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures," Cryptology ePrint Archive, http://eprint.iacr.org/2013/434.pdf, July 10, 2013.
[19] Yupu Hu and Huiwen Jia, "Cryptanalysis of GGH Map," Cryptology ePrint Archive, http://eprint.iacr.org/2015/301.pdf, Feb 19, 2016.
[20] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," Journal of the ACM, vol. 56, no. 6, pp. 1-40, 2009.
[21] Gentry, C., Peikert, C., Vaikuntanathan, V., "Trapdoors for hard lattices and new cryptographic constructions," Electronic Colloquium on Computational Complexity, vol. 2008, no. 14, pp. 197-206, 2008.
Zhimin Yu was born in Meihekou, China, in October 1973. He received a B.S. degree in Computer Engineering from Tongji University, Shanghai, China, in 1996 and an M.S. degree in Computer Application from Tongji University, Shanghai, China, in 2004. He is currently a lecturer at the School of Computer Engineering of Jiangsu University of Technology in China. His research interests include cryptology and information security.

Chong-zhi Gao received his Ph.D. (2004) in Applied Mathematics from Sun Yat-sen University. Currently, he is a professor at the School of Computer Science of Guangzhou University. His research interests include cryptography and privacy in machine learning.

Zhengjun Jing was born in Danyang, China, in October 1978. He received his Ph.D. in Information and Security from Nanjing University of Posts and Telecommunications in 2015. Since 2016, he has been an Associate Professor in the Department of Computer Engineering, Jiangsu University of Technology. His interests are in the cryptanalysis and design of cryptography.

Brij B. Gupta received the Ph.D. degree in information and cyber security from IIT Roorkee, Roorkee, India. He is currently an Assistant Professor with the Department of Computer Engineering, National Institute of Technology, Kurukshetra, India. His research interests include information security, cyber security, cloud computing, web security, intrusion detection, and phishing.

Qiuru Cai was born in Qinhuangdao, China, in September 1972. She received a B.S. degree in Computer Engineering from Northeastern University, Shenyang, China, in 1996 and an M.S. degree in Computer Application from Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2008. She is currently a lecturer at the School of Computer Engineering of Jiangsu University of Technology in China. Her research interests include cryptology and information security.