k-Lin-based Homomorphic Encryption Schemes

Cited by: 1


Authors: LAI Jun-Zuo (赖俊祚) [1]; HUANG Zheng-An (黄正安); WENG Jian (翁健) [1]; WU Yong-Dong (吴永东) (College of Cyber Security, Ji'nan University, Guangzhou 510632, China; PengCheng Laboratory, Shenzhen 518055, China)

Affiliations: [1] College of Cyber Security, Ji'nan University, Guangzhou, Guangdong 510632; [2] PengCheng Laboratory, Shenzhen, Guangdong 518055

Source: Journal of Software (《软件学报》), 2023, No. 2, pp. 802-817, 16 pages

Funding: National Natural Science Foundation of China (61922036, U2001205); Guangdong Major Project of Basic and Applied Basic Research (2019B030302008).

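Abstract: As one of the core underlying technologies of digital currency, blockchain has attracted wide attention with the rapid development of digital currency. Because blockchain is decentralized, tamper-resistant and traceable, more and more enterprise and individual users now choose blockchain technology to transmit and record data. The open and transparent nature of blockchain fully guarantees the availability of data on the one hand, but on the other hand poses a serious threat to users' private information. To balance the confidentiality and availability of user data, homomorphic encryption is often used in blockchain security solutions. However, the security strength that real-world applications require of a deployed homomorphic encryption scheme is also likely to change over time. Given the complexity, diversity and distributed nature of blockchain application scenarios, once a homomorphic encryption scheme has been deployed, the workload of adjusting its security strength later will be very heavy. In addition, in real-world blockchain applications, regulatory requirements mean that in many cases (especially for data published and transmitted by certain group members) a trusted third party (such as a regulator) must be allowed to decrypt the corresponding ciphertext data on the chain. If a traditional homomorphic encryption scheme is used to encrypt the data, the trusted third party has to store the private keys of all users, which puts enormous pressure on key management and storage. In view of current blockchain application scenarios and security requirements, an additively homomorphic encryption scheme based on the decisional k-Lin assumption over $\mathbb{Z}_{N^{2}}^{*}$ is proposed. The scheme not only achieves IND-CCA1 security in the standard model, but also has three special advantages: (i) the security strength of the encryption scheme can be adjusted in a fine-grained way by tuning the parameter k; (ii) the encryption scheme has a double decryption mechanism: there are two kinds of private keys, one held by the user and the other held by the trusted third party, and the trusted third party's private key can decrypt the ciphertexts of all users of the cryptosystem; (iii) the encryption scheme can very conveniently be degraded to an IND-CPA secure public-key encryption scheme, and the degraded scheme not only has shorter public/private keys and ciphertexts, but also retains additive homomorphism and the double decryption mechanism.

Abstract (English, as published): Blockchain, as one of the underlying key technologies of digital currency, has received extensive attention with the rapid development of digital currency. Due to the decentralization, tamper resistance, traceability, and other properties of blockchain, more and more enterprise/individual users now choose to use blockchain technology to achieve data transmission and recording. On the one hand, the openness and transparency of the blockchain can fully guarantee the availability of data, but on the other hand, it brings high risks to users' privacy. In order to balance the confidentiality and availability of data, homomorphic encryption is usually employed in security solutions of blockchain. However, in practice, the security strength of the deployed homomorphic encryption schemes is likely to change over time. Considering the complex diversity and distributed characteristics of blockchain application scenarios, once a homomorphic encryption scheme is deployed, the corresponding workload will be very heavy when its security strength needs to be adjusted over time. To make things worse, in practice of blockchain, when considering the regulation requirements in many cases (especially for the data published and transmitted by certain group members), a trusted third party (TTP) such as a regulator, which is able to decrypt all the corresponding ciphertexts on the chain, is needed. If a traditional homomorphic encryption scheme is deployed, the TTP needs to store all users' secret keys, which introduces lots of practical problems to key management and storage of the TTP. According to the current application scenarios and security requirements of blockchain, an additive homomorphic encryption scheme is proposed, whose security is based on the decisional k-Lin assumption over $\mathbb{Z}_{N^{2}}^{*}$. The proposed scheme can be proved IND-CCA1 secure in the standard model, and has the following three advantages: (i) fine-grained adjustment of the security strength of the proposed scheme can be achieved via adjusting the parameter k; (ii) it is a double decryption schem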

Keywords: blockchain; homomorphic encryption; security strength adjustment; regulation; double decryption mechanism

Classification No.: TP309 [Automation and Computer Technology - Computer System Architecture]

 
