CN-121984660-A - Verifiable ciphertext compression method and system based on lattice password
Abstract
The invention discloses a verifiable ciphertext compression method and system based on a lattice cipher. The method keeps the structure of the current original ciphertext while compressing it, by constructing a projection matrix that satisfies a lattice-invariance constraint, so that the dimension and storage cost of the original ciphertext are markedly reduced without damaging its homomorphic operation capability. At the same time, a zero-knowledge proof mechanism is introduced to place verifiable constraints on the correctness of the compression process, on noise safety and on projection-matrix consistency, so that a blockchain node can complete validity verification without decrypting or obtaining the original ciphertext. Furthermore, the method supports direct homomorphic computation on the compressed ciphertext in the compressed dimension space, and provides mechanisms for dynamic updating of the compression strategy, historical audit and anomaly tracing. The method solves the problems that conventional lattice-cipher homomorphic ciphertexts are large, that their compression cannot be verified, and that verification cost at blockchain nodes is high.
Inventors
- ZHOU DA
- LAN CHUNJIA
Assignees
- 上海零数众合信息科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260211
Claims (10)
- 1. A verifiable ciphertext compression method based on a lattice cipher, comprising: S1, the current data provider encrypts local plaintext data based on a lattice cipher scheme to obtain a current original ciphertext, wherein the dimension of the current original ciphertext is n×2; S2, generating a k×n-dimensional projection matrix according to a projection matrix generating function, wherein k is smaller than n and the projection matrix satisfies a lattice-invariance constraint; S3, performing linear compression on the current original ciphertext according to the projection matrix to obtain a current compressed ciphertext, wherein the dimension of the current compressed ciphertext is k×2; S4, generating a zero-knowledge proof π according to the current original ciphertext, the projection matrix, the current compressed ciphertext, the hash value of the projection matrix and the target compression noise upper-bound parameter; S5, packaging the current compressed ciphertext, the zero-knowledge proof π and the hash value of the projection matrix into a current verification data packet, and submitting the current verification data packet to a blockchain network; S6, a blockchain node receives the current verification data packet and verifies the zero-knowledge proof π in it using a preset verification key; and S7, the data user obtains from the blockchain the current compressed ciphertexts in the verified state corresponding to a plurality of data providers, for use.
- 2. The method according to claim 1, wherein S2 comprises: generating an initial k×n-dimensional sparse random matrix according to the projection matrix generating function, wherein each row of the sparse random matrix contains a fixed number of non-zero elements and each non-zero element has the value +1 or -1; obtaining the lattice basis B corresponding to the lattice cipher scheme and the inverse matrix invB of the lattice basis B modulo q; and calculating a projection matrix P from the sparse random matrix, the lattice basis B and the inverse matrix invB modulo q, wherein the product of the projection matrix P and the lattice basis B equals a new lattice basis B_prime in the sense of modulo q, so that the current compressed ciphertext is guaranteed to remain in a valid lattice-cipher space.
- 3. The method according to claim 1, wherein the target compression noise upper-bound parameter τ is calculated from the L2-norm upper limit τ0 of the noise vector e and the compression ratio k/n by the formula τ = τ0 / sqrt(k/n).
- 4. The method according to claim 1, wherein S7 comprises: the data user obtains from the blockchain the current compressed ciphertexts in the verified state corresponding to a plurality of data providers; homomorphic addition is executed directly on the plurality of current compressed ciphertexts in the compressed dimension space to obtain an aggregate ciphertext; the aggregate ciphertext is sent to each data provider for decryption; the data user obtains the aggregate plaintext decrypted by each data provider and computes their average to obtain the final aggregate plaintext; and risk-control model training is performed on the final aggregate plaintext.
- 5. The method according to claim 1, further comprising, after S7: when the current data provider needs to update the compression parameters, generating a new projection matrix P_new; repeating steps S3 to S5 with the new projection matrix P_new to generate a new current verification data packet bundle_new; and after the smart contract on the blockchain verifies that the hash value of the projection matrix in the old current verification data packet is consistent with the hash value of the projection matrix stored on the chain, marking the old current verification data packet as abandoned and setting the new current verification data packet as the currently valid one.
- 6. A verifiable ciphertext compression system based on a lattice cipher, comprising: an encryption unit, by which the current data provider encrypts local plaintext data based on a lattice cipher scheme to obtain a current original ciphertext, wherein the dimension of the current original ciphertext is n×2; a generation unit, configured to generate a k×n-dimensional projection matrix according to a projection matrix generation function, where k < n and the projection matrix satisfies a lattice-invariance constraint; a compression unit, configured to perform linear compression on the current original ciphertext according to the projection matrix to obtain a current compressed ciphertext, wherein the dimension of the current compressed ciphertext is k×2; a proving unit, configured to generate a zero-knowledge proof π according to the current original ciphertext, the projection matrix, the current compressed ciphertext, the hash value of the projection matrix and the target compression noise upper-bound parameter; a packing unit, configured to package the current compressed ciphertext, the zero-knowledge proof π and the hash value of the projection matrix into a current verification data packet and submit it to a blockchain network; a verification unit, by which a blockchain node receives the current verification data packet and verifies the zero-knowledge proof π in it using a preset verification key; and a using unit, by which the data user obtains from the blockchain the current compressed ciphertexts in the verified state corresponding to a plurality of data providers, for use.
- 7. The system of claim 6, wherein the generation unit comprises: a generating subunit, configured to generate an initial k×n-dimensional sparse random matrix according to the projection matrix generating function, where each row of the sparse random matrix contains a fixed number of non-zero elements and each non-zero element has the value +1 or -1; a lattice basis acquisition subunit, configured to obtain the lattice basis B corresponding to the lattice cipher scheme and the inverse matrix invB of the lattice basis B modulo q; and a calculating subunit, configured to calculate the projection matrix P from the sparse random matrix, the lattice basis B and the inverse matrix invB modulo q, wherein the product of the projection matrix P and the lattice basis B equals a new lattice basis B_prime in the sense of modulo q, so that the current compressed ciphertext is guaranteed to remain in a valid lattice-cipher space.
- 8. The system according to claim 6, wherein the target compression noise upper-bound parameter τ is calculated from the L2-norm upper limit τ0 of the noise vector e and the compression ratio k/n by the formula τ = τ0 / sqrt(k/n).
- 9. The system of claim 6, wherein the using unit comprises: a ciphertext obtaining subunit, by which the data user obtains from the blockchain the current compressed ciphertexts in the verified state corresponding to a plurality of data providers; an aggregation subunit, configured to execute homomorphic addition directly on the plurality of current compressed ciphertexts in the compressed dimension space to obtain an aggregate ciphertext; a sending subunit, configured to send the aggregate ciphertext to each data provider for decryption; an averaging subunit, by which the data user obtains the aggregate plaintext decrypted by each data provider and computes their average to obtain the final aggregate plaintext; and a training subunit, configured to perform risk-control model training on the final aggregate plaintext.
- 10. The system of claim 6, further comprising: when the current data provider needs to update the compression parameters, generating a new projection matrix P_new; repeating steps S3 to S5 with the new projection matrix P_new to generate a new current verification data packet bundle_new; and after the smart contract on the blockchain verifies that the hash value of the projection matrix in the old current verification data packet is consistent with the hash value of the projection matrix stored on the chain, marking the old current verification data packet as abandoned and setting the new current verification data packet as the currently valid one.
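The following Python is an added illustration of the arithmetic that claims 1 to 5 describe; it is not code from the patent and it does not implement the zero-knowledge proof π. It models the sparse ±1 projection matrix of claim 2, the linear compression of step S3 from an n×2 ciphertext to a k×2 one, the fact that this compression commutes with homomorphic addition (which is what lets claim 4 add compressed ciphertexts directly), the noise bound τ = τ0/sqrt(k/n) of claim 3, the hash binding of the projection matrix carried in each bundle, and the hash-consistency check that gates the projection-matrix rotation of claim 5. The modulus q = 7681, n = 16, k = 8, three non-zero entries per row, SHA-256 as the matrix hash, and every function and field name are assumptions of this example. The lattice-invariance relation P·B ≡ B_prime (mod q) is not modelled, so the example makes no claim that the compressed ciphertext remains decryptable; it only shows the structural checks a node could run without decrypting.

```python
import hashlib
import math
import random

# Constructed toy parameters; the patent fixes none of these values.
Q = 7681          # modulus q
N, K = 16, 8      # original dimension n and compressed dimension k, k < n
ROW_WEIGHT = 3    # assumed: fixed number of non-zero entries per row (claim 2)


def gen_sparse_projection(k, n, weight, rng):
    """Claim 2's initial sparse random matrix: k x n, each row has exactly
    `weight` non-zero entries, each +1 or -1 (stored mod q, so -1 is q-1)."""
    rows = []
    for _ in range(k):
        row = [0] * n
        for col in rng.sample(range(n), weight):
            row[col] = rng.choice((1, Q - 1))
        rows.append(row)
    return rows


def mat_mul_mod(a, b, q):
    """Matrix product over Z_q for nested-list matrices."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % q
             for j in range(len(b[0]))] for i in range(len(a))]


def mat_add_mod(a, b, q):
    """Entry-wise addition over Z_q (homomorphic addition of ciphertexts)."""
    return [[(x + y) % q for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def compress(p, c, q=Q):
    """Step S3: linear compression (k x n) * (n x 2) -> (k x 2)."""
    return mat_mul_mod(p, c, q)


def noise_bound(tau0, k, n):
    """Claim 3: tau = tau0 / sqrt(k/n)."""
    return tau0 / math.sqrt(k / n)


def matrix_hash(m):
    """Canonical SHA-256 of a projection matrix (assumed hash function; the
    claims only say 'hash value'). Stored on chain and carried in each bundle."""
    blob = ",".join(str(x) for row in m for x in row).encode()
    return hashlib.sha256(blob).hexdigest()


def make_bundle(c_orig, p, q=Q):
    """Steps S3 and S5 without the proof pi: the bundle binds the compressed
    ciphertext to the hash of the matrix that produced it."""
    return {"c_comp": compress(p, c_orig, q), "p_hash": matrix_hash(p)}


def node_check(bundle, registered_hash, k):
    """Checks a node can run without decrypting (S6): declared k x 2 shape and
    a matrix hash equal to the registered one. The real scheme's proof pi
    is not modelled here."""
    c = bundle["c_comp"]
    shape_ok = len(c) == k and all(len(row) == 2 for row in c)
    return shape_ok and bundle["p_hash"] == registered_hash


def compression_respects_addition(p, c1, c2, q=Q):
    """Linearity: P*(c1 + c2) == P*c1 + P*c2 (mod q), so adding compressed
    ciphertexts (claim 4) gives the compression of the added ciphertexts."""
    lhs = compress(p, mat_add_mod(c1, c2, q), q)
    rhs = mat_add_mod(compress(p, c1, q), compress(p, c2, q), q)
    return lhs == rhs


def rotate_projection(chain, old_bundle, new_bundle):
    """Claim 5: accept a replacement only if the old bundle's matrix hash still
    matches the hash registered on chain; then retire the old bundle."""
    if old_bundle["p_hash"] != chain["p_hash"]:
        return False
    chain["abandoned"].append(old_bundle)
    chain["p_hash"] = new_bundle["p_hash"]
    chain["current"] = new_bundle
    return True


def random_ciphertext(n, rng, q=Q):
    """Constructed stand-in for an n x 2 ciphertext (two n-vectors mod q)."""
    return [[rng.randrange(q), rng.randrange(q)] for _ in range(n)]


def demo(seed=2024):
    """Run the whole flow on constructed data and return the check results."""
    rng = random.Random(seed)
    p = gen_sparse_projection(K, N, ROW_WEIGHT, rng)
    c1, c2 = random_ciphertext(N, rng), random_ciphertext(N, rng)
    chain = {"p_hash": matrix_hash(p), "current": None, "abandoned": []}

    b1 = make_bundle(c1, p)
    tampered = dict(b1, p_hash="00" * 32)          # wrong matrix hash
    p_new = gen_sparse_projection(K, N, ROW_WEIGHT, rng)
    b_new = make_bundle(c1, p_new)
    rotated = rotate_projection(chain, b1, b_new)

    return {
        "compressed_shape": (len(b1["c_comp"]), len(b1["c_comp"][0])),
        "additive_ok": compression_respects_addition(p, c1, c2),
        "node_accepts_valid": node_check(b1, matrix_hash(p), K),
        "node_rejects_tampered": not node_check(tampered, matrix_hash(p), K),
        "rotation_ok": rotated and node_check(b_new, chain["p_hash"], K),
        "stale_rejected_after_rotation": not node_check(b1, chain["p_hash"], K),
        "tau": noise_bound(8.0, K, N),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting from running it: the additive check holds for any P because matrix multiplication is linear, so the "homomorphic addition in the compressed space" of claim 4 costs nothing beyond the compression itself; and after a rotation the old bundle fails the hash check against the new on-chain value, which is the mechanism by which claim 5 makes an abandoned bundle unusable without the node ever seeing the original ciphertext.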
Description
Verifiable ciphertext compression method and system based on lattice cipher
Technical Field
The invention relates to the technical fields of cryptography, data security and blockchain, and in particular to a verifiable ciphertext compression method and system based on a lattice cipher.
Background
With the development of privacy computing, federated learning and blockchain technology, lattice-based homomorphic encryption schemes (such as CKKS) are widely studied and applied because of their quantum-security properties. However, existing lattice-cipher homomorphic encryption schemes still suffer, in actual deployment, from huge ciphertext volume, unreliable compression, low on-chain verification efficiency and similar problems.
(1) Volume explosion: because it must resist lattice-reduction attacks, a lattice-cipher homomorphic ciphertext (for example in the CKKS scheme) has a dimension in the tens of thousands, and a single ciphertext reaches 1-10 MB, so on-chain storage cost is too high (storage in an Ethereum L2 contract costs over $200/MB) and the transmission delay for edge devices is too long (> 8 seconds per transfer);
(2) Unreliable compression: conventional modulus switching or truncation-based compression schemes destroy the homomorphic properties of the ciphertext and cannot prove that the compressed ciphertext still corresponds to a legitimate original ciphertext, so there is a risk of malicious replacement or forgery;
(3) Low verification efficiency: a blockchain node can only verify validity by downloading and decrypting the ciphertext in full, which violates the 'light client' design principle and makes network-wide consensus inefficient.
Therefore, a technical solution that implements verifiable compression of lattice-cipher ciphertext while maintaining homomorphic operation capability is needed.
Disclosure of Invention
The embodiments of the invention provide a verifiable ciphertext compression method and system based on a lattice cipher, used to solve the prior-art problems of ciphertext volume expansion, unreliable compression and low on-chain verification efficiency. To this end, on the one hand, the invention provides a verifiable ciphertext compression method based on a lattice cipher, comprising the steps: S1, the current data provider encrypts local plaintext data based on a lattice cipher scheme to obtain a current original ciphertext, wherein the dimension of the current original ciphertext is n×2; S2, generating a k×n-dimensional projection matrix according to a projection matrix generation function, wherein k is smaller than n and the projection matrix satisfies a lattice-invariance constraint; S3, performing linear compression on the current original ciphertext according to the projection matrix to obtain a current compressed ciphertext, wherein the dimension of the current compressed ciphertext is k×2; S4, generating a zero-knowledge proof π according to the current original ciphertext, the projection matrix, the current compressed ciphertext, the hash value of the projection matrix and a target compression noise upper-bound parameter; S5, packaging the current compressed ciphertext, the zero-knowledge proof π and the hash value of the projection matrix into a current verification data packet, and submitting the current verification data packet to a blockchain network; S6, a blockchain node receives the current verification data packet and verifies the zero-knowledge proof π in it using a preset verification key; and S7, the data user obtains from the blockchain the current compressed ciphertexts in the verified state corresponding to a plurality of data providers, for use.
Optionally, step S2 includes generating an initial k×n-dimensional sparse random matrix according to the projection matrix generating function, wherein each row of the sparse random matrix contains a fixed number of non-zero elements and each non-zero element has the value +1 or -1; obtaining the lattice basis B corresponding to the lattice cipher scheme and its inverse matrix invB modulo q; and calculating a projection matrix P from the sparse random matrix, the lattice basis B and the inverse matrix invB modulo q, wherein the product of the projection matrix P and the lattice basis B equals a new lattice basis B_prime in the sense of modulo q, so that the current compressed ciphertext remains in a valid lattice-cipher space.
Optionally, the target compression noise upper-bound parameter τ is calculated from the L2-norm upper limit τ0 of the noise vector e and the compression ratio k/n by the formula τ = τ0 / sqrt(k/n).
Optionally, S7 comprises the steps that a data user obtains current compressed