
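        Fully homomorphic encryption scheme without Gaussian noise

        2018-01-08 07:46:41 LI Mingxiang, ZHANG Mingyan
        Journal of Computer Applications, 2017, Issue 12
        Keywords: homomorphic, public key, Gaussian

        LI Mingxiang, LIU Zhao, ZHANG Mingyan

        (1. Institute of Finance, Hebei Finance University, Baoding, Hebei 071051; 2. Science and Technology Finance Key Laboratory of Hebei Province, Baoding, Hebei 071051; 3. Financial Synergy Innovation of Science and Technology Center in Hebei Province, Baoding, Hebei 071051)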


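        A leveled fully homomorphic encryption scheme was recently proposed based on the Learning With Rounding (LWR) problem. LWR is a variant of the Learning With Errors (LWE) problem that dispenses with costly Gaussian noise sampling, so the LWR-based scheme is computationally more efficient than existing LWE-based fully homomorphic encryption schemes. However, that LWR-based scheme requires the user's evaluation key as input to homomorphic evaluation. This paper therefore constructs a new leveled fully homomorphic encryption scheme based on the LWR problem whose homomorphic evaluation does not require the user's evaluation key. Because the proposed scheme can be used to construct identity-based fully homomorphic encryption schemes, attribute-based fully homomorphic encryption schemes and the like, it has wider application scenarios than the recently proposed LWR-based scheme.

        Fully homomorphic encryption; leveled fully homomorphic encryption; Learning With Rounding problem; Learning With Errors problem; Gaussian noise sampling

        0 Introduction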

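        Shortly after the RSA (Rivest, Shamir, Adleman) public-key cryptosystem was proposed, the idea of Fully Homomorphic Encryption (FHE) was put forward [1]. In an FHE scheme, $\mathrm{Dec}(f(\mathrm{Enc}(\mu_1),\mathrm{Enc}(\mu_2),\ldots,\mathrm{Enc}(\mu_k)))=f(\mu_1,\mu_2,\ldots,\mu_k)$, where $f$ is an arbitrary function/circuit. In a leveled FHE scheme, the system parameters depend not only on the security parameter $\lambda$ but also on the circuit depth $L\in\mathbb{Z}^+$. With FHE, computation can be outsourced to an untrusted server without concern about leaking private data.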

        In 2009, Gentry [2] constructed the first FHE scheme, based on lattice theory. In 2011, Brakerski et al. [3] constructed an FHE scheme based on the ring Learning With Errors (ring-LWE) problem [4]; Brakerski et al. [5] then constructed another FHE scheme based on the LWE problem [6]. In 2012, Brakerski et al. [7] constructed an efficient leveled FHE scheme based on ring-LWE. In 2013, Gentry et al. [8] constructed a simple and natural leveled FHE scheme based on LWE.

        At Eurocrypt 2012, Banerjee et al. [9] defined the Learning With Rounding (LWR) problem and the ring-LWR problem and, under certain parameter conditions, gave a reduction from LWE to LWR and from ring-LWE to ring-LWR. LWR is a variant of LWE; the main difference is that LWE requires Gaussian noise sampling while LWR does not. Later, Bogdanov et al. [10] improved the reduction from LWE to LWR. Several public-key schemes have since been built on LWR, such as public-key encryption schemes [11] and identity-based encryption schemes [12].

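        Many FHE schemes have been built on the LWE problem [3, 5, 7-8], but all of them require Gaussian noise sampling. Because Gaussian noise sampling is computationally expensive, it is the bottleneck that limits the performance of these schemes. LWR needs no Gaussian noise sampling, so building FHE on LWR, and thereby discarding the time-consuming sampling, is an effective way to improve the computational performance of FHE. Since LWR is a variant of LWE, LWR-based FHE schemes can be constructed by following existing LWE-based FHE schemes.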

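        Recently, Costache et al. [13] constructed a leveled FHE scheme based on ring-LWR, modeled on the scheme of Brakerski et al. [7]. They followed the scheme of Brakerski et al. [7] mainly because, among LWE-based FHE schemes, it is comparatively efficient. Among LWE-based FHE schemes, the scheme of Gentry et al. [8] suits a wider range of settings. For example, based on the scheme of Gentry et al. [8], identity-based FHE schemes [14-17] and multi-key FHE schemes [18-19] have been constructed; based on the multi-key FHE schemes [18-19], researchers went on to construct attribute-based FHE schemes [20-21]. This paper therefore constructs an LWR-based leveled FHE scheme modeled on the scheme of Gentry et al. [8]. The scheme of Gentry et al. [8] suits more settings than other FHE schemes mainly because its homomorphic operations do not involve an evaluation key evk, whereas the other FHE schemes all need evk for homomorphic operations. The scheme constructed in this paper does not need evk either, so it can be used to further construct identity-based FHE schemes, multi-key FHE schemes, attribute-based FHE schemes and so on.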

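        1 Preliminaries

        1.1 Hard problems

        Definition 2 (B-bounded distribution). A family of distributions $\{X_n\}_{n\in\mathbb{N}}$ over $\mathbb{Z}$ is called B-bounded if $\Pr_{e\leftarrow X_n}[|e|>B]\le \mathrm{negl}(n)$, where $B=B(n)$.

        For the reduction from the LWE problem to the LWR problem, Bogdanov et al. [10] gave a better reduction result than Theorem 2.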

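        1.2 Vector decomposition technique

        The vector decomposition technique keeps the inner product of vectors unchanged. It comprises the following transformations:

        For these operations, the following clearly holds:

        ① $\langle \mathrm{BitDecomp}_q(x), \mathrm{PowersOfTwo}_q(y)\rangle=\langle x,y\rangle$;

        Many FHE schemes [7-8, 25] apply the vector decomposition technique.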
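The definitions of the decomposition operations are not reproduced on this page, so the following added example (not the paper's code) uses the definitions from Gentry et al. [8], whose scheme the paper follows. It checks identity ① and shows why Flatten is applied after homomorphic operations: it restores a 0/1 vector without changing the product against PowersOfTwo. The modulus q = 257 and the sample vectors are constructed assumptions.

```python
# Added example: vector decomposition as defined in Gentry et al. [8].
Q = 257                # assumed toy modulus (constructed, not a parameter from the paper)
ELL = Q.bit_length()   # l = floor(log2 q) + 1 bits per coordinate

def bit_decomp(x, ell=ELL):
    """BitDecomp: (x_1..x_k) -> k*ell bits, least-significant bit first."""
    return [(xi >> j) & 1 for xi in x for j in range(ell)]

def bit_decomp_inv(a, q=Q, ell=ELL):
    """BitDecomp^-1: regroup ell entries per coordinate; entries need not be bits."""
    return [sum(a[i + j] << j for j in range(ell)) % q
            for i in range(0, len(a), ell)]

def powers_of_two(y, q=Q, ell=ELL):
    """PowersOfTwo: (y_1..y_k) -> (y_1, 2*y_1, ..., 2^(ell-1)*y_1, ...) mod q."""
    return [(yi << j) % q for yi in y for j in range(ell)]

def flatten(a, q=Q, ell=ELL):
    """Flatten: back to a 0/1 vector with the same product against PowersOfTwo."""
    return bit_decomp(bit_decomp_inv(a, q, ell), ell)

def inner(u, v, q=Q):
    """Inner product modulo q."""
    return sum(ui * vi for ui, vi in zip(u, v)) % q

def check_identities():
    # Constructed sample vectors over Z_257.
    x, y, s = [200, 13, 256, 77], [201, 5, 1, 255], [91, 250, 3, 128]
    # Entry-wise sum of two bit vectors, as homomorphic Add produces before
    # Flatten: entries reach 2, so it is no longer a small 0/1 vector.
    a = [u + v for u, v in zip(bit_decomp(x), bit_decomp(y))]
    p2 = powers_of_two(s)
    return {
        "identity_1": inner(bit_decomp(x), powers_of_two(y)) == inner(x, y),
        "flatten_keeps_product": inner(flatten(a), p2) == inner(a, p2),
        "max_entry_before": max(a),
        "max_entry_after": max(flatten(a)),
    }

if __name__ == "__main__":
    print(check_identities())
```

Keeping ciphertext entries in {0,1} is what bounds the noise growth of each homomorphic operation, which is where the per-level factor in the parameter analysis of Section 3 comes from.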

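        1.3 Cryptographic definitions

        A leveled FHE scheme consists of four polynomial-time algorithms: key generation KeyGen, encryption Enc, decryption Dec and homomorphic evaluation Eval. Here, $(pk,sk)\leftarrow\mathrm{KeyGen}(1^{\lambda},1^{L})$ takes the security parameter $\lambda$ and the circuit depth $L$ and outputs a public key $pk$ and a private key $sk$; $c\leftarrow\mathrm{Enc}(pk,\mu)$ encrypts a message $\mu\in\{0,1\}$ under the public key $pk$ to produce a ciphertext $c$; $\mu\leftarrow\mathrm{Dec}(sk,c)$ decrypts the ciphertext $c$ with the private key $sk$ to recover the message $\mu\in\{0,1\}$; $c_f\leftarrow\mathrm{Eval}(f,c_1,c_2,\ldots,c_k)$ takes a circuit $f:\{0,1\}^k\to\{0,1\}$ and ciphertexts $c_1,c_2,\ldots,c_k$ and outputs a ciphertext $c_f$.

        Usually $f$ is an arithmetic circuit over the finite field GF(2) that contains only addition gates and multiplication gates, so Eval is customarily split into homomorphic addition $c_{add}\leftarrow\mathrm{Add}(c_1,c_2)$ and homomorphic multiplication $c_{mult}\leftarrow\mathrm{Mult}(c_1,c_2)$.

        The standard security notion for a leveled FHE scheme is semantic security, that is, INDistinguishability under Chosen Plaintext Attack (IND-CPA).

        Definition 3 (Compactness). A leveled FHE scheme is compact if its decryption circuit does not depend on the evaluated function $f$.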

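        2 Basic encryption scheme

        First, a standard public-key encryption scheme is constructed based on the LWR problem.

        2.1 Construction

        $\mathrm{Enc}(pk,\mu\in\{0,1\})$: for a message $\mu\in\{0,1\}$, choose a matrix $R\leftarrow\{0,1\}^{N\times m}$ uniformly at random and output the ciphertext $C$, namely: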

        C=(Flattenp((μ·Il2|0)T+BitDecompp(R·uT))|

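        2.2 Correctness

        In the key generation algorithm KeyGen, we have:

        2.3 Security

        Theorem 3. Assuming the LWR problem is hard, the above encryption scheme is IND-CPA secure.

        Proof. Consider the following games, where $\mathrm{Adv}_{\mathrm{Game}\,i}(A)$ denotes the advantage of adversary $A$ in Game $i$.

        Game 0. This game is the standard IND-CPA game.

        In Game 2, the public key and the ciphertext given by the challenger are both uniformly random and independent of the message $\mu\in\{0,1\}$, so $\mathrm{Adv}_{\mathrm{Game}\,2}(A)=0$. Hence in Game 0 we have $\mathrm{Adv}_{\mathrm{Game}\,0}(A)\le\mathrm{negl}(\lambda)$. That is, under the assumption that the LWR problem is hard, the above encryption scheme satisfies IND-CPA security.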

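        3 Homomorphic operations

        Next, homomorphic addition and homomorphic multiplication over the finite field GF(2) are analyzed.

        1) $\mathrm{Add}(C_1,C_2)$: outputs the sum $C_{add}$ of ciphertexts $C_1$ and $C_2$, namely:

        $$C_{add}=(\mathrm{Flatten}_p(C_{add,p})\mid\mathrm{Flatten}_q(C_{add,q}))=(\mathrm{Flatten}_p(C_{1,p}+C_{2,p})\mid\mathrm{Flatten}_q(C_{1,q}+C_{2,q}))$$

        2) $\mathrm{Mult}(C_1,C_2)$: outputs the product $C_{mult}$ of ciphertexts $C_1$ and $C_2$, namely:

        $$C_{mult}=(\mathrm{Flatten}_p(C_{mult,p})\mid\mathrm{Flatten}_q(C_{mult,q}))=(\mathrm{Flatten}_p(C_1\cdot C_{2,p})\mid\mathrm{Flatten}_q(C_1\cdot C_{2,q}))$$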

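        $$C_{add}\cdot z^T=(\mathrm{Flatten}_p(C_{1,p}+C_{2,p})\mid\mathrm{Flatten}_q(C_{1,q}+C_{2,q}))\cdot(z_p,z_q)^T=(C_{1,p}+C_{2,p})\cdot z_p^T+(C_{1,q}+C_{2,q})\cdot z_q^T=(C_{1,p}\cdot z_p^T+C_{1,q}\cdot z_q^T)+(C_{2,p}\cdot z_p^T+C_{2,q}\cdot z_q^T)=$$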

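        $$C_{mult}\cdot z^T=(\mathrm{Flatten}_p(C_1\cdot C_{2,p})\mid\mathrm{Flatten}_q(C_1\cdot C_{2,q}))\cdot(z_p,z_q)^T=C_1\cdot C_{2,p}\cdot z_p^T+C_1\cdot C_{2,q}\cdot z_q^T=C_1\cdot(C_{2,p}\cdot z_p^T+C_{2,q}\cdot z_q^T)=C_1\cdot C_2\cdot z^T=$$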

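        By Theorem 2, the $\mathrm{LWR}_{n,q,p}$ problem has $q\ge p\cdot B\cdot n^{\omega(1)}$. To decrypt $C_f$ correctly, $p\ge 8(N+1)^L\cdot E$ is required, so $q\ge 8(N+1)^L\cdot E\cdot B\cdot n^{\omega(1)}$, that is, $q/B\ge 8(N+1)^L\cdot E\cdot n^{\omega(1)}$. Moreover, the $\mathrm{LWE}_{n,q,X}$ problem remains hard when $q/B=2^{o(n)}$ [27], so $L=o(n)$, that is, $L$ is of polynomial depth. In other words, under the assumption that the $\mathrm{LWR}_{n,q,p}$ problem is hard, a leveled FHE scheme exists.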

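        4 Performance comparison

        The ring-LWR-based FHE scheme proposed by Costache et al. [13] is modeled on the ring-LWE-based FHE scheme of Brakerski et al. [7]. In the scheme of Brakerski et al. [7], not only a public key but also a homomorphic evaluation key evk must be generated. Because evk is the result of encrypting the private key and cannot be computed from a user's identity information, the scheme of Brakerski et al. [7] cannot be used to construct identity-based FHE schemes and the like. The LWR-based FHE scheme proposed in this paper is modeled on the LWE-based FHE scheme of Gentry et al. [8]. The scheme of Gentry et al. [8] does not need to generate a homomorphic evaluation key evk. On this basis, the scheme of Gentry et al. [8] can be used to construct identity-based FHE schemes and the like. To date, identity-based FHE schemes [14-17], multi-key FHE schemes [18-19] and attribute-based FHE schemes [20-21] have been constructed from the FHE scheme of Gentry et al. [8]. The FHE scheme of Gentry et al. [8] therefore has more application settings than that of Brakerski et al. [7]. The FHE scheme of Costache et al. [13] also has to generate a homomorphic evaluation key evk, so it likewise cannot be used to construct identity-based FHE schemes and the like. The FHE scheme proposed in this paper also does not need to generate evk, so it too can be used to construct identity-based FHE schemes, multi-key FHE schemes, attribute-based FHE schemes and so on. The proposed scheme therefore has more application settings than the scheme of Costache et al. [13].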

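        5 Conclusion

        Drawing on the FHE scheme of Gentry et al. [8], this paper constructed an LWR-based leveled FHE scheme and proved its correctness, IND-CPA security and compactness. Costache et al. [13] have already constructed a ring-LWR-based leveled FHE scheme by following the FHE scheme of Brakerski et al. [7]. The scheme proposed in this paper has more application settings than the scheme of Costache et al. [13]. However, because the FHE scheme of Gentry et al. [8] is somewhat less computationally efficient than that of Brakerski et al. [7], the proposed scheme is also somewhat less computationally efficient than the scheme of Costache et al. [13]. Future work will therefore focus on: 1) using the scheme constructed in this paper as a basis for LWR-based identity-based leveled FHE schemes, multi-key leveled FHE schemes and attribute-based leveled FHE schemes; 2) applying FHE performance optimization techniques to improve the computational performance of the scheme constructed in this paper.

        References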

        [1] RIVEST R L, ADLEMAN L, DERTOUZOS M L. On data banks and privacy homomorphisms [M]// Foundations of Secure Computation. Salt Lake City, UT: Academic Press, 1978: 169-179.

        [2] GENTRY C. Fully homomorphic encryption using ideal lattices [C]// STOC 2009: Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York: ACM, 2009: 169-178.

        [3] BRAKERSKI Z, VAIKUNTANATHAN V. Fully homomorphic encryption from ring-LWE and security for key dependent messages [C]// CRYPTO 2011: Proceedings of the 2011 Annual International Cryptology Conference, LNCS 6841. Berlin: Springer, 2011: 505-524.

        [4] LYUBASHEVSKY V, PEIKERT C, REGEV O. On ideal lattices and learning with errors over rings [C]// EUROCRYPT 2010: Proceedings of the 2010 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 6110. Berlin: Springer, 2010: 1-23.

        [5] BRAKERSKI Z, VAIKUNTANATHAN V. Efficient fully homomorphic encryption from (standard) LWE [C]// FOCS 2011: Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science. Washington, DC: IEEE Computer Society, 2011: 97-106.

        [6] REGEV O. On lattices, learning with errors, random linear codes, and cryptography [C]// STOC 2005: Proceedings of the 37th Annual ACM Symposium on Theory of Computing. New York: ACM, 2005: 84-93.

        [7] BRAKERSKI Z, GENTRY C, VAIKUNTANATHAN V. (Leveled) fully homomorphic encryption without bootstrapping [C]// ITCS 2012: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. New York: ACM, 2012: 309-325.

        [8] GENTRY C, SAHAI A, WATERS B. Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based [C]// CRYPTO 2013: Proceedings of the 33rd Annual Cryptology Conference, LNCS 8042. Berlin: Springer, 2013: 75-92.

        [9] BANERJEE A, PEIKERT C, ROSEN A. Pseudorandom functions and lattices [C]// EUROCRYPT 2012: Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 7237. Berlin: Springer, 2012: 719-737.

        [10] BOGDANOV A, GUO S Y, MASNY D, et al. On the hardness of learning with rounding over small modulus [C]// Proceedings of the 2016 13th International Conference on Theory of Cryptography, LNCS 9562. Berlin: Springer, 2016: 209-224.

        [11] DUAN R, GU C X. Public key encryption schemes based on learning with rounding problem [C]// MINES 2013: Proceedings of the 2013 5th International Conference on Multimedia Information Networking and Security. Washington, DC: IEEE Computer Society, 2013: 101-104.

        [12] FANG F Y, LI B, LU X H, et al. (Deterministic) hierarchical identity-based encryption from learning with rounding over small modulus [C]// ASIA CCS 2016: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. New York: ACM, 2016: 907-912.

        [13] COSTACHE A, SMART N P. Homomorphic encryption without Gaussian noise [EB/OL]. [2017-04-16]. https://eprint.iacr.org/2017/163.pdf.

        [14] WANG F Q, WANG K P, LI B. An efficient leveled identity-based FHE [C]// NSS 2015: Proceedings of the 9th International Conference on Network and System Security, LNCS 9408. Berlin: Springer, 2015: 303-315.

        [15] KANG Y J, GU C X, ZHENG Y H, et al. Identity-based fully homomorphic encryption from eigenvector [J]. Journal of Software, 2016, 27(6): 1487-1497. (in Chinese)

        [16] DUAN R, GU C X, ZHU Y F, et al. Efficient identity-based fully homomorphic encryption over NTRU [J]. Journal on Communications, 2017, 38(1): 66-75. (in Chinese)

        [17] DAI X M, ZHANG W, ZHENG Z H, et al. GSW-type hierarchical identity-based fully homomorphic encryption scheme from learning with errors [J]. Journal of Computer Applications, 2016, 36(7): 1856-1860. (in Chinese)

        [18] CLEAR M, MCGOLDRICK C. Multi-identity and multi-key leveled FHE from learning with errors [C]// CRYPTO 2015: Proceedings of the 2015 Annual International Cryptology Conference, LNCS 9216. Berlin: Springer, 2015: 630-656.

        [19] PEIKERT C, SHIEHIAN S. Multi-key FHE from LWE, revisited [C]// Proceedings of the 2016 Theory of Cryptography Conference, LNCS 9986. Berlin: Springer, 2016: 217-238.

        [20] BRAKERSKI Z, CASH D, TSABARY R, et al. Targeted homomorphic attribute based encryption [C]// Proceedings of the 2016 Theory of Cryptography Conference, LNCS 9986. Berlin: Springer, 2016: 330-360.

        [21] HIROMASA R, KAWAI Y. Fully dynamic multi target homomorphic attribute-based encryption [EB/OL]. [2017-05-19]. https://eprint.iacr.org/2017/373.pdf.

        [22] PEIKERT C. Public-key cryptosystems from the worst-case shortest vector problem [C]// STOC 2009: Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York: ACM, 2009: 333-342.

        [23] MICCIANCIO D, MOL P. Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions [C]// CRYPTO 2011: Proceedings of the 31st Annual International Cryptology Conference, LNCS 6841. Berlin: Springer, 2011: 465-484.

        [24] MICCIANCIO D, PEIKERT C. Trapdoors for lattices: simpler, tighter, faster, smaller [C]// EUROCRYPT 2012: Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 7237. Berlin: Springer, 2012: 700-718.

        [25] BRAKERSKI Z. Fully homomorphic encryption without modulus switching from classical GapSVP [C]// CRYPTO 2012: Proceedings of the 32nd Annual Cryptology Conference, LNCS 7417. Berlin: Springer, 2012: 868-886.

        [26] BARAK B, DODIS Y, KRAWCZYK H, et al. Leftover hash lemma, revisited [C]// CRYPTO 2011: Proceedings of the 31st Annual International Cryptology Conference, LNCS 6841. Berlin: Springer, 2011: 1-20.

        [27] LENSTRA A K, LENSTRA H W Jr, LOVÁSZ L. Factoring polynomials with rational coefficients [J]. Mathematische Annalen, 1982, 261(4): 515-534.

        This work is partially supported by the Key Research and Development Program of Hebei Province (16210701), the Scientific and Technological Research Project of Higher Education of Hebei Province (ZD2017228).

        LI Mingxiang, born in 1968, Ph. D., associate professor. His research interests include fully homomorphic encryption scheme.

        LIU Zhao, born in 1989, M. S., assistant. Her research interests include cloud computing security.

        ZHANG Mingyan, born in 1983, M. S., associate research fellow. Her research interests include Internet finance.

        Fully homomorphic encryption scheme without Gaussian noise

        LI Mingxiang1,2*, LIU Zhao1,3, ZHANG Mingyan1,3

        (1. Institute of Finance, Hebei Finance University, Baoding Hebei 071051, China; 2. Science and Technology Finance Key Laboratory of Hebei Province, Baoding Hebei 071051, China; 3. Financial Synergy Innovation of Science and Technology Center in Hebei Province, Baoding Hebei 071051, China)

        Recently, a leveled fully homomorphic encryption scheme was proposed based on the Learning With Rounding (LWR) problem. The LWR problem is a variant of the Learning With Errors (LWE) problem, but it dispenses with the costly Gaussian noise sampling. Thus, compared with the existing LWE-based fully homomorphic encryption schemes, that LWR-based fully homomorphic encryption scheme has much higher efficiency. However, the homomorphic evaluator of that LWR-based scheme needs to obtain the user's evaluation key. Accordingly, a new leveled fully homomorphic encryption scheme was constructed based on the LWR problem, whose homomorphic evaluator does not need to obtain the user's evaluation key. Since the new scheme can be used to construct schemes such as identity-based fully homomorphic encryption schemes and attribute-based fully homomorphic encryption schemes, it has wider application than the recently proposed LWR-based fully homomorphic encryption scheme.

        Fully Homomorphic Encryption (FHE); leveled Fully Homomorphic Encryption (FHE); Learning With Rounding (LWR) problem; Learning With Errors (LWE) problem; Gaussian noise sampling

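        2017-06-23;

        2017-08-27.

        Key Research and Development Program of Hebei Province (16210701); Scientific and Technological Research Project of Higher Education of Hebei Province (ZD2017228).

        LI Mingxiang (born 1968), male, from Jining, Shandong, associate professor, Ph.D., main research interest: fully homomorphic encryption schemes; LIU Zhao (born 1989), female, from Baoding, Hebei, teaching assistant, M.S., main research interest: cloud computing security; ZHANG Mingyan (born 1983), female, from Jingzhou, Hubei, associate research fellow, M.S., main research interest: Internet finance.

        1001-9081(2017)12-3430-05

        10.11772/j.issn.1001-9081.2017.12.3430

        (*Corresponding author e-mail: limingxiang@hbfu.edu.cn)

        TP309.7

        A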
