Homomorphic data decryption method and apparatus for implementing privacy protection
摘要
說明書
Random number r with a very small value can be prevented from being selected by limiting the minimum value of length i, to prevent insufficient randomness of homomorphic ciphertext c from affecting security of homomorphic ciphertext c. For example, when n=2048, it is set that i≥224, in other words, the length of random number r is not less than 224 bits, and therefore sufficient randomness and security of homomorphic ciphertext c can be ensured, for example, at least 112-bit or higher security can be provided (homomorphic ciphertext c cannot be decrypted in 2112 steps).
When (hN mod N2)r in the equation is calculated, modular exponentiation can be directly performed each time based on the equation, but a relatively long calculation time may be needed due to a relatively large calculation amount. Actually, after (hr mod N)N is converted into (hN mod N2)r in the equation, it can be found that (hN mod N2)r represents fixed base modular exponentiation with an exponent of i bits, in other words, a base of (hN mod N2)r is fixed to hN mod N2. Therefore, a value of hN mod N2 can be pre-calculated based on h in public key pk, and no temporary calculation is needed.
