CN117910024B - Key generation method and device, electronic equipment and storage medium - Google Patents

Publication number: CN117910024B
Authority: CN (China)
Legal status: Active
Application number: CN202410313870.8A
Other languages: Chinese (zh)
Other versions: CN117910024A (en)
Inventor: 李艳斌
Current Assignee: Open Security Research Inc
Original Assignee: Open Security Research Inc

Abstract

The embodiment of the application discloses a key generation method, a device, electronic equipment and a storage medium, wherein the method comprises the following steps: taking 0 as first input data, executing a first key protocol, and taking the output result ciphertext as a public key; executing the first key protocol includes: carrying out private key encryption on the first input data by adopting the first noise data and the private key fragments to obtain a first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; the first noise data and the second noise data conform to a first distribution; the first random data conforms to the second distribution; performing first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting a result ciphertext under the condition that the first verification passes; the resulting ciphertext is the domain sum of the first ciphertext fragments of all the participants.

Description

Key generation method and device, electronic equipment and storage medium
Technical Field
The present application relates to, but is not limited to, the field of information security technologies, and in particular to a key generation method and apparatus, an electronic device, and a storage medium.
Background
The SPDZ series of protocols, one family of multiparty secure computing (Multi-Party Computation, MPC) protocols, needs to generate, in the preprocessing stage, the random data material required in the online computing stage. To ensure data security while the random data material is generated, the related keys need to be generated in the offline stage based on a homomorphic encryption algorithm. Generating these keys usually requires either calling another set of MPC protocols in which a public and private key pair is set up between every two parties, which makes the communication volume and the calculation amount of key generation huge; or having the parties repeat key generation multiple times and randomly expose all but one of the generation processes, which affects data security while also consuming a large amount of communication and calculation.
Disclosure of Invention
The embodiment of the application provides a key generation method and device, electronic equipment and a storage medium, which can reduce the communication quantity and the calculation quantity of key generation while ensuring the data security.
The technical scheme of the application is realized as follows:
An embodiment of the application provides a key generation method, which comprises the following steps:
Taking 0 as first input data, executing a first key protocol, and taking the output result ciphertext as a public key; the executing the first key protocol includes: carrying out private key encryption on the first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting the first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting the first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to a second distribution; performing a first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting the result ciphertext when the first verification is passed; the result ciphertext is a domain sum of the first ciphertext fragments of all participants.
The embodiment of the application provides a key generation device, which comprises:
The generation module is used for taking 0 as first input data, executing a first key protocol and taking the output result ciphertext as a public key; the executing the first key protocol includes: carrying out private key encryption on the first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting the first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting the first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to a second distribution; performing a first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting the result ciphertext when the first verification is passed; the result ciphertext is a domain sum of the first ciphertext fragments of all participants.
The embodiment of the application provides electronic equipment, which comprises:
a memory for storing a computer program executable on the processor;
and a processor for implementing the steps of the above method when executing the computer program.
An embodiment of the present application provides a storage medium on which a computer program is stored; when executed by a processor, the computer program carries out the steps of the above-mentioned method.
According to the key generation method and device, the electronic equipment and the storage medium provided by the embodiment of the application, a participant can verify the validity of the ciphertext of its private data through the first key protocol, and when the private data is a fragment of 0, the output ciphertext is the public key. In the key generation process, each participant can set its own keys, and because the calculation process is verified at any time, the data does not need to be exposed; on the premise of ensuring data security, the communication volume and the calculation amount of the key generation process can be reduced.
Drawings
FIG. 1 is a schematic diagram of a process for generating a public key according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for generating a re-linearized key according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for executing a second key protocol according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a process for generating a re-linearized key according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a key generating device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings. The described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without inventive effort fall within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a specific ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a specific order or sequence, as permitted, to enable embodiments of the application described herein to be practiced otherwise than as illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
Before the embodiments of the present application are described in further detail, the terms involved in the embodiments are explained; the following explanations apply to them.
Secure multiparty computation: in the absence of a trusted third party, a plurality of participants, each holding private data, jointly compute an agreed public function without exposing their private data.
SPDZ series protocol: the protocol is divided into a preprocessing stage and an online computing stage, wherein the preprocessing stage generates random data materials according to the protocol, and prepares for computing the contract function in the online computing stage.
Zero-knowledge proof: a cryptographic tool proposed by S. Goldwasser, S. Micali and C. Rackoff in the early 1980s that allows the validity of a proposition to be proved between mutually untrusted parties without revealing any additional information.
In order to facilitate understanding of the present solution, before explaining the embodiments of the present application, an application background in the embodiments of the present application is explained.
MPC-related products aim to create a secure sharing environment in which data is "available but invisible" for data sharing and exchange across departments, and to solve the problems of data security and privacy protection between entities and fields. The general concept of secure multiparty computing is that multiple participants cooperatively compute a public function; the input to the public function is typically the private data of each participant. The SPDZ series of protocols is an MPC protocol for arithmetic circuits, comprising two phases: a preprocessing stage and an online computing stage. The preprocessing stage prepares random data material for the computation of the online stage, which enables the online stage to complete the public function computation quickly. The offline stage of SPDZ-series protocols based on homomorphic encryption algorithms requires the keys of the homomorphic encryption algorithm, typically a private key, an encryption public key and a re-linearization key, to be set before the data material is prepared.
At present there are two main modes of key generation. The first is to call another set of MPC protocols to complete the calculations involving private data in the key generation process; in that set of MPC protocols, a public and private key pair is set up between every two participants. The second is to repeat key generation a constant number of times and randomly expose the detailed parameters of constant-minus-1 of those key generation processes, so that all participants can verify the validity of the constant-minus-1 exposed key generations; this increases confidence in the validity of the unexposed key, and the key generated in the unexposed process is used as the output of the key setting stage. The first mode is simple, but the data volume and the communication volume of the generation process are proportional to the square of the number of participants, so the communication volume and the calculation amount are large. In the second mode, because constant-minus-1 key generation processes are exposed, the probability that a malicious adversary cheats successfully is 1 over the constant, which affects data security.
The embodiment of the application provides a key generation method and device, electronic equipment and a storage medium, which can reduce the communication quantity and the calculation quantity of key generation while ensuring the data security. The following describes an exemplary application of the electronic device provided by the embodiment of the present application, where the electronic device provided by the embodiment of the present application may be implemented as various types of devices that need to generate a key, such as a notebook computer, a tablet computer, a desktop computer, a server, and the like.
An embodiment of the present application provides an optional key generation method, as shown in FIG. 1: with 0 as the first input data, a first key protocol is executed, and the result ciphertext output by the first key protocol is taken as the public key. Executing the first key protocol comprises: S101-S102.
S101, carrying out private key encryption on first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting a first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting a first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to the second distribution.
In an embodiment of the application, the public key is generated from the private key. Illustratively, the public key is as shown in equation (1).
Formula (1)
Wherein,And/>See equation (2) for the relationship between these.
Formula (2)
Wherein,Consistent with the second distribution,/>Conforming to a first distribution; /(I)The function represents the noise/>, when generating the public keyIs performed by the processor. In some embodiments, the first distribution is a discrete gaussian distribution/>The second distribution is ciphertext mode/>, of homomorphic encryption algorithmIs uniformly randomly distributed/>. Note that, if the variance of the discrete gaussian distribution used for the key setting is not important for the description, the discrete gaussian distribution may be expressed as/>. The plaintext mode of homomorphic encryption algorithm is/>
In the embodiment of the application, a ciphertext can be obtained from a plaintext by private-key encryption; see formula (3).
Formula (3)
Wherein,Conforming to the second distribution. In private key encryption, if random seed is synchronized, the/>Then equation (3) can be written as equation (4).
Formula (4)
In the embodiment of the application, any one of the n participants holds a private key fragment, where n is a positive integer. The participant can select first noise data from the first distribution and use the first noise data and the private key fragment to perform private-key encryption on the first input data, obtaining a first ciphertext fragment; see formula (5). The first input data is the private data of the participant.
Formula (5)
In an embodiment of the application, the participant may select the second noise data from the first distribution over the integer domain and the first random data from the second distribution, and use the second noise data and the private key fragment to perform private-key encryption on the first random data, obtaining a first random ciphertext fragment; see formula (6).
Formula (6)
S102, performing first verification based on a preset data relationship by using first input data, first noise data, second noise data, first random data, first ciphertext fragments of all participants and first random ciphertext fragments, and outputting a result ciphertext under the condition that the first verification is passed; the resulting ciphertext is the domain sum of the first ciphertext fragments of all the participants.
In the embodiment of the application, new data can be calculated from the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragment and the first random ciphertext fragment according to the preset data relationship. The first verification is performed based on the new data and the preset data relationship, and, if the verification passes, the domain sum of the first ciphertext fragments of all the participants is output as the result ciphertext.
In the embodiment of the application, the preset data relationship comprises two pieces of calculation data and one piece of result data. In this way, the participant can obtain one result data based on the preset data relationship and the two calculation data. Wherein, the two calculation data are data on the same number domain and conform to the same distribution. Here, the preset data relationship may be set as needed, and the embodiment of the present application is not limited.
In an embodiment of the application, the participant may use the domain sum of the first ciphertext fragments and the domain sum of the first random ciphertext fragments as the two calculation data of the preset data relationship to obtain the result data. This result data is the first algorithm result, obtained by applying first algorithm processing, based on the preset data relationship and private-key encryption, to the first input data, the first noise data, the second noise data and the first random data. The participant may also apply second algorithm processing, based on the preset data relationship and private-key encryption, to the first input data, the first noise data, the second noise data and the first random data to obtain a second algorithm result. Whether the first verification passes is judged by checking whether the first algorithm result and the second algorithm result are the same; if the first verification passes, the result ciphertext is output.
Based on the execution process of the first key protocol, it can be known that, when the first verification is passed, the output result ciphertext is as shown in equation (7).
Formula (7)
When the participant takes 0 as the first input data, equation (7) can be expressed as equation (8), i.e., a public key is obtained. Thus, the first key protocol verifies that the ciphertext is valid.
Formula (8)
It can be understood that the party can verify the validity of the ciphertext of the private data through the first key protocol, and when the private data is 0, the output ciphertext is the public key. The calculation process is verified at any time in the key generation process, so that the data security is ensured; and, the communication volume and the calculation volume of the key generation process are reduced.
In some embodiments of the application, the preset data relationship comprises: the product of the first relation data and a random number, added in the same number domain to the second relation data, is equal to the third relation data; the random number includes 0 or 1.
In an embodiment of the present application, the first relation data is the first calculation data, the second relation data is the second calculation data, and the third relation data is the result data. The preset data relationship may be written as formula (9).
Formula (9)
Wherein,And may be 0 or 1 as random data.
In some embodiments of the present application, in S102, using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragment of all the participants, and the first random ciphertext fragment, performing a first verification based on a preset data relationship, and in the case that the first verification passes, outputting the result ciphertext may include: S1021-S1024.
S1021, taking the first noise data as first relation data and the second noise data as second relation data, and obtaining the first noise relation data by utilizing a preset data relation; the first noise relationship data is broadcast.
In an embodiment of the application, the participant can obtain the first noise relation data from the first noise data and the second noise data through formula (9); see formula (10).
Formula (10)
S1022, using the first input data as first relation data, using the first random data as second relation data, and obtaining the first input relation data by using a preset data relation; the first input relationship data is broadcast.
In an embodiment of the application, the participant can obtain the first input relation data from the first input data and the first random data through formula (9); see formula (11).
Formula (11)
Here, the order in which S201 and S202 are performed is not limited. In some embodiments, S201 and S202 may be performed simultaneously.
S1023, carrying out private key encryption on the first input relation data by utilizing the first noise relation data and the private key fragments to obtain first relation ciphertext fragments; the first relationship ciphertext fragment is broadcast.
In an embodiment of the application, the participant can use the first noise relation data and the private key fragment to perform private-key encryption on the first input relation data, obtaining a first relation ciphertext fragment; see formula (12).
Formula (12)
S1024, performing first verification based on the domain sum of the first relation ciphertext fragments of all the participants, the sum of the first noise relation data, the sum of the first input relation data, the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments and the preset data relation.
In an embodiment of the present application, the first relation ciphertext fragment is the second algorithm result. The participant may output the first algorithm result based on the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments, and the preset data relationship. The first verification is completed by verifying whether the first algorithm result is the same as the second algorithm result.
In some embodiments of the present application, the implementation of the first verification in S1024 based on the domain sum of the first relationship ciphertext fragments of all the participants, the sum of the first noise relationship data, the sum of the first input relationship data, the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments, and the preset data relationship may include: S10241-S10242.
S10241, using the domain sum of the first ciphertext fragments as first relation data and the domain sum of the first random ciphertext fragments as second relation data, and obtaining third relation data as result relation data by using the preset data relationship.
In the embodiment of the application, the result relation data is the first algorithm result. See equation (13) for the calculation of the result relation data.
Formula (13)
Wherein,,/>
S10242, performing first verification based on the domain sum of the first relation ciphertext fragments of all the participants, the sum of the first noise relation data, the sum of the first input relation data, and the result relation data.
In an embodiment of the application, the sum of the first noise relation data is the sum of the first noise relation data of the n participants. Thus, the maximum norm of the sum of the first noise relation data should be less than or equal to 2n times the preset norm upper limit, i.e. the upper limit of the first distribution; see equation (14). Similarly, the maximum norm of the sum of the first input relation data should be less than or equal to 2n times the preset norm upper limit, i.e. the upper limit of the second distribution; see equation (15).
Formula (14)
Formula (15)
In some embodiments of the application, the participant can determine that the first verification is passed when the result relation data is identical to the domain sum of the first relation ciphertext fragments, i.e. equation (16) is satisfied, the sum of the first noise relation data satisfies equation (14), and the sum of the first input relation data satisfies equation (15).
Formula (16)
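The first key protocol and its first verification (S101, S1021-S1024) can be exercised end to end with a small simulation; the Python below is an added example, not code from the patent. Because formulas (1)-(16) are not reproduced on this page, the encryption form b = a*s + P*e + m (mod Q), the mask used for the relation ciphertext, the bounded uniform stand-in for the discrete Gaussian, the challenge bit beta being passed in as a parameter, and all names and parameter values are assumptions of this example.

```python
import random

# Toy parameters, constructed for this example (far too small for real use).
N = 8              # ring degree: polynomials live in Z_Q[X]/(X^N + 1)
Q = 2**31 - 1      # ciphertext modulus
P = 257            # plaintext modulus
B_NOISE = 4        # bound of the "first distribution" (stand-in for a discrete Gaussian)
B_RAND = Q // 2    # bound of the "second distribution" (uniform on centred residues mod Q)

def add(u, v):
    return [(x + y) % Q for x, y in zip(u, v)]

def scale(k, u):
    return [(k * x) % Q for x in u]

def mul(u, v):
    """Negacyclic product in Z_Q[X]/(X^N + 1)."""
    out = [0] * N
    for i, x in enumerate(u):
        for j, y in enumerate(v):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * x * y) % Q
    return out

def domain_sum(vectors):
    """Coefficient-wise sum mod Q (the 'domain sum' of ciphertext fragments)."""
    acc = [0] * N
    for v in vectors:
        acc = add(acc, v)
    return acc

def int_sum(vectors):
    """Coefficient-wise sum over the integers, used for the norm checks."""
    return [sum(col) for col in zip(*vectors)]

def sample(rng, bound):
    return [rng.randint(-bound, bound) for _ in range(N)]

def sk_encrypt(a, s, e, m):
    """Assumed private-key encryption: b = a*s + P*e + m (mod Q)."""
    return [(u + P * ei + mi) % Q for u, ei, mi in zip(mul(a, s), e, m)]

class Party:
    def __init__(self, rng, x=None, e=None):
        self.s = sample(rng, 1)                                # private key fragment
        self.x = x if x is not None else [0] * N               # first input data (0 for a public key)
        self.e = e if e is not None else sample(rng, B_NOISE)  # first noise data
        self.f = sample(rng, B_NOISE)                          # second noise data
        self.y = sample(rng, B_RAND)                           # first random data

    def fragments(self, a_c, a_r):
        """S101: first ciphertext fragment and first random ciphertext fragment."""
        return sk_encrypt(a_c, self.s, self.e, self.x), sk_encrypt(a_r, self.s, self.f, self.y)

    def relation(self, beta, a_c, a_r):
        """S1021-S1023: noise relation data, input relation data, relation ciphertext fragment."""
        e_rel = [beta * u + v for u, v in zip(self.e, self.f)]
        x_rel = [beta * u + v for u, v in zip(self.x, self.y)]
        a_rel = add(scale(beta, a_c), a_r)   # assumed mask for the relation ciphertext
        return e_rel, x_rel, sk_encrypt(a_rel, self.s, e_rel, x_rel)

def first_verification(beta, frags, rels):
    """S1024: return the result ciphertext if every check passes, else None."""
    n = len(frags)
    c_sum = domain_sum(c for c, _ in frags)
    r_sum = domain_sum(r for _, r in frags)
    result_rel = add(scale(beta, c_sum), r_sum)          # S10241: result relation data
    d_sum = domain_sum(d for _, _, d in rels)
    e_norm = max(abs(v) for v in int_sum([e for e, _, _ in rels]))
    x_norm = max(abs(v) for v in int_sum([x for _, x, _ in rels]))
    ok = d_sum == result_rel and e_norm <= 2 * n * B_NOISE and x_norm <= 2 * n * B_RAND
    return c_sum if ok else None

def run_first_key_protocol(parties, beta, seed, tamper=None):
    shared = random.Random(seed)             # synchronized random seed
    a_c, a_r = sample(shared, B_RAND), sample(shared, B_RAND)
    frags = [p.fragments(a_c, a_r) for p in parties]
    if tamper is not None:                   # simulate a fragment altered before broadcast
        c, r = frags[tamper]
        frags[tamper] = (add(c, [1] + [0] * (N - 1)), r)
    rels = [p.relation(beta, a_c, a_r) for p in parties]
    return a_c, first_verification(beta, frags, rels)

def public_key_noise(a, b, parties):
    """Checking helper (simulation only): b - a*s as centred integers, using all key fragments."""
    s = int_sum([p.s for p in parties])
    diff = add(b, scale(-1, mul(a, s)))
    return [v - Q if v > Q // 2 else v for v in diff]

if __name__ == "__main__":
    rng = random.Random(1)
    parties = [Party(rng) for _ in range(3)]
    a, pk = run_first_key_protocol(parties, beta=1, seed=7)
    print("result ciphertext accepted as public key:", pk is not None)
```

With every party's first input data set to 0, the accepted result ciphertext differs from a*s only by P times the summed first noise data, which is what makes it usable as a public key under the assumed encryption form.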
In some embodiments of the present application, the outputting of the result ciphertext in S102 when the first verification passes may include: S1021-S1023.
S1021, under the condition that the first verification passes, encrypting the first verification random number by utilizing the result ciphertext to obtain a first verification ciphertext and broadcasting; the first verification random number conforms to the second distribution.
In the embodiment of the application, the result ciphertext can be used as a public key, and the participant encrypts the first verification random number with the result ciphertext; this is public-key encryption. The first verification random numbers of all the participants are the same. Here, each participant needs to pick and broadcast a sub-first verification random number conforming to the second distribution, and then each participant needs to sum the sub-first verification random numbers of all the participants to obtain the first verification random number.
And S1022, performing distributed decryption on the first verification ciphertext to obtain a first decryption result.
In an embodiment of the application, the participant can decrypt the first verification ciphertext with its own private key to obtain a first decryption fragment, and broadcast it; the first decryption fragments of all participants are then summed to obtain the first decryption result.
S1023, outputting a result ciphertext under the condition that the first decryption result is the same as the first verification random number; or terminating the first key protocol in case the first decryption result is different from the first authentication random number.
In an embodiment of the application, when the first decryption result is equal to the first verification random number, the participant determines that the result ciphertext is valid as the public key and outputs the result ciphertext. When the first decryption result is not equal to the first verification random number, the participant determines that the generation process of the result ciphertext has been attacked and its security is affected, and the execution of the first key protocol needs to be stopped.
It can be understood that in the process of generating the public key through the first key protocol, the validity of the public key needs to be verified, and when the validity verification of the public key is passed, that is, the public key is safe, the result ciphertext is output as the public key; the security of information processing can be improved.
In some embodiments of the application, when generating keys, the participant needs to generate a re-linearization key in addition to the private key and the public key; the re-linearization key is generated from the private key, as shown in formula (17).
Formula (17)
Wherein,And/>The relationship between them is shown in formula (18).
Formula (18)
Wherein,The function is typically a linear function.
At this time, as shown in fig. 2, the key generation method may further include: S201-S202.
S201, taking a linear function value of a private key fragment as first input data, and executing a first key protocol to obtain a ciphertext of the linear function value of the private key; the private key is the domain sum of the private key fragments of all the participants.
In an embodiment of the application, the private key is fragmentedThe linear function value of (c) can be expressed as/>. Participant/>After the first key protocol is executed by taking the first key protocol as the first input data, ciphertext of the linear function value of the private key can be obtained. Here, the participants/>It is necessary to extract the random number/>, from the first distributionBy means of random numbers/>And private key sharding/>Pair/>Encrypting the private key to obtain ciphertext/>, of the linear function value of the private keyAs shown in equation (19).
Formula (19)
In the embodiment of the application, when the noise is not important to the description of the method, equation (19) may be written as equation (20).
Formula (20)
S202, taking the private key fragment as second input data, taking the ciphertext of the linear function value of the private key as third input data, executing a second key protocol, and taking the output multiplication ciphertext as a re-linearization key; the multiplication ciphertext is the domain sum of the first multiplication fragments of all the participants; the first multiplication fragment comprises the product of the ciphertext of the linear function value of the private key and the private key fragment.
In an embodiment of the application, the participant executes the second key protocol, i.e. outputs the multiplication ciphertext for the second input data and the third input data. The third input data of all the participants is the same ciphertext; the multiplication ciphertext is the domain sum of the first multiplication fragments of all the participants; see formula (21).
Formula (21)
Wherein,Ciphertext/>, as second input dataIs the third input data.
In an embodiment of the present application, when the second input data is the private key fragment and the third input data is the ciphertext of the linear function value of the private key, equation (21) may be written as equation (22).
Formula (22)
In the embodiment of the present application, according to the formula (22) and the formula (20), the formula (23) can be obtained, that is, the re-linearization key is obtained.
Formula (23)
It should be noted that the second key protocol is executedAs illustrated in fig. 3, may include: S301-S305.
S301, carrying out private key encryption on second input data by adopting third noise data and a private key fragment to obtain a second ciphertext fragment; broadcasting a second ciphertext fragment; the third noise data conforms to the first distribution.
In an embodiment of the application, the participantsPossession of private key fragment/>; The participant may choose the third noise data/>, from the first distributionBy means of third noise data/>And private key sharding/>For the second input data/>Performing private key encryption to obtain a second ciphertext fragment/>See equation (24).
Formula (24)
S302, establishing a multiplication data relation between the second input data and the third input data to obtain a first multiplication fragment.
In an embodiment of the present application, establishing the multiplication data relationship with reference to equation (22) includes: the product in the domain of the fourth relationship data and the fifth relationship data is equal to the sixth relationship data. Participant(s)Fourth relationship data/>, can be establishedData on fifth relation/>To obtain sixth relation data/>See formula (25).
Formula (25)
Based on formula (25), the participantsEstablishing the second input data/>And third input data/>To obtain the first multiplication slice/>As in equation (26).
Formula (26)
S303, carrying out private key encryption on the second random data by adopting the fourth noise data and the private key fragments to obtain second random ciphertext fragments; broadcasting a second random ciphertext fragment; the fourth noise data conforms to the first distribution; the second random data conforms to a second distribution.
In an embodiment of the application, the participantsThe fourth noise data/>, can be selected from the first distributionSelecting the second random data/>, from the second distributionUtilize fourth noise data/>And private key sharding/>For the second random data/>Performing private key encryption to obtain a second random ciphertext fragment/>See formula (27).
Formula (27)
S304, establishing a multiplication data relation between the second random data and the third input data to obtain a second multiplication fragment.
In an embodiment of the present application, the participants are based on equation (25)Establishing third random data/>And third input data/>To obtain the second multiplication slice/>As shown in equation (28).
Formula (28)
S305, performing second verification based on a preset data relationship and a multiplication data relationship by using the second input data, the third input data, the second random data, the third noise data and the fourth noise data, and the second ciphertext fragments and the second random ciphertext fragments of all the participants, and outputting the sum of the first multiplication fragments of all the participants as multiplication ciphertext under the condition that the second verification is passed.
In the embodiment of the application, the second input data can be input by utilizing the preset data relationshipAnd second random dataCalculate fourth noise data/>And third noise data/>Performing computation and performing computation on the second ciphertext fragment/>And second random ciphertext fragment/>Obtaining new data; and then carrying out second verification based on the new data and the preset data relationship, and outputting the first multiplication slices/>, of all the participants under the condition that the second verification is passedSum/>And obtaining the multiplication ciphertext.
In an embodiment of the application, the participantsThe second ciphertext may be fragmented/>Domain-wise and/>And a second random ciphertext fragment/>Domain-wise and/>Obtaining result data as two calculation data of a preset data relationship; the result data is based on the second random data/>Fourth noise data/>Second input data/>Third noise data/>And performing third algorithm processing based on the preset data relationship and the private key encryption to obtain a third algorithm result. Thus, the participants/>And can also be based on the second random ciphertext fragment/>Second ciphertext fragment/>And determining ciphertext relation data according to the preset data relation, and performing fourth algorithm processing to obtain a fourth algorithm result.
In an embodiment of the application, the participantsThe first multiplication can be sliced/>Domain-wise and/>And second multiplication slice/>Domain-wise and/>Obtaining result data as two calculation data of a preset data relationship; the result data is based on the third input data/>Second random data/>Fourth noise data/>And carrying out fifth algorithm processing on the multiplication data relationship and the preset data relationship to obtain a fifth algorithm result. Thus, the participants/>Can also be sliced according to the first multiplicationDomain-wise and/>Second multiplication slice/>Domain-wise and/>And performing a sixth algorithm processing on the multiplication data relationship to obtain a sixth algorithm result.
In an embodiment of the application, the participantsIt may be verified whether the third algorithm result and the fourth algorithm result are the same and whether the fifth algorithm result and the sixth algorithm result are the same; judging whether the second verification is passed or not based on the judgment; in case of the second verification passing, output/>
It will be appreciated that the party may take the linear function value of the private key as input and generate the ciphertext of the linear function value of the private key via the first key protocol, and then take that ciphertext and the private key fragment as input and output the re-linearization key via the second key protocol. The calculation process is verified throughout key generation, which ensures information security; in addition, the data amount of the key generation process is reduced.
FIG. 4 illustrates a process for generating a re-linearized key, as shown in FIG. 4, by a partyWill/>As input, execute a first key protocol/>The output result ciphertext is the ciphertext/>, of the linear function value of the private keyCiphertext of the linear function value/>And private key sharding/>As input, execute a second key protocol/>The output multiplication ciphertext is used as a re-linearization key.
In some embodiments of the present application, the implementation of the second verification in S303 using the second input data, the third input data, the second random data, the third noise data, the fourth noise data, and the second ciphertext fragment and the second random ciphertext fragment of all the participants based on the preset data relationship and the multiplication data relationship may include: s401 to S405.
S401, taking second input data as first relation data, taking second random data as second relation data, and obtaining the second input relation data by utilizing a preset data relation; the second input relationship data is broadcast.
In an embodiment of the present application, the second input relationship dataIs to use the preset data relationship to the second input dataAnd second random data/>The calculation is performed to obtain new data, see formula (29).
Formula (29)
S402, taking the third noise data as first relation data and the fourth noise data as second relation data, and obtaining the second noise relation data by utilizing a preset data relation; the second noise relationship data is broadcast.
In an embodiment of the application, the second noise relationship dataIs to use the preset data relationship to the third noise dataAnd fourth noise data/>The calculation is performed to obtain new data, see formula (30).
Formula (30)
S403, carrying out private key encryption on the second input relation data by utilizing the second noise relation data and the private key fragments to obtain a third ciphertext fragment; the third ciphertext fragment is broadcast.
In an embodiment of the application, the participantsAfter obtaining the second input relation data/>Second noise relationship dataMay be based on the second input relationship data/>And second noise relation data slicing/>Obtain third ciphertext fragment/>See formula (31).
Formula (31)
S404, taking the first multiplication slice as first relation data, taking the second multiplication slice as second relation data, and obtaining a third multiplication slice by utilizing a preset data relation; the third multiplication slice is broadcast.
In an embodiment of the application, the third multiplication slice can be derived from formula (32).
Formula (32)
S405, performing second verification by using the third ciphertext fragment, the second random ciphertext fragment, the second ciphertext fragment, the preset data relationship, the third multiplication fragment, the third input data and multiplication data relationship, the second input relationship data and the second noise relationship data.
In an embodiment of the application, the participantsMay be based on the second random ciphertext fragment/>Second ciphertext fragment/>Determining ciphertext relationship data with a preset data relationship as a fourth algorithm result; fragmenting/j > the third ciphertextAnd as a third algorithm result, verifying whether the third algorithm result and the fourth algorithm result are the same. Participant/>Third input data/>, which may be based on the sum of the second input relationship dataAnd a multiplication data relationship, determining multiplication data as a sixth algorithm result; third multiplication slice/>Verifying whether the fifth algorithm result and the sixth algorithm result are the same or not as the fifth algorithm result; thereby performing a second verification.
In some embodiments of the present application, the implementation of the second verification in S405 using the third ciphertext fragment, the second random ciphertext fragment, the second ciphertext fragment, the preset data relationship, the third multiplication fragment, the third input data, the multiplication data relationship, the second input relationship data, and the second noise relationship data may include: S4051-S4053.
S4051, obtaining third relation data as ciphertext relation data by using a preset data relation by taking the domain sum of the second ciphertext fragment as first relation data and the domain sum of the second random ciphertext fragment as second relation data.
In an embodiment of the application, the participantsCan be according to the second ciphertext fragment/>Get its domain sum/>And according to the second random ciphertext fragment/>Get its domain sum/>. Then, it can be according to/>、/>Determining ciphertext relationship data/>, with a preset data relationshipSee formula (33)
Formula (33)
S4052, taking the domain sum of the second input relationship data and the third input data as the fourth relationship data and the fifth relationship data, respectively, and obtaining multiplication data by using the multiplication data relationship.
In an embodiment of the application, the participantsCan be according to the second input relation data/>Get its domain sum/>. Then, it can be according to/>Third input data/>Determining multiplication data/>, with multiplication data relationshipSee formula (34)
Formula (34)
S4053, performing second verification based on the ciphertext relationship data, the domain sum of the third ciphertext fragment, the multiplication data, the domain sum of the third multiplication fragment, the sum of the second input relationship data, and the sum of the second noise relationship data.
In an embodiment of the application, the participantsMultiplication data/>As a result of the sixth algorithm, compare/>And third multiplication slice/>Domain-wise and/>And comparing ciphertext relationship data/>And third ciphertext fragment/>Domain-wise and/>Obtaining a comparison result; based on the comparison result, and the second input relationship data/>Sum/>Second noise relation data/>Sum/>And (5) whether the two thresholds are smaller than or equal to the corresponding upper limit, and performing second verification.
In an embodiment of the present application, the second input relationship dataSum/>Should be less than or equal to 2n times the upper limit of the preset norm, i.e. the upper limit of the first distribution/>See equation (35).
Formula (35)
Similarly, the second noise relation dataSum/>Should be less than or equal to 2n times the upper limit of the preset norm, i.e. the upper limit of the second distribution/>Is 2n times, see equation (36)
Formula (36)
It should be noted that, by combining formula (32), formula (28), and formula (26), formula (37) can be obtained.
Formula (37)
Thereby obtaining formula (38).
Formula (38)
In an embodiment of the application, the participantsCan be used in ciphertext relation data/>And third ciphertext fragment/>Domain-wise and/>Identical, multiplication data/>And third multiplication slice/>Domain-wise and/>The same, and in the case where formula (35) and formula (36) are satisfied, the second verification is determined to pass.
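The verifier-side checks of S4051 to S4053, as an added Python example that is not code from the patent. It assumes the domain is a toy ring Z_Q[X]/(X^N + 1), treats every ciphertext fragment as one opaque ring element (the private key encryption formula is not reproduced on this page), takes the two upper limits as parameters, and runs on a constructed transcript; all function and field names are hypothetical.

```python
import random

Q, N = 12289, 8  # constructed toy parameters for the ring Z_Q[X]/(X^N + 1)

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def mul(a, b):
    """Negacyclic product, i.e. multiplication modulo X^N + 1 and Q."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            sign = 1 if i + j < N else -1
            out[(i + j) % N] = (out[(i + j) % N] + sign * x * y) % Q
    return out

def field_sum(shares):
    """Domain sum of the values broadcast by all participants."""
    total = [0] * N
    for share in shares:
        total = add(total, share)
    return total

def relation(first, second, b):
    """Preset data relationship: third = first * b + second, with b in {0, 1}."""
    if b not in (0, 1):
        raise ValueError("the random number must be 0 or 1")
    return add([b * x for x in first], second)

def max_norm_of_sum(shares):
    """Largest |coefficient| of the share sum, summed over the integers after
    lifting each coefficient to [-Q/2, Q/2] so a wrap-around cannot hide it
    (the lifting is an assumption of this example)."""
    lift = lambda x: ((x + Q // 2) % Q) - Q // 2
    sums = [sum(lift(s[k]) for s in shares) for k in range(N)]
    return max(abs(v) for v in sums)

def second_verification(t, noise_limit, input_limit):
    """Return the list of failed checks; an empty list means the check passes."""
    n = len(t["c2"])
    failures = []
    # S4051: relation over the ciphertext domain sums vs. third ciphertext fragments
    if relation(field_sum(t["c2"]), field_sum(t["d2"]), t["b"]) != field_sum(t["c3"]):
        failures.append("ciphertext relationship")
    # S4052: (sum of input relationship data) * third input data vs. third slices
    if mul(field_sum(t["x_rel"]), t["y"]) != field_sum(t["m3"]):
        failures.append("multiplication relationship")
    # S4053: each opened sum must stay within 2n times the relevant upper limit
    if max_norm_of_sum(t["e_rel"]) > 2 * n * noise_limit:
        failures.append("noise bound")
    if max_norm_of_sum(t["x_rel"]) > 2 * n * input_limit:
        failures.append("input bound")
    return failures

def constructed_transcript(b, n=3, limit=4, seed=1):
    """Constructed honest transcript for n participants and challenge bit b."""
    rng = random.Random(seed)
    small = lambda: [rng.randint(-limit, limit) % Q for _ in range(N)]
    ring = lambda: [rng.randrange(Q) for _ in range(N)]
    y = ring()  # third input data, identical for all participants
    t = {"b": b, "y": y, "c2": [], "d2": [], "c3": [],
         "m3": [], "x_rel": [], "e_rel": []}
    for _ in range(n):
        x, r, e3, e4 = small(), small(), small(), small()
        c2, d2 = ring(), ring()  # opaque stand-ins for the ciphertext fragments
        t["c2"].append(c2)
        t["d2"].append(d2)
        t["c3"].append(relation(c2, d2, b))            # third ciphertext fragment
        t["m3"].append(relation(mul(x, y), mul(r, y), b))  # third multiplication slice
        t["x_rel"].append(relation(x, r, b))           # second input relationship data
        t["e_rel"].append(relation(e3, e4, b))         # second noise relationship data
    return t

if __name__ == "__main__":
    print(second_verification(constructed_transcript(1), 4, 4))
```

A single altered coefficient in any broadcast third multiplication slice or third ciphertext fragment changes the corresponding domain sum, so the equality checks fail independently of the two bound checks.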
In some embodiments of the present application, outputting the sum of the first multiplication slices of all the participants as the realization of the multiplication ciphertext in the case that the second verification passes in S305 may include: S3051-S3054.
S3051, under the condition that the second verification passes, encrypting the second verification random number by using a public key to obtain a second verification ciphertext; and encrypting the third verification random number by using the public key to obtain a third verification ciphertext; the second verification random number and the third verification random number conform to a second distribution.
In an embodiment of the application, each party, in the event of a second authentication passSelecting a sub second verification random number and a sub third verification random number which accord with the second distribution and broadcasting; then, each participant/>The sum of the sub second verification random numbers of all the participants can be calculated to obtain a second verification random number; and calculating the sum of the sub third verification random numbers of all the participants to obtain a third verification random number. And respectively carrying out encryption processing on the second verification random number and the third verification random number by using the public key to obtain a second verification ciphertext and a third verification ciphertext.
S3052, calculating the product of the second verification ciphertext and the third verification ciphertext by using the multiplication ciphertext, obtaining a verification product ciphertext and broadcasting.
In the embodiment of the application, each participantThe multiplication ciphertext can be used as a re-linearization key, the product of the second verification ciphertext and the third verification ciphertext is calculated, and the product ciphertext of the multiplication ciphertext is obtained and broadcasted.
And S3053, performing distributed decryption on the verification product ciphertext of all the participants to obtain a second decryption result.
In the embodiment of the application, each participantDecrypting the product ciphertext by using a private key to obtain a second decryption fragment of the product ciphertext and broadcasting the second decryption fragment; then, each participant/>And calculating the sum of the second decryption fragments of all the participants to obtain a second decryption result.
S3054, outputting the sum of the first multiplication slices of all the participants as a multiplication ciphertext under the condition that the domain products of the second verification random number and the third verification random number are identical to the second decryption result; or terminating the second key protocol if the product over the fields of the second authentication random number and the third authentication random number is different from the second decryption result.
In an embodiment of the application, the participantsIn the case where the product on the domain of the second verification random number and the third verification random number is equal to the second decryption result, the product ciphertext is determined to be valid as the re-linearization key, and the product ciphertext is output. Participant/>And under the condition that the product and the second decryption result are unequal in the domains of the second verification random number and the third verification random number, determining that the generation process of the product ciphertext is attacked, and the security is influenced, so that the second key protocol needs to be terminated.
It can be understood that in the process of generating the re-linearization key through the second key protocol, the validity of the re-linearization key needs to be verified, and when the validity verification of the re-linearization key passes, that is, the re-linearization key is safe, the product ciphertext is output as the re-linearization key; the security of information processing can be improved.
Illustratively, all participants are of the number ofTable 1 shows the comparison of the communication complexity and the calculation complexity. The keys in table 1 include public keys as well as re-linearization keys. The present application is compared with a method that invokes another set of MPC and with a method that adds commitments to generate keys. The commitment-based method repeats key generation a constant c times and randomly reveals the detailed parameters of c-1 of those key generation runs. The communication complexity and the calculation complexity are both measured in units of the number of minimum-granularity polynomials. The larger the number in table 1, the larger the number of polynomials and the higher the communication complexity and the computation complexity. As is apparent from table 1, the key generation method of the present application has significantly lower computational complexity and communication complexity than the other two methods.
TABLE 1
Based on the above-mentioned key generation method, the embodiment of the present application further provides a key generation device, as shown in fig. 5, where each party includes a key generation device 500, and the device 500 includes:
a generating module 501, configured to execute a first key protocol with 0 as first input data, and use the output result ciphertext as a public key; the executing the first key protocol includes: carrying out private key encryption on the first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting the first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting the first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to a second distribution; performing a first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting the result ciphertext when the first verification is passed; the result ciphertext is a domain sum of the first ciphertext fragments of all participants.
In some embodiments, the preset data relationship comprises: the sum, in the same number domain, of the second relationship data and the product of the first relationship data and a random number is equal to the third relationship data; the random number includes 0 or 1; the generating module 501 is further configured to use the first noise data as the first relationship data, and use the second noise data as the second relationship data, and obtain first noise relationship data by using the preset data relationship; broadcast the first noise relationship data; use the first input data as the first relationship data and the first random data as the second relationship data, and obtain first input relationship data by using the preset data relationship; broadcast the first input relationship data; perform private key encryption on the first input relationship data by using the first noise relationship data and the private key fragment to obtain a first relationship ciphertext fragment; broadcast the first relationship ciphertext fragment; and perform the first verification based on the domain sum of the first relationship ciphertext fragments, the sum of the first noise relationship data, the sum of the first input relationship data, the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments, and the preset data relationship of all the participants.
In some embodiments, the generating module 501 is further configured to use the domain sum of the first ciphertext fragments as the first relationship data and the domain sum of the first random ciphertext fragments as the second relationship data, and obtain third relationship data as result relationship data by using the preset data relationship; and perform the first verification based on the domain sum of the first relationship ciphertext fragments of all participants, the sum of the first noise relationship data, the sum of the first input relationship data, and the result relationship data.
In some embodiments, the generating module 501 is further configured to determine that the first verification passes when the result relationship data is the same as the domain sum of the first relationship ciphertext fragments, the maximum norm of the sum of the first noise relationship data is less than or equal to the upper limit of the first distribution multiplied by twice the total number of participants, and the maximum norm of the sum of the first input relationship data is less than or equal to the upper limit of the second distribution multiplied by twice the total number of participants.
In some embodiments, the generating module 501 is further configured to encrypt the first verification random number with the result ciphertext to obtain a first verification ciphertext and broadcast the first verification ciphertext if the first verification passes; the first verification random number conforms to the second distribution; performing distributed decryption on the first verification ciphertext to obtain a first decryption result; outputting the result ciphertext under the condition that the first decryption result is the same as the first verification random number; or terminating the first key protocol in the case that the first decryption result is different from the first authentication random number.
In some embodiments, the generating module 501 is further configured to use the linear function value of the private key fragment as the first input data, execute the first key protocol, and obtain a ciphertext of the linear function value of the private key; the private key is the domain sum of the private key fragments of all the participants; taking the private key fragment as second input data, taking ciphertext of a linear function value of the private key as third input data, executing a second key protocol, and taking the output multiplication ciphertext as a re-linearization key; the multiplication ciphertext is the domain sum of the first multiplication slices of all the participants; the first multiplication patch comprises a product of a ciphertext of a linear function value of the private key and the private key patch;
The executing the second key protocol includes: carrying out private key encryption on the second input data by adopting third noise data and the private key fragments to obtain second ciphertext fragments; broadcasting the second ciphertext fragment; the third noise data conforms to the first distribution; establishing a multiplication data relation between the second input data and the third input data to obtain a first multiplication fragment; carrying out private key encryption on the second random data by adopting the fourth noise data and the private key fragments to obtain second random ciphertext fragments; broadcasting the second random ciphertext fragment; the fourth noise data conforms to the first distribution; the second random data conforms to the second distribution; establishing a multiplication data relationship between the second random data and the third input data to obtain a second multiplication fragment; and performing second verification based on the preset data relationship and the multiplication data relationship by using the second input data, the third input data, the second random data, the third noise data, the fourth noise data, the second ciphertext fragment of all the participants and the second random ciphertext fragment, and outputting the sum of the first multiplication fragments of all the participants as the multiplication ciphertext under the condition that the second verification is passed.
In some embodiments, the multiplication data relationship comprises: the product of the fourth relationship data and the fifth relationship data in the domain is equal to the sixth relationship data; the generating module 501 is further configured to use the second input data and the third input data as the fourth relationship data and the fifth relationship data, respectively, to obtain the sixth relationship data as the first multiplication slice; and respectively using the second random data and the third input data as the fourth relation data and the fifth relation data to obtain the sixth relation data as the second multiplication slice.
In some embodiments, the generating module 501 is further configured to use the second input data as the first relationship data, use the second random data as the second relationship data, obtain second input relationship data by using the preset data relationship, and broadcast the second input relationship data; taking the third noise data as the first relation data, taking the fourth noise data as the second relation data, obtaining second noise relation data by utilizing the preset data relation, and broadcasting the second noise relation data; performing private key encryption on the second input relation data by using the second noise relation data and the private key fragment to obtain a third ciphertext fragment; broadcasting the third ciphertext fragment; taking the first multiplication slice as the first relation data, taking the second multiplication slice as the second relation data, and obtaining a third multiplication slice by utilizing the preset data relation; broadcasting the third multiplicative fragment; and performing the second verification by using the third ciphertext fragment, the second random ciphertext fragment, the second ciphertext fragment, the preset data relationship, the third multiplication fragment, the third input data, the multiplication data relationship, the second input relationship data and the second noise relationship data.
In some embodiments, the generating module 501 is further configured to use the domain sum of the second ciphertext fragments as the first relationship data and the domain sum of the second random ciphertext fragments as the second relationship data, and obtain third relationship data as ciphertext relationship data by using the preset data relationship; take the domain sum of the second input relationship data and the third input data as the fourth relationship data and the fifth relationship data, respectively, and obtain multiplication data by using the multiplication data relationship; and perform the second verification based on the ciphertext relationship data, the domain sum of the third ciphertext fragments, the multiplication data, the domain sum of the third multiplication fragments, the sum of the second input relationship data, and the sum of the second noise relationship data.
In some embodiments, the generating module 501 is further configured to determine that the second verification passes if the ciphertext relationship data is the same as the domain sum of the third ciphertext fragments, the multiplication data is the same as the domain sum of the third multiplication fragments, the maximum norm of the sum of the second noise relationship data is less than or equal to the upper limit of the first distribution multiplied by twice the total number of participants, and the maximum norm of the sum of the second input relationship data is less than or equal to the upper limit of the second distribution multiplied by twice the total number of participants.
In some embodiments, the generating module 501 is further configured to encrypt the second verification random number with the public key to obtain a second verification ciphertext if the second verification passes; and encrypting the third verification random number by using the public key to obtain a third verification ciphertext; calculating the product of the second verification ciphertext and the third verification ciphertext by using the re-linearization key, obtaining a verification product ciphertext and broadcasting the verification product ciphertext; performing distributed decryption on the verification product ciphertext of all the participants to obtain a second decryption result; outputting the sum of the first multiplication slices of all the participants as the multiplication ciphertext under the condition that the product in the domain of the second verification random number and the third verification random number is the same as the second decryption result; or terminating the second key protocol if the product over the domain of the second authentication random number and the third authentication random number is different from the second decryption result.
In some embodiments, the first distribution is a discrete gaussian distribution and the second distribution is a random uniform distribution over the domain of numbers.
Based on the above-mentioned key generation method, the embodiment of the present application further provides an electronic device, as shown in fig. 6, the electronic device 60 includes a memory 607, a processor 608, and a computer program stored on the memory 607 and executable on the processor 608; wherein the processor 608 is arranged to execute the key generation method as in the previous embodiments when running the computer program.
It is understood that the electronic device 60 also includes a bus system 609; the various components in the electronic device 60 are coupled together by a bus system 609. It is understood that the bus system 609 is used to enable connected communications between these components. The bus system 609 includes a power bus, a control bus, and a status signal bus in addition to the data bus.
It will be appreciated that the memory in embodiments of the application may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), magnetic random access memory (Ferromagnetic Random Access Memory, FRAM), flash memory (Flash Memory), magnetic surface memory, optical disk, or read-only optical disk (Compact Disc Read-Only Memory, CD-ROM). The volatile memory may be random access memory (Random Access Memory, RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (Static Random Access Memory, SRAM), synchronous static random access memory (Synchronous Static Random Access Memory, SSRAM), dynamic random access memory (Dynamic Random Access Memory, DRAM), synchronous dynamic random access memory (Synchronous Dynamic Random Access Memory, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate Synchronous Dynamic Random Access Memory, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced Synchronous Dynamic Random Access Memory, ESDRAM), synchronous link dynamic random access memory (SyncLink Dynamic Random Access Memory, SLDRAM), and direct memory bus random access memory (Direct Rambus Random Access Memory, DRRAM). The memory described by embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the embodiment of the application can be applied to a processor or realized by the processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium having memory and a processor reading information from the memory and performing the steps of the method in combination with hardware.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs steps in the above-described method.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative; for example, the division of modules is merely a logical function division, and other divisions may be used in practice, such as: multiple modules or components may be combined, or may be integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communicative connection between the components shown or discussed may be through some interface, and the indirect coupling or communicative connection between devices or modules may be electrical, mechanical, or in another form.
The above is merely an example of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and scope of the present application are included in the protection scope of the present application.

Claims (15)

1. A key generation method, comprising:
taking 0 as first input data, executing a first key protocol, and taking the output result ciphertext as a public key; the executing the first key protocol includes:
carrying out private key encryption on the first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting the first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting the first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to a second distribution;
performing a first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting the result ciphertext when the first verification is passed; the result ciphertext is a domain sum of the first ciphertext fragments of all the participants;
the performing a first verification based on a preset data relationship using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragment and the first random ciphertext fragment of all the participants, includes: performing first algorithm processing on the domain sum of the first ciphertext fragments and the domain sum of the first random ciphertext fragments by utilizing the preset data relationship to obtain a first algorithm result; encrypting the first input data, the first noise data, the second noise data and the first random data by using the preset data relationship and a private key, and performing second algorithm processing on the first input data, the first noise data, the second noise data and the first random data to obtain a second algorithm result; and determining that the first verification is passed under the condition that the first algorithm result and the second algorithm result are the same.
2. The key generation method according to claim 1, wherein the preset data relationship includes: the sum, in the same number domain, of the second relation data and the product of the first relation data and the random number is equal to the third relation data; the random number includes 0 or 1; the performing a first verification based on a preset data relationship using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragment and the first random ciphertext fragment of all the participants, includes:
taking the first noise data as the first relation data, taking the second noise data as the second relation data, and obtaining first noise relation data by utilizing the preset data relation; broadcasting the first noise relationship data;
the first input data is used as the first relation data, the first random data is used as the second relation data, and the first input relation data is obtained by utilizing the preset data relation; broadcasting the first input relationship data;
carrying out private key encryption on the first input relation data by utilizing the first noise relation data and the private key fragment to obtain a first relation ciphertext fragment; broadcasting the first relation ciphertext fragment;
and performing the first verification based on the domain sum of the first relation ciphertext fragments, the sum of the first noise relation data, the sum of the first input relation data, the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments, and the preset data relation of all the participants.
3. The key generation method according to claim 2, wherein the first verification based on the domain sum of the first relation ciphertext fragments, the sum of the first noise relation data, the sum of the first input relation data, the domain sum of the first ciphertext fragments, the domain sum of the first random ciphertext fragments, and the preset data relation of all the parties includes:
taking the domain sum of the first ciphertext fragments as the first relation data and the domain sum of the first random ciphertext fragments as the second relation data, and obtaining third relation data as result relation data by utilizing the preset data relation;
performing the first verification based on the domain sum of the first relationship ciphertext fragments of all participants, the sum of the first noise relationship data, the sum of the first input relationship data, and the result relationship data.
4. The key generation method according to claim 3, wherein said first verification based on the domain sum of the first relationship ciphertext fragments of all participants, the sum of the first noise relationship data, the sum of the first input relationship data, and the result relationship data comprises:
determining that the first verification passes when the result relationship data is the same as the domain sum of the first relationship ciphertext fragments, the maximum norm of the sum of the first noise relationship data is less than or equal to double the product of the upper limit of the first distribution and the total number of the participants, and the maximum norm of the sum of the first input relationship data is less than or equal to double the product of the upper limit of the second distribution and the total number of the participants.
5. The key generation method according to claim 1, wherein the outputting the result ciphertext in the case where the first verification passes includes:
under the condition that the first verification passes, encrypting the first verification random number by utilizing the result ciphertext to obtain a first verification ciphertext and broadcasting; the first verification random number conforms to the second distribution;
performing distributed decryption on the first verification ciphertext to obtain a first decryption result;
outputting the result ciphertext under the condition that the first decryption result is the same as the first verification random number; or terminating the first key protocol in the case that the first decryption result is different from the first verification random number.
6. The key generation method according to claim 1, wherein the key generation method further comprises:
taking the linear function value of the private key fragment as the first input data, executing the first key protocol to obtain a ciphertext of the linear function value of the private key; the private key is the domain sum of the private key fragments of all the participants;
taking the private key fragment as second input data, taking ciphertext of a linear function value of the private key as third input data, executing a second key protocol, and taking the output multiplication ciphertext as a re-linearization key; the multiplication ciphertext is the domain sum of the first multiplication fragments of all the participants; the first multiplication fragment comprises a product of a ciphertext of a linear function value of the private key and the private key fragment;
the executing the second key protocol includes: carrying out private key encryption on the second input data by adopting third noise data and the private key fragments to obtain second ciphertext fragments; broadcasting the second ciphertext fragment; the third noise data conforms to the first distribution;
establishing a multiplication data relation between the second input data and the third input data to obtain a first multiplication fragment;
carrying out private key encryption on the second random data by adopting the fourth noise data and the private key fragments to obtain second random ciphertext fragments; broadcasting the second random ciphertext fragment; the fourth noise data conforms to the first distribution; the second random data conforms to the second distribution;
establishing a multiplication data relationship between the second random data and the third input data to obtain a second multiplication fragment;
and performing second verification based on the preset data relationship and the multiplication data relationship by using the second input data, the third input data, the second random data, the third noise data, the fourth noise data, the second ciphertext fragment of all the participants and the second random ciphertext fragment, and outputting the sum of the first multiplication fragments of all the participants as the multiplication ciphertext under the condition that the second verification is passed.
7. The key generation method of claim 6, wherein the multiplication data relationship comprises: the product of the fourth relationship data and the fifth relationship data in the domain is equal to the sixth relationship data; the establishing a multiplication data relationship between the second input data and the third input data to obtain a first multiplication fragment includes:
taking the second input data and the third input data as the fourth relation data and the fifth relation data respectively, to obtain the sixth relation data as the first multiplication fragment;
the establishing a multiplication data relationship between the second random data and the third input data to obtain a second multiplication fragment includes:
and respectively using the second random data and the third input data as the fourth relation data and the fifth relation data to obtain the sixth relation data as the second multiplication fragment.
8. The key generation method of claim 7, wherein the preset data relationship comprises: the sum, in the same number domain, of the second relation data and the product of the first relation data and the random number is equal to the third relation data; the random number includes 0 or 1; the performing a second verification using the second input data, the third input data, the second random data, the third noise data, the fourth noise data, and the second ciphertext fragment, the second random ciphertext fragment of all the participants based on the preset data relationship and the multiplication data relationship, includes:
taking the second input data as the first relation data, taking the second random data as the second relation data, obtaining second input relation data by utilizing the preset data relation, and broadcasting the second input relation data;
taking the third noise data as the first relation data, taking the fourth noise data as the second relation data, obtaining second noise relation data by utilizing the preset data relation, and broadcasting the second noise relation data;
performing private key encryption on the second input relation data by using the second noise relation data and the private key fragment to obtain a third ciphertext fragment; broadcasting the third ciphertext fragment;
taking the first multiplication fragment as the first relation data, taking the second multiplication fragment as the second relation data, and obtaining a third multiplication fragment by utilizing the preset data relation; broadcasting the third multiplication fragment;
and performing the second verification by using the third ciphertext fragment, the second random ciphertext fragment, the second ciphertext fragment, the preset data relationship, the third multiplication fragment, the third input data, the multiplication data relationship, the second input relationship data and the second noise relationship data.
9. The key generation method of claim 8, wherein said performing said second verification using said third ciphertext fragment, a second random ciphertext fragment, a second ciphertext fragment, and said predetermined data relationship, and said third multiplication fragment, third input data, and said multiplication data relationship, and second input relationship data, second noise relationship data, comprises:
taking the domain sum of the second ciphertext fragments as the first relation data and the domain sum of the second random ciphertext fragments as the second relation data, and obtaining third relation data as ciphertext relation data by utilizing the preset data relation;
taking the domain sum of the second input relation data and the third input data as the fourth relation data and the fifth relation data respectively, and obtaining multiplication data by utilizing the multiplication data relation;
and performing the second verification based on the ciphertext relationship data, the domain sum of the third ciphertext fragment, the multiplication data, the domain sum of the third multiplication fragment, and the sum of the second input relationship data and the sum of the second noise relationship data.
10. The key generation method according to claim 9, wherein the performing the second verification based on the ciphertext relationship data, the domain sum of the third ciphertext fragment, the multiplication data, the domain sum of the third multiplication fragment, and the sum of the second input relationship data, the sum of the second noise relationship data, comprises:
determining that the second verification passes if the ciphertext relationship data is the same as the domain sum of the third ciphertext fragments, the multiplication data is the same as the domain sum of the third multiplication fragments, the maximum norm of the sum of the second noise relationship data is less than or equal to double the product of the upper limit of the first distribution and the total number of parties, and the maximum norm of the sum of the second input relationship data is less than or equal to double the product of the upper limit of the second distribution and the total number of parties.
11. The key generation method according to claim 6, wherein the outputting of the sum of the first multiplication fragments of all the parties as the multiplication ciphertext in the case where the second verification is passed includes:
under the condition that the second verification passes, encrypting the second verification random number by using the public key to obtain a second verification ciphertext; and encrypting the third verification random number by using the public key to obtain a third verification ciphertext;
calculating the product of the second verification ciphertext and the third verification ciphertext by using the re-linearization key, obtaining a verification product ciphertext and broadcasting the verification product ciphertext;
performing distributed decryption on the verification product ciphertext of all the participants to obtain a second decryption result;
outputting the sum of the first multiplication fragments of all the participants as the multiplication ciphertext under the condition that the product in the domain of the second verification random number and the third verification random number is the same as the second decryption result; or terminating the second key protocol if the product over the domain of the second verification random number and the third verification random number is different from the second decryption result.
12. The key generation method according to any one of claims 1 to 6, wherein,
the first distribution is a discrete gaussian distribution and the second distribution is a random uniform distribution over the domain of numbers.
13. A key generation apparatus, comprising:
the generation module is used for taking 0 as first input data, executing a first key protocol and taking the output result ciphertext as a public key; the executing the first key protocol includes:
carrying out private key encryption on the first input data by adopting first noise data and a private key fragment to obtain a first ciphertext fragment; broadcasting the first ciphertext fragment; carrying out private key encryption on the first random data by adopting the second noise data and the private key fragments to obtain first random ciphertext fragments; broadcasting the first random ciphertext fragment; the first noise data and the second noise data conform to a first distribution; the first random data conforms to a second distribution;
performing a first verification based on a preset data relationship by using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragments of all the participants and the first random ciphertext fragments, and outputting the result ciphertext when the first verification is passed; the result ciphertext is a domain sum of the first ciphertext fragments of all the participants;
the performing a first verification based on a preset data relationship using the first input data, the first noise data, the second noise data, the first random data, the first ciphertext fragment and the first random ciphertext fragment of all the participants, includes: performing first algorithm processing on the domain sum of the first ciphertext fragments and the domain sum of the first random ciphertext fragments by utilizing the preset data relationship to obtain a first algorithm result; encrypting the first input data, the first noise data, the second noise data and the first random data by using the preset data relationship and a private key, and performing second algorithm processing on the first input data, the first noise data, the second noise data and the first random data to obtain a second algorithm result; and determining that the first verification is passed under the condition that the first algorithm result and the second algorithm result are the same.
14. An electronic device, comprising:
a memory for storing a computer program executable on the processor;
a processor for implementing the steps of the method of any one of claims 1 to 12 when said computer program is executed.
15. A storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of any of claims 1 to 12.
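The first key protocol and first verification of claims 1 to 4, as an added toy example that is not code from the patent. The component-wise encryption -a·s + e + Δ·m, the shared public masks `a_c` and `a_d`, the mask `bit·a_c + a_d` for the relation ciphertext, the bounded uniform second distribution and all parameters are assumptions chosen so that the preset data relationship can be checked on ciphertext sums.

```python
import random

# Toy parameters, all assumptions for illustration (not from the patent).
Q, N = 2**31 - 1, 8      # modulus and vector length
DELTA = Q // 257         # plaintext scaling factor
B1, B2 = 8, 128          # upper limits of the first / second distribution
_rng = random.SystemRandom()

def add(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]

def scale(k, x):
    return [(k * a) % Q for a in x]

def vsum(vectors):
    total = [0] * N
    for v in vectors:
        total = add(total, v)
    return total

def max_norm(x):
    # Infinity norm of the centred representative modulo Q.
    return max(min(a % Q, Q - a % Q) for a in x)

def noise():
    # First distribution: rounded Gaussian truncated to [-B1, B1].
    return [max(-B1, min(B1, round(_rng.gauss(0, 3.2)))) for _ in range(N)]

def bounded_uniform():
    # Second distribution, assumed here to be uniform on [-B2, B2].
    return [_rng.randint(-B2, B2) for _ in range(N)]

def sk_encrypt(a, s, m, e):
    # Assumed private-key encryption: -a*s + e + DELTA*m, component-wise.
    return [(-ai * si + ei + DELTA * mi) % Q
            for ai, si, mi, ei in zip(a, s, m, e)]

def party_messages(a_c, a_d, s, bit, e1=None):
    # In the protocol c and d are broadcast before the bit is drawn;
    # everything is computed in one call here only to keep the demo short.
    m = [0] * N                               # first input data is 0
    e1 = noise() if e1 is None else e1        # first noise data
    e2, r = noise(), bounded_uniform()        # second noise, first random data
    z_e = add(scale(bit, e1), e2)             # first noise relation data
    z_m = add(scale(bit, m), r)               # first input relation data
    a_t = add(scale(bit, a_c), a_d)           # assumed mask for t
    return {"c": sk_encrypt(a_c, s, m, e1),   # first ciphertext fragment
            "d": sk_encrypt(a_d, s, r, e2),   # first random ciphertext fragment
            "z_e": z_e, "z_m": z_m,
            "t": sk_encrypt(a_t, s, z_m, z_e)}  # first relation ciphertext fragment

def first_verification(msgs, bit):
    n = len(msgs)
    c_sum = vsum(m["c"] for m in msgs)
    d_sum = vsum(m["d"] for m in msgs)
    result_relation = add(scale(bit, c_sum), d_sum)   # claim 3
    ok = (result_relation == vsum(m["t"] for m in msgs)          # claim 4
          and max_norm(vsum(m["z_e"] for m in msgs)) <= 2 * B1 * n
          and max_norm(vsum(m["z_m"] for m in msgs)) <= 2 * B2 * n)
    return ok, c_sum

def run_keygen(n=3, bit=None, tamper=None):
    a_c = [_rng.randrange(Q) for _ in range(N)]
    a_d = [_rng.randrange(Q) for _ in range(N)]
    shares = [[_rng.randint(-1, 1) for _ in range(N)] for _ in range(n)]
    bit = _rng.randrange(2) if bit is None else bit
    msgs = []
    for i, s in enumerate(shares):
        big = [10 * B1 * n] * N if (tamper == "noise" and i == 0) else None
        msgs.append(party_messages(a_c, a_d, s, bit, e1=big))
    if tamper == "ciphertext":
        msgs[0]["t"][0] = (msgs[0]["t"][0] + 1) % Q
    ok, c_sum = first_verification(msgs, bit)
    # Shares are returned only so the demo can check the key; they never
    # leave the parties in a real run.
    return {"pk": (a_c, c_sum), "shares": shares} if ok else None

if __name__ == "__main__":
    print("honest:", run_keygen() is not None)
    print("tampered t:", run_keygen(tamper="ciphertext") is not None)
```

In this toy, a challenge bit of 0 leaves the first noise data out of the relation data, so oversized noise is only rejected when the bit is 1.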
CN202410313870.8A 2024-03-19 2024-03-19 Key generation method and device, electronic equipment and storage medium Active CN117910024B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410313870.8A CN117910024B (en) 2024-03-19 2024-03-19 Key generation method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117910024A CN117910024A (en) 2024-04-19
CN117910024B CN117910024B (en) 2024-05-24

Family

ID=90696327

Country Status (1)

Country Link
CN (1) CN117910024B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant