Journal of Software (软件学报), Vol. 31, No. 12, December 2020
• The ciphertexts $(c'_{iL}, c'_{iR})$ are constructed by Alice as follows.

(1) From the ciphertexts $C_{b'_1}, C_{b'_2}$, compute using scheme $E$:

$$C_{(a_{2L}\cdot b'_1)+k'_{1a}} = ((C_{b'_1})^{k_{1a}\cdot a_{2L}} \bmod n^2)\times(1+k_{1a}k'_{1a}n)\,r_{1a}^{n} \bmod n^2,$$

$$C_{(a_{1L}\cdot b'_2)+k'_{1a}} = ((C_{b'_2})^{k_{1a}\cdot a_{1L}} \bmod n^2)\times(1+k_{1a}k'_{1a}n)\,r_{2a}^{n} \bmod n^2,$$

$$C_{(a_{2R}\cdot b'_1)+k'_{2a}} = ((C_{b'_1})^{k_{2a}\cdot a_{2R}} \bmod n^2)\times(1+k'_{2a}k_{2a}n)\,r_{3a}^{n} \bmod n^2,$$

$$C_{(a_{1R}\cdot b'_2)+k'_{2a}} = ((C_{b'_2})^{k_{2a}\cdot a_{1R}} \bmod n^2)\times(1+k'_{2a}k_{2a}n)\,r_{2a}^{n} \bmod n^2;$$

(2) Randomly select one:

$$((c'_{1L}, c'_{1R}), (c'_{2L}, c'_{2R})) \in \{\ldots\},$$

where the set lists eight tuples of the form $((C, C), (C, C))$, each arranging the four ciphertexts from step (1) into two ordered pairs.
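By contrast, the real view generated by Alice in the actual execution of protocol $\Pi_1$ is $(C_{b_1}, C_{b_2}, (c_{1L}, c_{1R}), (c_{2L}, c_{2R}))$, where $C_{b_1}, C_{b_2}$ are obtained by Bob with his own public key by computing $C_{b_1} = (1+n)^{b_1} r_{b_1}^{n} \bmod n^2$, $C_{b_2} = (1+n)^{b_2} r_{b_2}^{n} \bmod n^2$, and the ciphertexts $(c_{iL}, c_{iR})$ are constructed by Alice as follows.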
(1) From the ciphertexts $C_{b_1}, C_{b_2}$, compute using the homomorphic property of scheme $E$:

$$C_{(a_{2L}\cdot b_1)+k'_{1a}} = ((C_{b_1})^{k_{1a}\cdot a_{2L}} \bmod n^2)\times(1+k_{1a}k'_{1a}n)\,r_{1a}^{n} \bmod n^2,$$

$$C_{(a_{1L}\cdot b_2)+k'_{1a}} = ((C_{b_2})^{k_{1a}\cdot a_{1L}} \bmod n^2)\times(1+k_{1a}k'_{1a}n)\,r_{2a}^{n} \bmod n^2,$$

$$C_{(a_{2R}\cdot b_1)+k'_{2a}} = ((C_{b_1})^{k_{2a}\cdot a_{2R}} \bmod n^2)\times(1+k'_{2a}k_{2a}n)\,r_{3a}^{n} \bmod n^2,$$

$$C_{(a_{1R}\cdot b_2)+k'_{2a}} = ((C_{b_2})^{k_{2a}\cdot a_{1R}} \bmod n^2)\times(1+k'_{2a}k_{2a}n)\,r_{2a}^{n} \bmod n^2;$$

(2) Randomly select one:

$$((c_{1L}, c_{1R}), (c_{2L}, c_{2R})) \in \{\ldots\},$$

where the set lists eight tuples of the form $((C, C), (C, C))$, each arranging the four ciphertexts from step (1) into two ordered pairs.
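After the adversary $S_2^{\Pi_1}$ (or Bob) obtains $(c'_{iL}, c'_{iR})$ and $(c_{iL}, c_{iR})$, decryption yields at most a system of 4 equations (each containing 3 different unknowns), so it is impossible to compute the specific $a_{1L}, a_{2L}, a_{1R}, a_{2R}$ by solving the system simultaneously. That is, $S_2^{\Pi_1}$ satisfies the security definition relation (1b).

In summary, in the semi-honest model, the protocol for privately determining whether a rational number belongs to an interval whose upper and lower bounds are rational numbers is secure. □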
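The following added example (not code from the paper) runs step (1) of the real execution end to end: Bob encrypts $b_1, b_2$ as $(1+n)^{b} r^{n} \bmod n^2$, Alice applies the homomorphic blinding, and Bob's decryptions come out as $k(a \cdot b + k')$, one equation in three unknowns per ciphertext. The function names, the toy Mersenne-prime modulus, all sample values, and the reading of scheme $E$ as textbook Paillier with generator $1+n$ are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy modulus from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)   # Bob's private key
MU = pow(LAM, -1, N)           # inverse of lambda mod n (generator is 1 + n)

def rand_unit():
    """Random r in Z_n^* for the r^n randomizer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

def encrypt(m):
    """C_m = (1 + n)^m * r^n mod n^2, using (1 + n)^m = 1 + m*n mod n^2."""
    return (1 + m * N) % N2 * pow(rand_unit(), N, N2) % N2

def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def blind(c_b, a, k, k_prime):
    """Alice's step (1): ((C_b)^(k*a) mod n^2) * (1 + k*k'*n) * r^n mod n^2."""
    masked = pow(c_b, k * a, N2) * ((1 + k * k_prime * N) % N2) % N2
    return masked * pow(rand_unit(), N, N2) % N2

def demo():
    """Return Bob's four decryptions for constructed sample inputs."""
    b1, b2 = 3, 4                      # Bob's rational 3/4 (constructed)
    a1L, a2L, a1R, a2R = 1, 2, 5, 6    # Alice's interval [1/2, 5/6] (constructed)
    k1, k1p, k2, k2p = 17, 23, 29, 31  # Alice's blinding values (constructed)
    c_b1, c_b2 = encrypt(b1), encrypt(b2)
    cts = (blind(c_b1, a2L, k1, k1p), blind(c_b2, a1L, k1, k1p),
           blind(c_b1, a2R, k2, k2p), blind(c_b2, a1R, k2, k2p))
    # Each plaintext is k*(a*b + k'): Bob knows b but not a, k or k'.
    # Assumption (not stated on this page): Bob only compares d[0] with d[1]
    # and d[2] with d[3], which preserves the order of a2L*b1 vs a1L*b2, etc.
    return [decrypt(c) for c in cts]

if __name__ == "__main__":
    print(demo())
```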