
Text | Wang Zuxi (flower name: Jin Jiu)

Ant Group Development Engineer
Responsible for container delivery in Ant Group's Kubernetes clusters; focuses on cluster delivery capability, delivery performance, delivery tracing and related fields

This article: 3063 words, about a 5-minute read

"Data stays in its domain: usable but not visible"

01 Background

With the rapid development of big data and artificial intelligence, leaks and abuse of personal privacy data occur from time to time, and privacy and security issues are receiving more and more attention.

China has enacted the Cryptography Law (in force from 2020) and the Personal Information Protection Law, which impose higher requirements on the protection and encryption of personal privacy data.


Privacy computing has therefore been constantly mentioned and studied for its excellent data protection function: it keeps data "in its domain, usable but not visible", restricts the scenarios in which the data can be used, prevents data leakage, and has aroused the enthusiasm of the industry.

Privacy computing refers to a collection of technologies that realize data sharing and computation on the premise that the data itself is never exposed to the outside world: the value of the data is shared rather than the source data itself, making the data usable but not visible.

  • For individual users, privacy computing helps ensure the security of personal information;
  • For enterprises, privacy computing is the key path to fulfilling data protection obligations during data collaboration;
  • For the government, privacy computing is an important support for maximizing the value of data.

Privacy computing is currently undergoing application trials in finance, medical care, telecommunications, government affairs and other fields, for example:

  • Financial institutions

Without disclosing any party's original data, distributed model training can effectively control risks such as credit risk and fraud;

  • Institutions in other sectors (medical care, telecommunications, government affairs)

Joint modeling and data analysis can be carried out without sharing the original data; data users can use the computed results without infringing on user privacy, which effectively promotes the efficient use of data.

Privacy computing involves multiple technologies: secure multi-party computation (MPC), trusted execution environments (TEE), federated learning (FL), homomorphic encryption (HE), differential privacy (DP), zero-knowledge proofs (ZKP), blockchain (BC), and so on.

Each of these technologies has its own strengths and weaknesses, and privacy computing products and platforms are built from combinations of them.

Among them, homomorphic encryption is directly a matter of cryptography. The existing open source homomorphic encryption projects each have their own strengths and weaknesses and are rather complicated for users. As a basic cryptographic library, BabaSSL should provide an easy-to-use and efficient implementation of homomorphic encryption algorithms with clean interfaces, so that upper-layer applications can use homomorphic encryption more easily.

In addition, with the rise of privacy computing technology, Ant Group has launched an out-of-the-box privacy computing infrastructure, a one-stop solution: the Trusted Native All-in-One machine.

As the core cryptographic library in the Ant Trusted Native All-in-One, BabaSSL integrates the cryptographic capabilities required for privacy computing, such as homomorphic encryption, bringing a more convenient and efficient experience to users of the Trusted Native All-in-One.

02 Homomorphic encryption

Homomorphic Encryption (HE) refers to encryption algorithms whose ciphertexts support homomorphic operations. According to the operation supported, it is divided into additive homomorphism and multiplicative homomorphism:

  • Additive homomorphism: an operation on two ciphertexts yields a ciphertext of the sum of the two plaintexts

  • Multiplicative homomorphism: an operation on two ciphertexts yields a ciphertext of the product of the two plaintexts

The data is first homomorphically encrypted to obtain ciphertext; homomorphic addition or multiplication on the ciphertexts yields a ciphertext result; and homomorphically decrypting that result gives the same value as adding or multiplying the original data directly.

Depending on how many additions and multiplications can be performed, it is further divided into fully homomorphic encryption and semi-homomorphic encryption.

- Fully homomorphic encryption (Fully Homomorphic Encryption, FHE)

1. Supports any number of addition and multiplication operations

2. Difficult to implement and poor performance (keys are too large, operations are slow, and ciphertexts are too large)

3. Mainstream algorithms: Gentry, BFV, BGV, CKKS

4. Interfaces that need to be implemented (the same set as listed under semi-homomorphic encryption below)

- Semi-homomorphic encryption (Partially Homomorphic Encryption, PHE)

1. Supports only one of addition or multiplication, or a limited number of both at the same time

2. Simple principle, easy to implement, good performance

3. Mainstream algorithms: RSA, ElGamal, Paillier

4. Interfaces that need to be implemented:

(1) KeyGen(): key generation algorithm; generates the public key PK (Public Key) used to encrypt data, the private key SK (Secret Key), and some public parameters PP (Public Parameter).

(2) Encrypt(): encryption algorithm; uses PK to encrypt the user data Data and obtains the ciphertext CT (Ciphertext).

(3) Decrypt(): decryption algorithm; uses SK to decrypt the ciphertext CT and obtains the original data PT (Plaintext).

(4) Add(): ciphertext homomorphic addition; takes two CTs and adds them homomorphically.

(5) Sub(): ciphertext homomorphic subtraction; takes two CTs and subtracts them homomorphically.

(6) ScalaMul() or Mul(): ciphertext homomorphic scalar multiplication; takes a CT and a scalar PT and computes the scalar multiple of the CT.

 

EC-ElGamal principle

The ElGamal encryption algorithm is an asymmetric encryption algorithm based on the Diffie-Hellman key exchange. EC-ElGamal is its elliptic curve (ECC) variant, obtained by porting ElGamal onto an elliptic curve. The main calculations are elliptic curve point addition, point subtraction, point multiplication, modular inversion and discrete logarithms.

The algorithm principle of EC-ElGamal is as follows:

- Public parameters

1. G: base point of the elliptic curve

2. SK: private key, SK = d (d is a random number between 0 and the order q of the elliptic curve)

3. PK: public key, PK = dG

- Encryption

1. Plaintext m, random number r

2. Compute the ciphertext C (a pair of elliptic curve points) from m, r, G and PK

3. The value range of the plaintext m is the modulo space of order(G), but in actual use m must be limited to a much smaller range (for example, 32 bits), otherwise the elliptic curve discrete logarithm problem (ECDLP) that decryption has to solve cannot be solved.

- Decryption

1. Compute rPK

2. Compute mG

3. Solve the ECDLP for mG to obtain the plaintext m

- Ciphertext addition and subtraction

1. Given two ciphertexts, each a pair of ECC points

2. Ciphertext addition: add the 2 ECC points of the 2 ciphertexts respectively, 2 point additions in total

3. Ciphertext subtraction: subtract the 2 ECC points of the 2 ciphertexts respectively, 2 point subtractions in total

- Ciphertext scalar multiplication

1. Given a ciphertext (a pair of ECC points)

2. Multiply each of the 2 ECC points of the ciphertext by the scalar 𝑚_2, 2 point multiplications in total

3. The result is the same as the homomorphic encryption of the plaintext m2·m1, with random number r = m2·r1

03 Algorithm implementation

Interface definition

  • Object related interfaces

1. Context object: EC_ELGAMAL_CTX, this object stores the public and private keys and some other information used internally, and is the first parameter of every other interface of the EC-ElGamal algorithm.

The interface is as follows:

// Create an EC_ELGAMAL_CTX object; key is the EC_KEY object holding the ECC public key or private key

2. Decryption table object:

EC_ELGAMAL_DECRYPT_TABLE, this object stores the internal state of the decryption table. The elliptic curve discrete logarithm problem (ECDLP) can only be solved by brute force, which is relatively slow. The usual approach is the baby-step giant-step algorithm (Baby-Step Giant-Step, BSGS): precompute all possible plaintext results in advance and store them in a hash table, so that later decryptions need only a small number of operations plus hash table lookups, which greatly improves ECDLP decryption efficiency. Initializing the decryption table may be relatively slow, however, and how the table is implemented determines the decryption speed, so it is intended that its implementation can later be opened to upper-layer applications; therefore a decryption table object and a default implementation are defined here.

The interface is as follows:

// Create an EC_ELGAMAL_DECRYPT_TABLE object
// When decrypt_negative is 1 the table can decrypt negative numbers: the possible negative values are computed and inserted into the hash table when the table is initialized.
EC_ELGAMAL_DECRYPT_TABLE *EC_ELGAMAL_DECRYPT_TABLE_new(EC_ELGAMAL_CTX *ctx,
                                                       int32_t decrypt_negative);

// Free an EC_ELGAMAL_DECRYPT_TABLE object
void EC_ELGAMAL_DECRYPT_TABLE_free(EC_ELGAMAL_DECRYPT_TABLE *table);

// Set the EC_ELGAMAL_DECRYPT_TABLE object on the context object
// If a decryption table exists it is used to solve the ECDLP during decryption; otherwise brute force is used, which is very slow
void EC_ELGAMAL_CTX_set_decrypt_table(EC_ELGAMAL_CTX *ctx,
                                      EC_ELGAMAL_DECRYPT_TABLE *table);

3. Ciphertext object:

EC_ELGAMAL_CIPHERTEXT, according to the principle above the result of encryption is two points, so this object stores the ciphertext (the two points) produced by encryption and consumed by decryption and the homomorphic operations.

The interface is as follows:

// Create an EC_ELGAMAL_CIPHERTEXT object
EC_ELGAMAL_CIPHERTEXT *EC_ELGAMAL_CIPHERTEXT_new(EC_ELGAMAL_CTX *ctx);

// Free an EC_ELGAMAL_CIPHERTEXT object
void EC_ELGAMAL_CIPHERTEXT_free(EC_ELGAMAL_CIPHERTEXT *ciphertext);

4. Encryption/decryption interface

// Encrypt: encrypt the plaintext plaintext and store the result in the EC_ELGAMAL_CIPHERTEXT object pointed to by r
int EC_ELGAMAL_encrypt(EC_ELGAMAL_CTX *ctx, EC_ELGAMAL_CIPHERTEXT *r, int32_t plaintext);

// Decrypt: decrypt the ciphertext ciphertext and store the result in the int32_t pointed to by r
int EC_ELGAMAL_decrypt(EC_ELGAMAL_CTX *ctx, int32_t *r, EC_ELGAMAL_CIPHERTEXT *ciphertext);

5. Ciphertext addition/subtraction/scalar multiplication interface

// Ciphertext addition, r = c1 + c2
int EC_ELGAMAL_add(EC_ELGAMAL_CTX *ctx, EC_ELGAMAL_CIPHERTEXT *r,
                   EC_ELGAMAL_CIPHERTEXT *c1, EC_ELGAMAL_CIPHERTEXT *c2);

// Ciphertext subtraction, r = c1 - c2
int EC_ELGAMAL_sub(EC_ELGAMAL_CTX *ctx, EC_ELGAMAL_CIPHERTEXT *r,
                   EC_ELGAMAL_CIPHERTEXT *c1, EC_ELGAMAL_CIPHERTEXT *c2);

// Ciphertext scalar multiplication, r = m * c
int EC_ELGAMAL_mul(EC_ELGAMAL_CTX *ctx, EC_ELGAMAL_CIPHERTEXT *r,
                   EC_ELGAMAL_CIPHERTEXT *c, int32_t m);

6. Encoding/decoding interface

Homomorphic encryption involves multiple parties and may require network transmission. The ciphertext object EC_ELGAMAL_CIPHERTEXT can therefore be encoded before being sent to the other party, and the other party must decode it back into an EC_ELGAMAL_CIPHERTEXT object before calling the other interfaces on it.

The interface is as follows:

// Encode: encode the ciphertext ciphertext into the buffer out, whose memory must be allocated by the caller in advance;
// if out is NULL, return the buffer size required for the encoding;
// compressed selects the encoding: 1 for compressed encoding (shorter output), 0 for normal encoding (longer output)
size_t EC_ELGAMAL_CIPHERTEXT_encode(EC_ELGAMAL_CTX *ctx, unsigned char *out,
                                    size_t size, EC_ELGAMAL_CIPHERTEXT *ciphertext,
                                    int compressed);

// Decode: decode the size bytes of memory at in into the ciphertext object r
int EC_ELGAMAL_CIPHERTEXT_decode(EC_ELGAMAL_CTX *ctx, EC_ELGAMAL_CIPHERTEXT *r,
                                 unsigned char *in, size_t size);
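As an added example that is not BabaSSL's code, the following pure-Python implementation walks through the EC-ElGamal principle of section 02 and the decryption table and ciphertext operations defined above: key generation, encryption as the point pair (rG, mG + rPK), decryption by computing C2 - d·C1 = mG and solving the small ECDLP with a baby-step giant-step table that also stores negated points (the decrypt_negative behaviour), plus ciphertext addition, subtraction and scalar multiplication. The secp256k1 curve, the table sizes and all function names are this example's own assumptions, not BabaSSL's API.

```python
import secrets
# Constructed parameters: the secp256k1 curve y^2 = x^3 + 7 (an assumption; BabaSSL takes its curve from an EC_KEY)
P = 2**256 - 2**32 - 977                                    # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert pow(G[1], 2, P) == (pow(G[0], 3, P) + 7) % P         # sanity check: G lies on the curve

def neg(A):                      # point negation; None represents the point at infinity
    return None if A is None else (A[0], (-A[1]) % P)
def add(A, B):                   # affine point addition (doubling when A == B)
    if A is None or B is None: return A if B is None else B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None   # A == -B
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:      lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)
def mul(k, A):                   # double-and-add scalar multiplication; k may be negative
    if k < 0: k, A = -k, neg(A)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def keygen():                    # SK = d, PK = dG
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)
def encrypt(pk, m):              # C = (C1, C2) = (rG, mG + rPK) with a fresh random r
    r = secrets.randbelow(N - 1) + 1
    return (mul(r, G), add(mul(m, G), mul(r, pk)))
def ct_add(c1, c2): return (add(c1[0], c2[0]), add(c1[1], c2[1]))            # 2 point additions
def ct_sub(c1, c2): return (add(c1[0], neg(c2[0])), add(c1[1], neg(c2[1])))  # 2 point subtractions
def ct_mul(c, k):   return (mul(k, c[0]), mul(k, c[1]))                      # 2 point multiplications

class DecryptTable:              # BSGS table: baby steps jG (and -jG when decrypt_negative) keyed by point
    def __init__(self, baby=256, giant=256, decrypt_negative=True):
        self.baby, self.giant, self.negative = baby, giant, decrypt_negative
        self.table, pt = {None: 0}, None
        for j in range(1, baby):
            pt = add(pt, G)
            self.table[pt] = j
            if decrypt_negative: self.table[neg(pt)] = -j
        self.step = neg(mul(baby, G))                       # one giant step subtracts baby*G
    def solve(self, Q):          # return m with Q = mG, or None when m is outside the table's range
        lo = -self.giant if self.negative else 0
        R = add(Q, mul(-lo * self.baby, G))                 # R = Q - lo*baby*G
        for i in range(lo, self.giant + 1):
            if R in self.table: return i * self.baby + self.table[R]
            R = add(R, self.step)
        return None
def decrypt(sk, c, table):       # mG = C2 - d*C1, then solve the small ECDLP with the table
    return table.solve(add(c[1], neg(mul(sk, c[0]))))
```

With the default table sizes the decryptable range is roughly ±65536; a larger baby table trades initialization time for faster decryption, which is the tradeoff the decryption table object exists for.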

Core implementation

BabaSSL is derived from OpenSSL and internally supports many elliptic curve implementations.

For example, most international curves (prime256v1, secp384r1, etc.) and the Chinese national cryptographic curve (SM2) are supported, and basic algorithms such as elliptic curve point operations and public/private key generation are already implemented in BabaSSL. The core implementation therefore consists mainly of implementing the EC-ElGamal principle and the ECDLP solving algorithm.

Because the code is too long to include here, see it on GitHub:

https://github.com/BabaSSL/BabaSSL/blob/master/crypto/ec/ec_elgamal.c

For specific usage methods and examples, see the project documentation.

