# 前置知识
约数

![1](picture/1.jpg)

GCD：**两个不同时为0的整数α与b的公约数中最大的称为其最大公约数，记作gcd(a，b)。**
互质数

![2](picture/2.jpg)

例如，gcd(24，30)=6，gcd(5，7)=1，gcd(0，9)=9。如果a与b不同时为0，则ged(a，b)是一个在

欧几里得法（又叫辗转相除法）
思想很简单，
```python
    while b > 0: # 欧几里得法，又叫辗转相除法
        a, b = b, a % b
```

最小公倍数（Least Common Multiple，LCM）

![3](picture/3.jpg)

注意：gcd(a,0) = gcd(0,a) = a
[参考链接(要开vpn才能访问)](https://asecuritysitecom/encryption/pal_ex)

参考书籍：《算法导论》

# 密钥生成
![4](picture/4.jpg)

In [1]:
from random import randint
import libnum
import sys
p=17
q=19
def gcd(a,b):
    '''
        最大公约数
    '''
    while b > 0: # 欧几里得法，又叫辗转相除法
        a, b = b, a % b
    return a
    
def lcm(a, b):
    '''
        最小公倍数
    '''
    return a * b / gcd(a, b)



2
144


![5](picture/5.jpg)

 于是便有公钥(n,g) 私钥(gLamda,gMu)

In [55]:
n = p*q
g = randint(20,150)
gLambda = int(lcm(p-1,q-1))
l = (pow(g, gLambda, n*n)-1)//n # 这里是将参数带入的L(x)
gMu = libnum.invmod(l, n) # 得到μ
gMu

230

![6](picture/6.jpg)

m:明文 

n:n=p*q，两个大质数乘积

 r:随机数  
 
 g:随机整数

In [56]:
r = randint(20,150)
m = 10
k1 = pow(g, m, n*n)
k2 = pow(r, n, n*n)

cipher = (k1 * k2) % (n*n)
cipher

15867

![7](picture/7.jpg)

In [57]:
l = (pow(cipher, gLambda, n*n)-1) // n

mess= (l * gMu) % n
mess

10

![8](picture/8.jpg)

同态加密测试，密文加2

In [7]:
g = 285 
n = 323
if (gcd(g,n)==1):
	print("g 和 n*n 互质")
else:
	print("不互质")

19
不互质


In [59]:

m1=2
k3 = pow(g, m1, n*n)
cipher2 = (k3 * k2) % (n*n)
ciphertotal = (cipher* cipher2) % (n*n)

l = (pow(ciphertotal, gLambda, n*n)-1) // n
mess2= (l * gMu) % n

print("Result:",mess2)

Result: 12


# 定理证明
![9](picture/9.jpg)

# 完整代码

In [None]:
from random import randint
import libnum
import sys

def gcd(a,b):
    """ 最大公约数"""
    while b > 0:
        a, b = b, a % b
    return a
    
def lcm(a, b):
    """最小公倍数"""
    return a * b // gcd(a, b)



def L(x,n):
	return ((x-1)//n)

p=17
q=19
m=10

if (len(sys.argv)>1):
	m=int(sys.argv[1])

if (len(sys.argv)>2):
	p=int(sys.argv[2])

if (len(sys.argv)>3):
	q=int(sys.argv[3])

if (p==q):
	print("P and Q cannot be the same")
	sys.exit()

n = p*q

gLambda = lcm(p-1,q-1)


g = randint(20,150)
if (gcd(g,n*n)==1):
	print("g 和 n*n 互质")
else:
	print("WARNING: g 和 n*n 不互质!!!")

r = randint(20,150)


l = (pow(g, gLambda, n*n)-1)//n
gMu = libnum.invmod(l, n)

k1 = pow(g, m, n*n)
k2 = pow(r, n, n*n)
cipher = (k1 * k2) % (n*n)
l = (pow(cipher, gLambda, n*n)-1) // n

mess= (l * gMu) % n

print("p=",p,"\tq=",q)
print("g=",g,"\tr=",r)
print("================")
print("Mu:\t\t",gMu,"\tgLambda:\t",gLambda)
print("================")
print("公钥 (n,g):\t\t",n,g)
print("私钥 (lambda,mu):\t",gLambda,gMu)
print("================")
print("明文:\t",mess)

print("密文:\t\t",cipher)
print("解密后的密文:\t",mess)

print("================")
print("进行同态加密，原有基础上加2")


m1=2

k3 = pow(g, m1, n*n)

cipher2 = (k3 * k2) % (n*n)

ciphertotal = (cipher* cipher2) % (n*n)

l = (pow(ciphertotal, gLambda, n*n)-1) // n

mess2= (l * gMu) % n

print("Result:\t\t",mess2)

# 封装成类

In [None]:
from random import randint
import libnum
import sys
import numpy as np

class Pallier:
    def __init__(self) -> None:
        """ 为了防止不互质的情况出现，这里参数都手动设置，而不是随机值,注意：要加密的信息越长，质数就越大"""
        self.p=9967
        self.q=9973
        self.g = 1753
        self.r = 2677
        self.n = self.p*self.q

    def gcd(self,a,b):
        """ 最大公约数"""
        while b > 0:
            a, b = b, a % b
        return a
        
    def lcm(self,a, b):
        """最小公倍数"""
        return a * b // self.gcd(a, b)

    def public_key(self):
        """ 公钥(n,g) """
        return self.n,self.g

    def condition(self):
        if (self.gcd(self.g,self.n*self.n)==1):
            print("g 和 n*n 互质")
        else:
            print("WARNING: g 和 n*n 不互质!!!")
            print("不互质此时结果不对!!!")
        if (self.gcd(self.l,self.n)==1):
            print("l 和 n 互质")
        else:
            print("WARNING:l和n不互质,此时程序会报错")

    def private_key(self):
        """ 私钥(gLamda,gMu) """
        gLambda = int(self.lcm(self.p-1,self.q-1))
        self.l = (pow(self.g, gLambda, self.n*self.n)-1)//self.n # 这里是将参数带入的L(x)
        self.condition()
        gMu = libnum.invmod(self.l, self.n) # 得到μ
        return gLambda,gMu

    # def mx_encrypt(self,mx):
    #     mx_g = np.zeros([2,mx.shape[1]])
    #     mx_n = np.zeros([2,mx.shape[1]])
    #     k1 = np.zeros([2,mx.shape[1]])
    #     k1 = 

    def encrypt(self,m):
        """ 公钥进行加密。m为明文,返回密文 """
        k1 = pow(self.g, m, self.n*self.n) # g^m%(n^2)
        self.k2 = pow(self.r, self.n, self.n*self.n)
        cipher = (k1 * self.k2) % (self.n*self.n)
        return cipher

    def decrypt(self,cipher,gLambda,gMu):
        """ 私钥进行解密。输入密文和私钥，返回明文 """
        l = (pow(cipher, gLambda, self.n*self.n)-1) // self.n
        mess= (l * gMu) % self.n
        return mess

    def add_homo(self,cipher,m1,gLambda,gMu):
        k3 = pow(self.g,m1,self.n*self.n)
        cipher2 = (k3 * self.k2) % (self.n*self.n)
        ciphertotal = (cipher* cipher2) % (self.n*self.n)
        l = (pow(ciphertotal, gLambda, self.n*self.n)-1) // self.n
        mess2= (l * gMu) % self.n
        return mess2

    def cout(self,gLambda,gMu,cipher,mess,m1):     
        print("p=",self.p,"\tq=",self.q)
        print("g=",self.g,"\tr=",self.r)
        print("================")
        print("Mu:\t\t",gMu,"\tgLambda:\t",gLambda)
        print("================")
        print("公钥 (n,g):\t\t",self.n,self.g)
        print("私钥 (lambda,mu):\t",gLambda,gMu)
        print("================")
        print("明文:\t",mess)

        print("密文:\t\t",cipher)
        print("解密后的密文:\t",mess)

        print("================")
        print("进行同态加密，原有基础上加",m1)

if __name__ == "__main__":
    test = Pallier()
    m = 8800000
    gLambda,gMu = test.private_key()
    cipher = test.encrypt(m)
    mess = test.decrypt(cipher,gLambda,gMu)
    m1 = 2000000
    test.cout(gLambda,gMu,cipher,mess,m1)
    mess1 = test.add_homo(cipher,m1,gLambda,gMu)
    test.condition()
    print("Result:\t\t",mess1)

# 对矩阵进行操作

In [70]:
import numpy as np
user1Items1 = np.array([
         np.array([ 0.29908732,-0.95422575])
        ])

user2Items1 = np.array([
             np.array([ 0.219908732,-0.95422575])
            ])

user1Items1_tem = user1Items1.T
user1Items1_tem = user1Items1_tem*1e+7
user1Items1_tem = user1Items1_tem.astype(np.float64)
print(user1Items1_tem)

user1Items2_tem = user2Items1.T
user1Items2_tem = user1Items2_tem*1e+7
user1Items2_tem = user1Items2_tem.astype(np.float64)
p=9967
q=9973
g = 1753
r = 2677
n = p*q


[[ 2990873.2]
 [-9542257.5]]


# Pallier算法慢的原因：
每个数字的密钥都是单独的，k1 = pow(g, m, n*n)，m为明文，m不同，k1就不同，所以矩阵的每个元素都要单独计算公钥，而使用np会溢出，直接使用Pow计算又只能使用遍历，其复杂度过高

In [None]:
# 生成公钥
k1 = pow(g, m, n*n)
k2 = pow(r, n, n*n)
cipher = (k1 * k2) % (n*n)

In [None]:
def private_key():
    """ 私钥(gLamda,gMu) """
    gLambda = int(lcm(p-1,q-1))
    l = (pow(g, gLambda, n*n)-1)//n # 这里是将参数带入的L(x)
    gMu = libnum.invmod(l, n) # 得到μ
    return gLambda,gMu

## 方案一：失败
直接使用矩阵计算密文
mx_k1 = np.power(mx_g,user1Items1_tem)%(n*n)
1868277117.py:1: RuntimeWarning: overflow encountered in power 
numpy矩阵溢出，尝试了幂模运算，失败

In [67]:
mx_g = np.full([2,user1Items1_tem.shape[1]],g).astype(np.float64)
mx_n = n*n
mx_n

126172012849

In [68]:
mx_g

array([[223.],
       [223.]])

In [53]:
k1 = pow(g, 299, n*n)
k1

48495062761

In [38]:
user1Items1_tem

array([[ 2990873],
       [-9542257]])

In [54]:
mx_k1 = np.full([2,user1Items1_tem.shape[1]],g).astype(np.float64)

In [69]:
mx_k1 = np.power(mx_g,user1Items1_tem)%(n*n)

  mx_k1 = np.power(mx_g,user1Items1_tem)%(n*n)
  mx_k1 = np.power(mx_g,user1Items1_tem)%(n*n)


In [43]:
mx_k1

array([[nan],
       [ 0.]])

# 方案二
单独计算，然后放入矩阵内