CN101783728B - Public key encryption method for ergodic matrix over hidden field - Google Patents

Abstract

The invention relates to a public key encryption method for ergodic matrixes over a hidden field, belonging to the technical field of cryptology and computers. The public key encryption method comprises key generation, encryption and decryption. A user owns two keys, where one key is privately owned and is called as a private key, and the other key can be disclosed and is called as a public key. The public key is (Fq, [rho 1 (x, y), ... , rho m (x, y)]), the private key is (Q1, Q2, M, B1, B2, lambada) and the private key cannot be deduced from the public key; the public key is used to convert a plaintext into a ciphertext (encryption) and the private key is used to restore the ciphertext into the plaintext (decryption). The invention has the advantages that the key space is large, the randomness of the public key is good, the operational speed is fast, the technology can be disclosed and the method can be used for the secure storage and the transmission of any files and data in computers and communication networks.

Description

The key encrypt method of Ergodic Matrices on the Hidden field

(1) technical field

Public key encryption method (being called for short key encrypt method or public key cryptography scheme) belongs to cryptographic technique and field of computer technology, is one of core technology of information security and Trusted Computing.

(2) background technology

Classic cryptographic technique, symmetric cryptographic technique and public key cryptography technology three phases have been experienced in the development of cryptographic technique.1976, American scholar Diffie and Hellman proposed the thought of public key cryptography, indicated the arriving of public key cryptography technology.The public key encryption method of generally using at present has schemes such as RSA, Rabin and EIGamal (referring to " applied cryptography ", U.S. BruceSchneier is outstanding, and Wu Shizhong, Zhu Shixiong etc. translates, China Machine Press, January calendar year 2001,334-342 page or leaf).In order to shorten parameter length, the EIGamal scheme is everlasting, and simulation realizes that at this moment, it is called as the ECC scheme on the elliptic curve.

In the scheme of using at present the fail safe of RSA and Rabin scheme based on be several greatly factorization problems; The fail safe of EIGamal scheme based on be discrete logarithm problem; And the fail safe of ECC scheme based on be the discrete logarithm problem in the elliptic curve group; In the limited time and resource, be impossible promptly to finding the solution of the problems referred to above.Along with the raising of computer run speed, the security parameter of appeal scheme has become increasing, has greatly reduced the efficient of enciphering/deciphering.The particularly realization of quantum computer in the future makes big number factorization and discrete logarithm find the solution and can in polynomial time, carry out.

Because main theory involved in the present invention and technology are the applicant and propose first, and great majority are still unexposed delivers.For the ease of to understanding of the present invention, special they are described.

2.1 basic symbol involved in the present invention

F _q: q unit finite field

F _q ⁿ: F _qThe set of last n dimensional vector

F _q ⁿ{0}:F _qThe set of last non-zero n dimensional vector

F _q ^{1 * n}: F _qThe set of last n dimension row vector

F _q ^{1 * n}{0}:F _qThe set of last non-zero n dimension row vector

F _q ^{N * m}: F _qThe set of last n * m matrix

R (M): the row vector set of matrix M

C (M): the column vector set of matrix M

The element of

matrix M is the resulting column vector in back by rows

F _q[x]: F _qGo up multinomial set about literal x

V _S(A): the vector space that Vector Groups A generated

2.2 BMQ problem and difficulty thereof on the finite field prove

At first introduce F _qOn " BMQ problem ".Be F _qOn " problem of finding the solution of bisection multivariate quadratic equation group (Bisectional Multivariate Quadratic equations solving problem) ".It is defined as follows:

Definition 2.1 (BMQ problem): F _qOn total 2n the variable of equation group E and m equation, being constructed as follows of each equation:

$\underset{i=1}{\overset{n}{\mathrm{\Σ}}}\underset{j=1}{\overset{n}{\mathrm{\Σ}}}{a}_{\mathrm{Ij}}^{\left(k\right)}{x}_i{y}_j=b_k$ (a _Ij ^(k), b _k∈ F _qBe determined value, k=1 ..., m) separating of equation group E asked in examination $(x_1,\·\·\·,x_n),(y_1,\·\·\·,y_n)\∈F_q^n.$

The BMQ problem is a special case of MQ problem.Difference is that the variable in the BMQ equation group has been divided into two groups that quantity equates.And only contain quadratic expression in each equation, and any quadratic expression is a product of respectively getting one of which in these two groups of variablees.Therefore in the BMQ equation group, 2n variable formed n just ²Individual quadratic expression.Different with it, in the MQ equation group, in each equation except containing quadratic expression, the one more formula.Therefore 2n variable can be formed 2n altogether ²+ n quadratic expression and 2n expression of first degree.

In addition, F _qOn the MQ equation group unique solution can be arranged.But when q＞2, if x=is (x ₁..., x _n) and y=(y ₁..., y _n) be that of BMQ equation group E separates, then to c ∈ F arbitrarily _q{0}, cx=(cx ₁..., cx _n) and c ^-1Y=(c ^-1y ₁..., c ^-1y _n) also must be separating of E.Therefore when q＞2, F _qOn the BMQ solution of equations not unique.F _qOn the MQ problem be proved to be NP completely, prove F below _qOn the BMQ problem also be NP completely.

Theorem 2.1:F _qOn the BMQ problem be NP completely.

Proof: the 3-coloring problem of known figure G be NP completely, if but this problem reduction is F _qOn the BMQ problem, then the latter also must be NP completely.But the 3-coloring problem reduction that at first proves G is F ₂On the BMQ problem, the design as follows:

1) each vertex v of G _iAll corresponding F ₂On a pair of variable (x _i, y _i)

2) v _iPainted and (x _i, y _i) corresponding relation between the value is:

v _iColor-1, color-2, color-3 and if only if (x _i, y _i)=(0,1), (1,0), (1,1)

3) for each isolated vertex v of G _s, add EQUATION x _sy _s=1 in equation group E

4) if vertex v among the G _iAnd v _jAdjacent, then add EQUATION x _iy _j+ x _jy _i=1 in equation group E

Can get F thus ₂On BMQ equation group E.For isolated vertex v _s, by the EQUATION x in the 3rd step _sy _s=1, can know that it has unique solution (x _s, y _s)=(1,1), promptly to each isolated vertex of G equal color-3.

And for adjacent vertex v _iAnd v _j, by the EQUATION x in the 4th step _iy _j+ x _jy _i=1, can know:

(x _i，y _i)≠(0，0)^(x _j，y _j)≠(0，0)^(x _i，y _i)≠(x _j，y _j)

Be v _iAnd v _jEach can only use one of three kinds of colors painted, and v _iAnd v _jNot homochromy.So but the 3-coloring problem reduction of G is solving equation group E.Thereby proved F ₂On the BMQ problem be NP completely.

But the 3-coloring problem of demonstrate,proving G again also reduction is F _qBMQ problem on (q＞2), conceive as follows:

1) each vertex v of G _iAll corresponding F _qIn three groups of variablees, two pairs every group:

$\left[\begin{array}{cc}{x}_{i1}^{\left(1\right)}& y_{i1}^{\left(1\right)}\\ x_{i2}^{\left(1\right)}& y_{i2}^{\left(1\right)}\end{array}\right]\left[\begin{array}{cc}{x}_{i1}^{\left(2\right)}& y_{i1}^{\left(2\right)}\\ x_{i2}^{\left(2\right)}& y_{i2}^{\left(2\right)}\end{array}\right]\left[\begin{array}{cc}{x}_{i1}^{\left(3\right)}& y_{i1}^{\left(3\right)}\\ x_{i2}^{\left(3\right)}& y_{i2}^{\left(3\right)}\end{array}\right]$

And the value of every group of variable can only have following two kinds of situations:

$\left[\begin{array}{cc}\mathrm{\α}& 0\\ 0& \mathrm{\β}\end{array}\right]$ Or $\left[\begin{array}{cc}0& \mathrm{\α}\\ \mathrm{\β}& 0\end{array}\right]$ (brief note does respectively With

$\mathrm{\α},\mathrm{\β}\∈F_q\backslash \left\{0\right\}$ )

2) vertex v _iPainted with its corresponding relation between the value of corresponding three groups of variablees be:

v _iAnd if only if color-1

v _iAnd if only if color-2

v _iAnd if only if color-3

3) for each vertex v of G _t, selected arbitrarily δ ∈ F _q{0}, and add following equation in equation group E:

$x_{t1}^{\left(1\right)}{y}_{t1}^{\left(1\right)}=0,$ $x_{t2}^{\left(1\right)}{y}_{t2}^{\left(1\right)}=0,$ $x_{t1}^{\left(1\right)}{y}_{t2}^{\left(1\right)}+x_{t2}^{\left(1\right)}{y}_{t1}^{\left(1\right)}=\mathrm{\δ}$

$x_{t1}^{\left(2\right)}{y}_{t1}^{\left(2\right)}=0,$ $x_{t2}^{\left(2\right)}{y}_{t2}^{\left(2\right)}=0,$ $x_{t1}^{\left(2\right)}{y}_{t2}^{\left(2\right)}+x_{t2}^{\left(2\right)}{y}_{t1}^{\left(2\right)}=\mathrm{\δ}$

$x_{t1}^{\left(3\right)}{y}_{t1}^{\left(3\right)}=0,$ $x_{t2}^{\left(3\right)}{y}_{t2}^{\left(3\right)}=0,$ $x_{t1}^{\left(3\right)}{y}_{t2}^{\left(3\right)}+x_{t2}^{\left(3\right)}{y}_{t1}^{\left(3\right)}=\mathrm{\δ}$

$x_{t1}^{\left(1\right)}{y}_{t1}^{\left(2\right)}=0,$ $x_{t1}^{\left(1\right)}{y}_{t2}^{\left(3\right)}=0,$ $x_{t1}^{\left(2\right)}{y}_{t2}^{\left(3\right)}=0,$ $x_{t1}^{\left(1\right)}{y}_{t2}^{\left(1\right)}+x_{t1}^{\left(2\right)}{y}_{t2}^{\left(2\right)}+x_{t1}^{\left(3\right)}{y}_{t2}^{\left(3\right)}=\mathrm{\δ}$

4) if vertex v among the G _iAnd v _jAdjacent, equation is in equation group E below then adding

$x_{i1}^{\left(1\right)}{y}_{j2}^{\left(1\right)}=0,$ $x_{i1}^{\left(2\right)}{y}_{j2}^{\left(2\right)}=0,$ $x_{i1}^{\left(3\right)}{y}_{j2}^{\left(3\right)}=0$

Can get F thus _qOn BMQ equation group E.By the equation in the 3rd step, can know each summit of G lucky one of 3 kinds of colors.And by the 4th the step equation, can guarantee that then any two adjacent vertexs of G various colors.So but the 3-coloring problem reduction of G is to F _qLast BMQ equation group E finds the solution.So F _qOn the BMQ problem also be NP completely.

Card is finished.

2.3BMQ problem find the solution difficulty analysis

Though we have proved F in theory _qOn the BMQ problem be NP completely, but this and do not mean that to finding the solution of any BMQ equation group all be difficult, it is found the solution, and the number of variable and equation has confidential relation in difficulty and the equation group.Carry out labor in the face of it down.

If F _qOn BMQ equation group E contain 2n variable x ₁..., x _n, y ₁..., y _nWith m equation.With each the quadratic expression (x among the E _iy _j) all use a new variables z _IjRepresent, then can obtain N ₁=n ²Individual variable and M ₁The linear function group E of=m equation ₁Claim that this process is " to the once heavily linearisation of E ".

If m>=n ², then can obtain E ₁All z that separates _Ij, and then by z _IjAnti-release E separates $(x_1,\·\·\·,x_n),(y_1,\·\·\·,y_n)\∈F_q^n.$

Otherwise, make r=n ²-m.Then can obtain E ₁The basis separate and be $Z_1,\·\·\·,Z_r\∈F_q^{n^2},$ And E ₁A particular solution $Z_0\∈F_q^{n^2}.$ And E ₁General solution can show be:

Z＝(z ₁₁，z ₁₂，…，z _nm)＝Z ₀+α ₁Z ₁+α ₂Z ₂+…+α _rZ _r(α _i∈F _q) (I)

But the E that obtains like this ₁Q ^rThe overwhelming majority in individual the separating is " parasitic solution (parasitic solution) ", and by E ₁Parasitic solution Z can't obtain the legal of E and separate.Special, when E has just that (q-1) is individual to be separated, E ₁Has only a non-parasitic solution.E when though E separates ₁Non-parasitic solution must be arranged, but work as q ^rWhen very big, can't pass through E ₁All rough power of separating attempts deriving separating of E.

To the solution technique of MQ problem on the finite field, the most effectively surely belong to " heavily linearisation (relinearization) " method that Kipnis and Shamir propose from present.The basic thought of this method is through the equation number being represented less than the general solution of the equation group of variable number, being constructed the more equation of high order.Thereby make the equation of higher degree sum that finally obtains number more than or equal to high order variable product term (new variables).And finally obtain separating of full scale equation group through counter pushing away.

Because the BMQ problem is a special case of MQ problem, so heavy linearization technique is still effective to finding the solution the BMQ problem.But wanting respective change aspect the reconstruct of equation and variable.Concrete grammar is following:

For F _qOn BMQ equation group E, as m＜n ²The time, can know that by the discussion of front the key of finding the solution E is to confirm equation group E ₁Non-parasitic solution Z=(z ₁₁, z ₁₂..., z _Nm).Again by (I) formula, each component z of Z _Ij=x _iy _jSatisfy:

z _ij＝s ₀+s ₁α ₁+s ₂α ₂+…+s _rα _r (II)

R=n wherein ²-m, s ₀..., s _r∈ F _qBe known constant, α ₁..., α _r∈ F _qBe variable.Therefore Z's confirms to be equivalent to again how at (α ₁..., α _r) q ^rPlant and to locate its value exactly in the option.For this reason can be to shape like (x _ax _by _iy _j) 4 formulas carry out the reconstruct of equation and variable.By equality:

(x _ax _by _iy _j)＝(x _ay _i)(x _by _j)＝(x _ay _j)(x _by _i)

Can get 2 equation of n th order n z _Aiz _Bj=z _Ajz _BiWith this equation of (II) formula substitution, can obtain about α ₁..., α _r2 equation of n th order n:

$\underset{1\≤i\≤j\≤r}{\mathrm{\Σ}}{a}_{i,j}\left({\mathrm{\α}}_i{\mathrm{\α}}_j\right)+\underset{1\≤i\≤r}{\mathrm{\Σ}}{b}_i{\mathrm{\α}}_i=c---\left(\mathrm{III}\right)$

Shape is like (x again _ax _by _iy _j) the total C of 4 formulas _n ²* C _n ²Individual, each can both produce the equation of 1 shape like (III) formula.And shape is like (x _ax _ay _iy _j) and (x _ax _by _iy _i) 4 formulas all do not produce new equation; So can obtain shape by 4 times all formulas adds up to like 2 equation of n th order n of (III) formula:

$M_2=C_n^2\×C_n^2=\frac{n^2{(n-1)}^2}{4}$

With each 2 the formula (α in (III) formula _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

$N_2=\frac{r(r+1)}{2}+r=\frac{r(r+3)}{2}$

So can get F _qOn have M ₂Individual equation, N ₂The linear function group E of individual variable ₂Deserve to be called and state reconstruct equation group E ₂Process be " to the heavily linearisation of secondary of E ".The M that even now obtains ₂Having in the individual equation much is linear correlation, but when analyzing, might as well suppose that they are linear independence each other.

If M is arranged this moment ₂>=N ₂, then can be by E ₂Solve α ₁..., α _r∈ F _qAgain with α ₁..., α _rSubstitution (II) formula can solve all z _Ij=(x _iy _j), and then the separating of the anti-E of release $(x_1,\·\·\·,x_n),(y_1,\·\·\·,y_n)\∈F_q^n.$

If M ₂＜N ₂, then can further carry out three heavily linearisations to E.Promptly to shape like (x _ax _bx _cy _iy _jy _k) 6 formulas carry out similar equation and variable reconstruct.Total following several types of 6 formulas like this:

(1) shape is like (x _ax _bx _cy _iy _jy _k), total C _n ³* C _n ³Individual, each can produce 5 about z _Ij3 equation of n th order n.

(2) shape is like (x _ax _bx _cy _iy _iy _j), total C _n ³* 2C _n ²Individual, each can produce 2 about z _Ij3 equation of n th order n.

(3) shape is like (x _ax _ax _by _iy _jy _k), total 2C _n ²* C _n ³Individual, each can produce 2 about z _Ij3 equation of n th order n.

(4) shape is like (x _ax _ax _by _iy _iy _j), total 2C _n ²* 2C _n ²Individual, each can produce 1 about z _Ij3 equation of n th order n.

(5) shape is like (x _ax _ax _ay _iy _jy _k) and (x _ax _bx _cy _iy _iy _i) 6 formulas all do not produce about z _Ij3 equation of n th order n.

Therefore, the tangible as (x of institute _ax _bx _cy _iy _jy _k) 6 formulas can produce about z _IjThe ading up to of 3 equation of n th order n:

$M_3=5C_n^3\×C_n^3+8C_n^2\×C_n^3+4C_n^2\×C_n^2=\frac{n^2{(n-1)}^2(5n^2+4n+8)}{36}$

With the substitution of (II) formula each about z _Ij3 equation of n th order n, can get as follows about variable α ₁..., α _r3 equation of n th order n:

$\underset{1\≤i\≤j\≤k\≤r}{\mathrm{\Σ}}{a}_{i,j,k}\left({\mathrm{\α}}_i{\mathrm{\α}}_j{\mathrm{\α}}_k\right)+\underset{1\≤i\≤j\≤r}{\mathrm{\Σ}}{b}_{i,j}\left({\mathrm{\α}}_i{\mathrm{\α}}_j\right)+\underset{1\≤i\≤r}{\mathrm{\Σ}}{c}_i{\mathrm{\α}}_i=d---\left(\mathrm{IV}\right)$

With each 3 the formula (α in (IV) formula equation _iα _jα _k), 2 formula (α _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

$N_3=\frac{r(r+1)(r+2)}{6}+N_2=\frac{r(r^2+6r+11)}{6}$

Thereby can obtain F _qOn have M ₃Individual equation, N ₃The linear function group E of individual variable ₃

If M ₃>=N ₃, then can be by E ₃Solve α ₁..., α _r, and the separating of the anti-E of release $(x_1,\·\·\·,x_n),(y_1,\·\·\·,y_n)\∈F_q^n.$ Otherwise can further carry out four heavily linearisations to E.Promptly to shape like (x _ax _bx _cx _dy _iy _jy _ky _l) 8 formulas carry out equation and variable reconstruct.Total following several types of 8 formulas like this:

(1) shape is like (x _ax _bx _cx _dy _iy _jy _ky _l), total C _n ⁴* C _n ⁴Individual, each can produce 23 about z _Ij4 equation of n th order n.

(2) shape is like (x _ax _bx _cx _dy _iy _iy _jy _k), total C _n ⁴* 3C _n ³Individual, each can produce 11 about z _Ij4 equation of n th order n.

(3) shape is like (x _ax _bx _cx _dy _iy _iy _iy _j), total C _n ⁴* 2C _n ²Individual, each can produce 3 about z _Ij4 equation of n th order n.

(4) shape is like (x _ax _bx _cx _dy _iy _iy _jy _j), total C _n ⁴* C _n ²Individual, each can produce 5 about z _Ij4 equation of n th order n.

(5) shape is like (x _ax _ax _bx _cy _iy _jy _ky _l), total 3C _n ³* C _n ⁴Individual, each can produce 11 about z _Ij4 equation of n th order n.

(6) shape is like (x _ax _ax _bx _cy _iy _iy _jy _k), total 3C _n ³* 3C _n ³Individual, each can produce 6 about z _Ij4 equation of n th order n.

(7) shape is like (x _ax _ax _bx _cy _iy _iy _iy _j), total 3C _n ³* 2C _n ²Individual, each can produce 2 about z _Ij4 equation of n th order n.

(8) shape is like (x _ax _ax _bx _cy _iy _iy _jy _j), total 3C _n ³* C _n ²Individual, each can produce 3 about z _Ij4 equation of n th order n.

(9) shape is like (x _ax _ax _ax _by _iy _jy _ky _l), total 2C _n ²* C _n ⁴Individual, each can produce 3 about z _Ij4 equation of n th order n.

(10) shape is like (x _ax _ax _ax _by _iy _iy _jy _k), total 2C _n ²* 3C _n ³Individual, each can produce 2 about z _Ij4 equation of n th order n.

(11) shape is like (x _ax _ax _ax _by _iy _iy _iy _j), total 2C _n ²* 2C _n ²Individual, each can produce 1 about z _Ij4 equation of n th order n.

(12) shape is like (x _ax _ax _ax _by _iy _iy _jy _j), total 2C _n ²* C _n ²Individual, each can produce 1 about z _Ij4 equation of n th order n.

(13) shape is like (x _ax _ax _bx _by _iy _jy _ky _l), total C _n ²* C _n ⁴Individual, each can produce 5 about z _Ij4 equation of n th order n.

(14) shape is like (x _ax _ax _bx _by _iy _iy _jy _k), total C _n ²* 3C _n ³Individual, each can produce 3 about z _Ij4 equation of n th order n.

(15) shape is like (x _ax _ax _bx _by _iy _iy _iy _j), total C _n ²* 2C _n ²Individual, each can produce 1 about z _Ij4 equation of n th order n.

(16) shape is like (x _ax _ax _bx _by _iy _iy _jy _j), total C _n ²* C _n ²Individual, each can produce 2 about z _Ij4 equation of n th order n.

(17) shape is like (x _ax _ax _ax _ay _iy _jy _ky _l) and (x _ax _bx _cx _dy _iy _iy _iy _i) 8 formulas do not produce about z _Ij4 equation of n th order n. therefore, the tangible as (x of institute _ax _bx _cx _dy _iy _jy _ky _l) 8 formulas can produce about z _Ij4 equation of n th order n add up to:

$M_4=23C_n^4\×C_n^4+66C_n^3\×C_n^4+54C_n^3\×C_n^3+22C_n^2\×C_n^4+42C_n^2\×C_n^3+10C_n^2\×C_n^2$

$=\frac{n^2{(n-1)}^2(23n^4+34n^3+131n^2+84n+108)}{576}$

With each 4 equation of n th order n above the substitution of (II) formula, can get as follows about variable α ₁..., α _r4 equation of n th order n:

$\underset{1\≤i\≤j\≤k\≤l\≤r}{\mathrm{\Σ}}{a}_{i,j,k,l}\left({\mathrm{\α}}_i{\mathrm{\α}}_j{\mathrm{\α}}_k{\mathrm{\α}}_l\right)+\underset{1\≤i\≤j\≤k\≤r}{\mathrm{\Σ}}{b}_{i,j,k}\left({\mathrm{\α}}_i{\mathrm{\α}}_j{\mathrm{\α}}_k\right)+\underset{1\≤i\≤j\≤r}{\mathrm{\Σ}}{c}_{i,j}\left({\mathrm{\α}}_i{\mathrm{\α}}_j\right)+\underset{1\≤i\≤r}{\mathrm{\Σ}}{d}_i{\mathrm{\α}}_i=e$

With each 4 the formula (α in the equation _iα _jα _kα _l), 3 formula (α _iα _jα _k), 2 formula (α _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

$N_4=\frac{r(r+1)(r+2)(r+3)}{24}+N_3=\frac{r(r^3+10r^2+35r+50)}{24}$

So can obtain F _qOn have M ₄Individual equation, N ₄The linear function group E of individual variable ₄

If M ₄>=N ₄, then can be by E ₄Solve α ₁..., α _r, and the separating of the anti-E of release $(x_1,\·\·\·,x_n),(y_1,\·\·\·,y_n)\∈F_q^n.$ Otherwise can continue E is carried out the more heavily linearisation of high order.

But along with to heavy the increasing of linearisation number of times of E, gained is about variable α ₁..., α _rEquation of higher degree group in variable and equation number also will increase fast.Order is by r variable { α ₁, α ₂..., α _rDifferent t the product formulas that can constitute

Number be P (r, t).Following theorem is then arranged,

Theorem 2.2: $P(r,t)=\left|\right\{({\mathrm{\α}}_{i_1}{\mathrm{\α}}_{i_2}...{\mathrm{\α}}_{i_t})|1\≤i_1\≤i_2\≤...\≤i_t\≤r\}|=\frac{r(r+1)(r+2)...(r+t-1)}{t!}$

If to k time of E heavily after the linearisation resulting equation group be E _kE then _kIn each equation all have following form:

$\underset{1\≤i_1\≤...\≤i_k\≤r}{\mathrm{\Σ}}{a}_{i_1{i}_2...i_k}^{\left(k\right)}({\mathrm{\α}}_{i_1}{\mathrm{\α}}_{i_2}...{\mathrm{\α}}_{i_k})+...+\underset{1\≤i\≤j\≤r}{\mathrm{\Σ}}{a}_{\mathrm{ij}}^{\left(2\right)}\left({\mathrm{\α}}_i{\mathrm{\α}}_j\right)+\underset{1\≤i\≤r}{\mathrm{\Σ}}{a}_i^{\left(1\right)}{\mathrm{\α}}_i=b$

With each 1 the formula α in the equation _i, 2 formula (α _iα _j) ..., and k formula All regard different new variables as.By theorem 2.2, can know the total N of variable _kFor about r=n ²The multinomial of-m.And have:

$N_k=\underset{t=1}{\overset{k}{\mathrm{\Σ}}}P(r,t)=r+\frac{r(r+1)}{2}+...+\frac{r(r+1)...(r+k-1)}{k!}$

Make E _kThe number of middle equation is M _k, then by the front to M ₂, M ₃, M ₄Calculating can know M _kIt is multinomial about n.And when k >=3, have:

$M_k=\underset{2\≤i\≤j\≤k}{\mathrm{\Σ}}{t}_{i,j}{C}_n^i\×C_n^j=(k!-1)C_n^k\×C_n^k+(k!-2)(k-1)C_n^{k-1}\×C_n^k+...+t_{\mathrm{2,2}}{C}_n^2\×C_n^2$

Special, when n is big, $M_k\≈(k!-1)C_n^k\×C_n^k+(k!-2)(k-1)C_n^{k-1}\×C_n^k.$ Following table has provided n and had got respectively 50,100,150,200 o'clock, partly (M _k, N _k) for given (n, result of calculation r).

Table 1

By the result of calculation of table 1, be not difficult to draw following character:

(1) M _kAbout the n strictly monotone increasing.

(2) N _kAbout r=n ²-m strictly monotone increasing.

(3) for given n and k (k>=2), there is r _kAnd as r>=r _kThe time, perseverance has: M _k＜N _kAnd as r＜r _kThe time, perseverance has: M _k>=N _kAnd r _kIncrease along with the increase of k.R=n again ²So-m is as m≤n ²-r _kThe time, perseverance has M _k＜N _kAnd as m＞n ²-r _kThe time, perseverance has: M _k>=N _k.

(4) for given k (k>=2), establishing has (M when m≤t * n _k＜N _k), then t increases progressively about n.Promptly, make (M along with the increase of n _k＜N _k) the value upper bound of the m that satisfies also increasing with respect to n.

Character (3) and (4) can be used to judge whether equation group E can find the solution by heavy linearization technique through k time that the front is introduced.For example, can know by table 1,

For n=50, as m≤n ²During-2332=168=3.36n, perseverance has: M ₃＜N ₃.

For n=100, as m≤n ²During-9371=629=6.29n, perseverance has: M ₃＜N ₃.

For n=150, as m≤n ²During-21116=1384=9.227n, perseverance has: M ₃＜N ₃.

For n=200, as m≤n ²During-37565=2435=12.175n, perseverance has: M ₃＜N ₃.

Therefore, when n gets 50,100,150,200 respectively, if the number m of equation satisfies respectively among the E:

m≤3.36n、m≤6.29n、m≤9.227n、m≤12.175n

Then perseverance has: (M ₂＜N ₂) ^ (M ₃＜N ₃).This means can't through secondary and three times heavily linearisation come E is found the solution.

Generally speaking, at F _qLast picked at random has the BMQ equation group E of 2n variable and m equation, if the value of n and m makes (M _k＜N _k^M _K+1>=N _K+1) set up, then can't through be no more than k time heavily linearisation find the solution E.

If to E carry out k time heavily after the linearisation resulting equation group be E _k, E then _kThe number of middle equation is at most M _kBut often exist the equation of a large amount of linear correlations in the middle of them.Making wherein, the equation quantity of linear independence is M _kEven (M is then arranged _k>=N _k), if but (M _k＜N _k), E _kStill intangibility.

In addition, along with to heavy the increasing of linearisation number of times k of E, equation E _kIn variable number N _kAlso increase fast.Because E _kThe space requirement of coefficient matrix be N _k ²Log ₂Therefore the q bit works as N _kWhen enough big (>=2 ⁴⁰), whether no matter (M arranged _k>=N _k), E on room and time _kEqual intangibility; Promptly can't through k time heavily linearisation find the solution E.

Know again, after n confirms, M _iAlso confirm thereupon; And N _iThen confirm uniquely by r (or m).If can find r, make when r>=r, perseverance has (M _K-1＜N _K-1) and N _kTo such an extent as to enough big E _kAt intangibility (k＞2) in fact.Then have:

(M ₂＜N ₂^…^M _k-1＜N _k-1)^(N _k＜N _k+1＜N _k+2＜…)

Therefore as m≤n ²During-r, for k>=2 arbitrarily, can't through direct k time heavily linearisation find the solution E.Yet this fashion can not assert that heavy linearizing method is infeasible to finding the solution E.Though (M is arranged ₂＜N ₂^ ... ^M _K-1＜N _K-1), if but can find less r _t=N _t-M _t(2≤t≤k-1) then can be to t heavy resulting equation group E after the linearisation _tReuse general linearization technique again.Be about to E _tIn each variable v _iAll table is r _tIndividual variable

Linear equation:

$v_i={\mathrm{\α}}_{i_1}{\mathrm{\α}}_{i_2}...{\mathrm{\α}}_{i_s}=c_0+c_1{\mathrm{\β}}_1+c_2{\mathrm{\β}}_2+...+c_{r_t}{\mathrm{\β}}_{r_t},(1\≤s\≤t,1\≤i\≤N_t)$

Then through reconstruct about variable

H>=2 equation of n th order n groups come solving equation group E _t, the anti-E's of release separates again.Know that again the variable number about in the h equation of n th order n group of variable of utilizing general linearization technique again to construct is:

${\stackrel{\‾}{N}}_t=\underset{i=1}{\overset{h}{\mathrm{\Σ}}}P(r_t,i)\≥\underset{i=1}{\overset{2}{\mathrm{\Σ}}}P(r_t,i)=\frac{r_t(r_t+3)}{2}$

So have only as each r _t=N _t-M _tAll make N _tEnough big (2≤t≤k-1), can assert that just E can't utilize any heavy linearizing method to find the solution.Following theorem is promptly arranged,

Theorem 2.3: picked at random F _qOn have the BMQ equation group E of 2n variable and m equation, if having k＞2 and r, make when r>=r, perseverance has:

Then as m≤n ²During-r, can't find the solution E through heavy linearizing method.

It should be noted that the front is to N _kAnd M _kThe situation of valuation during not q≤k take into account; And this maybe be to N _kAnd M _kValuation produce this those long influences that disappear.For example, when q=2, have:

$\left(x_a{x}_b{y}_i{y}_j\right)=\left(x_a^2{x}_b{y}_i^2{y}_j\right)=\left(x_a^2{x}_b{y}_i{y}_j^2\right)=\left(x_a{x}_b^2{y}_i^2{y}_j\right)=\left(x_a{x}_b^2{y}_i{y}_j^2\right)$

$\⇒\left(x_a{y}_i\right)\left(x_b{y}_j\right)=\left(x_a{y}_j\right)\left(x_b{y}_i\right)=\left(x_a{y}_i\right)\left(x_a{y}_j\right)\left(x_b{y}_i\right)=\left(x_a{y}_i\right)\left(x_a{y}_j\right)\left(x_b{y}_j\right)=...$

$\⇒z_{\mathrm{ai}}{z}_{\mathrm{bj}}=z_{\mathrm{aj}}{z}_{\mathrm{bi}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bi}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bj}}=...$

$\⇒\left\{\begin{array}{c}{z}_{\mathrm{ai}}{z}_{\mathrm{bj}}=z_{\mathrm{aj}}{z}_{\mathrm{bi}}\\ z_{\mathrm{ai}}{z}_{\mathrm{bj}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bi}}\\ z_{\mathrm{ai}}{z}_{\mathrm{bj}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bj}}\\ z_{\mathrm{aj}}{z}_{\mathrm{bi}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bi}}\\ z_{\mathrm{aj}}{z}_{\mathrm{bi}}=z_{\mathrm{ai}}{z}_{\mathrm{aj}}{z}_{\mathrm{bj}}\\ .\\ .\\ .\end{array}\right.$

Promptly by shape like (x _ax _by _iy _j) 4 formulas can not only reconstruct about variable α ₁..., α _r2 equation of n th order n, can also reconstruct corresponding 3 equation of n th order n.And these 3 equation of n th order n are different from by shape like (x probably _ax _bx _cy _iy _jy _k) 6 formula reconstruct gained.In addition, because ${\mathrm{\α}}_i^3={\mathrm{\α}}_i^2={\mathrm{\α}}_i$ With ${\mathrm{\α}}_i^2{\mathrm{\α}}_j={\mathrm{\α}}_i{\mathrm{\α}}_j^2={\mathrm{\α}}_i{\mathrm{\α}}_j,$ So for F ₂On the BMQ equation group, M _kAnd N _kComputing formula and front given will produce deviation.

Can specify suitable lower bound to q for this reason,, can guarantee that then the front is to N such as making q＞10 _kAnd M _kThe correctness of valuation (2≤k≤10).Below conclusion be putting before this and obtain.

In fact, theorem 2.3 is guarded for the difficulty assessment of the heavy linearization technique of finding the solution BMQ equation group E, because equation group E _kThe equation quantity M that neutral line is irrelevant _kIn reality, can't reach theoretical upper bound M at all _k

By theorem 2.3, for n=50, when r=2332, (M ₃＜N ₃) and N ₄=1237553754679 ≈ 1.1255 * 2 ⁴⁰Enough big; But this moment

$r_2=2722610-1500625=1221985\⇒\frac{r_2(r_2+3)}{2}=746625503090\≈1.358\×2^{38}$

$r_3=2119098894-2118882500=216394\⇒\frac{r_3(r_3+3)}{2}=23413506209\≈1.363\×2^{34}$

r ₂And r ₃Big inadequately.And when r=2445,

$r_2=1492055\⇒\frac{r_2(r_2+3)}{2}=1113116299595\≈1.0124\×2^{40}$

$r_3=323145195\⇒\frac{r_3(r_3+3)}{2}=52211409010511805\≈1.45\×2^{55}$

r ₂And r ₃Enough big.Therefore as m≤n ²During-2445=55=1.1n, can't find the solution E through heavy linearizing method.

For n=100, when r=9371, (M ₃＜N ₃) and N ₄=321659128415624 ≈ 1.142 * 2 ⁴⁸Enough big, r again ₂=19419377 and r ₃=5448123 is enough big.So as m≤n ²During-9371=629=6.29n, can't find the solution E through heavy linearizing method.

For n=150, when r=18900, (M ₂＜N ₂) and N ₃=1125568744650 ≈ 1.02 * 2 ⁴⁰Enough big, r again ₂=53752725 is enough big.So as m≤n ²During-18900=3600=24n, can't find the solution E through heavy linearizing method.

For n=200, when r=28142, (M ₂＜N ₂) and N ₃=3715405463639 ≈ 1.69 * 2 ⁴¹Enough big, but r ₂=18295 is big inadequately; And when r=28200, r ₂=1652300 is enough big.So as m≤n ²During-28200=11800=59n, can't find the solution E through heavy linearizing method.

Therefore when n gets 50,100,150,200 respectively, if the number m of equation satisfies respectively among the E:

m≤1.1n、m≤6.29n、m≤24n、m≤59n

Then can't find the solution E through heavy linearizing method.

Generally speaking, after n confirmed, m was littler, then the heavily linearisation of BMQ equation group E was found the solution just more infeasible.But because the special construction of BMQ equation group, being not that m is more little finds the solution E with regard to more difficult.This point, is then guessed through a spot of exploration separating of E if m is too small with to find the solution the MQ equation group different probably.M The Representation Equation with E is following for this reason:

$\left\{\begin{array}{c}{p}_1(x,y)=\underset{i=1}{\overset{n}{\mathrm{\Σ}}}\underset{j=1}{\overset{n}{\mathrm{\Σ}}}{a}_{\mathrm{ij}}^{\left(1\right)}{x}_i{y}_j=b_1\\ .\\ .\\ .\\ p_m(x,y)=\underset{i=1}{\overset{n}{\mathrm{\Σ}}}\underset{j=1}{\overset{n}{\mathrm{\Σ}}}{a}_{\mathrm{ij}}^{\left(m\right)}{x}_i{y}_j=b_m\end{array}\right.(x=(x_1,...,x_n),y=(y_1,...,y_n)\∈F_q^n)$

(p then ₁..., p _m) the value space be:

$p\left(E\right)=\left\{(p_1(x,y),...,p_m(x,y))\right|x,y\∈F_q^n\}$

(p again ₁..., p _m) value by x * y=(x ₁y ₁..., x _iy _j..., x _ny _n) unique definite.When x=0 or y=0, x * y=0.Otherwise x * y ≠ 0, and to arbitrarily c ∈ F _q{0}, x * y=(cx) * (c is arranged ^-1Y).So q corresponding to x and y ²ⁿPlant value, x * y has 0 draw

The value of kind non-0.And $p\left(E\right)\⊆F_q^m,$ So have:

$\left|p\left(E\right)\right|\≤\min (q^m,\frac{{(q^n-1)}^2}{(q-1)}+1)$

Again when n＞1, $q^{2n-1}<\frac{{(q^n-1)}^2}{(q-1)}+1<q^{2n}.$ Therefore have:

<math> <mrow> <mo>|</mo> <mi>p</mi> <mrow> <mo>(</mo> <mi>E</mi> <mo>)</mo> </mrow> <mo>|</mo> <mo>&amp;le;</mo> <mfenced open='{' close=''> <mtable> <mtr> <mtd> <mfrac> <msup> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>n</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> <mn>2</mn> </msup> <mrow> <mo>(</mo> <mi>q</mi> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> </mfrac> <mo>+</mo> <mn>1</mn> </mtd> <mtd> <mrow> <mo>(</mo> <mi>m</mi> <mo>&amp;GreaterEqual;</mo> <mn>2</mn> <mi>n</mi> <mo>)</mo> </mrow> </mtd> </mtr> <mtr> <mtd> <msup> <mi>q</mi> <mi>m</mi> </msup> </mtd> <mtd> <mrow> <mo>(</mo> <mi>m</mi> <mo>&lt;;</mo> <mn>2</mn> <mi>n</mi> <mo>)</mo> </mrow> </mtd> </mtr> </mtable> </mfenced> </mrow></math>

As (b ₁..., b _m)=0 o'clock, E has (2q at least ⁿ-1) individual shape as (x, 0) and (0, separating y).As (b ₁..., b _m) ≠ 0 o'clock, if $(b_1,...,b_m)\&NotElement;p\left(E\right),$ Then E does not have and separates; Otherwise E separates (x ≠ 0, y ≠ 0), and to c ∈ F arbitrarily _q{0}, (cx, c ^-1Y) also be that separating of E (claimed (cx, c ^-1Y) with (x, y) equivalence).Therefore as (b ₁..., b _m) ≠ 0 o'clock, E or nothing are separated, or have separating of (q-1) individual equivalent equivalence at least.

Because (b ₁..., b _m)=0 o'clock is easy to E is found the solution.So emphasis is inquired into (b ₁..., b _m) ∈ p (E) {0} the time, how E is found the solution.Except above-mentioned heavy linearization technique,, also can sound out E and find the solution through the method for so-called " conjecture " based on the special construction of BMQ equation group.This method is specified among x and the y at random, as with solving another behind it substitution E, then can obtain separating of E.For example, specify x=α=(α ₁..., α _n) ≠ 0 then can be about variable y=(y ₁..., y _n) the linear function group E ' of n unit:

$\left\{\begin{array}{c}{p}_1(\mathrm{\&alpha;},y)=b_1\\ .\\ .\\ .\\ p_m(\mathrm{\&alpha;},y)=b_m\end{array}\right.$

If E ' separates y=β=(β ₁..., β _n), then (x, y)=(α β) is of E and separates, and can derive (q-1) individual separating of equal value with it again by it.If E ' nothing is separated, then proceed to sound out, till finding out the separating of E next time.

Can know, for given (b ₁..., b _m) ∈ p (E) {0}, utilize conjecture method that E is soundd out the success rate find the solution and be directly proportional with the number of separating of E.When E has that (q-1) is individual to be separated, hit it

If to (b arbitrarily ₁..., b _m) ∈ p (E) {0}, E has just that (q-1) is individual to be separated.Then when n is enough big, can't utilize conjecture method that E is found the solution.

And for { the p of picked at random ₁(x, y) ..., p _m(x, y) }, (q of feasible (x ≠ 0, y ≠ 0) ⁿ-1) ²The overwhelming majority who plants value also makes (p ₁..., p _m) ≠ 0.So to (b arbitrarily ₁..., b _m) ∈ P (E) {0}, the number of on average separating of E is:

<math> <mrow> <mover> <mi>k</mi> <mo>&amp;OverBar;</mo> </mover> <mo>=</mo> <mfrac> <msup> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>n</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> <mn>2</mn> </msup> <mrow> <mo>|</mo> <mi>p</mi> <mrow> <mo>(</mo> <mi>E</mi> <mo>)</mo> </mrow> <mo>|</mo> <mo>-</mo> <mn>1</mn> </mrow> </mfrac> <mo>&amp;GreaterEqual;</mo> <mfenced open='{' close=''> <mtable> <mtr> <mtd> <mrow> <mo>(</mo> <mi>q</mi> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> </mtd> <mtd> <mrow> <mo>(</mo> <mi>m</mi> <mo>&amp;GreaterEqual;</mo> <mn>2</mn> <mi>n</mi> <mo>)</mo> </mrow> </mtd> </mtr> <mtr> <mtd> <mfrac> <msup> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>n</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> <mn>2</mn> </msup> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>m</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> </mfrac> </mtd> <mtd> <mrow> <mo>(</mo> <mi>m</mi> <mo>&lt;;</mo> <mn>2</mn> <mi>n</mi> <mo>)</mo> </mrow> </mtd> </mtr> </mtable> </mfenced> </mrow></math>

When m＜2n, k＞(q-1).Especially, when m≤n, k>=(q ⁿ-1) average probability of separating of, guesing out E this moment is near a hundred per cent.Can get theorem thus,

Theorem 2.4: picked at random F _qOn have the BMQ equation group E of 2n variable and m>=2n equation, if to (b arbitrarily ₁..., b _m) ∈ p (E) {0}, E has just that (q-1) is individual to be separated.Then when n is enough big, can't find the solution E with conjecture method.

By theorem 2.1, theorem 2.3, theorem 2.4; Can get proposition,

Proposition 2.1: picked at random F _qOn have the BMQ equation group E of 2n variable and m equation, if E satisfies:

1) for (b arbitrarily ₁..., b _m) ∈ p (E) {0}, E is at F _qOn have just that (q-1) is individual to be separated

2) have k＞2 and r, and when r >=r, perseverance has:

3)2n≤m≤n ²-r

It is difficult then finding the solution E.

Can know by proposition 2.1, for the F of picked at random _qOn have the BMQ equation group E of 2n variable and m equation, when E satisfies (b arbitrarily ₁..., b _m) ∈ p (E) {0}, all just have when (q-1) is individual to be separated; The difficulty of then E being found the solution is mainly determined by the value of n and m.And F _qSelection only with data computing with the expression relevant, the difficulty of solving a problem is not had influence basically.Provide definition for this reason,

Definition 2.2: establishing E is at F _qGo up optional BMQ equation group with 2n variable and m equation, and for (b arbitrarily ₁..., b _m) ∈ p (E) {0}, E is at F _qOn have just that (q-1) is individual to be separated.If the value of n and m makes and finds the solution E is difficult, then claim " (n m) does difficult BMQ problem ".

For example, when n gets 50,100,150,200 respectively, do difficult BMQ problem (n, m) value is as shown in table 2.

Table 2

2.4 Ergodic Matrices and character thereof

Definition 2.3 (Ergodic Matrices): establish $A\&Element;F_q^{n\&times;n},$ If column vector to any non-0 $v\&Element;F_q^n\backslash \left\{0\right\},$ $\{\mathrm{Av},A^{2}v,...,A^{q^n-1}v\}$ Just get all over F _q ⁿ{0} in all non-0 column vectors, claim that then A is F _qOn " Ergodic Matrices (Ergodic Matrix) ".

Definition 2.4: establish $A\&Element;F_q^{n\&times;n},$ The matrix multiplication spanning set of note A is:<a>={ A ^k| k=1,2,3 ....

About finite field F _qOn (traversal) matrix, following main theorem (proof slightly) is arranged:

Theorem 2.5: to arbitrarily $A\&Element;F_q^{n\&times;n},$ K ∈ 0,1,2 ...; There is c ₀, c ₁..., c _N-1∈ F _q, make:

A ^k＝c ₀I+c ₁A+c ₂A ²+...+c _n-1A ^n-1

Theorem 2.6: if $A\&Element;F_q^{n\&times;n}$ Nonsingular, then A under matrix multiplication the cycle≤(q ⁿ-1).

Theorem 2.7: $A\&Element;F_q^{n\&times;n}$ For Ergodic Matrices and if only if A under matrix multiplication the cycle=(q ⁿ-1).

Theorem 2.8: if $A\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then<a>In just have

Individual Ergodic Matrices.Claim their " equivalences " each other.

Theorem 2.9: if $A\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then vectorial to any non-0 row $r\&Element;F_q^{1\&times;n}\backslash \left\{0\right\},$ $\{\mathrm{RA},r{A}^2,...,r{A}^{q^n-1}\}$ Just get all over F _q ^{1 * n}Non-0 row all in ing is vectorial.

Theorem 2.10: if $A\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then $F_q\left[A\right]=\left\{0\right\}\&cup;<A>=\{0,A,A^2,...,A^{q^n-1}=I\}.$ And F _q[A] makes a q just under addition of matrices and multiplication ⁿUnit's finite field.

Theorem 2.11: if $A\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then [A ⁰=I, A, A ²..., A ^N-1] make q just ⁿThe finite field F of unit _q[A] is about the finite field F of q unit _qOne group of base.Promptly right $\&ForAll;m\&Element;F_q\left[A\right],$ There is unique c ₀, c ₁..., c _N-1∈ F _q, make:

n＝c ₀I+c ₁A+c ₂A ²+...+c _n-1A ^n-1

Conclusion by the front can know that the Ergodic Matrices on the finite field has maximum multiplication cycle and spanning set in the same order nonsingular matrix.And the non-zero column vector of all power premultiplications or the right side with Ergodic Matrices take advantage of the result of a capable vector of non-zero fully to disperse (getting just all over the capable vector of all non-zero column vector sums).Table 3 has provided the statistics of the n * n Ergodic Matrices on the part finite field.

Table 3

Can find F from top statistics _qOn n * n Ergodic Matrices be ubiquitous, and its number increases sharply along with the increase of q and n.

In order principle of the present invention to be described special introduce " MPEMRL problem ".I.e. so-called " the bilateral power of Ergodic Matrices is taken advantage of problem (Multiplied by the Powers of the Ergodic Matrices on the Right and Left.) on the finite field ".It is defined as follows:

Definition 2.5 (MPEMRL problems): $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ $T=Q_1^{x}M{Q}_2^y\&Element;\&lang;Q_1\&rang;\&times;M\&times;\&lang;Q_2\&rang;;$ Known (Q ₁, M, Q ₂, T), ask Q ₁ ^xAnd Q ₂ ^y.

At first proof is found the solution the MPEMRL problem and can be exchanged into and find the solution corresponding F _qOn the BMQ problem.By $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, can know F _q[Q ₁] and F _q[Q ₂] under addition of matrices and multiplication, all make q ⁿUnit's finite field.

Select F arbitrarily _q[Q ₁] and F _q[Q ₂] about F _qOne group of base $B_1=[Q_1^{{\mathrm{\&alpha;}}_1},...,Q_1^{{\mathrm{\&alpha;}}_n}]$ With $B_2=[Q_2^{{\mathrm{\&beta;}}_1},...,Q_2^{{\mathrm{\&beta;}}_n}].$ Then exist unique $(x_1,...,x_n),(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\},$ Make:

$Q_1^x=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i{Q}_1^{{\mathrm{\&alpha;}}_i},$ $Q_2^y=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j}$

Promptly have:

$T=Q_1^{x}M{Q}_2^y=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}\left(x_i{y}_j\right)\left(Q_1^{{\mathrm{\&alpha;}}_i}M{Q}_2^{{\mathrm{\&beta;}}_j}\right)$

With n * n matrix T and each

All turn to n by line linearity ²Dimensional vector

With

Can get F _qOn have 2n variable x ₁..., x _n, y ₁..., y _nBMQ equation group with m equation:

$[\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M{Q}_2^{{\mathrm{\&beta;}}_1}}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M{Q}_2^{{\mathrm{\&beta;}}_n}}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M{Q}_2^{{\mathrm{\&beta;}}_1}}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M{Q}_2^{{\mathrm{\&beta;}}_n}}]\&times;\left[\begin{array}{c}{x}_1{y}_1\\ .\\ .\\ .\\ x_1{y}_n\\ .\\ .\\ .\\ x_n{y}_1\\ .\\ .\\ .\\ x_n{y}_n\end{array}\right]=\left[\stackrel{\&RightArrow;}{B_{1}M{B}_2}\right]\&times;\left[\begin{array}{c}{x}_1{y}_1\\ .\\ .\\ .\\ x_1{y}_n\\ .\\ .\\ .\\ x_n{y}_1\\ .\\ .\\ .\\ x_n{y}_n\end{array}\right]=\stackrel{\&RightArrow;}{T}$

Wherein $m=\mathrm{Rank}\left(\right[\stackrel{\&RightArrow;}{B_{1}M{B}_2}\left]\right)$ Be coefficient matrix $\left[\stackrel{\&RightArrow;}{B_{1}M{B}_2}\right]\&Element;F_q^{n^2\&times;n^2}$ Order.Note is top by Q ₁, M, Q ₂, BMQ equation group that T derived is E (Q ₁, M, Q ₂, T).

Because the addition of matrix is taken advantage of with the addition of vector with number and is taken advantage of indistinction in itself with number, so also can be with n * n set of matrices<q ₁>* M *<q ₂>And B ₁* M * B ₂All regard n as ²The dimensional vector group, and have:

<math> <mrow> <mi>Rank</mi> <mrow> <mo>(</mo> <mo>&lt;;</mo> <msub> <mi>Q</mi> <mn>1</mn> </msub> <mo>></mo> <mo>&amp;times;</mo> <mi>M</mi> <mo>&amp;times;</mo> <msub> <mrow> <mo>&lt;;</mo> <mi>Q</mi> </mrow> <mn>2</mn> </msub> <mo>></mo> <mo>)</mo> </mrow> <mo>=</mo> <mi>Rank</mi> <mrow> <mo>(</mo> <msub> <mi>B</mi> <mn>1</mn> </msub> <mo>&amp;times;</mo> <mi>M</mi> <mo>&amp;times;</mo> <msub> <mi>B</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>=</mo> <mi>Rank</mi> <mrow> <mo>(</mo> <mo>[</mo> <mover> <mrow> <msub> <mi>B</mi> <mn>1</mn> </msub> <mi>M</mi> <msub> <mi>B</mi> <mn>2</mn> </msub> </mrow> <mo>&amp;RightArrow;</mo> </mover> <mo>]</mo> <mo>)</mo> </mrow> <mo>=</mo> <mi>m</mi> </mrow></math>

Obviously, E (Q ₁, M, Q ₂, T) can separate then corresponding M PEMRL problem and necessarily can separate.Work as m=n ²The time, Full rank is prone to try to achieve E (Q ₁, M, Q ₂, separating T) $(x_1,...,x_n),(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\};$ And then can get separating of MPEMRL problem:

$Q_1^x=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i{Q}_1^{{\mathrm{\&alpha;}}_i},$ $Q_2^y=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j}$

As m＜n ²The time, if (n m) does not do difficult BMQ problem, then still can be through the group E (Q that solves an equation ₁, M, Q ₂, T) find the solution corresponding M PEMRL problem.Otherwise can't pass through equation group E (Q ₁, M, Q ₂, T) find the solution corresponding M PEMRL problem.

Therefore for given MPEMRL problem, can it pass through BMQ equation group E (Q ₁, M, Q ₂, the key of T) finding the solution mainly by Rank (<q ₁>* M *<q ₂>) decision.And about Rank (<q ₁>* M *<q ₂>) following theorem arranged,

Theorem 2.12: if $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then to arbitrarily $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ Perseverance has:

Rank(<Q ₁>×M×<Q ₂>)＝k×n(1≤k≤n)

Find through experiment, for selected arbitrarily Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n},$ Let M all over getting F _q ^{N * n}In all non-null matrix, then Rank (<q ₁>* M *<q ₂>) all over get n, 2n ..., n ².Table 4 is the statisticses to the part finite field.

Also find through further experiment, in the table 4 about Rank (<q ₁>* M *<q ₂>) distributed number and Q ₁And Q ₂Selection irrelevant, but by n and F _qConfirm uniquely.Therefrom be not difficult to find out following rule:

1. for Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n}$ With k ∈ 1 ..., n} exists $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ Make:

Rank(<Q ₁>×M×<Q ₂>)＝k×n

2. for Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n},$ Make Rank (<q ₁>* M *<q ₂>The quantity of the matrix M of)=k * n increases progressively with q, n, k.

3. for Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n},$ Make Rank (<q ₁>* M *<q ₂>The quantity of the matrix M of)=n just is n * (q ⁿ-1).

Table 4

Since to the amount of calculation of quite making every effort to separate of MPEMRL problem with |<q ₁>* M *<q ₂>| closely related.And to arbitrarily $Q_1^{x}M{Q}_2^y\&Element;{<Q}_1>\&times;M\&times;<Q_2>$ With a ∈ F _q{0}, perseverance has:

<math> <mrow> <mi>a</mi> <msubsup> <mi>Q</mi> <mn>1</mn> <mi>x</mi> </msubsup> <mo>=</mo> <msubsup> <mi>Q</mi> <mn>1</mn> <msup> <mi>x</mi> <mo>&amp;prime;</mo> </msup> </msubsup> <mo>&amp;Element;</mo> <msub> <mrow> <mo>&lt;;</mo> <mi>Q</mi> </mrow> <mn>1</mn> </msub> <mo>></mo> <mo>^</mo> <msup> <mi>a</mi> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <msubsup> <mi>Q</mi> <mn>2</mn> <mi>y</mi> </msubsup> <mo>=</mo> <msubsup> <mi>Q</mi> <mn>2</mn> <msup> <mi>y</mi> <mo>&amp;prime;</mo> </msup> </msubsup> <mo>&amp;Element;</mo> <msub> <mrow> <mo>&lt;;</mo> <mi>Q</mi> </mrow> <mn>2</mn> </msub> <mo>></mo> <mo>^</mo> <msubsup> <mi>Q</mi> <mn>1</mn> <mi>x</mi> </msubsup> <mi>M</mi> <msubsup> <mi>Q</mi> <mn>2</mn> <mi>y</mi> </msubsup> <mo>=</mo> <msubsup> <mi>Q</mi> <mn>1</mn> <msup> <mi>x</mi> <mo>&amp;prime;</mo> </msup> </msubsup> <mi>M</mi> <msubsup> <mi>Q</mi> <mn>2</mn> <msup> <mi>y</mi> <mo>&amp;prime;</mo> </msup> </msubsup> </mrow></math>

Therefore to T ∈ arbitrarily<q ₁>* M *<q ₂>, have (a at least ₁, b ₁) ..., (a _Q-1, b _Q-1) ∈ 1 ..., q ⁿ-1} ², make:

$T=Q_1^{a_1}M{Q}_2^{b_1}=Q_1^{a_2}M{Q}_2^{b_2}=...=Q_1^{a_{q-1}}M{Q}_2^{b_{q-1}}$

Again |<q ₁>|=|<q ₂>|=(q ⁿ-1), so set<q ₁>* M *<q ₂>In the number of different matrixes satisfy:

<math> <mrow> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>n</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> <mo>&amp;le;</mo> <mo>|</mo> <msub> <mrow> <mo>&lt;;</mo> <mi>Q</mi> </mrow> <mn>1</mn> </msub> <mo>></mo> <mo>&amp;times;</mo> <mi>M</mi> <mo>&amp;times;</mo> <msub> <mrow> <mo>&lt;;</mo> <mi>Q</mi> </mrow> <mn>2</mn> </msub> <mo>></mo> <mo>|</mo> <mo>&amp;le;</mo> <mfrac> <msup> <mrow> <mo>(</mo> <msup> <mi>q</mi> <mi>n</mi> </msup> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> <mn>2</mn> </msup> <mrow> <mo>(</mo> <mi>q</mi> <mo>-</mo> <mn>1</mn> <mo>)</mo> </mrow> </mfrac> </mrow></math>

Further also can demonstrate,prove following theorem:

Theorem 2.13: $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ Then and if only if Rank (<q ₁>* M *<q ₂>Have during)=n |<q ₁>* M *<q ₂>|=(q ⁿ-1); Also have this moment<q ₁>* M *<q ₂>=<q ₁>* M=M *<q ₂>.

Theorem 2.14: for getting fixed Ergodic Matrices arbitrarily $Q_1,Q_2\&Element;F_q^{n\&times;n}$ With $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ There is positive integer t, makes T ∈ arbitrarily<q ₁>* M *<q ₂>, (a is just arranged ₁, b ₁) ..., (a _t, b _t) ∈ 1 ..., q ⁿ-1} ², make:

$T=Q_1^{a_1}M{Q}_2^{b_1}=Q_1^{a_2}M{Q}_2^{b_2}=...=Q_1^{a_t}M{Q}_2^{b_t}$

Theorem 2.15: for Ergodic Matrices<maths num=" 0113 "><![CDATA[<math><mrow><msub><mi>Q</mi><mn>1</mn></msub><mo>,</mo><msub><mi>Q</mi><mn>2</mn></msub><mo>&Element;</mo><msubsup><mi>F</mi><mi>q</mi><mrow><mi>n</mi><mo>&times;</mo><mi>n</mi></mrow></msubsup><mo>,</mo></mrow></math>]]></maths>Let M all over getting<img file="G2009100664497D00165.GIF" he="58" img-content="drawing" img-format="GIF" inline="yes" orientation="portrait" wi="187"/>Then |<q<sub >1</sub>>* M *<q<sub >2</sub>>| all over getting<maths num=" 0114 "><![CDATA[<math><mrow><mo>{</mo><mfrac><msup><mrow><mo>(</mo><msup><mi>q</mi><mi>n</mi></msup><mo>-</mo><mn>1</mn><mo>)</mo></mrow><mn>2</mn></msup><mrow><mo>(</mo><msup><mi>q</mi><msub><mi>d</mi><mn>1</mn></msub></msup><mo>-</mo><mn>1</mn><mo>)</mo></mrow></mfrac><mo>,</mo><mo>.</mo><mo>.</mo><mo>.</mo><mo>,</mo><mfrac><msup><mrow><mo>(</mo><msup><mi>q</mi><mi>n</mi></msup><mo>-</mo><mn>1</mn><mo>)</mo></mrow><mn>2</mn></msup><mrow><mo>(</mo><msup><mi>q</mi><msub><mi>d</mi><mi>k</mi></msub></msup><mo>-</mo><mn>1</mn><mo>)</mo></mrow></mfrac><mo>}</mo><mo>.</mo></mrow></math>]]></maths>{ d wherein<sub >1</sub>=1 ..., d<sub >k</sub>=n} is all positive factors of n.

Definition 2.6: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ M=Rank (<q ₁>* M *<q ₂>).If (n m) does difficult BMQ problem, claims that then " M is about (Q ₁, Q ₂) strong ".And note: M _S(Q ₁, Q ₂)={, A|A was about (Q ₁, Q ₂) strong

" strong matrix " about Ergodic Matrices has following theorem,

Theorem 2.16: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $A\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ If there is B ∈ M _S(Q ₁, Q ₂), make:

Rank(<Q ₁>×A×<Q ₂>)＝Rank(<Q ₁>×B×<Q ₂>)

A ∈ M then _S(Q ₁, Q ₂).

Theorem 2.17: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, Q ₁ ^aAnd Q ₂ ^bBe respectively with Q ₁And Q ₂Ergodic Matrices (a, b and q of equal value ⁿ-1 is coprime), then have: $M_S(Q_1,Q_2)=M_S(Q_1^a,Q_2^b).$

Theorem 2.18: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, A ∈ M _S(Q ₁, Q ₂), then have:

(1) to x ∈<q ₁>* A *<q ₂>, have: x ∈ M _S(Q ₁, Q ₂)

(2) to x, y ∈<q ₁>* A *<q ₂>If, Rank (<q ₁>* (x+y) *<q ₂>)>=2n, then (x+y) ∈ M _S(Q ₁, Q ₂)

Theorem 2.18 explanations are for Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n},$ If can find one about (Q ₁, Q ₂) strong matrix, then can obtain a plurality of by it about (Q ₁, Q ₂) strong matrix.By theorem 2.14 and theorem 2.15, can get theorem again:

Theorem 2.19: if $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, then fixed to getting arbitrarily $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ A positive factor e who all has n, and to T ∈ arbitrarily<q ₁>* M *<q ₂>, BMQ equation group E (Q ₁, M, Q ₂, (q T) is just arranged ^e-1) individual separating.Claim that positive integer e is " (Q ₁, Q ₂) about the index of M ", and note is: Exp (Q ₁, M, Q ₂).

Also find through experiment, for any given Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n},$ Most $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\}$ All satisfy Exp (Q ₁, M, Q ₂)=1.If M ∈ is M _S(Q ₁, Q ₂) and Exp (Q ₁, M, Q ₂)=1 then by proposition 2.1, can be known T ∈ arbitrarily<q ₁>* M *<q ₂>, find the solution BMQ equation group E (Q ₁, M, Q ₂, be difficult T).But also do not mean that corresponding M PEMRL problem intangibility this moment.Although can't be through the group E (Q that solves an equation ₁, M, Q ₂, T) find the solution it, but it is following to find the solution the another kind of method of MPEMRL problem by the character of Ergodic Matrices:

Selected at first arbitrarily F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base $B_1=[Q_1^{{\mathrm{\&alpha;}}_1},...,Q_1^{{\mathrm{\&alpha;}}_n}]$ With $B_2=[Q_2^{{\mathrm{\&beta;}}_1},...,Q_2^{{\mathrm{\&beta;}}_n}].$ Then exist unique $x=(x_1,...,x_n),y=(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\},$ Make:

$Q_1^x=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i{Q}_1^{{\mathrm{\&alpha;}}_i},$ $Q_2^{-y}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j}$

Again by $T=Q_1^{x}M{Q}_2^y,$ $Q_1^{x}M=T{Q}_2^{-y};$ Promptly have $\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i\left(Q_1^{{\mathrm{\&alpha;}}_i}M\right)=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_i\left(T{Q}_2^{{\mathrm{\&beta;}}_j}\right);$ Can get equation group thus:

$[\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M}-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_1}}...-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_n}}]\&times;\left[\begin{array}{c}{x}_1\\ .\\ .\\ .\\ x_n\\ y_1\\ .\\ .\\ .\\ y_n\end{array}\right]=0$

Note is top by Q ₁, M, Q ₂, 2n that T derived unit linear function group does

Then

Must separate.And at Q ₁, M, Q ₂, T is under the known condition, be easy to obtain

Separate.

Order $x=(x_1,...,x_n),y=(y_1,...,y_n)\&Element;F_q^n$ Be

Separate.Then can release or (x, y)=(0,0), or (x ≠ 0, y ≠ 0).Though (x; Y)=(0; 0) separates for one that is

, but can know that by T ≠ 0 it is not legal separating.So

Untrivialo solution must be arranged, and the quantity of untrivialo solution is (q ^k-1).Wherein:

$k=2n-\mathrm{Rank}\left(\right[\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M}-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_1}}...-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_n}}\left]\right)$

Appoint and get

Untrivialo solution $x=(x_1,...,x_n),y=(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\},$ Can get $Q_1^x=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i{Q}_1^{{\mathrm{\&alpha;}}_i}$ With $Q_2^{-y}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j},$ Again to Q ₂ ^-yInvert and to get Q ₂ ^yAnd (Q ₁ ^x, Q ₂ ^y) be of corresponding MPEMRL problem and separate.

Right

Each untrivialo solution all carry out above-mentioned process, then can draw whole (q of corresponding MPEMRL problem ^k-1) individual separating.Especially, if k=1, then corresponding MPEMRL problem just has separating of (q-1) individual equivalent equivalence.Promptly separate for its any two With

Can both find a ∈ F _q{0}, and $Q_1^{x_j}=\left(a{Q}_1^{x_i}\right),$ $Q_2^{y_j}=\left(a^{-1}{Q}_2^{y_i}\right).$ A demand went out of corresponding MPEMRL problem and separated and just can release its all separating this moment.Be prone to the following theorem of card and set up,

Theorem 2.20: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ Then have:

$\mathrm{Exp}(Q_1,M,Q_2)=2n-\mathrm{Rank}\left(\right[\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M}\stackrel{\&RightArrow;}{M{Q}_2^{{\mathrm{\&beta;}}_1}}...\stackrel{\&RightArrow;}{M{Q}_2^{{\mathrm{\&beta;}}_n}}\left]\right)$

Theorem 2.21: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ E=Exp (Q ₁, M, Q ₂).Then to T ∈ arbitrarily<q ₁>* M *<q ₂>, equation group E (Q ₁, M, Q ₂, (q T) is just arranged ^e-1) individual separating.

Theorem 2.22: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ E=Exp (Q ₁, M, Q ₂).Then to T ∈ arbitrarily<q ₁>* M *<q ₂>, equation group

(q is just arranged ^e-1) individual untrivialo solution and a null solution.

Theorem 2.23: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, M ∈ M _S(Q ₁, Q ₂), if Exp is (Q ₁, M, Q ₂)=1 is then to T ∈ arbitrarily<q ₁>* M *<q ₂>, find the solution BMQ equation group E (Q ₁, M, Q ₂, be difficult T).

Theorem 2.24: establish $Q_1,Q_2\&Element;F_q^{n\&times;n}$ Be Ergodic Matrices, $M\&Element;F_q^{n\&times;n}\backslash \left\{0\right\},$ And Exp (Q ₁, M, Q ₂)=1.Then to T ∈ arbitrarily<q ₁>* M *<q ₂>, at known Q ₁, Q ₂, M, T situation under, can pass through the solving equation group

Come to obtain fast the separating of whole (q-1) individual equivalent equivalences of corresponding MPEMRL problem.

Can obtain an important conclusion thus.That is exactly to work as q ⁿWhen enough big, for given Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n}$ With M ∈ M _S(Q ₁, Q ₂), if Exp is (Q ₁, M, Q ₂)=1 is then to optional $T=Q_1^{x}M{Q}_2^y\&Element;{<Q}_1>\&times;M\&times;{<Q}_2>,$ By BMQ equation group E (Q ₁, M, Q ₂, T) find the solution (Q ₁ ^x, Q ₂ ^y) be difficult; But at known Q ₁, Q ₂, M, T situation under, by equation group

Find the solution (Q ₁ ^x, Q ₂ ^y) but be easy.

This point is vital, and the core concept of public key cryptography proposed by the invention derives from this just.Its main thought is with BMQ equation group E (Q ₁, M, Q ₂, T) as public-key cryptography, and with Q ₁, Q ₂, B ₁, B ₂, M is as private cipher key.The sender of the message selects message at random $(Q_1^x,Q_2^y)\&Element;{<Q}_1>\&times;<Q_2>,$ And with the PKI of message recipient to (Q ₁ ^x, Q ₂ ^y) calculating (encryption) must ciphertext $T=Q_1^{x}M{Q}_2^y\&Element;{<Q}_1>\&times;M\&times;{<Q}_2>,$ Then ciphertext T is passed to the recipient; The recipient utilizes its private key reconstruct equation group

And through finding the solution of its being restored expressly (Q ₁ ^x, Q ₂ ^y).

So far, background technology involved in the present invention and mathematical knowledge have been explained and have been finished, and are particular content of the present invention and execution mode below.

(3) summary of the invention

The technical issues that need to address of the present invention are to work out a kind of new public key cryptography scheme, and make it to have higher security intensity than the public key cryptography of current extensive employing.

The present invention is used for the encryption and decryption of various data such as character, literal, figure, image and the sound of computer and communication network and file; Kept secure and transmission to guarantee data, file content can be widely used in ecommerce, electronic banking and the E-Government.

The present invention hopes that our country can have the core technology of oneself in the public key encryption field, to guarantee information security, economic security and the safety with sovereign right of country, improves the technological means that finance and tax swindle are taken precautions against by China simultaneously.

The present invention is a kind of public key cryptography scheme based on Ergodic Matrices on the Hidden field, according to this method, can make public key encryption/deciphering chip, can develop public key encryption/decryption software etc.Therefore, the present invention is a kind of production public key encryption deciphering product mandatory basic principle of institute and technical scheme, rather than physical product itself.

The given public key cryptography technology scheme of the present invention generates, encrypts, deciphers three parts by key and forms.Herein, file before encrypting or data are called expressly, file or data after encrypting are called ciphertext.

Suppose that user A desire sends a file or data through network to user B, and carry out with the mode of maintaining secrecy.User A and user B desire realize so secure communication process, and its pattern is following:

Key generates: at first, user B should go to the 3rd side authoritative institution (CA or digital certificate center) to get a pair of private key (Private Key) and PKI (Public Key) by the output of key generation parts, and private key must must not be divulged a secret by user B oneself keeping; PKI then allows openly to provide to the external world with disclosed form, so that use.

Cryptographic operation: user A obtains the PKI of user B, and the plaintext that on the machine of operation encryption unit, desire is sent is encrypted, and obtains ciphertext, and sends ciphertext to user B through network.

Decryption oprerations: after user B receives the ciphertext that user A sends, on the machine of operation deciphering parts, ciphertext is deciphered, recover plaintext with own private key.

In key encrypt method, for the efficient of encryption is provided.Usually adopt the mixed cipher technology, promptly come encrypting plaintext, come encrypted symmetric key with public-key cryptosystem again with DSE arithmetic.Employed encryption key of DSE arithmetic and decruption key are same key in essence, are called as session key.

3.1 technical scheme one of the present invention

First technical scheme of the present invention generates, encrypts, deciphers three parts by key and constitutes.Specific as follows:

3.1.1 key generates part

Key generates part and supplies CA to use, and is used for to each user produces a pair of private key and PKI, and its implementation is following:

(1) picked at random F _qOn two n * n Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n}.$ (q＞10 and q ⁿEnough big)

(2) picked at random is about (Q ₁, Q ₂) strong matrix M ∈ M _S(Q ₁, Q ₂), require Exp (Q simultaneously ₁, M, Q ₂)=1.

(3) picked at random F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base $B_1=[Q_1^{{\mathrm{\&alpha;}}_1},...,Q_1^{{\mathrm{\&alpha;}}_n}]$ With $B_2=[Q_2^{{\mathrm{\&beta;}}_1},...,Q_2^{{\mathrm{\&beta;}}_n}].$

(4) picked at random The m n-dimensional subspace n

About F _qOne group of base [R ₁..., R _m]. (wherein: m=Rank (<q ₁>* M *<q ₂>))

(5) obtain

Each row vector is about base [R ₁..., R _m] coordinates matrix

$\mathrm{\&lambda;}=\left[\begin{array}{cccc}{\mathrm{\&lambda;}}_{\mathrm{1,1}}& {\mathrm{\&lambda;}}_{\mathrm{1,2}}& ...& {\mathrm{\&lambda;}}_{1,m}\\ & \text{.}& & \\ & .& & \\ & .& & \\ {\mathrm{\&lambda;}}_{n^2,1}& {\mathrm{\&lambda;}}_{n^2,2}& ...& {\mathrm{\&lambda;}}_{n^2,m}\end{array}\right]\&Element;F_q^{n^2\&times;m}$

It is right to make

K the vectorial r of row _k, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m(1≤k≤n ²)

(6) by [R ₁..., R _m] m F of generation _qOn BMQ multinomial { ρ ₁(x, y) ..., ρ _m(x, y) }:

$\left[\begin{array}{c}{\mathrm{\&rho;}}_1(x,y)\\ {\mathrm{\&rho;}}_2(x,y)\\ .\\ .\\ .\\ {\mathrm{\&rho;}}_m(x,y)\end{array}\right]=\left[\begin{array}{c}{R}_1\\ R_2\\ .\\ .\\ .\\ R_m\end{array}\right]\&times;\left[\begin{array}{c}{x}_1{y}_1\\ .\\ .\\ .\\ x_1{y}_n\\ .\\ .\\ .\\ x_n{y}_1\\ .\\ .\\ .\\ x_n{y}_n\end{array}\right],(x=(x_1,...,x_n),y=(y_1,...,y_n)\&Element;F_q^n)$

At last, with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, B ₁, B ₂, λ) be private key.

3.1.2 encryption section

Encryption section supplies information sender to use, and is used for to expressly encrypting.Information sender and recipient at first confirm a kind of general symmetric encipherment algorithm E, and clear packets M is carried out following steps:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select at random $\mathrm{\&alpha;}=({\mathrm{\&alpha;}}_1,...,{\mathrm{\&alpha;}}_n),\mathrm{\&beta;}=({\mathrm{\&beta;}}_1,...,{\mathrm{\&beta;}}_n)\&Element;F_q^n\backslash \left\{0\right\},$ Session key:

$\mathrm{key}=\mathrm{\&alpha;}\&times;\mathrm{\&beta;}=({\mathrm{\&alpha;}}_1{\mathrm{\&beta;}}_1,...,{\mathrm{\&alpha;}}_1{\mathrm{\&beta;}}_n,...,{\mathrm{\&alpha;}}_n{\mathrm{\&beta;}}_1,...,{\mathrm{\&alpha;}}_n{\mathrm{\&beta;}}_n)\&Element;F_q^{n^2}\backslash \left\{0\right\}$

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

(4) with session key key and symmetric encipherment algorithm E plaintext M is encrypted:

C _M＝E _key(M)

(5) with ciphertext (C _Key, C _M) send to the recipient

3.1.3 decryption portion

Decryption portion supplies the receiving party to use, and is used for ciphertext is deciphered.The recipient with oneself private key as decruption key.

If recipient's private key is (Q ₁, Q ₂, M, B ₁, B ₂, λ), the ciphertext of receiving is (C _Key, C _M).Then decrypting process is following:

(1) calculates $\stackrel{\&RightArrow;}{T}=\mathrm{\&lambda;}\&times;C_{\mathrm{Key}}^T=\mathrm{\&lambda;}\&times;{[z_1,...,z_m]}^T,$ Can get matrix T ∈<q ₁>* M *<q ₂>

(2) solve one group of untrivialo solution of following 2n unit linear function group: $x=(x_1,...,x_n),y^{\&prime;}=(y_1^{\&prime;},...,y_n^{\&prime;})\&Element;F_q^n\backslash \left\{0\right\}$

$[\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_1}M}...\stackrel{\&RightArrow;}{Q_1^{{\mathrm{\&alpha;}}_n}M}-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_1}}...-\stackrel{\&RightArrow;}{T{Q}_2^{{\mathrm{\&beta;}}_n}}]\&times;{[x_1...x_n{y}_1^{\&prime;}...y_n^{\&prime;}]}^T=0$

(3) by y ' calculating: $A=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j^{\&prime;}{Q}_2^{{\mathrm{\&beta;}}_j}\&Element;<Q_2>$

(4) obtain the inverse matrix A of A ^-1∈<q ₂>

(5) calculate A ^-1About basic B ₂Coordinate $y=(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\}$ $(A^{-1}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j})$

(6) then (x, y) with (α, β) equivalence, reducible thus session key:

key＝x×y＝(x ₁y ₁，…，x ₁y _n，…，x _ny ₁，…，x _ny _n)＝α×β

(7) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg.

3.2 technical scheme two of the present invention

Second technical scheme of the present invention generates, encrypts, deciphers three parts by key and constitute.Specific as follows:

3.2.1 key generates part

Key generates part and supplies CA to use, and is used for to each user produces a pair of private key and PKI, and its implementation is following:

(1) picked at random F _qOn two n * n Ergodic Matrices $Q_1,Q_2\&Element;F_q^{n\&times;n}.$ (q＞10 and q ⁿEnough big)

(2) picked at random is about (Q ₁, Q ₂) strong matrix M ∈ M _S(Q ₁, Q ₂), require Exp (Q simultaneously ₁, M, Q ₂)=1.

(3) picked at random F _qOn two n * n nonsingular matrix $s,t\&Element;F_q^{n\&times;n}.$

(4) calculate F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base $B_1=[Q_1^{{\mathrm{\&alpha;}}_1},...,Q_1^{{\mathrm{\&alpha;}}_n}]$ With $B_2=[Q_2^{{\mathrm{\&beta;}}_1},...,Q_2^{{\mathrm{\&beta;}}_n}].$ Make:

$Q_1^{{\mathrm{\&alpha;}}_j}=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}s[i,j]Q_1^{i-1},$ $Q_2^{{\mathrm{\&beta;}}_j}=\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}t[i,j]Q_2^{i-1},(j=\mathrm{1,2},...,n)$

(5) picked at random

The m n-dimensional subspace n

About F _qOne group of base [R ₁..., R _m]. (wherein: m=Rank (<q ₁>* M *<q ₂>))

(6) obtain

Each row vector is about base [R ₁..., R _m] coordinates matrix

$\mathrm{\&lambda;}=\left[\begin{array}{cccc}{\mathrm{\&lambda;}}_{\mathrm{1,1}}& {\mathrm{\&lambda;}}_{\mathrm{1,2}}& ...& {\mathrm{\&lambda;}}_{1,m}\\ & \text{.}& & \\ & .& & \\ & .& & \\ {\mathrm{\&lambda;}}_{n^2,1}& {\mathrm{\&lambda;}}_{n^2,2}& ...& {\mathrm{\&lambda;}}_{n^2,m}\end{array}\right]\&Element;F_q^{n^2\&times;m}$

It is right to make

K the vectorial r of row _k, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m(1≤k≤n ²)

(7) by [R ₁..., R _m] m F of generation _qOn BMQ multinomial { ρ ₁(x, y) ..., ρ _m(x, y) }:

$\left[\begin{array}{c}{\mathrm{\&rho;}}_1(x,y)\\ {\mathrm{\&rho;}}_2(x,y)\\ .\\ .\\ .\\ {\mathrm{\&rho;}}_m(x,y)\end{array}\right]=\left[\begin{array}{c}{R}_1\\ R_2\\ .\\ .\\ .\\ R_m\end{array}\right]\&times;\left[\begin{array}{c}{x}_1{y}_1\\ .\\ .\\ .\\ x_1{y}_n\\ .\\ .\\ .\\ x_n{y}_1\\ .\\ .\\ .\\ x_n{y}_n\end{array}\right](x=(x_1,...,x_n),y=(y_1,...,y_n)\&Element;F_q^n)$

(8) at last with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, s ^-1, t ^-1, λ) be private key.

3.2.2 encryption section

Encryption section supplies information sender to use, and is used for to expressly encrypting.Information sender and recipient at first confirm a kind of general symmetric encipherment algorithm E, and clear packets M is carried out following steps:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select at random $\mathrm{\&alpha;}=({\mathrm{\&alpha;}}_1,...,{\mathrm{\&alpha;}}_n),\mathrm{\&beta;}=({\mathrm{\&beta;}}_1,...,{\mathrm{\&beta;}}_n)\&Element;F_q^n\backslash \left\{0\right\},$ Session key:

$\mathrm{key}=\mathrm{\&alpha;}\&times;\mathrm{\&beta;}=({\mathrm{\&alpha;}}_1{\mathrm{\&beta;}}_1,...,{\mathrm{\&alpha;}}_1{\mathrm{\&beta;}}_n,...,{\mathrm{\&alpha;}}_n{\mathrm{\&beta;}}_1,...,{\mathrm{\&alpha;}}_n{\mathrm{\&beta;}}_n)\&Element;F_q^{n^2}\backslash \left\{0\right\}$

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

(4) with session key key and symmetric encipherment algorithm E plaintext M is encrypted:

C _M＝E _key(M)

(C at last _Key, C _M) be ciphertext, will be sent out to the recipient.

3.2.3 decryption portion

Decryption portion supplies the receiving party to use, and is used for ciphertext is deciphered.The recipient with oneself private key as decruption key.

If recipient's private key is (Q ₁, Q ₂, M, s ^-1, t ^-1, λ), the ciphertext of receiving is (C _Key, C _M).Then decrypting process is following:

(1) calculates $\stackrel{\&RightArrow;}{T}=\mathrm{\&lambda;}\&times;C_{\mathrm{Key}}^T=\mathrm{\&lambda;}\&times;{[z_1,...,z_m]}^T,$ Can get matrix T ∈<q ₁>* M *<q ₂>

(2) solve one group of untrivialo solution of following 2n unit linear function group: $x=(x_1,...,x_n),y^{\&prime;}=(y_1^{\&prime;},...,y_n^{\&prime;})\&Element;F_q^n\backslash \left\{0\right\}$

$[\stackrel{\&RightArrow;}{Q_1^{0}M}...\stackrel{\&RightArrow;}{Q_1^{n-1}M}-\stackrel{\&RightArrow;}{T{Q}_2^0}...-\stackrel{\&RightArrow;}{T{Q}_2^{n-1}}]\&times;{[x_1...x_n{y}_1^{\&prime;}...y_n^{\&prime;}]}^T=0$

(3) by y ' calculating: $A=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j^{\&prime;}{Q}_2^{{\mathrm{\&beta;}}_j}\&Element;<Q_2>$

(4) obtain the inverse matrix A of A ^-1∈<q ₂>

(5) calculate A ^-1About base [Q ₂ ⁰..., Q ₂ ^N-1] coordinate $y=(y_1,...,y_n)\&Element;F_q^n\backslash \left\{0\right\}$ $(A^{-1}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{y}_j{Q}_2^{{\mathrm{\&beta;}}_j})$

(6) calculate ${\mathrm{\&alpha;}}^{\&prime;}=({\mathrm{\&alpha;}}_1^{\&prime;},...,{\mathrm{\&alpha;}}_n^{\&prime;})=s^{-1}x,{\mathrm{\&beta;}}^{\&prime;}=({\mathrm{\&beta;}}_1^{\&prime;},...,{\mathrm{\&beta;}}_n^{\&prime;})=t^{-1}y\&Element;F_q^n\backslash \left\{0\right\}$

(7) then (α ', β ') with (α, β) equivalence, reducible thus session key:

key＝α′×β′＝(α′ ₁β′ ₁，…，α′ ₁β′ _n，…，α′ _nβ′ ₁，…，α′ _nβ′ _n)＝α×β

(8) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg.

3.3 advantage and good effect

Compare with public key cryptography scheme commonly used at present, the given public key cryptography technology scheme of the present invention has following advantage.

3.3.1 fail safe is higher

Can prove the BMQ problem be NP completely.So it is more difficult than big integer factor decomposition and discrete logarithm problem.Therefore, deriving private key or decode expressly from ciphertext from PKI is infeasible in polynomial time.

Moreover public key cryptography commonly used at present all faces the threat of quantum calculation.And do not have effective quantum algorithm for np complete problem.Therefore the present invention can be used as a replacement scheme of existing public key cryptography, thereby has long-range application potential.

3.3.2 key space is big

Work as q ⁿWhen enough big, because F _q ^{N * n}In Ergodic Matrices and about given Ergodic Matrices to (Q ₁, Q ₂) the quantity of strong matrix heavy many, so (private key, PKI) in the given technical scheme of the present invention right selection space is very big.

3.3.3 the randomness of PKI is good

The pairing F of PKI in the given technical scheme of the present invention _qOn BMQ multi-direction type group [ρ ₁..., ρ _m], be by n ²Dimension row vector space

A specific m n-dimensional subspace n about F _qOne group of base [R ₁..., R _m] unique definite.

And the quantity of the m n-dimensional subspace n V of

is:

$\frac{(q^{n^2}-1)(q^{n^2}-q)(q^{n^2}-q^2)...(q^{n^2}-q^{m-1})}{(q^m-1)(q^m-q)(q^m-q^2)...(q^m-q^{m-1})}$

For specific m n-dimensional subspace n V, V is about F _qThe quantity of base (greatly linearly independent vector group) be:

(q ^m-1)(q ^m-q)(q ^m-q ²)…(q ^m-q ^m-1)

So PKI [ρ ₁..., ρ _m] selection randomness very big.

3.3.4 fast operation

The enciphering rate of this key encrypt method is fast.Because it only relates to F _qIn simply add/multiplication, and do not relate to any power exponentiation.

The deciphering speed of this key encrypt method is fast simultaneously.Because it only relates to F _qIn simple matrix add/multiplication conciliates the linear function group operation of 2n unit, and do not relate to any matrix power exponentiation.Thereby be convenient to hardware and realize.

3.3.5 technology can disclose

Realization technology of the present invention can disclose fully, and user's PKI also can use the form of digital certificate openly to provide to the external world.As long as private key is not divulged a secret, just can guarantee the safety of ciphertext fully.

3.3.6 it is favourable to national security

The Internet is a kind of open net, and is obvious, transmits sensitive information in the above and must encrypt.Because internet usage is as means of communication for important departments such as the Chinese government, national defence, finance, the tax, therefore, information security is related to national sovereignty safety and economic security.

Therefore, to have a key encrypt method of independent intellectual property right, original innovation significant in research.

(4) embodiment

The characteristics of this key encrypt method are that it can let each user obtain two keys, and a key can disclose, and are used for encrypting, and a key can only the individual have, and are used for deciphering.Like this, can not worry that key divulged a secret in the transmittance process on the net.When the agreement correspondent transmitted information on the net, the sender used recipient's PKI that file or message are encrypted, and the recipient uses the private key of oneself that it is deciphered after receiving ciphertext.

Two keys are got by CA (Certificate Authentication) authentication center that each user can arrive appointment.The ca authentication center is the mechanism that the user is registered, key is produced, distributes and manages.It utilizes the key generation method generation user's of 3.1.1 or 3.2.1 joint PKI and private key.

This encryption method can realize that it comprises two parts with logic circuit chip or program language: chip or program are developed according to key generation method in (1), are used by the ca authentication center; (2) develop chip or program according to the encryption and decryption method of 3.1.2,3.1.3 or 3.2.2,3.2.3 joint, use by the general user.

Claims (1)

1. the key encrypt method of Ergodic Matrices on the Hidden field; Generating, encrypt, decipher three parts by key forms; Key generates part and supplies the generation user of third party authoritative institution (private key, PKI) right, and encryption section supplies the PKI of message sender use message receiver expressly converting ciphertext into; Decryption portion supplies message receiver to use the private key of oneself to be reduced into ciphertext expressly, it is characterized in that:

Key generates part and has adopted the following step:

(1) picked at random F _qLast two n * n Ergodic Matrices

Require q＞10 and q ⁿEnough big;

(2) picked at random is about (Q ₁, Q ₂) strong matrix M ∈ M _S(Q ₁, Q ₂), and M satisfies:

Here M _S(Q ₁, Q ₂) be by Ergodic Matrices

Determined set of matrices, it is defined as:

(3) picked at random F _q[Q ₁] and F _q[Q ₂] about F _qBase

With

(4) by B ₁, M, B ₂Calculate n ²* n ²Matrix

All row vectors by A obtain the set of row vector again

Make m=Rank (<q ₁>* M *<q ₂>), the capable vector space V that is then generated by Vector Groups H _S(H) order also is m, i.e. V _S(H) do the vector space of embarking on journey

The m n-dimensional subspace n, last picked at random V _S(H) about F _qOne group of base [R ₁..., R _m];

(5) because each row vector of the matrix A in the 4th step all can be by [R ₁..., R _m] linear expression, each row vector that therefore can obtain A is about base [R ₁..., R _m] coordinates matrix:

And λ satisfies, for k the vectorial r of row of matrix A _k(1≤k≤n ²), r is arranged _k=λ _{K, 1}R ₁+ λ _{K, 2}R ₂+ ... + λ _{K, m}R _m

(6) by [R ₁..., R _m] m F of generation _qOn BMQ multinomial ρ ₁(x, y) ..., ρ _m(x, y):

(7) with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, (Q ₁, Q ₂, M, B ₁, B ₂, λ) be private key;

Encryption section has adopted the following step:

Message sender and recipient confirm a kind of general symmetric encipherment algorithm E in advance, and transmit leg is done plaintext W then:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]);

(2) select

at random session key then:

(3) with recipient's PKI Key is encrypted:

(4) with session key Key and symmetric encipherment algorithm E plaintext W is encrypted: C _W=E _Key(W);

(5) with (C _Key, C _W) send to reciever;

Decryption portion has adopted the following step:

Message receiver uses the private key (Q of oneself ₁, Q ₂, M, B ₁, B ₂, λ), to the message (C that receives _Key, C _W) do:

(1) by λ, C _KeyCalculate n ²Dimensional vector

Z is regarded as

Then can unique definite F _qOn n * n matrix T ∈<q ₁>* M *<q ₂>

(2) by B ₁, M, B ₂, the following 2n of T simultaneous unit linear function group, obtain one of which group untrivialo solution then

(3) by y ', B ₂Calculate n * n matrix:

(4) obtain the matrix P of matrix of P ^-1∈<q ₂>

(5) calculate P ^-1About basic B ₂Coordinate Make

(6) because (x, y) with (s, t) equivalence, so can by (x y) restores session key:

Key＝x×y＝(x ₁y ₁，…，x ₁y _n，…，x _ny ₁，…，x _ny _n)＝s×t；

(7) at last by C _W, Key and the decipherment algorithm D corresponding with AES E recover expressly: W=D _Key(C _W).