CN102104481B - Elliptic curve-based key exchange method - Google Patents

Abstract

The invention provides an elliptic curve-based key exchange method. In the process of constructing a key generation function, user identity information, elliptic curve equation parameter information, public keys of a user and other information are fully considered, and a cofactor, a random number and other information are fully utilized in the process of calculating elliptic curve points. Therefore, compared with the prior art, the method can better improve the safety.

Description

A kind of key exchange method based on elliptic curve

Technical field

The present invention relates to information encryption, particularly a kind of key exchange method based on elliptic curve.

Background technology

Information security is the focal issue that national governments, enterprises and institutions and individual pay close attention in information exchanging process always.Information being encrypted, being obtained by unauthorized person preventing, is core technology means that ensure information safety.

Traditional encryption method adopts the symmetric key system more, communicating pair must be reached an agreement with regard to secret and the authenticity of key, but can there be certain problem in this method in actual applications, such as: owing to need to carry out by means of the third party distribution of key, therefore implement cumbersomely, and have security risk.

For this reason, propose again a kind of by the on-the-spot method of consulting to generate shared key of communicating pair in the prior art, such as the key exchange method under the public key system, specifically comprise the Diffie-Hellman key exchange method of RSA-Based and based on key exchange method of elliptic curve etc.Owing to all have advantage at aspects such as security intensity, arithmetic speed and operands, than other method, use more extensively based on the key exchange method of elliptic curve.

Existing key exchange method based on elliptic curve mainly comprises based on the Diffie-Hellman key exchange method of elliptic curve with based on the MQV key exchange method of elliptic curve etc.But the structure of the key-function of using in these methods is all tight not, does not consider the information such as identity of communicating pair, and the computational methods of the elliptic curve point that uses are also safe not, can't take precautions against the attack patterns such as small subgroup and invalid curve.

Summary of the invention

In view of this, main purpose of the present invention is to provide a kind of key exchange method based on elliptic curve, can improve fail safe.

For achieving the above object, technical scheme of the present invention is achieved in that

A kind of key exchange method based on elliptic curve is characterized in that the method comprises:

A, communicating pair pre-determine an elliptic curve;

B, produce random number r as communication initiator's user A _A∈ [1, n-1], and calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁), with described R _ASend to the user B as communication response side; Wherein, described G represents the basic point of elliptic curve, and described n represents the rank of G, described [r _A] G represents to calculate the r of G _ATimes the point;

C, user B produce random number r _B∈ [1, n-1], and calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂);

From described R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Described

Be x ₂Function with n;

Calculate

Wherein, described d _BThe private key of expression user B, described mod represents modular arithmetic;

The R that checking receives _AWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from described R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate

Described Be x ₁Function with n;

Calculate elliptic curve point

Wherein, described h represents cofactor, h=#E (F _q)/n, described F _qExpression comprises the finite field of q element, described E (F _q) representative domain F _qThe set that all rational points of middle elliptic curve form, described #E (F _q) number of element in the expression set, described P _AThe PKI of expression user A;

Determine whether described V is infinite point, if so, process ends then, otherwise, with x _VAnd y _VData type conversion be Bit String, and computation key K _B=KDF (x _V, y _V, Z _A, Z _B, klen); Wherein, described KDF represents cipher key derivation function, and described klen represents the length of cipher key derivation function output data, described Z _AThe Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user A of user A calculates, described Z _BIt is the Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user B of user B calculates;

With described R _BSend to user A;

D, user A are from described R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate successively

With

Described d _AThe private key of expression user A;

The R that checking receives _BWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from described R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Calculate elliptic curve point

Wherein, described P _BThe PKI of expression user B;

Determine whether described U is infinite point, if so, process ends then, otherwise, with x _UAnd y _UData type conversion be the Bit String form, and computation key K _A=KDF (x _U, y _U, Z _A, Z _B, klen).

As seen, adopt technical scheme of the present invention, when the structure key-function, subscriber identity information, elliptic curve equation parameter information and user's the information such as PKI have been taken into full account, and when the calculating of elliptic curve point, take full advantage of the information such as cofactor and random number, therefore than prior art, improved preferably fail safe.

Description of drawings

Fig. 1 is the flow chart that the present invention is based on the key exchange method embodiment of elliptic curve.

Embodiment

For problems of the prior art, a kind of key exchange method based on elliptic curve is proposed among the present invention, can improve preferably fail safe.

For make technical scheme of the present invention clearer, understand, referring to the accompanying drawing embodiment that develops simultaneously, scheme of the present invention is described in further detail.

Fig. 1 is the flow chart that the present invention is based on the key exchange method embodiment of elliptic curve.Suppose to have determined in advance an elliptic curve, and configured respectively PKI P for communicating pair user A and user B _A, P _BWith private key d _A, d _B, how to confirm elliptic curve and how dispose PKI for the user and private key is prior art repeats no more.As shown in Figure 1, may further comprise the steps:

Step 11: the user A as the communication initiator produces random number r _A∈ [1, n-1], and calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁), with R _ASend to the user B as communication response side.

Wherein, G represents the basic point of elliptic curve, and n represents the rank (being generally prime number) of G, [r _A] G represents to calculate the r of G _ATimes the point.

Step 12: user B produces random number r _B∈ [1, n-1], and calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂).

Equally, [r _B] G represents to calculate the r of G _BTimes the point.

Step 13: user B is from R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Wherein,

Expression top function,

The smallest positive integral more than or equal to x is asked in i.e. expression; ﹠amp; Bit and computing are pressed in expression.Can find out,

Be x ₂Function with n.

In the present embodiment, adopt integer conversion (IntTrans) method with x ₂Be converted to integer form, specific implementation comprises:

1) supposes that field element to be converted is that α (corresponds to and is x in this step ₂), the result after the conversion is integer x;

2) if q is (the finite field F that elliptic curve is corresponding _qIn element number) be odd prime, then make x=α;

3) if q=2 ^m, then α will be the Bit String of m for length, establish s _M-1, s _M-2..., s ₀Represent successively each bit from left to right in the Bit String, then $x=\underset{i=0}{\overset{m-1}{\mathrm{\Σ}}}{2}^i{s}_i.$

Step 14: user B calculates $t_B=(d_B+\stackrel{\‾}{x_2}\·r_B)\mathrm{mod}n.$

Wherein, d _BThe private key of expression user B, mod represents modular arithmetic.

Step 15: the R that user B checking receives _AWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate

Can find out,

Be x ₁Function with n.

In this step, with R _AThe transverse and longitudinal coordinate respectively as x and y substitution elliptic curve equation, if untenable, process ends then, otherwise, calculate

Step 16: user B calculates elliptic curve point

And whether definite V be infinite point, if so, and process ends then, otherwise, with x _VAnd y _VData type conversion be the Bit String form.

Wherein, h represents cofactor, h=#E (F _q)/n, F _qExpression comprises the finite field of q element, E (F _q) representative domain F _qThe set that all rational points of middle elliptic curve form, #E (F _q) number of element in the expression set; P _AThe PKI of expression user A.

Whether how to confirm V is that infinite point is prior art, repeats no more.

In addition, in the present embodiment, adopt Bit String conversion (BitTrans) method with x _VAnd y _VData type conversion be the Bit String form, specific implementation comprises:

1) supposes that field element to be converted is that α (corresponds to and is x in this step _VOr y _V), the result after the conversion is Bit String s;

2) if q=2 ^m, then make s=α;

3) if q is odd prime, then α will at first be converted to α the byte serial S that length is l for the integer in interval [0, q-1],

Simultaneously, l need to satisfy 2 ^8l＞α establishes M _L-1, M _L-2..., M ₀Represent successively each byte from left to right among the byte serial S, then need to satisfy

Then, byte serial S is converted to Bit String s:

The length of Bit String s is m, m=8l, s _M-1, s _M-2..., s ₀Represent successively each bit from left to right among the Bit String s, s _iBe M _jI-8j+1 bit from right to left, wherein

Expression end function,

The maximum integer that is less than or equal to x is asked in i.e. expression.

Step 17: user B computation key K _B=KDF (x _V, y _V, Z _A, Z _B, klen).

Usually, described K _B=KDF (x _V|| y _V|| Z _A|| Z _B, klen).

Wherein, KDF represents cipher key derivation function; Klen represents the length of cipher key derivation function output data; Z _AIt is the Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user A of user A calculates; Z _BIt is the Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user B of user B calculates; || the expression splicing.

The concrete account form of cipher key derivation function is:

The expression mode of 1) establishing cipher key derivation function is KDF (x, y, Z _A, Z _B, klen),

2) counter ct=0x00000001 who is consisted of by 32 bits of initialization;

3) for value be followed successively by from 1 to I, calculate respectively Ha _i=H _v(x||y||Z _A|| Z _B|| ct), the value that the value of i whenever adds 1, ct also needs to add 1; H _vThe length of expression output data is the hash function of v, and klen is less than (2 ³²-1) v;

4) determine whether klen/v is integer, if so, then order

Otherwise, order

Equal

In from the left side Individual bit;

5) will

As KDF (x, y, Z _A, Z _B, Output rusults klen).

In addition, above-mentioned Z _AConcrete account form be:

Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A); Wherein, ID _AThe sign distinguished of expression user A is ASCII coding form, ENTL _AExpression ID _ALength, represent that with two bytes a and b represent the elliptic curve equation parameter, all be converted to the Bit String form, x _GAnd y _GThe coordinate of expression basic point G all is converted to the Bit String form, x _AAnd y _AThe coordinate of the PKI of expression user A all is converted to the Bit String form; H ₂₅₆The length of expression output data is 256 hash function;

Z _BAccount form comprise:

Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B); Wherein, ID _BThe sign distinguished of expression user B is ASCII coding form, ENTL _BExpression ID _BLength, represent x with two bytes _BAnd y _BThe coordinate of the PKI of expression user B all is converted to the Bit String form.

Step 18: user B is with R _BSend to user A.

The R here _B, be the R that calculates in the step 12 _B

Step 19: user A is from R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate successively

With

Wherein, d _AThe private key of expression user A.

Step 110: the R that user A checking receives _BWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Step 111: user A calculates elliptic curve point

Wherein, P _BThe PKI of expression user B.

Step 112: user A determines whether U is infinite point, if so, and process ends then, otherwise, with x _UAnd y _UData type conversion be the Bit String form.

Step 113, computation key K _A=KDF (x _U, y _U, Z _A, Z _B, klen).

Usually, described K _A=KDF (x _U|| y _U|| Z _A|| Z _B, klen).

So far, user A and user B have all obtained key, i.e. K _AAnd K _B, both concrete values are the same.

In addition, for the identity to communicating pair authenticates, thereby further improve fail safe, in step 17 shown in Figure 1, namely user B calculates K _BAfterwards, also can further carry out following operation:

User B calculates S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), x _V, y _V, x ₁, y ₁, x ₂And y ₂All be converted to the Bit String form;

User B is with S _BSending to user A (in actual applications, can be together with R _BSend together);

Follow-up, user A calculates S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), x _U, y _U, x ₁, y ₁, x ₂And y ₂All be converted to the Bit String form, and checking S ₁=S _BWhether set up, if so, then think authentification failure from user B to user A, process ends, otherwise, think successfully, calculate S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), and with S _ASend to user B;

User B calculates S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), and checking S ₂=S _AWhether set up, if so, then think authentification failure from user A to user B, process ends.

Above-mentioned at calculating S _B, S ₁, S _AAnd S ₂The length of the output data of Shi Suoyong hash function can be decided according to the actual requirements, such as can be 192 or 256.

Need to prove that each symbol that occurs in above-described embodiment only is illustrated, and please refer to above stated specification during follow-up the appearance when occurring first.

In addition, embodiment illustrated in fig. 1ly be not limited to technical scheme of the present invention only for illustrating, such as, be not to carry out in strict accordance with order shown in Figure 1 between each step, as long as can realize scheme of the present invention.

The feasibility of scheme of the present invention is described below by some concrete examples.

Suppose that the distinguishing of user A in the following example is designated ALICE123YAHOO.COM, be designated as ID with the ASCII coding _A: 414C 49,434,531 32334059 41484F4F 2E434F4D, ENTL _A=0090; Distinguishing of user B is designated BILL456YAHOO.COM, is designated as ID with the ASCII coding _B: 42 494C4C34,35364059 41484F4F 2E434F4D, ENTL _B=0088.

In addition, below used hash function H () in each example, its input is that length is less than 2 ⁶⁴The message bit string, output is that length is the Hash Value of 192 or 256 bits.If output length is that the hash function of 192 bits is H ₁₉₂(), output length are that the hash function of 256 bits is H ₂₅₆() below selects H in each example ₂₅₆().

Have again, below in each example the number that represents of useful 16 systems, the left side is high-order, the right is low level.

F _pUpper elliptic curve key exchanged form

The elliptic curve equation is: y ²=x ³+ ax+b

Example 1:F _q-192

Prime number q: BDB6F4FE 3E8B1D9E 0DA8C0D4 6F4C318C EFE4AFE3 B6B8551F

Coefficient a:BB8E5E8F BC115E13 9FE6A814 FE48AAA6 F0ADA1AA 5DF91985

Coefficient b:1854BEBD C31B21B7 AEFC80AB 0ECD10D5 B1B3308E 6DBF11C1

Cofactor h:1

Basic point G=(x _G, y _G), its rank are designated as n.

Coordinate x _G: 4AD5F704 8DE709AD 51236DE6 5E4D4B48 2C836DC6 E4106640

Coordinate y _G: 02BB3A02 D4AAADAC AE24817A 4CA3A1B0 14B5270432DB27D2

Rank n:BDB6F4FE 3E8B1D9E 0DA8C0D4 0FC96219 5DFAE76F 56564677

The private key d of user A _A: 217B68E4 32A97CE6 A0C6E04E 0DF71CA4 9346980D75DBD585

The PKI P of user A _A=(x _A, y _A):

Coordinate x _A: 365655CB 104D75C8 5250374B 27B86C7B 99100E85 05AD9A13

Coordinate y _A: 85D04BFE 5091FBE3 F0EFBB32 46C43631 3EFB918C 3935AB69

The private key d of user B _B: 02654286 C23E7C94 5E73A150 6C8E74D6 FE70EDC0D0E61BF0

The PKI P of user B _B=(x _B, y _B):

Coordinate x _B: A9F52767 848BE669 95526CBF 19515849 27501F40 916E0AC2

Coordinate y _B: 8B22F0A1 B3327D14 06AE5D0F F8D291F4 0B,0F1,AC0 25135354

Hash Value Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A).

Z _A：29DBEDC5?CC237FB1?28B243FC?9A858392?3629F15D?F3D0353DDADEC704?239EB566

Hash Value Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B).

Z _B：D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6FB63751A8?13182AA9

Correlation in step 11～12:

Produce random number r _A: 0BEB802E 84B69F34 77A7A2CE F3A5D921 AA4B3E1FBA7B947A

Calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁):

Coordinate x ₁: 0A3FB526 003998E1 848793AD AC48EEB4 CD3E3995 AA411F3F

Coordinate y ₁: 59555E99 D2A5BCD2 414D9CE2 8A89A8B4 0DD48ECCDCCF25AD

Produce random number r _B: 1CF3475A F6E77D2B BD0758A6 13C456EB 9AA98CE0A8165309

Calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂):

Coordinate x ₂: 3B7A2867 097E00CA AC2000B3 1C69AAF2 C401727E C146B5F8

Coordinate y ₂: 507E7EA6 66AB8E41 B6FBBE4A E6A88660 47F50793 D1BF703F

Correlation in step 13～14:

Get

9C69AAF2 C401727E C146B5F8

Calculate

Modn:7CEE04EF 50440A94 2E40530B CB4F1650FED831D6 539919B0

Correlation in step 15～16:

Get

AC48EEB4 CD3E3995 AA411F3F

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A0},y_{A0}):$

Coordinate x _A0: 82586966 E992E229 83E3B83C CAB29EE1 1AD11D27 8745DDFC

Coordinate y _A0: B758D99B 1CCA0252 5255BF3F 7F0D6B63 0EB0A218 40A29177

Calculate elliptic curve point $P_A+\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A1},y_{A1}):$

Coordinate x _A1: 1A03D4F0 F639F174 A433B51A D873F58A 877FB05C 37E408E0

Coordinate y _A1: 8E5184CB 6534D701 8EDFB9E8 B227FE56 331212DD F998D0DD

Calculate $V=[h\·t_B](P_A+[{\stackrel{\‾}{x}}_1\left]R_A\right)=(x_V,y_V):$

Coordinate x _V: 0DAD244A C84E7ECD 0AD5B8A2 4DC6CDDA CE30234CAB52898C

Coordinate y _V: 71EAFB2A DC703483 297C182D 6D07E695 D682D7FA 832CC923

Correlation in the step 17:

Calculating K _B=KDF (x _V|| y _V|| Z _A|| Z _B, klen):

x _V||y _V||Z _A||Z _B：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923?29DBEDC5CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704?239EB566D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6F?B63751A813182AA9

klen＝128

Shared key K _B: 9A399CE7 FD619BCE 92490D15 CF5F0EAB

Calculation options S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C29DBEDC5?CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704239EB566?D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6FB63751A8?13182AA9?0A3FB526?003998E1?848793AD?AC48EEB4?CD3E3995AA411F3F?59555E99?D2A5BCD2?414D9CE2?8A89A8B4?0DD48ECC?DCCF25AD3B7A2867?097E00CA?AC2000B3?1C69AAF2?C401727E?C146B5F8?507E7EA666AB8E41?B6FBBE4A?E6A88660?47F50793?D1BF703F

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：CF7A0B04?26540C22?CCD082CC?74B1E573D37F8449?384FC21C?14301BD9?5D0443C5

0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923CF7A0B04?26540C22?CCD082CC?74B1E573?D37F8449?384FC21C?14301BD95D0443C5

Option S _B: B6650913 BED05BEE 6C67AD43 DD108BF1 6672F10C 17CB5F13B1F14332 D765F2FB

Correlation in step 19～110:

Get

AC48EEB4 CD3E3995 AA411F3F

Calculate

Modn:5A5166D5 4F17B545 04FEAE37 6F18077AF71F743E E00B2F30

Get

9C69AAF2 C401727E C146B5F8

Correlation in step 111～112:

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B0},y_{B0}):$

Coordinate x _B0: 1677DAFF 3EC9C7F4 FF643B4E C2414D7D 7DB2FC74 17F07DA8

Coordinate y _B0: 0D532313 88CF334D B2C64EAC 8B25C45C 9E26D1FE B2392DE7

Calculate elliptic curve point $P_B+\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B1},y_{B1}):$

Coordinate x _B1: 7341C52B 8911812B F4D577A0 5C345561 1D0B2BB4 1CEE73CE

Coordinate y _B1: 7011855D 852A14F5 9CA09BB7 25D8D0C7 28B197AB 719EF4B6

Calculate $U=[h\·t_A](P_B+[{\stackrel{\‾}{x}}_2\left]R_B\right)=(x_U,y_U):$

Coordinate x _U: 0DAD244A C84E7ECD 0AD5B8A2 4DC6CDDA CE30234CAB52898C

Coordinate yxx _U: 71EAFB2A DC703483 297C182D 6D07E695 D682D7FA 832CC923

Correlation in the step 113:

Calculating K _A=KDF (x _U|| y _U|| Z _A|| Z _B, klen):

x _U||y _U||Z _A||Z _B：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923?29DBEDC5CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704?239EB566D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6F?B63751A813182AA9

klen＝128

Shared key K _A: 9A399CE7 FD619BCE 92490D15 CF5F0EAB

Calculation options S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C29DBEDC5?CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704239EB566?D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6FB63751A8?13182AA9?0A3FB526?003998E1?848793AD?AC48EEB4?CD3E3995AA411F3F?59555E99?D2A5BCD2?414D9CE2?8A89A8B4?0DD48ECC?DCCF25AD3B7A2867?097E00CA?AC2000B3?1C69AAF2?C401727E?C146B5F8?507E7EA666AB8E41?B6FBBE4A?E6A88660?47F50793?D1BF703F

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：CF7A0B04?26540C22?CCD082CC?74B1E573D37F8449?384FC21C?14301BD9?5D0443C5

0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923CF7A0B04?26540C22?CCD082CC?74B1E573?D37F8449?384FC21C?14301BD95D0443C5

Option S ₁: B6650913 BED05BEE 6C67AD43 DD108BF1 6672F10C 17CB5F13B1F14332 D765F2FB

Calculation options S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C29DBEDC5?CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704239EB566?D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6FB63751A8?13182AA9?0A3FB526?003998E1?848793AD?AC48EEB4?CD3E3995AA411F3F?59555E99?D2A5BCD2?414D9CE2?8A89A8B4?0DD48ECC?DCCF25AD3B7A2867?097E00CA?AC2000B3?1C69AAF2?C401727E?C146B5F8?507E7EA666AB8E41?B6FBBE4A?E6A88660?47F50793?D1BF703F

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：CF7A0B04?26540C22?CCD082CC?74B1E573D37F8449?384FC21C?14301BD9?5D0443C5

0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923CF7A0B04?26540C22?CCD082CC?74B1E573?D37F8449?384FC21C?14301BD95D0443C5

Option S _A: E138ADF5 3051A3F5 9FED92CE 68F39A01 0EC8B6D4 0FE4BFC85F9850F1 CCB979B9

Calculation options S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

0DAD244A?C84E7ECD?0AD5B8A2?4DC6CDDA?CE30234C?AB52898C29DBEDC5?CC237FB1?28B243FC?9A858392?3629F15D?F3D0353D?DADEC704239EB566?D9AF4854?326C29F5?1E814D3A?CCAE4FF8?ED87D9B9?4635BF6FB63751A8?13182AA9?0A3FB526?003998E1?848793AD?AC48EEB4?CD3E3995AA411F3F?59555E99?D2A5BCD2?414D9CE2?8A89A8B4?0DD48ECC?DCCF25AD3B7A2867?097E00CA?AC2000B3?1C69AAF2?C401727E?C146B5F8?507E7EA666AB8E41?B6FBBE4A?E6A88660?47F50793?D1BF703F

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：CF7A0B04?26540C22?CCD082CC?74B1E573D37F8449?384FC21C?14301BD9?5D0443C5

0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?71EAFB2A?DC703483?297C182D?6D07E695?D682D7FA?832CC923CF7A0B04?26540C22?CCD082CC?74B1E573?D37F8449?384FC21C?14301BD95D0443C5

Option S ₂: E138ADF5 3051A3F5 9FED92CE 68F39A01 0EC8B6D4 0FE4BFC85F9850F1 CCB979B9

Example 2:F _q-256

Prime number q: 8542D69E 4C044F18 E8B92435 BF6FF7DE 45728391 5C45517D722EDB8B 08F1DFC3

Coefficient a:787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0EC65228B 3937E498

Coefficient b:63E4C6D3 B23B0C84 9CF84241 484BFE48 F61D59A5 B16BA06E6E12D1DA 27C5249A

Cofactor h:1

Basic point G=(x _G, y _G), its rank are designated as n.

Coordinate x _G: 421DEBD6 1B62EAB6 746434EB C3CC315E 32220B3BADD50BDC 4C4E6C14 7FEDD43D

Coordinate y _G: 0680512B CBB42C07 D47349D2 153B70C4 E5D7FDFC BFA36EA1A85841B9 E46E09A2

Rank n:8542D69E 4C044F18 E8B92435 BF6FF7DD 29772063 0485628D5AE74EE7 C32E79B7

The private key d of user A _A: 6FCBA2EF 9AE0AB90 2BC3BDE3 FF915D44 BA4CC78F88E2F8E7 F8996D3B 8CCEEDEE

The PKI P of user A _A=(x _A, y _A):

Coordinate x _A: 3099093B F3C137D8 FCBBCDF4 A2AE50F3 B0F216C3 122D79425FE03A45 DBFE1655

Coordinate y _A: 3DF79E8D AC1CF0EC BAA2F2B4 9D51A4B3 87F2EFAF 482339086A27A8E0 5BAED98B

The private key d of user B _B: 5E35D7D3 F3C54DBA C72E6181 9E730B01 9A84208CA3A35E4C 2E353DFC CB2A3B53

The PKI P of user B _B=(x _B, y _B):

Coordinate x _B: 245493D4 46C38D8C C0F11837 4690E7DF 633A8A4B FB3329B5ECE604B2 B4F37F43

Coordinate y _B: 53C0869F 4B9E1777 3DE68FEC 45E14904 E0DEA45B F6CECF9918C85EA0 47C60A4C

Hash Value Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A).

Z _A：E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA0?98E51A668487240F?75E20F31

Hash Value Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B).

Z _B：6B4B6D0E?276691BD?4A11BF72?F4FB501A?E309FDAC?B72FA6CC336E6656?119ABD67

Correlation in step 11～12:

Produce random number r _A: 83A2C9C8 B96E5AF7 0BD480B4 72409A9A 327257F1EBB73F5B 07,335,4B2 48668563

Calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁):

Coordinate x ₁: 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D23150C40 8F162BF0

Coordinate y ₁: 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E5BBBEB85 7961BF1A

Produce random number r _B: 33FE2194 0342161C 55619C4A 0C060293 D543C80AF19748CE 176D8347 7DE71C80

Calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂):

Coordinate x ₂: 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF4514E8BBC1 9D900EE5

Coordinate y ₂: 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7D8740A91 D0DB3CF4

Correlation in step 13～14:

Get

B8F2B533 7B3DCF45 14E8BBC1 9D900EE5

Calculate

Modn:

2B2E11CB?F03641FC?3D939262?FC0B652A?70ACAA25?B5369AD38B375C02?65490C9F

Correlation in step 15～16:

Get

E856C095 05324A6D 23150C40 8F162BF0

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A0},y_{A0}):$

Coordinate x _A0: 2079015F 1A2A3C13 2B67CA90 75BB2803 1D6F2239 8DD8331E72529555 204B495B

Coordinate y _A0: 6B3FE6FB 0F5D5664 DCA16128 B5E7FCFD AFA5456C 1E5A914D1300DB61 F37888ED

Calculate elliptic curve point $P_A+\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A1},y_{A1}):$

Coordinate x _A1: 1C006A3B FF97C651 B7F70D0D E0FC09D2 3AA2BE7A8E9FF7DA F32673B4 16349B92

Coordinate y _A1: 5DC74F8A CC114FC6 F1A75CB2 86864F34 7F9B2CF2 9326A27079B7D37A FC1C145B

Calculate $V=[h\·t_B](P_A+[{\stackrel{\‾}{x}}_1\left]R_A\right)=(x_V,y_V):$

Coordinate x _V: 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF2900F8B7F5 66E40905

Coordinate y _V: 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866BBB5C6846 A4C4A295

Correlation in the step 17:

Calculating K _B=KDF (x _V|| y _V|| Z _A|| Z _B, klen):

x _V||y _V||Z _A||Z _B：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA098E51A66?8487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501AE309FDAC?B72FA6CC?336E6656?119ABD67

klen＝128

Shared key K _B: 55B0AC62 A6B927BA 23703832 C853DED4

Calculation options S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA0?98E51A668487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501A?E309FDACB72FA6CC?336E6656?119ABD67?6CB56338?16F4DD56?0B1DEC45?8310CBCC6856C095?05324A6D?23150C40?8F162BF0?0D6FCF62?F1036C0A?1B6DACCF57399223?A65F7D7B?F2D9637E?5BBBEB85?7961BF1A?1799B2A2?C778295300D9A232?5C686129?B8F2B533?7B3DCF45?14E8BBC1?9D900EE5?54C9288C82733EFD?F7808AE7?F27D0E73?2F7C73A7?D9AC98B7?D8740A91?D0DB3CF4

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：FF49D95B?D45FCE99?ED54A8AD?7A7091109F513944?42916BD1?54D1DE43?79D97647

0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?FF49D95B?D45FCE99?ED54A8AD?7A709110?9F51394442916BD1?54D1DE43?79D97647

Option S _B: 284C8F19 8F141B50 2E81250F 1581C7E9 EEB4CA69 90F9E02DF388B454 71F5BC5C

Correlation in step 19～110:

Get

E856C095 05324A6D 23150C40 8F162BF0

Calculate

Modn:236CF0C7 A177C65C 7D55E12D 361F7A6C174A7869 8AC099C0 874AD065 8A4743DC

Get

B8F2B533 7B3DCF45 14E8BBC1 9D900EE5

Correlation in step 111～112:

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B0},y_{B0}):$

Coordinate x _B0: 66864274 6BFC066A 1E731ECF FF51131B DC81CF60 9701CB8C657B25BF 55B7015D

Coordinate y _B0: 1988A7C6 81CE1B50 9AC69F49 D72AE60E 8B71DB6C E087AF8499FEEF4C CD523064

Calculate elliptic curve point $P_B+\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B1},y_{B1}):$

Coordinate x _B1: 7D2B4435 10886AD7 CA3911CF 2019EC07 078AFF11 6E0FC409A9F75A39 01F306CD

Coordinate y _B1: 331F0C6C 0FE08D40 5FFEDB30 7BC255D6 8198653B DCA68B9CBA100E73 197E5D24

Calculate $U=[h\·t_A](P_B+[{\stackrel{\‾}{x}}_2\left]R_B\right)=(x_U,y_U):$

Coordinate x _U: 47C82653 4DC2F6F1 FBF28728 DD658F21E 174F481 79ACEF2900F8B7F5 66E40905

Coordinate y _U: 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866BBB5C6846 A4C4A295

Correlation in the step 113:

Calculating K _A=KDF (x _U|| y _U|| Z _A|| Z _B, klen):

x _U||y _U||Z _A||Z _B：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA098E51A66?8487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501AE309FDAC?B72FA6CC?336E6656?119ABD67

klen＝128

Shared key K _A: 55B0AC62 A6B927BA 23703832 C853DED4

Calculation options S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA0?98E51A668487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501A?E309FDACB72FA6CC?336E6656?119ABD67?6CB56338?16F4DD56?0B1DEC45?8310CBCC6856C095?05324A6D?23150C40?8F162BF0?0D6FCF62?F1036C0A?1B6DACCF57399223?A65F7D7B?F2D9637E?5BBBEB85?7961BF1A?1799B2A2?C778295300D9A232?5C686129?B8F2B533?7B3DCF45?14E8BBC1?9D900EE5?54C9288C82733EFD?F7808AE7?F27D0E73?2F7C73A7?D9AC98B7?D8740A91?D0DB3CF4

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：FF49D95B?D45FCE99?ED54A8AD?7A7091109F513944?42916BD1?54D1DE43?79D97647

0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?FF49D95B?D45FCE99?ED54A8AD?7A709110?9F51394442916BD1?54D1DE43?79D97647

Option S ₁: 284C8F19 8F141B50 2E81250F 1581C7E9 EEB4CA69 90F9E02DF388B454 71F5BC5C

Calculation options S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA0?98E51A668487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501A?E309FDACB72FA6CC?336E6656?119ABD67?6CB56338?16F4DD56?0B1DEC45?8310CBCC6856C095?05324A6D?23150C40?8F162BF0?0D6FCF62?F1036C0A?1B6DACCF57399223?A65F7D7B?F2D9637E?5BBBEB85?7961BF1A?1799B2A2?C778295300D9A232?5C686129?B8F2B533?7B3DCF45?14E8BBC1?9D900EE5?54C9288C82733EFD?F7808AE7?F27D0E73?2F7C73A7?D9AC98B7?D8740A91?D0DB3CF4

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：FF49D95B?D45FCE99?ED54A8AD?7A7091109F513944?42916BD1?54D1DE43?79D97647

0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?FF49D95B?D45FCE99?ED54A8AD?7A709110?9F51394442916BD1?54D1DE43?79D97647

Option S _A: 23444DAF 8ED75343 66CB901C 84B3BDBB 63504F40 65C1116C91A4C006 97E6CF7A

Calculation options S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

47C82653?4DC2F6F1?FBF28728?DD658F21?E174F481?79ACEF29?00F8B7F566E40905?E4D1D0C3?CA4C7F11?BC8FF8CB?3F4C02A7?8F108FA0?98E51A668487240F?75E20F31?6B4B6D0E?276691BD?4A11BF72?F4FB501A?E309FDACB72FA6CC?336E6656?119ABD67?6CB56338?16F4DD56?0B1DEC45?8310CBCC6856C095?05324A6D?23150C40?8F162BF0?0D6FCF62?F1036C0A?1B6DACCF57399223?A65F7D7B?F2D9637E?5BBBEB85?7961BF1A?1799B2A2?C778295300D9A232?5C686129?B8F2B533?7B3DCF45?14E8BBC1?9D900EE5?54C9288C82733EFD?F7808AE7?F27D0E73?2F7C73A7?D9AC98B7?D8740A91?D0DB3CF4

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：FF49D95B?D45FCE99?ED54A8AD?7A7091109F513944?42916BD1?54D1DE43?79D97647

0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?2AF86EFE?732CF12A?D0E09A1F?2556CC65?0D9CCCE3?E249866BBB5C6846?A4C4A295?FF49D95B?D45FCE99?ED54A8AD?7A709110?9F51394442916BD1?54D1DE43?79D97647

Option S ₂: 23444DAF 8ED75343 66CB901C 84B3BDBB 63504F40 65C1116C91A4C006 97E6CF7A

Based on before introduction as can be known, q may be odd prime, also may q=2 ^m, more than q in two examples be odd prime, below q=2 in two examples ^m

F ₂The upper elliptic curve key exchanged form of m

The elliptic curve equation is: y ²+ xy=x ³+ ax ²+ b

Example 3:F ₂M-193

Base field generator polynomial: x ¹⁹³+ x ¹⁵+ 1

Coefficient a:0

Coefficient b:00 2FE22037 B624DBEB C4C618E1 3FD998B1 A18E1EE0D05C46FB

Cofactor h:4

Basic point G=(x _G, y _G), its rank are designated as n.

Coordinate x _G: 00 D78D47E8 5C936440 71BC1C21 2CF994E4 D21293AAD8060A84

Coordinate y _G: 00 615B9E98 A31B7B2F DDEEECB7 6B5D8755 86293725F9D2FC0C

Rank n:80000000 00,000,000 00000000 43E9885C 46BF45D8 C5EBF3A1

The private key d of user A _A: 5E39F93D AD7F334A 7D57E0CD 0F5C5556 128DABC4F5D21844

The PKI P of user A _A=(x _A, y _A):

Coordinate x _A: 00 2A3B6E0C B88265C4 FB1DC1EB 9208DDFB AED784E5E8837972

Coordinate y _A: 00 635BF2ED BD18BAD5 4AE54A11 9EEED807 D8007A23909F4BCC

The private key d of user B _B: 0F479000 13BDBEB9 D37426A3 D5DCA50B 51D7E68AE85522ED

The PKI P of user B _B=(x _B, y _B):

Coordinate x _B: 01 088DEF49 C86C2D62 3301A9B7 3619AD0C EB501EFAF436EE06

Coordinate y _B: 01 E5CEC76D 90A8A542 0697E547 27F9DDA5 0D1E17FB0D4AF5FB

Hash Value Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A).

Z _A：7F518EAE?CD4B53C3?983707E2?64AFD495?E633E0EE?E11ECB9EACD9E4DB?A0457512

Hash Value Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B).

Z _B：9BE6B11D?B47ACC6A?B9E60729?1270CE6F?07D873EC?ED435556919A0255?5DC3BE84

Correlation in step 11～12:

Produce random number r _A: 789A80A5 84773D2C E07F303C 0A754723 0E09CC375EB42004

Calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁):

Coordinate x ₁: 01 543F4E17 9E9CAE08 EC39EC3A, 26023547 EA1FEFD4 B306B8E4

Coordinate y ₁: 01 5AE6274C E1DD41D2 D703DF9C E1702F27 48EFE55C6BD2835A

Produce random number r _B: 0374158C 755437D6 8AF8DA3A 10491DB1 D837EE13C411B623

Calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂):

Coordinate x ₂: 01 FF9CD527 28A988A8 3DCECF63 189C0EE3 6B401790E4FEC056

Coordinate y ₂: 01 86192973 ABDB5A7B 7B0C0501 0D98623E 3B4FF8AE1A702AAC

Correlation in step 13～14:

Get

989C0EE3 6B401790 E4FEC056

Calculate

3EF66606 B5D199FB 8D1B07F9 9887B3DE6DA70AC1 224EC943

Calculate ht _BModn:7BD9981A D74667EE 346C1FE6 1E35471D 6FDCE52BC34F316B

Correlation in step 15～16:

Get A6023547 FA1FEFD4 B306B8E4

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A0},y_{A0}):$

Coordinate x _A0: 00 75E4B8FA, 85211324 82F6BC20 7A67E43D 1434C91C1D0C91D8

Coordinate y _A0: 00 86591FC2 9D807E41 ADBDEBAA A6627071 636065FBE546BC14

Calculate elliptic curve point $P_A+\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A1},y_{A1}):$

Coordinate x _A1: 00 2CD08E7B F1BEF15C 2539CD62 2FB084C0 B3CAF5FDEE5688C6

Coordinate y _A1: 01 F31B5F04 865403A5 FD50230D 29DEFC64 9719AA5917CA08C8

Calculate $V=[h\·t_B](P_A+[{\stackrel{\‾}{x}}_1\left]R_A\right)=(x_V,y_V):$

Coordinate x _V: 00 A0CD5BAB AEBFF027 93AA433F 624025A5 65E8A33378A15E26

Coordinate y _V: 01 CEA2EBF6 CCE80178 8880A83D 922CCFAB D8345CCA15FDB0CB

Correlation in the step 17:

Calculating K _B=KDF (x _V|| y _V|| Z _A|| Z _B, klen):

x _V||y _V||Z _A||Z _B：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E2601CEA2?EBF6CCE8?01788880?A83D922C?CFABD834?5CCA15FD?B0CB7F518EAECD4B?53C39837?07E264AF?D495E633?E0EEE11E?CB9EACD9?E4DBA04575129BE6?B11DB47A?CC6AB9E6?07291270?CE6F07D8?73ECED43?5556919A02555DC3?BE84

klen＝128

Shared key K _B: 82295D33 0321D234 23A16995 7297EC80

Calculation options S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E267F518E?AECD4B53?C3983707?E264AFD4?95E633E0?EEE11ECB?9EACD9E4DBA04575?129BE6B1?1DB47ACC?6AB9E607?291270CE?6F07D873?ECED435556919A02?555DC3BE?8401543F?4E179E9C?AE08EC39?EC3A2602?3547FA1FEFD4B306?B8E4015A?E6274CE1?DD41D2D7?03DF9CE1?702F2748?EFE55C6BD2835A01?FF9CD527?28A988A8?3DCECF63?189C0EE3?6B401790?E4FEC05601861929?73ABDB5A?7B7B0C05?010D9862?3E3B4FF8?AE1A702A?AC

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：0CA189F8?E28B8E8D?30CB4C24?E61E297280E0A686?6BDB5129?961A072B?F4FFA43E

0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?01CEA2EB?F6CCE801?788880A8?3D922CCF?ABD8345C?CA15FDB0CB0CA189?F8E28B8E?8D30CB4C?24E61E29?7280E0A6?866BDB51?29961A072BF4FFA4?3E

Option S _B: 75F40322 BA2F9C44 809D8D60 5E4403E5 8CFFABCD 4F0ADA474A72A06A 0A23E9AF

Correlation in step 19～110:

Get

A6023547 FA1FEFD4 B306B8E4

Calculate

Modn:12575522 45B95F5F 6B549D1B 01ACEC39E2D2A049 AAC41A1F

Calculate ht _AModn:495D5489 16E57D7D AD52746C 06B3B0E7 8B4A8126AB10687C

Get

989C0EE3 6B401790 E4FEC056

Correlation in step 111～112:

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B0},y_{B0}):$

Coordinate x _B0: 01 B97A51CF 690E8AE1 B3FDF131 E4CC9288 6D3B7C5286E381A2

Coordinate y _B0: 00 26816833 49B6603B CB6EDB6F 3A6478FE D9B4A7FB9A252CCD

Calculate elliptic curve point $P_B+\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B1},y_{B1}):$

Coordinate x _B1: 01 87F0CA04 8AB231F2 01458A5F 062EDEA1 734B7CF328ED956E

Coordinate y _B1: 01 89882B8C 295CF7BE 1EF71FD8 744791AA C52CECD5CAF2FAD6

Calculate $U=[h\·t_A](P_B+[{\stackrel{\‾}{x}}_2\left]R_B\right)=(x_U,y_U):$

Coordinate x _U: 00 A0CD5BAB AEBFF027 93AA433F 624025A5 65E8A33378A15E26

Coordinate y _U: 01 CEA2EBF6 CCE80178 8880A83D 922CCFAB D8345CCA15FDB0CB

Correlation in the step 113:

Calculating K _A=KDF (x _U|| y _U|| Z _A|| Z _B, klen):

x _U||y _U||Z _A||Z _B：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E2601CEA2?EBF6CCE8?01788880?A83D922C?CFABD834?5CCA15FD?B0CB7F518EAECD4B?53C39837?07E264AF?D495E633?E0EEE11E?CB9EACD9?E4DBA04575129BE6?B11DB47A?CC6AB9E6?07291270?CE6F07D8?73ECED43?5556919A02555DC3?BE84

klen＝128

Shared key K _A: 82295D33 0321D234 23A16995 7297EC80

Calculation options S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E267F518E?AECD4B53?C3983707?E264AFD4?95E633E0?EEE11ECB?9EACD9E4DBA04575?129BE6B?11DB47ACC?6AB9E607?291270CE?6F07D873?ECED435556919A02?555DC3BE?8401543F?4E179E9C?AE08EC39?EC3A2602?3547FA1FEFD4B306?B8E4015A?E6274CE1?DD41D2D7?03DF9CE1?702F2748?EFE55C6BD2835A01?FF9CD527?28A988A8?3DCECF63?189C0EE3?6B401790?E4FEC05601861929?73ABDB5A?7B7B0C05?010D9862?3E3B4FF8?AE1A702A?AC

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：0CA189F8?E28B8E8D?30CB4C24?E61E297280E0A686?6BDB5129?961A072B?F4FFA43E

0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?01CEA2EB?F6CCE801?788880A8?3D922CCF?ABD8345C?CA15FDB0CB0CA189?F8E28B8E?8D30CB4C?24E61E29?7280E0A6?866BDB51?29961A072BF4FFA4?3E

Option S ₁: 75F40322 BA2F9C44 809D8D60 5E4403E5 8CFFABCD 4F0ADA474A72A06A 0A23E9AF

Calculation options S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E267F518E?AECD4B53?C3983707?E264AFD4?95E633E0?EEE11ECB?9EACD9E4DBA04575?129BE6B1?1DB47ACC?6AB9E607?291270CE?6F07D873?ECED435556919A02?555DC3BE?8401543F?4E179E9C?AE08EC39?EC3A2602?3547FA1FEFD4B306?B8E4015A?E6274CE1?DD41D2D7?03DF9CE1?702F2748?EFE55C6BD2835A01?FF9CD527?28A988A8?3DCECF63?189C0EE3?6B401790?E4FEC05601861929?73ABDB5A?7B7B0C05?010D9862?3E3B4FF8?AE1A702A?AC

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：0CA189F8?E28B8E8D?30CB4C24?E61E297280E0A686?6BDB5129?961A072B?F4FFA43E

0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?01CEA2EB?F6CCE801?788880A8?3D922CCF?ABD8345C?CA15FDB0CB0CA189?F8E28B8E?8D30CB4C?24E61E29?7280E0A6?866BDB51?29961A072BF4FFA4?3E

Option S _A: A0E6264D 1C57EE72 85CE5D1D 7A3BFB03 E4196AF6 4DE9CF5F2E972190 46DC7F17

Calculation options S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00A0CD5B?ABAEBFF0?2793AA43?3F624025?A565E8A3?3378A15E267F518E?AECD4B53?C3983707?E264AFD4?95E633E0?EEE11ECB?9EACD9E4DBA04575?129BE6B1?1DB47ACC?6AB9E607?291270CE?6F07D873?ECED435556919A02?555DC3BE?8401543F?4E179E9C?AE08EC39?EC3A2602?3547FA1FEFD4B306?B8E4015A?E6274CE1?DD41D2D7?03DF9CE1?702F2748?EFE55C6BD2835A01?FF9CD527?28A988A8?3DCECF63?189C0EE3?6B401790?E4FEC05601861929?73ABDB5A?7B7B0C05?010D9862?3E3B4FF8?AE1A702A?AC

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：0CA189F8?E28B8E8D?30CB4C24?E61E297280E0A686?6BDB5129?961A072B?F4FFA43E

0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?01CEA2EB?F6CCE801?788880A8?3D922CCF?ABD8345C?CA15FDB0CB0CA189?F8E28B8E?8D30CB4C?24E61E29?7280E0A6?866BDB51?29961A072BF4FFA4?3E

Option S ₂: A0E6264D 1C57EE72 85CE5D1D 7A3BFB03 E4196AF6 4DE9CF5F2E972190 46DC7F17

Example 4:F ₂M-257

Base field generator polynomial: x ²⁵⁷+ x ¹²+ 1

Factor alpha: 0

Coefficient b:00 E78BCD09 746C2023 78A7E72B 12BCE002 66B9627E CB0B5A25367AD1AD 4CC6242B

Cofactor h:4

Basic point G=(x _G, y _G), its rank are designated as n.

Coordinate x _G: 00 CDB9CA7F 1E6B0441 F658343F 4B10297C 0EF9B6491082400A 62E7A748 5735FADD

Coordinate y _G: 01 3DE74DA6 5951C4D7 6DC89220 D5F7777A 611B1C38BAE260B1 75951DC8 060C2B3E

Rank n:7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF BC972CF7 E6B6F900945B3C6A 0CF6161D

The private key d of user A _A: 4813903D 254F2C20 A94BC570 42384969 54BB5279F861952E F2C5298E 84D2CEAA

The PKI P of user A _A=(x _A, y _A):

Coordinate x _A: 00 8E3BDB2E 11F91933 88F1F901 CCC857BF 49CFC065 FB38B9069CAAE6D5 AFC3592F

Coordinate y _A: 00 4555122A AC0075F4 2E0A8BBD 2C0665C7 89120DF19D77B4E3 EE4712F5 98040415

The private key d of user B _B: 08F41BAE 0922F47C 212803FE 681AD52B 9BF28A35E1CD0EC2 73A2CF81 3E8FD1DC

The PKI P of user B _B=(x _B, y _B):

Coordinate x _B: 00 34297DD8 3AB14D5B 393B6712 F32B2F2E 938D4690 B095424B89DA880C 52D4A7D9

Coordinate y _B: 01 99BBF11A C95A0EA3 4BBD00CA 50B93EC2 4ACB68335D20BA5D CFE3B33B DBD2B62D

Hash Value Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A).

Z _A：ECF00802?15977B2E?5D6D61B9?8A99442F?03E8803D?C39E349F8DCA5621?A9ACDF2B

Hash Value Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B).

Z _B：557BAD30?E183559A?EEC3B225?6E1C7C11?F870D22B?165D015ACF9465B0?9B87B527

Correlation in step 11～12:

Produce random number r _A: 54A3D667 3FF3A6BD 6B02EBB 164C2A3AF 6D4A4906229D9BFC E68CC366 A2E64BA4

Calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁):

Coordinate x ₁: 01 81076543 ED19058C 38B313D7 39921D46 B80094D9 61A13673D4A5CF8C 7159E304

Coordinate y ₁: 01 D8CFFF7C A27A01A2 E88C1867 3748FDE9 A74C1F9B45646ECA 0997293C 15C34DD8

Produce random number r _B: 1F219333 87BEF781 D0A8F7FD 708C5AE0 A56EE3F423DBC2FE 5BDF6F06 8C53F7AD

Calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂):

Coordinate x ₂: 00 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FFA5F2623B 9BD04E46 8D322A2A

Coordinate y ₂: 00 16599BB5 2ED9EAFA D01CFA45 3CF3052E D60184D2EECFD42B 52DB7411 0B984C23

Correlation in step 13～14:

Get

E8CC43FF A5F2623B 9BD04E46 8D322A2A

Calculate

Modn:3D51D331 14A453A0 5791DB63 5B45F8DBC54686D7 E2212D49 E4A717C6 B10DEDB0

Calculate ht _BModn:75474CC4 52914E81 5E476D8D 6D17E36F 5882EE67A1CDBC26 FE4122B0 B741A0A3

Correlation in step 15～16:

Get

B80094D9 61A13673 D4A5CF8C 7159E304

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A0},y_{A0}):$

Coordinate x _A0: 01 98AB5F14 349B6A46 F77FBFCB DDBFCD34 320DC1F4C546D13C 3A9F0E83 0C39B579

Coordinate y _A0: 00 BFB49224 ACCE2E51 04CD4519 C0CBE3AD 0C19BF11805BE108 59069AA6 9317A2B7

Calculate elliptic curve point $P_A+\left[{\stackrel{\‾}{x}}_1\right]R_A=(x_{A1},y_{A1}):$

Coordinate x _A1: 00 24A92F64 66A37C5C 12A2C68D 58BFB0F0 32F2B97660957CB0 5E63F961 F160FE57

Coordinate y _A1: 00 F74A4F17 DC560A55 FDE0F1AB 168BCBF7 6502E240BA2D6BD6 BE6E5D79 16B288FC

Calculate $V=[h\·t_B](P_A+[{\stackrel{\‾}{x}}_1\left]R_A\right)=(x_V,y_V):$

Coordinate x _V: 00 DADD0874 06221D65 7BC3FA79 FF329BB0 22E9CB7DDFCFCCFE 277BE8CD 4AE9B954

Coordinate y _V: 01 F0464B1E 81684E5E D6EF281B 55624EF4 6CAA3B2D 37484372D91610B6 98252CC9

Correlation in the step 17:

Calculating K _B=KDF (x _V|| y _V|| Z _A|| Z _B, klen):

x _V||y _V||Z _A||Z _B：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B9?5401F046?4B1E8168?4E5ED6EF?281B5562?4EF46CAA3B2D3748?4372D916?10B69825?2CC9ECF0?08021597?7B2E5D6D?61B98A99442F03E8?803DC39E?349F8DCA?5621A9AC?DF2B557B?AD30E183?559AEEC3B2256E1C?7C11F870?D22B165D?015ACF94?65B09B87?B527

klen＝128

Shared key K _B: 4E587E5C 66634F22 D973A7D9 8BF8BE23

Calculation options S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B9?54ECF008?0215977B?2E5D6D61?B98A9944?2F03E8803DC39E34?9F8DCA56?21A9ACDF?2B557BAD?30E18355?9AEEC3B2?256E1C7C11F870D2?2B165D01?5ACF9465?B09B87B5?27018107?6543ED19?058C38B313D73992?1D46B800?94D961A1?3673D4A5?CF8C7159?E30401D8?CFFF7CA27A01A2E8?8C186737?48FDE9A7?4C1F9B45?646ECA09?97293C15?C34DD8002A4832B4?DCD399BA?AB3FFFE7?DD6CE6ED?68CC43FF?A5F2623B?9BD04E468D322A2A?0016599B?B52ED9EA?FAD01CFA?453CF305?2ED60184?D2EECFD42B52DB74?110B984C?23

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：E05FE287?B73B0CE6?639524CD?86694311?562914F4F6A34241?01D885F8?8B05369C

0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?01F0464B?1E81684E?5ED6EF28?1B55624E?F46CAA3B?2D37484372D91610?B698252C?C9E05FE2?87B73B0C?E6639524?CD866943?11562914F4F6A342?4101D885?F88B0536?9C

Option S _B: 4EB47D28 AD3906D6 244D01E0 F6AEC73B 0B51DE15 74C13798184E4833 DBAE295A

Correlation in step 19～110:

Get

B80094D9 61A13673 D4A5CF8C 7159E304

Calculate

Modn:18A1C649 B94044DF 16DC8634 993F1A4AEE3F6426 DFE14AC1 3644306A A5A94187

Calculate ht _AModn:62871926 E501137C 5B7218D2 64FC692B B8FD909B7F852B04 D910C1AA 96A5061C

Get

E8CC43FF A5F2623B 9BD04E46 8D322A2A

Correlation in step 111～112:

Calculate elliptic curve point $\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B0},y_{B0}):$

Coordinate x _B0: 01 0AA3BAC9 7786B629 22F93414 57AC64F7 2552AA15D9321677 A10C7021 33B16735

Coordinate y _B0: 00 C10837F4 8F53C46B 714BCFBF AA1AD627 11FCB03C0C25B366 BF176A2D C7B8E62E

Calculate elliptic curve point $P_B+\left[{\stackrel{\‾}{x}}_2\right]R_B=(x_{B1},y_{B1}):$

Coordinate x _B1: 00 C7A446E1 98DB4278 60C3BB50 ED2197DE B81619739141CA61,03745035 9FAD9A99

Coordinate y _B1: 00 602E5A42 17427EAB C5E3917D E81BFFA1 D806591AF949DD7C 97EF90FD 4CF0A42D

Calculate $U=[h\·t_A](P_B+[{\stackrel{\‾}{x}}_2\left]R_B\right)=(x_U,y_U):$

Coordinate x _U: 00 DADD0874 06221D65 7BC3FA79 FF329BB0 22E9CB7DDFCFCCFE 277BE8CD 4AE9B954

Coordinate y _U: 01 F0464B1E 81684E5E D6EF281B 55624EF4 6CAA3B2D37484372 D91610B6 98252CC9

Correlation in the step 113:

Calculating K _A=KDF (x _U|| y _U|| Z _A|| Z _B, klen):

x _U||y _U||Z _A||Z _B：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B95?401F046?4B1E8168?4E5ED6EF?281B5562?4EF46CAA3B2D3748?4372D916?10B69825?2CC9ECF0?08021597?7B2E5D6D?61B98A99442F03E8?803DC39E?349F8DCA?5621A9AC?DF2B557B?AD30E183?559AEEC3B2256E1C?7C11F870?D22B165D?015ACF94?65B09B87?B527

klen＝128

Shared key K _A: 4E587E5C 66634F22 D973A7D9 8BF8BE23

Calculation options S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B9?54ECF008?0215977B?2E5D6D61?B98A9944?2F03E8803DC39E34?9F8DCA56?21A9ACDF?2B557BAD?30E18355?9AEEC3B2?256E1C7C11F870D2?2B165D01?5ACF9465?B09B87B5?27018107?6543ED19?058C38B313D73992?1D46B800?94D961A1?3673D4A5?CF8C7159?E30401D8?CFFF7CA27A01A2E8?8C186737?48FDE9A7?4C1F9B45?646ECA09?97293C15?C34DD8002A4832B4?DCD399BA?AB3FFFE7?DD6CE6ED?68CC43FF?A5F2623B?9BD04E468D322A2A?0016599B?B52ED9EA?FAD01CFA?453CF305?2ED60184?D2EECFD42B52DB74?110B984C?23

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：E05FE287?B73B0CE6?639524CD?86694311?562914F4F6A34241?01D885F8?8B05369C

0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

02?01F0464B?1E81684E?5ED6EF28?1B55624E?F46CAA3B?2D37484372D91610?B698252C?C9E05FE2?87B73B0C?E6639524?CD866943?11562914F4F6A342?4101D885?F88B0536?9C

Option S ₁: 4EB47D28 AD3906D6 244D01E0 F6AEC73B 0B51DE15 74C13798184F4833 DBAE295A

Calculation options S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B9?54ECF008?0215977B?2E5D6D61?B98A9944?2F03E8803DC39E34?9F8DCA56?21A9ACDF?2B557BAD?30E18355?9AEEC3B2?256E1C7C11F870D2?2B165D01?5ACF9465?B09B87B5?27018107?6543ED19?058C38B313D73992?1D46B800?94D961A1?3673D4A5?CF8C7159?E30401D8?CFFF7CA27A01A2E8?8C186737?48FDE9A7?4C1F9B45?646ECA09?97293C15?C34DD8002A4832B4?DCD399BA?AB3FFFE7?DD6CE6ED?68CC43FF?A5F2623B?9BD04E468D322A2A?0016599B?B52ED9EA?FAD01CFA?453CF305?2ED60184?D2EECFD42B52DB74?110B984C?23

H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：E05FE287?B73B0CE6?639524CD?86694311?562914F4F6A34241?01D885F8?8B05369C

0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?01F0464B?1E81684E?5ED6EF28?1B55624E?F46CAA3B?2D37484372D91610?B698252C?C9E05FE?287B73B0C?E6639524?CD866943?11562914F4F6A342?4101D885?F88B0536?9C

Option S _A: 588AA670 64F24DC2 7CCAA1FA B7E27DFF 811D500A D7EF2FB8F69DDF48 CC0FECB7

Calculation options S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)):

x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂：

00DADD08?7406221D?657BC3FA?79FF329B?B022E9CB?7DDFCFCCFE277BE8?CD4AE9B9?54ECF008?0215977B?2E5D6D61?B98A9944?2F03E8803DC39E34?9F8DCA56?21A9ACDF?2B557BAD?30E18355?9AEEC3B2?256E1C7C11F870D2?2B165D01?5ACF9465?B09B87B5?27018107?6543ED19?058C38B313D73992?1D46B800?94D961A1?3673D4A5?CF8C7159?E30401D8?CFFF7CA27A01A2E8?8C186737?48FDE9A7?4C1F9B45?646ECA09?97293C15?C34DD8002A4832B4?DCD399BA?AB3FFFE7?DD6CE6ED?68CC43FF?A5F2623B?9BD04E468D322A2A?0016599B?B52ED9EA?FAD01CFA?453CF305?2ED60184?D2EECFD42B52DB74?110B984C?23

H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：E05FE287?B73B0CE6?639524CD?86694311?562914F4F6A34241?01D885F8?8B05369C

0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)：

03?01F0464B?1E81684E?5ED6EF28?1B55624E?F46CAA3B?2D37484372D91610?B698252C?C9E05FE2?87B73B0C?E6639524?CD866943?11562914F4F6A342?4101D885?F88B0536?9C

Option S ₂: 588AA670 64F24DC2 7CCAA1FA B7E27DFF 811D500A D7EF2FB8F69DDF48 CC0FECB7

In a word, adopt technical scheme of the present invention, can improve preferably fail safe.

The above only is preferred embodiment of the present invention, and is in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of making, is equal to replacement, improvement etc., all should be included within the scope of protection of the invention.

Claims (6)

1. key exchange method based on elliptic curve is characterized in that the method comprises:

A, communicating pair pre-determine an elliptic curve;

B, produce random number r as communication initiator's user A _A∈ [1, n-1], and calculate elliptic curve point R _A=[r _A] G=(x ₁, y ₁), with described R _ASend to the user B as communication response side; Wherein, described G represents the basic point of elliptic curve, and described n represents the rank of G, described [r _A] G represents to calculate the r of G _ATimes point, described (x ₁, y ₁) denotation coordination;

C, user B produce random number r _B∈ [1, n-1], and calculate elliptic curve point R _B=[r _B] G=(x ₂, y ₂), described (x ₂, y ₂) denotation coordination;

From described R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Described Be x ₂Function with n;

Calculate Wherein, described d _BThe private key of expression user B, described mod represents modular arithmetic;

The R that checking receives _AWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from described R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate

Described

Be x ₁Function with n;

Calculate elliptic curve point

Wherein, described h represents cofactor, h=#E (F _q)/n, described F _qExpression comprises the finite field of q element, described E (F _q) representative domain F _qThe set that all rational points of middle elliptic curve form, described #E (F _q) number of element in the expression set, described P _AThe PKI of expression user A, described (x _V, y _V) denotation coordination;

Determine whether described V is infinite point, if so, process ends then, otherwise, with x _VAnd y _VData type conversion be Bit String, and computation key K _B=KDF (x _V, y _V, Z _A, Z _B, klen); Wherein, described KDF represents cipher key derivation function, and described klen represents the length of cipher key derivation function output data, described Z _AThe Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user A of user A calculates, described Z _BIt is the Hash Value that the PKI by the sign distinguished, elliptic curve equation parameter and the user B of user B calculates;

With described R _BSend to user A;

D, user A are from described R _AMiddle taking-up field element x ₁, be integer form with its data type conversion, and calculate successively

With

Described d _AThe private key of expression user A;

The R that checking receives _BWhether satisfy the elliptic curve equation, if do not satisfy, process ends then, otherwise, from described R _BMiddle taking-up field element x ₂, be integer form with its data type conversion, and calculate

Calculate elliptic curve point

Wherein, described P _BThe PKI of expression user B, described (x _U, y _U) denotation coordination;

Determine whether described U is infinite point, if so, process ends then, otherwise, with x _UAnd y _UData type conversion be the Bit String form, and computation key K _A=KDF (x _U, y _U, Z _A, Z _B, klen);

Wherein, described calculating

Comprise: described

Wherein, described Described

Expression top function, Suo Shu ﹠amp; Bit and computing are pressed in expression;

Described calculating Comprise: described

2. the key exchange method based on elliptic curve according to claim 1 is characterized in that, described is that integer form comprises with data type conversion:

Suppose that field element to be converted is α, the result after the conversion is integer x;

If q is odd prime, then x=α;

If q=2 ^m, then described α is that length is the Bit String of m, establishes s _M-1, s _M-2..., s ₀Represent successively each bit from left to right in the Bit String, then

3. the key exchange method based on elliptic curve according to claim 1 is characterized in that, described is that the Bit String form comprises with data type conversion:

Suppose that field element to be converted is α, the result after the conversion is Bit String s;

If q=2 ^m, s=α then;

If q is odd prime, then described α is the integer in interval [0, q-1], at first described α is converted to the byte serial S that length is l,

Simultaneously, l need to satisfy 2 ^8l＞α establishes M _L-1, M _L-2..., M ₀Represent successively each byte from left to right among the byte serial S, then need to satisfy

Obtaining length is the Bit String s of m, m=8l, s _M-1, s _M-2..., s ₀Represent successively each bit from left to right among the Bit String s, s _iBe M _jI-8j+1 bit from right to left, wherein

Described Expression end function.

4. the key exchange method based on elliptic curve according to claim 1 is characterized in that, the account form of described cipher key derivation function comprises:

If the expression mode of cipher key derivation function is KDF (x, y, Z _A, Z _B, klen);

Counter ct=0x00000001 who is consisted of by 32 bits of initialization;

For value be followed successively by from 1 to

I, calculate respectively Ha _i=H _v(x||y||Z _A|| Z _B|| ct), the value of i whenever adds 1, and the value of described ct also needs to add 1; Described H _vThe length of expression output data is the hash function of v, and described klen is less than (2 ³²-1) v; Described || the expression splicing;

Determine whether klen/v is integer, if so, then order

Otherwise, order

Equal

In from the left side

Individual bit;

Will

As KDF (x, y, Z _A, Z _B, Output rusults klen).

5. the key exchange method based on elliptic curve according to claim 1 is characterized in that, described Z _AAccount form comprise:

Z _A=H ₂₅₆(ENTL _A|| ID _A|| a||b||x _G|| y _G|| x _A|| y _A); Wherein, described ID _AThe sign distinguished of expression user A is the ASCII coding form, described ENTL _AExpression ID _ALength, represent that with two bytes described a and b represent the elliptic curve equation parameter, all be converted to the Bit String form, described x _GAnd y _GThe coordinate of expression basic point G all is converted to the Bit String form, described x _AAnd y _AThe coordinate of the PKI of expression user A all is converted to the Bit String form, described H ₂₅₆The length of expression output data is 256 hash function;

Described Z _BAccount form comprise:

Z _B=H ₂₅₆(ENTL _B|| ID _B|| a||b||x _G|| y _G|| x _B|| y _B); Wherein, described ID _BThe sign distinguished of expression user B is the ASCII coding form, described ENTL _BExpression ID _BLength, represent described x with two bytes _BAnd y _BThe coordinate of the PKI of expression user B all is converted to the Bit String form.

6. each described key exchange method based on elliptic curve is characterized in that according to claim 1～5, and described user B calculates K _BAfterwards, further comprise:

User B calculation options S _B=H (0x02||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), described x _V, y _V, x ₁, y ₁, x ₂And y ₂All be converted to the Bit String form; Described || the expression splicing;

User B is with described S _BSend to user A;

User A calculation options S ₁=H (0x02||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), described x _U, y _U, x ₁, y ₁, x ₂And y ₂All be converted to the Bit String form; And checking S ₁=S _BWhether set up, if so, then think authentification failure from user B to user A, process ends, otherwise, calculation options S _A=H (0x03||y _U|| H (x _U|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), and send to user B;

User B calculation options S ₂=H (0x03||y _V|| H (x _V|| Z _A|| Z _B|| x ₁|| y ₁|| x ₂|| y ₂)), and checking S ₂=S _AWhether set up, if so, then think authentification failure from user A to user B, process ends;

Wherein, H () expression hash function.