CN102761412A - P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system - Google Patents


Info

Publication number
CN102761412A
Authority
CN
China
Prior art keywords
submodule
bit string
module
value
point doubling
Legal status
Pending
Application number
CN2011101075707A
Other languages
Chinese (zh)
Inventor
徐树民
屈善新
刘振
王绍麟
田心
刘建巍
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp
Application filed by Aisino Corp
Priority to CN2011101075707A
Publication of CN102761412A

Abstract

The invention relates to a prime-field SM2 elliptic curve public key encryption system, decryption system and encryption-decryption hybrid system. The system comprises an encrypting-party control center, which performs the decisions, bit string concatenation, cryptographic hashing and data exchange with the other modules and thereby controls their working sequence; a random number generation module, which generates a random number; a point multiplication module, which performs scalar point multiplication (rendered "point doubling" in the machine translation of this page); and a key derivation module, which performs the key derivation function. All modules are implemented in hardware, so the system can implement the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm in hardware.

Description

Prime-field SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system
Technical field
The present invention relates to the field of information security technology, and in particular to a prime-field SM2 elliptic curve public key encryption system, decryption system and encryption-decryption hybrid system.
Background technology
With the development of communication and information processing technology, the security of information in transit receives more and more attention, and information processing techniques are needed to guarantee that information is not eavesdropped on, tampered with or copied during communication. Cryptographic techniques meet this requirement.
Since Diffie and Hellman proposed the notion of the public-key cryptosystem in 1976, three classes of public-key cryptosystems have appeared that are generally acknowledged to be secure and efficient. The mathematical problems they rely on are the integer factorization problem (IFP), the discrete logarithm problem (DLP) and the elliptic curve discrete logarithm problem (ECDLP), and the corresponding algorithms are RSA, the DSA digital signature algorithm and elliptic curve cryptography (ECC). All three guarantee the security of the key on the basis of the computational complexity of an NPC problem (Non-deterministic Polynomial Complete problem). Compared with the other two algorithms, ECC offers higher security, less computation, faster processing, smaller key sizes and lower bandwidth requirements at the same security level, so the ECC system has broader application prospects.
The SM2 elliptic curve public key cryptographic algorithm is an ECC algorithm issued by the State Cryptography Administration of China, and its public key encryption algorithm is an important part of it. It is suitable for encrypting and decrypting messages in commercial cryptographic applications: the encrypting party encrypts the message with the public key of the decrypting party, and the decrypting party decrypts with the corresponding private key to obtain the message. However, what the State Cryptography Administration has published is only the flow of the public key encryption algorithm of SM2; so far no hardware device implementing it has appeared, which makes this excellent algorithm hard to put into practical use.
Summary of the invention
The technical problem to be solved by the present invention is to provide a prime-field SM2 elliptic curve public key encryption system, decryption system and encryption-decryption hybrid system that can implement the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm in hardware.
The technical scheme by which the present invention solves the above technical problem is as follows. A prime-field SM2 elliptic curve public key encryption system, where the elliptic curve has base point G, cofactor h and order n, and the public key is PB, comprises an encrypting-party control center, a random number generation module, a point multiplication module and a key derivation module, wherein:
The encrypting-party control center is used to: receive the message M to be encrypted, of length klen bits; send the random number k and the point G to the point multiplication module as a set of point multiplication data and receive the coordinates (x1, y1) of the returned point C1; convert the point C1 into the bit string C1; send the cofactor h and the point PB to the point multiplication module as a set of point multiplication data and receive the coordinates of the returned point S; judge whether S is the point at infinity and, if so, output a message that this encryption has ended in failure; send the random number k and the point PB to the point multiplication module as a set of point multiplication data and receive the coordinates (x2, y2) of the returned point; concatenate x2 and y2 into the bit string x2 ∥ y2; send the scalar klen and the bit string x2 ∥ y2 to the key derivation module as a set of key derivation data and receive the bit string t it returns; judge whether t is the all-zero bit string and, if so, notify the random number generation module to regenerate the random number k, otherwise XOR M and t bitwise to obtain the bit string C2; compute the cryptographic hash of the bit string x2 ∥ M ∥ y2 formed by concatenating x2, M and y2 to generate the hash value C3; and concatenate the bit strings C1, C2 and C3 into the new bit string C1 ∥ C2 ∥ C3 and output it as the ciphertext C;
The random number generation module is used to generate a random number k between 1 and (n-1) and send it to the encrypting-party control center;
The point multiplication module is used to perform scalar multiplication of the point in the point multiplication data by the scalar in that data, and return the result to the encrypting-party control center;
The key derivation module is used to perform the key derivation operation on the bit string in the key derivation data and return to the encrypting-party control center a bit string whose length is the scalar in the key derivation data.
The beneficial effects of the invention are as follows. Because the encrypting-party control center controls the working sequence of the random number generation module, the point multiplication module and the key derivation module by exchanging data with them, and itself performs the decisions, bit string concatenation and cryptographic hash operations, the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm can be realized. Moreover, the encrypting-party control center, the random number generation module, the point multiplication module and the key derivation module can all be realized in hardware, so the present invention can implement the public key encryption algorithm of SM2 in hardware.
On the basis of the above technical scheme, the present invention can also be improved as follows:
Further, the encrypting-party control center comprises an encrypting-party control submodule and a cryptographic hash submodule, wherein:
The encrypting-party control submodule is used to send the bit string x2 ∥ M ∥ y2, formed by concatenating x2, M and y2, together with the scalar v to the cryptographic hash submodule as a set of hash data, and receive the hash value C3 it returns;
The cryptographic hash submodule is used to compute the cryptographic hash of the bit string in the hash data and return to the encrypting-party control submodule a hash value whose length is the scalar in the hash data.
Further, the point multiplication module comprises a point multiplication control submodule, a projective-coordinate point doubling submodule, a domain conversion submodule, a Montgomery-domain multiplication submodule, a finite-field inversion submodule and a projective-coordinate point addition submodule, wherein:
The point multiplication control submodule is used to: receive any set of point multiplication data consisting of a scalar f and a point D; convert the coordinates (xd, yd) of D in the affine coordinate system into the coordinates (xd2, yd2, 1) of D in the projective coordinate system and send xd2, yd2 and 1 to the domain conversion submodule; send the returned (xd3, yd3, zd3) to the projective-coordinate point addition submodule and take it as the initial value of the Montgomery-domain coordinates (xd1, yd1, zd1) of [f]D, where [f]D is the result of multiplying D by the scalar f; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial current bit; starting from the second-highest bit of the binary representation of f and moving down one bit at a time until the lowest bit, with that bit as the current bit, perform (L-1) iterations; send zd1 from the resulting coordinates (xd1, yd1, zd1) of the (L-1) iterations to the Montgomery-domain multiplication submodule; send the finite-field value of zd1 to the finite-field inversion submodule; send the finite-field value of zd1^-1 to the domain conversion submodule; send xd1 and yd1 from the resulting coordinates (xd1, yd1, zd1) of the (L-1) iterations, together with the Montgomery-domain value of zd1^-1, to the Montgomery-domain multiplication submodule; send 1 and the affine value of xd1, and 1 and the affine value of yd1, respectively, to the Montgomery-domain multiplication submodule; and output the coordinates (xd1, yd1) formed from the finite-field values of xd1 and yd1 as the result of the operation [f]D; where one iteration comprises: sending the current value of the coordinates (xd1, yd1, zd1) to the projective-coordinate point doubling submodule and, when the current bit of f is binary 1, sending the output coordinates returned by the projective-coordinate point doubling submodule to the projective-coordinate point addition submodule;
The projective-coordinate point doubling submodule is used to perform point doubling on the input coordinates and return the result to the point multiplication control submodule as the output coordinates;
The domain conversion submodule is used to convert the finite-field values xd2, yd2, 1 into their respective Montgomery-domain values xd3, yd3, zd3 and return them to the point multiplication control submodule, and to convert the finite-field value of zd1^-1 into its Montgomery-domain value and return it to the point multiplication control submodule;
The Montgomery-domain multiplication submodule is used to: perform a Montgomery-domain multiplication of the Montgomery-domain value of zd1 by 1 and send the resulting finite-field value of zd1 to the point multiplication control submodule; perform Montgomery-domain multiplications of the Montgomery-domain values of xd1 and zd1^-1, and of yd1 and zd1^-1, respectively, and return the resulting affine values of xd1 and yd1 to the point multiplication control submodule; and perform Montgomery-domain multiplications of the affine values of xd1 and yd1 by 1, respectively, and return the resulting finite-field values of xd1 and yd1 to the point multiplication control submodule;
The finite-field inversion submodule is used to invert the finite-field value of zd1 and send the resulting finite-field value of zd1^-1 to the point multiplication control submodule;
The projective-coordinate point addition submodule is used to perform point addition of the input coordinates and (xd3, yd3, zd3) and send the result to the point multiplication control submodule.
Further, the key derivation module comprises a key derivation control submodule and a cryptographic hash submodule that outputs a hash value of v bits, wherein:
The key derivation control submodule is used to: receive any set of key derivation data consisting of a scalar klen and a bit string ZZ; set the initial value of the 32-bit counter variable ct to the hexadecimal 00000001; determine ⌈klen/v⌉, the smallest positive integer greater than or equal to klen/v; with the loop variable i incremented from 1 to ⌈klen/v⌉ in steps of 1, perform ⌈klen/v⌉ cryptographic hash operations; if klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, and if klen/v is not an integer, set Ha!_⌈klen/v⌉ to the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉ (the bit count survives only as an image in the original; this is the count that makes the final output exactly klen bits long), where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; concatenate Ha_i for i from 1 to (⌈klen/v⌉ − 1) followed by Ha!_⌈klen/v⌉ in order, and output the resulting bit string, of length klen bits, as the result of the key derivation operation on ZZ; where one cryptographic hash operation comprises: concatenating ZZ and the current value of ct into the bit string ZZ ∥ ct; sending ZZ ∥ ct and the scalar v to the cryptographic hash submodule as a set of hash data; assigning the H_v(ZZ ∥ ct) returned by the cryptographic hash submodule to Ha_i; and increasing the value of ct by hexadecimal 00000001;
The cryptographic hash submodule is used to compute the cryptographic hash of the bit string ZZ ∥ ct in the received hash data and return to the key derivation control submodule the hash value H_v(ZZ ∥ ct), whose length is the scalar v bits in the hash data.
The present invention also provides a prime-field SM2 elliptic curve public key decryption system, where the elliptic curve has base point G, cofactor h and order n, and the private key is dB. This system comprises a decrypting-party control center, a point multiplication module and a key derivation module, wherein:
The decrypting-party control center is used to: receive the ciphertext C' to be decrypted, in the form of the bit string C1' ∥ C2' ∥ C3' formed by concatenating C1', C2' and C3', where the bit string C2' has length klen bits; take the bit string C1' out of C' and convert it into the point C1'; judge whether the coordinates of the point C1' satisfy the equation of the elliptic curve and, if so, send the cofactor h and the point C1' to the point multiplication module as a set of point multiplication data and receive the coordinates of the returned point S'; judge whether S' is the point at infinity and, if not, send the private key dB and the point C1' to the point multiplication module as a set of point multiplication data and receive the coordinates (x2', y2') of the returned point; send the bit string x2' ∥ y2' formed by concatenating x2' and y2', together with the scalar klen, to the key derivation module as a set of key derivation data and receive the bit string t' it returns; judge whether t' is the all-zero bit string and, if not, take the bit string C2' out of C'; XOR C2' and t' bitwise to obtain the bit string M'; compute the cryptographic hash of the bit string x2' ∥ M' ∥ y2' to obtain the hash value u; take the bit string C3' out of C'; judge whether u equals C3' and, if so, output M' as the plaintext corresponding to C'; and, when any of the following occurs, output a message that decryption has ended in failure: the coordinates of the point C1' do not satisfy the equation of the elliptic curve, S' is the point at infinity, t' is the all-zero bit string, or u is not equal to C3';
The point multiplication module is used to perform scalar multiplication of the point in the point multiplication data by the scalar in that data, and return the result to the decrypting-party control center;
The key derivation module is used to perform the key derivation operation on the bit string in the key derivation data and return to the decrypting-party control center a bit string whose length is the scalar in the key derivation data.
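The encryption and decryption flows above together with the key derivation function, as an added example that is not the patent's code: Python functions for the encrypting-party and decrypting-party control centers, which return a failure result under exactly the conditions the page lists. Assumptions not on the page: the SM2 recommended curve of GM/T 0003.5; SHA-256 (v = 256) standing in for the unnamed v-bit hash (the SM2 standard uses SM3, which hashlib does not always provide); x ∥ y as the bit string form of a point; whole-byte messages; and plain affine double-and-add for scalar multiplication instead of the hardware data path.

```python
# Added example, not the patent's code. Assumed: SM2 recommended curve (GM/T 0003.5),
# SHA-256 as the v-bit hash, points serialised as x || y, byte-aligned messages.
import hashlib
import hmac
import secrets

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H_COFACTOR = 1   # cofactor h of the SM2 recommended curve
V = 256          # hash output length v in bits (SHA-256 stand-in)

def hash_v(data):
    return hashlib.sha256(data).digest()

def ec_add(p1, p2):
    """Affine point addition (doubling when p1 == p2); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """[k]pt by left-to-right double-and-add (not the Montgomery/projective path)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc

def point_to_bits(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def kdf(zz, klen):
    """Key derivation: Ha_i = H_v(ZZ || ct), ct = 00000001, 00000002, ... for
    ceil(klen/v) rounds; the concatenation is cut to klen bits (klen - v*floor(klen/v)
    bits of the last block survive)."""
    nblocks = -(-klen // V)
    out = b"".join(hash_v(zz + ct.to_bytes(4, "big")) for ct in range(1, nblocks + 1))
    return out[: klen // 8]   # messages are whole bytes, so klen is a multiple of 8

def keygen():
    """Constructed demo key pair: private dB in [1, n-1], public PB = [dB]G."""
    db = secrets.randbelow(N - 1) + 1
    return db, ec_mul(db, G)

def encrypt(pb, msg):
    """Encrypting-party flow: C = C1 || C2 || C3, or None if S = [h]PB is infinity."""
    klen = 8 * len(msg)
    if klen == 0 or ec_mul(H_COFACTOR, pb) is None:
        return None
    while True:
        k = secrets.randbelow(N - 1) + 1          # random k in [1, n-1]
        c1 = point_to_bits(ec_mul(k, G))          # C1 = [k]G as a bit string
        x2, y2 = ec_mul(k, pb)                    # (x2, y2) = [k]PB
        x2b, y2b = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
        t = kdf(x2b + y2b, klen)
        if any(t):                                # all-zero t: regenerate k
            break
    c2 = bytes(m ^ tt for m, tt in zip(msg, t))   # C2 = M xor t
    c3 = hash_v(x2b + msg + y2b)                  # C3 = Hash(x2 || M || y2)
    return c1 + c2 + c3

def decrypt(db, c):
    """Decrypting-party flow: M', or None for any of the listed failure conditions."""
    klen = 8 * (len(c) - 64 - V // 8)
    if klen <= 0:
        return None
    c1 = (int.from_bytes(c[:32], "big"), int.from_bytes(c[32:64], "big"))
    x1, y1 = c1
    if (y1 * y1 - (x1 * x1 * x1 + A * x1 + B)) % P != 0:   # C1' must lie on the curve
        return None
    if ec_mul(H_COFACTOR, c1) is None:                     # S' = [h]C1' not infinity
        return None
    pt = ec_mul(db, c1)                                    # (x2', y2') = [dB]C1'
    if pt is None:
        return None
    x2b, y2b = pt[0].to_bytes(32, "big"), pt[1].to_bytes(32, "big")
    t = kdf(x2b + y2b, klen)
    if not any(t):                                         # t' all zero
        return None
    c2, c3 = c[64:64 + klen // 8], c[64 + klen // 8:]
    m = bytes(a ^ b for a, b in zip(c2, t))                # M' = C2' xor t'
    u = hash_v(x2b + m + y2b)
    if not hmac.compare_digest(u, c3):                     # u must equal C3'
        return None
    return m
```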
Further, the decrypting-party control center comprises a decrypting-party control submodule and a cryptographic hash submodule, wherein:
The decrypting-party control submodule is used to send the bit string x2' ∥ M' ∥ y2', formed by concatenating x2', M' and y2', together with the scalar v to the cryptographic hash submodule as a set of hash data, and receive the hash value u it returns;
The cryptographic hash submodule is used to compute the cryptographic hash of the bit string x2' ∥ M' ∥ y2' in the hash data and return to the decrypting-party control submodule the hash value u, whose length is the scalar v bits in the hash data.
Further, the point multiplication module of the decryption system comprises a point multiplication control submodule, a projective-coordinate point doubling submodule, a domain conversion submodule, a Montgomery-domain multiplication submodule, a finite-field inversion submodule and a projective-coordinate point addition submodule, each with the same function as described above for the point multiplication module of the encryption system.
Further, the key derivation module of the decryption system comprises a key derivation control submodule and a cryptographic hash submodule that outputs a hash value of v bits, each with the same function as described above for the key derivation module of the encryption system.
The present invention also provides a prime-field SM2 elliptic curve public key encryption-decryption hybrid system, where the elliptic curve has base point G, cofactor h and order n, the public key is PB and the private key is dB. This system comprises an upper-layer multiplexer module, an encrypting-party control center, a decrypting-party control center, a random number generation module, a point multiplication module and a key derivation module, wherein:
The upper-layer multiplexer module is the data forwarding module between the encrypting-party control center and the point multiplication module and key derivation module, and between the decrypting-party control center and the point multiplication module and key derivation module;
The encrypting-party control center is used to: receive the message M to be encrypted, of length klen bits; send the random number k and the point G through the upper-layer multiplexer module to the point multiplication module as a set of point multiplication data and receive through the upper-layer multiplexer module the coordinates (x1, y1) of the returned point C1; convert the point C1 into the bit string C1; send the cofactor h and the point PB through the upper-layer multiplexer module to the point multiplication module as a set of point multiplication data and receive through the upper-layer multiplexer module the coordinates of the returned point S; judge whether S is the point at infinity and, if so, output a message that this encryption has ended in failure; send the random number k and the point PB through the upper-layer multiplexer module to the point multiplication module as a set of point multiplication data and receive through the upper-layer multiplexer module the coordinates (x2, y2) of the returned point; concatenate x2 and y2 into the bit string x2 ∥ y2; send the scalar klen and the bit string x2 ∥ y2 through the upper-layer multiplexer module to the key derivation module as a set of key derivation data and receive through the upper-layer multiplexer module the bit string t it returns; judge whether t is the all-zero bit string and, if so, notify the random number generation module to regenerate the random number k, otherwise XOR M and t bitwise to obtain the bit string C2; compute the cryptographic hash of the bit string x2 ∥ M ∥ y2 formed by concatenating x2, M and y2 to generate the hash value C3; and concatenate the bit strings C1, C2 and C3 into the new bit string C1 ∥ C2 ∥ C3 and output it as the ciphertext C;
The decrypting-party control center is used to: receive the ciphertext C' to be decrypted, in the form of the bit string C1' ∥ C2' ∥ C3' formed by concatenating C1', C2' and C3', where the bit string C1' corresponds to the bit string C1, the bit string C2' corresponds to the bit string C2 and has length klen bits, and the bit string C3' corresponds to the bit string C3; take the bit string C1' out of C' and convert it into the point C1'; judge whether the coordinates of the point C1' satisfy the equation of the elliptic curve and, if so, send the cofactor h and the point C1' through the upper-layer multiplexer module to the point multiplication module as a set of point multiplication data and receive through the upper-layer multiplexer module the coordinates of the returned point S'; judge whether S' is the point at infinity and, if not, send the private key dB and the point C1' through the upper-layer multiplexer module to the point multiplication module as a set of point multiplication data and receive through the upper-layer multiplexer module the coordinates (x2', y2') of the returned point; send the bit string x2' ∥ y2' formed by concatenating x2' and y2', together with the scalar klen, through the upper-layer multiplexer module to the key derivation module as a set of key derivation data and receive through the upper-layer multiplexer module the bit string t' it returns; judge whether t' is the all-zero bit string and, if not, take the bit string C2' out of C'; XOR C2' and t' bitwise to obtain the bit string M'; compute the cryptographic hash of the bit string x2' ∥ M' ∥ y2' to obtain the hash value u; take the bit string C3' out of C'; judge whether u equals C3' and, if so, output M' as the plaintext corresponding to C'; and, when any of the following occurs, output a message that decryption has ended in failure: the coordinates of the point C1' do not satisfy the equation of the elliptic curve, S' is the point at infinity, t' is the all-zero bit string, or u is not equal to C3';
The random number generation module is used to generate a random number k between 1 and (n-1) and send it to the encrypting-party control center;
The point multiplication module is used to perform scalar multiplication of the point in the point multiplication data by the scalar in that data, and return the result through the upper-layer multiplexer module to the encrypting-party control center or the decrypting-party control center;
The key derivation module is used to perform the key derivation operation on the bit string in the key derivation data and return through the upper-layer multiplexer module to the encrypting-party control center or the decrypting-party control center a bit string whose length is the scalar in the key derivation data.
In addition, the present invention also provides the first territory of a kind of p SM2 curve public key encryption and decryption hybrid system, and said elliptic curve has basic G, cofactor h, rank n; PKI is PB, and private key is dB; It is characterized in that this system comprises: upper strata final election module, lower floor's final election module, encryption side's control submodule, deciphering side control submodule, random number generation module, point doubling control submodule, key derivation control submodule, projective system two point doubling submodules, territory are changed invert submodule, projection mooring points of submodule, territory, Montgomery multiplication submodule, finite field and are added submodule, export the cryptographic hash submodule of the Hash Value of v bit; Wherein,
Said upper strata final election module is that said encryption side control submodule and said point doubling control submodule, key derivation are controlled between the submodule, and said deciphering side controls submodule and said point doubling is controlled the data forwarding module between submodule, the key derivation control submodule;
Said lower floor final election module is between said encryption side control submodule and the said cryptographic hash submodule; Between said deciphering side control submodule and the said cryptographic hash submodule; Said point doubling control submodule and said territory conversion submodule, territory, Montgomery multiplication submodule, finite field are inverted between the submodule, and the data forwarding module between said key derivation control submodule and the said cryptographic hash submodule;
Said encryption-side control submodule is used for: receiving a message M to be encrypted whose length is klen bits; sending the random number k and the point G, as one set of point doubling data, to said point doubling control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the coordinates (x1, y1) of the returned point C1; converting the point C1 into a bit string C1; sending the cofactor h and the point PB, as one set of point doubling data, to said point doubling control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the coordinates of the returned point S; judging whether S is the point at infinity and, if it is, outputting a message that this encryption has ended in failure; sending the random number k and the point PB, as one set of point doubling data, to said point doubling control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the coordinates (x2, y2) of the returned point; concatenating x2 and y2 into the bit string x2-y2; sending the scalar klen and the bit string x2-y2, as one set of key derivation data, to said key derivation control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the returned bit string t; judging whether t is an all-zero bit string and, if it is, notifying said random number generation module to generate a new random number k, and if it is not, computing the bitwise XOR of M and t to obtain the bit string C2; sending the bit string x2-M-y2 formed by concatenating x2, M and y2, together with the scalar v, as one set of cryptographic hash data to said cryptographic hash submodule through said lower-layer selector module, and receiving through said lower-layer selector module the returned hash value C3; and concatenating the bit strings C1, C2 and C3 into the new bit string C1-C2-C3 and outputting it as the ciphertext C;
Said decryption-side control submodule is used for: receiving a ciphertext C' to be decrypted, in the form of a bit string C1'-C2'-C3' formed by concatenating C1', C2' and C3', where the bit string C1' corresponds to said bit string C1, the bit string C2' corresponds to said bit string C2 and has a length of klen bits, and the bit string C3' corresponds to said bit string C3; taking the bit string C1' out of C' and converting it into a point C1'; judging whether the coordinates of the point C1' satisfy the equation of said elliptic curve; if they do, sending the cofactor h and the point C1', as one set of point doubling data, to said point doubling control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the coordinates of the returned point S'; judging whether S' is the point at infinity; if it is not, sending the private key dB and the point C1', as one set of point doubling data, to said point doubling control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the coordinates (x2', y2') of the returned point; sending the bit string x2'-y2' formed by concatenating x2' and y2', together with the scalar klen, as one set of key derivation data to said key derivation control submodule through said upper-layer selector module, and receiving through said upper-layer selector module the returned bit string t'; judging whether t' is an all-zero bit string; if it is not, taking the bit string C2' out of C' and computing the bitwise XOR of C2' and t' to obtain the bit string M'; sending the bit string x2'-M'-y2' formed by concatenating x2', M' and y2', together with the scalar v, as one set of cryptographic hash data to said cryptographic hash submodule through said lower-layer selector module, and receiving through said lower-layer selector module the returned hash value u; taking the bit string C3' out of C' and judging whether u equals C3', and if it does, outputting M' as the plaintext corresponding to C'; and outputting a message that the decryption has ended in failure whenever any of the following occurs: the coordinates of the point C1' do not satisfy the equation of said elliptic curve, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3';
Said random number generation module is used for generating a random number k in the range 1 to (n-1) inclusive and sending it to said encryption-side control submodule;
Said point doubling control submodule is used for: receiving any set of point doubling data consisting of a scalar f and a point D; converting the coordinates (xd, yd) of D in the affine coordinate system into the coordinates (xd2, yd2, 1) of D in the projective coordinate system, and sending xd2, yd2 and 1 to said domain conversion submodule through said lower-layer selector module; sending (xd3, yd3, zd3) to said projective-coordinate point addition submodule and taking it as the initial value of the coordinates (xd1, yd1, zd1) of [f]D in the Montgomery domain, where [f]D is the result of the f-fold point multiplication of D; determining the binary bit length L of f; taking the second-highest bit of the binary form of f as the initial value of its current bit and, starting from the second-highest bit of the binary form of f and moving down one bit at a time until the lowest bit is the current bit, performing (L-1) iterations; sending zd1 of the resulting coordinates (xd1, yd1, zd1) of said (L-1) iterations to said Montgomery domain multiplication submodule through said lower-layer selector module; sending the value of zd1 in the finite field to said finite field inversion submodule through said lower-layer selector module; sending the value of zd1^-1 in the finite field to said domain conversion submodule through said lower-layer selector module; sending xd1 and yd1 of the resulting coordinates (xd1, yd1, zd1) of said (L-1) iterations, together with the value of zd1^-1 in the Montgomery domain, to said Montgomery domain multiplication submodule through said lower-layer selector module; sending 1 together with the value of xd1 in the affine coordinate system (that is, xd1 multiplied by zd1^-1, still in the Montgomery domain), and 1 together with the value of yd1 in the affine coordinate system, respectively, to said Montgomery domain multiplication submodule through said lower-layer selector module; and returning the coordinates (xd1, yd1) formed by the values of xd1 and yd1 in the finite field, as the result of [f]D, to said encryption-side control submodule or said decryption-side control submodule through said upper-layer selector module; wherein one said iteration comprises: sending the current value of the coordinates (xd1, yd1, zd1) to said projective-coordinate doubling (2P) submodule and, when the current bit of f is binary 1, sending the output coordinates returned by said projective-coordinate doubling (2P) submodule to said projective-coordinate point addition submodule;
Said key derivation control submodule is used for: receiving any set of key derivation data consisting of a scalar klen and a bit string ZZ; setting the initial value of a 32-bit counter variable ct to 0x00000001; determining ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; incrementing a loop variable i from 1 to ⌈klen/v⌉ by 1 each time and performing ⌈klen/v⌉ cryptographic hash operations; when klen/v is an integer, setting Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, and when klen/v is not an integer, setting Ha!_⌈klen/v⌉ to the leftmost (klen - v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; concatenating Ha_i for i from 1 to (⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, and outputting the resulting bit string of length klen bits as the result of the key derivation operation on ZZ; wherein one said cryptographic hash operation comprises: concatenating ZZ with the current value of ct into a bit string ZZ-ct; sending ZZ-ct and the scalar v, as one set of cryptographic hash data, to said cryptographic hash submodule; assigning the value H_v(ZZ-ct) returned by said cryptographic hash submodule to Ha_i; and increasing the value of ct by 0x00000001;
Said projective-coordinate doubling (2P) submodule is used for performing point doubling on the input coordinates and returning the result, as output coordinates, to said point doubling control submodule;
Said projective-coordinate point addition submodule is used for performing point addition of the input coordinates and (xd3, yd3, zd3), and sending the result to said point doubling control submodule;
Said domain conversion submodule is used for: converting the values xd2, yd2 and 1 in the finite field into their respective values xd3, yd3 and zd3 in the Montgomery domain, and returning them to said point doubling control submodule through said lower-layer selector module; and converting the value of zd1^-1 in the finite field into its value in the Montgomery domain, and returning it to said point doubling control submodule through said lower-layer selector module;
Said Montgomery domain multiplication submodule is used for: performing Montgomery domain multiplication of the value of zd1 in the Montgomery domain by 1, and sending the resulting value of zd1 in the finite field to said point doubling control submodule through said lower-layer selector module; performing Montgomery domain multiplication of xd1 by the value of zd1^-1 in the Montgomery domain, and of yd1 by the value of zd1^-1 in the Montgomery domain, respectively, and returning the resulting values of xd1 and yd1 in the affine coordinate system to said point doubling control submodule through said lower-layer selector module; and performing Montgomery domain multiplication of each of said values of xd1 and yd1 in the affine coordinate system by 1, and returning the resulting values of xd1 and yd1 in the finite field to said point doubling control submodule through said lower-layer selector module;
Said finite field inversion submodule is used for performing the inversion operation on the value of zd1 in the finite field and sending the resulting value of zd1^-1 in the finite field to said point doubling control submodule through said lower-layer selector module;
Said cryptographic hash submodule is used for performing the cryptographic hash operation on the bit string in the cryptographic hash data, and returning the generated hash value, whose length equals the scalar in the cryptographic hash data, to said encryption-side control submodule, said decryption-side control submodule or said key derivation control submodule through said lower-layer selector module.
Description of the drawings
Fig. 1 is the flow chart of encrypting a message with the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration;
Fig. 2 is the structural diagram of the p-element domain SM2 elliptic curve public key encryption system proposed by the present invention;
Fig. 3 is the structural diagram of the point doubling module proposed by the present invention;
Fig. 4 is the flow chart of decrypting a ciphertext with the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration;
Fig. 5 is the structural diagram of the p-element domain SM2 elliptic curve public key decryption system proposed by the present invention;
Fig. 6 is the structural diagram of the p-element domain SM2 elliptic curve public key encryption-decryption hybrid system proposed by the present invention;
Fig. 7 is the structural diagram of a specific embodiment of the p-element domain SM2 elliptic curve public key encryption-decryption hybrid system proposed by the present invention.
Detailed description of the embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples given serve only to explain the present invention and are not intended to limit its scope.
The public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm comprises two flows, encrypting a message and decrypting a ciphertext. The user who encrypts the message is called the encryption side and is labelled A; the user who decrypts the ciphertext is called the decryption side and is labelled B. The keys used by these two flows form one public/private key pair: encrypting the message uses the public key PB, and decrypting the ciphertext uses the private key dB. Here PB is the coordinates of a point on the elliptic curve and dB is a scalar; PB and dB correspond to each other and are linked through the base point G of the elliptic curve by the relation PB = [dB]G, where [dB]G denotes the dB-fold point multiplication of G. PB is public, while dB is known only to the decryption side. Computing dB from the known PB and G is computationally infeasible (the elliptic curve discrete logarithm problem), which keeps dB secret, so that only the decryption side, holding dB, can decrypt a message encrypted with PB; an outsider who intercepts the ciphertext cannot decrypt it, and the information is thereby kept secure.
The elliptic curve used by the SM2 elliptic curve public key cryptographic algorithm is an elliptic curve over the prime finite field of p elements. Over this field the equation of the elliptic curve is y^2 = x^3 + ax + b, where p is a prime greater than 3, a and b are elements of the p-element field, and (4a^3 + 27b^2) mod p ≠ 0, mod being the modulo operator.
This elliptic curve has characteristic parameters such as the base point G, the order n and the cofactor h; G is a point on the elliptic curve with coordinates (xG, yG), and n is a prime.
Fig. 1 is the flow chart of encrypting a message with the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration. As shown in Fig. 1, the flow comprises the following steps:
Step 101: the parameters a and b of the elliptic curve equation, the base point G of the elliptic curve, the cofactor h, the order n, the public key PB, the message M to be encrypted and its length klen in bits are known.
The message M to be encrypted is a bit string of length klen bits; it is the plaintext. The encryption flow encrypts M and outputs the ciphertext C; the decryption flow is carried out by the decryption side on the received ciphertext C and recovers the plaintext of the message M.
Step 102: generate a random number k in the range 1 to (n-1) inclusive; compute the coordinates (x1, y1) of the point C1 = [k]G and convert them into the bit string C1; compute the coordinates of the point S = [h]PB.
Here [k]G is the k-fold point multiplication of the point G with coordinates (xG, yG); the result is the coordinates (x1, y1) of another point C1, and C1 is also a point on the elliptic curve.
Likewise, [h]PB is the h-fold point multiplication of the point PB; the result is the coordinates of a point S, and the point S so obtained is also a point on the elliptic curve.
The method of converting the coordinates of the point C1 into a bit string can be the method described in sections 4.2.4 and 4.2.5 of Part 1 of the "Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves" issued by the State Cryptography Administration in December 2010; it is prior art and is not described further here. Note that, because the coordinates of the point C1 and the bit string C1 correspond to each other and can be converted into each other by the method described in that standard, the present invention uses the same label C1 for both forms and writes "point C1" or "bit string C1" only to distinguish them.
Step 103: judge whether S is the point at infinity; if it is, go to step 108, otherwise go to step 104.
Here the point at infinity is a special point of the elliptic curve, and the point S computed in step 102 may be the point at infinity, so this step must check it. If it is, the encryption fails and the flow exits the encryption process by going to step 108; otherwise encryption can continue at step 104.
Step 104: compute the coordinates (x2, y2) = [k]PB, and compute the bit string t = KDF(x2-y2, klen).
Here [k]PB is the k-fold point multiplication of the point PB, and the resulting point (x2, y2) is also a point on the elliptic curve.
x2-y2 is the new bit string obtained by concatenating x2 and y2; specifically, the bit string y2 is appended after the last bit of the bit string x2 to form the new bit string. Throughout this description, "-" between bit strings denotes concatenation, not subtraction.
KDF(x2-y2, klen) performs the key derivation operation on the bit string x2-y2 and outputs a bit string of length klen bits; KDF denotes the key derivation function. The core of the key derivation operation is a cryptographic hash operation executed in a loop. A cryptographic hash operation maps a bit string of arbitrary length to a bit string of fixed length, and its output is called the hash value. The cryptographic hash operation is one-way (the input cannot be recovered from the output) and collision resistant (two different inputs with the same hash value cannot be found in practice), so a hash value obtained by the cryptographic hash operation does not reveal the information of its input.
Let the hash value generated by the cryptographic hash operation executed within this key derivation operation have a length of v bits, let Z denote the bit string x2-y2, and let ct be a 32-bit counter variable. The key derivation operation then proceeds as follows:
(a) set the initial value of ct to 0x00000001;
(b) determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v, and, while the loop variable i increases from 1 to ⌈klen/v⌉, execute steps (b1) and (b2) in a loop:
(b1) compute Ha_i = H_v(Z-ct), where H_v(Z-ct) performs the cryptographic hash operation on the bit string Z-ct formed by concatenating Z and ct, generating a hash value of length v bits;
(b2) increment ct by 0x00000001;
(c) if klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; otherwise set Ha!_⌈klen/v⌉ to the leftmost (klen - v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v;
(d) obtain the bit string t by the concatenation t = Ha_1-Ha_2-...-Ha_(⌈klen/v⌉-1)-Ha!_⌈klen/v⌉.
Thus the bit string t is obtained from steps (a) to (d) of the key derivation operation. It can be seen that, apart from bit string concatenation, the central operation of the key derivation process is the cryptographic hash operation executed in a loop. The purpose of step (c) is to determine the last bit string Ha!_⌈klen/v⌉ that step (d) uses to form t, so that the length of t is exactly klen bits.
Step 105: judge whether the bit string t is an all-zero bit string; if it is, return to step 102, otherwise go to step 106.
The bit string t produced in step 104 may be an all-zero bit string. If it is, encryption cannot continue (the XOR in step 106 would leave M unchanged), so the flow returns to step 102 and runs again with a fresh random number; if it is not, encryption can continue at step 106.
Step 106: compute the bitwise XOR of M and t to obtain the bit string C2, and perform the cryptographic hash operation on x2-M-y2 to obtain the hash value C3.
Here the bitwise XOR of M and t can be written as C2 = M ⊕ t, where ⊕ is the bitwise XOR operator.
x2-M-y2 is the new bit string obtained by concatenating the bit strings x2, M and y2; specifically, the bit string M is appended after the last bit of the bit string x2, and the bit string y2 is appended after the last bit of the bit string M, forming the new bit string x2-M-y2.
The cryptographic hash operation on x2-M-y2 can be written as C3 = Hash(x2-M-y2), where Hash(X) is the function that performs the cryptographic hash operation on the bit string X.
The cryptographic hash operation inside the key derivation operation of step 104 and the cryptographic hash operation of this step both generate a hash value of length v bits; v here may be 192 or 256, as determined by the particular case.
Step 107: concatenate the bit strings C1, C2 and C3 into the new bit string C1-C2-C3 and output it as the ciphertext C.
Here the bit string C1-C2-C3 can be formed by appending the bit string C2 after the last bit of the bit string C1 and appending the bit string C3 after the last bit of the bit string C2.
Outputting the ciphertext C means that the encryption side sends the ciphertext C to the decryption side.
Step 108: encryption has failed; output a message that this encryption process has ended.
Here, after encryption fails, this encryption process stops and outputs a message that the process has ended. To encrypt M again, execution must restart from step 101.
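The encryption flow of steps 101 to 108 above, together with the decryption-side checks listed for the decryption-side control submodule of the hybrid system (curve membership of C1', the infinity check on [h]C1', the all-zero check on t' and the comparison of u with C3'), is carried out end to end in the following added Python example. It is illustration code written for this page, not the patent's hardware and not the official SM2 reference implementation. It assumes the SM2 recommended curve parameters, SHA-256 standing in for SM3 as the v = 256-bit hash (so its ciphertexts do not interoperate with real SM2 peers), byte-aligned messages (klen a multiple of 8), and the uncompressed encoding 0x04 || x1 || y1 for the bit string C1; the plaintext used by the caller is a constructed sample.

```python
# SM2 public key encryption/decryption following steps 101-108 of Fig. 1 and the
# decryption-side checks of the hybrid-system claim.  Added example, not the patent's
# hardware.  ASSUMPTIONS: SHA-256 stands in for SM3 (v = 256); messages are whole
# bytes (klen is a multiple of 8); C1 is encoded as 0x04 || x1 || y1.
import hashlib
import hmac
import os

# SM2 recommended curve: y^2 = x^3 + a*x + b over GF(p), base point G of prime order n
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
h = 1        # cofactor
v = 256      # hash output length in bits (SHA-256 stand-in for SM3)
INF = None   # the point at infinity


def on_curve(P):
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def add(P, Q):
    """Affine group law on the curve; INF is the identity element."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:                                 # P == -Q
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p       # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p              # addition
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P):
    """[k]P by left-to-right double-and-add (the bit order the point doubling module uses)."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def H(data):                      # Hash(X): SHA-256 standing in for SM3
    return hashlib.sha256(data).digest()


def i2b(x):                       # field element -> 32-byte big-endian bit string
    return x.to_bytes(32, "big")


def kdf(Z, klen):
    """KDF(Z, klen): ct = 0x00000001; Ha_i = H_v(Z-ct); ct += 1; keep the first klen bits."""
    out, ct = b"", 1
    for _ in range(-(-klen // v)):                 # ceil(klen / v) hash operations
        out += H(Z + ct.to_bytes(4, "big"))        # 32-bit big-endian counter
        ct += 1
    return out[: klen // 8]                        # klen assumed to be a multiple of 8


def keygen():
    dB = int.from_bytes(os.urandom(32), "big") % (n - 2) + 1   # dB in [1, n-2]
    return dB, mul(dB, G)                                       # PB = [dB]G


def encrypt(PB, M):
    if not M:
        raise ValueError("empty message")
    klen = 8 * len(M)
    if mul(h, PB) is INF:                                       # step 103 (S does not depend on k)
        raise ValueError("encryption failed: [h]PB is the point at infinity")
    while True:
        k = int.from_bytes(os.urandom(32), "big") % (n - 1) + 1   # step 102: k in [1, n-1]
        x1, y1 = mul(k, G)                                        # C1 = [k]G
        x2, y2 = mul(k, PB)                                       # step 104
        t = kdf(i2b(x2) + i2b(y2), klen)
        if any(t):                                                # step 105: all-zero t -> new k
            break
    C1 = b"\x04" + i2b(x1) + i2b(y1)
    C2 = bytes(m ^ s for m, s in zip(M, t))                       # step 106: C2 = M xor t
    C3 = H(i2b(x2) + M + i2b(y2))                                 # C3 = Hash(x2-M-y2)
    return C1 + C2 + C3                                           # step 107


def decrypt(dB, C):
    """Returns M', or raises ValueError for each failure case of the decryption flow."""
    if len(C) <= 65 + 32 or C[0] != 0x04:
        raise ValueError("decryption failed: malformed ciphertext")
    C1, C2, C3 = C[:65], C[65:-32], C[-32:]
    P1 = (int.from_bytes(C1[1:33], "big"), int.from_bytes(C1[33:], "big"))
    if not on_curve(P1):                                          # C1' must satisfy the curve
        raise ValueError("decryption failed: C1 is not on the curve")
    if mul(h, P1) is INF:                                         # S' = [h]C1'
        raise ValueError("decryption failed: [h]C1 is the point at infinity")
    x2, y2 = mul(dB, P1)                                          # (x2', y2') = [dB]C1'
    t = kdf(i2b(x2) + i2b(y2), 8 * len(C2))
    if not any(t):
        raise ValueError("decryption failed: t is all zero")
    M = bytes(c ^ s for c, s in zip(C2, t))                       # M' = C2' xor t'
    u = H(i2b(x2) + M + i2b(y2))
    if not hmac.compare_digest(u, C3):                            # constant-time u == C3' check
        raise ValueError("decryption failed: hash check u != C3")
    return M
```

Because k is drawn afresh on every call, two encryptions of the same M give different ciphertexts; the retry on all-zero t in `encrypt` and the `ValueError` paths in `decrypt` correspond to steps 105 and 108 and to the failure message of the decryption-side control submodule. Replacing `H` with an SM3 implementation (and keeping v = 256) yields standard SM2 ciphertexts.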
Fig. 2 is the structural diagram of the p-element domain SM2 elliptic curve public key encryption system proposed by the present invention. The elliptic curve involved in the present invention has a base point G, a cofactor h and an order n; G, n and h are known quantities in the field of ECC algorithms and are not explained here.
The message to be encrypted is M, a bit string of length klen bits; the encryption side encrypts it with the public key PB, and the ciphertext obtained is labelled C. Here the public key PB and the private key dB with which the decryption side decrypts the ciphertext form one public/private key pair, where PB is known to the public and dB is known only to the decryption side.
As shown in Fig. 2, the system comprises: an encryption-side control centre 201, a random number generation module 202, a point doubling module 203 and a key derivation module 204; wherein,
The encryption-side control centre 201 is used for: receiving a message M to be encrypted whose length is klen bits; sending the random number k and the point G, as one set of point doubling data, to the point doubling module 203 and receiving the coordinates (x1, y1) of the returned point C1; converting the point C1 into the bit string C1; sending the cofactor h and the point PB, as one set of point doubling data, to the point doubling module 203 and receiving the coordinates of the returned point S; judging whether S is the point at infinity and, if it is, outputting a message that this encryption has ended in failure; sending the random number k and the point PB, as one set of point doubling data, to the point doubling module 203 and receiving the coordinates (x2, y2) of the returned point; concatenating x2 and y2 into the bit string x2-y2; sending the scalar klen and the bit string x2-y2, as one set of key derivation data, to the key derivation module 204 and receiving the returned bit string t; judging whether t is an all-zero bit string and, if it is, notifying the random number generation module 202 to generate a new random number k, and if it is not, computing the bitwise XOR of M and t to obtain the bit string C2; performing the cryptographic hash operation on the bit string x2-M-y2 formed by concatenating x2, M and y2 to generate the hash value C3; and concatenating the bit strings C1, C2 and C3 into the new bit string C1-C2-C3 and outputting it as the ciphertext C;
The random number generation module 202 is used for generating a random number k in the range 1 to (n-1) inclusive and sending it to the encryption-side control centre 201;
The point doubling module 203 is used for performing, on the point in the point doubling data, the point multiplication by the scalar in that data, and returning the result to the encryption-side control centre 201;
The key derivation module 204 is used for performing the key derivation operation on the bit string in the key derivation data and returning the resulting bit string, whose length equals the scalar in the key derivation data, to the encryption-side control centre 201.
Here the encryption-side control centre controls the working sequence of the random number generation module, the point doubling module and the key derivation module by exchanging data with them, and itself implements the judgement, bit string concatenation and cryptographic hash functions; the random number generation module implements the generation of random numbers, the point doubling module implements point multiplication of points on the elliptic curve, and the key derivation module implements the key derivation operation.
The parameters a, b, G, n, h, PB, M and klen established in step 101 of Fig. 1 are known parameters in the present invention. The encryption-side control centre can send point doubling data consisting of a point and a scalar to the point doubling module and receive the coordinates of the point it returns; convert the coordinates of a point into a bit string; send key derivation data consisting of a scalar and a bit string to the key derivation module and receive the new bit string it returns; and control the random number generation module to generate a random number. The random number generation module implements random number generation, the point doubling module implements point multiplication and the key derivation module implements the key derivation function; these functions suffice to implement steps 102, 104, 106 and 107 of Fig. 1. In addition, the encryption-side control centre implements the judgement and data output functions, and thereby steps 103, 105 and 108 of Fig. 1. Therefore the system shown in Fig. 2 can implement the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm.
The random number generation module of the present invention can be implemented with a random number generator approved by the State Cryptography Administration; such a random number generator takes the form of hardware.
It can be seen that, in the present invention, because the encryption-side control centre controls the working sequence of the random number generation module, the point doubling module and the key derivation module by exchanging data with them and implements the judgement, bit string concatenation and cryptographic hash functions, the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm can be realised. And because the encryption-side control centre, the random number generation module, the point doubling module and the key derivation module of the present invention can all be implemented in hardware, the present invention can implement the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm in hardware.
Because the present invention can implement the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm in hardware, compared with a software implementation of this algorithm the present invention can improve the speed of data encryption and decryption and the security of data transmission.
In this system the encryption-side control centre has comparatively many functions; its cryptographic hash function is distinct from the others, and a separate submodule can implement that function on its own. The encryption-side control centre then comprises an encryption-side control submodule and a cryptographic hash submodule; wherein,
The encryption-side control submodule is used for sending the bit string x2-M-y2 formed by concatenating x2, M and y2, together with the scalar v, as one set of cryptographic hash data to the cryptographic hash submodule, and receiving the hash value C3 it returns;
The cryptographic hash submodule is used for performing the cryptographic hash operation on the bit string in the cryptographic hash data and returning the generated hash value, whose length equals the scalar in the cryptographic hash data, to the encryption-side control submodule.
The cryptographic hash submodule here implements the function of performing the cryptographic hash operation on a bit string to obtain a hash value, the length of which is specified by the scalar in the cryptographic hash data. The method of this cryptographic hash operation can be the SM3 cryptographic hash algorithm issued by the State Cryptography Administration.
Besides the function of sending a bit string and a scalar as one set of cryptographic hash data to the cryptographic hash submodule and receiving the hash value it returns, the encryption-side control submodule here also has all the other functions of the encryption-side control centre of Fig. 2, namely the judgement function, the function of controlling the working sequence of the other modules by exchanging data with them, the bit string concatenation function and the data input and output functions. That is, it receives a message M to be encrypted whose length is klen bits; sends the random number k and the point G, as one set of point doubling data, to the point doubling module 203 and receives the coordinates (x1, y1) of the returned point C1; converts the point C1 into the bit string C1; sends the cofactor h and the point PB, as one set of point doubling data, to the point doubling module 203 and receives the coordinates of the returned point S; judges whether S is the point at infinity and, if it is, outputs a message that this encryption has ended in failure; sends the random number k and the point PB, as one set of point doubling data, to the point doubling module 203 and receives the coordinates (x2, y2) of the returned point; concatenates x2 and y2 into the bit string x2-y2; sends the scalar klen and the bit string x2-y2, as one set of key derivation data, to the key derivation module 204 and receives the returned bit string t; judges whether t is an all-zero bit string and, if it is, notifies the random number generation module 202 to generate a new random number k, and if it is not, computes the bitwise XOR of M and t to obtain the bit string C2; and concatenates the bit strings C1, C2 and C3 into the new bit string C1-C2-C3 and outputs it as the ciphertext C.
Fig. 3 is the structural diagram of the point doubling module proposed by the present invention. As shown in Fig. 3, the point doubling module comprises: a point doubling control submodule 301, a projective-coordinate point addition submodule 302, a projective-coordinate doubling (2P) submodule 303, a finite field inversion submodule 304, a domain conversion submodule 305 and a Montgomery domain multiplication submodule 306 (the Montgomery domain representation of a field element x being x·R mod p for a fixed radix R greater than p); wherein,
The point doubling control submodule 301 is used for: receiving any set of point doubling data consisting of a scalar f and a point D; converting the coordinates (xd, yd) of D in the affine coordinate system into the coordinates (xd2, yd2, 1) of D in the projective coordinate system, and sending xd2, yd2 and 1 to the domain conversion submodule 305; sending (xd3, yd3, zd3) to the projective-coordinate point addition submodule 302 and taking it as the initial value of the coordinates (xd1, yd1, zd1) of [f]D in the Montgomery domain, where [f]D is the result of the f-fold point multiplication of D; determining the binary bit length L of f; taking the second-highest bit of the binary form of f as the initial value of its current bit and, starting from the second-highest bit of the binary form of f and moving down one bit at a time until the lowest bit is the current bit, performing (L-1) iterations; sending zd1 of the resulting coordinates (xd1, yd1, zd1) of the (L-1) iterations to the Montgomery domain multiplication submodule 306; sending the value of zd1 in the finite field to the finite field inversion submodule 304; sending the value of zd1^-1 in the finite field to the domain conversion submodule 305; sending xd1 and yd1 of the resulting coordinates (xd1, yd1, zd1) of the (L-1) iterations, together with the value of zd1^-1 in the Montgomery domain, to the Montgomery domain multiplication submodule 306; sending 1 together with the value of xd1 in the affine coordinate system, and 1 together with the value of yd1 in the affine coordinate system, respectively, to the Montgomery domain multiplication submodule 306; and outputting the coordinates (xd1, yd1) formed by the values of xd1 and yd1 in the finite field as the result of [f]D; wherein one iteration comprises: sending the current value of the coordinates (xd1, yd1, zd1) to the projective-coordinate doubling (2P) submodule 303 and, when the current bit of f is binary 1, sending the output coordinates returned by the projective-coordinate doubling (2P) submodule 303 to the projective-coordinate point addition submodule 302;
The projective doubling submodule 303 doubles the input point (computes 2Q for an input point Q given in projective coordinates) and returns the result to the point doubling control submodule 301 as the output coordinates.
The domain conversion submodule 305 converts the finite-field values xd2, yd2 and 1 into their Montgomery-domain values xd3, yd3 and zd3 respectively and returns them to the point doubling control submodule 301; it also converts the finite-field value of zd1^-1 into its Montgomery-domain value and returns it to the point doubling control submodule 301.
The Montgomery multiplication submodule 306 multiplies the Montgomery-domain value of zd1 by 1 in the Montgomery domain and sends the resulting finite-field value of zd1 to the point doubling control submodule 301; it multiplies xd1 by the Montgomery-domain value of zd1^-1 and yd1 by the Montgomery-domain value of zd1^-1 in the Montgomery domain and returns the resulting affine values of xd1 and yd1 to the point doubling control submodule 301; and it multiplies each of the affine values of xd1 and yd1 by 1 in the Montgomery domain and returns the resulting finite-field values of xd1 and yd1 to the point doubling control submodule 301.
The finite-field inversion submodule 304 inverts the finite-field value of zd1 and sends the finite-field value of zd1^-1 to the point doubling control submodule 301.
The projective point addition submodule 302 adds the input point to (xd3, yd3, zd3) and sends the result to the point doubling control submodule 301.
The point doubling control submodule is the control core of the point doubling (scalar multiplication) operation: it exchanges data with the other submodules and thereby controls their working sequence; it exchanges point doubling data and point doubling results with the encryption-side control center; and it converts coordinates in the affine coordinate system into coordinates in the projective coordinate system.
The projective doubling submodule doubles the input point. The data it operates on are Montgomery-domain values of projective coordinates; doubling such data is prior art and can be implemented with a sequence of multiplications and additions. The invention converts the finite-field data in the affine coordinate system into Montgomery-domain data in the projective coordinate system and performs the doubling on the converted data. This adds data-conversion operations, but operating efficiency is greatly improved, because projective coordinates avoid a field inversion in every doubling and addition and Montgomery multiplication avoids a trial division in every field multiplication.
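The following added example (it is not the patent's code) walks through the point doubling module exactly in the order the control submodule sequences it: affine point, projective coordinates (xd2, yd2, 1), conversion into the Montgomery domain, L-1 left-to-right double-and-add iterations, then inversion of zd1 and conversion back to finite-field affine coordinates. The curve constants are assumed to be the SM2 recommended parameters; the homogeneous projective formulas (x = X/Z, y = Y/Z) match the x·zd1^-1, y·zd1^-1 conversion the text describes. Function names are the example's own.

```python
# Added example, not code from the patent: [f]D as the point doubling module sequences it.
# Assumed SM2 recommended curve parameters (GB/T 32918.5), prime field, a = p - 3.
P  = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A  = P - 3
B  = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N  = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

R = 1 << 256                          # Montgomery radix, R > P
MASK = R - 1
N_PRIME = (-pow(P, -1, R)) % R        # -P^-1 mod R, used by REDC

def to_mont(x):
    """Domain conversion submodule: finite-field value -> Montgomery domain (x*R mod P)."""
    return (x * R) % P

def mont_mul(x, y):
    """Montgomery multiplication submodule: x*y*R^-1 mod P by REDC, for 0 <= x, y < P."""
    t = x * y
    m = ((t & MASK) * N_PRIME) & MASK
    u = (t + m * P) >> 256
    return u - P if u >= P else u

def from_mont(x):
    """Leaving the domain is a Montgomery multiplication by 1, as submodule 306 does it."""
    return mont_mul(x, 1)

A_M = to_mont(A)

def proj_double(X1, Y1, Z1):
    """Projective doubling submodule: 2Q for Q = (X:Y:Z), x = X/Z, y = Y/Z, Montgomery form."""
    XX, ZZ = mont_mul(X1, X1), mont_mul(Z1, Z1)
    W = (3 * XX + mont_mul(A_M, ZZ)) % P          # 3X^2 + aZ^2
    S = mont_mul(Y1, Z1)                          # YZ
    Bv = mont_mul(mont_mul(X1, Y1), S)            # XYS
    H = (mont_mul(W, W) - 8 * Bv) % P             # W^2 - 8B
    YS = mont_mul(Y1, S)
    X3 = (2 * mont_mul(H, S)) % P
    Y3 = (mont_mul(W, (4 * Bv - H) % P) - 8 * mont_mul(YS, YS)) % P
    Z3 = (8 * mont_mul(mont_mul(S, S), S)) % P
    return X3, Y3, Z3

def proj_add(X1, Y1, Z1, X2, Y2, Z2):
    """Projective point addition submodule for Q1 != +-Q2 (never violated for 1 <= f < N)."""
    U1, U2 = mont_mul(Y2, Z1), mont_mul(Y1, Z2)
    V1, V2 = mont_mul(X2, Z1), mont_mul(X1, Z2)
    U, V, W = (U1 - U2) % P, (V1 - V2) % P, mont_mul(Z1, Z2)
    VV = mont_mul(V, V)
    VVV, VVV2 = mont_mul(VV, V), mont_mul(VV, V2)
    Av = (mont_mul(mont_mul(U, U), W) - VVV - 2 * VVV2) % P
    X3 = mont_mul(V, Av)
    Y3 = (mont_mul(U, (VVV2 - Av) % P) - mont_mul(VVV, U2)) % P
    Z3 = mont_mul(VVV, W)
    return X3, Y3, Z3

def point_mult(f, xd, yd):
    """[f]D in the order of the point doubling control submodule; requires 1 <= f < N."""
    if not 1 <= f < N:
        raise ValueError("scalar must lie in [1, N-1]")
    xd3, yd3, zd3 = to_mont(xd), to_mont(yd), to_mont(1)   # (xd2, yd2, 1) -> Montgomery domain
    xd1, yd1, zd1 = xd3, yd3, zd3                           # initial value of [f]D
    L = f.bit_length()
    for i in range(L - 2, -1, -1):                          # L-1 iterations, 2nd-highest bit down
        xd1, yd1, zd1 = proj_double(xd1, yd1, zd1)
        if (f >> i) & 1:
            xd1, yd1, zd1 = proj_add(xd1, yd1, zd1, xd3, yd3, zd3)
    z_fp = from_mont(zd1)                       # zd1 * 1 in the Montgomery domain -> F_p value
    z_inv_m = to_mont(pow(z_fp, -1, P))         # inversion submodule, then back into the domain
    x_m, y_m = mont_mul(xd1, z_inv_m), mont_mul(yd1, z_inv_m)   # affine x, y in Montgomery form
    return from_mont(x_m), from_mont(y_m)       # multiply by 1 again -> finite-field values

def on_curve(x, y):
    """Affine curve-equation check, the same test decryption step 403 applies to C1'."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

if __name__ == "__main__":
    x, y = point_mult(N - 1, GX, GY)            # [n-1]G must equal -G = (Gx, p - Gy)
    print(on_curve(x, y), (x, y) == (GX, P - GY))
```

For scalars in [1, n-1] and a point of prime order n the exceptional cases of the addition formula (equal or opposite inputs) cannot occur, so the module needs no special handling of them; a hardware implementation must still reject scalars outside that range, and the branch on the current bit leaks the scalar through timing and power unless the design is made constant-time.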
In this system the key derivation module comprises a key derivation control submodule and a cryptographic hash submodule that outputs a v-bit hash value, where v can be set to 192 or 256 as required; wherein:
The key derivation control submodule receives a set of key derivation data consisting of a scalar klen and a bit string ZZ; sets the 32-bit counter ct to the initial value 0x00000001; determines ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; performs ⌈klen/v⌉ cryptographic hash operations, with the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1; if klen/v is an integer, sets Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, otherwise sets Ha!_⌈klen/v⌉ to the leftmost (klen - v × ⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; and concatenates Ha_1, ..., Ha_(⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, outputting the resulting klen-bit string as the result of the key derivation operation on ZZ. One cryptographic hash operation consists of: concatenating ZZ with the current value of ct into the bit string ZZ‖ct; sending ZZ‖ct and the scalar v to the cryptographic hash submodule as a set of cryptographic hash data; assigning the value H_v(ZZ‖ct) returned by the cryptographic hash submodule to Ha_i; and incrementing ct by 0x00000001.
The cryptographic hash submodule performs the cryptographic hash operation on the bit string ZZ‖ct in the received cryptographic hash data and returns the hash value H_v(ZZ‖ct), whose length is the v bits given by the scalar v in the cryptographic hash data, to the key derivation control submodule.
The key derivation control submodule is the control core of the key derivation operation: it exchanges key derivation data and key derivation results with the encryption-side control center, increments the variables, and exchanges cryptographic hash data and hash results with the cryptographic hash submodule.
The cryptographic hash submodule is an arithmetic unit that performs the cryptographic hash operation. The hash it implements can be the SM3 cryptographic hash algorithm published by the State Cryptography Administration, in which case it is identical to the cryptographic hash submodule included in the encryption-side control center.
The public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm published by the State Cryptography Administration comprises a decryption method as well as an encryption method. Fig. 4 is the flow chart of decrypting a ciphertext with that public key encryption algorithm. This decryption flow corresponds to the encryption flow of Fig. 1 and decrypts the ciphertext C output by that flow. After the ciphertext C has been transmitted from the encrypting party to the decrypting party it is labelled C', to reflect that C may have been changed in transit by data loss, tampering, forgery and the like.
As shown in Fig. 4, the decryption flow comprises the following steps:
Step 401: the parameters a and b of the elliptic curve equation, the base point G of the elliptic curve, the cofactor h, the order n, the private key dB, the received ciphertext C' = C1'‖C2'‖C3' and the length klen (in bits) of the bit string C2' in that ciphertext are known.
This step fixes the known data. The private key dB corresponds to the public key PB described above; the two form a public/private key pair.
C' is the ciphertext to be decrypted, as received by the decrypting party; it can be expressed as the bit string C1'‖C2'‖C3' formed by concatenating C1', C2' and C3'. In the method and systems of Figs. 1, 2 and 3 the ciphertext C output by the encrypting party has the form C1‖C2‖C3, the concatenation of the three bit strings C1, C2 and C3; the representation of the ciphertext C' to be decrypted corresponds to it, with the bit string C1' corresponding to C1, C2' to C2 and C3' to C3. Corresponding bit strings have the same length, and the lengths are known to both the encrypting and the decrypting party, so C1', C2' and C3' can be extracted from C' in the subsequent steps.
Step 402: extract the bit string C1' from C' and convert it into the point C1'.
Because the C' received by the decrypting party has the same form as the ciphertext C sent by the encrypting party, namely the concatenation of three bit strings of corresponding lengths known to both parties, the bit strings C1', C2' and C3' can be extracted from C'.
The method of converting the bit string C1' into the point C1' can be that of sections 4.2.3 and 4.2.9 of Part 1 of the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" published by the State Cryptography Administration in December 2010; it is prior art and is not described here. Note that the coordinates of the point C1' and the bit string C1' are essentially the same information and correspond to each other; they can be converted into each other with the methods recorded in that standard, so this invention keeps the same label C1' for both and distinguishes the two forms only by writing "point C1'" or "bit string C1'".
Step 403: judge whether the coordinates of the point C1' satisfy the elliptic curve equation; if so, go to step 404, otherwise go to step 411.
If the coordinates of the point C1' do not satisfy the elliptic curve equation, C1' is not a point on the elliptic curve, so the ciphertext C sent by the encrypting party has been changed in transit by data loss, forgery, tampering or the like and the received ciphertext C' differs from C. The method then need not, and cannot, decrypt C' to obtain the message M the encrypting party intended to send, so step 411 is executed: decryption stops and a message that decryption has ended is output. Performing this check before any operation that uses the private key also prevents dB from being applied to an invalid point.
Step 404: compute the coordinates of the point S' = [h]C1'.
This step is executed when the result of step 403 is yes. [h]C1' is the scalar multiplication of the point C1' by h; its result is a new point S'.
Step 405: judge whether S' is the point at infinity; if so, go to step 411, otherwise go to step 406.
If S' is the point at infinity, C1' lies in a small subgroup of the curve rather than in the subgroup generated by G, so the ciphertext C sent by the encrypting party has been changed in transit by data loss, forgery, tampering or the like and the received ciphertext C' differs from C. The method then need not, and cannot, decrypt C' to obtain the message M, so step 411 is executed: decryption stops and a message that decryption has ended is output.
Step 406: compute the coordinates (x2', y2') = [dB]C1' and the bit string t' = KDF(x2'‖y2', klen).
This step is executed when the result of step 405 is no.
[dB]C1' is the scalar multiplication of the point C1' by dB; the result is a new point with coordinates (x2', y2').
KDF(x2'‖y2', klen) is the key derivation operation applied to the bit string x2'‖y2' formed by concatenating x2' and y2'; it generates a new bit string t' of klen bits. The key derivation operation is described in detail under step 104 of Fig. 1 and is not repeated here.
Step 407: judge whether t' is an all-zero bit string; if so, go to step 411, otherwise go to step 408.
If t' is an all-zero bit string, the ciphertext C sent by the encrypting party has been changed in transit by data loss, forgery, tampering or the like and the received ciphertext C' differs from C (the encrypting party never uses a k for which t is all zero). The method then need not, and cannot, decrypt C' to obtain the message M, so step 411 is executed: decryption stops and a message that decryption has ended is output.
Step 408: extract the bit string C2' from C'; XOR C2' and t' bit by bit to obtain the bit string M'; apply the cryptographic hash operation to the bit string x2'‖M'‖y2' to obtain the hash value u; extract the bit string C3' from C'.
This step is executed when the result of step 407 is no.
The bitwise XOR of C2' and t' is common knowledge and is not elaborated here. The resulting bit string M' has the same length as C2' and t', namely klen bits.
The cryptographic hash operation applied to the bit string x2'‖M'‖y2', the concatenation of x2', M' and y2', can be the SM3 cryptographic hash algorithm published by the State Cryptography Administration; its result is the hash value u.
Step 409: judge whether u equals C3'; if so, go to step 410, otherwise go to step 411.
If u is not equal to C3', the ciphertext C sent by the encrypting party has been changed in transit by data loss, forgery, tampering or the like and the received ciphertext C' differs from C; because u is recomputed from the recovered M' and from x2' and y2', this comparison detects any modification of C2' or C3' that the earlier checks could not. The method then need not, and cannot, decrypt C' to obtain the message M, so step 411 is executed: decryption stops and a message that decryption has ended is output.
Step 410: output M' as the plaintext corresponding to C'.
This step is executed when the result of step 409 is yes. It is the data output step: the M' it outputs is the plaintext obtained by decryption, which the decrypting party takes as the recovery of the message M sent by the encrypting party. The decryption of C' ends here.
Step 411: decryption fails; output a message that this decryption process has ended.
This step is executed whenever any of four conditions occurs: the coordinates of the point C1' do not satisfy the elliptic curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3'. Any of them shows that the ciphertext C sent by the encrypting party was changed on its way to the decrypting party, so the decrypting party cannot obtain the message M by decrypting the received ciphertext C'. This step therefore ends the decryption process and outputs a message that decryption has ended in failure.
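The added example below (not the patent's code) implements the key derivation operation of the key derivation module and the complete decryption flow of steps 401 to 411, together with the matching encryption so that a ciphertext can be produced and checked offline. Both directions share one point multiplication routine and one key derivation routine, as the text's module descriptions imply. Assumptions: the SM2 recommended curve parameters; SM3 from hashlib when the local OpenSSL provides it and SHA-256 as a stand-in otherwise (both give v = 256); C1 encoded as the uncompressed point 04‖x1‖y1; and a demo private key DB_DEMO that is a constructed value, not a key from the page. The affine double-and-add used here is for clarity and is not constant-time.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code. Assumed SM2 recommended parameters (GB/T 32918.5).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H_COFACTOR = 1
V = 256                                      # hash output length in bits
DB_DEMO = 0x5A6B7C8D9EAFB0C1D2E3F4051627384950617283A4B5C6D7E8F90A1B2C3D4E5F   # constructed

def hash_bits(data: bytes) -> int:
    """H_v: SM3 if OpenSSL exposes it, otherwise SHA-256 as an assumed stand-in; v = 256."""
    try:
        h = hashlib.new("sm3")
    except ValueError:
        h = hashlib.sha256()
    h.update(data)
    return int.from_bytes(h.digest(), "big")

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """[k]pt by left-to-right double-and-add (shared by encryption and decryption)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def kdf(zz: bytes, klen: int) -> int:
    """Key derivation module: ceil(klen/V) hashes of ZZ||ct, ct = 1, 2, ...; leftmost klen bits."""
    rounds = -(-klen // V)
    ct, out = 1, 0
    for _ in range(rounds):
        out = (out << V) | hash_bits(zz + ct.to_bytes(4, "big"))
        ct += 1
    return out >> (rounds * V - klen)        # Ha! = leftmost (klen - V*floor(klen/V)) bits

def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")

def encrypt(pb, m: bytes) -> bytes:
    """Encrypting party: C = C1 || C2 || C3 with C1 = 04 || x1 || y1."""
    if not m:
        raise ValueError("empty message: klen must be positive")
    if mul(H_COFACTOR, pb) is None:          # S = [h]PB must not be the point at infinity
        raise ValueError("public key lies in a small subgroup")
    klen = 8 * len(m)
    while True:
        k = secrets.randbelow(N - 1) + 1      # random k in [1, n-1]
        x1, y1 = mul(k, G)
        x2, y2 = mul(k, pb)
        t = kdf(i2b(x2) + i2b(y2), klen)
        if t != 0:                            # all-zero t: draw a fresh k and retry
            break
    c2 = (int.from_bytes(m, "big") ^ t).to_bytes(len(m), "big")
    c3 = hash_bits(i2b(x2) + m + i2b(y2))
    return b"\x04" + i2b(x1) + i2b(y1) + c2 + i2b(c3)

def decrypt(db, c: bytes, klen: int):
    """Decrypting party, steps 401 to 411: returns M', or None when any check fails (step 411)."""
    c1, c2, c3 = c[:65], c[65:65 + klen // 8], c[65 + klen // 8:]
    if len(c1) != 65 or c1[0] != 0x04 or len(c2) != klen // 8 or len(c3) != 32:
        return None                           # step 402: C' does not have the expected form
    pt = (int.from_bytes(c1[1:33], "big"), int.from_bytes(c1[33:], "big"))
    if not on_curve(pt):                      # step 403
        return None
    if mul(H_COFACTOR, pt) is None:           # steps 404 and 405: S' = [h]C1'
        return None
    x2, y2 = mul(db, pt)                      # step 406
    t = kdf(i2b(x2) + i2b(y2), klen)
    if t == 0:                                # step 407
        return None
    m = (int.from_bytes(c2, "big") ^ t).to_bytes(klen // 8, "big")   # step 408
    u = hash_bits(i2b(x2) + m + i2b(y2))
    if not hmac.compare_digest(i2b(u), c3):   # step 409, compared in constant time
        return None
    return m                                  # step 410

if __name__ == "__main__":
    pb = mul(DB_DEMO, G)
    c = encrypt(pb, b"constructed plaintext")
    print(decrypt(DB_DEMO, c, 8 * len(b"constructed plaintext")))
```

Flipping a single bit of C2' makes step 409 fail, and replacing C1' with an encoding of (0, 0) makes step 403 fail before the private key is used; the KDF is checked with klen = 300, which exercises the truncation of the second hash block to 44 bits.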
Fig. 5 is the structure diagram of the prime-field SM2 elliptic curve public key decryption system proposed by the invention. The elliptic curve has base point G, cofactor h and order n; the private key is dB, which forms a public/private key pair with the public key PB used by the encrypting party to encrypt the message M.
The decryption system of Fig. 5 corresponds to the encryption system of Fig. 2 and decrypts the ciphertext C output by that encryption system. Because data loss, change, tampering or forgery may occur while the ciphertext C is transmitted from the encrypting party to the decrypting party, so that the decrypting party cannot obtain the plaintext M the encrypting party meant to transmit, the invention labels the ciphertext received by the decryption system C'. Corresponding to the representation C1‖C2‖C3 of the bit string C, the bit string C' is written C1'‖C2'‖C3', with the bit string C1' corresponding to C1, C2' to C2 and C3' to C3; "corresponding" here means the two bit strings have the same length, and that length is known to both the encrypting and the decrypting party.
As shown in Fig. 5, the system comprises a decryption-side control center 501, a point doubling module 502 and a key derivation module 503; wherein:
The decryption-side control center 501 receives the ciphertext C' to be decrypted in the form of the bit string C1'‖C2'‖C3' concatenated from C1', C2' and C3', where the length of the bit string C2' is klen bits; extracts the bit string C1' from C' and converts it into the point C1'; judges whether the coordinates of the point C1' satisfy the elliptic curve equation and, if so, sends the cofactor h and the point C1' to the point doubling module 502 as a set of point doubling data and receives the coordinates of the returned point S'; judges whether S' is the point at infinity and, if not, sends the private key dB and the point C1' to the point doubling module 502 as a set of point doubling data and receives the coordinates (x2', y2') of the returned point; sends the bit string x2'‖y2' concatenated from x2' and y2', together with the scalar klen, to the key derivation module 503 as a set of key derivation data and receives the returned bit string t'; judges whether t' is an all-zero bit string and, if not, extracts the bit string C2' from C', XORs C2' and t' bit by bit to obtain the bit string M', applies the cryptographic hash operation to the bit string x2'‖M'‖y2' to obtain the hash value u, and extracts the bit string C3' from C'; judges whether u equals C3' and, if so, outputs M' as the plaintext corresponding to C'; and outputs a message that decryption has ended in failure when any of the following occurs: the coordinates of the point C1' do not satisfy the elliptic curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3';
The point doubling module 502 performs the scalar multiplication of the point in the point doubling data by the scalar in that data and returns the result to the decryption-side control center;
The key derivation module 503 performs the key derivation operation on the bit string in the key derivation data and returns to the decryption-side control center a bit string whose length is the scalar in the key derivation data.
The decryption-side control center is the control core of ciphertext decryption: it performs the judgements, exchanges data with the other modules to control their working sequence, converts bit strings into points, concatenates bit strings, receives and outputs data, and performs the cryptographic hash operation.
The point doubling module performs the point doubling (scalar multiplication) function, and the key derivation module performs the key derivation function.
Because the decryption-side control center, the point doubling module and the key derivation module implement these functions, every step of Fig. 4 can be carried out, and the decryption process of the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm is implemented in hardware, improving the speed and security of decryption.
In this decryption system the decryption-side control center has a cryptographic hash function; as in the encryption system, this function can be implemented by a separate submodule, so the decryption-side control center can comprise a decryption-side control submodule and a cryptographic hash submodule; wherein:
The decryption-side control submodule sends the bit string x2'‖M'‖y2' concatenated from x2', M' and y2', together with the scalar v, to the cryptographic hash submodule as a set of cryptographic hash data and receives the returned hash value u;
The cryptographic hash submodule performs the cryptographic hash operation on the bit string x2'‖M'‖y2' in the cryptographic hash data and returns to the decryption-side control submodule the hash value u, whose length is the v bits given by the scalar v in the cryptographic hash data.
The cryptographic hash submodule implements the cryptographic hash function, for example the SM3 cryptographic hash algorithm published by the State Cryptography Administration.
Besides concatenating the bit string and exchanging the cryptographic hash data and hash value with the cryptographic hash submodule as described above, the decryption-side control submodule can also have the other functions of the decryption-side control center of Fig. 5, namely: receiving the ciphertext C' to be decrypted in the form of the bit string C1'‖C2'‖C3' concatenated from C1', C2' and C3', where the length of the bit string C2' is klen bits; extracting the bit string C1' from C' and converting it into the point C1'; judging whether the coordinates of the point C1' satisfy the elliptic curve equation and, if so, sending the cofactor h and the point C1' to the point doubling module 502 as a set of point doubling data and receiving the coordinates of the returned point S'; judging whether S' is the point at infinity and, if not, sending the private key dB and the point C1' to the point doubling module 502 as a set of point doubling data and receiving the coordinates (x2', y2') of the returned point; sending the bit string x2'‖y2' concatenated from x2' and y2', together with the scalar klen, to the key derivation module 503 as a set of key derivation data and receiving the returned bit string t'; judging whether t' is an all-zero bit string and, if not, extracting the bit string C2' from C' and XORing C2' and t' bit by bit to obtain the bit string M'; extracting the bit string C3' from C'; judging whether u equals C3' and, if so, outputting M' as the plaintext corresponding to C'; and outputting a message that decryption has ended in failure when any of the following occurs: the coordinates of the point C1' do not satisfy the elliptic curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3'.
In this decryption system the point doubling function is performed by the point doubling module, which comprises a point doubling control submodule, a projective doubling submodule, a domain conversion submodule, a Montgomery multiplication submodule, a finite-field inversion submodule and a projective point addition submodule; wherein:
The point doubling control submodule receives a set of point doubling data consisting of a scalar f and a point D and computes [f]D, the scalar multiplication of D by f. It converts the affine coordinates (xd, yd) of D into the projective coordinates (xd2, yd2, 1) of D and sends xd2, yd2 and 1 to the domain conversion submodule, which returns their Montgomery-domain values (xd3, yd3, zd3). It sends (xd3, yd3, zd3) to the projective point addition submodule and also takes it as the initial value of the Montgomery-domain coordinates (xd1, yd1, zd1) of [f]D. It determines the bit length L of the binary representation of f, takes the second-most-significant bit of f as the initial current bit, and after each iteration moves the current bit one position toward the least-significant bit, so that L-1 iterations are performed. One iteration consists of: sending the current value of (xd1, yd1, zd1) to the projective doubling submodule, and, when the current bit of f is 1, sending the coordinates returned by the projective doubling submodule to the projective point addition submodule; the coordinates returned by the last submodule used become the new value of (xd1, yd1, zd1). After the L-1 iterations it sends zd1 of the result (xd1, yd1, zd1) to the Montgomery multiplication submodule, which returns the finite-field value of zd1; sends that value to the finite-field inversion submodule; sends the finite-field value of zd1^-1 to the domain conversion submodule; sends xd1 and yd1 of the result together with the Montgomery-domain value of zd1^-1 to the Montgomery multiplication submodule, which returns the affine values of xd1 and yd1 (still in the Montgomery domain); sends 1 together with the affine xd1, and 1 together with the affine yd1, to the Montgomery multiplication submodule, which returns the finite-field values of xd1 and yd1; and outputs the coordinates (xd1, yd1) formed from those finite-field values as the result [f]D.
The projective doubling submodule doubles the input point (computes 2Q for an input point Q in projective coordinates) and returns the result to the point doubling control submodule as the output coordinates.
The domain conversion submodule converts the finite-field values xd2, yd2 and 1 into their Montgomery-domain values xd3, yd3 and zd3 respectively and returns them to the point doubling control submodule; it also converts the finite-field value of zd1^-1 into its Montgomery-domain value and returns it to the point doubling control submodule.
The Montgomery multiplication submodule multiplies the Montgomery-domain value of zd1 by 1 in the Montgomery domain and sends the resulting finite-field value of zd1 to the point doubling control submodule; it multiplies xd1 by the Montgomery-domain value of zd1^-1 and yd1 by the Montgomery-domain value of zd1^-1 in the Montgomery domain and returns the resulting affine values of xd1 and yd1 to the point doubling control submodule; and it multiplies each of the affine values of xd1 and yd1 by 1 in the Montgomery domain and returns the resulting finite-field values of xd1 and yd1 to the point doubling control submodule.
The finite-field inversion submodule inverts the finite-field value of zd1 and sends the finite-field value of zd1^-1 to the point doubling control submodule.
The projective point addition submodule adds the input point to (xd3, yd3, zd3) and sends the result to the point doubling control submodule.
It can be seen that, since the point doubling module in this decryption system likewise performs the scalar multiplication on the point doubling data, it differs from the point doubling module of the encryption system shown in Fig. 3 only in the data being operated on and in the control module with which the point doubling control submodule exchanges data (the encryption-side control center in the encryption system, the decryption-side control center in the decryption system). The structure and function of every submodule are identical, so this point doubling module can be implemented with the same hardware as the point doubling module of Fig. 3.
The key derivation module in this decryption system comprises a key derivation control submodule and a cryptographic hash submodule that outputs a v-bit hash value; wherein:
The key derivation control submodule receives a set of key derivation data consisting of a scalar klen and a bit string ZZ; sets the 32-bit counter ct to the initial value 0x00000001; determines ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; performs ⌈klen/v⌉ cryptographic hash operations, with the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1; if klen/v is an integer, sets Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, otherwise sets Ha!_⌈klen/v⌉ to the leftmost (klen - v × ⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; and concatenates Ha_1, ..., Ha_(⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, outputting the resulting klen-bit string as the result of the key derivation operation on ZZ. One cryptographic hash operation consists of: concatenating ZZ with the current value of ct into the bit string ZZ‖ct; sending ZZ‖ct and the scalar v to the cryptographic hash submodule as a set of cryptographic hash data; assigning the value H_v(ZZ‖ct) returned by the cryptographic hash submodule to Ha_i; and incrementing ct by 0x00000001.
The cryptographic hash submodule performs the cryptographic hash operation on the bit string ZZ‖ct in the received cryptographic hash data and returns the hash value H_v(ZZ‖ct), whose length is the v bits given by the scalar v in the cryptographic hash data, to the key derivation control submodule.
It can be seen that, since the key derivation module in this decryption system likewise performs the key derivation operation on the key derivation data, it differs from the key derivation module of the encryption system only in the data being operated on and in the control module with which the key derivation control submodule exchanges data (the encryption-side control center in the encryption system, the decryption-side control center in the decryption system). The structure and function of every submodule are identical, so this key derivation module can be implemented with the same hardware as the key derivation module of the encryption system.
As shown in Figs. 2 and 5, both the encryption system and the decryption system contain a point doubling module and a key derivation module, and the analysis above shows that the point doubling modules of the two systems, and likewise their key derivation modules, can have identical structure and function. The point doubling module and the key derivation module can therefore be shared between the two systems, giving an encryption-decryption hybrid system that implements the public key encryption algorithm of the SM2 elliptic curve public key cryptographic algorithm in hardware.
Fig. 6 is the structure diagram of the prime-field SM2 elliptic curve public key encryption-decryption hybrid system proposed by the invention. The elliptic curve has base point G, cofactor h and order n; the key used by the encrypting party to encrypt the message M into the ciphertext C is the public key PB, the key used by the decrypting party to decrypt the received ciphertext C' is the private key dB, and PB and dB form a public/private key pair.
As shown in Fig. 6, the system comprises an upper-layer multiplexer module 604, an encryption-side control center 601, a decryption-side control center 602, a random number generation module 603, a point doubling module 605 and a key derivation module 606; wherein:
The upper-layer multiplexer module 604 is a data forwarding module placed between the encryption-side control center 601 and the point doubling module 605 and key derivation module 606, and between the decryption-side control center 602 and the point doubling module 605 and key derivation module 606, so that the two control centers share the two computation modules;
The encryption-side control center 601 receives the message M to be encrypted, whose length is klen bits; sends the random number k and the point G through the upper-layer multiplexer module 604 to the point doubling module 605 as a set of point doubling data and receives through the upper-layer multiplexer module 604 the coordinates (x1, y1) of the returned point C1; converts the point C1 into the bit string C1; sends the cofactor h and the point PB through the upper-layer multiplexer module 604 to the point doubling module 605 as a set of point doubling data and receives through the upper-layer multiplexer module 604 the coordinates of the returned point S; judges whether S is the point at infinity and, if so, outputs a message that this encryption has ended in failure; sends the random number k and the point PB through the upper-layer multiplexer module 604 to the point doubling module 605 as a set of point doubling data and receives through the upper-layer multiplexer module 604 the coordinates (x2, y2) of the returned point; concatenates x2 and y2 into the bit string x2‖y2; sends the scalar klen and the bit string x2‖y2 through the upper-layer multiplexer module 604 to the key derivation module 606 as a set of key derivation data and receives through the upper-layer multiplexer module 604 the returned bit string t; judges whether t is an all-zero bit string and, if so, notifies the random number generation module 603 to generate a new random number k, otherwise XORs M and t bit by bit to obtain the bit string C2; applies the cryptographic hash operation to the bit string x2‖M‖y2 concatenated from x2, M and y2 to generate the hash value C3; and concatenates the bit strings C1, C2 and C3 into the new bit string C1‖C2‖C3, which it outputs as the ciphertext C;
The side of deciphering control centre 602 is used for; The reception form is the ciphertext C ' to be deciphered of Bit String C1 '-C2 '-C3 ' of being spliced by C1 ', C2 ', C3 '; Bit String C1 ' wherein is corresponding with Bit String C1; Bit String C2 ' and its length corresponding with Bit String C2 is the klen bit, and Bit String C3 ' is corresponding with Bit String C3; From C ', take out Bit String C1 ', and be converted into a C1 '; Whether the coordinate of judging point C1 ' satisfies the equation of elliptic curve; In judged result is under the situation that is; Cofactor h and some C1 ' are sent to point doubling module 605 as one group of point doubling data through upper strata final election module 604, and receive the coordinate of its some S ' that returns through upper strata final election module 604; Judge whether S ' is infinite point; In judged result is under the situation not; Private key dB and some C1 ' are sent to point doubling module 605 as one group of point doubling data through upper strata final election module 604; And through upper strata final election module 604 receive its points that return coordinate (x2 '; Y2 '), Bit String x2 '-y2 ' that x2 ', y2 ' are spliced sends to key derivation module 606 as a group key derived data through upper strata final election module 604 with scalar klen, and receives its Bit String t ' that returns through upper strata final election module 604; Judging whether t ' is complete 0 Bit String, is under the situation not in judged result, from C ', takes out Bit String C2 '; C2 ' and t ' are carried out the step-by-step XOR, obtain Bit String M '; Bit string x2 '-M '-y2 ' carries out the cryptographic hash computing, obtains Hash Value u; From C ', take out Bit String C3 '; Judge whether u equates with C3 ', is under the situation that is in judged result, and M ' is exported as C ' corresponding plaintext; Do not satisfy the equation of elliptic curve at the coordinate of a C1 ', when S ' is 
not equal to any situation generation among the C3 ' for infinite point, t ' for complete 0 Bit String, u, export the message that deciphering finishes because of failure;
Random number generation module 603 is used for, generate 1 and (n-1) between random number k, and send it to encryption side control centre 601;
Point doubling module 605 is used for, and the point in the point doubling data is carried out scalar point doubling wherein, and operation result is returned encryption side control centre 601 or the side of deciphering control centre 602 through upper strata final election module 604;
Key derivation module 606 is used for; Bit String in the key derivation data is carried out the key derivation computing, is that the Bit String of the scalar in the key derivation data returns encryption side control centre 601 or the side of deciphering control centre 602 through upper strata final election module 604 with the length that obtains.
The encryption-side control center, random number generation module, decryption-side control center, point doubling module and key derivation module in Fig. 6 can each be realized by the hardware module of the same name in the encryption system shown in Fig. 2 and the decryption system shown in Fig. 5.
The upper-layer multiplexing module can be realized with a multiplexer (MUX), thereby serving as the data forwarding module that realizes the data exchange between the encryption-side control center and the point doubling module and key derivation module, and between the decryption-side control center and the point doubling module and key derivation module.
Moreover, the encryption-side control center, random number generation module, point doubling module and key derivation module in Fig. 6 can cooperate, under the data forwarding of the upper-layer multiplexing module, to realize the function of the encryption system shown in Fig. 2, and the decryption-side control center, point doubling module and key derivation module in Fig. 6 can cooperate, under the data forwarding of the upper-layer multiplexing module, to realize the function of the decryption system shown in Fig. 5. Therefore, Fig. 6 can realize in hardware the encryption process and decryption process, shown in Fig. 1 and Fig. 4, of the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration. Compared with the separate encryption system and decryption system provided by Fig. 2 and Fig. 5, the encryption-decryption hybrid system provided by Fig. 6 realizes the sharing of the point doubling module and the key derivation module, and thus saves hardware resources at the cost of adding the upper-layer multiplexing module.
Further, because the encryption-side control center, decryption-side control center and key derivation module in Fig. 2 and Fig. 5 all use a cryptographic hash submodule, and the functions of these cryptographic hash submodules are identical (each independently realizes the cryptographic hash operation) so that their structures are identical, and because the point doubling modules shown in Fig. 2 and Fig. 5 can both be realized with the structure shown in Fig. 3 and have the same point doubling function, some submodules can be further shared on the basis of the structure of Fig. 6, thereby further improving device utilization and saving hardware resources.
Fig. 7 is the structure chart of a specific embodiment of the p-element domain SM2 elliptic curve public key encryption-decryption hybrid system proposed by the present invention. This structure can be regarded as a further sharing of modules in the encryption-decryption system structure shown in Fig. 6. The elliptic curve involved in this system has base point G, cofactor h and order n; the public key PB used by the encryption side to encrypt the message M and the private key dB used by the decryption side to decrypt the ciphertext C' form a public-private key pair. To reflect that the ciphertext C sent by the encryption side may be lost, altered, tampered with, forged, etc. during transmission, so that the ciphertext to be decrypted received by the decryption side differs from C, the ciphertext to be decrypted received by the decryption side is denoted C' in the present invention; the two bit strings C' and C have the same form of expression, namely the concatenation of three corresponding bit strings, where the bit string C1' in C' corresponds to the bit string C1 in C, the bit string C2' in C' corresponds to the bit string C2 in C, and the bit string C3' in C' corresponds to the bit string C3 in C; correspondence here means that the two have the same length, and that length is known to both the encryption side and the decryption side.
As shown in Fig. 7, this system comprises: upper-layer multiplexing module 704, lower-layer multiplexing module 709, encryption-side control submodule 701, decryption-side control submodule 702, random number generation module 703, point doubling control submodule 705, key derivation control submodule 706, projective-coordinate point-doubling (2P) submodule 707, projective point addition submodule 708, domain conversion submodule 710, Montgomery-domain multiplication submodule 711, finite-field inversion submodule 712, and cryptographic hash submodule 713 outputting a hash value of v bits; wherein,
The upper-layer multiplexing module 704 is the data forwarding module between the encryption-side control submodule 701 and the point doubling control submodule 705 and key derivation control submodule 706, and between the decryption-side control submodule 702 and the point doubling control submodule 705 and key derivation control submodule 706;
The lower-layer multiplexing module 709 is the data forwarding module between the encryption-side control submodule 701 and the cryptographic hash submodule 713, between the decryption-side control submodule 702 and the cryptographic hash submodule 713, between the point doubling control submodule 705 and the domain conversion submodule 710, Montgomery-domain multiplication submodule 711 and finite-field inversion submodule 712, and between the key derivation control submodule 706 and the cryptographic hash submodule 713;
The encryption-side control submodule 701 is used to: receive the message M to be encrypted, of length klen bits; send the random number k and the point G through the upper-layer multiplexing module 704 to the point doubling control submodule 705 as one group of point doubling data, and receive through module 704 the coordinates (x1, y1) of the returned point C1; convert the point C1 into the bit string C1; send the cofactor h and the point PB through module 704 to the point doubling control submodule 705 as one group of point doubling data, and receive through module 704 the coordinates of the returned point S; judge whether S is the point at infinity, and if so output a message that this encryption has ended in failure; send the random number k and the point PB through module 704 to the point doubling control submodule 705 as one group of point doubling data, and receive through module 704 the coordinates (x2, y2) of the returned point; concatenate x2 and y2 into the bit string x2‖y2; send the scalar klen and the bit string x2‖y2 through module 704 to the key derivation control submodule 706 as one group of key derivation data, and receive through module 704 the returned bit string t; judge whether t is an all-zero bit string, and if so notify the random number generation module 703 to regenerate the random number k, otherwise compute the bitwise XOR of M and t to obtain the bit string C2; send the bit string x2‖M‖y2 obtained by concatenating x2, M and y2, together with the scalar v, through the lower-layer multiplexing module 709 to the cryptographic hash submodule 713 as one group of cryptographic hash data, and receive through module 709 the returned hash value C3; concatenate the bit strings C1, C2 and C3 into the new bit string C1‖C2‖C3 and output it as the ciphertext C;
The decryption-side control submodule 702 is used to: receive the ciphertext C' to be decrypted, whose form is the bit string C1'‖C2'‖C3' concatenated from C1', C2' and C3', where the bit string C1' corresponds to the bit string C1, the bit string C2' corresponds to the bit string C2 and has length klen bits, and the bit string C3' corresponds to the bit string C3; take the bit string C1' out of C' and convert it into the point C1'; judge whether the coordinates of the point C1' satisfy the elliptic curve equation; if so, send the cofactor h and the point C1' through the upper-layer multiplexing module 704 to the point doubling control submodule 705 as one group of point doubling data, and receive through module 704 the coordinates of the returned point S'; judge whether S' is the point at infinity; if not, send the private key dB and the point C1' through module 704 to the point doubling control submodule 705 as one group of point doubling data, and receive through module 704 the coordinates (x2', y2') of the returned point; send the bit string x2'‖y2' concatenated from x2' and y2', together with the scalar klen, through module 704 to the key derivation control submodule 706 as one group of key derivation data, and receive through module 704 the returned bit string t'; judge whether t' is an all-zero bit string, and if not take the bit string C2' out of C'; compute the bitwise XOR of C2' and t' to obtain the bit string M'; send the bit string x2'‖M'‖y2' obtained by concatenating x2', M' and y2', together with the scalar v, through the lower-layer multiplexing module 709 to the cryptographic hash submodule 713 as one group of cryptographic hash data, and receive through module 709 the returned hash value u; take the bit string C3' out of C'; judge whether u equals C3', and if so output M' as the plaintext corresponding to C'; when any of the following occurs: the coordinates of the point C1' do not satisfy the elliptic curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3', output a message that the decryption has ended in failure;
The random number generation module 703 is used to generate a random number k between 1 and (n-1) and send it to the encryption-side control submodule 701;
The point doubling control submodule 705 is used to: receive any group of point doubling data composed of a scalar f and a point D; convert the coordinates (xd, yd) of D in the affine coordinate system into the coordinates (xd2, yd2, 1) of D in the projective coordinate system, and send xd2, yd2, 1 through the lower-layer multiplexing module 709 to the domain conversion submodule 710; send (xd3, yd3, zd3) to the projective point addition submodule 708 and take it as the initial value of the coordinates (xd1, yd1, zd1) of [f]D in the Montgomery domain, where [f]D is the result of performing the f-fold point doubling (scalar multiplication by f) on D; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial value of its current bit; starting from the second-highest bit of the binary representation of f and moving down one bit at a time, with that bit as the current bit, until its lowest bit, perform (L-1) iterative operations; send zd1 from the result coordinates (xd1, yd1, zd1) of the (L-1) iterative operations through module 709 to the Montgomery-domain multiplication submodule 711; send the value of zd1 in the finite field through module 709 to the finite-field inversion submodule 712; send the value of zd1^-1 in the finite field through module 709 to the domain conversion submodule 710; send xd1 and yd1 from the result coordinates (xd1, yd1, zd1) of the (L-1) iterative operations, together with the value of zd1^-1 in the Montgomery domain, through module 709 to the Montgomery-domain multiplication submodule 711; send 1 together with the value of xd1 in the affine coordinate system, and 1 together with the value of yd1 in the affine coordinate system, respectively through module 709 to the Montgomery-domain multiplication submodule 711; return the coordinates (xd1, yd1) formed by the values of xd1 and yd1 in the finite field, as the operation result of [f]D, through the upper-layer multiplexing module 704 to the encryption-side control submodule 701 or the decryption-side control submodule 702; wherein one iterative operation comprises: sending the current value of the coordinates (xd1, yd1, zd1) to the projective-coordinate point-doubling submodule 707, and, when the current bit of f is binary 1, sending the output coordinates returned by the projective-coordinate point-doubling submodule 707 to the projective point addition submodule 708;
The key derivation control submodule 706 is used to: receive any group of key derivation data composed of a scalar klen and a bit string ZZ; set the initial value of the 32-bit counting variable ct to the hexadecimal value 00000001; determine ⌈klen/v⌉, the smallest positive integer greater than or equal to (klen/v); increment the loop variable i from 1 to ⌈klen/v⌉, by 1 each time, performing ⌈klen/v⌉ cryptographic hash operations; if (klen/v) is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; if (klen/v) is not an integer, set Ha!_⌈klen/v⌉ to the leftmost [number of bits given in Figure BDA0000057890960000311] bits of the bit string Ha_⌈klen/v⌉, where [the symbol in Figure BDA0000057890960000312] denotes the largest integer less than or equal to (klen/v); concatenate Ha_i for i from 1 to (⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, and output the resulting bit string of length klen bits as the result of performing the key derivation operation on ZZ; wherein one cryptographic hash operation comprises: concatenating the current value of ct with ZZ into the bit string ZZ‖ct; sending ZZ‖ct and the scalar v to the cryptographic hash submodule as one group of cryptographic hash data; assigning the value H_v(ZZ‖ct) returned by the cryptographic hash submodule to Ha_i; and increasing the value of ct by the hexadecimal value 00000001;
The projective-coordinate point-doubling submodule 707 is used to perform point doubling (2P) on the input coordinates, and return the operation result to the point doubling control submodule 705 as the output coordinates;
The projective point addition submodule 708 is used to perform the point addition of the input coordinates with (xd3, yd3, zd3), and send the operation result to the point doubling control submodule 705;
The domain conversion submodule 710 is used to convert the finite-field values xd2, yd2, 1 into the Montgomery-domain values xd3, yd3, zd3 respectively, and return them through the lower-layer multiplexing module 709 to the point doubling control submodule 705; and to convert the value of zd1^-1 in the finite field into its value in the Montgomery domain, and return it through module 709 to the point doubling control submodule 705;
The Montgomery-domain multiplication submodule 711 is used to perform the Montgomery-domain multiplication of the value of zd1 in the Montgomery domain by 1, and send the resulting value of zd1 in the finite field through module 709 to the point doubling control submodule 705; to perform the Montgomery-domain multiplication of the values of xd1 and zd1^-1 in the Montgomery domain, and of the values of yd1 and zd1^-1 in the Montgomery domain, respectively, and return the resulting values of xd1 and yd1 in the affine coordinate system through module 709 to the point doubling control submodule 705; and to perform the Montgomery-domain multiplication of the values of xd1 and yd1 in the affine coordinate system by 1, respectively, and return the resulting values of xd1 and yd1 in the finite field through module 709 to the point doubling control submodule 705;
The finite-field inversion submodule 712 is used to perform the inversion operation on the value of zd1 in the finite field, and send the resulting value of zd1^-1 in the finite field through module 709 to the point doubling control submodule 705;
The cryptographic hash submodule 713 is used to perform the cryptographic hash operation on the bit string in the cryptographic hash data, and return the generated hash value, whose length is the scalar in the cryptographic hash data, through module 709 to the encryption-side control submodule 701, the decryption-side control submodule 702 or the key derivation control submodule 706.
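The encryption-side and decryption-side control flows, the key derivation operation and the (L-1)-iteration double-and-add schedule of the point doubling control submodule above, as an added Python software model that is not the patent's hardware design and not code from the patent. Assumptions: SHA-256 stands in for the v-bit cryptographic hash (v = 256); the textbook toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) of order 19 and cofactor 1 replaces the SM2 curve parameters; the x‖y byte encoding of a point is assumed; and plain affine arithmetic replaces the projective-coordinate and Montgomery-domain path of the hardware.

```python
import hashlib
import hmac
import secrets

V, HLEN = 256, 32                 # hash length v in bits and bytes; SHA-256 stands in for H_v
P, A, B = 17, 2, 2                # textbook toy curve y^2 = x^3 + 2x + 2 over GF(17)
G, N, H = (5, 1), 19, 1           # base point G of order n = 19 and cofactor h = 1 (as for SM2's curve)
FLEN = (P.bit_length() + 7) // 8  # bytes per coordinate when a point is turned into a bit string

def on_curve(pt):
    # Validity check the decryption side applies to C1' (None denotes the point at infinity O)
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def point_add(p1, p2):
    # Affine addition (doubling when p1 == p2); the hardware does this in projective coordinates
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                # P + (-P) = O, also 2P when y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(f, d):
    # [f]D scheduled as the point doubling control submodule does it: the initial value is D
    # (the top bit of f); then, for each of the L-1 lower bits, double and add D when the bit is 1
    if f == 0 or d is None:
        return None
    r = d
    for bit in bin(f)[3:]:
        r = point_add(r, r)
        if bit == "1":
            r = point_add(r, d)
    return r

def kdf(zz, klen):
    # Ha_i = H_v(ZZ || ct) for i = 1 .. ceil(klen/v), ct a 32-bit counter starting at 1;
    # the result is the leftmost klen bits (klen is a multiple of 8 in this model)
    blocks = [hashlib.sha256(zz + ct.to_bytes(4, "big")).digest()
              for ct in range(1, -(-klen // V) + 1)]
    return b"".join(blocks)[: klen // 8]

def point_to_bytes(pt):
    # Point -> bit string as x || y, each coordinate big-endian in FLEN bytes (an assumed encoding)
    return pt[0].to_bytes(FLEN, "big") + pt[1].to_bytes(FLEN, "big")

def encrypt(msg, pb):
    # Encryption-side control flow; returns C = C1 || C2 || C3, or None when encryption fails
    if not msg or scalar_mul(H, pb) is None:       # S = [h]PB must not be the point at infinity
        return None
    while True:
        k = secrets.randbelow(N - 1) + 1           # random number k in [1, n-1]
        c1 = point_to_bytes(scalar_mul(k, G))      # point C1 = [k]G, converted to a bit string
        x2y2 = point_to_bytes(scalar_mul(k, pb))   # x2 || y2 from the point [k]PB
        t = kdf(x2y2, 8 * len(msg))
        if any(t):                                 # an all-zero t means: regenerate k
            break
    c2 = bytes(m ^ tt for m, tt in zip(msg, t))    # C2 = M xor t
    c3 = hashlib.sha256(x2y2[:FLEN] + msg + x2y2[FLEN:]).digest()   # C3 = H_v(x2 || M || y2)
    return c1 + c2 + c3

def decrypt(c, db):
    # Decryption-side control flow; every failed check returns None (the "decryption failed" message)
    if len(c) <= 2 * FLEN + HLEN:
        return None
    c1 = (int.from_bytes(c[:FLEN], "big"), int.from_bytes(c[FLEN:2 * FLEN], "big"))
    c2, c3 = c[2 * FLEN:-HLEN], c[-HLEN:]
    if not on_curve(c1) or scalar_mul(H, c1) is None:   # C1' on the curve, S' = [h]C1' != O
        return None
    pt = scalar_mul(db, c1)                        # (x2', y2') = [dB]C1'
    if pt is None:
        return None
    x2y2 = point_to_bytes(pt)
    t = kdf(x2y2, 8 * len(c2))
    if not any(t):
        return None
    m = bytes(a ^ b for a, b in zip(c2, t))        # M' = C2' xor t'
    u = hashlib.sha256(x2y2[:FLEN] + m + x2y2[FLEN:]).digest()
    return m if hmac.compare_digest(u, c3) else None    # u must equal C3'

def roundtrip_demo(msg=b"constructed plaintext"):
    # Key pair, encrypt, decrypt, then two bad ciphertexts: a flipped bit in C3', and a C1' off the curve
    db = secrets.randbelow(N - 1) + 1              # private key dB in [1, n-1]; public key PB = [dB]G
    c = encrypt(msg, scalar_mul(db, G))
    flipped_c3 = c[:-1] + bytes([c[-1] ^ 1])
    off_curve_c1 = bytes(2 * FLEN) + c[2 * FLEN:]  # coordinates (0, 0) do not satisfy the curve equation
    return (decrypt(c, db) == msg,
            decrypt(flipped_c3, db) is None,
            decrypt(off_curve_c1, db) is None)
```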
As stated above, the upper-layer multiplexing module and the lower-layer multiplexing module in Fig. 7 can each be realized with a multiplexer (MUX). The encryption-side control submodule, decryption-side control submodule, random number generation module, point doubling control submodule, key derivation control submodule, projective-coordinate point-doubling submodule, domain conversion submodule, Montgomery-domain multiplication submodule, finite-field inversion submodule, projective point addition submodule and cryptographic hash submodule in Fig. 7 can each be realized by the hardware module of the same name in the encryption system and decryption system provided by the present invention.
The encryption-side control submodule, random number generation module, point doubling control submodule, key derivation control submodule, projective-coordinate point-doubling submodule, domain conversion submodule, Montgomery-domain multiplication submodule, finite-field inversion submodule, projective point addition submodule and cryptographic hash submodule in Fig. 7 can realize in hardware the encryption process of the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm, and the decryption-side control submodule, point doubling control submodule, key derivation control submodule, projective-coordinate point-doubling submodule, domain conversion submodule, Montgomery-domain multiplication submodule, finite-field inversion submodule, projective point addition submodule and cryptographic hash submodule in Fig. 7 can realize in hardware the decryption process of the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm. Therefore, the system provided by Fig. 7 is a hybrid system that realizes in hardware the encryption method and decryption method proposed by the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm.
On the basis of the system of Fig. 6, the system shown in Fig. 7 obtains, at the cost of adding the lower-layer multiplexing module, the sharing of the domain conversion submodule, Montgomery-domain multiplication submodule, finite-field inversion submodule and cryptographic hash submodule, which greatly saves hardware resources.
It can be seen that the present invention has the following advantages:
(1) In the present invention, because the encryption-side control center can control the working time sequence of the random number generation module, point doubling module and key derivation module by exchanging data with these modules, and realizes functions such as judgment, bit string concatenation and the cryptographic hash operation, the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm can be realized. Moreover, the encryption-side control center, random number generation module, point doubling module and key derivation module in the present invention can be realized in hardware, so the present invention can realize the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm in hardware.
(2) Because the present invention can realize the public key encryption algorithm in the SM2 elliptic curve public key cryptographic algorithm in hardware, compared with a software implementation of this algorithm the present invention can improve the speed of data encryption and decryption and the security of data transmission.
(3) The present invention converts the data in the finite field under the affine coordinate system into data in the Montgomery domain and performs the point doubling (2P) under the projective coordinate system; although data conversion operations are added, the operation efficiency is greatly improved.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A p-element domain SM2 elliptic curve public key encryption system, said elliptic curve having base point G, cofactor h and order n, the public key being PB, characterized in that the system comprises: an encryption-side control center, a random number generation module, a point doubling module and a key derivation module; wherein,
Said encryption-side control center is used to: receive the message M to be encrypted, of length klen bits; send the random number k and the point G to said point doubling module as one group of point doubling data, and receive the coordinates (x1, y1) of the returned point C1; convert the point C1 into the bit string C1; send the cofactor h and the point PB to said point doubling module as one group of point doubling data, and receive the coordinates of the returned point S; judge whether S is the point at infinity, and if so output a message that this encryption has ended in failure; send the random number k and the point PB to said point doubling module as one group of point doubling data, and receive the coordinates (x2, y2) of the returned point; concatenate x2 and y2 into the bit string x2‖y2; send the scalar klen and the bit string x2‖y2 to said key derivation module as one group of key derivation data, and receive the returned bit string t; judge whether t is an all-zero bit string, and if so notify said random number generation module to regenerate the random number k, otherwise compute the bitwise XOR of M and t to obtain the bit string C2; perform the cryptographic hash operation on the bit string x2‖M‖y2 obtained by concatenating x2, M and y2, generating the hash value C3; concatenate the bit strings C1, C2 and C3 into the new bit string C1‖C2‖C3 and output it as the ciphertext C;
Said random number generation module is used to generate a random number k between 1 and (n-1) and send it to said encryption-side control center;
Said point doubling module is used to perform, on the point in the point doubling data, the scalar point doubling (scalar multiplication) by the scalar in that data, and return the operation result to said encryption-side control center;
Said key derivation module is used to perform the key derivation operation on the bit string in the key derivation data, and return the resulting bit string, whose length is the scalar in the key derivation data, to said encryption-side control center.
2. The system according to claim 1, characterized in that said encryption-side control center comprises: an encryption-side control submodule and a cryptographic hash submodule; wherein,
Said encryption-side control submodule is used to send the bit string x2‖M‖y2 obtained by concatenating x2, M and y2, together with the scalar v, to said cryptographic hash submodule as one group of cryptographic hash data, and receive the returned hash value C3;
Said cryptographic hash submodule is used to perform the cryptographic hash operation on the bit string in the cryptographic hash data, and return the generated hash value, whose length is the scalar in the cryptographic hash data, to said encryption-side control submodule.
3. The system according to claim 1, characterized in that said point doubling module comprises: a point doubling control submodule, a projective-coordinate point-doubling (2P) submodule, a domain conversion submodule, a Montgomery-domain multiplication submodule, a finite-field inversion submodule and a projective point addition submodule; wherein,
Said point doubling control submodule is used to: receive any group of point doubling data composed of a scalar f and a point D; convert the coordinates (xd, yd) of D in the affine coordinate system into the coordinates (xd2, yd2, 1) of D in the projective coordinate system, and send xd2, yd2, 1 to said domain conversion submodule; send (xd3, yd3, zd3) to said projective point addition submodule and take it as the initial value of the coordinates (xd1, yd1, zd1) of [f]D in the Montgomery domain, where [f]D is the result of performing the f-fold point doubling (scalar multiplication by f) on D; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial value of its current bit; starting from the second-highest bit of the binary representation of said f and moving down one bit at a time, with that bit as the current bit, until its lowest bit, perform (L-1) iterative operations; send zd1 from the result coordinates (xd1, yd1, zd1) of said (L-1) iterative operations to said Montgomery-domain multiplication submodule; send the value of zd1 in the finite field to said finite-field inversion submodule; send the value of zd1^-1 in the finite field to said domain conversion submodule; send xd1 and yd1 from the result coordinates (xd1, yd1, zd1) of said (L-1) iterative operations, together with the value of zd1^-1 in the Montgomery domain, to said Montgomery-domain multiplication submodule; send 1 together with the value of xd1 in the affine coordinate system, and 1 together with the value of yd1 in the affine coordinate system, respectively to the Montgomery-domain multiplication submodule; output the coordinates (xd1, yd1) formed by the values of xd1 and yd1 in the finite field as the operation result of [f]D; wherein one said iterative operation comprises: sending the current value of the coordinates (xd1, yd1, zd1) to said projective-coordinate point-doubling submodule, and, when the current bit of f is binary 1, sending the output coordinates returned by said projective-coordinate point-doubling submodule to said projective point addition submodule;
Said projective-coordinate point-doubling submodule is used to perform point doubling (2P) on the input coordinates, and return the operation result to said point doubling control submodule as the output coordinates;
Said domain conversion submodule is used to convert the finite-field values xd2, yd2, 1 into the Montgomery-domain values xd3, yd3, zd3 respectively, and return them to said point doubling control submodule; and to convert the value of zd1^-1 in the finite field into its value in the Montgomery domain, and return it to said point doubling control submodule;
Said Montgomery-domain multiplication submodule is used to perform the Montgomery-domain multiplication of the value of zd1 in the Montgomery domain by 1, and send the resulting value of zd1 in the finite field to said point doubling control submodule; to perform the Montgomery-domain multiplication of the values of xd1 and zd1^-1 in the Montgomery domain, and of the values of yd1 and zd1^-1 in the Montgomery domain, respectively, and return the resulting values of xd1 and yd1 in the affine coordinate system to said point doubling control submodule; and to perform the Montgomery-domain multiplication of the values of said xd1 and yd1 in the affine coordinate system by 1, respectively, and return the resulting values of xd1 and yd1 in the finite field to said point doubling control submodule;
Said finite-field inversion submodule is used to perform the inversion operation on the value of zd1 in the finite field, and send the resulting value of zd1^-1 in the finite field to said point doubling control submodule;
Said projective point addition submodule is used to perform the point addition of the input coordinates with (xd3, yd3, zd3), and send the operation result to said point doubling control submodule.
4. The system according to any one of claims 1-3, characterized in that said key derivation module comprises: a key derivation control submodule and a cryptographic hash submodule outputting a hash value of v bits; wherein,
Said key derivation control submodule is used to: receive any group of key derivation data composed of a scalar klen and a bit string ZZ; set the initial value of the 32-bit counting variable ct to the hexadecimal value 00000001; determine ⌈klen/v⌉, the smallest positive integer greater than or equal to (klen/v); increment the loop variable i from 1 to ⌈klen/v⌉, by 1 each time, performing ⌈klen/v⌉ cryptographic hash operations; if (klen/v) is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; if (klen/v) is not an integer, set Ha!_⌈klen/v⌉ to the leftmost [number of bits given in Figure FDA0000057890950000031] bits of the bit string Ha_⌈klen/v⌉, where the bracketed term in that figure denotes the largest integer less than or equal to (klen/v); concatenate Ha_i for i from 1 to (⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, and output the resulting bit string of length klen bits as the result of performing the key derivation operation on ZZ; wherein one said cryptographic hash operation comprises: concatenating the current value of ct with ZZ into the bit string ZZ‖ct; sending ZZ‖ct and the scalar v to said cryptographic hash submodule as one group of cryptographic hash data; assigning the value H_v(ZZ‖ct) returned by said cryptographic hash submodule to Ha_i; and increasing the value of ct by the hexadecimal value 00000001;
Said cryptographic hash submodule is used to perform the cryptographic hash operation on the bit string ZZ‖ct in the received cryptographic hash data, and return the hash value H_v(ZZ‖ct), whose output length is the scalar v bits in the cryptographic hash data, to said key derivation control submodule.
5. An SM2 elliptic curve public key decryption system over the prime field F_p, the elliptic curve having a base point G, a cofactor h and an order n, and the private key being dB, characterized in that the system comprises a decryption-side control center, a point multiplication module and a key derivation module; wherein
the decryption-side control center is used to: receive a ciphertext C' to be decrypted in the form of the bit string C1' || C2' || C3' concatenated from C1', C2' and C3', where the length of C2' is klen bits; take the bit string C1' out of C' and convert it into the point C1'; check whether the coordinates of C1' satisfy the curve equation and, if so, send the cofactor h and the point C1' to the point multiplication module as one group of point multiplication data and receive the coordinates of the point S' it returns; check whether S' is the point at infinity and, if not, send the private key dB and the point C1' to the point multiplication module as one group of point multiplication data and receive the coordinates (x2', y2') of the point it returns; send the bit string x2' || y2' concatenated from x2' and y2', together with the scalar klen, to the key derivation module as one group of key derivation data and receive the bit string t' it returns; check whether t' is an all-zero bit string and, if not, take the bit string C2' out of C'; XOR C2' and t' bit by bit to obtain the bit string M'; hash the bit string x2' || M' || y2' to obtain the hash value u; take the bit string C3' out of C'; check whether u equals C3' and, if so, output M' as the plaintext corresponding to C'; and output a message that decryption has failed whenever any of the following occurs: the coordinates of C1' do not satisfy the curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3';
the point multiplication module is used to: multiply the point in the point multiplication data by the scalar in that data, and return the result to the decryption-side control center;
the key derivation module is used to: perform the key derivation operation on the bit string in the key derivation data, and return to the decryption-side control center a bit string whose length is the scalar in the key derivation data.
6. The system according to claim 5, characterized in that the decryption-side control center comprises a decryption-side control submodule and a cryptographic hash submodule; wherein
the decryption-side control submodule is used to: send the bit string x2' || M' || y2' concatenated from x2', M' and y2', together with the scalar v, to the cryptographic hash submodule as one group of cryptographic hash data, and receive the hash value u it returns;
the cryptographic hash submodule is used to: hash the bit string x2' || M' || y2' in the cryptographic hash data and return the hash value u, whose length is the scalar v bits in the cryptographic hash data, to the decryption-side control submodule.
7. The system according to claim 5, characterized in that the point multiplication module comprises: a point multiplication control submodule, a projective-coordinate point doubling submodule, a domain conversion submodule, a Montgomery-domain multiplication submodule, a finite field inversion submodule and a projective-coordinate point addition submodule; wherein
the point multiplication control submodule is used to: receive point multiplication data consisting of a scalar f and a point D; convert the affine coordinates (xd, yd) of D into its projective coordinates (xd2, yd2, 1) and send xd2, yd2 and 1 to the domain conversion submodule; send the Montgomery-domain coordinates (xd3, yd3, zd3) returned by the domain conversion submodule to the projective-coordinate point addition submodule, and also take them as the initial value of the Montgomery-domain coordinates (xd1, yd1, zd1) of [f]D, where [f]D is the result of multiplying D by f; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial current bit and, moving down one bit at a time from the second-highest bit to the lowest bit of f as the current bit, perform (L−1) iterations; send zd1 of the result coordinates (xd1, yd1, zd1) of the (L−1) iterations to the Montgomery-domain multiplication submodule; send the finite-field value of zd1 to the finite field inversion submodule; send the finite-field value of zd1^-1 to the domain conversion submodule; send xd1 and yd1 of the result coordinates (xd1, yd1, zd1) of the (L−1) iterations, together with the Montgomery-domain value of zd1^-1, to the Montgomery-domain multiplication submodule; send 1 together with the affine-coordinate value of xd1, and 1 together with the affine-coordinate value of yd1, respectively to the Montgomery-domain multiplication submodule; and output the coordinates (xd1, yd1) formed by the finite-field values of xd1 and yd1 as the result of [f]D; wherein one iteration comprises: sending the current value of the coordinates (xd1, yd1, zd1) to the projective-coordinate point doubling submodule and, if the current bit of f is binary 1, sending the output coordinates returned by the projective-coordinate point doubling submodule to the projective-coordinate point addition submodule;
the projective-coordinate point doubling submodule is used to: double the input coordinates and return the result to the point multiplication control submodule as output coordinates;
the domain conversion submodule is used to: convert the finite-field values xd2, yd2 and 1 into their respective Montgomery-domain values xd3, yd3 and zd3 and return them to the point multiplication control submodule; and convert the finite-field value of zd1^-1 into its Montgomery-domain value and return it to the point multiplication control submodule;
the Montgomery-domain multiplication submodule is used to: Montgomery-multiply the Montgomery-domain value of zd1 by 1 and send the resulting finite-field value of zd1 to the point multiplication control submodule; Montgomery-multiply the Montgomery-domain values of xd1 and yd1 respectively by the Montgomery-domain value of zd1^-1 and return the resulting affine-coordinate values of xd1 and yd1 to the point multiplication control submodule; and Montgomery-multiply the affine-coordinate values of xd1 and yd1 each by 1 and return the resulting finite-field values of xd1 and yd1 to the point multiplication control submodule;
the finite field inversion submodule is used to: invert the finite-field value of zd1 and send the resulting finite-field value of zd1^-1 to the point multiplication control submodule;
the projective-coordinate point addition submodule is used to: add the input coordinates to (xd3, yd3, zd3) and send the result to the point multiplication control submodule.
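The point multiplication datapath of claim 7 (the same datapath appears in claims 3 and 10), as an added software example that is not the patent's own code: affine input converted into the Montgomery domain, MSB-first double-and-add in standard projective coordinates starting from the second-highest bit, then leaving the domain by a Montgomery multiplication by 1, inverting zd1 in F_p, converting the inverse back into the domain, and recovering affine (x, y). The claims name neither the Montgomery radix nor the curve, so R = 2^256 and the GM/T 0003 recommended SM2 curve parameters are assumptions here; the curve formulas are the textbook projective ones. An independent affine double-and-add is included only to cross-check the result. Note that the branch on the scalar bit is exactly as claimed, which makes the sequence of doublings and additions depend on the scalar (dB in decryption); a production datapath would need a constant-pattern ladder or blinding, which the claims do not describe.

```python
# Added example, not the patent's code: claims 3/7/10 point multiplication datapath.
# Assumptions: Montgomery radix R = 2^256; GM/T 0003 recommended SM2 curve.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
RBITS = 256
R = 1 << RBITS                  # Montgomery radix (assumed word width)
R2 = (R * R) % P                # entering the domain is a Montgomery multiply by R^2 mod p
NPRIME = (-pow(P, -1, R)) % R   # -p^{-1} mod R
INF = (0, 1, 0)                 # projective point at infinity (Z == 0)

def mont_mul(a, b):
    """Montgomery-domain multiplication submodule: a * b * R^-1 mod p."""
    t = a * b
    m = (t * NPRIME) & (R - 1)
    u = (t + m * P) >> RBITS
    return u - P if u >= P else u

def to_mont(x):      # domain conversion submodule: x -> x*R mod p
    return mont_mul(x, R2)

def from_mont(xm):   # leaving the domain is a Montgomery multiplication by 1, as claimed
    return mont_mul(xm, 1)

def smul(k, x):      # small-integer multiple; Montgomery form is linear, no conversion needed
    return (k * x) % P

AM = to_mont(A)

def proj_double(pt):
    """Projective-coordinate point doubling submodule (inputs in the Montgomery domain)."""
    X, Y, Z = pt
    if Z == 0:
        return INF
    W = (mont_mul(AM, mont_mul(Z, Z)) + smul(3, mont_mul(X, X))) % P   # a*Z^2 + 3*X^2
    S = mont_mul(Y, Z)
    Bv = mont_mul(mont_mul(X, Y), S)
    Hv = (mont_mul(W, W) - smul(8, Bv)) % P
    Y3 = (mont_mul(W, (smul(4, Bv) - Hv) % P)
          - smul(8, mont_mul(mont_mul(Y, Y), mont_mul(S, S)))) % P
    return (smul(2, mont_mul(Hv, S)), Y3, smul(8, mont_mul(mont_mul(S, S), S)))

def proj_add(p1, p2):
    """Projective-coordinate point addition submodule (inputs in the Montgomery domain)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    if Z1 == 0 or Z2 == 0:
        return p2 if Z1 == 0 else p1
    U1, U2 = mont_mul(Y2, Z1), mont_mul(Y1, Z2)
    V1, V2 = mont_mul(X2, Z1), mont_mul(X1, Z2)
    if V1 == V2:
        return proj_double(p1) if U1 == U2 else INF   # P + P, or P + (-P)
    U, V, W = (U1 - U2) % P, (V1 - V2) % P, mont_mul(Z1, Z2)
    Vsq = mont_mul(V, V)
    Vcu = mont_mul(Vsq, V)
    Av = (mont_mul(mont_mul(U, U), W) - Vcu - smul(2, mont_mul(Vsq, V2))) % P
    Y3 = (mont_mul(U, (mont_mul(Vsq, V2) - Av) % P) - mont_mul(Vcu, U2)) % P
    return (mont_mul(V, Av), Y3, mont_mul(Vcu, W))

def point_mul(f, D):
    """[f]D sequenced as claim 7 does; returns affine (x, y) in F_p, None for infinity."""
    if f == 0:
        return None
    base = (to_mont(D[0]), to_mont(D[1]), to_mont(1))   # (xd2, yd2, 1) -> (xd3, yd3, zd3)
    acc = base                                           # initial (xd1, yd1, zd1)
    for i in range(f.bit_length() - 2, -1, -1):          # L-1 iterations, 2nd-highest bit down
        acc = proj_double(acc)
        if (f >> i) & 1:      # scalar-dependent branch exactly as claimed: not constant-time
            acc = proj_add(acc, base)
    xd1, yd1, zd1 = acc
    if zd1 == 0:
        return None
    zinv = to_mont(pow(from_mont(zd1), -1, P))   # zd1*1 -> F_p, invert, convert back in
    return (from_mont(mont_mul(xd1, zinv)), from_mont(mont_mul(yd1, zinv)))

def affine_mul(f, D):   # independent affine double-and-add, used only to cross-check
    def add(p1, p2):
        if p1 is None or p2 is None:
            return p1 or p2
        (x1, y1), (x2, y2) = p1, p2
        if x1 == x2 and (y1 + y2) % P == 0:
            return None
        lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
               else (y2 - y1) * pow(x2 - x1, -1, P)) % P
        x3 = (lam * lam - x1 - x2) % P
        return (x3, (lam * (x1 - x3) - y1) % P)
    acc = None
    for i in range(f.bit_length() - 1, -1, -1):
        acc = add(acc, acc)
        if (f >> i) & 1:
            acc = add(acc, D)
    return acc

def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0
```

`point_mul(N, G)` returns `None`, which is how the control center's "S is the point at infinity" check surfaces in software; every intermediate product stays in Montgomery form, and the only two conversions are the ones the claim schedules (into the domain before the loop, and around the single F_p inversion after it).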
8. The system according to any one of claims 5 to 7, characterized in that the key derivation module comprises a key derivation control submodule and a cryptographic hash submodule that outputs a v-bit hash value; wherein
the key derivation control submodule is used to: receive key derivation data consisting of a scalar klen and a bit string ZZ; set the initial value of a 32-bit counter ct to 0x00000001; determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; for the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1, perform ⌈klen/v⌉ cryptographic hash operations; if klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, otherwise set Ha!_⌈klen/v⌉ to the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer not greater than klen/v; concatenate Ha_1, …, Ha_(⌈klen/v⌉−1) and Ha!_⌈klen/v⌉ in that order, and output the resulting klen-bit bit string as the result of the key derivation operation on ZZ; wherein one cryptographic hash operation comprises: concatenating ZZ with the current value of ct into the bit string ZZ || ct; sending ZZ || ct and the scalar v to the cryptographic hash submodule as one group of cryptographic hash data; assigning the value H_v(ZZ || ct) returned by the cryptographic hash submodule to Ha_i; and incrementing ct by 0x00000001;
the cryptographic hash submodule is used to: hash the bit string ZZ || ct in the received cryptographic hash data and return the hash value H_v(ZZ || ct), whose length is the scalar v bits in the cryptographic hash data, to the key derivation control submodule.
9. An SM2 elliptic curve public key encryption and decryption hybrid system over the prime field F_p, the elliptic curve having a base point G, a cofactor h and an order n, the public key being PB and the private key being dB, characterized in that the system comprises: an upper-level multiplexing module, an encryption-side control center, a decryption-side control center, a random number generation module, a point multiplication module and a key derivation module; wherein
the upper-level multiplexing module is a data forwarding module between the encryption-side control center and the point multiplication and key derivation modules, and between the decryption-side control center and the point multiplication and key derivation modules;
the encryption-side control center is used to: receive a message M to be encrypted of length klen bits; send the random number k and the point G, via the upper-level multiplexing module, to the point multiplication module as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x1, y1) of the point C1 it returns; convert the point C1 into the bit string C1; send the cofactor h and the point PB, via the upper-level multiplexing module, to the point multiplication module as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates of the point S it returns; check whether S is the point at infinity and, if so, output a message that this encryption has failed; send the random number k and the point PB, via the upper-level multiplexing module, to the point multiplication module as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x2, y2) of the point it returns; concatenate x2 and y2 into the bit string x2 || y2; send the scalar klen and the bit string x2 || y2, via the upper-level multiplexing module, to the key derivation module as one group of key derivation data, and receive via the upper-level multiplexing module the bit string t it returns; check whether t is an all-zero bit string and, if so, notify the random number generation module to generate a new random number k, otherwise XOR M and t bit by bit to obtain the bit string C2; hash the bit string x2 || M || y2 concatenated from x2, M and y2 to generate the hash value C3; and concatenate the bit strings C1, C2 and C3 into the new bit string C1 || C2 || C3 and output it as the ciphertext C;
the decryption-side control center is used to: receive a ciphertext C' to be decrypted in the form of the bit string C1' || C2' || C3' concatenated from C1', C2' and C3', where C1' corresponds to the bit string C1, C2' corresponds to the bit string C2 and has length klen bits, and C3' corresponds to the bit string C3; take the bit string C1' out of C' and convert it into the point C1'; check whether the coordinates of C1' satisfy the curve equation and, if so, send the cofactor h and the point C1', via the upper-level multiplexing module, to the point multiplication module as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates of the point S' it returns; check whether S' is the point at infinity and, if not, send the private key dB and the point C1', via the upper-level multiplexing module, to the point multiplication module as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x2', y2') of the point it returns; send the bit string x2' || y2' concatenated from x2' and y2', together with the scalar klen, via the upper-level multiplexing module, to the key derivation module as one group of key derivation data, and receive via the upper-level multiplexing module the bit string t' it returns; check whether t' is an all-zero bit string and, if not, take the bit string C2' out of C'; XOR C2' and t' bit by bit to obtain the bit string M'; hash the bit string x2' || M' || y2' to obtain the hash value u; take the bit string C3' out of C'; check whether u equals C3' and, if so, output M' as the plaintext corresponding to C'; and output a message that decryption has failed whenever any of the following occurs: the coordinates of C1' do not satisfy the curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3';
the random number generation module is used to: generate a random number k between 1 and (n−1), and send it to the encryption-side control center;
the point multiplication module is used to: multiply the point in the point multiplication data by the scalar in that data, and return the result, via the upper-level multiplexing module, to the encryption-side control center or the decryption-side control center;
the key derivation module is used to: perform the key derivation operation on the bit string in the key derivation data, and return, via the upper-level multiplexing module, a bit string whose length is the scalar in the key derivation data to the encryption-side control center or the decryption-side control center.
10. An SM2 elliptic curve public key encryption and decryption hybrid system over the prime field F_p, the elliptic curve having a base point G, a cofactor h and an order n, the public key being PB and the private key being dB, characterized in that the system comprises: an upper-level multiplexing module, a lower-level multiplexing module, an encryption-side control submodule, a decryption-side control submodule, a random number generation module, a point multiplication control submodule, a key derivation control submodule, a projective-coordinate point doubling submodule, a domain conversion submodule, a Montgomery-domain multiplication submodule, a finite field inversion submodule, a projective-coordinate point addition submodule, and a cryptographic hash submodule that outputs a v-bit hash value; wherein
the upper-level multiplexing module is a data forwarding module between the encryption-side control submodule and the point multiplication control and key derivation control submodules, and between the decryption-side control submodule and the point multiplication control and key derivation control submodules;
the lower-level multiplexing module is a data forwarding module between the encryption-side control submodule and the cryptographic hash submodule, between the decryption-side control submodule and the cryptographic hash submodule, between the point multiplication control submodule and the domain conversion, Montgomery-domain multiplication and finite field inversion submodules, and between the key derivation control submodule and the cryptographic hash submodule;
the encryption-side control submodule is used to: receive a message M to be encrypted of length klen bits; send the random number k and the point G, via the upper-level multiplexing module, to the point multiplication control submodule as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x1, y1) of the point C1 it returns; convert the point C1 into the bit string C1; send the cofactor h and the point PB, via the upper-level multiplexing module, to the point multiplication control submodule as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates of the point S it returns; check whether S is the point at infinity and, if so, output a message that this encryption has failed; send the random number k and the point PB, via the upper-level multiplexing module, to the point multiplication control submodule as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x2, y2) of the point it returns; concatenate x2 and y2 into the bit string x2 || y2; send the scalar klen and the bit string x2 || y2, via the upper-level multiplexing module, to the key derivation control submodule as one group of key derivation data, and receive via the upper-level multiplexing module the bit string t it returns; check whether t is an all-zero bit string and, if so, notify the random number generation module to generate a new random number k, otherwise XOR M and t bit by bit to obtain the bit string C2; send the bit string x2 || M || y2 concatenated from x2, M and y2, together with the scalar v, via the lower-level multiplexing module, to the cryptographic hash submodule as one group of cryptographic hash data, and receive via the lower-level multiplexing module the hash value C3 it returns; and concatenate the bit strings C1, C2 and C3 into the new bit string C1 || C2 || C3 and output it as the ciphertext C;
the decryption-side control submodule is used to: receive a ciphertext C' to be decrypted in the form of the bit string C1' || C2' || C3' concatenated from C1', C2' and C3', where C1' corresponds to the bit string C1, C2' corresponds to the bit string C2 and has length klen bits, and C3' corresponds to the bit string C3; take the bit string C1' out of C' and convert it into the point C1'; check whether the coordinates of C1' satisfy the curve equation and, if so, send the cofactor h and the point C1', via the upper-level multiplexing module, to the point multiplication control submodule as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates of the point S' it returns; check whether S' is the point at infinity and, if not, send the private key dB and the point C1', via the upper-level multiplexing module, to the point multiplication control submodule as one group of point multiplication data, and receive via the upper-level multiplexing module the coordinates (x2', y2') of the point it returns; send the bit string x2' || y2' concatenated from x2' and y2', together with the scalar klen, via the upper-level multiplexing module, to the key derivation control submodule as one group of key derivation data, and receive via the upper-level multiplexing module the bit string t' it returns; check whether t' is an all-zero bit string and, if not, take the bit string C2' out of C'; XOR C2' and t' bit by bit to obtain the bit string M'; send the bit string x2' || M' || y2' concatenated from x2', M' and y2', together with the scalar v, via the lower-level multiplexing module, to the cryptographic hash submodule as one group of cryptographic hash data, and receive via the lower-level multiplexing module the hash value u it returns; take the bit string C3' out of C'; check whether u equals C3' and, if so, output M' as the plaintext corresponding to C'; and output a message that decryption has failed whenever any of the following occurs: the coordinates of C1' do not satisfy the curve equation, S' is the point at infinity, t' is an all-zero bit string, or u is not equal to C3';
the random number generation module is used to: generate a random number k between 1 and (n−1), and send it to the encryption-side control submodule;
the point multiplication control submodule is used to: receive point multiplication data consisting of a scalar f and a point D; convert the affine coordinates (xd, yd) of D into its projective coordinates (xd2, yd2, 1) and send xd2, yd2 and 1, via the lower-level multiplexing module, to the domain conversion submodule; send the Montgomery-domain coordinates (xd3, yd3, zd3) returned by the domain conversion submodule to the projective-coordinate point addition submodule, and also take them as the initial value of the Montgomery-domain coordinates (xd1, yd1, zd1) of [f]D, where [f]D is the result of multiplying D by f; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial current bit and, moving down one bit at a time from the second-highest bit to the lowest bit of f as the current bit, perform (L−1) iterations; send zd1 of the result coordinates (xd1, yd1, zd1) of the (L−1) iterations, via the lower-level multiplexing module, to the Montgomery-domain multiplication submodule; send the finite-field value of zd1, via the lower-level multiplexing module, to the finite field inversion submodule; send the finite-field value of zd1^-1, via the lower-level multiplexing module, to the domain conversion submodule; send xd1 and yd1 of the result coordinates (xd1, yd1, zd1) of the (L−1) iterations, together with the Montgomery-domain value of zd1^-1, via the lower-level multiplexing module, to the Montgomery-domain multiplication submodule; send 1 together with the affine-coordinate value of xd1, and 1 together with the affine-coordinate value of yd1, respectively via the lower-level multiplexing module to the Montgomery-domain multiplication submodule; and return the coordinates (xd1, yd1) formed by the finite-field values of xd1 and yd1, via the upper-level multiplexing module, to the encryption-side control submodule or the decryption-side control submodule as the result of [f]D; wherein one iteration comprises: sending the current value of the coordinates (xd1, yd1, zd1) to the projective-coordinate point doubling submodule and, if the current bit of f is binary 1, sending the output coordinates returned by the projective-coordinate point doubling submodule to the projective-coordinate point addition submodule;
the key derivation control submodule is used to: receive key derivation data consisting of a scalar klen and a bit string ZZ; set the initial value of a 32-bit counter ct to 0x00000001; determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; for the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1, perform ⌈klen/v⌉ cryptographic hash operations; if klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉, otherwise set Ha!_⌈klen/v⌉ to the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer not greater than klen/v; concatenate Ha_1, …, Ha_(⌈klen/v⌉−1) and Ha!_⌈klen/v⌉ in that order, and output the resulting klen-bit bit string as the result of the key derivation operation on ZZ; wherein one cryptographic hash operation comprises: concatenating ZZ with the current value of ct into the bit string ZZ || ct; sending ZZ || ct and the scalar v to the cryptographic hash submodule as one group of cryptographic hash data; assigning the value H_v(ZZ || ct) returned by the cryptographic hash submodule to Ha_i; and incrementing ct by 0x00000001;
the projective-coordinate point doubling submodule is used to: double the input coordinates and return the result to the point multiplication control submodule as output coordinates;
the projective-coordinate point addition submodule is used to: add the input coordinates to (xd3, yd3, zd3) and send the result to the point multiplication control submodule;
the domain conversion submodule is used to: convert the finite-field values xd2, yd2 and 1 into their respective Montgomery-domain values xd3, yd3 and zd3 and return them, via the lower-level multiplexing module, to the point multiplication control submodule; and convert the finite-field value of zd1^-1 into its Montgomery-domain value and return it, via the lower-level multiplexing module, to the point multiplication control submodule;
the Montgomery-domain multiplication submodule is used to: Montgomery-multiply the Montgomery-domain value of zd1 by 1 and send the resulting finite-field value of zd1, via the lower-level multiplexing module, to the point multiplication control submodule; Montgomery-multiply the Montgomery-domain values of xd1 and yd1 respectively by the Montgomery-domain value of zd1^-1 and return the resulting affine-coordinate values of xd1 and yd1, via the lower-level multiplexing module, to the point multiplication control submodule; and Montgomery-multiply the affine-coordinate values of xd1 and yd1 each by 1 and return the resulting finite-field values of xd1 and yd1, via the lower-level multiplexing module, to the point multiplication control submodule;
the finite field inversion submodule is used to: invert the finite-field value of zd1 and send the resulting finite-field value of zd1^-1, via the lower-level multiplexing module, to the point multiplication control submodule;
the cryptographic hash submodule is used to: hash the bit string in the cryptographic hash data and return, via the lower-level multiplexing module, a hash value whose length is the scalar in the cryptographic hash data to the encryption-side control submodule, the decryption-side control submodule or the key derivation control submodule.
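The encryption flow of claims 9 and 10, the decryption flow of claims 5, 9 and 10, and the key derivation function of claims 4 and 8, as one added software example that is not the patent's own code. Assumptions: `hashlib.sha256` stands in for the v-bit hash the claims leave unnamed (v = 256; the SM2 standard uses SM3), the GM/T 0003 recommended curve with cofactor h = 1, the point C1 is encoded as the bit string 0x04 || x1 || y1, klen is a multiple of 8, and scalar multiplication is a plain affine double-and-add rather than the Montgomery projective datapath the claims describe. The decryption side reports every one of the claims' four failure conditions as a single `None`, and compares u with C3' in constant time (a choice made here, not stated in the claims).

```python
# Added example, not the patent's code: encryption (claims 9/10), decryption (claims
# 5/9/10) and the KDF (claims 4/8). Assumptions: sha256 stands in for the unnamed
# v-bit hash (SM3 in the SM2 standard); GM/T 0003 recommended curve, cofactor h = 1;
# C1 encoded as 0x04||x||y; plain affine arithmetic instead of the Montgomery datapath.
import hashlib
import hmac
import secrets

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H = 1            # cofactor h of the recommended curve
V = 256          # hash output length in bits

def hash_v(data):
    return hashlib.sha256(data).digest()

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """[k]pt by MSB-first double-and-add (affine, for brevity)."""
    acc = None
    for i in range(k.bit_length() - 1, -1, -1):
        acc = ec_add(acc, acc)
        if (k >> i) & 1:
            acc = ec_add(acc, pt)
    return acc

def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0

def kdf(zz, klen):
    """Claims 4/8: Ha_i = H_v(ZZ || ct), ct = 1 .. ceil(klen/v); last block truncated.
    klen is in bits and assumed to be a multiple of 8 here."""
    rounds = -(-klen // V)                       # ceil(klen / v)
    blocks = b"".join(hash_v(zz + ct.to_bytes(4, "big")) for ct in range(1, rounds + 1))
    # Ha!_ceil is the whole block when v | klen, else its leftmost klen - v*floor(klen/v) bits
    kbits = int.from_bytes(blocks, "big") >> (rounds * V - klen)
    return kbits.to_bytes(klen // 8, "big")

def i2b(x):
    return x.to_bytes(32, "big")

def keygen():
    dB = secrets.randbelow(N - 1) + 1
    return dB, ec_mul(dB, G)

def encrypt(PB, M, k=None):
    """Claims 9/10: C = C1 || C2 || C3. k is random unless supplied (for tests)."""
    if not M or ec_mul(H, PB) is None:           # S = [h]PB at infinity: encryption fails
        return None                              # (empty M would never pass the t != 0 test)
    klen = 8 * len(M)
    while True:
        kk = k if k is not None else secrets.randbelow(N - 1) + 1
        x1, y1 = ec_mul(kk, G)                   # C1 = [k]G
        x2, y2 = ec_mul(kk, PB)                  # [k]PB = (x2, y2)
        t = kdf(i2b(x2) + i2b(y2), klen)
        if any(t):                               # all-zero t: ask for a fresh k and retry
            break
        k = None
    C2 = bytes(m ^ s for m, s in zip(M, t))      # C2 = M xor t
    C3 = hash_v(i2b(x2) + M + i2b(y2))           # C3 = Hash(x2 || M || y2)
    return b"\x04" + i2b(x1) + i2b(y1) + C2 + C3

def decrypt(dB, C):
    """Claims 5/9/10: returns M', or None on any of the four failure conditions."""
    if len(C) < 65 + V // 8 or C[0] != 0x04:
        return None
    C1, C2, C3 = C[1:65], C[65:len(C) - V // 8], C[len(C) - V // 8:]
    pt = (int.from_bytes(C1[:32], "big"), int.from_bytes(C1[32:], "big"))
    if not on_curve(pt) or ec_mul(H, pt) is None:   # C1' not on curve, or S' at infinity
        return None
    d = ec_mul(dB, pt)                           # (x2', y2') = [dB]C1'
    if d is None:
        return None
    x2, y2 = d
    t = kdf(i2b(x2) + i2b(y2), 8 * len(C2))
    if not any(t):                               # t' all zero
        return None
    M = bytes(c ^ s for c, s in zip(C2, t))      # M' = C2' xor t'
    u = hash_v(i2b(x2) + M + i2b(y2))            # u = Hash(x2' || M' || y2')
    if not hmac.compare_digest(u, C3):           # u != C3'
        return None
    return M
```

Usage: `dB, PB = keygen(); C = encrypt(PB, b"..."); decrypt(dB, C)`. The klen handling in `kdf` is where the ⌈klen/v⌉ / ⌊klen/v⌋ distinction of claims 4 and 8 matters: a 33-byte message needs two hash blocks and keeps only the first 8 bits of the second one.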
CN2011101075707A 2011-04-27 2011-04-27 P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system Pending CN102761412A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011101075707A CN102761412A (en) 2011-04-27 2011-04-27 P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011101075707A CN102761412A (en) 2011-04-27 2011-04-27 P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system

Publications (1)

Publication Number Publication Date
CN102761412A true CN102761412A (en) 2012-10-31

Family

ID=47055739

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011101075707A Pending CN102761412A (en) 2011-04-27 2011-04-27 P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system

Country Status (1)

Country Link
CN (1) CN102761412A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505306A (en) * 2002-11-29 2004-06-16 海南信安数据系统有限公司 Elliptic curve encryption and decryption method and apparatus
CN101547089A (en) * 2008-03-28 2009-09-30 上海爱信诺航芯电子科技有限公司 Method for realizing elliptic curve cryptosystem algorithm over prime field in integrated circuit
CN101931529A (en) * 2010-08-09 2010-12-29 中兴通讯股份有限公司 Data encryption method, data decryption method and nodes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
State Cryptography Administration: "SM2 Elliptic Curve Public Key Cryptographic Algorithm", State Cryptography Administration Announcement No. 21, 17 December 2010 (2010-12-17) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929305A (en) * 2013-01-16 2014-07-16 上海华虹集成电路有限责任公司 SM2 signature algorithm implementation method
CN103532721A (en) * 2013-10-23 2014-01-22 北京旋极信息技术股份有限公司 Digital signature method, signature verification method, and method of distinguishing transaction signature and common signature
CN106549769A (en) * 2016-12-08 2017-03-29 广东工业大学 SM2 elliptic curve signature system over the prime field Fp
CN107147495A (en) * 2017-05-25 2017-09-08 广东工业大学 Implementation method of the SM2 encryption algorithm over a binary extension field
CN107294720A (en) * 2017-07-07 2017-10-24 广东工业大学 Hardware implementation system for the SM2 elliptic curve public key cryptographic algorithm over the prime field Fp
CN110752931A (en) * 2019-10-16 2020-02-04 浙江双成电气有限公司 SM2 elliptic curve public key cryptosystem optimization method
CN110752931B (en) * 2019-10-16 2022-10-14 浙江双成电气有限公司 SM2 elliptic curve public key cryptosystem optimization method
CN113141247A (en) * 2021-04-25 2021-07-20 重庆都会信息科技有限公司 Homomorphic encryption method, device and system and readable storage medium
CN113141247B (en) * 2021-04-25 2023-07-04 重庆都会信息科技有限公司 Homomorphic encryption method, homomorphic encryption device, homomorphic encryption system and readable storage medium
CN117353926A (en) * 2023-12-01 2024-01-05 苏州元脑智能科技有限公司 Chip-based SM2 algorithm cryptographic processing method, device and equipment
CN117353926B (en) * 2023-12-01 2024-02-27 苏州元脑智能科技有限公司 Chip-based SM2 algorithm cryptographic processing method, device and equipment

Similar Documents

Publication Publication Date Title
CN102761413B (en) Implementation system of p-element domain SM2 elliptic curve public key cryptographic algorithm
CN110830236B (en) Identity-based encryption method based on global hash
CN102761412A (en) P-element domain SM2 elliptic curve public key encryption, decryption and encryption-decryption hybrid system
CN110113155B (en) High-efficiency certificateless public key encryption method
Keerthi et al. Elliptic curve cryptography for secured text encryption
CN101262341A (en) A hybrid encryption method in a session system
CN105099672A (en) Hybrid encryption method and device for realizing the same
CN104168114A (en) Distributed (k, n) threshold certificate-based encryption method and system
CN107086912B (en) Ciphertext conversion method, decryption method and system in heterogeneous storage system
CN110113150A (en) Deniable authentication encryption method and system in a certificateless environment
CN104158880A (en) User-end cloud data sharing solution
CN102035646A (en) Mixed key agreement method for enhancing protection
CN103269272B (en) A key encapsulation method based on short-lived certificates
CN108055134B (en) Collaborative computing method and system for elliptic curve point multiplication and pairing operation
CN113132104A (en) Actively secure two-party ECDSA digital signature generation method
Hoobi Efficient hybrid cryptography algorithm
US20050135610A1 (en) Identifier-based signcryption
Das et al. An efficient method for text encryption using elliptic curve cryptography
CA2742530C (en) Masking the output of random number generators in key generation protocols
CN109756335B (en) Public key encryption and decryption method over a finite field multiplicative group of Mersenne prime order
WO2010070579A1 (en) System and method for countering side-channel attacks against encryption based on cyclic groups
Nithya et al. Survey on asymmetric key cryptography algorithms
CN102761411A (en) P element field SM2 elliptic curve key agreement system
Mehibel et al. A new algorithm for a public key cryptosystem using elliptic curve
CN109981254A (en) A compact public key encryption method based on the decomposition problem in finite Lie-type groups

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20121031