WO2008148275A1 - Method and system for encoding and decoding the digital message - Google Patents

Abstract

A method and system for encoding and decoding the digital message are provided. The method includes: a public key containing E(x) is generated, wherein, E(x) is the set of non-linearly mapping function from x to y on domain F; and, the E(x) contains interface function R(x) implicitly, which is used to obtain n m-variable functions; a private key containing R(x), one way function chain H(w)and its inverse function H-1(z) are generated; corresponding encryption/decryption process or signature authentication process is completed using H(w), thepublic key, and the private key. The conversion of plaintext and ciphertext, signature and data is equaled to its part of equations are the simultaneous permutation equation set of one way function. Due to the one way function maps the bit string to the bit string in the manner of almost random, the origin algebra relation is destroyed, the mathematics conversion rule of one way function equals to dense polynomial set, expanding it completely needs index level store space, anti-decoding is improved greatly.

Description

 Method and system for encoding and decoding digital messages

 The present application claims priority to Chinese Patent Application No. 200710100306.4, entitled "A Method and System for Encoding and Decoding Digital Messages", filed on June 7, 2007, the entire contents of which is incorporated herein by reference. This is incorporated herein by reference.

TECHNICAL FIELD The present invention relates to the field of encoding and decoding of information, and more particularly to a public key cryptosystem for encrypting, decrypting, and signing and verifying data messages.

Background technique

 Cryptography is a science and technology that studies encryption and decryption transformation. Usually, people refer to plain text as plaintext; incomprehensible text that transforms plaintext into ciphertext. The process of transforming plaintext into ciphertext is called encryption; the reverse process, that is, the process of transforming ciphertext into plaintext is called decryption. This encryption or decryption transformation is controlled by a key. The cryptosystem used in an open environment should meet the following basic requirements:

 Confidentiality: Ensure that information is not leaked to unauthorized users;

 Integrity: Ensure that information is not arbitrarily or intentionally modified;

 Non-repudiation: Prevent individuals or entities from denying the information they have published by destroying evidence to prove that something has happened.

 Public key cryptography is a key technology to address the above-mentioned confidentiality, integrity, and non-repudiation. The official birth of it is the "New Directions in Cryptography" by W. Diffie and M. Hellman in 1976 (W. Diffe, ME Hellman, "New direction in cryptography", IEEE Trans., 1976, 22, 644-654 ). The public key cipher uses a public key and a private key. The public key can be publicly delivered, but the associated private key is kept secret. Only by using a private key can decrypt the data encrypted with the public key and sign the data. The role of the public key is to encrypt the information and verify the correctness of the signature.

An important challenge facing current public key cryptography is the challenge of quantum computing. The Shor algorithm invented by Shor in 1994 (PW Shor, "Algorithms for quantum computation: Discrete log and factoring", Proceedings of the 35th Symposium on Foundations of Computer Science, 1994, pp. 124-134.), can be polynomial time It breaks all public key ciphers that can be converted into generalized discrete Fourier transforms, including three widely used public key cryptosystems such as RSA, DH and ECC. The basic strategy for public key cryptography to cope with quantum computing challenges is to establish a public key cryptosystem using mathematical problems that cannot be transformed into discrete Fourier transforms. According to this line of thinking, there are currently three types of competing "anti-quantum computing" public key cryptosystems in the world, δ卩:

 One is the NTRU public key cryptosystem (J. Hoffstein, J. Pipher, and JH Silverman, "NTRU: a ring based public key cryptosystem", Crypto'96, LNCS 1423, pp. 267-288. Springer-Verlag, 1998. ), its security is based on the mathematical problem of finding a very short vector in a large dimension lattice.

 The second is the OTU2000 public key cryptosystem (T. Okamoto, K. Tanaka, and S. Uchiyama, "Quantum Public-Key Cryptosystems," CRYPTO2000, LNCS 1880, pp. 147-165, Springer-Verlag (2000).) Security is based on improved backpacking issues.

 The third is the MQ public key cryptosystem, that is, the Multivariate Quadratic Polynomials in Public Key Cryptosystem. Its security is based on the incomprehensibility of the quadratic polynomial indefinite equations. A typical solution in this area is the SPLASH signature algorithm (J. Patarin, L. Goubin, N. Courtois, "C*+- and HM: Variations around two schemes of T. Matsumoto and H. Imai", in Advances in Cryptology, Proceedings Of ASIACRYPT'98, LNCS 1514. Springer Verlag, 1998, pp.35-49. ), which is the digital signature algorithm recommended by the European cryptographic standard NESSIE (http://www.cryptonessie.org), mainly in special cards such as smart cards. Used in the field.

 The prior art solution most similar to the present invention is the MQ public key cryptosystem. The general form of the public key of the MQ public key cryptosystem is:

 m

1< j≤k≤m 7=1

 Where F is the specified domain. Since /w>", the public key of MQ is an indefinite system of equations, which is an irreversible function. The inverse function of the public key is generally defined as the private key corresponding to it, that is, the reversible transformation from ^ = (^, . . . , 3^1 Χ = (ΧΙ , ..., ).

 However, the above-mentioned prior art MQ public key cryptosystem has the following disadvantages:

1. The encryption algorithm is too simple, that is, the mathematical structure of the quadratic polynomial function limits the size of the encryption algorithm. If the number of polynomials is "less than the number of arguments, or the combination is relatively simple, it is easy to be deciphered. If the number of polynomials is "more than the number of arguments, or a combination of complex Miscellaneous, engineering practical aspects such as key length, encoding and decoding speed, memory requirements, and transmission bandwidth all pose insurmountable technical problems. Due to this shortcoming, coupled with some simple MQ solutions being deciphered, people are suspected that MQ is not safe enough. There are many papers on MQ research, but they are rarely used, even if they become international standards (such as SPLASH signature algorithm). Rarely used.

 2, can only sign, can not be encrypted. The reason is: Its public key (that is, the encryption algorithm) is an indefinite system of equations, and the solution of the indefinite system of equations is a large set, which can only be used for the unrecoverable digital signature algorithm, and cannot be restored from the signature. The data. in particular:

The method for generating a signature by MQ is: Substituting the data to be signed fl = ( _l , ..., :) into the private key, performing an evaluation operation to obtain a signature 6 =

The method for verifying the signature of MQ is as follows: Let the signed data be fl = (a _u a _m ), substitute the signature 6 to be verified into the public key, and calculate if (d, ..., Α, ..., Ο, Accept the signature, otherwise reject the signature.

Since the calculation for generating the signature is a one-to-one mapping, for example, from (b ₁ ..., b _ra ); and the calculation of the verification signature is not a one-to-one mapping, for example, only getting ( _Cl , . From the signature M to the original complete signed data ₁ ..., a _m ), that is, cannot be used for encryption.

 Of course, if the number n of polynomials in its public key (ie, encryption algorithm) is set to be as much as the number of arguments m, let its public key become a system of substitution equations, and no longer an indefinite system of equations, although it can be signed from 6 Restore the signed data fl (that is, the function of encryption), but it is easy to be deciphered. Summary of the invention

 The present invention provides a method and apparatus for encoding and decoding digital messages that overcomes the shortcomings of current MQ techniques that can only be signed and not encrypted.

According to an embodiment of the present invention, a method for encoding and decoding a digital message is disclosed, which may specifically include: selecting a positive integer /w, n, where m >n; generating a public key containing Ε (Λ) Where Ε(χ) is a non-linear mapping function group from :) to , ...,; „:) on the domain F; and, the implicit interface function is used to obtain according to :) a function about :): MQ(X) = ( ..., x _m ), u _0n (xi, ..., x _m )) = R(x); generates a corresponding to the public key a private key, the private key comprising R; setting a one-way function chain HO), and an inverse function of the one-way function chain Η - converting the message w to an intermediate result X by a one-way function chain ,, and then using the public key Encoding the intermediate result X to obtain a coding result, transforming the coding result into an intermediate result z by using the private key, and then using the inverse function H_) of the one-way function chain and the private key The result z is converted to a decoded message w.

According to an embodiment of the present invention, a method for digital signature is further disclosed, which may specifically include: selecting a positive integer w, n, n where w > w ≥ w'; generating a public containing E'(x) Key, where E'W is a set of nonlinear mapping functions from ..., x _m )m(y ..., JV) on the domain F; and, the E'W implicitly contains an interface function RO, which is used to get "about" based on :)

Function: U ₀ (X) = ( o\(X\, ... , x _m \ U _Qn {Xi, x _m )) = R( ); generates a private key corresponding to the public key The private key includes R; sets a one-way function chain HO), and an inverse function of the one-way function chain Η - uses the private key to first convert the message to be signed /' into an intermediate result, and then uses a one-way function The inverse function of the chain ;-; and the private key converts the intermediate result 为 to the digital signature IV; and, by the one-way function chain HO) converts the digital signature w to the intermediate result X, and then uses the public key pair to the middle As a result, X is decoded to obtain a decoding result, and the decoding result J and the message to be verified are compared, and it is determined whether the digital signature w is correct based on the comparison result.

According to an embodiment of the invention, a method for encoding and decoding a digital message is also disclosed, comprising: selecting a positive integer w, n, nr, where m >n≥; generating one containing E'(x, ID Public key, where E'(x,ID) is from ..., x _m , ID _h on domain F

a non-linear mapping function group of ..., jv), the ID = (ID ₁ ..., ID is an identity of the authorized user; and, the E' ( , ID) implicitly contains an interface function R ( x), which is used to get a function of ") about ..., x _m ): "Q(X) = ( uoi(x ..., x _m ), u _0n (x ..., x _m )) = R(x); for an authorized user whose identity is ΙΌ(Κ), generate a private key corresponding to the identity, the private key includes R; set a one-way function chain HO), and a single The inverse function H^z) to the function chain; using the public key, the one-way function chain HO) and the ID (^), encoding the message to obtain the encoded message N; using the private key and the one-way function chain The inverse function H- ¹ ^) decodes the encoded message N to obtain a decoded message ^ and/or, and encodes the message by using the private key and the inverse function H- ^{1 of the} one-way function chain to obtain a code. The message uses the public key, the one-way function chain HO) and π to decode the encoded message N' to obtain a decoded message '.

According to an embodiment of the present invention, a system for encoding and decoding a digital message is further provided, including: a public key generating unit, configured to generate an included public key, where, is a slave on the domain F: . , ) to (^, the nonlinear mapping function group, m, "is a positive integer, m > and, the implicitly contains an interface function, which is used to obtain "a", x _m according to :) Function: M ₀ (X) = ( Mo^, = R(x);

a private key generating unit, configured to generate a private key corresponding to the public key, where the private key includes R(x) _; A one-way function chain determining unit for setting a one-way function chain HO) and an inverse function H of a one-way function chain

 An encryption unit, configured to convert the message w into an intermediate result X by a one-way function chain HO), and encode the intermediate result X by using the public key to obtain a coding result J;

The decryption unit is configured to convert the encoding result J into an intermediate result Z by using the private key, convert the intermediate result z into a decoding message w by using an inverse function H- ^{1 of the} one-way function chain and a private key.

 According to an embodiment of the invention, a system for digital signature is also disclosed, including:

a public key generating unit, configured to generate a public key containing Ε', which is a non-linear mapping function group from :) to , ..., .) on the domain F; '(χ) implicitly contains the interface function R(x), which is used to get a "about:" function according to x _ra :): "( x) = ( o\(x\, ... , x _m ), o„(x\, ... , Xm ) = R( ); where wi, π, is a positive integer, m > π≥ n, ; a private key generation unit for generating a public key Corresponding private key, the private key includes R(x) _{; a} one-way function chain determining unit for setting a one-way function chain HO), and an inverse function H of the one-way function chain

a signature unit, configured to convert the message to be signed/' into an intermediate result z by using the private key, using an inverse function H- ^{1 of the} one-way function chain (and a private key to convert the intermediate result z into a digital signature IV; and verifying a unit for converting a digital signature w into an intermediate result X by a one-way function chain HO, decoding the intermediate result X with the public key, obtaining a decoding result ^ and comparing the decoding result J and waiting The verified message determines whether the digital signature w is correct based on the comparison result.

 According to an embodiment of the present invention, a system for encoding and decoding a digital message is further disclosed, including at least:

a public key generating unit, configured to generate a public key including E'(x, ID), which is a slave ID _b ..., ID _r ) ilJ (y) on the domain F !, j) of the non-linear mapping function group, the ID = (ID _1; ..., ID is the identity of the authorized user; and, the E' (x, ID) implicitly contains the interface function R ( x), which is used to get a function of "one about...,": u ₀ (x) = ( uoi(x ..., x _m ), ... , u _0n (x , ... , Xm ) = R(x); where m, n, r , r are positive integers, m >n>n'; a private key generating unit is configured to generate an identity with the authorized user whose identity is π Corresponding private key, the private key includes R;

 a one-way function chain determining unit for setting a one-way function chain HO), and an inverse function H− of the one-way function chain, and at least one of an encryption/decryption unit and a signature verification unit, wherein

An encryption and decryption unit for using the public key, the one-way function chain HO) and the ID (^), for the message Encoding, obtaining the encoded message N; using the private key and the inverse function H-) of the one-way function chain to decode the encoded message N to obtain a decoded message;

 Alternatively, the signature verification unit is configured to encode the message by using the private key and the inverse function H-) of the one-way function chain to obtain the encoded message N, and use the public key, the one-way function chain HO) and Π, The encoded message N' is decoded to obtain a decoded message 7.

 Compared with the prior art, the present invention has the following advantages:

 (1) The encryption algorithm and the recoverable signature algorithm of the present invention, the conversion between plaintext and ciphertext, signature and data, are equivalent to a simultaneous replacement equations in which a part of the equation is a one-way function. Since the one-way function maps the bit string to the bit string in an almost random manner, the original algebraic relationship is completely destroyed, so that the mathematical transformation rule of the one-way function chain is equivalent to the dense polynomial group, and it needs to be fully expanded. Exponential storage space, in the process of solving the equation, will inevitably encounter the great difficulty of one-way function is difficult to expand.

 (2) The present invention further clarifies the security by alternately applying factorization (mainly for "multiplication") and function decomposition (decomposition (mainly for "iteration") to analyze hidden within the rational fractional indefinite equations. The difficulty of multi-level nested structure; the combination of multiple simple functions into complex functions, so that the security of the password does not depend on a single variable, but depends on the multi-level chain relationship, thus achieving: directly set a complex representation Mathematical puzzles, but this puzzle is hard to prove equivalent to a mathematical problem known as a simple representation.

 (3) Under the condition that the length of the plaintext and the signed packet are kept the same, the security of the cryptosystem can be arbitrarily increased by increasing the function size of the public key.

 Secondly, in the 20 years after the publication of MQ, the inventor proposed this technical solution, and its technological innovation is fully reflected in:

(1) The unexpected benefits brought about by the "one-way function chain" require a sufficiently high level of mathematics to understand. For example, why is MQ only signed and not encrypted? The reason is: If the public key of MQ is a displacement equation (that is, its number of arguments is equal to the number of polynomials), it is easy to be deciphered by methods such as Grobner base. Gr0bner base belongs to the category of abstract algebra and has a profound theoretical background. For those of ordinary skill in the art, an effective method of combating Gr0bner base attacks is required, and creative research is required. The innovative invention combines a one-way function into a function chain, and organically combines with an interface function and a public-private key, on the one hand, realizes the reversibility of the coding and decoding process (even if the number of arguments is greater than the number of polynomials), on the other hand The use of Gr0bner base and other methods to decipher will inevitably encounter the decomposition problem of dense polynomials. (2) Proposing the concept of "one-way function chain" and designing feasible, practical, and complete technical solutions requires a high technical threshold: not only to grasp the progress of contemporary mathematics, but also to have rich practical Coding experience and level of analysis, skilled in using some special mathematical skills, have a deep understanding of the law and nature of passwords, and have certain engineering realization capabilities, in addition to relying on indeterminate factors such as inspiration, opportunity; With the capital investment, it will definitely solve the problem. The large amount of defamatory information given in this manual has gone through the iterative process from scientific theory to coding practice, which is the result of long-term thinking of the inventors. The completion of the present invention also involves an automated derivation technique for a large number of mathematical formulas, requiring the development of a dedicated software system. Without these pioneering research accumulations, it is difficult for a person of ordinary skill in the art to complete the design of the solution.

 (3) To propose a technical solution of "one-way function chain", it is necessary to overcome technical bias. Since 1985, the international cryptographic academia has conducted an in-depth analysis of MQ and published a large amount of literature, especially the recent Wolf's summary study (C. Wolf, {Multivariate Quadratic Polynomials in Public Key Cryptography), Katholieke Universiteit Leuven, ISBN 90- 5682-649-2, 2005. ), proposed ten basic algorithms for constructing MQ, four basic trapdoors, and designed an extended TTS signature scheme based on the analysis of existing technology. But Wolf’s research still cannot fundamentally overcome the above.

The shortcomings of MQ. Most of the research in the past 20 years has digging potential within the MQ framework, without breaking the MQ framework to the outside as in the present invention - adding a one-way function chain to create a new public key cryptosystem in a larger algorithm space. .

 In addition, the design of the one-way function chain overcomes the long-standing technical bias of understanding and using one-way functions: although a single one-way function is irreversible, several one-way functions are skillfully organized to form a mutual The restricted system-one-way function chain is reversible. At present, the traditional application of the one-way function mainly investigates its irreversibility and collision resistance, and the present invention further requires that it be provided with polynomials. Indicates the density of the time.

 The preferred technical solution of the present invention has the beneficial effects compared with MQ:

 (1) Replacing a polynomial with rational fractions is equivalent to raising the quadratic sparse polynomial of MQ to a higher-order dense polynomial, exposing the scale of the polynomial function equivalent to the public key, essentially improving the indefinite equations. The difficulty of the inverse function.

(2) Using the ID mapping method to establish an identity-based working method. All users on the entire network share a public key, which brings great convenience to public key management in the network environment. The method of "compositing private keys with multiple distribution centers" and "personalization of private key forms" is used to improve the anti-collusion attack ability of the cryptosystem. DRAWINGS

 1 is a flow chart of an embodiment of a method for encoding and decoding a digital message according to the present invention; FIG. 2 is a flow chart of an embodiment of a method for digital signature of the present invention;

 3 is a schematic diagram of data flow direction according to an embodiment of the present invention;

 Figure 4 is a schematic diagram showing the relationship between H(x), R(x) and H- of the present invention;

 5 is a data flow diagram of an encryption or verification signature process of a small data embodiment of m=3, n=2 of the present invention;

 Figure 6 is a data flow diagram of the decryption or signature process of the small data embodiment of m = 3, n = 2 of the present invention; Figure 7 is a preferred embodiment of the present invention for encoding and decoding digital messages in an identity based manner. Flow chart

 8 is a schematic diagram of jointly establishing a private key by multiple private key distribution centers of the present invention;

 9 is a data flow diagram of implementing a private key form personalization of a small data embodiment of m=U and n=8 of the present invention;

 Figure 10 is a flow chart of the encryption process of the small data embodiment of m = U, n = 8 of the present invention.

The present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.

 The invention belongs to the category of information security products and is mainly applied to network trust systems, such as documents, banks, mobile phones, internet, e-commerce, e-government, logistics, network monitoring, power control, fund transfer, transactions, data encryption and the like.

 The hardware environment required to apply the present invention is well known to those skilled in the art. Among them: public key generation unit, private key generation unit, and one-way function chain determination unit, which involve automatic derivation of complex mathematical formulas, generally should adopt high-end computer system; encryption and decryption unit, signature verification unit, only related to given The mathematical calculation of the calculation can be carried out in various grades of hardware platforms, such as single-chip microcomputers, dedicated digital signal processing chips, smart cards, and the like.

 Some of the terms that may be involved in the present invention are briefly explained below:

 Password: Generally understood as an algorithm for information encryption and decryption transformation. Its basic purpose is to disguise information so that outsiders cannot understand the true meaning of the information, and insiders can understand the original meaning of the disguised information.

Key: In the process of executing the cryptographic algorithm, the only thing that can control the effective change between plaintext and ciphertext The key parameter to change is called the key.

 Public key cryptosystem: The public key cryptosystem uses two keys—a public key (referred to as: public key) and a private key (referred to as: private key). The public and private keys are mathematically related, but it is difficult to calculate the private key from the public key. The public key can be publicly transmitted between the communicating parties, or it can be publicly published as a telephone number, and the private key is kept in secret by the authorized user. Anyone can find its public key from the name of a user, so it can send an encrypted message to this user. Only authorized users can use their private key to complete the decryption.

 The public key cryptosystem also provides the ability to digitally sign and authenticate: an authorized user can sign the information with his private key (equivalent to the process of decrypting with the private key described above); other users cannot sign because they do not have the private key. However, the user's public key can be used to verify the correctness of the signature (equivalent to the above process of encrypting with the public key). There are two types of digital signature algorithms: Recoverable digital signature scheme: The signed data can be derived from the signature; Unrecoverable digital signature scheme: The signed data cannot be derived from the signature.

 Finite field: It is a concrete and visual mathematical structure that can be understood in a colloquial manner as a collection of finite elements that can be added, subtracted, multiplied, and divided. (usually denoted as F, when the number of elements in the finite field is prime;?, denote F.)

Polynomial over a finite field: can be understood in a common sense: when there is only one argument: f (x) = a _s x ^s + a _s - \ X ^sA +... ten α ₀ χ ⁰ (mod p) where Called as an argument, called a coefficient, called a term, their values are between Ο, ..., /7-l. When there are multiple arguments:

f(x ..., x _n ) =

(mod;?)

The polynomial set on F, the polynomial four is the domain, called the polynomial extension of F. If the number of terms in a polynomial is relatively small, it is called a sparse polynomial; otherwise it is called a dense polynomial. Dense polynomials not only have a high number of times, but the number of items is very large, and it is expanded to indicate that it takes a lot of space.

 Rational fraction on a finite field: It can be understood as dividing two polynomials:

^/(JCl "'") mod ^ The multiplicative inverse of a polynomial other than the polynomial of 0 is

( 3⁄4 ..., χ _η )) - ^{1 (mod} ) = (f(x _h ... , χ _η )Υ~ ² (mod ρ) But when ρ is large, the expansion of the above formula requires huge storage The result of space, therefore the division of two sparse polynomials (the denominator is not a polynomial), usually a dense polynomial:

^/( =Rx _l ,...,x _n )-{g{x _l ,...,x _n )) ^p - ² (mod^) This property is very important for understanding the security of rational fractional public key cryptography . The rational fractional set on F, the four arithmetic operations on the rational fraction is the domain, called the rational fractional extension of F.

 The indeterminate equation system on the finite field has a range group on the limit field:

^{x _x ,...,x _m ) mod p = 0

Where :) is a polynomial or rational fraction. If the number of unknown elements is more than the number n of equations, the above equation is called the /7 element of the indefinite equations, usually called the Diophantine equation. The solution of an indefinite system of equations is a large collection of vector values.

 When the above indefinite system of equations has a solution, its solution is usually a set of points in the dimensional space on the finite field, which can be expressed as algebraic curves, algebraic surfaces or even highly complex high-dimensional algebraic clusters (a common to several polynomials) The collection of roots).

 One-way function: Let the function be _y = Hash, it is easy to calculate X _y, and it is difficult to calculate X from _y. This function is called one-way function, also called hash function, hash function, Hash functions, etc., have been widely used in data integrity testing and information authentication. It converts an arbitrary length of data X into a fixed-length or fixed-number field or a string _y.

 Methods of constructing one-way functions are well known in the art. The most popular one-way function algorithms are MD5 and SHA-1 (Federal Information Processing Standard FIPS 180-1); stronger one-way function algorithms are SHA-256, SHA-384 and SHA-512 (US Federation) Information Processing Standard FIPS 180-2).

The domain F specified in the present invention may adopt a finite field F in which the number of elements is a prime number; but is not limited to this and can be extended to various domains. When F is a finite field, the power operations of functions or arguments, including integer power operations and fractional power operations, can be converted into expanded, simplified, and organized A rational representation of the fraction.

 The encoded message described in the present invention may be generated by a user of a location and transmitted to another location and then decoded by the user of the other location, i.e., the coded decoding may not be co-located. Of course, encoding and decoding at the same location is a simpler case.

 Referring to FIG. 1, there is shown a flow chart of an embodiment of a method for encoding and decoding a digital message according to the present invention, which may specifically include the following steps:

 Step 101: Select a positive integer w, n, where m>n;

 Step 102: Generate a public key including E(x), where E(x) is a slave in domain F

To the nonlinear mapping function group of (^,; and the interface function R(x) is implicitly contained in the E(x), which is used to obtain "Xl, according to (Xl, ., X _ra ) ., X _ra ) function: " ₀ (X) = ( .. Xnr), ... -,

U0n(X\, ···, )) = R(X);

 Step 103: Generate a private key corresponding to the public key, where the private key includes R;

Step 104, setting a one-way function chain HO), and an inverse function of the one-way function chain H- ¹ ^;

 Step 105: Convert the message w into an intermediate result X through a one-way function chain HO), and then encode the intermediate result X by using the public key to obtain a coding result and

Step 106: Convert the encoding result into an intermediate result z by using the private key, and then convert the intermediate result z into the decoding message w by using the inverse function H- ¹ ^) of the one-way function chain and the private key.

 For the present embodiment, various types of encryption and decryption can be applied. For example, step 105 is mainly applied to the case of encryption, and step 106 is mainly applied to the case of decryption. Of course, for different applications, the parameters are different, and the performance of the compiled code is also good or bad. A more preferred embodiment will be described later in the specification.

 Referring to FIG. 2, an embodiment of a method for digital signature according to the present invention is shown. Specifically, the method may include: Step 201: Select a positive integer w, n, n where w > w ≥ w, ;

Step 202: Generate a public key including E'(x), where Ε' is a non-linear mapping function group of x _m )m (y.. on the domain F; and, the E'W The implicit interface function Ι is used to get a function about (Xi, (Q(X) = ( ..., x _m ), ..., according to ( l,

 Step 203: Generate a private key corresponding to the public key, where the private key includes R;

Step 204, setting a one-way function chain HO), and an inverse function of the one-way function chain H- ¹ ^;

Step 205: using the private key to first convert the message to be signed /' into an intermediate result z, and then using the inverse function H- ^{1 of the} one-way function chain (and the private key to convert the intermediate result z into a digital signature IV; Step 206: Convert the digital signature iv into an intermediate result x through a one-way function chain HO), and then decode the intermediate result X by using the public key to obtain a decoding result.

 Step 207: Compare the decoding result with the message to be verified, and determine whether the digital signature w is correct according to the comparison result.

 For the present embodiment, various digital signatures can be applied. For example, step 205 is mainly applied to the case of signing a message, and steps 206 and 207 are mainly applied to the case of verifying a signature.

 Combining the above two embodiments, in fact, when > «≥«', it can be applied to various digital signatures, and when > « = «', it can be applied to various encryption and decryption cases.

 In design, a given E(x) is not necessarily a public key E'(x) (assuming the public key has no other parameters, the public key can be considered as Ε'), according to "=« ' or the latter It is all or part of the former.

 A public key corresponds mathematically to the transformation rules of a given input and output message, and only one private key; of course, this private key can take different representations.

 There are many specific methods for establishing public and private keys. This is a content of mathematical design. In the years of application of public key systems, those skilled in the art have more technical precipitation for this aspect. Detailed. However, the present invention can give a more preferable basic idea: randomly generate a number of simple reversible linear transformations and reversible nonlinear transformations, and assemble them into a whole by various methods (iteration, multiplication, division, addition, etc.). Then re-expand, simplify, and organize to obtain a public key; using these inverse functions of reversible linear transformation and reversible nonlinear transformation, the public key can be inverted as the private key corresponding to the public key.

 Referring to Fig. 3, there is shown a data flow diagram of an embodiment of the present invention, including data processing procedures such as encryption and decryption and digital signature. Among them, > « = «' can be used for encryption and decryption and recoverable signatures; when > « > «', it can be used for unrecoverable signatures.

 For a recoverable signature, the decoded message is compared with all the data of the original message to determine whether it belongs to the correct signature; and for the unrecoverable signature (ie, the case of ">«' in the specification), it is decoded. The message is compared to a portion of the original message to determine if it is the correct signature.

There is no inevitable sequence in the steps of the above embodiments. The numerical ordering is only for convenience of explanation, and the order of each step can be adjusted in actual situations. The specific implementation method of the "one-way function" is a well-known technique and will not be described in detail herein. This embodiment introduces a one-way function chain for expanding the original message, then compressing it, and satisfying the reversible requirement. Therefore, it can be applied to various encryption and decryption and digital numbers with high security performance. Signature occasion.

 A one-way function chain has the following two properties:

 One is complexity: its mathematical properties should be understood as a set of dense polynomial functions:

···," ),

The above formula is part of the permutation equations that transform plaintext into ciphertext, which makes the equations encounter great difficulties. Second, reversibility: When 〉“, (x ₁ has some arguments that are superfluous, only need one of them) "A variable can recover 0 ₁ ...,!". For example, in the embodiment of FIG. 5, without using x ₃ , as long as A and X _{2 are} sequentially calculated: W ₂ = X ₂ _ 3⁄4 ( ), W _X = ^! - 3⁄4 (^ ₂ ), _Wl can be recovered. ,

W

The basic method for realizing the above properties is: For z = l, 2, ... (the order can be arbitrarily specified), w/ / ≠ 0 is continuously added to the upper side by the transformation of the one-way function. Still take Figure 5 as an example: After w ₂ is transformed by _3⁄4 , it is added to _Wl to get Α, then transformed by 3⁄4 and added to w ₂ to get x ₂ , and so on, to achieve multi-layer one-way function nesting. Reversible one-way function chain.

 A preferred example of the invention is described from a mathematical point of view as follows:

(1) 3⁄4iv = (wi, ..., w _n ), x = (x ..., x _m ), y =

..., y _n ), w _h xy _k ≡¥, positive integer m>n≥ n, F is the specified domain; set a one-way function chain, that is, set a mapping function from w to x: x = H (w); the HO) is a reversible nonlinear transformation implemented by a number of one-way functions, and the IV is expanded to X by a combination operation using a plurality of one-way functions 0;

HO) is equivalent to the m w on _{w. 1} "to" meta dense on the polynomial function F.; Known HO) algorithm, find the X w is easy;

(2) Establish the function R( ): u ₀ (x) = (η _οι (χχ, x _m \ ..., η _0η (χχ, ..., x _m )) = R(x), which is used Convert x into a polynomial function on the F;

 (3) Deriving the inverse function of the one-way function chain by HO, which satisfies:

Where z = (z ₁ ..., z _n ) = u ₀ (x)= (uoi(xi, x _m \ U _Qn {Xi, ..., X _m )), Zi≡F, u _0i ( x) Yes? The polynomial function on ..., ) is the value of the function ^ C^,

(4) Using HO as part of the public encryption algorithm, "< Λ 到 into the public key" In the elementary function group, Η· ¹ )^ is used as part of the decryption algorithm, and the calculation parameter of R(x) is taken as part of the private key.

 When using the public key Ε' Ο for encrypted data processing:

First use ΗΟ) to expand the plaintext w to the intermediate result X, ie calculate: x = HO) _;

 Then use the public key Ε ' to compress X into ciphertext; that is, calculate: j = E' .

 The following briefly introduces the interface function R(x):

The interface function is mainly used to get "a function about:" according to :), which is generally expressed as: u ₀ (x)

R(x);

 Among them, the simplest R(x) is: For / w = «, convert :) to an identity transformation.

In the present invention, the function of the interface function R(x) can be understood as: converting a variable ..., ) obtained by computing a one-way function chain X = U(w) into "one about...," The function, thus achieving the combination of the one-way function chain HO) and the public key Ε', and narrowing down the intermediate result after the expansion of the one-way function chain. Its mathematical description is usually very simple. For example, in Figure 5, for =3, n=2, convert, x ₂ , x ₃ three variables, convert to two polynomials: M _Q corpse A+^ , ti ₀₂ = x ₂ . The information of R(x), including the functional form of i3⁄4, M _Q2 , and the value of the coefficient e ₃ are all secret information that the unauthorized user should not know. Of course, those skilled in the art can design a variety of modes according to the characteristics of R(x), which cannot be detailed here.

It is not reversible in itself, but it is reversible in combination with HO). That is, although it is not possible to recover Α, x ₂ , x ₃ from the value of w _Q2 , but with the knowledge of fully disclosed HO) "x ₃ = H ₃ ( ₂ ) ", and hidden in E(x) The secret parameter e ₃ of R(x) can be calculated as: = ζ _λ - e ₃ x ₃ = z\- e _{3 3⁄4} ( ), x ₂ = z

 It is entirely feasible to adopt any public key generation method that complies with the public key attribute requirements of the present invention, but preferably, the present embodiment can obtain the public key and the private key by the following steps:

Step a: Select the "metainvertible linear transformation T = CΓ ₁ , ... , T _i+1 :) on the domain F, where each includes the n-element of "··· on the domain F Linear polynomial

Step b, selecting "metainvertible nonlinear transformation G = (G ₁ ... , Ο:) on s fields F, wherein each includes a function on the domain F;

 Wherein, the function may include various function types such as a polynomial, a rational fraction, and the like, and the present invention does not need to be limited thereto.

Step c: synthesizing the "(), T, and G according to a preset rule to obtain a nonlinearity from X to Mapping function group: (y ₁ ..., y _n ) = E(x) = (E _l (x _l , ..., x _m \ ..., E _n (x _u ..., x _m ) );

 The purpose of synthesizing the "<), T, and G is to embed and hide information about R, T, and G in the public key, all of which belong to secret information that the unauthorised user should not know. In order to achieve hidden purposes, it is feasible to adopt various preset synthesis rules. It is very difficult to separate "« 、 , T and G from Ε ', and it is necessary to alternate factorization (factorization, mainly for "multiplication") and function decomposition (decomposition (mainly for "iteration") to analyze the hidden in this uncertainty. A multi-level nested structure inside a system of equations.

Step d, select "' function as E'(x) in E(x), get the public key; where E'(x) contains a function about (i, ..., ); E'( ) = (Ei( i, ..., x _m ), ..., E _w i, ..., x _m )); disclose the public key to all users;

When _m>n=n , that is, the selection in step f does not delete the function, all functions in E(x) are selected as Ε'. At this time, the embodiment can be used for various situations such as encryption and decryption and digital signature.

When _{m>n> η} ', that is, a method of discarding a part of the function is employed in the step f, the present embodiment can be used in the case of digital signature.

When _m=n=n , the security performance at this time is poor; when _m=n >t, this embodiment can be used for the case of digital signature. Further, if the interface function R(x) is preferably used in the embodiment to convert m arguments into n polynomials, m>n can be guaranteed. Of course, if m=n is needed according to the actual situation, those skilled in the art can obtain according to various prior art, and will not be described in detail herein.

Ho step g, generating inverse function T T- ^1; generating an inverse function of G G- ^1; T ^{a. 1} and G- ¹ calculated the DO; generating a private key, the private key R and comprising D0, the key that Send it to authorized users for secret storage. R(x) in the private key is used for the inverse function H- ^{1 of the} one-way function chain (together the intermediate result z into a decoded message w.

 The preset rules described in the foregoing step e may be set by a person skilled in the art according to actual conditions.

 Preferably, if the expected E'(x) contains a rational fractional function, the preset rule may be in the following two cases:

Substituting the function group " _Q (x) into it, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substitute into G _s and substitute (^ into T _i+1 ;

Or, substituting the function group, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substitute into G _s .

For the above two possible ways, when the last linear transformation T _i+1 , the obtained rationality The fractional public key, the denominator polynomial of each rational fraction is the same; when the last is a nonlinear transformation, the denominator polynomial of each rational fraction in the public key is usually different. For engineering applications, the default denominator can save public key storage space (as long as "+1, not 2" polynomial is stored), increase the speed of the operation (as long as the value of "+1, not 2" polynomial is calculated ).

 Correspondingly, with respect to the above embodiments, the present invention also provides two device embodiments:

 A system embodiment for encoding and decoding a digital message may specifically include:

a public key generating unit, configured to generate an included public key, where, from (...) to (^, the non-linear mapping function group of the ^, ", is a positive integer, m > and The implicitly contains an interface function for obtaining a function of "a", x _m ) according to :): Μο(·^) ⁼ uoi(xi, ···, 3⁄4), ... , Uo„(Xi, ..., x _m ) =R( );

a private key generating unit, configured to generate a private key corresponding to the public key, the private key including R(x) _{; a} one-way function chain determining unit, configured to set a one-way function chain HO), and a one-way The inverse function of the function chain H—

 An encryption unit, configured to convert the message w into an intermediate result X by a one-way function chain HO), and then encode the intermediate result X by using the public key to obtain a coding result and

 And a decryption unit, configured to convert the encoding result J into an intermediate result Z by using the private key, and then convert the intermediate result z into a decoding message w by using an inverse function H—^) of the one-way function chain and a private key.

 And, a system embodiment for digital signature, specifically includes:

a public key generating unit, configured to generate a public key including Ε', which is a non-linear mapping function group of s to ..., j) on the domain F; and, the E' ( x) implicitly contains the interface function R(x), which is used to get a "about:" function according to x _ra :): "( 0 ) = (u ₀ (x , ..., x _m ), . .., u _0n (x , ..., x _m ) =R( ); where m, n, "' is a positive integer, m >n>r;

a private key generating unit, configured to generate a private key corresponding to the public key, the private key including R(x) _{; a} one-way function chain determining unit, configured to set a one-way function chain HO), and a one-way The inverse function of the function chain H—

 a signature unit, configured to use the private key to first convert the message to be signed/' into an intermediate result z, and then use an inverse function of the one-way function chain ;-; and the private key to convert the intermediate result to a digital signature IV; as well as

a verification unit, configured to convert the digital signature w into an intermediate result X by a one-way function chain HO), and then use the public key to decode the intermediate result X to obtain a decoding result^ Comparing the decoding result and the message to be verified, it is determined whether the digital signature W is correct according to the comparison result.

 The following is a brief introduction to the generation of a single function chain:

 Of course, the method of establishing a one-way function chain is not limited to the following methods, but can be generalized to various methods that satisfy the function of the one-way function chain. The invention has been described by way of a preferred embodiment.

The first step is to build a one-way function chain. Set a one-way function:

..., L, L^(m -n), a _u a ₂ , ..., β≡¥ _ρ , whose input is a number of modules; Integer, whose output is a modulo;? The integer. The inversion of a one-way function, that is, it is difficult to find its input by its output. Set up a one-way function chain with a one-way function:

 X = ( ι,..., = H(iv) = H(wi,..., w„),

Although the mapping from IV to X is a complex dense polynomial function, it is very difficult to expand and simplify it, but it is easy to invert it, that is, it is easy to find IV by X. The specific practice of this embodiment is:

(1) Set the function (x ₁ ..., ) = 1^( , ..., ):

First, let ₂ = _", _{1 =} - ₂ , (x _u ..., x _n ) = (w _u ..., w _n ), set the pointer 1), e{L _x ), \^θ{ ί)^η·,

Then, for

..., , replace in order:

Χθ(ί) (χβ(ί) + 3⁄4( ι , ... , χ _θ{ί) - 1 , χ _θ{ί) +ι, ..., x _n )) mod ρ.

 In the present embodiment, θ(ί) is set as a loop from 1 to η.

(2) Set the function (x„ ₊₁ , ..., x _m ) = K ₂ (x uses a one-way function, corpse..., L, calculated from x ₁

The function Κ ₂ in this embodiment is: for

, ₂ , calculated in turn: x _i+n = li _i+Li (x ₎ ).

(3) Combine the above I and K ₂ into HO):

x = ..., x ", x n + ..., ra) = (Ki (wi, ..., w n \ K 2 (Ki (wi, ..., w n))) 0 is the The calculation results of Kl and K2 are linked together as the calculation result of H v).

In the second step, set the function " _Q (x), that is, convert X into n polynomials about X " _Q (x) =

(uoi(x\, ... , x _m ), ... , u _0n (xi, ... , x _m )) = R(x) , satisfying the known " ₀ , R(x), H _{A +1} , ..., 3⁄4, easy to find;

The algorithm of the function R(x) in this embodiment is: Let "0=^, ..., jg, e _x =.. =e _n =\, randomly select e _m ≡¥ _p ; specify the pointer η ( )), ι= η+\, m, \^η(ί)^η, but η(ί)≠θ(Ι^·' Replace in order:

_{¾) (¾) + etXj)} mod p.

 The third step is to derive the inverse of the one-way function chain: ιν = ^,...,Ο = Η—3⁄4)

 Two feet:

The algorithm of H-) in this embodiment is: First, for z' = , ..., «+1, replace in order: ('■) <― (1⁄4■) - ^e i ^H i- "+A (3⁄4))) intestinal dp;

Then, for z= , ..., 1, replace in order:

Ζβ{ί) (ΖΘ(Γ) - 3⁄4(ζι , ... , z _0(i) - 1 , ζ _θ(ί) +ι, ...,ζ _η ) mod^;

Finally, ^(wi, ..., w _n ) = (zi, ..., Z _w )o

In the fourth step, HO) and H- ¹ ^ are publicly released as cryptographic algorithms, and the algorithm parameters (for example, :) of R(x) are distributed as part of the private key to the authorized user for secret preservation. Calculating Η· ¹ ^ requires these parameters.

The functional form of the ^, ..., x _ra :) contained in the Ε' may be a polynomial, and preferably, may be a combination of a polynomial and a rational fraction, or all of the rational fractions.

 Compared to polynomials, rational fractions have a significantly increased size of the encryption function. For ease of analysis, the rational fraction on the finite field is converted to an equivalent polynomial. For example, let the number of times the public key of the present invention is 2, and convert it into a polynomial representation:

h _l+ ...+h _M ≤2{p-2)

_{Xi, y (Ά, β ϋ} , Yi jk b i · F P, m> n, 1 ί ^ η ·, the number of items which will ¾ ₊₂ =, increased to about

= 3⁄43⁄43⁄4. For example, when pw = 2: ι + χχ +χ ₂ + 2χχχ ₂ + 3x ₂ ² f mod 5

+ 3x ₂ + 2x\ ² x ₂ + + i ⁴ ₂ + i ⁵ ₂ + 2x ₂ ² + i ₂ ² +

X2 + 4 ₂ ³ + 4 i ₂ ³ + 4 i ² ₂ ³ + 4 i3⁄4 ³ + Xi + 4 i ₂ ⁴ + 3 i ² ₂ ⁴ + ₂ ⁵ + 4 i ₂ ⁵ + 2 ₂ ⁶ ) mod 5

= (3 + 3 i + 3 i + ₂ + 4x ₂ + 2 i ₂ + i ₂ + i ₂ + + 4 i ₂ +

4xi

Mod 5;

And when ;==65537, =8, the number of terms equivalent to the polynomial of the rational fraction will be increased by (3⁄4 ₊₂ =45, approximately

 ^2(n-2) (8 + 2 (65537-2))!

U ^{2) =} 81(2(65537-2))! = ^{21608526535866}诵^{1721640525505904640} ; Obviously, a polynomial of such a large size, although objectively present in the mathematical world, requires an exponential storage space, which is actually difficult Operational. The beneficial effects of this property are: Promoting the quadratic sparse polynomial of MQ to a higher-order dense polynomial, exposing the scale of the polynomial function equivalent to the public key, essentially improving the difficulty of finding the inverse function of the indefinite system of equations. Sex, which significantly increases the ability to resist deciphering.

 The following is an analysis of the benefits of the one-way function chain for the coding and decoding process, taking the encryption and decryption and recoverable signature process as an example.

 When >«=«', Ε' = Ε(Λ , known ciphertext (or data to be signed;), deciphering plaintext (or signature on data ^) w, first request intermediate result X, this case is equivalent In the indefinite equations:

(yi, ..., y„) = (Ει( ι, ...,x _m \ ...,E _w ( i, ...,x _m )) The number of arguments is greater than the number of equations, The solution of X of the above equations is many, and it appears as a huge solution set. However, the one-way function chain is put together with the above equations to form a simultaneous equation system about the unknown element w:

(w _l ,...,w _n ) = Yi(y _l ,...,y _m ) where the one-way function chain consists of several equations containing a one-way function transformation, for example, in the specification =3, n = 2, only three one-way functions, 3⁄4, 3⁄4: (Λ·λ3琳釾军'3⁄4骈3⁄4¥^?3⁄4 3⁄4 睇^ 3⁄4 3⁄4观^

 . Min Lin '^ M ^ a

 令^ 3⁄4 °3⁄4窬 百^:3⁄4 ^篛鲜 3⁄4®3⁄4 ^ nmmm m

 By turning '^mmrn^ ^ -i^ ^T ^^ ^ ai ra '^Μ®^·#3⁄4

 ^

+ ((((^) ¾ + τ ^) ¾ + ζ ^) £ ΐύ (((^) ¾ + + + ((((^) ¾ + τ ^) ¾ + ^) ¾)

((3⁄4 )3⁄4 + IM)†7 + ((((^)3⁄4 + ^τ ^)3⁄4 + ^)3⁄4)6 + _r (((^)3⁄4 + ^τ ^)3⁄4 + ^Ζ ^)Π + (( (^)3⁄4

+ ^)3⁄4 +3⁄4 )((3⁄4 )3⁄4 + ¹ ^)6 + (((^)3⁄4 + + ^Ζ ^)Π + _r ((^)3⁄4 + + ((^)3⁄4

+ ^T ^)ei + ^i)/Q(((^^3⁄4 + ^τ ^)3⁄4 + ^)3⁄4)^ + ((((^^3⁄4 + ^τ ^)3⁄4 + ^)3⁄4)((( ^)3⁄4

+ + 3⁄4 )£ + ((((3⁄41)3⁄4 + + ^Ζ Μ)3⁄4) ((3(41)3⁄4 + + (((^^3⁄4 + ^Τ ^)3⁄4 ζ\

^{+ Ζ ^) £ ΐί) ζ} \ + r (((^) ¾ + T ^) ¾ + + (((^) ¾ + Τ ^) ¾ + ¾ί) ((¾) ¾ + Τ ^) θΐ

+ (((3⁄4 )3⁄4 + ^τ ^)3⁄4 +^)θΐ + _r ((^)3⁄4 +^)6 + ((^)3⁄4 +^)9ΐ + 6)) =

L\ poiu + ^£ x ^z x + ^£ x ^T x†7 + ^£ x + yfrl + 3⁄4 6 + ^Z ^ \ + + 3⁄4ΐ + Π)/( _ζ + +

((((3(4)3⁄4 + ^Τ ^)3⁄4 + ^)3⁄4) '(((^)3⁄4 + ^Τ ^)3⁄4 + '((^)3⁄4 + ^T ^)) ^T 3 =

Nm '¥a °te, i 3⁄4 f3⁄4 游 璨 ^老^ '^ ^^ -i^ ^

'3⁄4汤鲜f3⁄4te, l WJlYJl3⁄43⁄4骈尔尔鲜^ ^^璨 ί3⁄4·#^Ψ^— 3⁄4

'm. Na Yi *Violence M Ben 3⁄4g

 -02-

1?9Ζ0.0/.00ΖΝ3/Χ3«Ι Explain the public key. The detailed steps are as follows:

 The first step is to build a one-way function chain HO)

First, set the structure of the cryptographic algorithm. For example, let F be a finite field F> /? Is a prime number, a positive integer "' and w>"'. Assume

...., z _n ), ^, x,, j^eF.

 Establish a one-way function chain: x = H(w), which uses a combination of several one-way functions HO ..., 3⁄4◦ to convert w to X, which is a sufficiently complex, reversible nonlinearity Transform

Establish interface function R(x): u ₀ (x) = ( _0i (xi, ... , ... , _0n (x ... , x _m )) = R(x), which converts x to a function about xi, ...,

 From HO, derive the inverse of the one-way function chain: w = H - ^z), which satisfies:

w =

= H ( R( HO))) ;

 Use HO) as part of the public cryptographic algorithm, as part of the private key, to calculate

H—Requires the use of R(x).

 The second step, establish password parameters T, G

 Randomly select the "metalinear transformation Τ" on F, where each "metalinear transformation consists of n meta-polynomials on % of F on %:

T = (T _1; ..., T _i+1 ), where:

Ίί = Ty(ori, On) = bij ₀ + byi a _x + b _ij2 a2 + ... + b _ijn On,

Then, the inverse function T ^{1 of} T is derived, that is, the above-mentioned inverse transformation of the meta-linear transformation is respectively derived, wherein each inverse transformation IV ^{1 is} derived from "F on F, ..., β _η The η-ary linear polynomial consists of:

Τ" ¹ = (ΤΓ ¹ , ..., T _s+ ¹ ), where: Ti' = Tn ,

···, ")),

Oj = Ty ^l, ... , A) = ^C ≠ + Ciji x + Cy ₂ y3⁄4 +... + C _{ijn n} , Randomly select the "metainvertible nonlinear transformation G" on s F, each n-ary reversible nonlinear transformation consists of functions on On on w F:

G = (G _b ..., G _S ), where:

= (G _n ( ..., %), ..., G _in ( ...,%)),

Then, the inverse function G- ^{1 of} G is derived, which is the inverse of the above-mentioned inverse transformation of the elementary reversible nonlinear transformation, where each inverse transformation is composed of "F on, F, ..., β _η Function composition:

 -1

G- ¹ = (G ₁ - ¹ , ..., Ο ¹ ), where:

^EF , Ι Ά,

The specific implementation methods of the above-mentioned Τ, G, G- ¹ are well-known technologies, and will not be described in detail herein. The third step is to synthesize the function group «« 、 , T, G into E(x), and establish a public key Ε '

Combine the above "<), T, G into an input on F, "a nonlinear transformation of the output: E(x) = T _{s + l} (G _s (T _s ( ... G/T/ ... G ₂ (T ₂ (G ₁ (T ₁ (« ₀ ( )))))···))···································· Put it. Substituting into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substituting into G _s , substituting (^ into T _i+1 . In the synthesis process, you can also not use the linear transformation T _i+1 . After E (x) is expanded and simplified, the metafunction on the root is obtained:

^U jO,k _l ...k _m ^A \ - -- ^A m

And at least one of 7T _1Q , 7Γ ₂₀ ,..., , _Q , that is, at least one of them is a rational function that defines E'(x) as the ''function in E(x)

E'(x) = (E^, ., £ E(x), then: (y ₁ ..., _1⁄4,) = £» is the / indefinite equations for ₁ , ..., ;

 Use Ε' as the public key.

The fourth step, put! ¹¹ , G- ^{1 is} synthesized as DO), and the private key {DO, R(x)} is established.

Combine T-G ¹ into the transformation of "input, η output" on F, which consists of "the metafunction of "about, _y":

O( ) = (Di(y _b ..., y _n ), ..., O _n (y _u ..., y _n )),

The DO can take a variety of function representations: it can be represented by a function or a simplification, or it can be used directly! ¹¹ , G- ¹ to indicate that it can also be represented by other functional forms;

 Use {DO , R(x)} as the private key;

 Step 5, encrypt and decrypt, digitally sign and verify

Let the signed data after the one-way function transformation be; =(^, ..., y _n the data to be verified is y = ( 'I, ..., ");

If " = «', ie

The invention can realize both encryption and signature of recoverable data by:

 When using the public key Ε' to encrypt or verify the digital signature, the plaintext w, or the digital signature w, is converted into ciphertext; or data; the calculation method is: j = E' = E'(H( X), If you accept the signature, otherwise reject the signature;

 When the private key {DO , R } is used for decryption or digital signature generation, the ciphertext; or data; is converted into plaintext w, or digital signature w, and the calculation method is: w=H— ;)=H— ^ DO );

If ">", that is, E'(x)cE(x), the present invention can only realize the signature of the unrecoverable data, and the encryption cannot be implemented. The method is as follows: When the private key {DO , R } is used to generate a digital signature, the data;, is converted into a digital signature IV, and the calculation method is: w

);

 When using the public key E'(x) to verify the digital signature, the calculation method is: j) = E'( ) = E'(HO)), if (^, ..., 3ν) = 0, ..., «'), accept the signature, otherwise reject the signature.

 The following describes some of the above-mentioned specific implementation process:

The preferred method of establishing Τ is: randomly setting a square matrix consisting of a series of reversible square matrices = { , ..., Α ₊₁ }, the inverse of which is ^μΛ ..., Α+r ¹ } And a vector group consisting of s+i upper order vectors

ι = 0, s. This kind of "linear transformation", for a polynomial in a rational fraction, when the addition of fractions requires a generalization, the number of times of the polynomial will be increased, which should be understood as a nonlinear transformation.

 The preferred method for establishing G is: pre-establishing a large enough function library; later, when needed, randomly extracting a number of simple functions from the library and combining them into complex encryption and decryption functions according to certain rules.

 Among them, the preferred method of building a function library is to select several different types of polynomial functions or rational fractional functions whose number of independent variables does not exceed ", and is reversible for its last independent variable, according to its The number of variables is divided into "classes"

S= { S ₁ ...,S„}, where:

Si = {β= G ₍ y)(ori, t), Od = G _{ij) ' ^x ( _u ... , θα, β), _/ =1, 2,... },

<3⁄4, β≡Έ _ρ , i =1, ..., η, G( _y ), G(y) - ¹ in the above equation, the number of independent variables is z, and the number in the middle is j - pair The inverse function. For example: For z=l, at least two records can be created in the function library.

G(ii): .

G(i ₂₎ : ;

For z=2, at least 4 records can be created in S ₂ in the function library:

G(2i): β= ( axOi + .

Mod pa, = mod p;

, (22) ta, +t, t _xx + 1,

 (23): β 2 mod p (23) , mod p .

 Τ

G, (24): β = ^ ^χ(Χχ + ² mod p, G, a. = ^J - -—— - mod p .

 , . (twenty four)

 ,

 After the database is built, the nature of each function, the nature of its different combinations of functions, and its best use are analyzed. The rules and strategies for automatically generating the cryptographic algorithm are developed, and the rules are implemented. Strategy software.

Further, the use of the above-described method of establishing a library of G is: for z = l, s, were randomly selected for each water reciprocal pair of functions from the function library S "classes s ₁ s" in:

G={G _b ..., G _s j, where: G, = (G _n(1 ), ..., G _M

 G' = {G ,..., G }, where: G," = (Gn(i)" ,..., ),

 G , Gy() E S/,

In the above formula, G, G _m ■i厶, not the number of its independent variables is ^ and for it;

 -1

Reverse, in. , the first function in the zth function vector of G. The advantages of this type of G are: In the encryption process, the functions are independent, the latter calculation does not need to refer to the result of the previous calculation; but in the decryption process, the latter calculation refers to the result of the previous calculation. , making the decryption function more complicated than the encryption function, BP: The z-layer encryption function vector is:

Ui2 = G/2(2)(Vn, ),

U _in = G _S (2)(Vn, V _i2 , ―., V _in ),

The function scale of the corresponding decryption function vector G ¹ of the i-th layer has exploded:

Vin = Gin{n) (1⁄41, ^―, U _in )

= Gin(n) ^l { G/i(l)

U _in ). Other problem explanation: When seeking the value of the rational fraction, you may encounter that although the denominator is not a polynomial of 0, but the value of the denominator polynomial as a function is 0, resulting in an error in encryption and decryption. Although the probability is small, the necessary fault tolerance or corrective measures should be taken.

 Referring to Figure 4, the following briefly describes the relationship between H(x), R(x) and H-:

 In the process of establishing a public key, HO) belongs to the public cryptographic algorithm, hidden in the function group E, and it is difficult to separate R(x) and T, G from E(x);

In the process of establishing the private key, G- ^{1 is used to} establish D0, and the ciphertext is obtained by DO to obtain the intermediate result z, that is, the value of the function group "ο when encrypting:

 Ζ = (Ζ\, .— = llo(x) = ( o\(X\,... , Xm),... , 3⁄40«( 1,... ,

However, the further decryption calculation needs to consider the inversion process of H ^ and as a whole, and it is necessary to establish a total inverse function with the cooperation of the two: ιν = Η· :>. The reason: In the process of input X from the output ζ reverse, the use of its own parameters, but also use the one-way function chain ΗΟ), and only use R (x) can not transform ζ into x. So the rule Η· ) is a direct transformation from Ζ to w, and the parameter R(x) needs to be used when calculating Η· ¹ , Η· ) satisfies: w =

= H ( R( HO))).

 The parameters of R (including function form and coefficients) are part of the private key and will be kept secret by the authorized user.

For a more detailed description of the specific embodiments of the embodiment, an example of a small data is described below, as shown in FIG. 5 and FIG. 6, wherein the virtual box 501 represents a process of processing by using a one-way function chain x=HO, a virtual frame. 502 represents the process of processing using the public key E'(x); the dashed box 601 represents the process of processing with the private key z = DO, and the dashed box 602 represents the processing of the secret parameter 6 ₃ using the inverse function H_ and the private key. process.

Let F be the finite field F; ?=17, n=n ^, =2, m=3, s=\, H _1; 3⁄4, 3⁄4 are 3 one-way functions. For the sake of verification, the algorithm is assumed to be (^ = The algorithm for _3⁄4 (» = 3⁄4(^= modl7, the parameter e ₃ =2 of the function R(x), setting the one-way function chain HO) is:

X\ = (w\ + Hi(w ₂ ) ) mod p = (w\ + w ₂ ) mod p, x ₂ = (w ₂ + H ₂ ( i) ) mod p = (w ₂ + X\ ) mod p = (w ₂ + (w\ + w ₂ ) ) mod p,

 3 3 3

3= H ₃ ( ₂ ) = Xi mod p = (w ₂ + X\ ) mod p = (w ₂ + (w\ + w ₂ ) ) mod ρ·, whose linear transformation T, T ¹ (represented by β) And the nonlinear transformation G, G- ¹ are:

B 1 - ^ll b ₁₂ )=(l,2), B ₂ = (b _2l , b ₂₂ )=(5,7),

 1

G ₁₁₍₁₎ : u _n =― mod 17, G ₁₂₍₂₎ : u _l2 =— modl7

 v\2

G ₁₁₍₁₎ - ¹ : v _n =— mod 17, G ₁₂₍₂₎ - ¹ : v _xl =― mod 17 Use the above parameters to derive Ε' = Ε( ): oi = (χ\ + e ₃ Χ3 ) mod p,

 UQI = 3⁄4,

Vll = («111 UQI + «112^02 + ^ll) mod p,

Vl2 = («121 «01 + «122^02 + b _U ) mod p,

Mii = (l I n) mod^, u _xl = {v _n lv _xl ) mod^,

V ₂ 1 = («211 «11 + «212^12 + 3⁄4l) mod pm. Dp

22 = («22i «ii + a ₂₂₂ u _u + b ₂₂ ) mod p Substituting specific values, deriving

J^l =Ει( ι, ₂ , X3) = ν ₂ ι

γ ₂ = Ε ₂ (χι,χ ₂ , X3) = v ₂ 2

 Since " = r = 2, E'(x) = Ε(:) is specified.

Then, derive the corresponding decryption function DO:

«11 = (3⁄4ii + C2U (y ₂ b ₂ 2) ) mod;?, tin = (<3⁄42i

+ c _iri (y ₂ b ₂ 2) ) mod;?, 11 = (1 / 3⁄4ii) mod p,

 12 = ( n I un) mod;?,

(cm ( n - bn) + Cn ₂ ( i2 b ₁₂ ) ) mod;?,

 1

Ύ\Ύ1 ( ^_ ^ll + -)

 «222(^1 -^21)

211 222― 212 221 211 222 — 212 221 a\\\ ^a \22― ^a in ^a

UQ2 = (Ci2i ( n - bn) + C ₁₂₂ (v _i2 - bi ₂ ) ) mod

«222(^1-^21) «212(^2-^22)

 Q Q ― Q o o o ― o o

 211 222 212 221 211 222 212 221

 (- · +

(α _ηι (- b ₁₂ + 1/ ((- "2 ₂₁ 0 ) + a ₂ (y ₂ -b ₂₂ ) )

 / Q o ― o o o o ― o o

 I "211 222 212 221 211 222 212 221

( "222 O ) a _2l2 y ₂ _b ₂₂ ) 》》 - _an2aui )) _{mod p} ;

211 222 212 221 211 222 212 221 /

If the DO adopts the expanded representation, the above formula is substituted into a specific value, and is derived.

Z = (z!, ..., z _n ) = O(y) = (DjCyj, y ₂ \ D ₂ (y!, y ₂ )) , where:

15 + lOv, +2v _{7 t} ^

 Z^=Ό^(V^ V ) = Urn = : ―——― ^ mod 17,

^{1 llyi} ' ^{1⁄2j 01} 14 ₊ 15^ _{1 +} ^ ² ₊ 12^ ₊ 11^ _{2 +} 11^ ₂ ²

, 10 + 2^ +8^ ² +y ₂ +3 _yi y ₂ +3y ₂ ² Obviously, the above-mentioned expanded E and DO are lost compared to the structure before the expansion, such as hierarchy and nesting. This property poses great difficulties for cryptanalysis; however, D0 is usually very high, and it can only be fully expanded if the function is simple.

To calculate the inverse of a one-way function chain ¹ ^, you need to use the secret parameter of the private key e _3:

x\ = {z\ - _{3 3⁄4} ( )) mod p,

w ₂ = z ₂ - H ₂ ( i) = ( - H ₂ (zi - e _{3 3⁄4} ( ))) mod p, wi = ^i - Hi(w ₂ ) = ((zi - e _{3 3⁄4} ( )) - Hi(z ₂ - H ₂ (zi - e _{3 3⁄4} ( )))) mod;?, although the true one-way function is not expandable, according to the special provisions of this embodiment:

w ₂ = (z ₂ - (ζι - 2 ³ ) ³ ) mod p, Wi = (zi - 2 z ₂ ³ - (z ₂ - (ζι - 2 ³ ) ³ ) ³ ) mod ρ·,

 For example: Let plaintext w = (7,8), x = U(w) = (9, 6, 12), ciphertext j = E(x) = (3, 12); z = O(y) = ( 16, 6), the recovered plaintext w = H_ ) = (7, 8), which means that the above encryption and decryption algorithm is correct. The same reason can prove the correctness of the signature algorithm.

 PKI (Public Key Infrastructure) is a network trust technology system based on public key cryptography. In recent years, PKI construction has faced major challenges, highlighted by the sharp increase in management costs. One of the main reasons is that the current public key cryptosystem is difficult to adapt to the complex use environment of ultra-large-scale networks. The present invention proposes a basic countermeasure for a public key cryptography to cope with the challenge of building a network trust system: an identity-based public key cryptography system.

 The so-called "identity-based" means that the content of the public key is the user's identity mark ID - some combination of information such as name, phone, email, etc., with the information itself, you can directly determine who the public key belongs to. Instead of using a public key certificate like PKI, bind the user's ID to the user's public key. The essence of this technology point is that "all users share a public key". The realization of "identity-based" brings the benefits of public key management in the network environment: first, the economic benefits are significant; second, the user capacity is huge; third, the integrated management of public key data and user identification is realized.

 Referring to Figure 7, an embodiment of a method for encoding and decoding digital messages is shown, and Figure 7 shows a flow chart of the steps. This embodiment adopts an identity-based technology point, and specifically includes:

 Step 701: Select a positive integer w, n, n r, where m > n ≥ n, ;

Step 702: Generate a public key including E′(x, ID), where E′(x, ID) is from the domain F, ..., x _m , ID

a non-linear mapping function group of ..., jv), said ID = (ID _1;

ID) is the identity of the authorized user; and, in the E'(x, ID), the interface function R(x) is implicitly included, which is used to obtain "one (Xi, ..., ) according to (1) The function: ₀ (x) = ( oi(x _U ..., X _m ), ...-,

U0n(X\, ···, )) = R(X);

 Step 703: Generate, according to an authorized user whose identity is Π, a private key corresponding to the identity, where the private key includes R;

Step 704, setting a one-way function chain HO), and an inverse function of the one-way function chain H- ¹ ^;

 Step 705: Using the public key, the one-way function chain HO) and the ID (^), encoding the message to obtain the encoded message N; using the private key and the inverse function H-) of the one-way function chain Encoding the message N to decode, to obtain a decoded message;

And/or, step 706, using the private key and the inverse function H of the one-way function chain to encode the message M, obtaining the encoded message using the public key, the one-way function chain HO), and the ID (^), Correct The encoded message N' is decoded to obtain a decoded message 7.

 In this embodiment, the public key and the private key can be obtained by the following steps:

Set the set of reversible nonlinear mapping functions from X to: (y ₁ ..., y _n ) = E( , ID) = (Έ^,...,x _m , ID ₁ ... , ID _r ), ... , E„(x _h ..., x _m , ID _h ... , ID _r )) _;

 Generating a private key according to the inverse function of E(x, ID);

 Select "' function as E'(x, ID) in E(x, ID) to get the public key

 When used for the encryption and decryption process, m>n = r; and in the case of >«≥«', it can be used for various digital signatures.

 Preferably, the present embodiment may also obtain the public key and the private key in other preferred steps, which will be described in detail in the following specific embodiments.

A preferred example of the present embodiment is described from a mathematical point of view (taking the rational fraction as an example) as follows: Let the ID be the user identity after the specified transformation, ID = (ID ₁ ..., ID, r is a positive integer, ID^F; The coefficient in the public key Ε' 规定 is defined as the mapping function of the ID. After the public key is expanded, simplified, and collated, it can be expressed as a +r element nonlinear transformation on F:

 (yi, ..., JV) = E, (x, ID)

(Ei( i, ..., x _m , IDi, ID _r ), E _w i, ..., x _m , ID _b ID _r )),

x ^e _} Q, - , pi-p _r , ^e n, - , px , F, lim, ljn, l^k^r, πβ^Ο, π^^Ο, τ>0, and at 7T _1Q , ΤΓ ₂₀ ,..., ^Ο at least one _Ό ≥1; use the E'(x, ID) as the identity-based public key shared by all users in the public key cryptosystem.

 The purpose of combining "ID mapping" in this embodiment is to implement an identity-based public key cryptosystem. An example of a specific implementation process is described in detail below:

 The first step is to define the password parameters T and G as functions of ID.

This is a different place from the previous embodiment: at least one of the coefficients of T and / or G is a mapping function of the ID. Gp, at least one coefficient of any one or more of T is ID a mapping function; and/or a mapping function in which at least one coefficient of any one or more of G is an ID. Preferably, at least one coefficient in the last layer is a mapping function of the ID; and/or at least one coefficient in the last layer is a mapping function of the ID.

For example, let the authorized user's identity ID = (ID ₁ ..., i ), r be a positive integer, ID ^ F; the coefficient of the function in T, G is specified by the private key distribution center as the mapping function of the ID , so that T, G become a function of ID;

 The benefits of doing this are: Limiting the size of the function of the public key E'(x, ID). For example, E'(x, ID) is just a function of ID^^ID. On the contrary, if you put it! The coefficient in ^ is defined as a function of ID. After the nonlinear transformation, the number of IDs increases, making the function size of the public key too large, reducing the practicability.

 The second step is to synthesize 1\ G into E(x, ID) and establish the public key E'(x, ID)

Combine " _Q (x), T, G into a nonlinear transformation on F:

 y = (yi, ...,_3⁄4) = E(X, ID)

= (Ei( i, ..., x _m , IDi, ID _r ), E _w ( i, ..., x _m , ID _b ID _r )), after expansion, simplification,

y _f =E

^X " y ^e j0,k _l ...k _m ,p _l ...p _r , ^e jXk _l ...k _m ,p _l ...p _r , iU _k ^ t, lim, ljn, l^ k^r, πβ^Ο, π^^Ο, τ>0; Let E'( , ID) = ( Ει( ι, ... , IDi, ... , ID _r ), ... , E _wb ..., x _m , ID _b ... , ID _r )),

E'( , ID) £ E( , ID);

 E'(x, ID) is publicly released as a public key shared by all users;

The third step, put! ^ ^1, G- ¹ synthesized as D0, the establishment of each user's private key {DO, R} private key distribution center to an authorized user ID code parameter substituting TG ^1, the synthesis TG- ¹ to D0, then {DO, R(x)} is sent as a private key to the authorized user for secret storage;

In the above synthesis, the small difference in ID, after a series of formula derivation, will result in a huge difference between the public and private keys. The fourth step, encryption and decryption, digital signature and verification

Substituting the identity ID (^) of the authorized user f into E'(x, ID), deriving E and encrypting or verifying the data processing of the digital signature, BP: γ = Ε 'κ{χ) =

ΙΌ(Κ)) ₀

To more clearly illustrate the specific embodiment of the present embodiment, an example of a small data is described below: Let r = l, ie ID = (ID), e ₃ = 2, = (b„, b ₁₂ )= (1, 2), B ₂ = (b _2U b ₂₂ )= (5 + \5 ID + ID ² , 6 + 16ID + ID ² ),

a 211 212 1 + llID + ID' 2 + 12ID + ID

 a 221 a 222 3 + 13ID + ID 4 + 14ID + ID

15 + 10ID + 8ID ² 1 + 6ID + 9ID^

1 + 2ID + ID ² 1 + 2ID + ID ²

 A,

 10 + 15ID + 9ID 8 + 3ID + 8ID

1 + 2ID + ID ² 1 + 2ID + ID ² Using the similar method derived above, calculate the public key shared by all users as:

E'( , ID) = E( , ID) = (Ei( i, x ₂ , x ₃ , ID), E ₂ (x ₁ x ₂ , x ₃ , ID)), where:

= ((16 + 10ID + 13ID ² + 5 j + lOID j + 9ID ² j + 2ID j ² + 7IDV+ 6 ₂ + 14IDx ₂ +llID + 8 1 2 + 15ID i ₂ + 16ID ² i ₂ + 16x ₂ ² + 5IDx ₂ ² + 4ID ² + 10 ₃ + 3ID ₃ + ID + 8ID i ₃ + HID ² i ₃ + \6x ₂ x ₃ + 13IDx ₂ x ₃ + 15ID x ₃ + 8ID ₃ ² + 11ID3⁄4 ² ) / (12 + _{\ 3χ + χχ + \ Αχ 2} + 9χ χ χ 2 + 14χ 2 2 + 9χ 3 + 4χχ 3 + χ 2 Χ3 + 4χ 3 2)) mod 17,

^2 = Ε ₂ ( ι, 2, Χ 3, ID)

= ((13 + 7ID + 13ID ² + lO j + 15ID i + 9ID ² j + 13 j ² + 15ID i ² + 7ID ² xi ² + 14 ₂ + 5ID ₂ + 11 ID3⁄4 + 1 χχ ₂ + 4ID i ₂ + 161Ό ² χχ ₂ + 10x ₂ ² + 16JDx ₂ ² + 4ID ² + 3x ₃ + 13ID ₃ + ID + 1 3+ 9ID i ₃ + HID ² i ₃ + \\χ ₂ χ ₃ + 8IDx ₂ x ₃ + 15ID x ₃ + x ₃ ² + 9ID ₃ ² + 11ID3⁄4 ² ) / (12 + \ χ _χ +χχ + 14 ₂ + 9χχ ₂ + Πχ ₂ ² + 9χ ₃ + 4 ι ₃ + Χ2Χ3 + 4 ₃ )) mod 17;

The private key distribution center establishes a private key for each authorized user. For example, for a user with ID=6, the value of the ID is substituted into the relevant password parameter: B ₂ = (b ₂ i, b ₂₂ ) = (5 + 15 ID + ID ² , 6 + 16 ID + ID ² ) = (12, 2),

Then derive the user's private key DO is

For example: Let plaintext iv = (7, 8), x = HO) = (9, 6, 12), ciphertext j = E(x, ID) = (4, 9); z = DO = (16,6 ), the recovered plaintext iv = IT ¹ = (7, 8), indicating that the above encryption and decryption algorithm is correct. The same reason can prove the correctness of the signature algorithm.

 Correspondingly, with respect to the above embodiments, the present invention also provides an apparatus embodiment, which includes at least the following units:

a public key generating unit, configured to generate a public key including E'(x, ID), which is a slave ID _b ..., ID _r ) ilJ (y) on the domain F !, j) of the non-linear mapping function group, the ID = (ID _1; ..., ID is the identity of the authorized user; and, the E' (x, ID) implicitly contains the interface function R ( x), which is used to get a function about (χι, ..., ) according to (i, "( :) : ^^·^, x _m ), u _0n (x\, ..., x _m )) = R(x); where m, n, r , r are positive integers, m > n≥ n, ; a private key generation unit for generating an identity with an authorized user whose identity is π Identify a corresponding private key, the private key including R;

 a one-way function chain determining unit for setting a one-way function chain HO), and an inverse function H− of the one-way function chain, and at least one of an encryption/decryption unit and a signature verification unit, wherein

 An encryption and decryption unit, configured to encode the message by using the public key, the one-way function chain HO) and the ID (^), to obtain an encoded message N; using the private function and the inverse function of the one-way function chain H—) Decoding the encoded message N to obtain a decoded message;

Alternatively, the signature verification unit is configured to encode the message by using the private key and the inverse function H-) of the one-way function chain to obtain the encoded message N, and use the public key, the one-way function chain HO) and Π, The encoded message N' is decoded to obtain a decoded message 7. The following describes some of the ambiguous information in the specific implementation process of the above embodiments.

 How to make the number of IDs in the public key low, and the number of equivalent IDs in the private key is very high:

(1) Injecting the mapping of the ID in the last layer of the encrypted password parameter (for example, the coefficient in G _s ), for the derivation process of deriving the decryption function, it is equivalent to injecting the mapping of the ID in the first layer, after the latter The multi-layer nonlinear transformation magnifies the number of IDs in the decryption function.

(2) Using a relatively large one, in the process of sequentially calculating during decryption, since ^^ is to participate in the operation of v _y , the number of IDs of the decryption function is serially amplified.

 (3) Use a nonlinear transformation whose nonlinear number remains constant, for example, set to:

t jkQ + t jkl ^V jl +... + t jkn ^V jn ,

u _jk = G _jk (v _jU ... , v _jn = _{+tv + +tv} ^m ,

'jOO 卞^{ jOl 1 卞...卞^l jn ^v jn tjkh tj0l≡Y _p , jk, V _jk ≡¥ _p (Xx, ..., X _m ), k= 1, and then G ' is derived. o

Gΐβ ) is:

_ one ^12^ ₇ 20 + tj\. Tj 22一tj22tj00 ^U j + ^j20^j02 ^U j\ + ^j\2^j00 ^U j2一^j\0^j02 ^U j2

Mod p ^j\2^j2\—tjVitj22 ⁺ ^j22^jO\ ^U j\ ~ ^j2\^j02 ^U j\ ~ ^j\2^jO\ ^U j2 + ^j\^j02 ^U j2

v _ ^l j\Vj20 ^L j j2\ ^{τ L} j2VjQQ ^u j\ ^l j20 ^l j0\ ^u j\ ^l j\\ ^l j00 ^u j2 ^{τ l} j\0 ^l j0\ ^u j2 _mQ( ^ p —tj tj 22 ⁺ ^j22^jQ\ ^U j\ -^/■ 21^/02^/1 ~^j\2^jQ\ ^U j2 + Ί 1^/02^/2

 Obviously, if the coefficient ^ in the above encryption process is specified as the mapping function of the ID, the number of decryption process IDs is n times the number of IDs in the encryption process, and the number of times remains unchanged.

 Further, the specific coding code step in this embodiment can be optimized as:

 For the case of encryption and decryption, the original message may be converted into an intermediate result message M by using a one-way function chain (HO), and the message is encoded by using the public key and ID (^) to obtain an encoded message N; The private key decodes the encoded message N to obtain a decoded message, and converts the intermediate result message into a final decoding result by using an inverse function H-^ of the one-way function chain;

 For the case of signature, it may be: using the private key to encode the message, obtaining an intermediate result z, transforming the intermediate result z into a digital signature message N through the inverse function H of the one-way function chain, and, through a one-way function The chain HO) converts the digital signature message N' into an intermediate result X, and uses the public key and ID (^) to decode the intermediate result X to obtain a decoded message 7.

Since the technical point about the one-way function chain has been described in detail above, it will not be described here. Ho sub-step a, obtained from the calculation of T ¹ and ^G-1 D0, and, associated with said DO ID; ho sub-step B, the D0 is divided into at least two parts, at least two private key stored in the distribution center , each part is related to the ID;

 Sub-step c, each private key distribution center substitutes the authorized user identifier Π into the part DO that is secretly saved, calculates a part of the private key, and sends it to the user;

 Sub-step d, the user synthesizes the private key of each part, and calculates the private key.

 As shown in FIG. 8, it is a schematic diagram of a plurality of private key distribution centers of the present invention jointly establishing a private key. An example of the above process is described mathematically as follows:

 (1) A unique primary key distribution center in the network ^(^ establishes the public key E'(x, ID) and establishes a private key generation function corresponding to E'(x, ID):

Z = (ζχ, ..., z _n ) = O(y, dx, d ₂ , ...)

= (Di(y _b ..., yd _x , d ₂ , ...), D _w (y _b ..., yd _x , d ₂ , ...)), argument 4 in the function, 4, ... is the mapping function of ID: ά _χ = _χ {ΙΌ), d ₂ = f ₂ (W), ... ;

(^, ^(^ According to the agreed method, separate DO, ^^ into parts: {Dd A, d ₂ , ...), O ^(h) (y, d _x , h, ...) }, sent to 2 secondary private key distribution centers, ie

Send D^j, ^^...) to the KDC for secret preservation; and send _i(ID), / ₂ (ID),..., to all secondary private key distribution centers to secretly save; The specific implementation method of separating Ο, Α, Α, into two parts is a well-known technique.

(3), when establishing a private key for an authorized user f, KDC ₂₁ , ..., 10) _2/! first substitute the value of the identity ID (^) of the authorized user K into the mapping of the ID. Function / ID), / ₂ (ID),..., calculate the value of 4, 4, ...; then substitute the value of H. into KDC ₂₁ , KDC _2A secretly saved Ό, d _h d ₂ , ...), Calculate

.

(4), authorized user f from KDC ₂₁ , ..., KDC _{2 /} ^ do not receive D) O, ..., D) O, according to the agreed method, restore to the user's complete private key :).

 The technical point of using multiple private key distribution centers to synthesize private keys is to ensure that even the internal personnel of the private key distribution center cannot steal the user's private key. To illustrate the specific implementation more clearly, an example of a small data is described below:

In the foregoing embodiment, it is assumed ^ ₁ ^ is the number of elements, the elements are mapped β ₂ ID, G, there is no parameter, the secret key generation function

z = (zz ₂ ) = O(y, A ₂ , B ₂ ) = (O, (y, A ₂ , B ₂ ), D ₂ (y, A ₂ , B ₂ )), where: z\= Di(yi, y2, «211, <3⁄4i2, <3⁄42i, <3⁄422, 3⁄4i, ^22)

 +

15<72l

+

 twenty two

2 <¾11 <¾12 <¾21_½ - 2 (2211 <¾2 ½) / (16 <¾ 21 <¾ 22 6 21 + <¾ 12 <¾ 21 b 21 b22 + <¾11 <¾22 21 22 + 16 <¾ 11 (¾ ₁₂ b ₂₂ ² + 2<3⁄4 ₂₁ <3⁄4 ₂₂ b _2L yi + 16(3⁄4 ₁₂ <3⁄4 ₂ ib _2Z yi + 16<3⁄4 ₁₁₍ 3⁄4 ₂₂ b _2Z yi + \6a ₂₂ ia227yi ² +

16i3⁄4 ₁₂ i3⁄4 ₂₁ b _2L 1⁄2 +

+

16<3⁄4 ₁₁₍ 3⁄4 _lz y ₂ ² )) mod 17

= D ₂ (yi, «211, <3⁄412, <3⁄421, <3⁄422, 3⁄41, 22)

+ 14<72l

+

 twenty two

<¾11 <¾22 21 22 + 16 <2 2 11 «212¾2 + 14 <¾12 <¾ 21 + 3 <2 2 11« 221 ^ 222 ^ 1 + 2 <¾ 21 <¾ 22 b 2l yi +

_{16 <¾ 12 <<¾2 ½} ¾ 21 b 2Z yi + 16 <¾ 11 (¾ 22 b 2Z yi + \ 6a 22 ia227yi 2 + 3 <¾ 11 (¾ 12 <¾2ΐ_½ + 14 <¾ιι 2 +

16i3⁄4 ₁₂ i3⁄4 ₂₁ b _2L 1⁄2 +

+

\6a ₂ n _lxl yi (2a ₂₂ 1 «222^21 ² + 15<3⁄4i2<3⁄42i 2i 22 + 15a _2U a ₂₂₂ b ₂ ib ₂₂ + 2a _2U a _2U b ₂₂ ² + 13<3⁄4 ₂₁ <3⁄4 ₂₂ b _2L Yi + 2<3⁄4 ₁₂ <3⁄4 ₂₁ b _2L y ₂ +

2ί3⁄41ΐί3⁄422 1_1⁄2 +

2ί7 ₂₁₁ ί3⁄4 _1Ζ 1⁄2 ² )) mod

17

Let ?=2, decompose 00 , ^ ₂ , :) into 2 parts, for example, it can be specified as:

D ⁽¹⁾ (j , A ₂ , B ₂ ) = two molecular polynomials in DO , A ₂ , β ₂ ),

O ⁽²⁾ (y, A ₂ , B ₂ ) = two denominator polynomials in O(y, A ₂ , β ₂ ).

KDCn sends the above D ⁽¹ 3⁄4, Α ₂ , β ₂ ) to KDC ₂₁ , D( ² 3⁄4 , Α ₂ , β ₂ ) to KDC ₂₂ , and maps ID to 4, 4, ... The functions are also sent to them.

When establishing a private key for an authorized user, KDC ₂₁ and KDC ₂₂ respectively substitute the ID of the user into the mapping function, and calculate "211, «212, «221, «222, ^1, 1⁄2, and then substitute them respectively. :

«211, «212, «221, a , b _2l , b ₂₂ ), O ⁽²⁾ ( , a _2n , ₂ n, a ₂₂ \, «222, b _2l , b ₂₂ ), calculate D ⁽¹⁾ O, D ⁽²⁾ 0 , and then sent to the user separately;

Authorized users receive D ⁽¹⁾ 0 and D ⁽²⁾ 0 from KDC ₂₁ and KDC ₂₂ respectively, and then restore to DO according to the specified method.

In the above scheme: each KDC _{2 is} not restricted by the management system and computing power, but is unable to steal the user's private key due to lack of information; and the KDCu that grasps all the secrets is usually in the closed storage state and does not directly participate in the establishment. Private key. It is recommended that KDCu establish a private key generation function, Renaming variables (such as ll, «212, «221, «222, ^1, 2) can achieve better results. In order to realize the personalization of the private key form, the embodiment may further include the following steps: In the process of generating the private key, the random transform w() and the inverse w-) are inserted.

 The personalization of the private key form from a mathematical perspective is as follows:

 In the process of synthesizing the private key DO, insert the random transform W0 and the inverse W_ :

DO) = D,(D _a 0)) = D.CW-^WCD^)))) = D (D, .0 ), where D, _fl ()=W(D _fl ()), D', ()=D, (W- ¹ 0), it is difficult to decompose W(), W-) from D, _fl (), D (), respectively. The specific implementation method of W(), W^) is a well-known technique.

 In summary, the basic idea of personalization of the private key form is to insert a random transformation in the process of deriving the DO to cover the correlation between DO and ID, and hide R; thus: For the private key D0 of different users Not only is its mathematical nature different, but its function expression is also subject to two independent factors, one from ID and random transformation, which effectively improves the ability to resist collusion.

In order to more clearly describe the specific embodiment, an example of a small data is described below, as shown in FIG. 9, which is a data flow diagram of the embodiment of the small data of m=U and n=8 of the present invention to realize the personalization of the private key form:

A random linear transformation W ₂ 0, W^O is inserted between IV ¹ , and the specific steps are as follows:

 The first step is to calculate:

They are all 8-ary rational fractions, and their numerator and denominator are linear polynomials with the same denominator.

 The second step is to calculate in order:

II = D _V II (M'II, is), which is a 8 yuan secondary rational fraction;

VI2 = D _V I ₂ (M'II, is, ii), which is a 9-order 2-order rational fraction;

I3 = D _V I ₃ (M'II, ... is, vii, v _l2 ), which is a 10 yuan 2 rational fraction;

I4 = D _V I ₄ (M'II, ... 18, Vll, Vl2, is), which is a 11-order 2-order rational fraction;

VI5 = D _V I ₅ (M'II, i8, vn, ..., v _l4 ), which is a 12-member 2-order rational fraction;

I6 = D _V I ₆ (M'II, i8, vn, ..., i ₅ ), which is a 13-order 2-order rational fraction;

VI ₇ = D _V I ₇ (3⁄4'II, i8, vn, ..., v _l6 ), which is a 14-member 2-order rational fraction;

I ₈ = D _V I ₈ (M'II, i8, vn, ..., v _l7 ), which is a 15 yuan secondary rational fraction;

The above; ii, the argument of the substitution when deriving the formula; the value substituted in the decryption calculation. The third step is to calculate:

ζ' _Γ Ό _ζΊ {ν _η , ..., ν ₁₈ ), 1^8, which is an 8-element linear polynomial;

 The fourth step is to calculate in order:

Xj = O _XJ (z , ..., z' ₈ ), =7,8, which is an 8-element linear polynomial;

(xx _w , _n , ₁₂ ) = K ₂ ( ₇ , ₈ ), which is a combination of a set of one-way functions;

Xj = O _XJ (z , ... , z' ₈ , x _% io, n, i ₂ ). l^/ 6, which is a 12-ary linear polynomial; (w _u ..., w,) =

..., x ₈ ), which is a combination of a set of one-way functions.

Where ..., z ₆ ) is hidden as a set of intermediate results in the calculation process of the fourth ,, which can be understood as the parameter of R(x) in the private key is also hidden in the personalized private key, for the authorized user Confidential.

 When using "multiple private key distribution centers to jointly establish user private keys", each secondary private key distribution center should use the same W), ν".

 In the following, from the perspective of engineering application, the quantitative design of the cryptographic algorithm is further understood, and the present invention is analyzed in more detail. Referring to Fig. 10, there is shown a data flow diagram of an encryption process of the small data embodiment of the invention = 12 and = 8.

 Let "="'=8, m=12, s=2:

 (1) Set a sufficiently large ;? according to the allowed encryption and decryption error probability.

(2) Set the appropriate one-way function chain, for example, its K ₂ part combines the functions of the four one-way functions into one one-way function.

 (3) The following factors should be considered when setting ", m, T, G:

The number of elements of the solution set of the indefinite equations Ε'^Η^, ..., jv) is approximately, which should be greater than 2 ⁶⁴ . Let 3 be the number of times E'(x) about X, then the number of terms of an m-ary δ-degree polynomial is

, which reflects the storage space and encryption speed of the public key, should be as small as possible.

The number of times that DO is about; then, the number of items in the polynomial polynomial is C _{+ / l} , which reflects the difficulty of using the linear attack method to decipher the private key, and should be as large as possible. The condition for implementing a linear attack is that the known function z = « _Q = R can be randomly generated in large quantities (z, right.

In the identity-based mode, let τ be E'(x, ID) for the number of ID ₁ ..., ΐ, then the number of items of a +r-order polynomial is C^C^, which reflects the public key Storage space and encryption speed should be as small as possible.

 In the identity-based mode, in order to hide the mapping function of the ID, the derivation process of establishing D0 can be divided into several segments:

O(y)=O _k (...O _b (O _a (y))...), And expand D _fl 0, D, (), D ) respectively; because the ID is mapped to D. 0, so the D. Each coefficient of 0 is equivalent to an r-ary/sub-polynomial with respect to the ID, and the number of terms of the polynomial is C.

Make it much larger than the attacker's ability to collect a large number of private keys.

 Assume;? Is 32 bits, n=8, m=12, s=2, is:

Gn: tin = ( nvn + ^112) mod/?, G — i: _{V =} ^n -fii2 _D

 -1

Uij- ∑ ι _≠ Μ-∑ υΛ- ^ε ι

-1 \≤k≤h≤ jl k=\ 1 0 0 j : v _j = mod/?, j =2,...,8,

1 ^V 1J— 1 where the parameter hjk,

s is the coefficient in the quadratic rational fraction;

G ₂ uses the "non-linear transformation whose nonlinear number remains constant" as described above:

J0 + ;'1 ^V 21 +... + ^27'8 ^V 28 ,

G _2j : ^u ij =― mod p , = 1, 8

,200 + ,201 ^V 21 + · · · + 1⁄28 ^V 28

G ₂ J ^v 2j = mod;?, = 1, -·, 8

Wherein, G ₂ - ¹ _gy coefficients, the coefficient to be understood as the _{G 2 ½ (), ...,} 88 8 linear function; G ₂ is disposed linear function ID, then G ₂ - ¹ It is the 8th function of the ID.

 The relevant technical indicators and encryption and decryption steps of the above schemes are as follows:

_W;3⁄42 32(i2-8) _{= 2} i28 _; C^ = C3⁄4 ₊₂ =91, ie E(x) has a total of 91 X 9=819 items (8 identical denominator polynomials, which should be counted as 1 polynomial ); but in the identity-based mode, let τ = 1, r = A, C _m ^d ₊₅ Cl _{+ T} =

That is, E, (x, ID) has a total of 455 X 9 = 4095 items. The encryption steps are:

The first step is to calculate x=HO) _:

( i, ... , x,) = K _l (w _l , ..., w ₈ ), which is a combination of a set of one-way functions;

(x lO, X11, Xll) = K ₂ (w ₇ , w ₈ ), which is a combination of a set of one-way functions;

The second step is to calculate E'(x,ID): Yj = Ej(x _u ... , ₁₂ , ID!, ... , ID ₄ ), l ^y 8, which is a 16-member 3rd rational fraction.

The number of DOs for J = 255, C^ _{+ A} = C3⁄4 ₅ = 509850594887712, that is, the storage space required for a linear attack under the condition of known R(x) is:

(C) ² =259947629107353817789888594944 > 2 ⁶⁴ ; In an identity-based manner, assume D. 0 The number of times is 4, Bay ij = 4 X 8=32, the number of private keys that need to be collected to complete the collusion attack = C ₊₃₂ = 58905. The main way to improve this indicator is to increase r. For example, when r is increased from 4 to 10, = (^ ² ₂₊₂ (^ ₀₊₁ = 1001, ie the function size of E'(x, ID) is only increased from 4095 items to 1001 X 9=9009 Item, but its anti-collusion attack index increased from 58905 to C3⁄4 ₊₃₂ =1471442973, an increase of 24979.9 times, equivalent to: If there is a collusion attack on the national ID card public key cryptosystem of 1.4 billion people in China, at least Buying 1.47 billion private keys clearly lost the meaning of a collusion attack.

 Of course: even D. 0 The number of times is 4, and its function size is still large. For this reason, it is preferable to adopt the aforementioned "private key form personalization" technology point.

 With the foregoing preferred embodiment, the ID mapping method is used to establish an identity-based working mode, so that all users of the entire network share a public key, which brings great convenience to the public key management in the network environment; The method of "multiple private key distribution center synthesis private key" and "private key form personalization" improves the anti-collusion attack ability of the cryptosystem.

 The various embodiments in the present specification are based on the same technical concept, and therefore, the descriptions are all unique to the embodiments, and the same similar parts between the respective embodiments can be referred to each other. Moreover, for the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.

 The foregoing provides a method and system for encoding and decoding digital messages, and a method and apparatus for digital signature provided by the present invention. Detailed descriptions of the present invention apply to the principles of the present invention and The embodiments have been described, and the description of the above embodiments is only for helping to understand the method of the present invention and its core ideas; at the same time, for those skilled in the art, according to the idea of the present invention, in the specific embodiments and application scopes There are variations, and the description is not to be construed as limiting the invention.

Claims

Rights request

 A method for encoding and decoding a digital message, comprising:

 Select a positive integer w, n, where m >n ·'

Generating a public key containing E(x), where E(x) is a set of nonlinear mapping functions from ..., x _m )M(yi, ..., on the domain F; The interface function R(x) is implicitly contained in E(x), which is used to derive "a function related to:" ₀ (X) = (M Xi, —., Μο^, x _m )) = R( x);

 Generating a private key corresponding to the public key, the private key including R (x;

 Set the one-way function chain HO), and the inverse function of the one-way function chain Η—

 Translating the message w into an intermediate result X by a one-way function chain, and then encoding the intermediate result X with the public key to obtain a coding result ^ and

The private result is used to transform the encoded result into an intermediate result Z, and then the intermediate result _{τ is} converted into a decoded message w using the inverse function H_) of the one-way function chain and the private key.

 2. The method of claim 1 wherein the public key and the private key are obtained by:

Select the "meta-reversible linear transformation Τ = (T _b T _i+ !) on the domain F, where each includes the relevant n-ary linear polynomial on the domain F;

Selecting the "metainvertible nonlinear transformation G = (G ₁ where, each of the functions including n on the domain F);

According to the preset rule, the "( Λ , Τ , and G, get the nonlinear mapping function group from X to: (yi, ..., y _n ) = E( ) = (Ει( ι, ... , x _m ), ... , E _n (x ... , x _m ));

 According to E(x), the public key is obtained;

Generating the inverse function T of T—generating the inverse function G of G—calculating DO from T ¹ and G— ¹ ; generating a private key, the private key including and DO; and the same one-way function chain in the private key The inverse function H- ¹ (together the intermediate result z together into a decoded message w.

 3. The method according to claim 2, wherein the preset rule is:

Substituting the function group " _Q (x) into it, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substitute into G _s and substitute (^ into T _i+1 ;

Or, substituting the function group, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1 into G/, ..., put! Substitute into G _s .

4. The method of claim 1 wherein:

 The above contains a rational fractional function for :).

 5. A method for digital signature, comprising:

 Select a positive integer n, «,, where /77 >«≥«' ;

Generating a public key containing E'(x), where E'(x) is from ..., χ _η ) (γι, ..., on the domain F)

J) is non-linear mapping function group; and, said Ε 'implied the interface function according to which, X _RA) to give "on a function, X _RA) of:." ₀ (X).

.. Xm), ....,^ ... x _m )) =R(x);

 Generating a private key corresponding to the public key, the private key including R (x;

 Set the one-way function chain HO), and the inverse function of the one-way function chain Η—

Using the private key to first convert the message to be signed /' into an intermediate result, and then using the inverse function Η- ¹ ^ of the one-way function chain and the private key to convert the intermediate result to the digital signature IV;

 The digital signature w is converted into an intermediate result X by a one-way function chain HO), and then the intermediate result X is decoded by the public key to obtain a decoding result.

 Comparing the decoded result with the message to be verified, it is determined whether the digital signature w is correct based on the comparison result.

 6. The method of claim 5, wherein the public key and the private key are obtained by the following steps:

Select the meta-reversible linear transformation T = (T _b T _i+ !) on the domain F, where each includes the relevant n-ary linear polynomial on the domain F;

Selecting the "metainvertible nonlinear transformation G = (G ₁ where, each of the functions including n on the domain F);

According to the preset rules, the "« 、 , Τ and G are synthesized, and the nonlinear mapping function group from X is obtained: (yi, ..., y _n ) = E( ) = (Ει( ι, ... , x _m ), ... , E _n (x ... , x _m ));

 Select "the function as E'(x) to get the public key;

Generating the inverse function T of T—generating the inverse function G of G—calculating DO from T ¹ and G— ¹ ; generating a private key, the private key including and DO; and the same one-way function chain in the private key The inverse function H- ¹ (together the intermediate result z together into a decoded message w.

 7. The method according to claim 6, wherein the preset rule is:

Substituting the function group " _Q (x) into it, and substituting 1 into the handle. Substituting into T ₂ , substituting Τ ₂ into G ₂ , ..., put! Substitute into ■, ..., put! Substitute into G _s and substitute (^ into T _i+1 ; Alternatively, substituting the function group, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., substituting into G _s .

 8. The method of claim 5, wherein

 The Ε' contains a rational fractional function for :).

 9. A method for encoding and decoding a digital message, comprising:

 Select a positive integer w, n , n r, where m > n≥ r ;

Generate a public key containing E'(x, ID), where E'(x, ID) is from ..., x _m , ID _b ..., ID _r ) ilJ(y) on domain F a non-linear mapping function group of !, ..., jv), the ID = (ID _1; ..., ID is an identity of the authorized user; and, the E'(x, ID) is implicitly contained The interface function R(x), which is used to get a function of (i, about -., ) according to (i, u ₀ (x) = ( ₀ i(Xi , . . Xm), —. , Μο^, x _m )) = R(x);

 Generating a private key corresponding to the identity identifier for the authorized user whose identity is π, where the private key includes R;

 Set the one-way function chain HO), and the inverse function of the one-way function chain Η—

 Using the public key, the one-way function chain HO) and Π, encoding the message to obtain an encoded message, using the inverse function of the private key and the one-way function chain 译码 - decoding the encoded message N to obtain a translation Code message

 And/or, using the inverse function of the private key and the one-way function chain 编码 - encoding the message, obtaining the encoded message using the public key, the one-way function chain HO) and the ID (^), the encoded message N ' Decode, get the decoded message 7 .

 10. The method of claim 9, wherein the public key and the private key are obtained by the following steps:

Select the meta-reversible linear transformation T = (T _b T _i+ !) on the domain F, where each includes the relevant n-ary linear polynomial on the domain F;

Selecting the meta-reversible nonlinear transformation G = (G ₁ :) on s fields F, where each includes a function on the n domains F;

 At least one of the coefficients of T and / or G is a mapping function of an ID;

According to the preset rules, the "« 、 , T and G are obtained, and the nonlinear mapping function group from x, ID to ; is obtained: (yi, — ., y») = E(x, ID) = (E^ , — . , x _m , IDh — .JD , E^, — ., x _m , IDi,...,ID _r )) _;

Select "' function as E' (x, ID) in E(x, ID) to get the public key; Generating an inverse function T ^{1 of} T; generating an inverse function G of G - substituting the value of the authorized user's identity into T- ¹ and G- ¹ , calculating the DO associated with the identity; generating a private corresponding to the identity Key, the private key includes and D0.

 11. The method of claim 9, wherein the public key and the private key are obtained by the following steps:

Set the set of reversible nonlinear mapping functions from X to: (y ₁ ..., y _n ) = E( , ID) = (Έ^,...,x _m , ID ₁ ... , ID _r ), ... , E„(x _h ..., x _m , ID _h ... , ID _r )) _;

 Generating a private key according to the inverse function of E(x, ID);

 Select "' function as E'(x, ID) in E(x, ID) to get the public key

When used in the encryption and decryption process, m > _n = r.

 12. A method as claimed in claim 9, 10 or 11, characterized in that the private key is established by the following steps:

 Calculating D0, the DO is related to the ID;

 Dividing the DO into at least two parts, stored in at least two private key distribution centers, each part being associated with an ID;

 Each private key distribution center calculates a part of the private key according to the ID of the authorized user, and sends it to the user;

 The user synthesizes the various parts of the private key and calculates the private key.

 13. A system for encoding and decoding digital messages, comprising:

a public key generating unit, configured to generate an included public key, where, from (...) to (^, the non-linear mapping function group of the ^, ", is a positive integer, m > and The implicitly contains an interface function for obtaining a function of "a", x _m ) according to :): "Q(X) = ΟΙ(Χ , ..., x _m ), .. ., u _0n (xi, ..., x _m ) = R(x);

a private key generating unit, configured to generate a private key corresponding to the public key, the private key including R(x) _{; a} one-way function chain determining unit, configured to set a one-way function chain HO), and a one-way The inverse function of the function chain H—

 An encryption unit, configured to convert the message w into an intermediate result X by a one-way function chain HO), and encode the intermediate result X by using the public key to obtain a coding result J;

And a decryption unit, configured to convert the encoding result J into an intermediate result z by using the private key, convert the intermediate result z into a decoding message w by using an inverse function H- ^{1 of the} one-way function chain and a private key.

14. A system for digital signature, comprising: a public key generating unit, configured to generate a public key containing Ε', which is a non-linear mapping function group from :) to , ..., .) on the domain F; '(χ) implicitly contains the interface function R(x), which is used to get a "about:" function according to x _ra :): Wo = (u ₀ (x , ..., x _m ), .. , u _0n (x , ..., x _m ) = R( ); where m, n, "' is a positive integer, m > n >r;

a private key generating unit, configured to generate a private key corresponding to the public key, the private key including R(x) _{; a} one-way function chain determining unit, configured to set a one-way function chain HO), and a one-way The inverse function of the function chain H—

a signature unit, configured to convert the message to be signed/' into an intermediate result z by using the private key, and use an inverse function H- ^{1 of the} one-way function chain (and a private key to convert the intermediate result z into a digital signature IV; a verification unit, configured to convert the digital signature w into an intermediate result X by a one-way function chain HO), decode the intermediate result X by using the public key, obtain a decoding result, and compare the decoding result J and The message to be verified determines whether the digital signature w is correct based on the comparison result.

 A system for encoding and decoding a digital message, comprising: a public key generating unit, configured to generate a public key including E'(x, ID), the E' (x) , ID) for the domain

a set of nonlinear mapping functions from ID _b ..., ID _r ) ilJ(y!, j ) on F, said ID = (ID _1; ..., ID is the identity of the authorized user; and, The E'(x, ID) implicitly contains the interface function R(x), which is used to get a function about (χι, ..., ) according to (i, "( :) : ^^·^ , x _m ), u _0n (x , ..., x _m ) =R(x); where m, n, r , r are positive integers, m>n>n'; private key generation unit, for Generating a private key corresponding to the identity identifier for the authorized user whose identity is ,, the private key including R;

 a one-way function chain determining unit for setting a one-way function chain HO), and an inverse function H− of the one-way function chain, and at least one of an encryption/decryption unit and a signature verification unit, wherein

 The encryption and decryption unit is configured to encode the message M by using the public key, the one-way function chain HO) and the ID (^) to obtain an encoded message N; and adopt an inverse function of the private key and the one-way function chain H-) decoding the encoded message N to obtain a decoded message;

 The signature verification unit is configured to encode the message by using the inverse function of the private key and the one-way function chain, and obtain the encoded message by using the public key, the one-way function chain HO) and the ID (^), and the encoding The message N' is decoded to obtain a decoded message.