CN101383705A

CN101383705A - Multi-variable public key ciphering method and device, deciphering method and device thereof

Info

Publication number: CN101383705A
Application number: CNA2007101497806A
Authority: CN
Inventors: 王志伟; 杨义先; 郑世慧; 张智辉
Original assignee: Sony China Ltd
Current assignee: Sony China Ltd
Priority date: 2007-09-05
Filing date: 2007-09-05
Publication date: 2009-03-11

Abstract

The invention provides an encryption method and an encryption device as well as a decryption method and a decryption device of a multivariate public key. The encryption method comprises the following steps: the centralizing mapping Phi equal to Pi 0 Phi 0 Pi<-1> is provided, wherein the Pi is one k-linear isomorphic mapping which shows that elements on a large field K are mapped to elements on a small field k, the Phi shows the mapping defined on the large field K in the centralizing mapping; the enhancement-type internal perturbation is applied to the centralizing mapping so as to form a public key polynomial equations set; and the clear text is encrypted by using the public key polynomial equations set. The encryption plan of the multivariate public key can resist present four attacking manners aiming at the multivariate key system, and is one safe encryption plan. In addition, because of the special structure of the centralizing mapping, the decryption complexity of the centralizing mapping is lowered.

Description

Multi-variable public key ciphering method and device and decryption method thereof and device

Technical field

The present invention relates to a kind of method and device that utilizes the multivariable public-key cryptosystem to carry out encryption and decryption.

Background technology

Along with the development of the Internet and information technology, more and more higher to the requirement of the various Information Securities on the network, thereby public key cryptography technology becomes an important tool of advanced information society gradually.

The multivariable public-key cryptosystem is the novel public-key cryptosystem of a class, and its feature is that PKI is made of the non-linear multivariable equation on one group of finite field.At present most public-key cryptosystem all is based on two difficult problems in the number theory, and promptly the factor is decomposed and discrete logarithm problem.Because the appearance of quantum computer makes these two problems no longer difficult.For the arrival in back quantum computer epoch, cryptologists have proposed some cryptographic systems based on other difficult problems.The multivariable public-key cryptosystem is exactly one of them.

The multivariable public-key cryptosystem based on difficult problem be to find the solution the non-linear multivariable equation on one group of finite field.In general, be unlikely to long, and computation complexity is unlikely to too high, can gets the second order multivariable equation group in order to make PKI.Finding the solution the second order multivariable equation group on the finite field, be a NP-C problem, and quantum computer can not reduce the degree of difficulty of this problem.

Cryptologists have proposed many schemes in the multivariable field of cryptography.Wherein there are some signature schemes more successful, as SFLASH ^V2[13], be selected in NESSIE:IST-1999-12324.This scheme belongs to the MI class, utilizes Minus perturbation motion method structure to form.

The multivariable encipherment scheme that proposes mainly contains MI class, HFE class, TTM class, MFE class or the like by center mapping classification at present, but still keep safety have only PMI+ and IPHFE, other scheme all (attack, order is attacked, XL ﹠amp by four class attack methods by lienarized equation;

Base algorithm and differential attack) break through.

PMI+ and IPHFE scheme utilize Internally Perturbed Plus (internal disturbance adds) method and Internal Perturbation method to MI encipherment scheme and the disturbance of HFE encipherment scheme and obtain respectively.But the computational efficiency of these two kinds of schemes is not high, and reason is that the center mapping of MI and these two kinds of encipherment schemes of the HFE efficient of inverting is not high.In the MI system, the mapping of its center inverted to do the very big Montgomery Algorithm of index one time.In the HFE system, the mapping of its center inverted to be d ²Inferior Montgomery Algorithm and d ³Inferior multiplying, d is the high reps of center mapping equation.

Summary of the invention

In order to address the above problem, the present invention provides a kind of method and device that utilizes the multivariable public-key cryptosystem to carry out encryption and decryption respectively, wherein adopts new center mapping

It is inverted does not need to do Montgomery Algorithm, when getting degree of extension l and be odd number, only need do twice division arithmetic.Through after the application enhancement mode internal disturbance (internal disturbance adds), be a kind of safe encipherment scheme simultaneously.

According to an aspect of the present invention, multi-variable public key ciphering method comprises step: the center mapping is provided

Wherein π is the mapping of k-linear isomorphism, and expression becomes element on the little territory k with the element map on the big territory K,

Be defined in the mapping on the big territory K in the mapping of expression center; The mapping of described center is applied the enhancement mode internal disturbance, to form PKI polynomial equation group; And utilize described PKI polynomial equation group to come encrypting plaintext.

According to another aspect of the present invention, the multi-variable public key ciphering device comprises: be used to provide the center mapping

Parts, wherein k-linear isomorphism of π mapping, expression becomes the element on the big territory K into the mapping of the element on the little territory k, Be defined in the mapping on the big territory K in the mapping of expression center; Be used for the mapping of described center is applied the enhancement mode internal disturbance, to form the parts of PKI polynomial equation group; And be used to utilize described PKI polynomial equation group to come the parts of encrypting plaintext.

The multi-variable public key ciphering method and the device that the present invention is based on mapping of new center and enhancement mode internal disturbance method have safe advantage.

Description of drawings

To the concrete detailed description of implementing of the present invention, can more easily understand other features of the present invention below reading in conjunction with the drawings, wherein:

Fig. 1 is the block diagram according to the multi-variable public key ciphering device of the embodiment of the invention;

Fig. 2 is the flow chart according to the multi-variable public key ciphering method of the embodiment of the invention;

Fig. 3 is the block diagram according to the multivariable PKI decryption device of the embodiment of the invention; And

Fig. 4 is the flow chart according to the multivariable PKI decryption method of the embodiment of the invention;

Embodiment

Now, will be by the example embodiment that invention will be described in detail with reference to the attached drawing.In the following description, for clarity and conciseness for the purpose of, the known function that will be omitted in merges here and the detailed description of configuration.

As shown in Figure 1, multi-variable public key ciphering device 100 of the present invention comprises that the center mapping provides parts 110, internal disturbance to apply parts 120 and encryption unit 130.The center mapping provides parts 110 to be used for definition or the center mapping is provided , wherein π is a k-linear isomorphism mapping, represents the element on the big territory K is become the mapping of the element on the little territory k, Be defined in the mapping on the big territory K in the mapping of expression center.Internal disturbance applies parts 120 and is used for the mapping of described center is applied the enhancement mode internal disturbance, to form PKI polynomial equation group.Encryption unit 130 is used to utilize described PKI polynomial equation group to come encrypting plaintext, to form ciphertext.

Term " internal disturbance " is a kind of perturbation motion method of multivariable cryptographic system, and actual is exactly a kind of modification method.This method is meant utilizes existing variable, at random construct some linear polynomials, again these multinomials are added in each equation of original center mapping and go, to form new center mapping.The use of this method is further to obscure the structure of center mapping, makes illegal person release lienarized equation from the structure of existing center mapping.The characteristics of this method are not increase new variable, also do not increase the number of center mapping equation, so be referred to as internal disturbance.

Term " enhancement mode internal disturbance " (being also referred to as internal disturbance adds) also is a kind of perturbation motion method of multivariable cryptographic system, it on the basis of " internal disturbance " further, in through the mapping of the center behind the internal disturbance, add some second order polynomial equations at random again, that is to say the number that has increased the center mapping equation.

In the present invention, the structure that center mapping provides parts 110, internal disturbance to apply parts 120 and encryption unit 130 is not construed as limiting technical scope of the present invention, and wherein any two or whole three parts can be used as complete parts and realize.

Describe the operation of multi-variable public key ciphering device 100 of the present invention in detail below in conjunction with Fig. 2.

Fig. 2 is the flow chart according to the multi-variable public key ciphering method of the embodiment of the invention.

As shown in Figure 2, at step S200, provide a new center mapping

(for example it can be stored in the center mapping provides in the parts 110), wherein π is the mapping of k-linear isomorphism, represents the element on the big territory K is become the mapping of the element on the little territory k, promptly chooses the one group base { θ of big territory K on little territory k ₁..., θ ₁, it satisfies relational expression:

π(a ₁θ ₁+…+a ₁θ ₁)＝(a ₁，…，a ₁)

Here, k represents little territory, is taken as two element field among the present invention; K represents big territory, and it is got by little field extension 1 time; φ represents the center mapping;

Be defined in that mapping on the big territory K in the mapping of expression center; L is that big extension of a field number of times is arrived in little territory, gets 47 at least.

Mapping

Form by three equations of higher order on the big territory K, shape as:

\{\begin{matrix} Y_{1} = {({X_{1}}^{2} X_{2})}^{2} + α_{1} ({X_{1}}^{2} X_{2}) \\ Y_{2} = {(X_{1} X_{2})}^{2} + α_{2} (X_{1} X_{2}) \\ Y_{3} = {X_{1}}^{2} X_{2} + X_{1} X_{2} \end{matrix}

Right

Invert is that computational efficiency is than higher.In addition, getting little territory k in the solution of the present invention is F ₂Because the square operation on the big territory K is at little territory k=F ₂On be linear, so center mapping one is a second-order system on little territory k.

Because separately with this center mapping The structure encipherment scheme is unsafe, has lienarized equation.Therefore, utilize enhancement mode internal disturbance method to carry out disturbance among the present invention again, thereby design the encipherment scheme of a safety, as described below.

Next, apply in the parts 120 execution in step S205 to step S220 at internal disturbance.

At step S205,, choose factory's linear equation:

\begin{matrix} z_{1} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{j 1} (x_{j}) + β_{1} \\ \cdot \\ \cdot \\ \cdot \\ z_{r} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{jr} (x_{j}) + β_{r} \end{matrix},

z _i-β _iBe linearity independently, definition Z (x ₁..., x _2l)=(z ₁(x ₁..., x _2l) ..., z _r(x ₁..., x _2l)).

Here, z _iBe the linear formula on the little territory; x _iBe the variable on the little territory; α _iRepresent the random number on the big territory; R is the number of " disturbing source ", i.e. z _jNumber, get 6 at least.

Select 3l second order multivariable equation more at random:

{\hat{f}}_{1}, \cdot \cdot \cdot, {\hat{f}}_{3 l} &Element; k [z_{1}, \cdot \cdot \cdot, z_{r}],

Definition

\hat{F} (z_{1}, \cdot \cdot \cdot, z_{r}) = ({\hat{f}}_{1} (z_{1}, \cdot \cdot \cdot, z_{r}), \cdot \cdot \cdot, {\hat{f}}_{3 l} (z_{1}, \cdot \cdot \cdot, z_{r})) .

Here,

Represent the second order polynomial equation on the little territory k, it is with z ₁..., z _rBe variable;

Be the mapping on the little territory, by

{\hat{f}}_{1} (z_{1}, \cdot \cdot \cdot, z_{r}), \cdot \cdot \cdot, {\hat{f}}_{3 l} (z_{1}, \cdot \cdot \cdot, z_{r})

Constitute.

Then, definition (formation) disturbance mapping

Here, F ^*Represent the synthetic mapping on the little territory, promptly

, be " internal disturbance " that is added on the mapping phi of former center; Be F ^*In second order polynomial equation.

Next, at step S210, with F ^*Add among the φ as disturbance, i.e. mapping phi=φ+F ^*=(f ₁..., f _3l).

Here, φ represents former center mapping phi has been added new center mapping after " internal disturbance ".

Then, in step S215, apply " adding disturbance ", be about to a second order polynomial equation q ₁..., ∈ k[x ₁..., x _2l] be attached to φ+F ^*In, form

\overset{=}{φ} = (f_{1}, \cdot \cdot \cdot, f_{3 l}, q_{1}, \cdot \cdot \cdot, q_{a}) .

Here, The new center mapping that expression has been added " internal disturbance " and obtained after " adding disturbance " former center mapping phi; A is the equation number that is added on " adding disturbance " on the mapping phi of center, gets 10 at least; q _iIt is the second order polynomial equation that adds " adding disturbance ".

Then, at step S220, respectively at k ^3l+aOn choose two reversible affine maps L ₁And L ₂, by definition, can obtain PKI polynomial equation group:

Here, F is the synthetic mapping on the little territory, promptly

PKI polynomial equation group just; F _iIt is the second order polynomial equation among the F.

As mentioned above, in the present invention, choose parameter r 〉=6, a 〉=10 and 1 〉=47.

Thus, the PKI that obtains among the present invention is:

(1) " little " territory k;

(2) 3l+a second order multivariable equation F ₁..., F _3l+a∈ k[x ₁..., x _2l

In the present invention, establishing private key is:

(1) mapping phi;

(2) linear function set z ₁..., z _r∈ k[x ₁..., x _2l];

(3) set

P = {(μ, λ) | \hat{F} (μ) = λ}

, or perhaps the multinomial set

{\hat{f}}_{1}, \cdot \cdot \cdot, {\hat{f}}_{3 l} &Element; k [z_{1}, \cdot \cdot \cdot, z_{r}];

(4) two reversible affine transformation L ₁And L ₂

Here, μ is the r unit vector on the little territory; λ is the 3l unit vector on the little territory, satisfies

\hat{F} (μ) = λ .

Then, at step S225, encryption unit 130 receives expressly from the outside, and the PKI polynomial equation group by forming in step S220

Come encrypting plaintext

M' = (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'}),

To obtain ciphertext

Z' = (z_{1}^{'}, \cdot \cdot \cdot, z_{3 l + a}^{'}) = \overset{&OverBar;}{F} (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'})

= ({\overset{&OverBar;}{F}}_{1} (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'}), \cdot \cdot \cdot, {\overset{&OverBar;}{F}}_{3 l + a} (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'})) .

So far, the ciphering process of the embodiment of the invention finishes.

Next, the 3 multivariable PKI decryption devices of describing the embodiment of the invention with reference to the accompanying drawings.

Fig. 3 is the block diagram according to the multivariable PKI decryption device of the embodiment of the invention.

As shown in Figure 3, the multivariable PKI decryption device 300 of the embodiment of the invention comprises first calculating unit 310, second calculating unit 320 and calculates decision means 330.First calculating unit 310 is used for calculating

Y' = L_{2}^{- 1} (Z') = (y_{1}^{'}, \cdot \cdot \cdot, y_{3 l + a}^{'}),

It removes, and last a component obtains in the vector

Second calculating unit 320 is used for each point to point set P, and (μ λ), calculates

(x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = φ^{- 1} ((y_{1}^{'}, \cdot \cdot \cdot, y_{3 l}^{'}) + λ)

, its inspection

Z (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = μ

Whether set up,, then abandon this if be false

Again calculate.Calculating decision means 330 is used for calculating

M' = L_{1}^{- 1} (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = (m_{λ 1}^{'}, \cdot \cdot \cdot, m_{λ 2 l}^{'}),

If have only one

Then determine that it is expressly, if having a plurality ofly, then it utilizes equation q ₁..., q _aDetermine correct plaintext.Wherein μ is the r unit vector on the little territory k; λ is the 3l unit vector on the little territory k, satisfies

\hat{F} (μ) = λ .

In the present invention, first calculating unit 310, second calculating unit 320 and the structure of calculating decision means 330 are not construed as limiting technical scope of the present invention, and wherein any two or whole three parts can be used as complete parts and realize.

Describe the operation of multivariable PKI decryption device 300 of the present invention in detail below in conjunction with Fig. 4.

Fig. 4 is the flow chart according to the multivariable PKI decryption method of the embodiment of the invention.

As shown in Figure 4, at step S400, first calculating unit 310 receives ciphertext from the outside

Z' = (z_{1}^{'}, \cdot \cdot \cdot, z_{3 l + a}^{'}),

Calculate

Y' = L_{2}^{- 1} (Z') = (y_{1}^{'}, \cdot \cdot \cdot, y_{3 l + a}^{'}),

And remove last a component in the vector, to obtain

(y_{1}^{'}, \cdot \cdot \cdot, y_{3 l}^{'}) .

Then, at step S405, (μ λ), calculates second calculating unit 320 for each point among the point set P

(x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = φ^{- 1} ((y_{1}^{'}, \cdot \cdot \cdot, y_{3 l}^{'}) + λ) .

Attention: the most important thing is to ask in this step φ in the decrypting process ^-1, ask φ ^-1Key be to ask

In view of the special construction of the present invention's design, ask

Can divide again for three steps.

The first step is

In separate two shapes such as x ²The equation of+x+ β=0.According to prior art, there is a simple method to find the solution this equation, when l was odd number, amount of calculation can be left in the basket, because

Can obtain by displacement.The first step is separated two quadratic equation with one unknown, can obtain 4 groups

Second step was to utilize

In the 3rd equation Y ₃=X ₁ ²X ₂+ X ₁X ₂, check out correct one group

The calculating in this step mainly is addition, and amount of calculation can be left in the basket.The 3rd step was to use

Solve

With

, the amount of calculation in this step is twice division.Here, Y _i, X _iRepresent the variable on the big territory; x _i, y _iRepresent the variable on the little territory.

At step S410, second calculating unit 320 is checked

Z (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = μ

Whether set up,, then carry out next step if set up; If be false, then abandon this

, re-execute this step.

Next, at step S415, calculate decision means 320 and calculate

M' = L_{1}^{- 1} (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = (m_{λ 1}^{'}, \cdot \cdot \cdot, m_{λ 2 l}^{'}),

If have only one

Then it is exactly expressly;

If have a plurality ofly, can utilize equation q ₁..., q _aJudge who is correct plaintext.

Here,

All are the elements on the little territory.

Thus, can draw plaintext after the deciphering

M' = (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'}) .

More than describe the embodiment of multi-variable public key ciphering device of the present invention, encryption method, decryption device and decryption method with reference to the accompanying drawings.

Example below by the concrete value of relevant parameter describes above embodiment again.

At first consider not add disturbance, directly with the encipherment scheme of the center map construction of the present invention's design.Choose little territory k=F here, ₂, little territory k is got 2 (these are for convenience of description, and l should surpass 47 safety) to the degree of extension l of big territory K, can choose irreducible function x ²+ x+1 constructs K, i.e. K=k[x]/(x ²+ x+1), establish (1, β) be the one group base of K on k.

Then, see how to select private key.Private key L ₁And L ₂Should be respectively k ^2l=k ⁴And k ^3l=k ⁶On reversible affine transformation.Reversible affine transformation is write as matrix form and should be made up of an invertible matrix and a column vector, for simplicity, selects a unit matrix and null vector, i.e. a L here ₁And L ₂All be identical transformation, as follows:

L_{1} (x_{1}, x_{2}, x_{3}, x_{4}) = (\begin{matrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{matrix}) (\begin{matrix} x_{1} \\ x_{2} \\ x_{3} \\ x_{4} \end{matrix}) + (\begin{matrix} 0 \\ 0 \\ 0 \\ 0 \end{matrix})

L_{2} (y_{1}, y_{2}, y_{3}, y_{4}, y_{5}, y_{6}) = (\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \end{matrix}) (\begin{matrix} y_{1} \\ y_{2} \\ y_{3} \\ y_{4} \\ y_{5} \\ y_{6} \end{matrix}) + (\begin{matrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{matrix}) .

Next see and how to generate PKI.PKI is synthetic by three mappings, promptly

。L wherein ₁(x ₁, x ₂, x ₃, x ₄)=(x ₁, x ₂, x ₃, x ₄).

π wherein ^-1(x ₁, x ₂, x ₃, x4) be utilize one group of base (1, β) with (x ₁, x ₂, x ₃, x ₄) become the element (X on the big territory ₁, X ₂), i.e. X ₁=x ₁+ x ₂β and X ₂=x ₃+ x ₄β.

With its substitution mapping

Y ₁＝(X ₁ ²X ₂) ²+α ₁(X ₁ ²X ₂)

Y ₂＝(X ₁X ₂) ²+α ₂(X ₁X ₂)， (1)

Y ₃＝X ₁ ²X ₂+X ₁X ₂

Can get by first equation:

Y ₁＝((x ₁+x ₂β) ²(x ₃+x ₄β)) ²+α ₁(x ₁+x ₂β) ²(x ₃+x ₄β)

＝f ₁(x ₁，x ₂，x ₃，x ₄)+f ₂(x ₁，x ₂，x ₃，x ₄)β

Second equation can get:

Y ₂＝((x ₁+x ₂β)(x ₃+x ₄β)) ²+α ₂(x ₁+x ₂β)(x ₃+x ₄β)

＝f ₃(x ₁，x ₂，x ₃，x ₄)+f ₄(x ₁，x ₂，x ₃，x ₄)β

The 3rd equation can get:

Y ₃＝(x ₁+x ₂β) ²(x ₃+x ₄β)+(x ₁+x ₂β)(x ₃+x ₄β)。

＝f ₅(x ₁，x ₂，x ₃，x ₄)+f ₆(x ₁，x ₂，x ₃，x ₄)β

π (Y ₁, Y ₂, Y ₃) with (Y ₁, Y ₂, Y ₃) become the element (y on the little territory ₁, y ₂, y ₃, y ₄, y ₅, y ₆), that is:

y ₁＝f ₁(x ₁，x ₂，x ₃，x ₄)

y ₂＝f ₂(x ₁，x ₂，x ₃，x ₄)

y ₃＝f ₃(x ₁，x ₂，x ₃，x ₄)。(2)

y ₄＝f ₄(x ₁，x ₂，x ₃，x ₄)

y ₅＝f ₅(x ₁，x ₂，x ₃，x ₄)

y ₆＝f ₆(x ₁，x ₂，x ₃，x ₄)

Last because L ₂(y ₁, y ₂, y ₃, y ₄, y ₅, y ₆)=(y ₁, y ₂, y ₃, y ₄, y ₅, y ₆), promptly (2) are exactly the PKI polynomial equation group that generates.

Ciphering process: to plaintext

M' = (m_{1}^{'}, m_{2}^{'}, m_{3}^{'}, m_{4}^{'})

Encrypt, promptly be with

(x in the substitution (2) ₁, x ₂, x ₃, x ₄), the result of gained is ciphertext

Z' = (z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'}) .

Decrypting process: to ciphertext

Z' = (z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'})

Deciphering promptly is to know private key L ₁And L ₂Condition under, ask

At first

{L_{2}}^{- 1} (z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'}) = (z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'})

Or identical transformation.Next ask

π wherein _-1Still the element on the little territory is become the element on the big territory, promptly from Obtain

Again with its substitution mapping

(1) (the Y in ₁, Y ₂, Y ₃), utilize

Inversion algorithms, solve (X ₁, X ₂), utilize π that the element on the big territory is become element on the little territory again, at last by asking L ₁ ^-1, recover expressly

M' = (m_{1}^{'}, m_{2}^{'}, m_{3}^{'}, m_{4}^{'}) .

Above in this example, owing to select L ₁And L ₂Be identical transformation, so (y ₁, y ₂, y ₃, y ₄, y ₅, y ₆)=φ (x ₁, x ₂, x ₃, x ₄), promptly formula (2) is exactly the PKI of cryptographic system.

Below, consider how PKI generates under the situation that adds the enhancement mode internal disturbance.L ₁And L ₂Still as above example is elected parameter r (being the number of disturbing source) as 2, and parameter a (i.e. the equation number of Tian Jiaing) elects 1 as (this is unsafe, should be r 〉=6, a 〉=10, only for convenience of description) here.

Select r linear polynomial at first at random, constitute mapping

Z (x ₁, x ₂, x ₃, x ₄)=(z ₁(x ₁, x ₂, x ₃, x ₄), z ₂(x ₁, x ₂, x ₃, x ₄)), for example

z ₁(x ₁，x ₂，x ₃，x ₄)＝x ₁，

z ₂(x ₁，x ₂，x ₃，x ₄)＝x ₃

Next with z ₁And z ₂For 6 multinomials that are no more than second order of variable random configuration, be designated as

\hat{F} (z_{1}, z_{2}) = ({\hat{f}}_{1} (z_{1}, z_{2}), {\hat{f}}_{2} (z_{1}, z_{2}), {\hat{f}}_{3} (z_{1}, z_{2}), {\hat{f}}_{4} (z_{1}, z_{2}), {\hat{f}}_{5} (z_{1}, z_{2}), {\hat{f}}_{6} (z_{1}, z_{2})),

For example:

{\hat{f}}_{1} (z_{1}, z_{2}) = z_{1} z_{2}

{\hat{f}}_{2} (z_{1}, z_{2}) = z_{1}

{\hat{f}}_{3} (z_{1}, z_{2}) = z_{2},

{\hat{f}}_{4} (z_{1}, z_{2}) = z_{1}

{\hat{f}}_{5} (z_{1}, z_{2}) = z_{1}

{\hat{f}}_{6} (z_{1}, z_{2}) = z_{1} z_{2}

Then, calculate

F^{*} = (f_{1}^{*}, f_{2}^{*}, f_{3}^{*}, f_{4}^{*}, f_{5}^{*}, f_{6}^{*})

Can be expressed as:

f_{1}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{1} x_{3}

f_{2}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{1}

f_{3}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{3},

f_{4}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{1}

f_{5}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{1}

f_{6}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = x_{1} x_{3}

Add it to equation corresponding among the φ, can get φ newly:

y_{1} = f_{1} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{1}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{1} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{1} x_{3}

y_{2} = f_{2} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{2}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{2} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{1}

y_{3} = f_{3} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{3}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{3} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{3}, - - - (3)

y_{4} = f_{4} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{4}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{4} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{1}

y_{5} = f_{5} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{5}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{5} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{1}

y_{6} = f_{6} (x_{1}, x_{2}, x_{3}, x_{4}) + f_{6}^{*} (x_{1}, x_{2}, x_{3}, x_{4}) = f_{6} (x_{1}, x_{2}, x_{3}, x_{4}) + x_{1} x_{3}

Next, in φ, add a (promptly 1) second order polynomial equation at random again, for example:

y ₇＝q ₁(x ₁，x ₂，x ₃，x ₄)＝x ₁x ₄， (4)

Thereby 7 equations of formula (3) and formula (7) have constituted new

Because the L that selects in this example ₁With L2 all be identical transformation, so this

(7 equation group that equation constitutes) is new PKI.

In this case, its private key is except L ₁And L ₂, also to comprise two linear polynomial z ₁And z ₂, and a point set

P = {(μ, λ) | \hat{F} (μ) = λ},

Wherein μ is the vector (z of 2 elements ₁, z ₂), λ is the vector of 6 elements.

Ciphering process: to plaintext

M' = (m_{1}^{'}, m_{2}^{'}, m_{3}^{'}, m_{4}^{'})

Encrypt, promptly be with

(x in substitution (3) and (4) 7 equations ₁, x ₂, x ₃, x ₄), the result of gained is ciphertext

Z' = (z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'}, z_{7}^{'}) .

Decrypting process: other step is identical with a top example, just asks

Than asking φ ^-1Want complicated.

Discuss below and how to ask

At first will

(z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'}, z_{7}^{'})

In last unit abandon because it belongs to " adding " disturbance.The vector that 6 remaining again elements constitute adds that (μ, λ) (effect in this step is that " internal disturbance ") is asked φ as a top example then in cancellation to the λ in for a point among the point set P ^-1, that is:

φ^{- 1} ((z_{1}^{'}, z_{2}^{'}, z_{3}^{'}, z_{4}^{'}, z_{5}^{'}, z_{6}^{'}) + λ),

With what try to achieve

With μ substitution equation z ₁=x ₁And z ₂=x ₃, do checking, equal then ask

Finish, do not wait then reconnaissance repetition above-mentioned steps from point set P again.

The present invention can implement by the mode that hardware, software or hardware combine with software.For example, the computer program of implementing encryption method of the present invention and/or decryption method can be loaded in the execution unit of for example CPU in the general-purpose computations device, carry out encryption method of the present invention and/or decryption method, perhaps will be for example encryption device 100 and/or decryption device 300 in the embodiment of the invention be integrated in the general-purpose computations device, carry out encryption function of the present invention and/or decipher function.

By analysis, this scheme of the present invention has following good effect:

(1) than PMI+[1] and IPHFE[14] scheme deciphering computation complexity is lower;

(2) can effectively resist lienarized equation and attack (comprising the high order linear equation);

(3) can effectively resist order attacks;

(4) can effectively resist XL ﹠amp;

The base algorithm is attacked;

(5) can effectively resist differential attack;

Multi-variable public key ciphering scheme of the present invention can be resisted the attack method of present four classes at the multivariable cryptographic system, is a kind of safe encipherment scheme.In addition, because the special construction of center of the present invention mapping makes its decryption complexity decrease.

Although described embodiments of the invention above in detail, to those skilled in the art, can make further changes and improvements to the present invention.Should be appreciated that such changes and improvements all within the spirit and scope of the present invention.

Claims

1. multi-variable public key ciphering method comprises step:

The center mapping is provided

2. encryption method as claimed in claim 1, wherein said mapping Form by following three equations of higher order on the big territory K:

\{\begin{matrix} Y_{1} = {({X_{1}}^{2} X_{2})}^{2} + α_{1} ({X_{1}}^{2} X_{2}) \\ Y_{2} = {(X_{1} X_{2})}^{2} + α_{2} (X_{1} X_{2}) \\ Y_{3} = {X_{1}}^{2} X_{2} + X_{1} X_{2} \end{matrix}

3. encryption method as claimed in claim 1 wherein applies the enhancement mode internal disturbance, comprises with the step that forms PKI polynomial equation group the mapping of described center:

Choose r linear equation:

z_{1} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{j 1} (x_{j}) + β_{1}

.

z_{r} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{jr} (x_{j}) + β_{r},

And formation Z (x ₁..., x _2l)=(z ₁(x ₁..., x _2l) ..., z _r(x ₁..., x _2l)), here, z _iBe the linear formula on the little territory, x _iBe the variable on the little territory, α _iRepresent the random number on the big territory, r is disturbing source z _iNumber;

Select 3l second order multivariable equation at random:

{\hat{f}}_{1}, \cdot \cdot \cdot, {\hat{f}}_{3 l} &Element; k [z_{1}, \cdot \cdot \cdot, z_{r}],

And form

\hat{F} (z_{1}, \cdot \cdot \cdot, z_{r}) = ({\hat{f}}_{1} (z_{1}, \cdot \cdot \cdot, z_{r}), \cdot \cdot \cdot, {\hat{f}}_{3 l} (z_{1}, \cdot \cdot \cdot, z_{r})),

Here,

Represent the second order polynomial equation on the little territory k, it is with z ₁..., z _rBe variable,

Be the mapping on the little territory, by Constitute, l is the degree of extension of little territory k to big territory K;

By synthetic mapping

Form internal disturbance

Here

Be F ^*In second order polynomial equation;

With internal disturbance F ^*In the mapping phi of adding center, form mapping phi=φ+F ^*=(f ₁..., f _3l);

With a second order polynomial equation q ₁..., q _a∈ k[x ₁..., x _2l] be attached to φ+F ^*In, to form mapping

\overset{&OverBar;}{\overset{&OverBar;}{φ}} = (f_{1}, \cdot \cdot \cdot, f_{3 l}, q_{1}, \cdot \cdot \cdot, q_{a}),

Here q _iIt is second order polynomial equation;

Respectively at k ^3l+aOn choose two reversible affine maps L ₁And L ₂, to form PKI polynomial equation group

4. encryption method as claimed in claim 1, wherein said mapping π satisfies relational expression π (a ₁θ ₁+ ... + a _lθ _l)=(a ₁..., a _l), { θ wherein ₁..., θ _lBe the one group base of big territory K on little territory k.

5. encryption method as claimed in claim 3 is wherein chosen parameter r 〉=6, a 〉=10 and 1 〉=47.

6. the decryption method of the ciphertext that forms of an encryption method that is used for deciphering by claim 3 is wherein established and expressly is

M' = (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'}),

The ciphertext that obtains after the encryption is

Z' = (z_{1}^{'}, \cdot \cdot \cdot, z_{3 l + a}^{'}),

Then described decryption method comprises:

First step calculates

Y' = L_{2}^{- 1} (Z') = (y_{1}^{'}, \cdot \cdot \cdot, y_{3 l + a}^{'}),

Removing in the vector last a component obtains

(y_{1}^{'}, \cdot \cdot \cdot {, y}_{3 l}^{'});

Second step, (μ λ), calculates for each point among the point set P

(x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = φ^{- 1} ((y_{1}^{'}, \cdot \cdot \cdot, y_{3 l}^{'}) + λ),

Check

Z (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = μ

Whether set up,, then abandon this if be false

Re-execute this step; And

Third step calculates

M' = L_{1}^{- 1} (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = (m_{λ 1}^{'}, \cdot \cdot \cdot, m_{λ 2 l}^{'}),

If have only one

Then it is expressly, if having a plurality ofly, then utilizes equation q ₁..., q _aDetermine correct plaintext, wherein μ is the r unit vector on the little territory k; λ is the 3l unit vector on the little territory k, satisfies

\hat{F} (μ) = λ .

7. decryption method as claimed in claim 6, wherein second step also comprises step:

Shine upon at the center

In separate preceding two shapes such as x ²The equation of+x+ β=0 can obtain 4 groups

{X_{1}^{2'} X_{2}^{'}, X_{1}^{'} X_{2}^{'}};

Utilize the center mapping

{X_{1}^{2'} X_{2}^{'}, X_{1}^{'} X_{2}^{'}};

And

With

{X_{1}^{2'} X_{2}^{'}, X_{1}^{'} X_{2}^{'}}

Solve

With Here, Y _i, X _iRepresent the variable on the big territory; x _i, y _iRepresent the variable on the little territory.

8. multi-variable public key ciphering device comprises:

Be used to provide the center mapping Parts, wherein π is the mapping of k-linear isomorphism, expression becomes the element on the big territory K into the mapping of the element on the little territory k,

Be defined in the mapping on the big territory K in the mapping of expression center;

Be used for to the mapping of described center apply the enhancement mode internal disturbance, to form the parts of PKI polynomial equation group; And

Be used to utilize described PKI polynomial equation group to come the parts of encrypting plaintext.

9. encryption device as claimed in claim 8, wherein said mapping

Form by following three equations of higher order on the big territory K:

\{\begin{matrix} Y_{1} = {({X_{1}}^{2} X_{2})}^{2} + α_{1} ({X_{1}}^{2} X_{2}) \\ Y_{2} = {(X_{1} X_{2})}^{2} + α_{2} (X_{1} X_{2}) \\ Y_{3} = {X_{1}}^{2} X_{2} + X_{1} X_{2} \end{matrix}

10. encryption device as claimed in claim 8 wherein is used for the mapping of described center is applied the enhancement mode internal disturbance, carries out following operation with the parts that form PKI polynomial equation group:

Choose r linear equation

z_{1} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{j 1} (x_{j}) + β_{l}

.

z_{r} (x_{1}, \cdot \cdot \cdot, x_{2 l}) = Σ_{j = 1}^{2 l} α_{jr} (x_{j}) + β_{r},

Select 3l second order multivariable equation at random:

{\hat{f}}_{1}, \cdot \cdot \cdot, {\hat{f}}_{3 l} &Element; k [z_{1}, \cdot \cdot \cdot, z_{r}],

And form

\hat{F} (z_{1}, \cdot \cdot \cdot, z_{r}) = ({\hat{f}}_{1} (z_{1}, \cdot \cdot \cdot, z_{r}), \cdot \cdot \cdot, {\hat{f}}_{3 l} (z_{1}, \cdot \cdot \cdot, z_{r})),

Here, Represent the second order polynomial equation on the little territory k, it is with z ₁..., z _rBe variable,

By synthetic mapping

Form internal disturbance

Here

Be F ^*In second order polynomial equation;

\overset{&OverBar;}{\overset{&OverBar;}{φ}} = (f_{1}, \cdot \cdot \cdot, f_{3 l}, q_{1}, \cdot \cdot \cdot, q_{a}),

Here q _iIt is second order polynomial equation;

11. the decryption device of the ciphertext that an encryption device that is used for deciphering by claim 10 forms is wherein established and expressly is

M' = (m_{1}^{'}, \cdot \cdot \cdot, m_{2 l}^{'}),

The ciphertext that obtains after the encryption is

Z' = (z_{1}^{'}, \cdot \cdot \cdot, z_{3 l + a}^{'}),

Then described decryption device comprises:

Be used for calculating

Y' = L_{2}^{- 1} (Z') = (y_{1}^{'}, \cdot \cdot \cdot, y_{3 l + a}^{'})

Parts, it removes in the vector last a component and obtains

(y_{1}^{'}, \cdot \cdot \cdot y_{3 l}^{'});

(μ λ), calculates to be used for each point to point set P

(x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = φ^{- 1} ((y_{1}^{'}, \cdot \cdot \cdot, y_{3 l}^{'}) + λ)

Parts, its inspection

Z (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = μ

Whether set up,, then abandon this if be false Again calculate; And

Be used for calculating

M' = L_{1}^{- 1} (x_{λ 1}^{'}, \cdot \cdot \cdot, x_{λ 2 l}^{'}) = (m_{λ 1}^{'}, \cdot \cdot \cdot, m_{λ 2 l}^{'})

Parts, if having only one

Then determine that it is expressly, if having a plurality ofly, then it utilizes equation q ₁..., q _aDetermine correct plaintext, wherein μ is the r unit vector on the little territory k; λ is the 3l unit vector on the little territory k, satisfies