CN101540673A - Public key encryption and decryption method and digital signature method thereof - Google Patents

Abstract

The invention provides a technical proposal of a public key encryption and decryption method and belongs to a multivariate public key cryptographic system. The encryption is provided by triple combination of reversible linear transformation, reversible nonlinear transformation and reversible linear transformation, and only two reversible linear transformations are necessary to be mastered as a private key at decryption. The method is a substantial improvement of a Matsumoto-Imai cryptographic system, and the new proposal can help effectively resist attack methods such as differential attack, linearization attack and the like. The method also follows the advantages of high efficiency, no cryptographic processor, and being especially suitable for smart cards and the like of the multivariate public key cryptographic system. The advantages of the multivariate public key cryptographic system, particularly resistance of attacks by a quantum computer, can not be compared by those of the traditional public key cryptographic system. Once the quantum computer is practically used, the proposal can be used for replacing the traditional public key cryptographies such as RSA, ECC, ELGamal and the like. The invention further provides a safe and efficient digital signature method based on the public key encryption and decryption method.

Description

Public key encryption and decryption method and digital signature method thereof

Technical field

The invention belongs to field of information security technology, particularly relate to a kind of public key encryption and decryption method, and the corresponding digital endorsement method.

Background technology

The development of quantum computer, (as RSA, ElGamal etc.) have constituted great threat to the conventional public-key cryptographic system.For this reason, the public key cryptography with anti-quantum computer attack has been subjected to paying close attention to widely, and how designing the public-key cryptosystem that can resist the quantum computer attack is the major issue that field of information security technology needs to be resolved hurrily.The public key cryptography that the anti-Shor quantum algorithm that proposes is at present attacked mainly contains three types of NTRU, 0TU2000 and polynary quadratic polynomial (being called for short MQ) public-key cryptosystems.NTRU at a plurality of national registrations patent, China has also carried out the theoretical research to NTRU during "the 10th five-years", but does not have to produce the basic research achievement with independent intellectual property right; OTU2000 produces cipher key processes need calculate discrete logarithm, and speed is very slow, makes that the practicality of this cryptographic system is not enough; The MQ public key cryptography has caused the very big interest of cryptography community in recent years, be considered to one of optimal selection that replaces RSA, its fail safe is based on the intractability of secondary equation with many unknowns group on the finite field, except anti-quantum calculation, its great advantage is the implementation efficiency height, do not need password coprocessor, be fit to very much smart card.These advantages are that conventional cipher systems such as RSA, ElGamal are incomparable.

2003 by NESSIE (andEncryption) the selected SFLASH of engineering is exactly a kind of quick signature algorithm that designs for special applications such as cheap smart cards specially for New Europen Scheme for Signatures, Integrity.It is faster than RSA aspect signature.SFLASH is by the development of Matsumoto-Imai cryptographic system, and nineteen ninety-five, Patarin utilizes lienarized equation to break through the Matsumoto-Imai cryptographic system, and Patarin has done improvement to it subsequently, and the algorithm after the improvement is called C ^*-, SFLASH is C ^*-An example of algorithm parameterization, people such as Dubois utilized differential attack to crack the SFLASH signature algorithm in 2007.Therefore, there is the defective that can not resist lienarized equation attack and differential attack in the Matsumoto-Imai cryptographic system.

Summary of the invention

The object of the invention is at the deficiencies in the prior art, and a kind of public key encryption and decryption method of efficient quick is provided, and a kind of digital signature method safely and efficiently also is provided simultaneously thus.

Public key encryption and decryption method technical scheme of the present invention is based on nonlinear multivariable equation group intractability problem on the finite field and a kind of multivariable public key encryption and decryption method of designing, and its specific implementation is as follows,

(I) set up encryption system:

Utilize ground field F earlier ₂={ 0,1} constructs little territory F _qWith big territory

F _q=F ₂[x]/g (x), $F_{q^n}=F_q\left[x\right]/f\left(x\right),$ Q=2 wherein ^k, g (x) is ground field F ₂On k irreducible function, f (x) is little territory F _qOn n irreducible function, F ₂[x], F _q[x] represents F respectively ₂, F _qThe polynomial ring of last indeterminate x;

Define ground field F then ₂On k gt F ₂ ^kTo little territory F _qA dijection π, any k dimensional vector $b=(b_0,b_1,...,b_{k-1})\∈F_2^k,$ π (b) ∈ F then _q, π (b)=b _K-1x ^K-1+ ... + b ₁X+b ₀Modg (x); And little territory F _qOn n-dimensional vector space F _q ⁿTo big territory

A dijection

Any n-dimensional vector $w=(w_0,w_1,...,w_{n-1})\∈F_q^n,$ Then

Thereby by dijection π and Support ground field F ₂, little territory F _qWith big territory

Between element conversion;

Reversible Linear Transformation parts and reversible nonlinear transformation parts are set in system, and described Reversible Linear Transformation parts are little territory F _qTwo Reversible Linear Transformation T, U of last picked at random, wherein the contrary of Reversible Linear Transformation T is little territory F _qOn Reversible Linear Transformation T ^-1, the contrary of Reversible Linear Transformation U is little territory F _qOn Reversible Linear Transformation U ^-1But the form of Reversible Linear Transformation T, U is n rank inverse square matrix; Described reversible nonlinear transformation parts are little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, the concrete make of described nonlinear multivariable equation group is as follows:

Definition from

Arrive

Reversible nonlinear function $F\left(A\right)=A^{q^{\mathrm{\θ}}+\mathrm{\γ}},$ Wherein $A\∈F_{q^n},$ θ, γ satisfies 2≤γ＜n, 0＜θ＜n and gcd (q ^θ+ γ, q ⁿ-1)=1, wherein gcd represents greatest common factor (G.C.F.); The inverse function of reversible nonlinear function F (A) is nonlinear function F ^-1(A)=A ^h, h=(q wherein ^θ+ γ) ^-1Mod (q ⁿ-1);

If little territory F _qOn a n-dimensional vector (x ₀, x ₁..., x _N-1), earlier with little territory F _qOn Reversible Linear Transformation U to (x ₀, x ₁..., x _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection then

N-dimensional vector after the linear hybrid is become big territory

An elements A, utilize big territory again

On nonlinear function $F\left(A\right)=A^{q^{\mathrm{\θ}}+\mathrm{\γ}}$ To the elements A effect, the result of effect is still big territory

On element, be designated as B; Use dijection at last

Contrary with big territory

On element B be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation T it is carried out linear hybrid, the result of mixing is still little territory F _qOn a n-dimensional vector, be designated as (y ₀, y ₁..., y _N-1); Thereby obtain little territory F _qOn n-dimensional vector (x ₀, x ₁..., x _N-1) and n-dimensional vector (y ₀, y ₁..., y _N-1) relation, relation shows as little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, its form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,...,x_{n-1})\\ .\\ .\\ .\\ y_{n-1}=g_{n-1}(x_0,x_1,...,x_{n-1})\end{array}\right.$

Wherein the highest number of times of each polynomial equation is γ+1;

With above-mentioned little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation is as the PKI G of system, and the PKI equation group of formation is labeled as,

G(x ₀，x ₁，…，x _n-1)＝(g ₀(x ₀，x ₁，…，x _n-1)，g ₁(x ₀，x ₁，…，x _n-1)，…，g _n-1(x ₀，x ₁，…，x _n-1))；

(II) ciphering process: the ciphering process that the PKI G that utilizes encryption system to provide realizes, the concrete operations mode is as follows: establishing clear-text message is little territory F _qOn n-dimensional vector (m ₀, m ₁..., m _N-1), with (m ₀, m ₁..., m _N-1) be updated to above-mentioned PKI equation group G, just can obtain cyphertext vector (c ₀, c ₁..., c _N-1)=G (m ₀, m ₁..., m _N-1);

(III) decrypting process: private key is { T ^-1, U ^-1, concrete decrypting process is as follows,

Earlier with little territory F _qOn Reversible Linear Transformation T ^-1To cyphertext vector (c ₀, c ₁..., c _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector;

Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory

An element, be designated as B, utilize big territory again

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A;

Use dijection at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1), promptly deciphering back gained is expressly vectorial.

And, set parameter γ=2 in the encryption system.

And, Reversible Linear Transformation T in the described Reversible Linear Transformation parts is replaced with T _П, T _ПBut the capable n that constitutes of last r of expression deletion n rank inverse square matrix T * (n-r) matrix, wherein 0＜r＜n; The PKI of encryption system becomes little territory F _qThe nonlinear multivariable equation group of a last n argument, a n-r equation is labeled as _{G П}, its form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,...,x_{n-1})\\ .\\ .\\ .\\ y_{n-r-1}=g_{n-r-1}(x_0,x_1,...,x_{n-1})\end{array}\right..$

And, set parameter γ=2 in the encryption system, adopt private key { T ^-1, U ^-1, Seed} realizes signature, adopts PKI G _ПRealize certifying signature; Wherein Seed represents the random seed Bit String, PKI G _ПIn the highest the number of times of each polynomial equation be 3;

Suppose that clear-text message is M, specifically signature and verification mode are as follows,

(a) signature process is:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M ₁), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y;

2. use the Hash function hash (.) of appointment to calculate hash (Seed), the rq position Bit String that extracts hash (Seed) front is designated as R;

3. Bit String R is connected the Bit String Y||R of a long nq position of formation, Bit String Y back, and Y||R is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1);

4. earlier with little territory F _qOn Reversible Linear Transformation T ^-1To n-dimensional vector (m ₀, m ₁..., m _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory

An element, be designated as B;

5. utilize big territory

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A; Use dijection described in the encryption system at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qLast Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (c ₀, c ₁..., c _N-1);

6. with (c ₀, c ₁..., c _N-1) be encoded into the signature Bit String S of corresponding signature length.

(b) certifying signature process:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M ₁), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| ‖ M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y; And Bit String Y is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-r dimensional vector (m ₀, m ₁..., m _N-r-1);

2. utilize the π of dijection described in the encryption system Bit String S that will sign to be mapped as little territory F _qOn n-dimensional vector (c ₀, c ₁..., c _N-1);

3. utilize PKI G _ПCalculate (m ' ₀, m ' ₁..., m ' _N-r-1)=G _П(c ₀, c ₁..., c _N-1), and with the inverse mapping of dijection π with little territory F _qOn the n-r dimensional vector (m ' ₀, m ' ₁..., m ' _N-r-1) be mapped to the Bit String of (n-r) q position, be designated as Y '; If Y=Y ' then accept signature, otherwise refusal is accepted.

Public key encryption and decryption method technical scheme provided by the invention belongs to the multivariable common key cryptosystem, provide encryption by Reversible Linear Transformation, reversible nonlinear transformation and Reversible Linear Transformation three recombinations, only need grasp two Reversible Linear Transformation during decoding as private key.The present invention is the substance lifting to the Matsumoto-Imai cryptographic system, and new algorithm can effectively be resisted attack methods such as differential attack, linearisation attack.Also inherited simultaneously the multivariable public-key cryptosystem high efficiency, do not need password coprocessor, be particularly suitable for advantages such as smart card, the attack that especially can resist quantum computer, these advantages are that the conventional public-key cryptographic system is incomparable.In case quantum computer reaches the practicability stage, the present invention can be used as the scheme of conventional public-key passwords such as substituting RSA, ECC, ElGama1.Based on this public key encryption and decryption method, the present invention also provides digital signature method safely and efficiently, can play a significant role at information security field.

Description of drawings

Fig. 1 is an encryption and decryption schematic diagram of the present invention;

Fig. 2 is the flow chart of the present invention to message M signature;

Fig. 3 is the flow chart of certifying signature S of the present invention.

Embodiment

Public key encryption and decryption method provided by the invention is based on nonlinear multivariable equation group intractability problem on the finite field and a kind of multivariable public key encryption and decryption method of designing:

(I) in order to realize encryption and decryption, top priority is to set up encryption system:

Utilize ground field F earlier ₂={ 0,1} constructs little territory F _qWith big territory

F _q=F ₂[x]/g (x), $F_{q^n}=F_q\left[x\right]/f\left(x\right),$ Q=2 wherein ^k, g (x) is ground field F ₂On k irreducible function, f (x) is little territory F _qOn n irreducible function, F ₂[x], F _q[x] represents F respectively ₂, F _qThe polynomial ring of last indeterminate x;

Define ground field F then ₂On k gt F ₂ ^kTo little territory F _qA dijection π, any k dimensional vector $b=(b_0,b_1,...,b_{k-1})\∈F_2^k,$ π (b) ∈ F then _q, π (b)=b _K-1x ^K-1+ ... + b ₁X+b ₀Modg (x); And territory F _qOn n-dimensional vector space F _q ⁿArrive

A dijection

Any n-dimensional vector $w=(w_0,w_1,...,w_{n-1})\∈F_q^n,$ Then

Thereby by dijection π and Support ground field F ₂, little territory F _qWith big territory

Between element conversion;

Reversible Linear Transformation parts and reversible nonlinear transformation parts are set in system, and described Reversible Linear Transformation parts are little territory F _qTwo Reversible Linear Transformation T, U of last picked at random, wherein the contrary of Reversible Linear Transformation T is little territory F _qOn Reversible Linear Transformation T ^-1, the contrary of Reversible Linear Transformation U is little territory F _qOn Reversible Linear Transformation U ^-1But the form of Reversible Linear Transformation T, U is n rank inverse square matrix; Described reversible nonlinear transformation parts are little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, the concrete make of described nonlinear multivariable equation group is as follows:

Definition from

Arrive

Reversible nonlinear function $F\left(A\right)=A^{q^{\mathrm{\θ}}+\mathrm{\γ}},$ Wherein $A\∈F_{q^n},$ θ, γ satisfies 2≤γ＜n, 0＜θ＜n and gcd (q ^θ+ γ, q ⁿ-1)=1, wherein gcd represents greatest common factor (G.C.F.).The inverse function of reversible nonlinear function F (A) is nonlinear function F ^-1(A)=A ^h, h=(q wherein ^θ+ γ) ^-1Mod (q ⁿ-1);

If little territory F _qOn a n-dimensional vector (x ₀, x ₁..., x _N-1), earlier with little territory F _qOn Reversible Linear Transformation U to (x ₀, x ₁..., x _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection then

N-dimensional vector after the linear hybrid is become big territory

An elements A, utilize big territory again

On nonlinear function $F\left(A\right)=A^{q^{\mathrm{\θ}}+\mathrm{\γ}}$ To the elements A effect, the result of effect is still big territory

On element, be designated as B; Use dijection at last

Contrary with big territory

On element B be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation T it is carried out linear hybrid, the result of mixing is still little territory F _qOn a n-dimensional vector, be designated as (y ₀, y ₁..., y _N-1); Thereby obtain n-dimensional vector (x ₀, x ₁..., x _N-1) and n-dimensional vector (y ₀, y ₁..., y _N-1) relation, relation shows as little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, its form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,...,x_{n-1})\\ .\\ .\\ .\\ y_{n-1}=g_{n-1}(x_0,x_1,...,x_{n-1})\end{array}\right.$

Wherein the highest number of times of each polynomial equation is γ+1;

With above-mentioned little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation is as the PKI G of system, and the PKI equation group of formation is labeled as,

G(x ₀，x ₁，…，x _n-1)＝(g ₀(x ₀，x ₁，…，x _n-1)，g ₁(x ₀，x ₁，…，x _n-1)，…，g _n-1(x ₀，x ₁，…，x _n-1))。

During concrete enforcement, can set up encryption system according to the concrete numerical value of the setting of engineering application need k, n, θ, r.

(II) determine PKI by encryption system after, ciphering process directly utilizes PKI to get final product: the ciphering process that utilizes PKI G that encryption system provides to realize, the concrete operations mode is as follows,

If clear-text message is little territory F _qOn n-dimensional vector (m ₀, m ₁..., m _N-1), with (m ₀, m ₁..., m _N-1) be updated to above-mentioned PKI equation group G, just can obtain cyphertext vector (c ₀, c ₁..., c _N-1)=G (m ₀, m ₁..., m _N-1).

(III) decrypting process is the inverse process of ciphering process: private key is { T ^-1, U ^-1, concrete decrypting process is as follows,

Earlier with little territory F _qOn Reversible Linear Transformation T ^-1To cyphertext vector (c ₀, c ₁..., c _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector;

Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory An element, be designated as B, utilize big territory again

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A;

Use dijection at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1), promptly deciphering back gained is expressly vectorial.

Referring to Fig. 1, the essence of encryption can simplify that to be expressed as be exactly that plaintext M is passed through linear transformation U, nonlinear transformation F, linear transformation T successively, forms ciphertext C; Otherwise the essence of decoding is exactly that ciphertext C passes through linear transformation T successively ^-1, nonlinear transformation F ^-1, linear transformation U ^-1, solve plaintext M.

The present invention adopts high order (the highest number of times is greater than 2) the multinomial equation group on the finite field to design new multivariable common key cryptosystem, therefore sets 2≤γ＜n.The invention provides further technical scheme and simplify the encryption and decryption process: set parameter γ=2 in the encryption system.Can reduce the encryption system complexity like this, improve encryption efficiency, be better than the situation of γ＞2.

The invention provides further technical scheme and simplify, this simplification is mainly used in digital signature, improves the fail safe of signature and the efficient of certifying signature.Be embodied in: Reversible Linear Transformation T in the described Reversible Linear Transformation parts is replaced with T _П, T _ПBut the capable n that constitutes of last r of the n rank inverse square matrix T of expression deletion * (n-r) matrix, wherein 0＜r＜n; The PKI of encryption system becomes little territory F _qThe nonlinear multivariable equation group of a last n argument, a n-r equation is labeled as G _ПIts form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,...,x_{n-1})\\ .\\ .\\ .\\ y_{n-r-1}=g_{n-r-1}(x_0,x_1,...,x_{n-1})\end{array}\right.$

Digital signature method provided by the invention is based on these two kinds of simplification: set parameter γ=2 in the encryption system, adopt private key { T ^-1, U ^-1, Seed} realizes signature, adopts PKI G _ПRealize certifying signature, wherein Seed represents the random seed Bit String; PKI G _ПIn the highest the number of times of each polynomial equation be 3 (they being γ+1);

Suppose that communicating pair is validated user A and B, it is that M signs to clear-text message that user B needs A, and specifically signature and verification mode are as follows,

(a) referring to Fig. 2, user A to the signature process of plaintext M is:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M ₁), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y;

2. use the Hash function hash (.) of appointment to calculate hash (Seed), the rq position Bit String that extracts hash (Seed) front is designated as R;

3. Bit String R is connected the Bit String Y||R of a long nq position of formation, Bit String Y back, and Y||R is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1);

4. earlier with little territory F _qOn Reversible Linear Transformation T ^-1To n-dimensional vector (m ₀, m ₁..., m _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory An element, be designated as B;

5. utilize big territory

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A; Use dijection described in the encryption system at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qLast Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (c ₀, c ₁..., c _N-1);

6. with (c ₀, c ₁..., c _N-1) be encoded into the signature Bit String S of corresponding signature length.

7. the user A S that will sign sends to user B.

(b) referring to Fig. 3, user B certifying signature process is:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M1), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y; And Bit String Y is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-r dimensional vector (m ₀, m ₁..., m _N-r-1);

2. utilize the π of dijection described in the encryption system Bit String S that will sign to be mapped as little territory F _qOn n-dimensional vector (c ₀, c ₁..., c _N-1);

3. utilize PKI G _ПCalculate (m ' ₀, ' ₁..., m ' _N-r-1)=G _П(C ₀, c ₁..., c _N-1), and with the inverse mapping of dijection π with little territory F _qOn the n-r dimensional vector (m ' ₀, m ' ₁..., m ' _N-r-1) be mapped to the Bit String of (n-r) q position, be designated as Y '; If Y=Y ' then accept signature, otherwise refusal is accepted.Y '=G wherein _П(S) that is Y '=G _П(c ₀, c ₁..., c _N-1).

Below in conjunction with embodiment the present invention is further described, but embodiment should not be construed as limitation of the present invention.

Embodiment one

(I) set up system: utilize ground field F earlier ₂={ 0,1} constructs little territory and big territory: little territory F ₈=F ₂[X]/(X ³+ X+1), big territory $F_{8^3}=F_8\left[X\right]/(X^3+X+1),$ Define F then ₈ ³Arrive

A dijection

$\∀w=(w_0,w_1,w_2)\∈F_8^3,$

So can be by dijection

Carry out little territory F ₈With big territory

Between element conversion.

The Reversible Linear Transformation parts adopt little territory F ₈(establishing α is generator) but two 3 rank inverse square matrixs going up picked at random as T, U.

$U=\left(\begin{array}{ccc}{\mathrm{\α}}^3& {\mathrm{\α}}^5& {\mathrm{\α}}^3\\ {\mathrm{\α}}^2& {\mathrm{\α}}^6& {\mathrm{\α}}^5\\ {\mathrm{\α}}^4& 1& {\mathrm{\α}}^5\end{array}\right),$ $U^{-1}=\left(\begin{array}{ccc}{\mathrm{\α}}^2& 0& 1\\ \mathrm{\α}& {\mathrm{\α}}^5& \mathrm{\α}\\ 1& 1& \mathrm{\α}\end{array}\right),$ $T=\left(\begin{array}{ccc}{\mathrm{\α}}^3& \mathrm{\α}& 1\\ {\mathrm{\α}}^5& {\mathrm{\α}}^4& 1\\ 0& 0& 1\end{array}\right),$ $T^{-1}=\left(\begin{array}{ccc}{\mathrm{\α}}^2& {\mathrm{\α}}^6& 1\\ {\mathrm{\α}}^3& \mathrm{\α}& 1\\ 0& 0& 1\end{array}\right)$

Choose non-linear invertible function F (A), arbitrary element $A\∈F_{8^3}$ Have $F\left(A\right)=A^{8^2+2},$ Obvious gcd (8 ²+ 2,8 ³-1)=1, so nonlinear function F (A) is reversible, and inverse function is F ^-1(A)=A ²⁷¹

The private key of encryption system is { T ^-1, U ^-1.

The PKI of encryption system can be derived by square formation T, U.Basic thought is that the input of reversible nonlinear function F (A), output vector are carried out linear hybrid with U and T respectively, to reach the purpose of hiding private key information, supposes that the input vector of F is $(x_0,x_1,x_2)\∈F_8^3,$ The derivation of PKI is as follows:

1. to input vector with carrying out linear hybrid:

$U\·\left(\begin{array}{c}{x}_0\\ x_1\\ x_2\end{array}\right)=\left(\begin{array}{ccc}{\mathrm{\α}}^3& {\mathrm{\α}}^5& {\mathrm{\α}}^3\\ {\mathrm{\α}}^2& {\mathrm{\α}}^6& {\mathrm{\α}}^5\\ {\mathrm{\α}}^4& 1& {\mathrm{\α}}^5\end{array}\right)\left(\begin{array}{c}{x}_0\\ x_1\\ x_2\end{array}\right)=\left(\begin{array}{c}{\mathrm{\α}}^3{x}_0+{\mathrm{\α}}^5{x}_1+{\mathrm{\α}}^3{x}_2\\ {\mathrm{\α}}^2{x}_0+{\mathrm{\α}}^6{x}_1+{\mathrm{\α}}^5{x}_2\\ {\mathrm{\α}}^4{x}_0+x_1+{\mathrm{\α}}^5{x}_2\end{array}\right)$

2. use dijection then It is mapped to big territory

On an elements A:

3. obtain big territory with nonlinear function F effect

On another element B:

$B=F\left(A\right)=A^{8^2+2}\mathrm{mod}(X^3+X+1)$

$=({\mathrm{\α}}^6{x}_0^3+{\mathrm{\α}}^4{x}_0^2{x}_1+{\mathrm{\α}}^6{x}_0{x}_1^2+{\mathrm{\α}}^4{x}_1^2{x}_2+{\mathrm{\α}}^6{x}_0{x}_2^2+{\mathrm{\α}}^6{x}_1{x}_2^2+{\mathrm{\α}}^4{x}_2^3)$

$+({\mathrm{\α}}^6{x}_0^2{x}_2+{\mathrm{\α}}^4{x}_1^2{x}_2+{\mathrm{\α}}^4{x}_0{x}_2^2+{\mathrm{\α}}^4{x}_1{x}_2^2+x_2^3)X$

$+(\mathrm{\α}{x}_0^3+{\mathrm{\α}}^6{x}_0{x}_1^2+{\mathrm{\α}}^2{x}_1^3+{\mathrm{\α}}^6{x}_0^2{x}_2+{\mathrm{\α}}^2{x}_0{x}_2^2+x_1{x}_2^2+{\mathrm{\α}}^2{x}_2^3)X^2$

4. use dijection again Contrary

With big territory

On element B its be mapped to little territory F ₈On a vector

5. at last with T to vector

Carry out linear hybrid, obtain the output vector { y of PKI G ₀, y ₁, y ₂}:

Aforementioned calculation result is the PKI of system, and the PKI equation group can be expressed as little territory F ₈On one 3 yuan 3 order polynomial equation group:

$\left\{\begin{array}{c}{y}_0={\mathrm{\α}}^4{x}_0^3+{\mathrm{\α}}^5{x}_0^2{x}_1+{\mathrm{\α}}^4{x}_0{x}_1^2+x_1^3+{\mathrm{\α}}^2{x}_0^2{x}_2+{{\mathrm{\α}}^4{x}_1^2{x}_2+\mathrm{\α}}^5{x}_0{x}_2^2+x_2^3+{\mathrm{\α}}^4{x}_2^3\\ y_1={\mathrm{\α}}^2{x}_0^3+{\mathrm{\α}}^5{x}_0^2{x}_1+x_0{x}_1^2+{{\mathrm{\α}}^4{x}_0^2{x}_2+\mathrm{\α}}^4{x}_1^2{x}_2+{\mathrm{\α}}^4{x}_1{x}_2^2+{\mathrm{\α}}^4{x}_2^3\\ y_2=\mathrm{\α}{x}_0^3+{\mathrm{\α}}^5{x}_0{x}_1^2+{\mathrm{\α}}^2{x}_1^3+x_0^2{x}_2+x_1{x}_2^2+{\mathrm{\α}}^2{x}_2^3\end{array}\right.$

(II) use the public key encryption process: establish clear-text message vector (x ₀, x ₁, x ₂)={ 1+ α, α ², α }, the above-mentioned 3 yuan of 3 order polynomial equation group of substitution can obtain cyphertext vector (y ₀, y ₁, y ₂)={ 1+ α, 1+ α, α+α ².

(III) with private key { T ^-1, U ^-1Decrypting process is identical with the derivation of system PKI, as long as linear transformation that will be wherein, nonlinear transformation are respectively with corresponding inverse transformation.

Embodiment 2 has provided a fail safe and has been at least 2 ⁸⁰Efficient signature scheme:

System parameters: choose parameter k=5, n=37, θ=7, r=16, the Hash function is selected SHA-1 for use, and the output length value of SHA-1 is 160 bits.So q=2 ^k=32, structure intermediate field F ₃₂With big territory

F ₃₂=F ₂[x]/(x ⁵+ x ²+ 1), $F_{{32}^{37}}=F_{32}\left[x\right]/(x^{37}+x^{12}+x^{10}+x^2+1).$ The random seed Seed that produces one 80 bit then reaches at intermediate field F ₃₂Generate the U of two affine dijections at random, T, then system's private key is { T ^-1, U ^-1, Seed} needs the memory space of 1.72Kbytes.PKI G is F ₃₂ ³⁷To F ₃₂ ²¹37 arguments, the cubic equation group of 21 equations, it can be released by private key, i.e. G=T о F о U, its form is as follows:

$G_i(X_0,...,X_{36})=\underset{0\&le;j,k,t<n}{\mathrm{\&Sigma;}}{\mathrm{\&zeta;}}_{i,j,k,t}{X}_j{X}_k{X}_t+\underset{0\&le;j,k<n}{\mathrm{\&Sigma;}}{\mathrm{\&eta;}}_{i,j,k}{X}_j{X}_k+\underset{0\&le;j<n}{\mathrm{\&Sigma;}}{\mathrm{\&mu;}}_{i,j}{X}_j+{\mathrm{\&lambda;}}_i$

Wherein, ζ _{I, j, k, t}, η _{I, j, k}, μ _{I, j}, λ _i∈ F ₃₂

All these cubic polynomials (G that puts together ₀, G ₁..., G ₃₆) just formed the PKI of system, need the memory space of 129.68Kbytes altogether.

Suppose that message to be signed is M, then signature-verification process is as follows:

(I) signature process is:

Step1. establish M ₁And M ₂Be 160 bits,

M ₁＝SHA-1(M)，M ₂＝SHA-1(M ₁)

Be that Hash function hash (.) adopts common SHA-1 (.) function.

Step2. establishing v is 105 bits,

V＝[M ₂] _0→104

Step3. establishing W is 80 bits,

W＝[SHA-1(V||Seed)] _0→79

Step4. establishing Y is F ₃₂The vector of last 21 elements, length 105 bits,

Y＝(π([V] _0→4)，π([V] _5→9)，…，π([V] _100→104))

Step5. establishing R is F ₃₂The vector of last 16 elements, length 80 bits,

R＝(π([W] _0→4)，π([W] _5→9)，…，π([W] _75→79))

Step6. establish $X=(X_0,...,X_{36})\&Element;F_{32}^{37},$

Wherein

h＝(32 ⁷+2) ^-1mod(32 ³⁷-1)

Step7. the s that signs is that length is the Bit String of 185 bits,

S＝π ^-1(X ₀)||…||π ^-1(X ₃₆)

(II) certifying signature process:

Step1. establish M ₁And M ₂Be 160 bits,

M ₁＝SHA-1(M)，M ₂＝SHA-1(M ₁)

Step2. establishing v is 105 bits,

V＝[M ₂] _0→104

Step3. establishing Y is F ₃₂The vector of last 21 elements, length 105 bits,

Y＝(π([V] _0→4)，π([V] _5→9)，…，π([V] _100→104))

Step4. establishing Y ' is F ₃₂The vector of last 21 elements, length 105 bits,

Y′＝G(π([S] _0→4)，π([S] _5→9)，…，π([S] _100→104))

If Step5. Y=Y ' accepts signature, otherwise the refusal signature.

The fail safe of signature system is 2 ⁸⁰, in the signature process, main computing is finite field F ₃₂Multiplication and add operation because the territory is less, so the implementation efficiency height, is fit to software and hardware and realizes.

The content that this specification is not described in detail belongs to the those skilled in the art known prior art.

Claims (4)

1, a kind of public key encryption and decryption method is characterized in that: be based on nonlinear multivariable equation group intractability problem on the finite field and a kind of multivariable public key encryption and decryption method of designing, its specific implementation is as follows,

(I) set up encryption system:

Utilize ground field F earlier ₂={ 0,1} constructs little territory F _qWith big territory

F _q=F ₂[x]/g (x), $F_{q^n}=F_q\left[x\right]/f\left(x\right),$ Q=2 wherein ^k, g (x) is ground field F ₂On k irreducible function, f (x) is little territory F _qOn n irreducible function, F ₂[x], F _q[x] represents F respectively ₂, F _qThe polynomial ring of last indeterminate x;

Define ground field F then ₂On k gt F ₂ ^kTo little territory F _qA dijection π, any k dimensional vector $b=(b_0,b_1,\&CenterDot;\&CenterDot;\&CenterDot;,b_{k-1})\&Element;F_2^k,$ π (b) ∈ F then _q, π (b)=b _K-1x ^K-1+ ... + b ₁X+b ₀Modg (x); And little territory F _qOn n-dimensional vector space F _q ⁿTo big territory

A dijection

Any n-dimensional vector $w=(w_0,w_1,\&CenterDot;\&CenterDot;\&CenterDot;,w_{n-1})\&Element;F_q^n,$ Then

Thereby by dijection π and

Support ground field F ₂, little territory F _qWith big territory

Between element conversion;

Reversible Linear Transformation parts and reversible nonlinear transformation parts are set in system, and described Reversible Linear Transformation parts are little territory F _qTwo Reversible Linear Transformation T, U of last picked at random, wherein the contrary of Reversible Linear Transformation T is little territory F _qOn Reversible Linear Transformation T ^-1, the contrary of Reversible Linear Transformation U is little territory F _qOn Reversible Linear Transformation U ^-1But the form of Reversible Linear Transformation T, U is n rank inverse square matrix; Described reversible nonlinear transformation parts are little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, the concrete make of described nonlinear multivariable equation group is as follows:

Definition from

Arrive

Reversible nonlinear function $F\left(A\right)=A^{q^{\mathrm{\&theta;}}+\mathrm{\&gamma;}},$ Wherein $A\&Element;F_{q^n},$ θ, γ satisfies 2≤r＜n, 0＜θ＜n and gcd (q ^θ+ γ, q ⁿ-1)=1, wherein gcd represents greatest common factor (G.C.F.); The inverse function of reversible nonlinear function F (A) is nonlinear function F ^-1(A)=A ^h, h=(q wherein ^θ+ γ) ^-1Mod (q ⁿ-1);

If little territory F _qOn a n-dimensional vector (x ₀, x ₁..., x _N-1), earlier with little territory F _qOn Reversible Linear Transformation U to (x ₀, x ₁..., x _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection then

N-dimensional vector after the linear hybrid is become big territory

An elements A, utilize big territory again

On nonlinear function $F\left(A\right)=A^{q^{\mathrm{\&theta;}}+\mathrm{\&gamma;}}$ To the elements A effect, the result of effect is still big territory

On element, be designated as B; Use dijection at last

Contrary with big territory

On element B be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation T it is carried out linear hybrid, the result of mixing is still little territory F _qOn a n-dimensional vector, be designated as (y ₀, y ₁..., y _N-1); Thereby obtain little territory F _qOn n-dimensional vector (x ₀, x ₁..., x _N-1) and n-dimensional vector (y ₀, y ₁..., y _N-1) relation, relation shows as little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation, its form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,\&CenterDot;\&CenterDot;\&CenterDot;,x_{n-1})\\ .\\ .\\ .\\ y_{n-1}=g_{n-1}(x_0,x_1,\&CenterDot;\&CenterDot;\&CenterDot;,x_{n-1})\end{array}\right.$

Wherein the highest number of times of each polynomial equation is γ+1;

With above-mentioned little territory F _qThe nonlinear multivariable equation group of a last n argument, a n equation is as the PKI G of system, and the PKI equation group of formation is labeled as,

G(x ₀，x ₁，…，x _n-1)＝(g ₀(x ₀，x ₁，…，x _n-1)，g ₁(x ₀，x ₁，…，x _n-1)，…，g _n-1(x ₀，x ₁，…，x _n-1))；

(II) ciphering process: the ciphering process that the PKI G that utilizes encryption system to provide realizes, the concrete operations mode is as follows: establishing clear-text message is little territory F _qOn n-dimensional vector (m ₀, m ₁..., m _N-1), with (m ₀, m ₁..., m _N-1) be updated to above-mentioned PKI equation group G, just can obtain cyphertext vector (c ₀, c ₁..., c _N-1)=G (m ₀, m ₁..., m _N-1);

(III) decrypting process: private key is { T ^-1, U ^-1, concrete decrypting process is as follows,

Earlier with little territory F _qOn Reversible Linear Transformation T ^-1To cyphertext vector (c ₀, c ₁..., c _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector;

Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory

An element, be designated as B, utilize big territory again

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A;

Use dijection at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qOn Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1), promptly deciphering back gained is expressly vectorial.

2, a kind of public key encryption and decryption method as claimed in claim 1 is characterized in that: set parameter γ=2 in the encryption system.

3, a kind of public key encryption and decryption method as claimed in claim 1 is characterized in that: Reversible Linear Transformation T in the described Reversible Linear Transformation parts is replaced with T _∏, T _∏But the capable n that constitutes of last r of expression deletion n rank inverse square matrix T * (n-r) matrix, wherein 0＜r＜n; The PKI of encryption system becomes little territory F _qThe nonlinear multivariable equation group of a last n argument, a n-r equation is labeled as G _∏, its form is as follows:

$\left\{\begin{array}{c}{y}_0=g_0(x_0,x_1,\&CenterDot;\&CenterDot;\&CenterDot;x_{n-1})\\ .\\ .\\ .\\ y_{n-r-1}=g_{n-r-1}(x_0,x_1,\&CenterDot;\&CenterDot;\&CenterDot;,x_{n-1})\end{array}.\right.$

4, the digital signature method of realizing with the described public key encryption and decryption method of claim 3 is characterized in that: set parameter γ=2 in the encryption system, adopt private key { T ^-1, U ^-1, Seed} realizes signature, adopts PKI G _∏Realize certifying signature; Wherein Seed represents the random seed Bit String, PKI G _∏In the highest the number of times of each polynomial equation be 3;

Suppose that clear-text message is M, specifically signature and verification mode are as follows,

(a) signature process is:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M ₁), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y;

2. use the Hash function hash (.) of appointment to calculate hash (Seed), the rq position Bit String that extracts hash (Seed) front is designated as R;

3. Bit String R is connected the Bit String Y||R of a long nq position of formation, Bit String Y back, and Y||R is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-dimensional vector, be designated as (m ₀, m ₁..., m _N-1);

4. earlier with little territory F _qOn Reversible Linear Transformation T ^-1To n-dimensional vector (m ₀, m ₁..., m _N-1) carrying out linear hybrid, the result of mixing is still little territory F _qOn n-dimensional vector; Use dijection described in the encryption system then

N-dimensional vector after the linear hybrid is become big territory

An element, be designated as B;

5. utilize big territory

On nonlinear function F ^-1(B)=B ^hTo the element B effect, the result of effect is still big territory

On element, be designated as A; Use dijection described in the encryption system at last

Contrary with big territory

On elements A be mapped to little territory F _qOn a n-dimensional vector, and with little territory F _qLast Reversible Linear Transformation U ^-1It is carried out linear hybrid, and the result of mixing is still little territory F _qOn n-dimensional vector, be designated as (c ₀, c ₁..., c _N-1);

6. with (c ₀, c ₁..., c _N-1) be encoded into the signature Bit String s of corresponding signature length.

(b) certifying signature process:

1. use the Hash function hash (.) of appointment to calculate M ₁=hash (M), M ₂=hash (M ₁), and with Bit String M ₂Be connected Bit String M ₁The back forms a new Bit String M ₁|| M ₂, extract M ₁|| M ₂(n-r) q position Bit String of front is designated as Y; And Bit String Y is mapped as little territory F according to the π of dijection described in the encryption system _qOn a n-r dimensional vector (m ₀, m ₁..., m _N-r-1);

2. utilize the π of dijection described in the encryption system Bit String S that will sign to be mapped as little territory F _qOn n-dimensional vector (c ₀, c ₁..., c _N-1);

3. utilize PKI G _∏Calculate (m ' ₀, m ' ₁., m ' _N-r-1)=G _∏(c ₀, c ₁..., c _N-1), and with the inverse mapping of dijection π with little territory F _qOn the n-r dimensional vector (m ' ₀, m ' ₁..., m ' _N-r-1) be mapped to the Bit String of (n-r) q position, be designated as Y '; If Y=Y ' then accept signature, otherwise refusal is accepted.

Images