Summary of the invention
The object of the invention is to address the deficiencies of the prior art by providing an efficient and fast public-key encryption and decryption method, and thereby also a secure and efficient digital signature method.
The public-key encryption and decryption method of the invention is a multivariate public-key method designed on the intractability of solving systems of nonlinear multivariate equations over a finite field. It is implemented as follows.
(I) Setting up the encryption system:
First, use the base field $F_2 = \{0, 1\}$ to construct the small field $F_q$ and the large field:
$F_q = F_2[x]/g(x)$,
where $q = 2^k$, $g(x)$ is an irreducible polynomial of degree $k$ over the base field $F_2$, $f(x)$ is an irreducible polynomial of degree $n$ over the small field $F_q$, and $F_2[x]$, $F_q[x]$ denote the polynomial rings in the indeterminate $x$ over $F_2$ and $F_q$ respectively;
Then define a bijection $\pi$ from the $k$-dimensional vector space $F_2^k$ over the base field $F_2$ to the small field $F_q$: for any $k$-dimensional vector, $\pi(b) \in F_q$, with $\pi(b) = b_{k-1}x^{k-1} + \dots + b_1 x + b_0 \bmod g(x)$; and a bijection from the $n$-dimensional vector space $F_q^n$ over the small field $F_q$ to the large field, defined for any $n$-dimensional vector. The bijection $\pi$ and this second bijection together support the conversion of elements among the base field $F_2$, the small field $F_q$ and the large field;
The system comprises an invertible linear transformation component and an invertible nonlinear transformation component. The invertible linear transformation component consists of two randomly chosen invertible linear transformations $T$ and $U$ over the small field $F_q$; the inverse of $T$ is the invertible linear transformation $T^{-1}$ over $F_q$, and the inverse of $U$ is the invertible linear transformation $U^{-1}$ over $F_q$. $T$ and $U$ take the form of invertible square matrices of order $n$. The invertible nonlinear transformation component is a system of nonlinear multivariate equations in $n$ variables and $n$ equations over the small field $F_q$, constructed as follows:
Define an invertible nonlinear function $F$ from the large field to the large field, where $\theta$, $\gamma$ satisfy $2 \le \gamma < n$, $0 < \theta < n$ and $\gcd(q^{\theta} + \gamma,\ q^{n} - 1) = 1$, with $\gcd$ denoting the greatest common divisor; the inverse of the invertible nonlinear function $F(A)$ is the nonlinear function $F^{-1}(A) = A^{h}$, where $h = (q^{\theta} + \gamma)^{-1} \bmod (q^{n} - 1)$;
Given an $n$-dimensional vector $(x_0, x_1, \dots, x_{n-1})$ over the small field $F_q$, first apply the invertible linear transformation $U$ over $F_q$ to $(x_0, x_1, \dots, x_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$. Then use the bijection to map the mixed $n$-dimensional vector to an element $A$ of the large field, and apply the nonlinear function on the large field to $A$; the result is still an element of the large field, denoted $B$. Finally, use the inverse of the bijection to map the element $B$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $T$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(y_0, y_1, \dots, y_{n-1})$. This yields the relation between the $n$-dimensional vectors $(x_0, x_1, \dots, x_{n-1})$ and $(y_0, y_1, \dots, y_{n-1})$ over $F_q$, which takes the form of a system of nonlinear multivariate equations in $n$ variables and $n$ equations over $F_q$, of the following form:
where the highest degree of each polynomial equation is $\gamma + 1$;
The above system of nonlinear multivariate equations in $n$ variables and $n$ equations over the small field $F_q$ serves as the public key $G$ of the system; the resulting public-key equation system is written
$G(x_0, x_1, \dots, x_{n-1}) = (g_0(x_0, x_1, \dots, x_{n-1}),\ g_1(x_0, x_1, \dots, x_{n-1}),\ \dots,\ g_{n-1}(x_0, x_1, \dots, x_{n-1}))$;
(II) Encryption: encryption is carried out with the public key $G$ provided by the encryption system, as follows. Let the plaintext message be an $n$-dimensional vector $(m_0, m_1, \dots, m_{n-1})$ over the small field $F_q$; substituting $(m_0, m_1, \dots, m_{n-1})$ into the public-key equation system $G$ above gives the ciphertext vector $(c_0, c_1, \dots, c_{n-1}) = G(m_0, m_1, \dots, m_{n-1})$;
(III) Decryption: the private key is $\{T^{-1}, U^{-1}\}$, and decryption proceeds as follows.
First apply the invertible linear transformation $T^{-1}$ over the small field $F_q$ to the ciphertext vector $(c_0, c_1, \dots, c_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$;
Then use the bijection of the encryption system to map the mixed $n$-dimensional vector to an element of the large field, denoted $B$, and apply the nonlinear function $F^{-1}(B) = B^{h}$ on the large field to $B$; the result is still an element of the large field, denoted $A$;
Finally use the inverse of the bijection to map the element $A$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $U^{-1}$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(m_0, m_1, \dots, m_{n-1})$, which is the plaintext vector obtained by decryption.
Furthermore, the parameter $\gamma$ in the encryption system is set to $\gamma = 2$.
Furthermore, the invertible linear transformation $T$ in the invertible linear transformation component is replaced by $T_\Pi$, where $T_\Pi$ denotes the $n \times (n-r)$ matrix formed by deleting the last $r$ rows of the invertible square matrix $T$ of order $n$, with $0 < r < n$; the public key of the encryption system then becomes a system of nonlinear multivariate equations in $n$ variables and $n-r$ equations over the small field $F_q$, denoted $G_\Pi$, of the following form:
Furthermore, with the parameter $\gamma = 2$ set in the encryption system, signing uses the private key $\{T^{-1}, U^{-1}, \mathit{Seed}\}$ and signature verification uses the public key $G_\Pi$, where $\mathit{Seed}$ denotes a random seed bit string and the highest degree of each polynomial equation in the public key $G_\Pi$ is 3;
Suppose the plaintext message is $M$; signing and verification proceed as follows.
(a) Signing process:
1. Use the specified hash function hash(·) to compute $M_1 = \mathrm{hash}(M)$ and $M_2 = \mathrm{hash}(M_1)$, append the bit string $M_2$ to the bit string $M_1$ to form a new bit string $M_1 \| M_2$, and take the first $(n-r)q$ bits of $M_1 \| M_2$, denoted $Y$;
2. Use the specified hash function hash(·) to compute $\mathrm{hash}(\mathit{Seed})$, and take the first $rq$ bits of $\mathrm{hash}(\mathit{Seed})$, denoted $R$;
3. Append the bit string $R$ to the bit string $Y$ to form a bit string $Y \| R$ of length $nq$ bits, and map $Y \| R$ to an $n$-dimensional vector over the small field $F_q$ using the bijection $\pi$ of the encryption system, denoted $(m_0, m_1, \dots, m_{n-1})$;
4. First apply the invertible linear transformation $T^{-1}$ over the small field $F_q$ to the $n$-dimensional vector $(m_0, m_1, \dots, m_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$. Then use the bijection of the encryption system to map the mixed $n$-dimensional vector to an element of the large field, denoted $B$;
5. Apply the nonlinear function $F^{-1}(B) = B^{h}$ on the large field to $B$; the result is still an element of the large field, denoted $A$. Finally use the inverse of the bijection of the encryption system to map the element $A$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $U^{-1}$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(c_0, c_1, \dots, c_{n-1})$;
6. Encode $(c_0, c_1, \dots, c_{n-1})$ as the signature bit string $S$ of the corresponding signature length.
(b) Signature verification process:
1. Use the specified hash function hash(·) to compute $M_1 = \mathrm{hash}(M)$ and $M_2 = \mathrm{hash}(M_1)$, append the bit string $M_2$ to the bit string $M_1$ to form a new bit string $M_1 \| M_2$, and take the first $(n-r)q$ bits of $M_1 \| M_2$, denoted $Y$; then map the bit string $Y$ to an $(n-r)$-dimensional vector $(m_0, m_1, \dots, m_{n-r-1})$ over the small field $F_q$ using the bijection $\pi$ of the encryption system;
2. Use the bijection $\pi$ of the encryption system to map the signature bit string $S$ to an $n$-dimensional vector $(c_0, c_1, \dots, c_{n-1})$ over the small field $F_q$;
3. Use the public key $G_\Pi$ to compute $(m'_0, m'_1, \dots, m'_{n-r-1}) = G_\Pi(c_0, c_1, \dots, c_{n-1})$, and use the inverse of the bijection $\pi$ to map the $(n-r)$-dimensional vector $(m'_0, m'_1, \dots, m'_{n-r-1})$ over the small field $F_q$ to a bit string of $(n-r)q$ bits, denoted $Y'$; if $Y = Y'$, accept the signature, otherwise reject it.
The public-key encryption and decryption method provided by the invention belongs to the family of multivariate public-key cryptosystems. Encryption is provided by the composition of three transformations: an invertible linear transformation, an invertible nonlinear transformation and an invertible linear transformation; for decryption only the two invertible linear transformations need to be held as the private key. The invention is a substantial improvement on the Matsumoto-Imai cryptosystem, and the new algorithm can effectively resist attack methods such as differential attacks and linearization attacks. It also inherits the advantages of multivariate public-key cryptosystems, such as high efficiency, no need for a cryptographic coprocessor and particular suitability for smart cards, and in particular it can resist attacks by quantum computers; conventional public-key cryptosystems cannot match these advantages. Once quantum computers reach the practical stage, the invention can serve as a replacement for conventional public-key schemes such as RSA, ECC and ElGamal. Based on this public-key encryption and decryption method, the invention also provides a secure and efficient digital signature method, which can play a significant role in the field of information security.
Embodiment
The public-key encryption and decryption method provided by the invention is a multivariate public-key method designed on the intractability of solving systems of nonlinear multivariate equations over a finite field:
(I) To realize encryption and decryption, the first task is to set up the encryption system:
First, use the base field $F_2 = \{0, 1\}$ to construct the small field $F_q$ and the large field:
$F_q = F_2[x]/g(x)$,
where $q = 2^k$, $g(x)$ is an irreducible polynomial of degree $k$ over the base field $F_2$, $f(x)$ is an irreducible polynomial of degree $n$ over the small field $F_q$, and $F_2[x]$, $F_q[x]$ denote the polynomial rings in the indeterminate $x$ over $F_2$ and $F_q$ respectively;
Then define a bijection $\pi$ from the $k$-dimensional vector space $F_2^k$ over the base field $F_2$ to the small field $F_q$: for any $k$-dimensional vector, $\pi(b) \in F_q$, with $\pi(b) = b_{k-1}x^{k-1} + \dots + b_1 x + b_0 \bmod g(x)$; and a bijection from the $n$-dimensional vector space $F_q^n$ over the field $F_q$ to the large field, defined for any $n$-dimensional vector. The bijection $\pi$ and this second bijection together support the conversion of elements among the base field $F_2$, the small field $F_q$ and the large field;
The system comprises an invertible linear transformation component and an invertible nonlinear transformation component. The invertible linear transformation component consists of two randomly chosen invertible linear transformations $T$ and $U$ over the small field $F_q$; the inverse of $T$ is the invertible linear transformation $T^{-1}$ over $F_q$, and the inverse of $U$ is the invertible linear transformation $U^{-1}$ over $F_q$. $T$ and $U$ take the form of invertible square matrices of order $n$. The invertible nonlinear transformation component is a system of nonlinear multivariate equations in $n$ variables and $n$ equations over the small field $F_q$, constructed as follows:
Define an invertible nonlinear function $F$ from the large field to the large field, where $\theta$, $\gamma$ satisfy $2 \le \gamma < n$, $0 < \theta < n$ and $\gcd(q^{\theta} + \gamma,\ q^{n} - 1) = 1$, with $\gcd$ denoting the greatest common divisor. The inverse of the invertible nonlinear function $F(A)$ is the nonlinear function $F^{-1}(A) = A^{h}$, where $h = (q^{\theta} + \gamma)^{-1} \bmod (q^{n} - 1)$;
Given an $n$-dimensional vector $(x_0, x_1, \dots, x_{n-1})$ over the small field $F_q$, first apply the invertible linear transformation $U$ over $F_q$ to $(x_0, x_1, \dots, x_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$. Then use the bijection to map the mixed $n$-dimensional vector to an element $A$ of the large field, and apply the nonlinear function on the large field to $A$; the result is still an element of the large field, denoted $B$. Finally, use the inverse of the bijection to map the element $B$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $T$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(y_0, y_1, \dots, y_{n-1})$. This yields the relation between the $n$-dimensional vectors $(x_0, x_1, \dots, x_{n-1})$ and $(y_0, y_1, \dots, y_{n-1})$, which takes the form of a system of nonlinear multivariate equations in $n$ variables and $n$ equations over $F_q$, of the following form:
where the highest degree of each polynomial equation is $\gamma + 1$;
The above system of nonlinear multivariate equations in $n$ variables and $n$ equations over the small field $F_q$ serves as the public key $G$ of the system; the resulting public-key equation system is written
$G(x_0, x_1, \dots, x_{n-1}) = (g_0(x_0, x_1, \dots, x_{n-1}),\ g_1(x_0, x_1, \dots, x_{n-1}),\ \dots,\ g_{n-1}(x_0, x_1, \dots, x_{n-1}))$.
In a concrete implementation, the values of $k$, $n$, $\theta$, $r$ can be chosen according to the needs of the engineering application to set up the encryption system.
(II) Once the public key has been determined by the encryption system, encryption uses the public key directly. Encryption with the public key $G$ provided by the encryption system proceeds as follows.
Let the plaintext message be an $n$-dimensional vector $(m_0, m_1, \dots, m_{n-1})$ over the small field $F_q$; substituting $(m_0, m_1, \dots, m_{n-1})$ into the public-key equation system $G$ above gives the ciphertext vector $(c_0, c_1, \dots, c_{n-1}) = G(m_0, m_1, \dots, m_{n-1})$.
(III) Decryption is the inverse of encryption: the private key is $\{T^{-1}, U^{-1}\}$, and decryption proceeds as follows.
First apply the invertible linear transformation $T^{-1}$ over the small field $F_q$ to the ciphertext vector $(c_0, c_1, \dots, c_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$;
Then use the bijection of the encryption system to map the mixed $n$-dimensional vector to an element of the large field, denoted $B$, and apply the nonlinear function $F^{-1}(B) = B^{h}$ on the large field to $B$; the result is still an element of the large field, denoted $A$;
Finally use the inverse of the bijection to map the element $A$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $U^{-1}$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(m_0, m_1, \dots, m_{n-1})$, which is the plaintext vector obtained by decryption.
Referring to Fig. 1, encryption in essence passes the plaintext $M$ successively through the linear transformation $U$, the nonlinear transformation $F$ and the linear transformation $T$ to form the ciphertext $C$; conversely, decryption passes the ciphertext $C$ successively through the linear transformation $T^{-1}$, the nonlinear transformation $F^{-1}$ and the linear transformation $U^{-1}$ to recover the plaintext $M$.
The invention uses systems of higher-degree polynomial equations (highest degree greater than 2) over a finite field to design a new multivariate public-key cryptosystem, hence the setting $2 \le \gamma < n$. The invention provides a further technical scheme that simplifies encryption and decryption: set the parameter $\gamma = 2$ in the encryption system. This reduces the complexity of the encryption system and improves encryption efficiency, and is preferable to the case $\gamma > 2$.
The invention provides a further simplification, used mainly for digital signatures, which improves the security of signing and the efficiency of signature verification. Specifically, the invertible linear transformation $T$ in the invertible linear transformation component is replaced by $T_\Pi$, where $T_\Pi$ denotes the $n \times (n-r)$ matrix formed by deleting the last $r$ rows of the invertible square matrix $T$ of order $n$, with $0 < r < n$; the public key of the encryption system then becomes a system of nonlinear multivariate equations in $n$ variables and $n-r$ equations over the small field $F_q$, denoted $G_\Pi$. Its form is as follows:
The digital signature method provided by the invention is based on these two simplifications: the parameter $\gamma = 2$ is set in the encryption system, signing uses the private key $\{T^{-1}, U^{-1}, \mathit{Seed}\}$ and signature verification uses the public key $G_\Pi$, where $\mathit{Seed}$ denotes a random seed bit string; the highest degree of each polynomial equation in the public key $G_\Pi$ is 3 (that is, $\gamma + 1$);
Suppose the communicating parties are legitimate users A and B, and user B needs A to sign the plaintext message $M$; signing and verification proceed as follows.
(a) Referring to Fig. 2, the process by which user A signs the plaintext $M$ is:
1. Use the specified hash function hash(·) to compute $M_1 = \mathrm{hash}(M)$ and $M_2 = \mathrm{hash}(M_1)$, append the bit string $M_2$ to the bit string $M_1$ to form a new bit string $M_1 \| M_2$, and take the first $(n-r)q$ bits of $M_1 \| M_2$, denoted $Y$;
2. Use the specified hash function hash(·) to compute $\mathrm{hash}(\mathit{Seed})$, and take the first $rq$ bits of $\mathrm{hash}(\mathit{Seed})$, denoted $R$;
3. Append the bit string $R$ to the bit string $Y$ to form a bit string $Y \| R$ of length $nq$ bits, and map $Y \| R$ to an $n$-dimensional vector over the small field $F_q$ using the bijection $\pi$ of the encryption system, denoted $(m_0, m_1, \dots, m_{n-1})$;
4. First apply the invertible linear transformation $T^{-1}$ over the small field $F_q$ to the $n$-dimensional vector $(m_0, m_1, \dots, m_{n-1})$ for linear mixing; the result is still an $n$-dimensional vector over $F_q$. Then use the bijection of the encryption system to map the mixed $n$-dimensional vector to an element of the large field, denoted $B$;
5. Apply the nonlinear function $F^{-1}(B) = B^{h}$ on the large field to $B$; the result is still an element of the large field, denoted $A$. Finally use the inverse of the bijection of the encryption system to map the element $A$ of the large field to an $n$-dimensional vector over $F_q$, and apply the invertible linear transformation $U^{-1}$ over $F_q$ to it for linear mixing; the result is still an $n$-dimensional vector over $F_q$, denoted $(c_0, c_1, \dots, c_{n-1})$;
6. Encode $(c_0, c_1, \dots, c_{n-1})$ as the signature bit string $S$ of the corresponding signature length.
7. User A sends the signature $S$ to user B.
(b) Referring to Fig. 3, the process by which user B verifies the signature is:
1. Use the specified hash function hash(·) to compute $M_1 = \mathrm{hash}(M)$ and $M_2 = \mathrm{hash}(M_1)$, append the bit string $M_2$ to the bit string $M_1$ to form a new bit string $M_1 \| M_2$, and take the first $(n-r)q$ bits of $M_1 \| M_2$, denoted $Y$; then map the bit string $Y$ to an $(n-r)$-dimensional vector $(m_0, m_1, \dots, m_{n-r-1})$ over the small field $F_q$ using the bijection $\pi$ of the encryption system;
2. Use the bijection $\pi$ of the encryption system to map the signature bit string $S$ to an $n$-dimensional vector $(c_0, c_1, \dots, c_{n-1})$ over the small field $F_q$;
3. Use the public key $G_\Pi$ to compute $(m'_0, m'_1, \dots, m'_{n-r-1}) = G_\Pi(c_0, c_1, \dots, c_{n-1})$, and use the inverse of the bijection $\pi$ to map the $(n-r)$-dimensional vector $(m'_0, m'_1, \dots, m'_{n-r-1})$ over the small field $F_q$ to a bit string of $(n-r)q$ bits, denoted $Y'$; if $Y = Y'$, accept the signature, otherwise reject it. Here $Y' = G_\Pi(S)$, that is, $Y' = G_\Pi(c_0, c_1, \dots, c_{n-1})$.
The invention is further described below with reference to embodiments, which should not be construed as limiting the invention.
Embodiment one
(I) Setting up the system: first use the base field $F_2 = \{0, 1\}$ to construct the small field and the large field: the small field is $F_8 = F_2[X]/(X^3 + X + 1)$, together with the large field. Then define a bijection from $F_8^3$ to the large field, so that this bijection can be used to convert elements between the small field $F_8$ and the large field.
The invertible linear transformation component uses two randomly chosen invertible square matrices of order 3 over the small field $F_8$ (with $\alpha$ a generator) as $T$, $U$.
Choose the nonlinear invertible function $F(A)$, defined for an arbitrary element of the large field. Clearly $\gcd(8^2 + 2,\ 8^3 - 1) = 1$, so the nonlinear function $F(A)$ is invertible, with inverse $F^{-1}(A) = A^{271}$.
The private key of the encryption system is $\{T^{-1}, U^{-1}\}$.
The public key of the encryption system can be derived from the square matrices $T$ and $U$. The basic idea is to linearly mix the input and output vectors of the invertible nonlinear function $F(A)$ with $U$ and $T$ respectively, so as to hide the private-key information. Given an input vector of $F$, the public key is derived as follows:
1. Linearly mix the input vector with $U$:
2. Then use the bijection to map it to an element $A$ of the large field:
3. Apply the nonlinear function $F$ to obtain another element $B$ of the large field:
4. Then use the inverse of the bijection to map the element $B$ of the large field to a vector over the small field $F_8$:
5. Finally, linearly mix this vector with $T$ to obtain the output vector $\{y_0, y_1, y_2\}$ of the public key $G$:
The result of the above computation is the public key of the system; the public-key equation system can be expressed as a system of cubic polynomial equations in 3 variables over the small field $F_8$:
(II) Encryption with the public key: let the plaintext message vector be $(x_0, x_1, x_2) = \{1 + \alpha,\ \alpha^2,\ \alpha\}$; substituting it into the above system of cubic polynomial equations in 3 variables gives the ciphertext vector $(y_0, y_1, y_2) = \{1 + \alpha,\ 1 + \alpha,\ \alpha + \alpha^2\}$.
(III) Decryption with the private key $\{T^{-1}, U^{-1}\}$ follows the same steps as the derivation of the system public key, except that each linear and nonlinear transformation is replaced by its corresponding inverse transformation.
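The following Python sketch is an added example, not code from the patent: it instantiates the U, F, T pipeline with Embodiment 1's field and exponents and lets a reader confirm that the private map inverts the public map on every input. The large-field modulus f(x) = x^3 + x + α, the coefficient-vector bijection, the matrices T and U, and the forward map F(A) = A^(q^θ+γ) (inferred from the stated inverse exponent h) are assumptions, because the page does not show them.

```python
from functools import reduce
from operator import xor

G_MOD = 0b1011                    # g(X) = X^3 + X + 1, small field F_8 (from the page)
F_C = 0b010                       # ASSUMED large-field modulus f(x) = x^3 + x + alpha
Q, N, THETA, GAMMA = 8, 3, 2, 2   # Embodiment 1: q = 8, n = 3, exponent 8^2 + 2
E = Q**THETA + GAMMA              # forward exponent 66 (inferred from h, see lead-in)
H = pow(E, -1, Q**N - 1)          # inverse exponent modulo 8^3 - 1

def mul8(a, b):
    """Multiply two F_8 elements held as 3-bit integers."""
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for i in (4, 3):              # reduce modulo g(X), highest bit first
        if (r >> i) & 1:
            r ^= G_MOD << (i - 3)
    return r

def inv8(a):                      # a != 0: a^7 = 1, so a^-1 = a^6
    a2 = mul8(a, a)
    return mul8(mul8(a2, a2), a2)

def f_is_irreducible():
    """A cubic over F_8 is irreducible iff it has no root in F_8."""
    return all(mul8(mul8(x, x), x) ^ x ^ F_C for x in range(8))

def mul_big(a, b):
    """Multiply in F_8[x]/f(x); elements are coefficient triples (a0, a1, a2)."""
    p = [0] * 5
    for i in range(3):
        for j in range(3):
            p[i + j] ^= mul8(a[i], b[j])
    for d in (4, 3):              # x^3 = x + F_C in characteristic 2
        p[d - 2] ^= p[d]
        p[d - 3] ^= mul8(F_C, p[d])
    return tuple(p[:3])

def pow_big(a, e):
    r = (1, 0, 0)
    for bit in bin(e)[2:]:        # left-to-right square-and-multiply
        r = mul_big(r, r)
        if bit == "1":
            r = mul_big(r, a)
    return r

def matvec(M, v):
    return tuple(reduce(xor, (mul8(m, x) for m, x in zip(row, v)), 0) for row in M)

def mat_inv(M):
    """Gauss-Jordan inverse over F_8; raises StopIteration if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c])
        A[c], A[piv] = A[piv], A[c]
        s = inv8(A[c][c])
        A[c] = [mul8(s, x) for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ mul8(A[r][c], y) for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

U = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]   # constructed private matrices, not the page's
T = [[2, 1, 1], [1, 3, 0], [0, 1, 5]]
U_INV, T_INV = mat_inv(U), mat_inv(T)

def encrypt(x):                   # public map G = T o F o U on a vector in F_8^3
    return matvec(T, pow_big(matvec(U, x), E))

def decrypt(c):                   # private map U^-1 o F^-1 o T^-1
    return matvec(U_INV, pow_big(matvec(T_INV, c), H))
```

Because T, U and f(x) here are constructed, encrypting the page's sample plaintext (1+α, α², α), i.e. `(3, 4, 2)`, will not reproduce the ciphertext listed above.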
Embodiment 2 gives an efficient signature scheme whose security is at least $2^{80}$:
System parameters: choose $k = 5$, $n = 37$, $\theta = 7$, $r = 16$; the hash function is SHA-1, whose output length is 160 bits. Thus $q = 2^k = 32$, and the intermediate field $F_{32}$ and the large field are constructed:
$F_{32} = F_2[x]/(x^5 + x^2 + 1)$,
Then generate an 80-bit random seed $\mathit{Seed}$ and randomly generate two affine bijections $U$, $T$ over the intermediate field $F_{32}$; the private key of the system is then $\{T^{-1}, U^{-1}, \mathit{Seed}\}$, which requires 1.72 Kbytes of storage. The public key $G$ is a system of cubic equations in 37 variables and 21 equations from $F_{32}^{37}$ to $F_{32}^{21}$, which can be derived from the private key, i.e. $G = T \circ F \circ U$, of the following form:
where $\zeta_{i,j,k,t},\ \eta_{i,j,k},\ \mu_{i,j},\ \lambda_i \in F_{32}$.
All these cubic polynomials taken together, $(G_0, G_1, \dots, G_{36})$, form the public key of the system, which requires 129.68 Kbytes of storage in total.
Suppose the message to be signed is $M$; the signing and verification processes are as follows:
(I) Signing process:
Step 1. Let $M_1$ and $M_2$ be 160-bit strings,
$M_1 = \text{SHA-1}(M)$, $M_2 = \text{SHA-1}(M_1)$
That is, the hash function hash(·) is the common SHA-1(·) function.
Step 2. Let $V$ be a 105-bit string,
$V = [M_2]_{0 \to 104}$
Step 3. Let $W$ be an 80-bit string,
$W = [\text{SHA-1}(V \| \mathit{Seed})]_{0 \to 79}$
Step 4. Let $Y$ be a vector of 21 elements over $F_{32}$, of length 105 bits,
$Y = (\pi([V]_{0 \to 4}),\ \pi([V]_{5 \to 9}),\ \dots,\ \pi([V]_{100 \to 104}))$
Step 5. Let $R$ be a vector of 16 elements over $F_{32}$, of length 80 bits,
$R = (\pi([W]_{0 \to 4}),\ \pi([W]_{5 \to 9}),\ \dots,\ \pi([W]_{75 \to 79}))$
Step 6. Let
where
$h = (32^{7} + 2)^{-1} \bmod (32^{37} - 1)$
Step 7. The signature $S$ is a bit string of length 185 bits,
$S = \pi^{-1}(X_0) \| \dots \| \pi^{-1}(X_{36})$
(II) Signature verification process:
Step 1. Let $M_1$ and $M_2$ be 160-bit strings,
$M_1 = \text{SHA-1}(M)$, $M_2 = \text{SHA-1}(M_1)$
Step 2. Let $V$ be a 105-bit string,
$V = [M_2]_{0 \to 104}$
Step 3. Let $Y$ be a vector of 21 elements over $F_{32}$, of length 105 bits,
$Y = (\pi([V]_{0 \to 4}),\ \pi([V]_{5 \to 9}),\ \dots,\ \pi([V]_{100 \to 104}))$
Step 4. Let $Y'$ be a vector of 21 elements over $F_{32}$, of length 105 bits,
$Y' = G(\pi([S]_{0 \to 4}),\ \pi([S]_{5 \to 9}),\ \dots,\ \pi([S]_{100 \to 104}))$
Step 5. If $Y = Y'$, accept the signature; otherwise reject the signature.
The security of the signature system is $2^{80}$. In the signing process the main operations are multiplications and additions in the finite field $F_{32}$; because the field is small, the implementation is efficient and suitable for both software and hardware.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.