CN101626364A

CN101626364A - Method for authentication for resisting secrete data disclosure and key exchange based on passwords

Info

Publication number: CN101626364A
Application number: CN200810040311A
Authority: CN
Inventors: 赵运磊; 姚期智; 储枫; 丁素芬
Original assignee: Individual
Current assignee: Individual
Priority date: 2008-07-08
Filing date: 2008-07-08
Publication date: 2010-01-13

Abstract

The invention belongs to a cryptographic protocol, and in particular relates to a method for authentication for resisting secrete data disclosure and key exchange based on passwords. The method is superior to correlative American or international current standard in the aspects of user password protection, secrete data disclosure resistance, better user privacy protection, better online efficiency calculation, less communication bandwidth and higher security. The method for the authentication and the key exchange comprises sub-methods of an innovative method for public key encryption and signcryption based on passwords, a method for knowledge binding certification, a method for resisting temporary secrete data disclosure, a method for awarding a public key certificate. The method has the advantages of good systematicness, adaptability and compatibility.

Description

Authentication and key exchange method based on password and resisting secret data leakage

Technical Field

The invention belongs to a cryptographic protocol, and particularly relates to an authentication and key exchange method based on a password and resisting secret data leakage, a public key encryption and signcryption method based on the password, a knowledge binding certification and a method resisting temporary secret data leakage.

Background

System parameters: (G ', G, G, q), where G ' is a finite group of order N, G is a subgroup of order q in G ', and G is a generator of G, making it difficult to define the discrete logarithm problem on G. The general settings of G', G are as follows: g' is

p is a prime number, q is divided by (p-1), when the order of G' is N ═ p-1; alternatively, G' is an elliptic curve defined over a finite field (i.e., a group of points on an elliptic curve defined over a finite field). In general terms, the amount of the solvent to be used,

the element operation in (1) is expressed by multiplication, the unit cell is an integer of 1, and the operation on the elliptic curve is expressed by addition, and the unit cell is an infinite point. In this document, we represent the operation of an element in G' by multiplication. Unless otherwise specified, the unit cell in G, G' is designated as 1_G，G′/1_GExpressed is the subtraction of Unit cell 1 from G_GSet of other elements thereafter, i.e. not 1 in G_GAn element; note G/1_GIs other than 1 in G_GAnd (4) elements. Without loss of generality, the result of the exponential operation and the multiplication operation that is not exponential is either G' or one element of G, and the addition and/or multiplication operation on the exponent is a modulo-q calculation. Defining the function DL: z_q→ G, so that h ═ dl (w) ═ G^w. w is referred to as the discrete logarithm of h. We require that no polynomial time algorithm compute the discrete logarithm w of h given a randomly computed h, which is called the discrete logarithm problem. The computational Diffie-Hellman problem refers to: given a random g^xAnd g^yThere is no polynomial time algorithm to calculate g^xy. For those skilled in the art, the discrete logarithm problem and the computational Diffie-Hellman problem may also be defined on a group defined by an elliptic curve or a bilinear pair (bilinear).

The check confirms that one element X is belonged to G, and the following method can be used: (1) calculate and check X^q1 is ═ 1; (2) if N is 2q +1, calculate and check X²Not equal to 1, or calculate the Legendre symbol for X; (3) if G ' is G (for example, G ' is an elliptic curve group with prime order), only X is required to be checked to be G '; (4) calculating and checking X ∈ G' and X^N/qNot equal to 1 to ensure that X is not in a small subgroup of order divisible by N/q; (5) if G' is defined in a finite field F_qChecking that X ∈ G'/1 and the X-coordinate and y-coordinate of X are F_qOf (1). In general, the check of X ∈ G may be embedded into other operations of the protocol.

1. The operating environment and steps of a commonly used password-based authentication protocol (including many commercial applications), such as the SSL/TLS authentication protocol specified in the ietf (internet engineering Task force) rfc 2246 (request For comments) document For securing the world Wide Web (Wordl-Wide Web WW), are as follows:

(1) client "A" does not have a public key, but client "A" registers a password w at server "B"; and the server B stores w in the database entry corresponding to the user A or encrypts and stores w in the database entry corresponding to the user A. Server "B" has a public key.

(2) Client "a" and server "B" run a one-way authenticated key exchange protocol in which only the server authenticates the client, but the client does not. For example, client "a" encrypts a random number K using the server's public key; let K denote the generated session key.

(3) Client "a" encrypts password w using K as the public key of a symmetric encryption algorithm Enc to obtain ciphertext C: c ═ Enc_K(w) and calculating the label t_A＝MAC_K(sid，r_A) Where MAC is a message authentication code algorithm, sid is a session identifier, r_AIs the role designation of user "A"; user "A" will be (C, t)_A) Sending to server 'B'; after receiving C, server "B" verifies t with K_AAnd if the password is correct, the identity of the client A is approved, and if the password is not correct, the identity of the client A is rejected.

The password-based user authentication described above has the following disadvantages:

(a) the user's password may be directly stored in the database of server "B" in the clear and is therefore vulnerable to leakage.

(b) If the session key K is compromised, w can be calculated by C from an offline attack. The possible value of w is guessed offline, and the session key K is used for encryption and comparison with C, and if the two are the same, the password is correct.

(c) Disclosure of ciphertext C may help an attacker to perform time-based (timing) analysis, thus compromising or even revealing the password.

(d) User "A" needs to send t additionally_A＝MAC_K(sid，r_A) Rather than being bound into C.

(e) The session key exchange of step (2) is only one-way authentication for server "B", and no two-way authentication, i.e.: client "a" is not authenticated. Incompatible with the case where client "a" has a public key.

(e) Server "B" is not able to perform a prior offline computation to speed up the efficiency of the online computation.

2. Commonly used Diffie-Hellman key exchange protocols, such as the IKE protocol for securing internet security as specified in RFC 2409 of IETF, and the SSH protocol for securing distributed client-server networks as specified in RFC 4251 of IETF, have the following disadvantages:

(1) identity authentication using digital signatures, and therefore user privacy is not well protected;

(2) moreover, since the verification and generation of the digital signature cannot sufficiently perform the off-line calculation in advance, the efficiency of the on-line calculation is not good enough;

(3) not very compatible with key exchange protocols that do not use signatures.

The commonly used Diffie-Hellman key exchange protocol for identity authentication without using signatures, such as the MQV protocol specified by the X9.42-2001 standard document of the American National Standards Institute (ANSI), the IS 15946-3 standard document of the international organization for standardization (ISO), the 1363-2000 standard document of the Institute of Electrical and Electronics Engineers (IEEE), etc., has the following disadvantages:

(a) the online computational efficiency of the MQV protocol is not good enough. The session key generation mode of MQV does not allow the user to perform partial offline calculation on the session key to improve the efficiency of online calculation. Specifically, user "a" cannot perform a prior offline partial calculation of the session key before receiving the DH-key component Y of user "B", and user "B" cannot perform a prior offline partial calculation of the session key before receiving the DH-key component X of user "a".

(b) MQV protocol does not protect the privacy of the user well. In the MQV protocol, the session key of each user cannot be calculated only from the discrete logarithm of the DH-key component of the opposite user. Namely: the session key is bound in a non-repudiatable manner to the two users that generated the session key. Therefore, the MQV protocol cannot protect user privacy well.

(c) The MQV protocol does not fully guarantee that the DH-key component of each user is not contained in a small subgroup.

3. The leakage of temporary secret data generated during one execution of a commonly used Diffie-Hellman key exchange protocol, such as the IKE protocol for securing internet security as specified in the IETF RFC 2409 document, provides an attacker with the facility to attack the operation of other protocols. Namely: the leakage of deposited temporary secret data can compromise the security of other protocols that are running.

4. The checking of the DH-key components of the user into elements in the corresponding group of the commonly used Diffie-Hellman key exchange protocol cannot be combined well with a prior off-line calculation or it cannot be fully guaranteed that the DH-key components of the user are not contained in a small subgroup.

5. The commonly used Diffie-Hellman key exchange protocol only aims at a certain specific application environment, and the expansion performance and the system performance are poor;

disclosure of Invention

The invention aims to provide a key exchange method which is efficient, can be based on passwords and is resistant to secret data leakage. The key exchange method of the invention has the following characteristics:

1. compared with the common password-based authentication protocol (including many commercial applications), such as the SSL/TLS authentication protocol specified in RFC 2246 of IETF, the following differences and features exist:

(1) the server 'B' does not directly store the password w of the client 'A' in the database entry corresponding to the user 'A'; the data stored in the storage device can not reveal the password of the client 'A', namely: the leakage of the stored data can not reveal the password of the client; and the stored data is directly used for generating the session key and can be calculated in advance to accelerate the calculation efficiency.

(2) The password of client "a" participates in the session key generation process in an implicit way, providing a degree of mutual authentication.

(3) After the session key generation, client "a" does not transmit the password encrypted with the session key, i.e.: the information transmitted after the session key is generated may have no relation to the password of user "a"; this feature ensures that: even if the session key is leaked, an attacker cannot obtain the password of the user from the leaked session key by an offline attack. Furthermore, time-based analysis can be well protected against the encrypted transmission of passwords with session keys.

(4) Client "A" may not need to send t additionally_A＝MAC_K(sid，r_A) But rather bind it to other information sent by the protocol, further increasing computational and communication complexity. Where K is the generated session key.

2. Compared with the commonly used Diffie-Hellman key exchange protocol, such as the IKE protocol specified in RFC 2409 of IETF, the following differences and features exist:

(1) identity authentication is performed without using a digital signature, so that the privacy of a user can be well protected;

(2) off-line calculation can be well performed in advance, so that the high efficiency of on-line calculation is ensured;

(3) is well compatible with key exchange protocols that do not use signatures.

Compared with the commonly used Diffie-Hellman key exchange protocol without signature for identity authentication, such as the MQV protocol specified by the American National Standards Institute (ANSI) X9.42-2001 standard document, the International Standards Organization (ISO) IS 15946-3 standard document, the International institute of Electrical and electronics Engineers' 1363- & 2000 standard document, etc., the following differences and features are present:

(a) in the protocol (implementation method-4) of the present invention, each user only needs to perform an exponential operation online; in the MQV protocol, each user needs to perform 1.5 exponential operations on line; therefore, the inventive protocol has better online computing efficiency.

(b) The session key generated by the protocol has good repudiation performance, so that the privacy of the user can be better protected; in the MQV protocol, however, the generated session key is bound to two users who generate the session key in a non-repudiatable manner, and thus the privacy of the users cannot be well protected.

(c) The inventive protocol may fully guarantee that the DH-key component of each user is not contained in a small subgroup.

3. The inventive protocol has good resistance to the harm caused by the leakage of the temporary secret data, the stored leakage of the temporary secret data about one execution of the protocol does not affect the safety of other executions of the protocol, and effective convenience is not provided for an attacker to solve the computational Diffie-Hellman problem.

4. The inventive protocol allows the checking of the DH-key components of the users as elements in the corresponding groups to be combined well with a priori offline calculations and to fully ensure that the DH-key components of the users are not included in small subgroups.

5. The protocol of the invention has excellent expansion performance and system performance, and can be applied to various application environments and occasions. The system working environment of the method of the invention is as follows:

(1) system parameters: (G ', G, G, q), where G ' is a finite group of order N, G is a subgroup of order q in G ', and G is a generator of G, making it difficult to define the discrete logarithm problem on G. The general settings of G', G are as follows: g' is

the element operation in (1) is expressed by multiplication, the unit cell is an integer of 1, and the operation on the elliptic curve is expressed by addition, and the unit cell is an infinite point. In this document, we represent the operation of an element in G' by multiplication. Unless otherwise specified, the unit cell in G, G' is designated as 1_G，G′/1_GExpressed is the subtraction of Unit cell 1 from G_GSet of other elements thereafter, i.e. not 1 in G_GAn element; note G/1_GIs other than 1 in G_GAnd (4) elements. Without loss of generality, the result of the exponential operation and the multiplication operation that is not exponential is either G' or one element of G, and the addition and/or multiplication operation on the exponent is a modulo-q calculation. Defining the function DL: z_q→ G, so that h ═ dl (w) ═ G^w. w is referred to as the discrete logarithm of h. We require that no polynomial time algorithm compute the discrete logarithm w of h given a randomly computed h, which is called the discrete logarithm problem. The computational Diffie-Hellman problem refers to: given a random g^xAnd g^yWithout polynomial time algorithm to calculate g^xy. For those skilled in the art, the discrete logarithm problem and the computational Diffie-Hellman problem may also be defined on a group defined by an elliptic curve or a bilinear pair (bilinear). For any element X ∈ G', we remember X^-1Is the inverse of X relative to G', i.e.: XX^-1＝1_G(ii) a As general knowledge in the art, X^-abThere may be various equivalent computing methods, such as: x^-ab＝(X^-1)^ab＝(X^-a)^b＝(X^a)^-b＝(X^-b)^a＝(X^b)^-a＝…，X^tcb+tfy＝X^t(cb+fy)And so on;

(2) H is a hash function; for character strings or values s₁，s₂，…s_m，m＞1，H(s₁，s₂，…s_m) It is shown that: will s₁，s₂，…，s_mAnd (4) representing by using proper codes, then connecting all the coding sequences in series, and finally taking the string obtained after the series connection as the input of H. Without loss of generality, let us assume that the output of H is Z_q(0, 1, 2, …, q-1) element, otherwise we can simply take one of the outputs of H to belong to Z_qOr modulo q calculation is performed on the output of H. If s₁，s₂，…，s_mIs a string of m characters, S₁，S₂，…S_nIs n sets, 1 is not more than n, m, { s₁，s₂，…，s_m，S₁，S₂，…，S_nDenoted by s₁，s₂，…，s_m}∪S₁∪S₂∪…∪S_nWherein the order of elements in parentheses may be changed arbitrarily. H(s)₁，s₂，…，s_m，S₁，S₂，…，S_n) Is expressed by₁，s₂，…s_mAnd S₁∪S₂∪…∪S_n-{s₁，s₂，…，s_mThe elements in the code are represented by proper codes, all the code strings are sequentially connected in series, and finally the string obtained after series connection is used as the input of H.

(3) Unless otherwise specified, with an identity ID I_AUser "a" has a public key a ═ g^aE G, where a is set in Z by user "A_q0, 1, 2, …, q-1. Accordingly, has ID I_BThe public key of the user "B" is denoted as B ═ g^bE.g., G, and so on. Wherein I_AFor identity information or user name of user "A", I_BIs the identity information or username of user "B". For any element x ∈ Z_qWe note that x is x relative to Z_qThe negative element of (a), namely: x + (-x) ═ 0 modq.

Without loss of generality, the public key certificate authority checks to confirm that the public key registered by the user is an element in G or G/1 when issuing a certificate to the user_GAnd (5) medium element. The certificate authority refuses to issue the public key certificate if any check fails. Thus, each user can confirm that the public key of the opposite party is G or G/1 only by checking the public key certificate of the opposite party user_GOf (1).

(4) The protocol is based on the Diffie-Hellman key exchange protocol. Unless otherwise specified, the symbols X-g^xA DH key component of user "A", X being a discrete logarithm of DH key component X, X being derived from Z by user "A_q0, 1, …, q-1.Let Y be g^yDH key component for user "B", Y is the discrete logarithm of DH key component Y, Y is derived from Z by user "B_q0, 1, …, q-1. Assume that user "A" is the initiator (initiator) of the protocol and user "B" is the responder to the protocol. Namely: user "A" sends X first; user "B" sends Y again after receiving X. In general, user "B" needs to check X ∈ G'/1 before sending Y_GOr X ∈ G, "A" needs to check Y ∈ G'/1 after receiving Y_GOr Y ∈ G.

(5) Other information related to protocol execution pub: pub is the component X ═ g for removing DH-key^xOr X', Y ═ g^yA subset or sequence of other information related to protocol execution, other than that, may be empty or contain repeating elements. Here, other information related to protocol execution includes: the identity information or user names of the users, i.e., protocol initiators and responders, the role designations of the protocol initiators and responders, public and public key certificate information, IP addresses, protocol versions, security parameters and key (length) parameters, session designations of the protocols, timestamps, arbitrary values, and other information transmitted by the protocol session other than the DH-key component. In different implementation methods and applications, pub values may be different. Generally, pub contains the public key and identity or username information of the protocol initiator and responder, i.e.

<math><mrow> <mrow> <mo>{</mo> <msub> <mi>I</mi> <mi>A</mi> </msub> <mo>,</mo> <mi>A</mi> <mo>,</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>,</mo> <mi>B</mi> <mo>}</mo> </mrow> <mo>&SubsetEqual;</mo> <mi>pub</mi> <mo>.</mo> </mrow></math>

The session identifier sid is generally two random numbers R sent by the users "a" and "B_AAnd R_BOr DH-key components are concatenated in initiator-responder order, i.e. sid ═ R_A‖R_BOr sid | Y, where | denotes the concatenation operator.

Protocol role designation r of user_AAnd r_BTypically with different integers such as: r is_A＝0，r_B1 is ═ 1; or by different sequences of the random numbers or DH-key components sent by users "a" and "B", such as: r is_A＝R_A‖R_BOr r_A＝X‖Y，r_B＝R_B‖R_AOr r_B＝Y‖X。

For the person skilled in the art, the random number R_AAnd R_BAnd possibly the exchange of public key certificates, may be performed before the implementation method is run, or may be included in the information sent by each user in the implementation method.

(6) Key derivation function KDF: KDF (S, aux) is a key derivation function, where S is a value or set of values and aux is a set of strings of values or a counter. In general, a KDF is a hash function or sequence of hash functions or directly outputs its first input, such as: KDF (S, aux) ═ H (S, aux) (this calculation is suitable for the case where the length of the output of the hash function H is equal to or greater than the length of the specified key, i.e., the true output may be a substring of H (S, aux), such as a prefix, the length of the output substring being equal to the length of the specified key, or KDF (S, aux) ═ H (S, 1) H (S, 2) … H (S, k) where k ≧ 1, aux is a counter (this calculation is suitable for the case where the length of the output of the hash function H is less than the length of the specified key), or KDF (S, aux) ═ S; or KDF is a pseudo-random function with S as the random seed, such as KDF (S, aux) ═ PRF_S(aux). The session key and the authentication key may be derived from the same key derivation function on the same input; alternatively, the session key and the authentication key are derived from the same key derivation function on different inputs, such as the session key is H (S, aux) and the authentication key is H (aux, S); alternatively, the session key derivation function is different from the authentication key derivation function, and their inputs are the same or different, such as: the derivation of the session key and the authentication key uses different hash functions or pseudo-random functions.

(7) A tag authentication function F_T(K, U) where K is a secret value or secret valueAnd in the set, U is a numeric string set. Tag authentication function F_T(K, U) is any function that satisfies the following properties: (1) cannot be taken from F_T(K, U) solving for K in a polynomial time of the length of K, namely: function F with respect to input K_TIs unidirectional; (2) given F_T(K, U) F cannot be calculated within a polynomial time of the length of K_T(K, U') or F_T(K, U ') such that U ≠ U'. In general, F_TIs a one-way hash function, such as: f_T(K, U) ═ H (K, U); or F_TIs a message authentication code MAC function in which the MAC private key is derived from K, U and the authentication information is a subset of U, such as F_T(K，U)＝MAC_K(U)。

Let us assume that the protocol operation sender has some mechanism to negotiate the above parameters (including security parameters and key length parameters), functions, algorithms (including symmetric and public key encryption algorithms, authentication algorithms, signature algorithms, hash functions, etc.), user role indication and session indication symbol representation methods, etc., and to operate which of the following implementation methods, and to reach a agreement. This negotiation mechanism may vary from application environment to application environment and from system to system. Generally, pub contains a subset of the information that the negotiation interacts with. To those familiar with the art, the checks performed on the various elements in the application method confirm that the default is one-time, i.e.: once the validation is correct (typically at the first calculation of the element), it is not checked in subsequent runs.

The implementation method comprises the following steps: according to different application environments and systems, the following implementation methods are adopted:

the implementation method-1: implementation method-1 is suitable for a client "a" not having or not having the convenience of using a public key, and a user "B" not sending a DH-key component Y ═ g^yThe case (2); but client "a" has registered a password w at user "B". Generally, user "A" is a client and user "B" is a server. User "B" manages a user database and creates an entry in the database for each client; user 'B' supports with B ═ g^bE G' is a public key encryption algorithm with a public key based on Diffie-Hellman or ElGamal, such as the public key encryption algorithm ECIES based on Diffle-Hellman specified by standardized documents such as ANSI X9.63, ISO/IEC 15946-3 and IEEEP1363a, or the public key encryption algorithm PSEC based on Diffle-Hellman specified by the ISO18033-2 standardized draft; any legal public key encryption ciphertext, denoted as C, is a set of values and each includes a DH-key component X ═ g for generating a Diffie-Hellman secret with public key B^xE is G; namely: x ═ g^xFor generating a common Diffie-Hellman secret B between an encryptor and a decryptor^tx＝g^tbx＝X^tbE G', wherein t is 1 or

(ii) a In general, the common secret that the encryptor and the decryptor really use is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)。B＝g^bE G' can be the public key of fixed user "B", i.e.: randomly selected b ∈ Z_qRemain unchanged from session to session. G ═ B^bE G' can also be chosen randomly by user "B" independently in each session, i.e.: b independently in Z in different sessions_qSelecting.

The core and the characteristic of the implementation method-1 are that two functions K are constructed_AAnd K_BSo that K_A(x，w，B，pub)＝K_B(b, w, X', pub). User "a" calculates and sends DH-key component X ═ g^xB^βE.g. G'; user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein, if B ═ g^bIf the E G ' is the public key of the user ' B ', the user ' B ' can calculate and store B in advance^-tbβE G' and/or B^tbβE.g. G'; if B is g^bE G 'is not the public key of user' B ', but is present by user' BEach session is independently selected randomly, and user 'B' first gets g from B^bE.g. G' is sent to "A".

The specific method comprises the following steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'. Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′^tbB^-tbβE.g.. G': user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE G ' (the calculation is suitable for the user ' B ' to calculate and store B in advance^-tbβE.g. case of G') or K_B＝(X′B^-β)^tbE G ' (the calculation is suitable for the user ' B ' to calculate and store B in advance^-βE G'); wherein t is 1 orBeta is w or-w, and w and-w are coded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wTypically set to a short substring of the hash function H output (e.g., 8 or 16 or 32 bit prefix of H output). The common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be empty. Is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key.

User "B" may calculate B in advance^-1. If β does not involve X' and if B ═ g^bE.G ' is the public key of user ' B ', user ' B ' calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; alternatively, user "B" calculates B in advance^-βAnd B is^-βSecurely stored in the database entry corresponding to user "A" (at this point, B)^-βWill reveal the user's password, suggest pair B^-βEncrypted storage is performed). However, if user "B" does not have a public key, it randomly chooses and sends B ═ g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, user "B" still needs to store β in the database entry corresponding to user "a" (suggesting encrypted storage of β).

To prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B immediately after calculation^βOr immediately deleted or stored in a secure location. The calculation of the user 'A' can be carried out in advance; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1Upon accelerated calculation, where-beta is exactly w or H_w(W). If β ═ w or β ═ H_w(W), user "B" may calculate and store B in advance^-1。

For the case where user "B" has the public key "B", in general, if the decryptor, i.e., user "B", checks the confirmation X' ∈ G, let t equal to 1. If the decryptor only checksChecking that X 'belongs to G' or X 'belongs to G'/1_GIf X' is not in the range of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβ(applicable to K)_B＝X′^tbB^-tbβE G' calculation mode) or K_B≠1_GOr (X' B)^-β)^t≠1_G. If user 'B' does not have a public key, it randomly chooses and sends B-g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, then the user "B" only checks to confirm that X '∈ G' or X '∈ G'/1_GLet t equal to 1. User "B" aborts protocol execution, returning or not returning an error message, if any check fails. User 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified Diffie-Hellman or ElGamal-based public key encryption algorithm is referred to as a password-based Diffie-Hellman or ElGamal public key encryption algorithm.

Client 'A' encrypts a random number R by using a Diffie-Hellman or ElGamal public key encryption algorithm based on a password to obtain a ciphertext C, and encrypts the ciphertext C and identity information I_ASending to user 'B'; if user 'B' successfully decrypts C to obtain R, the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'. The recommended calculation method is as follows: the session key is set to R, and the authentication key R' is formed by R and k₂And (6) exporting. If the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; we assume that user "a" is only allowed to make mistakes a limited number of times to prevent online guessing attacks.

To prove to user "A" that he knows R, user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BC, X', pub } is a session identifier, r_BIs the protocol role designation for user "B". User "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

User "A" proves to user "B" that it does know R as follows: user "A" sends ciphertext C at the same time or receives t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of C, X', pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a". If the Diffie-Hellman or ElGamal public key encryption ciphertext C based on the password for R already contains a label t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), where E is an element in the ciphertext C or the division of t in the ciphertext C_EA subset of other elements than k and in general k e k₁，k₂}, user "A" can prove to user "B" that it knows R more efficiently as follows: user "A" does not send t_A＝F_T(R′，aux_A) But instead t in the ciphertext C_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or in general t_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_APub } and aux_A≠aux_B，K_RIs derived from (K, R ', aux) or (K, R, aux) or is directly set as R' (recommending K)_RR') aux is { I ═ I_A，I_B，sid，r_A，r_BA subset of E, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR'; in general, K_RH (k, R), or

<math><mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>,</mo> </mrow></math>

Or

<math><mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>)</mo> </mrow> <mo>,</mo> </mrow></math>

Or K_RR'; user "B" checks t_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

The implementation method-2: implementation method-2 is applicable to client "a" having public key a ═ g^aUser 'B' has public key B ═ g^bBut does not send the DH-key component Y ═ g^yThe situation (2).

If user "A" registers a password w at user "B", the core and feature of implementing method-3 is to construct two functions K_AAnd K_BSo that K_A(a，x，w，B，pub)＝K_B(b, w, A, X, pub). The specific method comprises the following steps: user "a" calculates and sends DH-key component X ═ g^xB^βE G', wherein β is w or-w, and w and-w are encoded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，A，I_BB, pub } or { w, X', I_A，A，I_BOne subset of, B, pub } containing w, H_wIs a hash function that outputs a length less than q, typically taking a short substring of the H output (e.g., 8 or 16 or 32 bit prefix of the H output). User "A" calculation

<math><mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

(this calculation has the advantage that fewer on-line exponential operations are required, essentially only one exponential operation has to be performed on-line, where B^-βCan be calculated in advance; the disadvantage is that B^-βReveal the user's password), or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

(this calculation is suitable for the user "B" to calculate in advance

In which case

<math><mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Can be calculated in advance; has the advantages that

Without revealing the userA password; recommending the use of such a calculation), or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

(this calculation is suitable for the user "B" to calculate B in advance^-bβCase of (a) or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Where c ═ H (X ', pub) or H (X', B, pub), e ═ 1 or H (pub), t ═ 1, or H (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; c depends on X ', e does not depend on X'; all calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W) (in this case, user "B" may not calculate B in advance^-1) (ii) a If β ═ w or β ═ H_w(W), user "B" may calculate B in advance^-1. User "B" can be calculated in advanceAnd store B^-1、

<math><mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

If the calculation of beta does not involve X ' user ' B ', it can also be calculated in advance

And/or B^-bβE.g. G'; user 'B' will

Or B^-bβOr

OrOr

Is stored in the database entry corresponding to user "a", encrypted if necessary, rather than storing the password w or β directly, when K is present_BIs calculated as

Or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessary

Encrypted for storage, at this time K_BIs calculated as

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>.</mo> </mrow></math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for password-based implementations, if the user "B" checks that X' ∈ G and A ∈ G are confirmed, let t₁＝t₂1. If the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

(is suitable for

In a calculation manner) or

<math><mrow> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

(is suitable for

Is recommended for such inspection) or/and

<math><mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

or

<math><mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

(is suitable for

In a calculation manner) or

<math><mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

(is suitable for

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

In a calculation manner) or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>eb</mi> </mrow> </msup> </mrow></math>

(applicable to the above various K_BManner of calculation), or

<math><mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>.</mo> </mrow></math>

If any check fails, user "B" then aborts the protocol run, returning or not returning an error message.

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X', pub } is derived using a key derivation function, thisThe time user "B" checks X' ∈ G.

(2) Or else, the DH-key component X ═ g in the public key encryption algorithm based on Diffie-Hellman or ElGamal^xIs changed to X' ═ g^xB^βE.g. G'. The common Diffile-Hellman secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be empty. Is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key. User 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text C or before sending cipher text_AThereby obtaining a password-based secret signature algorithm with the sender identity authentication function. Encrypting a random number R by using the obtained password-based signcryption algorithm; the secret label of the random number R is marked as C, and the secret label C is a set of a plurality of numerical values. If the user 'B' has a decryption error, the execution is stopped, and error information is returned or not returned. The session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'. We assume that user "a" is only allowed to make mistakes a limited number of times to prevent online guessing attacks.

If user "a" does not have a password registered at user "B", user "a" calculates and sends DH-key component X ═ g^xE is G; at this time, the core and the characteristic of the implementation method-2 are to construct two functions K_AAnd K_BSo that K_A(a，x，B，pub)＝K_B(b, A, X, pub). The specific method comprises the following steps: user "A" calculation

User "B" calculation

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), e ═ 1 or H (pub), t ═ 1, or H (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; the calculation of c depends on X, and the calculation of e does not depend on X. All calculations for user "A" can be performed in advance; user "B" can be calculated in advance

<math><mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>.</mo> </mrow></math>

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X, pub } is derived using a key derivation function, when user "B" checks X' e G.

(2) Alternatively, the common Diffile-Hellman secret that is really used by the encryptor and the decryptor in a Diffie-Hellman or ElGamal-based public key encryption algorithm is composed of { X, K_A＝K_BDerivation, i.e. KDF (K)_A，X)＝KDF(K_BX) or from { X, K)_A＝K_BDerived from aux, aux is { I }_A，K_B，sid，r_A，r_BPub, can be empty. Notation of { X, K_A＝K_BOr by { X, K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key. User 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_AThus, a password-based secret signature algorithm with the sender identity authentication function is obtained: . Encrypting a random number R by using the obtained password-based signcryption algorithm; the secret label of the random number R is marked as C, and the secret label C is a set of a plurality of numerical values. If the user 'B' has a decryption error, the execution is stopped, and error information is returned or not returned. The session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'.

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for non-password based implementations, if the user "B" checks that X ∈ G and A ∈ G are confirmed, let t₁＝t₂1 is ═ 1; if the decryptor only checks for confirmations A ∈ G, X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

K_{B} = A^{t_{1} be};

Memory and exportIn order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) (ii) a Wherein aux is implemented for password-based implementation_BIs { I_B，sid，r_BX', pub } for non-password based implementations aux_BIs { I_B，sid，r_BX, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "a" proves to user "B" that he does know R' using the following method: user "A" sends X' or X at the same time or receives t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a". If the authentication key is derived from the random number R of the signpost and the signpost C already contains a tag t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), wherein E is an element of C or t is divided by C_EA subset of other elements than R, then user "A" can prove to user "B" that it knows R' more efficiently as follows: user "A" does not send t_A＝F_T(R′，aux_A) Instead, t in the secret tag C is_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or in general t_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B；K_RIs derived from or directly set to R 'of (k, R', aux) or (k, R, aux), where aux is { I }_A，I_B，sid，r_A，r_BX', pub } or { I_A，I_B，sid，r_A，r_BA subset of X, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR'; in general, K_RH (k, R), or

Or

Or K_RR', wherein K_RThe length of (d) is taken to be the same as k; user "B" checks t_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-3: implementation-3 is applicable to the case where client "a" does not have or does not have the convenience of using a public key, but user "a" still sends DH-key component X ═ g^xAnd user 'B' has public key B ═ g^bAnd sends DH-key component Y ═ g^yThe situation (2).

The core and the characteristic of the implementation method-3 are that two functions K are constructed_AAnd K_BSo that K_A(x，B，Y，pub)＝K_B(b, y, X, pub); the specific method comprises the following steps: user "A" calculation

<math><mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), f ═ H (pub, X, Y) or f ═ H (pub, B, X, Y) or H (c, Y), t_i1 or

I is more than or equal to 1 and less than or equal to 2; note that the calculation of c depends on X but not on Y, the calculation of f depends on both X and Y; user "A" may be calculated in advance

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: (1) let t be if user "B" checks that X ∈ G is confirmed₁＝t₂1. (2) If user "B" only checks for confirmation X ∈ G 'or X ∈ G'/1_GBut X ∈ G cannot be confirmed, and if y is likely to leak (or the user "B" worries that y is likely to leak)), let

t = t_{1} = t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>X</mi> <mrow> <mi>t</mi> <mrow> <mo>(</mo> <mi>bc</mi> <mo>+</mo> <mi>yf</mi> <mo>)</mo> </mrow> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

If y does not leak (i.e., is sufficiently secure, or user "B" confirms that y does not leak), then t is the same as (1)₁，t₂Can still be1. If any check fails, the protocol is aborted and an error message is returned or not.

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, X, Y, pub } derives a session key and an authentication key; let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation for user "B". User "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned. To prove to user "B" that he does know R', user "A" is receiving t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

In a specific implementation, it is proposed to implement method-3 in combination with variant (1) of claim 6.

The implementation method-4: the implementation method-4 is suitable for the client 'A' to have a discrete logarithm public key A ═ g^aAnd sends DH-key component X ═ g^xAnd user 'B' also has discrete logarithm public key B ═ g^bAnd sends DH-key component Y ═ g^yThe situation (2).

The core and the characteristic of the implementation method-4 are that two functions K are constructed_AAnd K_BSo that K_A(a，x，B，Y，pub)＝K_B(b, y, A, X, pub). The specific method comprises the following steps: user "A" calculation

<math><mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), d ═ H (pub, Y) or H (pub, a, Y) e ═ 0 or 1 or H (pub), f ═ H (pub, X, Y) or H (c, d), t (c, Y_i1 or

I is more than or equal to 1 and less than or equal to 4. c. The key points of the setting of d, e and f are as follows: c depends on X but not on Y, d depends on Y but not on X, e depends on neither X nor Y, f depends on (X, Y). User "A" may be calculated in advance

<math><mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" can be calculated in advance

<math><mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

t_iI is more than or equal to 1 and less than or equal to 4, and the key of the setting is as follows: (1) if the user 'A' checks that B belongs to G and Y belongs to G, the user 'B' checks that A belongs to G and X belongs to G, let t belong to G₁＝t₂＝t₃＝t₄1 is ═ 1; (2) if user "A" only checks for confirmations B ∈ G, X ∈ G 'or X ∈ G'/1_GWhile X ∈ G cannot be confirmed, user "B" merely checks to confirm A ∈ G, Y ∈ G 'or Y ∈ G'/1_GAnd cannot confirm Y ∈ G, and user "A" worrys about x and/or user "B" worrys about Y may leak, let t₁＝1，

t_{2} = t_{3} = t_{4} = \frac{N}{q},

User "B" check confirmation

<math><mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>,</mo> </mrow></math>

User "A" check confirmation

<math><mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

<math><mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>;</mo> </mrow></math>

If x and y are not leaked, t can be set in the same way as (1)₁＝t₂＝t₃＝t₄1. If any check fails, the protocol is aborted and an error message is returned or not.

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, d, e, X, Y, pub } derives a session key and an authentication key; in general, the session key k is generated as follows₁And an authentication key k₂In which H is_KIs a hash function: (1) (k)₁，k₂)←H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_A，f，i)＝H_K(K_B，f，1)H_K(K_B，f，2)…H_K(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of length, i.e. up to H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_AF, i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_AF, i) is a prefix or suffix of length l. (2) K. k₁←H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_A，f，i)＝H_K(K_B，f，1)H_K(K_B，f，2)…H_K(K_B，f，i)；k₂←H_K(f，K_A，1)H_K(f，K_A，2)…H_K(f，K_A，i)＝H_K(f，K_B，1)H_K(f，K_B，2)…H_K(f，K_BJ). Let k₁Has a length of l₁，k₂Has a length of l₂Then, the value of the counter i is taken until the output length of the hash function sequence is greater than or equal to l₁The value of the counter j is equal to or larger than l until the output length of the hash function sequence is larger than or equal to l₂。

Let the derived authentication key be R' ═ k₂To prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned. To prove to user "B" that he does know R', user "A" is receiving t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

The implementation method comprises the following steps: implementation-5 applies to the case where one, but not all, of client "A" and client "B" may not have a discrete logarithmic public key defined on (G', G, G, q), but still supports digital signatures.

Let t_i1 or

I is more than or equal to 1 and less than or equal to 6; let aux_A ^j，aux′_A ^j，aux_B ⁱ，aux′_B ⁱJ is more than or equal to 1 and less than or equal to 7, i is more than or equal to 1 and less than or equal to 9, and is divided by X and g respectively^x，Y＝g^yA subset or sequence of other information related to protocol execution, other than that, may be empty or contain repeating elements. aux_AAnd aux'_AIsI_A，sid，r_AA subset of X, Y, pub }, aux_BAnd aux'_BIs { I_B，sid，r_BA subset of X, Y, pub } and aux_A≠aux_BWhere sid is the session identifier, r_BIs the protocol role designation of user "B", r_AIs the protocol role designation for user "a". Order to

<math><mrow> <mi>U</mi> <mo>&SubsetEqual;</mo> <mrow> <mo>{</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>}</mo> </mrow> <mo>.</mo> </mrow></math>

A first round: user 'A' transmission

<math><mrow> <mrow> <mo>{</mo> <mi>X</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>x</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>}</mo> </mrow> <mo>.</mo> </mrow></math>

And a second round: user 'B' transmission

<math><mrow> <mrow> <mo>{</mo> <mi>Y</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>y</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <mi>X</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>3</mn> </msubsup> <mo>}</mo> </mrow> <mo>,</mo> </mrow></math>

Or

{Y, T_{1} = H (Y, X, X^{t_{1} y}, {aux}_{B}^{2}), {aux}_{B}^{3}},

Or { Y, F_T(T′₁，aux_B)，aux_B ³} or { Y, aux'_B ³}. Wherein,

<math><mrow> <msubsup> <mi>T</mi> <mn>1</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>1</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

(where U may be null), aux_B ³Containing identity information I of user' B_B，aux_B ²And/or aux_B ¹Containing identity information I of user' B_B(aux_B ²And/or aux_B ¹May contain only identity information I of user' B_B)。

User 'A' utilization

<math><mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Examination T₁Or F_T(T′₁，aux_B) The correctness of the test; namely: calculate and check

T_{1} = H (Y, X, H (X, Y, Y^{t_{1} x}, {aux}_{B}^{1}), {aux}_{B}^{2}),

Or

T_{1} = H (Y, X, Y^{t_{1} x}, {aux}_{B}^{2}),

Or calculate

<math><mrow> <msubsup> <mi>T</mi> <mn>1</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>X</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>1</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

And check F_T(T′₁，aux_B) Is/are as followsAnd (4) correctness. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

And a third round: if user "a" has public key a ═ g^aE.g. G, then user 'A' sends

{T_{2} = H (X, Y, H (Y, Y^{t_{2} a}, {aux}_{A}^{2}), H (X, Y, Y^{t_{3} x}, {aux}_{A}^{3}), {aux}_{A}^{4}), {aux}_{A}^{5}},

Or

{T_{2} = H (X, Y, Y^{t_{2} a}, Y^{t_{3} x}, {aux}_{A}^{6}), {aux}_{A}^{5}},

Or { F_T(T′₂，aux_A)，aux_A ⁵}. Wherein,

<math><mrow> <msubsup> <mi>T</mi> <mn>2</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

(where U may be null), aux_A ⁵Public key certificate or I containing user' A_A，aux_A ²，aux_A ⁶Identity information I containing user' A_A(aux_A ²，aux_A ⁶May contain only the identity information I of the user "A_A) (ii) a User 'B' utilization

<math><mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

And

<math><mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>X</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

to check T₂Or F_T(T′₂，aux_A) The correctness of (1), namely: calculate and check

T_{2} = H (X, Y, H (Y, A^{t_{2} y}, {aux}_{A}^{2}), H (X, Y, X^{t_{3} y}, {aux}_{A}^{3}), {aux}_{A}^{4}),

Or

T_{2} = H (X, Y, A^{t_{2} y}, X^{t_{3} y}, {aux}_{A}^{6}),

Or calculate

<math><mrow> <msubsup> <mi>T</mi> <mn>2</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

And check F_T(T′₂，aux_A) The correctness of the operation. If any check is incorrect, user "B" terminates the run, with or without returning an error message.

If user "a" does not have public key a ═ g^aE G but still supports digital signatures, user "a" sends s_A，aux_A ⁷Therein aux_A ⁷Public key certificate or I containing user' A_A，s_AUse of its own private key pair for user "AOr H (F)_T(T_S ^A，aux_A)，aux′_A) Is determined by the digital signature of (a) a digital signature,

<math><mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>A</mi> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

(where U may be null); user 'B' utilization

Checks s with the public key of user "A_AThe correctness of (1), namely: computingAnd checks s with the public key of user "A_AThe correctness of the test; or, calculate

<math><mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>A</mi> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

And H (F)_T(T_S ^A，aux_A)，aux′_A) And checks s with the public key of user "A_AThe correctness of the operation. If any check is incorrect, user "B" terminates the run, with or without returning an error message.

Fourth wheel: if user 'B' has public key B ═ g^bE.g. G, then user 'B' sends

{T_{3} = H (Y, X, H (X, X^{t_{4} b}, {aux}_{B}^{4}), H (X, Y, X^{t_{5} y}, {aux}_{B}^{5}), {aux}_{B}^{6}), {aux}_{B}^{7}},

Or

{T_{3} = H (Y, X, X^{t_{4} b}, X^{t_{5} y}, {aux}_{B}^{8}), {aux}_{B}^{7}},

Or { F_T(T′₃，aux_B)，aux_B ⁷}; wherein,

<math><mrow> <msubsup> <mi>T</mi> <mn>3</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> </mrow> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

(where U may be null), aux_B ⁷Public key certificate or I containing user' B_B，aux_B ⁴，aux_B ⁸Identity information I containing user' B_B(aux_B ⁴，aux_B ⁸May contain only identity information I of user' B_B) (ii) a User 'A' utilization

<math><mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

And

<math><mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

to check T₃Or F_T(T′₃，aux_B) The correctness of (1), namely: calculate and check

T_{3} = H (Y, X, H (X, B^{t_{4} x}, {aux}_{B}^{4}), H (X, Y, Y^{t_{5} x}, {aux}_{B}^{5}), {aux}_{B}^{6}),

Or

T_{3} = H (Y, X, B^{t_{4} x}, Y^{t_{5} x}, {aux}_{B}^{8}),

Or calculate

<math><mrow> <msubsup> <mi>T</mi> <mn>3</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> </mrow> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

And check F_T(T′₃，aux_B) The correctness of the operation. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

If user 'B' does not have public key B ═ g^bE G but still supports digital signatures, user 'B' sends s_B，aux_B ⁹Therein aux_B ⁹Public key certificate or I containing user' B_B，s_BUse of its own private key pair for user' B

Or H (F)_T(T_S ^B，aux_B)，aux′_B) Is determined by the digital signature of (a) a digital signature,

<math><mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>B</mi> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

(where U may be null); user 'A' utilization

<math><mrow> <msup> <mi>T</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Checks s with the public key of user' B_BThe correctness of (1), namely: computing

And checks s with the public key of user' B_BThe correctness of the test; or, calculate

<math><mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>B</mi> </msubsup> <mo>&Element;</mo> <mrow> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> </mrow> </mrow></math>

And H (F)_T(T_S ^B，aux_B)，aux′_B) And checks s with the public key of user' B_BThe correctness of the operation. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

Session key management

K_{A} = Y^{t_{6} x} = X^{t_{6} y} = K_{B}

And { X, Y, pub }, where user "A" calculates K_AUser "B" calculates K_B. The user "a" may calculate X ═ g in advance^x，

Or

The user "B" may calculate Y ═ g in advance^y，

Or

If user "A" is calculated in advance

Will be calculated after finishing the calculationDelete, and save

If user "B"Is calculated in advanceWill be calculated after finishing the calculationDelete, and save

t_iI is more than or equal to 1 and less than or equal to 6, and the key is as follows: order to

h = \frac{N}{q};

If the user 'B' checks that X belongs to G, let t₁＝t₄＝t₅1 is ═ 1; if the user 'A' checks that Y belongs to G, let t₂＝t₃1. If user "B" only checks for confirmation that X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed and no signature is used for the fourth round, t₁，t₃，t₄，t₅At least one of them is

And checking and confirming X once^hy≠1_GAnd/or X^hb≠1_G(i.e., first computing X during protocol execution^hy≠1_GOr X^hb≠1_GChecking at that time, and not checking once confirmed); if the user "A" only checks for confirmation Y ∈ G 'or Y ∈ G'/1_GAnd if Y ∈ G cannot be confirmed and no signature is used in the third round, then t₁，t₂，t₃，t₅At least one of them isAnd checking and confirming Y at a time^hx≠1_GAnd/or Y^ha≠1_G. If user "A" uses the signature for the third round, user "A" can only check for confirmations Y ∈ G 'or Y ∈ G'/1_GAnd can make t₃1 is ═ 1; if user "B" uses the signature for the fourth round, user "B" can only check for confirmation X ∈ G 'or X ∈ G'/1_GAnd can make t₁＝t₅1. If any check fails, the protocol execution is aborted, with or without an error message being returned. Generally, let t₁＝t₃＝t₅＝t₆. Note that: when in use

t_{1} = t_{3} = t_{5} = t_{6} = \frac{N}{q}

And when no user uses the signature, the check implemented above not only ensures that the DH-key components are not in the small subgroup, but also does not reveal the parity of the discrete logarithm of each user's own DH-key component (but still does not ensure that the opposite party does know the discrete logarithm of the DH-key component it sent).

The public key registration and public key certificate issuing method comprises the following steps:

the following public key registration and public key certificate issuance methods can be applied to simplify the computation of the above implementation method.

(1) The public key certificate authority CA checks to confirm that the public key registered by the user is an element in G or G/1 when issuing a certificate to the user_GMiddle element; if any check fails, the certificate authority refuses to issue the public key certificate; thus, each user can confirm that the public key of the opposite party is G or G/1 only by checking the public key certificate of the opposite party user_GOf (1). It is proposed to employ (1) in all implementations.

(2) When a user registers user identity information ID and a public key PK to a public key certificate authority, belonging to G', the user submits an inverse element PK of the public key at the same time^-1E.g. G'; that is, in addition to ID and PK ∈ G', the public key certificate application also includes PK^-1E.g. G'. It is recommended to adopt (2) in the implementation method-1 and the password-based implementation method-2.

(3) Use ofWhen a user registers user identity information and a public key to a public key certificate authority, submitting the identity information, the public key and a hash value of aux at the same time; or the identity information, the public key inverse element and the hash value of the aux; providing or not providing a digital signature of the resulting hash value and/or aux using a private key corresponding to the public registration key; aux is other information of the protocol, and generally includes a subset of a timestamp (i.e., the date and time of the public key registration application), a session identifier (where the session identifier may be a random number sent by the CA to the user, or a concatenation of two random numbers exchanged by the CA and the registered user), and so on. aux may take a null value; note that the resulting hash value is t_PKThe digital signature of a possible user is s_PK(ii) a That is, the public key certificate application includes both aux and t in addition to the user's identity information, public key, and/or public key inverse_PKBut with or without s_PK。

(4) If the public key issuing authority checks for t_PKOr s_PKIf the certificate is wrong, refusing to issue the certificate; when issuing a certificate to a user, a public key certificate issuing authority issues identity information, a public key and/or an inverse element, aux and a hash value t of the public key certificate to the user_PKAndor do not have s_PKCarrying out digital signature; alternatively, CA only pairs hash values t_PKCarrying out digital signature; rather than merely signing the user's identity information and public key; namely: a legitimate public key certificate must also contain the digital signature of the certificate authority.

Thus, the hash function or key derivation function input or pub contains (I)_AA) or A can be replaced by a hash value in the public key certificate of the user 'A', and the hash value is recorded as t^A _PK(ii) a (I) contained in the hash function or key derivation function input or pub_BB) or B can be replaced by a hash value in a public key certificate of a user 'B' and is marked as t^B _PK. And, if the public key certificate contains the inverse of the user's public key, then in the implementation method-1 and implementation method-2 of claim 1, the users "a" and "B" do not need to calculate B in advance^-1∈G′。

Detailed Description

Having identity I_AThe public key of the user "a" is a ═ g^aAnd having a certificate CERT_AHaving identity I_BThe public key of the user "B" is B ═ g^bAnd having a certificate CERT_B. The certificate authority CA checks the confirmation A e G/1 before issuing the certificate_GAnd B ∈ G/1_G. We assume that user "a" is the protocol operation initiator (initiator), i.e.: first, DH-key component X is sent as g^xE is G; "B" is a protocol operation responder (responder), i.e. after receiving X, it sends DH-key component X ═ g^yE.g. G. Wherein a, x, b, y are from Z_qThe selection is carried out randomly.

In the protocol implementation described below, the message authentication code MAC employs an HMAC authentication code as described in Internet opinion solicitation document No. 2104 (Internet RFC 2104) published by ietf (Internet Engineering task force). The HMAC only needs to do two hash operations and is proven to be both a message authentication code and a pseudorandom function. In protocol implementation, HMAC and the Hash function H, H_KImplemented by the SHA-1 hahsi function. Symmetric encryption employs the AES algorithm specified by the NIST (national institute of standards and technology) standard.

Implementation of the method-1 according to claim 1 is based on the specific embodiment:

password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculates B^-tbβE G' and B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStored in the database in the entry corresponding to user "a".

And (4) role marking: let the user 'A' and 'B' parameter negotiation stage exchange two random numbers R_AAnd R_B(and the public key certificate of user "B"), i.e.: user "A" sends R_AUser "B" sends R_B. Let the role of user "A" be labeled: r is_A＝R_A‖R_B(ii) a The role of user "B" is denoted as r_B＝R_B‖R_A(ii) a Where "|" is the string concatenation operator. R_AMay be included in the following information that user "a" transmits the ciphertext.

We present specific embodiments of the ECIES public key encryption algorithm specified in standardized documents based on ANSI X9.63, ISO/IEC 15946-3, and IEEE P1363 a. The specific implementation mode is similar based on other Diffie-Hellman public key encryption algorithms, such as the PSEC public key encryption algorithm specified by the ISO18033-2 standardized draft.

Order to

t = \frac{N}{q},

User "A" is calculated as follows: (1) calculate X ═ g^xB^βE is G; (2) calculate K_A＝B^txE.g. G, if K_A＝1_GRepeating (1) and (2) until K_A≠1_G(ii) a (3) Computing a Diffie-Hellman secret k₁And k is₂：(k₁，k₂)←H(K_A，X′，1)H_K(K_A，X′，2)…H_K(K_AX', i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AThe length of X', i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AAnd X', i) is a prefix of length l. (4) The user 'A' randomly selects a random number R and calculates

E = {AES}_{k_{1}} (R),

Calculating H (k)₂R) and let K_RIs taken as H (k)₂Of R) and k₂Prefixes of the same length, calculating

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A});

Finally, user "A" sends { I_A，X′，E，t_ATo server "B", where C ═ X', E, t_AIt is called password-based public key encryption ciphertext.

Receive { I_A，X′，E，t_AAfter this, user "B" is calculated as follows: (1) check to confirm X 'is ∈ G'/1_GIf, in error (i.e.:

<math><mrow> <msup> <mi>X</mi> <mo>′</mo> </msup> <mo>&NotElement;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>/</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

) Stopping running and returning error information; (2) calculating X'^tbBelongs to G ', and is checked for X'^tb≠B^tbβ(wherein B^tbβCalculated in advance and stored in the database), if it is wrong (i.e. X'^tb＝B^tbβ): stopping running and returning error information; (3) calculate K_B＝X′^tbB^-tbβE G' (where B is^-tbβCalculated in advance and stored in a database); (4) computing a Diffie-Hellman secret k₁And k is₂: the method is the same as the step (3) of the user 'A', only K in the input of the hash function is used_AIs changed to K_B(ii) a (5) By k₁Decrypting the E to obtain R; (6) by k₂And R calculates K_R(method as same as user "A"), checking and confirming

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A}),

If it is wrong (i.e. the

<math><mrow> <msub> <mi>t</mi> <mi>A</mi> </msub> <mo>&NotEqual;</mo> <msub> <mi>HMAC</mi> <msub> <mi>K</mi> <mi>R</mi> </msub> </msub> <mrow> <mo>(</mo> <mi>E</mi> <mo>,</mo> <msub> <mi>I</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>r</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> </mrow></math>

) Stopping running and returning error information; (7) setting session key directly to K_RCalculate and send

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B}),

And sets the session key to R. (user's "B" public key certificate may also be sent at this step.)

Receives t_BThereafter, user "A" checks for confirmation

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B});

If it is wrong (i.e. the

<math><mrow> <msub> <mi>t</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msub> <mi>HMAC</mi> <msub> <mi>K</mi> <mi>R</mi> </msub> </msub> <mrow> <mo>(</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>,</mo> <msub> <mi>r</mi> <mi>B</mi> </msub> <mo>)</mo> </mrow> </mrow></math>

) Stopping running and returning error information; the session key is set to R.

The password-based implementation of the method-2 of claim 1 is based on the specific implementation:

we present a password-based embodiment, a non-password-based embodiment being a simplified version of the password-based embodiment, of the implementation method-2 of claim 1.

Password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculation

<math><mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>&Element;</mo> <mi>G</mi> </mrow></math>

And A^bE is G; delete beta and remove

And A^bStored in the database in the entry corresponding to user "A" (if necessary in pairs

In particular A^bAnd encrypted storage is performed).

And (4) role marking: user role r_AAnd r_BThe marking method is the same as the specific implementation mode of the implementation method-1. (We assume that both parties of the protocol have exchanged and verified respective public key certificates.) the random number R sent by user "A"_AAnd user "a" may also be included in the first round of information sent by user "a" in the protocol embodiments below.

Order to

t_{2} = \frac{N}{q},

User "A" is calculated as follows: (1) calculate X ═ g^xB^βE is G; (2) calculating

<math><mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <mi>a</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

If K_A＝1_GRepeating (1) and (2) until K_A≠1_G(ii) a (3) Computing a Diffie-Hellman secret k₁And k is₂：(k₁，k₂)←H(K_A，X′，1)H_K(K_A，X′，2)…H_K(K_AX', i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AThe length of X', i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AAnd X', i) is a prefix of length l. (4) The user 'A' randomly selects a random number R and calculates

E = {AES}_{k_{1}} (R),

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A});

Finally, user "A" sendsI_A，X′，E，t_ATo server "B", where C ═ X', E, t_AIt is called password-based public key encryption ciphertext. (the public key certificate for user "A" may be sent at this step.)

) Stopping running and returning error information; (2) calculating

<math><mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

(whereinCalculated in advance and stored in a database) and checked

<math><mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>;</mo> </mrow></math>

If it is wrong (i.e. the

) If yes, stopping running and returning error information; (3) calculating

<math><mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mi>b</mi> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

Wherein c ═ H (X', I)_A，A，I_B，B)，A^bAre calculated in advance and stored in a database. (4) Computing a Diffie-Hellman secret k₁And k is₂: the method is the same as the step (3) of the user 'A', only K in the input of the hash function is used_AIs changed to K_B(ii) a (5) By k₁Decrypting the E to obtain R; (6) by k₂And R calculates K_R(method as same as user "A"), checking and confirming

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A}),

If it is wrong (i.e. the

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B}),

And sets the session key to R.

Receives t_BThereafter, user "A" checks for confirmation

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B});

If it is wrong (i.e. the

Claim 1 implementation of a password-based embodiment of method-3:

password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculates B^-βE is G; store β in the database in the entry corresponding to user "A" (if necessary for B)^-βEncrypted storage is performed).

And (4) role marking: let r be_A＝0，r_B＝1。

Calculating in advance: user "a" calculates X' ═ g in advance^xB^β∈G，c＝H(X′，I_A，I_BB), and^tcxmodqe G', wherein t is N/q.

In the following detailed description, elements in parentheses indicate transmitted information.

A first round: user "a" sends { X' ═g^xB^βE G (where x is from Z)_qWhere the elements in parenthesis are the information to be sent). After receiving X ', the user ' B ' checks to confirm that X ' belongs to G '/1_G(ii) a If there is an error (i.e., the

) If any check is unsuccessful, user "B" aborts the protocol execution; if the check is passed, user "B" calculates Y ═ g^yE G (where y is from Z_qWherein is randomly selected), c ═ H (X', I)_A，I_B，B)、f＝H(c，Y)，K_B＝(X′B^-β)^t(cb+fy)modqE.g. G' and delete y (where B^-βCalculated in advance and stored in a database); user "B" check confirmation K_B≠1_GIf it is wrong (i.e. K)_B＝1_G) User "B" then aborts the protocol execution and returns an error message. If K_B≠1_GUser "B" calculation (k)₁，k₂)←H(K_B，f，1)H(K_B，f，2)…H(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is a prefix of length l.

And a second round: user 'B' transmission

{{CERT}_{B}, Y, t_{B} = {HMAC}_{k_{1}} (1)};

Receive the 'B' transmissionAfter the message is sent, user "A" checks CERT_BIs valid and Y ∈ G'/1_GIf any check is unsuccessful, user "B" aborts protocol execution and returns an error message; if the check passes, user "a" calculates f ═ H (c, Y), K_A＝B^tcxY^tfxE.g. G'; user "A" calculation (k)₁，k₂)←H(K_A，f，1)H(K_A，f，2)…H(K_AF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is a prefix of length l. User "A" check

t_{B} = {HMAC}_{k_{1}} (1),

If it is not

t_{B} = {HMAC}_{k_{1}} (1)

The session key is set to k₂And go to the next round, otherwise (i.e. the

<math><mrow> <msub> <mi>t</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msub> <mi>HMAC</mi> <msub> <mi>k</mi> <mn>1</mn> </msub> </msub> <mrow> <mo>(</mo> <mn>1</mn> <mo>)</mo> </mrow> </mrow></math>

) Aborts protocol execution and returns an error message.

And a third round: user 'A' transmission

{t_{A} = {HMAC}_{k_{1}} (0)}

. Receives t_AThereafter, user "B" checks for confirmation

t_{A} = {HMAC}_{k_{1}} (0);

If it is not

t_{A} = {HMAC}_{k_{1}} (0),

User "B" sets the session key to k₂And successfully ending the protocol, otherwise, stopping the protocol execution.

Embodiment of claim 1 for carrying out method-4:

calculating in advance: user "a" calculates X ═ g in advance^x∈G，c＝H(X，I_A，A，I_B，B)，t＝t₂＝t₃＝t₄N/q and B^txcmodqBelongs to G ', wherein N is the order of the finite field G'; user "B" calculates in advance Y ═ g^y∈G，d＝H(I_B，B，I_A，A，Y)，t＝t₂＝t₃＝t₄N/q and A^{tyd modq}∈G′。

A first round: user "A" transmits { CERT_AX }; received { CERT_AX post user "B" check CERT_AIs valid and X ∈ G'/1_G(ii) a If any checks are unsuccessful, user "B" aborts the protocol execution. If the check passes, user "B" calculates c ═ H (X, I)_A，A，I_B，B)，f＝H(c，d)，X^t(cb+fy)modq(ii) a User "B" checks for confirmation X^t(cb+fy)≠1_GIf X is^t(cb+fy)＝1_GUser "B" aborts the protocol execution and returns an error message; if X^t(cb+fy)≠1_GUser "B" calculates K_B＝A^tydX^t(cb+fy)E G' (where A^{tyd modq}E G' is calculated in advance), calculating (k)₁，k₂)←H(K_B，f，1)H(K_B，f，2)…H(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is a prefix of length l.

And a second round: user 'B' transmission

{{CERT}_{B}, Y, t_{B} = {HMAC}_{k_{1}} (1)};

After receiving the message sent by "B", user "A" checks CERT_BIs valid and Y ∈ G'/1_G(ii) a If any check is unsuccessful, user "A" aborts protocol execution and returns an error message; if the check passes, user "a" calculates d ═ H (I)_B，B，I_A，A，Y)，f＝H(c，d)，Y^t(da+fx)E.g. G'; user "A" checks for confirmation Y^t(da+fx)≠1_GIf Y is^t(da+fx)＝1_GUser "A" aborts protocol execution and returns an error message; if Y is^t(da+fx)≠1_GUser "A" calculates K_A＝B^txcY^t(da+fx)E G' (where B is^{txc modq}E G' is calculated in advance). User "A" calculation (k)₁，k₂)←H(K_A，f，1)H(K_A，f，2)…H(K_AF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is a prefix of length l. User "A" check

t_{B} = {HMAC}_{k_{1}} (1),

If it is not

t_{B} = {HMAC}_{k_{1}} (1)

The session key is set to k₂And go to the next round, otherwise (i.e. the

) Aborts protocol execution and returns an error message.

And a third round: user 'A' transmission

{t_{A} = {HMAC}_{k_{1}} (0)} .

Receives t_AThereafter, user "B" checks

t_{A} = {HMAC}_{k_{1}} (0);

If it is not

t_{A} = {HMAC}_{k_{1}} (0)

User "B" sets the session key to k₂Successfully ending the protocol; otherwise (i.e. the

<math><mrow> <msub> <mi>t</mi> <mi>A</mi> </msub> <mo>&NotEqual;</mo> <msub> <mi>HMAC</mi> <msub> <mi>k</mi> <mn>1</mn> </msub> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow></math>

) User "B" aborts the protocol execution and returns an error message.

Embodiment of claim 1 for carrying out method-5:

we present a discrete logarithm public key that user "B" does not define on (G', G, q), in combination with the embodiment of claim 3. User "B" still supports digital signatures, such as the RSA signature scheme. We assume that users "a" and "B" have some kind of negotiation mechanism to mutually confirm and agree on the public key type of the other party, the supported algorithms, and other parameters. In the following embodiment, let

h = \frac{N}{q} .

Calculating in advance: in the following detailed description, user "B" may have been previously calculated Y, H (I)_A，Y，A^y) And delete A^y。

A first round: user "a" sends { X ═ g^xE.g. G }. User "B" checks to confirm that X ∈ G'/1_GIf it is wrong (i.e. wrong)

<math><mrow> <mi>X</mi> <mo>&NotElement;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>/</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

) The run is aborted and an error message is returned. User "B" calculates Y ═ g^y∈G，X^hyE.g. G', check and confirm X^hy≠1_GIf there is an error (i.e., X)^hy＝1_G) The run is aborted and an error message is returned. User "B" calculates H (X, Y, X)^hy) Delete X^hyAnd calculate

During the whole protocol operation, user 'B' only retains Y, H (X, Y, X)^hy) And possibly H (I)_A，Y，A^y) (if H (I)_A，Y，A^y) Calculated in advance) as temporary secret data (other temporary secret data is deleted immediately after use).

And a second round: user 'B' transmission

<math><mrow> <mrow> <mo>{</mo> <mi>Y</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>y</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msub> <mi>HMAC</mi> <mrow> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <mi>X</mi> <mo>,</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mi>hy</mi> </msup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> </mrow> </msub> <mrow> <mo>(</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>)</mo> </mrow> <mo>}</mo> </mrow> <mo>.</mo> </mrow></math>

User "A" checks to confirm Y ∈ G'/1_GIf it is wrong (i.e. wrong)

<math><mrow> <mi>Y</mi> <mo>&NotElement;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>/</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

) The run is aborted and an error message is returned. User "A" calculates Y^hxE.g. G', checking to confirm Y^hx≠1_GIf it is wrong (i.e. Y)^hx＝1_G) The run is aborted and an error message is returned. User "A" calculates H (X, Y)^hx) Delete Y^hxChecking and confirming

{HMAC}_{H (Y, X, I_{B}, H (X, Y, X^{hy}))} (I_{B}) = {HMAC}_{H (Y, X, I_{B}, H (X, Y, Y^{hx}))} (I_{B}),

If the error occurs, the operation is stopped and error information is returned. User "A" calculates H (I)_A，Y，Y^a) Calculating

{HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A}) .

During the whole protocol operation, user 'A' only retains X, H (X, Y)^hx) And possibly H (I)_B，X，B^x) (if user "A" calculates H (I) in advance_B，X，B^x) As temporary secret data (other temporary secret data is deleted immediately after use).

And a third round: user 'A' transmission

{I_{A}, {CERT}_{A}, {HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A})},

Wherein CERT_AIs a public key certificate for user "a". User 'B' authentication confirmation CERT_AAnd if the validity is invalid, the operation is stopped and error information is returned. User "B" check confirmation

{HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A}) = {HMAC}_{H (X, Y, (I_{A}, Y, A^{y}), H (X, Y, X^{hy}))} (I_{A}),

If the error occurs, the operation is stopped and error information is returned. User "B" calculation

Using its own private signature key pair

Performing digital signature to obtain a digital signature s_B(ii) a User "B" sets the session key to

Fourth wheel: user "B" transmits { CERT_B，s_BWherein CERT is_BIs a public key certificate for user "B". User "A" authentication confirmation CERT_BAnd if the validity is invalid, the operation is stopped and error information is returned. User "A" calculationAnd checks the confirmation s with the public key of user' B_BIs to

If false (i.e., s)_BIs not right

Valid digital signature) then the run is aborted and an error message is returned. User "A" sets the session key to

Claims

1. An authentication and key exchange method based on password and secret data leakage resistance, which is characterized in that:

the system working environment is as follows:

(1) system parameters: (G ', G, G, q), where G ' is a finite group of order N, G is a subgroup of order q in G ', and G is a generator of G, making it difficult to define the discrete logarithm problem on G; in this document, we represent the operation of an element in G' by multiplication; unless otherwise specified, the unit cell in G, G' is designated as 1_G，G′/1_GIs shown byG' minus Unit cell 1_GSet of other elements thereafter, i.e. not 1 in G_GAn element; note G/1_GIs other than 1 in G_GAn element; without loss of generality, the result of the exponential operation and the multiplication operation not on the exponent is G' or one element of G, and the addition and/or multiplication operation on the exponent is a modulo-q calculation; for any element X ∈ G', we remember X^-1Is the inverse of X relative to G', i.e.: XX^-1＝1_G；

(2) H is a hash function; for character strings or values s₁，s₂，…s_m，m＞1，H(s₁，s₂，…s_m) It is shown that: will s₁，s₂，…，s_mExpressing by proper codes, then connecting all the codes in series, and finally using the string obtained after the serial connection as the input of H; without loss of generality, let us assume that the output of H is Z_q(0, 1, 2, …, q-1) element, otherwise we can simply take one of the outputs of H to belong to Z_qPerforming modulo-q calculation on the substring of H; if s₁，s₂，…，s_mIs a string of m characters, S₁，S₂，…S_nN sets, phi is a null set, n is more than or equal to 1, m, then { s₁，s₂，…，s_m，Φ，S₁，S₂，…，S_nDenoted by s₁，s₂，…，s_m}∪S₁∪S₂∪…∪S_nWherein the order of elements in parentheses may be changed arbitrarily; h(s)₁，s₂，…，s_m，Φ，S₁，S₂，…，S_n) Is expressed by₁，s₂，…s_mAnd S₁∪S₂∪…∪S_n-{s₁，s₂，…，s_mExpressing elements in the code by proper codes, then connecting all code strings in series in sequence, and finally using the strings obtained after the serial connection as the input of H;

(3) unless otherwise specified, with the identity IDI_AUser "a" has a public key a ═ g^aE G, where a is set in Z by user "A_qSelecting randomly from {0, 1, 2, …, q-1 }; accordingly, has ID I_BThe public key of the user "B" is denoted as B ═ g^bE.g. G, and so on; wherein I_AFor identity information or user name of user "A", I_BIdentity information or username for user "B"; for any element x ∈ Z_qWe note that x is x relative to Z_qThe negative element of (a), namely: x + (-x) 0 modq;

(4) the protocol is based on the Diffie-Hellman key exchange protocol; unless otherwise specified, the symbols X-g^xE G is the DH key component of user ' A ', X is the discrete logarithm of DH key component X, X is from Z by user ' A_qEither randomly selected from {0, 1, …, q-1} or from Z_qRandomly selecting from an odd subset of {0, 1, …, q-1 }; let Y be g^yE G is the DH key component of user ' B ', Y is the discrete logarithm of DH key component Y, Y is from Z by user ' B_qEither randomly selected from {0, 1, …, q-1} or from Z_qRandomly selecting from an odd subset of {0, 1, …, q-1 }; suppose user "A" is the initiator of the protocol and user "B" is the responder of the protocol; namely: user "A" sends X first; after receiving X, user 'B' sends Y again; in the password-based implementation method, the DH-key component sent by the client "a" is X' ═ g^xB^β＝XB^β∈G′；

(5) Other information related to protocol execution pub: pub is the component X ═ g for removing DH-key^xOr X', Y ═ g^yA subset or sequence of other protocol execution related information than that, may be empty or contain repeating elements; here, other information related to protocol execution includes: identity information or user names of users, namely protocol initiators and responders, role marks of the protocol initiators and the responders, public keys and public key certificate information, IP addresses, protocol versions, security parameters and key parameters, session identifiers of the protocols, timestamps, cookies, arbitrary numerical values and other information transmitted by protocol sessions except DH-key components; in different implementation methods, pub values can be different; generally, pub contains the public key of the protocol initiator and responderWith identity or user name information, i.e.

<math> <mrow> <mo>{</mo> <msub> <mi>I</mi> <mi>A</mi> </msub> <mo>,</mo> <mi>A</mi> <mo>,</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>,</mo> <mi>B</mi> <mo>}</mo> <mo>&SubsetEqual;</mo> <mi>pub</mi> <mo>;</mo> </mrow> </math>

(6) Key derivation function KDF: KDF (S, aux) is a key derivation function, where S is a value or set of values, aux is a set of numeric strings or counters; in general, a KDF is a hash function or sequence of hash functions, or a pseudorandom function with S as the random seed; the session key and the authentication key may be derived from the same key derivation function on the same input; or the session key and the authentication key are respectively derived from different inputs by the same key derivation function; alternatively, the derivation function of the session key is different from the derivation function of the authentication key, and their inputs are the same or different;

(7) a tag authentication function F_T(K, U), where K is a secret value or a set of secret values and U is a set; tag authentication function F_T(K, U) is any function that satisfies the following properties: (1) cannot be taken from F_T(K, U) solving for K in a polynomial time of the length of K, namely: function F with respect to input K_TIs unidirectional; (2) given F_T(K, U) F cannot be calculated within a polynomial time of the length of K_T(K, U') or F_T(K, U ') such that U ≠ U'; in general, F_TIs a one-way hash function; or F_TIs a message authentication code MAC function where the private key of the MAC is derived from K, U and the information authenticated is a subset of U;

let us assume that the protocol operation sender has some mechanism to negotiate the above parameters, functions, algorithms, user role indication and representation method of session indication symbol, etc., and operates which implementation method to implement, and reach the same; a subset of the information exchanged by the negotiation may be contained in pub; the checking and confirmation of various elements in the application method is disposable, namely: once the confirmation is correct, it is not checked in subsequent runs;

the implementation method comprises the following steps: according to different application environments or systems, the following implementation methods are adopted:

the implementation method-1: implementation method-1 is suitable for a client "a" not having or not having the convenience of using a public key, and a user "B" not sending a DH-key component Y ═ g^yThe case (2); but client "a" has registered a password w at user "B"; generally, user "A" is a client, user "B" is a server, user "B" manages a user database, and creates an entry in the database for each client; user 'B' supports with B ═ g^bThe public key encryption algorithm based on Diffie-Hellman or ElGamal with the E G' as the public key, wherein any legal public key encryption ciphertext is marked as C, is a set containing a plurality of numerical values and comprises a DH-secret key component X ═ G used for generating Diffie-Hellman secret with the public key B^xE is G; namely: x ═ g^xFor generating a common Diffie-Hellman secret B between an encryptor and a decryptor^tx＝g^tbx＝X^tbE G', wherein t is 1 or

(ii) a In general, the common secret that the encryptor and the decryptor really use is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)；B＝g^bE G' can be the public key of fixed user "B", i.e.: randomly selected b ∈ Z_qRemain unchanged in different sessions; g ═ B^bE G' can also be chosen randomly by user "B" independently in each session, i.e.: b independently in Z in different sessions_qSelecting;

the core and the characteristic of the implementation method-1 are that two functions K are constructed_AAnd K_BSo that K_A(x，w，B，pub)＝K_B(b, w, X', pub); user "a" calculates and sends DH-key component X ═ g^xB^β∈G′(ii) a User "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein, if B ═ g^bIf the E G ' is the public key of the user ' B ', the user ' B ' can calculate and store B in advance^-tbβE G' and/or B^tbβE.g. G'; if B is g^bE G ' is not the public key of the user ' B ', but is randomly selected by the user ' B ' independently in each session, and then the user ' B ' first sets B to G^bE.g. G' is sent to "A";

the specific method comprises the following steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′^tbB^-tbβE.g.. G': user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein t is 1 or

Beta is w or-w and-w code for Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wA short substring, typically set as the output of the hash function H; the common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a symmetric encrypted key, k₂Is an authentication key;

user "B" may calculate and store B in advance^-1(ii) a If β does not involve X' and if B ═ g^bE.G ' is the public key of user ' B ', user ' B ' calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; alternatively, user "B" calculates B in advance^-βAnd B is^-βSecurely stored in the database entry corresponding to user "A"; however, if user "B" does not have a public key, it randomly chooses and sends B ═ g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf the user B selects the data item, the user B still needs to safely store the beta in the database item corresponding to the user A;

to prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B immediately after calculation^βOr immediately deleted or stored in a secure location; the calculation of the user 'A' can be carried out in advance; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W); if β ═ w or β ═ H_w(W), user "B" may calculate and store B in advance^-1；

For the case where user "B" has the public key "B", in general, if the decryptor, i.e., user "B", checks that X' e G is confirmed, let t be 1; if the decryptor only checks to confirm X '∈ G'Or X 'is belonged to G'/1_GIf X' is not in the range of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβOr K_B≠1_GOr (X' B)^-β)^t≠1_G(ii) a If user 'B' does not have a public key, it randomly chooses and sends B-g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, then user "B" can simply check to confirm that X '∈ G' or X '∈ G'/1_GLet t be 1; if any check fails, user "B" aborts protocol execution, returning or not returning an error message; user 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified public key encryption algorithm based on Diffie-Hellman or ElGamal is called as a password-based Diffie-Hellman or ElGamal public key encryption algorithm;

client 'A' encrypts a random number R by using a Diffie-Hellman or ElGamal public key encryption algorithm based on a password to obtain a ciphertext C, and encrypts the ciphertext C and identity information I_ASending to user 'B'; if user 'B' successfully decrypts C to obtain R, the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R'; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; we assume that user "A" is only allowed to make mistakes a limited number of times to prevent online guessing attacks;

to prove to user "A" that he knows R, user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BC, X', pub } is a session identifier, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "A" proves to user "B" that it does know R as follows: user "A" sends ciphertext C at the same time or receives t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of C, X', pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; if the Diffie-Hellman or ElGamal public key encryption ciphertext C based on the password for R already contains a label t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), where E is an element in the ciphertext or the ciphertext divided by t_EA subset of other elements than that, user "a" can prove more efficiently to user "B" that it knows R, i.e.: user "A" does not send t_A＝F_T(R′，aux_A) But instead t in the ciphertext C_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or generally T_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_APub } and aux_A≠aux_B；K_RIs derived from or directly set to R', aux is { I }_A，I_B，sid，r_A，r_BA subset of E, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR', wherein K_RThe length of (d) is taken to be the same as k; in general terms, the amount of the solvent to be used,K_Rh (k, R, aux), or

<math> <mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math>

Or K_RR'; user "B" checks t_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-2: implementation method-2 is applicable to client "a" having public key a ═ g^aUser 'B' has public key B ═ g^bBut does not send the DH-key component Y ═ g^yThe case (2);

if user "A" registers a password w at user "B", the core and feature of implementing method-3 is to construct two functions K_AAnd K_BSo that K_A(a，x，w，B，pub)＝K_B(b, w, A, X, pub); the specific method comprises the following steps: user "a" calculates and sends DH-key component X ═ g^xB^βE G', wherein β is w or-w, and w and-w are encoded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，A，I_BB, pub } or { w, X', I_A，A，I_BOne subset of, B, pub } containing w, H_wThe method is a hash function with the output length smaller than q, and generally takes a short substring output by H; user "A" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

Wherein c ═ H (X ', pub) or H (X'B, pub), e ═ 1 or h (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; c depends on X ', e does not depend on X'; all calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W); if β ═ w or β ═ H_w(W), user "B" may calculate B in advance^-1(ii) a User "B" may calculate and store B in advance^-1、

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

<math> <mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

And/or B^-bβE.g. G "; user 'B' will

Or B^-bβOrOr

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessaryEncrypted for storage, at this time K_BIs calculated as

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for password-based implementations, ifThe user ' B ' checks to confirm that X ' ∈ G and A ∈ G, then let t₁＝t₂1 is ═ 1; if the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, let t₁＝1，

t_{2} = \frac{N}{q}

User "B" check validation

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow> </math>

Or/and

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow> </math>

or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>eb</mi> </mrow> </msup> <mo>,</mo> </mrow> </math>

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>;</mo> </mrow> </math>

If any check fails, the user 'B' stops the protocol operation and returns or does not return error information;

there are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X ', pub } is derived using a key derivation function, at which time user "B" checks X' for G;

(2) or else, the DH-key component X ═ g in the public key encryption algorithm based on Diffie-Hellman or ElGamal^xIs changed to X' ═ g^xB^βE.g. G'; the common Diffile-Hellman secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key; user 'A' is sending ciphertext CAt the same time or before sending the cipher text, sending the public key certificate or identity information I of the user' A_AThus obtaining a password-based secret signature algorithm with the sender identity authentication function; encrypting a random number R by using the obtained password-based signcryption algorithm; recording the secret label of the random number R as C, wherein the secret label C is a set of a plurality of numerical values; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R'; we assume that user "A" is only allowed to make mistakes a limited number of times to prevent online guessing attacks;

if user "a" does not have a password registered at user "B", user "a" calculates and sends DH-key component X ═ g^xE is G; at this time, the core and the characteristic of the implementation method-2 are to construct two functions K_AAnd K_BSo that K_A(a，x，B，pub)＝K_B(b, A, X, pub); the specific method comprises the following steps: user "A" calculation

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

I is more than or equal to 1 and less than or equal to 2; c depends on X, e does not depend on X; all calculations for user "A" can be performed in advance; user "B" can be calculated in advance

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X, pub } is derived using a key derivation function, at which time user "B" checks that X' is for G;

(2) alternatively, the common Diffile-Hellman secret that is really used by the encryptor and the decryptor in a Diffie-Hellman or ElGamal-based public key encryption algorithm is composed of { X, K_A＝K_BDerivation, i.e. KDF (K)_A，X)＝KDF(K_BX) or from { X, K)_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; notation of { X, K_A＝K_BOr by { X, K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key; user 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text C or before sending cipher text_AThereby obtaining a certificate of identity of the senderA password-based signcryption algorithm; encrypting a random number R by using the obtained password-based signcryption algorithm; recording the secret label of the random number R as C, wherein the secret label C is a set of a plurality of numerical values; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R';

t_ii is more than or equal to 1 and less than or equal to 2, and the key is as follows: for non-password based implementations, if the user "B" checks that X ∈ G and A ∈ G are confirmed, let t₁＝t₂1 is ═ 1; if the decryptor only checks for confirmations A ∈ G, X ∈ G 'or X ∈ G'/1_GAnd cannot confirm X ∈ G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow> </math>

Or

K_{B} = A^{t_{1} be};

let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux is implemented for password-based implementation_BIs { I_B，sid，r_BX', pub } for non-password based implementations aux_BIs { I_B，sid，r_BX, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "a" proves to user "B" that he does know R' using the following method: user "A" sends X' or X at the same time or receives t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; if the authentication key is derived from the random number R of the signpost and the signpost C already contains a tag t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), wherein E is an element of C or t is divided by C_EA subset of other elements than that, user "a" can prove more efficiently to user "B" that it knows R', i.e.: user "A" does not send t_A＝F_T(R′，aux_A) Instead, t in the secret tag C is_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or

the implementation method-3: implementation-3 is applicable to the case where client "a" does not have or does not have the convenience of using a public key, but user "a" still sends DH-key component X ═ g^xAnd user 'B' has public key B ═ g^bAnd sends DH-key component Y ═ g^yThe case (2);

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: (1) let t be if user "B" checks that X ∈ G is confirmed₁＝t₂1 is ═ 1; (2) if user "B" only checks for confirmation X ∈ G 'or X ∈ G'/1_GBut X ∈ G cannot be confirmed, if y may leak, let

t = t_{1} = t_{2} = \frac{N}{q},

User "B" check confirmation K_B＝X^t(bc+yf)≠1_GIf y does not leak, the same procedure is followed as (1) t₁，t₂Can still be 1; if any check fails, the protocol operation is stopped, and error information is returned or not returned;

deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, X, Y, pub } derives a session key and an authentication key; let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned; to prove to user "B" that he does know R', user "A" is receiving t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-4: the implementation method-4 is suitable for the client 'A' to have a discrete logarithm public key A ═ g^aAnd sends DH-key component X ═ g^xAnd user 'B' also has discrete logarithm public key B ═ g^bAnd sends DH-key component Y ═ g^yThe case (2);

the core and the characteristic of the implementation method-4 are that two functions K are constructed_AAnd K_BSo that K_A(a，x，B，Y，pub)＝K_B(b, y, A, X, pub); the specific method comprises the following steps: user "A" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

Where c ═ H (X, pub) or H (X, B, pub), d ═ H (pub, Y) or H (pub, a, Y), e ═ 0 or 1 or H (pub), f ═ H (pub, X, Y) or H (c, d) or H (c, Y) or H (d, X), t_i1 or

I is more than or equal to 1 and less than or equal to 4; c. the key points of the setting of d, e and f are as follows: c is calculated according toX but not Y, d dependent calculations and Y but not X, e independent calculations neither X nor Y, f dependent calculations dependent on (X, Y); user "A" may be calculated in advance

<math> <mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

User "B" can be calculated in advance

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, d, e, X, Y, pub } derives a session key and an authentication key;

t_ii is more than or equal to 1 and less than or equal to 4, and the key of the setting is as follows: (1) if the user 'A' checks that B belongs to G and Y belongs to G, the user 'B' checks that A belongs to G and X belongs to G, let t belong to G₁＝t₂＝t₃＝t₄1 is ═ 1; (2) if user "A" only checks for confirmations B ∈ G, X ∈ G 'or X ∈ G'/1_GWhile X ∈ G cannot be confirmed, user "B" merely checks to confirm A ∈ G, Y ∈ G 'or Y ∈ G'/1_GIf Y ∈ G cannot be confirmed and x and/or Y may leak, let t₁＝1，

t_{2} = t_{3} = t_{4} = \frac{N}{q},

User "B" check confirmation

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>,</mo> </mrow> </math>

User "A" check confirmation

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>;</mo> </mrow> </math>

If x and y are not leaked, t can be set in the same way as (1)₁＝t₂＝t₃＝t₄1 is ═ 1; if any check fails, the protocol operation is stopped, and error information is returned or not returned;

let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned; to prove to user "B" that he does know R', user "A" is receiving t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method comprises the following steps: implementation method-5 applies to the case where one, but not all, of client "A" and client "B" may not have a discrete logarithmic public key defined on (G', G, G, q), but still supports digital signatures;

let t_i1 or

I is more than or equal to 1 and less than or equal to 6; let aux_A ^j，aux′_A ^j，aux_B ⁱ，aux′_B ⁱJ is more than or equal to 1 and less than or equal to 7, i is more than or equal to 1 and less than or equal to 9, and is divided by X and g respectively^x，Y＝g^yA subset or sequence of other protocol execution related information than that, may be empty or contain repeating elements; aux_AAnd aux'_AIs { I_A，sid，r_AA subset of X, Y, pub }, aux_BAnd aux'_BIs { I_B，sid，r_BA subset of X, Y, pub } and aux_A≠aux_BWhere sid is the session identifier, r_BIs the protocol role designation of user "B", r_AIs the protocol role designation for user "a"; order to

<math> <mrow> <mi>U</mi> <mo>&SubsetEqual;</mo> <mo>{</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>}</mo> <mo>;</mo> </mrow> </math>

Calculating in advance: user "A" may calculate X in advance,

Or

(ii) a User "B" can calculate Y in advance,

Or

A first round: user 'A' transmission

<math> <mrow> <mo>{</mo> <mi>X</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>x</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>}</mo> <mo>;</mo> </mrow> </math>

And a second round: user "B" calculates and sends

<math> <mrow> <mo>{</mo> <mi>Y</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>y</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <mi>X</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>3</mn> </msubsup> <mo>}</mo> <mo>,</mo> </mrow> </math>

Or

{Y, T_{1} = H (Y, X, X^{t_{1} y}, {aux}_{B}^{2}), {aux}_{B}^{3}},

Or { Y, F_T(T′₁，aux_B)，aux_B ³}, or { Y, aux'_B ³}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>1</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>1</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow> </math>

aux_B ³containing identity information I of user' B_B，aux_B ²And/or aux_B ¹Containing identity information I of user' B_B；

User 'A' utilization

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

Examination T₁Or F_T(T′₁，aux_B) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

and a third round: if user "a" has public key a ═ g^aE.g. G, then user 'A' calculates and sends

{T_{2} = H (X, Y, H (Y, Y^{t_{2} a}, {aux}_{A}^{2}), H (X, Y, Y^{t_{3} x}, {aux}_{A}^{3}), {aux}_{A}^{4}), {aux}_{A}^{5}},

Or

{T_{2} = H (X, Y, Y^{t_{2} a}, Y^{t_{3} x}, {aux}_{A}^{6}), {aux}_{A}^{5}},

Or { F_T(T′₂，aux_A)，aux_A ⁵}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>2</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow> </math>

aux_A ⁵public key certificate or I containing user' A_A，aux_A ²，aux_A ⁶Identity information I containing user' A_A(ii) a User 'B' utilization

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

And

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>X</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

to check T₂Or F_T(T′₂，aux_A) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

<math> <mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>A</mi> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>;</mo> </mrow> </math>

user 'B' utilization

Checks s with the public key of user "A_AIf the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

fourth wheel: if user 'B' has public key B ═ g^bE.g. G, then user 'B' sends

{T_{3} = H (Y, X, H (X, X^{t_{4} b}, a {ux}_{B}^{4}), H (X, Y, X^{t_{5} y}, {aux}_{B}^{5}), {aux}_{B}^{6}), {aux}_{B}^{7}},

Or

{T_{3} = H (Y, X, X^{t_{4} b}, X^{t_{5} y}, {aux}_{B}^{8}), {aux}_{B}^{7}},

Or { F_T(T′₃，aux_B)，aux_B ⁷}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>3</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <mi>au</mi> <msubsup> <mi>x</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow> </math>

aux_B ⁷public key certificate or I containing user' B_B，aux_B ⁴，aux_B ⁸Identity information I containing user' B_B(ii) a User 'A' utilization

<math> <mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

And

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

to check T₃Or F_T(T′₃，aux_B) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

if user 'B' does not have public key B ═ g^bE.g. G but still supports digital signature, thenHome "B" sends s_B，aux_B ⁹Therein aux_B ⁹Public key certificate or I containing user' B_B，s_BUse of its own private key pair for user' B

<math> <mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>B</mi> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>;</mo> </mrow> </math>

user 'A' utilization

Checks s with the public key of user' B_BIf the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

session key management

K_{A} = Y^{t_{6} x} = X^{t_{6} y} = K_{B}

And a subset of { X, Y, pub }; user "A" may be calculated in advance

X = g^{x}, B^{t_{4} x}

Or

User "B" can be calculated in advance

Y = g^{y}, A^{t_{2} y}

Or(ii) a If user "A" is calculated in advance

Will be calculated after finishing the calculation

Delete, and save

(ii) a If user 'B' is calculated in advance

Will be calculated after finishing the calculation

Delete, and save

h = \frac{N}{q};

If the user 'B' checks that X belongs to G, let t₁＝t₄＝t₅1 is ═ 1; if the user 'A' checks that Y belongs to G, let t₂＝t₃1 is ═ 1; if user "B" only checks for confirmation that X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed and no signature is used for the fourth round, t₁，t₃，t₄，t₅At least one of them is

And checking for confirmation X^hy≠1_GAnd/or X^hb≠1_G(ii) a If the user "A" only checks for confirmation Y ∈ G 'or Y ∈ G'/1_GAnd if Y ∈ G cannot be confirmed and no signature is used in the third round, then t₁，t₂，t₃，t₅At least one of them isAnd checking for confirmation Y^hx≠1_GAnd/or Y^ha≠1_G(ii) a If user "A" uses the signature for the third round, user "A" can only check for confirmations Y ∈ G 'or Y ∈ G'/1_GAnd can make t₃1 is ═ 1; if user "B" uses the signature for the fourth round, user "B" can only check for confirmation X ∈ G 'or X ∈ G'/1_GAnd can make t₁＝t₅1 is ═ 1; if any check fails, the protocol execution is stopped, and error information is returned or not returned; generally, let t₁＝t₃＝t₅＝t₆。

2. The password-based, secret data disclosure-resistant authentication and key exchange method according to claim 1, characterized by a password-based public key encryption and signcryption method:

let client "a" register a password w with user "B", who has a public key B ═ g^bE G and supports Diffie-Hellman or ElGamal-based public key encryption algorithms with its public key B as the public key, where any legitimate secret C includes a DH-key component X ═ G that is used to generate a Diffie-Hellman secret with public key B^xE.g. G'; namely: x ═ g^xFor generating a common Diffie-Hellman secret B between an encryptor and a decryptor, i.e. user' B^tx＝g^tbx＝X^tbE G', i.e.: user "A" calculates B^txE.g. G ', user ' B ' calculates X^tbE G' whereT is 1 or

(ii) a In general, the common secret used for encryption and decryption is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)；

The public key encryption method based on the password comprises the following specific steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′_tbB_-tβbE G', i.e.: user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; the common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; wherein β is w and w is encoded as Z_qOne element of (1); or beta is H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wA short substring, typically set as the output of the hash function H; wherein t is 1 or(ii) a If beta is w or H_w(W) and W is { W, I_A，I_BOne subset of w, B, pub, user "B" calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; to prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B after calculation^βOr immediately deleted or stored in a secure location; the calculation of the user 'A' can be carried out in advance; in general, if the decryptor, i.e. user "B", checks the validation X ' e G, let t be 1, if the decryptor only checks the validation X ' e G ' or X ' e G '/1_GIf X' is not in the middle of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβOr K_B≠1_GOr (X' B)^-β)^t≠1_G(ii) a If any check fails, the user 'B' suspends the protocol operation, and returns or does not return error information; user 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified public key encryption algorithm based on Diffie-Hellman or ElGamal is called as a password-based Diffie-Hellman or ElGamal public key encryption algorithm;

the password-based secret signature specific method comprises the following steps: let client "a" have public key a ═ g^aE.g. G, and a password w is registered at the user 'B'; using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; wherein β is w and w is encoded as Z_qOr beta is H_w(W), wherein W is { W, I_A，A，I_BOne of the B, pub } contains a subset of w; user' sCalculation of "A

User 'B' calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow> </math>

Or

，1≤i≤2；

All calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; user "B" can be calculated in advance

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

Or/and B^-bβE.g. G'; user 'B' will

Or B^-bβOr

OrOr

Or

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessary

Storing the data in an encrypted manner, wherein the beta is epsilon { w, H_w(W) }, at which time K_BIs calculated as

In general, if user "B" checks for confirmationX' belongs to G and A belongs to G, then let t₁＝t₂1 is ═ 1; if the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GAnd cannot confirm X' is the G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

And/or

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow> </math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>;</mo> </mrow> </math>

If any check fails, the protocol operation is stopped, and error information is returned or not returned;

will K_A＝K_BReplacing Diffie-Hellman secrets B in Diffie-Hellman or ElGamal-based public key encryption algorithms^tx＝g^tbx＝X^tbNamely: b is to be^txIs replaced by K_AIs mixing X^tbIs changed to K_BAnd obtaining the password-based signcryption algorithm.

3. The password-based, secret data disclosure-resistant authentication and key exchange method according to claim 1, characterized by a non-forgeable knowledge binding attestation method:

let A be g^aE G and X ═ G^xE G is the public key and DH-key component of a user, i.e. the proof of knowledge binding "a", and a challenge Z G given to a verifier "B ═ is given^zE G ', ' A ' prove to the verifier that it does know a e Z using the following method_qAnd x ∈ Z_q(ii) a Wherein, the transmission sequence of A, X and Z is arbitrary, namely: user "a" can be either an initiator of the agreement or a responder to the agreement;

user "A" calculates and sends t to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Z }, I_AIs the identity information of user "A", sid is the session identifier, r_AIs the protocol role designation of user ' A ' and the authentication key R ' is represented by K_A＝K_BExporting; the core of the knowledge binding proof is to calculate K_A＝K_BThe method of (1); wherein user "A" calculates K_AUser "B" calculates K_BPub contains the identity and public key information of users 'A' and 'B';

(1).

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>Z</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>a</mi> <msub> <mi>h</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>x</mi> <msub> <mi>h</mi> <mn>2</mn> </msub> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow> </math>

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>z</mi> <msub> <mi>h</mi> <mn>1</mn> </msub> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>z</mi> <msub> <mi>h</mi> <mn>2</mn> </msub> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow> </math>

wherein if the challenge Z is random, then h₁＝H(Z，pub) H if the challenge Z is a fixed public key₁H (pub, Z) or H (pub) or 1; h is₂H (X, Z, pub) or H₂＝H(h₁，X)；t_i1 or

I is more than or equal to 1 and less than or equal to 2; in general, R ═ KDF (K)_A，h₂)＝KDF(K_B，h₂) (ii) a If the user 'A' checks that Z belongs to G, let t_i1 is not less than 1 and i is not less than 2; if user "A" only checks for confirmation that Z ∈ G'/1_GOr Z belongs to G', and if Z belongs to G, then let

t_{i} = \frac{N}{q},

I is 1. ltoreq. i.ltoreq.2, and the user "A" further checks the confirmation K_A≠1_G(ii) a If any check fails, the user "A" suspends the protocol operation, and returns or does not return error information;

(2).K_A＝H(U，H(I_A，Z，Z^ta)，H(O，Z^tx)，aux)，K_B＝H(U，H(I_A，Z，A^tz)，H(O，X^tz) Aux), where t ═ 1 or

U ═ X, Z or

<math> <mrow> <mi>U</mi> <mo>&SubsetEqual;</mo> <mo>{</mo> <mi>X</mi> <mo>,</mo> <mi>Z</mi> <mo>}</mo> <mo>,</mo> </mrow> </math>

If user "a" sends X user "B" first and then Z, O is (X, Z), and if user "B" sends Z user "a" first and then X, O is (Z, X); or, K_A＝H(U，Z^ta，Z^tx，aux)，K_B＝H(U，A^tz，X^tzAux), t ═ 1 or

(ii) a aux is a subset or sequence of other information related to protocol execution other than X, Z, and may be null; verifier "B" can calculate H (I) in advance_A，Z，A^tz) Or A^tz(ii) a If the user 'A' checks that Z belongs to G, making t equal to 1; if user "A" only checks for confirmation that Z ∈ G'/1_GOr Z belongs to G', and if Z belongs to G, then let

t = \frac{N}{q},

And user "A" further checks for confirmation Z^ta≠1_GAnd/or Z^tx≠1_G(ii) a If any check fails, user "A" aborts the protocol running, returning or not returning an error message.

4. A password-based, secret data leakage resistant authentication and key exchange method according to claim 1, characterized by the following method of resisting temporary secret data leakage:

the method for resisting temporary secret data leakage comprises the following steps: let A be g^aE G and X ═ G^xE G is the public key and DH-key component of a user, namely a knowledge binding prover 'A', and Z is set to G^zOne challenge of E G as verifier B is that the following method for resisting temporary secret data leakage is suitable for all Z needing to be calculated^ta＝A^tzAnd Z^tx＝X^tzThe protocol of (1); t is 1 or

(ii) a If the prover "a" transmits X verifier "B" first and then Z, O is (X, Z), and if "B" transmits Z user "a" first and then X, O is (Z, X);

the specific method comprises the following steps: will be Z in the original protocol^ta＝A^tzReplacement by H (I)_A，Z，Z^ta＝A^tz，aux₁) Will Z^tx＝X^tzBy substitution with H (O, Z)^tx＝X^tz，aux₂)；aux_j，1≤j≤2A subset or sequence of other protocol execution related information than X, Z, respectively, may be null; namely: user "B" will A^tzReplacement by H (I)_A，Z，A^tz，aux₁) Is mixing X^tzBy substitution with H (O, X)^tz，aux₂) (ii) a User "A" will Z^taReplacement by H (I)_A，Z，Z^ta，aux₁) Is a reaction of Z^txBy substitution with H (O, Z)^tx，aux₂)；

Verifier "B" can calculate H (I) in advance_A，Z，A^tz，aux₁) (ii) a The verifier only saves { z, H (I)_A，Z，A^tz，aux₁)，H(O，X^tz，aux₂) A subset of which serves as temporary secret data, with a deleted^tzAnd/or X^tz(ii) a Prover "A" only holds { x, a, H (I) }_A，Z，Z^ta，aux₁)，H(O，Z^tx，aux₂) A subset of Z is deleted as temporal secret data, with Z deleted^taAnd/or Z^tx(ii) a This method is used in conjunction with the implementation-5 of claim 1, where users "a" and "B" are both provers and verifiers, X is the challenge for user "B" and Y is the challenge for user "a".

5. The method of authentication and key exchange, password-based public key encryption and signcryption, and proof of knowledge binding and resistance to temporary secret disclosure according to claims 1, 2, 3, 4, characterized in that some subset of the following public key registration and public key certificate issuance methods can be applied to simplify the computation:

(1) the public key certificate authority CA checks to confirm that the public key registered by the user is an element in G or G/1 when issuing a certificate to the user_GMiddle element; if any check fails, the certificate authority refuses to issue the public key certificate; thus, each user can confirm that the public key of the opposite party is G or G/1 only by checking the public key certificate of the opposite party user_GThe elements of (1);

(2) the user registers user identity information ID and public key PK to a public key certificate authorityG', while submitting the inverse PK of the public key^-1E.g. G'; that is, in addition to ID and PK ∈ G', the public key certificate also includes PK^-1∈G′；

(3) When registering user identity information and a public key to a public key certificate authority, a user submits the identity information and the public key and the hash value of aux at the same time, or the identity information and the public key and the inverse element of the public key and the hash value of aux; providing or not providing a digital signature of the resulting hash value and/or aux using a private key corresponding to the public registration key; where aux is other information of the protocol: a subset of timestamps, session identifiers, etc., may be null; takes the hash value as t_PKThe digital signature is s_PK(ii) a I.e. the public key certificate includes t at the same time_PKAnd a subset of aux, with or without s_PK；

(4) If the public key issuing authority checks for t_PKOr s_PKIf the certificate is wrong, refusing to issue the certificate; when issuing a certificate to a user, a public key certificate issuing authority issues identity information, a public key and/or an inverse element, aux and a hash value t of the public key certificate to the user_PKAndor do not have s_PKCarrying out digital signature; alternatively, CA only pairs hash values t_PKCarrying out digital signature; rather than merely signing the user's identity information and public key; namely: a legitimate public key certificate must also contain the digital signature of the certificate authority;

thus, the hash function or key derivation function input or pub contains (I)_AA) or A can be replaced by a hash value in the public key certificate of the user 'A', and the hash value is recorded as t^A _PK(ii) a (I) contained in the hash function or key derivation function input or pub_BB) or B can be replaced by a hash value in a public key certificate of a user 'B' and is marked as t^B _PK(ii) a And, if the public key certificate contains the inverse of the user's public key, then in the implementation method-1 and implementation method-2 of claim 1, the users "a" and "B" do not need to calculate B in advance^-1∈G′。

6. Method of authentication and key exchange, public key encryption and signcryption based on passwords, and proof of knowledge binding and resistance to temporary secret disclosure according to claims 1, 2, 3, 4, characterized in that some subset of the following variants are applicable:

(1) a password-based variant: method of implementation-3 and method of implementation-4 of claim 1 are based on password variants; let user "A" register a password w at user "B"; in all methods, the DH key component X ═ XB sent by user "a" is transmitted^wOr X' ═ XB^-wOr is or

Or

Or is or

Or

(ii) a Where B is the public key of user "B", and X ═ g^x∈G′，H_wIs a hash function with an output length less than the length of q; after receiving X ', user "B" calculates X ═ X' B according to the corresponding calculation mode of X^-wOr X ═ X' B^wOr is or

Or

Or is or

Or

；K_A，K_B，t_A，t_BThe calculation still uses X as the challenge under the index, but X in the input of the function c, d, e, f above the index can be changed to X'; if, in addition to other prescribed off-line calculations in advance

Or

User "A" may calculate B in advance^-1E.g. G'; if X ═ XB^wOr X' ═ XB^-wUser "B" may calculate B in advance^-1E.g. G'; in the password-based variant, if both the public key of user "A" and X' are checked to confirm G or G/1_GElement in (1), then t in all indexes_iTaking an integer of 1; in implementation method-3, if user "B" only checks to confirm that X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, then let

t_{1} = t_{2} = \frac{N}{q}

And user "B" checks for confirmation K_B≠1_G(ii) a If any check fails, the protocol operation is stopped, and error information is returned or not returned;

(2) nesting identical or different hash functions in the input of the hash function, i.e.: taking the input of the original hash function and the nested hash function as nodes of a special directed graph, wherein the node represented by the input of the original hash function has no fan-in, the node represented by the hash function at the outermost layer has no fan-out, and the value represented by each node is the input of the hash function represented by the fan-out node;

(3) randomly changing the input sequence of the hash function; and/or, all inputs of the hash function are transformed into a union of all inputs, namely: repeated elements appear only once in the input; and/or, the hash function is converted into any function with the output as an integer; and/or, the hash function applied at each location is the same as or different from the hash function applied at other locations; that is, we use a set of hash functions H₁，H₂，…H_nH, wherein for any i, j, 1 ≦ i, j ≦ n, i ≠ j, H_i＝H_jOr H_i≠H_jN is more than or equal to 1 and n is the upper bound of the times of the hash function which is required to be applied;

(4) different key derivation functions: the key derivation function applied at each place is the same as or different from the key derivation functions applied at other places; that is, we use a set of key derivation functions KDF₁，KDF₂，…KDF_nJ, where for any i, j, 1 ≦ i, j ≦ n, i ≠ j, KDF_i＝KDF_jOr KDF_i≠KDF_jN is greater than or equal to 1 and n is the upper bound of the number of times we need to apply the key derivation function;

(5) in all methods user "A" checks K_A≠1_GUser "B" checks K_B≠1_G；

(6) For elliptic curve based implementations, K in the key derivation function input_A，K_BIs changed to K_A，K_BX-coordinate values or y-coordinate values of; each user checks that the x-coordinate and y-coordinate of the DH-key component of the opposite user are correctly coded elements in the finite field on which the elliptic curve is based;

(7) error abort and error message return: in all methods, once a user fails the check, i.e. makes an error, the protocol is aborted and an error message is sent back or not; in password-based implementations, client "a" is allowed to make mistakes only a limited number of times to prevent online attacks;

(8) a session identifier and user protocol role identification method: the session identifier is generally composed of two random numbers or DH-key components sent by users "a" and "B" in series in the order initiator-responder; the protocol role designations of the users are generally designated by different integers or different orders of the random numbers or DH-key components sent by users "a" and "B".