CN101783728A

CN101783728A - Public key encryption method for ergodic matrix over hidden field

Info

Publication number: CN101783728A
Application number: CN 200910066449
Authority: CN
Inventors: 赵永哲; 裴士辉; 赵博
Original assignee: Individual
Current assignee: Jilin University
Priority date: 2009-01-19
Filing date: 2009-01-19
Publication date: 2010-07-21
Anticipated expiration: 2029-01-19
Also published as: CN101783728B

Abstract

The invention relates to a public key encryption method for ergodic matrixes over a hidden field, belonging to the technical field of cryptology and computers. The public key encryption method comprises key generation, encryption and decryption. A user owns two keys, where one key is privately owned and is called as a private key, and the other key can be disclosed and is called as a public key. The public key is (Fq, [rho 1 (x, y), ... , rho m (x, y)]), the private key is (Q1, Q2, M, B1, B2, lambada) and the private key cannot be deduced from the public key; the public key is used to convert a plaintext into a ciphertext (encryption) and the private key is used to restore the ciphertext into the plaintext (decryption). The invention has the advantages that the key space is large, the randomness of the public key is good, the operational speed is fast, the technology can be disclosed and the method can be used for the secure storage and the transmission of any files and data in computers and communication networks.

Description

The key encrypt method of Ergodic Matrices on the Hidden field

(1) technical field

Public key encryption method (being called for short key encrypt method or public key cryptography scheme) belongs to cryptographic technique and field of computer technology, is one of core technology of information security and credible calculating.

(2) background technology

Classic cryptographic technique, symmetric cryptographic technique and public key cryptography technology three phases have been experienced in the development of cryptographic technique.1976, American scholar Diffie and Hellman proposed the thought of public key cryptography, indicated the arriving of public key cryptography technology.The public key encryption method of generally using has schemes such as RSA, Rabin and EIGamal (referring to " applied cryptography ", U.S. BruceSchneier is outstanding, and Wu Shizhong, Zhu Shixiong etc. translates, China Machine Press, January calendar year 2001,334-342 page or leaf) at present.In order to shorten parameter length, the EIGamal scheme is everlasting, and simulation realizes that at this moment, it is called as the ECC scheme on the elliptic curve.

In the scheme of using at present the fail safe of RSA and Rabin scheme based on be the factorization problems of counting greatly, the fail safe of EIGamal scheme based on be discrete logarithm problem, and the fail safe of ECC scheme based on be discrete logarithm problem in the elliptic curve group, in the limited time and resource, be impossible promptly to finding the solution of the problems referred to above.Along with the raising of computer run speed, the security parameter of appeal scheme has become increasing, has greatly reduced the efficient of enciphering/deciphering.The particularly realization of quantum computer in the future makes big number factorization and discrete logarithm find the solution and can carry out in polynomial time.

Because main theory involved in the present invention and technology are the applicant and propose first, and great majority are still unexposed delivers.For the ease of the understanding of the present invention, the spy describes them.

2.1 basic symbol involved in the present invention

F _q: q unit finite field

F _qThe set of last n dimensional vector

F _qThe set of last non-zero n dimensional vector

F _qThe set of last n dimension row vector

F _qThe set of last non-zero n dimension row vector

F _qThe set of last n * m matrix

R (M): the row vector set of matrix M

C (M): the column vector set of matrix M

The element of matrix M is the resulting column vector in back by rows

F _q[x]: F _qGo up multinomial set about literal x

V _S(A): the vector space that Vector Groups A generated

2.2 BMQ problem and difficulty thereof on the finite field prove

At first introduce F _qOn " BMQ problem ".Be F _qOn " problem of finding the solution of bisection multivariate quadratic equation group (Bisectional Multivariate Quadratic equations solving problem) ".It is defined as follows:

Definition 2.1 (BMQ problem): F _qOn total 2n the variable of equation group E and m equation, being constructed as follows of each equation:

Σ_{i = 1}^{n} Σ_{j = 1}^{n} a_{ij}^{(k)} x_{i} y_{j} = b_{k}

(

a_{ij}^{(k)}, b_{k} &Element; F_{q}

Be determined value, k=1 ..., m)

Separating of equation group E asked in examination

(x_{1}, \cdot \cdot \cdot, x_{n}), (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n} .

The BMQ problem is a special case of MQ problem.Difference is that the variable in the BMQ equation group has been divided into two groups that quantity equates.And only contain quadratic expression in each equation, and any one quadratic expression is a product of respectively getting one in these two groups of variablees.Therefore in the BMQ equation group, 2n variable formed n just ²Individual quadratic expression.Different with it, in the MQ equation group, in each equation except containing quadratic expression, the one more formula.Therefore 2n variable can be formed 2n altogether ²+ n quadratic expression and 2n expression of first degree.

In addition, F _qOn the MQ equation group unique solution can be arranged.But when q＞2, if x=is (x ₁..., x _n) and y=(y ₁..., y _n) be that of BMQ equation group E separates, then to c ∈ F arbitrarily _q{ 0}, cx=(cx ₁..., cx _n) and c ^-1Y=(c ^-1y ₁..., c ^-1y _n) also must be separating of E.Therefore when q＞2, F _qOn the BMQ solution of equations not unique.F _qOn the MQ problem be proved to be NP completely, prove F below _qOn the BMQ problem also be NP completely.

Theorem 2.1:F _qOn the BMQ problem be NP completely.

The proof: the 3-coloring problem of known figure G be NP completely, if but this problem reduction is F _qOn the BMQ problem, then the latter also must be NP completely.But the 3-coloring problem reduction that at first proves G is F ₂On the BMQ problem, conceive as follows:

1) each vertex v of G _iAll corresponding F ₂On a pair of variable (x _i, y _i)

2) v _iPainted and (x _i, y _i) corresponding relation between the value is:

v _iColor-1, color-2, color-3 and if only if (x _i, y _i)=(0,1), (1,0), (1,1)

3) for each isolated vertex v of G _s, add EQUATION x _sy _s=1 in equation group E

4) if vertex v among the G _iAnd v _jAdjacent, then add EQUATION x _iy _j+ x _jy _i=1 in equation group E

Can get F thus ₂On BMQ equation group E.For isolated vertex v _s, by the EQUATION x in the 3rd step _sy _s=1, it has unique solution (x as can be known _s, y _s)=(1,1), promptly to each isolated vertex of G equal color-3.

And for adjacent vertex v _iAnd v _j, by the EQUATION x in the 4th step _iy _j+ x _jy _i=1, as can be known:

(x _i，y _i)≠(0，0)∧(x _j，y _j)≠(0，0)∧(x _i，y _i)≠(x _j，y _j)

Be v _iAnd v _jEach can only be painted with one of three kinds of colors, and v _iAnd v _jNot homochromy.So but the 3-coloring problem reduction of G is solving equation group E.Thereby proved F ₂On the BMQ problem be NP completely.

But the 3-coloring problem of demonstrate,proving G again also reduction is F _qBMQ problem on (q＞2), conceive as follows:

1) each vertex v of G _iAll corresponding F _qIn three groups of variablees, two pairs every group:

[\begin{matrix} x_{i 1}^{(1)} & y_{i 1}^{(1)} \\ x_{i 2}^{(1)} & y_{i 2}^{(1)} \end{matrix}] [\begin{matrix} x_{i 1}^{(2)} & y_{i 1}^{(2)} \\ x_{i 2}^{(2)} & y_{i 2}^{(2)} \end{matrix}] [\begin{matrix} x_{i 1}^{(3)} & y_{i 1}^{(3)} \\ x_{i 2}^{(3)} & y_{i 2}^{(3)} \end{matrix}]

And the value of every group of variable can only have following two kinds of situations:

Or

(brief note is respectively

With

α, β ∈ F _q0})

2) vertex v _iPainted with its corresponding relation between the value of corresponding three groups of variablees be:

v _iAnd if only if color-1

v _iAnd if only if color-2

v _iAnd if only if color-3

3) for each vertex v of G _t, selected arbitrarily δ ∈ F _q0}, and add following equation in equation group E:

x_{t 1}^{(1)} y_{t 1}^{(1)} = 0,

x_{t 2}^{(1)} y_{t 2}^{(1)} = 0,

x_{t 1}^{(1)} y_{t 2}^{(1)} + x_{t 2}^{(1)} y_{t 1}^{(1)} = δ

x_{t 1}^{(2)} y_{t 1}^{(2)} = 0,

x_{t 2}^{(2)} y_{t 2}^{(2)} = 0,

x_{t 2}^{(2)} y_{t 2}^{(2)} + x_{t 2}^{(2)} y_{t 1}^{(2)} = δ

x_{t 1}^{(3)} y_{t 1}^{(3)} = 0,

x_{t 2}^{(3)} y_{t 2}^{(3)} = 0,

x_{t 1}^{(3)} y_{t 2}^{(3)} + x_{t 2}^{(3)} y_{t 1}^{(3)} = δ

x_{t 1}^{(1)} y_{t 2}^{(2)} = 0,

x_{t 1}^{(1)} y_{t 2}^{(3)} = 0,

x_{t 1}^{(2)} y_{t 2}^{(3)} = 0,

x_{t 1}^{(1)} y_{t 2}^{(1)} + x_{t 1}^{(2)} y_{t 2}^{(2)} + x_{t 1}^{(3)} y_{t 2}^{(3)} = δ

4) if vertex v among the G _iAnd v _jAdjacent, equation is in equation group E below then adding

x_{i 1}^{(1)} y_{j 2}^{(1)} = 0,

x_{i 1}^{(2)} y_{j 2}^{(2)} = 0,

x_{i 1}^{(3)} y_{j 2}^{(3)} = 0

Can get F thus _qOn BMQ equation group E.By the equation in the 3rd step, as can be known each summit of G lucky one of 3 kinds of colors.And, can guarantee that then any two adjacent vertexs of G different colors by the 4th equation that goes on foot.So but the 3-coloring problem reduction of G is to F _qLast BMQ equation group E finds the solution.So F _qOn the BMQ problem also be NP completely.

Card is finished.

2.3BMQ problem find the solution the difficulty analysis

Though we have proved F in theory _qOn the BMQ problem be NP completely, but this and do not mean that to finding the solution of any BMQ equation group all be difficult, it is found the solution, and the number of variable and equation has confidential relation in difficulty and the equation group.Below it is carried out labor.

If F _qOn BMQ equation group E contain 2n variable x ₁..., x _n, y ₁..., y _nWith m equation.With each the quadratic expression (x among the E _iy _j) all use a new variables z _IjRepresent, then can obtain N ₁=n ²Individual variable and M ₁The linear function group E of=m equation ₁Claim this process to be " to the once heavily linearisation of E ".

If m 〉=n ², then can obtain E ₁All z that separates _Ij, and then by z _IjAnti-release E separates

Otherwise, make r=n ²-m.Then can obtain E ₁The basis separate and be And E ₁A particular solution And E ₁General solution can show be:

Z＝(z ₁₁，z ₁₂，…，z _nn)＝Z ₀+α ₁Z ₁+α ₂Z ₂+…+α _rZ _r (α _i∈F _q) (Ⅰ)

But the E that obtains like this ₁Q ^rThe overwhelming majority in individual the separating is " parasitic solution (parasitic solution) ", and by E ₁Parasitic solution Z can't obtain the legal of E and separate.Especially, when E has just that (q-1) is individual to be separated, E ₁Has only a non-parasitic solution.E when though E separates ₁Non-parasitic solution must be arranged, but work as q ^rWhen very big, can't pass through E ₁All rough power of separating attempts deriving separating of E.

From present solution technique to MQ problem on the finite field, the most effective " heavily linearisation (relinearization) " method that surely belongs to Kipnis and Shamir proposition.The basic thought of this method is by the equation number being represented less than the general solution of the equation group of variable number, being constructed the more equation of high order.Thereby make the equation of higher degree sum that finally obtains number more than or equal to high order variable product term (new variables).And finally obtain separating of full scale equation group by counter pushing away.

Because the BMQ problem is a special case of MQ problem, so heavy linearization technique is still effective to finding the solution the BMQ problem.But wanting respective change aspect the reconstruct of equation and variable.Concrete grammar is as follows:

For F _qOn BMQ equation group E, as m＜n ²The time, by the discussion of front as can be known, the key of finding the solution E is to determine equation group E ₁Non-parasitic solution Z=(z ₁₁, z ₁₂..., z _Nn).Again by (I) formula, each component z of Z _Ij=x _iy _jSatisfy:

z _ij＝s ₀+s ₁α ₁+s ₂α ₂+…+s _rα _r (Ⅱ)

R=n wherein ²-m, s ₀..., s _r∈ F _qBe known constant, α ₁..., α _r∈ F _qBe variable.Therefore Z's determines to be equivalent to again how at (α ₁..., α _r) q ^rPlant and to locate its value exactly in the option.For this reason can be to shape as (x _ax _by _iy _j) 4 formulas carry out the reconstruct of equation and variable.By equation:

(x _ax _by _iy _j)＝(x _ay _i)(x _by _j)＝(x _ay _j)(x _by _i)

Can get 2 equation of n th order n z _Aiz _Bj=z _Ajz _BiWith this equation of (II) formula substitution, can obtain about α ₁..., α _r2 equation of n th order n:

\underset{1 \leq i \leq j \leq r}{Σ} a_{i, j} (α_{i} α_{j}) + \underset{1 \leq i \leq r}{Σ} b_{i} α_{i} = c

(Ⅲ)

Shape is as (x again _ax _by _iy _j) 4 formulas total

Individual, each can both produce the equation of 1 shape as (III) formula.And shape is as (x _ax _ay _iy _j) and (x _ax _by _iy _i) 4 formulas all do not produce new equation; So can obtain shape by 4 times all formulas adds up to as 2 equation of n th order n of (III) formula:

M_{2} = C_{n}^{2} \times C_{n}^{2} = \frac{n^{2} {(n - 1)}^{2}}{4}

With each 2 the formula (α in (III) formula _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

N_{2} = \frac{r (r + 1)}{2} + r = \frac{r (r + 3)}{2}

So can get F _qOn have M ₂Individual equation, N ₂The linear function group E of individual variable ₂Deserve to be called and state reconstruct equation group E ₂Process be " to the heavily linearisation of secondary of E ".The M that even now obtains ₂Having in the individual equation much is linear correlation, but might as well suppose that they are linear independence each other when analyzing.

If M is arranged this moment ₂〉=N ₂, then can be by E ₂Solve α ₁..., α _r∈ F _qAgain with α ₁..., α _rSubstitution (II) formula can solve all z _Ij=(x _iy _j), and then the separating of the anti-E of release

If M ₂＜N ₂, then can further carry out three heavily linearisations to E.Promptly to shape as (x _ax _bx _cy _iy _jy _k) 6 formulas carry out similar equation and variable reconstruct.6 formulas like this have following several classes:

(1) shape is as (x _ax _bx _cy _iy _jy _k), total

Individual, each can produce 5 about z _Ij3 equation of n th order n.

(2) shape is as (x _ax _bx _cy _iy _iy _j), total

Individual, each can produce 2 about z _Ij3 equation of n th order n.

(3) shape is as (x _ax _ax _by _iy _jy _k), total

Individual, each can produce 2 about z _Ij3 equation of n th order n.

(4) shape is as (x _ax _ax _by _iy _iy _j), total

Individual, each can produce 1 about z _Ij3 equation of n th order n.

(5) shape is as (x _ax _ax _ay _iy _jy _k) and (x _ax _bx _cy _iy _iy _i) 6 formulas all do not produce about z _Ij3 equation of n th order n. therefore, the tangible as (x of institute _ax _bx _cy _iy _jy _k) 6 formulas can produce about z _IjThe ading up to of 3 equation of n th order n:

M_{3} = 5 C_{n}^{3} \times C_{n}^{3} + 8 C_{n}^{2} \times C_{n}^{3} + 4 C_{n}^{2} \times C_{n 2} = \frac{n^{2} {(n - 1)}^{2} ({5 n}^{2} + 4 n + 8)}{36}

With the substitution of (II) formula each about z _Ij3 equation of n th order n, can get following about variable α ₁..., α _r3 equation of n th order n:

\underset{1 \leq i \leq j \leq k \leq r}{Σ} a_{i, j, k} (α_{i} α_{j} α_{k}) + \underset{1 \leq i \leq j \leq r}{Σ} b_{i, j} (α_{i} α_{j}) + \underset{1 \leq i \leq r}{Σ} c_{i} α_{i} = d

(Ⅳ)

With each 3 the formula (α in (IV) formula equation _iα _jα _k), 2 formula (α _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

N_{3} = \frac{r (r + 1) (r + 2)}{6} + N_{2} = \frac{r (r^{2} + 6 r + 11)}{6}

Thereby can obtain F _qOn have M ₃Individual equation, N ₃The linear function group E of individual variable ₃

If M ₃〉=N ₃, then can be by E ₃Solve α ₁..., α _r, and the separating of the anti-E of release

Otherwise can further carry out four heavily linearisations to E.Promptly to shape as (x _ax _bx _cx _dy _iy _jy _ky _l) 8 formulas carry out equation and variable reconstruct.8 formulas like this have following several classes:

(1) shape is as (x _ax _bx _cx _dy _iy _jy _ky _l), total

Individual, each can produce 23 about z _Ij4 equation of n th order n.

(2) shape is as (x _ax _bx _cx _dy _iy _iy _jy _k), total

Individual, each can produce 11 about z _Ij4 equation of n th order n.

(3) shape is as (x _ax _bx _cx _dy _iy _iy _iy _j), total

Individual, each can produce 3 about z _Ij4 equation of n th order n.

(4) shape is as (x _ax _bx _cx _dy _iy _iy _jy _j), total

Individual, each can produce 5 about z _Ij4 equation of n th order n.

(5) shape is as (x _ax _ax _bx _cy _iy _jy _ky _l), total Individual, each can produce 11 about z _Ij4 equation of n th order n.

(6) shape is as (x _ax _ax _bx _cy _iy _iy _jy _k), total

Individual, each can produce 6 about z _Ij4 equation of n th order n.

(7) shape is as (x _ax _ax _bx _cy _iy _iy _iy _j), total

Individual, each can produce 2 about z _Ij4 equation of n th order n.

(8) shape is as (x _ax _ax _bx _cy _iy _iy _jy _j), total Individual, each can produce 3 about z _Ij4 equation of n th order n.

(9) shape is as (x _ax _ax _ax _by _iy _jy _ky _l), total Individual, each can produce 3 about z _Ij4 equation of n th order n.

(10) shape is as (x _ax _ax _ax _by _iy _iy _jy _k), total

Individual, each can produce 2 about z _Ij4 equation of n th order n.

(11) shape is as (x _ax _ax _ax _by _iy _iy _iy _j), total Individual, each can produce 1 about z _Ij4 equation of n th order n.

(12) shape is as (x _ax _ax _ax _by _iy _iy _jy _j), total

Individual, each can produce 1 about z _Ij4 equation of n th order n.

(13) shape is as (x _ax _ax _bx _by _iy _jy _ky _l), total

Individual, each can produce 5 about z _Ij4 equation of n th order n.

(14) shape is as (x _ax _ax _bx _by _iy _iy _jy _k), total

Individual, each can produce 3 about z _Ij4 equation of n th order n.

(15) shape is as (x _ax _ax _bx _by _iy _iy _iy _j), total

Individual, each can produce 1 about z _Ij4 equation of n th order n.

(16) shape is as (x _ax _ax _bx _by _iy _iy _jy _j), total

Individual, each can produce 2 about z _Ij4 equation of n th order n.

(17) shape is as (x _ax _ax _ax _ay _iy _jy _ky _l) and (x _ax _bx _cx _dy _iy _iy _iy _i) 8 formulas do not produce about z _Ij4 equation of n th order n. therefore, the tangible as (x of institute _ax _bx _cx _dy _iy _jy _ky _l) 8 formulas can produce about z _Ij4 equation of n th order n add up to:

M_{4} = 23 C_{n}^{4} \times C_{n}^{4} + 66 C_{n}^{3} \times C_{n}^{4} + 54 C_{n}^{3} \times C_{n}^{3} + 22 C_{n}^{2} \times C_{n}^{4} + 42 C_{n}^{2} \times C_{n}^{3} + 10 C_{n}^{2} \times C_{n}^{2}

= \frac{n^{2} {(n - 1)}^{2} ({23 n}^{4} + 34 n^{3} + 131 n^{2} + 84 n + 108)}{576}

With each 4 equation of n th order n above the substitution of (II) formula, can get following about variable α ₁..., α _r4 equation of n th order n:

\underset{1 \leq i \leq j \leq k \leq l \leq r}{Σ} a_{i, j, k, l} (α_{i} α_{j} α_{k} α_{l}) + \underset{1 \leq i \leq j \leq k \leq r}{Σ} b_{i, j, k} (α_{i} α_{j} α_{k}) + \underset{1 \leq i \leq j \leq r}{Σ} c_{i, j} (α_{i} α_{j}) + \underset{1 \leq i \leq r}{Σ} d_{i} α_{i} = e

With each 4 the formula (α in the equation _iα _jα _kα _l), 3 formula (α _iα _jα _k), 2 formula (α _iα _j) and 1 formula α _iAll regard different new variables as, then ading up to of variable:

N_{4} = \frac{r (r + 1) (r + 2) (r + 3)}{24} + N_{3} = \frac{r (r^{3} + 10 r^{2} + 35 r + 50)}{24}

So can obtain F _qOn have M ₄Individual equation, N ₄The linear function group E of individual variable ₄

If M ₄〉=N ₄, then can be by E ₄Solve α ₁..., α _r, and the separating of the anti-E of release

Otherwise can continue E is carried out the more heavily linearisation of high order.

But along with to heavy the increasing of linearisation number of times of E, gained is about variable α ₁..., α _rEquation of higher degree group in variable and equation number also will increase fast.Order is by r variable { α ₁, α ₂..., α _rDifferent t the product formulas that can constitute

Number be P (r, t).Following theorem is then arranged,

Theorem 2.2:

P (r, t) = | {(α_{i_{1}} α_{i_{2}} \cdot \cdot \cdot α_{i_{t}}) | 1 \leq i_{1} \leq i_{2} \leq \cdot \cdot \cdot \leq i_{t} \leq r} | = \frac{r (r + 1) (r + 2) \cdot \cdot \cdot (r + t - 1)}{t!}

If to k time of E heavily after the linearisation resulting equation group be E _kE then _kIn each equation all have following form:

\underset{1 \leq i_{1} \leq \cdot \cdot \cdot \leq i_{k} \leq r}{Σ} a_{i_{1} i_{2} \cdot \cdot \cdot i_{k}}^{(k)} (α_{i_{1}} α_{i_{2}} \cdot \cdot \cdot α_{i_{k}}) + \cdot \cdot \cdot + \underset{1 \leq i \leq j \leq r}{Σ} a_{ij}^{(2)} (α_{i} α_{j}) + \underset{1 \leq i \leq r}{Σ} α_{i}^{(1)} α_{i} = b

With each 1 the formula α in the equation _i, 2 formula (α _iα _j) ..., and k formula

All regard different new variables as.By theorem 2.2, the total N of variable as can be known _kFor about r=n ²The multinomial of-m.And have:

N_{k} = Σ_{t = 1}^{k} P (r, t) = r + \frac{r (r + 1)}{2} + \cdot \cdot \cdot + \frac{r (r + 1) \cdot \cdot \cdot (r + k - 1)}{k!}

Make E _kThe number of middle equation is M _k, then by the front to M ₂, M ₃, M ₄Calculating M as can be known _kIt is multinomial about n.And when k 〉=3, have:

M_{k} = \underset{2 \leq i \leq j \leq k}{Σ} t_{i, j} C_{n}^{i} \times C_{n}^{j} = (k! - 1) C_{n}^{k} \times C_{n}^{k} + (k! - 2) (k - 1) C_{n}^{k - 1} \times C_{n}^{k} + \cdot \cdot \cdot + t_{2,2} C_{n}^{2} \times C_{n}^{2}

Especially, when n is big,

Following table has provided n and had got respectively 50,100,150,200 o'clock, partly (M _k, N _k) for given (n, result of calculation r).

Table 1

By the result of calculation of table 1, be not difficult to draw following character:

(1) M _kAbout the n strictly monotone increasing.

(2) N _kAbout r=n ²-m strictly monotone increasing.

(3) for given n and k (k 〉=2), there is r _kAnd as r 〉=r _kThe time, perseverance has: M _k＜N _kAnd as r＜r _kThe time, perseverance has: M _k〉=N _kAnd r _kIncrease along with the increase of k.R=n again ²So-m is as m≤n ²-r _kThe time, perseverance has M _k＜N _kAnd as m＞n ²-r _kThe time, perseverance has: M _k〉=N _k.

(4) for given k (k 〉=2), establishing has (M when m≤t * n _k＜N _k), then t increases progressively about n.Promptly, make (M along with the increase of n _k＜N _k) the value upper bound of the m that satisfies also increasing with respect to n.

Character (3) and (4) can be used to judge whether equation group E can find the solution by heavy linearization technique by k time of introducing previously.For example, as shown in Table 1,

For n=50, as m≤n ²During-2332=168=3.36n, perseverance has: M ₃＜N ₃.

For n=100, as m≤n ²During-9371=629=6.29n, perseverance has: M ₃＜N ₃.

For n=150, as m≤n ²During-21116=1384=9.227n, perseverance has: M ₃＜N ₃.

For n=200, as m≤n ²During-37565=2435=12.175n, perseverance has: M ₃＜N ₃.

Therefore, when n gets 50,100,150,200 respectively, if the number m of equation satisfies respectively among the E:

m≤3.36n、m≤6.29n、m≤9.227n、m≤12.175n

Then perseverance has: (M ₂＜N ₂) ∧ (M ₃＜N ₃).This means can't by secondary and three times heavily linearisation come E is found the solution.

Generally speaking, at F _qLast picked at random has the BMQ equation group E of 2n variable and m equation, if the value of n and m makes (M _k＜N _k∧ M _K+1〉=N _K+1) set up, then can't by be no more than k time heavily linearisation find the solution E.

If to E carry out k time heavily after the linearisation resulting equation group be E _k, E then _kThe number of middle equation is at most M _kBut often exist the equation of a large amount of linear correlations in the middle of them.Making wherein, the equation quantity of linear independence is

Even (M is then arranged _k〉=N _k), if but

E _kStill intangibility.

In addition, along with to heavy the increasing of linearisation number of times k of E, equation E _kIn variable number N _kAlso increase fast.Because E _kThe space requirement of coefficient matrix be

Therefore bit works as N _kWhen enough big (〉=2 ⁴⁰), whether no matter (M arranged _k〉=N _k), E on room and time _kEqual intangibility; Promptly can't by k time heavily linearisation find the solution E.

Know again, after n determines, M _iAlso determine thereupon; And N _iThen determine uniquely by r (or m).If can find

Make and work as

The time, perseverance has (M _K-1＜N _K-1) and N _kTo such an extent as to enough big E _kIntangibility (k＞2) actually.Then have:

(M ₂＜N ₂∧…∧M _k-1＜N _k-1)∧(N _k＜N _k+1＜N _k+2＜…)

Therefore work as

The time, for k 〉=2 arbitrarily, can't by direct k time heavily linearisation find the solution E.Yet this fashion can not assert that heavy linearizing method is infeasible to finding the solution E.Though (M is arranged ₂＜N ₂∧ ... ∧ M _K-1＜N _K-1), if but can find less r _t=N _t-M _t(2≤t≤k-1) then can be to t heavy resulting equation group E after the linearisation _tReuse general linearization technique again.Be about to E _tIn each variable v _iAll table is r _tIndividual variable Linear equation:

v_{i} = α_{i_{1}} α_{i_{2}} \cdot \cdot \cdot α_{i_{s}} = c_{0} + c_{1} β_{1} + c_{2} β_{2} + \cdot \cdot \cdot + c_{r_{t}} β_{r_{t}}, (1 \leq s \leq t, 1 \leq i \leq N_{t})

Then by reconstruct about variable

H 〉=2 equation of n th order n groups come solving equation group E _t, the anti-E's of release separates again.Know again utilize that general linearization technique again constructs about variable H equation of n th order n group in the variable number be:

{\overset{&OverBar;}{N}}_{t} = Σ_{i = 1}^{h} P (r_{t}, i) &GreaterEqual; Σ_{i = 1}^{2} P (r_{t}, i) = \frac{r_{t} (r_{t} + 3)}{2}

So have only as each r _t=N _t-M _tAll make

Enough big (2≤t≤k-1), can assert that just E can't utilize any heavy linearizing method to find the solution.Following theorem is promptly arranged,

Theorem 2.3: picked at random F _qOn have the BMQ equation group E of 2n variable and m equation, if there are k＞2 Hes

Make and work as

The time, perseverance has:

Then work as

The time, can't find the solution E by heavy linearizing method.

It should be noted that the front is to N _kAnd M _kThe situation of valuation during not q≤k take into account; And this may be to N _kAnd M _kValuation produce this those long influences that disappear.For example, when q=2, have:

(x_{a} x_{b} y_{i} y_{j}) = (x_{a}^{2} x_{b} y_{i}^{2} y_{j}) = (x_{a}^{2} x_{b} y_{i} y_{j}^{2}) = (x_{a} x_{b}^{2} y_{i}^{2} y_{j}) = (x_{a} x_{b}^{2} y_{i} y_{j}^{2})

&DoubleRightArrow; (x_{a} y_{i}) (x_{b} y_{j}) = (x_{a} y_{j}) (x_{b} y_{i}) = (x_{a} y_{i}) (x_{a} y_{j}) (x_{b} y_{i}) = (x_{a} y_{i}) (x_{a} y_{j}) (x_{b} y_{j}) = \cdot \cdot \cdot

&DoubleRightArrow; z_{ai} z_{bj} = z_{aj} z_{bi} = z_{ai} z_{aj} z_{bi} = z_{ai} z_{aj} z_{bj} = \cdot \cdot \cdot

&DoubleRightArrow; \{\begin{matrix} z_{ai} z_{bj} = z_{aj} z_{bi} \\ z_{ai} z_{bj} = z_{ai} z_{aj} z_{bi} \\ z_{ai} z_{bj} = z_{ai} z_{aj} z_{bj} \\ z_{aj} z_{bi} = z_{ai} z_{aj} z_{bi} \\ z_{aj} z_{bi} = z_{ai} z_{aj} z_{bj} \\ \cdot \\ \cdot \\ \cdot \end{matrix}

Promptly by shape as (x _ax _by _iy _j) 4 formulas can not only reconstruct about variable α ₁..., α _r2 equation of n th order n, can also reconstruct corresponding 3 equation of n th order n.And these 3 equation of n th order n are different from by shape probably as (x _ax _bx _cy _iy _jy _k) 6 formula reconstruct gained.In addition, because

With So for F ₂On the BMQ equation group, M _kAnd N _kComputing formula and the front given will produce deviation.

Can specify suitable lower bound to q for this reason,, can guarantee that then the front is to N such as making q＞10 _kAnd M _kThe correctness of valuation (2≤k≤10).Below conclusion be putting before this and obtain.

In fact, theorem 2.3 is guarded for the difficulty assessment of the heavy linearization technique of finding the solution BMQ equation group E, because equation group E _kThe equation quantity that neutral line is irrelevant Can't reach theoretical upper bound M in practice at all _k

By theorem 2.3, for n=50, when r=2332, (M ₃＜N ₃) and N ₄=1237553754679 ≈ 1.1255 * 2 ⁴⁰Enough big; But this moment

r_{2} = 2722610 - 1500625 = 1221985 &DoubleRightArrow; \frac{r_{2} (r_{2} + 3)}{2} = 746625503090 \approx 1.358 \times 2^{38}

r_{3} = 2119098894 - 2118882500 = 216394 &DoubleRightArrow; \frac{r_{3} (r_{3} + 3)}{2} = 23413506209 \approx 1.363 \times 2^{34}

r ₂And r ₃Big inadequately.And when r=2445,

r_{2} = 1492055 &DoubleRightArrow; \frac{r_{2} (r_{2} + 3)}{2} = 1113116299595 \approx 1.0124 \times 2^{40}

r_{3} = 323145195 &DoubleRightArrow; \frac{r_{3} (r_{3} + 3)}{2} = 52211409010511805 \approx 1.45 \times 2^{55}

r ₂And r ₃Enough big.Therefore as m≤n ²During-2445=55=1.1n, can't find the solution E by heavy linearizing method.

For n=100, when r=9371, (M ₃＜N ₃) and N ₄=321659128415624 ≈ 1.142 * 2 ⁴⁸Enough big, r again ₂=19419377 and r ₃=5448123 is enough big.So as m≤n ²During-9371=629=6.29n, can't find the solution E by heavy linearizing method.

For n=150, when r=18900, (M ₂＜N ₂) and N ₃=1125568744650 ≈ 1.02 * 2 ⁴⁰Enough big, r again ₂=53752725 is enough big.So as m≤n ²During-18900=3600=24n, can't find the solution E by heavy linearizing method.

For n=200, when r=28142, (M ₂＜N ₂) and N ₃=3715405463639 ≈ 1.69 * 2 ⁴¹Enough big, but r ₂=18295 is big inadequately; And when r=28200, r ₂=1652300 is enough big.So as m≤n ²During-28200=11800=59n, can't find the solution E by heavy linearizing method.

Therefore when n gets 50,100,150,200 respectively, if the number m of equation satisfies respectively among the E:

m≤1.1n、m≤6.29n、m≤24n、m≤59n

Then can't find the solution E by heavy linearizing method.

In general, after n determined, m was littler, then the heavily linearisation of BMQ equation group E was found the solution just more infeasible.But because the special construction of BMQ equation group, being not that m is more little finds the solution E with regard to difficult more.This point, is then guessed by a spot of exploration separating of E if m is too small with to find the solution the MQ equation group different probably.M The Representation Equation with E is as follows for this reason:

\{\begin{matrix} p_{1} (x, y) = Σ_{i = 1}^{n} Σ_{j = 1}^{n} a_{ij}^{(1)} x_{i} y_{j} = b_{1} \\ \cdot \\ \cdot \\ \cdot \\ p_{m} (x, y) = Σ_{i = 1}^{n} Σ_{j = 1}^{n} a_{ij}^{(m)} x_{i} y_{j} = b_{m} \end{matrix}, (x = (x_{1}, \cdot \cdot \cdot, x_{n}), y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n})

(p then ₁..., p _m) the value space be:

p (E) = {(p_{1} (x, y), \cdot \cdot \cdot, p_{m} (x, y)) | x, y &Element; F_{q}^{n}}

(p again ₁..., p _m) value by x * y=(x ₁y ₁..., x _iy _i..., x _ny _n) unique definite.When x=0 or y=0, x * y=0.Otherwise x * y ≠ 0, and to arbitrarily c ∈ F _q{ 0} has x * y=(cx) * (c ^-1Y).So q corresponding to x and y ²ⁿPlant value, x * y has 0 He The value of kind non-0.And So have:

| p (E) | \leq \min (q^{m}, \frac{{(q^{n} - 1)}^{2}}{(q - 1)} + 1)

Again when n＞1,

q^{2 n - 1} < \frac{{(q^{n} - 1)}^{2}}{(q - 1)} + 1 < q^{2 n} .

Therefore have:

| p (E) | \leq \{\begin{matrix} \frac{{(q^{n} - 1)}^{2}}{(q - 1)} + 1 & (m &GreaterEqual; 2 n) \\ q^{m} & (m < 2 n) \end{matrix}

As (b ₁..., b _m)=0 o'clock, E has (2q at least ⁿ-1) individual shape as (x, 0) and (0, separating y).As (b ₁..., b _m) ≠ 0 o'clock, if Then E does not have and separates; Otherwise E separates (x ≠ 0, y ≠ 0), and to c ∈ F arbitrarily _q{ 0}, (cx, c ^-1Y) also be that separating of E (claims (cx, c ^-1Y) with (x, y) equivalence).Therefore as (b ₁..., b _m) ≠ 0 o'clock, E or nothing are separated, or have separating of (q-1) individual equivalent equivalence at least.

Because (b ₁..., b _m)=0 o'clock is easy to E is found the solution.So emphasis is inquired into (b ₁..., b _m) ∈ p (E) { during 0}, how E is found the solution.Except above-mentioned heavy linearization technique,, also can sound out E and find the solution by the method for so-called " conjecture " based on the special construction of BMQ equation group.This method is specified among x and the y at random, as will solving another behind it substitution E, then can obtain separating of E.For example, specify x=α=(α ₁..., α _n) ≠ 0 then can be about variable y=(y ₁..., y _n) the linear function group E ' of n unit:

\{\begin{matrix} p_{1} (α, y) = b_{1} \\ \cdot \\ \cdot \\ \cdot \\ p_{m} (α, y) = b_{m} \end{matrix}

If E ' separates y=β=(β ₁..., β _n), then (x, y)=(α β) is of E and separates, and can derive (q-1) individual separating of equal value with it again by it.If E ' nothing is separated, then proceed to sound out, till finding out the separating of E next time.

As can be known, for given (b ₁..., b _m) ∈ p (E) { 0} utilizes conjecture method that E is soundd out the success rate find the solution and is directly proportional with the number of separating of E.When E has that (q-1) is individual to be separated, hit it

If to (b arbitrarily ₁..., b _m) ∈ p (E) { 0}, E have just that (q-1) is individual to be separated.Then when n is enough big, can't utilize conjecture method that E is found the solution.

And for { the p of picked at random ₁(x, y) ..., p _m(x, y) }, (q of feasible (x ≠ 0, y ≠ 0) ⁿ-1) ²The overwhelming majority who plants value also makes (p ₁..., p _m) ≠ 0.So to (b arbitrarily ₁..., b _m) ∈ P (E) 0}, the number of on average separating of E is:

\overset{&OverBar;}{k} = \frac{{(q^{n} - 1)}^{2}}{| p (E) | - 1} &GreaterEqual; \{\begin{matrix} (q - 1) & (m &GreaterEqual; 2 n) \\ \frac{{(q^{n} - 1)}^{2}}{(q^{m} - 1)} & (m < 2 n) \end{matrix}

When m＜2n,

Especially, when m≤n,

The average probability of separating of guesing out E this moment is near a hundred per cent.Can get theorem thus,

Theorem 2.4: picked at random F _qOn have the BMQ equation group E of 2n variable and m 〉=2n equation, if to (b arbitrarily ₁..., b _m) ∈ p (E) { 0}, E have just that (q-1) is individual to be separated.Then when n is enough big, can't find the solution E with conjecture method.

By theorem 2.1, theorem 2.3, theorem 2.4; Can get proposition,

Proposition 2.1: picked at random F _qOn have the BMQ equation group E of 2n variable and m equation, if E satisfies:

1) for (b arbitrarily ₁..., b _m) ∈ p (E) { 0}, E is at F _qOn have just that (q-1) is individual to be separated

2) there are k＞2 Hes And work as

The time, perseverance has:

3)

2 n \leq m \leq n^{2} - \overset{&OverBar;}{r}

It is difficult then finding the solution E.

By proposition 2.1 as can be known, for the F of picked at random _qOn have the BMQ equation group E of 2n variable and m equation, when E satisfies (b arbitrarily ₁..., b _m) ∈ p (E) { 0} all just has when (q-1) is individual to be separated; Then the difficulty that E is found the solution is mainly determined by the value of n and m.And F _qSelection only with data computing and the expression relevant, the difficulty of solving a problem is not had influence substantially.Provide definition for this reason,

Definition 2.2: establishing E is at F _qGo up optional BMQ equation group with 2n variable and m equation, and for (b arbitrarily ₁..., b _m) ∈ p (E) { 0}, E is at F _qOn have just that (q-1) is individual to be separated.If the value of n and m makes and finds the solution E is difficult, then claim " (n m) does difficult BMQ problem ".

For example, when n gets 50,100,150,200 respectively, do difficult BMQ problem (n, m) value is as shown in table 2.

Table 2

2.4 Ergodic Matrices and character thereof

Definition 2.3 (Ergodic Matrices): establish

If column vector to any non-0

Just get time

In all non-0 column vectors, claim that then A is F _qOn " Ergodic Matrices (Ergodic Matrix) ".

Definition 2.4: establish

The matrix multiplication spanning set of note A is:＜A 〉={ A ^k| k=1,2,3 ....

About finite field F _qOn (traversal) matrix, following main theorem (proof slightly) is arranged:

Theorem 2.5: to arbitrarily

K ∈ 0,1,2 ...; There is c ₀, c ₁..., c _N-1∈ F _q, make:

A ^k＝c ₀I+c ₁A+c ₂A ²+...+c _n-1A ^n-1

Theorem 2.6: if Nonsingular, then A under matrix multiplication the cycle≤(q ⁿ-1).

Theorem 2.7: For Ergodic Matrices and if only if A under matrix multiplication the cycle=(q ⁿ-1).

Theorem 2.8: if

Be Ergodic Matrices, then＜A in just have

Individual Ergodic Matrices.Claim their " equivalences " each other.

Theorem 2.9: if

Be Ergodic Matrices, then vectorial to any non-0 row

Just get time In all non-0 row vectors.

Theorem 2.10: if

Be Ergodic Matrices, then

And F _q[A] makes a q just under addition of matrices and multiplication ⁿUnit's finite field.

Theorem 2.11: if

Be Ergodic Matrices, then [A ⁰=I, A, A ²..., A ^N-1] make q just ⁿThe finite field F of unit _q[A] is about the finite field F of q unit _qOne group of base.Promptly right

There is unique c ₀, c ₁..., c _N-1∈ F _q, make:

m＝c ₀I+c ₁A+c ₂A ²+...+c _n-1A ^n-1

By the conclusion of front as can be known, the Ergodic Matrices on the finite field has maximum multiplication cycle and spanning set in the same order nonsingular matrix.And the non-zero column vector of all power premultiplications or the right side with Ergodic Matrices take advantage of the result of a capable vector of non-zero fully to disperse (getting just all over all capable vectors of non-zero column vector sum).Table 3 has provided the statistics of the n * n Ergodic Matrices on the part finite field.

Table 3

Can find F from top statistics _qOn n * n Ergodic Matrices be ubiquitous, and its number increases sharply along with the increase of q and n.

For principle of the present invention being described special introduce " MPEMRL problem ".I.e. so-called " the bilateral power of Ergodic Matrices is taken advantage of problem (Multiplied by the Powers of the Ergodic Matrices on the Right and Left.) on the finite field ".It is defined as follows:

Definition 2.5 (MPEMRL problems):

Be Ergodic Matrices,

Known (Q ₁, M, Q ₂, T), ask

With

At first proof is found the solution the MPEMRL problem and be can be exchanged into and find the solution corresponding F _qOn the BMQ problem.By

Be Ergodic Matrices, as can be known F _q[Q ₁] and F _q[Q ₂] under addition of matrices and multiplication, all make q ⁿUnit's finite field.

Select F arbitrarily _q[Q ₁] and F _q[Q ₂] about F _qOne group of base

With

Then exist unique

Make:

Q_{1}^{x} = Σ_{i = 1}^{n} x_{i} Q_{1}^{α_{i}},

Q_{2}^{y} = Σ_{j = 1}^{n} y_{j} Q_{2}^{β_{j}}

Promptly have:

T = Q_{1}^{x} M Q_{2}^{y} = Σ_{i = 1}^{n} Σ_{j = 1}^{n} (x_{i} y_{j}) (Q_{1}^{α_{i}} M Q_{2}^{β_{j}})

With n * n matrix T and each All turn to n by line linearity ²Dimensional vector

With

Can get F _qOn have 2n variable x ₁..., x _n, y ₁..., y _nBMQ equation group with m equation:

[\overset{&RightArrow;}{Q_{1}^{α_{1}} M Q_{2}^{β_{1}}} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{1}} M Q_{2}^{β_{n}}} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M Q_{2}^{β_{1}}} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M Q_{2}^{β_{n}}}] \times [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}] = [\overset{&RightArrow;}{B_{1} M B_{2}}] \times [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}] = \overset{&RightArrow;}{T}

Wherein

Be coefficient matrix

Order.Note is top by Q ₁, M, Q ₂, BMQ equation group that T derived is E (Q ₁, M, Q ₂, T).

Because the addition of matrix and number are taken advantage of with the addition and the number of vector and are taken advantage of indistinction in itself, so also can be with n * n set of matrices＜Q ₁〉 * M *＜Q ₂And B ₁* M * B ₂All regard n as ²The dimensional vector group, and have:

Rank (< Q_{1} > \times M \times < Q_{2} >) = Rank (B_{1} \times M \times B_{2}) = Rank ([\overset{&RightArrow;}{B_{1} {MB}_{2}}]) = m

Obviously, E (Q ₁, M, Q ₂, T) can separate then corresponding M PEMRL problem and necessarily can separate.Work as m=n ²The time,

Full rank is easily tried to achieve E (Q ₁, M, Q ₂, separating T)

And then can get separating of MPEMRL problem:

Q_{1}^{x} = Σ_{i = 1}^{n} x_{i} Q_{1}^{α_{i}},

Q_{2}^{y} = Σ_{j = 1}^{n} y_{j} Q_{2}^{β_{j}}

As m＜n ²The time, if (n m) does not do difficult BMQ problem, then still can be by the group E (Q that solves an equation ₁, M, Q ₂, T) find the solution corresponding M PEMRL problem.Otherwise can't pass through equation group E (Q ₁, M, Q ₂, T) find the solution corresponding M PEMRL problem.

Therefore for given MPEMRL problem, can it pass through BMQ equation group E (Q ₁, M, Q ₂, the key of T) finding the solution is mainly by Rank (＜Q ₁〉 * M *＜Q ₂) decision.And about Rank (＜Q ₁〉 * M *＜Q ₂) following theorem arranged,

Theorem 2.12: if

Be Ergodic Matrices, then to arbitrarily

Perseverance has:

Rank(<Q ₁>×M×<Q ₂>)＝k×n (1≤k≤n)

Found through experiments, for selected arbitrarily Ergodic Matrices Allow M all over getting

In all non-null matrix, then Rank (＜Q ₁〉 * M *＜Q ₂) all over get n, 2n ..., n ².Table 4 is the statisticses to the part finite field.

Also find by further experiment, in the table 4 about Rank (＜Q ₁〉 * M *＜Q ₂) distributed number and Q ₁And Q ₂Selection irrelevant, but by n and F _qDetermine uniquely.Therefrom be not difficult to find out following rule:

1. for Ergodic Matrices

With k ∈ 1 ..., n} exists

Make:

Rank(<Q ₁>×M×<Q ₂>)＝k×n

2. for Ergodic Matrices

Make Rank (＜Q ₁〉 * M *＜Q ₂)=quantity of the matrix M of k * n increases progressively with q, n, k.

3. for Ergodic Matrices Make Rank (＜Q ₁〉 * M *＜Q ₂)=quantity of the matrix M of n just is n * (q ⁿ-1).

Table 4

Because the MPEMRL problem quite made every effort to the amount of calculation of separating and |＜Q ₁〉 * M *＜Q ₂| closely related.And to arbitrarily With a ∈ F _q0}, perseverance has:

a Q_{1}^{x} = Q_{1}^{x^{'}} &Element; < Q_{1} >^a^{- 1} Q_{2}^{y} = Q_{2}^{y^{'}} &Element; < Q_{2} >^Q_{1}^{x} M Q_{2}^{y} = Q_{1}^{x^{'}} M Q_{2}^{y^{'}}

Therefore to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, have (a at least ₁, b ₁) ..., (a _Q-1, b _Q-1) ∈ 1 ..., q ⁿ-1} ², make:

T = Q_{1}^{a_{1}} M Q_{2}^{b_{1}} = Q_{1}^{a_{2}} M Q_{2}^{b_{2}} = \cdot \cdot \cdot = Q_{1}^{a_{q - 1}} M Q_{2}^{b_{q - 1}}

Again |＜Q ₁|=|＜Q ₂|=(q ⁿ-1), so set＜Q ₁〉 * M *＜Q ₂In the number of different matrixes satisfy:

(q^{n} - 1) \leq | < Q_{1} > \times M \times < Q_{2} > | \leq \frac{{(q^{n} - 1)}^{2}}{(q - 1)}

Further also can demonstrate,prove following theorem:

Theorem 2.13:

Be Ergodic Matrices, Then and if only if Rank (＜Q ₁〉 * M *＜Q ₂)=have during n |＜Q ₁〉 * M *＜Q ₂|=(q ⁿ-1); Also have＜Q this moment ₁〉 * M *＜Q ₂The Q of 〉=＜ ₁〉 * M=M *＜Q ₂.

Theorem 2.14: for getting fixed Ergodic Matrices arbitrarily

With

There is positive integer t, makes T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, (a is just arranged ₁, b ₁) ..., (a _t, b _t) ∈ 1 ..., q ⁿ-1} ², make:

T = Q_{1}^{a_{1}} M Q_{2}^{b_{1}} = Q_{1}^{a_{2}} M Q_{2}^{b_{2}} = \cdot \cdot \cdot = Q_{1}^{a_{t}} M Q_{2}^{b_{t}}

Theorem 2.15: for Ergodic Matrices Allow M all over getting

Then |＜Q ₁〉 * M *＜Q ₂| all over getting

{ d wherein ₁=1 ..., d _k=n} is all positive factors of n.

Definition 2.6: establish Be Ergodic Matrices,

M=Rank (＜Q ₁〉 * M *＜Q ₂).If (n m) does difficult BMQ problem, claims that then " M is about (Q ₁, Q ₂) strong ".And note: M _S(Q ₁, Q ₂)={, A|A was about (Q ₁, Q ₂) strong

" strong matrix " about Ergodic Matrices has following theorem,

Theorem 2.16: establish

Be Ergodic Matrices,

If there is B ∈ M _S(Q ₁, Q ₂), make:

Rank(<Q ₁>×A×<Q ₂>)＝Rank(<Q ₁>×B×<Q ₂>)

A ∈ M then _S(Q ₁, Q ₂).

Theorem 2.17: establish

Be Ergodic Matrices,

With

Be respectively with Q ₁And Q ₂Ergodic Matrices (a, b and q of equal value ⁿ-1 is coprime), then have:

Theorem 2.18: establish

Be Ergodic Matrices, A ∈ M _S(Q ₁, Q ₂), then have:

(1) to x ∈＜Q ₁〉 * A *＜Q ₂, have: x ∈ M _S(Q ₁, Q ₂)

(2) to x, y ∈＜Q ₁〉 * A *＜Q ₂, if Rank is (＜Q ₁〉 * (x+y) *＜Q ₂) 〉=2n, then (x+y) ∈ M _S(Q ₁, Q ₂)

Theorem 2.18 explanations are for Ergodic Matrices

If can find one about (Q ₁, Q ₂) strong matrix, then can obtain a plurality of by it about (Q ₁, Q ₂) strong matrix.By theorem 2.14 and theorem 2.15, can get theorem again:

Theorem 2.19: if

Be Ergodic Matrices, then fixed to getting arbitrarily

A positive factor e who all has n, and to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, BMQ equation group E (Q ₁, M, Q ₂, (q T) is just arranged ^e-1) individual separating.Claim that positive integer e is " (Q ₁, Q ₂) about the index of M ", and note is: Exp (Q ₁, M, Q ₂).

Also find by experiment, for any given Ergodic Matrices

Most

All satisfy Exp (Q ₁, M, Q ₂)=1.If M ∈ is M _S(Q ₁, Q ₂) and Exp (Q ₁, M, Q ₂)=1 is then by proposition 2.1, as can be known to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, find the solution BMQ equation group E (Q ₁, M, Q ₂, be difficult T).But also do not mean that corresponding M PEMRL problem intangibility this moment.Although can't be by the group E (Q that solves an equation ₁, M, Q ₂, T) find the solution it, but it is as follows to find the solution the another kind of method of MPEMRL problem by the character of Ergodic Matrices:

Selected at first arbitrarily F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base With

Then exist unique

Make:

Q_{1}^{x} = Σ_{i = 1}^{n} x_{i} Q_{1}^{α_{i}},

Q_{2}^{- y} = Σ_{j = 1}^{n} y_{j} Q_{2}^{β_{j}}

Again by

Promptly have

Can get equation group thus:

[\overset{&RightArrow;}{Q_{1}^{α_{1}} M} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M} - \overset{&RightArrow;}{{TQ}_{2}^{β_{1}}} \cdot \cdot \cdot - \overset{&RightArrow;}{{TQ}_{2}^{β_{n}}}] \times [\begin{matrix} x_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} \\ y_{1} \\ \cdot \\ \cdot \\ \cdot \\ y_{n} \end{matrix}] = 0

Note is top by Q ₁, M, Q ₂, 2n that T derived unit linear function group is

Then

Must separate.And at Q ₁, M, Q ₂, T is under the known condition, be easy to obtain Separate.

Order Be

Separate.Then can release or (x, y)=(0,0), or (x ≠ 0, y ≠ 0).Though (x y)=(0,0) is

One separate, but it is not legal separating as can be known by T ≠ 0.So

Untrivialo solution must be arranged, and the quantity of untrivialo solution is (q ^k-1).Wherein:

k = 2 n - Rank ([\overset{&RightArrow;}{Q_{1}^{α_{1}} M} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M} - \overset{&RightArrow;}{{TQ}_{2}^{β_{1}}} \cdot \cdot \cdot - \overset{&RightArrow;}{{TQ}_{2}^{β_{n}}}])

Appoint and get

Untrivialo solution

Can get

With

Right again

Invert and to get

And

Separate for one that is corresponding MPEMRL problem.

Right

Each untrivialo solution all carry out above-mentioned process, then can draw whole (q of corresponding MPEMRL problem ^k-1) individual separating.Especially, if k=1, then corresponding MPEMRL problem just has separating of (q-1) individual equivalent equivalence.Promptly separate for its any two

With

Can both find a ∈ F _q0}, and

A demand went out of corresponding MPEMRL problem and separated and just can release its all separating this moment.Easily the theorem below the card is set up,

Theorem 2.20: establish

Be Ergodic Matrices,

Then have:

Exp (Q_{1}, M, Q_{2}) = 2 n - Rank ([\overset{&RightArrow;}{Q_{1}^{α_{1}} M} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M} \overset{&RightArrow;}{{MQ}_{2}^{β_{1}}} \cdot \cdot \cdot \overset{&RightArrow;}{{MQ}_{2}^{β_{n}}}])

Theorem 2.21: establish

Be Ergodic Matrices, E=Exp (Q ₁, M, Q ₂).Then to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, equation group E (Q ₁, M, Q ₂, (q T) is just arranged ^e-1) individual separating.

Theorem 2.22: establish

Be Ergodic Matrices,

E=Exp (Q ₁, M, Q ₂).Then to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, equation group

(q is just arranged ^e-1) individual untrivialo solution and a null solution.

Theorem 2.23: establish Be Ergodic Matrices, M ∈ M _S(Q ₁, Q ₂), if Exp is (Q ₁, M, Q ₂)=1 is then to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, find the solution BMQ equation group E (Q ₁, M, Q ₂, be difficult T).

Theorem 2.24: establish

Be Ergodic Matrices,

And Exp (Q ₁, M, Q ₂)=1.Then to T ∈＜Q arbitrarily ₁〉 * M *＜Q ₂, at known Q ₁, Q ₂, M, T situation under, can be by the solving equation group

Obtain the separating of whole (q-1) individual equivalent equivalences of corresponding MPEMRL problem fast.

Can obtain an important conclusion thus.That is exactly to work as q ⁿWhen enough big, for given Ergodic Matrices

With M ∈ M _S(Q ₁, Q ₂), if Exp is (Q ₁, M, Q ₂)=1 is then to optional

By BMQ equation group E (Q ₁, M, Q ₂, T) find the solution

Be difficult; But at known Q ₁, Q ₂, M, T situation under, by equation group

Find the solution But be easy.

This point is vital, and the core concept of public key cryptography proposed by the invention derives from this just.Its main thought is with BMQ equation group E (Q ₁, M, Q ₂, T) as public-key cryptography, and with Q ₁, Q ₂, B ₁, B ₂, M is as private cipher key.The sender of the message selects message at random

And it is right with the PKI of message recipient

Calculate (encryption) and get ciphertext Then ciphertext T is passed to the recipient; The recipient utilizes its private key reconstruct equation group

And by finding the solution of its being restored expressly

So far, background technology involved in the present invention and mathematical knowledge have been explained and have been finished, and are particular content of the present invention and execution mode below.

(3) summary of the invention

The technical issues that need to address of the present invention are to work out a kind of new public key cryptography scheme, and make it to have higher security intensity than the public key cryptography of current extensive employing.

The present invention is used for the encryption and decryption of various data such as character, literal, figure, image and the sound of computer and communication network and file, kept secure and transmission to guarantee data, file content can be widely used in ecommerce, electronic banking and the E-Government.

The present invention wishes that our country can have the core technology of oneself in the public key encryption field, to guarantee information security, economic security and the safety with sovereign right of country, improves the technological means that finance and tax swindle are taken precautions against by China simultaneously.

The present invention is a kind of public key cryptography scheme based on Ergodic Matrices on the Hidden field, according to this method, can make public key encryption/deciphering chip, can develop public key encryption/decryption software etc.Therefore, the present invention is a kind of production public key encryption deciphering product mandatory basic principle of institute and technical scheme, rather than physical product itself.

The given public key cryptography technology scheme of the present invention generates, encrypts, deciphers three parts by key and forms.Herein, file before encrypting or data are called expressly, file or data after encrypting are called ciphertext.

Suppose that user A desire sends a file or data by network to user B, and carry out in the mode of maintaining secrecy.User A and user B desire realize so secure communication process, and its pattern is as follows:

Key generates: at first, user B should go to the 3rd side authoritative institution (CA or digital certificate center) to get a pair of private key (Private Key) and PKI (Public Key) by the output of key generation parts, and private key must must not be divulged a secret by user B oneself keeping; PKI then allows openly to provide to the external world with disclosed form, so that use.

Cryptographic operation: user A obtains the PKI of user B, and the plaintext that on the machine of operation encryption unit desire is sent is encrypted, and obtains ciphertext, and by network ciphertext is sent to user B.

Decryption oprerations: after user B receives the ciphertext that user A sends, on the machine of operation deciphering parts, ciphertext is decrypted, recovers plaintext with own private key.

In key encrypt method, for the efficient of encryption is provided.Usually adopt the mixed cipher technology, promptly come encrypting plaintext, come encrypted symmetric key with public-key cryptosystem again with DSE arithmetic.Employed encryption key of DSE arithmetic and decruption key are same key in essence, are called as session key.

3.1 technical scheme one of the present invention

First technical scheme of the present invention generates, encrypts, deciphers three parts by key and constitutes.Specific as follows:

3.1.1 key generating portion

The key generating portion is used for CA, is used for to each user produces a pair of private key and PKI, and its implementation is as follows:

(1) picked at random F _qOn two n * n Ergodic Matrices

(q＞10 and q ⁿEnough big)

(2) picked at random is about (Q ₁, Q ₂) strong matrix M ∈ M _S(Q ₁, Q ₂), require Exp (Q simultaneously ₁, M, Q ₂)=1.

(3) picked at random F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base

With

(4) picked at random

The m n-dimensional subspace n

About F _qOne group of base [R ₁..., R _m].

(wherein: m=Rank (＜Q ₁〉 * M *＜Q ₂))

(5) obtain

Each row vector is about base [R ₁..., R _m] coordinates matrix

λ = [\begin{matrix} λ_{1,1} & λ_{1,2} & \cdot \cdot \cdot & λ_{1, m} \\ \cdot \\ \cdot \\ \cdot \\ λ_{n^{2}, 1} & λ_{n^{2}, 2} & \cdot \cdot \cdot & λ_{n^{2}, m} \end{matrix}] &Element; F_{q}^{n^{2} \times m}

It is right to make

K the vectorial r of row _k, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m (1≤k≤n ²)

(6) by [R ₁..., R _m] m F of generation _qOn BMQ multinomial { ρ ₁(x, y) ..., ρ _m(x, y) }:

[\begin{matrix} ρ_{1} (x, y) \\ ρ_{2} (x, y) \\ \cdot \\ \cdot \\ \cdot \\ ρ_{m} (x, y) \end{matrix}] = [\begin{matrix} R_{1} \\ R_{2} \\ \cdot \\ \cdot \\ \cdot \\ R_{m} \end{matrix}] \times [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}], (x = (x_{1}, \cdot \cdot \cdot, x_{n}), y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n})

At last, with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, B ₁, B ₂, λ) be private key.

3.1.2 encryption section

Encryption section uses for information sender, is used for to expressly encrypting.Information sender and recipient at first determine a kind of general symmetric encipherment algorithm E, and clear packets M is carried out following steps:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select at random

Session key:

key = α \times β = (α_{1} β_{1}, \cdot \cdot \cdot, α_{1} β_{n}, \cdot \cdot \cdot, α_{n} β_{1}, \cdot \cdot \cdot, α_{n} β_{n}) &Element; F_{q}^{n^{2}} \ {0}

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

(4) with session key key and symmetric encipherment algorithm E plaintext M is encrypted:

C _M＝E _key(M)

(5) with ciphertext (C _Key, C _M) send to the recipient

3.1.3 decryption portion

Decryption portion is used for the receiving party, is used for ciphertext is decrypted.The recipient with oneself private key as decruption key.

If recipient's private key is (Q ₁, Q ₂, M, B ₁, B ₂, λ), the ciphertext of receiving is (C _Key, C _M).Then decrypting process is as follows:

(1) calculates

Can get matrix T ∈＜Q ₁〉 * M *＜Q ₂

(2) solve one group of untrivialo solution of following 2n unit linear function group:

x = (x_{1}, \cdot \cdot \cdot, x_{n}), y^{'} = (y_{1}^{'}, \cdot \cdot \cdot, y_{n}^{'}) &Element; F_{q}^{n} \ {0}

[\overset{&RightArrow;}{Q_{1}^{α_{1}} M} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{α_{n}} M} - \overset{&RightArrow;}{T Q_{2}^{β_{1}}} \cdot \cdot \cdot - \overset{&RightArrow;}{T Q_{2}^{β_{n}}}] \times {[x_{1} \cdot \cdot \cdot x_{n} y_{1}^{'} \cdot \cdot \cdot y_{n}^{'}]}^{T} = 0

(3) by y ' calculating:

A = Σ_{j = 1}^{n} y_{j}^{'} Q_{2}^{β_{j}} &Element; < Q_{2} >

(4) obtain the inverse matrix A of A ^-1∈＜Q ₂

(5) calculate A ^-1About basic B ₂Coordinate

y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n} \ {0}

(A^{- 1} = Σ_{j = 1}^{n} y_{j} Q_{2}^{β_{j}})

(6) then (x, y) with (α, β) equivalence, reducible thus session key:

key＝x×y＝(x ₁y ₁，…，x ₁y _n，…，x _ny ₁，…，x _ny _n)＝α×β

(7) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg.

3.2 technical scheme two of the present invention

Second technical scheme of the present invention generates, encrypts, deciphers three parts by key and constitute.Specific as follows:

3.2.1 key generating portion

(1) picked at random F _qOn two n * n Ergodic Matrices

(q＞10 and q ⁿEnough big)

(3) picked at random F _qOn two n * n nonsingular matrix

s, t &Element; F_{q}^{n \times n} .

(4) calculate F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base

With

Make:

Q_{1}^{α_{j}} = Σ_{i = 1}^{n} s [i, j] Q_{1}^{i - 1},

Q_{2}^{β_{j}} = Σ_{i = 1}^{n} t [i, j] Q_{2}^{i - 1}, (j = 1,2, \cdot \cdot \cdot, n)

(5) picked at random

The m n-dimensional subspace n

About F _qOne group of base [R ₁..., R _m].

(wherein: m=Rank (＜Q ₁〉 * M *＜Q ₂))

(6) obtain

Each row vector is about base [R ₁..., R _m] coordinates matrix

λ = [\begin{matrix} λ_{1,1} & λ_{1,2} & \cdot \cdot \cdot & λ_{1, m} \\ \cdot \\ \cdot \\ \cdot \\ λ_{n^{2}, 1} & λ_{n^{2}, 2} & \cdot \cdot \cdot & λ_{n^{2}, m} \end{matrix}] &Element; F_{q}^{n^{2} \times m}

It is right to make K the vectorial r of row _k, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m (1≤k≤n ²)

(7) by [R ₁..., R _m] m F of generation _qOn BMQ multinomial { ρ ₁(x, y) ..., ρ _m(x, y) }:

[\begin{matrix} ρ_{1} (x, y) \\ ρ_{2} (x, y) \\ \cdot \\ \cdot \\ \cdot \\ ρ_{m} (x, y) \end{matrix}] = [\begin{matrix} R_{1} \\ R_{2} \\ \cdot \\ \cdot \\ \cdot \\ R_{m} \end{matrix}] \times [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}], (x = (x_{1}, \cdot \cdot \cdot, x_{n}), y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n})

(8) at last with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, s ^-1, t ^-1, λ) be private key.

3.2.2 encryption section

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select at random

Session key:

key = α \times β = (α_{1} β_{1}, \cdot \cdot \cdot, α_{1} β_{n}, \cdot \cdot \cdot, α_{n} β_{1}, \cdot \cdot \cdot, α_{n} β_{n}) &Element; F_{q}^{n^{2}} \ {0}

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

C _M＝E _key(M)

(C at last _Key, C _M) be ciphertext, will be sent to the recipient.

3.2.3 decryption portion

If recipient's private key is (Q ₁, Q ₂, M, s ^-1, t ^-1, λ), the ciphertext of receiving is (C _Key, C _M).Then decrypting process is as follows:

(1) calculates

Can get matrix T ∈＜Q ₁〉 * M *＜Q ₂

x = (x_{1}, \cdot \cdot \cdot, x_{n}), y^{'} = (y_{1}^{'}, \cdot \cdot \cdot, y_{n}^{'}) &Element; F_{q}^{n} \ {0}

[\overset{&RightArrow;}{Q_{1}^{0} M} \cdot \cdot \cdot \overset{&RightArrow;}{Q_{1}^{n - 1} M} - \overset{&RightArrow;}{T Q_{2}^{0}} \cdot \cdot \cdot - \overset{&RightArrow;}{T Q_{2}^{n - 1}}] \times {[x_{1} \cdot \cdot \cdot x_{n} y_{1}^{'} \cdot \cdot \cdot y_{n}^{'}]}^{T} = 0

(3) by y ' calculating:

A = Σ_{j = 1}^{n} y_{j}^{'} Q_{2}^{β_{j}} &Element; < Q_{2} >

(4) obtain the inverse matrix A of A ^-1∈＜Q ₂

(5) calculate A ^-1About base Coordinate

y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n} \ {0}

(A^{- 1} = Σ_{j = 1}^{n} y_{j} Q_{2}^{j - 1})

(6) calculate

α^{'} = (α_{1}^{'}, \cdot \cdot \cdot, α_{n}^{'}) = s^{- 1} x, β^{'} = (β_{1}^{'}, \cdot \cdot \cdot, β_{n}^{'}) = t^{- 1} y &Element; F_{q}^{n} \ {0}

(7) then (α ', β ') with (α, β) equivalence, reducible thus session key:

key＝α′×β′＝(α′ ₁β′ ₁，…，α′ ₁β′ _n，…，α′ _nβ′ ₁，…，α′ _nβ′ _n)＝α×β

(8) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg.

3.3 advantage and good effect

Compare with public key cryptography scheme commonly used at present, the given public key cryptography technology scheme of the present invention has following advantage.

3.3.1 fail safe is higher

Can prove the BMQ problem be NP completely.So it is more difficult than big integer factor decomposition and discrete logarithm problem.Therefore, deriving private key or decode expressly from ciphertext from PKI is infeasible in polynomial time.

Moreover public key cryptography commonly used at present all faces the threat of quantum calculation.And do not have effective quantum algorithm for np complete problem.Therefore the present invention can be used as a replacement scheme of existing public key cryptography, thereby has long-range application potential.

3.3.2 key space is big

Work as q ⁿWhen enough big, because

In Ergodic Matrices and about given Ergodic Matrices to (Q ₁, Q ₂) the quantity of strong matrix heavy many, so (private key, PKI) in the given technical scheme of the present invention right selection space is very big.

3.3.3 the randomness of PKI is good

The pairing F of PKI in the given technical scheme of the present invention _qOn BMQ multi-direction type group [ρ ₁..., ρ _m], be by n ²Dimension row vector space

A specific m n-dimensional subspace n about F _qOne group of base [R ₁..., R _m] unique definite.

And

The quantity of m n-dimensional subspace n V be:

\frac{(q^{n^{2}} - 1) (q^{n^{2}} - q) (q^{n^{2}} - q^{2}) \cdot \cdot \cdot (q^{n^{2}} - q^{m - 1})}{(q^{m} - 1) (q^{m} - q) (q^{m} - q^{2}) \cdot \cdot \cdot (q^{m} - q^{m - 1})}

For specific m n-dimensional subspace n V, V is about F _qThe quantity of base (greatly linearly independent vector group) be:

(q ^m-1)(q ^m-q)(q ^m-q ²)…(q ^m-q ^m-1)

So PKI [ρ ₁..., ρ _m] selection randomness very big.

3.3.4 fast operation

The enciphering rate of this key encrypt method is fast.Because it only relates to F _qIn simply add/multiplication, and do not relate to any power exponentiation.

The deciphering speed of this key encrypt method is fast simultaneously.Because it only relates to F _qIn simple matrix add/multiplication conciliates the linear function group operation of 2n unit, and do not relate to any matrix power exponentiation.Thereby be convenient to hardware and realize.

3.3.5 technology can disclose

Realization technology of the present invention can disclose fully, and user's PKI also can openly be provided to the external world with the form of digital certificate.As long as private key is not divulged a secret, just can guarantee the safety of ciphertext fully.

3.3.6 it is favourable to national security

The Internet is a kind of open net, and is apparent, transmits sensitive information in the above and must encrypt.Because internet usage is as means of communication for important departments such as the Chinese government, national defence, finance, the tax, therefore, information security is related to national sovereignty safety and economic security.

Therefore, to have a key encrypt method of independent intellectual property right, original innovation significant in research.

(4) embodiment

The characteristics of this key encrypt method are that it can allow each user obtain two keys, and a key can disclose, and are used for encrypting, and a key can only the individual have, and are used for deciphering.Like this, can not worry that key divulged a secret in the transmittance process on the net.When the agreement correspondent transmitted information on the net, the sender used recipient's PKI that file or message are encrypted, and the recipient uses the private key of oneself that it is decrypted after receiving ciphertext.

Two keys are got by CA (Certificate Authentication) authentication center that each user can arrive appointment.The ca authentication center is the mechanism that the user is registered, key is produced, distributes and manages.It utilizes the key generation method generation user's of 3.1.1 or 3.2.1 joint PKI and private key.

This encryption method can realize that it comprises two parts with logic circuit chip or program language: (1) develops chip or program according to key generation method, is used by the ca authentication center; (2) develop chip or program according to the encryption and decryption method of 3.1.2,3.1.3 or 3.2.2,3.2.3 joint, use by the general user.

Claims

1. the key encrypt method of Ergodic Matrices on the Hidden field, generating, encrypt, decipher three parts by key forms, the key generating portion produces user's (private key for third party authoritative institution, PKI) right, encryption section uses receiving party's PKI expressly being converted to ciphertext for information sender, decryption portion uses the private key of oneself that ciphertext is reduced into expressly for the receiving party, it is characterized in that

Scheme one:

● the key generating portion has adopted the following step:

(1) picked at random F _qOn two n * n Ergodic Matrices

(q＞10 and q ⁿEnough big)

(2) picked at random is about (Q ₁, Q ₂) strong matrix M ∈ M _S(Q ₁, Q ₂), require Exp (Q simultaneously ₁, M, Q ₂)=1

(3) picked at random F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base

With

(4) picked at random

The m n-dimensional subspace n About F _qOne group of base [R ₁..., R _m]

(wherein: m=Rank (＜Q ₁〉 * M *＜Q ₂))

(5) obtain

Each row vector is about base [R ₁..., R _m] coordinates matrix

λ = [\begin{matrix} λ_{1,1} & λ_{1,2} & \cdot \cdot \cdot & λ_{1, m} \\ \cdot \\ \cdot \\ \cdot \\ λ_{n^{2}, 1} & λ_{n^{2}, 2} & \cdot \cdot \cdot & λ_{n^{2}, m} \end{matrix}] &Element; F_{q}^{n^{2} \times m}

It is right to make

K the vectorial r of row _k, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m (1≤k≤n ²)

[\begin{matrix} ρ_{1} (x, y) \\ ρ_{2} (x, y) \\ \cdot \\ \cdot \\ \cdot \\ ρ_{m} (x, y) \end{matrix}] = [\begin{matrix} R_{1} \\ R_{2} \\ \cdot \\ \cdot \\ \cdot \\ R_{m} \end{matrix}] \times \begin{matrix} [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}] \end{matrix}

(x＝(x ₁，…，x _n)，

y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n})

At last, with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, B ₁, B ₂, λ) be private key;

● encryption section has adopted the following step:

Information sender and recipient at first determine a kind of general symmetric encipherment algorithm E, and clear packets M is done:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select α=(α at random ₁..., α _n),

Session key:

key = α \times β = (α_{1} β_{1}, \cdot \cdot \cdot, α_{1} β_{n}, \cdot \cdot \cdot, α_{n} β_{1}, \cdot \cdot \cdot, α_{n} β_{n}) &Element; F_{q}^{n^{2}} \ {0}

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

C _M＝E _key(M)

(C at last _Key, C _M) be ciphertext, will be sent to reciever.

● decryption portion has adopted the following step:

The recipient uses the private key (Q of oneself ₁, Q ₂, M, B ₁, B ₂, λ), at ciphertext (C _Key, C _M) do:

(1) calculates

Can get matrix T ∈＜Q ₁〉 * M *＜Q ₂

(2) solve one group of untrivialo solution of following 2n unit linear function group: x=(x ₁..., x _n),

[\begin{matrix} \overset{&RightArrow;}{Q_{1}^{α_{1}} M} & \cdot \cdot \cdot & \overset{&RightArrow;}{Q_{1}^{α_{n}} M} & - \overset{&RightArrow;}{{TQ}_{2}^{β_{1}}} & \cdot \cdot \cdot & - \overset{&RightArrow;}{{TQ}_{2}^{β_{n}}} \end{matrix}] \times {[\begin{matrix} x_{1} & \cdot \cdot \cdot & x_{n} & y_{1}^{'} & \cdot \cdot \cdot & y_{n}^{'} \end{matrix}]}^{T} = 0

(3) by y ' calculating:

(4) obtain the inverse matrix A of A ^-1∈＜Q ₂

(5) calculate A ^-1About basic B ₂Coordinate

(6) reduction session key:

(7) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg;

Scheme two:

● the key generating portion has adopted the following step:

(1) picked at random F _qOn two n * n Ergodic Matrices Q ₁,

(q＞10 and q ⁿEnough big)

(3) picked at random F _qOn two n * n nonsingular matrix s,

(4) calculate F _q[Q ₁] and F _q[Q ₂] about F _qOne group of base

With

Make:

Q_{1}^{α_{j}} = Σ_{i = 1}^{n} s [i, j] Q_{1}^{i - 1}, Q_{2}^{β_{j}} = Σ_{i = 1}^{n} t [i, j] Q_{2}^{i - 1}

(j＝1，2，…，n)

(5) picked at random The m n-dimensional subspace n

About F _qOne group of base [R ₁..., R _m] (wherein: m=Rank (＜Q ₁〉 * M *＜Q ₂))

(6) obtain Each row vector is about base [R ₁..., R _m] coordinates matrix

λ = [\begin{matrix} λ_{1,1} & λ_{1,2} & \cdot \cdot \cdot & λ_{1, m} \\ \cdot \\ \cdot \\ \cdot \\ λ_{n^{2}, 1} & λ_{n^{2}, 2} & \cdot \cdot \cdot & λ_{n^{2}, m} \end{matrix}] &Element; F_{q}^{n^{2} \times m}

It is right to make

K the vectorial rk of row, have:

r _k＝λ _k，1R ₁+λ _k，2R ₂+…+λ _k，mR _m (1≤k≤n ²)

(7) by [R ₁..., R _m] generate the BMQ multinomial { ρ on m the Fq ₁(x, y) ..., ρ _m(x, y) }:

[\begin{matrix} ρ_{1} (x, y) \\ ρ_{2} (x, y) \\ \cdot \\ \cdot \\ \cdot \\ ρ_{m} (x, y) \end{matrix}] = [\begin{matrix} R_{1} \\ R_{2} \\ \cdot \\ \cdot \\ \cdot \\ R_{m} \end{matrix}] \times \begin{matrix} [\begin{matrix} x_{1} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{1} y_{n} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{1} \\ \cdot \\ \cdot \\ \cdot \\ x_{n} y_{n} \end{matrix}] \end{matrix}

(x＝(x ₁，…，x _n)，

y = (y_{1}, \cdot \cdot \cdot, y_{n}) &Element; F_{q}^{n})

At last with (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)]) be PKI, with (Q ₁, Q ₂, M, s ^-1, t ^-1, λ) be private key;

● encryption section has adopted the following step:

(1) obtains recipient's PKI (F _q, [ρ ₁(x, y) ..., ρ _m(x, y)])

(2) select α=(α at random ₁..., α _n),

Session key:

key = α \times β = (α_{1} β_{1}, \cdot \cdot \cdot, α_{1} β_{n}, \cdot \cdot \cdot, α_{n} β_{1}, \cdot \cdot \cdot, α_{n} β_{n}) &Element; F_{q}^{n^{2}} \ {0}

(3) with recipient's PKI key is encrypted:

C _key＝[z ₁，…，z _m]＝[ρ ₁(α，β)，…，ρ _m(α，β)]

C _M＝E _key(M)

(C at last _Key, C _M) be ciphertext, will be sent to the recipient;

● decryption portion has adopted the following step:

(1) calculates

Can get matrix T ∈＜Q ₁〉 * M *＜Qx 〉

[\begin{matrix} \overset{&RightArrow;}{Q_{1}^{0} M} & \cdot \cdot \cdot & \overset{&RightArrow;}{Q_{1}^{n - 1} M} & - \overset{&RightArrow;}{{TQ}_{2}^{0}} & \cdot \cdot \cdot & - \overset{&RightArrow;}{{TQ}_{2}^{n - 1}} \end{matrix}] \times {[\begin{matrix} x_{1} & \cdot \cdot \cdot & x_{n} & y_{1}^{'} & \cdot \cdot \cdot & y_{n}^{'} \end{matrix}]}^{T} = 0

(3) by y ' calculating:

(4) obtain the inverse matrix A of A ^-1∈＜Q ₂

(5) calculate A ^-1About base

Coordinate

(6) calculate α '=(α ' ₁..., α ' _n)=s ^-1X,

(7) then (α ', β ') with (α, β) equivalence, reducible thus session key:

(8) utilize session key key to ciphertext C _MDeciphering obtains expressly:

M＝D _key(C _M)

At last, the recipient recovers the plaintext M of transmit leg.