CN102624524A - Non-forgeable knowledge proof and message signature authentication method based on bilinear pairings - Google Patents

Abstract

The invention provides a non-forged knowledge proof and message signature authentication method based on bilinear pairings. The objective of the invention is the concurrency of Non-forgeable security and knowledge extraction resistance capacity. With the method provided by the invention, a valid knowledge proof or message signature authentication is provided only when corresponding secret knowledge is known. Through regarding user identities and/or fixed DH elements as a public key, the method of the invention comprises an efficient numerical signature method and an identity-based or certificate-free signature method. Through operating the method of the invention, each side which operates the method of the invention proves the respective secret DH-knowledge knowledge. A key exchange method for authentication and an identity-based or certificate-free key exchange method for authentication are derived by the method of the invention.

Description

Non-forgeable knowledge proof and message signature authentication method based on bilinear pairings

Technical Field

The invention belongs to the technical field of passwords, and particularly relates to a bilinear pairing-based (interaction-free) non-forgeable knowledge proof and message signature authentication method. The purpose of the inventive method is concurrent non-forgeable security and knowledge extraction. Specifically, only knowledge of the corresponding secret can give a legitimate proof of knowledge or message signature authentication. By regarding the identity of the user and/or the fixed DH component as a public key, the invention method implies a high-efficiency numerical signature method and an identity-based signature method; each party (running the inventive method) proves their own secret DH-knowledge by running the inventive method and the inventive method derives an authenticated key exchange method and an authenticated identity-based key exchange method.

Background

Preliminary knowledge and symbol marking

The methods and operations described herein are based on efficient bilinear pairwise mapping

Or

WhereinIs N_AFinite Abel group of order (for most cases)

Is N_AA cyclic group or field of order). Note the book

As a collection of numbers

Note the book

All greater than 0 and less than N_AAnd with N_AA set of integers of primes. Remember | N_AL is N_AIs used to represent the length of the binary representation. In particular, if N_AIs a prime number, then

In describing the method of the present invention, we will now describe

Are described as multiplicative groups. In some of the literature, it is known that,

also described as an additive group. Here, we emphasize that

The descriptions as additive or multiplicative groups are merely different in sign, and the two descriptions are isomorphic. The method described with multiplicative group tokens can be applied isomorphically to the method described with additive group tokens; also, the method described by the additive group notation may be isomorphicGround applies to the method described with multiplicative group notation. For convenience of description, we will describe

Are described as multiplicative groups.

Is composed ofThe production unit of (1) is provided with a production unit,

is composed of

The production unit of (1). In the normal case, N_AIs a prime number or the product of two or more prime numbers or N_A＝2^kK is not less than 1 or N_A＝q^kK.gtoreq.1 wherein q is a prime number. In some cases

At this time

And

may or may not be equal. If it is

Let us call e_AIs a symmetric bilinear pair, if

Let us call e_AAre asymmetric bilinear pairs. Note that for asymmetric bilinear pairs, DDH is assumed to be

Or

The above is still true. For asymmetric bilinear pairs

Is greater than the elements in

The elements in (1) are shorter; also, for asymmetric bilinear pairs

Is greater than the elements in

The elements in (1) are shorter;

is called a valid bilinear pair if the following condition (forThe effective bilinear pairs of (c) are similarly defined):

(1)

is that

The generator of (in particular,is not provided with

A unit cell of (a).

(2) For arbitrary <math> <mrow> <mi>a</mi> <mo>,</mo> <mi>b</mi> <mo>&Element;</mo> <msubsup> <mi>Z</mi> <msub> <mi>N</mi> <mi>A</mi> </msub> <mo>*</mo> </msubsup> <mo>,</mo> </mrow> </math> $e_A({\left(g_A^1\right)}^a,{\left(g_A^2\right)}^b)=e_A{(g_A^1,g_A^2)}^{\mathrm{ab}}.$

(3) For arbitrary

Can be efficiently (with N)_ALength of (d) is recorded as | N_AIs ginsengPolynomial time of number).

Typically, the amount of the liquid to be used,

and/or

Is a group (or its corresponding subgroup) of points defined on an algebraic (elliptic) curve, usually with their coordinate values located in a finite field or in an extension (extension) of a preferential field. Such as: based on finite fields (in particular, finite fields)

Or

Where q is a prime number, in particular q is 2, K is a positive integer), hyper-odd elliptic curves (hyper-singular curves), MNT curves, etc. More generally, the amount of the solvent to be used,

and/or

Is an abelian cluster (abelian variety) based on a finite Field, where elliptic curves are special abelian clusters with dimension 1.

Usually a finite Field, which is usually a large enough extension of the finite Field. Although for the bilinear pairs known so far,

and

or

Different but not different fromExclude future ability to find

Andor

The same bilinear pair. Weil and Tate bilinear pairs and variants thereof (e.g., variants of Tate pairs: Eta and Ate pairs) are currently commonly used bilinear pairs. When in use

In some cases, it is possible to use,

there is a homomorphic mapping between. When in useIn some cases, it is possible to use,the expression of the elements in

The representation of the middle element is shorter, or,

the expression of the elements in

The representation of the middle element is shorter. For these special groups, the representation in which the element may belong to

Or

(this particular group is advantageous for increasing communication complexity). When we need oneAn assistant

To

When the function is hashed, the input can be simply output and the input left after the highest bit or the lowest bit of the input is removed.

Regarding the encoding representation of the elements on the elliptic curve group: generally, for a group G (or its corresponding subgroup) consisting of points defined on an algebraic (elliptic) curve, for an element X ∈ G which is a non-unit element in G, the encoding method of X (prover) commonly used is as follows: x is directly related to its coordinate value (X)_X，y_X) Is shown in which x_XThe value of X-axis coordinate, y_XThe y-axis coordinate value of X is shown. To obtain a shorter representation of the element X in G, one can use (X) directly_XAnd b) when compared to x_XThe verifier may recover that there may be two different y-axis coordinate values, b e {0, 1} indicating that the y-axis coordinate values above or below the x-axis should be used (e.g., b ═ 1 indicating that the y-axis coordinate values above the x-axis should be used). There is also a more aggressive coding scheme, namely: x for element X in G_XTo indicate. For the last approach, since for x_XThe verifier may recover two different y-axis coordinate values and thus X ═ X (X)_X，y_X) Or X ═ X_X，-y_X). We assume that when the verifier performs a verification operation using X as one of the parameters of the bilinear pair, the code of X includes both X-axis coordinate values and y-axis coordinate values.

We assume the discrete logarithm assumption at

The above holds, namely: given a

(wherein x is selected from

Selected randomly) and none (by | N)_AParameterized |) probabilistic polynomial time algorithm can solve X from X with a non-negligible probability. A function f is unidirectional, given f (x), where x is chosen randomly within the domain of the function f, an algorithm without probability polynomial time (with | x | as a parameter) can solve for x with a non-negligible probability. A function is negligible if the output of the function is less than an arbitrary polynomial fraction for all sufficiently long inputs.

The inventors use the "a" symbol (e.g.,

) To indicate a logical or "distinct" identity (identity) of a user or device, such as a name, a device serial number, an emial or IP address, even a role in the operation of the method, etc. In some cases, these identities may be accompanied or included or contained in a digital certificate. Let … be a collection of information or values.

The hash function is used to convert a string into a numeric value or a fixed-length string, etc. Typically, the input to the hash function, i.e. any one string (or a concatenation of several strings), is first encoded as a {0, 1}^*And then a hash function is applied to the converted 0-1 string input to obtain a fixed-length 0-1 string output. Here {0, 1}^*The set of all 0-1 strings is represented. One basic function of hash functions in cryptography is to provide a "one-way" conversion, where "one-way" means that it is difficult to find its input or look-ahead given the output of a function, and "collision-resistant" where it is difficult to find a different input given an input so that the output of the hash function is the same on the two different inputs. The hash function can be very extensive: from a simple mixing (mixing) function to a function with pseudo-random output properties. With pseudo-randomHash functions of the machine output nature are often idealized as a "random oracle" in cryptographic analysis. There are several hash functions widely used in cryptography: for example, MD5 converts data of arbitrary length into a 128-bit 0-1 string, while the output of another common hash function SHA is a 160-bit 0-1 string. In the description of the present invention, if the input of the hash function is a set of several parameters, the order of the function input parameters may be arbitrary unless otherwise specified. Generally, all input parameters are encoded according to a certain code system, then the encoded parameters are connected into a character string, and then the character string obtained by connection is used as the input of the actual operation of the function. If the output of the hash function is defined as

The output length is | N_AHash function of | 1, where | N_AI denotes N_AA binary length of; if the hash function outputs 0 on some inputs, the output of the hash function on these inputs may be predefined as

One element of (1). In practical applications, all inputs of the hash function are first converted into 0-1 strings, then the converted 0-1 strings are connected into a 0-1 string (the sequence of the connection can be changed), and finally the conversion function is applied to the connected 0-1 string to obtain an output. In some applications, only part of the output of the conversion function is used. In most cases, the order of the inputs to the conversion function is not important (the order may be changed). For example, take the conversion function f as an example, let S ═ x₁，…，x_tT is more than or equal to 1, and is a set of t character strings

Is x₁，x₂，x₃，…，x_t2 carry 0-1 string code representation, then

Where "|" represents a character string junction operator. Attention is paid to

The order of the joins may vary, but the order of joins needs to be fixed and all users interacting with the inventive method know and use the same order to perform the join operations (the order of inputs may be determined by two or more users negotiating the interaction using the inventive method, or specified by a trusted user or institution). For f (x)₁，x₂，…，x_t) If in which x is_iI is more than or equal to 1 and less than or equal to t, and is an empty string or an empty set, then f (x)₁，x₂，…，x_t)＝f(x₁，…，x_i-1，x_i+1，…，x_t)。

In general, in the description of the present invention, if the input of the function is a set of several parameters, the order of inputting the parameters of the function may be arbitrary unless otherwise specified. However, in practical applications of the inventive method, the order of function inputs needs to be fixed and all users interacting with the inventive method know and operate in the same order (the order of inputs may be determined by two or more users negotiating interactions using the inventive method or specified by a trusted user or institution). If the input to the function is an empty set, the output of the function is defined as a constant or 0.

In the conventional public key cryptosystem, a signer is assumed and noted as

Has a public signature key U, a public signature key U and a signer identity

Is performed by a trusted third party user or authority. Typically, a trusted third party user or institution will check

And the validity of U, then

Make a digital signature and will

And the signature of the trusted third party forms a target

Public key certificate, as

Digital signature correlation work and comparison:

given a

Wherein

Are all open, e_AIs oneAn efficient bilinear pairwise mapping (note that,the elements in (1) are more indicative than

Short in (c), and therefore correspondingly short in the signature obtained below). And m is information to be signed. The signer has an identity of

Let H₁Is a domain of {0, 1}^*The output belongs to

A hash function of (1).

The best determined bilinear pair-based digital signature method in the current related work is given by Boneh and Boyen, as follows:

Boneh-Boyen signature method:

signature public key:

H₁；

signature private key: x is the number of₁Wherein x is₁From

The selection is carried out randomly.

Signature: for a message m, calculate

Will tau_AAs a signature on message m.

Signature verification: verifier gets m and tau_AThen, computing verification

If the equation is true, the signature is accepted, otherwise, the signature is rejected.

The disadvantages of the Boneh-Boyen protocol are: it cannot prove the full signature security, in order to get it, the public key of the Boneh-Boyen scheme needs to add a DH-component and the signature must be random (i.e. the signature itself contains a random string); in addition, the Boneh-Boyen solution does not provide sufficient unforgeable security, such as given

A malicious adversary can forge it intoWherein H₁(m′)＝cH₁(m) of the reaction mixture. By means of such an attack it is possible to,

is relative to public key X'₁＝(X₁)^cThe signature for m'.

Below, we compare the Boneh-Boyen scheme with the signature scheme we have invented:

the invention discloses a signature method: \ u

Public key: the public key of the signer includes:

and H₁。

Private key: x is the number of₁Wherein x is₁From

The selection is carried out randomly.

Signature: signer computation

Wherein

Is X₁Is from the x-axis coordinate value of, or delta

With a randomly chosen constant c. Tau is_AAs a signature on message m.

And (3) verification: to obtain (m, t)_A) The signature verifier calculates whether to verify

If the equation is true, the signature is accepted, otherwise, the signature is rejected. Wherein

And

may be calculated in advance and be part of the public signature key.

Compared with the Boneh-Boyen scheme, the signature method has the advantages that: the public signature key may contain only one DH-componentAnd is a deterministic signature. Note that to get full signature security, the public key of the Boneh-Boyen scheme requires 2 DH-components, and the signature is random and except τ_AA random number (therefore, both public and signature are lengthened); in particular, our forging attack against Bonen-Boyen as described above would not be applicable to the inventive signature method.

Identity-based signature correlation work and comparison:

given a

Wherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging to

The hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping ofIn

And

order to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected from

The selection is carried out randomly. From

C is randomly selected. Order toAnd c and

is the public key of the trusted user and s is the private key of the trusted user.

User public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity of

Is recorded as the public key of the user

User' s

Is marked as

Having a trusted user computing and transmitting to the user via a secure channel

And m is information to be signed. The signer has an identity of

Currently, the best identity-based signature scheme is that given by Hess, as follows:

hess signature: the signer makes the following calculations

(1) ComputingWhere r is represented by the signer

Selecting randomly;

(2) calculating v ═ h (m, R);

(3) computing $U={\left(g_A^S\right)}^v{\left(g_A^P\right)}^r;$

(4) (U, v) is taken as the signature for message m.

Verification of the Hess signature: after m and (U, v) are obtained, the signature verifier performs the following calculation:

(1) computing $R=e_A(U,g_A^P)e_A{(Q_A,P_{\mathrm{pub}}^{-1})}^v;$

(2) And if v is h (m, R), the signature is accepted, and if not, the signature is rejected.

Note that: the signature computation complexity of the Hess signature is: 1 operation of a bilinear pair is carried out,

the amount of calculation of (a) is equivalent to 1.5 exponential operations. The verification complexity of the Hess signature is: 2 bilinear pairings (one of which, i.e. one of which

Can be pre-calculated), 1 exponential operation, 1 inversion operation and 1

The multiplication of (2).

The Hess signature scheme only proves secure against fixed identity attacks under the random oracle (random oracle) model. Note that the fixed identity attack security section is a weak security, so the Hess scheme has not been able to achieve full security (even under the random oracle model).

Below, we compare the Hess identity-based signature scheme with our inventive identity-based signature scheme:

inventive identity-based signature method-1 (which does not require the public key of a trusted user to include c or

)：

Signature: signer computation

Wherein

Will (X)₁，τ_A) As a signature on message m. Wherein X₁May be calculated in advance and be part of the public key of the signer.

And (3) verification: to obtain (m, X)₁，τ_A) The verifier then calculates as follows: calculating whether to verify

If the equation is true, the signature is accepted, otherwise it is rejected.

The invention relates to an identity-based signature method-1 computational complexity analysis: the signature requires 2 exponential operations to be computed without performing bilinear pairings. Since bilinear pairings correspond approximately to 1.5 or 2 exponential operations. Therefore, the signature computation amount of the identity signature method based on the invention is greatly improved compared with the Hess scheme. Signature verification of the inventive method requires 2 bilinear pairings (one of which can be computed beforehand),

the calculation of (a) is equivalent to 1.5 exponential operations. Note that if X₁As part of the public key of the signer, then

Or may be calculated in advance. Thus, the online computation of signature verification by our inventive method can be only 1 bilinear pair operation and 1 exponential operation. Therefore, the signature verification of our inventive scheme is computationally more computationally on-line (without the need for inversion and summation) than the Hess scheme

The multiplication operation of (c).

And (4) safety comparison: with respect to the Hess scheme, which can only be targeted to fixed-identity attacks in advance and under the random oracle model, our inventive identity-based signature scheme-1 does not require a random oracle hypothesis and is resistant to dynamic attacks directed to arbitrary identities. Thus, our inventive identity-based signature scheme provides superior security assurance compared to the Hess scheme.

Inventive identity-based signature method-2:

signature: signer computation

Will (X)₁，τ_A) As a signature on message m. Wherein X₁May be calculated in advance and be part of the public key of the signer.

And (3) verification: to obtain (m, X)₁，τ_A) The verifier then calculates as follows: calculating whether to verify

If the equation is true, the signature is accepted, otherwise it is rejected.

The invention relates to an identity-based signature method-2 computational complexity analysis: the signature requires 2 exponential operations to be computed without performing bilinear pairings. Because of the fact thatBilinear pairings correspond approximately to 1.5 or 2 exponential operations. Therefore, the signature computation amount of the identity signature method based on the invention is greatly improved compared with the Hess scheme. The signature verification of the method of the invention requires 2 bilinear pairings (one of which can be calculated in advance) and an exponential operation

(Note that

Directly in the public key of the trusted user). Thus, the online computation of signature verification of our inventive method-2 can be only 1 bilinear pair operation and 1 exponential operation. Therefore, the signature verification of our inventive scheme is computationally more computationally on-line (without the need for inversion and summation) than the Hess scheme

The multiplication operation of (c).

And (4) safety comparison: with respect to the Hess scheme, which can only be targeted to fixed-identity attacks in advance and under the random oracle model, our inventive identity-based signature method-2 does not require a random oracle hypothesis and is resistant to dynamic attacks against arbitrary identities. Thus, our inventive identity-based signature scheme-2 provides superior security assurance compared to the Hess scheme.

Inventive identity-based signature method-3 (which does not require the public key of a trusted user to include c or

)：

Signature: signer computation

Will (X)₁，X₂，τ_A) As a signature on message m.

And (3) verification: to obtain (m, (X)₁，X₂，τ_A) After) the verifier makes the following calculation: calculating whether to verify

If the equation is true, the signature is accepted, otherwise it is rejected.

The invention relates to a signature method based on identity-3 computational complexity analysis: the signature requires 3 exponential operations to be computed without performing bilinear pairings. The signature verification of the method of the invention requires 2 bilinear pairings (one of which can be calculated in advance) and an exponential operation

Thus, the online computation of signature verification of our inventive method-2 can be only 1 bilinear pair operation and 1 exponential operation. Therefore, the signature verification of our inventive scheme is computationally more computationally on-line (without the need for inversion and summation) than the Hess scheme

The multiplication operation of (c).

And (4) safety comparison: in addition to providing security against dynamic attacks against arbitrary identities without the need for a random oracle, inventive identity-based signature method-3 has another important advantage over the Hess scheme in that: signature private key

May be calculated only in the offline pre-calculation stage (i.e. calculation) Phase) usage, while the online phase of the signature (i.e., computation)

The private signature key does not participate in the operation. This may further greatly improve the security of the signature scheme.

Identity-based key exchange related work and comparison:

given a

Wherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging toThe hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, wherein

And

order to

Is a hash function.

Trusted user public and private keys: trusted user computingWherein s is selected from

The selection is carried out randomly. From

C is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and

)

user public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity of

Is recorded as the public key of the userUser' s

Is marked as

User' s

Is marked as

User' sIs marked as

User' sIs marked as

User' sIs marked as

And

calculated by a trusted user and sent to the user via a secure channel

And

and

at present, the best identity-based key exchange scheme is that given by Smart, as follows

(1)ComputingWherein x is by the user

In that

The selection is carried out randomly. User' s

Sending X to user

(2)

Computing

Wherein y is by the user

In that

The selection is carried out randomly. User' s

Sending Y to user

(3) After Y is obtained, the user

ComputingAfter X is obtained, the userComputing

Attention is paid to

(4) Session key derivation: user' s

Calculating session key K KDF (K)_A) Where KDF is a deterministic key derivation function; user' s

Calculating session key K KDF (K)_B)。

Computational complexity analysis of Smart protocol: each user

Or

2 bilinear pairings and 2 exponents need to be computed. The online computation efficiency per user (except for values that can be computed in advance) is 1 bilinear pair operation.

Security analysis of Smart protocol: the Smart protocol cannot provide sufficient security. In particular, the known Smart protocol does not provide perfect forward security (perfect forward security). In addition, Smart protocols do not provide explicit key validation and authentication.

Another disadvantage of the Smart protocol is that it cannot be applied to three-party user key exchange.

Inventive identity-based key exchange method-1:

let u_A，υ_B，υ_CEither null (i.e., a null string), or υ_A，υ_B，υ_CAre three numerical values different from each other. Such as: upsilon is_A，υ_B，υ_CAll being empty, or upsilon_A＝0，υ_B＝1，υ_C＝2。

(1) User' s

Compute and send

(2) User' s

Compute and send

(3) User' s

Compute and send

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain

Authentication

User' s

To obtain

AuthenticationAnd if the verification fails, stopping the operation.

Session key derivation and authentication: user' s

Computing

User' s

ComputingUser' s

Setting the session key to K KDF (K)_A，S_AB) (ii) a User' s

Setting the session key to K KDF (K)_B，S_AB) Wherein

If the inventive method is implemented in three users,

andand

to exchange keys therebetween. User' s

To obtain

And

post verification

Andif the verification is passed, the userComputing

User' s

To obtain

And

post verification

Andif the verification is passed, the user

Computing $K_B=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Z_1)}^{y_1}\left({=e}_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}\right).$

The user obtains

And

then, verify

And

if the verification is passed, the user

Computing $K_C=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Y_1)}^{z_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

Three-party user session key derivation: order to

User' s

Setting the session key to K KDF (K)_A，S_ABC) User ofSetting the session key to K KDF (K)_B，S_ABC) User C sets the session key to K KDF (K)_C，S_ABC)。

Comparison of the inventive identity-based key exchange method-1 with the Smart protocol:

for the case of two-party user key exchange, the inventive identity-based key exchange method-1 provides strong, non-forgeable security. In particular, a perfect forward security attack against the Smart protocol is not applicable to the inventive identity-based key exchange method-1. The inventive identity-based key exchange method-1 has perfect forward security. In addition, the inventive identity-based key exchange method-1 provides an explicit identity authentication function. In particular, the inventive identity-based key exchange method-1 can be applied to three-party user key exchange, whereas the Smart protocol cannot be used for key exchange between three users.

Inventive identity-based key exchange method-1:

let u_A，υ_B，υ_CEither null (i.e., a null string), or υ_A，υ_B，υ_CAre three numerical values different from each other. Such as: upsilon is_A，υ_B，υ_CAll being empty, or upsilon_A＝0，υ_B＝1，υ_C＝2。

(1) User' s

Compute and send

For certificateless key exchange, X may be₁As a user

Is part of the public key of (1).

(2) User' s

Compute and send

For certificateless key exchange, Y may be₁As a user

Is part of the public key of (1).

(3) User' s

Compute and send

For certificateless key exchange, Z may be₁As a user

Is part of the public key of (1).

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain

Authentication

User' s

To obtain ${\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1={\left(g_A^P\right)}^{{\mathrm{<figure-callout\; id="1"\; label="y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">y</figure-callout>}}_1},$ $Y_2={\left(g_A^P\right)}^{y_2},$

Authentication

Session key derivation and authentication: user' s

Computing

User' sComputing

(for certificateless implementations, user

Computing

User' s

Computing

) For identity-based implementations, the user

And

one interaction can generate 2 session keys, one from

And

lead out, a from

And

and (6) exporting.

If the inventive method is implemented in three users,

and

and

to exchange keys therebetween. User' s

To obtain

And

then, verifyAnd

if the verification is passed, the user

Computing

And $K_A^2=e_A{(Y_2,Z_2)}^{x_2}(=e_A{(g_A^P,g_A^P)}^{x_2{y}_2{z}_2}).$

user' s

To obtain

And

post verificationAnd

if the verification is passed, the user

Computing

And $K_B^2=e_A{(X_2,Z_2)}^{y_2}(=e_A{(g_A^P,g_A^P)}^{x_2{y}_2{z}_2}).$

user' s

To obtain

And

then, verify

And

(if the authentication is passed, the user

Computing

And $K_C^2=e_A{(X_2,Z_2)}^{z_2}\left({=e}_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}\right).$

three-party user session key derivation: order to

User' s

Deriving two session keys as

And

user' s

Deriving two session keys

Anduser' sDeriving two session keys $K_{}$ ${}_1=\mathrm{KDF}({\mathrm{<figure-callout\; id="1"\; label="K\; C"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">K</figure-callout>}}_C^{},S_{\mathrm{ABC}})$ And $K_2=\mathrm{KDF}(K_C^2,S_{\mathrm{ABC}}).$

the inventive identity-based key exchange method-2 compares the computational complexity with the Smart protocol: in order to generate 2 session keys, each user in the inventive identity-based key exchange method-2 needs to calculate 6 exponential operations and 2 bilinear pairings, while the online calculation amount of each user is 3 exponential operations and 1 bilinear pairings. For the inventive identity-based key exchange method-2, each user calculates on average 3 exponential operations and 1 bilinear pairings operation each time a session key is generated, which is superior to the computational complexity of the Smart protocol. For the identity-based key exchange method-2 of the invention, the average online calculation amount of each user is 1.5 exponential operations and 0.5 bilinear pairings operations every time one session key is generated.

The identity-based key exchange method-2 for the invention is applicable to key exchange between three-party users, but the Smart protocol cannot.

The inventive identity-based key exchange method-2 compares with the security of Smart protocol: the inventive identity-based key exchange method-2 provides robust, non-forgeable security. In particular, a perfect forward security attack against the Smart protocol is not applicable to the inventive identity-based key exchange method-2. The inventive identity-based key exchange method-2 has perfect forward security. In addition, the inventive identity-based key exchange method-2 provides an explicit authentication function, whereas the Smart protocol cannot provide an explicit authentication function.

Disclosure of Invention

The invention provides a method for non-forgeable knowledge proof and message signature authentication based on bilinear pairings. The inventive method is based on the fact that no interaction is required. The purpose of the inventive method is concurrent non-forgeable security and knowledge extraction. Specifically, only knowledge of the corresponding secret can give a legitimate proof of knowledge or message signature authentication. By taking the identity of the user and/or the DH component fixed after the user as a public key, the method disclosed by the invention contains a high-efficiency numerical signature method and a signature method based on the identity; each party (running the inventive method) proves their own secret DH-knowledge by running the inventive method and the inventive method derives an authenticated key exchange method and an authenticated identity-based key exchange method.

1. A method of non-forgeable knowledge proof and message signature authentication, the method comprising:

identity isIs obtained by the user

n is more than or equal to 1, wherein

Is one with N_AFinite Abelian group of ordersAre each generated from

I is more than or equal to 1 and less than or equal to n, a one-way exponential function is formed, and the output isIf the code used is only X-axis coordinate values of the element, then the y-axis coordinate values corresponding to the X-axis are calculated by the verifier_iIncluding both the x-axis coordinate value and the y-axis coordinate value), each of which is based on a relative coordinate of the two axes

I is more than or equal to 1 and less than or equal to n, constituting a certain at least one parameter

A function of (a); each one of which is

I is more than or equal to 1 and less than or equal to n, constituting a certain at least one parameter x_iA function of wherein

Identity is

Get m_AWherein m is_AIs a collection of public information, wherein

Is a user

The authenticated message is to be signed (when the inventive method is used for signing,including signed information; when the inventive method is used for a key exchange,including the user

And may also include using the inventive methods and

identity information of other parties or multiple parties interacting with each other, and other information sent by two or more parties interacting using the method, such as random strings and the like; when the inventive method is used for encryption,

including a portion of the ciphertext to provide authentication); user' s

To obtain

And the user

To obtain m_AThe sequence of (A) can be arbitrary; x as described above₁，...，X_nCalled user

DH component of (1), x₁，...，x_nCalled userThe secret DH index of (a); x₁，…，X_n，m_ASome are fixed values used in multiple sessions, others are temporary values used in only one session; a DH component or DH index used in a plurality of sessions is referred to as a fixed DH component, and a DH component or DH index used in only one session is referred to as a provisional DH component; the (subset of) fixed DH components may serve as the public key of the user, and correspondingly the (subset of) fixed ephemeral DH indices may serve as the private key of the user.

User' s

Computing

Wherein

Form a one-way exponential function with an output of

One of the encoding modes of an element (i.e.,

of an element or

If the encoding mode does not include complete information of y-axis coordinate value, the coordinate value of one element is calculated in the checking process_AIs verified by tau_AX-axis coordinate value of (1) other than 0 to recover tau_AY-axis coordinate values of);

is one with N_AFinite Abelian group of ordersThe generation element of (a) is generated,forming a certain at least one parameter

And its output is

One of the elements of (a) or (b),each of 0 ≦ i ≦ n constitutes a certain value

As a function of the input parameters. (in the usual caseI is not less than 0 and not more than n and the output is

One element of (1). However, the inventive method can be applied to functions whose general output is an integer or real number

0 ≦ i ≦ n, e.g., if

Can be directly equal toThe output for generality does not necessarily belong to

Is/are as follows0 ≦ i ≦ n, and in general,

is that

An element of, even

1. ltoreq. i.ltoreq.n are each

One element of (1). ) Lambda [ alpha ]_AForm a definite oneAs a function of the input parameters, τ_AIs that

Of an element or

A coordinate value of one element;

is marked as

Is disclosed. Note the bookIn the group of

Middle removing

Another one out of them is noted as

Note the book

In the group of

Either public or user

All haveThe secret value of (a); if it is

Is a userA secret value of

And is

Is a public parameter (e.g., in an identity-based cryptosystem, P_pubIs a public key of a trusted user that generates a private key for the user), where

Is a secret value that is a function of,e is a certain input parameter including

As a function of (a) or (b),

form a one-way exponential function and have an output of

One of the elements of (a) or (b),

forming a certain at least one parameter

Function of f_pub(s) forming a defined function of at least one parameter s; if it is

Definition of

WhereinIs that

Or will beIs arranged as

Where r is the user

A random number is selected such that <math> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> <mo>+</mo> <msubsup> <mi>f</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>+</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>+</mo> <msubsup> <mi>f</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mi>n</mi> </msub> <mo>)</mo> </mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> <mo>&NotEqual;</mo> <mn>0</mn> <mo>.</mo> </mrow> </math>

<math> <mrow> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>=</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mfrac> <mrow> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> <mo>+</mo> <msubsup> <mi>f</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>+</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <msubsup> <mi>f</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mi>n</mi> </msub> <mo>)</mo> </mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </mfrac> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <msubsup> <mi>G</mi> <mi>A</mi> <mn>2</mn> </msubsup> </msub> </mrow> </math> One of the following publicly verifiable equations is satisfied:

(1) if it is

Are all public values and e_AIs oneEfficient bilinear pairings mapping: <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>.</mo> </mrow> </math> This case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

(2) Or, if

Are all public values and e_AIs oneEfficient bilinear pairings mapping: <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>;</mo> </mrow> </math> This case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

(3) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:or

This case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

(4) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:

orThis case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

(5) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:

or

This case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

(6) Or,is a secret value and e_AIs one

Efficient bilinear pairings mapping:

orThis case corresponds to τ_AThe verifier may recover tau, as represented by the x-axis coordinate values_ATwo different y-axis coordinate values.

Wherein e is_AIs one

Or

An efficient bi-linear pair mapping is achieved,

is N_AIs a finite Abelian group of orders and

or

Is that

The production unit of (1) is provided with a production unit,

forming a certain at least one parameter

And its output isOne of the elements of (a) or (b),

is that a determined input parameter comprises

Has an output ofOne of the elements of (a) or (b),is that a determined input parameter comprises

Has an output ofOne element of (1);

is that a certain input parameter comprises P_pubFunction having an output of

One of the elements of (a) or (b),is that a determined input parameter comprises

Is output as

One element of (1);

i is more than or equal to 0 and less than or equal to n meets the following requirements:

1) is provided with

Is a function of

I is greater than or equal to 0 and less than or equal to n, then

Or

Comprises

And all the temporary DH components (or the x-axis coordinate values of all the temporary DH components), or

Comprises

And one set of coordinate axes of all DH components (in particular, x-axis coordinate values of all DH components).

2) Given a

Algorithms without probability polynomial time can be based on the parameter | N_AProbability of non-negligible | findingOr { X'₁，…，X′_nThe temporary DH component contained in (b) with { X }₁，…，X_nContains a different temporary DH-component, wherein

|N_AI denotes N_AThe binary length of (c) satisfies:

a) function(s)

I is 0 or more and n is defined inOutput of (2) is noted

I is more than or equal to 0 and less than or equal to n, wherein

And function

I is 0 or more and n is defined in

At the output of

I is more than or equal to 0 and is more than or equal to n.

b) And/or, is defined in

Value of

And is defined in

Value of

The same is true.

c) And/or, is defined inValue of <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msubsup> <mi>X</mi> <mn>1</mn> <mo>&prime;</mo> </msubsup> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msubsup> <mi>X</mi> <mi>n</mi> <mo>&prime;</mo> </msubsup> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>,</mo> </mrow> </math> Is equal to $e_A(t_A\left(g_A^1\right),B_A^{n+1}\left(g_A^2\right))$ Or $e_A(B_A^{n+1}\left(g_A^2\right),t_A\left(g_A^1\right))$ Or

OrWherein

3) Assumption functionI is more than or equal to 1 and less than or equal to n and the output is

A random uniformly distributed element of (a) for any value

Algorithm selection regardless of any polynomial time

Satisfies the following conditions:

a) if n is 1, then

Where ε (| N)_A| is one with | N)_AAnd | is a negligible function of the parameter. Epsilon (| N)_AI) is negligible if for all sufficiently large N_AAnd an arbitrary polynomial p (·),

b) if n is more than or equal to 2, at most one k element {1, …, n } exists, so that for all i, 1 is more than or equal to i is not equal to k is more than or equal to n,

alternatively, for all temporary DH components X_i，1≤i≤n，

To obtain

Then, identity isVerifier verification of

I is not less than 1 and not more than t, wherein

City of presentation

In which unit cell is removed

The set of elements remaining thereafter (in application,

can be prepared by the following methodAnd (4) checking: (1)

(2)

wherein G is a group of order N and

is a subgroup of G). Tau is_AAnd will be τ_AAs a verifier

ReceivingThe requirements of (a).

{x₁，…，x_nIs as

Selected private value, { x₁，…，x_nEither { x } or { x }₁，…，x_n，g_SIs as

Secret knowledge to be certified; by running the inventive method, the user

Proving its true knowledge of secret knowledge in a non-forgeable secure manner x₁，…，x_nEither { x } or { x }₁，…，x_n，g_SAnd are right to

Signature authentication is performed.

In the above-mentioned inventive process, wherein,disclosed is

Function(s)

And E, B_pub，f_s，

f_A，λ_A，φ_A，t_AAre fixed and the same for a group of users or are negotiated by two or more users connected through a network or device.

2. The method as described in 1 above, if

Is a user

The secret value of (2), then:

wherein

Is that a determined input parameter comprises

Is output as

One of the elements (in general,

)，f_s(s) is a function of a determined input parameter including s;

is part of the public key of a trusted user CA; part or all of the public key of CA is contained in m_APerforming the following steps; using the method and public key for each with an identity ID

User of (1), CA calculation

And will be

The user ID is sent over a secure channel.

3. The method as described in the above 2, wherein <math> <mrow> <mo>{</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>=</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>1</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>f</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>X</mi> <mi>n</mi> </msub> <mo>=</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mi>n</mi> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>f</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mi>n</mi> </msub> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>m</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>}</mo> </mrow> </math> Then, the verifier calculates <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>;</mo> </mrow> </math> Or

Or

Or

Or

Or

OrOr

Or

To verify tau_A(iii) correctness (note that all of the above verifications require public information); for all DH-components or temporary DH-components X_iI is more than or equal to 1 and less than or equal to n, and verified and/or not verified by a verifier

And/orAnd/or X_iAre not 0, and will be verified if such verification is performed

And/or

And/or X_iThe X-axis coordinate value of (a) is not 0 as an acceptance { X [ ]₁，…，X_n，m_A，τ_AThe requirement of (b) }, whereinIs shown as

The number of the unit cells of (a),

is shown as

A set of elements other than a unit cell. To verify or not verify

Or

Wherein

Is shown as

A unit cell of (a). Verification of tau_AAnd

and/or

And/or X_iThe x-axis coordinate value of (1) is not 0 and verification

Or

The order of (d) can be arbitrary (in general, due to the verification of τ)_ANeeds to perform bilinear pair operation, so verifying tau_AIs usually placed last).

4. In the method as described in the above 3, wherein

A subset of (if not an identity-based cryptosystem, may be a null set), and a subset of fixed DH-components and m_AAs a subset of the user (e.g., certain security parameters, functions, pre-computable values, etc.)

A portion of the public key of (a); m is_AAs part of the trusted user CA public key; if it is

And is

Only the information that is disclosed is included,

as a subset of (may be empty) users

Or part of the public key of the trusted user CA.

As a subset of (may be empty) users

Or part of the public key of the trusted user CA.

5. The method as described in 3 above, wherein m_AInvolving users

Information exchanged with other users, and/or,

and/or disclosed

And/or comprises P_pubPart or all of the public key of the trusted user CA;

involving users

And/or

And/or

(in an identity-based cryptosystem, the identity of the user and

or

Interchangeable) and/or public key information and/or timestamp information, and/or contain P_pubOf the public key of the trusted user CA, and/or

Information exchanged with other users using said method via a network or a device

And/or

Containing a value v_AWherein upsilon is_AEither a null value or a value associated with a role (e.g., protocol initiator, protocol responder) (i.e., different protocol roles for different upsilons)_AValue). For example, for multiple users

(wherein

One subset may be the same user, or even the same user

Correspond to the same oneUser-selectable), let υ_A＝0，υ_B＝1，υ_CIs labeled 2Different roles of (a).

6. The method as described in the above 5, wherein

Comprises that

And other random numbers, and/or coordinate values of a subset of (temporary) DH-components, and/or identity and/or public key information and/or timestamp information, which are mutually exchanged by users using the method via a network or a device.

7. The method as described in 3, 4, 5, 6 above, wherein the function

I is more than or equal to 0 and less than or equal to n, and the method is realized as follows:

1)

constituting an output (the input comprising a subset of the public information of the fixed DH-component and/or the user identity) belonging to

Or ifIs a point on an elliptic curve

Wherein

Is that

X-axis coordinate value of (1), or if

Order to

Or if

Order to

Is equal to

One length of (1) is | N_ASub-string of | e (e.g. removing the most significant or least significant value, which corresponds to a particular output belonging to

Hash function of) or

Or

Wherein

(in general c)₁Is that

Randomly selecting a constant and using the constant as a user

Part of, or with, the public key

The interactive user generates and sends to

Or with

A coordinate value of a DH component of the interactive user contribution), or

Containing only usersA subset of the DH components is fixed (e.g.,

or

Wherein

Is X₁Of (2), in particular, X₁X-axis coordinate value of (2), or X₁Exclusive or of coordinate values, etc.); or if

Wherein

Order toWherein

Is that a determined input parameter comprises

The output belongs to

Or if

Order to

Is that a determined input parameter comprises

The output belongs toA function of or

Or

Wherein∩m_A(c₁Can be used as a user

Part of a public key) or

Is a function of the fixed DH composition (coordinate values) (e.g.,

output a coordinate value of a certain fixed DH component, in particular, a coordinate value of the x-axis); if it is

Then

1 ≦ j ≦ n constitutes an output

A function of, or

Or if

Wherein

Is composed of

Coordinate values of

Or

Or

Or

Or ifThen

If for some j, 1 ≦ j ≦ n,

orIs not a group

One element (or no group) of

One of the coordinate values of one of the elements), then

Form an output belonging to

Such as a hash function, or a function on (coordinate values of) a subset of the DH components, and other outputs belong toA function of). In particular, it is possible to use, for example,wherein

Is a hash function; or

Or

Or

Wherein

Is X_iX-axis coordinate value of (c)₂Is (user)

Or a trusted user or

Interactive user) fromOf a value (can let c be a value) selected at random₂As usersOr part of the public key of a trusted user, or, alternatively, with

The interactive user or the trusted user is generated and sent toOf (d); or,

wherein

Is X_iX-axis coordinate values of;

2)

i is not less than 0 and not more than n, from F (S)_F) Deriving, where F is a certain input parameter including

Or the input parameters of F at least comprise

And a transient DH component.

8. The method as described in the above 7, wherein <math> <mrow> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>.</mo> <mo>.</mo> <mo>.</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>)</mo> </mrow> <msup> <mrow> <mo>(</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> </msup> <mo>,</mo> </mrow> </math> WhereinIs shown as

In that

The inverse of (1).

9. The method as described in claim 8, wherein the function φ_A，H_AIs a function of the same function as the function,

containing only user identities

Or in addition to the user identity

Outer cover

Further comprises a compound containing P_pubOf a trusted user CA and/or a user

A subset of the fixed DH components of (a); if it is

And is

Is a user

Secret value ofAnd n is more than or equal to 2.

10. The method as described in the above 9, wherein

H_AIs an output belonging toThe hash function of (a) of (b),

f_pub(s)＝s，f_s(s)＝s，

each of which constitutes a cyclic group or domain; n is a radical of_AIs a prime number, or the product of two or more prime numbers.

11. The method as described in the above 10, whereinIf it is

Is a value that is disclosed as a value,

or <math> <mrow> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>&NotEqual;</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>.</mo> </mrow> </math>

12. The method as described in 10, wherein if n is 1, τ_AThe following calculation method is adopted:

(1)

or

Wherein

Or is equal to

(in general, c)₂C is randomly and uniformly distributed in

C and/orCan be used as a user

Part of the public key, { c₂A subset of c could be made available to the user

Can also be generated by

The interactive user generates and sends to) Or is or

Is X₁A function of the coordinate values (e.g.,

is X₁One of the two coordinate values, in particular the x-axis coordinate value, for N_AModulo) or with

One coordinate value (particularly x-axis coordinate value) for a DH component generated by an interactive user for N_AAnd (6) taking a mold.

(2) Or,

orWhereinIs an output belonging to

The hash function of (a) of (b),

either a hash function or

A function of the coordinate values. For example,

or

Or

(3) Or, <math> <mrow> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mfrac> <mn>1</mn> <mrow> <msub> <mi>x</mi> <mn>1</mn> </msub> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </mfrac> </msup> </mrow> </math> or

Wherein

(4) Or,

whereinAnd

is an output belongs to

The hash function of (a) of (b),

(5) or,

whereinAnd

is an output belongs to

A hash function of

(i.e., the order of input of the functions here is forced to be different).

(6) Or, <math> <mrow> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mfrac> <mn>1</mn> <mrow> <msub> <mi>x</mi> <mn>1</mn> </msub> <msub> <mi>t</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>t</mi> <mn>0</mn> </msub> </mrow> </mfrac> </msup> <mo>,</mo> </mrow> </math> wherein

Wherein

H is a hash function, "| |" represents the connection of character strings, l ≧ 1.

If n > 1, then τ_AThe following calculation method is adopted:

(7) <math> <mrow> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mfrac> <mn>1</mn> <mrow> <msub> <mi>x</mi> <mn>1</mn> </msub> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>x</mi> <mn>2</mn> </msub> <msubsup> <mi>h</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>+</mo> <msub> <mi>x</mi> <mi>n</mi> </msub> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mi>n</mi> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </mfrac> </msup> <mo>,</mo> </mrow> </math> wherein

(8) Or,

wherein

(9) Or,

(10) or,

wherein DH component X₁Is fixed for use in multiple sessions;

(11) or,

or

Or

Or

Wherein n is 2, the total weight of the compound, <math> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>2</mn> </msub> <mo>,</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>&NotEqual;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>,</mo> <msub> <mi>X</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>.</mo> </mrow> </math>

13. the method as described in 12 above, wherein

And/or X₁And/or X₂And/or

And/or

And/or

As users

A portion of the public key of (a);

and/or

And/or

As part of the public key of the trusted user CA; and/or

Or

Or

As a subset of (may be empty) users

Or part of the public key of the trusted user CA. c can be used by users

Can also be generated by

The interactive user generates and sends to

(if c is a group consisting ofThe interactive user generates and sends toC is generally not as

Part of the public key of).

14. The method as described in the above 7, wherein F (S)_F)＝H(1，S_F)||…||H(l，S_F) H is a hash function, l ≧ 1.

Drawings

FIG. 1 is a knowledge proof and signature authenticator

A schematic of the information obtained and generated; FIG. 2 is two users of the operational aspect method, knowledge proof and signature authenticatorAnd verifier

A schematic flow chart of the method of the invention was run.

Detailed Description

Based on the above summary, we present some preferred embodiments.

Signature implementation:

given a

WhereinAre all open, e_AIs one

An efficient bilinear pairwise mapping (note that,

the elements in (1) are more indicative than

Short in (c), and therefore correspondingly short in the signature obtained below). Based onAn efficient bilinear pair mapping can be obtained accordingly.

Andeither in the same cyclic group or in different groups (

Andwith a different more preferred). If it is

And

in the same way, the first and second,

and

may or may not be equal. And m is information to be signed. The signer has an identity of

Signature embodiment-1:

public key: the public key of the signer includes:the public key of the signer may also contain a value that the verifier can calculate in advance:

and/or

And/or delta, wherein

Is X₁Is from the x-axis coordinate value of, or delta

Of a randomly selected constant c, or

H_δIs an output belonging to

The hash function of (a) of (b),is that

A subset of (a). In some interactive application environments, δ may be defined by the userThe other users of the interaction generate and send to

Private key: x is the number of₁Wherein x is₁From

The selection is carried out randomly.

Signature: signer computation

Wherein H₁Is a domain of {0, 1}^*The output belongs to

A hash function of (1). Tau is_AAs a signature on message m. Note that: the computational complexity of the signer is equivalent to an exponential operation. In some applications, the identity of the signer may also be used

As H₁One of the parameters is input. If x₁H₁(X₁M) + δ equal to 0, let

Or orderWhere r is a random number and (r, τ)_A) As a signature. Above for τ_AA treatment method which is not defined (i.e. the denominator of the numerator in the index is zero) is similarly applicable to all embodiments of the inventive method (for the sake of brevity of description this treatment is omitted in the following embodiments).

And (3) verification: to obtain (m, t)_A) Or (m, r, τ)_A) If, if

The signature verifier calculates whether to verify

Or

If it is

Verifier verification

The establishment of the equation is that the verifier accepts tau_AAs a prerequisite for the signature of the message m. In the authentication

Previously, the signature verifier could also check

And/or tau_AIs not zero and will notAnd/or tau_AThe non-zero x-axis coordinate value of the same is also used as the acceptance T_AAs a prerequisite for the signature of the message m (these additional checks apply equally to the following signature embodiments and to other embodiments of the inventive method). Wherein,

and/orCan be calculated and stored in advance by the signature verifier, or

And/or

As part of the signer public key. By pre-computing, the computational complexity of the verifier can be reduced to an exponential and a bilinear pairwise operation.

To shorten the yield of the signature, only τ may be used_AAs a signature. At this time, the verifier needs to calculate τ by himself/herself_AAnd the y-axis coordinate value of (2), and

or

As acceptance τ_AAs a prerequisite for the signature of the message m. (this treatment may also be applied to other embodiments of the inventive method.)

Signature embodiment-2:

public key: the public key of the signer includes:

and

the public key of the signer may also contain a value that can be calculated in advance by the verifier.

Private key: x is the number of₁，x₂Wherein x is₁，x₂From

The selection is carried out randomly.

Signature: signer computationWherein H₁Is an output belonging to

A hash function of (1). δ is 0(δ — 0 is a preferred embodiment), or δ is a member of the group

In which a randomly selected constant, or δ is X₁，X₂One of the x-axis coordinate values of (a) to N_ATaking a model, or

Wherein H_δIs an output belonging to

The hash function of (a) of (b),

is that

A subset of (a). In some interactive application environments, δ may be defined by the user

The other users of the interaction generate and send to

τ_AAs a signature on message m. In some applications, the identity of the signer may also be usedAs H₁One of the parameters is input.

And (3) verification: to obtain (m, t)_A) The signature verifier calculates whether to verify

The establishment of the equation is that the verifier accepts tau_AAs a prerequisite for the signature of the message m. Wherein,

and/orCan be calculated and stored in advance by the signature verifier, or

And/or

As part of the signer public key.

This embodiment has the advantage that the computational complexity of signature verification can be reduced by one exponential operation if δ is 0 (the disadvantage is the longer public and private keys). To shorten the yield of the signature, only τ may be used_AAs a signature. At this time, the verifier needs to calculate τ by himself/herself_AAnd the y-axis coordinate value of (2), and

orAs acceptance τ_AAs a prerequisite for the signature of the message m.

Signature embodiment-3:

public key: the public key of the signer includes:and

the public key of the signer may also contain a value that can be calculated in advance by the verifier.

Private key: x is the number of₁，x₂Wherein x is₁，x₂FromThe selection is carried out randomly.

Signature: signer computation

Wherein H₁Is an output belonging to

A hash function of (1). δ is 0(δ — 0 is a preferred embodiment), or δ is a member of the group

In which a randomly selected constant, or δ is X₁，X₂One of the x-axis coordinate values of (a) to N_ATaking a model, or

Wherein H_δIs an output belonging to

The hash function of (a) of (b),

is that

A subset of (a). In some interactive applicationsIn the use environment, delta can be defined by the user

The other users of the interaction generate and send to

τ_AAs a signature on message m. In some applications, the identity of the signer may also be used

As H₁One of the parameters is input.

And (3) verification: to obtain (m, t)_A) The signature verifier calculates whether to verify

The establishment of the equation is that the verifier accepts tau_AAs a prerequisite for the signature of the message m. Wherein,

and/or

Can be calculated and stored in advance by the signature verifier, orAnd/or

As part of the signer public key.

This embodiment has the advantage that the computational complexity of signature verification can be reduced by one exponential operation if δ is 0 (the disadvantage is the longer public and private keys). To shorten the yield of the signature, only τ may be used_AAs a signature. At this time, the verifier needs to calculate τ by himself/herself_AAnd the y-axis coordinate value of (2), andor

As acceptance τ_AAs a prerequisite for the signature of the message m.

Signature embodiment-4:

public key: the public key of the signer includes:

and

the public key of the signer may also contain a value that the verifier can calculate in advance:

and

and

private key: x is the number of₁，x₂Wherein x is₁，x₂From

The selection is carried out randomly.

Signature: signer computation

Wherein

Is an output belonging to

A hash function of (if

Can order

)，

Each of which constitutes an output belonging to

Or the value of the x-axis coordinate of the output input to N_AThe modulus value of (1); if it is

Can order

i belongs to {1, 2}, if

Can order

Output X_iOne length of (1) is | N_AA substring of | s. Tau is_AAs a signature on message m. Note that: the computational complexity of the signer is equivalent to an exponential operation. In some applications, the identity of the signer may also be used

As

Of one subset of input parameters.

And (3) verification: to obtain (m, t)_A) The signature verifier calculates whether to verify

The establishment of the equation is that the verifier accepts tau_AAs a prerequisite for the signature of the message m. Wherein,and

and

can be calculated and stored in advance by the signature verifier, orAnd

and

as part of the public key of the signer.

This embodiment has the advantage that the online computational complexity of signature verification can be only for one common generator

And a bilinear pair computation. To shorten the yield of the signature, only τ may be used_AAs a signature. At this time, the verifier needs to calculate τ by himself/herself_AAnd the y-axis coordinate value of (2), and

or

As acceptance τ_AAs a prerequisite for the signature of the message m.

Signature embodiment-5:

public key: the public key of the signer includes:

signer's official certificateThe key may also contain a value that the verifier can calculate in advance:

and/or

Private key: x is the number of₁Wherein x is₁FromThe selection is carried out randomly.

Signature: signer computation

τ_AAs a signature on message m. Note that: the computational complexity of the signer is equivalent to an exponential operation. In some applications, the identity of the signer may also be used

As

Or

One of the parameters is input.

And (3) verification: to obtain (m, t)_A) The signature verifier calculates whether to verify

The establishment of the equation is that the verifier accepts tau_AAs a prerequisite for the signature of the message m. Wherein,

and/or

Can be calculated and stored in advance by the signature verifier,or

And/or

As part of the public key of the signer.

To shorten the yield of the signature, only τ may be used_AAs a signature. At this time, the verifier needs to calculate τ by himself/herself_AAnd the y-axis coordinate value of (2), and

or

As acceptance τ_AAs a prerequisite for the signature of the message m.

Key exchange implementation:

given a

Wherein

Are all disclosed.And

either in the same cyclic group or in different groups. If it is

And

in the same way, the first and second,

and

may or may not be equal. The inventive method may be used to establish the session key(s) before two users or three users. For ease of description, we describe three user embodiments. For convenience of description, we assume that all users use the same parameters

And a function

In practical applications, different (partly) parameters and functions may be selected by different usersThe following description is directed to e_AIs one

Efficient bilinear pair mapping. Based on

An efficient key exchange implementation of bilinear pairwise mappings may be obtained accordingly.

Each time the key exchange method is run as a session, each session may be marked by an identity sid. Generally, the sid includes a random number and/or a temporary DH-component (or some coordinate value of the temporary DH component) and/or identity and public key information of the users that are exchanged with each other by the users interacting using a key exchange method; the sid may also contain some timestamp information; sid may also be empty.

User' s

Calculated and sent (or published) with the inventive method:

here, generally, X may be made₁And/or X₂As users

The public key of (a) is stored,

involving usersIdentity and/or public key information of

Involving usersIdentity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information. In particular, it is possible to use, for example,

can be taken as a functionThe input of (1);

user' s

Calculated and sent (or published) with the inventive method:

here, generally, Y may be made₁And/or Y₂As users

The public key of (a) is stored,

involving users

Identity and/or public key information of

Involving usersIdentity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information. In particular, it is possible to use, for example,can be taken as a function

The input of (1);

user' sCalculated and sent (or published) with the inventive method:

here, in general, Z can be made₁And/or Z₂As users

The public key of (a) is stored,

involving users

Identity and/or public key information ofInvolving users

Identity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information. In particular, it is possible to use, for example,

can be taken as a function

The input of (1);

if the above-described key exchange method is used for two-party users, such as usersAnd

user' s

Will tau_BAs an acceptance { Y }₁，…，Y_n，τ_B，m_BA requirement of user

Will tau_AAn experiment ofCertify correctness as Accept { X₁，…，X_n，τ_A，m_AA requirement of. (each user checks or does not check the DH component of the other user, particularly the temporary DH component, isOf (1). ) If the user is

Accept { Y₁，…，Y_n，τ_B，m_B}, user

Computing

Is denoted as K_A(ii) a If the user is

Accept { X₁，…，X_n，τ_A，m_A}, user

Computing

Is denoted as K_B＝K_A. For each K_B＝K_AIn (1)

OrI is equal to or less than 1, j is equal to or less than n, and a session key is derived using a predefined key derivation function KDF. Typically the input to the KDF comprises

Or

And the x-axis coordinate values of (a) and the identity of the user participating in the interaction (this key derivation method applies to all embodiments of the inventive method). In particular, X for session key generation_i，Y _j1 ≦ i, j ≦ n is each a temporary DH component; the above method can also be used for X participating in session key generation_i，Y _j1 ≦ i, j ≦ n is a fixed DH component (e.g., for public key encryption or signcryption schemes). User' s

And

n can be derived by running the one-time key exchange method²(a subset of) session keys. In practical application, we can order

Wherein each x_j，y_jIs a temporary DH index. User' s

And

the generated session key may then be utilized for encryption and/or authentication, among other operations. In the above description of the key exchange method, we assume that the user is

And

the same (n) DH components are contributed, and different users can send different numbers of DH components in practical applications.

If the key exchange method is used for the situation of three-party users, the users

Will tau_BAnd τ_CAs an acceptance { Y }₁，…，Y_n，τ_B，m_BAnd { Z }₁，…，Z_n，τ_C，m_CA requirement of. User' s

Will tau_A，τ_CAs acceptance { X)₁，…，X_n，τ_A，m_AAnd { Z }₁，…，Z_n，τ_C，m_CA requirement of. User' s

Will tau_A，τ_BAs acceptance { X)₁，…，X_n，τ_A，m_AAnd { Y }₁，…，Y_n，τ_B，m_BA requirement of. (each user checks to confirm or not to confirm DH components, particularly temporary DH components, of the other two users belonging to) If both users receive the information sent by the other side, the users

Computing

Is denoted as K_AUser of

Computing

Is denoted as K_BUser of

Computing

Is denoted as K_CWherein

To a certain subset of (a). For each one

A session key is derived using a predefined key derivation function KDF. Typically, the input to the KDF includes

OrAnd the x-axis coordinate values of (a) and the identity of the user participating in the interaction (here, the identity of the three-party user). In particular, X for session key generation_i，Y_j，Z _k1 ≦ i, j, k ≦ n is a temporary DH component; the above method can also be used for X participating in session key generation_i，Y_j，Z_kSome subset of 1 ≦ i, j, k ≦ n is a fixed DH component (e.g., for public key encryption or signcryption schemes). User' s

And

and

n can be derived by running the one-time key exchange method³(a subset of) session keys. In practical application, we can orderWherein each x_i，y_j，z_jIs a temporary DH index. By usingHousehold

And

and

the generated session key may then be utilized for encryption and/or authentication, among other operations. In the above description of the key exchange method, we assume that the user isAnd

and

the same (n) DH components are contributed, and different users can send different numbers of DH components in practical applications.

Identity-based (or certificateless) signature implementation:

given a

Wherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging toThe hash function of (1).

And

either in the same cyclic group or in different groups. Here, for the convenience of description, we assume that all users use the same

In practical applications, users with different ID may use different parameters

The following description is directed to e_AIs one

Efficient bilinear pair mapping. Based on

An efficient implementation of bilinear pairwise mapping may be obtained accordingly. In particular, for certificateless signature implementations, the signature is based on

Efficient bilinear mapping implementation is more preferable (because of the signature, i.e., τ, at this time)_AShorter).

Trusted user public and private keys: trusted user computing

Wherein s is selected from

The selection is carried out randomly. Order to

Is the public key of the trusted user and s is the private key of the trusted user.

User public and private keys: all using said inventive method and the same trusted applicationUser public key P_pubThe public key of the user with the identity ID is recorded as Q_ID＝H_ID(ID) or Q_ID＝H_ID(ID，P_pub) In which H is_IDIs an output belonging toThe hash function of (1); the private key of the user ID is noted

There is a trusted user calculation and sends to the user ID over a secure channel. If used in a certificateless cryptographic system implementation, a subset of the fixed DH components contributed by each user is also part of the user's public key.

By the user

For example, the public key is

Or

The private key is marked as

And m is information to be signed. The signer has an identity of

Identity-based signature embodiment-1:

order to $g_A^S={\mathrm{<figure-callout\; id="1"\; label="g\; A"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">g</figure-callout>}}_A^{},$ $g_A^P=g_A^2.$

Signature: signer computation

Wherein H₁Is an output belonging to

A hash function of (1). (X)₁，X₂，τ_A) As a signature on message m. In some applications, the identity of the signer may also be used

And/or creditable user public key P_pubAs H₁One of the parameters is input. X₁，X₂Can be calculated in advance by the signer; for certificateless signature implementation, X₁And/or X₂As part of the signer public key.

And (3) verification: to obtain (m, X)₁，X₂，τ_A) If, if

The signature verifier calculates whether to verify

The establishment of the equation is accepted by the verifier (X)₁，X₂，τ_A) As a necessary strip for signing message mAnd (3) a component. Wherein e is_A(Q_A，P_pub) Can be calculated and stored in advance by the signature verifier, or e_A(Q_A，P_pub) As part of the signer public key. Verifier verification or non-verification X₁，

If X is verified₁，

Then X will be₁，

As receiving (X)₁，X₂，τ_A) As a prerequisite for the signature of the message m. Verification of X₁，And verification

The order of (A) can be arbitrary, in general, X is checked first₁，

And/or

Post verification

The advantages of this embodiment are: (1) efficient signature verification. By pre-calculation, the calculation complexity of the verifier can be reduced to an exponential and a bilinear pairing operation; (2) signature private key

Can be used only in pre-calculation, and can better protect the private signature key.

Based on bodySignature embodiment of shares-2:

order to $g_A^S=g_A^2,$ $g_A^P={\mathrm{<figure-callout\; id="1"\; label="g\; A"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">g</figure-callout>}}_A^{}.$

Signature: signer computation

Wherein H₁Is an output belonging to

A hash function of (1). Delta is X₁Or Q_AOr P_pubIs one of the coordinate values of (in particular, the x-axis coordinate), or δ is from

Of a randomly selected constant c, or

H_δIs an output belonging to

The hash function of (a) of (b),

is that

A subset of (a).In some interactive application environments, δ may be defined by the user

The other users of the interaction generate and send to

(X₁，τ_A) As a signature on message m. In some applications, the identity of the signer may also be used

And/or creditable user public key P_pubAs H₁One of the parameters is input. X₁Can be calculated in advance by the signer; for certificateless signature implementation, X₁As part of the signer public key. To facilitate signature verification, δ and/orAs part of the public key of the signer and/or as part of the public key of the trusted user.

And (3) verification: to obtain (m, X)₁，τ_A) If, if

The signature verifier calculates whether to verify

The establishment of the equation is accepted by the verifier (X)₁，τ_A) As a prerequisite for the signature of the message m. Wherein e is_A(P_pub，Q₁) Can be calculated and stored in advance by the signature verifier, or e_A(P_pub，Q₁) As part of the signer public key. Verifier verification or non-verification

If it is verified

Then will be

As a prerequisite for the signature of the message m. Authentication

And verification

The order of (A) can be arbitrary, in general, first checking

Post verification

Identity-based signature implementation-3:

order to $g_A^S=g_A^2,$ $g_A^P={\mathrm{<figure-callout\; id="1"\; label="g\; A"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">g</figure-callout>}}_A^{}.$

Signature: signer computation Wherein

Form an output belonging to

Or outputs a coordinate value (particularly, x-axis coordinate) of its input; for example,

if it is

Can order

If it is

Can order

Output X_iOne length of (1) is | N_AA substring of | s. In some applications, the identity of the signer may also be used

And/or creditable user public key P_pubAs H₀And/orOne of the parameters is input. X₁Can be calculated in advance by the signer; for certificateless signature implementation, X₁OrAs part of the signer public key.

And (3) verification: to obtain (m, X)₁，τ_A) If, if

The signature verifier calculates whether to verify

The establishment of the equation is accepted by the verifier (X)₁，τ_A) As a prerequisite for the signature of the message m. Wherein e is_A(P_pub，Q_A) Can be calculated and stored in advance by the signature verifier, or e_A(P_pub，Q_A) As part of the signer public key. Verifier verification or non-verification

If it is verified

Then will be

As a prerequisite for the signature of the message m. Authentication

And/orAnd verification

The order of (A) can be arbitrary, in general, first checkingAnd/or

Post verification

Identity-based signature implementation-4:

order to $g_A^S=g_A^2,$ $g_A^P={\mathrm{<figure-callout\; id="1"\; label="g\; A"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">g</figure-callout>}}_A^{}.$

Signature: signer computation

Wherein H₁Is an output belonging to

A hash function of (1). (X)₁，X₂，τ_A) As a signature on message m. In some applications, the identity of the signer may also be used

And/or creditable user public key P_pubAs H₁One of the parameters is input. X₁，X₂Can be calculated in advance by the signer; for certificateless signature implementation, X₁And/or X₂As part of the signer public key.

And (3) verification: to obtain (m, X)₁，X₂，τ_A) If, if

The signature verifier calculates whether to verify

The establishment of the equation is accepted by the verifier (X)₁，X₂，τ_A) As a prerequisite for the signature of the message m. Wherein e is_A(P_pub，Q_A) Can be calculated and stored in advance by the signature verifier, or e_A(P_pub，Q_A) As part of the signer public key.

Identity-based signature implementation-5:

order to $g_A^S=g_A^2,$ $g_A^P={\mathrm{<figure-callout\; id="1"\; label="g\; A"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">g</figure-callout>}}_A^{}.$

Signature: signer computation

Wherein

Is an output belonging to

A hash function of (if

Can order)，Each of which constitutes an output belonging to

Or outputs a coordinate value (particularly, x-axis coordinate) of its input; if it is

Can order

i belongs to {1, 2}, if

Can order

Output X_iOne length of (1) is | N_AA substring of | s. (X)₁，X₂，τ_A) As a signature on message m. In some applications, the identity of the signer may also be used

And/or creditable user public key P_pubAs

Of one subset of input parameters. For certificateless signature implementation, X₁And/or X₂As part of the signer public key.

τ_AThere is also the following calculation:

or,

or,wherein δ is X₁Or X₂Or Q_AOr P_pubCoordinates of (2)One of the values, or δ is from

Of a randomly selected constant c, or

H_δIs an output belonging to

The hash function of (a) of (b),

is that

Or a subset thereof. In some interactive application environments, δ may be defined by the user

The other users of the interaction generate and send to

And (3) verification: to obtain (m, X)₁，X₂，τ_A) If, if

The signature verifier calculates whether to verify

The establishment of the equation is accepted by the verifier (X)₁，X₂，τ_A) As a prerequisite for the signature of the message m. Wherein e is_A(P_pub，Q_A) Can be calculated and stored in advance by the signature verifier, or e_A(P_pub，Q_A) As part of the signer public key. Verifier verification or non-verification X₁，

If X is verified₁，

Then X will be₁，

As receiving (X)₁，X₂，τ_A) As a prerequisite for the signature of the message m. Verification of X₁，

And/or

And verification

The order of (A) can be arbitrary, in general, X is checked first₁，

And/or

Post verification <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> </mrow> </msubsup> <msup> <msub> <mi>X</mi> <mn>2</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>X</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mi>P</mi> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <mi>m</mi> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>P</mi> <mi>pub</mi> </msub> <mo>,</mo> <msub> <mi>Q</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>.</mo> </mrow> </math>

Identity (or certificateless) based key exchange implementation:

given a

And a function

Wherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging toThe hash function of (1).

Andeither in the same cyclic group or in different groups. Here, for the convenience of description, we assume that all users use the same

And a function

When applied in a multi-user environment,

1 ≦ i ≦ n indicates that the user ID is calculated τ_IDFunction of time

Is input. In practical applications, users with different ID may use different parameters

Andthe following description is directed to e_AIs oneEfficient bilinear pair mapping. Based on

An efficient implementation of bilinear pairwise mapping may be obtained accordingly.

Trusted user public and private keys: trusted user computing

Wherein s is selected fromThe selection is carried out randomly. Order to

Is the public key of the trusted user and s is the private key of the trusted user.

User public and private keys: all using said inventive method and the same trusted user public key P_pubThe public key of the user with the identity ID is recorded as Q_ID＝H_ID(ID) or Q_ID＝H_ID(ID，P_pub) In which H is_IDIs an output belonging to

The hash function of (1); the private key of the user ID is noted

There is a trusted user calculation and sends to the user ID over a secure channel. If used in a certificateless cryptographic system implementation, a subset of the fixed DH components contributed by each user is also part of the user's public key.

For convenience of description, we assume that all users use the same

Order to

The inventive method may be used to establish the session key(s) before two users or three users. Order user

Has a public key of

Or

The private key is marked as

User' s

Has a public key ofOrThe private key is marked asUser' sHas a public key of

Or

The private key is marked as

In the following description, users with different identity IDs use

Different generators of

To calculate tau_ID. Some values may be pre-calculated or may be calculatedAs part of the public key of the user or trusted user. E.g. e_A(P_pub，Q_A) And/or

Can be used as a user

Part of the public key, e_A(P_pub，Q_B) And/or

Can be used as a user

Part of the public key, e_A(P_pub，Q_C) And/or

Can be used as a user

A part of the public key. Fixed DH components for user contribution, e.g. if X_iWhere 1. ltoreq. i. ltoreq. n is the user

A contributed immobilized DH component of

As users

A public key and/or a part of a trusted user public key.

Each time the key exchange method is run as a session, each session may be marked by an identity sid. Generally, the sid includes random numbers and/or temporary DH-components (or some coordinate value of the temporary DH component) and/or identity and/or public key and/or role information of the users that interact with each other using a key exchange method; the sid may also contain some timestamp information; sid may also be empty.

User' s

Calculated and sent (or published) with the inventive method:

here, to obtain a certificateless implementation, in general, X may be made₁And/or X₂And/or

And/or

As usersIs part of the public key of (accordingly, x)₁And/or x₂As users

A portion of the private key of).

Involving users

Identity and/or public key information of

Involving users

Identity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information and/or the public key of the trusted user. In particular, it is possible to use, for example,

can be taken as a function

The input of (1);

user' s

Calculated and sent (or published) with the inventive method:

wherein, tau_BIs a user

By its private key

Calculated as a basis. Here, to obtain a certificateless implementation, generally, Y may be made₁And/or Y₂And/or

And/or

As users

As part of the public key of the user

Is part of the public key of (accordingly, y)₁And/or y₂As users

A portion of the private key of).

Involving users

Identity and/or public key information of

Involving users

Identity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information and/or the public key of the trusted user. In particular, it is possible to use, for example,

can be taken as a function

The input of (1);

user' s

Calculated and sent (or published) with the inventive method:

wherein, tau_CIs a user

By its private keyAs a basis to calculateIn (1). Here, to obtain a certificateless implementation, in general, Z may be made₁And/or Z₂And/or

And/orAs usersAs part of the public key of the userIs part of the public key of (accordingly, z)₁And/or z₂As usersA portion of the private key of).

Involving usersIdentity and/or public key information of

Involving usersIdentity and/or public key information of and

identity and/or public key information of the other or both parties of the interaction,

it may also contain a session identifier sid and/or some time stamp information and/or the public key of the trusted user. In particular, it is possible to use, for example,

can be taken as a function

The input of (1);

if the above-described key exchange method is used for two-party users, such as users

And

user' s

Validating correctness of τ B, i.e.As acceptance { Y₁，…，Y_n，τ_B，m_BA requirement of user

Will tau_AIs verified for correctness, i.e.

As receiving { X₁，…，X_n，τ_A，m_AA requirement of. Each user checks whether or not the DH component (particularly, temporary DH component) of the user of the confirmation partner belongs to

Or

If the user is

Accept { Y₁，…，Y_n，τ_B，m_B}, user

Computing

Is denoted as K_A(ii) a If the user is

Accept { X₁，…，X_n，τ_A，m_A}, user

Computing

Is denoted as K_B＝K_A. For each K_B＝K_AIn (1)

Or

I is less than or equal to 1, j is less than or equal to n, a session key is derived using a predefined key derivation function KDF, wherein KDF is a certain input parameter comprising

Or

1 ≦ i, j ≦ n. In particular, X for session key generation_i，Y _j1 ≦ i, j ≦ n is each a temporary DH component; the above method can also be used for X participating in session key generation_i，Y _j1 ≦ i, j ≦ n is a fixed DH component (e.g., for public key encryption or signcryption schemes). User' s

And

n can be derived by running the one-time key exchange method²(a subset of) session keys. In practical application, we can order

Wherein each x_j，y_jIs a temporary DH index. User' s

And

the generated session key may then be utilized for encryption and/or authentication, among other operations. In the above description of the key exchange method, we assume that the user is

And

the same (n) DH components are contributed, and different users can send different numbers of DH components in practical applications.

If the key exchange method is used for the situation of three-party users, the users

Will tau_BAnd τ_CIs verified for correctness, i.e.

And is

As acceptance { Y₁，…，Y_n，τ_B，m_BAnd { Z }₁，…，Z_n，τ_C，m_CA requirement of. User' sWill tau_A，τ_CAs acceptance { X)₁，…，X_n，τ_A，m_AAnd { Z }₁，…，Z_n，τ_C，m_CA requirement of. User' s

Will tau_A，τ_BAs acceptance { X)₁，…，X_n，τ_A，m_AAnd { Y }₁，…，Y_n，τ_B，m_BA requirement of. Each user checks whether or not to confirm that the DH components (particularly, temporary DH components) of the other two users belong to

OrIf the user is

Accept { Y₁，…，Y_n，τ_B，m_BAnd { Z }₁，…，Z_n，τ_C，m_C}, user

Computing

Is denoted as K_A(ii) a If the user is

Accept { X₁，…，X_n，τ_A，m_AAnd { Z }₁，…，Z_n，τ_C，m_C}, userComputing

Is denoted as K_B(ii) a If the user isAccept { X₁，…，X_n，τ_A，m_AAnd { Y }₁，…，Y_n，τ_B，m_B}, user

Computing

Is denoted as K_CWherein

To a certain subset of (a). For each oneA session key is derived using a predefined key derivation function KDF. In particular, X for session key generation_i，Y_j，Z _k1 ≦ i, j, k ≦ n is a temporary DH component; the above method can also be used for X participating in session key generation_i，Y_j，Z_kSome subset of 1 ≦ i, j, k ≦ n is a fixed DH component (e.g., for public key encryption or signcryption schemes). User' s

Andand

n can be derived by running the one-time key exchange method³(a subset of) session keys. In practical application, we can order

Wherein each x_i，y_j，z_jIs a temporary DH index. User' s

Andand

the generated session key may then be utilized for encryption and/or authentication, among other operations. In the above description of the key exchange method, we assume that the user is

And

and

the same (n) DH components are contributed, and different users can send different numbers of DH components in practical applications.

Identity (or certificateless) based key exchange implementation-1:

as described in the identity-based (or certificateless) key exchange implementation, wherein,

wherein

Involving users

Identity and/or public key information of, and/or user

Is a role value v_AAnd/or user

Identity and/or public key information of, and/or user

And/or public key information, and/or session identifier sid; in particular, let

Or

If X_iI is 1. ltoreq. n is a fixed DH component, such thatAs users

A public key and/or a portion of a trusted user public key; and/or e_A(P_pub，Q_A) As part of the user's public key, and/or

And/or

As usersA public key and/or a part of a trusted user public key.

Wherein

Involving users

Identity and/or public key information of, and/or user

Is a role value v_BAnd/or user

Identity and/or public key information of, and/or user

And/or public key information, and/or session identifier sid;

wherein

Involving usersIdentity and/or public key information of, and/or user

Is a role value v_CAnd/or user

Identity and/or public key information of, and/or user

And/or public key information, and/or session identifier sid.

Identity (or certificateless) based key exchange implementation-2:

as described in the identity-based (or certificateless) key exchange implementation, where let n-2,wherein H₁Is a transmissionOut of

The hash function of (a) of (b),

involving users

Identity and/or public key information of, and/or userIs a role value v_AAnd/or user

Identity and/or public key information of, and/or user

And/or public key information, and/or session identifier sid; in particular, it is possible to use, for example,orOrOr

WhereinInvolving users

Identity and/or public key information of, and/or userIs a role value v_BAnd/or userIdentity and/or public key information of, and/or user

And/or public key information, and/or session identifier sid; in particular, it is possible to use, for example,

or

OrOr

Wherein

Involving users

Identity and/or public key information of, and/or user

Is a role value v_CAnd/or, users

Identity and/or public key information of, and/or, user

And/or the identity and/or public key information of (a), and/or the session identifier sid; in particular, it is possible to use, for example,or

Or

Or

Identity key exchange based implementation-3:

as described in the identity-based (or certificateless) key exchange implementation, where let n-1,

or,

wherein,

involving users

Identity and/or public key information and/or Q of_AAnd/or user

Is a role value v_AAnd/or user

Identity and/or public key information and/or Q of_BAnd/or userIdentity and/or public key information and/or Q of_CAnd/or a session identifier sid; in particular, it is possible to use, for example,

or

OrOrδ_AIs X₁Or Q_AOr P_pubOne of the coordinate values of (1), or δ_AIs fromOf a randomly selected constant c (the constant c or/and

may be fixed and be part of the public key of the user or trusted user), or

H_δIs an output belonging to

The hash function of (a) of (b),is thatA subset of (a). In some interactive application environments, δ_A(e.g., δ)_AIs a random number) can be communicated to the user

The other users of the interaction generate and send to

To facilitate signature verification, δ_AAnd/or

And/or

As part of the public key of the signer and/or as part of the public key of the trusted user.

Or,

wherein,

involving users

Identity and/or public key information and/or Q of_BAnd/or userIs a role value v_BAnd/or user

Identity and/or public key information and/or Q of_AAnd/or user

Identity and/or public key information and/or Q of_CAnd/or a session identifier sid; in particular, it is possible to use, for example,

or

OrOr

δ_BIs Y₁Or Q_BOr P_pubOne of the coordinate values of (1), or δ_BIs from

Of a randomly selected constant c (the constant c or/and

may be fixed and be part of the public key of the user or trusted user), or

Is that

A subset of (a). In some interactive application environments, δ_B(e.g., δ)_BIs a random number) can be communicated to the user

The other users of the interaction generate and send to

To facilitate signature verification, δ_BAnd/or

And/orAs part of the public key of the signer and/or as part of the public key of the trusted user.

Or,

wherein,

involving users

Identity and/or public key information and/or Q of_CAnd/or user

Is a role value v_CAnd/or userIdentity and/or public key information and/or Q of_AAnd/or user

Identity and/or public key information and/or Q of_BAnd/or a session identifier sid; in particular, it is possible to use, for example,

or

Or

Or

δ_CIs Z₁Or Q_COr P_pubOne of the coordinate values of (1), or δ_CIs from

Of a randomly selected constant c (the constant c or/and

may be fixed and be part of the public key of the user or trusted user), or

Is that

A subset of (a). In some interactive application environments, δ_C(e.g., δ)_CIs a random number) can be communicated to the user

The other users of the interaction generate and send to

To facilitate signature verification, δ_CAnd/or

And/orAs part of the public key of the signer and/or as part of the public key of the trusted user.

Identity-based key exchange implementation-4:

given a

WhereinIs a non-limiting disclosure of the components of,

H_Ais an output belonging to

The hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, wherein

And

order to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected from

The selection is carried out randomly. FromC is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and)

user public and private keys: all usesSaid invention method and same credible user public key P_pubHas an identity of

Is recorded as the public key of the userUser' s

Is marked as

User' s

Is marked as

User' s

Is marked as

User' s

Is marked asUser' s

Is marked as

And

calculated by a trusted user and sent to the user via a secure channel

And

and

let u_A，υ_B，υ_CEither null (i.e., a null string), or υ_A，υ_B，υ_CAre three numerical values different from each other. Such as: upsilon is_A，υ_B，υ_CAll being empty, or upsilon_A＝0，υ_B＝1，υ_C＝2。

(1) User' s

Compute and send

Wherein

sid is the session identifier. Each operation of the inventive method is denoted as a session, each session having a unique identifier, such as sid r_A||r_B(for two-party users

And

in the case of (1) or sid ═ r_A||r_B||r_C(for three-party users

And

and

in the case of (1)), where r)_A，r_B，r_CAre respectively users

And

andthe transmitted random number. Or, for both users

And

in the case of performing a key exchange, let

At this time the user

Only after receiving Y₁Then calculates and transmits tau_A(e.g., user)

Sending X in the first round₁And on the third round, t_A) (ii) a Or, for three-party users

And

and

carry out key exchangeIn the alternative, let

(2) User' s

Compute and send

Wherein <math> <mrow> <msub> <mi>&delta;</mi> <msub> <mi>Y</mi> <mn>1</mn> </msub> </msub> <mo>=</mo> <msub> <mi>x</mi> <msub> <mi>Y</mi> <mn>1</mn> </msub> </msub> <mi>mod</mi> <msub> <mi>N</mi> <mi>A</mi> </msub> <mo>.</mo> </mrow> </math>

(3) User' sCompute and send

Wherein <math> <mrow> <msub> <mi>&delta;</mi> <msub> <mi>z</mi> <mn>1</mn> </msub> </msub> <mo>=</mo> <msub> <mi>x</mi> <msub> <mi>z</mi> <mn>1</mn> </msub> </msub> <mi>mod</mi> <msub> <mi>N</mi> <mi>A</mi> </msub> <mo>.</mo> </mrow> </math>

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain Authentication

(user)Can also verify) User' s

To obtain

Then, verify(user)

Verification can also be verified

). If the verification fails, the operation is stopped;

session key derivation and authentication: user' s

ComputingUser' s

Computing

If the key confirmation is carried out in the session, the userComputing

User' s

Calculation (K)₁，K₂)＝kf(K_A，S_AB) Wherein

User' s

Is sending

While simultaneously transmitting a utilization K₁Computing an authentication value, e.g. Auth (K)₁0) where Auth is a deterministic function (e.g., a hash function, a message authentication code function, a pseudorandom function, etc.); receiving user

By K₁After the calculated authentication value, the userBy K₁And (6) carrying out verification. User' s

Next (in the third round) use K₁Sending a different authentication value, e.g. Auth (K)₁,1). Receive fromUser' s

By K₁After the calculated authentication value, the user

By K₁And (6) carrying out verification. If the verification is passed, the user

Andwill K₂As their session key.

If the key confirmation is not carried out in the session, the user

Setting session key to K KDF (K) directly_A，S_AB) (ii) a User' s

Setting session key to K KDF (K) directly_B，S_AB)。

If the inventive method is implemented in three users,and

andto exchange keys therebetween. User' s

To obtain

And

post verification

And

(user)

Can also verifyAnd

) If the verification is passed, the user

Computing $K_A=e_A{({\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1,Z_1)}^{x_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

User' s

To obtain

And

post verification

And

(user)

Can also verify

And

) If the verification is passed, the user

Computing $K_B=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Z_1)}^{y_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

User' s

To obtain

And

then, verify

And

(user)Can also verify

And) If the verification is passed, the user

Computing $K_C=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Y_1)}^{z_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

Three-party user session key derivation: order to

User' s

Setting the session key to K KDF (K)_A，S_ABC) User of

Setting the session key to K KDF (K)_B，S_ABC) User C sets the session key to K KDF (K)_C，S_ABC)。

Identity-based key exchange implementation-5:

given a

e_A，H_A，N_AWherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging to

The hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, wherein

Order to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected fromThe selection is carried out randomly. From

C is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and

)

user public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity of

Is recorded as the public key of the user

User' s

Is marked as

User' s

Is marked as

User' s

Is marked as

User' sIs marked asUser' s

Is marked as

Andcalculated by a trusted user and sent to the user via a secure channel

And

and

let u_A，υ_B，υ _CEither null (i.e., a null string), or υ_A，υ_B，υ_CAre three numerical values different from each other. Such as: upsilon is_A，υ_B，υ_CAll being empty, or upsilon_A＝0，υ_B＝1，υ_C＝2。

(1) User' s

Compute and send

(2) User' sCompute and send

(3) User' s

Compute and send

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain

Authentication

(user)

Verification can also be verified). User' s

To obtain

Authentication(user)

Can also verify

) If the verification fails, the operation is stopped;

session key derivation and authentication: user' s

Computing

User' s

Computing

If the key confirmation is carried out in the session, the user

Calculation (K)₁，K₂)＝kf(K_B，S_AB) User of

Calculation (K)₁，K₂)＝kf(K_A，S_AB) Wherein

User' sIs sending

While simultaneously transmitting a utilization K₁Computing an authentication value, e.g. Auth (K)₁0) where Auth is a deterministic function (e.g., a hash function, a message authentication code function, a pseudorandom function, etc.); receiving user

By K₁After the calculated authentication value, the user

By K₁And (6) carrying out verification. User' sNext (in the third round) use K₁Sending a different authentication value, e.g. Auth (K)₁,1). Receiving user

By K₁After the calculated authentication value, the user

By K₁And (6) carrying out verification. If the verification is passed, the user

And

will K₂As their session key.

If the key confirmation is not carried out in the session, the userSetting session key to K KDF (K) directly_A，S_AB) (ii) a User' s

Setting session key to K KDF (K) directly_B，S_AB)。

If the inventive method is implemented in three users,

and

and

to exchange keys therebetween. User' s

To obtain

And

post verification

And(user)

Can also verify

And

) If the verification is passed, the user

Computing $K_A=e_A{({\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1,Z_1)}^{x_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

User' sTo obtain

And

post verification

And(user)

Can also verifyAnd

) If the verification is passed, the userComputing

User' s

To obtain

And

then, verify

And

(user)

Can also verify

And

) If the verification is passed, the user

Computing

Three-party user session key derivation: order to

User' s

Setting the session key to K KDF (K)_A，S_ABC) User ofSetting the session key to K KDF (K)_B，S_ABC) User C sets the session key to K KDF (K)_C，S_ABC)。

Identity-based key exchange implementation-6:

given ae_A，H_A，N_AWherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging to

The hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, whereinAnd

order to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected fromThe selection is carried out randomly. From

C is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and

)

user public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity of

Is recorded as the public key of the user

User' sIs marked as

User' s

Is marked asUser' s

Is marked as

User' s

Is marked as

User' s

Is marked as

And

calculated by a trusted user and sent to the user via a secure channel

And

and

let u_A，υ_B，υ_CEither null (i.e., a null string), or υ_A，υ_B，υ_CAre three numerical values different from each other. Such as: upsilon is_A，υ_B，υ_CAll being empty, or upsilon_A＝0，υ_B＝1，υ_C＝2。

(1) User' s

Compute and sendFor certificateless key exchange, X may be₁As a user

Is part of the public key of (1).

(2) User' s

Compute and send

For certificateless key exchange, Y may be₁As a user

Is part of the public key of (1).

(3) User' s

Compute and sendFor certificateless key exchange, Z may be₁As a user

Is part of the public key of (1).

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain

Authentication

(user)Verification can also be verified

And

). User' s

To obtain

Authentication

(user)

Can also verify

And

) If the verification fails, the operation is stopped;

session key derivation and authentication: user' s

Computing

User' sComputing

(for certificateless implementations, user

ComputingUser' s

Computing

) For identity-based implementations, the user

Andone interaction can generate 2 session keys, one from

And

lead out, a from

And

and (6) exporting. If only one session key needs to be generated, the session key can also be generated

And

and (6) exporting.

If the key confirmation is carried out in the session, the user

Computing

Wherein

K_BIs composed of

A non-empty subset of; user' s

Calculation (K)₁，K₂)＝kf(K_A，S_AB) In which K is_A＝K_BIs composed of

Is not an empty subset. (for example,

) User' s

Is sendingWhile simultaneously transmitting a utilization K₁Computing an authentication value, e.g. Auth (K)₁0) where Auth is a deterministic function (e.g., a hash function, a message authentication code function, a pseudorandom function, etc.); receiving user

By K₁After the calculated authentication value, the user

By K₁And (6) carrying out verification. User' s

Next (in the third round) use K₁Sending a different authentication value, e.g. Auth (K)₁,1). Receiving user

By K₁After the calculated authentication value, the user

By K₁And (6) carrying out verification. If the verification is passed, the user

And

will K₂As their session key.

If the key confirmation is not carried out in the session, the userSetting session key to K KDF (K) directly_A，S_AB) (ii) a User' s

Setting session key to K KDF (K) directly_B，S_AB)。

If the inventive method is implemented in three users,

and

and

to exchange keys therebetween. User' s

To obtainAnd

then, verify

And

(user)Can also verify Y₁，

And Z₁，

) If the verification is passed, the user

Computing $K_A^{}$ ${}_1^{}=e_A{({\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1,Z_1)}^{x_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1})$ And $K_A^2=e_A{({\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1,Z_1)}^{x_2}(=e_A{(g_A^P,g_A^P)}^{x_2{y}_2{z}_2}).$

user' s

To obtain

And

post verification

And

(user)

Can also verify X₁，

And Z₁，

) If the verification is passed, the user Computing $K_B^{}$ ${}_1^{}=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Z_1)}^{y_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1})$ And $K_A^2=e_A{(X_2,Z_2)}^{y_2}(=e_A{(g_A^P,g_A^P)}^{x_2{y}_2{z}_2}).$

user' sTo obtain

And

then, verify

And

(user)

Can also verify X₁，

And Y₁，

) If the verification is passed, the user

Computing $K_C^{}$ ${}_1^{}=e_A{({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000426873800012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1,Y_1)}^{z_1}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1})$ And $K_C^2=e_A{(X_2,Y_2)}^{z_2}(=e_A{(g_A^P,g_A^P)}^{x_1{y}_1{z}_1}).$

three-party user session key derivation: order toUser' s

Setting the session key to K KDF (K)_A，S_ABC) User of

Setting the session key to K KDF (K)_B，S_ABC) User C sets the session key to K KDF (K)_C，S_ABC). Wherein

And K is_A＝K_B＝K_C. For certificateless implementations, let

Identity-based key exchange implementation-7:

given a

e_A，H_A，H_AWherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging toThe hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, wherein

Andorder to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected from

The selection is carried out randomly. From

C is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and

)

user public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity ofIs recorded as the public key of the user

User' s

Is marked asUser' s

Is marked as

User' s

Is marked as

Calculated by a trusted user, anRespectively sent to users through a secure channelAnd

(1) user' s

Compute and send

Wherein <math> <mrow> <msub> <mi>&delta;</mi> <msub> <mi>Y</mi> <mn>1</mn> </msub> </msub> <mo>=</mo> <msub> <mi>x</mi> <msub> <mi>Y</mi> <mn>1</mn> </msub> </msub> <mi>mod</mi> <msub> <mi>N</mi> <mi>A</mi> </msub> <mo>.</mo> </mrow> </math>

(2) User' s

Compute and send

Wherein <math> <mrow> <msub> <mi>&delta;</mi> <msub> <mi>X</mi> <mn>1</mn> </msub> </msub> <mo>=</mo> <msub> <mi>x</mi> <msub> <mi>X</mi> <mn>1</mn> </msub> </msub> <mi>mod</mi> <msub> <mi>N</mi> <mi>A</mi> </msub> <mo>.</mo> </mrow> </math>

If the inventive method is used only for two users, e.g. for

And

(then no user is needed)

Participate), a key exchange is performed. User' s

To obtain

Authentication

(user)

Can also verify

) User' sTo obtain

Then, verify

(user)

Verification can also be verified

). And if the verification fails, stopping the operation.

Session key derivation and authentication: user' s

Computing

User' s

Computing

Session key managementAnd

and (6) exporting.

Identity-based key exchange implementation-8:

given a

e_A，H_A，N_AWherein

Is a non-limiting disclosure of the components of,

H_Ais an output belonging to

The hash function of (1). Let e_AIs one

Efficient bilinear pairwise mapping, wherein

And

order to

Is a hash function.

Trusted user public and private keys: trusted user computing

Wherein s is selected from

The selection is carried out randomly. From

C is randomly selected. Order toAnd c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and)

user public and private keys: all using said inventive method and the same trusted user public key P_pubHas an identity of

Is recorded as the public key of the user

User' s

Is marked as

User' s

Is marked as

User' s

Is marked as

Calculated by a trusted user and sent to the user via a secure channel

And

。

(1) user' s

Compute and send $X_1={\left(g_A^P\right)}^{x_1};$

(2) User' s

Computing

(3) User' s

Compute and send

User' sTo obtainThen, verify

(user)

Can also verify

) User' s

To obtain

Then, verify

(user)

Verification can also be verified

). And if the verification fails, stopping the operation.

Session key derivation and authentication: user' s

Computing

User' s

Computing

Session key managementAnd

and (6) exporting.

Identity-based or certificateless key exchange implementation-9:

given a

e_A，H_A，N_AWhereinIs a non-limiting disclosure of the components of,

H_Ais an output belonging toThe hash function of (1). Let e_AIs oneEfficient bilinear pairwise mapping, wherein

And

order to

Is a hash function.

Trusted user public and private keys: trusted user computingWherein s is selected from

The selection is carried out randomly. From

C is randomly selected. Order to

And c and

is the public key of the trusted user and s is the private key of the trusted user. (for some inventive method implementations, it is not necessary that the trusted user's public key include c and

)

user public and private keys: all using said inventive method and the same trusted user public key P_uubHas an identity of

Is recorded as the public key of the user

User' s

Is marked as

User' s

Is marked as

User' s

Is marked as

Calculated by a trusted user and sent to the user via a secure channel

And

(1) user' s

Compute and send

For certificateless key exchange, X may be₁As a user

Is part of the public key of (1).

(2) User' s

Compute and send

For certificateless key exchange, Y may be₁As a user

Is part of the public key of (1).

(3) User' s

Compute and sendUser' s

To obtain

Then, verify

(user)

Can also verify

And

) User' s

To obtain

Then, verify

(user)

Verification can also be verified

And). If the verification fails, the operation is stopped;

session key derivation and authentication: user' s

Computing

User' sComputing(for certificateless implementations, user

Computing

User' s

Computing

) For identity-based implementations, the user

And

one interaction can generate 2 session keys, one from

And

lead out, a from

And

and (6) exporting. If only one session key needs to be generated, the session key can also be generated

And

and (6) exporting.

Claims (14)

1. A method of non-forgeable knowledge proof and message signature authentication, the method comprising:

identity isIs obtained by the user

n is more than or equal to 1, wherein

Is one with N_AFinite Abelian group of ordersAre each generated from

I is more than or equal to 1 and less than or equal to n, a one-way exponential function is formed, and the output is

One element of each

I is more than or equal to 1 and less than or equal to n, constituting a certain at least one parameter

A function of (a); each one of which is

I is more than or equal to 1 and less than or equal to n, constituting a certain at least one parameter x_iA function of wherein

Identity is

Get m_AWherein m is_AIs a collection of public information, wherein

Is a user

A message to be signed for authentication; user' s

To obtain

And the userTo obtain m_AThe sequence of (A) can be arbitrary; x as described above₁，...，X_nCalled user

DH component of (1), x₁，...，x_nCalled user

The secret DH index of (a); x₁，…，X_n，m_ASome are fixed values used in multiple sessions, others are temporary values used in only one session; a DH component or DH index used in a plurality of sessions is referred to as a fixed DH component, and a DH component or DH index used in only one session is referred to as a provisional DH component;

user' s

Computing

Wherein

Is one with N_AFinite Abelian group of orders

The generation element of (a) is generated,

forming a certain at least one parameterAnd its output is

An element of (1), τ_AIs that

Of an element or

The coordinate value of one of the elements in (b),

each of 0 ≦ i ≦ n constitutes a certain value

As a function of the input parameter, λ_AForm a definite one

As a function of the input parameters, τ_AIs thatOf an element or

A coordinate value of one element;

is marked asIs disclosed. Note the book

In the group of

Middle removing

Another one out of them is noted as

Note the book

In the group of

Either public or user

The owned secret value; if it is

Is a user

A secret value of

And is

Is a public parameter, wherein

Is a secret value that is a function of,

e is a certain input parameter including

As a function of (a) or (b),

form a one-way exponential function and have an output of

One of the elements of (a) or (b),

forming a certain at least one parameter

Function of f_pub(s) forming a defined function of at least one parameter s;one of the following publicly verifiable equations is satisfied:

(1) if it is

Are all public values and e_AIs one

Efficient bilinear pairings mapping: <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>;</mo> </mrow> </math>

(2) Or, if

Are all public values and eA is one

Efficient bilinear pairings mapping: <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>;</mo> </mrow> </math>

(3) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:

or

(4) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:

or

(5) Or, if

Is a secret value and e_AIs one

Efficient bilinear pairings mapping:

or

(6) Or,

is a secret value and e_AIs one

Efficient bilinear pairings mapping:

or

Wherein e is_AIs one

Or

An efficient bi-linear pair mapping is achieved,

is N_AIs a finite Abelian group of orders and

or

Is that

The production unit of (1) is provided with a production unit,

forming a certain at least one parameter

And its output is

One of the elements of (a) or (b),

is that a determined input parameter comprisesHas an output of

One of (1)The elements are selected from the group consisting of,is that a determined input parameter comprises

Has an output of

One element of (1);

is that a certain input parameter comprises P_pubFunction having an output ofOne of the elements of (a) or (b),

is that a determined input parameter comprises

Is output as

One element of (1);

the following requirements are met:

1) is provided with

Is a function of

Is a set of all input parameters, then

OrComprisesAnd the x-axis coordinate values of all the provisional DH components or all the provisional DH components, or

Comprises

And a set of coordinate axes for all DH components;

2) given a

Algorithms without probability polynomial time can be based on the parameter | N_AProbability of non-negligible | finding

OrThe temporary DH component and { X } contained in (1)₁，…，X_nContains a different temporary DH-component, wherein

|N_AI denotes N_AThe binary length of (c) satisfies:

a) function(s)

I is 0 or more and n is defined inOutput of (2) is noted

I is more than or equal to 0 and less than or equal to n, wherein

And function

I is 0 or more and n is defined in

At the output ofI is more than or equal to 0 and is more than or equal to n;

b) and/or, is defined inValue of

And is defined inValue of

The same;

c) and/or, is defined in

Value of <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msubsup> <mi>X</mi> <mn>1</mn> <mo>&prime;</mo> </msubsup> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msubsup> <mi>X</mi> <mi>n</mi> <mo>&prime;</mo> </msubsup> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msubsup> <mi>X</mi> <mn>1</mn> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <mo>&prime;</mo> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <msup> <mi>S</mi> <mo>&prime;</mo> </msup> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>,</mo> </mrow> </math> Is equal to

Or

Or

OrWherein

3) Assumption function

I is more than or equal to 1 and less than or equal to n and the output is

A random uniformly distributed element of (a) for any value

Algorithm selection regardless of any polynomial time

Satisfies the following conditions:

a) if n is 1, then

Where ε (| N)_A| is one with | N)_AAnd | is a negligible function of the parameter. Epsilon (| N)_AI) is negligible if for all sufficiently large N_AAnd an arbitrary polynomial p (·),

b) if n is more than or equal to 2, at most one k element {1, …, n } exists, so that for all i, 1 is more than or equal to i is not equal to k is more than or equal to n,

alternatively, for all temporary DH components X_i，1≤i≤n，

To obtainThen, identity isVerifier of (d) verifies tau_AAnd will be τ_AAs a verifier

Receiving

The requirements of (A);

{x₁，…，x_nis asSelected private value, { x₁，…，x_nEither { x } or { x }₁，…，x_n，g_SIs asSecret knowledge to be certified; by running the inventive method, the userProving its true knowledge of secret knowledge in a non-forgeable secure manner x₁，…，x_nEither { x } or { x }₁，…，x_n，g_SAnd are right to

Signature authentication is carried out; wherein,disclosed is

Function(s)

And E, B_pub，f_s，

f_A，λ_A，

φ_A，t_AAre fixed and the same for a group of users or are negotiated by two or more users connected through a network or device.

2. The method of claim 1, if

Is a userThe secret value of (2), then:wherein

Is that a determined input parameter comprises

Is output as

An element of (1), f_s(s) is a function of a determined input parameter including s;

is part of the public key of a trusted user CA; part or all of the public key of CA is contained in m_APerforming the following steps; for each oneUse of the method and public key with identity ID

User of (1), CA calculation

And will be

Sending the user ID through a secure channel; if it is

Definition of

Wherein

Is that

Or will be

Is arranged as

Where r is the user

A random number is selected such that

3. The method of claim 2, wherein <math> <mrow> <mo>{</mo> <msub> <mi>X</mi> <mn>1</mn> </msub> <mo>=</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>1</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>f</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>X</mi> <mi>n</mi> </msub> <mo>=</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mi>n</mi> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>f</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msub> <mi>x</mi> <mi>n</mi> </msub> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>m</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>}</mo> </mrow> </math> Then, the verifier calculates <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or <math> <mrow> <msub> <mi>e</mi> <mi>A</mi> </msub> <msup> <mrow> <mo>(</mo> <msub> <mi>&tau;</mi> <mi>A</mi> </msub> <mo>,</mo> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> <mo>=</mo> <msub> <mi>e</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mrow> <mi>n</mi> <mo>+</mo> <mn>1</mn> </mrow> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>t</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>,</mo> </mrow> </math> Or

Or

Or

Or

Or

OrOr

Or

To verify tau_AThe correctness of the test; if it is

Check validation

For all DH-components or temporary DH-components X_iI is more than or equal to 1 and less than or equal to n, and verified and/or not verified by a verifierAnd/or

And/or X_iAre not 0, and will be verified if such verification is performed

And/or

And/or X_iThe X-axis coordinate value of (a) is not 0 as an acceptance { X [ ]₁，…，X_n，m_A，τ_AThe requirement of (b) }, whereinIs shown as

The number of the unit cells of (a),is shown as

A set of elements other than the unit cell; to verify or not verify

Or

Wherein

Is shown as

A unit cell of (a); verification of tau_AAnd

and/or

And/or X_iThe x-axis coordinate value of (1) is not 0 and verification

Or

The order of (a) and (b) may be arbitrary.

4. The method as claimed in claim 3, wherein

A subset of (2) and a subset of fixed DH-components and m_AAs a subset of users

A portion of the public key of (a); m is_AAs part of the trusted user CA public key;

if it isAnd isOnly the information that is disclosed is included,

as a subset of (may be empty) users

Part of the public key of the trusted user CA or part of the public key of the trusted user CA;

as a subset of users

Or part of the public key of the trusted user CA.

5. The method of claim 3, wherein m_AInvolving usersInformation exchanged with other users, and/or,

and/or disclosed

And/or comprises P_pubPart or all of the public key of the trusted user CA;

involving users

And/or

And/or

And/or public key information and/or time stamp information, and/or contains P_pubOf the public key of the trusted user CA, and/or

Information exchanged with other users using said method via a network or a device

And/orContaining a value v_AWherein upsilon is_AEither a null value or a role-specific value (i.e., different protocol roles for different upsilons)_AValue).

6. The method of claim 5, wherein

Comprises that

Random numbers, and/or a subset of DH-components and/or other random numbers, which are mutually exchanged by users using the method via a network or a device

And/or

And/or identity and/or public key information and/or timestamp information.

7. The method of claims 3, 4, 5, 6, whereinMiddle function

I is more than or equal to 0 and less than or equal to n, and the method is realized as follows:

1)

form an output belonging to

A function of, or if

Is a point on an elliptic curveWhereinIs that

X-axis coordinate value of (1), or ifOrder to

Or if

Order to

Is equal to

One length of (1) is | N_AA substring of |, or

Or

WhereinOr

Containing only usersFixing a subset of the DH components; or if

WhereinOrder to

WhereinIs that a determined input parameter comprisesThe output belongs to

A function of, or if

Order to

Is that a determined input parameter comprises

The output belongs to

A function of or

OrWherein

Or

Is a function of the fixed DH component; if it is

Then

1 ≦ j ≦ n constitutes an output

A function of, or "

", or if

Wherein

Is composed of

Coordinate values of

Or

Or

Or

Or ifThen

If for some j, 1 ≦ j ≦ n,

or

Is not a groupAn element of (1), thenForm an output belonging to

The hash function of (1); in particular, it is possible to use, for example,

wherein

Is a hash function; or

Or

Or

Wherein

Is X_iX-axis coordinate value of (c)₂Is a user

Or a trusted user orInteractive user interface

Selecting a value randomly from the Chinese characters;

2)

i is not less than 0 and not more than n, from F (S)_F) Deriving, where F is a certain input parameter including

Or the input parameters of F at least comprise

And a transient DH component.

8. The method of claim 7, wherein <math> <mrow> <msub> <mi>f</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msup> <msub> <mi>X</mi> <mi>n</mi> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>B</mi> <mi>A</mi> <mn>0</mn> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>g</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>0</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <msup> <msub> <mi>X</mi> <mn>1</mn> </msub> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> </mrow> </msup> <mo>.</mo> <mo>.</mo> <mo>.</mo> <msubsup> <mi>X</mi> <mi>n</mi> <mrow> <msubsup> <mi>h</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>n</mi> </msubsup> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>)</mo> </mrow> <msup> <mrow> <mo>(</mo> <msub> <mi>&lambda;</mi> <mi>A</mi> </msub> <mrow> <mo>(</mo> <msubsup> <mi>S</mi> <mi>A</mi> <mi>&lambda;</mi> </msubsup> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <mn>1</mn> </mrow> </msup> </msup> <mo>,</mo> </mrow> </math> WhereinIs shown as

In that

The inverse of (1).

9. The method of claim 8, wherein the function φ_A，H_AIs a function of the same function as the function,

containing only user identities

Or in addition to the user identity

Outer cover

Further comprises a compound containing P_pubOf a trusted user CA and/or a user

A subset of the fixed DH components of (a); if it is

And is

Is a user

Secret value ofAnd n is more than or equal to 2.

10. The method of claim 9, wherein

H_AIs an output belonging to

The hash function of (a) of (b),

f_pub(s)＝s，f_s(s)＝s，

each of which constitutes a cyclic group or domain; n is a radical of_AIs a prime number, or the product of two or more prime numbers.

11. The method of claim 10, wherein

If it is

Is a value that is disclosed as a value,or

12. The method of claim 10, wherein τ is provided if n-1_AThe following calculation method is adopted:

(1)

wherein

Or is equal to

Or

Is X₁Or

Or

A function of the coordinate values;

(2) or,whereinIn (1)Either one being an output belonging to

The hash function of (a) of (b),

either a hash function or

A function of the coordinate values;

(3) or,

or

Wherein

(4) Or,wherein

And

is an output belongs to

The hash function of (a) of (b),

(5) or,

wherein

And

is an output belongs to

A hash function of

(6) Or,

wherein

WhereinH is a hash function, "| |" represents the connection of character strings, l is more than or equal to 1; if n > 1, then τ_AThe following calculation method is adopted:

(1)

wherein

(2) Or,wherein

(3) Or,

(4) or,

wherein DH component X₁Is fixed for use in multiple sessions;

(5) or,

or

Or

Or

Wherein n is 2, the total weight of the compound,

13. the method as described in 12 above, wherein

And/or X₁And/or X₂And/orAnd/or

And/or

As users

A portion of the public key of (a);

and/or

And/or

As part of the public key of the trusted user CA; and/or

Or

OrAs a subset of users

Part of the public key of the trusted user CA or part of the public key of the trusted user CA; c orOr

Can be both used by users

Can also be generated byThe interactive user generates and sends to

14. The method of claim 7, wherein F (S)_F)＝H(1，S_F)||…||H(l，S_F) H is a hash function, l ≧ 1.

Images