CN102664732B - The anti-quantum computation attack of CPK public key system realize method and system - Google Patents

Abstract

What the invention discloses a kind of anti-quantum computation attack of CPK public key system realizes method and system, by the method that computation complexity is become linear complexity, and the method by providing incomplete criterion, quantum calculation is made to become insignificant infinite solution or solve an equation more, including PKI generation module, Digital Signature module, key transmission module；The present invention is generated by key and distribution combines, and enormously simplify the complexity of key management, and meanwhile, PKI and the process of generation are at E²Carry out in rom chip, it is ensured that security of system。CPK is independent of any external support in signature and encryption operation, and then is greatly improved operational efficiency。

Description

The anti-quantum computation attack of CPK public key system realize method and system

Technical field

The present invention relates to cryptographic technique and field of computer technology, realize method and system particularly to a kind of anti-quantum computation attack of CPK public key system。

Background technology

In recent years, due to developing rapidly of quantum information especially quantum calculation research, the safety that contemporary cryptology (is also known as classical cryptoraphy relative to quantum cryptology) receives serious challenge。The appearance of First quantum computer, making over can not exhaustive amount, become now feasible, the existing password being based upon on exhaustive amount basis is created great impact, has research worker to declare: public key system existing after 15 years and digital signature protocol are almost all " death "。CPK is a kind of new public key system, and the research cycle of a New System is very long, generally, is at least 10 years。If a New System only has the life cycle of 10 years or 15 years, this New System just meaning not。

Present CPK obtains the official approval of country, combine in bulletin in five ministries and commissions (Committee of Development and Reform, the Department of Science and Technology, Ministry of Industry and Information, Department of Commerce, Department of Intellectual Property), CPK is also listed in " but front industrialization of new high-technology major fields guide first developed ", these are all had higher requirement to CPK, below in conjunction with the concrete instance of CPK, the quantum computation attack described below impact on CPK。

First the feature of quantum calculation is analyzed；DWave company provides the calculation step comparison diagram of a table, the calculation procedure of the quantum calculation that Fig. 1 provides and electronic computer for the embodiment of the present invention, as it is shown in figure 1, the calculation procedure of RSA factorisation is compared。Give two curves: curve be a quantum chip or one second completes calculation procedure；Another curve is the calculation procedure that the state-of-the-art computer in 500, the whole world expands life cycle 2000 times。

As can be seen from the table, the calculation procedure of quantum calculation is considerably less than different computer, thus calculates speed and be exceedingly fast。Secondly, quantum calculation is little affected by the impact of key length, and the decomposition step of 1024bit is almost suitable with the decomposition step of 2048bit。The accuracy rate of current quantum computer only reaches 78%, is mainly used in the fields such as pattern recognition, but after 15 years, quantum calculation function is used for code breaking, then what cannot realize in the past exhaustive also becomes feasible。The existing public key system being based upon exhaustive difficulty is proposed serious challenge by this。

Impact on password: from the angle of historical development, the development of password is by the impact of several aspects。First it is by along with the impact of process of industrialization。Industrialized development, various components and parts are provided for cryptographic development, different components and parts constitute different password forms, as: the mechanical close epoch, mainly instead of manual action with mechanical action, electronic age mainly instead of artificial memory, microelectronic age with mnemon, mainly instead of artificial computing with computing unit。Although the form of password is quite different, but the ultimate principle of password, it may be said that it is essentially identical。Therefore, still can there is manual cipher in electronic age, in like manner, in the quantum epoch, still can there is electronics or microelectronics password, and cryptographic essence will not be changed。What cryptography was had a direct impact is hand over letter movable and mathematics。Handing over letter activity is cryptographic primary demand, and without handing over, letter is movable, cryptography just necessity not。The demand handing over letter movable is nothing but differentiate and privacy。Discriminating is that a side produces one's proof, and allows the asymmetric activity that each side verifies, privacy is to allow everybody encrypt, only the asymmetric activity of side's DecryptDecryption。This asymmetric activity, only asymmetric system just can be accomplished, and the method for symmetric system or physics is helpless。Asymmetric system only has abstract mathematical method to build。Quantum mechanics is to physics field, and the epoch-making effect in philosophic thinking field is apparent from, but to field of cryptography, is the renewal of components and parts at present。The impact of code breaking is direct by quantum calculation, by engineering that in the past can not be exhaustive, becomes now feasible, and then has influence on the life-span of existing public key system。

What be therefore badly in need of a kind of CPK public key system that can resist quantum computation attack realizes method and system。

Summary of the invention

In view of this, the technical problem to be solved be a kind of CPK public key system that can resist quantum computation attack realize method and system。

An object of the present invention be propose a kind of CPK public key system that can resist quantum computation attack realize method；The two of the purpose of the present invention be propose a kind of CPK public key system that can resist quantum computation attack realize system。

An object of the present invention is achieved through the following technical solutions:

The anti-quantum computation attack of CPK public key system provided by the invention realize method, by not providing or provide incomplete criterion, exhaustive or infinite can not solve an equation thus being formed, generating method with the PKI of quantum computation attack of contending with, specifically including following steps:

S1: KMC generates private key matrix and PKI matrix A=(r_{I, j}, R_{I, j}), B=(q_{I, j}, Q_{I, j})

S2: described PKI matrix is derived from by private key matrix by below equation:

r_{I, j}G=(x_{I, j}, y_{I, j})=R_{I, j}；Q_{I, j}G=(x_{I, j}, y_{I, j})=Q_{I, j}

Wherein, r_{I, j}And q_{I, j}Represent private key matrix, R_{I, j}And Q_{I, j}Representing PKI matrix, r and q is less than the random number of n, i, the ranks number of j representing matrix；

S3: disclosed each entity identification being mapped to PKI matrix A and forms the procedure function of tagged keys, namely only expose input, output factor, its execution process is not exposed to outside function, the Hash including mark converts the displacement transformation etc. with hash value。

Further, charging in chip after described PKI matrix is encrypted, wherein front 8 row of matrix A are charged in EEPROM and are protected。Described secret variable disappears automatically when external device reads and analyzes。

Further, described tagged keys is implemented by following steps:

S31: described tagged keys is by identifying what the YS sequence of the ID conversion output of the Hash under specific key Hkey realized:

$\mathrm{YS}={\mathrm{Hash}}_{{\mathrm{Hkey}}_i}\left(\mathrm{ID}\right)=w_0.w_1,w_2,\·\·\·,w_{32};v_{0,},\·\·\·,v_{8,};$

Wherein, w₀Word length be 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；

w₁..., w₃₂The row-coordinate of instruction combinatorial matrix A, w₁..., w₃₂Word length be k₁Bit, the row of combinatorial matrix A is long for h₁,8 row of combinatorial matrix A, through displacement transformation。Permutation table is the table of 8 × 8；It is classified as displacement sequence number, behavior displacement starting point；

The row coordinate of matrix A is designated generally as t after displacement₁..t₃₂.

The identity private key of S32:Alice, is calculated by KMC:

${\mathrm{isk}}_{\mathrm{Alice}}=\underset{i=1}{\overset{32}{\mathrm{\Σ}}}{r}_{w_i,t_i}\mathrm{mod}n$

The mark PKI of S33:Alice, is calculated by relying party:

${\mathrm{IPK}}_{\mathrm{Alice}}=\underset{i=1}{\overset{32}{\mathrm{\Σ}}}{R}_{w_i,t_i}$

Wherein, R_{I, j}Represent PKI matrix A, r_{I, j}Represent private key matrix A, t_iRepresent 8 row coordinates after displacement with after the coordinate of natural orders of 24 row, i=1 ..., 32。

Further, in the tagged keys generating function in described step S3, including the Hash conversion to mark, to the displacement of hash value, hash value to the mapping of matrix coordinate, especially by following steps realization:

S34: described combinatorial matrix A is sized to h₁× 32, encipherment protection。Front 8 row of described combinatorial matrix A are through displacement transformation；

S35: described combinatorial matrix B is sized to h2 × 8, encipherment protection。8 row of described combinatorial matrix B are through displacement transformation。

Further, also including the method that realizes of the formation of Split Key, described Split Key is implemented by following steps:

The segmentation private key of S41:Alice is calculated by KMC:

${\mathrm{ssk}}_{\mathrm{Alice}}=\underset{i=1}{\overset{8}{\mathrm{\Σ}}}{q}_{v_i,t_i}\mathrm{mod}n;$

S42: corresponding segmentation PKI is calculated by relying party:

${\mathrm{SPK}}_{\mathrm{Alice}}=\underset{i=1}{\overset{8}{\mathrm{\Σ}}}{Q}_{v_i,t_i};$

Wherein, combinatorial matrix B be sized to (h₂, 8), row-coordinate is by the v in YS sequence_iInstruction, v₀Word length is 6-bit, indicate respectively displacement sequence number word length be 3-bit and displacement starting point word length be 3-bit, t_iThe expression 8 row coordinates after displacement, i=1 ..., 8；Represent the variable in PKI matrix B,Represent the variable in private key matrix B；

V in YS sequence₁..., v₈The row-coordinate of instruction combinatorial matrix B, word length is k₂Bit, the long h of row of combinatorial matrix B₂,；Combinatorial matrix B can provide (h by structure₂)⁸Individual different Split Key, Split Key allows to reuse, and user can be divided into different groups, and every a group can share a Split Key。

Further, the synthesis key of the composition generation Alice of described tagged keys and Split Key synthesis private key alice is charged to the ID-card of Alice:

S51: described synthesis private key csk is calculated by KMC:

csk_Alice=(isk_Alice+ssk_Alice) modn=alice,

The calculating of the synthesis PKI CPK of S52:Alice carries out each relying party:

CPK_Alice=IPK_Alice+SPK_Alice=ALICE。

Further, what also include public network key and private network key realizes method, and a public network can be included a lot of private network, described public network key and private network key and be realized by step in detail below:

S61: the generation of public network key, specifically includes following steps:

The key parameter of public network is defined by public network KMC (public network KMC), has and maintain secrecy in public network, including:

The variable of definition public network matrix A and length

The variable of definition public network matrix B and length

Definition public network Hash key Hkey；

The encryption key Mkey of definition public network matrix A and B

S62: the generation of private network key, specifically includes following steps:

The key parameter of private network is defined by each private network KMC (private network KMC), has and maintain secrecy in private network, including:

1) length of private network matrix A is defined

2) length of private network matrix B is defined

3) the Hash key Hkeyi of respective private network is defined；

S63: if a private network user, it is necessary to during with public network user intercommunication, described public network private key and private network private key would be simultaneously written the ID card of user。Described general private key and area private key are simultaneously written the ID card of user。

Further, also including the method that realizes of digital signature protocol function, described digital signature protocol function implements in the following manner:

By the in the digital signature protocol of ECDSA standard the 2nd article, namely

KG=(x₁, y₁)；

C=x₁Modn；

S=k^-1(h+calice) modn；

It is transformed into:

KG=(x₁, y₁)；

C=(x₁+y₁)²mod2^m；

S=k^-1(h+calice) modn；

Wherein, k is random number, G is the basic point of elliptic curve, (x₁, y₁) be the coordinate of point, the bit number of c is check code, s to be signed codevector, h the be hash value of data, m check code。

Further, described digital signature protocol and indentification protocol, specifically include following steps:

S71:Alice signature process:

Select the signature function of following Alice:

SIG_alice(h)=(s, c)；Wherein, alice is private key, and h is Hash code, and s is signed codevector, and c is check code；

Select a random number k, proceed as follows:

KG=(x₁, y₁)；

C=(x₁+y₁)²mod2^m；

S=k^-1(h+calice) modn；

Wherein, the value of k is 0 < k < n, 2^mSelection for check code length；As m < n, equation becomes solving an equation more。

S72:Alice sends: and sign=(s, c)；

S73: proof procedure:

The checking function of Bob is as follows:

VER_ALICE(s)=c '；Wherein, ALICE is PKI；

Bob calculates PKI according to the mark of Alice；

CPK_Alice=IPK_Alice+SPK_Alice=ALICE；

According to signed codevector sign=, (s c) calculates Bob；

s^-1hG+s^-1CALICE=(x₁', y₁')；

C '=(x₁’+y₁’)²mod2^m；

If c=c ', signature is recognized。

Further, also including the method that realizes of key delivery protocol function, described key delivery protocol function is accomplished by:

RBOB=β；

RG=(x₁, y₁)；

Key=(x₁+y₁)²mod2^64or128；

E_key(data)=code；

Wherein, r is less than the random number of n, β be pass to the key of the other side, E is the encryption function under symmetric key, key is the key for data encryption。

Further, described key delivery protocol, realize especially by following steps:

S81: the encryption function selecting Alice is as follows:

ENC_BOB(key)=β；

E_key(data)=code；

Wherein, ENC is non-asymmetric encryption function, and BOB is the other side's PKI, and r is random number；

The ciphering process of S82:Alice:

Calculate the synthesis PKI of Bob:

CPK_Bob=IPK_Bob+SPK_Bob=BOB；

Alice selects random number r, calculates:

RBOB=β；

RG=(x₁, y₁)；

Key=(x₁+y₁)²mod2^64(or128)；

E_key(data)=code；

{ code, β } is sent to Bob by S83:Alice；

S84: select Bob DecryptDecryption function as follows:

DEC_bob(β)=key；

D_key(code)=data；

Wherein, DEC is asymmetric DecryptDecryption function, and bob is the private key of oneself；

The DecryptDecryption process of S85:Bob:

Decryption key is calculated with the synthesis private key bob of oneself；

(bob)^-1β=rG=(x₁, y₁)；

Key=(x_1a+y₁)²mod2^64(or128)；

D_key(code)=data。

The two of the purpose of the present invention are achieved through the following technical solutions:

The anti-quantum computation attack of CPK public key system provided by the invention realize system, including PKI generation module, Digital Signature module, key transmission module；

Described PKI generation module, for entity identification is mapped as tagged keys, Split Key, is finally complex as synthesis key output, and described PKI generates process all to carry out in chip, deposits in the chips after secret variable used is encrypted,；E in described chip²ROM, for preserving COS, front 8 row of combinatorial matrix A, permutation table, Hash key Hkey etc.；

Described Digital Signature module, is used for realizing digital signature protocol and indentification protocol, and by inputting and output is constituted, its input or output directly do not expose PKI or private key, PKI and private key occur with unsolvable sum form。

The input of described digital signature and authentication module, output factor are as follows:

Alice → signature blocks → (s, c)；

Alice, s → authentication module → c '；

Described key transmission module, is used for realizing key delivery protocol, and by inputting and output is constituted, its input or output directly do not expose PKI or private key, PKI and private key occur with unsolvable sum form。

The encrypting module of described key delivery protocol and the input of DecryptDecryption module, output factor are as follows:

Bob, data → encrypting module → code, β；

β, code → DecryptDecryption module → data；

Wherein, β contains the PKI BOB of Bob, but under the protection of random number。

It is an advantage of the current invention that: the present invention adopts CPK based on the public key system of mark, is generated by key and distribution combines, enormously simplify the complexity of key management。Large numbers of variablees are done system master key by CPK, it is ensured that the safety of system key。CPK is independent of any external support in signature and encryption operation, and then is greatly improved operational efficiency。

Quantum calculation make over cannot be carried out exhaustive become feasible。It is make exhaustive inefficacy that existing public key system tackles the fundamental solution of quantum calculation。The most efficient method making exhaustive inefficacy is not provide criterion。Without distinguishing rule, exhaustive speed is fast also meaningless again。In the equation aG=A of elliptic curve, when PKI A is open, A becomes distinguishing rule, make private key a exhaustive effectively。In order to not make PKI A become distinguishing rule, PKI A must maintain secrecy。Under existing public key system, only just can accomplish the secrecy of PKI based on the public key system of mark。

The further advantage of the present invention, target and feature will be illustrated to a certain extent in the following description, and to a certain extent, will be apparent to those skilled in the art based on to investigating hereafter, or can be instructed from the practice of the present invention。The objects and other advantages of the present invention can be passed through description below, claims, and structure specifically noted in accompanying drawing and realize and obtain。

Accompanying drawing explanation

In order to make the object, technical solutions and advantages of the present invention clearly, below in conjunction with accompanying drawing, the present invention is described in further detail, wherein:

The calculation step comparison diagram of the calculation procedure of the quantum calculation that Fig. 1 provides for the embodiment of the present invention and electronic computer；

In the anti-quantum computation attack of CPK public key system that Fig. 2 provides for the embodiment of the present invention, the key of private key generating function (center) generates and uses schematic diagram；

In the anti-quantum computation attack of CPK public key system that Fig. 3 provides for the embodiment of the present invention, the key of PKI generating function (individuality) generates and uses schematic diagram。

Detailed description of the invention

Below with reference to accompanying drawing, the preferred embodiments of the present invention are described in detail；Should be appreciated that preferred embodiment is only for illustrating the present invention, rather than in order to limit the scope of the invention。

Owing to CPK has possessed the framework that can do with quantum computation attack, construct that also to have the system of vitality in the quantum epoch be possible。CPK adopts the method making quantum exhaustive computations lose meaning, tackles the exhaustive attack of quantum calculation so that existing public key system still can have vitality。As solved an equation: (a+b) mod13=7, mental arithmetic also can solve, but this equation is infinite solution, solves an equation or solve an equation more etc. that it solves unrelated with arithmetic speed due to infinite, it is possible to make exhaustive inefficacy。Any exhaustive only exist during a criterion just meaningful, if not giving complete criterion, or only gives incomplete criterion, makes exhaustive cause infinite solution or solve more, it is impossible to determines correct answer, exhaustive just loses meaning。Criterion when existing password and the method evaded are described below in conjunction with object lesson。

In existing unsymmetrical key, for ECC, aG=A, wherein a is private key, and A is PKI, and G is the basic point of elliptic curve。Basic point G is known facts, if again open for PKI A, then can exhaustive a, unique solution can be obtained, because A becomes criterion。PKI A is made not become the way only one of which of criterion, it is simply that to make PKI A become secret variable。But the key of existing public key system is distributed, and disclosing of PKI can only be leaned on to realize, such as PKI, as long as PKI A is open, just anti-incessantly quantum calculation is exhaustive。But the distribution of the key of some system, it is possible to not disclosing by PKI, such as IBE, CPK etc.。At present, only it is possible to PKI to become secret variable based on the public key system of mark, accomplish to generate PKI to combine with PKI distribution to solve simultaneously, and then underground total key can be accomplished。As: the IBE in IBC, Weil pairing on discrete logarithm, two-wire is to the multiple PKI DKP etc. on CPK, the RSA on upper LBP, elliptic curve。In the public key system based on mark, uniquely the disclosed factor of energy is the mark of each entity, and disclosing of identifying, unrelated with quantum computation attack, but the distribution for PKI provides foundation, and also the secrecy for PKI provides probability。

And for example in existing ECDSA signature agreement, signed codevector is with (s, c) represents, wherein s is signed codevector, and c is check and correction code。S and c is open variable, selects a random number k, first calculates c,

KG=(x₀, y₀)(1)

C=x₀modn(2)

Then signed codevector is calculated:

S=k^-1(h+calice)(3)

Wherein h is hash value, and alice is the private key of Alice。

In (2) formula, if x₀< n, then c directly exposes x₀, by the exhaustive k of (1) formula, obtaining private key alice by (3) formula。

Now change (2) formula into c=x₀mod2^m。Assume that key length is 192-bit, m=40。Exhaustive x in (2) formula₀, it may appear that 2¹⁹²/2⁴⁰=2¹⁵²The individual x meeting c₀。2¹⁵²Individual possible x₀, produce 2 by (1) formula¹⁵²Individual possible k, returns to (3) formula, finally obtains 2¹⁵²Individual possible private key alice。This makes exhaustive to lose meaning。It practice, ECDSA agreement has just changed a modulus, change n into 2^m, when 2^mDuring < n, given criterion (such as c) is unsatisfactory for obtaining the requirement of unique solution, thus having no way of determining correct answer。Check and correction code does not need to take 192-bit, and when taking 40-bit, False Rate is only 1/2⁴⁰, but signature length is reduced to 32 bytes from 48 bytes, more applicable, and meet the principle that future network is energy-conservation。

Be described below in detail how to generate a kind of resist quantum computation attack based on CPK public key system, the PKI of public key secret can be generated system method and digital signature protocol and password allocation management method:

In the anti-quantum computation attack of CPK public key system that Fig. 2 provides for the embodiment of the present invention, the key of private key generating function (center) generates and uses schematic diagram, in the anti-quantum computation attack of CPK public key system that Fig. 3 provides for the embodiment of the present invention, the key of PKI generating function (individuality) generates and uses schematic diagram, as shown in the figure: the anti-quantum computation attack of CPK public key system provided by the invention realize method, by not providing or provide incomplete quantum exhaustive computations criterion, make quantum exhaustive computations become infinite solution or the PKI generation method solved thus being formed more, specifically include following steps:

S1: KMC generates private key matrix and PKI matrix A=(r_{I, j}, R_{I, j}), B=(q_{I, j}, Q_{I, j})；

S2: described PKI matrix is derived from by private key matrix by below equation:

r_{I, j}G=(x_{I, j}, y_{I, j})=R_{I, j}, q_{I, j}G=(x_{I, j}, y_{I, j})=Q_{I, j}

Wherein, r_{I, j}, q_{I, j}Represent private key matrix, R_{I, j}, Q_{I, j}Representing PKI matrix, r, q is less than the random number of n, i, the ranks number of j representing matrix；

S3: disclosed each entity identification being mapped to PKI matrix A and forms the procedure function of tagged keys, namely only expose input, output factor, its execution process is not exposed to outside function, the Hash including mark converts the displacement transformation etc. with hash value。

Charging in chip after described PKI matrix is encrypted, wherein front 8 row of matrix A are charged in EEPROM and are protected。Described secret variable disappears automatically when external device reads and analyzes。

Described tagged keys is implemented by following steps:

S31: described tagged keys is by identifying what the YS sequence of the ID conversion output of the Hash under Hash key Hkey realized:

$\mathrm{YS}={\mathrm{Hash}}_{{\mathrm{key}}_i}\left(\mathrm{ID}\right)=w_0.w_1,w_2,\&CenterDot;\&CenterDot;\&CenterDot;,w_{32};v_{0,},\&CenterDot;\&CenterDot;\&CenterDot;,v_{8,};$

Wherein, w₀Word length be 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；W₁..., w₃₂The row-coordinate of instruction combinatorial matrix A, w₁..., w₃₂Word length be k₁Bit, the row of combinatorial matrix A is long for h₁,8 row of combinatorial matrix A, through displacement transformation, permutation table is the table of 8 × 8；Permutation table be classified as displacement sequence number, behavior displacement starting point；

The row coordinate of combinatorial matrix A is unified after displacement is designated as t_i(i=1..32)

The identity private key isk of S32:Alice, is calculated by KMC:

${\mathrm{isk}}_{\mathrm{Alice}}=\underset{i=1}{\overset{32}{\mathrm{\&Sigma;}}}{r}_{w_i,t_i}\mathrm{mod}n$

The mark PKI IPK of S33:Alice, is calculated by relying party:

${\mathrm{IPK}}_{\mathrm{Alice}}=\underset{i=1}{\overset{32}{\mathrm{\&Sigma;}}}{R}_{w_i,t_i}$

Wherein, R_{I, j}Represent PKI matrix, r_{I, j}Represent private key matrix, w_iRepresent row-coordinate, t_iRepresent row coordinate。

In PKI generating function in described step S3, realize including the Hash conversion of mark and the displacement transformation of hash value, realize especially by following steps:

S34: described combinatorial matrix A is sized to h₁× 32, front 8 row of described combinatorial matrix A, through displacement transformation, write E after permutation table is encrypted²ROM protects；

Now illustrate that displacement transformation is as follows:

Permutation table

Permutation table be classified as displacement sequence number, behavior displacement starting point。With sequence number for 3, starting point is 1 is example:

Also including the method that realizes of the formation of Split Key, described Split Key is implemented by following steps:

S35: described combinatorial matrix B is sized to h₂× 8, for the generation of Split Key。8 row of described combinatorial matrix B are through displacement transformation。

The segmentation private key ssk of S41:Alice is calculated by KMC:

${\mathrm{ssk}}_{\mathrm{Alice}}=\underset{i=1}{\overset{8}{\mathrm{\&Sigma;}}}{q}_{v_i,t_i}\mathrm{mod}n;$

S42: corresponding segmentation PKI SPK is calculated by relying party:

${\mathrm{SPK}}_{\mathrm{Alice}}=\underset{i=1}{\overset{8}{\mathrm{\&Sigma;}}}{Q}_{v_i,t_i};$

Wherein, combinatorial matrix B be sized to (h₂, 8), row-coordinate is by the v in YS sequence_iInstruction, v₀Word length is 3-bit instruction displacement sequence number before 6-bit, Q, rear 3-bit instruction displacement starting point, t_iThe expression 8 row coordinates after displacement, i=1 ..., 8；Represent PKI matrix B,Represent private key matrix B；

v₁..., v₃₂The row-coordinate of instruction combinatorial matrix B, word length is k₂Bit, the long h of row of combinatorial matrix B₂,

The composition generation Alice of described tagged keys and Split Key synthesizes key and synthesis private key alice charges to the ID-card of Alice:

S51: described synthesis private key csk is calculated by KMC:

csk_Alice=(isk_Alice+ssk_Alice) modn=alice,

The calculating of the synthesis PKI CPK of S52:Alice carries out each relying party:

CPK_Alice=IPK_Alice+SPK_Alice=ALICE。

What also include public network key and private network key realizes method, and a public network can be included a lot of private network, described public network key and private network key and be realized by step in detail below:

S61: the generation of public network key, specifically includes following steps:

The key parameter of public network is defined by public network KMC (public network KMC), has and maintain secrecy in public network, including:

The variable of definition public network matrix A and length

The variable of definition public network matrix B and length

Definition public network Hash key Hkey；

The encryption key Mkey of definition public network matrix A and B

S62: the generation of private network key, specifically includes following steps:

The key parameter of private network is defined by each private network KMC (private network KMC), has and maintain secrecy in private network, including:

1) length of private network matrix A is defined

2) length of private network matrix B is defined

3) the Hash key Hkeyi of respective private network is defined；

S63: if a private network user, it is necessary to during with public network user intercommunication, described public network private key and private network private key would be simultaneously written the ID card of user。Described general private key and area private key are simultaneously written the ID card of user。

Also including the method that realizes of digital signature protocol function, described digital signature protocol function implements in the following manner:

By the in the digital signature protocol of ECDSA standard the 2nd article, namely

KG=(x₂, y₁)；

C=x₁Modn；

S=k^-1(h+calice) modn；

It is transformed into:

KG=(x₁, y₁)；

C=(x₁+y₁)²mod2^m；

S=k^-1(h+calice) modn；

Wherein, k is random number, G is elliptic curve basic point, (x₁, y₁) be the coordinate of point, c is check code, s to be signed codevector, h the be hash value of data, m be check code bit number。

Described digital signature protocol and indentification protocol, specifically include following steps:

S71:Alice signature process:

Select the signature function of following Alice:

SIG_alice(h)=(s, c)；Wherein, alice is private key, and h is Hash code, and s is signed codevector, and c is check code；

Select a random number k, proceed as follows:

KG=(x₁, y₁)；

C=(x₁+y₁)²mod2^m；

S=k^-1(h+calice) modn；

Wherein, the value of k is 0 < k < n, 2^mSelection for check code length；As m < n, formed and solve an equation more。

S72:Alice sends: and sign=(s, c)；

S73: proof procedure:

The checking function of Bob is as follows:

VER_ALICE(s)=c '；Wherein, ALICE is PKI；

Bob calculates PKI according to the mark of Alice；

CPK_Alice=IPK_Alice+SPK_Alice=ALICE；

According to signed codevector sign=, (s c) calculates Bob；

s^-1hG+s^-1CALICE=(x₁', y₁')；

C '=(x₁’+y₁’)²mod2^m；

If c=c ', signature is recognized。

Also including the method that realizes of key delivery protocol function, described key delivery protocol function is accomplished by:

RBOB=β；

RG=(x₁, y₁)；

Key=(x₁+y₁)²mod2^64or128；

E_key(data)=code；

Wherein, r is less than the random number of n, β be pass to the key of the other side, E is the encryption function of symmetric key, key is the key to data encryption。

Described cryptographic protocol, realizes especially by following steps:

S81: the encryption function selecting Alice is as follows:

ENC_BOB(key)=β；

E_key(data)=code；

Wherein, ENC is non-asymmetric encryption function, and BOB is the other side's PKI, and r is random number；

The ciphering process of S82:Alice:

Calculate the synthesis PKI of Bob:

CPK_Bob=IPK_Bob+SPK_Bob=BOB；

Alice selects random number r, calculates:

RBOB=β；

RG=(x₁, y₁)；

Key=(x₁+y₁)²mod2^64(or128)；

E_key(data)=code；

{ code, β } is sent to Bob by S83:Alice；

S84: select Bob DecryptDecryption function as follows:

DEC_bob(β)=key；

D_key(code)=data；

Wherein, DEC is asymmetric DecryptDecryption function, and bob is the private key of oneself；

The DecryptDecryption process of S85:Bob:

Decryption key is calculated with the general private key bob of oneself；

(bob)^-1β=rG=(x₁, y₁)；

Key=(x_1a+y₁)²mod2^64(or128)；

D_key(code)=data。

The anti-quantum computation attack of CPK public key system provided by the invention realize system, including PKI generation module, Digital Signature module, key transmission module；

Described PKI generation module, for entity identification is mapped as tagged keys and Split Key, is finally complex as the output of synthesis honeymoon, and described PKI generates process all to carry out in chip, leaves E in after secret variable used is encrypted²In ROM；Described band E²The chip of ROM is for preserving COS, front 8 row of combinatorial matrix A, permutation table, Hash riddle Hkey etc.；

Described Digital Signature module, is used for realizing digital signature and indentification protocol, by inputting and output is constituted, and input and directly do not expose PKI in output and private key, PKI and private key occur with unsolvable sum form。

The input of described digital signature and authentication module, output factor are as follows:

Alice → signature blocks → (s, c)；

Alice, s → authentication module → c '；

Described key transmission module, is used for realizing key delivery protocol, and by inputting and output is constituted, input and output directly do not expose PKI and private key, PKI and private key occur with unsolvable sum form。

The input of cryptographic protocol and DecryptDecryption agreement in described key transmission module, output factor are as follows:

Bob, data → encrypting module → code, β；

β, code → DecryptDecryption module → data；

Wherein, β contains the PKI BOB of Bob, but under the protection of random number；

The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, it is clear that the present invention can be carried out various change and modification without deviating from the spirit and scope of the present invention by those skilled in the art。So, if these amendments of the present invention and modification belong within the scope of the claims in the present invention and equivalent technologies thereof, then the present invention is also intended to comprise these change and modification。

Claims (10)

1. The anti-quantum computation attack of 1.CPK public key system realize method, it is characterized in that: by not providing or provide incomplete criterion, exhaustive or infinite can not solve an equation thus being formed, generating method with the PKI of quantum computation attack of contending with, specifically including following steps:

   S1: KMC generates combinatorial matrix A=(r_i,j, R_i,j) and B=(q_i,j,Q_i,j)；Combinatorial matrix includes PKI matrix and private key matrix；

   S2: described PKI matrix is derived from by private key matrix by below equation:

   r_i,jG=(x_i,j,y_i,j)=R_i,j；Q_i,jG=(x_i,j,y_i,j)=Q_i,j

   Wherein, r_i,j、q_i,jRepresent private key matrix, R_i,j、Q_i,jRepresent PKI matrix, i, the ranks number of j representing matrix；Parameter G is a basic point of elliptic curve, the coordinate x of x-axis_ijRepresent, the coordinate y of y-axis_ijLabelling；

   S3: disclosed each entity identification is mapped to combinatorial matrix A and forms tagged keys, by the generation procedure function of tagged keys, i.e. only expose input, output, its execution process is not exposed to outside function, and the hash including mark converts the displacement transformation with hash value；

   Described tagged keys is implemented by following steps:

   S31: described tagged keys is the YS sequence realization by identifying the ID conversion output of the Hash under specific key Hkey:

   $YS={\mathrm{Hash}}_{{\mathrm{Hkey}}_i}\left(ID\right)=w_0,w_1,w_2,...,w_{32};v_0,...,v_7;$

   Wherein, w₀Word length be 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；Hkey is the key being exclusively used in and mark ID carrying out Hash conversion；I represents that a public network includes the i-th private network of multiple private network；

   w₁..., w₃₂The row-coordinate of instruction combinatorial matrix A, w₁..., w₃₂Word length be k₁Bit, the row of combinatorial matrix A is long for h₁,8 row of combinatorial matrix A are through displacement transformation；Permutation table is the table of 8 × 8；It is classified as displacement sequence number, behavior displacement starting point；

   The row coordinate of combinatorial matrix A is designated generally as t after displacement₁..., t₃₂；

   Wherein, combinatorial matrix B be sized to (h₂, 8), row-coordinate is by the v in YS sequence_iInstruction, v₀Word length is 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；PKI matrix variables and the private key matrix variables of combinatorial matrix B are used respectivelyWithRepresent；V₀..., v₇The row-coordinate of instruction combinatorial matrix B, word length is k₂Bit, the row of combinatorial matrix B is long for h₂,Combinatorial matrix B can provide (h₂)⁸Individual different Split Key, Split Key allows to reuse, and user is divided into different groups, and every a group shares a Split Key；

   The identity private key isk of S32:Alice, is calculated by KMC:

   ${\mathrm{isk}}_{Alice}=\underset{i=1}{\overset{32}{\&Sigma;}}{r}_{w_i,t_i}\mathrm{mod}n;$

   Wherein, footmark w_iIt is r_i,jRow-coordinate, t_iIt is r_i,jThe natural sequence number redefined after displacement；N is the rank of elliptic curve；

   The mark PKI IPK of S33:Alice, is calculated by relying party:

   ${\mathrm{IPK}}_{Alice}=\underset{i=1}{\overset{32}{\&Sigma;}}{R}_{w_i,t_i};$

   Wherein, footmark w_iIt is R_i,jRow-coordinate, t_iIt is R_i,jThe natural sequence number redefined after displacement；

   In described step S3, the generation of tagged keys is by carrying out under the displacement transformation effect of Hash function and permutation table, and wherein, permutation table DiskTable and Hash key Hkey is secret variable, realizes especially by following steps:

   S34: described combinatorial matrix A is sized to h₁× 32, encipherment protection；The front 8 row write EEPROM of described combinatorial matrix A protect and through displacement transformation；

   S35: described combinatorial matrix B is sized to h₂× 8, encipherment protection；8 row of described combinatorial matrix B are through displacement transformation；H₂Represent that the row of combinatorial matrix B is long for h₂。
2. 2. the anti-quantum computation attack of CPK public key system according to claim 1 realize method; it is characterized in that: leave in chip after described combinatorial matrix A is encrypted; its front 8 row then leave in EEPROM to be protected; the generation process of described mark PKI all carries out in chip, and the variable in EEPROM disappears automatically when external device reads and analyzes。
3. 3. the anti-quantum computation attack of CPK public key system according to claim 1 realize method, it is characterised in that: also including the method that realizes of the formation of Split Key, described Split Key is implemented by following steps:

   The segmentation private key of S41:Alice is calculated by KMC:

   ${\mathrm{ssk}}_{Alice}=\underset{i=1}{\overset{8}{\&Sigma;}}{q}_{{\mathrm{\&nu;}}_i,t_i}\mathrm{mod}n;$

   S42: corresponding segmentation PKI is calculated by relying party:

   ${\mathrm{SPK}}_{Alice}=\underset{i=1}{\overset{8}{\&Sigma;}}{Q}_{v_i,t_i};$

   Wherein, combinatorial matrix B be sized to (h₂, 8), row-coordinate is by the v in YS sequence_iInstruction, v₀Word length is 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；PKI matrix variables and the private key matrix variables of combinatorial matrix B are used respectivelyWithRepresent；V₀..., v₇The row-coordinate of instruction combinatorial matrix B, word length is k₂Bit, the row of combinatorial matrix B is long for h₂,Combinatorial matrix B can provide (h₂)⁸Individual different Split Key, Split Key allows to reuse, and user is divided into different groups, and every a group shares a Split Key。
4. 4. the anti-quantum computation attack of CPK public key system according to claim 3 realize method, it is characterized in that: the composition generation Alice of described tagged keys and Split Key synthesizes key and synthesis private key alice charges to the ID-card of Alice, and synthesis key includes synthesis private key and synthesizes PKI:

   S51: synthesis private key csk is calculated by KMC:

   csk_Alice=(isk_Alice+ssk_Alice) modn=alice,

   The calculating of the synthesis PKI CPK of S52:Alice carries out each relying party:

   CPK_Alice=IPK_Alice+SPK_Alice=ALICE。
5. 5. the anti-quantum computation attack of CPK public key system according to claim 4 realize method, it is characterized in that: what also include public network key and private network key realizes method, one public network is included a lot of private network, public network key and private network key and is realized by step in detail below:

   S61: the generation of public network key, specifically includes following steps:

   The key parameter of public network is defined by public network KMC and public network KMC, has and maintain secrecy in public network, including:

   Define variable and the length of the first public network matrix

   Define variable and the length of the second public network matrix

   Definition public network Hash key Hkey；

   Define the encryption key Mkey of first, second public network matrix；

   S62: the generation of private network key, specifically includes following steps:

   The key parameter of private network is defined by each private network KMC and private network KMC, has and maintain secrecy in private network, including:

   Define the length of the first private network matrix

   Define the length of the second private network matrix

   Define the Hash key Hkey of first, second private network matrix_i；

   S63: if a private network user, it is necessary to during with public network user intercommunication, described public network key and private network key would be simultaneously written the ID card of user。
6. 6. the anti-quantum computation attack of CPK public key system according to claim 5 realize method, it is characterised in that: also including the method that realizes of digital signature protocol function, described digital signature protocol function implements in the following manner:

   By the in the digital signature protocol of ECDSA standard the 2nd article, namely

   KG=(x₁,y₁)；

   C=x₁Modn；

   S=k^-1(h+calice) modn；

   It is transformed into:

   KG=(x₁,y₁)；

   C=(x₁+y₁)²mod2^m；

   S=k^-1(h+calice) modn；

   Wherein, k is random number, and G is the basic point of elliptic curve, (x₁, y₁) it is the coordinate put, c is check code, and s is signed codevector, and h is the hash value of data, and m is the bit number of check code。
7. 7. the anti-quantum computation attack of CPK public key system according to claim 6 realize method, it is characterised in that: described digital signature protocol and indentification protocol, specifically include following steps:

   S71:Alice signature process:

   Select the signature function of following Alice:

   SIG_alice(h)=(s, c)；Wherein, alice is synthesis private key, and h is Hash code, and s is signed codevector, and c is check code；

   Select a random number k, proceed as follows:

   KG=(x₁, y₁)；

   C=(x₁+y₁)²mod2^m；

   S=k^-1(h+calice) modn；

   Wherein, the value of k is 0 < k < n, 2^mSelection for check code length；As m, < during n, equation becomes solving an equation more；

   S72:Alice sends: SIG_alice(h)=(s, c)；

   S73: proof procedure:

   The checking function of Bob is as follows:

   VER_ALICE(s)=c '；Wherein, ALICE is synthesis PKI；

   Bob calculates synthesis PKI according to the mark of Alice；

   CPK_Alice=IPK_Alice+SPK_Alice=ALICE；

   Bob is according to signature function SIG_alice(h)=(s, c) calculates:

   s^-1hG+s^-1CALICE=(x₁', y₁')；

   C '=(x₁’+y₁’)²mod2^m；

   If c=c ', signature is recognized。
8. 8. the anti-quantum computation attack of CPK public key system according to claim 7 realize method, it is characterised in that: also including the method that realizes of key delivery protocol function, described key delivery protocol function is accomplished by:

   RBOB=β；

   RG=(x₁, y₁)；

   Key=(x₁+y₁)²mod2⁶⁴Or key=(x₁+y₁)²mod2¹²⁸；

   E_key(data)=code；

   Wherein, r is less than the random number of n, and β is the key passing to the other side, and E is asymmetric encryption function, and key is the key for data encryption, and BOB is the PKI of Bob, and data is the data before encryption, and code is the password after encryption。
9. 9. the anti-quantum computation attack of CPK public key system according to claim 8 realize method, it is characterised in that: described key delivery protocol, especially by following steps realize:

   S81: the encryption function selecting Alice is as follows:

   ENC_BOB(key)=β；

   E_key(data)=code；

   Wherein, ENC is non-asymmetric encryption function, and BOB is the other side's PKI, and r is random number；

   The ciphering process of S82:Alice:

   Calculate the general public key of Bob:

   CPK_Bob=IPK_Bob+SPK_Bob=BOB；

   Alice selects random number r, calculates:

   RBOB=β；

   RG=(x₁, y₁)；

   Key=(x₁+y₁)²mod2⁶⁴Or key=(x₁+y₁)²mod2¹²⁸；

   E_key(data)=code；

   { code, β } is sent to Bob by S83:Alice；

   S84: select Bob DecryptDecryption function as follows:

   DEC_bob(β)=key；

   D_key(code)=data；

   Wherein, DEC is asymmetric DecryptDecryption function, and bob is the synthesis private key of Bob；

   The DecryptDecryption process of S85:Bob:

   Decryption key is calculated with the synthesis private key bob of Bob；

   (bob)^-1β=rG=(x₁, y₁)；

   Key=(x₁+y₁)²mod2⁶⁴Or key=(x₁+y₁)²mod2¹²⁸；

   DecryptDecryption function D_key(code)=data。
10. 10.CPK the anti-quantum computation attack of public key system realize system, it is characterised in that: include PKI generation module, Digital Signature module and key transmission module；

    Described PKI generation module, for entity identification is mapped as tagged keys, Split Key, is finally complex as synthesis PKI output, and PKI generates process all to carry out in chip, deposits in the chips after secret variable is encrypted；EEPROM in described chip, for preserving COS, front 8 row of combinatorial matrix A, permutation table, Hash key Hkey, COS are ChipOperatingSystem, are independently developed chip operating systems；

    Described Digital Signature module, is used for realizing digital signature and protocol verification, by inputting and output is constituted, and input and directly do not expose PKI in output and private key, PKI and private key occur with unsolvable sum form；

    The input of described digital signature and protocol verification, output factor are as follows:

    Alice → signature blocks → (s, c)；

    Alice, s → authentication module → c '；

    Containing signature function SIG in signature blocks_aliceH ()=(s, c), s is signed codevector, and c is check code, containing checking function VER in authentication module_ALICE(s)=c '；

    Described key transmission module, is used for realizing key delivery protocol, and by inputting and output is constituted, input and output directly do not expose PKI and private key, PKI and private key occur with unsolvable sum form；

    The encrypting module of described key delivery protocol and the input of DecryptDecryption module, output factor are as follows:

    Bob, data → encrypting module → code, β；

    β, code → DecryptDecryption module → data；

    Wherein, Alice and Bob is name；β is the key passing to the other side, and data is the data before encryption, and code is the password after encryption, contains the PKI BOB of Bob in β, but under the cryptographic key protection of random definition；

    Described tagged keys is implemented by following steps:

    S31: described tagged keys is the YS sequence realization by identifying the ID conversion output of the Hash under Hash key Hkey:

    YS=Hash_Hkeyi(ID)=w₀, w₁, w₂..., w₃₂；V₀..., v₇；

    Wherein, w₀Word length be 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；Hkey is the key being exclusively used in and mark ID carrying out Hash conversion；I represents that a public network includes the i-th private network of multiple private network；

    w₁..., w₃₂The row-coordinate of instruction combinatorial matrix A, w₁..., w₃₂Word length be k₁Bit, the row of combinatorial matrix A is long for h₁,8 row of combinatorial matrix A are through displacement transformation；Permutation table is the table of 8 × 8；It is classified as displacement sequence number, behavior displacement starting point；KMC generates combinatorial matrix A=(r_i,j, R_i,j) and B=(q_i,j,Q_i,j)；Combinatorial matrix includes PKI matrix and private key matrix；

    PKI matrix is derived from by private key matrix by below equation:

    r_i,jG=(x_i,j,y_i,j)=R_i,j；Q_i,jG=(x_i,j,y_i,j)=Q_i,j

    Wherein, r_i,j、q_i,jRepresent private key matrix, R_i,j、Q_i,jRepresent PKI matrix, i, the ranks number of j representing matrix；Parameter G is a basic point of elliptic curve, the coordinate x of x-axis_ijRepresent, the coordinate y of y-axis_ijLabelling；

    The row coordinate of combinatorial matrix A is designated generally as t after displacement₁..., t₃₂；

    The identity private key isk of S32:Alice, is calculated by KMC:

    ${\mathrm{isk}}_{Alice}=\underset{i=1}{\overset{32}{\&Sigma;}}{r}_{w_i,t_i}\mathrm{mod}n;$

    Wherein, footmark w_iIt is r_i,jRow-coordinate, t_iIt is r_i,jThe natural sequence number redefined after displacement；N is the rank of elliptic curve；

    The mark PKI IPK of S33:Alice, is calculated by relying party:

    ${\mathrm{IPK}}_{Alice}=\underset{i=1}{\overset{32}{\&Sigma;}}{R}_{w_i,t_i};$

    Wherein, footmark w_iIt is R_i,jRow-coordinate, t_iIt is R_i,jThe natural sequence number redefined after displacement；

    The generation of tagged keys is by carrying out under the displacement transformation effect of Hash function and permutation table, and wherein, permutation table DiskTable and Hash key Hkey is secret variable, realizes especially by following steps:

    S34: described combinatorial matrix A is sized to h₁× 32, encipherment protection；The front 8 row write EEPROM of described combinatorial matrix A protect and through displacement transformation；

    S35: described combinatorial matrix B is sized to h₂× 8, encipherment protection；8 row of described combinatorial matrix B are through displacement transformation；H₂Represent that the row of combinatorial matrix B is long for h₂；

    Also including the method that realizes of the formation of Split Key, described Split Key is implemented by following steps:

    The segmentation private key of S41:Alice is calculated by KMC:

    ${\mathrm{ssk}}_{Alice}=\underset{i=1}{\overset{8}{\&Sigma;}}{q}_{{\mathrm{\&nu;}}_i,t_i}\mathrm{mod}n;$

    S42: corresponding segmentation PKI is calculated by relying party:

    ${\mathrm{SPK}}_{Alice}=\underset{i=1}{\overset{8}{\&Sigma;}}{Q}_{v_i,t_i};$

    Wherein, combinatorial matrix B be sized to (h₂, 8), row-coordinate is by the v in YS sequence_iInstruction, v₀Word length is 6-bit, front 3-bit instruction displacement sequence number, rear 3-bit instruction displacement starting point；PKI matrix variables and the private key matrix variables of combinatorial matrix B are used respectivelyWithRepresent；V₀..., v₇The row-coordinate of instruction combinatorial matrix B, word length is k₂Bit, the row of combinatorial matrix B is long for h₂,Combinatorial matrix B can provide (h₂)⁸Individual different Split Key, Split Key allows to reuse, and user is divided into different groups, and every a group shares a Split Key；

    The composition generation Alice of tagged keys and Split Key synthesizes key and synthesis private key alice charges to the ID-card of Alice:

    S51: synthesis private key csk is calculated by KMC:

    csk_Alice=(isk_Alice+ssk_Alice) modn=alice,

    The calculating of the synthesis PKI CPK of S52:Alice carries out each relying party:

    CPK_Alice=IPK_Alice+SPK_Alice=ALICE。