Summary of the invention
The present invention combines PKI public-key cryptosystem, the public-key cryptosystem of identity-based and the advantage of certificateless cryptosystem, disclose a kind of newly based on elliptic curve, do not use two-wire to the concrete methods of realizing without CertPubKey cryptographic system of computing.The present invention adopts new encryption key distribution mode, effectively manages user key.The present invention does not need to carry out complicated certificate management, and do not use Bilinear map computing, user key can be cancelled.On this basis without CertPubKey cryptographic system newly, id-based signatures (Identity Based Signature can be constructed, IBS) scheme, certification (the Identity BasedIdentificaton of identity-based, IBI) key agreement (the Identity Based Authentication Key Exchange of agreement and identity-based, IBAKE) agreement, and for common digital signature, public key encryption, cipher key change and sign close etc., completely compatible with existing elliptic curve cryptography, there is operation efficiency high, take resource few, the clear superiority of high safety, be suitable for the ultra-large system application with mass users.
Of the present inventionly to be made up of believable key generation centre (Key Generation Center, be called for short KGC) and user subject without CertPubKey cryptographic system.It is different without certificate system prototype version that key distribution scheme and Al-Riyami propose, user's secret value be arranged on KGC for before user's generating portion private key, instead of after KGC is user's generating portion private key, and, when KGC is user's generating portion private key, in the mode of signature, user ID and User Part PKI are bound together, public key replacement attack, personation identity attack and forgery attack can be eliminated.Further, two parts key that system generates and user generates is synthesized a double secret key and uses by the present invention, does not need to use Bilinear map computing, can use the existing standard public-key cryptographic keys algorithm based on elliptic curve during crypto-operation.
Implementation method without CertPubKey cryptographic system of the present invention is based upon on conventional elliptic curve, and main contents comprise system foundation, user key generation, user key use and cryptographic algorithm application etc.
1. system is set up
System of the present invention is set up and is completed according to the following steps.
If E:y
^{2}=x
^{3}+ ax+b is finite field F
_{q}on elliptic curve, n is prime number, and m>=1 is positive integer, and G is a n rank basic point on E, h
_{0}(), h
_{1}() ..., h
_{m}() is one group of { HASH function of 0,1}* → [1, n 1].
KGC Stochastic choice m secret value
as main system private key, computing system Your Majesty key: P
_{1}=s
_{1}g ..., P
_{m}=s
_{m}g.The secret s of KGC
_{1}..., s
_{m}, open system parameters
2. user key generates
User key of the present invention is generated and is completed by following steps.
(1) the user subject Stochastic choice secret value of ID is designated
calculate X=xG.Send (ID, X) to KGC.
(2) KGC is after receiving (ID, X), the legitimacy of inspection user ID and identity.Stochastic choice
calculate: P=X+yG, e
_{i}=h
_{i}(ID||P), i=0,1 ..., m, if e
_{0}=0 or e
_{1}..., e
_{m}be 0 entirely, then reselect y.Finally generate User Part private key z=e
_{0}y+e
_{1}s
_{1}+ ... + e
_{m}s
_{m}(mod n), P to user, and publishes as the part PKI of user by loopback (P, z).For ensureing system safety, KGC should ensure to select different y and different P for different users.
(note: symbol || represent the serial connection of data, lower same.)
(3), after user receives (P, z), e is calculated
_{i}=h
_{i}(ID||P), d=e
_{0}x+z (mod n), Q=dG, and verify Q=e
_{0}p+e
_{1}p
_{1}+ ... + e
_{m}p
_{m}whether set up.If set up, then arrange the private key that d is user, P is the part PKI of user, and Q is the actual public key of user.
Note r=x+y, private key for user of the present invention can be expressed as d=e
_{0}r+e
_{1}s
_{1}+ ... + e
_{m}s
_{m}(mod n), described User Part PKI can be expressed as P=rG, and described user's actual public key can be expressed as Q=e
_{0}p+e
_{1}p
_{1}+ ... + e
_{m}p
_{m}, and meet Q=dG.
3. user key uses
(1) private key for user uses
User of the present invention is when using private key, identical with public key algorithm on common elliptic curve, private key d directly can be used to carry out crypto-operation, and separately need not use secret value x and part private key z.
(2) client public key uses
PKI relying party (i.e. public user) of the present invention calculates e by user ID ID and User Part PKI P
_{i}=h
_{i}(ID||P), re-use the actual public key that system PKI calculates user, computing formula is as follows:
Q＝e
_{0}P+e
_{1}P
_{1}+…+e
_{m}P
_{m}。
Because user's secret value x of the present invention is that user independently generates, the actual private key d of user is unknowable to other people, even if be also like this to KGC, therefore user has complete control to private key.
The present invention also comprises a kind of special circumstances, if in above-mentioned generative process, make x be 0, then the actual private key of user is d=z.In this case, the mode of KGC needs safety is by z loopback user, and user does not have complete control to private key.
4. cryptographic algorithm application
Adopt the user key without the generation of CertPubKey cryptographic system implementation method of the present invention to (Q, d) be in fact exactly public private key pair on conventional elliptic curve, so be applicable to the standard public key algorithm on all about elliptic curve, as ECDSA signature algorithm, Schnorr signature algorithm, country SM2 Standard signatures algorithm, public key encryption algorithm and cipher key agreement algorithm etc., when using these public key algorithms, do not need to use Bilinear map computing.
If user signing, Authentication and Key Agreement time, the part of the part PKI of oneself as signature result, certification authority and key agreement data submitted to, recipient then directly can calculate the actual public key of user and not rely on the support of key generation centre.Therefore, except public key encryption, all can be exchanged into id-based signatures (IBS), the certification (IBI) of identity-based and the key agreement (IBAKE) of identity-based based on the signature without CertPubKey cryptographic system of the present invention, Authentication and Key Agreement.
Be described for signature algorithm below:
If signer is user A, it is designated ID
_{a}, part PKI is P
_{a}, use private key d
_{a}the Standard signatures of message M is designated as
then
be exactly the identification signature of this user to message M.
Other users receive the mark ID of this user
_{a}, after message M and signature sigma, first according to user ID
_{a}, User Part PKI P
_{a}with system PKI { P
_{i}calculate the actual public key Q of this user
_{a}, then use PKI Q
_{a}by the signature of Standard signatures proof of algorithm to M
this proof procedure, completely by verifier's complete independently, does not need third party to assist, and is therefore equal to a kind of signature algorithm based on mark.
Public key encryption algorithm and cipher key agreement algorithm can with similar method process.
5. fail safe
Fail safe without CertPubKey cryptographic system implementation method of the present invention is based on following two hypothesis:
A) KGC is believable (being similar to the CA of PKI system).
B) it is computationally infeasible for separating dispersed accumulation (ECDLP) on elliptic curve.
(1) system key fail safe
First, according to ECDLP hypothesis, assailant can not from system PKI P
_{i}obtain system private key s
_{i}.
Resistance against colluders: namely resist the attack that all users conspire to system key.
Assuming that assailant obtains the part PKI of a group of user ID, private key and correspondence:
ID
_{i}，d
_{i}，PP
_{i}，i＝1，2，...，tt＜＜n
Wherein, d
_{i}=e
_{i, 0}r
_{i}+ e
_{i, 1}s
_{1}+ ... + e
_{i, m}s
_{m}(mod n), e
_{i, j}=h
_{j}(ID
_{i}|| PP
_{i}), PP
_{i}=r
_{i}g, ites is desirable to therefrom to obtain system private key s
_{1}..., s
_{m}.
In this group formula, s
_{1}..., s
_{m}, r
_{1}..., r
_{t}unknown to assailant, according to user key create-rule, r
_{i}stochastic generation and different.By the system of linear equations of t equations simultaneousness composition containing t+m unknown:
{e
_{i，0}r
_{i}+e
_{i，1}s
_{1}+…+e
_{i，m}s
_{m}＝d
_{i}(mod n)|i＝1，2，...，t}
This solution of equations space is at least m dimension, due to m>=1, is truly separated s
_{1}..., s
_{m}probability be 1/n
^{m}, also more difficult than solving ECDLP.Therefore, organize user key derivation system private key s from arbitrarily more
_{1}..., s
_{m}be that calculating is upper infeasible, this illustrates that system key of the present invention can resist collusion attack.
(2) user key fail safe
What User Part PKI of the present invention and private key for user formed can be mapped to described system private key to (P, d) signs to user ID Schnorr.Document proves, under random oracle model, Schnorr signature algorithm is safe.In fact, also do not find the effective attack method to Schnorr signature algorithm at present, existing attack method is all equal to substantially separates dispersed accumulation on elliptic curve.Therefore user key generating algorithm of the present invention is safe, and what described User Part PKI and private key formed can not forge (P, d).
(3) algorithm security
Signature algorithm without CertPubKey cryptographic system implementation method employing standard of the present invention, cryptographic algorithm, identity authentication protocol and key agreement protocol, their fail safe gains public acceptance.
(4) property demonstrate,proved certainly of client public key
Of the present invention without in CertPubKey cryptographic system implementation method, when the system of use PKI calculates the actual public key Q of user from user ID ID and part PKI P, be actually a checking to system private key signature (P, d).If checking is correct, namely Q calculates correct, then Q must be actual public key corresponding to user ID.If for a certain reason (as assailant has forged a User Part PKI) make Q mistake in computation, then use the sign test done of Q or public key encryption all can not obtain expected result subsequently, reason is that assailant pseudo-can not produce the private key corresponding with Q.This illustrates that user key of the present invention has a kind of Self-certified, when the system of use PKI calculates the actual public key Q of user from user ID ID and part PKI P, automatic hidden contains the certification to client public key, and the user being only designated ID just has the private key corresponding with P and Q.
(5) there is not trustship in user key
Of the present invention without in CertPubKey cryptographic system implementation method, the private key of user is also unknown to KGC, therefore there is not the trustship problem of user key.Reason is that user key is generated jointly by user and KGC, private key for user d=e
_{0}x+z (mod n), wherein x is unknown to KGC, e
_{0}, z, Q and X are known to KGC, and Q=dG=e
_{0}xG+zG=e
_{0}x+zG, if KGC can know the private key d of user, then KGC is by calculating
draw
$\mathrm{xG}={e}_{0}^{-1}(d-z)G={e}_{0}^{-1}(Q-\mathrm{zG})=X,$ Thus release KGC can separate this ECDLP difficult problem of X=xG, with fail safe hypothesis test.
6. high efficiency
Implementation method without CertPubKey cryptographic system of the present invention, do not use Bilinear map computing, do not use digital certificate, computational efficiency is high, takies resource few, and whole efficiency reaches a new height.
According to measuring and calculating, on the basis that cryptosecurity intensity is suitable, if adopt the Bilinear map computing on super unusual elliptic curve to realize CLPKC, the computing time that a Bilinear map computing expends be the 10-20 of a multi point arithmetic doubly, even if through the Bilinear map computing that optimizes on up-to-date BN curve, the computing time that a Bilinear map computing expends be the 8-10 of a multi point arithmetic doubly.Of the present invention without CertPubKey cryptographic system, do not use complicated Bilinear map computing, only need a small amount of multi point arithmetic and point add operation, calculate the actual private key of user and be reduced to 1/10 many times some amounts of calculation, the computing such as signature/sign test, encrypt/decrypt also adopts the cryptographic algorithm of standard, and amount of calculation reaches minimum.Therefore, of the present invention is high efficiency without CertPubKey cryptographic system.
Of the present invention without in CertPubKey cryptographic system implementation method, KGC needs saved system private key and system parameters.Often generate a user key, system only needs to preserve the mark of user and part PKI and random number y.The storage overhead of KGC is quite little as can be seen here, therefore invents the described system application being suitable for extensive mass users without CertPubKey cryptographic system.
Of the present invention without in CertPubKey cryptographic system implementation method, user only needs saved system parameter, private key for user, client public key and part PKI, and storage overhead is very little, saves storage resources and the network bandwidth.User side encryption device only needs to support common elliptic curve cryptography, can use existing chip.
Implementation method without CertPubKey cryptographic system of the present invention, be applicable to the ellipse curve signature algorithm (as ECDSA, SM2, Schnorr scheduling algorithm) of standard, there is the advantage that signature form is simple, signed data is short, add user ID and the part PKI of signer, a digital signature only takies the memory space being equivalent to 2 elliptic curve points.Such as, as finite field F
_{q}when being 256bit with the scale of n, if user ID length is no more than 32 bytes, then signature is no more than 128 bytes with the total length of user ID and User Part PKI.Therefore, the transmission and the checking that are conducive to signature without certificate signature that adopt the present invention to generate.
Embodiment
Implementation method without CertPubKey cryptographic system of the present invention, based on conventional elliptic curve, does not use Bilinear map computing, and two parts synthesis that user key is independently generated by KGC and user self, building-up process is completed by KGC.The specific embodiment of the present invention and simplification thereof and distortion are described below in detail.Should be understood that following embodiment is for illustration of the present invention instead of limits the scope of the invention.
Embodiment one
Stage one: system is set up
System is set up and is completed by KGC.
KGC selects finite field F
_{q}on safety elliptic curve E: y
^{2}=x
^{3}+ ax+b, get a n rank point G on E as basic point, wherein n is prime number.Choose positive integer m>=1 again, and one group of { 0,1}
^{*}the HASH function h of → [1, n-1]
_{0}(), h
_{1}() ..., h
_{m}().General selection F
_{q}for prime field, and the bit number of q and n is more than 192, such as, can select the elliptic curve parameter that national SM2 standard specifies.In SM2 standard, the bit number of q and n is all 256.
KGC Stochastic choice m secret value
as main system private key, computing system Your Majesty key: P
_{1}=s
_{1}g ..., P
_{m}=s
_{m}g.The secret s of KGC
_{1}..., s
_{m}, open system parameters
Stage two: user key generates
User key generates and is jointly completed by KGC and user.
(1) the user subject Stochastic choice secret value of ID is designated
calculate X=xG, send (ID, X) to KGC.
(2) KGC is after receiving (ID, X), the legitimacy of inspection user ID and identity, for user generates another part private key z.KGC Stochastic choice
calculate: P=X+yG, e
_{i}=h
_{i}(ID||P), i=0,1 ..., m, z=e
_{0}y+e
_{1}s
_{1}+ ... + e
_{m}s
_{m}(mod n).If e
_{0}=0 or e
_{1}..., e
_{m}be 0 entirely, then regenerate y.P to user, and publishes as the part PKI of user by last KGC loopback (P, z).
For ensureing system safety, KGC ensures to select different y and different P for different users by the mode that Database Lists is inquired about.
(3), after user receives (P, z), e is calculated
_{i}=h
_{i}(ID||P), i=0,1 ..., m, d=e
_{0}x+z (mod n), Q=dG, and verify Q=e
_{0}p+e
_{1}p
_{1}+ ... + e
_{m}p
_{m}whether set up.If set up, then arranging d is private key for user, and P is User Part PKI, and Q is user's actual public key.
Stage three: user key uses
(1) private key for user uses
User is when using private key, identical with common public key algorithm, can directly use private key d to carry out crypto-operation.
(2) client public key uses
Client public key relying party (i.e. public user) calculates e by user ID ID and User Part PKI P
_{i}=h
_{i}(ID||P), then by system PKI { P
_{i}calculate the actual public key Q=e of user
_{0}p+e
_{1}p
_{1}ten ... + e
_{m}p
_{m}.
In the present embodiment, the actual public key calculating user needs to carry out m+1 multi point arithmetic and m point add operation.Store m system Your Majesty key and need m × O (G) byte space, wherein O (G) represents the byte number of basic point G.At m=1 in particular cases, the formula calculating user's actual public key becomes Q=e
_{0}p+e
_{1}p
_{1}, according to documents and materials display, there is a kind of fast algorithm, make such amount of calculation only be equivalent to the amount of calculation of 1.17 many times points, storing 1 system Your Majesty key needs O (G) byte space.Such as, when the bit number of q and n is all 256, storing 1 system Your Majesty key only needs 64 byte spaces.
Embodiment two
Choose elliptic curve as embodiment one.Getting m > 1, h () is { 0 a, 1}
^{*}→ [1,2
^{m}-1] HASH function, the open parameter of system is
at user key generation phase, the definition of x and y, as embodiment one, makes e=h (ID||P), e is pressed binary expansion, be designated as e=(e
_{1}, e
_{2}..., e
_{m})
_{2}, wherein e
_{i}∈ 0,1}, i=1 ..., m.The private key for user finally generated is d=x+y+e
_{1}s
_{1}+ ... + e
_{m}s
_{m}(mod n), the part PKI of user is P=xG+yG, and the actual public key of user is Q=P+e
_{1}p
_{1}+ ... + e
_{m}p
_{m}.
Work as e
_{i}when=0, i-th of calculating in the formula of Q will not occur, therefore calculating user's actual public key on average only needs to carry out m/2 point add operation.As m < log
_{2}n, time (), the time that the time calculating Q cost spends than 1 multi point arithmetic wants much less, therefore adopts and can obtain higher efficiency in this way.For ensureing safety, General Requirements m >=128 in practical application.Such as when the bit number of n is 256, once many times of points calculate average needs 255 double point processings and 128 point add operations.Get m=128, the present embodiment calculates the actual public key of user on average needs 64 point add operations, is 1/6 of one many times some amounts of calculation, and stores 128 system Your Majesty keys and only need 8K byte space.The amount of calculation of the present embodiment calculating user actual public key is 1/ (6m) of embodiment one.
Embodiment three
Choose elliptic curve as embodiment one.Get l, N is positive integer, m≤2
^{n}, h () is { 0 a, 1}
^{*}→ [1,2
^{lN}-1] HASH function, the open parameter of system is
at user key generation phase, the definition of x and y, as embodiment one, makes e=h (ID||P), and launched by binary bits by e, every N continuous bit forms a word, forms l word altogether, is denoted as e=(w
_{1}, w
_{2}..., w
_{l})
_{n}, then make e
_{i}=w
_{i}(mod m)+1, then e
_{i}∈ [1, m], i=1 ..., l.The private key for user finally generated is d=x+y+s
_{e1}+ ... + s
_{el}(mod n), the part PKI of user is P=xG+yG, and the PKI of user's reality is Q=P+P
_{e1}+ ... + P
_{el}.
In the present embodiment, calculate user's actual public key only to need to carry out l point add operation.For ensureing safety, require number of combinations
such as when the bit number of n is 256, get N=8, l=32, m=128 can meet the demands.In this case, lN=256, calculating the actual public key of user only needs 32 point add operations, than fast 12 times of calculating one many times points, and stores 128 system Your Majesty keys and only needs 8K byte space, therefore obtain the efficiency higher than embodiment two.
Embodiment four
Choose elliptic curve as embodiment one.Getting N is positive integer, meets mN≤log
_{2}n (), h () is { 0 a, 1}
^{*}→ [1,2
^{mN}-1] HASH function, the open parameter of system is
at user key generation phase, the definition of x and y, as embodiment one, makes e=h (ID||P), and launched by binary bits by e, every N continuous bit forms a word, forms m word altogether, is denoted as e=(e
_{1}, e
_{2}..., e
_{m})
_{n}.The private key for user finally generated is d=x+y+e
_{1}s
_{1}+ ... + e
_{m}s
_{m}(mod n), the part PKI of user is P=xG+yG, and the actual public key of user is Q=P+e
_{1}p
_{1}+ ... + e
_{m}p
_{m}.
In the present embodiment, although calculating user actual public key needs to carry out m multi point arithmetic, e
_{i}be smaller integer, computational efficiency is higher.Such as when the bit number of n is 256, get N=128, m=2, in this case, calculate the actual public key many times points fast 1/4 more common than calculating one of user, and store 2 system Your Majesty keys and only need 128 byte spaces.The present embodiment all takes advantage in computational efficiency and memory space, reaches relative equilibrium over time and space, is a preferred embodiment of the present invention.
Above-described embodiment, only for illustration of connotation of the present invention and technical conceive, uses so that of the present invention and implements, and can not limit the scope of the invention with this.All equivalent transformations of carrying out according to Spirit Essence of the present invention and modification, all should be encompassed within protection scope of the present invention.