CN104579648A - Ternary-domain anti-error-attack Tate bilinear pairing computation method - Google Patents


Publication number
CN104579648A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310484893.7A
Other languages
Chinese (zh)
Other versions
CN104579648B (en)
Inventor
柴佳晶
王晓静
顾海华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Huahong Integrated Circuit Co Ltd
Original Assignee
Shanghai Huahong Integrated Circuit Co Ltd

Abstract

The invention discloses a Tate bilinear pairing computation method over the ternary field that resists error (fault) attacks. The original Tate bilinear pairing computation is modified by adding a random-number factor to resist error attacks. When the ternary-field Tate bilinear pairing is not attacked, the random-number factor does not affect the final result. When an attack causes a computation error, the result the attacker finally obtains is mixed with the random-number factor. Because the attacker cannot know the value of the random number, the factor cannot be removed from the final result, so no useful information for computing the secret key is obtained. The method therefore effectively resists error attacks on the ternary-field Tate bilinear pairing.

Description

A ternary-field Tate bilinear pairing computation method resistant to fault attacks
Technical field
The present invention relates to an application of public-key cryptography, and in particular to a ternary-field Tate bilinear pairing computation method resistant to fault attacks.
Background technology
In recent years, bilinear pairings have been widely studied and applied because of their bilinearity, non-degeneracy and computability. Pairing-based cryptosystems have attracted attention and research for their distinctive advantages and are gradually being applied in industry. Many international standards bodies are also drafting standards for bilinear pairings, such as ISO/IEC 14888-3 and IEEE P1363.3. Researchers have proposed many pairing-based cryptographic schemes, such as identity-based encryption schemes, short signature schemes, and identity-based authenticated key agreement schemes.
There are two polynomial-time algorithms for computing bilinear pairings, namely the Weil pairing and the Tate pairing on algebraic curves. For curves of the same security level, computing the Tate pairing is much more efficient than computing the Weil pairing. Pairing computation is very complex, and pairing-friendly curves allow a faster implementation. There are three main classes of curves:
$$E(\mathbb{F}_{p^m}): y^2 = x^3 + Ax + B$$
$$E(\mathbb{F}_{2^m}): y^2 + y = x^3 + x + b$$
$$E(\mathbb{F}_{3^m}): y^2 = x^3 - x + b$$
For points $P(\alpha, \beta)$ and $Q(x, y)$ on the curve, the Tate bilinear pairing over the ternary field is computed as follows:
$$\tau_l(P, Q) = f_P(\psi(Q))^{3^{3m}-1}$$
$$f_P(\psi(Q)) = \prod_{i=1}^{3m} \left\{ g_{3^{i-1}P}(\psi(Q)) \right\}^{3^{3m-i}}$$
Here the distortion map of the point $Q(x, y)$ is $\psi(Q) = (\rho - x, y\sigma)$, where $\rho$ and $\sigma$ are field elements satisfying $\rho^3 - \rho - b = 0$ and $\sigma^2 + 1 = 0$. For every point $V(x_V, y_V)$ on the curve, define the rational function $g_V(X, Y)$ with divisor $(g_V) = 3(V) + ([-3]V) - 4(O)$. Because the distortion map $\psi(Q)$ eliminates the denominator computation in $g_V(X, Y)$, the rational function $g_V(X, Y)$ of the point $V$ is the tangent line at $V$. For all such points one obtains
$$g_V(x, y) = l_{V,V} = y_V^3 y - (x_V^3 - x + b)^2$$
Finally, the rational function $f_P(\psi(Q))$ is obtained as:
$$f_P(\psi(Q)) = \prod_{i=1}^{m} \left\{ -\sigma \beta^{(i)} y^{(-i+1)} - \left( \alpha^{(i)} + x^{(-i+1)} - \rho + b \right)^2 \right\}$$
where $x^{(j)}$ denotes
Computing $[3^i]P$ requires a large number of cube-root operations, and cube roots in the ternary field are complex and slow to compute. To compute the Tate bilinear pairing over the ternary field quickly, the cube-root formula above can be converted, through some mathematical transformations, into the following cube-root-free Tate bilinear pairing formula:
$$f_P(\psi(Q)) = \prod_{i=1}^{m} A_i^{3^{m-i}}$$
$$A_i = \lambda - \mu\rho - \rho^2$$
where $\mu = \alpha^{(2i)} + x^{(1)} + (m+1-i)b$ and $\lambda = (-1)^{(i+1)} \sigma \beta^{(2i)} y^{(1)} - \mu^2$.
The cube-root-free method converts cube-root operations into cubing operations, and cubing in the ternary field is simple and fast. The cube-root-free method is therefore the fastest and most efficient way to implement the Tate bilinear pairing over the ternary field. The pairing formula above corresponds to the following cube-root-free implementation.
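Tate bilinear pairing implementation method (curve over the ternary field)
Input: $P = (\alpha, \beta)$, $Q = (x, y)$
Output: $f_P(\psi(Q))^{3^{3m}-1}$
1. $C = 1$
2. $x = x^3$, $y = y^3$, $d = mb$
3. For $i = 1$ to $m$ do
3.1. $\alpha = \alpha^9$, $\beta = \beta^9$
3.2. $\mu = \alpha + x + d$, $\lambda = \sigma\beta y - \mu^2$
3.3. $A = \lambda - \mu\rho - \rho^2$
3.4. $C = C^3 \cdot A$
3.5. $y = -y$, $d = d - b$
4. return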
Page and Vercauteren were the first to propose a fault attack on the Tate bilinear pairing. When an attacker is able to induce a transient or permanent fault that changes the loop count $m$ of the Tate pairing, the attacker can work back to the private-key point $P = (\alpha, \beta)$.
For the Tate pairing implementation above, the attack works as follows. Assume the point $P = (\alpha, \beta)$ is the private key and the point $Q = (x, y)$ is a plaintext chosen by the attacker. First, ignore the final exponentiation of step 4, i.e., assume the attacker can skip it. When the fault changes the loop count from $m$ to $\Delta$, let $\bar{e}_\Delta$ denote the faulty result of step 3.4 and $\bar{e}_m$ the correct result of step 3.4. The simplest attack model assumes the attacker can make $\Delta = m \pm 1$. For $\Delta = m + 1$ one obtains:
$$\bar{e}_\Delta = \bar{e}_m^{\,3} A_{m+1}$$
Given one correct result $\bar{e}_m$ and one faulty result $\bar{e}_\Delta$, the intermediate result $A_{m+1}$ of step $(m+1)$ can be computed, and from it the private key $\alpha$ and $\beta$ can be derived.
Because making $\Delta = m \pm 1$ is less likely and making $\Delta = m \pm r$ is more likely, a pair of attackable results can also be found through repeated attacks:
$$R_1 = \bar{e}_{m \pm r}(P, Q)$$
$$R_2 = \bar{e}_{m \pm r + 1}(P, Q)$$
$$\bar{e}_{m \pm r + 1} = \bar{e}_{m \pm r}^{\,3} A_{m \pm r + 1}$$
That is, given the two faulty results $\bar{e}_{m \pm r}$ and $\bar{e}_{m \pm r + 1}$, the intermediate result $A_{m \pm r + 1}$ of step $(m \pm r + 1)$ can be computed, and from it the private key $\alpha$ and $\beta$ can be derived. Because every loop iteration takes the same time, the value of $r$ can be obtained by observing the running time of the computation.
The factor introduced by the final exponentiation can be shown to be removable by solving an equivalent matrix. The fault attack on the Tate bilinear pairing proposed by Page and Vercauteren can therefore effectively recover the private-key point.
Against the fault attack of Page and Vercauteren, Ghosh et al. proposed a countermeasure that resists the attack by blinding the loop count. It is implemented as follows.
Tate bilinear pairing implementation method proposed by Ghosh, for the curve $E(\mathbb{F}_{3^m}): y^2 = x^3 - x + b$ over the ternary field
Input: $P = (\alpha, \beta)$, $Q = (x, y)$
Output: $f_P(\psi(Q))^{3^{3m}-1}$
1. Generate a random number $r_1$; generate a random positive integer $r_2 \le m$
2. $C_0 = r_1$, $C_1 = 1$
3. $m' = m + r_2$
4. $x = x^3$, $y = y^3$, $d = mb$
5. For $i = 1$ to $m'$ do
5.1. $\alpha = \alpha^9$, $\beta = \beta^9$
5.2. $\mu = \alpha + x + d$, $\lambda = \sigma\beta y - \mu^2$
5.3. $A = \lambda - \mu\rho - \rho^2$
5.4. $C_1 = C_1^3 \cdot A$
5.5. $j = (i == m)$
5.6. $C_0 = C_j$
5.7. $y = -y$, $d = d - b$
6. return
When the attacker changes $m'$, the assignments in steps 5.5 and 5.6 ensure that if the attack makes $m'$ greater than $m$, the final result is still the correct result, and if the attack makes $m'$ less than $m$, the final result is the random number assigned to $C_0$ in step 2. In either case the fault attack fails. When the attacker changes $m$, from $m$ to $m \pm r$, the loop runs $(m \pm r + r_2)$ rounds and outputs the faulty result $R_{m \pm r}$ of the $(m \pm r)$ effective rounds. Ghosh et al. reasoned that although the attacker can obtain the final faulty result $R_{m \pm r}$, timing analysis or power-profile analysis only reveals the blinded loop count $m'$, which equals $(m \pm r + r_2)$. Since $r_2$ is random, the attacker cannot learn the effective faulty loop count $m \pm r$, and the attack of Page and Vercauteren requires knowing the effective faulty loop count exactly, so the attacker cannot carry out the fault attack.
However, this analysis is not entirely correct: although this countermeasure raises the attacker's cost, it is not thorough. The attack of Page and Vercauteren can work from one correct result and one faulty result, and the attacker can analyze the results by exhaustive search. First, the attacker obtains the blinded loop count $m'$ (equal to $(m \pm r + r_2)$) from the power profile. Since $r_2 \le m$, the cases where $(m' - m > m + 1)$ are excluded; for every remaining case the attacker assumes that the effective loop count was changed from $m$ to $m+1$ and checks the private key derived under that assumption, until a case consistent with the attack hypothesis is found. Because deriving the private key $\alpha$ and $\beta$ from each faulty result takes polynomial time, the total time cost is small even if many attacks are needed before the effective loop count is changed from $m$ to $m+1$.
In addition, the authors did not consider the threat that transient faults pose to this implementation. Because the attacker can use the power profile to determine which round the loop has reached, the moment at which a transient fault is injected can be controlled fairly precisely. The attacker can precisely target step 5.5 in round $(m+1)$ so that the variable $j = 0$, either by directly changing the value stored in the memory of the variable $j$ or by attacking the outcome of the test $(i == m)$. Either way, the variable $C_0$ ends up holding the faulty result of round $(m+1)$, so the attacker obtains a usable faulty result. This shows that blinding the loop count is completely ineffective against this kind of attack.
Besides failing to resist fault attacks thoroughly, this countermeasure is also inefficient. Since $r_2$ is a random number less than $m$, the average blinded loop count $m'$ is $1.5m$, which means that the average running time of the Tate bilinear pairing implemented by Ghosh et al. increases by 50%.
Summary of the invention
The technical problem to be solved by the invention is to provide a ternary-field Tate bilinear pairing computation method resistant to fault attacks, which effectively resists fault attacks on the ternary-field Tate bilinear pairing.
To solve the above technical problem, the method of the invention adopts the following technical scheme:
For two points $P(\alpha, \beta)$ and $Q(x, y)$ on the supersingular curve $E(\mathbb{F}_{3^m}): y^2 = x^3 - x + b$, $b \in \{-1, 1\}$, over the ternary field, the cube-root-free Tate bilinear pairing formula is:
$$\tau_l(P, Q) = f_P(\psi(Q))^{3^{3m}-1}$$
$$f_P(\psi(Q)) = \prod_{i=1}^{m} A_i^{3^{m-i}} = (\ldots(((A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m$$
where $A_i = \lambda - \mu\rho - \rho^2$, $\mu = \alpha^{(2i)} + x^{(1)} + (m+1-i)b$, $\lambda = (-1)^{(i+1)} \sigma \beta^{(2i)} y^{(1)} - \mu^2$; $\rho$ and $\sigma$ are field elements satisfying $\rho^3 - \rho - b = 0$ and $\sigma^2 + 1 = 0$.
A random-number factor is added to the computation flow of the cube-root-free Tate bilinear pairing formula above to resist fault attacks. If the loop round count $m$ is not changed, the random-number factor is eliminated by the final exponentiation. If the loop round count $m$ is changed by a fault attack, the result the attacker finally obtains is mixed with the random-number factor; because the attacker cannot learn the value of the random number, the factor cannot be removed from the final result and no useful information for computing the private key is obtained. The steps are as follows:
Step 1: choose a random number $R$
Step 2: compute the rational function $f_P(\psi(Q)) = (\ldots((((R^{3^{2m}})^3 A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m R$;
Step 3: compute the Tate bilinear pairing $\tau_l(P, Q) = f_P(\psi(Q))^{3^{3m}-1}$.
The supersingular curves over the ternary field referred to in step 1 include $y^2 = x^3 - x + 1$ and $y^2 = x^3 - x - 1$.
The invention modifies the original Tate bilinear pairing computation flow by adding a random-number factor to resist fault attacks. When the ternary-field Tate bilinear pairing is not attacked, the random-number factor does not affect the final result. When an attack causes a computation error, the result the attacker finally obtains is mixed with the random-number factor. Because the attacker cannot learn the value of the random number, the factor cannot be removed from the final result and no useful information for computing the key is obtained. The invention therefore effectively resists fault attacks on the ternary-field Tate bilinear pairing.
The time cost added by the invention is very small; a fast and secure fault-attack-resistant Tate bilinear pairing computation over the ternary field is achieved with almost no increase in time cost.
Embodiment
The principle of the ternary-field fault-attack-resistant Tate bilinear pairing computation method is explained below. First, a proof that the result is correct is given for the case in which the loop count is not faulted:
The original ternary-field Tate bilinear pairing computes the rational function $f_P(\psi(Q))$ as follows:
$$F_1 = f_P(\psi(Q)) = (\ldots(((A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m$$
The fault-attack-resistant ternary-field Tate bilinear pairing computes the rational function $f_P(\psi(Q))$ as follows:
$$F_2 = f_P(\psi(Q)) = (\ldots((((R^{3^{2m}})^3 A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m R$$
When the loop count $m$ is not changed, after $m$ rounds of computation, and by the property satisfied by the element $R$ of the finite field, it follows that $F_2^{3^{3m}-1} = (F_1 \cdot R^{3^{3m}+1})^{3^{3m}-1}$. Therefore, after the final exponentiation $f_P(\psi(Q))^{3^{3m}-1}$, the factor of the random number $R$ is eliminated and the correct, unblinded pairing result is obtained.
The resistance of the method to fault attacks is analyzed below:
Suppose the attacker changes the loop count, i.e., the attack changes the loop count to $m \pm \Delta$. After $m \pm \Delta$ rounds of computation, denote by $\bar{F}_1$ the result of the rational function $f_P(\psi(Q))$ without the countermeasure and by $\bar{F}_2$ the result with the countermeasure. After the final exponentiation, the final result is $\bar{F}_2^{(3^{3m}-1)} = \bar{F}_1^{(3^{3m}-1)} \cdot (R^{3^{3m \pm \Delta}+1})^{(3^{3m}-1)}$. The attacker wants the effective faulty result $\bar{F}_1^{(3^{3m}-1)}$, but with the countermeasure in place the attacker can only obtain the blinded faulty result $\bar{F}_2^{(3^{3m}-1)}$. Because the random number $R$ is unknown, when the factor $(R^{3^{3m \pm \Delta}+1})^{(3^{3m}-1)}$ is not equal to 1 the attacker cannot remove the random-number factor from the blinded faulty result and so cannot compute the true faulty result. Moreover, most values of $\Delta$ leave the final faulty result blinded; only when $\Delta \,\%\, 6m = 0$ can the attacker obtain the unblinded faulty result.
We first prove that the blinding factor equals 1 if and only if $\Delta \,\%\, 6m = 0$:
$$(R^{3^{3m \pm \Delta}+1})^{(3^{3m}-1)} = (R^{3^{3m \pm \Delta}})^{(3^{3m}-1)} \cdot R^{(3^{3m}-1)} = (R^{3^{3m}})^{(3^{3m}-1)\,3^{\pm\Delta}} \cdot R^{(3^{3m}-1)} = (R^{3^{6m}-3^{3m}})^{3^{\pm\Delta}} \cdot R^{(3^{3m}-1)}$$
$$= (R^{3^{6m}-1})^{3^{\pm\Delta}} \cdot (R^{1-3^{3m}})^{3^{\pm\Delta}} \cdot R^{(3^{3m}-1)} = (R^{1-3^{3m}})^{3^{\pm\Delta}} \cdot R^{(3^{3m}-1)}$$
If $(R^{1-3^{3m}})^{3^{\pm\Delta}} \cdot R^{(3^{3m}-1)} = 1$, then $(R^{3^{3m}-1})^{3^{\pm\Delta}} = R^{(3^{3m}-1)}$. By a property of finite fields, an element $x$ of the finite field satisfies $x = x^{3^{\Delta}}$ if and only if $\Delta = 6mn$ ($n$ a non-negative integer), so finally $\Delta \,\%\, 6m = 0$. This shows that only when the attacker changes $\Delta$ precisely to $6m$ or a multiple of $6m$ can the blinding random-number factor be removed and the unblinded faulty result needed for the attack be obtained.
However, existing fault-attack capability cannot change $\Delta$ precisely to $6m$ or a multiple of $6m$. There are two common ways to attack the loop count by fault injection. The first injects a fault during the loop computation: a transient fault in the loop-termination test may make the loop count less than $m$ or equal to $m+1$, and skipping the increment of the loop variable may make the loop count equal to $m+1$. Methods of this class cannot change the loop count to $7m$ or more, so they pose no threat to the method proposed by the invention. The second makes the memory or register holding the variable $m$ suffer a permanent fault, but in general this can only change a single bit of the variable. Changing the variable $m$ precisely to $m + 6nm$ ($n$ a positive integer), given that $m$ is in general a number whose 0 and 1 bits are evenly distributed, is almost impossible with existing attack capability. Furthermore, even if an attacker were in future able to change $\Delta$ precisely to $6m$ or a multiple of $6m$, this kind of fault attack would still be ineffective against the proposed method, because the attack of Page and Vercauteren needs a pair of pairing results and, by the preceding analysis, only one of them is unblinded. The attacker cannot obtain a pair of unblinded results with adjacent loop counts from which to compute the private key, so the attack of Page and Vercauteren is ineffective against the method proposed by the invention.
From the above analysis, if a fault attack occurs, the factor of the random number $R$ cannot be eliminated by the final exponentiation and the attacker can only obtain the blinded faulty result. Because the random number $R$ is unknown, the attacker cannot remove the random-number factor from the blinded faulty result to obtain an effective faulty result.
It follows that the implementation proposed by the invention effectively resists fault attacks.
In addition, the time cost added by the proposed method is very small. Compared with the original method, two computations are added. The first is the initial random-number computation, part of which can be carried out with the Frobenius map at almost no time cost; the subsequent cubing in the ternary extension field requires only 6 modular cubings in the finite field. The second is the modular multiplication, in the ternary extension field, of the final iteration result by the random number $R$, which requires only 15 modular multiplications in the finite field. The time cost added by the method is therefore almost negligible compared with the total time of the original method.
The following is an implementation example of the ternary-field fault-attack-resistant Tate bilinear pairing computation method.
The flow of the implementation is described as follows:
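Fault-attack-resistant Tate bilinear pairing implementation method, for the curve $E(\mathbb{F}_{3^m}): y^2 = x^3 - x + b$ over the ternary field
Input: $P = (\alpha, \beta)$, $Q = (x, y)$
Output: $f_P(\psi(Q))^{3^{3m}-1}$
1. Generate $R = r_0 + r_1\sigma + r_2\rho + r_3\sigma\rho + r_4\rho^2 + r_5\sigma\rho^2$,
where $r_i \ne 0$ for $0 \le i \le 5$.
Generate $R' = r_0' + r_1'\sigma + r_2'\rho + r_3'\sigma\rho + r_4'\rho^2 + r_5'\sigma\rho^2$,
where $r_i' \ne 0$ for $0 \le i \le 5$.
Generate $R'' = r_0'' + r_1''\sigma + r_2''\rho + r_3''\sigma\rho + r_4''\rho^2 + r_5''\sigma\rho^2$,
where $r_i'' \ne 0$ for $0 \le i \le 5$.
2. $C = R'$
3. $F = R''$
4. $C = R^{3^{2m}}$
5. $x = x^3$, $y = y^3$, $d = mb$
6. For $i = 1$ to $m$ do
6.1. $\alpha = \alpha^9$, $\beta = \beta^9$
6.2. $\mu = \alpha + x + d$, $\lambda = \sigma\beta y - \mu^2$
6.3. $A = \lambda - \mu\rho - \rho^2$
6.4. $C = C^3 \cdot A$
6.5. $y = -y$, $d = d - b$
7. $F = C \cdot R$
8. return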
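The flow above, as an added example that is not code from the patent: a Python model of steps 4 to 7 and the final exponentiation over a toy field, showing that the factor of R cancels when the loop runs m rounds and stays in the output when the loop count is faulted to m+1. Assumptions made here: m = 5, b = 1, the modulus t^5 + 2t + 1 for the base field, all function names, and the sample inputs, which are constructed field elements standing in for point coordinates (the cancellation is algebraic and does not depend on them); the initialisations of steps 2 and 3 are omitted.

```python
import random

M, B = 5, 1   # assumed toy parameters: m = 5 (coprime to 6), curve constant b = 1
# F_{3^5} = F_3[t]/(t^5 + 2t + 1) (assumed modulus); elements are 5-tuples mod 3.
ZERO, ONE = (0,) * M, (1,) + (0,) * (M - 1)

def f_add(a, b):
    return tuple((x + y) % 3 for x, y in zip(a, b))

def f_scale(a, s):
    return tuple((x * s) % 3 for x in a)

def f_mul(a, b):
    prod = [0] * (2 * M - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for d in range(2 * M - 2, M - 1, -1):   # t^5 = t + 2  =>  t^d = t^(d-4) + 2*t^(d-5)
        prod[d - M + 1] += prod[d]
        prod[d - M] += 2 * prod[d]
    return tuple(c % 3 for c in prod[:M])

def f_cube(a):
    return f_mul(a, f_mul(a, a))

# F_{3^(6m)} element: six F_{3^m} coefficients in the page's order
# c0 + c1*sigma + c2*rho + c3*sigma*rho + c4*rho^2 + c5*sigma*rho^2,
# with sigma^2 = -1 and rho^3 = rho + b.
E_ONE = (ONE,) + (ZERO,) * 5

def e_mul(u, v):
    acc = [[ZERO] * 5 for _ in range(2)]    # acc[j][k]: coefficient of sigma^j * rho^k
    for i, a in enumerate(u):
        for l, c in enumerate(v):
            j, k, p = i % 2 + l % 2, i // 2 + l // 2, f_mul(a, c)
            if j == 2:                      # sigma^2 = -1
                j, p = 0, f_scale(p, -1)
            acc[j][k] = f_add(acc[j][k], p)
    out = [ZERO] * 6
    for j in range(2):                      # rho^3 = rho + b, rho^4 = rho^2 + b*rho
        r0, r1, r2, r3, r4 = acc[j]
        out[j] = f_add(r0, f_scale(r3, B))
        out[2 + j] = f_add(f_add(r1, r3), f_scale(r4, B))
        out[4 + j] = f_add(r2, r4)
    return tuple(out)

def e_pow(u, e):
    r = E_ONE
    while e:
        if e & 1:
            r = e_mul(r, u)
        u, e = e_mul(u, u), e >> 1
    return r

def pairing(P, Q, rounds, R=None):
    """Run the loop for `rounds` iterations (m when unfaulted), then the final
    exponentiation. R=None models the unprotected flow (C starts at 1)."""
    (alpha, beta), (x, y) = P, Q
    C = E_ONE if R is None else e_pow(R, 3 ** (2 * M))     # step 4: C = R^(3^(2m))
    x, y, d = f_cube(x), f_cube(y), f_scale(ONE, M * B)    # step 5
    for _ in range(rounds):                                 # step 6
        alpha, beta = f_cube(f_cube(alpha)), f_cube(f_cube(beta))
        mu = f_add(f_add(alpha, x), d)
        # A = lambda - mu*rho - rho^2 with lambda = sigma*beta*y - mu^2
        A = (f_scale(f_mul(mu, mu), -1), f_mul(beta, y), f_scale(mu, -1),
             ZERO, f_scale(ONE, -1), ZERO)
        C = e_mul(e_pow(C, 3), A)
        y, d = f_scale(y, -1), f_add(d, f_scale(ONE, -B))
    if R is not None:
        C = e_mul(C, R)                                     # step 7: F = C * R
    return e_pow(C, 3 ** (3 * M) - 1)                       # final exponentiation

def random_blind(rng):
    """R with all six coefficients non-zero, as step 1 requires."""
    coeffs = []
    while len(coeffs) < 6:
        c = tuple(rng.randrange(3) for _ in range(M))
        if c != ZERO:
            coeffs.append(c)
    return tuple(coeffs)

rng = random.Random(2013)                   # fixed seed so the run is reproducible
# Constructed sample inputs (not real curve points).
P = ((1, 2, 0, 1, 0), (2, 0, 1, 1, 0))
Q = ((0, 1, 1, 0, 2), (1, 1, 0, 2, 0))
R1, R2 = random_blind(rng), random_blind(rng)

def demo():
    good = pairing(P, Q, M)                 # unprotected, loop count intact
    bad = pairing(P, Q, M + 1)              # unprotected, loop count faulted to m+1
    return (pairing(P, Q, M, R1) == good and pairing(P, Q, M, R2) == good,
            pairing(P, Q, M + 1, R1) != bad,
            pairing(P, Q, M + 1, R1) != pairing(P, Q, M + 1, R2))
```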
Table 1 below compares the added time cost and the resistance to fault attacks of the Ghosh method and of the method proposed by the invention for the Tate bilinear pairing over the ternary field (where M denotes a modular multiplication in the binary extension field and C denotes a modular cubing in the binary extension field):

| Method | Added time cost | Resistance to DFA |
|---|---|---|
| Ghosh method | m(7M+5C) | Cannot resist |
| Method of the invention | 15M+6C | Can resist |

Table 1
The time cost added by the Ghosh method is an average that varies with the blinding random number; the time cost added by the invention is a fixed value. As the table shows, in both added time cost and resistance to DFA, the Ghosh method is inferior to the method proposed by the invention.
The added time cost of the Ghosh method and of the method proposed by the invention under several typical finite fields is compared in Table 2:
Table 2
As can be seen, the method proposed by the invention adds almost no running time, and its added time cost is far smaller than that of the Ghosh method.
The invention has been described in detail above by way of embodiments, but these do not limit the invention. Without departing from the principle of the invention, those skilled in the art may make many variations and improvements, which shall also be regarded as within the scope of protection of the invention.

Claims (2)

1. A ternary-field Tate bilinear pairing computation method resistant to fault attacks,
wherein, for two points $P(\alpha, \beta)$ and $Q(x, y)$ on a supersingular curve over the ternary field, the Tate bilinear pairing is computed as follows:
$$\tau_l(P, Q) = f_P(\psi(Q))^{3^{3m}-1}$$
$$f_P(\psi(Q)) = \prod_{i=1}^{m} A_i^{3^{m-i}} = (\ldots(((A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m$$
where $A_i = \lambda - \mu\rho - \rho^2$, $\mu = \alpha^{(2i)} + x^{(1)} + (m+1-i)b$, $\lambda = (-1)^{(i+1)} \sigma \beta^{(2i)} y^{(1)} - \mu^2$; $\rho$ and $\sigma$ are field elements satisfying $\rho^3 - \rho - b = 0$ and $\sigma^2 + 1 = 0$; characterized in that:
a random-number factor is added to the computation flow of the cube-root-free Tate bilinear pairing formula above to resist fault attacks; if the loop round count $m$ is not changed, the random-number factor is eliminated by the final exponentiation; if the loop round count $m$ is changed by a fault attack, the result the attacker finally obtains is mixed with the random-number factor, and because the attacker cannot learn the value of the random number, the factor cannot be removed from the final result and no useful information for computing the private key is obtained; the steps are as follows:
Step 1: choose a random number $R$
Step 2: compute the rational function
$$f_P(\psi(Q)) = (\ldots((((R^{3^{2m}})^3 A_1)^3 A_2)^3 A_3)^3 \ldots)^3 A_m R;$$
Step 3: compute the Tate bilinear pairing $\tau_l(P, Q) = f_P(\psi(Q))^{3^{3m}-1}$.
2. The method of claim 1, characterized in that: the supersingular curves over the ternary field in step 1 include $y^2 = x^3 - x + 1$ and $y^2 = x^3 - x - 1$.
CN201310484893.7A 2013-10-16 2013-10-16 A kind of anti-fault analysis Tate Bilinear map computational methods in ternary domain Active CN104579648B (en)


Publications (2)

Publication Number Publication Date
CN104579648A true CN104579648A (en) 2015-04-29
CN104579648B CN104579648B (en) 2018-06-05
