CN1610291A - Method for encrypting and decrypting data - Google Patents


Publication number: CN1610291A
Authority: CN (China)
Application number: CN 200410091563
Other languages: Chinese (zh)
Other versions: CN100411334C
Inventors: 李启明, 韩若频, 黄振海
Current assignee: Xinminghua Blockchain Technology Shenzhen Co Ltd
Original assignees: Minghuaauhan Science & Technology Co Ltd Shenzhen City; China Iwncomm Co Ltd
Priority application: CNB2004100915632A; granted as CN100411334C; legal status: active

Abstract

The data encryption and decryption method consists of encrypting the data to be transmitted on the sending side with an encryption method based on the pseudo-addition operation, and decrypting the received data on the receiving side with the corresponding decryption method. Unlike traditional elliptic curve cryptosystems, the present invention uses the pseudo-addition operation to obtain a new plaintext embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack. The present invention provides a very clear plaintext embedding mode and can verify the legality of the ciphertext, providing even higher data security.

Description

Data encryption and decryption method
Technical Field
The invention relates to a data encryption and decryption method, in particular to an encryption method, with its corresponding decryption method, that is semantically secure under adaptive chosen-ciphertext attack on an elliptic curve group and uses a new plaintext embedding mode; it belongs to the technical field of computer and communication security.
Background
Since Diffie and Hellman proposed the idea of public key cryptography in 1976, cryptologists and scientists have studied concrete realisations of this idea for almost thirty years, but so far the secure and efficient public key cryptosystems are still very limited. They can be roughly classified into three categories according to the underlying hard problem: cryptosystems based on the integer factorisation problem, cryptosystems based on the finite field discrete logarithm problem, and cryptosystems based on the elliptic curve discrete logarithm problem. Because no subexponential-time algorithm for the elliptic curve discrete logarithm problem has been found, cryptosystems based on it have advantages that the first two cannot match: for the same security strength the system parameters and keys are short (for example, elliptic curve public key cryptography (ECC) with 160 bits and RSA with 1024 bits have equivalent security strength), and there is a wide choice of curves.
Elliptic curve public key cryptography was proposed independently in 1985 by V. Miller and N. Koblitz, and almost all elliptic curve cryptosystems proposed afterwards were obtained by translating an existing cryptosystem based on the finite field discrete logarithm problem onto an elliptic curve group. The Elliptic Curve Encryption Scheme (ECES) mentioned in the IEEE P1363 standard of the Institute of Electrical and Electronics Engineers is derived from the ElGamal system; because the encryption algorithm is malleable, it is not indistinguishable under adaptive chosen-ciphertext attack (IND-CCA2), only under chosen-plaintext attack (IND-CPA). In 2000 M. Abdalla et al. proposed DHIES (a cryptosystem based on the Diffie-Hellman problem), which is secure under a standard model and, because of its comparable efficiency and higher security level, was adopted by standards such as ANSI X9.63 (ANSI is the American National Standards Institute) and SECG (the Standards for Efficient Cryptography Group). Applying DHIES to elliptic curve groups yields the Elliptic Curve Integrated Encryption Scheme (ECIES), an elliptic curve hybrid cryptosystem submitted by the American company Certicom to NESSIE (New European Schemes for Signatures, Integrity and Encryption), the European organisation responsible for new signature, integrity and encryption schemes. The current conclusion on its security is that, in the generic group model, if the symmetric cryptosystem is semantically secure under chosen-plaintext attack and the hash function is ideal, then ECIES is IND-CCA2 secure; but since elliptic curve groups have special properties that the generic group model ignores, this can only be regarded as a theoretical conclusion.
The laboratories of Nippon Telegraph and Telephone (NTT) have constructed a series of provably secure elliptic curve cryptosystems: PSEC-1, PSEC-2 and PSEC-3 (variants 1, 2 and 3 of PSEC, the Provably Secure Elliptic Curve encryption scheme). PSEC-1 is IND-CCA2 secure in the random oracle model if the elliptic curve decisional Diffie-Hellman problem (ECDDHP) is hard; PSEC-2 with padding is IND-CCA2 secure if the elliptic curve computational Diffie-Hellman problem (ECCDHP) is hard; PSEC-2 with a symmetric encryption system is IND-CCA2 secure if ECCDHP is hard and the symmetric encryption system is secure against passive attack; and PSEC-3 is IND-CCA2 secure if the elliptic curve gap Diffie-Hellman problem (ECGDHP) is hard. All three were submitted to NESSIE, but since NTT subsequently proposed a key encapsulation mechanism based on PSEC, PSEC-KEM, PSEC-1 and PSEC-2 were withdrawn.
ECIES, PSEC-2 and PSEC-3 are all hybrid encryption systems, that is, they contain a symmetric encryption system, and their ciphertext sizes are respectively three, three and four times the plaintext size (assuming that the plaintext and ciphertext sizes of the symmetric encryption system are equal, that the output size of the hash function equals the security parameter, and that elliptic curve point compression is used). PSEC-1 does not need a symmetric encryption system, but its security rests on the premise that ECDDHP is hard; if ECCDHP can be solved then ECDDHP can also be solved, so the hardness of ECDDHP is not stronger than that of ECCDHP, and security based on the hardness of ECDDHP is not higher than security based on the hardness of ECCDHP.
Disclosure of Invention
One object of the present invention is to provide a data encryption method on an elliptic curve that is semantically secure under adaptive chosen-ciphertext attack, based on a new plaintext embedding mode that uses the pseudo-addition operation.
Another object of the present invention is to provide a data decryption method, in particular a method for decrypting the encrypted data produced by the above encryption method to obtain the original data.
When a sender sends data to a receiver, the data to be sent is encrypted according to the following encryption method based on pseudo-addition:
first, randomly select an integer k with 1 < k < n;
then compute F(k), F(k)P and $F(k)Q_A$, where F(k) is the hash function value of k, F(k)P is the F(k)-multiple of the elliptic curve point P, and $F(k)Q_A$ is the F(k)-multiple of the elliptic curve point $Q_A$; F(k) is a positive integer less than n, and F(k)P and $F(k)Q_A$ are both points on the elliptic curve;
the data to be encrypted is then processed according to the formula
$$m' = m \,\|\, 0^{\lambda'}$$
where m is the data to be encrypted, m' is the intermediate data formed during encryption and λ' is the number of 0 bits appended; λ' can be chosen in several ways, for example as one third of the security parameter; the security parameter here is a quantitative measure of the security of the cryptographic algorithm itself, for example 192 bits is a more secure security parameter than 1024-bit RSA;
compute G(k); if $x(F(k)Q_A) = m' \oplus G(k)$, reselect the integer k and repeat the above steps; otherwise start computing the ciphertext; here G(k) is the hash function value of k, and $x(F(k)Q_A)$ is the x coordinate of the elliptic curve point $F(k)Q_A$;
finally, the ciphertext C is computed according to the formula
$$C = (C_1, C_2) = \bigl(F(k)P,\ F(k)Q_A + (m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)\bigr)$$
where the ciphertext C has two elements $C_1$ and $C_2$: $C_1 = F(k)P$ and $C_2 = F(k)Q_A + (m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)$, $H(m' \oplus G(k))$ is the hash function value of $m' \oplus G(k)$, and the "+" in $C_2$ is the pseudo-addition described in the detailed description;
if $x(C_2)$ belongs to the set $\{m' \oplus G(k),\ x(F(k)Q_A)\}$, reselect the integer k and repeat the steps; otherwise output the ciphertext C.
So that the party receiving data encrypted with the above encryption method can recover the original data, the invention also provides the corresponding decryption method. For the ciphertext C, the decryption steps are as follows:
first, compute $Q' = d_A C_1$; if $x(Q') = x(C_2)$, refuse to accept the ciphertext; here Q' is an elliptic curve point, $d_A$ is the private key of the decryptor, and x(Q') and $x(C_2)$ are the x coordinates of Q' and $C_2$ respectively;
then compute $(M, r) = C_2 - Q'$; if $M = x(C_2)$ or M = x(Q'), refuse to accept the ciphertext; here M and r are the x coordinate and the y coordinate of a point on the affine plane;
further compute $f = H(M) \oplus r$, where H(M) is the hash function value of M; if $F(f)P = C_1$ and the last λ' bits of M are 0, the received plaintext is the first λ - λ' bits of M; otherwise refuse to accept; here F(f)P is the F(f)-multiple of the elliptic curve point P, λ' is the number of 0 bits appended during encryption, and λ is the security parameter, which can essentially be regarded as the length of M.
The invention makes full use of the properties of pseudo-addition to obtain a new plaintext embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack; this is its biggest difference from traditional elliptic curve encryption systems. The invention provides a very simple plaintext embedding mode and can verify the legality of a ciphertext during decryption, thereby providing a higher level of data security. Compared with existing elliptic curve based encryption and decryption under adaptive chosen-ciphertext attack, the data encryption and decryption method of the invention is semantically more secure.
Detailed Description
The invention is illustrated in detail by the following examples.
Before giving the specific encryption scheme, the pseudo-addition operation is described first. Two points of the affine plane $F_p^2$ with different x coordinates uniquely determine a Weierstrass equation $Y^2 = X^3 + a_4 X + a_6$ on the plane, where X and Y are variables, $a_4$ and $a_6$ are elements of the field $F_p$, and p is a large prime. If the cubic curve so determined is an elliptic curve, the coordinates of the sum of the two points are determined entirely by the two points themselves.
The invention uses this property to define a new operation, the pseudo-addition.
Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points of the affine plane $F_p^2$ with $x_1 \neq x_2$. The pseudo-addition operation is defined as follows:
1. $P_1 + P_2 = P_3 = (x_3, y_3)$, where $x_3$ and $y_3$ satisfy
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3) - y_1$$
2. $-P_1 = (x_1, -y_1)$
3. $P_1 - P_2 = P_1 + (-P_2)$
Let P and Q be two points of the affine plane $F_p^2$ with different x coordinates. Then P and Q uniquely determine an affine curve E(P, Q): $Y^2 = X^3 + aX + b$ on which P and Q lie, where a and b are elements of the field $F_p$ uniquely determined by the two points P and Q of different x coordinates, $F_p$ is the finite field of p elements, p is prime, and P is a point whose two coordinates lie in $F_p$. A doubling operation is defined for all non-singular points on the curve E(P, Q), with exactly the same formula as point doubling on an elliptic curve:
Let the curve be E(P, Q): $Y^2 = X^3 + aX + b$ and let $P_1 = (x_1, y_1)$ be a non-singular point on it; then $2P_1 = (x_3, y_3)$, where
$$x_3 = \lambda^2 - 2x_1$$
$$y_3 = \lambda(x_1 - x_3) - y_1$$
$$\lambda = \frac{3x_1^2 + a}{2y_1}$$
If $4a^3 + 27b^2 \neq 0 \bmod p$, the curve is an elliptic curve, the pseudo-addition "+" defined above is the point addition of the elliptic curve, all rational points of the elliptic curve form a group under "+" and point doubling with the point O at infinity as the zero element, and "-" is the inverse operation of "+". If $4a^3 + 27b^2 = 0 \bmod p$, the curve is singular and has exactly one singular point; all non-singular points on the curve still form a group under "+" and doubling, with O at infinity as the zero element and "-" as the inverse operation of "+".
The operation has the following property: if P and Q are non-singular points on E(P, Q), R = P + Q, and the x coordinates of P, Q and R are pairwise different, then Q = R - P can be computed from R and P without knowing the specific equation of the curve determined by P and Q. Since R, P and Q have pairwise different x coordinates and must all be non-singular, the probability that P and Q are both non-singular is at least 1 - 6/(p - 1), where p is a large prime. That is, for three points P, Q and R = P + Q with pairwise different x coordinates, any one of them can be computed from the other two with probability at least 1 - 6/(p - 1). This property is the biggest difference from the traditional elliptic curve cryptosystem.
Let E: $Y^2 = X^3 + aX + b$ be an elliptic curve over the finite field $F_p$, and let $E(F_p)$ denote the set of all $F_p$-rational points of E together with O. For a point P in $E(F_p)$, if a smallest positive integer n exists such that nP = O, n is called the order of the point P, and P generates a cyclic group of order n. Elliptic curve public key cryptosystems are mostly constructed on the cyclic group generated by a point of large prime order, called the base point. Unless otherwise specified, in the following a capital letter denotes a point on a curve, a lower-case letter denotes an element of the finite field, x(P) and y(P) denote the x and y coordinates of the point P, the addition of two different points is the pseudo-addition above, and point multiplication is the scalar multiplication defined on the elliptic curve.
Let the system parameters be (p, a, b, P, n), where p is a large prime determined by the required security strength, that is, by the security parameter λ; a and b are elements of the finite field $F_p$ and determine the elliptic curve E: $Y^2 = X^3 + aX + b$; P is an $F_p$-rational point of E whose order n is a large prime comparable in size to p. Each user A has user parameters $(SK_A, PK_A) = (d_A, Q_A)$, where $Q_A = d_A P$ and $d_A$ is a positive integer less than n; $d_A$ and $Q_A$ are called the private key and the public key of user A respectively; the public key is public and may be known to anyone, while the private key is known only to user A. H(), F() and G() are all hash functions $\{0,1\}^\lambda \to \{0,1\}^\lambda$; λ' is any integer such that $1/2^{\lambda'}$ is a negligible function of λ, and here λ' is taken as λ/4. In the implementation of the scheme, to reduce the possibility of data going out of range, the top 8 bits of each hash function value are forced to 0.
If user B wants to send a message $m \in \{0,1\}^{\lambda - \lambda'}$ to user A, user B performs the following encryption operations:
first, randomly select an integer k with 1 < k < n; then compute the hash function value F(k) of k, the F(k)-multiple F(k)P of the elliptic curve point P, denoted $C_1$, and the F(k)-multiple $F(k)Q_A$ of the elliptic curve point $Q_A$; then append λ' zero bits after m to obtain m', that is, $m' = m \| 0^{\lambda'}$; compute the hash function value G(k) of k, and if $x(F(k)Q_A) = m' \oplus G(k)$, go back and reselect the integer k; finally compute the ciphertext $C = (C_1, C_2) = (C_1,\ F(k)Q_A + (m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k))$; if the x coordinate of the affine plane point $C_2$ belongs to the set $\{m' \oplus G(k),\ x(F(k)Q_A)\}$, go back and reselect the integer k; otherwise output the ciphertext C.
After receiving the ciphertext C sent by user B, user A performs the following decryption operations to recover the plaintext m:
1. first compute the $d_A$-multiple $d_A C_1$ of the elliptic curve point $C_1$, denoted Q'; if $x(Q') = x(C_2)$, refuse to accept;
2. then compute the point $C_2 - Q' = (M, r)$ on the affine plane, where M and r are both elements of the finite field $F_p$; if $M = x(C_2)$ or M = x(Q'), refuse to accept;
3. further compute $H(M) \oplus r$, denoted f;
4. if the F(f)-multiple F(f)P of the elliptic curve point P equals the elliptic curve point $C_1$ and the last λ' bits of $M \oplus G(f)$ are 0, accept the first λ - λ' bits of $M \oplus G(f)$ as the plaintext m; otherwise refuse to accept.
The following is a mathematical proof of the high security obtained by encrypting data with the present invention.
Suppose the order of the elliptic curve group is approximately p and that for about half of all m, $m^3 + am + b$ is a quadratic residue modulo p. The following conclusions show that the probability that the encryption process has to restart is small.
Lemma 1. For randomly chosen k and m, the probability that $x(kQ_A) = m$ is at most 2/p.
Theorem 2. Let $R = kP + (m,\ \mathrm{hash}(m) \oplus k)$ with $x(kP) \neq m$; then the probability that $x(R) \in \{m, x(kP)\}$ is negligible.
Proof. Let kP = (c, d); then $d^2 = c^3 + ac + b$, and c and d are completely determined by k. Below, Hash() is abbreviated as h(). If x(R) = m, the pseudo-addition formula gives
$$m = \left(\frac{h(m) \oplus k - d}{m - c}\right)^2 - m - c$$
Using the relation $d^2 = c^3 + ac + b$ to eliminate d from the above formula gives:
$$(h(m) \oplus k)^4 + (h(m) \oplus k)^2\,(6m^2 c - 4m^3 + 2ac + 2b) - 4\,(h(m) \oplus k)\,(c^3 + ac + b)$$
$$+\ 4m^6 - 12m^5 c - 9m^2 c^2 - 4m^3(ac + b) + 6m^2(ac + b) + a^2 c^2 + b^2 + 2abc = 0$$
If for a given k the above equation held with non-negligible probability, then the hash function h() would satisfy the above equation with non-negligible probability; with k fixed, the equation is a sixth-degree equation in the unknown m, and a preimage of h() could be obtained by solving it. That is, if the above equation held with non-negligible probability for a given k, the hash function h() would not satisfy the one-wayness requirement. Therefore the probability that the above equation holds for any k is negligible, and so the probability that x(R) = m is negligible. If x(R) = c, the same reasoning gives
$$\left((h(m) \oplus k)^2 + c^3 + ac + b - m^3 - 2m^2 c + 3mc^2\right)^2 = 4\,(h(m) \oplus k)^2\,(c^3 + ac + b)$$
and since the hash function h() is one-way, the probability that this equation holds is negligible. Hence the probability that $x(R) \in \{m, x(kP)\}$ is negligible.
The lemma and theorem above show that the probability that the encryption process has to restart (reselect k) is negligible, and both encryption and decryption require only two scalar multiplications and one pseudo-addition of elliptic curve points, so the encryption method used by the invention is efficient and its soundness is evident. With reference to the IEEE P1363 standard, if a point compression technique is used, the system produces a ciphertext with threefold plaintext expansion, i.e. the ciphertext is three times the size of the plaintext.
Based on the fact that the pseudo-addition of two different points does not depend on the curve, the method changes the plaintext embedding mode of the ElGamal encryption system: m is embedded into the point $(m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)$ rather than into a point on the elliptic curve determined by the system parameters. This makes plaintext embedding very natural and simple. In addition, the system has the following characteristics: it can verify the validity of the ciphertext through step 4 of the decryption process, which makes forging a legal ciphertext very difficult (other than by choosing a plaintext); and it operates on different elliptic curve groups, namely the elliptic curve determined by the system parameters and the curve determined by $F(k)Q_A$ and $(m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)$, which varies with m and k, so that it is impossible to know the elliptic curve group in which the current operation takes place unless the private key of user A is known.
The encryption time complexity of the encryption system is 2 scalar multiplications, equivalent to the ElGamal system; the time complexity of decryption with verification is 2 scalar multiplications, one more than the ElGamal system. Without verification the efficiency is comparable. If a point compression technique is used, it has threefold plaintext expansion. For convenience of description only the scheme over a base field of large prime characteristic is given here; when the characteristic is 2, the description of the pseudo-addition scheme is very similar.
The encryption scheme is a variant of the ElGamal scheme, and its security is based on the elliptic curve computational Diffie-Hellman problem (ECCDHP). The method provides a very concise plaintext embedding mode and can verify the legality of a ciphertext, thus providing a higher level of security. In the random oracle model the cryptosystem is proven semantically secure under adaptive chosen-ciphertext attack (IND-CCA2).
In the random oracle model it is shown that if the elliptic curve computational Diffie-Hellman problem (ECCDHP) is hard, the cryptosystem is semantically secure under adaptive chosen-ciphertext attack (IND-CCA2); since the proof is based on ECCDHP, it may be more secure than PSEC-1. The method is not a hybrid encryption system: its operations consist only of elliptic curve point multiplication, the pseudo-addition operation and hash functions, and no symmetric encryption system is needed. The encryption system uses the brand-new pseudo-addition operation to embed the plaintext into the x coordinate of a point on the affine plane, provides a very simple plaintext embedding mode and can verify the legality of the ciphertext.
In implementing this cryptosystem, the first problem to face is the choice of the system parameters (p, a, b, P, n). From the security point of view, to resist some known attack algorithms, the following special restrictions may be imposed on the system parameters:
1. $n > 2^{160}$ and $n > 4\sqrt{p}$;
2. the elliptic curve is non-supersingular, i.e. p does not divide $p + 1 - \#E(F_p)$;
3. the order n of the base point P does not divide $p^k - 1$ for 1 ≤ k ≤ C, where in practice usually C = 20;
4. the elliptic curve is non-anomalous, i.e. $\#E(F_p) \neq p$.
This embodiment takes the base field $F_p$ as the finite field proposed by the IEEE P1363 standard; the hash functions G(), F() and H() are all SHA1 with the top 8 bits of the hash value forced to 0, and the number of bits of the large prime p is λ. The parameters a and b of the elliptic curve are selected at random, the order of the elliptic curve is computed with the SEA algorithm, and an elliptic curve meeting the requirements is then used as the system parameter. The specific implementation of the invention requires an elliptic curve point addition algorithm, a pseudo-addition algorithm, an elliptic curve point doubling algorithm and scalar multiplication of elliptic curve points; each algorithm is given below.
The pseudo-addition algor?ithm is the same as the point addition algorithm for two points of the elliptic curve with different x coordinates, so it is not listed separately.
In a specific embodiment of the present invention, the key generation process is as follows:
1. randomly select an integer $d_A$ with $1 < d_A < n$ and compute $Q_A = d_A P$ using the NAF coding and scalar multiplication algorithms;
2. take $d_A$ as the private key and $Q_A$ as the public key.
The specific encryption steps are as follows. The message data m is divided into blocks of 3λ/4 bits, $m = m_1 m_2 \ldots m_d$, and one block is encrypted at a time; for example, a block m is transmitted after being encrypted as follows:
2.1 look up the public key $Q_A$;
2.2 select a random number k with 1 < k < n;
2.3 compute f = SHA1(k);
2.4 compute fP using the NAF coding and scalar multiplication algorithms and denote it $C_1$;
2.5 convert m into the field element $m' = m \| 0^{\lambda/4}$;
2.6 compute $fQ_A$ using the NAF coding and scalar multiplication algorithms and denote it Q'; if $x(Q') = m' \oplus f$, return to 2.2;
2.7 compute $Q' + (m' \oplus f,\ \mathrm{SHA1}(m' \oplus f) \oplus k)$ using the point addition algorithm and denote it $C_2$; if $x(C_2)$, x(Q') and $m' \oplus f$ are pairwise different, transmit the encrypted data $(C_1, C_2)$; otherwise return to 2.2.
Decryption process: after receiving the encrypted data $(C_1, C_2)$, the following decryption is performed:
3.1 compute the point $Q' = d_A C_1$ using the NAF coding and scalar multiplication algorithms; if $x(Q') = x(C_2)$, refuse to accept;
3.2 compute $(M, r) = C_2 - Q'$ using the point addition algorithm; if $M = x(C_2)$ or M = x(Q'), refuse to accept;
3.3 compute $k = \mathrm{SHA1}(M) \oplus r$;
3.4 compute f = SHA1(k);
3.5 compute $m' = M \oplus f$;
3.6 compute fP using the NAF coding and scalar multiplication algorithms; if fP equals $C_1$ and the last λ/4 bits of m' are 0, accept the first 3λ/4 bits of m' as the plaintext; otherwise refuse to accept.
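The pseudo-addition property, the encryption and decryption steps of the disclosure and the embodiment steps 2.1 to 3.6 above, worked through as an added example (not the patent's own code) with constructed toy parameters: p = 2^61 - 1, the curve y^2 = x^3 - 3x + 7 with base point (2, 3), λ' = 15, and SHA-1 with its top 8 bits cleared standing in for F, G and H. The group order n is not computed here, so k and d_A are drawn below 2^(λ-8), which is below n for a curve of this size; the parameters are chosen for readability, not for security.

```python
from hashlib import sha1
from secrets import randbelow

p = (1 << 61) - 1             # toy field prime (Mersenne), lambda = 61 bits
a, b = p - 3, 7               # constructed curve y^2 = x^3 + a x + b
P = (2, 3)                    # base point, on the curve by construction
LAM, LAMP = 61, 15            # security parameter lambda and lambda' (about lambda/4)
MASK = (1 << (LAM - 8)) - 1   # forces the top 8 bits of a hash value to 0

def hsh(x):
    """SHA-1 of the big-endian encoding of x, cut to a (lambda-8)-bit value;
    plays F, G and H, which are all SHA1 in the embodiment (assumption: 8-byte input)."""
    return int.from_bytes(sha1(x.to_bytes(8, "big")).digest(), "big") & MASK

def padd(P1, P2):
    """Pseudo-addition: the chord formula, which uses only the two points
    (x1 != x2 required) and never the curve coefficients a, b."""
    (x1, y1), (x2, y2) = P1, P2
    s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def neg(Pt):
    return Pt[0], -Pt[1] % p

def ec_add(P1, P2):
    """Full group law on the system curve (O is None): pseudo-addition when the
    x coordinates differ, tangent formula for doubling."""
    if P1 is None: return P2
    if P2 is None: return P1
    if P1[0] != P2[0]: return padd(P1, P2)
    if (P1[1] + P2[1]) % p == 0: return None   # P + (-P) = O, also covers y = 0
    s = (3 * P1[0] * P1[0] + a) * pow(2 * P1[1], -1, p) % p
    x3 = (s * s - 2 * P1[0]) % p
    return x3, (s * (P1[0] - x3) - P1[1]) % p

def ec_mul(k, Pt):
    """Left-to-right double-and-add scalar multiplication on the system curve."""
    Q = None
    for bit in bin(k)[2:]:
        Q = ec_add(Q, Q)
        if bit == "1": Q = ec_add(Q, Pt)
    return Q

def curve_through(P1, P2):
    """The unique (a, b) with both points on y^2 = x^3 + a x + b (x1 != x2)."""
    (x1, y1), (x2, y2) = P1, P2
    aa = (y1 * y1 - x1 ** 3 - y2 * y2 + x2 ** 3) * pow((x1 - x2) % p, -1, p) % p
    return aa, (y1 * y1 - x1 ** 3 - aa * x1) % p

def keygen():
    """d_A below 2^(lambda-8), which is below n for this curve size (n not computed)."""
    d = 2 + randbelow((1 << (LAM - 8)) - 2)
    return d, ec_mul(d, P)

def encrypt(m, QA):
    """Steps 2.2-2.7 of the embodiment; m has lambda - lambda' bits."""
    while True:
        k = 2 + randbelow((1 << (LAM - 8)) - 2)
        f = hsh(k)                                   # f = SHA1(k) = F(k) = G(k)
        C1, Qp = ec_mul(f, P), ec_mul(f, QA)
        X = (m << LAMP) ^ f                          # m' xor f with m' = m || 0^lambda'
        if C1 is None or Qp is None or X >= p or Qp[0] == X:
            continue                                 # reselect k (step 2.6)
        C2 = padd(Qp, (X, hsh(X) ^ k))               # on the curve through Q' and (X, Y)
        if C2[0] in (X, Qp[0]):
            continue                                 # reselect k (step 2.7)
        return C1, C2

def decrypt(C, dA):
    """Steps 3.1-3.6; returns None whenever a validity check fails."""
    C1, C2 = C
    Qp = ec_mul(dA, C1)
    if Qp is None or Qp[0] == C2[0]: return None
    M, r = padd(C2, neg(Qp))                         # (M, r) = C2 - Q'
    if M in (C2[0], Qp[0]): return None
    k = hsh(M) ^ r
    f = hsh(k)
    mp = M ^ f
    if ec_mul(f, P) != C1 or mp & ((1 << LAMP) - 1): return None
    return mp >> LAMP

def pseudo_add_demo(A, B):
    """The page's key property: R = A + B lies on E(A, B), and B = R - A is
    recovered from R and A without ever knowing that curve."""
    R = padd(A, B)
    return curve_through(A, R) == curve_through(A, B) and padd(R, neg(A)) == B

def roundtrip_demo(m):
    """Decrypt a fresh ciphertext, then see it rejected once x(C2) is tampered."""
    d, QA = keygen()
    C = encrypt(m, QA)
    C1, (x2, y2) = C
    tampered = (C1, (x2 ^ 1, y2))                    # flip one bit of x(C2)
    return decrypt(C, d) == m and decrypt(tampered, d) is None
```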
The point addition algorithm used above is as follows:
Input: the elliptic curve $y^2 = x^3 + ax + b$, a point $P_0 = (x_0, y_0)$ on the curve and a point $P_1 = (x_1, y_1)$; output: the point $P_2 = P_0 + P_1$.
A1 if $P_0 = O$, output $P_2 \leftarrow P_1$;
A2 if $P_1 = O$, output $P_2 \leftarrow P_0$;
A3 if $x_0 \neq x_1$:
A3.1 compute $\lambda \leftarrow (y_0 - y_1)/(x_0 - x_1) \bmod p$, i.e. assign $(y_0 - y_1)/(x_0 - x_1) \bmod p$ to λ;
A3.2 go to step A7;
A4 if $y_0 \neq y_1$, output $P_2 \leftarrow O$;
A5 if $y_0 = 0$, output $P_2 \leftarrow O$;
A6 compute $\lambda \leftarrow (3x_1^2 + a)/(2y_1) \bmod p$;
A7 compute $x_2 \leftarrow \lambda^2 - x_0 - x_1 \bmod p$;
A8 compute $y_2 \leftarrow (x_1 - x_2)\lambda - y_1 \bmod p$;
A9 output $P_2 \leftarrow (x_2, y_2)$.
Note: to subtract a point P = (x, y), add its negative -P = (x, -y).
The elliptic curve point doubling algorithm used above, in projective (X, Y, Z) coordinates, is as follows:
Input: a point $P = (X_1, Y_1, Z_1)$ on the elliptic curve E, P ≠ O;
Output: $(X_3, Y_3, Z_3) = 2P$.
B1 compute $\lambda_1 \leftarrow 3X_1^2 + aZ_1^4$;
B2 compute $Z_3 \leftarrow 2Y_1 Z_1$;
B3 compute $\lambda_2 \leftarrow 4X_1 Y_1^2$;
B4 compute $X_3 \leftarrow \lambda_1^2 - 2\lambda_2$;
B5 compute $\lambda_3 \leftarrow 8Y_1^4$;
B6 compute $Y_3 \leftarrow \lambda_1(\lambda_2 - X_3) - \lambda_3$;
B7 output $(X_3, Y_3, Z_3)$.
The NAF coding algorithm used above is as follows:
Input: an integer $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$.
Output: the NAF $k = \sum_{i=0}^{l} s_i 2^i$, $s_i \in \{-1, 0, 1\}$.
C1 $c_0 \leftarrow 0$, $k_l \leftarrow 0$, $k_{l+1} \leftarrow 0$;
C2 $j \leftarrow 0$;
C3 if j ≠ l + 1:
C3.1 compute the carry $c_{j+1}$ (the formula is given as a figure in the original and is not reproduced here);
C3.2 compute $s_j \leftarrow k_j + c_j - 2c_{j+1}$;
C3.3 compute j ← j + 1;
C3.4 go to step C3;
C4 output $(s_l s_{l-1} \ldots s_1 s_0)_2$.
The NAF scalar multiplication algorithm used above is as follows:
Input: a point P on the elliptic curve and the NAF $(s_l s_{l-1} \ldots s_1 s_0)_2$ of the integer k, with $s_l = 1$;
Output: Q = kP;
D1 Q ← O;
D2 j ← l;
D3 if j ≠ -1:
D3.1 compute Q ← 2Q;
D3.2 if $s_j = 1$, compute Q ← Q + P;
D3.3 if $s_j = -1$, compute Q ← Q - P;
D3.4 compute j ← j - 1;
D3.5 go to step D3;
D4 output Q.
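Algorithms B (projective point doubling), C (NAF coding) and D (NAF scalar multiplication) above, as an added example that is not the patent's own code. It assumes the standard carry rule c_{j+1} = ⌊(k_j + k_{j+1} + c_j)/2⌋ for step C3.1, whose formula is missing from the page, Jacobian coordinates (x = X/Z², y = Y/Z³) for algorithm B, and a constructed toy curve y² = x³ - 3x + 7 over p = 2^31 - 1 for the doubling check; naf_mul takes the group operations as arguments, and the self-check runs it over the integers modulo N.

```python
def naf(k):
    """Algorithm C: NAF digits (s_l ... s_0), most significant first, s_i in {-1, 0, 1}."""
    l = k.bit_length()
    bits = [(k >> j) & 1 for j in range(l)] + [0, 0]           # C1: k_l, k_{l+1} <- 0
    c, s = [0] * (l + 2), []                                    # C1: c_0 <- 0
    for j in range(l + 1):                                      # C3: j = 0 .. l
        c[j + 1] = (bits[j] + bits[j + 1] + c[j]) // 2          # C3.1 (assumed carry rule)
        s.append(bits[j] + c[j] - 2 * c[j + 1])                 # C3.2
    if s and s[-1] == 0:                                        # drop a leading 0 so s_l = 1
        s.pop()
    return s[::-1]                                              # C4

def naf_value(digits):
    """Sum of s_i 2^i, for checking that the digits encode k."""
    return sum(d << i for i, d in enumerate(reversed(digits)))

def nonadjacent(digits):
    """The NAF property: no two consecutive non-zero digits."""
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))

def naf_mul(k, P, dbl, add, neg, zero=None):
    """Algorithm D over any group given by its doubling, addition and negation."""
    Q = zero                                    # D1
    for s in naf(k):                            # D2/D3: j from l down to 0
        Q = dbl(Q)                              # D3.1
        if s == 1:
            Q = add(Q, P)                       # D3.2
        elif s == -1:
            Q = add(Q, neg(P))                  # D3.3
    return Q                                    # D4

def mod_group(N):
    """Integers modulo N under addition: a stand-in group for testing naf_mul."""
    return dict(dbl=lambda q: 2 * q % N, add=lambda q, r: (q + r) % N,
                neg=lambda q: -q % N, zero=0)

p = (1 << 31) - 1                               # toy prime for the doubling check
a = p - 3                                       # constructed curve y^2 = x^3 - 3x + 7

def jac_double(X1, Y1, Z1):
    """Algorithm B, steps B1-B7, in Jacobian coordinates (assumed)."""
    l1 = (3 * X1 * X1 + a * pow(Z1, 4, p)) % p  # B1
    Z3 = 2 * Y1 * Z1 % p                        # B2
    l2 = 4 * X1 * Y1 * Y1 % p                   # B3
    X3 = (l1 * l1 - 2 * l2) % p                 # B4
    l3 = 8 * pow(Y1, 4, p) % p                  # B5
    Y3 = (l1 * (l2 - X3) - l3) % p              # B6
    return X3, Y3, Z3                           # B7

def to_affine(X, Y, Z):
    zi = pow(Z, -1, p)
    return X * zi * zi % p, Y * pow(zi, 3, p) % p

def affine_double(x, y):
    """Tangent formula lambda = (3x^2 + a)/(2y) from the page, for cross-checking."""
    s = (3 * x * x + a) * pow(2 * y, -1, p) % p
    x3 = (s * s - 2 * x) % p
    return x3, (s * (x - x3) - y) % p

def doubling_agrees(x, y, Z=5):
    """Run algorithm B on the representative (x Z^2, y Z^3, Z) and compare with affine."""
    X, Y = x * Z * Z % p, y * pow(Z, 3, p) % p
    return to_affine(*jac_double(X, Y, Z)) == affine_double(x, y)
```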
The above algorithms give a specific embodiment of the elliptic curve cryptosystem of the present invention. A set of experimental data obtained by running it is given below, with every value in hexadecimal notation.
System parameters:
λ: 192
p: fffffffffffffffffffffffffffffffeffffffffffffffff
a: fffffffffffffffffffffffffffffffefffffffffffffffc
b: 02d5134233c1f7f4f50706f02882d85e767294c7230612c2
P.x: df00000129200001db000001ffbe800169ea40011de3ec01
P.y: 46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881f
n: fffffffffffffffffffffffe75432f994b9b16ef54c39393
dA: 83cedad356f4f6cf573ff873b789add938df2ec7d5d2753b
QA.x: 1f18bcacb74087835ae629a87968f0d57adb39110ec1fd70
QA.y: 53b96505a207de2442510c7f01c80c4cffcdaf40099fa0a1
Encryption:
m: 00000000000000000313233343536373839
m': 00000000000000000313233343536373839000000000000
k: 9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f: 09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
C1.x: 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
C1.y: f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
fQA.x: fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
fQA.y: 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
m'⊕f: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
SHA1(m'⊕f)⊕k: 92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
C2.x: 6edaa4c686f938464514b379720f10dd4ba8a353e1a9e6de
C2.y: 2f47f3be8875cc0417fbfacf87993ea4893595ddf610b43
Decryption:
Q'.x: fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
Q'.y: 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
M: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
r: 92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
SHA1(M): 0475dd35cdf0845f4db2b702644a1cdbde621b3e3201f4b
k: 9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f = SHA1(k): 09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
M⊕f: 00000000000000000313233343536373839000000000000
fP.x: 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
fP.y: f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
m: 00000000000000000313233343536373839
On a computer with an Intel Pentium IV 1.7 GHz processor and 256 MB of memory, running the Windows 98 operating system, the system was implemented in ANSI C over a field of characteristic p and over a field of characteristic 2, where $p = 2^{192} - 2^{64} + 1$ and, for $F_{2^m}$, $m = 193$ with generating polynomial $f(x) = x^{193} + x^{15} + 1$; the efficiency achieved is shown in the following table:
Function                            *Fp     Fp      *F2m    F2m
Key generation                      1.21    5.43    0.67    2.48
Encryption                          6.70    10.95   3.29    5.43
ECES encryption                     6.76    10.53   3.20    5.26
Decryption                          6.50    11.57   3.12    5.42
Decryption (without verification)   5.26    5.95    2.59    2.45
ECES decryption                     5.51    5.48    2.62    2.53
One point multiplication            1.20    5.32    0.65    2.39
Each figure in the table is the time for 1000 executions, in seconds; the columns marked * are the speeds when precomputation is allowed.
If the $F_p$ operations are written in assembly language, a 192-bit point multiplication takes 1.81 seconds (1000 executions); the table below lists, for $p = 2^{256}$ …, the time in seconds for 1000 executions:
Function                            ANSI C   Assembly
Key generation                      2.25     0.93
Encryption                          18.93    6.35
Decryption                          18.64    6.35
Decryption (without verification)   16.2     5.43
The encryption/decryption efficiency achieved on the MCS51 single-chip microcomputer is shown in the table below; the MCS51 is configured with 256 bytes of internal RAM, 64 KB of external RAM, 64 KB of program ROM, and a clock of 1 M machine cycles per second (crystal frequency 12 MHz). The fields are $F_p$ with $p = 2^{192} - 2^{64} - 1$ and $F_{2^m}$ with $m = 193$ and generating polynomial $x^{193} + x^{15} + 1$.
Function                            Fp (seconds/operation)   F2m (seconds/operation)
Key generation                      4.89                     4.34
Encryption                          25.32                    20.84
ECES encryption                     25.19                    20.74
Decryption (without verification)   20.43                    16.21
ECES decryption                     20.42                    16.21
Decryption (with storage)           25.33                    20.10
Multiplication (with prestore)      4.77                     4.32
Multiplication (without prestore)   19.96                    16.4
Note: for $F_p$, the external RAM occupancy is 1.5 KB and the ROM occupancy is 9 KB of program plus 6 KB of prestored values; for $F_{2^m}$, the RAM occupancy is 2 KB (with prestore) / 1.2 KB (without prestore) and the ROM occupancy is 7 KB of program plus 6 KB of prestored values.
A detailed proof that the encryption system is semantically secure under adaptive chosen-ciphertext attack is given below.
1. Security definitions
Assume A is a probabilistic algorithm. Then $A(x_1, x_2, \ldots; r)$ denotes the output of A on input $x_1, x_2, \ldots$ when its random coins are r; $y \leftarrow A(x_1, x_2, \ldots)$ denotes choosing r at random and setting $y = A(x_1, x_2, \ldots; r)$; if there exists an r such that $A(x_1, x_2, \ldots; r) = y$, we write $y \in A(x_1, x_2, \ldots)$; if S is a finite set, $x \leftarrow S$ means that x is chosen from S uniformly at random; and if a is neither a set nor an algorithm, $x \leftarrow a$ means that the value a is assigned to x.
Definition 1. A public key encryption system is a triple of algorithms PE = (KG, Enc, Dec), where
KG, the key generation algorithm, is a probabilistic algorithm whose input is the security parameter $1^\lambda$ ($\lambda \in \mathbb{N}$) and whose output is a public/private key pair (pk, sk);
Enc, the encryption algorithm, is a probabilistic algorithm whose input is the public key pk and a plaintext $x \in \{0,1\}^*$ and whose output is a ciphertext y;
Dec, the decryption algorithm, is a deterministic algorithm whose input is the private key sk and a ciphertext y and whose output is a plaintext $x \in \{0,1\}^*$ or the special symbol ⊥, which indicates that the input is not a valid ciphertext, i.e. there is no $x \in \{0,1\}^*$ whose ciphertext is y.
For any key pair (pk, sk) produced by the key generation algorithm and any plaintext $x \in \{0,1\}^*$, if y is an output of $\mathrm{Enc}_{pk}(x)$ then $\mathrm{Dec}_{sk}(y) = x$ must hold. Since a public key encryption system has to protect information that is actually transmitted, all three algorithms (KG, Enc, Dec) are polynomial-time algorithms in the security parameter.
The security definition of a public key cryptosystem first considers, separately, the attacker's possible attack goals and possible attack models, and then defines the various levels of security by combining an attack model with an attack goal.
Depending on the attack goal, the security analysis of a system mainly considers one-wayness (OW), semantic security (SS), indistinguishability of ciphertexts (IND) and non-malleability (NM). Briefly, one-wayness means that recovering the plaintext $x = \mathrm{Dec}_{sk}(y)$ from a target ciphertext y is very hard; semantic security means that computing any information about the plaintext x from the target ciphertext y is infeasible; indistinguishability means that, given two plaintexts and the ciphertext of one of them, it cannot be determined which plaintext the ciphertext corresponds to. Indistinguishability and semantic security can be regarded as refinements of one-wayness; all of these notions are covered by the traditional security requirements; one-wayness is the minimum requirement on an encryption system, and a system that is indistinguishable or semantically secure is also one-way, so one-wayness is not discussed further here. Non-malleability means that it is hard to derive from the target ciphertext y a different ciphertext y' such that a "meaningful relation" (for example x' = x + 1) holds between the corresponding plaintexts x and x'; it formalises the practical idea of preventing ciphertexts from being tampered with.
The attack model expresses the attacker's capabilities and is divided into chosen plaintext attack (CPA), non-adaptive chosen ciphertext attack (CCA1) and adaptive chosen ciphertext attack (CCA2). CPA gives the attacker the ability to choose plaintexts freely and obtain the corresponding ciphertexts; in a public key encryption system the attacker knows the public key, so it always has this ability. The formal definition of CCA1 was given by Naor and Yung: besides knowing the public key, the attacker may access a decryption oracle (an external device that runs the decryption algorithm), but only before receiving the target ciphertext (non-adaptive means that the oracle queries do not depend on the target ciphertext); because of this, non-adaptive chosen ciphertext attacks are also called midnight attacks or lunchtime attacks. CCA2 was proposed by Rackoff and Simon: the attacker knows the public key and has unrestricted access to the decryption oracle, including after obtaining the target ciphertext, except that it may not submit the target ciphertext itself to the oracle (adaptive means that the oracle queries may depend on the target ciphertext).
Combining the attack goals and attack models above yields the various security definitions; only the formal definition of indistinguishability is given below, which includes the highest level of security, IND-CCA2, i.e. semantic security under adaptive chosen-ciphertext attack.
Since the attacker A receives different inputs at different stages, A is regarded as a pair of probabilistic algorithms $(A_1, A_2)$ whose roles depend on the attacker's goal. In the definition of indistinguishability, $A_1$ takes pk as input and outputs $(x_0, x_1, s)$, where the first two components are plaintexts of equal length and s is state information the attacker wants to keep; one of $x_0, x_1$ is chosen at random and denoted $x_b$, and the challenge ciphertext is $y = \mathrm{Enc}_{pk}(x_b)$; $A_2$ takes $(x_0, x_1, s)$ and the challenge ciphertext y as input and tries to output the correct b.
Definition 2 (IND-CPA, IND-CCA1, IND-CCA2). Let PE = (KG, Enc, Dec) be a public key cryptosystem, $A = (A_1, A_2)$ an attacker and $H(\cdot)$ a random oracle. For any atk ∈ {cpa, cca1, cca2} and any $\lambda \in \mathbb{N}$ define
$$\mathrm{Adv}^{\mathrm{ind\text{-}atk}}_{PE,A}(\lambda) = \Pr\left[\mathrm{Exp}^{\mathrm{ind\text{-}atk\text{-}1}}_{PE,A}(\lambda) = 1\right] - \Pr\left[\mathrm{Exp}^{\mathrm{ind\text{-}atk\text{-}0}}_{PE,A}(\lambda) = 1\right]$$
where, for $b \in \{0,1\}$, the experiment $\mathrm{Exp}^{\mathrm{ind\text{-}atk\text{-}b}}_{PE,A}(\lambda)$ is
$(pk, sk) \xleftarrow{R} \mathrm{KG}(\lambda)$;
$(x_0, x_1, s) \leftarrow A_1^{O_1(\cdot),\, H(\cdot)}(pk)$;
$y \leftarrow \mathrm{Enc}_{pk}(x_b)$;
$d \leftarrow A_2^{O_2(\cdot),\, H(\cdot)}(x_0, x_1, s, y)$;
return d.
If atk = cpa, $O_1(\cdot) = ⊥$ and $O_2(\cdot) = ⊥$; if atk = cca1, $O_1(\cdot) = \mathrm{Dec}_{sk}(\cdot)$ and $O_2(\cdot) = ⊥$; if atk = cca2, $O_1(\cdot) = \mathrm{Dec}_{sk}(\cdot)$ and $O_2(\cdot) = \mathrm{Dec}_{sk}(\cdot)$. It is also required that $|x_0| = |x_1|$ and that $A_2$ does not query the decryption oracle on y. If for every polynomial-time attacker A the function $\mathrm{Adv}^{\mathrm{ind\text{-}atk}}_{PE,A}(\cdot)$ is negligible, the public key cryptosystem PE is said to be secure in the IND-ATK sense.
2. Security analysis
From the system perspective, the operations of the invention are based on different elliptic curve groups, and the addition is almost never associative (for example, for the three points P = (1, 2), Q = (2, 3), R = (3, 1) of the affine plane $\mathbb{R}^2$, the pseudo-addition formula gives $(P + Q) + R = (-2, 1) + (3, 1) = (-1, -1)$, whereas $P + (Q + R) = (1, 2) + (-1, -9) = (121/4, -1303/8)$). It is therefore very hard to obtain a ciphertext of R(m) from a ciphertext of m, where R is a non-trivial relation; intuitively, the system is non-malleable, which is the most obvious difference from the ElGamal system and one reason for the improved security. The use of a hash function further strengthens the security of the system. This section proves that the system is IND-CCA2 secure. For convenience, the encryption system is abbreviated Π below.
Theorem 1. Under the intractability of ECCDHP, Π is IND-CCA2 secure.
Proof. Suppose there is an attacker $A = (A_1, A_2)$ against Π in the IND-CCA2 sense. A's queries to the random oracles $G(\cdot)$, $H(\cdot)$ and $F(\cdot)$ are recorded in the G-table, H-table and F-table, denoted $\tau_G = \{(g_i, G_i)\}$, $\tau_H = \{(h_i, H_i)\}$, $\tau_F = \{(f_i, F_i)\}$, whose lengths (numbers of queries) are $q_G$, $q_H$, $q_F$ respectively. An algorithm B that solves ECCDHP can be constructed as follows. B's input is P, Q = aP and Y = bP, and its goal is to compute R = abP.
B calls $A_1$ with P and Q as input. Since $A_1$ may query the random oracles and the decryption oracle, B has to simulate both. When $A_1$ queries $G(\cdot)$ on g: if g is already in the record, the recorded output is returned to $A_1$; otherwise a random element of the range is chosen as the reply to $A_1$ and the input/output pair is added to the record. B simulates the random oracles $H(\cdot)$ and $F(\cdot)$ in the same way as $G(\cdot)$. When $A_1$ queries the decryption oracle on $y = (C_1, C_2)$: if the G-, F- and H-tables contain entries $(g_i, G_i)$, $(f_l, F_l)$, $(h_j, H_j)$ with $f_l = g_i$, $F_l P = C_1$ and $C_2 = F_l Q + (h_j, H_j \oplus f_l)$, compute $M = h_j \oplus G_i$; if the low λ' bits of M are 0, output the high λ − λ' bits of M as the plaintext, otherwise output ⊥. When $A_1$ halts, let its output be $(m_0, m_1, s)$.
B chooses a random bit string $C_2^*$ and sets $y^* = (C_1^* = Y, C_2^*)$. B calls $A_2$ with $(m_0, m_1, s, y^*)$ as input, simulating the decryption oracle and the random oracles as above.
After $A_2$ halts, B picks (h, H) at random from the H-table; if there is a t such that $R = C_2^* - (h, t) \in E$, B outputs R; otherwise it picks another (h, H) from the H-table; if no such relation exists in the H-table, B outputs a random point of E as R.
In what follows, let $F^* = \log_P Y$, $(s^*, t^*) = C_2^* - F^* Q$, $h^* = s^*$ and $k^* = t^* \oplus H(h^*)$. From the equation of E and the pseudo-addition formula, $C_2^* - (h, t) \in E$ is a degree-six equation in t with at most six solutions. Let AskH denote the event that A queries $H(\cdot)$ on $h^*$. If A queries $H(\cdot)$ on $h^*$, B outputs the correct ECDH solution with probability $\varepsilon' \geq \Pr[\mathrm{AskH}] / (6 q_H)$.
To make sure that A is invoked correctly, B must first simulate the decryption oracle correctly and second ensure that the target ciphertext $y^*$ is legitimate. Let Bad denote the event that a decryption-oracle response is incorrect or $y^*$ is not a legitimate ciphertext. Suppose A succeeds with probability $(1 + \varepsilon)/2$. If B invokes A correctly, then, since $y^*$ is completely independent of $m_0, m_1$, the probability that A outputs the correct result is 1/2, so
$(1 + \varepsilon)/2 \leq \tfrac{1}{2}(1 - \Pr[\mathrm{Bad}]) + \Pr[\mathrm{Bad}]$,
which gives $\Pr[\mathrm{Bad}] \geq \varepsilon$. Clearly
$\Pr[\mathrm{AskH}] \geq \Pr[\mathrm{AskH} \wedge \mathrm{Bad}] = \Pr[\mathrm{Bad}] - \Pr[\mathrm{Bad} \wedge \neg\mathrm{AskH}] \geq \varepsilon - \Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}]$.
Bad can only occur if A queries $G(\cdot)$ or $F(\cdot)$ on $k^*$ (event AskK) or a decryption-oracle response is incorrect (event DBad), so
$\Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \leq \Pr[\mathrm{AskK} \mid \neg\mathrm{AskH}] + \Pr[\mathrm{DBad} \mid \neg\mathrm{AskH} \wedge \neg\mathrm{AskK}]$.
If $h^*$ is not queried, $H(h^*)$ is completely random, so $k^* = t^* \oplus H(h^*)$ is completely random, and the probability that $k^*$ is queried is at most $(q_G + q_F)/2^\lambda$, i.e.
$$\Pr[\mathrm{AskK} \mid \neg\mathrm{AskH}] \leq \frac{q_G + q_F}{2^\lambda}.$$
The following discussion assumes that neither $k^*$ nor $h^*$ is queried.
Suppose A's query to the decryption oracle is $y = (C_1, C_2)$. Let $F = \log_P C_1$, $(s, t) = C_2 - FQ$, $k = H(s) \oplus t$, $h = s$, and $\Pr'[\cdot] = \Pr[\cdot \mid \neg\mathrm{AskH} \wedge \neg\mathrm{AskK}]$.
If both h and k have been queried, the simulated output is certainly correct. If h has been queried but k has not been queried to $G(\cdot)$ or $F(\cdot)$, the simulated output is ⊥; if this is wrong, y must be a legitimate ciphertext, and we distinguish the following cases. Since h has been queried, k is determined; if $k = k^*$, then because $k^*$ is random this happens with probability at most $2^{-\lambda}$, and since the probability that y is legitimate given $k = k^*$ is at most 1, the probability that the simulated answer is wrong is at most $2^{-\lambda}$. If $k \neq k^*$ and k has not been queried to $G(\cdot)$, y being legitimate means that the low λ' bits of $s \oplus G(k)$ are 0; since $k \neq k^*$ and k has not been queried to $G(\cdot)$, the probability that y is legitimate is at most $2^{-\lambda'}$. If $k \neq k^*$ and k has not been queried to $F(\cdot)$, y being legitimate means $F(k) = \log_P C_1$; since $k \neq k^*$ and k has not been queried to $F(\cdot)$, the probability that y is legitimate is at most $2^{-\lambda}$. If h has not been queried, the simulated output is ⊥; if this is wrong, y must be legitimate, i.e. $F(k) = \log_P C_1$ and the low λ' bits of $s \oplus G(k)$ are 0. If $h = h^*$, then $H(h)$ is completely random because $h^*$ is not queried either; if $h \neq h^*$, then $H(h)$ is completely random because h is not queried; hence $H(h)$ is completely random whenever h is not queried, so $k = t \oplus H(h)$ is completely random, $F(k) = \log_P C_1$ holds with probability at most $2^{-\lambda}$ and the low λ' bits of $s \oplus G(k)$ are 0 with probability at most $2^{-\lambda'}$; so when h has not been queried, the probability that the simulated answer is wrong is at most $2^{-\lambda}$.
Combining the above analysis, $\Pr[\mathrm{DBad} \mid \neg\mathrm{AskK} \wedge \neg\mathrm{AskH}] \leq 3q_D/2^\lambda + q_D/2^{\lambda'}$, and therefore
$$\Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \leq \frac{q_G + q_F + 3q_D}{2^\lambda} + \frac{q_D}{2^{\lambda'}},$$
$$\Pr[\mathrm{AskH}] \geq \varepsilon - \Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \geq \varepsilon - \left(\frac{q_G + q_F + 3q_D}{2^\lambda} + \frac{q_D}{2^{\lambda'}}\right).$$
So B outputs the correct ECDH solution with probability
$$\varepsilon' \geq \frac{\Pr[\mathrm{AskH}]}{6q_H} \geq \frac{\varepsilon}{6q_H} - \frac{q_G + q_F + 3q_D}{6q_H \cdot 2^\lambda} - \frac{q_D}{6q_H \cdot 2^{\lambda'}}.$$
From this inequality, if ε is non-negligible then ε' is non-negligible as well. If the running time of A is t, the running time of B is $t' = t + q_H t_f$, where $t_f$ is the time needed to solve a degree-six equation over $F_p$; clearly, if A is polynomial-time then B is polynomial-time as well. Hence if Π is not IND-CCA2 secure, ECCDHP can be solved, which is a contradiction; so under the intractability of ECCDHP, Π is IND-CCA2 secure.
Finally, it should be noted that: the above embodiments are only used to illustrate the present invention and do not limit the technical solutions described in the present invention; thus, while the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted; all such modifications and variations are intended to be included herein within the scope of this disclosure and the present invention and protected by the following claims.

Claims (2)

1. A method of data encryption, characterized in that: when a sender sends data to a receiver, the data to be sent is encrypted according to a pseudo-encryption method; the encryption processing steps are as follows:
Step 10: randomly select an integer k satisfying 1 < k < n, where n is the order of the base point of the elliptic curve;
Step 11: compute F(k), F(k)P and $F(k)Q_A$; where:
F(k) is the hash function value of k, F(k)P is the F(k)-multiple of the elliptic curve point P, and $F(k)Q_A$ is the F(k)-multiple of the elliptic curve point $Q_A$;
F(k) is a positive integer less than n, and F(k)P and $F(k)Q_A$ are both points on the elliptic curve;
Step 12: process the data to be encrypted according to the formula $m' = m \,\|\, 0^{\lambda'}$, where
m is the data to be encrypted, m' is the data in the encryption process, and λ' is the number of 0s to be appended;
Step 13: compute G(k); if $x(F(k)Q_A) = m' \oplus G(k)$, go to step 10; otherwise execute step 14;
where: G(k) is the hash function value of k;
$x(F(k)Q_A)$ is the x-coordinate of the elliptic curve point $F(k)Q_A$;
Step 14: compute the ciphertext C according to the formula
$C = (C_1, C_2) = \big(F(k)P,\ F(k)Q_A + (m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)\big)$;
where C is the ciphertext data set, $C_1$ and $C_2$ are the two elements of C, and
$C_1 = F(k)P$;
$C_2 = F(k)Q_A + (m' \oplus G(k),\ H(m' \oplus G(k)) \oplus k)$;
$H(m' \oplus G(k))$ is the hash function value of $m' \oplus G(k)$;
Step 15: if $x(C_2)$ belongs to the set $\{m' \oplus G(k),\ x(F(k)Q_A)\}$, execute step 10; otherwise output the ciphertext C.
2. A method of decrypting data encrypted according to the method of claim 1, characterized in that: when the receiver receives the sender's encrypted ciphertext data, it decrypts the ciphertext data according to the following method and restores the original data; the decryption steps are as follows:
Step 20: compute $Q' = d_A C_1$; if $x(Q') = x(C_2)$, refuse the ciphertext data; where
Q' is an elliptic curve point, $d_A$ is the private key of the decryptor, and $x(Q')$ and $x(C_2)$ are the x-coordinates of Q' and $C_2$ respectively;
Step 21: compute $(M, r) = C_2 - Q'$; if $M = x(C_2)$ or $M = x(Q')$, refuse the ciphertext data; where M and r are respectively the x-coordinate and the y-coordinate of a point in the affine plane;
Step 22: compute $f = H(M) \oplus r$; where H(M) is the hash function value of M;
Step 23: if $F(f)P = C_1$ and the low λ' bits of M are 0, the received plaintext m is the high λ − λ' bits of M; otherwise refuse;
where F(f)P is the F(f)-multiple of the elliptic curve point P;
λ' is the number of 0s appended in the encryption process;
λ is the security parameter.
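The following Python, added here as a worked example and not code or test vectors from the patent, implements the encryption and decryption steps of claims 1 and 2 together with the NAF scalar multiplication of steps D1 to D4 and the chord-and-tangent pseudo-addition whose non-associativity the security analysis illustrates with the points (1, 2), (2, 3), (3, 1). Everything concrete is an assumption of the example: a toy curve over F_8191 whose coefficient b, prime order n and base point are found by brute force, λ = 13, λ' = 5, the random oracles F, G, H instantiated as tagged SHA-256, step 15 read as a check on x(C2), and the unmasking of M with G(f) before the padding check, which follows the page's own test vectors (m' = M ⊕ f).

```python
import hashlib
import secrets
# Constructed toy parameters (not the patent's): p = 2^13 - 1, lambda = 13, lambda' = 5 padding bits, a = 1.
P_MOD, LAMBDA, LAMBDA_PAD, A = 8191, 13, 5, 1
SQUARES = {y * y % P_MOD for y in range(P_MOD)}      # quadratic residues mod p, for point counting

def pseudo_add(P1, P2):
    """Chord-and-tangent formula on ANY two affine points (None = infinity): the group law on the curve,
    the patent's non-associative pseudo-addition off it."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if (x1 - x2) % P_MOD == 0:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # P + (-P) = O
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)         # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def pseudo_sub(P1, P2):
    return pseudo_add(P1, (P2[0], -P2[1] % P_MOD))        # P1 + (-P2)

def naf(k):  # non-adjacent form of k, least significant digit first, digits in {-1, 0, 1}
    digits = []
    while k > 0:
        d = 2 - k % 4 if k & 1 else 0                     # odd k: +1 if k = 1 (mod 4), -1 if k = 3 (mod 4)
        digits.append(d)
        k = (k - d) // 2
    return digits

def mul(k, Pt):  # left-to-right NAF scalar multiplication, steps D1-D4 of the page's algorithm
    Q = None
    for d in reversed(naf(k)):
        Q = pseudo_add(Q, Q)                              # D3.1: Q <- 2Q
        if d:
            Q = pseudo_add(Q, Pt) if d == 1 else pseudo_sub(Q, Pt)   # D3.2 / D3.3
    return Q

def curve_order(b):  # brute-force point count of y^2 = x^3 + A x + b over F_p (toy sizes only)
    count = 1                                             # the point at infinity
    for x in range(P_MOD):
        rhs = (x * x * x + A * x + b) % P_MOD
        count += 1 if rhs == 0 else 2 if rhs in SQUARES else 0
    return count

def find_curve():  # first b giving a non-singular curve of prime order n < p, plus a base point of order n
    for b in range(1, P_MOD):
        n = curve_order(b)
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0 or n >= P_MOD or any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
            continue
        for x in range(P_MOD):
            rhs = (x * x * x + A * x + b) % P_MOD
            y = pow(rhs, (P_MOD + 1) // 4, P_MOD)          # square root, valid since p = 3 (mod 4)
            if rhs and y * y % P_MOD == rhs:
                return b, n, (x, y)
    raise RuntimeError("no suitable toy curve found")

B, N, BASE = find_curve()

def oracle(tag, value, bits):  # the scheme's random oracles F, G, H as tagged SHA-256 truncated to `bits`
    digest = hashlib.sha256(tag + value.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)

def F(k): return 1 + oracle(b"F", k, 64) % (N - 1)        # scalar F(k) in [1, n-1]
def G(k): return oracle(b"G", k, LAMBDA)                   # lambda-bit mask for m'
def H(M): return oracle(b"H", M, LAMBDA)                   # lambda-bit mask for k

def keygen(dA=None):
    dA = dA or 1 + secrets.randbelow(N - 1)
    return dA, mul(dA, BASE)                              # private d_A, public Q_A = d_A P

def encrypt(QA, m):  # claim 1, steps 10-15; m must fit in lambda - lambda' bits
    m_prime = m << LAMBDA_PAD                             # step 12: m' = m || 0^lambda'
    while True:
        k = 2 + secrets.randbelow(N - 2)                  # step 10: 1 < k < n
        C1, FQ = mul(F(k), BASE), mul(F(k), QA)           # step 11: F(k)P and F(k)Q_A
        M = m_prime ^ G(k)                                # step 13: m' xor G(k)
        r = H(M) ^ k                                      # step 14: H(m' xor G(k)) xor k
        if M == FQ[0] or M >= P_MOD or r >= P_MOD:        # step 13 retry (>= p is a toy-field bound)
            continue
        C2 = pseudo_add(FQ, (M, r))                       # step 14: C2 = F(k)Q_A + (M, r)
        if C2[0] not in (M, FQ[0]):                       # step 15: otherwise step 21 would reject
            return C1, C2

def decrypt(dA, C):  # claim 2, steps 20-23; returns the plaintext, or None for an invalid ciphertext
    C1, C2 = C
    Qp = mul(dA, C1)                                      # step 20: Q' = d_A C1
    if Qp is None or Qp[0] == C2[0]:
        return None                                       # reject before the chord is undefined
    M, r = pseudo_sub(C2, Qp)                             # step 21: (M, r) = C2 - Q'
    if M in (C2[0], Qp[0]):
        return None
    f = H(M) ^ r                                          # step 22: f = H(M) xor r (recovers k)
    m_prime = M ^ G(f)                                    # unmask with G(f), as in the page's test vectors
    if mul(F(f), BASE) != C1 or m_prime & ((1 << LAMBDA_PAD) - 1):
        return None                                       # step 23: F(f)P = C1 and zero padding
    return m_prime >> LAMBDA_PAD
```

The rejections in steps 20, 21 and 23 are what make the scheme's ciphertext-validity check concrete: a ciphertext with a flipped bit fails the F(f)P = C1 test rather than decrypting to garbage.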
Application CNB2004100915632A, priority date 2004-11-19, filing date 2004-11-19: Method for encrypting and decrypting data (granted as CN100411334C, status Active)

Publications (2)

Publication Number   Publication Date
CN1610291A           2005-04-27
CN100411334C         2008-08-13
