WO2008148276A1

WO2008148276A1 - Method and system for encoding and decoding the digital messages

Info

Publication number: WO2008148276A1
Application number: PCT/CN2007/070266
Authority: WO
Inventors: Haiming Guan
Original assignee: Guan, Haiying
Priority date: 2007-06-07
Filing date: 2007-07-11
Publication date: 2008-12-11
Also published as: CN101321060B; CN101321060A

Abstract

The present invention provides a method and system for encoding and decoding the digital messages. The method includes: Selecting the positive integer m, n', r, and m≥n'; Generating a public key that comprises E' (x, ID), and E' (x, ID) is a nonlinear function group from (x1,…,xm,ID1, …,IDr) to (y1, …,yr) in domain F, and ID=( ID1, …,IDr) is an identification of the authorized user; According to the authorized user whose identification is ID(K), generating a private key corresponding to this identification; then finishing the process of encrypt anddecrypt, or the process of validating digital signatures. The present invention can make the users of whole network own one public key, and solves the problem of managing the grand-scale complex network key; and does not need set up large-scale authentication center and private key database, reduces the cost of setting up, running and managing system; implements the incorporate management of the public key database and user ID, affords facilities for trust management in network environment.

Description

Method and system for encoding and decoding digital messages

The present application claims priority to Chinese Patent Application No. 200710100308.3, entitled "A Method and System for Encoding and Decoding Digital Messages", filed on June 7, 2007, the entire contents of which is incorporated herein by reference. This is incorporated herein by reference.

Technical field

The present invention relates to the field of encoding and decoding of information, and more particularly to a public key cryptosystem for encrypting, decrypting, and signing and verifying data messages.

Background technique

Cryptography is a science and technology that studies encryption and decryption transformation. Usually, people refer to plain text as plaintext; incomprehensible text that transforms plaintext into ciphertext. The process of transforming plaintext into ciphertext is called encryption; the reverse process, that is, the process of transforming ciphertext into plaintext is called decryption. This encryption or decryption transformation is controlled by a key. The cryptosystem used in an open environment should meet the following basic requirements:

Confidentiality: Ensure that information is not leaked to unauthorized users;

Integrity: Ensure that information is not arbitrarily or intentionally modified;

Non-repudiation: Prevent individuals or entities from denying the information they have published by destroying evidence to prove that something has happened.

Public key cryptography is a key technology to address the above-mentioned confidentiality, integrity, and non-repudiation. The official birth of it is the "New Directions in Cryptography" by W. Diffie and M. Hellman in 1976 (W. Diffe, ME Hellman, "New direction in cryptography", IEEE Trans., 1976, 22, 644-654 ). The public key cipher uses a public key and a private key. The public key can be publicly delivered, but the associated private key is kept secret. Only by using a private key can decrypt the data encrypted with the public key and sign the data. The role of the public key is to encrypt the information and verify the correctness of the signature.

An important challenge facing current public key cryptography is the challenge of quantum computing. The Shor algorithm invented by Shor in 1994 (PW Shor, "Algorithms for quantum computation: Discrete log and factoring", Proceedings of the 35th Symposium on Foundations of Computer Science, 1994, pp. 124-134.), can be polynomial time It breaks all public key ciphers that can be converted into generalized discrete Fourier transforms, including three widely used public key cryptosystems such as RSA, DH and ECC.

The basic countermeasure for the public key cryptography to cope with the quantum computing challenge is: the use can not be converted into discrete Fourier transform Change the math problem to establish a public key cryptosystem. According to this line of thinking, there are currently three types of competing "anti-quantum computing" public key cryptosystems in the world, §卩:

One is the NTRU public key cryptosystem (J. Hoffstein, J. Pipher, and JH Silverman, "NTRU: a ring based public key cryptosystem", Crypto'96, LNCS 1423, pp. 267-288. Springer-Verlag, 1998. ), its security is based on the mathematical problem of finding a very short vector in a large dimension lattice.

The second is the OTU2000 public key cryptosystem (T. Okamoto, K. Tanaka, and S. Uchiyama, "Quantum Public-Key Cryptosystems," CRYPTO2000, LNCS 1880, pp. 147-165, Springer-Verlag (2000).) Security is based on improved backpacking issues.

The third is the MQ public key cryptosystem, that is, the multivariate quadratic polynomial public key cryptosystem (Multivariate)

Quadratic Polynomials in Public Key Cryptosystem), whose safety is based on the incomprehensibility of quadratic polynomial indefinite equations. A typical solution in this area is the SPLASH signature algorithm (J. Patarin, L. Goubin, N. Courtois, "C*+- and HM: Variations around two schemes of T. Matsumoto and H. Imai", in Advances in Cryptology, Proceedings Of ASIACRYPT'98, LNCS 1514. Springer Verlag, 1998, pp.35-49. ), which is the digital signature algorithm recommended by the European cryptographic standard NESSIE (http://www.cryptonessie.org), mainly in special cards such as smart cards. Used in the field.

The general form of the public key of the MQ public key cryptosystem is

1< j≤k≤m 7=1

Xy Oi, _i 3⁄43⁄4^ F, in, m >n

Where F is the specified domain. Since /w>", the public key of MQ is an indefinite system of equations, which is an irreversible function. The inverse function of the public key is generally defined as the private key corresponding to it, that is, the reversible transformation from ^ = (^, ... , 3^1 to X = ( ι , ).

However, the above prior art has the following disadvantages:

PKI (Public Key Infrastructure) is a network trust technology system based on public key cryptography. In recent years, PKI construction has faced major challenges, highlighted by the sharp increase in management costs. From a technical point of view, the main reason is that the PKI technology system is difficult to adapt to the complex use environment of ultra-large-scale networks, which is highlighted by:

(1) PKI is an expensive technology. It is necessary to establish a large-scale certification center. The implementation of the key escrow system also requires the establishment of a large private key pool. The engineering construction, system operation and maintenance costs are high, and the manpower and material resources required for mobilization are required. Financial resources have formed a huge economic bubble. (2) PKI is difficult to achieve the scale of certification. The number of users that a certification center can support is limited by the ability to access online, typically only a few thousand users.

(3) It is difficult to achieve the directness of certification. This kind of technical system simplifies a very complicated process of trust propagation into a chain of trust, and then uses the chain of trust as the basis of security. It not only lacks theoretical basis, but also has unpredictable security risks.

For example, China distributes an independent public key certificate for each citizen ID card freely, adding, deleting, and modifying the country's 1.3 billion certificates and private keys, and networking on hundreds of databases distributed throughout the country. Operation, the sharp increase in management costs, the degradation and collapse of the chain of trust, and the attack on the certification center will become very serious problems.

In short, a technical problem that is urgently needed by those skilled in the art is how to replace the existing PKI with a new generation of network trust technology that is simple, inexpensive, efficient, and has a large user capacity and strong anti-attack capability.

Summary of the invention

The present invention provides a method and apparatus for encoding and decoding digital messages to implement an identity-based public key cryptosystem, which can meet the complex use environment of a very large-scale network and can meet the requirements of network trust system construction.

According to an embodiment of the present invention, a method for encoding and decoding a digital message is disclosed, which may specifically include:

Selecting a positive integer w, nr, where m≥n, generating a public key containing E'(x, ID), wherein the E'(x, ID) is from the ... on the domain F, x _m , lO _u ...,

a non-linear mapping function group of ..., jv), the ID = (ID ₁ ..., ID is the identity of the authorized user; for an authorized user whose identity is π, a corresponding one corresponding to the identity is generated a private key; encoding the message by using the public key and π to obtain an encoded message N; decoding the encoded message N by using the private key to obtain a decoded message and/or, using the private key pair message Encoding is performed to obtain an encoded message using the public key and ID (^), and the encoded message N' is decoded to obtain a decoded message '.

Preferably, the private key is established by: calculating D0, the DO is related to the ID; dividing the DO into at least two parts, and storing in at least two private key distribution centers, each part is related to the ID Each private key distribution center calculates a part of the private key according to the ID of the authorized user and sends it to the user; the user synthesizes the parts of the private key and calculates the private key.

Further, the method may further include: inserting a random transform WO and inverse ^) in the process of generating the private key. According to an embodiment of the invention, a system for encoding and decoding a digital message is further disclosed, which at least includes:

a public key generating unit, configured to generate a public key including E'(x, ID), which is a slave ID _b ... , ID _r ) ilJ (y) on the domain F !, j) of the non-linear mapping function group, the ID = (ID _{1 ;} ..., ID is the identity of the authorized user; where m, nr are positive integers, m ≥ n,

a private key generating unit, configured to generate, according to an authorized user whose identity is π, a private key corresponding to the identity identifier; and at least one of an encryption and decryption unit and a signature verification unit, where the encryption and decryption unit, For encoding the message by using the public key and Π, to obtain an encoded message N; decoding the encoded message N by using the private key to obtain a decoded message;

The signature verification unit is configured to encode the message by using the private key to obtain an encoded message, and use the public key and the ID (^) to decode the encoded message N′ to obtain a decoded message.

Preferably, the private key generating unit further includes:

At least two private key distribution centers, each of which has a part of a private key function D0, each part being associated with an ID; each of the private key distribution centers is configured to calculate a private number according to the ID of the authorized user Part of the key, sent to the user;

The private key synthesizing device is configured to synthesize each part of the private key and calculate the private key.

Compared with the prior art, the present invention has the following advantages:

The invention realizes the identity-based public key cryptosystem, can meet the complex use environment of the ultra-large-scale network, and can meet the requirements of the network trust system construction. The so-called "identity-based" means that the content of the public key is the user's identity mark ID - some combination of information such as name, phone, email, etc., with the information itself, it can directly determine who the public key belongs to; Instead of using a public key certificate, the user's ID is bound to the user's public key. The essence is that "all users share a public key". The realization of "identity-based" brings the benefits of public key management in the network environment: First, the economic benefits are significant; Second, the user capacity is huge; Third, the integrated management of public key data and user identification is realized.

From the prior art published, the preferred embodiment of the present invention is the first public key cryptosystem that is "resistant to both Shor and identity based". The present invention provides a pioneering technical solution for the challenge of public key cryptography to cope with quantum computing and the challenge of hyperscale network key management. Its technical advantages are reflected in:

(1) Compared with the prior art of anti-quantum computing such as MQ, all users on the whole network share a common key, which effectively solves the key management problem of hyperscale complex networks: First, the economic benefits are significant: there is no need to establish a large certification center and private key pool, which greatly reduces the system construction cost and operation management cost;

Second, the user capacity is huge: it is convenient for the central government to directly implement centralized and single-level security control for the bottom-end billions of end users;

The third is to realize the integrated management of public key data and user identification, which brings great convenience to trust management in the network environment. It is no longer necessary to use the concept of public key certificate, so that the public key information itself has the following attributes. :

Judgment: The public key is no longer a seemingly random random string. From the content of the public key, it can directly determine who the public key belongs to;

Intuitiveness: The problem of determining the characteristics of power can be solved in an intuitive representation, such as using the graphic of the seal as the public key of the authority, and using the fingerprint and photo as the public key of the natural person;

Authoritative: Matching the real-world authorization process, the trust of the public key is directly dependent on the highest state authority issuing the public key, and a top-down trust system is established according to the jurisdiction and jurisdiction of the authority.

(2) Secondly, the present invention has strong anti-collusion attack capability (that is, the difficulty of calculating a private key generation function by combining a plurality of legitimate users and using enough public key-private key pairs that they jointly grasp): Within the scope of the set collusion attack scale, the security of the private key generation function is described by information theory, which can be theoretically unbreakable, that is: the attacker cannot decipher the private key generation function due to lack of information, Rather than lack of computing power, it has nothing to do with the development level of computational mathematics; Second, outside the scope of the set collusion attack scale, the security of the private key generation function is described by the computational complexity theory, based on a complex large solution. The difficulty of scale nonlinear equations, according to the scientific progress of the world today, is not computationally feasible;

The third is to realize the personalization of the private key form, and to hide the private key with an objective random transformation, so that it is also difficult to list only the equations for solving the private key generation function;

Fourth, it is convenient to implement distributed and power-constrained security controls, so that each private key distribution center and each user can manage their own secrets, and no one can obtain all the secrets;

The fifth is the difficulty in collecting a large number of private keys, involving a large number of factors outside the technology, which requires a high price.

DRAWINGS

1 is a flow chart of an embodiment of a method for encoding and decoding a digital message according to the present invention; FIG. 2 is a flow chart of an embodiment of a method for obtaining a public key and a private key according to the present invention; Figure 3 is a schematic diagram showing the flow of data in the embodiment of Figure 1 of the present invention;

4 is a schematic diagram of jointly establishing a private key by multiple private key distribution centers of the present invention;

5 is a data flow diagram of an encryption or verification signature process of a small data embodiment of m=3, n=2 of the present invention;

6 is a data flow diagram of a decryption or signature process of a small data embodiment of m=3 and n=2 of the present invention; FIG. 7 is a small data embodiment of m=U and n=8 of the present invention for realizing private key form personalization. Data flow graph;

Figure 8 is a flow chart of the encryption process of the small data embodiment of m = U, n = 8 of the present invention. Detailed ways

The above described objects, features and advantages of the present invention will become more apparent from the aspects of the appended claims.

The invention belongs to the category of information security products and is mainly applied to network trust systems, such as documents, banks, mobile phones, internet, e-commerce, e-government, logistics, network monitoring, power control, fund transfer, transactions, data encryption and the like.

The hardware environment required to apply the present invention is well known to those skilled in the art. Among them: public key generation unit, private key generation unit, private key distribution center, involving the automatic derivation of complex mathematical formulas, generally should use high-end computer systems; encryption and decryption unit, signature verification unit, private key synthesis device, only involved For the calculation of a given mathematical formula, various grades of hardware platforms can be used, such as a single chip microcomputer, a dedicated digital signal processing chip, a smart card, and the like.

Some of the terms that may be involved in the present invention are briefly explained below:

Password: Generally understood as an algorithm for information encryption and decryption transformation. Its basic purpose is to disguise information so that outsiders cannot understand the true meaning of the information, and insiders can understand the original meaning of the disguised information.

Key: The key parameter that controls the effective conversion between plaintext and ciphertext during the execution of the cryptographic algorithm is called the key.

Public key cryptosystem: The public key cryptosystem uses two keys—a public key (referred to as: public key) and a private key (referred to as: private key). The public and private keys are mathematically related, but it is difficult to calculate the private key from the public key. The public key can be publicly transmitted between the communicating parties, or it can be publicly released as a telephone number book, and the private key is kept in secret by the authorized user. Anyone can find its public key from the name of a user, so it can send encrypted messages to this user. Only authorized users themselves Can be decrypted with his private key.

The public key cryptosystem also provides the ability to digitally sign and authenticate: an authorized user can sign the information with his private key (equivalent to the process of decrypting with the private key described above); other users cannot sign because they do not have the private key. However, the user's public key can be used to verify the correctness of the signature (equivalent to the above process of encrypting with the public key). There are two types of digital signature algorithms: Recoverable digital signature scheme: The signed data can be derived from the signature; Unrecoverable digital signature scheme: The signed data cannot be derived from the signature.

Finite field: It is a concrete and visual mathematical structure that can be understood in a colloquial manner as a collection of finite elements that can be added, subtracted, multiplied, and divided. (usually denoted as F, when the number of elements in the finite field is prime;?, remember to do F)

Polynomial over a finite field: can be understood in a common sense: when there is only one argument: f (x) = a _s x ^s + a _s -\ X ^sA +... ten α ₀ χ ⁰ (mod p) where Called as arguments, called coefficients, called items, their values are between Ο,...,ρ-l. When there are multiple arguments:

The polynomial set on F, the polynomial four is the domain, called the polynomial extension of F. If the number of terms in a polynomial is relatively small, it is called a sparse polynomial; otherwise it is called a dense polynomial. Dense polynomials not only have a high number of times, but the number of items is very large, and it is expanded to indicate that it takes a lot of space.

Rational fraction on a finite field: It can be understood as dividing two polynomials:

^/(JCl "'") mod^ The multiplicative inverse of polynomials other than the polynomial of 0 is

( 3⁄4 ..., x _n )) - ^{1 (mod} ) = (f(x _h ... , χ _η )Υ~ ² (mod ρ) But when ρ is large, the expansion of the above formula requires huge storage The result of space, therefore the division of two sparse polynomials (the denominator is not a polynomial), usually a dense polynomial: ^/( = Rx _l , ..., x _n ) - {g{x _l , ..., x _n )) ^p - ² (mod ^) This property is very important for understanding the security of rational fraction public key cryptography . The rational fractional set on F, the four arithmetic operations on the rational fraction is the domain, called the rational fractional extension of F.

The indeterminate equation system on the finite field has a range group on the limit field:

^{x _x ,...,x _m ) mod p = 0

Where :) is a polynomial or rational fraction. If the number of unknown elements is more than the number n of equations, the above equation is called /7 yuan. The indefinite equations are usually called Diophantine equations. The solution of an indefinite system of equations is a large collection of vector values.

When the above indefinite system of equations has a solution, its solution is usually a set of points in m-dimensional space over a finite field, which can be expressed as algebraic curves, algebraic surfaces or even highly complex high-dimensional algebraic clusters (several polynomials) a collection of public roots).

One-way function: Let the function be _y = Hash , it is easy to calculate _y for X, and vice versa for _y

X is difficult. This kind of function is called one-way function, also called hash function, hash function, Hash function, etc. It has been widely used in data integrity check and information authentication. It converts an arbitrary length of data X into a fixed-length or fixed-number field or a string _y.

Methods of constructing one-way functions are well known in the art. The most popular one-way function algorithms currently are MD5 and SHA-1 (US Federal Information Processing Standard FIPS 180-1); stronger one-way function algorithms are also available.

SHA-256, SHA-384 and SHA-512, etc. (US Federal Information Processing Standard FIPS 180-2).

In the field F specified in the present invention, the number of elements can be used as a prime number; The finite field F> is not limited to this but can be generalized to various domains. When F is a finite field, the power operations of functions or arguments, including integer power operations and fractional power operations, can be converted into rational fractional representations after being expanded, simplified, and collated.

The encoded message described in the present invention may be generated by a user of a location and transmitted to another location and then decoded by the user of the other location, i.e., the coded decoding may not be co-located. Of course, encoding and decoding at the same location is a simpler case. Referring to FIG. 1, an embodiment of a method for encoding and decoding a digital message according to the present invention is shown.

Step 101: Select a positive integer w, n r, where m≥n,

Step 102: Generate a public key including E′(x, ID), where the E′(x, ID) is from x _m , ID _b 10 to (^, ... on the domain F , j ) a non-linear mapping function group, the ID = (ID _b ..., ID _r ) is an identity of the authorized user;

Step 103: Generate, according to an authorized user whose identity is Π, a private key corresponding to the identity identifier;

Step 104: The public key and the ID (^) are used to encode the message to obtain an encoded message N. The encoded message N is decoded by using the private key to obtain a decoded message.

And/or, step 105, encoding the message by using the private key to obtain an encoded message, using the public key and Π, decoding the encoded message N' to obtain a decoded message 7 .

There is no inevitable sequence in the above steps. For example, the step 103 of generating a private key may be prior to the step 102 of generating the public key, and the numerical ordering is merely for convenience of explanation.

For the present embodiment, various kinds of coding codes can be applied. For example, step 104 is mainly applied to the case of encryption and decryption, and step 105 can be mainly applied to the case of digital signature and verification. Of course, for different applications, the parameters are different, and the performance of the compiled code is also good or bad. A more preferred embodiment will be described later in the specification.

The public key E'(x, ID) is a set of irreversible functions. For a given ID, since the number of arguments of X is greater than the number of functions "more, known j", E'(x, ID) is an indefinite system of equations, and there is no unique solution for x. E(x, ID) and the corresponding DO are a pair of reciprocal functions.

Let the signed data be =(^, ..., _y„), the data to be verified is = 0Λ, ..., „), and the generated digital signature is x = (x ₁ ..., x _m ), and both are data after a one-way function transformation.

The data processing method for generating a digital signature using the private key D0 is: x = DO. The data processing method for verifying the digital signature using the public key E'(x, ID) is: , ...,jv) = E'(x,ID), if...,jv) = (y'i, .. ., /„')' accepts the signature x, otherwise rejects the signature x. According to the J's "the same variable, it is possible to determine all of their variables in the same probability.

Preferably, the embodiment of the present invention shown in FIG. 1 can obtain the public key and the private key by using the following steps, as shown in FIG. 2:

Step 201: Select a positive integer ", where m≥n≥r, and w>«';

Step 202: Set a reversible nonlinear mapping function group from X to: (^,...,3^=£^,10)= (Ei(xi,...,x _m , IDi,...,ID _r ), E _n (xi,...,x _m , IDi,...,ID _r ));

Step 203: Generate a private key according to an inverse function of E(x, ID);

Step 204: Select "' function as E' (x, ID) in E(x, ID) to obtain a public key; where E'(x) contains a function about: E'(x, ID) = (EiC !, x _m , ID _b ID _r ), ...,

ID ₁ ID ).

In the design, a given E(x, ID) is not necessarily a public key E'(x, ID) (assuming the public key has no other parameters, the public key can be considered E'(x, ID, according to 'The latter is all or part of the former.

A public key corresponds mathematically to the transformation rules of a given input and output message, and only one private key; of course, this private key can take different representations.

There are many specific methods for establishing public and private keys. This is a content of mathematical design. In the years of application of public key systems, those skilled in the art have more technical precipitation for this aspect. Detailed. However, the present invention can give a more preferable basic idea: randomly generate a number of simple reversible linear transformations and reversible nonlinear transformations, and assemble them into a whole by various methods (iteration, multiplication, division, addition, etc.). Then re-expand, simplify, and organize to obtain a public key; using these inverse functions of reversible linear transformation and reversible nonlinear transformation, the public key can be inverted as the private key corresponding to the public key.

Referring to Fig. 3, there is shown a data flow diagram of an embodiment of the present invention, including data processing procedures such as encryption and decryption and digital signature. Among them, > « = «' can be used for encryption and decryption and recoverable signatures; when > « > «', it can be used for unrecoverable signatures. For / w= « = « ', it can be used to add decryption, but it is less secure.

For a recoverable signature, the decoded message is compared with all the data of the original message to determine whether it belongs to the correct signature; and for the unrecoverable signature (ie, the case of ">«' in the specification), it is decoded. The message is compared to a portion of the original message to determine if it is the correct signature.

Preferably, the embodiment can also obtain the public key and the private key by the following steps:

Step a, select a positive integer ", where m > n ≥ r;

Step b, setting the interface function, which is used to get "a function about..., x _m ) according to d, :): ₀ (x) = ( _0l (xx, ... , x _m \ ... , η _0η (χχ, ..., x _m )) = R(x);

Among them, the simplest R(x) is: For / w = «, convert :) to the identity transformation. In this step, the function of the interface function R(x) can be understood as: converting a variable ..., ) obtained by computing a one-way function chain X = U(w) into "a... The function, which combines the one-way function chain HO) with the public key E'(x, ID), and reduces the intermediate result after the expansion of the one-way function chain. Its mathematical description is usually very simple. For example, in Figure 5 and Figure 6, for =3, n=2, convert the three variables A, x ₂ and x ₃ into two polynomials: M _Q corpse A+^ , ti ₀₂ = x ₂ . The information of R(x), including the functional form of i3⁄4, M _Q2 , and the value of the coefficient e ₃ are all secret information that the unauthorized user should not know. Of course, those skilled in the art can design a variety of modes according to the characteristics of R(x), which cannot be detailed here.

It is not reversible in itself, but it is reversible in combination with HO). That is, although it is not possible to recover Α, x ₂ , x ₃ from only the value of w _Q2 , but with the knowledge of fully disclosed HO) "x ₃ = H ₃ ( ₂ )", and hidden in E (x, ID) The secret parameter e ₃ in ) can be calculated in order: x ₂ = , x ₃ = H ₃ ( ₂ ), x\ = z\- .

Step c: Select a meta-reversible linear transformation T = (T _b T _i+ !) on the domain F, where each includes an n-ary linear polynomial of "··· on the domain F;

Step d, selecting "metainvertible nonlinear transformation G = (G ₁ ... , Ο:) on s fields F, wherein each includes a function of the correlation on the domain F; wherein, The function may include various function types such as a polynomial, a rational fraction, and the like, and the present invention does not need to be limited thereto.

In the above steps c and d, at least one of the coefficients of T and / or G is a mapping function of the ID. That is, at least one of the coefficients of any one or more of the T is a mapping function of the ID; and/or, at least one of the coefficients of any one or more of the G is a mapping function of the ID. Preferably, at least one of the coefficients in the last layer is a mapping function of the ID; and/or at least one of the coefficients in the last layer is a mapping function of the ID.

The benefits of doing this are: Limiting the size of the function of the public key E'(x, ID). For example, E'(x, ID) is just a function of ID^ ^ID. On the contrary, if you put it! The coefficient in ^ is defined as a function of ID. After the nonlinear transformation, the number of IDs increases, making the function size of the public key too large, reducing the practicability.

Step e: synthesize the "(), T, and G according to a preset rule, and obtain a nonlinear mapping function group from x, ID to;: (yi,..., = E(x, ID) = ( EJC J,..., x _m , ID!,... ,ID _r ), E„(x _h . . . , x _m , IDi,... ,ID _r ));

The purpose of synthesizing the "<), T, and G is to embed and hide information about R, T, and G in the public key, all of which belong to secret information that the unauthorised user should not know. In order to achieve the purpose of hiding, it is feasible to adopt various preset synthesis rules. Put "« x:>, T and G from E'(x, ID) Separation is very difficult, and it is necessary to alternate factorization (factorization, mainly for "multiplication") and function decomposition (decomposition, mainly for "iteration") to analyze the multi-level nested structure hidden inside the indefinite system of equations.

Step f, select "the function as E' (x, ID), get the public key; where E' ^ ID) contains the function (A, x _m , ID _b :©; E' ( x, ID) = (EiC !, x _m , ID _b ID _r ), ... , E _w i, ... , x _m , IDi, ... , ID _r ));

When _m>n=n , that is, the selection in step f does not delete the function, and all the functions in E(x, ID) are selected as E'(x, ID) o. This embodiment can be used for encryption and decryption. And various situations such as digital signatures.

When _{m>n> η} ', that is, a method of discarding a part of the function is employed in the step f, the present embodiment can be used in the case of digital signature.

When _{m = n = n} , the security performance at this time is poor; when _{m = n} > t, this embodiment can be used for the case of digital signature. Further, if the interface function R(x) is preferably used in the embodiment to convert m arguments into n polynomials, m> _n can be guaranteed. Of course, if m=n is needed according to the actual situation, those skilled in the art can obtain according to various prior art, and will not be described in detail herein.

Step g, generating an inverse function T ^{1 of} T, generating an inverse function G- ^{1 of} G; and assigning a value ID of the authorized user's identity (substituting T ¹ and G- ¹ to calculate the DO associated with the identity; generating A private key corresponding to the identity, the private key including R x) and D0 .

The preset rules described in the foregoing step e may be set by a person skilled in the art according to actual conditions.

Preferably, if the desired E'(x, ID) contains a rational fractional function for ..., x _m , lO _u ... , ID, the preset rule may be in the following two cases:

Substituting the function group " _Q (x) into it, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substitute into G _s and substitute (^ into T _i+1 ;

Or, substituting the function group, substituting 1 into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substitute into G _s .

For the above two possible ways, when the last linear transformation T _i+1 , the obtained rational fraction of the public key, the denominator polynomial of each rational fraction is the same; when the last is a nonlinear transformation The denominator polynomial for each rational fraction in its public key is usually different. For engineering applications, the default denominator can save public key storage space (as long as "+1, not 2" polynomial is stored), increase the speed of the operation (as long as the value of "+1, not 2" polynomial is calculated ). The function form of E'(x, ID) containing ..., x _m , ID _b ..., may be a polynomial, preferably, may be a combination of polynomial and rational fraction, or all of the rational points Composition.

Compared to polynomials, rational fractions have a significantly increased size of the encryption function. For ease of analysis, the rational fraction on the finite field is converted to an equivalent polynomial. For example, let the number of times the public key of the present invention is 2, and convert it into a polynomial representation:

\<j≤k<m =1

h _l+ ...+h _m ≤2{p-2)

x _u yt, _i γ _≠ , b _lA — _hm ≡F _p , m>n, l^i^n-, the number of terms will increase from 3⁄4 ₊₂ =^ to approximately ₂ ) = 3⁄43⁄43⁄4. For example, when p = 5, w = 2: f mod 5

+ i ⁴ ₂ + i ⁵ ₂ + 2x ₂ ² + i ₂ ² +

X2 + 4 ₂ ³ + 4 i ₂ ³ + 4 i ² ₂ ³ + 4 i3⁄4 ³ + Xi + 4 i ₂ ⁴ + 3 i ² ₂ ⁴ + ₂ ⁵ + 4 i ₂ ⁵ + 2 ₂ ⁶ ) mod 5

= (3 + 3 i + 3 i + ₂ + 4x ₂ + 2 i ₂ + i ₂ + i ₂ + + 4 i ₂ +

4xi

Mod 5;

And when ;==65537, =8, the number of terms equivalent to the polynomial of the rational fraction will be

₊₂ =45 at MQ, approximately increased to =2160852653586620281721640525505904640;

Obviously, a polynomial of such a large scale, although objectively present in the mathematical world, needs Occupying exponential storage is actually difficult to operate. The beneficial effects of this property are: Promoting the quadratic sparse polynomial of MQ to a higher-order dense polynomial, exposing the scale of the polynomial function equivalent to the public key, essentially improving the difficulty of finding the inverse function of the indefinite system of equations. Sex, which significantly increases the ability to resist deciphering.

A preferred example of the present embodiment is described from a mathematical point of view (taking the rational fraction as an example) as follows: Let the ID be the user identity after the specified transformation, ID = (ID ₁ ..., ID, r is a positive integer, ID^F; The coefficient in the public key Ε' 规定 is defined as the mapping function of the ID. After the public key is expanded, simplified, and collated, it can be expressed as a +r element nonlinear transformation on F:

(yi, ..., JV) = E, (x, ID) = (Ei( i, ..., x _m , IDi, ID _r ), E _w i, ..., x _m , ID _b ID _r )),

Lim, ljn, l^k^r, πβ^Ο, π^^Ο, τ>0, and at least one of 7T _1Q , 7Γ ₂₀ ,..., _Q has 7^≥1; (x, ID) is an identity-based public key shared by all users in the public key cryptosystem.

The purpose of combining "ID mapping" in this embodiment is to implement an identity-based public key cryptosystem. An example of a specific implementation process is described in detail below:

The first step is to define the password parameters T and G as functions of ID.

Let the authorized user's identity ID = (ID ₁ ..., ID, r be a positive integer, ID^F; the coefficient of the function in T and G is specified by the private key distribution center as the mapping function of the ID, thereby T, G become a function of ID;

The second step is to synthesize 1\ G into E(x, ID) and establish the public key E'(x, ID)

Combine " _Q (x), T, G into a nonlinear transformation on F:

y = (y ..., y„) = E(x, ID)

= (Ει( ι, ...,x _m , IDi, ID _r ), ...,E„(x _h ...,x _m , ID _h ID _r )), After expansion and simplification,

Xy ^e i^KK . ' ^ε ΆΑ -K , _Pl ... _Pr '丄t is lim, ljn, l^k^r, πβ^Ο, π^^Ο, τ>0; Let E'( , ID ) = ( Ει( ι, ... , ID _b ... , ID _r ), ... , E _wb ..., x _m , ID _b ... , ID _r )),

E'( , ID) £ E( , ID); publicly publish E'(x, ID) as the public key shared by all users;

The third step, put! ¹¹ , G- ^{1 is} synthesized into D0, establish the private key of each user

Private key distribution center to an authorized user ID code parameter substituting TG ^1, TG- ¹ to synthesize DO, then {DO, R (x)} as a private key, is kept secret distributed to authorized users;

In the above synthesis, the small difference in ID, after a series of formula derivation, will result in a huge difference between the public key and the private key.

The fourth step, encryption and decryption, digital signature and verification

Substituting the identity ID (^) of the authorized user f into E'(x, ID), deriving E and then encrypting or verifying the data processing of the digital signature, gp: γ = Ε'κ{χ) =

ΙΌ(Κ)) ₀

To more clearly illustrate the above embodiment, an example of a small data is described below:

Let F be the finite field F ρ=\Ί, m=n=2, «'= 1, s=l, r=l, g卩ID = (ID); Let linear transformation Τ=(Τ ₁ Τ ₂ ), Composed of ^, Τ ₂ consists of ^, β ₂ , where: B _l = {b _ll , b _ll )

= (1, 2), B ₂ = (b ₂ b ₂₂ )=(5 + 15 ID + ID ² , 6 + 16 ID + ID ² ),

a. 122 — a. 112

"111"122― "112"121 "111"122― "112"121 .15 1"

c —"121 "111 10 8

^111^122― ^112^121 ^111^122― ^112^121 ^A 2U ^A 2\2 "l + HID + ID ² 2 + 12ID + ID ² "

^A 22\ ^222 _ 3 + 13ID + ID ² 4 + 14ID + ID ²

15 + 10ID + 8ID 1 + 6ID + 9ID

1 + 2ID + ID ² 1 + 2ID + ID ²

10 + 15ID + 9ID 8 + 3ID + 8ID

1 + 2ID + ID ² 1 + 2ID + ID ² set the nonlinear transformation G = (G), G corpse (G „, G ₁₂ ), where:

G ₁₁₍₁₎ : u =— mod 17, G ₁₂₍₂ : u _n =— mod 17 ,

G ₁₁₍₁₎ - ¹ : v _u =— modl7, G ₁₂₍₂₎ - ¹ : v ₁₂ mod 17, using the above parameters to derive E(x, ID):

― X\, U()2 = ,

n = («iii Moi + "ii2"02 + ^n) mod p,

Vn = (a UQX + ^122^02 + b _n ) mod p,

V ₂ \ = («211 «11 + «212«12 + 3⁄4l) mod p,

v ₂ 2 = («22i «ii + a ₂₂₂ u ₁₂ + b ₂₂ ) mod ρ·,

Substituting specific values, the mapping function group derived from x, ID to ; is:

y = ( yi) = E( , ID) = (E^, x ₂ , ID), E ₂ (X _U X ₂ , ID)), where:

Yi = Ei( i, x ₂ , ID = ((16 + 10ID + 13ID ² + 5χ + lOID j + 9ID ² JC! +IDJCI ² + HOW + 6x ₂ + 14IDJC ₂ +11ID3⁄4+ 8 J ₂ + 15ID I ₂ + 16ID ² i ₂ + 16JC ₂ ² +IDJC ₂ ² + 4ID ² )/(12 + \?>x _l + x _l ¹ + \Ax ₂ + 9x _x x ₂ + 1 3⁄4 ² )) mod 17,

y ₂ = E ₂ ( i, x ₂ , ID) = ((13 + 7ID + 13ID ² + lO j + 15ID i + 9ID ² j +3 i ² + 15ID i ² + 7ID ² xi ² + 14x ₂ + 5IDx ₂ +llID + 14x c ₂ + 4ID i ₂ + 16ID ² ! ₂ + \0x ₂ ² + 16ID ₂ ² + 4ID ² ) /(12+ 13 i + j ² + Πχ ₂ + 9x _x x ₂ + 14x ₂ ² )) mod 17, put a part of the E(x, ID) The function specifies an identity-based public key E'(ID) shared by all users, for example, EX ₂ , ID) is a public key, and E ₂ ( _b x ₂ , ID) is not a public key.

Then, the private key distribution center uses the value of the ID to derive the corresponding decryption function, that is, the private key DO:

+ <3⁄4 ₁₂ (y ₂ - b ₂₂ ) ) mod/?,

+ c _iri (y ₂ - b ₂₂ ) ) mod;?,

n = (1 / 3⁄4ii) mod p,

I2 = ( n I un) mod;?,

«oi = (cm ( n - bn) + Cn2 (v ₁₂ - b _u ) ) mod p,

02 = (Ci2l ( n - bu) + C ₁₂₂ {v _n - bl2) ) mod f,

Let ID = 6, substitute the above function group, and derive the corresponding private key DO as:

X = (^ι, xi) = DO) = (DjCyj, y ₂ \ D ₂ (y!, _1⁄2)), where:

Let the signed data '=(4, 13), /' the digital signature be: X = DO = (2, 3); 3⁄4 (2, 3) when correct, calculate:

If the data to be verified; Λ = 4, the signature is accepted, otherwise the signature is rejected.

Correspondingly, with respect to the above embodiments, the present invention also provides an apparatus embodiment, which includes at least the following units:

a public key generating unit, configured to generate a public key including E'(x, ID), which is a slave ID _b ..., ID _r ) ilJ (y) on the domain F !, j ) The non-linear mapping function group, the ID = (ID _1; ..., ID is the identity of the authorized user; where m, nr are positive integers, m ≥ n,

a private key generating unit, configured to generate, according to an authorized user whose identity is π, a private key corresponding to the identity identifier; and at least one of an encryption and decryption unit and a signature verification unit, where the encryption and decryption unit is configured to: Using the public key and ID (^), encoding the message to obtain an encoded message N; using the private key to decode the encoded message N to obtain a decoded message;

Or the signature verification unit is configured to encode the message by using the private key, and obtain the encoded message by using the public key and the ID (^), and decoding the encoded message N′ to obtain a decoded message. The following describes some of the ambiguous information in the specific implementation process of the above embodiments.

How to make the number of IDs in the public key low, and the number of equivalent IDs in the private key is very high:

(1) Injecting the mapping of the ID in the encrypted last-level cryptographic parameter (for example, the coefficient in G _s ), for the derivation process of deriving the decryption function, it is equivalent to injecting the mapping of the ID in the first layer, after the latter The multi-layer nonlinear transformation magnifies the number of IDs in the decryption function.

(2) Using a relatively large one, in the process of sequentially calculating during decryption, since ^^ is to participate in the operation of v _y , the number of IDs of the decryption function is serially amplified.

(3) Use a nonlinear transformation whose nonlinear number remains constant, for example, set to:

Ujk = Gj _k (v _J ―. , v _Jn ) = p,

'jOO ten

Ten..." mod

Ten ^τ 』0η ^ν 』 _η tjkb tjoi≡¥ _p , u _jk , Vj _k ≡¥ _p (xi , . . . , x _m ) , k = 1, and then derive GT. . For example, H,, for 'J in J " n = - 2,, Gi = -

G KJj2 ) is:

v _ ^l j\ Vj20 ^L j j2\ ^{τ L} j2VjQQ ^u j\ ^l j20 ^l j0\ ^u j\ ^l j\ \ ^l j00 ^u j2 ^{τ l} j\0 ^l j0\ ^u j2 _mQ( ^ p ■12^/ 21—tj tj 22 ⁺ ^j22^jQ\ ^U j\—tj2\tj. 2 ^U j\ ~ ^j\2^jQ\ ^U j2 + Ί 1^/02^ /2 Obviously, if the above encryption process is in progress The coefficient ^ is specified as the mapping function of the ID, then the decryption process

The number of IDs is n times the number of IDs in the encryption process, while the number of times remains the same.

Into a ho, the present embodiment can establish a private key method the following optimization, ho comprises the sub-steps of: sub-ho step a, D0 obtained by the calculation of T ¹ and ^G-1, and the ID related DO; ho sub step b. Dividing the D0 into at least two parts and storing them in at least two private key distribution centers, each part being related to an ID;

Sub-step c, each private key distribution center substitutes the authorized user identifier Π into the part D0 of each secret storage, calculates a part of the private key, and sends it to the user;

Sub-step d, the user synthesizes the private key of each part, and calculates the private key.

Meanwhile, for the foregoing device embodiment, the private key generating unit further includes: at least two private key distribution centers, wherein each private key distribution center stores a part of a private key function D0, each The parts are all associated with the ID; the private key distribution centers are configured to calculate a part of the private key according to the ID of the authorized user, and send the part to the user; The private key synthesizing device is configured to synthesize each part of the private key and calculate the private key.

As shown in FIG. 4, it is a schematic diagram of a plurality of private key distribution centers of the present invention jointly establishing a private key. An example of the above process is described mathematically as follows:

(1) A unique primary key distribution center in the network ^(^ establishes the public key E'(x, ID) and establishes a private key generation function corresponding to E'(x, ID):

Z = (ζχ, ..., z _n ) = O(y, dx, d ₂ , ...)

= (Di(y _b ..., yd _x , d ₂ , ...), D _w (y _b ..., yd _x , d ₂ , ...)), argument 4 in the function, 4, ... is the mapping function of ID: ά _χ = _χ {ΙΌ), d ₂ = f ₂ (W), ... ;

(^, ^ (^ According to the agreed method, separate DO, ^^ into parts: {Dd A, d ₂ , ...), O ^(h) (y, dh, ...)}, respectively Issued to 2 secondary private key distribution centers, ie for

Send D^j, ^^...) to the KDC for secret preservation; and send _i(ID), / ₂ (ID),..., to all secondary private key distribution centers to secretly save; The specific implementation method of separating Ο, Α, Α, into two parts is a well-known technique.

(3), when establishing a private key for an authorized user f, KDC ₂₁ , ..., 10) _2/! first substitute the value of the identity ID (^) of the authorized user K into the mapping of the ID. Function / ID), / ₂ (ID),..., calculate the value of 4, 4, ...; then substitute the value of H. into KDC ₂₁ , KDC _2A secretly saved Ό, d _h d ₂ , ...), Calculate

.

(4), authorized user f from KDC ₂₁ , ..., KDC _{2 /} ^ do not receive D) O, ..., D) O, according to the agreed method, restore to the user's complete private key :).

The technical point of using multiple private key distribution centers to synthesize private keys is to ensure that even the internal personnel of the private key distribution center cannot steal the user's private key.

An example of a small data is described below:

In the foregoing embodiment, it is assumed ^ ₁ ^ is the number of elements, β ₂ is the mapping function element ID, G, there is no parameter, the secret key generation function is:

x = (x _h x ₂ ) = O(y, A ₂ , B ₂ ) = (O,(y, A ₂ , B ₂ ), O ₂ (y, A ₂ , B ₂ )), where: corpse DC ^, , «211, «212, «221, « ₂₂ 2, 3⁄41, b ₂₂ )

^{= ((_ <¾12 2 <} ¾21 2 + 2 <¾u <¾ 12 <¾ 21 <¾22 ~ <¾11 2 <¾22 2 ~ 2 <¾ 12 <¾ 2 ii +

+

+ ₂₁₁ i3⁄4 _1Z 1⁄2 ² )) mod 17 X ₂ = D ₂ (yi, J^2, <3⁄411, <3⁄412, <3⁄421, <3⁄422, 3⁄41, 22)

= ((<3⁄412 ² <3⁄421 ² ~

^{^{+ <¾11 2 <¾22 2 +}} 3 <¾ 12 <¾ 2 ii ~

twenty two

3< 3<3⁄4u <3⁄422 22 + ^212^221^21^22 +

3⁄4

+ ~

twenty two

^212^221^22^1 ~ 3⁄4 11^222^22^1 ~ <<3⁄42 Vl + 3 <2 ₂ 11^212^221^2 ~ 3<2 ₂ 11 «222^2 ~

~

_{_{_{4i¾ 21 i¾ 22 b 2L yi +}}} 2a lxl a llx b 1 y x + 2i7 211 i¾ 22 b 2 yi + 2a llx a ir] yx + 2i¾ 12 i¾ 21 b 2l y 2 + 2a lxx a 111 b lx y 1 - _{_{_{_{Aa lxx a 1 x 1 b r}}}} ] y 1 - 2a lxl a llx y x y 1 - 2α 1λλ α ΎΏ γ λ γ 1 + 2a lxx a lxl yi)) mod 17 set = 2, to 00, ^ _2,? :) Decomposed into 2 parts, for example, can be specified as:

D ⁽¹⁾ (j, A ₂ , B ₂ ) = two molecular polynomials in DO, A ₂ , β ₂ ),

O ⁽²⁾ (y, A ₂ , B ₂ ) = two denominator polynomials in O(y, A ₂ , β ₂ ).

KDCn sends the above D ⁽¹ 3⁄4, Α ₂ , β ₂ ) to KDC ₂₁ and D( ² 3⁄4, Α ₂ , β ₂ ) to KDC ₂₂ , and also sends the mapping function of ID to dd ₂ ,... Give them.

When a private key is established for an authorized user, KDC ₂₁ and KDC ₂₂ respectively substitute the ID of the user into the mapping function:

(b ₂ i, b ₂₂ ) = (5 + 15 ID + ID ² , 6 + 16 ID + ID ² ),

211 "212 1 + llID + ID ² 2 + 12ID + ID ² a 221 a 222 3 + 13ID + ID ² 4 + 14ID + ID ²

Calculate "211, "212, "221, "222, b ₂ b ₂₂ and substitute them into:

<3⁄411, <3⁄412, <3⁄421, <3⁄422, 21, 22), D ( , <3⁄411, <3⁄412, <3⁄421, <3⁄422, 21, 22), calculate D ⁽¹⁾ O, D ⁽²⁾ O And then sent to the user separately;

Authorized users receive D ⁽¹⁾ 0 and D ⁽²⁾ 0 from KDC ₂₁ and KDC ₂₂ respectively, and then restore to D0 according to the specified method. For example, when ID=6, the private key DO is:

X = (^ι, xi) = DO) = (DjCyj, y ₂ \ D ₂ (y!, _1⁄2)), where:

^ , , 2 + 12v, +6v ₇ , _ΛΓη x _x =u _0l =OAy _l ,y ₂ ) = ; ¹ ; ~ mod 17,

9 + 2^+^+13^+4^+6^ x =u ₍₎₇ =O y _] , y ₇ ) = ^L . ― ~ mod 17;

9 + 2^+^+13^ + 4^ + 6^ In the above scheme: each KDC _{2 is} not restricted by the management system and computing power, but is unable to steal the user's private key due to lack of information; and the KDCu that grasps all the secrets is usually in the closed storage state and does not directly participate in the establishment. Private key. It is recommended that KDCu rename the relevant variables (such as ll, «212, «221, «222, 621, 2) when creating the private key generation function, which can achieve better results.

In order to realize the personalization of the private key form, this embodiment can further include the following steps: In the process of generating the private key, the random transform W( ) and the inverse w- ) are inserted.

The personalization of the private key form from a mathematical perspective is as follows:

In the process of synthesizing the private key DO, insert the random transform wo and the inverse w- :

DO) = D,(D _a 0)) = D.CW-^WCD^)))) = D (D, .0 ), where D, _fl ()=W(D _fl ()), D', ()=D, (W- ¹ 0), it is difficult to decompose W(), W-) from D, _fl (), D (), respectively. The specific implementation methods of w(), W^) are well-known techniques.

In summary, the basic idea of personalizing the form of the private key is to insert a random transformation in the process of deriving the DO to cover up the correlation between the DO and the ID, and hide it; thus: For the private key D0 of different users, Not only its mathematical properties are different, but also the expression of its functions is subject to two independent factors, one from ID and random transformation, which effectively improves the ability to resist collusion.

Further, this embodiment can also combine the technical points of the one-way function chain, that is, the step of setting the one-way function chain HO) and the inverse function H- ¹ ^ of the one-way function chain; A one-way function chain is used to first expand the original message, then compress it, and meet the reversible requirements. Therefore, it can be applied to various encryption and decryption and digital signature situations with high security performance. A one-way function chain has two properties:

One is complexity: its mathematical properties should be understood as a set of dense polynomial functions:

The above formula is part of the permutation equations that transform plaintext into ciphertext, which makes the equations encounter great difficulties. Second, reversibility: When 〉“, (x ₁ has some arguments that are superfluous, only need one of them) "A variable can recover 0 ₁ ..., ! ). For example, in the embodiment of FIG. 5 and FIG. 6, instead of using x ₃ , as long as A and x _{2 are} used to calculate: w ₂ = x ₂ _ 3⁄4 ( ), w _l = x _l - Yi _l {w ₁ ), The basic method that can restore the above properties is: For z = l, 2, ... (the order can be arbitrarily specified), constantly Put w//≠0, after a one-way function transformation, add it. Still taking Fig. 5 and Fig. 6 as an example: After w ₂ is transformed by _3⁄4 , it is added to _Wl to obtain Α, and after 3⁄4 transformation, it is added to w ₂ to obtain x ₂ , and so on. A nested, reversible, one-way function chain of functions.

Then, the specific coding code step in this embodiment can be optimized as:

For the case of encryption and decryption, the original message may be converted into an intermediate result message M by using a one-way function chain (HO), and the message is encoded by using the public key and ID (^) to obtain an encoded message N; The private key decodes the encoded message N to obtain a decoded message, and converts the intermediate result message into a final decoding result by using an inverse function H-^ of the one-way function chain;

For the case of signature, it may be: using the private key to encode the message, and obtaining an intermediate result ^ by converting the intermediate result z into a digital signature message through the inverse function H- ^{1 of the} one-way function chain and through the one-way function chain HO) converts the digital signature message N' into an intermediate result X, and uses the public key and ID (^) to decode the intermediate result X to obtain a decoded message 7.

An example of a detailed implementation process of combining the foregoing embodiment with a one-way function chain will be described below. Set E' directly to E' (x, IDM is the public key (that is, the public key does not contain other parameters), and the E'(x, ID) contains the function of the fractional function as an example. The detailed steps are as follows:

The first step is to build a one-way function chain HO)

First, set the structure of the cryptographic algorithm. For example, let F be a finite field F> p is a prime number, a positive integer "' and w>"'. Assume

...., z _n ), ID=(IDi, ...,ID _r ), wxyz lOi ₀

Establish a one-way function chain: x = H(w), which uses a combination of several one-way functions HO ..., 3⁄4◦ to convert w to X, which is a sufficiently complex, reversible nonlinearity Transform

Establish the function R(x): u ₀ (x)= (uoi(x\, ... , x _m \ ..., u _Qn {xi, ..., x _m )) = R(x), Convert x to "a w polynomial about xi, ...,;

From HO, derive the inverse of the one-way function chain: w = Η" ¹ ^), which satisfies: IV = H ^_1 (R( H(w)));

Using HO) as part of the public cryptographic algorithm, calculate H as part of the private key - you need to use R(x).

The second step is to establish the password parameters T, G, and define T and G as functions of ID. The specific steps are as follows:

(1) Randomly select the "metalinear transformation T" on F, where each n-ary linear transformation consists of "metalinear polynomials of % on F": T = (T _1; ..., T _i+1 ), where:

Ίί = Ty(ori, ..., On) = bij ₀ + byi a _x + b _ij2 a2 + ... + b _ijn On, Oj, b _≠ ≡¥, lz +l, jn, O^k^n -, then, derive the inverse function T ^{1 of} T, that is, derive the above-mentioned inverse transformation of the meta-linear transformation, wherein each inverse transformation IV ^{1 is} from "F on F, ..., The η-element linear polynomial of β _η consists of:

Τ" ¹ = (ΤΓ ¹ , ..., T _s+ ¹ ), where:

Ti' = Tn ,

···, ")),

Oj = Ty ^l, ... , A) = ^C ≠ + Ciji x + Cy ₂ y3⁄4 +... + C _{ijn n} , oc,, c _≠ ≡¥, lz +l, jn, 0 ".

(2) Randomly select the s F “non-reversible nonlinear transformation G”, each n-member reversible nonlinear transformation consists of “a F function on %” on the F:

G = (G _b ..., G _S ), where

= (G _n ( ..., %), ..., G _in ( ...,%)),

Then, the inverse function G- ^{1 of} G is derived, which is the inverse of the above-mentioned inverse transformation of the elementary reversible nonlinear transformation, where each inverse transformation G ^{1 is} composed of the W element on the F composition:

G" ¹ =

...,Ο ¹ ), where:

G; ¹ = (Gn , ... , A), · · · , G _m — ^l (A, ···, ")),

The specific implementation methods of the T, G, and G- ¹ are well-known technologies.

(3) Specify a part of the coefficients in the function in 1\ G as the mapping function of the ID, so that T and G become functions of ID.

The third step is to synthesize R(x), T, G into E(x, ID), and establish the public key E, (x, ID)

Combine the R(x), T, G into:

E(x, ID) = T _i+1 (G ₅ (T ... G/T/ ... G ₂ (T ₂ (G ₁ (T ₁ (« ₀ ( ))))))) )····)))', that is, the function group "« χ) is substituted, and 1 is substituted into the handle. Substituting into T ₂ , substituting Τ ₂ into G ₂ , ..., substituting 1} into G, ..., put! Substituting into G _s , substituting (^ into T _i+1 . You can also not use linear transformation T _i+1 in the synthesis process. Finally, synthesize "( χ:), T, G into a nonlinear transformation on F :

y = (yi, ...,_3⁄4) = E(X, ID)

= (Ei( i, ..., x _m , IDi, ID _r ), E _w ( i, ..., x _m , ID _b ID _r )), after expansion, simplification,

When =0, Ε/χ ₁ is a polynomial; when 1, E/A is a rational fraction; let E'( , ID) = ( Ει( ι, . · . , x _m , IDi, ... , ID _r ), ... , E„{x ..., x _m , ID _b ... , ID _r )),

E'( , ID) £ E( , ID);

E'(x, ID) is publicly released as a public key shared by all users.

The fourth step, put! ^11, G- ¹ synthesized as D0, the establishment of each user's private key {DO, R} private key distribution center to an authorized user ID code parameter substituting TG ^1, TG- ¹ to synthesize D0. The DO can take a variety of function representations: it can be represented by a function or a simplification, or it can be used directly! ¹¹ , G- ¹ , can also be expressed in other functional forms. Then {DO, R(x)} is sent as a private key to the authorized user for secret preservation.

In the above synthesis, the small difference in ID will have a huge difference between the corresponding public key and private key. Step 5, encrypt and decrypt, digitally sign and verify

The signed data after the one-way function transformation is; = (^, ..., y _n data to be verified is = 0 Λ, ..., / „); and data processing through a one-way function;

Substituting the identity ID (^) of the authorized user f into E'(x, ID), deriving E and then encrypting or verifying the data processing of the digital signature. Specifically:

(1) If " = «', that is, E'(x, ID) = E(x, ID), the present invention can implement both encryption and signature of recoverable data by:

When using the public key E'(x, ID) to encrypt or verify the digital signature, the plaintext w or the digital signature w is converted into ciphertext; or the data is calculated as: = E = E'(x, ID( ^)) = E'(HO), ΙΌ(Κ)); If yes, accept the signature, otherwise reject the signature;

When the private key {DO , R } is used for decryption or digital signature generation, the ciphertext; or data; is substituted into the private key to calculate: w = H— ) = 1^(00 );

(2) If _n >n', that is, E'(x, ID)cE(x, ID), the present invention can only implement signature of unrecoverable data, and cannot implement encryption. The method is as follows:

When using the private key {DO, R(x;>} to generate a digital signature, the data is substituted into the private key to calculate w = H" ¹ ^)

=

When using the public key E'(x, ID) to verify the digital signature, the calculation method is:

(yi, JV) = Ε'^ ) = Ε, (χ, ΙΌ(Κ)) = Ε, (ΗΟ), ΙΌ(Κ)), if (^, ..., 3ν) = ()Λ, . .., „,), accept the signature, otherwise refuse to sign. By J and “the same variable, you can think of them as “variables”.

The following describes some of the above-mentioned specific implementation process:

The preferred method for establishing T is: randomly setting a square matrix consisting of a series of reversible square matrices = { , ..., A ₊₁ }, the inverse of which is ^μΛ ..., Α+r ¹ } And a vector group consisting of s+i upper order vectors

ι = 0, s. This kind of "linear transformation", for a polynomial in a rational fraction, when the addition of fractions requires a generalization, the number of times of the polynomial will be increased, which should be understood as a nonlinear transformation.

The preferred method for establishing G is: pre-establishing a large enough function library; later, when needed, randomly extracting a number of simple functions from the library and combining them into complex encryption and decryption functions according to certain rules.

Among them, the preferred method of building a function library is to select several different types of polynomial functions or rational fractional functions whose number of independent variables does not exceed ", and is reversible for its last independent variable, according to its The number of variables is divided into "classes" S= { S ₁ ...,S„}, where:

Si = {β= ..., ), Od = G _{ij) ' ^x ( _u ... , θα, β), 7 =1, 2, ..

<3⁄4, β≡Έ _ρ , i =1,

In the above formula _{G (y), G ^ -} 1 represents the number of independent variables ι, j is a number in the pair of reciprocal function. For example: For z=l, at least two records can be created in the function library (set parameters ^: 3⁄4 h, ...

G(ii): β={ί _χ αι + ί ₂ ) odp-, G _{ u) · \ =—— ^L rnodp.

G(i ₂₎ : = {^- + t ₂ )modp , Q _{n - ¹ , , =-^-mod^ _; For ι=2, at least 4 records can be created in S ₂ in the function library:

Β— t QT—f (Y

G ₍₂ i): β= { aia ₂ + ί _{2 λ} ² + ha _x ) mod^, G ₍₂₁₎ ^_1 _: ¹ ~~—mo&p.

G ₍ 22): β = + ² mod p, G. 2) ^-1 : ^a 2 = -^— ⁱ ~― mod p;

, t, t, a, +t

G, (23): β = ^ίχ(Χχ "2 mod p, G, (23) mod p;

a. β

G ₍₂₄ ): β: ⁰ ^ modp, G^)" ¹ : ₂ = ^tlC(l+t2 ναοάρ, after the completion of the database, the nature of each function, the nature of the different combinations of its functions, And the best way to use it, develop rules and strategies for automatically generating cryptographic algorithm schemes, and write software that implements these rules and policies.

Further, the method for establishing G by using the above function library is: For z=l, s, a pair of reciprocal functions are randomly selected from each of the classes s ₁ s _n of the function library S for each t:

G= {G ..., G _S }, where: Gi = (G _n(1 ),

G' ^l =

.··, G _inn ) ^l ),

:«,

0), G^)- ¹ in the above equation respectively indicate that the number of its self-variable variables is ^ and for its first independent variable

-1

Reverse, in. , the first function in the z'th function vector of G- ¹ . The advantages of this type of G are: In the encryption process, each function is independent, and the latter calculation does not need to refer to the result of the previous calculation; but in the decryption process, the latter calculation refers to the result of the previous calculation, making the decryption function more complicated than the encryption function. BP: The encryption function vector of the Zth layer is:

Ui2 = G/2(2)(Vn, ),

U _in = G _S (2)(Vn, V _i2 , V _in ),

The function scale of the corresponding decryption function vector G ¹ of the i layer has exploded:

V _i2 G 3⁄4a(a2)^ vn, _i2 ) = Ga ₍₂ ) ^-1 ( G _n(1) ^-1 ( _n ), _i2 ),

Vin = Gin{n) (1⁄41, ^―, U _in )

= Gin(n) ^l { G/i(l)

), Other problems: When seeking a rational fractional value, you may encounter that although the denominator is not a polynomial, the denominator polynomial has a value of 0 as a function, resulting in an error in encryption and decryption. Although the probability is small, the necessary fault tolerance or corrective measures should be taken.

In order to more clearly describe the specific embodiment of the present embodiment, an example of a small data is described below, as shown in FIG. 5 and FIG. 6, wherein the virtual block 501 represents a process of processing using a one-way function chain x=HO). The dashed box 502 represents the process of processing with the public key E'(x); the dashed box 601 represents the process of processing with the private key z = DO, and the dashed box 602 represents the secret parameter e ₃ with the inverse function H_ and the private key. The process of processing.

Let F be the finite field F ρ=\Ί, n=n,=2, m=3, s=\, r=l, g卩ID = (ID); for the convenience of verification, assume the algorithm of three one-way functions The same algorithm for ( = 3⁄4(» = 3⁄4(^= modl7, setting the one-way function chain HO) is:

X\ = (w\ + Hi(w ₂ ) ) mod p = (w\ + w ₂ ) mod p, x ₂ = (w ₂ + H ₂ ( i) ) mod p = (w ₂ + X\ ) mod p = (w ₂ + (w\ + w ₂ ) ) mod p,

3 3 3

3= H ₃ ( ₂ ) = Xi mod p = (w ₂ + X\ ) mod p = (w ₂ + (w\ + w ₂ ) ) mod ρ·, the algorithm of the function R( ) is: ί3⁄4 = (χι + e ₃ x ₃ ) mod p, UQ ₂ = X ₂ , set the parameter e ₃ = 2; The password parameters are randomly set by the private key distribution center. Let linear transformation Τ = (Τ _1; Τ ₂ ), Τ! Composed of Α _χ , Τ ₂ consists of ^, β ₂ , where: Si = (bn, bi ₂ ) = (l, 2), B ₂ = (b _2h b ₂₂ )=(5 + 15 ID + ID ² , 6 + 16 ID + ID ² ),

a 2,11 212 1 + llID + ID ² 2 + 12ID + ID ²

221 222 3 + 13ID + ID ² 4 + 14ID + ID ²

111 —a 2.12

^211 '212 "211" 222 ^— 3⁄4123⁄421 3⁄4113⁄422— " ₂₁₂ " ₂₂₁

^4-1

^221 -111 -a 221 a 211

"211" 222 ^— 3⁄4123⁄421 3⁄4113⁄422— " ₂₁₂ " ₂₂₁

15 + 10ID + 8ID ² 1 + 6ID + 9ID

1 + 2ID + ID ² 1 + 2ID + ID ²

10 + 15ID + 9ID 8 + 3ID + 8ID

1 + 2ID + ID ² 1 + 2ID + ID Set the nonlinear transformation G^GO, G!=(Gn, G ₁₂ ), where:

G ₁₁₍₁₎ : u =— modl7, G ₁₂₍₂₎ : u _n =— modl7 , v ^ll v ^12

v,

G 11(1) 11 — mod 17, G, 12(2) " 11

12 mod 17 u 11 u 12

And use the above parameters to derive E(x, ID):

3⁄4οι = (x\ + e _{3 3} ) mod p, u ₀₂ = Xi »

Vll = («111 UQI + «112^02 + ^ll) mod p,

V\2 = («121 «01 + «122^02 + b _n ) mod p,

Mii = (l I ii) mod^, u _xl = {v _n lv _xl ) mod^,

V ₂ 1 = («211 «11 + «212^12 + 3⁄4l) mod p,

V ₂ 2 = («221 «11 + «222^12 + 22) mod ρ·,

Substitute specific values and derive: E( , ID) = (Ei( i, x ₂ , x ₃ , ID), E ₂ ( i, x ₂ , ₃ , ID)), where:

J^I = EI( I, ₂ , , ID) = ₂ i

= ((16 + 10ID + 13ID ² + 5 j + lOID j + 9ID ² j + 2ID j ² + 7IDV+ 6 ₂ + 14IDx ₂ +llID + 8 1 2 + 15ID i ₂ + 16ID ² i ₂ + 16x ₂ ² + 5IDx ₂ ² + 4ID ² + 10 ₃ + 3ID ₃ + ID + 8ID i ₃ + HID ² i ₃ + \6x ₂ x ₃ + 13IDx ₂ x ₃ + 15ID x ₃ + 8ID ₃ ² + 11ID3⁄4 ² ) / (12 + \3χ + χχ + \Αχ ₂ + 9χ _χ χ ₂ + 14χ ₂ ² + 9χ ₃ + 4χ χ ₃ + χ ₂ Χ3 + 4χ ₃ ² )) mod 17,

Yi = E ₂ ( i, x ₂ , , ID) = ν ₂₂

= ((13 + 7ID + 13ID ² + lO j + 15ID i + 9ID ² j + 13 j ² + 15ID i ² + 7ID ² xi ² + 14 ₂ + 5IDx ₂ +llID + Πχ χ ₂ + 41Όχ χ ₂ + 16ID ² i ₂ + 10x ₂ ² + 16IDx ₂ ² + 4ID ² + 3x ₃ + 13ID ₃ + ID + 1 3+ 9ID i ₃ + HID ² i ₃ + \\χ ₂ χ ₃ + 8IDx ₂ x ₃ + 15ID x ₃ _{^{_{^{+ x 3 2 + 9ID 3 2}}}} + 11ID¾ 2) / (12 + \ χ χ + χχ + 14 2 + 9χ χ 2 + Πχ 2 2 + 9χ 3 + 4 ι 3 + Χ2Χ3 + 4 3)) mod 17,

According to "=«'=2, E'(x) = E(x) is specified.

«11 = (<3⁄4ιι + C212 (yi - b ₂₂ ) ) mod/?,

«12 = (<3⁄42i

+ c _iri (y ₂ - b ₂₂ ) ) mod;?,

11 = (1 / 3⁄4ii) mod p,

12 = ( n I un) mod;?,

«oi = (cm ( n - bn) + Cn2 (v ₁₂ - b _u ) ) mod p,

02 = (C121 ( n - bu) + Ci22 ( i ₂ - bl2) ) mod f,

The private key distribution center establishes a private key for each authorized user. For example, for a user with ID=6, the value of the ID is substituted into the relevant password parameter:

B ₂ = (b ₂ i, b ₂₂ ) = (5 + 15 ID + ID ² , 6 + 16 ID + ID ² ) = (12, 2),

15 + 10ID + 8ID 1 + 6ID + 9ID

1 + 2ID + ID ² 1 + 2ID + ID ² 14 15

10 + 15ID + 9ID 8 + 3ID + 8ID 9 13

1 + 2ID + ID ² 1 + 2ID + ID ² and then derive the user's private key DO as:

Z = (z\, ..., z _n ) = O(y) z

To calculate the inverse ff ¹ ^ of the one-way function chain, you need to use e ₃ of the secret parameter of the private key _:

x\ = {z\ - _{3 3⁄4} ( )) mod p,

w ₂ = z ₂ - H ₂ ( i) = ( - H ₂ (zi - e _{3 3⁄4} ( ))) mod p, wi = ^i - Hi(w ₂ ) = ((zi - e _{3 3⁄4} ( )) - Hi(z ₂ - H ₂ (zi - e _{3 3⁄4} ( )))) mod p;

Although the true one-way function is not expandable, the special provisions in accordance with this embodiment:

w ₂ = (z ₂ - (ζι - 2 ³ ) ³ ) mod p,

Wi = (zi - 2 z ₂ ³ - (z ₂ - (zi - 2 ³ ) ³ ) ³ ) mod ρ·, for example: Let the plain iv = (7, 8), x = H(w) = (9, 6, 12), ciphertext j = E(x, ID) = (4, 9); z = DO = (16, 6), recovered plaintext iv = IT ¹ = (7, 8), indicating the above encryption and decryption The algorithm is correct. The same reason can prove the correctness of the signature algorithm.

The private key allocation of the above small data embodiment may also be implemented by using multiple private key distribution centers to synthesize the private key: Since the elements in ^ are numbers, ₂ , the elements in β ₂ are arguments, G Without parameters, the private key generation function is

Ζ = (z!, z ₂ ) = O(y, A ₂ , B ₂ ) = (DJC , A ₂ , B ₂ \ O ₂ (y, A ₂ , B ₂ )), where: z\= Di( Yi, y2, «211, <3⁄4i2, <3⁄42i, <3⁄422, 3⁄4i, ^22)

= ((< +

15<3⁄411<3⁄421<3⁄422 21 +

+ 2<2 ₂ 1 li?212<^221^2 - 2<2211 ² ί?22Ζ)2)/(16ί?221<^222^21 ² + <3⁄412<3⁄421 21 2 + <3⁄411<3⁄422 21 22 +

16<3⁄4 ₁₁₍ 3⁄4 ₁₂ b ₂₂ ² + 2<3⁄4 ₂₁ <3⁄4 ₂₂ b _2L yi + 16(3⁄4 ₁₂ <3⁄4 ₂ ib _2Z yi + 16<3⁄4 ₁₁₍ 3⁄4 ₂₂ b _2Z yi + \6a ₂₂ ia227yi ² + 16i3⁄4 ₁₂ i3⁄4 ₂₁ b _2L 1⁄2 + Ιό^ιι^^ι^ + 2i7 ₂₁₁ i3⁄4 ₁₂ b ₂ y ₂ + «2120221^1^2 + α _1λλ α _ΎΏ γ _λ γ ₁ + 16< _3⁄4 ₁₁₍ 3⁄4 _lz y ₂ ² )) mod 17

= D ₂ (yi, «211, <3⁄412, <3⁄421, <3⁄422, 3⁄41, 22)

+ 14<72l

+

twenty two

<¾11 <¾22 21 22 + 16 <2 2 11 «212¾2 + 14 <¾12 <¾ 21 + 3 <2 2 11« 221 ^ 222 ^ 1 + 2 <¾ 21 <¾ 22 b 2l yi +

_{16 <¾ <¾2 ½ (¾} 12 <¾2ΐ_½ + 14 <¾ιι 2 12 <¾ 21 b 2Z yi + 16 <¾ 11 (¾ 22 b 2Z yi + + 3 <¾ 11 + 16i3⁄4 ₁₂ i3⁄4 ₂₁ b _2L 1⁄2 +

+

\6a ₂ n _lxl yi (2a ₂₂ 1 «222^21 ² + 15<3⁄4i2<3⁄42i 2i 22 + 15a _2U a ₂₂₂ b ₂ ib ₂₂ + 2a _2U a _2U b ₂₂ ² + 13i3⁄4 ₂₁ i3⁄4 ₂₂ b _2L yi + 2i3⁄4 ₁₂ i3⁄4 ₂₁ b _2L y ₂ +

2ί3⁄41ΐί3⁄422 1_1⁄2 +

2ί7 ₂₁₁ ί3⁄4 _1Ζ 1⁄2 ² )) mod 17

Set the number of secondary private key distribution centers

2 parts, for example: D ⁽¹⁾ (j, A ₂ , B ₂ ) = two molecular polynomials in DO, A ₂ , β ₂ ),

KDC ₂₂ , at the same time, the ID is assigned to the mapping functions of fl ₂₁₁ , fl ₂₁₂ , fl ₂₂₁ , i3⁄4 ₂₂ , b ₂₁ , b ₂₂ , and R(x).

When a private key is established for an authorized user, KDC ₂₁ and KDC ₂₂ respectively substitute the ID of the user into the mapping function, and calculate the values of fl ₂₁₁ , «212, «221, «222, 3⁄41, 1⁄2, and then put these values. Substitute:

The authorized user receives D ⁽¹⁾ 0 and D ⁽²⁾ 0 from KDC ₂₁ and KDC ₂₂ respectively, and then restores to D0 according to the specified method, that is, the numerator polynomial and the denominator polynomial are combined into a rational fraction.

In order to more clearly describe how to implement the personalization of the private key form after using the one-way function chain technique, an example of a small data is described below. As shown in FIG. 7, the small data implementation of m=2 and n=8 of the present invention is implemented. For example, the data flow direction of the private key form is personalized: a random linear transformation w ) is inserted between IV ¹ and R- ¹ , and a random linear transformation w ₂ o, w^o is inserted between IV ¹ , and the specific steps are as follows :

The first step is to calculate:

They are all 8-ary rational fractions, and their numerator and denominator are linear polynomials with the same denominator.

Second - step, calculated in turn

Vll = D _v ii(3⁄4'ii, . is), which is an 8 yuan 2 rational fraction;

Vl2 = D _v i ₂ (w'ii, · is, ii), which is 9 yuan 2 times rational points]

Vl3 = D _v i ₃ (w'ii, - is, vii, Yn), which is a 10 yuan secondary rational fraction;

Vl4 = D _v i4(3⁄4'ii, . 18, Vll, Vl2, Vl3)' It is 11 yuan 2 rational fraction

Vl5 = D _v i ₅ (w'ii, - is, vii, ..., v _u ), which is 12 yuan 2汐: rational fraction;

Vl6 = D _vl 6 (M'll, · 18, ll, ..., Ϊ 15), which is 13 yuan 2 汐: rational fraction; I7=D _v i7(3⁄4'll, 3⁄4'l8, Vll, ..., 16), which is a 14-bit 2-order rational fraction; i ₈ = D _v i ₈ (3⁄4'ii, ..., 3⁄4 'ΐ8, vii,...,; n), which is a 15 yuan secondary rational fraction;

The above..., ϊ _17: the argument of the substitution when deriving the formula; the value substituted when performing the decryption calculation.

The third step is to calculate:

ζ' _Γ Ό _ζΊ {ν _η , ..., ν ₁₈ ), 1^8, which is an 8-element linear polynomial;

The fourth step is to calculate in order:

Xj = O _XJ (z , ..., z' ₈ ), =7,8, which is an 8-element linear polynomial;

(x io, xii, xii) = K ₂ ( ₇ , x ₈ ), which is a combination of a set of one-way functions;

Xj = O _XJ (z , ... , ζ ' ₈ , χ x _w , ii, i ₂ ), l^y 6, which is a 12-ary linear polynomial;

(w _u ..., w,) =

..., x ₈ ), which is a combination of a set of one-way functions.

Where ..., z ₆ ) is hidden as a set of intermediate results in the calculation process of the fourth ,, which can be understood as the parameter of R(x) in the private key is also hidden in the personalized private key, for the authorized user Confidential.

When using "multiple private key distribution centers to jointly establish user private keys", each secondary private key distribution center should use the same W),

The following is an analysis of the benefits of the one-way function chain for the coding and decoding process, taking the encryption and decryption and recoverable signature process as an example.

When >«=«', E x) = E(x), known ciphertext (or data to be signed);, deciphering plaintext (or signature on data ^) w, first request intermediate result X, this kind The situation is equivalent to solving the indefinite equations:

(yi, ---, y _n ) = (Ei( i, ..., x _m \ ..., E _w ( i, ..., x _m )) The number of arguments is greater than the number of equations, The solution of x above is a lot of solutions, which is represented by a huge solution set. However, the one-way function chain is put together with the above equations to form a simultaneous equations about the unknown element w:

Wherein, the one-way function chain consists of several equations containing one-way function transformations, for example, in the specification =3, n=2, only three one-way functions, 3⁄4, 3⁄4:

Since the equation is from IV to reversible transformation, the above equation is a system of substitution equations, and it is known that IV has a unique solution. However, the one-way function in the above equation has the property of "mapping a bit string to a bit string in an almost random manner", that is, it is difficult to describe the regularity between its input and output with a simple mathematical transformation rule. It is equivalent to a dense polynomial, and it takes an exponential storage space to fully expand it. Therefore, when solving a system of equations above, it is difficult to expand a one-way function by substituting a variable containing a one-way function into the equation. For example, consider ^, x ₂ , x ₃ as w ₂ The function, substituting Ei, E ₂ , will quickly find out that it is not feasible to expand the above formula into a polynomial about _Wl , w ₂ . In fact, even if the one-way function is not expanded, as the nesting level of the one-way function increases and becomes complicated, the function scale of the above-mentioned function form will explode in combination.

In the following, from the perspective of engineering application, the quantitative design of the cryptographic algorithm is further understood, and the present invention is analyzed in more detail. Referring to Figure 8, let '=«'=8, m=n, s=2:

(1) Set a sufficiently large ;? according to the allowed encryption and decryption error probability.

(2) Set the appropriate one-way function chain, for example, its K ₂ part combines the functions of the four one-way functions into one one-way function.

(3) The following factors should be considered when setting ", m, T, G:

The number of elements of the solution set of the indefinite equations Ε'^Η^, ..., jv) is approximately, which should be greater than 2 ⁶⁴ . Let 3 be the number of times E'(x) about X, then the number of terms of an m-ary δ-degree polynomial is cs ^{= 1} ^, which reflects the storage space and encryption speed of the public key, and should be as small as possible.

Let DO be about; the number of terms of an n-ary λ-degree polynomial is C^ _+/l , which reflects the difficulty of deciphering the private key by linear attack, and should be as large as possible. The condition for implementing a linear attack is that the known function z = « _Q = R can be randomly generated in large quantities (z, right.

In the identity-based mode, let τ be E'(x, ID) for the number of ID ₁ ..., ΐ, then the number of terms of a +r element ό + τ degree polynomial is C ₊ ^ _+T , which reflects The storage space and encryption speed of the public key should be as small as possible.

In the identity-based mode, in order to hide the mapping function of the ID, the derivation process of establishing D0 can be established. Divided into several segments:

O(y)=O _k (...O _b (O _a (y))...),

And expand D _fl 0, D, (), respectively; because the ID is mapped to D. 0, so the D. Each coefficient of 0 is equivalent to an r-ary/sub-polynomial with respect to the ID, and the number of terms of the polynomial is C ₊ , which should be much larger than the attacker's ability to collect a large number of private keys.

Assume;? Is 32 bits, n=8, m=12, s=2, is:

Gn: tin = ( nvn + ^112) mod/?,

1: _{V =} ^U U- l2 _D

\≤k≤h≤j-\ k=\

Mod p, j = 2 where parameter hjk,

s is the coefficient in the quadratic rational fraction;

G ₂ uses the "non-linear transformation whose nonlinear number remains constant" as described above:

;0 + j\ ^V 2\ +... + f ₂ 8 ^V 28 1

G _2j : ^u 2j = ~r―" - —— mod , _{= 1} , —·, ₈

'200 ⁺ '201 ^V 21 + ··· + 1⁄28 ^V 28

G ₂ : ^v 2j = ^ draw d , ₌ l, —., 8

§200 + §2013⁄4 +··· ⁺ 3⁄408 ^W 28

Wherein, G ₂ - ¹ _gy coefficients, the coefficient to be understood as the _{G 2 ½ (), ...,} 88 8 linear function; G ₂ is disposed linear function ID, then G ₂ - ¹ It is the 8th function of the ID.

The relevant technical indicators and encryption and decryption steps of the above schemes are as follows:

_W;3⁄42 32(i2-8) _{= 2} i28 _; C^ = C3⁄4 ₊₂ =91, ie E(x) has a total of 91 X 9=819 items (8 identical denominator polynomials, which should be counted as 1 polynomial ); but in the identity-based mode, let τ = 1, r = A, C _m ^d ₊₅ Cl _{+ T} =

That is, E, (x, ID) has a total of 455 X 9 = 4095 items. The encryption steps are:

First step, calculation

( i, ..., x,) = K _l (w _l , ..., w ₈ ), which is a combination of a set of one-way functions; (x io, xn, X12) = K ₂ (w ₇ , w ₈ ), which is a combination of a set of one-way functions;

The second step is to calculate E'(x,ID):

Yj=Ej(x _u ..., ₁₂ , ID!, ..., ID ₄ ), l^y 8, which is a 16-time 3 rational fraction.

The number of DOs for J = 255, C _n+x = C ₊ ⁵ ₂₅₅ = 509850594887712, that is, the storage space required for linear attacks under the condition of known R(x) is:

(Cg ₂₅₅ ) ² =259947629107353817789888594944 > 2 ⁶⁴ ; In the identity-based mode, assume D. 0 The number of times is 4, Bay ij = 4X8=32, and the number of private keys that need to be collected to complete the collusion attack = C3⁄4 ₃₂ = 58905. The main way to improve this indicator is to increase r. For example, when r is increased from 4 to 10,

= 1001, that is, the function size of E'(x, ID) is only increased from 4095 items to 1001 X 9=9009 items, but its index against collusion attacks is increased from 58905. ₊₃₂ =1471442973, an increase of 2,4979.9 times, which is equivalent to: If there is a conspiracy attack on the public ID cryptosystem of the national ID of 1.4 billion in China, at least 1.47 billion private keys need to be purchased, obviously losing conspiracy The meaning of the attack.

Of course: even D. 0 The number of times is 4, and its function size is still large. For this reason, it is preferable to adopt the aforementioned "private key form personalization" technology point.

With the foregoing preferred embodiment, the ID mapping method is used to establish an identity-based working mode, so that all users of the entire network share a public key, which brings great convenience to the public key management in the network environment; The method of "multiple private key distribution center synthesis private key" and "private key form personalization" improves the anti-collusion attack ability of the cryptosystem.

The various embodiments in the present specification are based on the same technical concept, and therefore, the descriptions are all unique to the embodiments, and the same similar parts between the respective embodiments can be referred to each other. Moreover, for the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.

The method and system for encoding and decoding digital messages provided by the present invention are described in detail. The principles and implementations of the present invention are described in the following. The description of the above embodiments is only The method for understanding the present invention and its core idea; at the same time, for those skilled in the art, according to the idea of the present invention, there will be changes in specific embodiments and application scopes; The description should not be construed as limiting the invention.

Claims

Rights request

A method for encoding and decoding a digital message, comprising:

Select a positive integer w, n r, where m≥n,

Generating a public key containing E'(x, ID), wherein the E'(x, ID) is from x _m , ID _b ..., ID _r ) ilJ (y!, on the domain F) Jv) of the non-linear mapping function group, the ID = (ID _1; ..., ID is the identity of the authorized user;

Generating a private key corresponding to the identity identifier for the authorized user whose identity is π; using the public key and Π, encoding the message to obtain the encoded message N; using the private key to perform the encoded message N Decoding to obtain a decoded message L;

And/or, encoding the message by using the private key to obtain an encoded message, using the public key and ID (^), decoding the encoded message N' to obtain a decoded message 7 .

2. The method of claim 1 wherein the public key and the private key are obtained by:

Select a positive integer ", where m≥n≥n, and w> ",;

Set the set of reversible nonlinear mapping functions from X to : , . =E(x, ID) =

ID ₁ ... , ID _r ), ... , E _n (x _u ..., x _m , ID _h ... , ID _r )) _;

Generating a private key according to the inverse function of E(x, ID);

Select "' function as E' ^ ID in EX, ID;> to get the public key; where Ε' contains the function: E'( , ID) = (Ει( ι, x _m , IDi, ID _r ), E _n -(xx _m , ^ ..., 10 ).

3. The method of claim 1, wherein the public key and the private key are obtained by the following steps:

Select a positive integer "where m > n ≥ T;

Set the interface function RO, which is used to get "a function about:" according to :): " ₀ (x) = ( u ₀ i(xi, ·· x _m \ ... ·, u _Qn (xx, ···, x _m )) = R(x);

Select the meta-reversible linear transformation T = (T _b T _i+ !) on the domain F, where each includes the relevant n-ary linear polynomial on the domain F;

Selecting the "metainvertible nonlinear transformation G = (G ₁ where, each of the functions including n on the domain F);

At least one of the T and/or G coefficients is a mapping function of the ID; According to the preset rules, the "«", T and G are synthesized, and the nonlinear mapping function group from X, ID to ; is obtained: (yi, — ., y _n ) = E(x, ID) = (E^ , — . , x _m , IDh — . JD , E^, — . , x _m ,

Select "' function as E'(x, ID) in E(x, ID) to get the public key; where E'(x, ID) contains a function for (A, x _m , ID _b :©) E'(x, ID) = (EiC !, x _m , ID _b ID _r ), ... , E _w i, ... , x _m , IDi, ... , ID _r ));

Generating an inverse function T ^{1 of} T, generating an inverse function G- ^{1 of} G; substituting the value of the authorized user's identity into T- ¹ and G- ¹ , and calculating the DO associated with the identity; generating and identifying the identity Corresponding private key, the private key includes and D0.

4. The method of claim 3, wherein at least one of the coefficients in the last layer is a mapping function of the ID; and/or at least one of the coefficients in the last layer is a mapping function of the ID.

5. The method of claim 3, wherein

It also includes setting a one-way function chain HO), and a step of the inverse function H- ¹ ^ of the one-way function chain; and the specific coding code is optimized to:

Translating the original message into an intermediate result message M by using a one-way function chain HO), encoding the message by using the public key and ID (^) to obtain an encoded message N; and using the private key to encode the message N Decoding, obtaining a decoded message, converting the intermediate result message into a final decoding result by using an inverse function of the one-way function chain:) and the private key;

Alternatively, the message is encoded by using the private key to obtain an intermediate result z, and the intermediate result z is converted into a digital signature message N' by the inverse function H- ¹ ^ of the one-way function chain and the private key _; and, through the one-way function The chain HO) converts the digital signature message N' into an intermediate result X, and uses the public key and ID (^) to decode the intermediate result X to obtain a decoded message '.

6. The method according to claim 1, wherein the private key is established by: calculating D0, wherein the DO is related to an ID;

Dividing the DO into at least two parts, stored in at least two private key distribution centers, each part being associated with an ID;

Each private key distribution center calculates a part of the private key according to the ID of the authorized user, and sends it to the user;

The user synthesizes the various parts of the private key and calculates the private key.

7. The method of claim 1, further comprising:

In the process of generating the private key, insert a random transform w :) and inverse wi ) o

8. The method of claim 1 wherein:

The E'( _X , ID) contains a rational fractional function for (xl, ..., _xm , lO _u ..., ID).

A system for encoding and decoding a digital message, comprising: a public key generating unit, configured to generate a public key including E' (x, ID), the E' (x) , ID) is a set of nonlinear mapping functions from ..., x _m , ID _b lO _r ) \iyx, ..., j ) on the domain F, the ID = (ID _1; ..., ID is the identity of the authorized user; where m, nr are positive integers, m≥n,

10. The system according to claim 9, wherein the private key generating unit further comprises: