WO2017063114A1 - Method for establishing secure attack-resistant public key cryptographic algorithm - Google Patents


Info

Publication number: WO2017063114A1
Application number: PCT/CN2015/091710
Authority: WO, WIPO (PCT)
Prior art keywords: party, agreement, protocol, calculates, selects
Other languages: French (fr), Chinese (zh)
Inventors: 王晓峰, 王威鉴
Original assignee: 王晓峰, 王威鉴
Application filed by 王晓峰, 王威鉴
Priority to CN201580000535.1A (CN106664199A) and PCT/CN2015/091710 (WO2017063114A1)
Publication of WO2017063114A1

Classifications

    • H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: ... for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic

Definitions

  • Elements of the braid group B_n are represented by words over the set {σ1, σ2, ..., σn-1}, each element by its unique normal form.
  • The group B_n contains the following two subgroups:
  • the left braid group LB_n and the right braid group RB_n of B_n, i.e. the subgroups generated by σ1, σ2, ..., σm-1 and by σm+1, σm+2, ..., σn-1 respectively, so that for any a ∈ LB_n and any b ∈ RB_n, ab = ba; the subgroup A of G is taken to be LB_n and the subgroup B of G to be RB_n;
  • LB_n and RB_n each contain a subgroup isomorphic to F2 × F2, the direct product of two free groups of rank 2:
  • LA = <σ_{m-5}^2, σ_{m-4}^2, σ_{m-2}^2, σ_{m-1}^2> ≤ LB_n
  • RA = <σ_{m+1}^2, σ_{m+2}^2, σ_{m+4}^2, σ_{m+5}^2> ≤ RB_n;
  • The invention applies a bilateral double-insurance (double-locking) technique by having each party of the protocol select four elements as its private key, and proves that every possible attack is computationally infeasible, i.e. the public key cryptosystem of the invention resists all known attacks, including quantum computing attacks. Compared with the prior art it has the following advantages:
  • G must also meet the following conditions:
  • G has at least exponential growth, that is, the number of elements of G whose word length is a positive integer n is bounded below by an exponential function of n;
  • The parties to the protocol are Alice and Bob.
  • In step 4) of the above protocol, since d1, d2 ∈ RB_n and a1, a2, b3, b4 ∈ LB_n, d1^-1 and d2^-1 commute with b3, a1 and with b4, a2 respectively, which gives the last equation of that step; the last equation of step 5) is obtained in the same way.
  • Θ: B_n → {0,1}^k is a collision-resistant hash function from the group B_n to the plaintext space {0,1}^k.
  • Alice's public key is (B_n, LB_n, RB_n, g, Θ); she selects a1, a2, a3, a4, b1, b2, b3, b4 ∈ LB_n, and her private key is b1, b2, b3, b4.
  • Bob selects c1, c2, c3, c4, d1, d2, d3, d4 ∈ RB_n and uses d1, d2, d3, d4 as his private key.
  • Alice's public key is (B_n, LB_n, RB_n, g, x, Θ), and her private key is b1, b2, b3, b4.
  • The parties to the protocol are again Alice and Bob: Alice and Bob jointly select an element g in B_n, Alice selects four elements b1, b3 ∈ LB_n and d2, d4 ∈ RB_n as her private key, and Bob selects four elements b2, b4 ∈ LB_n and d1, d3 ∈ RB_n as his private key;
  • In step 4.1) of the above protocol, since c1, c2, c3, c4, d1, d2 ∈ RB_n and a1, a2, a3, a4, b1, b2 ∈ LB_n, d1^-1 and d2^-1 commute with a1, a2, a3, a4, b1, b2, and b1^-1, b2^-1 commute with c1, c2, c3, c4, d1, d2, which gives the last equation of that step; the last equation of step 5.1) is obtained in the same way.
  • Subgroup membership problem, or generalized word problem (GWP): given a subgroup H of a group G with generating set X, decide whether an arbitrary element g of G can be represented by a word over X, i.e. whether g is an element of H.
  • GWP: generalized word problem
  • GDSP: generalized (extended) decomposition search problem
  • When the non-commutative group G is the infinite braid group B_n of index n ≥ 12, A and B are the subgroups LB_n and RB_n of B_n, and the private keys b1, b2, b3, b4 and d1, d2, d3, d4 are selected in the Mihailova subgroup M_LA(H) of LB_n and the Mihailova subgroup M_RA(H) of RB_n respectively, then in the attack above Eve, by solving the GDSP problem, obtains h1, h2, h3, h4, h5, h6 ∈ LB_n and g1, g2, g3, g4, g5, g6.
  • Because the private keys b1, b2, b3, b4 and d1, d2, d3, d4 are selected from the Mihailova subgroups M_LA(H) and M_RA(H) of the braid group B_n respectively,
  • the private keys in the protocol cannot be attacked.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of information security. Disclosed is a method for establishing a secure attack-resistant public key cryptographic algorithm comprising a method for generating a shared key. The method for generating a shared secret key comprises the following steps: (11) establishing an infinite non-abelian group G; (12) choosing, by each of two entities of a protocol, four elements in G as private keys; (13) computing y by a second entity of the protocol, and sending y to a first entity of the protocol; (14) computing x and z by the first entity of the protocol, and sending (x, z) to the second entity of the protocol; (15) computing w and v by the second entity of the protocol, and sending (w, v) to the first entity of the protocol; (16) computing u by the first entity of the protocol, and sending u to the second entity of the protocol; and (17) computing K_A by the first entity of the protocol, and computing K_B by the second entity of the protocol, so as to obtain a shared key K = K_A = K_B. The security of the above method for establishing a public key cryptographic algorithm has been adequately theoretically proved. The introduction of a double locking technique enables the method for establishing a public key cryptographic algorithm to prevent all known attacks including a quantum computational attack. Moreover, since a selection of a private key is undecryptable, the method has high security.

Description

Method for establishing an attack-resistant secure public key cryptosystem
Technical field
The present invention relates to the field of information security, and in particular to a cryptographic technique for establishing a public key cryptosystem that resists various known attacks, including quantum computing attacks.
Background art
In classical public key cryptographic algorithms, the computationally hard problems on which security rests become far less intractable as computer performance improves. In particular, the well-known quantum algorithm proposed by Shor in 1997 performs integer factorization and discrete logarithm computation in polynomial time, which means that once quantum computers are realized, public key protocols built on RSA, ECC, ElGamal and similar algorithms will no longer be secure. Against the public key cryptosystem based on the conjugacy problem of braid group elements proposed by Ko et al., attacks such as length-based attacks, linear representation attacks and super-summit-set attacks have successively been found, so the corresponding public key cryptosystems also carry security risks.
A method for establishing a public key cryptosystem resistant to quantum computing attacks, which effectively resists many known attacks, is given in Chinese patent application no. 201380001693.X. However, because each party of that protocol applies only a single layer of protection at each step of the protocol, an attacker who satisfies certain conditions can obtain the shared key agreed by the two parties, so a security risk remains.
Summary of the invention
To solve the hidden security problems of existing public key cryptography, the object of the present invention is to provide, through the innovative introduction of a double-locking technique, a method for establishing a public key cryptosystem that resists various attacks.
The object of the present invention is achieved as follows. A method for establishing an attack-resistant secure public key cryptosystem comprises a method for generating a shared key, also called a shared-key generation protocol, which includes the following steps:
(11) Establish an infinite non-abelian group G and two subgroups A and B of G such that for any a ∈ A and any b ∈ B the equation ab = ba holds;
(12) Both parties of the protocol select an element g in G; the first party selects four elements b1, b2, b3, b4 ∈ A as its private key, and the second party selects four elements d1, d2, d3, d4 ∈ B as its private key;
(13) The second party selects two elements c1, c2 ∈ B, computes y = d1 c1 g c2 d2, and sends y to the first party;
(14) The first party selects four elements a1, a2, a3, a4 ∈ A, computes
x = b1 a1 g a2 b2 and z = b3 a3 a1 y a2 a4 b4 = b3 a3 a1 d1 c1 g c2 d2 a2 a4 b4,
and sends (x, z) to the second party;
(15) The second party selects two elements c3, c4 ∈ B, computes
w = d3 c3 c1 x c2 c4 d4 = d3 c3 c1 b1 a1 g a2 b2 c2 c4 d4
and
v = c3 d1^-1 z d2^-1 c4 = c3 d1^-1 b3 a3 a1 d1 c1 g c2 d2 a2 a4 b4 d2^-1 c4 = c3 b3 a3 a1 c1 g c2 a2 a4 b4 c4,
and sends (w, v) to the first party;
(16) The first party computes
u = a3 b1^-1 w b2^-1 a4 = a3 b1^-1 d3 c3 c1 b1 a1 g a2 b2 c2 c4 d4 b2^-1 a4 = a3 d3 c3 c1 a1 g a2 c2 c4 d4 a4,
and sends u to the second party;
(17) The first party computes K_A = b3^-1 v b4^-1 = c3 a3 a1 c1 g c2 a2 a4 c4, and the second party computes K_B = d3^-1 u d4^-1 = a3 c3 c1 a1 g a2 c2 c4 a4.
Since a1, a2, a3, a4 ∈ A and c1, c2, c3, c4 ∈ B, a1 and a3 commute with c1 and c3, and a2 and a4 commute with c2 and c4, so the first party and the second party arrive at the shared key K = K_A = K_B.
As a preferred embodiment, a method for encrypting and decrypting information data is further included, comprising the following steps:
(21) Define the encoded plaintext to be encrypted as m ∈ {0,1}^k, i.e. a 0-1 string of length k, and define Θ: G → {0,1}^k to be a collision-resistant hash function from the group G to the plaintext space {0,1}^k; the first party selects (G, A, B, g, Θ) as its public key;
(22) Encryption: the second party first computes K_B = d3^-1 u d4^-1 = a3 c3 c1 a1 g a2 c2 c4 a4 and then performs the encryption computation
Figure PCTCN2015091710-appb-000001
and sends t as the ciphertext to the first party, where
Figure PCTCN2015091710-appb-000002
is the exclusive-OR operation;
(23) Decryption: the first party first computes K_A = b3^-1 v b4^-1 = c3 a3 a1 c1 g c2 a2 a4 c4 and then performs the decryption computation
Figure PCTCN2015091710-appb-000003
(24) Verification that m′ = m: by the key exchange protocol K_A = K_B, so
Figure PCTCN2015091710-appb-000004
As a preferred embodiment, a digital signature method is further included, comprising the following steps:
(31) Define the encoded plaintext to be signed as p, and define Θ: G → {0,1}^k to be a collision-resistant hash function; the first party selects (G, A, B, g, Θ) as its public key;
(32) Signing: the first party computes K_A = b3^-1 v b4^-1 = c3 a3 a1 c1 g c2 a2 a4 c4 and S = Θ(p K_A); the first party takes S as its signature on the information p and sends (S, p) to the second party;
(33) Verification: the second party computes K_B = d3^-1 u d4^-1 = a3 c3 c1 a1 g a2 c2 c4 a4 and S′ = Θ(p K_B); if S′ = S, the second party accepts S as the first party's signature on the information p, otherwise the second party rejects S as the first party's signature on p.
As a preferred embodiment, an identity authentication method is further included, in which the first party of the protocol is the prover and the second party is the verifier; the identity authentication method comprises the following steps:
(41) The first party selects a collision-resistant hash function Θ: G → {0,1}^k and selects (G, A, B, g, Θ) as its public key;
(42) The second party computes y = d1 c1 g c2 d2 and w = d3 c3 c1 x c2 c4 d4, where x = b1 a1 g a2 b2, and sends (y, w) to the first party as challenge one;
(43) The first party computes
z = b3 a3 a1 y a2 a4 b4 and u = a3 b1^-1 w b2^-1 a4 = a3 d3 c3 c1 a1 g a2 c2 c4 d4 a4,
where y = d1 c1 g c2 d2, and sends (z, u) to the second party as the response;
(44) The second party computes v = c3 d1^-1 z d2^-1 c4 = c3 b3 a3 a1 c1 g c2 a2 a4 b4 c4 and sends v to the first party as challenge two;
(45) The first party computes t = Θ(b3^-1 v b4^-1) = Θ(c3 a3 a1 c1 g c2 a2 a4 c4) and sends t to the second party as the commitment;
(46) The second party computes t′ = Θ(d3^-1 u d4^-1) = Θ(a3 c3 c1 a1 g a2 c2 c4 a4) and checks whether t = t′; if t = t′, the second party accepts the identity of the first party, otherwise it rejects it.
A method for establishing an attack-resistant secure public key cryptosystem comprises a method for generating a shared key; another method for generating a shared key includes the following steps:
(11.1) Establish an infinite non-abelian group G and two subgroups A and B of G such that for any a ∈ A and any b ∈ B the equation ab = ba holds;
(12.1) Both parties of the protocol select an element g in G; the first party selects four elements b10, b30 ∈ A and d20, d40 ∈ B as its private key, and the second party selects four elements b20, b40 ∈ A and d10, d30 ∈ B as its private key;
(13.1) The second party selects two elements a20 ∈ A and c10 ∈ B, computes y = d10 c10 g a20 b20, and sends y to the first party;
(14.1) The first party selects four elements a10, a30 ∈ A and c20, c40 ∈ B, computes
x = b10 a10 g c20 d20 and z = b30 a30 a10 y c20 c40 d40 = b30 a30 a10 d10 c10 g a20 b20 c20 c40 d40,
and sends (x, z) to the second party;
(15.1) The second party selects two elements a40 ∈ A and c30 ∈ B, computes
w = d30 c30 c10 x a20 a40 b40 = d30 c30 c10 b10 a10 g c20 d20 a20 a40 b40
and
v = c30 d10^-1 z b20^-1 a40 = c30 d10^-1 b30 a30 a10 d10 c10 g a20 b20 c20 c40 d40 b20^-1 a40
= c30 b30 a30 a10 c10 g a20 c20 c40 d40 a40,
and sends (w, v) to the first party;
(16.1) The first party computes
u = a30 b10^-1 w d20^-1 c40 = a30 b10^-1 d30 c30 c10 b10 a10 g c20 d20 a20 a40 b40 d20^-1 c40
= a30 d30 c30 c10 a10 g c20 a20 a40 b40 c40,
and sends u to the second party;
(17.1) The first party computes K_A = b30^-1 v d40^-1 = c30 a30 a10 c10 g a20 c20 c40 a40, and the second party computes K_B = d30^-1 u b40^-1 = a30 c30 c10 a10 g c20 a20 a40 c40.
Since a10, a20, a30, a40 ∈ A and c10, c20, c30, c40 ∈ B, a10, a20, a30, a40 commute with c10, c20, c30, c40 respectively, so the first party and the second party arrive at the shared key K = K_A = K_B.
As a preferred embodiment, a method for encrypting and decrypting information data is further included, comprising the following steps:
(21.1) Define the encoded plaintext to be encrypted as m ∈ {0,1}^k, i.e. a 0-1 string of length k, and define Θ: G → {0,1}^k to be a collision-resistant hash function from the group G to the plaintext space {0,1}^k; the first party selects (G, A, B, g, Θ) as its public key;
(22.1) Encryption: the second party first computes K_B = d30^-1 u b30^-1 = a30 c30 c10 a10 g c20 a20 a40 c40 and then performs the encryption computation
Figure PCTCN2015091710-appb-000005
and sends t as the ciphertext to the first party, where
Figure PCTCN2015091710-appb-000006
is the exclusive-OR operation;
(23.1) Decryption: the first party first computes K_A = b40^-1 v d40^-1 = c30 a30 a10 c10 g a20 c20 c40 a40 and then performs the decryption computation
Figure PCTCN2015091710-appb-000007
(24.1) Verification that m′ = m: by the key exchange protocol K_A = K_B, so
Figure PCTCN2015091710-appb-000008
As a preferred embodiment, a digital signature method is further included, comprising the following steps:
(31.1) Define the encoded plaintext to be signed as p, and define Θ: G → {0,1}^k to be a collision-resistant hash function; the first party selects (G, A, B, g, Θ) as its public key;
(32.1) Signing: the first party computes K_A = b40^-1 v d40^-1 = c30 a30 a10 c10 g a20 c20 c40 a40 and S = Θ(p K_A); the first party takes S as its signature on the information p and sends (S, p) to the second party;
(33.1) Verification: the second party computes K_B = d30^-1 u b30^-1 = a30 c30 c10 a10 g c20 a20 a40 c40 and S′ = Θ(p K_B); if S′ = S, the second party accepts S as the first party's signature on the information p, otherwise the second party rejects S as the first party's signature on p.
As a preferred embodiment, an identity authentication method is further included, in which the first party of the protocol is the prover and the second party is the verifier; the identity authentication method comprises the following steps:
(41.1) The first party selects a collision-resistant hash function Θ: G → {0,1}^k and selects (G, A, B, g, Θ) as its public key;
(42.1) The second party computes y = d10 c10 g a20 b20 and w = d30 c30 c10 x a20 a40 b40 = d30 c30 c10 b10 a10 g c20 d20 a20 a40 b40, and sends (y, w) to the first party as challenge one;
(43.1) The first party computes
z = b30 a30 a10 y c20 c40 d40 = b30 a30 a10 d10 c10 g a20 b20 c20 c40 d40
and
u = a30 b10^-1 w d20^-1 c40 = a30 d30 c30 c10 a10 g c20 a20 a40 b40 c40,
and sends (z, u) to the second party as the response;
(44.1) The second party computes v = c30 d10^-1 z b20^-1 a40 = c30 b30 a30 a10 c10 g a20 c20 c40 d40 a40 and sends v to the first party as challenge two;
(45.1) The first party computes t = Θ(b30^-1 v d40^-1) = Θ(c30 a30 a10 c10 g a20 c20 c40 a40) and sends t to the second party as the commitment;
(46.1) The second party computes t′ = Θ(d30^-1 u b40^-1) = Θ(a30 c30 c10 a10 g c20 a20 a40 c40) and checks whether t = t′; if t = t′, the second party accepts the identity of the first party, otherwise it rejects it.
Preferably, the infinite non-commutative group G is a braid group. Generating sets are given for Mihailova subgroups of the braid group B_n (n ≥ 12) whose subgroup membership problem is unsolvable, and, to resist quantum computing attacks, it is recommended that the private keys of both parties be generated from the generators of these Mihailova subgroups.
The infinite non-commutative group G is taken to be the braid group B_n of index n ≥ 12, the group defined by the presentation
B_n = ⟨σ_1, σ_2, …, σ_{n-1} | σ_i σ_j = σ_j σ_i for |i − j| ≥ 2, σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1} for 1 ≤ i ≤ n − 2⟩,
and every element of the group is represented by the unique normal-form word over the set {σ_1, σ_2, …, σ_{n-1}} that represents it.
The braid group B_n contains the following two subgroups. Let m be the largest integer not greater than n/2; the left braids LB_n and the right braids RB_n of B_n are respectively
LB_n = ⟨σ_1, σ_2, …, σ_{m-1}⟩ and RB_n = ⟨σ_{m+1}, σ_{m+2}, …, σ_{n-1}⟩,
that is, the subgroups generated by σ_1, σ_2, …, σ_{m-1} and by σ_{m+1}, σ_{m+2}, …, σ_{n-1} respectively; for any a ∈ LB_n and any b ∈ RB_n, ab = ba. The subgroup A of G is taken to be LB_n and the subgroup B of G is taken to be RB_n.
When n ≥ 12, LB_n and RB_n each contain a subgroup isomorphic to F_2 × F_2, the direct product of two free groups of rank 2:
LA = ⟨σ_{m-5}^2, σ_{m-4}^2, σ_{m-2}^2, σ_{m-1}^2⟩ ≤ LB_n
and
RA = ⟨σ_{m+1}^2, σ_{m+2}^2, σ_{m+4}^2, σ_{m+5}^2⟩ ≤ RB_n.
By having each party to the protocol select four elements as its private key, the invention applies a bilateral double-lock (double-insurance) technique and proves that every possible attack is effectively non-computable; that is, the public key cryptographic method of the invention resists all known attacks, including quantum computing attacks. Compared with the prior art it has the following advantages:
1. A theoretical proof is given that all attacks on the public key cryptographic algorithm of the invention are effectively non-computable, so the algorithm resists all known attacks, including quantum computing attacks;
2. Because the subgroup membership problem of the Mihailova subgroups is unsolvable, the choice of private keys is secure and reliable, and the keys can be reused.
Detailed description of the embodiments
The method of the invention for establishing a public key cryptographic protocol resistant to quantum computing attacks is described in further detail below with reference to embodiments.
1. Platform for establishing the public key cryptographic protocols
The platform on which all of the public key cryptographic protocols are built is an infinite non-abelian group G together with two subgroups A and B of G such that for any a ∈ A and any b ∈ B the equation ab = ba holds. In addition, because of the needs of encoding and key generation, G must satisfy the following conditions:
1) words over the generating set of G that represent elements of G have a computable normal form;
2) G has at least exponential growth, that is, the number of elements of G of word length n, for positive integer n, is bounded below by an exponential function of n;
3) the group product and the inverse, computed on normal forms, are effectively computable.
To this end, the infinite non-commutative group G is taken to be the braid group B_n of index n ≥ 12; B_n has the properties above and is the group defined by the following presentation:
B_n = ⟨σ_1, σ_2, …, σ_{n-1} | σ_i σ_j = σ_j σ_i for |i − j| ≥ 2, σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1} for 1 ≤ i ≤ n − 2⟩,
and every element of the group is represented by the unique normal-form word over the set {σ_1, σ_2, …, σ_{n-1}} that represents it.
The braid group B_n contains the following two subgroups. Let m be the largest integer not greater than n/2; the left braids LB_n and the right braids RB_n of B_n are respectively
LB_n = ⟨σ_1, σ_2, …, σ_{m-1}⟩ and RB_n = ⟨σ_{m+1}, σ_{m+2}, …, σ_{n-1}⟩,
that is, the subgroups generated by σ_1, σ_2, …, σ_{m-1} and by σ_{m+1}, σ_{m+2}, …, σ_{n-1} respectively; for any a ∈ LB_n and any b ∈ RB_n, ab = ba.
When n ≥ 12, LB_n and RB_n each contain a subgroup isomorphic to F_2 × F_2, the direct product of two free groups of rank 2:
LA = ⟨σ_{m-5}^2, σ_{m-4}^2, σ_{m-2}^2, σ_{m-1}^2⟩ ≤ LB_n
and
RA = ⟨σ_{m+1}^2, σ_{m+2}^2, σ_{m+4}^2, σ_{m+5}^2⟩ ≤ RB_n.
From a finitely presented group H generated by two elements whose word problem is unsolvable, a Mihailova subgroup M_LA(H) of LA and a Mihailova subgroup M_RA(H) of RA are constructed. The 56 generators of M_LA(H), with i = m − 5, are listed below; setting i = m + 1 instead gives the 56 generators of M_RA(H):
Figure PCTCN2015091710-appb-000011 (the 56 generators of M_LA(H))
The 27 words S_ij are as follows (replacing every σ_i in each S_ij below by σ_{i+3} and every σ_{i+1} by σ_{i+4} gives the corresponding 27 words T_ij, j = 1, 2, …, 27):
Figures PCTCN2015091710-appb-000012 to PCTCN2015091710-appb-000038 (the 27 words S_ij)
2. Core protocol one for establishing the public key cryptosystem
In this embodiment the two parties to the protocol are Alice and Bob.
1) Alice and Bob jointly select an element g ∈ B_n; Alice selects four elements b_1, b_2, b_3, b_4 ∈ LB_n as her private key, and Bob selects four elements d_1, d_2, d_3, d_4 ∈ RB_n as his private key;
2) Bob selects two elements c_1, c_2 ∈ RB_n, computes y = d_1 c_1 g c_2 d_2, and sends y to Alice;
3) Alice selects four elements a_1, a_2, a_3, a_4 ∈ LB_n, computes
x = b_1 a_1 g a_2 b_2 and z = b_3 a_3 a_1 y a_2 a_4 b_4 = b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4,
and sends (x, z) to Bob;
4) Bob selects two elements c_3, c_4 ∈ RB_n, computes
w = d_3 c_3 c_1 x c_2 c_4 d_4 = d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4
and
v = c_3 d_1^{-1} z d_2^{-1} c_4 = c_3 d_1^{-1} b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4 d_2^{-1} c_4 = c_3 b_3 a_3 a_1 c_1 g c_2 a_2 a_4 b_4 c_4,
and sends (w, v) to Alice;
5) Alice computes
u = a_3 b_1^{-1} w b_2^{-1} a_4 = a_3 b_1^{-1} d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4 b_2^{-1} a_4 = a_3 d_3 c_3 c_1 a_1 g a_2 c_2 c_4 d_4 a_4,
and sends u to Bob.
In step 4) of the above protocol, since d_1, d_2 ∈ RB_n and a_1, a_2, b_3, b_4 ∈ LB_n, the element d_1^{-1} commutes with b_3 and a_1, and d_2^{-1} commutes with b_4 and a_2, which gives the last equality of that step. The last equality of step 5) follows in the same way.
A preferred embodiment establishing a key exchange protocol:
After the five steps of the core protocol, proceed as follows:
6) Alice computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4, and Bob computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4.
Since a_1, a_2, a_3, a_4 ∈ LB_n and c_1, c_2, c_3, c_4 ∈ RB_n, the elements a_1, a_3 commute with c_1, c_3 and the elements a_2, a_4 commute with c_2, c_4, so Alice and Bob arrive at the shared key K = K_A = K_B.
A preferred embodiment establishing a data encryption protocol:
Let the (encoded) plaintext to be encrypted be m ∈ {0,1}^k (a 0-1 string of length k), and let Θ: B_n → {0,1}^k be a collision-resistant hash function from the group B_n to the plaintext space {0,1}^k. Alice's public key is (B_n, LB_n, RB_n, g, Θ); she selects a_1, a_2, a_3, a_4, b_1, b_2, b_3, b_4 ∈ LB_n, and her private key is b_1, b_2, b_3, b_4. Bob selects c_1, c_2, c_3, c_4, d_1, d_2, d_3, d_4 ∈ RB_n, and his private key is d_1, d_2, d_3, d_4. After the five steps of the core protocol, proceed as follows:
6) Encryption: Bob first computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4, then computes (encrypts)
Figure PCTCN2015091710-appb-000039
and sends t to Alice as the ciphertext. Here
Figure PCTCN2015091710-appb-000040
denotes the exclusive-or (XOR) operation.
7) Decryption: Alice first computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4, then computes (decrypts)
Figure PCTCN2015091710-appb-000041
Verification that m′ = m: by the key exchange protocol K_A = K_B, so
Figure PCTCN2015091710-appb-000042
A preferred embodiment establishing a digital signature protocol:
Let the (encoded) plaintext to be signed be p, and let Θ: B_n → {0,1}^k be a collision-resistant hash function. Alice's public key is (B_n, LB_n, RB_n, g, Θ); she selects a_1, a_2, a_3, a_4, b_1, b_2, b_3, b_4 ∈ LB_n, and her private key is b_1, b_2, b_3, b_4. Bob selects c_1, c_2, c_3, c_4, d_1, d_2, d_3, d_4 ∈ RB_n, and his private key is d_1, d_2, d_3, d_4. After the five steps of the core protocol, proceed as follows:
6) Signing: Alice computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4 and S = Θ(p K_A); Alice takes S as her signature on the document p and sends (S, p) to Bob.
7) Verification: Bob computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4 and S′ = Θ(p K_B); if S′ = S, Bob accepts S as Alice's signature on the document p, otherwise Bob rejects S as Alice's signature on p.
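The platform of section 1 (a braid group with a computable normal form and two elementwise-commuting subgroups LB_n and RB_n), core protocol one, and the key exchange, encryption and signature steps built on it, as one added example that is not code from the patent or its inventors. Braids are words over the Artin generators σ_1, …, σ_11 of B_12, and equality is decided through Artin's faithful action of B_n on the free group F_n, which is this example's own choice of normal form (the patent only requires that some computable normal form exist). Three further points are assumptions: Θ is instantiated as SHA-256 over the normal form; the encryption formula, shown only as a figure on this page, is taken to be t = m ⊕ Θ(K_B) with decryption m′ = t ⊕ Θ(K_A); and "Θ(p K_A)" in the signature is read as a hash over p concatenated with the normal form of K_A. All elements are tiny constructed values for checking correctness only, far below the 128-bit sizes and the Mihailova-subgroup selection the patent prescribes; what the run shows is that K_A = K_B follows purely from LB_n and RB_n commuting elementwise, while x, y, z, w, u, v are the only values that cross the wire.

```python
"""Toy run of the patent's core protocol one on the braid group B_12 (added
example, not the patent's own code).  A braid is a word over the Artin
generators, stored as signed ints: +i is sigma_i, -i is sigma_i^{-1}.
Equality is decided with Artin's faithful action of B_n on the free group
F_n = <x_1..x_n>: two words are the same braid iff they send every x_j to the
same freely reduced word.  That normal form is this example's own choice."""
import hashlib

N = 12  # index of the braid group; the patent requires n >= 12, so m = 6


def free_reduce(word):
    """Cancel adjacent x x^-1 pairs in a free-group word."""
    out = []
    for letter in word:
        if out and out[-1] == -letter:
            out.pop()
        else:
            out.append(letter)
    return out


def act(gen, word):
    """Artin's action of sigma_gen (signed) on a free-group word:
    sigma_i:    x_i -> x_i x_{i+1} x_i^-1,  x_{i+1} -> x_i
    sigma_i^-1: x_i -> x_{i+1},             x_{i+1} -> x_{i+1}^-1 x_i x_{i+1}
    and every other x_j is fixed."""
    i = abs(gen)
    image = ({i: [i, i + 1, -i], i + 1: [i]} if gen > 0
             else {i: [i + 1], i + 1: [-(i + 1), i, i + 1]})
    out = []
    for letter in word:
        img = image.get(abs(letter), [abs(letter)])
        out.extend(img if letter > 0 else [-t for t in reversed(img)])
    return free_reduce(out)


class Braid:
    def __init__(self, *word):
        self.word = list(word)

    def __mul__(self, other):  # group product is word concatenation
        return Braid(*(self.word + other.word))

    def inv(self):  # reverse the word and invert every letter
        return Braid(*[-g for g in reversed(self.word)])

    def normal_form(self):
        """Images of x_1..x_n under the braid (letters composed right to left)."""
        images = []
        for j in range(1, N + 1):
            w = [j]
            for gen in reversed(self.word):
                w = act(gen, w)
            images.append(tuple(w))
        return tuple(images)

    def __eq__(self, other):
        return self.normal_form() == other.normal_form()

    def theta(self):
        """Theta: B_n -> {0,1}^256, instantiated as SHA-256 of the normal form."""
        return hashlib.sha256(repr(self.normal_form()).encode()).digest()


def core_protocol_one(g, alice_priv, bob_priv, alice_eph, bob_eph):
    """Steps 1)-5) of core protocol one and step 6) of the key exchange.
    Only y, (x, z), (w, v) and u cross the wire.  Returns (K_A, K_B)."""
    b1, b2, b3, b4 = alice_priv  # Alice's private key, in LB_n = <s_1..s_5>
    d1, d2, d3, d4 = bob_priv    # Bob's private key, in RB_n = <s_7..s_11>
    a1, a2, a3, a4 = alice_eph   # Alice's session elements, in LB_n
    c1, c2, c3, c4 = bob_eph     # Bob's session elements, in RB_n
    y = d1 * c1 * g * c2 * d2                      # 2) Bob -> Alice
    x = b1 * a1 * g * a2 * b2                      # 3) Alice -> Bob
    z = b3 * a3 * a1 * y * a2 * a4 * b4
    w = d3 * c3 * c1 * x * c2 * c4 * d4            # 4) Bob -> Alice
    v = c3 * d1.inv() * z * d2.inv() * c4
    u = a3 * b1.inv() * w * b2.inv() * a4          # 5) Alice -> Bob
    return b3.inv() * v * b4.inv(), d3.inv() * u * d4.inv()  # 6) K_A, K_B


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt(m, K_B):  # Bob: t = m XOR Theta(K_B)   (formula assumed from the text)
    return xor(m, K_B.theta())

def decrypt(t, K_A):  # Alice: m' = t XOR Theta(K_A)
    return xor(t, K_A.theta())

def sign(p, K):  # S = Theta(p || K); "pK_A" is read here as concatenation
    return hashlib.sha256(p + repr(K.normal_form()).encode()).digest()


def demo():
    """Run everything on fixed toy elements (constructed; far below the
    128-bit sizes and Mihailova-subgroup selection the patent calls for)."""
    g = Braid(6, -3)                                          # any g in B_12
    alice_priv = (Braid(1), Braid(3), Braid(-4), Braid(2))    # b1..b4
    alice_eph = (Braid(2, 3), Braid(-1), Braid(5), Braid(4))  # a1..a4
    bob_priv = (Braid(7), Braid(9), Braid(-10), Braid(8))     # d1..d4
    bob_eph = (Braid(8, 9), Braid(-7), Braid(11), Braid(10))  # c1..c4
    K_A, K_B = core_protocol_one(g, alice_priv, bob_priv, alice_eph, bob_eph)
    m = bytes(range(32))                                      # constructed plaintext
    t = encrypt(m, K_B)
    S = sign(b"document p", K_A)
    return {"keys_agree": K_A == K_B,
            "decrypt_ok": decrypt(t, K_A) == m,
            "ciphertext_differs": t != m,
            "signature_ok": sign(b"document p", K_B) == S}
```

Because the generators of LB_12 act only on x_1..x_6 and those of RB_12 only on x_7..x_12, the commutation the whole construction rests on is visible directly in the normal forms, and the middle generator σ_6 in g is what ties the two halves together. `demo()` returns four booleans, all of which are True on these inputs; changing any single private element on one side makes `keys_agree` False.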
A preferred embodiment of an identity authentication protocol built on the core protocol:
Alice selects an element g ∈ B_n, eight elements a_1, a_2, a_3, a_4, b_1, b_2, b_3, b_4 ∈ LB_n and a collision-resistant hash function Θ: B_n → {0,1}^k, and computes x = b_1 a_1 g a_2 b_2. Alice's public key is (B_n, LB_n, RB_n, g, x, Θ) and her private key is b_1, b_2, b_3, b_4.
Authentication procedure:
Let Alice be the prover and Bob the verifier.
1) Bob selects eight elements c_1, c_2, c_3, c_4, d_1, d_2, d_3, d_4 ∈ RB_n, with private key d_1, d_2, d_3, d_4. Bob computes
y = d_1 c_1 g c_2 d_2 and w = d_3 c_3 c_1 x c_2 c_4 d_4
and sends (y, w) to Alice as challenge one;
2) Alice selects two elements b_3, b_4 ∈ LB_n, computes
z = b_3 a_3 a_1 y a_2 a_4 b_4 and u = a_3 b_1^{-1} w b_2^{-1} a_4 = a_3 d_3 c_3 c_1 a_1 g a_2 c_2 c_4 d_4 a_4,
and sends (z, u) to Bob as her response;
3) Bob computes v = c_3 d_1^{-1} z d_2^{-1} c_4 = c_3 b_3 a_3 a_1 c_1 g c_2 a_2 a_4 b_4 c_4 and sends v to Alice as challenge two;
4) Alice computes t = Θ(b_3^{-1} v b_4^{-1}) = Θ(c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4) and sends t to Bob as her commitment;
5) Bob computes t′ = Θ(d_3^{-1} u d_4^{-1}) = Θ(a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4) and checks whether t = t′.
If t = t′, Bob accepts Alice's identity; otherwise he rejects it.
Core protocol two for establishing the public key cryptosystem
In this embodiment the two parties to the protocol are Alice and Bob.
1.1) Alice and Bob jointly select an element g ∈ B_n; Alice selects four elements b_1, b_3 ∈ LB_n and d_2, d_4 ∈ RB_n as her private key, and Bob selects four elements b_2, b_4 ∈ LB_n and d_1, d_3 ∈ RB_n as his private key;
2.1) Bob selects two elements a_2 ∈ LB_n and c_1 ∈ RB_n, computes y = d_1 c_1 g a_2 b_2, and sends y to Alice;
3.1) Alice selects two elements a_2 ∈ LB_n and c_1 ∈ RB_n, computes
x = b_1 a_1 g c_2 d_2 and z = b_3 a_3 a_1 y c_2 c_4 d_4 = b_3 a_3 a_1 d_1 c_1 g a_2 b_2 c_2 c_4 d_4,
and sends (x, z) to Bob;
4.1) Bob selects two elements a_4 ∈ LB_n and c_3 ∈ RB_n, computes
w = d_3 c_3 c_1 x a_2 a_4 b_4 = d_3 c_3 c_1 b_1 a_1 g c_2 d_2 a_2 a_4 b_4
and
v = c_3 d_1^{-1} z b_2^{-1} a_4 = c_3 d_1^{-1} b_3 a_3 a_1 d_1 c_1 g a_2 b_2 c_2 c_4 d_4 b_2^{-1} a_4 = c_3 b_3 a_3 a_1 c_1 g a_2 c_2 c_4 d_4 a_4,
and sends (w, v) to Alice;
5.1) Alice computes
u = a_3 b_1^{-1} w d_2^{-1} c_4 = a_3 b_1^{-1} d_3 c_3 c_1 b_1 a_1 g c_2 d_2 a_2 a_4 b_4 d_2^{-1} c_4 = a_3 d_3 c_3 c_1 a_1 g c_2 a_2 a_4 b_4 c_4,
and sends u to Bob.
In step 4.1) of the above protocol, since c_1, c_2, c_3, c_4, d_1, d_2 ∈ RB_n and a_1, a_2, a_3, a_4, b_1, b_2 ∈ LB_n, the elements d_1^{-1}, d_2^{-1} commute with a_1, a_2, a_3, a_4, b_1, b_2, and the elements b_1^{-1}, b_2^{-1} commute with c_1, c_2, c_3, c_4, d_1, d_2, which gives the last equality of that step. The last equality of step 5.1) follows in the same way.
3.3 Application protocols
The following application protocols are built on the core protocol.
A preferred embodiment establishing a key exchange protocol:
After the five steps of the core protocol, proceed as follows:
6.1) Alice computes K_A = b_3^{-1} v d_4^{-1} = c_3 a_3 a_1 c_1 g a_2 c_2 c_4 a_4, and Bob computes K_B = d_3^{-1} u b_4^{-1} = a_3 c_3 c_1 a_1 g c_2 a_2 a_4 c_4.
Since a_1, a_2, a_3, a_4 ∈ LB_n and c_1, c_2, c_3, c_4 ∈ RB_n, each of a_1, a_2, a_3, a_4 commutes with each of c_1, c_2, c_3, c_4, so Alice and Bob arrive at the shared key K = K_A = K_B.
V. Security analysis
We give only the security of the key exchange protocol.
First, two decision problems on groups are defined.
Subgroup membership problem (or generalized word problem, abbreviated GWP): given a subgroup H of a group G with generating set X, decide whether an arbitrary element g of G can be represented by a word over X, that is, whether g is an element of H.
Generalized decomposition search problem (abbreviated GDSP): let g and h be two elements of a group G, and let H and K be two subgroups of G. It is known that there exist an element c of H and an element d of K such that h = cgd. Find an element c′ of H and an element d′ of K such that h = c′gd′.
In the core protocol, the information that the attacker Eve can obtain from the public information and from the interactive exchange between Alice and Bob is the following:
the infinite non-commutative group G, two subgroups A and B of G such that ab = ba for any a ∈ A and any b ∈ B, an element g ∈ G, and the following elements of G:
x = b_1 a_1 g a_2 b_2, y = d_1 c_1 g c_2 d_2,
z = b_3 a_3 a_1 y a_2 a_4 b_4 = b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4,
w = d_3 c_3 c_1 x c_2 c_4 d_4 = d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4,
v = c_3 d_1^{-1} z d_2^{-1} c_4 = c_3 d_1^{-1} b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4 d_2^{-1} c_4 = c_3 b_3 a_3 a_1 c_1 g c_2 a_2 a_4 b_4 c_4,
u = a_3 b_1^{-1} w b_2^{-1} a_4 = a_3 b_1^{-1} d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4 b_2^{-1} a_4 = a_3 d_3 c_3 c_1 a_1 g a_2 c_2 c_4 d_4 a_4.
Note that Eve knows only the normal forms of the words representing the elements x, y, z, w, u, v; she does not know the corresponding factorizations.
If Eve could obtain c_1′, c_2′ ∈ B and a_1′, a_2′ ∈ A by solving the GDSP such that a_1′ g a_2′ = a_1 g a_2 and c_1′ g c_2′ = c_1 g c_2, then, because elements of A and B commute,
c_1′ a_1′ g a_2′ c_2′ = c_1′ a_1 g a_2 c_2′ = a_1 c_1′ g c_2′ a_2 = a_1 c_1 g c_2 a_2.
So Eve would first need to obtain the elements a_1 g a_2 and c_1 g c_2, and only then could she mount a further attack.
First, from the equation x = b_1 a_1 g a_2 b_2 the attacker Eve knows only the normal forms of x and g. Thus the only thing Eve can do is to obtain h_1, h_2 ∈ A by solving the GDSP such that h_1 g h_2 = x = b_1 a_1 g a_2 b_2. But there are infinitely many factorizations h_1 = b_1′ a_1′ and h_2 = a_2′ b_2′ in the group A. For example, let b_1′ be any element of A and let a_1′ = b_1′^{-1} h_1; then a_1′ ∈ A and b_1′ a_1′ = b_1′ b_1′^{-1} h_1 = h_1. Since b_1′ is arbitrary, there are infinitely many such pairs b_1′, a_1′. Since Eve does not know a_1 g a_2 or its normal form, she cannot determine which pair a_1′, a_2′ satisfies a_1′ g a_2′ = a_1 g a_2. So Eve cannot mount any further attack.
Similarly, for the equations y = d_1 c_1 g c_2 d_2, v = c_3 d_1^{-1} z d_2^{-1} c_4 and u = a_3 b_1^{-1} w b_2^{-1} a_4, beyond obtaining g_1, g_2, g_3, g_4 ∈ B and h_3, h_4 ∈ A by solving the GDSP such that
g_1 g g_2 = y = d_1 c_1 g c_2 d_2, h_3 z h_4 = v = c_3 d_1^{-1} z d_2^{-1} c_4, g_3 w g_4 = u = a_3 b_1^{-1} w b_2^{-1} a_4, Eve cannot mount any further attack.
Suppose Eve could obtain h_5, h_6 ∈ A by solving the GDSP such that h_5 y h_6 = z = b_3 a_3 a_1 y a_2 a_4 b_4. As before, there are infinitely many factorizations h_1 = b_3′ a_1′ and h_2 = a_2′ b_4′ in the group A. Since Eve does not know a_1 y a_2 or its normal form, she cannot determine which pair a_1′, a_2′ satisfies a_1′ y a_2′ = a_1 y a_2. So Eve again cannot mount any further attack. Likewise, since Eve does not know a_3 a_1 y a_2 a_4 or its normal form, she cannot determine which pair a_1′, a_2′ satisfies a_1′ y a_2′ = a_3 a_1 y a_2 a_4. So Eve still cannot mount any further attack.
Similarly, for the equation w = d_3 c_3 c_1 x c_2 c_4 d_4 = d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4, beyond obtaining g_5, g_6 ∈ B by solving the GDSP such that g_5 x g_6 = w = d_3 c_3 c_1 x c_2 c_4 d_4, Eve cannot mount any further attack.
Therefore, because of the double-locking technique, the computational problem Eve faces in attacking the core protocol is unsolvable.
In particular, in the specific embodiment the infinite non-commutative group G is the braid group B_n of index n ≥ 12, A and B are the subgroups LB_n and RB_n of B_n, and the private keys b_1, b_2, b_3, b_4 and d_1, d_2, d_3, d_4 are selected from the Mihailova subgroup M_LA(H) of LB_n and the Mihailova subgroup M_RA(H) of RB_n respectively. Then, in the attack above, after Eve has obtained h_1, h_2, h_3, h_4, h_5, h_6 ∈ LB_n and g_1, g_2, g_3, g_4, g_5, g_6 ∈ RB_n by solving the GDSP, she must still first determine whether the b_1′, b_2′, b_3′, b_4′ in the factorizations of h_1, h_2, h_3, h_4, h_5, h_6 are elements of M_LA(H) and whether d_1′, d_2′, d_3′, d_4′ are elements of M_RA(H). But the GWP for M_LA(H) and M_RA(H) is unsolvable, so Eve cannot attack the private keys of either party.
VI. Selection of parameters
In a preferred embodiment, the index of the braid group B_n is n ≥ 12; in each protocol the subgroups are A = LB_n and B = RB_n; a_1, a_2, a_3, a_4, c_1, c_2, c_3, c_4 are selected so that their product a_3 a_1 c_3 c_1 g c_2 c_4 a_2 a_4 is not less than 128 bits, and each of the private keys b_1, b_2, b_3, b_4, d_1, d_2, d_3, d_4 is not less than 128 bits.
It is particularly recommended that the private keys b_1, b_2, b_3, b_4 and d_1, d_2, d_3, d_4 be selected from the Mihailova subgroups M_LA(H) and M_RA(H) of the braid group B_n respectively. Then, because the GWP for M_LA(H) and M_RA(H) is unsolvable, the private keys in the protocols cannot be attacked, as described in the security analysis.
The foregoing describes the method of the invention for establishing a secure, attack-resistant public key cryptosystem in order to aid understanding of the invention; the embodiments of the invention are not limited to the examples above, and any change, modification, substitution, combination or simplification made without departing from the principle of the invention is an equivalent replacement and falls within the scope of protection of the invention.

Claims (9)

  1. A method for establishing a secure, attack-resistant public key cryptosystem, characterized in that it comprises a method for generating a shared key, the method for generating a shared key comprising the following steps:
    (11) establishing an infinite non-commutative group G and two subgroups A and B of G such that for any a ∈ A and any b ∈ B the equation ab = ba holds;
    (12) the two parties to the protocol select an element g ∈ G, where the first party selects four elements b_1, b_2, b_3, b_4 ∈ A as its private key and the second party selects four elements d_1, d_2, d_3, d_4 ∈ B as its private key;
    (13) the second party selects two elements c_1, c_2 ∈ B, computes y = d_1 c_1 g c_2 d_2, and sends y to the first party;
    (14) the first party selects four elements a_1, a_2, a_3, a_4 ∈ A, computes
    x = b_1 a_1 g a_2 b_2 and z = b_3 a_3 a_1 y a_2 a_4 b_4 = b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4,
    and sends (x, z) to the second party;
    (15) the second party selects two elements c_3, c_4 ∈ B, computes
    w = d_3 c_3 c_1 x c_2 c_4 d_4 = d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4
    and
    v = c_3 d_1^{-1} z d_2^{-1} c_4 = c_3 d_1^{-1} b_3 a_3 a_1 d_1 c_1 g c_2 d_2 a_2 a_4 b_4 d_2^{-1} c_4 = c_3 b_3 a_3 a_1 c_1 g c_2 a_2 a_4 b_4 c_4,
    and sends (w, v) to the first party;
    (16) the first party computes
    u = a_3 b_1^{-1} w b_2^{-1} a_4 = a_3 b_1^{-1} d_3 c_3 c_1 b_1 a_1 g a_2 b_2 c_2 c_4 d_4 b_2^{-1} a_4 = a_3 d_3 c_3 c_1 a_1 g a_2 c_2 c_4 d_4 a_4,
    and sends u to the second party;
    (17) the first party computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4, and the second party computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4;
    since a_1, a_2, a_3, a_4 ∈ A and c_1, c_2, c_3, c_4 ∈ B, the elements a_1, a_3 commute with c_1, c_3 and the elements a_2, a_4 commute with c_2, c_4, so the first party and the second party arrive at the shared key K = K_A = K_B.
  2. The method for establishing an attack-resistant secure public key cryptosystem according to claim 1, further comprising a method for encrypting and decrypting message data, the encryption and decryption method comprising the following steps:
    (21) Let the encoded plaintext to be encrypted be m ∈ {0,1}^k, a bit string of length k, and let Θ: G → {0,1}^k be a collision-resistant hash function from the group G to the plaintext space {0,1}^k; the first party selects (G, A, B, g, Θ) as its public key;
    (22) Encryption: the second party first computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4, then computes the ciphertext t from m and Θ(K_B) by the formula shown in image PCTCN2015091710-appb-100001, in which the operator shown in image PCTCN2015091710-appb-100002 is exclusive OR (XOR), and sends t as the ciphertext to the first party;
    (23) Decryption: the first party first computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4, then recovers m′ from t by the formula shown in image PCTCN2015091710-appb-100003;
    (24) Verification that m′ = m: by the key exchange protocol, K_A = K_B, so the identity shown in image PCTCN2015091710-appb-100004 holds and m′ = m.
  3. The method for establishing an attack-resistant secure public key cryptosystem according to claim 1, further comprising a digital signature method, the digital signature method comprising the following steps:
    (31) Let the encoded message to be signed be p, and let Θ: G → {0,1}^k be a collision-resistant hash function; the first party selects (G, A, B, g, Θ) as its public key;
    (32) Signing: the first party computes K_A = b_3^{-1} v b_4^{-1} = c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4 and S = Θ(pK_A), takes S as its signature on the message p, and sends (S, p) to the second party;
    (33) Verification: the second party computes K_B = d_3^{-1} u d_4^{-1} = a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4 and S′ = Θ(pK_B); if S′ = S, the second party accepts S as the first party's signature on p, otherwise it refuses to accept S as the first party's signature on p.
  4. The method for establishing an attack-resistant secure public key cryptosystem according to claim 1, further comprising an identity authentication method in which the first party is the prover and the second party is the verifier, the identity authentication method comprising the following steps:
    (41) The first party selects a collision-resistant hash function Θ: G → {0,1}^k and selects (G, A, B, g, Θ) as its public key;
    (42) The second party computes y = d_1 c_1 g c_2 d_2 and w = d_3 c_3 c_1 x c_2 c_4 d_4, where x = b_1 a_1 g a_2 b_2, and sends (y, w) to the first party as the first challenge;
    (43) The first party computes
    z = b_3 a_3 a_1 y a_2 a_4 b_4 and u = a_3 b_1^{-1} w b_2^{-1} a_4 = a_3 d_3 c_3 c_1 a_1 g a_2 c_2 c_4 d_4 a_4,
    where y = d_1 c_1 g c_2 d_2, and sends (z, u) to the second party as the response;
    (44) The second party computes v = c_3 d_1^{-1} z d_2^{-1} c_4 = c_3 b_3 a_3 a_1 c_1 g c_2 a_2 a_4 b_4 c_4 and sends v to the first party as the second challenge;
    (45) The first party computes t = Θ(b_3^{-1} v b_4^{-1}) = Θ(c_3 a_3 a_1 c_1 g c_2 a_2 a_4 c_4) and sends t to the second party as its commitment;
    (46) The second party computes t′ = Θ(d_3^{-1} u d_4^{-1}) = Θ(a_3 c_3 c_1 a_1 g a_2 c_2 c_4 a_4) and checks whether t = t′; if t = t′, the second party accepts the first party's identity, otherwise it rejects it.
  5. A method for establishing an attack-resistant secure public key cryptosystem, comprising a method for generating a shared key, the shared-key generation method comprising the following steps:
    (11.1) Establish an infinite non-commutative group G and two subgroups A and B of G such that ab = ba for every a ∈ A and every b ∈ B;
    (12.1) Both parties select an element g ∈ G; the first party selects four elements b_{10}, b_{30} ∈ A and d_{20}, d_{40} ∈ B as its private key, and the second party selects four elements b_{20}, b_{40} ∈ A and d_{10}, d_{30} ∈ B as its private key;
    (13.1) The second party selects two elements a_{20} ∈ A and c_{10} ∈ B, computes y = d_{10} c_{10} g a_{20} b_{20}, and sends y to the first party;
    (14.1) The first party selects four elements a_{10}, a_{30} ∈ A and c_{20}, c_{40} ∈ B, computes
    x = b_{10} a_{10} g c_{20} d_{20} and z = b_{30} a_{30} a_{10} y c_{20} c_{40} d_{40} = b_{30} a_{30} a_{10} d_{10} c_{10} g a_{20} b_{20} c_{20} c_{40} d_{40},
    and sends (x, z) to the second party;
    (15.1) The second party selects two elements a_{40} ∈ A and c_{30} ∈ B, computes
    w = d_{30} c_{30} c_{10} x a_{20} a_{40} b_{40} = d_{30} c_{30} c_{10} b_{10} a_{10} g c_{20} d_{20} a_{20} a_{40} b_{40}
    and
    v = c_{30} d_{10}^{-1} z b_{20}^{-1} a_{40} = c_{30} d_{10}^{-1} b_{30} a_{30} a_{10} d_{10} c_{10} g a_{20} b_{20} c_{20} c_{40} d_{40} b_{20}^{-1} a_{40} = c_{30} b_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} d_{40} a_{40},
    and sends (w, v) to the first party;
    (16.1) The first party computes
    u = a_{30} b_{10}^{-1} w d_{20}^{-1} c_{40} = a_{30} b_{10}^{-1} d_{30} c_{30} c_{10} b_{10} a_{10} g c_{20} d_{20} a_{20} a_{40} b_{40} d_{20}^{-1} c_{40} = a_{30} d_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} b_{40} c_{40},
    and sends u to the second party;
    (17.1) The first party computes K_A = b_{30}^{-1} v d_{40}^{-1} = c_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} a_{40}, and the second party computes K_B = d_{30}^{-1} u b_{40}^{-1} = a_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} c_{40};
    since a_{10}, a_{20}, a_{30}, a_{40} ∈ A and c_{10}, c_{20}, c_{30}, c_{40} ∈ B, each a_{i0} commutes with the corresponding c_{i0} (i = 1, 2, 3, 4), so the first party and the second party arrive at the shared key K = K_A = K_B.
  6. The method for establishing an attack-resistant secure public key cryptosystem according to claim 5, further comprising a method for encrypting and decrypting message data, the encryption and decryption method comprising the following steps:
    (21.1) Let the encoded plaintext to be encrypted be m ∈ {0,1}^k, a bit string of length k, and let Θ: G → {0,1}^k be a collision-resistant hash function from the group G to the plaintext space {0,1}^k; the first party selects (G, A, B, g, Θ) as its public key;
    (22.1) Encryption: the second party first computes K_B = d_{30}^{-1} u b_{40}^{-1} = a_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} c_{40} (as in step (17.1)), then computes the ciphertext t from m and Θ(K_B) by the formula shown in image PCTCN2015091710-appb-100005, in which the operator shown in image PCTCN2015091710-appb-100006 is exclusive OR (XOR), and sends t as the ciphertext to the first party;
    (23.1) Decryption: the first party first computes K_A = b_{30}^{-1} v d_{40}^{-1} = c_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} a_{40} (as in step (17.1)), then recovers m′ from t by the formula shown in image PCTCN2015091710-appb-100007;
    (24.1) Verification that m′ = m: by the key exchange protocol, K_A = K_B, so the identity shown in image PCTCN2015091710-appb-100008 holds and m′ = m.
  7. The method for establishing an attack-resistant secure public key cryptosystem according to claim 5, further comprising a digital signature method, the digital signature method comprising the following steps:
    (31.1) Let the encoded message to be signed be p, and let Θ: G → {0,1}^k be a collision-resistant hash function; the first party selects (G, A, B, g, Θ) as its public key;
    (32.1) Signing: the first party computes K_A = b_{30}^{-1} v d_{40}^{-1} = c_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} a_{40} and S = Θ(pK_A), takes S as its signature on the message p, and sends (S, p) to the second party;
    (33.1) Verification: the second party computes K_B = d_{30}^{-1} u b_{40}^{-1} = a_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} c_{40} and S′ = Θ(pK_B); if S′ = S, the second party accepts S as the first party's signature on p, otherwise it refuses to accept S as the first party's signature on p.
  8. The method for establishing an attack-resistant secure public key cryptosystem according to claim 5, further comprising an identity authentication method in which the first party is the prover and the second party is the verifier, the identity authentication method comprising the following steps:
    (41.1) The first party selects a collision-resistant hash function Θ: G → {0,1}^k and selects (G, A, B, g, Θ) as its public key;
    (42.1) The second party computes y = d_{10} c_{10} g a_{20} b_{20} and w = d_{30} c_{30} c_{10} x a_{20} a_{40} b_{40} = d_{30} c_{30} c_{10} b_{10} a_{10} g c_{20} d_{20} a_{20} a_{40} b_{40}, where x = b_{10} a_{10} g c_{20} d_{20}, and sends (y, w) to the first party as the first challenge;
    (43.1) The first party computes
    z = b_{30} a_{30} a_{10} y c_{20} c_{40} d_{40} = b_{30} a_{30} a_{10} d_{10} c_{10} g a_{20} b_{20} c_{20} c_{40} d_{40}
    and
    u = a_{30} b_{10}^{-1} w d_{20}^{-1} c_{40} = a_{30} d_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} b_{40} c_{40},
    and sends (z, u) to the second party as the response;
    (44.1) The second party computes v = c_{30} d_{10}^{-1} z b_{20}^{-1} a_{40} = c_{30} b_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} d_{40} a_{40} and sends v to the first party as the second challenge;
    (45.1) The first party computes t = Θ(b_{30}^{-1} v d_{40}^{-1}) = Θ(c_{30} a_{30} a_{10} c_{10} g a_{20} c_{20} c_{40} a_{40}) and sends t to the second party as its commitment;
    (46.1) The second party computes t′ = Θ(d_{30}^{-1} u b_{40}^{-1}) = Θ(a_{30} c_{30} c_{10} a_{10} g c_{20} a_{20} a_{40} c_{40}) and checks whether t = t′; if t = t′, the second party accepts the first party's identity, otherwise it rejects it.
  9. The method for establishing an attack-resistant secure public key cryptosystem according to any one of claims 1 to 8, wherein the infinite non-commutative group G is a braid group.
    The braid group contains Mihailova subgroups whose subgroup membership problem is unsolvable, and the private keys are selected from a Mihailova subgroup.
    The infinite non-commutative group G is taken to be the braid group B_n of index n ≥ 12, the group defined by the presentation
    B_n = ⟨σ_1, σ_2, …, σ_{n-1} | σ_i σ_j = σ_j σ_i for |i − j| ≥ 2, σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1} for 1 ≤ i ≤ n − 2⟩.
    Each element of the group is represented by the unique normal-form word over the generating set {σ_1, σ_2, …, σ_{n-1}} that represents that element.
    The braid group B_n contains the following two subgroups: let m (image PCTCN2015091710-appb-100009) be the largest integer not greater than n/2; the left braids LB_n and the right braids RB_n of B_n are
    LB_n = ⟨σ_1, σ_2, …, σ_{m-1}⟩ and RB_n = ⟨σ_{m+1}, σ_{m+2}, …, σ_{n-1}⟩,
    that is, the subgroups generated by σ_1, σ_2, …, σ_{m-1} and by σ_{m+1}, σ_{m+2}, …, σ_{n-1} respectively; for any a ∈ LB_n and any b ∈ RB_n, ab = ba; the subgroup A of G is taken to be LB_n and the subgroup B of G is taken to be RB_n;
    when n ≥ 12, LB_n and RB_n each contain a subgroup isomorphic to F_2 × F_2, the direct product of two free groups of rank 2:
    LA = ⟨σ_{m-5}^2, σ_{m-4}^2, σ_{m-2}^2, σ_{m-1}^2⟩ ≤ LB_n
    and
    RA = ⟨σ_{m+1}^2, σ_{m+2}^2, σ_{m+4}^2, σ_{m+5}^2⟩ ≤ RB_n;
    then, from a finitely presented group H generated by two elements whose word problem is unsolvable, a Mihailova subgroup M_LA(H) of LA and a Mihailova subgroup M_RA(H) of RA are constructed. The 56 generators of M_LA(H), with i = m − 5, are those shown in image PCTCN2015091710-appb-100010; setting i = m + 1 instead gives the 56 generators of M_RA(H).
    The 27 words S_ij are those shown in images PCTCN2015091710-appb-100011, PCTCN2015091710-appb-100012 and PCTCN2015091710-appb-100013.
    Replacing every σ_i by σ_{i+3} and every σ_{i+1} by σ_{i+4} in each S_ij gives the corresponding 27 words T_ij, j = 1, 2, …, 27.
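The following is an added worked example and is not code from the patent or its inventors. It runs the shared-key exchange of claim 1 (steps (12) to (17)) and of claim 5 (steps (12.1) to (17.1)) with G the braid group B_12 of claim 9, A = LB_12 = ⟨σ_1, …, σ_5⟩ and B = RB_12 = ⟨σ_7, …, σ_11⟩, and then applies the XOR encryption of claim 2 and the Θ(pK) check of claim 3. Everything not stated in the claims is an assumption: group elements are handled through the unreduced Burau representation of B_n evaluated at t = 2 over GF(P), which preserves the braid relations and the commutation of LB_n with RB_n but is known not to be faithful for n ≥ 5, so the example demonstrates only that both parties compute the same K, not the hardness the patent relies on; Θ is SHA-256 over the matrix entries (k = 256); private and ephemeral elements are random words of length 8 in the generators of A or B rather than elements of the Mihailova subgroups (their generators are in image files not reproduced on this page); and the encryption formula images are read as t = m ⊕ Θ(K_B), the only reading consistent with the page's statement that the operator is XOR and that K_A = K_B recovers m.

```python
# Added example, not from the patent: claims 1 and 5 run over G = B_12 (claim 9),
# A = LB_12 = <s_1..s_5>, B = RB_12 = <s_7..s_11>, with elements handled through the
# unreduced Burau representation at t = 2 over GF(P) (an assumption: a homomorphic
# image that keeps the braid relations and A/B commutation, not faithful for n >= 5).
import hashlib
import secrets

N, P, T = 12, 2_147_483_647, 2          # braid index, prime modulus, Burau parameter
M = N // 2                              # m = floor(n/2)
LEFT = list(range(1, M))                # generators s_1..s_{m-1} of A = LB_n
RIGHT = list(range(M + 1, N))           # generators s_{m+1}..s_{n-1} of B = RB_n
T_INV = pow(T, -1, P)

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def prod(*ms):
    """Product of matrices over GF(P), left to right; prod() is the identity."""
    acc = identity()
    for m in ms:
        acc = [[sum(acc[i][k] * m[k][j] for k in range(N)) % P for j in range(N)] for i in range(N)]
    return acc

def burau(i, inverse=False):
    """Unreduced Burau matrix of s_i (1 <= i <= n-1) or of s_i^{-1}: a 2x2 block at rows i, i+1."""
    block = [[0, 1], [T_INV, (1 - T_INV) % P]] if inverse else [[(1 - T) % P, T], [1, 0]]
    s = identity()
    for a in range(2):
        for b in range(2):
            s[i - 1 + a][i - 1 + b] = block[a][b]
    return s

def word_to_matrix(word):
    """word: nonzero ints, +i for s_i and -i for s_i^{-1}."""
    return prod(*(burau(abs(g), inverse=g < 0) for g in word))

def sample(gens, length=8):
    """Random element of the subgroup generated by gens, as (matrix, inverse matrix)."""
    w = [secrets.choice(gens) * secrets.choice((1, -1)) for _ in range(length)]
    return word_to_matrix(w), word_to_matrix([-g for g in reversed(w)])

def braid_relations_hold():
    """Check the representation: inverses, s_i s_{i+1} s_i = s_{i+1} s_i s_{i+1}, s_i s_j = s_j s_i for |i-j| >= 2."""
    for i in range(1, N):
        if prod(burau(i), burau(i, True)) != identity():
            return False
        if i < N - 1 and prod(burau(i), burau(i + 1), burau(i)) != prod(burau(i + 1), burau(i), burau(i + 1)):
            return False
        if any(prod(burau(i), burau(j)) != prod(burau(j), burau(i)) for j in range(i + 2, N)):
            return False
    return True

def claim1_exchange(g):
    """Steps (12)-(17); returns (K_A, K_B).  [0] is the element, [1] its inverse."""
    b1, b2, b3, b4 = (sample(LEFT) for _ in range(4))      # first party's private key, in A
    d1, d2, d3, d4 = (sample(RIGHT) for _ in range(4))     # second party's private key, in B
    c1, c2 = sample(RIGHT)[0], sample(RIGHT)[0]            # (13) second party sends y
    y = prod(d1[0], c1, g, c2, d2[0])
    a1, a2, a3, a4 = (sample(LEFT)[0] for _ in range(4))   # (14) first party sends (x, z)
    x = prod(b1[0], a1, g, a2, b2[0])
    z = prod(b3[0], a3, a1, y, a2, a4, b4[0])
    c3, c4 = sample(RIGHT)[0], sample(RIGHT)[0]            # (15) second party sends (w, v)
    w = prod(d3[0], c3, c1, x, c2, c4, d4[0])
    v = prod(c3, d1[1], z, d2[1], c4)
    u = prod(a3, b1[1], w, b2[1], a4)                      # (16) first party sends u
    return prod(b3[1], v, b4[1]), prod(d3[1], u, d4[1])    # (17) K_A, K_B

def claim5_exchange(g):
    """Steps (12.1)-(17.1): each private key is split between A and B."""
    b10, b30, d20, d40 = sample(LEFT), sample(LEFT), sample(RIGHT), sample(RIGHT)   # first party
    b20, b40, d10, d30 = sample(LEFT), sample(LEFT), sample(RIGHT), sample(RIGHT)   # second party
    a20, c10 = sample(LEFT)[0], sample(RIGHT)[0]                                    # (13.1) y
    y = prod(d10[0], c10, g, a20, b20[0])
    a10, a30, c20, c40 = sample(LEFT)[0], sample(LEFT)[0], sample(RIGHT)[0], sample(RIGHT)[0]
    x = prod(b10[0], a10, g, c20, d20[0])                                           # (14.1) (x, z)
    z = prod(b30[0], a30, a10, y, c20, c40, d40[0])
    a40, c30 = sample(LEFT)[0], sample(RIGHT)[0]                                    # (15.1) (w, v)
    w = prod(d30[0], c30, c10, x, a20, a40, b40[0])
    v = prod(c30, d10[1], z, b20[1], a40)
    u = prod(a30, b10[1], w, d20[1], c40)                                           # (16.1) u
    return prod(b30[1], v, d40[1]), prod(d30[1], u, b40[1])                         # (17.1) K_A, K_B

def serialize(k):
    return b"".join(e.to_bytes(4, "big") for row in k for e in row)

def theta(k):
    """Theta: G -> {0,1}^k, here k = 256 via SHA-256 over the matrix entries (assumption)."""
    return hashlib.sha256(serialize(k)).digest()

def encrypt(K, m):
    """Step (22) read as t = m XOR Theta(K) for a 32-byte m; step (23) applies the same map to t."""
    return bytes(x ^ y for x, y in zip(m, theta(K)))

def tag(K, p):
    """Steps (32)/(33): S = Theta(p || K).  Both parties can compute it, so it is a shared-key tag."""
    return hashlib.sha256(p + serialize(K)).digest()
```

To exercise it, pick a public g such as word_to_matrix([1, -7, 6, 3, 9, -6, 2, 11]) (σ_6 makes g lie outside both subgroups), call claim1_exchange(g) and claim5_exchange(g), and compare the two returned keys; braid_relations_hold() confirms that the representation satisfies the presentation in claim 9 before any keys are derived. Two points the claims themselves make visible are worth stating: steps (33) and (33.1) have the verifier recompute S′ = Θ(pK_B) from a key it holds, so S is an authenticator that anyone holding K can produce, not a signature a third party could check without K; and the m ⊕ Θ(K) construction of claim 2 spends the same Θ(K) on every message encrypted under one agreed K, so a fresh exchange (or a key-derivation step) per message is needed to keep it a one-time pad.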
PCT/CN2015/091710 2015-10-12 2015-10-12 Method for establishing secure attack-resistant public key cryptographic algorithm WO2017063114A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201580000535.1A CN106664199A (en) 2015-10-12 2015-10-12 Method of establishing anti-attack security public key password
PCT/CN2015/091710 WO2017063114A1 (en) 2015-10-12 2015-10-12 Method for establishing secure attack-resistant public key cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/091710 WO2017063114A1 (en) 2015-10-12 2015-10-12 Method for establishing secure attack-resistant public key cryptographic algorithm

Publications (1)

Publication Number Publication Date
WO2017063114A1 true WO2017063114A1 (en) 2017-04-20

Family

ID=58517046

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/091710 WO2017063114A1 (en) 2015-10-12 2015-10-12 Method for establishing secure attack-resistant public key cryptographic algorithm

Country Status (2)

Country Link
CN (1) CN106664199A (en)
WO (1) WO2017063114A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021179258A1 (en) * 2020-03-12 2021-09-16 深圳大学 Digital signature method, digital signature apparatus, digital signature system, and storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019000231A1 (en) * 2017-06-27 2019-01-03 王威鉴 Method for establishing anti-attack public key cipher
CN108449754A (en) * 2018-03-16 2018-08-24 丘佳珏 The method that smart machine is surfed the Internet by wireless routing
CN109787752A (en) * 2018-09-30 2019-05-21 王威鉴 The method for establishing the shared key of attack resistance
CN111400773B (en) * 2020-03-12 2022-09-09 深圳大学 Digital signature method, digital signature device, system and storage medium
CN114221753B (en) * 2021-11-23 2023-08-04 深圳大学 Key data processing method and electronic equipment
CN114640463B (en) * 2022-02-25 2023-05-12 深圳大学 Digital signature method, computer equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012156254A1 (en) * 2011-05-13 2012-11-22 Telefónica, S.A. A method for performing a group digital signature
CN103326852A (en) * 2013-06-20 2013-09-25 武汉大学 Shared key establishment method under quantum computation environment
CN103414569A (en) * 2013-08-21 2013-11-27 王威鉴 Method for establishing anti-attack public key cryptogram
CN103501227A (en) * 2013-10-23 2014-01-08 西安电子科技大学 Improved multi-variable public key cryptogram encryption and decryption scheme
WO2015081505A1 (en) * 2013-12-04 2015-06-11 王威鉴 Method for establishing public key cryptogram against quantum computing attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080144836A1 (en) * 2006-12-13 2008-06-19 Barry Sanders Distributed encryption authentication methods and systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Quantum Safe Cryptography and Security", ETSI WHITE PAPER NO.8, 30 June 2015 (2015-06-30), pages 1 - 64, XP055375035 *

Also Published As

Publication number Publication date
CN106664199A (en) 2017-05-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15905999

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01.08.2018)

122 Ep: pct application non-entry in european phase

Ref document number: 15905999

Country of ref document: EP

Kind code of ref document: A1