WO2009026771A1

WO2009026771A1 - The method for negotiating the key, encrypting and decrypting the information, signing and authenticating the information

Info

Publication number: WO2009026771A1
Application number: PCT/CN2007/070628
Authority: WO
Inventors: Haiming Guan
Original assignee: Guan, Haiying
Priority date: 2007-08-24
Filing date: 2007-09-05
Publication date: 2009-03-05
Also published as: CN101374043B; CN101374043A

Abstract

The method for negotiating the key, encrypting and decrypting the information, signing and authenticating the information includes the following steps, Step 1, the shared A(x) of one user group is pre-set, and the use group includes at least two users, the A(x) is the nonlinear function group, in which the vector X of n variables is transformed to the vector Y of n variables, y=(y1,..., yn)=A(x)=(A1(x1,..., xn),...,An(x1,..., xn)), where n>1. As to A(x), the number of the coefficients of x which is not equal to 0 in the s-layered iteration A(s)(x) is unchanged, where the s is the integer. When B(x)=A(A(x)), then A(b(x))=B(A(x)). Step 2, the users of the user group interchange the middle results of the iteration of the A(x). Step 3, the users calculate the shared key K according to the middle results. So the complexity of cryptography and performance of anti-attack are improved.

Description

Key negotiation method, encryption/decryption method, and signature/verification method

This application is required to be submitted to the Chinese Patent Office on August 24, 2007, application number 200710120763.X, and the Chinese patent application titled "Method of Key Agreement, Method of Addition/Decryption and Method of Signature/Verification" is preferred. The entire contents of which are incorporated herein by reference.

TECHNICAL FIELD The present invention relates to the field of information security and cryptography, and more particularly to a public key cryptosystem capable of performing key negotiation, encrypting/decrypting data messages, and signing/verifying.

BACKGROUND OF THE INVENTION Cryptography is a science and technology that studies encryption and decryption transformation. Usually, people refer to plain text as plaintext; incomprehensible text that transforms plaintext into ciphertext. The process of transforming plaintext into ciphertext is called encryption; the reverse process, that is, the process of transforming ciphertext into plaintext is called decryption. This encryption or decryption transformation is controlled by a key. The cryptosystem used in an open environment should meet the following basic requirements:

Confidentiality: Ensure that information is not leaked to unauthorized users;

Integrity: Ensure that information is not arbitrarily or intentionally modified;

Non-repudiation: Prevent individuals or entities from denying the information they have published by destroying evidence to prove that something has happened.

Public key cryptography is a key technology to address the above-mentioned confidentiality, integrity, and non-repudiation. The official birth of it is the "New Directions in Cryptography" by W. Diffie and M. Hellman in 1976 (W. Diffe, ME Hellman, "New direction in cryptography", IEEE Trans., 1976, 22, 644-654 ). The public key cipher uses a public key and a private key. The public key can be publicly delivered, but the associated private key is kept secret. Only by using a private key can decrypt the data encrypted with the public key and sign the data. The role of the public key is to encrypt the information and verify the correctness of the signature. The public key cipher can also implement a key agreement protocol, that is, two users establish a key shared by both parties on a completely public channel without any prior secret agreement.

Public key cryptography schemes, which are currently recognized as having strong security and have been widely used, are classified according to the mathematical problems they are based on, and only have the following three types:

The first is the RSA system. Commonly invented by Rivest, Shamir, and Adleman in 1978 Key cryptography (RL Rivest, A. Shamir, and LM Adleman, "A method for obtaining digital signatures public-key cryptosystems", Communications of the ACM, 21 (1978), 120-126), whose security is based on large integer factors Decompose the problem.

The second is the DH system. The key agreement protocol invented by Diffie and Hellman in 1976, and the ElGamal encryption and digital signature scheme proposed by ElGamal in 1985 (T. ElGamal, "A public key cryptosystem and signature scheme based on discrete logarithms", IEEE Transactions on Information Theory, 31 (1985), pp. 469-472.), whose security is based on the discrete logarithm problem on multiplicative groups of finite fields. This type of algorithm also includes the US Digital Signature Standard DSS (Federal Information Processing Standard FIPS 186) and so on.

The third is the ECC system. Elliptic Curve Public Key Cryptography (VS Miller, "Use of elliptic curve in cryptography", CRYPTO' 85, Springer-Verlag, 1986, pp. 417-426.) (N), which Miller and Koblits independently invented in 1985 (N) Koblitz, "Elliptic curve cryptosystems", Mathematics of Computation, v. 48, n. 177, 1987, pp. 203-209.), whose security is based on the discrete logarithm problem of elliptic curve groups. This type of algorithm also includes the hyperelliptic curve public key cryptosystem (N. Koblitz, "Hyperelliptic cryptography", of Crypto., 1989, 1(3), ρρ.139-150.)

It is worth noting that RSA, DH, and ECC are widely used, but their security is not theoretically proven, mainly due to the actual needs (signature, identification, payment, key management, etc.), in the absence of other alternative technologies. Next, I have to use it. However, since the security of the above three public key cryptosystems has not been proved by mathematical theory, such a possibility cannot be ruled out: After several decades of analysis and research, some people have actually found an effective method for deciphering them, but only This fact is not open to the public.

Moreover, with the advancement of quantum computer research, the possibility of supporting the above three public key cryptosystems to be deciphered has greatly increased. For example, the Shor algorithm invented by Shor in 1994 (R W. Shor, "Algorithms for quantum computation: Discrete log and factoring", Proceedings of the 35th Symposium on Foundations of Computer Science, 1994, pp. 124-134.), It is possible to break all public key ciphers that can be converted into generalized discrete Fourier transforms in polynomial time.

To this end, it is of great significance to construct a public key cryptosystem with greater algorithm space and stronger security. The present invention is the result of research based on this idea. Summary of the invention

The technical problem to be solved by the present invention is to provide a public key cryptosystem coding method and apparatus by using a conformal iterative transform method to realize key negotiation, encryption and decryption and digital with larger algorithm space and stronger security. Signed technical solution.

In order to solve the above problems, according to an embodiment of the present invention, a method for key agreement is disclosed, which includes:

Step 1, the user group shared by the preset user group (Λ, the user group includes at least two users; the is a non-linear function group of the meta-vector X to the meta-vector

Where, >1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, S is an integer; if B(x) = A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

Step 2: Each user in the user group exchanges intermediate results related to integer layer iterations;

Step 3: Each user uses the received intermediate result to calculate a key shared by the user group.

Preferably, when the user group includes only two users, the step 2 further includes: the first user selecting an integer, calculating the first intermediate result, and transmitting to the second user; the first intermediate result and the A Layer iteration of (x);

The second user selects an integer, calculates a second intermediate result, and passes it to the first user; the second intermediate result is related to a layer iteration of A(x).

Further, the value of the coefficient in A(x) may be determined according to a pseudo-random sequence; the seed of the pseudo-random sequence is used to identify the A(x).

In accordance with another embodiment of the present invention, a method for encoding and decoding a digital message is disclosed, including:

Step 1: Pre-set the shared side between the encryption end and the decryption end (Λ _; the AW is a non-linear function group from the meta-vector to the meta-vector^

Where η > 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, s is an integer; B(x)=A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

Step 2: Select the integer ^ as the private key; use Α (Λ 层 layer iteration to establish the corresponding public key; Step 3, the encryption side selects the integer ί, use the public key to convert to the intermediate key for ί, and then use The intermediate key encrypts the plaintext, and transmits the result of the encryption and the result of the transformation to the decryption end; the transformation result of the t is related to the t-layer iteration of A(x);

Step 4: The decryption end uses the transformation result of the ί, the private key, and the 中间(χ) to calculate the same intermediate key, and then uses the intermediate key to decrypt the encryption result.

Preferably, the private key is established by the following steps:

Presetting a private key table, ..., and corresponding public key tables ^ ... , G„ are distributed in a key distribution center;

According to the preset rule, a pointer to multiple private key tables is obtained according to the user ID; respectively, one or more private key components are respectively obtained from the plurality of private key tables pointed to, and the private key of the user is obtained in combination.

According to another embodiment of the present invention, a method for digital signature and verification is disclosed, including: Step 1, a preset signature end and a verification end share a Α (Λ _; the Α is determined by a meta vector Nonlinear function group of metavector^

Where η > 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, s is an integer; if B(x)=A(A(x)), then A(B(x)) = B(A(x)) _;

Step 2: Select the integer ^ as the private key; use Α(Λ^ layer to iterate to establish the corresponding public key; Step 3. The signature end selects the integer ί, and transforms the data to be signed into the private key according to the preset rule. Intermediate message, then transmitting a digital signature containing the intermediate message and the result of the transformation of ί to the verification end; the transformation result of the t is related to the t-layer iteration of A(x);

Step 4: The verification end uses the transformation result of ί, the data to be signed, the intermediate message, the public key, and the verification to satisfy whether the preset rule is met. If yes, the digital signature verification is passed.

According to another embodiment of the present invention, a system for key agreement is disclosed, including: a sharing unit, configured to store a user group shared Α (Λ, the user group includes at least two users; Nonlinear function group of metavector X to η-element vector

Where, >1, the A(x) needs to satisfy: The s layer of A(x) is iterated A ⁽ⁱ⁾ (x), and A(x) Ratio, the number and type of terms whose coefficient of x is not 0 remains unchanged, S is an integer; if B(x) = A(A(x)), Bay ij A(B(x)) = B( A(x)) _;

An intermediate result exchange unit is connected to each user end in the user group for transmitting intermediate results related to integer layer iterations of each user in the user group to other users.

The key calculation unit is located at each user end of the user group, and is configured to calculate, by using the received intermediate result for each user, a key K shared by the user group.

In accordance with another embodiment of the present invention, a system for encoding and decoding digital messages is also disclosed, including:

a shared unit, configured to store Α(χ) shared by the encryption end and the decryption end _; the A(x) is a non-linear function group from the n-ary vector X to the meta-vector

Where η > 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, s is an integer; if B(x)=A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

a public-private key establishing unit for selecting an integer as a private key; using a layer of iteration to establish a corresponding public key;

An encryption unit, located at the encryption end, for selecting an integer t, converting the public key into an intermediate key for t, encrypting the plaintext with the intermediate key, and transmitting the result of the encryption and the result of the transformation to the decryption end; The transformation result of t is related to the t-layer iteration;

The decryption unit, located at the decryption end, is configured to calculate the same intermediate key by using the transform result of t, the private key k and A(x), and decrypt the encrypted result by using the intermediate key.

According to another embodiment of the present invention, a system for digital signature and verification is also disclosed, including:

a shared unit, configured to store the signature shared by the signature end and the verification end (Λ is a η element vector X to a non-linear function group of the meta-vector

a public-private key establishing unit for selecting an integer as a private key; using a layer of iteration to establish a corresponding public key; a signature unit, located at the signature end, for selecting an integer ί, transforming the data to be signed into an intermediate message related to the private key according to a preset rule, and transmitting a digital signature including the intermediate message and the transformation result of t to the verification end; The transformation result of t is related to the t-layer iteration;

The verification unit is located at the verification end, and is used to use the transformation result of the ί, the data to be signed, the intermediate message, the public key, and the Α (Λ to verify whether the preset rule is satisfied, and if so, the digital signature verification is passed.

Compared with the prior art, the present invention has the following advantages:

The inventive proposal proposes to construct a public key cryptosystem based on the number of layers of multivariate nonlinear conformal iterative transformation on the domain or on the ring; the public key cryptosystem can implement key negotiation, encryption and digital signature With a unique coding style and strong anti-attack capability, the size and complexity of the cryptographic algorithm are significantly enhanced to solve the problems of small algorithm space and insufficient security in the prior art. DRAWINGS

1 is a flow chart of an embodiment of a method for key agreement according to the present invention;

2 is a flow chart of an embodiment of a method for establishing a nonlinear function group Α according to the present invention; FIG. 3 is a flow chart of another embodiment of a method for establishing a nonlinear function group according to the present invention; BRIEF DESCRIPTION OF THE DRAWINGS FIG. 5 is a flow chart of an embodiment of a method for encoding and decoding digital messages; FIG. 5 is a flow chart of an embodiment of a method for digital signature and verification of the present invention; Schematic diagram of a digital signature data stream;

7 is a schematic diagram of a signature verification data stream of the present invention;

8 is a schematic diagram of a mathematical problem based on the security of the present invention based on an iterative layer number problem of a multivariate nonlinear conformal iterative transformation;

9 is a schematic diagram of a mathematical problem based on the security of the present invention based on an iterative layer number problem of a multivariate nonlinear conformal iterative transformation.

The present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.

The invention belongs to the category of information security products and is mainly applied to network trust systems, such as documents, banks, mobile phones, internet, e-commerce, e-government, logistics, network monitoring, power control, fund transfer, transactions, data encryption and the like.

The hardware environment required to apply the present invention is well known to those skilled in the art. For example: Computers, network devices, handheld or portable devices, programmable consumer electronics devices, smart cards, microcontrollers, dedicated digital signal processing chips, multiprocessor systems, distributed computing environments including any of the above systems or devices, and more.

Some of the terms that may be involved in the present invention are briefly explained below:

Password: Generally understood as an algorithm for information encryption and decryption transformation. Its basic purpose is to disguise information so that outsiders cannot understand the true meaning of the information, and insiders can understand the original meaning of the disguised information.

Key: The only key parameter that can control the effective conversion between plaintext and ciphertext during the execution of the cryptographic algorithm.

Public key cryptosystem: The public key cryptosystem uses two keys—a public key (referred to as: public key) and a private key (referred to as: private key). The public and private keys are mathematically related, but it is difficult to calculate the private key from the public key. The public key can be publicly transmitted between the communicating parties, or it can be publicly published as a telephone number, and the private key is kept in secret by the authorized user. Anyone can find its public key from the name of a user, so it can send an encrypted message to this user. Only authorized users can use their private key to complete the decryption.

The public key cryptosystem also provides the ability to digitally sign and authenticate: an authorized user can sign the information with his private key (equivalent to the process of decrypting with the private key described above); other users cannot sign because they do not have the private key. However, the user's public key can be used to verify the correctness of the signature (equivalent to the above process of encrypting with the public key).

Key agreement protocol Two or more users establish a key shared by two or more parties on a fully public channel without any prior secret agreement.

Finite field: A concrete and visual mathematical structure that can be understood in a colloquial manner as a collection of finite elements that can be added, subtracted, multiplied, and divided. (usually denoted as F, when the number of elements in the domain is prime p, it is recorded as a finite field F.)

Polynomial over a finite field: can be understood in a common sense as when there is only one argument: f (x) = a _s x ^s + a _s -\ X ^sA +... ten α ₀ χ ⁰ (mod p)

Where x is called an argument, called a coefficient, called a term, and they take values between Ο, . . . , /7-l. When there are multiple arguments:

f(x _x , ..., x _n ) = Z ^a _h ... i _n ^x i - ^x n (mod;?) If the number of terms in a polynomial is relatively small, it is called a sparse polynomial; otherwise it is called a dense polynomial. Dense polynomials not only have a high number of times, but the number of items is very large, and it is expanded to indicate that it takes a lot of space.

Rational fraction on a finite field: It can be understood as the division of two polynomials: / ^(JCl "'") mod p The multiplicative inverse of a polynomial other than the o polynomial is

( 3⁄4 ..., χ _η )) - ^{1 (mod} ) = (f(x _h ... , χ _η )Υ~ ² (mod ρ) But when ρ is large, the expansion of the above formula requires huge storage Space, therefore the result of dividing two sparse polynomials (the denominator is not a polynomial), usually a dense polynomial: =/( ... he,... ² (mod^) rational function: two polynomial phases are available In addition to the function expressed, if the number of denominator polynomials is greater than 0, it is expressed as a rational fraction, and if its denominator is a 0th degree polynomial, it is represented as a polynomial.

Ring (rmg): is a mathematical structure, denoted R, which can be understood as a collection of elements with both addition and multiplication and satisfying the law of multiplication. For example, the number of elements consisting of {0, 1, is a set of positive integers, and the addition and multiplication specified in the sense of the modulus is called the integer residual class ring Z _ra .

Polynomial on the ring, for example:

f(x _x ,...,x _n )= X ··· ; ¹ ... ΐ (modw3⁄4), _{w is} not necessarily a prime number

H— \-i _n < s

Since the division operation is not defined in the mathematical structure of the ring, only the polynomial on the ring can be established, and the rational fraction on the ring cannot be established.

Referring to FIG. 1, an embodiment of a method for key agreement is shown. Specifically, the method may include: Step 101: Pre-set a user group shared by a user group to include at least two users; To the nonlinear function group of the metavector

...,Α _η (χχ, ..., χ _η )) Where, >1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, S is an integer; if B(x) = A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

Step 102: Each user in the user group exchanges intermediate results related to integer layer iterations of each other;

Step 103: Each user uses the received intermediate result to calculate a key shared by the user group.

In this embodiment, each user in the user group can exchange the integers hidden in the iteration result of the user group to achieve the key shared by the parties on the public channel. After the key negotiation is successful, the symmetry can be performed. Encryption. In general, the purpose of key negotiation is to establish the key used by the symmetric password. The usual reason is: The public key encryption speed is too slow. Generally, the public key is used to establish the key used by the symmetric password, and then the symmetric password is used. The encryption and decryption are completed at a faster speed. The purpose of this method is also to use keyless secure communication, that is, secret communication for temporary key negotiation for each communication, which is characterized by not being afraid of the key being leaked in advance, so that the internal personnel It doesn't make sense to sell a key, because the public-private key method still has a problem that the private key is leaked beforehand.

The user group may include two or more users. Of course, each user in the user group needs to exchange information with each other to establish a key shared by the entire group. Since the exchange of information between two users is the basis for the exchange of multiple users, and the information exchange process between multiple users can be regarded as a repeated process of exchange between users, the following two users are The example is explained.

Preferably, when the user group includes only two users, the step 2 may further refine: the first user selects an integer, calculates a first intermediate result, and delivers to the second user; The result is related to the layer iteration of A(x); the second user selects an integer, computes a second intermediate result, and passes it to the first user; the second intermediate result is related to the layer iteration.

In another preferred embodiment of the present invention, if the method further includes: establishing a vector shared by the user group, the number of arguments is greater than 1 and the user group includes only two users,

The step 102 further includes: the first user selecting an integer, substituting g and performing layer AW iteration: rf^A^^), passing the calculation result to the second user; the second user selecting the integer, substituting g Α(χ) and perform layer Α(χ) iteration: d^ A^q , put the calculation result Rf _{2 is} passed to the first user;

The step 103 further includes: the first user calculates the key = ( , . , ^ ) = Α ^(3⁄4) ( ); the second user calculates the key ;

Wherein, the A(x) further satisfies: A (A^)(x)) = A(^ ² )(x), so that the keys calculated by the first user and the second user are guaranteed to be the same.

In another preferred embodiment of the present invention, when the user group includes only two users, the step 102 further includes: the first user selects an integer, and calculates a layer Α (an iteration of Λ: ι(χ) = 2; the second user selects an integer, calculates the iteration of layer A(x): B ₂ (x) = A ⁽ ^(x), and passes the function group B ₂ (x) to the first user;

The step 103 further includes: the first user calculates the key Second user calculation key = Β (X);

Wherein, the A(x) further satisfies: if B(x) = A( ^3⁄4 )(x), then B^)(x) = A(^)(x), thereby ensuring the first user and the first The keys calculated by the two users are the same.

The following is a brief introduction to how to establish a suitable Α (Λ, of course, in addition to the types of functions disclosed in the present invention and their establishment methods, in practice, there may be other Α (Λ function type and method of establishing A(x) For example, a finite field or a function on a finite ring that appears in an exponential power manner; it is not described in detail here, and only a preferred embodiment of the present invention is described. As long as the defined requirements satisfying the present invention are established, step 101 The "presets" described in the above may include: real-time establishment, pre-establishment or others establishment.

In the following description, the present invention provides three types of establishing methods. Let 〉1, F be the specified domain, R be the specified ring, x = (x _u ..., x _n ), y = (y _u ..., y _n ), z= (z ... , z _n ), xy or R; randomly select a "meta-nonlinear nonlinear conformal iterative transformation: j = A, then you can choose from the following three methods of establishment.

First type

Referring to FIG. 2, the first type of meta-nonlinear function group can be established by the following steps: Step 201: Pre-configured structure: consisting of n-ary rational fractional functions on n domains F, each of which is rational The numerator and denominator in the fractional function are linear polynomials for x „, whose denominator polynomials are the same;

Step 202: Receive a related technical indicator parameter of A(x), where the indicator parameter includes an amount of the variable And the data length of the argument;

Step 203: A coefficient of each item in the generation;

Step 204: Output the obtained according to the preset structure.

Specifically, the first type consists of the "meta rational fractional function" on F:

y = ( ... , _y„) = Α(χ) = (Α ₁ (χ ₁ , ..., ")), where: ιΌ iL 1 in n

y. =A _i (x _l ,...,x _n ) =

ICH~ ... ~\~ C, a _i j,x _i ,y _i ≡F, n, ; n, the numerator and denominator in the rational fraction are linear polynomials, the denominators are the same, the A(x) The characteristics are: Substituting itself into and expanding and simplifying, z = (z ..., ζ„) = Α(Α(χ)) = (Α ₁ (γ ₁ , ..., y„), .. .,A„(y _h ...,y„)), where:

/0 /1 ₀₀ +ί3⁄4 _{1 1} + ...+ 0w _w ■ ... + a.

biO ^{+ b} il ^X l ⁺ - ^{+ b} in ^X nn _i_ _n _i_ _i_ _n "" ο +...+""

u +a^ +...+a _0n x _n On a ₀₀ +a _0l x _{ +...+a _0n x _n b _m +b _0l x _x +... + b _0n x _n

3⁄4≠0, for a, ≠ 0

Satisfy:

b.. = 0, for a.. = 0 second type

Referring to FIG. 3, the second type of "meta-linear function group A can be established by the following steps: Step 301, Preset Α () structure: consists of "meta rational function on the domain F, which contains For the term of d, greater than 1 time; when the denominator of Ai<x _{1 is} a polynomial of degree 0, the rational function is a polynomial; when the denominator of Ai<x ₁ is a polynomial greater than 1 degree, the rational function is a rational part formula;

Step 302: Receive a related technical indicator parameter of A(x), where the indicator parameter includes an argument quantity “, a data length of the argument, and a highest nonlinear number of times;

Step 303: Generate a representation according to the indicator parameter and the preset structure, and the non-zero coefficient in the A(x) is represented by an argument symbol;

Step 304: Substituting A(x) into itself and performing data processing of expansion and simplification: (x) = A(A( )); Step 305, newly appearing for comparison of B(x) and A(x) Every item about X, generated about The polynomial of the coefficients of these terms, such that the value of these polynomials is 0, thereby establishing a simultaneous equations; Step 306, determining whether the system has a solution, if there is no solution, returning to step 303; if there is a solution, then calculating Obtain a set of solutions for the system of equations, and substitute the values of the coefficients in A(x)

a representation of 303 generated;

Step 307: Output the obtained A(x).

Specifically, the second type consists of the "meta rational function" on F:

y = ( ..., _y„) = Α(χ) = (Α ₁ (χ ₁ , ..., ")), where:

a O which contains ^ times for ^,...,^, >1. When the denominator polynomial is constant, the rational function is a polynomial. The characteristic of A(x) is: Substitute itself and expand and simplify. z = (z ..., ) = A(A(x)) = (A ₁ (y ₁ , ..., y _n ), ..., Α^, ..., y _n )), where :

ϊ+...+ϊ _η ≤1 ₂ Third type

The third type of "meta-linear function group Α (Λ can be established by the following steps, since the process steps are very similar, so see also Figure 3.

Step a, Preset structure: Α 3⁄4 « Rings R on the "metapolynomial composition: it contains about ...," more than 1 term;

Step b: receiving relevant technical parameter parameters of A(x), where the indicator parameter includes the number of arguments, the data length of the argument, and the highest non-linear number of times;

Step c: generating a representation according to the indicator parameter and the preset structure, and the non-zero coefficient in the A(x) is represented by an argument symbol;

Step d, substituting A(x) into itself and performing unwrapping, simplification of data processing: B(x) = A(A(x ee, new for B(x) versus A(x)) For each item of X, a polynomial is generated for the coefficients of these terms, so that the values of these polynomials are 0, thereby establishing a simultaneous equations;

Step f, judging whether the system of equations has a solution, if there is no solution, returning to step c; if there is a solution, calculating a set of solutions of the system of equations, and taking the value of the coefficient in the step, substituting into the step c to generate Representation of A(x);

Step g, output the obtained A(x).

Specifically, the third type consists of the "metapolynomial function on R":

y = ( ..., _ ")), where:

a; it contains the term of ^ ^, >1, the characteristics of the A (x) are: Substituting itself into the body and expanding, simplifying, z

= k >

Two feet: ≠0

= 0

, .

In fact, in order to achieve good security, the second and third types should be satisfied: From ν, A(x), Β(χ)=Α( χ) is easy, and by A(x), B(x) finds s difficult; or, it is easy to find i = A ⁽ⁱ )( ) from s, q, A(x), and s is difficult by rf, q, A(x), where = ..., ), d = (d ... , d _n ), 4 ^ or .

Preferably, during the establishment of the second type and the third type of Α (Λ, there may be many optimization steps, for example, between steps 304 and 305, or between steps e and f , the method may further include: comparing B(x) with A(x), if there are at least two new items in the B(x) for each of the newly appearing items of X, performing step 305 or step e , otherwise return to step 303 or step 0.

The reason is that the purpose of the present invention is to find a specific function that satisfies the conformal iteration, and if there is only one new item, the coefficient of this term multiplied by any number not equal to zero cannot be equal to zero (if it is on the ring) The probability that the function is equal to zero is very small), and if there are more than two items, it is possible to add these coefficients to be equal to zero, thus eliminating the newly added item after iteration. That is, the effect of initial filtering can be achieved, the number of calls to the solution equation can be reduced, and computing resources can be saved.

The above method of establishing Α(Λ) by using an indefinite system of equations on coefficients can ensure that the function scale after two iterations does not expand, and can guarantee a large probability of satisfying the requirements of the present invention. In a preferred embodiment of the invention, between steps 306 and 307, or between steps f and g, more screening steps may be included for further filtering, for example, verification The function scale after the layer iteration does not expand, or whether the combination law about the iterative operation is satisfied.

It should be noted that although the above three types of function establishment methods are introduced as independent three methods, those skilled in the art should be aware that they can be completely in the same execution process, and only need to Add a selection step, which will not be detailed here. Referring to FIG. 3, the foregoing establishment process will be described in detail through a specific example. Since the establishment process of the second type and the third type is relatively similar, they are collectively introduced as a specific example. :

In the first step, a desired representation of A(x) is randomly set as required, and the coefficients in the A(x) are represented by arguments:

It is usually possible to use the finite field ^ of the prime number p as the finite field F, or the integer residual class Z as the finite ring R, but can be more complicated? Or 11.

Its representation of A(x) consists of n rational fractions or polynomials whose coefficients in the function are represented by abstract variable symbols (such as ^ ... etc.). E.g:

+ <3⁄4x c ₂ ) mod p yi = Α ₂ ( ι, χ ₂ ) = (bo + biXi + + b3XiX ₂ ) How does mod p set the desired optimal Α (function representation of Λ, which is beyond the scope of the present invention, but has a significant impact on the implementation of the present invention. In a sense, This work often requires intuition and experience to design and analyze, rather than relying entirely on rigorous theoretical derivation and proof. Especially for complex nonlinear functions, there are many options. The best way is to try different transformations. Until the desired form of function is obtained. The specific algorithm of each layer of the function, the relationship between the layers, and how to combine several simple functions into a relatively complex function can be imported into Mathematica and other software. As a known condition for solving the equation, to improve the calculation efficiency.

For example, for the above embodiment, a simple reversible nonlinear transformation can be set first:

Then set up a linear transformation:

+ b ₂ 1⁄2) mod p Then substitute the nonlinear transformation into the linear transformation, then the expected A ^ is:

Yi= Αι( ι, x ₂ ) = («ο + a\X\ + ma ₂ X\ + mod py ₂ = A ₂ ( i, ₂ ) = bo + Mod p where, b _t , should be understood as the factor of the coefficient. Of course, you can also set it directly as: yi= Αι( ι, x ₂ ) = («ο + a\X\ + a ₂ X\ + <3⁄4x c ₂ ) mod p yi = A ₂ ( i, x ₂ ) = (bo + + b3XiX ₂ ) mod p However, this will cause the math software to fail to get the structural information of the function. It may encounter computational difficulties when entering the third 以下 "determining whether the equation group T has a solution".

In the second step, substituting A(x) into itself, deducing 2 = 0) = ( ( )) = 8( ) and expanding: Comparing B(x) with A(x), if there are at least two items of this type in each of the newly appearing items of X in B(x), the representation of the type satisfies the requirement; Otherwise it indicates that it does not meet the requirements, it should be returned to the first 歩 reset,

Z = (z\, z ₂ )

z corpse Mod p

2 2 2

= (a ₀ + αι(α ₀ + a\X\ + ma ₂ X\ + ₂ X\X2) + ma ₂ ( o + a\X\ + ma ₂ X\ + <3⁄4 3⁄4) +

3⁄4 = A ₂ (yi, ) = (bo + b _x y _x + w%i ² + b ₇ y _l y ₂ ) mod p

= (b + b ₂ (ao + «ι ι +

= (b ₀ + αφχ + ma ₀ ² b ₂ + t ₀ b ₀ b ₂ + α _χ χι + 2τηα ₀ α ₂ Χι+ +

Obviously the above formula can pass the prescribed test.

The third step is to establish a simultaneous equation T and determine if it has a solution:

For each term about X that appears new to B(x) versus A(x), list the polynomials of the coefficients of these terms in B(x) and specify: Let each polynomial in A(x) Regarding the type of each item existing in X, the polynomial (indicated by ^) of the coefficient of such item in the corresponding B(x) is not 0; Β (the relative of each polynomial in Λ The newly generated type of each term for X, the corresponding polynomial (represented by its coefficient) is 0; thus listing the simultaneous equations, namely:

Τ: ...}

Specifically, for the above embodiment, first extract the coefficient of the relevant item, and make it 0:

For items + α ι) = 0 mod ρ twenty two

For the term X m <3⁄4 (ma ₂ + b ₂ ) = 0 mod p

For item X x ₂ : + α ₂ ) = 0 mod p

For the term X xr- 2ma ₂ (ma ₂ + b ₂ ) = 0 mod p

For the term X XI : a ₂ (ma ₂ + b ₂ ) = 0 mod p

The items are such that they are not equal to 0; then the coefficients of the relevant items are extracted, making it 0:

For item X: mb ₂ (2maia2 + + α ₂ ) = 0 mod p

For the item X 0 mod p

For item X + α ₂ ) = 0 mod p

For the term X xr- 2ma ₂ b ₂ (ma ₂ + b ₂ ) = mod p

For the item XX\ XXIi :: a ₂ b ₂ (ma ₂ + b ₂ ) = mod p

Other items make them not equal to zero. To simplify the above equations, the simultaneous equations T are:

2m aa ₂ + α ₂ ΐ + ab ₂ = 0 mod p

Ma ₂ +b ₂ =0 mod p

This is a set of indefinite equations for a range of 0 ₁ a ₂ , b _u , on a finite field. The general solution for T is:

Ma\ + bi = 0 mod p, ma ₂ + b ₂ = mod p

This shows that the above Α(Λ representation can be set to conformal iterative transformation.

Usually Τ is a complex multivariable nonlinear indefinite system of equations, but the purpose of establishing this system is to find any set of special solutions, which is easier than the general solution of the indefinite equations.

In the fourth step, we find a set of solutions for the equations , and substitute them into the desired Α

For example, for the above embodiment, let ?? = 17, a ₀ = l, b ₀ = 7, corpse 3, a ₂ = 5, m = 2, then b _x = -ma _x mod 17 = 11, b ₂ = -/TW ₂ mod 17 = 7, it can be proved that this A(x) is a conformal iterative function

A( )= ((1+ 3 i + ΙΟ ι + 5 i ₂ ) mod 17,

(7 + ll i+ 14 i + 7 i ₂ ) mod 17)

((15 + 8 i + 4 i + 2 i ₂ ) mod 17,

(13 +x _x + 9χχ + 13 i ₂ ) mod 17)

A ⁽ⁱ⁾ (x)=((7+ lO i + 5 i + ll i ₂ ) mod 17,

A ⁽⁴⁾ ( ) = ((14 + 4 i + 2χ ^ζ + x _x x ₂ ) mod 17,

(15 + 9χχ + \3>χχ + \5χιχ ₂ ) mod 17) A ⁽⁵⁾ ( )=((10 + 5 i+ ll i ² + 14 i ₂ ) mod 17,

A ⁽⁶⁾ ( ) = ((5 + 2x _l + χχ + 9 i ₂ ) mod 17,

(16 + 13 i+ 15 i ² + 16 i ₂ ) mod 17)

A ⁽⁷⁾ ( )=((3 + ll i+ l + 7 i ₂ ) mod 17,

(3 + + 6 i ² + 3 i ₂ ) mod 17)

A ⁽⁸⁾ ( ) = ((9 + 9 i ² + 13 i ₂ ) mod 17,

(8 + 15 i+ 16 i ² + 8 i ₂ ) mod 17) Let x = (3, 5), then A(x) = (5, 16), = (8,

10), A ⁽⁵⁾ (x) = (ll, 4), A ⁽⁶⁾ (x) = (2, 5), A ⁽⁷⁾ (x) = (12, 2), A ⁽⁸⁾ ( x) = (16, 1), ....

The above method of constructing A using the polynomial is also suitable for establishing the rational fraction using the above and using the polynomial of the integer residual class ring Z _W to establish the Α (Λ , and generalize to the «> 2 case, The established derivation process is more complicated.

It should be noted that when calculating the value of the rational fraction, there will be cases where the denominator is not a polynomial whose coefficient is 0, but the value of the denominator polynomial is 0. The necessary fault tolerance and error correction measures should be taken.

As the length of the vector increases, the function size of A(x) will increase rapidly, making A(x) take up a lot of storage space. It is difficult to compress a large A(x) into a short data. However, a short data /0 can be used as a seed of a pseudo-random sequence generator, using the pseudo-random sequence generated by it (μι, μ ₂ , to establish the corresponding Α (Λ, thus using the short data / 0 to indicate the corresponding replacement only It is necessary to re-agreed /0. That is, preferably, the value of the coefficient in A(x) can be determined according to the pseudo-random sequence; and the seed of the pseudo-random sequence is used to identify the A(x).

The specific process is introduced as follows:

For the first class A(x), use the / for each coefficient in A(x) according to the agreed rules. Indicates the A(x);

For the second and third categories (Λ, according to the agreed rules, used to determine Α (Λ: First, use (/ ₁ / ₂ , to determine the functional form of A(x), that is, determine A(x) Which of the items has a coefficient other than 0, and which items have a coefficient of 0, for example, in the above embodiment,

y ₂ = A ₂ ( i, ₂ ) = (bo + bi i + Mod p It is assumed that the value is used to determine that the coefficient of the term about Χ ₂ ² is 0, and the coefficient of the term of χιχ ₂ is not 0;

Secondly, after determining that the system of equations T for the coefficients has a solution, the value of ( , Ζ / 2, is used to determine a set of special solutions of the system of equations, for example, in the above embodiment, , Mod 17 =11, b ₂ ⁼ ~ma ₂ mod 17 =7, and use the values of these variables to determine the coefficient of A(x).

With the above method, under the control of the determined pseudo-random sequence (/ ₁ / ₂ , it is possible to establish a corresponding A(x), so that a short data / _Q can be used to represent a long data. As for the specific corresponding process, due to its variety, it is only explained by an example here, and other solutions are not introduced.

The outstanding advantages of this method are: It can realize the high efficiency compression coding of A(x), let different users, according to different situations, use different A(x), thus achieving the cryptographic algorithm parameter A(x) Changeable. With this technical system in place, the attacker must invest in a specific cryptanalysis for each specific A(x), which will greatly increase the cost of deciphering.

The following invention provides a specific way of two key negotiation methods, the difference being whether the information conveyed by the public uses the vector d _t or the function Bi(x).

Key agreement method 1

Let the password parameter A(x)=((1+ 3 ι + 10 i ² + 5 i ₂ ) mod 17,(7 + ll j + \Αχ _χ ² + Ίχ^) mod 17), q=(3, 5 ), carried out:

User 1 randomly selects the integer = 2, substitutes q and performs layer Α (the iteration of Λ: d _x = A = A ⁽²⁾ (3, 5) = (3, 3), the result of the calculation d (3, 3 ) passed to user 2;

2 = an integer random user to select q and substituting layer Α (Λ _{^{iteration: i 2 = A ¾) (}} ¾r) = A (3) (3,5) = (9, 8), the calculated result RF = ₂ (9, 8) passed to user 1;

User 1 calculates the key

2 calculates the user key _{= (, ..., ^ ¾)} = ^ ^ 1) = (3) (3,3) = (11,4);

Thus, User 1 and User 2 have established the same key = (11, 4:).

Key agreement method 2

Let the password parameter A(x)=((1+ 3 ι + 10 i ² + 5 i ₂ ) mod 17,(7 + \\χ _λ + \Αχ _χ ² + Ίχ^) mod 17), execute:

User 1 randomly selects integer = 2, and derives the iteration of layer A(x): _l (x) =

= ((15 + 8 i+ 4 i ² + 2 j ₂ ) mod 17, (13 + j+ 9x _x ² + xix ₂ ) mod 17), and put the function Group ^ is passed to user 2;

User 2 randomly selects the integer = 3, and derives the iteration of layer A(x): ₂ (x) = A^ x)= A ⁽³⁾ ( ) = ((7+ 10 ι+ 5χι ² + ηχιχ ₂ ) mod 17 , (12 + \Ax _x + Ίχ _χ ² + Uxix ₂ ) mod 17), and pass function group B ₂ to user 1;

User 1 calculates the key = B ₂ ^w (x) = B ₂ ⁽²⁾ ( ) = A ^(2x3) ( ) = ((5 + 2χ _λ + χ _λ ² + 9χ _λ χ ₂ ) mod 17, (16 + 13 ι + 15 ι + 16 ι ₂ ) mod 17);

User 2 calculates the key = Β ⁽³⁾ ( ) = Α ^(3χ2) ( ) = ((5 + 2χ _λ + χ _λ ² + 9χ _λ χ ₂ ) mod 17, (16 + 13 ι + 15 ι + 16 ι ₂ ) mod 17);

Thus, User 1 and User 2 have established the same key.

Referring to FIG. 4, a method for encoding and decoding a digital message according to the present invention is disclosed, which is mainly used for encryption and decryption, and may specifically include:

Step 401: The preset encryption terminal and the decryption end share the non-linear function group from the meta-vector X to the meta-vector J.

Where, >1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The quantity and type remain unchanged, S is an integer; if B(x) = A(A(x)), Bay ijA(B(x)) = B(A(x)) _;

Step 402: Select an integer ^ as a private key; use the layer iteration to establish a corresponding public key; Step 403, the encryption end selects an integer ί, converts the public key into an intermediate key about ί, and then uses the intermediate key Encrypting the plaintext, transmitting the result of the encryption and the result of the transformation to the decryption end; the transformation result of the t is related to the t-layer iteration of A(x);

Step 404: The decryption end uses the transformation result of the ί, the private key, and the 中间(χ) to calculate the same intermediate key, and then uses the intermediate key to decrypt the encryption result.

In the above embodiment, the encryption end transmits the real-time selected integer ί to the decryption end by the conversion result of t, and the decryption end actually implicitly includes the information of the private key k when establishing the public key, so The two sides exchanged their own information and, therefore, can perform encryption and decryption very well. Specifically, the present invention does not need to be limited. The purpose of the transformation is to prevent the third party from obtaining the information of the ί, and the decryption end can use the intermediate key to obtain the intermediate key. Of course, the setting of the transformation rule may affect the security of the present invention in the process of encryption and decryption.

In another preferred embodiment of the present invention, if the method further comprises the steps of: establishing a vector g shared by the encryption end and the decryption end, the number of arguments being greater than 1, the public key rf=W, ..., 4) = A ^(fc) _; Bei ij, The step 403 further includes: the encryption terminal selects an integer ί, and converts the public key into an intermediate key about ί, Then, the intermediate text is used to encrypt the plaintext, CD, and the ciphertext containing the result V of the encryption result C and ί is transmitted to the decryption end, E={v, C), v = (v _b ..., v _w ) = A3⁄4) ;

The step 404 further includes: the decryption end uses the transformation result v of the t, the private key k and the calculation to obtain the same intermediate key, and then uses the intermediate key to decrypt the encryption result C,

Wherein, the A(x) further satisfies: A ^w (A ⁽ⁱ )(xX)=A( )(x).

For example, set shared = select integer calculation

Put as a private key; put as a public key;

The encryption method for converting the plaintext M into ciphertext using the public key rf is: randomly select the integer ί, calculate:

C = O(M,K), E= {v, C};

The decryption method for converting the ciphertext ={v,C} into plaintext using the private key is:

The above cryptographic encryption of the symmetric cipher " = Ο (Μ, ", and the corresponding decryption transformation" Μ = The specific implementation methods are all well-known technologies.

In another preferred embodiment of the present invention, when the public key B = A ^w , the shell lj,

The step 403 further includes: the encryption terminal selects an integer ί, and converts the public key into an intermediate key K about ί, K= And then using the intermediate key to encrypt the plaintext, C = D(, K), transmitting the ciphertext E containing the result of the transformation of the encryption results C and t V(x) to the decryption end, {Y(x), C} ,

The step 404 further includes: the decryption end uses the transformation result V of the t, the private key k, and calculates the same intermediate key, and then uses the intermediate key to decrypt the encryption result C to obtain the plaintext.

Wherein, the A(x) further satisfies: If B( _X )=A(kXx), then B(tXx)=A(ktXx). For example, select the integer calculation Β(Λ = Α ⁽ 3⁄4 ; put Η乍 as the private key; Β (χ) as the public key; use the public key Β (Λ, the encryption method to convert the plaintext into ciphertext is: randomly select the integer ί, calculation:

Y(x) = K= ^(t \x), C = O(M,K), E= { (x\ C};

The decryption method for converting ciphertext = {V , C} into plaintext using the private key is:

For the establishment process of the n-ary nonlinear function group Α (Λ in the embodiment of the encryption and decryption in this section, refer to the foregoing related part, which is not described in detail here. This embodiment can also determine the Α according to the pseudo-random sequence ( The value of the coefficient in χ); the seed of the pseudo-random sequence is used to identify the Α(χ).

Preferably, this embodiment can also establish an identity-based key management system. The so-called ID-based key management is to directly use the user's identity, such as name, address, telephone, etc. as the user. Public key.

For example, the following can be rapidly established by the private key ho: a private key preset table, ..., and the corresponding public key distributed in Table G ₁ a key distribution center; according to the predetermined rule, to obtain the identity of the user ID to point a pointer of the plurality of private key tables; respectively obtaining a private key component from each of the plurality of private key tables pointed to, and combining to obtain the private key of the user. The specific description is as follows:

(1) Each of the λ key distribution centers independently establishes its own sufficiently large private key table, ..., and the corresponding public key table G ₁ ..., G,; The content of the record is a positive integer, denoted by _y , l, 2, the content of the related record in the public key table is the corresponding public key; the public key table is disclosed, and the private key table is secretly saved by each key distribution center;

(2), set a one-way function, the input is the user's ID, and its output is a pointer to a private key table and λ public key tables ηι, , η _θ : { ηι, η ₂ , } = Hash(ID);

(3), the private key of the user whose identity is ID is

λ Θ '■=1 7=1

That is, each authorized user receives a private key component from each of the key distribution centers:

Θ

_{= ΣΑ, ¾, ί = 1-} , then these components are added private keys, user's private key authorized for the synthesis of: = ^: 1:) + ... + _^^;.

(4) When the public key adopts the vector "rf=W, ...,4)=Α( ^Λ 1⁄2)", set the shared = q _n ), and the public key of the user whose identity is ID is: λ Θ

(∑∑ ·)

d = G _h (G _l% (...(G,^ (G _A , (q)))))) = A (q); When the public key uses the function "B(x)=A ^w ( x)", the public key of the user whose identity is ID:

λ Θ

(∑∑ ·)

B(x) = G (G _u% (...(G^ (G^ _% ( )))...)) = A- ¹ (X). The invention uses a plurality of key distribution centers to jointly establish a user private key to implement an identity-based key management system, which is characterized in that: the user ID is the public key of the user; each key distribution center and each user Managing their own secrets, no one can get all the secrets; each key distribution center is not restricted by the administrative management system and computing power, but is unable to steal the user's private key due to lack of information.

The present invention provides two encryption schemes, the difference being whether the public key uses the vector rf or the function B(); the scheme 1 uses a vector as the public key, and the scheme 2 uses a function group as the public key. The advantage of the encryption scheme 1 is that the data length of the public key is very short, and the advantage of the encryption scheme 2 is that the security of the password is stronger. The following are specific instructions:

Encryption scheme 1

First, let '=2, set the password parameter, that is, the conformal iterative transformation function is:

Α(χ)=(Α ₁ (χ ₁ ,χ ₂ ), Αι( ι, ₂ ))' where:

Αι( ι, χ ₂ ) = (1+ + ΙΟ ι + 5 i ₂ ) mod 17,

A ₂ ( i, ₂ ) = (7 + ll i + 14 i + 7 i ₂ ) mod 17, set the shared vector q = (q _u q ₂ ) = (3, 5), E finite field F^, p =\7 , select a positive integer k=2 as the private key, substitute g into A(x) for layer iteration, and calculate:

d= (dd ₂ ) = A( ² )(3, 5) = (3, 3),

Rf=P, 3M乍 is the public key (the calculation result, see how to create the second type, the third type A(x) small data embodiment in this specification);

When using public key encryption, randomly select a positive integer ί, set ί=3, substitute ί and g into Α(χ), and calculate:

V = = A( ³ )(3, 5) = (9, 8),

Substituting ί and public key into A(x :

K = = A ⁽³⁾ (3, 3) = (11, 4),

Encryption is performed on the key used as symmetric encryption: C = D( , K) = D( , (11, 4)),

Where " = Ο (Μ, " can use any kind of symmetric cryptographic encryption algorithm, for example, using the US data encryption standard AES; the following will use "TW^D^CW to represent the corresponding symmetric cryptographic decryption algorithm;

The above result of encrypting with a public key consists of two parts: {v, C}={(9,8), C}, where v=(9,

8) is the ciphertext header, C is the cipher text;

When decrypting with the private key, the ciphertext header V and the private key ^ are first substituted into the calculation:

The key used as symmetric decryption is decrypted and transformed:

Since the same =(ll, 4) is used for encryption and decryption, the correct plaintext can be restored.

Encryption scheme 2

The difference between the two encryption schemes is only that the data format of the public key is different: the encryption scheme 1 uses a vector ^ 4) as the public key, and the advantage is that the public key data length is short; the encryption scheme 2 uses a function group B(x). = (B^ !, ..., x _n \ ..., B _w ( _b ..., x„) as a public key has the advantage of obtaining a longer password period.

Let "=2, p=\,, set the password parameter:

Α ( ) = (Αι (χι , χ ₂ ), Αι( ι, χ ₂ ))

= ((1+ 3 ι + ΙΟ ι ² + 5 ι ₂ ) mod 17 , (7 + Ιΐ ι + Ι χχ +Ίχ^) mod 17), set the private key ^=2, the corresponding public key is:

= ((15 + 8 i + 4 i ² + 2 i ₂ ) mod 17, (13 + x ₁ + 9x ₁ ² + 13 i ₂ ) mod 17); Using the public key Β (Λ when encrypting, randomly selecting a positive Integer ί=3, calculate the ciphertext header:

= ((7+ ΙΟ ι + 5 i ² + ll i ₂ ) mod 17, (12 + \Ax _x + lx _x ² + \2χιχ ₂ ) mod 17), calculate the key used for symmetric encryption:

) ( )

= ((5 + + 16 i ₂ ) mod 17), using the encryption transformation to get the ciphertext body as:

C = D( , K) = D( , ((5+2 ι+ ι ² +9 ι ₂ ) mod 17, (16+13 i+ 5 i ² +16 i ₂ ) mod 17》, the above result encrypted with public key B consists of two parts composition:

E = {V( ), C}

= { ((7+ 10 ι+5 ι ² + 1 li ₂ ) mod 17, (12+14 i+7 i ² +12 i ₂ ) mod 17), C}; When decrypting with a private key, first privately The key ^ and the ciphertext header are used to calculate the key used for symmetric encryption:

= ((5 + + 16 i ₂ ) mod 17), then use K to convert ciphertext C into plaintext

= D( , ((5+2 ι+ ι ² +9 ι ₂ ) mod 17, ( 16+ 13 i+ 15 i ² + 16 i ₂ ) mod 17)), since the encryption and decryption use the same, so Restore the correct plaintext.

Referring to FIG. 5, an embodiment of a method for digital signature and verification is shown, including: Step 501: Establishing a non-linear function shared by an n-ary vector X to an n-ary vector shared by a signature end and a verification end group

..., A _w ( i, ..., x _n )) where η>1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), Compared with A(x), the number and type of terms whose coefficient of X is not 0 remains unchanged, S is an integer; if B(x) = A(A(x)), Bay ijA(B(x) ) = B(A(x)) _;

Step 502: Select an integer ^ as a private key; use the layer iteration to establish a corresponding public key; Step 503: The signature end selects an integer ί, and converts the data to be signed into an intermediate message related to the private key ^ according to a preset rule. And then transmitting a digital signature containing the intermediate message and the result of the transformation of ί to the verification end; the transformation result of the t is related to the t-layer iteration;

Step 504: The verification end uses the transformation result of t, the data to be signed, the intermediate message, the public key, and the verification to satisfy whether the preset rule is met. If yes, the digital signature verification is passed.

Since the preset rules are determined privately by both parties, the validity of the signature can be guaranteed. As for the specific rules, the present invention cannot be and need not be limited, and those skilled in the art can set them as needed.

In general, the direct verification verifies whether the preset rule is met. Preferably, the preset rule may also be transformed, and the signature is verified to be correct by verifying whether the transformed pre-made rule is satisfied.

In a preferred embodiment of the present invention, the method further includes: establishing, by the signature end and the verification end, a vector having a variable number greater than 1 | The step 503 further includes: the signature end selects an integer ί, converts the data to be signed 为 into an intermediate message c related to the private key according to a preset rule, and then transmits the number of the transformation result e including the intermediate messages c and ί Signature S to the decryption end, S= {c, ; The transformation result e of the ί is related to the ί layer iteration of A(x): e = ( _ei , ..., 0 = Α ^(ί) (^ _; The preset rule is an integer equation Φ: c = Φ(ί, w, k), where w is an integer calculated according to data to be signed;

The step 504 further includes: the verification end uses the transformation result e of t, the w calculated according to the data to be signed M, the intermediate message ^ public key, and whether the verification satisfies the preset rule: assuming that the integer equation Φ can be further advanced Expressed as: = A and contains ί, then verify that Α ⁽ "1⁄2) = Α ⁽ 1⁄2;) = { ^β - ) is true; if correct, the digital signature is verified;

Among them, when the public key..., d _n ) = The A(x) is further satisfied: A ^w (A ⁽ⁱ )(x)

= , Bay ijB ⁽ⁱ⁾ (x)=A ⁽ )(x).

For the establishment process of the n-ary nonlinear function group Α (Λ in the embodiment of the digital signature in this part, reference may be made to the foregoing related part, which will not be described in detail herein. In addition, the embodiment may also be determined according to a pseudo-random sequence. The value of the coefficient in Α(χ); the seed of the pseudo-random sequence is used to identify the Α(χ). And, the embodiment can also be applied to the case of constructing an identity-based key management system, which has been previously Detailed, so I won't go into details here.

The present invention also provides two digital signature schemes, the difference being whether the public key is a vector rf or a function B(x), as follows:

Digital signature scheme 1

As shown in Figures 6 and 7: Function, the input Δ of the function is some combination of information such as data M that the verifier can obtain, but at least M should be included, and its output w is a positive integer; Let Φ be an integer equation for c, t, w, A The equation can take different forms, for example: k = c + w + t, k + w = c + t, k + c + w = t, ...; ie divide c, t, w, : into N = c^n^ is used instead of the minus sign, and t is included in it, so that the equation Φ and the corresponding iterative equation Φ' are expressed as:

Φ: α = β,

Φ': A ⁽ )=A ⁽ %);

Let "c = <D(i,w, " be the operation of substituting the known ί, w, into the equation Φ for c. The calculation speeds of different Φs are different, but the security is the same. For example, in this embodiment, Regulation

Φ: k = c + w+t,

After e = A ⁽ 3⁄4) is substituted into the above formula, the specific test formula is

φ,: d = A ^(c+w) (β)

After the integer equation Φ is specified, in order to ensure that the Φ-definite solution, a range of ^, t, w, and each is required. For example, when c = Φ(ί, w, k) = kwt, the requirement is: k>c, k >w+t ₀

As shown in Figure 6, 7: set the password parameter A (x) = ((1 + 3 ι + 10 i ² + 5 i ₂ ) mod 17, (7 + ll j + l + 7x ₁ ) mod 17); q=(3, 5), private key = 8, and its corresponding public key rf = A ^w (g) = A ⁽⁸⁾ (3, 5) = (16, 1);

The method of using the private key to convert the data M into a digital signature S is: Randomly select a positive integer ί, set ί=3, calculate:

e = e ₂ ) = = A ⁽³⁾ (3, 5) = (9, 8),

Suppose w = Η(Δ) = H( ) = 2, Bay ij c = Φ(ί, w, k) = kwt = 8—2—3 = 3, whose signature is: S = {c, e} = { 3, (9, 8)};

Using the public key rf=G6, 1), the method for checking whether the digital signature S is correct is: first calculate w = H(A) = H( ) = 2, then substitute <, c, w, e, g into the iteration equation

Since ί = Α ⁽ ^^, e = A ), the specific verification formula is

d = A ^(c+W) (e) ?

(16, l) = A( ³⁺² )(9, 8) = A( ⁵ )(9, 8)

Therefore S = {3, (9, 8)} indicates that the signature of M has been verified.

Digital signature scheme 2

As shown in Figures 6 and 7: Function, the input Δ of the function is some combination of information such as data M that the verifier can obtain, but at least should include M; its output w is a positive integer; let Φ be an integer equation for c, t, w, A , the equation can take different forms, for example: wk=c + t, wk+c = t, ...; that is, divide c, t, w, into c^n parts that do not use the minus sign, in the equation There may be a product term (such as wA) containing two variables of k, and is included to represent the equation Φ, and the corresponding iterative equation Φ' as:

Φ: α = β,

Φ!': A ⁽ )=A ⁽ %);

Let "c = <D(i,w, " be the operation of substituting the known ί, w, into the equation Φ for c. The calculation speeds of different Φs are different, but the security is the same. For example, in this embodiment, Regulation Φ: wk=c + t, ίΕ The formula is

After specifying the integer equation Φ, in order to ensure that Φ-definite solution, it is necessary to define a range for ^, t, w, and each. For example, when c = <D(i, w, = M^-i, it is required: wk>c.

Let the password parameter A(x)=((1+ 3 ι + 10 i ² + 5 i ₂ ) mod 17,(7 + ll j + \Αχ _χ ² + Ίχ^) mod 17); let g = (3, 5), the private key k = 2, and its corresponding public key is B ( ) = ((15

+ 8 ι + + 13 i ₂ ) mod 17);

The method of using the private key to convert the data Λ/, into a digital signature S is: Randomly select a positive integer ί, for example, set ί=3, calculate:

e = e ₂ ) = = A ⁽³⁾ (3, 5) = (9, 8),

Fl3⁄4 w = Η(Δ) = H( ) = 4 , WlJc = <D(i,w, :) = ^—i = 4X2- 3 = 5, whose signature is: S= {c, e} = {5 , (9, 8)};

Using the public key Β (Λ, verify that the digital signature S is correct is: first calculate w =

Η(Δ) = Η( ) = 4, then substituting Β(Λ:), q, c, w, e into the iterative equation where:

, 5) = (16, 1)

Therefore, S= {5, (9, 8)} is verified as the signature of the pair.

Scalability description of digital signature scheme

Once the Α(Α), the technical personnel in the field can understand and enlighten the above digital signature scheme, and can design many new digital signature schemes that look more complicated and the coding techniques are very similar. For example, Set the more complicated equation Φ, the one-way function 3⁄4:.:) can be more flexible, when Α (Λ can also use negative integers. The specific method of establishing Φ, Η is a well-known technology (see Application Code for details). Learning - Protocols, Algorithms, and C Programs, Bruce Schneier, China Machine Press, 2000., pp. 389-399). However, these modified digital signature schemes will all follow the common invention. Necessary technical features: Its security is based on the number of layers of multivariate nonlinear conformal iterative transformation.

For the foregoing method embodiments, for the sake of simple description, they are all expressed as a series of actions. Combinations, but those skilled in the art will appreciate that the present invention is not limited by the order of the acts described, as some steps may be employed in other sequences or concurrently in accordance with the present invention. In addition, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

Correspondingly, the present invention further discloses a system for performing key agreement, which specifically includes: a sharing unit, configured to store a user group shared Α (Λ, the user group includes at least two users; Nonlinear function group of metavector X to η-element vector

Where η > 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, S is an integer; if B(x) = A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

The key calculation unit is located at each user end of the user group, and is configured to calculate, by using the received intermediate result for each user, a key shared by the user group.

Correspondingly, the present invention also discloses a system for encoding and decoding a digital message, comprising: a sharing unit, configured to store A(x) shared by the encryption end and the decryption end _; the A(x) is by n Metavector X to the nonlinear function group of the metavector

. . . , x _n ), ... , A _w ( i, . . . , x _n )) where, >1, the A(x) needs to satisfy: Iterative A of the s layer of A(x) ⁽ⁱ⁾ (x), compared with A(x), the number and type of terms whose coefficient of X is not 0 remains unchanged, s is an integer; if B(x)=A(A(x)) , Bay ij A(B(x)) = B(A(x)) _;

a public-private key establishing unit for selecting an integer as a private key; using a layer iteration of A^ to establish a corresponding public key;

An encryption unit, located at the encryption end, for selecting an integer to convert the public key into an intermediate key for t, and then encrypting the plaintext by using the intermediate key, and transmitting the result of the encryption and the result of the transformation to the decryption end; The transformation result is related to the t-layer iteration;

The decryption unit, located at the decryption end, is configured to calculate the same intermediate key by using the transformation result of ί, the private key, and Α(χ), and then decrypting the encryption result by using the intermediate key.

Correspondingly, the present invention also discloses a system for digital signature and verification, comprising: a sharing unit, configured to store the identifier shared by the signature end and the verification end (Λ is by n-direction The quantity X to the nonlinear function group of the metavector

... , A _w ( i, . . . , x _n )) where η > 1, the A(x) needs to satisfy: The iteration of A ⁽ x) s layer A ⁽ⁱ⁾ (x), Compared with A(x), the number and type of terms whose coefficient of X is not 0 remains unchanged, s is an integer; if B(x)=A(A(x)), Bay ij A(B(x) )) = B(A(x)) _;

a signature unit, located at the signature end, for selecting an integer ί, transforming the data to be signed into an intermediate message related to the ί and the private key according to a preset rule, and then transmitting a digital signature including the intermediate message and the result of the transformation of the ί to the verification end; The transformation result of ί is related to the ί layer iteration;

The verification unit is located at the verification end, and is configured to use the transformation result, the data to be signed, the intermediate message, the public key, and the verification to satisfy the preset rule. If yes, the digital signature verification is passed.

For the device embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment. Moreover, in the device embodiment of the present invention, the corresponding module units are all virtualized for the corresponding execution steps. In order to save space, the corresponding process steps are not described here one by one, but Those skilled in the art should be aware that each execution step can correspond to a virtual module one by one. The following is an example with a simple explanation:

The foregoing device embodiments may further include an establishing unit, specifically including the following modules: a structure determining module, configured for presetting:) consisting of a "metapolynomial on a ring R: it contains more than one time. Item

a parameter determining module, configured to receive a related technical indicator parameter of the Α (χ), where the indicator parameter includes an argument quantity “, a data length of the argument, and a highest non-linear number of times;

a random generation module, configured to generate a representation form according to the indicator parameter and the preset structure, wherein the non-zero coefficient in the A(x) is represented by an argument symbol;

An iterative module for substituting A(x) into itself and performing unwrapped, simplified data processing: B(x) = A(A( ));

A system of equations for generating a polynomial for each of the new terms for B (x) and A(x), and generating a polynomial for the coefficients of these terms, so that the values of these polynomials are 0, thereby establishing a simultaneous cubic Cheng group

a judgment module, configured to determine whether the equation group has a solution, and if there is no solution, return a random generation model a block; if there is a solution, a set of solutions of the system of equations is calculated and substituted as a value of the coefficient in A(x) into the representation generated by the random generation module;

The result output module is used to output the resulting Α(χ).

The various embodiments in the present specification are based on the same technical concept, and therefore, the descriptions are all unique to the embodiments, and the same similar parts between the respective embodiments can be referred to each other.

Since the present invention is complicated in technology and the core concept is relatively abstract, for the sake of easy understanding, the main differences between the present invention and the prior art are briefly described below:

The closest technical solution in the prior art to the present invention is DH, the key agreement protocol proposed by Diffie and Hellman in 1976, and the encryption and digital signature scheme proposed by ElGamal. Its security is based on: Known prime numbers; It is difficult to find the discrete logarithm, the primitive l<g</?, and i = mod/?.

The Diffie-Hellman key agreement protocol is: Two users apply the common agreement; , g, when establishing the key f of the mutual secret agreement on the public channel, execute:

The first trick: User 1 randomly selects a positive integer and passes it to User 2; Second: User 2 randomly selects a positive integer. And passed to user 1; third: user 1 calculates the key = = g ^k ^ modp;

Fourth 用户: User 2 calculates the key = ² = ^ ¹ 1110 (1; 7.

The ElGamal encryption scheme is: Using a common agreement; , g, randomly select the positive integer public key as = g ^k modp, the private key is

The encryption algorithm is: Randomly select positive integer ί, ί and (-1) mutual prime, calculate β = πιο(1;?, b = d ^t

M odp, where is plaintext, a, b is ciphertext;

The decryption algorithm is:

Among them, "M" and "b/" can be understood as simple symmetric cryptographic encryption and decryption operations.

The ElGamal digital signature scheme is: Using a common agreement; , g, randomly select a positive integer public key is i = mod/?, the private key is

The signature algorithm is: Randomly select positive integer ί, ί and mutual prime, calculate: α = πιο(1;?, b satisfies A/=(1⁄2 + ib)mod( -l), and fl, b as signature;

The verification algorithm is: If ^ 1110 (1;?, then the signature is verified;

Among them, the signature equation "(ka + tb) mod (p -1)", and the corresponding verification equation "i mod" p = g ^M modp", can also take different forms. The general signature equation can be expressed as:

At = ( 3+ mod (p - 1), depending on the β, w taxi, and whether the value is 1, you can establish different signature equations (see "Applied Cryptography - Protocols, Algorithms and C Programs", Bruce Schneier, China Machine Press, 2000., pp. 389-399).

As a pioneering invention, DH proved for the first time that "on a completely open channel, even if the communication parties do not have any secrets agreed in advance, they can conduct confidential communication." This is the most revolutionary cryptography for thousands of years. Sexual progress, its contribution is mainly to propose new concepts. However, the security of DH's specific algorithm still has a lot of room for improvement.

The main difference between the present invention and DH is that the mathematical difficulties on which the two are based are different.

The security of DH is based on discrete logarithm problems over finite fields: known prime numbers; The primitives l < _g < p, and i = mod/?, it is difficult to find the discrete logarithm. The common technical features of various DH cryptographic algorithms are: Using an integer as a secret parameter, with a power of g of 6 (= touch (1 is a public parameter, then it is difficult to obtain a secret parameter ^ from the public parameter 6). The function of public parameters and secret parameters in the key agreement protocol is equivalent to the public and private keys used in encryption or signing.

The security of the present invention is based on the iterative layer number problem of multivariate nonlinear conformal iterative transformation, δ卩: set to a given nonlinear conformal iterative function group, which is a positive integer, and B is a layer iteration, then known A (x), B (x) seeking is difficult. Where Β(χ) = Α( ^Λ )(χ) = Α(Α(...(Α(Α(χ)))...)), can be understood as an input, "output transform AW Concatenated, it is synthesized into an input, η output transform B(x), as shown in Fig. 8, where the dashed box 801 represents the layer iteration of A(x).

The core idea of the various algorithms of the present invention is that a certain integer k is preset as a secret parameter, and a k-layer iteration B of AW is used as a public parameter, and then the parameter is publicized (soliciting the secret parameter k is difficult, by secret It is easy to find the parameter B for the parameter.

The above problem can also be represented by another equivalent: set..., q _n ), d = {d _x , ... , d _n ) = It is difficult. That is, the change from the value of the vector from g to the change of the function from A(x) to B(x) which causes the changes of these vectors is replaced, as shown in Fig. 9, wherein the dashed box 901 represents Layer iteration of A(x).

δ卩, another expression of the core idea of various algorithms of the present invention is: preset g, A(x), with a positive integer as a secret parameter, a vector as a public parameter, and a secret parameter by a public parameter ^ sleepy Difficult, it is easy to ask for public parameters from secret parameters. Although there is no specific Β (Λ expression as a public parameter, but in the process of calculation, you need to use B. The advantage of this expression is: the data length is significantly reduced than the function length of B, saving the public key storage.

Compared with DH, the invention achieves a significant improvement in the security of the password, and the beneficial effects thereof are as follows: Compared with DH, the invention runs in a larger and more complex algorithm space, causing the scale of the cryptographic function to explode. .

In the DH scheme, no matter how large, its cryptographic function is always a single item about the argument g. When =1, i = g mod ρ·,

When k=2, d = g ² mod p; when k=, d = g ^s mod p;

Its mathematical nature is very simple and clear, and it is easy to provide clues for password deciphering. For example, using the nature of its crypto period p_l, it can be deciphered using the Shor quantum algorithm (see PW Shor, "Algorithms for quantum computation: Discrete log and factoring", Proceedings of the 35th Symposium on Foundations of Computer Science, 1994, pp .124-134. ).

Compared with DH, after the iteration of the present invention, on the one hand, its number of arguments X remains unchanged; on the other hand, not only its nonlinear number of coefficients increases, but also its function scale with respect to coefficients explodes. , thus greatly improving the difficulty of performing mathematical analysis. For example, it seems very simple to have only two arguments ^, Α) of the first class A(x), after the layer iteration, the cryptographic function is: When,

A

When =2,

When =3, A ⁽³⁾ (x;

The coefficients «00, «01, «02, «10, «11, «12, b ₀ , bi, b _{2 in} A(X) are treated as 9 variables in A(x), that is, Λ is understood as:

y=(yu ...,y„) = A(x, a ₀₀ , b ₂ )

= (Α ₁ ( ... ₁ , ..., χ _η , «οο, ···, 3⁄4), ..·, A _w ( i, ..., χ _η , «οο, ···, 3⁄4) )' Then the coefficient (i3⁄4 _Q , the number of terms of b in the numerator polynomial or denominator polynomial in A ^w (x) after expansion or simplification is approximately: r _k _ (9 + k)\ ie A(x , ooo, b ₂ ) consists of a dense polynomial about 0 _QQ , b ₂ ). For example, when it is again 65536 (that is, the 16-bit binary number 10000000000000000), the number of terms for each polynomial will be increased to approximately: 61497085601546282326893635550884880385; a polynomial of such a large size, although objectively present in the mathematical world, requires an occupation index The level of storage space is actually difficult to operate, and it is more difficult to explore the laws through mathematical analysis.

In accordance with the advances in contemporary computational mathematics, the cost of using mathematical analysis to decipher (for example, the analysis of functions with 61497085601546282326836635550884880385 items) will be far greater than the cost of directly deciphering with exhaustive methods (for example, only 65,536 trials).

Compared with the above case, when the second type and the third type A(x) are adopted, with the increase, A ^w (x) The non-linear number of coefficients will increase at a faster rate, causing A ^W (X) to explode at a faster rate with respect to the function size of the coefficients. For example, when an item is contained in A(x), the nonlinear number of A ^w (x) with respect to the coefficient is (2 ^fc -l).

When the Shor quantum algorithm is used to decipher the present invention, the required function sequence {Α ⁽¹⁾ , Α ⁽²⁾ ( ), Performing a generalized discrete Fourier transform, this transformation is subject to the number of terms in the function A ^w , that is, when A ^w explodes on the function scale of the coefficient, the cost of performing the generalized discrete Fourier transform is greatly increased.

In summary, the present invention achieves a qualitative leap for the security of the password.

After the inventors made the present invention, it was found in comparison with the three prior art mentioned in the background art that in the extreme case of the safety reduction of the present invention, the mathematical expression is similar to DH. Gp, when the present invention is based on the iterative layer number problem of the 1-variable monomial function of =1, the iterative function is: D=gx, and the result of the two-layer iteration is /(xX)=g ² x, ..., layer iteration The result is ..( (3⁄4 ...:)= _; and let x = l, then from the surface phenomenon, the mathematical expression of the present invention is similar to DH. In order to avoid others after seeing the present invention, The present invention is simply understood as a natural extension of DH, and the innovation difficulties of the present invention will be briefly described below.

1. From the DH scheme, there is no suggestion for the present invention.

First of all, the prior art has recognized the possibility that the three coding systems mentioned in the background are unsafe, but what are the specific factors that cause insecurity? What is the specific direction of improvement? How to improve? And which coding system should be based on improvement? These problems are not given by the prior art.

Secondly, when the present invention is limited to "=1, the monomial function, and x=l, the present invention and DH are indeed similar in mathematical expression, but those skilled in the art should know that, in fact, d = g ^k modp can It is an extreme case of a very large number of mathematical models, and it is almost impossible to derive the universal form of its determination from an extreme situation. For example, the discrete logarithm problem of the basic domain can also be extended to the discrete logarithm problem of the square matrix on the basic domain. It can also be said that the present invention selects a most suitable mathematical model from a very large number of mathematical models corresponding to 6 = mod;

The most important thing is that the invention first proposed the concept of conformal function conformal. From the perspective of DH, there is no argument X, and there is no function of the argument X, so it is difficult to think of the iteration of the function. Don't say that the inventor needs to consider whether the iterative function can be preserved, and what is the meaning of conformalization.

In fact, the present invention proposes a completely new research direction, just in the mathematical expression The extreme form is similar to DH. In the various existing publications, not only the term "conformal iteration" is used for the first time in the present invention, but also its concept, definition, description of nature, method of determination, establishment of steps, etc., which was first proposed by the present invention.

2. Making the invention requires overcoming long-standing technical biases.

It is always considered to be a difficult problem to achieve a multivariable nonlinear iterative transformation in which the function scale of X does not expand and the function scale of its coefficients explodes. First, extending the iteration of a simple single-variant monomial to a nonlinear iteration of a single-variant polynomial will inevitably encounter a function expansion problem. For example: Let the iterative function be: fix) = (a ₀ + α _λ χ + a ₂ x ² ) mod p. When = 2:

2 2 2

Fj[x)) = (<3⁄4("o + ct\X + a ₂ x ) + α\(α ₀ + a\X + a ₂ x ) + a ₀ ) mod p

a ₂ V) modp, at this time there are items that do not exist in D, such as x ^{4 ,} and the size of the above function will explode after multiple layers of iteration. Using this function to perform cryptographic operations requires exponentially large storage space and lengthy computation time.

Second, the iteration of a single argument function is simply extended to the iteration of a multivariate function, and usually the function expansion problem is encountered. For example: (J^ + A , x _l + x ₂ ), after two layers of iteration: (X + SJ^A + x ₂ ² + x _l + x ₂ , x _l ¹ + x _l + 2x ₁ ), There have been new items such as χΛ ι3⁄4 x ₂ ^{2 that} did not exist.

It is precisely because of the above situation that it has long been recognized by those skilled in the art that for a one-dimensional nonlinear function having two or more terms, iteratively results in a combined explosion of the scale of the function after iteration. Therefore, for multivariate nonlinear functions, it is generally believed that after iteration, it should also lead to a combination explosion of the function.

However, there is no theoretical proof: "For a non-linear function with more than two terms, after iteration, it will inevitably lead to a combined explosion of the scale of the function", this conclusion must be extended to the case of more than two: Multivariate nonlinear functions, after iteration, will inevitably lead to a combined explosion of the scale of the function. Therefore, the present invention proposes to overcome this technical bias that has been formed for decades. The inventor needs to determine that in a multivariate nonlinear function, there is both assurance about the argument

The non-linear number of times c : ) remains constant, and a function that rapidly increases the number of nonlinearities of the coefficients in the function can be guaranteed, and such a function can be established by a certain method.

3. Implementing the present invention, it is very difficult to establish a multivariate nonlinear conformal iterative transformation.

First of all, the invention belongs to pioneering research, and its mathematical theory background is not mature. There is very little information available, for example: How to understand the mathematical structure of the conformal iterative transformation from the perspective of abstract space? How to establish a homomorphic mapping from a rational fractional domain to a polynomial domain, and a homomorphic mapping from a polynomial domain to a basic domain? How to find the period of conformal iteration? How to determine the specific mathematical properties of conformal iterations and how to determine these properties? These issues involve some profound mathematical frontier topics that are not yet fully resolved.

Secondly, it is easy to put forward the concept of the invention, but to design a feasible, practical and complete technical solution, it requires a high technical threshold: not only to grasp the progress of the frontier of contemporary mathematics, but also to have rich practical coding. The level of experience and analysis, the skillful use of mathematical tools, and the reliance on non-deterministic factors such as inspiration and opportunity, it is difficult for a person of ordinary skill in the art to accomplish this work, for example: For the first type of conformal iterative transformation, by using The division of two linear polynomials to establish a rational fraction seems simple, but understanding the principles behind the algorithm involves complex mathematical derivations;

For the second and third types of conformal iterative transformations, it also involves the technical means of solving indefinite equations and the method of determining conformal iterative properties. Complex symbolic operations and quantitative analysis are needed.

Existing DH digital signature algorithms need to calculate the crypto period, but the period of the conformal iterative transformation (that is, 10 when A ^W =A is usually difficult to calculate, how to bypass the complex period calculation in the digital signature, it needs to be quite high The coding technique. The invention mainly establishes the signature equation by the calculation of integers instead of the calculation of one cycle. It should be noted that although this cycle problem exists in key negotiation, encryption and signature, the signature is The problem is especially acute.

4. What kind of beneficial effects can be brought about by the nature of the function of "conformal iteration"? It requires a deep understanding of the law and nature of the password to be fully understood.

For example, for the "fractal" effect of conformal iterations, you need to use your imagination to understand the cleverness of its algorithm design. Specifically, in the above-mentioned "=2 of the first type Α (Λ, A ^(FC+1) W is relative to Α ⁽ 3⁄4, from Α ⁽ 3⁄4 of the unknown element ^, x _{2 part} of it, in There is a similar function structure in the corresponding position in A ^(FC+1) . This description not only has pure theoretical and wonderful artistic appreciation value, but also a substantial cryptographic design: when iterative layer When the number increases, it is conceivable that the explosion of the function scale has a certain regularity. However, as long as the coefficient in A ^w (x) is substituted into a specific value and expanded and simplified, the regularity, that is, the structural information of the function , it will disappear.

In short, how to establish a cryptographic nature is both very nonlinear and does not bring about The conformal iterative function of the exponential explosion of X is an extremely exploratory frontier subject. Its research has both broad application prospects and high technical difficulty. It has undergone repeated processes from theory to practice. It is the result of long-term thinking by the inventor, which fully reflects the inventor's wisdom and innovation.

Compared with the ECC public key cryptosystem in the prior art, the main difference between the present invention is:

The first is the difference in mathematical concepts: the points on the elliptic curve are represented by a two-dimensional array (X, the elliptic curve group defines an "addition" - one is a two point in an elliptic curve, seeking A three-point nonlinear operation, but this operation does not satisfy the definition of a conformal iterative function.

Secondly, the mathematical problems are different: a conformal iterative transformation A(x) is equivalent to an n input, "output function, set {A ⁽¹⁾ W, A ⁽²⁾ W, ... , A ^W W, for a iterative operation, constitutes a semigroup. The so-called conformal iterative layer number problem can be understood as defining a "conformal iterative discrete logarithm problem" in the semigroup, and its mathematical properties and "elliptic curve dispersion" The logarithm problem is very different.

Finally, the crypto periods are different: The period for calculating the conformal iteration has not been found yet (this period is defined as the general method when A ^w = A, for which the present invention deliberately avoids the difficult period calculation problem; and the ECC period ( That is, the order of the points on the elliptic curve) can be calculated.

Since the present invention is different from the ECC algorithm principle and lacks comparability, the beneficial effects of the present invention are understood from the perspective of algorithm space: ECC uses the operation of values between two points, and the algorithm space corresponds to a two-dimensional plane. The set of points of the elliptic curve, the elements in the set are represented by the value of the two-dimensional vector (X,; and the present invention uses an operator between two functions whose algorithm space corresponds to a polynomial group Or a collection of rational fractions, from the perspective of abstract space: The elements in the set are represented by coefficients in the function group, independent of the value of their unknown element x ₁ ; for example, a polynomial group ((<3⁄4 ) + Mod /?) is described by the coefficients ^, , , ^ , which are independent of the value of (^, Α) and belong to the set of points in the upper 8-dimensional space; obviously, the present invention has a larger algorithm space, The law of change is also more complicated.

The foregoing provides a method for key agreement, a method and system for encoding and decoding digital messages, and a method and system for digital signature, which are described in detail herein. The principles and embodiments of the present invention have been described in terms of specific examples, and the description of the above embodiments is only for helping to understand the method of the present invention and its core ideas. Meanwhile, for those skilled in the art, according to the idea of the present invention, The details of the present invention and the scope of the application are subject to change. The contents of the present specification are not to be construed as limiting the present invention.

Claims

OP070709 WO 2009/026771 PCT/CN2007/070628 -39- Claims

A method for key agreement, comprising:

Where η> 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, S is an integer; if B(x) = A(A(x)), Bay ij A(B(x)) = B(A(x)) _;

2. The method according to claim 1, wherein when the user group includes only two users, the step 2 further includes:

The first user selects an integer, calculates a first intermediate result, and passes it to the second user; the first intermediate result is related to a layer iteration of A(x);

3. The method according to claim 1, further comprising: establishing a vector shared by the user group and having an argument quantity greater than one, and wherein the user group includes only two users,

The step 2 further includes: the first user selecting an integer, substituting g and performing the iteration of layer A(x): Passing the result of the calculation to the second user; the second user selecting the integer ^ substituting g into A(x) and performing the iteration of layer A(x): , the calculation result rf _{2 is} delivered to the first user;

The step 3 further includes: the first user calculates the key = ( , ..., ς) = Α ^(3⁄4) ( ); the second user calculates the key = ( , ..., ^ ) = ² ^ ) _;

Wherein, the Α(χ) further satisfies: A (A( (x)) = A(^ ² ) (x).

4. The method of claim 1, wherein when the user group includes only two users,

The step 2 further includes: the first user selects an integer, and the calculation layer is iterative: OP070709

WO 2009/026771 PCT/CN2007/070628

-40- l(x) = 2; The second user selects an integer, calculates the iteration of layer A(x): B ₂ (x) = A ⁽ ^(x), and passes the function group B ₂ (x) to the first user;

The step 3 further includes: the first user calculates the key = B ₂ ⁽ W(x) _{; the} second user calculates the key = B ^(k2 x).

" Among them, ¹ A(x) is satisfied: If B(x) = A(x), then B^)(x) = A^)(x).

5. The method according to claim 1, wherein the meta-linear function group A (>:

Preset structure: Α(Λ 3⁄4 «The linear polynomial of the "Molecular rational fractional function, each numerator and denominator in each rational fractional function is about ..., χ „) on the domain F, The denominator polynomial is the same

Receiving relevant technical indicator parameters of A(x), where the indicator parameters include the number of arguments n and the data length of the arguments;

The coefficient of each item in the generation;

According to the preset structure, the resulting Α is output.

6. The method according to claim 1, wherein the elemental non-linear function group A (>:

a, the structure of the preset AW: consists of the "meta rational function on the domain F, which contains more than one term for ^, ..., j; when the denominator of Ai < x _{1 is} a polynomial of 0 degree The rational function is a polynomial; when the denominator of Α, , is a polynomial greater than one, the rational function is a rational fraction;

b. receiving relevant technical indicator parameters of A(x), where the indicator parameters include the number of arguments, the data length of the arguments, and the highest non-linear number of times;

c. generating a representation according to the indicator parameter and the preset structure, and the coefficient of the non-zero in the Α (Λ is represented by an argument symbol;

d. Substituting A(x) into itself and performing unwrapped, simplified data processing: B(x) = A(A(x)) _; e, for each new occurrence of B(x) versus A(x) An item about x, generating polynomials about the coefficients of these terms, so that the values of these polynomials are 0, thereby establishing a simultaneous equations;

f. determining whether the system of equations has a solution, if there is no solution, returning to step c; if there is a solution, calculating a set of solutions of the system of equations, and taking the value of the coefficient in the step, substituting the generated by step c Representation of A(x);

g, output the resulting AW. OP070709

WO 2009/026771 PCT/CN2007/070628

-41 -

7. The method according to claim 1, wherein the meta-linear function group A (>: is established by the following steps:

a, preset structure: Α (Λ 3⁄4 « Ring R on the "polynomial polynomial composition: it contains (i, more than 1 term;

d. Substituting A(x) into itself and performing unwrapping and simplification of data processing: B(x) = A(A(x)) _;

e. For each term about x newly appearing in comparison with B(x) and A(x), generate polynomials for the coefficients of these terms, and let the values of these polynomials be 0, thereby establishing a simultaneous equations;

f. Determine whether the system of equations has a solution. If there is no solution, return to step c; if there is a solution, calculate a set of solutions of the system of equations, and substitute 值 (the value of the coefficient in Λ, substitute step c) Generated representation;

g, the output is obtained Α

8. The method according to claim 6 or 7, wherein between the step d and the step e, the method further comprises:

Compare B(x) with A(x). If there are at least two new occurrences of X in B(x), execute step e, otherwise return to step 0.

9. The method of claim 1, further comprising:

Determining the value of the coefficient in A(x) based on the pseudo-random sequence;

The seed of the pseudo-random sequence is used to identify the A(x).

10. A method for encoding and decoding a digital message, comprising: step 1, a preset shared by the encryption end and the decryption end (Λ _; the AW is from a meta vector to a meta vector Nonlinear function group

Step 2: Select the integer ^ as the private key; use Α (Λ layer iteration to establish the corresponding public key; Step 3, the encryption side selects the integer ί, and transform the public key into an intermediate key about ί, OP070709

WO 2009/026771 PCT/CN2007/070628

-42- then encrypting the plaintext by using the intermediate key, transmitting the result of the encryption and the result of the transformation to the decryption end; the transformation result of the t is related to the t-layer iteration of A(X);

Step 4: The decryption end calculates the same intermediate key by using the transformation result of the ί, the private key, and Α(χ), and then decrypts the encryption result by using the intermediate key.

The method according to claim 10, further comprising: establishing a vector g shared by the encryption end and the decryption end and having an argument quantity greater than 1, the public key rf=W, ..., 4) = A ^(fc) _; Beij ij Step 3: The encryption side selects the integer ί, transforms the public key into an intermediate key about ί, Then, using the intermediate key to encrypt the plaintext, CD, and transmitting the ciphertext containing the result V of the encryption result C and ί to the decryption end, E={v, C}, v = (v _b ..., v _w ) = A3⁄4);

The step 4 further includes: the decryption end uses the transformation result v of t, the private key k and the Α (Λ to obtain the same intermediate key, and then decrypts the encryption result C by using the intermediate key,

Wherein, the A(x) further satisfies: A ^w (A ⁽ⁱ )(xX)=A( )(x).

12. The method of claim 10, wherein when the public key B = A ^w , then

The step 3 further includes: the encryption terminal selects an integer ί, converts the public key into an intermediate key H= about ί, and then encrypts the plaintext by using the intermediate key, C=D(, K), transmitting The ciphertext E containing the result of the transformation of the encrypted result C and t V(x) to the decryption end, {Y(x), C},

The step 4 further includes: the decryption end uses the transformation result ν of t (the private key k and the calculation to obtain the same intermediate key, and then decrypts the encryption result C by using the intermediate key to obtain the plaintext A/ ,

Wherein, the A(x) further satisfies: If B( _X )=A(kXx), then B(tXx)=A(ktXx).

13. The method according to claim 10, wherein the elemental non-linear function group is established by the following steps

Receiving related technical indicator parameters of A(x), where the indicator parameters include the number of arguments n and the data length of the arguments; OP070709

WO 2009/026771 PCT/CN2007/070628

-43 - Generate coefficients for each item in A;

According to the preset structure, the resulting Α is output.

14. The method of claim 10, wherein the meta-nonlinear function group is established by the following steps

f. Determine whether the system of equations has a solution. If there is no solution, return to step c; if there is a solution, calculate a set of solutions of the system of equations, and as a value of the coefficient in Α (substituting a step c) Generated representation;

g, output the resulting AW.

15. The method of claim 10, wherein the meta-nonlinear function group is established by the following steps

f, determine whether the system of equations has a solution, if there is no solution, return to step c; if there is a solution, then OP070709

WO 2009/026771 PCT/CN2007/070628

-44- Calculate a set of solutions for the system of equations, and substitute the value of the coefficient in Α(Λ) into the representation generated by step C;

g, output the resulting AW.

The method according to claim 14 or 15, wherein between the step d and the step e, the method further comprises:

17. The method of claim 10, further comprising:

Using the seed of the pseudo-random sequence, the A(x) is identified.

18. The method according to claim 10, wherein the private key is established by: presetting a private key table, ..., and a corresponding public key table ^, G„ distributed in a key Distribution center

19. A method for digital signature and verification, comprising:

Step 1, the preset signature end and the verification end share the Α (Λ _; the AW is a non-linear function group from the meta-vector to the meta-vector^

Step 4: The verification end uses the transformation result of the ί, the data to be signed, the intermediate message, the public key, and the verification to satisfy whether the preset rule is met. If yes, the digital signature verification is passed.

20. The method of claim 19, further comprising:

Directly verifying whether the preset rule is met; OP070709

WO 2009/026771 PCT/CN2007/070628

-45- Alternatively, the preset rule is transformed to verify whether the signature is correct by verifying whether the transformed pre-made rule is satisfied.

The method according to claim 19, further comprising: establishing a vector shared by the signature end and the verification end and having an argument quantity greater than one

The step 3 further includes: the signature end selects an integer ί, and the data to be signed is determined according to a preset rule.

Μ is transformed into an intermediate message c associated with the ^ private key, and then the digital signature S containing the transformation result e of the intermediate messages c and ί is transmitted to the decryption end, S = {c, ; the transformation result e of the ί and A (x The ί layer iterative correlation: e = (e _h ... , e _n ) = A ) _; wherein the preset rule is an integer equation: c = Φ(ί, w, k), w is based on the signature to be signed The integer calculated from the data;

The step 4 further includes: the verification end uses the transformation result of t to calculate the w, the intermediate message ^, the public key, and the 依据 according to the data M to be signed (Α verify whether the preset rule is satisfied: assuming that the integer equation Φ can be Into one is expressed as = Α ^{β ― ^{t }} (e) whether it is true; if it is established, the digital signature verification is passed;

Where the public key The A(x) is further satisfied: A ^w ( A ⁽ⁱ )(x) When the public key B(x) = A ^w (x), the A(x) further satisfies: If Β(χ) = Α( ^Λ )(χ), Bay ij B ⁽ⁱ⁾ (x) = A ⁽ )(x).

22. The method of claim 19, wherein the meta-nonlinear function group is established by the following steps

The coefficient of each item in the generation;

According to the preset structure, the output is Α (Λ.

23. The method of claim 19, wherein the meta-nonlinear function group is established by the following steps

a, the structure of the preset AW: consists of the "meta rational function on the domain F, which contains more than one term for ^, ..., j; when the denominator of Ai < x _{1 is} a polynomial of 0 degree The rational function is a polynomial; when the denominator of Ai<x ₁ is a polynomial greater than one time, the rational function is a rational fraction; OP070709

WO 2009/026771 PCT/CN2007/070628

-46- b, receiving A (x) related technical indicator parameters, the indicator parameters include the number of arguments, the data length of the arguments, and the highest number of non-linear times;

g, output the resulting AW.

24. The method of claim 19, wherein the meta-nonlinear function group is established by the following steps

a, preset structure: Α (Λ 3⁄4 « "Right polynomial composition on the ring R: it contains information about (x _u greater than 1 time;

f, judging whether the system of equations has a solution, if there is no solution, returning to step c; if there is a solution, calculating a set of solutions of the system of equations, and taking the value of the coefficient in the step, substituting the generated by step c Representation of A(x);

g, output the resulting AW.

The method according to claim 23 or 24, further comprising: between the step d and the step e:

The method of claim 19, further comprising: OP070709

WO 2009/026771 PCT/CN2007/070628

-47- determining the value of the coefficient in A(X) based on the pseudo-random sequence;

Using the seed of the pseudo-random sequence, the A(x) is identified.

27. The method according to claim 19, wherein the private key is established by: presetting a private key table, ..., and a corresponding public key table ^, G„ distributed in a key Distribution center

Obtaining a pointer to multiple private key tables according to the user ID according to the preset rule;

One or more private key components are respectively obtained from each of the plurality of private key tables pointed to, and the private key of the user is obtained in combination.

28. A system for key agreement, comprising:

a sharing unit, configured to store a user group shared Α (Λ, the user group includes at least two users; the nonlinear function group is a η-element vector X to an η-element vector

Where η > 1, the A(x) needs to satisfy: The s layer iteration A ⁽ⁱ⁾ (x) of A(x), compared with A(x), the term whose coefficient of X is not 0 The number and type remain unchanged, S is an integer; if B(x) = A(A(x)), then A(B(x)) = B(A(x)) _;

29. A system for encoding and decoding digital messages, comprising:

An encryption unit, located at the encryption end, for selecting an integer t, using an intermediate key for transforming the public key into t, encrypting the plaintext with the intermediate key, and transmitting the result of the encryption and the result of the transformation to the decryption end; The transformation result of t is related to the t-layer iteration; OP070709

WO 2009/026771 PCT/CN2007/070628

The decryption unit is located at the decryption end and is used to calculate the same intermediate key by using the transformation result of ί, the private key and Α(χ), and decrypting the encryption result by using the intermediate key.

30. A system for digital signature and verification, comprising:

a signature unit, located at the signature end, for selecting an integer ί, transforming the data to be signed into an intermediate message related to t and the private key according to a preset rule, and transmitting a digital signature including the intermediate message and the transformation result of t to the verification end; The transformation result of t is related to the t-layer iteration;

The verification unit is located at the verification end, and is used to utilize the transformation result of t, the data to be signed, the intermediate message, the public key, and the Α (Λ to verify whether the preset rule is satisfied, and if so, the digital signature verification is passed.