CN1610291A - Method for encrypting and decrypting data - Google Patents


Info
Publication number: CN1610291A
Authority: CN (China)
Prior art keywords: data, point, elliptic curve, ciphertext, calculate
Legal status: Granted
Application number: CN 200410091563
Other languages: Chinese (zh)
Other versions: CN100411334C (en)
Inventors: 李启明, 韩若频, 黄振海
Current assignee: Xinminghua Blockchain Technology Shenzhen Co ltd
Original assignees: Minghuaauhan Science & Technology Co Ltd Shenzhen City; China Iwncomm Co Ltd
Events: application filed by Minghuaauhan Science & Technology Co Ltd Shenzhen City and China Iwncomm Co Ltd; priority to CNB2004100915632A; publication of CN1610291A; application granted; publication of CN100411334C; legal status active; anticipated expiration


Abstract

The data encryption and decryption method encrypts the data to be transmitted at the sending side with a pseudo-addition operation, and decrypts the received data at the receiving side with the method corresponding to that pseudo-addition. Unlike traditional elliptic curve cryptosystems, the present invention uses pseudo-addition to obtain a new plaintext-embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack. The invention provides a very concise plaintext-embedding mode and can verify the legitimacy of a ciphertext, thereby giving a higher level of data security.

Description

Method for encrypting and decrypting data
Technical field
The present invention relates to a method for encrypting and decrypting data, and in particular to an encryption method on an elliptic curve group that uses a new plaintext-embedding mode and is semantically secure under adaptive chosen-ciphertext attack, together with the corresponding decryption method. It belongs to the field of computer and communication security.
Background technology
After Diffie and Hellman proposed the idea of public-key encryption in 1976, cryptographers and mathematicians studied concrete realisations of this idea for nearly 30 years, but the public-key encryption systems that are both secure and efficient are still few. Classified by the hard problem they rest on, they fall roughly into three classes: systems based on the integer factorisation problem, systems based on the discrete logarithm problem in finite fields, and systems based on the elliptic curve discrete logarithm problem. Because no (sub)exponential-time algorithm for solving the elliptic curve discrete logarithm problem has been found, systems of the third class have advantages the first two classes cannot match: at the same security strength the system parameters and keys are shorter (elliptic curve public-key cryptography, Elliptic Curve Cryptography or ECC for short, with 160 bits has security strength comparable to 1024-bit RSA), and there is a wider choice of parameters.
Elliptic curve public-key cryptography was proposed independently by V. Miller and N. Koblitz in 1985, and almost all elliptic curve cryptosystems proposed since were obtained by moving an existing cryptosystem based on the discrete logarithm problem in a finite field onto an elliptic curve group. The elliptic curve encryption scheme ECES (Elliptic Curve Encryption Scheme) of the IEEE P1363 standard of the American IEEE derives from the ElGamal system; because its encryption algorithm is malleable, it is not indistinguishable under adaptive chosen-ciphertext attack (IND-CCA2), only indistinguishable under chosen-plaintext attack (IND-CPA). In 2000 M. Abdalla and others proposed DHIES (an encryption system based on the Diffie-Hellman problem), which is secure in the standard model; because its efficiency is comparable to ElGamal and its security level is higher, it was adopted by some standards, such as ANSI X9.63 (ANSI is the abbreviation of the American National Standards Institute) and SECG (The Standards for Efficient Cryptography Group). Applying DHIES to an elliptic curve group gives the Elliptic Curve Integrated Encryption System (ECIES), the elliptic curve hybrid encryption scheme that the American company Certicom submitted to the European project NESSIE (New European Schemes for Signatures, Integrity and Encryption) on signatures, integrity and encryption. Its security conclusion so far is in the generic group model: if the symmetric cipher is semantically secure under chosen-plaintext attack and the hash function is ideal, then ECIES is IND-CCA2 secure; but elliptic curve groups have special properties that the generic group model ignores, so this can only be regarded as a theoretical conclusion. The NTT laboratory of Nippon Telegraph and Telephone Public Corporation constructed a series of provably secure elliptic curve encryption schemes: PSEC-1 (variant 1 of PSEC; PSEC is the provably secure elliptic curve encryption scheme, short for Provably Secure Elliptic Curve encryption scheme), PSEC-2 (variant 2 of PSEC) and PSEC-3 (variant 3 of PSEC). In the random oracle model, PSEC-1 is IND-CCA2 secure if the elliptic curve decision Diffie-Hellman problem ECDDHP (Elliptic Curve Decision Diffie-Hellman Problem) is hard; PSEC-2 with padding is IND-CCA2 secure if the elliptic curve computational Diffie-Hellman problem (ECCDHP) is hard; PSEC-2 with a symmetric cipher is IND-CCA2 secure if ECCDHP is hard and the symmetric cipher is secure against passive attack; and PSEC-3 is IND-CCA2 secure if the elliptic curve gap Diffie-Hellman problem (ECGDHP) is hard. All of them were submitted to NESSIE, but because NTT subsequently proposed a key encapsulation mechanism based on PSEC, PSEC-KEM (PSEC Key Encapsulation Mechanism), PSEC-1 and PSEC-2 were withdrawn.
The ECIES system, PSEC-2 and PSEC-3 are all hybrid encryption systems, that is, they contain a symmetric cipher; their ciphertext sizes are respectively three times, three times and four times the plaintext size (taking the ciphertext size of the symmetric cipher to equal its plaintext size, the output size of the hash function to equal the security parameter, and elliptic curve point compression to be used). PSEC-1 needs no symmetric cipher, but its security rests on the premise that ECDDHP is hard; if ECCDHP can be solved then ECDDHP can certainly be solved, so this premise is not as strong as the hardness of ECCDHP, and security based on the hardness of ECDDHP is not as strong as security based on the hardness of ECCDHP.
Summary of the invention
One object of the present invention is to provide a data encryption method: an elliptic curve encryption scheme based on a pseudo-addition operation, with a new plaintext-embedding mode, that is semantically secure under adaptive chosen-ciphertext attack.
Another object of the present invention is to provide a data decryption method, namely one that decrypts data encrypted with the above encryption method and recovers the original data before encryption.
When the sender transmits data to the receiver, the data to be sent are encrypted according to the pseudo-addition encryption method as follows:
First, choose an integer k at random such that 1 < k < n;
Then compute F(k), F(k)P and F(k)Q_A, where F(k) is the hash value of k, F(k)P is the F(k)-th multiple of the elliptic curve point P, and F(k)Q_A is the F(k)-th multiple of the elliptic curve point Q_A; F(k) is a positive integer less than n, and F(k)P and F(k)Q_A are points on the elliptic curve;
The data to be encrypted are further processed according to the formula
m' = m || 0^{λ'},
where m is the data to be encrypted, m' is the intermediate data formed during encryption, and λ' is the number of 0s appended. λ' can be obtained in several ways, for example as one third of the security parameter. The security parameter here is a numerical measure of the inherent security of the cryptographic algorithm; for example, 192 bits is a security parameter safer than that of 1024-bit RSA;
Then compute G(k). If x(F(k)Q_A) = m' ⊕ G(k), choose the integer k again and repeat the above steps; otherwise begin the step of computing the ciphertext. Here G(k) is the hash value of k, and x(F(k)Q_A) is the x-coordinate of the elliptic curve point F(k)Q_A;
Finally, compute the ciphertext C according to the formula
C = (C_1, C_2) = (F(k)P, F(k)Q_A + (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k)),
where the ciphertext C has two elements C_1 and C_2, C_1 = F(k)P, C_2 = F(k)Q_A + (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k), and H(m' ⊕ G(k)) is the hash value of m' ⊕ G(k);
If the x-coordinate of C_2 belongs to the set {m' ⊕ G(k), x(F(k)Q_A)}, choose the integer k again and repeat the above steps; otherwise output the ciphertext C.
So that the side receiving the encrypted data can recover it after receiving data encrypted with the above encryption method, the present invention also provides the corresponding decryption method. For the ciphertext C described above, the concrete decryption steps are as follows:
First compute Q' = d_A C_1. If x(Q') = x(C_2), reject the ciphertext. Here Q' is an elliptic curve point, d_A is the private key of the decrypting side, and x(Q') and x(C_2) are the x-coordinates of Q' and C_2 respectively;
Then compute (M, r) = C_2 − Q'. If M = x(C_2) or M = x(Q'), reject the ciphertext. Here M and r are respectively the x-coordinate and the y-coordinate of a point on the affine plane;
Further compute f = H(M) ⊕ r, where H(M) is the hash value of M. If F(f)P = C_1 and the last λ' bits of M are 0, then the received plaintext m is the first λ − λ' bits of M (the embodiment below first removes the mask G(f) from M before this check); otherwise reject. Here F(f)P is the F(f)-th multiple of the elliptic curve point P, λ' is the number of 0s appended during encryption, and λ is the security parameter, which can essentially be regarded as the length of M above.
The present invention makes full use of the properties of pseudo-addition to obtain a new plaintext-embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack; these features are also its greatest differences from traditional elliptic curve cryptosystems. The present invention gives a very concise plaintext-embedding mode and can verify the legitimacy of the ciphertext during decryption, thereby providing a higher level of data security. For the encryption and decryption of data, the present invention is semantically more secure under adaptive chosen-ciphertext attack than existing elliptic-curve-based encryption and decryption processing.
Embodiment
The present invention is described in further detail below with reference to a specific embodiment:
Before giving the concrete encryption scheme, the pseudo-addition operation is described first. On the affine plane F_p^2, two points with different x-coordinates uniquely determine a Weierstrass equation Y^2 = X^3 + a_4 X + a_6 on that plane, where X and Y are variables, a_4 and a_6 are elements of the field F_p, and p is a large prime. If the cubic curve so determined is an elliptic curve, then the coordinates of the sum of the two points are completely determined by the two points themselves.
The present invention uses this property and defines a new operation: pseudo-addition.
Let P_1 = (x_1, y_1) and P_2 = (x_2, y_2) be two points on the affine plane F_p^2 with x_1 ≠ x_2. The pseudo-addition operation is defined as follows:
1. P_1 + P_2 = P_3 = (x_3, y_3), where x_3 and y_3 satisfy
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,\qquad y_3 = \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3) - y_1$$
2. −P_1 = (x_1, −y_1)
3. P_1 − P_2 = P_1 + (−P_2)
Let P and Q be two points on the affine plane F_p^2 with different x-coordinates. Then P and Q uniquely determine an affine curve E(P, Q): Y^2 = X^3 + aX + b such that P and Q are points on this curve, where a and b are elements of the field F_p uniquely determined by the points P and Q with different x-coordinates; F_p is the finite field with p elements, p is a prime, and P is a point whose two coordinates are elements of F_p. Here a doubling operation is additionally defined for all non-singular points on the curve E(P, Q); its formula is identical to the point doubling formula of an elliptic curve:
If the curve is E(P, Q): Y^2 = X^3 + aX + b and P_1 = (x_1, y_1) is a non-singular point on this curve, then 2P_1 = (x_3, y_3), where
$$x_3 = \lambda^2 - 2x_1,\qquad y_3 = \lambda(x_1 - x_3) - y_1,\qquad \lambda = \frac{3x_1^2 + a}{2y_1}$$
If 4a^3 + 27b^2 ≠ 0 mod p, then this curve is an elliptic curve, the pseudo-addition "+" defined above is the addition of elliptic curve points, all rational points on the elliptic curve form a group under the "+" operation and doubling, the point at infinity O is its zero element, and "−" is the inverse operation of "+". If 4a^3 + 27b^2 = 0 mod p, then the curve is singular and has exactly one singular point; all its non-singular points still form a group under the "+" operation and doubling, the point at infinity O is its zero element, and "−" is the inverse operation of "+".
From the properties of the operation it follows that, if and only if P and Q are both non-singular points on E(P, Q) and the x-coordinates of R (= P + Q), P and Q are pairwise different, one can obtain Q (= R − P) from R and P without knowing the concrete equation of the curve E(P, Q) determined by P and Q. Note that the x-coordinates of R, P and Q being pairwise different already implies that P and Q are both non-singular, and the probability that P and Q are both non-singular is at least 1 − 6/(p − 1), where p is a large prime. That is to say: for two points P and Q with different x-coordinates, writing R = P + Q, any one of the three points can be computed from the other two with probability 1 − 6/(p − 1). The present invention makes full use of this property to obtain a new plaintext-embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack, which are also its greatest differences from traditional elliptic curve cryptosystems.
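The recovery property just described (R = P + Q computed by pseudo-addition, then Q = R − P recovered from R and P alone), as an added example that is not part of the patent; the prime p = 97 and the sample points are constructed, and curve_through, on_curve, is_singular and demo are this example's own helper names:

```python
"""Pseudo-addition on the affine plane F_p^2 as defined in the patent: the
chord formula applied to any two points with different x-coordinates.
Added example, not the patent's code; p and the sample points are constructed."""

p = 97  # small prime, constructed for illustration only

def pseudo_add(P1, P2):
    """P1 + P2 by the chord formula; requires x1 != x2 (mod p)."""
    (x1, y1), (x2, y2) = P1, P2
    if (x1 - x2) % p == 0:
        raise ValueError("pseudo-addition needs distinct x-coordinates")
    lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def neg(P1):
    """-P1 = (x1, -y1)."""
    return (P1[0], (-P1[1]) % p)

def pseudo_sub(P1, P2):
    """P1 - P2 = P1 + (-P2)."""
    return pseudo_add(P1, neg(P2))

def curve_through(P1, P2):
    """Coefficients (a, b) of the unique Y^2 = X^3 + aX + b through P1, P2.
    y_i^2 - x_i^3 = a x_i + b (i = 1, 2) is linear in (a, b) and has a unique
    solution exactly when x1 != x2, which is why pseudo-addition needs it."""
    (x1, y1), (x2, y2) = P1, P2
    t1 = (y1 * y1 - x1 ** 3) % p
    t2 = (y2 * y2 - x2 ** 3) % p
    a = (t1 - t2) * pow(x1 - x2, -1, p) % p
    b = (t1 - a * x1) % p
    return a, b

def on_curve(Q, a, b):
    x, y = Q
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def is_singular(a, b):
    """The cubic is an elliptic curve iff 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b * b) % p == 0

def demo(P1, P2):
    """R = P1 + P2 lies on the curve E(P1, P2) the operands determine, and
    P2 = R - P1 is recovered from R and P1 without knowing a or b."""
    a, b = curve_through(P1, P2)
    R = pseudo_add(P1, P2)
    return {
        "curve": (a, b),
        "singular": is_singular(a, b),
        "R": R,
        "R_on_curve": on_curve(R, a, b),
        "recovered": pseudo_sub(R, P1),
    }

if __name__ == "__main__":
    print(demo((3, 5), (10, 7)))
```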
Let E: Y^2 = X^3 + aX + b be an elliptic curve over the finite field F_p, and let E(F_p) denote the group formed by all F_p-rational points of E together with O. For any point P in E(F_p) there is a least integer n such that nP = O, called the order of P; the point P then generates a cyclic group of order n. The vast majority of elliptic curve public-key cryptosystems are built on the cyclic group generated by a point whose order is a large prime; that point is called the base point. Unless otherwise stated below, capital letters denote points on the curve, lowercase letters denote elements of the finite field, x(P) and y(P) denote the x-coordinate and y-coordinate of the point P, addition of distinct points is the pseudo-addition above, and doubling is the doubling defined on the elliptic curve.
Let the system parameters be (p, a, b, P, n), where p is a large prime determined by the required security strength, i.e. the security parameter λ; a and b are elements of the finite field F_p and determine an elliptic curve E: Y^2 = X^3 + aX + b; P is an F_p-rational point of E whose order is n, and n is a large prime comparable in size to p. Each user A has its own user parameters (SK_A, PK_A) = (d_A, Q_A), where Q_A = d_A P and d_A is a positive integer less than n; d_A and Q_A are called the private key and the public key of user A. The public key is public and can be known by anyone; the private key is private and known only to user A. H(·), F(·) and G(·) are all hash functions {0,1}^λ → {0,1}^λ; λ' is any integer such that 1/2^{λ'} is a negligible function of λ, and here we may take λ' = λ/4. In the implementation of the system, to reduce the possibility of values going out of range, the highest 8 bits of every hash value are forced to be 0.
If user B wants to send a message m ∈ {0,1}^{λ−λ'} to user A, then user B performs the following encryption operation:
First choose an integer k at random with 1 < k < n; compute the hash value F(k) of k, the F(k)-th multiple F(k)P of the elliptic curve point P, denoted C_1, and the F(k)-th multiple F(k)Q_A of the elliptic curve point Q_A; append λ' zeros after m to obtain m', i.e. m' = m || 0^{λ'}; compute the hash value G(k) of k, and if the x-coordinate x(F(k)Q_A) of F(k)Q_A equals m' ⊕ G(k), go back and choose the integer k again; finally compute the ciphertext C = (C_1, C_2) = (C_1, F(k)Q_A + (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k)); if the x-coordinate of the affine plane point C_2 belongs to the set {m' ⊕ G(k), x(F(k)Q_A)}, go back and choose the integer k again; otherwise output the ciphertext C.
After user A receives the ciphertext C sent by user B, A performs the following decryption operation to recover the plaintext m:
1. First compute the d_A-th multiple d_A C_1 of the elliptic curve point C_1, denoted Q'; if x(Q') = x(C_2), reject;
2. Then compute the point C_2 − Q' on the affine plane, denoted (M, r), where M and r are elements of the finite field F_p; if M = x(C_2) or M = x(Q'), reject;
3. Further compute H(M) ⊕ r, denoted f;
4. If the F(f)-th multiple F(f)P of the elliptic curve point P equals the elliptic curve point C_1 and the last λ' bits of M ⊕ G(f) are 0, then the received plaintext m is the first λ − λ' bits of M ⊕ G(f); otherwise reject.
Below is the mathematical argument that encrypting data with the present invention achieves high security:
Suppose the order of the elliptic curve group is approximately p, and that for half of the values m, m^3 + am + b is a quadratic residue modulo p. The following conclusions then show that the probability that the encryption process returns to step 1 is very small.
Lemma 1. For randomly chosen k and m, the probability that x(kQ_A) = m is at most 2/p.
Lemma 2. Let R = kP + (m, Hash(m) ⊕ k), where x(kP) ≠ m. Then the probability that x(R) ∈ {m, x(kP)} is negligible.
Proof. Suppose kP = (c, d); then d^2 = c^3 + ac + b, and c and d are completely determined by k. Below Hash(·) is abbreviated as h(·). If x(R) = m, the pseudo-addition formula gives
$$m = \left(\frac{h(m)\oplus k - d}{m - c}\right)^2 - m - c$$
Using the relation d^2 = c^3 + ac + b to replace d in this equation gives
$$(h(m)\oplus k)^4 + (h(m)\oplus k)^2\,(6m^2c - 4m^3 + 2ac + 2b) - 4\,(h(m)\oplus k)\,(c^3 + ac + b) + 4m^6 - 12m^5c - 9m^2c^2 - 4m^3(ac + b) + 6m^2(ac + b) + a^2c^2 + b^2 + 2abc = 0$$
If for a given k the probability that this equation holds were non-negligible, the hash function h(·) would satisfy the equation with non-negligible probability; then, with k fixed, for a hash value e satisfying the equation one could take m as the unknown and obtain a preimage of e by solving the sextic equation. In other words, if for a given k the equation held with non-negligible probability, the hash function h(·) would not meet the one-way requirement. Hence for any k the probability that the equation holds is negligible, and so the probability that x(R) = m is negligible. If x(R) = c, one obtains in the same way
$$\bigl((h(m)\oplus k)^2 + c^3 + ac + b - m^3 - 2m^2c + 3mc^2\bigr)^2 = 4\,(h(m)\oplus k)^2\,(c^3 + ac + b)$$
Because the hash function h(·) is one-way, the probability that this equation holds is likewise negligible. From the above, the probability that x(R) ∈ {m, x(kP)} is negligible.
The lemmas above show that the probability that the encryption process returns to step 1 is negligible, and encryption and decryption each need only two elliptic curve scalar multiplications and one pseudo-addition, so the encryption method of the present invention can be considered effective; its rationale is evident. Referring to the IEEE P1363 standard, if point compression is used, the ciphertext produced by this system has a threefold plaintext expansion, i.e. the ciphertext size is three times the plaintext size.
Because pseudo-addition of two distinct points does not depend on the curve itself, the above method changes the plaintext-embedding mode of the ElGamal encryption system: m is embedded into the point (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k) rather than into a point on the elliptic curve determined by the system parameters. This makes plaintext embedding very natural and simple. In addition, this system has the following features: step 4 of the decryption process can verify the legitimacy of the ciphertext, which makes forging a legitimate ciphertext very difficult (except by choosing a plaintext); and it computes in different elliptic curve groups, that is, besides the elliptic curve determined by the system parameters there is the curve determined by F(k)Q_A and (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k), which changes with m and k, so that without knowing the private key of user A the elliptic curve group in which the current computation takes place cannot be known.
The encryption time complexity of the above encryption system is 2 scalar multiplications, comparable to the efficiency of the ElGamal system; the time complexity of decryption with verification is 2 scalar multiplications, one scalar multiplication more than the ElGamal system, and without verification the efficiency is comparable. If point compression is used, it has a threefold plaintext expansion. For ease of description only the system over a base field of large prime characteristic is given here; for characteristic 2, the pseudo-addition and the description of the system are very similar.
This encryption system is a variant of the ElGamal system, and its security rests on the elliptic curve computational Diffie-Hellman problem (ECCDHP). It gives a very concise plaintext-embedding mode and can verify the legitimacy of the ciphertext, thereby providing a higher level of security. In the random oracle model it has been proved that this encryption system is semantically secure under adaptive chosen-ciphertext attack (IND-CCA2).
In the random oracle model, it has been proved that if the elliptic curve computational Diffie-Hellman problem (ECCDHP) is hard then this encryption system is semantically secure under adaptive chosen-ciphertext attack (IND-CCA2); because this proof is based on ECCDHP, its security may be higher than that of PSEC-1. It is not a hybrid encryption system: its operations comprise only elliptic curve scalar multiplication, the pseudo-addition operation and hash functions, and no symmetric cipher is needed. Using the brand-new pseudo-addition operation, this encryption system embeds the plaintext into the x-coordinate of a point on the affine plane, giving a very concise plaintext-embedding mode, and can verify the legitimacy of the ciphertext.
In implementing this cryptosystem, the first issue faced is the choice of the system parameters (p, a, b, P, n). From a security standpoint, to resist some known attack algorithms, the system parameters can be specially restricted:
1. n > 2^160 and $n > 4\sqrt{p}$;
2. the elliptic curve is non-supersingular, i.e. p does not divide p + 1 − #E(F_p);
3. the order n of the base point P does not divide p^k − 1 for 1 ≤ k ≤ C, where in practice C = 20 is usually taken;
4. the elliptic curve is non-anomalous, i.e. #E(F_p) ≠ p.
This embodiment takes the base field F_p to be a finite field recommended by the IEEE P1363 standard, takes the hash functions G(·), F(·) and H(·) to be SHA1 with the highest 8 bits of each hash value forced to 0, and takes the bit length of the large prime p to be λ. The elliptic curve parameters a and b are chosen at random, the order is computed with the SEA algorithm, and an elliptic curve satisfying the above requirements is then taken as the system parameters. A concrete implementation of the present invention needs rational point arithmetic on the elliptic curve, the pseudo-addition operation, the elliptic curve point doubling algorithm and scalar multiplication of elliptic curve points; each algorithm is given below in turn.
Since the pseudo-addition operation is identical to the rational point arithmetic for two elliptic curve points with different x-coordinates, it is not listed separately.
In the specific embodiment of the present invention, the key generation process is as follows:
1. Choose an integer d_A at random, 1 < d_A < n, and compute Q_A = d_A P using NAF encoding and the scalar multiplication method;
2. Take d_A as the private key and Q_A as the public key.
The concrete encryption steps are: split the message data m into groups m_1 m_2 ... m_d of 3λ/4 bits each and encrypt one group at a time; for example, one group m is encrypted and then transmitted as follows:
2.1 Look up the public key Q_A;
2.2 Choose a random number k, 1 < k < n;
2.3 Compute f = SHA1(k);
2.4 Compute fP using NAF encoding and the scalar multiplication method, denoted C_1;
2.5 Convert m into the field element m' = m || 0^{λ/4};
2.6 Compute fQ_A using NAF encoding and the scalar multiplication method, denoted Q'; if x(Q') equals m' ⊕ f, go to 2.2;
2.7 Compute Q' + (m' ⊕ f, SHA1(m' ⊕ f) ⊕ k) using rational point arithmetic, denoted C_2; if x(C_2), x(Q') and m' ⊕ f are pairwise different, send the encrypted data (C_1, C_2); otherwise return to 2.2.
Decryption process: after receiving the encrypted data (C_1, C_2), carry out the following decryption process:
3.1 Compute the point Q' = d_A C_1 using NAF encoding and the scalar multiplication method; if x(Q') equals x(C_2), reject;
3.2 Compute (M, r) = C_2 − Q' using rational point arithmetic; if M equals x(C_2) or x(Q'), reject;
3.3 Compute k = SHA1(M) ⊕ r;
3.4 Compute f = SHA1(k);
3.5 Compute m' = M ⊕ f;
3.6 Compute fP using NAF encoding and the scalar multiplication method; if fP equals C_1 and the last λ/4 bits of m' are 0, then the received plaintext m is the first 3λ/4 bits of m'; otherwise reject.
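The encryption steps 2.1 to 2.7 and decryption steps 3.1 to 3.6 (the scheme of the summary above) as one complete toy implementation, added here and not the patent's own code. It assumes secp256k1 as the system curve with λ = 256 and λ' = λ/4 = 64, SHA-256 with a one-byte domain tag in place of F, G and H (the embodiment uses SHA1 for all three), and the top 8 bits of every hash value forced to zero; keygen, encrypt, decrypt and roundtrip are this example's own names.

```python
"""Toy end-to-end implementation of the pseudo-addition scheme (steps 2.1-2.7
and 3.1-3.6).  Added example, not the patent's code.  Assumed, not from the
page: secp256k1 as system curve (lambda = 256, lambda' = 64) and SHA-256 with
a one-byte domain tag standing in for F, G and H."""
import hashlib
import secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7                                  # y^2 = x^3 + A x + B
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None                                     # point at infinity
LAM, LAM1 = 256, 64                          # lambda and lambda'

def hfun(tag, v):
    """Hash a lambda-bit integer to lambda bits; top 8 bits forced to zero."""
    d = hashlib.sha256(tag + v.to_bytes(LAM // 8, "big")).digest()
    return int.from_bytes(d, "big") & ((1 << (LAM - 8)) - 1)

def F(v): return hfun(b"F", v)
def G(v): return hfun(b"G", v)
def H(v): return hfun(b"H", v)

def pseudo_add(P1, P2):
    """Chord formula on two affine points with x1 != x2 (the patent's '+')."""
    (x1, y1), (x2, y2) = P1, P2
    lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(Q):
    return (Q[0], (-Q[1]) % p)

def ec_add(P1, P2):
    """Group law on the system curve: pseudo-addition plus the special cases."""
    if P1 is O: return P2
    if P2 is O: return P1
    if P1[0] != P2[0]:
        return pseudo_add(P1, P2)
    if (P1[1] + P2[1]) % p == 0:
        return O
    lam = (3 * P1[0] * P1[0] + A) * pow(2 * P1[1], -1, p) % p
    x3 = (lam * lam - 2 * P1[0]) % p
    return (x3, (lam * (P1[0] - x3) - P1[1]) % p)

def mul(k, Q):
    """Scalar multiplication kQ by plain double-and-add."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, Q)
    return R

def keygen():
    d = secrets.randbelow(n - 2) + 2         # private key d_A, 1 < d_A < n
    return d, mul(d, P)                      # (d_A, Q_A)

def encrypt(QA, m):
    """Encrypt a (lambda - lambda')-bit integer m under public key QA."""
    assert 0 <= m < (1 << (LAM - LAM1))
    m1 = m << LAM1                           # m' = m || 0^{lambda'}
    while True:
        k = secrets.randbelow(n - 2) + 2     # 1 < k < n
        C1 = mul(F(k), P)
        T = mul(F(k), QA)                    # F(k) Q_A
        X = m1 ^ G(k)                        # x-coordinate carrying m'
        if X == T[0]:
            continue                         # pseudo-addition undefined: new k
        C2 = pseudo_add(T, (X, H(X) ^ k))
        if C2[0] in (X, T[0]):
            continue                         # receiver could not undo it: new k
        return (C1, C2)

def decrypt(dA, C):
    """Return m, or None when the ciphertext fails any validity check."""
    C1, C2 = C
    Qp = mul(dA, C1)                         # Q' = d_A C1 = F(k) Q_A
    if Qp is O or Qp[0] == C2[0]:
        return None
    M, r = pseudo_add(C2, neg(Qp))           # (M, r) = C2 - Q'
    if M in (C2[0], Qp[0]):
        return None
    k = H(M) ^ r                             # recovers the sender's k
    if mul(F(k), P) != C1:
        return None                          # ciphertext is not well-formed
    m1 = M ^ G(k)
    if m1 & ((1 << LAM1) - 1):
        return None                          # trailing lambda' bits must be 0
    return m1 >> LAM1

def roundtrip(m, tamper=False):
    """Key generation, encryption and decryption in one call."""
    dA, QA = keygen()
    C1, C2 = encrypt(QA, m)
    if tamper:
        C2 = (C2[0], (C2[1] + 1) % p)        # C2 modified in transit
    return decrypt(dA, (C1, C2))
```

The tampered ciphertext is refused at the F(k)P = C_1 check of step 3.6 rather than yielding garbage, which is the legitimacy verification the text describes.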
The rational point arithmetic mentioned above is as follows:
Input: the elliptic curve y^2 = x^3 + ax + b and two points P_0 = (x_0, y_0) and P_1 = (x_1, y_1) on this curve;
A1. If P_0 = O, output the point P_2 = P_1;
A2. If P_1 = O, output the point P_2 = P_0;
A3. If x_0 ≠ x_1:
A3.1 compute λ ← (y_0 − y_1)/(x_0 − x_1) mod p, i.e. assign (y_0 − y_1)/(x_0 − x_1) mod p to λ;
A3.2 go to step A7;
A4. If y_0 ≠ y_1, output P_2 ← O;
A5. If y_0 = 0, output P_2 ← O;
A6. Compute λ ← (3x_1^2 + a)/(2y_1) mod p;
A7. Compute x_2 ← λ^2 − x_0 − x_1 mod p;
A8. Compute y_2 ← (x_1 − x_2)λ − y_1 mod p;
A9. Output P_2 ← (x_2, y_2).
Note: to subtract a point P = (x, y), add the point −P = (x, −y).
The point doubling algorithm on the above elliptic curve is as follows:
Input: the elliptic curve E and a point P = (X_1, Y_1, Z_1) on E in projective coordinates, P ≠ O
Output: (X_3, Y_3, Z_3) = 2P
B1. Compute λ_1 ← 3X_1^2 + aZ_1^4
B2. Compute Z_3 ← 2Y_1 Z_1
B3. Compute λ_2 ← 4X_1 Y_1^2
B4. Compute X_3 ← λ_1^2 − 2λ_2
B5. Compute λ_3 ← 8Y_1^4
B6. Compute Y_3 ← λ_1(λ_2 − X_3) − λ_3
B7. Output (X_3, Y_3, Z_3)
The above NAF encoding algorithm is as follows:
Input: an integer $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$.
Output: NAF $k = \sum_{i=0}^{l} s_i 2^i$, $s_i \in \{-1, 0, 1\}$
C1. c_0 ← 0, k_l ← 0, k_{l+1} ← 0;
C2. j ← 0;
C3. If j ≠ l + 1:
C3.1 compute the carry c_{j+1} (the formula is given only as Figure A20041009156300153 in the original and is not reproduced here);
C3.2 compute s_j ← k_j + c_j − 2c_{j+1};
C3.3 compute j = j + 1;
C3.4 go to step C3;
C4. Output (s_l s_{l−1} ... s_1 s_0)_2.
The above NAF scalar multiplication method is as follows:
Input: a point P on the elliptic curve and the NAF (s_l s_{l−1} ... s_1 s_0)_2 of the integer k, s_l = 1;
Output: Q = kP;
D1. Q ← O;
D2. j ← l;
D3. If j ≠ −1:
D3.1 compute Q ← 2Q;
D3.2 if s_j = 1, compute Q ← Q + P;
D3.3 if s_j = −1, compute Q ← Q − P;
D3.4 compute j = j − 1;
D3.5 go to step D3;
D4. Output Q.
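The NAF encoding of steps C1 to C4 and the scalar multiplication loop of D1 to D4, as an added example that is not the patent's code. The carry rule of step C3.1 appears on the page only as a figure, so the standard rule c_{j+1} = ⌊(k_j + k_{j+1} + c_j)/2⌋ is assumed; the group operations are passed in as functions, so the same loop is checked against modular exponentiation, where doubling is squaring and −P is the modular inverse (naf, naf_mul, is_naf, naf_value, nonzero_count and mod_exp_naf are this example's names):

```python
"""NAF encoding (C1-C4) and NAF scalar multiplication (D1-D4) from the
patent, as an added example.  The carry rule of C3.1 is assumed to be the
standard one, since the page gives it only as a figure."""

def naf(k):
    """Return [s_0, ..., s_l] with k = sum s_i 2^i, s_i in {-1, 0, 1} and
    no two adjacent digits nonzero; the top digit is 1 (or [0] for k = 0)."""
    if k == 0:
        return [0]
    bits = [(k >> j) & 1 for j in range(k.bit_length())]   # k_0 .. k_{l-1}
    l = len(bits)
    bits += [0, 0]                         # C1: k_l = k_{l+1} = 0
    c = [0] * (l + 2)                      # C1: c_0 = 0
    s = []
    for j in range(l + 1):                 # C2/C3: j = 0 .. l
        c[j + 1] = (bits[j] + bits[j + 1] + c[j]) // 2     # C3.1 (assumed)
        s.append(bits[j] + c[j] - 2 * c[j + 1])            # C3.2
    while len(s) > 1 and s[-1] == 0:       # drop an unused top digit
        s.pop()
    return s                               # C4, stored s_0 first

def naf_mul(k, P, dbl, add, neg, identity):
    """Q = kP by the NAF double-and-add/subtract loop (D1-D4) over any group
    given by its doubling, addition, negation and identity."""
    Q = identity                           # D1
    for s_j in reversed(naf(k)):           # D2/D3: j = l down to 0
        Q = dbl(Q)                         # D3.1
        if s_j == 1:
            Q = add(Q, P)                  # D3.2
        elif s_j == -1:
            Q = add(Q, neg(P))             # D3.3: Q <- Q - P
    return Q                               # D4

def is_naf(digits):
    """Digits in {-1, 0, 1} with no two adjacent nonzero digits."""
    return all(d in (-1, 0, 1) for d in digits) and all(
        not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))

def naf_value(digits):
    """Integer represented by [s_0, ..., s_l]."""
    return sum(d << i for i, d in enumerate(digits))

def nonzero_count(k):
    """(nonzero bits of k, nonzero NAF digits of k): the saving behind NAF,
    since each nonzero digit costs one group addition in naf_mul."""
    return bin(k).count("1"), sum(1 for d in naf(k) if d)

def mod_exp_naf(g, k, q):
    """g^k mod q through naf_mul: doubling is squaring, addition is
    multiplication and -P is the modular inverse of g."""
    return naf_mul(k, g, lambda x: x * x % q, lambda x, y: x * y % q,
                   lambda x: pow(x, -1, q), 1)
```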
The algorithms above give an embodiment of the elliptic curve cryptosystem described in the invention; below is a set of test data obtained by running it in this mode, where every value is expressed in hexadecimal.
System parameters:
λ:192
p:fffffffffffffffffffffffffffffffeffffffffffffffff
a:fffffffffffffffffffffffffffffffefffffffffffffffc
b:02d5134233c1f7f4f50706f02882d85e767294c7230612c2
P.x:df00000129200001db000001ffbe800169ea40011de3ec01
P.y:46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881f
n:fffffffffffffffffffffffe75432f994b9b16ef54c39393
d_A:83cedad356f4f6cf573ff873b789add938df2ec7d5d2753b
Q_A.x:1f18bcacb74087835ae629a87968f0d57adb39110ec1fd70
Q_A.y:53b96505a207de2442510c7f01c80c4cffcdaf40099fa0a1
When encrypting:
m:00000000000000000313233343536373839
m’:00000000000000000313233343536373839000000000000
k:9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f:09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
C1.x:362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
C1.y:f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
fQ_A.x:fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
fQ_A.y:91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
m'⊕f:09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
SHA1(m'⊕f)⊕k:
92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
C2.x:6edaa4c686f938464514b379720f10dd4ba8a353e1a9e6de
C2.y:2f47f3be8875cc0417fbfacf87993ea4893595ddf610b43
After decryption:
Q′.x:fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
Q′.y:91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
M:09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
r:92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
SHA1(M):0475dd35cdf0845f4db2b702644a1cdbde621b3e3201f4b
k:9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f=SHA1(k):09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
m’f:00000000000000000313233343536373839000000000000
fP.x:362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
fP.y:f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
m:00000000000000000313233343536373839;
On a computer with an Intel Pentium IV 1.7 GHz processor and 256 MB of memory, running the Windows 98 operating system, the system was implemented in the ANSI C programming language over finite fields of characteristic p and of characteristic 2, with p = 2^192 − 2^64 − 1 and F_2^m, m = 193, generator polynomial f(x) = x^193 + x^15 + 1. The implementation efficiency is shown in the following table:
Content                             *F_p    F_p    *F_2^m   F_2^m
Key generation                      1.21    5.43    0.67    2.48
Encryption                          6.70   10.95    3.29    5.43
ECES encryption                     6.76   10.53    3.20    5.26
Decryption                          6.50   11.57    3.12    5.42
Decryption (without verification)   5.26    5.95    2.59    2.45
ECES decryption                     5.51    5.48    2.62    2.53
Scalar multiplication               1.20    5.32    0.65    2.39
Each figure in the table is the time for 1000 executions, in seconds; the columns marked * are the speeds when precomputation is allowed.
If the F_p arithmetic is written in assembly language, a 192-bit scalar multiplication takes 1.81 seconds (per 1000 executions). The following table lists the speeds for p = 2^256, per 1000 executions, in seconds:
Content                             ANSI C   Assembly
Key generation                        2.25     0.93
Encryption                           18.93     6.35
Decryption                           18.64     6.35
Decryption (without verification)    16.2      5.43
The encryption/decryption efficiency on a microcontroller of the MCS51 type is shown in the following table. Main memory configuration of the MCS51: 256 B of internal RAM, 64 KB of external RAM, 64 KB of program ROM; clock rate 1 M clock cycles per second (crystal frequency 12 MHz). The fields are F_p with p = 2^192 − 2^64 − 1 and F_2^m with m = 193 and generator polynomial x^193 + x^15 + 1.
Function                                         F_p (s/op)   F_2^m (s/op)
Key generation                                      4.89         4.34
Encryption                                         25.32        20.84
ECES encryption                                    25.19        20.74
Decryption (without verification)                  20.43        16.21
ECES decryption                                    20.42        16.21
Decryption (with storage)                          25.33        20.10
Scalar multiplication (with precomputed values)     4.77         4.32
Scalar multiplication (without precomputed values) 19.96        16.4
Note: for F_p, external RAM usage is 1.5 K and ROM usage is 9 K of program plus 6 K of precomputed values; for F_2^m, external RAM usage is 2 K (with precomputed values) or 1.2 K (without), and ROM usage is 7 K of program plus 6 K of precomputed values.
Below, a detailed proof is given that this encryption system is semantically secure under adaptive chosen-ciphertext attack.
1. Security definitions
Suppose A is a probabilistic algorithm. Then A(x_1, x_2, ...; r) denotes the output of A on inputs x_1, x_2, ... when its random coins are r; y ← A(x_1, x_2, ...) denotes choosing r at random and setting y = A(x_1, x_2, ...; r); if there exists an r such that A(x_1, x_2, ...; r) = y, then y is called an output of A(x_1, x_2, ...). If S is a finite set, x ← S denotes choosing x from S uniformly at random; if a is neither a set nor an algorithm, x ← a denotes assigning the value a to x.
Definition 1. A public-key encryption system is a triple of algorithms PE = (KG, Enc, Dec), where
KG, the key generation algorithm, is a probabilistic algorithm that takes the security parameter 1^λ (λ ∈ N) as input and outputs a public/private key pair (pk, sk);
Enc, the encryption algorithm, is a probabilistic algorithm that takes the public key pk and a plaintext x ∈ {0,1}* as input and outputs a ciphertext y;
Dec, the decryption algorithm, is a deterministic algorithm that takes the private key sk and a ciphertext y as input and outputs either a plaintext x ∈ {0,1}* or the special symbol ⊥, which indicates that the input is not a valid ciphertext, that is, there is no x ∈ {0,1}* whose ciphertext is y.
For any key pair (pk, sk) produced by the key generation algorithm and any plaintext x ∈ {0,1}*, if y is an output of Enc_pk(x), then necessarily Dec_sk(y) = x. Since a public-key encryption system must protect information that is actually transmitted, all three algorithms KG, Enc and Dec are polynomial-time in the security parameter.
The security of a public-key encryption system is defined by first considering separately the goals an attacker may pursue (goals) and the attack models available to the attacker (attack model), and then obtaining security notions of various levels by combining an attack model with an attack goal.
According to the attack goal, the security analysis of a system mainly considers one-wayness (OW), semantic security (SS), indistinguishability of encryptions (IND) and non-malleability (NM). Briefly, one-wayness means that, given a target ciphertext y, it is very hard to find the corresponding plaintext x = Dec_sk(y); semantic security means that obtaining any information about the plaintext x from the target ciphertext y is computationally infeasible; indistinguishability means that, given two plaintexts and the ciphertext of one of them, one cannot tell which plaintext the ciphertext corresponds to. Indistinguishability and semantic security can both be regarded as strengthenings of one-wayness, and all three fall under the traditional confidentiality requirement; one-wayness is the minimum requirement for a secure encryption system, and a system that is indistinguishable or semantically secure is necessarily one-way, so one-wayness is not discussed further here. Non-malleability means that it is hard, starting from a target ciphertext y, to produce a different ciphertext y' whose plaintext x' has a "meaningful relation" to the plaintext x of y (for example x' = x + 1); it captures the practical idea of tamper-resistance of ciphertexts.
The attack model describes the abilities of the attacker and is divided into chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1) and adaptive chosen-ciphertext attack (CCA2). CPA gives the attacker the right to freely choose plaintexts and obtain the corresponding ciphertexts; for a public-key encryption system, an attacker who knows the public key already has this ability. The formal definition of CCA1 was given by Naor and Yung: besides knowing the public key, the attacker may access a decryption oracle (an external device that runs the decryption algorithm), but only before obtaining the target ciphertext (non-adaptive means that the queries to the decryption oracle do not depend on the target ciphertext); because of this, non-adaptive chosen-ciphertext attack is also called a midnight attack or a lunchtime attack (lunch-break attack). CCA2 was proposed by Rackoff and Simon: the attacker knows the public key and may access the decryption oracle without restriction, even after obtaining the target ciphertext, except that the target ciphertext itself may not be submitted to the decryption oracle (adaptive means that the queries to the decryption oracle may depend on the target ciphertext).
Combining the above attack goals and attack models yields the various security definitions. Only the formal definition of indistinguishability is given below; it includes the highest level of security, IND-CCA2, that is, semantic security under adaptive chosen-ciphertext attack.
Since the adversary A has different inputs in different phases, it can be regarded as a pair of probabilistic algorithms (A_1, A_2), whose roles depend on the adversary's goal. In the definition of indistinguishability, A_1 takes pk as input and outputs (x_0, x_1, s), where the first two are plaintexts of equal length and s is state information the adversary wishes to keep; one of x_0, x_1 is chosen at random and denoted x_b, the challenge ciphertext y is the ciphertext of x_b, and A_2 takes (x_0, x_1, s) and the challenge ciphertext y as input and tries to output the correct b.
Definition 2 (IND-CPA, IND-CCA1, IND-CCA2). Let PE = (KG, Enc, Dec) be a public-key encryption system, A = (A_1, A_2) an adversary and H(·) a random oracle. For any atk ∈ {cpa, cca1, cca2} and any λ ∈ N, let
$\mathrm{Adv}^{\mathrm{ind}\text{-}\mathrm{atk}}_{PE,A}(\lambda) = \Pr\big[\mathrm{Exp}^{\mathrm{ind}\text{-}\mathrm{atk}\text{-}1}_{PE,A}(\lambda) = 1\big] - \Pr\big[\mathrm{Exp}^{\mathrm{ind}\text{-}\mathrm{atk}\text{-}0}_{PE,A}(\lambda) = 1\big]$
where, for $b \in \{0,1\}$, the experiment $\mathrm{Exp}^{\mathrm{ind}\text{-}\mathrm{atk}\text{-}b}_{PE,A}(\lambda)$ is defined as:
$(pk, sk) \leftarrow_R KG(\lambda)$;
$(x_0, x_1, s) \leftarrow A_1^{O_1(\cdot),\,H(\cdot)}(pk)$;
$y \leftarrow Enc_{pk}(x_b)$;
$d \leftarrow A_2^{O_2(\cdot),\,H(\cdot)}(x_0, x_1, s, y)$;
return $d$.
If atk = cpa, then O_1(·) and O_2(·) are both empty (no decryption oracle); if atk = cca1, then O_1(·) = Dec_sk(·) and O_2(·) is empty; if atk = cca2, then O_1(·) = Dec_sk(·) and O_2(·) = Dec_sk(·). It is also required that |x_0| = |x_1| and that A_2 may not use the decryption oracle to obtain the plaintext of y. If for every polynomial-time adversary A the advantage $\mathrm{Adv}^{\mathrm{ind}\text{-}\mathrm{atk}}_{PE,A}(\lambda)$ is a negligible function, the public-key encryption system PE is said to be secure in the IND-ATK sense.
2. Security analysis
Considering the system itself: the operation used in the invention differs from the elliptic curve group operation, and the pseudo-addition "+" is almost never associative (for example, on the affine plane R^2 take the three points P = (1, 2), Q = (2, 3), R = (3, 1); by the pseudo-addition formula, (P + Q) + R = (−2, 1) + (3, 1) = (−1, −1), whereas P + (Q + R) = (1, 2) + (−1, −9) = (121/4, −1303/8)). Consequently, obtaining the ciphertext of R(m) from the ciphertext of m, where R is a non-trivial relation, is extremely difficult; that is, intuitively the system has the non-malleability property. This is the most obvious difference from the ElGamal system and one reason for the improved security. The use of hash functions further strengthens the security of the system. This section proves that the system is IND-CCA2 secure. For brevity, the encryption system is denoted ∏ below.
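As an added example (not code from the patent), the pseudo-addition taken as the chord formula of the curve group law applied to arbitrary points of the affine plane, evaluated in exact rational arithmetic on the three points above, together with the cancellation (B + A) + (−B) = A on which the subtraction C2 − Q' in decryption relies:

```python
from fractions import Fraction as Fr


def pseudo_add(p1, p2):
    """Chord rule of the elliptic-curve group law applied to two arbitrary points
    of the affine plane with distinct x-coordinates (the patent's pseudo-addition)."""
    (x1, y1), (x2, y2) = p1, p2
    slope = Fr(y2 - y1) / (x2 - x1)
    x3 = slope * slope - x1 - x2
    return x3, slope * (x1 - x3) - y1


def both_bracketings(p, q, r):
    """Return ((P+Q)+R, P+(Q+R)); for the group law on curve points these agree,
    for the pseudo-addition on arbitrary points they generally do not."""
    return pseudo_add(pseudo_add(p, q), r), pseudo_add(p, pseudo_add(q, r))


def undo(total, b):
    """Recover A from B + A by pseudo-adding the reflected point (x_B, -y_B):
    the line through B + A and -B is the mirror image of the line through
    B, A and -(B + A), so it meets the vertical x = x_A exactly at y_A."""
    return pseudo_add(total, (b[0], -b[1]))
```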
Theorem 1. If ECCDHP is hard, then ∏ is IND-CCA2 secure.
Proof. Suppose ∏ has an adversary A = (A_1, A_2) in the IND-CCA2 sense. A queries the random oracles G(·), H(·) and F(·); the records of these queries are called the G-table, H-table and F-table, written τ_G = {(g_i, G_i)}, τ_H = {(h_i, H_i)}, τ_F = {(f_i, F_i)}, and their lengths (numbers of queries) are denoted q_G, q_H, q_F respectively. An algorithm B for ECCDHP can then be constructed as follows. B receives as input P, Q = aP and Y = bP, and its goal is to compute R = abP.
B runs A_1 on input (P, Q). Since A_1 may query the random oracles and the decryption oracle, B must simulate both. If A_1 queries G(·) at g: if g is already in the record, the recorded value is returned as the answer; otherwise a value is chosen uniformly at random from the range and returned to A_1, and the pair (g, value) is added to the record as an input/output pair. B simulates the random oracles H(·) and F(·) in the same way as G(·). If A_1 queries the decryption oracle with y = (C_1, C_2): if the G-table, F-table and H-table contain entries (g_i, G_i), (f_l, F_l) and (h_j, H_j) satisfying f_l = g_i, F_l P = C_1 and C_2 = F_l Q + (h_j, H_j ⊕ f_l), B computes M = h_j ⊕ G_i; if the low λ' bits of M are 0, the high λ − λ' bits of M are output as the plaintext; in every other case the empty string (rejection) is output. When A_1 terminates, let its output be (m_0, m_1, s).
B chooses C_2* ∈ {0,1}^{2λ} uniformly at random, sets y* = (C_1* = Y, C_2*), and runs A_2 on input (m_0, m_1, s, y*), simulating the decryption oracle and the random oracles exactly as before.
After A terminates, B picks an entry (h, H) from the H-table at random; if there exists a t such that R = C_2* − (h, t) ∈ E, B outputs this R; otherwise B picks another entry (h, H) from the H-table. If no entry of the H-table satisfies the relation above, B outputs a random point of E as R.
Write F* = log_P Y, (s*, t*) = C_2* − F*Q, h* = s* and k* = t* ⊕ H(h*). By the equation of E and the pseudo-addition formula, C_2* − (h, t) ∈ E is a degree-6 equation in t, which has at most six solutions. Let AskH denote the event that A queries H(·) at h*. Then the probability ε' that B outputs the correct ECDH solution satisfies
$\varepsilon' \ge \dfrac{\Pr[\mathrm{AskH}]}{6 q_H}$.
To run A correctly, B must first simulate the decryption oracle correctly and, second, ensure that the target ciphertext y* is a valid ciphertext. Let Bad denote the event that a decryption-oracle answer is wrong or that y* is not a valid ciphertext. Suppose A succeeds with probability (1 + ε)/2. If B has run A correctly, then since y* is completely independent of m_0 and m_1, A outputs the correct result with probability 1/2, so
$(1 + \varepsilon)/2 \le \tfrac{1}{2}(1 - \Pr[\mathrm{Bad}]) + \Pr[\mathrm{Bad}]$,
which gives Pr[Bad] ≥ ε. Clearly
$\Pr[\mathrm{AskH}] \ge \Pr[\mathrm{AskH} \wedge \mathrm{Bad}] = \Pr[\mathrm{Bad}] - \Pr[\mathrm{Bad} \wedge \neg\mathrm{AskH}] \ge \varepsilon - \Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}]$.
Given that h* has not been queried to H(·), Bad can occur only if A has queried G(·) or F(·) at k* (event AskK) or a decryption-oracle answer was wrong (event DBad), that is,
$\Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \le \Pr[\mathrm{AskK} \mid \neg\mathrm{AskH}] + \Pr[\mathrm{DBad} \mid \neg\mathrm{AskH} \wedge \neg\mathrm{AskK}]$.
If h* has not been queried, H(h*) is uniformly random, so k* = t* ⊕ H(h*) is uniformly random, and the probability that k* is queried is at most (q_G + q_F)/2^λ, that is,
$\Pr[\mathrm{AskK} \mid \neg\mathrm{AskH}] \le \dfrac{q_G + q_F}{2^{\lambda}}$.
The following discussion is under the assumption that neither k* nor h* has been queried.
Suppose A queries the decryption oracle with y = (C_1, C_2). Write F = log_P C_1, (s, t) = C_2 − FQ, k = H(s) ⊕ t, h = s, and Pr'[·] = Pr[· | ¬AskH ∧ ¬AskK].
Case 1: both h and k have been queried. Then the output of the simulator is necessarily correct.
Case 2: h has been queried, but k has not been queried to G(·) or to F(·). Then the simulator outputs the empty string, and this is wrong only if y is a valid ciphertext. Since h has been queried, k is determined, while k* is random, so the probability that k = k* is at most 2^{-λ}; given k = k*, y is a valid ciphertext with probability at most 1, so the simulator's error probability in the sub-case k = k* is at most 2^{-λ}. If k ≠ k* and k has not been queried to G(·), y being a valid ciphertext means that the low λ' bits of s ⊕ G(k) are 0, and since G(k) is random this has probability at most 2^{-λ'}. If k ≠ k* and k has not been queried to F(·), y being a valid ciphertext means F(k) = log_P C_1, and since F(k) is random this has probability at most 2^{-λ}.
Case 3: h has not been queried. Then the simulator outputs the empty string, and this is wrong only if y is a valid ciphertext, that is, F(k) = log_P C_1 and the low λ' bits of s ⊕ G(k) are 0. If h = h*, H(h) is uniformly random because h* has not been queried; if h ≠ h*, H(h) is uniformly random because h has not been queried. So H(h) is uniformly random, hence k = t ⊕ H(h) is uniformly random, and the probability that F(k) = log_P C_1 is at most 2^{-λ}, while the probability that the low λ' bits of s ⊕ G(k) are 0 is at most 2^{-λ'}. Thus, when h has not been queried, the simulator's error probability is at most 2^{-λ}.
Combining the above, with q_D the number of decryption queries, $\Pr[\mathrm{DBad} \mid \neg\mathrm{AskK} \wedge \neg\mathrm{AskH}] \le 3q_D/2^{\lambda} + q_D/2^{\lambda'}$, and therefore
$\Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \le \dfrac{q_G + q_F + 3q_D}{2^{\lambda}} + \dfrac{q_D}{2^{\lambda'}}$,
$\Pr[\mathrm{AskH}] \ge \varepsilon - \Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}] \ge \varepsilon - \left(\dfrac{q_G + q_F + 3q_D}{2^{\lambda}} + \dfrac{q_D}{2^{\lambda'}}\right)$.
So the probability that B outputs the correct ECDH solution is
$\varepsilon' \ge \dfrac{\Pr[\mathrm{AskH}]}{6 q_H} \ge \dfrac{\varepsilon}{6 q_H} - \dfrac{q_G + q_F + 3q_D}{6 q_H \cdot 2^{\lambda}} - \dfrac{q_D}{6 q_H \cdot 2^{\lambda'}}$.
From this formula, if ε is non-negligible then ε' is also non-negligible. Let the running time of A be t; then the running time of B is t' = t + q_H t_f, where t_f is the time needed to solve a degree-6 equation over F_p. Clearly, if A is polynomial-time, then B is also polynomial-time. Hence, if ∏ is not IND-CCA2 secure, ECCDHP can be solved, which is a contradiction. Therefore, under the assumption that ECCDHP is hard, ∏ is IND-CCA2 secure.
Finally, it should be noted that the above embodiments are only intended to illustrate the present invention and not to limit the technical solution described in the invention. Therefore, although this specification has described the invention in detail with reference to each of the above embodiments, those of ordinary skill in the art should understand that the invention can still be modified or equivalently replaced; and all technical solutions and improvements thereof that do not depart from the spirit and scope of the invention should be covered by the scope of the claims of the invention.

Claims (2)

1. A method of data encryption, characterized in that: when the sender sends data to the receiver, the data to be sent is encrypted according to the pseudo-addition encryption method; the encryption steps are as follows:
Step 10: choose an integer k at random such that 1 < k < n, where n is the order of the elliptic curve base point;
Step 11: compute F(k), F(k)P and F(k)Q_A, where:
F(k) is the hash value of k, F(k)P is the F(k)-fold multiple of the elliptic curve point P, and F(k)Q_A is the F(k)-fold multiple of the elliptic curve point Q_A;
F(k) is a positive integer less than n, and F(k)P and F(k)Q_A are points on the elliptic curve;
Step 12: process the data to be encrypted according to the following formula:
m' = m || 0^{λ'}, where
m is the data to be encrypted, m' is the data used in the encryption process, and λ' is the number of 0 bits appended;
Step 13: compute G(k); if x(F(k)Q_A) = m' ⊕ G(k), return to step 10; otherwise go to step 14;
where G(k) is the hash value of k;
x(F(k)Q_A) is the x-coordinate of the elliptic curve point F(k)Q_A;
Step 14: compute the ciphertext C according to the following formula:
C = (C1, C2) = (F(k)P, F(k)Q_A + (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k));
where C is the ciphertext data set, C1 and C2 are the two elements of C, and
C1 = F(k)P;
C2 = F(k)Q_A + (m' ⊕ G(k), H(m' ⊕ G(k)) ⊕ k);
H(m' ⊕ G(k)) is the hash value of m' ⊕ G(k);
Step 15: if the x-coordinate of C2 belongs to the set {m' ⊕ G(k), x(F(k)Q_A)}, return to step 10; otherwise output the ciphertext C.
2. A method of decrypting data encrypted by the method of claim 1, characterized in that: when the receiver receives the ciphertext data encrypted by the sender, it is decrypted by the following method to restore the data from the encrypted data; the decryption steps are as follows:
Step 20: compute Q' = d_A C1; if x(Q') = x(C2), reject the ciphertext data; where
Q' is an elliptic curve point, d_A is the private key of the decrypting party, and x(Q'), x(C2) are the x-coordinates of Q' and C2 respectively;
Step 21: compute (M, r) = C2 − Q'; if M = x(C2) or M = x(Q'), reject the ciphertext data; where M and r are respectively the x-coordinate and the y-coordinate of a point on the affine plane;
Step 22: compute f = H(M) ⊕ r; where H(M) is the hash value of M;
Step 23: if F(f)P = C1 and the last λ' bits of M are 0, then the received plaintext m is the first λ − λ' bits of M; otherwise reject;
where F(f)P is the F(f)-fold multiple of the elliptic curve point P;
λ' is the number of 0 bits appended in the encryption process;
λ is the security parameter.
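A runnable toy instance of the encryption of claim 1 and the decryption of claim 2, including the NAF scalar multiplication given earlier on the page; this is an added example, not the patent's or the applicants' code. It assumes a constructed 16-bit curve over F_65539 found by brute force, SHA-256 standing in for the hash functions F, G and H, and the pseudo-addition taken as the chord formula on arbitrary affine points, as in the page's own worked example; decryption un-masks M with G(k) before the padding check, the step that the page's test vector (m'⊕f recomputed at the end of decryption) and the proof (M = h_j ⊕ G_i) perform.

```python
import hashlib
import secrets

P_MOD, A_COEF = 65539, 1   # constructed toy curve y^2 = x^3 + x + b over F_p (p prime, p = 3 mod 4)
LAM, LAM_PAD = 16, 4       # lambda = bit length of m', lambda' = trailing zero bits appended to m
INF = None                 # point at infinity


def pseudo_add(p1, p2, p=P_MOD):
    """Chord rule on two affine points with distinct x: the patent's pseudo-addition."""
    (x1, y1), (x2, y2) = p1, p2
    s = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p


def ec_add(p1, p2, p=P_MOD, a=A_COEF):
    """Group law on the curve: pseudo_add for distinct x, plus the infinity and doubling cases."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 != x2: return pseudo_add(p1, p2, p)
    if (y1 + y2) % p == 0: return INF
    s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    x3 = (s * s - 2 * x1) % p
    return x3, (s * (x1 - x3) - y1) % p


def naf(k):
    """Non-adjacent form of k, least significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while k:
        d = 2 - (k & 3) if k & 1 else 0   # +1 when k = 1 mod 4, -1 when k = 3 mod 4
        digits.append(d); k = (k - d) >> 1
    return digits


def scalar_mult(k, pt):
    """kP by the left-to-right NAF method given on the page (Q <- Q - P on a -1 digit)."""
    q = INF
    for d in reversed(naf(k)):
        q = ec_add(q, q)
        if d == 1: q = ec_add(q, pt)
        elif d == -1: q = ec_add(q, (pt[0], -pt[1] % P_MOD))
    return q


def setup():
    """Brute-force a coefficient b and a base point P whose order n has 2^(LAM-1) < n < 2^LAM."""
    for b in range(1, P_MOD):
        if (4 * A_COEF ** 3 + 27 * b * b) % P_MOD == 0: continue      # singular curve
        for x in range(1, P_MOD):
            rhs = (x ** 3 + A_COEF * x + b) % P_MOD
            y = pow(rhs, (P_MOD + 1) // 4, P_MOD)                       # square root, valid as p = 3 mod 4
            if y * y % P_MOD != rhs: continue
            n, acc = 1, (x, y)
            while acc is not INF: acc, n = ec_add(acc, (x, y)), n + 1   # order of P by repeated addition
            if 2 ** (LAM - 1) < n < 2 ** LAM: return b, (x, y), n
            break                                                       # order unsuitable: next b


B_COEF, BASE, ORDER = setup()


def hash_int(tag, v): return int.from_bytes(hashlib.sha256(tag + v.to_bytes(8, "big")).digest(), "big")
def F(k): return 1 + hash_int(b"F", k) % (ORDER - 1)   # hash to a scalar in [1, n-1]
def G(k): return hash_int(b"G", k) % 2 ** LAM           # lambda-bit mask applied to m'
def H(v): return hash_int(b"H", v) % 2 ** LAM           # lambda-bit mask applied to k


def keygen():
    d = secrets.randbelow(ORDER - 2) + 2      # private key d_A, 1 < d_A < n
    return d, scalar_mult(d, BASE)            # (d_A, Q_A = d_A P)


def encrypt(pub, m):
    """Claim 1, steps 10-15; m has at most LAM - LAM_PAD bits."""
    m_pad = m << LAM_PAD                                       # step 12: m' = m || 0^{lambda'}
    while True:
        k = secrets.randbelow(ORDER - 2) + 2                   # step 10: 1 < k < n
        fk = F(k)
        c1, fkq = scalar_mult(fk, BASE), scalar_mult(fk, pub)  # step 11: F(k)P and F(k)Q_A
        M = m_pad ^ G(k)                                       # step 13: m' xor G(k)
        if fkq is INF or fkq[0] == M: continue                 # step 13: x(F(k)Q_A) = M, retry
        c2 = pseudo_add(fkq, (M, H(M) ^ k))                    # step 14: F(k)Q_A + (M, H(M) xor k)
        if c2[0] not in (M, fkq[0]): return c1, c2             # step 15: otherwise retry


def decrypt(priv, ct):
    """Claim 2, steps 20-23; returns m, or None when the ciphertext is rejected."""
    c1, c2 = ct
    q = scalar_mult(priv, c1)                                  # step 20: Q' = d_A C1
    if q is INF or q[0] == c2[0]: return None
    M, r = pseudo_add(c2, (q[0], -q[1] % P_MOD))               # step 21: (M, r) = C2 - Q'
    if M in (c2[0], q[0]): return None
    k = H(M) ^ r                                               # step 22: f = H(M) xor r, i.e. k
    m_pad = M ^ G(k)                                           # un-mask M, as the page's test vector does
    if scalar_mult(F(k), BASE) != c1 or m_pad % 2 ** LAM_PAD: return None   # step 23
    return m_pad >> LAM_PAD
```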

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100915632A CN100411334C (en) 2004-11-19 2004-11-19 Method for encrypting and decrypting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100915632A CN100411334C (en) 2004-11-19 2004-11-19 Method for encrypting and decrypting data

Publications (2)

Publication Number Publication Date
CN1610291A true CN1610291A (en) 2005-04-27
CN100411334C CN100411334C (en) 2008-08-13

Family

ID=34766299

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100915632A Active CN100411334C (en) 2004-11-19 2004-11-19 Method for encrypting and decrypting data

Country Status (1)

Country Link
CN (1) CN100411334C (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007098687A1 (en) * 2006-03-02 2007-09-07 China Iwncomm Co., Ltd. Encryption and decryption processing method of achieving sms4 cryptographic algorithm and system thereof
US20090323930A1 (en) * 2006-07-31 2009-12-31 Iwncomm Co., Ltd. High-efficient encryption and decryption processing method for implementing sms4 algorithm
CN101079203B (en) * 2006-05-22 2010-07-28 北京华大信安科技有限公司 Elliptical curve cipher system and method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1108041C (en) * 1999-12-01 2003-05-07 陈永川 Digital signature method using elliptic curve encryption algorithm
CN100452695C (en) * 2002-11-29 2009-01-14 北京华大信安科技有限公司 Elliptic curve encryption and decryption method and apparatus

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007098687A1 (en) * 2006-03-02 2007-09-07 China Iwncomm Co., Ltd. Encryption and decryption processing method of achieving sms4 cryptographic algorithm and system thereof
CN100369074C (en) * 2006-03-02 2008-02-13 西安西电捷通无线网络通信有限公司 Method for realizing encryption/decryption processing in SMS4 cipher algorithm
US8175264B2 (en) 2006-03-02 2012-05-08 China Iwncomm Co., Ltd. Encryption and decryption processing method, system and computer-accessible medium for achieving SMS4 cryptographic procedure
US8605893B2 (en) 2006-03-02 2013-12-10 China Iwncomm Co., Ltd. Encryption and decryption processing method, system and computer-accessible medium for achieving SMS4 cryptographic procedure
CN101079203B (en) * 2006-05-22 2010-07-28 北京华大信安科技有限公司 Elliptical curve cipher system and method
US20090323930A1 (en) * 2006-07-31 2009-12-31 Iwncomm Co., Ltd. High-efficient encryption and decryption processing method for implementing sms4 algorithm
US8204218B2 (en) * 2006-07-31 2012-06-19 China Iwncomm Co., Ltd. High-efficient encryption and decryption processing method for implementing SMS4 algorithm

Also Published As

Publication number Publication date
CN100411334C (en) 2008-08-13


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 518057 Guangdong city of Shenzhen province Nanshan District science and Technology Park, a high-tech South SKYWORTH building A District 17 floor

Co-patentee after: CHINA IWNCOMM Co.,Ltd.

Patentee after: Shenzhen Mingwah Aohan High Technology Corp.,Ltd.

Address before: 518057 Guangdong city of Shenzhen province Nanshan District science and Technology Park, a high-tech South SKYWORTH building A District 17 floor

Co-patentee before: CHINA IWNCOMM Co.,Ltd.

Patentee before: Shenzhen Mingwah Aohan High Technology Corp.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20180925

Address after: 518000 Nanshan District, Shenzhen, Guangdong, Guangdong Province, south Guangdong Road, 9672 Shennan Road, No. 2 building, 4 building, 3 floor 308

Co-patentee after: CHINA IWNCOMM Co.,Ltd.

Patentee after: XINMINGHUA BLOCKCHAIN TECHNOLOGY (SHENZHEN) Co.,Ltd.

Address before: 518057 Nanshan District science and Technology Park, Shenzhen, Guangdong, 17 A, SKYWORTH building, Gaoxin Nan.

Co-patentee before: CHINA IWNCOMM Co.,Ltd.

Patentee before: Shenzhen Mingwah Aohan High Technology Corp.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230616

Address after: 518000 338, Nanfang building, building 202, Shangbu Industrial Zone, Hongli Road, Huahang community, Huaqiang North Street, Futian District, Shenzhen, Guangdong Province

Patentee after: XINMINGHUA BLOCKCHAIN TECHNOLOGY (SHENZHEN) Co.,Ltd.

Address before: 518000 Nanshan District, Shenzhen, Guangdong, Guangdong Province, south Guangdong Road, 9672 Shennan Road, No. 2 building, 4 building, 3 floor 308

Patentee before: XINMINGHUA BLOCKCHAIN TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee before: CHINA IWNCOMM Co.,Ltd.