Embodiment
The present invention is described in further detail below in conjunction with a specific embodiment:
Before the concrete encryption scheme is given, the pseudo-addition operation is described first. On the affine plane $F_p^2$, two points with different x-coordinates uniquely determine a Weierstrass equation $Y^2 = X^3 + a_4 X + a_6$ on this plane, where $X$, $Y$ are variables and $a_4$, $a_6$ are elements of the field $F_p$, $p$ a large prime. If the cubic curve so determined is an elliptic curve, then the coordinates of the sum of the two points are completely determined by the two points themselves.
The present invention makes use of this property and defines a new operation: pseudo-addition.
Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points of the affine plane $F_p^2$ with $x_1 \neq x_2$. The pseudo-addition operation is defined as follows:
1. $P_1 + P_2 = P_3 = (x_3, y_3)$, where $x_3$, $y_3$ are given by the chord formula of steps A3.1, A7 and A8 of the rational point arithmetic below: $\lambda = (y_1 - y_2)/(x_1 - x_2)$, $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$;
2. $-P_1 = (x_1, -y_1)$;
3. $P_1 - P_2 = P_1 + (-P_2)$.
If $P$, $Q$ are two points of the affine plane $F_p^2$ with different x-coordinates, then $P$ and $Q$ uniquely determine an affine curve $E(P, Q)$: $Y^2 = X^3 + aX + b$ passing through $P$ and $Q$, where $a$, $b$ are elements of the field $F_p$ and are uniquely determined by the points $P$ and $Q$; here $F_p$ is the finite field of $p$ elements, $p$ a prime, and a point is a pair of elements of $F_p$. On the curve $E(P, Q)$, point doubling is additionally defined for every non-singular point, with the same formula as elliptic-curve point doubling:
Let $E(P, Q)$: $Y^2 = X^3 + aX + b$, and let $P_1 = (x_1, y_1)$ be a non-singular point on this curve. Then $2P_1 = (x_3, y_3)$, where
$$x_3 = \lambda^2 - 2x_1, \qquad y_3 = \lambda(x_1 - x_3) - y_1,$$
with $\lambda = (3x_1^2 + a)/(2y_1)$ (step A6 of the rational point arithmetic below).
If $4a^3 + 27b^2 \neq 0 \bmod p$, the curve is an elliptic curve; the pseudo-addition "+" defined above is exactly elliptic-curve point addition, all rational points of the elliptic curve form a group under "+" and point doubling, the point at infinity $O$ is its identity, and "-" is the inverse operation of "+". If $4a^3 + 27b^2 = 0 \bmod p$, the curve is singular and has exactly one singular point; all its non-singular points likewise form a group under "+" and point doubling, the point at infinity $O$ is its identity, and "-" is the inverse operation of "+".
From the properties of the operation it follows: if and only if $P$, $Q$ are both non-singular points of $E(P, Q)$ and $R$ (= $P + Q$), $P$, $Q$ have pairwise different x-coordinates, then $Q$ (= $R - P$) can be computed from $R$ and $P$ without knowing the concrete equation of the curve $E(P, Q)$ determined by $P$ and $Q$. Note that $R$, $P$, $Q$ having pairwise different x-coordinates already implies that $P$ and $Q$ are both non-singular, and the probability that $P$, $Q$ are both non-singular is at least $1 - 6/(p-1)$, where $p$ is a large prime. That is: for two points $P$, $Q$ with different x-coordinates and $R = P + Q$, any one of the three points can be computed from the other two with probability $1 - 6/(p-1)$. The present invention makes full use of this property to obtain a new plaintext embedding method and an encryption system that is semantically secure under adaptive chosen-ciphertext attack; this property is also the greatest difference between it and traditional elliptic-curve cryptosystems.
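The pseudo-addition defined above, as an added Python example (not code from the patent): it recovers the affine curve $E(P, Q)$ through two points, tests the discriminant $4a^3 + 27b^2$, and recovers $Q = R - P$ from $R$ and $P$ without using the curve equation. The points $P = (3, 7)$, $Q = (10, 4)$ over $F_{101}$ are constructed for the example; the same function over the rationals reproduces the non-associativity example used later in the security analysis.

```python
from fractions import Fraction

def pseudo_add(P1, P2, p=None):
    """Chord formula for two points with x1 != x2. With p given, work in F_p;
    with p=None, work over the rationals (exact Fractions)."""
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        raise ValueError("pseudo-addition needs distinct x-coordinates")
    if p is None:
        lam = Fraction(y2 - y1) / (x2 - x1)
        x3 = lam * lam - x1 - x2
        return (x3, lam * (x1 - x3) - y1)
    lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def pseudo_neg(P1, p=None):
    x, y = P1
    return (x, -y if p is None else -y % p)

def pseudo_sub(P1, P2, p=None):
    return pseudo_add(P1, pseudo_neg(P2, p), p)

def curve_through(P1, P2, p):
    """The affine curve E(P1, P2): solve y^2 = x^3 + a x + b for (a, b)."""
    (x1, y1), (x2, y2) = P1, P2
    c1 = (y1 * y1 - x1 ** 3) % p                 # equals a*x1 + b
    c2 = (y2 * y2 - x2 ** 3) % p                 # equals a*x2 + b
    a = (c1 - c2) * pow((x1 - x2) % p, -1, p) % p
    return a, (c1 - a * x1) % p

def is_elliptic(a, b, p):
    return (4 * a ** 3 + 27 * b ** 2) % p != 0

def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - x ** 3 - a * x - b) % p == 0

def demo(p=101, P=(3, 7), Q=(10, 4)):
    """Constructed input: two arbitrary points of the affine plane over F_101."""
    R = pseudo_add(P, Q, p)
    a, b = curve_through(P, Q, p)
    return {
        "R": R,
        "Q_from_R_and_P": pseudo_sub(R, P, p),   # no curve equation needed
        "curve": (a, b),
        "elliptic": is_elliptic(a, b, p),
        "R_on_curve": on_curve(R, a, b, p),
    }

def associativity_gap():
    """The affine-plane R^2 example from the security analysis: (P+Q)+R vs P+(Q+R)."""
    P, Q, R = (1, 2), (2, 3), (3, 1)
    return pseudo_add(pseudo_add(P, Q), R), pseudo_add(P, pseudo_add(Q, R))
```

`demo()` returns $R = (82, 99)$, the recovered $Q = (10, 4)$, the curve $(a, b) = (15, 78)$ with $4a^3 + 27b^2 \equiv 8 \neq 0$, and confirms that $R$ lies on it; `associativity_gap()` returns $(-1, -1)$ and $(121/4, -1303/8)$, so "+" is not a group law on the plane as a whole, only on each curve $E(P, Q)$.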
Let $E$: $Y^2 = X^3 + aX + b$ be an elliptic curve over the finite field $F_p$, and let $E(F_p)$ denote the group formed by all $F_p$-rational points of $E$ together with $O$. For any point $P$ in $E(F_p)$ there is a smallest integer $n$ with $nP = O$; $n$ is called the order of $P$, and $P$ generates a cyclic group of order $n$. The great majority of elliptic-curve public-key cryptosystems are built on the cyclic group generated by a point whose order is a large prime; such a point is called a base point. Unless otherwise stated, capital letters denote points on the curve, lowercase letters denote elements of the finite field, $x(P)$ and $y(P)$ denote the x- and y-coordinate of the point $P$, addition of distinct points is the pseudo-addition above, and point doubling is the doubling defined on the elliptic curve.
The system parameters are $(p, a, b, P, n)$, where $p$ is a large prime determined by the required security strength, i.e. the security parameter $\lambda$; $a$, $b$ are elements of the finite field $F_p$ and determine an elliptic curve $E$: $Y^2 = X^3 + aX + b$; $P$ is an $F_p$-rational point of $E$ of order $n$, where $n$ is a large prime of size comparable to $p$. Each user A has its own user parameters $(SK_A, PK_A) = (d_A, Q_A)$, where $Q_A = d_A P$ and $d_A$ is a positive integer smaller than $n$; $d_A$ and $Q_A$ are called the private key and the public key of user A. The public key is public and may be known to anyone; the private key is private and known only to user A. $H(\cdot)$, $F(\cdot)$, $G(\cdot)$ are hash functions $\{0,1\}^\lambda \to \{0,1\}^\lambda$ ($\oplus$ below denotes the bitwise exclusive-or of such $\lambda$-bit strings); $\lambda'$ is an integer such that $1/2^{\lambda'}$ is a negligible function of $\lambda$, and here we take $\lambda' = \lambda/4$. In the implementation of the system, to reduce the possibility of data overflow, the highest 8 bits of every hash value are forced to be 0.
If user B wants to send a message $m \in \{0,1\}^{\lambda - \lambda'}$ to user A, user B performs the following encryption operation:
First, choose a random integer $k$, $1 < k < n$; compute the hash value $F(k)$ of $k$, the $F(k)$-multiple $F(k)P$ of the elliptic-curve point $P$, denoted $C_1$, and the $F(k)$-multiple $F(k)Q_A$ of the elliptic-curve point $Q_A$. Then append $\lambda'$ zeros to $m$ to obtain $m'$, i.e. $m' = m \,\|\, 0^{\lambda'}$. Compute the hash value $G(k)$ of $k$; if the x-coordinate of $F(k)Q_A$ satisfies $x(F(k)Q_A) = m' \oplus G(k)$, go back and choose the integer $k$ again. Finally, compute the ciphertext
$$C = (C_1, C_2) = \bigl(C_1,\; F(k)Q_A + (m' \oplus G(k),\; H(m' \oplus G(k)) \oplus k)\bigr);$$
if the x-coordinate of the affine-plane point $C_2$ belongs to the set $\{m' \oplus G(k),\; x(F(k)Q_A)\}$, go back and choose the integer $k$ again; otherwise output the ciphertext $C$.
After user A receives the ciphertext $C$ sent by user B, A performs the following decryption operation to recover the plaintext $m$:
1. First compute the $d_A$-multiple $d_A C_1$ of the elliptic-curve point $C_1$, denoted $Q'$; if $x(Q') = x(C_2)$, reject;
2. Then compute the affine-plane point $C_2 - Q'$, denoted $(M, r)$, where $M$, $r$ are elements of the finite field $F_p$; if $M = x(C_2)$ or $M = x(Q')$, reject;
3. Further compute $H(M) \oplus r$, denoted $f$;
4. If the $F(f)$-multiple $F(f)P$ of the elliptic-curve point $P$ equals the elliptic-curve point $C_1$ and the last $\lambda'$ bits of $M \oplus G(f)$ are 0, accept: the plaintext $m$ is the first $\lambda - \lambda'$ bits of $M \oplus G(f)$; otherwise reject.
Below is the mathematical proof that encrypting data with the present invention achieves high security:
Suppose the order of the elliptic-curve group is approximately $p$, and that for half of all $m$ the value $m^3 + am + b$ is a quadratic residue modulo $p$. The following conclusions then show that the probability that the encryption process has to go back and choose $k$ again is very small.
Lemma 1. For randomly chosen $k$ and $m$, the probability that $x(kQ_A) = m$ is at most $2/p$.
Lemma 2. Let $R = kP + (m, \mathrm{Hash}(m) \oplus k)$, where $x(kP) \neq m$. Then the probability that $x(R) \in \{m, x(kP)\}$ is negligible.
Proof. Suppose $kP = (c, d)$; then $d^2 = c^3 + ac + b$, and $c$, $d$ are completely determined by $k$. Below $\mathrm{Hash}(\cdot)$ is abbreviated $h(\cdot)$. If $x(R) = m$, the pseudo-addition formula yields an equation in $c$, $d$, $m$ and $h(m) \oplus k$; using the relation $d^2 = c^3 + ac + b$ to eliminate $d$ from it gives:
$$(h(m)\oplus k)^4 + (h(m)\oplus k)^2\,(6m^2c - 4m^3 + 2ac + 2b) - 4\,(h(m)\oplus k)^2\,(c^3 + ac + b) + 4m^6 - 12m^5c + 9m^4c^2 - 4m^3(ac+b) + 6m^2c(ac+b) + a^2c^2 + b^2 + 2abc = 0.$$
If, for a given $k$, the probability that this equation holds were non-negligible, the hash function $h(\cdot)$ would satisfy the equation with non-negligible probability; then, with $k$ fixed, for a hash value $e$ satisfying the equation one could take $m$ as the unknown and obtain a preimage of $e$ by solving this sextic equation. So if the equation held with non-negligible probability for some given $k$, the hash function $h(\cdot)$ would not meet the one-wayness requirement. Hence for arbitrary $k$ the probability that the equation holds is negligible, and therefore the probability that $x(R) = m$ is negligible. If $x(R) = c$, one obtains in the same way:
$$\bigl((h(m)\oplus k)^2 - c^3 + ac + b - m^3 + 3mc^2\bigr)^2 = 4\,(h(m)\oplus k)^2\,(c^3 + ac + b).$$
Since the hash function $h(\cdot)$ is one-way, the probability that this equation holds is likewise negligible. Together, the probability that $x(R) \in \{m, x(kP)\}$ is negligible.
The above lemmas show that the probability that the encryption process has to choose $k$ again is negligible, and encryption and decryption each require only two elliptic-curve scalar multiplications and one pseudo-addition, so the encryption method of the present invention can be considered efficient and its soundness is evident. Referring to the IEEE P1363 standard, if point compression is used, the ciphertext produced by this system has a threefold plaintext expansion, i.e. the ciphertext size is three times the plaintext size.
Based on the pseudo-addition of two distinct points, which does not depend on the curve itself, the above method changes the plaintext embedding of the ElGamal encryption system: $m$ is embedded into the point $(m' \oplus G(k),\; H(m' \oplus G(k)) \oplus k)$ rather than into a point on the elliptic curve determined by the system parameters. This makes plaintext embedding very natural and simple. In addition, the system has the following features: the legitimacy of a ciphertext can be verified in step 4 of the decryption process, which makes forging a legitimate ciphertext very difficult (other than by choosing a plaintext); and it performs its operations in different elliptic-curve groups, namely, besides the elliptic curve determined by the system parameters, also the curve determined by $F(k)Q_A$ and $(m' \oplus G(k),\; H(m' \oplus G(k)) \oplus k)$. This curve changes with $m$ and $k$, and without the private key of user A there is no way to tell which elliptic-curve group the current operation is in.
The encryption time complexity of the above encryption system is 2 scalar multiplications, comparable to the efficiency of the ElGamal system; the time complexity of decryption with verification is 2 scalar multiplications, one scalar multiplication more than the ElGamal system. Without verification the efficiency is comparable. With point compression it has a 3-fold plaintext expansion. For convenience of description only the system over a base field of large prime characteristic is given here; for characteristic 2, the pseudo-addition and the description of the system are very similar.
This encryption system is a variant of the ElGamal system, and its security is based on the elliptic-curve computational Diffie-Hellman problem (ECCDHP). It provides a very concise plaintext embedding method and can verify the legitimacy of ciphertexts, thereby providing a higher level of security. Under the random oracle model it is proved that this encryption system is semantically secure under adaptive chosen-ciphertext attack (IND-CCA2).
Under the random oracle model, if the elliptic-curve computational Diffie-Hellman problem (ECCDHP) is hard, then this encryption system is semantically secure under adaptive chosen-ciphertext attack (IND-CCA2); since the proof is based on ECCDHP, its security may be higher than that of PSEC-1. It is not a hybrid encryption system: its operations consist only of elliptic-curve scalar multiplication, the pseudo-addition operation and hash functions, and no symmetric cipher is needed. The encryption system uses the new pseudo-addition operation to embed the plaintext into the x-coordinate of an affine-plane point, which gives a very concise plaintext embedding method, and it can verify the legitimacy of ciphertexts.
In implementing this cryptosystem, the first problem faced is the choice of the system parameters $(p, a, b, P, n)$. From the security standpoint, to resist some known attack algorithms, the system parameters can be specially restricted as follows:
1. $n > 2^{160}$;
2. the elliptic curve is non-supersingular, i.e. $p$ does not divide $p + 1 - \#E(F_p)$;
3. the order $n$ of the base point $P$ does not divide $p^k - 1$ ($1 \le k \le C$); in practice $C = 20$ is often taken;
4. the elliptic curve is non-anomalous, i.e. $\#E(F_p) \neq p$.
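A check of the four restrictions above, as an added Python example (not part of the patent): given $p$, the base-point order $n$ and the group order $\#E(F_p)$, which the SEA algorithm mentioned below would supply, it reports which conditions fail. The NIST P-192 group order used as the passing case is the standard value and not data from this page; the curve on this page shares its $p$ and $a$ but uses its own $b$, base point and $n$. The small parameter triples in the test are constructed to trip the individual conditions.

```python
def parameter_violations(p, n, curve_order, C=20):
    """Return the conditions 1-4 above that (p, n, #E(F_p)) fail.
    n is the base-point order, curve_order is #E(F_p)."""
    bad = []
    if n <= 2 ** 160:
        bad.append("1: n <= 2^160")
    if (p + 1 - curve_order) % p == 0:          # p | p + 1 - #E(F_p): supersingular
        bad.append("2: supersingular")
    for k in range(1, C + 1):                   # n | p^k - 1 for k <= C: small embedding degree
        if (pow(p, k, n) - 1) % n == 0:
            bad.append(f"3: n divides p^{k} - 1")
            break
    if curve_order == p:                        # #E(F_p) = p: anomalous
        bad.append("4: anomalous")
    return bad

# NIST P-192 (standard values, not from this page): same p as the test data below;
# its group order is prime, so n = #E(F_p).
P192_P = int("fffffffffffffffffffffffffffffffeffffffffffffffff", 16)
P192_N = int("ffffffffffffffffffffffff99def836146bc9b1b4d22831", 16)
```

`parameter_violations(P192_P, P192_N, P192_N)` returns an empty list; a toy triple such as $(p, n, \#E) = (23, 11, 24)$ fails conditions 1, 2 and 3, and $(23, 11, 23)$ fails 1, 3 and 4.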
This embodiment takes the base field $F_p$ to be a finite field recommended by the IEEE P1363 standard; the hash functions $G(\cdot)$, $F(\cdot)$ and $H(\cdot)$ are SHA1 with the highest 8 bits of the hash value forced to 0, and the bit length of the large prime $p$ is $\lambda$. The elliptic-curve parameters $a$, $b$ are chosen at random and the order of the curve is computed with the SEA algorithm; an elliptic curve satisfying the above requirements is then taken as the system parameters. The concrete implementation of the present invention needs elliptic-curve rational point arithmetic, the pseudo-addition operation, the elliptic-curve point doubling algorithm and elliptic-curve scalar multiplication; each algorithm is given below in turn.
Since the pseudo-addition operation is identical to elliptic-curve rational point addition of two points with different x-coordinates, it is not listed separately.
In the specific embodiment of the present invention, the key generation process is as follows:
1. Select a random integer $d_A$, $1 < d_A < n$, and compute $Q_A = d_A P$ with the NAF coding and scalar multiplication method;
2. Take $d_A$ as the private key and $Q_A$ as the public key.
The concrete encryption steps are: the message data $m$ is divided into groups $m_1 m_2 \ldots m_d$ of $3\lambda/4$ bits each, and one group is encrypted at a time; for example, the message $m$ of one group is encrypted and then transmitted as follows.
2.1 Look up the public key $Q_A$;
2.2 Select a random number $k$, $1 < k < n$;
2.3 Compute $f = \mathrm{SHA1}(k)$;
2.4 Compute $fP$ with the NAF coding and scalar multiplication method, denoted $C_1$;
2.5 Convert $m$ into the field element $m' = m \,\|\, 0^{\lambda/4}$;
2.6 Compute $fQ_A$ with the NAF coding and scalar multiplication method, denoted $Q'$; if $x(Q')$ equals $m' \oplus f$, go to 2.2;
2.7 Compute $Q' + (m' \oplus f,\; \mathrm{SHA1}(m' \oplus f) \oplus k)$ with the rational point arithmetic, denoted $C_2$; if $x(C_2)$, $x(Q')$ and $m' \oplus f$ are pairwise different, send the encrypted data $(C_1, C_2)$; otherwise go back to 2.2.
Decryption process: after receiving the encrypted data $(C_1, C_2)$, perform the following decryption process:
3.1 Compute the point $Q' = d_A C_1$ with the NAF coding and scalar multiplication method; if $x(Q')$ equals $x(C_2)$, reject;
3.2 Compute $(M, r) = C_2 - Q'$ with the rational point arithmetic; if $M$ equals $x(C_2)$ or $x(Q')$, reject;
3.3 Compute $k = \mathrm{SHA1}(M) \oplus r$;
3.4 Compute $f = \mathrm{SHA1}(k)$;
3.5 Compute $m' = M \oplus f$;
3.6 Compute $fP$ with the NAF coding and scalar multiplication method; if $fP$ equals $C_1$ and the last $\lambda/4$ bits of $m'$ are 0, accept: the plaintext $m$ is the first $3\lambda/4$ bits of $m'$; otherwise reject.
The above rational point arithmetic is as follows:
Input: the elliptic curve $y^2 = x^3 + ax + b$ and two points $P_0 = (x_0, y_0)$ and $P_1 = (x_1, y_1)$ on this curve;
A1. If $P_0 = O$, output the point $P_2 = P_1$;
A2. If $P_1 = O$, output the point $P_2 = P_0$;
A3. If $x_0 \neq x_1$:
A3.1 Compute $\lambda \leftarrow (y_0 - y_1)/(x_0 - x_1) \bmod p$; here "$\leftarrow$" means assigning the value $(y_0 - y_1)/(x_0 - x_1) \bmod p$ to $\lambda$;
A3.2 Go to step A7;
A4. If $y_0 \neq y_1$, output $P_2 \leftarrow O$;
A5. If $y_0 = 0$, output $P_2 \leftarrow O$;
A6. Compute $\lambda \leftarrow (3x_1^2 + a)/(2y_1) \bmod p$;
A7. Compute $x_2 \leftarrow \lambda^2 - x_0 - x_1 \bmod p$;
A8. Compute $y_2 \leftarrow (x_1 - x_2)\lambda - y_1 \bmod p$;
A9. Output $P_2 \leftarrow (x_2, y_2)$.
Note: to subtract a point $P = (x, y)$, add the point $-P = (x, -y)$.
The point doubling algorithm on the above elliptic curve is as follows:
Input: the elliptic curve $E$ and a point $P = (X_1, Y_1, Z_1)$ on $E$ in Jacobian projective coordinates ($x = X/Z^2$, $y = Y/Z^3$), $P \neq O$;
Output: $(X_3, Y_3, Z_3) = 2P$;
B1. Compute $\lambda_1 \leftarrow 3X_1^2 + aZ_1^4$;
B2. Compute $Z_3 \leftarrow 2Y_1 Z_1$;
B3. Compute $\lambda_2 \leftarrow 4X_1 Y_1^2$;
B4. Compute $X_3 \leftarrow \lambda_1^2 - 2\lambda_2$;
B5. Compute $\lambda_3 \leftarrow 8Y_1^4$;
B6. Compute $Y_3 \leftarrow \lambda_1(\lambda_2 - X_3) - \lambda_3$;
B7. Output $(X_3, Y_3, Z_3)$.
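Steps B1 to B7 in code, as an added Python example (not the patent's implementation): the Jacobian doubling is converted back to affine coordinates and compared with the tangent formula from the doubling definition above, on a constructed small curve $y^2 = x^3 + 15x + 78$ over $F_{101}$ with the point $(3, 7)$.

```python
def jacobian_double(pt, a, p):
    """Steps B1-B7 on P = (X1, Y1, Z1) with x = X/Z^2, y = Y/Z^3, P != O."""
    X1, Y1, Z1 = pt
    l1 = (3 * X1 * X1 + a * pow(Z1, 4, p)) % p      # B1
    Z3 = 2 * Y1 * Z1 % p                            # B2 (Z3 = 0 exactly when Y1 = 0, i.e. 2P = O)
    l2 = 4 * X1 * Y1 * Y1 % p                       # B3
    X3 = (l1 * l1 - 2 * l2) % p                     # B4
    l3 = 8 * pow(Y1, 4, p) % p                      # B5
    Y3 = (l1 * (l2 - X3) - l3) % p                  # B6
    return (X3, Y3, Z3)                             # B7

def to_affine(pt, p):
    """(X, Y, Z) -> (X/Z^2, Y/Z^3); requires Z != 0."""
    X, Y, Z = pt
    zi = pow(Z, -1, p)
    return (X * zi * zi % p, Y * pow(zi, 3, p) % p)

def affine_double(pt, a, p):
    """Reference: x3 = lam^2 - 2x1, y3 = lam(x1 - x3) - y1 with lam = (3x1^2 + a)/(2y1)."""
    x1, y1 = pt
    lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    x3 = (lam * lam - 2 * x1) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def check(p=101, a=15, P=(3, 7)):
    """Constructed curve y^2 = x^3 + 15x + 78 over F_101; (3, 7) lies on it.
    Returns (Jacobian result mapped to affine, affine reference)."""
    return to_affine(jacobian_double((P[0], P[1], 1), a, p), p), affine_double(P, a, p)
```

Both paths give $2P = (3, 94) = -P$ for this point, so $P$ has order 3 on the constructed curve; the Jacobian version needs no field inversion per doubling, which is why the page uses it for scalar multiplication and converts back only at the end.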
The above NAF coding algorithm is as follows:
Input: an integer $k = (k_{l-1} \ldots k_1 k_0)_2$;
Output: the NAF of $k$;
C1. $c_0 \leftarrow 0$, $k_l \leftarrow 0$, $k_{l+1} \leftarrow 0$;
C2. $j \leftarrow 0$;
C3. If $j \neq l + 1$:
C3.1 Compute the carry $c_{j+1}$;
C3.2 Compute $s_j \leftarrow k_j + c_j - 2c_{j+1}$;
C3.3 $j \leftarrow j + 1$;
C3.4 Go to step C3;
C4. Output $(s_l s_{l-1} \ldots s_1 s_0)_2$.
The above NAF scalar multiplication method is as follows:
Input: a point $P$ on the elliptic curve and the NAF $(s_l s_{l-1} \ldots s_1 s_0)_2$ of the integer $k$, with $s_l = 1$;
Output: $Q = kP$;
D1. $Q \leftarrow O$;
D2. $j \leftarrow l$;
D3. If $j \neq -1$:
D3.1 Compute $Q \leftarrow 2Q$;
D3.2 If $s_j = 1$, compute $Q \leftarrow Q + P$;
D3.3 If $s_j = -1$, compute $Q \leftarrow Q - P$;
D3.4 $j \leftarrow j - 1$;
D3.5 Go to step D3;
D4. Output $Q$.
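The complete scheme in Python, as an added example serving the encryption and decryption procedures above, the concrete steps 2.1 to 3.6, and the point arithmetic, NAF coding and NAF scalar multiplication algorithms just given (example code, not the patent's implementation). It uses the system parameters $(p, a, b, P, n)$ from the test data listed below and, as in the page's implementation, a single hash for $F = G = H$. Two points are this example's assumptions rather than the page's: the NAF carry rule $c_{j+1} = \lfloor (k_j + k_{j+1} + c_j)/2 \rfloor$ (step C3.1 is not spelled out on the page), and `hash192`, which stretches SHA-1 to 192 bits with two domain-separated calls and zeroes the top 8 bits; the page only says SHA1 with the top 8 bits forced to 0, so this code reproduces the point arithmetic and the round trip, not the listed hash values.

```python
import hashlib
import secrets

# System parameters (p, a, b, P, n) copied from the test data listed below.
LAMBDA, LAMBDA_PRIME = 192, 48                      # lambda' = lambda/4
p = int("fffffffffffffffffffffffffffffffeffffffffffffffff", 16)
a = int("fffffffffffffffffffffffffffffffefffffffffffffffc", 16)
b = int("02d5134233c1f7f4f50706f02882d85e767294c7230612c2", 16)
n = int("fffffffffffffffffffffffe75432f994b9b16ef54c39393", 16)
P = (int("df00000129200001db000001ffbe800169ea40011de3ec01", 16),
     int("46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881f", 16))
O = None                                            # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - x ** 3 - a * x - b) % p == 0

def add(p0, p1):
    """Steps A1-A9. For two points with different x-coordinates this is the
    pseudo-addition: the chord formula never uses a or b."""
    if p0 is O: return p1
    if p1 is O: return p0
    (x0, y0), (x1, y1) = p0, p1
    if x0 != x1:
        lam = (y0 - y1) * pow((x0 - x1) % p, -1, p) % p     # A3.1
    elif y0 != y1 or y0 == 0:
        return O                                            # A4, A5
    else:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p   # A6 (tangent)
    x2 = (lam * lam - x0 - x1) % p                          # A7
    return (x2, ((x1 - x2) * lam - y1) % p)                 # A8, A9

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % p)

def naf(k):
    """Steps C1-C4, returning s_0 .. s_l. The carry rule
    c_{j+1} = floor((k_j + k_{j+1} + c_j) / 2) is the standard one (assumed here)."""
    bits = [(k >> j) & 1 for j in range(k.bit_length() + 2)]   # k_l = k_{l+1} = 0
    digits, c = [], 0
    for j in range(len(bits) - 1):
        c_next = (bits[j] + bits[j + 1] + c) // 2
        digits.append(bits[j] + c - 2 * c_next)
        c = c_next
    return digits

def mul(k, pt):
    """Steps D1-D4 (left-to-right over the NAF); Q - P is computed as Q + (-P)."""
    q = O
    for s_j in reversed(naf(k)):
        q = add(q, q)
        if s_j:
            q = add(q, pt if s_j == 1 else neg(pt))
    return q

def hash192(data):
    """{0,1}^* -> {0,1}^192 with the top 8 bits forced to 0. The page gives SHA1
    but not how 160 bits become 192; two domain-separated SHA-1 calls are assumed."""
    h = hashlib.sha1(b"\x00" + data).digest() + hashlib.sha1(b"\x01" + data).digest()
    return int.from_bytes(h[:24], "big") & ((1 << (LAMBDA - 8)) - 1)

def enc24(v): return v.to_bytes(24, "big")          # 192-bit big-endian string

def keygen():
    d = secrets.randbelow(n - 2) + 2                    # 1 < d < n
    return d, mul(d, P)

def encrypt(Q_A, m):
    """Steps 2.2-2.7 with F = G = H = hash192; m has at most 144 bits."""
    m_prime = m << LAMBDA_PRIME                         # m' = m || 0^{lambda'}
    while True:
        k = secrets.randbelow(n - 2) + 2
        f = hash192(enc24(k))
        C1, Qp = mul(f, P), mul(f, Q_A)
        u = m_prime ^ f                                 # x-coordinate of the embedded point
        r = hash192(enc24(u)) ^ k                       # its y-coordinate
        if u >= p or r >= p or Qp[0] == u:              # u, r must be field elements (extra check)
            continue
        C2 = add(Qp, (u, r))                            # pseudo-addition; no curve needed
        if C2[0] not in (u, Qp[0]):
            return C1, C2

def decrypt(d_A, C):
    """Steps 3.1-3.6; returns the plaintext, or None on rejection."""
    C1, C2 = C
    Qp = mul(d_A, C1)                                   # 3.1
    if Qp is O or Qp[0] == C2[0]: return None
    M, r = add(C2, neg(Qp))                             # 3.2: (M, r) = C2 - Q'
    if M in (C2[0], Qp[0]): return None
    k = hash192(enc24(M)) ^ r                           # 3.3
    f = hash192(enc24(k))                               # 3.4
    m_prime = M ^ f                                     # 3.5
    if mul(f, P) != C1 or m_prime & ((1 << LAMBDA_PRIME) - 1):   # 3.6
        return None
    return m_prime >> LAMBDA_PRIME
```

`decrypt` returns `None` in every rejection case of steps 3.1, 3.2 and 3.6, so a ciphertext decrypted with the wrong key, or with $x(C_2)$ altered, is rejected rather than yielding garbage; this is the ciphertext legitimacy check the page relies on for IND-CCA2. The extra `u >= p or r >= p` test keeps the embedded point's coordinates inside $F_p$, a case the page leaves implicit.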
The algorithms above give the embodiment of the elliptic-curve cryptosystem described in the invention. Below is a set of test data obtained by running in this mode; all data are expressed in hexadecimal.
System parameters:
λ: 192
p: fffffffffffffffffffffffffffffffeffffffffffffffff
a: fffffffffffffffffffffffffffffffefffffffffffffffc
b: 02d5134233c1f7f4f50706f02882d85e767294c7230612c2
P.x: df00000129200001db000001ffbe800169ea40011de3ec01
P.y: 46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881f
n: fffffffffffffffffffffffe75432f994b9b16ef54c39393
d_A: 83cedad356f4f6cf573ff873b789add938df2ec7d5d2753b
Q_A.x: 1f18bcacb74087835ae629a87968f0d57adb39110ec1fd70
Q_A.y: 53b96505a207de2442510c7f01c80c4cffcdaf40099fa0a1
During encryption:
m: 00000000000000000313233343536373839
m': 00000000000000000313233343536373839000000000000
k: 9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f: 09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
C_1.x: 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
C_1.y: f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
fQ_A.x: fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
fQ_A.y: 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
m'⊕f: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
SHA1(m'⊕f)⊕k: 92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
C_2.x: 6edaa4c686f938464514b379720f10dd4ba8a353e1a9e6de
C_2.y: 2f47f3be8875cc0417fbfacf87993ea4893595ddf610b43
After decryption:
Q'.x: fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c
Q'.y: 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a
M: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6
r: 92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36
SHA1(M): 0475dd35cdf0845f4db2b702644a1cdbde621b3e3201f4b
k: 9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d
f = SHA1(k): 09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6
M⊕f (= m'): 00000000000000000313233343536373839000000000000
fP.x: 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db
fP.y: f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5
m: 00000000000000000313233343536373839
On a computer with an Intel Pentium IV 1.7 GHz microprocessor and 256 MB of memory, under the Windows 98 operating system, the system was implemented in the ANSI C programming language over a finite field of characteristic $p$ and one of characteristic 2, with $p = 2^{192} - 2^{64} - 1$, and $F_{2^m}$ with $m = 193$ and generator polynomial $f(x) = x^{193} + x^{15} + 1$. The implementation efficiency is shown in the following table:
Content | $F_p$ (*) | $F_p$ | $F_{2^m}$ (*) | $F_{2^m}$ |
Key generation | 1.21 | 5.43 | 0.67 | 2.48 |
Encryption | 6.70 | 10.95 | 3.29 | 5.43 |
ECES encryption | 6.76 | 10.53 | 3.20 | 5.26 |
Decryption | 6.50 | 11.57 | 3.12 | 5.42 |
Decryption (without verification) | 5.26 | 5.95 | 2.59 | 2.45 |
ECES decryption | 5.51 | 5.48 | 2.62 | 2.53 |
Scalar multiplication | 1.20 | 5.32 | 0.65 | 2.39 |
Every figure in the table is the time for 1000 executions, in seconds; the columns marked * allow precomputation.
If the $F_p$ operations are written in assembly language, a 192-bit point scalar multiplication takes 1.81 seconds (1000 times). The following table lists the times for 1000 executions for $p = 2^{256}$, in seconds:
Content | ANSI C | Assembly |
Key generation | 2.25 | 0.93 |
Encryption | 18.93 | 6.35 |
Decryption | 18.64 | 6.35 |
Decryption (without verification) | 16.2 | 5.43 |
The encryption/decryption efficiency on an MCS51 single-chip microcontroller is shown in the following table. The main memory configuration of the MCS51: 256 B internal RAM, 64 KB external RAM, 64 KB program ROM; clock frequency: 1M clock cycles/second (crystal frequency 12 MHz). The fields are $F_p$ with $p = 2^{192} - 2^{64} - 1$ and $F_{2^m}$ with $m = 193$ and generator polynomial $x^{193} + x^{15} + 1$.
Function | $F_p$ (seconds/operation) | $F_{2^m}$ (seconds/operation) |
Key generation | 4.89 | 4.34 |
Encryption | 25.32 | 20.84 |
ECES encryption | 25.19 | 20.74 |
Decryption (without verification) | 20.43 | 16.21 |
ECES decryption | 20.42 | 16.21 |
Decryption (with verification) | 25.33 | 20.10 |
Scalar multiplication (with precomputation) | 4.77 | 4.32 |
Scalar multiplication (without precomputation) | 19.96 | 16.4 |
Note: for $F_p$, external RAM usage is 1.5K, ROM usage 9K of program and 6K of precomputed values; for $F_{2^m}$, external RAM usage is 2K (with precomputation) / 1.2K (without precomputation), ROM usage 7K of program and 6K of precomputed values.
Below is a detailed proof that this encryption system is semantically secure under adaptive chosen-ciphertext attack.
1. Security definitions
Suppose $A$ is a probabilistic algorithm. Then $A(x_1, x_2, \ldots; r)$ denotes the output of algorithm $A$ on inputs $x_1, x_2, \ldots$ when the random coins are $r$; $y \leftarrow A(x_1, x_2, \ldots)$ denotes choosing $r$ at random and setting $y$ equal to $A(x_1, x_2, \ldots; r)$; if there exists $r$ such that $A(x_1, x_2, \ldots; r) = y$, then $y$ is called an output of $A(x_1, x_2, \ldots)$. If $S$ is a finite set, $x \leftarrow S$ denotes choosing $x$ from the set $S$ at random according to the uniform distribution; if $a$ is neither a set nor an algorithm, $x \leftarrow a$ denotes assigning the value $a$ to $x$.
Definition 1. A public-key encryption system is a triple of algorithms $PE = (KG, Enc, Dec)$, where
KG, the key generation algorithm, is a probabilistic algorithm whose input is the security parameter $1^\lambda$ ($\lambda \in N$) and whose output is a public/private key pair $(pk, sk)$;
Enc, the encryption algorithm, is a probabilistic algorithm whose input is a public key $pk$ and a plaintext $x \in \{0,1\}^*$ and whose output is a ciphertext $y$;
Dec, the decryption algorithm, is a deterministic algorithm whose input is a private key $sk$ and a ciphertext $y$ and whose output is a plaintext $x \in \{0,1\}^*$ or a special symbol indicating that the input ciphertext is not a valid ciphertext, i.e. that there is no $x \in \{0,1\}^*$ whose ciphertext is $y$.
For any key pair $(pk, sk)$ produced by the key generation algorithm and any plaintext $x \in \{0,1\}^*$, if $y$ is an output of $Enc_{pk}(x)$, then necessarily $Dec_{sk}(y) = x$. Since a public-key encryption system must guarantee the security of the information actually transmitted, the three algorithms KG, Enc and Dec are all polynomial-time algorithms in the security parameter.
The security of a public-key encryption system is defined by first considering separately the attacker's possible goals and possible attack models, and then combining attack models and goals to obtain the definitions of the various levels of security.
According to the attack goal, the security analysis of a system mainly considers one-wayness (OW), semantic security (SS), indistinguishability of encryptions (IND) and non-malleability (NM). Briefly, one-wayness means that it is very difficult to obtain the corresponding plaintext $x = Dec_{sk}(y)$ from a target ciphertext $y$; semantic security means that obtaining any information about the corresponding plaintext $x$ from the target ciphertext $y$ is computationally infeasible; indistinguishability of ciphertexts means that, given two plaintexts and the ciphertext of one of them, one cannot tell which plaintext the ciphertext corresponds to. Indistinguishability and semantic security can both be regarded as strengthenings of the notion of one-wayness, and all of them fall under the traditional requirement of confidentiality. One-wayness is the minimum requirement for the security of an encryption system: if a system is indistinguishable or semantically secure, it is necessarily one-way, so one-wayness is not discussed further here. Non-malleability means that it is difficult to obtain from a target ciphertext $y$ another ciphertext $y'$ such that the corresponding plaintexts $x$ and $x'$ have a "meaningful relation" (such as $x' = x + 1$); it generalizes the practical idea of tamper resistance of ciphertexts.
The attack model describes the capabilities of the attacker and is divided into chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1) and adaptive chosen-ciphertext attack (CCA2). CPA gives the attacker the right to freely choose plaintexts and obtain the corresponding ciphertexts; for a public-key encryption system, an attacker who knows the public key already has the ability to mount a chosen-plaintext attack. The formal definition of CCA1 was given by Naor and Yung: besides knowing the public key, the attacker may also access a decryption oracle (an external device implementing the decryption algorithm), but only before obtaining the target ciphertext (non-adaptive means that the decryption-oracle queries do not depend on the target ciphertext); because of this property, the non-adaptive chosen-ciphertext attack is also called a midnight attack or lunchtime attack (lunch-break attack). CCA2 was proposed by Rackoff and Simon: the attacker knows the public key and may access the decryption oracle without restriction, even after obtaining the target ciphertext, except that it may not submit the target ciphertext itself to the decryption oracle (adaptive means that the decryption-oracle queries may depend on the target ciphertext).
Combining the above attack goals and attack models gives the definitions of the various levels of security. Only the formal definition of indistinguishability is given below; it includes the highest level of security, IND-CCA2, i.e. semantic security under adaptive chosen-ciphertext attack.
Since the attacker $U$ has different inputs in different phases, it can be regarded as a pair of probabilistic algorithms $(U_1, U_2)$ whose roles depend on the attacker's goal. In the definition of indistinguishability of ciphertexts, the algorithm $U_1$ takes $pk$ as input and outputs $(x_0, x_1, s)$, where the first two are plaintexts of equal length and $s$ is information the attacker wants to keep; one of $x_0$, $x_1$ is chosen at random and denoted $x_b$, the challenge ciphertext $y$ is a ciphertext of $x_b$, and the algorithm $U_2$ takes $(x_0, x_1, s)$ and the challenge ciphertext $y$ as input and tries to output the correct $b$.
Definition 2 (IND-CPA, IND-CCA1, IND-CCA2). Let $PE = (KG, Enc, Dec)$ be a public-key encryption system, $A = (A_1, A_2)$ an attacker and $H(\cdot)$ a random oracle. For any $atk \in \{cpa, cca1, cca2\}$, any $\lambda \in N$ and $b \in \{0,1\}$, define the experiment $Exp^{ind\text{-}atk\text{-}b}_{PE,A}(\lambda)$ as:
$(pk, sk) \leftarrow KG(1^\lambda)$; $(x_0, x_1, s) \leftarrow A_1^{O_1(\cdot)}(pk)$; $y \leftarrow Enc_{pk}(x_b)$; $d \leftarrow A_2^{O_2(\cdot)}(x_0, x_1, s, y)$; return $d$.
Here, if $atk = cpa$, then $O_1(\cdot)$ and $O_2(\cdot)$ are both empty; if $atk = cca1$, then $O_1(\cdot) = Dec_{sk}(\cdot)$ and $O_2(\cdot)$ is empty; if $atk = cca2$, then $O_1(\cdot) = Dec_{sk}(\cdot)$ and $O_2(\cdot) = Dec_{sk}(\cdot)$. It is also required that $|x_0| = |x_1|$ and that the algorithm $A_2$ may not use the decryption oracle to obtain the plaintext of $y$. If for every polynomial-time attacker $A$ the advantage $|\Pr[Exp^{ind\text{-}atk\text{-}1}_{PE,A}(\lambda) = 1] - \Pr[Exp^{ind\text{-}atk\text{-}0}_{PE,A}(\lambda) = 1]|$ is a negligible function of $\lambda$, then the public-key encryption system $PE$ is said to be secure in the IND-atk sense.
2. Security analysis
Regarding the system itself: since the operations of the present invention are based on different elliptic-curve groups, and "+" is in general not associative (for example, for the three points $P = (1, 2)$, $Q = (2, 3)$, $R = (3, 1)$ of the affine plane $R^2$, the pseudo-addition formula gives $(P + Q) + R = (-2, 1) + (3, 1) = (-1, -1)$, while $P + (Q + R) = (1, 2) + (-1, -9) = (121/4, -1303/8)$), obtaining the ciphertext of $R(m)$ from the ciphertext of $m$, where $R$ is a non-trivial relation, is very difficult; that is, intuitively the system is non-malleable. This is the most obvious difference from the ElGamal system and one reason for the improved security. The use of hash functions further strengthens the security of the system. This section proves that the system is IND-CCA2 secure. For brevity the encryption system is denoted $\Pi$ below.
Theorem 1. Under the assumption that ECCDHP is hard, $\Pi$ is IND-CCA2 secure.
Proof. Suppose $\Pi$ has an attacker $A = (A_1, A_2)$ in the IND-CCA2 sense. $A$ queries the random oracles $G(\cdot)$, $H(\cdot)$ and $F(\cdot)$; the corresponding records are called the G-table, H-table and F-table, denoted $\tau_G = \{(g_i, G_i)\}$, $\tau_H = \{(h_i, H_i)\}$, $\tau_F = \{(f_i, F_i)\}$, with lengths (numbers of queries) $q_G$, $q_H$, $q_F$ respectively. An algorithm $B$ solving ECCDHP can then be constructed as follows. The input of $B$ is $P$, $Q = aP$, $Y = bP$, and its goal is to compute $R = abP$.
$B$ runs $A_1$ with $(P, Q)$ as input. Since $A_1$ may query the random oracles and the decryption oracle, $B$ must simulate the random oracles and the decryption oracle. If $A_1$ queries the random oracle $G(\cdot)$ on $g$: if $g$ is in the record, $B$ replies with the recorded output value; otherwise $B$ chooses a random number from the range as the reply to $A_1$ and adds $g$ together with this random number to the record as an input/output pair. $B$ simulates the random oracles $H(\cdot)$ and $F(\cdot)$ in the same way as $G(\cdot)$. If $A_1$ queries the decryption oracle on $y = (C_1, C_2)$: if there are $(g_i, G_i)$, $(f_l, F_l)$, $(h_j, H_j)$ in the G-table, F-table and H-table respectively satisfying $f_l = g_i$, $F_l P = C_1$ and $C_2 = F_l Q + (h_j, H_j \oplus f_l)$, compute $M = h_j \oplus G_i$; if the low $\lambda'$ bits of $M$ are 0, output the high $\lambda - \lambda'$ bits of $M$ as the plaintext; in all other cases output the empty string. When $A_1$ terminates, let its output be $(m_0, m_1, s)$.
$B$ chooses $C_2^* \in \{0,1\}^{2\lambda}$ at random, sets $y^* = (C_1^* = Y, C_2^*)$, and runs $A_2$ with $(m_0, m_1, s, y^*)$ as input, simulating the decryption oracle and the random oracles exactly as before.
After $A$ terminates, $B$ chooses $(h, H)$ from the H-table at random; if there exists $t$ such that $R = C_2^* - (h, t) \in E$, $B$ outputs $R$; otherwise it chooses another $(h, H)$ from the H-table. If no entry of the H-table satisfies the above relation, $B$ outputs a random point of $E$ as $R$.
Below write $F^* = \log_P Y$, $(s^*, t^*) = C_2^* - F^* Q$, $h^* = s^*$, $k^* = t^* \oplus H(h^*)$. Using the equation of $E$ and the pseudo-addition formula, $C_2^* - (h, t) \in E$ is a sextic equation in $t$ and has at most six solutions. Let AskH denote the event that $A$ queries $H(\cdot)$ on $h^*$; the probability that $B$ outputs the correct ECDH solution is then bounded below in terms of $\Pr[\mathrm{AskH}]$.
To guarantee that $A$ is run correctly, $B$ must first simulate the decryption oracle correctly, and second ensure that the target ciphertext $y^*$ is legitimate. Let Bad denote the event that a decryption-oracle reply is wrong or $y^*$ is not a legitimate ciphertext. Suppose the success probability of $A$ is $(1 + \varepsilon)/2$. If $B$ runs $A$ correctly, then since $y^*$ is completely independent of $m_0$, $m_1$, the probability that $A$ outputs the correct result is $1/2$, so
$$(1 + \varepsilon)/2 \le \tfrac{1}{2}\,(1 - \Pr[\mathrm{Bad}]) + \Pr[\mathrm{Bad}],$$
which gives $\Pr[\mathrm{Bad}] \ge \varepsilon$. Obviously
$$\Pr[\mathrm{AskH}] \ge \Pr[\mathrm{AskH} \wedge \mathrm{Bad}] = \Pr[\mathrm{Bad}] - \Pr[\mathrm{Bad} \wedge \neg\mathrm{AskH}] \ge \varepsilon - \Pr[\mathrm{Bad} \mid \neg\mathrm{AskH}].$$
Given that $h^*$ has not been queried to $H(\cdot)$, Bad can only occur if $A$ has queried $G(\cdot)$ or $F(\cdot)$ on $k^*$ (event AskK) or a decryption query has been answered wrongly (event DBad), i.e.
$$ \Pr[\text{Bad} \mid \neg\text{AskH}] \le \Pr[\text{AskK} \mid \neg\text{AskH}] + \Pr[\text{DBad} \mid \neg\text{AskH} \wedge \neg\text{AskK}]. $$
If $h^*$ has not been queried, $H(h^*)$ is uniformly random, so $k^* = t^* \oplus H(h^*)$ is uniformly random, and the probability that $k^*$ has been queried is at most $(q_G + q_F)/2^{\lambda}$, where $q_G$ and $q_F$ are the numbers of queries $A$ makes to $G(\cdot)$ and $F(\cdot)$.
The rest of the discussion assumes that neither $k^*$ nor $h^*$ has been queried.
Suppose $A$ submits $y = (C_1, C_2)$ to the decryption oracle. Write $F = \log_P C_1$, $(s, t) = C_2 - FQ$, $k = H(s) \oplus t$, $h = s$, and $\Pr'[\cdot] = \Pr[\cdot \mid \neg\text{AskH} \wedge \neg\text{AskK}]$.

If both $h$ and $k$ have been queried, the output is necessarily correct. If $h$ has been queried but $k$ has not been queried to $G(\cdot)$ or $F(\cdot)$, the output is the empty string; if that answer is wrong, $y$ must be a legal ciphertext. We distinguish cases. Since $h$ has been queried, $k$ is fixed, while $k^*$ is random, so $\Pr[k = k^*] \le 2^{-\lambda}$; given $k = k^*$, $y$ is legal with probability at most 1, so the case $k = k^*$ contributes at most $2^{-\lambda}$ to the simulator's error probability. If $k \ne k^*$ and $k$ has not been queried to $G(\cdot)$, then $y$ being legal requires the low $\lambda'$ bits of $s \oplus G(k)$ to be zero; since $G(k)$ is random, the probability that $y$ is legal is at most $2^{-\lambda'}$. If $k \ne k^*$ and $k$ has not been queried to $F(\cdot)$, then $y$ being legal requires $F(k) = \log_P C_1$; since $F(k)$ is random, the probability that $y$ is legal is at most $2^{-\lambda}$.

If $h$ has not been queried, the output is the empty string, and if that answer is wrong $y$ must be legal, i.e. $F(k) = \log_P C_1$ and the low $\lambda'$ bits of $s \oplus G(k)$ are zero. If $h = h^*$, then $h^*$ has not been queried either, so $H(h)$ is uniformly random; if $h \ne h^*$, then since $h$ has not been queried, $H(h)$ is again uniformly random. So whenever $h$ has not been queried, $H(h)$ is uniformly random, hence $k = t \oplus H(h)$ is uniformly random; then $F(k) = \log_P C_1$ holds with probability at most $2^{-\lambda}$, and the low $\lambda'$ bits of $s \oplus G(k)$ are zero with probability at most $2^{-\lambda'}$. Thus, when $h$ has not been queried, the simulator answers wrongly with probability at most $2^{-\lambda}$.
Combining the above analysis over the $q_D$ decryption queries,
$$ \Pr[\text{DBad} \mid \neg\text{AskK} \wedge \neg\text{AskH}] \le \frac{3 q_D}{2^{\lambda}} + \frac{q_D}{2^{\lambda'}}. $$
Substituting this and the bound on $\Pr[\text{AskK} \mid \neg\text{AskH}]$ into the lower bound on $\Pr[\text{AskH}]$ gives a lower bound $\varepsilon'$ on the probability that $B$ outputs the correct ECDH solution.
From that bound it is clear that if $\varepsilon$ is non-negligible, then $\varepsilon'$ must be non-negligible. If the running time of $A$ is $t$, the running time of $B$ is $t' = t + q_H t_f$, where $t_f$ is the time needed to solve a sextic equation over $F_p$ (the cost of simulating the $q_D$ decryption queries, each a search over the tables with a few scalar multiplications, is polynomial as well). So if $A$ runs in polynomial time, then $B$ necessarily runs in polynomial time too. Hence, if $\Pi$ is not IND-CCA2 secure, then ECCDHP can be solved, which is a contradiction; therefore, under the assumption that ECCDHP is hard, $\Pi$ is IND-CCA2 secure.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the present invention may still be modified or equivalently substituted, and all technical solutions and improvements that do not depart from the spirit and scope of the present invention shall be covered by the scope of the claims of the present invention.