CN1610291A

CN1610291A - Data Encryption and Decryption Methods

Info

Publication number: CN1610291A
Application number: CN 200410091563
Authority: CN
Inventors: 李启明; 韩若频; 黄振海
Original assignee: Minghuaauhan Science & Technology Co Ltd Shenzhen City; China Iwncomm Co Ltd
Current assignee: Xinminghua Blockchain Technology Shenzhen Co ltd
Priority date: 2004-11-19
Filing date: 2004-11-19
Publication date: 2005-04-27
Anticipated expiration: 2024-11-19
Also published as: CN100411334C

Abstract

The data enciphering and deciphering method includes pseudo-enciphering data to be transmitted in pseudo-enciphering method in the transmitting side and deciphering the received data in the method corresponding to the pseudo-enciphering method in the receiving side. The present invention, unlike traditional elliptic curve cipher system, adopts pseudo-enciphering method to obtain new plain text embedding method and one enciphering system with semanteme safety under the adaptive selective cipher text attack. The present invention provides one very clear plain text embedding mode and can verify the legality of cipher text to provide even high data safety.

Description

Data Encryption and Decryption Methods

技术领域technical field

本发明涉及一种数据加密及解密的方法，特别涉及一种在具有新的明文嵌入方式的椭圆曲线群上，适应性选择密文攻击下语义安全的加密和相应的解密方法，属于计算机及通信安全技术领域。The invention relates to a data encryption and decryption method, in particular to a semantically secure encryption and corresponding decryption method under an adaptive selected ciphertext attack on an elliptic curve group with a new plaintext embedding method, belonging to computers and communications field of security technology.

背景技术Background technique

自从1976年迪菲(Diffie)和赫尔曼(Hellman)提出公钥加密体制的思想后，密码学家和数学家为了该思想的具体实现已经研究了近三十年，但到目前为止，安全有效的公钥加密体制仍是非常有限的，依据其基于的难题，大致可以将其分为三类：基于对大数分解难题的加密体制、基于有限域离散对数问题的加密体制和基于椭圆曲线离散对数问题的加密体制。其中，由于还没有找到解决椭圆曲线离散对数问题的次(亚)指数时间算法，所以基于椭圆曲线离散对数问题的加密体制具有前两类加密体制无法比拟的优点，例如：在相同的安全强度下，系统参数和密钥的尺寸较短(如160bits的椭圆曲线公钥密码(Elliptic Curve Cryptography，简称ECC)和1024bits的RSA具有相当的安全强度)，选择余地较大等。Since Diffie and Hellman proposed the idea of public key encryption system in 1976, cryptographers and mathematicians have been researching for the concrete realization of this idea for nearly thirty years, but so far, the security Effective public-key encryption systems are still very limited. According to the problems they are based on, they can be roughly divided into three categories: encryption systems based on the decomposition of large numbers, encryption systems based on finite field discrete logarithm problems, and ellipse-based encryption systems. Encryption schemes for the curved discrete logarithm problem. Among them, since no sub(sub)exponential time algorithm has been found to solve the discrete logarithm problem of elliptic curves, the encryption system based on the discrete logarithm problem of elliptic curves has the incomparable advantages of the former two types of encryption systems, for example: in the same security In terms of strength, the size of system parameters and keys is relatively short (for example, 160bits of Elliptic Curve Cryptography (ECC) and 1024bits of RSA have considerable security strength), and there are more choices.

椭圆曲线公钥密码是于1985年由V.Miller和N.Koblitz各自独立提出的，随后提出的椭圆曲线密码体制几乎都是将已有的基于有限域上离散对数问题的密码体制平移到椭圆曲线群上而得到。美国电子电气工程师协会标准IEEE P1363中提到的椭圆曲线加密体制ECES(Elliptic CurveEncryption Scheme)，来源于ElGamal体制，由于它的加密算法具有扩展性，故它不是适应性选择密文攻击下不可区分的(Indistinguishabilityunder adaptive chosen-ciphertext attack，IND-CCA2)，而是选择明文攻击下不可区分的(Indistinguishability under chosen-plaintextattack，IND-CPA)；2000年，M.Abdalla等人提出了在标准模型下安全的加密体制DHIES(基于迪菲-赫尔曼问题的加密体制)，由于其效率和ElGamal相当，而安全级别较高，故被一些标准所采用，如ANSI X9.63(ANSI是美国国家标准化组织American National Standards Institute的简称)和SECG(The Standards for Efficient Cryptography Group，椭圆密码组标准)。将DHIES应用于椭圆曲线群便获得椭圆曲线集成加密体制ECIES(Elliptic Curve Integrated Encryption System)，它是美国Certicom公司向欧洲负责关于签名、完整性和加密新方案的组织NESSIE(New European schemes for Signatures，Integrity and Encryption)提交的椭圆曲线混合加密体制，目前其安全性的结论是在一般群模型中，如果对称加密体制是选择明文攻击下语意安全的，而且Hash函数是理想的，则ECIES体制是IND-CCA2安全的，但由于椭圆曲线群具有特殊的性质，而一般群谕示忽略了该特点，故这仅能被看作是理论上的结论。日本电报电话公共公司NTT(Nippon Telegraph and Telephone Public Corporation)实验室构造了一系列可证安全的椭圆曲线加密体制：PSEC-1(PSEC的变种1，PSEC为可证明安全的椭圆曲线加密体制，是Provably Secure EllipticCurve encryption scheme的简写)、PSEC-2(PSEC的变种2)和PSEC-3(PSEC的变种3)，在随机谕示模型下如果椭圆曲线判定迪菲-赫尔曼问题ECDDHP(Elliptic Curve Decision Diffie-Hellman Problem)难解，则PSEC-1是IND-CCA2安全的；如果椭圆曲线计算迪菲-赫尔曼问题(ECCDHP)难解，则带有填充的PSEC-2是IND-CCA2安全的；如果ECCDHP难解且对称加密体制是被动攻击下安全的，则带有对称加密体制的PSEC-2是IND-CCA2安全的；如果椭圆曲线Gap迪菲-赫尔曼问题(ECGDHP)是难解的，则PSEC-3是IND-CCA2安全的。它们均被提交给NESSIE，但由于NTT公司随后基于PSEC提出了一种密钥封装机制--PSEC-KEM(PSEC Key EncapsulationMechanism)，故将PSEC-1和PSEC-2撤回。Elliptic curve public key cryptography was independently proposed by V.Miller and N.Koblitz in 1985, and the subsequent elliptic curve cryptosystems almost all translated the existing cryptosystems based on the discrete logarithm problem on finite fields to elliptic obtained from the curve group. The Elliptic Curve Encryption Scheme ECES (Elliptic Curve Encryption Scheme) mentioned in the standard IEEE P1363 of the American Institute of Electrical and Electronics Engineers is derived from the ElGamal system. Because its encryption algorithm is scalable, it is not indistinguishable under adaptive chosen ciphertext attacks. (Indistinguishability under adaptive chosen-ciphertext attack, IND-CCA2), but indistinguishable under plaintext attack (Indistinguishability under chosen-plaintext attack, IND-CPA); in 2000, M.Abdalla et al. proposed a secure The encryption system DHIES (encryption system based on the Diffie-Hellman problem), because its efficiency is equivalent to ElGamal, and the security level is high, it is adopted by some standards, such as ANSI X9.63 (ANSI is the American National Standardization Organization American The abbreviation of National Standards Institute) and SECG (The Standards for Efficient Cryptography Group, elliptic cipher group standard). Apply DHIES to the elliptic curve group to obtain the elliptic curve integrated encryption system ECIES (Elliptic Curve Integrated Encryption System), which is the organization NESSIE (New European schemes for Signatures, New European schemes for Signatures, Integrity and Encryption) the elliptic curve hybrid encryption system, the current security conclusion is that in the general group model, if the symmetric encryption system is semantically secure under the chosen plaintext attack, and the Hash function is ideal, then the ECIES system is IND -CCA2 is safe, but since the elliptic curve group has a special property, which is ignored by the general group oracle, this can only be regarded as a theoretical conclusion. NTT (Nippon Telegraph and Telephone Public Corporation) laboratory constructed a series of provably secure elliptic curve encryption systems: PSEC-1 (Variation 1 of PSEC, PSEC is a provably secure elliptic curve encryption system, is Shorthand for Provably Secure EllipticCurve encryption scheme), PSEC-2 (PSEC variant 2) and PSEC-3 (PSEC variant 3), if the elliptic curve determines the Diffie-Hellman problem ECDDHP (Elliptic Curve Decision Diffie-Hellman Problem) is difficult to solve, then PSEC-1 is IND-CCA2 safe; if the elliptic curve calculation Diffie-Hellman problem (ECCDHP) is difficult to solve, then PSEC-2 with filling is IND-CCA2 safe ; if ECCDHP is intractable and the symmetric encryption system is secure under passive attack, then PSEC-2 with symmetric encryption system is IND-CCA2 secure; if the elliptic curve Gap Diffie-Hellman problem (ECGDHP) is difficult Solution, then PSEC-3 is IND-CCA2 safe. They were all submitted to NESSIE, but because NTT subsequently proposed a key encapsulation mechanism based on PSEC - PSEC-KEM (PSEC Key Encapsulation Mechanism), PSEC-1 and PSEC-2 were withdrawn.

上述的ECIES体制、PSEC-2和PSEC-3均是混合加密体制，即体制中包括有对称加密体制，其密文尺寸分别是明文尺寸的三倍、三倍和四倍(假设对称加密体制的明文尺寸和密文尺寸相当，杂凑函数(Hash函数)的输出尺寸和安全参数相当，并采用了椭圆曲线点的压缩技术)；虽然PSEC-1不需要对称加密体制，但其安全性基于ECDDHP难解这一前提，如果ECCDHP可解，则ECDDHP必可解，故该前提不比ECCDHP难解强，基于ECDDHP难解下的安全性不比基于ECCDHP难解下的安全性高。The above-mentioned ECIES system, PSEC-2 and PSEC-3 are all mixed encryption systems, that is, the system includes a symmetric encryption system, and its ciphertext size is three times, three times and four times the plaintext size respectively (assuming the symmetric encryption system The size of the plaintext is equivalent to the size of the ciphertext, and the output size of the hash function (Hash function) is equivalent to the security parameters, and the compression technology of elliptic curve points is used); although PSEC-1 does not require a symmetric encryption system, its security is based on the ECDDHP difficulty To solve this premise, if ECCDHP is solvable, then ECDDHP must be solvable, so this premise is not stronger than ECCDHP, and the security based on ECDDHP is not higher than that based on ECCDHP.

发明内容Contents of the invention

本发明的一个目的是提供一种数据加密的方法，基于伪加运算的具有新的明文嵌入方式，适应性地选择密文下语义安全的椭圆曲线。An object of the present invention is to provide a data encryption method, which has a new plaintext embedding method based on a pseudo-add operation, and adaptively selects a semantically secure elliptic curve under ciphertext.

本发明的另一个目的是提供一种数据解密的方法，具体是对于采用上述加密方法获得的加密数据进行解密，获得加密前的原始数据。Another object of the present invention is to provide a data decryption method, specifically to decrypt the encrypted data obtained by the above encryption method to obtain the original data before encryption.

当发送方向接收方发送数据时，对所要发送的数据依照伪加加密的方法进行加密处理：When the sender sends data to the receiver, the data to be sent is encrypted according to the pseudo-encryption method:

首先，随机选取一个整数k，且该整数k满足：1＜k＜n；First, randomly select an integer k, and the integer k satisfies: 1<k<n;

然后，计算F(k)，F(k)P，F(k)Q_A；其中：F(k)为k的Hash函数值，F(k)P为椭圆曲线点P的F(k)倍点，F(k)Q_A椭圆曲线点Q_A的F(k)倍点；F(k)为小于n的正整数，F(k)P和F(k)Q_A均为椭圆曲线上的点；Then, calculate F(k), F(k)P, F(k)Q _A ; where: F(k) is the Hash function value of k, and F(k)P is F(k) times of the elliptic curve point P point, F(k) Q _A point F(k) times of elliptic curve point Q _A ; F(k) is a positive integer less than n, F(k)P and F(k)Q _A are both on the elliptic curve point;

再进一步依照如下公式对被加密数据进行处理：Then further process the encrypted data according to the following formula:

m’＝m||0^λ’，其中，m为被加密的数据，m’是加密过程中形成的中间数据，λ′为所要添加的0的数量；λ′可以采用多种方式获得，例如：取安全参数的三分之一等；这里的安全参数是指该密码算法自身安全的程度的数量刻画，例如：192比特就是一个比1024比特的RSA更安全的安全参数；m'=m||0 ^λ' , where m is the encrypted data, m' is the intermediate data formed during the encryption process, and λ' is the number of zeros to be added; λ' can be obtained in various ways, for example : Take one-third of the security parameter, etc.; the security parameter here refers to the quantitative description of the degree of security of the cryptographic algorithm itself, for example: 192 bits is a security parameter that is more secure than 1024-bit RSA;

再计算G(k)；如果x(F(k)Q_A)＝m′G(k)，则重新选取整数k，重复上述的步骤；否则开始计算密文的步骤；其中：G(k)为k的Hash函数值；x(F(k)Q_A)为椭圆曲线点F(k)Q_A的x坐标值；Calculate G(k) again; if x(F(k)Q _A )=m'G(k), then re-select the integer k, repeat the above steps; otherwise start the step of calculating the ciphertext; wherein: G(k ) is the Hash function value of k; x(F(k)Q _A ) is the x coordinate value of the elliptic curve point F(k)Q _A ;

最后，依照如下公式计算密文C：Finally, the ciphertext C is calculated according to the following formula:

C＝(C₁，C₂)＝(F(k)P，F(k)Q_A+(m′G(k)，H(m′G(k))k))；C=(C ₁ , C ₂ )=(F(k)P, F(k)Q _A +(m'G(k), H(m'G(k))k));

其中，密文C具有二个元素C₁和C₂；C₁＝F(k)P；C₂＝F(k)Q_A+F(k)Q_A+(m′G(k)，H(m′G(k))k)；H(m′G(k))为m′G(k)的Hash函数值；Among them, the ciphertext C has two elements C ₁ and C ₂ ; C ₁ =F(k)P; C ₂ =F(k)Q _A +F(k)Q _A +(m′G(k), H(m'G(k))k);H(m'G(k)) is the Hash function value of m'G(k);

如果C₂的x坐标属于集合{m′G(k)，x(F(k)Q_A)}，则重新选取整数k，重复上述的步骤；否则输出密文C。If the x-coordinate of C ₂ belongs to the set {m′G(k), x(F(k)Q _A )}, reselect the integer k and repeat the above steps; otherwise, output the ciphertext C.

为了使接收加密数据的一方在接收到采用上述加密放法进行加密的数据以后，能够对加密数据进行还原，本发明还提供相应的解密方法，对于所述的密文C，具体的解密步骤如下：In order to enable the party receiving the encrypted data to restore the encrypted data after receiving the data encrypted by the above encryption method, the present invention also provides a corresponding decryption method. For the ciphertext C, the specific decryption steps are as follows :

首先，计算Q′＝d_AC₁，如果x(Q′)＝x(C₂)，则拒绝接收密文数据；其中，Q′是椭圆曲线点，d_A是解密方的私钥数据，x(Q′)、x(C₂)分别为Q′和C₂的x坐标；First, calculate Q'=d _A C ₁ , if x(Q')=x(C ₂ ), refuse to receive the ciphertext data; where, Q' is the elliptic curve point, d _A is the private key data of the decryption party, x(Q′), x(C ₂ ) are the x coordinates of Q′ and C ₂ respectively;

再计算(M，r)＝C₂-Q′，如果M＝x(C₂)或x(Q′)，则拒绝接收密文数据；其中，M、r分别是仿射平面上一个点的x坐标和y坐标；Then calculate (M, r)=C ₂ -Q′, if M=x(C ₂ ) or x(Q′), then refuse to receive the ciphertext data; where, M and r are respectively the values of a point on the affine plane x-coordinate and y-coordinate;

进一步计算f＝H(M)r；其中，H(M)是M的Hash函数值；如果F(f)P＝C₁，且M的后λ′比特值为0，则接收的明文m为M的前λ-λ′比特；否则拒绝接收；其中，F(f)P为椭圆曲线点P的F(f)倍点；λ′为加密过程中所添加的0的数量；λ为安全参数，该参数基本上可以看作是上述M的长度。Further calculate f=H(M)r; wherein, H(M) is the Hash function value of M; if F(f)P=C ₁ , and the value of M's back λ' bit is 0, then the received plaintext m is the first λ-λ'bit of M; otherwise, it refuses to receive; among them, F(f)P is the F(f) times point of the elliptic curve point P; λ' is the number of 0s added in the encryption process; λ is the security parameter, which can basically be regarded as the length of the above M.

本发明充分利用了伪加的特点，得到了一个具有新的明文嵌入方法，并得到在适应性选择密文攻击下语义安全的加密体制，该特点也是其与传统椭圆曲线密码体制最大的区别。本发明给出了一种非常简洁的明文嵌入方式，并可以在解密时验证密文的合法性，以此提供了更高级别的数据安全性。本发明对于数据的加密和解密相比于现有的基于椭圆曲线的加密、解密处理在适应性选择密文攻击下，其语义更加安全。The present invention makes full use of the feature of pseudo-encryption, obtains a new plaintext embedding method, and obtains a semantically safe encryption system under adaptive chosen ciphertext attack, which is also the biggest difference between it and the traditional elliptic curve cryptosystem. The invention provides a very concise plaintext embedding method, and can verify the legitimacy of the ciphertext during decryption, thereby providing a higher level of data security. Compared with the existing encryption and decryption processing based on the elliptic curve, the encryption and decryption of data in the present invention has more secure semantics under the attack of adaptively chosen ciphertext.

具体实施方式Detailed ways

以下结合具体的实施例对本发明作进一步的详细说明：Below in conjunction with specific embodiment the present invention is described in further detail:

在给出具体加密方案之前，首先对伪加运算给出描述：仿射平面F_P ²上，x坐标不同的两个点可以唯一地确定该平面上的维尔斯特拉斯(Weierstrass)方程Y²＝X³+a₄X+a₆，其中X，Y是变量，a₄、a₆是域F_p中的元素，p是一个大素数。如果其所确定的三次曲线是椭圆曲线的话，则它们的加法点的坐标完全由它们自身所决定。Before giving the specific encryption scheme, first give a description of the pseudo-add operation: on the affine plane F _P ² , two points with different x coordinates can uniquely determine the Weierstrass equation Y on the plane ² =X ³ +a ₄ X+a ₆ , where X and Y are variables, a ₄ and a ₆ are elements in the field F _p , and p is a large prime number. If the cubic curves they determine are elliptic curves, the coordinates of their addition points are completely determined by themselves.

本发明利用该性质，定义了一种新的运算：伪加。The present invention utilizes this property to define a new operation: pseudo-addition.

设P₁＝(x₁，y₁)，P₂＝(x₂，y₂)是仿射平面F_P ²上两个点，而且x₁≠x₂，如下定义伪加运算：Suppose P ₁ =(x ₁ , y ₁ ), P ₂ =(x ₂ , y ₂ ) are two points on the affine plane F _P ² , and x ₁ ≠x ₂ , the pseudo-add operation is defined as follows:

1、P₁+P₂＝P₃＝(x₃，y₃)其中x₃，y₃满足下式：1. P ₁ +P ₂ =P ₃ =(x ₃ , y ₃ ) where x ₃ and y ₃ satisfy the following formula:

${x x}_{33} = = {((\frac{{y the y}_{22} - - {y the y}_{11}}{{x x}_{22} - - {x x}_{11}}))}^{22} - - {x x}_{11} - - {x x}_{22},, {y the y}_{33} = = \frac{{y the y}_{22} - - {y the y}_{11}}{{x x}_{22} - - {x x}_{11}} (({x x}_{11} - - {x x}_{33})) - - {y the y}_{11}$

2、-P₁＝(x₁，-y₁)2. -P ₁ = (x ₁ , -y ₁ )

3、P₁-P₂＝P₁+(-P₂)3. P ₁ -P ₂ =P ₁ +(-P ₂ )

设P，Q是仿射平面F_P ²上的两个点，而且x坐标不相同，则P和Q唯一确定一条仿射曲线E(P，Q)：Y²＝X³+aX+b，使得P，Q是该仿射曲线上的点，其中a，b为域F_p的元素，由x坐标不同的点P和Q唯一确定，F_P是p个元素的有限域，p是一个素数，而P是一个点，它的两个坐标是F_P中的元素。在此，对于曲线E(P，Q)上的所有非奇异点补充定义倍点运算，该运算公式与椭圆曲线的倍点运算公式完全相同：Suppose P and Q are two points on the affine plane F _P ² , and the x coordinates are different, then P and Q uniquely determine an affine curve E(P, Q): Y ² =X ³ +aX+b, Let P, Q be the points on the affine curve, where a, b are elements of the field F _p , which are uniquely determined by points P and Q with different x coordinates, F _P is a finite field of p elements, and p is a prime number , and P is a point whose two coordinates are elements in F _P . Here, for all non-singular points on the curve E(P, Q), the point-multiplication operation is supplemented and defined, and the operation formula is exactly the same as the point-multiplication formula of the elliptic curve:

设曲线E(P，Q)：Y²＝X³+aX+b，P₁＝(x₁，y₁)是该曲线上的非奇异点，则2P＝(x₃，y₃)，其中：Suppose the curve E(P, Q): Y ² =X ³ +aX+b, P ₁ =(x ₁ ,y ₁ ) is a non-singular point on the curve, then 2P=(x ₃ ,y ₃ ), where :

x₃＝λ²-2x₁ x ₃ =λ ² -2x ₁

y₃＝λ(x₁-x₃)-y₁ y ₃ =λ(x ₁ -x ₃ )-y ₁

$λ λ = = \frac{{33 x x}_{11}^{22} + + a a}{22 {y the y}_{11}}$

如果4a³+27b²≠0modp，则该曲线是椭圆曲线，如上定义的伪加运算“+”即为椭圆曲线点的加法，椭圆曲线上的所有有理点在“+”运算和倍点运算下构成群，无穷远点0是其零点，“-”是“+”的逆运算；若4a³+27b²＝0modp，则该曲线是奇异的，而且仅有一个奇异点，其上的所有非奇异点在“+”运算和倍点运算下也构成一个群，无穷远点0是其零点，“-”是“+”的逆运算。If 4a ³ +27b ² ≠0modp, then the curve is an elliptic curve. The pseudo addition operation "+" defined above is the addition of points on the elliptic curve. All rational points on the elliptic curve are under the "+" operation and point doubling operation form a group, the infinite point 0 is its zero point, and "-" is the inverse operation of "+"; if 4a ³ +27b ² =0modp, then the curve is singular, and there is only one singular point, all non- The singular point also forms a group under the "+" operation and the doubling operation, and the infinite point 0 is its zero point, and "-" is the inverse operation of "+".

由运算性质可知：当且仅当P，Q全为E(P，Q)上的非奇异点，且R(＝P+Q)，P、Q的x坐标两两不同时，可在不知道P，Q所确定的曲线E(PQ的具体方程的情况下，由R(＝P+Q)和P求得Q(＝R-P)。注意到R，P，Q的x坐标两两不同蕴含了P，Q全为非奇异点，所以P，Q全为非奇异点的概率至少为1-6/(p-1)，其中p是一个大素数。也就是说：两个x坐标不相同的点P，Q，记R＝P+Q，在1-6/(p-1)概率下可由其中的任意两点计算出另一点。本发明充分利用了这个特点，得到了一个具有新的明文嵌入方法，并得到在适应性选择密文攻击下语义安全的加密体制，该特点也是其与传统椭圆曲线密码体制最大的区别。From the nature of the operation, it can be seen that if and only if P and Q are all non-singular points on E(P, Q), and R(=P+Q), the x-coordinates of P and Q are different in pairs, it can be obtained without knowing P, in the case of the specific equation of the curve E (PQ) determined by Q, obtain Q (=R-P) by R (=P+Q) and P. Note that R, P, and the x coordinates of Q are different in pairs. P and Q are all non-singular points, so the probability that P and Q are all non-singular points is at least 1-6/(p-1), where p is a large prime number. That is to say: two x coordinates are not the same Point P, Q, note R=P+Q, can calculate another point by any two points wherein under 1-6/(p-1) probability.The present invention has fully utilized this characteristic, has obtained a new plaintext Embedding method, and obtain a semantically secure encryption system under adaptive chosen ciphertext attack, this feature is also the biggest difference between it and the traditional elliptic curve cryptosystem.

设E：Y²＝X³+aX+b是有限域F_p上的椭圆曲线，E(F_p)是指E的所有F_p有理点和0组成的群。对于E(F_p)中的任意一点P，存在最小的整数n，使得nP＝0，称n为点P的阶，则点P可以生成一个n阶循环群。椭圆曲线公钥密码体制绝大多数都构建在阶为大素数的点生成的循环群上，称该点为基点。以下若不做特殊说明，则一律用大写字母表示曲线上的点，小写字母表示有限域上的元素，x(P)，y(P)表示点P的x坐标和y坐标，相异点间的加法为上述的伪加，倍点运算为椭圆曲线上定义的倍点运算。Suppose E: Y ² =X ³ +aX+b is an elliptic curve on a finite field F _p , E(F _p ) refers to the group composed of all rational points of F _p of E and 0. For any point P in E(F _p ), there exists the smallest integer n such that nP=0, n is called the order of point P, then point P can generate a cyclic group of order n. Most of the elliptic curve public-key cryptosystems are built on the cyclic group generated by the point whose order is a large prime number, which is called the base point. Unless otherwise specified below, uppercase letters are used to represent points on the curve, lowercase letters represent elements on a finite field, x(P), y(P) represent the x-coordinates and y-coordinates of point P, and between different points The addition of is the above-mentioned pseudo addition, and the doubling operation is the doubling operation defined on the elliptic curve.

设系统参数为(p，a，b，P，n)，其中p是一个大素数，由所要求的安全强度，即安全参数λ所确定；a，b是有限域F_p中的元素，其决定一条椭圆曲线E：Y²＝X³+aX+b。P是E的F_p有理点，其阶为n，n是一个大素数且和p的尺寸相当。每个用户A拥有自己的用户参数(SK_a，PK_a)＝(d_a，Q_a)，其中Q_a＝d_aP，d_a为小于n的正整数，d_a和Q_a分别称为用户A的私钥和公钥，公钥是公开的，可以被任何人知晓，而私钥是私有的，仅由用户A自己知道。H(.)、F(.)、G(.)均是{0，1}^λ→{0，1}^λ的Hash函数，λ′是任意整数满足1/2^λ′是λ的可忽略函数，在此不妨令λ′＝λ/4。在体制的实现中，为了减少数据越界的可能性，强制令各Hash函数值的最高8比特为0。Let the system parameters be (p, a, b, P, n), where p is a large prime number, which is determined by the required security strength, that is, the security parameter λ; a, b are the elements in the finite field F _p , where Determine an elliptic curve E: Y ² =X ³ +aX+b. P is an F _p- rational point of E with order n, where n is a large prime and is of the same size as p. Each user A has its own user parameters (SK _a , PK _a )=(d _a , Q _a ), where Q _a =d _a P, where d _a is a positive integer smaller than n, and d _a and Q _a are called User A's private key and public key. The public key is public and can be known by anyone, while the private key is private and only known by user A. H(.), F(.), G(.) are all Hash functions of {0, 1} ^λ → {0, 1} ^λ , λ' is any integer satisfying 1/2 ^λ' is a negligible function of λ , let λ'=λ/4 here. In the implementation of the system, in order to reduce the possibility of data out of bounds, the highest 8 bits of each Hash function value are forced to be 0.

如果用户B想发送消息m∈{0，1}^λ-λ′给用户A，则用户B进行以下的加密操作：If user B wants to send a message m ∈ {0, 1} ^λ-λ' to user A, then user B performs the following encryption operations:

首先，随机选取一个整数k，1＜k＜n；再计算k的Hash函数值F(k)，椭圆曲线点P的F(k)倍点F(k)P记为C₁，椭圆曲线点Q_a的F(k)倍点F(k)Q_a；然后在m后添加λ′个0得到m′，即m′＝m||0^λ′；再计算k的Hash函数值G(k)，若F(k)Q_a的x坐标值x(F(k)Q_a)＝m′G(k)，则返回重新选取整数k；最后，计算密文C＝(C₁，C₂)＝(C₁，F(k)Q_a+(m′G(k)，H(m′G(k))k)，若仿射平面点C₂的x坐标属于集合{m′G(k)，x(F(k)Q_a)}，则返回重新选取整数k；否则，输出密文C。First, randomly select an integer k, 1<k<n; then calculate the Hash function value F(k) of k, and record the F(k) times point F(k)P of the elliptic curve point P as C ₁ F(k) times point F(k)Q _a of Q _a ; then add λ′ 0s after m to get m′, that is, m′=m||0 ^λ′ ; then calculate the Hash function value G(k of k ), if the x-coordinate value of F(k)Q _a is x(F(k)Q _a )=m′G(k), return to reselect the integer k; finally, calculate the ciphertext C=(C ₁ , C ₂ )=(C ₁ , F(k)Q _a + (m′G(k), H(m′G(k))k), if the x coordinate of the affine plane point C ₂ belongs to the set{ m′G(k), x(F(k)Q _a )}, then return the reselected integer k; otherwise, output the ciphertext C.

在用户A接收到用户B法送的密文C后，进行以下的解密操作来恢复明文m：After user A receives the ciphertext C sent by user B, the following decryption operation is performed to recover the plaintext m:

1、首先，计算椭圆曲线点C₁的d_a倍点d_aC₁记为Q′，若x(Q′)＝x(C₂)则拒绝接收；1. First, calculate the d _a times point d _a C ₁ of the elliptic curve point C ₁ and record it as Q', if x(Q')=x(C ₂ ), refuse to accept;

2、再计算仿射平面上的点C₂-Q′记为(M，r)，M，r均为有限域F_p中的元素，若M＝x(C₂)或x(Q′)，则拒绝接收；2. Then calculate the point C ₂ -Q′ on the affine plane and write it as (M, r), M, r are elements in the finite field F _p , if M=x(C ₂ ) or x(Q′) , refuse to accept;

3、进一步计算H(M)r记为f；3. Further calculate H(M)r and record it as f;

4、若椭圆曲线点P的F(f)倍点F(f)P为椭圆曲线点C₁且MG(f)的后λ′比特为0，则接收明文m为MG(f)的前λ-λ′比特；否则拒绝接收。4. If the F(f) times point F(f)P of the elliptic curve point P is the elliptic curve point C ₁ and the last λ' bit of MG(f) is 0, then the received plaintext m is MG(f ) of the first λ-λ'bits; otherwise reject reception.

以下，是采用本发明对数据进行加密而获得高安全性的数学证明：The following is a mathematical proof for obtaining high security by encrypting data using the present invention:

假设椭圆曲线群的阶近似为p，并有一半的m使得m³+am+b是模p的二次剩余，则有以下结论说明在加密过程中返回1的概率很小。Assuming that the order of the elliptic curve group is approximately p, and half of m makes m ³ +am+b a quadratic residue modulo p, the following conclusions show that the probability of returning 1 in the encryption process is very small.

引理1.对于随机选取的k和m，x(kQ_a)＝m的概率至多为2/p。Lemma 1. For randomly chosen k and m, the probability of x(kQ _a )=m is at most 2/p.

引理2.记R＝kP+(m，Hash(m)k)，其中，x(kP)≠m，则x(R)∈{m，x(kP)}的概率是可忽略的。Lemma 2. Note R=kP+(m, Hash(m)k), where, x(kP)≠m, then the probability of x(R)∈{m, x(kP)} is negligible.

证明假设kP＝(c，d)，则d²＝c³+ac+b，c，d完全由k决定。以下将Hash(.)简记为h(.)。若x(R)＝m，由伪加公式得：Proof Assuming kP=(c,d), then d ² =c ³ +ac+b, c,d are completely determined by k. Hash(.) will be abbreviated as h(.) below. If x(R)=m, it can be obtained by the pseudo-addition formula:

$m m = = {((\frac{h h ((m m)) &CirclePlus; &CirclePlus; k k - - d d}{m m - - c c}))}^{22} - - m m - - c c$

利用关系式d²＝c³+ac+b可以将上式中的d替换掉，得到下式：The d in the above formula can be replaced by using the relationship d ² =c ³ +ac+b to obtain the following formula:

(h(m)k)⁴+(h(m)k)²(6m²c-4m³+2ac+2b)-4(h(m)k)(c³+ac+b)(h(m)k) ⁴ +(h(m)k) ² (6m ² c-4m ³ +2ac+2b)-4(h(m)k)(c ³ +ac+b)

+4m⁶-12m⁵c-9m²c²-4m³(ac+b)+6m²(ac+b)+a²c²+b²+2abc＝0+4m ⁶ -12m ⁵ c-9m ² c ² -4m ³ (ac+b)+6m ² (ac+b)+a ² c ² +b ² +2abc＝0

如果对于给定的k，上式成立的概率是不可忽略的，则意味着Hash函数h(.)以不可忽略的概率满足上式，在k固定的条件下，对于满足上式的Hash函数值e，把m当做未知数，通过求解六次方程便可以得到e的原像，即若对于给定的k，上式成立的概率是不可忽略的，那么Hash函数h(.)不满足单向性的要求，所以对于任意的k，上式成立的概率均是可以忽略的，则x(R)＝m的概率是可忽略的。若x(R)＝c，同理可得：If for a given k, the probability of the above formula is not negligible, it means that the Hash function h(.) satisfies the above formula with a non-negligible probability. Under the condition of k being fixed, for the Hash function value satisfying the above formula e, taking m as an unknown, the original image of e can be obtained by solving the sixth-order equation, that is, if the probability of the above formula is not negligible for a given k, then the Hash function h(.) does not satisfy the one-way property Therefore, for any k, the probability of the above formula being established is negligible, and the probability of x(R)=m is negligible. If x(R)=c, similarly we can get:

(h(m)k)²+c³+ac+b-m³-2m²c+3mc²)²＝4(h(m)k)²(c³+ac+b)(h(m)k) ² +c ³ +ac+bm ³ -2m ² c+3mc ² ) ² ＝4(h(m)k) ² (c ³ +ac+b)

因为Hash函数h(.)是单向的，所以上式成立的概率也是可忽略的。由上知x(R)∈{m，x(kP)}的概率是可忽略的。Because the Hash function h(.) is one-way, the probability of the above formula is also negligible. It is known from the above that the probability of x(R)∈{m, x(kP)} is negligible.

上述引理说明：加密过程返回1的概率是可忽略的，而加密、解密均只需要两次椭圆曲线点的倍乘和一次伪加，故可以认为：该本发明所采用的加密方法是有效的，其合理性是显然的。参见IEEE P1363标准，如果使用点的压缩技术，则该体制产生的密文有三倍的明文扩张，即密文尺寸是明文尺寸的三倍。Above-mentioned lemma explanation: the probability that encryption process returns 1 is negligible, and encryption, decryption all only need the multiplication of two elliptic curve points and a false addition, so can think: the encryption method that this present invention adopts is effective , its rationality is obvious. Refer to the IEEE P1363 standard, if the point compression technique is used, the ciphertext generated by this system has three times the plaintext expansion, that is, the ciphertext size is three times the plaintext size.

基于两个相异点的伪加不依赖于曲线本身，上述方法对ElGamal加密体制中的明文嵌入方式作了改变，即将m嵌入到点(m′G(k），H(m′G(k))k))，而不是将其嵌入到系统参数所确定的椭圆曲线上的点。这使得明文嵌入非常自然、简单。除此之外，该体制还具有以下几个特点：它通过解密过程中的第4步可以验证密文的合法性，这使得伪造合法的密文变得非常困难(除非通过选择明文)；它使用了不同的椭圆曲线群来进行运算。即除了系统参数所确定的椭圆曲线外，还有一条由F(k)Q_a和(m′G(k)，H(m′G(k)k)确定的曲线，该曲线是随m和k而变化的，除非知道用户A的私钥，否则不可能知道当前运算所在的椭圆曲线群。Based on the fact that the pseudo-addition of two different points does not depend on the curve itself, the above method changes the plaintext embedding method in the ElGamal encryption system, that is, embedding m into the point (m′G(k), H(m′G (k))k)), instead of embedding it into a point on the elliptic curve determined by the system parameters. This makes plaintext embedding very natural and simple. In addition, the system also has the following characteristics: it can verify the legality of the ciphertext through the fourth step in the decryption process, which makes it very difficult to forge legal ciphertext (unless by choosing plaintext); it Different groups of elliptic curves are used to perform the operations. That is to say, in addition to the elliptic curve determined by the system parameters, there is also a curve determined by F(k)Q _a and (m′G(k), H(m′G(k)k), which is As m and k vary, unless user A's private key is known, it is impossible to know the elliptic curve group where the current operation is located.

上述加密体制的加密时间复杂度为2次标量乘法，与ElGamal体制的效率相当；带验证的解密的时间复杂度为2次标量乘法，比ElGamal体制多一次标量乘法。若不带验证，则效率相当。如果采用点的压缩技术，其有3倍的明文扩张。为描述方便起见，这里仅给出了基域特征为大素数下的体制，当特征为2时，伪加以及体制的描述是极其类似的。The encryption time complexity of the above encryption system is 2 scalar multiplications, which is equivalent to the efficiency of the ElGamal system; the time complexity of decryption with verification is 2 scalar multiplications, which is one more scalar multiplication than the ElGamal system. Without validation, the efficiency is equivalent. If the point compression technique is used, it has 3 times the plaintext expansion. For the convenience of description, only the system under which the base domain characteristic is a large prime number is given here. When the characteristic is 2, the description of the pseudo-addition and the system is very similar.

该加密体制作为ElGamal体制的变形，其安全性基于椭圆曲线计算迪菲-赫尔曼问题(ECCDHP)。它给出了一种非常简洁的明文嵌入方式，并可以验证密文的合法性，以此提供了更高级别的安全性。在随机谕示模型(random oracle model)下，证明了该加密体制是适应性选择密文下语义安全的(IND-CCA2)。The encryption system is a variant of the ElGamal system, and its security is based on the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP). It provides a very concise plaintext embedding method and can verify the validity of the ciphertext, thus providing a higher level of security. Under the random oracle model, it is proved that the encryption scheme is semantically secure under adaptively chosen ciphertext (IND-CCA2).

在随机谕示模型(random oracle model)下，证明了如果椭圆曲线计算迪菲-赫尔曼问题(ECCDHP)难解，则该加密体制是适应性选择密文攻击下语义安全的(IND-CCA2)，由于该证明是基于ECCDHP的，故其安全性可能高于PSEC-1。它不是一种混合加密体制，其运算仅包括椭圆曲线点的倍乘、伪加运算和杂凑函数，不需要应用对称加密体制。该加密体制利用全新的伪加运算，将明文嵌入到仿射平面中点的x坐标，给出了一种非常简洁的明文嵌入方式，并可以验证密文的合法性。Under the random oracle model (random oracle model), it is proved that if the elliptic curve computing Diffie-Hellman problem (ECCDHP) is difficult to solve, then the encryption system is semantically secure under adaptive chosen ciphertext attack (IND-CCA2 ), since the proof is based on ECCDHP, its security may be higher than that of PSEC-1. It is not a hybrid encryption system, and its operations only include multiplication of elliptic curve points, pseudo-addition and hash functions, and do not need to apply a symmetric encryption system. The encryption system uses a new pseudo-add operation to embed the plaintext into the x-coordinate of the midpoint of the affine plane, which provides a very simple plaintext embedding method and can verify the legitimacy of the ciphertext.

在该密码体制的实现中，首先面临的是系统参数(p，a，b，P，n)的选择问题。从安全角度考虑，为抵抗一些已知的攻击算法，可以对系统参数进行特殊的限制：In the implementation of this cryptographic system, the first thing to face is the selection of system parameters (p, a, b, P, n). From a security point of view, in order to resist some known attack algorithms, special restrictions can be placed on system parameters:

1.n＞2¹⁶⁰且 $n > 4 \sqrt{p};$ 1.n>2 ¹⁶⁰ and $no > 4 \sqrt{p};$

2.椭圆曲线是非超奇异的(non-supersingular)，即p不整除p+1-#E(F_p)；2. The elliptic curve is non-supersingular, that is, p does not divide p+1-#E(F _p );

3.基点P的阶n不整除p^k-1(1≤k≤C)，实际中常取C＝20；3. The order n of the base point P is not divisible by p ^k -1 (1≤k≤C), and C=20 is usually taken in practice;

4.椭圆曲线是非异常的(non-anomalous)，即#E(F_p)≠p。4. The elliptic curve is non-anomalous, that is, #E(F _p )≠p.

该实施方式取基域F_p为标准IEEEP1363所建议的有限域，Hash函数G(.)，F(.)和H(.)均为SHA1并强制其Hash函数值的最高8比特为0，大素数p的比特数为λ。随机选取椭圆曲线的参数a，b，利用SEA算法计算它的阶，然后把满足以上要求的椭圆曲线作为系统参数。在本发明的具体实施中，需要椭圆曲线点加算法、伪加算法、椭圆曲线倍点算法以及椭圆曲线点的标量乘法，以下逐一给出各算法。In this embodiment, the base field _Fp is the finite field suggested by the standard IEEEP1363, the Hash functions G(.), F(.) and H(.) are all SHA1 and the highest 8 bits of the Hash function value are forced to be 0, which is large The number of bits of the prime number p is λ. Randomly select the parameters a and b of the elliptic curve, use the SEA algorithm to calculate its order, and then use the elliptic curve that meets the above requirements as the system parameter. In the specific implementation of the present invention, elliptic curve point addition algorithm, pseudo-addition algorithm, elliptic curve point multiplication algorithm and scalar multiplication of elliptic curve points are required, and each algorithm is given below one by one.

由于伪加算法与椭圆曲线x坐标相异的两个点的点加算法相同，故不单独列出来。Since the pseudo-addition algorithm is the same as the point-addition algorithm for two points with different x-coordinates on the elliptic curve, it is not listed separately.

本发明一个具体的实施例中，密钥生成过程如下：In a specific embodiment of the present invention, the key generation process is as follows:

1、随机选择一个整数d_A，1＜d_A＜n，采用NAF编码和标量乘法算法计算Q_A＝d_AP；1. Randomly select an integer d _A , 1<d _A <n, and use NAF coding and scalar multiplication algorithm to calculate Q _A =d _A P;

2、将d_A作为私钥，Q_A作为公钥。2. Use d _A as the private key and Q _A as the public key.

具体的加密步骤是：将消息数据m根据3λ/4进行分组m₁m₂...m_d，一次对一个分组进行加密，例如：将一个分组的消息m加密后传送。The specific encryption steps are: divide the message data m into groups m ₁ m ₂ ...m _d according to 3λ/4, and encrypt one group at a time, for example: encrypt a grouped message m before transmitting.

2.1找到公开密钥Q_A；2.1 Find the public key Q _A ;

2.2选择一个随机数k，1＜k＜n；2.2 Choose a random number k, 1<k<n;

2.3计算f＝SHA1(k)；2.3 Calculate f=SHA1(k);

2.4采用NAF编码和标量乘法算法计算fP记为C₁；2.4 Use NAF coding and scalar multiplication algorithm to calculate fP and mark it as C ₁ ;

2.5将m转化为域中元素m’＝m||0^λ/4；2.5 Transform m into the element m'=m||0 ^λ/4 in the field;

2.6采用NAF编码和标量乘法算法计fQ_A记为Q’，若x(Q’)等于m’f则执行2.2；2.6 Use NAF coding and scalar multiplication algorithm to calculate fQ _A and record it as Q', if x(Q') is equal to m'f, then execute 2.2;

2.7利用点加算法计算Q’+(m’f，SHA1(m’f)k)记为C₂，若x(C₂)，x(Q’)和m’f两两不同，则发送加密数据(C₁，C₂)，否则，返回2.2。2.7 Use point addition algorithm to calculate Q'+(m'f, SHA1(m'f)k) as C ₂ , if x(C ₂ ), x(Q') and m'f are different in pairs , then send encrypted data (C ₁ , C ₂ ), otherwise, return 2.2.

解密过程：收到加密数据(C₁，C₂)后，实施如下解密过程：Decryption process: After receiving encrypted data (C ₁ , C ₂ ), implement the following decryption process:

3.1采用NAF编码和标量乘法算法计算点Q’＝d_AC₁，若x(Q’)等于x(C₂)则拒绝接收；3.1 Use NAF coding and scalar multiplication algorithm to calculate point Q'=d _A C ₁ , if x(Q') is equal to x(C ₂ ), refuse to accept;

3.2采用点加算法计算(M，r)＝C₂-Q’，若M等于x(C₂)或x(Q’)则拒绝接收；3.2 Use point addition algorithm to calculate (M, r) = C ₂ -Q', if M is equal to x(C ₂ ) or x(Q'), refuse to accept;

3.3计算k＝SHA1(M)r；3.3 Calculate k=SHA1(M)r;

3.4计算f＝SHA1(k)；3.4 Calculate f=SHA1(k);

3.5计算m’＝Mf3.5 Calculate m'=Mf

3.6采用NAF编码和标量乘法算法计算，若fP等于C₁且m’的后λ/4比特为0，则接收明文m为m’的前3/4比特；否则拒绝接收。3.6 NAF coding and scalar multiplication algorithm are used for calculation. If fP is equal to C ₁ and the last λ/4 bits of m' are 0, the received plaintext m is the first 3/4 bits of m'; otherwise, it is rejected.

上述的点加算法如下：The above point addition algorithm is as follows:

当对于一个数据进行加密时，对于输入的椭圆曲线y²＝x³+ax+b，和该曲线上的点P₀＝(x₀，y₀)和点P₁＝(x₁，y₁)；When encrypting a piece of data, for the input elliptic curve y ² =x ³ +ax+b, and the point P ₀ =(x ₀ ,y ₀ ) and the point P ₁ =(x ₁ ,y ₁ );

A1、如果P₀＝0，则输出点P₂即为P₁ A1. If P ₀ =0, the output point P ₂ is P ₁

A2、如果P₁＝0，则输出点P₂即为P₀ A2. If P ₁ = 0, the output point P ₂ is P ₀

A3、如果x₀≠x₁ A3. If x ₀ ≠ x ₁

A3.1计算λ←(y₀-y₁)/(x₀-x₁)mod p；是指将(y0-y1)/(x0-x1)mod p赋值给λ；A3.1 Calculate λ←(y ₀ -y ₁ )/(x ₀ -x ₁ )mod p; it means assigning (y0-y1)/(x0-x1)mod p to λ;

A3.2执行第A7步A3.2 Execute step A7

A4、如果y₀≠y₁，输出P₂←OA4. If y ₀ ≠y ₁ , output P ₂ ←O

A5、如果y₀＝0，输出P₂←OA5. If y ₀ =0, output P ₂ ←O

A6、计算λ←(3x²+a)/(2y₁)mod pA6. Calculate λ←(3x ² +a)/(2y ₁ ) mod p

A7、计算x₂←λ²-x₀-x₁ mod pA7. Calculate x ₂ ←λ ² -x ₀ -x ₁ mod p

A8、计算y₂←(x₁-x₂)λ-y₁ mod pA8. Calculate y ₂ ←(x ₁ -x ₂ )λ-y ₁ mod p

A9、输出P₂←(x₂，y₂)A9. Output P ₂ ←(x ₂ , y ₂ )

注：若要减点P＝(x，y)，只要加点-P＝(x，-y)。Note: To subtract point P=(x, y), just add point -P=(x, -y).

上述的椭圆曲线上倍点算法如下：The algorithm for doubling points on the elliptic curve above is as follows:

输入：椭圆曲线E，E上点P(X₁，Y₁，Z₁)，P≠OInput: elliptic curve E, point P(X ₁ , Y ₁ , Z ₁ ) on E, P≠O

输出：(X₃，，Y₃，Z₃)＝2POutput: (X ₃ , Y ₃ , Z ₃ )=2P

B1、计算λ₁←3X₁ ²+aZ₁ ⁴；B1. Calculate λ ₁ ←3X ₁ ² +aZ ₁ ⁴ ;

B2、计算Z₃←2Y₁Z₁ B2. Calculate Z ₃ ← 2Y ₁ Z ₁

B3、计算λ₂，←4X₁Y₁ ²；B3. Calculate λ ₂ , ←4X ₁ Y ₁ ² ;

B4、计算X₃←λ₁ ²-2λ₂；B4. Calculate X ₃ ←λ ₁ ² -2λ ₂ ;

B5、计算λ₃←8Y₁ ⁴；B5. Calculate λ ₃ ←8Y ₁ ⁴ ;

B6、计算Y₃←λ₁(λ₂-X₃)-λ₃；B6. Calculate Y ₃ ←λ ₁ (λ ₂ -X ₃ )-λ ₃ ;

B7、输出(X₃，Y₃，Z₃)B7. Output (X ₃ , Y ₃ , Z ₃ )

上述的NAF编码算法如下：The above NAF encoding algorithm is as follows:

输入：整数 $k = Σ_{j = 0}^{l - 1} k_{j} 2^{j}, k_{j} &Element; {0,1} .$ input: integer $k = Σ_{j = 0}^{l - 1} k_{j} 2^{j}, k_{j} &Element; {0,1} .$

输出：NAF $k = Σ_{i = 0}^{l} s_{i} 2^{i}, s_{i} &Element; {- 1,0,1}$ Output: NAF $k = Σ_{i = 0}^{l} {the s}_{i} 2^{i}, {the s}_{i} &Element; {- 1,0,1}$

C1、c₀←0，k_l←0，k_l+1←0；C1, c ₀ ←0, k _l ←0, k _l+1 ←0;

C2、j←0C2, j←0

C3.如果j≠l+1C3. If j≠l+1

C3.1计算

C3.1 Calculation

C3.2计算s_j←k_j+c_j-2c_j+1 C3.2 Calculate s _j ←k _j +c _j -2c _j+1

C3.3计算j＝j+1C3.3 Calculate j=j+1

C3.4转入第3步C3.4 Go to Step 3

C4、输出(s_ls_l-1，...，s₁，s₀)₂ C4, output (s _l s _l-1 , ..., s ₁ , s ₀ ) ₂

上述的NAF标量乘法算法如下：The above NAF scalar multiplication algorithm is as follows:

输入：椭圆曲线上一点P，整数k的NAF(s_ls_l-1，...，s₁，s₀)₂，s_l＝1；Input: a point P on the elliptic curve, NAF(s _l s _l-1 ,..., s ₁ , s ₀ ) ₂ of integer k, s _l =1;

输出：Q＝kP；Output: Q=kP;

D1、Q←O；D1, Q←O;

D2、j←l；D2, j←l;

D3、如果j≠-1D3. If j≠-1

D3.1计算Q←2QD3.1 Calculate Q←2Q

D3.2如果s_j＝1计算Q←Q+PD3.2 If s _j = 1, calculate Q←Q+P

D3.3如果s_j＝-1计算Q←Q+PD3.3 If s _j = -1, calculate Q←Q+P

D3.4计算j＝j-1D3.4 Calculate j=j-1

D3.5转入第3步D3.5 Go to step 3

D4、输出Q.D4, output Q.

以上各算法给出了本发明所描述的椭圆曲线加密体制的具体实施方式，以下给出在该方式下运行获得的一组试验数据，其中各个数据均以十六进制述表达。The above algorithms provide the specific implementation of the elliptic curve encryption system described in the present invention, and a set of experimental data obtained by running in this mode is given below, wherein each data is expressed in hexadecimal notation.

系统参数：System parameters:

λ：192Lambda: 192

p：fffffffffffffffffffffffffffffffeffffffffffffffffp: ffffffffffffffffffffffffffffffffffffffffffffffff

a：fffffffffffffffffffffffffffffffefffffffffffffffca: ffffffffffffffffffffffffffffffffffffffffffffffc

b：02d5134233c1f7f4f50706f02882d85e767294c7230612c2b: 02d5134233c1f7f4f50706f02882d85e767294c7230612c2

P.x：df00000129200001db000001ffbe800169ea40011de3ec01P.x: df00000129200001db000001ffbe800169ea40011de3ec01

P.y：46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881fP.y: 46b19ab9a84501afc6c94ce6fb9ae8f21a93fedb9ec6881f

n：fffffffffffffffffffffffe75432f994b9b16ef54c39393n: fffffffffffffffffffffffe75432f994b9b16ef54c39393

d_A：83cedad356f4f6cf573ff873b789add938df2ec7d5d2753bd _A : 83cedad356f4f6cf573ff873b789add938df2ec7d5d2753b

Q_A.x：1f18bcacb74087835ae629a87968f0d57adb39110ec1fd70Q _A.x : 1f18bcacb74087835ae629a87968f0d57adb39110ec1fd70

Q_A.Y：53b96505a207de2442510c7f01c80c4cffcdaf40099fa0a1加密时：Q _A .Y: 53b96505a207de2442510c7f01c80c4cffcdaf40099fa0a1 when encrypted:

m：00000000000000000313233343536373839m: 000000000000000000313233343536373839

m’：00000000000000000313233343536373839000000000000m': 00000000000000000313233343536373839000000000000

k：9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57dk: 9296decb12fc6d896ffd58ade5b03a3f1e235d0556e3f57d

f：09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6f: 09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6

C₁.x：362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db _C1.x : 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db

C₁.y：f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5 _C1.y : f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5

fQ_A.x：fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354cfQ _A.x : fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c

fQ_A.y：91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7afQ _A.y : 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a

m’f：09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6m’f: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6

SHA1(m’f)k：SHA1(m'f)k:

92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea3692d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36

C₂.x：6edaa4c686f938464514b379720f10dd4ba8a353e1a9e6deC _2.x : 6edaa4c686f938464514b379720f10dd4ba8a353e1a9e6de

C₂.y：2f47f3be8875cc0417fbfacf87993ea4893595ddf610b43解密后：C _2.y : 2f47f3be8875cc0417fbfacf87993ea4893595ddf610b43 after decryption:

Q′.x：fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354cQ′.x: fa529d8354bbb6bd3289b906f1b3337914628f6cf75a354c

Q′.y：91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7aQ′.y: 91f142b803c9ba20ece5012f02bc9511cb4412b881bbbd7a

M：09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6M: 09cf3ae17aad817331ce3d7cab877f235b27ee7152ac5b6

r：92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36r: 92d183184e2365cc9b2673ddc3f49bf2a3c57cb6b5c3ea36

SHA1(M)：0475dd35cdf0845f4db2b702644a1cdbde621b3e3201f4bSHA1(M): 0475dd35cdf0845f4db2b702644a1cdbde621b3e3201f4b

f＝SHA1(k)：09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6f=SHA1(k):09cf3ae17aad817332dd1e4fe8d41c50d8b7ee7152ac5b6

m’f：00000000000000000313233343536373839000000000000m’f: 0000000000000000000313233343536373839000000000000

fP.x：362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048dbfP.x: 362b32f9f9b3c21c1df13631ea7155f23d04d4853ce048db

fP.y：f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5fP.y: f7cbaa643bccce14f252660b0104542f86a8a5f89f7c1c5

m：00000000000000000313233343536373839；m: 000000000000000000313233343536373839;

在使用INTEL公司PentiumIV 1.7G微处理器、256M内存储器的计算机，并在WINDOWS98操作系统的环境下，用ANSIC编程语言实现特征为p以及特征为2的的有限域上的体制，其中p＝2¹⁹²-2⁶⁴+1，F_2m，m＝193，生成多项式f(x)＝x¹⁹³+x¹⁵+1；实现效率如下表所示：内容 *F_p F_p *F_2m F_2m 密钥生成 1.21 5.43 0.67 2.48 加密 6.70 10.95 3.29 5.43 ECES 加密 6.76 10.53 3.20 5.26 解密 6.50 11.57 3.12 5.42 解密(不带验证) 5.26 5.95 2.59 2.45 ECES解密 5.51 5.48 2.62 2.53 倍乘 1.20 5.32 0.65 2.39 Use INTEL company PentiumIV 1.7G microprocessor, the computer of 256M memory, and under the environment of WINDOWS98 operating system, realize the system on the finite field that is p and characteristic is 2 with ANSIC programming language, wherein p=2 ¹⁹² -2 ⁶⁴ +1, F _2m , m=193, generating polynomial f(x)=x ¹⁹³ +x ¹⁵ +1; the realization efficiency is shown in the following table: content *F _p F _p *F _2m F _2m key generation 1.21 5.43 0.67 2.48 encryption 6.70 10.95 3.29 5.43 ECES encryption 6.76 10.53 3.20 5.26 decrypt 6.50 11.57 3.12 5.42 Decrypt (without verification) 5.26 5.95 2.59 2.45 ECES decryption 5.51 5.48 2.62 2.53 multiply 1.20 5.32 0.65 2.39

表中的各项指标都是在执行1000次的速度，单位为秒；*栏下的指标是允许的预处理速度。The indicators in the table are executed at the speed of 1000 times, and the unit is second; the indicators under the * column are the allowable preprocessing speeds.

若F_p上的运算采用汇编语言编写，192比特的点的倍乘速度为1.81秒(1000次)，下表列出了p＝2²⁵⁶下执行1000次的速度，单位为秒：内容 ANSI C 汇编密钥生成 2.25 0.93 加密 18.93 6.35 解密 18.64 6.35 解密(不带验证) 16.2 5.43 If the operation on F _p is written in assembly language, the multiplication speed of 192-bit points is 1.81 seconds (1000 times), and the following table lists the speed of executing 1000 times under p= ²²⁵⁶ , and the unit is second: content ANSI C compilation key generation 2.25 0.93 encryption 18.93 6.35 decrypt 18.64 6.35 Decrypt (without verification) 16.2 5.43

用型号为MCS51的单片机实现的加/解密效率见下表，其中MCS51主要存贮器配置：256B的内部RAM，64KB的外部RAM，64KB的程序区ROM.时钟频率：1M时钟周期/秒(晶振频率：12MHZ)。取F_p，p＝2¹⁹²-2⁶⁴-1和F_2m，m＝193，其生成多项式为x¹⁹³+x¹⁵+1。功能 F_p(秒/次) F_2m(秒/次) 密钥生成 4.89 4.34 加密 25.32 20.84 ECES加密 25.19 20.74 解密(不带验证) 20.43 16.21 ECES解密 20.42 16.21 解密(带存储) 25.33 20.10 倍乘(带预存储) 4.77 4.32 倍乘(不带预存储) 19.96 16.4 The encryption/decryption efficiency realized by MCS51 single-chip microcomputer is shown in the following table. The main memory configuration of MCS51: 256B internal RAM, 64KB external RAM, 64KB program area ROM. Clock frequency: 1M clock cycle/second (crystal oscillator Frequency: 12MHZ). Taking F _p , p=2 ¹⁹² -2 ⁶⁴ -1 and F _2m , m=193, the generator polynomial is x ¹⁹³ +x ¹⁵ +1. Function F _p (sec/time) F _2m (sec/time) key generation 4.89 4.34 encryption 25.32 20.84 ECES encryption 25.19 20.74 Decrypt (without verification) 20.43 16.21 ECES decryption 20.42 16.21 Decryption (with storage) 25.33 20.10 Multiplication (with pre-stored) 4.77 4.32 Multiplication (without pre-store) 19.96 16.4

注：F_p的外部RAM占用1.5K，ROM占用9K程序，6K预存储值；F_2m的外部RAM占用：2K(带预存储)/1.2K(不带预存储)，ROM占用：7K程序，6K预存储值。Note: F _p ’s external RAM occupies 1.5K, ROM occupies 9K programs, 6K pre-stored values; F _2m ’s external RAM occupies: 2K (with pre-stored)/1.2K (without pre-stored), ROM occupies: 7K programs, 6K pre-stored values.

以下，给出了该加密体制是在适应性选择密文下语义安全的详细证明。In the following, a detailed proof that the encryption scheme is semantically secure under adaptively chosen ciphertexts is given.

一、安全的定义1. Definition of security

假设U是一个概率算法，则A(x₁，x₂，...；r)表示输入为x₁，x₂，...，随机数为r时算法A的输出；y←A(x₁，x₂，...)表示随机选择r，令y等于A(x₁，x₂，...；r)；若存在r使得A(x₁，x₂，...；r)＝y，则称y是A(x₁，x₂，...)的输出；如果S是一个有限集合，则x←S表示从集合S中依据均匀分布随机地选取x，若a既不是一个集合也不是一个算法，则x←a表示将a的值赋给x。Assuming that U is a probability algorithm, then A(x ₁ , x ₂ ,...;r) represents the output of algorithm A when the input is x ₁ , x ₂ ,..., and the random number is r; y←A(x ₁ , x ₂ ,...) means to choose r randomly, let y be equal to A(x ₁ , x ₂ ,...; r); if r exists so that A(x ₁ , x ₂ ,...; r) =y, then y is said to be the output of A(x ₁ , x ₂ ,...); if S is a finite set, then x←S means that x is randomly selected from the set S according to a uniform distribution; if a is neither A set is not an algorithm, then x←a means to assign the value of a to x.

定义1.公钥加密体制是由算法组成的三元组：PE＝(KG，Enc，Dec)，其中Definition 1. The public key encryption system is a triplet composed of algorithms: PE=(KG, Enc, Dec), where

KG：密钥生成算法，是一个概率算法，输入为安全参数1^λ(λ∈N)，输出为一对公私钥(pk，sk)；KG: key generation algorithm, which is a probabilistic algorithm, the input is a security parameter 1 ^λ (λ∈N), and the output is a pair of public and private keys (pk, sk);

Enc：加密算法，是一个概率算法，输入为公钥pk和明文x∈{0，1}^*，输出为密文y；Enc: Encryption algorithm, which is a probabilistic algorithm, the input is the public key pk and the plaintext x∈{0, 1} ^* , and the output is the ciphertext y;

Dec：解密算法，是一个确定型算法，输入为私钥sk和密文y，输出为明文x∈{0，1}^*或特殊字符，该字符表示输入的密文不是有效密文，即不存在x∈{0，1}^*使得其密文为y。Dec: decryption algorithm, which is a deterministic algorithm. The input is the private key sk and the ciphertext y, and the output is the plaintext x∈{0, 1} ^* or the special character , which indicates that the input ciphertext is not a valid ciphertext, that is There is no x ∈ {0, 1} ^* such that its ciphertext is y.

对于由密钥生成算法得到的任意的公私钥对(pk，sk)和任意的明文x∈{0，1}^*，若y是Enc_pk(x)的输出，则一定有Dec_sk(y)＝x。因为公钥加密体制需要保证现实传输的信息的安全，所以，以上的三个算法(KG，Enc，Dec)均是以安全参数为尺度的多项式时间算法。For any public-private key pair (pk, sk) obtained by the key generation algorithm and any plaintext x∈{0, 1} ^* , if y is the output of Enc _pk (x), there must be Dec _sk (y) =x. Because the public key encryption system needs to ensure the security of the information transmitted in reality, the above three algorithms (KG, Enc, Dec) are all polynomial time algorithms based on security parameters.

公钥加密体制的安全性的定义可以首先分别考虑攻击者可能的攻击目标(goals)和可能的攻击模型(attack model)，然后通过组合攻击模型和攻击目标给出各种级别的安全性的定义。The definition of the security of the public key encryption system can first consider the attacker's possible attack goals (goals) and possible attack model (attack model), and then give the definition of various levels of security by combining the attack model and attack goals .

依据攻击目标的不同，体制的安全性分析主要考虑单向性(OW，oneway)、语义安全(SS，semantic security)、密文的不可区分性(IND，indistinguishability of encryptions)和非扩展性(non-malleability，NM)。简单的说，单向性就是指由目标密文y求得相应的明文x＝Dec_sk(y)非常困难；语义安全的就是指从目标密文y获得相应明文x的任何信息均是计算不可行的；密文的不可区分性是指已知两个明文和某个明文所对应的一个密文，无法判断该密文相应的明文是哪一个。可以认为密文的不可区分性和语义安全均是单向性概念的提升，它们都涵盖在传统的保密性要求中，单向性是加密体制安全的最低要求，如果体制是密文不可区分的或语义安全的，则该体制一定是单向的，所以本文不讨论任何单向性的性质。非扩展性就是指从目标密文y求得另外一个不同的密文y′，使得其相应的密文x，x′间存在“有意义的联系”(如x′＝x+1)，它提升了现实中的密文防篡改的思想。According to different attack targets, the security analysis of the system mainly considers one-way (OW, oneway), semantic security (SS, semantic security), indistinguishability of ciphertext (IND, indistinguishability of encryptions) and non-extensibility (non-extensibility). -malleability, NM). Simply put, one-way means that it is very difficult to obtain the corresponding plaintext x=Dec _sk (y) from the target ciphertext y; semantic security means that any information about the corresponding plaintext x obtained from the target ciphertext y is uncomputable Yes; the indistinguishability of ciphertext means that two plaintexts and a ciphertext corresponding to a certain plaintext are known, and it is impossible to determine which plaintext corresponds to the ciphertext. It can be considered that both the indistinguishability of ciphertext and semantic security are the promotion of the concept of one-way, and they are all covered in the traditional confidentiality requirements. One-way is the minimum requirement for encryption system security. If the system is indistinguishable from ciphertext or semantically secure, the system must be unidirectional, so this paper does not discuss any unidirectional properties. Non-extensibility refers to obtaining another different ciphertext y' from the target ciphertext y, so that there is a "meaningful connection" between the corresponding ciphertext x and x' (such as x'=x+1), it It improves the idea of anti-tampering of ciphertext in reality.

攻击模型表述了攻击者所具有的能力，可以分为选择明文攻击(chosen-plaintextattack，CPA)、非适应性选择密文攻击(non-adaptivechosen-ciphertext attack，CCA1)和适应性选择密文攻击(adaptivechosen-ciphertext attack，CCA2)。CPA赋予攻击者自由选择明文并获得相应密文的权利，对于公钥加密体制而言，攻击者知道公钥即具有了选择明文攻击的能力；CCA1的形式化定义是由两位学者Naor和Yung给出的，其中攻击者除了知道公钥外，还可以访问解密谕示(该外部装置是解密算法)，但攻击者只在得到目标密文之前具有访问解密谕示的权利(非适应性是指对解密谕示的访问不依赖于目标密文)，依据其特点，非适应性选择密文攻击也被称为午夜攻击(midnight attack)或午餐攻击(lunchtimeattack，Lunch-breakattack)；CCA2是由两位学者Rackoff和Simon提出的，其中攻击者既知道公钥也可以访问解密谕示，而且其对解密谕示的访问是没有限制的，即使在获得目标密文之后攻击者仍然可以访问解密谕示，但是他不能将目标密文自身作为解密谕示的输入(适应性的是指对解密谕示的访问依赖于目标密文)。The attack model describes the capabilities of the attacker, which can be divided into chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1) and adaptive chosen-ciphertext attack ( adaptive chosen-ciphertext attack, CCA2). CPA gives the attacker the right to freely choose the plaintext and obtain the corresponding ciphertext. For the public key encryption system, the attacker has the ability to choose the plaintext attack if he knows the public key; the formal definition of CCA1 was developed by two scholars Naor and Yung Given, where the attacker has access to the decryption oracle (the external device is the decryption algorithm) in addition to knowing the public key, but the attacker only has the right to access the decryption oracle before getting the target ciphertext (non-adaptive is Refers to the access to the decryption oracle does not depend on the target ciphertext), according to its characteristics, non-adaptive chosen ciphertext attack is also called midnight attack (midnight attack) or lunch attack (lunchtime attack, Lunch-break attack); CCA2 is developed by Proposed by two scholars, Rackoff and Simon, in which the attacker knows both the public key and can access the decryption oracle, and his access to the decryption oracle is unlimited, even after obtaining the target ciphertext, the attacker can still access the decryption oracle but he cannot use the target ciphertext itself as input to the decryption oracle (adaptive means that access to the decryption oracle depends on the target ciphertext).

组合上述的攻击目标和攻击模型，可以得到各种不同的安全性的定义，下面仅给出不可区分性的形式化定义，其包括了最高级别的安全性--适应性选择密文下语义安全的IND-CCA2。Combining the above-mentioned attack targets and attack models, various definitions of security can be obtained, and only the formal definition of indistinguishability is given below, which includes the highest level of security-semantic security under adaptively chosen ciphertext IND-CCA2.

根据攻击者U在不同阶段具有不同的输入，可以将其看做两个概率算法(U₁，U₂)，其中U₁和U₂的作用依赖于攻击者的目标。在密文的不可区分性的定义中，算法U₁的输入为pk，输出为(x₀，x₂，s)，前两项是两个相同长度的明文，s是攻击者想要保留的信息；从x₀，x₁中随机选择一个记为x_b，挑战密文y为x_b的密文，算法U₂的输入为(x₀，x₁，s)和挑战密文y它试图输出正确的b。According to the fact that the attacker U has different inputs at different stages, it can be regarded as two probabilistic algorithms (U ₁ , U ₂ ), where the roles of U ₁ and U ₂ depend on the goals of the attacker. In the definition of indistinguishability of ciphertext, the input of algorithm U ₁ is pk, the output is (x ₀ , x ₂ , s), the first two terms are two plaintexts of the same length, s is what the attacker wants to keep Information; Randomly select a ciphertext from x ₀ , x ₁ marked as x _b , challenge ciphertext y is x _b , the input of algorithm U ₂ is (x ₀ , x ₁ , s) and challenge ciphertext y It tries to Output the correct b.

定义2(IND-CPA，IND-CCA1，IND-CCA2).假设PE＝(KG，Enc，Dec)是一个公钥加密体制，A＝(A₁，A₂)是一个攻击者，H(.)是随机谕示，对于任意的atk∈{cpa，cca1，cca2}和任意的λ∈N，令Definition 2 (IND-CPA, IND-CCA1, IND-CCA2). Suppose PE=(KG, Enc, Dec) is a public key encryption system, A=(A ₁ , A ₂ ) is an attacker, H(. ) is a random oracle, for any atk∈{cpa, cca1, cca2} and any λ∈N, let

${Adv Adv}_{PE PE,, A A}^{ind ind - - atk atk} ((λ λ)) = = Pr PR [[Ex Ex {p p}_{PE PE,, A A}^{ind ind - - atk atk - - 11} ((λ λ)) = = 11]] - - Pr PR [[E E. {xp xp}_{PE PE,, A A}^{ind ind - - atk atk - - 00} ((λ λ)) = = 11]]$

其中取b∈{0，1}，定义实验Exp_PE，A ^ind-atk-d(λ)为Where b∈{0, 1} is taken, and the experiment Exp _{PE is defined, A} ^ind-atk-d (λ) is

$((pk pk,, sk sk)) \overset{R R}{&LeftArrow; &LeftArrow;} KG KG ((λ λ));;$

$(({x x}_{00},, {x x}_{11},, s the s)) &LeftArrow; &LeftArrow; {A A}_{11}^{{O o}_{11} ((\cdot \cdot)),, H h ((\cdot \cdot))} ((pk pk));;$

y←Enc_pk(x_b)；y←Enc _pk (x _b );

$d d &LeftArrow; &LeftArrow; {A A}_{22}^{{O o}_{22} ((\cdot \cdot)),, H h ((\cdot \cdot))} (({x x}_{00},, {x x}_{11},, s the s,, y the y));;$

Return d。Return d.

如果atk＝cpa，则O₁(.)＝，O₂(.)＝；如果atk＝cca1，则O₁(.)＝Dec_sk(.)，O₂(.)＝；如果atk＝cca2，则O₁(.)＝De_sk(.)，O₂(.)＝Dec_sk(.)；还要求|x₀|＝|x₁|，算法A₂不能利用解密谕示获得y的明文。如果对于任意多项式时间的攻击者A，均有Exp_PE，A ^ind-atk(·)是可忽略的函数，则称公钥加密体制PE是IND-ATK意义下安全的。If atk=cpa, then O ₁ (.)=, O ₂ (.)=; if atk=cca1, then O ₁ (.)=Dec _sk (.), O ₂ (.)=; if atk =cca2, then O ₁ (.)=De _sk (.), O ₂ (.)=Dec _sk (.); also requires |x ₀ |=|x ₁ |, algorithm A ₂ cannot use decryption oracle to obtain y plaintext. If there is Exp _{PE for any attacker A in polynomial time, and A} ^ind-atk (·) is a negligible function, then the public key encryption system PE is said to be secure in the sense of IND-ATK.

二、安全性分析2. Safety Analysis

从体制本身来看，由于本发明的运算基于不同的椭圆曲线群，而且“+”几乎没有结合律(例如：仿射平面R²上三点P＝(1，2)，Q＝(2，3)，R＝(3，1)，由伪加公式得(P+Q)+R＝(-2，1)+(3，1)＝(-1，-1)，而P+(Q+R)＝(1，2)+(-1，-9)＝(121/4，-1303/8)。)，所以由m的密文得到R(m)的密文是非常困难的，其中R是一个非平凡的关系，即直观上该体制具有非扩展的性质，这是与ElGamal体制的最明显的区别，也是安全性提高的一个原因。Hash函数的使用进一步加强了该体制的安全性。本节将证明该体制是IND-CCA2安全的。为方便起见，以下简记该加密体制为∏。From the point of view of the system itself, because the operation of the present invention is based on different elliptic curve groups, and "+" hardly has associative law (for example: three points P=(1,2) on the affine plane R ² , Q=(2, 3), R=(3,1), get (P+Q)+R=(-2,1)+(3,1)=(-1,-1) by the false addition formula, and P+(Q+ R)=(1,2)+(-1,-9)=(121/4,-1303/8).), so it is very difficult to obtain the ciphertext of R(m) from the ciphertext of m, where R is a non-trivial relation, that is, intuitively, the system has a non-expandable property, which is the most obvious difference from the ElGamal system, and it is also a reason for the improved security. The use of the Hash function further strengthens the security of the system. This section will prove that the scheme is IND-CCA2 secure. For convenience, the encryption system is abbreviated as ∏ below.

定理1.在ECCDHP难解的条件下，∏是IND-CCA2安全的。Theorem 1. Under the condition of ECCDHP intractability, Π is IND-CCA2 safe.

证明设∏存在IND-CCA2意义下的攻击者A＝(A₁，A₂)，A访问随机谕示G(.)，H(.)和F(.)所得的相应记录分别被称为G-表、H-表和F-表，记做τ_G＝{(g_i，G_i)}，τ_H＝{(h_i，H_i)}，τ_F＝{(f_i，F_i)}其长度(访问的次数)分别用q_G，q_H，q_F表示。则可以如下构造ECCDHP的求解算法B。设B的输入为P，Q＝aP，Y＝bP，其目的是计算R＝abP。Proof Assuming that ∏ exists in the sense of IND-CCA2, the attacker A=(A ₁ , A ₂ ), the corresponding records obtained by A accessing the random oracle G(.), H(.) and F(.) are respectively called G - table, H-table and F-table, recorded as τ _G ={(g _i , G _i )}, τ _H ={(h _i , H _i )}, τ _F ={(f _i , F _i ) } Its length (the number of visits) is represented by q _G , q _H , and q _F respectively. Then the solution algorithm B of ECCDHP can be constructed as follows. Suppose the input of B is P, Q=aP, Y=bP, and its purpose is to calculate R=abP.

B将P，Q作为A₁的输入调用A₁，由于A₁可以访问随机谕示和解密谕示，所以B需要模拟随机谕示和解密谕示。设A₁向随机谕示G(.)查询g，若g在查询记录中，则将记录中相应的输出值作为对A的应答；否则，随机选取其值域中的数作为对A₁的应答，同时将k和该随机数作为一对输入、输出添加在记录中。B模拟随机谕示H(.)和F(.)的动作与模拟G(.)的方式相同。设A₁向解密谕示访问y＝(C₁，C₂)，如果分别在G-表、F-表和H-表存在(g_i，G_i)，(f₁，F₁)，(h_j，H_j)，满足f₁＝g_i，F₁P＝C₁，C₂＝F₁Q+(h_j，H_jf₁)，计算M＝h_jG_i，若M的低λ′比特为0，则输出M的高λ-λ′比特作为明文输出，其它情况均输出空串。在A₁中止时，不妨设A₁的输出为(m₀，m₁，s)。B uses P and Q as the input of A ₁ to call A ₁ , since A ₁ can access the random oracle and the decryption oracle, B needs to simulate the random oracle and the decryption oracle. Let A ₁ query g from the random oracle G(.), if g is in the query record, then use the corresponding output value in the record as the answer to A; otherwise, randomly select the number in its value range as the answer to A ₁ Answer, and add k and the random number as a pair of input and output to the record at the same time. B simulates random oracles H(.) and F(.) in the same way as it simulates G(.). Let A ₁ access y=(C ₁ , C ₂ ) to the decryption oracle, if (g _i , G _i ), (f ₁ , F ₁ ), ( h _j , H _j ), satisfy f ₁ = g _i , F ₁ P = C ₁ , C ₂ = F ₁ Q+(h _j , H _j f ₁ ), calculate M=h _j G _i , if M If the low λ' bit is 0, the high λ-λ' bit of M is output as plain text, and in other cases, an empty string  is output. When A ₁ is suspended, it is advisable to set the output of A ₁ as (m ₀ , m ₁ , s).

B随机选择C₂ ^*∈{0，1}^2λ，令y^*＝(C₁ ^*＝Y，C₂ ^*)，B将(m₀，m₁，s，y^*)作为A₂的输入，调用A₂，其模拟解密谕示和随机谕示的过程均同上。B randomly selects C ₂ ^* ∈ {0, 1} ^2λ , let y ^* = (C ₁ ^* = Y, C ₂ ^* ), B takes (m ₀ , m ₁ , s, y ^* ) as the input of A ₂ , Call A ₂ , the process of simulating the decryption oracle and the random oracle is the same as above.

在A中止后，B从H-表中随机挑选(h，H)，如果存在t使得R＝C₂ ^*-(h，t)∈E，则输出R；否则，重新从H-表中选取(h，H)；若在H-表中不存在上述关系式，则随机输出E的点作为R。After A terminates, B randomly selects (h, H) from the H-table, if there is t such that R=C ₂ ^* -(h, t)∈E, then output R; otherwise, select from the H-table again (h, H); if the above relation does not exist in the H-table, then randomly output the point of E as R.

以下记F*＝log_PY，(s*，t*)＝C₂ ^*-F*Q，h*＝s*，k*＝t*H(h*)。利用E的方程和伪加公式，可知C₂ ^*-(h，t)∈E是关于t的六次方程，其至多有六个解，令AskH表示事件：A向H(.)访问了h*，则B输出正确的ECDH解的概率 $ϵ^{'} &GreaterEqual; \frac{\Pr [AskH]}{{6 q}_{H}} .$ F*=log _P Y, (s*, t*)=C ₂ ^* -F*Q, h*=s*, k*=t*H(h*) are written below. Using the equation of E and the pseudo-additive formula, it can be known that C ₂ ^* -(h, t)∈E is a sextic equation about t, which has at most six solutions, let AskH represent an event: A visits h to H(.) *, then the probability that B outputs the correct ECDH solution $ϵ^{'} &Greater Equal; \frac{PR [Ask H]}{{6 q}_{h}} .$

为保证A的正确调用，首先B必须正确模拟解密谕示，其次B还要保证目标密文y^*合法。Bad表示解密谕示的应答有误或y^*不是合法密文。设A成功的概率为(1+ε)/2，如果B正确地调用了A，因为y^*与m₀，m₁完全无关，故A输出正确结果的概率为1/2，则In order to ensure the correct invocation of A, firstly, B must correctly simulate the decryption oracle, and secondly, B must ensure that the target ciphertext y ^* is legal. Bad indicates that the response to the decryption oracle is wrong or y ^* is not a valid ciphertext. Suppose the probability of A's success is (1+ε)/2, if B calls A correctly, because y ^* has nothing to do with m ₀ and m ₁ , so the probability of A outputting the correct result is 1/2, then

(1+ε)/2≤1/2(1-Pr[Bad])+Pr[Bad]，(1+ε)/2≤1/2(1-Pr[Bad])+Pr[Bad],

可得Pr[Bad]≥ε。显然It can be obtained that Pr[Bad]≥ε. obviously

Pr[AskH]≥Pr[AskH∧Bad]＝Pr[Bad]-Pr[Bad∧﹁AskH]≥ε-Pr[Bad|﹁AskH]Pr[AskH]≥Pr[AskH∧Bad]＝Pr[Bad]-Pr[Bad∧﹃AskH]≥ε-Pr[Bad|﹃AskH]

在没有向H(.)访问h*的前提下，仅当A向G(.)或F(.)访问了k*(记为AskK)或解密谕示的应答有误(记为DBad)时，Bad才可能发生，即On the premise of not accessing h* to H(.), only when A visits k* (denoted as AskK) to G(.) or F(.) or the answer of the decryption oracle is wrong (denoted as DBad) , Bad may occur, namely

如果h*没有被访问，则H(h*)完全随机，所以k*＝t*H(h*)完全随机，故k*被访问的概率不大于(q_G+q_F)/2^λ，即If h* is not visited, then H(h*) is completely random, so k*=t*H(h*) is completely random, so the probability of k* being visited is not greater than (q _G +q _F )/2 ^λ ,Right now

$Pr PR [[AskK Ask K | | &Not; &Not; AskH Ask H]] \leq \leq \frac{{q q}_{G G} + + {q q}_{F f}}{22^{λ λ}} . .$

以下的讨论均基于k*，h*没有被访问的前提条件。The following discussion is based on the precondition that k* and h* are not visited.

假设A向解密谕示的输入为y(C₁，C₁)，记F＝logPC₁，(s，t)＝C₂-FQ，k＝H(s)t，h＝s，Pr′[.]＝Pr[·|﹁AskH∧﹁AskK]。Assuming that the input of A to the decryption oracle is y(C ₁ , C ₁ ), record F=logPC ₁ , (s, t)=C ₂ -FQ, k=H(s)t, h=s, Pr' [.]=Pr[·|“AskH∧“AskK].

如果h，k均被查询，则输出结果一定正确；如果h被查询但k没有向G(.)或F(.)查询，则输出结果为空串，如果结果不真，那么y一定是合法密文，以下分情况讨论：因为h被查询，所以k确定，而k*随机，故k＝k*的概率不大于2^-λ，在k＝k*的条件下y是合法密文的概率至多为1，则k＝k*时，模拟应答出错的概率不大于2^-λ；如果k≠k*且k没有向G(.)访问，y是合法密文意味着sG(k)的低λ′比特为0，因为k≠k*且k没有向G(.)访问，所以y是合法密文的概率不大于2^-λ′；如果k≠k*且k没有向F(.)访问，y是合法密文意味着F(k)＝log_pC₁，因为k≠k*且k没有向F(.)访问，所以y是合法密文的概率不大于2^-λ；如果h没有被查询，则输出结果为空串，如果结果不真，那么y一定是合法密文，即F(k)＝log_PC₁且sG(k)的低λ′比特为0，如果h＝h*，因为h*也没有被查询，所以H(h)完全随机；如果k≠k*，因为h没有被查询，所以H(h)完全随机；故在h没有被查询的条件下，H(h)是完全随机的，则k＝tH(h)是完全随机的，故F(k)＝log_PC₁的概率不大于2^-2，sG(k)的低λ′比特为0的概率不大于2^-λ′则在h没有被访问的条件下，模拟应答出错的概率不大于2^-λ。If both h and k are queried, the output result must be correct; if h is queried but k is not queried from G(.) or F(.), the output result is an empty string. If the result is not true, then y must be legal The ciphertext is discussed in the following cases: because h is queried, k is determined, and k* is random, so the probability of k=k* is not greater than 2 ^-λ , and the probability of y being a legal ciphertext under the condition of k=k* It is at most 1, then when k=k*, the error probability of the simulated answer is not greater than 2 ^-λ ; if k≠k* and k does not visit G(.), y is legal ciphertext means sG(k) The low λ' bit of y is 0, because k≠k* and k has no access to G(.), so the probability that y is a legal ciphertext is not greater than 2 ^-λ' ; if k≠k* and k has no access to F(. ) access, y is legal ciphertext means F(k)=log _p C ₁ , because k≠k* and k has no access to F(.), so the probability of y being legal ciphertext is not greater than 2 ^-λ ; if h has not been queried, the output result is an empty string, if the result is not true, then y must be a legal ciphertext, that is, F(k)=log _P C ₁ and the low λ' bit of sG(k) is 0, If h=h*, because h* has not been queried, so H(h) is completely random; if k≠k*, because h has not been queried, so H(h) is completely random; so there is no condition for h to be queried , H(h) is completely random, then k=tH(h) is completely random, so the probability of F(k)=log _P C ₁ is not greater than 2 ^-2 , sG(k) If the probability that the low λ' bit is 0 is not greater than 2 ^-λ' , then under the condition that h is not accessed, the probability of an error in the simulated response is not greater than 2 ^-λ .

综合以上分析，可知Pr[DBad|﹁AskK∧﹁AskH]≤3q_D/2^λ+q_D/2^λ，则Based on the above analysis, we can know that Pr[DBad|﹃AskK∧﹠AskH]≤3q _D /2 ^λ +q _D /2 ^λ , then

$Pr PR [[Bad Bad | | &Not; &Not; AskH Ask H]] \leq \leq \frac{{q q}_{G G} + + {q q}_{F f} + + 33 {q q}_{D D.}}{22^{λ λ}} + + \frac{{q q}_{D D.}}{22^{{λ λ}^{' '}}}$

$Pr PR [[AskH Ask H]] &GreaterEqual; &Greater Equal; ϵ ϵ - - Pr PR [[Bad Bad | | &Not; &Not; AskH Ask H]] &GreaterEqual; &Greater Equal; ϵ ϵ - - ((\frac{{q q}_{G G} + + {q q}_{F f} + + 33 {q q}_{D D.}}{22^{λ λ}} + + \frac{{q q}_{D D.}}{22^{{λ λ}^{' '}}}))$

故B输出正确的ECDH解的概率Therefore, the probability that B outputs the correct ECDH solution

${ϵ ϵ}^{' '} &GreaterEqual; &Greater Equal; \frac{Pr PR [[AskH Ask H]]}{{66 q q}_{H h}} &GreaterEqual; &Greater Equal; \frac{ϵ ϵ}{{66 q q}_{H h}} - - \frac{{q q}_{G G} + + {q q}_{F f} + + 33 {q q}_{D D.}}{{66 q q}_{H h} 22^{λ λ}} - - \frac{{q q}_{D D.}}{{66 q q}_{H h} 22^{{λ λ}^{' '}}}$

从上式知，如果ε是不可忽略的，则ε′一定是不可忽略的，设A的运行时间为t，则B的运行时间t′＝t+q_Ht_f，其中t_f表示在F_p上求解六次方程所需的时间，显然如果A是多项式时间的，则B一定也是多项式时间的，由上知若∏不是IND-CCA2安全的，则ECCDHP可解，这是矛盾的，故在ECCDHP难解的条件下，∏是IND-CCA2安全的。From the above formula, if ε is non-negligible, then ε′ must be non-negligible, and if the running time of A is t, then the running time of B is t′=t+q _H t _f , where t _f is expressed in F The time required to solve the sextic equation on _p , obviously if A is polynomial time, then B must also be polynomial time. From the above, if Π is not IND-CCA2 safe, then ECCDHP can be solved, which is contradictory, so Under the ECCDHP-hard condition, Π is IND-CCA2 safe.

最后应说明的是：以上实施例仅用以说明本发明而并非限制本发明所描述的技术方案；因此，尽管本说明书参照上述的各个实施例对本发明已进行了详细的说明，但是，本领域的普通技术人员应当理解，仍然可以对本发明进行修改或者等同替换；而一切不脱离本发明的精神和范围的技术方案及其改进，其均应涵盖在本发明的权利要求范围当中。Finally, it should be noted that: the above embodiments are only used to illustrate the present invention rather than limit the technical solutions described in the present invention; Those of ordinary skill in the art should understand that the present invention can still be modified or equivalently replaced; and all technical solutions and improvements that do not depart from the spirit and scope of the present invention should be covered by the claims of the present invention.

Claims

1. A method of data encryption, characterized by: when a sender sends data to a receiver, encrypting the data to be sent according to a pseudo-encryption method; the encryption processing steps are as follows:

step 10: randomly selecting an integer k, wherein the integer k satisfies the following conditions: k is more than 1 and less than n; wherein n is the order of the base point of the elliptic curve;

step 11: calculating F (k), F (k) Q_A(ii) a Wherein:

f (k) is the Hash function value of k, F (k) P is the F (k) times point of the elliptic curve point P, F (k) Q_AIs an elliptic curve point Q_AF (k) times the point of (a);

f (k) is a positive integer less than n, F (k) P and F (k) Q_AAll points are points on an elliptic curve;

step 12: the encrypted data is processed according to the following formula:

m’＝m||0^λ’wherein

m is the encrypted data, m ' is the data in the encryption process, λ ' is the number of 0's to be added;

step 13: calculating G (k); if x (F (k) Q_A) M'  g (k), go to step 10; otherwise, executing step 14;

wherein: g (k) is the Hash function value of k;

x(F(k)Q_A) Is an elliptic curve point F (k) Q_AX coordinate value of (a);

step 14: ciphertext C is calculated according to the following formula:

C＝(C₁，C₂)＝(F(k)P，F(k)Q_A+(m′G(k)，H(m′G(k))k))；

wherein C is a ciphertext data set, C₁And C₂Two elements which are C; and,

C₁＝F(k)P；

C₂＝F(k)Q_A+F(k)Q_A+(m′G(k)，H(m′G(k))k)；

h (m ' G (k)) is the Hash function value of m'  G (k);

step 15: if C is present₂Belongs to the set { m'  G (k) }, x (F (k) Q_A) Executing step 10; otherwise, the ciphertext C is output.

2. A method of decrypting data encrypted according to the method of claim 1, characterized by: when the receiving party receives the encrypted ciphertext data of the sending party, the receiving party decrypts the ciphertext data according to the following method and restores the encrypted data into data; the decryption steps are as follows:

step 20: calculating Q' ═ d_AC₁If x (Q') isequal to x (C)₂) Refusing to receive the ciphertext data; wherein,

q' is an elliptic curve point, d_AIs the private key data of the decryptor, x (Q'), x (C)₂) Are respectively Q' and C₂X coordinate of (a);

step 21: calculating (M, r) ═ C₂-Q', if M ═ x (C)₂) Or x (Q'), refusing to receive the ciphertext data; wherein M, r are the x-coordinate and the y-coordinate of a point on the affine plane, respectively;

step 22: calculating f ═ h (m)  r; wherein H (M) is the Hash function value of M;

step 23: if F (f) P ═ C₁And the rear lambda 'bit value of M is 0, the received plaintext M is the front lambda-lambda' bit of M; otherwise, refusing to receive;

wherein F (f) P is F (f) times the elliptic curve point P;

λ 'is the number of 0's added in the encryption process;

λ is a safety parameter.