Summary of the invention
Embodiments of the present invention provide an information processing method, a user equipment and an encryption device that can reduce computational complexity.
In a first aspect, an information processing method is provided. The method comprises: a user equipment receives a first private key part sent by a key generation centre and generates a secret value, the secret value being a small-norm matrix; the user equipment multiplies the secret value by the first private key part to obtain a second private key part; and the user equipment determines the individual private key of the user equipment from the first private key part and the second private key part.
With reference to the first aspect, in a first possible implementation, generating the secret value may specifically be:
The user equipment generates the secret value according to a Gaussian sampling algorithm; or the user equipment generates the secret value according to a uniform random sampling algorithm.
With reference to the first possible implementation of the first aspect, in a second possible implementation, generating the secret value according to the Gaussian sampling algorithm may specifically be:
From the set of m-dimensional integer vectors, using a standard basis centred on the zero vector and a deviation parameter, draw m column vectors of size m × 1; the m column vectors of size m × 1 form an m × m matrix, where m is a positive integer. Judge whether the m × m matrix is invertible modulo q, where q is a positive integer representing the modulus. If the m × m matrix is not invertible modulo q, draw m column vectors of size m × 1 from the set again; if the m × m matrix is invertible modulo q, determine that the m × m matrix is the secret value.
With reference to the first aspect, or its first or second possible implementation, in a third possible implementation the method may specifically further comprise:
The user equipment selects a random matrix Q, where m and n are positive integers representing dimensions and q is a positive integer representing the modulus; the user equipment determines the public key of the user equipment from Q, the secret value and the first private key part; and the user equipment sends the public key of the user equipment to an encryption device, so that the encryption device generates a ciphertext from the user equipment identity, a message bit and the public key of the user equipment.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation the method may specifically further comprise:
The user equipment receives the ciphertext sent by the encryption device; the user equipment decrypts the ciphertext with the individual private key of the user equipment to obtain the message bit.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, determining the public key of the user equipment from Q, the secret value and the first private key part may specifically be:
u_1 = (QSt) mod q, and the public key of the user equipment is (u_1, Q);
where S is the secret value, t is the first private key part, and mod is the modulo operator. The encryption device generating the ciphertext from the user equipment identity, the message bit and the public key of the user equipment may specifically be:
u = H(id)
P_1 = Q^T K + X,
P_2 = A^T K + X,
and the ciphertext is C = (P_1, P_2, c'),
where H is a hash function, id is the user equipment identity, K is a uniformly random column vector selected by the encryption device, X is drawn from a discrete distribution, A is a random matrix generated by the key generation centre according to a trapdoor generation algorithm, b is the message bit with b ∈ {0, 1}, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, decrypting the ciphertext with the individual private key of the user equipment to obtain the message bit may specifically be:
w = c' − e^T P_1 − t^T P_2
where the ciphertext is C = (P_1, P_2, c'), the individual private key of the user equipment is (t, e), t is the first private key part, e is the second private key part, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
With reference to the first aspect or any of its first to sixth possible implementations, in a seventh possible implementation:
The first private key part is generated by the key generation centre according to a trapdoor generation algorithm, a security parameter and the user equipment identity.
In a second aspect, a private key generation method is provided. The method comprises: an encryption device receives the public key of a user equipment sent by the user equipment, the public key having been determined by the user equipment from Q, a secret value and a first private key part of the user equipment, where the first private key part is sent by a key generation centre, the secret value is a small-norm matrix generated by the user equipment, and Q is a random matrix selected by the user equipment, m and n being positive integers representing dimensions and q a positive integer representing the modulus; and the encryption device generates a ciphertext from the user equipment identity, a message bit and the public key of the user equipment.
With reference to the second aspect, in a first possible implementation the method may specifically further comprise:
The encryption device sends the ciphertext to the user equipment, so that the user equipment decrypts the ciphertext with its individual private key to obtain the message bit; the individual private key of the user equipment is determined by the user equipment from the first private key part and a second private key part of the user equipment, and the second private key part is obtained by the user equipment by multiplying the secret value by the first private key part.
With reference to the second aspect or its first possible implementation, in a second possible implementation, the public key of the user equipment determined by the user equipment from Q, the secret value and the first private key part may specifically be:
u_1 = (QSt) mod q, and the public key of the user equipment is (u_1, Q),
where S is the secret value, t is the first private key part, and mod is the modulo operator. Generating the ciphertext from the user equipment identity, the message bit and the public key of the user equipment may specifically be:
u = H(id)
P_1 = Q^T K + X,
P_2 = A^T K + X,
and the ciphertext is C = (P_1, P_2, c'),
where H is a hash function, id is the user equipment identity, K is a uniformly random column vector selected by the encryption device, X is drawn from a discrete distribution, A is a random matrix generated by the key generation centre according to a trapdoor generation algorithm, b is the message bit with b ∈ {0, 1}, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation:
The first private key part is generated by the key generation centre according to a trapdoor generation algorithm, a security parameter and the user equipment identity.
With reference to the second aspect or any of its first to third possible implementations, in a fourth possible implementation: the secret value is generated by the user equipment according to a Gaussian sampling algorithm or a uniform random sampling algorithm.
In a third aspect, a user equipment is provided. The user equipment comprises: a receiving unit, configured to receive a first private key part of the user equipment sent by a key generation centre; a generation unit, configured to generate a secret value, the secret value being a small-norm matrix; an acquiring unit, configured to multiply the secret value generated by the generation unit by the first private key part received by the receiving unit to obtain a second private key part of the user equipment; and a determining unit, configured to determine the individual private key of the user equipment from the first private key part received by the receiving unit and the second private key part obtained by the acquiring unit.
With reference to the third aspect, in a first possible implementation, the generation unit is specifically configured to generate the secret value according to a Gaussian sampling algorithm, or specifically configured to generate the secret value according to a uniform random sampling algorithm.
With reference to the third aspect or its first possible implementation, in a second possible implementation, the generation unit is specifically configured to: from the set of m-dimensional integer vectors, using a standard basis centred on the zero vector and a deviation parameter, draw m column vectors of size m × 1, the m column vectors of size m × 1 forming an m × m matrix, where m is a positive integer; judge whether the m × m matrix is invertible modulo q, where q is a positive integer representing the modulus; if the m × m matrix is not invertible modulo q, draw m column vectors of size m × 1 from the set again; and if the m × m matrix is invertible modulo q, determine that the m × m matrix is the secret value.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation, the acquiring unit is further configured to select a random matrix Q, where m and n are positive integers representing dimensions and q is a positive integer representing the modulus; the determining unit is further configured to determine the public key of the user equipment from Q, the secret value and the first private key part; and the user equipment further comprises a sending unit, configured to send the public key of the user equipment to an encryption device, so that the encryption device generates a ciphertext from the user equipment identity, a message bit and the public key of the user equipment.
With reference to the third possible implementation of the third aspect, in a fourth possible implementation, the receiving unit is further configured to receive the ciphertext sent by the encryption device, and the acquiring unit is further configured to decrypt the ciphertext with the individual private key of the user equipment to obtain the message bit.
With reference to the fourth possible implementation of the third aspect, in a fifth possible implementation, the determining unit is specifically configured to determine the public key of the user equipment as follows:
u_1 = (QSt) mod q, and the public key of the user equipment is (u_1, Q),
where S is the secret value, t is the first private key part, and mod is the modulo operator.
The ciphertext generated by the encryption device is C = (P_1, P_2, c'), with
u = H(id)
P_1 = Q^T K + X,
P_2 = A^T K + X,
where H is a hash function, id is the user equipment identity, K is a uniformly random column vector selected by the encryption device, X is drawn from a discrete distribution, A is a random matrix generated by the key generation centre according to a trapdoor generation algorithm, b is the message bit with b ∈ {0, 1}, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
In a fourth aspect, an encryption device is provided. The encryption device comprises: a receiving unit, configured to receive the public key of a user equipment sent by the user equipment, the public key having been determined by the user equipment from Q, a secret value and a first private key part of the user equipment, where the first private key part is sent by a key generation centre, the secret value is a small-norm matrix generated by the user equipment, and Q is a random matrix selected by the user equipment, m and n being positive integers representing dimensions and q a positive integer representing the modulus; and a generation unit, configured to generate a ciphertext from the user equipment identity, a message bit and the public key of the user equipment received by the receiving unit.
With reference to the fourth aspect, in a first possible implementation, the encryption device further comprises a sending unit, configured to send the ciphertext to the user equipment, so that the user equipment decrypts the ciphertext with its individual private key to obtain the message bit; the individual private key of the user equipment is determined by the user equipment from the first private key part and a second private key part of the user equipment, and the second private key part is obtained by the user equipment by multiplying the secret value by the first private key part.
With reference to the fourth aspect or its first possible implementation, in a second possible implementation, the public key of the user equipment is (u_1, Q) with u_1 = (QSt) mod q, where S is the secret value, t is the first private key part, and mod is the modulo operator. The generation unit is specifically configured to generate the ciphertext as follows:
u = H(id)
P_1 = Q^T K + X,
P_2 = A^T K + X,
and the ciphertext is C = (P_1, P_2, c'),
where H is a hash function, id is the user equipment identity, K is a uniformly random column vector selected by the encryption device, X is drawn from a discrete distribution, A is a random matrix generated by the key generation centre according to a trapdoor generation algorithm, b is the message bit with b ∈ {0, 1}, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
With reference to the fourth aspect or its first or second possible implementation, in a third possible implementation, the first private key part is generated by the key generation centre according to a trapdoor generation algorithm, a security parameter and the user equipment identity.
With reference to the fourth aspect or any of its first to third possible implementations, in a fourth possible implementation, the secret value is generated by the user equipment according to a Gaussian sampling algorithm or a uniform random sampling algorithm.
Based on the above technical solution, in the embodiments of the present invention the user equipment generates a secret value that is a small-norm matrix and multiplies this secret value by the received first private key part of the user equipment sent by the key generation centre to obtain the second private key part of the user equipment; the first private key part and the second private key part together form the individual private key of the user equipment. The operation that generates the private key is therefore simple, and the computational complexity can be reduced.
Embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that the technical solutions of the embodiments of the present invention can be applied to various communication systems, for example: Global System of Mobile communication ("GSM") systems, Code Division Multiple Access ("CDMA") systems, Wideband Code Division Multiple Access ("WCDMA") systems, General Packet Radio Service ("GPRS"), Long Term Evolution ("LTE") systems, LTE Frequency Division Duplex ("FDD") systems, LTE Time Division Duplex ("TDD"), Universal Mobile Telecommunication System ("UMTS"), Worldwide Interoperability for Microwave Access ("WiMAX") communication systems, and so on.
It should also be understood that, in the embodiments of the present invention, a user equipment (User Equipment, "UE") may also be called a terminal (Terminal), a mobile station (Mobile Station, "MS"), a mobile terminal (Mobile Terminal), and so on. The user equipment may communicate with one or more core networks through a radio access network (Radio Access Network, "RAN"); for example, the user equipment may be a mobile phone (also called a "cellular" phone) or a computer with a mobile terminal, and it may also be a portable, pocket-sized, hand-held, computer-built-in or vehicle-mounted mobile device that exchanges voice and/or data with the radio access network.
The mathematical theory applied in the present invention and the technical terms used are explained as follows:
1. Lattice trapdoor generation algorithm: used to generate a random orthogonal lattice and a trapdoor basis (a basis of small Euclidean norm) of that random lattice.
2. Euclidean norm: for a vector x = (x_1, ..., x_n) the Euclidean norm is denoted ||x||; for a matrix X = (x_1, ..., x_n) the Euclidean norm is defined as ||X|| = max_i ||x_i||.
3. Hash function: a function that maps an input message of arbitrary length to an output of fixed length.
4. Preimage sampling algorithm: given a preimage-sampleable function f_A(x) = Ax mod q and an image y, the trapdoor is used to extract a preimage x from the preimage set of y such that Ax mod q = y.
5. Invertibility modulo q: a matrix A is invertible modulo q if A mod q is invertible as a matrix over the residues modulo q. In other words, a matrix A is invertible modulo q if there exists a matrix B such that AB mod q = I, where I is the identity matrix and q is a positive integer representing the modulus.
Fig. 1 is a flow chart of an information processing method according to an embodiment of the present invention. The method of Fig. 1 is performed by a UE.
101: Receive a first private key part of the user equipment sent by a key generation centre, and generate a secret value, the secret value being a small-norm matrix.
102: Multiply the secret value by the first private key part to obtain a second private key part of the user equipment.
103: Determine the individual private key of the user equipment from the first private key part and the second private key part.
Based on the above technical solution, in the embodiments of the present invention the user equipment generates a secret value that is a small-norm matrix and multiplies this secret value by the received first private key part of the user equipment sent by the key generation centre to obtain the second private key part of the user equipment; the first private key part and the second private key part together form the individual private key of the user equipment. The operation that generates the private key is therefore simple, and the computational complexity can be reduced.
Optionally, as an embodiment, in step 101 the user equipment may generate this small-norm matrix S according to a uniform random sampling algorithm or a Gaussian sampling algorithm, where m and q are positive integers.
It should be understood that the embodiments of the present invention do not limit the algorithm used by the user equipment to generate the secret value.
Preferably, taking as an example the user equipment generating this small-norm matrix according to the Gaussian sampling algorithm, the user equipment may, from the set of m-dimensional integer vectors (also called the lattice), using a standard basis centred on the zero vector and a deviation parameter (which may, for example, be chosen in terms of a positive integer k), draw m column vectors of size m × 1 and form an m × m matrix from them. For example, the m column vectors of size m × 1 drawn from the set are s_1, s_2, ..., s_m, and the m × m matrix they form is S' = (s_1, s_2, ..., s_m). Further, the user equipment judges whether S' is invertible modulo q, that is, whether S' reduced modulo q is invertible as a matrix over the residues modulo q. If S' is not invertible modulo q, m column vectors of size m × 1 are drawn from the set again; if S' is invertible modulo q, S' is determined to be the small-norm matrix S, i.e. the secret value. Because the probability that the obtained S' is invertible modulo q is at least a stated bound in which ε is a negligible function, and the value of the deviation parameter can be much larger than 1, the probability that S' is invertible modulo q approaches 1. Therefore the probability of obtaining an m × m matrix invertible modulo q within at most two draws is maximal, which improves the efficiency of generating the secret value and thereby the efficiency of generating the individual private key of the user equipment.
The secret value S is a small-norm matrix following a Gaussian distribution. In step 102 the user equipment multiplies the secret value S by the first private key part t sent by the key generation centre to obtain the second private key part e = St, which is also a small-norm matrix following a Gaussian distribution. In step 103 the user equipment determines the individual private key of the user equipment to be (t, e).
The secret value is a small-norm matrix, and in step 102 the second private key part obtained by multiplying the secret value by the first private key part is also a small-norm matrix. The method of generating the second private key part in the embodiments of the present invention is therefore extensible and portable; that is, it can also be used in other schemes, for example to construct a proxy signature scheme or a proxy re-signature scheme. For example, in a lattice-based signature scheme the signature of a message is a small-norm vector (call it signature B1); by constructing a small-norm matrix and applying the second-private-key-part generation method of the embodiments of the present invention (multiplication of a matrix by a vector), signature B1 can be transformed into a signature B2 that has the same character as B1, namely it is still a small-norm vector. As another example, private keys on lattices are all small-norm matrices and vectors; since a small-norm matrix has this transfer property, the second-private-key-part generation method of the embodiments of the present invention can realise the transfer of a private key and thereby construct proxy signatures and the like. It should be understood that the embodiments of the present invention do not limit the applications of the second-private-key-part generation method.
Optionally, as another embodiment, the user equipment may select a random matrix Q, determine the public key of the user equipment from Q, the secret value and the first private key part, and send the public key of the user equipment to an encryption device, so that the encryption device generates a ciphertext from the user equipment identity, a message bit and the public key of the user equipment. Further, the user equipment may receive the ciphertext sent by the encryption device and decrypt it with the individual private key of the user equipment determined in step 103 to obtain the message bit.
Specifically, the user equipment may determine the public key of the user equipment to be (u_1, Q) by the following formula:
u_1 = (QSt) mod q (1)
where S is the above secret value, t is the first private key part, and mod is the modulo operator.
The encryption device receives the public key (u_1, Q) of the user equipment sent by the user equipment and may encrypt a message bit by the following formulas, generating the ciphertext C = (P_1, P_2, c'):
u = H(id) (2)
P_1 = Q^T K + X,
P_2 = A^T K + X,
where H is a hash function, id is the user equipment identity, K is a uniformly random column vector selected by the encryption device, X is drawn from a discrete distribution, A is a random matrix generated by the key generation centre according to a trapdoor generation algorithm (the random variable of this discrete distribution is distributed as ψ_α, where ψ_α is the distribution obtained by taking a value from the normal distribution with mean 0 and the given standard deviation and reducing it modulo 1, and the nearest-rounding operator rounds to the nearest integer), b is the message bit with b ∈ {0, 1}, superscript T denotes transposition, and the remaining operator is the round-down (floor) operator.
With the above scheme, the ciphertext generated by the encryption device is indistinguishable from uniformly distributed data; the ciphertext has the form C = (P_1, P_2, c'), and the identity of the user equipment receiving the ciphertext is hidden in the ciphertext. Information related to the identity of the user equipment therefore cannot be obtained directly from the ciphertext C = (P_1, P_2, c'), which improves security.
Further, the user equipment receives the above ciphertext C = (P_1, P_2, c') sent by the encryption device and may decrypt the ciphertext with the individual private key of the user equipment to obtain the message bit; specifically, the message bit b may be obtained by the following formula:
w = c' − e^T P_1 − t^T P_2 (6)
If the decision condition on w holds, output 1, i.e. b = 1;
where the individual private key of the user equipment is (t, e), t is the first private key part, e is the above second private key part, and superscript T denotes transposition.
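Formula (1), the ciphertext components P_1 and P_2, and decryption formula (6) fit together because e = St and At = u; the following added example, which is not code from the patent, checks that algebra numerically. It uses toy dimensions n = 4, m = 8 and q = 4093, uniformly drawn small integer vectors in place of Gaussian samples, two independent noise vectors X_1 and X_2 where the page writes X for both, and a constructed stand-in for the key generation centre in which t is chosen first and u := At mod q (the patent obtains t as a trapdoor preimage of u = H(id)). Because the page does not reproduce the formula for c', the example stops at the quantity e^T P_1 + t^T P_2 that (6) subtracts from c' and shows it equals (u_1 + u)^T K plus the small noise e^T X_1 + t^T X_2; the helper matrix_norm implements the matrix norm of item 2 above. All names and parameter values are the example's own.

```python
import math
import random
from typing import Dict, List

Vec = List[int]
Mat = List[List[int]]

N, M, MOD_Q = 4, 8, 4093  # constructed toy dimensions n, m and modulus q


def transpose(A: Mat) -> Mat:
    return [list(col) for col in zip(*A)]


def dot(u: Vec, v: Vec) -> int:
    return sum(a * b for a, b in zip(u, v))


def mat_vec(A: Mat, v: Vec) -> Vec:
    """Integer product A v; callers reduce modulo q where the page does."""
    return [dot(row, v) for row in A]


def euclid_norm(v: Vec) -> float:
    """Euclidean norm of a vector (item 2 above)."""
    return math.sqrt(dot(v, v))


def matrix_norm(A: Mat) -> float:
    """Page's matrix norm: ||X|| = max_i ||x_i|| over the columns x_i."""
    return max(euclid_norm(col) for col in transpose(A))


def small_vector(rng: random.Random, length: int, bound: int) -> Vec:
    """Constructed stand-in for a small-norm sample: entries in [-bound, bound]."""
    return [rng.randint(-bound, bound) for _ in range(length)]


def user_key_material(seed: int) -> Dict[str, object]:
    """Steps 101-103 plus formula (1), with constructed stand-ins for the KGC output."""
    rng = random.Random(seed)
    # Stand-in for the KGC: A is a uniformly random n x m matrix and t is chosen
    # small first, with u := A t mod q, so that A t = u holds by construction
    # (the page obtains t as a trapdoor preimage of u = H(id) instead).
    A = [[rng.randrange(MOD_Q) for _ in range(M)] for _ in range(N)]
    t = small_vector(rng, M, 2)                          # first private key part
    u = [x % MOD_Q for x in mat_vec(A, t)]               # plays the role of H(id)
    S = [small_vector(rng, M, 2) for _ in range(M)]      # secret value, small-norm m x m
    e = mat_vec(S, t)                                    # second private key part e = S t
    Qmat = [[rng.randrange(MOD_Q) for _ in range(M)] for _ in range(N)]  # random matrix Q
    u1 = [x % MOD_Q for x in mat_vec(Qmat, e)]           # u_1 = (Q S t) mod q = (Q e) mod q
    return {"A": A, "t": t, "u": u, "S": S, "e": e, "Q": Qmat, "u1": u1}


def encryptor_components(A: Mat, Qmat: Mat, seed: int) -> Dict[str, object]:
    """P_1 = Q^T K + X_1 and P_2 = A^T K + X_2 as on the page; the page writes X
    for both noise terms, two independent samples are assumed here."""
    rng = random.Random(seed)
    K = [rng.randrange(MOD_Q) for _ in range(N)]          # uniformly random column vector
    X1 = small_vector(rng, M, 1)
    X2 = small_vector(rng, M, 1)
    P1 = [(a + b) % MOD_Q for a, b in zip(mat_vec(transpose(Qmat), K), X1)]
    P2 = [(a + b) % MOD_Q for a, b in zip(mat_vec(transpose(A), K), X2)]
    return {"K": K, "X1": X1, "X2": X2, "P1": P1, "P2": P2}


def decryption_mask(e: Vec, t: Vec, P1: Vec, P2: Vec) -> int:
    """(e^T P_1 + t^T P_2) mod q: the quantity formula (6) subtracts from c'."""
    return (dot(e, P1) + dot(t, P2)) % MOD_Q


def predicted_mask(u1: Vec, u: Vec, K: Vec, e: Vec, t: Vec, X1: Vec, X2: Vec) -> int:
    """Since e = S t and A t = u (mod q): e^T Q^T K = u_1^T K and t^T A^T K = u^T K,
    so the mask equals (u_1 + u)^T K plus the small noise e^T X_1 + t^T X_2."""
    return (dot(u1, K) + dot(u, K) + dot(e, X1) + dot(t, X2)) % MOD_Q


def noise_bound(e: Vec, t: Vec, X1: Vec, X2: Vec) -> float:
    """Cauchy-Schwarz bound on |e^T X_1 + t^T X_2|; it must stay small relative
    to q for w to be decodable once the mask is removed."""
    return euclid_norm(e) * euclid_norm(X1) + euclid_norm(t) * euclid_norm(X2)


def mask_identity_holds(seed: int = 7) -> bool:
    keys = user_key_material(seed)
    ct = encryptor_components(keys["A"], keys["Q"], seed + 1)
    return decryption_mask(keys["e"], keys["t"], ct["P1"], ct["P2"]) == predicted_mask(
        keys["u1"], keys["u"], ct["K"], keys["e"], keys["t"], ct["X1"], ct["X2"])
```

The identity is what lets a public first part t coexist with a secret second part e: the mask depends on K only through (u_1 + u)^T K, which the encryptor can compute from the public (u_1, Q) and u, while removing it on the receiving side requires e = St, hence the secret S. The noise_bound value is the quantity a reviewer checks against q when choosing the deviation of the samplers.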
It should be understood that the embodiments of the present invention do not limit the manner in which the user equipment determines the public key of the user equipment, the manner in which the key generation centre encrypts the message, or the manner in which the user equipment decrypts the ciphertext.
Optionally, as another embodiment, before step 101 the first private key part may be generated by the key generation centre according to a trapdoor generation algorithm, a security parameter and the user equipment identity.
Specifically, the key generation centre produces a random matrix A according to the trapdoor generation algorithm, together with a trapdoor basis T, and the trapdoor basis satisfies a bound on its Euclidean norm (|| || denotes the Euclidean norm and n is the security parameter). The preimage-sampleable function is as defined in item 4 above; the key generation centre obtains the master public key A and the master private key T. The key generation centre applies the hash function to the user equipment identity id to compute u = H(id), and uses the master private key T and the preimage sampling algorithm to extract a preimage t of u; this t is the first private key part.
With the above scheme, the first private key part that the key generation centre sends to the user equipment does not need to be kept secret and can be transmitted over a public channel; in other words, no secure channel needs to be established in advance between the key generation centre and the user equipment.
It should be understood that the embodiments of the present invention do not limit the form in which the key generation centre generates the first private key part.
The embodiments of the present invention are also described in further detail below with reference to the example of Fig. 3.
Fig. 2 is a flow chart of an information processing method according to another embodiment of the present invention. The method of Fig. 2 is performed by the encryption device and corresponds to the method of Fig. 1; descriptions that repeat the embodiment of Fig. 1 are therefore omitted where appropriate.
201: Receive the public key of a user equipment sent by the user equipment, the public key having been determined by the user equipment from Q, a secret value and a first private key part of the user equipment, where the first private key part is sent by a key generation centre, the secret value is a small-norm matrix generated by the user equipment, and Q is a random matrix selected by the user equipment, m, n and q being positive integers.
202: Generate a ciphertext from the user equipment identity, a message bit and the public key of the user equipment.
Optionally, as an embodiment, in step 201 the public key of the user equipment received by the encryption device is (u_1, Q), obtained by the user equipment by formula (1) above. In step 202 the encryption device may generate the ciphertext by formulas (2) to (5) above, the ciphertext being C = (P_1, P_2, c').
With the above scheme, the ciphertext generated by the encryption device is indistinguishable from uniformly distributed data; the ciphertext has the form C = (P_1, P_2, c'), and the identity of the user equipment receiving the ciphertext is hidden in the ciphertext. Information related to the identity of the user equipment therefore cannot be obtained directly from the ciphertext C = (P_1, P_2, c'), which improves security.
Optionally, as another embodiment, the above secret value is generated by the user equipment according to a Gaussian sampling algorithm or a uniform random sampling algorithm.
Optionally, as another embodiment, the first private key part may be generated by the key generation centre according to a trapdoor generation algorithm, a security parameter and the user equipment identity.
Optionally, as another embodiment, after step 202 the encryption device sends the ciphertext to the user equipment, so that the user equipment decrypts the ciphertext with the individual private key of the user equipment to obtain the message bit. The individual private key of the user equipment is determined by the user equipment from the first private key part and the second private key part of the user equipment, and the second private key part is obtained by the user equipment by multiplying the first private key part by the secret value. Examples of the user equipment obtaining the second private key part and determining the individual private key of the user equipment are described above and are not repeated here.
Based on the above technical solution, in the embodiments of the present invention the user equipment generates a secret value according to a Gaussian sampling algorithm and multiplies this secret value by the received first private key part of the user equipment sent by the key generation centre to obtain the second private key part of the user equipment; the first private key part and the second private key part together form the individual private key of the user equipment. The operation by which the user equipment generates the private key is therefore simple, and the computational complexity can be reduced.
The embodiment of the present invention is described in further detail below in conjunction with the example of Fig. 3.
Fig. 3 is a schematic flowchart of the process of an information processing method of another embodiment of the present invention.
301, the key generation centre generates the Part I private key.
Alternatively, the key generation centre can generate the Part I private key according to a trapdoor generating algorithm, a security parameter and the customer equipment identification id.
For example, key generation centre produces a random matrix A according to trapdoor generating algorithm,
to pass
a trapdoor base T,
and
n is the security parameter. The preimage sampling function is
the key generation centre obtains the master public key A and the master private key T. The key generation centre computes a hash function on the customer equipment identification id to obtain u=H(id),
and uses the master private key T and the preimage sampling algorithm to extract a preimage t_id of u,
that is, t_id is the Part I private key.
By such a scheme, the Part I private key that the key generation centre sends to the subscriber equipment does not need to be kept secret and can be transmitted over an open channel; in other words, no secure channel needs to be established in advance between the key generation centre and the subscriber equipment.
Alternatively, the key generation centre can send the master public key A to the subscriber equipment.
It should be understood that the embodiment of the present invention does not limit the form in which the key generation centre generates the Part I private key.
302, the key generation centre sends the Part I private key to the subscriber equipment.
303, the subscriber equipment generates a secret value.
The secret value is a little norm matrix.
Alternatively, the subscriber equipment generates the secret value according to Gauss's sampling algorithm. Specifically, the subscriber equipment can, according to the lattice
a canonical basis, centred at the 0 vector, according to the deviation (which can for example be taken as
where k is a positive integer), from
extract m column vectors of m × 1, which compose an m × m matrix. For example, the m column vectors of m × 1 extracted from
are respectively s_1, s_2, ..., s_m, and the m × m matrix they compose is S'=(s_1, s_2, ..., s_m). Further, the subscriber equipment judges whether S' is
invertible, that is, the subscriber equipment judges whether S' satisfies
(S'/q, as a
matrix, is invertible); if S' is not
invertible, from
again extract m column vectors of m × 1; if S' is invertible, determine S' to be the little norm matrix S, namely the secret value. Because the probability that the obtained S' is
invertible is at least
and the value of the deviation can be much larger than 1, the probability that the obtained S' is
invertible approaches 1; therefore, with at most two extractions the probability of obtaining a
invertible m × m matrix is maximal, which improves the efficiency of generating the secret value and thereby improves the efficiency of generating the individual private key of the subscriber equipment.
It should be understood that the embodiment of the present invention does not limit the algorithm adopted by the subscriber equipment to generate the secret value; for example, the subscriber equipment of the embodiment of the present invention can also generate the secret value according to a random uniform sampling algorithm.
304, the subscriber equipment determines the individual private key of the subscriber equipment.
The subscriber equipment multiplies the secret value S generated in step 303 by the Part I private key t_id received in step 302 to obtain the Part II private key e_id = S t_id, and determines that the individual private key of the subscriber equipment is (t_id, e_id). Therefore, the computation for generating the private key is simple, and the computational complexity can be reduced.
In addition, because the Part II private key is also a little norm matrix, the method of generating the Part II private key in the embodiment of the present invention is extensible and portable; that is, the embodiment of the present invention can also be used in other schemes, for example to construct a proxy signature scheme or a proxy re-signature scheme.
It should be understood that the embodiment of the present invention does not limit the application of the Part II private key generation method.
305, the subscriber equipment determines the public key of the subscriber equipment.
Alternatively, the subscriber equipment can select a random matrix Q,
and determine the public key of the subscriber equipment according to Q, the secret value and the Part I private key. Specifically, the subscriber equipment can determine by the above formula (1) that the public key of the subscriber equipment is (u1, Q).
It should be understood that the embodiment of the present invention does not limit the order in which the subscriber equipment determines the public key of the subscriber equipment and determines the individual private key of the subscriber equipment.
306, the subscriber equipment sends the public key of the subscriber equipment to the encryption device.
307, the encryption device generates a ciphertext.
Alternatively, the encryption device encrypts a message M: it can generate the ciphertext of a message bit b according to the user identity id, the message bit b (one message bit of the message M, b ∈ {0,1}) and the public key of the subscriber equipment received in step 306. Specifically, the encryption device computes a hash function on the user identity id to obtain u=H(id), selects a uniformly random column vector K,
and determines P1, P2 and c' by the above formulas (3), (4) and (5); the ciphertext of this message bit b is C=(P1, P2, c'),
where the master public key A generated by the key generation centre can be sent by the subscriber equipment to the encryption device.
The encryption device encrypts each message bit of the message M in the above way. Because the ciphertext generated by the encryption device is indistinguishable from a uniform distribution and has the form C=(P1, P2, c'), the identity (for example the customer equipment identification) of the subscriber equipment that receives the ciphertext is hidden in the ciphertext, so information relating to the identity of the subscriber equipment cannot be obtained directly from the ciphertext C=(P1, P2, c'), thereby improving security.
308, the encryption device sends the ciphertext to the subscriber equipment.
309, the subscriber equipment decrypts the ciphertext.
Alternatively, the subscriber equipment receives the ciphertext of the message M sent by the encryption device in step 308 and decrypts the ciphertext of the message M according to the individual private key of the subscriber equipment to obtain the message M. For the ciphertext C=(P1, P2, c') of one message bit b of the message M, w can be obtained by the above formula (6); if
output 1, i.e. b=1; if
output 0, i.e. b=0.
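The following Python program is an added worked example, not code from the patent or its applicant: it runs steps 303 to 309 above end to end on constructed toy data. Every numeric choice in it is an assumption made for illustration (n=4, m=8, a prime modulus q=1000003, deviation 1.5), and two points the page leaves unspecified are filled by labelled assumptions. The trapdoor preimage sampling of step 301 is replaced by choosing a short t first and defining u = A t mod q, which is the relation step 309 relies on; and because formula (5) for c' did not survive extraction, c' is taken as (u1 + u)^T K + x + b·floor(q/2), the form under which decryption formula (6) yields w = x - e^T X1 - t^T X2 + b·floor(q/2). The noise terms are drawn from {-1, 0, 1} instead of the page's rounded Gaussian distribution, two independent noise vectors X1 and X2 are used, and the decision rule of step 309 is |w| > q/4. What the example shows beyond the text is the concrete invertibility check of step 303 (determinant modulo the prime q by elimination, resampling on failure and counting attempts), the derivation e = S t of step 304, and that the small norm of (t, e) is exactly what keeps the error term in (6) far below q/4.

```python
import math
import random

# Toy parameters, constructed for illustration only: far too small for any security.
N, M = 4, 8            # A and Q are n x m over Z_q; S is m x m; t, e are m-vectors
Q_MOD = 1_000_003      # prime modulus, so "invertible mod q" means "det mod q != 0"
SIGMA = 1.5            # deviation of the Gaussian sampler used for the secret value S


def sample_discrete_gaussian(rng, sigma):
    """Rejection-sample one integer from the discrete Gaussian centred at 0 (tail cut at 6 sigma)."""
    tau = int(math.ceil(6 * sigma))
    while True:
        z = rng.randint(-tau, tau)
        if rng.random() < math.exp(-z * z / (2 * sigma * sigma)):
            return z


def det_mod_q(mat, q):
    """Determinant of a square integer matrix modulo the prime q, by Gaussian elimination."""
    a = [[x % q for x in row] for row in mat]
    n, det = len(a), 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col]), None)
        if pivot is None:
            return 0                      # no non-zero pivot: singular over Z_q
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            det = -det
        det = det * a[col][col] % q
        inv = pow(a[col][col], -1, q)
        for r in range(col + 1, n):
            f = a[r][col] * inv % q
            if f:
                a[r] = [(x - f * y) % q for x, y in zip(a[r], a[col])]
    return det % q


def generate_secret_value(rng, m=M, q=Q_MOD, sigma=SIGMA):
    """Step 303: sample an m x m little norm matrix S'; resample until it is invertible mod q."""
    attempts = 0
    while True:
        attempts += 1
        s_prime = [[sample_discrete_gaussian(rng, sigma) for _ in range(m)] for _ in range(m)]
        if det_mod_q(s_prime, q) != 0:
            return s_prime, attempts      # S' becomes the secret value S


def matvec(mat, vec, q=None):
    """Matrix-vector product over the integers, reduced mod q when q is given."""
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [x % q for x in out] if q else out


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def derive_private_key(S, t):
    """Step 304: Part II private key e = S t; the individual private key is (t, e)."""
    return t, matvec(S, t)


def derive_public_key(rng, S, t, n=N, m=M, q=Q_MOD):
    """Step 305, formula (1): choose a random n x m matrix Q and set u1 = (Q S t) mod q."""
    Qmat = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    return matvec(Qmat, matvec(S, t), q), Qmat


def encrypt_bit(rng, b, u, u1, Qmat, A, q=Q_MOD):
    """Step 307: P1 = Q^T K + X1, P2 = A^T K + X2 (formulas (3), (4)); c' is the assumed formula (5)."""
    K = [rng.randrange(q) for _ in range(len(A))]          # uniformly random column vector in Z_q^n
    X1 = [rng.choice((-1, 0, 1)) for _ in range(M)]         # small noise, stand-in for the page's
    X2 = [rng.choice((-1, 0, 1)) for _ in range(M)]         # rounded-Gaussian noise distribution
    P1 = [(a + x) % q for a, x in zip(matvec(list(zip(*Qmat)), K), X1)]
    P2 = [(a + x) % q for a, x in zip(matvec(list(zip(*A)), K), X2)]
    x = rng.choice((-1, 0, 1))
    c = (dot([p + r for p, r in zip(u1, u)], K) + x + b * (q // 2)) % q   # assumption, see lead-in
    return P1, P2, c


def decrypt_bit(priv, C, q=Q_MOD):
    """Step 309, formula (6): w = c' - e^T P1 - t^T P2, then decide b from the half of Z_q w lands in."""
    t, e = priv
    P1, P2, c = C
    w = (c - dot(e, P1) - dot(t, P2)) % q
    if w > q // 2:
        w -= q                            # centre w into (-q/2, q/2]
    return 1 if abs(w) > q // 4 else 0


def demo(seed=7, message_bits=(1, 0, 1, 1, 0, 0, 1, 0)):
    """Run steps 301-309 end to end on constructed data; return the recovered bits and sampling attempts."""
    rng = random.Random(seed)
    # Step 301 stand-in (assumption): instead of extracting t from u = H(id) with the trapdoor T,
    # choose the short preimage t first and define u = A t mod q, the relation step 309 needs.
    A = [[rng.randrange(Q_MOD) for _ in range(M)] for _ in range(N)]
    t = [rng.choice((-1, 0, 1)) for _ in range(M)]
    u = matvec(A, t, Q_MOD)
    S, attempts = generate_secret_value(rng)                # step 303
    priv = derive_private_key(S, t)                         # step 304
    u1, Qmat = derive_public_key(rng, S, t)                 # step 305
    recovered = [decrypt_bit(priv, encrypt_bit(rng, b, u, u1, Qmat, A)) for b in message_bits]
    return recovered, attempts
```

Calling demo() returns the recovered bits together with the number of sampling rounds step 303 needed; with these parameters the error term in w is bounded by a few hundred, so every bit decodes correctly, and the attempt counter makes the "at most two extractions" claim of step 303 observable on real runs.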
It should be understood that the embodiment of the present invention does not limit the manner in which the subscriber equipment determines the public key of the subscriber equipment, the manner in which the key generation centre encrypts the message, or the manner in which the subscriber equipment decrypts the ciphertext.
Fig. 4 is a structural block diagram of the subscriber equipment of one embodiment of the present invention. The subscriber equipment 400 comprises a receiving unit 401, a generation unit 402, an acquiring unit 403 and a determining unit 404.
The receiving unit 401 is configured to receive the Part I private key of the subscriber equipment sent by the key generation centre.
The generation unit 402 is configured to generate a secret value, the secret value being a little norm matrix.
The acquiring unit 403 is configured to multiply the secret value generated by the generation unit 402 and the Part I private key received by the receiving unit 401 to obtain the Part II private key of the subscriber equipment.
The determining unit 404 is configured to determine the individual private key of the subscriber equipment according to the Part I private key received by the receiving unit 401 and the Part II private key obtained by the acquiring unit 403.
Based on the above technical scheme, the subscriber equipment of the embodiment of the present invention generates a secret value, which is a little norm matrix, multiplies this secret value by the received Part I private key of the subscriber equipment sent by the key generation centre to obtain the Part II private key of the subscriber equipment, and the Part I private key and the Part II private key compose the individual private key of the subscriber equipment. Therefore, the computation for generating the private key is simple, and the computational complexity can be reduced.
The subscriber equipment 400 can perform the operations relating to the subscriber equipment in the embodiments of Fig. 1 to Fig. 3; therefore, to avoid repetition, they are not described in detail.
Alternatively, as an embodiment, the generation unit 402 is specifically configured to generate the secret value according to Gauss's sampling algorithm, or is specifically configured to generate the secret value according to a random uniform sampling algorithm.
It should be understood that the embodiment of the present invention does not limit the algorithm adopted by the subscriber equipment to generate the secret value.
Preferably, taking as an example the generation unit 402 generating this little norm matrix according to Gauss's sampling algorithm, the generation unit 402 is specifically configured to: according to the set of m-dimensional integer vectors
a canonical basis, centred at the 0 vector, according to the deviation, from
extract m column vectors of m × 1. The m column vectors of m × 1 compose an m × m matrix, where the subscript m is a positive integer; judge whether the m × m matrix is
invertible, where the subscript q is a positive integer representing the modulus. If the m × m matrix is not
invertible, from
again extract m column vectors of m × 1; if the m × m matrix is
invertible, determine the m × m matrix to be the secret value. Because the probability that the obtained S' is
invertible is at least
and the value of the deviation can be much larger than 1, the probability that the obtained S' is
invertible approaches 1; therefore, with at most two extractions the probability of obtaining a
invertible m × m matrix is maximal, which improves the efficiency of generating the secret value and thereby improves the efficiency of generating the individual private key of the subscriber equipment.
The secret value S is a little norm matrix following a Gaussian distribution, and the acquiring unit 403 multiplies the secret value S by the Part I private key t (
) sent by the key generation centre to obtain the Part II private key e=St, and the determining unit 404 determines that the individual private key of the subscriber equipment is (t, e).
In addition, the Part II private key is also a little norm matrix. Therefore, the method of generating the Part II private key in the embodiment of the present invention is extensible and portable; that is, the embodiment of the present invention can also be used in other schemes, for example to construct a proxy signature scheme or a proxy re-signature scheme.
It should be understood that the embodiment of the present invention does not limit the application of the Part II private key generation method.
Alternatively, as another embodiment, the acquiring unit 403 is further configured to select a random matrix Q,
where the subscripts m and n are positive integers representing dimensions and the subscript q is a positive integer representing the modulus. The determining unit 404 is further configured to determine the public key of the subscriber equipment according to Q, the secret value and the Part I private key. The subscriber equipment 400 further comprises a transmitting unit 405, and the transmitting unit 405 is configured to send the public key of the subscriber equipment to the encryption device, so that the encryption device generates a ciphertext according to the user identity, the message bit and the public key of the subscriber equipment. Further, the receiving unit 401 is further configured to receive the ciphertext sent by the encryption device. The acquiring unit 403 is further configured to decrypt the ciphertext according to the individual private key of the subscriber equipment to obtain the message bit.
Specifically, the determining unit 404 is specifically configured to determine, according to the following formula, that the public key of the subscriber equipment is (u1, Q):
u1=(QSt) mod q (1)
where S is the above secret value,
t is the Part I private key,
and mod is the modulo operator.
The ciphertext generated by the encryption device by the following formulas is C=(P1, P2, c'):
u=H(id) (2)
P1=Q^T K+X, (3)
P2=A^T K+X, (4)
where H is a hash function, id is the customer equipment identification, K is the uniformly random column vector selected by the encryption device,
follows
the discrete distribution over, A is the random matrix generated by the key generation centre according to the trapdoor generating algorithm,
follows
the discrete distribution over, where the subscript
(
is
the discrete distribution over whose random variable is
distributed as ψ_α, where ψ_α is
the distribution over obtained by choosing a value from the normal distribution with mean 0 and standard deviation
and reducing it modulo 1,
denotes rounding to the nearest integer), b is the message bit, b ∈ {0,1}, the superscript T denotes transposition, and
denotes the floor operation.
By such a scheme, the ciphertext generated by the encryption device is indistinguishable from a uniform distribution and has the form C=(P1, P2, c'); the identity of the subscriber equipment that receives the ciphertext is hidden in the ciphertext, so information relating to the identity of the subscriber equipment cannot be obtained directly from the ciphertext C=(P1, P2, c'), thereby improving security.
Further, the acquiring unit 403 is specifically configured to obtain the above message bit according to the following formula:
w=c'-e^T P1-t^T P2 (6)
where the individual private key of the subscriber equipment is (t, e), t is the Part I private key, e is the above Part II private key, and the superscript T denotes transposition.
It should be understood that the embodiment of the present invention does not limit the manner in which the subscriber equipment determines the public key of the subscriber equipment, the manner in which the key generation centre encrypts the message, or the manner in which the subscriber equipment decrypts the ciphertext.
Fig. 5 is a structural block diagram of the encryption device of another embodiment of the present invention. The encryption device 500 comprises a receiving unit 501 and a generation unit 502.
The receiving unit 501 is configured to receive the public key of the subscriber equipment sent by the subscriber equipment, where the public key of the subscriber equipment is determined by the subscriber equipment according to Q, the secret value and the Part I private key of the subscriber equipment, the Part I private key is sent by the key generation centre, the secret value is a little norm matrix generated by the subscriber equipment, and Q is a random matrix selected by the subscriber equipment,
where the subscripts m and n are positive integers representing dimensions and the subscript q is a positive integer representing the modulus.
The generation unit 502 is configured to generate a ciphertext according to the user identity, the message bit and the public key of the subscriber equipment received by the receiving unit 501.
Alternatively, as an embodiment, the public key of the subscriber equipment that the receiving unit 501 receives from the subscriber equipment is (u1, Q), obtained by the subscriber equipment by the above formula (1). The generation unit 502 is specifically configured to generate the ciphertext C=(P1, P2, c') by the above formulas (2)-(5).
By such a scheme, the ciphertext generated by the encryption device is indistinguishable from a uniform distribution and has the form C=(P1, P2, c'); the identity of the subscriber equipment that receives the ciphertext is hidden in the ciphertext, so information relating to the identity of the subscriber equipment cannot be obtained directly from the ciphertext C=(P1, P2, c'), thereby improving security.
The encryption device 500 can perform the operations relating to the encryption device in the embodiments of Fig. 1 to Fig. 3; therefore, to avoid repetition, they are not described in detail.
Alternatively, as another embodiment, the above secret value is generated by the subscriber equipment according to Gauss's sampling algorithm or a random uniform sampling algorithm.
It should be understood that the embodiment of the present invention does not limit the algorithm adopted by the subscriber equipment to generate the secret value.
Alternatively, as another embodiment, the Part I private key can be generated by the key generation centre according to a trapdoor generating algorithm, a security parameter and the customer equipment identification.
Alternatively, as another embodiment, the encryption device 500 further comprises a transmitting unit 503, and the transmitting unit 503 is configured to send the ciphertext to the subscriber equipment, so that the subscriber equipment decrypts the ciphertext according to its individual private key to obtain the message bit; the individual private key of the subscriber equipment is determined by the subscriber equipment according to the Part I private key and the Part II private key of the subscriber equipment, and the Part II private key is obtained by the subscriber equipment by multiplying the secret value and the Part I private key.
Based on the above technical scheme, the subscriber equipment of the embodiment of the present invention generates a secret value, which is a little norm matrix, multiplies this secret value by the received Part I private key of the subscriber equipment sent by the key generation centre to obtain the Part II private key of the subscriber equipment, and the Part I private key and the Part II private key compose the individual private key of the subscriber equipment. Therefore, the computation by which the subscriber equipment generates the private key is simple, and the computational complexity can be reduced.
The embodiment of the present invention further provides device embodiments that implement each step and method of the above method embodiments. Fig. 6 shows one embodiment of a device; in this embodiment, the device 600 comprises a processor 601, a memory 602, a transmitter 603 and a receiver 604. The processor 601 controls the operation of the device 600; the processor 601 may also be called a CPU (Central Processing Unit). The memory 602 may comprise read-only memory and random access memory, and provides instructions and data to the processor 601. A part of the memory 602 may also comprise non-volatile random access memory (NVRAM). The processor 601, the memory 602, the transmitter 603 and the receiver 604 are coupled by a bus system 610, where the bus system 610 comprises, besides a data bus, a power bus, a control bus and a status signal bus. For clarity of description, however, the various buses are all labelled as the bus system 610 in the figure.
The method disclosed by the above embodiments of the present invention can be applied to the above device 600. The processor 601 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above method can be completed by an integrated logic circuit of hardware in the processor 601 or by instructions in the form of software.
Fig. 7 is a structural block diagram of the subscriber equipment of one embodiment of the present invention. The subscriber equipment 700 comprises a receiver 701 and a processor 702.
The receiver 701 is configured to receive the Part I private key of the subscriber equipment sent by the key generation centre.
The processor 702 is configured to generate a secret value according to Gauss's sampling algorithm; to multiply the generated secret value and the Part I private key received by the receiver 701 to obtain the Part II private key of the subscriber equipment; and to determine the individual private key of the subscriber equipment according to the Part I private key received by the receiver 701 and the obtained Part II private key.
Based on the above technical scheme, the subscriber equipment of the embodiment of the present invention generates a secret value, which is a little norm matrix, multiplies this secret value by the received Part I private key of the subscriber equipment sent by the key generation centre to obtain the Part II private key of the subscriber equipment, and the Part I private key and the Part II private key compose the individual private key of the subscriber equipment. Therefore, the computation for generating the private key is simple, and the computational complexity can be reduced.
The subscriber equipment 700 can perform the operations relating to the subscriber equipment in the embodiments of Fig. 1 to Fig. 3; therefore, to avoid repetition, they are not described in detail.
Alternatively, as an embodiment, the processor 702 is specifically configured to generate the secret value according to Gauss's sampling algorithm, or is specifically configured to generate the secret value according to a random uniform sampling algorithm.
It should be understood that the embodiment of the present invention does not limit the algorithm adopted by the subscriber equipment to generate the secret value.
Preferably, taking as an example the processor 702 generating this little norm matrix according to Gauss's sampling algorithm, the processor 702 is specifically configured to: according to the set of m-dimensional integer vectors
a canonical basis, centred at the 0 vector, according to the deviation, from
extract m column vectors of m × 1. The m column vectors of m × 1 compose an m × m matrix, where the subscript m is a positive integer; judge whether the m × m matrix is
invertible, where the subscript q is a positive integer representing the modulus. If the m × m matrix is not
invertible, from
again extract m column vectors of m × 1; if the m × m matrix is
invertible, determine the m × m matrix to be the secret value.
The secret value S is a little norm matrix following a Gaussian distribution, and the processor 702 multiplies the secret value S by the Part I private key t (
) sent by the key generation centre to obtain the Part II private key e=St, and determines that the individual private key of the subscriber equipment is (t, e).
In addition, the Part II private key is also a little norm matrix. Therefore, the method of generating the Part II private key in the embodiment of the present invention is extensible and portable; that is, the embodiment of the present invention can also be used in other schemes, for example to construct a proxy signature scheme or a proxy re-signature scheme.
It should be understood that the embodiment of the present invention does not limit the application of the Part II private key generation method.
Alternatively, as another embodiment, the processor 702 is further configured to select a random matrix Q,
where the subscripts m and n are positive integers representing dimensions and the subscript q is a positive integer representing the modulus; and is further configured to determine the public key of the subscriber equipment according to Q, the secret value and the Part I private key. The subscriber equipment 700 further comprises a transmitter 703, and the transmitter 703 is configured to send the public key of the subscriber equipment to the encryption device, so that the encryption device generates a ciphertext according to the user identity, the message bit and the public key of the subscriber equipment. Further, the receiver 701 is further configured to receive the ciphertext sent by the encryption device. The processor 702 is further configured to decrypt the ciphertext according to the individual private key of the subscriber equipment to obtain the message bit.
Specifically, the processor 702 is specifically configured to determine, according to the following formula, that the public key of the subscriber equipment is (u1, Q):
u1=(QSt) mod q (1)
where S is the above secret value,
t is the Part I private key,
and mod is the modulo operator.
The ciphertext generated by the encryption device by the following formulas is C=(P1, P2, c'):
u=H(id) (2)
P1=Q^T K+X, (3)
P2=A^T K+X, (4)
where H is a hash function, id is the customer equipment identification, K is the uniformly random column vector selected by the encryption device,
follows
the discrete distribution over, A is the random matrix generated by the key generation centre according to the trapdoor generating algorithm,
follows
the discrete distribution over, where the subscript
(
is
the discrete distribution over whose random variable is
distributed as ψ_α, where ψ_α is
the distribution over obtained by choosing a value from the normal distribution with mean 0 and standard deviation
and reducing it modulo 1,
denotes rounding to the nearest integer), b is the message bit, b ∈ {0,1}, the superscript T denotes transposition, and
denotes the floor operation.
By such a scheme, the ciphertext generated by the encryption device is indistinguishable from a uniform distribution and has the form C=(P1, P2, c'); the identity of the subscriber equipment that receives the ciphertext is hidden in the ciphertext, so information relating to the identity of the subscriber equipment cannot be obtained directly from the ciphertext C=(P1, P2, c'), thereby improving security.
Further, the processor 702 is specifically configured to obtain the above message bit according to the following formula:
w=c'-e^T P1-t^T P2 (6)
where the individual private key of the subscriber equipment is (t, e), t is the Part I private key, e is the above Part II private key, and the superscript T denotes transposition.
It should be understood that the embodiment of the present invention does not limit the manner in which the subscriber equipment determines the public key of the subscriber equipment, the manner in which the key generation centre encrypts the message, or the manner in which the subscriber equipment decrypts the ciphertext.
Fig. 8 is a structural block diagram of the encryption device of another embodiment of the present invention. The encryption device 800 comprises a receiver 801 and a processor 802.
The receiver 801 is configured to receive the public key of the subscriber equipment sent by the subscriber equipment, where the public key of the subscriber equipment is determined by the subscriber equipment according to Q, the secret value and the Part I private key of the subscriber equipment, the Part I private key is sent by the key generation centre, the secret value is a little norm matrix generated by the subscriber equipment, and Q is a random matrix selected by the subscriber equipment,
where the subscripts m and n are positive integers representing dimensions and the subscript q is a positive integer representing the modulus;
The processor 802 is configured to generate a ciphertext according to the user identity, the message bit and the public key of the subscriber equipment received by the receiver 801.
Alternatively, as an embodiment, the public key of the subscriber equipment that the receiver 801 receives from the subscriber equipment is (u1, Q), obtained by the subscriber equipment by the above formula (1). The processor 802 is specifically configured to generate the ciphertext C=(P1, P2, c') by the above formulas (2)-(5).
By such a scheme, the ciphertext generated by the encryption device is indistinguishable from a uniform distribution and has the form C=(P1, P2, c'); the identity of the subscriber equipment that receives the ciphertext is hidden in the ciphertext, so information relating to the identity of the subscriber equipment cannot be obtained directly from the ciphertext C=(P1, P2, c'), thereby improving security.
The encryption device 800 can perform the operations relating to the encryption device in the embodiments of Fig. 1 to Fig. 3; therefore, to avoid repetition, they are not described in detail.
Alternatively, as another embodiment, the above secret value is generated by the subscriber equipment according to Gauss's sampling algorithm or a random uniform sampling algorithm.
Alternatively, as another embodiment, the Part I private key can be generated by the key generation centre according to a trapdoor generating algorithm, a security parameter and the customer equipment identification.
Alternatively, as another embodiment, the encryption device 800 further comprises a transmitter 803, and the transmitter 803 is configured to send the ciphertext to the subscriber equipment, so that the subscriber equipment decrypts the ciphertext according to its individual private key to obtain the message bit; the individual private key of the subscriber equipment is determined by the subscriber equipment according to the Part I private key and the Part II private key of the subscriber equipment, and the Part II private key is obtained by the subscriber equipment by multiplying the secret value and the Part I private key.
Based on the above technical scheme, the subscriber equipment of the embodiment of the present invention generates a secret value, which is a little norm matrix, multiplies this secret value by the received Part I private key of the subscriber equipment sent by the key generation centre to obtain the Part II private key of the subscriber equipment, and the Part I private key and the Part II private key compose the individual private key of the subscriber equipment. Therefore, the computation by which the subscriber equipment generates the private key is simple, and the computational complexity can be reduced.
Those of ordinary skill in the art may realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or by software depends on the specific application and the design constraints of the technical scheme. A person skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered as going beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the preceding method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely schematic; the division of the units is merely a division by logical function, and other division modes are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be realized through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of the present embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on such understanding, the technical scheme of the present invention in essence, or the part contributing to the prior art, or a part of the technical scheme, may be embodied in the form of a software product; the computer software product is stored in a storage medium and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium comprises various media that can store program code, such as a USB flash disk, a portable hard drive, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disc or a CD.