阅读说明：本技术 一种针对群元数乘或幂运算的计算方法及系统 (Computing method and system for group element number multiplication or power operation ) 是由 龙毅宏 于 2019-09-24 设计创作，主要内容包括：所述方法涉及针对群元数乘或幂运算的计算方法：第一方有一个参数池,池中有m个[1,n-1]内的整数k<Sub>1</Sub>,k<Sub>2</Sub>,…,k<Sub>m</Sub>,及对应的加法群中的元k<Sub>1</Sub>G,k<Sub>2</Sub>G,…,k<Sub>m</Sub>G,其中G是加法群中的一个元,或者对应的乘法群中的元g^k<Sub>1</Sub>,g^k<Sub>2</Sub>,…,g^k<Sub>m</Sub>,其中g是乘法群中的一个元,^为幂运算,n为群的阶；第一方利用池中的整数参数及对应的群元,在不暴露k的情况下借助第二方完成G_k＝kG或g_k＝g^k的计算,其中k是[1,n-1]中的第一方的整数秘密；在完成一次G_k或g_k的计算后,或者在完成规定次数的、针对不同k的G_k或g_k的计算后,第一方对参数池中已使用的整数参数k<Sub>t</Sub>及对应的群元进行更新。(The method involves a computational method for a group element number multiplication or exponentiation: the first party has a parameter pool with m [1, n-1] s]Integer k within 1 ,k 2 ,…,k m And the corresponding element k in the addition group 1 G，k 2 G，…，k m G, where G is an element in an addition group or an element G ^ k in a corresponding multiplication group 1 ，g^k 2 ，…，g^k m Wherein g is an element in the multiplicative group, ^ is the power operation, and n is the group order; the first party performs the computation of G _ k ^ kG or G _ k ^ G ^ k with the second party without exposing k, where k is [1, n-1, using the integer parameters and corresponding group elements in the pool]An integer secret of the first party; after completing the calculation of G _ k or G _ k once or the calculation of G _ k or G _ k for different k for a specified number of times, the first party performs the calculation of the integer parameter k used in the parameter pool t And corresponding group element carries out furtherAnd (5) new.)

1. A computing method for group element number multiplication or power operation is characterized in that:

the method involves one additive or multiplicative group; the order of the addition group or the multiplication group is a prime number n;

the method comprises a first party and a second party, wherein the first party maintains a parameter pool, and m [1, n-1] parameter pools are arranged in the parameter pool]Integer k within the interval₁,k₂,…,k_mAnd corresponding group element k in the addition group₁G，k₂G，…，k_mG, i.e. k₁,k₂,…,k_mThe result of multiplying G, respectively, where G is an element in an addition group or has a corresponding group element G ^ k in a multiplication group₁，g^k₂，…，g^k_mI.e. k₁,k₂,…,k_mSeparately exponentiate gWherein g is an element in the multiplicative group, and ^ represents an exponentiation;

k₁,k₂,…,k_mcalled integer parameter, group element k₁G，k₂G，…，k_mG is called an integer parameter k₁,k₂,…,k_mCorresponding number multiplier, group g ^ k₁，g^k₂，…，g^k_mCalled integer parameter k₁,k₂,…,k_mA corresponding power element;

k₁G，k₂G，…，k_mg is respectively represented as G _ k₁，G_k₂，…，G_k_m；

g^k₁，g^k₂，…，g^k_mAre respectively represented as g _ k₁，g_k₂，…，g_k_m；

When a first party needs to calculate G _ k ^ kG or G _ k ^ G ^ k, wherein k is an integer which is only known by the first party and needs to be kept secret in [1, n-1], the first party and a second party cooperatively complete the calculation of G _ k ^ kG or G _ k ^ G ^ k as follows:

the first party selects an integer parameter k from m integer parameters in the parameter pool according to a predetermined rule_tT is 1,2, …, or m;

the first calculation w ═ k (k)_t)^-1) mod n or w ═ k (k-k)_t) mod n, then w and G _ k_tOr w and g _ k_tIs sent to the second party, where (k)_t)^-1Is k_tModulo n multiplication inverse of (G _ k)_tIs and k_tCorresponding number multiplier, g _ k_tIs and k_tA corresponding power element;

if the formula for w is w ═ (k)_t)^-1) mod n, then:

second party calculates G _ k-wG _ k_tOr g _ k ═ g _ k_t^w；

If the formula for w is w ═ k (k-k)_t) mod n, then:

the second party calculates G _ k ═ wG + G _ k_tOr g _ k ═ g _ k_t(g^w)；

G _ k is kG or G _ k is G ^ k;

at the completion of oneAfter G _ k or G _ k calculations are performed a number of times, or after G _ k or G _ k calculations for different k have been performed a specified number of times, the first party performs a calculation on the integer parameter k that has been used in the parameter pool_tAnd corresponding number multiplier G _ k_tOr power element g _ k_tUpdating, wherein t is 1,2, … or m.

2. The method of claim 1, wherein the method comprises:

the first party selects an integer parameter k from m integer parameters in the parameter pool according to a predetermined rule_tThe method comprises the following steps:

in each calculation of G _ k ^ kG or G _ k ^ G ^ k, one integer parameter k is sequentially selected in sequence from the m integer parameters_tOr randomly selecting an unused integer parameter k among the m integer parameters_t；

Sequentially selecting one integer parameter k from the m integer parameters in sequence_tThe method comprises the following steps:

if G _ k ^ kG or G _ k ^ G is calculated for the first time, k is selected₁；

If the last calculation selected integer parameter is k_iAnd 1 is not less than i<m, then k is selected in the calculation_i+1；

If the last calculation selected integer parameter is k_mThen k is selected for this calculation₁。

3. The method of claim 1, wherein the method comprises:

integer parameter k used in the first party pair parameter pool_tAnd corresponding G _ k_tOr g _ k_tOne way to perform the update is as follows:

selecting p integer parameters from m integer parameters, 1 ≦ p<m; p integer parameters are respectively represented as r₁,r₂,…,r_p；

r₁,r₂,…,r_pThe corresponding number multiplier is denoted as G _ r₁,G_r₂,…,G_r_pOr r is₁,r₂,…,r_pThe corresponding power elements are respectively expressed as g _ r₁,g_r₂,…,g_r_p；

Randomly selecting p positive integers c₁,c₂,…,c_pAnd make c₁+c₂+…+c_pL is less than or equal to L, wherein L is a preset integer less than m;

calculating u ═ c₁r₁+c₂r₂+…+c_pr_p)mod n，

G_u＝c₁G_r₁+c₂G_r₂+…+c_pG_r_p，

Or g _ u ═ g _ r₁^c₁)(g_r₂^c₂)…(g_r_p^c_p)；

Then using u as a new integer parameter k_tUsing G _ u as the new G _ k_tOr using g _ u as new g _ k_t。

4. The method of claim 3, wherein the method comprises:

p is a fixed integer or a non-fixed integer; if p is a non-fixed integer, p is an integer randomly selected within a specified range, or an integer varied or selected according to a predetermined rule.

5. The method of claim 3, wherein the method comprises:

l is chosen so that it is for the integer parameter k_tAnd corresponding G _ k_tOr g _ k_tThe update operation can be performed within a desired or specified time.

6. The method of claim 5, wherein the method comprises:

if L ═ pq, where p and q are integers, the first party randomly selects p positive integers c₁,c₂,…,c_pAnd make c₁+c₂+…+c_pOne mode of ≦ L is as follows:

in [1, q ]]In the random selection of p integers c₁,c₂,…,c_p。

7. A computing system for a group element number multiplication or exponentiation based on the computing method for a group element number multiplication or exponentiation according to any one of claims 1 to 6, wherein:

the system comprises two devices, wherein one device is the first party and the other device is the second party;

when a device as a first party needs to calculate G _ k ═ kG or G _ k ^ G ^ k, where k is an integer known to only the first party in [1, n-1] and needs to be kept secret, the two devices calculate G _ k ═ kG or G _ k ^ G ^ k according to the calculation method for the group element number multiplication or exponentiation.

Technical Field

The invention belongs to the technical field of passwords, and particularly relates to a computing method and a computing system for addition group element number multiplication operation (scalar multiplication operation and multiplication operation) or multiplication group element power operation of a resource-limited device.

Background

In cryptographic operations (mainly cryptographic operations of public key cryptographic algorithms), a number multiplication operation (scalar multiplication operation, multiplication operation) of group elements in an addition group or an exponentiation operation of group elements in a multiplication group is often performed, and this often involves complex large number operations, for example, in cryptographic algorithms based on elliptic curve point groups, a kG number multiplication operation is often performed, where G is one element (point) in the elliptic curve addition point group, k is a randomly selected integer whose value may be very large, and calculating kG involves large number calculation and large amount of calculation; as another example, in some cryptographic operations (e.g., based on two-wire pairing of secrets)Code algorithm), g is often performed^kExponentiation, where g is an element in a multiplicative group, e.g., it may be a very large integer, and k is a randomly selected integer whose value may be very large, thus computing g^kThe calculation amount is large due to the fact that large number operation is involved.

With the development of the internet of things, more and more tiny devices are intelligentized and access to the network. Due to the need of security protection function, these intelligent tiny devices may need to perform cryptographic operations, and these tiny devices are usually resource-limited devices and have weak computing power, and it is difficult to perform such complex multiplication or exponentiation operations involving large number operations in real time, which limits the application of cryptographic algorithms (especially public key cryptographic algorithms) in these tiny intelligent devices.

Disclosure of Invention

The invention aims to provide a computing method of addition group element number multiplication operation (scalar multiplication operation and multiplication operation) or multiplication group element power operation and a corresponding system aiming at resource-limited devices so as to meet the requirements of the devices on the cryptographic function.

In view of the above objects, the present invention provides a method and system for computing a group element multiplication or exponentiation.

The invention provides a computing method for group element number multiplication or power operation, which specifically comprises the following steps:

the method involves one additive or multiplicative group; the order of the addition group or the multiplication group is a prime number n;

the method comprises a first party and a second party, wherein the first party maintains a parameter pool, and m [1, n-1] parameter pools are arranged in the parameter pool]Integer k within the interval₁,k₂,…,k_mAnd corresponding group element k in the addition group₁G，k₂G，…，k_mG, i.e. k₁,k₂,…,k_mThe result of multiplication (scalar multiplication, multiple point operation) with G, respectively, where G is an element in the addition group or the group of elements G ^ k in the corresponding multiplication group₁，g^k₂，…，g^k_mI.e. k₁,k₂,…,k_mRespectively performing exponentiation on g, wherein g is an element in the multiplicative group, and ^ represents the exponentiation (performing exponentiation on the element before ^ and the integer after ^ is the number of exponentiation);

k₁,k₂,…,k_mcalled integer parameter, group element k₁G，k₂G，…，k_mG is called an integer parameter k₁,k₂,…,k_mCorresponding number multiplier, group g ^ k₁，g^k₂，…，g^k_mCalled integer parameter k₁,k₂,…,k_mCorresponding power elements (the integer parameters and their corresponding relationship with the number multiplier or power elements need to be kept secret);

k₁G，k₂G，…，k_mg is respectively represented as G _ k₁，G_k₂，…，G_k_m；

g^k₁，g^k₂，…，g^k_mAre respectively represented as g _ k₁，g_k₂，…，g_k_m；

When the first party needs to calculate G _ k ═ kG or G _ k ^ G ^ k, where k is an integer (such as an integer randomly selected as a secret or an integer selected or calculated by an agreed manner) needing to be kept secret, which is known only to the first party in [1, n-1], the first party and the second party cooperate to complete the calculation of G _ k ═ kG or G _ k ^ G ^ k as follows:

the first party selects an integer parameter k from m integer parameters in the parameter pool according to a predetermined rule_tT is 1,2, …, or m;

the first calculation w ═ k (k)_t)^-1) mod n or w ═ k (k-k)_t) mod n, then w and G _ k_tOr w and g _ k_tIs sent to the second party, where (k)_t)^-1Is k_tModulo n multiplication inverse (i.e., (k)_t(k_t)^-1)mod n＝1)，G_k_tIs (taken from the parameter pool) and k_tCorresponding number multiplier (i.e., G _ k)_t＝k_tG)，g_k_tIs (taken from the parameter pool) and k_tCorresponding power element (i.e., g _ k)_t＝g^k_t)；

If the formula for w is w ═ (k)_t)^-1) mod n, then:

second party calculates G _ k-wG _ k_tOr g _ k ═ g _ k_t^w；

If the formula for w is w ═ k (k-k)_t) mod n, then:

the second party calculates G _ k ═ wG + G _ k_tOr g _ k ═ g _ k_t(g^w)；

G _ k is kG or G _ k is G ^ k;

after completing one calculation of G _ k or G _ k or completing the calculation of G _ k or G _ k for different k for a specified number of times, the first party performs calculation on the integer parameter k used in the parameter pool_tAnd corresponding number multiplier G _ k_tOr power element g _ k_tUpdating, wherein t is 1,2, … or m.

For the above-mentioned computing method for the group element number multiplication or exponentiation, the first party selects one integer parameter k from the m integer parameters in the parameter pool according to a predetermined rule_tThe method comprises the following steps:

in each calculation of G _ k ^ kG or G _ k ^ G ^ k, one integer parameter k is sequentially selected in sequence from the m integer parameters_tOr randomly selecting an unused integer parameter k among the m integer parameters_t(integer parameters that are updated after use belong to unused integer parameters);

sequentially selecting one integer parameter k from the m integer parameters in sequence_tThe method comprises the following steps:

if G _ k ^ kG or G _ k ^ G is calculated for the first time, k is selected₁；

If the last calculation selected integer parameter is k_iAnd 1 is not less than i<m, then k is selected in the calculation_i+1；

If the last calculation selected integer parameter is k_mThen k is selected for this calculation₁。

For the above-described calculation method for the group element multiplication or exponentiation, the first party is directed to the integer parameter k used in the parameter pool_tAnd corresponding G _ k_tOr g _ k_tGo on to moreOne new approach is as follows (not meant to imply all possible approaches):

selecting p integer parameters from the m integer parameters (e.g., p parameters randomly selected from the m integer parameters, or one of the p integer parameters is k_tAnd the other p-1 is randomly selected from the remaining m-1 integer parameters), 1 ≦ p<m; p integer parameters are respectively represented as r₁,r₂,…,r_p；

r₁,r₂,…,r_pThe corresponding number multiplier is denoted as G _ r₁,G_r₂,…,G_r_pOr r is₁,r₂,…,r_pThe corresponding power elements are respectively expressed as g _ r₁,g_r₂,…,g_r_p；

Randomly selecting p positive integers c₁,c₂,…,c_pAnd make c₁+c₂+…+c_pL ≦ L, where L is a predetermined integer less than m (typically L is much less than m);

calculating u ═ c₁r₁+c₂r₂+…+c_pr_p)mod n，

G_u＝c₁G_r₁+c₂G_r₂+…+c_pG_r_p，

Or g _ u ═ g _ r₁^c₁)(g_r₂^c₂)…(g_r_p^c_p)；

Then using u as a new integer parameter k_t(t-th integer parameter) value, using G _ u as new G _ k_t(k_tCorresponding number multiplier) or g _ u as the new g _ k_t(k_tThe corresponding power element).

At the integer parameter k mentioned above_tAnd corresponding G _ k_tOr g _ k_tIn the updating operation, p is a fixed integer or a non-fixed integer; if p is a non-fixed integer, p is an integer randomly selected within a specified range, or an integer varied or selected according to a predetermined rule.

At the integer parameter k mentioned above_tAnd corresponding G _ k_tOr g _ k_tIn the update operation, L is selected so as to be specific to the integer parameter k_tAnd corresponding G _ k_tOr g _ k_tThe update operation performed can be completed within a desired or prescribed time (i.e., in the case of the greatest amount of computation, the update operation can be completed within a desired or prescribed time).

At the integer parameter k mentioned above_tAnd corresponding G _ k_tOr g _ k_tIn the update operation, if L ═ pq (p times q), where p and q are integers, the first party randomly selects p positive integers c₁,c₂,…,c_pAnd make c₁+c₂+…+c_pOne way ≦ L is as follows (not all possible ways):

in [1, q ]]In the random selection of p integers c₁,c₂,…,c_p。

Based on the above-mentioned computing method for the group element number multiplication or exponentiation, a corresponding computing system for the group element number multiplication or exponentiation can be constructed, the system comprises two devices, one of which is the first party and the other of which is the second party;

when a device as a first party needs to calculate G _ k ═ kG or G _ k ^ G ^ k, where k is an integer (such as an randomly selected integer as a secret or an integer needing to be kept secret selected or calculated by an agreed manner) known only by the first party in [1, n-1], the two devices calculate G _ k ═ kG or G _ k ^ G ^ k according to the calculation method for the group element number multiplication or exponentiation.

In the above computing method and system for the group element number multiplication or power operation, the first party is usually a device with limited resources and weak computing power, and the second party is usually a device with rich resources and strong computing power; based on the method and the system, a first party serving as a resource-limited device can complete multiplication operation in an addition group with large calculation amount (such as multiplication or multiplication operation in an elliptic curve point group) or exponentiation operation in a multiplication group (such as exponentiation operation in a double-line paired multiplication group) by using a second party with rich resources; meanwhile, in order to prevent cracking of the integer parameters in the parameter pool, the first party updates the integer parameters according to a predetermined strategy, and the operation involved in the updating operation is an operation which can be borne by the first party (resource-limited device) and has a small calculation amount.

Detailed Description

The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.