Simple and safe calculation method and system for group element number multiplication and power operation

Document No. 467466, published 2021-12-31

Reading note: this technology, "A simple and secure calculation method and system for group element number multiplication and power operation" (Simple and safe calculation method and system for group element number multiplication and power operation), was designed and created by 龙毅宏 on 2021-09-08. Its main content is as follows. Calculation method for group element number multiplication: the first party stores G_h = [h·a^{-1}]G and G_b = [(ba)^{-1}]G, where h, b, a are integer secrets of the first party in [1, n-1] and G is an element of an addition group of prime order n; when the first party needs to compute G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party computes c = b(ak − h) and submits c and G_b to the second party; the second party computes G_c = [c]G_b; one party computes G_k = G_c + G_h, which is [k]G. Calculation method for group element power operation: the first party stores g_h = g^(h·a^{-1}) and g_b = g^((ba)^{-1}), where h, b, a are integer secrets of the first party in [1, n-1] and g is an element of a multiplication group of prime order n; when the first party needs to compute g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party computes c = b(ak − h) and submits c and g_b to the second party; the second party computes g_c = (g_b)^c; one party computes g_k = g_c·g_h, which is g^k.

1. A group element number multiplication calculation method is characterized by comprising the following steps:

the method relates to a first party, a second party and an addition group with the order of prime number n, wherein the first party is a device with limited resources and weak computing power, and the second party is a device with rich resources and strong computing power;

the first party has stored in advance G_h = [h·a^{-1}]G and G_b = [(ba)^{-1}]G, where h, b and a are integer secrets of the first party in [1, n-1], G is an element of the addition group of prime order n, and [ ] denotes the number multiplication operator of addition group elements;

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak − h) and submits c and G_b to the second party;

the second party calculates G_c = [c]G_b;

the first party, the second party or another party calculates G_k = G_c + G_h; then G_k is [k]G;

One of the values of a and b is allowed to be a non-secret constant;

the above integer operations using h, b, a, k are modulo operations or modulo n congruence operations.

2. The method of claim 1, wherein:

one method by which the first party updates h, b, G_h and G_b is as follows:

the first party randomly selects an integer r in [1, n-1], takes r·a^{-1} or (ra)^{-1} as k, and calculates G_r = [r·a^{-1}]G or G_r = [(ra)^{-1}]G by the above addition group element number multiplication method; then r is taken as the new value of h or b, and correspondingly G_r as the new value of G_h or G_b;

the h, b, a, G_h, G_b used in the calculation of G_r and the h, b, a, G_h, G_b used in non-update calculations may be either the same set of data or different sets of data.

3. The method of claim 1, wherein:

one method by which the first party updates h, b, G_h and G_b is as follows:

after completing one G_k calculation, the first party replaces h with ka and G_h with G_k, or replaces b with (ka)^{-1} and G_b with G_k.

4. A method of computing a group element multiplication operation according to any one of claims 1 to 3, wherein:

if the first party maintains m groups of data h_i, b_i, a_i, G_{hi} = [h_i(a_i)^{-1}]G, G_{bi} = [(b_i a_i)^{-1}]G, where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and G_h = G_{h1} + … + G_{hm}, then a security enhancement scheme for the above calculation method of addition group element number multiplication is as follows:

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, such that k = k_1 + … + k_m;

the first party calculates c_i = b_i(a_i k_i − h_i) and submits c_i, G_{bi}, i = 1, …, m, to the second party;

the second party calculates G_{ci} = [c_i]G_{bi}, i = 1, …, m, and calculates G_c = G_{c1} + … + G_{cm};

the first party, the second party or another party calculates G_k = G_c + G_h; then G_k is [k]G;

the above integer operations involving h_i, b_i, k_i are modulo n operations or modulo n congruence operations.

5. A group element number multiplication calculation system based on the group element number multiplication calculation method of claim 4, wherein:

the system comprises two devices, wherein one device is called a first party and has limited resources and weak computing power, and the other device is called a second party and has rich resources and strong computing power; when a first party needs to carry out addition group element number multiplication, the first party and a second party calculate according to the calculation method of the addition group element number multiplication to obtain the result of the addition group element number multiplication.

6. A method for computing group element power operation is characterized in that:

the method relates to a first party, a second party and a multiplication group with the order of prime number n, wherein the first party is a device with limited resources and weak computing power, and the second party is a device with rich resources and strong computing power;

the first party has stored in advance g_h = g^(h·a^{-1}) and g_b = g^((ba)^{-1}), where h, b and a are integer secrets of the first party in [1, n-1], g is an element of the multiplication group of prime order n, and ^ denotes the power operator of multiplication group elements;

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak − h) and submits c and g_b to the second party;

the second party calculates g_c = (g_b)^c;

the first party, the second party or another party calculates g_k = g_c·g_h; then g_k is g^k;

one of the values of a and b is allowed to be a non-secret constant;

the above integer operations using h, b, a, k are modulo operations or modulo n congruence operations.

7. The method of claim 6, wherein:

for the above method of computing multiplication group element power operations, one method by which the first party updates h, b, g_h and g_b is as follows:

the first party randomly selects an integer r in [1, n-1], takes r·a^{-1} or (ra)^{-1} as k, and obtains g_r = g^(r·a^{-1}) or g_r = g^((ra)^{-1}) by the above multiplication group element power operation calculation method; then r is taken as the new value of h or b, and correspondingly g_r as the new value of g_h or g_b;

the h, b, a, g_h, g_b used in the calculation of g_r and the h, b, a, g_h, g_b used in non-update calculations may be either the same set of data or different sets of data.

8. The method of claim 6, wherein:

for the above method of computing multiplication group element power operations, one method by which the first party updates h, b, g_h and g_b is as follows:

after completing one g_k calculation, the first party replaces h with ka and g_h with g_k, or replaces b with (ka)^{-1} and g_b with g_k.

9. The method of computing a group exponentiation according to any of claims 6-8, wherein:

if the first party maintains m groups of data h_i, b_i, a_i, g_{hi} = g^(h_i(a_i)^{-1}), g_{bi} = g^((b_i a_i)^{-1}), where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and g_h = g_{h1}·g_{h2}·…·g_{hm}, then a security enhancement scheme for the above calculation method of multiplication group element power operations is as follows:

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, such that k = k_1 + … + k_m;

the first party calculates c_i = b_i(a_i k_i − h_i) and submits c_i, g_{bi}, i = 1, …, m, to the second party;

the second party calculates g_{ci} = (g_{bi})^(c_i), i = 1, …, m, and calculates g_c = g_{c1}·g_{c2}·…·g_{cm};

the first party, the second party or another party calculates g_k = g_c·g_h; then g_k is g^k;

the above integer operations involving h_i, b_i, k_i are modulo n operations or modulo n congruence operations.

10. A group exponentiation calculation system based on the group exponentiation calculation method of claim 9, wherein:

the system comprises two devices, wherein one device is called a first party and has limited resources and weak computing power, and the other device is called a second party and has rich resources and strong computing power; when a first party needs to perform multiplicative group element exponentiation, the first party and a second party calculate the result of the multiplicative group element exponentiation according to the calculation method of the multiplicative group element exponentiation.

Technical Field

The invention belongs to the technical field of cryptography, and particularly relates to a simple and secure method and system for computing addition group element number multiplication (scalar multiplication, multiple addition) and multiplication group element power operations for resource-constrained devices.

Background

In cryptographic operations (mainly those of public key cryptographic algorithms), a number multiplication (scalar multiplication, multiple addition) of a group element in an addition group or a power operation of a group element in a multiplication group is often performed, and this often involves complex large-number operations. For example, in cryptographic algorithms based on elliptic curve point groups, a number multiplication kG is often performed, where G is a point in the elliptic curve addition point group and k is a randomly selected integer whose value may be very large; computing kG involves large-number computations, which are computationally expensive, and k is typically a number that needs to be kept secret. As another example, in some cryptographic operations (e.g., cryptographic algorithms based on bilinear pairings), a power operation g^k is often performed, where g is an element of a multiplicative group (e.g., it may be a very large integer) and k is a randomly selected integer whose value may be very large; computing g^k thus involves large-number operations with a large amount of computation, and k is usually a number that needs to be kept secret.

With the development of the Internet of Things, more and more tiny devices are becoming intelligent and connecting to the network. Because security protection is needed, these intelligent tiny devices (such as wireless sensors, intelligent wearable devices, field instruments and the like) may need to perform cryptographic operations; but these tiny devices are usually resource-constrained and have weak computing power, so it is difficult for them to perform such complex addition group element number multiplication or multiplication group element power operations involving large-number arithmetic in real time, and difficult to complete the related calculations within the desired time, which limits the application of cryptographic algorithms (especially public key cryptographic algorithms) in these tiny intelligent devices.

In order to solve the problem, the inventions CN201711318078.8 and CN201910907018.2 propose corresponding technical solutions, and the ideas of these solutions are to complete real-time computation of group element multiplication in an addition group or group element power operation in a multiplication group by means of devices with abundant resources and strong computing power, and to ensure that secrets of devices with limited resources and devices with weak computing power, such as randomly selected integer k, are not leaked or cracked. The weakness of the CN201711318078.8 is that in some situations, the security is weak, for example, when there is a one-time calculation result of k in other cryptographic calculation processes or the final cryptographic calculation result (for example, s in (r, s) digitally signed by SM2, or the situation may occur in the cooperative calculation process of SM9 digital signature), the scheme of CN201711318078.8 is not secure, and the CN201910907018.2 increases the applicability and security of the scheme by maintaining the parameter pool, but the resource-limited device needs to maintain the parameter pool and perform a small-computation-amount updating operation on the data in the parameter pool, which also needs to consume the limited resources and computation power of the resource-limited device.

Disclosure of Invention

The invention aims to provide a method and a corresponding system for improving the calculation of addition group element number multiplication operation (scalar multiplication operation and multiplication operation) and multiplication group element power operation aiming at a resource limited device so as to overcome the defects of the prior art.

In view of the above objects, the present invention provides an improved method for computing an addition group element number multiplication, a method for computing a multiplication group element exponentiation, and a corresponding system.

In the present invention, [ ] denotes the number multiplication operation (scalar multiplication, multiple addition) in the addition group: [k]G, if k > 0, denotes the addition G + … + G of k identical group elements G in the addition group, and if k < 0, denotes the additive inverse of the sum of |k| identical group elements G in the addition group; ^ denotes the power operation in the multiplication group: g^k, if k > 0, denotes the multiplication g·g·…·g of k identical group elements g in the multiplication group, and if k < 0, denotes the multiplicative inverse of the product of |k| identical group elements g in the multiplication group; in the description of the invention, unless otherwise specified, integer operations are modulo n operations (mod n) or modulo n congruence operations ((mod n)), where n is the prime order of the addition or multiplication group involved; for an integer a, a^{-1} denotes the modulo n multiplicative inverse (a^{-1}·a mod n = 1) or the modulo n congruence multiplicative inverse (a^{-1}·a ≡ 1 (mod n)); the ellipsis "…" indicates that several identical (types of) data items are repeated or that several identical operations are repeated; where no misunderstanding arises, the product of two quantities a and b is written directly as ab (except in variable subscripts, where consecutive characters have no operational meaning and serve only as identifiers; for example, hi in G_{hi} does not mean h times i).

The calculation method of the addition group element number multiplication operation provided by the invention is specifically described as follows.

The method involves a first party, a second party and an addition group of prime order n, where the first party is a device with (relatively) limited resources and weak computing power (such as a wireless sensor, an intelligent wearable device, a field instrument and the like), and the second party is a device with (relatively) rich resources and strong computing power (such as a computer, a server, an edge computing server, a cloud computing system and the like);

the first party has stored in advance G_h = [h·a^{-1}]G and G_b = [(ba)^{-1}]G, where h, b and a are integer secrets of the first party in [1, n-1], G is a (non-zero) element of the addition group of prime order n, and [ ] denotes the number multiplication operator of addition group elements (inside [ ] is the integer multiplier, and after [ ] is a group element);

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak − h) and submits c and G_b to the second party;

the second party calculates G_c = [c]G_b;

the first party, the second party or another party calculates G_k = G_c + G_h; then G_k is [k]G;

One of the values a and b is allowed to be a non-secret constant (such as a fixed value 1);

the above integer operations using h, b, a, k are modulo operations (mod n) or modulo n congruence ((mod n)).

(if G_k = G_c + G_h is calculated by a party other than the first party, then G_h is not secret)

In the above method for calculating the addition group element number multiplication (when h, b, G_h, G_b need to be updated), one method by which the first party updates h, b, G_h, G_b is as follows:

the first party randomly selects an integer r in [1, n-1], takes r·a^{-1} or (ra)^{-1} as k, and calculates G_r = [r·a^{-1}]G or G_r = [(ra)^{-1}]G by the above addition group element number multiplication method; then r is taken as the new value of h or b, and correspondingly G_r as the new value of G_h or G_b;

the h, b, a, G_h, G_b used in the calculation of G_r and the h, b, a, G_h, G_b used in non-update calculations (i.e. ordinary G_k calculations) may be either the same set of data or different sets of data.

h, G_h and b, G_b need not be updated at the same time (they may or may not be updated simultaneously). The secret parameter a can also be updated, but this is troublesome because two update calculations (of G_h and G_b) are required.

In the above method for calculating the addition group element number multiplication (when h, b, G_h, G_b need to be updated), another method by which the first party updates h, b, G_h, G_b is as follows:

after completing one (ordinary) G_k calculation, the first party replaces h with ka and G_h with G_k, or replaces b with (ka)^{-1} and G_b with G_k (with one k, only one of h and b can be updated; h and b may be updated alternately with successive values of k, or only one of h and b may be updated, according to an agreed rule).

Updating the parameters h and b is not necessary; whether h and b need to be updated, whether they are updated after every G_k calculation, and when they are updated depend on the actual security needs. When the result of a one-time calculation involving k appears elsewhere (e.g., when k is used to generate s in the SM2 digital signature (r, s)), then h, b may need to be updated.

In a specific implementation, one of the above two methods of updating h, b, G_h, G_b may be used, or the two methods may be used alternately.

For the above method of calculating the addition group element number multiplication, the selection of the initial values of h, b, a and the calculation of the corresponding initial group elements G_h, G_b are carried out during system initialization, and the initial values of h, b and a are integers randomly selected in [1, n-1].
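A worked example of the addition-group protocol just described, together with both update methods. This is an added example, not code from the patent or its author: it runs on the small textbook curve y^2 = x^3 + 2x + 2 over F_17, whose point group has prime order n = 19 with generator G = (5, 1); the curve, the point arithmetic and the names FirstParty, second_party, outsourced_mul and the update helpers are the example's own assumptions, chosen so the whole exchange runs offline and the arithmetic can be checked by hand.

```python
# Added example (not from the patent): first party outsources [k]G to a second
# party while revealing only c = b(ak - h) and G_b = [(ba)^-1]G.
import secrets

P = 17          # field prime of the toy curve (constructed example)
A, B = 2, 2     # curve y^2 = x^3 + A x + B over F_P
N = 19          # prime order of the point group
G = (5, 1)      # generator
INF = None      # point at infinity, the additive identity

def inv(x, m):
    """Modular inverse (Python 3.8+)."""
    return pow(x, -1, m)

def add(p1, p2):
    """Affine point addition on the curve, handling identity and negatives."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def smul(k, pt):
    """[k]pt by double-and-add. Only the second party (and checks) call this."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1          # uniform in [1, n-1]

class FirstParty:
    """Resource-constrained device: holds secrets h, b, a and G_h, G_b."""
    def __init__(self):
        self.a, self.h, self.b = rand_scalar(), rand_scalar(), rand_scalar()
        # System initialization: the only full scalar multiplications done locally.
        self.G_h = smul(self.h * inv(self.a, N), G)       # [h a^-1]G
        self.G_b = smul(inv(self.b * self.a, N), G)       # [(ba)^-1]G

    def request(self, k):
        """Step 1: compute c = b(ak - h) mod n; send (c, G_b) to the second party."""
        c = self.b * (self.a * k - self.h) % N
        return c, self.G_b

    def finish(self, G_c):
        """Step 3: G_k = G_c + G_h (cheap: one point addition)."""
        return add(G_c, self.G_h)

def second_party(c, G_b):
    """Step 2: the strong device does the expensive multiplication [c]G_b."""
    return smul(c, G_b)

def outsourced_mul(fp, k):
    c, G_b = fp.request(k)
    return fp.finish(second_party(c, G_b))

def update_with_random_r(fp, which):
    """Update method 1: fresh random r; G_r is obtained via the protocol itself."""
    r = rand_scalar()
    if which == "h":
        fp.h, fp.G_h = r, outsourced_mul(fp, r * inv(fp.a, N) % N)   # [r a^-1]G
    else:
        fp.b, fp.G_b = r, outsourced_mul(fp, inv(r * fp.a, N))       # [(ra)^-1]G

def update_with_last_k(fp, k, G_k, which):
    """Update method 2: reuse the k and G_k just computed (one of h or b only)."""
    if which == "h":
        fp.h, fp.G_h = k * fp.a % N, G_k
    else:
        fp.b, fp.G_b = inv(k * fp.a, N), G_k

def consistent(fp):
    """Invariant the scheme relies on: G_h = [h a^-1]G and G_b = [(ba)^-1]G."""
    return (fp.G_h == smul(fp.h * inv(fp.a, N), G)
            and fp.G_b == smul(inv(fp.b * fp.a, N), G))

if __name__ == "__main__":
    fp = FirstParty()
    for k in range(1, N):
        assert outsourced_mul(fp, k) == smul(k, G)
    update_with_random_r(fp, "h")
    G_k = outsourced_mul(fp, 7)
    update_with_last_k(fp, 7, G_k, "b")
    print("[7]G =", G_k, "invariant holds:", consistent(fp))
```

The second party only ever sees the pair (c, G_b), and c is a random-looking value because of the masking by h and b; the `consistent` check after each update is exactly the relation the correctness argument [c]G_b + G_h = [(ak − h)a^{-1} + h·a^{-1}]G = [k]G depends on. A 19-element group is used only so every value is hand-checkable; an actual deployment would use a standard curve such as the SM2 curve referred to in the text.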

If the first party maintains m groups of data h_i, b_i, a_i, G_{hi} = [h_i(a_i)^{-1}]G, G_{bi} = [(b_i a_i)^{-1}]G, where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and G_h = G_{h1} + … + G_{hm}, then a security enhancement scheme for the above calculation method of addition group element number multiplication is as follows:

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, such that k = k_1 + … + k_m (typically k_i, i = 1, …, m−1, are randomly selected in [1, n-1], and then k_m = k − (k_1 + … + k_{m−1}) is calculated);

the first party calculates c_i = b_i(a_i k_i − h_i) and submits c_i, G_{bi}, i = 1, …, m, to the second party;

the second party calculates G_{ci} = [c_i]G_{bi}, i = 1, …, m, and calculates G_c = G_{c1} + … + G_{cm};

the first party, the second party or another party calculates G_k = G_c + G_h; then G_k is [k]G;

the above integer operations involving h_i, b_i, k_i are modulo n operations (mod n) or modulo n congruence operations ((mod n)).

(if G_k = G_c + G_h is calculated by a party other than the first party, then G_h is not secret)

(if the first party needs to update h_i, b_i, G_{hi}, G_{bi}, i = 1, …, m, they can be updated in the same way as h, b, G_h, G_b, e.g. using k and G_k to update one of the parameter pairs h_i, G_{hi} or b_i, G_{bi}; but this is generally not required)

The calculation method of the multiplicative group element exponentiation of the present invention is described in detail below.

The method involves a first party, a second party and a multiplication group of prime order n, where the first party is a device with (relatively) limited resources and weak computing power (such as a wireless sensor, an intelligent wearable device, a field instrument and the like), and the second party is a device with (relatively) rich resources and strong computing power (such as a computer, a server, an edge computing server, a cloud computing system and the like);

the first party has stored in advance g_h = g^(h·a^{-1}) and g_b = g^((ba)^{-1}), where h, b and a are integer secrets of the first party in [1, n-1], g is a (non-identity) element of the multiplication group of prime order n, and ^ denotes the power operator of multiplication group elements (before ^ is a group element, after ^ is the exponent);

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak − h) and submits c and g_b to the second party;

the second party calculates g_c = (g_b)^c;

the first party, the second party or another party calculates g_k = g_c·g_h; then g_k is g^k;

one of the values a and b is allowed to be a non-secret constant (such as a fixed value 1);

the above integer operations using h, b, a, k are modulo operations (mod n) or modulo n congruence ((mod n)).

(if g_k = g_c·g_h is calculated by a party other than the first party, then g_h is not secret)

For the above calculation method of multiplication group element power operations (when h, b, g_h, g_b need to be updated), one method by which the first party updates h, b, g_h, g_b is as follows:

the first party randomly selects an integer r in [1, n-1], takes r·a^{-1} or (ra)^{-1} as k, and obtains g_r = g^(r·a^{-1}) or g_r = g^((ra)^{-1}) by the above multiplication group element power operation calculation method; then r is taken as the new value of h or b, and correspondingly g_r as the new value of g_h or g_b;

the h, b, a, g_h, g_b used in the calculation of g_r and the h, b, a, g_h, g_b used in non-update calculations (i.e. ordinary g_k calculations) may be either the same set of data or different sets of data.

h, g_h and b, g_b need not be updated at the same time (they may or may not be updated simultaneously). The secret parameter a can also be updated, but this is troublesome because two update calculations (of g_h and g_b) are required.

For the above calculation method of multiplication group element power operations (when h, b, g_h, g_b need to be updated), another method by which the first party updates h, b, g_h, g_b is as follows:

after completing one (ordinary) g_k calculation, the first party replaces h with ka and g_h with g_k, or replaces b with (ka)^{-1} and g_b with g_k (with one k, only one of h and b can be updated; h and b may be updated alternately with successive values of k, or only one of h and b may be updated, according to an agreed rule).

Updating the parameters h and b is not necessary; whether h and b need to be updated, whether they are updated after every g_k calculation, and when they are updated depend on the actual security requirements. For example, when the result of a one-time modulo n operation involving the integer k appears in the collaborative computation of an SM9 digital signature, h and b may need to be updated.

In a specific implementation, one of the above two methods of updating h, b, g_h, g_b may be used, or the two methods may be used alternately.

In the above method for computing multiplicative group element exponentiation, the selection of initial values of h, b, and a and the computation of the corresponding initial group elements are performed during system initialization, and the initial values of h, b, and a are randomly selected integers within [1, n-1 ].

If the first party maintains m groups of data h_i, b_i, a_i, g_{hi} = g^(h_i(a_i)^{-1}), g_{bi} = g^((b_i a_i)^{-1}), where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and g_h = g_{h1}·g_{h2}·…·g_{hm}, then a security enhancement scheme for the above calculation method of multiplication group element power operations is as follows:

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, such that k = k_1 + … + k_m (typically k_i, i = 1, …, m−1, are randomly selected in [1, n-1], and then k_m = k − (k_1 + … + k_{m−1}) is calculated);

the first party calculates c_i = b_i(a_i k_i − h_i) and submits c_i, g_{bi}, i = 1, …, m, to the second party;

the second party calculates g_{ci} = (g_{bi})^(c_i), i = 1, …, m, and calculates g_c = g_{c1}·g_{c2}·…·g_{cm};

the first party, the second party or another party calculates g_k = g_c·g_h; then g_k is g^k;

the above integer operations involving h_i, b_i, k_i are modulo n operations (mod n) or modulo n congruence operations ((mod n)).

(if g_k = g_c·g_h is calculated by a party other than the first party, then g_h is not secret)

(if the first party needs to update h_i, b_i, g_{hi}, g_{bi}, i = 1, …, m, they can be updated in the same way as h, b, g_h, g_b, e.g. using k and g_k to update one of the parameter pairs h_i, g_{hi} or b_i, g_{bi}; but this is generally not required)
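A worked example of the m-group security enhancement scheme, written for the multiplication-group case just described; the same splitting of k into k_1 + … + k_m and the same per-group masking apply unchanged to the addition-group enhancement scheme described earlier, with products replaced by point additions. This is an added example, not code from the patent or its author: it uses the subgroup of prime order n = 509 in Z_1019^* (p = 1019 = 2·509 + 1, so g = 4 = 2^2 has order 509), and the names FirstParty, second_party, outsourced_exp and update_pair_with are the example's own assumptions.

```python
# Added example (not from the patent): m-group enhancement for outsourcing g^k.
import secrets

P = 1019        # p = 2n + 1, a safe prime (constructed example)
N = 509         # prime order of the subgroup of squares in Z_P^*
g = 4           # 2^2, an element of order N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1          # uniform in [1, n-1]

def inv(x):
    return pow(x, -1, N)                         # inverse modulo the group order

class FirstParty:
    """Holds m independent triples (h_i, b_i, a_i) and the elements g_hi, g_bi."""
    def __init__(self, m=3):
        self.m = m
        self.h = [rand_scalar() for _ in range(m)]
        self.b = [rand_scalar() for _ in range(m)]
        self.a = [rand_scalar() for _ in range(m)]
        # Initialization: g_hi = g^(h_i a_i^-1), g_bi = g^((b_i a_i)^-1).
        self.g_h = [pow(g, self.h[i] * inv(self.a[i]), P) for i in range(m)]
        self.g_b = [pow(g, inv(self.b[i] * self.a[i]), P) for i in range(m)]

    def split(self, k):
        """Random k_1..k_m in [1, n-1] with k_1 + ... + k_m = k (mod n).
        The last share is re-drawn if it lands on 0, which is outside [1, n-1]."""
        while True:
            parts = [rand_scalar() for _ in range(self.m - 1)]
            last = (k - sum(parts)) % N
            if last:
                return parts + [last]

    def request(self, k):
        """Send c_i = b_i(a_i k_i - h_i) and g_bi for every group i."""
        ks = self.split(k)
        cs = [self.b[i] * (self.a[i] * ks[i] - self.h[i]) % N for i in range(self.m)]
        return cs, list(self.g_b)

    def finish(self, g_c):
        """g_k = g_c * g_h with g_h = g_h1 * ... * g_hm (cheap multiplications only)."""
        g_h = 1
        for x in self.g_h:
            g_h = g_h * x % P
        return g_c * g_h % P

    def update_pair_with(self, i, k, g_k):
        """Optional update of one pair in group i using the k, g_k just computed:
        h_i := k a_i with g_hi := g_k (alternating with b_i := (k a_i)^-1, g_bi := g_k)."""
        if self.h[i] <= self.b[i]:        # arbitrary agreed rule for which pair to refresh
            self.h[i], self.g_h[i] = k * self.a[i] % N, g_k
        else:
            self.b[i], self.g_b[i] = inv(k * self.a[i]), g_k

    def consistent(self):
        """Invariant: every g_hi and g_bi still matches its secret triple."""
        return all(self.g_h[i] == pow(g, self.h[i] * inv(self.a[i]), P)
                   and self.g_b[i] == pow(g, inv(self.b[i] * self.a[i]), P)
                   for i in range(self.m))

def second_party(cs, g_bs):
    """The strong device computes g_c = prod_i g_bi^(c_i); it never sees k."""
    g_c = 1
    for c, gb in zip(cs, g_bs):
        g_c = g_c * pow(gb, c, P) % P
    return g_c

def outsourced_exp(fp, k):
    cs, g_bs = fp.request(k)
    return fp.finish(second_party(cs, g_bs))

if __name__ == "__main__":
    fp = FirstParty(m=3)
    k = rand_scalar()
    g_k = outsourced_exp(fp, k)
    print("g^k correct:", g_k == pow(g, k, P))
    fp.update_pair_with(0, k, g_k)
    print("invariant after update:", fp.consistent())
```

Correctness follows from g_c = Π_i g^((b_i a_i)^{-1}·b_i(a_i k_i − h_i)) = g^(k − Σ_i h_i a_i^{-1}) and g_h = g^(Σ_i h_i a_i^{-1}). With m groups the second party receives m independently masked values c_i, each of which involves only one share k_i, which is the point of the enhancement; as the text notes, m = 2 or 3 is normally enough.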

Based on the method, a corresponding computing system for the addition group element number multiplication or multiplication group element power operation can be constructed. The system comprises two devices: one is a device with limited resources and weak computing power (such as a wireless sensor, an intelligent wearable device, a field instrument and the like), called the first party, and the other is a device with (relatively) rich resources and strong computing power (such as a computer, a server, an edge computing server, a cloud computing system and the like), called the second party; when the first party needs to perform an addition group element number multiplication or a multiplication group element power operation, the first party and the second party calculate according to the above calculation method of the addition group element number multiplication or multiplication group element power operation to obtain the group element number multiplication or group element power operation result.

In the above calculation method and system for the addition group element number multiplication or multiplication group element power operation of the present invention, the first party is a device with (relatively) limited resources and weak computing power, and the second party is a device with (relatively) rich resources and strong computing power. Based on the method and system, a first party with limited resources and weak computing power can complete, with the help of a second party with rich resources and strong computing power, a computationally expensive group element number multiplication in an addition group (such as the number multiplication or multiple addition of points in an elliptic curve point group) or group element power operation in a multiplication group (such as the power operation of group elements in a bilinear pairing multiplication group), while the secrets of the first party, such as the secret integer k, are prevented from being leaked; by updating G_h, G_b or g_h, g_b, k is difficult to crack even when the method is used for SM2 digital signatures or SM9 digital signature collaborative calculation, so the method has wider applicability and overcomes the defect of CN201711318078.8; meanwhile, the first party does not need to maintain a parameter pool or update the addition group element number multiplication or multiplication group element power operation data in a parameter pool, so the method overcomes the defect of CN201910907018.2. The scheme of the invention not only improves security but is also simple.
As a security enhancement scheme, the first party of the present invention may also maintain m sets of parameters, but the difference from CN201910907018.2 is that the number m of parameter sets maintained by the first party may be small, usually m = 2 or 3, whereas the number m of parameter sets maintained by the first party in CN201910907018.2 must be large to be secure; moreover, the first party of the present invention does not need to perform the small-computation group element number multiplication or group element power operation updates on the group elements in the parameter sets that CN201910907018.2 requires.

Detailed Description

The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.

Example 1

This embodiment involves an addition group of prime order n; it includes a first party that is a resource-constrained, computationally weak device (e.g., a wireless sensor, a smart wearable device, a field instrument, etc.) and a second party that is a (relatively) resource-rich, computationally strong device (e.g., a computer, a server, an edge computing server, a cloud computing system, etc.);

the first party has stored in advance G_h = [h·a^{-1}]G and G_b = [(ba)^{-1}]G, where h, b and a are integer secrets of the first party in [1, n-1], G is a (non-zero) element of the addition group of prime order n, and [ ] denotes the number multiplication operator of addition group elements (inside [ ] is the integer multiplier, and after [ ] is a group element);

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak − h) and submits c and G_b to the second party;

the second party calculates G_c = [c]G_b;

the first party, the second party or another party calculates G_k = G_c + G_h; then G_k is [k]G;

In this embodiment, one of a and b is allowed to be a non-secret constant (e.g., a fixed value of 1);

the integer operations described above using h, b, a, k are modulo (mod n) or modulo n congruence ((mod n)).

(if G_k = G_c + G_h is calculated by a party other than the first party, then G_h is not secret)

In this embodiment, the selection of the initial values of h, b, and a and the calculation of the corresponding initial group elements are performed during the initialization of the system, and the initial values of h, b, and a are randomly selected integers within [1, n-1 ].

Example 2

The difference between this embodiment and embodiment 1 is that, each time an (ordinary) G_k is calculated, before or after that calculation (not necessarily immediately before or after; it may be done in advance or when idle), the first party updates h, G_h and/or b, G_b as follows:

the first party randomly selects an integer r in [1, n-1], takes r·a^{-1} or (ra)^{-1} as k, and calculates G_r = [r·a^{-1}]G or G_r = [(ra)^{-1}]G by the above addition group element number multiplication method; then r is taken as the new value of h or b, and correspondingly G_r as the new value of G_h or G_b;

the h, b, a, G_h, G_b used in the calculation of G_r and the h, b, a, G_h, G_b used in non-update calculations (i.e. ordinary G_k calculations) may be either the same set of data or different sets of data.

Example 3

The difference between this embodiment and embodiment 2 is that, each time an (ordinary) G_k calculation is completed, the first party updates h, G_h or b, G_b as follows:

the first party replaces h with ka and G_h with G_k, or replaces b with (ka)^{-1} and G_b with G_k (with one k, only one of h and b can be updated; h and b may be updated alternately with successive values of k, or only one of h and b may be updated, according to an agreed rule).

Embodiment 4,

This embodiment differs from embodiments 2 and 3 in that, before or after each calculation of G_k (not necessarily immediately before or after; it may be done in advance or while idle), the first party updates one of the two parameter pairs h, G_h and b, G_b in the manner of embodiment 2, and after completing one (ordinary) calculation of G_k updates the other pair in the manner of embodiment 3.

Embodiment 5,

This embodiment differs from embodiment 1 in that the first party maintains m sets of data h_i, b_i, a_i, G_hi = [h_i (a_i)^(-1)]G, G_bi = [(b_i a_i)^(-1)]G, where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and G_h = G_h1 + … + G_hm;

when the first party needs to calculate G_k = [k]G, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, with k = k_1 + … + k_m (typically k_i, i = 1, …, m-1, are randomly selected in [1, n-1] and then k_m = k - (k_1 + … + k_(m-1)) is calculated);

the first party calculates c_i = b_i(a_i k_i - h_i) and submits c_i, G_bi, i = 1, …, m, to the second party;

the second party calculates G_ci = [c_i]G_bi, i = 1, …, m, and calculates G_c = G_c1 + … + G_cm;

the first party, the second party or another party calculates G_k = G_c + G_h; this G_k is [k]G;

the integer operations above involving h_i, b_i, k_i are modulo n operations (mod n) or modulo n congruences ((mod n)).

(If G_k = G_c + G_h is calculated by a party other than the first party, then G_h is not secret.)

In this embodiment, if the first party needs to update h_i, b_i, G_hi, G_bi, i = 1, …, m, this can be done in the same way as h, b, G_h, G_b are updated, e.g. using k and G_k to update one parameter pair h_i, G_hi or b_i, G_bi; but this is generally not required.

In a specific implementation, the size of m depends on the security requirements; usually m = 2 or 3 is sufficient.

Embodiment 6,

This embodiment relates to a multiplicative group whose order is a prime number n; it involves a first party that is a resource-constrained, computationally weak device (e.g., a wireless sensor, a smart wearable device, a field instrument, etc.) and a second party that is a (relatively) resource-rich, computationally strong device (e.g., a computer, a server, an edge computing server, a cloud computing system, etc.);

the first party has stored in advance g_h = g^(h a^(-1)), g_b = g^((ba)^(-1)), where h, b and a are integer secrets of the first party in [1, n-1], g is a (non-identity) element of the multiplicative group of prime order n, and ^ denotes the power operator on a multiplicative group element (the group element before it, the exponent after it);

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party calculates c = b(ak - h) and submits c and g_b to the second party;

the second party calculates g_c = g_b^c;

the first party, the second party or another party calculates g_k = g_c g_h; this g_k is g^k;

in this embodiment, one of a and b is allowed to be a non-secret constant (e.g., the fixed value 1);

the integer operations above involving h, b, a and k are modulo n operations (mod n) or modulo n congruences ((mod n)).

(If g_k = g_c g_h is calculated by a party other than the first party, then g_h is not secret.)

In this embodiment, the selection of the initial values of h, b and a and the calculation of the corresponding initial group elements are performed during system initialization; the initial values of h, b and a are integers randomly selected in [1, n-1].

Embodiment 7,

This embodiment differs from embodiment 6 in that, before or after each (ordinary) calculation of g_k (not necessarily immediately before or after; it may be done in advance or while idle), the first party updates h, g_h and/or b, g_b as follows:

the first party randomly selects an integer r in [1, n-1], takes r a^(-1) or (ra)^(-1) as k and calculates g_r = g^(r a^(-1)) or g_r = g^((ra)^(-1)) by the multiplicative group element power operation method described above, then takes r as the new value of h or b and, correspondingly, g_r as the new value of g_h or g_b;

the h, b, a, g_h, g_b used in the calculation of g_r and those used in the non-update calculation (i.e. the ordinary calculation of g_k) may be the same set of data or different sets of data.

Embodiment 8,

This embodiment differs from embodiment 7 in that, after each (ordinary) calculation of g_k, the first party updates h, g_h or b, g_b as follows:

after completing one (ordinary) calculation of g_k, the first party replaces h with ka and g_h with g_k, or replaces b with (ka)^(-1) and g_b with g_k (for one k only one of h and b can be updated; h and b may be updated alternately by successive values of k, or only one of them may be updated, according to an agreed rule).

Embodiment 9,

This embodiment differs from embodiments 7 and 8 in that, before or after each calculation of g_k (not necessarily immediately before or after; it may be done in advance or while idle), the first party updates one of the two parameter pairs h, g_h and b, g_b in the manner of embodiment 7, and after completing one (ordinary) calculation of g_k updates the other pair in the manner of embodiment 8.

Embodiment 10,

This embodiment differs from embodiment 6 in that the first party maintains m sets of data h_i, b_i, a_i, g_hi = g^(h_i (a_i)^(-1)), g_bi = g^((b_i a_i)^(-1)), where h_i, b_i, a_i are integer secrets of the first party in [1, n-1], i = 1, …, m, m ≥ 2, and g_h = g_h1 g_h2 … g_hm;

when the first party needs to calculate g_k = g^k, where k is a secret integer of the first party in [1, n-1], the first party randomly decomposes k into m integers k_i in [1, n-1], i = 1, …, m, with k = k_1 + … + k_m (typically k_i, i = 1, …, m-1, are randomly selected in [1, n-1] and then k_m = k - (k_1 + … + k_(m-1)) is calculated);

the first party calculates c_i = b_i(a_i k_i - h_i) and submits c_i, g_bi, i = 1, …, m, to the second party;

the second party calculates g_ci = g_bi^c_i, i = 1, …, m, and calculates g_c = g_c1 g_c2 … g_cm;

the first party, the second party or another party calculates g_k = g_c g_h; this g_k is g^k;

the integer operations above involving h_i, b_i, k_i are modulo n operations (mod n) or modulo n congruences ((mod n)).

(If g_k = g_c g_h is calculated by a party other than the first party, then g_h is not secret.)

In this embodiment, if the first party needs to update h_i, b_i, g_hi, g_bi, i = 1, …, m, this can be done in the same way as h, b, g_h, g_b are updated, e.g. using k and g_k to update one parameter pair h_i, g_hi or b_i, g_bi; but this is generally not required.

In a specific implementation, the size of m depends on the security requirements; usually m = 2 or 3 is sufficient.

The method of the invention can be implemented and used to construct a corresponding computing system for the addition group element number multiplication or the multiplicative group element power operation. The system comprises two devices: one is a resource-constrained, computationally weak device (such as a wireless sensor, a smart wearable device, a field instrument, etc.) called the first party, and the other is a (relatively) resource-rich, computationally strong device (such as a computer, a server, an edge computing server, a cloud computing system, etc.) called the second party; when the first party needs to perform an addition group element number multiplication or a multiplicative group element power operation, the first party and the second party calculate the result according to the calculation method of the addition group element number multiplication or the multiplicative group element power operation described above.

Other specific technical implementations not described here are well known to those skilled in the relevant art and will be apparent to them.
