• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    Method to produce an encryption system with public key and digital signature with polynomials of few variables based on vectorial exponentiation. In the field of public-key cryptography there is a growing interest in building secure encryption against current attacks and also against attacks from future quantum computers. The present invention describes a new multivariable pubic key encryption system (MPKC) that uses a new method to construct the central invertible applications that allows obtaining a public key with polynomials of very few variables, which guarantees a high efficiency and speed in the encryption, decryption and digital signature processes. (Machine-translation by Google Translate, not legally binding)
    公开号:ES2660626A1
    申请号:ES201700779
    申请日:2017-11-27
    公开日:2018-03-23
    发明作者:Ignacio Maria LUENGO VELASCO
    申请人:Universidad Complutense de Madrid;
    IPC主号:
    专利说明:

    METHOD TO PRODUCE A SYSTEM OF ENCRYPTION WITH PUBLIC KEY ANDDIGITAL SIGNATURE WITH POLYNOMIES IN A FEW VARIABLE BASED ON THEVECTOR EXPOSURE
    SECTOR OF THE TECHNIQUE
    The present invention belongs to the field of information and communications security. More specifically, it refers to a public key encryption system that allows encryption, decryption and digital signature in a secure way.
    BACKGROUND OF THE INVENTION
    The idea of public key cryptography (w. Diffie and ME Hellman, Multiuser cryptographic techniques, presented at National Computer Conference, New York, June 7-10, 1976) revolutionized the field of cryptography allowing safer communications, enabling the development of Internet and electronic commerce.
    The main systems that developed this idea are the RSA (US 4,405,809), ECC (elliptical curves) and for the digital signature OSA and ECDSA that are currently used in virtually all applications of information technology (ICT). These public key systems such as RSA or El Gamal have the disadvantage that they work with very large numbers (or bodies), which makes it difficult to use them in devices with few computational and memory resources that are increasingly used in ICT ( for example 10T).
    In addition, the famous Shor algorithm (P. Shor. Polynomial Time Algorithms for Prime Factorization and Oiscrete Logarithms on a Quantum Computer, SIAM J. Comput. 26 (5), pp. 1484-1509, 1994) allows to factor large numbers in time polynomial with a quantum computer, which makes current encryption methods insecure against a future quantum computer. This fact has increased the interest of ciphers that are resistant to quantum computers. For this reason the American Institute of Standards NIST has published an open competition to identify, choose and standardize
    one or more encryption systems that are safe against quantum computers, also called post-quantum ciphers.
    The best-known post-quantum ciphers use reticles such as the NTRU (US 6,081, 597), error correction codes (MacEliece ciphers), Mekle trees and multivariable systems. Multivariable cryptography (J. Oing, J.E. Gower, O.S. Schmidt: Multivariate Public Key Cryptosystems. Springer, 2006) uses a set of F1 polynomials as a public key, ... FM with coefficients in a finite body IFq that define a
    application F: IF ~ ~ IF ~ which is the public key used to encrypt the messages; application F is the composition of one or several applications L1, .., Lr that form the private part of the key. The applications of the Ll and Lr ends are linear applications and the central application or applications are nonlinear but easy to reverse.
    The first known system was the C * (US 5,016,276) that was broken by Patarin in 1995
    (J. Patarin: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt 88. CRYPT095, LNCS vol. 963, pp. 248-261. Springer, 1995). In system C * the application
    to
    central is an exponentiation G (x) = x in a large body IFqn that contains IFq and n ~ 80. In this system (and, practically, in all published ones) the two linear applications of the ends are dense which forces the polynomials Fv ... Fn are quadratic (grade 2) because if not, the number of monomials grows exponentially and the size of the public key is so large that it makes them impractical. There are very few higher grade systems; at most, quantum (grade 4). The most important system is the HFE (US 5,790,675) that was broken with the parameters proposed by Patarin (n = 80 and degree of central application 96) by means of algebraic cryptanalysis, specifically using Grobner's bases (JC Faugére, A. Joux: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Groebner Bases. CRYPTO 2003, LNCS vol. 2729, pp. 44-60. Springer, 2003).
    Many of the quadratic multivariable systems have been broken for parameter values that are of practical utility (TTS, HFE, etc.) (A. Kipnis, A. Shamir: Cryptanalysis of the HFE Public Key Cryptosystem. CRYPTO 99, LNCS vol. 1666, pp. 19-30. Springer, 1999). To remedy this various modifications have been introduced (oil and vinegar, plus (+), minus (-), etc.). These modifications allow quadratic systems to be effective especially for the digital signature: but not for encryption. To digitally sign a message it is not necessary that the application F be bijective, it is enough that it is overjective, and this allows to construct schemes that are valid only for the digital signature, such as UOV (Unbalanced Oil and Vinegar) (A. Kipnis, L. Patarin , L. Goubin: Unbalanced Oil and Vinegar Schemes. EUROCRYPT 1999. LNCS vol. 1592, pp. 206-222 Springer, 1999.), Rainbow (J. Ding, DS Schmidt: Rainbow, a new multivariate polynomial signature scheme. ACNS 2005 , LNCS vol. 3531, pp. 164-175. Springer, 2005 and .US20080013716) and others.
    Therefore, a new secure encryption method against attacks on a future quantum computer that is efficient and fast in encryption, decryption and digital signature processes would be desirable.
    . EXPLANATION OF THE INVENTION
    In this invention, a public key encryption method is proposed that uses high-grade polynomials which allows very few variables to be used, making it much faster than existing methods and safe against algebraic attacks. To do this, it uses two different central applications to those that have been used so far and that allow obtaining a secure public key with few variables. These applications use exponentiation of vectors with matrix exponents.
    To construct the encryption system, a finite body IFq (q = pe) and an IFp isomorphism are set: IF ~ ~ IFp '= IFq, where p is a small prime number, and parameters n, m, N, m ~ n, s ~ n, e 'n. m = N + s. The encrypted message is a vector of u of IF ~ to which s elements of Fp randomly selected to form a vector x = (Xl '...' xnm) of lF ~ m (e · n · m = N + are added s). The parameter values are m ~ n ~ 2 And the number of variables is m · n ~ 4. The body size has to be
    great because system security is N bits. For example, to get 128 bits of security you can take m = 3, n = 2, e = 24 and s ~ 12.
    They take an injection application h
    h: {1, ..., N} ~ {l, ..., N + s} such that iv- .., im rt./mg(h)
    and a Ho: IF ~ ~ IF ~ + S application that is defined in such a way that if j is in the image of h UE lmg (h), j = h (i)), the j-esima component is HoWj = xh (i)
    If j fl Img (h), the HoWj component is chosen randomly in IFp with the proviso that when composing Ho with the natural bijection no = (no, ..., no) between IF ~ + S and lF ~ m 5 ( e 'n. m = N + s), the components Xln' "'' Xmn of the image of u, ~ = H (u) by the padding application H = B. Ho are not null.
    The public key is Kp = (h, no, F) where F: lF ~ m ~ lF ~ m is an application that is obtained as a composition F = L3 or Gz or Lz. Gl or Ll of five applications according to 10 Diagram 1.
    IFnm L¡ (lF) m Gl (lF) m
    q ---- + q "---- + q"
    F
    Diagram 1
    where Lv Lz, L3 are Fq-linear isomorphisms, Gl is a highly non-application
    linear and bijective in (lFqn - {O} t and, in the same way, Gz is a highly application
    nonlinear and bijective in (lFqm - {o} f.
    20 Thus, the vectors Xl = (Xll '..., Xln), ..., Xm = (Xml' ..., x mn) are different from (O, ..., O) which is fundamental for to be able to reverse the central applications G, and Gz. Developing the composition it is obtained that the components of F, (Fl, ..., Fnm) are polynomials F¡E
    IFq [Xv .. ·, xnml
    The bi-linear linear application LI is obtained as a composition of bijective applications Ll = nl or LI or l according to Diagram 2.
    JB :: m~) (JF ~) m 11) (JF ~) m
    that
    Ll
    Diagram 2 where 7r1 is obtained from a base {av ..., an} of IFqn on IFq
    The isomorphism L1 is defined by its components Lli
    L1 = (Lll, .. "L11t), LH: JF ~ -t JF ~LliC! S) = ~ iA1i Ali E Mnxn (lFq), det AH = F O
    and isomorphism 1: IF ~ m ~ (IF ~ t is obtained by grouping the components of n into n according to their indexes.
    The bi-linear Fq-linear application L2 is obtained as a composition of bijective applications L2 = 7r1 -1 o or M or lt2 according to Diagram 3.
    L2
    Diagram 3
    Where the mixture application M: (IFq n) m ~ (IFqmt is the linear Fq isomorphism that transforms the m IF vectors into n IF vectors according to the following matrix diagram (4)
    ~ l, -1 • 11 X l .. Xn + l, l Xl.) And X7, l)
    M ---- + 'X',
    and"
    ~ m. In, n + 1
    X ~ ll X ~ t1I ~ l I ~ ll Inri xmn
    Diagram 4
    In this way, the mixture M inserts the coordinates of the last m-n vectors of
    the matrix in the final components of the first n vectors, but vertically; that is to say transposing the box of the matrix M formed by the last m-n vectors. This way of inserting the last m-n vectors into the final components of the first n can be changed by any permutation of the (m -n). n inputs and the number of final monomials depends on M (see example 1). This construction of M guarantees that if x E (lFqn - {o}) m then x 'E (lFqm - {O} t. It is important to note that the inverse form of M does not guarantee that if x' E (lFqm - {O} t then yes x E (lFqn - {O} t; this makes all messages can be encrypted, but there are
    Messages that cannot be signed.
    The isomorphism Lz is defined by its components L2i as in the case of L1 except that in this case the matrices of LZí verify that AZí E Mn xn (IFqm) and 7rz is obtained from a base {{J1 '..., {Jm} of IFqm over IFq as:
    The Fq-linear L3 application is obtained as a composition L3 = 7rz -1 or 1-1 or L3 and the L3 isomorphism is defined similarly to Lz from a non-zero determinant A3i E Mn xn (IFqm) matrices like L1 and Lz
    The main novelty of this design is the use of the central applications Gl defined in (lFqn) m and Gz defined in (lFqm t, which are essentially an exponentiation of vectors ((XV "" xm) with exponents matrices Al and 8 z.
    To define G1, choose a matrix Al E Mm x m (~ qn_l) such that det (Al) and qn -1 are cousins to each other and Gl is defined by the formula:
    (xall xa1m
    G (x X) -. .
    1 v ···, m -1 ... m "'"
    The condition mcd (det (Al) 'qn -1) = 1 makes Gl a bijection in (lFqn - {o}) m with inverse GIl defined as in the previous formula by the inverse matrix of Al' It should be noted that the condition mcd (det (Al), qn -1) = 1 is equivalent to
    that there is the inverse of Al in Mm x m (~ ql1-l) And this is the key property of all the
    í
    invention.
    The application Gz is defined in the same way: a matrix Bz E Mn x n (lqm_l) is chosen such that det (Bz) and qm -1 are cousins to each other and Gz is defined by the formula:
    I I) ('b1n Ibn1 Ibnm) G. (lF) n (lF) n
    Gz (Xl '... • Xn = Xl • .... Xn Ibln, ..., Xl. .... Xn, l' qm -qm
    Yes! = (Xl • ... • xnm) are the initial coordinates and Z = (Zl • ... • znm) the final coordinates the composition of the five applications that give F allows to calculate the Fi components which are Fi and IFq polynomials [ XI '... • Xnm]. usually with many monomials.
    To keep the number of monomials small, the matrices Al and Bz are taken with the following properties:
    1) The inputs of Al and Bz are of the form pa.
    2) Two small integers s and t are set. And choose Al so that each
    Al row has at most s non-null entries, and the matrix Bz is chosen so
    that each row has at most t null entries. With these conditions it
    has that each component has at most Mo = ((1 + bmax) 'nS) t monomials,
    bmax depends on the mixture M and each monomial has at most s + t variables.
    In this way it is achieved that if s and t are small the number of monomials
    It is relatively small.
    The public key consists of the pair Kp = (h. No. F) from which the encryption application is constructed as described above DM = F or H: IF ~ --- + lF ~ m
    The private key consists of h, IFq and the applications LI 'Gl • Lz. Gz • L3 to be reversed to decrypt a message. FI is calculated = the Gl I or L "21 or Gil or L" JI and, given an encrypted message Z = DM (X), FI (z) is calculated and the random inputs of FI (z) given by h.
    Once the parameters of the private key have been set, that is, the matrices that define the applications M. LI 'Gz • Lz. Gz YL3 the polynomials Fi E IFq [xv ..., xnm] are obtained by calculating the composition of the applications.
    To quickly obtain the F applications, the following method is followed: each group of m polynomials that come from the xi coordinates when applying G2 and 7r2-1 have the same monomials; if d is said number of monomials, these can be calculated
    monomials Ml, ..., Md multiplied with each other the initial monomials raised to the inputs of and G2 as follows (*):
    Gl
    If MOl = [mo¡} and M02 = [moj], the product MOl * M02 = [mOl. moj] as the list containing all the products and MOf. = [mof]. If we denote by MOk = [Xkl '..., xkn] to the list of monomials of Xk the application makes the list of monomials of each vector of the image be
    Gl NOk = MO: k1 * ... * MO! Tkm which has nS monomials. The application M makes that in the list of monomials of xÍ <those of NOk appear plus those of the vectors that are added at the end. If bk is the number of distinct vectors added in total they will be at most (1 + bk) · nS monomials.
    When applying G2 every monomial
    produces at most Mo =
    ((1 + bmax) 'nS) t monomials, where bmax = max (bk).
    To obtain the coefficients of each monomial in F, a number k of initial messages is taken on '..., ek and their corresponding encrypted messages Zv ..., Zk are calculated. Each component is of the form F¡ = I.1 = 1! Ij mj and, since the y¡ and mj (e¡) are known, these equalities give rise to linear equations where the unknowns are the coefficients [¡jy taking k large enough for the equations to be linearly independent, they are solved efficiently to obtain the coefficients of F.
    The monomials of F¡ (xv ..., xnm) can be evaluated using the same algorithm (*). You start with the list of the coordinates of a given message c, that is M Ok = [Ckl '..., Ckn] you get as a result a list that gives the evaluation of the monomials of each F¡. In this way, polynomials F¡ are evaluated with a significantly smaller number of multiplications and exponentiations in IFq.
    This encryption system also allows digital signature. To sign a message z, the user has to calculate a value K such that z = F (i) Y it is possible that there is no such K because the application is not overjective, although the probability that it does not exist is small (q ) 'To resolve this, a message of length N1 <e is signed. m 'n and se
    use an injective application h1: {l, ..., Ntl ~ {l, ..., emn} in the same way as with h, that is, the entries of z are completed with non-null values that in this case can be random or fixed and in the coordinates that are not in the image of h1 until you get! . In this case the length of the message to be signed N1 does not have to be fixed a priori. In summary, the signature of the z message is:
    For verification, z = Fe! Is calculated. ) And random entries are discarded using
    h1.
    One of the parties (for example ALICIA) can sign an encrypted message for the other party (for example 808) without using the previous filler mechanism as follows: if e is the message, it is encrypted with the public key of 808 K pBOB obtaining ZE lF ~ nn; if z cannot be signed, then random entries cannot be added
    because its length is maximum (N1 = e'n'm) but it can be encrypted again with K pBOB obtaining a different encrypted message because the encryption is non-deterministic Zl = 0 Mee) and Zl is signed. This process can be repeated until a valid signature is obtained.
    The method also allows key encapsulation (KEM) that allows both parties to agree on a common key for use in symmetric encryption. To do this, both parties agree on an HS hash function and one of the parties generates a random message x and sends it encrypted to the other party. In this way, both can calculate w = HS (x).
    BRIEF DESCRIPTION OF THE DRAWINGS
    The proposed method for producing an encryption system is schematized in Figure 1. PREFERRED EMBODIMENT OF THE INVENTION
    The present invention is illustrated by the following examples, which are not limiting of its scope.
    Example 1. Generation of the public key
    If m = 4, n = 2, q = is taken, the exponents of the public key F: IF ~ lO --- t IF ~ depend on the matrices A1 and 82 and they are obtained by the algorithm (*). If l = Xll X12 X31 X41)
    s = 2 and the mixture is given by the matrix M = (x x x x then the
    21 22 32 42
    number of exponents of polynomials F¡ is at most 121 2 = 144
    ll 12 31 32
    If the mix matrix is M = (xXXX xX XX) the number of exponents is at
    21 22 41 42
    sumo 81 2 = 64.
    Example 2. KEM protocol with the encryption system.
    This encryption method described in example 2 allows defining a key encapsulation mechanism (KEM) in the standard way. If both parties, Alice and Bob, want to agree on a symmetric key of length b for an exchange or session, they take an HS hash function of at least b digits, and follow the following protocol:
    One of the parties, for example, Alice, generates a random message x of length N, sends the encrypted message z = DMA (x) to Bob and calculates w = HS (x). Bob deciphers z by obtaining x and also calculates w = HS (x) which is the common symmetric session key. Industrial application
    The method described in the present invention allows to produce a secure encryption system against current attacks and attacks using future quantum computers. Information security mechanisms and network communications are essential in fields such as electronic commerce, banks, etc.
    权利要求:
    Claims (7)
    [1]
    1. Method for producing an encryption system with a public key comprising: a) Choose a small prime number (p), a common IFq body (q = pe) for all 5 key pairs and an IFp -isomorphism ITo: IF ~ ~ IFp '= IFq, about
    parameters (n, m, N, m, s, e, t) so that n, m, N, m ~ n, s ~ n, e 'n. m = N + s, an injection application h and a Ho: IF ~ ~ 1F ~ + s application that is defined in such a way that if j is in the image of h UE lmg (h), j = h (i ', the j-esima component is HoWj = xh (i).
    10 If j fllmg (h), the HoWj component is chosen randomly in IFp on the condition that when composing Ho with the natural bijection no = (ITo, ..., ITo) between IF ~ + S and lF ~ m (e 'n. m = N + s), the components Xln' "'' Xmn of the image of u,! = H (u) by the padding application H = 8 · Ho are not null.
    15 b) Build a polynomial application F: lF ~ m - + lF ~ m which is obtained as a composition F = L3 or ez or Lz. the or Ll of five applications according to the Diagram
    1, where the applications L1, L2 and L3 are linear IFq isomorphisms and the
    G1 and G2 applications are highly nonlinear and chaotic
    to)
    IF ~ m ~ (IFq ,,) 1tt ~ (IFqn) m L 2) (lFqm) T G2) (IFqm) n
    F
    20 Diagram 1 The construction of linear applications L1, L2 and L3 is done as a composition of bijective applications; the applications defined in (lFqnt and e2 defined in (lFqmt, nonlinear and bijective in (lFqn - {o}) m and (IFm - {Onn, are essentially an exponentiation of vectors)
    25 (xv ..., x m) with exponents the matrices Al and 8z, respectively, with the
    following properties: -The entries of Al and 8z are of the pa form. -Two small integers s and t, Yelige Al are set so that each row of Al has at most s non-zero entries, and the 8z matrix
    It is chosen so that each row has at most t non-zero entries.
    Under these conditions, each component has the most
    Mo = ((1 + bmax) · nS / monomials, bmax depends on the mixture M and each monomial has at most s + t variables, so that if s and t are small the number of monomials is relatively small.
    c) Generate the public key as the pair Kp = (h, 7th, F) from which the encryption application D M = F oH is constructed: IF ~ ---- IF ~ m
    [2]
    2. Method for producing an encryption system with a public key, according to claim 1, wherein to define Gl, an array is chosen Al E Mm xm (~ qn_l) such that det (Al) and qn -1 are cousins to each other and defined Gl by the formula:
    Gl (Xl, ..., x) = (X ~ l1 · .... x ~ lm, ..., x ~ ml. .... X ~ mm), Gl: (IFq ,,) m ~ (IFqn) m
    m
    The condition mcd (det (Al), qn -1) = 1 makes Gl a bijection in (IFqn - {O} t with inverse Gil defined as in the previous formula by the inverse matrix of Al. It should be noted that the mcd condition (det (Al), qn_
    1) = 1 is equivalent to the inverse of Al in Mm x m (~ qn_l) and this is the key property of the entire invention. The application Gz is defined in the same way: a matrix 8z E Mn x "(~ qm-l) is chosen such that det (8z) and qm -1 are cousins to each other and Gz is defined by the formula:
    I ') (' b1n Ib1n
    GZ (Xl '..., Xn = Xl ..... X ", ...,
    Yes! = (Xv ..., xnm) are the initial coordinates and z = (zv ..., znm) the final coordinates The composition of the five applications that give F allows to calculate the Fi components which are Fi E IFq polynomials [Xl '. . •, Xnm], usually with many monomials.
    [3]
    3. Method to produce an encryption system with public key, according to
    í
    claims 1 and 2, further comprising generating a private key consisting of h, IFq and the applications Ll • Gl • L2 • G2 • L3 to be reversed to decrypt a message by calculating Fl = L3 or Gl or L2 or G2 or Ll y, given an encrypted message z = DM (X), Fl (z) is calculated and random entries of Fl (z) given by h are discarded.
    [4]
    4. Method for producing a public key encryption system, according to claim 3, wherein the evaluation of the polynomials F¡ in CE IF ~ m to obtain the encrypted message F¡ (e) is carried out efficiently and quickly from the evaluation of their monomials as follows: if of the number of monomials that a group of polynomials m contains, these monomials Ml • ... • Md can be calculated multiplied with each other the initial monomials raised to the inputs of Gl and G2 as follows: -If MOl = [mo¡] and M02 = [moj], the product MOl * M02 = [mo¡ is defined. mj] as the list containing all the products and MOf = [mof]. -Detonating by MOk = [Xkl • ... • Xkn] to the list of monomials of Xk the application Gl makes the list of monomials of each vector of the image NOk = MO: k1 * ... * MO! Km which has nS monomials. The application M makes the NOk list appear in the list of monomials of xíc plus those of the vectors that are added at the end. If bk is the number of vectors
    nS
    different added in total will be at most (1 + bk). monomials
    By applying G2 every monomial of x ~ bln ..... x ~ bln produces at most Mo =
    ((1 + bmax). NS) t monomials, where bmax = max (bk)
    - To obtain the coefficients of each monomial in F, a number k of initial messages Cl> .... Ck are taken and their corresponding encrypted messages Zl '"' 'Zk are calculated. Each component is of the form F¡ =' L1 = t! ij mj and, given that y¡ and mj (C¡) are known, these equalities give rise to k linear equations where the unknowns are the coefficients fixed and taking k large enough so that the equations are linearly independent are solved by Efficient way to obtain the coefficients of F. You can evaluate the monomials of F¡ (Xl. .... xnm) using the same
    algorithm. It begins with the list of coordinates of a given message c, that is, MOk = [Ckl '' '. 'Ckn 1 results in a list that gives the evaluation of the monomials of each F¡. In this way the polynomials F¡ are evaluated with a significantly smaller number of
    multiplications and exponentiations in IFq.
    [5]
    5. Method for producing an encryption system with any of the preceding claims, which generates a digital signature for a z message:
    public key, as it also includes the
    sig (z) = ~, z, hd And where! = F-l (~ where the user has to calculate a K value such that z = FC !.) And it is possible that there is no such K because the application is not overjective. To resolve this, a message of length NI <e is signed. m. n and an injective application h1 is used: {l, ..., Nd -¡ {l, ..., emn} in the same way as with h, that is, the entries of z are completed with random values in the coordinates that are not in the image of h1 until you get! . The length of the message to sign NI does not have to be fixed a priori. the signature is verified by calculating z = F (!.) and discarding random entries using h1. The signature is verified by calculating z = F (!.) and discarding random entries using h1
    [6]
    6. Method for producing an encryption system with public key, according to previous claims, where one of the parties (for example ALICE) can sign an encrypted message for the other party (for example BOB) without using the filling mechanism of the following form: if x is the message, it is encrypted with the public key of BOB K pBOB obtaining z E 1F ~ .n; yes z
    it cannot be signed, so random entries cannot be added because its length is maximum (NI = in · m) but it can be encrypted again with KpBOB obtaining a different encrypted message because the encryption is nondeterministic Z¡ = DM (x) and Z¡ is signed. This process can be repeated to zero.
    [7]
    7. Method for producing a public key encryption system, according to previous claims, further comprising key encapsulation (KEM) that allows the two parties to agree on a common key for symmetric encryption. To do this, both parties agree on an HS hash function AND one of the parties generates a random message x
    and sends it encrypted to the other party. In this way, both can calculate w =
    HS (x).
    Choose: p e
    IFq (q = P)
    Ha: IF ~ ____ 1F ~ + s
    no: IF ~ ~ IFp '= IFq ..)
    h: {l, ..., N}such that eln, ..., emn and Img (h)N + s
    G1 nonlinear and bijective in
    Fq-linear isomorphisms Gz nonlinear and bijective in
    -> {l, ..., N + s} n, m, N, m ~ ns ~ nn, e. n. m = Build: F: IF ~ m ~ IF ~ m F = L oG oL · GoL 3 2 2 1 1 (IFq "- {O}) '" (lFqm - {O}) " L, L, LI,, Generate public key: Kp = (h, no, F), (*) A1 and 82 (..) A1 and 82 allow
     '------..-------- 1 get Fi way
    fast
    Generate private key:
    ¿-L G-1 ¿-1 G-1 ¿-1
    r-
    3'2'2'1'1
    Encrypt: y = F (x) = F (H (x)) "- +
    Decipher:~ = F-1 (y), x = H-1 (~)
    Generate digital signature:
    sig (z) = ~, z, hd
    Verify digital signature: z = F (~)
    Figure 1
    类似技术:
    公开号 | 公开日 | 专利标题
    Albrecht et al.2016|MiMC: Efficient encryption and cryptographic hashing with minimal multiplicative complexity
    Galbraith et al.2016|On the security of supersingular isogeny cryptosystems
    CN105024994B|2018-01-05|Without the safety to computing label decryption method is mixed without certificate
    Boneh et al.2003|A secure signature scheme from bilinear maps
    Bertoni et al.2016|Farfalle: parallel permutation-based cryptography
    ES2842954T3|2021-07-15|Devices and key agreement method
    Garber2010|Braid group cryptography
    Daemen et al.2018|Xoodoo cookbook
    Almajed et al.2019|SE-ENC: A secure and efficient encoding scheme using elliptic curve cryptography
    Niederhagen et al.2017|Practical post-quantum cryptography
    Datta et al.2019|Efficient attribute-based signatures for unbounded arithmetic branching programs
    Ibrahim et al.2021|Efficient key-dependent dynamic S-boxes based on permutated elliptic curves
    Wei et al.2012|On the | security of IDEA in various hashing modes
    Sepahi et al.2014|Lattice-based certificateless public-key encryption in the standard model
    ES2400895A2|2013-04-15|A method for performing a group digital signature
    ES2660626A1|2018-03-23|Method to produce an encryption system with public key and digital signature with polynomials in few variables based on vectorial exponentiation |
    Yao et al.2020|Cryptography
    Azarderakhsh et al.2020|How not to create an isogeny-based PAKE
    Sakalauskas et al.2007|Matrix power s-box construction
    Gajbhiye et al.2017|Paradigm shift from classical cryptography to quantum cryptography
    Hecht2017|Post-Quantum Cryptography: A Zero-Knowledge Authentication Protocol
    Teseleanu et al.2016|Boneh-Gentry-Hamburg's Identity-based Encryption Schemes Revisited
    Mochetti et al.2014|Ideal Lattice-based | IBE Scheme
    Heninger2022|RSA, DH, and DSA in the Wild
    England2006|Elliptic curve cryptography
    同族专利:
    公开号 | 公开日
    WO2019102046A1|2019-05-31|
    ES2660626B2|2018-08-16|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US20130042116A1|2011-08-12|2013-02-14|Koichi SAKUMOTO|Information processing apparatus and information processing method|
    KR101753721B1|2017-03-31|2017-07-19|기초과학연구원|High speed multivariate quadratic digital signature scheme and system thereof|
    法律状态:
    2018-08-16| FG2A| Definitive protection|Ref document number: 2660626 Country of ref document: ES Kind code of ref document: B2 Effective date: 20180816 |
    优先权:
    申请号 | 申请日 | 专利标题
    ES201700779A|ES2660626B2|2017-11-27|2017-11-27|Method to produce an encryption system with public key and digital signature with polynomials in few variables based on vector exponentiation|ES201700779A| ES2660626B2|2017-11-27|2017-11-27|Method to produce an encryption system with public key and digital signature with polynomials in few variables based on vector exponentiation|
    PCT/ES2018/000080| WO2019102046A1|2017-11-27|2018-11-23|Method for producing an encryption system having a public key and a digital signature with polynomials of few variables, based on vector exponentiation|
    [返回顶部]