Patent Application
20150055777
1. Technical Field
The present invention relates to the field of information security, and in particular, to a cryptogram technology for establishing public key cryptographic protocols against the quantum computational attack.
2. Related Art
The verification for a real identity of a person who sends and receives information, and the non-repudiation of the sentreceived information after the information is sent or received and the guarantee of the integrity of data are two important issues about the theme of modern cryptography.
Disclosure of a key cryptogram system presents excellent answers to the issues of the two aspects, and more new ideas and solutions are being generated continually. In a public key system, an encryption key is different from a decryption key. People bring an encryption key to public, so that anyone can use the encryption key; but a decryption key is only known by a person performing decryption. In modern periods, the security of a public key cryptosystem is almost based on two categories of mathematic problems that are considered to be difficult to compute, a first category being a decomposition problem of a big prime number, for example, an RSA algorithm; and a second category being a discrete logarithm problem, for example, a key exchange algorithm of Diffie-Hellman, an El Gamal algorithm, an elliptic curve public key cryptographic algorithm (ECC for short), and the like.
In order to solve a problem that a hidden trouble exists in identity verification and security of data guarantee based on an existing public key cryptographic protocol, an objective of the present invention is to establish public key cryptographic protocols technology capable of resisting various known attacks, and provide various application protocols on this basis.
One manner for implementing the objective of the present invention is: a method of establishing public key cryptographic protocols against the quantum computational attack, which includes a method for generating a shared key. The method for generating a shared key is also referred to as generating a shared key protocol, and the method for generating a shared key includes the following steps:
(11) establishing an infinite non-abelian group G and two subgroups A and B of G, so that for any a∈A and any b∈B, the equation ab=ba is true;
(12) choosing, by a first entity of a protocol, an element g in G, where the first entity of the protocol chooses two elements b1, b2∈A as private keys, and a second entity of the protocol chooses two elements d1, d2∈B as private keys;
(13) choosing, by the second entity of the protocol, two elements c1, c2∈B, computing y=d1c1gc2d2, and sending y to the first entity of the protocol;
(14) choosing, by the first entity of the protocol, four elements a1, a2, b3, b4∈A, computing
x=b1a1ga2b2 and z=b3a1ya2b4=b3a1d1c1gc2d2a2b4,
and sending (x, z) to the second entity of the protocol;
(15) choosing, by the second entity of the protocol, two elements d3, d2∈B, computing
w=d3c1xc2d4=d3c1b1a1ga2b2c2d4
and
v=d11zd21=d11b3a1d1c1gc2d2a2b4d21=b3a1c1gc2a2b4
and sending (w, v) to the first entity of the protocol;
(16) computing, by the first entity of the protocol,
u=b1−1wb2−1=b1−1d3c1a1ga2b2c2d4b2−1=d3c1a1ga2c2d4,
and sending u to the second entity of the protocol; and
(17) computing, by the first entity of the protocol, KA=b3−1vb4−1=a1c1gc2a2, and computing, by the second entity of the protocol, KB=d3−1ud4−1=c1a1ga2c2;
because a1, a2∈A, and c1, c2∈B, a1 and c1 are separately commute with a2 and c2 in multiplication, so that the first entity of the protocol and the second entity of the protocol reach a shared key K=KA=KB.
In the present invention, an algebra system in which an unsolvable problem exists is first established theoretically, and second, the unsolvability of the problem is used as security guarantee to establish a public key cryptographic algorithm. The security of the algorithm and the equivalence of the unsolvable problem of the present invention prove that the present invention is immune to the quantum computational attack and the like. Because the method of establishing public key cryptographic protocols of the present invention uses an unsolvable decision problem as the security guarantee, the method is powerfully guaranteed both theoretically and in an actual application aspect, and compared with the prior art, has the following advantages:
1. The security guarantee of a built public key cryptographic algorithm relies on the unsolvability of the problem rather than the computation difficulty of the problem, (a classic public key cryptographic algorithm is based on the computation difficulty);
2. That the security of the public key cryptographic algorithm of the present invention is equivalent to the unsolvability of the problem on which the public key cryptographic algorithm relies has been proved mathematically;
3. The public key cryptographic algorithm of the present invention resists the quantum computational attack.
The following further describes in detail establishment of public key cryptographic protocols against the quantum computational attack according to the present invention with reference to embodiments.
1. A Platform for Establishing Public Key Cryptographic Protocols
A platform for establishing all public key cryptographic protocols is an infinite non-abelian group G and two subgroups A and B of G, so that for any a∈A and any b∈B, the equation ab=ba is true. In addition, because of demands of encoding and key generating, G must further satisfy the following conditions:
1) Any word in terms of generators of G representing an element of G has an unique computable normal form;
2) G at least is in exponential growth, that is, the number of elements whose word length is a positive integer n in G is confined to an exponential function about n;
3) Multiplication and inversion of a group based on the normal form is computable.
Therefore, a braid group Bn with n≧12 is taken as the infinite non-abelian group G, where Bn has the foregoing properties and is a group defined by the following presentation:
B
n=σ1, σ2, . . . , σn−1|σ1σj=σjσ1, |i−j|≧2, σ1σ1+1σ1=σ1+1σ1σ1+1, 1≦i≦n−2
,
the braid group Bn contains the following two subgroups:
let m=└n/2┘ be a maximum integer not greater than n/2, and a left braid LBn and a right braid RBn of the braid group Bn separately are
LBn=σ1, σ2, . . . , σm−1
and RBn=
σm+1, σm+2, . . . , σn−1
that is, separately are subgroups generated by σ1, σ2, . . . , σm−1 and σm+1, σm+2, . . . , σn−1, and for any a∈ LBn and any be RBn, ab=ba is true.
When n≧12, LBn and RBn separately contain a subgroup isomorphic to the direct product of F2×F2, that is, two free groups with ranks being 2:
IA=σm−52, σm−42, σm−22, σm−12
≦LBn
and
RA=σm+12, σm+22, σm+42, σm+52,
≦RBn,
and then a finite presentation group H whose word problem is unsolvable and that is generated by two elements constructs a Mihailova subgroup MLA(H) of LA and a Mihailova subgroup MRA(H) of RA again; the following is 56 generators of MLA(H), where i=m−5; and when i=m+1, 56 generators of MRA(H) can be obtained:
σi2σi+32, σi+12σi+42, Sij, Tij, j=1, 2, . . . , 27
and 27 Sus are (all (7,s in the following each Su are replaced with (7,3s, and all 6,+1s are replaced with 6+4s to obtain corresponding 27 To, where j=1, 2, . . . , 27):
2. An Embodiment for Establishing Core Protocol 1 of Public Key Cryptographic Protocols System:
In this embodiment, two entities of the protocol are separately Alice and Bob,
1) Alice and Bob jointly choose an element g in Bn, Alice chooses two elements b1, b2∈LBn as private keys, and Bob chooses two elements d1, d2∈RBn as private keys;
2) Bob chooses two elements c1, c2∈RBn, computes y=d1c1gc2d2, and sends y to Alice;
3) Alice chooses four elements a1, a2, b3, b4∈LBn, computes
x=b
1a1ga2b2 and z=b3a1ya2b4=b3a1d1c1gc2d2a2b4,
and sends (x, z) to Bob;
4) Bob chooses two elements d3, d4∈RBn, computes
w=d3c1xc2d4=d3c1b1a1ga2b2c2d4
and
v=d
1
−1
zd
2
1
=d
1
−1
b
3
a
1
d
1
c
1
gc
2
d
2
a
2
b
4
d
2
−1
=b
3
a
1
c
1
gc
2
a
2
b
4,
and sends (w, v) to Alice; and
5) Alice computes
u=b
1
−1
wb
2
−1
=b
1
−1
=d
3
c
1
b
1
a
1
ga
2
b
2
c
2
d
4
b
2
−1
=d
3
c
1
a
1
ga
2
c
2
d
4,
u=b1−1wb2−1=b1−1d3c1b1a1ga2b2c2d4b2−1=d3c1a1ga2c2d4,
and sends u to Bob,
In step 4) of the foregoing protocol, because d1, d2∈RBn, and a1, a2, b3, b4∈LBn, d1−1 and d2−1 separately commute with b3 and a1 and with b4 and a2 in multiplication, so that a final equation in the step is obtained. Likewise, a final equation in step 5) is obtained.
On the basis of this embodiment, an exemplary embodiment for establishing a key exchange protocol is:
The following procedures are performed after the five steps in the core protocol:
6) Alice computes KA=b3−1vb4−1=a1c1gc2a2 and Bob computes KB=d3−1ud4−1=c1a1ga2c2.
Because a1, a2∈LBn, and c1, c2∈RBn, a1 and c1 separately commute with a2 and c2 in multiplication, so that Alice and Bob reach a shared key K=KA=KB.
On the Basis of this Embodiment, an Exemplary Embodiment for Establishing a Data Encryption Protocol is:
It is given that to-be-encrypted plaintext information (encoded) is m∈ {0, 1}k (that is, a 0-1 string with a length of k), and it is given that Θ: BnΔ{0, 1}k is a collision-resistant Hash function from the group Bn to a plaintext space {0, 1}k. The private keys of Alice are (Bn, LBn, RBn, g, Θ), and a1, a2, b1, b2, b3, b4∈LBn are chosen, and the private keys are b1 and b2. Bob chooses c1, c2, d1, d2, d3, d4∈RBn, and uses d1 and d2 as the private keys. The following procedures are performed after the five steps in the core protocol:
6) Encrypting: Bob first computes KB=d3−1ud4−1=c1a1ga2c2, then computes (encrypts) t=Θ(KB)⊕m, uses t as ciphertext, and sends the ciphertext to Alice. ⊕ herein is the exclusive or operation.
7) Decrypting: Alice first computes KA=b3−1vb4−1=a1c1gc2a2, then computes (decrypts)
m′=Θ(KA)⊕t=Θ(KA)⊕(Θ(KB)⊕m)
verification of m′=m: KA=KB is known according to a key exchange protocol, and therefore,
m′=Θ(KA)⊕(Θ(KB)⊕m)=Θ(KB)⊕(Θ(KB)⊕m)=(Θ(KB)⊕Θ(KB))⊕m=m.
On the Basis of this Embodiment, an Exemplary Embodiment for Establishing a Digital Signature Protocol is:
It is given that to-be-encrypted plaintext information (encoded) is m, and it is given that Θ: Bn→{0, 1}k is a collision-resistant Hash function. The public keys of Alice are (Bn, LBn, RBn, g, Θ), and a1, a2, b1, b2, b3, b4∈LBn are chosen, and the private keys are b1 and b2. Bob chooses c1, c2, d1, d2, d3, d4∈RBn, and uses d1 and d2 as the private keys. The following procedures are performed after the five steps in the core protocol:
6) Signing: Alice computes KA=b3−1vb4−1=a1c1gc2a2 and S=Θ(mKA), and Alice uses S as a signature of Alice for a file m and sends (S, m) to Bob.
7) Verifying: Bob computes KB=d3−1ud4−1=c1a1ga2c2 and S′=Θ(mKB), and if S′=S, Bob acknowledges that S is the signature of Alice for the file m; otherwise, Bob refuses to accept that S is the signature of Alice for the file m.
On the Basis of this Embodiment, an Exemplary Embodiment for an Identity Authentication Protocol on the Basis of the Core Protocol is:
Alice chooses an element g in Bn, four elements a1, a2, b1, b2∈LBn and a collision-resistant Hash function Θ: Bn→{0, 1}k, and computes x=b1a1ga2b2. The public keys of Alice are (Bn, LBn, RBn, g, x, Θ), and the private keys are b1 and b2.
An authentication process is:
It is given that Alice is a prover and Bob is a verifier.
1) Bob chooses six elements c1, c2, d1, d2, d3, d4∈RBn, the private keys are d1 and d2. Bob computes
y=d1c1gc2d2 and w=d3c1xc2d4,
uses (y, w) as challenge 1, and sends the challenge 1 to Alice;
2) Alice chooses two elements b3, b4∈LBn, computes
z=b3a1ya2b4 and u=b11=d3c1a1ga2c2d4,
uses (z, u) as a response, and sends the response to Bob;
3) Bob computes v=d1−1zd2−1=b3a1c1gc2a2b4, uses v as challenge 2, and sends the challenge 2 to Alice;
4) Alice computes t=Θ(b3−1vb4−1 1)=Θ(a1c1gc2a2), uses t as a commitment, and sends the commitment to Bob;
5) Bob computes t′=Θ(d3−1ud4−1)=Θ(c1a1ga2c2), and verifies whether t=t′,
and if t=t′, Bob acknowledges an identity of Alice; otherwise, Bob refuses to acknowledge the identity.
3. An Embodiment for Establishing Core Protocol 2 of Public Key Cryptographic Protocols System:
In this embodiment, two entities of the protocol are separately Alice and Bob,
1.1) Alice and Bob jointly choose an element g in Bn, Alice chooses two elements b1∈LBn and d2∈RBn as private keys, and Bob chooses two elements b2∈LBn and d1∈RBn as private keys;
2.1) Bob chooses two elements a2∈LBn and c1∈RBn, computes y=d1c1ga2b2, and sends y to Alice;
3.1) Alice chooses four elements a1, b4∈LBn and c2, d4∈RBn, computes
x=b1a1gc2d2 and z=b4a1yc2d4=b4a1d1c1ga2b2c2d4,
and sends (x, z) to Bob;
4.1) Bob chooses two elements b3∈LBn and d3∈RBn, computes
w=d3c1xa2b3=d3c1b1a1gc2d2a2b3
and
v=d
1
−1
zb
2
−1
=d
1
−1
b
4
a
1
d
1
c
1
ga
2
b
2
c
2
d
4
b
2
−1
=b
4
a
1
c
1
ga
2
c
2
d
4,
and sends (w, v) to Alice; and
5.1) Alice computes
u=b
1
−1
wd
2
−1
=b
1
−1
d
3
c
1
b
1
a
1
gc
2
d
2
a
2
b
3
d
2
−1
=d
3
c
1
a
1
gc
2
a
2
b
3,
and sends u to Bob;
In step 4) of the foregoing protocol, because d1, d2∈RBn and a1, a2, b3, b4∈LBn, d1−1, d2−1 separately commute with b3 and a1, and with b4 and a2 in multiplication, so that a final equation in the step is obtained. Likewise, a final equation in step 5) is obtained.
3.3 An application protocol
The following application protocol is established on the basis of the core protocol.
On the Basis of this Embodiment, an Exemplary Embodiment for Establishing a Key Exchange Protocol is:
the following procedures are performed after the five steps in the core protocol:
6.1) Alice computes KA=b41vd41=a1c1ga2c2 and Bob computes KB=d31=c1a1gc2a2.
Because a1, a2∈LBn, and c1, c2∈RBn, a1 and c1 are separately commute with a2 and c2 in multiplication, so that Alice and Bob reach a shared key K=KA=KB.
On the Basis of this Embodiment, an Exemplary Embodiment for Establishing a Data Encryption Protocol is:
It is given that to-be-encrypted plaintext information (encoded) is m∈{0, 1}k (that is, a 0-1 string with a length of k), and it is given that Θ: Bn→{0, 1}k is a collision-resistant Hash function from the group Bn to a plaintext space {0, 1}k. The public keys of Alice are (Bn, LBn, RBn, g, Θ), a1, b1, b4∈LBn and c2, d2, d4∈RBn are chosen, and the private keys are b1 and d2. Bob chooses a2, b2, b3∈LBn and c1, d1, d3∈RBn, and uses d1 and b2 as the private keys. The following procedures are performed after the five steps in the core protocol:
6.1) Encrypting: Bob first computes KB=d3−2ub3−1=c1a1gc2a2, then computes (encrypts) t=Θ(KB)⊕m, uses t as ciphertext, and sends the ciphertext to Alice. ⊕ herein is the exclusive or operation.
7.1) Decrypting: Alice first computes KA=b4−1vd4−1=a1c1ga2c2, then computes (decrypts)
m′=(KA)⊕t=Θ(KA)⊕(Θ(KB)⊕m)
verification of m′=m: KA=KB is known according to a key exchange protocol, and therefore,
m′=Θ(KA)⊕(Θ(KB)⊕m)=Θ(KB)⊕(Θ(KB)⊕m)=(Θ(KB)⊕Θ(KB))⊕m=m.
On the Basis of this Embodiment, an Exemplary Embodiment for Establishing a Digital Signature Protocol is:
It is given that to-be-encrypted plaintext information (encoded) is m, and it is given that Θ: Bn→{0, 1}k is a collision-resistant Hash function. The public keys of Alice are (Bn, LBn, RBn, g, Θ), a1, b1, b4∈LBn and c2, d2, d4 ∈RBn are chosen, and the private keys are b1 and d2. Bob chooses a2, b2, b3∈LBn and c1, d1, d3∈RBn, and uses d1 and b2 as the private keys. The following procedures are performed after the five steps in the core protocol:
6.1) Signing: Alice computes KA=b4−1vd4−1=a1c1ga2c2 and S=Θ(mKA), and Alice uses S as a signature of Alice for a file m and sends (S, m) to Bob.
6.2) Verifying: Bob computes KB=d3−1ub3−1=c1a1gc2a2 and S′=Θ(mKB), and if S′=S, Bob acknowledges that S is the signature of Alice for the file m; otherwise, Bob refuses to accept that S is the signature of Alice for the file m.
On the Basis of this Embodiment, an Exemplary Embodiment for an Identity Authentication Protocol on the Basis of the Core Protocol is:
Alice chooses an element g in Bn, four elements a1, b1∈LBn and c2, d2∈RBn, and a collision-resistant Hash function Θ: Bn→{0, 1}k, and computes x=b1a1gc2d2. The public keys of Alice are (Ba, LBn, RBn, g, x, Θ), and the private keys are b1 and d2.
An authentication process is:
It is given that Alice is a prover and Bob is a verifier.
6.1) Bob chooses six elements c1, d1, d3∈RBn and a2, b2, b3∈LBn, and the private keys are b2 and d1. Bob computes
y=d1c1ga2b2 and w=d3c1xa2b3,
uses (y, w) as challenge 1, and sends the challenge 1 to Alice;
6.2) Alice chooses two elements b4∈LBn and d4∈RBn, computes
z=b4a1yc2d4 and u=b1−1wd2−1=d3c1a1gc2a2b3,
uses (z, u) as a response, and sends the response to Bob;
6.3) Bob computes v=d1−1zb2−1=b4a1c1ga2c2d4, uses v as challenge 2, and sends the challenge 2 to Alice;
6.4) Alice computes t=Θ(b4−1vd4−1)=Θ(a1c1ga2c2), uses t as a commitment, and sends the commitment to Bob;
6.5) Bob computes t′=(d3−1ub3−1)=Θ(c1a1gc2a2), and verifies whether t=t′, and if t=t′, Bob acknowledges an identity of Alice; otherwise, Bob refuses to acknowledge the identity.
4. Security Analysis
We may only provide the security of a key exchange protocol.
First, definitions of three determining problems of a group are provided.
a subgroup membership problem (subgroup membership problem or generalized word problem, GWP for short): given a subgroup H whose generator set is X in group G, whether any element g in G can be represented by a word on Xis determined, that is, whether g is an element in H is determined.
an element decomposition search problem (decomposition search problem, DSP for short): given that g and h are two elements in group G. It is known that two elements c and d exist in G, so that h=cgd. Decide whether two elements c′ and d′ in G can be obtained, so that h=c′gd′
a generalized element decomposition search problem (generalized decomposition search problem, GDSP for short): given that g and h are two elements in group G, and H and K are two subgroups in G. It is known that an element c of H and an element d of K exist, so that h=cgd. Decide whether an element c′ of H and an element d′ of K can be obtained, so that h=c′gd′.
The DSP can be solved easily by letting c′=g−1 and d′=h. The decidability of the GDSP is not determined. However, for a decomposition equation h=cgd (c and d are unknown) in an infinite non-abelian group, it is impossible to certainly solve c and d. Because people do not know values of c and d, even if they enable h=c′gd′ by using so-called “solutions” c′ and d′ which are obtained through computation by solving the GDSP problem, they also cannot determine whether c′=c and d′=d. Particularly, if c and d are separately taken from subgroups C and D with an unsolvable GWP problem, a solver not only cannot determine whether c′=c and d′=d, but also cannot determine whether c′ and d′ respectively are elements in C and D.
In core protocol 1, information that can be acquired by an attacker Eve by using disclosed information and an interactive process with Alice and Bob is as follows:
an infinite non-abelian group G and two subgroups A and B in G, so that for any α∈A and any b∈B, ab=ba is true, an element g in G, and the following elements in G:
y=d1c1gc2d2, x=b1a1ga2b2, z=b3a1d1c1gc2d2a2b4, w=d3c1b1a1ga2b2c2d4, and
v=b3a1c1gc2a2b4 and u=d3c1a1ga2c2d4
It should be noted that Eve only knows x, y, z, w, u and v, but does not know corresponding decomposition expressions. If Eve can obtain c1′, c2′∈B, and a1′, a2′∈A by solving the GDSP problem, so that a1′ga2′=a1ga2 and c1′gc2′=c1gc2, according to the multiplication commutativity of elements in A and B, it is obtained that
c1′a1′ga2′c2′=c1′a1ga2c1′=a1c1′gc2′a2=a1c1gc2a2=K
and therefore, Eve needs to first obtain elements a1ga2 and c1gc2.
Because Eve does not know a1ga2 and c1gc2, she cannot strip b1 and b2 from x to obtain a1ga2, or strip d1 and d2 from y to obtain c1gc2. Eve knows w=b1ub2 and z=d1vd2 (but does not know b1 and b2, and d1 and d2). Now, even if Eve can solve the GDSP problem, to obtain b1′, b2′ ∈A, and d1′, d2′ ∈B, so that b1ub2′=b1ub2 and d1′vd2′=d1vd2, she also cannot determine b1′=b1, b2′=b2, and d1′=d1, d2′=d2. Therefore, Eve still cannot strip b1 and b2 from x to obtain a1ga2, or strip d1 and d2 from y to obtain c1gc2.
Particularly, in a specific implementation solution, a braid group B, with Tz12 is taken as an infinite non-abelian group G, subgroups LBn and RBn of B, are taken as A and B respectively, and private keys b1 and b2, and private keys d1 and d2 are respectively chosen from a Mihailova subgroup MLA(H) of LBn and a Mihailova subgroup MRA(H) of RBn. In the foregoing attack of Eve, she obtains b1′, b2′∈LBn and d1′, d2′∈RBn by solving the GDSP problem, so that b1′ub2′=b1ub2 and d1′vd2′=d1vd2. She must determine b1′=b1, b2′=b2 and d1′=d1, d2′=d2. Because b1, b2EMM(H) and d1, d2 EMRA(H), she must first determine whether b1′, b2′∈MLA(H), and whether d1′, d2′ ∈MRA(H). However, the GWP problems of MLA(H) and MRA(H) are unsolvable, so that Eve cannot carry out an attack even if she uses a quantum computational system.
In core protocol 2, information that can be acquired by an attacker Eve by using disclosed information and an interactive process with Alice and Bob is as follows:
an infinite non-abelian group G and two subgroups A and B in G, so that for any a∈A and any b∈B, ab=ba is true, an element g in G, and the following elements in G:
y=cl1c1ga2b2, x=b1a1gc2d2, z=b4a1d1c1ga2b2c2d4, w=d3c1b1a1gc2d2a2b3,
and
v=b4a1c1ga2c2d4 and u=d3c1a1gc2a2b3
It should be noted that, Eve only knows x, y, z, w, u, and v, but does not know corresponding decomposition expressions. If Eve can obtain c1′, c2′∈B, and a1′, a2′∈A by solving the GDSP problem, so that a1′gc2′=a1gc2 and c1′ga2′=c1ga2, according to the multiplication commutativity of elements in A and B, it is obtained that
c
1′a1′gc2′a2′=c1′a1gc2c1′=a1c1′ga2′c2=a1c1ga2c2=K
and therefore, Eve needs to first obtain elements a1gc2 and c1ga2.
Because Eve does not know a1gc2 and c1ga2, she cannot strip b1 and d2 from x to obtain a1gc2, or strip d1 and b2 from y to obtain c1ga2. Eve knows w=b1ud2 and z=d1vb2 (but does not know b1 and b2, and d1 and d2). Now, even if Eve can solve the GDSP problem, to obtain b1′, b2′∈A, and d1′, d2′∈B, so that b1′ud2′=b1ud2 and d1′vb2′=d1vb2, she also cannot determine b1′=b1, b2′=b2 and d1′=d1, d2′=d2. Therefore, Eve still cannot strip b1 and d2 from x to obtain a1gc2, or strip d1 and b2 from y to obtain c1ga2.
Particularly, in a specific implementation solution, a braid group B, with i,12 is taken as an infinite non-abelian group G, subgroups LBn and RBn of Bn are taken as A and B respectively, and private keys b1 and b2, and private keys d1 and d2 are respectively chosen from a Mihailova subgroup MLA(H) of LB, and a Mihailova subgroup MRA(H) of RBn. In the foregoing attack of Eve, she obtains b1′, b2′ ∈LBn and d1′, d2′∈RBn by solving the GDSP problem, so that b1′ud2′=b1ud2 and d1′vb2′=d1vb2. She must determine b1′=b1, b2′=b2 and d1′=d1, d2′=d2. Because b1, b2∈ MRA(H) and d1, d2E MRA(H), she must first determine whether b1′, b2′∈MLA(H), and whether d1′, d2′∈MRA(H). However, the GWP problems of MLA(H) and MRA(H) are unsolvable, so that Eve cannot carry out an attack even if she uses a quantum computational system.
5. Choosing of a Parameter
In an exemplary embodiment, a braid group B, has an exponent of n≧12, subgroups in each protocol are A=LBn and B=RBn, choosing of a1, a2, c1, and c2 needs to satisfy that their product a1a2c1c2 is not less than 256 bits, each of private keys b1, b2, d1 and d2 is not less than 256 bits, and each of protection layer elements b3, b4, d3, and d4 is not less than 128 bits.
It is particularly pointed out that, to resist the quantum computational attack, it is suggested that private keys b1 and b2, and d1 and d2 be respectively chosen from Mihailova subgroups MLA(H) and MRA(H) of the braid group Bn. Therefore, because of the unsolvability of the GWP of MLA(H) and MRA(H), as described in the security analysis, even if a quantum computational system is used, b1 and b2, and d1 and d2 also cannot be attacked.
The foregoing describes the method of establishing public key cryptographic protocols against the quantum computational attack according to the present invention, so as to help to understand the present invention. However, the implementation manners of the present invention are not limited by the foregoing embodiments, any variation, modification, replacement, combination, and simplification made without departing from the principle of the present invention shall be an equivalent replacement manner and fall within the protection scope of the present invention.
| Number | Date | Country | Kind |
|---|---|---|---|
| 201310382299.7 | Aug 2013 | CN | national |
This application claims priority of Chinese patent application No. 201310382299.7 filed on Aug. 21, 2013, the entire content of which are hereby incorporated by reference.
