Network Working Group                                           X. Boyen
Request for Comments: 5091                                     L. Martin
Category: Informational                                 Voltage Security
                                                           December 2007
        
Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

IESG Note

This document specifies two mathematical algorithms for identity based encryption (IBE). Due to its specialized nature, this document experienced limited review within the IETF. Readers of this RFC should carefully evaluate its value for implementation and deployment.

Abstract

This document describes the algorithms that implement Boneh-Franklin (BF) and Boneh-Boyen (BB1) Identity-based Encryption. This document is in part based on IBCS #1 v2 of Voltage Security's Identity-based Cryptography Standards (IBCS) documents, from which some irrelevant sections have been removed to create the content of this document.

Table of Contents

   1. Introduction ....................................................4
      1.1. Sending a Message That Is Encrypted Using IBE ..............5
           1.1.1. Sender Obtains Recipient's Public Parameters ........6
           1.1.2. Construct and Send an IBE-Encrypted Message .........6
      1.2. Receiving and Viewing an IBE-Encrypted Message .............7
           1.2.1. Recipient Obtains Public Parameters from PPS ........8
           1.2.2. Recipient Obtains IBE Private Key from PKG ..........8
           1.2.3. Recipient Decrypts IBE-Encrypted Message ............9
   2. Notation and Definitions ........................................9
      2.1. Notation ...................................................9
      2.2. Definitions ...............................................12
   3. Basic Elliptic Curve Algorithms ................................12
      3.1. The Group Action in Affine Coordinates ....................13
           3.1.1. Implementation for Type-1 Curves ...................13
      3.2. Point Multiplication ......................................14
      3.3. Operations in Jacobian Projective Coordinates .............17
           3.3.1. Implementation for Type-1 Curves ...................17
      3.4. Divisors on Elliptic Curves ...............................19
           3.4.1. Implementation in F_p^2 for Type-1 Curves ..........19
      3.5. The Tate Pairing ..........................................21
           3.5.1. Tate Pairing Calculation ...........................21
           3.5.2. The Miller Algorithm for Type-1 Curves .............21
   4. Supporting Algorithms ..........................................24
      4.1. Integer Range Hashing .....................................24
           4.1.1. Hashing to an Integer Range ........................24
      4.2. Pseudo-Random Byte Generation by Hashing ..................25
           4.2.1. Keyed Pseudo-Random Bytes Generator ................25
      4.3. Canonical Encodings of Extension Field Elements ...........26
           4.3.1. Encoding an Extension Element as a String ..........26
           4.3.2. Type-1 Curve Implementation ........................27
      4.4. Hashing onto a Subgroup of an Elliptic Curve ..............28
           4.4.1. Hashing a String onto a Subgroup of an
                  Elliptic Curve .....................................28
           4.4.2. Type-1 Curve Implementation ........................29
      4.5. Bilinear Mapping ..........................................29
           4.5.1. Regular or Modified Tate Pairing ...................29
           4.5.2. Type-1 Curve Implementation ........................30
      4.6. Ratio of Bilinear Pairings ................................31
           4.6.1. Ratio of Regular or Modified Tate Pairings .........31
           4.6.2. Type-1 Curve Implementation ........................32
   5. The Boneh-Franklin BF Cryptosystem .............................32
      5.1. Setup .....................................................32
           5.1.1. Master Secret and Public Parameter Generation ......32
           5.1.2. Type-1 Curve Implementation ........................33
      5.2. Public Key Derivation .....................................34
           5.2.1. Public Key Derivation from an Identity and
                  Public Parameters ..................................34
      5.3. Private Key Extraction ....................................35
           5.3.1. Private Key Extraction from an Identity, a
                  Set of Public ......................................35
      5.4. Encryption ................................................36
           5.4.1. Encrypt a Session Key Using an Identity and
                  Public Parameters ..................................36
      5.5. Decryption ................................................37
           5.5.1. Decrypt an Encrypted Session Key Using
                  Public Parameters, a Private Key ...................37
   6. The Boneh-Boyen BB1 Cryptosystem ...............................38
      6.1. Setup .....................................................38
           6.1.1. Generate a Master Secret and Public Parameters .....38
           6.1.2. Type-1 Curve Implementation ........................39
      6.2. Public Key Derivation .....................................41
           6.2.1. Derive a Public Key from an Identity and
                  Public Parameters ..................................41
      6.3. Private Key Extraction ....................................41
           6.3.1. Extract a Private Key from an Identity,
                  Public Parameters and a Master Secret ..............41
      6.4. Encryption ................................................42
           6.4.1. Encrypt a Session Key Using an Identity and
                  Public Parameters ..................................42
      6.5. Decryption ................................................45
           6.5.1. Decrypt Using Public Parameters and Private Key ....45
   7. Test Data ......................................................47
      7.1. Algorithm 3.2.2 (PointMultiply) ...........................47
      7.2. Algorithm 4.1.1 (HashToRange) .............................48
      7.3. Algorithm 4.5.1 (Pairing) .................................48
      7.4. Algorithm 5.2.1 (BFderivePubl) ............................49
      7.5. Algorithm 5.3.1 (BFextractPriv) ...........................49
      7.6. Algorithm 5.4.1 (BFencrypt) ...............................50
      7.7. Algorithm 6.3.1 (BBextractPriv) ...........................51
      7.8. Algorithm 6.4.1 (BBencrypt) ...............................52
   8. ASN.1 Module ...................................................53
   9. Security Considerations ........................................58
   10. Acknowledgments ...............................................60
   11. References ....................................................60
      11.1. Normative References .....................................60
      11.2. Informative References ...................................60
        
1. Introduction

This document provides a set of specifications for implementing identity-based encryption (IBE) systems based on bilinear pairings. Two cryptosystems are described: the IBE system proposed by Boneh and Franklin (BF) [BF], and the IBE system proposed by Boneh and Boyen (BB1) [BB1]. Fully secure and practical implementations are described for each system, comprising the core IBE algorithms as well as ancillary hybrid components used to achieve security against active attacks. These specifications are restricted to a family of supersingular elliptic curves over finite fields of large prime characteristic, referred to as "type-1" curves (see Section 2.1). Implementations based on other types of curves currently fall outside the scope of this document.

IBE is a public-key technology, but one which varies from other public-key technologies in a slight, yet significant way. In particular, IBE keys are calculated instead of being generated randomly, which leads to a different architecture for a system using IBE than for a system using other public-key technologies. An overview of these differences and how a system using IBE works is given in [IBEARCH].

Identity-based encryption (IBE) is a public-key encryption technology that allows a public key to be calculated from an identity, and the corresponding private key to be calculated from the public key. Calculation of both the public and private keys in an IBE-based system can occur as needed, resulting in just-in-time key material. This contrasts with other public-key systems [P1363], in which keys are generated randomly and distributed prior to secure communication commencing. The ability to calculate a recipient's public key, in particular, eliminates the need for the sender and receiver in an IBE-based messaging system to interact with each other, either directly or through a proxy such as a directory server, before sending secure messages.

This document describes an IBE-based messaging system and how the components of the system work together. The components required for a complete IBE messaging system are the following:

o a Private-key Generator (PKG). The PKG contains the cryptographic material, known as a master secret, for generating an individual's IBE private key. A PKG accepts an IBE user's private key request, and after successfully authenticating them in some way, returns the IBE private key.

o a Public Parameter Server (PPS). IBE System Parameters include publicly sharable cryptographic material, known as IBE public parameters, and policy information for the PKG. A PPS provides a well-known location for secure distribution of IBE public parameters and policy information for the IBE PKG.

A logical architecture would be to have a PKG/PPS per name space, such as a DNS zone. The organization that controls the DNS zone would also control the PKG/PPS and thus the determination of which PKG/PPS to use when creating public and private keys for the organization's members. In this case the PPS URI can be uniquely created by the form of the identity that it supports. This architecture would make it clear which set of public parameters to use and where to retrieve them for a given identity.

IBE-encrypted messages can use standard message formats, such as the Cryptographic Message Syntax (CMS) [CMS]. How to use IBE with CMS is described in [IBECMS].

Note that IBE algorithms are used only for encryption, so if digital signatures are required, they will need to be provided by an additional mechanism.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].

1.1. Sending a Message That Is Encrypted Using IBE

In order to send an encrypted message, an IBE user must perform the following steps:

1. Obtain the recipient's public parameters.

The recipient's IBE public parameters allow the creation of unique public and private keys. A user of an IBE system is capable of calculating the public key of a recipient after he obtains the public parameters for their IBE system. Once the public parameters are obtained, IBE-encrypted messages can be sent.

2. Construct and send an IBE-encrypted message.

All that is needed, in addition to the IBE public parameters, is the recipient's identity in order to generate their public key for use in encrypting messages to them. When this identity is the same as the identity that a message would be addressed to, then no more information is needed from a user to send someone a secure message than is needed to send them an unsecured message. This is one of the major benefits of an IBE-based secure messaging system. Examples of identities can be an individual, group, or role identifiers.

1.1.1. Sender Obtains Recipient's Public Parameters

The sender of a message obtains the IBE public parameters that he needs for calculating the IBE public key of the recipient from a PPS that is hosted at a well-known URI. The IBE public parameters contain all of the information that the sender needs to create an IBE-encrypted message except for the identity of the recipient. [IBEARCH] describes the URI where a PPS is located, the format of IBE public parameters, and how to obtain them. The URI from which users obtain IBE public parameters MUST be authenticated in some way; PPS servers MUST support Transport Layer Security (TLS) 1.1 [TLS] to satisfy this requirement and MUST verify that the subject name in the server certificate matches the URI of the PPS. [IBEARCH] also describes the way in which identity formats are defined and a minimum interoperable format that all PPSs and PKGs MUST support. This step is shown below in Figure 1.

                  IBE Public Parameter Request
                 ----------------------------->
          Sender                                PPS
                 <-----------------------------
                      IBE Public Parameters
        
Figure 1. Requesting IBE Public Parameters

The sender of an IBE-encrypted message selects the PPS and corresponding PKG based on his local security policy. Different PPSs may provide public parameters that specify different IBE algorithms or different key strengths, for example, or require the use of PKGs that require different levels of authentication before granting IBE private keys.

1.1.2. Construct and Send an IBE-Encrypted Message

To IBE-encrypt a message, the sender chooses a content encryption key (CEK) and uses it to encrypt his message and then encrypts the CEK with the recipient's IBE public key (for example, as described in [CMS]). This operation is shown below in Figure 2. This document describes the algorithms needed to implement two forms of IBE. [IBECMS] describes how to use the Cryptographic Message Syntax (CMS) to encapsulate the encrypted message along with the IBE information that the recipient needs to decrypt the message.

                  CEK ----> Sender ----> IBE-encrypted CEK
                              ^
                              |
                              |
                Recipient's Identity and IBE Public Parameters

Figure 2. Using an IBE Public-Key Algorithm to Encrypt

1.2. Receiving and Viewing an IBE-Encrypted Message

In order to read an encrypted message, a recipient of an IBE-encrypted message parses the message (for example, as described in [IBECMS]). This gives him the URI he needs to obtain the IBE public parameters required to perform IBE calculations as well as the identity that was used to encrypt the message. Next, the recipient must carry out the following steps:

1. Obtain the recipient's public parameters.

An IBE system's public parameters allow it to uniquely create public and private keys. The recipient of an IBE-encrypted message can decrypt an IBE-encrypted message if he has both the IBE public parameters and the necessary IBE private key. The PPS can also provide the URI of the PKG where the recipient of an IBE-encrypted message can obtain the IBE private keys.

2. Obtain the IBE private key from the PKG.

To decrypt an IBE-encrypted message, in addition to the IBE public parameters, the recipient needs to obtain the private key that corresponds to the public key that the sender used. The IBE private key is obtained after successfully authenticating to a private key generator (PKG), a trusted third party that calculates private keys for users. The recipient receives the IBE private key over an HTTPS connection. The URI of a PKG MUST be authenticated in some way; PKG servers MUST support TLS 1.1 [TLS] to satisfy this requirement.

3. Decrypt the IBE-encrypted message.

The IBE private key decrypts the CEK, which is then used to decrypt the encrypted message.

The PKG may allow users other than the intended recipient to receive some IBE private keys. Giving a mail filtering appliance permission to obtain IBE private keys on behalf of users, for example, can allow the appliance to decrypt and scan encrypted messages for viruses or other malicious features.

1.2.1. Recipient Obtains Public Parameters from PPS

Before he can perform any IBE calculations related to the message that he has received, the recipient of an IBE-encrypted message needs to obtain the IBE public parameters that were used in the encryption operation. This operation is shown below in Figure 3.

                 IBE Public Parameter Request
                ----------------------------->
      Recipient                                PPS
                <-----------------------------
                     IBE Public Parameters
        
Figure 3. Requesting IBE Public Parameters

1.2.2. Recipient Obtains IBE Private Key from PKG

To obtain an IBE private key, the recipient of an IBE-encrypted message provides the IBE public key used to encrypt the message and their authentication credentials to a PKG and requests the private key that corresponds to the IBE public key. Section 4 of this document defines the protocol for communicating with a PKG as well as a minimum interoperable way to authenticate to a PKG that all IBE implementations MUST support. Because the security of IBE private keys is vital to the overall security of an IBE system, IBE private keys MUST be transported to recipients over a secure protocol. PKGs MUST support TLS 1.1 [TLS] for transport of IBE private keys. This operation is shown below in Figure 4.

                   IBE Private Key Request
                ---------------------------->
      Recipient                                PKG
                <----------------------------
                       IBE Private Key
        
Figure 4. Obtaining an IBE Private Key

1.2.3. Recipient Decrypts IBE-Encrypted Message

After obtaining the necessary IBE private key, the recipient uses that IBE private key, and the corresponding IBE public parameters, to decrypt the CEK. This operation is shown below in Figure 5. He then uses the CEK to decrypt the encrypted message content (for example, as specified in [IBECMS]).

      IBE-encrypted CEK ----> Recipient ----> CEK
                                 ^
                                 |
                                 |
              IBE Private Key and IBE Public Parameters

Figure 5. Using an IBE Public-Key Algorithm to Decrypt

2. Notation and Definitions
2.1. Notation

This section summarizes the notions and definitions regarding identity-based cryptosystems on elliptic curves. The reader is referred to [ECC] for the mathematical background and to [BF], [IBEARCH] regarding all notions pertaining to identity-based encryption.

F_p denotes the finite field of prime characteristic p; F_p^2 denotes its extension field of degree 2.

Let E/F_p: y^2 = x^3 + a * x + b be an elliptic curve over F_p. For an extension of degree 2, the curve E/F_p defines a group (E(F_p^2), +), which is the additive group of points of affine coordinates (x, y) in (F_p^2)^2 satisfying the curve equation over F_p^2, with null element, or point at infinity, denoted as 0.

Let q be a prime such that E(F_p) has a cyclic subgroup G1' of order q.

Let G1'' be a cyclic subgroup of E(F_p^2) of order q, and G2 be a cyclic subgroup of (F_p^2)* of order q.

Under these conditions, a mathematical construction known as the Tate pairing provides an efficiently computable map e: G1' x G1'' -> G2 that is linear in both arguments and believed hard to invert [BF]. If an efficiently computable non-rational endomorphism phi: G1' -> G1'' is available for the selected elliptic curve on which the Tate pairing is computed, then we can construct a function e': G1' x G1'' -> G2, defined as e'(A, B) = e(A, phi(B)), called the modified Tate pairing. We generically call a pairing either the Tate pairing e or the modified Tate pairing e', depending on the chosen elliptic curve used in a particular implementation.

The following additional notation is used throughout this document.

p - A 512-bit to 7680-bit prime, which is the order of the finite field F_p.

F_p - The base finite field of order p over which the elliptic curve of interest E/F_p is defined.

F_p-定义感兴趣的椭圆曲线E/F_p的p阶基有限域。

#G - The size of the set G.

#G-集合G的大小。

F* - The multiplicative group of the non-zero elements in the field F; e.g., (F_p)* is the multiplicative group of the finite field F_p.

F*——场F中非零元素的乘法群;e、 (F_p)*是有限域F_p的乘法群。

E/F_p - The equation of an elliptic curve over the field F_p, which, when p is neither 2 nor 3, is of the form E/F_p: y^2 = x^3 + a * x + b, for specified a, b in F_p.

E/F_p-场F_p上的椭圆曲线方程,当p既不是2也不是3时,其形式为E/F_p:y^2=x^3+a*x+b,用于F_p中指定的a,b。

0 - The null element of any additive group of points on an elliptic curve, also called the point at infinity.

0-椭圆曲线上任意加性点组的零元素,也称为无穷远处的点。

E(F_p) - The additive group of points of affine coordinates (x, y), with x, y in F_p, that satisfy the curve equation E/F_p, including the point at infinity 0.

E(F_p)-仿射坐标(x,y)中x,y满足曲线方程E/F_p的点的加法组(x,y),包括无穷远处的点。

q - A 160-bit to 512-bit prime that is the order of the cyclic subgroup of interest in E(F_p).

q-一个160位到512位的素数,它是E(F_p)中感兴趣的循环子群的阶数。

k - The embedding degree of the cyclic subgroup of order q in E(F_p). For type-1 curves this is always equal to 2.

k-E(F_p)中q阶循环子群的嵌入度。对于1型曲线,该值始终等于2。

F_p^2 - The extension field of degree 2 of the field F_p.

F_p^2-字段F_p的次2的扩展字段。

E(F_p^2) - The group of points of affine coordinates in F_p^2 satisfying the curve equation E/F_p, including the point at infinity 0.

E(F_p^2)-F_p^2中满足曲线方程E/F_p的仿射坐标点组,包括无穷远处的点。

Z_p - The additive group of integers modulo p.

Z_p-模p的整数的加法群。

lg - The base 2 logarithm function, so that 2^lg(x) = x.

lg-以2为底的对数函数,因此2^lg(x)=x。

The term "object identifier" will be abbreviated "OID."

术语“对象标识符”将缩写为“OID”

A Solinas prime is a prime of the form 2^a (+/-) 2^b (+/-) 1.

Solinas素数是形式为2^A(+/-)2^b(+/-)1的素数。

The following conventions are assumed for curve operations.

对于曲线操作,假定以下约定。

Point addition - If A and B are two points on a curve E, their sum is denoted as A + B.

点加法-如果A和B是曲线E上的两点,则它们的和表示为A+B。

Point multiplication - If A is a point on a curve, and n an integer, the result of adding A to itself a total of n times is denoted [n]A.

点乘-如果A是曲线上的一个点,n是一个整数,则将A自身加总n次的结果表示为[n]A。

The following class of elliptic curves is exclusively considered for pairing operations in the present version of this document, which are referred to as "type-1" curves.

Type-1 curves - The class of curves of type-1 is defined as the class of all elliptic curves of equation E/F_p: y^2 = x^3 + 1 for all primes p congruent to 11 modulo 12. This class forms a subclass of the class of supersingular curves. These curves satisfy #E(F_p) = p + 1, and the p points (x, y) in E(F_p) \ {0} have the property that x = (y^2 - 1)^(1/3) (mod p). Type-1 curves always have an embedding degree k = 2.

Groups of points on type-1 curves are plentiful and easy to construct by random selection of a prime p of the appropriate form. Therefore, rather than standardizing on a small set of common values of p, it is henceforth assumed that all type-1 curves are freshly generated at random for the given cryptographic application (an example of such generation will be given in Algorithm 5.1.2 (BFsetup1) or Algorithm 6.1.2 (BBsetup1)). Implementations based on different classes of curves are currently unsupported.

We assume that the following concrete representations of mathematical objects are used.

Base field elements - The p elements of the base field F_p are represented directly using the integers from 0 to p - 1.

Extension field elements - The p^2 elements of the extension field F_p^2 are represented as ordered pairs of elements of F_p. An ordered pair (a_0, a_1) is interpreted as the complex number a_0 + a_1 * i, where i^2 = -1. This allows operations on elements of F_p^2 to be implemented as follows. Suppose that a = (a_0, a_1) and b = (b_0, b_1) are elements of F_p^2. Then a + b = ((a_0 + b_0)(mod p), (a_1 + b_1)(mod p)) and, since i^2 = -1, a * b = ((a_0 * b_0 - a_1 * b_1)(mod p), (a_0 * b_1 + a_1 * b_0)(mod p)).

Elliptic curve points - Points in E(F_p^2) with the point P = (x, y) in F_p^2 x F_p^2 satisfying the curve equation E/F_p. Points not equal to 0 are internally represented using the affine coordinates (x, y), where x and y are elements of F_p^2.
2.2. Definitions

The following terminology is used to describe an IBE system.

Public parameters - The public parameters are a set of common, system-wide parameters generated and published by the private key generator (PKG).

Master secret - The master secret is the master key generated and privately kept by the key server and used to generate the private keys of the users.

Identity - An identity is an arbitrary string, usually a human-readable unambiguous designator of a system user, possibly augmented with a time stamp and other attributes.

Public key - A public key is a string that is algorithmically derived from an identity. The derivation may be performed by anyone, autonomously.

Private key - A private key is issued by the key server to correspond to a given identity (and the public key that derives from it) under the published set of public parameters.

Plaintext - Plaintext is an unencrypted representation, or in the clear, of any block of data to be transmitted securely. For the present purposes, plaintexts are typically session keys, or sets of session keys, for further symmetric encryption and authentication purposes.

Ciphertext - Ciphertext is an encrypted representation of any block of data, including plaintext, to be transmitted securely.

3. Basic Elliptic Curve Algorithms

This section describes algorithms for performing all needed basic arithmetic operations on elliptic curves. The presentation is specialized to the type of curves under consideration for simplicity of implementation. General algorithms may be found in [ECC].

3.1. The Group Action in Affine Coordinates

3.1.1. Implementation for Type-1 Curves

Algorithm 3.1.1 (PointDouble1): adds a point to itself on a type-1 elliptic curve.

Input:

o A point A in E(F_p^2), with A = (x, y) or 0

o An elliptic curve E/F_p: y^2 = x^3 + 1

Output:

o The point [2]A = A + A

Method:

1. If A = 0 or y = 0, then return 0

2. Let lambda = (3 * x^2) / (2 * y)

3. Let x' = lambda^2 - 2 * x

4. Let y' = (x - x') * lambda - y

5. Return (x', y')

Algorithm 3.1.2 (PointAdd1): adds two points on a type-1 elliptic curve.

Input:

o A point A in E(F_p^2), with A = (x_A, y_A) or 0

o A point B in E(F_p^2), with B = (x_B, y_B) or 0

o An elliptic curve E/F_p: y^2 = x^3 + 1

Output:

o The point A + B

Method:

1. If A = 0, return B

2. If B = 0, return A

3. If x_A = x_B:

   (a) If y_A = -y_B, return 0

   (b) Else return [2]A computed using Algorithm 3.1.1 (PointDouble1)

4. Otherwise:

   (a) Let lambda = (y_B - y_A) / (x_B - x_A)

   (b) Let x' = lambda^2 - x_A - x_B

   (c) Let y' = (x_A - x') * lambda - y_A

   (d) Return (x', y')

3.2. Point Multiplication

Algorithm 3.2.1 (SignedWindowDecomposition): computes the signed m-ary window representation of a positive integer [ECC].

Input:

o An integer k > 0, where k has the binary representation k = {Sum(k_j * 2^j), for j = 0 to l}, where each k_j is either 0 or 1 and k_l = 0

o An integer window bit-size r > 0

Output:

o An integer d and the unique d-element sequence {(b_i, e_i), for i = 0 to d - 1} such that k = {Sum(b_i * 2^(e_i)), for i = 0 to d - 1}, where each b_i is an odd integer with |b_i| < 2^(r - 1) and each e_i is a non-negative integer

Method:

1. Let d = 0

2. Let j = 0

3. While j <= l, do:

   (a) If k_j = 0, then:

       i. Let j = j + 1

   (b) Else:

       i. Let t = min{l, j + r - 1}

       ii. Let h_d = (k_t, k_(t - 1), ..., k_j) (base 2)

       iii. If h_d > 2^(r - 1), then:

            A. Let b_d = h_d - 2^r

            B. Increment the number (k_l, k_(l - 1), ..., k_(t + 1)) (base 2) by 1, i.e., carry the borrowed 2^r into the bits above the window (a carry out of k_l extends the representation by one bit)

       iv. Else:

            A. Let b_d = h_d

       v. Let e_d = j

       vi. Let d = d + 1

       vii. Let j = t + 1

4. Return d and the sequence {(b_0, e_0), ..., (b_(d - 1), e_(d - 1))}

Algorithm 3.2.2 (PointMultiply): scalar multiplication on an elliptic curve using the signed m-ary window method.

Input:

o A point A in E(F_p^2)

o An integer l > 0

o An elliptic curve E/F_p: y^2 = x^3 + a * x + b

Output:

o The point [l]A

Method:

1. (Window decomposition)

   (a) Let r > 0 be an integer (fixed) bit-wise window size, e.g., r = 5

   (b) Let l' = l where l = {Sum(l_j * 2^j), for j = 0 to len_l} is the binary expansion of l, where len_l = Ceiling(lg(l))

   (c) Compute (d, {(b_i, e_i), for i = 0 to d - 1}) = SignedWindowDecomposition(l, r), the signed 2^r-ary window representation of l, using Algorithm 3.2.1 (SignedWindowDecomposition)

2. (Precomputation)

   (a) Let A_1 = A

   (b) Let A_2 = [2]A, using Algorithm 3.1.1 (PointDouble1)

   (c) For i = 1 to 2^(r - 2) - 1, do:

       i. Let A_(2 * i + 1) = A_(2 * i - 1) + A_2 using Algorithm 3.1.2 (PointAdd1)

   (d) Let Q = A_(b_(d - 1))

3. (Main loop)

   (a) For i = d - 2 to 0 by -1, do:

       i. Let Q = [2^(e_(i + 1) - e_i)]Q, using repeated applications of Algorithm 3.1.1 (PointDouble1) e_(i + 1) - e_i times

       ii. If b_i > 0, then:

           A. Let Q = Q + A_(b_i) using Algorithm 3.1.2 (PointAdd1)

       iii. Else:

           A. Let Q = Q - A_(-(b_i)) using Algorithm 3.1.2 (PointAdd1)

   (b) Calculate Q = [2^(e_0)]Q using repeated applications of Algorithm 3.1.1 (PointDouble1) e_0 times

4. Return Q.
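The following is an added example, not code from the RFC: it implements the F_p^2 pair representation of Section 2.1 and Algorithms 3.1.1, 3.1.2, 3.2.1 and 3.2.2 over a constructed toy type-1 curve (p = 59, which is 11 mod 12), and cross-checks the windowed multiplication against plain repeated addition; all point coordinates used are constructed values, and the carry of step 3(b)iii.B is done by integer arithmetic rather than on a bit string.

```python
# Added example, not RFC 5091 code: the F_p^2 representation of Section 2.1 and Algorithms
# 3.1.1, 3.1.2, 3.2.1 and 3.2.2 on a type-1 curve y^2 = x^3 + 1.  F_p^2 elements are pairs
# (a0, a1) = a0 + a1*i with i^2 = -1; points are ((x0, x1), (y0, y1)) or None for 0.
P = 59   # constructed toy prime, 59 = 11 (mod 12); real parameters use p of 512 bits and up

def f2_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def f2_sub(a, b):
    return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)

def f2_mul(a, b):   # (a0 + a1 i)(b0 + b1 i) = (a0 b0 - a1 b1) + (a0 b1 + a1 b0) i, as i^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)

def f2_inv(a):      # 1/a = conj(a) / (a0^2 + a1^2); the norm is in F_p and non-zero for a != 0
    n = pow((a[0] * a[0] + a[1] * a[1]) % P, -1, P)
    return (a[0] * n % P, -a[1] * n % P)

def f2_scale(k, a):
    return (k * a[0] % P, k * a[1] % P)

def on_curve(A):    # membership test for y^2 = x^3 + 1 over F_p^2; 0 is always a member
    if A is None:
        return True
    x, y = A
    return f2_mul(y, y) == f2_add(f2_mul(f2_mul(x, x), x), (1, 0))

def point_double1(A):   # Algorithm 3.1.1 (PointDouble1)
    if A is None or A[1] == (0, 0):
        return None
    x, y = A
    lam = f2_mul(f2_scale(3, f2_mul(x, x)), f2_inv(f2_scale(2, y)))   # 3x^2 / 2y
    x2 = f2_sub(f2_mul(lam, lam), f2_scale(2, x))
    return (x2, f2_sub(f2_mul(f2_sub(x, x2), lam), y))

def point_add1(A, B):   # Algorithm 3.1.2 (PointAdd1)
    if A is None or B is None:
        return B if A is None else A
    (xa, ya), (xb, yb) = A, B
    if xa == xb:
        return None if f2_add(ya, yb) == (0, 0) else point_double1(A)   # B = -A or B = A
    lam = f2_mul(f2_sub(yb, ya), f2_inv(f2_sub(xb, xa)))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), xa), xb)
    return (x3, f2_sub(f2_mul(f2_sub(xa, x3), lam), ya))

def point_neg(A):
    return None if A is None else (A[0], f2_sub((0, 0), A[1]))

def signed_window_decomposition(k, r):
    """Algorithm 3.2.1: [(b_0, e_0), ..., (b_(d-1), e_(d-1))] with k = sum b_i * 2^e_i,
    every b_i odd, |b_i| < 2^(r-1) and e_0 < e_1 < ...  The bit-string steps are done on the
    integer: taking b_d = h_d - 2^r and carrying 1 into the bits above the window is (k - b_d) >> r."""
    digits, j = [], 0
    while k > 0:
        if k & 1 == 0:
            k, j = k >> 1, j + 1                    # step 3(a): skip a zero bit
            continue
        h = k & ((1 << r) - 1)                      # h_d: the next r bits (fewer at the top end)
        b = h - (1 << r) if h > (1 << (r - 1)) else h
        digits.append((b, j))                       # (b_d, e_d)
        k, j = (k - b) >> r, j + r                  # consume the window, j = t + 1
    return digits

def point_multiply(A, n, r=5):   # Algorithm 3.2.2 (PointMultiply): [n]A, window size r >= 2
    digits = signed_window_decomposition(n, r)
    table, A2 = {1: A}, point_double1(A)
    for i in range(1, 1 << (r - 2)):                # A_3, A_5, ..., A_(2^(r-1) - 1)
        table[2 * i + 1] = point_add1(table[2 * i - 1], A2)
    b, e = digits[-1]
    Q = table[b]                                    # the leading digit is always positive
    for i in range(len(digits) - 2, -1, -1):
        for _ in range(e - digits[i][1]):           # [2^(e_(i+1) - e_i)]Q
            Q = point_double1(Q)
        b, e = digits[i]
        Q = point_add1(Q, table[b] if b > 0 else point_neg(table[-b]))
    for _ in range(e):                              # final [2^(e_0)]Q
        Q = point_double1(Q)
    return Q

def naive_multiply(A, n):   # reference [n]A by n repeated PointAdd1 calls, to cross-check
    Q = None
    for _ in range(n):
        Q = point_add1(Q, A)
    return Q
```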

3.3. Operations in Jacobian Projective Coordinates

3.3.1. Implementation for Type-1 Curves

Algorithm 3.3.1 (ProjectivePointDouble1): adds a point to itself in Jacobian projective coordinates for type-1 curves.

Input:

o A point (x, y, z) = A in E(F_p^2) in Jacobian projective coordinates

o An elliptic curve E/F_p: y^2 = x^3 + 1

Output:

o The point [2]A in Jacobian projective coordinates

Method:

1. If z = 0 or y = 0, return (0, 1, 0) = 0, otherwise:

2. Let lambda_1 = 3 * x^2

3. Let z' = 2 * y * z

4. Let lambda_2 = y^2

5. Let lambda_3 = 4 * lambda_2 * x

6. Let x' = lambda_1^2 - 2 * lambda_3

7. Let lambda_4 = 8 * lambda_2^2

8. Let y' = lambda_1 * (lambda_3 - x') - lambda_4

9. Return (x', y', z')

Algorithm 3.3.2 (ProjectivePointAccumulate1): adds a point in affine coordinates to an accumulator in Jacobian projective coordinates, for type-1 curves.

Input:

o A point (x_A, y_A, z_A) = A in E(F_p^2) in Jacobian projective coordinates

o A point (x_B, y_B) = B in E(F_p^2) \ {0} in affine coordinates

o An elliptic curve E/F_p: y^2 = x^3 + 1

Output:

o The point A + B in Jacobian projective coordinates

Method:

1. If z_A = 0, return (x_B, y_B, 1) = B, otherwise:

2. Let lambda_1 = z_A^2

3. Let lambda_2 = lambda_1 * x_B

4. Let lambda_3 = x_A - lambda_2

5. If lambda_3 = 0, then return (0, 1, 0), otherwise:

6. Let lambda_4 = lambda_3^2

7. Let lambda_5 = lambda_1 * y_B * z_A

8. Let lambda_6 = y_A - lambda_5

9. Let lambda_7 = x_A + lambda_2

10. Let lambda_8 = y_A + lambda_5

11. Let x' = lambda_6^2 - lambda_7 * lambda_4

12. Let lambda_9 = lambda_7 * lambda_4 - 2 * x'

13. Let y' = (lambda_9 * lambda_6 - lambda_8 * lambda_3 * lambda_4) / 2

14. Let z' = lambda_3 * z_A

15. Return (x', y', z')

3.4. Divisors on Elliptic Curves

3.4.1. Implementation in F_p^2 for Type-1 Curves

Algorithm 3.4.1 (EvalVertical1): evaluates the divisor of a vertical line on a type-1 elliptic curve.

Input:

o A point B in E(F_p^2) with B != 0

o A point A in E(F_p)

o A description of a type-1 elliptic curve E/F_p

Output:

o An element of F_p^2 that is the divisor of the vertical line going through A evaluated at B

Method:

1. Let r = x_B - x_A

2. Return r

Algorithm 3.4.2 (EvalTangent1): evaluates the divisor of a tangent on a type-1 elliptic curve.

Input:

o A point B in E(F_p^2) with B != 0

o A point A in E(F_p)

o A description of a type-1 elliptic curve E/F_p

Output:

o An element of F_p^2 that is the divisor of the line tangent to A evaluated at B

Method:

1. (Special cases)

   (a) If A = 0, return 1

   (b) If y_A = 0, return EvalVertical1(B, A) using Algorithm 3.4.1 (EvalVertical1)

2. (Line computation)

   (a) Let a = -3 * (x_A)^2

   (b) Let b = 2 * y_A

   (c) Let c = -b * y_A - a * x_A

3. (Evaluation at B)

   (a) Let r = a * x_B + b * y_B + c

4. Return r

Algorithm 3.4.3 (EvalLine1): evaluates the divisor of a line on a type-1 elliptic curve.

Input:

o A point B in E(F_p^2) with B != 0

o Two points A', A'' in E(F_p)

o A description of a type-1 elliptic curve E/F_p

Output:

o An element of F_p^2 that is the divisor of the line going through A' and A'' evaluated at B

Method:

1. (Special cases)

   (a) If A' = 0, return EvalVertical1(B, A'') using Algorithm 3.4.1 (EvalVertical1)

   (b) If A'' = 0, return EvalVertical1(B, A') using Algorithm 3.4.1 (EvalVertical1)

   (c) If A' = -A'', return EvalVertical1(B, A') using Algorithm 3.4.1 (EvalVertical1)

   (d) If A' = A'', return EvalTangent1(B, A') using Algorithm 3.4.2 (EvalTangent1)

2. (Line computation)

   (a) Let a = y_A' - y_A''

   (b) Let b = x_A'' - x_A'

   (c) Let c = -b * y_A' - a * x_A'

3. (Evaluation at B)

   (a) Let r = a * x_B + b * y_B + c

4. Return r

3.5. The Tate Pairing

3.5.1. Tate Pairing Calculation

Algorithm 3.5.1 (Tate): computes the Tate pairing on an elliptic curve.

Input:

o A point A of order q in E(F_p)

o A point B of order q in E(F_p^2)

o A description of an elliptic curve E/F_p such that E(F_p) and E(F_p^2) have a subgroup of order q

Output:

o The value e(A, B) in F_p^2, computed using the Miller algorithm

Method:

1. For a type-1 curve E, execute Algorithm 3.5.2 (TateMillerSolinas)

3.5.2. The Miller Algorithm for Type-1 Curves

Algorithm 3.5.2 (TateMillerSolinas): computes the Tate pairing on a type-1 elliptic curve.

Input:

o A point A of order q in E(F_p)

o A point B of order q in E(F_p^2)

o A description of a type-1 supersingular elliptic curve E/F_p such that E(F_p) and E(F_p^2) have a subgroup of Solinas prime order q, where q = 2^a + s * 2^b + c and c and s are limited to the values +/-1

Output:

o The value e(A, B) in F_p^2, computed using the Miller algorithm

Method:

1. (Initialization)

   (a) Let v_num = 1 in F_p^2

   (b) Let v_den = 1 in F_p^2

   (c) Let V = (x_V, y_V, z_V) = (x_A, y_A, 1) in (F_p)^3, being the representation of (x_A, y_A) = A using Jacobian projective coordinates

   (d) Let t_num = 1 in F_p^2

   (e) Let t_den = 1 in F_p^2

2. (Calculation of the (s * 2^b) contribution)

   (a) (Repeated doublings) For n = 0 to b - 1:

       i. Let t_num = t_num^2

       ii. Let t_den = t_den^2

       iii. Let t_num = t_num * EvalTangent1(B, (x_V / z_V^2, y_V / z_V^3)) using Algorithm 3.4.2 (EvalTangent1)

       iv. Let V = (x_V, y_V, z_V) = [2]V using Algorithm 3.3.1 (ProjectivePointDouble1)

       v. Let t_den = t_den * EvalVertical1(B, (x_V / z_V^2, y_V / z_V^3)) using Algorithm 3.4.1 (EvalVertical1)

   (b) (Normalization)

       i. Let V_b = (x_(V_b), y_(V_b)) = (x_V / z_V^2, s * y_V / z_V^3) in (F_p)^2, resulting in a point V_b in E(F_p)

   (c) (Accumulation) Selecting on s:

       i. If s = -1:

           A. Let v_num = v_num * t_den

           B. Let v_den = v_den * t_num * EvalVertical1(B, (x_V / z_V^2, y_V / z_V^3)) using Algorithm 3.4.1 (EvalVertical1)

       ii. If s = 1:

           A. Let v_num = v_num * t_num

           B. Let v_den = v_den * t_den

3. (Calculation of the 2^a contribution)

   (a) (Repeated doublings) For n = b to a - 1:

       i. Let t_num = t_num^2

       ii. Let t_den = t_den^2

       iii. Let t_num = t_num * EvalTangent1(B, (x_V / z_V^2, y_V / z_V^3)) using Algorithm 3.4.2 (EvalTangent1)

       iv. Let V = (x_V, y_V, z_V) = [2]V using Algorithm 3.3.1 (ProjectivePointDouble1)

       v. Let t_den = t_den * EvalVertical1(B, (x_V / z_V^2, y_V / z_V^3)) using Algorithm 3.4.1 (EvalVertical1)

   (b) (Normalization)

       i. Let V_a = (x_(V_a), y_(V_a)) = (x_V / z_V^2, y_V / z_V^3) in (F_p)^2, resulting in a point V_a in E(F_p)

   (c) (Accumulation)

       i. Let v_num = v_num * t_num

       ii. Let v_den = v_den * t_den

4. (Correction for the (s * 2^b) and (c) contributions)

   (a) Let v_num = v_num * EvalLine1(B, V_a, V_b) using Algorithm 3.4.3 (EvalLine1)

   (b) Let v_den = v_den * EvalVertical1(B, V_a + V_b) using Algorithm 3.4.1 (EvalVertical1)

   (c) If c = -1, then:

       i. Let v_den = v_den * EvalVertical1(B, A) using Algorithm 3.4.1 (EvalVertical1)

5. (Correcting exponent)

   (a) Let eta = (p^2 - 1) / q

6. (Final result)

   (a) Return (v_num / v_den)^eta
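The following is an added example, not code from the RFC: it runs Algorithms 3.3.1, 3.3.2, 3.4.1 to 3.4.3 and 3.5.2 on a constructed toy type-1 curve over F_59 with the Solinas prime q = 5 = 2^2 + 2^1 - 1, and obtains the modified pairing of Section 2.1 through the distortion map phi(x, y) = (zeta * x, y), zeta a primitive cube root of unity in F_p^2. Two readings are assumptions of this example and are marked in the comments: lambda_6 of Algorithm 3.3.2 is taken as y_A - lambda_5, and the c term of step 4 is applied through the divisor identity f_q = f_(q - c) * f_c * l / v, where [q - c]A = [-c]A makes the combining line the vertical at A and v_([q]A) = 1, so for c = 1 the numerator gains EvalVertical1(B, A) and for c = -1 the f_(-1) = 1 / v_A factor cancels against that line. The test then checks the properties a pairing must have: bilinearity, symmetry of the modified pairing and order q of the result.

```python
# Added example, not RFC 5091 code: Algorithms 3.3.1, 3.3.2, 3.4.1-3.4.3 and 3.5.2 on a type-1
# curve y^2 = x^3 + 1, final exponent (p^2 - 1) / q.  F_p elements are ints, F_p^2 elements are
# (a0, a1) = a0 + a1*i with i^2 = -1, E(F_p) points are (x, y) or None, E(F_p^2) points ((x0, x1), (y0, y1)).
P = 59                            # constructed toy prime: 59 = 11 (mod 12), #E(F_59) = 60
A_, B_, S_, C_ = 2, 1, 1, -1      # q = 2^2 + 1 * 2^1 - 1 = 5, a Solinas prime dividing p + 1

def f2_mul(a, b, p=P):
    return ((a[0] * b[0] - a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def f2_inv(a, p=P):               # conj(a) / norm(a), with norm(a) = a0^2 + a1^2 in F_p
    n = pow((a[0] * a[0] + a[1] * a[1]) % p, -1, p)
    return (a[0] * n % p, -a[1] * n % p)

def f2_pow(a, e, p=P):
    r = (1, 0)
    while e:
        r, a, e = (f2_mul(r, a, p) if e & 1 else r), f2_mul(a, a, p), e >> 1
    return r

def proj_double1(V, p=P):         # Algorithm 3.3.1, Jacobian (x, y, z); (0, 1, 0) is 0
    x, y, z = V
    if z == 0 or y == 0:
        return (0, 1, 0)
    l1, z2, l2 = 3 * x * x % p, 2 * y * z % p, y * y % p
    l3 = 4 * l2 * x % p
    x2 = (l1 * l1 - 2 * l3) % p
    return (x2, (l1 * (l3 - x2) - 8 * l2 * l2) % p, z2)

def proj_accumulate1(V, B, p=P):  # Algorithm 3.3.2: Jacobian V plus affine B != 0
    (xa, ya, za), (xb, yb) = V, B
    if za == 0:
        return (xb, yb, 1)
    l1 = za * za % p
    l2, l3 = l1 * xb % p, (xa - l1 * xb) % p
    if l3 == 0:                   # as in the RFC, equal x is read as B = -V; callers never pass B = V
        return (0, 1, 0)
    l4, l5 = l3 * l3 % p, l1 * yb * za % p
    l6, l7, l8 = (ya - l5) % p, (xa + l2) % p, (ya + l5) % p   # lambda_6 read as y_A - lambda_5
    x2 = (l6 * l6 - l7 * l4) % p
    l9 = (l7 * l4 - 2 * x2) % p
    y2 = (l9 * l6 - l8 * l3 * l4) * pow(2, -1, p) % p
    return (x2, y2, l3 * za % p)

def to_affine(V, p=P):            # (x, y, z) -> (x / z^2, y / z^3); None for the point 0
    zi = pow(V[2], -1, p) if V[2] else None
    return None if zi is None else (V[0] * zi * zi % p, V[1] * zi ** 3 % p)

def eval_vertical1(B, A, p=P):    # Algorithm 3.4.1: x_B - x_A in F_p^2
    return ((B[0][0] - A[0]) % p, B[0][1])
def eval_abc(B, a, b, c, p=P):    # a * x_B + b * y_B + c for a, b, c in F_p, B in E(F_p^2)
    return ((a * B[0][0] + b * B[1][0] + c) % p, (a * B[0][1] + b * B[1][1]) % p)

def eval_tangent1(B, A, p=P):     # Algorithm 3.4.2
    if A is None:
        return (1, 0)
    if A[1] == 0:
        return eval_vertical1(B, A, p)
    a, b = -3 * A[0] * A[0] % p, 2 * A[1] % p
    return eval_abc(B, a, b, (-b * A[1] - a * A[0]) % p, p)

def eval_line1(B, A1, A2, p=P):   # Algorithm 3.4.3
    if A1 is None or A2 is None or (A1[0] == A2[0] and A1 != A2):   # 0 or A1 = -A2: vertical
        return eval_vertical1(B, A2 if A1 is None else A1, p)
    if A1 == A2:
        return eval_tangent1(B, A1, p)
    a, b = (A1[1] - A2[1]) % p, (A2[0] - A1[0]) % p
    return eval_abc(B, a, b, (-b * A1[1] - a * A1[0]) % p, p)

def tate_miller_solinas(A, B, a=A_, b=B_, s=S_, c=C_, p=P):   # Algorithm 3.5.2
    q = (1 << a) + s * (1 << b) + c
    V, t_num, t_den = (A[0], A[1], 1), (1, 0), (1, 0)
    def step(t_num, t_den, V):    # one doubling of steps 2(a)/3(a): f_2m = f_m^2 * tangent / vertical
        t_num, t_den = f2_mul(t_num, t_num, p), f2_mul(t_den, t_den, p)
        t_num = f2_mul(t_num, eval_tangent1(B, to_affine(V, p), p), p)
        V = proj_double1(V, p)
        return t_num, f2_mul(t_den, eval_vertical1(B, to_affine(V, p), p), p), V
    for _ in range(b):
        t_num, t_den, V = step(t_num, t_den, V)
    x, y = to_affine(V, p)
    V_b = (x, s * y % p)                                   # V_b = [s * 2^b]A
    if s == -1:                                            # f_-m = 1 / (f_m * vertical at [m]A)
        v_num, v_den = t_den, f2_mul(t_num, eval_vertical1(B, (x, y), p), p)
    else:
        v_num, v_den = t_num, t_den
    for _ in range(b, a):
        t_num, t_den, V = step(t_num, t_den, V)
    V_a = to_affine(V, p)                                  # V_a = [2^a]A
    v_num = f2_mul(f2_mul(v_num, t_num, p), eval_line1(B, V_a, V_b, p), p)
    V_ab = to_affine(proj_accumulate1((V_a[0], V_a[1], 1), V_b, p), p)   # [q - c]A = [-c]A
    v_den = f2_mul(f2_mul(v_den, t_den, p), eval_vertical1(B, V_ab, p), p)
    if c == 1:   # f_q = f_(q-1) * line(-A, A) / vertical(0), and that line is the vertical at A
        v_num = f2_mul(v_num, eval_vertical1(B, A, p), p)
    return f2_pow(f2_mul(v_num, f2_inv(v_den, p), p), (p * p - 1) // q, p)

def distortion(A, p=P):           # phi(x, y) = (zeta * x, y), zeta a primitive cube root of 1 in F_p^2
    inv2, s3 = pow(2, -1, p), pow(3, (p + 1) // 4, p)    # s3 = sqrt(3) in F_p, so (s3 * i)^2 = -3
    zeta = ((-inv2) % p, s3 * inv2 % p)                  # (-1 + sqrt(-3)) / 2
    return (f2_mul(zeta, (A[0], 0), p), (A[1], 0))
```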

4. Supporting Algorithms

This section describes a number of supporting algorithms for encoding and hashing.

4.1. Integer Range Hashing

4.1.1. Hashing to an Integer Range

HashToRange(s, n, hashfcn) takes a string s, an integer n, and a cryptographic hash function hashfcn as input and returns an integer in the range 0 to n - 1 by cryptographic hashing. The input n MUST be less than 2^(hashlen), where hashlen is the number of octets comprising the output of the hash function hashfcn. HashToRange is based on Merkle's method for hashing [MERKLE], which is provably as secure as the underlying hash function hashfcn.

Algorithm 4.1.1 (HashToRange): cryptographically hashes strings to integers in a range.

Input:

o A string s of length |s| octets

o A positive integer n represented as Ceiling(lg(n) / 8) octets

o A cryptographic hash function hashfcn

Output:

o A positive integer v in the range 0 to n - 1

Method:

1. Let hashlen be the number of octets comprising the output of hashfcn

2. Let v_0 = 0

3. Let h_0 = 0x00...00, a string of null octets with a length of hashlen

4. For i = 1 to 2, do:

   (a) Let t_i = h_(i - 1) || s, which is the (|s| + hashlen)-octet string concatenation of the strings h_(i - 1) and s

   (b) Let h_i = hashfcn(t_i), which is a hashlen-octet string resulting from the hash algorithm hashfcn on the input t_i

   (c) Let a_i = Value(h_i) be the integer in the range 0 to 256^hashlen - 1 denoted by the raw octet string h_i interpreted in the unsigned big-endian convention

   (d) Let v_i = 256^hashlen * v_(i - 1) + a_i

5. Let v = v_2 (mod n)

4.2. Pseudo-Random Byte Generation by Hashing

4.2.1. Keyed Pseudo-Random Bytes Generator

HashBytes(b, p, hashfcn) takes an integer b, a string p, and a cryptographic hash function hashfcn as input and returns a b-octet pseudo-random string r as output. The value of b MUST be less than or equal to the number of bytes in the output of hashfcn. HashBytes is based on Merkle's method for hashing [MERKLE], which is provably as secure as the underlying hash function hashfcn.

Algorithm 4.2.1 (HashBytes): keyed cryptographic pseudo-random bytes generator.

Input:

o An integer b

o A string p

o A cryptographic hash function hashfcn

Output:

o A string r comprising b octets

Method:

1. Let hashlen be the number of octets comprising the output of hashfcn

2. Let K = hashfcn(p)

3. Let h_0 = 0x00...00, a string of null octets with a length of hashlen

4. Let l = Ceiling(b / hashlen)

5. For each i in 1 to l, do:

   (a) Let h_i = hashfcn(h_(i - 1))

   (b) Let r_i = hashfcn(h_i || K), where h_i || K is the (2 * hashlen)-octet concatenation of h_i and K

6. Let r = LeftmostOctets(b, r_1 || ... || r_l), i.e., r is formed as the concatenation of the r_i, truncated to the desired number of octets

4.3. Canonical Encodings of Extension Field Elements

4.3.1. Encoding an Extension Element as a String

Canonical(p, k, o, v) takes an element v in F_p^k, and returns a canonical octet string of fixed length representing v. The parameter o MUST be either 0 or 1, and specifies the ordering of the encoding.

Algorithm 4.3.1 (Canonical): encodes elements of an extension field F_p^2 as strings.

Input:

o An element v in F_p^2

o A description of F_p^2

o An ordering parameter o, either 0 or 1

Output:

o A fixed-length string s representing v

Method:

1. For a type-1 curve, execute Algorithm 4.3.2 (Canonical1)

4.3.2. Type-1 Curve Implementation

Canonical1(p, o, v) takes an element v in F_p^2 and returns a canonical representation of v as an octet string s of fixed size. The parameter o MUST be either 0 or 1, and specifies the ordering of the encoding.

Algorithm 4.3.2 (Canonical1): canonically represents elements of an extension field F_p^2.

Input:

o An element v in F_p^2

o A description of p, where p is congruent to 3 modulo 4

o An ordering parameter o, either 0 or 1

Output:

o A string s of size 2 * Ceiling(lg(p) / 8) octets

Method:

1. Let l = Ceiling(lg(p) / 8), the number of octets needed to represent integers in Z_p

2. Let v = a + b * i, where i^2 = -1

3. Let a_(256^l) be the big-endian zero-padded fixed-length octet string representation of a in Z_p

4. Let b_(256^l) be the big-endian zero-padded fixed-length octet string representation of b in Z_p

5. Depending on the choice of ordering o:

   (a) If o = 0, then let s = a_(256^l) || b_(256^l), which is the concatenation of a_(256^l) followed by b_(256^l)

   (b) If o = 1, then let s = b_(256^l) || a_(256^l), which is the concatenation of b_(256^l) followed by a_(256^l)

6. Return s

4.4. Hashing onto a Subgroup of an Elliptic Curve

4.4.1. Hashing a String onto a Subgroup of an Elliptic Curve

HashToPoint(E, p, q, id, hashfcn) takes an identity string id, the description of a subgroup of prime order q in E(F_p) or E(F_p^2), and a cryptographic hash function hashfcn and returns a point Q_id of order q in E(F_p) or E(F_p^2).

Algorithm 4.4.1 (HashToPoint): cryptographically hashes strings to points on elliptic curves.

Input:

o An elliptic curve E

o A prime p

o A prime q

o A string id

o A cryptographic hash function hashfcn

Output:

o A point Q_id = (x, y) of order q in E(F_p)

Method:

1. For a type-1 curve E, execute Algorithm 4.4.2 (HashToPoint1)

4.4.2. Type-1 Curve Implementation

HashToPoint1(p, q, id, hashfcn) takes an identity string id and the description of a subgroup of order q in E(F_p), where E: y^2 = x^3 + 1 with p congruent to 11 modulo 12, and returns a point Q_id of order q in E(F_p) that is calculated using the cryptographic hash function hashfcn. The parameters p, q and hashfcn MUST be part of a valid set of public parameters as defined in Section 5.1.2 or Section 6.1.2.

Algorithm 4.4.2 (HashToPoint1): cryptographically hashes strings to points on type-1 curves.

Input:

o A prime p

o A prime q

o A string id

o A cryptographic hash function hashfcn

Output:

o A point Q_id of order q in E(F_p)

Method:

1. Let y = HashToRange(id, p, hashfcn), using Algorithm 4.1.1 (HashToRange), an element of F_p

2. Let x = (y^2 - 1)^((2 * p - 1) / 3) modulo p, an element of F_p

3. Let Q' = (x, y), a non-zero point in E(F_p)

4. Let Q = [(p + 1) / q]Q', a point of order q in E(F_p)

4.5. Bilinear Mapping

4.5.1. Regular or Modified Tate Pairing

Pairing(E, p, q, A, B) takes two points A and B, both of order q, and, in the type-1 case, returns the modified pairing e'(A, phi(B)) in F_p^2 where A and B are both in E(F_p).

Algorithm 4.5.1 (Pairing): computes the regular or modified Tate pairing depending on the curve type.

Input:

o A description of an elliptic curve E/F_p such that E(F_p) and E(F_p^2) have a subgroup of order q

o Two points A and B of order q in E(F_p) or E(F_p^2)

Output:

o On supersingular curves, the value of e'(A, B) in F_p^2 where A and B are both in E(F_p)

Method:

1. If E is a type-1 curve, execute Algorithm 4.5.2 (Pairing1)

4.5.2. Type-1 Curve Implementation

Algorithm 4.5.2 (Pairing1): computes the modified Tate pairing on type-1 curves. The values of p and q MUST be part of a valid set of public parameters as defined in Section 5.1.2 or Section 6.1.2.

Input:

o A curve E/F_p: y^2 = x^3 + 1 where p is congruent to 11 modulo 12 and E(F_p) has a subgroup of order q

o Two points A and B of order q in E(F_p)

Output:

o The value of e'(A, B) = e(A, phi(B)) in F_p^2

Method:

1. Compute B' = phi(B), as follows:

(a) Let (x, y) in F_p x F_p be the coordinates of B in E(F_p)

(b) Let zeta = (a_zeta, b_zeta), where a_zeta = (p - 1) / 2 and b_zeta = 3^((p + 1) / 4) (mod p), an element of F_p^2

(c) Let x' = x * zeta in F_p^2

(d) Let B' = (x', y) in F_p^2 x F_p

2. Compute the Tate pairing e(A, B') = e(A, phi(B)) in F_p^2 using the Miller method, as in Algorithm 3.5.1 (Tate) described in Section 3.5

4.6. Ratio of Bilinear Pairings

4.6.1. Ratio of Regular or Modified Tate Pairings

PairingRatio(E, p, q, A, B, C, D) takes four points as input and computes the ratio of the two bilinear pairings, Pairing(E, p, q, A, B) / Pairing(E, p, q, C, D), or, equivalently, the product, Pairing(E, p, q, A, B) * Pairing(E, p, q, C, -D).

On type-1 curves, all four points are of order q in E(F_p), and the result is an element of order q in the extension field F_p^2.

The motivation for this algorithm is that the ratio of two pairings can be calculated more efficiently than by computing each pairing separately and dividing one into the other, since certain calculations that would normally appear in each of the two pairings can be combined and carried out at once. Such calculations include the repeated doublings in steps 2(a)i, 2(a)ii, 3(a)i, and 3(a)ii of Algorithm 3.5.2 (TateMillerSolinas), as well as the final exponentiation in step 6(a) of Algorithm 3.5.2 (TateMillerSolinas).

Algorithm 4.6.1 (PairingRatio): computes the ratio of two regular or modified Tate pairings depending on the curve type.

Input:

o A description of an elliptic curve E/F_p such that E(F_p) and E(F_p^2) have a subgroup of order q

o Four points A, B, C, and D, of order q in E(F_p) or E(F_p^2)

Output:

o On supersingular curves, the value of e'(A, B) / e'(C, D) in F_p^2 where A, B, C, D are all in E(F_p)

Method:

1. If E is a type-1 curve, execute Algorithm 4.6.2 (PairingRatio1)

4.6.2. Type-1 Curve Implementation

Algorithm 4.6.2 (PairingRatio1): computes the ratio of two modified Tate pairings on type-1 curves. The values of p and q MUST be part of a valid set of public parameters as defined in Section 5.1.2 or Section 6.1.2.

Input:

o A curve E/F_p: y^2 = x^3 + 1, where p is congruent to 11 modulo 12 and E(F_p) has a subgroup of order q

o Four points A, B, C, and D of order q in E(F_p)

Output:

o The value of e'(A, B) / e'(C, D) = e(A, phi(B)) / e(C, phi(D)) = e(A, phi(B)) * e(-C, phi(D)), in F_p^2

Method:

1. The step-by-step description of the optimized algorithm is omitted in this normative specification

The correct result can always be obtained, although more slowly, by computing the product of pairings Pairing1(E, p, q, A, B) * Pairing1(E, p, q, -C, D) by using two invocations of Algorithm 4.5.2 (Pairing1).

5. The Boneh-Franklin BF Cryptosystem

This chapter describes the algorithms constituting the Boneh-Franklin identity-based cryptosystem as described in [BF].

5.1. Setup

5.1.1. Master Secret and Public Parameter Generation

Algorithm 5.1.1 (BFsetup): randomly selects a master secret and the associated public parameters.

Input:

o An integer version number

o A security parameter n (MUST be one of 1024, 2048, 3072, 7680, or 15360)

Output:

o A set of public parameters (version, E, p, q, P, P_pub, hashfcn)

o A corresponding master secret s

Method:

1. Depending on the version:

(a) If version = 2, then execute Algorithm 5.1.2 (BFsetup1)

2. The resulting master secret and public parameters are separately encoded as per the application protocol requirements

5.1.2. Type-1 Curve Implementation

BFsetup1 takes a security parameter n as input. For type-1 curves, the scale of n corresponds to the modulus bit-size believed [BF] to offer comparable security in the classical Diffie-Hellman or RSA public-key cryptosystems.

Algorithm 5.1.2 (BFsetup1): establishes a master secret and public parameters for type-1 curves.

Input:

o A security parameter n, which MUST be either 1024, 2048, 3072, 7680 or 15360

Output:

o A set of common public parameters (version, p, q, P, P_pub, hashfcn)

o A corresponding master secret s

Method:

1. Set the version to version = 2.

2. Determine the subordinate security parameters n_p and n_q as follows:

(a) If n = 1024, then let n_p = 512, n_q = 160, hashfcn = 1.3.14.3.2.26 (SHA-1 [SHA])

(b) If n = 2048, then let n_p = 1024, n_q = 224, hashfcn = 2.16.840.1.101.3.4.2.4 (SHA-224 [SHA])

(c) If n = 3072, then let n_p = 1536, n_q = 256, hashfcn = 2.16.840.1.101.3.4.2.1 (SHA-256 [SHA])

(d) If n = 7680, then let n_p = 3840, n_q = 384, hashfcn = 2.16.840.1.101.3.4.2.2 (SHA-384 [SHA])

(e) If n = 15360, then let n_p = 7680, n_q = 512, hashfcn = 2.16.840.1.101.3.4.2.3 (SHA-512 [SHA])

3. Construct the elliptic curve and its subgroup of interest, as follows:

(a) Select an arbitrary n_q-bit Solinas prime q

(b) Select a random integer r such that p = 12 * r * q - 1 is an n_p-bit prime

4. Select a point P of order q in E(F_p), as follows:

(a) Select a random point P' of coordinates (x', y') on the curve E/F_p: y^2 = x^3 + 1 (mod p)

(b) Let P = [12 * r]P'

(c) If P = 0, then start over in step 3a

5. Determine the master secret and the public parameters as follows:

(a) Select a random integer s in the range 2 to q - 1

(b) Let P_pub = [s]P

6. (version, E, p, q, P, P_pub) are the public parameters where E: y^2 = x^3 + 1 is represented by the OID 2.16.840.1.114334.1.1.1.1.

7. The integer s is the master secret
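As an added example (not the RFC's or Voltage Security's code), a toy Python model of Algorithm 4.3.2 (Canonical1), Algorithm 4.4.2 (HashToPoint1), and steps 3 to 7 of Algorithm 5.1.2 (BFsetup1) on E: y^2 = x^3 + 1, showing why the cube-root exponent (2p - 1)/3 always lands on the curve and why multiplying by (p + 1)/q = 12r lands in the order-q subgroup. It assumes toy sizes (a caller-supplied small prime q instead of an n_q-bit Solinas prime), substitutes a SHA-256-mod-n stand-in for HashToRange (Algorithm 4.1.1, outside this excerpt), and the names `Type1Curve`, `hash_to_point1`, `canonical1` and `bf_setup1_toy` are chosen here.

```python
import hashlib
import secrets

# Added example, not code from RFC 5091. Toy model of the type-1 curve E: y^2 = x^3 + 1
# over F_p with p = 11 (mod 12), so #E(F_p) = p + 1 = 12 * r * q. Points are affine
# (x, y) tuples; None stands for the point at infinity (written 0 in the RFC).

def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def hash_to_range(s: bytes, n: int) -> int:
    """Stand-in for Algorithm 4.1.1 (HashToRange, outside this excerpt): SHA-256 mod n (assumption)."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big") % n

class Type1Curve:
    def __init__(self, p: int):
        if p % 12 != 11 or not is_prime(p):
            raise ValueError("type-1 curves need a prime p with p = 11 (mod 12)")
        self.p = p

    def is_on_curve(self, P) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + 1)) % self.p == 0

    def add(self, P, Q):
        """Affine addition and doubling; the curve coefficient a is 0."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # P + (-P) = 0; also covers doubling a point with y = 0
        if P == Q:
            lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k: int, P):
        """[k]P by double-and-add (toy only: not constant-time)."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def point_from_y(self, y: int):
        """HashToPoint1 steps 2 and 3: x = (y^2 - 1)^((2p - 1)/3) is the cube root of y^2 - 1,
        since cubing is a bijection on F_p when p = 2 (mod 3); every y gives exactly one point."""
        x = pow((y * y - 1) % self.p, (2 * self.p - 1) // 3, self.p)
        return (x, y % self.p)

def hash_to_point1(curve: Type1Curve, q: int, identity: bytes):
    """Algorithm 4.4.2 (HashToPoint1): hash an identity into the subgroup of order q."""
    y = hash_to_range(identity, curve.p)           # step 1
    Q_prime = curve.point_from_y(y)                 # steps 2 and 3
    return curve.mul((curve.p + 1) // q, Q_prime)   # step 4: clear the cofactor

def canonical1(p: int, o: int, v) -> bytes:
    """Algorithm 4.3.2 (Canonical1): encode v = a + b*i in F_p^2 as 2*l octets."""
    if o not in (0, 1):
        raise ValueError("the ordering parameter o MUST be 0 or 1")
    l = (p.bit_length() + 7) // 8                   # step 1: Ceiling(lg(p) / 8)
    a, b = v
    a_enc, b_enc = (a % p).to_bytes(l, "big"), (b % p).to_bytes(l, "big")  # steps 3, 4
    return a_enc + b_enc if o == 0 else b_enc + a_enc                       # step 5

def bf_setup1_toy(q: int):
    """Steps 3 to 7 of Algorithm 5.1.2 (BFsetup1) at toy size: q is a caller-supplied
    small prime rather than an n_q-bit Solinas prime. Returns (public parameters, s)."""
    r = 1
    while not is_prime(12 * r * q - 1):             # step 3(b): p = 12*r*q - 1 prime
        r += 1
    p = 12 * r * q - 1
    curve = Type1Curve(p)
    while True:                                     # step 4: P = [12r]P', retry if P = 0
        P = curve.mul(12 * r, curve.point_from_y(secrets.randbelow(p)))
        if P is not None:
            break
    s = 2 + secrets.randbelow(q - 2)                # step 5(a): s in the range 2 to q - 1
    P_pub = curve.mul(s, P)                         # step 5(b)
    return {"version": 2, "curve": curve, "p": p, "q": q, "P": P, "P_pub": P_pub}, s
```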

5.2. Public Key Derivation

5.2.1. Public Key Derivation from an Identity and Public Parameters

BFderivePubl takes an identity string id and a set of public parameters, and it returns a point Q_id. The public parameters used MUST be a valid set of public parameters as defined by Section 5.1.2.

Algorithm 5.2.1 (BFderivePubl): derives the public key corresponding to an identity string.

Input:

o An identity string id

o A set of public parameters (version, E, p, q, P, P_pub, hashfcn)

Output:

o A point Q_id of order q in E(F_p) or E(F_p^2)

Method:

1. Q_id = HashToPoint(E, p, q, id, hashfcn), using Algorithm 4.4.1 (HashToPoint)

5.3. Private Key Extraction

5.3.1. Private Key Extraction from an Identity, a Set of Public Parameters and a Master Secret

BFextractPriv takes an identity string id, a set of public parameters, and the corresponding master secret, and it returns a point S_id. The public parameters used MUST be a valid set of public parameters as defined by Section 5.1.2.

Algorithm 5.3.1 (BFextractPriv): extracts the private key corresponding to an identity string.

Input:

o An identity string id

o A set of public parameters (version, E, p, q, P, P_pub, hashfcn)

Output:

o A point S_id of order q in E(F_p)

Method:

1. Let Q_id = HashToPoint(E, p, q, id, hashfcn) using Algorithm 4.4.1 (HashToPoint)

2. Let S_id = [s]Q_id

5.4. Encryption

5.4.1. Encrypt a Session Key Using an Identity and Public Parameters

BFencrypt takes three inputs: a public parameter block, an identity id, and a plaintext m. The plaintext MUST be a random symmetric session key. The public parameters used MUST be a valid set of public parameters as defined by Section 5.1.2.

Algorithm 5.4.1 (BFencrypt): encrypts a random session key for an identity string.

Input:

o A plaintext string m of size |m| octets

o A recipient identity string id

o A set of public parameters (version, E, p, q, P, P_pub, hashfcn)

Output:

o A ciphertext tuple (U, V, W) in E(F_p) x {0, ... , 255}^hashlen x {0, ... , 255}^|m|

Method:

1. Let hashlen be the length of the output of the cryptographic hash function hashfcn from the public parameters.

2. Q_id = HashToPoint(E, p, q, id, hashfcn), using Algorithm 4.4.1 (HashToPoint), which results in a point of order q in E(F_p)

3. Select a random hashlen-bit vector rho, represented as a (hashlen / 8)-octet string in big-endian convention

4. Let t = hashfcn(m), a hashlen-octet string resulting from applying the hashfcn algorithm to the input m

5. Let l = HashToRange(rho || t, q, hashfcn), an integer in the range 0 to q - 1 resulting from applying Algorithm 4.1.1 (HashToRange) to the (2 * hashlen)-octet concatenation of rho and t

6. Let U = [l]P, which is a point of order q in E(F_p)

7. Let theta = Pairing(E, p, q, P_pub, Q_id), which is an element of the extension field F_p^2 obtained using the modified Tate pairing of Algorithm 4.5.1 (Pairing)

8. Let theta' = theta^l, which is theta raised to the power of l in F_p^2

9. Let z = Canonical(p, k, 0, theta'), using Algorithm 4.3.1 (Canonical), the result of which is a canonical string representation of theta'

10. Let w = hashfcn(z) using the hashfcn hashing algorithm, the result of which is a hashlen-octet string

11. Let V = w XOR rho, which is the hashlen-octet long bit-wise XOR of w and rho

12. Let W = HashBytes(|m|, rho, hashfcn) XOR m, which is the bit-wise XOR of m with the first |m| octets of the pseudo-random bytes produced by Algorithm 4.2.1 (HashBytes) with seed rho

13. The ciphertext is the triple (U, V, W)

5.5. Decryption

5.5.1. Decrypt an Encrypted Session Key Using Public Parameters and a Private Key

BFdecrypt takes three inputs: a public parameter block, a private key block key, and a ciphertext parsed as (U', V', W'). The public parameters used MUST be a valid set of public parameters as defined by Section 5.1.2.

Algorithm 5.5.1 (BFdecrypt): decrypts an encrypted session key using a private key.

Input:

o A private key point S_id of order q in E(F_p)

o A ciphertext triple (U, V, W) in E(F_p) x {0, ... , 255}^hashlen x {0, ... , 255}*

o A set of public parameters (version, E, p, q, P, P_pub, hashfcn)

Output:

o A decrypted plaintext m, or an invalid ciphertext flag

Method:

1. Let hashlen be the length of the output of the hash function hashfcn measured in octets

2. Let theta = Pairing(E, p, q, U, S_id) by applying the modified Tate pairing of Algorithm 4.5.1 (Pairing)

3. Let z = Canonical(p, k, 0, theta) using Algorithm 4.3.1 (Canonical), the result of which is a canonical string representation of theta

4. Let w = hashfcn(z) using the hashfcn hashing algorithm, the result of which is a hashlen-octet string

5. Let rho = w XOR V, the bit-wise XOR of w and V

6. Let m = HashBytes(|W|, rho, hashfcn) XOR W, which is the bit-wise XOR of W with the first |W| octets of the pseudo-random bytes produced by Algorithm 4.2.1 (HashBytes) with seed rho

7. Let t = hashfcn(m) using the hashfcn algorithm

8. Let l = HashToRange(rho || t, q, hashfcn) using Algorithm 4.1.1 (HashToRange) on the (2 * hashlen)-octet concatenation of rho and t

9. Verify that U = [l]P:

(a) If this is the case, then the decrypted plaintext m is returned

(b) Otherwise, the ciphertext is rejected and no plaintext is returned

6. The Boneh-Boyen BB1 Cryptosystem

This section describes the algorithms constituting the first of the two Boneh-Boyen identity-based cryptosystems proposed in [BB1]. The description follows the practical implementation given in [BB1].

6.1. Setup

6.1.1. Generate a Master Secret and Public Parameters

Algorithm 6.1.1 (BBsetup): randomly selects a set of master secrets and the associated public parameters.

Input:

o An integer version number

o An integer security parameter n (MUST be one of 1024, 2048, 3072, 7680, or 15360)

Output:

o A set of public parameters

o A corresponding master secret

Method:

1. Depending on the version:

(a) If version = 2, then execute Algorithm 6.1.2 (BBsetup1)

6.1.2. Type-1 Curve Implementation

BBsetup1 takes a security parameter n as input. For type-1 curves, n corresponds to the modulus bit-size believed [BF] to offer comparable security in the classical Diffie-Hellman or RSA public-key cryptosystems. For this implementation, n MUST be one of 1024, 2048, 3072, 7680 or 15360, which correspond to the equivalent bit security levels of 80, 112, 128, 192 and 256 bits respectively.

Algorithm 6.1.2 (BBsetup1): randomly establishes a master secret and public parameters for type-1 curves.

Input:

o A security parameter n, either 1024, 2048, 3072, 7680, or 15360

Output:

o A set of public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn)

o A corresponding triple of master secrets (alpha, beta, gamma)

Method:

1. Determine the subordinate security parameters n_p and n_q as follows:

(a) If n = 1024, then let n_p = 512, n_q = 160, hashfcn = 1.3.14.3.2.26 (SHA-1 [SHA])

(b) If n = 2048, then let n_p = 1024, n_q = 224, hashfcn = 2.16.840.1.101.3.4.2.4 (SHA-224 [SHA])

(c) If n = 3072, then let n_p = 1536, n_q = 256, hashfcn = 2.16.840.1.101.3.4.2.1 (SHA-256 [SHA])

(d) If n = 7680, then let n_p = 3840, n_q = 384, hashfcn = 2.16.840.1.101.3.4.2.2 (SHA-384 [SHA])

(e) If n = 15360, then let n_p = 7680, n_q = 512, hashfcn = 2.16.840.1.101.3.4.2.3 (SHA-512 [SHA])

2. Construct the elliptic curve and its subgroup of interest as follows:

(a) Select a random n_q-bit Solinas prime q

(b) Select a random integer r, such that p = 12 * r * q - 1 is an n_p-bit prime

3. Select a point P of order q in E(F_p), as follows:

(a) Select a random point P' of coordinates (x', y') on the curve E/F_p: y^2 = x^3 + 1 (mod p)

(b) Let P = [12 * r]P'

(c) If P = 0, then start over in step 3a

4. Determine the master secret and the public parameters as follows:

(a) Select three random integers alpha, beta, gamma, each of them in the range 1 to q - 1

(b) Let P_1 = [alpha]P

(c) Let P_2 = [beta]P

(d) Let P_3 = [gamma]P

(e) Let v = Pairing(E, p, q, P_1, P_2), which is an element of the extension field F_p^2 obtained using the modified Tate pairing of Algorithm 4.5.1 (Pairing)

5. (version, E, p, q, P, P_1, P_2, P_3, v, hashfcn) are the public parameters

6. (alpha, beta, gamma) constitute the master secret

6.2. Public Key Derivation

6.2.1. Derive a Public Key from an Identity and Public Parameters

BBderivePubl takes an identity string id and a set of public parameters and returns an integer h_id. The public parameters used MUST be a valid set of public parameters as defined by Section 6.1.2.

Algorithm 6.2.1 (BBderivePubl): derives the public key corresponding to an identity string. The public parameters used MUST be a valid set of public parameters as defined by Section 6.1.2.

Input:

o An identity string id

o A set of common public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn)

Output:

o An integer h_id modulo q

Method:

1. Let h_id = HashToRange(id, q, hashfcn), using Algorithm 4.1.1 (HashToRange)

6.3. Private Key Extraction

6.3.1. Extract a Private Key from an Identity, Public Parameters and a Master Secret

BBextractPriv takes an identity string id, a set of public parameters, and the corresponding master secrets, and it returns a private key consisting of two points D_0 and D_1. The public parameters used MUST be a valid set of public parameters as defined by Section 6.1.2.

Algorithm 6.3.1 (BBextractPriv): extracts the private key corresponding to an identity string.

Input:

o An identity string id

o A set of public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn)

Output:

o A pair of points (D_0, D_1), each of which has order q in E(F_p)

Method:

1. Select a random integer r in the range 1 to q - 1

2. Calculate the point D_0 as follows:

(a) Let h_id = HashToRange(id, q, hashfcn) using Algorithm 4.1.1 (HashToRange)

(b) Let y = alpha * beta + r * (alpha * h_id + gamma) in F_q

(c) Let D_0 = [y]P

3. Calculate the point D_1 as follows:

(a) Let D_1 = [r]P

4. The pair of points (D_0, D_1) constitutes the private key for id

6.4. Encryption

6.4.1. Encrypt a Session Key Using an Identity and Public Parameters

BBencrypt takes three inputs: a set of public parameters, an identity id, and a plaintext m. The plaintext MUST be a random session key. The public parameters used MUST be a valid set of public parameters as defined by Section 6.1.2.

Algorithm 6.4.1 (BBencrypt): encrypts a session key for an identity string.

Input:

o A plaintext string m of size |m| octets

o A recipient identity string id

o A set of public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn)

Output:

o A ciphertext tuple (u, C_0, C_1, y) in F_q x E(F_p) x E(F_p) x {0, ... , 255}^|m|

Method:

1. Select a random integer s in the range 1 to q - 1

2. Let w = v^s, which is v raised to the power of s in F_p^2; the result is an element of order q in F_p^2

3. Calculate the point C_0 as follows:

(a) Let C_0 = [s]P

4. Calculate the point C_1 as follows:

(a) Let h_id = HashToRange(id, q, hashfcn) using Algorithm 4.1.1 (HashToRange)

(b) Let y = s * h_id in F_q

(c) Let C_1 = [y]P_1 + [s]P_3

5. Obtain canonical string representations of certain elements:

(a) Let psi = Canonical(p, k, 1, w) using Algorithm 4.3.1 (Canonical), the result of which is a canonical octet string representation of w

(b) Let l = Ceiling(lg(p) / 8), the number of octets needed to represent integers in F_p, and represent each of these F_p elements as a big-endian zero-padded octet string of fixed length l:

(x_0)_(256^l) to represent the x coordinate of C_0

(y_0)_(256^l) to represent the y coordinate of C_0

(x_1)_(256^l) to represent the x coordinate of C_1

(y_1)_(256^l) to represent the y coordinate of C_1

6. Encrypt the message m into the string y as follows:

(a) Compute an encryption key h' as a two-pass hash of w via its representation psi:

i. Let zeta = hashfcn(psi) using the hashing algorithm hashfcn

ii. Let xi = hashfcn(zeta || psi) using the hashing algorithm hashfcn

iii. Let h' = xi || zeta, the concatenation of the previous two hashfcn outputs

(b) Let y = HashBytes(|m|, h', hashfcn) XOR m, which is the bit-wise XOR of m with the first |m| octets of the pseudo-random bytes produced by Algorithm 4.2.1 (HashBytes) with seed h'

7. Create the integrity check tag u as follows:

(a) Compute a one-time pad h'' as a dual-pass hash of the representation of (w, C_0, C_1, y):

i. Let sigma = (y_1)_(256^l) || (x_1)_(256^l) || (y_0)_(256^l) || (x_0)_(256^l) || y || psi be the concatenation of y and the five indicated strings in the specified order

ii. Let eta = hashfcn(sigma) using the hashing algorithm hashfcn

iii. Let mu = hashfcn(eta || sigma) using the hashfcn hashing algorithm

iv. Let h'' = mu || eta, the concatenation of the previous two outputs of hashfcn

(b) Build the tag u as the encryption of the integer s with the one-time pad h'':

(b) 将标记u构建为带有一次性填充h“”的整数s的加密:

i. Let rho = HashToRange(h'', q, hashfcn) to get an integer in Z_q

i. 让rho=HashToRange(h'',q,hashfcn)得到Z_q中的整数

ii. Let u = s + rho (mod q)

二,。设u=s+rho(模q)

8. The complete ciphertext is given by the quadruple (u, C_0, C_1, y)

8. 完整的密文由四元组(u,C_0,C_1,y)给出

6.5. Decryption

6.5.1. Decrypt Using Public Parameters and Private Key

BBdecrypt takes three inputs: a set of public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn), a private key (D_0, D_1), and a ciphertext (u, C_0, C_1, y). It outputs a message m, or signals an error if the ciphertext is invalid for the given key. The public parameters used MUST be a valid set of public parameters as defined by Section 6.1.2.

Algorithm 6.5.1 (BBdecrypt): decrypts a ciphertext using public parameters and a private key.

Input:

o A private key given as a pair of points (D_0, D_1) of order q in E(F_p)

o A ciphertext quadruple (u, C_0, C_1, y) in Z_q x E(F_p) x E(F_p) x {0, ... , 255}*

o A set of public parameters (version, k, E, p, q, P, P_1, P_2, P_3, v, hashfcn)

Output:

o A decrypted plaintext m, or an invalid ciphertext flag

Method:

1. Let w = PairingRatio(E, p, q, C_0, D_0, C_1, D_1), which computes the ratio of two Tate pairings (modified, for type-1 curves) as specified in Algorithm 4.6.1 (PairingRatio)

2. Obtain canonical string representations of certain elements:

(a) Let psi = Canonical(p, k, 1, w) using Algorithm 4.3.1 (Canonical); the result is a canonical octet string representation of w

(b) Let l = Ceiling(lg(p) / 8), the number of octets needed to represent integers in F_p, and represent each of these F_p elements as a big-endian zero-padded octet string of fixed length l:

(x_0)_(256^l) to represent the x coordinate of C_0

(y_0)_(256^l) to represent the y coordinate of C_0

(x_1)_(256^l) to represent the x coordinate of C_1

(y_1)_(256^l) to represent the y coordinate of C_1

3. Decrypt the message m from the string y as follows:

(a) Compute the decryption key h' as a dual-pass hash of w via its representation psi:

i. Let zeta = hashfcn(psi) using the hashing algorithm hashfcn

ii. Let xi = hashfcn(zeta || psi) using the hashing algorithm hashfcn

iii. Let h' = xi || zeta, the concatenation of the previous two hashfcn outputs

(b) Let m = HashBytes(|y|, h', hashfcn) XOR y, which is the bit-wise XOR of y with the first |y| octets of the pseudo-random bytes produced by Algorithm 4.2.1 (HashBytes) with seed h'

4. Recover the randomization integer s from the integrity check tag u as follows:

(a) Recover the one-time pad h'' as a dual-pass hash of the representation of (w, C_0, C_1, y):

         i. Let sigma = (y_1)_(256^l) || (x_1)_(256^l) || (y_0)_(256^l)
            || (x_0)_(256^l) || y || psi be the concatenation of y and
            the five indicated strings in the specified order

ii. Let eta = hashfcn(sigma) using the hashing algorithm hashfcn

iii. Let mu = hashfcn(eta || sigma) using the hashing algorithm hashfcn

iv. Let h'' = mu || eta, the concatenation of the previous two hashfcn outputs

(b) Unblind the encryption randomization integer s from the tag u using h'':

i. Let rho = HashToRange(h'', q, hashfcn) to get an integer in Z_q

ii. Let s = u - rho (mod q)

5. Verify the ciphertext consistency according to the decrypted values:

(a) Test whether the equality w = v^s holds

      (b) Test whether the equality C_0 = [s]P holds

6. Adjudication and final output:

(a) If either of the tests performed in step 5 fails, the ciphertext is rejected, and no decryption is output. An implementation should run both tests before releasing any result and should signal a single, uniform error rather than indicating which test failed.

(b) Otherwise, i.e., when both tests performed in step 5 succeed, the decrypted message is the output
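The two procedures above, BBencrypt (steps 1 to 8) and BBdecrypt (steps 2 to 6), carried through in one runnable Python script. This is an added example; it is not text from RFC 5091 and not code from Voltage Security. It takes p, q and the base point from the Section 7.1 test data and constructs P_1, P_3 and v itself, so its parameters are not a valid BB1 parameter set. Several things in it are the editor's assumptions rather than text on this page: the affine point arithmetic on y^2 = x^3 + 1, the representation of F_p^2 as F_p(i) with i^2 = -1, the a || b layout of Canonical(p, k, 1, w), and the bodies of HashToRange and HashBytes (Algorithms 4.1.1 and 4.2.1, defined earlier in the RFC), which follow the editor's reading of those algorithms. PairingRatio (Algorithm 4.6.1) is not implemented: w is handed to the decryptor directly, standing in for what step 1 of BBdecrypt would compute from (C_0, D_0, C_1, D_1). What the script does exercise is the h' and h'' derivations, the XOR wrap of m, the blinding of s into u, and the step-5 checks rejecting a ciphertext whose y, u or points have been altered.

```python
# Added example; not text from RFC 5091 and not Voltage Security code.
# Assumptions: textbook affine arithmetic on y^2 = x^3 + 1; F_p^2 = F_p(i) with
# i^2 = -1 (valid since this p is 3 mod 4); canonical(), hash_to_range() and
# hash_bytes() are the editor's readings of Algorithms 4.3.1, 4.1.1 and 4.2.1,
# which are defined earlier in the RFC. PairingRatio (4.6.1) is not implemented.
import hashlib
import secrets

HASH = hashlib.sha1                  # hashfcn, as in the Section 7.8 vector
HLEN = HASH().digest_size
INF = None                           # point at infinity (no octet encoding in the RFC)
# p, q and P are the Section 7.1 test data; P_1, P_3, v (PUB, below) are constructed.
p = 0xbffffffffffffffffffffffffffcffff3
q = 0xfffffffffffffffffffffffffffbffff
P = (0x489a03c58dcf7fcfc97e99ffef0bb4634, 0x510c6972d795ec0c2b081b81de767f808)
L = (p.bit_length() + 7) // 8        # l = Ceiling(lg(p) / 8)

def ec_add(A, B):
    """A + B on E/F_p: y^2 = x^3 + 1 (curve coefficient a = 0), affine form."""
    if A is INF or B is INF:
        return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # A = -B
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p))
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):
    """[k]A by left-to-right double-and-add (not constant time)."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, A)
    return R

def fp2_pow(v, e):
    """v^e in F_p^2 = F_p(i); a pair (a, b) stands for a + b*i."""
    mul = lambda s, t: ((s[0] * t[0] - s[1] * t[1]) % p, (s[0] * t[1] + s[1] * t[0]) % p)
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = mul(r, r)
        if bit == "1":
            r = mul(r, v)
    return r

def hash_to_range(s, n):
    """Editor's reading of Algorithm 4.1.1: two chained digests of s, reduced mod n."""
    h, v = b"\x00" * HLEN, 0
    for _ in range(2):
        h = HASH(h + s).digest()
        v = (v << (8 * HLEN)) | int.from_bytes(h, "big")
    return v % n

def hash_bytes(b, seed):
    """Editor's reading of Algorithm 4.2.1: b pseudo-random octets from seed."""
    k, h, out = HASH(seed).digest(), b"\x00" * HLEN, b""
    while len(out) < b:
        h = HASH(h).digest()
        out += HASH(k + h).digest()
    return out[:b]

def two_pass(data):
    """zeta = H(data); xi = H(zeta || data); return xi || zeta (steps 6(a), 7(a))."""
    zeta = HASH(data).digest()
    return HASH(zeta + data).digest() + zeta

enc = lambda n: n.to_bytes(L, "big")  # (n)_(256^l): big-endian, zero-padded to l octets

def canonical(w):
    """Stand-in for Canonical(p, k, 1, w): a || b, each l octets (layout assumed)."""
    return enc(w[0]) + enc(w[1])

def one_time_pad(w, C0, C1, y):
    """h'' of step 7(a): two-pass hash of y_1 || x_1 || y_0 || x_0 || y || psi."""
    return two_pass(enc(C1[1]) + enc(C1[0]) + enc(C0[1]) + enc(C0[0]) + y + canonical(w))

def bb_encrypt(pub, ident, m, s=None):
    """Steps 1-8 of BBencrypt; returns the ciphertext and (for the demo only) w."""
    P1, P3, v = pub
    s = s or 1 + secrets.randbelow(q - 1)                        # step 1
    w = fp2_pow(v, s)                                            # step 2
    C0 = ec_mul(s, P)                                            # step 3
    h_id = hash_to_range(ident, q)                               # step 4(a)
    C1 = ec_add(ec_mul(s * h_id % q, P1), ec_mul(s, P3))         # steps 4(b), 4(c)
    h1 = two_pass(canonical(w))                                  # step 6(a): h'
    y = bytes(a ^ b for a, b in zip(hash_bytes(len(m), h1), m))  # step 6(b)
    u = (s + hash_to_range(one_time_pad(w, C0, C1, y), q)) % q   # step 7
    return (u, C0, C1, y), w

def bb_decrypt(pub, w, ct):
    """Steps 2-6 of BBdecrypt; w stands in for PairingRatio(E, p, q, C_0, D_0, C_1, D_1)."""
    P1, P3, v = pub
    u, C0, C1, y = ct
    h1 = two_pass(canonical(w))                                  # step 3(a)
    m = bytes(a ^ b for a, b in zip(hash_bytes(len(y), h1), y))  # step 3(b)
    s = (u - hash_to_range(one_time_pad(w, C0, C1, y), q)) % q   # step 4
    if w != fp2_pow(v, s) or C0 != ec_mul(s, P):                 # step 5, both tests
        return None                                              # step 6(a): reject
    return m                                                     # step 6(b)

PUB = (ec_mul(3, P), ec_mul(7, P), (2, 5))   # constructed (P_1, P_3, v), not a real parameter set
```

bb_decrypt returns None, never a partial plaintext, whenever either step-5 test fails. Because hash_to_range, hash_bytes and canonical follow the editor's readings, the (u, y) produced here will not match the Section 7.8 vector; interoperating with another implementation requires the RFC's exact definitions of Algorithms 4.1.1, 4.2.1 and 4.3.1 and a real PairingRatio.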

7. Test Data

The following data can be used to verify the correct operation of selected algorithms that are defined in this document.

7.1. Algorithm 3.2.2 (PointMultiply)

Input:

   q = 0xfffffffffffffffffffffffffffbffff

   p = 0xbffffffffffffffffffffffffffcffff3

   E/F_p: y^2 = x^3 + 1

   A = (0x489a03c58dcf7fcfc97e99ffef0bb4634,
   0x510c6972d795ec0c2b081b81de767f808)

   l = 0xb8bbbc0089098f2769b32373ade8f0daf

Output:

   [l]A = (0x073734b32a882cc97956b9f7e54a2d326,
   0x9c4b891aab199741a44a5b6b632b949f7)
7.2. Algorithm 4.1.1 (HashToRange)

Input:

   s =
   54:68:69:73:20:41:53:43:49:49:20:73:74:72:69:6e:67:20:77:69:74
   :68:6f:75:74:20:6e:75:6c:6c:2d:74:65:72:6d:69:6e:61:74:6f:72
   ("This ASCII string without null-terminator")

   n = 0xffffffffffffffffffffefffffffffffffffffff

   hashfcn = 1.3.14.3.2.26 (SHA-1)

Output:

   v = 0x79317c1610c1fc018e9c53d89d59c108cd518608
7.3. Algorithm 4.5.1 (Pairing)

Input:

   q = 0xfffffffffffffffffffffffffffbffff

   p = 0xbffffffffffffffffffffffffffcffff3

   E/F_p: y^2 = x^3 + 1

   A = (0x489a03c58dcf7fcfc97e99ffef0bb4634,
   0x510c6972d795ec0c2b081b81de767f808)

   B = (0x40e98b9382e0b1fa6747dcb1655f54f75,
   0xb497a6a02e7611511d0db2ff133b32a3f)

Output:

   e'(A, B) = (0x8b2cac13cbd422658f9e5757b85493818,
   0xbc6af59f54d0a5d83c8efd8f5214fad3c)
7.4. Algorithm 5.2.1 (BFderivePubl)

Input:

   id = 6f:42:62 ("Bob")

   version = 2

   p = 0xa6a0ffd016103ffffffffff595f002fe9ef195f002fe9efb

   q = 0xffffffffffffffffffffffeffffffffffff

   P = (0x6924c354256acf5a0ff7f61be4f0495b54540a5bf6395b3d,
   0x024fd8e2eb7c09104bca116f41c035219955237c0eac19ab)

   P_pub = (0xa68412ae960d1392701066664d20b2f4a76d6ee715621108,
   0x9e7644e75c9a131d075752e143e3f0435ff231b6745a486f)

Output:

   Q_id = (0x22fa1207e0d19e1a4825009e0e88e35eb57ba79391498f59,
   0x982d29acf942127e0f01c881b5ec1b5fe23d05269f538836)
7.5. Algorithm 5.3.1 (BFextractPriv)

Input:

   s = 0x749e52ddb807e0220054417e514742b05a0

   version = 2

   p = 0xa6a0ffd016103ffffffffff595f002fe9ef195f002fe9efb

   q = 0xffffffffffffffffffffffeffffffffffff

   P = (0x6924c354256acf5a0ff7f61be4f0495b54540a5bf6395b3d,
   0x024fd8e2eb7c09104bca116f41c035219955237c0eac19ab)

   P_pub = (0xa68412ae960d1392701066664d20b2f4a76d6ee715621108,
   0x9e7644e75c9a131d075752e143e3f0435ff231b6745a486f)

Output (the private key S_id for the identity "Bob", i.e., the point [s]Q_id with Q_id as in Section 7.4):

   S_id = (0x8212b74ea75c841a9d1accc914ca140f4032d191b5ce5501,
   0x950643d940aba68099bdcb40082532b6130c88d317958657)
7.6. Algorithm 5.4.1 (BFencrypt)

Note: the following values can also be used to test Algorithm 5.5.1 (BFdecrypt).

Input:

   m = 48:69:20:74:68:65:72:65:21 ("Hi there!")

   id = 6f:42:62 ("Bob")

   version = 2

   p = 0xa6a0ffd016103ffffffffff595f002fe9ef195f002fe9efb

   q = 0xffffffffffffffffffffffeffffffffffff

   P = (0x6924c354256acf5a0ff7f61be4f0495b54540a5bf6395b3d,
   0x024fd8e2eb7c09104bca116f41c035219955237c0eac19ab)

   P_pub = (0xa68412ae960d1392701066664d20b2f4a76d6ee715621108,
   0x9e7644e75c9a131d075752e143e3f0435ff231b6745a486f)

Output:

Using the random value rho = 0xed5397ff77b567ba5ecb644d7671d6b6f2082968, we get the following output:

   U = (0x1b5f6c461497acdfcbb6d6613ad515430c8b3fa23b61c585e9a541b199e2a6cb,
   0x9bdfbed1ae664e51e3d4533359d733ac9a600b61048a7d899104e826a0ec4fa4)

   V =
   e0:1d:ad:81:32:6c:b1:73:af:c2:8d:72:2e:7a:32:1a:7b:29:8a:aa

   W = f9:04:ba:40:30:e9:ce:6e:ff

Note that, as printed, each coordinate of U is 64 hexadecimal digits (256 bits), whereas p above is 48 hexadecimal digits (192 bits). A coordinate larger than p is not a reduced element of F_p, so the printed U cannot be checked against these parameters as it stands; V and W have the lengths one expects (one SHA-1 output and |m| octets, respectively).
7.7. Algorithm 6.3.1 (BBextractPriv)

Input:

   alpha = 0xa60c395285ded4d70202c8283d894bad4f0

   beta = 0x48bf012da19f170b13124e5301561f45053

   gamma = 0x226fba82bc38e2ce4e28e56472ccf94a499

   version = 2

   p = 0x91bbe2be1c8950750784befffffffffffff6e441d41e12fb

   q = 0xfffffffffbfffffffffffffffffffffffff

   P = (0x13cc538fe950411218d7f5c17ae58a15e58f0877b29f2fe1,
   0x8cf7bab1a748d323cc601fabd8b479f54a60be11e28e18cf)

   P_1 = (0x0f809a992ed2467a138d72bc1d8931c6ccdd781bedc74627,
   0x11c933027beaaf73aa9022db366374b1c68d6bf7d7a888c2)

   P_2 = (0x0f8ac99a55e575bf595308cfea13edb8ec673983919121b0,
   0x3febb7c6369f5d5f18ee3ea6ca0181448a4f3c4f3385019c)

   P_3 = (0x2c10b43991052e78fac44fdce639c45824f5a3a2550b2a45,
   0x6d7c12d8a0681426a5bbc369c9ef54624356e2f6036a064f)

   v = (0x38f91032de6847a89fc3c83e663ed0c21c8f30ce65c0d7d3,
   0x44b9aa10849cc8d8987ef2421770a340056745da8b99fba2)

   id = 6f:42:62 ("Bob")

Output:

Using the random value r = 0x695024c25812112187162c08aa5f65c7a2c, we get the following output:

   D_0 = (0x3264e13feeb7c506493888132964e79ad657a952334b9e53,
   0x3eeaefc14ba1277a1cd6fdea83c7c882fe6d85d957055c7b)

   D_1 = (0x8d7a72ad06909bb3bb29b67676d935018183a905e7e8cb18,
   0x2b346c6801c1db638f270af915a21054f16044ab67f6c40e)
7.8. Algorithm 6.4.1 (BBencrypt)

Note: the following values can also be used to test Algorithm 6.5.1 (BBdecrypt), together with the private key (D_0, D_1) from Section 7.7.

Input:

   m = 48:69:20:74:68:65:72:65:21 ("Hi there!")

   id = 6f:42:62 ("Bob")

   version = 2

   E: y^2 = x^3 + 1

   p = 0x91bbe2be1c8950750784befffffffffffff6e441d41e12fb

   q = 0xfffffffffbfffffffffffffffffffffffff

   P = (0x13cc538fe950411218d7f5c17ae58a15e58f0877b29f2fe1,
   0x8cf7bab1a748d323cc601fabd8b479f54a60be11e28e18cf)

   P_1 = (0x0f809a992ed2467a138d72bc1d8931c6ccdd781bedc74627,
   0x11c933027beaaf73aa9022db366374b1c68d6bf7d7a888c2)

   P_2 = (0x0f8ac99a55e575bf595308cfea13edb8ec673983919121b0,
   0x3febb7c6369f5d5f18ee3ea6ca0181448a4f3c4f3385019c)

   P_3 = (0x2c10b43991052e78fac44fdce639c45824f5a3a2550b2a45,
   0x6d7c12d8a0681426a5bbc369c9ef54624356e2f6036a064f)

   v = (0x38f91032de6847a89fc3c83e663ed0c21c8f30ce65c0d7d3,
   0x44b9aa10849cc8d8987ef2421770a340056745da8b99fba2)

   hashfcn = 1.3.14.3.2.26 (SHA-1)

Output:

Using the random value s = 0x62759e95ce1af248040e220263fb41b965e, we get the following output:

   u = 0xad1ebfa82edf0bcb5111e9dc08ff0737c68

   C_0 = (0x79f8f35904579f1aaf51897b1e8f1d84e1c927b8994e81f9,
   0x1cf77bb2516606681aba2e2dc14764aa1b55a45836014c62)

   C_1 = (0x410cfeb0bccf1fa4afc607316c8b12fe464097b20250d684,
   0x8bb76e7195a7b1980531b0a5852ce710cab5d288b2404e90)

   y = 82:a6:42:b9:bb:e9:82:c4:57
8. ASN.1 Module

This section defines the ASN.1 module for the encodings discussed in this document.

   IBCS { joint-iso-itu-t(2) country(16) us(840) organization(1)
      identicrypt(114334) ibcs(1) module(5) version(1) }

   DEFINITIONS IMPLICIT TAGS ::= BEGIN

   --
   -- Identity-based cryptography standards (IBCS):
   -- supersingular curve implementations of
   -- the BF and BB1 cryptosystems
   --
   -- This version only supports IBE using
   -- type-1 curves, i.e., the curve y^2 = x^3 + 1.
   --

   ibcs OBJECT IDENTIFIER ::= {
      joint-iso-itu-t(2) country(16) us(840) organization(1)
         identicrypt(114334) ibcs(1)
   }

   --
   -- IBCS1
   --
   -- IBCS1 defines the algorithms used to implement IBE
   --

   ibcs1 OBJECT IDENTIFIER ::= {
      ibcs ibcs1(1)
   }

   --
   -- An elliptic curve is specified by an OID.
   -- A type1curve is defined by the equation y^2 = x^3 + 1.
   --

   type1curve OBJECT IDENTIFIER ::= {
      ibcs1 curve-types(1) type1-curve(1)
   }

   --
   -- Supporting types
   --

   --
   -- Encoding of a point on an elliptic curve E/F_p
   -- An FpPoint can either represent an element of
   -- F_p^2 or an element of (F_p)^2.

   FpPoint ::= SEQUENCE {
      x  INTEGER,
      y  INTEGER
   }

   --
   -- The following hash functions are supported:
   --
   -- SHA-1
   --
   -- id-sha1  OBJECT IDENTIFIER  ::= {
   --   iso(1) identified-organization(3) oiw(14)
   --   secsig(3) algorithms(2) hashAlgorithmIdentifier(26)
   -- }
   --
   -- SHA-224
   --
   -- id-sha224  OBJECT IDENTIFIER  ::= {
   --   joint-iso-itu-t(2) country(16) us(840)
   --   organization(1) gov(101)
   --   csor(3) nistAlgorithm(4) hashAlgs(2) sha224(4)
   -- }
   --
   -- SHA-256
   --
   -- id-sha256  OBJECT IDENTIFIER  ::= {
   --   joint-iso-itu-t(2) country(16) us(840)
   --   organization(1) gov(101)
   --   csor(3) nistAlgorithm(4) hashAlgs(2) sha256(1)
   -- }
   --
   -- SHA-384
   --
   -- id-sha384  OBJECT IDENTIFIER  ::= {
   --   joint-iso-itu-t(2) country(16) us(840)
   --   organization(1) gov(101)
   --   csor(3) nistAlgorithm(4) hashAlgs(2) sha384(2)
   -- }
   --
   -- SHA-512
   --
   -- id-sha512  OBJECT IDENTIFIER  ::= {
   --   joint-iso-itu-t(2) country(16) us(840)
   --   organization(1) gov(101)
   --   csor(3) nistAlgorithm(4) hashAlgs(2) sha512(3)
   -- }
   --
   --
   -- Algorithms
   --

   ibe-algorithms OBJECT IDENTIFIER ::= {
      ibcs1 ibe-algorithms(2)
   }

   ---
   --- Boneh-Franklin IBE
   ---

   bf OBJECT IDENTIFIER ::= { ibe-algorithms bf(1) }

   --
   -- Encoding of a BF public parameters block.
   -- The only version currently supported is version 2.
   -- The values p and q define a subgroup of E(F_p) of order q.
   --

   BFPublicParameters ::= SEQUENCE {
      version     INTEGER { v2(2) },
      curve       OBJECT IDENTIFIER,
      p           INTEGER,
      q           INTEGER,
      pointP      FpPoint,
      pointPpub   FpPoint,
      hashfcn     OBJECT IDENTIFIER
   }

   --
   -- A BF private key is a point on an elliptic curve,
   -- which is an FpPoint.
   -- The only version supported is version 2.
   --

   BFPrivateKeyBlock ::= SEQUENCE {
      version     INTEGER { v2(2) },
      privateKey  FpPoint
   }

   --
   -- A BF master secret is an integer.
   -- The only version supported is version 2.
   --

   BFMasterSecret ::= SEQUENCE {
      version        INTEGER {v2(2) },
      masterSecret   INTEGER
   }

   --
   -- BF ciphertext block
   -- The only version supported is version 2.
   --

   BFCiphertextBlock ::= SEQUENCE {
      version  INTEGER { v2(2) },
      u        FpPoint,
      v        OCTET STRING,
      w        OCTET STRING
   }

   --
   -- Boneh-Boyen (BB1) IBE
   --

   bb1 OBJECT IDENTIFIER ::= { ibe-algorithms bb1(2) }

   --
   -- Encoding of a BB1 public parameters block.
   -- The version is currently fixed to 2.
   --

   BB1PublicParameters ::= SEQUENCE {
      version     INTEGER { v2(2) },
      curve       OBJECT IDENTIFIER,
      p           INTEGER,
      q           INTEGER,
      pointP      FpPoint,
      pointP1     FpPoint,
      pointP2     FpPoint,
      pointP3     FpPoint,
      v           FpPoint,
      hashfcn     OBJECT IDENTIFIER
   }

   --
   -- BB1 master secret block
   -- The only version supported is version 2.
   --

   BB1MasterSecret ::= SEQUENCE {
      version  INTEGER { v2(2) },
      alpha    INTEGER,
      beta     INTEGER,
      gamma    INTEGER
   }

   --
   -- BB1 private key block
   -- The only version supported is version 2.
   --

   BB1PrivateKeyBlock ::= SEQUENCE {
      version  INTEGER { v2(2) },
      pointD0  FpPoint,
      pointD1  FpPoint
   }

   --
   -- BB1 ciphertext block
   -- The only version supported is version 2.
   -- pointChi0 and pointChi1 carry the points C_0 and C_1, and
   -- nu carries the integer tag u, of the ciphertext quadruple
   -- (u, C_0, C_1, y) produced by Algorithm 6.4.1 (BBencrypt).
   --

   BB1CiphertextBlock ::= SEQUENCE {
      version     INTEGER {v2(2) },
      pointChi0   FpPoint,
      pointChi1   FpPoint,
      nu          INTEGER,
      y           OCTET STRING
   }

   END
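The BB1CiphertextBlock type above, encoded and parsed in Python, as an added example that is not part of RFC 5091 or of any Voltage Security code. It wraps the (u, C_0, C_1, y) values printed in Section 7.8 in DER, then parses the result back with the checks a decoder facing untrusted input should make: the expected tag at every position, definite and minimal length encodings, non-negative minimal INTEGERs, no trailing octets, and version = 2. The mapping of the algorithm's names onto the module's field names (pointChi0 = C_0, pointChi1 = C_1, nu = u) is the editor's reading of Section 8. Encoder and parser are deliberately limited to what these two SEQUENCE types need; a production implementation should use a maintained ASN.1 library.

```python
# Added example, not RFC 5091 text or Voltage Security code: a minimal DER
# encoder and a strict parser for BB1CiphertextBlock (Section 8), exercised on
# the Section 7.8 BBencrypt output. Only what these types need is implemented
# (definite lengths, non-negative minimal INTEGERs). Field mapping assumed:
# pointChi0 = C_0, pointChi1 = C_1, nu = u.

SAMPLE_7_8 = (  # (u, C_0, C_1, y) exactly as printed in Section 7.8
    0xad1ebfa82edf0bcb5111e9dc08ff0737c68,
    (0x79f8f35904579f1aaf51897b1e8f1d84e1c927b8994e81f9,
     0x1cf77bb2516606681aba2e2dc14764aa1b55a45836014c62),
    (0x410cfeb0bccf1fa4afc607316c8b12fe464097b20250d684,
     0x8bb76e7195a7b1980531b0a5852ce710cab5d288b2404e90),
    bytes.fromhex("82a642b9bbe982c457"),
)

def der_len(n):
    """Definite-form length: one octet below 128, else 0x80|k followed by k octets."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(n):
    """INTEGER (0x02) for n >= 0: minimal two's complement, leading 0x00 if MSB set."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def der_octets(b):
    return b"\x04" + der_len(len(b)) + b

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def fp_point(pt):
    """FpPoint ::= SEQUENCE { x INTEGER, y INTEGER }"""
    return der_seq(der_int(pt[0]), der_int(pt[1]))

def encode_bb1_ciphertext(u, C0, C1, y, version=2):
    """BB1CiphertextBlock ::= SEQUENCE { version, pointChi0, pointChi1, nu, y }"""
    return der_seq(der_int(version), fp_point(C0), fp_point(C1), der_int(u), der_octets(y))

def _tlv(buf, pos, tag):
    """Read one TLV with the expected tag; reject indefinite or non-minimal lengths."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        k = first & 0x7f
        if k == 0 or k > 4 or pos + k > len(buf) or buf[pos] == 0:
            raise ValueError("bad length octets at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if length < 128:
            raise ValueError("non-minimal length encoding")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def _int(buf, pos):
    body, pos = _tlv(buf, pos, 0x02)
    if not body or body[0] & 0x80:
        raise ValueError("negative or empty INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos

def _point(buf, pos):
    body, pos = _tlv(buf, pos, 0x30)
    x, i = _int(body, 0)
    y, i = _int(body, i)
    if i != len(body):
        raise ValueError("trailing data in FpPoint")
    return (x, y), pos

def decode_bb1_ciphertext(der):
    """Strict inverse of encode_bb1_ciphertext; raises ValueError on anything off."""
    body, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after block")
    version, i = _int(body, 0)
    if version != 2:
        raise ValueError("unsupported version %d" % version)
    C0, i = _point(body, i)
    C1, i = _point(body, i)
    u, i = _int(body, i)
    y, i = _tlv(body, i, 0x04)
    if i != len(body):
        raise ValueError("trailing data in block")
    return u, C0, C1, bytes(y)

def rejects(der):
    """True if the strict parser refuses der."""
    try:
        decode_bb1_ciphertext(der)
        return False
    except ValueError:
        return True
```

For the Section 7.8 values the encoded block is 146 octets; its SEQUENCE length (143) needs the long form 0x81 0x8f, so both length forms are exercised. The parser refuses a truncated block, trailing octets, an indefinite-length header, a non-minimal INTEGER and any version other than 2; each of those is a classic lenient-BER acceptance that has caused parser differentials in other ASN.1 consumers.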

9. Security Considerations
9. 安全考虑

This document describes cryptographic algorithms. We assume that the security provided by such algorithms depends entirely on the secrecy of the relevant private key, and for an adversary to defeat the security provided by the algorithms, he will need to perform computationally-intensive cryptanalytic attacks to recover the private key.

本文档描述加密算法。我们假设,此类算法提供的安全性完全取决于相关私钥的保密性,而对于对手来说,要击败这些算法提供的安全性,他将需要执行计算密集型密码分析攻击来恢复私钥。

We assume that users of the algorithms described in this document will require one of five levels of cryptographic strength: the equivalent of 80 bits, 112 bits, 128 bits, 192 bits or, 256 bits. The 80-bit level is suitable for legacy applications and SHOULD NOT be used to protect information whose useful life extends past the year 2010. The 112-bit level is suitable for use in key transport of Triple-DES keys and should be adequate to protect information whose useful life extends up to the year 2030. The 128-bit levels and higher are suitable for use in the transport of Advanced Encryption Standard (AES) keys of the corresponding length or less and are adequate to protect information whose useful life extends past the year 2030.

我们假设本文档中描述的算法的用户将需要五个加密强度级别中的一个:相当于80位、112位、128位、192位或256位。80位级别适用于旧式应用程序,不应用于保护使用寿命超过2010年的信息。112位级别适用于三重DES密钥的密钥传输,应足以保护使用寿命延长至2030年的信息。128位及以上级别适用于传输相应长度或更短的高级加密标准(AES)密钥,并足以保护使用寿命超过2030年的信息。

Table 1 summarizes the security parameters for the BF and BB1 algorithms that will attain these levels of security. In this table, |p| represents the number of bits in a prime number p, and |q| represents the number of bits in a subprime q. This table assumes that a Type-1 supersingular curve is used.

表1总结了将达到这些安全级别的BF和BB1算法的安全参数。在该表中,| p |表示素数p中的位数,| q |表示次素数q中的位数。本表假设使用1型超奇异曲线。

   Bits of Security   |p|    |q|
   80                 512    160
   112                1024   224
   128                1536   256
   192                3840   384
   256                7680   512
        

Table 1: Sizes of BF and BB1 Parameters Required to Attain Standard Levels of Bit Security [SP800-57].


If an IBE key is used to transport a symmetric key that provides more bits of security than the bit strength of the IBE key, users should understand that the security of the system is then limited by the strength of the weaker IBE key. So if an IBE key that provides 112 bits of security is used to transport a 128-bit AES key, then the security provided is limited by the 112 bits of security of the IBE key.


Note that this document specifies the use of the National Institute of Standards and Technology (NIST) hashing algorithms [SHA] to hash identities to either a point on an elliptic curve or an integer. Recent attacks on SHA-1 [SHA] have discovered ways to find collisions with less work than the expected 2^80 hashes required based on the size of the output of the hash function alone. If an attacker can find a collision, then they could use the colliding preimages to create two identities that have the same IBE private key. The practical use of such a SHA-1 [SHA] collision is extremely unlikely, however.


Identities are typically not random strings like the preimages of a hash collision would be. In particular, this is true if IBE is used as described in [IBECMS], in which components of an identity are defined to be an e-mail address, a validity period, and a URI. In this case, the unpredictable results of a collision are extremely unlikely to fit the format of a valid identity, and thus, are of no use to an attacker. Any protocol using IBE MUST define an identity in a way that makes collisions in a hash function essentially useless to an attacker. Because random strings are rarely used as identities, this requirement should not be unduly difficult to fulfill.


The randomness of the random values that are required by the cryptographic algorithms is vital to the security provided by the algorithms. Any implementation of these algorithms MUST use a source of random values that provides an adequate level of security. Appropriate algorithms to generate such values include [FIPS186-2] and [X9.62]. This will ensure that the random values used to mask plaintext messages in Sections 5.4 and 6.4 are not reused with a significant probability.


The strength of a system using the algorithms described in this document relies on the strength of the mechanism used to authenticate a user requesting a private key from a PKG, as described in step 2 of Section 1.2 of this document. This is analogous to the way in which the strength of a system using digital certificates [X.509] is limited by the strength of the authentication required of users before certificates are granted to them. In either case, a weak mechanism for authenticating users will result in a weak system that relies on the technology. A system that uses the algorithms described in this document MUST require users to authenticate in a way that is suitably strong, particularly if IBE private keys will be used for authentication.


Note that IBE systems have different properties than other asymmetric cryptographic schemes when it comes to key recovery. If a master secret is maintained on a secure PKG, then the PKG and any administrator with the appropriate level of access will be able to create arbitrary private keys, so that controls around such administrators and logging of all actions performed by such administrators SHOULD be part of a functioning IBE system.

On the other hand, it is also possible to create IBE private keys using a master secret and to then destroy the master secret, making any key recovery impossible. If this property is not desired, an administrator of an IBE system SHOULD require that the format of the identity used by the system contain a component that is short-lived. The format of identity that is defined in [IBECMS], for example, contains information about the time period of validity of the key that will be calculated from the identity. Such an identity can easily be changed to allow the rekeying of users if their IBE private key is somehow compromised.
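The two requirements above (identities structured so that hash collisions are useless, and a short-lived identity component that permits rekeying) can be enforced by a PKG before it hashes an identity and issues a key. The following is an added example, not code from RFC 5091 or [IBECMS]: the '|'-separated encoding, the one-week maximum validity, the window alignment epoch and the e-mail/URI patterns are assumptions made for this illustration only.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical identity encoding for this example only: the three components the
# text names (e-mail address, validity period, URI) joined by '|'. [IBECMS] defines
# its own structure; this does not reproduce it.
MAX_VALIDITY = timedelta(days=7)  # assumed policy: a key lives at most one week
TIME_FMT = "%Y%m%d%H%M%SZ"        # assumed UTC timestamp format
EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # assumed alignment of windows
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
URI_RE = re.compile(r"^https://[A-Za-z0-9.-]+(/[^\s|]*)?$")

def _parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_identity(identity: bytes, now: datetime):
    """Return the components of a well-formed, currently valid identity, or None.
    A PKG runs this before hashing the identity and issuing a key: an arbitrary
    byte string (such as a colliding preimage) almost never decodes into e-mail,
    bounded validity period and URI, and the validity window is the short-lived
    component that lets a user be rekeyed after a private key compromise."""
    try:
        text = identity.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.split("|")
    if len(parts) != 3:
        return None
    email, period, uri = parts
    if not EMAIL_RE.match(email) or not URI_RE.match(uri):
        return None
    try:
        start_s, end_s = period.split("/")
        start, end = _parse_time(start_s), _parse_time(end_s)
    except ValueError:
        return None
    # Non-empty window, no longer than policy allows, and covering 'now'.
    if not (start < end <= start + MAX_VALIDITY and start <= now < end):
        return None
    return {"email": email, "not_before": start, "not_after": end, "uri": uri}

def current_identity(email: str, uri: str, now: datetime) -> bytes:
    """Identity for the window containing 'now' (windows are MAX_VALIDITY long,
    aligned to EPOCH): the value a sender encrypts to and a PKG issues keys for."""
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    start = day - timedelta(days=(day - EPOCH).days % MAX_VALIDITY.days)
    end = start + MAX_VALIDITY
    return f"{email}|{start:{TIME_FMT}}/{end:{TIME_FMT}}|{uri}".encode("ascii")
```

When a window ends, the identity for the next window differs, so a compromised private key stops being useful without any change to the master secret.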


10. Acknowledgments

This document is based on the IBCS #1 v2 document of Voltage Security, Inc. Any substantial use of material from this document should acknowledge Voltage Security, Inc. as the source of the information.


11. References
11.1. Normative References

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.


[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.


11.2. Informative References

[BB1] D. Boneh and X. Boyen, "Efficient selective-ID secure identity based encryption without random oracles," In Proc. of EUROCRYPT 04, LNCS 3027, pp. 223-238, 2004.


[BF] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Proc. of CRYPTO 01, LNCS 2139, pp. 213-229, 2001.


[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.


[ECC] I. Blake, G. Seroussi, and N. Smart, "Elliptic Curves in Cryptography", Cambridge University Press, 1999.


[FIPS186-2] National Institute of Standards and Technology, "Digital Signature Standard," Federal Information Processing Standard 186-2, August 2002.


[IBEARCH] G. Appenzeller, L. Martin, and M. Schertler, "Identity-based Encryption Architecture", Work in Progress.


[IBECMS] L. Martin and M. Schertler, "Using the Boneh-Franklin and Boneh-Boyen identity-based encryption algorithms with the Cryptographic Message Syntax (CMS)", Work in Progress.


[MERKLE] R. Merkle, "A fast software one-way hash function," Journal of Cryptology, Vol. 3 (1990), pp. 43-58.


[P1363] IEEE P1363-2000, "Standard Specifications for Public Key Cryptography," 2001.


[SP800-57] E. Barker, W. Barker, W. Burr, W. Polk and M. Smid, "Recommendation for Key Management - Part 1: General (Revised)," NIST Special Publication 800-57, March 2007.


[SHA] National Institute for Standards and Technology, "Secure Hash Standard," Federal Information Processing Standards Publication 180-2, August 2002, with Change Notice 1, February 2004.


[X9.62] American National Standards Institute, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)," American National Standard for Financial Services X9.62-2005, November 2005.


[X.509] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8:2001, Information Technology - Open Systems Interconnection - The Directory: Public-key and Attribute Certificate Frameworks.


Authors' Addresses


   Xavier Boyen
   Voltage Security
   1070 Arastradero Rd Suite 100
   Palo Alto, CA 94304

   EMail: xavier@voltage.com

   Luther Martin
   Voltage Security
   1070 Arastradero Rd Suite 100
   Palo Alto, CA 94304

   EMail: martin@voltage.com

Full Copyright Statement


Copyright (C) The IETF Trust (2007).


This document is subject to the rights, licenses and restrictions contained in BCP 78 and at www.rfc-editor.org/copyright.html, and except as set forth therein, the authors retain all their rights.


This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property


The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.


Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.


The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
