Internet Engineering Task Force (IETF)                         M. Groves
Request for Comments: 6508                                          CESG
Category: Informational                                    February 2012
ISSN: 2070-1721
        

Sakai-Kasahara Key Encryption (SAKKE)

Abstract

In this document, the Sakai-Kasahara Key Encryption (SAKKE) algorithm is described. This uses Identity-Based Encryption to exchange a shared secret from a Sender to a Receiver.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6508.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Requirements Terminology
   2. Notation and Definitions
      2.1. Notation
      2.2. Definitions
      2.3. Parameters to Be Defined or Negotiated
   3. Elliptic Curves and Pairings
      3.1. E(F_p^2) and the Distortion Map
      3.2. The Tate-Lichtenbaum Pairing
   4. Representation of Values
   5. Supporting Algorithms
      5.1. Hashing to an Integer Range
   6. The SAKKE Cryptosystem
      6.1. Setup
           6.1.1. Secret Key Extraction
           6.1.2. User Provisioning
      6.2. Key Exchange
           6.2.1. Sender
           6.2.2. Receiver
      6.3. Group Communications
   7. Security Considerations
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. Test Data
        
1. Introduction

This document defines an efficient use of Identity-Based Encryption (IBE) based on bilinear pairings. The Sakai-Kasahara IBE cryptosystem [S-K] is described for establishment of a shared secret value. This document adds to the IBE options available in [RFC5091], providing an efficient primitive and an additional family of curves.

This document is restricted to a particular family of curves (see Section 2.1) that have the benefit of a simple and efficient method of calculating the pairing on which the Sakai-Kasahara IBE cryptosystem is based.

IBE schemes allow public and private keys to be derived from Identifiers. In fact, the Identifier can itself be viewed as corresponding to a public key or certificate in a traditional public key system. However, in IBE, the Identifier can be formed by both Sender and Receiver, which obviates the necessity of providing public keys through a third party or of transmitting certified public keys during each session establishment. Furthermore, in an IBE system, calculation of keys can occur as needed, and indeed, messages can be sent to users who are yet to enroll.

The Sakai-Kasahara primitive described in this document supports simplex transmission of messages from a Sender to a Receiver. The choice of elliptic curve pairing on which the primitive is based allows simple and efficient implementations.

The Sakai-Kasahara Key Encryption scheme described in this document is drawn from the Sakai-Kasahara Key Encapsulation Mechanism (SK-KEM) scheme (as modified to support multi-party communications) submitted to the IEEE P1363 Working Group in [SK-KEM].

1.1. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Notation and Definitions
2.1. Notation

n - A security parameter; the size of symmetric keys in bits to be exchanged by SAKKE.

p - A prime, which is the order of the finite field F_p. In this document, p is always congruent to 3 modulo 4.

F_p - The finite field of order p.

F* - The multiplicative group of the non-zero elements in the field F; e.g., (F_p)* is the multiplicative group of the finite field F_p.

q - An odd prime that divides p + 1. To provide the desired level of security, lg(q) MUST be greater than 2*n.

E - An elliptic curve defined over F_p, having a subgroup of order q. In this document, we use supersingular curves with equation y^2 = x^3 - 3 * x modulo p. This curve is chosen because of the efficiency and simplicity advantages it offers. The choice of -3 for the coefficient of x provides advantages for elliptic curve arithmetic that are explained in [P1363]. A further reason for this choice of curve is that Barreto's trick [Barreto] of eliminating the computation of the denominators when calculating the pairing applies.

E(F) - The additive group of points of affine coordinates (x,y) with x, y in the field F, that satisfy the curve equation for E.

P - A point of E(F_p) that generates the cyclic subgroup of order q. The coordinates of P are given by P = (P_x,P_y). These coordinates are in F_p, and they satisfy the curve equation.

0 - The null element of any additive group of points on an elliptic curve, also called the point at infinity.

F_p^2 - The extension field of degree 2 of the field F_p. In this document, we use a particular instantiation of this field; F_p^2 = F_p[i], where i^2 + 1 = 0.

PF_p - The projectivization of F_p. We define this to be (F_p^2)*/(F_p)*. Note that PF_p is cyclic and has order p + 1, which is divisible by q.

G[q] - The q-torsion of a group G. This is the subgroup generated by points of order q in G.

< , > - A version of the Tate-Lichtenbaum pairing. In this document, this is a bilinear map from E(F_p)[q] x E(F_p)[q] onto the subgroup of order q in PF_p. A full definition is given in Section 3.2.

Hash - A cryptographic hash function.

lg(x) - The base 2 logarithm of the real value x.

The following conventions are assumed for curve operations:

Point addition - If A and B are two points on a curve E, their sum is denoted as A + B.

Scalar multiplication - If A is a point on a curve, and k an integer, the result of adding A to itself a total of k times is denoted [k]A.

We assume that the following concrete representations of mathematical objects are used:

Elements of F_p - The p elements of F_p are represented directly using the integers from 0 to p-1.

Elements of F_p^2 - The elements of F_p^2 = F_p[i] are represented as x_1 + i * x_2, where x_1 and x_2 are elements of F_p.

Elements of PF_p - Elements of PF_p are cosets of (F_p)* in (F_p^2)*. Every element of F_p^2 can be written unambiguously in the form x_1 + i * x_2, where x_1 and x_2 are elements of F_p. Thus, elements of PF_p (except the unique element of order 2) can be represented unambiguously by x_2/x_1 in F_p. Since q is odd, every element of PF_p[q] can be represented by an element of F_p in this manner.

This representation of elements in PF_p[q] allows efficient implementation of PF_p[q] group operations, as these can be defined using arithmetic in F_p. If a and b are elements of F_p representing elements A and B of PF_p[q], respectively, then A * B in PF_p[q] is represented by (a + b)/(1 - a * b) in F_p.

2.2. Definitions

Identifier - Each user of an IBE system MUST have a unique, unambiguous identifying string that can be easily derived by all valid communicants. This string is the user's Identifier. An Identifier is an integer in the range 2 to q-1. The method by which Identifiers are formed MUST be defined for each application.

Key Management Service (KMS) - The Key Management Service is a trusted third party for the IBE system. It derives system secrets and distributes key material to those authorized to obtain it. Applications MAY support mutual communication between the users of multiple KMSs. We denote KMSs by KMS_T, KMS_S, etc.

Public parameters - The public parameters are a set of parameters that are held by all users of an IBE system. Such a system MAY contain multiple KMSs. Each application of SAKKE MUST define the set of public parameters to be used. The parameters needed are p, q, E, P, g=<P,P>, Hash, and n.

Master Secret (z_T) - The Master Secret z_T is the master key generated and privately kept by KMS_T and is used by KMS_T to generate the private keys of the users that it provisions; it is an integer in the range 2 to q-1.

KMS Public Key: Z_T = [z_T]P - The KMS Public Key Z_T is used to form Public Key Establishment Keys for all users provisioned by KMS_T; it is a point of order q in E(F_p). It MUST be provisioned by KMS_T to all who are authorized to send messages to users of the IBE system.

Receiver Secret Key (RSK) - Each user enrolled in an IBE system is provisioned with a Receiver Secret Key by its KMS. The RSK provided to a user with Identifier 'a' by KMS_T is denoted K_(a,T). In SAKKE, the RSK is a point of order q in E(F_p).

Shared Secret Value (SSV) - The aim of the SAKKE scheme is for the Sender to securely transmit a shared secret value to the Receiver. The SSV is an integer in the range 0 to (2^n) - 1.

Encapsulated Data - The Encapsulated Data are used to transmit secret information securely to the Receiver. They can be computed directly from the Receiver's Identifier, the public parameters, the KMS Public Key, and the SSV to be transmitted. In SAKKE, the Encapsulated Data are a point of order q in E(F_p) and an integer in the range 0 to (2^n) - 1. They are formatted as described in Section 4.

2.3. Parameters to Be Defined or Negotiated

In order for an application to make use of the SAKKE algorithm, the communicating hosts MUST agree on values for several of the parameters described above. The curve equation (E) and the pairing (< , >) are constant and used for all applications.

For the following parameters, each application MUST either define an application-specific constant value or define a mechanism for hosts to negotiate a value:

* n
* p
* q
* P = (P_x,P_y)
* g = <P,P>
* Hash

3. Elliptic Curves and Pairings

E is a supersingular elliptic curve (of j-invariant 1728). E(F_p) contains a cyclic subgroup of order q, denoted E(F_p)[q], whereas the larger object E(F_p^2) contains the direct product of two cyclic subgroups of order q, denoted E(F_p^2)[q].

P is a generator of E(F_p)[q]. It is specified by the (affine) coordinates (P_x,P_y) in F_p, satisfying the curve equation.

Routines for point addition and doubling on E(F_p) can be found in Appendix A.10 of [P1363].

3.1. E(F_p^2) and the Distortion Map

If (Q_x,Q_y) are (affine) coordinates in F_p for some point (denoted Q) on E(F_p)[q], then (-Q_x,iQ_y) are (affine) coordinates in F_p^2 for some point on E(F_p^2)[q]. This latter point is denoted [i]Q, by analogy with the definition for scalar multiplication. The two points P and [i]P together generate E(F_p^2)[q]. The map [i]: E(F_p) -> E(F_p^2) is sometimes termed the distortion map.

3.2. The Tate-Lichtenbaum Pairing

We proceed to describe the pairing < , > to be used in SAKKE. We will need to evaluate polynomials f_R that depend on points on E(F_p)[q]. Miller's algorithm [Miller] provides a method for evaluation of f_R(X), where X is some element of E(F_p^2)[q] and R is some element of E(F_p)[q] and f_R is some polynomial over F_p whose divisor is (q)(R) - (q)(0). Note that f_R is defined only up to scalars of F_p.

The version of the Tate-Lichtenbaum pairing used in this document is given by <R,Q> = f_R([i]Q)^c / (F_p)*. It satisfies the bilinear relation <[x]R,Q> = <R,[x]Q> = <R,Q>^x for all Q, R in E(F_p)[q], for all integers x. Note that the domain of definition is restricted to E(F_p)[q] x E(F_p)[q] so that certain optimizations are natural.

We provide pseudocode for computing <R,Q>, with elliptic curve arithmetic expressed in affine coordinates. We make use of Barreto's trick [Barreto] for avoiding the calculation of denominators. Note that this section does not fully describe the most efficient way of computing the pairing; it is possible to compute the pairing without any explicit reference to the extension field F_p^2. This reduces the number and complexity of the operations needed to compute the pairing.

<CODE BEGINS>

   /*
   Copyright (c) 2012 IETF Trust and the persons identified as
   authors of the code.  All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, is permitted pursuant to, and subject to the license
   terms contained in, the Simplified BSD License set forth in Section
   4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info).
   */

   Routine for computing the pairing <R,Q>:

     Input R, Q points on E(F_p)[q];

     Initialize variables:

       v = (F_p)*;    // An element of PF_p[q]
       C = R;         // An element of E(F_p)[q]
       c = (p+1)/q;   // An integer

     for bits of q-1, starting with the second most significant bit,
         ending with the least significant bit, do

       // gradient of line through C, C, [-2]C.
       l = 3*( C_x^2 - 1 ) / ( 2*C_y );

       //accumulate line evaluated at [i]Q into v
       v = v^2 * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) );

       C = [2]C;

       if bit is 1, then

         // gradient of line through C, R, -C-R.
         l = ( C_y - R_y )/( C_x - R_x );

         //accumulate line evaluated at [i]Q into v
         v = v * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) );

         C = C+R;

       end if;
     end for;

     t = v^c;

     return representative in F_p of t;

   End of routine;

   Routine for computing representative in F_p of elements of PF_p:

     Input t, in F_p^2, representing an element of PF_p;

     Represent t as a + i*b, with a,b in F_p;
     return b/a;

   End of routine;

<CODE ENDS>

4. Representation of Values

This section provides canonical representations of values that MUST be used to ensure interoperability of implementations. The following representations MUST be used for input into hash functions and for transmission.

Integers - Integers MUST be represented as an octet string, with bit length a multiple of 8. To achieve this, the integer is represented most significant bit first, and padded with zero bits on the left until an octet string of the necessary length is obtained. This is the octet string representation described in Section 6 of [RFC6090].

F_p elements - Elements of F_p MUST be represented as integers in the range 0 to p-1 using the octet string representation defined above. Such octet strings MUST have length L = Ceiling(lg(p)/8).

PF_p elements - Elements of PF_p MUST be represented as an element of F_p using the algorithm in Section 3.2. They are therefore represented as octet strings as defined above and are L octets in length. Representation of the unique element of order 2 in PF_p will not be required.

Points on E - Elliptic curve points MUST be represented in uncompressed form as defined in Section 2.2 of [RFC5480]. For an elliptic curve point (x,y) with x and y in F_p, this representation is given by 0x04 || x' || y', where x' is the octet string representing x, y' is the octet string representing y, and || denotes concatenation. The representation is 2*L+1 octets in length.

Encapsulated Data - The Encapsulated Data MUST be represented as an elliptic curve point concatenated with an integer in the range 0 to (2 ^ n) - 1. Since the length of the representation of elements of F_p is well defined given p, these data can be unambiguously parsed to retrieve their components. The Encapsulated Data is 2*L + n + 1 octets in length.

5. Supporting Algorithms
5.1. Hashing to an Integer Range

We use the function HashToIntegerRange( s, n, hashfn ) to hash strings to an integer range. Given a string (s), a hash function (hashfn), and an integer (n), this function returns a value between 0 and n - 1.

Input:

* an octet string, s
* an integer, n <= (2^hashlen)^hashlen
* a hash function, hashfn, with output length hashlen bits

Output:

* an integer, v, in the range 0 to n-1

Method:

1) Let A = hashfn( s )

2) Let h_0 = 00...00, a string of null bits of length hashlen bits

3) Let l = Ceiling(lg(n)/hashlen)

4) For each i in 1 to l, do:

   a) Let h_i = hashfn(h_(i - 1))

   b) Let v_i = hashfn(h_i || A), where || denotes concatenation

5) Let v' = v_1 || ... || v_l

6) Let v = v' mod n

6. The SAKKE Cryptosystem

This section describes the Sakai-Kasahara Key Encryption algorithm. It draws from the cryptosystem first described in [S-K].

6.1. Setup

All users share a set of public parameters with a KMS. In most circumstances, it is expected that a system will only use a single KMS. However, it is possible for users provisioned by different KMSs to interoperate, provided that they use a common set of public parameters and that they each possess the necessary KMS Public Keys. In order to facilitate this interoperation, it is anticipated that parameters will be published in application-specific standards.

KMS_T chooses its KMS Master Secret, z_T. It MUST randomly select a value in the range 2 to q-1, and assigns this value to z_T. It MUST derive its KMS Public Key, Z_T, by performing the calculation Z_T = [z_T]P.

6.1.1. Secret Key Extraction

The KMS derives each RSK from an Identifier and its KMS Master Secret. It MUST derive a RSK for each user that it provisions.

For Identifier 'a', the RSK K_(a,T) provided by KMS_T MUST be derived by KMS_T as K_(a,T) = [(a + z_T)^-1]P, where 'a' is interpreted as an integer, and the inversion is performed modulo q.

6.1.2. User Provisioning

The KMS MUST provide its KMS Public Key to all users through an authenticated channel. RSKs MUST be supplied to all users through a channel that provides confidentiality and mutual authentication. The mechanisms that provide security for these channels are beyond the scope of this document: they are application specific.

Upon receipt of key material, each user MUST verify its RSK. For Identifier 'a', RSKs from KMS_T are verified by checking that the following equation holds: < [a]P + Z, K_(a,T) > = g, where 'a' is interpreted as an integer.

6.2. Key Exchange

A Sender forms Encapsulated Data and sends it to the Receiver, who processes it. The result is a shared secret that can be used as keying material for securing further communications. We denote the Sender A with Identifier 'a'; we denote the Receiver B with Identifier 'b'; Identifiers are to be interpreted as integers in the algorithms below. Let A be provisioned by KMS_T and B be provisioned by KMS_S.

6.2.1. Sender

In order to form Encapsulated Data to send to device B who is provisioned by KMS_S, A needs to hold Z_S. It is anticipated that this will have been provided to A by KMS_T along with its User Private Keys. The Sender MUST carry out the following steps:

1) Select a random ephemeral integer value for the SSV in the range 0 to 2^n - 1;

2) Compute r = HashToIntegerRange( SSV || b, q, Hash );

3) Compute R_(b,S) = [r]([b]P + Z_S) in E(F_p);

4) Compute the Hint, H;

   a) Compute g^r. Note that g is an element of PF_p[q] represented by an element of F_p. Thus, in order to calculate g^r, the operation defined in Section 2.1 for calculation of A * B in PF_p[q] is to be used as part of a square and multiply (or similar) exponentiation algorithm, rather than the regular F_p operations;

   b) Compute H := SSV XOR HashToIntegerRange( g^r, 2^n, Hash );

5) Form the Encapsulated Data ( R_(b,S), H ), and transmit it to B;

6) Output SSV for use to derive key material for the application to be keyed.

6.2.2. Receiver

Device B receives Encapsulated Data from device A. In order to process this, it requires its RSK, K_(b,S), which will have been provisioned in advance by KMS_S. The method by which keys are provisioned by the KMS is application specific. The Receiver MUST carry out the following steps to derive and verify the SSV:

1) Parse the Encapsulated Data ( R_(b,S), H ), and extract R_(b,S) and H;

2) Compute w := < R_(b,S), K_(b,S) >. Note that by bilinearity, w = g^r;

3) Compute SSV = H XOR HashToIntegerRange( w, 2^n, Hash );

4) Compute r = HashToIntegerRange( SSV || b, q, Hash );

5) Compute TEST = [r]([b]P + Z_S) in E(F_p). If TEST does not equal R_(b,S), then B MUST NOT use the SSV to derive key material;

6) Output SSV for use to derive key material for the application to be keyed.

6.3. Group Communications

The SAKKE scheme can be used to exchange SSVs for group communications. To provide a shared secret to multiple Receivers, a Sender MUST form Encapsulated Data for each of their Identifiers and transmit the appropriate data to each Receiver. Any party possessing the group SSV MAY extend the group by forming Encapsulated Data for a new group member.

While the Sender needs to form multiple Encapsulated Data, the fact that the sending operation avoids pairings means that the extension to multiple Receivers can be carried out more efficiently than for alternative IBE schemes that require the Sender to compute a pairing.

7. Security Considerations

This document describes the SAKKE cryptographic algorithm. We assume that the security provided by this algorithm depends entirely on the secrecy of the secret keys it uses, and that for an adversary to defeat this security, he will need to perform computationally intensive cryptanalytic attacks to recover a secret key. Note that a security proof exists for SAKKE in the Random Oracle Model [SK-KEM].

When defining public parameters, guidance on parameter sizes from [SP800-57] SHOULD be followed. Note that the size of the F_p^2 discrete logarithm on which the security rests is 2*lg(p). Table 1 shows bits of security afforded by various sizes of p. If k bits of security are needed, then lg(q) SHOULD be chosen to be at least 2*k. Similarly, if k bits of security are needed, then a hash with output size at least 2*k SHOULD be chosen.

Bits of Security | lg(p)
-------------------------
80               |   512
112              |  1024
128              |  1536
192              |  3840
256              |  7680

Table 1: Comparable Strengths, Taken from Table 2 of [SP800-57]

The KMS Master Secret provides the security for each device provisioned by the KMS. It MUST NOT be revealed to any other entity. Each user's RSK protects the SAKKE communications it receives. This key MUST NOT be revealed to any entity other than the trusted KMS and the authorized user.

In order to ensure that the RSK is received only by an authorized device, it MUST be provided through a secure channel. The security offered by this system is no greater than the security provided by this delivery channel.

Note that IBE systems have different properties than other asymmetric cryptographic schemes with regard to key recovery. The KMS (and hence any administrator with appropriate privileges) can create RSKs for arbitrary Identifiers, and procedures to monitor the creation of RSKs, such as logging of administrator actions, SHOULD be defined by any functioning implementation of SAKKE.

Identifiers MUST be defined unambiguously by each application of SAKKE. Note that it is not necessary to hash the data in a format for Identifiers (except in the case where its size would be greater than that of q). In this way, any weaknesses that might be caused by collisions in hash functions can be avoided without reliance on the structure of the Identifier format. Applications of SAKKE MAY include a time/date component in their Identifier format to ensure that Identifiers (and hence RSKs) are only valid for a fixed period of time.

The randomness of values stipulated to be selected at random in SAKKE, as described in this document, is essential to the security provided by SAKKE. If the ephemeral value r selected by the Sender is not chosen at random, then the SSV, which is used to provide key material for further communications, could be predictable. Guidance on the generation of random values for security can be found in [RFC4086].

8. References
8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, March 2009.

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, February 2011.

[S-K] Sakai, R., Ohgishi, K., and M. Kasahara, "ID based cryptosystem based on pairing on elliptic curves", Symposium on Cryptography and Information Security - SCIS, 2001.

[SK-KEM] Barbosa, M., Chen, L., Cheng, Z., Chimley, M., Dent, A., Farshim, P., Harrison, K., Malone-Lee, J., Smart, N., and F. Vercauteren, "SK-KEM: An Identity-Based KEM", submission for IEEE P1363.3, June 2006, (http://grouper.ieee.org/groups/1363/IBC/ submissions/Barbosa-SK-KEM-2006-06.pdf).

[SP800-57] Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, "Recommendation for Key Management - Part 1: General (Revised)", NIST Special Publication 800-57, March 2007.

8.2. Informative References

[Barreto] Barreto, P., Kim, H., Lynn, B., and M. Scott, "Efficient Algorithms for Pairing-Based Cryptosystems", Advances in Cryptology - Crypto 2002, LNCS 2442, Springer-Verlag (2002), pp. 354-369.

[Miller] Miller, V., "The Weil pairing, and its efficient calculation", J. Cryptology 17 (2004), 235-261.

[P1363] IEEE P1363-2000, "Standard Specifications for Public-Key Cryptography", 2001.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems", RFC 5091, December 2007.

[RFC6509] Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)", RFC 6509, February 2012.

Appendix A. Test Data

This appendix provides test data for SAKKE with the public parameters defined in Appendix A of [RFC6509]. 'b' represents the Identifier of the Responder. The value "mask" is the value used to mask the SSV and is defined to be HashToIntegerRange( g^r, 2^n, Hash ).

// --------------------------------------------------------
// The KMS generates:

z = AFF429D3 5F84B110 D094803B 3595A6E2 998BC99F

Zx = 5958EF1B 1679BF09 9B3A030D F255AA6A 23C1D8F1 43D4D23F 753E69BD 27A832F3 8CB4AD53 DDEF4260 B0FE8BB4 5C4C1FF5 10EFFE30 0367A37B 61F701D9 14AEF097 24825FA0 707D61A6 DFF4FBD7 273566CD DE352A0B 04B7C16A 78309BE6 40697DE7 47613A5F C195E8B9 F328852A 579DB8F9 9B1D0034 479EA9C5 595F47C4 B2F54FF2

Zy = 1508D375 14DCF7A8 E143A605 8C09A6BF 2C9858CA 37C25806 5AE6BF75 32BC8B5B 63383866 E0753C5A C0E72709 F8445F2E 6178E065 857E0EDA 10F68206 B63505ED 87E534FB 2831FF95 7FB7DC61 9DAE6130 1EEACC2F DA3680EA 4999258A 833CEA8F C67C6D19 487FB449 059F26CC 8AAB655A B58B7CC7 96E24E9A 39409575 4F5F8BAE

// --------------------------------------------------------
// Creating Encapsulated Data

b = 3230 31312D30 32007465 6C3A2B34 34373730 30393030 31323300

SSV = 12345678 9ABCDEF0 12345678 9ABCDEF0

r = HashToIntegerRange( 12345678 9ABCDEF0 12345678 9ABCDEF0 32303131 2D303200 74656C3A 2B343437 37303039 30303132 3300, q, SHA-256 )

= 13EE3E1B 8DAC5DB1 68B1CEB3 2F0566A4 C273693F 78BAFFA2 A2EE6A68 6E6BD90F 8206CCAB 84E7F42E D39BD4FB 131012EC CA2ECD21 19414560 C17CAB46 B956A80F 58A3302E B3E2C9A2 28FBA7ED 34D8ACA2 392DA1FF B0B17B23 20AE09AA EDFD0235 F6FE0EB6 5337A63F 9CC97728 B8E5AD04 60FADE14 4369AA5B 21662132 47712096

Rbx = 44E8AD44 AB8592A6 A5A3DDCA 5CF896C7 18043606 A01D650D EF37A01F 37C228C3 32FC3173 54E2C274 D4DAF8AD 001054C7 6CE57971 C6F4486D 57230432 61C506EB F5BE438F 53DE04F0 67C776E0 DD3B71A6 29013328 3725A532 F21AF145 126DC1D7 77ECC27B E50835BD 28098B8A 73D9F801 D893793A 41FF5C49 B87E79F2 BE4D56CE

Rby = 557E134A D85BB1D4 B9CE4F8B E4B08A12 BABF55B1 D6F1D7A6 38019EA2 8E15AB1C 9F76375F DD1210D4 F4351B9A 009486B7 F3ED46C9 65DED2D8 0DADE4F3 8C6721D5 2C3AD103 A10EBD29 59248B4E F006836B F097448E 6107C9ED EE9FB704 823DF199 F832C905 AE45F8A2 47A072D8 EF729EAB C5E27574 B07739B3 4BE74A53 2F747B86

g^r = 7D2A8438 E6291C64 9B6579EB 3B79EAE9 48B1DE9E 5F7D1F40 70A08F8D B6B3C515 6F2201AF FBB5CB9D 82AA3EC0 D0398B89 ABC78A13 A760C0BF 3F77E63D 0DF3F1A3 41A41B88 11DF197F D6CD0F00 3125606F 4F109F40 0F7292A1 0D255E3C 0EBCCB42 53FB182C 68F09CF6 CD9C4A53 DA6C74AD 007AF36B 8BCA979D 5895E282 F483FCD6

mask = HashToIntegerRange( 7D2A8438 E6291C64 9B6579EB 3B79EAE9 48B1DE9E 5F7D1F40 70A08F8D B6B3C515 6F2201AF FBB5CB9D 82AA3EC0 D0398B89 ABC78A13 A760C0BF 3F77E63D 0DF3F1A3 41A41B88 11DF197F D6CD0F00 3125606F 4F109F40 0F7292A1 0D255E3C 0EBCCB42 53FB182C 68F09CF6 CD9C4A53 DA6C74AD 007AF36B 8BCA979D 5895E282 F483FCD6, 2^128, SHA-256 )

= 9BD4EA1E 801D37E6 2AD2FAB0 D4F5BBF7

H = 89E0BC66 1AA1E916 38E6ACC8 4E496507

// --------------------------------------------------------
// Receiver processing

// Device receives Kb from the KMS

Kbx = 93AF67E5 007BA6E6 A80DA793 DA300FA4 B52D0A74 E25E6E7B 2B3D6EE9 D18A9B5C 5023597B D82D8062 D3401956 3BA1D25C 0DC56B7B 979D74AA 50F29FBF 11CC2C93 F5DFCA61 5E609279 F6175CEA DB00B58C 6BEE1E7A 2A47C4F0 C456F052 59A6FA94 A634A40D AE1DF593 D4FECF68 8D5FC678 BE7EFC6D F3D68353 25B83B2C 6E69036B

Kby = 155F0A27 241094B0 4BFB0BDF AC6C670A 65C325D3 9A069F03 659D44CA 27D3BE8D F311172B 55416018 1CBE94A2 A783320C ED590BC4 2644702C F371271E 496BF20F 588B78A1 BC01ECBB 6559934B DD2FB65D 2884318A 33D1A42A DF5E33CC 5800280B 28356497 F87135BA B9612A17 26042440 9AC15FEE 996B744C 33215123 5DECB0F5

// Device processes Encapsulated Data

w = 7D2A8438 E6291C64 9B6579EB 3B79EAE9 48B1DE9E 5F7D1F40 70A08F8D B6B3C515 6F2201AF FBB5CB9D 82AA3EC0 D0398B89 ABC78A13 A760C0BF 3F77E63D 0DF3F1A3 41A41B88 11DF197F D6CD0F00 3125606F 4F109F40 0F7292A1 0D255E3C 0EBCCB42 53FB182C 68F09CF6 CD9C4A53 DA6C74AD 007AF36B 8BCA979D 5895E282 F483FCD6

SSV = 12345678 9ABCDEF0 12345678 9ABCDEF0

r = 13EE3E1B 8DAC5DB1 68B1CEB3 2F0566A4 C273693F 78BAFFA2 A2EE6A68 6E6BD90F 8206CCAB 84E7F42E D39BD4FB 131012EC CA2ECD21 19414560 C17CAB46 B956A80F 58A3302E B3E2C9A2 28FBA7ED 34D8ACA2 392DA1FF B0B17B23 20AE09AA EDFD0235 F6FE0EB6 5337A63F 9CC97728 B8E5AD04 60FADE14 4369AA5B 21662132 47712096

TESTx = 44E8AD44 AB8592A6 A5A3DDCA 5CF896C7 18043606 A01D650D EF37A01F 37C228C3 32FC3173 54E2C274 D4DAF8AD 001054C7 6CE57971 C6F4486D 57230432 61C506EB F5BE438F 53DE04F0 67C776E0 DD3B71A6 29013328 3725A532 F21AF145 126DC1D7 77ECC27B E50835BD 28098B8A 73D9F801 D893793A 41FF5C49 B87E79F2 BE4D56CE

TESTy = 557E134A D85BB1D4 B9CE4F8B E4B08A12 BABF55B1 D6F1D7A6 38019EA2 8E15AB1C 9F76375F DD1210D4 F4351B9A 009486B7 F3ED46C9 65DED2D8 0DADE4F3 8C6721D5 2C3AD103 A10EBD29 59248B4E F006836B F097448E 6107C9ED EE9FB704 823DF199 F832C905 AE45F8A2 47A072D8 EF729EAB C5E27574 B07739B3 4BE74A53 2F747B86

TEST == Rb

// --------------------------------------------------------
// HashToIntegerRange( M, q, SHA-256 ) example

M = 12345678 9ABCDEF0 12345678 9ABCDEF0 32303131 2D303200 74656C3A 2B343437 37303039 30303132 3300

A = E04D4EF6 9DF86893 22B39AE3 80284617 4A93BEDB 1E3D2A2C 5F2C7EA0 05513EBA

h0 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

h1 = 66687AAD F862BD77 6C8FC18B 8E9F8E20 08971485 6EE233B3 902A591D 0D5F2925

h2 = 2B32DB6C 2C0A6235 FB1397E8 225EA85E 0F0E6E8C 7B126D00 16CCBDE0 E667151E

h3 = 12771355 E46CD47C 71ED1721 FD5319B3 83CCA3A1 F9FCE3AA 1C8CD3BD 37AF20D7

h4 = FE15C0D3 EBE314FA D720A08B 839A004C 2E6386F5 AECC19EC 74807D19 20CB6AEB

v1 = FA2656CA 1D2DBD79 015AE918 773DFEDC 24957C91 E3C9C335 40D6BF6D 7C3C0055

v2 = F016CD67 59620AD7 87669E3A DD887DF6 25895A91 0CEE1486 91A06735 B2F0A248

v3 = AC45C6F9 7F83BCE0 A2BBD0A1 4CF4D7F4 CB3590FB FAF93AE7 1C64E426 185710B5

v4 = E65D50BD 551A54EF 981F535E 072DE98D 2223ACAD 4621E026 3B0A61EA C56DB078

v mod q = 13EE3E1B 8DAC5DB1 68B1CEB3 2F0566A4 C273693F 78BAFFA2 A2EE6A68 6E6BD90F 8206CCAB 84E7F42E D39BD4FB 131012EC CA2ECD21 19414560 C17CAB46 B956A80F 58A3302E B3E2C9A2 28FBA7ED 34D8ACA2 392DA1FF B0B17B23 20AE09AA EDFD0235 F6FE0EB6 5337A63F 9CC97728 B8E5AD04 60FADE14 4369AA5B 21662132 47712096

      // --------------------------------------------------------
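The masking step of the Sender (Section 6.2.1, step 4b), the unmasking step of the Receiver (Section 6.2.2, step 3) and the HashToIntegerRange walk-through in this appendix, as an added Python example that is not part of the RFC: it implements HashToIntegerRange from Section 5.1 of RFC 6508 with SHA-256 and re-derives A, h_i, v_i, mask and H from the Appendix A vectors. It assumes the RFC 6509 public parameters (n = 128, q of 1024 bits); q itself and the curve and pairing arithmetic are not reproduced, so g^r is taken from the test data rather than computed, and r = v' mod q is not recomputed.

```python
import hashlib


def num_hash_blocks(n: int, hashbits: int) -> int:
    """Step 3 of HashToIntegerRange: l = Ceiling(lg(n) / hashlen).
    lg(n) is exact for a power of two; for any other n, bit_length()
    is the integer just above lg(n) and yields the same ceiling."""
    lg_n = n.bit_length() - 1 if n & (n - 1) == 0 else n.bit_length()
    return -(-lg_n // hashbits)


def hash_to_integer_range(s: bytes, n: int, hashfn=hashlib.sha256):
    """RFC 6508 Section 5.1: map the octet string s to an integer in [0, n-1].
    Returns (v, trace); trace keeps A, h_i and v_i for comparison with Appendix A."""
    hashlen = hashfn().digest_size
    a = hashfn(s).digest()                            # 1) A = hashfn(s)
    h = bytes(hashlen)                                # 2) h_0 = 00...00 (hashlen bits)
    hs, vs = [], []
    for _ in range(num_hash_blocks(n, 8 * hashlen)):  # 3)-4) i = 1..l
        h = hashfn(h).digest()                        #    a) h_i = hashfn(h_(i-1))
        hs.append(h)
        vs.append(hashfn(h + a).digest())             #    b) v_i = hashfn(h_i || A)
    v_prime = int.from_bytes(b"".join(vs), "big")     # 5) v' = v_1 || ... || v_l
    return v_prime % n, {"A": a, "h": hs, "v": vs}    # 6) v = v' mod n


def mask_for(g_r: bytes, n_bits: int) -> int:
    """HashToIntegerRange( g^r, 2^n, Hash ), the value Appendix A calls 'mask'."""
    return hash_to_integer_range(g_r, 1 << n_bits)[0]


def sender_hint(ssv: int, g_r: bytes, n_bits: int) -> int:
    """Sender step 4b: H := SSV XOR HashToIntegerRange( g^r, 2^n, Hash )."""
    return ssv ^ mask_for(g_r, n_bits)


def receiver_ssv(hint: int, w: bytes, n_bits: int) -> int:
    """Receiver step 3: SSV = H XOR HashToIntegerRange( w, 2^n, Hash ).
    By bilinearity w = < R_(b,S), K_(b,S) > equals g^r, so the same mask is
    removed. Receiver step 5 (recompute R_(b,S) from the SSV and compare) is
    still required before the SSV may be used; it needs the curve parameters."""
    return hint ^ mask_for(w, n_bits)


def _hx(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Test vectors copied from Appendix A (n = 128 bits, Hash = SHA-256).
M = _hx("12345678 9ABCDEF0 12345678 9ABCDEF0 32303131 2D303200 74656C3A"
        " 2B343437 37303039 30303132 3300")                      # SSV || b
A_EXPECTED = _hx("E04D4EF6 9DF86893 22B39AE3 80284617 4A93BEDB 1E3D2A2C 5F2C7EA0 05513EBA")
H1_EXPECTED = _hx("66687AAD F862BD77 6C8FC18B 8E9F8E20 08971485 6EE233B3 902A591D 0D5F2925")
H4_EXPECTED = _hx("FE15C0D3 EBE314FA D720A08B 839A004C 2E6386F5 AECC19EC 74807D19 20CB6AEB")
V1_EXPECTED = _hx("FA2656CA 1D2DBD79 015AE918 773DFEDC 24957C91 E3C9C335 40D6BF6D 7C3C0055")
V4_EXPECTED = _hx("E65D50BD 551A54EF 981F535E 072DE98D 2223ACAD 4621E026 3B0A61EA C56DB078")
G_R = _hx("7D2A8438 E6291C64 9B6579EB 3B79EAE9 48B1DE9E 5F7D1F40 70A08F8D B6B3C515"
          " 6F2201AF FBB5CB9D 82AA3EC0 D0398B89 ABC78A13 A760C0BF 3F77E63D 0DF3F1A3"
          " 41A41B88 11DF197F D6CD0F00 3125606F 4F109F40 0F7292A1 0D255E3C 0EBCCB42"
          " 53FB182C 68F09CF6 CD9C4A53 DA6C74AD 007AF36B 8BCA979D 5895E282 F483FCD6")
SSV = 0x123456789ABCDEF0123456789ABCDEF0
MASK_EXPECTED = 0x9BD4EA1E801D37E62AD2FAB0D4F5BBF7
H_EXPECTED = 0x89E0BC661AA1E91638E6ACC84E496507


def check_appendix_a() -> bool:
    """Re-derive the Appendix A intermediates. q is defined in RFC 6509 and is
    not reproduced here, so r = v' mod q is not recomputed; 2^1024 is used as a
    stand-in range of the same size, which gives the same l = 4 and lets the
    v_i blocks be compared."""
    _, trace = hash_to_integer_range(M, 1 << 1024)
    return (trace["A"] == A_EXPECTED
            and trace["h"][0] == H1_EXPECTED and trace["h"][3] == H4_EXPECTED
            and trace["v"][0] == V1_EXPECTED and trace["v"][3] == V4_EXPECTED
            and mask_for(G_R, 128) == MASK_EXPECTED
            and sender_hint(SSV, G_R, 128) == H_EXPECTED
            and receiver_ssv(H_EXPECTED, G_R, 128) == SSV)
```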
        

Author's Address

作者地址

Michael Groves CESG Hubble Road Cheltenham GL51 8HJ UK

迈克尔·格罗夫斯英国切尔滕纳姆塞斯克哈勃路GL51 8HJ

EMail: Michael.Groves@cesg.gsi.gov.uk