(ii) a In general, the common secret that the encryptor and the decryptor really use is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)。B＝g^bE G' can be the public key of fixed user "B", i.e.: randomly selected b ∈ Z_qRemain unchanged from session to session. G ═ B^bE G' can also be chosen randomly by user "B" independently in each session, i.e.: b independently in Z in different sessions_qSelecting.

The core and the characteristic of the implementation method-1 are that two functions K are constructed_AAnd K_BSo that K_A(x，w，B，pub)＝K_B(b, w, X', pub). User "a" calculates and sends DH-key component X ═ g^xB^βE.g. G'; user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein, if B ═ g^bIf the E G ' is the public key of the user ' B ', the user ' B ' can calculate and store B in advance^-tbβE G' and/or B^tbβE.g. G'; if B is g^bE G 'is not the public key of user' B ', but is present by user' BEach session is independently selected randomly, and user 'B' first gets g from B^bE.g. G' is sent to "A".

The specific method comprises the following steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'. Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′^tbB^-tbβE.g.. G': user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE G ' (the calculation is suitable for the user ' B ' to calculate and store B in advance^-tbβE.g. case of G') or K_B＝(X′B^-β)^tbE G ' (the calculation is suitable for the user ' B ' to calculate and store B in advance^-βE G'); wherein t is 1 orBeta is w or-w, and w and-w are coded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wTypically set to a short substring of the hash function H output (e.g., 8 or 16 or 32 bit prefix of H output). The common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be empty. Is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key.

User "B" may calculate B in advance^-1. If β does not involve X' and if B ═ g^bE.G ' is the public key of user ' B ', user ' B ' calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; alternatively, user "B" calculates B in advance^-βAnd B is^-βSecurely stored in the database entry corresponding to user "A" (at this point, B)^-βWill reveal the user's password, suggest pair B^-βEncrypted storage is performed). However, if user "B" does not have a public key, it randomly chooses and sends B ═ g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, user "B" still needs to store β in the database entry corresponding to user "a" (suggesting encrypted storage of β).

To prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B immediately after calculation^βOr immediately deleted or stored in a secure location. The calculation of the user 'A' can be carried out in advance; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1Upon accelerated calculation, where-beta is exactly w or H_w(W). If β ═ w or β ═ H_w(W), user "B" may calculate and store B in advance^-1。

For the case where user "B" has the public key "B", in general, if the decryptor, i.e., user "B", checks the confirmation X' ∈ G, let t equal to 1. If the decryptor only checksChecking that X 'belongs to G' or X 'belongs to G'/1_GIf X' is not in the range of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβ(applicable to K)_B＝X′^tbB^-tbβE G' calculation mode) or K_B≠1_GOr (X' B)^-β)^t≠1_G. If user 'B' does not have a public key, it randomly chooses and sends B-g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, then the user "B" only checks to confirm that X '∈ G' or X '∈ G'/1_GLet t equal to 1. User "B" aborts protocol execution, returning or not returning an error message, if any check fails. User 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified Diffie-Hellman or ElGamal-based public key encryption algorithm is referred to as a password-based Diffie-Hellman or ElGamal public key encryption algorithm.

Client 'A' encrypts a random number R by using a Diffie-Hellman or ElGamal public key encryption algorithm based on a password to obtain a ciphertext C, and encrypts the ciphertext C and identity information I_ASending to user 'B'; if user 'B' successfully decrypts C to obtain R, the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'. The recommended calculation method is as follows: the session key is set to R, and the authentication key R' is formed by R and k₂And (6) exporting. If the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; we assume that user "a" is only allowed to make mistakes a limited number of times to prevent online guessing attacks.

To prove to user "A" that he knows R, user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BC, X', pub } is a session identifier, r_BIs the protocol role designation for user "B". User "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

User "A" proves to user "B" that it does know R as follows: user "A" sends ciphertext C at the same time or receives t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of C, X', pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a". If the Diffie-Hellman or ElGamal public key encryption ciphertext C based on the password for R already contains a label t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), where E is an element in the ciphertext C or the division of t in the ciphertext C_EA subset of other elements than k and in general k e k₁，k₂}, user "A" can prove to user "B" that it knows R more efficiently as follows: user "A" does not send t_A＝F_T(R′，aux_A) But instead t in the ciphertext C_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or in general t_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_APub } and aux_A≠aux_B，K_RIs derived from (K, R ', aux) or (K, R, aux) or is directly set as R' (recommending K)_RR') aux is { I ═ I_A，I_B，sid，r_A，r_BA subset of E, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR'; in general, K_RH (k, R), or

<math><mrow><msub><mi>K</mi><mi>R</mi></msub><mo>=</mo><mi>k</mi><mo>&CirclePlus;</mo><mi>R</mi><mo>,</mo></mrow></math>

Or

<math><mrow><msub><mi>K</mi><mi>R</mi></msub><mo>=</mo><mi>H</mi><mrow><mo>(</mo><mi>k</mi><mo>&CirclePlus;</mo><mi>R</mi><mo>)</mo></mrow><mo>,</mo></mrow></math>

Or K_RR'; user "B" checks t_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

The implementation method-2: implementation method-2 is applicable to client "a" having public key a ═ g^aUser 'B' has public key B ═ g^bBut does not send the DH-key component Y ═ g^yThe situation (2).

If user "A" registers a password w at user "B", the core and feature of implementing method-3 is to construct two functions K_AAnd K_BSo that K_A(a，x，w，B，pub)＝K_B(b, w, A, X, pub). The specific method comprises the following steps: user "a" calculates and sends DH-key component X ═ g^xB^βE G', wherein β is w or-w, and w and-w are encoded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，A，I_BB, pub } or { w, X', I_A，A，I_BOne subset of, B, pub } containing w, H_wIs a hash function that outputs a length less than q, typically taking a short substring of the H output (e.g., 8 or 16 or 32 bit prefix of the H output). User "A" calculation

<math><mrow><msub><mi>K</mi><mi>A</mi></msub><mo>=</mo><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>ae</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>xc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

User "B" calculation

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>X</mi><mo>′</mo></msup><msup><mi>B</mi><mrow><mo>-</mo><mi>β</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

(this calculation has the advantage that fewer on-line exponential operations are required, essentially only one exponential operation has to be performed on-line, where B^-βCan be calculated in advance; the disadvantage is that B^-βReveal the user's password), or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

(this calculation is suitable for the user "B" to calculate in advance

In which case

<math><mrow><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

Can be calculated in advance; has the advantages that

Without revealing the userA password; recommending the use of such a calculation), or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><mi>b</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>c</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

(this calculation is suitable for the user "B" to calculate B in advance^-bβCase of (a) or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

Where c ═ H (X ', pub) or H (X', B, pub), e ═ 1 or H (pub), t ═ 1, or H (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; c depends on X ', e does not depend on X'; all calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W) (in this case, user "B" may not calculate B in advance^-1) (ii) a If β ═ w or β ═ H_w(W), user "B" may calculate B in advance^-1. User "B" can be calculated in advanceAnd store B^-1、

<math><mrow><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

If the calculation of beta does not involve X ' user ' B ', it can also be calculated in advance

And/or B^-bβE.g. G'; user 'B' will

Or B^-bβOr

OrOr

Is stored in the database entry corresponding to user "a", encrypted if necessary, rather than storing the password w or β directly, when K is present_BIs calculated as

Or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><mi>b</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>c</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessary

Encrypted for storage, at this time K_BIs calculated as

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>X</mi><mo>′</mo></msup><msup><mi>B</mi><mrow><mo>-</mo><mi>β</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>.</mo></mrow></math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for password-based implementations, if the user "B" checks that X' ∈ G and A ∈ G are confirmed, let t₁＝t₂1. If the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow><msup><mrow><mo>(</mo><msup><mi>X</mi><mo>′</mo></msup><msup><mi>B</mi><mrow><mo>-</mo><mi>β</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

(is suitable for

In a calculation manner) or

<math><mrow><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>)</mo></mrow><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

(is suitable for

Is recommended for such inspection) or/and

<math><mrow><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub><mo>,</mo></mrow></math>

or

<math><mrow><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><mi>b</mi></mrow></msup><mo>)</mo></mrow><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>c</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

(is suitable for

In a calculation manner) or

<math><mrow><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

(is suitable for

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

In a calculation manner) or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>&NotEqual;</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>eb</mi></mrow></msup></mrow></math>

(applicable to the above various K_BManner of calculation), or

<math><mrow><msup><mrow><mo>(</mo><msup><mi>X</mi><mo>′</mo></msup><msup><mi>B</mi><mrow><mo>-</mo><mi>β</mi></mrow></msup><mo>)</mo></mrow><msub><mi>t</mi><mn>2</mn></msub></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub><mo>.</mo></mrow></math>

If any check fails, user "B" then aborts the protocol run, returning or not returning an error message.

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X', pub } is derived using a key derivation function, thisThe time user "B" checks X' ∈ G.

(2) Or else, the DH-key component X ═ g in the public key encryption algorithm based on Diffie-Hellman or ElGamal^xIs changed to X' ═ g^xB^βE.g. G'. The common Diffile-Hellman secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be empty. Is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key. User 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text C or before sending cipher text_AThereby obtaining a password-based secret signature algorithm with the sender identity authentication function. Encrypting a random number R by using the obtained password-based signcryption algorithm; the secret label of the random number R is marked as C, and the secret label C is a set of a plurality of numerical values. If the user 'B' has a decryption error, the execution is stopped, and error information is returned or not returned. The session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'. We assume that user "a" is only allowed to make mistakes a limited number of times to prevent online guessing attacks.

If user "a" does not have a password registered at user "B", user "a" calculates and sends DH-key component X ═ g^xE is G; at this time, the core and the characteristic of the implementation method-2 are to construct two functions K_AAnd K_BSo that K_A(a，x，B，pub)＝K_B(b, A, X, pub). The specific method comprises the following steps: user "A" calculation

User "B" calculation

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), e ═ 1 or H (pub), t ═ 1, or H (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; the calculation of c depends on X, and the calculation of e does not depend on X. All calculations for user "A" can be performed in advance; user "B" can be calculated in advance

<math><mrow><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>.</mo></mrow></math>

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X, pub } is derived using a key derivation function, when user "B" checks X' e G.

(2) Alternatively, the common Diffile-Hellman secret that is really used by the encryptor and the decryptor in a Diffie-Hellman or ElGamal-based public key encryption algorithm is composed of { X, K_A＝K_BDerivation, i.e. KDF (K)_A，X)＝KDF(K_BX) or from { X, K)_A＝K_BDerived from aux, aux is { I }_A，K_B，sid，r_A，r_BPub, can be empty. Notation of { X, K_A＝K_BOr by { X, K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key. User 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_AThus, a password-based secret signature algorithm with the sender identity authentication function is obtained: . Encrypting a random number R by using the obtained password-based signcryption algorithm; the secret label of the random number R is marked as C, and the secret label C is a set of a plurality of numerical values. If the user 'B' has a decryption error, the execution is stopped, and error information is returned or not returned. The session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; let the derived authentication key be R'.

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for non-password based implementations, if the user "B" checks that X ∈ G and A ∈ G are confirmed, let t₁＝t₂1 is ═ 1; if the decryptor only checks for confirmations A ∈ G, X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

Or

K_{B} = A^{t_{1} be};

Memory and exportIn order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) (ii) a Wherein aux is implemented for password-based implementation_BIs { I_B，sid，r_BX', pub } for non-password based implementations aux_BIs { I_B，sid，r_BX, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "a" proves to user "B" that he does know R' using the following method: user "A" sends X' or X at the same time or receives t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a". If the authentication key is derived from the random number R of the signpost and the signpost C already contains a tag t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), wherein E is an element of C or t is divided by C_EA subset of other elements than R, then user "A" can prove to user "B" that it knows R' more efficiently as follows: user "A" does not send t_A＝F_T(R′，aux_A) Instead, t in the secret tag C is_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or in general t_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B；K_RIs derived from or directly set to R 'of (k, R', aux) or (k, R, aux), where aux is { I }_A，I_B，sid，r_A，r_BX', pub } or { I_A，I_B，sid，r_A，r_BA subset of X, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR'; in general, K_RH (k, R), or

Or

Or K_RR', wherein K_RThe length of (d) is taken to be the same as k; user "B" checks t_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-3: implementation-3 is applicable to the case where client "a" does not have or does not have the convenience of using a public key, but user "a" still sends DH-key component X ═ g^xAnd user 'B' has public key B ═ g^bAnd sends DH-key component Y ═ g^yThe situation (2).

The core and the characteristic of the implementation method-3 are that two functions K are constructed_AAnd K_BSo that K_A(x，B，Y，pub)＝K_B(b, y, X, pub); the specific method comprises the following steps: user "A" calculation

<math><mrow><msub><mi>K</mi><mi>A</mi></msub><mo>=</mo><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>xc</mi></mrow></msup><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>xf</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

User "B" calculation

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>bc</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>yf</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), f ═ H (pub, X, Y) or f ═ H (pub, B, X, Y) or H (c, Y), t_i1 or

I is more than or equal to 1 and less than or equal to 2; note that the calculation of c depends on X but not on Y, the calculation of f depends on both X and Y; user "A" may be calculated in advance

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: (1) let t be if user "B" checks that X ∈ G is confirmed₁＝t₂1. (2) If user "B" only checks for confirmation X ∈ G 'or X ∈ G'/1_GBut X ∈ G cannot be confirmed, and if y is likely to leak (or the user "B" worries that y is likely to leak)), let

t = t_{1} = t_{2} = \frac{N}{q},

User "B" check confirmation

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>X</mi><mrow><mi>t</mi><mrow><mo>(</mo><mi>bc</mi><mo>+</mo><mi>yf</mi><mo>)</mo></mrow></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub><mo>,</mo></mrow></math>

If y does not leak (i.e., is sufficiently secure, or user "B" confirms that y does not leak), then t is the same as (1)₁，t₂Can still be1. If any check fails, the protocol is aborted and an error message is returned or not.

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, X, Y, pub } derives a session key and an authentication key; let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation for user "B". User "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned. To prove to user "B" that he does know R', user "A" is receiving t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

In a specific implementation, it is proposed to implement method-3 in combination with variant (1) of claim 6.

The implementation method-4: the implementation method-4 is suitable for the client 'A' to have a discrete logarithm public key A ═ g^aAnd sends DH-key component X ═ g^xAnd user 'B' also has discrete logarithm public key B ═ g^bAnd sends DH-key component Y ═ g^yThe situation (2).

The core and the characteristic of the implementation method-4 are that two functions K are constructed_AAnd K_BSo that K_A(a，x，B，Y，pub)＝K_B(b, y, A, X, pub). The specific method comprises the following steps: user "A" calculation

<math><mrow><msub><mi>K</mi><mi>A</mi></msub><mo>=</mo><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>ae</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>xc</mi></mrow></msup><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>ad</mi><mo>+</mo><msub><mi>t</mi><mn>4</mn></msub><mi>xf</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

User "B" calculation

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi><mo>+</mo><msub><mi>t</mi><mn>3</mn></msub><mi>yd</mi></mrow></msup><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi><mo>+</mo><msub><mi>t</mi><mn>4</mn></msub><mi>yf</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), d ═ H (pub, Y) or H (pub, a, Y) e ═ 0 or 1 or H (pub), f ═ H (pub, X, Y) or H (c, d), t (c, Y_i1 or

I is more than or equal to 1 and less than or equal to 4. c. The key points of the setting of d, e and f are as follows: c depends on X but not on Y, d depends on Y but not on X, e depends on neither X nor Y, f depends on (X, Y). User "A" may be calculated in advance

<math><mrow><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>ae</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>xc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

User "B" can be calculated in advance

<math><mrow><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi><mo>+</mo><msub><mi>t</mi><mn>3</mn></msub><mi>yd</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>;</mo></mrow></math>

t_iI is more than or equal to 1 and less than or equal to 4, and the key of the setting is as follows: (1) if the user 'A' checks that B belongs to G and Y belongs to G, the user 'B' checks that A belongs to G and X belongs to G, let t belong to G₁＝t₂＝t₃＝t₄1 is ═ 1; (2) if user "A" only checks for confirmations B ∈ G, X ∈ G 'or X ∈ G'/1_GWhile X ∈ G cannot be confirmed, user "B" merely checks to confirm A ∈ G, Y ∈ G 'or Y ∈ G'/1_GAnd cannot confirm Y ∈ G, and user "A" worrys about x and/or user "B" worrys about Y may leak, let t₁＝1，

t_{2} = t_{3} = t_{4} = \frac{N}{q},

User "B" check confirmation

<math><mrow><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>bc</mi><mo>+</mo><msub><mi>t</mi><mn>4</mn></msub><mi>yf</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

Or

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>&NotEqual;</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>be</mi><mo>+</mo><msub><mi>t</mi><mn>3</mn></msub><mi>yd</mi></mrow></msup><mo>,</mo></mrow></math>

User "A" check confirmation

<math><mrow><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>ad</mi><mo>+</mo><msub><mi>t</mi><mn>4</mn></msub><mi>xf</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

Or

<math><mrow><msub><mi>K</mi><mi>A</mi></msub><mo>&NotEqual;</mo><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>ae</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>xc</mi></mrow></msup><mo>;</mo></mrow></math>

If x and y are not leaked, t can be set in the same way as (1)₁＝t₂＝t₃＝t₄1. If any check fails, the protocol is aborted and an error message is returned or not.

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, d, e, X, Y, pub } derives a session key and an authentication key; in general, the session key k is generated as follows₁And an authentication key k₂In which H is_KIs a hash function: (1) (k)₁，k₂)←H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_A，f，i)＝H_K(K_B，f，1)H_K(K_B，f，2)…H_K(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of length, i.e. up to H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_AF, i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_AF, i) is a prefix or suffix of length l. (2) K. k₁←H_K(K_A，f，1)H_K(K_A，f，2)…H_K(K_A，f，i)＝H_K(K_B，f，1)H_K(K_B，f，2)…H_K(K_B，f，i)；k₂←H_K(f，K_A，1)H_K(f，K_A，2)…H_K(f，K_A，i)＝H_K(f，K_B，1)H_K(f，K_B，2)…H_K(f，K_BJ). Let k₁Has a length of l₁，k₂Has a length of l₂Then, the value of the counter i is taken until the output length of the hash function sequence is greater than or equal to l₁The value of the counter j is equal to or larger than l until the output length of the hash function sequence is larger than or equal to l₂。

Let the derived authentication key be R' ═ k₂To prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned. To prove to user "B" that he does know R', user "A" is receiving t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AAnd if the correctness is not correct, the protocol execution is stopped, and error information is returned or not returned.

The implementation method comprises the following steps: implementation-5 applies to the case where one, but not all, of client "A" and client "B" may not have a discrete logarithmic public key defined on (G', G, G, q), but still supports digital signatures.

Let t_i1 or

I is more than or equal to 1 and less than or equal to 6; let aux_A^j，aux′_A^j，aux_Bⁱ，aux′_BⁱJ is more than or equal to 1 and less than or equal to 7, i is more than or equal to 1 and less than or equal to 9, and is divided by X and g respectively^x，Y＝g^yA subset or sequence of other information related to protocol execution, other than that, may be empty or contain repeating elements. aux_AAnd aux'_AIsI_A，sid，r_AA subset of X, Y, pub }, aux_BAnd aux'_BIs { I_B，sid，r_BA subset of X, Y, pub } and aux_A≠aux_BWhere sid is the session identifier, r_BIs the protocol role designation of user "B", r_AIs the protocol role designation for user "a". Order to

<math><mrow><mi>U</mi><mo>&SubsetEqual;</mo><mrow><mo>{</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>}</mo></mrow><mo>.</mo></mrow></math>

A first round: user 'A' transmission

<math><mrow><mrow><mo>{</mo><mi>X</mi><mo>=</mo><msup><mi>g</mi><mi>x</mi></msup><mo>&Element;</mo><mi>G</mi><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mn>1</mn></msubsup><mo>}</mo></mrow><mo>.</mo></mrow></math>

And a second round: user 'B' transmission

<math><mrow><mrow><mo>{</mo><mi>Y</mi><mo>=</mo><msup><mi>g</mi><mi>y</mi></msup><mo>&Element;</mo><mi>G</mi><mo>,</mo><msub><mi>T</mi><mn>1</mn></msub><mo>=</mo><mi>H</mi><mrow><mo>(</mo><mi>Y</mi><mo>,</mo><mi>X</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mn>1</mn></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mn>2</mn></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mn>3</mn></msubsup><mo>}</mo></mrow><mo>,</mo></mrow></math>

Or

{Y, T_{1} = H (Y, X, X^{t_{1} y}, {aux}_{B}^{2}), {aux}_{B}^{3}},

Or { Y, F_T(T′₁，aux_B)，aux_B³} or { Y, aux'_B³}. Wherein,

<math><mrow><msubsup><mi>T</mi><mn>1</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>1</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

(where U may be null), aux_B³Containing identity information I of user' B_B，aux_B²And/or aux_B¹Containing identity information I of user' B_B(aux_B²And/or aux_B¹May contain only identity information I of user' B_B)。

User 'A' utilization

<math><mrow><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>x</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>y</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

Examination T₁Or F_T(T′₁，aux_B) The correctness of the test; namely: calculate and check

T_{1} = H (Y, X, H (X, Y, Y^{t_{1} x}, {aux}_{B}^{1}), {aux}_{B}^{2}),

Or

T_{1} = H (Y, X, Y^{t_{1} x}, {aux}_{B}^{2}),

Or calculate

<math><mrow><msubsup><mi>T</mi><mn>1</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>X</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>1</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>1</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

And check F_T(T′₁，aux_B) Is/are as followsAnd (4) correctness. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

And a third round: if user "a" has public key a ═ g^aE.g. G, then user 'A' sends

{T_{2} = H (X, Y, H (Y, Y^{t_{2} a}, {aux}_{A}^{2}), H (X, Y, Y^{t_{3} x}, {aux}_{A}^{3}), {aux}_{A}^{4}), {aux}_{A}^{5}},

Or

{T_{2} = H (X, Y, Y^{t_{2} a}, Y^{t_{3} x}, {aux}_{A}^{6}), {aux}_{A}^{5}},

Or { F_T(T′₂，aux_A)，aux_A⁵}. Wherein,

<math><mrow><msubsup><mi>T</mi><mn>2</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>a</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>3</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>a</mi></mrow></msup><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

(where U may be null), aux_A⁵Public key certificate or I containing user' A_A，aux_A²，aux_A⁶Identity information I containing user' A_A(aux_A²，aux_A⁶May contain only the identity information I of the user "A_A) (ii) a User 'B' utilization

<math><mrow><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>y</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>a</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

And

<math><mrow><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>y</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>X</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

to check T₂Or F_T(T′₂，aux_A) The correctness of (1), namely: calculate and check

T_{2} = H (X, Y, H (Y, A^{t_{2} y}, {aux}_{A}^{2}), H (X, Y, X^{t_{3} y}, {aux}_{A}^{3}), {aux}_{A}^{4}),

Or

T_{2} = H (X, Y, A^{t_{2} y}, X^{t_{3} y}, {aux}_{A}^{6}),

Or calculate

<math><mrow><msubsup><mi>T</mi><mn>2</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>Y</mi><mo>,</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>2</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>3</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>A</mi><mrow><msub><mi>t</mi><mn>2</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

And check F_T(T′₂，aux_A) The correctness of the operation. If any check is incorrect, user "B" terminates the run, with or without returning an error message.

If user "a" does not have public key a ═ g^aE G but still supports digital signatures, user "a" sends s_A，aux_A⁷Therein aux_A⁷Public key certificate or I containing user' A_A，s_AUse of its own private key pair for user "AOr H (F)_T(T_S^A，aux_A)，aux′_A) Is determined by the digital signature of (a) a digital signature,

<math><mrow><msubsup><mi>T</mi><mi>S</mi><mi>A</mi></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>3</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

(where U may be null); user 'B' utilization

Checks s with the public key of user "A_AThe correctness of (1), namely: computingAnd checks s with the public key of user "A_AThe correctness of the test; or, calculate

<math><mrow><msubsup><mi>T</mi><mi>S</mi><mi>A</mi></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>3</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>3</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>A</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

And H (F)_T(T_S^A，aux_A)，aux′_A) And checks s with the public key of user "A_AThe correctness of the operation. If any check is incorrect, user "B" terminates the run, with or without returning an error message.

Fourth wheel: if user 'B' has public key B ═ g^bE.g. G, then user 'B' sends

{T_{3} = H (Y, X, H (X, X^{t_{4} b}, {aux}_{B}^{4}), H (X, Y, X^{t_{5} y}, {aux}_{B}^{5}), {aux}_{B}^{6}), {aux}_{B}^{7}},

Or

{T_{3} = H (Y, X, X^{t_{4} b}, X^{t_{5} y}, {aux}_{B}^{8}), {aux}_{B}^{7}},

Or { F_T(T′₃，aux_B)，aux_B⁷}; wherein,

<math><mrow><msubsup><mi>T</mi><mn>3</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>b</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>5</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mrow><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>b</mi></mrow></msup><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>8</mn></mrow></msubsup></mrow><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

(where U may be null), aux_B⁷Public key certificate or I containing user' B_B，aux_B⁴，aux_B⁸Identity information I containing user' B_B(aux_B⁴，aux_B⁸May contain only identity information I of user' B_B) (ii) a User 'A' utilization

<math><mrow><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>x</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>b</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

And

<math><mrow><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

to check T₃Or F_T(T′₃，aux_B) The correctness of (1), namely: calculate and check

T_{3} = H (Y, X, H (X, B^{t_{4} x}, {aux}_{B}^{4}), H (X, Y, Y^{t_{5} x}, {aux}_{B}^{5}), {aux}_{B}^{6}),

Or

T_{3} = H (Y, X, B^{t_{4} x}, Y^{t_{5} x}, {aux}_{B}^{8}),

Or calculate

<math><mrow><msubsup><mi>T</mi><mn>3</mn><mo>′</mo></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>4</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>5</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mrow><msup><mi>B</mi><mrow><msub><mi>t</mi><mn>4</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>8</mn></mrow></msubsup></mrow><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

And check F_T(T′₃，aux_B) The correctness of the operation. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

If user 'B' does not have public key B ═ g^bE G but still supports digital signatures, user 'B' sends s_B，aux_B⁹Therein aux_B⁹Public key certificate or I containing user' B_B，s_BUse of its own private key pair for user' B

Or H (F)_T(T_S^B，aux_B)，aux′_B) Is determined by the digital signature of (a) a digital signature,

<math><mrow><msubsup><mi>T</mi><mi>S</mi><mi>B</mi></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>5</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>8</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

(where U may be null); user 'A' utilization

<math><mrow><msup><mi>T</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mrow><mo>(</mo><mo>=</mo><msup><mi>X</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>y</mi></mrow></msup><mo>)</mo></mrow><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

Checks s with the public key of user' B_BThe correctness of (1), namely: computing

And checks s with the public key of user' B_BThe correctness of the test; or, calculate

<math><mrow><msubsup><mi>T</mi><mi>S</mi><mi>B</mi></msubsup><mo>&Element;</mo><mrow><mo>{</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>5</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>6</mn></mrow></msubsup><mo>)</mo></mrow><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><msup><mi>Y</mi><mrow><msub><mi>t</mi><mn>5</mn></msub><mi>x</mi></mrow></msup><mo>,</mo><msubsup><mi>aux</mi><mi>B</mi><mrow><mo>′</mo><mn>8</mn></mrow></msubsup><mo>)</mo></mrow><mo>}</mo></mrow></mrow></math>

And H (F)_T(T_S^B，aux_B)，aux′_B) And checks s with the public key of user' B_BThe correctness of the operation. If any check is incorrect, user "A" terminates the run, with or without returning an error message.

Session key management

K_{A} = Y^{t_{6} x} = X^{t_{6} y} = K_{B}

And { X, Y, pub }, where user "A" calculates K_AUser "B" calculates K_B. The user "a" may calculate X ═ g in advance^x，

Or

The user "B" may calculate Y ═ g in advance^y，

Or

If user "A" is calculated in advance

Will be calculated after finishing the calculationDelete, and save

If user "B"Is calculated in advanceWill be calculated after finishing the calculationDelete, and save

t_iI is more than or equal to 1 and less than or equal to 6, and the key is as follows: order to

h = \frac{N}{q};

If the user 'B' checks that X belongs to G, let t₁＝t₄＝t₅1 is ═ 1; if the user 'A' checks that Y belongs to G, let t₂＝t₃1. If user "B" only checks for confirmation that X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed and no signature is used for the fourth round, t₁，t₃，t₄，t₅At least one of them is

And checking and confirming X once^hy≠1_GAnd/or X^hb≠1_G(i.e., first computing X during protocol execution^hy≠1_GOr X^hb≠1_GChecking at that time, and not checking once confirmed); if the user "A" only checks for confirmation Y ∈ G 'or Y ∈ G'/1_GAnd if Y ∈ G cannot be confirmed and no signature is used in the third round, then t₁，t₂，t₃，t₅At least one of them isAnd checking and confirming Y at a time^hx≠1_GAnd/or Y^ha≠1_G. If user "A" uses the signature for the third round, user "A" can only check for confirmations Y ∈ G 'or Y ∈ G'/1_GAnd can make t₃1 is ═ 1; if user "B" uses the signature for the fourth round, user "B" can only check for confirmation X ∈ G 'or X ∈ G'/1_GAnd can make t₁＝t₅1. If any check fails, the protocol execution is aborted, with or without an error message being returned. Generally, let t₁＝t₃＝t₅＝t₆. Note that: when in use

t_{1} = t_{3} = t_{5} = t_{6} = \frac{N}{q}

And when no user uses the signature, the check implemented above not only ensures that the DH-key components are not in the small subgroup, but also does not reveal the parity of the discrete logarithm of each user's own DH-key component (but still does not ensure that the opposite party does know the discrete logarithm of the DH-key component it sent).

The public key registration and public key certificate issuing method comprises the following steps:

the following public key registration and public key certificate issuance methods can be applied to simplify the computation of the above implementation method.

(1) The public key certificate authority CA checks to confirm that the public key registered by the user is an element in G or G/1 when issuing a certificate to the user_GMiddle element; if any check fails, the certificate authority refuses to issue the public key certificate; thus, each user can confirm that the public key of the opposite party is G or G/1 only by checking the public key certificate of the opposite party user_GOf (1). It is proposed to employ (1) in all implementations.

(2) When a user registers user identity information ID and a public key PK to a public key certificate authority, belonging to G', the user submits an inverse element PK of the public key at the same time^-1E.g. G'; that is, in addition to ID and PK ∈ G', the public key certificate application also includes PK^-1E.g. G'. It is recommended to adopt (2) in the implementation method-1 and the password-based implementation method-2.

(3) Use ofWhen a user registers user identity information and a public key to a public key certificate authority, submitting the identity information, the public key and a hash value of aux at the same time; or the identity information, the public key inverse element and the hash value of the aux; providing or not providing a digital signature of the resulting hash value and/or aux using a private key corresponding to the public registration key; aux is other information of the protocol, and generally includes a subset of a timestamp (i.e., the date and time of the public key registration application), a session identifier (where the session identifier may be a random number sent by the CA to the user, or a concatenation of two random numbers exchanged by the CA and the registered user), and so on. aux may take a null value; note that the resulting hash value is t_PKThe digital signature of a possible user is s_PK(ii) a That is, the public key certificate application includes both aux and t in addition to the user's identity information, public key, and/or public key inverse_PKBut with or without s_PK。

(4) If the public key issuing authority checks for t_PKOr s_PKIf the certificate is wrong, refusing to issue the certificate; when issuing a certificate to a user, a public key certificate issuing authority issues identity information, a public key and/or an inverse element, aux and a hash value t of the public key certificate to the user_PKAndor do not have s_PKCarrying out digital signature; alternatively, CA only pairs hash values t_PKCarrying out digital signature; rather than merely signing the user's identity information and public key; namely: a legitimate public key certificate must also contain the digital signature of the certificate authority.

Thus, the hash function or key derivation function input or pub contains (I)_AA) or A can be replaced by a hash value in the public key certificate of the user 'A', and the hash value is recorded as t^A_PK(ii) a (I) contained in the hash function or key derivation function input or pub_BB) or B can be replaced by a hash value in a public key certificate of a user 'B' and is marked as t^B_PK. And, if the public key certificate contains the inverse of the user's public key, then in the implementation method-1 and implementation method-2 of claim 1, the users "a" and "B" do not need to calculate B in advance^-1∈G′。

Detailed Description

Having identity I_AThe public key of the user "a" is a ═ g^aAnd having a certificate CERT_AHaving identity I_BThe public key of the user "B" is B ═ g^bAnd having a certificate CERT_B. The certificate authority CA checks the confirmation A e G/1 before issuing the certificate_GAnd B ∈ G/1_G. We assume that user "a" is the protocol operation initiator (initiator), i.e.: first, DH-key component X is sent as g^xE is G; "B" is a protocol operation responder (responder), i.e. after receiving X, it sends DH-key component X ═ g^yE.g. G. Wherein a, x, b, y are from Z_qThe selection is carried out randomly.

In the protocol implementation described below, the message authentication code MAC employs an HMAC authentication code as described in Internet opinion solicitation document No. 2104 (Internet RFC 2104) published by ietf (Internet Engineering task force). The HMAC only needs to do two hash operations and is proven to be both a message authentication code and a pseudorandom function. In protocol implementation, HMAC and the Hash function H, H_KImplemented by the SHA-1 hahsi function. Symmetric encryption employs the AES algorithm specified by the NIST (national institute of standards and technology) standard.

Implementation of the method-1 according to claim 1 is based on the specific embodiment:

password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculates B^-tbβE G' and B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStored in the database in the entry corresponding to user "a".

And (4) role marking: let the user 'A' and 'B' parameter negotiation stage exchange two random numbers R_AAnd R_B(and the public key certificate of user "B"), i.e.: user "A" sends R_AUser "B" sends R_B. Let the role of user "A" be labeled: r is_A＝R_A‖R_B(ii) a The role of user "B" is denoted as r_B＝R_B‖R_A(ii) a Where "|" is the string concatenation operator. R_AMay be included in the following information that user "a" transmits the ciphertext.

We present specific embodiments of the ECIES public key encryption algorithm specified in standardized documents based on ANSI X9.63, ISO/IEC 15946-3, and IEEE P1363 a. The specific implementation mode is similar based on other Diffie-Hellman public key encryption algorithms, such as the PSEC public key encryption algorithm specified by the ISO18033-2 standardized draft.

Order to

t = \frac{N}{q},

User "A" is calculated as follows: (1) calculate X ═ g^xB^βE is G; (2) calculate K_A＝B^txE.g. G, if K_A＝1_GRepeating (1) and (2) until K_A≠1_G(ii) a (3) Computing a Diffie-Hellman secret k₁And k is₂：(k₁，k₂)←H(K_A，X′，1)H_K(K_A，X′，2)…H_K(K_AX', i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AThe length of X', i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AAnd X', i) is a prefix of length l. (4) The user 'A' randomly selects a random number R and calculates

E = {AES}_{k_{1}} (R),

Calculating H (k)₂R) and let K_RIs taken as H (k)₂Of R) and k₂Prefixes of the same length, calculating

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A});

Finally, user "A" sends { I_A，X′，E，t_ATo server "B", where C ═ X', E, t_AIt is called password-based public key encryption ciphertext.

Receive { I_A，X′，E，t_AAfter this, user "B" is calculated as follows: (1) check to confirm X 'is ∈ G'/1_GIf, in error (i.e.:

<math><mrow><msup><mi>X</mi><mo>′</mo></msup><mo>&NotElement;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>/</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

) Stopping running and returning error information; (2) calculating X'^tbBelongs to G ', and is checked for X'^tb≠B^tbβ(wherein B^tbβCalculated in advance and stored in the database), if it is wrong (i.e. X'^tb＝B^tbβ): stopping running and returning error information; (3) calculate K_B＝X′^tbB^-tbβE G' (where B is^-tbβCalculated in advance and stored in a database); (4) computing a Diffie-Hellman secret k₁And k is₂: the method is the same as the step (3) of the user 'A', only K in the input of the hash function is used_AIs changed to K_B(ii) a (5) By k₁Decrypting the E to obtain R; (6) by k₂And R calculates K_R(method as same as user "A"), checking and confirming

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A}),

If it is wrong (i.e. the

<math><mrow><msub><mi>t</mi><mi>A</mi></msub><mo>&NotEqual;</mo><msub><mi>HMAC</mi><msub><mi>K</mi><mi>R</mi></msub></msub><mrow><mo>(</mo><mi>E</mi><mo>,</mo><msub><mi>I</mi><mi>A</mi></msub><mo>,</mo><msub><mi>r</mi><mi>A</mi></msub><mo>)</mo></mrow></mrow></math>

) Stopping running and returning error information; (7) setting session key directly to K_RCalculate and send

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B}),

And sets the session key to R. (user's "B" public key certificate may also be sent at this step.)

Receives t_BThereafter, user "A" checks for confirmation

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B});

If it is wrong (i.e. the

<math><mrow><msub><mi>t</mi><mi>B</mi></msub><mo>&NotEqual;</mo><msub><mi>HMAC</mi><msub><mi>K</mi><mi>R</mi></msub></msub><mrow><mo>(</mo><msub><mi>I</mi><mi>B</mi></msub><mo>,</mo><msub><mi>r</mi><mi>B</mi></msub><mo>)</mo></mrow></mrow></math>

) Stopping running and returning error information; the session key is set to R.

The password-based implementation of the method-2 of claim 1 is based on the specific implementation:

we present a password-based embodiment, a non-password-based embodiment being a simplified version of the password-based embodiment, of the implementation method-2 of claim 1.

Password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculation

<math><mrow><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><mo>&Element;</mo><mi>G</mi></mrow></math>

And A^bE is G; delete beta and remove

And A^bStored in the database in the entry corresponding to user "A" (if necessary in pairs

In particular A^bAnd encrypted storage is performed).

And (4) role marking: user role r_AAnd r_BThe marking method is the same as the specific implementation mode of the implementation method-1. (We assume that both parties of the protocol have exchanged and verified respective public key certificates.) the random number R sent by user "A"_AAnd user "a" may also be included in the first round of information sent by user "a" in the protocol embodiments below.

Order to

t_{2} = \frac{N}{q},

User "A" is calculated as follows: (1) calculate X ═ g^xB^βE is G; (2) calculating

<math><mrow><msub><mi>K</mi><mi>A</mi></msub><mo>=</mo><msup><mi>B</mi><mrow><mi>a</mi><mo>+</mo><msub><mi>t</mi><mn>2</mn></msub><mi>xc</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

If K_A＝1_GRepeating (1) and (2) until K_A≠1_G(ii) a (3) Computing a Diffie-Hellman secret k₁And k is₂：(k₁，k₂)←H(K_A，X′，1)H_K(K_A，X′，2)…H_K(K_AX', i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AThe length of X', i) is not less than (k)₁，k₂) Length of (d). Is provided with (k)₁，k₂) Of length l, we can take H (K)_A，X′，1)H_K(K_A，X′，2)…H_K(K_AAnd X', i) is a prefix of length l. (4) The user 'A' randomly selects a random number R and calculates

E = {AES}_{k_{1}} (R),

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A});

Finally, user "A" sendsI_A，X′，E，t_ATo server "B", where C ═ X', E, t_AIt is called password-based public key encryption ciphertext. (the public key certificate for user "A" may be sent at this step.)

) Stopping running and returning error information; (2) calculating

<math><mrow><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup></mrow></math>

(whereinCalculated in advance and stored in a database) and checked

<math><mrow><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>&NotEqual;</mo><msub><mn>1</mn><mi>G</mi></msub><mo>;</mo></mrow></math>

If it is wrong (i.e. the

) If yes, stopping running and returning error information; (3) calculating

<math><mrow><msub><mi>K</mi><mi>B</mi></msub><mo>=</mo><msup><mi>A</mi><mi>b</mi></msup><msup><mrow><mo>(</mo><msup><mi>B</mi><mrow><mo>-</mo><msub><mi>t</mi><mn>2</mn></msub><mi>bβ</mi></mrow></msup><msup><mi>X</mi><mrow><mo>′</mo><msub><mi>t</mi><mn>2</mn></msub><mi>b</mi></mrow></msup><mo>)</mo></mrow><mi>c</mi></msup><mo>&Element;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>,</mo></mrow></math>

Wherein c ═ H (X', I)_A，A，I_B，B)，A^bAre calculated in advance and stored in a database. (4) Computing a Diffie-Hellman secret k₁And k is₂: the method is the same as the step (3) of the user 'A', only K in the input of the hash function is used_AIs changed to K_B(ii) a (5) By k₁Decrypting the E to obtain R; (6) by k₂And R calculates K_R(method as same as user "A"), checking and confirming

t_{A} = {HMAC}_{K_{R}} (E, I_{A}, r_{A}),

If it is wrong (i.e. the

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B}),

And sets the session key to R.

Receives t_BThereafter, user "A" checks for confirmation

t_{B} = {HMAC}_{K_{R}} (I_{B}, r_{B});

If it is wrong (i.e. the

Claim 1 implementation of a password-based embodiment of method-3:

password registration: user "B" may calculate and store B in advance^-1. When user "A" registers password w with user "B", user "B" calculates H (w, I)_A，I_B) And let beta be H (w, I)_A，I_B) Is a 32-bit prefix. User "B" calculates B^-βE is G; store β in the database in the entry corresponding to user "A" (if necessary for B)^-βEncrypted storage is performed).

And (4) role marking: let r be_A＝0，r_B＝1。

Calculating in advance: user "a" calculates X' ═ g in advance^xB^β∈G，c＝H(X′，I_A，I_BB), and^tcxmodqe G', wherein t is N/q.

In the following detailed description, elements in parentheses indicate transmitted information.

A first round: user "a" sends { X' ═g^xB^βE G (where x is from Z)_qWhere the elements in parenthesis are the information to be sent). After receiving X ', the user ' B ' checks to confirm that X ' belongs to G '/1_G(ii) a If there is an error (i.e., the

) If any check is unsuccessful, user "B" aborts the protocol execution; if the check is passed, user "B" calculates Y ═ g^yE G (where y is from Z_qWherein is randomly selected), c ═ H (X', I)_A，I_B，B)、f＝H(c，Y)，K_B＝(X′B^-β)^t(cb+fy)modqE.g. G' and delete y (where B^-βCalculated in advance and stored in a database); user "B" check confirmation K_B≠1_GIf it is wrong (i.e. K)_B＝1_G) User "B" then aborts the protocol execution and returns an error message. If K_B≠1_GUser "B" calculation (k)₁，k₂)←H(K_B，f，1)H(K_B，f，2)…H(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is a prefix of length l.

And a second round: user 'B' transmission

{{CERT}_{B}, Y, t_{B} = {HMAC}_{k_{1}} (1)};

Receive the 'B' transmissionAfter the message is sent, user "A" checks CERT_BIs valid and Y ∈ G'/1_GIf any check is unsuccessful, user "B" aborts protocol execution and returns an error message; if the check passes, user "a" calculates f ═ H (c, Y), K_A＝B^tcxY^tfxE.g. G'; user "A" calculation (k)₁，k₂)←H(K_A，f，1)H(K_A，f，2)…H(K_AF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is a prefix of length l. User "A" check

t_{B} = {HMAC}_{k_{1}} (1),

If it is not

t_{B} = {HMAC}_{k_{1}} (1)

The session key is set to k₂And go to the next round, otherwise (i.e. the

<math><mrow><msub><mi>t</mi><mi>B</mi></msub><mo>&NotEqual;</mo><msub><mi>HMAC</mi><msub><mi>k</mi><mn>1</mn></msub></msub><mrow><mo>(</mo><mn>1</mn><mo>)</mo></mrow></mrow></math>

) Aborts protocol execution and returns an error message.

And a third round: user 'A' transmission

{t_{A} = {HMAC}_{k_{1}} (0)}

. Receives t_AThereafter, user "B" checks for confirmation

t_{A} = {HMAC}_{k_{1}} (0);

If it is not

t_{A} = {HMAC}_{k_{1}} (0),

User "B" sets the session key to k₂And successfully ending the protocol, otherwise, stopping the protocol execution.

Embodiment of claim 1 for carrying out method-4:

calculating in advance: user "a" calculates X ═ g in advance^x∈G，c＝H(X，I_A，A，I_B，B)，t＝t₂＝t₃＝t₄N/q and B^txcmodqBelongs to G ', wherein N is the order of the finite field G'; user "B" calculates in advance Y ═ g^y∈G，d＝H(I_B，B，I_A，A，Y)，t＝t₂＝t₃＝t₄N/q and A^{tyd modq}∈G′。

A first round: user "A" transmits { CERT_AX }; received { CERT_AX post user "B" check CERT_AIs valid and X ∈ G'/1_G(ii) a If any checks are unsuccessful, user "B" aborts the protocol execution. If the check passes, user "B" calculates c ═ H (X, I)_A，A，I_B，B)，f＝H(c，d)，X^t(cb+fy)modq(ii) a User "B" checks for confirmation X^t(cb+fy)≠1_GIf X is^t(cb+fy)＝1_GUser "B" aborts the protocol execution and returns an error message; if X^t(cb+fy)≠1_GUser "B" calculates K_B＝A^tydX^t(cb+fy)E G' (where A^{tyd modq}E G' is calculated in advance), calculating (k)₁，k₂)←H(K_B，f，1)H(K_B，f，2)…H(K_BF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_B，f，1)H(K_B，f，2)…H(K_BF, i) is a prefix of length l.

And a second round: user 'B' transmission

{{CERT}_{B}, Y, t_{B} = {HMAC}_{k_{1}} (1)};

After receiving the message sent by "B", user "A" checks CERT_BIs valid and Y ∈ G'/1_G(ii) a If any check is unsuccessful, user "A" aborts protocol execution and returns an error message; if the check passes, user "a" calculates d ═ H (I)_B，B，I_A，A，Y)，f＝H(c，d)，Y^t(da+fx)E.g. G'; user "A" checks for confirmation Y^t(da+fx)≠1_GIf Y is^t(da+fx)＝1_GUser "A" aborts protocol execution and returns an error message; if Y is^t(da+fx)≠1_GUser "A" calculates K_A＝B^txcY^t(da+fx)E G' (where B is^{txc modq}E G' is calculated in advance). User "A" calculation (k)₁，k₂)←H(K_A，f，1)H(K_A，f，2)…H(K_AF, i), where i ≧ 1 is implemented by a counter, the value of i depends on (k)₁，k₂) Of up to H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is not less than (k)₁，k₂) Length of (d); if (k)₁，k₂) Is l, we order (k)₁，k₂) Is H (K)_A，f，1)H(K_A，f，2)…H(K_AF, i) is a prefix of length l. User "A" check

t_{B} = {HMAC}_{k_{1}} (1),

If it is not

t_{B} = {HMAC}_{k_{1}} (1)

The session key is set to k₂And go to the next round, otherwise (i.e. the

) Aborts protocol execution and returns an error message.

And a third round: user 'A' transmission

{t_{A} = {HMAC}_{k_{1}} (0)} .

Receives t_AThereafter, user "B" checks

t_{A} = {HMAC}_{k_{1}} (0);

If it is not

t_{A} = {HMAC}_{k_{1}} (0)

User "B" sets the session key to k₂Successfully ending the protocol; otherwise (i.e. the

<math><mrow><msub><mi>t</mi><mi>A</mi></msub><mo>&NotEqual;</mo><msub><mi>HMAC</mi><msub><mi>k</mi><mn>1</mn></msub></msub><mrow><mo>(</mo><mn>0</mn><mo>)</mo></mrow></mrow></math>

) User "B" aborts the protocol execution and returns an error message.

Embodiment of claim 1 for carrying out method-5:

we present a discrete logarithm public key that user "B" does not define on (G', G, q), in combination with the embodiment of claim 3. User "B" still supports digital signatures, such as the RSA signature scheme. We assume that users "a" and "B" have some kind of negotiation mechanism to mutually confirm and agree on the public key type of the other party, the supported algorithms, and other parameters. In the following embodiment, let

h = \frac{N}{q} .

Calculating in advance: in the following detailed description, user "B" may have been previously calculated Y, H (I)_A，Y，A^y) And delete A^y。

A first round: user "a" sends { X ═ g^xE.g. G }. User "B" checks to confirm that X ∈ G'/1_GIf it is wrong (i.e. wrong)

<math><mrow><mi>X</mi><mo>&NotElement;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>/</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

) The run is aborted and an error message is returned. User "B" calculates Y ═ g^y∈G，X^hyE.g. G', check and confirm X^hy≠1_GIf there is an error (i.e., X)^hy＝1_G) The run is aborted and an error message is returned. User "B" calculates H (X, Y, X)^hy) Delete X^hyAnd calculate

During the whole protocol operation, user 'B' only retains Y, H (X, Y, X)^hy) And possibly H (I)_A，Y，A^y) (if H (I)_A，Y，A^y) Calculated in advance) as temporary secret data (other temporary secret data is deleted immediately after use).

And a second round: user 'B' transmission

<math><mrow><mrow><mo>{</mo><mi>Y</mi><mo>=</mo><msup><mi>g</mi><mi>y</mi></msup><mo>&Element;</mo><mi>G</mi><mo>,</mo><msub><mi>HMAC</mi><mrow><mi>H</mi><mrow><mo>(</mo><mi>Y</mi><mo>,</mo><mi>X</mi><mo>,</mo><msub><mi>I</mi><mi>B</mi></msub><mo>,</mo><mi>H</mi><mrow><mo>(</mo><mi>X</mi><mo>,</mo><mi>Y</mi><mo>,</mo><msup><mi>X</mi><mi>hy</mi></msup><mo>)</mo></mrow><mo>)</mo></mrow></mrow></msub><mrow><mo>(</mo><msub><mi>I</mi><mi>B</mi></msub><mo>)</mo></mrow><mo>}</mo></mrow><mo>.</mo></mrow></math>

User "A" checks to confirm Y ∈ G'/1_GIf it is wrong (i.e. wrong)

<math><mrow><mi>Y</mi><mo>&NotElement;</mo><msup><mi>G</mi><mo>′</mo></msup><mo>/</mo><msub><mn>1</mn><mi>G</mi></msub></mrow></math>

) The run is aborted and an error message is returned. User "A" calculates Y^hxE.g. G', checking to confirm Y^hx≠1_GIf it is wrong (i.e. Y)^hx＝1_G) The run is aborted and an error message is returned. User "A" calculates H (X, Y)^hx) Delete Y^hxChecking and confirming

{HMAC}_{H (Y, X, I_{B}, H (X, Y, X^{hy}))} (I_{B}) = {HMAC}_{H (Y, X, I_{B}, H (X, Y, Y^{hx}))} (I_{B}),

If the error occurs, the operation is stopped and error information is returned. User "A" calculates H (I)_A，Y，Y^a) Calculating

{HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A}) .

During the whole protocol operation, user 'A' only retains X, H (X, Y)^hx) And possibly H (I)_B，X，B^x) (if user "A" calculates H (I) in advance_B，X，B^x) As temporary secret data (other temporary secret data is deleted immediately after use).

And a third round: user 'A' transmission

{I_{A}, {CERT}_{A}, {HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A})},

Wherein CERT_AIs a public key certificate for user "a". User 'B' authentication confirmation CERT_AAnd if the validity is invalid, the operation is stopped and error information is returned. User "B" check confirmation

{HMAC}_{H (X, Y, H (I_{A}, Y, Y^{a}), H (X, Y, Y^{hx}))} (I_{A}) = {HMAC}_{H (X, Y, (I_{A}, Y, A^{y}), H (X, Y, X^{hy}))} (I_{A}),

If the error occurs, the operation is stopped and error information is returned. User "B" calculation

Using its own private signature key pair

Performing digital signature to obtain a digital signature s_B(ii) a User "B" sets the session key to

Fourth wheel: user "B" transmits { CERT_B，s_BWherein CERT is_BIs a public key certificate for user "B". User "A" authentication confirmation CERT_BAnd if the validity is invalid, the operation is stopped and error information is returned. User "A" calculationAnd checks the confirmation s with the public key of user' B_BIs to

If false (i.e., s)_BIs not right

Valid digital signature) then the run is aborted and an error message is returned. User "A" sets the session key to

Claims

1. An authentication and key exchange method based on password and secret data leakage resistance, which is characterized in that:

the system working environment is as follows:

(1) system parameters: (G ', G, G, q), where G ' is a finite group of order N, G is a subgroup of order q in G ', and G is a generator of G, making it difficult to define the discrete logarithm problem on G; in this document, we represent the operation of an element in G' by multiplication; unless otherwise specified, the unit cell in G, G' is designated as 1_G，G′/1_GIs shown byG' minus Unit cell 1_GSet of other elements thereafter, i.e. not 1 in G_GAn element; note G/1_GIs other than 1 in G_GAn element; without loss of generality, the result of the exponential operation and the multiplication operation not on the exponent is G' or one element of G, and the addition and/or multiplication operation on the exponent is a modulo-q calculation; for any element X ∈ G', we remember X^-1Is the inverse of X relative to G', i.e.: XX^-1＝1_G；

(2) H is a hash function; for character strings or values s₁，s₂，…s_m，m＞1，H(s₁，s₂，…s_m) It is shown that: will s₁，s₂，…，s_mExpressing by proper codes, then connecting all the codes in series, and finally using the string obtained after the serial connection as the input of H; without loss of generality, let us assume that the output of H is Z_q(0, 1, 2, …, q-1) element, otherwise we can simply take one of the outputs of H to belong to Z_qPerforming modulo-q calculation on the substring of H; if s₁，s₂，…，s_mIs a string of m characters, S₁，S₂，…S_nN sets, phi is a null set, n is more than or equal to 1, m, then { s₁，s₂，…，s_m，Φ，S₁，S₂，…，S_nDenoted by s₁，s₂，…，s_m}∪S₁∪S₂∪…∪S_nWherein the order of elements in parentheses may be changed arbitrarily; h(s)₁，s₂，…，s_m，Φ，S₁，S₂，…，S_n) Is expressed by₁，s₂，…s_mAnd S₁∪S₂∪…∪S_n-{s₁，s₂，…，s_mExpressing elements in the code by proper codes, then connecting all code strings in series in sequence, and finally using the strings obtained after the serial connection as the input of H;

(3) unless otherwise specified, with the identity IDI_AUser "a" has a public key a ═ g^aE G, where a is set in Z by user "A_qSelecting randomly from {0, 1, 2, …, q-1 }; accordingly, has ID I_BThe public key of the user "B" is denoted as B ═ g^bE.g. G, and so on; wherein I_AFor identity information or user name of user "A", I_BIdentity information or username for user "B"; for any element x ∈ Z_qWe note that x is x relative to Z_qThe negative element of (a), namely: x + (-x) 0 modq;

(4) the protocol is based on the Diffie-Hellman key exchange protocol; unless otherwise specified, the symbols X-g^xE G is the DH key component of user ' A ', X is the discrete logarithm of DH key component X, X is from Z by user ' A_qEither randomly selected from {0, 1, …, q-1} or from Z_qRandomly selecting from an odd subset of {0, 1, …, q-1 }; let Y be g^yE G is the DH key component of user ' B ', Y is the discrete logarithm of DH key component Y, Y is from Z by user ' B_qEither randomly selected from {0, 1, …, q-1} or from Z_qRandomly selecting from an odd subset of {0, 1, …, q-1 }; suppose user "A" is the initiator of the protocol and user "B" is the responder of the protocol; namely: user "A" sends X first; after receiving X, user 'B' sends Y again; in the password-based implementation method, the DH-key component sent by the client "a" is X' ═ g^xB^β＝XB^β∈G′；

(5) Other information related to protocol execution pub: pub is the component X ═ g for removing DH-key^xOr X', Y ═ g^yA subset or sequence of other protocol execution related information than that, may be empty or contain repeating elements; here, other information related to protocol execution includes: identity information or user names of users, namely protocol initiators and responders, role marks of the protocol initiators and the responders, public keys and public key certificate information, IP addresses, protocol versions, security parameters and key parameters, session identifiers of the protocols, timestamps, cookies, arbitrary numerical values and other information transmitted by protocol sessions except DH-key components; in different implementation methods, pub values can be different; generally, pub contains the public key of the protocol initiator and responderWith identity or user name information, i.e.

<math> <mrow> <mo>{</mo> <msub> <mi>I</mi> <mi>A</mi> </msub> <mo>,</mo> <mi>A</mi> <mo>,</mo> <msub> <mi>I</mi> <mi>B</mi> </msub> <mo>,</mo> <mi>B</mi> <mo>}</mo> <mo>&SubsetEqual;</mo> <mi>pub</mi> <mo>;</mo> </mrow></math>

(6) Key derivation function KDF: KDF (S, aux) is a key derivation function, where S is a value or set of values, aux is a set of numeric strings or counters; in general, a KDF is a hash function or sequence of hash functions, or a pseudorandom function with S as the random seed; the session key and the authentication key may be derived from the same key derivation function on the same input; or the session key and the authentication key are respectively derived from different inputs by the same key derivation function; alternatively, the derivation function of the session key is different from the derivation function of the authentication key, and their inputs are the same or different;

(7) a tag authentication function F_T(K, U), where K is a secret value or a set of secret values and U is a set; tag authentication function F_T(K, U) is any function that satisfies the following properties: (1) cannot be taken from F_T(K, U) solving for K in a polynomial time of the length of K, namely: function F with respect to input K_TIs unidirectional; (2) given F_T(K, U) F cannot be calculated within a polynomial time of the length of K_T(K, U') or F_T(K, U ') such that U ≠ U'; in general, F_TIs a one-way hash function; or F_TIs a message authentication code MAC function where the private key of the MAC is derived from K, U and the information authenticated is a subset of U;

let us assume that the protocol operation sender has some mechanism to negotiate the above parameters, functions, algorithms, user role indication and representation method of session indication symbol, etc., and operates which implementation method to implement, and reach the same; a subset of the information exchanged by the negotiation may be contained in pub; the checking and confirmation of various elements in the application method is disposable, namely: once the confirmation is correct, it is not checked in subsequent runs;

the implementation method comprises the following steps: according to different application environments or systems, the following implementation methods are adopted:

the implementation method-1: implementation method-1 is suitable for a client "a" not having or not having the convenience of using a public key, and a user "B" not sending a DH-key component Y ═ g^yThe case (2); but client "a" has registered a password w at user "B"; generally, user "A" is a client, user "B" is a server, user "B" manages a user database, and creates an entry in the database for each client; user 'B' supports with B ═ g^bThe public key encryption algorithm based on Diffie-Hellman or ElGamal with the E G' as the public key, wherein any legal public key encryption ciphertext is marked as C, is a set containing a plurality of numerical values and comprises a DH-secret key component X ═ G used for generating Diffie-Hellman secret with the public key B^xE is G; namely: x ═ g^xFor generating a common Diffie-Hellman secret B between an encryptor and a decryptor^tx＝g^tbx＝X^tbE G', wherein t is 1 or

(ii) a In general, the common secret that the encryptor and the decryptor really use is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)；B＝g^bE G' can be the public key of fixed user "B", i.e.: randomly selected b ∈ Z_qRemain unchanged in different sessions; g ═ B^bE G' can also be chosen randomly by user "B" independently in each session, i.e.: b independently in Z in different sessions_qSelecting;

the core and the characteristic of the implementation method-1 are that two functions K are constructed_AAnd K_BSo that K_A(x，w，B，pub)＝K_B(b, w, X', pub); user "a" calculates and sends DH-key component X ═ g^xB^β∈G′(ii) a User "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein, if B ═ g^bIf the E G ' is the public key of the user ' B ', the user ' B ' can calculate and store B in advance^-tbβE G' and/or B^tbβE.g. G'; if B is g^bE G ' is not the public key of the user ' B ', but is randomly selected by the user ' B ' independently in each session, and then the user ' B ' first sets B to G^bE.g. G' is sent to "A";

the specific method comprises the following steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′^tbB^-tbβE.g.. G': user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; wherein t is 1 or

Beta is w or-w and-w code for Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wA short substring, typically set as the output of the hash function H; the common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a symmetric encrypted key, k₂Is an authentication key;

user "B" may calculate and store B in advance^-1(ii) a If β does not involve X' and if B ═ g^bE.G ' is the public key of user ' B ', user ' B ' calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; alternatively, user "B" calculates B in advance^-βAnd B is^-βSecurely stored in the database entry corresponding to user "A"; however, if user "B" does not have a public key, it randomly chooses and sends B ═ g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf the user B selects the data item, the user B still needs to safely store the beta in the database item corresponding to the user A;

to prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B immediately after calculation^βOr immediately deleted or stored in a secure location; the calculation of the user 'A' can be carried out in advance; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W); if β ═ w or β ═ H_w(W), user "B" may calculate and store B in advance^-1；

For the case where user "B" has the public key "B", in general, if the decryptor, i.e., user "B", checks that X' e G is confirmed, let t be 1; if the decryptor only checks to confirm X '∈ G'Or X 'is belonged to G'/1_GIf X' is not in the range of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβOr K_B≠1_GOr (X' B)^-β)^t≠1_G(ii) a If user 'B' does not have a public key, it randomly chooses and sends B-g^bE G' gives the user "A", namely: b independently in Z in different sessions_qIf so, then user "B" can simply check to confirm that X '∈ G' or X '∈ G'/1_GLet t be 1; if any check fails, user "B" aborts protocol execution, returning or not returning an error message; user 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified public key encryption algorithm based on Diffie-Hellman or ElGamal is called as a password-based Diffie-Hellman or ElGamal public key encryption algorithm;

client 'A' encrypts a random number R by using a Diffie-Hellman or ElGamal public key encryption algorithm based on a password to obtain a ciphertext C, and encrypts the ciphertext C and identity information I_ASending to user 'B'; if user 'B' successfully decrypts C to obtain R, the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R'; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; we assume that user "A" is only allowed to make mistakes a limited number of times to prevent online guessing attacks;

to prove to user "A" that he knows R, user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BC, X', pub } is a session identifier, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "A" proves to user "B" that it does know R as follows: user "A" sends ciphertext C at the same time or receives t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of C, X', pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; if the Diffie-Hellman or ElGamal public key encryption ciphertext C based on the password for R already contains a label t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), where E is an element in the ciphertext or the ciphertext divided by t_EA subset of other elements than that, user "a" can prove more efficiently to user "B" that it knows R, i.e.: user "A" does not send t_A＝F_T(R′，aux_A) But instead t in the ciphertext C_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or generally T_A＝F_T(K_R，{E，aux_A}) in which aux_AIs { I_A，sid，r_APub } and aux_A≠aux_B；K_RIs derived from or directly set to R', aux is { I }_A，I_B，sid，r_A，r_BA subset of E, pub } may be empty; namely: k_RKDF ({ K, R' }, aux) or K_RKDF ({ K, R }, aux) or K_RR', wherein K_RThe length of (d) is taken to be the same as k; in general terms, the amount of the solvent to be used,K_Rh (k, R, aux), or

<math> <mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>R</mi> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>k</mi> <mo>&CirclePlus;</mo> <mi>R</mi> <mo>)</mo> </mrow> <mo>,</mo> </mrow></math>

Or K_RR'; user "B" checks t_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-2: implementation method-2 is applicable to client "a" having public key a ═ g^aUser 'B' has public key B ═ g^bBut does not send the DH-key component Y ═ g^yThe case (2);

if user "A" registers a password w at user "B", the core and feature of implementing method-3 is to construct two functions K_AAnd K_BSo that K_A(a，x，w，B，pub)＝K_B(b, w, A, X, pub); the specific method comprises the following steps: user "a" calculates and sends DH-key component X ═ g^xB^βE G', wherein β is w or-w, and w and-w are encoded as Z_qOne element of (1); or beta is H_w(W) or-H_w(W), wherein W is { W, I_A，A，I_BB, pub } or { w, X', I_A，A，I_BOne subset of, B, pub } containing w, H_wThe method is a hash function with the output length smaller than q, and generally takes a short substring output by H; user "A" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Wherein c ═ H (X ', pub) or H (X'B, pub), e ═ 1 or h (pub), t_i1 or

I is more than or equal to 1 and less than or equal to 2; c depends on X ', e does not depend on X'; all calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; in particular, if β ═ w or β ═ H_w(W), user "A" may calculate B in advance^-1With accelerated calculation, when-beta is exactly w or H_w(W); if β ═ w or β ═ H_w(W), user "B" may calculate B in advance^-1(ii) a User "B" may calculate and store B in advance^-1、

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

<math> <mrow> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

And/or B^-bβE.g. G "; user 'B' will

Or B^-bβOrOr

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessaryEncrypted for storage, at this time K_BIs calculated as

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: for password-based implementations, ifThe user ' B ' checks to confirm that X ' ∈ G and A ∈ G, then let t₁＝t₂1 is ═ 1; if the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, let t₁＝1，

t_{2} = \frac{N}{q}

User "B" check validation

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or/and

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bβ</mi> </mrow> </msup> <mo>)</mo> </mrow> <mi>c</mi> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>eb</mi> </mrow> </msup> <mo>,</mo> </mrow></math>

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> <mo>;</mo> </mrow></math>

If any check fails, the user 'B' stops the protocol operation and returns or does not return error information;

there are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X ', pub } is derived using a key derivation function, at which time user "B" checks X' for G;

(2) or else, the DH-key component X ═ g in the public key encryption algorithm based on Diffie-Hellman or ElGamal^xIs changed to X' ═ g^xB^βE.g. G'; the common Diffile-Hellman secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; is recorded by { X', K_A＝K_BOr by { X', K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key; user 'A' is sending ciphertext CAt the same time or before sending the cipher text, sending the public key certificate or identity information I of the user' A_AThus obtaining a password-based secret signature algorithm with the sender identity authentication function; encrypting a random number R by using the obtained password-based signcryption algorithm; recording the secret label of the random number R as C, wherein the secret label C is a set of a plurality of numerical values; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R'; we assume that user "A" is only allowed to make mistakes a limited number of times to prevent online guessing attacks;

if user "a" does not have a password registered at user "B", user "a" calculates and sends DH-key component X ═ g^xE is G; at this time, the core and the characteristic of the implementation method-2 are to construct two functions K_AAnd K_BSo that K_A(a，x，B，pub)＝K_B(b, A, X, pub); the specific method comprises the following steps: user "A" calculation

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

I is more than or equal to 1 and less than or equal to 2; c depends on X, e does not depend on X; all calculations for user "A" can be performed in advance; user "B" can be calculated in advance

There are two ways to generate the session key and the authentication key:

(1) session key and authentication key are directly composed of K_A＝K_BAnd some subset of { c, e, X, pub } is derived using a key derivation function, at which time user "B" checks that X' is for G;

(2) alternatively, the common Diffile-Hellman secret that is really used by the encryptor and the decryptor in a Diffie-Hellman or ElGamal-based public key encryption algorithm is composed of { X, K_A＝K_BDerivation, i.e. KDF (K)_A，X)＝KDF(K_BX) or from { X, K)_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; notation of { X, K_A＝K_BOr by { X, K }_A＝K_BThe secret derived from (k) and aux is₁，k₂) (ii) a In general, k is₁Is a key for symmetric encryption and decryption, k₂Is a MAC authentication key; user 'A' sends the public key certificate or identity information I of user 'A' at the same time of sending cipher text C or before sending cipher text_AThereby obtaining a certificate of identity of the senderA password-based signcryption algorithm; encrypting a random number R by using the obtained password-based signcryption algorithm; recording the secret label of the random number R as C, wherein the secret label C is a set of a plurality of numerical values; if the decryption of the user B is wrong, the execution is stopped, and error information is returned or not returned; the session key and the authentication key are composed of random numbers R and k₁，k₂C, pub } or directly setting the session key and/or the authentication key to R; recording the derived authentication key as R';

t_ii is more than or equal to 1 and less than or equal to 2, and the key is as follows: for non-password based implementations, if the user "B" checks that X ∈ G and A ∈ G are confirmed, let t₁＝t₂1 is ═ 1; if the decryptor only checks for confirmations A ∈ G, X ∈ G 'or X ∈ G'/1_GAnd cannot confirm X ∈ G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

K_{B} = A^{t_{1} be};

let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux is implemented for password-based implementation_BIs { I_B，sid，r_BX', pub } for non-password based implementations aux_BIs { I_B，sid，r_BX, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

user "a" proves to user "B" that he does know R' using the following method: user "A" sends X' or X at the same time or receives t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AX', pub } or { I_A，sid，r_AA subset of X, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; if the authentication key is derived from the random number R of the signpost and the signpost C already contains a tag t_E＝MAC_k(E) Or in general t_E＝F_T(k, E), wherein E is an element of C or t is divided by C_EA subset of other elements than that, user "a" can prove more efficiently to user "B" that it knows R', i.e.: user "A" does not send t_A＝F_T(R′，aux_A) Instead, t in the secret tag C is_EIs replaced by

t_{A} = {MAC}_{K_{R}} (E, {aux}_{A})

Or

the implementation method-3: implementation-3 is applicable to the case where client "a" does not have or does not have the convenience of using a public key, but user "a" still sends DH-key component X ═ g^xAnd user 'B' has public key B ═ g^bAnd sends DH-key component Y ═ g^yThe case (2);

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

t_iI is more than or equal to 1 and less than or equal to 2, and the key is as follows: (1) let t be if user "B" checks that X ∈ G is confirmed₁＝t₂1 is ═ 1; (2) if user "B" only checks for confirmation X ∈ G 'or X ∈ G'/1_GBut X ∈ G cannot be confirmed, if y may leak, let

t = t_{1} = t_{2} = \frac{N}{q},

User "B" check confirmation K_B＝X^t(bc+yf)≠1_GIf y does not leak, the same procedure is followed as (1) t₁，t₂Can still be 1; if any check fails, the protocol operation is stopped, and error information is returned or not returned;

deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, X, Y, pub } derives a session key and an authentication key; let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned; to prove to user "B" that he does know R', user "A" is receiving t_BAnd verifies the confirmation t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method-4: the implementation method-4 is suitable for the client 'A' to have a discrete logarithm public key A ═ g^aAnd sends DH-key component X ═ g^xAnd user 'B' also has discrete logarithm public key B ═ g^bAnd sends DH-key component Y ═ g^yThe case (2);

the core and the characteristic of the implementation method-4 are that two functions K are constructed_AAnd K_BSo that K_A(a，x，B，Y，pub)＝K_B(b, y, A, X, pub); the specific method comprises the following steps: user "A" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Where c ═ H (X, pub) or H (X, B, pub), d ═ H (pub, Y) or H (pub, a, Y), e ═ 0 or 1 or H (pub), f ═ H (pub, X, Y) or H (c, d) or H (c, Y) or H (d, X), t_i1 or

I is more than or equal to 1 and less than or equal to 4; c. the key points of the setting of d, e and f are as follows: c is calculated according toX but not Y, d dependent calculations and Y but not X, e independent calculations neither X nor Y, f dependent calculations dependent on (X, Y); user "A" may be calculated in advance

<math> <mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

User "B" can be calculated in advance

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

Deriving a function from K using a secret key_A＝K_BAnd a subset of { f, c, d, e, X, Y, pub } derives a session key and an authentication key;

t_ii is more than or equal to 1 and less than or equal to 4, and the key of the setting is as follows: (1) if the user 'A' checks that B belongs to G and Y belongs to G, the user 'B' checks that A belongs to G and X belongs to G, let t belong to G₁＝t₂＝t₃＝t₄1 is ═ 1; (2) if user "A" only checks for confirmations B ∈ G, X ∈ G 'or X ∈ G'/1_GWhile X ∈ G cannot be confirmed, user "B" merely checks to confirm A ∈ G, Y ∈ G 'or Y ∈ G'/1_GIf Y ∈ G cannot be confirmed and x and/or Y may leak, let t₁＝1，

t_{2} = t_{3} = t_{4} = \frac{N}{q},

User "B" check confirmation

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>yf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>yd</mi> </mrow> </msup> <mo>,</mo> </mrow></math>

User "A" check confirmation

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>ad</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>xf</mi> </mrow> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>ae</mi> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>xc</mi> </mrow> </msup> <mo>;</mo> </mrow></math>

If x and y are not leaked, t can be set in the same way as (1)₁＝t₂＝t₃＝t₄1 is ═ 1; if any check fails, the protocol operation is stopped, and error information is returned or not returned;

let the derived authentication key be R ', in order to prove to user "A" that it knows R', user "B" utilizes a tag authentication function F_TCalculate and send t_B＝F_T(R′，aux_B) Wherein aux_BIs { I_B，sid，r_BX, Y, pub } is a subset of the session identifier, sid, r_BIs the protocol role designation of user "B"; user "A" checks t with the authentication key R_BIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned; to prove to user "B" that he does know R', user "A" is receiving t_BAnd verify t_BAfter correctness, t is calculated and sent to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Y, pub } and aux_A≠aux_B，r_AIs the protocol role designation for user "a"; user "B" checks t with the authentication key R_AIf the correctness is incorrect, the protocol execution is stopped, and error information is returned or not returned;

the implementation method comprises the following steps: implementation method-5 applies to the case where one, but not all, of client "A" and client "B" may not have a discrete logarithmic public key defined on (G', G, G, q), but still supports digital signatures;

let t_i1 or

I is more than or equal to 1 and less than or equal to 6; let aux_A^j，aux′_A^j，aux_Bⁱ，aux′_BⁱJ is more than or equal to 1 and less than or equal to 7, i is more than or equal to 1 and less than or equal to 9, and is divided by X and g respectively^x，Y＝g^yA subset or sequence of other protocol execution related information than that, may be empty or contain repeating elements; aux_AAnd aux'_AIs { I_A，sid，r_AA subset of X, Y, pub }, aux_BAnd aux'_BIs { I_B，sid，r_BA subset of X, Y, pub } and aux_A≠aux_BWhere sid is the session identifier, r_BIs the protocol role designation of user "B", r_AIs the protocol role designation for user "a"; order to

<math> <mrow> <mi>U</mi> <mo>&SubsetEqual;</mo> <mo>{</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>}</mo> <mo>;</mo> </mrow></math>

Calculating in advance: user "A" may calculate X in advance,

Or

(ii) a User "B" can calculate Y in advance,

Or

A first round: user 'A' transmission

<math> <mrow> <mo>{</mo> <mi>X</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>x</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mn>1</mn> </msubsup> <mo>}</mo> <mo>;</mo> </mrow></math>

And a second round: user "B" calculates and sends

<math> <mrow> <mo>{</mo> <mi>Y</mi> <mo>=</mo> <msup> <mi>g</mi> <mi>y</mi> </msup> <mo>&Element;</mo> <mi>G</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>=</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <mi>X</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>1</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>2</mn> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mn>3</mn> </msubsup> <mo>}</mo> <mo>,</mo> </mrow></math>

Or

{Y, T_{1} = H (Y, X, X^{t_{1} y}, {aux}_{B}^{2}), {aux}_{B}^{3}},

Or { Y, F_T(T′₁，aux_B)，aux_B³}, or { Y, aux'_B³}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>1</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>1</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow></math>

aux_B³containing identity information I of user' B_B，aux_B²And/or aux_B¹Containing identity information I of user' B_B；

User 'A' utilization

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Examination T₁Or F_T(T′₁，aux_B) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

and a third round: if user "a" has public key a ═ g^aE.g. G, then user 'A' calculates and sends

{T_{2} = H (X, Y, H (Y, Y^{t_{2} a}, {aux}_{A}^{2}), H (X, Y, Y^{t_{3} x}, {aux}_{A}^{3}), {aux}_{A}^{4}), {aux}_{A}^{5}},

Or

{T_{2} = H (X, Y, Y^{t_{2} a}, Y^{t_{3} x}, {aux}_{A}^{6}), {aux}_{A}^{5}},

Or { F_T(T′₂，aux_A)，aux_A⁵}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>2</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>2</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow></math>

aux_A⁵public key certificate or I containing user' A_A，aux_A²，aux_A⁶Identity information I containing user' A_A(ii) a User 'B' utilization

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>a</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

And

<math> <mrow> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>y</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>X</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

to check T₂Or F_T(T′₂，aux_A) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

<math> <mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>A</mi> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>3</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>3</mn> </msub> <mi>x</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>A</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>;</mo> </mrow></math>

user 'B' utilization

Checks s with the public key of user "A_AIf the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

fourth wheel: if user 'B' has public key B ═ g^bE.g. G, then user 'B' sends

{T_{3} = H (Y, X, H (X, X^{t_{4} b}, a {ux}_{B}^{4}), H (X, Y, X^{t_{5} y}, {aux}_{B}^{5}), {aux}_{B}^{6}), {aux}_{B}^{7}},

Or

{T_{3} = H (Y, X, X^{t_{4} b}, X^{t_{5} y}, {aux}_{B}^{8}), {aux}_{B}^{7}},

Or { F_T(T′₃，aux_B)，aux_B⁷}; wherein,

<math> <mrow> <msubsup> <mi>T</mi> <mn>3</mn> <mo>′</mo> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>4</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <mi>au</mi> <msubsup> <mi>x</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>,</mo> </mrow></math>

aux_B⁷public key certificate or I containing user' B_B，aux_B⁴，aux_B⁸Identity information I containing user' B_B(ii) a User 'A' utilization

<math> <mrow> <msup> <mi>B</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>4</mn> </msub> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

And

<math> <mrow> <msup> <mi>Y</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>x</mi> </mrow> </msup> <mrow> <mo>(</mo> <mo>=</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>)</mo> </mrow> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

to check T₃Or F_T(T′₃，aux_B) If the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

if user 'B' does not have public key B ═ g^bE.g. G but still supports digital signature, thenHome "B" sends s_B，aux_B⁹Therein aux_B⁹Public key certificate or I containing user' B_B，s_BUse of its own private key pair for user' B

<math> <mrow> <msubsup> <mi>T</mi> <mi>S</mi> <mi>B</mi> </msubsup> <mo>&Element;</mo> <mo>{</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>5</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>6</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>,</mo> <mi>H</mi> <mrow> <mo>(</mo> <mi>U</mi> <mo>,</mo> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>5</mn> </msub> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msubsup> <mi>aux</mi> <mi>B</mi> <mrow> <mo>′</mo> <mn>8</mn> </mrow> </msubsup> <mo>)</mo> </mrow> <mo>}</mo> <mo>;</mo> </mrow></math>

user 'A' utilization

Checks s with the public key of user' B_BIf the correctness is incorrect, the operation is stopped, and error information is returned or not returned;

session key management

K_{A} = Y^{t_{6} x} = X^{t_{6} y} = K_{B}

And a subset of { X, Y, pub }; user "A" may be calculated in advance

X = g^{x}, B^{t_{4} x}

Or

User "B" can be calculated in advance

Y = g^{y}, A^{t_{2} y}

Or(ii) a If user "A" is calculated in advance

Will be calculated after finishing the calculation

Delete, and save

(ii) a If user 'B' is calculated in advance

Will be calculated after finishing the calculation

Delete, and save

h = \frac{N}{q};

If the user 'B' checks that X belongs to G, let t₁＝t₄＝t₅1 is ═ 1; if the user 'A' checks that Y belongs to G, let t₂＝t₃1 is ═ 1; if user "B" only checks for confirmation that X ∈ G 'or X ∈ G'/1_GIf X ∈ G cannot be confirmed and no signature is used for the fourth round, t₁，t₃，t₄，t₅At least one of them is

And checking for confirmation X^hy≠1_GAnd/or X^hb≠1_G(ii) a If the user "A" only checks for confirmation Y ∈ G 'or Y ∈ G'/1_GAnd if Y ∈ G cannot be confirmed and no signature is used in the third round, then t₁，t₂，t₃，t₅At least one of them isAnd checking for confirmation Y^hx≠1_GAnd/or Y^ha≠1_G(ii) a If user "A" uses the signature for the third round, user "A" can only check for confirmations Y ∈ G 'or Y ∈ G'/1_GAnd can make t₃1 is ═ 1; if user "B" uses the signature for the fourth round, user "B" can only check for confirmation X ∈ G 'or X ∈ G'/1_GAnd can make t₁＝t₅1 is ═ 1; if any check fails, the protocol execution is stopped, and error information is returned or not returned; generally, let t₁＝t₃＝t₅＝t₆。

2. The password-based, secret data disclosure-resistant authentication and key exchange method according to claim 1, characterized by a password-based public key encryption and signcryption method:

let client "a" register a password w with user "B", who has a public key B ═ g^bE G and supports Diffie-Hellman or ElGamal-based public key encryption algorithms with its public key B as the public key, where any legitimate secret C includes a DH-key component X ═ G that is used to generate a Diffie-Hellman secret with public key B^xE.g. G'; namely: x ═ g^xFor generating a common Diffie-Hellman secret B between an encryptor and a decryptor, i.e. user' B^tx＝g^tbx＝X^tbE G', i.e.: user "A" calculates B^txE.g. G ', user ' B ' calculates X^tbE G' whereT is 1 or

(ii) a In general, the common secret used for encryption and decryption is composed of { X, B }^tx＝X^tbIs derived using a key derivation function, i.e., KDF (B)^tx，X)＝KDF(X^tb，X)；

The public key encryption method based on the password comprises the following specific steps: using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; Diffie-Hellman secret B for (X, B) in a public key encryption algorithm based on Diffie-Hellman or ElGamal is calculated as follows^tx＝g^tbx＝X^tb＝(X′B^-β)^tb＝X′_tbB_-tβbE G', i.e.: user "A" calculates K_A＝B^txE.g. G', and user "B" calculates K_B＝X′^tbB^-tbβE.g. G' or K_B＝(X′B^-β)^tbE.g. G'; the common secret really used by the encryptor and the decryptor is composed of { X', K_A＝K_BDerivation, i.e. KDF (K)_A，X′)＝KDF(K_BX '), or from { X', K_A＝K_BDerived from aux, aux is { I }_A，I_B，sid，r_A，r_BPub, can be null; wherein β is w and w is encoded as Z_qOne element of (1); or beta is H_w(W), wherein W is { W, I_A，I_BB, pub } or { w, X', I_A，I_BOne subset of, B, pub } containing w, H_wIs a hash function of length with output length less than q, H_wA short substring, typically set as the output of the hash function H; wherein t is 1 or(ii) a If beta is w or H_w(W) and W is { W, I_A，I_BOne subset of w, B, pub, user "B" calculates B in advance^-tbβE G' and/or B^tbβE G', and B^-tbβAnd/or B^tbβStored in the database entry corresponding to user "A"; namely: when user "A" registers password w with user "B", user "B" calculates β, B^-tbβE G' and/or B^tbβE.g. G', deleting beta and adding B^-tbβAnd/or B^tbβStoring the password in an entry corresponding to a user 'A' in a database instead of directly storing the password w or beta; to prevent offline attacks, user "A" is at X', B^txDeleting x, w, beta, B after calculation^βOr immediately deleted or stored in a secure location; the calculation of the user 'A' can be carried out in advance; in general, if the decryptor, i.e. user "B", checks the validation X ' e G, let t be 1, if the decryptor only checks the validation X ' e G ' or X ' e G '/1_GIf X' is not in the middle of G, then let

t = \frac{N}{q}

And checked to confirm X'^tb≠B^tbβOr K_B≠1_GOr (X' B)^-β)^t≠1_G(ii) a If any check fails, the user 'B' suspends the protocol operation, and returns or does not return error information; user 'A' sends identity information I of user 'A' at the same time of sending cipher text or before sending cipher text_A(ii) a The modified public key encryption algorithm based on Diffie-Hellman or ElGamal is called as a password-based Diffie-Hellman or ElGamal public key encryption algorithm;

the password-based secret signature specific method comprises the following steps: let client "a" have public key a ═ g^aE.g. G, and a password w is registered at the user 'B'; using DH-key component X ═ g for generating Diffie-Hellman secret in public key encryption algorithm based on Diffie-Hellman or ElGamal^xG is changed from e G to X ═ G^xB^βE.g. G'; wherein β is w and w is encoded as Z_qOr beta is H_w(W), wherein W is { W, I_A，A，I_BOne of the B, pub } contains a subset of w; user' sCalculation of "A

User 'B' calculation

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>bc</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <msup> <mrow> <mo>(</mo> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>bβ</mi> </mrow> </msup> <msup> <mi>X</mi> <mrow> <mo>′</mo> <mi>b</mi> </mrow> </msup> <mo>)</mo> </mrow> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>c</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> </mrow></math>

Or

，1≤i≤2；

All calculations for user "A" can be performed in advance and are performed at { β, X', K_ADeleting x after the calculation is finished, and w, beta, B^βOr immediately deleted or stored in a secure location; user "B" can be calculated in advance

<math> <mrow> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

Or/and B^-bβE.g. G'; user 'B' will

Or B^-bβOr

OrOr

Or

If user 'B' does not calculate in advance

Or B^-bβE.g. G ', user ' B ' will

Securely stored in the database entry corresponding to user "A", if necessary

Storing the data in an encrypted manner, wherein the beta is epsilon { w, H_w(W) }, at which time K_BIs calculated as

In general, if user "B" checks for confirmationX' belongs to G and A belongs to G, then let t₁＝t₂1 is ═ 1; if the decryptor only checks to confirm that A ∈ G, X '∈ G' or X '∈ G'/1_GAnd cannot confirm X' is the G, let t₁＝1，

t_{2} = \frac{N}{q},

User "B" check confirmation

And/or

Or

<math> <mrow> <msup> <mrow> <mo>(</mo> <msup> <mi>X</mi> <mo>′</mo> </msup> <msup> <mi>B</mi> <mrow> <mo>-</mo> <mi>β</mi> </mrow> </msup> <mo>)</mo> </mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> </msup> <mo>&NotEqual;</mo> <msub> <mn>1</mn> <mi>G</mi> </msub> </mrow></math>

Or

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>&NotEqual;</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>be</mi> </mrow> </msup> <mo>;</mo> </mrow></math>

If any check fails, the protocol operation is stopped, and error information is returned or not returned;

will K_A＝K_BReplacing Diffie-Hellman secrets B in Diffie-Hellman or ElGamal-based public key encryption algorithms^tx＝g^tbx＝X^tbNamely: b is to be^txIs replaced by K_AIs mixing X^tbIs changed to K_BAnd obtaining the password-based signcryption algorithm.

3. The password-based, secret data disclosure-resistant authentication and key exchange method according to claim 1, characterized by a non-forgeable knowledge binding attestation method:

let A be g^aE G and X ═ G^xE G is the public key and DH-key component of a user, i.e. the proof of knowledge binding "a", and a challenge Z G given to a verifier "B ═ is given^zE G ', ' A ' prove to the verifier that it does know a e Z using the following method_qAnd x ∈ Z_q(ii) a Wherein, the transmission sequence of A, X and Z is arbitrary, namely: user "a" can be either an initiator of the agreement or a responder to the agreement;

user "A" calculates and sends t to user "B_A＝F_T(R′，aux_A) Wherein aux_AIs { I_A，sid，r_AA subset of X, Z }, I_AIs the identity information of user "A", sid is the session identifier, r_AIs the protocol role designation of user ' A ' and the authentication key R ' is represented by K_A＝K_BExporting; the core of the knowledge binding proof is to calculate K_A＝K_BThe method of (1); wherein user "A" calculates K_AUser "B" calculates K_BPub contains the identity and public key information of users 'A' and 'B';

(1).

<math> <mrow> <msub> <mi>K</mi> <mi>A</mi> </msub> <mo>=</mo> <msup> <mi>Z</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>a</mi> <msub> <mi>h</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>x</mi> <msub> <mi>h</mi> <mn>2</mn> </msub> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>,</mo> </mrow></math>

<math> <mrow> <msub> <mi>K</mi> <mi>B</mi> </msub> <mo>=</mo> <msup> <mi>A</mi> <mrow> <msub> <mi>t</mi> <mn>1</mn> </msub> <mi>z</mi> <msub> <mi>h</mi> <mn>1</mn> </msub> </mrow> </msup> <msup> <mi>X</mi> <mrow> <msub> <mi>t</mi> <mn>2</mn> </msub> <mi>z</mi> <msub> <mi>h</mi> <mn>2</mn> </msub> </mrow> </msup> <mo>&Element;</mo> <msup> <mi>G</mi> <mo>′</mo> </msup> <mo>;</mo> </mrow></math>

wherein if the challenge Z is random, then h₁＝H(Z，pub) H if the challenge Z is a fixed public key₁H (pub, Z) or H (pub) or 1; h is₂H (X, Z, pub) or H₂＝H(h₁，X)；t_i1 or

I is more than or equal to 1 and less than or equal to 2; in general, R ═ KDF (K)_A，h₂)＝KDF(K_B，h₂) (ii) a If the user 'A' checks that Z belongs to G, let t_i1 is not less than 1 and i is not less than 2; if user "A" only checks for confirmation that Z ∈ G'/1_GOr Z belongs to G', and if Z belongs to G, then let

t_{i} = \frac{N}{q},

I is 1. ltoreq. i.ltoreq.2, and the user "A" further checks the confirmation K_A≠1_G(ii) a If any check fails, the user "A" suspends the protocol operation, and returns or does not return error information;

(2).K_A＝H(U，H(I_A，Z，Z^ta)，H(O，Z^tx)，aux)，K_B＝H(U，H(I_A，Z，A^tz)，H(O，X^tz) Aux), where t ═ 1 or

U ═ X, Z or

<math> <mrow> <mi>U</mi> <mo>&SubsetEqual;</mo> <mo>{</mo> <mi>X</mi> <mo>,</mo> <mi>Z</mi> <mo>}</mo> <mo>,</mo> </mrow></math>

If user "a" sends X user "B" first and then Z, O is (X, Z), and if user "B" sends Z user "a" first and then X, O is (Z, X); or, K_A＝H(U，Z^ta，Z^tx，aux)，K_B＝H(U，A^tz，X^tzAux), t ═ 1 or

(ii) a aux is a subset or sequence of other information related to protocol execution other than X, Z, and may be null; verifier "B" can calculate H (I) in advance_A，Z，A^tz) Or A^tz(ii) a If the user 'A' checks that Z belongs to G, making t equal to 1; if user "A" only checks for confirmation that Z ∈ G'/1_GOr Z belongs to G', and if Z belongs to G, then let

t = \frac{N}{q},

And user "A" further checks for confirmation Z^ta≠1_GAnd/or Z^tx≠1_G(ii) a If any check fails, user "A" aborts the protocol running, returning or not returning an error message.

4. A password-based, secret data leakage resistant authentication and key exchange method according to claim 1, characterized by the following method of resisting temporary secret data leakage:

the method for resisting temporary secret data leakage comprises the following steps: let A be g^aE G and X ═ G^xE G is the public key and DH-key component of a user, namely a knowledge binding prover 'A', and Z is set to G^zOne challenge of E G as verifier B is that the following method for resisting temporary secret data leakage is suitable for all Z needing to be calculated^ta＝A^tzAnd Z^tx＝X^tzThe protocol of (1); t is 1 or

(ii) a If the prover "a" transmits X verifier "B" first and then Z, O is (X, Z), and if "B" transmits Z user "a" first and then X, O is (Z, X);

the specific method comprises the following steps: will be Z in the original protocol^ta＝A^tzReplacement by H (I)_A，Z，Z^ta＝A^tz，aux₁) Will Z^tx＝X^tzBy substitution with H (O, Z)^tx＝X^tz，aux₂)；aux_j，1≤j≤2A subset or sequence of other protocol execution related information than X, Z, respectively, may be null; namely: user "B" will A^tzReplacement by H (I)_A，Z，A^tz，aux₁) Is mixing X^tzBy substitution with H (O, X)^tz，aux₂) (ii) a User "A" will Z^taReplacement by H (I)_A，Z，Z^ta，aux₁) Is a reaction of Z^txBy substitution with H (O, Z)^tx，aux₂)；

Verifier "B" can calculate H (I) in advance_A，Z，A^tz，aux₁) (ii) a The verifier only saves { z, H (I)_A，Z，A^tz，aux₁)，H(O，X^tz，aux₂) A subset of which serves as temporary secret data, with a deleted^tzAnd/or X^tz(ii) a Prover "A" only holds { x, a, H (I) }_A，Z，Z^ta，aux₁)，H(O，Z^tx，aux₂) A subset of Z is deleted as temporal secret data, with Z deleted^taAnd/or Z^tx(ii) a This method is used in conjunction with the implementation-5 of claim 1, where users "a" and "B" are both provers and verifiers, X is the challenge for user "B" and Y is the challenge for user "a".

5. The method of authentication and key exchange, password-based public key encryption and signcryption, and proof of knowledge binding and resistance to temporary secret disclosure according to claims 1, 2, 3, 4, characterized in that some subset of the following public key registration and public key certificate issuance methods can be applied to simplify the computation:

(1) the public key certificate authority CA checks to confirm that the public key registered by the user is an element in G or G/1 when issuing a certificate to the user_GMiddle element; if any check fails, the certificate authority refuses to issue the public key certificate; thus, each user can confirm that the public key of the opposite party is G or G/1 only by checking the public key certificate of the opposite party user_GThe elements of (1);

(2) the user registers user identity information ID and public key PK to a public key certificate authorityG', while submitting the inverse PK of the public key^-1E.g. G'; that is, in addition to ID and PK ∈ G', the public key certificate also includes PK^-1∈G′；

(3) When registering user identity information and a public key to a public key certificate authority, a user submits the identity information and the public key and the hash value of aux at the same time, or the identity information and the public key and the inverse element of the public key and the hash value of aux; providing or not providing a digital signature of the resulting hash value and/or aux using a private key corresponding to the public registration key; where aux is other information of the protocol: a subset of timestamps, session identifiers, etc., may be null; takes the hash value as t_PKThe digital signature is s_PK(ii) a I.e. the public key certificate includes t at the same time_PKAnd a subset of aux, with or without s_PK；

(4) If the public key issuing authority checks for t_PKOr s_PKIf the certificate is wrong, refusing to issue the certificate; when issuing a certificate to a user, a public key certificate issuing authority issues identity information, a public key and/or an inverse element, aux and a hash value t of the public key certificate to the user_PKAndor do not have s_PKCarrying out digital signature; alternatively, CA only pairs hash values t_PKCarrying out digital signature; rather than merely signing the user's identity information and public key; namely: a legitimate public key certificate must also contain the digital signature of the certificate authority;

thus, the hash function or key derivation function input or pub contains (I)_AA) or A can be replaced by a hash value in the public key certificate of the user 'A', and the hash value is recorded as t^A_PK(ii) a (I) contained in the hash function or key derivation function input or pub_BB) or B can be replaced by a hash value in a public key certificate of a user 'B' and is marked as t^B_PK(ii) a And, if the public key certificate contains the inverse of the user's public key, then in the implementation method-1 and implementation method-2 of claim 1, the users "a" and "B" do not need to calculate B in advance^-1∈G′。

6. Method of authentication and key exchange, public key encryption and signcryption based on passwords, and proof of knowledge binding and resistance to temporary secret disclosure according to claims 1, 2, 3, 4, characterized in that some subset of the following variants are applicable:

(1) a password-based variant: method of implementation-3 and method of implementation-4 of claim 1 are based on password variants; let user "A" register a password w at user "B"; in all methods, the DH key component X ═ XB sent by user "a" is transmitted^wOr X' ═ XB^-wOr is or

Or

Or is or

Or

(ii) a Where B is the public key of user "B", and X ═ g^x∈G′，H_wIs a hash function with an output length less than the length of q; after receiving X ', user "B" calculates X ═ X' B according to the corresponding calculation mode of X^-wOr X ═ X' B^wOr is or

Or

Or is or

Or

；K_A，K_B，t_A，t_BThe calculation still uses X as the challenge under the index, but X in the input of the function c, d, e, f above the index can be changed to X'; if, in addition to other prescribed off-line calculations in advance

Or

User "A" may calculate B in advance^-1E.g. G'; if X ═ XB^wOr X' ═ XB^-wUser "B" may calculate B in advance^-1E.g. G'; in the password-based variant, if both the public key of user "A" and X' are checked to confirm G or G/1_GElement in (1), then t in all indexes_iTaking an integer of 1; in implementation method-3, if user "B" only checks to confirm that X '∈ G' or X '∈ G'/1_GIf X' is not in the range of G, then let

t_{1} = t_{2} = \frac{N}{q}

And user "B" checks for confirmation K_B≠1_G(ii) a If any check fails, the protocol operation is stopped, and error information is returned or not returned;

(2) nesting identical or different hash functions in the input of the hash function, i.e.: taking the input of the original hash function and the nested hash function as nodes of a special directed graph, wherein the node represented by the input of the original hash function has no fan-in, the node represented by the hash function at the outermost layer has no fan-out, and the value represented by each node is the input of the hash function represented by the fan-out node;

(3) randomly changing the input sequence of the hash function; and/or, all inputs of the hash function are transformed into a union of all inputs, namely: repeated elements appear only once in the input; and/or, the hash function is converted into any function with the output as an integer; and/or, the hash function applied at each location is the same as or different from the hash function applied at other locations; that is, we use a set of hash functions H₁，H₂，…H_nH, wherein for any i, j, 1 ≦ i, j ≦ n, i ≠ j, H_i＝H_jOr H_i≠H_jN is more than or equal to 1 and n is the upper bound of the times of the hash function which is required to be applied;

(4) different key derivation functions: the key derivation function applied at each place is the same as or different from the key derivation functions applied at other places; that is, we use a set of key derivation functions KDF₁，KDF₂，…KDF_nJ, where for any i, j, 1 ≦ i, j ≦ n, i ≠ j, KDF_i＝KDF_jOr KDF_i≠KDF_jN is greater than or equal to 1 and n is the upper bound of the number of times we need to apply the key derivation function;

(5) in all methods user "A" checks K_A≠1_GUser "B" checks K_B≠1_G；

(6) For elliptic curve based implementations, K in the key derivation function input_A，K_BIs changed to K_A，K_BX-coordinate values or y-coordinate values of; each user checks that the x-coordinate and y-coordinate of the DH-key component of the opposite user are correctly coded elements in the finite field on which the elliptic curve is based;

(7) error abort and error message return: in all methods, once a user fails the check, i.e. makes an error, the protocol is aborted and an error message is sent back or not; in password-based implementations, client "a" is allowed to make mistakes only a limited number of times to prevent online attacks;

(8) a session identifier and user protocol role identification method: the session identifier is generally composed of two random numbers or DH-key components sent by users "a" and "B" in series in the order initiator-responder; the protocol role designations of the users are generally designated by different integers or different orders of the random numbers or DH-key components sent by users "a" and "B".