TWI877003B - Anonymous credential method and system based on hash and post-quantum cryptography - Google Patents

Publication number
TWI877003B
Authority
TW
Taiwan
Prior art keywords
post
quantum cryptography
anonymous
terminal device
key
Prior art date
Application number
TW113118407A
Other languages
Chinese (zh)
Other versions
TW202546673A (en
Inventor
陳志華
林峻鋒
林邦曄
繆嘉新
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW113118407A
Application granted
Publication of TWI877003B
Publication of TW202546673A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An anonymous credential method and system based on hash and post-quantum cryptography are provided. The anonymous credential method includes the following steps: generating, by a terminal device based on post-quantum cryptography, a random number as a private key corresponding to the post-quantum cryptography, and performing hash calculation w times on the private key to obtain a public key corresponding to the post-quantum cryptography; expanding, by an authorization certificate center based on post-quantum cryptography, the public key to obtain an expansion result; and generating, by the authorization certificate center based on post-quantum cryptography, an anonymous certificate of the terminal device based on post-quantum cryptography, wherein the anonymous certificate includes the expansion result.

Description

Anonymous credential method and system based on hash and post-quantum cryptography

The present invention relates to an anonymous credential method and system based on hash and post-quantum cryptography.

Current public-key encryption mainly uses RSA cryptography or Elliptic Curve Cryptography (ECC), but these have been shown to be potentially breakable. In particular, the prime factorization algorithm can reduce the time to break the current mainstream cryptographic algorithms (such as RSA and ECC) from exponential time complexity O(2^n) to polynomial time complexity O(n).

The anonymous credential method based on hash and post-quantum cryptography of the present invention includes the following steps: a terminal device based on post-quantum cryptography generates a random number a as a private key corresponding to post-quantum cryptography, and performs w hash calculations on the private key to obtain a public key corresponding to post-quantum cryptography; an authorization certificate center based on post-quantum cryptography expands the public key to obtain an expansion result; and the authorization certificate center based on post-quantum cryptography generates an anonymous certificate C_E of the terminal device based on post-quantum cryptography, wherein the anonymous certificate C_E includes the expansion result.

The anonymous credential system based on hash and post-quantum cryptography of the present invention includes an authorization certificate center based on post-quantum cryptography and a terminal device based on post-quantum cryptography, wherein the terminal device based on post-quantum cryptography generates a random number a as a private key corresponding to post-quantum cryptography, and performs w hash calculations on the private key to obtain a public key corresponding to post-quantum cryptography; the authorization certificate center based on post-quantum cryptography expands the public key to obtain an expansion result; and the authorization certificate center based on post-quantum cryptography generates an anonymous certificate C_E of the terminal device based on post-quantum cryptography, wherein the anonymous certificate C_E includes the expansion result.

S10, S30, S50: Steps

S10a-2, S10b-2a, S10b-2b, S30a-2, S30b-2a, S30b-2b, S50-2, S61-2a, S61-2b, S62-2, S63-2a, S63-2b, S71-2a, S71-2b, S81-2, S82-2a, S82-2b, S83-2a, S83-2b: Steps

S10a-3, S10b-3, S21-3, S22-3, S23-3, S24-3, S25-3, S30a-3, S30b-3, S30c-3, S50-3, S61-3, S62-3, S63-3, S64-3, S65-3, S66-3, S67-3: Steps

110: Authorization certificate center based on post-quantum cryptography

130: Terminal device based on post-quantum cryptography

130-1: First terminal device based on post-quantum cryptography

130-2: Second terminal device based on post-quantum cryptography

150: Registration center based on post-quantum cryptography

FIG. 1 is a flow chart of an anonymous credential method based on hash and post-quantum cryptography according to an embodiment of the present invention.

FIG. 2A is an implementation example of the anonymous credential method based on hash and post-quantum cryptography shown in FIG. 1.

FIG. 2B is a further implementation example of the anonymous credential method based on hash and post-quantum cryptography shown in FIG. 1.

FIG. 3 is another implementation example of the anonymous credential method based on hash and post-quantum cryptography shown in FIG. 1.

FIG. 1 is a flow chart of an anonymous credential method based on hash and post-quantum cryptography according to an embodiment of the present invention. The method is suitable for execution by an anonymous credential system that includes an authorization certificate center based on post-quantum cryptography and a terminal device based on post-quantum cryptography. Please refer to FIG. 1.

In step S10, the terminal device based on post-quantum cryptography generates a random number a as a private key corresponding to post-quantum cryptography, and performs w hash calculations on the private key to obtain a public key corresponding to post-quantum cryptography.

In step S30, the authorization certificate center based on post-quantum cryptography expands the public key to obtain an expansion result.

In step S50, the authorization certificate center based on post-quantum cryptography generates an anonymous certificate C_E of the terminal device based on post-quantum cryptography, wherein the anonymous certificate C_E includes the expansion result.

Implementation examples of the present invention are further described below by way of embodiments.

FIG. 2A is an implementation example of the anonymous credential method based on hash and post-quantum cryptography shown in FIG. 1. Please refer to FIG. 1 and FIG. 2A together. In this embodiment, the private key includes a post-quantum cryptography private key a, the public key includes a post-quantum cryptography public key A, and the expansion result includes a reconstruction value P. The terminal device 130 based on post-quantum cryptography includes a first terminal device 130-1 based on post-quantum cryptography and a second terminal device 130-2 based on post-quantum cryptography. Further, the terminal device 130 based on post-quantum cryptography includes a post-quantum cryptography key generation module. In other words, the first terminal device 130-1 and the second terminal device 130-2 may each include a post-quantum cryptography key generation module. The authorization certificate center 110 based on post-quantum cryptography, for its part, includes a first post-quantum cryptography key expansion module.

In step S10a-2, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may generate a random number a as the post-quantum cryptography private key a. Numbers in this embodiment are written in hexadecimal. For example, the post-quantum cryptography private key a may be 60B420BB3851D9D47ACB933DBE70399BF6C92DA33AF01D4FB770E98C0325F41D.

In step S10b-2a, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may perform w hash calculations on the post-quantum cryptography private key a to obtain the post-quantum cryptography public key A. For example, to improve computing efficiency, the first post-quantum cryptography-based terminal device 130-1 may select a w value 2 bytes long, which may be FFFF, but the length may also be increased according to the needs of the actual application to improve security. The first post-quantum cryptography-based terminal device 130-1 may compute the post-quantum cryptography public key A as D98742E324A52127AA02A5DD994D68446EF94E10005B5A1984F5D9F687FAA57D.

After step S10a-2 and step S10b-2a have been executed (together also called the step of generating a post-quantum cryptography key pair), the first post-quantum cryptography-based terminal device 130-1 may transmit the post-quantum cryptography public key A and the authorization information E of the first post-quantum cryptography-based terminal device 130-1 to the post-quantum cryptography-based authorization certificate center 110.

In step S30a-2, the first post-quantum cryptography key expansion module generates a random number r. For example, to improve computing efficiency, the first post-quantum cryptography key expansion module of the post-quantum cryptography-based authorization certificate center 110 may select a random number r 2 bytes long, here 30A5, but the length may also be increased according to the needs of the actual application to improve security.

In step S30b-2a, the first post-quantum cryptography key expansion module performs r hash calculations (r being the random number) on the post-quantum cryptography public key A to expand the post-quantum cryptography public key A into the reconstruction value P. In this embodiment, the post-quantum cryptography-based authorization certificate center 110 may compute the reconstruction value as P = H^r(A), where H^r(A) denotes performing r hash calculations on the post-quantum cryptography public key A. For example, the post-quantum cryptography-based authorization certificate center 110 may compute the reconstruction value P as A0A7C26314A878A11D5FEE4D65FB5ED78E427733C41A9D42C0F086BE897D9526.

After step S30a-2 and step S30b-2a have been executed (together also called the step of generating a post-quantum cryptography reconstruction value), in step S50-2 the post-quantum cryptography-based authorization certificate center 110 generates the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1, wherein the anonymous certificate C_E includes (at least) the reconstruction value P. In detail, the post-quantum cryptography-based authorization certificate center 110 may use the encoding function Encode(P, E, *) to generate the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1. In other words, in this embodiment the anonymous certificate C_E includes (at least) the reconstruction value P and the authorization information E of the first post-quantum cryptography-based terminal device 130-1. In this embodiment, the encoding function Encode(P, E, *) may use the Octet Encoding Rules (OER) format.

After step S50-2 has been executed (also called the step of generating a post-quantum cryptography anonymous certificate), in step S61-2a the first post-quantum cryptography key expansion module generates the hash value h of the anonymous certificate C_E. For example, the hash value of the anonymous certificate C_E (that is, H^1(C_E)) may be 2A93A8A442E305E84DA02D6620F77F97EC9EBBCA18ABEF6F64DAF110C3992937. To improve computing efficiency, the post-quantum cryptography-based authorization certificate center 110 may select the last 2 bytes of the hash value as the hash value h, here 2937, but the length may also be increased according to the needs of the actual application to improve security.

In step S62-2, the first post-quantum cryptography key expansion module obtains the reconstruction-value private key b from the hash value h (of the anonymous certificate C_E) and the random number r. In detail, the reconstruction-value private key b may be obtained with the following formula, which gives b = 59DC: b = h + r

Next, the post-quantum cryptography-based authorization certificate center 110 may transmit the reconstruction-value private key b and the anonymous certificate C_E to the first post-quantum cryptography-based terminal device 130-1.

In step S63-2a, the post-quantum cryptography key generation module (of the first post-quantum cryptography-based terminal device 130-1) generates the extended post-quantum cryptography private key q from the reconstruction-value private key b. In detail, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may obtain the extended post-quantum cryptography private key q with the following formula: q = H^b(a) (that is, performing b hash calculations on the post-quantum cryptography private key a)

For example, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may compute the extended post-quantum cryptography private key q as 44A8598BB7D14F4C50183BDF70AF631029F5EA622C54D4C791A847393F967287.

After step S61-2a, step S62-2 and step S63-2a have been executed (together also called the step of generating an extended post-quantum cryptography private key), in step S71-2a the first post-quantum cryptography-based terminal device 130-1 may generate the extended post-quantum cryptography public key Q with the following formula: Q = H^b(A) = H^h(P) = H^w(q)

In step S81-2, the second post-quantum cryptography-based terminal device 130-2 obtains the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1 from the post-quantum cryptography-based authorization certificate center 110.

In step S82-2a, the second post-quantum cryptography-based terminal device 130-2 computes the hash value h of the anonymous certificate C_E.

In step S83-2a, the second post-quantum cryptography-based terminal device 130-2 generates the extended post-quantum cryptography public key Q from the hash value h and the reconstruction value P in the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1. Continuing the example above, the hash value h of the anonymous certificate C_E is 2937 and the reconstruction value P is A0A7C26314A878A11D5FEE4D65FB5ED78E427733C41A9D42C0F086BE897D9526. The second post-quantum cryptography-based terminal device 130-2 may generate the extended post-quantum cryptography public key Q with the following formula: Q = H^h(P) (H^h(P) denotes performing h hash calculations on P)

For example, the second post-quantum cryptography-based terminal device 130-2 may generate the extended post-quantum cryptography public key Q as 93AA6322F2A17FC3C41C03E928ECECF858173F57E0E33C4B4BA0915CE44EB1E7.

It is worth noting that step S81-2, step S82-2a and step S83-2a are together also called the step of generating an extended post-quantum cryptography public key.
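The FIG. 2A flow above (steps S10a-2 through S83-2a), as an added Python example that is not part of the patent text: it walks the hash chain end to end and checks that Q = H^b(A) = H^h(P) = H^w(q). SHA-256 as H, the length-prefixed `encode()` standing in for the OER-format Encode(P, E, *), and all function names are assumptions; the page does not name the hash function.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """One hash step. SHA-256 is an assumption; the page does not name H."""
    return hashlib.sha256(data).digest()


def iterate(x: bytes, n: int) -> bytes:
    """Return H^n(x): apply H to x n times (n = 0 returns x unchanged)."""
    if n < 0:
        raise ValueError("iteration count must be non-negative")
    for _ in range(n):
        x = H(x)
    return x


def encode(P: bytes, E: bytes) -> bytes:
    """Hypothetical stand-in for Encode(P, E, *): length-prefixed fields, not OER."""
    return len(P).to_bytes(2, "big") + P + len(E).to_bytes(2, "big") + E


def decode(cert: bytes):
    """Parse a certificate made by encode(); reject truncated or padded input."""
    n = int.from_bytes(cert[:2], "big")
    P = cert[2:2 + n]
    m = int.from_bytes(cert[2 + n:4 + n], "big")
    E = cert[4 + n:4 + n + m]
    if len(P) != n or len(E) != m or len(cert) != 4 + n + m:
        raise ValueError("malformed certificate")
    return P, E


def cert_hash(cert: bytes) -> int:
    """h: the last 2 bytes of H(C_E), read as an integer (S61-2a, S82-2a)."""
    return int.from_bytes(H(cert)[-2:], "big")


def device_keygen(w: int):
    """S10a-2, S10b-2a: private key a is random, public key A = H^w(a)."""
    a = secrets.token_bytes(32)
    return a, iterate(a, w)


def ca_issue(A: bytes, E: bytes, r=None):
    """S30a-2 through S62-2 at the authorization certificate center."""
    if r is None:
        r = secrets.randbelow(0x10000)  # 2-byte r, as in the page's example
    P = iterate(A, r)                   # reconstruction value P = H^r(A)
    cert = encode(P, E)                 # anonymous certificate C_E
    # b = h + r is kept as a plain integer sum. Wrapping it to 16 bits
    # would break H^b(A) = H^h(P) whenever the sum overflows.
    b = cert_hash(cert) + r
    return cert, b


def device_expand(a: bytes, b: int) -> bytes:
    """S63-2a: extended private key q = H^b(a)."""
    return iterate(a, b)


def device_public_key(q: bytes, w: int) -> bytes:
    """S71-2a: the device's own view of the extended public key, H^w(q)."""
    return iterate(q, w)


def verifier_public_key(cert: bytes) -> bytes:
    """S81-2 through S83-2a: a second device derives Q = H^h(P) from C_E alone."""
    P, _E = decode(cert)
    return iterate(P, cert_hash(cert))


def run_demo(w: int = 0xFFFF) -> bool:
    """Run the whole flow with fresh random values; True if all three paths agree."""
    a, A = device_keygen(w)
    cert, b = ca_issue(A, b"constructed authorization info E")  # constructed sample
    q = device_expand(a, b)
    Q = device_public_key(q, w)
    return Q == verifier_public_key(cert) == iterate(A, b)


if __name__ == "__main__":
    print("Q matches on all three paths:", run_demo())
```

The verifier path uses only the certificate: it never sees a, r or b, and the three expressions agree because each one applies H a total of w + r + h times to a.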

In one embodiment, the post-quantum cryptography-based terminal device 130 corresponds to an Internet of Vehicles terminal device. The anonymous credential method of this embodiment further includes the following step: the post-quantum cryptography-based terminal device 130 sends an Internet of Vehicles packet. Further, the Internet of Vehicles packet may include the anonymous certificate C_E. The Internet of Vehicles packet may further include a signature made by the post-quantum cryptography-based terminal device 130 over the content of the packet using the extended post-quantum cryptography private key q, or a signature made by the post-quantum cryptography-based terminal device 130 over the hash value h' of the packet using the extended post-quantum cryptography private key q.

In one embodiment, the post-quantum cryptography-based terminal device 130 corresponds to a personal terminal device. The anonymous credential method of this embodiment further includes the following step: the post-quantum cryptography-based terminal device 130 casts an anonymous vote. Further, the anonymous vote may include the anonymous certificate C_E. The anonymous vote may further include a signature made by the post-quantum cryptography-based terminal device 130 over the content of the vote using the extended post-quantum cryptography private key q, or a signature made by the post-quantum cryptography-based terminal device 130 over the hash value h' of the vote using the extended post-quantum cryptography private key q.

FIG. 2B is an implementation example of the anonymous credential method based on hash and post-quantum cryptography shown in FIG. 1. Please refer to FIG. 1, FIG. 2A and FIG. 2B together. As in the implementation example of FIG. 2A, in the implementation example of FIG. 2B the private key includes a post-quantum cryptography private key a, the public key includes a post-quantum cryptography public key A, and the expansion result includes a reconstruction value P. The terminal device 130 based on post-quantum cryptography includes a first terminal device 130-1 based on post-quantum cryptography and a second terminal device 130-2 based on post-quantum cryptography. Further, the terminal device 130 based on post-quantum cryptography includes a post-quantum cryptography key generation module. In other words, the first terminal device 130-1 and the second terminal device 130-2 may each include a post-quantum cryptography key generation module. The authorization certificate center 110 based on post-quantum cryptography, for its part, includes a first post-quantum cryptography key expansion module.

It should first be noted that one difference between FIG. 2B and FIG. 2A is that, in the implementation example of FIG. 2B, the hash calculation includes a pseudo-random number generator calculation. In addition, in FIG. 2B, the first post-quantum cryptography key expansion module of the post-quantum cryptography-based authorization certificate center 110, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1, and the post-quantum cryptography key generation module of the second post-quantum cryptography-based terminal device 130-2 may each include a pseudo-random number generator. The detailed steps of FIG. 2B are described below.

In step S10a-2, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may generate a random number a as the post-quantum cryptography private key a. Numbers in this embodiment are written in hexadecimal. For example, the post-quantum cryptography private key a may be 806B32813B08F97.

In step S10b-2b, the pseudo-random number generator of the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 may perform w pseudo-random number generator calculations on the post-quantum cryptography private key a to obtain the post-quantum cryptography public key A. For example, the pseudo-random number generator used in this embodiment may be that of Java's built-in Random class. The post-quantum cryptography public key A is obtained with the following formula, where G denotes the pseudo-random number generator function and G^w(a) denotes setting a as the initial random seed and performing w pseudo-random number generator calculations, taking the t-th random number each time. In this embodiment t is set to 1, so G^1(a) denotes setting a as the random seed and taking the first random number as the value of G^1(a). G^2(a) denotes setting G^1(a) as the random seed and taking the first random number as the value of G^2(a), that is, G^2(a) = G^1(G^1(a)).

The post-quantum cryptography public key of this embodiment is A = G^w(a)

To improve computing efficiency, the first post-quantum cryptography-based terminal device 130-1 may select a w value 2 bytes long, which may be FFFF, but the length may also be increased according to the needs of the actual application to improve security. The first post-quantum cryptography-based terminal device 130-1 may compute the post-quantum cryptography public key A as 720405EEF70B774E.

After step S10a-2 and step S10b-2b have been executed (together also called the step of generating a post-quantum cryptography key pair), the first post-quantum cryptography-based terminal device 130-1 may transmit the post-quantum cryptography public key A and the authorization information E of the first post-quantum cryptography-based terminal device 130-1 to the post-quantum cryptography-based authorization certificate center 110.

In step S30a-2, the first post-quantum cryptography key expansion module generates a random number r. For example, to improve computing efficiency, the first post-quantum cryptography key expansion module of the post-quantum cryptography-based authorization certificate center 110 may select a random number r 2 bytes long, here 4729, but the length may also be increased according to the needs of the actual application to improve security.

In step S30b-2b, the pseudo-random number generator of the first post-quantum cryptography key expansion module performs r pseudo-random number generator calculations (r being the random number) on the post-quantum cryptography public key A to expand the post-quantum cryptography public key A into the reconstruction value P. In this embodiment, the post-quantum cryptography-based authorization certificate center 110 may compute the reconstruction value as P = G^r(A), where G^r(A) denotes performing r pseudo-random number generator calculations on A. For example, the post-quantum cryptography-based authorization certificate center 110 may compute the reconstruction value P as EC3085D9A2DFF8B6.

After step S30a-2 and step S30b-2b have been executed (together also called the step of generating a post-quantum cryptography reconstruction value), in step S50-2 the post-quantum cryptography-based authorization certificate center 110 generates the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1, wherein the anonymous certificate C_E includes (at least) the reconstruction value P. In detail, the post-quantum cryptography-based authorization certificate center 110 may use the encoding function Encode(P, E, *) to generate the anonymous certificate C_E of the first post-quantum cryptography-based terminal device 130-1. In other words, in this embodiment the anonymous certificate C_E includes (at least) the reconstruction value P and the authorization information E of the first post-quantum cryptography-based terminal device 130-1. In this embodiment, the encoding function Encode(P, E, *) may use the Octet Encoding Rules (OER) format.

After step S50-2 has been executed (also called the step of generating a post-quantum cryptography anonymous certificate), in step S61-2b the pseudo-random number generator of the first post-quantum cryptography key expansion module generates the pseudo-random value h of the anonymous certificate C_E. For example, the pseudo-random value of the anonymous certificate C_E (that is, G^1(C_E)) may be B18D9F7BA00A68CC. To improve computing efficiency, the post-quantum cryptography-based authorization certificate center 110 may select the last 2 bytes of the pseudo-random value as the pseudo-random value h, here 68CC, but the length may also be increased according to the needs of the actual application to improve security.

In step S62-2, the pseudo-random number generator of the first post-quantum cryptography key expansion module obtains the reconstruction-value private key b from the pseudo-random value h (of the anonymous certificate C_E) and the random number r. In detail, the reconstruction-value private key b may be obtained with the following formula, which gives b = AFF5: b = h + r

Next, the post-quantum cryptography-based authorization certificate center 110 can transmit the reconstruction-value private key b and the anonymous certificate CE to the first post-quantum cryptography-based terminal device 130-1.

In step S63-2b, the pseudo-random number generator of the post-quantum cryptography key generation module (of the first post-quantum cryptography-based terminal device 130-1) generates the expanded post-quantum cryptography private key q from the reconstruction-value private key b. In detail, the pseudo-random number generator of the post-quantum cryptography key generation module of the first terminal device 130-1 can obtain the expanded post-quantum cryptography private key q with the following formula:

q = G^b(a) (that is, the pseudo-random number generator computation is applied b times to the post-quantum cryptography private key a)

For example, the post-quantum cryptography key generation module of the first post-quantum cryptography-based terminal device 130-1 can compute the expanded post-quantum cryptography private key q as FCCD109657606A0E.

After steps S61-2b, S62-2 and S63-2b (together also called the step of generating the expanded post-quantum cryptography private key) have been executed, in step S71-2b the first post-quantum cryptography-based terminal device 130-1 can generate the expanded post-quantum cryptography public key Q with the following formula:

Q = G^b(A) = G^h(P) = G^w(q)

In step S81-2, the second post-quantum cryptography-based terminal device 130-2 obtains the anonymous certificate CE of the first post-quantum cryptography-based terminal device 130-1 from the post-quantum cryptography-based authorization certificate center 110.

In step S82-2b, the pseudo-random number generator of the post-quantum cryptography key generation module of the second post-quantum cryptography-based terminal device 130-2 computes the pseudo-random value h of the anonymous certificate CE.

In step S83-2b, the pseudo-random number generator of the post-quantum cryptography key generation module of the second post-quantum cryptography-based terminal device 130-2 generates the expanded post-quantum cryptography public key Q from the pseudo-random value h and the reconstruction value P contained in the anonymous certificate CE of the first post-quantum cryptography-based terminal device 130-1. Continuing the example above, the pseudo-random value h of the anonymous certificate CE is 68CC and the reconstruction value P is EC3085D9A2DFF8B6. The second terminal device 130-2 can generate the expanded post-quantum cryptography public key Q with the following formula:

Q = G^h(P) (G^h(P) denotes applying the pseudo-random number generator computation h times to P)

For example, the second post-quantum cryptography-based terminal device 130-2 can generate the expanded post-quantum cryptography public key Q as 9CE63D981FF19202.

It is worth noting that steps S81-2, S82-2b and S83-2b are together also called the step of generating the expanded post-quantum cryptography public key.

FIG. 3 is another implementation example of the anonymous credential method based on hashing and post-quantum cryptography shown in FIG. 1. Please refer to FIG. 1 and FIG. 3 together. In this embodiment, the private key includes the post-quantum cryptography caterpillar private key a for signing, the public key includes the post-quantum cryptography caterpillar public key A for signing, and the expansion result includes the post-quantum cryptography butterfly public key Qι for signing. Further, the anonymous credential system also includes a post-quantum cryptography-based registration center 150. The post-quantum cryptography-based authorization certificate center 110 includes a first post-quantum cryptography key expansion module, the post-quantum cryptography-based terminal device 130 includes a post-quantum cryptography key generation module, and the post-quantum cryptography-based registration center 150 includes a second post-quantum cryptography key expansion module.

In step S10a-3, the post-quantum cryptography-based terminal device 130 generates a random number a to serve as the post-quantum cryptography caterpillar private key a for signing. The numbers in this embodiment are written in hexadecimal, and the value of the caterpillar private key a for signing is 60B420BB3851D9D47ACB933DBE70399BF6C92DA33AF01D4FB770E98C0325F41D.

In step S10b-3, the post-quantum cryptography-based terminal device 130 performs w hash computations on the post-quantum cryptography caterpillar private key a for signing to obtain the post-quantum cryptography caterpillar public key A for signing. In this embodiment, a 2-byte w value is chosen to improve computing efficiency, and that w value is FFFF; the length can be increased to improve security according to the requirements of the actual application scenario. The computed caterpillar public key A for signing is D98742E324A52127AA02A5DD994D68446EF94E10005B5A1984F5D9F687FAA57D.

After steps S10a-3 and S10b-3 (together also called the step of generating the post-quantum cryptography caterpillar key pair) have been executed, the post-quantum cryptography-based registration center 150 can execute the step of generating the post-quantum cryptography cocoon public key (that is, steps S21-3, S22-3, S23-3, S24-3 and S25-3). It is worth stating first that in this step the post-quantum cryptography-based registration center 150 expands the post-quantum cryptography caterpillar public key A for signing into the post-quantum cryptography cocoon public key Bι for signing. The description continues below.

In step S21-3, the post-quantum cryptography-based terminal device 130 generates an AES key ck. In detail, the terminal device 130 can use the AES-128 algorithm to generate the AES key ck; the AES key ck is 23C29B624DE9EF9C2F931EFC580F9AFB, and this key can be used to execute the AES encryption algorithm.

In step S22-3, the post-quantum cryptography key generation module generates a post-quantum cryptography key pair (p, P) for encryption, consisting of the post-quantum cryptography private key p for encryption and the post-quantum cryptography public key P for encryption. In detail, the key pair (p, P) for encryption is a Kyber key pair: the private key p for encryption is a Kyber private key and the public key P for encryption is a Kyber public key. However, the present invention is not limited to this.

In step S23-3, the post-quantum cryptography-based terminal device 130 sends (ck, A, P) to the post-quantum cryptography-based registration center 150.

In step S24-3, the post-quantum cryptography-based registration center 150 generates a plurality of ι values and computes the expansion value rι using the AES key ck and the expansion function F(ck, ι). In this embodiment, the ι value is 01. The value of the expansion function F(ck, ι) is the ciphertext obtained by running the AES encryption algorithm on the plaintext ι with the AES key ck. For example, the value of F(ck, ι) can be 83DE7844AFE1C80645B4F20BAC594B5C. In this embodiment, to improve computing efficiency, the registration center 150 can take the last 2 bytes of the ciphertext as the expansion value rι, so that rι is 4B5C; the length can be increased to improve security according to the requirements of the actual application scenario.

In step S25-3, the second post-quantum cryptography key expansion module (of the post-quantum cryptography-based registration center 150) performs hash computations based on the expansion value rι and the post-quantum cryptography caterpillar public key A for signing to generate the post-quantum cryptography cocoon public key Bι for signing. In detail, the cocoon public key Bι for signing can be obtained with the following formula, where H^rι(A) denotes performing rι hash computations on the caterpillar public key A for signing; the computed cocoon public key Bι for signing is 1804C0EEFF11F3262DF7B957EFF9F0487DD19E3DD4CCDDDA9EE59B058BCCEB76:

Bι = H^rι(A)

After steps S21-3, S22-3, S23-3, S24-3 and S25-3 (that is, the step of generating the post-quantum cryptography cocoon public key) have been executed, the post-quantum cryptography-based authorization certificate center 110 can execute the step of generating the post-quantum cryptography butterfly public key (that is, steps S30a-3, S30b-3 and S30c-3). It is worth stating first that in this step the post-quantum cryptography-based authorization certificate center 110 expands the post-quantum cryptography cocoon public key Bι for signing into the post-quantum cryptography butterfly public key Qι for signing. The description continues below.

In step S30a-3, the post-quantum cryptography-based registration center 150 sends the post-quantum cryptography cocoon public key Bι for signing and the post-quantum cryptography public key P for encryption to the post-quantum cryptography-based authorization certificate center 110.

In step S30b-3, the first post-quantum cryptography key expansion module (of the post-quantum cryptography-based authorization certificate center 110) generates a random number c. In this embodiment, a 2-byte random number c is chosen to improve computing efficiency, and that random number c is EB76; the length can be increased to improve security according to the requirements of the actual application scenario.

In step S30c-3, the first post-quantum cryptography key expansion module (of the post-quantum cryptography-based authorization certificate center 110) performs hash computations on the post-quantum cryptography cocoon public key Bι for signing according to the random number c to generate the post-quantum cryptography butterfly public key Qι for signing. In detail, the butterfly public key Qι for signing can be obtained with the following formula, where H^c(Bι) denotes performing c hash computations on the cocoon public key Bι for signing; the computed butterfly public key Qι for signing is 6ACBBFBDD7E69C26C37619B3D30627D12F376935C9652ACA514E7445C08EDBB5:

Qι = H^c(Bι)

After steps S30a-3, S30b-3 and S30c-3 (that is, the step of generating the post-quantum cryptography butterfly public key) have been executed, in step S50-3 the post-quantum cryptography-based authorization certificate center 110 can generate the anonymous certificate CE of the post-quantum cryptography-based terminal device 130, where the anonymous certificate CE can include the post-quantum cryptography butterfly public key Qι for signing.

After step S50-3 (also called the step of generating the post-quantum cryptography anonymous certificate) has been executed, the post-quantum cryptography-based terminal device 130 can execute the step of generating the post-quantum cryptography butterfly private key (that is, steps S61-3, S62-3, S63-3, S64-3, S65-3, S66-3 and S67-3). The description continues below.

In step S61-3, the post-quantum cryptography-based authorization certificate center 110 encrypts the random number c with the post-quantum cryptography public key P for encryption.

Next, the post-quantum cryptography-based authorization certificate center 110 transmits the ciphertext of the random number c to the post-quantum cryptography-based terminal device 130. In detail, in step S62-3 the authorization certificate center 110 can transmit the ciphertext of the random number c and the signature of the random number c to the post-quantum cryptography-based registration center 150. Then, in step S63-3, the registration center 150 can transmit the plurality of ι values, the ciphertext of the random number c and the signature of the random number c to the terminal device 130.

Next, in step S64-3, the post-quantum cryptography-based terminal device 130 computes the expansion value rι using the AES key ck, the ι value and the expansion function F(ck, ι).

In step S65-3, the post-quantum cryptography key generation module (of the post-quantum cryptography-based terminal device 130) performs hash computations based on the expansion value rι and the post-quantum cryptography caterpillar private key a for signing to generate the post-quantum cryptography cocoon private key bι for signing. For example, the cocoon private key bι for signing can be 0E233E7F441C76998990C7D697E4362C67EA9F1A621767E6E9A555EF67A727CA.

In step S66-3, the post-quantum cryptography key generation module (of the post-quantum cryptography-based terminal device 130) uses the post-quantum cryptography private key p for encryption to decrypt the ciphertext of the random number c and obtain the plaintext of the random number c.

In step S67-3, the post-quantum cryptography key generation module performs hash computations on the post-quantum cryptography cocoon private key bι for signing according to the random number c to generate the post-quantum cryptography butterfly private key qι for signing. In detail, the butterfly private key qι for signing can be 9C85CAD311430F4DE81DC07182489C95942FC728FBF99F8A28029249E8D34116.
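The two key-expansion chains described above (the reconstruction-value flow of steps S50-2 to S83-2b and the caterpillar/cocoon/butterfly flow of steps S10a-3 to S67-3), as an added Python example that is not part of the patent text. It assumes SHA-256 for both H and G, uses a plain concatenation in place of Encode(P, E, *), and takes rι and c as inputs instead of deriving rι with AES and transporting c under Kyber, so its outputs are not expected to reproduce the hexadecimal values quoted in the description.

```python
import hashlib


def chain(value: bytes, n: int) -> bytes:
    """Apply the one-way function n times: H^n(value) (G^n in the PRNG variant)."""
    if n < 0:
        raise ValueError("iteration count must be non-negative")
    for _ in range(n):
        # Assumption: SHA-256 stands in for the unspecified H / G.
        value = hashlib.sha256(value).digest()
    return value


def cert_digest(cert: bytes, size: int = 2) -> int:
    """h: the last `size` bytes of one hash of the certificate, as an integer."""
    return int.from_bytes(chain(cert, 1)[-size:], "big")


def reconstruction_flow(a: bytes, w: int, r: int, auth_info: bytes) -> dict:
    """Reconstruction-value variant: P in the certificate, (q, Q) derived from it."""
    A = chain(a, w)            # terminal 130-1: public key A = H^w(a)
    P = chain(A, r)            # center 110: reconstruction value P = G^r(A)
    cert = P + auth_info       # assumption: concatenation replaces Encode(P, E, *)
    h = cert_digest(cert)      # center 110 (S61-2b): h taken from the certificate
    b = h + r                  # center 110 (S62-2): b = h + r, sent to terminal 130-1
    q = chain(a, b)            # terminal 130-1 (S63-2b): q = G^b(a)
    # Terminal 130-2 (S82-2b, S83-2b) needs only the certificate: Q = G^h(P).
    Q_verifier = chain(P, cert_digest(cert))
    return {"A": A, "P": P, "cert": cert, "h": h, "b": b, "q": q,
            "Q_verifier": Q_verifier}


def butterfly_flow(a: bytes, w: int, r_iota: int, c: int) -> dict:
    """Caterpillar -> cocoon -> butterfly expansion on both key halves."""
    A = chain(a, w)            # terminal 130 (S10b-3): caterpillar public key
    B = chain(A, r_iota)       # registration center 150 (S25-3): cocoon public key
    Q = chain(B, c)            # certificate center 110 (S30c-3): butterfly public key
    b = chain(a, r_iota)       # terminal 130 (S65-3): cocoon private key
    q = chain(b, c)            # terminal 130 (S67-3): butterfly private key
    return {"A": A, "B": B, "Q": Q, "b": b, "q": q}


def keys_match(private: bytes, public: bytes, w: int) -> bool:
    """A private/public pair is consistent when public == H^w(private)."""
    return chain(private, w) == public


if __name__ == "__main__":
    # Constructed sample private key; w, r_iota and c reuse the 2-byte
    # values quoted in the description (FFFF, 4B5C, EB76).
    a = bytes(range(32))
    w, r_iota, c = 0xFFFF, 0x4B5C, 0xEB76

    rec = reconstruction_flow(a, w, r=0x1234, auth_info=b"constructed-E")
    # Q = G^b(A) = G^h(P) = G^w(q): all three routes reach the same value.
    print("Q via verifier :", rec["Q_verifier"].hex())
    print("Q via G^b(A)   :", chain(rec["A"], rec["b"]).hex())
    print("Q via G^w(q)   :", chain(rec["q"], w).hex())

    bf = butterfly_flow(a, w, r_iota, c)
    print("cocoon pair ok    :", keys_match(bf["b"], bf["B"], w))
    print("butterfly pair ok :", keys_match(bf["q"], bf["Q"], w))
```

The public and private halves stay paired at every stage only because iterated applications of the same function commute, H^m(H^n(x)) = H^n(H^m(x)); the example exercises exactly that property.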

In one embodiment, the post-quantum cryptography-based terminal device 130 corresponds to an Internet of Vehicles terminal device. The anonymous credential method of this embodiment further includes the following step: the terminal device 130 sends an Internet of Vehicles packet. The Internet of Vehicles packet can include the anonymous certificate CE. The packet can further include a signature that the terminal device 130 produces over the content of the packet with the post-quantum cryptography butterfly private key qι for signing, or a signature that the terminal device 130 produces over the hash value h' of the packet with the butterfly private key qι for signing.

It should be noted that the anonymous credential method of this embodiment further includes the following step: the post-quantum cryptography-based terminal device 130 obtains the post-quantum cryptography butterfly public key Qι for signing from the anonymous certificate CE and uses it to verify the signature over the content of the Internet of Vehicles packet, or to verify the signature over the hash value h' of the Internet of Vehicles packet.

In one embodiment, the post-quantum cryptography-based terminal device 130 corresponds to a personal terminal device. The anonymous credential method of this embodiment further includes the following step: the terminal device 130 casts an anonymous vote. The anonymous vote can include the anonymous certificate CE. The anonymous vote can further include a signature that the terminal device 130 produces over the content of the vote with the post-quantum cryptography butterfly private key qι for signing, or a signature that the terminal device 130 produces over the hash value h' of the vote with the butterfly private key qι for signing.

It should be noted that the anonymous credential method of this embodiment further includes the following step: the post-quantum cryptography-based terminal device 130 obtains the post-quantum cryptography butterfly public key Qι for signing from the anonymous certificate CE and uses it to verify the signature over the content of the anonymous vote, or to verify the signature over the hash value h' of the anonymous vote.

The present invention further provides an anonymous credential system based on hashing and post-quantum cryptography. The anonymous credential system includes a post-quantum cryptography-based authorization certificate center and a post-quantum cryptography-based terminal device, wherein the terminal device generates a random number a as the private key corresponding to the post-quantum cryptography and performs w hash computations on the private key to obtain the public key corresponding to the post-quantum cryptography; the authorization certificate center expands the public key to obtain an expansion result; and the authorization certificate center generates the anonymous certificate CE of the terminal device, wherein the anonymous certificate CE includes the expansion result. The anonymous credential system has been described in the foregoing embodiments. In one embodiment, the anonymous credential system further includes a post-quantum cryptography-based registration center in order to execute the implementation example of the anonymous credential method based on hashing and post-quantum cryptography described with FIG. 3 above.

In summary, in the anonymous credential method and system based on hashing and post-quantum cryptography of the present invention, the post-quantum cryptography-based authorization certificate center can expand the public key (corresponding to the post-quantum cryptography) to obtain an expansion result. The authorization certificate center can then generate the anonymous certificate CE of the post-quantum cryptography-based terminal device, and the anonymous certificate CE can include that expansion result. In this way, the public key can be prevented from being easily broken by a prime factorization algorithm.

S10, S30, S50: Steps

Claims (23)

一種基於雜湊及後量子密碼學的匿名憑證方法,適於由匿名憑證系統執行,其中所述匿名憑證系統包括基於後量子密碼學的授權憑證中心以及基於後量子密碼學的終端設備,其中所述匿名憑證方法包括以下步驟:由所述基於後量子密碼學的終端設備產製隨機數a以作為對應於所述後量子密碼學的私鑰,並且對所述私鑰執行w次雜湊計算以得到對應於所述後量子密碼學的公鑰;由所述基於後量子密碼學的授權憑證中心擴展所述公鑰以獲得擴展結果;以及由所述基於後量子密碼學的授權憑證中心產製所述基於後量子密碼學的終端設備的匿名憑證,其中所述匿名憑證包括所述擴展結果。 An anonymous certification method based on hashing and post-quantum cryptography is suitable for being executed by an anonymous certification system, wherein the anonymous certification system includes an authorized certification center based on post-quantum cryptography and a terminal device based on post-quantum cryptography, wherein the anonymous certification method includes the following steps: the terminal device based on post-quantum cryptography generates a random number a as a random number corresponding to the post-quantum cryptography. A private key is obtained, and w hash calculations are performed on the private key to obtain a public key corresponding to the post-quantum cryptography; the authorized certificate center based on post-quantum cryptography expands the public key to obtain an expanded result; and the authorized certificate center based on post-quantum cryptography generates an anonymous certificate of the terminal device based on post-quantum cryptography, wherein the anonymous certificate includes the expanded result. 如請求項1所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述私鑰包括後量子密碼學私鑰a,其中所述公鑰包括後量子密碼學公鑰A,其中所述擴展結果包括重構值P。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 1, wherein the private key includes a post-quantum cryptography private key a, wherein the public key includes a post-quantum cryptography public key A, and wherein the expansion result includes a reconstructed value P. 
如請求項2所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的授權憑證中心包括第一後量子密碼學金鑰擴展模組,其中由所述基於後量子密碼學的授權憑證中心擴展所述公鑰以獲得所述擴展結果的步驟包括:由所述第一後量子密碼學金鑰擴展模組產製隨機數r,並且對所述後量子密碼學公鑰A執行所述隨機數r次的所述雜湊計算 以將所述後量子密碼學公鑰A擴展為所述重構值P。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 2, wherein the authorization certification center based on post-quantum cryptography includes a first post-quantum cryptography key expansion module, wherein the step of the authorization certification center based on post-quantum cryptography expanding the public key to obtain the expansion result includes: generating a random number r by the first post-quantum cryptography key expansion module, and performing the hashing calculation r times on the post-quantum cryptography public key A to expand the post-quantum cryptography public key A to the reconstructed value P. 如請求項3所述的基於雜湊及後量子密碼學的匿名憑證方法,更包括以下步驟:由所述第一後量子密碼學金鑰擴展模組產製所述匿名憑證的雜湊值h,並且根據所述雜湊值h以及所述隨機數r得到重構值私鑰b。 The anonymous certificate method based on hashing and post-quantum cryptography as described in claim 3 further includes the following steps: the first post-quantum cryptography key expansion module generates a hash value h of the anonymous certificate, and obtains a reconstructed value private key b based on the hash value h and the random number r. 如請求項4所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的終端設備包括後量子密碼學金鑰產製模組,其中所述匿名憑證方法更包括以下步驟:由所述後量子密碼學金鑰產製模組根據所述重構值私鑰b產製出擴展後後量子密碼學私鑰q。 As described in claim 4, the anonymous certification method based on hashing and post-quantum cryptography, wherein the terminal device based on post-quantum cryptography includes a post-quantum cryptography key generation module, wherein the anonymous certification method further includes the following steps: the post-quantum cryptography key generation module generates an extended post-quantum cryptography private key q according to the reconstructed value private key b. 
如請求項5所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的終端設備包括第一基於後量子密碼學的終端設備以及第二基於後量子密碼學的終端設備,其中所述匿名憑證方法更包括以下步驟:由所述第二基於後量子密碼學的終端設備從所述基於後量子密碼學的授權憑證中心取得所述第一基於後量子密碼學的終端設備的所述匿名憑證;以及由所述第二基於後量子密碼學的終端設備計算所述匿名憑證的所述雜湊值h,並且根據所述雜湊值h以及所述第一基於後量子密碼學的終端設備的所述匿名憑證中的所述重構值P產製出擴展後後量子密碼學公鑰Q。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 5, wherein the terminal device based on post-quantum cryptography includes a first terminal device based on post-quantum cryptography and a second terminal device based on post-quantum cryptography, and wherein the anonymous certification method further includes the following steps: the second terminal device based on post-quantum cryptography obtains the anonymous certificate of the first terminal device based on post-quantum cryptography from the authorized certification center based on post-quantum cryptography; and the second terminal device based on post-quantum cryptography calculates the hash value h of the anonymous certificate, and generates an extended post-quantum cryptography public key Q based on the hash value h and the reconstructed value P in the anonymous certificate of the first terminal device based on post-quantum cryptography. 
如請求項5所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的終端設備對應於車聯網終端設備,其中所述匿名憑證方法更包括以下步驟:由所述基於後量子密碼學的終端設備發送車聯網封包,其中所述車聯網封包包括所述匿名憑證;所述車聯網封包更包括所述基於後量子密碼學的終端設備運用所述擴展後後量子密碼學私鑰q來對所述車聯網封包的內容的簽章,或包括所述車聯網封包更包括所述基於後量子密碼學的終端設備運用所述擴展後後量子密碼學私鑰q來對所述車聯網封包的雜湊值h’的所述簽章。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 5, wherein the terminal device based on post-quantum cryptography corresponds to a vehicle network terminal device, wherein the anonymous certification method further comprises the following steps: the terminal device based on post-quantum cryptography sends a vehicle network packet, wherein the vehicle network packet includes the anonymous certificate; the vehicle network packet further includes the terminal device based on post-quantum cryptography using the extended post-quantum cryptography private key q to sign the content of the vehicle network packet, or includes the vehicle network packet further including the terminal device based on post-quantum cryptography using the extended post-quantum cryptography private key q to sign the hash value h' of the vehicle network packet. 
如請求項5所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的終端設備對應於個人終端設備,其中所述匿名憑證方法更包括以下步驟:由所述基於後量子密碼學的終端設備進行匿名投票,其中所述匿名投票包括所述匿名憑證;所述匿名投票更包括所述基於後量子密碼學的終端設備運用所述擴展後後量子密碼學私鑰q來對所述匿名投票的內容的簽章,或包括所述匿名投票更包括所述基於後量子密碼學的終端設備運用所述擴展後後量子密碼學私鑰q來對所述匿名投票的雜湊值h’的所述簽章。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 5, wherein the terminal device based on post-quantum cryptography corresponds to a personal terminal device, wherein the anonymous certification method further comprises the following steps: anonymous voting is performed by the terminal device based on post-quantum cryptography, wherein the anonymous voting includes the anonymous certificate; the anonymous voting further includes the terminal device based on post-quantum cryptography using the extended post-quantum cryptography private key q to sign the content of the anonymous vote, or the anonymous voting further includes the terminal device based on post-quantum cryptography using the extended post-quantum cryptography private key q to sign the hash value h' of the anonymous vote. 如請求項2所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述雜湊計算包括偽隨機數產生器計算。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 2, wherein the hashing calculation includes a pseudo-random number generator calculation. 
如請求項9所述的基於雜湊及後量子密碼學的匿名憑證方法,其中所述基於後量子密碼學的授權憑證中心包括第一後量子密碼學金鑰擴展模組,且所述第一後量子密碼學金鑰擴展模組包括偽隨機數產生器,其中由所述基於後量子密碼學的授權憑證中心擴展所述公鑰以獲得所述擴展結果的步驟包括:由所述第一後量子密碼學金鑰擴展模組產製隨機數r,並且由所述第一後量子密碼學金鑰擴展模組的所述偽隨機數產生器對所述後量子密碼學公鑰A執行所述隨機數r次的所述偽隨機數產生器計算以將所述後量子密碼學公鑰A擴展為所述重構值P。 An anonymous certification method based on hashing and post-quantum cryptography as described in claim 9, wherein the authorization certificate center based on post-quantum cryptography includes a first post-quantum cryptography key expansion module, and the first post-quantum cryptography key expansion module includes a pseudo-random number generator, wherein the authorization certificate center based on post-quantum cryptography expands the public key to obtain the The step of obtaining the expansion result includes: generating a random number r by the first post-quantum cryptography key expansion module, and executing the pseudo-random number generator calculation r times on the post-quantum cryptography public key A by the pseudo-random number generator of the first post-quantum cryptography key expansion module to expand the post-quantum cryptography public key A to the reconstructed value P. 如請求項10所述的基於雜湊及後量子密碼學的匿名憑證方法,更包括以下步驟:由所述第一後量子密碼學金鑰擴展模組的所述偽隨機數產生器產製所述匿名憑證的偽隨機數值h,並且根據所述偽隨機數值h以及所述隨機數r得到重構值私鑰b。 The anonymous certificate method based on hashing and post-quantum cryptography as described in claim 10 further includes the following steps: the pseudo-random number generator of the first post-quantum cryptography key expansion module generates the pseudo-random value h of the anonymous certificate, and obtains the reconstructed value private key b according to the pseudo-random value h and the random number r. 
The anonymous credential method based on hash and post-quantum cryptography as described in claim 11, wherein the terminal device based on post-quantum cryptography includes a post-quantum cryptography key generation module, and the post-quantum cryptography key generation module includes the pseudo-random number generator, wherein the anonymous credential method further comprises the following steps: the pseudo-random number generator of the post-quantum cryptography key generation module generates an extended post-quantum cryptography private key q according to the reconstructed-value private key b.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 12, wherein the terminal device based on post-quantum cryptography includes a first terminal device based on post-quantum cryptography and a second terminal device based on post-quantum cryptography, wherein the post-quantum cryptography key generation module of the second terminal device based on post-quantum cryptography includes the pseudo-random number generator, and wherein the anonymous credential method further comprises the following steps: the second terminal device based on post-quantum cryptography obtains the anonymous certificate of the first terminal device based on post-quantum cryptography from the authorization certificate center based on post-quantum cryptography; and the pseudo-random number generator of the post-quantum cryptography key generation module of the second terminal device based on post-quantum cryptography calculates the pseudo-random value h of the anonymous certificate, and generates an extended post-quantum cryptography public key Q according to the pseudo-random value h and the reconstructed value P in the anonymous certificate of the first terminal device based on post-quantum cryptography.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 1, wherein the private key includes a post-quantum cryptography caterpillar private key a for signature, wherein the public key includes a post-quantum cryptography caterpillar public key A for signature, wherein the expansion result includes a post-quantum cryptography butterfly public key Qι for signature, wherein the anonymous credential system further includes a registration center based on post-quantum cryptography, and wherein the anonymous credential method further comprises the following steps: the registration center based on post-quantum cryptography expands the post-quantum cryptography caterpillar public key A for signature into a post-quantum cryptography cocoon public key Bι for signature; wherein the step in which the authorization certificate center based on post-quantum cryptography expands the public key to obtain the expansion result includes: the authorization certificate center based on post-quantum cryptography expands the post-quantum cryptography cocoon public key Bι for signature into the post-quantum cryptography butterfly public key Qι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 14, wherein the terminal device based on post-quantum cryptography includes a post-quantum cryptography key generation module, wherein the registration center based on post-quantum cryptography includes a second post-quantum cryptography key expansion module, and wherein the step in which the registration center based on post-quantum cryptography expands the post-quantum cryptography caterpillar public key A for signature into the post-quantum cryptography cocoon public key Bι for signature includes: the post-quantum cryptography key generation module generates a post-quantum cryptography key pair (p, P) for encryption, comprising a post-quantum cryptography private key p for encryption and a post-quantum cryptography public key P for encryption; the terminal device based on post-quantum cryptography generates an AES key ck; the terminal device based on post-quantum cryptography sends (ck, A, P) to the registration center based on post-quantum cryptography; the registration center based on post-quantum cryptography generates a plurality of ι values, and calculates an expansion value rι using the AES key ck and an expansion function F(ck,ι); and the second post-quantum cryptography key expansion module performs the hash calculation according to the expansion value rι and the post-quantum cryptography caterpillar public key A for signature to generate the post-quantum cryptography cocoon public key Bι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 15, wherein the authorization certificate center based on post-quantum cryptography includes a first post-quantum cryptography key expansion module, and wherein the step in which the authorization certificate center based on post-quantum cryptography expands the post-quantum cryptography cocoon public key Bι for signature into the post-quantum cryptography butterfly public key Qι for signature includes: the registration center based on post-quantum cryptography sends the post-quantum cryptography cocoon public key Bι for signature and the post-quantum cryptography public key P for encryption to the authorization certificate center based on post-quantum cryptography; and the first post-quantum cryptography key expansion module generates a random number c, and performs the hash calculation on the post-quantum cryptography cocoon public key Bι for signature according to the random number c to generate the post-quantum cryptography butterfly public key Qι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 16, further comprising the following steps: the authorization certificate center based on post-quantum cryptography encrypts the random number c using the post-quantum cryptography public key P for encryption, and transmits the ciphertext of the random number c to the terminal device based on post-quantum cryptography; the terminal device based on post-quantum cryptography calculates the expansion value rι using the AES key ck, the ι value and the expansion function F(ck,ι); the post-quantum cryptography key generation module performs the hash calculation according to the expansion value rι and the post-quantum cryptography caterpillar private key a for signature to generate a post-quantum cryptography cocoon private key bι for signature; and the post-quantum cryptography key generation module decrypts the ciphertext of the random number c using the post-quantum cryptography private key p for encryption to obtain the plaintext of the random number c, and performs the hash calculation on the post-quantum cryptography cocoon private key bι for signature according to the random number c to generate a post-quantum cryptography butterfly private key qι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 17, wherein the terminal device based on post-quantum cryptography corresponds to a vehicle network terminal device, and wherein the anonymous credential method further comprises the following steps: the terminal device based on post-quantum cryptography sends a vehicle network packet, wherein the vehicle network packet includes the anonymous certificate; the vehicle network packet further includes a signature that the terminal device based on post-quantum cryptography makes on the content of the vehicle network packet using the post-quantum cryptography butterfly private key qι for signature, or the vehicle network packet further includes the signature that the terminal device based on post-quantum cryptography makes on the hash value h' of the vehicle network packet using the post-quantum cryptography butterfly private key qι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 18, further comprising the following steps: the terminal device based on post-quantum cryptography obtains the post-quantum cryptography butterfly public key Qι for signature from the anonymous certificate, and uses the post-quantum cryptography butterfly public key Qι for signature to verify the signature of the content of the vehicle network packet, or to verify the signature of the hash value h' of the vehicle network packet.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 17, wherein the terminal device based on post-quantum cryptography corresponds to a personal terminal device, and wherein the anonymous credential method further comprises the following steps: the terminal device based on post-quantum cryptography performs an anonymous vote, wherein the anonymous vote includes the anonymous certificate; the anonymous vote further includes a signature that the terminal device based on post-quantum cryptography makes on the content of the anonymous vote using the post-quantum cryptography butterfly private key qι for signature, or the anonymous vote further includes the signature that the terminal device based on post-quantum cryptography makes on the hash value h' of the anonymous vote using the post-quantum cryptography butterfly private key qι for signature.
The anonymous credential method based on hash and post-quantum cryptography as described in claim 20, further comprising the following steps: the terminal device based on post-quantum cryptography obtains the post-quantum cryptography butterfly public key Qι for signature from the anonymous certificate, and uses the post-quantum cryptography butterfly public key Qι for signature to verify the signature of the content of the anonymous vote, or to verify the signature of the hash value h' of the anonymous vote.
An anonymous credential system based on hash and post-quantum cryptography, including an authorization certificate center based on post-quantum cryptography and a terminal device based on post-quantum cryptography, wherein the terminal device based on post-quantum cryptography generates a random number a as a private key corresponding to the post-quantum cryptography, and performs the hash calculation w times on the private key to obtain a public key corresponding to the post-quantum cryptography; the authorization certificate center based on post-quantum cryptography expands the public key to obtain an expansion result; and the authorization certificate center based on post-quantum cryptography generates an anonymous certificate of the terminal device based on post-quantum cryptography, wherein the anonymous certificate includes the expansion result.
The anonymous credential system based on hash and post-quantum cryptography as described in claim 22, wherein the private key includes a post-quantum cryptography caterpillar private key a for signature, wherein the public key includes a post-quantum cryptography caterpillar public key A for signature, wherein the expansion result includes a post-quantum cryptography butterfly public key Qι for signature, and wherein the anonymous credential system further includes a registration center based on post-quantum cryptography, wherein the registration center based on post-quantum cryptography expands the post-quantum cryptography caterpillar public key A for signature into a post-quantum cryptography cocoon public key Bι for signature; and the authorization certificate center based on post-quantum cryptography expands the post-quantum cryptography cocoon public key Bι for signature into the post-quantum cryptography butterfly public key Qι for signature.
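The caterpillar, cocoon and butterfly expansion of claims 14 to 17, as an added Python sketch that is not code from the patent. It assumes that a hash calculation "according to" rι or c means iterating the hash that many times (the wording claim 10 uses for r), and it substitutes SHA-256 for the hash and HMAC-SHA256 for the AES-based F(ck,ι). W, R_MAX and all function names are hypothetical, and the encryption of c under P is omitted.

```python
import hashlib
import hmac
import secrets

W = 16       # w: hash iterations from a private key to its public key (constructed value)
R_MAX = 64   # hypothetical bound on iteration counts; small so the demo runs fast


def H(x: bytes) -> bytes:
    """SHA-256 standing in for the claims' hash / PRNG calculation (assumption)."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """Apply H n times: H^n(x)."""
    for _ in range(n):
        x = H(x)
    return x


def F(ck: bytes, i: int) -> int:
    """Stand-in for F(ck, ι): HMAC-SHA256 instead of AES, reduced to a count r_i."""
    mac = hmac.new(ck, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(mac[:4], "big") % R_MAX


def device_keygen() -> tuple[bytes, bytes]:
    """Terminal device: caterpillar private key a and public key A = H^w(a)."""
    a = secrets.token_bytes(32)
    return a, iterate(a, W)


def ra_cocoon_public(A: bytes, ck: bytes, i: int) -> bytes:
    """Registration center: cocoon public key B_i = H^{r_i}(A)."""
    return iterate(A, F(ck, i))


def ca_butterfly_public(B_i: bytes) -> tuple[int, bytes]:
    """Authorization certificate center: random c and Q_i = H^c(B_i)."""
    c = 1 + secrets.randbelow(R_MAX)
    return c, iterate(B_i, c)


def device_butterfly_private(a: bytes, ck: bytes, i: int, c: int) -> bytes:
    """Terminal device: b_i = H^{r_i}(a), then q_i = H^c(b_i)."""
    return iterate(iterate(a, F(ck, i)), c)


def run_flow(i: int = 7) -> dict:
    a, A = device_keygen()
    ck = secrets.token_bytes(16)            # AES key ck sent to the registration center
    B_i = ra_cocoon_public(A, ck, i)
    c, Q_i = ca_butterfly_public(B_i)       # c would return encrypted under P (omitted)
    q_i = device_butterfly_private(a, ck, i, c)
    # Iteration counts add, so H^w(q_i) = H^{w + r_i + c}(a) = Q_i.
    return {"a": a, "ck": ck, "c": c, "A": A, "Q_i": Q_i, "q_i": q_i,
            "consistent": iterate(q_i, W) == Q_i}


if __name__ == "__main__":
    print(run_flow()["consistent"])
```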
TW113118407A 2024-05-17 2024-05-17 Anonymous credential method and system based on hash and post-quantum cryptography TWI877003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW113118407A TWI877003B (en) 2024-05-17 2024-05-17 Anonymous credential method and system based on hash and post-quantum cryptography

Publications (2)

Publication Number Publication Date
TWI877003B true TWI877003B (en) 2025-03-11
TW202546673A TW202546673A (en) 2025-12-01

Family

ID=95830716

Family Applications (1)

Application Number Title Priority Date Filing Date
TW113118407A TWI877003B (en) 2024-05-17 2024-05-17 Anonymous credential method and system based on hash and post-quantum cryptography

Country Status (1)

Country Link
TW (1) TWI877003B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI648679B (en) * 2017-08-16 2019-01-21 永豐商業銀行股份有限公司 License management system and method using blockchain
US20230120742A1 (en) * 2017-10-04 2023-04-20 Jintai Ding Quantumproof blockchain
CN117744822A (en) * 2023-12-21 2024-03-22 重庆邮电大学 Quantum hash k collision searching method based on local diffusion operator

