Decryption method based on bilinear pair operation, electronic device, storage medium and program product
By using a random number conversion method for user keys, the vulnerability of the SM9 algorithm to side-channel attacks in bilinear pairing operations is solved, thus achieving secure protection of user information.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SANECHIPS TECH CO LTD
- Filing Date
- 2025-12-09
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, the bilinear pairing operation of the SM9 algorithm in the decryption and key exchange processes is vulnerable to side-channel attacks, threatening user information security.
The user key is converted by random number to obtain the converted second user key. Bilinear pairing operation is then performed based on the second user key to obtain the bilinear pairing mapping result of the information to be decrypted. Decryption is then performed to ensure that the voltage and electromagnetic side channel information released during the calculation process is random.
It effectively resists side-channel attacks, prevents attackers from stealing password information, and ensures user information security.
Smart Images

Figure CN121283633B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of elliptic curve cryptography, and in particular to a decryption method, electronic device, storage medium, and program product based on bilinear pairing operations. Background Technology
[0002] In 1984, Israeli cryptographer Shamir proposed Identity-Based Cryptograph (IBC). Because this cryptographic system uses mathematical algorithms with identification functions, users do not need to apply for and exchange certificates, thus simplifying the complexity of cryptographic system management. Such a system has natural cryptographic delegation capabilities and is suitable for regulated application environments.
[0003] In recent years, my country has been vigorously promoting the standardization of identifier-based cryptographic algorithms. The SM9 algorithm, promulgated by the State Cryptography Administration, is a user-identifier-based cryptographic algorithm. Its security relies on the difficulty of solving the elliptic curve discrete logarithm problem and the bilinear pair inversion problem, with bilinear pair computation being one of the key operations. During the operation of the SM9 algorithm, the user's private key is involved in the bilinear pair computation in both the decryption and key exchange processes. Bilinear pair computation occurs in the SM9 decapsulation / decryption process. ,in For the user's encrypted private key, and To fix known information, attackers can collect a large number of energy consumption curves for bilinear pairing operations, and then perform differential or correlational power consumption analysis on these curves to crack the algorithm. This information could be compromised, thus threatening user information security. Therefore, how to resist side-channel attacks targeting bilinear pairing operations is a technical problem that needs to be solved in related technologies. Summary of the Invention
[0004] This application provides a decryption method, electronic device, storage medium, and program product based on bilinear pairing operations, which can resist side-channel attacks targeting bilinear pairing operations.
[0005] To solve the above-mentioned technical problems, this application is implemented as follows:
[0006] In a first aspect, a decryption method based on bilinear pairing operation is provided, comprising: converting a first user key using a random number to obtain a converted second user key; performing a bilinear pairing operation on the information to be decrypted based on the second user key to obtain a bilinear pairing mapping result of the information to be decrypted; and decrypting the information to be decrypted based on the bilinear pairing mapping result to obtain plaintext information corresponding to the information to be decrypted.
[0007] In a second aspect, an electronic device is provided, comprising a processor and a memory, the memory storing a program or instructions executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the decryption method based on bilinear pairing operations described in the first aspect.
[0008] Thirdly, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the decryption method based on bilinear pairing operations as described in the first aspect above.
[0009] Fourthly, a computer program product is provided, the computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the steps of the decryption method based on bilinear pairing operations as described in the first aspect above.
[0010] In this embodiment, a first user key is converted using a random number to obtain a converted second user key. Based on the second user key, a bilinear pairing operation is performed on the information to be decrypted to obtain a bilinear pairing mapping result. Then, based on the bilinear pairing mapping result, the information to be decrypted is decrypted to obtain the plaintext information corresponding to the information to be decrypted. Through the technical solution provided by this embodiment, because a random number is introduced to convert the user key, and the converted user key is used for bilinear pairing operations, the voltage and electromagnetic side-channel information released during the calculation process is random. This prevents attackers from stealing secret information during the algorithm's operation through side-channel attacks, thereby preventing attackers from obtaining password information and ensuring user information security.
[0011] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application. Attached Figure Description
[0012] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0013] Figure 1 A flowchart illustrating a decryption method based on bilinear pairing operations provided in an exemplary embodiment of this application is shown.
[0014] Figure 2 A flowchart illustrating a decryption method based on bilinear pairing operations provided in another exemplary embodiment of this application is shown.
[0015] Figure 3A flowchart illustrating a decryption method based on bilinear pairing operations provided in another exemplary embodiment of this application is shown.
[0016] Figure 4 A schematic diagram of an exemplary embodiment of the present application for calculating SM9 bilinear pairs against side-channel attacks is shown;
[0017] Figure 5a A power consumption curve for an unprotected bilinear pairing operation is shown.
[0018] Figure 5b A TVLA analysis curve for an unprotected bilinear pairing operation is shown.
[0019] Figure 6a A power consumption curve for a protected bilinear pairing operation is shown.
[0020] Figure 6b A TVLA analysis curve for a protected bilinear pairing operation is shown.
[0021] Figure 7 This is a structural block diagram of an electronic device according to an exemplary embodiment of this application. Detailed Implementation
[0022] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
[0023] Figure 1 A flowchart illustrating a decryption method based on bilinear pairing operations provided in an exemplary embodiment of this application is shown. This method can be executed by an electronic device. Figure 1 As shown, the decryption method based on bilinear pairing operations mainly includes the following steps.
[0024] S110, the first user key is converted using a random number to obtain the converted second user key.
[0025] S120, based on the second user key, performs a bilinear pairing operation on the information to be decrypted to obtain the bilinear pairing mapping result of the information to be decrypted.
[0026] S130, based on the bilinear pairing mapping result, decrypt the information to be decrypted to obtain the plaintext information corresponding to the information to be decrypted.
[0027] In this embodiment of the application, after obtaining the bilinear pair mapping result of the information to be decrypted, the information to be decrypted can be decrypted according to the scheme in the related technology, such as the steps described in SM9. The specific process will not be repeated in this embodiment of the application.
[0028] The method provided in this application embodiment involves converting the first user key using a random number to obtain a converted second user key. Based on the second user key, a bilinear pairing operation is performed on the information to be decrypted to obtain a bilinear pairing mapping result. Then, based on the bilinear pairing mapping result, the information to be decrypted is decrypted to obtain the plaintext information corresponding to the information to be decrypted. In this application embodiment, by randomizing the calculation steps involving secret information in the SM9 bilinear pairing calculation, the voltage and electromagnetic side-channel information released during the calculation process are randomized. This resists attacks based on side-channel analysis techniques, ensuring the user's information security.
[0029] In some embodiments, such as Figure 2 As shown, S110 may include the following steps.
[0030] S112, Obtain the first coordinates of the first point corresponding to the first user key on the elliptic curve in the affine coordinate system;
[0031] S114, Use a random number generator to generate a first random number and a second random number;
[0032] S116, use the first random number and the second random number to convert the first coordinates into the second coordinates in the Jacobian weighted projective coordinate system, where the second coordinates are the coordinates corresponding to the second user key.
[0033] In the above embodiments, a first random number and a second random number can be generated by a random number generator. The first coordinates can be converted into second coordinates in the Jacobian weighted projective coordinate system, i.e., the second user key, by the first random number and the second random number, thereby realizing the randomization of the data of the first coordinates.
[0034] In some embodiments, S116 may include the following steps:
[0035] Step 1: Concatenate the first random number and the second random number to form the target random number;
[0036] Step 2: Use the target random number to convert the first coordinate in the affine coordinate system to the second coordinate in the Jacobi weighted projective coordinate system.
[0037] In the above embodiments, the first random number and the second random number can be concatenated to form the target random number, thereby enabling the concatenation of a short-bit-length random number generated by the random number generator into a longer-bit-length random number, reducing the complexity of generating random numbers. Of course, this is not a limitation; in practical applications, a longer-bit-length random number can also be directly generated by the random number generator, and this application does not limit this aspect.
[0038] In some embodiments, the first coordinate can be converted to the second coordinate using the following formula. ):
[0039] ) = ( );
[0040] Where x and y are the coordinates of the first point in the affine coordinate system, and z is the target random number. ( ,| indicates splicing). The first random number, This is the second random number.
[0041] In the above embodiments, a target random number can be used to convert the coordinates Q(x,y) of the first point Q corresponding to the first user key on the elliptic curve in the affine coordinate system into the second coordinates in the Jacobi weighted projective coordinate system. The calculation is relatively simple.
[0042] In some embodiments, the x and y coordinates of the first point in the affine coordinate system can both be two-dimensional 512-bit numbers. In these embodiments, the lengths of the first and second random numbers can be 256 bits. In these embodiments, a random number generator can be used to generate two 256-bit random numbers. and Then, the affine coordinate point Q corresponding to the first user key is converted to Q in the Jacobian weighted projective coordinate system. and The side-channel information involved in the calculation of the bilinear pair is unpredictable and changes with each calculation. Therefore, the Q obtained through the transformation operation is also unpredictable and changes with each calculation. All side-channel information leaked by the operation steps involving Q, including but not limited to voltage and electromagnetic fields, is random. Therefore, the side-channel information collected by the attacker each time is unrelated and cannot deduce the value of Q, thus resisting attacks by the attacker based on side-channel analysis.
[0043] It should be noted that although the above embodiment uses the example of using a target random number to convert the coordinates of the first point in affine coordinates to the coordinates in Jacobi weighted projective coordinates to illustrate the implementation of converting the first user key with a random number to obtain the converted second user key, it is not limited to this. In practical applications, other methods can also be used to convert the first user key to the second user key. For example, a random number can be inserted into the first user key, and then the coordinates of the point corresponding to the first user key with the inserted random number on the elliptic curve in affine coordinates can be obtained. The bilinear pairing operation can then be performed on the information to be decrypted using these coordinates.
[0044] In some embodiments, such as Figure 3 As shown, S120 may include the following steps:
[0045] S122, based on the third coordinate of the second point corresponding to the elliptic curve in the affine coordinate system and the aforementioned second coordinate, calculate the line function value and use the line function value as a sparse element on the finite extension of the bilinear pair.
[0046] S124. Based on the above sparse elements, the output value of the Miller algorithm is calculated using sparse multiplication iteration.
[0047] S126. Based on the above output value, the bilinear pair mapping result is obtained through exponentiation.
[0048] In the above embodiment, based on the third coordinate of the second point corresponding to the information to be decrypted on the elliptic curve in the affine coordinate system and the second coordinate obtained by the above transformation, the line function value can be calculated. Then, the output value of the Miller algorithm is calculated iteratively using sparse multiplication, and the bilinear pair mapping result is obtained through exponentiation. Since the second coordinate is obtained by encrypting the first user key with a random number, the voltage and electromagnetic side-channel information released in the above calculation process is random, thereby resisting attacks by attackers based on side-channel analysis techniques.
[0049] In some embodiments, S122 may include:
[0050] initialization ,in, Let L be the second coordinate. The length of the binary bits, =6t+2, where t is a parameter defined for the elliptic curve, and t is an integer seed used to generate the elliptic curve parameters. The generation of an elliptic curve requires an initial integer parameter t, and a series of calculations (such as calculating the curve order, base domain characteristics, etc.) are used to ultimately determine a safe elliptic curve. For example, in the GM / T 0044-2016 standard, a recommended value for t is given: t = 600000000058F98A (hexadecimal). This value was selected after safety analysis and is used to generate standard SM9 curve parameters. From t, the order N and base domain characteristics p of the elliptic curve can be calculated. Represented in binary ,and For i, iterate from L-2 to 0 and perform the following steps:
[0051] like Then perform the calculation. ,in, Let P be the value of the tangent function to the elliptic curve, where P is the second point on the elliptic curve corresponding to the information to be decrypted. , , and Let T be the Jacobian-weighted projective coordinates. and Let P be the affine coordinates of the second point. , and The parameters are those of the preset tower expansion formula;
[0052] calculate ,in, coordinate values of each , and They are respectively:
[0053] ;
[0054] ;
[0055] ;
[0056] like ,implement and ;
[0057] in, Let P be the value of the linear function of the elliptic curve;
[0058]
[0059] Calculations yielded coordinate values of each , and They are respectively:
[0060] ;
[0061]
[0062] .
[0063] In the above embodiments, initialization is performed first. That is, initialization , , ),make =6t+2, where t is a parameter defined to generate the elliptic curve. Represented in binary ,and L is The binary bit length, and the affine coordinates corresponding to the second point P are If i is traversed from L-2 to 0, then the following iterative steps are performed:
[0064] like Then execute:
[0065] Step 1, Calculate ,in, Let P be the value of the tangent function to the elliptic curve.
[0066] Step 2, Calculate ;
[0067] like Then execute:
[0068] Step 1', Calculate and ,in, Let P be the value of the linear function of the elliptic curve;
[0069] Step 2', .
[0070] In the above embodiments, due to To weight the Jacobian projective coordinate system, therefore... The calculation can be performed using the formulas for affine coordinates:
[0071]
[0072] Formula for converting to Jacobi weighted projective coordinates:
[0073]
[0074] in, , and These are the parameters of the preset tower expansion formula.
[0075] The calculation can be performed using the formulas for affine coordinates:
[0076]
[0077]
[0078] Formula for converting to Jacobi weighted projective coordinates:
[0079] ;
[0080] ;
[0081] .
[0082] The calculation can be performed using the formulas for affine coordinates:
[0083] ;
[0084] ;
[0085] Formula for converting to Jacobi weighted projective coordinates:
[0086] ;
[0087]
[0088] .
[0089] Through the above embodiments, sparse elements on the finite extension of bilinear pairs can be calculated using the converted second user key. Since the second user key is obtained by converting the first user key with a random number, the side-channel information such as voltage and electromagnetic fields released during the calculation process is random, which can resist attacks by attackers based on side-channel analysis methods.
[0090] In some embodiments, S124 may include the following steps:
[0091] Step 1, Calculate as well as ,in, for The Frobenius first-order self-homomorphism is computed. , for The calculation of the Frobenius quadratic automorphism, ,in It is a constant value, obtained by performing a twelfth-order expansion of a field element where all dimensions are 1. The modulo power is pre-calculated. , The second coordinate; It is a large prime number defined by the parameter t of the BN curve;
[0092] Step 2, Calculate and ;
[0093] Step 3, Calculation and , obtain the output value .
[0094] In the above embodiments, the output value of the Miller algorithm can be calculated iteratively using sparse multiplication based on the sparse elements on the finite extension of the bilinear pair obtained by the converted second user key. Since the second user key is obtained by converting the first user key with a random number, the voltage and electromagnetic side-channel information released during the calculation process is random, which can resist attacks by attackers based on side-channel analysis methods.
[0095] In some embodiments, S126 above may include: calculating the bilinear pair mapping result using the following formula. : ,in, and It is a large prime number defined by the elliptic curve parameter t.
[0096] It should be noted that the embodiments described above involve... "For ordinary extended-domain multiplication calculations, traditional calculation methods can be used. However, the randomization of coordinates will also randomize the intermediate calculation results of these multiplication calculations."
[0097] In related technologies, the Miller algorithm used in the SM9 bilinear pairing operation... , and In the steps, It may be the user's private key and have been used in the computation multiple times. and Related, The data input from the outside world, i.e., the information to be decrypted, can be manipulated by an attacker to control and change the external input. Collect a large number of different inputs The side-channel information involved in the computation steps is then used to obtain the key through differential energy analysis. The value of . Using the technical solution provided in the embodiments of this application, the SM9 bilinear pair calculation method against side-channel attacks can be as follows: Figure 4 As shown, where, Figure 4 In These are the fixed system parameters specified for the national cryptographic SM9 algorithm.
[0098] according to Figure 4 In step ①, use a random number generator to generate two 256-bit random numbers. and Then affine coordinate points Transformed to Jacobi weighted projective coordinates , and It is unpredictable and changes with each bilinear pair calculation, so the result obtained through its transformation operation... It is also unpredictable and changes every time, all existence The side-channel information leaked during the computational steps involved, including but not limited to voltage and electromagnetic fields, is random. The side-channel information collected by the attacker each time is unrelated and cannot be used to deduce... The numerical value. The coordinate transformation formula is as follows: For Affine coordinates of the first point , Each is a two-dimensional 512-bit data set, obtained by introducing random 512 bits. ( (| indicates splicing) can be transformed into Jacobian weighted projective coordinates. ) = ( ).
[0099] Figure 4 Step ② The calculation can be performed using the formulas for affine coordinates:
[0100] ;
[0101] Formula for converting to Jacobi weighted projective coordinates:
[0102] .
[0103] Figure 4 Step ② The calculation can be performed using the formulas for affine coordinates:
[0104] ;
[0105] .
[0106] Formula for converting to Jacobi weighted projective coordinates:
[0107] ;
[0108] ;
[0109] .
[0110] Figure 4 Step ③ The calculation can be performed using the formulas for affine coordinates:
[0111] .
[0112] Formula for converting to Jacobi weighted projective coordinates:
[0113] .
[0114] Figure 4 Step ③ The calculation can be performed using the formulas for affine coordinates:
[0115] ;
[0116] .
[0117] Formula for converting to Jacobi weighted projective coordinates:
[0118] ;
[0119] ;
[0120] .
[0121] Figure 4 Step 4 The calculation of a first-order egomorphism of Frobenius is in the form of: Because of For any element in the set, its exponent is The modulo operation is the conjugate of the element, so the complex calculation of the qth power can be simplified to multiplying each dimension of each element by a specific coefficient, resulting in the following formula:
[0122] .
[0123] Figure 4 Step 4 The calculation formula for the Frobenius quadratic automorphism is as follows:
[0124] .
[0125] Figure 4 The calculations for steps ⑤ and ⑥ are performed similarly.
[0126] Figure 4 Step 7 of the calculation no longer involves sensitive information. Traditional calculation methods can be used.
[0127] Figure 4 The steps involved in "For ordinary extended-domain multiplication calculations, traditional calculation methods can be used. However, the randomization of coordinates will also randomize the intermediate calculation results of these multiplication calculations."
[0128] The above-mentioned , and These can be the parameters of the tower expansion formula used by the SM9 protocol.
[0129] The following is a comparative analysis of the test vector leakage assessment (TVLA) in typical test methods of Destructive Physical Analysis (DPA) using the bilinear pairing calculation with and without anti-attack protection provided in the embodiments of this application:
[0130] The power consumption curves obtained by collecting data for bilinear pair operations without anti-attack protection using the data acquisition and test settings shown in Table 1 are as follows: Figure 5a As shown, the TVLA analysis results are as follows: Figure 5b As shown.
[0131] Table 1.
[0132]
[0133] Depend on Figure 5b It can be seen that the unprotected bilinear pairing operation has significant leakage under the TVLA test, with the |t| value being significantly higher than the threshold of 4.5 at a large number of moments (the statistic t is the leakage confidence level, and when it is greater than 4.5, it is considered that there is a high probability of leakage).
[0134] The power consumption curves obtained by collecting data for bilinear pair operations with anti-attack protection using the data acquisition and test settings shown in Table 2 are as follows: Figure 6a As shown, the TVLA analysis results are as follows: Figure 6b As shown.
[0135] Table 2.
[0136]
[0137] like Figure 6bAs shown, except for the false positive spike caused by input loading detected at the beginning of algorithm execution, there are no other positions where |t|>4.5 are simultaneously satisfied. Therefore, it is evident that the bilinear pairing operation provided in this embodiment can achieve leak-free operation.
[0138] like Figure 7 As shown, this application embodiment also provides an electronic device 600, including a processor 601 and a memory 602. The memory 602 stores a program or instructions that can run on the processor 601. When the program or instructions are executed by the processor 601, they implement the various steps of the above-described decryption method embodiment based on bilinear pairing operation and can achieve the same technical effect. To avoid repetition, they will not be described again here.
[0139] In some embodiments of this application, a readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, performs the following steps:
[0140] The first user key is transformed by a random number to obtain the transformed second user key;
[0141] Based on the second user key, a bilinear pairing operation is performed on the information to be decrypted to obtain the bilinear pairing mapping result of the information to be decrypted.
[0142] Based on the bilinear pairing mapping result, the information to be decrypted is decrypted to obtain the plaintext information corresponding to the information to be decrypted.
[0143] When executed by the processor, this program can implement all the implementation methods in the above-described decryption method based on bilinear pairing operations. To avoid repetition, these will not be described again here.
[0144] In one exemplary embodiment, a readable storage medium is also provided, which stores a program or instructions that a stored program or instruction processor executes all or part of the steps in the decryption method based on bilinear pairing operations described above. For example, the readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a compact disc read-only memory (CD-ROM), magnetic tape, floppy disk, or optical data storage device, etc.
[0145] In one exemplary embodiment, a computer program product is also provided, the computer program product including a computer program stored on a non-transitory readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to perform all or part of the steps in the above-described decryption method based on bilinear pairing operations.
[0146] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this application are indicated by the claims.
[0147] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims
1. A decryption method based on a bilinear pairings operation, characterized in that, include: The first user key is transformed by a random number to obtain the transformed second user key; Based on the second user key, a bilinear pairing operation is performed on the information to be decrypted to obtain the bilinear pairing mapping result of the information to be decrypted. Based on the bilinear pairing mapping result, the information to be decrypted is decrypted to obtain the plaintext information corresponding to the information to be decrypted; The step of converting the first user key using a random number to obtain the converted second user key includes: Obtain the first coordinates of the first point corresponding to the first user key on the elliptic curve in the affine coordinate system; Use a random number generator to generate the first and second random numbers; The first coordinates are converted into second coordinates in a Jacobian weighted projective coordinate system using the first random number and the second random number, wherein the second coordinates are the coordinates corresponding to the second user key.
2. The method according to claim 1, characterized in that, Converting the first coordinates to a second coordinate in a Jacobi-weighted projective coordinate system using the first and second random numbers includes: Concatenate the first random number and the second random number to form the target random number; Using the target random number, the first coordinate in the affine coordinate system is converted into the second coordinate in the Jacobian weighted projective coordinate system.
3. The method according to claim 2, characterized in that, The step of using the target random number to convert the first coordinate in the affine coordinate system into the second coordinate includes: Use the following formula to convert the first coordinate to the second coordinate. ): ) = ( ); Where x and y are the coordinates of the first point in the affine coordinate system, and z is the target random number. ( ,| indicates splicing). The first random number, This is the second random number.
4. The method according to claim 3, characterized in that, Both x and y are two-dimensional 512-bit numbers, and the lengths of the first random number and the second random number are both 256 bits.
5. The method according to any one of claims 1 to 4, characterized in that, The step of performing a bilinear pairing operation on the information to be decrypted based on the second user key to obtain the bilinear pairing mapping result of the information to be decrypted includes: Based on the third coordinate of the second point on the elliptic curve corresponding to the information to be decrypted in the affine coordinate system and the second coordinate, the line function value is calculated and the line function value is used as a sparse element on the finite extension of the bilinear pair. Based on the sparse elements, the output value of the Miller algorithm is calculated using sparse multiplication iteration. Based on the output value, the bilinear pair mapping result is obtained through exponentiation.
6. The method according to claim 5, characterized in that, The process involves calculating the line function value based on the third coordinate of the second point corresponding to the elliptic curve in the affine coordinate system and the second coordinate, and then using the line function value as a sparse element on the finite extension of the bilinear pair, including: initialization ,in, The second coordinate is... Represented in binary ,and L is The length of the binary bits, =6t+2, where t is a parameter defined to generate the elliptic curve. The following steps are performed iterating from L-2 to 0 for i: like Then execute ,in, Let P be the value of the tangent function to the elliptic curve at point T, where P is the second point. , , and Let T be the Jacobian-weighted projective coordinates. and Let P be the affine coordinates of the second point. , and The parameters are those of the preset tower expansion formula; calculate , where the calculation yielded coordinate values of each , and They are respectively: ; ; ; like ,implement and ; in, Let P be the value of the linear function passing through points T and Q on the elliptic curve; Calculations yielded coordinate values of each , and They are respectively: ; ; Second coordinate .
7. The method according to claim 6, characterized in that, The step of calculating the output value of the Miller algorithm using sparse multiplication iteration based on the sparse elements includes: calculate as well as ,in, for The Frobenius first-order self-homomorphism is computed. , for The calculation of the Frobenius quadratic automorphism, ,in It is a constant value, obtained by performing a twelfth-order expansion of a field element where all dimensions are 1. The modulo power is pre-calculated. , The second coordinate; It is a large prime number defined by the elliptic curve parameter t; calculate and , Let P be the value of the linear function passing through points T and Q1 on the elliptic curve; calculate and The output value is obtained. , Let P be the value of the linear function passing through points T and Q2 on the elliptic curve.
8. The method according to claim 7, characterized in that, Based on the output value, the bilinear pair mapping result is obtained through exponentiation, including: The bilinear pair mapping result is calculated using the following formula. : ,in, and It is a large prime number defined by the elliptic curve parameter t.
9. An electronic device, characterized in that, The electronic device includes a processor and a memory, the memory storing programs or instructions that can run on the processor, the programs or instructions being executed by the processor to implement the steps of the method as described in any one of claims 1 to 8.
10. A readable storage medium, characterized in that, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the method as described in any one of claims 1 to 8.
11. A computer program product, characterized in that, The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to perform the steps of the method as described in any one of claims 1 to 8.