CN103220146A - Zero knowledge digital signature method based on multivariate public key cryptosystem - Google Patents

Abstract

The invention provides a zero knowledge digital signature method based on a multivariate public key cryptosystem. The method comprises the following steps of generating a system parameter, generating a signature, and verifying the signature. A user keeps a corresponding private key secret through disclosing a public key based on a multivariate public key cryptography; a signer can sign any message according to the private key; the digital signature can be verified by any verifier through the public key of the signer; and if the signature verification passes, the signature of the message is true.

Description

Zero knowledge digital signature method based on the multivariable public-key cryptosystem

Technical field

The invention belongs to field of information security technology, relate to a kind of zero knowledge digital signature method based on the multivariable public-key cryptosystem.

Background technology

Digital signature is in information security, and particularly there is important application aspects such as data validity, integrality and non-repudiation.

Digital signature can equally with traditional handwritten signature play the effect of law authentication.By contrast, handwritten signature shows significant limitation in the information age based on computer and the Internet.Because handwritten signature is in computer network, very easily copy is forged.And comprising the information of the employed secret keys of signer in the digital signature, it all is almost impossible that anyone who does not know this private key forges digital signature.Therefore, digital signature is more suitable for the application requirements in the New Times.People can carry out the telefile signature by network, increase work efficiency.

Many digital signature methods are based on the conventional cipher system, and as Digital Signature Algorithms such as RSA and DSA etc., major part is based on all that big integer factor decomposes and the conventional public-key cryptographic system of discrete logarithm problem.

Yet the appearance of quantum computer has caused threat to the conventional public-key cryptographic system, and for the active demand of fail safe and high efficiency, multivariable public-key cryptosystem (MPKCs) becomes a kind of novel public-key cryptosystem fast rapidly.It is based on the finite field NP-difficulty of polynary quadratic polynomial equation group and finds the solution problem, and quantum computer does not show any advantage handling on the NP difficult problem,

MPKCs might become the cryptographic system of back quantum epoch safety with its high computational efficiency.MPKCs can be divided into two electrode systems and hybrid system.Two electrode systems mainly contain MI, HFE, OV, TTM and l-IC system etc.The zero knowledge digital signature method of research back quantum epoch safety has important theory and practical significance.

Summary of the invention

The purpose of this invention is to provide a kind of zero knowledge digital signature method, solve prior art no longer safe problem under quantum calculation based on the multivariable public-key cryptosystem.

The object of the present invention is achieved like this, and the zero knowledge digital signature method based on the multivariable public-key cryptosystem may further comprise the steps:

Step 1. generation system parameter; System parameters be (k, q, l, m, n, H), q wherein, l is a security parameter, k=GF (q ^l) be a finite field, m is the number of multivariable equation, n is the number of variable.H:{0,1} ^*→ k ⁿIt is the unidirectional crash-resistant hash function of a cryptography safety;

Key generates: the private key SK={L of signer correspondence ₁, F, L ₂, wherein F is the mapping of reversible center, L ₁And L ₂Be respectively k ^mAnd k ⁿOn reversible affine transformation; The PKI PK of signer Be m the multinomial component with n variable, symbol here.Representative function is compound;

Step 2. signature generates; Signer to message M ∈ 0,1} ^*Sign, step is as follows:

(1) selects u at random _i∈ k ^m, i=1 wherein ..., t;

(2) calculate

c＝H(M||PK||u ₁||...||u _t)∈k ⁿ；

(3) calculate

(4) output message M ∈ 0,1} ^*Zero signatures of Knowledge σ=(c, s ₁..., s _t);

Step 3. signature verification:

Signature sigma=(c, s to message M ₁..., s _t), any verifier's checking utilizes the PKI of signer

The checking equation

$c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$

Whether set up.If set up, then accept this signature; Otherwise refuse this signature.

The invention has the beneficial effects as follows

1, the present invention can solve the defective that existing zero knowledge digital signature method will be no longer safe under quantum calculation, not only has fail safe but also have the high advantage of computational efficiency.

2, the zero knowledge digital signature method based on the multivariable public-key cryptosystem that proposes of the present invention satisfies completeness, unforgeable and zero-knowledge proof, in back quantum cryptography epoch safety still.

Embodiment

The present invention is further detailed explanation below in conjunction with embodiment.

Based on the zero knowledge digital signature method of multivariable public-key cryptosystem, implement according to following steps:

Step 1. generation system parameter

System parameters be (k, q, l, m, n, H).Q wherein, l is a security parameter, k=GF (q ^l) be a finite field, m is the number of multivariable equation, n is the number of variable.H:{0,1} ^*→ k ⁿIt is the unidirectional crash-resistant hash function of a cryptography safety;

Key generates: the private key SK={L of signer correspondence ₁, F, L ₂, wherein F is the mapping of reversible center, L ₁And L ₂Be respectively k ^mAnd k ⁿOn reversible affine transformation.The PKI of signer

Be m multinomial component with n variable.Here symbol.Representative function is compound.

Step 2. signature generates

Signer to message M ∈ 0,1} ^*Sign, step is as follows:

(1) selects u at random _i∈ k ^m, i=1 wherein ..., t;

(2) calculate

c＝H(M||PK||u ₁||...||u _t)∈k ⁿ；

(3) calculate

(4) output message M ∈ 0,1} ^*Zero signatures of Knowledge σ=(c, s ₁..., s _t).

Step 3. signature verification

Signature sigma=(c, s to message M ₁..., s _t), any verifier's checking utilizes the PKI of signer

The checking equation $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ Whether set up,, then accept this signature if set up; Otherwise refuse this signature.

Safety analysis about the zero knowledge digital signature method that the present invention is based on the multivariable public-key cryptosystem:

1. correctness

If each step, signature of message M so of having followed signature process of signer honesty

σ=(c, s ₁..., s _t) satisfy:

$H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$

$=H\left(M\right|\left|\mathrm{PK}\right|\left|u_1\right||...|\left|u_t\right)$

$=c$

The verifier always accepts signature, so method has completeness.

2. unforgeable

Suppose that signer is a tricker, promptly he does not know private key SK={L ₁, F, L ₂, attempt is forged a message M and is effectively signed.One of approach of signature adulterator success is that he selects u at random _i∈ k ^m, i=1 wherein ..., t; Calculate then

C=H (M||PK||u ₁|| ... || u _t) ∈ k ⁿNext, do not having under the prerequisite of private key, the adulterator need pass through equation

Calculate s _i, i=1 ..., t, the adulterator knows u _iAnd c, find the solution this equation, be under the hypothesis of a difficult problem finding the solution of secondary multivariable equation, be difficult.Academia generally acknowledges that finding the solution of secondary multivariable equation is a difficult problem at present.So this forgery probability of successful is very little.

Two of the approach of signature adulterator success is to find the solution to satisfy verification expression $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ One group separate σ=(c, s ₁..., s _t), at hash function H:{0,1} ^*→ k ⁿThe unidirectional crash-resistant hypothesis that is a cryptography safety is difficult down.

Embodiment 1. is based on the interactive zero knowledge proof of identification method of multivariable oil-vinegar public-key cryptosystem.

Step 1. generation system parameter:

(1) k=GF (q) being set is the finite field that is characterized as p=2, wherein q=2 ⁸

(2) make o=30, v=64, m=o=30 are the number of equation in the multivariable equation group, and n=o+v=97 is the number of variable.

(3) select secure Hash function, H:{0,1} ^*→ k ⁹⁷, specifically can get the secure Hash function is preceding 776 bits of the 896 bits output of sha-512||sha-384, is converted into finite field k=GF (2 according to 776=8*97 then ⁸) on 97 variablees.

Key generates: it is from k that the certifier selects F at random ⁹⁷To k ³⁰The mapping of reversible Oil-Vinegar multinomial, the Oil-Vinegar multinomial is that any one total degree with following form is 2 multinomial

$f=\underset{i=1}{\overset{o}{\mathrm{\Σ}}}\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{a}_{\mathrm{ij}}{x}_i{\hat{x}}_j+\underset{i=1}{\overset{v}{\mathrm{\Σ}}}\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{b}_{\mathrm{ij}}{\hat{x}}_i{\hat{x}}_j+\underset{i=1}{\overset{o}{\mathrm{\Σ}}}{c}_i{x}_i+\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{d}_j{\hat{x}}_j+e$

A wherein _Ij, b _Ij, c _i, d _j, e ∈ k.Here o=30, v=64.

Make F:k ⁿ→ k ^oBe a multinomial mapping, form is as follows:

$F(x_1,\·\·\·,x_o,{\hat{x}}_1,\·\·\·,{\hat{x}}_v)=(f_1,\·\·\·f_o)$

Wherein

It is the Oil-Vinegar multinomial.Here n=o+v=97.

The certifier selects L at random ₂Be from k ⁿTo k ⁿA reversible affine transformation

$L_2({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)=M_2{({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)}^T+a_2$

M wherein ₂Be the invertible matrix of a n * n on the finite field k, a ₂The column vector of n * 1 on the finite field k.

The certifier announces its PKI

Then

$\stackrel{\‾}{F}({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)=({\stackrel{\‾}{f}}_1,\·\·\·,{\stackrel{\‾}{f}}_0)$

Wherein each

In multivariable polynomial.

Certifier its private key SK={F that maintains secrecy, L ₂.

Annotate: in the multivariable oil-vinegar public-key cryptosystem, can not select k ^mOn reversible affine transformation L ₁

Step 2. signature generates:

Signer to message M ∈ 0,1} ^*Sign, step is as follows:

(1) selects u at random _i∈ k ^m, i=1 wherein ..., t; Here can get t=8.

(2) calculate then

c＝H(M||PK||u ₁||...||u _t)∈k ⁿ；

(3) calculate

Annotate: F here inverts ^-1The time, at first appoint and get one group

Find the solution (x then ₁..., x _o).

(4) output message M ∈ 0,1} ^*Zero signatures of Knowledge σ=(c, s ₁..., s _t).

Step 3. signature verification:

Signature sigma=(c, s to message M ₁..., s _t), any verifier's checking utilizes the PKI of signer

The checking equation $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ Whether set up.If set up, then accept this signature; Otherwise refuse this signature.

In the endorsement method of the present invention, the user is by disclosing its PKI based on the multivariable public key cryptography, secret corresponding private key.Signer can utilize the private key of oneself, to any information signature.This signature can the authenticatee utilize the PKI of signer to verify.If signature verification is passed through, the signature that this message then is described is real.

With compare based on the digital signature method of traditional cryptographic system, the present invention has the computational efficiency height, under quantum calculation safety advantage.

Claims (2)

1. based on the zero knowledge digital signature method of multivariable public-key cryptosystem, it is characterized in that, comprise that generation system parameter step, signature generate step and signature verification step.

2. the zero knowledge digital signature method based on the multivariable public-key cryptosystem as claimed in claim 1 is characterized in that concrete steps are as follows:

Step 1. generation system parameter

System parameters be (k, q, l, m, n, H); Q wherein, l is a security parameter, k=GF (q ^l) be a finite field, m is the number of multivariable equation, n is the number of variable, H:{0,1} ^*→ k ⁿIt is the unidirectional crash-resistant hash function of a cryptography safety;

Key generates: the private key SK={L of signer correspondence ₁, F, L ₂, wherein F is the mapping of reversible center, L ₁And L ₂Be respectively k ^mAnd k ⁿOn reversible affine transformation.The PKI of signer Be m multinomial component with n variable.Here symbol.Representative function is compound;

Step 2. signature generates:

Signer to message M ∈ 0,1} ^*Sign, step is as follows:

(1) selects u at random _i∈ k ^m, i=1 wherein ..., t;

(2) calculate then

c＝H(M||PK||u ₁||...||u _t)∈k ⁿ；

(3) calculate

(4) output message M ∈ 0,1} ^*Zero signatures of Knowledge σ=(c, s ₁..., s _t);

Step 3. signature verification:

Signature sigma=(c, s to message M ₁..., s _t), any verifier's checking utilizes the PKI of signer

The checking equation $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ Whether set up; If set up, then accept this signature; Otherwise refuse this signature.