CN106209376B - A multivariate signature method resisting forgery attacks - Google Patents


Info

Publication number: CN106209376B (application number CN201610511412.0A; earlier publication CN106209376A)
Authority: CN (China)
Legal status: Active (Google's assumption, not a legal conclusion)
Language: Chinese (zh); the text below is an English rendering of the machine translation
Prior art keywords: signature, designated, public key, message, multivariable
Inventors: 王鑫, 李健, 吴华, 张永斌
Original and current assignee: Shaanxi University of Science and Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Prosecution history: application filed by Shaanxi University of Science and Technology with priority to CN201610511412.0A; published as CN106209376A; granted and published as CN106209376B; current status Active

Classifications (CPC; section H Electricity, H04 Electric communication technique, H04L Transmission of digital information, H04L 9/00 Cryptographic mechanisms or arrangements for secret or secure communications and network security protocols)

    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 ... involving digital signatures
    • H04L 9/3249 ... digital signatures using RSA or related signature schemes, e.g. the Rabin scheme
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
Abstract

The invention is a multivariate signature method that resists forgery attacks. By adding a quantity called the signature supplement (the backward signature), signature verification gains an extra condition on an internal value, which makes the scheme resistant to forgery. The method comprises three phases: preprocessing of the data, generation of the signature, and verification of the signature. It takes multivariate public-key cryptography as its theoretical basis and builds a signing and verification scheme from systems of polynomial equations in several variables over a finite field. It addresses a model defect of existing multivariate signature schemes: under the assumption of resistance to quantum attacks, verification no longer depends on the public key alone but also involves the user's legitimate private key. It can provide basic technical support for information security and trust systems in the era of quantum computers and is suited to secure digital signatures in that era; because of its comparatively high efficiency and security it is particularly suited to settings where storage space and computing time are limited.

Description

A multivariate signature method resisting forgery attacks
Technical field
The invention belongs to the field of cryptography and relates to multivariate public-key cryptosystems in post-quantum cryptography, in particular to a multivariate digital signature method that resists forgery attacks.
Background technology
A digital signature is a method of authenticating digital information and one of the main applications of public-key cryptosystems; it is also called a public-key digital signature. In a public-key cryptosystem, the textbook description of a digital signature is that the sender "encrypts" the message with its private key and sends the result together with the message; the recipient applies the sender's public key to the signature and compares the recovered value with the message, and if the two agree the recipient accepts the signature as coming from the legitimate sender. (This sign-by-encrypting picture is specific to RSA-like schemes; the multivariate scheme below does not follow it, although it keeps the same two-operation structure.) A digital signature scheme therefore consists of two complementary operations, one for signing and one for verifying, and the two parties can sign and verify digital information (messages) in an open network environment.
The most important property of a digital signature is that it establishes that a message really originates from the sender and was issued after being signed by the sender, so that nobody else can forge it.
Digital signatures in use today are mainly schemes designed on conventional public-key cryptosystems such as RSA and ECC.
The security of conventional public-key systems rests on number-theoretic hardness assumptions, chiefly integer factoring and discrete logarithms. In 1994, however, Peter Shor proposed a quantum algorithm, still the best-known result in quantum computing, which exploits the parallelism of quantum computation to factor large integers and solve discrete logarithm problems in polynomial time. The advent of a quantum computer therefore poses a serious threat to the security of existing digital signatures based on classical cryptosystems.
Constructing new public-key cryptosystems to replace the number-theoretic ones and to resist future attacks based on quantum computation is thus an urgent task.
In 1988 Matsumoto and Imai proposed the MI (Matsumoto-Imai) multivariate public-key cryptosystem as an alternative to conventional public-key systems. The multivariate signature scheme Flash (SFLASH) was selected by the European NESSIE project in 2003 as suitable for low-cost smart cards. (SFLASH was subsequently broken by Dubois, Fouque, Shamir and Stern in 2007, so this selection should not be read as evidence of its current security; the point of the background is only that multivariate schemes have reached standardisation processes.)
A multivariate public-key cryptosystem is a cryptosystem built on the problem of solving systems of nonlinear multivariate equations over a finite field; its main building block is the multivariate polynomial over a finite field. Its security rests on the fact that solving a system of multivariate polynomial equations (the MQ problem) is NP-complete in the worst case (the cryptographic assumption is that random instances are hard as well), and no known quantum algorithm offers more than a polynomial speed-up for this problem. It is therefore regarded as a candidate secure cryptosystem for the quantum era and is a very active topic in cryptographic research.
As a new research direction, multivariate public-key cryptography is, compared with traditional number-theoretic signature systems, more efficient and easier to implement in hardware, which suits it to settings where storage space and computing time are limited, such as smart cards, wireless sensor networks and dynamic RFID tags. Current multivariate signature models, however, still have the following problems:
(1) The verification condition of the standard signature model is defective. Verification of a multivariate signature relies only on the public key, so the condition is too narrow: even a forger who does not know the legitimate private key may exploit the structure of the public key P and look for special relations that let a signature be recovered.
(2) The standard signature model involves no internal secret information in verification, which leaves an opening for the forger. A legitimate signer produces a signature by inverting step by step with its own private key, but the current verification does not reflect that inversion process in its design; it never checks whether the signer holds a legitimate private key, which lowers the difficulty of forgery.
(3) As a consequence of (1) and (2), an attacker may forge a signature that passes verification with the public key P, by solving for P, even though it was not produced from the private key by a legitimate user. The problem is not exotic: when the central map is many-to-one, one message corresponds to several signatures, so these issues must be considered and avoided when a multivariate signature scheme is designed.
At present, among signature schemes based on multivariate public-key systems, no secure multivariate signature system has been produced that also solves the problems above.
Summary of the invention
To overcome the shortcomings of the prior art described above, the object of the invention is to provide a multivariate signature method that resists forgery attacks. The method takes multivariate public-key cryptography as its theoretical basis and builds a signing and verification scheme from systems of polynomial equations in several variables over a finite field. The scheme addresses the model defect of existing multivariate signature schemes so that, under the assumption of resistance to quantum attacks, verification does not depend on the public key alone but also involves the user's legitimate private key. It can provide basic technical support for information security and trust systems in the era of quantum computers, is suited to secure digital signatures in that era and, because of its comparatively high efficiency and security, is particularly suited to settings where storage space and computing time are limited, such as smart cards, wireless sensor networks and dynamic RFID tags.
To achieve these objects, the technical solution adopted by the invention is to add a quantity called the signature supplement so that, during verification, an extra condition on the internal value x is checked, which makes the scheme resistant to forgery attacks. Specifically, the multivariate signature method resisting forgery attacks comprises the following steps:
Step 1: selecting system parameters
Take a finite field F_q and positive integers n and m, and write the degree-n and degree-m extensions of F_q as F_{q^n} and F_{q^m} (identified with the vector spaces F_q^n and F_q^m). Take a system of m multivariate quadratic polynomials q1(x1,...,xn), ..., qm(x1,...,xn) from F_q^n to F_q^m and write it Q; Q is the central map of the multivariate public-key cryptosystem, with n input variables and m output variables. Q^{-1} denotes the inverse of Q and is held only by the legitimate user. Separately, take invertible affine transformations S on F_q^n and T on F_q^m as private keys, with inverses written S^{-1} and T^{-1}. Then choose at random a system of n quadratic polynomials in n variables over F_q, (g1(x1,...,xn), ..., gn(x1,...,xn)), written as the polynomial vector G, i.e. G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)), together with a one-way, non-invertible polynomial system H. The user's private key consists of the three parts S, T and G; H is chosen secretly by a trusted third party and is used only to generate the public key. The inverse of G is written G^{-1}. The public key correspondingly consists of three polynomial systems, namely
P = T∘Q∘S (checked against the message), H∘G∘S (applied to the forward signature) and H∘S (applied to the backward signature),
where ∘ denotes composition, i.e. substitution carried out successively from right to left. (The three expressions are written out as they follow from the signing and verification steps below; in the original they appear as images.)
Step 2: generating the signature
The encoding of a known message M is the vector (u1,...,um), written u. The signature is generated as follows:
(2.1) Producing the forward signature
(2.1a) Using the private key T^{-1}, substitute the encoding u = (u1,...,um) of M into T^{-1} to obtain (y1,...,ym), written y;
(2.1b) substitute y into the inverse Q^{-1} of the central map Q to obtain (x1,...,xn), written x;
(2.1c) substitute x into the inverse S^{-1} of the private key S to obtain (v1,...,vn), written v; v is the forward signature of the encoding u of M.
(2.2) Producing the backward signature
(2.2a) Substitute x into the private key G to obtain G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)) = (g1,...,gn), written g;
(2.2b) substitute g into S^{-1} to obtain S^{-1}(g1,...,gn), written vg; vg is the backward signature of the encoding u of M.
(2.3) The concatenation v||vg of the forward signature and the backward signature is the signature of the encoding u of M.
Step 3: verifying the signature
(3.1) Verification with the public key P
(3.1a) Substitute the forward signature v = (v1,...,vn) into the public key P to obtain P(v1,...,vn) = (p1(v1,...,vn), ..., pm(v1,...,vn)), written u' = (u'1,...,u'm);
(3.1b) check whether u' equals the encoding u of the original message M.
(3.2) Verification with the public keys H∘G∘S and H∘S
(3.2a) Substitute the forward signature v = (v1,...,vn) into the public key H∘G∘S to obtain H(G(S(v1,...,vn))), written h = (h1,...,hn);
(3.2b) substitute the backward signature vg = (vg1,...,vgn) into the public key H∘S to obtain H(S(vg1,...,vgn)), written h' = (h'1,...,h'n);
(3.2c) check whether h and h' are equal.
If both (3.1b) and (3.2c) hold, v||vg is a legitimate signature of the encoding u of M; otherwise the signature is invalid and is rejected.
In step 1, S and T are invertible affine transformations. (The original also lists G here, but step 1 defines G as a random quadratic system, and only G itself, never G^{-1}, is needed for signing or verification.)
Compared with the prior art, the beneficial effects of the invention are:
1) the invention is a signature model based on multivariate public-key cryptography and therefore resists the known quantum attacks;
2) it is a public-key cryptosystem based on systems of multivariate polynomial equations over a finite field; its operations are additions and low-degree multiplications, with no exponentiation or inversion, so it is more efficient than traditional number-theoretic systems (the invention also claims greater security on this ground, although efficiency and security are separate questions);
3) the signature produced by the invention consists of two parts, the forward signature v and the backward signature vg; producing v requires the legitimate private keys S and T, and producing vg requires the legitimate private keys S and G, so compared with existing multivariate schemes that consist only of the forward signature v, the attacker's task is harder;
4) the signature v||vg consists of two mutually related parts v and vg, which must satisfy the hidden relation vg = S^{-1}(G(S(v))) involving the private keys S and G; this relation depends on the secret S and G, and without them the backward signature cannot be obtained from the public key alone. Whereas verification in existing models only checks that v satisfies P, the invention adds the correlated check of the backward signature, so it resists forgery attacks and is more secure.
In addition, the security of the invention rests on the basic hard problem of multivariate public-key schemes: the difficulty of solving systems of multivariate polynomial equations over a finite field.
Brief description of the drawings
Fig. 1 is a schematic diagram of the signing principle of the invention.
Fig. 2 is a schematic diagram of the signature verification principle of the invention.
Specific embodiment
Embodiments of the invention are described in detail below with reference to the drawings and examples.
1. Mathematical background used by the invention
(1) Finite fields
A finite field is a finite set of elements with two operations, addition and multiplication, satisfying the associative and commutative laws for both operations, the existence of an additive inverse for every element and of a multiplicative inverse for every non-zero element, and the distributive law of multiplication over addition. The number of elements is called the order of the field; a field of order q is usually written F_q or GF(q). For a prime order q the operations are arithmetic modulo q; for a prime power q = p^k they are polynomial arithmetic modulo an irreducible polynomial of degree k over F_p (the integers modulo a composite number do not form a field).
(2) The multivariate problem
The multivariate problem is also called the multivariate quadratic (MQ) hard problem. The security of multivariate public-key cryptosystems is based on solving a system of nonlinear multivariate polynomial equations over a finite field:
p1(x1,…,xn) = p2(x1,…,xn) = … = pm(x1,…,xn) = 0,
which is an NP-complete problem, where the coefficients and variables of each pi are taken from the finite field F_q. Usually the pi are quadratic. For schemes built on the MQ problem, the first line of security comes from the difficulty of attacking the public quadratic system directly: solving the system of equations given only the public key is an NP-complete problem.
(3) Transformations
Let F be a finite field. (y1,…,yn) = f(x1,…,xn) is called a transformation if there is a rule that turns (x1,…,xn) into (y1,…,yn); the rule is written f and is called the transformation.
2. Implementation
Step 1: selecting system parameters
Take a finite field F_q and positive integers n and m, and write the degree-n and degree-m extensions of F_q as F_{q^n} and F_{q^m} (identified with F_q^n and F_q^m). Take a system of m multivariate quadratic polynomials q1(x1,…,xn), …, qm(x1,…,xn) from F_q^n to F_q^m and write it Q; Q is the central map of the multivariate public-key cryptosystem, with n input variables and m output variables. Q^{-1} denotes the inverse of Q and is held only by the legitimate user. Separately, take invertible affine transformations S on F_q^n and T on F_q^m as private keys, with inverses S^{-1} and T^{-1}. Then choose at random a system of n quadratic polynomials in n variables over F_q, (g1(x1,…,xn), …, gn(x1,…,xn)), written as the polynomial vector G, i.e. G(x1,…,xn) = (g1(x1,…,xn), …, gn(x1,…,xn)), together with a one-way, non-invertible polynomial system H. The user's private key consists of the three parts S, T and G; H is chosen secretly by a trusted third party and is used only to generate the public key. The inverse of G is written G^{-1}. The public key correspondingly consists of three polynomial systems: P = T∘Q∘S, H∘G∘S and H∘S, where ∘ denotes composition, i.e. substitution carried out successively from right to left.
Step 2: generating the signature
The encoding of a known message M is the vector (u1,…,um), written u. With reference to Fig. 1, the signature is generated as follows:
(2.1) Producing the forward signature.
(2.1a) Using the private key T^{-1}, substitute the encoding u = (u1,…,um) of M into T^{-1} to obtain (y1,…,ym), written y;
(2.1b) substitute the y obtained in (2.1a) into the inverse Q^{-1} of the central map Q to obtain (x1,…,xn), written x;
(2.1c) substitute the x obtained in (2.1b) into the inverse S^{-1} of the private key S to obtain (v1,…,vn), written v; v is the forward signature of the encoding u of M.
(2.2) Producing the backward signature.
(2.2a) Substitute the x obtained in (2.1b) into the private key G to obtain G(x1,…,xn) = (g1(x1,…,xn), …, gn(x1,…,xn)) = (g1,…,gn), written g;
(2.2b) substitute the g obtained in (2.2a) into S^{-1} to obtain S^{-1}(g1,…,gn), written vg; vg is the backward signature of the encoding u of M.
(2.3) The concatenation v||vg of the forward signature and the backward signature is the signature of the encoding u of M.
With reference to Fig. 2, signature verification in the invention is carried out as follows:
Step 3: verifying the signature
(3.1) Verification with the public key P.
(3.1a) Substitute the forward signature v = (v1,…,vn) into the public key P to obtain P(v1,…,vn) = (p1(v1,…,vn), …, pm(v1,…,vn)), written u' = (u'1,…,u'm);
(3.1b) check whether u' equals the encoding u of the original message M.
(3.2) Verification with the public keys H∘G∘S and H∘S.
(3.2a) Substitute the forward signature v = (v1,…,vn) into the public key H∘G∘S to obtain H(G(S(v1,…,vn))), written h = (h1,…,hn);
(3.2b) substitute the backward signature vg = (vg1,…,vgn) into the public key H∘S to obtain H(S(vg1,…,vgn)), written h' = (h'1,…,h'n);
(3.2c) check whether h and h' are equal.
If both (3.1b) and (3.2c) hold, v||vg is a legitimate signature of the encoding u of M; otherwise the signature is invalid and is rejected.
The multivariate signature model proposed by the invention is correct and resists signature forgery attacks.
Correctness of the signature:
Suppose the recipient receives a signature v||vg that was produced step by step as above and was not altered in transit. Then:
(1) since the forward signature v is produced from the encoding (u1,…,um) of M by applying the private key T^{-1}, the inverse central map Q^{-1} and the private key S^{-1} in turn, i.e. v = S^{-1}(Q^{-1}(T^{-1}(u))), substituting v into the public key P = T∘Q∘S gives P(v) = T(Q(S(S^{-1}(Q^{-1}(T^{-1}(u)))))) = u, so the check (3.1b) holds;
(2) from the backward signature vg = S^{-1}(G(x1,…,xn)) and the forward signature v = S^{-1}(x1,…,xn) we have S(v) = x and S(vg) = G(x), so H(G(S(v))) and H(S(vg)) are both equal to H(G(x)), i.e. the check (3.2c) holds.
Hence v||vg is a correct signature of the encoding u of M.
Resistance of the signature to forgery:
The signature model based on multivariate polynomials proposed by the invention cannot be forged by an attacker who knows only the public key, since that amounts to solving the chosen system of multivariate equations, which is a hard problem. The following shows that the digital signature model of the invention resists the traditional forgery attack based on the public key.
Proof: Suppose an attacker wants to forge a signature; it must produce a forward signature and a backward signature for which both (3.1b) and (3.2c) hold. Even if the forger obtains some forward signature by attacking the known public key, call it v*, it still cannot obtain a backward signature vg* that passes (3.2c), because (3.2c) means that v* and vg* correspond to one and the same intermediate value x. There are only two ways to obtain the correct vg*: either start from the forward signature v* and apply S, G and S^{-1} in turn using the legitimate private keys G and S, or first derive x from the encoding u of M and then compute vg* = S^{-1}(G(x)). The public keys H∘G∘S and H∘S of the invention restrict the production of this signature to the holder of the private keys G and S, which the legitimate user alone possesses and about which the forger has no information; moreover, the hardness of solving multivariate systems ensures that the forger cannot obtain the x corresponding to the encoding u of M. So by neither route can the forger obtain a matching pair of forward signature v* and backward signature vg*. If the attacker instead guesses vg* at random, then since vg* is an n-dimensional vector over the field of order q the success probability is only one in q^n. In short, without the correct private keys G and S the attacker cannot produce a forward signature v* that passes verification together with its corresponding backward signature vg*, i.e. a forger cannot succeed by attacking the public key alone.
(This is an informal argument rather than a reduction: for a fixed v*, finding vg* with H(S(vg*)) = H(G(S(v*))) is itself a system of public polynomial equations in vg*, so the security of the second check is an assumption about the hardness of that system, not a consequence proved here.)
In summary, the signature model proposed by the invention effectively resists forgery attacks on multivariate systems.
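The signing steps (2.1)-(2.3), the verification checks (3.1)/(3.2) and the forgery argument above, carried out on a small instance as an added example; this code is not part of the patent. It assumes the prime field GF(7), n = 3 and m = 2, a deliberately many-to-one central map Q whose inverse fixes a free variable, hand-picked invertible affine keys S and T, a quadratic system G and a one-way system H, all constructed for illustration; the three public keys are kept as function compositions rather than expanded into coefficient tables. The last function enumerates every other forward signature of the same message (each of which a public-key-only verifier would accept, the defect of item (3) in the background) and counts how many of them also pass the backward check with the honest vg.

```python
import itertools

# Added example (not the patent's own code): toy forward/backward multivariate
# signature over GF(7) with n = 3 input and m = 2 output variables.  Every concrete
# map below (Q, G, H, S, T) is a constructed assumption chosen so that steps
# (2.1)-(2.3) and checks (3.1)/(3.2) can be followed by hand.
p = 7           # field order q (assumption: a prime field keeps the arithmetic plain)
n, m = 3, 2     # n input variables, m output variables

def mat_inv(A):
    """Gauss-Jordan inverse of a square matrix modulo p (fails if singular)."""
    k = len(A)
    M = [list(r) + [int(i == j) for j in range(k)] for i, r in enumerate(A)]
    for c in range(k):
        piv = next(r for r in range(c, k) if M[r][c] % p)
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, p)
        M[c] = [x * inv % p for x in M[c]]
        for r in range(k):
            if r != c and M[r][c] % p:
                f = M[r][c]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[c])]
    return [r[k:] for r in M]

def affine(A, b, x):
    """One application of the affine map x -> A*x + b over GF(p)."""
    return tuple((sum(a * xi for a, xi in zip(row, x)) + bi) % p
                 for row, bi in zip(A, b))

def affine_inv(A, b, y):
    """Inverse of the affine map (A, b): x = A^{-1} (y - b)."""
    return affine(mat_inv(A), [0] * len(b), [(yi - bi) % p for yi, bi in zip(y, b)])

# Central map Q: GF(p)^3 -> GF(p)^2, quadratic and deliberately many-to-one (x3 is
# free), so every u has several forward signatures.
def Q(x):
    x1, x2, x3 = x
    return ((x1 + x3 * x3) % p, (x2 + x1 * x1 + x3) % p)

def Q_inv(y, x3=0):
    """One preimage of y under Q; the signer fixes the free variable (assumption: 0)."""
    x1 = (y[0] - x3 * x3) % p
    x2 = (y[1] - x1 * x1 - x3) % p
    return (x1, x2, x3)

def G(x):   # secret quadratic system G: n polynomials in n variables (constructed)
    x1, x2, x3 = x
    return ((x1 * x2 + x3) % p, (x2 * x2 + x1) % p, (x3 * x1 + x2 + 1) % p)

def H(z):   # trusted third party's one-way polynomial system H (constructed)
    z1, z2, z3 = z
    return ((z1 * z2 + z3) % p, (z2 + z3 * z3) % p)

# Private affine keys S on GF(p)^n and T on GF(p)^m; both matrices are invertible mod 7.
S_A, S_b = [[1, 2, 0], [0, 1, 3], [2, 0, 1]], [3, 1, 5]
T_A, T_b = [[2, 1], [1, 3]], [4, 2]
def S(x): return affine(S_A, S_b, x)
def T(y): return affine(T_A, T_b, y)

# The three public keys as the verifier uses them: P = T o Q o S, H o G o S (applied
# to v) and H o S (applied to v_g).  A deployed scheme publishes the expanded
# quadratic coefficients instead, so the public key reveals nothing about S, T, G.
def P(v): return T(Q(S(v)))
def P_forward(v): return H(G(S(v)))
def P_backward(vg): return H(S(vg))

def sign(u):
    """Steps (2.1)-(2.3): return the signature pair (v, v_g)."""
    y = affine_inv(T_A, T_b, u)    # (2.1a) y = T^{-1}(u)
    x = Q_inv(y)                   # (2.1b) x = Q^{-1}(y), the internal value
    v = affine_inv(S_A, S_b, x)    # (2.1c) forward signature v = S^{-1}(x)
    g = G(x)                       # (2.2a) g = G(x)
    vg = affine_inv(S_A, S_b, g)   # (2.2b) backward signature v_g = S^{-1}(g)
    return v, vg

def verify(u, v, vg):
    """Step 3: (3.1) P(v) == u and (3.2) H(G(S(v))) == H(S(v_g))."""
    return P(v) == tuple(u) and P_forward(v) == P_backward(vg)

def forgery_experiment(u, v, vg):
    """Enumerate every v' != v with P(v') == u (feasible only because p, n are tiny);
    each such v' passes a public-key-only check.  Return (how many, how many also
    pass the backward check with the honest v_g)."""
    others = [w for w in itertools.product(range(p), repeat=n)
              if w != tuple(v) and P(w) == tuple(u)]
    return len(others), sum(P_forward(w) == P_backward(vg) for w in others)

if __name__ == "__main__":
    u = (5, 2)                     # constructed message encoding (u1, u2)
    v, vg = sign(u)
    print("v =", v, " v_g =", vg, " valid:", verify(u, v, vg))
    print("other forward signatures / passing backward check:", forgery_experiment(u, v, vg))
```

With these parameters the message (5, 2) has seven forward preimages under P (one per value of the free variable x3); the honest one is (1, 6, 0) with vg = (1, 5, 1), and none of the other six passes the backward check. A random guess of vg succeeds with probability 1/q^n = 1/343 here, which is the bound stated in the proof; the field and dimensions are of course far too small for real use.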
3. Embodiments
(1) System generation
Step one: selecting system parameters
Take m = n = 2, i.e. two equations and two variables, and the finite field GF(2) = {0, 1}; the original then takes the element set {0, 1, 2, 3} with addition and multiplication modulo 4, defines the inverse of an element o as the element o^{-1} with o·o^{-1} ≡ 1 (mod 4), and lists −4 ≡ 0, −3 ≡ 1, −2 ≡ 2, −1 ≡ 3, 1^{-1} = 1, 2^{-1} = 3, 3^{-1} = 2 (mod 4). Note that the integers modulo 4 form the ring Z/4Z, not a field: 2 has no multiplicative inverse modulo 4 (2·3 = 6 ≡ 2), so the entry 2^{-1} = 3 is wrong, and this example does not live in the four-element field GF(4) that the description requires (GF(4) has characteristic 2 and its arithmetic is polynomial arithmetic modulo an irreducible quadratic over GF(2)). The numerical values below are reproduced as given in the original.
The central map Q is taken as equation (1) and its inverse Q^{-1} as equation (2) (both given as images in the original and not reproduced here).
(2) Key generation
(2.1) Private key generation
The private keys issued to Alice by the trusted third party are written S_Alice, T_Alice and G_Alice, where T_Alice is given by equation (3), S_Alice by equation (4) and G_Alice by equation (5). Inverting the linear system (3) gives T_Alice^{-1} as equation (6); inverting (4) gives S_Alice^{-1} as equation (7); inverting (5) gives G_Alice^{-1} as equation (8).
(2.2) Public key generation
Substituting Alice's private keys S_Alice, T_Alice and G_Alice, i.e. (4) into (1) and the result into (3), gives Alice's public key P_Alice, equation (9).
The trusted third party takes a projection function as H, defined as the map from the domain onto the second component of the codomain; H is one-way and non-invertible. Substituting S_Alice, equation (4), into H gives the second public key:
h1 = 2v1 + 1, (10)
Substituting S_Alice, equation (4), into equation (8) and the result into H gives the third public key, with result written h'1:
h'1 = vg1 + 2, (11)
(In (10) and (11) the key built from S alone is applied to the forward signature v and the key involving G to the backward signature vg, the opposite of the order in step (3.2) of the description, where H∘G∘S is applied to v and H∘S to vg.)
(3) Signature generation
The encoding of a known message M is (u1, u2) = (0, 1); Alice signs (u1, u2) = (0, 1) as follows:
(I) Producing the forward signature. Substituting the encoding (u1, u2) = (0, 1) of M into T_Alice^{-1}, equation (6), gives (y1, y2) = (2, 0); substituting (2, 0) into Q^{-1}, equation (2), gives (x1, x2) = (1, 2); substituting (1, 2) into S_Alice^{-1}, equation (7), gives (v1, v2) = (0, 2), which is Alice's forward signature on the message (u1, u2) = (0, 1).
(II) Producing the backward signature. Substituting the (x1, x2) = (1, 2) obtained in step (I) into G, equation (5), gives (g1, g2) = (1, 0); substituting (1, 0) into S_Alice^{-1}, equation (7), gives (vg1, vg2) = (0, 0), which is Alice's backward signature on (u1, u2) = (0, 1).
Hence Alice's signature on the message (u1, u2) = (0, 1) is v||vg = 0200.
(4) Signature verification
Bob receives the message encoding (u1, u2) = (0, 1) and the signature v||vg = 0200 sent by Alice, and uses Alice's public keys P_Alice, (10) and (11) to decide whether the signature really comes from Alice, i.e. to verify the signature v||vg = 0200:
(I) Bob substitutes the forward signature (v1, v2) = (0, 2) into Alice's public key P_Alice, equation (9), and obtains (0, 1), equal to the original message;
(II) Bob substitutes the forward signature (v1, v2) = (0, 2) into Alice's public key (10) and obtains h1 = 1; substituting the backward signature (vg1, vg2) = (0, 0) into Alice's public key (11) he obtains, according to the original, h'1 = 1, i.e. h and h' are equal. (Evaluating (11) as printed gives h'1 = 0 + 2 = 2, which does not equal h1 = 1; together with the use of Z/4Z noted above, this worked example should not be relied on as a numerical check of the scheme.)
By the checks (I) and (II), v||vg = 0200 (the original prints 1213 at this point, which is inconsistent with the value computed above) is Alice's legitimate signature on the message (u1, u2) = (0, 1). The scheme resists forgery attacks and improves security over the original scheme.
Embodiment 2
Taking the central map of the Matsumoto-Imai (MI) multivariate system as an example, the signature scheme is as follows:
(1) The original MI scheme.
Let F_q be a finite field of order q and F_{q^n} its degree-n extension, and let π be the isomorphism from the extension field to the vector space, π(a0 + a1 x + … + a_{n−1} x^{n−1}) = (a0, …, a_{n−1}). Take a positive integer λ satisfying gcd(q^n − 1, q^λ + 1) = 1 and the map X ↦ X^{q^λ+1} on F_{q^n}.
This map is a bijection, and its inverse is Y ↦ Y^t, where t(q^λ + 1) ≡ 1 (mod q^n − 1). The central map Q(x1,…,xn) from F_q^n to F_q^m (here m = n) is obtained by conjugating this map with π, i.e. Q = π ∘ (X ↦ X^{q^λ+1}) ∘ π^{-1} = (q1(x1,…,xn), …, qm(x1,…,xn)),
where each qi(x1,…,xn), i = 1, …, m, is a quadratic polynomial in the n variables. Let S and T be two random invertible affine transformations on F_q^n; then the public key is P = T∘Q∘S, and each of its polynomials is quadratic.
The system is used as a signature algorithm as follows. Alice wants to send Bob a message (u1,…,um) signed by herself. First she signs (u1,…,um) with her private keys S_Alice, T_Alice: (I) compute y = T_Alice^{-1}(u1,…,um); (II) compute x = Q^{-1}(y); (III) compute (v1,…,vn) = S_Alice^{-1}(x). Then the message (u1,…,um) and the signature (v1,…,vn) are sent together to Bob over the communication network.
Bob receives Alice's message (u1,…,um) and signature (v1,…,vn) over the public channel and wants to decide whether the signature really comes from Alice. Bob looks up Alice's published public key P_Alice and verifies: he computes P_Alice(v1,…,vn), writes the result (u'1,…,u'm), and checks whether it equals the original message (u1,…,um); if so he accepts the signature (v1,…,vn), otherwise he rejects it.
When the MI multivariate system is used as a signature scheme in this way, as in the traditional multivariate signature model, verification needs only the public key and does not check whether the signer holds a legitimate private key. Patarin's linearisation-equations attack (1995) recovers preimages from the public key without the private key and thereby forges signatures on messages, so the scheme lost its practical value.
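The MI central map X ↦ X^{q^λ+1}, its inverse exponent t and the gcd condition, as an added example that is not the patent's code. It assumes q = 2, field elements held as n-bit integers in polynomial basis, n = 5 with the irreducible polynomial x^5 + x^2 + 1 and λ = 1 (so q^λ + 1 = 3 and t = 21), and it also exercises the failure mode the condition guards against: for n = 4, λ = 2 the exponent 5 is not coprime to 2^4 − 1 = 15 and the map is no longer a bijection. The affine layers S, T and the backward check of this patent are not repeated here.

```python
from math import gcd

# Added example (not the patent's code): the Matsumoto-Imai central map
# X -> X^(q^lambda + 1) on GF(2^n), its inverse exponent t, and the gcd condition.
# Assumptions: q = 2; elements are n-bit integers in polynomial basis; the modulus
# polynomials are bit masks (x^5 + x^2 + 1 -> 0b100101, x^4 + x + 1 -> 0b10011).
N5, POLY5 = 5, 0b100101

def gf2n_mul(a, b, n, poly):
    """Multiply two elements of GF(2^n), reducing modulo the irreducible `poly`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: subtract (xor) the modulus
            a ^= poly
    return r

def gf2n_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r, base = 1, a
    while e:
        if e & 1:
            r = gf2n_mul(r, base, n, poly)
        base = gf2n_mul(base, base, n, poly)
        e >>= 1
    return r

def mi_exponents(q, n, lam):
    """Return (theta, t) with theta = q^lam + 1 and t*theta == 1 mod (q^n - 1),
    or (theta, None) when gcd(q^n - 1, theta) != 1, i.e. no inverse exponent exists."""
    theta, order = q ** lam + 1, q ** n - 1
    if gcd(order, theta) != 1:
        return theta, None
    return theta, pow(theta, -1, order)

def mi_central_map(x, n=N5, poly=POLY5, lam=1):
    """X -> X^(q^lam + 1): the MI central map on one field element."""
    theta, _ = mi_exponents(2, n, lam)
    return gf2n_pow(x, theta, n, poly)

def mi_central_map_inverse(y, n=N5, poly=POLY5, lam=1):
    """Y -> Y^t, valid only under the gcd condition."""
    theta, t = mi_exponents(2, n, lam)
    if t is None:
        raise ValueError("q^lambda + 1 not coprime to q^n - 1: central map not invertible")
    return gf2n_pow(y, t, n, poly)

def image_size(n, poly, lam):
    """Number of distinct outputs over all 2^n inputs: equals 2^n iff the map is a bijection."""
    theta = 2 ** lam + 1
    return len({gf2n_pow(x, theta, n, poly) for x in range(2 ** n)})

if __name__ == "__main__":
    print("n=5, lambda=1:", mi_exponents(2, 5, 1), "image size", image_size(5, POLY5, 1))
    print("n=4, lambda=2:", mi_exponents(2, 4, 2), "image size", image_size(4, 0b10011, 2))
    print("round trip ok:", all(mi_central_map_inverse(mi_central_map(x)) == x for x in range(32)))
```

On GF(2^5) the map X ↦ X^3 is a permutation inverted by Y ↦ Y^21 (3·21 = 63 ≡ 1 mod 31), whereas on GF(2^4) the map X ↦ X^5 collapses the 15 non-zero elements onto a subgroup of order 3, so a signer could not find a unique preimage there. The quadratic shape of the qi follows from X^{2^λ+1} = X^{2^λ}·X, a product of two GF(2)-linear functions of the coordinates.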
(2) Below, take Q to be the central map of the Matsumoto-Imai (MI) multivariate system.
To provide a secure signature, Alice chooses an invertible quadratic multivariate polynomial system G_Alice as a private key and a random one-way, non-invertible polynomial system H as an auxiliary function.
When Alice wants to send Bob a message (u1,…,um) signed by herself: (I) using the private key T_Alice, she computes y = T_Alice^{-1}(u1,…,um); (II) she computes x = Q^{-1}(y); (III) using the private key S_Alice, she computes (v1,…,vn) = S_Alice^{-1}(x); (IV) using the private key G_Alice, she computes G_Alice(x1,…,xn) = (g1(x1,…,xn), …, gn(x1,…,xn)) = (g1,…,gn); (V) using the private key S_Alice, she computes (vg1,…,vgn) = S_Alice^{-1}(g1,…,gn); (VI) she concatenates (v1,…,vn) and (vg1,…,vgn) to obtain v1,…,vn||vg1,…,vgn as the signature of the message (u1,…,um).
Bob receives the message (u1,…,um) and the signature v1,…,vn||vg1,…,vgn sent by Alice over the public channel and wants to decide whether the signature really comes from Alice. Bob looks up Alice's published public keys P_Alice, H∘G_Alice∘S_Alice and H∘S_Alice and verifies the signature v1,…,vn||vg1,…,vgn:
(I) Using Alice's public key P_Alice, Bob substitutes the forward signature v = (v1,…,vn) into P_Alice, writes the result (u'1,…,u'm) and checks whether it equals the original message (u1,…,um); if so he proceeds to step (II), otherwise he rejects.
(II) Bob substitutes the forward signature (v1,…,vn) into Alice's public key H∘G_Alice∘S_Alice and obtains (h1,…,hn); he then substitutes the backward signature (vg1,…,vgn) into Alice's public key H∘S_Alice and writes the result (h'1,…,h'n); he checks whether (h'1,…,h'n) equals (h1,…,hn). If so, Bob accepts the signature on the message; otherwise he rejects it.
Clearly, when the new model is applied to MI, for the same message (u1,…,um) the signature changes from the original (v1,…,vn) to v1,…,vn||vg1,…,vgn, and verification, in addition to the original check with the public key P that
P_Alice(v1,…,vn) equals (u1,…,um), additionally checks the private-key-related condition that H(G_Alice(S_Alice(v1,…,vn))) equals H(S_Alice(vg1,…,vgn)). Only when both checks pass is v1,…,vn||vg1,…,vgn a legitimate signature. The scheme resists forgery attacks and improves security over the original scheme.

Claims (2)

1. A multivariable signature method resisting forgery attacks, characterised in that it comprises the following steps:
Step 1, selecting the system parameters
Take a finite field and positive integers n and m, and denote its n-fold extension and its m-fold extension. Take a set of multivariate quadratic polynomial equations q1(x1,…,xn),…,qm(x1,…,xn) from the n-fold extension to the m-fold extension, denoted Q; Q is then the central map of the multivariate public-key cryptosystem, with n input variables and m output variables. Q^-1 denotes the inverse of the polynomial system Q, and Q^-1 is held by every legitimate user. Separately take invertible affine transformations S and T over the n-fold and m-fold extensions respectively as secret keys, with inverses denoted S^-1 and T^-1. Then randomly select a set of n quadratic multivariate polynomials in n variables (g1(x1,…,xn),…,gn(x1,…,xn)), denoting this polynomial vector G, i.e. G(x1,…,xn) = (g1(x1,…,xn),…,gn(x1,…,xn)), and a one-way, irreversible polynomial system H. The user's secret key consists of the three parts S, T and G; H is chosen secretly by a trusted third party but is used only for generating the public key. The inverse of G is written G^-1. The corresponding public key likewise consists of three polynomial systems, each a composition of the maps above, where the operator ∘ denotes composition of maps, i.e. substitution carried out successively from right to left;
Step 2, generating the signature
The encoding of a known message M is the vector (u1,…,um), written u; the signature is generated by the following steps:
(2.1) Producing the forward signature
(2.1a) Substitute the encoding u = (u1,…,um) of message M into the inverse transformation T^-1 of the secret key T to obtain (y1,…,ym), written y;
(2.1b) Substitute the result y into the inverse Q^-1 of the central map Q to obtain (x1,…,xn), written x;
(2.1c) Substitute the result x into the inverse S^-1 of the secret key S to obtain (v1,…,vn), written v; v is then the forward signature of the encoding u of message M;
(2.2) Producing the backward signature
(2.2a) Substitute the result x into the secret key G to obtain G(x1,…,xn) = (g1(x1,…,xn),…,gn(x1,…,xn)) = (g1,…,gn), written g;
(2.2b) Substitute the result g into the inverse S^-1 of the secret key S to obtain (vg1,…,vgn), written vg; vg is then the backward signature of the encoding u of message M;
(2.3) The concatenation v || vg of the forward signature and the backward signature is the signature of the encoding u of message M;
Step 3, verifying the signature
(3.1) Verification using the public key P
(3.1a) Substitute the forward signature v = (v1,…,vn) into the public key P to obtain P(v1,…,vn) = (p1(v1,…,vn),…,pm(v1,…,vn)), with the result written v′ = (v1′,…,vn′);
(3.1b) Check whether v′ equals the encoding u of the original message M;
(3.2) Verification using the other two public-key polynomial systems
(3.2a) Substitute the forward signature v = (v1,…,vn) into the corresponding public-key polynomial system, with the result written h = (h1,…,hn);
(3.2b) Substitute the backward signature vg = (vg1,…,vgn) into the corresponding public-key polynomial system, with the result written h′ = (h1′,…,hn′);
(3.2c) Check whether h and h′ are equal;
If both (3.1b) and (3.2c) hold, v || vg is a legitimate signature of the encoding u of message M; otherwise it is an invalid signature and is rejected.
2. The multivariable signature method resisting forgery attacks according to claim 1, characterised in that in step 1, S, T and G are invertible affine transformations.
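As an added example, not the patent's own code or parameters, the following Python toy walks through steps 1 to 3 of claim 1 (and the Alice/Bob exchange of section (2)) over GF(7) with n = m = 2. It assumes a triangular quadratic bijection in place of the MI central map, a fixed quadratic map in place of the one-way system H, and that the three public-key systems are the compositions T∘Q∘S, H∘G∘S and H∘S, which is the form under which check (3.2c) holds for an honest signer.

```python
# Added toy instance of the claimed scheme over GF(7) with n = m = 2 (constructed, not the patent's parameters).
P_MOD = 7

def matvec(M, x):                      # matrix-vector product over GF(7)
    return tuple(sum(a * b for a, b in zip(row, x)) % P_MOD for row in M)

def vadd(a, b, sign=1):                # a + b or a - b over GF(7)
    return tuple((p + sign * q) % P_MOD for p, q in zip(a, b))

class Affine:
    """Invertible affine map x -> A*x + b over GF(7); 2x2 inverse via the adjugate."""
    def __init__(self, A, b):
        (a, c), (d, e) = A
        det_inv = pow((a * e - c * d) % P_MOD, -1, P_MOD)   # ValueError if A is singular
        self.A, self.b = A, b
        self.A_inv = ((e * det_inv % P_MOD, -c * det_inv % P_MOD),
                      (-d * det_inv % P_MOD, a * det_inv % P_MOD))
    def __call__(self, x):
        return vadd(matvec(self.A, x), self.b)
    def inv(self, y):
        return matvec(self.A_inv, vadd(y, self.b, -1))

# Central map Q: a triangular quadratic bijection stands in for the MI map (assumption).
def Q(x):     return (x[0], (x[1] + x[0] * x[0]) % P_MOD)
def Q_inv(y): return (y[0], (y[1] - y[0] * y[0]) % P_MOD)
# G: secret quadratic system (part of the private key). H: auxiliary system of the trusted
# third party; a fixed quadratic map here where the claim wants a one-way map (assumption).
def G(x):     return ((x[0] * x[1] + x[1]) % P_MOD, (x[0] * x[0] + 3 * x[0] + x[1]) % P_MOD)
def H(z):     return ((z[0] * z[0] + z[1]) % P_MOD, (z[0] * z[1] + z[1] * z[1]) % P_MOD)

S = Affine(((2, 3), (1, 4)), (5, 1))   # secret affine key S, det = 5 mod 7
T = Affine(((1, 2), (3, 1)), (0, 6))   # secret affine key T, det = 2 mod 7

# Public key as three compositions (assumed form under which check (3.2c) holds):
# P = T∘Q∘S, P_G = H∘G∘S evaluated on v, and P_H = H∘S evaluated on vg.
def pub_P(v):    return T(Q(S(v)))
def pub_PG(v):   return H(G(S(v)))
def pub_PH(vg):  return H(S(vg))

def sign(u):
    y = T.inv(u)                       # (2.1a)
    x = Q_inv(y)                       # (2.1b)
    v = S.inv(x)                       # (2.1c) forward signature
    g = G(x)                           # (2.2a)
    vg = S.inv(g)                      # (2.2b) backward signature
    return v, vg                       # (2.3) signature v || vg

def verify(u, v, vg):
    return pub_P(v) == u and pub_PG(v) == pub_PH(vg)   # (3.1b) and (3.2c)
```

A forward signature that passes the P check alone is rejected once it is paired with a backward signature that does not match under the H-based public keys, which is the extra condition the claim adds over plain MI verification.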
CN201610511412.0A 2016-07-01 2016-07-01 A kind of multivariable endorsement method for resisting forgery attack Active CN106209376B (en)
Publications (2)

Publication Number Publication Date
CN106209376A CN106209376A (en) 2016-12-07
CN106209376B true CN106209376B (en) 2017-06-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant