CN106209376B - A kind of multivariable endorsement method for resisting forgery attack - Google Patents
Publication number: CN106209376B (application CN201610511412.0A)
Authority: CN (China)
Prior art keywords: signature, designated, public key, message, multivariable
Legal status: Active (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications (CPC):
- H04L9/3247: cryptographic mechanisms for verifying identity or authority of a user, or for message authentication, involving digital signatures
- H04L9/3249: digital signatures using RSA or related signature schemes, e.g. Rabin scheme
- H04L9/002: countermeasures against attacks on cryptographic mechanisms
Abstract
The invention is a multivariate signature method that resists forgery attacks. By adding a quantity called the signature added value (a backward signature), an extra verification condition on the internal intermediate value is checked during signature verification, so that forgery attacks are resisted. The method consists of three stages: preprocessing of the data, generation of the signature, and verification of the signature. It takes multivariate public-key cryptography as its theoretical basis and builds a signing and verification scheme from systems of polynomial equations in several variables over a finite field. It addresses a model defect of existing multivariate signature schemes: while remaining resistant to quantum attacks, verification no longer depends only on the public key but also involves the user's legitimate private key. It can provide basic technical support for information security and trust systems in the era of quantum computers and is suitable for secure digital signatures in that era; because of its efficiency and security it is particularly suitable where storage space and computation time are limited.
Description
Technical field
The invention belongs to the field of cryptography and relates to multivariate public-key cryptosystems in post-quantum cryptography, in particular to a multivariate digital signature method that resists forgery attacks.
Background technology
A digital signature is a method of authenticating digital information and one of the main applications of public-key cryptosystems; it is also called a public-key digital signature. In a public-key cryptosystem, the signer applies the private key to the message (or to its hash) to produce the signature and sends the signature together with the message. The recipient applies the signer's public key to the signature and compares the recovered value with the message; if they match, the recipient accepts that the signature came from the legitimate sender. A digital signature therefore consists of two complementary operations, one for signing and one for verification, and the two parties can sign and verify digital information (messages) in an open network environment.
The most important property of a digital signature is that it establishes that the message really came from the sender and was published after the sender signed it, and that nobody else can forge it.
Digital signatures applied to messages today are mostly schemes designed on conventional public-key cryptosystems such as RSA and ECC.
The security of conventional public-key systems rests on number-theoretic problems: integer factorisation for RSA and the discrete logarithm for ECC. In 1994, however, the American scientist Peter Shor proposed a quantum algorithm, the most famous result of quantum computing to date, which exploits the parallelism of quantum computation to factor large integers and solve discrete logarithms in polynomial time. The advent of quantum computers therefore poses a serious threat to the security of existing digital signatures based on classical public-key cryptosystems.
Constructing new public-key cryptosystems to replace the number-theoretic ones and resist future attacks based on quantum computation is therefore urgent.
In 1988 Matsumoto and Imai proposed a multivariate public-key cryptosystem intended as an alternative to conventional public-key cryptosystems, the MI (Matsumoto-Imai) scheme. The multivariate signature scheme SFLASH was selected by the European NESSIE project (final portfolio, 2003) as a recommended signature scheme for low-cost smart cards.
Multivariate public-key cryptosystems are designed around the problem of solving systems of nonlinear multivariate equations over a finite field; their main building block is the multivariate polynomial over a finite field. Their security rests on the fact that solving a system of multivariate polynomial equations is an NP-complete problem, and quantum computers are currently not known to have a substantial advantage on this problem. They are therefore regarded as a candidate for secure cryptosystems in the quantum era and are an active topic of cryptographic research.
As a new research direction, multivariate public-key cryptography offers higher efficiency and security than number-theoretic systems and is easy to implement in hardware, which makes it especially suitable where storage space and computation time are limited, such as smart cards, wireless sensor networks and active RFID tags. Existing multivariate signature models, however, still have the following problems:
(1) The verification condition of the standard signature model is deficient: current multivariate signature verification relies only on the public key, so the condition is too simple. Even a forger who does not know the legitimate private key may exploit the structure of the public key P to find a special relationship and solve for a signature.
(2) The standard signature model does not involve the internal secret information during verification, which leaves an opening to a forger. A legitimate signer produces the signature by inverting step by step with the private key, but current verification does not reflect that inversion process; verification does not check whether the forger holds the legitimate private key, which lowers the difficulty of forgery.
(3) The two points above mean that an attacker can, by solving P, forge a signature that passes verification under the public key P even though it was not produced with the private key. The problem is a general one: when the central map is many-to-one, one message corresponds to several signatures, so these issues must be considered and avoided when designing a multivariate signature scheme.
At present no multivariate public-key signature scheme has been produced that effectively solves the problems above.
Summary of the invention
To overcome the shortcomings of the prior art described above, the object of the invention is to provide a multivariate signature method that resists forgery attacks. The method takes multivariate public-key cryptography as its theoretical basis and builds a signing and verification scheme from systems of polynomial equations in several variables over a finite field. It corrects the model defect of existing multivariate signature schemes so that, while remaining resistant to quantum attacks, signature verification does not depend solely on the public key but also involves the user's legitimate private key. It can provide basic technical support for information security and trust systems in the quantum computer era, is suitable for secure digital signatures in that era and, because of its efficiency and security, is particularly suited to settings with limited storage and computation time such as smart cards, wireless sensor networks and active RFID tags.
To achieve these goals, the technical solution adopted by the invention is to add a quantity called the signature added value, so that signature verification gains an additional condition on the internal intermediate value x and the scheme resists forgery attacks. Specifically, the multivariate signature method that resists forgery attacks comprises the following steps:
Step 1: choose the system parameters
Take a finite field F with q elements and positive integers n and m; write F^n for the n-dimensional and F^m for the m-dimensional vector space over F. Take a system of m multivariate quadratic polynomials q1(x1,...,xn), ..., qm(x1,...,xn) from F^n to F^m, denoted Q; Q is the central map of the multivariate public-key cryptosystem, with n input variables and m output variables. Q^{-1} denotes the inverse of Q and is held by the legitimate user. Separately take invertible affine transformations S on F^n and T on F^m as secret keys; their inverses are denoted S^{-1} and T^{-1}. Then randomly choose a system of n quadratic polynomials in n variables over F, (g1(x1,...,xn), ..., gn(x1,...,xn)), denoted G, i.e. G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)), which must be invertible with inverse G^{-1}, together with a one-way, non-invertible polynomial system H. The user's secret key consists of the three parts S, T and G; H is chosen secretly by a trusted third party and is used only to generate the public key. The public key also consists of three polynomial systems, namely
P = T ∘ Q ∘ S, P_H = H ∘ S and P_HG = H ∘ G^{-1} ∘ S,
where the operator ∘ denotes composition, i.e. substitution carried out in turn from right to left. (P_H and P_HG are the names used here for the two auxiliary public keys; their original symbols did not survive extraction, and the compositions follow from the public-key generation in the embodiment below.)
Step 2: signature generation
Let the encoding of the known message M be the vector (u1,...,um), denoted u. The signature is generated as follows:
(2.1) Produce the forward signature.
(2.1a) Apply the secret key T^{-1}: substitute the encoding u = (u1,...,um) of M into T^{-1} to obtain (y1,...,ym), denoted y.
(2.1b) Substitute y into the inverse Q^{-1} of the central map Q to obtain (x1,...,xn), denoted x.
(2.1c) Substitute x into the inverse S^{-1} of the secret key S to obtain (v1,...,vn), denoted v; v is the forward signature of the encoding u of M.
(2.2) Produce the backward signature.
(2.2a) Substitute x into the secret key G to obtain G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)) = (g1,...,gn), denoted g.
(2.2b) Substitute g into S^{-1} to obtain vg = S^{-1}(g1,...,gn); vg is the backward signature of the encoding u of M.
(2.3) The concatenation v||vg of the forward and backward signatures is the signature of the encoding u of M.
Step 3: signature verification
(3.1) Verify with the public key P.
(3.1a) Substitute the forward signature v = (v1,...,vn) into the public key P to obtain P(v1,...,vn) = (p1(v1,...,vn), ..., pm(v1,...,vn)), denoted u' = (u'1,...,u'm).
(3.1b) Check whether u' equals the encoding u of the original message M.
(3.2) Verify with the public keys P_H = H ∘ S and P_HG = H ∘ G^{-1} ∘ S.
(3.2a) Substitute the forward signature v = (v1,...,vn) into P_H to obtain P_H(v) = H(S(v)), denoted h = (h1,...,hn).
(3.2b) Substitute the backward signature vg = (vg1,...,vgn) into P_HG to obtain P_HG(vg) = H(G^{-1}(S(vg))), denoted h' = (h'1,...,h'n).
(3.2c) Check whether h equals h'.
If both (3.1b) and (3.2c) hold, v||vg is a legitimate signature of the encoding u of M; otherwise the signature is invalid and is rejected.
In step 1, S and T are invertible affine transformations and G is an invertible polynomial map (its inverse G^{-1} is needed to build the public key).
Compared with the prior art, the invention has the following beneficial effects:
1) The invention is a signature model based on multivariate public-key cryptography, so it resists the known quantum attacks;
2) The invention is a public-key system based on systems of multivariate polynomial equations over a finite field; its operations are additions and low-degree multiplications, with no exponentiation or inversion, so it is more efficient and secure than the traditional number-theoretic systems;
3) The signature produced by the invention consists of two parts, the forward signature v and the backward signature vg. Producing v requires the legitimate secret keys S and T, and producing vg requires the legitimate secret keys S and G, so compared with existing multivariate signature schemes, which only have the forward signature v, the invention increases the attacker's difficulty;
4) The signature v||vg consists of two related parts v and vg, which must satisfy a correlation check that depends on the secret keys S and G:
H(S(v)) = H(G^{-1}(S(vg))),
evaluated by the verifier through the public keys H ∘ S and H ∘ G^{-1} ∘ S. Because this relation involves the secret keys S and G, the backward signature cannot be obtained from the public key alone without S and G. Whereas existing signature models only check that v satisfies the public key P, the invention adds the correlation check on the backward signature, resists forgery attacks and is therefore safer.
In addition, the security of the invention rests on the basic hard problem of multivariate public-key schemes: the difficulty of solving systems of multivariate polynomial equations over a finite field.
Brief description of the drawings
Fig. 1 is a schematic of signature generation in the invention.
Fig. 2 is a schematic of signature verification in the invention.
Detailed description
Embodiments of the invention are described in detail below with reference to the drawings and examples.
1. Mathematical background used by the invention
(1) Finite fields
A finite field is a finite set of elements with two operations, addition and multiplication, satisfying associativity and commutativity of both operations, the existence of inverses (additive inverses for all elements, multiplicative inverses for non-zero elements) and distributivity of multiplication over addition. The number of elements in the field is called its order; the finite field of order q is written GF(q) or F_q. In a prime field the arithmetic is modular arithmetic modulo the prime.
(2) The multivariate quadratic problem
The multivariate problem is also called the multivariate quadratic (MQ) problem. The security of multivariate public-key cryptosystems is based on solving a system of nonlinear multivariate polynomial equations over a finite field:
p1(x1,...,xn) = p2(x1,...,xn) = ... = pm(x1,...,xn) = 0,
which is an NP-complete problem; the coefficients and variables of the pi are taken from the finite field F_q, and the pi are usually quadratic. For schemes built on the MQ problem, the security rests on the difficulty of solving the public quadratic equations directly, i.e. recovering a solution from the public key alone is an NP-complete problem and not known to be solvable in polynomial time.
(3) Transformations
Let F be a finite field. A map (y1,...,yn) = f(x1,...,xn) on F^n is called a transformation: there is a rule f that turns (x1,...,xn) into (y1,...,yn), and that rule is the transformation.
2. Implementation
Step 1: choose the system parameters
Take a finite field F with q elements and positive integers n and m; write F^n for the n-dimensional and F^m for the m-dimensional vector space over F. Take a system of m multivariate quadratic polynomials q1(x1,...,xn), ..., qm(x1,...,xn) from F^n to F^m, denoted Q; Q is the central map of the multivariate public-key cryptosystem, with n input variables and m output variables. Q^{-1} denotes the inverse of Q and is held by the legitimate user. Separately take invertible affine transformations S on F^n and T on F^m as secret keys; their inverses are denoted S^{-1} and T^{-1}. Then randomly choose a system of n quadratic polynomials in n variables over F, (g1(x1,...,xn), ..., gn(x1,...,xn)), denoted G, i.e. G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)), which must be invertible with inverse G^{-1}, together with a one-way, non-invertible polynomial system H. The user's secret key consists of the three parts S, T and G; H is chosen secretly by a trusted third party and is used only to generate the public key. The public key also consists of three polynomial systems, namely
P = T ∘ Q ∘ S, P_H = H ∘ S and P_HG = H ∘ G^{-1} ∘ S,
where the operator ∘ denotes composition, i.e. substitution carried out in turn from right to left. (P_H and P_HG are the names used here for the two auxiliary public keys, whose original symbols did not survive extraction.)
Step 2: signature generation
Let the encoding of the known message M be the vector (u1,...,um), denoted u. Referring to Fig. 1, the signature is generated as follows:
(2.1) Produce the forward signature.
(2.1a) Apply the secret key T^{-1}: substitute the encoding u = (u1,...,um) of M into T^{-1} to obtain (y1,...,ym), denoted y.
(2.1b) Substitute the result y of (2.1a) into the inverse Q^{-1} of the central map Q to obtain (x1,...,xn), denoted x.
(2.1c) Substitute the result x of (2.1b) into the inverse S^{-1} of the secret key S to obtain (v1,...,vn), denoted v; v is the forward signature of the encoding u of M.
(2.2) Produce the backward signature.
(2.2a) Substitute the result x of (2.1b) into the secret key G to obtain G(x1,...,xn) = (g1(x1,...,xn), ..., gn(x1,...,xn)) = (g1,...,gn), denoted g.
(2.2b) Substitute the result g of (2.2a) into S^{-1} to obtain vg = S^{-1}(g1,...,gn); vg is the backward signature of the encoding u of M.
(2.3) The concatenation v||vg of the forward and backward signatures is the signature of the encoding u of M.
Referring to Fig. 2, signature verification in the invention is carried out as follows:
Step 3: signature verification
(3.1) Verify with the public key P.
(3.1a) Substitute the forward signature v = (v1,...,vn) into the public key P to obtain P(v1,...,vn) = (p1(v1,...,vn), ..., pm(v1,...,vn)), denoted u' = (u'1,...,u'm).
(3.1b) Check whether u' equals the encoding u of the original message M.
(3.2) Verify with the public keys P_H = H ∘ S and P_HG = H ∘ G^{-1} ∘ S.
(3.2a) Substitute the forward signature v = (v1,...,vn) into P_H to obtain P_H(v) = H(S(v)), denoted h = (h1,...,hn).
(3.2b) Substitute the backward signature vg = (vg1,...,vgn) into P_HG to obtain P_HG(vg) = H(G^{-1}(S(vg))), denoted h' = (h'1,...,h'n).
(3.2c) Check whether h equals h'.
If both (3.1b) and (3.2c) hold, v||vg is a legitimate signature of the encoding u of M; otherwise the signature is invalid and is rejected.
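Steps 1 to 3 above (as listed in both the summary and this implementation section) as a runnable toy, added here as an example and not taken from the patent. It assumes the prime field GF(7), n = m = 2, a triangular quadratic central map Q = (x1, x2 + x1^2) whose inverse is explicit, an invertible quadratic secret map G = (x1 + x2^2, x2), and a single quadratic polynomial H = x1·x2 + x2 + 3 as the trusted third party's one-way map; the names keygen, sign, verify and backward_candidates are this example's own. The public key is expanded into explicit polynomials by composition (the patent's ∘ operator), so the verifier evaluates T ∘ Q ∘ S, H ∘ S and H ∘ G^{-1} ∘ S without ever seeing S, T or G.

```python
"""Toy end-to-end run of the patent's two-part multivariate signature
v || v_g over GF(7). Added example, not the patent's code: the field, n = m = 2,
the central map Q, the secret map G and the one-way map H are assumptions."""
import random

P, N = 7, 2  # assumed: prime field GF(7), two variables and two equations

# Multivariate polynomials over GF(P) as {exponent tuple: coefficient}.
def padd(a, b):
    r = dict(a)
    for m, c in b.items():
        r[m] = (r.get(m, 0) + c) % P
    return {m: c for m, c in r.items() if c}

def pmul(a, b):
    r = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(i + j for i, j in zip(ma, mb))
            r[m] = (r.get(m, 0) + ca * cb) % P
    return {m: c for m, c in r.items() if c}

def pconst(c):
    return {(0,) * N: c % P} if c % P else {}

def pvar(i):
    return {tuple(int(j == i) for j in range(N)): 1}

def compose(f, gs):
    """f(g_0, ..., g_{N-1}): the patent's composition operator on polynomial systems."""
    r = {}
    for m, c in f.items():
        term = pconst(c)
        for i, e in enumerate(m):
            for _ in range(e):
                term = pmul(term, gs[i])
        r = padd(r, term)
    return r

def evaluate(f, x):
    total = 0
    for m, c in f.items():
        for xi, e in zip(x, m):
            c = c * pow(xi, e, P) % P
        total += c
    return total % P

X1, X2 = pvar(0), pvar(1)
Q = [X1, padd(X2, pmul(X1, X1))]                         # assumed Q: (x1, x2 + x1^2), a bijection
def Q_inv(y): return [y[0], (y[1] - y[0] * y[0]) % P]     # Q^-1: (y1, y2 - y1^2)
G = [padd(X1, pmul(X2, X2)), X2]                         # assumed G: (x1 + x2^2, x2), invertible
G_inv = [padd(X1, pmul(pconst(-1), pmul(X2, X2))), X2]   # G^-1: (g1 - g2^2, g2)
H = padd(pmul(X1, X2), padd(X2, pconst(3)))              # assumed one-way H: x1*x2 + x2 + 3 (many-to-one)

def random_affine(rng):
    """Invertible affine map x -> A x + b on GF(P)^2, also as polynomials in x1, x2."""
    while True:
        A = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        if (A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P:
            break
    b = [rng.randrange(P) for _ in range(N)]
    polys = [padd({(1, 0): A[i][0], (0, 1): A[i][1]}, pconst(b[i])) for i in range(N)]
    return A, b, polys

def affine_invert(A, b, v):
    """Solve A x + b = v for x (2x2 inverse modulo P)."""
    d = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P, -1, P)
    Ai = [[A[1][1] * d % P, -A[0][1] * d % P], [-A[1][0] * d % P, A[0][0] * d % P]]
    w = [(v[i] - b[i]) % P for i in range(N)]
    return [sum(Ai[i][j] * w[j] for j in range(N)) % P for i in range(N)]

def keygen(seed=0):
    """Step 1: secret key (S, T, G); public key (T o Q o S, H o S, H o G^-1 o S) expanded."""
    rng = random.Random(seed)
    S_A, S_b, S_poly = random_affine(rng)
    T_A, T_b, T_poly = random_affine(rng)
    QS = [compose(q, S_poly) for q in Q]
    pub = {"P": [compose(t, QS) for t in T_poly],
           "PH": compose(H, S_poly),
           "PHG": compose(H, [compose(g, S_poly) for g in G_inv])}
    return (S_A, S_b, T_A, T_b), pub

def sign(sk, u):
    """Step 2: v = S^-1(Q^-1(T^-1(u))), v_g = S^-1(G(x)); returns the list v || v_g."""
    S_A, S_b, T_A, T_b = sk
    y = affine_invert(T_A, T_b, u)      # (2.1a)
    x = Q_inv(y)                        # (2.1b)
    v = affine_invert(S_A, S_b, x)      # (2.1c) forward signature
    g = [evaluate(gi, x) for gi in G]   # (2.2a)
    vg = affine_invert(S_A, S_b, g)     # (2.2b) backward signature
    return v + vg                       # (2.3)

def verify(pub, u, sig):
    """Step 3: (3.1) P(v) == u and (3.2) H(S(v)) == H(G^-1(S(v_g))) using public polynomials only."""
    v, vg = sig[:N], sig[N:]
    if [evaluate(p, v) for p in pub["P"]] != list(u):
        return False
    return evaluate(pub["PH"], v) == evaluate(pub["PHG"], vg)

def backward_candidates(pub, v):
    """Every v_g in GF(P)^2 passing (3.2) for this v: H is many-to-one, so several do."""
    target = evaluate(pub["PH"], v)
    return [(a, b) for a in range(P) for b in range(P) if evaluate(pub["PHG"], [a, b]) == target]
```

keygen(seed) returns the secret affine maps and the expanded public polynomials; sign follows steps (2.1a) to (2.3) and verify checks (3.1b) and (3.2c). backward_candidates enumerates which backward signatures the correlation check accepts for a given forward signature: because H maps GF(7)^2 onto GF(7), roughly one candidate in seven passes, which is the q^{-k} rate for a k-coordinate H rather than the q^{-n} rate quoted in the forgery argument below.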
The multivariate signature model proposed by the invention is correct and resists signature forgery.
Correctness of the signature:
Suppose the recipient receives a signature v||vg that was produced step by step as above and was not altered in transit. Then:
(1) The forward signature v is obtained from the encoding (u1,...,um) of M by applying T^{-1}, then Q^{-1}, then S^{-1}, i.e. v = S^{-1}(Q^{-1}(T^{-1}(u))). Substituting v into the public key P = T ∘ Q ∘ S gives P(v) = T(Q(S(v))) = T(Q(Q^{-1}(T^{-1}(u)))) = u, so the verification equation in (3.1b) holds.
(2) The backward signature is vg = S^{-1}(G(x)) with x = Q^{-1}(T^{-1}(u)), and the forward signature is v = S^{-1}(x1,...,xn). Hence S(vg) = G(x) and S(v) = x, so G^{-1}(S(vg)) = x = S(v), and applying H to both sides gives H(G^{-1}(S(vg))) = H(S(v)); the two public-key values compared in (3.2c) are equal, so verification equation (3.2c) holds.
Therefore v||vg is a correct signature of the encoding u of M.
Unforgeability of the signature:
The signature model based on multivariate polynomials proposed by the invention cannot be forged by an attack that knows only the public key, because doing so amounts to solving the chosen system of multivariate equations. The following shows that the digital signature model of the invention resists the traditional public-key forgery attack.
Argument: To forge a signature successfully, an attacker must produce a forward signature and a backward signature for which both (3.1b) and (3.2c) hold. Suppose the forger obtains, by an attack on the public key, some forward signature v* that passes (3.1b). The forger still cannot obtain a backward signature vg* that passes (3.2c), because (3.2c) requires that v* and vg* correspond to the same intermediate value x, i.e. H(S(v*)) = H(G^{-1}(S(vg*))). There are only two ways to obtain a correct vg*: either start from the obtained v* and apply the legitimate secret keys, passing through S, G and S^{-1} in turn to get vg* = S^{-1}(G(S(v*))); or first compute x from the encoding u of M and then compute vg* = S^{-1}(G(x)). The public keys H ∘ S and H ∘ G^{-1} ∘ S in the invention restrict this: a backward signature can only be produced with the secret keys G and S, which are held by the legitimate user alone, and the forger has no information about G and S. Moreover, the hardness of solving multivariate equations ensures that the forger cannot obtain the x corresponding to the encoding u of M. Hence by neither route can the forger obtain a valid pair of forward signature v* and backward signature vg*. If the attacker simply guesses vg* at random, then because vg* is an n-dimensional vector over a field of order q, the probability of success is only q^{-n} (q being the order of the finite field). That is, without the correct secret keys G and S the attacker cannot produce a forward signature v* that passes verification together with the corresponding backward signature vg*; the forger cannot succeed by attacking the public key alone.
In summary, the signature model proposed by the invention resists forgery attacks on multivariate systems.
The argument above is a sketch rather than a reduction, and two points should be read with care. First, H is many-to-one, so more than one vg passes (3.2c) for a given v; "the same intermediate value x" means "the same value of H(x)", and the probability that a random guess passes (3.2c) is the fibre size of H ∘ G^{-1} ∘ S over the target divided by q^n, which equals q^{-n} only if H is injective. Second, the verifier only evaluates the public maps H ∘ S and H ∘ G^{-1} ∘ S, so what a forger holding v* needs is a preimage of the public map H ∘ G^{-1} ∘ S for the target H(S(v*)); the security claim therefore rests on the difficulty of that preimage problem rather than directly on the secrecy of S and G.
3. Embodiments
Embodiment 1
(1) System generation
Step 1: choose the system parameters
Take m = n = 2, i.e. two equations in two variables. The source takes GF(2) = {0, 1} and then lets the elements be {0, 1, 2, 3} with addition and multiplication modulo 4, where the inverse of an element o is the element o^{-1} with o · o^{-1} = 1 mod 4, and lists: -4 = 0 mod 4, -3 = 1 mod 4, -2 = 2 mod 4, -1 = 3 mod 4, 1^{-1} = 1 mod 4, 2^{-1} = 3 mod 4, 3^{-1} = 2 mod 4, with all addition and multiplication taken modulo 4. Note that this is the ring Z/4Z, not a finite field: 2 has no multiplicative inverse modulo 4 (2 · 3 = 6 = 2 mod 4, so the listed value 2^{-1} = 3 is wrong), and the finite field of order 4 is GF(4) = GF(2)[t]/(t^2 + t + 1), whose arithmetic is not reduction modulo 4. The numbers below therefore illustrate the sequence of steps rather than genuine field arithmetic.
The central map Q is taken as: (formula (1); not reproduced in the extracted text)
and the corresponding Q^{-1} is: (formula (2); not reproduced in the extracted text)
(2) Key generation
(2.1) Secret key generation
The secret keys issued to Alice by the trusted third party are denoted S_Alice, T_Alice and G_Alice, where T_Alice is: (formula (3); not reproduced)
S_Alice is: (formula (4); not reproduced)
G_Alice is: (formula (5); not reproduced)
Solving the linear system (3) gives T_Alice^{-1}: (formula (6); not reproduced)
Solving the linear system (4) gives S_Alice^{-1}: (formula (7); not reproduced)
Solving (5) gives G_Alice^{-1}: (formula (8); not reproduced)
(2.2) Public key generation
Using Alice's secret keys S_Alice, T_Alice, G_Alice: substitute (4) into (1) and the result into (3) to obtain Alice's public key P_Alice: (formula (9); not reproduced)
The trusted third party takes a projection as H, defined as the function that maps an element of the domain to the second component of the codomain; this H is one-way and not invertible. Substituting Alice's secret key S_Alice, i.e. formula (4), into H gives the second part of the public key, H ∘ S_Alice:
h1 = 2v1 + 1, (10)
Substituting S_Alice, i.e. (4), into G_Alice^{-1}, i.e. (8), and the result into H gives the third part of the public key, H ∘ G_Alice^{-1} ∘ S_Alice, whose output is denoted h'1:
h'1 = vg1 + 2, (11)
(3) Signature generation
Let the encoding of the known message M be (u1, u2) = (0, 1). Alice signs (u1, u2) = (0, 1) as follows:
(I) Produce the forward signature.
Substitute the encoding (u1, u2) = (0, 1) of M into the secret key T_Alice^{-1}, i.e. formula (6), to obtain (y1, y2) = (2, 0); substitute (y1, y2) = (2, 0) into Q^{-1}, i.e. formula (2), to obtain (x1, x2) = (1, 2); substitute (x1, x2) = (1, 2) into S_Alice^{-1}, i.e. formula (7), to obtain (v1, v2) = (0, 2). Then (v1, v2) = (0, 2) is Alice's forward signature on the message (u1, u2) = (0, 1).
(II) Produce the backward signature.
Alice substitutes (x1, x2) = (1, 2) from step (I) into G, i.e. formula (5), to obtain (g1, g2) = (1, 0), then substitutes (g1, g2) = (1, 0) into S_Alice^{-1}, i.e. formula (7), to obtain (vg1, vg2) = (0, 0). Then (vg1, vg2) = (0, 0) is Alice's backward signature on the message (u1, u2) = (0, 1).
Alice's signature on the message (u1, u2) = (0, 1) is therefore v||vg = 0200.
(4) Signature verification
Bob receives the message encoding (u1, u2) = (0, 1) and the signature v||vg = 0200 sent by Alice. Bob uses Alice's public keys P_Alice, H ∘ S_Alice and H ∘ G_Alice^{-1} ∘ S_Alice to decide whether the signature really came from Alice, i.e. Bob verifies the signature v||vg = 0200:
(I) Bob substitutes the forward signature (v1, v2) = (0, 2) into Alice's public key P_Alice, i.e. formula (9), and obtains (0, 1), which equals the original message;
(II) Bob substitutes the forward signature (v1, v2) = (0, 2) into Alice's public key H ∘ S_Alice, i.e. formula (10), and obtains h1 = 1; he substitutes the backward signature (vg1, vg2) = (0, 0) into Alice's public key H ∘ G_Alice^{-1} ∘ S_Alice, i.e. formula (11), and the source gives the result h'1 = 1, so that h1 and h'1 are equal. (As printed, (11) yields h'1 = 0 + 2 = 2 rather than 1; either formula (11) or this value is misprinted in the source.)
By the checks (I) and (II), v||vg = 0200 is Alice's legitimate signature on the message (u1, u2) = (0, 1).
The scheme resists forgery attacks and improves security over the original scheme.
Embodiment 2
Take the central map of the Matsumoto-Imai (MI) multivariate system as an example; the signature scheme is as follows:
(1) The original MI scheme.
Let F_q be a finite field of order q and K = F_{q^n} its extension of degree n, and let π: K → F_q^n be the isomorphism of vector spaces π(a0 + a1 X + ... + a_{n-1} X^{n-1}) = (a0, ..., a_{n-1}). Choose a positive integer λ with gcd(q^n - 1, q^λ + 1) = 1 and take the bijection on K
φ(X) = X^{q^λ + 1}.
φ is invertible, with φ^{-1}(Y) = Y^t where t (q^λ + 1) = 1 mod (q^n - 1). The central map Q(x1,...,xn) from F_q^n to F_q^n is then
Q = π ∘ φ ∘ π^{-1} = (q1(x1,...,xn), ..., qn(x1,...,xn)),
where each qi(x1,...,xn), i = 1,...,n, is a quadratic polynomial in the n variables (here m = n). Let S and T be two random invertible affine transformations on F_q^n; the public key is
P = T ∘ Q ∘ S,
each of whose polynomials is quadratic.
The system is used as a signature algorithm as follows. Alice wants to send Bob a message (u1,...,um) signed by herself. She first signs (u1,...,um) with her private key S_Alice, T_Alice: (I) compute y = T_Alice^{-1}(u1,...,um); (II) compute x = Q^{-1}(y); (III) compute (v1,...,vn) = S_Alice^{-1}(x). She then sends the message (u1,...,um) and the signature (v1,...,vn) together to Bob over the communication network.
Bob receives Alice's message (u1,...,um) and signature (v1,...,vn) over the public channel and wants to decide whether the signature really came from Alice. Bob looks up Alice's published public key P_Alice and verifies: for the signature (v1,...,vn) he computes P_Alice(v1,...,vn), writes the result as (u'1,...,u'm) and checks whether (u'1,...,u'm) equals the original message (u1,...,um); if so he accepts the signature (v1,...,vn), otherwise he rejects it.
When the MI multivariate system is used as a signature scheme in this way, as in the traditional multivariate signature model, verification only uses the public key and does not check whether the user holds the legitimate private key. Patarin's linearisation attack (1995) recovers a preimage from the public key without the private key, which breaks the scheme as a message signature, so MI lost its practical value.
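The MI central map described above, as an added example (not the patent's own code) over the small assumed parameters q = 2, n = 5, λ = 1 with GF(2^5) = GF(2)[t]/(t^5 + t^2 + 1). It derives the secret exponent t from the condition gcd(q^n - 1, q^λ + 1) = 1, shows that Q = π ∘ φ ∘ π^{-1} is a bijection with inverse Y ↦ Y^t, and checks that every coordinate of Q is quadratic over GF(2), which is what makes T ∘ Q ∘ S a quadratic public key. The names central_map, central_map_inv, is_bijection and is_quadratic are this example's own.

```python
"""Matsumoto-Imai (C*) central map of Embodiment 2 over GF(2^n).
Added example, not the patent's code. Assumed parameters: q = 2, n = 5,
lambda = 1, GF(2^5) = GF(2)[t]/(t^5 + t^2 + 1); the patent's isomorphism pi
is the coefficient-vector map of that polynomial basis."""
from math import gcd

Q_BASE, N_EXT, LAMBDA = 2, 5, 1
MODULUS = 0b100101                   # t^5 + t^2 + 1, irreducible over GF(2)
ORDER = Q_BASE ** N_EXT - 1          # q^n - 1 = 31
THETA = Q_BASE ** LAMBDA + 1         # q^lambda + 1 = 3
assert gcd(ORDER, THETA) == 1        # the patent's condition gcd(q^n - 1, q^lambda + 1) = 1
T_INV = pow(THETA, -1, ORDER)        # t with t * (q^lambda + 1) = 1 mod (q^n - 1), here 21

def gf_mul(a, b):
    """Multiply two GF(2^5) elements stored as 5-bit ints, reducing modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_EXT:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def pi(a):
    """pi: GF(2^5) -> GF(2)^5, coefficient vector (a_0, ..., a_4)."""
    return tuple((a >> i) & 1 for i in range(N_EXT))

def pi_inv(vec):
    return sum(bit << i for i, bit in enumerate(vec))

def central_map(x):
    """Q = pi o (X -> X^(q^lambda + 1)) o pi^-1, a quadratic map on GF(2)^5."""
    return pi(gf_pow(pi_inv(x), THETA))

def central_map_inv(y):
    """Q^-1 uses the secret exponent t: X = Y^t, since (q^lambda + 1) * t = 1 mod (q^n - 1)."""
    return pi(gf_pow(pi_inv(y), T_INV))

def xor_vec(*vs):
    return tuple(sum(bits) % 2 for bits in zip(*vs))

def is_bijection():
    """Q is one-to-one on GF(2)^5, which is what makes it usable as a trapdoor central map."""
    return len({central_map(pi(a)) for a in range(2 ** N_EXT)}) == 2 ** N_EXT

def is_quadratic():
    """Over GF(2) a map is quadratic iff its third-order difference vanishes:
    f(x+y+z) + f(x+y) + f(x+z) + f(y+z) + f(x) + f(y) + f(z) + f(0) = 0 for all x, y, z."""
    els = [pi(a) for a in range(2 ** N_EXT)]
    f = {x: central_map(x) for x in els}
    for x in els:
        for y in els:
            for z in els:
                d = xor_vec(f[xor_vec(x, y, z)], f[xor_vec(x, y)], f[xor_vec(x, z)],
                            f[xor_vec(y, z)], f[x], f[y], f[z], f[els[0]])
                if any(d):
                    return False
    return True
```

The quadratic check is what justifies the statement that each polynomial of P = T ∘ Q ∘ S is quadratic: X^{q^λ+1} = X^{q^λ} · X is the product of a Frobenius-linear map and the identity, so its coordinates are quadratic forms over F_q, and composing with the affine maps S and T preserves degree two. Any other (q, n, λ) with gcd(q^n - 1, q^λ + 1) = 1 and an irreducible modulus of degree n can be substituted.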
(2) below, the centralizing mapping that Q is Matsumoto-Imai multivariables [MI] system is taken.
Alice is to provide a signature for safety, selects a reversible secondary multivariable polynomial GAliceAs private
Key and one it is random unidirectionally can not inverse polynomial H as auxiliary function.
When Alice will send a message (u through herself having signed name to Bob1,…,um) when, (I) utilizes private key
TAlice, calculate(II) calculate
(III) using private key SAlice, calculate(IV) using private key GAlice, calculate GAlice=G
(x1,…,xn)=(g1(x1,…,xn),…,gn(x1,…,xn))=(g1,…,gn);(V) using private key SAlice, calculate(VI) by (v1,…,vn) and (vg1,…,vgn) cascade, obtain v1,…,vn||
vg1,…,vgnAs message (u1,…,um) signature.
Bob receives the message (u that Alice sends through common signal channel1,…,um) and signature v1,…,vn||vg1,…,vgn。Bob
It is intended to judge whether the signature is really coming from Alice.Bob finds the public key of disclosed Alice Then to signature v1,…,vn||vg1,…,vgnVerified:
(I) the Bob public key P of AliceAlice, by preceding to signature v=(v1,…,vn) it is updated to PAliceIn, the knot for obtaining
Fruit is designated as (u '1,…,u′m), judge the value (u '1,…,u′m) whether with former message (u1,…,um) equal, if equal, carry out
(II) step judges, otherwise refuses.
(II) Bob by it is preceding to signature (v1,…,vn) substitute into Alice public keyObtainThen will sign (v backwardg1,…,vgn) substitute into Alice public keyIn, note result isThe value of breaking (h '1,…,h′n) whether
(h1,…,hn) equal, if equal, Bob receives the signature of the message, otherwise refuses the signature.
Clearly, when the new model is applied to MI, for the same message (u1,…,um) the signature changes from the original (v1,…,vn) to v1,…,vn||vg1,…,vgn. During verification, besides the original check with public key P that P_Alice(v1,…,vn) equals (u1,…,um), an additional check related to the private key is needed: whether  and  are equal. Only when both equations pass the check is v1,…,vn||vg1,…,vgn a legitimate signature. The scheme is therefore effective against forgery attacks and improves security compared with the original scheme.
Claims (2)
1. A multivariable signature method resisting forgery attacks, characterised in that it comprises the following steps:
Step 1, selecting system parameters
Take a finite field , positive integers n and m; its n-fold extension field is designated  and its m-fold extension field is designated . Take a group of multivariate quadratic polynomial equations q1(x1,…,xn),…,qm(x1,…,xn) from  to , designated Q; Q is then the central map of the multivariable public key cryptosystem, with n input variables and m output variables. Q⁻¹ denotes the inverse polynomial of the polynomial Q, and Q⁻¹ is shared by all legitimate users. Separately take invertible affine transformations S on  and T on  as the secret key, with their inverse polynomials designated S⁻¹ and T⁻¹ respectively. Then randomly select on  a group of n quadratic multivariate polynomial equations in n variables (g1(x1,…,xn),…,gn(x1,…,xn)); this polynomial vector is designated G, i.e. G(x1,…,xn) = (g1(x1,…,xn),…,gn(x1,…,xn)); and select a one-way irreversible polynomial system H. The user's secret key consists of the three parts S, T and G; H is secretly chosen by a trusted third party and is used only for generating the public key. The inverse polynomial of G is expressed as G⁻¹. The corresponding public key also consists of three polynomial systems, respectively: , where the operator  represents composition of operations, i.e. substitution and calculation carried out successively from right to left;
Step 2, generation of the signature
The encoding of a known message M is the vector (u1,…,um), denoted u; the signature is generated according to the following steps:
(2.1) producing the forward signature
(2.1a) substitute the encoding u = (u1,…,um) of message M into the inverse transformation T⁻¹ of secret key T to obtain (y1,…,ym), designated y;
(2.1b) substitute the result y into the inverse transformation Q⁻¹ of the central map Q to obtain (x1,…,xn), designated x;
(2.1c) substitute the result x into the inverse S⁻¹ of secret key S to obtain (v1,…,vn), designated v; v is then the forward signature of the encoding u of message M;
(2.2) producing the backward signature
(2.2a) substitute the result x into secret key G to obtain G(x1,…,xn) = (g1(x1,…,xn),…,gn(x1,…,xn)) = (g1,…,gn), designated g;
(2.2b) substitute the result g into the inverse S⁻¹ of secret key S to obtain , designated vg; vg is then the backward signature of the encoding u of message M;
(2.3) the cascade v||vg of the forward signature and the backward signature is the signature of the encoding u of message M;
Step 3, verification of the signature
(3.1) verification using public key P
(3.1a) substitute the forward signature v = (v1,…,vn) into public key P to obtain P(v1,…,vn) = (p1(v1,…,vn),…,pm(v1,…,vn)); the result is designated v′ = (v1′,…,vn′);
(3.1b) judge whether v′ equals the encoding u of the original message M;
(3.2) verification using public keys  and 
(3.2a) substitute the forward signature v = (v1,…,vn) into public key  to obtain ; the result is designated h = (h1,…,hn);
(3.2b) substitute the backward signature vg = (vg1,…,vgn) into public key  to obtain ; the result is designated h′ = (h1′,…,hn′);
(3.2c) judge whether h and h′ are equal;
if both (3.1b) and (3.2c) hold, v||vg is a legitimate signature of the encoding u of message M; otherwise it is an invalid signature and is rejected.
2. The multivariable signature method resisting forgery attacks according to claim 1, characterised in that in step 1, S, T and G are invertible affine transformations.
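As an added illustration of the signing and verification flow given in the description (steps (I) to (VI) and the two-stage check) and in claim 1 (example code written for this page, not the patent's own implementation), the following Python toy models the scheme over GF(7) with n = m = 3. Q, G, H, S and T are all constructed here; the public-key compositions P = T∘Q∘S, P1 = H∘G∘S and P2 = H∘S are assumptions, since the page does not reproduce them, and inverses are obtained by brute-force table lookup, which stands in for the trapdoor and says nothing about the real scheme's security.

```python
import itertools, random
P, N = 7, 3   # constructed toy parameters: field GF(7), n = m = 3 variables

def affine(mat, vec):  # x -> mat*x + vec over GF(P)
    return lambda x: tuple((sum(a * b for a, b in zip(row, x)) + c) % P
                           for row, c in zip(mat, vec))

def invert(f):  # brute-force inverse of a bijection on GF(P)^N; toy stand-in for a trapdoor
    table = {f(x): x for x in itertools.product(range(P), repeat=N)}
    if len(table) != P ** N:
        raise ValueError("map is not a bijection")
    return lambda y: table[y]

def random_affine(rng):  # random invertible affine map together with its inverse
    while True:
        mat = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        f = affine(mat, [rng.randrange(P) for _ in range(N)])
        try:
            return f, invert(f)
        except ValueError:
            continue

# Constructed quadratic maps: Q and G are triangular (invertible); H is many-to-one (one-way auxiliary)
central_Q = lambda x: (x[0], (x[1] + x[0] ** 2) % P, (x[2] + x[0] * x[1]) % P)
secret_G = lambda x: (x[2], (x[1] + x[2] ** 2) % P, (x[0] + x[1] * x[2]) % P)
oneway_H = lambda x: ((x[0] * x[1]) % P, (x[1] * x[2]) % P, (x[0] * x[2] + x[0]) % P)

def keygen(seed=2016):
    rng = random.Random(seed)
    S, S_inv = random_affine(rng)
    T, T_inv = random_affine(rng)
    sk = (S_inv, T_inv, invert(central_Q), secret_G)   # S, T, G (H only builds the public key)
    # Assumed public key (compositions not legible on the page): P = T∘Q∘S, P1 = H∘G∘S,
    # P2 = H∘S, each evaluated right to left as the claim's composition operator describes.
    pk = (lambda x: T(central_Q(S(x))),
          lambda x: oneway_H(secret_G(S(x))),
          lambda x: oneway_H(S(x)))
    return sk, pk

def sign(sk, u):
    S_inv, T_inv, Q_inv, G = sk
    x = Q_inv(T_inv(tuple(u)))   # (2.1a) y = T^-1(u), (2.1b) x = Q^-1(y)
    v = S_inv(x)                 # (2.1c) forward signature v
    vg = S_inv(G(x))             # (2.2)  backward signature vg = S^-1(G(x))
    return v + vg                # (2.3)  cascade v || vg

def verify(pk, u, sig):
    Pub, P1, P2 = pk
    v, vg = sig[:N], sig[N:]
    return Pub(v) == tuple(u) and P1(v) == P2(vg)   # (3.1b) and (3.2c) both hold
```

With those compositions, P1(v) = H(G(x)) and P2(vg) = H(g) coincide exactly when vg was derived from the same x as v, which is what the equality check (3.2c) enforces.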
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610511412.0A CN106209376B (en) | 2016-07-01 | 2016-07-01 | A kind of multivariable endorsement method for resisting forgery attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106209376A CN106209376A (en) | 2016-12-07 |
CN106209376B true CN106209376B (en) | 2017-06-23 |