CN109936458B - Lattice-based digital signature method based on multiple evidence error correction - Google Patents
Lattice-based digital signature method based on multiple evidence error correction Download PDFInfo
- Publication number
- CN109936458B CN109936458B CN201910203000.4A CN201910203000A CN109936458B CN 109936458 B CN109936458 B CN 109936458B CN 201910203000 A CN201910203000 A CN 201910203000A CN 109936458 B CN109936458 B CN 109936458B
- Authority
- CN
- China
- Prior art keywords
- params
- aux
- algorithm
- function
- steps
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims description 181
- 238000012937 correction Methods 0.000 title claims description 3
- 238000009826 distribution Methods 0.000 claims description 12
- 238000009827 uniform distribution Methods 0.000 claims description 12
- 238000012546 transfer Methods 0.000 claims description 10
- 238000012795 verification Methods 0.000 claims description 10
- 238000004364 calculation method Methods 0.000 claims description 8
- 239000000126 substance Substances 0.000 claims description 7
- 230000008569 process Effects 0.000 claims description 2
- FESBVLZDDCQLFY-UHFFFAOYSA-N sete Chemical compound [Te]=[Se] FESBVLZDDCQLFY-UHFFFAOYSA-N 0.000 claims description 2
- 230000007246 mechanism Effects 0.000 abstract description 5
- 238000013461 design Methods 0.000 abstract description 4
- 230000005540 biological transmission Effects 0.000 description 5
- 241000218378 Magnolia Species 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000013459 approach Methods 0.000 description 2
- 239000002131 composite material Substances 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- SMBQBQBNOXIFSF-UHFFFAOYSA-N dilithium Chemical compound [Li][Li] SMBQBQBNOXIFSF-UHFFFAOYSA-N 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Abstract
In the invention, a novel mechanism called evidence indistinguishable key consensus is introduced, and an efficient, modular, flexible and strong-security signature scheme is constructed based on the novel mechanism. In the design of the conventional lattice signature scheme, an example of MLWE whose public key is t ═ (t1, t0) ═ As + e. To reduce the size of the public key, only t1 may be used as the public key of the signature, and t0 may be used as a part of the private key, where t0 corresponds to the lower bits of t and t1 corresponds to the upper bits of t. In the present invention, we use the true t at the same time when signing0And several slaves t0T 'converted for obfuscation'0. The mechanism can greatly improve the signature efficiency and enhance the safety of the private key.
Description
Technical Field
The invention relates to a post-quantum lattice digital signature technology, which has important application in the aspects of ensuring the integrity of information transmission, carrying out identity authentication of an information sender and preventing repudiation in transactions.
Background
The digital signature technology is used for solving the following problems: the sender Alice signs the message M with the private key sk to obtain a signature σ. The receiver Bob authenticates the signature σ using the public key pk, and if the authentication is passed, the receiver Bob recognizes that the message M was transmitted by Alice. The method solves the problems of how to design the digital signature, ensures the integrity of information transmission, carries out identity authentication of an information sender and prevents repudiation in transaction.
With the rapid development of quantum computers, the development of quantum digital signature methods and techniques becomes increasingly urgent. In the post-quantum cryptography route, lattice-based cryptography becomes one of the mainstream technical routes of post-quantum cryptography due to the solid computational complexity foundation and the comprehensive performance advantage.
In the present invention, we introduce a novel mechanism called evidence-indistinguishable key consensus, constructing a lattice-based efficient, modular, flexible and strongly secure signature scheme named "magnolia". In the design of the conventional lattice signature scheme, an example of MLWE whose public key is t ═ (t1, t0) ═ As + e. To reduce the size of the public key, only t1 may be used as the public key of the signature, and t0 may be used as a part of the private key, where t0 corresponds to the lower bits of t and t1 corresponds to the upper bits of t. We find by analysis and experimental verification that at most 100 ten thousand signatures are required to fully recover t0 with high probability.
In the present invention, we introduce a novel evidence indistinguishable approach to protect t0. In short, we use the true t at the same time when signing0And a slave t0T 'converted for obfuscation'0. Note that it is specific to the signature verifier that it cannot distinguish (and therefore the signature is independent of) the signature process that t is0Is also t'0. This evidence-based indistinguishable approach is equivalent to recovering t from the signature seen0Introduces noise, which in turn amounts to introducing additional noise when solving the underlying MLWE problem, thereby achieving security enhancements without changing parameters. To our knowledge, there is no known method to recover t from signatures0. In other words, to recover the private key from the public key, Dilithium only provides the MLWE line of defense, hiding t0 only to reduce the public key size; and the magnolia provides two lines of defense, namely composite armor, for private key protection. More importantly, the composite armor mechanism can also greatly improve the signature efficiency. Under the same security parameters, the security of the magnolia is stronger and the signature efficiency is improved by about 1 time compared with the traditional signature method.
We do a lot of parametric test engineering work to optimize and balance performance. For example, we found by extensive testing that t is a pair0Exhibit a normal effect on the change in the number of signature cycles. Under the parameters selected by us, compared with the traditional lattice-based signature method, the signature is shorter, the signature efficiency is improved by about 1.5 times, the signature verification efficiency is better due to the use of a smaller modulus q, and the anti-counterfeiting signature security is higher.
Disclosure of Invention
The sender Alice running the method obtains the private key sk and the public parameter params, signs the message M running signature algorithm Sign (params, sk, M), obtains the signature sigma (z, c, h), and discloses the transmission signature sigma (z, c, h) to the receiver Bob running the method. Bob gets the public key pk, the message M and the signature σ to the message M as inputs, runs the verification algorithm Verify (pk, M, (z, c, h)), and gets 1/0, indicating verification pass/fail, respectively. If the authentication is passed, the recipient Bob acknowledges that the message M was sent by Alice. The method of the invention is used for solving the problem of how to design the digital signature, and has important application in the aspects of ensuring the integrity of information transmission, carrying out identity authentication of an information sender and preventing repudiation in transactions.
A lattice-based digital signature method based on key consensus; wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is an integer; the signature algorithm includes three specific algorithms: gen, Sign (-), Verify (-).
Gen is a key generation algorithm, the algorithm input contains security parameters and the output contains a public key pk and a private key sk. sign () is a signature algorithm whose inputs contain the system parameters params, the private key sk and the message M e {0,1}*Wherein {0,1}*Representing a set of 0-1 strings of arbitrary length, the output contains (z, c, h), where z ∈ Rlq,
Wherein t is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhFunction of (2), auxhIs a set of auxiliary parameters for h that may be empty. The sender Alice running the method obtains the private key sk and the public parameter params, signs the message M running signature algorithm Sign (params, sk, M), obtains the signature sigma (z, c, h), and discloses the transmission signature sigma (z, c, h) to the receiver Bob running the method. Verify (-) is a verification algorithm with inputs containing the system parameters params, public key pk, message M and signature (z, c, h), and outputs 1 or 0, indicating verification pass or fail, respectively. Bob gets the public key pk, the message M and the signature σ to the message M as inputs, runs the verification algorithm Verify (pk, M, (z, c, h)), and gets 1/0, indicating verification pass/fail, respectively. If the authentication is passed, the recipient Bob acknowledges that the message M was sent by Alice.
Lattice-based digital signature method based on multiple evidence error correctionA method; wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is a positive integer;
gen is a key generation algorithm, the algorithm input contains security parameters, the output contains a public key pk and a private key sk, and the algorithm runs as follows:
1) obtaining system parameters params ═ { q, k, d, n, m, l, aux }, wherein q, k, d, n, m, l are positive integers; aux is a set of other auxiliary system parameters that may be empty;
2) to obtain
3) To obtain
Wherein s is taken from the set
e is taken from some set which may be empty
4) To obtain
5) To obtain
Wherein
The results of the analysis with respect to t, params,
as a function of (a) or (b),
is t can be empty1A set of auxiliary parameters; to obtain
Wherein
Is about t, t1,params,
As a function of (a) or (b),
is t can be empty0,0A set of auxiliary parameters;
6) outputting a public key pk and a private key sk; wherein the public key pk comprises params, t1Generating the information required for A, auxpkWherein auxpkA set of auxiliary parameters that are public keys that may be null; the private key sk contains the information required to generate A, s, e, t0,0,auxskWherein auxskIs a set of auxiliary parameters of the private key that may be empty;
sign (·) is a signature algorithm, the inputs of which contain the system parameters params, the public key pk, the private key sk and the message μ ∈ {0,1}*Wherein {0,1}*Represents a set of 0-1 strings of arbitrary length, the output comprising (z, c, h), where
Wherein b is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhThe output result of (2) is a function of the integer, auxhIs an auxiliary parameter set of h that may be empty; the algorithm operates as follows:
1) to obtain
2) To obtain
Wherein f ise0The results of the tests relating to e, params,
as a function of (a) or (b),
is can be empty e0A set of auxiliary parameters;
3) to obtain
Wherein Transform isiIs about t0,0,params,
The transfer function of (a) is selected,
is t can be empty0,iA set of auxiliary parameters;
4) to obtain
Wherein f isΔiIs about t0,i,t0,0,params,
As a function of (a) or (b),
is a Δ which may be nulliA set of auxiliary parameters;
5) to obtain
Wherein the content of the first and second substances,
is about e0,Δi,params,
As a function of (a) or (b),
is can be empty eiA set of auxiliary parameters;
6) to obtain
Wherein y' can be a 0 vector;
7) to obtain
8) To obtain
Wherein
The relationship between the values for w, params,
as a function of (a) or (b),
is w that can be empty1A set of auxiliary parameters;
9) to obtain
Wherein
Is about w1,params,
As a function of (a) or (b),
is w 'which may be empty'1A set of auxiliary parameters;
10) to obtain c ═ H (w'1,μ,auxc) Where H is a hash function, or one-way function, or transfer function, auxcA set of auxiliary parameters that may be null c;
11) to yield z ═ fz(pk,y,s,w1,c,μ,auxz) Wherein f iszIs related to pk, y, s, w1,c,μ,auxzFunction of (2), auxzAn auxiliary parameter set of z that may be empty;
12) judgment of conditions
Whether or not it is true, wherein,
is R which may be emptyzA set of auxiliary parameters; if not, returning to the step 6), and circulating until RzIf true;
13) judgment of conditions
Is established, wherein bi∈{0,1}p‘,p′=p+1,jiIs a counter, w(i)∈RqIs the i-th dimension of w,
then respectively represent e0,e1,…,epI ═ 1, …, m; if true, the algorithm records a positive integer ji,σ(i)∈Rq(ii) a If not, returning to the step 6), and circulating until
If true;
14) to obtain sigma ═ fσ(σ(1),…,σ(m),params,auxσ) Wherein f isσIs about
Function of (2), auxσA set of auxiliary parameters that may be null σ;
15) to obtain
Wherein the content of the first and second substances,
is about
As a function of (a) or (b),
is t can be empty0A set of auxiliary parameters;
16) to obtain sigma ═ fσ′(c,t0,params,auxσ′) Wherein f isσ′Is about c, t0,params,auxσ′Function of (2), auxσ′A set of auxiliary parameters that can be null σ';
17) to obtain
Wherein f ishAre related to w, c, e0,e1,…,ep,t0,σ,σ′,y′,params,
As a function of (a) or (b),
is an auxiliary parameter set of h that may be empty;
18) judgment of conditions
Whether or not it is true, wherein,
is R which may be emptyhA set of auxiliary parameters; if not, returning to the step 6), and circulating until RhIf true;
19) outputting the signature (z, c, h);
verify (-) is a signature verification algorithm, the algorithm input contains system parameters params, public key pk, message μ and signature (z, c, h), and outputs 1 or 0, where 1 represents that signature passes and 0 represents that signature does not pass; the algorithm operates as follows:
1) to obtain
2) To obtain
Wherein
Is about h, A, z, c, t1,params,
As a function of (a) or (b),
is w that can be empty2A set of auxiliary parameters;
3) to obtain
Wherein the content of the first and second substances,
is about w2,params,
As a function of (a) or (b),
is w that can be empty2' a set of auxiliary parameters;
4) to obtain c '═ H (w'2,μ,auxc′) Where H is a hash function, or one-way function, or transfer function, auxc′A set of auxiliary parameters that may be null c';
5) judgment ofCondition
Whether or not it is true, wherein,
is R which may be emptyvA set of auxiliary parameters; if yes, 1 is output, otherwise, 0 is output.
The method as described above, wherein the algebraic ring R, RqSatisfies the relation RqR/(qR), wherein ring R is Zq[X]/(Xn+1), or Zq[X]/(Xn+Xn-1+ … +1), or Zq[X]/(Xn-1), wherein n is a positive integer.
The method as described above, wherein aux comprises a sub-set of { η, η ', ξ, ζ, γ, B', ω, σ, σ ', g, q', α, α ', p, p' }, which may be empty, wherein η, η ', ξ, ζ, γ, B', ω, σ, σ ', g, p, p' are positive integers, and p +1 ═ 2p′Or else, q ' ═ lcm (q, k) is the least common multiple of q and k, α ═ q '/q, α ═ q '/k.
The method as recited above, wherein,
compliance
And (4) upper probability distribution.
The method as described above, where Sam is an extended output function, y to S:. Sam (x) indicates that the input is x, and the value y is output in the distribution S (or a uniform distribution over the set S).
The method as described above, wherein ρ is a random seed, i.e., a random number of fixed length.
The method as above, wherein s is obedient
A uniform distribution of S, or a discrete Gaussian distribution ofηRepresenting the individual coefficients of the ring R belonging to [ - η, η [ - ]]A set of polynomials of (a);e compliance
A uniform distribution, or a discrete gaussian distribution, or e ═ 0.
The method as described above, wherein s, e can be generated with the extended output function Sam input seed when each coefficient of s, e obeys a uniform distribution over [ - η, η ] and [ - η ', η' ] respectively.
The method as recited above, wherein,
the calculating method comprises the following steps:
t1=(t-tmod±2d)/2dwherein for any integer a and positive integer b, amod±b represents falling in
Such that b | c-a, here for any real number x,
represents the largest integer less than or equal to x;
t1=(t-t mo d2d)/2dwherein a mod b represents a value falling within [0, b-1 ] for any integer a and positive integer b]Such that b | c-a.
The method as described above, wherein the information required to generate a may comprise a random seed ρ.
The method as described above, wherein auxskThe public key pk may be included.
The method as recited above, wherein,
the calculating method comprises the following steps: t is t0,0=t-t1·2d。
The method as recited above, wherein,
the calculation method comprises the following steps: handle e0Assigned a value of e, i.e. e0←e。
The method as recited above, wherein,
the calculating method comprises the following steps:
will t0,0A plurality of bits of the plurality of dimensions are flipped;
will t0,0A number of bits of a number of dimensions become 0;
will t0,0A number of bits of a number of dimensions become 1;
will t0,0A plurality of bits of a plurality of dimensions are inverted, or become 0, or become 1;
will t0,0Randomly replacing a plurality of bits of a plurality of dimensions;
the combination of the above five methods.
The method as recited above, wherein,
the calculating method comprises the following steps:
Δi=t0,i-t0,0(ii) a Or
Δi=t0,0-t0,i。
The method as recited above, wherein,
the calculating method comprises the following steps:
ei=e0-Δi(ii) a Or
ei=e0+Δi。
The method as described above, wherein t0,i,Δi,eiThe calculation of (c) is circularly generated according to the value of i.
The method as recited above, wherein,
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ;
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ'; wherein B, B ', σ, σ' are auxiliary parameters;
the method as described above, wherein y, y' can input the seed, public key pk, aux with the extended output function Samsk、auxyDeterministically generated, wherein auxyIs a collection that may be empty.
The method as recited above, wherein,
the calculation method comprises the following steps: w is a1←HighBitsq,k(w, params), wherein the HighBitsq,kIs a transfer function.
The method as described above, wherein for r ∈ Zq,HighBitsq,kThe (r, params) algorithm operates as follows:
calculating (r)1,r0) Oid, where oid is an encoding algorithm;
output r1。
If the algorithm is HighBitsq,k(. input)
And the common parameter params, means that HighBits is used separately for each coefficient in the polynomial vector wq,kAnd (4) an algorithm.
The method as described above, wherein the coding algorithm Con (-) input comprises r ∈ Z ·qAnd the common parameter params, the algorithm pair r ∈ ZqCoding based on params, output contains (r)1,r0) Wherein r is1∈Zk,r0∈ZtK is a system parameter, t is an integer; if the algorithm Con (-) inputs
And the common parameter params, means that the Con algorithm is used separately for each coefficient in the polynomial vector w.
The method as described above, wherein r0∈ZtThe value of the middle integer t comprises: t-g or t-g + 1. The method of claim 21, wherein the Con (r, params) algorithm operates as follows:
calculating sigmaA∈Zq′;
Calculating r0;
Calculating r1;
Return (r)1,r0)。
The method as described above, wherein σAThe calculating method comprises the following steps: from the set [0, alpha-1 ]]Or set of
Selecting a determined element e, and particularly, taking e as 0; calculation of σA=αr+e∈Zq′。
The method of claim 25, wherein σA=αr+e∈Zq′The calculating method comprises the following steps:
σAα r + e mod q', or
σA=αr+e mod±q′。
The method as recited above, wherein,
is about sigmaAα, α', k.
The method as described above, wherein r0The calculating method comprises the following steps:
calculating r0=σAmod±α', or
Calculating r0=σAmod α', or
Computing
Or
Computing
Or
Computing
Or
Computing
Wherein k, q are system parameters, g, α' are auxiliary parameters; for any real number a of the real numbers,
represents an integer closest to a.
The method as described above, wherein r1The calculating method comprises the following steps:
computing
Or
Computing
Or
If k, q are mutliphatic and kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0)/q,
Where k, q are system parameters and α' is an auxiliary parameter.
The method as recited above, wherein,
the calculating method comprises the following steps:
Where k, q are system parameters.
The method as described above, wherein auxcContaining pk and/or params and/or a public key certificate. The method of claim 1, wherein z ═ fz(pk,y,s,w1,c,μ,auxz) The calculating method comprises the following steps:
the method as described above, wherein the conditions
The method comprises the following steps: II z II∞<ξ, wherein ξ is an auxiliary parameter; for any a ∈ R, | a |∞Represents the maximum of the absolute values of all the coefficients of the polynomial a; for any a ═ a1,…,ab)∈RbB is a positive integer, | σ |)∞Is denoted as | ai‖∞And i is more than or equal to 1 and less than or equal to the maximum value of b.
The method of claim 1, wherein the conditions are
The judging step comprises:
selection of bi∈{0,1}p‘;
Let counter ji=bi;
Computing
Computing
Judgment of conditions
If yes, recording ji,σ(i);
Otherwise let ji=bi+1, continuing back to c) until
Is formed ofi=bi+p+1;
If ji=bi+ p +1, then the decision is made
It is not true.
The method as described above, wherein steps b) -f) can be implemented by a for loop statement.
The method of claim 34, wherein,
can be calculated by
And (4) obtaining.
The method as described above, wherein the conditions
Comprises the following steps:
and is
Where ζ is an auxiliary parameter.
The method as described above, wherein σ ═ fσ(σ(1),…,σ(m),params,auxσ) The calculating method comprises the following steps: σ ═ s (σ)(1),…,σ(m))。
The method as recited above, wherein,
the calculating method comprises the following steps:
the method as described above, wherein σ' ═ fσ′(c,t0,params,auxσ′) The calculating method comprises the following steps:
σ′=ct0;
σ′=-ct0。
the method as recited above, wherein,
the calculating method comprises the following steps:
h ═ MakeHint (- σ ', σ + σ', params), where MakeHint is a transfer function; or
h ═ makehit (σ ', σ - σ', params), or
h ═ makeglint (- σ ', σ + σ', params), or
h=MakeGHint(σ′,σ-σ′,params)。
The method as described above, wherein for Z ∈ Zq,r∈ZqThe algorithm makehit (z, r, params) is calculated as follows:
r1=HighBitsq,k(r,params);
v1=HighBitsq,k(r+z,params);
if r1=v1If yes, returning to 0; otherwise, 1 is returned.
If the algorithm MakeH int (-) inputs z',
and a common parameter params, where a is a positive integer, then
Meaning that for the polynomial vector z',
each set of corresponding coefficients in (1) is separately processed using MakeHint algorithm. The method of claim 41, wherein for Z e Zq,r∈ZqThe algorithm MakeGHint (z, r, params) is calculated as follows:
r1=HighBitsq,k(r,params);
v1=HighBitsq,k(r+z,params);
return h ═ v1-r1)mod±k or h ═ v1-r1)mod k。
If the algorithm MakeGH int (-) inputs z',
and the common parameter params, where a is a positive integer, means that for the polynomial vector z',
each set of corresponding coefficients in (1) uses the MakeGHint algorithm, respectively.
The method as described above, wherein the conditions
The method comprises the following steps: II sigma' |∞<γ and # h ≦ ω, where γ is the auxiliary parameter for h ∈ {0,1}aWhere a is a positive integer and # h denotes the number of coefficients 1 in the polynomial vector h.
The method as recited above, wherein,
the calculating method comprises the following steps:
Wherein the content of the first and second substances,
is about h, A, z, c, t1,params,
As a function of (a) or (b),
re c is the decoding function.
The method as recited above, wherein,
the calculating method comprises the following steps:
where d is a system parameter.
The method of claim 45, wherein the decoding algorithm Re c (·), the algorithm input comprises r' ∈ Z (·), andq,r0∈Ztand a system parameter params, wherein (r)1,r0)←Con(r,params),r∈Zq,|r′-r|qD ' is not more than d ', and d ' is an integer; for any integer a, | aqIs defined as min { a mod q, q-a mod q }, and min {. is defined as the minimum value; the algorithm pair r' belongs to Zq,r0∈ZtDecoding based on params, output comprising r'1Wherein r'1∈ZkK is a system parameter; r 'if the distance d' between r 'and r satisfies a certain constraint'1=r1And both parties successfully correct the error.
The method as described above, wherein Re c (r', r)0Params) includes:
The method as described above, wherein d' satisfies the relationship comprising:
(2 d' +1) k < q (1-1/g), or
(2 d' +2) k < q (1-1/g), or
(2 d' +1) k < q (1-2 τ/g), where τ is max { | c |, |1-c | }, for any real number a, | a | denotes taking the absolute value of a, max {. cndot.) is defined as taking the maximum value, or
(d' +1) k < q (1/2- τ/g), or
2 kd' < q, or
2k(d′+1)<q。
The method as described above, wherein c 'is a real number, and 0. ltoreq. c'.ltoreq.1 is satisfied.
The method as described above, wherein for h e {0,1}, r e ZqThe algorithm UseHint (h, r, params) is calculated as follows:
(r1,r0)=Con(r,params);
if h is 1 and r0>0, return (r)1+1) mod k; if h is 1 and r0<0, return (r)1-1)mod k;
Otherwise, if h is equal to 0, return r1。
The method as described above, wherein for h e {0,1}, r e ZqThe algorithm UseGHint (h, r, params) is calculated as follows:
r1=HighBits(r,params);
return (r)1+h)mod k。
The method as recited above, wherein,
the calculating method comprises the following steps:
The method as described above, wherein auxc′Containing pk and/or params and/or a public key certificate. The method of claim 1, wherein the conditions are
The method comprises the following steps: ,
c ═ c' and | z |∞<Xi, or
c ═ c' and | z |∞<Xi and # h are less than or equal to omega;
where ξ, ω are the auxiliary parameters.
The method as claimed in claim 18, wherein auxskComprising a random number seed K, auxyA counter is included for recording each signature for the second execution of step 6).
As described above, y, y' is deterministically generated by Expand (ρ, K, tr, counter), where tr is CRH (ρ, K), CRH is a collision-resistant cryptographic hash function, and Expand is a deterministic expansion function.
The method as described above, wherein b is chosen randomlyi←{0,1}p‘Or b isiIs set to {0,1}p‘Or b isiFrom { pk, ρ, K, tr, auxsk,auxyIs derived deterministically.
The method as described above, wherein biAnd simultaneously deriving the y and the y'.
As mentioned above, t is generated during the signature process0,i、Δi、eiCan be computed off-line and stored prior to signing, or part or all of it can be placed in auxskAs part of the private key.
Detailed Description
In the practical application of the inventive method, p is 1 or 3. If p is 1, the Transform function suggests a t0,0The middle bit of each dimension is overturned or replaced randomly; if p is 3 pairs t0,0The middle three bits of each dimension are flipped or randomly replaced (or both flipped and randomly replaced). When p is 1 or 3, for a post quantum security level of approximately 128-bits, the specific parameters proposed are as follows:
for the above specific parameters, the Transform function suggests a t-pair when p is 10,0The low-order 5 th bit of each dimension is overturned or randomly replaced; if p is 3 pairs t0,0The three bits between the 5 th, 6 th and 7 th bits of each dimension are inverted or randomly replaced (or a combination of the two).
The following description of the embodiments of Gen, Sign (-), Verify (-), Con (-), and HighBits (-) is given when p is 1. The specific embodiment can be simply extended to the case where p is 3.
Gen:
1) Obtaining system parameters params ═ { q, k, d, n, m, l, aux }, wherein q, k, d, n, m, l are integers; aux is a set of other auxiliary system parameters that may be empty;
2)ρ←{0,1}256;
3)
4)
5)
6)t1=(t-tmod±2d)/2d;
7)t0,0=t-t1·2d
8)K←{0,1}256;
9)tr=CRH(ρ||t1)∈{0,1}384where | is a string connector;
10) output pk ═ p, t1,params,auxpk),sk=(s,e,t0,0,auxsk={K,tr},ρ);
Sign(params,pk,sk,μ)-1:
Sign(params,sk,μ)-2:
Verify(pk,μ,(z,c,h)):
1)
2)w2=UseH int(h,Az-ct1·2d,params);
3)
4)c′=H(ρ,t1,w′2,μ)
5) If c ═ c' and | z | |)∞<Xi and the number of 1 in h is less than or equal to omega, 1 is output; otherwise, outputting 0;
Con(r,params):
1)r0=krmod±q;
2) if kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0)/q;
3) Return (r)1,r0)。
Highbits(r,params):
1)(r1,r0)←Con(r,params);
2) Return r1。
Claims (60)
1. A lattice-based digital signature method based on multiple evidence error correction; wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is a positive integer;
gen is a key generation algorithm, the algorithm input contains security parameters, the output contains a public key pk and a private key sk, and the algorithm runs as follows:
1) obtaining system parameters params ═ { q, k, d, n, m, l, aux }, wherein q, k, d, n, m, l are positive integers; aux is a set of other auxiliary system parameters that may be empty;
2) to obtain
3) To obtain
Wherein s is taken from the set
e is taken from some set which may be empty
4) To obtain
5) To obtain
Wherein
Is about
As a function of (a) or (b),
is t can be empty1A set of auxiliary parameters; to obtain
Wherein
Is offAt t, t1,params,
As a function of (a) or (b),
is t can be empty0,0A set of auxiliary parameters;
6) outputting a public key pk and a private key sk; wherein the public key pk comprises params, t1Generating the information required for A, auxpkWherein auxpkA set of auxiliary parameters that are public keys that may be null; the private key sk contains the information required to generate A, s, e, t0,0,auxskWherein auxskIs a set of auxiliary parameters of the private key that may be empty;
sign (·) is a signature algorithm, the inputs of which contain the system parameters params, the public key pk, the private key sk and the message μ ∈ {0,1}*Wherein {0,1}*Represents a set of 0-1 strings of arbitrary length, the output comprising (z, c, h), where
c∈R,
Wherein b is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhThe output result of (2) is a function of the integer, auxhIs an auxiliary parameter set of h that may be empty; the algorithm operates as follows:
1) to obtain
2) To obtain
Wherein
Is aboute,params,
As a function of (a) or (b),
is can be empty e0A set of auxiliary parameters;
3) to obtain
Wherein Transform isiIs about
The transfer function of (a) is selected,
is t can be empty0,iA set of auxiliary parameters;
4) to obtain
Wherein
Is about t0,i,t0,0,params,
As a function of (a) or (b),
is a Δ which may be nulliA set of auxiliary parameters;
5) to obtain
i-1, … p, wherein,
is about e0,Δi,params,
As a function of (a) or (b),
is can be empty eiA set of auxiliary parameters;
6) to obtain
Wherein y' can be a 0 vector;
7) to obtain
8) To obtain
Wherein
The relationship between the values for w, params,
as a function of (a) or (b),
is w that can be empty1A set of auxiliary parameters;
9) to obtain
Wherein
Is about w1,params,
As a function of (a) or (b),
is w 'which may be empty'1A set of auxiliary parameters;
10) to obtain c ═ H (w'1,μ,auxc) Where H is a hash function, or one-way function, or transfer function, auxcA set of auxiliary parameters that may be null c;
11) to yield z ═ fz(pk,y,s,w1,c,μ,auxz) Wherein f iszIs related to pk, y, s, w1,c,μ,auxzFunction of (2), auxzAn auxiliary parameter set of z that may be empty;
12) judgment of conditions
Whether or not it is true, wherein,
is R which may be emptyzA set of auxiliary parameters; if not, returning to the step 8), and circularly running until RzIf true;
13) judgment of conditions
Is established, wherein bi∈{0,1}p’,p′=p+1,jiIs a counter, w(i)∈RqIs the i-th dimension of w,
then respectively represent e0,e1,…,epI ═ 1, …, m; if true, the algorithm records a positive integer ji,σ(i)∈Rq(ii) a If not, returning to the step 8), and circulating until
If true;
14) to obtain sigma ═ fσ(σ(1),…,σ(m),params,auxσ) Wherein f isσIs about sigma(1),…,σ(m),params,
Function of (2), auxσA set of auxiliary parameters that may be null σ;
15) to obtain
Wherein the content of the first and second substances,
is about t0,1,…,t0,p,j1,…jm,params,
As a function of (a) or (b),
is t can be empty0A set of auxiliary parameters;
16) to obtain sigma ═ fσ′(c,t0,params,auxσ′) Wherein f isσ′Is about c, t0,params,auxσ′Function of (2), auxσ′A set of auxiliary parameters that can be null σ';
17) to obtain
Wherein f ishAre related to w, c, e0,e1,…,ep,t0,σ,σ′,y′,params,
As a function of (a) or (b),
is an auxiliary parameter set of h that may be empty;
18) judgment of conditions
Whether or not it is true, wherein,
is R which may be emptyhA set of auxiliary parameters; if not, returning to the step 6), and circulating until RhIf true;
19) outputting the signature (z, c, h);
verify (-) is a signature verification algorithm, the algorithm input contains system parameters params, public key pk, message μ and signature (z, c, h), and outputs 1 or 0, where 1 represents that signature passes and 0 represents that signature does not pass; the algorithm operates as follows:
1) to obtain
2) To obtain
Wherein
Is about h, A, z, c, t1,params,
As a function of (a) or (b),
is w that can be empty2A set of auxiliary parameters;
3) to obtain
Wherein the content of the first and second substances,
is about w2,params,
As a function of (a) or (b),
is w 'which may be empty'2A set of auxiliary parameters;
4) to obtain c '═ H (w'2,μ,auxc′) Where H is a hash function, or one-way function, or transfer function, auxc′A set of auxiliary parameters that may be null c';
5) judgment of conditions
Whether or not it is true, wherein,
is R which may be emptyvA set of auxiliary parameters; if yes, 1 is output, otherwise, 0 is output.
2. The method of claim 1, wherein the algebraic ring R, RqSatisfies the relation RqR/(qR), wherein ring R is Zq[X]/(Xn+1), or Zq[X]/(Xn+Xn-1+ … +1), or Zq[X]/(Xn-1), wherein n is a positive integer.
3. The method of claim 1, wherein aux comprises a subset of { η, η ', ξ, ζ, γ, B', ω, σ, σ ', g, q', α, α ', p, p' }, which may be empty, wherein η, η ', ξ, ζ, γ, B', ω, σ, σ ', g, p, p' are positive integers, and p +1 ═ 2p′Or else, q ' ═ lcm (q, k) is the least common multiple of q and k, α ═ q '/q, α ═ q '/k.
4. The method of claim 1, wherein,
compliance
And (4) upper probability distribution.
5. The method of claim 4, wherein Sam is an extended output function, y-S: ═ Sam (x) denotes an input of x, and values y are output with a uniform distribution over the distribution S or set S.
6. The method of claim 4, wherein p is a random seed, a random number of fixed length.
7. The method of claim 1, wherein s is obedient
A uniform distribution of S, or a discrete Gaussian distribution ofηRepresenting the individual coefficients of the ring R belonging to [ - η, η [ - ]]A set of polynomials of (a); e compliance
A uniform distribution, or a discrete gaussian distribution, or e ═ 0.
8. The method of claim 1, wherein s, e can be generated with a spread output function Sam input seed when each coefficient of s, e obeys a uniform distribution over [ - η, η ] and [ - η ', η' ] respectively.
9. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)t1=(t-t mod±2d)/2dwhereinFor any integer a and positive integer b, a mod±b represents falling in
Such that b | (c-a), here for any real number x,
represents the largest integer less than or equal to x;
2)t1=(t-t mod 2d)/2dwherein a mod b represents a value falling within [0, b-1 ] for any integer a and positive integer b]C, such that b | (c-a).
10. The method of claim 1, wherein the information required to generate a may comprise a random seed p.
11. The method of claim 1, wherein auxskMay contain the public key pk or t1。
12. The method of claim 1, wherein,
the calculating method comprises the following steps: t is t0,0=t-t1·2d。
13. The method of claim 1, wherein,
the calculation method comprises the following steps: handle e0Assigned a value of e, i.e. e0←e。
14. The method of claim 1, wherein,
the calculating method comprises the following steps:
1) will t0,0A plurality of bits of the plurality of dimensions are flipped;
2) will t0,0A number of bits of a number of dimensions become 0;
3) will t0,0A number of bits of a number of dimensions become 1;
4) will t0,0A plurality of bits of a plurality of dimensions are inverted, or become 0, or become 1;
5) will t0,0Randomly replacing a plurality of bits of a plurality of dimensions;
6) the combination of the above five methods.
15. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)Δi=t0,i-t0,0(ii) a Or
2)Δi=t0,0-t0,i。
16. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)ei=e0-Δi(ii) a Or
2)ei=e0+Δi。
17. The method of claim 1, wherein t is0,i,Δi,eiThe calculation of (c) is circularly generated according to the value of i.
18. The method of claim 1, wherein,
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ;
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ'; where B, B ', σ, σ' are auxiliary parameters.
19. The method of claim 18, wherein y, y' may input a seed, a public key pk, aux with an extended output function Samsk、auxyIs deterministically generated, wherein auxyIs a collection that may be empty.
20. The method of claim 1, wherein,
the calculation method comprises the following steps: w is a1←HighBitsq,k(w, params), wherein the HighBitsq,kIs a transfer function.
21. The method of claim 20, wherein for r e Zq,HighBitsq,kThe (r, params) algorithm operates as follows:
1) calculating (r)1,r0) Oid, where oid is an encoding algorithm;
2) output r1,
If the algorithm is HighBitsq,k(. input)
And the common parameter params, means that HighBits is used separately for each coefficient in the polynomial vector wq,kAnd (4) an algorithm.
22. The method of claim 21, wherein the coding algorithm Con (-) input comprises r e ZqAnd the common parameter params, the algorithm pair r ∈ ZqCoding based on params, output contains (r)1,r0) Wherein r is1∈Zk,r0∈ZtK is a system parameter, t is an integer; if the algorithm Con (-) inputs
And the common parameter params, means that the Con algorithm is used separately for each coefficient in the polynomial vector w.
23. The method of claim 22, wherein r0∈ZtThe value of the middle integer t comprises: t-g or t-g + 1.
24. The method of claim 21, wherein the Con (r, params) algorithm operates as follows:
1) calculating sigmaA∈Zq′;
2) Calculating r0;
3) Calculating r1;
4) Return (r)1,r0)。
25. The method of claim 24, wherein σAThe calculating method comprises the following steps: from the set [0, alpha-1 ]]Or set of
Selecting a determined element e, and particularly, taking e as 0; calculating sigmaA=αr+e∈Zq′。
26. The method of claim 25, wherein σA=αr+e∈Zq′Meter (2)The calculation method comprises the following steps:
1)σAα r + e mod q', or
2)σA=αr+e mod±q′。
27. The method of claim 24, wherein,
is about sigmaAα, α', k.
28. The method of claim 27, wherein r0The calculating method comprises the following steps:
1) calculating r0=σAmod±α', or
2) Calculating r0=σAmod α', or
3) Computing
Or
4) Computing
Or
5) Computing
Or
6) Computing
Wherein k, q are system parameters, g, α' are auxiliary parameters; for any real number a of the real numbers,
represents an integer closest to a.
29. The method of claim 27, wherein r1The calculating method comprises the following steps:
1) computing
Or
2) Computing
Or
3) If k, q are mutliphatic and kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0) And/q, wherein k and q are system parameters, and alpha' is an auxiliary parameter.
30. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)
or
2)
Where k, q are system parameters.
31. The method of claim 1, wherein auxcContaining all or part of the information of pk and/or params and/or public key certificate.
32. The method of claim 1, wherein z ═ fz(pk,y,s,w1,c,μ,auxz) The calculating method comprises the following steps:
33. the method of claim 1, wherein the conditions are
The method comprises the following steps: II z II∞< xi, where xi is an auxiliary parameter; for any a ∈ R, | a |∞Represents the maximum of the absolute values of all the coefficients of the polynomial a; for any a ═ a1,…,ab)∈RbB is a positive integer, | a |)∞Is denoted as | ai‖∞And i is more than or equal to 1 and less than or equal to the maximum value of b.
34. The method of claim 1, wherein the conditions are
The judging step comprises:
a) selection of bi∈{0,1}p’;
b) Let counter ji=bi;
c) Computing
d) Computing
e) Judgment of conditions
If yes, recording ji,σ(i)(ii) a Otherwise let ji=bi+1, continuing back to c) until
Is formed ofi=bi+p+1;
f) If ji=bi+ p +1, then the decision is made
It is not true.
35. The method of claim 34, wherein steps b) -f) are implemented by a for loop statement.
36. The method of claim 34, wherein,
can be calculated by
And (4) obtaining.
37. The method of claim 34, wherein the conditions
Comprises the following steps:
and is
Where ζ is an auxiliary parameter.
38. The method of claim 1, wherein σ ═ fσ(σ(1),…,σ(m),params,auxσ) The calculating method comprises the following steps: σ ═ s (σ)(1),…,σ(m))。
39. The method of claim 1, wherein,
the calculating method comprises the following steps:
40. the method of claim 1, wherein σ' ═ fσ′(c,t0,params,auxσ′) The calculating method comprises the following steps:
1)σ′=ct0;
2)σ′=-ct0。
41. the method of claim 1, wherein,
the calculating method comprises the following steps:
1) h ═ MakeHint (- σ ', σ + σ', params), where MakeHint is a transfer function; or
2) h ═ makehit (σ ', σ - σ', params), or
3) h ═ makeglint (- σ ', σ + σ', params), or
4)h=MakeGHint(σ′,σ-σ′,params)。
42. The method of claim 41, wherein for Z e Zq,r∈ZqThe algorithm makehit (z, r, params) is calculated as follows:
1)r1=HighBitsq,k(r,params);
2)v1=HighBitsq,k(r+z,params);
3) if r1=v1If yes, returning to 0; otherwise, the process returns to 1,
if the algorithm makeHint (-) is input
And the common parameter params, where a is a positive integer, means for a polynomial vector
Each set of corresponding coefficients in (1) is separately processed using MakeHint algorithm.
43. The method of claim 41, wherein for Z e Zq,r∈ZqThe algorithm MakeGHint (z, r, params) is calculated as follows:
1)r1=HighBitsq,k(r,params);
2)v1=HighBitsq,k(r+z,params);
3) return h ═ v1-r1)mod±k or h ═ v1-r1)mod k,
If the algorithm makeGH int (-) inputs
And the common parameter params, where a is a positive integer, means for a polynomial vector
Each set of corresponding coefficients in (1) uses the MakeGHint algorithm, respectively.
44. The method of claim 1, wherein the conditions are
The method comprises the following steps: II sigma' |∞< gamma and # h ≦ ω, where gamma is an auxiliary parameter for h ∈{0,1}aWhere a is a positive integer and # h denotes the number of coefficients 1 in the polynomial vector h.
45. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)
or
2)
Or
3)
Wherein the content of the first and second substances,
is about h, A, z, c, t1,params,
As a function of (a) or (b),
re c is the decoding function.
46. The method of claim 45, wherein,
the calculating method comprises the following steps:
where d is a system parameter.
47. The method of claim 45, wherein the decoding algorithm Rec (·), the algorithm input contains r' ∈ Zq,r0∈ZtAnd a system parameter params, wherein (r)1,r0)←Con(r,params),r∈Zq,|r′-r|qD ' is not more than d ', and d ' is an integer; for any integer a, | aqIs defined as min { a mod q, q-a mod q }, and min {. is defined as the minimum value; the algorithm pair r' belongs to Zq,r0∈ZtDecoding based on params, output comprising r'1Wherein r'1∈ZkK is a system parameter; r 'if the distance d' between r 'and r satisfies a certain constraint'1=r1And both parties successfully correct the error.
48. The method of claim 47, wherein Rec (r', r)0Params) includes:
1)
or
2)
Or
3)
Where c' is a real number.
49. The method of claim 47, wherein d' satisfies the relationship comprising:
1) (2 d' +1) k < q (1-1/g), or
2) (2 d' +2) k < q (1-1/g), or
3) (2 d' +1) k < q (1-2 τ/g), where τ is max { | c |, |1-c | }, for any real number a, | a | denotes taking the absolute value of a, max {. cndot.) is defined as taking the maximum value, or
4) (d' +1) k < q (1/2- τ/g), or
5)2 kd' < q, or
6)2k(d′+1)<q。
50. The method of claim 48, wherein c' is a real number, satisfying 0 ≦ c ≦ 1.
51. The method of claim 45, wherein for h e {0,1}, r e ZqThe algorithm UseHint (h, r, params) is calculated as follows:
1)(r1,r0)=Con(r,params);
2) if h is 1 and r0> 0, back (r)1+1) mod k; if h is 1 and r0< 0, return (r)1-1) mod k; otherwise, if h is equal to 0, return r1。
52. The method of claim 45, wherein for h e {0,1}, r e ZqThe algorithm UseGHint (h, r, params) is calculated as follows:
1)r1=HighBits(r,params);
2) return (r)1+h)mod k。
53. The method of claim 1, wherein,
the calculating method comprises the following steps:
1)
or
2)
54. The method of claim 1, wherein auxc′Containing pk and/or params and/or a public key certificate.
55. As claimed in claim1, wherein the conditions
The method comprises the following steps: ,
1) c ═ c' and | z |∞< xi, or
2) c ═ c' and | z |∞Xi is less than and # h is less than or equal to omega;
where ξ, ω are the auxiliary parameters.
56. The method of claim 19, the method of claim 18, wherein auxskComprising a random number seed K, auxyA counter is included for recording each signature for the second execution of step 6).
57. The method of claim 56, wherein y, y' is deterministically generated by Expand (p, K, tr, counter), wherein tr is CRH (p, K), CRH is a collision-resistant cryptographic hash function, and Expand is a deterministic expansion function.
58. The method of claim 34, wherein b is chosen randomlyi←{0,1}p’Or b isiIs set to {0,1}p’Or b isiFrom { pk, ρ, K, tr, auxsk,auxyIs derived deterministically.
59. The method of claim 58, wherein biAnd simultaneously deriving the y and the y'.
60. The method of claim 1, wherein t is generated during the signature process0,i、Δi、eiCan be computed off-line and stored prior to signing, or part or all of it can be placed in auxskAs part of the private key.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910203000.4A CN109936458B (en) | 2019-03-18 | 2019-03-18 | Lattice-based digital signature method based on multiple evidence error correction |
| PCT/CN2019/112512 WO2020186750A1 (en) | 2019-03-18 | 2019-10-22 | Multi-evidence error correction-based lattice-based digital signature method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910203000.4A CN109936458B (en) | 2019-03-18 | 2019-03-18 | Lattice-based digital signature method based on multiple evidence error correction |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109936458A CN109936458A (en) | 2019-06-25 |
| CN109936458B true CN109936458B (en) | 2022-04-26 |
Family
ID=66987344
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910203000.4A Active CN109936458B (en) | 2019-03-18 | 2019-03-18 | Lattice-based digital signature method based on multiple evidence error correction |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109936458B (en) |
| WO (1) | WO2020186750A1 (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109936458B (en) * | 2019-03-18 | 2022-04-26 | 上海扈民区块链科技有限公司 | Lattice-based digital signature method based on multiple evidence error correction |
| CN112910649A (en) * | 2019-12-04 | 2021-06-04 | 深圳奥联信息安全技术有限公司 | Dilithium algorithm implementation method and device |
| CN112217629B (en) * | 2020-10-13 | 2022-07-22 | 安徽大学 | Cloud storage public auditing method |
| CN113037484B (en) * | 2021-05-19 | 2021-08-24 | 银联商务股份有限公司 | Data transmission method, device, terminal, server and storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7237116B1 (en) * | 2000-01-19 | 2007-06-26 | International Business Machines Corporation | Digital signature system and method based on hard lattice problem |
| CN101997683A (en) * | 2009-08-10 | 2011-03-30 | 北京多思科技发展有限公司 | Method and device for authenticating zero knowledge proof |
| CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
| CN103986576A (en) * | 2014-04-18 | 2014-08-13 | 深圳大学 | Proxy signature method and system based on lattice |
| CN104009847A (en) * | 2014-05-14 | 2014-08-27 | 国家电网公司 | Big data storage integrity verification method based on lattices |
| WO2015030553A1 (en) * | 2013-08-30 | 2015-03-05 | 고려대학교 산학협력단 | Lattice-based certificateless signature system and method |
| CN107592203A (en) * | 2017-09-25 | 2018-01-16 | 深圳技术大学筹备办公室 | A kind of aggregate signature method and its system based on lattice |
| CN107947944A (en) * | 2017-12-08 | 2018-04-20 | 安徽大学 | A kind of increment endorsement method based on lattice |
| CN108989031A (en) * | 2018-07-27 | 2018-12-11 | 上海扈民区块链科技有限公司 | A kind of more bit error correction coding-decoding methods |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20120071884A (en) * | 2010-12-23 | 2012-07-03 | 한국전자통신연구원 | Ring signature method based on lattices |
| WO2012098543A2 (en) * | 2011-01-18 | 2012-07-26 | Fortress Gb Ltd. | System and method for computerized negotiations based on coded integrity |
| CN105791321A (en) * | 2016-05-03 | 2016-07-20 | 西南石油大学 | Cloud storage data common auditing method possessing secret key leakage resistance characteristic |
| CN109936458B (en) * | 2019-03-18 | 2022-04-26 | 上海扈民区块链科技有限公司 | Lattice-based digital signature method based on multiple evidence error correction |
-
2019
- 2019-03-18 CN CN201910203000.4A patent/CN109936458B/en active Active
- 2019-10-22 WO PCT/CN2019/112512 patent/WO2020186750A1/en active Application Filing
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7237116B1 (en) * | 2000-01-19 | 2007-06-26 | International Business Machines Corporation | Digital signature system and method based on hard lattice problem |
| CN101997683A (en) * | 2009-08-10 | 2011-03-30 | 北京多思科技发展有限公司 | Method and device for authenticating zero knowledge proof |
| CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
| WO2015030553A1 (en) * | 2013-08-30 | 2015-03-05 | 고려대학교 산학협력단 | Lattice-based certificateless signature system and method |
| CN103986576A (en) * | 2014-04-18 | 2014-08-13 | 深圳大学 | Proxy signature method and system based on lattice |
| CN104009847A (en) * | 2014-05-14 | 2014-08-27 | 国家电网公司 | Big data storage integrity verification method based on lattices |
| CN107592203A (en) * | 2017-09-25 | 2018-01-16 | 深圳技术大学筹备办公室 | A kind of aggregate signature method and its system based on lattice |
| CN107947944A (en) * | 2017-12-08 | 2018-04-20 | 安徽大学 | A kind of increment endorsement method based on lattice |
| CN108989031A (en) * | 2018-07-27 | 2018-12-11 | 上海扈民区块链科技有限公司 | A kind of more bit error correction coding-decoding methods |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109936458A (en) | 2019-06-25 |
| WO2020186750A1 (en) | 2020-09-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109936458B (en) | Lattice-based digital signature method based on multiple evidence error correction | |
| Campanelli et al. | Zero-knowledge contingent payments revisited: Attacks and payments for services | |
| CN110971405B (en) | SM2 signing and decrypting method and system with cooperation of multiple parties | |
| CN102263638B (en) | Authenticating device, authentication method and signature generation device | |
| CN112989368B (en) | Method and device for processing private data by combining multiple parties | |
| Wei et al. | SecCloud: Bridging secure storage and computation in cloud | |
| CN107196763A (en) | SM2 algorithms collaboration signature and decryption method, device and system | |
| CN110933045A (en) | Block chain digital asset privacy protection method based on commitment | |
| US11349648B2 (en) | Pre-calculation device, method, computer-readable recording medium, vector multiplication device, and method | |
| CN113111373B (en) | Random number generation method of VBFT (visual basic FT) consensus mechanism and consensus mechanism system | |
| JPWO2005071881A1 (en) | Mix net system | |
| JP4835831B2 (en) | Method and apparatus for computing a function from multiple inputs | |
| Yuen | PAChain: private, authenticated & auditable consortium blockchain and its implementation | |
| EP3864794B1 (en) | Linking transactions | |
| US20210279341A1 (en) | Cryptographic security system, method, and program product using data partitioning | |
| CN106789087A (en) | Determine the data summarization of message, the method and system based on multi-party digital signature | |
| CN113424492A (en) | More efficient post-quantum signatures | |
| CN114666032A (en) | Block chain transaction data privacy protection method based on homomorphic encryption | |
| CN109687969B (en) | Lattice-based digital signature method based on key consensus | |
| CN110266479A (en) | It is a kind of that encryption method is denied based on the two-way of the fault-tolerant problem concerning study of mould | |
| Adelsbach et al. | Overcoming the obstacles of zero-knowledge watermark detection | |
| CN107465508A (en) | A kind of method, system and the equipment of software and hardware combining construction true random number | |
| CN112087296A (en) | Lattice-based digital signature method based on evidence indistinguishable key consensus | |
| JP5227816B2 (en) | Anonymous signature generation device, anonymous signature verification device, anonymous signature tracking determination device, anonymous signature system with tracking function, method and program thereof | |
| Tamil Selvi et al. | Post‐Quantum Cryptosystems for Blockchain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40008162 Country of ref document: HK |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220816 Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438 Patentee after: Zhao Yunlei Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156 Patentee before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240104 Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District Patentee after: FUDAN University Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438 Patentee before: Zhao Yunlei |