RU2369974C1 - Method for generation and authentication of electronic digital signature that certifies electronic document - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: invention is related to the field of cryptographic devices of electronic digital signature (EDS). Substance of invention consists in the fact that method for generation and authentication of EDS includes the following sequence of actions: secret key is generated in the form of multi-digit binary number (MBN) x, secret key is used to generate open key Y in the form of MBN size vector m, where 2≤m<64, electronic document (ED) is received, represented by MBN H, depending on received electronic document and on value of secret key, EDS Q is generated in the form of two MBNs, depending on EDS, ED and open key, the first A and second B authenticating MBN are generated, MBN A and B are compared. When they parametres coincide, conclusion is made on authenticity of electronic digital signature.

EFFECT: higher efficiency of electronic digital signature (EDS) algorithms without reduction of its resistance level.

5 cl, 10 tbl, 4 ex, 1 app

Description

The invention relates to the field of telecommunications and computer technology, and more particularly to the field of cryptographic authentication methods for electronic messages transmitted over telecommunication networks and computer networks, and can be used in electronic message systems (documents) certified by electronic digital signature (EDS) presented in as a multi-bit binary number (MDC). Hereinafter, MDC means an electromagnetic signal in binary digital form, the parameters of which are: the number of bits and the order of their unit and zero values ( ^{1) the} interpretation of the terms used in the description is given in Appendix 1).

A known method of formation and verification of electronic digital signature, proposed in US patent No. 4405829 from 09/20/1983 and described in detail also in books 1. M.A. Ivanov. Cryptography. M., KUDITS-IMAGE, 2001; 2. A.G. Rostovtsev, E.B. Makhovenko. Introduction to public key cryptography. St. Petersburg: Peace and Family, 2001. - p. 43. The known method consists in the following sequence of actions:

form a secret key in the form of three simple MDC p, q and d, form a public key (n, e) in the form of a pair of MDC n and e, where n is a number representing the product of two simple MDC p and q, and e is a MDC, satisfying the condition ed = 1 mod (p-1) (q-1), an electronic document (ED) submitted by MDC H is received,

depending on the value of H and the value of the secret key, the digital signature is formed in the form of MDC Q = S = H ^d mod n;

form the first verification MDC A = H;

form the second verification MDC B, for which MDC S is raised to an integer power e modulo n: B = S ^e mod n;

comparing the generated verification MDC A and B,

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of this method is the relatively large size of the signature and the need to increase the size of the signature when developing new, more efficient methods for decomposing the number n into factors or with an increase in the productivity of modern computing devices. This is because the value of the signature element S is calculated by performing arithmetic operations modulo n, and the stability of the digital signature is determined by the complexity of the decomposition of the module n into factors p and q.

There is also a known method of forming and verifying the authenticity of the digital signature of El-Gamal, described in the book by Moldovyan A.A., Moldovyan N.A., Sovetov B.Ya. Cryptography. - St. Petersburg, Doe, 2000. - p.156-159, which includes the following actions:

form a simple MDC p and a binary number G, which is a primitive root modulo p, generate a secret key in the form of MDC x, depending on the secret key form a public key in the form of MDC Y = G ^x mod p, take the ED presented in the form of MDC H , depending on H and the secret key, the EDS Q is formed in the form of two MDC S and R, that is, Q = (S, R);

carry out a digital signature authentication procedure, including calculating two control parameters using the original MDC p, G, Y, H, and S by raising the MDC G, Y, R to a discrete degree modulo p and comparing the calculated control parameters;

when the values of the control parameters coincide, they conclude that the digital signature is authentic.

The disadvantage of this method is also the relatively large size of the EDS. This is because the values of the signature elements S and R are calculated by performing arithmetic operations modulo p-1 and modulo p, respectively.

There is also a known method of forming and verifying EDS, proposed in US patent No. 4995089 of 02.19.1991. The known method consists in the following sequence of actions:

form a simple MDC p, such that p = Nq + 1, where q is a simple MDC;

form a simple MDC a, such that a ≠ 1 and a ^q mod p = 1;

by generating a random equiprobable sequence generate a secret key in the form of MDC x;

form a public key in the form of MDC y according to the formula y = a ^x mod p;

accept ED submitted by MDC M;

form an EDS in the form of a pair of MDC (e, s), for which a random MDC t is generated, form a MDC R according to the formula R = a ^t mod p, form a MDC e = f (M || R), where the sign || denotes the operation of joining two MDCs and f is some specified hash function whose value has a fixed length (usually 160 or 256 bits), regardless of the size of the argument, i.e. from the size of the MDC M || R, and then form the MDC s according to the formula s = (t-ex) mod q;

form the first verification MDC A, for which MDC R 'is generated according to the formula R' = a ^s y ^e mod p and form the MDC A = f (M || R ');

form the second verification MDC In by copying MDC e: B = e;

comparing the generated verification MDC A and B;

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of the method according to US patent is the relatively high computational complexity of the procedure for the formation and verification of the digital signature, which is due to the fact that to ensure the minimum required level of resistance it is required to use a simple module with a bit capacity of at least 1024 bits.

Closest in technical essence to the claimed one is the well-known method of forming and verifying the authenticity of the digital signature, proposed by the Russian standard GOST R 34.10-2001 and described, for example, in the book of B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M., Hot line - Telecom, 2005 .-- 229 p. (see p.110-111), according to which the digital signature is formed as a pair of MDC r and s, for which an elliptic curve (EC) is generated as a set of points, each point being represented by two coordinates in a Cartesian coordinate system as two MDCs, called abscissa (x) and ordinate (y), then they carry out operations to generate EC points, add EC points and multiply the EC points by a number, as well as arithmetic operations on the MDC, after which MDC r and s are formed as a result of the performed operations. The indicated operations on points are performed as operations on the MDC, which are the coordinates of the points, according to well-known formulas [B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M., Hot line - Telecom, 2005 .-- 229 p. (see p. 110-111)]. The operation of adding two points A and B with the coordinates (x _A , y _A ) and (x _B , y _B ), respectively, is performed according to the formulas:

x _C = k ² -x _A -x _B mod p and y _C = k (x _A -x _C ) -y _A mod p,

, если точки А и В не равны, и

если точки А и В равны. Операция умножения точки А на натуральное число n определяется как многократное сложение точки А:Where

if points A and B are not equal, and

if points A and B are equal. The operation of multiplying point A by a natural number n is defined as the multiple addition of point A:

nA = A + A + ... + A (n times).

The result of multiplying any EC point by zero determines a point called an infinitely distant point and denoted by the letter O. Two points A = (x, y) and -A = (x, -y) are called opposite. Multiplication by a negative integer -n is defined as follows: (-n) A = n (-A). By definition, it is assumed that the sum of two opposite points is equal to the infinitely distant point O.

In the prototype, i.e. in the method of forming and verifying the authenticity of digital signatures according to GOST R 34.10-2001, they generate an EC described by the equation y ² = x ³ + ax + b mod p, therefore, the generation of an EC consists in the generation of numbers a, b and p, which are EC parameters and uniquely defining a set of points EC, abscissa and ordinate of each of which satisfies the specified equation. The closest analogue (prototype) is to perform the following sequence of actions:

generate an elliptic curve (EC), which is a collection of MDC pairs, called EC points and having certain properties (see Appendix 1, paragraphs 15-19);

by generating a random equiprobable sequence generate secret keys in the form of MDC k ₁ , k ₂ , ..., k _n ;

form public keys in the form of EC points P ₁ , P ₂ , ..., P _n , for which a point G is generated having an order value equal to q (the order of an EC point is the smallest positive integer q, such that the result of multiplying this point by a number q is the so-called infinitely distant point O; the result of multiplying any EC point by zero by definition is the point O [B.Ya. Ryabko, AN Fionov. Cryptographic methods of information protection. M., Hot line - Telecom, 2005. - 229 pp. (See pp. 97-130)]; see also Appendix 1, paragraphs 15-19), and generate public keys Uteem G MDCH point multiplication by k _1, k _2, ..., k _n, i.e. form public keys according to the formulas P ₁ = k ₁ G, P ₂ = k ₂ G, ..., P _n = k _n G;

accept ED submitted by MDCH N;

generating a random MDC 0 <t <q, according to which a point R is formed according to the formula R = tG;

form an EDS Q in the form of a pair of MDC (r, s), for which MDC r is generated by the formula r = x _R mod q, where x _R is the abscissa of the point R, and then MDC s is generated by the formula s = (tH + rk _i ) mod q, where 1≤i≤n;

form the first verification MDC A, for which MDC v is generated by the formula v = sH ^-1 mod q and MDC w by the formula w = (q-rH ^-1 ) mod q, then the point R 'is generated by the formula R' = vG + wP _i , after which MDC A is obtained by the formula A = x _{R '} mod q, where x _R' is the abscissa of the point R ';

form the second verification MDC B by copying the MDC r: B = r;

comparing the generated verification MDC A and B;

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of the closest analogue is the relatively low productivity of the procedure for generating and checking the digital signature, which is due to the fact that performing operations on EC points includes the operation of dividing the MDC modulo a simple MDC, which requires a runtime more than 10 times the duration of the multiplication operation .

The aim of the invention is to develop a method for generating and verifying the authenticity of an electronic digital signature that certifies an electronic signature free of the division operation modulo a simple MDC, thereby increasing the productivity of the procedures for generating and verifying an electronic digital signature.

This goal is achieved by the fact that in the known method of generating and verifying the authenticity of an electronic digital signature verifying an ED, which consists in generating a secret key in the form of MDC x, using the secret key, they form a public key Y in the form of more than one MDC, and the ED presented by the MDC is received N, depending on the received ED and on the value of the secret key, an EDS Q is formed in the form of two MDCs, depending on the public key received by the ED and EDS, the first A and second B are formed, verification MDCs, compare them and, if their parameters coincide, they conclude mean of the digital signature, the public key Y is formed in the form of a MDC vector of dimension m, where 2≤m≤64.

Performing the operation of multiplying MDC vectors includes performing addition and multiplication operations on the MDC modulo a simple MDC. Due to the fact that when performing operations of multiplication and raising to the power of vectors of MDCs, it is not necessary to perform the division operation modulo, an increase in the productivity of the procedures for generating and verifying the authenticity of digital signatures is provided.

It is also new that the public key Y is generated in the form of a MDC vector of dimension m = 2, for which a MDC vector G of dimension m = 2 is generated, having an order equal to MDC q, and the public key Y is generated by

the formula Y = G ^x (mod p), and the EDS is formed as a pair of MDCs e and s, for which a random MDC k is generated, the MDC vector R is generated by the formula

R = G ^k (mod p), where p is the MDC, which is the module used to perform operations on the MDCs that are part of the MDC vector G when performing the power raising operation on G, then form the first MDC e of an electronic digital signature by the formula e = rH mod δ, where r = (r ₁ || r ₂ ) is the MDC equal to the concatenation of the MDC included in the MDC vector R and δ is the auxiliary simple MDC, then the second MDC s of the electronic digital signature is generated by the formula s = (k -ex) mod q, after which the first and second verification MDCs A and B are formed according to the formulas A = r'H mod δ and B = e, where r '= (r' ₁ || r ' ₂ ) is the MDC equal to the concatenation M B included in vector MDCH R ', calculated according to the formula ^{R' = Y e G s (} mod p).

Also new is the fact that the FDM p and q are simple.

It is also new that the public key Y is generated in the form of a 3 × 3 MDC vector, for which a 3 × 3 MDC vector G is generated, having an order equal to the MDC q, and the public key Y is formed by the formula Y = G ^x ( mod p), where p is the MDC, which is the module by which operations are performed on the MDCs that are part of the MDC vector G when performing power-up operations on G, and an electronic digital signature is formed as a pair of MDC e and s, for which they generate random MDC k, generate the MDC vector R according to the formula R = G ^k (mod p), then form the first MDC e ctron digital signature by the formula e = rH mod δ, where r = (r ₁ || r ₂ || r ₃ ) is the MDC equal to the concatenation of the MDC included in the MDC vector R, and δ is the auxiliary simple MDC, then a second MDC s of an electronic digital signature by the formula s = (k + ex) mod q, after which the first and second verification MDCs A and B are formed by the formulas A = r'H mod δ and B = e, where r '= (r' ₁ || r ' ₂ || r' ₃ ) - MDC equal to the concatenation of the MDC included in the MDC vector R 'calculated by the formula R' = Y ^qe G ^s (mod p).

Also new is the fact that MDC p is composite, i.e. is a product of two or more primes.

The concatenation of two MDCs a and b, represented in some positional calculus in the form a = a ₁ a ₂ a ₃ ... a _g and b = b ₁ b ₂ b ₃ ... b _k , is called the number c = a || b = a ₁ a ₂ a ₃ ... a _g b ₁ b ₂ b ₃ ... b _k . Sign || denotes a concatenation operation.

A multi-bit binary number vector is a set of two or more MDC called components (MDC vector). The MDC vector is written in various ways, the requirement for which is that they identify the positions of the components. For example, the MDC vector can be written in the form (a ₁ , a ₂ , ..., a _m ), where m≥2 is the dimension of the MDC vector, which means the number of components in the MDC vector. As a separator, the sign of the operation defined over the components of the vector can be used, and then the components of the vector are identified by indicating a formal variable (at the beginning or at the end of the corresponding component) in the form of a letter of the Latin alphabet. A variable is called formal because no numerical value is assigned to it, and it serves only to identify the component of the MDC vector, regardless of the sequence of its writing. So, the MDC vectors Z ₁ = 5е + 3i + 5j and Z ₂ = 3i + 5e + 5j are considered equal, i.e. Z ₁ = Z ₂ . The dimension of the MDC vector is the number of MDC included in the MDC vector as components. In this application, finite groups are considered whose elements are MDC vectors of the form Z = ae + bi + cj, where the group operation is defined through operations on MDC vectors as the operation of multiplying polynomials, taking into account the fact that the resulting products of formal variables are replaced by some specified table . Such a variable replacement table for MDC vectors of dimension m = 3 has, for example, the following form:

This table defines the following variable substitution rule:

e · i → i, e · j → j, j · i → e, i · i → j, j · j → i, etc.

) выполняется следующим образом:For example, let Z ₁ = a ₁ е + b ₁ i + с ₁ j and Z ₂ = а ₂ е + b ₂ i + с ₂ j, then the operation of multiplying the MDC vectors Z ₁ and Z ₂ (we denote it by

) is performed as follows:

To define finite groups of MDC vectors, the operations of addition and multiplication over MDC, which are components of the MDC vectors, are specified modulo a prime number p, the size of which is chosen so as to provide a sufficiently large order of the group of MDC vectors:

будем записывать в виде Z₁Z₂ (mod p), т.e.

В зависимости от размерности векторов МДЧ, над которыми определяются операции умножения, и конкретного варианта операции умножения могут быть использованы различные таблицы подстановок переменных, например:When writing formulas describing the execution of operations in a finite group of MDC vectors and given through modulo addition and multiplication operations, we will indicate in brackets (mod p) at the end of the right side of the formulas, where p is the value of the module. For example, operation

we will write in the form Z ₁ Z ₂ (mod p), i.e.

Depending on the dimension of the MDC vectors over which the multiplication operations are determined, and the specific variant of the multiplication operation, various variable substitution tables can be used, for example:

1. For vectors of dimension m = 2, an acceptable table has the form

where 0 <a <p.

2. For vectors of dimension m = 3, an acceptable table has the form

where 0 <a <p. The value of parameter a can be selected by any of the specified interval. Different values of the parameter a give different properties to a finite group of MDC vectors for a fixed value of dimension m and modulus p. In a similar way, group operations on finite groups of MDC vectors of dimensions m = 4, m = 5, etc. can be defined.

причем порядок этой подгруппы является достаточно большим. Группа - это алгебраическая структура (т.е. множество математических элементов некоторой природы), над элементами которой задана некоторая операция таким образом, что алгебраическая структура обладает следующим набором свойств: операция ассоциативна, результатом выполнения операции над двумя элементами является также элемент этой же структуры, существует нейтральный элемент такой, что при выполнении операции над ним и другим некоторым элементом а группы результатом является элемент а. Детальное описание групп дано в широкодоступной математической литературе, например в книгах А.Г.Курош. Теория групп.- М., «Наука», 1967. - 648 с. и М.И.Каргаполов, Ю.И.Мерзляков. Основы теории групп. - М., «Наука. Физматлит», 1996. - 287 с. Операция, определенная над элементами группы, называется групповой операцией. Группа называется циклической, если каждый ее элемент может быть представлен в виде g=aⁿ для некоторого натурального числа n, где а - элемент данной подгруппы, называющийся генератором или образующим элементом циклической подгруппы, и степень n означает, что над элементом а выполняются n последовательных операций, т.е.

(n раз). Известно, что, если порядок группы есть простое число, то она циклическая [А.И.Кострикин. Введение в алгебру. Основы алгебры. М.: Физматлит. 1994. - 320 с.]. Важной характеристикой группы является ее порядок, который равен числу элементов в группе. Для элементов группы также применяется понятие порядка. Порядком элемента группы, является минимальное значение степени, в которую нужно возвести этот элемент, чтобы результатом операции было получение нейтрального элемента группы.With the appropriate choice of the formal variable change table and the simple value p, the set of MDC vectors is finite, and this finite set contains the subset of MDC vectors that form a group with a group operation

moreover, the order of this subgroup is quite large. A group is an algebraic structure (i.e., a set of mathematical elements of some nature), on the elements of which an operation is specified in such a way that the algebraic structure has the following set of properties: the operation is associative, the result of the operation on two elements is also an element of the same structure, there is a neutral element such that when performing an operation on it and some other element of a group, the result is element a. A detailed description of the groups is given in the widely available mathematical literature, for example, in the books of A.G. Kurosh. Theory of groups. - M., "Science", 1967. - 648 p. and M.I. Kargapolov, Yu.I. Merzlyakov. Fundamentals of group theory. - M., “Science. Fizmatlit ", 1996. - 287 p. An operation defined on group elements is called a group operation. A group is called cyclic if its every element can be represented in the form g = a ⁿ for some natural number n, where a is an element of a given subgroup, called a generator or a generating element of a cyclic subgroup, and degree n means that n consecutive operations i.e.

(n times). It is known that if the order of a group is a prime, then it is cyclic [A.I. Kostrikin. Introduction to Algebra. Fundamentals of Algebra. M .: Fizmatlit. 1994. - 320 p.]. An important characteristic of a group is its order, which is equal to the number of elements in the group. For group elements, the concept of order also applies. The order of an element of a group is the minimum value of the degree to which this element must be raised so that the result of the operation is to obtain a neutral element of the group.

Usually, when developing methods for forming and checking digital signatures, cyclic groups of large simple order or groups whose order is divided entirely into a large prime number are used [Wenbo Mao. Modern cryptography. Theory and practice. - M., St. Petersburg, Kiev. Williams Publishing House, 2005. - 763 p.]. With the appropriate definition of the group of MDC vectors, this condition is easily ensured. Moreover, the stability of the methods of forming and checking the digital signature is determined by the complexity of the discrete logarithm problem, which consists in determining the value of degree n to which the given element of the group must be raised so that the result of this operation is some other given element of the group [N. Moldovyan Workshop on public key cryptosystems. - SPb., BHV-Petersburg, 2007. - 298 p.].

над векторами МДЧ выполняется путем выполнения модульных умножений и сложений над МДЧ, являющихся компонентами векторов МДЧ, достаточно высокая трудность задачи дискретного логарифмирования в группе векторов МДЧ достигается при сравнительно малом значении размера модуля р, благодаря чему обеспечивается сравнительно высокая производительность операции возведения векторов МДЧ в большую степень. Поскольку производительность процедур формирования и проверки ЭЦП определяется производительностью операции возведения в степень, то при использовании операций над векторами МДЧ обеспечивается сравнительно высокая производительность процедур формирования и проверки ЭЦП.Since the group operation

on MDC vectors is performed by performing modular multiplications and additions on MDC, which are components of the MDC vectors, a rather high difficulty of the discrete logarithm problem in the group of MDC vectors is achieved with a relatively small value of the module size p, which ensures a relatively high performance of the operation of raising the MDC vectors to a large degree . Since the performance of the procedures for generating and checking the digital signature is determined by the performance of the exponentiation operation, when using operations on the MDC vectors, a relatively high productivity of the procedures for generating and checking the digital signature is ensured.

The order of the MDC vector V is the smallest positive integer q such that V ^q = 1, i.e. such that the result of multiplying the MDC vector Q by itself q times is a unit MDC vector E = 1e + 0i + 0j = 1.

The correctness of the claimed method is proved theoretically. Consider, for example, an embodiment of the method according to claims 4 and 5 of the claims. The public key corresponding to the secret key x is the MDC vector Y = G ^x (mod p).

The MDC vector R is generated by the formula R = G ^k (mod p), and the first MDC in the EDS (e, s) is calculated by the formula e = rH mod δ, where r = (r ₁ || r ₂ || r ₃ ) - MDC equal to the concatenation of the MDC included in the MDC vector R. The value of s is generated by the formula s = (k + ex) mod q, therefore the MDC vector R 'generated by the formula R' = Y ^qe G ^s mod p and used to form the first verification MDC A is

R '= Y ^qe G ^s (mod p) = G ^{(qe) x} G ^s (mod p) = G ^{(qe) x + (k + ex)} (mod p) =

= G ^{qx + k} (mod p) = G ^qx G ^k (mod p) = G ^k (mod p) = R.

Since the MDC vectors R 'and R are the same, the values of r' and r are equal to each other: r '= (r' ₁ || r ' ₂ || r' ₃ ) = r = (r ₁ || r ₂ || r ₃ ), therefore, A = r'H mod δ = rH mod δ = e = B, i.e. A correctly formed collective signature satisfies the signature verification procedure, i.e. the correctness of the procedures for generating and verifying EDS is proved. Similarly, the proof of correctness is given for claims 2 and 3 of the claims.

Consider examples of the implementation of the claimed technical solution, where specific values of the parameters used are described in the numerical examples given below. The MDC vectors used in the examples were generated using a program developed specifically for generating matrices, including MDC vectors with a given order, and performing operations on MDC vectors. The MDCs given in the example are taken of a relatively small size and are written for brevity in the form of decimal numbers. In computing devices, MDCs are represented and converted in binary form, i.e. as a sequence of high and low potential signals. In real applications, MDC vectors should be used, which include MDCs from 16 to 512 bits in length, depending on the value of their dimension m. With a smaller dimension, a higher-resolution MDC should be used.

When using the proposed method in practice, one should choose a variable replacement table and the size of the parameters p and q in such a way that the bit capacity of the order q is equal to or greater than 160 bits. The examples below use parameters with artificially reduced bit depth to reduce the size of the examples and make them more visual.

выполняется с использованием следующей таблицы замены переменных:Example 1. The case of using two-component MDC vectors (illustration of claims 2 and 3 of the claims). In this example, a group operation

performed using the following variable replacement table:

The following sequence of actions is performed.

1. A prime number p is generated such that p-1 contains a large prime factor q, that is, p = Nq + 1, where N is an even number:

p = 3990163786012426536171919;

q = 1997539432909;

G = 2205829896139765611199743e + 750652585528120205203869i;

2. Generate the secret key x in the form of a random MDC:

x = 1853362791;

3. The public key is formed in the form of a MDC vector Y, for which the following sequence of actions is performed.

3.1. An MDC vector of order q = 1997539432909 is generated.

3.2. Generate the MDC vector Y = G ^x (mod p):

Y = 1170349070330824405069406e + 2505690115109586035639139i;

4. Accept the ED represented, for example, by the following MDC H (which can be taken, in particular, the hash function of the ED):

H = 635473563483.

5. Form the digital signature Q in the form of a pair of numbers (e, s) for which they perform the following steps:

5.1. The first element of the digital signature is formed e, for which

5.1.1. A random MDC k = 18357236873 is generated.

5.1.2. The MDC vector R = G ^k (mod p) is generated:

R = 2057361867821351253457028е + 3679538494005836479635721i.

5.1.3. MDC e is calculated by the formula e = r ₁ h mod δ, where δ is an auxiliary prime number (for example, δ = q = 1997539432909), r ₁ is the first MDC in the MDC vector R: е = 113678582682.

5.2. The second element of the EDS s is formed by the formula s = k + xe mod q:

s = 139316649025.

6. The first verification MDC A is formed, for which the following actions are performed.

6.1. The MDC vector R 'is calculated by the formula:

q-e = 1883860850227;

Y ^qe = 2005499870579969554139198е + 3027974868612498293037474i. G ^s = 1846689595470242217257892e + 2845865428349522504128287i. R '= 20573b1867821351253457028e + 3679538494005836479635721i.

6.2. MDC A is calculated by the formula A = R ' _e h mod q: A = 113678582682.

7. The second verification MDC is formed according to the formula B = e:

B = 113678582682.

8. Compare the first and second verification MDC: A = B.

The coincidence of verification MDC confirms the authenticity of the digital signature.

выполняется с использованием следующей таблицы замены переменных:Example 2. The case of the use of three-component MDC vectors (illustration of claim 4 of the claims). In this example, a group operation

performed using the following variable replacement table:

The following sequence of actions is performed.

1. A prime number p is generated such that p-1 contains a large prime factor q, that is, p = Nq + 1, where N is an even number:

p = 30817; q is 107;

2. Generate the secret key x in the form of a random MDC:

x = 79.

3. The public key is formed in the form of a MDC vector Y, for which the following sequence of actions is performed.

3.1. Generate the MDC vector G of order q = 107:

G = 11297e + 10799i + 23186j.

3.2. Generate the MDC vector Y = G ^x (mod p):

Y = G ^x (mod p) = 9129e + 24262i + 19035j.

4. Accept the ED represented, for example, by the following MDC H (which can be taken, in particular, the hash function of the ED): H = 68.

5. Form the digital signature Q in the form of a pair of numbers (e, s), for which they perform the following steps:

5.1. The first element of the digital signature is formed e, for which

5.1.1. A random MDF k = 87 is generated.

5.1.2. The MDC vector R = G ^k (mod p) = 23203e + 17932i + 16380j is generated.

5.1.3. The MDC e is calculated by the formula e = rH mod δ, where r = (r ₁ || r ₂ || r ₃ ) is the MDC equal to the concatenation of the MDC included in the vector R, and δ = 109 is an auxiliary prime number: e = 76.

5.2. The second element of the EDS s is formed by the formula s = k + хе mod q: s = 99.

6. The first verification MDC A is formed, for which the following actions are performed:

6.1. The MDC vector R 'is calculated by the formula

Y ^qe (mod p) = 16855e + 6774i + 24171j.

G ^s (mod p) = 6300e + 3337i + 13319j.

R '= 23203e + 17932i + 16380j.

6.2. MDC A is calculated by the formula A = r'H mod δ, where r '= (r' ₁ || r ' ₂ || r' ₃ ) is the MDC equal to the concatenation of the MDC included in the MDC vector R ', and δ = 109 - auxiliary prime: A = 76.

7. The second verification MDC is formed according to the formula B = e: B = e = 76.

8. Compare the first and second verification MDC: A = B.

The coincidence of verification MDC confirms the authenticity of the digital signature.

выполняется с использованием следующей таблицы замены переменных:Example 3. The case of using three-component MDC vectors (illustration of claim 4 of the claims). In this example, a group operation

performed using the following variable replacement table:

This example shows that with an appropriate choice of a prime number p and a variable substitution table, a value of order q can significantly exceed a value of p. The following sequence of actions is performed.

1. Generate a prime number p such that p ² + p + 1 contains a large prime factor q:

p = 97; q = 3169.

2. Generate the secret key x in the form of a random MDC:

x = 2079.

3. The public key is formed in the form of a MDC vector Y, for which the following sequence of actions is performed.

3.1. Generate the MDC vector G of order q = 3169:

G = 8e + 3i + 93j.

3.2. Generate the MDC vector Y = G ^x (mod p):

Y = 87e + 96i + 86j.

4. Accept the ED represented, for example, by the following MDC H (which can be taken, in particular, the hash function of the ED): H = 5168.

5. Form the digital signature Q in the form of a pair of numbers (e, s), for which they perform the following steps:

5.1. The first element of the digital signature is formed e, for which

5.1.1. A random MDF k = 5387 is generated.

5.1.2. The MDC vector R = G ^k (mod p) = 96e + 56i + 81j is generated.

5.1.3. The MDC e is calculated by the formula e = rH mod δ, where r = (r ₁ || r ₂ || r ₃ ) is the MDC equal to the concatenation of the MDC included in the vector R and δ = 3169: e = 3138.

5.2. The second element of the EDS s is formed by the formula s = k + xe mod q: s = 1149.

6. The first verification MDC A is formed, for which the following actions are performed:

6.1. The MDC vector R 'is calculated by the formula

Y ^qe (mod p) = 75e + 46i + 84j

G ^s (mod p) = 27e + 81i + 81j

R '= 96e + 56i + 81j.

6.2. MDC A is calculated by the formula A = r'H mod δ, where r '= (r' ₁ || r ' ₂ || r' ₃ ) is the MDC equal to the concatenation of the MDC included in the MDC vector R ', and δ = 3169 is an auxiliary prime: A = 3138.

7. A second verification MDC is formed by the formula B = e: B = e = 3138.

8. Compare the first and second verification MDC: A = B.

The coincidence of verification MDC confirms the authenticity of the digital signature.

выполняется с использованием следующей таблицы замены переменных:Example 4. The case of using three-component MDC vectors (illustration of claim 5 of the claims). In this example, the composite MDC is used as the module p, and the group operation

performed using the following variable replacement table:

The following sequence of actions is performed.

1. Generate a composite number p equal to the product of the prime numbers 11 and 457: p = 5027.

2. Generate the secret key x in the form of a random MDC:

x = 279.

3. The public key is formed in the form of a MDC vector Y, for which the following sequence of actions is performed.

3.1. Generate the MDC vector G of order q = 457:

G = 1e + 4631i + 4785j.

3.2. Generate the MDC vector Y = G ^x (mod p):

Y = 1e + 2156i + 2860j.

4. Accept the ED represented, for example, by the following MDC N (which can be taken, in particular, the hash function of the ED): N = 168.

5. Form the digital signature Q in the form of a pair of numbers (e, s), for which they perform the following steps:

5.1. The first element of the digital signature is formed e, for which

5.1.1. A random MDC k = 387 is generated.

5.1.2. The MDC vector R = G ^k (mod p) = 1e + 2475i + 1859j is generated.

5.1.3. The MDC e is calculated by the formula e = rH mod δ, where r = (r ₁ || r ₂ || r ₃ ) is the MDC equal to the concatenation of the MDC included in the vector R, and δ = 319: e = 190.

5.2. The second element of the EDS s is formed by the formula s = k + xe mod q: s = 385.

6. The first verification MDC A is formed, for which the following actions are performed:

6.1. The MDC vector R 'is calculated by the formula

Y ^qe (mod p) = 1e + 2475i + 4543j; G ^s (mod p) = 1e + 2937i + 2343j

R '= 1e + 56i + 81j.

6.2. MDC A is calculated by the formula A = r'H mod δ, where r '= (r' ₁ || r ' ₂ || r' ₃ ) is the MDC equal to the concatenation of the MDC included in the MDC vector R ', and δ = 3169 is an auxiliary prime: A = 190.

7. A second verification MDC is formed according to the formula B = e: B = e = 190.

8. Compare the first and second verification MDC: A = B.

The coincidence of verification MDC confirms the authenticity of the digital signature.

The above examples show the fundamental feasibility and correctness of the claimed method of forming and verifying the authenticity of the digital signature certifying the ED. Similarly, the inventive method is implemented using MDC vectors of dimension m = 4, m = 5, m = 6, etc. For example, the following formal variable replacement tables can be used, in which the value of the parameter a can be selected in the interval 0≤a <p, where the number p is chosen so that a value of the order of the MDC vectors q is ensured, which is equal to a sufficiently large simple MDC, for example, equal to the value of a simple MDC of 160, 256 or 512 bit. The table for specifying a group operation on four-component MDC vectors (case m = 4) has the form:

The table for specifying a group operation on five-component MDC vectors (case m = 5) has the form:

The table for specifying the group operation on the six-component MDC vectors (case m = 6) has the form:

Computer programs have been developed that implement the operations of multiplying and raising to a large integer power MDC vectors having dimensions m = 2, m = 3, m = 4, m = 5, and m = 6. Using these programs, the above examples were generated and it was found that similar examples of the implementation of the claimed method using MDC vectors of dimensions m = 4, m = 5 and m = 6 also ensure the correctness of the digital signature authentication procedure.

By analogy with the construction of the above tables, we can construct tables defining group operations on vectors of arbitrary dimensions m. Moreover, when using groups of MDC vectors having a relatively large dimension, high cryptographic strength of the digital signature is ensured with a lower bit depth of the MDC, which are components of the MDC vectors. For example, with m = 16 and m = 32, the bit depth of these MDCs can be 64 and 32 bits, respectively, which allows to increase the speed of signature generation and verification procedures in software implementation to run programs that implement the claimed method on 64- and 32-bit microprocessors.

The above examples experimentally confirm the correctness of the implementation of the proposed method, which complements the above mathematical proofs of the correctness of the described specific implementations of the claimed method of forming and checking the digital signature verifying the ED.

Thus, it is shown that the inventive method can be the basis for stable systems of digital signature, providing increased productivity of devices and programs for the formation and verification of digital signature.

The above examples and mathematical justification show that the proposed method for generating and verifying the authenticity of the digital signature works correctly, is technically feasible and allows to achieve the formulated technical result.

Annex 1

Interpretation of the terms used in the description of the application

1. Binary digital electromagnetic signal - a sequence of bits in the form of zeros and ones.

2. Parameters of a binary digital electromagnetic signal: bit depth and order of single and zero bits.

3. The bit depth of a binary digital electromagnetic signal is the total number of its single and zero bits, for example, the number 10011 is 5-bit.

4. Electronic digital signature (EDS) - a binary digital electromagnetic signal, the parameters of which depend on the signed electronic document and on the secret key. EDS authentication is carried out using a public key, which depends on the secret key.

5. An electronic document (ED) is a binary digital electromagnetic signal, the parameters of which depend on the original document and how it is converted to electronic form.

6. Secret key - a binary digital electromagnetic signal used to generate a signature for a given electronic document. The secret key is represented, for example, in binary form as a sequence of digits "0" and "1".

7. Public key - a binary digital electromagnetic signal, the parameters of which depend on the secret key and which is designed to verify the authenticity of a digital electronic signature.

8. A hash function of an electronic document is a binary digital electromagnetic signal, the parameters of which depend on the electronic document and the chosen method of its calculation. In EDS systems, it is believed that the hash function uniquely represents ED, since the used hash functions satisfy the requirement of collision stability, which means it is computationally impossible to find two different EDs that correspond to the same value of the hash function.

9. A multi-bit binary number (MDC) is a binary digital electromagnetic signal, interpreted as a binary number and represented as a sequence of digits "0" and "1".

10. The operation of raising a number S to a discrete power A modulo n is an operation performed on a finite set of natural numbers {0, 1, 2, ..., n-1}, including n numbers that are the remainders of dividing all kinds of integers by a number n; the result of the operations of addition, subtraction and multiplication modulo n is a number from the same set [Vinogradov IM Fundamentals of number theory. - M .: Nauka, 1972. - 167 p.]; the operation of raising a number S to a discrete power Z modulo n is defined as a Z-fold sequential multiplication modulo n of the number S by itself, i.e. as a result of this operation, the number W is also obtained that is less than or equal to the number n-1; even for very large numbers S, Z and n, there are effective algorithms for performing the operation of raising a discrete power modulo.

11. The exponent q modulo n of the number a, which is coprime with n, is the minimum of the numbers γ for which the condition a ^γ mod n = 1 is satisfied, that is, q = min {γ ₁ , γ ₂ , ...} [I. Vinogradov Fundamentals of number theory. - M .: Nauka, 1972. - 167 p.].

12. The operation of dividing the integer A by an integer B modulo n is performed as the operation of multiplying modulo n the number A by an integer B ^-1 , which is the inverse of B modulo n.

13. The order of q modulo n of a is the exponent q modulo n of a.

14. A group is an algebraic structure (that is, a set of mathematical elements of various nature), on the elements of which a certain operation is specified and they have a given set of properties: the operation is associative, the result of the operation on two elements is also an element of the same structure, there is a neutral an element such that when performing an operation on it and some other element a of the group, the result is element a. A detailed description of the groups is given in the books of A.G. Kurosh. Group theory. M., "Science", 1967. - 648 p. and M.I. Kargapolov, Yu.I. Merzlyakov. Fundamentals of group theory. - M., “Science. Fizmatlit ", 1996. - 287 p. An operation defined over group elements is called a group operation.

обозначает операцию, определенную над элементами группы.15. A cyclic group is a group, each element of which can be represented in the form g = a ⁿ for some natural value n, where a is an element of this group, called a generator or generatrix element of a cyclic group. The degree n means that n consecutive operations are performed on element a, i.e. calculations are performed according to the formula

denotes an operation defined on group elements.

16. A cyclic subgroup of a group is a subgroup, each element of g of which can be represented as g = a ⁿ for some natural value n, where a is an element of this subgroup, called a generator or a generating element of a cyclic subgroup.

17. A vector is a set of two or elements of different nature called components of a vector.

18. A vector of multi-bit binary numbers (MDC vector) is a set of two or more MDC called components of the MDC vector. The MDC vector is written in various ways, the requirement for which is that they identify the positions of the components. For example, the MDC vector can be written in the form (a ₁ , a ₂ , ..., a _m ), where m≥2 is the dimension of the MDC vector, which means the number of components in the MDC vector. As a separator, the sign of the operation defined over the components of the vector can be used, and then the components of the vector are identified by indicating a formal variable (at the beginning or at the end of the corresponding component) in the form of a letter of the Latin alphabet. A variable is called formal because no numerical value is assigned to it, and it serves only to identify the component of the MDC vector, regardless of the sequence of its recording. So, the MDC vectors Z ₁ = 5e + 3i + 5j and

Z ₂ = 3i + 5e + 5j are considered equal, i.e. Z ₁ = Z ₂ . When using some private variable substitution tables, formal variables in the literature are sometimes called basis vectors, and the numbers Z ₁ and Z ₂ are called vectors of the m-dimensional space [L.B.Shneperman. A course in algebra and number theory in problems and exercises. - Minsk, “Higher School”, 1986. - 272 p.].

19. The dimension of the MDC vector is the number of MDC included in the MDC vector as components.

Claims (5)

1. A method for generating and verifying the authenticity of an electronic digital signature certifying an electronic document, which consists in generating a secret key in the form of a multi-bit binary number x, using the secret key, form a public key Y in the form of more than one multi-bit binary number, receiving an electronic document, represented by a multi-bit binary number H, depending on the received electronic document and the value of the secret key, form an electronic digital signature Q in the form of two multi-bit binary numbers, depending on the public key, the received electronic document and electronic digital signature, form the first A and second B multi-bit verification binary numbers, compare them and, if their parameters coincide, make a conclusion about the authenticity of the electronic digital signature, characterized in that the public key Y is formed in as a vector of multi-bit binary numbers of dimension m, where 2≤m≤64. 2. The method according to claim 1, characterized in that the public key Y is generated in the form of a vector of multi-bit binary numbers of dimension m = 2, for which a vector of multi-bit binary numbers G of dimension m = 2 is generated, having an order equal to a multi-bit binary number q, and the public key Y is formed by the formula Y = G ^x (mod p), where p is a multi-bit binary number, which is the module by which operations are performed on the multi-bit binary numbers that are part of the vector of multi-bit binary numbers G when performing the exponentiation operation on G b, and the electronic digital signature is formed as a pair of multi-bit binary numbers e and s, for which a random multi-bit binary number k is generated, generate
the vector of multi-bit binary numbers R by the formula R = G ^k (mod p), then the first multi-bit binary number e of an electronic digital signature is formed by the formula e = r ₁ H mod δ, where r ₁ is the first multi-bit binary number in the vector of multi-bit binary numbers R and δ is an auxiliary simple multi-bit binary number, then a second multi-bit binary number s of electronic digital signature is generated by the formula s = (k + ex) mod q, after which the first and second test multi-bit binary numbers A and B are formed by the formulas A = r ' H mod δ and B = e, where r ' ₁ is the first multi-bit binary number in the vector of multi-bit binary numbers R 'calculated by the formula R' = Y ^qe G ^s (mod p). 3. The method according to claim 2, characterized in that the multi-bit binary numbers p and q are prime. 4. The method according to claim 1, characterized in that the public key Y is generated in the form of a vector of multi-bit binary numbers of dimension m = 3, for which a vector of multi-bit binary numbers G of dimension m = 3 is generated, having an order equal to a multi-bit binary number q, and the public key Y is formed by the formula Y = G ^x (mod p), where p is a multi-bit binary number, which is the module by which operations are performed on the multi-bit binary numbers that are part of the vector of multi-bit binary numbers G when performing the exponentiation operation on G b, and an electronic digital signature is formed in the form of a pair of multi-bit binary numbers e and s, for which a random multi-bit binary number k is generated, a vector of multi-bit binary numbers R is generated by the formula R = G ^k (mod p), then the first multi-bit binary number e is formed digital signature according to the formula e = rН mod δ, where r = (r ₁ || r ₂ || r ₃ ) is a multi-bit binary number equal to the concatenation of the multi-bit binary numbers that make up the multi-bit binary numbers vector R, and δ is an auxiliary simple multi-bit binary h Then, the second multi-bit binary number s of the electronic digital signature is generated by the formula s = (k + ex) mod q, after which the first and second test multi-bit binary numbers A and B are formed by the formulas A = r'H mod δ and B = e , where r '= (r' ₁ || r ' ₂ || r' ₃ ) is a multi-bit binary number equal to the concatenation of the multi-bit binary numbers included in the vector of multi-bit binary numbers R 'calculated by the formula R' = Y ^qe G ^s (mod p). 5. The method according to claim 4, characterized in that the multi-bit binary number p is composite.