CN101399668A - Method and system for transmitting digital signature based on braid group - Google Patents

Method and system for transmitting digital signature based on braid group

Info

Publication number
CN101399668A
Authority
CN (China)
Prior art keywords
braid, signature, message, sigma, braid group
Legal status (as listed by Google Patents: an assumption, not a legal conclusion)
Pending
Application number
CNA2007101532053A
Other languages
Chinese (zh)
Inventors
王励成, 黄晓芳
Current Assignee (as listed by Google Patents; may be inaccurate)
Sony China Ltd
Original Assignee
Sony China Ltd
Application filed by Sony China Ltd
Priority to CNA2007101532053A
Publication of CN101399668A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a transitive digital signature system based on a braid group, and a corresponding method. The system comprises a key generation module, a signature braid generation module and a signature composition module. The key generation module selects system parameters according to the required security level and generates a signing private key together with the corresponding public key used to verify signatures. The signature braid generation module applies a hash function to the message to be signed, which is represented as a 2-tuple in the message space, and uses the conjugation operation together with the private key produced by the key generation module to select the corresponding signature braid in the braid group; it then combines the message with its signature braid to form the complete signature of the message. The signature composition module synthesizes the signature braid of a third message from the signatures of at least two messages produced by the signature braid generation module and the public key. The invention replaces the ordinary signature used in conventional transitive signatures with a braid-group-based signature scheme; the resulting signatures resist the known quantum attacks and are therefore considerably safer.

Description

Method and system for transitive digital signatures based on braid groups
Technical field
The present invention relates generally to methods and systems for trust-chain management in secure data-transmission communications. More particularly, it relates to methods and systems that use braid groups as the underlying mathematical platform to build a transitive digital signature system and thereby realize trust-chain management.
Background technology
Transitive signatures were first proposed by Micali and Rivest [1] in 2002, mainly in order to sign efficiently binary relations that are transitive. Transitivity of a signature models the transitivity of a trust relationship, so transitive signatures have important applications in military, political, economic and other fields related to trust-chain management [1-3].
Once proposed, transitive signatures quickly attracted the attention of many researchers. Through the efforts of Micali and Rivest [1], Bellare [2,3] and other cryptographers [4-10], it is now known how to realize transitive signatures based on the integer factoring problem (IFP) [2,3], the discrete logarithm problem (DLP) [1] and hardness assumptions related to bilinear pairings [7].
However, in a quantum computing environment all of the above hard problems can be solved in polynomial time and polynomial space [11]; that is, all of the above transitive signature systems are insecure against quantum computers. We therefore consider it necessary to redesign transitive signatures on a new public-key platform that resists quantum attacks, or at least the known quantum attacks.
To strengthen the security of public-key cryptosystems against quantum computation, several new public-key platforms have been proposed, including public-key cryptosystems over non-commutative groups such as braid groups. Braid-group cryptosystems were first proposed by Ko et al. of Korea in 2000 [12]. Although the field has developed for six or seven years since then, few of these cryptosystems have a recognized security level. The first braid-group digital signature system was also proposed by Ko et al., in 2002 [13]. Since then, improvements to that system have been proposed [14] and even patented [15], but none came with a rigorous provable-security reduction. Only recently has a provable-security reduction been given for that signature system and its later improvements [16].
It is against this background that we propose the present invention, which aims to realize a secure transitive digital signature system based on braid groups.
The documents cited above are:
[1] S. Micali and R. L. Rivest. Transitive signature schemes. In B. Preneel (Ed.): CT-RSA 2002, LNCS 2271, pp. 236-243, Springer-Verlag, 2002.
[2] M. Bellare and G. Neven. Transitive signatures based on factoring and RSA. In Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 397-414, Springer-Verlag, 2002.
[3] M. Bellare and G. Neven. Transitive signatures: New schemes and proofs. IEEE Transactions on Information Theory, Vol. 51, No. 6, pp. 2133-2151, June 2005.
[4] Huang Zhenjie, Hao Yanhua, Wang Yumin, Chen Kefei. An efficient directed transitive signature scheme. Acta Electronica Sinica, Vol. 33, No. 8, pp. 1497-1501, August 2005.
[5] H. Kuwakado, H. Tanaka. Transitive signature scheme for directed trees. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E86-A, No. 5, pp. 1120-1126, May 2003.
[6] C. Ma, P. Wu, and G. Gu. A new method for the design of stateless transitive signature schemes. In H. T. Shen et al. (Eds.): APWeb Workshops 2006, LNCS 3842, pp. 897-904, Springer-Verlag, 2006.
[7] S. F. Shahandashti, M. Salmasizadeh, J. Mohajeri. A provably secure short transitive signature scheme from bilinear group pairs. In C. Blundo and S. Cimato (Eds.): SCN 2004, LNCS 3352, pp. 60-76, Springer-Verlag, 2005.
[8] X. Yi. Directed transitive signature scheme. In CT-RSA 2007, LNCS 4377, pp. 129-144, Springer-Verlag Berlin Heidelberg, 2007.
[9] X. Yi, C.-H. Tan, E. Okamoto. Security of Kuwakado-Tanaka transitive signature scheme for directed trees. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E87-A, No. 4, pp. 955-957, April 2004.
[10] H. Zhu. Model for undirected transitive signatures. IEE Proceedings: Communications, Vol. 151, No. 4, pp. 312-315, August 2004.
[11] P. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput., Vol. 26, No. 5, pp. 1484-1509, 1997.
[12] K. H. Ko, S. J. Lee, J. H. Cheon, and J. W. Han. New public-key cryptosystem using braid groups. In CRYPTO 2000, LNCS 1880, pp. 166-183, Springer-Verlag Berlin Heidelberg, 2000.
[13] K. H. Ko, D. H. Choi, M. S. Cho, and J. W. Lee. New signature scheme using conjugacy problem. Preprint, http://eprint.iacr.org/2002/168, 2002.
[14] Ding Yong, Tian Haibo, Wang Yumin. An improved digital signature scheme based on braid groups. Journal of Xidian University, Vol. 33, No. 1, pp. 50-61, February 2006.
[15] Ding Yong, Chen Jianyong, Li Yahui. A digital signature method based on the braid-group conjugacy problem. Chinese patent application No. 200310113604; publication No. 1545242; published 2004-11-10.
[16] L. Wang, Z. Cao, P. Zeng, and X. Li. One-more matching conjugate problem and security of braid-based signatures. In ASIACCS '07, pp. 295-301, ACM, March 2007.
Summary of the invention
A preferred embodiment of the present invention provides a transitive digital signature method and system based on braid groups, in which a braid-group-based signature scheme replaces the ordinary signature used in conventional transitive signatures, so that the signatures produced resist the known quantum attacks and are therefore safer.
According to one aspect of the present invention, a transitive digital signature system based on braid groups is provided, comprising: a key generation module, which selects system parameters according to the required security level, determines the braid group from those parameters, and generates a signing private key and the corresponding verification public key from the selected parameters and the braid group, where the system parameters comprise the braid index n of the braid group, the length scale of the working braids, the message space consisting of the 2-tuples that represent the messages to be signed, and the hash function used to select, in the braid group, the signature braid of a message in the message space; a signature braid generation module, which applies the hash function to the message to be signed (represented as a 2-tuple in the message space), uses the conjugation operation and the private key produced by the key generation module to select the corresponding signature braid in the braid group, and combines the message with its signature braid into the complete signature of that message; and a signature composition module, which synthesizes the signature braid of a third message from the signatures of at least two messages produced by the signature braid generation module and the public key.
According to another aspect of the present invention, a transitive digital signature method based on braid groups is provided, comprising the steps of: selecting system parameters according to the required security level, determining the braid group from those parameters, and generating a signing private key and the corresponding verification public key from the selected parameters and the braid group, where the system parameters comprise the braid index n of the braid group, the length scale of the working braids, the message space consisting of the 2-tuples that represent the messages to be signed, and the hash function used to select, in the braid group, the signature braid of a message in the message space; applying the hash function to the message to be signed (represented as a 2-tuple in the message space) and using the conjugation operation and the generated private key to select the corresponding signature braid in the braid group, then combining the message with its signature braid into the complete signature of that message; and synthesizing the signature braid of a third message from at least two messages, their generated signatures and the public key.
According to a further aspect of the present invention, a computer program product is provided that implements the transitive digital signature method based on braid groups, the method comprising the same steps as set out in the preceding aspect.
Compared with existing results, the present invention has the following distinguishing features. First, compared with the published transitive signature schemes, the present invention is expected to resist the known quantum attacks and is therefore safer: the published transitive signatures rest on number-theoretic hard problems that can all be solved efficiently in a quantum computing environment, and are thus insecure. Second, compared with the existing braid-group signature schemes and patents, the present invention suits the application scenario of transitive signatures. A transitive signature often contains an ordinary signature as a component (for example as the signature scheme for node certificates), but an ordinary signature cannot replace a transitive signature, since a transitive signature has more properties and requirements than an ordinary one; existing ordinary signature schemes and patents therefore cannot substitute for the present invention.
Description of drawings
The above and other objects, features and advantages of the present invention will become clearer from the following detailed description taken in conjunction with the drawings, in which:
Fig. 1 is a schematic diagram of the transitive digital signature system based on braid groups according to a preferred embodiment of the present invention;
Fig. 2 is a block diagram of the key generation module according to the present invention;
Fig. 3 is a block diagram of the detailed structure of the signature braid generation module;
Fig. 4 is a block diagram of the structure of the signature composition module according to the present invention;
Fig. 5 is a block diagram of the structure of the signature verification module; and
Fig. 6 is a flowchart of the transitive digital signature method based on braid groups according to a preferred embodiment of the present invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings. It should be understood that the present invention can be realized in other, different embodiments and should not be limited to the embodiments described here; the following embodiments are provided so that the scope of the present invention is conveyed completely to those of ordinary skill in the art.
Throughout the drawings, identical reference numerals indicate identical parts, features and structures. Descriptions of well-known functions and configurations incorporated here are omitted from the following detailed description where they might obscure the present invention.
A preferred embodiment of the present invention provides a transitive digital signature method and system based on braid groups; the transitive digital signature of the present invention is built on the conjugator search problem (CSP) in order to strengthen the security of the signature.
The conjugator search problem is the following: given two braids $p \in B_n$ and $q \in B_n$, where $q$ is the conjugate of $p$ by some braid $s \in B_n$, i.e. $q = s^{-1} p s$ (here $s$ is called a conjugator of $p$ and $q$; it is generally kept secret, for example as a user's private key), find some braid $r \in B_n$ such that $r$ is also a conjugator of $p$ and $q$, i.e. $q = r^{-1} p r$ (it is not required that $r$ equal $s$).
Here the braid group $B_n$ is usually defined by the following group presentation:
$$B_n = \langle \sigma_1, \ldots, \sigma_{n-1} \mid \sigma_i \sigma_j = \sigma_j \sigma_i,\ |i-j| \ge 2;\ \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j,\ |i-j| = 1 \rangle,$$
where each $\sigma_i$ is called an Artin generator and $n$ is called the braid index.
If each $\sigma_i$ and its inverse $\sigma_i^{-1}$ is regarded as a letter, these $2(n-1)$ letters form an alphabet, and any word over this alphabet is called a braid. The length of a braid is the number of generators it contains; for example, the braid $\sigma_2\sigma_3$ has length 2. In general, the lengths of the braids in use can be controlled by bounding the length scale of the braids.
The empty word, of length zero, is the identity element (also called the unit) of the braid group, and multiplication of braids is defined as concatenation of words. For example, the product of a braid (shown only as an image in the original document) and $\sigma_2\sigma_3$ is their concatenation (likewise shown only as an image), and the product of $\sigma_1\sigma_2^{-1}\sigma_3$ and $\sigma_1\sigma_3^{-1}$ is $\sigma_1\sigma_2^{-1}\sigma_1$, because
$$\sigma_1\sigma_2^{-1}\sigma_3\sigma_1\sigma_3^{-1} = \sigma_1\sigma_2^{-1}\sigma_3\sigma_3^{-1}\sigma_1 = \sigma_1\sigma_2^{-1}\sigma_1$$
(using the commutation $\sigma_3\sigma_1 = \sigma_1\sigma_3$, since $|3-1| \ge 2$, and the cancellation $\sigma_3\sigma_3^{-1} = 1$).
The transitive digital signature system based on braid groups of this preferred embodiment is first described with reference to Fig. 1, which is a block diagram of the system. Referring to Fig. 1, the transitive digital signature system based on braid groups according to the preferred embodiment comprises a key generation module 101, a signature braid generation module 102, a signature composition module 103 and a signature verification module 104.
The key generation module 101 selects system parameters according to the required security level and generates a signing private key and the corresponding verification public key from the selected parameters. Fig. 2 is a block diagram of the key generation module 101 according to the present invention. Referring to Fig. 2, the key generation module 101 comprises a system parameter selection unit 201, a braid selection unit 203, a braid acquisition unit 205 and a key generation unit 207.
The system parameter selection unit 201 selects suitable system parameters according to the required security level. These parameters mainly comprise the braid index n of the braid group, the length scale of the working braids, the message space, the signature space and the hash function needed for signing.
Specifically, the system parameter selection unit 201 first selects the braid index n, which is the system security parameter, according to the required security level, so as to construct the braid group $B_n$ with braid index n. In this transitive signature system, for convenience and to simplify computation, all working braids are taken from $B_n$, and the (natural) length of a working braid, i.e. the number of generators it contains, is specified to be of scale $O(n^2)$. Those skilled in the art will appreciate that the length scale of the working braids can be chosen differently.
According to a preferred embodiment of the present invention, it is suggested to choose n of at least 16; the security level of the invention is then at least $2^{120}$, and the length of the working braids should be chosen around $16^2 = 256$. For convenience of the examples below, we take n = 5 and working braids of length at most 10.
Next, the system parameter selection unit 201 constructs the message space and the signature space from the specified braid index n and the length scale of the working braids. In detail: each message to be signed corresponds to an undirected edge, and the two vertices of that edge are numbered, for example with natural numbers. A message therefore corresponds one-to-one with the 2-tuple formed by the numbers of the two vertices of its edge. The message space can then be regarded as the set of possible undirected edges, represented by 2-tuples; with m vertices, the message space contains m(m-1)/2 undirected edges.
The signature on each edge is a braid, so the signature space can be regarded as the braid group $B_n$ itself. A hash function $H: \mathbb{N} \to B_n$ is then chosen as a one-way hash function that maps a vertex number to a random braid, where $\mathbb{N}$ denotes the set of natural numbers. Note that numbering the vertices of the edges in the message space with natural numbers is only an example of how the hash function is chosen; the hash function is not limited to this form, and the set $\mathbb{N}$ may be replaced by any other set used to number the vertices of the edges in the message space.
Next, the braid selection unit 203 selects two braids at random from the braid group $B_n$ determined by the system parameter selection unit 201, denoted the first braid W and the second braid P respectively.
The braid acquisition unit 205 then uses the first braid W selected by the braid selection unit 203 as the conjugator and obtains a third braid Q, conjugate to the second braid P, which can be computed as $Q = W^{-1} P W$.
The key generation unit 207 then takes the first braid W selected by the braid selection unit 203 as the private key, giving the signing private key $sk = W$, and takes the second braid P selected by the braid selection unit 203 together with the third braid Q obtained by the braid acquisition unit 205 as the corresponding verification public key $pk = (P, Q)$.
For example, with n = 5, suppose the randomly selected first braid is $W = \sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$ and the second braid is $P = \sigma_3^{-1}\sigma_2\sigma_1\sigma_2\sigma_1$. The third braid is then
$$Q = W^{-1} P W = (\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1)^{-1}\,\sigma_3^{-1}\sigma_2\sigma_1\sigma_2\sigma_1\,(\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1)$$
$$= \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1^{-1}\,\sigma_3^{-1}\sigma_2\sigma_1\sigma_2\sigma_1\,\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$$
$$= \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_3^{-1}\sigma_1^{-1}\sigma_2\sigma_1\sigma_2\sigma_1^{2}\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$$
Returning to Fig. 1, the signature braid generation module 102 of the transitive digital signature system based on braid groups according to the preferred embodiment computes, from the conjugation operation and the signing private key $sk = W$ generated by the key generation module 101, a signature braid for the message (i.e. the edge) to be signed. The signature braid generation module 102 then combines the message with the signature braid obtained for it into the complete signature of that message.
Fig. 3 is a block diagram of the detailed structure of the signature braid generation module 102. Referring to Fig. 3, the signature braid generation module 102 comprises a message braid pair generation unit 301, an intermediate braid generation unit 303 and a signature braid generation unit 305.
The message braid pair generation unit 301 applies the hash operation to the message to be signed, i.e. to the two vertices of the edge, to obtain the message braid pair. For example, according to a preferred embodiment, if the two vertices of the edge (i, j) corresponding to the message to be signed are i and j, hashing gives the message braid pair $(b_i = H(i),\ b_j = H(j))$.
The intermediate braid generation unit 303 then multiplies the first braid of the message braid pair produced by the message braid pair generation unit 301 by the inverse of the second braid, obtaining the intermediate braid. Specifically, in this embodiment, the first braid $b_i$ of the pair is multiplied by the inverse braid $b_j^{-1}$ of the second braid $b_j$, giving the intermediate braid $b_i b_j^{-1}$.
The signature braid generation unit 305 uses the first braid selected by the braid selection unit 203 as the conjugator and obtains the signature braid, which is conjugate to the intermediate braid produced by the intermediate braid generation unit 303. Specifically, according to a preferred embodiment, the first braid W selected by the braid selection unit 203 (i.e. the signing private key) is used as the conjugator to obtain the signature braid conjugate to the intermediate braid $b_i b_j^{-1}$, namely $R_{ij} = W^{-1} b_i b_j^{-1} W$. The complete signature is then obtained by combining the message to be signed with this signature braid. In the preferred embodiment the message is represented as the edge (i, j) and the signature braid is $R_{ij} = W^{-1} b_i b_j^{-1} W$, so the complete signature of the message is $(i, j, R_{ij})$.
For example, suppose the edge to be signed is (1, 2), and suppose $b_1 = \sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1$ and $b_2 = \sigma_3\sigma_4\sigma_3^{-1}\sigma_2^{-1}\sigma_3$. The intermediate braid is then
$$b_1 b_2^{-1} = \sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\,(\sigma_3\sigma_4\sigma_3^{-1}\sigma_2^{-1}\sigma_3)^{-1} = \sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\sigma_3^{-1}\sigma_2\sigma_3\sigma_4^{-1}\sigma_3^{-1},$$
and the signature braid is
$$R_{12} = (\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1)^{-1}\,\sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\sigma_3^{-1}\sigma_2\sigma_3\sigma_4^{-1}\sigma_3^{-1}\,(\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1)$$
$$= \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1^{-1}\,\sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\sigma_3^{-1}\sigma_2\sigma_3\sigma_4^{-1}\sigma_3^{-1}\,\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$$
Returning to Fig. 1, the signature composition module 103 synthesizes the signature of a new message from the signatures, produced by the signature braid generation module 102, of two messages that share a vertex. Fig. 4 is a block diagram of the structure of the signature composition module 103 according to the present invention. Referring to Fig. 4, the signature composition module 103 comprises a signature verification unit 401 and a signature composition unit 403.
The signature verification unit 401 calls the signature verification module 104, described in detail below, to judge whether the two signatures to be composed are both valid. If either of the two signatures to be composed is invalid, composition is refused and an invalid flag is output.
If both signatures to be composed are valid, the signature composition unit 403 is invoked. The signature composition unit 403 multiplies the two signatures to be composed and outputs the resulting composed signature braid. Specifically, according to a preferred embodiment, let the two messages sharing a vertex be the edges (i, j) and (j, k) with shared vertex j, let their signatures be $(i, j, R_{ij})$ and $(j, k, R_{jk})$, and let the public key be $(P, Q)$. The composed third message is the edge (i, k), and its signature is $(i, k, R_{ik})$ with $R_{ik} = R_{ij} R_{jk}$, i.e. the product of the two signature braids.
In the present invention the public key is not used during composition. This does not contradict the definition of transitive signatures, which requires that every entity in possession of the public key be able to compose signatures: a public key is public information available to everyone, so whether it is actually used is immaterial. In the present invention, anyone who has obtained the signatures of two messages sharing a vertex can compose a new signature, which fully meets the functional definition of a transitive signature.
For example, suppose the two edges sharing a vertex are (1, 2) and (2, 3), i.e. they share vertex 2, and suppose their respective signature braids are
$$R_{12} = \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1^{-1}\,\sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\sigma_3^{-1}\sigma_2\sigma_3\sigma_4^{-1}\sigma_3^{-1}\,\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$$
$$R_{23} = \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1^{-1}\,\sigma_3\sigma_4\sigma_3^{-1}\sigma_2^{-1}\sigma_3\sigma_2\sigma_3\sigma_2^{-1}\,\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1.$$
The composed signature braid is then
$$R_{13} = R_{12} R_{23} = \sigma_1^{-1}\sigma_2^{-1}\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1^{-1}\,\sigma_4\sigma_3\sigma_4^{-1}\sigma_3^{-1}\sigma_2\sigma_1\sigma_2\sigma_3\sigma_2^{-1}\,\sigma_1\sigma_2^{-1}\sigma_3\sigma_4\sigma_3^{-1}\sigma_2\sigma_1$$
(the factor $W W^{-1}$ between the two signature braids and the factor $b_2^{-1} b_2$ inside cancel, leaving $R_{13} = W^{-1} b_1 b_3^{-1} W$, exactly the signature braid that would be produced directly for the edge (1, 3)).
Returning to Fig. 1, the signature verification module 104 judges, from the message (i.e. the edge), the signature braid and the public key, whether the signature braid is a valid signature of that message (edge).
Fig. 5 illustrates the structure of the signature verification module 104. Referring to Fig. 5, the verification module comprises a message braid pair generation unit 501, an intermediate braid generation unit 503 (made up of a first intermediate braid generation subunit 505, a second intermediate braid generation subunit 507 and a third intermediate braid generation subunit 509) and a signature verification unit 511.
In the verification module of the present invention, the message braid pair generation unit 501 applies the hash operation to the message whose signature is to be verified (i.e. the two vertices of the edge) input to the module, to obtain the message braid pair. Specifically, according to a preferred embodiment, the message braid pair generation unit 501 takes the signature $(i, j, R_{ij})$ and the public key $(P, Q)$ as input and first computes the two braids $b_i = H(i)$ and $b_j = H(j)$.
The intermediate braid generation unit 503 then generates, from the braid pair computed by the message braid pair generation unit 501, the intermediate braids needed for signature verification. In the embodiment, the intermediate braid generation unit 503 computes from $b_i = H(i)$ and $b_j = H(j)$ the three intermediate braids $C_1 = b_i b_j^{-1}$, $C_2 = Q R_{ij}$ and $C_3 = P C_1$.
The intermediate braid generation unit 503 can be divided into the following three subunits: the first intermediate braid generation subunit 505, the second intermediate braid generation subunit 507 and the third intermediate braid generation subunit 509.
The first intermediate braid generation subunit 505 multiplies the first braid of the message braid pair generated by the message braid pair generation unit 501 by the inverse of the second braid, obtaining the first intermediate braid. In the preferred embodiment, the first intermediate braid generation subunit 505 computes $C_1 = b_i b_j^{-1}$ as the first intermediate braid.
The second intermediate braid generation subunit 507 multiplies the third braid Q, obtained by the braid acquisition unit 205 of the key generation module 101, by the signature braid input to the module, obtaining the second intermediate braid. In the preferred embodiment, the second intermediate braid generation subunit 507 computes $C_2 = Q R_{ij}$ from the third braid Q and the input signature braid $R_{ij}$ as the second intermediate braid.
The third intermediate braid generation subunit 509 multiplies the second braid P, selected by the braid selection unit 203 of the key generation module 101, by the first intermediate braid, obtaining the third intermediate braid. In the preferred embodiment, the third intermediate braid generation subunit 509 computes $C_3 = P C_1$ from the second braid P and the first intermediate braid $C_1$ as the third intermediate braid.
The signature verification unit 511 then judges whether the signature braid input to the module is conjugate to the first intermediate braid, and whether the second intermediate braid is conjugate to the third intermediate braid. If both conjugacy relations hold, the signature is valid and 1 is output; otherwise the signature is invalid and 0 is output. In the embodiment, the signature verification unit 511 judges whether the signature braid $R_{ij}$ is conjugate to the first intermediate braid $C_1$ and whether the second intermediate braid $C_2$ is conjugate to the third intermediate braid $C_3$, written $R_{ij} \sim C_1$ and $C_2 \sim C_3$. If the conjugacy relations $R_{ij} \sim C_1$ and $C_2 \sim C_3$ both hold, the signature verification unit 511 judges the signature correct and outputs 1; otherwise it judges the signature wrong and outputs 0.
For example, the procedure for verifying the signature $(1, 2, R_{12})$ is as follows.
First compute the hash braids of the two vertices 1 and 2; as above, assume
$$b_1 = \sigma_4 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1, \qquad b_2 = \sigma_3 \sigma_4 \sigma_3^{-1} \sigma_2^{-1} \sigma_3 .$$
Then compute the three intermediate braids:
$$C_1 = b_1 b_2^{-1} = \sigma_4 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1 \sigma_3^{-1} \sigma_2 \sigma_3 \sigma_4^{-1} \sigma_3^{-1}$$
$$\begin{aligned} C_2 = Q R_{12} &= \left( \sigma_1^{-1} \sigma_2^{-1} \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_3^{-1} \sigma_1^{-1} \sigma_2 \sigma_1 \sigma_2 \sigma_1^{2} \sigma_2^{-1} \sigma_3 \sigma_4 \sigma_3^{-1} \sigma_2 \sigma_1 \right) \\ &\quad \cdot \left( \sigma_1^{-1} \sigma_2^{-1} \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1^{-1} \sigma_4 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1 \sigma_3^{-1} \sigma_2 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_1 \sigma_2^{-1} \sigma_3 \sigma_4 \sigma_3^{-1} \sigma_2 \sigma_1 \right) \\ &= \sigma_1^{-1} \sigma_2^{-1} \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_3^{-1} \sigma_1^{-1} \sigma_2 \sigma_1 \sigma_2 \sigma_1^{2} \sigma_4 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1 \sigma_3^{-1} \sigma_2 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_1 \sigma_2^{-1} \sigma_3 \sigma_4 \sigma_3^{-1} \sigma_2 \sigma_1 \end{aligned}$$
$$C_3 = P C_1 = \sigma_1^{-1} \sigma_2 \sigma_1 \sigma_2 \sigma_1^{2} \sigma_4 \sigma_3 \sigma_4^{-1} \sigma_3^{-1} \sigma_2 \sigma_1 \sigma_3^{-1} \sigma_2 \sigma_3 \sigma_4^{-1} \sigma_3^{-1}$$
According to a preferred embodiment of the present invention, a transitive digital signature method based on the braid group is provided. Fig. 6 shows the flow chart of the transitive digital signature method based on the braid group according to the present invention.
In step 101 shown in Fig. 6, the system parameters of the transitive digital signature system are selected. Specifically, first $n$ is selected as the system security parameter and used to construct the braid group $B_n$; all working braids are taken from $B_n$, and the (natural) length of a working braid, i.e. the number of generators it contains, is specified to be of scale $O(n^2)$. Second, each message to be signed corresponds to an undirected edge, and the edge is represented by a two-tuple formed from the numbers (taken as natural numbers, for example) of its two vertices. The message space can thus be regarded as the set of possible undirected edges, so a message space with $m$ vertices contains $m(m-1)/2$ undirected edges. Since the signature on each edge is a braid, the signature space can also be regarded as $B_n$. Then a hash function $H\colon \mathbb{N} \to B_n$ is selected as a one-way hash function that maps vertex numbers to random braids, where $\mathbb{N}$ denotes the set of natural numbers.
Then, in step 102, the user's signature private key and the corresponding signature verification public key are generated according to the selected system parameters. The detailed procedure is as follows:
With the system security parameter $n$ as input, two braids of natural length scale $O(n^2)$ are selected at random from the braid group $B_n$ and denoted the first braid $W$ and the second braid $P$. Using the first braid $W$ as the conjugator, the second braid $P$ is conjugated by it to obtain the third braid $Q$, which can be computed as $Q = W^{-1} P W$. The signature private key $sk = W$ and the corresponding signature verification public key $pk = (P, Q)$ are then obtained.
Next, in step 103, the signature braid of the message (i.e. the edge) to be signed is computed according to the conjugation operation and the private key, and the message to be signed is combined with the signature braid obtained into a complete signature. Specifically, step 103 comprises the following sub-steps:
1) A hash operation is performed on the two vertices of the message to be signed to obtain the message braid pair. In a preferred embodiment of the present invention, the message to be signed is the edge $(i, j)$ with vertices $i$ and $j$, and the message braid pair obtained by the hash operation is $(b_i = H(i),\ b_j = H(j))$;
2) The first braid of the message braid pair is multiplied by the inverse of the second braid of the pair, obtaining the intermediate braid. In a preferred embodiment of the present invention, the intermediate braid is computed as $b_i b_j^{-1}$;
3) The selected first braid $W$ (i.e. the signature private key) is used as the conjugator, and the intermediate braid is conjugated by it to obtain the signature braid. In a preferred embodiment of the present invention, the intermediate braid is $b_i b_j^{-1}$, so the signature braid is $R_{ij} = W^{-1} b_i b_j^{-1} W$; and
4) The message and the signature braid are combined to obtain the complete signature $(i, j, R_{ij})$. In a preferred embodiment of the present invention, the message $(i, j)$ and the signature braid $R_{ij}$ are combined to obtain the complete signature $(i, j, R_{ij})$.
Next, in step 104, the signature of a third message is synthesized from the signatures and the public key of two messages that share a vertex. In a preferred embodiment of the present invention, the two messages sharing a vertex are represented as the edges $(i, j)$ and $(j, k)$, which share vertex $j$; their signatures are $(i, j, R_{ij})$ and $(j, k, R_{jk})$, and the public key is $(P, Q)$. The synthesized signature of the third message $(i, k)$ is then $(i, k, R_{ik})$, where $R_{ik} = R_{ij} R_{jk}$, i.e. the two corresponding signature braids are multiplied.
Next, in step 105, another user who obtains a signature as above (whether originally generated or synthesized) can verify it by the following method:
1) Take the signature $(i, j, R_{ij})$ and the public key $(P, Q)$ as input, and first compute the two braids $b_i = H(i)$ and $b_j = H(j)$;
2) Then compute the three intermediate braids $C_1 = b_i b_j^{-1}$, $C_2 = Q R_{ij}$ and $C_3 = P C_1$;
3) Judge whether the signature braid $R_{ij}$ is conjugate to the intermediate braid $C_1$ and whether the intermediate braid $C_2$ is conjugate to the intermediate braid $C_3$, written $R_{ij} \sim C_1$ and $C_2 \sim C_3$; and
4) If the conjugacy relations $R_{ij} \sim C_1$ and $C_2 \sim C_3$ both hold, the signature is correct and 1 is output; otherwise the signature is incorrect and 0 is output.
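The key generation, signing, composition and verification steps 102 to 105 above, and the intermediate braids $C_1$, $C_2$, $C_3$ computed by the signature verification module (units 501 to 511), as an added worked example in Python that is not part of the patent or of any implementation by its applicant. It assumes a small braid index $n = 5$, represents braids through the Burau representation specialised at $t = -1$ (so that equal braids give equal integer matrices, which is all the identities checked here need), and stands in for the hash $H$ with a SHA-256-seeded random word. The verifier's two conjugacy tests are checked by exhibiting the conjugator $W$; a real verifier does not hold $W$ and must run a conjugacy decision procedure instead, so `verify_with_witness` only demonstrates why the relations hold (because $Q R_{ij} = W^{-1} P C_1 W$), not how the scheme's verifier decides them.

```python
"""Toy model of the braid-group transitive signature scheme (added example)."""
import hashlib
import random

N = 5             # braid index n (assumed for the demo): generators sigma_1 .. sigma_4
WORD_LEN = N * N  # natural length of working braids, O(n^2) as the description requires


def identity():
    return [[1 if r == c else 0 for c in range(N)] for r in range(N)]


def matmul(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(N)) for c in range(N)]
            for r in range(N)]


def generator(i, inverse=False):
    """Burau matrix at t = -1 of sigma_i (or sigma_i^{-1}), 1 <= i <= N-1.
    The 2x2 block [[2, -1], [1, 0]] has determinant 1 and satisfies the braid
    relations, so the map from braid words to matrices is a group homomorphism."""
    block = [[0, 1], [-1, 2]] if inverse else [[2, -1], [1, 0]]
    m = identity()
    for r in range(2):
        for c in range(2):
            m[i - 1 + r][i - 1 + c] = block[r][c]
    return m


class Braid:
    """A braid word (+i = sigma_i, -i = sigma_i^{-1}) together with its matrix image."""

    def __init__(self, word, mat=None):
        self.word = list(word)
        if mat is None:
            mat = identity()
            for g in self.word:
                mat = matmul(mat, generator(abs(g), g < 0))
        self.mat = mat

    def __mul__(self, other):
        return Braid(self.word + other.word, matmul(self.mat, other.mat))

    def inv(self):
        return Braid([-g for g in reversed(self.word)])

    def __eq__(self, other):
        return self.mat == other.mat


def random_braid(rng):
    """A random word of WORD_LEN generators, each sigma_i or its inverse."""
    return Braid([rng.choice((1, -1)) * rng.randrange(1, N) for _ in range(WORD_LEN)])


def H(vertex):
    """Constructed stand-in for the hash N -> B_n: a braid word seeded from SHA-256."""
    seed = int.from_bytes(hashlib.sha256(str(vertex).encode()).digest(), "big")
    return random_braid(random.Random(seed))


def keygen(rng):
    """Step 102: sk = W, pk = (P, Q) with Q = W^{-1} P W."""
    W, P = random_braid(rng), random_braid(rng)
    return W, (P, W.inv() * P * W)


def sign(sk, i, j):
    """Step 103: R_ij = W^{-1} b_i b_j^{-1} W for the edge (i, j)."""
    return (i, j, sk.inv() * (H(i) * H(j).inv()) * sk)


def compose(sig_ij, sig_jk):
    """Step 104: (i, j, R_ij) and (j, k, R_jk) give (i, k, R_ij R_jk)."""
    i, j, R_ij = sig_ij
    j2, k, R_jk = sig_jk
    if j != j2:
        raise ValueError("signatures must share the middle vertex")
    return (i, k, R_ij * R_jk)


def verification_braids(sig, pk):
    """Step 105, sub-steps 1-2: C_1 = b_i b_j^{-1}, C_2 = Q R_ij, C_3 = P C_1."""
    i, j, R = sig
    P, Q = pk
    C1 = H(i) * H(j).inv()
    return C1, Q * R, P * C1


def verify_with_witness(sig, pk, W):
    """Step 105, sub-steps 3-4, with R ~ C_1 and C_2 ~ C_3 checked by exhibiting
    the conjugator W (correctness argument only; the real verifier has no W)."""
    R = sig[2]
    C1, C2, C3 = verification_braids(sig, pk)
    return R == W.inv() * C1 * W and C2 == W.inv() * C3 * W


def demo(seed=2007):
    """Run the whole flow with a fixed seed and return the checks as booleans."""
    rng = random.Random(seed)
    W, pk = keygen(rng)
    s12, s23 = sign(W, 1, 2), sign(W, 2, 3)
    s13 = compose(s12, s23)
    tampered = (1, 2, s12[2] * Braid([1]))  # a stray sigma_1 appended to R_12
    return {
        "composed_matches_fresh": s13[2] == sign(W, 1, 3)[2],
        "original_verifies": verify_with_witness(s12, pk, W),
        "composed_verifies": verify_with_witness(s13, pk, W),
        "tampered_verifies": verify_with_witness(tampered, pk, W),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`compose` never touches the private key, which is the transitivity property the scheme relies on: $R_{ij} R_{jk} = W^{-1} b_i b_j^{-1} W W^{-1} b_j b_k^{-1} W = W^{-1} b_i b_k^{-1} W$, so the composed braid is literally the signature a signer would have produced for $(i, k)$. The matrix representation is not faithful in general (distinct braids can share a matrix), so it is suitable for checking identities that hold in the group, not as a substitute for a braid normal form when deciding that two braids differ.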
Therefore, by replacing the signature in an ordinary transitive signature scheme with a signature based on the braid group, the present invention makes the signature scheme according to the present invention resistant to known quantum analysis, and thus more secure.
All or part of the modules in the above embodiments can be implemented in hardware, or by corresponding computer program instructions controlling the relevant hardware. The computer program instructions can be stored on any data storage device readable by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage devices and carrier waves (such as data transmission over the Internet). The computer-readable recording medium can also be distributed over networked computer systems, so that the computer-readable code is stored and executed in a distributed manner.
Although the present invention has been described above with reference to illustrative embodiments, those skilled in the art will understand that various modifications in form and detail can be made without departing from the spirit and scope of the present invention as defined by the appended claims. The preferred embodiments should be regarded as illustrative only and not restrictive. Therefore, the detailed description does not limit the scope of the present invention; the scope of the present invention is defined by the following claims, and any technical feature falling within that scope is understood to be included in the present invention.

Claims (17)

1. A transitive digital signature system based on the braid group, comprising:
a key generation module, for selecting system parameters according to the system security requirement, determining the braid group from the system parameters, and generating the signature private key and the corresponding signature verification public key from the selected system parameters and the braid group, wherein the system parameters comprise the braid index n of the braid group, the length scale of the working braids, the message space formed by the two-tuples of the messages to be signed, and the hash function used to select, in the braid group, the signature braid of a message in the message space;
a signature braid generation module, for applying the hash function to a message to be signed, expressed as a two-tuple in the message space, so as to select the corresponding signature braid in the braid group according to the conjugation operation and the private key generated by the key generation module, and for combining the message to be signed with its signature braid into the complete signature of the message; and
a signature synthesis module, for synthesizing the signature braid of a third message from the signatures and the public key of at least two messages generated by the signature braid generation module.
2. The transitive digital signature system based on the braid group as claimed in claim 1, further comprising a signature verification module, for judging from a received message, its signature and the public key whether the signature is a valid signature of the message.
3. The transitive digital signature system based on the braid group as claimed in claim 2, wherein the key generation module comprises:
a system parameter selection unit, for selecting suitable system parameters according to the system security requirement;
a braid selection unit, for selecting a first braid and a second braid at random from the braid group determined by the system parameters selected by the system parameter selection unit;
a braid acquisition unit, for using the first braid selected by the braid selection unit as the conjugator and conjugating the second braid by it to obtain a third braid; and
a key generation unit, for using the second braid selected by the braid selection unit and the third braid obtained by the braid acquisition unit as the public key, and the first braid selected by the braid selection unit as the private key.
4. The transitive digital signature system based on the braid group as claimed in claim 3, wherein the signature braid generation module comprises:
a message braid pair generation unit, for computing a fourth braid and a fifth braid from the two-tuple of the message to be signed by means of the hash function;
an intermediate braid generation unit, for multiplying the fourth braid generated by the message braid pair generation unit by the inverse of the fifth braid, obtaining the intermediate braid; and
a signature braid generation unit, for using the first braid selected by the braid selection unit as the conjugator and conjugating the intermediate braid generated by the intermediate braid generation unit by it to obtain the signature braid.
5. The transitive digital signature system based on the braid group as claimed in claim 2, wherein the signature synthesis module comprises:
a signature verification unit, for calling the signature verification module to judge whether the at least two signatures to be synthesized are valid and, if any one of the at least two signatures to be synthesized is invalid, refusing the synthesis and outputting an invalid flag; and
a signature synthesis unit, for multiplying the at least two valid signatures to be synthesized, obtaining and outputting the synthesized signature braid.
6. The transitive digital signature system based on the braid group as claimed in claim 3, wherein the signature verification module comprises:
a message braid pair generation unit, for computing a fourth braid and a fifth braid from the two-tuple of the message to be signed by means of the hash function;
an intermediate braid generation unit, for generating the intermediate braids needed for signature verification, the intermediate braid generation unit comprising
a first intermediate braid generation sub-unit, for multiplying the fourth braid generated by the message braid pair generation unit of this module by the inverse of the fifth braid, obtaining a first intermediate braid,
a second intermediate braid generation sub-unit, for multiplying the third braid obtained by the braid acquisition unit of the key generation module by the signature braid to be verified, obtaining a second intermediate braid, and
a third intermediate braid generation sub-unit, for multiplying the second braid selected by the braid selection unit of the key generation module by the first intermediate braid, obtaining a third intermediate braid; and
a signature verification unit, for judging whether the signature braid to be verified is conjugate to the first intermediate braid and whether the second intermediate braid is conjugate to the third intermediate braid, judging the signature valid if both conjugacy relations hold and invalid otherwise.
7. The transitive digital signature system based on the braid group as claimed in any one of claims 1 to 6, wherein the length scale of the working braids is defined as $O(n^2)$.
8. The transitive digital signature system based on the braid group as claimed in any one of claims 1 to 6, wherein the hash function is a one-way hash function mapping the message space to the signature space.
9. A transitive digital signature method based on the braid group, comprising the steps of:
1) selecting system parameters according to the system security requirement, determining the braid group from the system parameters, and generating the signature private key and the corresponding signature verification public key from the selected system parameters and the braid group, wherein the system parameters comprise the braid index n of the braid group, the length scale of the working braids, the message space formed by the two-tuples of the messages to be signed, and the hash function used to select, in the braid group, the signature braid of a message in the message space;
2) applying the hash function to a message to be signed, expressed as a two-tuple in the message space, so as to select the corresponding signature braid in the braid group according to the conjugation operation and the generated private key, and combining the message to be signed with its signature braid into the complete signature of the message; and
3) synthesizing the signature braid of a third message from at least two messages, their generated signatures and the public key.
10. The transitive digital signature method based on the braid group as claimed in claim 9, further comprising step 4): verifying the validity of the signature from the signature and the public key of the message to be signed.
11. The transitive digital signature method based on the braid group as claimed in claim 10, wherein step 1) comprises:
selecting a first braid and a second braid at random from the braid group determined by the system parameters, using the first braid as the conjugator and conjugating the second braid by it to obtain a third braid; and
using the second braid and the third braid as the public key, and the first braid as the private key.
12. The transitive digital signature method based on the braid group as claimed in claim 11, wherein step 2) comprises:
computing a fourth braid and a fifth braid from the two-tuple of the message to be signed by means of the hash function;
multiplying the fourth braid by the inverse of the fifth braid, obtaining the intermediate braid;
performing a product operation on the second braid and the intermediate braid to obtain the signature braid; and
using the combination of the message to be signed and the signature braid as the complete signature of the message to be signed.
13. The transitive digital signature method based on the braid group as claimed in claim 10, wherein step 3) comprises:
judging, from the at least two messages, their corresponding signatures and the public key, whether each corresponding signature is a valid signature of its message; and
synthesizing the signature braid of the third message when the signatures of the at least two messages are valid.
14. The digital signature method based on the braid group as claimed in claim 11, wherein step 4) comprises:
computing a fourth braid and a fifth braid from the two-tuple of the message to be signed by means of the hash function;
multiplying the fourth braid by the inverse of the fifth braid, obtaining a first intermediate braid;
multiplying the third braid by the signature braid to be verified, obtaining a second intermediate braid;
multiplying the second braid by the first intermediate braid, obtaining a third intermediate braid;
judging whether the signature braid to be verified is conjugate to the first intermediate braid, and whether the second intermediate braid is conjugate to the third intermediate braid; and
judging the signature valid if the signature braid to be verified is conjugate to the first intermediate braid and the second intermediate braid is conjugate to the third intermediate braid.
15. The transitive digital signature method based on the braid group as claimed in any one of claims 9 to 14, wherein the length scale of the working braids is defined as $O(n^2)$.
16. The transitive digital signature method based on the braid group as claimed in any one of claims 9 to 14, wherein the hash function is a one-way hash function mapping the message space to the signature space.
17. A computer product on which a program implementing a transitive digital signature method based on the braid group is embodied, the method comprising the steps of:
selecting system parameters according to the system security requirement, determining the braid group from the system parameters, and generating the signature private key and the corresponding signature verification public key from the selected system parameters and the braid group, wherein the system parameters comprise the braid index n of the braid group, the length scale of the working braids, the message space formed by the two-tuples of the messages to be signed, and the hash function used to select, in the braid group, the signature braid of a message in the message space;
applying the hash function to a message to be signed, expressed as a two-tuple in the message space, so as to select the corresponding signature braid in the braid group according to the conjugation operation and the generated private key, and combining the message to be signed with its signature braid into the complete signature of the message; and
synthesizing the signature braid of a third message from at least two messages, their generated signatures and the public key.
CNA2007101532053A 2007-09-29 2007-09-29 Method and system for transmitting digital signature based on braid group Pending CN101399668A (en)


Publications (1)

Publication Number Publication Date
CN101399668A true CN101399668A (en) 2009-04-01


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259661A (en) * 2013-04-25 2013-08-21 河海大学 Method for transmitting signatures in directed mode based on discrete logarithms
CN103259661B (en) * 2013-04-25 2016-04-27 河海大学 Based on the Directed transitive signatures method of discrete logarithm
CN106982113A (en) * 2017-05-02 2017-07-25 北京邮电大学 The full homomorphism data processing method of public key and device based on non-simpticity
CN106982113B (en) * 2017-05-02 2018-06-29 北京邮电大学 The full homomorphism data processing method of public key and device based on non-simpticity
CN111400773A (en) * 2020-03-12 2020-07-10 深圳大学 Digital signature method, digital signature device, system and storage medium
CN111400773B (en) * 2020-03-12 2022-09-09 深圳大学 Digital signature method, digital signature device, system and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090401