CN101707523A - Forward-secure digital signature method and system capable of balancing cost - Google Patents

Abstract

The invention belongs to the technical field of information security, and relates to a problem of signing digital information, in particular to a digital signature method and a digital signature system which can reduce the influence on the leakage of a signing key and are more applicable. Compared with a common digital signature, the signature method has a key updating algorithm, and realizes forward security of the signing key, namely, even if a rival obtains the signing key in a current time range, the rival cannot forge a legal signature belonging to the previous time range through the key so as to protect the validity of the previous signatures and reduce the loss caused by the leakage of the key. Besides, according to a specific application condition and on the basis of equivalent security, the scheme can allow a project planner to select proper key storage cost and computation cost according to hardware conditions and make full use of the storage capacity and computation ability of hardware so as to enable the key storage cost and the computation cost to achieve perfect balance.

Description

But a kind of forward-secure digital signature method of balancing cost and system

Technical field

The invention belongs to field of information security technology, relate to digital information is carried out the signature problem, relate to a kind of signature key that can alleviate or rather and reveal influence and can allow the designer between storage cost and calculation cost, to obtain the digital signature method and the system of perfect balance according to application demand.

Background technology

The notion of forward secrecy signature was introduced by Anderson in 1997, and purpose is in order to have solved a significant deficiency of common digital signature, in case promptly privacy key is lost (or being stolen), the institute that is generated by this key bore the signature and all becomes invalid in the past.In order to reduce such loss, Anderson proposes the term of validity of key is divided into the period, last in each period, signer obtains a new next period privacy key with a unidirectional pattern from the privacy key of current period, and the privacy key that do not re-use of safety deletion.And PKI remains unchanged in the whole key term of validity, and this method has guaranteed to take place the period validity that is born the signature in the past that key is revealed.

These years recently, the digital signature scheme that possesses forward secrecy obtains research and development.Bellare and Mine be the expansion by common signature scheme fail safe is defined in document " A Forward-Secure Digital Signature Scheme ", provided the formal definition of forward secrecy, proposed two schemes simultaneously: one is the scheme of using the certificate chain structure of tree on common signature basis; Another is to revise the direct structure of common signature scheme to form, and we claim that this scheme is a BM forward-secure digital signature scheme.Subsequently, Abdalla and Reyzin have proposed another one forward-secure digital signature scheme at document " A New Forward-Secure Digital SignatureScheme ", this scheme is with respect to the BM scheme, key length significantly shortens, but amount of calculation increases relatively when compute signature, and we are referred to as AR forward-secure digital signature scheme to this scheme.

In application, select to adopt any digital signature scheme, except will considering its fail safe, the various performance parameters of scheme also is important selection foundation, and along with the environment of applications difference, the emphasis of the performance parameter of being considered is also different.For example, magnetic card, the IC-card application system as key storage media is adopted in design, and the designer need consider whether the storage cost of scheme is enough low, uses in the environment of this limited storage space with convenient; And need operate in the system of handheld mobile devices such as PDA, and then to consider factors such as the computing capability of device chip and power consumption, need consider the calculation cost of scheme.The all very little scheme of calculation cost and storage cost of designing is the target of all researchers, however the two more often can not get both, often a side good behaviour is a cost to sacrifice the opposing party.And system designer need be according to reality, and suitable scheme is selected in balance.

And just present famous forward-secure digital signature, because the designer has different emphasis, to such an extent as to having a long way to go of calculation cost between the different schemes and storage cost, the storage cost of BM scheme and AR scheme very representative .BM scheme in performance performance is that doubly (l is a security parameter for the l of AR scheme approximately, be typically chosen in 160), and being 130 times of BM scheme approximately, the calculation cost of AR scheme signature algorithm and verification algorithm (makes security parameter l=160, hop count T=365 when total). this situation will inevitably make the system engineering designer face the choice of difficulty when selecting to use which kind of algorithm, because if pay the utmost attention to calculation cost, then need to bear huge key storage cost, vice versa. and whether can be on the basis of BM scheme, select to sacrifice certain calculation cost and bring smaller key storage cost? equally, thereby can on the basis of AR scheme, suitably increase certain storage cost and bring higher computational efficiency? we have designed a kind of forward-secure digital signature scheme for this reason, this scheme can be according to concrete applicable cases, on equal fail safe basis, (promptly do not change the value of security parameter k and l), allow the project planner to select suitable key storage cost and calculation cost according to hardware condition, make full use of the storage capacity and the computing capability of hardware, make key storage cost and calculation cost reach perfect balance.

At present, the research of forward-secure digital signature scheme all is based on the defined forward-secure digital signature model of Bellare.This model has at first defined key evolution digital signature scheme model, on this model based, has defined this notion of forward security.In the key evolution digital signature scheme, generate agreement, signature agreement and the signature verification algorithm except the digital signature of standard comprises key, also comprise a key updating protocol, this agreement is used for illustrating key is how to evolve on a time period.

Definition 1:(key evolution digital signature scheme)

Key evolution digital signature scheme KE-SIG=(Sgn Vf) comprises four algorithms for KG, Upd:

(1) key schedule (KG) is a probabilistic algorithm.Algorithm input comprises a security parameter k, hop count T during scheme operation total, and other parameters that may use.Algorithm is output as basic PKI PK and corresponding basic private key SK.

(2) private key update algorithm (Upd) is generally deterministic algorithm.Algorithm is input as the signature key SK of last period _J-1, be output as current period signature key SK _j

(3) signature algorithm (Sgn) is generally probabilistic algorithm.Algorithm is input as current period signature key SK _j, treat signature information M, be output as the signature of j period message M.The combination of a segment value j and mark ξ when this signature general type is this is so this algorithm can be expressed as＜j ξ〉← _RSgn _SKj(M).

(4) verification algorithm (Vf) is a deterministic algorithm.Algorithm is input as PKI PK, message M and signature＜j to be verified, ξ 〉.Algorithm output has only one, and ξ is admitted＜j in 1 representative〉for the message M that produces in the j period effectively signs, 0 representative is denied.This algorithm can be expressed as b ← Vf _PK＜j, ξ 〉.

If a key evolution digital signature scheme has the forward security that defines below, we are called the forward-secure digital signature scheme.Here, we provide the informal definition of forward security:

Definition 2:(forward security)

If one has adaptability and selects the opponent of message attack ability at first key evolution digital signature scheme to be carried out adaptability selection message attack, until j period (j selects arbitrarily for the opponent), then, the opponent can obtain the signature key SKj of j period, if the opponent still can not existence forges one and belongs to period i (effective signature of i＜j) then claims this scheme to have forward security.

In our conceptual design, the number theory knowledge below having used:

If k and l are two security parameters, p ₁=p ₂≡ 3 (mod4) is two big prime numbers.N=p ₁p ₂It is the integer (being that N is a Blum integer) of a k position.In order to simplify calculating, we can reasonably suppose N＞2k-1, and | Z _N ^*|=N-p ₁-p ₂+ 1 〉=2 ^K-1Note Q is the quadratic residue set of mould N.By the theorem in the number theory as can be known | Q| 〉=2 ^K-3, and for arbitrary element x among the set Q, have and only have one in four square roots of x and belong to Q, therefore, square on Q a displacement.From now on, when we said the square root of x, we were meant that square root that belongs to Q.

Make U ∈ Q, definition: F ₀(Z)=Z ²Mod N, F ₁=UZ ²Mod N.For l position binary string σ=b ₁B _l, definition F _σ: Q → Q is:

(note: the U here ^σBe not σ the power of the U on the ordinary meaning, σ here is a binary string, but not represents an integer) because square be displacement on Q, and U ∈ Q, so F _σAlso a displacement on Q.

Under the prerequisite of knowing U and N, F _σ(Z) can calculate fast, simultaneously, if know p ₁And p ₂,, can calculate fast then for given Y

(by calculating

Can get.These calculating can be calculated modp earlier respectively ₁And modp ₂The result, merge with Chinese remainder theorem then.Yet), if do not know the square root of U, F so _σ ^-1Be difficult to calculate.Below we provide the proof that its converse proposition is set up:

Lemma: isometric string σ and τ that given Y ∈ Q is different with two,

Can calculate V ∈ Q and V ²≡ U mod N

Proof: if | σ |=| τ |=1, (without detriment to prevailingly) makes σ=0, τ=1, then F ₀(Z ₁)=F ₁(Z ₂)=Y, then Z ₁ ²≡ UZ ₂ ²Mod N is so obtain V=Z ₁/ Z ₂Mod N.In proof by induction, make that σ and τ are the string of two long m+1 positions, σ ' and τ ' they are the preceding m position of its correspondence.If F _{σ '}(Z ₁)=F _{τ '}(Z ₂), then inductive assumption is finished, otherwise σ and τ last should be different, so (being without loss of generality) supposes that last position of σ is 0, last position of τ is 1, F then ₀(F _{σ '}(Z ₁))=F ₁(F _{τ '}(Z ₂)), the same can the card.

Can construct following digital signature scheme according to one-way function above-mentioned.The forward-secure digital signature scheme that this paper proposes is exactly based on this scheme.

Signer generates big modulus N and a random number S ∈ Q, and S needs safekeeping as signature key.Calculate And openly (N is U) as PKI.H () is that an output figure place is the hash function of l.

In the time of will signing to message M, at first generate random number R ∈ Q, calculate

σ=H (Y, M), Z=F _σ ^-1(Y)=RS ^σMod N.(Z is σ) as the signature of message M in output.

During verifier's certifying signature, at first verify Z ≠ 0mod N, then calculate

Check at last σ=H (Y ', M) whether set up, setting up proves that then this signature is the legitimate signature of M.

Summary of the invention

The objective of the invention is to design a kind of digital signature method and signature system, this endorsement method is compared with the ordinary numbers signature, increased a key updating algorithm, guaranteed that this endorsement method has forward security, even the opponent obtains the signature key of current slot, the opponent can not produce a legitimate signature that belongs to previous time period by this key puppet, has protected the validity of the signature of former period, has reduced the loss that key is revealed; This scheme can be selected suitable parameter according to actual demand in addition, adjusts the calculation cost and the storage cost of scheme, makes the perfect hardware environment that adapts to of the performance of signature scheme aspect calculating and storage.

The characteristics of method:

1. has complete forward security.

2. scheme is decomposed difficult problem based on the Blum number, and is safe.

3. hop count T value arbitrarily when total, signature key, authentication secret length and signature length and T are irrelevant.

4. can be according to hardware condition, free adjustment calculation cost and storage cost.

Technical scheme of the present invention is such:

Whole proposal comprises four parts: key schedule, key updating algorithm, signature algorithm, signature verification algorithm.Below but we provide the complete description of the forward-secure digital signature scheme of this balancing cost.

Algorithm?KG(k，k，l’，T)

Select two k/2 bits grow up prime number p and q at random, satisfy p ≡ q ≡ 3 (mod4); According to the value of application demand selection l and l ', wherein, l is a Hash function output binary string length, l ' ∈ [1, l];

N←pq

For do $S_{i,0}\stackrel{R}{\←}{Z}_N^{*};$ $U_i\←1/S_{i,0}^{2^{l^{\′}(T+1)}}\mathrm{mod}N$ End?For

Return(PK，SK ₀)

Algorithm?Upd(SK _j-1)

1≤j≤T+1

Ifj＝T+1then?return?empty?string

Else

For

$S_{i,j}\←S_{i,j-1}^{2^{l^{\′}}}\mathrm{mod}N$

End?For

Return?SK _j

End?IF

Algorithm

$R\stackrel{R}{\←}{Z}_N^{*};$ $Y=R^{2^{l^{\′}(T+1-i)};}$

Return<j，(σ，Z)>

Algorithm?Vf _PK ^H(M，<j，(σ，Z)>)

Ifσ＝H(j，Y’，M)Then?return?1?Else?return?0

Respectively above-mentioned agreement, algorithm are described below:

Algorithm KG () is a key schedule, is carried out by signer.By carrying out this algorithm, signer can obtain to be used for the initial signature key SK to information signature ₀With corresponding authentication secret PK.Wherein, authentication secret PK openly and in the whole signature cycle remains unchanged signature key SK ₀Need the secret preservation of signer.The input of this algorithm comprises k, l, and l ', four parameters of T, wherein k and l are security parameter, and k represents selected big prime number p and q binary system length, and general recommendations is 512bit; L is the binary string length of the Hash function output of algorithm employing, is generally 160bit.T is total time hop count, and for example, the statement signature verification key PK term of validity is 1 year, if plan to upgrade the once signed key in every month, then T is set to 12, if plan is upgraded once every day, then T is set to 365.L ' is a parameter of EQUILIBRIUM CALCULATION FOR PROCESS cost and storage cost, and span is [1, l], when l '=1, this programme is the BM scheme just, and calculation cost is minimum, and storage cost is the highest, when l '=l, this programme has just become the AR scheme, and calculation cost is the highest, and storage cost is minimum.Along with l ' value is ascending, the storage cost of scheme progressively reduces, and calculation cost progressively raises.

Algorithm Upd () is the key updating algorithm, carries out this algorithm by signer at the initial time of each period.The signature key SK that is input as a period of this algorithm _J-1, be output as the signature key SK of this period _jIt is emphasized that when this algorithm is finished and obtain SK _jAfter, thoroughly delete last period key SK _J-1. in addition, here our regulation when whole end cycle, promptly during j-1=T, is carried out this algorithm again, obtains being output as empty string.

Algorithm Sgn () is a signature algorithm, is carried out by signer.Signature information M is treated in being input as of this algorithm, and the signature key Sk of current period of signer _j, be output as a tlv triple head＜j, (σ, Z)〉as the signature of message M in the j period.In the computational process of signature, use earlier the hash value σ of output length, then σ is cut apart successively by l ' length, obtain as Hash function H () the calculating M of l

Individual binary string σ _i, wherein

Length be l ',

Length be l mod l '.In addition

S on the also non-ordinary meaning _{I, j}σ _iInferior power, σ _iRepresent binary string here, but not represent an integer.

F in need introducing according to basis, front number theory knowledge _σ: the definition of Q → Q is calculated.

Algorithm Vf () is the signature verification algorithm, can be carried out by any signature verifier who has signature verification key PK.This algorithm be input as message M with and signature＜j to be verified, (σ, Z) 〉, be output as bit: 0 representative denies＜j, (σ, Z)〉be message M at the signature of j period, 1 representative is sure＜j, (σ, Z)〉be the signature of message M in the j period.Treat in the algorithm value σ in the certifying signature dividing method and

Computational methods be corresponding identical with signature algorithm.

Signature algorithm of this programme and signature verification algorithm can be correct be that a message is signed, and can make right judgement to a legal information signature, below we provide simple proof to this programme correctness:

Proof:

Card is finished

Below we analyze this programme relatively with BM scheme and AR scheme store and calculating aspect performance.When the statistical computation amount, we adopt simple algorithm to consider the amount of calculation of each scheme under the poorest situation, and to analyze the conclusion that obtains in this case be fair and have persuasive.In addition, we regard the operand of multiplying and square operation as approximately equal, because the multiplying amount is no more than twice square computing, Tong Ji result is more directly perceived like this, and our statistics all is that number of times with multiplying is as unit in the following table.(page table 1 as follows)

We are as can be seen from table 1, our scheme is two end points that show as performance with BM scheme and AR scheme, promptly when l '=1, our scheme shows suitable with the BM scheme on key length, signature algorithm and verification algorithm amount of calculation, this moment calculation cost minimum but key storage cost maximum; When l '=l, the performance of our scheme is identical with the AR scheme, this moment the key storage cost minimum of scheme and calculation cost maximum. and work as l ' regional (1, l) get different values in, then can make our scheme have different performance performances, for example, we are provided with following value: l=160 for each security parameter, k=1024, T=365, we are set to 16 to l ', the page table more as follows 2 of the various performance parameters of scheme and BM scheme and AR scheme, from table 2 we as can be seen, with respect to BM scheme huge key storage cost and the huge calculation cost of AR scheme, key storage cost and the calculation cost of our scheme in l '=16 o'clock is all comparatively moderate. the project planner can be as required, select the l ' that is fit to be worth, the key storage cost and the calculation cost of regulation scheme make scheme and hardware environment more identical, make system obtain best performance performance.

Embodiment

Summary of the invention part of the present invention has been made detailed description to implementing, and no longer is repeated in this description at this.But need to prove: at different application demands, different safety grades requirements can be adopted the parameter of different scales: N, l etc.In addition,, need the designer as required, set the l ' value that is fit to, so the present invention can have a variety of concrete execution modes at different applied environments.

Claims (1)

1. digital signature method and signature system, this endorsement method can be selected suitable parameters according to actual application environment, obtains the balance between key storage cost and the calculation cost.In addition, this signature scheme has forward security, and when signature key took place to reveal, the validity of the signature before can having protected had reduced the loss that key is revealed.It is characterized in that security scheme decomposes difficult problem based on the Blum number, whole proposal comprises four parts: key schedule, key updating algorithm, signature algorithm, signature verification algorithm.But be the complete description of the forward-secure digital signature scheme of this balancing cost below:

Algorithm?KG(k，l，l′，T)

Select two k/2 bits grow up prime number p and q at random, satisfy p ≡ q ≡ 3 (mod4); According to the value of application demand selection l and l ', wherein, l is a Hash function output binary string length, l ' ∈ [1, l];

N←pq

For do $S_{i,0}\stackrel{R}{\&LeftArrow;}{Z}_N^{*};$ $U_i\&LeftArrow;1/S_{i,0}^{2^{l^{\&prime;}(T+1)}}\mathrm{mod}N$ End?For

Return(PK，SK ₀)

Algorithm?Upd(SK _j-1)

1≤j≤T+1

If?j＝T+1?then?return?empty?string

Else

For

do $S_{i,j}\&LeftArrow;S_{i,j-1}^{2^{l^{\&prime;}}}\mathrm{mod}N$

End?For

Return?SK _j

End?IF

Algorithm

$R{\stackrel{R}{\&LeftArrow;}Z}_N^{*};$ $Y=R^{2^{l^{\&prime;}(T+1-j)}};$

Return<j，(σ，Z)>

Algorithm?Vf _PK ^H(M，<j，(σ，Z)>)

If?σ＝H(j，Y，M)Then?return?1?Else?return?0

Algorithm KG () is a key schedule, carry out by signer. by carrying out this algorithm, signer can obtain to be used for to the initial signature key SK0 of information signature and corresponding authentication secret PK. wherein, and authentication secret PK is open and remain unchanged in the whole signature cycle, and signature key SK0 needs that signer is secret to be preserved. and the input of this algorithm comprises k, l, l ', four parameters of T, wherein k and l are security parameter, k represents selected big prime number p and q binary system length, and general recommendations is 512bit; L is the binary string length of the Hash function output of algorithm employing, being generally 160bit.T is total time hop count, for example, the statement signature verification key PK term of validity is 1 year, if plan to upgrade in every month the once signed key, then T is set to 12, if plan is upgraded once every day, then T is set to the parameter of 365.l ' for EQUILIBRIUM CALCULATION FOR PROCESS cost and storage cost, span is [1, l], when l '=1, this programme just is the BM scheme, calculation cost is minimum, storage cost is the highest, and when l '=l, this programme has just become the AR scheme, calculation cost is the highest, storage cost is minimum. and along with l ' value is ascending, the storage cost of scheme progressively reduces, and calculation cost progressively raises.

Algorithm Upd () is the key updating algorithm, carries out this algorithm by signer at the initial time of each period.The signature key SK that is input as a period of this algorithm _J-1, be output as the signature key SK of this period _jIt is emphasized that when this algorithm is finished and obtain SK _jAfter, thoroughly delete last period key SK _J-1In addition, here our regulation when whole end cycle, promptly during j-1=T, is carried out this algorithm again, obtains being output as empty string.

Algorithm Sgn () is a signature algorithm, is carried out by signer.Signature information M is treated in being input as of this algorithm, and the signature key Sk of current period of signer _j, be output as a tlv triple head＜j, (σ, Z)〉as the signature of message M in the j period.In the computational process of signature, use earlier the hash value σ of output length, then σ is cut apart successively by l ' length, obtain as Hash function H () the calculating M of l

Individual binary string σ _i, σ wherein ₁, σ ₂,

Length be l ',

Length be l mod l '.In addition S on the also non-ordinary meaning _{I, j}σ _iInferior power, σ _iRepresent binary string here, but not represent an integer.

F in need introducing according to basis, front number theory knowledge _σ: the definition of Q → Q is calculated.

Algorithm Vf () is the signature verification algorithm, can be carried out by any signature verifier who has signature verification key PK.This algorithm be input as message M with and signature＜j to be verified, (σ, Z) 〉, be output as bit: 0 representative denies＜j, (σ, Z)〉be message M at the signature of j period, 1 representative is sure＜j, (σ, Z)〉be the signature of message M in the j period.Treat in the algorithm value σ in the certifying signature dividing method and

Computational methods be corresponding identical with signature algorithm.