CN103220146B - Zero Knowledge digital signature method based on multivariate public key cryptosystem - Google Patents

Abstract

Zero Knowledge digital signature method based on multivariate public key cryptosystem, including generating systematic parameter step, signature generation step and signature verification step.User is by disclosing its PKI based on multivariate public key cryptography, and maintain secrecy corresponding private key.Signer can utilize the private key of oneself, signs any message.This digital signature can be utilized the PKI of signer to verify by any verifier.If signature verification is passed through, then illustrate that the signature of this message is real.

Description

Zero Knowledge digital signature method based on multivariate public key cryptosystem

Technical field

The invention belongs to field of information security technology, relate to a kind of Zero Knowledge based on multivariate public key cryptosystem numeral Endorsement method.

Background technology

Digital signature in information security, particularly the aspect such as data validity, integrity and non-repudiation have important should With.

Digital signature can be with traditional the same effect playing law certification of handwritten signature.By contrast, handwritten signature Significant limitation is shown in the information age based on computer and the Internet.Because handwritten signature is at computer network In network, easily copy forgery.And digital signature comprises the information of the secret keys that signer is used, it is not known that appointing of this private key Who forges digital signature is all hardly possible.Therefore, digital signature is more suitable for the application requirement of New Times.People can To carry out telefile signature by network, improve work efficiency.

Many digital signature methods are based on classical cryptosystem, such as the Digital Signature Algorithms etc. such as RSA and DSA, big portion Point it is all based on the conventional public-key cipher system of big integer factorization and discrete logarithm problem.

But, the appearance of quantum computer causes threat to conventional public-key cipher system, for safety and high efficiency Urgent needs, multivariate public key cryptosystem (MPKCs) rapidly becomes a kind of novel quick public-key cryptosystem.It is base A NP-difficulty Solve problems of quadratic polynomials in several elements equation group on finite field, quantum computer is asked in process NP difficulty Any advantage is not shown in topic,

MPKCs is likely to become the cipher system of safety of rear quantum epoch with its high computational efficiency.MPKCs can be divided into two Electrode systems and hybrid system.Two electrode systems mainly have MI, HFE, OV, TTM and l-IC system etc..Quantum epoch safety after research Zero Knowledge digital signature method has important theoretical and practical significance.

Summary of the invention

It is an object of the invention to provide a kind of Zero Knowledge digital signature method based on multivariate public key cryptosystem, solve The problem that prior art is the safest under quantum calculation.

The object of the present invention is achieved like this, Zero Knowledge digital signature method based on multivariate public key cryptosystem, Comprise the following steps:

Step 1. generates systematic parameter；Systematic parameter is (k, q, l, m, n, H), wherein q, and l is security parameter, k=GF (q^l) Being a finite field, m is the number of multivariable equation, and n is the number of variable.H:{0,1}^*→kⁿIt is a cryptography safety Unidirectional crash-resistant hash function；

Key generates: the private key SK={L that signer is corresponding₁,F,L₂, wherein F is reversible centralizing mapping, L₁And L₂Respectively It is k^mAnd kⁿOn reversible affine transformation；The PKI PK of signerIt is m and there is n variable Multinomial component, here symbol.Representative function is combined；

Step 2. signature generates；Signer is to message M ∈ { 0,1}^*Signing, step is as follows:

(1) u is randomly choosed_i∈k^m, wherein i=1 ..., t；

(2) calculate

C=H (M | | PK | | u₁||...||u_t)∈kⁿ；

(3) calculate

(4) output message M ∈ { 0,1}^*Zero Knowledge signature sigma=(c, s₁,...,s_t)；

Step 3. signature verification:

To the signature sigma of message M=(c, s₁,...,s_t), any verifier checking utilizes the PKI of signerChecking equation

$c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$

Whether set up.If set up, then accept this signature；Otherwise refuse this signature.

The invention has the beneficial effects as follows

1, the present invention can solve existing Zero Knowledge digital signature method under quantum calculation by the safest defect, Not only there is safety but also there is the advantage that computational efficiency is high.

2, the present invention propose Zero Knowledge digital signature method based on multivariate public key cryptosystem, meet completeness, Unforgeable and zero-knowledge proof, may still safety in the rear quantum cryptography epoch.

Detailed description of the invention

Below in conjunction with detailed description of the invention, the present invention is further detailed explanation.

Zero Knowledge digital signature method based on multivariate public key cryptosystem, implements according to following steps:

Step 1. generates systematic parameter

Systematic parameter is (k, q, l, m, n, H).Wherein q, l are security parameters, k=GF (q^l) it is a finite field, m is many The number of variable equation, n is the number of variable.H:{0,1}^*→kⁿIt it is the unidirectional crash-resistant Hash letter of a cryptography safety Number；

Key generates: the private key SK={L that signer is corresponding₁,F,L₂, wherein F is reversible centralizing mapping, L₁And L₂Respectively It is k^mAnd kⁿOn reversible affine transformation.The PKI of signerIt is m the multinomial with n variable Component.Here symbol.Representative function is combined.

Step 2. signature generates

Signer is to message M ∈ { 0,1}^*Signing, step is as follows:

(1) u is randomly choosed_i∈k^m, wherein i=1 ..., t；

(2) calculate

C=H (M | | PK | | u₁||...||u_t)∈kⁿ；

(3) calculate

(4) output message M ∈ { 0,1}^*Zero Knowledge signature sigma=(c, s₁,...,s_t)。

Step 3. signature verification

To the signature sigma of message M=(c, s₁,...,s_t), any verifier checking utilizes the PKI of signerChecking equation $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ Whether set up, if Set up, then accept this signature；Otherwise refuse this signature.

Safety analysis about present invention Zero Knowledge based on multivariate public key cryptosystem digital signature method:

1. correctness

If each step that have followed signature process that signer is honest, then the signature of message M

σ=(c, s₁,...,s_t) meet:

$H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$

$=H\left(M\right|\left|\mathrm{PK}\right|\left|u_1\right||...|\left|u_t\right)$

$=c$

Verifier always accepts signature, because the method has completeness.

2. unforgeable

Assuming that signer is a tricker, i.e. he does not knows private key SK={L₁,F,L₂, message M is forged in attempt Effective signature.One of successful approach of signature forgery person is that he randomly chooses u_i∈k^m, wherein i=1 ..., t；Then calculate

C=H (M | | PK | | u₁||...||u_t)∈kⁿIt follows that on the premise of not having private key, adulterator needs by side JourneyCalculate s_i, i=1 ..., t, adulterator knows u_iAnd c, solve the equation, at secondary multivariate equation Solve be a difficult problem hypothesis under, be difficult.Academic circles at present generally acknowledges that solving of secondary multivariate equation is one Individual difficult problem.So the successful probability of this forgery is the least.

The two of the successful approach of signature forgery person are to solve for meeting verification expression $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ One group of solution σ=(c, s₁,...,s_t), at hash function H:{0,1}^*→kⁿIt it is the unidirectional crash-resistant of a cryptography safety It is difficult under assuming.

Embodiment 1. interactive zero knowledge based on multivariate oil-vinegar public-key cryptosystem proof of identification method.

Step 1. generates systematic parameter:

(1) arranging k=GF (q) is the finite field being characterized as p=2, wherein q=2⁸。

(2) making o=30, v=64, m=o=30 are the number of equation in multiple variant equation, and n=o+v=97 is variable Number.

(3) secure hash function, H:{0,1} are selected^*→k⁹⁷, specifically can take secure hash function is sha-512 | | Front 776 bits of the 896 bit outputs of sha-384, then according to 776=8*97 is converted into finite field k=GF (2⁸On) 97 variablees.

Key generates: it is from k that certifier randomly chooses F⁹⁷To k³⁰Reversible Oil-Vinegar polynomial map, Oil- Vinegar multinomial is that any one has the multinomial that total degree is 2 of following form

$f=\underset{i=1}{\overset{o}{\mathrm{\Σ}}}\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{a}_{\mathrm{ij}}{x}_i{\hat{x}}_j+\underset{i=1}{\overset{v}{\mathrm{\Σ}}}\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{b}_{\mathrm{ij}}{\hat{x}}_i{\hat{x}}_j+\underset{i=1}{\overset{o}{\mathrm{\Σ}}}{c}_i{x}_i+\underset{j=1}{\overset{v}{\mathrm{\Σ}}}{d}_j{\hat{x}}_j+e$

Wherein a_ij,b_ij,c_i,d_j,e∈k.Here o=30, v=64.

Make F:kⁿ→k^oBeing a polynomial map, form is as follows:

$F(x_1,\·\·\·,x_o,{\hat{x}}_1,\·\·\·,{\hat{x}}_v)=(f_1,\·\·\·f_o)$

WhereinIt it is Oil-Vinegar multinomial.Here n=o+v=97.

Certifier randomly chooses L₂It is from kⁿTo kⁿA reversible affine transformation

$L_2({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)=M_2{({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)}^T+a_2$

Wherein M₂It is the invertible matrix of a n × n on finite field k, a₂The column vector of n × 1 on finite field k.

Certifier announces its PKIThen

$\stackrel{\‾}{F}({\hat{x}}_1,\·\·\·,{\hat{x}}_v,x_1,\·\·\·,x_o)=({\stackrel{\‾}{f}}_1,\·\·\·,{\stackrel{\‾}{f}}_0)$

Each of which In multivariable polynomial.

Certifier maintains secrecy its private key SK={F, L₂}。

Note: in multivariate oil-vinegar public-key cryptosystem, can not select k^mOn reversible affine transformation L₁。

Step 2. signature generates:

Signer is to message M ∈ { 0,1}^*Signing, step is as follows:

(1) u is randomly choosed_i∈k^m, wherein i=1 ..., t；Here t=8 can be taken.

(2) then calculate

C=H (M | | PK | | u₁||...||u_t)∈kⁿ；

(3) calculate

Note: invert F here^-1When, first appoint and take one groupThen (x is solved₁,…,x_o).

(4) output message M ∈ { 0,1}^*Zero Knowledge signature sigma=(c, s₁,...,s_t)。

Step 3. signature verification:

To the signature sigma of message M=(c, s₁,...,s_t), any verifier checking utilizes the PKI of signerChecking equation $c=H\left(M\right|\left|\mathrm{PK}\right||\stackrel{\‾}{F}\left(s_1\right)+\stackrel{\‾}{F}\left(c\right)||...||\stackrel{\‾}{F}\left(s_t\right)+\stackrel{\‾}{F}\left(c\right))$ Whether set up.If become Vertical, then accept this signature；Otherwise refuse this signature.

In endorsement method of the present invention, user is by disclosing its PKI based on multivariate public key cryptography, and maintain secrecy corresponding private Key.Signer can utilize the private key of oneself, signs any message.This signature can utilize the PKI of signer with authenticatee Verify.If signature verification is passed through, then illustrate that the signature of this message is real.

Compared with the digital signature method based on traditional cipher system, it is high that the present invention has computational efficiency, at quantum meter Calculate the advantage of lower safety.

Claims (1)

1. Zero Knowledge digital signature method based on multivariate public key cryptosystem, it is characterised in that include generating systematic parameter Step, signature generation step and signature verification step, specifically comprise the following steps that

Step 1. generates systematic parameter:

Selecting systematic parameter is (k, q, l, m, n, t, H), wherein q, and l is security parameter, and k is a finite field, is designated as k=GF (q^l), element number therein is q^l, GF is the english abbreviation of finite field here, and m is the number of multivariable equation, and n is variable Number, H:{0,1}^*→kⁿIt is the unidirectional crash-resistant hash function of a cryptography safety, k hereⁿRepresent the n on finite field k Gt；

Key generates: the private key SK={L that signer is corresponding₁,F,L₂, wherein F is reversible centralizing mapping, L₁And L₂It is vector respectively Space k^mAnd kⁿOn reversible affine transformation, the PKI PK of signer is the multinomial component that m has n variable,Here symbolRepresentative function is combined；

Step 2. signature generates:

Signer is to message M ∈ { 0,1}^*Signing, step is as follows:

(1) u is randomly choosed_i∈k^m, wherein u_iFor random vector, i=1 ..., t；

(2) calculate

C=H (M | | PK | | u₁||...||u_t)∈kⁿ；

(3) calculate

Wherein, c is step (2) H (M | | PK | | u₁||...||u_t)∈kⁿResult of calculation；

(4) output message M ∈ { 0,1}^*Zero Knowledge signature sigma=(c, s₁,...,s_t)；

Step 3. signature verification:

To the signature sigma of message M=(c, s₁,...,s_t), any verifier checking utilizes the PKI of signerChecking equation

$c=H\left(M\right|\left|PK\right|\left|\stackrel{\‾}{F}\right(s_1)+\stackrel{\‾}{F}(c\left)\right||...|\left|\stackrel{\‾}{F}\right(s_t)+\stackrel{\‾}{F}(c\left)\right)$

Whether set up, if set up, then accept this signature, otherwise refuse this signature, wherein, c is (M | | PK | | the u of H in step (2)₁ ||...||u_t)∈kⁿResult of calculation.