CN107947944B - Incremental signature method based on lattice - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—… including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—… involving digital signatures
- H04L9/3255—… involving digital signatures using group based signatures, e.g. ring or threshold signatures
Abstract
The invention discloses a lattice-based incremental signature method comprising the following steps: a system establishment step; a first, ordinary signature step; an incremental signature step executed repeatedly; and a verification step. The method can be applied to many scenarios in which the messages to be signed differ only slightly from one another; in that case it can quickly sign a new message from the existing signature, reducing the signing overhead of the system. Because the invention is built on lattice-based cryptography, the incremental signature method resists attacks by quantum computers and offers stronger security.
Description
Technical Field
The invention relates to an information security technology, in particular to a lattice-based incremental signature method.
Background
An incremental signature is a special kind of signature scheme consisting of a system establishment algorithm Setup, a signature algorithm Sign, an incremental signature algorithm IncSign and a verification algorithm Ver.
In particular, incremental signing allows fast signing of two similar messages on the basis of a common signature algorithm, i.e. if a signature of one message is already obtained, the incremental signature algorithm can fast sign a new message which is slightly modified compared with the original message, thereby reducing the time overhead of signing.
Such signatures can be applied to many scenarios, for example signing video files. Since consecutive frames of a video file usually differ very little, signing each frame separately is time-consuming, and incremental signing addresses this problem well.
In particular, in the present-day environment of big data, the data volume is huge, the relation between a large amount of data is close, the difference is usually small, and the advantage of the incremental signature is more obvious in the situation.
Currently, only a few incremental signature schemes exist, and they rely solely on traditional hardness assumptions such as the discrete logarithm assumption. Since these assumptions are insecure in the quantum era, designing quantum-resistant incremental signature algorithms is crucial to securing incremental signature applications in the big data era.
Before presenting the summary of the invention, some technical background and lattice code knowledge to which the invention relates are introduced:
The term "incremental" as used herein means that the new message differs only slightly from the original message. Without loss of generality, assuming that messages consist of k basic message blocks, a new message can be defined to differ from the original message in exactly one block, with the remaining blocks unchanged. It is easy to see that incremental signatures are essentially recursive: once the signature of a first message is obtained, the signature of a second message can be obtained with the incremental signature method; the signature of a third message is then obtained by treating the second message as the original and the third as the new message, and so on, iterating until the signature of the last message is obtained.
The invention uses two basic lattice algorithms: TrapGen and SamplePre. Their construction and analysis are described in "C. Gentry, C. Peikert and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC 2008, pp. 197-206". In that paper the authors also present the ISIS (Inhomogeneous Small Integer Solution) problem.
Briefly, the ISIS problem is: given a security parameter n, a prime q ≥ 3, an integer d > 2n log q, a bound α, a matrix $A \in \mathbb{Z}_q^{n \times d}$ and a vector $y \in \mathbb{Z}_q^{n}$, output $x \in \mathbb{Z}^{d}$ such that $Ax = y \pmod q$ and $\|x\| \le \alpha$. The authors showed that ISIS is a hard lattice problem; in particular, the case y = 0 is known as the SIS (Small Integer Solution) problem, which is likewise a hard lattice problem.
Disclosure of Invention
The invention aims to provide an incremental signature method capable of resisting quantum computer attacks, and the security of a rapid signature algorithm in a big data era is ensured.
To this end, the invention provides a lattice-based incremental signature method comprising the following steps. System establishment step: input a security parameter n, generate the user's public/private key pair (pk, sk) with the lattice algorithm TrapGen(q, d), and publish the system public parameter pp. First (ordinary) signature step: input pp, the user private key sk and a message M, compute the message function U, output a vector σ using the lattice algorithm SamplePre(A, T, s, U), and output (U, σ) as the user's ordinary signature on M. Incremental signature step, executed repeatedly: input pp, sk, the original message M with its signature σ, and a new message M′; compute the new message function U′, output a vector σ′ using SamplePre(A, T, s, U′), and output (U′, σ′) as the user's incremental signature on the new message. Verification step: input pp, the user public key pk, a message M and a signature σ; the verifier checks the validity of the signature.
Compared with the prior art, the invention has the advantages that:
1. the invention adopts the lattice cryptographic technology to design the incremental signature, and because the quantum computer can not effectively attack the lattice cryptographic technology, the signature method can resist the attack of quantum computation.
2. The method does not need complex exponential operation, has high operation efficiency, can adapt to the typical requirements of a big data era, and has better application value.
In addition to the objects, features and advantages described above, other objects, features and advantages of the present invention are also provided. The present invention will be described in further detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow chart of a lattice-based incremental signature method according to the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
The invention provides a lattice-based incremental signature method. The method applies to many scenarios in which the messages to be signed differ only slightly; in that case it can quickly sign the new message from the existing signature, reducing the signing overhead of the system. Because the invention is built on lattice-based cryptography, the incremental signature method resists attacks by quantum computers and offers stronger security.
As shown in fig. 1, the incremental signature method based on lattice according to the present invention includes the following steps:
(1) System set-up algorithm (Setup). Input the security parameter n; the system generates the user's public/private key pair (pk, sk) and publishes the system public parameter pp.
(2) Signature algorithm (Sign). Input the system public parameter pp, the user private key sk and a message M; the user outputs an ordinary signature on the message.
(3) Incremental signature algorithm (IncSign). Input pp, the user private key sk, an original message M with its signature σ, and a new message M′; the user outputs an incremental signature on the new message.
(4) Verification algorithm (Ver). Input pp, the user public key pk, a message M and a signature σ; the verifier checks the validity of the signature and outputs 1 if it is valid, 0 otherwise.
Wherein, the specific implementation process of the step (1) is as follows:
1.1 Input the security parameter n and select k matrices $A_i \in \mathbb{Z}_q^{n \times m}$, $1 \le i \le k$, where q ≥ 3 is prime and the integer m > 2n log q. In addition, select an integer d > 5n log q and run the algorithm TrapGen(q, d) to output a matrix $A \in \mathbb{Z}_q^{n \times d}$ and a matrix $T \in \mathbb{Z}^{d \times d}$, where A serves as the user public key and T as the user private key.
1.2 Finally, output the system public parameter pp = (A, A_1, …, A_k).
Wherein, the specific implementation process of the step (2) is as follows:
2.1 Input the system public parameter pp = (A, A_1, …, A_k), the user private key $T \in \mathbb{Z}^{d \times d}$ and a message $M \in \{0,1\}^{m \times k}$. First compute the message function $U = \sum_{i=1}^{k} A_i M_i \pmod q$, where M_i denotes the i-th column of M. Then run the algorithm SamplePre(A, T, s, U) to output a vector σ such that $A\sigma = U \pmod q$ and σ is short, its norm being bounded in terms of the parameter s.
2.2 By the properties of TrapGen and SamplePre, σ satisfies the above requirements with overwhelming probability. The user then outputs (U, σ) as the signature on the message M.
Wherein, the specific implementation process of the step (3) is as follows:
3.1 Suppose the message the user has already signed is M, with signature (U, σ), and that the new message the user now wishes to sign is M′, which differs little from M. Without loss of generality, assume M′ differs from M only in the j-th column, i.e. $M' = [M'_1, …, M'_k] = [M_1, …, M_{j-1}, M'_j, M_{j+1}, …, M_k]$. The user first computes the new message function $U' = U + A_j (M'_j - M_j) \pmod q$.
3.2 The user then runs the algorithm SamplePre(A, T, s, U′) to output a vector σ′ such that $A\sigma' = U' \pmod q$ and σ′ is short, its norm being bounded in terms of s.
3.3 By the properties of TrapGen and SamplePre, σ′ satisfies the above requirements with overwhelming probability. The user then outputs (U′, σ′) as the incremental signature on M′.
Wherein, the specific implementation process of the step (4) is as follows:
4.1 Input the system public parameter pp = (A, A_1, …, A_k), a message $M \in \{0,1\}^{m \times k}$ and a signature (U, σ). The verifier first computes $H = \sum_{i=1}^{k} A_i M_i \pmod q$ and compares H with U. If they differ, the signature is invalid; otherwise proceed to the next step.
4.2 The verifier checks whether $A\sigma = U \pmod q$ holds and whether σ satisfies the norm bound. If both hold, the signature is valid; otherwise it is invalid.
Protocol analysis
1. Correctness
The correctness of the scheme needs to be discussed in two cases:
Case 1: the signature (U, σ) is the first signature on the message $M \in \{0,1\}^{m \times k}$, i.e. an ordinary signature. From the generation process, $U = \sum_{i=1}^{k} A_i M_i \pmod q$, so the verifier's first check passes; at the same time, by the properties of TrapGen and SamplePre, σ satisfies $A\sigma = U \pmod q$ and the norm bound with overwhelming probability. The signature is therefore correct.
Case 2: the signature (U, σ) is an incremental signature on $M \in \{0,1\}^{m \times k}$. Suppose the original message is $M' = [M'_1, …, M'_k] = [M_1, …, M_{j-1}, M'_j, M_{j+1}, …, M_k]$ with signature (U′, σ′), where $U' = \sum_{i=1}^{k} A_i M'_i \pmod q$ and σ′ satisfies $A\sigma' = U' \pmod q$ and the norm bound. Since $U = U' + A_j(M_j - M'_j) = \sum_{i \ne j} A_i M_i + A_j M'_j + A_j(M_j - M'_j) = \sum_{i=1}^{k} A_i M_i \pmod q$, the first step of the verification algorithm holds. Likewise, by the properties of TrapGen and SamplePre, σ satisfies $A\sigma = U \pmod q$ and the norm bound with overwhelming probability, so the incremental signature is also correct.
2. Security
The security of the scheme is discussed in two cases:
Case 1: the adversary directly forges a signature (U, σ) on a message $M \in \{0,1\}^{m \times k}$, where $U = \sum_{i=1}^{k} A_i M_i \pmod q$ and σ satisfies $A\sigma = U \pmod q$ and the norm bound. This means the adversary can solve the ISIS instance (A, U), which is hard in practice, so such an attack is infeasible.
Case 2: the adversary knows the signature (U′, σ′) on a message $M' = [M'_1, …, M'_k] = [M_1, …, M_{j-1}, M'_j, M_{j+1}, …, M_k]$, where $U' = \sum_{i=1}^{k} A_i M'_i \pmod q$ and σ′ satisfies $A\sigma' = U' \pmod q$ and the norm bound. The adversary now wants to pass (U′, σ′) off as a signature on a message $M \in \{0,1\}^{m \times k}$, which requires $U' = \sum_{i=1}^{k} A_i M_i \pmod q$. In that case $\sum_{i=1}^{k} A_i M'_i = \sum_{i=1}^{k} A_i M_i \pmod q$, so $A_j(M_j - M'_j) = 0 \pmod q$. Note that $M_j - M'_j \ne 0$ and is small, which means the adversary has solved the SIS problem for A_j. Since SIS is hard, this attack is also infeasible.
3. Efficiency analysis
The signature scheme has two parts: an ordinary signature and an incremental signature. In practice the ordinary signature is executed only once, after which the incremental part runs in a loop. The first part is as efficient as an ordinary signature, but in the second part the message function for a new message only requires computing $U' = U + A_j(M'_j - M_j) \pmod q$, a single matrix-vector product on one block, instead of the full sum $\sum_{i=1}^{k} A_i M'_i \pmod q$. The incremental signature method of the invention is therefore faster than the ordinary signature method and better suited to applications with small differences between adjacent messages, such as authenticating video data streams.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (5)
1. A lattice-based incremental signature method is characterized by comprising the following steps:
the system establishment step: inputting a security parameter n, generating the user's public/private key pair (pk, sk) with the lattice algorithm TrapGen(q, d), and publishing the system public parameter pp, where q ≥ 3 is prime and the integer d > 5n log q;
the first (ordinary) signature step: inputting the system public parameter pp, the user private key sk and a message M, computing a message function U, outputting a vector σ with the lattice algorithm SamplePre(A, T, s, U), and outputting (U, σ) as the user's ordinary signature on the message, where the matrix $A \in \mathbb{Z}_q^{n \times d}$, the matrix $T \in \mathbb{Z}^{d \times d}$, s is the parameter of SamplePre, the message function is $U = \sum_{i=1}^{k} A_i M_i \pmod q$ with M_i denoting the i-th column of M, and k matrices $A_i \in \mathbb{Z}_q^{n \times m}$ are selected, where 1 ≤ i ≤ k and the integer m ≥ 2n log q;
the incremental signature step, executed repeatedly: inputting pp, the user private key sk, an original message M with its signature σ, and a new message M′, computing a new message function U′, outputting a vector σ′ with the lattice algorithm SamplePre(A, T, s, U′), and outputting (U′, σ′) as the user's incremental signature on the new message; and
the verification step: inputting pp, the user public key pk, a message M and a signature σ, the verifier checking the validity of the signature.
2. The lattice-based incremental signature method of claim 1, wherein said system establishing step comprises the sub-steps of:
(1) inputting a security parameter n and selecting k matrices $A_i \in \mathbb{Z}_q^{n \times m}$ with 1 ≤ i ≤ k, where q ≥ 3 is prime, the integer m > 2n log q and the integer d > 5n log q, and using the lattice algorithm TrapGen(q, d) to output a matrix $A \in \mathbb{Z}_q^{n \times d}$ and a matrix $T \in \mathbb{Z}^{d \times d}$, where A serves as the user public key pk and T as the user private key sk; and
(2) outputting the system public parameter pp = (A, A_1, …, A_k).
3. The lattice-based incremental signing method of claim 2, wherein said signing step comprises the sub-steps of:
(1) inputting the system public parameter pp = (A, A_1, …, A_k), the user private key $T \in \mathbb{Z}^{d \times d}$ and a message $M \in \{0,1\}^{m \times k}$; first computing $U = \sum_{i=1}^{k} A_i M_i \pmod q$, where M_i denotes the i-th column of M, then running the lattice algorithm SamplePre(A, T, s, U) to output a vector σ such that $A\sigma = U \pmod q$ and σ is short, its norm being bounded in terms of the parameter s; and
(2) the user outputs (U, σ) as a signature of the message M.
4. A lattice-based incremental signing method according to claim 3, characterized in that said incremental signing step comprises the sub-steps of:
(1) the user first computes $U' = U + A_j(M'_j - M_j) \pmod q$, where M′ is the new message the user wishes to sign, M′ differs little from M, and M′ and M differ only in the j-th column;
(2) the user runs the lattice algorithm SamplePre(A, T, s, U′) to output a vector σ′ such that $A\sigma' = U' \pmod q$ and σ′ is short, its norm being bounded in terms of the parameter s; and
(3) the user outputs (U′, σ′) as the incremental signature on the message M′.
5. The lattice-based incremental signature method as recited in claim 4, wherein said verification step comprises the sub-steps of:
(1) inputting the system public parameter pp = (A, A_1, …, A_k), a message $M \in \{0,1\}^{m \times k}$ and a signature (U, σ); the verifier first computes $H = \sum_{i=1}^{k} A_i M_i \pmod q$ and compares H with U; if they differ, the signature is invalid, otherwise the next step is carried out; and
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711293616.2A (CN107947944B) | 2017-12-08 | 2017-12-08 | Incremental signature method based on lattice |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN107947944A | 2018-04-20 |
| CN107947944B | 2020-10-30 |