CN107947944B - Incremental signature method based on lattice - Google Patents

Incremental signature method based on lattice

Info

Publication number
CN107947944B
Authority
CN
China
Prior art keywords
signature
message
user
lattice
incremental
Legal status
Active
Application number
CN201711293616.2A
Other languages
Chinese (zh)
Other versions
CN107947944A (en)
Inventor
田苗苗
仲红
陈志立
Current Assignee
Anhui University
Original Assignee
Anhui University

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Abstract

The invention discloses a lattice-based incremental signature method, which comprises the following steps: a system establishment step; a first, ordinary signature step; a cyclically executed incremental signature step; and a verification step. The method can be applied to the many scenarios in which the messages to be signed differ only slightly; in that case the method can quickly sign a new message from the existing signature, thereby reducing the signing overhead of the system. Because the invention adopts lattice cryptography, the incremental signature method can resist attacks by a quantum computer and has better security.

Description

Incremental signature method based on lattice
Technical Field
The invention relates to an information security technology, in particular to a lattice-based incremental signature method.
Background
An incremental signature is a special kind of signature scheme, comprising a system establishment algorithm Setup, a signature algorithm Sign, an incremental signature algorithm IncSign and a verification algorithm Ver.
In particular, incremental signing allows fast signing of two similar messages on the basis of an ordinary signature algorithm: if a signature of one message has already been obtained, the incremental signature algorithm can quickly sign a new message that is only slightly modified compared with the original message, thereby reducing the time overhead of signing.
Such signatures can be widely applied to many scenarios, such as signing video files. Because the difference between successive frames of a video file is usually small, signing each frame separately would be time-consuming, and incremental signing solves this problem well.
In particular, in the present-day environment of big data, the data volume is huge, the relation between a large amount of data is close, the difference is usually small, and the advantage of the incremental signature is more obvious in the situation.
Currently, the existing incremental signatures are of a few kinds and rely only on traditional difficult assumptions, such as discrete logarithm assumptions. Since these assumptions are insecure in the quantum era, the design of quantum attack resistant incremental signature algorithms is crucial to ensure the security of large data era incremental signature applications.
Before presenting the summary of the invention, some technical background and lattice code knowledge to which the invention relates are introduced:
The term "incremental" as used herein means that the new message differs from the original message only slightly. Without loss of generality, assuming that messages are composed of k basic message blocks, it can be defined that a new message differs from an original message in only one of the blocks, while the rest of the message blocks are the same. It is easy to see that incremental signatures are essentially a recursive definition: if the signature of a first message is obtained, the signature of a second message can be obtained with the incremental signature method, and then the signature of a third message can be obtained by continuing to use the incremental signature with the second message as the original message and the third message as the new message, iterating until the signature of the last message is obtained.
The invention adopts two basic lattice cryptographic algorithms: TrapGen and SamplePre. The basic implementation of these algorithms and their analysis are described in the literature "C. Gentry, C. Peikert and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC 2008, pp. 197-206". In this paper, the authors also present the ISIS (Inhomogeneous Small Integer Solution) problem.
Briefly, the ISIS problem is: given a security parameter n, a prime q ≥ 3, an integer d > 2n log q, and
Figure GDA0002525482940000021
and a matrix
Figure GDA0002525482940000022
and a vector
Figure GDA0002525482940000023
output x such that Ax = y (mod q) and ‖x‖ ≤ α. The authors have shown that the ISIS problem is a hard problem on lattices; in particular, when y = 0 it is known as the SIS (Small Integer Solution) problem, which is also a hard problem on lattices.
Disclosure of Invention
The invention aims to provide an incremental signature method capable of resisting quantum computer attacks, and the security of a rapid signature algorithm in a big data era is ensured.
Therefore, the invention provides a lattice-based incremental signature method comprising the following steps. The system establishment step: input a security parameter n, generate a public and private key pair (pk, sk) of a user using the lattice cipher algorithm TrapGen(q, d), and publish the system public parameter pp. The first, ordinary signature step: input the system public parameter pp, the user private key sk and a message M, calculate the message function U, output a vector σ using the lattice cipher algorithm SamplePre(A, T, s, U), and let the user output the ordinary signature (U, σ) of the message. The cyclically executed incremental signature step: input the system public parameter pp, the user private key sk, an original message M with its corresponding signature σ, and a new message M'; calculate the new message function U', output a vector σ' using the lattice cipher algorithm SamplePre(A, T, s, U'), and let the user output the incremental signature (U', σ') on the new message. The verification step: input the system public parameter pp, the user public key pk, a message M and a signature σ, and let the verifier check the validity of the signature.
Compared with the prior art, the invention has the advantages that:
1. The invention uses lattice cryptography to design the incremental signature; because a quantum computer cannot effectively attack lattice cryptography, the signature method resists quantum attacks.
2. The method needs no complex exponentiation, has high computational efficiency, can meet the typical requirements of the big data era, and has good application value.
In addition to the objects, features and advantages described above, other objects, features and advantages of the present invention are also provided. The present invention will be described in further detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow chart of a lattice-based incremental signature method according to the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
The invention provides a lattice-based incremental signature method. The method can be applied to the many scenarios in which the messages to be signed differ only slightly; in that case the method can quickly sign the new message from the existing signature, so that the signing overhead of the system is reduced. Because the invention adopts lattice cryptography, the incremental signature method can resist attacks by a quantum computer and has better security.
As shown in fig. 1, the lattice-based incremental signature method according to the present invention includes the following steps:
(1) System set-up algorithm (Setup). The security parameter n is input; the system generates a public and private key pair (pk, sk) of the user and publishes a system public parameter pp.
(2) Signature algorithm (Sign). The system public parameter pp, the user private key sk and a message M are input, and the user outputs an ordinary signature of the message.
(3) Incremental signature algorithm (IncSign). The system public parameter pp, the user private key sk, an original message M with its corresponding signature σ, and a new message M' are input, and the user outputs an incremental signature on the new message.
(4) Verification algorithm (Ver). The system public parameter pp, the user public key pk, a message M and a signature σ are input, and the verifier checks the validity of the signature. If the signature is valid, 1 is output, otherwise 0 is output.
Wherein, the specific implementation process of the step (1) is as follows:
1.1 Input the security parameter n and select k matrices
Figure GDA0002525482940000031
where 1 ≤ i ≤ k, the prime q ≥ 3 and the integer m > 2n log q. In addition, an integer d > 5n log q is selected, and the algorithm TrapGen(q, d) is used to output a matrix
Figure GDA0002525482940000032
and T ∈ Z^{d×d}, where A serves as the user public key and T as the user private key.
1.2 Finally output the system public parameter pp = (A, A_1, …, A_k).
The specific implementation of step (2) is as follows:
2.1 Input the system public parameter pp = (A, A_1, …, A_k), the user private key T ∈ Z^{d×d} and the message M ∈ {0,1}^{m×k}. First, the message function is calculated as
Figure GDA0002525482940000033
where M_i represents the ith column of the message M. The algorithm SamplePre(A, T, s, U) is then run to output a vector σ such that Aσ = U (mod q) and
Figure GDA0002525482940000034
wherein the parameters
Figure GDA0002525482940000035
Figure GDA0002525482940000036
2.2 By the properties of the algorithms TrapGen and SamplePre, the vector σ satisfies the above requirements with overwhelming probability. At this point, the user can output (U, σ) as the signature of the message M.
The specific implementation of step (3) is as follows:
3.1 Assume that the message the user has already signed is M, with corresponding signature (U, σ), and that the new message the user now wishes to sign is M', which differs little from M. Without loss of generality, assume M' differs from M only in the jth column, i.e., M' = [M'_1, …, M'_k] = [M_1, …, M_{j−1}, M'_j, M_{j+1}, …, M_k]. The user first calculates the new message function U' = U + A_j(M'_j − M_j).
3.2 The user then runs the algorithm SamplePre(A, T, s, U') to output a vector σ' such that Aσ' = U' (mod q) and
Figure GDA0002525482940000041
3.3 By the properties of the algorithms TrapGen and SamplePre, the vector σ' satisfies the above requirements with overwhelming probability. At this point, the user can output (U', σ') as the incremental signature of the message M'.
The specific implementation of step (4) is as follows:
4.1 Input the system public parameter pp = (A, A_1, …, A_k), the message M ∈ {0,1}^{m×k} and a signature (U, σ). The verifier first calculates
Figure GDA0002525482940000042
and compares whether H equals U. If not, the signature is invalid; otherwise the next step is performed.
4.2 The verifier checks whether Aσ = U (mod q) and
Figure GDA0002525482940000043
both hold. If so, the signature is valid; otherwise the signature is invalid.
Scheme analysis
1. Correctness
The correctness of the scheme needs to be discussed in two cases.
Case 1: the signature (U, σ) is the first signature of the message M ∈ {0,1}^{m×k}, i.e., an ordinary signature. In this case, it follows from the generation process of the signature that
Figure GDA0002525482940000044
and at the same time, by the properties of the algorithms TrapGen and SamplePre, the vector σ satisfies with overwhelming probability Aσ = U (mod q) and
Figure GDA0002525482940000045
The signature is therefore correct.
Case 2: the signature (U, σ) is an incremental signature of the message M ∈ {0,1}^{m×k}. Suppose the original message is M' = [M'_1, …, M'_k] = [M_1, …, M_{j−1}, M'_j, M_{j+1}, …, M_k] and its corresponding signature is (U', σ'), where
Figure GDA0002525482940000046
and σ' satisfies Aσ' = U' (mod q) and
Figure GDA0002525482940000047
Since
Figure GDA0002525482940000048
the first step of the signature verification algorithm holds. Likewise, by the properties of the algorithms TrapGen and SamplePre, the vector σ satisfies with overwhelming probability Aσ = U (mod q) and
Figure GDA0002525482940000049
so the incremental signature is also correct.
2. Security
The security of the scheme is discussed in two cases.
Case 1: the adversary directly forges a signature (U, σ) of a message M ∈ {0,1}^{m×k}, where
Figure GDA0002525482940000051
and the vector σ satisfies Aσ = U (mod q) and
Figure GDA0002525482940000052
This means the adversary can easily solve the ISIS problem, which is hard in practice, so such an attack is infeasible.
Case 2: the adversary knows the message M' = [M'_1, …, M'_k] = [M_1, …, M_{j−1}, M'_j, M_{j+1}, …, M_k] and its signature (U', σ'), where
Figure GDA0002525482940000053
and the vector σ' satisfies Aσ' = U' (mod q) and
Figure GDA0002525482940000054
Now the adversary wants to forge a signature (U', σ') of the message M ∈ {0,1}^{m×k}, where
Figure GDA0002525482940000055
In this case
Figure GDA0002525482940000056
so A_j(M_j − M'_j) = 0 (mod q). Note that M_j − M'_j ≠ 0 and is small, which means the adversary could solve the SIS problem. By the hardness of the SIS problem, this attack is also infeasible.
3. Efficiency analysis
The signature scheme consists of two parts: the first part is an ordinary signature and the second part is an incremental signature. In practical applications, the ordinary signature part only needs to be executed once, after which the second part can be executed in a loop. The first part of the invention is as efficient as an ordinary signature, but in the second part the message function of a new message only requires the computation U' = U + A_j(M'_j − M_j), which is far less work than directly calculating
Figure GDA0002525482940000057
Therefore, the incremental signature method designed by the invention is faster than the ordinary signature method, and is better suited to application scenarios with small differences between adjacent messages, such as video data stream authentication.
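As an added illustration (not the patent's own code), the following toy Python model carries steps (1) to (4) above through working algebra, together with the point from the analysis that verification step 4.1 is what binds a signature to its message. The page's TrapGen and SamplePre are replaced by a constructed gadget-style trapdoor A = [Ā | G − ĀR] with a deterministic, non-Gaussian preimage; that stand-in, the tiny parameters and the norm bound are assumptions of this example, not the patent's algorithms, and the signer is not secure.

```python
import random

# Toy parameters, constructed for illustration only; far too small to be secure.
N, ELL = 2, 4           # lattice dimension n and log2(q)
Q = 1 << ELL            # q = 16: a power of two so the gadget preimage is plain bit decomposition
MBAR = 4                # width of the uniformly random part of the public key A
M_COLS, K = 3, 3        # a message M is an M_COLS x K bit matrix, M_i its i-th column
D = MBAR + N * ELL      # width d of A; a signature vector sigma has length d
BETA_SQ = MBAR * (N * ELL) ** 2 + N * ELL   # squared l2 bound every honest sigma satisfies

def rand_matrix(rows, cols, lo, hi):
    return [[random.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]

def matvec(A, x, q=None):
    """Integer product A*x, reduced mod q when q is given."""
    out = [sum(a * b for a, b in zip(row, x)) for row in A]
    return [v % q for v in out] if q else out

def trapgen():
    """Stand-in for TrapGen: A = [Abar | G - Abar*R] (mod q) with short trapdoor R.
    G is the gadget matrix whose block i holds 1, 2, ..., 2^(ELL-1) in row i."""
    Abar = rand_matrix(N, MBAR, 0, Q - 1)
    R = rand_matrix(MBAR, N * ELL, -1, 1)
    G = [[(1 << (c % ELL)) if c // ELL == i else 0 for c in range(N * ELL)] for i in range(N)]
    AR = [[sum(Abar[i][t] * R[t][c] for t in range(MBAR)) for c in range(N * ELL)] for i in range(N)]
    A = [Abar[i] + [(G[i][c] - AR[i][c]) % Q for c in range(N * ELL)] for i in range(N)]
    return A, R

def sample_pre(R, u):
    """Stand-in for SamplePre(A, T, s, U): a short sigma with A*sigma = u (mod q).
    z = bits(u) satisfies G*z = u, and A*[R*z ; z] = Abar*R*z + (G - Abar*R)*z = G*z.
    Deterministic (no Gaussian sampling), so it would leak R; algebra only."""
    z = [(u[i] >> j) & 1 for i in range(N) for j in range(ELL)]
    return matvec(R, z) + z

def message_function(As, M):
    """U = sum_i A_i * M_i (mod q); linear in the message columns."""
    U = [0] * N
    for A_i, M_i in zip(As, M):
        U = [(u + v) % Q for u, v in zip(U, matvec(A_i, M_i))]
    return U

def sign(R, As, M):
    U = message_function(As, M)
    return U, sample_pre(R, U)

def inc_sign(R, As, U, M, M_new, j):
    """Incremental signature: U' = U + A_j (M'_j - M_j); only column j is multiplied."""
    delta = [b_new - b_old for b_old, b_new in zip(M[j], M_new[j])]
    U_new = [(u + v) % Q for u, v in zip(U, matvec(As[j], delta))]
    return U_new, sample_pre(R, U_new)

def verify(A, As, M, sig):
    U, sigma = sig
    if message_function(As, M) != U:       # step 4.1: U must equal the message function of M
        return False
    if matvec(A, sigma, Q) != U:           # step 4.2: A*sigma = U (mod q) ...
        return False
    return sum(x * x for x in sigma) <= BETA_SQ   # ... and sigma is short

def demo(seed=1):
    random.seed(seed)
    A, R = trapgen()
    # A_1..A_K and the message are constructed, not random, so the results below are fixed.
    As = [[[(i * 7 + r * 3 + c + 1) % Q for c in range(M_COLS)] for r in range(N)] for i in range(K)]
    M = [[1, 0, 1], [0, 1, 1], [1, 1, 0]]              # M[i] is column M_i
    j = 1
    M_new = [col[:] for col in M]
    M_new[j] = [1 - b for b in M[j]]                   # M' differs from M only in column j
    U, sigma = sign(R, As, M)                          # first: ordinary signature
    U_new, sigma_new = inc_sign(R, As, U, M, M_new, j) # then: incremental signature
    return {
        "orig_ok": verify(A, As, M, (U, sigma)),
        "inc_ok": verify(A, As, M_new, (U_new, sigma_new)),
        "inc_matches_full": U_new == message_function(As, M_new),
        # step 4.1 is what stops the old signature being replayed on the modified message
        "old_sig_rejected_on_new": verify(A, As, M_new, (U, sigma)),
    }

if __name__ == "__main__":
    print(demo())
```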
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (5)

1. A lattice-based incremental signature method is characterized by comprising the following steps:
the system establishment step: inputting a security parameter n, generating a public and private key pair (pk, sk) of a user by using the lattice cipher algorithm TrapGen(q, d), and disclosing a system public parameter pp, wherein the prime q ≥ 3 and the integer d > 5n log q;
the first, ordinary signature step: inputting the system public parameter pp, the user private key sk and a message M, calculating a message function U and outputting a vector σ by using the lattice cipher algorithm SamplePre(A, T, s, U), and the user outputting an ordinary signature (U, σ) of the message, wherein the matrix
Figure FDA0002676063860000011
the matrix T ∈ Z^{d×d}, the parameter
Figure FDA0002676063860000012
the message function
Figure FDA0002676063860000013
wherein M_i represents the ith column of the message M, and k matrices are selected
Figure FDA0002676063860000014
wherein 1 ≤ i ≤ k and the integer m ≥ 2n log q;
the cyclically executed incremental signature step: inputting the system public parameter pp, the user private key sk, an original message M with its corresponding signature σ, and a new message M', calculating a new message function U', outputting a vector σ' by using the lattice cipher algorithm SamplePre(A, T, s, U'), and the user outputting an incremental signature (U', σ') on the new message; and
a verification step: inputting the system public parameter pp, the user public key pk, a message M and a signature σ, and the verifier checking the validity of the signature.
2. The lattice-based incremental signature method of claim 1, wherein said system establishing step comprises the sub-steps of:
(1) inputting a security parameter n, and selecting k matrices
Figure FDA0002676063860000015
wherein 1 ≤ i ≤ k, the prime q ≥ 3, the integer m > 2n log q and the integer d > 5n log q, and the lattice cipher algorithm TrapGen(q, d) is used to output a matrix
Figure FDA0002676063860000016
and T ∈ Z^{d×d}, wherein A is used as the user public key pk and T as the user private key sk; and
(2) outputting the system public parameter pp = (A, A_1, …, A_k).
3. The lattice-based incremental signing method of claim 2, wherein said signing step comprises the sub-steps of:
(1) inputting the system public parameter pp = (A, A_1, …, A_k), the user private key T ∈ Z^{d×d} and the message M ∈ {0,1}^{m×k}; first calculating
Figure FDA0002676063860000017
wherein M_i represents the ith column of the message M; then running the lattice cipher algorithm SamplePre(A, T, s, U) to output a vector σ such that Aσ = U (mod q) and
Figure FDA0002676063860000018
wherein the parameters
Figure FDA0002676063860000019
And
(2) the user outputs (U, σ) as a signature of the message M.
4. A lattice-based incremental signing method according to claim 3, characterized in that said incremental signing step comprises the sub-steps of:
(1) the user first calculates U' = U + A_j(M'_j − M_j), wherein M' is the new message the user wishes to sign, M' differs little from M, and M' and M differ only in the jth column;
(2) the user runs the lattice cipher algorithm SamplePre(A, T, s, U') to output a vector σ' such that Aσ' = U' (mod q) and
Figure FDA0002676063860000021
and
(3) the user outputs (U', σ') as the incremental signature of the message M'.
5. The lattice-based incremental signature method as recited in claim 4, wherein said verification step comprises the sub-steps of:
(1) inputting the system public parameter pp = (A, A_1, …, A_k), the message M ∈ {0,1}^{m×k} and a signature (U, σ); the verifier first calculates
Figure FDA0002676063860000022
and compares whether H equals U; if not, the signature is invalid, otherwise the next step is carried out; and
(2) the verifier checks whether Aσ = U (mod q) and
Figure FDA0002676063860000023
both hold; if so, the signature is valid, otherwise the signature is invalid.
CN201711293616.2A 2017-12-08 2017-12-08 Incremental signature method based on lattice Active CN107947944B (en)


Publications (2)

Publication Number Publication Date
CN107947944A CN107947944A (en) 2018-04-20
CN107947944B true CN107947944B (en) 2020-10-30

Family

ID=61945288


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109756877B (en) * 2018-12-05 2021-09-14 西安电子科技大学 Quantum-resistant rapid authentication and data transmission method for massive NB-IoT (NB-IoT) equipment
CN109936458B (en) * 2019-03-18 2022-04-26 上海扈民区块链科技有限公司 Lattice-based digital signature method based on multiple evidence error correction

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104009847A (en) * 2014-05-14 2014-08-27 国家电网公司 Big data storage integrity verification method based on lattices
CN106649455A (en) * 2016-09-24 2017-05-10 孙燕群 Big data development standardized systematic classification and command set system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120071884A (en) * 2010-12-23 2012-07-03 한국전자통신연구원 Ring signature method based on lattices
US8755519B2 (en) * 2011-06-29 2014-06-17 International Business Machines Corporation Lattice scheme for establishing a secure multi-identity authentication context


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
格密码技术近期研究进展 (Recent research progress on lattice cryptography); 张平原, 蒋瀚, 蔡杰, 王晨光, 郑志华; 《计算机研究与发展》 (Journal of Computer Research and Development); 2017-09-26; vol. 54, no. 10; pp. 2121-2128 *

Also Published As

Publication number Publication date
CN107947944A (en) 2018-04-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant