CN109150533B - A UOV signature key recovery device and method - Google Patents

A UOV signature key recovery device and method Download PDF

Info

Publication number
CN109150533B
CN109150533B CN201710464016.1A CN201710464016A CN109150533B CN 109150533 B CN109150533 B CN 109150533B CN 201710464016 A CN201710464016 A CN 201710464016A CN 109150533 B CN109150533 B CN 109150533B
Authority
CN
China
Prior art keywords
key
value
calculation formula
power consumption
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710464016.1A
Other languages
Chinese (zh)
Other versions
CN109150533A (en
Inventor
易海博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Polytechnic
Original Assignee
Shenzhen Polytechnic
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Polytechnic filed Critical Shenzhen Polytechnic
Priority to CN201710464016.1A priority Critical patent/CN109150533B/en
Publication of CN109150533A publication Critical patent/CN109150533A/en
Application granted granted Critical
Publication of CN109150533B publication Critical patent/CN109150533B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

本发明公开了一种UOV签名的密钥恢复装置,包括:消息和签名模块,用于生成N对消息签名对;功耗曲线模块,用于采集每对消息签名对生成过程中产生的功耗曲线;密钥运算模块,用于依次选取UOV签名生成过程中所有密钥参与的计算公式;密钥猜测值模块,用于依次选取GF(2k)中的元素作为每个所选取的计算公式中的密钥的猜测值;以及,中央处理模块,用于在每选取一个猜测值时,对N条功耗曲线进行分析,获得所述UOV签名算法中的密钥。相应地,本发明还公开了一种UOV签名的密钥恢复方法。本发明能够快速恢复密钥,发现UOV签名的安全性问题,从而为保护UOV提供技术支持。

Figure 201710464016

The invention discloses a UOV signature key recovery device, comprising: a message and signature module for generating N pairs of message signature pairs; a power consumption curve module for collecting the power consumption generated during the generation of each pair of message signature pairs curve; the key operation module is used to sequentially select the calculation formulas of all keys involved in the UOV signature generation process; the key guess value module is used to sequentially select the elements in GF(2 k ) as each selected calculation formula The guessed value of the key in ; and the central processing module, configured to analyze N power consumption curves each time a guessed value is selected to obtain the key in the UOV signature algorithm. Correspondingly, the present invention also discloses a key recovery method for UOV signature. The invention can quickly recover the key and discover the security problem of the UOV signature, thereby providing technical support for protecting the UOV.

Figure 201710464016

Description

Key recovery device and method for UOV signature
Technical Field
The invention relates to the technical field of information security, in particular to a key recovery device and method for a UOV signature.
Background
The UOV signature is one of multivariate signatures that have the ability to resist quantum computer attacks. The safety of the method is established on the basis of an NP-Hard problem, namely a finite field multivariate quadratic equation system is solved.
Multivariable structure of UOV signatures
Figure BDA0001325487130000011
Contains a center mapping transformation and an affine transformation: y is0,y1,...,ym-1Is a message, x0,x1,...,xn-1Is signature, F is center mapping transformation, L is affine transformation, and the key is composed of parameters of F and L. Inverse transformation of center mapping
Figure BDA0001325487130000012
Comprises a multi-element system of quadratic equations,
Figure BDA0001325487130000013
is the center mapping transformation result. Inverse transform of affine transformation
Figure BDA0001325487130000014
In the form of
Figure BDA0001325487130000015
A is an n matrix, b is a length n vector, and A and b are keys.
In the prior art, the key recovery of the UOV signature mainly adopts an algebraic analysis method, so that the efficiency is low, and the wide application of the UOV signature is hindered to a certain extent.
Disclosure of Invention
The embodiment of the invention provides a key recovery device and a key recovery method for a UOV signature, which can quickly recover a key and find the security problem of the UOV signature, thereby providing technical support for protecting the UOV.
The embodiment of the invention provides a key recovery device for UOV signature, which comprises:
the message and signature module is used for generating N pairs of message signatures based on a UOV signature algorithm; wherein N is a positive integer greater than 2000;
the power consumption curve module is used for acquiring power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
the key operation module is used for sequentially selecting calculation formulas in which all keys participate in the UOV signature generation process;
a key guess value module for selecting GF (2) in turnk) As guesses of the key in each chosen calculation formula; and the number of the first and second groups,
and the central processing module is used for calling the message and signature module, the power consumption curve module, the key operation module and the key guess value module, acquiring the input values of the calculation formula and performing operation according to the messages in the N pairs of message signatures in sequence when each guess value is selected to obtain N output values, and analyzing the N power consumption curves to obtain the keys in the UOV signature algorithm based on the N input values and the N output values corresponding to each guess value.
Further, the key comprises a plurality of elements; choosing GF (2) in sequencek) As the keyA guess value for each element in (a);
the central processing module comprises a controller and a processor;
the controller is used for calling the message and signature module, the power consumption curve module, the key operation module and the key guess value module;
the processor is used for calculating the Hamming distance between each input value and the corresponding output value after selecting a guess value for each element in the key for operation, and obtaining N Hamming distances corresponding to each guess value; the N Hamming distances correspond to the N power consumption curves one by one;
the controller is further used for grouping the N power consumption curves according to the Hamming distance, so that the power consumption curves with the Hamming distance larger than a preset value are in a first group, and the power consumption curves with the Hamming distance smaller than the preset value are in a second group;
the processor is also used for carrying out differential operation on the two groups of power consumption curves to obtain a curve of each guessed value;
the controller is further configured to use the maximum amplitude of each curve as an extreme value of the curve, obtain an extreme value of the curve for each guess value, use a guess value corresponding to the curve with the maximum extreme value as the element in the key, and further obtain all elements in the key to obtain the key in the calculation formula.
Further, the calculation formula of the difference operation is as follows:
Figure BDA0001325487130000031
Figure BDA0001325487130000032
Figure BDA0001325487130000033
wherein, Delta is a curve of guessed values,tiis the ith power consumption curve, T0Is a first set of power consumption curves, T1Is a second set of power consumption curves, | T0L is the number of the first set of power consumption curves, | T1L is the number of the second set of power consumption curves,
Figure BDA0001325487130000034
k is a positive integer, which is the hamming distance between the ith input value D and the ith output value R.
Further, the calculation formula of all key participation in the UOV signature generation process is
Figure BDA0001325487130000035
Where D is the input value, E is the key, R is the output value, □ is the addition or multiplication, D, E and R are both GF (2)k) The composition of elements (A) and (B).
Further, the UOV signature algorithm includes a first affine transformation calculation formula
Figure BDA0001325487130000036
y is the message in the message signature pair,
Figure BDA0001325487130000037
as a result after the y affine transformation, a is a matrix of m × m, b is a vector of length m;
the first affine transformation calculation formula comprises a first calculation formula aij′=aij×yiAnd a second calculation formula bi′=aij′+bi,0≤i≤m-1,0≤j≤n-1;
Wherein in the first calculation formula, yiIs input with a value D, aijIs a secret key E, aij' is the output value R; in the second calculation formula, aijIs an input value D, biIs a secret key E, bi' is the output value R.
Further, the key recovery device for UOV signature further comprises a random variable control module;
the random variable control module is used for fixing random variables in the UOV signature generation process;
the controller is also used for calling the random variable control module.
Further, the UOV signature algorithm includes a central mapping calculation formula
Figure BDA0001325487130000038
Figure BDA0001325487130000039
Is composed of
Figure BDA00013254871300000310
The result after the inverse transformation of the center map,
Figure BDA00013254871300000311
the O and the V are two types of variables;
the center map calculation formula includes a plurality of multivariate equations:
Figure BDA00013254871300000312
the multiple multivariate equations are divided into a first layer of calculation formula Vj′=αijVjThe second layer calculation formula V ″)j=Vj′+δiThird layer of calculation formula Vi′=βijViFourth layer calculation formula Vi″=γiViAnd the fifth calculation formula
Figure BDA0001325487130000041
Wherein, in the first layer of calculation formula, VjIs fixed to a preset value as an input value D, alpha by the random variable control moduleijAs keys E, Vj' is the output value R; in the second layer of calculation formula, VjIs an input value D, deltaiIs the key E, V ″)jIs an output value R; in the third layer of calculation formula, ViBy said random variablesThe control module is fixed to a preset value as an input value D, betaijAs keys E, Vi' is the output value R; in the fourth layer of calculation formula, ViIs fixed to a preset value as an input value D, gamma by the random variable control moduleiAs keys E, Vi"is the output value R; in the fifth-level calculation formula,
Figure BDA0001325487130000042
to input a value D, η is a secret key E,
Figure BDA0001325487130000043
is the output value R.
Further, the UOV signature algorithm includes a second affine transformation calculation formula
Figure BDA0001325487130000044
x is
Figure BDA0001325487130000045
As a result after affine transformation, C is a matrix of n × n, d is a vector of length n;
the second affine transformation calculation formula includes a third calculation formula
Figure BDA0001325487130000046
And a fourth calculation formula di′=cij′+di
Wherein, in the third calculation formula,
Figure BDA0001325487130000047
as input values D, cijIs a secret key E, cij' is the output value R; in the fourth calculation formula, cijIs an input value D, DiIs a secret key E, di' is the output value R.
Correspondingly, an embodiment of the present invention further provides a key recovery method for UOV signatures, including:
generating N pairs of message signatures based on a UOV signature algorithm; wherein N is a positive integer greater than 2000;
acquiring power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
sequentially selecting calculation formulas in which all keys participate in the UOV signature generation process;
choosing GF (2) in sequencek) As guesses of the key in each chosen calculation formula;
and when each guess value is selected, sequentially obtaining the input values of the calculation formula according to the messages in the N pairs of message signatures and carrying out operation to obtain N output values, and analyzing the N power consumption curves based on the N input values and the N output values corresponding to each guess value to obtain the key in the UOV signature algorithm.
The embodiment of the invention has the following beneficial effects:
the key recovery device and method for UOV signature provided by the embodiment of the invention can generate a message signature pair and a corresponding power consumption curve, operate the UOV signature algorithm by adopting a mode of setting a key guess value, analyze the power consumption curve based on an operation result and obtain a real key, thereby realizing the quick recovery of the key in the UOV signature algorithm, finding the security problem of the UOV signature and providing technical support for protecting the UOV.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of a UOV signed key recovery device provided in the present invention;
fig. 2 is a schematic flowchart of an embodiment of a key recovery method for UOV signatures provided in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a schematic structural diagram of an embodiment of a UOV signed key recovery apparatus provided in the present invention includes:
the message and signature module 1 is used for generating N pairs of message signatures based on a UOV signature algorithm; wherein N is a positive integer greater than 2000;
the power consumption curve module 2 is used for collecting power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
the key operation module 3 is used for sequentially selecting calculation formulas in which all keys participate in the UOV signature generation process;
a key guess value module 4 for selecting GF (2) in turnk) As guesses of the key in each chosen calculation formula; and the number of the first and second groups,
and the central processing module 5 is configured to invoke the message and signature module, the power consumption curve module, the key operation module and the key guess value module, and when each guess value is selected, sequentially obtain input values of the calculation formula according to the messages in the N pairs of message signatures and perform operation to obtain N output values, and analyze the N power consumption curves based on the N input values and the N output values corresponding to each guess value to obtain a key in the UOV signature algorithm.
It should be noted that the message in the message signature pair is the message y of the UOV signature algorithm0,y1,...,ym-1The size is m bytes, y0,y1,...,ym-1Are all finite fields GF (2)k) K is a positive integer; the signature in the message signature pair is x0,x1,...,xn-1Size is n bytes, x0,x1,...,xn-1Are all finite fields GF (2)k) Of (2) is used. When a pair of message signature pairs is generated, a power consumption curve is correspondingly generated, so that N pairs of message signature pairs correspond to N power consumption curves one by one. Wherein each power consumption curve contains the power consumption generated at each time point during the generation of a single signature.
The central processing module is respectively connected with the message andthe signature module, the power consumption curve module, the key operation module and the key guess value module are connected with each other. The central processing module is used for scheduling and controlling the modules connected with the central processing module, and processing the operation in the UOV key recovery process. The message and signature module is used for generating N pairs of message signatures for the keys to be analyzed. And the key operation module is used for selecting finite field addition, multiplication and inverse operation of the key participating in the UOV signature generation. The key guess module consists of a finite field GF (2)k) All elements make up, i.e. (00.. 00)2To (11.. 11)2
During the analysis, the key is guessed first, and the range is GF (2)k) All elements, i.e. GF (2) in turnk) The element(s) in (b) is used as a guess value for the key, and simultaneously, N input values are obtained according to N messages in the N pairs of message signatures. And based on each guess value, sequentially substituting the N input values into a calculation formula to carry out operation to obtain N output values, namely, each guess value corresponds to the N input values, the N output values and the N power consumption curves, and the N input values, the N output values and the N power consumption curves are in one-to-one correspondence. For each guess value, the Hamming distances between the N input values and the corresponding output values are respectively calculated, so that N Hamming distances are obtained, and the N Hamming distances correspond to the N power consumption curves one by one. And analyzing the N power consumption curves based on the N Hamming distances to obtain an analysis result of each guess value, and determining a true value of the key according to the analysis results of all the guess values.
Further, the key comprises a plurality of elements; choosing GF (2) in sequencek) As a guess value for each element in the key;
the central processing module comprises a controller and a processor;
the controller is used for calling the message and signature module, the power consumption curve module, the key operation module and the key guess value module;
the processor is used for calculating the Hamming distance between each input value and the corresponding output value after selecting a guess value for each element in the key for operation, and obtaining N Hamming distances corresponding to each guess value; the N Hamming distances correspond to the N power consumption curves one by one;
the controller is further used for grouping the N power consumption curves according to the Hamming distance, so that the power consumption curves with the Hamming distance larger than a preset value are in a first group, and the power consumption curves with the Hamming distance smaller than the preset value are in a second group;
the processor is also used for carrying out differential operation on the two groups of power consumption curves to obtain a curve of each guessed value;
the controller is further configured to use the maximum amplitude of each curve as an extreme value of the curve, obtain an extreme value of the curve for each guess value, use a guess value corresponding to the curve with the maximum extreme value as the element in the key, and further obtain all elements in the key to obtain the key in the calculation formula.
It should be noted that the controller is used for scheduling and controlling the modules connected to the central processing module, and the processor is used for processing the operation in the UOV key recovery process.
Further, the calculation formula of the difference operation is as follows:
Figure BDA0001325487130000071
Figure BDA0001325487130000072
Figure BDA0001325487130000073
where Δ is the curve of the guess, tiIs the ith power consumption curve, T0Is a first set of power consumption curves, T1Is a second set of power consumption curves, | T0L is the number of the first set of power consumption curves, | T1L is the number of the second set of power consumption curves,
Figure BDA0001325487130000074
k is a positive integer, which is the hamming distance between the ith input value D and the ith output value R.
In specific application, the controller calls the message and signature module to generate N message signature pairs, calls the power consumption curve module to generate N corresponding power consumption curves, and calls the key operation module to sequentially select a calculation formula in which all keys participate in the UOV signature generation process.
The key in the calculation formula generally comprises a plurality of elements, and each element needs to be guessed and determined respectively. When analyzing a certain element in the key, the controller calls the key guess value module to select GF (2)k) The element in (1) is used as a guess value of the element in the key, and when each guess value is selected, the processor calculates N output values in one-to-one correspondence based on the N input values and based on the Hamming distance between the input value and the corresponding output value. The controller divides the N power consumption curves into two groups, namely when the Hamming distance between one input value and the corresponding output value is smaller than a preset value, the power consumption curves corresponding to the input value are divided into a first group; and when the Hamming distance between one input value and the corresponding output value is larger than or equal to a preset value, dividing the power consumption curve corresponding to the input value into a second group. The processor calculates the curve of the selected guessed value according to the two groups of power consumption curves, and the controller obtains the maximum absolute value, namely the maximum amplitude value, of the curve. After each guess value is selected in turn, the controller obtains the maximum amplitude of the curve of all guess values by maxiMarking the maximum amplitude of the curve of the ith guess to obtain a set (max)0,max1,..) to select the maximum value max in the setjThen the maximum value maxjThe guess value corresponding to the curve of (a) is used as the true value of the element in the key. By analogy, the true values of other elements in the key are obtained by the method, and then the true values of all the elements in the key are obtained, namely the key is obtained.
Further, the calculation formula of all key participation in the UOV signature generation process is
Figure BDA0001325487130000081
Where D is the input value, E is the key, R is the output value,
Figure BDA0001325487130000082
for addition or multiplication, both D, E and R are GF (2)k) The composition of elements (A) and (B).
It should be noted that, in the UOV signature algorithm, the length of the hash of the message to be signed is m bytes, and the length of the signed message is n bytes. The private key comprises a reversible affine transformation and a central mapping transformation, and the public key is a combination of the central mapping transformation and the reversible affine transformation. Inverse reversible affine transformation L-1In the form of
Figure BDA0001325487130000083
A is a matrix of size n x n, b is a vector of dimension n, and both A and b operate as private keys. The center mapping transformation F consists of m multivariate polynomials (F)0,f1,...,fm-1) Is in the form of
Figure BDA0001325487130000084
Figure BDA0001325487130000085
Is a finite set of vinegar and oil variables:
Figure BDA0001325487130000086
is a finite set of vinegar variables, having a total of n-m vinegar variables, used as a private key;
Figure BDA0001325487130000087
is a finite set of oil variables, for a total of m oil variables. Multivariable polynomial f of multiple degree0,f1,...,fm-1Is defined as f (O)0,O1,...,Om-1)=∑αijOiVj+∑βijViVj+∑γiVi+∑δiOi+η。Oi,(Vi,Vj) Respectively oil variable and vinegar variable, alphaij、βij、γi、δiAnd η is the coefficient of a multivariate quadratic polynomial and is used as a key.
For example, the message is 28 bytes in length and the signature is 56 bytes in length. UOV operates in the finite field GF (2)8). A is a matrix of size 56 x 56, b is a vector of dimension 56, and both a and b operate as private keys. The center mapping transformation F consists of 28 multivariate polynomials (F)0,f1,...,f27) Is in the form of
Figure BDA0001325487130000091
Figure BDA0001325487130000092
Is a finite set of vinegar and oil variables:
Figure BDA0001325487130000093
is a finite set of vinegar variables, for a total of 28 vinegar variables, used as private keys;
Figure BDA0001325487130000094
is a finite set of oil variables, for a total of 28 oil variables. Multivariable polynomial f of multiple degree0,f1,...,f27Is defined as f (O)0,O1,...,O27)=∑αijOiVj+∑βijViVj+∑γiVi+∑δiOi+η。Oi,(Vi,Vj) Respectively oil variable and vinegar variable, alphaij、βij、γi、δiAnd η is the coefficient of a multivariate quadratic polynomial and is used as a key.
Further, the UOV signature algorithm includes a first affine transformation calculation formula
Figure BDA0001325487130000095
y is the message in the message signature pair,
Figure BDA0001325487130000096
as a result after the y affine transformation, a is a matrix of m × m, b is a vector of length m;
the first affine transformation calculation formula comprises a first calculation formula aij′=aij×yiAnd a second calculation formula bi′=aij′+bi,0≤i≤m-1,0≤j≤n-1;
Wherein in the first calculation formula, yiIs input with a value D, aijIs a secret key E, aij' is the output value R; in the second calculation formula, aijIs an input value D, biIs a secret key E, bi' is the output value R.
In the first calculation formula, aijIs an element of Key A, row i, column j, yiIs the i-th element, a, of the message yij' are finite field multiplication results, all finite field GF (2)k) Of (2) is used. Let D be yi,R=aij′,E=aijStarting to guess the key, the range is GF (2)k) All the elements. Since E is the guess value (known) of the key and D is an element (known) of the message, R is obtained by R ═ E × D calculation, based on
Figure BDA0001325487130000097
Key a is analyzed by adopting Hamming distance modelij
In the second calculation formula, let D ═ aij′,R=bi′,E=biGuessing the key is started. In analyzing out the key aijAfter a, aijBy calculation of (known), biIs the ith element of the key b, which is the guess (known), bi' is the result of finite field addition, and is further based on
Figure BDA0001325487130000101
Analyzing a secret key b by adopting a Hamming distance modeli
Suppose 2000 pairs of message signatures and corresponding 2000 power consumption curves are generated, A is26 × 26 matrix, b is a vector of length 26, A, b, y,
Figure BDA0001325487130000102
The elements contained are all finite fields GF (2)8) Of (2) is used. To calculate aij′=aij×yiFor example, let D be yi,R=aij′,E=aijStarting to guess the key, the range is GF (2)8) All the elements. Since E is the guess value (known) of the key and D is an element (known) of the message, R is obtained by R ═ E × D calculation. Based on the Hamming distance between D and R
Figure BDA0001325487130000103
The 2000 power consumption curves are divided into two groups:
Figure BDA0001325487130000104
Figure BDA0001325487130000105
and then carrying out differential operation on the two groups of power consumption curves to obtain a curve of each guess value, taking the maximum amplitude of each curve as the extreme value of the curve, obtaining the extreme value of the curve of each guess value, and taking the guess value corresponding to the curve with the maximum extreme value as the true value of the key.
Further, the key recovery device for UOV signature also includes a random variable control module 6;
the random variable control module 6 is used for fixing random variables in the UOV signature generation process;
the controller is also used for calling the random variable control module.
Further, the UOV signature algorithm includes a central mapping calculation formula
Figure BDA0001325487130000106
Figure BDA0001325487130000107
Is composed of
Figure BDA0001325487130000108
The result after the inverse transformation of the center map,
Figure BDA0001325487130000109
the O and the V are two types of variables;
the center map calculation formula includes a plurality of multivariate equations:
Figure BDA00013254871300001010
the multiple multivariate equations are divided into a first layer of calculation formula Vj′=αijVjThe second layer calculation formula V ″)j=Vj′+δiThird layer of calculation formula Vi′=βijViFourth layer calculation formula Vi″=γiViAnd the fifth calculation formula
Figure BDA00013254871300001011
Wherein, in the first layer of calculation formula, VjIs fixed to a preset value as an input value D, alpha by the random variable control moduleijAs keys E, Vj' is the output value R; in the second layer of calculation formula, VjIs an input value D, deltaiIs the key E, V ″)jIs an output value R; in the third layer of calculation formula, ViIs fixed to a preset value as an input value D, beta by the random variable control moduleijAs keys E, Vi' is the output value R; in the fourth layer of calculation formula, ViIs fixed to a preset value as an input value D, gamma by the random variable control moduleiAs keys E, Vi"is the output value R; in the fifth-level calculation formula,
Figure BDA0001325487130000111
to input a value D, η is a secret key E,
Figure BDA0001325487130000112
is the output value R.
It should be noted that, in the key analysis process in the central mapping calculation formula, the controller calls the random variable control module to fix the generated random variable to a preset value, that is, the random variables are fixed to (00000001) in sequence2To (11111111)2The value of (c).
The center mapping calculation formula includes a plurality of multivariable equations divided into a plurality of layers, wherein V of a first layer is a random variable and V of a next layer is composed of O and V of an upper layer, so that the plurality of multivariable equations are reduced to a first-order polynomial with respect to O by operation, and a value of O is obtained by solving a finite field linear equation set.
In the first layer of calculation formula, let D ═ Vj,R=Vj′,E=αijV is controlled by a random variable control modulejFixed to a preset value based on
Figure BDA0001325487130000113
Analyzing the secret key alpha by adopting a Hamming distance modelij. In the second layer calculation formula, let D ═ Vj′,R=V″j,E=δiV is controlled by a random variable control modulejFixed to a preset value based on
Figure BDA0001325487130000114
Key delta analysis using hamming distance modeli. In the third layer of calculation formula, let D be Vi,R=Vi′,E=βijV is controlled by a random variable control moduleiFixed to a preset value based on
Figure BDA0001325487130000115
Key beta analysis using hamming distance modelij. In the fourth layer of calculation formula, let D ═ Vi,R=Vi″,E=γiBy random variable controlMake module ViFixed to a preset value based on
Figure BDA0001325487130000116
Analyzing the secret key gamma by using Hamming distance modeli. For the fifth layer of calculation formula, let
Figure BDA0001325487130000117
E ═ η, calculate
Figure BDA0001325487130000118
Is then based on
Figure BDA0001325487130000119
The key η is analyzed using a hamming distance model.
Further, the UOV signature algorithm further includes a second affine transformation calculation formula
Figure BDA00013254871300001110
x is
Figure BDA00013254871300001111
As a result after affine transformation, C is a matrix of n × n, d is a vector of length n;
the second affine transformation calculation formula includes a third calculation formula
Figure BDA00013254871300001112
And a fourth calculation formula di′=cij′+di
Wherein, in the third calculation formula,
Figure BDA0001325487130000121
as input values D, cijIs a secret key E, cij' is the output value R; in the fourth calculation formula, cijIs an input value D, DiIs a secret key E, di' is the output value R.
In the third calculation formula, c isijIs an element of key C row i column j,
Figure BDA0001325487130000122
is the result of a central mapping transformation
Figure BDA0001325487130000123
The ith element, cij' are finite field multiplication results, all finite field GF (2)k) Of (2) is used. Order to
Figure BDA0001325487130000124
R=cij′,E=cijStarting to guess the key, the range is GF (2)k) All elements, since E is the guess (known) of the key, D is an element (known) of the result of the transformation of the center map, and R is obtained by calculation from R ═ E × D, and is based on
Figure BDA0001325487130000125
Analyzing out a secret key c by adopting a Hamming distance modelij
In the fourth calculation formula, let D ═ cij′,R=di′,E=diGuessing the key is started. Since E is the guess (known) of the key, D is calculated (known), and R is calculated from R ═ E + D, based on
Figure BDA0001325487130000126
Key d is analyzed by adopting Hamming distance modeli
After all keys of the UOV signature are obtained by the method, key recovery of the UOV signature is completed.
The key recovery device for the UOV signature provided by the embodiment of the invention can generate a message signature pair and a corresponding power consumption curve, operate the UOV signature algorithm by adopting a mode of setting a key guess value, analyze the power consumption curve based on an operation result and obtain a real key, thereby realizing the quick recovery of the key in the UOV signature algorithm, finding the security problem of the UOV signature and providing technical support for protecting the UOV.
Referring to fig. 2, it is a schematic flow chart of an embodiment of the key recovery method for UOV signature provided in the invention, including:
s1, generating N pairs of message signatures based on the UOV signature algorithm; wherein N is a positive integer greater than 2000;
s2, collecting power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
s3, sequentially selecting calculation formulas of all key participation in the UOV signature generation process;
s4, selecting GF (2) in sequencek) As guesses of the key in each chosen calculation formula;
and S5, when each guess value is selected, sequentially obtaining the input values of the calculation formula according to the messages in the N pairs of message signatures and carrying out operation to obtain N output values, and analyzing the N power consumption curves based on the N input values and the N output values corresponding to each guess value to obtain the key in the UOV signature algorithm.
The key recovery method for the UOV signature provided by the embodiment of the invention can generate a message signature pair and a corresponding power consumption curve, operate the UOV signature algorithm by adopting a mode of setting a key guess value, analyze the power consumption curve based on an operation result and obtain a real key, thereby realizing the quick recovery of the key in the UOV signature algorithm, finding the security problem of the UOV signature and providing technical support for protecting the UOV.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (3)

1.一种UOV签名的密钥恢复装置,其特征在于,包括:1. a key recovery device of UOV signature, is characterized in that, comprises: 消息和签名模块,用于基于UOV签名算法生成N对消息签名对;其中,N为大于2000的正整数;The message and signature module is used to generate N pairs of message signature pairs based on the UOV signature algorithm; wherein, N is a positive integer greater than 2000; 功耗曲线模块,用于采集每对消息签名对生成过程中产生的功耗曲线,获得N条功耗曲线;The power consumption curve module is used to collect the power consumption curves generated during the generation of each message signature pair, and obtain N power consumption curves; 密钥运算模块,用于依次选取UOV签名生成过程中所有密钥参与的计算公式;The key operation module is used to sequentially select the calculation formulas of all keys involved in the UOV signature generation process; 密钥猜测值模块,用于依次选取GF(2k)中的元素作为每个所选取的计算公式中的密钥的猜测值;以及,a key guess value module for sequentially selecting elements in GF(2 k ) as the guess value of the key in each selected calculation formula; and, 中央处理模块,用于调用所述消息和签名模块、所述功耗曲线模块、所述密钥运算模块和所述密钥猜测值模块,以及在每选取一个猜测值时,依次根据所述N对消息签名对中的消息获取所述计算公式的输入值并进行运算,获得N个输出值,并基于每个猜测值所对应的N个输入值和N个输出值,对所述N条功耗曲线进行分析,获得所述UOV签名算法中的密钥;The central processing module is used to call the message and signature module, the power consumption curve module, the key operation module and the key guess value module, and when selecting a guess value, sequentially according to the N Obtain the input values of the calculation formula for the message in the message signature pair and perform operations to obtain N output values, and based on the N input values and N output values corresponding to each guessed value, perform the calculation on the N functions. The consumption curve is analyzed to obtain the key in the UOV signature algorithm; 所述密钥包括多个元素;依次选取GF(2k)中的元素作为所述密钥中的每个元素的猜测值;The key includes a plurality of elements; the elements in GF(2 k ) are successively selected as the guess value of each element in the key; 所述中央处理模块包括控制器和处理器;The central processing module includes a controller and a processor; 所述控制器用于调用所述消息和签名模块、所述功耗曲线模块、所述密钥运算模块和所述密钥猜测值模块;The controller is configured to call the message and signature module, the power consumption curve module, the key operation module and the key guess value module; 所述处理器用于对于所述密钥中的一个元素,在每选取一个猜测值进行运算后,计算每个输入值与其对应的输出值之间的汉明距离,获得每个猜测值所对应的N个汉明距离;其中,所述N个汉明距离和N条功耗曲线一一对应;The processor is used to calculate the Hamming distance between each input value and its corresponding output value for an element in the key after each selected guess value for operation, and obtain the corresponding value of each guess value. N Hamming distances; wherein, the N Hamming distances are in one-to-one correspondence with N power consumption curves; 所述控制器还用于根据所述汉明距离对所述N条功耗曲线进行分组,使汉明距离大于预设值的功耗曲线为第一组,使汉明距离小于预设值的功耗曲线为第二组;The controller is further configured to group the N power consumption curves according to the Hamming distance, so that the power consumption curves with the Hamming distance greater than the preset value are the first group, and the power consumption curves with the Hamming distance less than the preset value are the first group. The power consumption curve is the second group; 所述处理器还用于对两组功耗曲线进行差分运算,获得每个猜测值的曲线;The processor is also used to perform a differential operation on the two sets of power consumption curves to obtain a curve of each guessed value; 所述控制器还用于将每个猜测值的曲线的最大幅值作为所述猜测值的曲线的极值,获得每个猜测值的曲线的极值,并将极值最大的猜测值的曲线所对应的猜测值作为所述密钥中的所述元素,进而获取所述密钥中的所有元素,以获取所述计算公式中的密钥;The controller is further configured to take the maximum magnitude of the curve of each guessed value as the extreme value of the curve of the guessed value, obtain the extreme value of the curve of each guessed value, and use the curve of the guessed value with the largest extreme value. The corresponding guess value is used as the element in the key, and then all elements in the key are obtained to obtain the key in the calculation formula; 所述差分运算的计算公式如下:The calculation formula of the difference operation is as follows:
Figure FDA0003048568550000021
Figure FDA0003048568550000021
Figure FDA0003048568550000022
Figure FDA0003048568550000022
Figure FDA0003048568550000023
Figure FDA0003048568550000023
 其中,Δ为猜测值的曲线,ti为第i条功耗曲线,T0为第一组功耗曲线,T1为第二组功耗曲线,|T0|为第一组功耗曲线的数量,|T1|为第二组功耗曲线的数量,
Figure FDA0003048568550000024
为第i个输入值D与第i个输出值R之间的汉明距离,k为一个正整数;Among them, Δ is the curve of the guessed value, t i is the ith power consumption curve, T 0 is the first group of power consumption curves, T 1 is the second group of power consumption curves, and |T 0 | is the first group of power consumption curves The number of , |T 1 | is the number of the second set of power consumption curves,
Figure FDA0003048568550000024
is the Hamming distance between the ith input value D and the ith output value R, and k is a positive integer; 所述UOV签名生成过程中所有密钥参与的计算公式为
Figure FDA0003048568550000025
其中,D为输入值,E为密钥,R为输出值,
Figure FDA0003048568550000026
为加法运算或乘法运算,D、E和R均由GF(2k)的元素组成;所述UOV签名的密钥恢复装置还包括随机变量控制模块;The calculation formula of all keys involved in the UOV signature generation process is:
Figure FDA0003048568550000025
Among them, D is the input value, E is the key, R is the output value,
Figure FDA0003048568550000026
For addition operation or multiplication operation, D, E and R are all made up of elements of GF (2 k ); the key recovery device of the UOV signature also includes a random variable control module; 所述随机变量控制模块用于固定UOV签名生成过程中的随机变量;The random variable control module is used to fix the random variable in the UOV signature generation process; 所述控制器还用于调用所述随机变量控制模块;The controller is further configured to call the random variable control module; 所述UOV签名算法包括第一仿射变换计算公式
Figure FDA0003048568550000027
y为消息签名对中的消息,
Figure FDA0003048568550000028
为y仿射变换之后的结果,A是m×m的矩阵,b是长度为m的向量;The UOV signature algorithm includes the first affine transformation calculation formula
Figure FDA0003048568550000027
y is the message in the message signature pair,
Figure FDA0003048568550000028
is the result after y affine transformation, A is a matrix of m×m, and b is a vector of length m; 所述第一仿射变换计算公式包括第一计算公式aij′=aij×yi和第二计算公式bi′=aij′+bi,0≤i≤m-1,0≤j≤n-1;The first affine transformation calculation formula includes a first calculation formula a ij ′=a ij ×y i and a second calculation formula b i ′=a ij ′+ bi , 0≤i≤m-1,0≤j ≤n-1; 其中,在所述第一计算公式中,yi为输入值D,aij为密钥E,aij′为输出值R;在所述第二计算公式中,aij′为输入值D,bi为密钥E,bi′为输出值R;aij是密钥A第i行第j列的元素;yi是消息y的第i个元素;aij′是有限域乘法结果,均是有限域GF(2k)的元素;bi是密钥b的第i个元素,为猜测值;bi′是有限域加法结果;Wherein, in the first calculation formula, yi is the input value D, a ij is the key E, and a ij ' is the output value R; in the second calculation formula, a ij ' is the input value D, b i is the key E, and b i ' is the output value R; a ij is the element of the i-th row and j-th column of the key A; yi is the i-th element of the message y; a ij ' is the finite field multiplication result, are all elements of finite field GF(2 k ); b i is the i-th element of key b, which is the guess value; b i ' is the addition result of finite field; 所述UOV签名算法包括中心映射计算公式
Figure FDA0003048568550000031
Figure FDA0003048568550000032
Figure FDA0003048568550000033
中心映射逆变换之后的结果,
Figure FDA0003048568550000034
由O和V是两类变量组成;The UOV signature algorithm includes a central mapping calculation formula
Figure FDA0003048568550000031
Figure FDA0003048568550000032
for
Figure FDA0003048568550000033
The result after the inverse transformation of the center map,
Figure FDA0003048568550000034
It consists of two types of variables, O and V; 所述中心映射计算公式包括多个多变量方程:The center map calculation formula includes multiple multivariate equations:
Figure FDA0003048568550000035
Figure FDA0003048568550000035
 所述多个多变量方程分为第一层计算公式Vj′=αijVj、第二层计算公式Vj″=Vj′+δi、第三层计算公式Vi′=βijVi、第四层计算公式Vi″=γiVi和第五层计算公式
Figure FDA0003048568550000036
The multiple multivariable equations are divided into a first-level calculation formula V j ′=α ij V j , a second-level calculation formula V j ″=V j ′+δ i , and a third-level calculation formula V i ′=β ij V i , the calculation formula of the fourth layer V i ″=γ i V i and the calculation formula of the fifth layer
Figure FDA0003048568550000036
 其中,在第一层计算公式中,Vj通过所述随机变量控制模块被固定为预设值,作为输入值D,αij为密钥E,Vj′为输出值R;在第二层计算公式中,Vj′为输入值D,δi为密钥E,Vj″为输出值R;在第三层计算公式中,Vi通过所述随机变量控制模块被固定为预设值,作为输入值D,βij为密钥E,Vi′为输出值R;在第四层计算公式中,Vi通过所述随机变量控制模块被固定为预设值,作为输入值D,γi为密钥E,Vi″为输出值R;在第五层计算公式中,
Figure FDA0003048568550000037
为输入值D,η为密钥E,
Figure FDA0003048568550000038
为输出值R;Among them, in the calculation formula of the first layer, V j is fixed as a preset value by the random variable control module, as the input value D, α ij is the key E, and V j ′ is the output value R; in the second layer In the calculation formula, V j ′ is the input value D, δ i is the key E, and V j ″ is the output value R; in the third layer calculation formula, V i is fixed to a preset value by the random variable control module , as the input value D, β ij is the key E, and V i ′ is the output value R; in the calculation formula of the fourth layer, V i is fixed as a preset value by the random variable control module, as the input value D, γ i is the key E, and V i ″ is the output value R; in the calculation formula of the fifth layer,
Figure FDA0003048568550000037
is the input value D, n is the key E,
Figure FDA0003048568550000038
is the output value R; 计算过程中,在第一层计算公式中,令D=Vj,R=Vj′,E=αij,通过随机变量控制模块将Vj固定为预设值,再基于
Figure FDA0003048568550000039
采用汉明距离模型分析密钥αij;在第二层计算公式中,令D=Vj′,R=Vj″,E=δi,通过故器障分析将Vj固定为预设值,再基于
Figure FDA00030485685500000310
采用汉明距离模型分析密钥δi;在第三层计算公式中,令D=Vi,R=Vi′,E=βij,通过随机变量控制模块将Vi固定为预设值,再基于
Figure FDA00030485685500000311
采用汉明距离模型分析密钥βij;在第四层计算公式中,令D=Vi,R=Vi″,E=γi,通过随机变量控制模块将Vi固定为预设值,再基于
Figure FDA00030485685500000312
采用汉明距离模型分析密钥γi;对于第五层计算公式,令
Figure FDA00030485685500000313
E=η,计算
Figure FDA00030485685500000314
的值,再基于
Figure FDA00030485685500000315
采用汉明距离模型分析密钥η。In the calculation process, in the calculation formula of the first layer, let D=V j , R=V j ′, E=α ij , V j is fixed as a preset value by the random variable control module, and then based on
Figure FDA0003048568550000039
The Hamming distance model is used to analyze the key α ij ; in the calculation formula of the second layer, let D=V j ′, R=V j ″, E=δ i , and V j is fixed as a preset value through fault analysis , based on
Figure FDA00030485685500000310
The Hamming distance model is used to analyze the key δ i ; in the calculation formula of the third layer, let D=V i , R=V i ′, E=β ij , and V i is fixed as a preset value by the random variable control module, based on
Figure FDA00030485685500000311
The Hamming distance model is used to analyze the key β ij ; in the calculation formula of the fourth layer, let D=V i , R=V i ″, E=γ i , and V i is fixed to a preset value by the random variable control module, based on
Figure FDA00030485685500000312
The Hamming distance model is used to analyze the key γ i ; for the calculation formula of the fifth layer, let
Figure FDA00030485685500000313
E=η, calculate
Figure FDA00030485685500000314
value, based on
Figure FDA00030485685500000315
The key η is analyzed using the Hamming distance model. 2.如权利要求1所述的UOV签名的密钥恢复装置,其特征在于,所述UOV签名算法包括第二仿射变换计算公式
Figure FDA0003048568550000041
x为
Figure FDA0003048568550000042
仿射变换之后的结果,C是n×n的矩阵,d是长度为n的向量;2. the key recovery device of UOV signature as claimed in claim 1 is characterized in that, described UOV signature algorithm comprises the second affine transformation calculation formula
Figure FDA0003048568550000041
x is
Figure FDA0003048568550000042
The result after affine transformation, C is an n×n matrix, and d is a vector of length n; 所述第二仿射变换计算公式包括第三计算公式
Figure FDA0003048568550000043
和第四计算公式di′=cij′+diThe second affine transformation calculation formula includes a third calculation formula
Figure FDA0003048568550000043
and the fourth calculation formula d i ′=c ij ′+d i ; 其中,在所述第三计算公式中,
Figure FDA0003048568550000044
为输入值D,cij为密钥E,cij′为输出值R;在所述第四计算公式中,cij′为输入值D,di为密钥E,di′为输出值R;cij是密钥C第i行第j列的元素;
Figure FDA0003048568550000045
是中心映射变换结果
Figure FDA0003048568550000046
第i个元素;cij′是有限域乘法结果,均是有限域GF(2k)的元素;di是密钥d的第i个元素,为猜测值;di′是有限域加法结果。Wherein, in the third calculation formula,
Figure FDA0003048568550000044
is the input value D, c ij is the key E, and c ij ' is the output value R; in the fourth calculation formula, c ij ' is the input value D, d i is the key E, and d i ' is the output value R; c ij is the element of the i-th row and the j-th column of the key C;
Figure FDA0003048568550000045
is the result of the center mapping transformation
Figure FDA0003048568550000046
The i-th element; c ij ' is the multiplication result of the finite field, both are elements of the finite field GF(2 k ); d i is the i-th element of the key d, which is the guess value; d i ' is the addition result of the finite field . 3.一种利用如权利要求1至2中任意一项所述的密钥恢复装置实施的UOV签名的密钥恢复方法,其特征在于,包括:3. a key recovery method utilizing the UOV signature implemented by the key recovery device according to any one of claims 1 to 2, is characterized in that, comprising: 基于UOV签名算法生成N对消息签名对;其中,N为大于2000的正整数;Generate N pairs of message signature pairs based on the UOV signature algorithm; where N is a positive integer greater than 2000; 采集每对消息签名对生成过程中产生的功耗曲线,获得N条功耗曲线;Collect the power consumption curves generated during the generation of each message signature pair, and obtain N power consumption curves; 依次选取UOV签名生成过程中所有密钥参与的计算公式;Select the calculation formula of all keys involved in the UOV signature generation process in turn; 依次选取GF(2k)中的元素作为每个所选取的计算公式中的密钥的猜测值;Select the elements in GF(2 k ) in turn as the guess value of the key in each selected calculation formula; 在每选取一个猜测值时,依次根据所述N对消息签名对中的消息获取所述计算公式的输入值并进行运算,获得N个输出值,并基于每个猜测值所对应的N个输入值和N个输出值,对所述N条功耗曲线进行分析,获得所述UOV签名算法中的密钥。When each guess value is selected, the input values of the calculation formula are obtained and operated according to the messages in the N pairs of message signature pairs in turn, and N output values are obtained, and N inputs corresponding to each guess value are obtained. value and N output values, analyze the N power consumption curves, and obtain the key in the UOV signature algorithm.
CN201710464016.1A 2017-06-19 2017-06-19 A UOV signature key recovery device and method Active CN109150533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710464016.1A CN109150533B (en) 2017-06-19 2017-06-19 A UOV signature key recovery device and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710464016.1A CN109150533B (en) 2017-06-19 2017-06-19 A UOV signature key recovery device and method

Publications (2)

Publication Number Publication Date
CN109150533A CN109150533A (en) 2019-01-04
CN109150533B true CN109150533B (en) 2021-08-24

Family

ID=64804358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710464016.1A Active CN109150533B (en) 2017-06-19 2017-06-19 A UOV signature key recovery device and method

Country Status (1)

Country Link
CN (1) CN109150533B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157431A (en) * 2021-10-27 2022-03-08 上海朝夕网络技术有限公司 Block chain transaction processing method based on multivariate signature method and computer equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105530091A (en) * 2016-01-29 2016-04-27 易海博 Decryption method for TTS signature
WO2016155565A1 (en) * 2015-03-30 2016-10-06 Jintai Ding Improvements on multivariate digital signature schemes based on hfev- and new applications of multivariate digital signature schemes for white-box encryption

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016155565A1 (en) * 2015-03-30 2016-10-06 Jintai Ding Improvements on multivariate digital signature schemes based on hfev- and new applications of multivariate digital signature schemes for white-box encryption
CN105530091A (en) * 2016-01-29 2016-04-27 易海博 Decryption method for TTS signature

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
On the Importance of Checking Multivariate Public Key Cryptography for Side-Channel Attacks: The Case of enTTS Scheme;HaiBo Yi et al.;《Oxford University Press on behalf of The British Computer Society》;20170215;摘要,正文2-4节 *
有限域运算和多变量公钥密码硬件的优化和设计;易海博;《中国博士学位论文全文数据库 信息科技辑》;20150831;正文第2、6章 *

Also Published As

Publication number Publication date
CN109150533A (en) 2019-01-04

Similar Documents

Publication Publication Date Title
CN113239404B (en) Federal learning method based on differential privacy and chaotic encryption
CN114817958A (en) Model training method, device, equipment and medium based on federal learning
CN105629733B (en) A kind of fractional order cell neural network Self-adaptive synchronization control and circuit design method
WO2023060809A1 (en) Number theoretic transforms computation circuit and method, and computer device
CN113761469B (en) Highest bit carry calculation method for protecting data privacy
CN103490897B (en) A kind of multivariable public key signature/checking system and signature/verification method
CN103067165A (en) Outsourcing calculation method, device and server of public key system
CN109150533B (en) A UOV signature key recovery device and method
CN110245501B (en) Image encryption method based on infinite dimension hyperchaos
CN114465728B (en) Method, device, equipment and storage medium for attacking elliptic curve signature algorithm
CN109150506B (en) A kind of side channel analysis method and device of rainbow signature
CN103929305A (en) SM2 signature algorithm implementation method
CN105530091A (en) Decryption method for TTS signature
CN117240458B (en) Multi-secret sharing method for user self-choice sub-secret
CN105991289A (en) Side channel energy analysis method and device of SM3 cipher algorithm
CN104580174A (en) Sensitive data computation outsourcing service method capable of preventing malicious server attacks
Tong et al. Design of S-box multi-objective optimization algorithm based on combined chaotic system
Zhang et al. On the immunity of rotation symmetric Boolean functions against fast algebraic attacks
CN113922990B (en) Strong PUF (physical unclonable function) machine learning attack resisting method based on matrix encryption
CN115865302A (en) Multi-party matrix multiplication method with privacy protection attribute
CN114817954A (en) Image processing method, system and device
CN111788584A (en) A neural network computing method and device
JPWO2018207348A1 (en) Inverse image sampling device, inverse image sampling method, and inverse image sampling program
CN108536651B (en) Method and apparatus for generating an invertible modulo m matrix
CN112383394A (en) Novel incremental signature method based on ideal lattice

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant