CN109150533B - Key recovery device and method for UOV signature - Google Patents

Publication number: CN109150533B
Authority: CN (China)
Application number: CN201710464016.1A
Other versions: CN109150533A (en)
Other languages: Chinese (zh)
Inventor: 易海博
Assignee (current and original): Shenzhen Polytechnic
Legal status: Active

Classifications

    • H04L 9/0894 (H04L 9/08 key distribution or management): escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/3247 (H04L 9/32 means for verifying the identity or authority of a user, or for message authentication): cryptographic mechanisms involving digital signatures

Abstract

The invention discloses a key recovery device for the UOV signature, comprising: a message and signature module for generating N message/signature pairs; a power consumption curve module for collecting the power consumption curve produced while each message/signature pair is generated; a key operation module for selecting in turn each calculation formula in which a key participates during UOV signature generation; a key guess value module for selecting in turn the elements of GF(2^k) as guesses of the key in each chosen calculation formula; and a central processing module for analysing the N power consumption curves under each guess value to obtain the key of the UOV signature algorithm. Correspondingly, the invention also discloses a key recovery method for the UOV signature. The method can recover the key quickly and expose the security problem of the UOV signature, thereby providing technical support for protecting UOV.

Description

Key recovery device and method for UOV signature
Technical Field
The invention relates to the technical field of information security, in particular to a key recovery device and method for a UOV signature.
Background
The UOV signature is a multivariate signature scheme that resists quantum computer attacks. Its security rests on an NP-hard problem: solving a system of multivariate quadratic equations over a finite field.
The multivariate structure of the UOV signature
Figure BDA0001325487130000011
contains a central mapping transformation and an affine transformation: y_0, y_1, ..., y_{m-1} is the message, x_0, x_1, ..., x_{n-1} is the signature, F is the central mapping transformation, L is the affine transformation, and the key consists of the parameters of F and L. The inverse of the central mapping transformation
Figure BDA0001325487130000012
comprises a system of multivariate quadratic equations, and
Figure BDA0001325487130000013
is the result of the central mapping transformation. The inverse of the affine transformation
Figure BDA0001325487130000014
has the form
Figure BDA0001325487130000015
where A is an n × n matrix, b is a vector of length n, and A and b are the key.
In the prior art, key recovery for the UOV signature relies mainly on algebraic analysis, which is inefficient and to some extent hinders wide application of the UOV signature.
Disclosure of Invention
The embodiment of the invention provides a key recovery device and a key recovery method for a UOV signature, which can quickly recover a key and find the security problem of the UOV signature, thereby providing technical support for protecting the UOV.
The embodiment of the invention provides a key recovery device for UOV signatures, comprising:
a message and signature module for generating N message/signature pairs based on the UOV signature algorithm, where N is a positive integer greater than 2000;
a power consumption curve module for acquiring the power consumption curve generated while each message/signature pair is produced, giving N power consumption curves;
a key operation module for selecting in turn each calculation formula in which a key participates during UOV signature generation;
a key guess value module for selecting in turn the elements of GF(2^k) as guesses of the key in each chosen calculation formula; and
a central processing module for invoking the message and signature module, the power consumption curve module, the key operation module and the key guess value module; for each selected guess value it obtains the input values of the calculation formula from the messages of the N message/signature pairs in turn, evaluates the formula to obtain N output values, and analyses the N power consumption curves on the basis of the N input values and N output values corresponding to each guess value to obtain the key of the UOV signature algorithm.
Further, the key comprises a plurality of elements, and the elements of GF(2^k) are selected in turn as guess values for each element of the key;
the central processing module comprises a controller and a processor;
the controller is used to call the message and signature module, the power consumption curve module, the key operation module and the key guess value module;
the processor is used, after a guess value has been selected for an element of the key and the formula evaluated, to calculate the Hamming distance between each input value and its corresponding output value, giving N Hamming distances for each guess value, which correspond one to one with the N power consumption curves;
the controller is further used to group the N power consumption curves by Hamming distance, so that curves whose Hamming distance is larger than a preset value form a first group and curves whose Hamming distance is smaller than the preset value form a second group;
the processor is further used to perform a difference operation on the two groups of power consumption curves to obtain a curve for each guess value;
the controller is further configured to take the maximum amplitude of each curve as the extreme value of that curve, so obtaining an extreme value for each guess value, to take the guess value whose curve has the largest extreme value as the element of the key, and thus, element by element, to obtain the whole key in the calculation formula.
Further, the difference operation is calculated as follows:
Figure BDA0001325487130000031
Figure BDA0001325487130000032
Figure BDA0001325487130000033
where Δ is the curve of a guess value, t_i is the i-th power consumption curve, T_0 is the first group of power consumption curves, T_1 is the second group of power consumption curves, |T_0| is the number of curves in the first group, |T_1| is the number of curves in the second group,
Figure BDA0001325487130000034
is the Hamming distance between the i-th input value D and the i-th output value R, and k is a positive integer.
Further, the calculation formula in which each key participates during UOV signature generation is
Figure BDA0001325487130000035
where D is the input value, E is the key, R is the output value, □ denotes addition or multiplication, and D, E and R are all composed of elements of GF(2^k).
Further, the UOV signature algorithm includes a first affine transformation calculation formula
Figure BDA0001325487130000036
where y is the message of the message/signature pair,
Figure BDA0001325487130000037
is the result of the affine transformation of y, A is an m × m matrix, and b is a vector of length m;
the first affine transformation calculation formula comprises a first calculation formula a_ij' = a_ij × y_i and a second calculation formula b_i' = a_ij' + b_i, with 0 ≤ i ≤ m-1 and 0 ≤ j ≤ n-1;
where, in the first calculation formula, y_i is the input value D, a_ij is the key E and a_ij' is the output value R; in the second calculation formula, a_ij' is the input value D, b_i is the key E and b_i' is the output value R.
Further, the key recovery device for UOV signature further comprises a random variable control module;
the random variable control module is used for fixing random variables in the UOV signature generation process;
the controller is also used for calling the random variable control module.
Further, the UOV signature algorithm includes a central mapping calculation formula
Figure BDA0001325487130000038
Figure BDA0001325487130000039
is
Figure BDA00013254871300000310
after the inverse transformation of the central map,
Figure BDA00013254871300000311
where O and V are the two types of variables;
the central mapping calculation formula includes a plurality of multivariate equations:
Figure BDA00013254871300000312
the multivariate equations are divided into a first-layer calculation formula V_j' = α_ij V_j, a second-layer calculation formula V_j'' = V_j' + δ_i, a third-layer calculation formula V_i' = β_ij V_i, a fourth-layer calculation formula V_i'' = γ_i V_i, and a fifth-layer calculation formula
Figure BDA0001325487130000041
where, in the first-layer formula, V_j is fixed to a preset value by the random variable control module as the input value D, α_ij is the key E and V_j' is the output value R; in the second-layer formula, V_j' is the input value D, δ_i is the key E and V_j'' is the output value R; in the third-layer formula, V_i is fixed to a preset value by the random variable control module as the input value D, β_ij is the key E and V_i' is the output value R; in the fourth-layer formula, V_i is fixed to a preset value by the random variable control module as the input value D, γ_i is the key E and V_i'' is the output value R; in the fifth-layer formula,
Figure BDA0001325487130000042
is the input value D, η is the key E, and
Figure BDA0001325487130000043
is the output value R.
Further, the UOV signature algorithm includes a second affine transformation calculation formula
Figure BDA0001325487130000044
where x is
Figure BDA0001325487130000045
after the affine transformation, C is an n × n matrix, and d is a vector of length n;
the second affine transformation calculation formula includes a third calculation formula
Figure BDA0001325487130000046
and a fourth calculation formula d_i' = c_ij' + d_i;
where, in the third calculation formula,
Figure BDA0001325487130000047
is the input value D, c_ij is the key E and c_ij' is the output value R; in the fourth calculation formula, c_ij' is the input value D, d_i is the key E and d_i' is the output value R.
Correspondingly, an embodiment of the present invention further provides a key recovery method for UOV signatures, comprising:
generating N message/signature pairs based on the UOV signature algorithm, where N is a positive integer greater than 2000;
acquiring the power consumption curve generated while each message/signature pair is produced, giving N power consumption curves;
selecting in turn each calculation formula in which a key participates during UOV signature generation;
selecting in turn the elements of GF(2^k) as guesses of the key in each chosen calculation formula; and
for each selected guess value, obtaining the input values of the calculation formula from the messages of the N message/signature pairs in turn, evaluating the formula to obtain N output values, and analysing the N power consumption curves on the basis of the N input values and N output values corresponding to each guess value to obtain the key of the UOV signature algorithm.
The embodiment of the invention has the following beneficial effects:
the key recovery device and method for UOV signatures provided by the embodiment of the invention generate message/signature pairs together with their power consumption curves, run the UOV signature algorithm under a chosen key guess value, and analyse the power consumption curves against the result of that computation to obtain the real key. This allows the key of the UOV signature algorithm to be recovered quickly and the security problem of the UOV signature to be exposed, providing technical support for protecting UOV.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of the key recovery device for UOV signatures provided by the present invention;
Fig. 2 is a schematic flowchart of an embodiment of the key recovery method for UOV signatures provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, an embodiment of the key recovery device for UOV signatures provided by the present invention comprises:
a message and signature module 1 for generating N message/signature pairs based on the UOV signature algorithm, where N is a positive integer greater than 2000;
a power consumption curve module 2 for collecting the power consumption curve generated while each message/signature pair is produced, giving N power consumption curves;
a key operation module 3 for selecting in turn each calculation formula in which a key participates during UOV signature generation;
a key guess value module 4 for selecting in turn the elements of GF(2^k) as guesses of the key in each chosen calculation formula; and
a central processing module 5 configured to invoke the message and signature module, the power consumption curve module, the key operation module and the key guess value module; for each selected guess value it obtains the input values of the calculation formula from the messages of the N message/signature pairs in turn, evaluates the formula to obtain N output values, and analyses the N power consumption curves on the basis of the N input values and N output values corresponding to each guess value to obtain the key of the UOV signature algorithm.
It should be noted that the message of a message/signature pair is the message y_0, y_1, ..., y_{m-1} of the UOV signature algorithm, of size m bytes, where y_0, y_1, ..., y_{m-1} are all elements of the finite field GF(2^k) and k is a positive integer; the signature of the pair is x_0, x_1, ..., x_{n-1}, of size n bytes, where x_0, x_1, ..., x_{n-1} are all elements of the finite field GF(2^k). Generating one message/signature pair produces one power consumption curve, so the N message/signature pairs correspond one to one with N power consumption curves. Each power consumption curve records the power consumed at every time point during the generation of a single signature.
The central processing module is connected to the message and signature module, the power consumption curve module, the key operation module and the key guess value module. It schedules and controls the modules connected to it and performs the computations of the UOV key recovery process. The message and signature module generates N message/signature pairs for the key to be analysed. The key operation module selects the finite field addition, multiplication and inversion operations in which the key participates during UOV signature generation. The key guess value module consists of all elements of the finite field GF(2^k), i.e. (00...00)_2 to (11...11)_2.
During the analysis the key is guessed first, the range of guesses being all elements of GF(2^k): the elements of GF(2^k) are taken in turn as the guess value of the key, and at the same time N input values are obtained from the N messages of the N message/signature pairs. For each guess value the N input values are substituted in turn into the calculation formula to obtain N output values, so that each guess value corresponds to N input values, N output values and N power consumption curves, all in one-to-one correspondence. For each guess value the Hamming distance between each of the N input values and its corresponding output value is calculated, giving N Hamming distances that correspond one to one with the N power consumption curves. The N power consumption curves are then analysed on the basis of the N Hamming distances to obtain an analysis result for that guess value, and the true value of the key is determined from the analysis results of all guess values.
Further, the key comprises a plurality of elements, and the elements of GF(2^k) are selected in turn as guess values for each element of the key;
the central processing module comprises a controller and a processor;
the controller is used to call the message and signature module, the power consumption curve module, the key operation module and the key guess value module;
the processor is used, after a guess value has been selected for an element of the key and the formula evaluated, to calculate the Hamming distance between each input value and its corresponding output value, giving N Hamming distances for each guess value, which correspond one to one with the N power consumption curves;
the controller is further used to group the N power consumption curves by Hamming distance, so that curves whose Hamming distance is larger than a preset value form a first group and curves whose Hamming distance is smaller than the preset value form a second group;
the processor is further used to perform a difference operation on the two groups of power consumption curves to obtain a curve for each guess value;
the controller is further configured to take the maximum amplitude of each curve as the extreme value of that curve, so obtaining an extreme value for each guess value, to take the guess value whose curve has the largest extreme value as the element of the key, and thus, element by element, to obtain the whole key in the calculation formula.
It should be noted that the controller is used for scheduling and controlling the modules connected to the central processing module, and the processor is used for processing the operation in the UOV key recovery process.
Further, the difference operation is calculated as follows:
Figure BDA0001325487130000071
Figure BDA0001325487130000072
Figure BDA0001325487130000073
where Δ is the curve of a guess value, t_i is the i-th power consumption curve, T_0 is the first group of power consumption curves, T_1 is the second group of power consumption curves, |T_0| is the number of curves in the first group, |T_1| is the number of curves in the second group,
Figure BDA0001325487130000074
is the Hamming distance between the i-th input value D and the i-th output value R, and k is a positive integer.
In specific application, the controller calls the message and signature module to generate N message signature pairs, calls the power consumption curve module to generate N corresponding power consumption curves, and calls the key operation module to sequentially select a calculation formula in which all keys participate in the UOV signature generation process.
The key in a calculation formula generally comprises a plurality of elements, and each element must be guessed and determined separately. When analysing one element of the key, the controller calls the key guess value module to select an element of GF(2^k) as the guess value for that element; for each selected guess value, the processor computes the N output values corresponding one to one with the N input values, and the Hamming distance between each input value and its output value. The controller divides the N power consumption curves into two groups: when the Hamming distance between an input value and its output value is smaller than the preset value, the corresponding power consumption curve is placed in the first group; when the Hamming distance is larger than or equal to the preset value, the corresponding curve is placed in the second group. The processor computes the curve of the selected guess value from the two groups of power consumption curves, and the controller takes the maximum absolute value of the curve as its maximum amplitude. Once every guess value has been selected in turn, the controller has the maximum amplitude of the curve of every guess value; writing max_i for the maximum amplitude of the curve of the i-th guess value gives the set (max_0, max_1, ...), from which the largest value max_j is selected, and the guess value whose curve has this maximum value max_j is taken as the true value of the element of the key. The true values of the other elements of the key are obtained in the same way, and once all elements are known the key is obtained.
Further, the calculation formula in which each key participates during UOV signature generation is
Figure BDA0001325487130000081
where D is the input value, E is the key, R is the output value,
Figure BDA0001325487130000082
denotes addition or multiplication, and D, E and R are all composed of elements of GF(2^k).
It should be noted that in the UOV signature algorithm the hash of the message to be signed has length m bytes and the signed message has length n bytes. The private key consists of an invertible affine transformation and a central mapping transformation, and the public key is the composition of the central mapping transformation with the invertible affine transformation. The inverse of the invertible affine transformation, L^{-1}, has the form
Figure BDA0001325487130000083
where A is an n × n matrix, b is a vector of dimension n, and both A and b act as private key. The central mapping transformation F consists of m multivariate polynomials (f_0, f_1, ..., f_{m-1}) and has the form
Figure BDA0001325487130000084
Figure BDA0001325487130000085
is the finite set of vinegar and oil variables:
Figure BDA0001325487130000086
is the finite set of vinegar variables, n-m vinegar variables in total, used as private key;
Figure BDA0001325487130000087
is the finite set of oil variables, m oil variables in total. Each multivariate quadratic polynomial f_0, f_1, ..., f_{m-1} is defined as f(O_0, O_1, ..., O_{m-1}) = Σ α_ij O_i V_j + Σ β_ij V_i V_j + Σ γ_i V_i + Σ δ_i O_i + η, where O_i is an oil variable, V_i and V_j are vinegar variables, and the coefficients α_ij, β_ij, γ_i, δ_i and η of the multivariate quadratic polynomial are used as key.
For example, the message has length 28 bytes and the signature has length 56 bytes, and UOV operates in the finite field GF(2^8). A is a 56 × 56 matrix, b is a vector of dimension 56, and both A and b act as private key. The central mapping transformation F consists of 28 multivariate polynomials (f_0, f_1, ..., f_27) and has the form
Figure BDA0001325487130000091
Figure BDA0001325487130000092
is the finite set of vinegar and oil variables:
Figure BDA0001325487130000093
is the finite set of vinegar variables, 28 vinegar variables in total, used as private key;
Figure BDA0001325487130000094
is the finite set of oil variables, 28 oil variables in total. Each multivariate quadratic polynomial f_0, f_1, ..., f_27 is defined as f(O_0, O_1, ..., O_27) = Σ α_ij O_i V_j + Σ β_ij V_i V_j + Σ γ_i V_i + Σ δ_i O_i + η, where O_i is an oil variable, V_i and V_j are vinegar variables, and the coefficients α_ij, β_ij, γ_i, δ_i and η of the multivariate quadratic polynomial are used as key.
Further, the UOV signature algorithm includes a first affine transformation calculation formula
Figure BDA0001325487130000095
where y is the message of the message/signature pair,
Figure BDA0001325487130000096
is the result of the affine transformation of y, A is an m × m matrix, and b is a vector of length m;
the first affine transformation calculation formula comprises a first calculation formula a_ij' = a_ij × y_i and a second calculation formula b_i' = a_ij' + b_i, with 0 ≤ i ≤ m-1 and 0 ≤ j ≤ n-1;
where, in the first calculation formula, y_i is the input value D, a_ij is the key E and a_ij' is the output value R; in the second calculation formula, a_ij' is the input value D, b_i is the key E and b_i' is the output value R.
In the first calculation formula, a_ij is the element of the key A in row i and column j, y_i is the i-th element of the message y, and a_ij' is the result of the finite field multiplication; all are elements of the finite field GF(2^k). Let D = y_i, R = a_ij' and E = a_ij, and start guessing the key over all elements of GF(2^k). Since E (the guess value of the key) and D (an element of the message) are known, R is obtained by computing R = E × D, and on the basis of
Figure BDA0001325487130000097
the key a_ij is analysed with the Hamming distance model.
In the second calculation formula, let D = a_ij', R = b_i' and E = b_i, and start guessing the key. Once the key a_ij has been analysed, a_ij' is obtained by calculation (known), b_i is the i-th element of the key b and is the guess value (known), and b_i' is the result of the finite field addition; on the basis of
Figure BDA0001325487130000101
the key b_i is analysed with the Hamming distance model.
Suppose 2000 message/signature pairs and the corresponding 2000 power consumption curves are generated, A is a 26 × 26 matrix, b is a vector of length 26, and A, b, y and
Figure BDA0001325487130000102
all consist of elements of the finite field GF(2^8). Take the calculation a_ij' = a_ij × y_i as an example: let D = y_i, R = a_ij' and E = a_ij, and start guessing the key over all elements of GF(2^8). Since E (the guess value of the key) and D (an element of the message) are known, R is obtained by computing R = E × D. On the basis of the Hamming distance between D and R,
Figure BDA0001325487130000103
the 2000 power consumption curves are divided into two groups:
Figure BDA0001325487130000104
Figure BDA0001325487130000105
A difference operation is then carried out on the two groups of power consumption curves to obtain a curve for each guess value; the maximum amplitude of each curve is taken as its extreme value, giving an extreme value for each guess value, and the guess value whose curve has the largest extreme value is taken as the true value of the key.
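As an added example (not the patent's own code), the following Python harness carries out the procedure just described for the first calculation formula a_ij' = a_ij × y_i, using the grouping and difference-operation formulas given earlier, on traces constructed in software; an implementer can use it to check whether this multiplication step is distinguishable under a Hamming-distance leakage model before deploying an implementation. Assumptions not taken from the page: the GF(2^8) reduction polynomial 0x11B, the preset threshold 4, a synthetic leakage model with Gaussian noise, and 1000 traces rather than the 2000 of the description.

```python
"""Difference-of-means leakage check for the UOV step a_ij' = a_ij x y_i.
Added example with constructed traces; the leakage model, reduction
polynomial and threshold below are assumptions, not the patent's values."""
import random

FIELD_SIZE = 256       # GF(2^8): the worked example above uses k = 8
HD_THRESHOLD = 4       # assumed preset value splitting traces into two groups
GF_POLY = 0x11B        # assumed reduction polynomial (the one used by AES);
                       # the patent does not state which polynomial UOV uses

def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo GF_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= GF_POLY
        b >>= 1
    return r

def hamming_distance(d, r):
    """HD(D, R): number of bit positions in which D and R differ."""
    return bin(d ^ r).count("1")

def make_traces(key_byte, n_traces, n_samples=16, leak_index=7,
                noise_sd=1.0, seed=1):
    """Construct N (input, trace) pairs for a known key byte a_ij: D plays y_i,
    sample leak_index carries HD(D, key_byte * D) plus noise, the rest noise."""
    rng = random.Random(seed)
    inputs, traces = [], []
    for _ in range(n_traces):
        d = rng.randrange(FIELD_SIZE)
        r = gf256_mul(key_byte, d)
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        trace[leak_index] += hamming_distance(d, r)
        inputs.append(d)
        traces.append(trace)
    return inputs, traces

def difference_curve(inputs, traces, guess, threshold=HD_THRESHOLD):
    """Curve of one guess value E: traces whose predicted HD(D, E * D) is
    below the threshold form T0, the rest T1; the curve is mean(T1) - mean(T0)
    sample by sample (only the amplitude matters, so the sign is immaterial)."""
    # Which group each possible input byte falls into under this guess.
    group_of = [1 if hamming_distance(d, gf256_mul(guess, d)) >= threshold
                else 0 for d in range(FIELD_SIZE)]
    n_samples = len(traces[0])
    sums = [[0.0] * n_samples, [0.0] * n_samples]
    counts = [0, 0]
    for d, trace in zip(inputs, traces):
        g = group_of[d]
        counts[g] += 1
        row = sums[g]
        for s, v in enumerate(trace):
            row[s] += v
    if 0 in counts:
        # A guess that puts every input in one group (e.g. E = 1, where
        # R = D and HD is always 0) leaves a group empty: no usable curve.
        return [0.0] * n_samples
    return [sums[1][s] / counts[1] - sums[0][s] / counts[0]
            for s in range(n_samples)]

def curve_extreme(curve):
    """Maximum amplitude of a curve: its largest absolute value."""
    return max(abs(v) for v in curve)

def rank_guesses(inputs, traces):
    """Return (guess with the largest extreme, extremes indexed by guess)."""
    extremes = [curve_extreme(difference_curve(inputs, traces, e))
                for e in range(FIELD_SIZE)]
    best = max(range(FIELD_SIZE), key=extremes.__getitem__)
    return best, extremes

def margin(extremes, true_key):
    """Ratio of the true key's extreme to the best other guess's extreme: near
    1 means the candidates are not separable from these traces."""
    best_other = max(v for e, v in enumerate(extremes) if e != true_key)
    return extremes[true_key] / best_other if best_other else float("inf")

if __name__ == "__main__":
    KEY = 0x3A   # constructed key byte a_ij
    ins, trs = make_traces(KEY, n_traces=1000)
    found, ext = rank_guesses(ins, trs)
    print(f"true a_ij {KEY:#04x}, best candidate {found:#04x}, "
          f"margin {margin(ext, KEY):.2f}")
```

A margin close to 1 across repeated synthetic runs indicates that the modelled leakage is too weak for the difference-of-means analysis to separate candidates, which is the property a protected implementation should show.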
Further, the key recovery device for UOV signature also includes a random variable control module 6;
the random variable control module 6 is used for fixing random variables in the UOV signature generation process;
the controller is also used for calling the random variable control module.
Further, the UOV signature algorithm includes a central mapping calculation formula
Figure BDA0001325487130000106
Figure BDA0001325487130000107
is
Figure BDA0001325487130000108
after the inverse transformation of the central map,
Figure BDA0001325487130000109
where O and V are the two types of variables;
the central mapping calculation formula includes a plurality of multivariate equations:
Figure BDA00013254871300001010
the multivariate equations are divided into a first-layer calculation formula V_j' = α_ij V_j, a second-layer calculation formula V_j'' = V_j' + δ_i, a third-layer calculation formula V_i' = β_ij V_i, a fourth-layer calculation formula V_i'' = γ_i V_i, and a fifth-layer calculation formula
Figure BDA00013254871300001011
where, in the first-layer formula, V_j is fixed to a preset value by the random variable control module as the input value D, α_ij is the key E and V_j' is the output value R; in the second-layer formula, V_j' is the input value D, δ_i is the key E and V_j'' is the output value R; in the third-layer formula, V_i is fixed to a preset value by the random variable control module as the input value D, β_ij is the key E and V_i' is the output value R; in the fourth-layer formula, V_i is fixed to a preset value by the random variable control module as the input value D, γ_i is the key E and V_i'' is the output value R; in the fifth-layer formula,
Figure BDA0001325487130000111
is the input value D, η is the key E, and
Figure BDA0001325487130000112
is the output value R.
It should be noted that, in the key analysis process in the central mapping calculation formula, the controller calls the random variable control module to fix the generated random variable to a preset value, that is, the random variables are fixed to (00000001) in sequence2To (11111111)2The value of (c).
The center mapping calculation formula includes a plurality of multivariable equations divided into a plurality of layers, wherein V of a first layer is a random variable and V of a next layer is composed of O and V of an upper layer, so that the plurality of multivariable equations are reduced to a first-order polynomial with respect to O by operation, and a value of O is obtained by solving a finite field linear equation set.
In the first layer of calculation formula, let D = V_j, R = V_j′, E = α_ij; V_j is fixed to a preset value by the random variable control module, and based on
Figure BDA0001325487130000113
the key α_ij is analyzed using the Hamming distance model. In the second layer calculation formula, let D = V_j′, R = V_j″, E = δ_i; V_j is fixed to a preset value by the random variable control module, and based on
Figure BDA0001325487130000114
the key δ_i is analyzed using the Hamming distance model. In the third layer of calculation formula, let D = V_i, R = V_i′, E = β_ij; V_i is fixed to a preset value by the random variable control module, and based on
Figure BDA0001325487130000115
the key β_ij is analyzed using the Hamming distance model. In the fourth layer of calculation formula, let D = V_i, R = V_i″, E = γ_i; V_i is fixed to a preset value by the random variable control module, and based on
Figure BDA0001325487130000116
the key γ_i is analyzed using the Hamming distance model. For the fifth layer of calculation formula, let
Figure BDA0001325487130000117
E = η, calculate
Figure BDA0001325487130000118
and then, based on
Figure BDA0001325487130000119
The key η is analyzed using a hamming distance model.
Further, the UOV signature algorithm further includes a second affine transformation calculation formula
Figure BDA00013254871300001110
x is
Figure BDA00013254871300001111
the result after affine transformation; C is an n × n matrix, and d is a vector of length n;
the second affine transformation calculation formula includes a third calculation formula
Figure BDA00013254871300001112
and a fourth calculation formula d_i′ = c_ij′ + d_i;
Wherein, in the third calculation formula,
Figure BDA0001325487130000121
is the input value D, c_ij is the key E, c_ij′ is the output value R; in the fourth calculation formula, c_ij is the input value D, d_i is the key E, d_i′ is the output value R.
In the third calculation formula, c_ij is the element of key C in row i, column j,
Figure BDA0001325487130000122
is the result of a central mapping transformation
Figure BDA0001325487130000123
the ith element; c_ij′ is the finite field multiplication result, and all are elements of the finite field GF(2^k). Let
Figure BDA0001325487130000124
R = c_ij′, E = c_ij, and start guessing the key over the range of all elements of GF(2^k); since E is the (known) guess of the key and D is a (known) element of the result of the central map transformation, R is obtained by calculation from R = E × D, and based on
Figure BDA0001325487130000125
the key c_ij is analyzed using the Hamming distance model.
In the fourth calculation formula, let D = c_ij′, R = d_i′, E = d_i, and start guessing the key. Since E is the (known) guess of the key and D is (known) from the calculation, R is calculated from R = E + D, and based on
Figure BDA0001325487130000126
the key d_i is analyzed using the Hamming distance model.
After all keys of the UOV signature are obtained by the method, key recovery of the UOV signature is completed.
The key recovery device for the UOV signature provided by the embodiment of the invention can generate a message signature pair and a corresponding power consumption curve, operate the UOV signature algorithm by adopting a mode of setting a key guess value, analyze the power consumption curve based on an operation result and obtain a real key, thereby realizing the quick recovery of the key in the UOV signature algorithm, finding the security problem of the UOV signature and providing technical support for protecting the UOV.
Referring to fig. 2, it is a schematic flow chart of an embodiment of the key recovery method for UOV signature provided in the invention, including:
S1, generating N pairs of message signatures based on the UOV signature algorithm; wherein N is a positive integer greater than 2000;
S2, collecting the power consumption curves generated in the generation process of each message signature pair to obtain N power consumption curves;
S3, sequentially selecting the calculation formulas in which all keys participate in the UOV signature generation process;
S4, selecting in sequence the elements of GF(2^k) as guess values of the key in each selected calculation formula;
and S5, when each guess value is selected, sequentially obtaining the input values of the calculation formula according to the messages in the N pairs of message signatures and carrying out operation to obtain N output values, and analyzing the N power consumption curves based on the N input values and the N output values corresponding to each guess value to obtain the key in the UOV signature algorithm.
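The layered analysis of the central map and affine transformations described above, and steps S1 to S5, all reduce to one operation: for a formula R = E ⊗ D, partition the traces by the Hamming distance between the predicted D and R under each key guess, take the difference of the group means, and keep the guess whose curve has the largest extremum. The following Python program is an added educational example and is not code from the patent: it constructs synthetic power curves for a single multiplication R = E × D in GF(2^8) under a Hamming-distance leakage model, runs the grouping and differential for all 256 guesses, and shows that the correct key element is the one with the largest extremum. It then repeats the run against a simulated device that stores R masked with a fresh random value per signature (the standard masking countermeasure) and shows the differential collapsing to noise, which is the check a defender would want when evaluating a UOV implementation. The reduction polynomial 0x11B, the trace length, the leak position, the noise level, the threshold of 4 and the key value 0x5B are assumptions of this example, not values taken from the patent.

```python
"""Simulated Hamming-distance difference-of-means analysis of R = E x D over GF(2^8).

Added example, not code from patent CN109150533B.  Everything the patent does
not state is an assumption of this example: the reduction polynomial 0x11B,
trace length and leak position, Gaussian noise level, the grouping threshold
of 4, and the leakage model (one sample per constructed trace equals HD(D, R)
plus noise; every other sample is noise only).
"""
import random

POLY = 0x11B          # assumed GF(2^8) reduction polynomial (the AES polynomial)
TRACE_LEN = 16        # assumed number of samples per constructed power curve
LEAK_IDX = 9          # assumed sample index at which the register update leaks
THRESHOLD = 4         # assumed "preset value" for the Hamming-distance grouping


def gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add, reduced by POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def hamming_distance(d, r):
    """HD(D, R): number of bit positions in which input D and output R differ."""
    return bin(d ^ r).count("1")


def simulate_traces(key, n, sigma, masked, rng):
    """Construct n (input, trace) pairs for the formula R = key x D.

    Unprotected device: the leaking sample is HD(D, R).  Masked device: R is
    stored as R ^ m with a fresh uniform mask m per signature, so the sample
    becomes HD(D, R ^ m), which is independent of the key.
    """
    inputs, traces = [], []
    for _ in range(n):
        d = rng.randrange(256)                  # one message element, uniform
        r = gf_mul(key, d)
        if masked:
            r ^= rng.randrange(256)
        trace = [rng.gauss(0.0, sigma) for _ in range(TRACE_LEN)]
        trace[LEAK_IDX] += hamming_distance(d, r)
        inputs.append(d)
        traces.append(trace)
    return inputs, traces


def difference_of_means(inputs, traces, guess):
    """Delta curve for one guess: mean of group T0 (HD > THRESHOLD) minus mean
    of group T1 (HD < THRESHOLD); traces with HD == THRESHOLD join neither."""
    predicted = [gf_mul(guess, d) for d in range(256)]   # R for every possible D
    sum0, sum1 = [0.0] * TRACE_LEN, [0.0] * TRACE_LEN
    n0 = n1 = 0
    for d, trace in zip(inputs, traces):
        hd = hamming_distance(d, predicted[d])
        if hd > THRESHOLD:
            sum0 = [s + t for s, t in zip(sum0, trace)]
            n0 += 1
        elif hd < THRESHOLD:
            sum1 = [s + t for s, t in zip(sum1, trace)]
            n1 += 1
    if n0 == 0 or n1 == 0:
        return [0.0] * TRACE_LEN   # guess 1 gives R == D, so HD == 0 for every trace
    return [s0 / n0 - s1 / n1 for s0, s1 in zip(sum0, sum1)]


def recover_key(inputs, traces):
    """Rank all 256 guesses by the extremum (maximum amplitude) of their Delta curve.

    Returns (best_guess, best_extremum, runner_up_extremum).
    """
    ranked = sorted(
        ((max(abs(v) for v in difference_of_means(inputs, traces, g)), g)
         for g in range(256)),
        reverse=True,
    )
    return ranked[0][1], ranked[0][0], ranked[1][0]


def demo(seed=1, n=2500, sigma=0.8):
    """Run the analysis against an unprotected and a masked simulated device."""
    rng = random.Random(seed)
    true_key = 0x5B                             # constructed key element
    inputs, traces = simulate_traces(true_key, n, sigma, False, rng)
    plain = recover_key(inputs, traces)
    inputs, traces = simulate_traces(true_key, n, sigma, True, rng)
    masked = recover_key(inputs, traces)
    return {"true_key": true_key, "plain": plain, "masked": masked}


if __name__ == "__main__":
    result = demo()
    print("unprotected: guess 0x%02X extremum %.2f (runner-up %.2f)" % result["plain"])
    print("masked:      guess 0x%02X extremum %.2f (runner-up %.2f)" % result["masked"])
```

The unprotected run produces an extremum near 3 at the leaking sample for the correct guess (the gap between the mean Hamming weight of the HD > 4 and HD < 4 groups), while every wrong guess yields a smaller peak; with the mask in place the largest extremum over all guesses is indistinguishable from noise, so the grouping step has nothing to work with. Evaluators can reuse the same harness with real traces by replacing `simulate_traces` with captured curves and the recorded message elements.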
The key recovery method for the UOV signature provided by the embodiment of the invention can generate a message signature pair and a corresponding power consumption curve, operate the UOV signature algorithm by adopting a mode of setting a key guess value, analyze the power consumption curve based on an operation result and obtain a real key, thereby realizing the quick recovery of the key in the UOV signature algorithm, finding the security problem of the UOV signature and providing technical support for protecting the UOV.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (3)

1. A UOV signed key recovery device, comprising:
the message and signature module is used for generating N pairs of message signatures based on a UOV signature algorithm; wherein N is a positive integer greater than 2000;
the power consumption curve module is used for acquiring power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
the key operation module is used for sequentially selecting calculation formulas in which all keys participate in the UOV signature generation process;
a key guess value module for selecting in turn the elements of GF(2^k) as guess values of the key in each selected calculation formula; and
the central processing module is used for calling the message and signature module, the power consumption curve module, the key operation module and the key guess value module, acquiring input values of the calculation formula and operating the input values according to the messages in the N pairs of message signatures in sequence when each guess value is selected to obtain N output values, and analyzing the N power consumption curves to obtain the keys in the UOV signature algorithm based on the N input values and the N output values corresponding to each guess value;
the key comprises a plurality of elements; the elements of GF(2^k) are chosen in sequence as guess values for each element in the key;
the central processing module comprises a controller and a processor;
the controller is used for calling the message and signature module, the power consumption curve module, the key operation module and the key guess value module;
the processor is used for calculating the Hamming distance between each input value and the corresponding output value after selecting a guess value for each element in the key for operation, and obtaining N Hamming distances corresponding to each guess value; the N Hamming distances correspond to the N power consumption curves one by one;
the controller is further used for grouping the N power consumption curves according to the Hamming distance, so that the power consumption curves with the Hamming distance larger than a preset value are in a first group, and the power consumption curves with the Hamming distance smaller than the preset value are in a second group;
the processor is also used for carrying out differential operation on the two groups of power consumption curves to obtain a curve of each guessed value;
the controller is further configured to use the maximum amplitude of the curve of each guess value as an extremum of the curve of the guess value, obtain the extremum of the curve of each guess value, use the guess value corresponding to the curve of the guess value with the maximum extremum as the element in the key, and further obtain all elements in the key to obtain the key in the calculation formula;
the calculation formula of the difference operation is as follows:
Figure FDA0003048568550000021
Figure FDA0003048568550000022
Figure FDA0003048568550000023
where Δ is the curve of the guess value, t_i is the ith power consumption curve, T_0 is the first set of power consumption curves, T_1 is the second set of power consumption curves, |T_0| is the number of curves in the first set, |T_1| is the number of curves in the second set,
Figure FDA0003048568550000024
is the Hamming distance between the ith input value D and the ith output value R, and k is a positive integer;
the calculation formula of all the keys participating in the UOV signature generation process is
Figure FDA0003048568550000025
Where D is the input value, E is the key, R is the output value,
Figure FDA0003048568550000026
denotes addition or multiplication, and D, E and R are all composed of elements of GF(2^k); the key recovery device of the UOV signature also comprises a random variable control module;
the random variable control module is used for fixing random variables in the UOV signature generation process;
the controller is also used for calling the random variable control module;
the UOV signature algorithm comprises a first affine transformation calculation formula
Figure FDA0003048568550000027
y is the message in the message signature pair,
Figure FDA0003048568550000028
is the result after the affine transformation of y, a is an m × m matrix, b is a vector of length m;
the first affine transformation calculation formula comprises a first calculation formula a_ij′ = a_ij × y_i and a second calculation formula b_i′ = a_ij′ + b_i, 0 ≤ i ≤ m-1, 0 ≤ j ≤ n-1;
wherein in the first calculation formula, y_i is the input value D, a_ij is the key E, a_ij′ is the output value R; in the second calculation formula, a_ij is the input value D, b_i is the key E, b_i′ is the output value R; a_ij is the element of key a in row i, column j; y_i is the ith element of message y; a_ij′ is the finite field multiplication result, and all are elements of the finite field GF(2^k); b_i is the ith element of the key b, which is a guess value; b_i′ is the result of finite field addition;
the UOV signature algorithm comprises a central mapping calculation formula
Figure FDA0003048568550000031
Figure FDA0003048568550000032
is
Figure FDA0003048568550000033
the result after the inverse transformation of the central map,
Figure FDA0003048568550000034
the O and the V are two types of variables;
the center map calculation formula includes a plurality of multivariate equations:
Figure FDA0003048568550000035
the multiple multivariate equations are divided into a first layer calculation formula V_j′ = α_ij V_j, a second layer calculation formula V_j″ = V_j′ + δ_i, a third layer calculation formula V_i′ = β_ij V_i, a fourth layer calculation formula V_i″ = γ_i V_i, and the fifth calculation formula
Figure FDA0003048568550000036
Wherein, in the first layer of calculation formula, V_j is fixed to a preset value by the random variable control module as the input value D, α_ij is the key E, and V_j′ is the output value R; in the second layer of calculation formula, V_j is the input value D, δ_i is the key E, and V_j″ is the output value R; in the third layer of calculation formula, V_i is fixed to a preset value by the random variable control module as the input value D, β_ij is the key E, and V_i′ is the output value R; in the fourth layer of calculation formula, V_i is fixed to a preset value by the random variable control module as the input value D, γ_i is the key E, and V_i″ is the output value R; in the fifth-layer calculation formula,
Figure FDA0003048568550000037
is the input value D, η is the key E,
Figure FDA0003048568550000038
is an output value R;
in the calculation process, in the first layer of calculation formula, let D = V_j, R = V_j′, E = α_ij; V_j is fixed to a preset value by the random variable control module, and based on
Figure FDA0003048568550000039
the key α_ij is analyzed using the Hamming distance model; in the second layer calculation formula, let D = V_j′, R = V_j″, E = δ_i; V_j is fixed to a preset value by fault analysis, and based on
Figure FDA00030485685500000310
the key δ_i is analyzed using the Hamming distance model; in the third layer of calculation formula, let D = V_i, R = V_i′, E = β_ij; V_i is fixed to a preset value by the random variable control module, and based on
Figure FDA00030485685500000311
the key β_ij is analyzed using the Hamming distance model; in the fourth layer of calculation formula, let D = V_i, R = V_i″, E = γ_i; V_i is fixed to a preset value by the random variable control module, and based on
Figure FDA00030485685500000312
the key γ_i is analyzed using the Hamming distance model; for the fifth layer of calculation formula, let
Figure FDA00030485685500000313
E = η, calculate
Figure FDA00030485685500000314
and then, based on
Figure FDA00030485685500000315
The key η is analyzed using a hamming distance model.
2. The UOV signed key recovery device according to claim 1, wherein said UOV signature algorithm comprises a second affine transformation calculation formula
Figure FDA0003048568550000041
x is
Figure FDA0003048568550000042
the result after affine transformation; C is an n × n matrix, and d is a vector of length n;
the second affine transformation calculation formula includes a third calculation formula
Figure FDA0003048568550000043
and a fourth calculation formula d_i′ = c_ij′ + d_i;
Wherein, in the third calculation formula,
Figure FDA0003048568550000044
is the input value D, c_ij is the key E, c_ij′ is the output value R; in the fourth calculation formula, c_ij is the input value D, d_i is the key E, d_i′ is the output value R; c_ij is the element of key C in row i, column j;
Figure FDA0003048568550000045
is the result of a central mapping transformation
Figure FDA0003048568550000046
the ith element; c_ij′ is the finite field multiplication result, and all are elements of the finite field GF(2^k); d_i is the ith element of the key d, which is the guess value; d_i′ is the result of finite field addition.
3. A key recovery method for UOV signatures, implemented by the key recovery apparatus of any one of claims 1 to 2, comprising:
generating N pairs of message signatures based on a UOV signature algorithm; wherein N is a positive integer greater than 2000;
acquiring power consumption curves generated in the generation process of each pair of message signature pairs to obtain N power consumption curves;
sequentially selecting calculation formulas in which all keys participate in the UOV signature generation process;
choosing in sequence the elements of GF(2^k) as guess values of the key in each chosen calculation formula;
and when each guess value is selected, sequentially obtaining the input values of the calculation formula according to the messages in the N pairs of message signatures and carrying out operation to obtain N output values, and analyzing the N power consumption curves based on the N input values and the N output values corresponding to each guess value to obtain the key in the UOV signature algorithm.
CN201710464016.1A 2017-06-19 2017-06-19 Key recovery device and method for UOV signature Active CN109150533B (en)

Publications (2)

Publication Number Publication Date
CN109150533A CN109150533A (en) 2019-01-04
CN109150533B true CN109150533B (en) 2021-08-24

Family

ID=64804358

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157431A (en) * 2021-10-27 2022-03-08 上海朝夕网络技术有限公司 Block chain transaction processing method based on multivariate signature method and computer equipment

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016155565A1 (en) * 2015-03-30 2016-10-06 Jintai Ding Improvements on multivariate digital signature schemes based on hfev- and new applications of multivariate digital signature schemes for white-box encryption
CN105530091A (en) * 2016-01-29 2016-04-27 易海博 Decryption method for TTS signature

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
On the Importance of Checking Multivariate Public Key Cryptography for Side-Channel Attacks: The Case of enTTS Scheme; HaiBo Yi et al.; Oxford University Press on behalf of The British Computer Society; 2017-02-15; abstract, sections 2-4 of the body *
Optimization and Design of Finite Field Arithmetic and Multivariate Public Key Cryptography Hardware; 易海博; China Doctoral Dissertations Full-text Database, Information Science and Technology; 2015-08-31; chapters 2 and 6 of the body *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant