CN109687969A - Lattice-based digital signature method based on key consensus - Google Patents

Lattice-based digital signature method based on key consensus

Info

Publication number: CN109687969A
Authority: CN (China)
Prior art keywords: params, algorithm, aux, empty, function
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN201811462651.7A
Other languages: Chinese (zh)
Other versions: CN109687969B (en)
Inventors: 赵运磊, 程蕾晓
Current Assignee: Fudan University (as listed; may be inaccurate)
Original Assignee: Shanghai Hu Min Block Chain Science And Technology Co Ltd
Priority date: 2018-12-03
Filing date: 2018-12-03
Events: application filed by Shanghai Hu Min Block Chain Science And Technology Co Ltd; priority to CN201811462651.7A; publication of CN109687969A; priority to PCT/CN2019/112510 (WO2020114121A1); application granted; publication of CN109687969B; current legal status Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Such mechanisms or arrangements involving digital signatures

Abstract

A lattice-based digital signature method based on key consensus is provided. The sender Alice, running the method of the invention, obtains a private key sk and the public parameters params, runs the signature algorithm Sign(params, sk, M) on a message M to obtain the signature σ = (z, c, h), and publicly transmits σ = (z, c, h) to the recipient Bob, who also runs the method. Bob obtains the public key pk and, taking the message M and the signature σ = (z, c, h) on M as input, runs the verification algorithm Verify(pk, M, (z, c, h)), which outputs 1 or 0, indicating that verification passed or failed respectively. If verification passes, Bob accepts that the message M was sent by Alice. The method addresses how to design a digital signature, and has important applications in guaranteeing the integrity of transmitted information, authenticating the identity of the sender, and preventing repudiation in transactions.

Description

Lattice-based digital signature method based on key consensus
Technical field
The present invention relates to digital signature technology, which has important applications in guaranteeing the integrity of transmitted information, authenticating the identity of the information sender, and preventing repudiation in transactions.
Background technique
Digital signature technology is used to solve the following problem: the sender Alice signs a message M with a private key sk and obtains a signature σ. The recipient Bob verifies σ with the public key pk; if verification passes, Bob accepts that M was sent by Alice. The method of the invention addresses how to design such a digital signature so as to guarantee the integrity of transmitted information, authenticate the identity of the sender, and prevent repudiation in transactions.
Summary of the invention
The sender Alice, running the method of the invention, obtains a private key sk and the public parameters params, runs the signature algorithm Sign(params, sk, M) on a message M to obtain the signature σ = (z, c, h), and publicly transmits σ = (z, c, h) to the recipient Bob, who also runs the method. Bob obtains the public key pk, takes the message M and the signature σ = (z, c, h) on M as input, runs the verification algorithm Verify(pk, M, (z, c, h)) and obtains 1 or 0, indicating that verification passed or failed respectively. If verification passes, Bob accepts that the message M was sent by Alice. The method addresses how to design a digital signature, and has important applications in guaranteeing the integrity of transmitted information, authenticating the identity of the sender, and preventing repudiation in transactions.
A lattice-based digital signature method based on key consensus, in which {...} denotes a set of information items or values; R and R_q denote algebraic rings, where q is an integer; and the signature scheme consists of three algorithms: Gen, Sign(·) and Verify(·).
Gen is the key generation algorithm; its input includes a security parameter and its output includes a public key pk and a private key sk. Sign(·) is the signature algorithm; its input includes the system parameters params, the private key sk and a message M ∈ {0,1}*, where {0,1}* denotes the set of 0-1 strings of arbitrary length; its output includes (z, c, h), where c ∈ R, t is a positive integer, g_h(n, m, h, aux_h) is a function of n, m, h and aux_h, and aux_h is a possibly empty auxiliary parameter set for h. The sender Alice, running the method of the invention, obtains the private key sk and the public parameters params, runs the signature algorithm Sign(params, sk, M) on the message M to obtain the signature σ = (z, c, h), and publicly transmits σ = (z, c, h) to the recipient Bob, who also runs the method. Verify(·) is the verification algorithm; its input includes the system parameters params, the public key pk, the message M and the signature (z, c, h); it outputs 1 or 0, indicating that verification passed or failed respectively. Bob obtains the public key pk, takes the message M and the signature σ = (z, c, h) on M as input, runs Verify(pk, M, (z, c, h)) and obtains 1 or 0, indicating pass or fail. If verification passes, Bob accepts that the message M was sent by Alice.
Specific embodiment
A lattice-based digital signature method based on key consensus, in which {...} denotes a set of information items or values, and R and R_q denote algebraic rings, where q is an integer;
Gen is the key generation algorithm; its input includes a security parameter and its output includes a public key pk and a private key sk. The algorithm runs as follows:
(1) obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are integers and aux is a possibly empty set of other auxiliary system parameters;
(2) obtain
(3) obtain s_1 ∈ R^l and s_2 ∈ R^m, where s_1 is drawn from a certain set and s_2 is drawn from a certain, possibly empty, set;
(4) obtain
(5) obtain (t_1, t_0) = f_t(t, params, aux_t), where f_t is a function of t, params and aux_t, and aux_t is a possibly empty auxiliary parameter set for t;
(6) output the public key pk and the private key sk; the public key pk includes params, t_1, the information required to generate A, and aux_pk, where aux_pk is a possibly empty auxiliary parameter set for the public key; the private key sk includes s_1, s_2, t_0 and aux_sk, where aux_sk is a possibly empty auxiliary parameter set for the private key;
Sign(·) is the signature algorithm; its input includes the system parameters params, the private key sk and a message M ∈ {0,1}*, where {0,1}* denotes the set of 0-1 strings of arbitrary length; its output includes (z, c, h), where z ∈ R_q^l, c ∈ R, b is a positive integer, g_h(n, m, h, aux_h) is an integer-valued function of n, m, h and aux_h, and aux_h is a possibly empty auxiliary parameter set for h. The algorithm runs as follows:
(1) obtain
(2) obtain
(3) obtain y_2, where y_2 may be the zero vector;
(4) obtain
(5) obtain k_1 as a function of v and params, together with a possibly empty auxiliary parameter set for k_1;
(6) obtain k_1' as a function of k_1 and params, together with a possibly empty auxiliary parameter set for k_1';
(7) obtain c = H(k_1', M, aux_c), where H is a hash function, a one-way function or a transformation function, and aux_c is a possibly empty auxiliary parameter set for c;
(8) obtain z = f_z(pk, y_1, s_1, k_1, c, M, aux_z), where f_z is a function of pk, y_1, s_1, k_1, c, M and aux_z, and aux_z is a possibly empty auxiliary parameter set for z;
(9) obtain (k_2, sig_2) as a function of v, c, s_2 and params, together with a possibly empty auxiliary parameter set for k_2 and sig_2;
(10) judge whether condition R_1 holds, with a possibly empty auxiliary parameter set for R_1; if not, return to step (2) and repeat until R_1 holds;
(11) obtain h = f_h(v, c, s_2, y_2, t_0, params, aux_h), where f_h is a function of v, c, s_2, y_2, t_0, params and aux_h, and aux_h is a possibly empty auxiliary parameter set for h;
(12) judge whether condition R_2 holds, with a possibly empty auxiliary parameter set for R_2; if not, return to step (2) and repeat until R_2 holds;
(13) output the signature (z, c, h);
Verify(·) is the signature verification algorithm; its input includes the system parameters params, the public key pk, the message M and the signature (z, c, h); it outputs 1 or 0. The algorithm runs as follows:
(1) obtain
(2) obtain k_2' as a function of h, A, z, c, t_1 and params, together with a possibly empty auxiliary parameter set for k_2';
(3) obtain k_2'' as a function of k_2' and params, together with a possibly empty auxiliary parameter set for k_2'';
(4) obtain c' = H(k_2'', M, aux_c'), where H is a hash function, a one-way function or a transformation function, and aux_c' is a possibly empty auxiliary parameter set for c';
(5) judge whether condition R_3 holds, with a possibly empty auxiliary parameter set for R_3; if so, output 1, otherwise output 0;
The present invention requires that q - 1 is not divisible by a certain power of 2, or that D_2 is empty, or that k_1' ≠ k_1.
Method as described above, wherein the algebraic rings R and R_q satisfy R_q = R/qR, where the ring R is Z[X]/(X^n + 1), Z[X]/(X^n + X^(n-1) + ... + 1) or Z[X]/(X^n - 1), and the ring R_q is Z_q[X]/(X^n + 1), Z_q[X]/(X^n + X^(n-1) + ... + 1) or Z_q[X]/(X^n - 1), where n is a positive integer.
Method as described above, wherein aux includes a possibly empty subset of {η, β, ξ, ζ, B, ω, σ, g, q', α, α'}, where η, β, ξ, ζ, B, ω, σ, g are positive integers, q' = lcm(q, k) is the least common multiple of q and k, α = q'/q and α' = q'/k.
Method as described above, whereinIt obeysUpper probability distribution.
Method as described above, wherein Sam is an extendable output function, and y ~ S := Sam(x) denotes that, on input x, an output value y is produced according to the distribution S (or uniformly over the set S).
Method as described above, wherein ρ is a random seed, for example a random string in {0,1}^n.
Method as described above, wherein s_1 may follow the uniform distribution over S_η^l or a discrete Gaussian distribution, where S_η denotes the set of polynomials in the ring R whose coefficients lie in [-η, η]; s_2 may follow the uniform distribution over S_η^m or a discrete Gaussian distribution, or s_2 = 0.
Method as described above, wherein when each coefficient of s_1 and s_2 is uniformly distributed over [-η, η], they may be generated with the extendable output function Sam on an input seed.
Method as described above, wherein the calculation of (t_1, t_0) = f_t(t, params, aux_t) includes:
(1) t_0 = t mod± 2^d, t_1 = (t - t_0)/2^d, where for any integer a and positive integer b, a mod± b denotes the unique integer c in the interval of length b centred on 0 (written with the floor function) such that b | c - a, and for any real number x, ⌊x⌋ denotes the largest integer not greater than x;
(2) t_0 = t mod 2^d, t_1 = (t - t_0)/2^d, where for any integer a and positive integer b, a mod b denotes the unique integer c in [0, b - 1] such that b | c - a.
Method as described above, wherein the information required to generate A may include the random seed ρ.
Method as described above, wherein aux_sk may include the public key pk.
Method as described above, wherein each of the two quantities concerned may follow the uniform distribution over its set or a discrete Gaussian distribution with standard deviation σ, where B and σ are auxiliary parameters;
Method as described above, wherein when these quantities are uniformly distributed, they may be generated with the extendable output function Sam on an input seed.
Method as described above, wherein the calculation of k_1 includes: compute k_1 ← HighBits(v, params).
Method as described above, wherein for r ∈ Z_q the algorithm HighBits(r, params) runs as follows:
(1) compute (r_1, r_0) ← Con(r, params);
(2) output r_1.
If algorithm HighBits(·) is given a polynomial vector v and the public parameters params, HighBits is applied separately to each coefficient of v.
Method as described above, wherein the input of the encoding algorithm Con(·) includes r ∈ Z_q and the public parameters params; the algorithm encodes r ∈ Z_q based on params and outputs (r_1, r_0), where r_1 ∈ Z_k and r_0 ∈ Z_t, k being a system parameter and t an integer. If algorithm Con(·) is given a polynomial vector v and the public parameters params, Con is applied separately to each coefficient of v.
Method as described above, wherein the algorithm Con(r, params) runs as follows:
(1) compute σ_A ∈ Z_q';
(2) compute r_0;
(3) compute r_1;
(4) return (r_1, r_0).
Method as described above, wherein the calculation of σ_A includes: choose a fixed element e from the set [0, α - 1] or from a second set, in particular taking e = 0; compute σ_A = α σ_1 + e ∈ Z_q'.
Method as described above, wherein the calculation of σ_A = α r + e ∈ Z_q' includes:
(1) σ_A = α r + e mod q', or
(2) σ_A = α r + e mod± q'.
Method as described above, wherein the remaining computation is a function of σ_A, α, α' and k.
Method as described above, wherein the calculation of r_0 includes:
(1) compute r_0 = σ_A mod± α', or
(2) compute r_0 = σ_A mod α', or
(3) compute r_0 = ⌊g(σ_A mod± α')/q⌉, or
(4) compute r_0 = ⌊g(σ_A mod α')/q⌉, or
(5) compute, or
(6) compute;
where k and q are system parameters, g and α' are auxiliary parameters, and for any real number a, ⌊a⌉ denotes the integer closest to a.
Method as described above, wherein the calculation of r_1 includes:
(1) compute
(2) compute r_1 = ⌊σ_A/β⌉ mod± k;
(3) if k and q are coprime and k r - r_0 = k q, set r_1 = 0; otherwise compute r_1 = (k r - r_0)/q;
where k and q are system parameters.
Method as described above, wherein the value of t in r_0 ∈ Z_t includes t = g or t = g + 1.
Method as described above, wherein the calculation of k_1' includes:
(1) or
(2) k_1' = ⌊q k_1/k⌉,
where k and q are system parameters.
Method as described above, wherein aux_c includes pk and/or params and/or a public key certificate.
Method as described above, wherein the calculation of z = f_z(pk, y_1, s_1, k_1, c, M, aux_z) includes:
Method as described above, wherein the calculation of (k_2, sig_2) includes a function of v, c, s_2, params and the auxiliary parameter set.
Method as described above, wherein the calculation method includes:
Method as described above, wherein condition R_1 includes: ||z|| ≤ ξ and ||sig_2|| ≤ ζ and k_1 = k_2, where for any a ∈ R, ||a|| denotes the maximum absolute value of all coefficients of the polynomial a, and for any a = (a_1, ..., a_b) ∈ R^b, b a positive integer, ||a|| denotes the maximum of ||a_i|| over 1 ≤ i ≤ b.
Method as described above, wherein the calculation of h includes:
(1) h = sig_2, or
(2) h = MakeHint(-c t_0, v - c s_2 + c t_0, params), or
(3) h = MakeGHint(-c t_0, v - c s_2 + c t_0, params).
Method as described above, wherein h = sig_2 is computed as follows:
(1)
(2) output h = sig_2.
Method as described above, wherein for z ∈ Z_q and r ∈ Z_q the algorithm MakeHint(z, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) v_1 = HighBits(r + z, params);
(3) if r_1 = v_1, return 0; otherwise return 1.
If algorithm MakeHint(·) is given polynomial vectors and the public parameters params, where a is a positive integer, MakeHint is applied separately to each pair of corresponding coefficients of the polynomial vectors.
Method as described above, wherein for z ∈ Z_q and r ∈ Z_q the algorithm MakeGHint(z, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) v_1 = HighBits(r + z, params);
(3) return h = (v_1 - r_1) mod± k or h = (v_1 - r_1) mod k.
If algorithm MakeGHint(·) is given polynomial vectors and the public parameters params, where a is a positive integer, MakeGHint is applied separately to each pair of corresponding coefficients of the polynomial vectors.
Method as described above, wherein the calculation of k_2' includes:
(1) or
(2) or
(3)
where the function used is a function of h, A, z, c, t_1, params and the auxiliary parameter set.
Method as described above, wherein the calculation includes a term in which d is a system parameter.
Method as described above, wherein the decoding algorithm Rec(·) takes as input r' ∈ Z_q, r_0 ∈ Z_t and the system parameters params, where (r_1, r_0) ← Con(r, params), r ∈ Z_q, and |r' - r|_q ≤ d' for an integer d'; for any integer a, |a|_q is defined as min{a mod q, q - a mod q}, min{} denoting the minimum; the algorithm decodes r' ∈ Z_q and r_0 ∈ Z_t based on params and outputs r_1', where r_1' ∈ Z_k and k is a system parameter; if the distance d' between r' and r satisfies a certain restriction, then r_1' = r_1 and the two parties' error correction succeeds.
Method as described above, wherein the calculation of Rec(r', r_0, params) includes:
(1) r_1' = ⌊α σ_2/β - v/g⌉ mod k, or
(2) r_1' = ⌊α σ_2/β - (v + 1/2)/g⌉ mod k, or
(3) r_1' = ⌊α σ_2/β - (v + c)/g⌉ mod k, where c is a real number.
Method as described above, wherein the relation satisfied by d' includes:
(1) (2d' + 1)k < q(1 - 1/g), or
(2) (2d' + 2)k < q(1 - 1/g), or
(3) (2d' + 1)k < q(1 - 2γ/g), where γ is defined as max{|c|, |1 - c|}, |a| denotes the absolute value of a real number a, and max{} denotes the maximum, or
(4) (d' + 1)k < q(1/2 - γ/g), or
(5) 2kd' < q, or
(6) 2k(d' + 1) < q.
Method as described above, wherein c is a real number satisfying 0 ≤ c ≤ 1.
Method as described above, wherein for h ∈ {0,1} and r ∈ Z_q the algorithm UseHint(h, r, params) is computed as follows:
(1) (r_1, r_0) = Con(r, params);
(2) if h = 1 and r_0 > 0, return (r_1 + 1) mod k; if h = 1 and r_0 < 0, return (r_1 - 1) mod k; otherwise, if h = 0, return r_1.
Method as described above, wherein for h ∈ Z_k and r ∈ Z_q the algorithm UseGHint(h, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) return (r_1 + h) mod k.
Method as described above, wherein the calculation of k_2'' includes:
(1)
(2) k_2'' = ⌊q k_2'/k⌉.
Method as described above, wherein aux_c' includes pk and/or params and/or a public key certificate.
Method as described above, wherein condition R_3 includes:
(1) c = c' and ||z|| ≤ ξ;
(2) c = c' and ||z|| ≤ ξ and #h ≤ ω, where for h ∈ {0,1}^a, a a positive integer, #h denotes the number of coefficients equal to 1 in the polynomial vector h;
where ξ and ω are auxiliary parameters.
In practical applications of the method of the invention, the recommended specific embodiments of Gen, Sign(·), Verify(·), Con(·) and HighBits(·) are as follows:
Gen:
(1) obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are integers and aux is a possibly empty set of other auxiliary system parameters;
(5) t_0 = t mod± 2^d, t_1 = (t - t_0)/2^d;
(6) output pk = (ρ, t_1, params, aux_pk), sk = (s_1, s_2, t_0, aux_sk, ρ);
Sign(params, sk, M):
(2) t_0 = t mod± 2^d, t_1 = (t - t_0)/2^d;
(5) k_1 ← HighBits(v, params);
(6) k_1' = ⌊q k_1/k⌉;
(7) c = H(ρ, t_1, k_1', M);
(8) z = y_1 + c s_1;
(9) (k_2, sig_2) ← Con(v - c s_2, params);
(10) if "||z|| < B - β and ||sig_2|| < q/2 - kβ and k_1 = k_2" does not hold, return to step (2) and repeat until it holds;
(11) h = MakeHint(-c t_0, v - c s_2 + c t_0, params);
(12) if "||c t_0|| < q/2k and the number of 1s in h ≤ ω" does not hold, return to step (2) and repeat until it holds;
(13) output the signature (z, c, h);
Verify(pk, M, (z, c, h)):
(2) k_2' = UseHint(h, A z - c t_1 · 2^d, params);
(3) k_2'' = ⌊q k_2'/k⌉;
(4) c' = H(ρ, t_1, k_2'', M);
if c = c' and ||z|| < B - β and the number of 1s in h ≤ ω, output 1; otherwise output 0;
Con(r, params):
(1) r_0 = k r mod± q;
(2) if k r - r_0 = k q, set r_1 = 0; otherwise compute r_1 = (k r - r_0)/q;
(3) return (r_1, r_0).
HighBits(r, params):
(1) (r_1, r_0) ← Con(r, params);
(2) return r_1.
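The recommended embodiment above depends on Con, HighBits, MakeHint and UseHint agreeing across signer and verifier. The Python below is an added worked example (not code from the patent or its authors): it implements those four maps on single integers in Z_q exactly as the recommended Con is specified, adds the (t_1, t_0) split of the key generation step, and exhaustively checks the property the verifier relies on, UseHint(MakeHint(z, r), r) = HighBits(r + z) whenever k·|z| < q/2. The toy parameters q = 257, k = 8, d = 4, the sample inputs and the function names (mod_pm, split_t, hint_path, hint_roundtrip_holds) are all constructed here.

```python
"""Added worked example (not code from the patent): the recommended Con,
HighBits, MakeHint and UseHint embodiment on single integers in Z_q, plus the
(t1, t0) split of the key generation step. The patent applies the same maps
coefficient-wise to polynomial vectors. Parameters q, k, d and all sample
values are constructed for illustration; the function names are ours."""


def mod_pm(a: int, b: int) -> int:
    """a mod± b: representative of a modulo b in the centred range (-b/2, b/2]."""
    c = a % b
    return c - b if c > b // 2 else c


def split_t(t: int, d: int) -> tuple[int, int]:
    """(t1, t0) = f_t(t, params): t0 = t mod± 2^d and t1 = (t - t0) / 2^d."""
    t0 = mod_pm(t, 1 << d)
    return (t - t0) // (1 << d), t0


def con(r: int, q: int, k: int) -> tuple[int, int]:
    """Recommended Con(r, params): r0 = k*r mod± q, r1 = (k*r - r0)/q, with the
    wrap-around case k*r - r0 = k*q mapped to r1 = 0. Returns (r1, r0)."""
    r0 = mod_pm(k * r, q)
    num = k * r - r0                      # always a multiple of q
    r1 = 0 if num == k * q else num // q
    return r1, r0


def highbits(r: int, q: int, k: int) -> int:
    """Recommended HighBits(r, params): the r1 component of Con(r, params)."""
    return con(r % q, q, k)[0]


def make_hint(z: int, r: int, q: int, k: int) -> int:
    """MakeHint(z, r, params): 1 iff adding z changes the high bits of r."""
    return 0 if highbits(r, q, k) == highbits(r + z, q, k) else 1


def use_hint(h: int, r: int, q: int, k: int) -> int:
    """UseHint(h, r, params): recover HighBits(r + z) from r and the hint bit,
    using the sign of r0 to decide the direction of the carry."""
    r1, r0 = con(r % q, q, k)
    if h == 1 and r0 > 0:
        return (r1 + 1) % k
    if h == 1 and r0 < 0:
        return (r1 - 1) % k
    return r1


def hint_roundtrip_holds(q: int, k: int, zmax: int) -> bool:
    """Exhaustively check UseHint(MakeHint(z, r), r) == HighBits(r + z) for
    all r in Z_q and |z| <= zmax. The identity is only guaranteed while
    k*|z| < q/2, which is why the signer rejects when ||c*t0|| >= q/(2k)."""
    for r in range(q):
        for z in range(-zmax, zmax + 1):
            if use_hint(make_hint(z, r, q, k), r, q, k) != highbits(r + z, q, k):
                return False
    return True


def hint_path(v: int, cs2: int, ct0: int, q: int, k: int) -> tuple[int, int, int]:
    """Scalar analogue of the signer/verifier hint path. The signer knows v,
    c*s2 and c*t0 and computes k1 = HighBits(v), (k2, sig2) = Con(v - c*s2)
    and h = MakeHint(-c*t0, v - c*s2 + c*t0). The verifier only knows
    A*z - c*t1*2^d = v - c*s2 + c*t0 and computes k2' = UseHint(h, that value).
    Returns (k1, k2, k2'); a signature is released only when k1 == k2, and
    then k2' == k1 lets the verifier rebuild the hashed value round(q*k1/k)."""
    k1 = highbits(v, q, k)
    k2, _sig2 = con((v - cs2) % q, q, k)
    r = (v - cs2 + ct0) % q               # what the verifier can compute
    h = make_hint(-ct0, r, q, k)
    return k1, k2, use_hint(h, r, q, k)


if __name__ == "__main__":
    Q, K, D = 257, 8, 4                   # constructed toy parameters
    print(split_t(1001, D))               # (63, -7)
    print(hint_path(30, 9, -5, Q, K))     # (1, 1, 1): a carry is needed, hint = 1
    print(hint_roundtrip_holds(Q, K, 15)) # True, since 8 * 15 < 257 / 2
```

The sample (30, 9, -5) is chosen so that the hint bit is actually 1: without the carry rule in UseHint the verifier would recompute the wrong k_2' and reject a valid signature.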

Claims (44)

1. A lattice-based digital signature method based on key consensus, in which {...} denotes a set of information items or values, and R and R_q denote algebraic rings, where q is an integer;
Gen is the key generation algorithm; its input includes a security parameter and its output includes a public key pk and a private key sk. The algorithm runs as follows:
(1) obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are integers and aux is a possibly empty set of other auxiliary system parameters;
(2) obtain
(3) obtain s_1 ∈ R^l and s_2 ∈ R^m, where s_1 is drawn from a certain set and s_2 is drawn from a certain, possibly empty, set;
(4) obtain
(5) obtain (t_1, t_0) = f_t(t, params, aux_t), where f_t is a function of t, params and aux_t, and aux_t is a possibly empty auxiliary parameter set for t;
(6) output the public key pk and the private key sk; the public key pk includes params, t_1, the information required to generate A, and aux_pk, where aux_pk is a possibly empty auxiliary parameter set for the public key; the private key sk includes s_1, s_2, t_0 and aux_sk, where aux_sk is a possibly empty auxiliary parameter set for the private key;
Sign(·) is the signature algorithm; its input includes the system parameters params, the private key sk and a message M ∈ {0,1}*, where {0,1}* denotes the set of 0-1 strings of arbitrary length; its output includes (z, c, h), where c ∈ R, b is a positive integer, g_h(n, m, h, aux_h) is an integer-valued function of n, m, h and aux_h, and aux_h is a possibly empty auxiliary parameter set for h. The algorithm runs as follows:
(1) obtain
(2) obtain
(3) obtain y_2, where y_2 may be the zero vector;
(4) obtain
(5) obtain k_1 as a function of v and params, together with a possibly empty auxiliary parameter set for k_1;
(6) obtain k_1' as a function of k_1 and params, together with a possibly empty auxiliary parameter set for k_1';
(7) obtain c = H(k_1', M, aux_c), where H is a hash function, a one-way function or a transformation function, and aux_c is a possibly empty auxiliary parameter set for c;
(8) obtain z = f_z(pk, y_1, s_1, k_1, c, M, aux_z), where f_z is a function of pk, y_1, s_1, k_1, c, M and aux_z, and aux_z is a possibly empty auxiliary parameter set for z;
(9) obtain (k_2, sig_2) as a function of v, c, s_2 and params, together with a possibly empty auxiliary parameter set for k_2 and sig_2;
(10) judge whether condition R_1 holds, with a possibly empty auxiliary parameter set for R_1; if not, return to step (2) and repeat until R_1 holds;
(11) obtain h = f_h(v, c, s_2, y_2, t_0, params, aux_h), where f_h is a function of v, c, s_2, y_2, t_0, params and aux_h, and aux_h is a possibly empty auxiliary parameter set for h;
(12) judge whether condition R_2 holds, with a possibly empty auxiliary parameter set for R_2; if not, return to step (2) and repeat until R_2 holds;
(13) output the signature (z, c, h);
Verify(·) is the signature verification algorithm; its input includes the system parameters params, the public key pk, the message M and the signature (z, c, h); it outputs 1 or 0, where 1 indicates that verification passed and 0 that it failed. The algorithm runs as follows:
(1) obtain
(2) obtain k_2' as a function of h, A, z, c, t_1 and params, together with a possibly empty auxiliary parameter set for k_2';
(3) obtain k_2'' as a function of k_2' and params, together with a possibly empty auxiliary parameter set for k_2'';
(4) obtain c' = H(k_2'', M, aux_c'), where H is a hash function, a one-way function or a transformation function, and aux_c' is a possibly empty auxiliary parameter set for c';
(5) judge whether condition R_3 holds, with a possibly empty auxiliary parameter set for R_3; if so, output 1, otherwise output 0;
The present invention requires that q - 1 is not divisible by a certain power of 2, or that D_2 is empty, or that k_1' ≠ k_1.
2. The method of claim 1, wherein the algebraic rings R and R_q satisfy R_q = R/(qR), where the ring R is Z[X]/(X^n + 1), Z[X]/(X^n + X^(n-1) + ... + 1) or Z[X]/(X^n - 1), and the ring R_q is Z_q[X]/(X^n + 1), Z_q[X]/(X^n + X^(n-1) + ... + 1) or Z_q[X]/(X^n - 1), where n is a positive integer.
3. The method of claim 1, wherein aux includes a possibly empty subset of {η, β, ξ, ζ, B, ω, σ, g, q', α, α'}, where η, β, ξ, ζ, B, ω, σ, g are positive integers, q' = lcm(q, k) is the least common multiple of q and k, α = q'/q and α' = q'/k.
4. The method of claim 1, wherein the value in question obeys a probability distribution over its set.
5. The method of claim 4, wherein Sam is an extendable output function, and y ~ S := Sam(x) denotes that, on input x, an output value y is produced according to the distribution S (or uniformly over the set S).
6. The method of claim 4, wherein ρ is a random seed.
7. The method of claim 1, wherein s_1 may follow the uniform distribution over S_η^l or a discrete Gaussian distribution, where S_η denotes the set of polynomials in the ring R whose coefficients lie in [-η, η]; s_2 may follow the uniform distribution over S_η^m or a discrete Gaussian distribution, or s_2 = 0.
8. The method of claim 1, wherein when each coefficient of s_1 and s_2 is uniformly distributed over [-η, η], they may be generated with the extendable output function Sam on an input seed.
9. The method of claim 1, wherein the calculation of (t_1, t_0) = f_t(t, params, aux_t) includes:
(1) t_0 = t mod± 2^d, t_1 = (t - t_0)/2^d, where for any integer a and positive integer b, a mod± b denotes the unique integer c in the interval of length b centred on 0 (written with the floor function) such that b | c - a, and for any real number x, ⌊x⌋ denotes the largest integer not greater than x;
(2) t_0 = t mod 2^d, t_1 = (t - t_0)/2^d, where for any integer a and positive integer b, a mod b denotes the unique integer c in [0, b - 1] such that b | c - a.
10. The method of claim 1, wherein the information required to generate A may include the random seed ρ.
11. The method of claim 1, wherein aux_sk may include the public key pk.
12. The method of claim 1, wherein each of the two quantities concerned may follow the uniform distribution over its set or a discrete Gaussian distribution with standard deviation σ, where B and σ are auxiliary parameters.
13. The method of claim 12, wherein when these quantities are uniformly distributed, they may be generated with the extendable output function Sam on an input seed.
14. The method of claim 1, wherein the calculation of k_1 includes: compute k_1 ← HighBits(v, params).
15. The method of claim 14, wherein for r ∈ Z_q the algorithm HighBits(r, params) runs as follows:
(1) compute (r_1, r_0) ← Con(r, params);
(2) output r_1.
If algorithm HighBits(·) is given a polynomial vector v and the public parameters params, HighBits is applied separately to each coefficient of v.
16. The method of claim 15, wherein the input of the encoding algorithm Con(·) includes r ∈ Z_q and the public parameters params; the algorithm encodes r ∈ Z_q based on params and outputs (r_1, r_0), where r_1 ∈ Z_k and r_0 ∈ Z_t, k being a system parameter and t an integer. If algorithm Con(·) is given a polynomial vector v and the public parameters params, Con is applied separately to each coefficient of v.
17. The method of claim 16, wherein the algorithm Con(r, params) runs as follows:
(1) compute σ_A ∈ Z_q';
(2) compute r_0;
(3) compute r_1;
(4) return (r_1, r_0).
18. The method of claim 17, wherein the calculation of σ_A includes: choose a fixed element e from the set [0, α - 1] or from a second set, in particular taking e = 0; compute σ_A = α σ_1 + e ∈ Z_q'.
19. The method of claim 18, wherein the calculation of σ_A = α r + e ∈ Z_q' includes:
(1) σ_A = α r + e mod q', or
(2) σ_A = α r + e mod± q'.
20. The method of claim 17, wherein the remaining computation is a function of σ_A, α, α' and k.
21. The method of claim 20, wherein the calculation of r_0 includes:
(1) compute r_0 = σ_A mod± α', or
(2) compute r_0 = σ_A mod α', or
(3) compute r_0 = ⌊g(σ_A mod± α')/q⌉, or
(4) compute r_0 = ⌊g(σ_A mod α')/q⌉, or
(5) compute, or
(6) compute;
where k and q are system parameters, g and α' are auxiliary parameters, and for any real number a, ⌊a⌉ denotes the integer closest to a.
22. The method of claim 20, wherein the calculation of r_1 includes:
(1) compute
(2) compute r_1 = ⌊σ_A/β⌉ mod± k;
(3) if k and q are coprime and k r - r_0 = k q, set r_1 = 0; otherwise compute r_1 = (k r - r_0)/q;
where k and q are system parameters.
23. The method of claim 16, wherein the value of t in r_0 ∈ Z_t includes t = g or t = g + 1.
24. The method of claim 1, wherein the calculation of k_1' includes:
(1) or
(2) k_1' = ⌊q k_1/k⌉,
where k and q are system parameters.
25. The method of claim 1, wherein aux_c includes pk and/or params and/or a public key certificate.
26. The method of claim 1, wherein the calculation of z = f_z(pk, y_1, s_1, k_1, c, M, aux_z) includes:
27. The method of claim 1, wherein the calculation of (k_2, sig_2) includes a function of v, c, s_2, params and the auxiliary parameter set.
28. The method of claim 27, wherein the calculation method includes:
29. The method of claim 1, wherein condition R_1 includes: ||z|| ≤ ξ and ||sig_2|| ≤ ζ and k_1 = k_2, where for any a ∈ R, ||a|| denotes the maximum absolute value of all coefficients of the polynomial a, and for any a = (a_1, ..., a_b) ∈ R^b, b a positive integer, ||a|| denotes the maximum of ||a_i|| over 1 ≤ i ≤ b.
30. The method of claim 1, wherein the calculation of h includes:
(1) h = sig_2, or
(2) h = MakeHint(-c t_0, v - c s_2 + c t_0, params), or
(3) h = MakeGHint(-c t_0, v - c s_2 + c t_0, params).
31. The method of claims 27 and 30, wherein h = sig_2 is computed as follows:
(1)
(2) output h = sig_2.
32. The method of claims 15 and 30, wherein for z ∈ Z_q and r ∈ Z_q the algorithm MakeHint(z, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) v_1 = HighBits(r + z, params);
(3) if r_1 = v_1, return 0; otherwise return 1.
If algorithm MakeHint(·) is given a pair of polynomial vectors, the first being z', together with the public parameters params, where a is a positive integer, MakeHint is applied separately to each pair of corresponding coefficients of the two vectors.
33. The method of claims 15 and 30, wherein for z ∈ Z_q and r ∈ Z_q the algorithm MakeGHint(z, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) v_1 = HighBits(r + z, params);
(3) return h = (v_1 - r_1) mod± k or h = (v_1 - r_1) mod k.
If algorithm MakeGHint(·) is given a pair of polynomial vectors, the first being z', together with the public parameters params, where a is a positive integer, MakeGHint is applied separately to each pair of corresponding coefficients of the two vectors.
34. the method for claim 1, whereinCalculation method include:
(1)Or
(2)Or
(3)
Wherein,It is about h, A, z, c, t1,params,Function.
35. method as claimed in claim 34, whereinCalculation method include:Wherein, d is system parameter.
36. method as claimed in claim 34, wherein decoding algorithm Rec (), algorithm input include r ' ∈ Zq,r0∈ZtWith System parameter params, wherein (r1,r0) ← Con (r, params), r ∈ Zq, | r '-r |q≤ d ', d ' are an integer;For Arbitrary integer a, | a |qIt is defined as min { a mod q, q-a mod q }, min { } is defined as being minimized;Algorithm is to r ' ∈ Zq, r0∈ZtIt is decoded based on params, output includes r1', wherein r1′∈Zk, k is system parameter;If r ' and r distance d ' is full The certain restrictive condition of foot, then r1'=r1, both sides' error correction success.
37. The method of claim 36, wherein the method of computing Rec(r', r_0, params) includes:
(1) r_1' = ⌊α σ_2/β − v/g⌉ mod k, or
(2) r_1' = ⌊α σ_2/β − (v + 1/2)/g⌉ mod k, or
(3) r_1' = ⌊α σ_2/β − (v + c)/g⌉ mod k, where c is a real number.
38. The method of claim 36, wherein the relation satisfied by d' includes:
(1) (2d' + 1)k < q(1 − 1/g), or
(2) (2d' + 2)k < q(1 − 1/g), or
(3) (2d' + 1)k < q(1 − 2γ/g), where γ is defined as max{|c|, |1 − c|}; for any real number a, |a| denotes the absolute value of a, and max{} denotes the maximum, or
(4) (d' + 1)k < q(1/2 − γ/g), or
(5) 2kd' < q, or
(6) 2k(d' + 1) < q.
39. The method of claim 37, wherein c is a real number satisfying 0 ≤ c ≤ 1.
40. The method of claim 34, wherein for h ∈ {0, 1}, r ∈ Z_q, the algorithm UseHint(h, r, params) is computed as follows:
(1) (r_1, r_0) = Con(r, params);
(2) if h = 1 and r_0 > 0, return (r_1 + 1) mod k; if h = 1 and r_0 < 0, return (r_1 − 1) mod k; otherwise, if h = 0, return r_1.
41. The method of claim 34, wherein for h ∈ Z_k, r ∈ Z_q, the algorithm UseGHint(h, r, params) is computed as follows:
(1) r_1 = HighBits(r, params);
(2) return (r_1 + h) mod k.
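The decoding of claims 36 to 39 and the hint functions of claims 32, 33 and 41, worked through over Z_q as an added Python example. This is illustrative code written for this page, not the patent's or the inventors' implementation. It assumes the OKCN instantiation of Con/Rec, whose Rec formula and correctness condition (2d' + 1)k < q(1 − 1/g) are the ones reproduced in claims 37 and 38; it assumes HighBits(r, params) is the first output of a deterministic Con (noise e = 0); and q = 97, k = 4, g = 8 are toy parameters chosen so that every check can run exhaustively over Z_q. UseHint of claim 40 is deliberately left out: it relies on a signed low part r_0, which these claims do not define, and claim 40 itself does not say what to return when h = 1 and r_0 = 0.

```python
"""Key-consensus decoding (Con/Rec) and hint functions over Z_q.

Added illustration for claims 32, 33, 36-39 and 41; not the patent's own code.
Assumptions: Con/Rec are the OKCN equations that claims 37-38 reproduce;
HighBits(r, params) is the first output of a deterministic Con (noise e = 0);
q = 97, k = 4, g = 8 are toy parameters chosen so every check is exhaustive.
"""
from fractions import Fraction
from math import floor, gcd
from typing import Dict, Optional, Tuple
import random


def params(q: int, k: int, g: int, d: int) -> Dict[str, int]:
    """Public parameters (q, k, g, d') with aux = (q' = lcm(q, k), alpha = q'/q, beta = q'/k)."""
    qp = q * k // gcd(q, k)
    return dict(q=q, k=k, g=g, d=d, qp=qp, alpha=qp // q, beta=qp // k)


def rec_bound_holds(p: Dict[str, int], c: Fraction = Fraction(1, 2)) -> bool:
    """Claim 38 condition (3): (2d'+1)k < q(1 - 2*gamma/g), gamma = max(|c|, |1-c|).
    For c = 1/2 this is condition (1): (2d'+1)k < q(1 - 1/g)."""
    gamma = max(abs(c), abs(1 - c))
    return (2 * p["d"] + 1) * p["k"] < p["q"] * (1 - 2 * gamma / p["g"])


def con(r: int, p: Dict[str, int], e: Optional[int] = None, rng=random) -> Tuple[int, int]:
    """Con(r, params) -> (r1, r0), r1 in Z_k, r0 in Z_g (OKCN form, an assumption here).
    e is the balancing noise in [-(alpha-1)//2, alpha//2]; e = 0 makes Con deterministic."""
    a, b = p["alpha"], p["beta"]
    if e is None:
        e = rng.randint(-((a - 1) // 2), a // 2)
    sigma = (a * r + e) % p["qp"]          # lift Z_q to Z_q'
    r1 = sigma // b                        # high part, in Z_k
    r0 = ((sigma % b) * p["g"]) // b       # position inside the bucket, quantised to Z_g
    return r1, r0


def rec(r_prime: int, r0: int, p: Dict[str, int], c: Fraction = Fraction(1, 2)) -> int:
    """Rec(r', r0, params) = round(alpha*r'/beta - (r0 + c)/g) mod k (claim 37 option (3);
    c = 1/2 is option (2)).  Exact rationals keep the rounding unambiguous."""
    x = Fraction(p["alpha"] * r_prime, p["beta"]) - (r0 + c) / p["g"]
    return floor(x + Fraction(1, 2)) % p["k"]


def high_bits(r: int, p: Dict[str, int]) -> int:
    """HighBits(r, params), assumed to be the r1 output of deterministic Con."""
    return con(r % p["q"], p, e=0)[0]


def make_hint(z: int, r: int, p: Dict[str, int]) -> int:
    """Claim 32: 1 iff adding z changes HighBits(r)."""
    return int(high_bits(r, p) != high_bits(r + z, p))


def make_ghint(z: int, r: int, p: Dict[str, int]) -> int:
    """Claim 33: generalized hint h = (v1 - r1) mod k."""
    return (high_bits(r + z, p) - high_bits(r, p)) % p["k"]


def use_ghint(h: int, r: int, p: Dict[str, int]) -> int:
    """Claim 41: (r1 + h) mod k; equals HighBits(r + z) for the z used in MakeGHint."""
    return (high_bits(r, p) + h) % p["k"]


def consensus_failures(p: Dict[str, int], c: Fraction = Fraction(1, 2)) -> int:
    """Number of (r, e, delta) with |delta| <= d' for which Rec(r + delta, r0) != r1.
    Exhaustive over Z_q, all noise values and all deltas; 0 whenever rec_bound_holds()."""
    a, fails = p["alpha"], 0
    for r in range(p["q"]):
        for e in range(-((a - 1) // 2), a // 2 + 1):
            r1, r0 = con(r, p, e=e)
            for delta in range(-p["d"], p["d"] + 1):
                if rec((r + delta) % p["q"], r0, p, c) != r1:
                    fails += 1
    return fails


def ghint_roundtrip_ok(p: Dict[str, int]) -> bool:
    """UseGHint(MakeGHint(z, r), r) == HighBits(r + z) for every r, z in Z_q (any z, not only small)."""
    q = p["q"]
    return all(use_ghint(make_ghint(z, r, p), r, p) == high_bits(r + z, p)
               for r in range(q) for z in range(q))


if __name__ == "__main__":
    ok = params(q=97, k=4, g=8, d=10)    # (2*10+1)*4 = 84 < 97*(1-1/8) = 84.875
    bad = params(q=97, k=4, g=8, d=11)   # 92 > 84.875: the bound of claim 38 (1) is violated
    print("bound holds:", rec_bound_holds(ok), rec_bound_holds(bad))
    print("Rec failures:", consensus_failures(ok), consensus_failures(bad))
    print("generalized hint round trip:", ghint_roundtrip_ok(ok))
```

With d' = 10 the bound of claim 38 (1) holds and the exhaustive sweep reports no decoding failure, exactly as claim 36 promises; with d' = 11 the bound fails by a small margin and concrete misses appear (for instance r = 76 with noise e = −1 gives Con(76) = (3, 0), while Rec(87, 0) returns 0). The generalized hint of claims 33 and 41 recovers HighBits(r + z) for every z because it transmits the full difference mod k, whereas the one-bit hint of claim 32 only records that the high part moved and so needs the sign information that claim 40 reads from r_0.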
42. The method of claim 1, wherein the computation method includes:
(1)
(2) k''_2 = ⌊q k'_2 / k⌋.
43. The method of claim 1, wherein aux_c' includes pk and/or params and/or the public-key certificate certificate.
44. The method of claim 1, wherein the condition includes:
(1) c = c' and ‖z‖ ≤ ξ;
(2) c = c' and ‖z‖ ≤ ξ and #h ≤ ω, where for h ∈ {0, 1}^a, a a positive integer, #h denotes the number of coefficients equal to 1 in the polynomial vector h;
where ξ, ω are auxiliary parameters.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811462651.7A CN109687969B (en) 2018-12-03 2018-12-03 Lattice-based digital signature method based on key consensus (Active)
PCT/CN2019/112510 WO2020114121A1 (en) 2018-12-03 2019-10-22 Lattice-based digital signature method employing key agreement

Publications (2)

Publication Number Publication Date
CN109687969A (en) 2019-04-26
CN109687969B (en) 2021-10-15

Family ID: 66185991

Country Status (2)

Country Link
CN (1) CN109687969B (en)
WO (1) WO2020114121A1 (en)


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781262B (en) * 2023-08-22 2023-11-03 晨越建设项目管理集团股份有限公司 Space region security authentication method based on meta-universe system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833265A (en) * 2012-09-13 2012-12-19 北京航空航天大学 Network theory based signature scheme and secure linear network encoding method thereof
WO2014205570A1 (en) * 2013-06-27 2014-12-31 Infosec Global Inc. Key agreement protocol
CN105099671A (en) * 2015-08-20 2015-11-25 赵运磊 Authentication key negotiation method enabling identity privacy and non-malleable security
CN106301789A (en) * 2016-08-16 2017-01-04 电子科技大学 Apply the dynamic verification method of the cloud storage data that linear homomorphism based on lattice signs
CN107124272A (en) * 2017-05-02 2017-09-01 西南石油大学 The lattice cloud storage data safety auditing method for supporting agent data to upload
US9780948B1 (en) * 2016-06-15 2017-10-03 ISARA Corporation Generating integers for cryptographic protocols
US20180309574A1 (en) * 2017-04-25 2018-10-25 International Business Machines Corporation One-shot verifiable encryption from lattices

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120071884A (en) * 2010-12-23 2012-07-03 한국전자통신연구원 Ring signature method based on lattices
CN109687969B (en) * 2018-12-03 2021-10-15 上海扈民区块链科技有限公司 Lattice-based digital signature method based on key consensus


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Z. L. Jiang et al.: "Lattice-based proxy signature scheme with reject sampling method", 2017 International Conference on Security, Pattern Analysis, and Cybernetics (SPAC) *
Yan Jianhua (闫建华): "Research on key technologies of lattice-based signcryption" (格基签密关键技术研究), China Doctoral Dissertations Full-text Database, Information Science and Technology series (中国博士学位论文全文数据库信息科技辑) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020114121A1 (en) * 2018-12-03 2020-06-11 上海扈民区块链科技有限公司 Lattice-based digital signature method employing key agreement
CN113541952A (en) * 2020-04-17 2021-10-22 上海扈民区块链科技有限公司 Digital signature method based on lattice
CN113541952B (en) * 2020-04-17 2023-07-25 赵运磊 Digital signature method based on lattice

Also Published As

Publication number Publication date
CN109687969B (en) 2021-10-15
WO2020114121A1 (en) 2020-06-11


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40008133; Country of ref document: HK)
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20220822
    Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438
    Patentee after: Zhao Yunlei
    Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156
    Patentee before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20240112
    Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District
    Patentee after: FUDAN University
    Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438
    Patentee before: Zhao Yunlei