CN109687969B - Lattice-based digital signature method based on key consensus - Google Patents
Lattice-based digital signature method based on key consensus Download PDFInfo
- Publication number
- CN109687969B CN109687969B CN201811462651.7A CN201811462651A CN109687969B CN 109687969 B CN109687969 B CN 109687969B CN 201811462651 A CN201811462651 A CN 201811462651A CN 109687969 B CN109687969 B CN 109687969B
- Authority
- CN
- China
- Prior art keywords
- params
- algorithm
- aux
- calculating
- empty
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 133
- 238000012795 verification Methods 0.000 claims abstract description 10
- OAICVXFJPJFONN-UHFFFAOYSA-N Phosphorus Chemical compound [P] OAICVXFJPJFONN-UHFFFAOYSA-N 0.000 claims description 13
- 238000009826 distribution Methods 0.000 claims description 13
- 239000013598 vector Substances 0.000 claims description 12
- 238000009827 uniform distribution Methods 0.000 claims description 11
- 101150047304 TMOD1 gene Proteins 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 4
- 238000004364 calculation method Methods 0.000 claims description 2
- 238000005086 pumping Methods 0.000 claims description 2
- 238000010079 rubber tapping Methods 0.000 claims description 2
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 claims description 2
- 239000013604 expression vector Substances 0.000 claims 1
- 230000005540 biological transmission Effects 0.000 abstract description 7
- 238000013461 design Methods 0.000 abstract description 3
- 238000005516 engineering process Methods 0.000 description 2
- 241001083548 Anemone Species 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Complex Calculations (AREA)
Abstract
A lattice-based digital signature method based on key consensus is provided. The sender Alice running the method obtains the private key sk and the public parameter params, signs the message M running signature algorithm Sign (params, sk, M), obtains the signature sigma (z, c, h), and discloses the transmission signature sigma (z, c, h) to the receiver Bob running the method. Bob gets the public key pk, the message M and the signature σ to the message M as inputs, runs the verification algorithm Verify (pk, M, (z, c, h)), and gets 1/0, indicating verification pass/fail, respectively. If the authentication is passed, the recipient Bob acknowledges that the message M was sent by Alice. The method of the invention is used for solving the problem of how to design the digital signature, and has important application in the aspects of ensuring the integrity of information transmission, carrying out identity authentication of an information sender and preventing repudiation in transactions.
Description
Technical Field
The invention relates to a digital signature technology, which has important application in the aspects of ensuring the integrity of information transmission, carrying out identity authentication of an information sender and preventing repudiation in transactions.
Background
The digital signature technology is used for solving the following problems: the sender Alice signs the message M with the private key sk to obtain a signature σ. The receiver Bob authenticates the signature σ using the public key pk, and if the authentication is passed, the receiver Bob recognizes that the message M was transmitted by Alice. The method solves the problems of how to design the digital signature, ensures the integrity of information transmission, carries out identity authentication of an information sender and prevents repudiation in transaction.
Disclosure of Invention
The sender Alice running the method obtains the private key sk and the public parameter params, signs the message M running signature algorithm Sign (params, sk, M), obtains the signature sigma (z, c, h), and discloses the transmission signature sigma (z, c, h) to the receiver Bob running the method. Bob gets the public key pk, the message M and the signature σ to the message M as inputs, runs the verification algorithm Verify (pk, M, (z, c, h)), and gets 1/0, indicating verification pass/fail, respectively. If the authentication is passed, the recipient Bob acknowledges that the message M was sent by Alice. The method of the invention is used for solving the problem of how to design the digital signature, and has important application in the aspects of ensuring the integrity of information transmission, carrying out identity authentication of an information sender and preventing repudiation in transactions.
A lattice-based digital signature method based on key consensus; wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is an integer; the signature algorithm includes three specific algorithms: gen, Sign (-), Verify (-).
Gen is a key generation algorithm, the algorithm input contains security parameters and the output contains a public key pk and a private key sk. Sign (·) is a signature algorithm, the input of which contains system parameters params, private key sk and message M ∈ {0,1}*Wherein {0,1}*Represents a set of 0-1 strings of arbitrary length, the output comprising (z, c, h), where
c∈R,
Wherein t is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhFunction of (2), auxhIs a set of auxiliary parameters for h that may be empty. The sender Alice running the method obtains the private key sk and the public parameter params, signs the message M running signature algorithm Sign (params, sk, M), obtains the signature sigma (z, c, h), and discloses the transmission signature sigma (z, c, h) to the receiver Bob running the method. Verify (-) is a verification algorithm with inputs containing the system parameters params, public key pk, message M and signature (z, c, h), and outputs 1 or 0, indicating verification pass or fail, respectively. Bob gets the public key pk, the message M and the signature σ to the message M as inputs, runs the verification algorithm Verify (pk, M, (z, c, h)), and gets 1/0, indicating verification pass/fail, respectively. If the authentication is passed, the recipient Bob acknowledges that the message M was sent by Alice.
Detailed Description
A lattice-based digital signature method based on key consensus; wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is an integer;
gen is a key generation algorithm, the algorithm input contains security parameters, the output contains a public key pk and a private key sk, and the algorithm runs as follows:
obtaining system parameters params ═ q, k, d, n, m, l and aux }, wherein q, k, d, n, m and l are integers; aux is a set of other auxiliary system parameters that may be empty;
obtain good results
Obtaining s from the third step1∈Rl,s2∈RmWherein s is1Taken from a certain set
s2Taken from some set which may be empty
Fourth step obtain
Obtained through fifth
ftIs about t, params, auxtOf (2), wherein auxtIs a set of auxiliary parameters for t that may be empty;
sixthly, outputting a public key pk and a private key sk; wherein the public key pk comprises params, t1Generating the information required for A, auxpkWherein auxpkA set of auxiliary parameters that are public keys that may be null; the private key sk contains s1,s2,t0,auxskWherein auxskIs a set of auxiliary parameters of the private key that may be empty;
sign (·) is a signature algorithm, the input of which contains system parameters params, private key sk and message M ∈ {0,1}*Wherein {0,1}*Representing a set of 0-1 strings of arbitrary length, the output contains (z, c, h), where z ∈ Rlq,c∈R,
Wherein b is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhThe output result of (2) is a function of the integer, auxhIs an auxiliary parameter set of h that may be empty; the algorithm operates as follows:
first, get
Obtain good results
Obtaining the product
Wherein y is2Can be a 0 vector;
fourth step obtain
Obtained through fifth
Wherein
Is a function of v, params,
is k can be empty1A set of auxiliary parameters;
obtaining
Wherein
Is about k1,params,
As a function of (a) or (b),
is k can be empty1' a set of auxiliary parameters;
training for c ═ H (k)1′,M,auxc) Where H is a hash function, or one-way function, or transfer function, auxcIs c which may be emptyA set of auxiliary parameters;
and obtain z ═ fz(pk,y1,s1,k1,c,M,auxz) Wherein f iszIs related to pk, y1,s1,k1,c,M,auxzFunction of (2), auxzAn auxiliary parameter set of z that may be empty;
self-tapping
Wherein,
is about v, c, s2,params,
Function of (2), auxk2Is k can be empty2,sig2A set of auxiliary parameters;
judgment condition of the degree of charge
Whether or not it is true, wherein,
is R which may be empty1A set of auxiliary parameters; if not, then get back to the second step of the second, the circulation is up to R1If true;
result from
Wherein f ishIs about v, c, s2,y2,t0,params,
As a function of (a) or (b),
is an auxiliary parameter set of h that may be empty;
water pumping judgment condition
Whether or not it is true, wherein,
is R which may be empty2A set of auxiliary parameters; if not, then get back to the second step of the second, the circulation is up to R2If true;
the signature (z, c, h) is output in a selection mode;
verify (-) is a signature verification algorithm with inputs containing system parameters params, public key pk, message M and signature (z, c, h), and outputs 1 or 0, the algorithm operates as follows:
first, get
Obtain good results
Wherein
Is about h, A, z, c, t1,params,
As a function of (a) or (b),
is k 'which may be empty'2A set of auxiliary parameters;
obtaining the product
Wherein,
is about k'2,params,
As a function of (a) or (b),
is k ", which may be empty2A set of auxiliary parameters;
fourth, c' ═ H (k ″)2,M,auxc') Where H is a hash function, or one-way function, or transfer function, auxc′A set of auxiliary parameters that may be null c';
judgment condition of fife
Whether or not it is true, wherein,
is R which may be empty3A set of auxiliary parameters; if yes, outputting 1, otherwise, outputting 0;
the invention requires a certain power of 2 or D that q-1 cannot divide exactly2Is empty, or k1′≠k1。
The method as described above, wherein the algebraic ring R, RqSatisfies the relation RqWherein ring R is Z [ X ]]/(Xn+1), or Z [ X ]]/(Xn+Xn-1+ … +1), or Z [ X ]]/(Xn-1); ring RqIs Zq[X]/(Xn+1), or Zq[X]/(Xn+Xn-1+ … +1), or Zq[X]/(Xn-1), wherein n is a positive integer.
The method as recited in the preceding paragraph, wherein,auxa subset that can be empty containing { η, β, ξ, ζ, B, ω, σ, g, q ', α, α' }, where η, β, ξ, ζ, B, ω, σ, g are positive integers, q '═ lcm (q, k) is the least common multiple of q and k, α ═ q'/q, α '═ q'/k.
The method as recited above, wherein,
compliance
And (4) upper probability distribution.
The method as described above, where Sam is an extended output function, y to S:. Sam (x) indicates that the input is x, and the value y is output in the distribution S (or a uniform distribution over the set S).
The method as described above, wherein ρ is a random seed, and taking comprises taking {0,1}nA medium random string.
The method as described above, wherein s1Can be obeyed
A uniform distribution of S, or a discrete Gaussian distribution ofηRepresenting the coefficients belonging to [ - η, η ] in the ring R]The polynomial ensemble of (a); s2Can be obeyed
A uniform distribution of, or a discrete Gaussian distribution of, or s2=0。
The method as described above, wherein when s1,s2Subject each coefficient to [ - η, η [ - η [ ]]When the seed is uniformly distributed, the seed can be input and generated by using an extended output function Sam.
The method as described above, wherein (t)1,t0)=ft(t,params,auxt) The calculating method comprises the following steps:
⑴t0=tmod±2d,t1=(t-t0)/2dwherein for any integer a and positive integer b, amod ± b means falling within
Such that b | c-a, here for any real number x,
represents the largest integer less than or equal to x;
⑵t0=tmod2d,t1=(t-t0)/2dwherein, for any integer a and positive integer b, amodb represents a number falling within [0, b-1 ]]Such that b | c-a.
The method as described above, wherein the information required to generate a may comprise a random seed ρ.
The method as described above, wherein auxskThe public key pk may be included.
The method as recited above, wherein,
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ;
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ; wherein B, σ is an auxiliary parameter;
the method as described above, wherein
When uniform distribution is obeyed, the seed generation can be input by using the spread output function Sam.
The method as recited above, wherein,
the calculating method comprises the following steps: calculating k1←HighBits(v,params)。
The method as described above, wherein for r ∈ ZqThe HighBits (r, params) algorithm operates as follows:
(1) calculating (r)1,r0)←Con(r,params);
(2) Output r1。
If the algorithm HighBits (-) inputs
And the common parameter params, means that the HighBits algorithm is used separately for each coefficient in the polynomial vector v.
The method as described above, wherein the coding algorithm Con (-) input comprises r ∈ Z ·qAnd the common parameter params, the algorithm pair r ∈ ZqCoding based on params, output contains (r)1,r0) Where r1 ∈ Zk,r0∈ZtK is a system parameter, t is an integer; if the algorithm Con (-) inputs
And the common parameter params, means that the Con algorithm is used separately for each coefficient in the polynomial vector v.
The method as described above, wherein the Con (r, params) algorithm operates as follows:
(1) calculating sigmaA∈Zq′;
(2) Calculating r0;
(3) Calculating r1;
(4) Return (r)1,r0)。
The method as described above, wherein σAThe calculating method comprises the following steps: from the set [0, alpha-1 ]]Or set of
Selecting a determined element e, and particularly, taking e as 0; calculating sigmaA=ασ1+e∈Zq′。
The method as described above, wherein σA=αr+e∈Zq′The calculating method comprises the following steps:
⑴σAα r + emodq', or
⑵σA=αr+emod±q′。
The method as recited above, wherein,
is about sigmaAα, α', k.
As described aboveMethod in which r0The calculating method comprises the following steps:
(1) calculating r0=σAmod±α', or
(2) Calculating r0=σAmod α', or
(3) Computing
Or
(4) Computing
Or
(5) Computing
Or
(6) Computing
Wherein k, q are system parameters, g, α' are auxiliary parameters; for any real number a, "a" represents the nearest integer to a.
The method as described above, wherein r1The calculating method comprises the following steps:
(1) computing
(2) Calculating r1=「σA/β」mod±k
(3) If k, q are mutliphatic and kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0)/q,
Where k, q are system parameters.
The method as described above, wherein r0∈ZtThe values of t in (1) include: t-g or t-g + 1. 21. The method of claim 1, wherein,
is calculated to the method bagComprises the following steps:
(1)
or
(2)k′1=「qk1/k」,
Where k, q are system parameters.
The method as described above, wherein auxcContaining pk and/or params and/or a public key certificate.
The method as described above, wherein z ═ fz(pk,y1,s1,k1,c,M,auxz) The calculating method comprises the following steps:
the method as recited above, wherein,
the calculating method comprises the following steps:
wherein,
is about v, c, s2,params,
As a function of (c).
The method as recited above, wherein,
the calculating method comprises the following steps:
the method as described above, wherein the conditions
The method comprises the following steps: | z | non-woven phosphor∞Xi and sig | |2||∞Zeta and k1=k2Wherein for any a ∈ R, | | | a | | | ceiling∞Represents the maximum of the absolute values of all the coefficients of the polynomial a; for any a ═ a1,…,ab)∈RbB is a positive integer, | a | | non-woven phosphor∞Express | | | ai||∞And i is more than or equal to 1 and less than or equal to the maximum value of b.
The method as recited above, wherein,
the calculating method comprises the following steps:
(1)h=sig2or is or
(2)h=MakeHint(-ct0,v-cs2+ct0Params), or
(3)h=MakeGHint(-ct0,v-cs2+ct0,params)。
The method as described above, wherein h sig2The calculation method of (2) is as follows:
(1)
(2) output h is sig2。
The method as described above, wherein for Z ∈ Zq,r∈ZqThe algorithm makehit (z, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2)v1=HighBits(r+z,params);
(3) if r1=v1If yes, returning to 0; otherwise, 1 is returned.
If the algorithm makeHint (-) is input
And a common parameter params, whereinaIs a positive integer, it means to a polynomial vector
Each set of corresponding coefficients in (1) is separately processed using MakeHint algorithm.
The method as described above, wherein for Z ∈ Zq,r∈ZqThe algorithm MakeGHint (z, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2)v1=HighBits(r+z,params);
(3) return h ═ v1-r1)mod±k or h ═ v1-r1)mod k。
If the algorithm MakeGHint (·) is input
And a common parameter params, whereinaIs a positive integer, it means to a polynomial vector
Each set of corresponding coefficients in (1) uses the MakeGHint algorithm, respectively.
The method as recited above, wherein,
the calculating method comprises the following steps:
(1)
or
(2)
Or
(3)
Wherein,
is about h, A, z, c, t1,params,
As a function of (c).
The method as recited above, wherein,
the calculating method comprises the following steps:
where d is a system parameter.
The method as described above, wherein the decoding algorithm Rec (-) and the algorithm input contains r' ∈ Zq,r0∈ZtAnd a system parameter params, wherein (r)1,r0)←Con(r,params),r∈Zq,|r′-r|qD ' is not more than d ', and d ' is an integer; for any integer a, | aqIs defined as min { a mod q, q-a mod q }, and min {. is defined as the minimum value; the algorithm pair r' belongs to Zq,r0∈ZtDecoding based on params, the output comprising r1', wherein r1′∈ZkK is a system parameter; if the distance d 'between r' and r satisfies a certain constraint condition, then r1′=r1And both parties successfully correct the error.
The method as described above, wherein Rec (r', r)0Params) includes:
⑴r′1=「ασ2v/g,/or
⑵r′1=「ασ2/[ beta ] - (v +1/2)/g ] modk, or
⑶r′1=「ασ2/. beta. - (v + c)/g ". modk), whereincIs a real number.
The method as described above, wherein d' satisfies the relationship comprising:
(2 d' +1) k < q (1-1/g), or
(2 d' +2) k < q (1-1/g), or
(2 d' +1) k < q (1-2 γ/g), wherein γ is defined as max { | c |, |1-c | }, for any real number a, | a | represents taking the absolute value of a, max {. cndot } is defined as taking the maximum value, or
Fourthly (d' +1) k < q (1/2-gamma/g), or
⑸2kd′<q。
⑹2k(d′+1)<q。
The method as described above, wherein c is a real number, and 0. ltoreq. c.ltoreq.1 is satisfied.
The method as described above, wherein for h e {0,1}, r e ZqThe algorithm UseHint (h, r, params) is calculated as follows:
(1)(r1,r0)=Con(r,params);
(2) if h is 1 and r0> 0, back (r)1+1) modk; if h is 1 and r0< 0, return (r)1-1) modk; otherwise, if h is equal to 0, return r1。
The method as described above, wherein for h e Zk,r∈ZqThe algorithm UseGHint (h, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2) return (r)1+h)modk。
The method as recited above, wherein,
the calculating method comprises the following steps:
(1)
(2)k″2=「qk′2/k」。
the method as described above, wherein auxc′Containing pk and/or params and/or a public key certificate.
The method as recited above, wherein,
the conditions include:
(1) c | | | z | | non-woven phosphor∞≤ξ;
(2) c | | | z | | non-woven phosphor∞ξ and # h ≦ ω, where for h ∈ {0,1}aA is a positive integer# h represents the number of coefficients 1 in the polynomial vector h;
where ξ, ω are the auxiliary parameters.
In the practical application of the inventive method, the recommended Gen, Sign (-), Verify (-), Con (-), and HighBits (-) embodiments are as follows:
Gen:
obtaining system parameters params ═ q, k, d, n, m, l and aux }, wherein q, k, d, n, m and l are integers; aux is a set of other auxiliary system parameters that may be empty;
⑵
⑶
⑷
⑸t0=tmod±2d,t1=(t-t0)/2d;
sixthly, outputting pk ═ ρ, t1,params,auxpk),sk=(s1,s2,t0,auxsk,ρ);
Sign(params,sk,M):
⑴
⑵t0=tmod±2d,t1=(t-t0)/2d;
⑶
⑷
⑸k1←HighBits(v,params);
⑹)k′1=「qk1/k」;
⑺c=H(ρ,t1,k′1,M);
⑻z=y1+cs1;
⑼(k2,sig2)←Con(v-cs2,params);
The lower limit is if z | | non-conducting phosphor∞< B-beta and | | | sig2||∞< q/2-k β and k1=k2If the operation is not established, the operation returns to the second step, and the operation is circulated until the operation is established;
⑾h=MakeHint(-ct0,v-cs2+ct0,params);
well pump if ct0||∞The number of < q/2k and the number of 1 in h is not more than omega, the method returns to the second mode and operates in a circulating mode until the second mode is established;
the signature (z, c, h) is output in a selection mode;
Verify(pk,M,(z,c,h)):
⑴
⑵k′2=UseHint(h,Az-ct1·2d,params);
⑶k″2=「qk′2/k」;
⑷c′=H(ρ,t1,k″2,M);
if c ═ c' and | | | z | | write∞If the sum is less than B-beta and the number of 1 in h is less than or equal to omega, outputting 1; otherwise, outputting 0;
Con(r,params):
⑴r0=krmod±q;
anemone dichotoma Kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0)/q;
Returning (r)1,r0)。
Highbits(r,params):
⑴(r1,r0)←Con(r,params);
To return to r1。
Claims (44)
1. A lattice-based digital signature method based on key consensus, wherein { … } represents a set of information or values; r, RqRepresents an algebraic ring, wherein q is an integer;
gen is a key generation algorithm, the algorithm input contains security parameters, the output contains a public key pk and a private key sk, and the algorithm runs as follows:
obtaining system parameters params ═ q, k, d, n, m, l and aux }, wherein q, k, d, n, m and l are integers; aux is a set of other auxiliary system parameters that may be empty;
obtain good results
Obtaining s from the third step1∈Rl,s2∈RmWherein s is1Taken from a certain set
s2Taken from some set which may be empty
Fourth step obtain
Obtained through fifth
ftIs about t, params, auxtOf (2), wherein auxtIs a set of auxiliary parameters for t that may be empty;
sixthly, outputting a public key pk and a private key sk; wherein the public key pk comprises params, t1Generating the information required for A, auxpkWherein auxpkA set of auxiliary parameters that are public keys that may be null;the private key sk contains s1,s2,t0,auxskWherein auxskIs a set of auxiliary parameters of the private key that may be empty;
sign (·) is a signature algorithm, the input of which contains system parameters params, private key sk and message M ∈ {0,1}*Wherein {0,1}*Represents a set of 0-1 strings of arbitrary length, the output comprising (z, c, h), where
c∈R,
Wherein b is a positive integer, gh(n,m,h,auxh) Is about n, m, h, auxhThe output result of (2) is a function of the integer, auxhIs an auxiliary parameter set of h that may be empty; the algorithm operates as follows:
first, get
Obtain good results
Obtaining the product
Wherein y is2Can be a 0 vector;
fourth step obtain
Obtained through fifth
Wherein
Is a function of v, params,
is k can be empty1A set of auxiliary parameters;
obtaining
Wherein
Is about k1,params,
As a function of (a) or (b),
is k 'which may be empty'1A set of auxiliary parameters;
obtaining c ═ H (k'1,M,auxc) Where H is a hash function, or one-way function, or transfer function, auxcA set of auxiliary parameters that may be null c;
and obtain z ═ fz(pk,y1,s1,k1,c,M,auxz) Wherein f iszIs related to pk, y1,s1,k1,c,M,auxzFunction of (2), auxzAn auxiliary parameter set of z that may be empty;
self-tapping
Wherein,
is about v, c, s2,params,
As a function of (a) or (b),
is k can be empty2,sig2A set of auxiliary parameters;
judgment condition of the degree of charge
Whether or not it is true, wherein,
is R which may be empty1A set of auxiliary parameters; if not, then get back to the second step of the second, the circulation is up to R1If true; wherein the conditions are
The method comprises the following steps: | z | non-woven phosphor∞Xi and sig | |2||∞Zeta and k1=k2Wherein for any a ∈ R, | | | a | | | ceiling∞Represents the maximum of the absolute values of all the coefficients of the polynomial a; for any a ═ a1,…,ab)∈RbB is a positive integer, | a | | non-woven phosphor∞Express | | | ai||∞I is more than or equal to 1 and less than or equal to the maximum value of b;
result from
Wherein f ishIs about v, c, s2,y2,t0,params,
As a function of (a) or (b),
is an auxiliary parameter set of h that may be empty;
water pumping judgment condition
Whether or not it is true, wherein,
is R which may be empty2A set of auxiliary parameters; if not, then get back to the second step of the second, the circulation is up to R2If true;
the signature (z, c, h) is output in a selection mode;
verify (-) is a signature verification algorithm, the algorithm input comprises system parameters params, a public key pk, a message M and a signature (z, c, h), and the output is 1 or 0, wherein 1 represents that the signature passes and 0 represents that the signature does not pass; the algorithm operates as follows:
first, get
Obtain good results
Wherein
Is about h, A, z, c, t1,params,
As a function of (a) or (b),
is k 'which may be empty'2A set of auxiliary parameters;
obtaining the product
Wherein,
is about k'2,params,
As a function of (a) or (b),
is k ", which may be empty2A set of auxiliary parameters;
fourth, c' ═ H (k ″)2,M,auxc') Where H is a hash function, or one-way function, or transfer function, auxc′A set of auxiliary parameters that may be null c';
judgment condition of fife
Whether or not it is true, wherein,
is R which may be empty3A set of auxiliary parameters; if yes, outputting 1, otherwise, outputting 0; wherein,
the conditions include:
(1) c | | | z | | non-woven phosphor∞≤ξ;
(2) c | | | z | | non-woven phosphor∞ξ and # h ≦ ω, where for h ∈ {0,1}aA is a positive integer, # h denotes the number of coefficients 1 in the polynomial vector h; where ξ, ω are auxiliary parameters;
the invention requires a certain power of 2 or D that q-1 cannot divide exactly2Is empty, or k'1≠k1。
2. The method of claim 1, wherein the algebraic ring R, RqSatisfies the relation RqR/(qR), wherein ring R is Z [ X ]]/(Xn+1), or Z [ X ]]/(Xn+Xn-1+ … +1), or Z [ X ]]/(Xn-1); ring RqIs Zq[X]/(Xn+1), or Zq[X]/(Xn+Xn-1+ … +1), or Zq[X]/(Xn-1), wherein n is a positive integer.
3. The method of claim 1, wherein aux comprises an optionally empty subset of { η, β, ξ, ζ, B, ω, σ, g, q ', α, α' }, wherein η, β, ξ, ζ, B, ω, σ, g is a positive integer, q '═ lcm (q, k) is the least common multiple of q and k, α ═ q'/q, α '═ q'/k.
4. The method of claim 1, wherein,
compliance
And (4) upper probability distribution.
5. The method of claim 4, wherein Sam is an extended output function, y-Sam (x) denotes an input of x, and the value y is output in a distribution S (or a uniform distribution over the set S).
6. The method of claim 4, wherein p is a random seed.
7. The method of claim 1, wherein s1Can be obeyed
A uniform distribution of S, or a discrete Gaussian distribution ofηRepresenting the coefficients belonging to [ - η, η ] in the ring R]The polynomial ensemble of (a); s2Can be obeyed
A uniform distribution of, or a discrete Gaussian distribution of, or s2=0。
8. The method of claim 1, wherein when s is1,s2Subject each coefficient to [ - η, η [ - η [ ]]When the seed is uniformly distributed, the seed can be input and generated by using an extended output function Sam.
9. The method of claim 1, wherein (t)1,t0)=ft(t,params,auxt) The calculating method comprises the following steps:
⑴t0=tmod±2d,t1=(t-t0)/2dwherein for any integer a and positive integer b, amod±b represents falling in
Such that b | c-a, here for any real number x,
represents the largest integer less than or equal to x;
⑵t0=tmod2d,t1=(t-t0)/2dwherein, for any integer a and positive integer b, amodb represents a number falling within [0, b-1 ]]Such that b | c-a.
10. The method of claim 1, wherein the information required to generate a may comprise a random seed p.
11. The method of claim 1, wherein auxskThe public key pk may be included.
12. The method of claim 1, wherein,
can be obeyed
An upper uniform distribution, or a discrete gaussian distribution with a standard deviation of σ;
can be obeyed
Upper uniformityA distribution, or a discrete gaussian distribution with a standard deviation σ; where B, σ is an auxiliary parameter.
13. The method of claim 12, wherein when
When uniform distribution is obeyed, the seed generation can be input by using the spread output function Sam.
14. The method of claim 1, wherein,
the calculating method comprises the following steps: calculating k1←HighBits(v,params)。
15. The method of claim 14, wherein for r e ZqThe HighBits (r, params) algorithm operates as follows:
(1) calculating (r)1,r0)←Con(r,params);
(2) Output r1;
If the algorithm HighBits (-) inputs
And the common parameter params, means that the HighBits algorithm is used separately for each coefficient in the polynomial vector v.
16. The method of claim 15, wherein the coding algorithm Con (-) input comprises r e ZqAnd the common parameter params, the algorithm pair r ∈ ZqCoding based on params, output contains (r)1,r0) Wherein r is1∈Zk,r0∈ZtK is a system parameter, t is an integer; if the algorithm Con (-) inputs
And the common parameter params, then means for multiple itemsEach coefficient in the expression vector v uses the Con algorithm, respectively.
17. The method of claim 16, wherein the Con (r, params) algorithm operates as follows:
(1) calculating sigmaA∈Zq′;
(2) Calculating r0;
(3) Calculating r1;
(4) Return (r)1,r0)。
18. The method of claim 17, wherein σAThe calculating method comprises the following steps: from the set [0, alpha-1 ]]Or set of
Selecting a determined element e, and particularly, taking e as 0; calculating sigmaA=ασ1+e∈Zq′。
19. The method of claim 18, wherein σA=αr+e∈Zq′The calculating method comprises the following steps:
⑴σAα r + emodq', or
⑵σA=αr+emod±q′。
20. The method of claim 17, wherein,
is about sigmaAα, α', k.
21. The method of claim 20, wherein r0The calculating method comprises the following steps:
(1) calculating r0=σAmod±α', or
(2) Calculating r0=σAmod α', or
(3) Calculating r0=「g(σAmod±α ')/q', or
(4) Calculating r0=「g(σAmod α')/q ", or
(5) Computing
Or
(6) Computing
Wherein k, q are system parameters, g, α' are auxiliary parameters; for any real number a, "a" represents the nearest integer to a.
22. The method of claim 20, wherein r1The calculating method comprises the following steps:
(1) computing
(2) Calculating r1=「σA/β」mod±k
(3) If k, q are mutliphatic and kr-r0When kq, let r10; otherwise, calculate r1=(kr-r0)/q,
Where k, q are system parameters.
23. The method of claim 16, wherein r0∈ZtThe values of t in (1) include: t-g or t-g + 1.
24. The method of claim 1, wherein,
the calculating method comprises the following steps:
(1)
or
(2)k′1=「qk1/k」,
Where k, q are system parameters.
25. The method of claim 1, wherein auxcContaining pk and/or params and/or a public key certificate.
26. The method of claim 1, wherein z ═ fz(pk,y1,s1,k1,c,M,auxz) The calculating method comprises the following steps:
27. the method of claim 1, wherein,
28. The method of claim 27Wherein
the calculating method comprises the following steps:
29. the method of claim 1, wherein the conditions are
The method comprises the following steps: | z | non-woven phosphor∞Xi and sig | |2||∞Zeta and k1=k2Wherein for any a ∈ R, | | | a | | | ceiling∞Represents the maximum of the absolute values of all the coefficients of the polynomial a; for any a ═ a1,…,ab)∈RbB is a positive integer, | a | | non-woven phosphor∞Express | | | ai||∞And i is more than or equal to 1 and less than or equal to the maximum value of b.
30. The method of claim 1, wherein,
the calculating method comprises the following steps:
(1)h=sig2or is or
(2)h=MakeHint(-ct0,v-cs2+ct0Params), or
(3)h=MakeGHint(-ct0,v-cs2+ct0,params)。
31. The method of claim 30, wherein h-sig2The calculation method of (2) is as follows:
(1)
(2) output h is sig2。
32. The method of claim 15, wherein for Z e Zq,r∈ZqThe algorithm makehit (z, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2)v1=HighBits(r+z,params);
(3) if r1=v1If yes, returning to 0; otherwise, returning to 1;
if the algorithm makeHint (-) is input
And the common parameter params, where a is a positive integer, means for a polynomial vector
Each set of corresponding coefficients in (1) is separately processed using MakeHint algorithm.
33. The method of claim 15, wherein for Z e Zq,r∈ZqThe algorithm MakeGHint (z, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2)v1=HighBits(r+z,params);
(3) return h ═ v1-r1)mod±k or h ═ v1-r1)mod k;
If the algorithm MakeGHint (·) is input
And the common parameter params, where a is a positive integer, means for a polynomial vector
Each set of corresponding coefficients in (1) uses the MakeGHint algorithm, respectively.
34. The method of claim 1, wherein,
the calculating method comprises the following steps:
(1)
or
(2)
Or
(3)
Wherein,
is about h, A, z, c, t1,params,
As a function of (c).
35. The method of claim 34, wherein,
the calculating method comprises the following steps:
where d is a system parameter.
36. The method of claim 34, wherein the decoding algorithm Rec (·), the algorithm input contains r' ∈ Zq,r0∈ZtAnd a system parameter params, wherein (r)1,r0)←Con(r,params),r∈Zq,|r′-r|qD ' is not more than d ', and d ' is an integer; for any integer a, | aqIs defined as min { amodq, q-amodq }, and min {. is defined as taking the minimumA value; the algorithm pair r' belongs to Zq,r0∈ZtDecoding based on params, the output comprising r1', wherein r1′∈ZkK is a system parameter; if the distance d 'between r' and r satisfies a certain constraint condition, then r1′=r1And both parties successfully correct the error.
37. The method of claim 36, wherein Rec (r', r)0Params) includes:
⑴r1′=「ασ2v/g,/or
⑵r1′=「ασ2/[ beta ] - (v +1/2)/g ] modk, or
⑶r1′=「ασ2,/β - (v + c)/g, ", modk, where c is a real number.
38. The method of claim 36, wherein d' satisfies the relationship comprising:
(2 d' +1) k < q (1-1/g), or
(2 d' +2) k < q (1-1/g), or
(2 d' +1) k < q (1-2 γ/g), wherein γ is defined as max { | c |, |1-c | }, for any real number a, | a | represents taking the absolute value of a, max {. cndot } is defined as taking the maximum value, or
Fourthly (d' +1) k < q (1/2-gamma/g), or
⑸2kd′<q;
⑹2k(d′+1)<q。
39. The method of claim 37, wherein c is a real number, and 0 ≦ c ≦ 1 is satisfied.
40. The method of claim 34, wherein for h e {0,1}, r e ZqThe algorithm UseHint (h, r, params) is calculated as follows:
(1)(r1,r0)=Con(r,params);
(2) if h is 1 and r0> 0, back (r)1+1) modk; if h is 1 and r0< 0, return tor1-1) modk; otherwise, if h is equal to 0, return r1。
41. The method of claim 34, wherein for h e Zk,r∈ZqThe algorithm UseGHint (h, r, params) is calculated as follows:
(1)r1=HighBits(r,params);
(2) return (r)1+h)modk。
42. The method of claim 1, wherein,
the calculating method comprises the following steps:
(1)
(2)k″2=「qk′2/k」。
43. the method of claim 1, wherein auxc′Containing pk and/or params and/or a public key certificate.
44. The method of claim 1, wherein,
(1) c | | | z | | non-woven phosphor∞≤ξ;
(2) c | | | z | | non-woven phosphor∞ξ and # h ≦ ω, where for h ∈ {0,1}aA is a positive integer, # h denotes the number of coefficients 1 in the polynomial vector h;
where ξ, ω are the auxiliary parameters.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811462651.7A CN109687969B (en) | 2018-12-03 | 2018-12-03 | Lattice-based digital signature method based on key consensus |
| PCT/CN2019/112510 WO2020114121A1 (en) | 2018-12-03 | 2019-10-22 | Lattice-based digital signature method employing key agreement |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811462651.7A CN109687969B (en) | 2018-12-03 | 2018-12-03 | Lattice-based digital signature method based on key consensus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109687969A CN109687969A (en) | 2019-04-26 |
| CN109687969B true CN109687969B (en) | 2021-10-15 |
Family
ID=66185991
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811462651.7A Active CN109687969B (en) | 2018-12-03 | 2018-12-03 | Lattice-based digital signature method based on key consensus |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109687969B (en) |
| WO (1) | WO2020114121A1 (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109687969B (en) * | 2018-12-03 | 2021-10-15 | 上海扈民区块链科技有限公司 | Lattice-based digital signature method based on key consensus |
| CN113541952B (en) * | 2020-04-17 | 2023-07-25 | 赵运磊 | Digital signature method based on lattice |
| CN116781262B (en) * | 2023-08-22 | 2023-11-03 | 晨越建设项目管理集团股份有限公司 | Space region security authentication method based on meta-universe system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
| WO2014205570A1 (en) * | 2013-06-27 | 2014-12-31 | Infosec Global Inc. | Key agreement protocol |
| CN105099671A (en) * | 2015-08-20 | 2015-11-25 | 赵运磊 | Authentication key negotiation method enabling identity privacy and non-malleable security |
| CN106301789A (en) * | 2016-08-16 | 2017-01-04 | 电子科技大学 | Apply the dynamic verification method of the cloud storage data that linear homomorphism based on lattice signs |
| CN107124272A (en) * | 2017-05-02 | 2017-09-01 | 西南石油大学 | The lattice cloud storage data safety auditing method for supporting agent data to upload |
| US9780948B1 (en) * | 2016-06-15 | 2017-10-03 | ISARA Corporation | Generating integers for cryptographic protocols |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20120071884A (en) * | 2010-12-23 | 2012-07-03 | 한국전자통신연구원 | Ring signature method based on lattices |
| US10742413B2 (en) * | 2017-04-25 | 2020-08-11 | International Business Machines Corporation | Flexible verifiable encryption from lattices |
| CN109687969B (en) * | 2018-12-03 | 2021-10-15 | 上海扈民区块链科技有限公司 | Lattice-based digital signature method based on key consensus |
-
2018
- 2018-12-03 CN CN201811462651.7A patent/CN109687969B/en active Active
-
2019
- 2019-10-22 WO PCT/CN2019/112510 patent/WO2020114121A1/en active Application Filing
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102833265A (en) * | 2012-09-13 | 2012-12-19 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
| WO2014205570A1 (en) * | 2013-06-27 | 2014-12-31 | Infosec Global Inc. | Key agreement protocol |
| CN105099671A (en) * | 2015-08-20 | 2015-11-25 | 赵运磊 | Authentication key negotiation method enabling identity privacy and non-malleable security |
| US9780948B1 (en) * | 2016-06-15 | 2017-10-03 | ISARA Corporation | Generating integers for cryptographic protocols |
| CN106301789A (en) * | 2016-08-16 | 2017-01-04 | 电子科技大学 | Apply the dynamic verification method of the cloud storage data that linear homomorphism based on lattice signs |
| CN107124272A (en) * | 2017-05-02 | 2017-09-01 | 西南石油大学 | The lattice cloud storage data safety auditing method for supporting agent data to upload |
Non-Patent Citations (1)
| Title |
|---|
| 格基签密关键技术研究;闫建华;《中国博士学位论文全文数据库信息科技辑》;20160315;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2020114121A1 (en) | 2020-06-11 |
| CN109687969A (en) | 2019-04-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12021971B2 (en) | Computer-implemented systems and methods for performing computational tasks across a group operating in a trust-less or dealer-free manner | |
| CN110971405B (en) | SM2 signing and decrypting method and system with cooperation of multiple parties | |
| CN108418783B (en) | Method and medium for protecting privacy of intelligent contracts of block chains | |
| CN110011781B (en) | Homomorphic encryption method and medium for transaction amount encryption and supporting zero knowledge proof | |
| CN109687969B (en) | Lattice-based digital signature method based on key consensus | |
| CN111819817A (en) | Method and system for block chain implementation for bilinear mapping accumulator-based authorization | |
| CN113065934B (en) | Auction method and system with verifiable privacy, computer equipment and application | |
| Saha et al. | A blockchain framework in post-quantum decentralization | |
| CN109936458B (en) | Lattice-based digital signature method based on multiple evidence error correction | |
| CN107171788B (en) | Identity-based online and offline aggregated signature method with constant signature length | |
| CN109639439A (en) | A kind of ECDSA digital signature method based on two sides collaboration | |
| CN112380495B (en) | Secure multiparty multiplication method and system | |
| CN115883079A (en) | Data processing method, system, device, electronic equipment and storage medium | |
| Tian et al. | DIVRS: Data integrity verification based on ring signature in cloud storage | |
| CN106789066B (en) | Agency's weight endorsement method based on IP signature | |
| CN116318736A (en) | Two-level threshold signature method and device for hierarchical management | |
| CN114065233A (en) | Digital signature aggregation method for big data and block chain application | |
| Zhang et al. | A certificateless ring signature scheme with high efficiency in the random oracle model | |
| CN110430041B (en) | Certificateless digital signature method under cloud service scene | |
| Tan et al. | Multi-party co-signature scheme based on SM2 | |
| CN110995441A (en) | Multi-party collaborative EdDSA digital signature generation method and medium | |
| Shah et al. | Development of | |
| CN112087296A (en) | Lattice-based digital signature method based on evidence indistinguishable key consensus | |
| Xu et al. | A new identity-based threshold ring signature scheme | |
| WO2019000231A1 (en) | Method for establishing anti-attack public key cipher |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40008133 Country of ref document: HK |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220822 Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438 Patentee after: Zhao Yunlei Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156 Patentee before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240112 Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District Patentee after: FUDAN University Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438 Patentee before: Zhao Yunlei |