CN112380579A - Lattice-based forward security certificateless digital signature scheme - Google Patents


Info

Publication number
CN112380579A
CN112380579A
Authority
CN
China
Legal status
Pending
Application number
CN202011314124.9A
Other languages
Chinese (zh)
Inventor
徐潜
章庆
贺伟
严永峰
Current Assignee
Tianyi Electronic Commerce Co Ltd
Original Assignee
Tianyi Electronic Commerce Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention discloses a lattice-based forward-secure certificateless digital signature scheme. Certificateless cryptography solves the key escrow and certificate management problems of traditional public key cryptosystems, but its security still rests on the absolute security of the user key. Using lattice delegation techniques, the invention provides, for the first time, a forward-secure certificateless lattice-based digital signature scheme that is realized in the standard security model and whose security relies on the small integer solution (SIS) problem over random lattices. Against both external adversaries and internal malicious KGC attackers, the scheme achieves existential unforgeability under adaptive chosen-message and chosen-identity attacks together with forward security against key leakage.

Description

Lattice-based forward security certificateless digital signature scheme
Technical Field
The invention relates to the field of cryptographic keys, in particular to a lattice-based forward-secure certificateless digital signature scheme.
Background
Conventional public key cryptography has two drawbacks. First, if the scheme is certificate-based, the overhead of certificate management and similar tasks reduces the operating efficiency of the system. To eliminate the overhead of certificate management, Shamir introduced the idea of identity-based cryptography in 1984, in which a public identity serves as the user's public key and a key generation center (KGC) generates the user's private key. Many efficient identity-based signature schemes exist; however, under the identity-based approach the KGC is able to generate the complete user key, and once the KGC is compromised no user in the system remains secure. This is the so-called key escrow problem.
Al-Riyami introduced the concept of certificateless public key cryptography in 2003 to solve the key escrow problem while eliminating the certificate management overhead. The core idea of certificateless cryptography is that the KGC distributes a partial key to each user and the user is responsible for generating the remaining part of the key. Because the KGC cannot obtain the user's complete key, the security hazard posed by a malicious KGC is eliminated. Based on Al-Riyami's idea, many certificateless digital signature schemes have since been proposed. However, the security of these schemes rests on traditional number-theoretic problems such as integer factorization and the discrete logarithm over finite fields. With the development of quantum computers, the security of cryptographic schemes based on these problems is threatened: as early as 1994, Shor proposed a quantum algorithm that solves the discrete logarithm and integer factorization problems in polynomial time. Moreover, signature schemes based on bilinear pairings involve a large number of exponentiation operations, and this disadvantage in time complexity restricts their application in the mobile field.
The security of many cryptographic schemes rests on the absolute security of the user key. However, in a mobile environment, and especially with the heavy use of mobile terminals such as mobile phones, insecure user behavior means that once a mobile device is attacked the user's signing private key stored on the device can easily be stolen. This introduces the forward security problem for key leakage.
Forward security against key leakage means that leakage of the user key at a given time does not endanger the security of the scheme at earlier times. In the field of digital signatures a number of schemes addressing forward security against key leakage have been proposed; their basic idea is to achieve forward security by constructing an irreversible key update algorithm. Like many certificateless cryptographic schemes, these forward-secure signature schemes still rest on bilinear pairing problems, so there is a strong need for a forward-secure certificateless signature scheme that achieves post-quantum security.
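The irreversible key update idea described above can be shown with a much simpler primitive than the lattice construction that follows. The block below is an added illustration, not code from the patent: one Lamport one-time key per time period, all committed in a Merkle tree whose root is the long-term public key (the generic one-time-signature approach to forward security). Signing for period t reveals preimages from that period's key only; KeyUpdate erases the spent secret and advances the period, so a signer state captured after the update contains nothing that can sign for an earlier period, while earlier signatures still verify against the unchanged root. Names, parameters (PERIODS, MSG_BITS) and the 32-bit toy digest are choices made here and are not the scheme's.

```python
"""Toy forward-secure signature from Lamport one-time keys and a Merkle tree.

Added illustration only (not the patent's lattice construction): one
one-time key per time period, committed in a single public root; key_update
erases the spent period's secret, so a key leaked at period t cannot be used
to sign for any earlier period.  Parameters below are toy values."""
import hashlib
import secrets

PERIODS = 4    # toy number of time periods (a power of two for the tree below)
MSG_BITS = 32  # toy: sign a 32-bit message digest (a real Lamport key uses 256)


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def lamport_keygen():
    """Secret: two random preimages per digest bit; public: their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(MSG_BITS)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return sk, pk


def pk_digest(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves, idx):
    """Sibling hashes from leaf idx up to the root."""
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[idx ^ 1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path


def merkle_verify(root, leaf, idx, path) -> bool:
    node = leaf
    for sib in path:
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx //= 2
    return node == root


def msg_bits(msg: bytes):
    d = int.from_bytes(H(msg)[:MSG_BITS // 8], "big")
    return [(d >> (MSG_BITS - 1 - i)) & 1 for i in range(MSG_BITS)]


def setup():
    """Long-term public key = Merkle root over the per-period one-time public keys."""
    assert PERIODS & (PERIODS - 1) == 0
    keys = [lamport_keygen() for _ in range(PERIODS)]
    leaves = [pk_digest(pk) for _, pk in keys]
    state = {"t": 0, "sk": [sk for sk, _ in keys],
             "pk": [pk for _, pk in keys], "leaves": leaves}
    return merkle_root(leaves), state


def sign(state, msg: bytes):
    t = state["t"]
    sk = state["sk"][t]
    if sk is None:
        raise RuntimeError("one-time key for this period already spent")
    reveal = [sk[i][b] for i, b in enumerate(msg_bits(msg))]
    state["sk"][t] = None  # a Lamport key must never sign twice
    return {"t": t, "reveal": reveal, "pk": state["pk"][t],
            "path": merkle_path(state["leaves"], t)}


def key_update(state):
    """Irreversible update: erase period t's secret and move on to t + 1."""
    state["sk"][state["t"]] = None
    state["t"] += 1


def verify(root, msg: bytes, sig) -> bool:
    pk, bits = sig["pk"], msg_bits(msg)
    if len(sig["reveal"]) != MSG_BITS:
        return False
    if any(H(x) != pk[i][b] for i, (x, b) in enumerate(zip(sig["reveal"], bits))):
        return False
    return merkle_verify(root, pk_digest(pk), sig["t"], sig["path"])


def demo():
    root, state = setup()
    s0 = sign(state, b"period-0 message")
    key_update(state)
    s1 = sign(state, b"period-1 message")
    # After the update the signer state holds nothing that could sign for period 0,
    # yet the period-0 signature still verifies and a tampered message does not.
    return (verify(root, b"period-0 message", s0),
            verify(root, b"period-1 message", s1),
            state["sk"][0] is None,
            verify(root, b"tampered message", s0))
```

The point to take from the demo is structural: forward security comes from the update deleting material rather than deriving new material from old, and the verifier needs only the root and the period index carried in the signature.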
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art and provide a lattice-based forward-secure certificateless digital signature scheme which:
1. provides a certificateless digital signature scheme based on random lattices that is provably secure in the standard model;
2. combines the certificateless signature with forward security based on random lattices to construct a lattice-based forward-secure certificateless signature scheme;
3. solves the key leakage and key escrow problems simultaneously, based on random lattices, without introducing a third-party agent;
4. uses the small integer solution (SIS) assumption to realize a certificateless digital signature scheme that is strongly unforgeable and forward-secure under adaptive chosen-message and chosen-identity attacks in the standard model;
5. considers two types of adversaries, a malicious key generation center and dishonest signing users, and proves the proposed signature scheme strongly unforgeable against both types in the standard model.
In order to solve the technical problems, the invention provides the following technical scheme:
The invention relates to a lattice-based forward-secure certificateless digital signature scheme composed of five polynomial-time algorithms:
S1. System setup (Setup)
Let the security parameter be n, real numbers M > 0 and α > 0, positive integers k, b, d, l, T, a prime q > 3, m > 5n log q, and upper bound
Figure BDA0002790781430000021
Choose two collision-resistant hash functions
H_1: {0,1}* → {0,1}^d and H_2: {0,1}* × {0,1}* → {0,1}^l; let the 2Td matrices
Figure BDA0002790781430000022
where D^{m×m} is the set of small-norm invertible matrices over Z_q, i ∈ [0, d-1], j ∈ [1, T], b ∈ {0,1};
The key generation center KGC runs the polynomial-time algorithm TrapGen(n, q, m) to obtain a near-uniform random matrix
Figure BDA0002790781430000031
and a basis T_A ∈ Z^{m×m} of the integer lattice Λ(A)
Figure BDA0002790781430000032
with ||T_A|| ≤ O(n log q); let the Gaussian parameter
Figure BDA0002790781430000033
and the parameter sequence σ_0, σ_1, ..., σ_T, where σ_0 = O(log m) and σ_i ≥ m^{3i/2} ω^i log^{2i+1} m; set the discrete Gaussian distribution parameter
Figure BDA0002790781430000034
set the uniformly random small-norm matrices
Figure BDA0002790781430000035
The public parameters are
Figure BDA0002790781430000036
and the master key is MSK = {T_A}.
S2. Key extraction (KeyExtract)
Given PP and ID, and taking t_0 = 1 as the starting time, the KGC computes H = H_1(ID|t_0),
Figure BDA0002790781430000037
From the master key the KGC can compute
Figure BDA00027907814300000318
to obtain
Figure BDA00027907814300000320
a short basis of
Figure BDA00027907814300000319
and obtains
Figure BDA0002790781430000038
with
Figure BDA0002790781430000039
It sends
Figure BDA00027907814300000310
to the user as the partial private key;
the user verifies that
Figure BDA00027907814300000311
and
Figure BDA00027907814300000312
then obtains from TrapGen(n, q, m) a near-uniform random matrix
Figure BDA00027907814300000313
and a basis T_B ∈ Z^{m×m} of the integer lattice Λ(B); computes
Figure BDA00027907814300000314
and thereby, from
Figure BDA00027907814300000321
obtains
Figure BDA00027907814300000315
and the basis of the corresponding integer lattice
Figure BDA00027907814300000316
as the secret value. The user's private key is
Figure BDA00027907814300000317
The root matrix B and the basis T_B are then deleted.
S3. Key update (KeyUpdate)
Suppose the user holds the public and private keys for time t_j and wishes to update them to the keys for time t_i, t_i > t_j. First, the KGC computes H = H_1(ID|t_i) and
Figure BDA0002790781430000041
then obtains, using the ExtBasis and SamplePre algorithms,
Figure BDA0002790781430000042
which it sends to the user as the partial private key;
Figure BDA0002790781430000043
S4. Signing algorithm (Sign)
Input the user's public key
Figure BDA0002790781430000044
private key
Figure BDA0002790781430000045
and the message to be signed μ ∈ {0,1}*.
The user randomly selects vectors
Figure BDA0002790781430000046
where r_2 ∈ Z^k; let v = H_2(ID, t, μ),
Figure BDA0002790781430000047
The user computes
Figure BDA0002790781430000048
and sets
Figure BDA0002790781430000049
With probability
Figure BDA00027907814300000410
the user outputs the signature (e, r).
S5. Verification algorithm (Verify)
On input (ID, (e, r), μ, t), the algorithm outputs Accept if and only if:
1)
Figure BDA00027907814300000411
2) the verifier computes C_{ID|t} from the input (ID, μ, t) and
Figure BDA00027907814300000412
Figure BDA0002790781430000051
Correctness: first, the signature is statistically indistinguishable from the distribution
Figure BDA0002790781430000052
from which
Figure BDA0002790781430000053
holds with overwhelming probability; from
Figure BDA0002790781430000054
and
Figure BDA0002790781430000055
condition 2) of Verify follows by substitution.
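The concrete checks 1) and 2) of Verify are carried in the figures above and are not reproduced here. What a practitioner should take from the SIS assumption the scheme is built on (named in the disclosure as the "small integer solution SIS hypothesis") is that a SIS-style verifier always pairs a linear relation A·e ≡ u (mod q) with a norm bound on e: the relation alone is satisfiable by anyone with Gaussian elimination over Z_q, and only the "small" requirement makes finding an acceptable e hard. The block below is an added illustration written for this page, not the patent's verifier; q = 97, n = 4, m = 8 and β = 3 are toy values chosen here, not the scheme's parameters.

```python
"""Why the 'small' in Small Integer Solution (SIS) carries the security.

Added illustration, not the patent's construction: a SIS-style verifier
accepts e only if A·e ≡ u (mod q) AND ||e|| is below a bound beta.  Without
the norm bound, anyone can satisfy the linear relation by Gaussian elimination
over Z_q, so the relation alone proves nothing.  The parameters in demo()
are toy values chosen here."""
import math
import random


def mat_vec_mod(A, e, q):
    """Compute A·e mod q for a list-of-rows matrix A and vector e."""
    return [sum(a * x for a, x in zip(row, e)) % q for row in A]


def euclid_norm(e) -> float:
    return math.sqrt(sum(x * x for x in e))


def sis_verify(A, e, u, q, beta) -> bool:
    """Accept iff A·e ≡ u (mod q) and 0 < ||e|| <= beta (the SIS relation)."""
    return mat_vec_mod(A, e, q) == [x % q for x in u] and 0 < euclid_norm(e) <= beta


def solve_mod_q(A, u, q):
    """Return some e over Z_q with A·e ≡ u (mod q), ignoring any norm bound.

    Gauss-Jordan elimination on the augmented matrix [A | u] modulo the prime
    q; free variables are set to 0.  Returns None if the system is inconsistent."""
    n, m = len(A), len(A[0])
    M = [[x % q for x in row] + [u[i] % q] for i, row in enumerate(A)]
    pivots, r = [], 0
    for c in range(m):
        if r == n:
            break
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, q)          # modular inverse, q prime
        M[r] = [(x * inv) % q for x in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][m] for i in range(r, n)):  # zero row with nonzero right-hand side
        return None
    e = [0] * m
    for i, c in enumerate(pivots):
        e[c] = M[i][m]
    return e


def demo(seed=1):
    """Honest short e passes; an arbitrary Z_q solution satisfies only the relation."""
    rng = random.Random(seed)
    q, n, m, beta = 97, 4, 8, 3.0            # toy parameters, constructed here
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e_short = [rng.choice([-1, 0, 1]) for _ in range(m)]  # constructed short vector
    if not any(e_short):
        e_short[0] = 1
    u = mat_vec_mod(A, e_short, q)
    e_any = solve_mod_q(A, u, q)             # satisfies A·e ≡ u but is not short
    return (sis_verify(A, e_short, u, q, beta),
            mat_vec_mod(A, e_any, q) == u,
            sis_verify(A, e_any, u, q, beta))
```

Running demo() returns (True, True, False): the honest short vector is accepted, the elimination solution satisfies the same linear relation, and it is rejected only because of the norm bound. A verifier that dropped or loosened that bound would accept any such solution.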
Compared with the prior art, the invention has the following beneficial effects:
1. A certificateless digital signature scheme based on random lattices that is provably secure in the standard model is provided;
2. the certificateless signature is combined with forward security based on random lattices to construct a lattice-based forward-secure certificateless signature scheme;
3. without introducing a third-party agent, the key leakage and key escrow problems are solved simultaneously based on random lattices;
4. using the small integer solution (SIS) assumption, a certificateless digital signature scheme that is strongly unforgeable and forward-secure under adaptive chosen-message and chosen-identity attacks in the standard model is realized;
5. two types of adversaries, a malicious key generation center and dishonest signing users, are considered in the lattice-based forward-secure certificateless signature scheme, and the proposed signature scheme is proved strongly unforgeable against both types in the standard model.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic view of the overall structure of the present invention;
fig. 2 is a schematic diagram of an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1
As shown in FIGS. 1 and 2, the present invention provides a lattice-based forward-secure certificateless digital signature scheme composed of five polynomial-time algorithms:
S1. System setup (Setup)
Let the security parameter be n, real numbers M > 0 and α > 0, positive integers k, b, d, l, T, a prime q > 3, m > 5n log q, and upper bound
Figure BDA0002790781430000061
Choose two collision-resistant hash functions
H_1: {0,1}* → {0,1}^d and H_2: {0,1}* × {0,1}* → {0,1}^l; let the 2Td matrices
Figure BDA0002790781430000062
where D^{m×m} is the set of small-norm invertible matrices over Z_q, i ∈ [0, d-1], j ∈ [1, T], b ∈ {0,1};
The key generation center KGC runs the polynomial-time algorithm TrapGen(n, q, m) to obtain a near-uniform random matrix
Figure BDA0002790781430000063
and a basis T_A ∈ Z^{m×m} of the integer lattice Λ(A)
Figure BDA0002790781430000064
with ||T_A|| ≤ O(n log q); let the Gaussian parameter
Figure BDA0002790781430000065
and the parameter sequence σ_0, σ_1, ..., σ_T, where σ_0 = O(log m) and σ_i ≥ m^{3i/2} ω^i log^{2i+1} m; set the discrete Gaussian distribution parameter
Figure BDA0002790781430000066
set the uniformly random small-norm matrices
Figure BDA0002790781430000067
The public parameters are
Figure BDA0002790781430000068
and the master key is MSK = {T_A}.
S2. Key extraction (KeyExtract)
Given PP and ID, and taking t_0 = 1 as the starting time, the KGC computes H = H_1(ID|t_0),
Figure BDA0002790781430000069
From the master key the KGC can compute
Figure BDA00027907814300000610
to obtain
Figure BDA00027907814300000611
a short basis of
Figure BDA00027907814300000612
and obtains
Figure BDA00027907814300000613
with
Figure BDA0002790781430000071
It sends
Figure BDA0002790781430000072
to the user as the partial private key;
the user verifies that
Figure BDA0002790781430000073
and
Figure BDA0002790781430000074
then obtains from TrapGen(n, q, m) a near-uniform random matrix
Figure BDA0002790781430000075
and a basis T_B ∈ Z^{m×m} of the integer lattice Λ(B); computes
Figure BDA0002790781430000076
and thereby, from
Figure BDA0002790781430000077
obtains
Figure BDA0002790781430000078
and the basis of the corresponding integer lattice
Figure BDA0002790781430000079
as the secret value. The user's private key is
Figure BDA00027907814300000710
The root matrix B and the basis T_B are then deleted.
S3. Key update (KeyUpdate)
Suppose the user holds the public and private keys for time t_j and wishes to update them to the keys for time t_i, t_i > t_j. First, the KGC computes H = H_1(ID|t_i) and
Figure BDA00027907814300000711
then obtains, using the ExtBasis and SamplePre algorithms,
Figure BDA00027907814300000712
which it sends to the user as the partial private key;
Figure BDA00027907814300000713
S4. Signing algorithm (Sign)
Input the user's public key
Figure BDA00027907814300000714
private key
Figure BDA00027907814300000715
and the message to be signed μ ∈ {0,1}*.
The user randomly selects vectors
Figure BDA00027907814300000716
where r_2 ∈ Z^k; let v = H_2(ID, t, μ),
Figure BDA00027907814300000717
The user computes
Figure BDA00027907814300000718
and sets
Figure BDA0002790781430000081
With probability
Figure BDA0002790781430000082
the user outputs the signature (e, r).
S5. Verification algorithm (Verify)
On input (ID, (e, r), μ, t), the algorithm outputs Accept if and only if:
1)
Figure BDA0002790781430000083
2) the verifier computes C_{ID|t} from the input (ID, μ, t) and
Figure BDA0002790781430000084
Figure BDA0002790781430000085
Correctness: first, the signature is statistically indistinguishable from the distribution
Figure BDA0002790781430000086
from which
Figure BDA0002790781430000087
holds with overwhelming probability; from
Figure BDA0002790781430000088
and
Figure BDA0002790781430000089
condition 2) of Verify follows by substitution.
Security analysis
This section proves the forward security and existential unforgeability of the proposed scheme in the standard model under the SIS assumption. A Type I strong adversary plays the role of an external attacker, and a Type II strong adversary plays the role of a malicious KGC (key generation center) that forges signatures.
The existential unforgeability of the proposed signature scheme against Type I strong adversaries rests on the
Figure BDA00027907814300000810
assumption. If a Type I strong adversary
Figure BDA00027907814300000811
can, in polynomial time
Figure BDA00027907814300000812
forge a signature of the scheme with non-negligible probability, then there is a polynomial-time algorithm
Figure BDA00027907814300000813
that in time at most
Figure BDA00027907814300000814
solves, with probability ε ≥ (1 − 2^{−ω log m})/(TQ), the
Figure BDA00027907814300000815
problem.
The existential unforgeability of the proposed signature scheme against Type II strong adversaries rests on the
Figure BDA0002790781430000091
assumption. If a Type II strong adversary
Figure BDA0002790781430000092
can, in polynomial time
Figure BDA0002790781430000093
forge a signature of the scheme with non-negligible probability, then there is a polynomial-time algorithm
Figure BDA0002790781430000094
that in time at most
Figure BDA0002790781430000095
solves, with probability ε ≥ (1 − 2^{−ω log m})/(TQ), the
Figure BDA0002790781430000096
problem.
In addition, the signature scheme proposed by the present invention is forward-secure in the standard model. The reason is as follows. As the concrete construction shows, the user's public and private keys are generated jointly by the KGC and the user. The part of the private key generated by the KGC depends on the master key T_A and on the value H_1(ID|t) at the current time t. By the collision resistance of H_1, an external adversary who does not know T_A and wants to obtain the partial private key at a time t' < t
Figure BDA0002790781430000097
faces a task no easier than solving the
Figure BDA0002790781430000098
problem. Meanwhile, the user's secret value is a basis of the integer lattice corresponding to the user's public key and is generated by the algorithm
Figure BDA00027907814300000913
By Definition 4, even if a malicious KGC or an external adversary obtains the secret value at time t,
Figure BDA0002790781430000099
it cannot obtain, for any time t' < t,
Figure BDA00027907814300000910
Likewise, for an adversary who does not know
Figure BDA00027907814300000911
forging v_2 is no easier than solving the
Figure BDA00027907814300000912
problem. Since the probability of solving the SIS problem is negligible, the scheme achieves forward security against key leakage for both external adversaries and a malicious KGC.
The patent application closest to the present scheme is the post-quantum secure certificateless signcryption method on lattices, patent No. CN201910519022.1.
The present invention is novel because the above patent application does not disclose the technical features of certificateless signature, forward security, standard model, small integer solution (SIS), key update without third-party participation, strong forward security and unforgeability, dishonest signing users, and so on.
The present invention differs from the closest comparison documents in that:
Comparison scheme: post-quantum secure certificateless signcryption method on lattices, patent No. CN201910519022.1
That scheme constructs a post-quantum secure lattice-based certificateless signcryption method using the ideas of certificateless signcryption and lattice-based cryptography. Compared with certificateless signature methods under the finite-field and elliptic-curve discrete logarithm assumptions, it has the advantages of resisting quantum computing attacks and higher computational efficiency. It overcomes the certificate management and key escrow problems, offers resistance to quantum computing attacks and high operating efficiency, and is applicable to the field of electronic signcryption.
1. The comparison scheme constructs a certificateless signcryption scheme on random lattices, whereas the present scheme constructs a certificateless signature scheme on random lattices;
2. the comparison scheme does not consider the forward security problem caused by key leakage, unlike the scheme of the invention;
3. the comparison scheme does not consider strong unforgeability of the signature in the standard model, unlike the present scheme;
4. the comparison scheme does not consider the two adversary types, a malicious KGC key generation center and dishonest signing users, unlike the present scheme.
Description of the invention
Current certificateless signature schemes have three problems: 1) existing lattice-based, post-quantum-secure certificateless signature schemes are proven secure only in the random oracle model, so system security in practical applications cannot be guaranteed; 2) the security proofs of existing certificateless signature schemes mainly consider external adversaries and a malicious key generation center, but offer insufficient resistance to threats from dishonest signing users; 3) current certificateless signature schemes cannot solve the key leakage problem without introducing a third-party agent. Addressing these three main problems, the invention uses lattice-based delegation techniques over random lattices to design the first forward-secure certificateless signature scheme whose security is guaranteed in the standard model. Specifically, against dishonest users and internal malicious KGC attackers, the proposed signature scheme meets the requirements of forward security and strong unforgeability; forward security and the certificateless setting are combined over random lattices, solving the key leakage and key escrow problems simultaneously without introducing a third-party agent while achieving post-quantum security; and the scheme of the invention is the first certificateless lattice-based signature scheme provably secure in the standard model.
The invention suits mobile environments such as the mobile internet, where mobile terminals such as mobile phones are used in large numbers and, once a mobile device is attacked, the user's signing key stored on the device is easily stolen owing to insecure user behavior; that is, the key leakage problem exists. In addition, the scheme can be applied to scenarios involving identity management services, such as heterogeneous cyberspace, heterogeneous identity alliances, blockchains, cloud storage, electronic medical record systems and the internet of things, where digital signatures solve the identity authentication problem, meet the requirement for post-quantum security, and realize an efficient forward-secure lattice-based certificateless signature method. The forward-secure certificateless digital signature method provided by the invention can also supplement the identity authentication support of other identity management, data access control or secure sharing schemes.
Application examples
As shown in FIG. 1, application scenario 1: digital signatures and blockchain (applying the forward security of the present invention)
In a blockchain, digital signature technology comprises two algorithms, signing and verification. A digital signature makes a file more secure, and pairing signatures with the blockchain system yields a higher level of security. Digital signatures are used for signature verification when a transaction is sent in a blockchain, whether Bitcoin, Ethereum, Hyperledger Fabric or others. The digital signature in a blockchain is an anti-counterfeiting string generated only by the sending party of a blockchain transfer. By verifying this string one confirms, on the one hand, that the transaction was initiated by the sender and, on the other hand, that the transaction information has not been altered in transit. The security of traditional digital signature schemes depends on the security of the user key: once the key is leaked, the security of the signature can no longer be ensured. Using the forward-secure certificateless lattice-based digital signature scheme provided by the invention, the forward security problem of key leakage can be solved effectively, improving the security and reliability of digital signatures in a blockchain system.
As shown in FIG. 2, application scenario 2: identity authentication and secure digital signatures in the internet of things environment (applying the certificateless property of the present invention)
In the internet of things environment, a node is often required to produce a secure digital signature in order to authenticate the identity of a user or node. If a traditional signature scheme is realized with certificates, higher demands are placed on certificate management, and for a dynamic network such as the internet of things, managing node certificates in the system brings a heavier load; if it is realized with identity-based cryptography, the KGC is responsible for generating the node's key, which introduces the key escrow problem and reduces the overall security of the system.
Both problems can be solved effectively with a certificateless cryptographic scheme: the KGC is responsible for generating part of the key and the node/user generates the other part, so the KGC cannot leak the key and harm the node's key security. The scheme of the invention provides a certificateless signature scheme suited to the internet of things environment, and besides being certificateless, its forward security also addresses the signature security problem caused by node key leakage in the internet of things. In addition, because the scheme is constructed over random lattices and the small integer solution (SIS) problem, the signature scheme effectively resists quantum attacks and achieves post-quantum security.
Compared with the prior art, the invention has the following beneficial effects:
the certificateless public key cryptosystem combines the advantages of two public key cryptosystems of a certificate and an identity base: on one hand, the public key can be authenticated without a certificate, and on the other hand, the problem of key escrow does not exist. Although the certificateless public key cryptosystem has obvious advantages, the certificateless public key cryptosystem can be realized only by means of a secret Key Generation Center (KGC) in the process of identity authentication, but different from the identity public key cryptosystem, KGC only provides a part of private keys for users, and the other part of private keys are generated by data information values given by the users, so that the complete private keys are only known by the users. Thus, true non-repudiation can be achieved without the need for key escrow. Specifically, the existing scheme mainly has the problems of quantum attack resistance, secret key leakage resistance, random prediction model base and the like.
Aiming at the problems, the invention provides a certificateless signature scheme meeting the requirement of key leakage forward security based on the lattice-based delegation technology, and provides a specific structure of the scheme under a standard model. The random lattice is used for scheme construction, the rear quantum security is realized, and meanwhile, the scheme can meet the requirements of strong forward security and unforgeability under the attack of adaptive selection messages by selecting identities for two strong enemies under a standard model. The signature scheme under the standard model provided by the invention has good safety and practicability.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (1)

1. A lattice-based forward-secure certificateless digital signature scheme, characterized in that it comprises five polynomial-time algorithms:
S1. System setup (Setup)
Let the security parameter be n, real numbers M > 0 and α > 0, positive integers k, b, d, l, T, a prime q > 3, m > 5n log q, and upper bound
Figure FDA0002790781420000011
Choose two collision-resistant hash functions
H_1: {0,1}* → {0,1}^d and H_2: {0,1}* × {0,1}* → {0,1}^l; let the 2Td matrices
Figure FDA0002790781420000012
where D^{m×m} is the set of small-norm invertible matrices over Z_q, i ∈ [0, d-1], j ∈ [1, T], b ∈ {0,1};
The key generation center KGC runs the polynomial-time algorithm TrapGen(n, q, m) to obtain a near-uniform random matrix
Figure FDA0002790781420000013
and a basis T_A ∈ Z^{m×m} of the integer lattice Λ(A)
Figure FDA0002790781420000014
with ||T_A|| ≤ O(n log q); let the Gaussian parameter
Figure FDA0002790781420000015
and the parameter sequence σ_0, σ_1, ..., σ_T, where σ_0 = O(log m) and σ_i ≥ m^{3i/2} ω^i log^{2i+1} m; set the discrete Gaussian distribution parameter
Figure FDA0002790781420000016
set the uniformly random small-norm matrices
Figure FDA0002790781420000017
for i ∈ [1, d];
Figure FDA0002790781420000018
for i ∈ [1, l]. The public parameters are
Figure FDA0002790781420000019
and the master key is MSK = {T_A}.
S2. Key extraction (KeyExtract)
Given PP and ID, and taking t_0 = 1 as the starting time, the KGC computes H = H_1(ID|t_0),
Figure FDA00027907814200000110
From the master key the KGC can compute
Figure FDA00027907814200000111
to obtain
Figure FDA00027907814200000112
a short basis of
Figure FDA00027907814200000113
and obtains
Figure FDA00027907814200000114
with
Figure FDA00027907814200000115
It sends
Figure FDA00027907814200000116
to the user as the partial private key;
the user verifies that
Figure FDA0002790781420000021
and
Figure FDA0002790781420000022
then obtains from TrapGen(n, q, m) a near-uniform random matrix
Figure FDA0002790781420000023
and a basis T_B ∈ Z^{m×m} of the integer lattice Λ(B); computes
Figure FDA0002790781420000024
and thereby, from
Figure FDA0002790781420000025
obtains
Figure FDA0002790781420000026
and the basis of the corresponding integer lattice
Figure FDA0002790781420000027
as the secret value. The user's private key is
Figure FDA0002790781420000028
The root matrix B and the basis T_B are then deleted.
S3, key update KeyUpdate
Let the user hold the public and private keys for time t_j and wish to update them to the keys for time t_i, t_i > t_j; first, KGC computes H = H_1(ID|t_i) and
Figure FDA0002790781420000029
then obtains, via the ExtBasis and SamplePre algorithms,
Figure FDA00027907814200000210
as the user's partial private key;
Figure FDA00027907814200000211
S4, signing algorithm Sign
Input the user's public key
Figure FDA00027907814200000212
private key
Figure FDA00027907814200000213
and the message to be signed μ ∈ {0,1}^*;
the user randomly selects vectors
Figure FDA00027907814200000214
where r_2 ∈ Z^k; let v = H_2(ID, t, μ),
Figure FDA00027907814200000215
the user computes
Figure FDA00027907814200000216
and sets
Figure FDA0002790781420000031
with probability
Figure FDA0002790781420000032
outputs the signature (e, r);
S5, verification algorithm Verify
Input (ID, (e, r), μ, t); the algorithm outputs Accept if and only if:
1)
Figure FDA0002790781420000033
2) on input (ID, μ, t), the verifier computes C_{ID|t} and
Figure FDA0002790781420000034
Figure FDA0002790781420000035
Correctness: first, the signature is statistically indistinguishable from the distribution
Figure FDA0002790781420000036
so that
Figure FDA0002790781420000037
holds with overwhelming probability; by
Figure FDA0002790781420000039
and
Figure FDA0002790781420000038
it can be substituted into Verify 2).
CN202011314124.9A 2020-11-20 2020-11-20 Lattice-based forward security certificateless digital signature scheme Pending CN112380579A (en)

Publications (1)

Publication Number Publication Date
CN112380579A true CN112380579A (en) 2021-02-19

Family

ID=74587253

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079024A (en) * 2021-03-31 2021-07-06 西安邮电大学 Certificateless proxy signcryption method on lattice
CN113505396A (en) * 2021-07-09 2021-10-15 安徽大学 Identity-based forward security ring signature method
CN113505396B (en) * 2021-07-09 2024-02-13 安徽大学 Forward security ring signature method based on identity
CN115021889A (en) * 2022-06-18 2022-09-06 曲阜师范大学 Strong forward safety signature method based on identity on lattice

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210219