CN112910649A - Dilithium algorithm implementation method and device - Google Patents
Dilithium algorithm implementation method and device Download PDFInfo
- Publication number
- CN112910649A CN112910649A CN201911230381.1A CN201911230381A CN112910649A CN 112910649 A CN112910649 A CN 112910649A CN 201911230381 A CN201911230381 A CN 201911230381A CN 112910649 A CN112910649 A CN 112910649A
- Authority
- CN
- China
- Prior art keywords
- calculating
- signature
- module
- sub
- dilithium
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Collating Specific Patterns (AREA)
Abstract
The invention discloses a method and a device for realizing a Dilithium algorithm, wherein the method comprises the following steps: selecting parameters of a Dilithium algorithm, the parameters including n, c, k, l, d, omega, eta, beta, q, gamma1、γ2Where n is 256, c is 60, k is 5, l is 4, d is 14, ω is 96, η is 3, β is 175, q is a 22-bit prime number and q is 1mod 512; gamma ray1Is satisfied with [ log ]2(2(γ1‑β)‑1)]=18,γ2Is an integer greater than 245760 and divided by (q-1); and generating a signature key pair according to the parameters and the Dilithium algorithm, and signing the message M. The embodiment of the invention can reduce the length of the key pair and the length of the signature while ensuring the safety by selecting the proper parameters and generating the signature key pair and signing the message M by utilizing the selected parameters and the Dilithium algorithm, thereby realizing the high efficiency and the safety of the Dilithium algorithm.
Description
Technical Field
The invention relates to the field of data signatures, in particular to a method and a device for realizing a Dilithium algorithm.
Background
With the development of quantum computers, traditional digital signature algorithms such as an asymmetric encryption algorithm RSA and an elliptic curve-based digital signature algorithm ECDSA face the risk of being cracked. Dilithium is a digital signature algorithm based on a pattern, the algorithm involves a plurality of parameters, and different choices of the parameters have great influence on the safety and the related efficiency of the algorithm; in the prior art, a method for randomly selecting parameters is generally adopted, so that the high efficiency and the safety of the Dilithium algorithm are difficult to ensure, and although the prior art also has recommended 128-quantum-bit-safe parameters, the problems still exist.
Disclosure of Invention
In view of the above problems, the present invention proposes a method and apparatus for implementing a Dilithium algorithm so as to provide a solution to the above problems or at least partially solve the above problems.
In order to achieve the above object, the present invention provides a method for implementing Dilithium algorithm, including:
selecting parameters of a Dilithium algorithm, the parameters including n, c, k, l, d, omega, eta, beta, q, gamma1、γ2Where n is 256, c is 60, k is 5, l is 4, d is 14, ω is 96, η is 3, β is 175, q is a 22-bit prime number and q is 1mod 512; gamma ray1Satisfy the requirement of
γ2Is an integer greater than 245760 and divided by (q-1);
and generating a signature key pair according to the parameters and the Dilithium algorithm, and signing the message M.
Optionally, said q is 2101249, said γ1131072, said γ2262656; or, q is 3072001, γ1131072, said γ2256000; or, q is 3686401, γ1131072, said γ2245760; or, q is 3870721, γ1131072, said γ2=258048。
Optionally, the method further comprises:
and verifying the received message M and the signature, wherein the signature is signed by adopting the implementation method of the Dilithium algorithm described in any example above.
Optionally, the step of generating a signature key pair according to the parameter and the Dilithium algorithm, and signing the message M includes:
computing ρ ← {0, 1 })256;
Compute K ← {0,1}256;
computing
Computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Return (pk ═ p, t)1),sk=(ρ,K,tr,s1,s2,t0) ); wherein pk is a private key and sk is a public key;
computing
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; the following processes are executed in a loop:
computing
Calculating w: ay;
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1);
And calculating z: y + cs1;
Calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
If | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
If, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
Optionally, the step of generating a signature key pair according to the parameter and the Dilithium algorithm, and signing the message M includes:
computing ρ ← {0, 1 })256;
Computing K ← {0, 1 })256;
Computing
Computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Return (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; the following processes are executed in a loop:
computing
Calculating w: ay;
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1);
And calculating z: y + cs1;
Calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
If | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
If, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
Optionally, the step of verifying the received message M and the signature includes:
computing
Calculate μ e {0, 1}384:=CRH(CRH(ρ||t1)||M);
Calculate w'1:=UseHintq(h,Az-ct1·2d,2γ2);
Return to
And
and the number of bits 1 in h is less than or equal to ω.
The invention also provides a device for realizing the Dilithium algorithm, which comprises:
a parameter selection module for selecting parameters of Dilithium algorithm, wherein the parameters comprise n, c, k, l, d, omega, eta, beta, q, gamma1、γ2Where n is 256, c is 60, k is 5, l is 4, d is 14, ω is 96, η is 3, β is 175, q is a 22-bit prime number and q is 1mod 512; gamma ray1Satisfy the requirement of
γ2Is an integer greater than 245760 and divided by (q-1);
and the signature module is used for generating a signature key pair according to the parameters and the Dilithium algorithm and signing the message M.
Optionally, said q is 2101249, said γ1131072, said γ2262656; or, q is 3072001, γ1131072, said γ2256000; or, q is 3686401, γ1131072, said γ2245760; or, q is 3870721, γ1131072, said γ2=258048。
Optionally, the apparatus further comprises:
and the signature verification module is used for verifying the signature of the received message M and the signature, and the signature is signed through the implementation device of the Dilithium algorithm in any example.
Optionally, the signature module includes:
a first sub-module for key generation, for computing ρ ← {0, 1 })256;
A second sub-module for key generation, for computing K ← {0, 1 })256;
A third sub-module for key generation for calculation
A fourth submodule of key generation for calculating
A fifth sub-module for key generation, configured to calculate t: as ═ As1+s2;
A sixth submodule of key generation for calculating (t)1,t0):=Power2Roundq(t,d);
A seventh sub-module for key generation for returning (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
a first sub-module of signature for calculating
A signature second sub-module for calculating t: as ═ As1+s2;
Signature third submodule for calculating (t)1,t0):=Power2Roundq(t,d);
Signature fourth submodule for calculating tr e {0, 1}384:=CRH(ρ||t1);
A signature fifth sub-module for calculating μ e {0, 1}384:=CRH(tr||M);
A signature sixth sub-module for calculating k: 0, (z, h): t is ═ T;
a seventh sub-module of signature for calculating ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
an eighth signature submodule, configured to determine when (z, h) ═ t; the following processes are executed in a loop:
ninth sub-module of signature for calculating
A tenth sub-module of signature for calculating w: ay;
an eleventh sub-module for signature for calculating w1:=HighBitsq(w,2γ2);
A twelfth sub-module of signature for calculating c e B60:=H(μ||w1);
A signature thirteenth sub-module for calculating z: y + cs1;
Signature fourteenth submodule for calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
A fifteenth sub-module of signature for counting the luminance if | | | z | | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
A sixteenth sub-module for signing if | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
a signature seventeenth sub-module for returning σ ═ (z, h, c); wherein, σ is a digital signature result.
According to the method and the device for realizing the Dilithium algorithm, provided by the embodiment of the invention, the appropriate parameters are selected, the selected parameters and the Dilithium algorithm are utilized to generate the signature key pair and sign the message M, so that the length of the key pair and the length of the signature can be reduced while the safety is ensured, and the high efficiency and the safety of the Dilithium algorithm are realized.
Drawings
FIG. 1 is a flowchart illustrating steps of a method for implementing Dilithium algorithm according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating steps of a method for implementing Dilithium algorithm according to another embodiment of the present invention;
fig. 3 is a block diagram of an apparatus for implementing Dilithium algorithm according to an embodiment of the present invention;
fig. 4 is a block diagram of an apparatus for implementing the Dilithium algorithm according to another embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, an embodiment of the present invention provides a method for implementing a Dilithium algorithm, which is applied to an intelligent electronic device, such as a computer, a notebook computer, a smart phone, a tablet computer, and the like; the method comprises the following steps:
and 102, generating a signature key pair according to the parameters and the Dilithium algorithm, and signing the message M.
As described in step 101, the intelligent electronic device is a signature end when signing, and is a signature verification end when verifying a signature. When the intelligent electronic device signs the message M based on the Dilithium algorithm as a signature end, firstly, parameters of the Dilithium algorithm are selected, wherein the parameters comprise n, c, k, l, d, omega, eta, beta, q and gamma1、γ2And n is determined to be 256, c is 60, k is 5, l is 4, d is 14, ω is 96, η is 3, β is 175, and q is selected to be 22-ratioA specific prime number and q is 1mod 512; gamma ray1Satisfy [ log ]2(2(γ1-β)-1)]18, preferably, γ1Or easily from (- (gamma))1-1),(γ1-1)) randomly selected data; gamma ray2Is an integer greater than 245760 and divided by (q-1) and γ2The quotient of the integer divide (q-1) is within a preset range, which may be less than 15, or which may be greater than 8 and less than 15, and so on. The selection of the parameters can ensure that the lengths of the generated key pair and the signature are kept within a small value range, so that the transmission and calculation efficiency of the signature algorithm is improved.
As shown in step 102 above, a signing key pair is generated from the parameters and the Dilithium algorithm, and the message M is signed. Specifically, in one example, the selected parameters may be substituted into the key generation function and the signature function of the Dilithium algorithm, so as to generate a signature key pair and sign the message M. In another example, the key generation function and the signature function of the Dilithium algorithm may be modified, and then the selected parameters are substituted into the key generation function and the signature function of the modified Dilithium algorithm, so as to generate a signature key pair and sign the message M.
Specifically, in one example, the step of generating a signature key pair according to the parameter and the Dilithium algorithm and signing the message M includes using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and the following steps are carried out:
computing ρ ← {0, 1 })256;
Computing K ← {0, 1 })256;
Computing
Computing
Wherein A is generated and stored in the mathematical transformation NTT as
And calculating t: as ═ As1+s2(ii) a Wherein the content of the first and second substances,
calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Return (pk ═ p, t)1),sk=(ρ,K,tr,s1,s2,t0) ); wherein pk is a private key and sk is a public key;
computing
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; precomputation
And
and circularly executing the following processes:
computing
Calculating w: ay; wherein the content of the first and second substances,
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1) (ii) a Wherein c is stored as
B60Is more than 2256An element of (1);
and calculating z: y + cs1(ii) a Wherein the content of the first and second substances,
calculating (r)1,r0):=Decomposeq(w-cs2,2γ2) (ii) a Wherein the content of the first and second substances,
if | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2) (ii) a Wherein the content of the first and second substances,
if, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
In this example, after determining the parameters n 256, c 60, k 5, l 4, d 14, ω 96, η 3, β 175, the parameters q 2101249, γ may be selected1=131072,γ2262656; or the parameter q is selected to be 3072001, gamma1=131072,γ2256000; or the parameter q is selected to be 3686401, gamma1=131072,γ2245760; or the parameter q is selected to be 3870721, gamma1=131072,γ2258048. Experiments prove that proper parameters q and gamma are selected1Can be made ofThe length of the generated key pair and the signature result is effectively reduced; by selecting the appropriate parameter gamma2The safety factor of the signature algorithm can be improved. Specifically, compared with the result of implementing the 128-qubit secure parameter recommended by the Dilithium algorithm in the prior art, the steps of generating the signature key pair and signing the message M are executed by using the enumerated parameter values, so that the public key is reduced by 150 bytes, the signature is reduced by 256 bytes, and the private key is reduced by 2576 bytes; and the safety is higher than the safety of the parameter realization recommended by the Dilithium algorithm in the prior art and is safe for 128 quanta.
In another example, the step of generating a signature key pair in dependence on the parameter and the Dilithium algorithm, and signing the message M, comprises using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and the following steps are carried out:
computing ρ ← {0, 1 })256;
Computing K ← {0, 1 })256;
Computing
Computing
Wherein A is generated and stored in the mathematical transformation NTT as
And calculating t: as ═ As1+s2(ii) a Wherein the content of the first and second substances,
calculating (t)1,t0):=Power2Roundq(t,d);
Return (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; precomputation
And
and circularly executing the following processes:
computing
Calculating w: ay; wherein the content of the first and second substances,
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1) (ii) a Wherein c is stored as
And calculating z: y + cs1(ii) a Wherein the content of the first and second substances,
calculating (r)1,r0):=Decomposeq(w-cs2,2γ2) (ii) a Wherein the content of the first and second substances,
if | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2) (ii) a Wherein the content of the first and second substances,
if, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
This example compares to the previous example, in generating the key pair, the generated private key sk does not contain tr and t0Therefore, the present example can further reduce the length of the key pair while ensuring the security of the algorithm, compared to the above example.
Further, referring to fig. 2, in another embodiment of the present invention, the method further includes:
As described in step 103, when the smart electronic device is used as a signature to verify a signature signed based on the Dilithium algorithm, a signature verification function based on the Dilithium algorithm may be used to implement a signature verification process.
Specifically, the step of verifying the received message M and the signature includes:
computing
Calculate μ e {0, 1}384:=CRH(CRH(ρ||t1)||M);
Calculate w'1:=UseHintq(h,Az-ct1·2d,2γ2) (ii) a Wherein the content of the first and second substances,
return to
And
the number of bits 1 in the sum h is less than or equal to omega; the returned result is the signature checking result.
According to the implementation method of the Dilithium algorithm provided by the embodiment of the invention, the proper parameters are selected, the selected parameters and the Dilithium algorithm are utilized to generate the signature key pair and sign the message M, the length of the key pair and the signature length can be reduced while the safety is ensured, and the high efficiency and the safety of the Dilithium algorithm are realized.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 3, an embodiment of the present invention further provides an apparatus for implementing a Dilithium algorithm, including:
a parameter selection module 201 for selecting parameters of Dilithium algorithm, the parameters including n, c, k, l, d, ω, η, β, q, γ1、γ2Wherein n ═256, c is 60, k is 5, l is 4, d is 14, ω is 96, η is 3, β is 175, q is a 22-bit prime number and q is 1mod 512; gamma ray1Satisfy [ log ]2(2(γ1-β)-1)]=18,γ2Is an integer greater than 245760 and divided by (q-1);
and the signature module 202 is configured to generate a signature key pair according to the parameter and the Dilithium algorithm, and sign the message M.
In an alternative embodiment, q is 2101249 and γ is1131072, said γ2262656; or, q is 3072001, γ1131072, said γ2256000; or, q is 3686401, γ1131072, said γ2245760; or, q is 3870721, γ1131072, said γ2=258048。
Further, as shown in fig. 4, in another embodiment, the apparatus further includes:
and a signature verification module 203 for verifying the received message M and the signature, wherein the signature is signed by the parameter selection module 201 and the signature module 202 as described in any of the above examples.
In an alternative example, the signature module 202 includes using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and includes the following sub-modules:
first key generation first submodule for computing ρ ← {0, 1}256;
The first key generation second sub-module, used to compute K ← {0, 1 })256;
A third sub-module for generating the first key
A fourth sub-module for generating the first key
A fifth sub-module for first key generationAnd calculating t: as ═ As1+s2;
A sixth submodule of first key generation for calculating (t)1,t0):=Power2Roundq(t,d);
A seventh sub-module for first key generation, for calculating tr e {0, 1}384:=CRH(ρ||t1);
The first key generation eighth submodule for returning (pk ═ p, t)1),sk=(ρ,K,tr,s1,s2,t0) ); wherein pk is a private key and sk is a public key;
first signature first submodule for calculating
A first signature second submodule for calculating μ e {0, 1}384:=CRH(tr||M);
A third sub-module of the first signature, for calculating k: 0, (z, h): t is ═ T;
a first signature fourth sub-module for calculating p' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
a first signature fifth sub-module, configured to determine when (z, h) ═ t; precomputation
And
and circularly executing the following sub-modules:
a sixth submodule of the first signature for calculating
A first signature seventh submodule for calculating w: ay;
a first signature eighth submodule for calculating w1:=HighBitsq(w,2γ2);
A ninth sub-module of the first signature for calculating c e B60:=H(μ||w1);
A first signature tenth submodule for calculating z: y + cs1;
A first signature eleventh submodule for calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
A twelfth sub-module of the first signature for counting Y if Z Y is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
A thirteenth sub-module for first signature if, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
a first signature fourteenth submodule for returning σ ═ (z, h, c); wherein, σ is a digital signature result.
In another alternative example, the signature module 202 includes using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and includes the following sub-modules:
a first sub-module for key generation, for computing ρ ← {0, 1 })256;
A second sub-module for key generation, for computing K ← {0, 1 })256;
A third sub-module for key generation for calculation
A fourth submodule of key generation for calculating
A fifth sub-module for key generation, configured to calculate t: as ═ As1+s2;
A sixth submodule of key generation for calculating (t)1,t0):=Power2Roundq(t,d);
A seventh sub-module for key generation for returning (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
a first sub-module of signature for calculating
A signature second sub-module for calculating t: as ═ As1+s2;
Signature third submodule for calculating (t)1,t0):=Power2Roundq(t,d);
Signature fourth submodule for calculating tr e {0, 1}384:=CRH(ρ||t1);
A signature fifth sub-module for calculating μ e {0, 1}384:=CRH(tr||M);
A signature sixth sub-module for calculating k: 0, (z, h): t is ═ T;
a seventh sub-module of signature for calculating ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
an eighth signature submodule, configured to determine when (z, h) ═ t; precomputation
And
and circularly executing the following sub-modules:
signature ninth sub-moduleFor calculating
A tenth sub-module of signature for calculating w: ay;
an eleventh sub-module for signature for calculating w1:=HighBitsq(w,2γ2);
A twelfth sub-module of signature for calculating c e B60:=H(μ||w1);
A signature thirteenth sub-module for calculating z: y + cs1;
Signature fourteenth submodule for calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
A fifteenth sub-module of signature for counting the luminance if | | | z | | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
A sixteenth sub-module for signing if | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
a signature seventeenth sub-module for returning σ ═ (z, h, c); wherein, σ is a digital signature result.
Optionally, the signature verification module 203 includes:
a first sub-module for calculating
A second sub-module for signature verification, for calculating μ e {0, 1}384:=CRH(CRH(ρ||t1)||M);
A third sub-module for calculating w'1:=UseHintq(h,Az-ct1·2d,2γ2);
A fourth sub-module for returning
And
and the number of bits 1 in h is less than or equal to ω.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. A method for implementing Dilithium algorithm is characterized by comprising the following steps:
selecting parameters of a Dilithium algorithm, the parameters comprising n, c, k,
d、ω、η、β、q、γ1、γ2Where n is 256, c is 60, k is 5,
d is 14, ω is 96, η is 3, β is 175, q is 22-bit prime number and q is 1mod 512; gamma ray1Satisfy the requirement of
γ2Is an integer greater than 245760 and divided by (q-1);
and generating a signature key pair according to the parameters and the Dilithium algorithm, and signing the message M.
2. The method of claim 1, wherein q is 2101249 and γ is1131072, said γ2262656; or, q is 3072001, γ1131072, said γ2256000; or, q is 3686401, γ1131072, said γ2245760; or, q is 3870721, γ1131072, said γ2=258048。
3. A method of implementing the Dilithium algorithm as claimed in claim 1 or 2, further comprising:
the received message M and a signature signed using an implementation of the Dilithium algorithm as claimed in claim 1 or 2 are signed.
4. Method for implementing the Dilithium algorithm according to claim 3, wherein said step of generating a signing key pair from said parameters and said Dilithium algorithm and signing message M comprises using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and the following steps are carried out:
computing ρ ← {0, 1 })256;
Computing K ← {0, 1 })256;
Computing
Computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Return (pk ═ p, t)1),sk=(ρ,K,tr,s1,s2,t0) ); wherein pk is a private key and sk is a public key;
computing
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; the following processes are executed in a loop:
computing
Calculating w: ay;
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1);
And calculating z: y + cs1;
Calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
If | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
If, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
5. According to the claimsThe method for implementing Dilithium algorithm in claim 3, wherein the step of generating a signature key pair according to the parameter and the Dilithium algorithm and signing the message M comprises using a polynomial quotient ring R ═ Zq[X]/(Xn+ 1); and the following steps are carried out:
computing ρ ← {0, 1 })256;
Computing K ← {0, 1 })256;
Computing
Computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Return (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
computing
And calculating t: as ═ As1+s2;
Calculating (t)1,t0):=Power2Roundq(t,d);
Calculate tr ∈ {0, 1}384:=CRH(ρ||t1);
Calculate μ e {0, 1}384:=CRH(tr||M);
And calculating k: 0, (z, h): t is ═ T;
calculate ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ' ← {0, 1}384The random signature of (2);
when (z, h) ═ t; the following processes are executed in a loop:
computing
Calculating w: ay;
calculating w1:=HighBitsq(w,2γ2);
Calculating c ∈ B60:=H(μ||w1);
And calculating z: y + cs1;
Calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
If | | z | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
If, | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
return σ ═ (z, h, c); wherein, σ is a digital signature result.
6. The method of claim 5, wherein said step of signing the received message M and the signature comprises:
computing
Calculate μ e {0, 1}384:=CRH(CRH(ρ||t1)||M);
Calculate w'1:=UseHintq(h,Az-ct1·2d,2γ2);
Return to
And
and the number of bits 1 in h is less than or equal to ω.
7. An apparatus for implementing Dilithium algorithm, comprising:
a parameter selection module for selecting parameters of Dilithium algorithm, wherein the parameters comprise n, c, k,
d、ω、η、β、q、γ1、γ2Where n is 256, c is 60, k is 5,
d is 14, ω is 96, η is 3, β is 175, q is 22-bit prime number and q is 1mod 512; gamma ray1Satisfy the requirement of
γ2Is an integer greater than 245760 and divided by (q-1);
and the signature module is used for generating a signature key pair according to the parameters and the Dilithium algorithm and signing the message M.
8. The apparatus of claim 7, wherein q is 2101249 and γ is1131072, said γ2262656; or, q is 3072001, γ1131072, said γ2256000; or, q is 3686401, γ1131072, said γ2245760; or, q is 3870721, γ1131072, said γ2=258048。
9. Apparatus for implementing the Dilithium algorithm as claimed in claim 7 or 8, further comprising:
a signature verification module for verifying the received message M and the signature signed by the implementation means of the Dilithium algorithm according to claim 7 or 8.
10. The apparatus for implementing Dilithium algorithm as claimed in claim 9, wherein said signature module comprises:
a first sub-module for key generation, for computing ρ ← {0, 1 })256;
A second sub-module for key generation, for computing K ← {0, 1 })256;
A third sub-module for key generation for calculation
A fourth submodule of key generation for calculating
A fifth sub-module for key generation, configured to calculate t: as ═ As1+s2;
A sixth submodule of key generation for calculating (t)1,t0):=Power2Roundq(t,d);
A seventh sub-module for key generation for returning (pk ═ p, t)1),sk=(ρ,K,s1,s2) ); wherein pk is a private key and sk is a public key;
a first sub-module of signature for calculating
A signature second sub-module for calculating t: as ═ As1+s2;
Signature third submodule for calculating (t)1,t0):=Power2Roundq(t,d);
Signature fourth submodule for calculating tr e {0, 1}384:=CRH(ρ||t1);
A signature fifth sub-module for calculating μ e {0, 1}384:=CRH(tr||M);
A signature sixth sub-module for calculating k: 0, (z, h): t is ═ T;
a seventh sub-module of signature for calculating ρ' ∈ {0, 1}384: CHR (K | | μ), or ρ) ← {0, 1}384The random signature of (2);
an eighth signature submodule, configured to determine when (z, h) ═ t; the following sub-modules are executed in a loop:
ninth sub-module of signature for calculating
A tenth sub-module of signature for calculating w: ay;
an eleventh sub-module for signature for calculating w1:=HighBitsq(w,2γ2);
A twelfth sub-module of signature for calculating c e B60:=H(μ||w1);
A signature thirteenth sub-module for calculating z: y + cs1;
Signature fourteenth submodule for calculating (r)1,r0):=Decomposeq(w-cs2,2γ2);
A fifteenth sub-module of signature for counting the luminance if | | | z | | luminance is satisfied∞≥γ1- β, or satisfy | | | r0||∞≥γ2- β, or satisfy r1≠w1Then (z, h) is calculated: t is ═ T; otherwise, calculating h: MakeHintq(-ct0,w-cs2+ct0,2γ2);
A sixteenth sub-module for signing if | | ct is satisfied0||∞≥γ2Or the number of bits 1 in h is greater than ω, then (z, h) is calculated: ═ and k: k + 1;
a signature seventeenth sub-module for returning σ ═ (z, h, c); wherein, σ is a digital signature result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911230381.1A CN112910649A (en) | 2019-12-04 | 2019-12-04 | Dilithium algorithm implementation method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911230381.1A CN112910649A (en) | 2019-12-04 | 2019-12-04 | Dilithium algorithm implementation method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112910649A true CN112910649A (en) | 2021-06-04 |
Family
ID=76110827
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911230381.1A Pending CN112910649A (en) | 2019-12-04 | 2019-12-04 | Dilithium algorithm implementation method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112910649A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109936458A (en) * | 2019-03-18 | 2019-06-25 | 上海扈民区块链科技有限公司 | A kind of lattice digital signature method based on multiple evidence error correction |
| US10425401B1 (en) * | 2018-10-31 | 2019-09-24 | ISARA Corporation | Extensions for using a digital certificate with multiple cryptosystems |
| US20190312728A1 (en) * | 2018-04-09 | 2019-10-10 | Infineon Technologies Ag | Method and processing device for performing a lattice-based cryptographic operation |
-
2019
- 2019-12-04 CN CN201911230381.1A patent/CN112910649A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190312728A1 (en) * | 2018-04-09 | 2019-10-10 | Infineon Technologies Ag | Method and processing device for performing a lattice-based cryptographic operation |
| US10425401B1 (en) * | 2018-10-31 | 2019-09-24 | ISARA Corporation | Extensions for using a digital certificate with multiple cryptosystems |
| CN109936458A (en) * | 2019-03-18 | 2019-06-25 | 上海扈民区块链科技有限公司 | A kind of lattice digital signature method based on multiple evidence error correction |
Non-Patent Citations (1)
| Title |
|---|
| LEO DUCAS: "CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme", 《IACR CRYPTOLOGY EPRINT ARCHIVE》 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2021238527A1 (en) | Digital signature generation method and apparatus, computer device, and storage medium | |
| RU2376651C2 (en) | Using isogenies to design cryptosystems | |
| CN106664205B (en) | System and method for generating digital signature, non-transitory computer readable storage medium | |
| US9219602B2 (en) | Method and system for securely computing a base point in direct anonymous attestation | |
| CN110505067B (en) | Block chain processing method, device, equipment and readable storage medium | |
| US20130326602A1 (en) | Digital Signatures | |
| CN109064324A (en) | Method of commerce, electronic device and readable storage medium storing program for executing based on alliance's chain | |
| WO2021036086A1 (en) | Transaction data processing method, apparatus and system, and computer-readable storage medium | |
| CN112560091B (en) | Digital signature method, signature information verification method, related device and electronic equipment | |
| CN106357701A (en) | Integrity verification method for data in cloud storage | |
| CN113411188B (en) | Electronic contract signing method, electronic contract signing device, storage medium and computer equipment | |
| US20130097420A1 (en) | Verifying Implicit Certificates and Digital Signatures | |
| US20160149708A1 (en) | Electronic signature system | |
| CN111161075B (en) | Blockchain transaction data proving and supervising method, system and related equipment | |
| CN111245626B (en) | Zero knowledge proving method, device and storage medium | |
| CN114640463B (en) | Digital signature method, computer equipment and medium | |
| KR102070061B1 (en) | Batch verification method and apparatus thereof | |
| CN112910649A (en) | Dilithium algorithm implementation method and device | |
| US11616994B2 (en) | Embedding information in elliptic curve base point | |
| CN115118433A (en) | Client authorization method and device, privacy protection set intersection calculation method and device | |
| TWI555370B (en) | Digital signature method | |
| CN103973446B (en) | For verifying method and the data handling equipment of electronic signature | |
| CN112837064A (en) | Signature method, signature verification method and device of alliance chain | |
| CN111327423A (en) | Examination and approval device and method based on ordered multiple signatures and readable storage medium | |
| WO2011033642A1 (en) | Signature generation device and signature verification device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |