Background
IBM engineers predict that quantum computers will be deployed on a large scale within the next twenty years. Once such machines are manufactured at scale, most public-key cryptosystems whose security rests on the discrete logarithm, the elliptic-curve discrete logarithm or large-integer factorization will be broken. Whether or not the arrival of the quantum computing era can be predicted accurately, the current information security infrastructure therefore needs to be upgraded to a quantum-resistant level.
Lattice-based cryptography is one of the principal mathematical approaches currently used to resist quantum attacks. In cryptography, the LWE (learning with errors) problem and the SIS (short integer solution) problem have proven to be more versatile building blocks than the classical lattice problems (such as SVP and CVP).
Throughout, each string or value α denotes a binary value; α‖β denotes the concatenation of two binary strings α, β ∈ {0,1}*; for any real number x, ⌊x⌋ denotes the largest integer less than or equal to x and ⌈x⌉ the smallest integer greater than or equal to x.
When α is a positive even number, r' = r mod± α is defined for any integer r as the unique integer r' satisfying −α/2 < r' ≤ α/2 and r' ≡ r (mod α); when α is a positive odd number, r' = r mod± α is the unique integer r' satisfying −α/2 ≤ r' ≤ α/2 and r' ≡ r (mod α); when α is a positive integer, r' = r mod+ α is the unique integer r' satisfying 0 ≤ r' ≤ α − 1 and r' ≡ r (mod α); when the particular representative of the residue r' is unimportant, it is simply written r mod α.
If S is a finite set, |S| denotes its cardinality and x ← S denotes drawing an element of S uniformly at random; U(S) denotes the uniform distribution over the finite set S; if D is a probability distribution, x ← D denotes selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, x ← α denotes plain assignment, also written x := α. If A is a probabilistic algorithm, A(x_1, x_2, …; r) denotes the output of A on input x_1, x_2, … when r is used as the random seed, and y ← A(x_1, x_2, …; r) denotes choosing r at random and letting y be the result A(x_1, x_2, …; r). Pr[R_1; …; R_n : E] denotes the probability that event E occurs after the random processes R_1, …, R_n have been carried out in sequence. A function f(λ) is negligible if for every c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c.
The ring R and its quotient R_q are defined in terms of the m-th cyclotomic polynomial; an element of R_q is a polynomial of degree less than n, a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, where n is a positive integer. The positive integers k and l are the dimensions of the matrix samples: the matrix A is a k × l matrix each of whose entries is a polynomial in R_q. A function defined on R_q that is applied to a vector is applied separately to each coordinate of the vector.
For an element w ∈ Z_q, define ‖w‖∞ = |w mod± q|. For an element w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q, define ‖w‖∞ = max_i ‖w_i‖∞, the largest absolute value of a coefficient after centred reduction; for a vector w = (w_1, w_2, …, w_k) ∈ R^k, define ‖w‖∞ = max_i ‖w_i‖∞.
The set S_η is the set of all w ∈ R with ‖w‖∞ ≤ η, that is, S_η = {w ∈ R | ‖w‖∞ ≤ η}. The set B_60 consists of the elements of R that have exactly 60 coefficients equal to ±1 and all other coefficients equal to 0 (this is what makes the bound β ≤ 60·η on ‖cs‖∞ hold for c ∈ B_60 and s ∈ S_η). For a binary vector h = (h_i), the Hamming weight is defined as ‖h‖_1 = Σ_i h_i.
For each element a ∈ R_q, the NTT representation of a is the result of applying the forward NTT to a. For example, when the prime q satisfies q ≡ 1 (mod 2n), let r be an element of order 2n in the multiplicative group of Z_q; for any a ∈ R_q, the vector of values of a at the powers of r is the NTT representation of a. For a function whose input is a vector over R_q, the NTT is applied separately to each polynomial in R_q.
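As an added example that is not part of the patent, the forward and inverse NTT of the paragraph above for the toy choice n = 8, q = 257 (q ≡ 1 mod 2n), with the element r of order 2n found by search; the block checks that pointwise multiplication of NTT representations agrees with schoolbook multiplication in Z_q[x]/(x^n + 1). The values n, q and the reference product are assumptions for illustration only.

```python
# NTT over R_q = Z_q[x]/(x^N + 1) for the toy choice N = 8, Q = 257 (Q ≡ 1 mod 2N).
# N, Q and the schoolbook reference product are assumptions for this example only.
N, Q = 8, 257

def root_of_order_2n():            # smallest r with r^N ≡ -1: then r^(2N) = 1 and r has order exactly 2N
    return next(r for r in range(2, Q) if pow(r, N, Q) == Q - 1)

R = root_of_order_2n()             # an element of order 2N in the multiplicative group of Z_Q

def ntt(a):                        # forward NTT: evaluate a at the N roots r, r^3, ..., r^(2N-1) of x^N + 1
    return [sum(c * pow(R, (2 * i + 1) * j, Q) for j, c in enumerate(a)) % Q for i in range(N)]

def intt(ahat):                    # inverse: a_j = N^-1 · Σ_i â_i · r^(-(2i+1)·j)
    ninv = pow(N, -1, Q)
    return [ninv * sum(v * pow(R, -(2 * i + 1) * j, Q) for i, v in enumerate(ahat)) % Q for j in range(N)]

def pointwise(ahat, bhat):         # multiplication in the NTT domain is coefficient-wise
    return [(x * y) % Q for x, y in zip(ahat, bhat)]

def negacyclic_mul(a, b):          # schoolbook reference product in Z_Q[x]/(x^N + 1), using x^N = -1
    return [sum(a[i] * b[(k - i) % N] * (1 if i <= k else -1) for i in range(N)) % Q for k in range(N)]

def ntt_mul(a, b):                 # the product the signature scheme computes via the NTT
    return intt(pointwise(ntt(a), ntt(b)))
```

The search for r relies on n being a power of two: any r with r^n ≡ −1 has order exactly 2n, and its odd powers are precisely the n roots of x^n + 1, which is why the pointwise product in the NTT domain equals the negacyclic product in the ring.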
For a real number σ > 0 and x ∈ ℝ, a Gaussian function with parameter σ is defined; the one-dimensional discrete Gaussian distribution with parameter σ is determined by the corresponding probability density function, and the n-dimensional spherical discrete Gaussian distribution is the distribution in which each coordinate is drawn independently from the one-dimensional discrete Gaussian.
Given positive integers n and q that are polynomial in the security parameter λ, an integer vector s, and a probability distribution χ over the integers modulo q, an LWE sample is generated by choosing a vector uniformly at random, choosing noise e ← χ, and outputting the chosen vector together with its inner product with s plus e; A_{q,s,χ} denotes the distribution of such samples. The noise distribution χ is usually taken to be a discrete Gaussian, but other distributions may be used.
Under the decisional LWE assumption, for a sufficiently large security parameter λ, no probabilistic polynomial-time algorithm can distinguish A_{q,s,χ} from the uniform distribution with non-negligible probability. This holds even if the adversary sees polynomially many samples, and even when the secret vector s is itself drawn from χ^n.
The MLWE problem is a variant of the LWE problem. A sample from the MLWE distribution has the form (A, t): the matrix A is chosen uniformly at random from the ring, s and e are drawn from two probability distributions with parameters η_1 and η_2 respectively, and t := As + e is computed. The two distributions may be the same or different; by default they are the uniform distributions over vectors whose coefficients lie in S_{η_1} and S_{η_2} respectively. The MLWE problem is to recover (s, e) from polynomially many samples of the MLWE distribution.
More precisely, for an adversary A its advantage against MLWE is defined accordingly; if no algorithm A with running time at most t has advantage greater than ε, the MLWE hardness assumption (with parameters t and ε) holds.
On the standard lattice the Euclidean norm ‖x‖_2 and the infinity norm ‖x‖∞ can also be defined. In the SIS problem, m and n are positive integers, q is a modulus and β is a threshold parameter. Given the parameters (q, m, n, β) and a uniformly random matrix A, SIS under the Euclidean norm requires finding a non-zero vector x satisfying Ax ≡ 0 (mod q) and ‖x‖_2 ≤ β, and SIS under the infinity norm requires finding a non-zero vector x satisfying Ax ≡ 0 (mod q) and ‖x‖∞ ≤ β.
The MSIS problem is defined analogously under the Euclidean norm and the infinity norm with parameters (q, k, l, β), where k and l are positive integers, q is a modulus and β is a threshold parameter. Given the parameters (q, k, l, β) and a uniformly random matrix A over R_q, MSIS under the Euclidean norm requires finding a non-zero vector x satisfying Ax ≡ 0 (mod q) and ‖x‖_2 ≤ β, and MSIS under the infinity norm requires finding a non-zero vector x satisfying Ax ≡ 0 (mod q) and ‖x‖∞ ≤ β. For any adversary A its advantage against MSIS is defined accordingly; if no algorithm A with running time at most t has advantage greater than ε, the MSIS hardness assumption (with parameters t and ε) holds.
Based on the hardness of the MLWE problem and of the MSIS problem (under the infinity norm), a lattice-based digital signature scheme can be constructed. A digital signature scheme is given by a triple of algorithms (Gen, Sign, Verify):
1) Gen: the key generation algorithm is a probabilistic polynomial-time algorithm that takes 1^λ as input and outputs a pair of strings (pk, sk), called the public key and the private key respectively; the process is written (pk, sk) ← Gen(1^λ);
2) Sign: the signing algorithm is a probabilistic polynomial-time algorithm that, for any message M ∈ {0,1}* to be signed, uses the private key sk as a parameter to compute a signature σ corresponding to M; the process is written σ ← Sign_sk(M);
3) Verify: the verification algorithm is a deterministic polynomial-time algorithm that uses the public key pk as a parameter and returns b ∈ {0,1} for any message/signature pair (M, σ); the process is written b := Verify_pk(M, σ).
If for every security parameter λ, every public/private key pair (pk, sk) generated by Gen(1^λ), every message M ∈ {0,1}* and every σ ← Sign_sk(M), Verify_pk(M, σ) = 1 holds, the digital signature scheme is said to be correct.
A DKC (deterministic key consensus) scheme DKC = (params, Con, Rec) consists of the following three parts:
· params = (q, κ, g, δ, aux) denotes the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux denotes a set of further values determined by (q, κ, g, δ), empty by default;
· (k_1, v) ← Con(σ_1, params), where Con(·) is a deterministic polynomial-time function that takes (σ_1, params) as input and outputs (k_1, v);
· k_2 ← Rec(σ_2, v, params), where Rec(·) is a deterministic polynomial-time function that takes (σ_2, v, params) as input and outputs k_2.
When params is clear from the context it is omitted for brevity.
All DKC schemes used here satisfy the correctness requirement: for any σ_1, σ_2, if ‖σ_1 − σ_2‖∞ ≤ δ then necessarily k_1 = k_2. A most preferred embodiment of the DKC scheme, DKCN = (params, Con, Rec) for κ ≥ 2, g ≥ 2 and 2κδ < q, is shown in FIG. 1.
On the basis of the preferred embodiment DKCN, four functions HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() can be defined; they are used to guarantee the correctness of the signature scheme. The four functions are defined as shown in FIG. 2.
Disclosure of Invention
A first aspect of the present invention provides a lattice-based digital signature method. In the following, each string or value α denotes a binary value; α‖β denotes the concatenation of two binary strings α, β ∈ {0,1}*; for any real number x, ⌊x⌋ denotes the largest integer less than or equal to x and ⌈x⌉ the smallest integer greater than or equal to x;
when α is a positive even number, r' = r mod± α is defined for any integer r as the unique integer r' satisfying −α/2 < r' ≤ α/2 and r' ≡ r (mod α); when α is a positive odd number, r' = r mod± α is the unique integer r' satisfying −α/2 ≤ r' ≤ α/2 and r' ≡ r (mod α); when α is a positive integer, r' = r mod+ α is the unique integer r' satisfying 0 ≤ r' ≤ α − 1 and r' ≡ r (mod α); when the particular representative of the residue r' is unimportant, it is simply written r mod α;
if S is a finite set, |S| denotes its cardinality and x ← S denotes drawing an element of S uniformly at random; U(S) denotes the uniform distribution over the finite set S; if D is a probability distribution, x ← D denotes selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, x ← α denotes plain assignment, also written x := α; if A is a probabilistic algorithm, A(x_1, x_2, …; r) denotes the output of A on input x_1, x_2, … when r is used as the random seed, and y ← A(x_1, x_2, …; r) denotes choosing r at random and letting y be the result A(x_1, x_2, …; r); Pr[R_1; …; R_n : E] denotes the probability that event E occurs after the random processes R_1, …, R_n have been carried out in sequence; a function f(λ) is negligible if for every c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c;
the ring R and its quotient R_q are defined in terms of the m-th cyclotomic polynomial; an element of R_q is a polynomial of degree less than n, a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, where n is a positive integer; the positive integers k and l are the dimensions of the matrix samples, the matrix A being a k × l matrix each of whose entries is a polynomial in R_q; a function defined on R_q that is applied to a vector is applied separately to each coordinate of the vector;
for an element w ∈ Z_q, define ‖w‖∞ = |w mod± q|; for an element w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q, define ‖w‖∞ = max_i ‖w_i‖∞; for a vector w = (w_1, w_2, …, w_k) ∈ R^k, define ‖w‖∞ = max_i ‖w_i‖∞;
when the positive integer η is fixed, the set S_η is the set of all w ∈ R with ‖w‖∞ ≤ η, that is, S_η = {w ∈ R | ‖w‖∞ ≤ η}; for any positive integer h, the set B_h consists of the elements of R that have exactly h coefficients equal to ±1 and all other coefficients equal to 0; for a binary vector h = (h_i), the Hamming weight is defined as ‖h‖_1 = Σ_i h_i;
a sample from the MLWE distribution has the form (A, t); the MLWE problem is to recover the secret (s, e) from polynomially many samples of the MLWE distribution; specifically, the matrix A is chosen uniformly at random from the ring, s and e are drawn from two probability distributions with parameters η_1 and η_2 respectively, and t := As + e is computed; the two distributions may be the same or different and by default are the uniform distributions over vectors whose coefficients lie in S_{η_1} and S_{η_2} respectively; for an adversary A its advantage against MLWE is defined accordingly, and if there is no algorithm A with running time at most τ and advantage greater than ε, the MLWE hardness assumption is said to hold, where τ is a polynomial in n and ε is a negligible function in n;
a DKC (deterministic key consensus) scheme DKC = (params, Con, Rec) consists of the following three parts:
· params = (q, κ, g, δ, aux) denotes the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux denotes a set of further values determined by (q, κ, g, δ), empty by default;
· (k_1, v) ← Con(σ_1, params), where Con(·) is a deterministic polynomial-time function that takes (σ_1, params) as input and outputs (k_1, v);
· k_2 ← Rec(σ_2, v, params), where Rec(·) is a deterministic polynomial-time function that takes (σ_2, v, params) as input and outputs k_2;
when params is clear from the context it is omitted for brevity;
all DKC schemes used here satisfy the correctness requirement: for any σ_1, σ_2, if ‖σ_1 − σ_2‖∞ ≤ δ then necessarily k_1 = k_2;
The method comprises the following steps:
the system parameters required to generate the signature are (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2), where the positive integer λ is the security parameter; the positive integer n is a power of 2; q ≥ 2 is a prime satisfying q ≡ 1 (mod 2n); the positive integer κ satisfies 2 ≤ κ ≤ 12; χ_1, χ_2 are two identical or different noise distributions; k and l are positive integers polynomial in λ; d is a positive integer; the threshold parameters β_1, β_2, γ_1, γ_2 are positive integers; ω is a positive integer; β_1, β_2 are positive integers with β_1 ≤ h·η_1 and β_2 ≤ h·η_2, where h is a positive integer; the parameters γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ; and L_1, L_2 are positive integers;
generation of the public and private keys: the signer performs the following operations in turn:
1) the signer obtains the random seeds ρ and/or K by sampling;
2) the signer obtains s and e by random sampling;
3) the signer maps the random seed ρ of bit length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function;
4) the signer computes t := As + e and calls the function Power2Round_q(t, d) to generate (t_1, t_0);
5) the signer computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the inputs of the function CRH may be arbitrary and aux_tr is a set whose value may be empty;
6) the signer finally outputs (pk, sk), where pk = (ρ, t_1) is the public key of the signer and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the private key of the signer;
the signer sends the public key information pk to the verifier;
the signature method is as follows: the signer holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and the message M ∈ {0,1}* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in turn; first, the signer maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function; the signer then generates μ := CRH(tr, M), where the order of the input variables of the CRH() function may be arbitrary and the output belongs to the prescribed set; the signer then obtains the random seed ρ' used in the signature method, where ρ' is either generated completely at random or generated deterministically as ρ' := CRH(K, μ); finally, the signer sets ctr := 0 and (z, h) := ⊥ to complete the initialisation of the loop; the signer then enters the loop until a signature with (z, h) ≠ ⊥ is found; specifically, in each round of the loop the signer works in one of two ways:
the first working mode is as follows:
1) the signer first generates the random element y of the current round by calling y := ExpandMask(ρ', ctr), where the ExpandMask() function outputs an element of the prescribed set;
2) the signer computes w := Ay and w_1 := HighBits_q(w, γ_1), where HighBits_q(r, γ_1) outputs the high-order part of r; the function is defined on a single coefficient and is extended coefficient-wise to polynomials and vectors, so that w_1 can be regarded as one vector element;
3) the signer calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is a subset of R and H(·) is a function that maps an arbitrary input string in {0,1}* to an element of the set B_h; the order of the input variables may be arbitrary;
4) the signer computes z := y + cs;
5) the signer computes (r_1, r_0) := Decompose_q(w − ce, γ_1), where the function call (r_1, r_0) := Decompose_q(r, γ_1) decomposes the input r into a high-order part r_1 and a low-order part r_0; the function is defined on a single coefficient and is extended coefficient-wise;
6) if ‖z‖∞ ≥ γ_1 − β_1, or ‖r_0‖∞ ≥ γ_2 − β_2, or r_1 ≠ w_1, the current round ends immediately, the signer sets ctr := ctr + 1 and enters the next round;
7) the signer computes h := MakeHint_q(−ct_0, w − ce + ct_0, γ_1); the input elements of MakeHint_q(z, r, γ_1) are elements of Z_q and its output lies in the set {0,1}; the function is defined on a single coefficient and is extended coefficient-wise, so that h ∈ {0,1}^{k·n};
8) if ‖ct_0‖∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is larger than the parameter ω, the current round ends immediately, the signer sets ctr := ctr + 1 and enters the next round; otherwise the (z, h, c) generated in the current round is a valid signature;
the signer sends the (z, h, c) generated in the last round, together with the message M ∈ {0,1}*, to the verifier;
the second working mode is based on DKCN and works as follows:
1) the signer first generates the random element y of the current round by calling y := ExpandMask(ρ', ctr), where the order of the input elements of the ExpandMask() function may be arbitrary and the output belongs to the prescribed set;
2) the signer computes w := Ay and w_1 := HighBits_{q,κ}(w), where HighBits_{q,κ}(r) outputs the high-order part of r; the function is defined on a single coefficient and is extended coefficient-wise to polynomials and vectors, so that w_1 can be regarded as one vector element;
3) the signer calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is a subset of R and H(·) is a function that maps an arbitrary input string in {0,1}* to an element of the set B_h; the order of the input variables may be arbitrary;
4) the signer computes z := y + cs;
5) the signer computes (r_1, r_0) := Con(w − ce), where the function call (r_1, r_0) := Con(r) decomposes the input r into a high-order part r_1 and a low-order part r_0; the function is defined on a single coefficient and is extended coefficient-wise;
6) if ‖z‖∞ ≥ γ_1 − β_1, or ‖r_0‖∞ ≥ q/2 − κ·β_2, or r_1 ≠ w_1, the current round ends immediately, the signer sets ctr := ctr + 1 and enters the next round;
7) the signer computes h := MakeHint_{q,κ}(−ct_0, w − ce + ct_0); the input elements of MakeHint_{q,κ}(z, r) are elements of Z_q and its output lies in the set {0,1}; the function is defined on a single coefficient and is extended coefficient-wise, so that h ∈ {0,1}^{k·n};
8) if ‖ct_0‖∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is larger than the parameter ω, the current round ends immediately, the signer sets ctr := ctr + 1 and enters the next round; otherwise the (z, h, c) generated in the current round is a valid signature;
the signer sends the (z, h, c) generated in the last round, together with the message M ∈ {0,1}*, to the verifier;
the verification method is as follows: having received the pair (M, (z, h, c)), where M ∈ {0,1}*, h ∈ {0,1}^{k·n} and c ∈ B_h, the verifier performs the verification operation with the public key information pk = (ρ, t_1); if the signer used the first working mode, the verifier performs the following operations:
1) the verifier maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the inputs of the function CRH may be arbitrary and aux_tr is a set whose value may be empty;
3) the verifier generates μ := CRH(tr, M), where the inputs of CRH() may be concatenated in any order and the output belongs to the prescribed set;
4) the verifier computes w'_1 := UseHint_q(h, Az − c·t_1·2^d, γ_1), where UseHint_q(h, r, γ_1) generates a value from the hint bit h ∈ {0,1} and r; the function is defined on each component of the input vector, so that w'_1 can be regarded as a vector;
5) if ‖z‖∞ < γ_1 − β_1, and c = H(μ, w'_1), and the Hamming weight of h ∈ {0,1}^{k·n} is at most the parameter ω, the verifier sets b := 1, indicating that (M, (z, h, c)) is accepted as a correct message/signature pair; otherwise the verifier sets b := 0, indicating that (M, (z, h, c)) is regarded as an incorrect message/signature pair;
finally, the verifier outputs b ∈ {0,1};
if the signer used the second working mode, the verifier performs the following operations:
1) the verifier maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the inputs of the function CRH may be arbitrary, the output belongs to the prescribed set and aux_tr is a set whose value may be empty;
3) the verifier generates μ := CRH(tr, M), where the concatenation order of the inputs of the function CRH may be arbitrary and the output belongs to the prescribed set;
4) the verifier computes w'_1 := UseHint_{q,κ}(h, Az − c·t_1·2^d), where UseHint_{q,κ}(h, r) generates a value from the hint bit h ∈ {0,1} and r; the function is defined on each component of the input vector, so that w'_1 can be regarded as a vector;
5) if ‖z‖∞ < γ_1 − β_1, and c = H(μ, w'_1), and the Hamming weight of h ∈ {0,1}^{k·n} is at most the parameter ω, the verifier sets b := 1, indicating that (M, (z, h, c)) is accepted as a correct message/signature pair; otherwise the verifier sets b := 0, indicating that (M, (z, h, c)) is regarded as an incorrect message/signature pair;
finally, the verifier outputs b ∈ {0,1}.
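Why the hint suffices, as an added worked equation that is not part of the original text, using only the symbols defined above: by Power2Round_q, t = t_1·2^d + t_0, and by step 4 of signing, z = y + cs, so that

\begin{align*}
Az - c\,t_1 2^d &= A(y + cs) - c\,(t - t_0) \\
&= Ay + cAs - c(As + e) + c\,t_0 \\
&= w - ce + c\,t_0 \pmod q .
\end{align*}

This is exactly the second argument the signer passed to MakeHint_q in step 7, and the first argument −c t_0 is the shift back to w − ce. Hence, whenever ‖c t_0‖∞ is small enough for the hint to be meaningful (the check ‖c t_0‖∞ < γ_2 in step 8), UseHint_q(h, Az − c t_1 2^d, γ_1) = HighBits_q(w − ce, γ_1) = r_1, and the signer's check r_1 = w_1 in step 6 guarantees that the verifier recomputes the same w_1 and therefore the same challenge c = H(μ, w_1). The same identity justifies the second working mode with UseHint_{q,κ}.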
A second aspect of the present invention is based on the first aspect, wherein:
· the ExpandA() function maps a random seed ρ to the NTT representation of the matrix A, where the NTT representation of each element is the result of applying the forward NTT to that element;
· CRH() is a collision-resistant hash function, the concatenation order of whose input elements may be arbitrary, which maps {0,1}* to an element of the prescribed output set;
· the ExpandMask() function maps input elements in {0,1}* to the element y of the prescribed set; the concatenation order of the input elements may be arbitrary;
· a most preferred concrete example of the DKC scheme, DKCN = (params, Con, Rec), can be constructed when κ ≥ 2, g ≥ 2 and 2κδ < q, where:
on input (σ_1, params), the function Con is implemented as follows: first compute v := κ·σ_1 mod± q; if κ·σ_1 − v = κ·q then set k_1 := 0, otherwise set k_1 := (κ·σ_1 − v)/q; finally the function returns (k_1, v);
on input (σ_2, v, params), the function Rec computes k_2 from σ_2 and v and returns k_2;
A third aspect of the present invention is based on the second aspect, wherein the function Power2Round_q() is as follows:
on input (r, d) with r ∈ Z_q and d < log_2 q, the function Power2Round_q() performs the following operations: first compute r := r mod+ q; then compute r_0 := r mod± 2^d; finally return ((r − r_0)/2^d, r_0);
the functions Decompose_q(), HighBits_q(), MakeHint_q() and UseHint_q() used in the first working mode are defined as follows:
on input (r, α) with r ∈ Z_q, the function Decompose_q() performs the following operations: first compute r := r mod+ q; then compute r_0 := r mod± α; if r − r_0 = q − 1, set (r_1, r_0) := (0, r_0 − 1), otherwise set r_1 := (r − r_0)/α; finally return (r_1, r_0);
on input (r, α) with r ∈ Z_q, the function HighBits_q() first computes (r_1, r_0) := Decompose_q(r, α) and then returns r_1;
on input (z, r, α), the function MakeHint_q() first computes r_1 := HighBits_q(r, α), then computes v_1 := HighBits_q(r + z, α); if r_1 = v_1 it returns 0, otherwise it returns 1;
on input (h, r, α) with h ∈ {0,1} and r ∈ Z_q, the function UseHint_q() first computes m := (q − 1)/α, then computes (r_1, r_0) := Decompose_q(r, α); if h = 0 it returns r_1; if h = 1 and r_0 > 0 it returns (r_1 + 1) mod+ m; if h = 1 and r_0 ≤ 0 it returns (r_1 − 1) mod+ m;
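The first working mode end to end, as an added example in Python that is not the patent's own code. Everything in it is an assumption for illustration only: the toy ring Z_257[x]/(x^8 + 1), k = l = 2, η_1 = η_2 = 1, challenge weight h = 2, d = 3 and κ = 8 (so γ_1 = (q − 1)/κ = 32 and γ_2 = 16), SHAKE256 standing in for ExpandA, ExpandMask, CRH and H, and schoolbook multiplication in place of the NTT. It implements Power2Round_q, Decompose_q, HighBits_q, MakeHint_q and UseHint_q exactly as defined above and runs key generation, the signing loop with the rejection checks of steps 6 and 8, and the verification of the first working mode.

```python
import hashlib

# Toy parameters, assumed for this example only (no security; they just exercise every check)
N, Q, K, L = 8, 257, 2, 2       # ring degree, prime modulus with Q ≡ 1 (mod 2N), A is K×L over R_q
ETA, HW, D, KAPPA = 1, 2, 3, 8  # secret bound η, challenge weight h, dropped bits d, κ
GAMMA1 = (Q - 1) // KAPPA       # 32: HighBits step α, which divides Q-1 as Decompose_q requires
GAMMA2 = GAMMA1 // 2            # 16
BETA = HW * ETA                 # β1 = β2 = h·η
OMEGA = K * N                   # hint-weight bound (no constraint at this toy size)

def mod_pm(r, a):               # r mod± a: the representative in (-a/2, a/2]
    r %= a
    return r - a if r > a // 2 else r
def power2round(r, d=D):        # (r1, r0) with r = r1·2^d + r0 and r0 in (-2^(d-1), 2^(d-1)]
    r %= Q
    r0 = mod_pm(r, 1 << d)
    return (r - r0) >> d, r0
def decompose(r, a=GAMMA1):     # (r1, r0) with r = r1·a + r0; the q-1 wrap is folded into bucket 0
    r %= Q
    r0 = mod_pm(r, a)
    return (0, r0 - 1) if r - r0 == Q - 1 else ((r - r0) // a, r0)
def highbits(r, a=GAMMA1): return decompose(r, a)[0]
def make_hint(z, r, a=GAMMA1): return int(highbits(r, a) != highbits(r + z, a))
def use_hint(h, r, a=GAMMA1):   # recover HighBits(r + z) from r and the one-bit hint
    m, (r1, r0) = (Q - 1) // a, decompose(r, a)
    return r1 if h == 0 else ((r1 + 1) % m if r0 > 0 else (r1 - 1) % m)

# R_q = Z_q[x]/(x^N + 1): a polynomial is a list of N ints, a vector is a list of polynomials
def pmul(a, b):
    c = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[(i + j) % N] += x * y if i + j < N else -x * y   # x^N = -1
    return [v % Q for v in c]
def vadd(u, v): return [[(x + y) % Q for x, y in zip(p, r)] for p, r in zip(u, v)]
def vsub(u, v): return [[(x - y) % Q for x, y in zip(p, r)] for p, r in zip(u, v)]
def scal(c, v): return [pmul(c, p) for p in v]
def matvec(A, v): return [[sum(t) % Q for t in zip(*[pmul(a, p) for a, p in zip(row, v)])] for row in A]
def norm_inf(v, f=lambda x: x): return max(abs(mod_pm(f(x), Q)) for p in v for x in p)
def flat(v): return bytes(x for p in v for x in p)
def xof(*parts): return hashlib.shake_256(b"".join(parts))

def sample(seed, tag, bound, lo=0):   # N uniform ints in [lo, lo+bound) by rejection from SHAKE256
    out, blk = [], 0
    while len(out) < N:
        buf = xof(seed, tag, bytes([blk])).digest(64)
        for k in range(0, 64, 2):
            v = int.from_bytes(buf[k:k + 2], "big")
            if v < (1 << 16) // bound * bound and len(out) < N: out.append(lo + v % bound)
        blk += 1
    return out
def expand_a(rho): return [[sample(rho, bytes([i, j]), Q) for j in range(L)] for i in range(K)]
def challenge(w1, mu):          # H(w1, μ) -> c in B_h: HW coefficients in {±1}, the rest 0
    c, buf, k = [0] * N, xof(mu, flat(w1)).digest(256), 0
    while sum(1 for x in c if x) < HW:
        b, k = buf[k], k + 1
        if c[b % N] == 0: c[b % N] = 1 if b & 0x80 else Q - 1
    return c

def keygen(seed):
    blob = xof(seed, b"gen").digest(96)
    rho, key, ss = blob[:32], blob[32:64], blob[64:]
    A = expand_a(rho)
    s = [sample(ss, b"s%d" % j, 2 * ETA + 1, -ETA) for j in range(L)]
    e = [sample(ss, b"e%d" % i, 2 * ETA + 1, -ETA) for i in range(K)]
    t = vadd(matvec(A, s), e)
    t1 = [[power2round(x)[0] for x in p] for p in t]
    t0 = [[power2round(x)[1] for x in p] for p in t]
    tr = xof(rho, flat(t1)).digest(32)                       # tr := CRH(ρ, t1)
    return (rho, t1), (rho, key, tr, s, e, t0)

def sign(sk, msg):
    rho, key, tr, s, e, t0 = sk
    A, mu = expand_a(rho), xof(tr, msg).digest(48)           # μ := CRH(tr, M)
    rho_p, ctr = xof(key, mu).digest(48), 0                  # deterministic ρ' := CRH(K, μ)
    while True:
        y = [sample(rho_p, bytes([j]) + ctr.to_bytes(2, "big"), 2 * GAMMA1 - 1, 1 - GAMMA1)
             for j in range(L)]                               # y := ExpandMask(ρ', ctr), |y| ≤ γ1-1
        ctr += 1
        w = matvec(A, y)
        w1 = [[highbits(x) for x in p] for p in w]
        c = challenge(w1, mu)
        z = vadd(y, scal(c, s))
        wce = vsub(w, scal(c, e))                            # w - c·e
        if (norm_inf(z) >= GAMMA1 - BETA or norm_inf(wce, lambda x: decompose(x)[1]) >= GAMMA2 - BETA
                or [[highbits(x) for x in p] for p in wce] != w1):
            continue                                         # step 6: reject and retry
        ct0 = scal(c, t0)
        h = [[make_hint(-a, b) for a, b in zip(p, r)] for p, r in zip(ct0, vadd(wce, ct0))]
        if norm_inf(ct0) >= GAMMA2 or sum(map(sum, h)) > OMEGA:
            continue                                         # step 8: reject and retry
        return z, h, c

def verify(pk, msg, sig):
    (rho, t1), (z, h, c) = pk, sig
    mu = xof(xof(rho, flat(t1)).digest(32), msg).digest(48)  # tr := CRH(ρ, t1); μ := CRH(tr, M)
    r = vsub(matvec(expand_a(rho), z), scal(c, [[x << D for x in p] for p in t1]))  # Az - c·t1·2^d
    w1p = [[use_hint(hb, x) for hb, x in zip(hp, rp)] for hp, rp in zip(h, r)]
    return norm_inf(z) < GAMMA1 - BETA and sum(map(sum, h)) <= OMEGA and c == challenge(w1p, mu)
```

With these toy values a signature is found after a few dozen rounds of the loop. Note that the challenge space B_h here has only C(8,2)·2^2 = 112 elements, so a signature on one message also verifies for a different message with probability about 1/112; the page's choice n = 256, h = 60 is what makes H(w_1, μ) usable as a random oracle, and the check ‖z‖∞ < γ_1 − β_1 is what keeps z from leaking s.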
the functions Decompose_{q,κ}(), HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() used in the second working mode are built on the preferred example DKCN and are defined as follows:
on input r ∈ Z_q, the function Decompose_{q,κ}() first computes (r_1, r_0) := Con(r) and then returns (r_1, r_0);
on input r ∈ Z_q, the function HighBits_{q,κ}() computes (r_1, r_0) := Con(r) and returns r_1;
on input r ∈ Z_q, the function LowBits_{q,κ}() computes (r_1, r_0) := Con(r) and returns r_0;
on input (z, r), the function MakeHint_{q,κ}() first computes r_1 := HighBits_{q,κ}(r), then computes v_1 := HighBits_{q,κ}(r + z); if r_1 = v_1 it returns 0, otherwise it returns 1;
on input (h, r) with h ∈ {0,1} and r ∈ Z_q, the function UseHint_{q,κ}() first computes (r_1, r_0) := Con(r); if h = 0 it returns r_1; if h = 1 and r_0 > 0 it returns (r_1 + 1) mod+ κ; if h = 1 and r_0 ≤ 0 it returns (r_1 − 1) mod+ κ.
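The Con function of the second aspect, the DKC correctness requirement of the Background section, and the Decompose_{q,κ}, HighBits_{q,κ}, LowBits_{q,κ}, MakeHint_{q,κ} and UseHint_{q,κ} functions just defined, as an added example in Python that is not the patent's own code. Rec is not spelled out on the page; the block assumes the nearest-integer reconciliation k_2 := ⌊(κ·σ_2 − v)/q + 1/2⌋ mod κ. The toy values q = 257, κ = 8 and δ = 16 (so 2κδ < q) are assumptions. The block checks exhaustively that Con and Rec agree whenever |σ_1 − σ_2| ≤ δ, and that the hint functions recover HighBits_{q,κ}(r + z) for |z| ≤ δ.

```python
# Toy DKCN reconciliation and the hint functions of the second working mode.
# Q, KAPPA and DELTA are assumptions for this example; Rec's formula is assumed (see lead-in).
Q, KAPPA = 257, 8
DELTA = (Q - 1) // (2 * KAPPA)          # 16: the largest δ with 2κδ < q

def mod_pm(r, a):                       # r mod± a: the representative in (-a/2, a/2]
    r %= a
    return r - a if r > a // 2 else r

def con(sigma):                         # Con(σ1) exactly as specified: v := κσ1 mod± q, k1 := (κσ1 - v)/q
    v = mod_pm(KAPPA * sigma, Q)
    k1 = (KAPPA * sigma - v) // Q       # exact division: κσ1 - v is a multiple of q
    return (0 if k1 == KAPPA else k1), v   # the page's "if κσ1 - v = κq then k1 := 0"

def rec(sigma, v):                      # Rec(σ2, v), assumed: nearest integer to (κσ2 - v)/q, reduced mod κ
    x = KAPPA * sigma - v
    return ((2 * x + Q) // (2 * Q)) % KAPPA   # floor(x/q + 1/2) in integer arithmetic

def decompose_k(r): return con(r % Q)   # Decompose_{q,κ}(r) := Con(r); inputs are taken mod q first
def highbits_k(r): return decompose_k(r)[0]
def lowbits_k(r): return decompose_k(r)[1]
def make_hint_k(z, r): return int(highbits_k(r) != highbits_k(r + z))
def use_hint_k(h, r):
    r1, r0 = decompose_k(r)
    if h == 0:
        return r1
    return (r1 + 1) % KAPPA if r0 > 0 else (r1 - 1) % KAPPA

def consensus_ok():                     # DKC correctness: |σ1 - σ2| ≤ δ  ⇒  Rec(σ2, v) = k1
    return all(con(s1)[0] == rec((s1 + d) % Q, con(s1)[1])
               for s1 in range(Q) for d in range(-DELTA, DELTA + 1))

def hint_ok():                          # UseHint(MakeHint(z, r), r) = HighBits(r + z) whenever |z| ≤ δ
    return all(use_hint_k(make_hint_k(z, r), r) == highbits_k(r + z)
               for r in range(Q) for z in range(-DELTA, DELTA + 1))
```

Unlike Decompose_q, which takes r_0 := r mod± α and then floors, Con rounds κ·r/q to the nearest integer: r_1 = HighBits_{q,κ}(r) is round(κ·r/q) mod κ and r_0 = LowBits_{q,κ}(r) ranges over (−q/2, q/2], which is why the second working mode rejects on ‖r_0‖∞ ≥ q/2 − κ·β_2 instead of on γ_2 − β_2. The exhaustive check above is what a practitioner should run for the real (q, κ) before trusting either mode's correctness argument.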
A fourth aspect of the present invention is based on the third aspect, wherein:
· λ ≥ 128;
· L_1 ≥ 256, L_2 ≥ 384;
· n = 256;
· h = 60;
· q ≤ 2^20 is a prime number;
· 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7;
· η_1, η_2 ∈ {1, 2};
· β_1 ≤ 60·η_1, β_2 ≤ 60·η_2.
The fifth aspect of the present invention is based on the fourth aspect; specifically, the parameters of the inventive method are selected as follows. All sixteen parameter sets share λ = 128, n = 256, h = 60, L_1 = 256 and L_2 = 384, and differ in the remaining parameters:
Parameter set 1: η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 3, l = 2, ω ≤ 64;
Parameter set 2: η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 4, l = 3, ω ≤ 80;
Parameter set 3: η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 5, l = 4, ω ≤ 96;
Parameter set 4: η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 6, l = 5, ω ≤ 120;
Parameter set 5: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 4, l = 3, ω ≤ 80;
Parameter set 6: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 5, l = 4, ω ≤ 96;
Parameter set 7: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 6, l = 5, ω ≤ 120;
Parameter set 8: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 4, l = 3, ω ≤ 80;
Parameter set 9: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 5, l = 4, ω ≤ 96;
Parameter set 10: η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 6, l = 5, ω ≤ 120;
Parameter set 11: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 4, l = 3, ω ≤ 80;
Parameter set 12: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 5, l = 4, ω ≤ 96;
Parameter set 13: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 6, l = 5, ω ≤ 120;
Parameter set 14: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 4, l = 3, ω ≤ 80;
Parameter set 15: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 5, l = 4, ω ≤ 96;
Parameter set 16: η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 6, l = 5, ω ≤ 120.
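The sixteen parameter sets share q, κ, d, γ_1 and γ_2 in five groups. As an added check that is not part of the patent, the following Python encodes those five tuples and tests the relations they must satisfy: q ≡ 1 (mod 2n) for the NTT, 2^d < q for Power2Round_q, q/κ ≤ 2^18 and 3 ≤ κ ≤ 12 from the fourth aspect, and the relation γ_1 = ⌊(q − 1)/κ⌋, γ_2 = ⌊γ_1/2⌋ that every listed value obeys (the page itself states only that γ_1 and γ_2 depend on q and κ). It also applies the q ≤ 2^20 bound of the fourth aspect, which the first four sets (q = 1952257) do not meet; the other bounds hold for all sets. Primality is computed but reported separately.

```python
N = 256                      # n = 256 in every parameter set on the page

# (q, κ, d, γ1, γ2) as listed on the page; each tuple is shared by several parameter sets
PARAM_TUPLES = {
    "sets 1-4":   (1952257, 8, 13, 244032, 122016),
    "sets 5-7":   (523777, 4, 12, 130944, 65472),
    "sets 8-10":  (592897, 5, 12, 118579, 59289),
    "sets 11-13": (786433, 6, 12, 131072, 65536),
    "sets 14-16": (913921, 7, 12, 130560, 65280),
}

def is_prime(q):             # trial division; adequate for q below 2^21
    if q < 2:
        return False
    f = 2
    while f * f <= q:
        if q % f == 0:
            return False
        f += 1
    return True

def check(q, kappa, d, g1, g2):
    """Named arithmetic checks for one (q, κ, d, γ1, γ2) tuple; True means the check passes."""
    return {
        "q ≡ 1 (mod 2n)": q % (2 * N) == 1,        # needed for the NTT over Z_q[x]/(x^n + 1)
        "γ1 = ⌊(q-1)/κ⌋": g1 == (q - 1) // kappa,  # the γ1(q, κ) relation the listed values obey
        "γ2 = ⌊γ1/2⌋": g2 == g1 // 2,
        "2^d < q": (1 << d) < q,                   # Power2Round_q needs d < log2 q
        "q/κ ≤ 2^18": q // kappa <= 1 << 18,
        "q ≤ 2^20": q <= 1 << 20,                  # bound stated in the fourth aspect
        "3 ≤ κ ≤ 12": 3 <= kappa <= 12,
    }

def failing_checks():
    """Map each tuple to the names of the checks it fails (primality is reported separately)."""
    return {name: [k for k, ok in check(*t).items() if not ok] for name, t in PARAM_TUPLES.items()}

def primality():
    """Map each tuple to whether its q is prime, as the fourth aspect requires."""
    return {name: is_prime(t[0]) for name, t in PARAM_TUPLES.items()}
```

The γ_1, γ_2 relation matters in practice: with γ_1 = (q − 1)/κ the high-bits buckets of both working modes have κ values (m = (q − 1)/α = κ in UseHint_q), so the two modes produce w_1 of the same shape and the same hint encoding.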
Detailed Description
The invention provides a parameter setting method for a novel lattice-based digital signature scheme. In the following, S denotes the signer and V the verifier. S uses its own private key sk to compute a signature σ for the message M ∈ {0,1}*; V uses the public key pk of S to verify the intrinsic logical relationship between the message/signature pair (M, σ), and finally outputs 1 if and only if V accepts (M, σ) as a legitimate message/signature pair from S.
The system parameters required to generate the signature are (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2), where the positive integer λ is the security parameter; the positive integer n is a power of 2; q ≥ 2 is a prime satisfying q ≡ 1 (mod 2n); the positive integer κ satisfies 2 ≤ κ ≤ 12; χ_1, χ_2 are two identical or different noise distributions; k and l are positive integers polynomial in λ; d is a positive integer; the threshold parameters β_1, β_2, γ_1, γ_2 are positive integers; ω is a positive integer; β_1, β_2 are positive integers with β_1 ≤ h·η_1 and β_2 ≤ h·η_2, where h is a positive integer; the parameters γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ; and L_1, L_2 are positive integers.
Generation of the public and private keys: the signer S performs the following operations in sequence:
1) the signer S obtains the random seeds ρ and/or K by sampling;
2) the signer S obtains s and e by random sampling;
3) the signer S maps the random seed ρ of bit length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function;
4) the signer S computes t := As + e and calls the function Power2Round_q(t, d) to generate (t_1, t_0), where on input (r, d) with r ∈ Z_q and d < log_2 q the function Power2Round_q() performs the following operations: first compute r := r mod+ q; then compute r_0 := r mod± 2^d; finally return ((r − r_0)/2^d, r_0);
5) the signer S computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the input elements of the function CRH may be arbitrary, the output belongs to the prescribed set, and aux_tr is a set whose value may be empty;
6) the signer S finally outputs (pk, sk), where pk = (ρ, t_1) is the public key of the signer S and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the private key of the signer S;
the signer S sends the public key information pk to the verifier V.
The signature method is as follows. The signer S holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and the message M ∈ {0,1}* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in turn. First, the signer S maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function. The signer S then generates μ := CRH(tr, M), where the concatenation order of the input elements of the function CRH may be arbitrary and the output belongs to the prescribed set. The signer S then obtains the random seed ρ' used in the signature method, where ρ' is either generated completely at random or generated deterministically as ρ' := CRH(K, μ). Finally, the signer S sets ctr := 0 and (z, h) := ⊥ to complete the initialisation of the loop; the signer S then enters the loop until a signature with (z, h) ≠ ⊥ is found. Specifically, in each round of the loop the signer S works in one of two ways:
In the first working mode, the four functions Decompose_q(), HighBits_q(), MakeHint_q() and UseHint_q() are required; their definitions are shown in figure 3. The working principle of the first working mode is as follows:
9) the signer S first generates the random element y of the current round by calling y := ExpandMask(ρ', ctr), wherein the ExpandMask() function outputs a certain element of a fixed set;
10) the signer S computes w := Ay and w1 := HighBits_q(w, γ1), wherein HighBits_q(r, γ1) outputs the high-order part of the information of r; the function is extended coefficient-wise to each coefficient of the input; w1 can be regarded as one vector element;
11) the signer S calls c := H(w1, μ) to obtain c ∈ B_h, wherein B_h is a subset of the ring R, and H(·) is a function whose input variables may be linked in any order and which maps an arbitrary input string in {0,1}* to an element of the set B_h;
12) the signer S calculates z := y + cs;
13) the signer S calculates (r1, r0) := Decompose_q(w − ce, γ1), wherein the function call (r1, r0) := Decompose_q(r, γ1) decomposes the input r into r1 and r0; the function is extended coefficient-wise to each coefficient of the input;
14) if ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ γ2 − β2 or r1 ≠ w1, the current round ends directly, ctr := ctr + 1 is set, and the next round begins;
15) the signer S calculates h := MakeHint_q(−ct0, w − ce + ct0, γ1); wherein the input elements of the function MakeHint_q(z, r, γ1) satisfy the required input condition and its output value belongs to {0,1}; the function is extended coefficient-wise to each coefficient of the input; h accordingly belongs to {0,1}^(k·n);
16) if ‖ct0‖∞ ≥ γ2 or the Hamming weight of h ∈ {0,1}^(k·n) is larger than the parameter ω, the current round ends directly, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in the current round is a signature meeting the requirement;
the signer S sends the (z, h, c) value generated in the last round to the verifier V as the signature of the input message M ∈ {0,1}*.
The second working mode is based on DKCN and on the auxiliary functions HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() constructed on DKCN; their definitions are shown in figure 2. The working principle of the second working mode is as follows:
9) the signer S first generates the random element y of the current round by calling y := ExpandMask(ρ', ctr), wherein the ExpandMask() function outputs a certain element of a fixed set;
10) the signer S computes w := Ay and w1 := HighBits_{q,κ}(w), wherein HighBits_{q,κ}(r) outputs the high-order part of the information of r; the function is extended coefficient-wise to each coefficient of the input; w1 can be regarded as one vector element;
11) the signer S calls c := H(w1, μ) to obtain c ∈ B_h, wherein B_h is a subset of the ring R, and H(·) is a function whose input variables may be linked in any order and which maps an arbitrary input string in {0,1}* to a certain element of the set B_h;
12) the signer S calculates z := y + cs;
13) the signer S calculates (r1, r0) := Con(w − ce), wherein the function call (r1, r0) := Con(r) decomposes the input r into r1 and r0; the function is extended coefficient-wise to each coefficient of the input;
14) if ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ q/2 − κ·β2 or r1 ≠ w1, the current round ends directly, ctr := ctr + 1 is set, and the next round begins;
15) the signer S calculates h := MakeHint_{q,κ}(−ct0, w − ce + ct0); wherein the input elements of the function MakeHint_{q,κ}(z, r) satisfy the required input condition and its output value belongs to {0,1}; the function is extended coefficient-wise to each coefficient of the input; h accordingly belongs to {0,1}^(k·n);
16) if ‖ct0‖∞ ≥ γ2 or the Hamming weight of h ∈ {0,1}^(k·n) is larger than the parameter ω, the current round ends directly, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in the current round is a signature meeting the requirement;
the signer S sends the (z, h, c) value generated in the last round to the verifier V as the signature of the input message M ∈ {0,1}*.
The verification method comprises the following steps: the verifier V receives an (M, (z, h, c)) pair (where M ∈ {0,1}*, h ∈ {0,1}^(k·n), c ∈ B_h) and then performs the verification operation using the public key information pk = (ρ, t1); if the signer S uses the first working mode, the verifier V performs the following operations:
6) the verifier V maps the random string ρ of length L1 into the matrix A by calling the function ExpandA(); wherein ExpandA() is a mapping function;
7) the verifier V calculates tr := CRH(ρ, t1, aux_tr), wherein the order of linking the inputs in the function CRH may be arbitrary and aux_tr is a set whose value can be null;
8) the verifier V generates μ := CRH(tr, M);
9) the verifier V calculates w'1 := UseHint_q(h, Az − c·t1·2^d, γ1); wherein UseHint_q(h, r, γ1) generates a value from r according to the hint bit h ∈ {0,1}; the function is extended to each component of the input vector, so that w'1 can be regarded as a vector;
10) if ‖z‖∞ < γ1 − β1 and c = H(μ, w'1) and h ∈ {0,1}^(k·n) has Hamming weight at most ω, the verifier V sets b := 1, indicating acceptance of the (M, (z, h, c)) pair as a correct message-signature pair; otherwise, it sets b := 0, indicating that the (M, (z, h, c)) pair is considered to be an incorrect message-signature pair;
finally, the verifier V outputs b ∈ {0,1}.
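As an added example serving step 15 of the first-mode signature above and step 9 of this verification (not the patent's own code): the text refers to figure 3 for Decompose_q, HighBits_q, MakeHint_q and UseHint_q, and that figure is not reproduced here, so the definitions below are the Dilithium-style ones, used as an assumption, with the page's γ1 in the role of the decomposition step α and γ2 = γ1/2 as the hint tolerance. The block checks the property the verifier relies on, UseHint(MakeHint(z, r), r) = HighBits(r + z) for ‖z‖∞ ≤ α/2, and shows on one coefficient why step 16 rejects when ‖ct0‖∞ reaches γ2.

```python
# Added example, not the patent's own code.  Decompose/HighBits/MakeHint/UseHint are
# the Dilithium-style definitions, used here as an ASSUMPTION for the figure-3
# functions, with alpha = γ1.  They need alpha even and alpha | (q − 1), which holds
# for parameter set-5: q = 523777, γ1 = 130944 = (q−1)/4, γ2 = 65472 = γ1/2.
# Everything is on a single coefficient; the scheme applies it coefficient-wise.

def mod_pm(r: int, alpha: int) -> int:
    """r mod± alpha for even alpha: the representative in (-alpha/2, alpha/2]."""
    r0 = r % alpha
    return r0 - alpha if r0 > alpha // 2 else r0

def decompose(r: int, q: int, alpha: int) -> tuple:
    """Decompose_q(r, alpha) (assumed form): r = r1*alpha + r0 with r0 = r mod± alpha,
    except that the top value q-1 is folded into r1 = 0 so that r1 in [0, (q-1)/alpha)."""
    r = r % q                      # r mod+ q
    r0 = mod_pm(r, alpha)
    if r - r0 == q - 1:
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def high_bits(r: int, q: int, alpha: int) -> int:
    return decompose(r, q, alpha)[0]

def make_hint(z: int, r: int, q: int, alpha: int) -> int:
    """MakeHint_q(z, r, alpha): 1 iff adding z to r changes the high part."""
    return int(high_bits(r, q, alpha) != high_bits(r + z, q, alpha))

def use_hint(h: int, r: int, q: int, alpha: int) -> int:
    """UseHint_q(h, r, alpha): recover HighBits(r + z) from r and the hint bit alone."""
    m = (q - 1) // alpha
    r1, r0 = decompose(r, q, alpha)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

def hint_lemma_holds(q: int, alpha: int, zs=None, step: int = 1) -> bool:
    """Check UseHint(MakeHint(z, r), r) == HighBits(r + z) for r in Z_q (stride `step`)
    and z in zs (default: every z with |z| <= alpha/2)."""
    zs = range(-(alpha // 2), alpha // 2 + 1) if zs is None else zs
    return all(use_hint(make_hint(z, r, q, alpha), r, q, alpha) == high_bits(r + z, q, alpha)
               for r in range(0, q, step) for z in zs)

def verifier_recovers_w1(w_minus_ce: int, ct0: int, q: int, alpha: int) -> bool:
    """Step 15 of signing and step 9 of verification on one coefficient: the signer
    publishes h = MakeHint(-ct0, w - ce + ct0); the verifier only knows
    v = A*z - c*t1*2^d = w - ce + ct0 and must recover w1 = HighBits(w - ce)."""
    v = w_minus_ce + ct0
    h = make_hint(-ct0, v, q, alpha)
    return use_hint(h, v, q, alpha) == high_bits(w_minus_ce, q, alpha)

if __name__ == "__main__":
    Q, G1, G2 = 523777, 130944, 65472            # parameter set-5
    print(hint_lemma_holds(Q, G1, zs=[-G2, -1, 0, 1, G2], step=101))   # True
    print(verifier_recovers_w1(G2, G2, Q, G1))     # True:  |ct0| <= gamma2 is recoverable
    print(verifier_recovers_w1(G2, G2 + 1, Q, G1)) # False: one above gamma2 already breaks it
```

The last line is the reason for the check ‖ct0‖∞ ≥ γ2 in step 16: a coefficient of ct0 outside the hint tolerance can make the verifier reconstruct a different w1, so the signer restarts rather than emit a signature that would not verify.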
If the signer S uses the second working mode, the verifier V performs the following operations:
6) the verifier V maps the random string ρ of length L1 into the matrix A by calling the function ExpandA(); wherein ExpandA() is a mapping function;
7) the verifier V calculates tr := CRH(ρ, t1, aux_tr), wherein the order of linking the input elements in the function CRH may be arbitrary, the output belongs to a fixed set, and aux_tr is a set whose value can be null;
8) the verifier V generates μ := CRH(tr, M), wherein the order of linking the inputs in the function CRH can be arbitrary and the output belongs to a fixed set;
9) the verifier V calculates w'1 := UseHint_{q,κ}(h, Az − c·t1·2^d); wherein UseHint_{q,κ}(h, r) generates a value from r according to the hint bit h ∈ {0,1}; the function is extended to each component of the input vector, so that w'1 can be regarded as a vector;
10) if ‖z‖∞ < γ1 − β1 and c = H(μ, w'1) and h ∈ {0,1}^(k·n) has Hamming weight at most ω, the verifier V sets b := 1, indicating acceptance of the (M, (z, h, c)) pair as a correct message-signature pair; otherwise, it sets b := 0, indicating that the (M, (z, h, c)) pair is considered to be an incorrect message-signature pair;
finally, the verifier V outputs b ∈ {0,1}.
In the above-described signature mechanism, the ExpandA() function maps a random seed ρ ∈ {0,1}^L1 to the NTT representation of a matrix A (the NTT representation form may be arbitrary); the linking order of the input elements can be arbitrary, and generally L1 ≥ 256; for example, the ExpandA() function can be implemented by repeatedly calling the SHAKE-128 function. CRH() is a collision-resistant hash function, the order of linking its input elements can be arbitrary, and it maps {0,1}* to an element of a fixed set; generally L2 ≥ 384; CRH() can, for example, be implemented by calling the SHAKE-256 function. The ExpandMask function maps an input element in {0,1}* to an element y of a fixed set; for example, it is implemented by repeatedly calling the SHAKE-256 function.
In general, λ ≥ 128, n = 256, h = 60; for the other parameters, generally η1, η2 ∈ {1, 2}, β1 ≤ 60·η1, β2 ≤ 60·η2, n = 256, q ≤ 2^20 is a prime number, d satisfies d < log2 q, 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7.
Specifically, the parameters of the method are selected as follows:
Parameter set-1: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 2, β1 ≤ 120, β2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ1 = 244032, γ2 = 122016, k = 3, l = 2, ω ≤ 64;
Parameter set-2: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 2, β1 ≤ 120, β2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ1 = 244032, γ2 = 122016, k = 4, l = 3, ω ≤ 80;
Parameter set-3: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 2, β1 ≤ 120, β2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ1 = 244032, γ2 = 122016, k = 5, l = 4, ω ≤ 96;
Parameter set-4: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 2, β1 ≤ 120, β2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ1 = 244032, γ2 = 122016, k = 6, l = 5, ω ≤ 120;
Parameter set-5: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ1 = 130944, γ2 = 65472, k = 4, l = 3, ω ≤ 80;
Parameter set-6: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ1 = 130944, γ2 = 65472, k = 5, l = 4, ω ≤ 96;
Parameter set-7: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ1 = 130944, γ2 = 65472, k = 6, l = 5, ω ≤ 120;
Parameter set-8: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ1 = 118579, γ2 = 59289, k = 4, l = 3, ω ≤ 80;
Parameter set-9: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ1 = 118579, γ2 = 59289, k = 5, l = 4, ω ≤ 96;
Parameter set-10: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = η2 = 1, β1 ≤ 60, β2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ1 = 118579, γ2 = 59289, k = 6, l = 5, ω ≤ 120;
Parameter set-11: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ1 = 131072, γ2 = 65536, k = 4, l = 3, ω ≤ 80;
Parameter set-12: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ1 = 131072, γ2 = 65536, k = 5, l = 4, ω ≤ 96;
Parameter set-13: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ1 = 131072, γ2 = 65536, k = 6, l = 5, ω ≤ 120;
Parameter set-14: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ1 = 130560, γ2 = 65280, k = 4, l = 3, ω ≤ 80;
Parameter set-15: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ1 = 130560, γ2 = 65280, k = 5, l = 4, ω ≤ 96;
Parameter set-16: λ = 128, n = 256, h = 60, L1 = 256, L2 = 384, η1 = 2, η2 = 1, β1 ≤ 120, β2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ1 = 130560, γ2 = 65280, k = 6, l = 5, ω ≤ 120.
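As an added example (not the patent's own code), a checker that validates the sixteen recommended sets against the constraints stated above: q prime with q ≡ 1 (mod 2n), 2^d < q, 2 ≤ κ ≤ 12, κ < q, k ≥ l, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7, β1 ≤ h·η1, β2 ≤ h·η2, q/κ ≤ 2^18 and q ≤ 2^20. The two γ relations in it, γ1 = ⌊(q−1)/κ⌋ and γ2 = ⌊γ1/2⌋, are not stated in the text; every tabulated set satisfies them, and the checker uses them only as a labelled assumption. The listed β values are taken as the upper bounds they are given as.

```python
# Added example, not part of the patent text: consistency check of the recommended
# parameter sets against the constraints the text states.  The γ1/γ2 relations are an
# ASSUMPTION inferred from the tabulated values, not a rule given in the text.
from math import isqrt

N, H, LAMBDA = 256, 60, 128          # fixed across all sixteen sets

# (q, κ, d, η1, η2, β1, β2, γ1, γ2) shared by a group of sets, then (k, l, ω) per set
_GROUPS = [
    ((1952257, 8, 13, 2, 2, 120, 120, 244032, 122016),
     [(3, 2, 64), (4, 3, 80), (5, 4, 96), (6, 5, 120)]),          # sets 1-4
    ((523777, 4, 12, 1, 1, 60, 60, 130944, 65472),
     [(4, 3, 80), (5, 4, 96), (6, 5, 120)]),                      # sets 5-7
    ((592897, 5, 12, 1, 1, 60, 60, 118579, 59289),
     [(4, 3, 80), (5, 4, 96), (6, 5, 120)]),                      # sets 8-10
    ((786433, 6, 12, 2, 1, 120, 60, 131072, 65536),
     [(4, 3, 80), (5, 4, 96), (6, 5, 120)]),                      # sets 11-13
    ((913921, 7, 12, 2, 1, 120, 60, 130560, 65280),
     [(4, 3, 80), (5, 4, 96), (6, 5, 120)]),                      # sets 14-16
]
FIELDS = ("q", "kappa", "d", "eta1", "eta2", "beta1", "beta2",
          "gamma1", "gamma2", "k", "l", "omega")

def parameter_sets() -> dict:
    """Expand the grouped table into {set_number: {name: value}} for sets 1..16."""
    sets, i = {}, 1
    for shared, per_set in _GROUPS:
        for kl_omega in per_set:
            sets[i] = dict(zip(FIELDS, shared + kl_omega))
            i += 1
    return sets

def is_prime(x: int) -> bool:
    """Deterministic trial division; adequate for q below 2^21."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    return all(x % f for f in range(3, isqrt(x) + 1, 2))

def check_set(p: dict) -> dict:
    """Map each stated constraint (plus the two assumed γ relations) to True/False."""
    q, kappa, d = p["q"], p["kappa"], p["d"]
    return {
        "q prime": is_prime(q),
        "q = 1 mod 2n": q % (2 * N) == 1,
        "2^d < q": (1 << d) < q,                  # Power2Round needs d < log2 q
        "2 <= kappa <= 12": 2 <= kappa <= 12,
        "kappa < q": kappa < q,
        "k >= l": p["k"] >= p["l"],
        "3 <= k <= 8": 3 <= p["k"] <= 8,
        "2 <= l <= 7": 2 <= p["l"] <= 7,
        "beta1 <= h*eta1": p["beta1"] <= H * p["eta1"],
        "beta2 <= h*eta2": p["beta2"] <= H * p["eta2"],
        "q/kappa <= 2^18": q / kappa <= (1 << 18),
        "q <= 2^20": q <= (1 << 20),
        "gamma1 = floor((q-1)/kappa) [assumed]": p["gamma1"] == (q - 1) // kappa,
        "gamma2 = floor(gamma1/2) [assumed]": p["gamma2"] == p["gamma1"] // 2,
    }

def violations(set_number: int) -> list:
    """Names of the constraints the given recommended set fails."""
    return [name for name, ok in check_set(parameter_sets()[set_number]).items() if not ok]

if __name__ == "__main__":
    for i in range(1, 17):
        print(i, violations(i) or "ok")
```

Running it shows that the q of sets 1 to 4 lies above the general q ≤ 2^20 guideline given above, while the q/κ ≤ 2^18 bound and the γ relations hold for all sixteen sets.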
The difficulty and creativity of the parameter selection and testing of the method of the invention: the correctness, security and efficiency (including the running efficiency of the signature algorithm, the running efficiency of the verification algorithm, the size of the signature, the sizes of the public and private keys, and so on) of the method in practical application depend heavily on the selection of specific parameters. Selecting these parameters requires combining a number of factors with programming tests. The difficulty lies in improving the efficiency of the system as much as possible while ensuring its correctness and achieving sufficient security strength.
Specifically, in selecting the recommended parameters, we need to consider the following requirements and objectives:
parameters should be chosen appropriately to ensure the correctness of the signature mechanism;
the recommended parameters should first be selected according to the 128-bit quantum security goal, while trying to ensure the quantum security of the other set of parameters to a desired degree;
the parameters should be chosen such that the expected value of the number of restarts in the signature algorithm is as small as possible, in order to guarantee the efficiency of the signature algorithm;
the appropriate parameters should be chosen so that the sum of the public key size and the signature size is as small as possible.
From the perspective of the parameter values, the system parameters (λ, n, q, κ, k, l, η1, η2, χ1, χ2, β1, β2, γ1, γ2, ω, d, h, L1, L2) should satisfy:
· n = 256, and the prime number q satisfies q ≡ 1 (mod n/2);
· κ < q, k ≥ l;
· χ1 = U(S_η1), χ2 = U(S_η2);
· β1, β2 should take appropriate values so that, for the random variable c ← B_60, Pr[‖c·s‖∞ ≥ β1] ≤ 2^(-128) and Pr[‖c·e‖∞ ≥ β2] ≤ 2^(-128) hold;
· the value of ω cannot be too large, otherwise the signature length is affected; the value of ω cannot be too small, otherwise the average running time of the signature algorithm increases;
· the value of d cannot be too large, otherwise the hardness of the MLWE problem is affected; the value of d cannot be too small, otherwise the size of the public key would increase significantly.
From the viewpoint of efficiency, in the signature system, the size of the public key is
bytes, the size of the private key is
bytes, and the size of the signature is
bytes. The running time of the signature function depends mainly on the expected number of times the two rejection sampling steps are triggered. The probability of a restart can be estimated using the following equation
In particular, the value of the parameter ω affects the size of the signature and the running time of the signature function, and it is difficult to perform an accurate theoretical analysis of the specific value of ω. Therefore, a large number of example tests must be performed through program development to obtain a proper value for ω, so that a proper balance is obtained between the size of the signature and the running time of the signature function.
From the security point of view, the security of the above signature mechanism needs to consider key recovery attacks and (strong) forgery attacks, which can be understood as solving (variants of) the MLWE problem and the MSIS problem (under the infinity norm), respectively; the parameters n, q, k, l, η1, η2 require appropriate values to ensure that the corresponding MLWE problem reaches sufficient quantum security strength; the parameters n, q, k, l, d, κ, η1, η2 require appropriate values to ensure that the corresponding MSIS problem (under the infinity norm) reaches sufficient quantum security strength.
Among them, the MSIS problem (under infinite norm) is less studied, and a special test script needs to be developed to test the corresponding quantum security strength. In addition, because the constraint conditions corresponding to different dimensions in the corresponding (under infinite norm) MSIS problem are very different, the quantum security strength of the corresponding (under infinite norm) MSIS problem has two evaluation modes of symmetry and asymmetry.
The existing mainstream method for evaluating the complexity of the SIS problem with the infinite norm is to use a Core-SVP model to equate the complexity of the SIS problem with the infinite norm to the complexity of the corresponding Core-SVP problem. Then, a plurality of short vectors are solved by using a commonly used lattice reduction algorithm, namely a BKZ algorithm. However, these short vectors are obtained for the euclidean norm. Unfortunately, the shortest vector under the euclidean norm is likely not to be the "short" vector under the infinite norm. Based on the method, an improved algorithm is utilized to measure the complexity of the SIS problem under an infinite norm on the basis of the BKZ algorithm. Specifically, a sub-lattice is first selected from a given lattice by projection, and then the length sequence of the orthogonalized basis corresponding to the basis output by the BKZ algorithm is estimated in the sub-lattice. And sequentially dividing the vectors in the base into three types according to the length sequence of the orthogonalized base, and respectively estimating the number of the three types of vectors. And "short vectors" under an infinite norm belong to the second class thereof. Any vector is chosen, and the length of the vector is assumed to conform to a certain form of distribution on the three types of projection, so as to estimate the probability p that the vector conforms to the infinite norm requirement. And finally, optimizing the target function by means of exhausting the dimension of the sub-lattices and the dimension of the SVP-oracle in the BKZ algorithm, thereby achieving the purpose of complexity estimation.
However, this complexity measure of the infinite norm SIS problem has some important drawbacks. Firstly, the correctness of the measuring method is based on two assumptions, namely that the output result of the BKZ algorithm conforms to an expected statistical rule, and the projection length of an arbitrary vector on the orthogonalization base dimension of the BKZ algorithm output base conforms to an expected probability distribution. The correctness of these two hypotheses needs to be checked. Secondly, when the bound parameter in the SIS problem of infinite norm is reduced to a certain degree, the output result of the measuring method has little change or changes too severely without practical reference value. Therefore, the rationality of this method is problematic and the application is very limited.
In order to overcome this difficulty and to reflect more accurately how the hardness of the infinity norm SIS problem changes with the bound parameter, a new complexity measuring method is provided that combines the latest complexity results on the SVP problem under the infinity norm; the output of this method increases continuously as the bound parameter decreases, which agrees with what is expected of the hardness of the infinity norm SIS problem. In general, we try to perfect the complexity measure of the problem by analyzing and improving the defects of the existing complexity measure of the infinity norm SIS problem, and provide a more reasonable evaluation method with reference value.
Briefly, our test method analyzes the concrete hardness of the SIS∞ problem under the Core-SVP model by calling the BKZ algorithm, and gives the classical and quantum attack complexity. For the Ring-SIS∞/Module-SIS∞ problems, whose instances can be transformed into corresponding instances of the SIS∞ problem, it likewise gives the classical and quantum attack complexity under the Core-SVP model by invoking the BKZ algorithm. This work provides technical tools and means for the hardness evaluation of the lattice digital signature scheme.
For the Ring-SIS∞ and Module-SIS∞ problems, so far no attack algorithm can fully exploit these additional algebraic structures to increase the efficiency of the attack. Thus, for the Ring-SIS∞ and Module-SIS∞ problems, we equate them to the SIS∞ problem of the corresponding dimension, equating their complexity to the complexity of the SIS∞ problem of the corresponding dimension. Therefore, the test method is suitable for testing lattice-based cryptographic algorithms based on the SIS∞/Ring-SIS∞/Module-SIS∞ problems.
Our SIS∞ problem complexity estimation method reduces the SIS∞ problem to a lattice reduction problem, then analyzes the constraints under which the solution returned by lattice reduction satisfies the requirements of the SIS∞ problem, and analyzes within this range how to optimize the defined objective function.
a. First, the SIS∞ problem is solved by solving a lattice reduction problem on the lattice Λ = {x | Ax ≡ 0 mod q}.
b. Secondly, the problem is understood as an optimization problem with respect to the block size of the BKZ algorithm. By calling the BKZ algorithm to solve the lattice reduction problem, the algorithm outputs an equivalent basis containing several short vectors, from which the probability that the projection of each dimension of the vector accessed by the SVP oracle under that basis meets the constraint condition is analyzed. The objective function of the optimization problem is the quotient of the running time of the BKZ algorithm and this probability.
c. The BKZ block size that optimizes the objective function, and the optimal value of the objective function, are determined by exhaustive search within the set of feasible solutions.
d. In particular, there are two different implementations of the SVP oracle invoked in the BKZ algorithm, resulting in two similar objective functions and two extrema at optimization. We define the complexity of the SIS∞ problem as the smaller of the two optimal extrema obtained when the two objective functions are optimized separately.
In general, the problem of SIS based on infinite norm is more difficult than SIS based on euclidean norm, because a short vector under infinite norm can be understood as a short vector under euclidean norm, but the opposite is not necessarily true. More specifically, the SIS problem under the infinite norm puts forward a plurality of independent constraint conditions for the target vector; and the SIS problem under the Euclidean norm only puts forward a constraint condition to the target vector.
Since the BKZ algorithm is only valid for Euclidean lattices, we cannot directly convert the SIS problem under each infinite norm to the corresponding Core-SVP problem. However, we can use the BKZ algorithm to compute a solution to estimate the specific difficulty of solving an infinite norm SIS problem. It should be noted that this estimation process is conservative.
In the SIS problem under the infinity norm, given a matrix A and a norm bound β, one is required to find a non-zero short vector x such that Ax ≡ 0 (mod q) and ‖x‖∞ ≤ β. We can first narrow the search range from m dimensions to w dimensions, looking for a suitable vector in w dimensions and setting the remaining m − w coordinates to 0. We then search in the specified w dimensions to determine the probability of finding a suitable solution. Once the block size b of the BKZ algorithm is fixed, we estimate, under a heuristic assumption, the probability that the solution returned by the BKZ algorithm satisfies the condition. We define the objective function as T/p, where T is the running time of the BKZ algorithm with block size b, and p is the probability that the solution returned by the BKZ algorithm under the current condition satisfies the condition. By exhaustive search we determine the (w, b) value that optimizes the objective function, denoted (w*, b*). Finally, we define the hardness of the infinity norm SIS problem instance as the running time of the BKZ algorithm corresponding to the value (w*, b*).
In addition, the (M)SIS problem corresponding to the signature mechanism in the present invention has a certain specificity, namely asymmetry. Specifically, in this SIS problem, the parameters q, m, n, m1, m2, β1, β2 and a random matrix A are given, and one is required to find and output a non-zero vector x = (x1, x2) such that the constraints Ax ≡ 0 (mod q), 0 < ‖x1‖ ≤ β1 and 0 < ‖x2‖ ≤ β2 hold at the same time. The definition of the problem reflects the asymmetry of the parameters, and in the existing system of attack methods, with the other parameters unchanged, the hardness of the asymmetric instance lies between the hardness of the two corresponding symmetric instances. Thus, by estimating the influence of the parameters β1, β2 on the hardness of the problem with the method for evaluating the hardness of symmetric instances, a more accurate estimate of the hardness of the asymmetric instance can be obtained.
All this represents the difficulty of selecting parameters and the importance of the above invention.