CN113541952A - Digital signature method based on lattice - Google Patents


Info

Publication number
CN113541952A
Authority
CN
China
Prior art keywords
function
signer
input
mod
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010304930.1A
Other languages
Chinese (zh)
Other versions
CN113541952B (en
Inventor
赵运磊
黄兴忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fudan University
Original Assignee
Shanghai Humin Blockchain Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Humin Blockchain Technology Co ltd
Priority to CN202010304930.1A
Publication of CN113541952A
Application granted
Publication of CN113541952B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Physics & Mathematics
  • Electromagnetism
  • Theoretical Computer Science
  • Mobile Radio Communication Systems
  • Complex Calculations

Abstract

A digital signature method based on lattices. The signer's private key is sk = (ρ, K, tr, s, e, t_0) and its public key is pk = (ρ, t_1); the message to be signed is M ∈ {0,1}^*. For M ∈ {0,1}^*, the signer computes a legal signature σ = (z, h, c) of M using its private key sk; the verifier holds the signer's public key pk = (ρ, t_1), takes a given message/signature pair (M, σ), and outputs 1 if and only if it accepts (M, σ) as legitimate. The parameters of the method were selected through program design, in-depth mathematical analysis and a large number of program tests, to obtain the best balance between efficiency and security while satisfying the correctness of the digital signature mechanism.

Description

Digital signature method based on lattice
Technical Field
The invention relates to cryptographic technology, in particular to a lattice-based digital signature method.
Background
IBM engineers predict that quantum computers will be used on a large scale in the next twenty years. Once quantum computers are manufactured on a large scale, most public key cryptosystems based on discrete logarithm, elliptic curve discrete logarithm or large integer factorization will be broken. Therefore, no matter whether the arrival time of the quantum computing era can be accurately predicted or not, the current information security system needs to be improved to the quantum resistant level.
Lattice cryptography is one of the main mathematical approaches currently used to resist quantum attacks. In cryptography, the LWE (Learning With Errors) problem and the SIS (Short Integer Solution) problem have proven to be more versatile than the other classical lattice hard problems (e.g. SVP and CVP).
Each string or value α represents a binary value, and α‖β represents the concatenation of two binary strings α, β ∈ {0,1}^*; for any real number x,
Figure BDA0002455400760000011
represents the largest integer less than or equal to x,
Figure BDA0002455400760000012
represents the smallest integer greater than or equal to x,
Figure BDA0002455400760000013
when α is a positive even number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 < r' ≤ α/2, r' ≡ r (mod α); when α is a positive odd number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 ≤ r' ≤ α/2, r' ≡ r (mod α); when α is a positive integer, for any integer r, r' = r mod+ α is defined as the unique integer r' satisfying 0 ≤ r' ≤ α − 1, r' ≡ r (mod α); when the representation of the remainder r' is unimportant, it is simply written r mod α.
If S is a finite set, then |S| represents its cardinality and x ← S represents choosing an element of S uniformly at random; the symbol U(S) represents the uniform distribution over a finite set S; if D represents a probability distribution, x ← D represents selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, then x ← α represents a simple assignment, also written x := α; if A is a probabilistic algorithm, then A(x_1, x_2, …; r) denotes the result of running A on input x_1, x_2, … with random seed r; we use y ← A(x_1, x_2, …; r) to denote choosing r at random and letting y be the result A(x_1, x_2, …; r); Pr[R_1; …; R_n : E] represents the probability that event E occurs after the sequence of random processes R_1, …, R_n; if for any c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c, then the function f(λ) is negligible; define the ring
Figure BDA0002455400760000021
where
Figure BDA0002455400760000022
is the m-th cyclotomic polynomial; the elements of R_q are n-dimensional polynomials of the form a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, where n is a positive integer; the positive integers k and l are the dimensions of the matrix samples,
Figure BDA0002455400760000023
is a matrix of dimension k × l, each element of which is an n-dimensional polynomial of the ring R_q; for a function whose input is a vector, the operation is applied separately to each dimension of the vector.
For elements
Figure BDA0002455400760000024
define ‖w‖∞ as |w mod± q|; for the element w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q or the vector
Figure BDA0002455400760000025
define
Figure BDA0002455400760000026
For w = (w_1, w_2, …, w_k) ∈ R^k, define
Figure BDA0002455400760000027
Define the set S_η as the set of all elements w ∈ R with ‖w‖∞ ≤ η, S_η = {w ∈ R | ‖w‖∞ ≤ η}; define the set B_60 as
Figure BDA0002455400760000028
For a binary vector h = (h_i), define the Hamming distance as |h|_1 = Σ h_i.
For each element a ∈ R_q, its NTT representation is the result of applying the forward NTT transform to a; for example, when the prime q satisfies q ≡ 1 (mod 2n), let r be an element of the multiplicative cyclic group
Figure BDA00024554007600000223
of order 2n; for any
Figure BDA00024554007600000224
let the vector
Figure BDA00024554007600000225
be the NTT representation of a. For a function whose input is a vector over R_q, the NTT operation is applied separately to each R_q polynomial.
For a positive real number σ > 0 and x ∈ ℝ, define the Gaussian function
Figure BDA0002455400760000029
Let
Figure BDA00024554007600000210
denote the one-dimensional discrete Gaussian distribution over
Figure BDA00024554007600000211
which is determined by the probability density function
Figure BDA00024554007600000212
. Let
Figure BDA00024554007600000213
denote the n-dimensional spherical discrete Gaussian distribution over
Figure BDA00024554007600000214
in which each coordinate is independently distributed according to
Figure BDA00024554007600000215
Given positive integers n and q that are polynomial in the security parameter λ, and given an integer vector
Figure BDA00024554007600000216
and a probability distribution χ defined over
Figure BDA00024554007600000217
, choose uniformly at random
Figure BDA00024554007600000218
and noise e ← χ; let A_{q,s,χ} be the distribution over
Figure BDA00024554007600000219
that outputs
Figure BDA00024554007600000220
The noise distribution χ is usually taken to be the discrete Gaussian distribution
Figure BDA00024554007600000221
But other distributions may be used.
Under the decisional LWE assumption, for a sufficiently large security parameter λ, no probabilistic polynomial-time algorithm can distinguish with non-negligible probability between A_{q,s,χ} and
Figure BDA00024554007600000222
the uniform distribution. This holds even if the adversary sees polynomially many samples, and even when the secret vector s is chosen at random from χ^n.
The MLWE problem is a variant of the LWE problem. A sample from the MLWE distribution has the form
Figure BDA0002455400760000031
Choose at random from the ring
Figure BDA0002455400760000032
and compute t = As + e, where
Figure BDA0002455400760000033
Figure BDA0002455400760000034
Figure BDA0002455400760000035
and
Figure BDA0002455400760000036
are two probability distributions, with distribution parameters η_1 and η_2 respectively; the distributions may be the same or different; by default
Figure BDA0002455400760000037
is the uniform distribution over the set
Figure BDA0002455400760000038
, and
Figure BDA0002455400760000039
is the uniform distribution over the set
Figure BDA00024554007600000310
. The MLWE problem is to recover (s, e) from polynomially many samples from the MLWE distribution.
In particular, for an adversary A, define
Figure BDA00024554007600000311
If there is no algorithm A with running time at most t and advantage greater than ε, we say that the
Figure BDA00024554007600000312
hardness assumption holds.
The SIS problem can likewise be defined over standard lattices, under the Euclidean norm
Figure BDA00024554007600000313
and the infinity norm
Figure BDA00024554007600000314
; here m and n are positive integers, q is a modulus and β is a threshold parameter. Given the parameters (q, m, n, β),
Figure BDA00024554007600000315
requires finding a non-zero vector
Figure BDA00024554007600000316
satisfying Ax ≡ 0 (mod q), ‖x‖_2 ≤ β, and
Figure BDA00024554007600000317
requires finding a non-zero vector
Figure BDA00024554007600000318
satisfying Ax ≡ 0 (mod q), ‖x‖∞ ≤ β.
Similarly, the MSIS problem can be defined under the Euclidean norm and the infinity norm, with parameters (q, k, l, β), where k and l are positive integers, q is a modulus and β is a threshold parameter; given the parameters (q, k, l, β),
Figure BDA00024554007600000319
requires finding a non-zero vector
Figure BDA00024554007600000320
satisfying Ax ≡ 0 (mod q), ‖x‖_2 ≤ β, and
Figure BDA00024554007600000321
requires finding a non-zero vector
Figure BDA00024554007600000322
satisfying Ax ≡ 0 (mod q), ‖x‖∞ ≤ β. For any adversary A, define
Figure BDA00024554007600000323
If there is no algorithm A with running time at most t and advantage greater than ε, we say that the
Figure BDA00024554007600000324
hardness assumption holds.
Based on the hardness of the MLWE problem and the MSIS problem (under the infinity norm), a lattice-based digital signature mechanism can be constructed. A digital signature mechanism is given by a triple of algorithms (Gen, Sign, Verify); for any
Figure BDA00024554007600000325
we have
1) Gen: the key generation algorithm is a probabilistic polynomial-time algorithm that takes 1^λ as input and outputs a pair of strings (pk, sk), called the public key and the private key respectively; this process is written (pk, sk) ← Gen(1^λ);
2) Sign: the signing algorithm is a probabilistic polynomial-time algorithm that, for any message M ∈ {0,1}^* to be signed, uses the private key sk as a parameter to compute a signature σ corresponding to M; this process is written σ ← Sign_sk(M);
3) Verify: the verification algorithm is a deterministic polynomial-time algorithm that uses the public key pk as a parameter and returns b ∈ {0,1} for any message/signature pair (M, σ); this process is written b := Verify_pk(M, σ).
If, for any
Figure BDA0002455400760000045
and for every public/private key pair (pk, sk) generated by Gen(1^λ), for any message M ∈ {0,1}^* to be signed and any σ ← Sign_sk(M) we have Verify_pk(M, σ) = 1, the digital signature mechanism is said to be correct.
A DKC (deterministic key consensus) method DKC = (params, Con, Rec) consists of the following three parts:
• params = (q, κ, g, δ, aux) represents the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux represents a set of other values determined by (q, κ, g, δ), null by default;
• (k_1, v) ← Con(σ_1, params), where Con(·) is a deterministic polynomial-time function whose input is (
Figure BDA0002455400760000041
, params) and whose output is (k_1, v), where
Figure BDA0002455400760000042
• k_2 ← Rec(σ_2, v, params), where Rec(·) is a deterministic polynomial-time function whose input is (σ_2, v, params) and whose output is
Figure BDA0002455400760000043
When params can be determined from the context, it is omitted by default for ease of description.
The DKC methods used all meet the correctness requirement, i.e., for any
Figure BDA0002455400760000044
when |σ_1 − σ_2| ≤ δ, it must hold that k_1 = k_2; a most preferred embodiment of the DKC method, DKCN = (params, Con, Rec), for κ ≥ 2, g ≥ 2 and 2κδ < q, is shown in FIG. 1.
On the basis of the optimal example DKCN, four functions HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() can be defined, which are used to ensure the correctness of the signature method. The four functions are defined as shown in FIG. 2.
Disclosure of Invention
A first aspect of the present invention provides a lattice-based digital signature method, in which each string or value α represents a binary value, and α‖β represents the concatenation of two binary strings α, β ∈ {0,1}^*; for any real number x,
Figure BDA0002455400760000051
represents the largest integer less than or equal to x,
Figure BDA0002455400760000052
represents the smallest integer greater than or equal to x,
Figure BDA0002455400760000053
when α is a positive even number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 < r' ≤ α/2, r' ≡ r (mod α); when α is a positive odd number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 ≤ r' ≤ α/2, r' ≡ r (mod α); when α is a positive integer, for any integer r, r' = r mod+ α is defined as the unique integer r' satisfying 0 ≤ r' ≤ α − 1, r' ≡ r (mod α); when the concrete representation of the remainder r' is unimportant, it is simply written r mod α;
if S is a finite set, then |S| represents its cardinality and x ← S represents choosing an element of S uniformly at random; the symbol U(S) represents the uniform distribution over a finite set S; if D represents a probability distribution, x ← D represents selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, then x ← α represents a simple assignment, also written x := α; if A is a probabilistic algorithm, then A(x_1, x_2, …; r) denotes the result of running A on input x_1, x_2, … with random seed r; we use y ← A(x_1, x_2, …; r) to denote choosing r at random and letting y be the result A(x_1, x_2, …; r); Pr[R_1; …; R_n : E] represents the probability that event E occurs after the sequence of random processes R_1, …, R_n; if for any c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c, then the function f(λ) is negligible; define the ring
Figure BDA0002455400760000054
where
Figure BDA0002455400760000055
is the m-th cyclotomic polynomial; the elements of R_q are n-dimensional polynomials of the form a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, where n is a positive integer; the positive integers k and l are the dimensions of the matrix samples,
Figure BDA0002455400760000056
is a matrix of dimension k × l, each element of which is an n-dimensional polynomial of the ring R_q; for a function whose input is a vector, the operation is applied to each dimension of the vector;
for elements
Figure BDA0002455400760000057
define ‖w‖∞ as ‖w mod± q‖; for the element w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q, define
Figure BDA0002455400760000058
For w = (w_1, w_2, …, w_k) ∈ R^k, define
Figure BDA0002455400760000059
When the positive integer η is fixed, define the set S_η as the set of all elements w ∈ R with ‖w‖∞ ≤ η, S_η = {w ∈ R | ‖w‖∞ ≤ η}; for any positive integer h, define the set B_h as
Figure BDA0002455400760000061
For a binary vector h = (h_i), define the Hamming distance as |h|_1 = Σ h_i.
A sample from the MLWE distribution has the form
Figure BDA0002455400760000062
The MLWE problem is to recover the secret value (s, e) from polynomially many samples from the MLWE distribution; specifically, choose at random from the ring
Figure BDA0002455400760000063
and compute t = As + e, where
Figure BDA0002455400760000064
and
Figure BDA0002455400760000065
are two probability distributions, with distribution parameters η_1 and η_2 respectively; the distributions may be the same or different; by default
Figure BDA0002455400760000066
is the uniform distribution over the set
Figure BDA0002455400760000067
, and
Figure BDA0002455400760000068
is the uniform distribution over the set
Figure BDA0002455400760000069
; for an adversary A, define
Figure BDA00024554007600000610
If there is no algorithm A with running time at most τ and advantage greater than ε, we say that the
Figure BDA00024554007600000611
hardness assumption holds, where τ is polynomial in n and ε is a negligible function of n;
a DKC (deterministic key consensus) method DKC = (params, Con, Rec) consists of the following three parts:
• params = (q, κ, g, δ, aux) represents the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux represents a set of other values determined by (q, κ, g, δ), null by default;
• (k_1, v) ← Con(σ_1, params), where Con(·) is a deterministic polynomial-time function whose input is (
Figure BDA00024554007600000612
, params) and whose output is (k_1, v), where
Figure BDA00024554007600000613
• k_2 ← Rec(σ_2, v, params), where Rec(·) is a deterministic polynomial-time function whose input is (σ_2, v, params) and whose output is
Figure BDA00024554007600000614
When params can be determined from the context, it is omitted by default for simplicity of description;
the DKC methods used all meet the correctness requirements, i.e., for any
Figure BDA00024554007600000615
when |σ_1 − σ_2| ≤ δ, it must hold that k_1 = k_2.
The method comprises the following steps:
the system parameters required to generate the signature include (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2); where the positive integer λ is the security parameter, the positive integer n is a power of 2, q ≥ 2 is a prime satisfying q ≡ 1 (mod n/2), the positive integer κ satisfies 2 ≤ κ ≤ 12, χ_1, χ_2 are two identical or different noise distributions, k and l are positive integers polynomial in λ, d is a positive integer, the threshold parameters β_1, β_2, γ_1, γ_2 are all positive integers, ω is a positive integer, β_1, β_2 are positive integers with β_1 ≤ h·η_1 and β_2 ≤ h·η_2, h is a positive integer, the parameters γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ, and the parameters L_1, L_2 are positive integers;
Generation of the public and private keys: the signer performs the following operations in turn:
1) the signer obtains random seeds by sampling
Figure BDA0002455400760000077
and/or
Figure BDA0002455400760000078
2) the signer obtains by random sampling
Figure BDA0002455400760000071
3) the signer maps the random seed of bit length L_1, by calling the function ExpandA(), into the matrix A in
Figure BDA0002455400760000072
; ExpandA() is a mapping function;
4) the signer computes
Figure BDA0002455400760000073
and calls the function Power2Round_q(t, d) to generate (t_1, t_0); where t_1,
Figure BDA0002455400760000074
5) the signer computes tr := CRH(ρ, t_1, aux_tr), where
Figure BDA0002455400760000075
; the inputs of the function CRH may be concatenated in any order, and aux_tr is a set whose value may be null;
6) the signer finally outputs (pk, sk), where pk = (ρ, t_1) is the signer's public key and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the signer's private key;
the signer sends the public key pk to the verifier;
The signature method comprises the following steps: the signer holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and the message M ∈ {0,1}^* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in sequence. First, the signer maps the random string of length L_1,
Figure BDA0002455400760000079
by calling the function ExpandA(), into the matrix A in
Figure BDA0002455400760000076
, where ExpandA() is a mapping function; the signer then generates, by calling μ := CRH(tr, M),
Figure BDA00024554007600000710
, where the input order of the CRH() function may be adjusted arbitrarily and the output element belongs to the set
Figure BDA00024554007600000711
; the signer then obtains the random seed of the signature method
Figure BDA00024554007600000712
, where ρ' is generated either by calling
Figure BDA00024554007600000713
completely at random, or deterministically by computing CRH(K, μ); finally, the signer sets ctr := 0 and (z, h) := ⊥ to complete the initialization of the loop body; the signer then enters a loop until a signature satisfying (z, h) ≠ ⊥ is found; specifically, in each round of the loop the signer works in one of two modes:
the first working mode is as follows:
1) the signer first generates the random element of the current round
Figure BDA0002455400760000081
by calling y := ExpandMask(ρ', ctr), where the ExpandMask() function outputs an element of the set
Figure BDA0002455400760000082
;
2) the signer computes
Figure BDA0002455400760000083
and
Figure BDA0002455400760000084
, where HighBits_q(r, γ_1) outputs
Figure BDA0002455400760000085
, which is part of the information of
Figure BDA0002455400760000086
; the function can be extended to act on each coefficient of
Figure BDA0002455400760000087
;
Figure BDA0002455400760000088
can be regarded as a vector element of
Figure BDA0002455400760000089
;
3) the signer calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is a subset of R,
Figure BDA00024554007600000810
; H(·) is a function whose input variables may be given in any order, and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
4) the signer computes z := y + cs, where
Figure BDA00024554007600000811
5) the signer computes (r_1, r_0) := Decompose_q(w − ce, γ_1), where the function call (r_1, r_0) := Decompose_q(r, γ_1) decomposes the input
Figure BDA00024554007600000812
into
Figure BDA00024554007600000813
and
Figure BDA00024554007600000814
; the function can be extended to act on each coefficient of
Figure BDA00024554007600000815
;
6) if ‖z‖∞ ≥ γ_1 − β_1 or ‖r_0‖∞ ≥ γ_2 − β_2 or r_1 ≠ w_1, the current round ends directly, ctr := ctr + 1 is set, and the next round begins;
7) the signer computes h := MakeHint_q(−ct_0, w − ce + ct_0, γ_1); where the input elements of the function MakeHint_q(z, r, γ_1) satisfy
Figure BDA00024554007600000816
and the output values belong to the set {0,1}; the function can be extended to act on each coefficient of
Figure BDA00024554007600000817
; h corresponds to an element of {0,1}^{k·n};
8) if ‖ct_0‖∞ ≥ γ_2 or the Hamming distance of h ∈ {0,1}^{k·n} is larger than the parameter ω, the current round ends directly, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in the current round is a signature meeting the requirements;
the signer sends the (z, h, c) value generated in the last round, together with the message M ∈ {0,1}^*, to the verifier;
The second working mode is based on DKCN and works as follows:
1) the signer first generates the random element of the current round
Figure BDA00024554007600000821
by calling y := ExpandMask(ρ', ctr), where the input elements of the ExpandMask() function may be given in any order and the output element belongs to the set
Figure BDA00024554007600000818
2) the signer computes
Figure BDA00024554007600000819
and
Figure BDA00024554007600000820
, where HighBits_{q,κ}(r) outputs
Figure BDA0002455400760000091
, which is part of the information of
Figure BDA0002455400760000092
; the function can be extended to act on each coefficient of
Figure BDA0002455400760000093
;
Figure BDA0002455400760000094
can be regarded as a vector element of
Figure BDA0002455400760000095
;
3) the signer calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is a subset of R,
Figure BDA0002455400760000096
; H(·) is a function whose input variables may be given in any order, and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
4) the signer computes z := y + cs, where
Figure BDA0002455400760000097
5) the signer computes (r_1, r_0) := Con(w − ce), where the function call (r_1, r_0) := Con(r) decomposes the input
Figure BDA0002455400760000098
into
Figure BDA0002455400760000099
and
Figure BDA00024554007600000910
; the function can be extended to act on each coefficient of
Figure BDA00024554007600000911
;
6) if ‖z‖∞ ≥ γ_1 − β_1 or ‖r_0‖∞ ≥ q/2 − κ·β_2 or r_1 ≠ w_1, the current round ends directly, ctr := ctr + 1 is set, and the next round begins;
7) the signer computes h := MakeHint_{q,κ}(−ct_0, w − ce + ct_0); where the input elements of the function MakeHint_{q,κ}(z, r) satisfy
Figure BDA00024554007600000912
and the output values belong to the set {0,1}; the function can be extended to act on each coefficient of
Figure BDA00024554007600000913
; h corresponds to an element of {0,1}^{k·n};
8) if ‖ct_0‖∞ ≥ γ_2 or the Hamming distance of h ∈ {0,1}^{k·n} is larger than the parameter ω, the current round ends directly, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in the current round is a signature meeting the requirements;
the signer sends the (z, h, c) value generated in the last round, together with the message M ∈ {0,1}^*, to the verifier;
The verification method comprises the following steps: the verifier receives the pair (M, (z, h, c)) (where M ∈ {0,1}^*,
Figure BDA00024554007600000914
, h ∈ {0,1}^{k·n}, c ∈ B_h) and performs the verification operation using the public key pk = (ρ, t_1); if the signer used the first working mode, the verifier performs the following operations:
1) the verifier maps the random string of length L_1,
Figure BDA00024554007600000915
by calling the function ExpandA(), into the matrix A in
Figure BDA00024554007600000916
; ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where
Figure BDA00024554007600000917
; the inputs of the function CRH may be concatenated in any order, and aux_tr is a set whose value may be null;
3) the verifier generates μ by calling μ := CRH(tr, M); where the inputs of CRH() may be concatenated in any order, and the output element belongs to the set
Figure BDA0002455400760000101
4) the verifier computes w'_1 := UseHint_q(h, Az − ct_1·2^d, γ_1); where UseHint_q(h, r, γ_1) generates, from
Figure BDA0002455400760000102
and h ∈ {0,1}, a
Figure BDA0002455400760000103
value
Figure BDA0002455400760000104
; the function is extended to each component of the input vector;
Figure BDA0002455400760000105
can be regarded as a vector in
Figure BDA0002455400760000106
;
5) if ‖z‖∞ < γ_1 − β_1 and c = H(μ, w'_1) and the Hamming distance of h ∈ {0,1}^{k·n} is at most the parameter ω, set b := 1, indicating that the pair (M, (z, h, c)) is accepted as a correct message/signature pair; otherwise set b := 0, indicating that the pair (M, (z, h, c)) is regarded as an incorrect message/signature pair;
finally, the verifier outputs b ∈ {0,1};
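The hint mechanism of steps 5, 7 and 8 of the signing method and step 4 of the verification method, written out coefficient-wise as an added example (not code from the patent). Power2Round, Decompose/HighBits/LowBits, MakeHint and UseHint follow the CRYSTALS-Dilithium definitions, on the assumption that the patent's FIG. 2, which is not reproduced here, matches them; the values of q, d and the rounding range are constructed, not taken from the page.

```python
import random

# Constructed parameters (the page fixes no numeric values here):
# Dilithium's prime and its "Dilithium2" rounding range, so the
# arithmetic is realistic and (Q - 1) / ALPHA is an exact integer.
Q = 8380417                # q = 2^23 - 2^13 + 1, prime
D = 13                     # low-order bits dropped from t by Power2Round
GAMMA2 = (Q - 1) // 88     # low-order rounding range
ALPHA = 2 * GAMMA2         # Decompose step; (Q - 1) / ALPHA = 44


def mod_plus(r, a):
    """r mod+ a: the representative in [0, a-1] (the page's mod+)."""
    return r % a


def mod_pm(r, a):
    """r mod± a: the centred representative, in (-a/2, a/2] for even a."""
    r = r % a
    return r - a if r > a // 2 else r


def power2round(r, d=D):
    """Split r in Z_q into (r1, r0) with r = r1 * 2^d + r0 and |r0| <= 2^(d-1)."""
    r = mod_plus(r, Q)
    r0 = mod_pm(r, 1 << d)
    return (r - r0) >> d, r0


def decompose(r, alpha=ALPHA):
    """(r1, r0) with r = r1 * alpha + r0 (mod q); the q-1 edge is folded into r1 = 0."""
    r = mod_plus(r, Q)
    r0 = mod_pm(r, alpha)
    if r - r0 == Q - 1:        # top edge: q-1 is treated as 0 * alpha + (-1)
        return 0, r0 - 1
    return (r - r0) // alpha, r0


def highbits(r, alpha=ALPHA):
    return decompose(r, alpha)[0]


def lowbits(r, alpha=ALPHA):
    return decompose(r, alpha)[1]


def makehint(z, r, alpha=ALPHA):
    """Signer side: 1 iff adding the small value z to r changes the high bits."""
    return int(highbits(r, alpha) != highbits(r + z, alpha))


def usehint(h, r, alpha=ALPHA):
    """Verifier side: recover HighBits(r + z) from r and the one-bit hint alone."""
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 1:
        return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m
    return r1


# Vector versions: as the page says, each function extends coefficient-wise.
def makehint_vec(z, r, alpha=ALPHA):
    return [makehint(zi, ri, alpha) for zi, ri in zip(z, r)]


def usehint_vec(h, r, alpha=ALPHA):
    return [usehint(hi, ri, alpha) for hi, ri in zip(h, r)]


def hint_weight(h):
    """|h|_1, the Hamming weight the signer must keep at most omega (step 8)."""
    return sum(h)


def hint_roundtrip_ok(z, r, alpha=ALPHA):
    """UseHint(MakeHint(z, r), r) == HighBits(r + z) whenever every |z_i| <= alpha/2;
    with z = -c*t0 and r = w - c*e + c*t0 this is exactly what lets the verifier
    rebuild w1 from Az - c*t1*2^d without knowing t0."""
    assert all(abs(zi) <= alpha // 2 for zi in z)
    h = makehint_vec(z, r, alpha)
    want = [highbits(ri + zi, alpha) for zi, ri in zip(z, r)]
    return usehint_vec(h, r, alpha) == want


def random_roundtrip_check(trials=2000, seed=1):
    """Random sweep over r in Z_q and |z| <= alpha/2, which also hits the q-1 edge."""
    rng = random.Random(seed)
    for _ in range(trials):
        r = [rng.randrange(Q) for _ in range(8)]
        z = [rng.randint(-ALPHA // 2, ALPHA // 2) for _ in range(8)]
        if not hint_roundtrip_ok(z, r):
            return False
    return True
```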
if the signer used the second working mode, the verifier performs the following operations:
1) the verifier maps the random string of length L_1,
Figure BDA0002455400760000107
by calling the function ExpandA(), into the matrix A in
Figure BDA0002455400760000108
; ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where
Figure BDA0002455400760000109
; the inputs of the function CRH may be concatenated in any order, and the output element belongs to the set
Figure BDA00024554007600001010
; aux_tr is a set whose value may be null;
3) the verifier generates, by calling μ := CRH(tr, M),
Figure BDA00024554007600001011
, where the inputs of the function CRH may be concatenated in any order, and the output element belongs to the set
Figure BDA00024554007600001012
4) The verifier calculates w'1:=UseHintq,κ(h,Az-ct1·2d) (ii) a Wherein UseHintq,κ(h, r) according to
Figure BDA00024554007600001013
h e {0,1}, to generate a
Figure BDA00024554007600001014
Value of
Figure BDA00024554007600001015
The function is defined to be extensible to each component of the input vector;
Figure BDA00024554007600001016
can be regarded as
Figure BDA00024554007600001017
The vector of (1);
5) if | z |<γ11And c ═ H (μ, w'1) And h is e {0,1}k·nB ═ 1 indicates acceptance of the (M, (z, h, c)) pair as a correct information signature pair; otherwise, set b: ═ 0 indicates that the (M, (z, h, c)) pair is considered to be an incorrect information signature pair;
finally, the signer output b ∈ {0,1 }.
A second aspect of the present invention is based on the first aspect, wherein:
· the ExpandA() function maps a random seed ρ ∈ {0,1}^{L_1} to the NTT representation of the matrix A; the NTT representation of each element is the result of applying the forward NTT to that element;
· CRH() is a collision-resistant hash function whose input elements may be concatenated in any order; it maps an element of {0,1}^* to an element of its output set;
· the ExpandMask function maps an input element of {0,1}^* to the masking element y; the input elements of the function may be concatenated in any order;
· a most preferred concrete instance (params, Con, Rec) of the DKC mechanism can be constructed when κ ≥ 2, g ≥ 2 and 2·κ·δ < q, where:
· params: [formula image];
· on input (σ_1, params), with σ_1 an integer modulo q, the function Con operates as follows: first compute v := κ·σ_1 mod± q; if κ·σ_1 − v = κ·q, set k_1 := 0, otherwise set k_1 := (κ·σ_1 − v)/q; finally return (k_1, v);
· on input (σ_2, v, params), with σ_2 an integer modulo q, the function Rec operates as follows: compute k_2 according to [formula image]; the function returns k_2.
A third aspect of the present invention is based on the second aspect, wherein the function Power2Round_q() is defined as follows:
· on input (r, d), with r an integer modulo q and d < log_2 q, the function Power2Round_q() performs the following: first compute r := r mod+ q; then compute r_0 := r mod± 2^d; finally return ((r − r_0)/2^d, r_0);
The functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q() of the first working mode are defined as follows:
· on input (r, α), with r an integer modulo q, the function Decompose_q() performs the following: first compute r := r mod+ q; then compute r_0 := r mod± α; if r − r_0 = q − 1, set (r_1, r_0) := (0, r_0 − 1), otherwise set r_1 := (r − r_0)/α; finally return (r_1, r_0);
· on input (r, α), the function HighBits_q() performs the following: first compute (r_1, r_0) := Decompose_q(r, α); then return r_1;
· on input (z, r, α), the function MakeHint_q() performs the following: first compute r_1 := HighBits_q(r, α); then compute v_1 := HighBits_q(r + z, α); return 0 if r_1 = v_1, otherwise return 1;
· on input (h, r, α), with h ∈ {0,1}, the function UseHint_q() performs the following: first compute m := (q − 1)/α; then compute (r_1, r_0) := Decompose_q(r, α); if h = 0, return r_1; if h = 1 and r_0 > 0, return (r_1 + 1) mod+ m; if h = 1 and r_0 ≤ 0, return (r_1 − 1) mod+ m;
The functions Decompose_{q,κ}(), HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}(), UseHint_{q,κ}() of the second working mode are built on the optimal DKCN instance with parameters [formula image] and are defined as follows:
· on input r, with r an integer modulo q, the function Decompose_{q,κ}() performs the following: first compute (r_1, r_0) := Con(r); then return (r_1, r_0);
· on input r, the function HighBits_{q,κ}() performs the following: compute (r_1, r_0) := Con(r); then return r_1;
· on input r, the function LowBits_{q,κ}() performs the following: compute (r_1, r_0) := Con(r); then return r_0;
· on input (z, r), the function MakeHint_{q,κ}() performs the following: first compute r_1 := HighBits_{q,κ}(r); then compute v_1 := HighBits_{q,κ}(r + z); return 0 if r_1 = v_1, otherwise return 1;
· on input (h, r), with h ∈ {0,1}, the function UseHint_{q,κ}() performs the following: first compute (r_1, r_0) := Con(r); if h = 0, return r_1; if h = 1 and r_0 > 0, return (r_1 + 1) mod+ κ; if h = 1 and r_0 ≤ 0, return (r_1 − 1) mod+ κ.
A fourth aspect of the present invention is based on the third aspect, wherein:
· λ ≥ 128;
· L_1 ≥ 256, L_2 ≥ 384;
· [formula image];
· n = 256;
· h = 60;
· q ≤ 2^20 is a prime number;
· d satisfies [formula image];
· 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7;
· [formula image];
· η_1, η_2 ∈ {1, 2};
· β_1 ≤ 60·η_1, β_2 ≤ 60·η_2.
The fifth aspect of the present invention is based on the fourth aspect; specifically, the parameters of the inventive method are selected as follows:
Parameter set-1: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 3, l = 2, ω ≤ 64;
Parameter set-2: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-3: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-4: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-5: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-6: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-7: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-8: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-9: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-10: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-11: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-12: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-13: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-14: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-15: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-16: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 6, l = 5, ω ≤ 120.
Drawings
Fig. 1 shows, by way of example, the construction principle of the DKCN mechanism;
Fig. 2 shows, by way of example, the definitions of the auxiliary functions built on the DKCN mechanism, which are used in the second working mode of the signing function and the verification function;
Fig. 3 shows, by way of example, the definitions of the four functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q(), which are used in the first working mode of the signing function and the verification function.
Detailed Description
The invention provides a new lattice-based digital signature scheme and a method for setting its parameters. Here S denotes the signer and V denotes the verifier. S uses its own private key sk to compute a signature σ on a message M ∈ {0,1}^*; V uses the public key pk of S to check the inherent logical relationship within the message-signature pair (M, σ), and outputs 1 if and only if V accepts (M, σ) as a legitimate message-signature pair from S.
The system parameters required to generate a signature are (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2), where: the positive integer λ is the security parameter; the positive integer n is a power of 2; q ≥ 2 is a prime number satisfying q ≡ 1 (mod 2n); the positive integer κ satisfies 2 ≤ κ ≤ 12; χ_1, χ_2 are two identical or different noise distributions; k and l are positive integers, polynomial in λ; d is a positive integer; the threshold parameters β_1, β_2, γ_1, γ_2 are positive integers; ω is a positive integer; β_1, β_2 are positive integers with β_1 ≤ h·η_1 and β_2 ≤ h·η_2; h is a positive integer; the parameters γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ; L_1, L_2 are positive integers.
Public and private key generation: the signer S performs the following operations in sequence:
7) the signer S obtains the random seeds ρ and/or K by sampling;
8) the signer S obtains s and e by random sampling from the noise distributions χ_1 and χ_2;
9) the signer S maps the bit string ρ of length L_1 to the matrix A by calling the function ExpandA(); where ExpandA() is a mapping function;
10) the signer S computes t := A·s + e and calls Power2Round_q(t, d) to generate (t_1, t_0); where, on input (r, d), with r an integer modulo q and d < log_2 q, the function Power2Round_q() performs the following: first compute r := r mod+ q; then compute r_0 := r mod± 2^d; finally return ((r − r_0)/2^d, r_0);
11) the signer S computes tr := CRH(ρ, t_1, aux_tr); the input elements of CRH may be concatenated in any order, and aux_tr is a set that may be empty;
12) the signer S finally outputs (pk, sk), where pk = (ρ, t_1) is the public key of the signer S and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the private key of the signer S;
and the signer S sends the public key pk to the verifier V.
Signing method: the signer S holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and the message M ∈ {0,1}^* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in sequence. First, the signer S maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(), where ExpandA() is a mapping function; the signer S then computes μ := CRH(tr, M), where the input elements of CRH may be concatenated in any order; the signer S then obtains the random seed ρ' of the signing method, where ρ' is either generated completely at random by sampling or generated deterministically as ρ' := CRH(K, μ); finally, the signer S sets ctr := 0 and (z, h) := ⊥ to initialise the loop; the signer S then enters the loop and iterates until a signature with (z, h) ≠ ⊥ is found. Specifically, in each iteration the signer S works in one of two modes:
In the first working mode the four functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q() are needed; their definitions are shown in Fig. 3. The first working mode proceeds as follows:
9) the signer S first generates the masking element y of the current iteration by calling y := ExpandMask(ρ', ctr); the output of ExpandMask() is an element of the masking set;
10) the signer S computes w := A·y and w_1 := HighBits_q(w, γ_1); HighBits_q(r, γ_1) outputs the high-order part of r, and the function extends coefficient-wise to polynomial vectors, so that w is processed as a vector of ring elements;
11) the signer S calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is the subset of the ring R given by [formula image]; H(·) is a function whose input variables may be concatenated in any order and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
12) the signer S computes z := y + c·s;
13) the signer S computes (r_1, r_0) := Decompose_q(w − c·e, γ_1), where the call (r_1, r_0) := Decompose_q(r, γ_1) decomposes the input r into a high-order part r_1 and a low-order part r_0, and the function extends coefficient-wise to polynomial vectors;
14) if ‖z‖_∞ ≥ γ_1 − β_1, or ‖r_0‖_∞ ≥ γ_2 − β_2, or r_1 ≠ w_1, the iteration ends immediately, ctr := ctr + 1 is set, and the next iteration begins;
15) the signer S computes h := MakeHint_q(−c·t_0, w − c·e + c·t_0, γ_1); the input elements of MakeHint_q(z, r, γ_1) are ring elements and its output lies in {0,1}; the function extends coefficient-wise to polynomial vectors, so that h ∈ {0,1}^{k·n};
16) if ‖c·t_0‖_∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the iteration ends immediately, ctr := ctr + 1 is set, and the next iteration begins; otherwise the (z, h, c) generated in the current iteration is a signature meeting the requirements;
the signer S sends the (z, h, c) produced in the last iteration to the verifier V as the signature on the message M ∈ {0,1}^*.
The second working mode is based on the DKCN mechanism and the auxiliary functions HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}(), UseHint_{q,κ}() built on it; their definitions are shown in Fig. 2. The second working mode proceeds as follows:
9) the signer S first generates the masking element y of the current iteration by calling y := ExpandMask(ρ', ctr); the output of ExpandMask() is an element of the masking set;
10) the signer S computes w := A·y and w_1 := HighBits_{q,κ}(w); HighBits_{q,κ}(r) outputs the high-order part of r, and the function extends coefficient-wise to polynomial vectors, so that w is processed as a vector of ring elements;
11) the signer S calls c := H(w_1, μ) to obtain c ∈ B_h, where B_h is the subset of the ring R given by [formula image]; H(·) is a function whose input variables may be concatenated in any order and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
12) the signer S computes z := y + c·s;
13) the signer S computes (r_1, r_0) := Con(w − c·e), where the call (r_1, r_0) := Con(r) decomposes the input r into a high-order part r_1 and a low-order part r_0, and the function extends coefficient-wise to polynomial vectors;
14) if ‖z‖_∞ ≥ γ_1 − β_1, or ‖r_0‖_∞ ≥ q/2 − κ·β_2, or r_1 ≠ w_1, the iteration ends immediately, ctr := ctr + 1 is set, and the next iteration begins;
15) the signer S computes h := MakeHint_{q,κ}(−c·t_0, w − c·e + c·t_0); the input elements of MakeHint_{q,κ}(z, r) are ring elements and its output lies in {0,1}; the function extends coefficient-wise to polynomial vectors, so that h ∈ {0,1}^{k·n};
16) if ‖c·t_0‖_∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the iteration ends immediately, ctr := ctr + 1 is set, and the next iteration begins; otherwise the (z, h, c) generated in the current iteration is a signature meeting the requirements;
the signer S sends the (z, h, c) produced in the last iteration to the verifier V as the signature on the message M ∈ {0,1}^*.
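The reason the signer computes its hint on w − c·e + c·t_0 (step 15 of both working modes) is that this is exactly the quantity the verifier can recompute from the public key and the signature alone. The derivation below is added here and is not part of the patent text; it uses the page's symbols and assumes the key relation t = A·s + e together with t = t_1·2^d + t_0 from Power2Round_q, w = A·y and z = y + c·s:

$$
\begin{aligned}
A z - c\,t_1 2^{d}
 &= A(y + c s) - c\,(t - t_0) \\
 &= A y + c\,A s - c\,(A s + e) + c\,t_0 \\
 &= w - c\,e + c\,t_0 .
\end{aligned}
$$

Because the signer only accepts an iteration in which HighBits(w − c·e) = w_1 and ‖c·t_0‖_∞ < γ_2, the hint h = MakeHint(−c·t_0, w − c·e + c·t_0) is enough for the verifier to obtain UseHint(h, Az − c·t_1·2^d) = HighBits(w − c·e) = w_1 without knowing s, e or t_0, and hence to recompute c = H(μ, w_1). In the second working mode the same identity holds with the Con-based HighBits/MakeHint/UseHint.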
Verification method: after receiving a pair (M, (z, h, c)) (where M ∈ {0,1}^*, z is a vector of ring elements, h ∈ {0,1}^{k·n} and c ∈ B_h), the verifier V performs the verification with the public key pk = (ρ, t_1); if the signer S uses the first working mode, the verifier V performs the following operations:
6) the verifier V maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(); where ExpandA() is a mapping function;
7) the verifier V computes tr := CRH(ρ, t_1, aux_tr); the inputs to CRH may be concatenated in any order, and aux_tr is a set that may be empty;
8) the verifier V computes μ := CRH(tr, M);
9) the verifier V computes w'_1 := UseHint_q(h, Az − c·t_1·2^d, γ_1); here UseHint_q(h, r, γ_1) takes a ring element r and a hint bit h ∈ {0,1} and returns a high-order value, and the function extends coefficient-wise to the input vector, so that Az − c·t_1·2^d is processed as a vector of ring elements;
10) if ‖z‖_∞ < γ_1 − β_1, c = H(μ, w'_1), and the number of 1-entries (Hamming weight) of h ∈ {0,1}^{k·n} is at most the parameter ω, set b := 1, meaning that (M, (z, h, c)) is accepted as a valid message-signature pair; otherwise set b := 0, meaning that (M, (z, h, c)) is rejected as an invalid message-signature pair;
finally, the verifier V outputs b ∈ {0,1}.
If the signer S uses the second working mode, the verifier V performs the following operations:
6) the verifier V maps the random string ρ of length L_1 to the matrix A by calling the function ExpandA(); where ExpandA() is a mapping function;
7) the verifier V computes tr := CRH(ρ, t_1, aux_tr); the input elements of CRH may be concatenated in any order, and aux_tr is a set that may be empty;
8) the verifier V computes μ := CRH(tr, M); the inputs to CRH may be concatenated in any order;
9) the verifier V computes w'_1 := UseHint_{q,κ}(h, Az − c·t_1·2^d); here UseHint_{q,κ}(h, r) takes a ring element r and a hint bit h ∈ {0,1} and returns a high-order value, and the function extends coefficient-wise to the input vector, so that Az − c·t_1·2^d is processed as a vector of ring elements;
10) if ‖z‖_∞ < γ_1 − β_1, c = H(μ, w'_1), and the number of 1-entries (Hamming weight) of h ∈ {0,1}^{k·n} is at most the parameter ω, set b := 1, meaning that (M, (z, h, c)) is accepted as a valid message-signature pair; otherwise set b := 0, meaning that (M, (z, h, c)) is rejected as an invalid message-signature pair;
finally, the verifier V outputs b ∈ {0,1}.
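The following Python is an added example, not code from the patent or its authors. It implements, per coefficient, the functions defined in the third aspect above (Power2Round_q; Decompose_q, HighBits_q, MakeHint_q, UseHint_q of the first working mode; and their Con-based counterparts of the second working mode) and checks the property that both the signer's step 15 and the verifier's step 9 rely on: for small z, UseHint(MakeHint(z, r), r) = HighBits(r + z), so UseHint(h, Az − c·t_1·2^d) recovers the w_1 the signer hashed. The constants q, γ_1, γ_2, κ and d are those of parameter set-1. Two details are assumptions not stated on the page: Con reduces its input modulo q before use, and the bound on z under which the hint lemma is tested is γ_2 (for the second mode this works because κ·γ_2 < q/2 with these values).

```python
# Added example, not the patent's own code.  Coefficient-level versions of the
# rounding/hint functions of both working modes and the hint round-trip that
# connects the signer's step 15 to the verifier's step 9.  Constants are from
# parameter set-1 of the text; polynomial/NTT arithmetic is out of scope because
# every function is defined per coefficient and extended coefficient-wise.
import random

Q = 1952257       # parameter set-1 (the text writes "q <= 1952257")
GAMMA1 = 244032   # alpha of Decompose_q in the first mode; (Q - 1) // GAMMA1 == 8
GAMMA2 = 122016   # GAMMA1 / 2, the low-part rejection bound
KAPPA = 8         # number of high-order bins in the DKCN mode
D = 13            # dropped bits of t in Power2Round_q

def mod_plus(r, m):
    """r mod+ m: representative in [0, m)."""
    return r % m

def mod_pm(r, m):
    """r mod± m: representative in (-m/2, m/2]."""
    r = r % m
    return r - m if r > m // 2 else r

def power2round(r, d=D):
    """Power2Round_q(r, d) -> (r1, r0) with r = r1 * 2^d + r0, r0 in (-2^(d-1), 2^(d-1)]."""
    r = mod_plus(r, Q)
    r0 = mod_pm(r, 1 << d)
    return (r - r0) // (1 << d), r0

# ---- first working mode: Decompose_q / HighBits_q / MakeHint_q / UseHint_q ----
def decompose(r, alpha=GAMMA1):
    r = mod_plus(r, Q)
    r0 = mod_pm(r, alpha)
    if r - r0 == Q - 1:   # top bin wraps to 0 because q - 1 = m * alpha
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def high_bits(r, alpha=GAMMA1):
    return decompose(r, alpha)[0]

def make_hint(z, r, alpha=GAMMA1):
    return int(high_bits(r, alpha) != high_bits(r + z, alpha))

def use_hint(h, r, alpha=GAMMA1):
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

# ---- second working mode: the same functions built on Con of the DKCN mechanism ----
def con(sigma1, kappa=KAPPA):
    """Con(sigma1) -> (k1, v) as in the text; reducing the input mod q first is an assumption."""
    sigma1 = mod_plus(sigma1, Q)
    v = mod_pm(kappa * sigma1, Q)
    k1 = 0 if kappa * sigma1 - v == kappa * Q else (kappa * sigma1 - v) // Q
    return k1, v

def high_bits_dkc(r, kappa=KAPPA):
    return con(r, kappa)[0]

def make_hint_dkc(z, r, kappa=KAPPA):
    return int(high_bits_dkc(r, kappa) != high_bits_dkc(r + z, kappa))

def use_hint_dkc(h, r, kappa=KAPPA):
    r1, r0 = con(r, kappa)   # r0 is LowBits_{q,kappa}(r)
    if h == 0:
        return r1
    return (r1 + 1) % kappa if r0 > 0 else (r1 - 1) % kappa

MODES = {"first": (high_bits, make_hint, use_hint),
         "second": (high_bits_dkc, make_hint_dkc, use_hint_dkc)}

def hint_round_trip(w, ce, ct0, mode):
    """Scalar version of signer step 15 / verifier step 9.

    The signer knows w, c*e, c*t0 and publishes h = MakeHint(-c*t0, w - c*e + c*t0);
    the verifier knows only A*z - c*t1*2^d = w - c*e + c*t0 and h.  Returns True iff
    UseHint recovers HighBits(w - c*e), i.e. the w1 the signer fed into H().
    """
    hb, mh, uh = MODES[mode]
    r = w - ce + ct0
    return uh(mh(-ct0, r), r) == hb(w - ce)

def hint_lemma_holds(mode, trials=2000, bound=GAMMA2, seed=1):
    """Randomised check of UseHint(MakeHint(z, r), r) == HighBits(r + z) for |z| <= bound."""
    rng = random.Random(seed)
    hb, mh, uh = MODES[mode]
    return all(uh(mh(z, r), r) == hb(r + z)
               for r, z in ((rng.randrange(Q), rng.randint(-bound, bound))
                            for _ in range(trials)))

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "hint lemma:", hint_lemma_holds(mode),
              "round trip:", hint_round_trip(1952000, 50, -120000, mode))
```

With these parameter values (q − 1)/γ_1 = κ = 8, so both modes split Z_q into eight high-order bins. The first mode needs the special case r − r_0 = q − 1 because its bin boundaries are multiples of γ_1 and q − 1 = 8·γ_1 must fold back onto bin 0, while the Con-based mode needs no special case because its bins wrap naturally modulo κ. Rec is not used anywhere in signing or verification and is therefore omitted.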
In the signature mechanism described above,
· the ExpandA() function maps a random seed ρ ∈ {0,1}^{L_1} to the NTT representation of the matrix A; the concatenation order of the input elements may be arbitrary, and generally L_1 ≥ 256; for example, ExpandA() can be implemented by repeatedly calling the SHAKE-128 function;
· CRH() is a collision-resistant hash function; the concatenation order of the input elements may be arbitrary; it maps an element of {0,1}^* to an element of its output set, and generally L_2 ≥ 384; for example, CRH() can be implemented by calling the SHAKE-256 function;
· the ExpandMask function maps an input element of {0,1}^* to the masking element y; for example, it is implemented by repeatedly calling the SHAKE-256 function;
In general, λ ≥ 128, n = 256, h = 60, [formula image]; for the other parameters, generally η_1, η_2 ∈ {1, 2}, β_1 ≤ 60·η_1, β_2 ≤ 60·η_2, n = 256, q ≤ 2^20 is a prime number, d satisfies [formula image], 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7, [formula image].
Specifically, the parameters of the method are selected as follows:
Parameter set-1: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 3, l = 2, ω ≤ 64;
Parameter set-2: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-3: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-4: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-5: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-6: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-7: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-8: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-9: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-10: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-11: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-12: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-13: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, [formula image], k = 6, l = 5, ω ≤ 120;
Parameter set-14: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 4, l = 3, ω ≤ 80;
Parameter set-15: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 5, l = 4, ω ≤ 96;
Parameter set-16: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, [formula image], k = 6, l = 5, ω ≤ 120.
The difficulty and inventiveness of parameter selection and testing for the method of the invention: the correctness, security and efficiency (including the running time of the signing algorithm, the running time of the verification algorithm, the signature size, the public and private key sizes, and so on) of the method in practical applications depend heavily on the choice of concrete parameters. Selecting these parameters requires combining many factors with programmed tests. The difficulty lies in improving the efficiency of the system as far as possible while guaranteeing its correctness and reaching a sufficient security level.
Specifically, when selecting the recommended parameters, the following requirements and objectives need to be considered:
· the parameters should be chosen appropriately to ensure the correctness of the signature mechanism;
· the recommended parameters should first be selected according to the target of 128-bit quantum security, while trying to ensure that the other parameter sets reach the desired degree of quantum security;
· the parameters should be chosen so that the expected number of restarts in the signing algorithm is as small as possible, to guarantee the efficiency of the signing algorithm;
· the parameters should be chosen so that the sum of the public key size and the signature size is as small as possible.
From the perspective of parameter values, the system parameters (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2) should satisfy:
· n = 256, and the prime number q satisfies q ≡ 1 (mod n/2);
· κ < q, k ≥ l;
· χ_1 = U(S_{η_1}), χ_2 = U(S_{η_2});
· β_1, β_2 should take appropriate values so that, for the random variables c ← B_60 and [formula image], both Pr[‖c·s‖_∞ ≥ β_1] ≤ 2^{−128} and Pr[‖c·e‖_∞ ≥ β_2] ≤ 2^{−128} hold;
· [formula image];
· [formula image];
· the value of ω cannot be too large, otherwise the signature length suffers; the value of ω cannot be too small, otherwise the average running time of the signing algorithm increases;
· [formula image];
· the value of d cannot be too large, otherwise the hardness of the MLWE problem is affected; the value of d cannot be too small, otherwise the size of the public key increases significantly.
From the viewpoint of efficiency, in this signature system the public key size is [formula image] bytes, the private key size is [formula image] bytes, and the signature size is [formula image] bytes. The running time of the signing function depends mainly on the expected number of times the two rejection-sampling steps are triggered. The probability of a restart can be estimated with the following formula:
[formula image]
In particular, the value of the parameter ω affects both the size of the signature and the running time of the signing function, and an exact theoretical analysis of the concrete value of ω is difficult. A large number of programmed instance tests are therefore required to obtain a suitable value of ω, so that an appropriate balance is reached between the signature size and the running time of the signing function.
From the security point of view, the security of the above signature mechanism needs to consider the key recovery attack and the (strong) fake signature attack, which can be understood as solving (variants of) the MLWE problem and (in infinite norm) the MSIS problem, respectively; parameters n, q, k, l, η12Appropriate values are required to ensure that the corresponding MLWE problem reaches sufficient quantum security strength; parameters n, q, k, l, d, κ, η12Appropriate values are required to ensure that the corresponding MSIS problem (under infinite norm) reaches sufficient quantum security strength.
Among them, the MSIS problem (under infinite norm) is less studied, and a special test script needs to be developed to test the corresponding quantum security strength. In addition, because the constraint conditions corresponding to different dimensions in the corresponding (under infinite norm) MSIS problem are very different, the quantum security strength of the corresponding (under infinite norm) MSIS problem has two evaluation modes of symmetry and asymmetry.
The existing mainstream method for evaluating the complexity of the SIS problem with the infinite norm is to use a Core-SVP model to equate the complexity of the SIS problem with the infinite norm to the complexity of the corresponding Core-SVP problem. Then, a plurality of short vectors are solved by using a commonly used lattice reduction algorithm, namely a BKZ algorithm. However, these short vectors are obtained for the euclidean norm. Unfortunately, the shortest vector under the euclidean norm is likely not to be the "short" vector under the infinite norm. Based on the method, an improved algorithm is utilized to measure the complexity of the SIS problem under an infinite norm on the basis of the BKZ algorithm. Specifically, a sub-lattice is first selected from a given lattice by projection, and then the length sequence of the orthogonalized basis corresponding to the basis output by the BKZ algorithm is estimated in the sub-lattice. And sequentially dividing the vectors in the base into three types according to the length sequence of the orthogonalized base, and respectively estimating the number of the three types of vectors. And "short vectors" under an infinite norm belong to the second class thereof. Any vector is chosen, and the length of the vector is assumed to conform to a certain form of distribution on the three types of projection, so as to estimate the probability p that the vector conforms to the infinite norm requirement. And finally, optimizing the target function by means of exhausting the dimension of the sub-lattices and the dimension of the SVP-oracle in the BKZ algorithm, thereby achieving the purpose of complexity estimation.
However, this complexity measure of the infinite norm SIS problem has some important drawbacks. Firstly, the correctness of the measuring method is based on two assumptions, namely that the output result of the BKZ algorithm conforms to an expected statistical rule, and the projection length of an arbitrary vector on the orthogonalization base dimension of the BKZ algorithm output base conforms to an expected probability distribution. The correctness of these two hypotheses needs to be checked. Secondly, when the bound parameter in the SIS problem of infinite norm is reduced to a certain degree, the output result of the measuring method has little change or changes too severely without practical reference value. Therefore, the rationality of this method is problematic and the application is very limited.
In order to overcome the difficulty and reflect the change rule of the SIS problem of infinite norm along with bound parameters more accurately, a new complexity measuring method is provided by combining the latest complexity achievement about the SVP problem under infinite norm, the output result of the complexity measuring method continuously increases along with the reduction of the bound parameters, and the output result accords with the expectation of the difficulty of the SIS problem of infinite norm. In general, we try to perfect the complexity measure method of the problem by analyzing and improving the defects of the existing complexity measure method of the SIS problem of infinite norm, and provide a more reasonable and reference evaluation method.
Briefly, our test method analyzes the concrete difficulty of the SIS∞ problem under the Core-SVP model by calling the BKZ algorithm, and gives the classical and quantum attack complexity. For the Ring-SIS∞/Module-SIS∞ problem, whose instances can be transformed into corresponding instances of the SIS∞ problem, it likewise gives the classical and quantum attack complexity under the Core-SVP model by invoking the BKZ algorithm. The work in this aspect provides technical tools and means for the difficulty evaluation of the lattice digital signature scheme.
For the Ring-SIS∞ and Module-SIS∞ problems, so far no attack algorithm can fully exploit these additional algebraic structures to increase the efficiency of the attack. Thus, for the Ring-SIS∞ and Module-SIS∞ problems we equate them to SIS∞ problems of the corresponding dimension, and equate their complexity to the complexity of the SIS∞ problem of that dimension. Therefore, the detection method is suitable for the detection of lattice-based cryptographic algorithms based on the SIS∞/Ring-SIS∞/Module-SIS∞ problem.
Our SIS∞ problem complexity estimation method reduces the SIS∞ problem to a lattice reduction problem, then analyzes the constraints that the solution returned by lattice reduction must satisfy for the SIS∞ problem, and within this range analyzes how to optimize the defined objective function.
a. First, the SIS∞ problem is solved by solving a lattice reduction problem on the lattice Λ = {x | Ax = 0 mod q}.
b. Secondly, the problem is understood as an optimization problem with respect to the BKZ algorithm block size function. By calling the BKZ algorithm to solve the lattice reduction problem, the algorithm will output an equivalent basis containing several short vectors. Thereby analyzing the probability that the projection of each dimension of the vector accessed by the SVP oracle under the base meets the constraint condition. The objective function of the optimization problem is the quotient of the running time of the BKZ algorithm and the probability.
c. The BKZ algorithm block size, which can achieve the optimization of the objective function, and the optimal value of the objective function are determined by exhaustive search within the set of feasible solutions.
d. In particular, there are two different implementations of the SVP oracle invoked in the BKZ algorithm, resulting in two similar objective functions and two extrema at optimization. We define the complexity of the SIS∞ problem as the lesser of the two optimal extrema obtained when the two objective functions are optimized separately.
In general, the problem of SIS based on infinite norm is more difficult than SIS based on euclidean norm, because a short vector under infinite norm can be understood as a short vector under euclidean norm, but the opposite is not necessarily true. More specifically, the SIS problem under the infinite norm puts forward a plurality of independent constraint conditions for the target vector; and the SIS problem under the Euclidean norm only puts forward a constraint condition to the target vector.
Since the BKZ algorithm is only valid for Euclidean lattices, we cannot directly convert the SIS problem under each infinite norm to the corresponding Core-SVP problem. However, we can use the BKZ algorithm to compute a solution to estimate the specific difficulty of solving an infinite norm SIS problem. It should be noted that this estimation process is conservative.
In the SIS problem of infinite norm, given a matrix A [formula image] and a norm requirement β, one must find a non-zero short vector x [formula image] such that Ax ≡ 0 (mod q) and ‖x‖∞ ≤ β. We can first narrow the search range from m dimensions to w dimensions, looking for a suitable vector in w dimensions and setting the remaining m − w coordinates to 0. We then search in the specified w dimensions to determine the probability of finding a suitable solution. Once the block size b of the BKZ search algorithm is fixed, we estimate the probability that the solution returned by the BKZ algorithm satisfies the condition under a heuristic assumption. We define the objective function as T/p, where T is the running time of the BKZ algorithm with block size b, and p is the probability that the solution returned by the BKZ algorithm under the current condition satisfies the condition. By exhaustive search we determine the (w, b) value that optimizes the objective function and denote it (w*, b*). Finally, we define the difficulty of the infinite-norm SIS problem instance as the running time of the BKZ algorithm corresponding to (w*, b*).
In addition, the signature mechanism in the present invention corresponds to an (M)SIS problem with a certain specificity, namely asymmetry. Specifically, in this SIS problem the parameters q, n, m1, m2, β1, β2 are given together with a random matrix A [formula image]; one is required to find and output a non-zero vector x [formula image] (with components x1, x2) such that the constraints Ax ≡ 0 (mod q), 0 < ‖x1‖∞ ≤ β1 and 0 < ‖x2‖∞ ≤ β2 hold at the same time. The definition of the problem reflects the asymmetry of the parameters, and under the existing system of attack methods, with the other parameters unchanged, the difficulty of the asymmetric instance [formula image] lies between the difficulties of the two symmetric instances [formula image] and [formula image]. Thus, by estimating the influence of the parameters β1, β2 on the difficulty of the problem with the method for evaluating the difficulty of symmetric instances, a more accurate estimate of the difficulty of the asymmetric instance can be obtained.
All this represents the difficulty of selecting parameters and the importance of the above invention.

Claims (5)

1. A lattice-based digital signature method in which each string or value α represents a binary value, and α‖β represents the concatenation of two binary strings α, β ∈ {0,1}*; for any real number x,
[formula image]
represents the largest integer less than or equal to x,
[formula image]
represents the smallest integer greater than or equal to x,
[formula image]
when α is a positive even number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 < r' ≤ α/2, r' ≡ r (mod α); when α is a positive odd number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 ≤ r' ≤ α/2, r' ≡ r (mod α); when α is a positive integer, for any integer r, r' = r mod+ α is defined as the unique integer r' satisfying 0 ≤ r' ≤ α − 1, r' ≡ r (mod α); when the concrete representative r' is unimportant, it is simply written r mod α;
if S is a finite set, then |S| represents its cardinality, and x ← S represents uniformly sampling an element from S; the symbol U(S) represents the uniform distribution over a finite set S; if D represents a probability distribution, x ← D represents selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, then x ← α represents a simple assignment operation, also written x := α; if A is a probabilistic algorithm, then A(x1, x2, …; r) denotes the result of running A on input x1, x2, … with random seed r; we use y ← A(x1, x2, …; r) to denote choosing r at random and letting y be the result of A(x1, x2, …; r); Pr[R1; …; Rn : E] denotes the probability that event E occurs after the sequence of random processes R1, …, Rn; if for any c > 0 there exists λc such that for all λ > λc, f(λ) < 1/λ^c, then the function f(λ) is negligible; define the ring
Figure FDA0002455400750000014
Wherein the content of the first and second substances,
Figure FDA0002455400750000015
is the m-th cyclotomic polynomial; the elements of R_q are n-dimensional polynomials of the form a0 + a1·x + a2·x² + … + a_{n−1}·x^{n−1}, where n is a positive integer; the positive integers k and l are the dimensions of the matrix samples,
Figure FDA0002455400750000016
is a matrix of dimension k × l, each element of which is an n-dimensional polynomial of the ring R_q; for a function whose input is a vector, the operation is applied to each dimension of the vector;
for elements
[formula image]
define ‖w‖∞ as |w mod± q|; for the element w = w0 + w1·x + … + w_{n−1}·x^{n−1} ∈ R_q define
[formula image]
for w = (w1, w2, …, wk) ∈ R^k define
[formula image]
when the positive integer η is fixed, define the set S_η as the set of all w ∈ R with ‖w‖∞ ≤ η, S_η = {w ∈ R | ‖w‖∞ ≤ η}; for any positive integer h, define the set B_h as
[formula image]
for a binary vector h = (h_i), define its Hamming weight as ‖h‖1 = Σ h_i;
the samples of the MLWE distribution have the form
[formula image]
the MLWE problem is to recover the secret value (s, e) from polynomially many samples of the MLWE distribution; specifically, randomly select from the ring
[formula image]
and compute t = As + e, where
[formula image]
and
[formula image]
are two probability distributions whose distribution parameters are denoted η1 and η2 respectively; the two distributions may be the same or different; by default
[formula image]
is the uniform distribution over the set
[formula image]
and
[formula image]
is the uniform distribution over the set
[formula image]
for an adversary A, define
[formula image]
if there is no algorithm A that runs in at most time τ and has advantage greater than ε, we say that the
[formula image]
hardness assumption holds; here τ is polynomial in n and ε is a negligible function in n;
A DKC (key consensus) method DKC = (params, Con, Rec) consists of the following three parts:
· params = (q, κ, g, δ, aux) represents the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q, 0 ≤ δ ≤ q/2, and aux represents a set of other values determined by (q, κ, g, δ), null by default;
· (k1, v) ← Con(σ1, params), where Con(·) is a deterministic polynomial-time function whose input is
[formula image]
and whose output is (k1, v), where
[formula image]
· k2 ← Rec(σ2, v, params), where Rec(·) is a deterministic polynomial-time function which, on input (σ2, v, params), outputs
[formula image]
when params can be determined from the context, params may be omitted for simplicity of description;
the DKC methods used all meet the correctness requirement, i.e., for any
[formula image]
whenever ‖σ1 − σ2‖∞ ≤ δ, it must hold that k1 = k2;
The method comprises the following steps:
the system parameters required to generate the signature include (λ, n, q, κ, k, l, η1, η2, β1, β2, γ1, γ2, ω, d, h, L1, L2); where the positive integer λ is the security parameter, the positive integer n is a power of 2, q ≥ 2 is a prime satisfying q ≡ 1 (mod n/2), the positive integer κ satisfies 2 ≤ κ ≤ 12, χ1, χ2 are two identical or different noise distributions, k and l are positive integers polynomial in λ, d is a positive integer, the threshold parameters β1, β2, γ1, γ2 are all positive integers, ω is a positive integer, β1, β2 are positive integers with β1 ≤ h·η1 and β2 ≤ h·η2, h is a positive integer, the parameters γ1 = γ1(q, κ) and γ2 = γ2(q, κ) are positive integers whose values depend on q, κ, and the parameters L1, L2 are positive integers;
Generation of the public and private keys: the signer performs the following operations in turn:
1) the signer obtains random seeds by sampling
[formula image]
and/or
[formula image]
2) the signer obtains by random sampling
[formula image]
3) the signer maps the bit string ρ of bit length L1 into a matrix A of
[formula image]
by calling the function ExpandA(); where ExpandA() is a mapping function;
4) the signer computes
[formula image]
and calls the function Power2Round_q(t, d) to generate (t1, t0); where
[formula image]
5) the signer computes tr := CRH(ρ, t1, aux_tr), where
[formula image]
the order in which the inputs of the function CRH are concatenated may be arbitrary, and aux_tr is a set whose value may be null;
6) the signer finally outputs (pk, sk), where pk = (ρ, t1) is the public key of the signer and sk = (ρ, K, tr, s, e, t0) or sk = (ρ, tr, s, e, t0) is the private key of the signer;
the signer sends the public key information pk to the verifier;
The signature method comprises the following steps: the signer holds the private key sk = (ρ, K, tr, s, e, t0) or sk = (ρ, tr, s, e, t0) and the message M ∈ {0,1}* to be signed, and finally obtains and outputs the corresponding signature (z, h, c) by performing the following operations in turn; first, the signer maps the random string ρ of length L1
[formula image]
into the matrix A of
[formula image]
by calling the function ExpandA(), where ExpandA() is a mapping function; the signer then generates
[formula image]
by calling μ := CRH(tr, M), where the order of the input variables of the CRH() function can be adjusted arbitrarily and the output element belongs to the set
[formula image]
the signer then obtains the random seed of the signature method
[formula image]
where ρ' is generated either completely at random by calling
[formula image]
or deterministically as CRH(K, μ); finally, the signer sets ctr := 0 and (z, h) := ⊥ to complete the initialization of the loop body; the signer then enters a loop until a signature satisfying (z, h) ≠ ⊥ is found; specifically, in each round of the loop, the signer works in one of two modes:
The first working mode is as follows:
1) the signer first generates the random element of the current round
[formula image]
by calling y := ExpandMask(ρ', ctr), where the ExpandMask() function outputs an element of the set
[formula image]
2) the signer computes
[formula image]
and
[formula image]
where HighBits_q(r, γ1) outputs part of the information of
[formula image]
namely
[formula image]
the function extends coefficient-wise to
[formula image]
and
[formula image]
can be regarded as one vector element of
[formula image]
3) the signer calls c := H(w1, μ) to obtain c ∈ B_h, where B_h is a subset of R,
[formula image]
H(·) is a function whose input variables may be in any order and which maps an arbitrary input string in {0,1}* to some element of the set B_h;
4) the signer computes z := y + cs, where
[formula image]
5) the signer computes (r1, r0) := Decompose_q(w − ce, γ1), where the function call (r1, r0) := Decompose_q(r, γ1) decomposes the input
[formula image]
into
[formula image]
and
[formula image]
the function extends coefficient-wise to
[formula image]
6) if ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ γ2 − β2 or r1 ≠ w1, the round is ended directly, ctr := ctr + 1 is set, and the next round is entered;
7) the signer computes h := MakeHint_q(−ct0, w − ce + ct0, γ1); where the input elements of the function MakeHint_q(z, r, γ1) satisfy
[formula image]
and the output values belong to the set {0,1}; the function extends coefficient-wise to
[formula image]
and h correspondingly lies in {0,1}^{k·n};
8) if ‖ct0‖∞ ≥ γ2 or the Hamming weight of h ∈ {0,1}^{k·n} is larger than the parameter ω, the round is ended directly, ctr := ctr + 1 is set, and the next round is entered; otherwise the (z, h, c) generated in the current round is a signature meeting the requirements;
the signer sends the (z, h, c) value generated in the last round, together with the message M ∈ {0,1}*, to the verifier;
The second working mode is based on DKCN and works as follows:
1) the signer first generates the random element of the current round
[formula image]
by calling y := ExpandMask(ρ', ctr), where the input elements of the ExpandMask() function may be in any order and the output element belongs to the set
[formula image]
2) the signer computes
[formula image]
and
[formula image]
where HighBits_{q,κ}(r) outputs part of the information of
[formula image]
namely
[formula image]
the function extends coefficient-wise to
[formula image]
and
[formula image]
can be regarded as one vector element of
[formula image]
3) the signer calls c := H(w1, μ) to obtain c ∈ B_h, where B_h is a subset of R,
[formula image]
H(·) is a function whose input variables may be in any order and which maps an arbitrary input string in {0,1}* to some element of the set B_h;
4) the signer computes z := y + cs, where
[formula image]
5) the signer computes (r1, r0) := Con(w − ce), where the function call (r1, r0) := Con(r) decomposes the input
[formula image]
into
[formula image]
and
[formula image]
the function extends coefficient-wise to
[formula image]
6) if ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ q/2 − κ·β2 or r1 ≠ w1, the round is ended directly, ctr := ctr + 1 is set, and the next round is entered;
7) the signer computes h := MakeHint_{q,κ}(−ct0, w − ce + ct0); where the input elements of the function MakeHint_{q,κ}(z, r) satisfy
[formula image]
and the output values belong to the set {0,1}; the function extends coefficient-wise to
[formula image]
and h correspondingly lies in {0,1}^{k·n};
8) if ‖ct0‖∞ ≥ γ2 or the Hamming weight of h ∈ {0,1}^{k·n} is larger than the parameter ω, the round is ended directly, ctr := ctr + 1 is set, and the next round is entered; otherwise the (z, h, c) generated in the current round is a signature meeting the requirements;
the signer sends the (z, h, c) value generated in the last round, together with the message M ∈ {0,1}*, to the verifier;
The verification method comprises the following steps: after receiving the pair (M, (z, h, c)) (where M ∈ {0,1}*,
[formula image]
h ∈ {0,1}^{k·n}, c ∈ B_h), the verifier performs the verification operation with the public key information pk = (ρ, t1); if the signer uses the first working mode, the verifier performs the following operations:
1) the verifier maps the random string ρ of length L1
[formula image]
into the matrix A of
[formula image]
by calling the function ExpandA(); where ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t1, aux_tr), where
[formula image]
the order in which the inputs of the function CRH are concatenated may be arbitrary, and aux_tr is a set whose value may be null;
3) the verifier generates μ by calling μ := CRH(tr, M); where the inputs of CRH() may be concatenated in any order, and the output element belongs to the set
[formula image]
4) the verifier computes w'1 := UseHint_q(h, Az − c·t1·2^d, γ1); where UseHint_q(h, r, γ1) generates, from
[formula image]
and h ∈ {0,1}, the value
[formula image]
of
[formula image]
the function extends to each component of the input vector;
[formula image]
can be regarded as a vector of
[formula image]
5) if ‖z‖∞ < γ1 − β1 and c = H(μ, w'1) and h ∈ {0,1}^{k·n}, then b := 1 is set, indicating that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise b := 0 is set, indicating that the pair (M, (z, h, c)) is considered an incorrect message-signature pair;
finally, the verifier outputs b ∈ {0,1};
if the signer uses the second working mode, the verifier performs the following operations:
1) the verifier maps the random string ρ of length L1
[formula image]
into the matrix A of
[formula image]
by calling the function ExpandA(); where ExpandA() is a mapping function;
2) the verifier computes tr := CRH(ρ, t1, aux_tr), where
[formula image]
the order in which the inputs of the function CRH are concatenated may be arbitrary, the output element belongs to the set
[formula image]
and aux_tr is a set whose value may be null;
3) the verifier generates
[formula image]
by calling μ := CRH(tr, M); where the inputs of the function CRH may be concatenated in any order, and the output element belongs to the set
[formula image]
4) the verifier computes w'1 := UseHint_{q,κ}(h, Az − c·t1·2^d); where UseHint_{q,κ}(h, r) generates, from
[formula image]
and h ∈ {0,1}, the value
[formula image]
of
[formula image]
the function extends to each component of the input vector;
[formula image]
can be regarded as a vector of
[formula image]
5) if ‖z‖∞ < γ1 − β1 and c = H(μ, w'1) and h ∈ {0,1}^{k·n}, then b := 1 is set, indicating that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise b := 0 is set, indicating that the pair (M, (z, h, c)) is considered an incorrect message-signature pair;
finally, the verifier outputs b ∈ {0,1}.
2. The method of claim 1, wherein:
the ExpandA() function maps a random seed
[formula image]
to the NTT representation of a matrix
[formula image]
where the NTT representation of each element is the result of its forward NTT transformation;
CRH() is a collision-resistant hash function, where the order in which the input elements are concatenated may be arbitrary, and which maps {0,1}* to some element of
[formula image]
the ExpandMask function maps the input element in {0,1}* to the element y in
[formula image]
and the concatenation order of the input elements of the function may be arbitrary;
a most preferred specific example of the DKC method (params, Con, Rec) can be constructed when κ ≥ 2, g ≥ 2 and 2κδ < q, where:
· [formula image]
· for the given input (σ1, params) with
[formula image]
the function Con is implemented as follows: first compute v := κ·σ1 mod± q; if κ·σ1 − v = κ·q holds, set k1 := 0, otherwise set k1 := (κ·σ1 − v)/q; finally the function returns (k1, v);
· for the given input (σ2, v, params) with
[formula image]
the function Rec is implemented as follows: compute
[formula image]
and the function returns k2.
3. The method of claim 2, wherein the function Power2Round_q() is as follows:
for the given input (r, d) (with
[formula image]
and d < log2 q), the function Power2Round_q() performs the following operations: first compute r := r mod+ q; then compute r0 := r mod± 2^d; finally the function returns ((r − r0)/2^d, r0);
the functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q() of the first working mode are defined as follows:
for the given input (r, α) with
[formula image]
the function Decompose_q() performs the following operations: first compute r := r mod+ q; then compute r0 := r mod± α; if r − r0 = q − 1 holds, set (r1, r0) := (0, r0 − 1), otherwise set r1 := (r − r0)/α; finally return (r1, r0);
for the given input (r, α) with
[formula image]
the function HighBits_q() performs the following operations: first compute (r1, r0) := Decompose_q(r, α); then return r1;
for the given input (z, r, α) with
[formula image]
the function MakeHint_q() performs the following operations: first compute r1 := HighBits_q(r, α); then compute v1 := HighBits_q(r + z, α); if r1 = v1 holds, return 0, otherwise return 1;
for the given input (h, r, α) (h ∈ {0,1},
[formula image]
), the function UseHint_q() performs the following operations: first compute m := (q − 1)/α; then compute (r1, r0) := Decompose_q(r, α); if h = 0, return r1; if h = 1 and r0 > 0 hold, return (r1 + 1) mod+ m; if h = 1 and r0 ≤ 0 hold, return (r1 − 1) mod+ m;
the functions Decompose_{q,κ}(), HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}(), UseHint_{q,κ}() of the second working mode use the optimal example DKCN and are defined as follows:
· [formula image]
· for the given input r with
[formula image]
the function Decompose_{q,κ}() performs the following operations: first compute (r1, r0) := Con(r); then return (r1, r0);
· for the given input r with
[formula image]
the function HighBits_{q,κ}() performs the following operations: compute (r1, r0) := Con(r); then return r1;
· for the given input r with
[formula image]
the function LowBits_{q,κ}() performs the following operations: compute (r1, r0) := Con(r); then return r0;
· for the given input (z, r) with
[formula image]
the function MakeHint_{q,κ}() performs the following operations: first compute r1 := HighBits_{q,κ}(r); then compute v1 := HighBits_{q,κ}(r + z); if r1 = v1 holds, return 0, otherwise return 1;
· for the given input (h, r) with
[formula image]
the function UseHint_{q,κ}() performs the following operations: first compute (r1, r0) := Con(r); if h = 0, return r1; if h = 1 and r0 > 0 hold, return (r1 + 1) mod+ κ; if h = 1 and r0 ≤ 0 hold, return (r1 − 1) mod+ κ.
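The rounding, hint and key-consensus functions of claims 2 and 3 are the part of the scheme that can be checked in isolation, so the following is an added Python example (editor's code, not the patent's own implementation) that implements the first-mode Power2Round_q, Decompose_q, HighBits_q, MakeHint_q and UseHint_q on single coefficients exactly as defined above, the Con function of the DKC example of claim 2, and a scalar version of the identity the verifier relies on, Az − c·t1·2^d = w − ce + ct0 (mod q). Parameters are taken from parameter set 1 of claim 5 (q = 1952257, κ = 8, d = 13, γ1 = 244032, for which q − 1 = κ·γ1, so q ≡ 1 (mod γ1) as the first-mode Decompose_q needs). The Rec function is an assumption: its formula in claim 2 is an image that did not survive extraction, so the code uses the nearest-integer recovery k2 = ⌊(κσ2 − v)/q⌉ mod κ, which is consistent with the stated Con and with the correctness condition 2κδ < q. All random inputs in the checks are constructed for the example.

```python
# Added example (not the patent's code): coefficient-level rounding and hint
# functions of claim 3 (first working mode), the DKC Con of claim 2, an
# assumed Rec, and a scalar check of the identity the verifier relies on.
# Parameters: parameter set 1 of claim 5 (q = 1952257, kappa = 8, d = 13,
# gamma1 = 244032, and q - 1 = kappa * gamma1 so q = 1 mod gamma1).
import random

Q, KAPPA, D, GAMMA1 = 1952257, 8, 13, 244032
assert (Q - 1) % GAMMA1 == 0 and (Q - 1) // GAMMA1 == KAPPA

def mod_plus(r, a):
    """r mod+ a: the representative in [0, a-1]."""
    return r % a

def mod_pm(r, a):
    """r mod± a: the representative in (-a/2, a/2] for even a, [-a/2, a/2] for odd a."""
    r = r % a
    return r - a if r > a // 2 else r

def power2round(r, d=D):
    """Power2Round_q: (r1, r0) with r = r1 * 2^d + r0 and r0 = r mod± 2^d."""
    r = mod_plus(r, Q)
    r0 = mod_pm(r, 1 << d)
    return (r - r0) >> d, r0

def decompose(r, alpha=GAMMA1):
    """Decompose_q: (r1, r0) with r = r1 * alpha + r0 (mod q), r0 = r mod± alpha;
    the wrap value r - r0 = q - 1 is folded to r1 = 0 so r1 lies in [0, (q-1)/alpha)."""
    r = mod_plus(r, Q)
    r0 = mod_pm(r, alpha)
    if r - r0 == Q - 1:
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def highbits(r, alpha=GAMMA1):
    return decompose(r, alpha)[0]

def makehint(z, r, alpha=GAMMA1):
    """MakeHint_q: 1 iff adding z to r changes its high bits."""
    return 0 if highbits(r, alpha) == highbits(r + z, alpha) else 1

def usehint(h, r, alpha=GAMMA1):
    """UseHint_q: recover HighBits_q(r + z) from r and the hint bit, without z."""
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 0:
        return r1
    return mod_plus(r1 + 1, m) if r0 > 0 else mod_plus(r1 - 1, m)

def con(sigma1, kappa=KAPPA, q=Q):
    """Con of the DKC example in claim 2: v = kappa*sigma1 mod± q,
    k1 = (kappa*sigma1 - v)/q, with the wrap case kappa*sigma1 - v = kappa*q -> 0."""
    v = mod_pm(kappa * sigma1, q)
    k1 = (kappa * sigma1 - v) // q
    return (0 if k1 == kappa else k1), v

def rec(sigma2, v, kappa=KAPPA, q=Q):
    """Assumed Rec (the claim's formula is an unrecovered image): the nearest
    integer to (kappa*sigma2 - v)/q, reduced mod kappa."""
    return ((2 * (kappa * sigma2 - v) + q) // (2 * q)) % kappa

def hint_roundtrip_ok(trials=2000, seed=1):
    """UseHint_q(MakeHint_q(z, r), r) == HighBits_q(r + z) whenever |z| <= alpha/2."""
    rng = random.Random(seed)  # constructed random inputs
    for _ in range(trials):
        r, z = rng.randrange(Q), rng.randint(-GAMMA1 // 2, GAMMA1 // 2)
        if usehint(makehint(z, r), r) != highbits(r + z):
            return False
    return True

def dkc_agree_ok(delta=(Q - 1) // (2 * KAPPA), trials=2000, seed=2):
    """Con/Rec agree whenever |sigma1 - sigma2| <= delta and 2*kappa*delta < q."""
    assert 2 * KAPPA * delta < Q
    rng = random.Random(seed)  # constructed random inputs
    for _ in range(trials):
        s1 = rng.randrange(Q)
        s2 = (s1 + rng.randint(-delta, delta)) % Q
        k1, v = con(s1)
        if rec(s2, v) != k1:
            return False
    return True

def scalar_hint_consistency(seed=3):
    """k = l = n = 1 toy (scalars mod q, c in {-1, 1}): the verifier, holding only
    (t1, z, c, h), recovers HighBits_q(w - c*e) via Az - c*t1*2^d = w - c*e + c*t0."""
    rng = random.Random(seed)  # constructed keys and mask
    A, s, e, y = (rng.randrange(Q) for _ in range(4))
    c = rng.choice([-1, 1])
    t = (A * s + e) % Q
    t1, t0 = power2round(t)
    w = (A * y) % Q
    z = y + c * s
    h = makehint(-c * t0, w - c * e + c * t0)          # signer, step 7 of mode 1
    w1_prime = usehint(h, A * z - c * t1 * (1 << D))   # verifier, step 4
    return w1_prime == highbits(w - c * e)
```

hint_roundtrip_ok() exercises the property UseHint_q(MakeHint_q(z, r), r) = HighBits_q(r + z) for ‖z‖∞ ≤ γ1/2, which is the reason the signer rejects in step 8 whenever ‖ct0‖∞ ≥ γ2 = γ1/2: the hint only carries enough information when the correction term is that small. dkc_agree_ok() exercises the DKC correctness requirement at the largest δ allowed by 2κδ < q; with a larger δ the assumed Rec (and any Rec) can disagree with Con.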
4. The method of claim 3, wherein:
· λ ≥ 128;
· L1 ≥ 256, L2 ≥ 384;
· [formula image]
· n = 256;
· h = 60;
· q ≤ 2^20 is a prime;
· d satisfies
[formula image]
· 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7;
· [formula image]
· η1, η2 ∈ {1, 2};
· β1 ≤ 60·η1, β2 ≤ 60·η2.
5. The method according to claim 4, wherein in particular the parameters of the method are chosen as follows:
Parameter set-1: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016,
[formula image]
k=3, l=2, ω≤64;
Parameter set-2: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016,
[formula image]
k=4, l=3, ω≤80;
Parameter set-3: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016,
[formula image]
k=5, l=4, ω≤96;
Parameter set-4: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016,
[formula image]
k=6, l=5, ω≤120;
Parameter set-5: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472,
[formula image]
k=4, l=3, ω≤80;
Parameter set-6: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472,
[formula image]
k=5, l=4, ω≤96;
Parameter set-7: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472,
[formula image]
k=6, l=5, ω≤120;
Parameter set-8: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289,
[formula image]
k=4, l=3, ω≤80;
Parameter set-9: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289,
[formula image]
k=5, l=4, ω≤96;
Parameter set-10: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289,
[formula image]
k=6, l=5, ω≤120;
Parameter set-11: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536,
[formula image]
k=4, l=3, ω≤80;
Parameter set-12: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536,
[formula image]
k=5, l=4, ω≤96;
Parameter set-13: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536,
[formula image]
k=6, l=5, ω≤120;
Parameter set-14: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280,
[formula image]
k=4, l=3, ω≤80;
Parameter set-15: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280,
[formula image]
k=5, l=4, ω≤96;
Parameter set-16: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280,
[formula image]
k=6, l=5, ω≤120.
CN202010304930.1A 2020-04-17 2020-04-17 Digital signature method based on lattice Active CN113541952B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010304930.1A CN113541952B (en) 2020-04-17 2020-04-17 Digital signature method based on lattice

Publications (2)

Publication Number Publication Date
CN113541952A true CN113541952A (en) 2021-10-22
CN113541952B CN113541952B (en) 2023-07-25

Family

ID=78123350

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023206869A1 (en) * 2022-04-26 2023-11-02 南方电网科学研究院有限责任公司 Lattice-based proxy signature method, apparatus and device, lattice-based proxy signature verification method, apparatus and device, and storage medium
WO2024012431A1 (en) * 2022-07-11 2024-01-18 复旦大学 Method for efficiently, parallely and quickly achieving lattice-based signature

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150067336A1 (en) * 2012-04-12 2015-03-05 Jintai Ding New Cryptographic Systems Using Pairing with Errors
US20190116035A1 (en) * 2017-10-17 2019-04-18 Comsats Institute Of Information Technology Post-Quantum Cryptographic Communication Protocol
CN109687969A (en) * 2018-12-03 2019-04-26 上海扈民区块链科技有限公司 A kind of lattice digital signature method based on key common recognition
CN110138549A (en) * 2019-04-19 2019-08-16 北京信息科学技术研究院 A kind of digital signature method based on lattice

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YUNLEI ZHAO et al.: "Generic and Practical Key Establishment from Lattice", ACNS *
赵运磊 et al.: "Schnorr方案推广及其在格密码学中的应用" (Generalization of the Schnorr scheme and its application in lattice cryptography), 《计算机工程》 (Computer Engineering) *

Also Published As

Publication number Publication date
CN113541952B (en) 2023-07-25

Similar Documents

Publication Publication Date Title
Gao et al. Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack
Beullens et al. Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices
Indyk et al. Polylogarithmic private approximations and efficient matching
Kiss et al. SoK: Modular and efficient private decision tree evaluation
De Feo et al. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
Boyar et al. Logic minimization techniques with applications to cryptology
JP5373026B2 (en) Enhanced verification of digital signatures and public keys
US8411855B1 (en) Size optimization for large elliptic curve cryptography scalar multiplication acceleration tables
US20080080710A1 (en) Method for generating secure elliptic curves using an arithmetic-geometric mean iteration
Pastuszak et al. Identification of bad signatures in batches
CN113541952A (en) Digital signature method based on lattice
Zhao et al. SOCI: A toolkit for secure outsourced computation on integers
US8799754B2 (en) Verification of data stream computations using third-party-supplied annotations
Barenghi et al. A novel fault attack against ECDSA
CN110708160B (en) SM2 algorithm scalar multiplication coding-based side channel attack resisting method and system
Kotukh et al. Method of Security Improvement for MST3 Cryptosystem Based on Automorphism Group of Ree Function Field
Kwon et al. Fast verification of signatures with shared ECQV implicit certificates
CN115801264A (en) Physical attack method, medium, equipment and system for elliptic curve digital signature
Han et al. Single-trace attack on NIST round 3 candidate Dilithium using machine learning-based profiling
CN113411181B (en) Parameter optimization method based on distributed parallel differential evolution algorithm
RU2392736C1 (en) Method for generation and authentication of electronic digital signature that verifies electronic document
Sule Local inversion of maps: A new attack on Symmetric encryption, RSA and ECDLP
US20220309496A1 (en) Key-value map commitments system and method
Zhang et al. Efficient cloud-based private set intersection protocol with hidden access attribute and integrity verification
Akhmetzyanova et al. On methods of shortening ElGamal-type signatures

Legal Events

Date Code Title Description

PB01 Publication

SE01 Entry into force of request for substantive examination

TA01 Transfer of patent application right

Effective date of registration: 20220818

Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Applicant after: Zhao Yunlei

Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156

Applicant before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant

TR01 Transfer of patent right

Effective date of registration: 20240116

Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District

Patentee after: FUDAN University

Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Patentee before: Zhao Yunlei