CN113541952B - Digital signature method based on lattice - Google Patents


Info

Publication number: CN113541952B (application number CN202010304930.1A; other version: CN113541952A)
Authority: CN (China)
Prior art keywords: function, signer, input, parameter, verifier
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 赵运磊, 黄兴忠
Current assignee: Fudan University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Individual
Events: application CN202010304930.1A filed by Individual; publication of CN113541952A; application granted; publication of CN113541952B; current legal status Active; anticipated expiration


Classifications

    • H04L9/3247: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols) > H04L9/32 (including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) > H04L9/3247 (involving digital signatures)
    • H04L9/0852: H > H04 > H04L > H04L9/00 > H04L9/08 (Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords) > H04L9/0816 (Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use) > H04L9/0852 (Quantum cryptography)
    • H04L9/0861: H > H04 > H04L > H04L9/00 > H04L9/08 > H04L9/0861 (Generation of secret information including derivation or calculation of cryptographic keys or passwords)

Abstract

A lattice-based digital signature method. The signer's private key is sk = (ρ, K, tr, s, e, t_0) and its public key is pk = (ρ, t_1); the message to be signed is M ∈ {0,1}*. For M ∈ {0,1}*, the signer computes a valid signature σ = (z, h, c) on M using its private key sk; the verifier, holding the signer's public key pk = (ρ, t_1), checks a given message/signature pair (M, σ) and outputs 1 if and only if it accepts (M, σ) as a valid message/signature pair. The parameters of the method are selected through implementation work, detailed mathematical analysis and large-scale measurement, so as to obtain the best balance between efficiency and security while preserving the correctness of the digital signature scheme.

Description

Digital signature method based on lattice
Technical Field
The present invention relates to cryptography, and more particularly to a lattice-based digital signature method.
Background
Engineers at IBM predict that quantum computers will be deployed at scale within the next twenty years. Once quantum computers are mass-produced, most public-key cryptosystems based on the discrete logarithm problem, the elliptic-curve discrete logarithm problem or integer factorization will be broken. Therefore, whether or not the arrival of the quantum computing era can be predicted accurately, the current information security infrastructure needs to be raised to a quantum-resistant level.
Lattice cryptography is one of the main mathematical approaches to resisting quantum attacks today. In cryptography, the LWE (Learning With Errors) and SIS (Short Integer Solution) problems have proven to be more versatile than the other classical lattice problems (e.g. SVP and CVP).
Notation. Each string or value α is binary; α‖β denotes the concatenation of two binary strings α, β ∈ {0,1}*. For a real number x, ⌊x⌋ is the largest integer not greater than x and ⌈x⌉ the smallest integer not less than x.
For a positive even integer α and any integer r, r' = r mod± α is the unique integer r' with −α/2 < r' ≤ α/2 and r' ≡ r (mod α); for a positive odd integer α it is the unique integer r' with −(α−1)/2 ≤ r' ≤ (α−1)/2 and r' ≡ r (mod α). For a positive integer α, r' = r mod+ α is the unique integer r' with 0 ≤ r' ≤ α − 1 and r' ≡ r (mod α). When the particular representative r' does not matter, we simply write r mod α.
If S is a finite set, |S| is its cardinality and x ← S means that x is drawn uniformly at random from S; U(S) denotes the uniform distribution on S. If D is a probability distribution, x ← D means that x is sampled according to D. If α is neither an algorithm nor a set, x ← α is a plain assignment, x := α. If A is a probabilistic algorithm, A(x_1, x_2, …; r) is the output of A on inputs x_1, x_2, … with random coins r, and y ← A(x_1, x_2, …) means choosing r at random and setting y := A(x_1, x_2, …; r). Pr[R_1; …; R_n : E] is the probability that event E occurs after the ordered random processes R_1, …, R_n. A function f(λ) is negligible if for every c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c. Define the rings R = Z[x]/(Φ_m(x)) and R_q = Z_q[x]/(Φ_m(x)), where Φ_m(x) is the m-th cyclotomic polynomial; an element of R_q is a polynomial a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1} of degree less than n, n a positive integer. The positive integers k and l are the matrix dimensions, and R_q^{k×l} denotes a k×l matrix whose entries are polynomials in R_q. A function defined on scalars is applied to a vector component-wise.
Norms. For w ∈ Z_q, ‖w‖_∞ = |w mod± q|; for w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q, ‖w‖_∞ = max_i ‖w_i‖_∞; for w = (w_1, w_2, …, w_k) ∈ R^k, ‖w‖_∞ = max_i ‖w_i‖_∞. For a positive integer η, S_η = {w ∈ R : ‖w‖_∞ ≤ η} is the set of elements of R with all coefficients of absolute value at most η. B_60 denotes the subset of R consisting of polynomials with exactly 60 coefficients equal to ±1 and all other coefficients equal to 0.
For a binary vector h = (h_i), its Hamming weight is ‖h‖_1 = Σ_i h_i.
For each a ∈ R_q, the NTT representation of a is the result of applying the forward NTT to a. Concretely, when the prime q satisfies q ≡ 1 (mod 2n), let r be an element of order 2n in the multiplicative cyclic group Z_q^*; for any a ∈ R_q, â = NTT(a) = (a(r), a(r^3), …, a(r^{2n−1})) is the NTT representation of a. For an input vector over R_q, the NTT is applied to each polynomial of the vector independently.
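The NTT representation described above, as an added worked example in Python (editorial example code, not the patent's or the inventors' implementation). It uses toy values n = 8, q = 17 and r = 3, which are assumptions chosen so that the code is small and checkable by hand: 17 ≡ 1 (mod 16) and 3 has order 16 = 2n in Z_17^*, which is the only property the page's definition needs. The example evaluates a at the odd powers of r (the n roots of x^n + 1 in Z_q), inverts the map, and checks that the pointwise product in the NTT domain equals the schoolbook product in Z_q[x]/(x^n + 1), which is how As and Ay are computed once A is held in NTT form.

```python
# Added example (editorial code, not the patent's implementation): NTT over
# R_q = Z_q[x]/(x^n + 1) with toy n = 8, q = 17, r = 3 (assumption: the page
# uses n = 256 and a larger prime q; only q = 1 mod 2n matters here).
N, Q, R = 8, 17, 3

def has_order_2n(r=R):
    # r^n = -1 and r^(2n) = 1 mod q, i.e. r is a primitive 2n-th root of unity
    return pow(r, N, Q) == Q - 1 and pow(r, 2 * N, Q) == 1

def ntt(a):
    # a_hat_j = a(r^(2j+1)): evaluate a at the odd powers of r, which are exactly
    # the n roots of x^n + 1 in Z_q (direct O(n^2) evaluation, for clarity)
    return [sum(a[i] * pow(R, (2 * j + 1) * i, Q) for i in range(N)) % Q for j in range(N)]

def intt(a_hat):
    # inverse map: a_i = n^-1 * sum_j a_hat_j * r^-(2j+1)i, since r^2 has order n
    n_inv = pow(N, -1, Q)
    return [n_inv * sum(a_hat[j] * pow(R, -(2 * j + 1) * i, Q) for j in range(N)) % Q
            for i in range(N)]

def schoolbook_mul(a, b):
    # reference product in Z_q[x]/(x^n + 1): x^n = -1 folds the upper half with a sign flip
    c = [0] * N
    for i in range(N):
        for j in range(N):
            if i + j < N:
                c[i + j] = (c[i + j] + a[i] * b[j]) % Q
            else:
                c[i + j - N] = (c[i + j - N] - a[i] * b[j]) % Q
    return c

def ntt_mul(a, b):
    # multiplication in R_q as a pointwise product of NTT representations
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])
```

With q = 17 the forward map of x is (3, 3^3, 3^5, …, 3^15) mod 17; the negacyclic relation x · x^7 = x^8 = −1 is what the pointwise product must reproduce, and it does precisely because the evaluation points are roots of x^n + 1 rather than of x^n − 1.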
For a real number σ > 0 and x ∈ R, define the Gaussian function ρ_σ(x) = exp(−x^2/(2σ^2)); D_σ denotes the one-dimensional discrete Gaussian distribution on Z whose probability mass function is proportional to ρ_σ, and D_σ^n the n-dimensional spherical discrete Gaussian distribution on Z^n in which each coordinate is drawn independently from D_σ. Given positive integers n and q, both polynomial in the security parameter λ, an integer vector s ∈ Z_q^n and a probability distribution χ on Z_q, the LWE distribution A_{q,s,χ} on Z_q^n × Z_q is obtained by choosing a ← Z_q^n uniformly at random and e ← χ, and outputting (a, ⟨a, s⟩ + e mod q). The noise distribution χ is usually taken to be the discrete Gaussian D_σ, but other distributions may be used.
The decisional LWE assumption states that, for a sufficiently large security parameter λ, no probabilistic polynomial-time algorithm can distinguish A_{q,s,χ} from the uniform distribution on Z_q^n × Z_q with non-negligible probability. This holds even when the adversary sees polynomially many samples and the secret vector s is itself drawn from χ^n.
The MLWE problem is a module variant of the LWE problem. A sample from the MLWE distribution has the form (A, t) ∈ R_q^{k×l} × R_q^k: choose A ← R_q^{k×l} uniformly at random, s ← χ_1^l and e ← χ_2^k, and compute t = As + e. Here χ_1 and χ_2 are two probability distributions on R with parameters η_1 and η_2; they may be equal or different, and in this method χ_1 is the uniform distribution on S_{η_1} and χ_2 the uniform distribution on S_{η_2}. The (search) MLWE problem is to recover (s, e) from polynomially many samples of the MLWE distribution.
Specifically, for an adversary A, define its advantage Adv^{MLWE}_{k,l,χ_1,χ_2}(A) as the probability that A solves the MLWE problem.
If no algorithm A with running time at most t has advantage greater than ε, the MLWE_{k,l,χ_1,χ_2} hardness assumption is said to hold.
The SIS problem on standard lattices can be defined under the Euclidean norm, SIS_{q,m,n,β}, and under the infinity norm, SIS^∞_{q,m,n,β}, where m, n are positive integers, q is a modulus and β is a threshold parameter. Once the parameters (q, m, n, β) are fixed: given A ← Z_q^{n×m}, find a non-zero vector x ∈ Z^m with Ax ≡ 0 (mod q) and ‖x‖_2 ≤ β (for SIS^∞_{q,m,n,β}: ‖x‖_∞ ≤ β).
Similarly, the MSIS problem can be defined under both the Euclidean and the infinity norm with parameters (q, k, l, β), where k, l are positive integers, q is a modulus and β is a threshold parameter. Once (q, k, l, β) are fixed: given A ← R_q^{k×l}, find a non-zero vector x ∈ R_q^l with Ax ≡ 0 (mod q) and ‖x‖_2 ≤ β (for MSIS^∞_{q,k,l,β}: ‖x‖_∞ ≤ β). For any adversary A, define its advantage Adv^{MSIS}_{q,k,l,β}(A) as the probability that A outputs such a vector x.
If no algorithm A with running time at most t has advantage greater than ε, the MSIS_{q,k,l,β} hardness assumption is said to hold.
A lattice-based digital signature scheme can be constructed from the hardness of the MLWE problem and of the MSIS problem (under the infinity norm). A digital signature scheme is given by a triple of algorithms Π = (Gen, Sign, Verify) such that, for every security parameter λ:
1) Gen, the key generation algorithm, is a probabilistic polynomial-time algorithm that takes 1^λ as input and outputs a pair of strings (pk, sk), called the public key and the private key respectively; this is written (pk, sk) ← Gen(1^λ);
2) Sign, the signing algorithm, is a probabilistic polynomial-time algorithm that, for any message M ∈ {0,1}*, uses the private key sk to compute a signature σ on M; this is written σ ← Sign_sk(M);
3) Verify, the verification algorithm, is a deterministic polynomial-time algorithm that uses the public key pk and returns b ∈ {0,1} for any message/signature pair (M, σ); this is written b := Verify_pk(M, σ).
The digital signature scheme is said to be correct if for every λ, every key pair (pk, sk) output by Gen(1^λ), every message M ∈ {0,1}* to be signed and every σ ← Sign_sk(M), Verify_pk(M, σ) = 1.
A DKC (deterministic key consensus) scheme DKC = (params, Con, Rec) consists of three parts:
· params = (q, κ, g, δ, aux) are the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux is a set of further values determined by (q, κ, g, δ), empty by default;
· (k_1, v) ← Con(σ_1, params): Con(·) is a deterministic polynomial-time function that, on input (σ_1, params) with σ_1 ∈ Z_q, outputs (k_1, v) with k_1 ∈ Z_κ and v ∈ Z_g;
· k_2 ← Rec(σ_2, v, params): Rec(·) is a deterministic polynomial-time function that, on input (σ_2, v, params) with σ_2 ∈ Z_q, outputs k_2 ∈ Z_κ.
When params is clear from the context it is omitted for brevity.
The DKC scheme is correct if, for any σ_1, σ_2 ∈ Z_q with ‖σ_1 − σ_2‖_∞ ≤ δ, it always holds that k_1 = k_2. When κ ≥ 2, g ≥ 2 and 2κδ < q, an optimal concrete instance DKCN = (params, Con, Rec) of a DKC scheme can be constructed, as shown in Fig. 1.
On the basis of the optimal instance DKCN, four functions
HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() can be defined to guarantee the correctness of the signature method. The definitions of these four functions are shown in Fig. 2.
Disclosure of Invention
A first aspect of the present invention provides a lattice-based digital signature method. It uses the notation of the Background section above exactly as defined there: the concatenation α‖β of binary strings, the rounding operators ⌊x⌋ and ⌈x⌉, the representatives r mod± α and r mod+ α, the sampling and assignment notation, negligible functions, the rings R and R_q with Φ_m(x) the m-th cyclotomic polynomial, the matrix space R_q^{k×l} with functions applied component-wise, the norm ‖·‖_∞, the set S_η = {w ∈ R : ‖w‖_∞ ≤ η} for any positive integer η, the set B_h for any positive integer h (polynomials with exactly h coefficients equal to ±1 and all others 0), and the Hamming weight ‖h‖_1 = Σ_i h_i of a binary vector. The MLWE distribution and problem (samples (A, t) with A ← R_q^{k×l}, s ← χ_1^l, e ← χ_2^k, t = As + e) and the DKC scheme DKC = (params, Con, Rec) with its correctness requirement (k_1 = k_2 whenever ‖σ_1 − σ_2‖_∞ ≤ δ) are also as defined there. The MLWE_{k,l,χ_1,χ_2} hardness assumption is said to hold if there is no algorithm A with running time at most τ and advantage greater than ε, where τ is polynomial in n and ε is a negligible function of n.
The method comprises the following steps:
The system parameters required to generate signatures are (λ, n, q, κ, k, l, η_1, η_2, β_1, β_2, γ_1, γ_2, χ_1, χ_2, ω, d, h, L_1, L_2), where: the positive integer λ is the security parameter; the positive integer n is a power of 2; q ≥ 2 is a prime satisfying q ≡ 1 (mod 2n); the positive integer κ satisfies 2 ≤ κ ≤ 12; χ_1 and χ_2 are two equal or different noise distributions; k and l are positive integers polynomial in λ; d is a positive integer; the threshold parameters β_1, β_2, γ_1, γ_2 are positive integers; ω is a positive integer; β_1 ≤ h·η_1 and β_2 ≤ h·η_2, where h is a positive integer; γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ; and L_1, L_2 are positive integers.
Public and private key generation: the signer performs the following operations in sequence:
1) the signer samples the random seed ρ ← {0,1}^{L_1} and, optionally, a second random seed K;
2) the signer samples the secret vectors (s, e) ← S_{η_1}^l × S_{η_2}^k, i.e. s ← χ_1^l and e ← χ_2^k;
3) the signer maps the random string ρ of bit length L_1 to a matrix A ∈ R_q^{k×l} by calling the mapping function ExpandA(ρ);
4) the signer computes t := As + e ∈ R_q^k and calls the function Power2Round_q(t, d) to obtain (t_1, t_0), where t_1 ∈ R_q^k holds the high-order bits and t_0 ∈ R_q^k the low-order bits of t (applied coefficient-wise);
5) the signer computes tr := CRH(ρ, t_1, aux_tr), where the order in which the inputs are concatenated into the function CRH can be arbitrary and aux_tr is an optional, possibly empty, set of auxiliary values;
6) the signer finally outputs (pk, sk), where pk = (ρ, t_1) is the signer's public key and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the signer's private key;
the signer sends the public key information pk to the verifier;
The signing method comprises the following steps. The signer holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and the message to be signed M ∈ {0,1}*, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in sequence. First, the signer maps the random string ρ of bit length L_1 to the matrix A ∈ R_q^{k×l} by calling the mapping function ExpandA(ρ). Then the signer computes μ := CRH(tr, M), where the order of the input variables of the function CRH() can be adjusted arbitrarily. After that, the signer obtains the random seed ρ', which is either generated completely at random or derived deterministically by computing ρ' := CRH(K, μ). Finally, the signer sets ctr := 0 and (z, h) := ⊥ to complete the initialisation of the loop; the signer then enters a loop that runs until a signature satisfying (z, h) ≠ ⊥ is found. In each iteration of the loop the signer has two modes of operation:
The first mode of operation is as follows:
1) the signer first generates the random element of this iteration by calling y := ExpandMask(ρ', ctr), where the function ExpandMask() outputs a vector y ∈ R_q^l of polynomials with small coefficients;
2) the signer computes w := Ay ∈ R_q^k and w_1 := HighBits_q(w, γ_1), where HighBits_q(r, γ_1) outputs the high-order part of r ∈ Z_q; the function is extended coefficient-wise to vectors of polynomials, so w_1 can be regarded as a vector in R_q^k;
3) the signer obtains c ∈ B_h by calling c := H(w_1, μ), where B_h is a subset of R and H(·) is a function that maps an arbitrary input string in {0,1}* to an element of the set B_h; the order of its input variables can be arbitrary;
4) the signer computes z := y + cs ∈ R_q^l;
5) the signer computes (r_1, r_0) := Decompose_q(w − ce, γ_1), where the function call (r_1, r_0) := Decompose_q(r, γ_1) splits the input r ∈ Z_q into a high-order part r_1 and a low-order part r_0; the function is extended coefficient-wise to vectors of polynomials;
6) if ‖z‖_∞ ≥ γ_1 − β_1 or ‖r_0‖_∞ ≥ γ_2 − β_2 or r_1 ≠ w_1, the signer ends this iteration directly, sets ctr := ctr + 1 and starts the next iteration;
7) the signer computes h := MakeHint_q(−ct_0, w − ce + ct_0, γ_1), where the inputs z, r of the function MakeHint_q(z, r, γ_1) are elements of Z_q and its output is a bit in {0,1}; the function is extended coefficient-wise to vectors of polynomials, giving h ∈ {0,1}^{k·n};
8) if ‖ct_0‖_∞ ≥ γ_2 or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the signer ends this iteration directly, sets ctr := ctr + 1 and starts the next iteration; otherw, the (z, h, c) generated in this iteration is a signature meeting the requirements;
the signer sends the (z, h, c) generated in the last iteration to the verifier as the signature on the input message M ∈ {0,1}*;
The second mode of operation is based on DKCN and works as follows:
1) the signer first generates the random element of this iteration by calling y := ExpandMask(ρ', ctr), where the order of the inputs of the function ExpandMask() can be arbitrary and its output is a vector y ∈ R_q^l of polynomials with small coefficients;
2) the signer computes w := Ay ∈ R_q^k and w_1 := HighBits_{q,κ}(w), where HighBits_{q,κ}(r) outputs the high-order part of r ∈ Z_q; the function is extended coefficient-wise to vectors of polynomials, so w_1 can be regarded as a vector in R_q^k;
3) the signer obtains c ∈ B_h by calling c := H(w_1, μ), where B_h is a subset of R and H(·) is a function that maps an arbitrary input string in {0,1}* to an element of the set B_h; the order of its input variables can be arbitrary;
4) the signer computes z := y + cs ∈ R_q^l;
5) the signer computes (r_1, r_0) := Con(w − ce), where the function call (r_1, r_0) := Con(r) splits the input r ∈ Z_q into r_1 and r_0; the function is extended coefficient-wise to vectors of polynomials;
6) if ‖z‖_∞ ≥ γ_1 − β_1 or ‖r_0‖_∞ ≥ q/2 − κ·β_2 or r_1 ≠ w_1, the signer ends this iteration directly, sets ctr := ctr + 1 and starts the next iteration;
7) the signer computes h := MakeHint_{q,κ}(−ct_0, w − ce + ct_0), where the inputs z, r of the function MakeHint_{q,κ}(z, r) are elements of Z_q and its output is a bit in {0,1}; the function is extended coefficient-wise to vectors of polynomials, giving h ∈ {0,1}^{k·n};
8) if ‖ct_0‖_∞ ≥ γ_2 or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the signer ends this iteration directly, sets ctr := ctr + 1 and starts the next iteration; otherwise, the (z, h, c) generated in this iteration is a signature meeting the requirements;
the signer sends the (z, h, c) generated in the last iteration to the verifier as the signature on the input message M ∈ {0,1}*;
The verification method comprises the following steps: after receiving a pair (M, (z, h, c)), where M ∈ {0,1}*, h ∈ {0,1}^{k·n} and c ∈ B_h, the verifier performs the verification using the public key information pk = (ρ, t_1). If the signer used the first mode of operation, the verifier performs the following operations:
1) the verifier maps the random string ρ of bit length L_1 to the matrix A ∈ R_q^{k×l} by calling the mapping function ExpandA(ρ);
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where the order in which the inputs are concatenated into the function CRH can be arbitrary and aux_tr is the same optional, possibly empty, set of auxiliary values used by the signer;
3) the verifier computes μ := CRH(tr, M), where the order in which the inputs of CRH() are concatenated can be arbitrary;
4) the verifier computes w'_1 := UseHint_q(h, Az − ct_1·2^d, γ_1), where UseHint_q(h, r, γ_1) uses the hint bit h ∈ {0,1} to recover the high-order part of r ∈ Z_q; the function is extended coefficient-wise to each component of the input vector, so w'_1 can be regarded as a vector in R_q^k;
5) if ‖z‖_∞ < γ_1 − β_1 and c = H(μ, w'_1) and the Hamming weight of h ∈ {0,1}^{k·n} is at most the parameter ω, the verifier sets b := 1, meaning that the pair (M, (z, h, c)) is accepted as a valid message/signature pair; otherwise it sets b := 0, meaning that the pair (M, (z, h, c)) is rejected as an invalid message/signature pair;
finally, the verifier outputs b ∈ {0,1};
If the signer used the second mode of operation, the verifier performs the following operations:
1) the verifier maps the random string ρ of bit length L_1 to the matrix A ∈ R_q^{k×l} by calling the mapping function ExpandA(ρ);
2) the verifier computes tr := CRH(ρ, t_1, aux_tr), where the order in which the inputs are concatenated into the function CRH can be arbitrary and aux_tr is the same optional, possibly empty, set of auxiliary values used by the signer;
3) the verifier computes μ := CRH(tr, M), where the order in which the inputs of CRH() are concatenated can be arbitrary;
4) the verifier computes w'_1 := UseHint_{q,κ}(h, Az − ct_1·2^d), where UseHint_{q,κ}(h, r) uses the hint bit h ∈ {0,1} to recover the high-order part of r ∈ Z_q; the function is extended coefficient-wise to each component of the input vector, so w'_1 can be regarded as a vector in R_q^k;
5) if ‖z‖_∞ < γ_1 − β_1 and c = H(μ, w'_1) and the Hamming weight of h ∈ {0,1}^{k·n} is at most the parameter ω, the verifier sets b := 1, meaning that the pair (M, (z, h, c)) is accepted as a valid message/signature pair; otherwise it sets b := 0, meaning that the pair (M, (z, h, c)) is rejected as an invalid message/signature pair;
finally, the verifier outputs b ∈ {0,1}.
A second aspect of the invention is based on the first aspect, wherein:
· the function ExpandA() maps a random seed ρ ∈ {0,1}^{L_1} to the NTT representation of a matrix A ∈ R_q^{k×l}, where the NTT representation of each entry is the result of the forward NTT;
· CRH() is a collision-resistant hash function; the order in which its inputs are concatenated can be arbitrary, and it maps any element of {0,1}* to an element of a fixed output set;
· the function ExpandMask() maps an input in {0,1}* to a vector y ∈ R_q^l of polynomials with small coefficients; the order in which its inputs are concatenated can be arbitrary;
· when κ ≥ 2, g ≥ 2 and 2κδ < q, an optimal concrete instance DKCN = (params, Con, Rec) of the DKC scheme can be constructed as follows:
· on input (σ_1, params) with σ_1 ∈ Z_q, the function Con is implemented as follows: first compute v := κ·σ_1 mod± q; if κ·σ_1 − v = κ·q holds, set k_1 := 0, otherwise set k_1 := (κ·σ_1 − v)/q; finally, the function returns (k_1, v);
· on input (σ_2, v, params) with σ_2 ∈ Z_q, the function Rec computes k_2 ∈ Z_κ from σ_2 and v and returns k_2.
A third aspect of the invention is based on the second aspect of the invention, wherein: function Power2Round q () The function is as follows:
at a given input (r, d) isd<log 2 q) function Power2Round q () The following operations are performed: first r: =rmod is calculated + q; then calculate r 0 :=rmod ± 2 d The method comprises the steps of carrying out a first treatment on the surface of the Finally, the function returns ((r-r) 0 )/2 d ,r 0 );
Function decompensate in the first mode of operation q (),HighBits q (),MakeHint q (),UseHint q () The definition of (2) is as follows:
at a given input (r, α)Function decompensate q () The following operations are performed: first r: =rmod is calculated + q; then calculate r 0 :=rmod ± Alpha; if r-r 0 When =q-1 is satisfied, then set (r 1 ,r 0 ):=(0,r 0 -1) otherwise set r 1 :=(r-r 0 ) Alpha; finally, return (r 1 ,r 0 );
At a given input (r, α)Function HighBits q () The following operations are performed: first calculate (r 1 ,r 0 ):=Decompose q (r, α); then return to r 1
At a given input (z, r, α)Function makeHint q () The following operations are performed: first, r is calculated 1 :=HighBits q (r, α); then calculate v 1 :=HighBits q (r+z, α); if r 1 =v 1 If true, returning to 0, otherwise, returning to 1;
given an input (h, r, a) (h e 0,1,) Function useHint q () The following operations are performed: first, m= (q-1)/α is calculated; then calculate (r 1 ,r 0 ):=Decompose q (r, α); if h=0 holds, return r 1 The method comprises the steps of carrying out a first treatment on the surface of the If h=1 and r 0 If > 0 is true, return (r 1 +1)mod + m; if h=1 and r 0 If not more than 0 is true, return (r 1 -1)mod + m;
Function decompensate in the second mode of operation q,κ (),HighBits q,κ (),LowBits q,κ (),MakeHint q,κ (),UseHint q,κ () By using the optimal instance DKCN, itThe definition is as follows:
·
at a given input rFunction decompensate q,κ () The following operations are performed: first calculate (r 1 ,r 0 ) 1 =con (r); then return (r) 1 ,r 0 );
At a given input rFunction HighBits q,κ () The following operations are performed: (r) 1 ,r 0 ) 1 =con (r); then return to r 1
At a given input rFunction LowBits q,κ () The following operations are performed: (r) 1 ,r 0 ) 1 =con (r); then return to r 0
At a given input r Function makeHint q,κ () The following operations are performed: first, r is calculated 1 :=HighBits q,κ (r); then calculate v 1 :=HighBits q,κ (r+z); if r 1 =v 1 If true, returning to 0, otherwise, returning to 1;
at a given input rFunction useHint q,κ () The following operations are performed: first calculate (r 1 ,r 0 ) 1 =con (r); if h=0 holds, return r 1 The method comprises the steps of carrying out a first treatment on the surface of the If h=1 and r 0 If > 0 is true, return (r 1 +1)mod + Kappa; if h=1 and r 0 Is less than or equal to 0 and is equal to or less than 0,return (r) 1 -1)mod + κ
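The second working mode's decomposition in runnable form, as an added example that is not the patent's own code: Con() exactly as defined in the second aspect, the five auxiliary functions built on it, and two checks of the properties that the signing and verification steps rely on, namely that UseHint recovers HighBits(r + z) from r and the one-bit hint whenever |z| ≤ γ2, and that the high part is unchanged by adding an error of size at most β2 whenever the low part satisfies |r0| < q/2 − κ·β2 (the rejection bound of the second mode). The values q = 1952257, κ = 8, γ2 = 122016 and β2 = 120 are taken from parameter set-1 of the page; the random test inputs are constructed.

```python
"""Second working mode of the page's scheme: the Con()-based decomposition and the
hint functions built on it, plus checks of the properties signing and verifying rely on."""
import random

# Parameter set-1 values from the page (assumption: beta2 = 120 is that set's upper bound).
Q, KAPPA, GAMMA2, BETA2 = 1952257, 8, 122016, 120


def mod_pm(r, a):
    """r mod± a: the representative of r in (-a/2, a/2]."""
    r %= a
    return r - a if r > a // 2 else r


def con(sigma):
    """Con(sigma): v = kappa*sigma mod± q, k1 = (kappa*sigma - v)/q, with kappa*q wrapped to 0.
    k1 is the 'high part' (an element of Z_kappa), v the 'low part' (centred, |v| <= q/2)."""
    v = mod_pm(KAPPA * sigma, Q)
    num = KAPPA * sigma - v            # always an exact multiple of q
    k1 = 0 if num == KAPPA * Q else num // Q
    return k1, v


def decompose_qk(r):
    return con(r % Q)


def high_bits_qk(r):
    return con(r % Q)[0]


def low_bits_qk(r):
    return con(r % Q)[1]


def make_hint_qk(z, r):
    """1 iff adding z to r changes the high part."""
    return 0 if high_bits_qk(r) == high_bits_qk(r + z) else 1


def use_hint_qk(h, r):
    """Recover HighBits(r + z) from r and the hint bit, using the sign of the low part
    to decide the direction of the change (valid for |z| <= gamma2 = floor(q/(2*kappa)))."""
    r1, r0 = decompose_qk(r)
    if h == 0:
        return r1
    return (r1 + 1) % KAPPA if r0 > 0 else (r1 - 1) % KAPPA


def hint_identity_holds(trials=5000, seed=0):
    """UseHint(MakeHint(z, r), r) == HighBits(r + z) for random r and |z| <= gamma2,
    plus constructed boundary cases (wrap-around in Con, |z| = gamma2)."""
    rng = random.Random(seed)
    cases = [(rng.randrange(Q), rng.randint(-GAMMA2, GAMMA2)) for _ in range(trials)]
    cases += [(Q - 1, 1), (Q - 1, -GAMMA2), (GAMMA2, 1), (GAMMA2, GAMMA2),
              (GAMMA2, -GAMMA2), (0, GAMMA2)]
    return all(use_hint_qk(make_hint_qk(z, r), r) == high_bits_qk(r + z) for r, z in cases)


def high_part_stable(trials=5000, seed=1):
    """If |LowBits(r)| < q/2 - kappa*beta2 (the signer's rejection bound for r0), adding any
    e with |e| <= beta2 leaves HighBits unchanged, which is what lets the verifier recompute w1."""
    rng = random.Random(seed)
    bound = Q / 2 - KAPPA * BETA2
    for _ in range(trials):
        r, e = rng.randrange(Q), rng.randint(-BETA2, BETA2)
        if abs(low_bits_qk(r)) >= bound:
            continue                        # such an r would be rejected by the signer
        if high_bits_qk(r + e) != high_bits_qk(r):
            return False
    return True


if __name__ == "__main__":
    print(con(Q - 1), hint_identity_holds(), high_part_stable())   # (0, -8) True True
```

Both check functions return True. The boundary cases exercise the wrap-around κ·σ − v = κ·q in Con (σ = q − 1 gives (0, −8)) and |z| = γ2, for which κ·γ2 = (q − 1)/2 just fits inside the centred interval of mod± q; this is why the second mode's rejection test on ct0 uses the bound γ2.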
A fourth aspect of the present invention is based on the third aspect, wherein:
·λ ≥ 128;
·L1 ≥ 256, L2 ≥ 384;
·
·n = 256;
·h = 60;
·q ≤ 2^20 is a prime number;
d satisfies
·3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7;
·
·η1, η2 ∈ {1, 2};
·β1 ≤ 60·η1, β2 ≤ 60·η2.
The fifth aspect of the present invention is based on the fourth aspect; specifically, the parameters of the inventive method are selected as follows:
Parameter set-1: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=3, l=2, ω≤64;
Parameter set-2: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=4, l=3, ω≤80;
Parameter set-3: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=5, l=4, ω≤96;
Parameter set-4: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=6, l=5, ω≤120;
Parameter set-5: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=4, l=3, ω≤80;
Parameter set-6: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=5, l=4, ω≤96;
Parameter set-7: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=6, l=5, ω≤120;
Parameter set-8: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=4, l=3, ω≤80;
Parameter set-9: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=5, l=4, ω≤96;
Parameter set-10: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=6, l=5, ω≤120;
Parameter set-11: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=4, l=3, ω≤80;
Parameter set-12: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=5, l=4, ω≤96;
Parameter set-13: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=6, l=5, ω≤120;
Parameter set-14: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=4, l=3, ω≤80;
Parameter set-15: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=5, l=4, ω≤96;
Parameter set-16: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=6, l=5, ω≤120.
Drawings
Fig. 1 exemplarily shows the construction principle of the DKCN mechanism;
Fig. 2 schematically shows the definition of the auxiliary functions based on the DKCN mechanism, which are used in the second working mode of the signature function and the verification function;
Fig. 3 is an exemplary table showing the four functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q(), which are used in the first working mode of the signature function and the verification function.
Detailed Description
The invention provides a new parameter setting method for a lattice-based digital signature scheme. S denotes the signer and V the verifier. S uses its own private key sk to compute a signature σ for a message M ∈ {0,1}*; V uses the public key pk of S to verify the inherent logical relationship within the message-signature pair (M, σ), and finally outputs 1 if and only if V accepts (M, σ) as a legitimate message-signature pair from S.
The system parameters required to generate a signature are (λ, n, q, κ, k, l, η1, η2, χ1, χ2, β1, β2, γ1, γ2, ω, d, h, L1, L2); the positive integer λ is the security parameter; the positive integer n is a power of 2; q ≥ 2 is a prime satisfying q ≡ 1 (mod 2n); the positive integer κ satisfies 2 ≤ κ ≤ 12; χ1, χ2 are two identical or different noise distributions; k and l are positive integers polynomial in λ; d is a positive integer; the threshold parameters β1, β2, γ1, γ2 are all positive integers; ω is a positive integer; β1, β2 are positive integers with β1 ≤ h·η1 and β2 ≤ h·η2; h is a positive integer; the parameters γ1 = γ1(q, κ) and γ2 = γ2(q, κ) are positive integers whose values depend on q and κ; L1, L2 are positive integers.
Public and private key generation: the signer S performs the following operations in order:
7) The signer S obtains the random seed ρ and, optionally, the random seed K by sampling;
8) The signer S obtains s and e by random sampling;
9) The signer S maps the random string ρ of bit length L1 to the matrix A by calling the function ExpandA(); ExpandA() is a mapping function;
10) The signer S computes t := As + e and calls the function Power2Round_q(t, d) to generate (t1, t0);
Given the input (r, d) with d < log2 q, the function Power2Round_q() performs the following operations: first compute r := r mod+ q; then compute r0 := r mod± 2^d; finally, the function returns ((r − r0)/2^d, r0);
11) The signer S computes tr := CRH(ρ, t1, aux_tr), where the order in which the input elements are concatenated in the function CRH can be arbitrary, and aux_tr is a set of values that may be empty;
12) The signer S finally outputs (pk, sk), where pk = (ρ, t1) is the public key of the signer S and sk = (ρ, K, tr, s, e, t0) or sk = (ρ, tr, s, e, t0) is the private key of the signer S;
The signer S transmits the public key pk to the verifier V.
The signature method is as follows: the signer S holds the private key sk = (ρ, K, tr, s, e, t0) or sk = (ρ, tr, s, e, t0) and the message M ∈ {0,1}* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in order. First, the signer S maps the random string ρ of length L1 to the matrix A by calling the function ExpandA(); ExpandA() is a mapping function. Then the signer S generates μ by calling μ := CRH(tr, M), where the order in which the input elements are concatenated in the function CRH can be arbitrary. After that, the signer S obtains a random seed ρ' for the signing method, where ρ' is either generated completely at random or derived deterministically by computing CRH(K, μ). Finally, the signer S sets ctr := 0 and (z, h) := ⊥ to complete the initialization of the loop; the signer S then enters the loop body until a signature satisfying (z, h) ≠ ⊥ is found. Specifically, in each iteration the signer S has the following two modes of operation:
In the first mode of operation the four functions Decompose_q(), HighBits_q(), MakeHint_q(), UseHint_q() are required; their definitions are shown in Fig. 3. The first mode of operation works as follows:
9) The signer S first generates the random element y of this round by calling y := ExpandMask(ρ', ctr);
10) The signer S computes w := Ay and w1 := HighBits_q(w, γ1), where HighBits_q(r, γ1) outputs the high-order part of r; the function is extended to vectors by applying it to each coefficient, so w1 can be regarded as a vector element;
11) The signer S obtains c ∈ B_h by calling c := H(w1, μ), where B_h is a subset of R, and H(·) is a function whose input order can be arbitrary and which maps any input string in {0,1}* to an element of the set B_h;
12) The signer S computes z := y + cs;
13) The signer S computes (r1, r0) := Decompose_q(w − ce, γ1), where the function call (r1, r0) := Decompose_q(r, γ1) decomposes the input r into r1 and r0; the function is extended to vectors by applying it to each coefficient;
14) If ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ γ2 − β2 or r1 ≠ w1, the current round is ended immediately, ctr := ctr + 1 is set, and the next round begins;
15) The signer S computes h := MakeHint_q(−ct0, w − ce + ct0, γ1); the output value of MakeHint_q(z, r, γ1) belongs to {0,1}; the function is extended to vectors by applying it to each coefficient, so h ∈ {0,1}^{k·n};
16) If ‖ct0‖∞ ≥ γ2 or the Hamming distance of h ∈ {0,1}^{k·n} is greater than the parameter ω, the current round is ended imm<br>ediately, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in this round is a signature meeting the requirements;
The signer S sends the (z, h, c) generated in the last round to the verifier V as the signature of the message M ∈ {0,1}*.
The second working mode is based on DKCN and on the auxiliary functions HighBits_{q,κ}(), LowBits_{q,κ}(), MakeHint_{q,κ}(), UseHint_{q,κ}() built on DKCN; their definitions are shown in Fig. 2. The second mode of operation works as follows:
9) The signer S first generates the random element y of this round by calling y := ExpandMask(ρ', ctr);
10) The signer S computes w := Ay and w1 := HighBits_{q,κ}(w), where HighBits_{q,κ}(r) outputs the high-order part of r; the function is extended to vectors by applying it to each coefficient, so w1 can be regarded as a vector element;
11) The signer S obtains c ∈ B_h by calling c := H(w1, μ), where B_h is a subset of R, and H(·) is a function whose input order can be arbitrary and which maps any input string in {0,1}* to an element of the set B_h;
12) The signer S computes z := y + cs;
13) The signer S computes (r1, r0) := Con(w − ce), where the function call (r1, r0) := Con(r) decomposes the input r into r1 and r0; the function is extended to vectors by applying it to each coefficient;
14) If ‖z‖∞ ≥ γ1 − β1 or ‖r0‖∞ ≥ q/2 − κ·β2 or r1 ≠ w1, the current round is ended immediately, ctr := ctr + 1 is set, and the next round begins;
15) The signer S computes h := MakeHint_{q,κ}(−ct0, w − ce + ct0); the output value of MakeHint_{q,κ}(z, r) belongs to {0,1}; the function is extended to vectors by applying it to each coefficient, so h ∈ {0,1}^{k·n};
16) If ‖ct0‖∞ ≥ γ2 or the Hamming distance of h ∈ {0,1}^{k·n} is greater than the parameter ω, the current round is ended immediately, ctr := ctr + 1 is set, and the next round begins; otherwise, the (z, h, c) generated in this round is a signature meeting the requirements;
The signer S sends the (z, h, c) generated in the last round to the verifier V as the signature of the message M ∈ {0,1}*.
The verification method is as follows: on receiving a pair (M, (z, h, c)) (where M ∈ {0,1}*, h ∈ {0,1}^{k·n}, c ∈ B_h), the verifier V performs the verification using the public key pk = (ρ, t1); if the signer S used the first mode of operation, the verifier V performs the following operations:
6) The verifier V maps the random string ρ of length L1 to the matrix A by calling the function ExpandA(); ExpandA() is a mapping function;
7) The verifier V computes tr := CRH(ρ, t1, aux_tr), where the order in which the inputs are concatenated in the function CRH can be arbitrary, and aux_tr is a set of values that may be empty;
8) The verifier V generates μ by calling μ := CRH(tr, M);
9) The verifier V computes w1' := UseHint_q(h, Az − c·t1·2^d, γ1); UseHint_q(h, r, γ1) generates a value from h ∈ {0,1} and r, and the function is extended to each component of the input vector, so w1' can be regarded as a vector;
10) If ‖z‖∞ < γ1 − β1 and c = H(μ, w1') and the Hamming distance of h ∈ {0,1}^{k·n} is less than or equal to the parameter ω, set b := 1 to indicate that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise set b := 0 to indicate that the pair (M, (z, h, c)) is considered an incorrect message-signature pair;
Finally, the verifier V outputs b ∈ {0,1}.
If the signer S used the second mode of operation, the verifier V performs the following operations:
6) The verifier V maps the random string ρ of length L1 to the matrix A by calling the function ExpandA(); ExpandA() is a mapping function;
7) The verifier V computes tr := CRH(ρ, t1, aux_tr), where the order in which the input elements are concatenated in the function CRH can be arbitrary, and aux_tr is a set of values that may be empty;
8) The verifier V generates μ by calling μ := CRH(tr, M), where the order in which the inputs are concatenated in the function CRH can be arbitrary;
9) The verifier V computes w1' := UseHint_{q,κ}(h, Az − c·t1·2^d); UseHint_{q,κ}(h, r) generates a value from h ∈ {0,1} and r, and the function is extended to each component of the input vector, so w1' can be regarded as a vector;
10) If ‖z‖∞ < γ1 − β1 and c = H(μ, w1') and the Hamming distance of h ∈ {0,1}^{k·n} is less than or equal to the parameter ω, set b := 1 to indicate that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise set b := 0 to indicate that the pair (M, (z, h, c)) is considered an incorrect message-signature pair;
Finally, the verifier V outputs b ∈ {0,1}.
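The first working mode end to end, as an added example that is not code from the patent or from its authors: the auxiliary functions Power2Round_q, Decompose_q, HighBits_q, MakeHint_q and UseHint_q as defined above, followed by key generation, the signing loop with its rejection tests (steps 14) and 16)) and the verifier's recomputation of w1 via UseHint (steps 9) and 10)). It takes q, d, k, l, γ1, γ2 and η from parameter set-1 but, as assumptions of the example, shrinks n to 16, h to 4 and ω to 8 so that schoolbook multiplication in Z_q[x]/(x^n + 1) stays fast; ExpandA, ExpandMask and CRH are replaced by a seeded Python RNG and SHA3-256, and the challenge hash H is a toy SHAKE-256 based sampler of B_h. The message and the seeds are constructed.

```python
"""First working mode of the page's scheme, end to end: Power2Round/Decompose/HighBits/
MakeHint/UseHint, key generation, the signing loop with its rejection tests, verification."""
import hashlib
import random

# q, d, k, l, gamma1, gamma2, eta from parameter set-1 on the page; n, h and omega are
# shrunk (assumption: n=16, h=4, omega=8) so schoolbook arithmetic in R_q stays fast.
Q, N, D, K, L = 1952257, 16, 13, 3, 2
GAMMA1, GAMMA2, ETA, H_WEIGHT, OMEGA = 244032, 122016, 2, 4, 8
BETA = H_WEIGHT * ETA                    # beta1 = beta2 = h*eta, bound on ||c*s||, ||c*e||

def mod_pm(r, a):                        # r mod± a, representative in (-a/2, a/2]
    r %= a
    return r - a if r > a // 2 else r

def power2round(r, d=D):                 # (r1, r0) with r = r1*2^d + r0 (mod q)
    r %= Q
    r0 = mod_pm(r, 1 << d)
    return (r - r0) >> d, r0

def decompose(r, alpha=GAMMA1):          # (r1, r0) with r = r1*alpha + r0 (mod q)
    r %= Q
    r0 = mod_pm(r, alpha)
    if r - r0 == Q - 1:                  # q - 1 = m*alpha is folded onto high part 0
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def high_bits(r, alpha=GAMMA1): return decompose(r, alpha)[0]

def make_hint(z, r, alpha=GAMMA1):       # 1 iff adding z changes the high bits of r
    return int(high_bits(r, alpha) != high_bits(r + z, alpha))

def use_hint(h, r, alpha=GAMMA1):        # recover HighBits(r + z) from r and the hint
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

# Vectors over R_q = Z_q[x]/(x^N + 1) are lists of coefficient lists of length N.
def poly_mul(a, b):                      # negacyclic schoolbook product
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out

def vec_add(u, v): return [[(x + y) % Q for x, y in zip(p, r)] for p, r in zip(u, v)]
def vec_sub(u, v): return [[(x - y) % Q for x, y in zip(p, r)] for p, r in zip(u, v)]
def scalar_mul(c, v): return [poly_mul(c, p) for p in v]
def coeff_map(f, v): return [[f(x) for x in p] for p in v]
def inf_norm(v): return max(abs(mod_pm(x, Q)) for p in v for x in p)
def weight(h): return sum(map(sum, h))   # the page's "Hamming distance" of h

def mat_vec(A, v):
    out = []
    for row in A:
        acc = [0] * N
        for a, x in zip(row, v):
            acc = [(p + q) % Q for p, q in zip(acc, poly_mul(a, x))]
        out.append(acc)
    return out

def challenge(w1, mu):                   # H(w1, mu) -> c in B_h: h coefficients in {-1, +1}
    seed = hashlib.shake_256(repr((w1, mu)).encode()).digest(32)   # toy sampler (assumption)
    rng = random.Random(seed)
    c = [0] * N
    for pos in rng.sample(range(N), H_WEIGHT):
        c[pos] = rng.choice((-1, 1))
    return c

def keygen(rng):                         # A drawn directly instead of via ExpandA(rho)
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s = [[rng.randint(-ETA, ETA) for _ in range(N)] for _ in range(L)]
    e = [[rng.randint(-ETA, ETA) for _ in range(N)] for _ in range(K)]
    t = vec_add(mat_vec(A, s), e)        # t = A*s + e, then split by Power2Round
    t1 = coeff_map(lambda x: power2round(x)[0], t)
    t0 = coeff_map(lambda x: power2round(x)[1], t)
    return (A, t1), (A, s, e, t0)

def sign(sk, msg, rng):                  # rng stands in for ExpandMask(rho', ctr)
    A, s, e, t0 = sk
    mu = hashlib.sha3_256(msg).hexdigest()        # stands in for mu = CRH(tr, M)
    while True:                                   # loop until (z, h) != ⊥
        y = [[rng.randint(-GAMMA1 + 1, GAMMA1 - 1) for _ in range(N)] for _ in range(L)]
        w = mat_vec(A, y)
        w1 = coeff_map(high_bits, w)
        c = challenge(w1, mu)
        z = vec_add(y, scalar_mul(c, s))
        wce = vec_sub(w, scalar_mul(c, e))        # w - c*e
        r1 = coeff_map(high_bits, wce)
        r0 = coeff_map(lambda x: decompose(x)[1], wce)
        if inf_norm(z) >= GAMMA1 - BETA or inf_norm(r0) >= GAMMA2 - BETA or r1 != w1:
            continue                              # step 14): restart the round
        ct0 = scalar_mul(c, t0)
        r = vec_add(wce, ct0)                     # w - c*e + c*t0
        h = [[make_hint(-a, b) for a, b in zip(pa, pb)] for pa, pb in zip(ct0, r)]
        if inf_norm(ct0) >= GAMMA2 or weight(h) > OMEGA:
            continue                              # step 16): restart the round
        return z, h, c

def verify(pk, msg, sig):
    A, t1 = pk
    z, h, c = sig
    mu = hashlib.sha3_256(msg).hexdigest()
    u = vec_sub(mat_vec(A, z), scalar_mul(c, coeff_map(lambda x: (x << D) % Q, t1)))
    w1p = [[use_hint(hb, x) for hb, x in zip(ph, pu)] for ph, pu in zip(h, u)]  # step 9)
    return inf_norm(z) < GAMMA1 - BETA and c == challenge(w1p, mu) and weight(h) <= OMEGA

def demo(seed=7):                        # (genuine message verifies, tampered one does not)
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sig = sign(sk, b"constructed test message", rng)
    return verify(pk, b"constructed test message", sig), verify(pk, b"tampered message", sig)
```

demo() returns (True, False). The genuine signature verifies because Az − c·t1·2^d = Ay − ce + ct0 = w − ce + ct0, which is exactly the r that MakeHint was given together with z = −ct0, and ‖ct0‖∞ < γ2 = α/2 is what lets UseHint recover HighBits(w − ce) = w1 from that r and a single bit per coefficient; the r0 and r1 ≠ w1 tests of step 14) make HighBits(w − ce) equal the w1 that was hashed, so the verifier's recomputed challenge matches.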
In the above signature mechanism,
the ExpandA() function maps a random seed ρ ∈ {0,1}^{L1} into a matrix A in NTT representation; the input elements can be concatenated in any order, and generally L1 ≥ 256; for example, ExpandA() may be implemented by repeatedly calling the SHAKE-128 function;
CRH() is a collision-resistant hash function; the input elements can be concatenated in any order; it maps any element of {0,1}* to an element of its output set, and generally L2 ≥ 384; for example, CRH() may be implemented by calling the SHAKE-256 function;
the ExpandMask() function maps input elements in {0,1}* to the element y; for example, it is implemented by repeatedly calling the SHAKE-256 function;
typically, λ ≥ 128, n = 256, h = 60;
for the other parameters, we generally take η1, η2 ∈ {1, 2}, β1 ≤ 60·η1, β2 ≤ 60·η2, n = 256, q ≤ 2^20 prime, d satisfying its required bound, 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7.
Specifically, the parameters of the method are selected as follows:
Parameter set-1: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=3, l=2, ω≤64;
Parameter set-2: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=4, l=3, ω≤80;
Parameter set-3: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=5, l=4, ω≤96;
Parameter set-4: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=2, β1≤120, β2≤120, q≤1952257, κ=8, d=13, γ1=244032, γ2=122016, k=6, l=5, ω≤120;
Parameter set-5: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=4, l=3, ω≤80;
Parameter set-6: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=5, l=4, ω≤96;
Parameter set-7: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤523777, κ=4, d=12, γ1=130944, γ2=65472, k=6, l=5, ω≤120;
Parameter set-8: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=4, l=3, ω≤80;
Parameter set-9: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=5, l=4, ω≤96;
Parameter set-10: λ=128, n=256, h=60, L1=256, L2=384, η1=η2=1, β1≤60, β2≤60, q≤592897, κ=5, d=12, γ1=118579, γ2=59289, k=6, l=5, ω≤120;
Parameter set-11: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=4, l=3, ω≤80;
Parameter set-12: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=5, l=4, ω≤96;
Parameter set-13: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤786433, κ=6, d=12, γ1=131072, γ2=65536, k=6, l=5, ω≤120;
Parameter set-14: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=4, l=3, ω≤80;
Parameter set-15: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=5, l=4, ω≤96;
Parameter set-16: λ=128, n=256, h=60, L1=256, L2=384, η1=2, η2=1, β1≤120, β2≤60, q≤913921, κ=7, d=12, γ1=130560, γ2=65280, k=6, l=5, ω≤120.
Difficulty and creativity of the parameter selection and testing of the inventive method: the correctness, security and efficiency of the method in practical applications (including the running efficiency of the signature algorithm, the running efficiency of the verification algorithm, the signature size, the public and private key sizes, and so on) depend heavily on the choice of specific parameters. Selecting these parameters requires many factors to be weighed together and requires programmed testing. The difficulty lies in raising the efficiency of the system as much as possible while ensuring its correctness and achieving security of sufficient strength.
Specifically, when selecting the recommended parameters, we need to consider the following requirements and objectives:
the parameters should be chosen appropriately to ensure the correctness of the signature mechanism;
the recommended parameters should first be chosen with the goal of 128-bit quantum security, while striving to ensure that the quantum security of the other parameter sets reaches the desired level;
the parameters should be chosen so that the expected number of restarts in the signature algorithm is as small as possible, to guarantee the efficiency of the signature algorithm;
the parameters should be chosen so that the sum of the public key size and the signature size is as small as possible.
From the perspective of parameter values, the system parameters (λ, n, q, κ, k, l, η1, η2, χ1, χ2, β1, β2, γ1, γ2, ω, d, h, L1, L2)
should satisfy:
·n = 256, and the prime q satisfies q ≡ 1 (mod n/2);
·κ < q, k ≥ l;
·χ1 = U(S_{η1}), χ2 = U(S_{η2});
·β1, β2 should be chosen so that, for the random variable c ← B_60, Pr[‖c·s‖∞ ≥ β1] ≤ 2^−128 and Pr[‖c·e‖∞ ≥ β2] ≤ 2^−128 hold;
·
·the value of ω cannot be too large, otherwise the signature length suffers; it cannot be too small either, otherwise the average running time of the signature algorithm increases;
·the value of d cannot be too large, otherwise the hardness of the MLWE problem suffers; it cannot be too small either, otherwise the public key size increases significantly.
From an efficiency point of view, the public key size, the private key size and the signature size of the signature scheme, each in bytes, are determined by the parameters. The running time of the signature function depends mainly on the expected number of occurrences of the two rejection-sampling steps, and the probability of the two restarts can be estimated analytically from the parameters.
In particular, the value of the parameter ω affects the size of the signature and the runtime of the signature function, and it is difficult to perform an accurate theoretical analysis of the specific value of ω. It is therefore necessary to develop and conduct a large number of instance tests through the program to obtain the proper value for ω and thus the proper balance between the size of the signature and the runtime of the signature function.
From a security point of view, the security of the above signature mechanism must take into account key-recovery attacks and (strong) forgery attacks, which can be understood as solving (variants of) the MLWE problem and the MSIS problem (under the infinity norm) respectively; the parameters n, q, k, l, η1, η2 must be chosen so that the corresponding MLWE problem reaches sufficient quantum security strength; the parameters n, q, k, l, d, κ, η1, η2 must be chosen so that the corresponding MSIS problem (under the infinity norm) reaches sufficient quantum security strength.
Among these, the MSIS problem under the infinity norm is less studied, and special test scripts need to be developed to test its quantum security strength. Moreover, because the constraints on the different dimensions of the corresponding MSIS instance (under the infinity norm) differ considerably, its quantum security strength has two evaluation modes, symmetric and asymmetric.
The current mainstream method for evaluating the complexity of the infinity-norm SIS problem uses the Core-SVP model: the complexity of the SIS problem under the infinity norm is equated with the complexity of the corresponding Core-SVP problem. Several short vectors are then obtained with the common lattice reduction algorithm, BKZ. However, these short vectors are all short with respect to the Euclidean norm, and unfortunately the shortest vector under the Euclidean norm is likely not a "short" vector under the infinity norm. Based on BKZ, an improved algorithm is used to measure the complexity of the SIS problem under the infinity norm. Specifically, a sub-lattice is first selected from the given lattice by projection, and the sequence of lengths of the orthogonalized basis corresponding to the basis output by BKZ is estimated in the sub-lattice. The basis vectors are then divided in order into three classes according to this length sequence, and the number of vectors in each class is estimated; the "short vectors" under the infinity norm belong to the second class. An arbitrary vector is chosen, its length on the three classes of projections is assumed to follow some form of distribution, and its probability p of meeting the infinity-norm requirement is estimated. Finally, the objective function is optimized by exhausting the sub-lattice dimension and the SVP-oracle dimension of the BKZ algorithm, which yields the complexity estimate.
However, this approach to measuring the complexity of the infinity-norm SIS problem has important drawbacks. First, its correctness rests on two assumptions: that the output of the BKZ algorithm follows the expected statistical law, and that the projection length of any vector onto each dimension of the orthogonalized basis of the BKZ output follows the expected probability distribution. The correctness of these two hypotheses needs to be checked. Second, when the bound parameter of the infinity-norm SIS problem is reduced below a certain point, the output of this measurement method hardly changes, or changes too violently to have practical reference value. The rationality of the method is therefore questionable and its applicability is very limited.
To overcome this difficulty, and to reflect more precisely how the infinity-norm SIS problem varies with the bound parameter, we propose a new complexity measurement method that combines the latest complexity results for the infinity-norm SVP problem; its output increases continuously as the bound parameter decreases, which matches our expectation of the difficulty of the infinity-norm SIS problem. In general, by analyzing and improving the drawbacks of the existing measure of the complexity of the infinity-norm SIS problem, we have worked to perfect it and to give a more rational evaluation method with more reference value.
Briefly, our test method analyzes the specific difficulty of the SIS∞ problem under the Core-SVP model by invoking the BKZ algorithm, and gives the complexity of classical and quantum attacks. The Ring-SIS∞ / Module-SIS∞ problems are converted into the corresponding SIS∞ problem, and the complexity of classical and quantum attacks under the Core-SVP model is again given by invoking the BKZ algorithm. This work provides technical tools and means for the difficulty assessment of lattice-based digital signature schemes.
For the Ring-SIS∞ and Module-SIS∞ problems, so far no attack algorithm has been able to fully exploit the additional algebraic structure to improve the efficiency of the attack. Thus, we equate the Ring-SIS∞ and Module-SIS∞ problems with the SIS∞ problem of the corresponding dimension, and their complexity with the complexity of that SIS∞ problem. The test method is therefore applicable to the testing of lattice-based cryptographic algorithms based on the SIS∞ / Ring-SIS∞ / Module-SIS∞ problems.
Our method for estimating the complexity of the SIS∞ problem reduces the SIS∞ problem to a lattice reduction problem, then analyzes the constraints under which the solution returned by lattice reduction satisfies the requirements of the SIS∞ problem, and analyzes how to optimize the defined objective function within that range:
a. First, the SIS∞ problem is solved by solving the lattice reduction problem on the lattice {x | Ax = 0 mod q}.
b. Second, the problem is understood as an optimization problem over the block-size function of the BKZ algorithm. The lattice reduction problem is solved by invoking the BKZ algorithm, which outputs an equivalent basis containing several short vectors. The probability that the projection, in each dimension under that basis, of the vector accessed by the SVP oracle satisfies the constraints is analyzed. The objective function of the optimization problem is the quotient of the running time of the BKZ algorithm and this probability.
c. By exhaustive search over the feasible solution set, the BKZ block size that optimizes the objective function is determined, together with the optimal value of the objective function.
d. In particular, the SVP oracle called within the BKZ algorithm has two different implementations, which ultimately yield two similar objective functions and two extrema at optimization time. We define the complexity of the input SIS∞ problem as the smaller of the two optima obtained by optimizing the two objective functions separately.
In general, the infinity-norm SIS problem is harder than the Euclidean-norm SIS problem, because a short vector under the infinity norm is also a short vector under the Euclidean norm, but the converse is not necessarily true. More specifically, the SIS problem under the infinity norm places several mutually independent constraints on the target vector, whereas the SIS problem under the Euclidean norm places only one constraint on it.
Since the BKZ algorithm is only valid for Euclidean lattices, we cannot directly translate every infinity-norm SIS problem into the corresponding Core-SVP problem. However, we can use the solution computed by the BKZ algorithm to estimate the specific difficulty of solving an infinity-norm SIS problem. It should be noted that this estimate is conservative.
In an infinity-norm SIS problem, given a matrix A and the norm bound β, a non-zero short vector x is sought such that Ax ≡ 0 (mod q) and ‖x‖∞ ≤ β. We first narrow the search from m dimensions to a suitable w-dimensional sub-vector, taking the remaining m − w coordinates as 0. We then search in the chosen w dimensions to determine the probability of finding a suitable solution. For a fixed block size b of the BKZ search algorithm, we estimate, under heuristic assumptions, the probability that the solution returned by the BKZ algorithm satisfies the conditions. We set the objective function to T/p, where T is the running time of the BKZ algorithm with block size b and p is the probability that the solution returned by BKZ under the current conditions satisfies the conditions. By exhaustive search we determine the pair (w, b) that optimizes the objective function, denoted (w*, b*). Finally, we define the difficulty of this infinity-norm SIS instance as the running time of the BKZ algorithm corresponding to (w*, b*).
In addition, the (M)SIS problem corresponding to the signature mechanism of the invention has a certain specificity, namely asymmetry. Specifically, in this SIS problem, given the parameters q, m, n, m1, m2, β1, β2 and a random matrix A, one is required to find and output a non-zero vector x = (x1, x2) satisfying the constraints Ax ≡ 0 (mod q), 0 < ‖x1‖∞ ≤ β1, 0 < ‖x2‖∞ ≤ β2. The definition of the problem shows the asymmetry of the parameters; in the existing attack methods, with the other parameters unchanged, the difficulty of the asymmetric instance lies between the difficulties of the two corresponding symmetric instances. Thus, by estimating the influence of the parameters β1, β2 on the difficulty of the problem, a more accurate estimate of the difficulty of the asymmetric instance can be obtained from the method for evaluating the difficulty of the symmetric instances.
All of this shows the difficulty of parameter selection, as well as the importance of the above invention.

Claims (5)

1. A lattice-based digital signature method, wherein each string or value α represents a binary value; α|β represents the concatenation of two binary strings α, β ∈ {0,1}^*; for any real number x, ⌊x⌋ represents the largest integer less than or equal to x and ⌈x⌉ represents the smallest integer greater than or equal to x;
when α is a positive even number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 < r' ≤ α/2 and r' ≡ r (mod α); when α is a positive odd number, for any integer r, r' = r mod± α is defined as the unique integer r' satisfying −α/2 ≤ r' ≤ α/2 and r' ≡ r (mod α); when α is a positive integer, for any integer r, r' = r mod+ α is defined as the unique non-negative integer r' satisfying 0 ≤ r' ≤ α − 1 and r' ≡ r (mod α);
if S is a finite set, |S| represents its cardinality and x ← S represents taking an element uniformly at random from S; the symbol U(S) represents the uniform distribution over the finite set S; if D represents a probability distribution, x ← D represents selecting an element according to D and assigning it to x; if α is neither an algorithm nor a set, x ← α represents a simple assignment, i.e. x := α; if A is a probabilistic algorithm, A(x_1, x_2, …; r) represents the result of running A on the inputs x_1, x_2, … with random coins r; y ← A(x_1, x_2, …; r) represents choosing r at random and letting y be the result A(x_1, x_2, …; r); Pr[R_1; …; R_n : E] represents the probability that the event E occurs after the ordered sequence of random processes R_1, …, R_n; the function f(λ) is negligible if for every c > 0 there exists λ_c such that f(λ) < 1/λ^c for all λ > λ_c; the ring R_q is defined in terms of the m-th cyclotomic polynomial; the elements of R_q are n-dimensional polynomials of the form a_0 + a_1 x + a_2 x^2 + … + a_{n−1} x^{n−1}, where n is a positive integer; the positive integers k and l are the dimensions of the matrix samples, a matrix of dimension k×l having as each of its entries an n-dimensional polynomial over the ring R_q; for a function whose input is a vector, the function is applied separately to each component of the vector;
for an integer element w, ‖w‖∞ is defined as |w mod± q|; for an element w = w_0 + w_1 x + … + w_{n−1} x^{n−1} ∈ R_q, ‖w‖∞ = max_i ‖w_i‖∞ is defined; for w = (w_1, w_2, …, w_k) ∈ R^k, ‖w‖∞ = max_i ‖w_i‖∞ is defined; for a given positive integer η, the set S_η is defined as the set of all w ∈ R satisfying ‖w‖∞ ≤ η, i.e. S_η = {w ∈ R | ‖w‖∞ ≤ η}; for any positive integer h, a set B_h ⊂ R is defined;
for a binary vector h = (h_i), its Hamming weight (its Hamming distance from the zero vector) is defined as ‖h‖ = Σ h_i;
The samples of the MLWE distribution have the form (A, t = As + e); the MLWE problem is to recover the secret values (s, e) from polynomial samples drawn from the MLWE distribution; specifically, A is selected uniformly at random, s and e are sampled from two probability distributions with distribution parameters η_1 and η_2 respectively, which may be the same or different and each of which is the uniform distribution over its corresponding set, and t = As + e is computed; the advantage of an adversary A is defined accordingly;
if there is no algorithm A with running time at most τ whose advantage is greater than ε, the MLWE hardness assumption holds; here τ is a polynomial in n and ε is a negligible function of n;
A DKC (deterministic key consensus) method DKC = (params, Con, Rec) consists of three parts:
· params = (q, κ, g, δ, aux) represents the system parameters, where the positive integers q, κ, g, δ satisfy 2 ≤ κ, g ≤ q and 0 ≤ δ ≤ q/2, and aux represents a further set of values determined by (q, κ, g, δ), empty by default;
· (k_1, v) ← Con(σ_1, params), where Con(·) is a deterministic polynomial-time function which, on input (σ_1, params), outputs (k_1, v);
· k_2 ← Rec(σ_2, v, params), where Rec(·) is a deterministic polynomial-time function which, on input (σ_2, v, params), outputs k_2;
params may be omitted by default; the DKC method used must satisfy the correctness requirement, i.e. for any σ_1, σ_2, whenever ‖σ_1 − σ_2‖∞ ≤ δ it must hold that k_1 = k_2;
The method comprises the following steps:
the system parameters required to generate the signature include (λ, n, q, κ, k, l, η_1, η_2, χ_1, χ_2, β_1, β_2, γ_1, γ_2, ω, d, h, L_1, L_2); where the positive integer λ is a security parameter, the positive integer n is a power of 2, q ≥ 2 is a prime satisfying q ≡ 1 (mod n/2), the positive integer κ satisfies 2 ≤ κ ≤ 12, χ_1 and χ_2 are two identical or different noise distributions, k and l are positive integers polynomial in λ, d is a positive integer, the threshold parameters β_1, β_2, γ_1, γ_2 are all positive integers, ω is a positive integer, η_1 and η_2 are positive integers with β_1 ≤ h·η_1 and β_2 ≤ h·η_2, h is a positive integer, the parameters γ_1 = γ_1(q, κ) and γ_2 = γ_2(q, κ) are positive integers whose values depend on q and κ, and the parameters L_1 and L_2 are positive integers;
public and private key generation: the signer performs the following operations in sequence:
1) The signer obtains the random seeds ρ and/or K by sampling;
2) The signer obtains s and e by random sampling;
3) The signer maps the random string ρ of bit length L_1 to a matrix A by calling the function ExpandA(); where ExpandA() is a mapping function;
4) The signer computes t := As + e and calls the function Power2Round_q(t, d) to generate (t_1, t_0); where t_1 and t_0 are the high-order and low-order parts of t respectively;
5) The signer computes tr := CRH(ρ, t_1, aux_tr), where tr belongs to a fixed output set, the concatenation order of the inputs of the function CRH can be arbitrary, and aux_tr is a set of values that may be empty;
6) The signer finally outputs (pk, sk), where pk = (ρ, t_1) is the signer's public key and sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) is the signer's private key;
the signer sends the public key information pk to a verifier;
the signature method comprises the following steps: the signer holds the private key sk = (ρ, K, tr, s, e, t_0) or sk = (ρ, tr, s, e, t_0) and a message M ∈ {0,1}^* to be signed, and obtains and outputs the corresponding signature (z, h, c) by performing the following operations in sequence; first, the signer maps the random string ρ of length L_1 to the matrix A, where ExpandA() is a mapping function; the signer then generates μ := CRH(tr, M), where the order of the input variables of the CRH() function can be arbitrarily adjusted and the output element belongs to a fixed set; then the signer obtains the random seed ρ' used in the signing method, where ρ' is either generated completely at random or generated deterministically by computing CRH(K, μ); finally, the signer sets ctr := 0 and (z, h) := ⊥ to complete the initialization of the loop body; the signer then enters the loop body until a signature satisfying the requirements, i.e. (z, h) ≠ ⊥, is found; specifically, in each round of the loop the signer has two modes of operation:
the first mode of operation is as follows:
1) The signer first generates the random element y of this round by calling y := ExpandMask(ρ', ctr); where the ExpandMask() function outputs an element of a prescribed set;
2) The signer computes w := Ay and w_1 := HighBits_q(w, γ_1); where HighBits_q(r, γ_1) outputs the high-order part of r; the function extends coefficient-wise to each component of a vector; w_1 can be regarded as a vector;
3) The signer obtains c ∈ B_h by calling c := H(w_1, μ), where B_h is a subset of R and H(·) is a function whose input order can be arbitrary and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
4) The signer computes z := y + cs;
5) The signer computes (r_1, r_0) := Decompose_q(w − ce, γ_1), where the function call (r_1, r_0) := Decompose_q(r, γ_1) decomposes the input r into a high part r_1 and a low part r_0; the function extends coefficient-wise to each component of a vector;
6) If ‖z‖∞ ≥ γ_1 − β_1, or ‖r_0‖∞ ≥ γ_2 − β_2, or r_1 ≠ w_1, the current round is ended directly, ctr := ctr + 1 is set, and the next round begins;
7) The signer computes h := MakeHint_q(−ct_0, w − ce + ct_0, γ_1); where the inputs z, r of the function MakeHint_q(z, r, γ_1) are ring elements and the output value belongs to the set {0,1}; the function extends coefficient-wise to each component of a vector; h ∈ {0,1}^{k·n};
8) If ‖ct_0‖∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the current round is ended directly, ctr := ctr + 1 is set, and the next round begins; otherwise the (z, h, c) generated in this round is a signature satisfying the requirements;
the signer sends the (z, h, c) generated in the last round to the verifier as the signature of the message M ∈ {0,1}^*;
the second mode of operation is based on DKCN and works as follows:
1) The signer first generates the random element y of this round by calling y := ExpandMask(ρ', ctr); where the order of the input elements of the ExpandMask() function can be arbitrary and the output element belongs to a prescribed set;
2) The signer computes w := Ay and w_1 := HighBits_{q,κ}(w); where HighBits_{q,κ}(r) outputs the high-order part of r; the function extends coefficient-wise to each component of a vector; w_1 can be regarded as a vector;
3) The signer obtains c ∈ B_h by calling c := H(w_1, μ), where B_h is a subset of R and H(·) is a function whose input order can be arbitrary and which maps an arbitrary input string in {0,1}^* to an element of the set B_h;
4) The signer computes z := y + cs;
5) The signer computes (r_1, r_0) := Con(w − ce), where the function call (r_1, r_0) := Con(r) decomposes the input r into a high part r_1 and a low part r_0; the function extends coefficient-wise to each component of a vector;
6) If ‖z‖∞ ≥ γ_1 − β_1, or ‖r_0‖∞ ≥ q/2 − κ·β_2, or r_1 ≠ w_1, the current round is ended directly, ctr := ctr + 1 is set, and the next round begins;
7) The signer computes h := MakeHint_{q,κ}(−ct_0, w − ce + ct_0); where the inputs z, r of the function MakeHint_{q,κ}(z, r) are ring elements and the output value belongs to the set {0,1}; the function extends coefficient-wise to each component of a vector; h ∈ {0,1}^{k·n};
8) If ‖ct_0‖∞ ≥ γ_2, or the Hamming weight of h ∈ {0,1}^{k·n} is greater than the parameter ω, the current round is ended directly, ctr := ctr + 1 is set, and the next round begins; otherwise the (z, h, c) generated in this round is a signature satisfying the requirements;
the signer sends the (z, h, c) generated in the last round to the verifier as the signature of the message M ∈ {0,1}^*;
the verification method comprises the following steps: after receiving a pair (M, (z, h, c)) (where M ∈ {0,1}^*, h ∈ {0,1}^{k·n}, c ∈ B_h), the verifier performs the verification operation according to the public key information pk = (ρ, t_1); if the signer uses the first mode of operation, the verifier performs the following operations:
1) The verifier maps the random string ρ of length L_1 to the matrix A; where ExpandA() is a mapping function;
2) The verifier computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the inputs of the function CRH can be arbitrary and aux_tr is a set of values that may be empty;
3) The verifier generates μ := CRH(tr, M); where the concatenation order of the inputs of CRH() can be arbitrary and the output element belongs to a fixed set;
4) The verifier computes w'_1 := UseHint_q(h, Az − c·t_1·2^d, γ_1); where UseHint_q(h, r, γ_1) generates a value from h ∈ {0,1} and r; the function extends to each component of the input vector; w'_1 can be regarded as a vector;
5) If ‖z‖∞ < γ_1 − β_1, and c = H(μ, w'_1), and the Hamming weight of h ∈ {0,1}^{k·n} is less than or equal to the parameter ω, b := 1 is set to indicate that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise b := 0 is set to indicate that the pair (M, (z, h, c)) is regarded as an incorrect message-signature pair;
finally, the verifier outputs b ∈ {0,1};
if the signer uses the second mode of operation, the verifier performs the following operations:
1) The verifier maps the random string ρ of length L_1 to the matrix A; where ExpandA() is a mapping function;
2) The verifier computes tr := CRH(ρ, t_1, aux_tr), where the concatenation order of the inputs of the function CRH can be arbitrary, the output element belongs to a fixed set, and aux_tr is a set of values that may be empty;
3) The verifier generates μ := CRH(tr, M); where the concatenation order of the inputs of the function CRH can be arbitrary and the output element belongs to a fixed set;
4) The verifier computes w'_1 := UseHint_{q,κ}(h, Az − c·t_1·2^d); where UseHint_{q,κ}(h, r) generates a value from h ∈ {0,1} and r; the function extends to each component of the input vector; w'_1 can be regarded as a vector;
5) If ‖z‖∞ < γ_1 − β_1, and c = H(μ, w'_1), and the Hamming weight of h ∈ {0,1}^{k·n} is less than or equal to the parameter ω, b := 1 is set to indicate that the pair (M, (z, h, c)) is accepted as a correct message-signature pair; otherwise b := 0 is set to indicate that the pair (M, (z, h, c)) is regarded as an incorrect message-signature pair;
finally, the verifier outputs b ∈ {0,1}.
2. The method of claim 1, wherein:
the ExpandA() function maps a random seed ρ into the NTT representation of the matrix A; where the NTT representation of each element is the result of a forward NTT transform;
CRH() is a collision-resistant hash function whose input elements may be concatenated in any order; it maps any element of {0,1}^* to an element of a fixed output set;
the ExpandMask() function maps input elements of {0,1}^* to elements of a prescribed set; the input elements of the function may be concatenated in any order;
when κ ≥ 2, g ≥ 2 and 2κδ < q, an optimal specific instance DKCN = (params, Con, Rec) of the DKC method can be constructed, wherein:
·
on input (σ_1, params), the function Con is implemented as follows: first v := κσ_1 mod± q is computed; if κ·σ_1 − v = κ·q holds, k_1 := 0 is set, otherwise k_1 := (κ·σ_1 − v)/q is set; finally the function returns (k_1, v);
on input (σ_2, v, params), the function Rec is implemented as follows: a value computed from σ_2 and v is reduced mod κ to obtain k_2; the function returns k_2;
3. The method of claim 2, wherein the function Power2Round_q() is as follows:
on input (r, d), the function Power2Round_q() performs the following operations: first r := r mod+ q is computed; then r_0 := r mod± 2^d is computed; finally the function returns ((r − r_0)/2^d, r_0);
in the first mode of operation the functions Decompose_q(), HighBits_q(), MakeHint_q() and UseHint_q() are defined as follows:
on input (r, α), the function Decompose_q() performs the following operations: first r := r mod+ q is computed; then r_0 := r mod± α is computed; if r − r_0 = q − 1 holds, (r_1, r_0) := (0, r_0 − 1) is set, otherwise r_1 := (r − r_0)/α is set; finally (r_1, r_0) is returned;
on input (r, α), the function HighBits_q() performs the following operations: first (r_1, r_0) := Decompose_q(r, α) is computed; then r_1 is returned;
on input (z, r, α), the function MakeHint_q() performs the following operations: first r_1 := HighBits_q(r, α) is computed; then v_1 := HighBits_q(r + z, α) is computed; if r_1 = v_1 holds, 0 is returned, otherwise 1 is returned;
on input (h, r, α), the function UseHint_q() performs the following operations: first m := (q − 1)/α is computed; then (r_1, r_0) := Decompose_q(r, α) is computed; if h = 0 holds, r_1 is returned; if h = 1 and r_0 > 0 hold, (r_1 + 1) mod+ m is returned; if h = 1 and r_0 ≤ 0 hold, (r_1 − 1) mod+ m is returned;
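Worked example, added here and not code from the patent or its inventors: the first-mode rounding functions above, implemented over Z_q in Python with q = 1952257, γ_1 = 244032, γ_2 = 122016 and d = 13 from parameter set-1 of claim 5, together with the degenerate one-dimensional instance n = k = l = 1, h = 1 of the claim 1 signing loop (first mode) and verification procedure. The SHA-256-based stand-ins for ExpandA, ExpandMask, CRH and H, the Python function names, the seed and message values (constructed) and the randomized check of the hint property are assumptions of this example. With h = 1 the challenge set B_h collapses to {−1, +1}, so the toy instance only demonstrates the arithmetic of the rejection checks and of hint recovery (Az − c·t_1·2^d equals w − ce + ct_0, whose high bits UseHint recovers) and has no security.

```python
import hashlib
import random

# q, d, gamma_1, gamma_2 from parameter set-1 of claim 5; the degenerate instance
# n = k = l = 1, h = 1 (assumed here) makes R_q = Z_q, B_h = {-1, +1}, beta_i = eta_i.
Q, D = 1952257, 13
GAMMA1, GAMMA2 = 244032, 122016      # gamma_1 = (q-1)/kappa, gamma_2 = gamma_1/2 for kappa = 8
ETA1, ETA2 = 2, 2
BETA1, BETA2 = ETA1, ETA2
OMEGA = 1                            # the hint vector has k*n = 1 bit here

def mod_pm(r, a):
    """r mod± a: representative in (-a/2, a/2] for even a, [-(a-1)/2, (a-1)/2] for odd a."""
    r %= a
    return r - a if r > a // 2 else r

def power2round(r, d):
    """Power2Round_q(r, d): high part and low part r_0 = r mod± 2^d of r mod+ q."""
    r %= Q
    r0 = mod_pm(r, 1 << d)
    return (r - r0) >> d, r0

def decompose(r, alpha):
    """Decompose_q(r, alpha) as in claim 3, including the r - r_0 = q - 1 wrap-around case."""
    r %= Q
    r0 = mod_pm(r, alpha)
    if r - r0 == Q - 1:
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def highbits(r, alpha):
    return decompose(r, alpha)[0]

def makehint(z, r, alpha):
    """MakeHint_q: 1 iff adding z to r changes the high bits."""
    return 0 if highbits(r, alpha) == highbits(r + z, alpha) else 1

def usehint(h, r, alpha):
    """UseHint_q: recover HighBits(r + z) from r and the one-bit hint."""
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

def hint_property_holds(trials=2000, seed=7):
    """UseHint(MakeHint(z, r), r) == HighBits(r + z) must hold whenever |z| <= gamma_2."""
    rng = random.Random(seed)
    for _ in range(trials):
        r, z = rng.randrange(Q), rng.randint(-GAMMA2, GAMMA2)
        if usehint(makehint(z, r, GAMMA1), r, GAMMA1) != highbits(r + z, GAMMA1):
            return False
    return True

def _h(*parts):
    """Stand-in (assumption) for CRH / H / ExpandA / ExpandMask: SHA-256 over the encoded inputs."""
    enc = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(enc).digest(), "big")

def keygen(seed):
    a = _h(b"A", seed) % Q                       # ExpandA(rho): a single ring element
    s = _h(b"s", seed) % (2 * ETA1 + 1) - ETA1   # s in S_eta1
    e = _h(b"e", seed) % (2 * ETA2 + 1) - ETA2   # e in S_eta2
    t1, t0 = power2round(a * s + e, D)           # t = As + e, split by Power2Round_q
    tr = _h(b"tr", a, t1)                        # tr = CRH(rho, t1)
    return (a, t1), (a, s, e, t0, tr)

def challenge(w1, mu):
    """H(w1, mu) into B_1 = {-1, +1}."""
    return 1 if _h(b"c", w1, mu) & 1 else -1

def sign(sk, msg, rho_prime):
    a, s, e, t0, tr = sk
    mu = _h(b"mu", tr, msg)
    ctr = 0
    while True:                                   # first mode of operation of claim 1
        y = _h(b"y", rho_prime, ctr) % (2 * GAMMA1 - 1) - (GAMMA1 - 1)   # ExpandMask(rho', ctr)
        ctr += 1
        w = a * y % Q
        w1 = highbits(w, GAMMA1)
        c = challenge(w1, mu)
        z = y + c * s
        r1, r0 = decompose(w - c * e, GAMMA1)
        if abs(z) >= GAMMA1 - BETA1 or abs(r0) >= GAMMA2 - BETA2 or r1 != w1:
            continue                              # step 6: restart the round
        h = makehint(-c * t0, w - c * e + c * t0, GAMMA1)
        if abs(c * t0) >= GAMMA2 or h > OMEGA:
            continue                              # step 8: restart the round
        return z, h, c

def verify(pk, msg, sig):
    (a, t1), (z, h, c) = pk, sig
    mu = _h(b"mu", _h(b"tr", a, t1), msg)
    w1 = usehint(h, a * z - c * t1 * (1 << D), GAMMA1)   # UseHint_q(h, Az - c*t1*2^d)
    return abs(z) < GAMMA1 - BETA1 and c == challenge(w1, mu) and h <= OMEGA

def roundtrip(msg=b"constructed message"):
    """Key generation, signing and verification on constructed inputs; also tries an out-of-range z."""
    pk, sk = keygen(b"constructed key seed")
    sig = sign(sk, msg, b"constructed rho'")
    return verify(pk, msg, sig), verify(pk, msg, (GAMMA1, sig[1], sig[2]))
```

The check in `hint_property_holds` is the property the verifier relies on in step 4: as long as ‖ct_0‖∞ < γ_2 = γ_1/2 (enforced in step 8 of signing), the single hint bit lets UseHint reconstruct HighBits(w − ce) from Az − c·t_1·2^d without the verifier knowing t_0. `roundtrip` returns (True, False): the honest signature verifies and a signature whose z violates the ‖z‖∞ < γ_1 − β_1 bound is rejected.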
in the second mode of operation the functions Decompose_{q,κ}(), HighBits_{q,κ}(), MakeHint_{q,κ}() and UseHint_{q,κ}() are defined as follows, using the optimal instance DKCN:
·
on input r, the function Decompose_{q,κ}() performs the following operations: first (r_1, r_0) := Con(r) is computed; then (r_1, r_0) is returned;
on input r, the function HighBits_{q,κ}() performs the following operations: (r_1, r_0) := Con(r) is computed; then r_1 is returned;
on input r, the function LowBits_{q,κ}() performs the following operations: (r_1, r_0) := Con(r) is computed; then r_0 is returned;
on input (z, r), the function MakeHint_{q,κ}() performs the following operations: first r_1 := HighBits_{q,κ}(r) is computed; then v_1 := HighBits_{q,κ}(r + z) is computed; if r_1 = v_1 holds, 0 is returned, otherwise 1 is returned;
on input (h, r), the function UseHint_{q,κ}() performs the following operations: first (r_1, r_0) := Con(r) is computed; if h = 0 holds, r_1 is returned; if h = 1 and r_0 > 0 hold, (r_1 + 1) mod+ κ is returned; if h = 1 and r_0 ≤ 0 hold, (r_1 − 1) mod+ κ is returned.
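Worked example, added here and not the patent's own code: the DKC instance Con/Rec of claim 2 and the second-mode functions of claim 3 built on it, over Z_q in Python with q = 1952257 and κ = 8 from parameter set-1 of claim 5. The computation inside Rec is lost from the page, so the nearest-integer rounding k_2 = ⌊(κσ_2 − v)/q⌉ mod κ used below is an assumption of this example, as are the function names, the reduction of the input mod+ q before Con (mirroring the first-mode Decompose_q) and the randomized checks. The example shows both properties the signature relies on: the DKC correctness requirement (k_1 = k_2 whenever |σ_1 − σ_2| ≤ δ with 2κδ < q) and the second-mode hint property that UseHint_{q,κ}(MakeHint_{q,κ}(z, r), r) = HighBits_{q,κ}(r + z) when κ·|z| < q/2, i.e. |z| ≤ γ_2 = (q − 1)/(2κ).

```python
import random

Q, KAPPA = 1952257, 8              # q and kappa from parameter set-1 of claim 5
GAMMA2 = (Q - 1) // (2 * KAPPA)    # = 122016, the bound on ||c t0|| checked in step 8
DELTA = GAMMA2                     # largest delta with 2*kappa*delta < q (condition of claim 2)

def mod_pm(r, a):
    """r mod± a: representative in (-a/2, a/2] for even a, [-(a-1)/2, (a-1)/2] for odd a."""
    r %= a
    return r - a if r > a // 2 else r

def con(sigma1):
    """Con(sigma_1): v = kappa*sigma_1 mod± q, k_1 = (kappa*sigma_1 - v)/q with kappa*q mapped to 0."""
    v = mod_pm(KAPPA * sigma1, Q)
    num = KAPPA * sigma1 - v                  # always a multiple of q
    k1 = 0 if num == KAPPA * Q else num // Q
    return k1, v

def rec(sigma2, v):
    """Rec(sigma_2, v): round (kappa*sigma_2 - v)/q to the nearest integer, then mod kappa (assumed formula)."""
    return ((KAPPA * sigma2 - v + Q // 2) // Q) % KAPPA

def dkc_consensus_holds(trials=2000, seed=11):
    """Correctness requirement of the DKC: |sigma_1 - sigma_2| <= delta implies k_1 == k_2."""
    rng = random.Random(seed)
    for _ in range(trials):
        s1 = rng.randrange(Q)
        s2 = s1 + rng.randint(-DELTA, DELTA)  # sigma_2 as an integer within delta of sigma_1
        k1, v = con(s1)
        if rec(s2, v) != k1:
            return False
    return True

# Second-mode rounding functions of claim 3, built on Con (DKCN).
def decompose_k(r):
    return con(r % Q)

def highbits_k(r):
    return decompose_k(r)[0]

def lowbits_k(r):
    return decompose_k(r)[1]

def makehint_k(z, r):
    """MakeHint_{q,kappa}(z, r): 1 iff adding z to r changes the high part."""
    return 0 if highbits_k(r) == highbits_k(r + z) else 1

def usehint_k(h, r):
    """UseHint_{q,kappa}(h, r): move the high part by ±1 mod kappa according to the sign of r_0."""
    r1, r0 = decompose_k(r)
    if h == 0:
        return r1
    return (r1 + 1) % KAPPA if r0 > 0 else (r1 - 1) % KAPPA

def hint_property_k_holds(trials=2000, seed=13):
    """UseHint(MakeHint(z, r), r) == HighBits(r + z) whenever |z| <= gamma_2, i.e. kappa*|z| < q/2."""
    rng = random.Random(seed)
    for _ in range(trials):
        r, z = rng.randrange(Q), rng.randint(-GAMMA2, GAMMA2)
        if usehint_k(makehint_k(z, r), r) != highbits_k(r + z):
            return False
    return True
```

Why the hint property holds here: Con writes κr = k'·q + v with |v| < q/2; adding z changes this by κz, and since κ·|z| < q/2 the residue v + κz can cross at most one boundary, upward only if v > 0 and downward only if v ≤ 0, which is exactly the sign test UseHint_{q,κ} applies. This is also why step 6 of the second mode rejects when ‖r_0‖∞ ≥ q/2 − κ·β_2: it keeps κ·(ce) from moving the high part of w − ce so that r_1 = w_1 can be checked directly.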
4. A method as claimed in claim 3, wherein:
· λ ≥ 128;
· L_1 ≥ 256, L_2 ≥ 384;
·
· n = 256;
· h = 60;
· q ≤ 2^20 is a prime number;
· d satisfies
· 3 ≤ κ ≤ 12, q/κ ≤ 2^18, 3 ≤ k ≤ 8, 2 ≤ l ≤ 7;
·
· η_1, η_2 ∈ {1, 2};
· β_1 ≤ 60·η_1, β_2 ≤ 60·η_2.
5. The method of claim 4, wherein the parameters are selected as follows:
Parameter set-1: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 3, l = 2, ω ≤ 64;
Parameter set-2: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 4, l = 3, ω ≤ 80;
Parameter set-3: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 5, l = 4, ω ≤ 96;
Parameter set-4: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 2, β_1 ≤ 120, β_2 ≤ 120, q ≤ 1952257, κ = 8, d = 13, γ_1 = 244032, γ_2 = 122016, k = 6, l = 5, ω ≤ 120;
Parameter set-5: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 4, l = 3, ω ≤ 80;
Parameter set-6: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 5, l = 4, ω ≤ 96;
Parameter set-7: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 523777, κ = 4, d = 12, γ_1 = 130944, γ_2 = 65472, k = 6, l = 5, ω ≤ 120;
Parameter set-8: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 4, l = 3, ω ≤ 80;
Parameter set-9: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 5, l = 4, ω ≤ 96;
Parameter set-10: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = η_2 = 1, β_1 ≤ 60, β_2 ≤ 60, q ≤ 592897, κ = 5, d = 12, γ_1 = 118579, γ_2 = 59289, k = 6, l = 5, ω ≤ 120;
Parameter set-11: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 4, l = 3, ω ≤ 80;
Parameter set-12: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 5, l = 4, ω ≤ 96;
Parameter set-13: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 786433, κ = 6, d = 12, γ_1 = 131072, γ_2 = 65536, k = 6, l = 5, ω ≤ 120;
Parameter set-14: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 4, l = 3, ω ≤ 80;
Parameter set-15: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 5, l = 4, ω ≤ 96;
Parameter set-16: λ = 128, n = 256, h = 60, L_1 = 256, L_2 = 384, η_1 = 2, η_2 = 1, β_1 ≤ 120, β_2 ≤ 60, q ≤ 913921, κ = 7, d = 12, γ_1 = 130560, γ_2 = 65280, k = 6, l = 5, ω ≤ 120.
CN202010304930.1A 2020-04-17 2020-04-17 Digital signature method based on lattice Active CN113541952B (en)

Publications (2)

Publication Number Publication Date
CN113541952A CN113541952A (en) 2021-10-22
CN113541952B true CN113541952B (en) 2023-07-25


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584323A (en) * 2022-04-26 2022-06-03 南方电网科学研究院有限责任公司 Lattice-based proxy signature and verification method, device, equipment and storage medium
WO2024012431A1 (en) * 2022-07-11 2024-01-18 复旦大学 Method for efficiently, parallely and quickly achieving lattice-based signature

Citations (2)

Publication number Priority date Publication date Assignee Title
CN109687969A (en) * 2018-12-03 2019-04-26 上海扈民区块链科技有限公司 A kind of lattice digital signature method based on key common recognition
CN110138549A (en) * 2019-04-19 2019-08-16 北京信息科学技术研究院 A kind of digital signature method based on lattice

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
USRE48643E1 (en) * 2012-04-12 2021-07-13 Jintai Ding Cryptographic system using pairing with errors
US10581604B2 (en) * 2017-10-17 2020-03-03 Comsats Institute Of Information Technology Post-quantum cryptographic communication protocol

Non-Patent Citations (2)

Title
Generic and Practical Key Establishment from Lattice; Yunlei Zhao et al.; ACNS; 20190529; full text *
Generalization of the Schnorr scheme and its application in lattice cryptography; Zhao Yunlei et al.; Computer Engineering (计算机工程); 20140415; full text *

Also Published As

Publication number Publication date
CN113541952A (en) 2021-10-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220818

Address after: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Applicant after: Zhao Yunlei

Address before: Room 345, No.5, Lane 786, Xinzhong Road, Xinhe Town, Chongming District, Shanghai 202156

Applicant before: SHANGHAI HUMIN BLOCKCHAIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240116

Address after: 200433 No. 220, Handan Road, Shanghai, Yangpu District

Patentee after: FUDAN University

Address before: Room 717, School of Computer Science, Fudan University (Jiangwan Campus), No. 2005, Songhu Road, Yangpu District, Shanghai, 200438

Patentee before: Zhao Yunlei