CN116260587A - Quantum-resistant signature authentication method based on hash signature and having small size - Google Patents


Info

Publication number
CN116260587A
Authority
CN
China
Prior art keywords
signature
key
algorithm
seed
hash
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN202211548920.8A
Other languages
Chinese (zh)
Inventor
李凌云
赵海勇
段鹏
Current Assignee (as listed; may be inaccurate)
Institute of Information Engineering of CAS
Liaocheng University
Original Assignee
Institute of Information Engineering of CAS
Liaocheng University

Classifications

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/3247 Means for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0852 Key establishment; Quantum cryptography
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3006 Public key; underlying computational problems or public-key parameters
    • H04L9/3236 Means for verifying the identity or authority of a user or for message authentication, using cryptographic hash functions
    • H04L9/3263 Means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a signature authentication method that is quantum resistant, hash-based and small in size, in the technical field of data communication information security. It is a method for digitally signing a large-scale public data stream that is transmitted continuously from a sender to a receiver. A hash-based signature technique is used in a purpose-designed signature method to generate an authentication identifier for the data stream, and the receiver checks the data stream against the authentication identifier. If verification passes, the sender device is judged to be the device to interact with and the data is judged correct; if verification fails, the interaction with the sender device fails, which protects the authenticity of the sender's identity and the integrity of the sent data. Compared with the XMSS signature algorithm, the signature compression rate is 0.828 to 0.017 over a specific parameter interval, so under specific parameters the signature size obtained with this technique can be reduced by hundreds of times.

Description

Quantum-resistant signature authentication method based on hash signature and having small size
Technical Field
The invention relates to the technical field of data communication information security, in particular to a signature authentication method which is quantum resistant, hash-based and small in size.
Background
When two communicating parties transmit continuously, the authenticity of the parties' identities and the integrity of the data (freedom from tampering) must be ensured, so authenticating the source of the data and the integrity of the data are standing requirements in data communication. The digital signature algorithm is the asymmetric cryptographic technique used in the communication field for message-source identity authentication and message integrity authentication. Traditional digital signature schemes based on number-theoretic hardness assumptions are the most widely used, but with the development of quantum computing their defects are gradually being revealed: a scheme without quantum resistance has a complex security assumption and an immature theoretical basis, cannot resist multi-target attacks, and has low security.
As one of the five major post-quantum cryptographic families, hash-based signature technology has received increasing attention in recent years and is widely used for message-source identity authentication and message integrity authentication. Compared with digital signature schemes based on computationally hard number-theoretic problems, hash-based signatures resist quantum attacks, are unforgeable, rest on a basic security assumption about the hash function alone, are efficient, and are easy to implement. However, existing hash-based signature techniques combine a one-time signature (OTS) or few-time signature (FTS) with a hash tree, which makes the total cost of key generation, signature generation and verification too high and the signature size large.
Disclosure of Invention
To solve the problems of existing hash-based signatures, namely large signature size and high total cost of key generation, signature generation and verification, the invention aims to provide a quantum-resistant, hash-based signature authentication method that performs identity authentication of the data source and data integrity authentication on a large-scale data stream transmitted continuously between two communicating parties.
This aim is achieved by the following technical scheme.
The technique has the following functions:
(1) Identity authentication of the data source to ensure authenticity of the identity of the party in the communication;
(2) Integrity of the data is verified to ensure that the data transmitted in the communication is not tampered with.
The application scene of the technology is characterized in that:
(1) The large-scale public data stream is continuously transmitted between the two communication parties;
(2) There are identity authentication and data integrity authentication requirements in applications.
A signature authentication method that is quantum resistant, hash-based and small in size is a signature method for performing identity authentication of the data source and data integrity authentication on a large-scale data stream transmitted continuously between two communicating parties. For clarity, the following terms are defined:
Complete transmission: the time interval of uninterrupted message transmission between signer and verifier;
Signer: the sender; verifier: the receiver;
Signing key: the private key, used in the signature stage to generate the authentication identifier;
Verification key: the public key;
x: the number of complete transmissions that one public key can verify;
Signature period: the time interval during which one set of SEALs is used for signing;
s: the number of signable messages in one signature period;
Fragment: the time interval over which a number of messages are compressed into one message digest by the batch digest sub-algorithm;
The signature authentication method comprises the following steps:
S1: A complete transmission between sender and receiver is divided in time order into a number of fragments, and each fragment is given a 32-bit fragment tag IDX_smt whose value starts at 0 and increases by 1 per fragment. The data communication of a fragment begins with a start identifier SRT. Then, based on block size or transmission time, the data stream in the fragment is divided into a number of data blocks, denoted m; each data block m is given a tag IDX_msg attached to the block, whose value starts at 0 and increases by 1 per block, and each fragment ends with an end identifier END. The index parameter of each data block is IDX_pkt = IDX_smt || IDX_msg.
S2: The key generation algorithm Gen, which comprises two steps in sequence: S2.1, the private key generation sub-algorithm SKGEN, and S2.2, the public key generation sub-algorithm PKGEN.
The key generation algorithm Gen generates a signing key and a verification key for the sender using a forward-secure pseudo-random function, providing the keys for constructing an unforgeable forward-secure signature scheme.
S2.1 Private key generation sub-algorithm SKGEN
The private key generation sub-algorithm starts from the initial state SEED_fws; it uses the seed key seed_{j-1} of period j-1 to generate the seed key seed_j of period j, and then uses seed_j to generate the t SEALs SEAL_{i,j} (1 ≤ i ≤ t) contained in period j, which form the private key SK_{period j}, j = 1, 2, …, x+l, where x and t are powers of 2. The generation algorithm is as follows:
Input: pseudo-random function
Q := { q_k : k × {0,1}^n → {0,1}^n | k ∈ {0,1}^n };
n is the security parameter; its value depends on the security level set in the application of the algorithm;
SEED_fws for generating the private key: selected uniformly at random from {0,1}^n;
Processing:
seed_0 = SEED_fws
[equation image BDA0003980308920000031 not extracted]
[equation image BDA0003980308920000032 not extracted]
[equation image BDA0003980308920000033 not extracted]
Output: SK_{period j}, j = 1, 2, …, x+l;
The first x private keys SK_{period j}, j = 1, 2, …, x, are used as the first signing key at the beginning of each complete transmission; the remaining l private keys SK_{period j}, j = x+1, x+2, …, x+l, are used as the subsequent signing keys, consumed in sequence within the complete transmission. The assignment of x is arbitrary; for example, when x = 10 and l = 10, the first 10 private keys SK_{period j}, j = 1, 2, …, 8, 9, 10, are used as the first signing key at the beginning of each complete transmission, and the last 10 private keys SK_{period j}, j = 11, 12, …, 18, 19, 20, are used as the subsequent signing keys in sequence within the complete transmission;
S2.2 Public key generation sub-algorithm PKGEN
After step S2.1 has generated the private keys, the public key generation sub-algorithm PKGEN, based on the tweakable (adjustable) hash function, takes SK_{period j}, j = 1, 2, …, x+l, as input and uses a hash tree to generate the corresponding public key. Specifically:
First, SK_{period j}, j = x+1, x+2, …, x+l, is used as input to the pseudo-random function F to generate PK_{period j}, j = 1, 2, …, x+l;
Then, the public-key generation seed SEED_auth and the tag HIDX_{m,n} are used as input to the pseudo-random function R to generate the KEY and MSK required for each iteration step;
Next, each PK_{period j} is used as a leaf node of a hash tree, the root node of the hash tree is generated with the tweakable hash function th, and PK_j, j = 1, 2, …, x+l, are generated in turn;
Finally, PK_j, j = 1, 2, …, x, are used as the leaf nodes of the hash tree HT_root, and, following the steps of generating the KEY and MSK for each iteration and of generating PK_j, j = 1, 2, …, x+l, the root node PK_root of the hash tree HT_root is constructed; the root node PK_root is the public key;
The specific processing is as follows:
Input: security parameter n;
pseudo-random function
[equation image BDA0003980308920000034 not extracted]
pseudo-random function
R := { r_SEED : IDX → KEY || MSK | SEED ∈ {0,1}^n };
tweakable hash function
[equation image BDA0003980308920000041 not extracted]
SEED_auth for generating the public key: selected uniformly at random from {0,1}^n;
tag sequence HIDX_{m,n}: consists of the sequence number of the complete transmission and the position of the node at the corresponding level of the authentication tree, where m = 0, 1, …, log t - 1 and n = 0, 1, …, 2^m - 1 denote respectively the layer number of the node counted from the top of the authentication tree and its position counted from the left within the layer; both m and n count from 0 and increase by 1; the nodes at each layer, including the root node and the leaf nodes, are denoted N_{m,n};
[equation image BDA0003980308920000046 not extracted]
Processing:
(1) The following procedure computes PK_j, j = 1, 2, …, x+l;
a.
[equation image BDA0003980308920000042 not extracted]
for each j ∈ 1, 2, …,
[equation image BDA0003980308920000043 not extracted]
b. The KEY and mask required for each iteration step are generated with the pseudo-random function R and are denoted below by KEY and MSK with subscripts:
[equation image BDA0003980308920000044 not extracted]
m = 0, 1, …, log t - 2, n = 0, 1, …, 2^m - 1;
c. Compute the root node N_{0,0} of the hash tree: m takes the values log t - 1, log t - 2, …, 0, and for each such m compute:
[equation image BDA0003980308920000045 not extracted]
where n takes the values 0, 2, 4, …, 2^m - 2 in that order;
PK_j = N_{0,0}
(2) The following procedure computes PK_root:
a. N_{log x,0}, N_{log x,1}, …, N_{log x,x-1} = PK_1, PK_2, …, PK_x
b. Generate the KEY and MSK required for each iteration with the pseudo-random function R:
r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n}
m = 0, 1, 2, …, log x - 2, n = 0, 1, 2, …, 2^m - 1;
c. Compute the root node N_{0,0} of the hash tree: m takes the values log x - 1, log x - 2, …, 0, and for each such m compute:
[equation image BDA0003980308920000051 not extracted]
where n takes the values 0, 2, 4, …, 2^m - 2 in that order;
PK_root = N_{0,0}
S3: The signature algorithm Sig comprises two steps: S3.1, the batch digest sub-algorithm BDA, and S3.2, the signature sub-algorithm.
S3.1 Batch digest sub-algorithm BDA
The batch digest sub-algorithm takes as input, one fragment at a time, the data processed in stage S1, i.e. all data blocks of a fragment with their index parameters m_1, IDX_{pkt,1}, m_2, IDX_{pkt,2}, …, m_j, IDX_{pkt,j}, and generates the batch digest value BDS of all data blocks in the fragment using a pseudo-random function P and a hash function family T. All batch digest values of a complete transmission are recorded in chronological order as BDS_1, BDS_2, …. The batch digest of the data in one fragment is computed as follows:
Input: security parameter n;
all data blocks m_1, …, m_j of one transmission fragment;
pseudo-random function P := { p_SEED : {0,1}^64 × {0,1}^* × {0,1}^n → {0,1}^n | SEED ∈ {0,1}^n };
hash function family T := { t_KEY : {0,1}^n × {0,1}^n → {0,1}^n | KEY ∈ {0,1}^n };
Processing:
t_0(IDX, SEED_dg, m) = p(SEED_dg, IDX_{smt,j} || {0}^32) = IV_{prd,j}
p(SEED_dg, IDX_{pkt,i}, m_i) = MD_i || KEY_i
[equation image BDA0003980308920000061 not extracted]
i = 1, 2, …, j;
Output: BDS = t_j(IDX, SEED_dg, m);
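One possible instantiation of the batch digest sub-algorithm BDA above, written here as an added Python example (not the patent's own code). It assumes n = 256 bits, HMAC-SHA256 for P, SHA-256 over KEY || a || b for T, and, because the patent's chaining equation is only an image on this page, an assumed chaining step t_i = t_{KEY_i}(t_{i-1}, MD_i); the seed and blocks are constructed sample data.

```python
import hashlib
import hmac

# Added example, not the patent's code. Assumed instantiation of BDA (S3.1):
# n = 256 bits, P = HMAC-SHA256, T = SHA-256(KEY || a || b), and the hidden
# chaining step assumed to be t_i = t_{KEY_i}(t_{i-1}, MD_i).

N_BYTES = 32  # security parameter n = 256 bits


def idx_pkt(idx_smt: int, idx_msg: int) -> bytes:
    """Per-block index IDX_pkt = IDX_smt || IDX_msg (two 32-bit tags, step S1)."""
    return idx_smt.to_bytes(4, "big") + idx_msg.to_bytes(4, "big")


def prf_p(seed: bytes, idx: bytes, msg: bytes, label: bytes) -> bytes:
    """p_SEED(IDX, m): HMAC-SHA256 instantiation (assumption). The label separates
    the two n-bit halves needed for MD_i || KEY_i, since P yields only n bits per call."""
    return hmac.new(seed, label + idx + msg, hashlib.sha256).digest()


def hash_t(key: bytes, a: bytes, b: bytes) -> bytes:
    """t_KEY(a, b) from the family T: SHA-256 over KEY || a || b (assumption)."""
    return hashlib.sha256(key + a + b).digest()


def batch_digest(seed_dg: bytes, idx_smt: int, blocks: list) -> bytes:
    """BDS for one fragment: an IV bound to the fragment tag, then a keyed chain in
    which every block contributes a digest MD_i and the chain key KEY_i for its step."""
    # t_0 = p(SEED_dg, IDX_smt || {0}^32) = IV_prd
    state = prf_p(seed_dg, idx_smt.to_bytes(4, "big") + bytes(4), b"", b"IV")
    for i, m in enumerate(blocks):
        idx = idx_pkt(idx_smt, i)
        md_i = prf_p(seed_dg, idx, m, b"MD")    # p(SEED_dg, IDX_pkt,i, m_i) = MD_i || KEY_i,
        key_i = prf_p(seed_dg, idx, m, b"KEY")  # split over two labelled PRF calls
        state = hash_t(key_i, state, md_i)       # assumed chaining t_i = t_{KEY_i}(t_{i-1}, MD_i)
    return state  # BDS = t_j


# Constructed sample fragment: three data blocks of fragment IDX_smt = 0.
SAMPLE_SEED_DG = hashlib.sha256(b"constructed SEED_dg for the example").digest()
SAMPLE_BLOCKS = [b"block-0 sensor reading 21.5C",
                 b"block-1 sensor reading 21.7C",
                 b"block-2 END"]


def demo() -> dict:
    """Digest of the genuine fragment beside the digests a verifier would compute
    for a modified block, a reordered stream, and the same data in another fragment."""
    good = batch_digest(SAMPLE_SEED_DG, 0, SAMPLE_BLOCKS)
    tampered = batch_digest(SAMPLE_SEED_DG, 0,
                            [SAMPLE_BLOCKS[0], b"block-1 sensor reading 99.9C", SAMPLE_BLOCKS[2]])
    reordered = batch_digest(SAMPLE_SEED_DG, 0,
                             [SAMPLE_BLOCKS[1], SAMPLE_BLOCKS[0], SAMPLE_BLOCKS[2]])
    other_fragment = batch_digest(SAMPLE_SEED_DG, 1, SAMPLE_BLOCKS)  # same blocks, next IDX_smt
    return {"good": good, "tampered": tampered,
            "reordered": reordered, "other_fragment": other_fragment}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:15s} {digest.hex()}")
```

Because every block's MD_i and KEY_i are bound to IDX_pkt, a block moved to another position or another fragment changes the chain even when its content is unchanged.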
S3.2 Signature sub-algorithm
Input: security parameter n;
pseudo-random function F_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n
hash function H_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n
hash function family
[equation image BDA0003980308920000062 not extracted]
private key sequence SK_{period j}, j = 1, 2, …, x+l;
all batch digest values of a complete transmission, recorded in chronological order as BDS_1, BDS_2, …;
Processing: first, the batch digest values BDS_1, BDS_2, … are re-divided in sequence according to signature periods, and the i-th batch digest value to be processed in the j-th period is denoted BDS_{i,j}, i ∈ 1, 2, …, s;
when i = 1, 2, …, s-1, compute
RDM_{i,j} = F_1(SK, BDS_{i,j}),
DGT_{i,j} = H_1(RDM_{i,j}, BDS_{i,j});
when i = s, compute
RDM_{s,j} = F_1(SK, BDS_{s,j} || pk_{j+1})
DGT_{s,j} = H_1(RDM_{s,j}, BDS_{s,j} || pk_{j+1})
where RDM_{i,j} and DGT_{i,j} are intermediate parameters whose specific meaning need not be defined;
next, for each DGT_{i,j}, i ∈ 1, 2, …, s, the identity proof is produced as follows:
from the private key sequence SK_{period j}, select k SEALs SEAL_{j_p}, p = 1, 2, …, k, with 1 ≤ j_p ≤ t, satisfying the following condition:
[equation image BDA0003980308920000071 not extracted]
where the first signing key in each complete transmission is selected in turn from SK_{period j}, j = 1, 2, …, x, and the subsequent keys are selected in sequence from SK_{period j}, j = x+1, x+2, …, x+l;
finally, to reduce the signature size of a complete transmission, an appropriate value of q is chosen such that, with t, k and s fixed,
2^q + (log t - q + 1) * s * k
takes its minimum value;
the final signature is:
when j ≠ 1:
when i = 1,
[equation image BDA0003980308920000072 not extracted]
when i = 2, 3, …, s,
[equation image BDA0003980308920000073 not extracted]
where i denotes the signature sequence number within a period,
[equation image BDA0003980308920000074 not extracted]
denotes
[equation image BDA0003980308920000075 not extracted]
the verification path of the public key from layer log t to layer q, 1 ≤ j_p ≤ t, p = 1, 2, …, k, i.e. in the public key generation algorithm PKGEN,
[equation image BDA0003980308920000076 not extracted]
all side nodes passed from layer log t to layer q when the hash tree is used to compute the root node, where a side node is the other node value of the next-lower layer, besides the hash value, needed to compute the upper-level node;
[equation image BDA0003980308920000077 not extracted]
the values of all nodes of the q-th layer of the hash tree;
[equation image BDA0003980308920000078 not extracted]
denotes the hash values of all nodes in the q-th layer of the hash tree;
when j = 1,
the signature when i = 1 is:
[equation image BDA0003980308920000079 not extracted]
where the authentication path path_{pktoroot} contains log x values: in the public key generation algorithm PKGEN, the root node of the hash tree corresponding to pk_1, pk_2, …, pk_{2^q} is used as a leaf node of the top-level hash tree HT_root to construct its root node PK_root, and path_{pktoroot} is all the side nodes passed from the lowest layer up to the root node PK_root, where a side node is the other node value of the next-lower layer, besides the hash value, needed to compute the upper-level node;
when i = 2, 3, …, s,
[equation image BDA0003980308920000081 not extracted]
Output: the signature value σ is the authentication identifier;
s4: verification algorithm Ver
When the data stream with the authentication identifier is transmitted from the sender to the receiver, the receiver verifies according to the following method:
input: a data stream and related index parameters interacted by both communication parties in a complete transmission;
signature value, wherein the signature value of the j-th period is expressed as:
when j+.1:
when i=1, the number of the cells,
Figure BDA0003980308920000082
when i=2, 3, …, s,
Figure BDA0003980308920000083
when j=1, the number of the groups,
the signature when i=1 is:
Figure BDA0003980308920000084
when i=2, 3, …, s,
Figure BDA0003980308920000085
/>
public key: SEED dg 、SEED auth 、PK root :
A data stream;
And (3) treatment:
dividing the data stream according to the transmission segments, wherein the data stream in each transmission period is m 1 ,IDX pkt,1 ,m 2 ,IDX pkt,2 ,…,m s ,IDX pkt,s
Invoking batch summary sub-algorithm BDA to compute related batchesQuantity digest value, batch digest value for the jth cycle is denoted BDS i,j ,i∈1,2,…,s;
When i=1, 2, …, s-1,
calculation of
RDM i,j =F 1 (SK,BDS i,j ),
DGT i,j =H 1 (RDM i,j ,BDS i,j );
When i=s,
calculation of
RDM s,j =F 1 (SK,BDS s,j ||pk j+1 )
DGT s,j =H 1 (RDM s,j ,BDS s,j ||pk j+1 ).
Verification
Figure BDA0003980308920000091
When j noteq1, i noteq1,
input SEED auth Index tag HIDX m,n ,(m=0,1,…,logx-2,n=0,1,…,2 m -1) k SEAL jp (p=1, 2, …, k), calling hash values of k nodes corresponding to the q-th layer of the PKGEN algorithm, and comparing whether the hash values of the k nodes are equal to the corresponding pk in the first signature value in the transmission period 1 ,pk 2 ,…,pk 2^q The method comprises the steps of carrying out a first treatment on the surface of the If equal, the signature is true;
when j noteq1, i = 1,
that is, the signature is the first signature value in a cycle and not the first signature in a complete transmission, and in addition to the verification, pk is also entered 1 ,pk 2 ,…,pk 2^q Invoking PKGEN algorithm to calculate the root node of the hash tree, and comparing whether the root node is equal to the corresponding public key, wherein the public key is signed by the private key of the previous period; if equal, the signature is true;
when j=1, i=1,
that is, the signature is the first signature in a complete transmission, and in addition to the verification, PK is entered root Circumference of the bodyA period index and an identity verification path; first, the period index is checked to ensure that the signature uses an unused key pair; then, input pk j 、path pktoroot Invoking PKGEN algorithm to calculate slave pk j Via path pktoroot Whether the root node of the computed hash tree is equal to PK root The method comprises the steps of carrying out a first treatment on the surface of the If equal, the signature is true;
and (3) outputting: the signature is true/false;
when the output of the receiving party is true, the representative data and the authentication identification pass the verification, the sending party is judged to be the equipment to be interacted, and the data information is correct; if the verification is not passed, the interaction with the sender fails, so that the authenticity of the identity of the sender and the integrity of the sent data are protected;
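The hash tree of PKGEN step (2) and the path check that Ver performs when j = 1 and i = 1 (recomputing the root from pk_j via path_pktoroot and comparing with PK_root), as an added Python example that is not the patent's code. Because the patent's equation images are not reproduced on this page, the instantiations are assumptions: HMAC-SHA512 split into KEY || MSK for R, HIDX_{m,n} encoded as two 32-bit integers (layer m from the root, position n from the left), a tweakable hash th that XORs the child values with MSK and hashes under KEY, and constructed sample values for SEED_auth and PK_1 .. PK_8.

```python
import hashlib
import hmac

# Added example, not the patent's code. Assumed instantiation of the PKGEN hash
# tree and of the Ver path check: n = 256 bits, R = HMAC-SHA512 split into
# KEY || MSK, HIDX = layer || position (4 bytes each), th = SHA-256(KEY || (children XOR MSK)).

N_BYTES = 32


def prf_r(seed_auth: bytes, m: int, n: int) -> tuple:
    """r_SEED(HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n} for the node N_{m,n}."""
    hidx = m.to_bytes(4, "big") + n.to_bytes(4, "big")
    out = hmac.new(seed_auth, hidx, hashlib.sha512).digest()
    return out[:N_BYTES], out[N_BYTES:]


def th(key: bytes, msk: bytes, left: bytes, right: bytes) -> bytes:
    """Tweakable hash: mask both children with MSK, then hash under KEY (assumed form)."""
    masked = bytes(a ^ b for a, b in zip(left + right, msk + msk))
    return hashlib.sha256(key + masked).digest()


def build_tree(seed_auth: bytes, leaves: list) -> list:
    """Layers from the leaves (layer log x) up to the root N_{0,0}, computing
    N_{m,n} = th_{KEY_{m,n}, MSK_{m,n}}(N_{m+1,2n}, N_{m+1,2n+1}) with per-node key and mask."""
    x = len(leaves)
    if x < 2 or x & (x - 1):
        raise ValueError("number of leaves must be a power of two")
    layers = [list(leaves)]
    m = x.bit_length() - 1  # layer index of the leaves, i.e. log x
    while len(layers[-1]) > 1:
        m -= 1
        below = layers[-1]
        layers.append([th(*prf_r(seed_auth, m, n), below[2 * n], below[2 * n + 1])
                       for n in range(len(below) // 2)])
    return layers


def auth_path(layers: list, leaf_index: int) -> list:
    """path_pktoroot: the side node on every layer from the leaf to the root (log x values)."""
    path, idx = [], leaf_index
    for layer in layers[:-1]:
        path.append(layer[idx ^ 1])
        idx //= 2
    return path


def root_from_path(seed_auth: bytes, leaf: bytes, leaf_index: int, path: list) -> bytes:
    """Verifier side: recompute the root from pk_j and path_pktoroot, re-deriving
    KEY and MSK for every node on the way from SEED_auth and the node's HIDX."""
    node, idx, m = leaf, leaf_index, len(path)
    for side in path:
        m -= 1
        left, right = (node, side) if idx % 2 == 0 else (side, node)
        node = th(*prf_r(seed_auth, m, idx // 2), left, right)
        idx //= 2
    return node


# Constructed sample: x = 8 period public keys PK_1 .. PK_8 and a public SEED_auth.
SAMPLE_SEED_AUTH = hashlib.sha256(b"constructed SEED_auth").digest()
SAMPLE_PKS = [hashlib.sha256(b"constructed PK_%d" % j).digest() for j in range(1, 9)]


def demo() -> dict:
    """Build PK_root, then run the j = 1, i = 1 check for PK_3 and for two bad inputs."""
    layers = build_tree(SAMPLE_SEED_AUTH, SAMPLE_PKS)
    pk_root = layers[-1][0]
    j = 3  # verify the period key PK_3, leaf index 2
    path = auth_path(layers, j - 1)
    valid = root_from_path(SAMPLE_SEED_AUTH, SAMPLE_PKS[j - 1], j - 1, path) == pk_root
    # a substituted leaf, or a genuine path replayed at the wrong index, must not reach PK_root
    forged = root_from_path(SAMPLE_SEED_AUTH, b"\x00" * N_BYTES, j - 1, path) == pk_root
    wrong_index = root_from_path(SAMPLE_SEED_AUTH, SAMPLE_PKS[j - 1], j, path) == pk_root
    return {"path_len": len(path), "valid": valid, "forged": forged, "wrong_index": wrong_index}


if __name__ == "__main__":
    print(demo())
```

The period index fed into prf_r is what makes a path valid only at its own position, which is the property the "unused key pair" check in Ver relies on.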
In summary, in this quantum-resistant, hash-based, small-size signature authentication method, key generation and signing take place at the sender, which takes the data to be sent to the receiver as input. First, a signing key and verification key pair is generated with the key generation algorithm Gen; the signing key is the private key, used in the signature stage to generate the authentication identifier, and the verification key is the public key, which a trusted third party in the system signs into an X.509 certificate that the sender sends to the receiver for use in the verification stage. The sender then digitally signs the data to be sent with the private key and the signature algorithm, generating the authentication identifier. When the data stream carrying the authentication identifier reaches the receiver, the receiver verifies it with the verification algorithm Ver; if verification passes, the sender is judged to be the party to interact with and the data is judged correct; if verification fails, the interaction with the sender fails, which protects the authenticity of the sender's identity and the integrity of the sent data.
Existing authentication methods fall into two main categories: the mainstream category is designed on classical cryptography; the frontier category is designed on post-quantum cryptography.
Compared with the prior art, the invention has the following advantages:
(1) Quantum security. Most existing mainstream authentication techniques rest on the mathematical hardness assumptions of classical cryptography and do not resist quantum attacks. This method is designed on hash-based signatures, one of the five major post-quantum cryptographic families, and is naturally resistant to quantum attacks, so it is a quantum-secure authentication method;
(2) A simple underlying security assumption. Compared with authentication techniques based on the other four post-quantum families, this technique depends only on the security assumption of the underlying hash function; the assumption is simpler and the theoretical basis more mature;
(3) Higher algorithmic security. Compared with other authentication techniques based on hash-based signatures, this method uses the tweakable hash function to resist multi-equation and multi-target attacks under a weaker security assumption (one not relying on collision resistance), and so has higher security;
(4) Signature size reduced by about a hundred times. The biggest obstacle to applying hash-based authentication techniques is that their signature size is too large. The design of combining a one-time signature or few-time signature with a hash tree leads to large signatures and an excessive total cost of key generation, signature generation and verification, which limits practical application. Compared with other authentication techniques based on hash-based signatures, the signature size in this method's authentication data is reduced by hundreds to thousands of times. Compared with the currently most mainstream hash-based signature algorithm XMSS (the ISO-issued RFC 8391 standard), the signature compression rate of eBiBa-256 relative to XMSS-256 is 0.828 to 0.017 over a specific parameter interval, so under specific parameters the signature size obtained with this technique can be reduced by a hundred times.
Drawings
FIG. 1 is a flow diagram of a quantum resistant, hash signature based signature authentication method with small dimensions;
FIG. 2 is a process schematic diagram of a forward secure private key generation algorithm;
FIG. 3 is a schematic diagram of a process of a public key generation algorithm based on an adjustable hash function;
FIG. 4 is a schematic process diagram of three nodes in each triangle of FIG. 3;
FIG. 5 is a process diagram of the batch digest algorithm based on an adjustable hash function; in the figure, l_j is the number of messages processed by the batch digest sub-algorithm in this run, and the subscript of message m is its sequence number in the input of the batch digest sub-algorithm;
FIG. 6 is a schematic diagram of shortest signature path optimization in a complete transmission;
FIG. 7 is a general structural diagram of a quantum-resistant, hash-signature-based signature authentication method with small size; the subscript of message m is its sequence number throughout the transmission, l_i is the number of messages processed by the i-th fragment, and the second subscript of IDX_smt indicates the sequence number of the fragment in which the corresponding message is located within one period; since every fragment has a similar structure, the symbol IDX_pkt no longer distinguishes the fragment in which a message is located;
FIG. 8 is a schematic diagram of a process for processing messages during each cycle of FIG. 7;
Fig. 9 is a schematic diagram of structural connection of wireless sensor network communication.
Detailed Description
The present invention is directed to a signature authentication method based on hash signatures with small size, which is quantum resistant, and is further described below with reference to specific embodiments.
Example 1
A signature authentication method which is quantum resistant, hash-based and small in size is a signature method for carrying out identity authentication and data integrity authentication of a data source on a large-scale data stream under the application background of continuous transmission of two communication parties; as shown in fig. 1:
for clarity, some terms will now be defined as follows:
complete transmission: uninterrupted message transmission between signer and verifier, which is a time interval;
signer: i.e. the sender; verifier: i.e. the receiver;
signing key: the signature key is a private key and is used in a signature stage to generate an authentication identifier;
authentication key: the verification key is a public key;
x: the number of complete transmissions that a public key can verify;
signature period: a time interval in which signing uses one set of stamps (SEALs);
s: the number of signable messages in a signature cycle;
fragments: compressing a plurality of messages into a time interval of a message digest through a batch digest sub-algorithm;
The signature authentication method comprises the following steps:
s1: time-sequentially dividing a complete transmission between a sender and a receiver into a plurality of fragments, and setting a 32-bit fragment tag IDX for each fragment smt The value of the product is 0, and 1 is added in sequence; the data communication of the fragments starts with a start identifier SRT; then, based on the block size or transmission time, the data stream in the segment is divided into a plurality of data blocks, the data blocks are represented by m, and each data block m is assigned a tag IDX msg And after attaching to each data block, its value starts from 0, adds 1 in turn, and each segment ENDs with an END identifier END; index parameter IDX for each data block pkt =IDX smt ||IDX msg
S2: a key generation algorithm Gen, which comprises two steps S2.1 of private key generation sub-algorithm SKGEN and S2.2 of public key generation sub-algorithm PKGEN in sequence
The key generation algorithm Gen generates a signature key and a verification key for a sender by using a forward secure pseudo-random function, and provides a key for constructing a non-counterfeitable forward secure signature scheme;
the algorithm comprises a private key generation sub-algorithm SKGEN and a public key generation sub-algorithm PKGEN;
s2.1 private Key Generation sub-Algorithm SKGEN
As shown in fig. 2, the private key generation sub-algorithm starts from an initial state SEED_fws; the seed key seed_{j-1} of period j-1 is used to generate the seed key seed_j of period j, and seed_j is then used to generate the private key SK_{period j} of period j, which contains t SEALs SEAL_{i,j} (1 ≤ i ≤ t), for j = 1, 2, …, x+l, where x and t are both powers of 2; the generation algorithm is as follows:
Input: pseudo-random function
Q := { q_k : {0,1}^n × {0,1}^n → {0,1}^n | k ∈ {0,1}^n };
n is a security parameter whose value depends on the security level set for the application of the algorithm;
SEED_fws for generating the private key: chosen uniformly at random from {0,1}^n;
Processing:
seed_0 = SEED_fws,
[recurrence for seed_j shown only as an image in the source]
[recurrence for SEAL_{i,j} and SK_{period j} shown only as an image in the source]
j = 1, 2, …, x+l.
Output: SK_{period j}, j = 1, 2, …, x+l;
The first x private keys SK_{period j}, j = 1, 2, …, x, are used as the first signing key at the beginning of each complete transmission; the latter l private keys SK_{period j}, j = x+1, x+2, …, x+l, are used as subsequent signing keys, used in sequence within the complete transmission. The assignment of x is arbitrary; for example, when x = 10 and l = 10, the first 10 private keys SK_{period j}, j = 1, 2, …, 8, 9, 10, are used as the first signing key at the beginning of each complete transmission, and the last 10 private keys SK_{period j}, j = 11, 12, …, 18, 19, 20, are used as subsequent signing keys in sequence within the complete transmission;
s2.2 public Key Generation sub-Algorithm PKGEN
After the private key is generated in step S2.1, the public key generation sub-algorithm PKGEN, based on the adjustable hash function, takes SK_{period j}, j = 1, 2, …, x+l, as input and uses a hash tree to generate the corresponding public key; as shown in fig. 3 and 4, specifically: first, sk_{period j}, j = x+1, x+2, …, x+l, is used as input to the pseudo-random function F to generate PK_{period j}, j = 1, 2, …, x+l;
Then, the public key generation seed SEED_auth and the tag HIDX_{m,n} are used as input to the pseudo-random function R to generate the KEY and MSK needed in each iteration;
Next, each PK_{period j} is used as a leaf node of a hash tree, the root node of the hash tree is generated with the adjustable hash function th, and PK_j, j = 1, 2, …, x+l, are generated in turn;
Finally, PK_j, j = 1, 2, …, x, are used as the leaf nodes of the hash tree HT_root; according to the KEY and MSK required for each iteration and the step for generating PK_j, j = 1, 2, …, x+l, the root node PK_root of the hash tree HT_root is constructed; the root node PK_root is the public key;
The specific processing is as follows:
Input: a security parameter n;
pseudo-random function F: [definition shown only as an image in the source];
pseudo-random function
R := { r_SEED : IDX → KEY || MSK | SEED ∈ {0,1}^n };
adjustable hash function
th := { {0,1}^n × {0,1}^{4n} → {0,1}^n };
public key generation seed SEED_auth: chosen uniformly at random from {0,1}^n;
tag HIDX_{m,n} sequence: consists of the sequence number of the complete transmission and the position of the corresponding node in the authentication tree, where m = 0, 1, …, log t − 1 and n = 0, 1, …, 2^m − 1 denote respectively the layer number of the node counted from the top of the authentication tree and its position counted from the left within that layer; m and n both count from 0 and increase by 1 in turn; the nodes of each layer, including the root node and the leaf nodes, are denoted N_{m,n} as follows;
[node layout shown only as an image in the source]
Processing:
(1) The following procedure calculates PK_j, j = 1, 2, …, x+l;
a. [leaf assignment shown only as an image in the source]
For each j ∈ 1, 2, …,
[shown only as an image in the source]
b. The KEY and mask required for each iteration step are generated with the pseudo-random function R, denoted below as KEY and MSK with subscripts:
r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n},
m = 0, 1, …, log t − 2, n = 0, 1, …, 2^m − 1;
c. Calculate the root node N_{0,0} of the hash tree: m takes the values log t − 1, log t − 2, …, 0,
and for each such m calculate:
[node computation shown only as an image in the source]
where n takes the values 0, 2, 4, …, 2^m − 2 in turn;
PK_j = N_{0,0};
(2) The following procedure calculates PK_root:
a. N_{log x,0}, N_{log x,1}, …, N_{log x,x−1} = PK_1, PK_2, …, PK_x;
b. Generate the KEY and MSK required for each iteration with the pseudo-random function R:
r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n},
m = 0, 1, 2, …, log x − 2, n = 0, 1, 2, …, 2^m − 1;
c. Calculate the root node N_{0,0} of the hash tree: m takes the values log x − 1, log x − 2, …, 0,
and for each such m calculate:
[node computation shown only as an image in the source]
where n takes the values 0, 2, 4, …, 2^m − 2 in turn;
PK_root = N_{0,0};
S3: the signature algorithm Sig comprises two steps, S3.1 batch digest sub-algorithm BDA and S3.2 signature sub-algorithm:
S3.1 batch digest sub-algorithm BDA
The batch digest sub-algorithm proceeds as follows:
The batch digest sub-algorithm takes as input the data processed in stage S1, one fragment at a time, namely the data blocks of each fragment together with their index parameters m_1, IDX_{pkt,1}, m_2, IDX_{pkt,2}, …, m_j, IDX_{pkt,j}, and generates the batch digest value BDS of all data blocks in the fragment using a pseudo-random function P and a hash function family T; all batch digest values in a complete transmission are recorded chronologically as BDS_1, BDS_2, …; as shown in fig. 5, the batch digest process for the data in one fragment is as follows:
Input: a security parameter n;
all data blocks m_1, …, m_j in one transmission fragment;
pseudo-random function P := { p_SEED : {0,1}^64 × {0,1}^* × {0,1}^n → {0,1}^n | SEED ∈ {0,1}^n };
hash function family T := { t_KEY : {0,1}^n × {0,1}^n → {0,1}^n | KEY ∈ {0,1}^n };
Processing:
t_0(IDX, SEED_dg, m) = p(SEED_dg, IDX_{smt,j} || {0}^32) = IV_{prd,j},
p(SEED_dg, IDX_{pkt,i}, m_i) = MD_i || KEY_i,
[chaining step shown only as an image in the source]
i = 1, 2, …, j;
Output: BDS = t_j(IDX, SEED_dg, m);
S3.2 signature sub-algorithm
The signature sub-algorithm comprises the following steps:
Input: a security parameter n;
pseudo-random function F_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n;
hash function H_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n;
hash function family [definition shown only as an image in the source];
private key sequence SK_{period j}, j = 1, 2, …, x+l;
all batch digest values in a complete transmission, recorded chronologically as BDS_1, BDS_2, …;
Processing: first, the batch digest values BDS_1, BDS_2, … are re-divided in sequence according to signature periods, and the batch digest value to be processed in period j is written BDS_{i,j}, i ∈ 1, 2, …, s;
When i = 1, 2, …, s−1, calculate
RDM_{i,j} = F_1(SK, BDS_{i,j}),
DGT_{i,j} = H_1(RDM_{i,j}, BDS_{i,j});
When i = s, calculate
RDM_{s,j} = F_1(SK, BDS_{s,j} || pk_{j+1}),
DGT_{s,j} = H_1(RDM_{s,j}, BDS_{s,j} || pk_{j+1});
Next, for each DGT_{i,j}, i ∈ 1, 2, …, s, identity verification is carried out as follows:
from the private key sequence SK_{period j}, select k SEALs SEAL_{j_p}, p = 1, 2, …, k, 1 ≤ j_p ≤ t, satisfying the following condition:
[selection condition shown only as an image in the source]
where the first signing key in each complete transmission is selected in turn from SK_{period j}, j = 1, 2, …, x, and subsequent keys are selected in turn from SK_{period j}, j = x+1, x+2, …, x+l;
Finally, to reduce the signature size of a complete transmission, with t, k and s fixed, the appropriate q is chosen so that
2^q + (log t − q + 1)·s·k
takes its minimum value, as shown in fig. 6;
the final signature is:
when j ≠ 1:
when i = 1,
[signature shown only as an image in the source]
when i = 2, 3, …, s,
[signature shown only as an image in the source]
where i denotes the sequence number of the signature within a period; [symbol shown only as an image in the source] denotes the verification path of the public key for SEAL_{j_p}, 1 ≤ j_p ≤ t, p = 1, 2, …, k, from layer log t to layer q, i.e. all the side nodes passed from layer log t to layer q when the root node is computed with the hash tree in the public key generation algorithm PKGEN, where a side node is the other node value, besides the hash value from the layer below, used when computing the upper-layer node; [symbol shown only as an image in the source] denotes the values of all nodes of layer q of the hash tree; [symbol shown only as an image in the source] denotes the hash values corresponding to all nodes of layer q of the hash tree;
when j = 1,
the signature when i = 1 is:
[signature shown only as an image in the source]
where the authentication path path_pktoroot contains log x values: in the public key generation algorithm PKGEN, the root node of the hash tree HT_root corresponding to pk_1, pk_2, …, pk_{2^q} is used as a leaf node of the top-level hash tree HT_root to construct its root node PK_root, and path_pktoroot consists of all the side nodes passed from the lowest layer up to the root node PK_root, where a side node is the other node value, besides the hash value from the layer below, used when computing the upper-layer node;
when i = 2, 3, …, s,
[signature shown only as an image in the source]
Output: the signature value σ, which is the authentication identifier;
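The batch digest chain of S3.1 and the per-period digests DGT_{i,j} that open S3.2, as an added Python example that is not the patent's own code. SHAKE256 standing in for P (its 2n-bit output split into MD_i || KEY_i), HMAC-SHA256 standing in for the keyed family T and for F_1 and H_1, and the chain step t_i = t_{KEY_i}(t_{i−1}, MD_i), which the source shows only as an image, are all assumptions.

```python
"""Batch digest sub-algorithm BDA (S3.1) and the DGT_{i,j} of S3.2.
Added example, not the patent's own code.  Assumptions: SHAKE256 realises P
(2n-bit output = MD_i || KEY_i), HMAC-SHA256 realises the keyed family T as
well as F_1 and H_1, and the chain step is t_i = t_{KEY_i}(t_{i-1}, MD_i)."""
import hashlib
import hmac

N = 32  # security parameter n = 256 bits, in bytes


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF / keyed hash used for T, F_1 and H_1 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def idx_pkt(idx_smt: int, idx_msg: int) -> bytes:
    """IDX_pkt = IDX_smt || IDX_msg: the two 32-bit counters assigned in S1."""
    return idx_smt.to_bytes(4, "big") + idx_msg.to_bytes(4, "big")


def batch_digest(seed_dg: bytes, idx_smt: int, blocks) -> bytes:
    """BDS of one fragment.  The chaining value starts from an IV bound to the
    fragment index and every block is absorbed under a block-specific key, so
    the digest commits to content, order and position of all data blocks."""
    # t_0 = p(SEED_dg, IDX_smt || {0}^32) = IV_prd
    state = prf(seed_dg, idx_smt.to_bytes(4, "big") + bytes(4))
    for idx_msg, m in enumerate(blocks):              # IDX_msg counts from 0
        # p(SEED_dg, IDX_pkt,i, m_i) = MD_i || KEY_i
        out = hashlib.shake_256(seed_dg + idx_pkt(idx_smt, idx_msg) + m).digest(2 * N)
        md, key = out[:N], out[N:]
        # t_i = t_{KEY_i}(t_{i-1}, MD_i)   (assumed form of the chain step)
        state = prf(key, state + md)
    return state


def period_digests(sk: bytes, bds_period, pk_next: bytes):
    """DGT_{i,j}, i = 1..s, for one signature period.  Only the last digest
    binds pk_{j+1}, which links the next period's public key to this one."""
    s = len(bds_period)
    dgts = []
    for i, bds in enumerate(bds_period, start=1):
        payload = bds if i < s else bds + pk_next       # BDS_{s,j} || pk_{j+1}
        rdm = prf(sk, payload)                          # RDM_{i,j} = F_1(SK, .)
        dgts.append(prf(rdm, payload))                  # DGT_{i,j} = H_1(RDM, .)
    return dgts


if __name__ == "__main__":
    seed_dg = b"\x02" * N            # constructed public digest seed
    frag = [b"temp=21.5", b"temp=21.7", b"valve=open"]   # constructed blocks
    bds = [batch_digest(seed_dg, i, frag) for i in range(3)]
    print([d.hex()[:12] for d in period_digests(b"\x03" * N, bds, b"\x04" * N)])
```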
s4: verification algorithm Ver
When the data stream with the authentication identifier is transmitted from the sender to the receiver, the receiver verifies according to the following method:
Input: the data stream exchanged by both communication parties in a complete transmission and the related index parameters;
the signature value, where the signature value of period j is:
when j ≠ 1:
when i = 1,
[signature shown only as an image in the source]
when i = 2, 3, …, s,
[signature shown only as an image in the source]
when j = 1,
the signature when i = 1 is:
[signature shown only as an image in the source]
when i = 2, 3, …, s,
[signature shown only as an image in the source]
public key: SEED_dg, SEED_auth, PK_root;
a data stream;
Processing:
Divide the data stream according to the transmission fragments; the data stream in each transmission period is m_1, IDX_{pkt,1}, m_2, IDX_{pkt,2}, …, m_s, IDX_{pkt,s};
Call the batch digest sub-algorithm BDA to compute the related batch digest values; the batch digest values of period j are written BDS_{i,j}, i ∈ 1, 2, …, s;
When i = 1, 2, …, s−1, calculate
RDM_{i,j} = F_1(SK, BDS_{i,j}),
DGT_{i,j} = H_1(RDM_{i,j}, BDS_{i,j});
When i = s, calculate
RDM_{s,j} = F_1(SK, BDS_{s,j} || pk_{j+1}),
DGT_{s,j} = H_1(RDM_{s,j}, BDS_{s,j} || pk_{j+1}).
Verification:
[verification relation shown only as an image in the source]
When j ≠ 1 and i ≠ 1: input SEED_auth, the index tags HIDX_{m,n} (m = 0, 1, …, log x − 2, n = 0, 1, …, 2^m − 1) and the k SEALs SEAL_{j_p} (p = 1, 2, …, k); call the PKGEN algorithm to compute the hash values of the k corresponding nodes at layer q, and compare them with the corresponding pk_1, pk_2, …, pk_{2^q} in the first signature value of the transmission period; if equal, the signature is true;
When j ≠ 1 and i = 1, that is, the signature is the first signature value of a period but not the first signature of the complete transmission: in addition to the verification above, input pk_1, pk_2, …, pk_{2^q}, call the PKGEN algorithm to compute the root node of the hash tree, and compare it with the corresponding public key, which was signed with the private key of the previous period; if equal, the signature is true;
When j = 1 and i = 1, that is, the signature is the first signature of the complete transmission: in addition to the verification above, input PK_root, the period index and the identity verification path; first check the period index to ensure that the signature uses an unused key pair; then input pk_j and path_pktoroot, call the PKGEN algorithm to compute the root of the hash tree from pk_j via path_pktoroot, and compare it with PK_root; if equal, the signature is true;
Output: the signature is true/false;
When the receiver's output is true, the data and the authentication identifier have passed verification, the sender is judged to be the device to be interacted with, and the data is correct; if verification fails, the interaction with the sender fails; in this way the authenticity of the sender's identity and the integrity of the sent data are protected;
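The per-period hash tree of PKGEN (S2.2), the layer-q authentication path each signature carries (S3.2) and the layer-q comparison of S4, as an added Python example that is not the patent's own code. SHAKE256 as the PRF R, the SHA-256 based construction of the adjustable (tweakable) hash th, the derivation of a leaf from a SEAL, and the layer numbering (leaves at layer log t, root N_{0,0} at layer 0, as in the assignment of PK_1..PK_x to layer log x) are assumptions; optimal_q evaluates the page's own size trade-off 2^q + (log t − q + 1)·s·k.

```python
"""Per-period public key tree (PKGEN, S2.2), the layer-q path check of S4 and
the q trade-off of S3.2.  Added example, not the patent's own code.
Assumptions: SHAKE256 plays the PRF R; th(KEY, MSK, c) = SHA256(KEY || (c XOR
MSK)); F(SEAL) = SHA256("leaf" || SEAL); leaves at layer log t, root at 0."""
import hashlib
import math

N = 32  # security parameter n = 256 bits, in bytes


def hidx(m: int, n: int) -> bytes:
    """Tweak HIDX_{m,n}: layer m counted from the root, position n from the left."""
    return m.to_bytes(4, "big") + n.to_bytes(4, "big")


def key_and_mask(seed_auth: bytes, m: int, n: int):
    """r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n}; the mask is 2n bytes so
    it covers both children of node N_{m,n}."""
    out = hashlib.shake_256(b"R" + seed_auth + hidx(m, n)).digest(3 * N)
    return out[:N], out[N:]


def th(key: bytes, msk: bytes, children: bytes) -> bytes:
    """Adjustable (tweakable) hash th: {0,1}^n x {0,1}^(4n) -> {0,1}^n, realised
    here as SHA-256 over the per-node key and the masked pair of children."""
    assert len(children) == len(msk) == 2 * N
    masked = bytes(a ^ b for a, b in zip(children, msk))
    return hashlib.sha256(key + masked).digest()


def leaf_of_seal(seal: bytes) -> bytes:
    """F(SEAL): leaf value derived from one SEAL of SK_period_j (assumed form)."""
    return hashlib.sha256(b"leaf" + seal).digest()


def build_tree(leaves, seed_auth: bytes):
    """PKGEN step (1): layers[m] holds N_{m,0..2^m-1}; layers[log t] are the
    leaves and layers[0][0] = N_{0,0} is PK_j.  Running the same routine over
    PK_1..PK_x gives PK_root (step (2))."""
    t = len(leaves)
    assert t > 0 and t & (t - 1) == 0, "t must be a power of 2"
    layers = [None] * (int(math.log2(t)) + 1)
    layers[-1] = list(leaves)
    for m in range(len(layers) - 2, -1, -1):          # m = log t - 1, ..., 0
        below = layers[m + 1]
        layers[m] = [th(*key_and_mask(seed_auth, m, n), below[2 * n] + below[2 * n + 1])
                     for n in range(len(below) // 2)]
    return layers


def auth_path(layers, idx: int, q: int):
    """Side nodes from the leaf layer up to (not including) layer q: the part
    of the verification path a signature carries for one revealed SEAL."""
    path = []
    for m in range(len(layers) - 1, q, -1):
        path.append(layers[m][idx ^ 1])
        idx >>= 1
    return path


def climb(node: bytes, idx: int, path, seed_auth: bytes, leaf_layer: int) -> bytes:
    """Recompute the ancestor of leaf idx reached after len(path) steps up."""
    for step, sibling in enumerate(path):
        m = leaf_layer - step                      # layer of the current node
        left, right = (node, sibling) if idx % 2 == 0 else (sibling, node)
        idx >>= 1
        node = th(*key_and_mask(seed_auth, m - 1, idx), left + right)
    return node


def verify_seal(seal: bytes, idx: int, path, layer_q_nodes, seed_auth: bytes,
                logt: int, q: int) -> bool:
    """S4 check for j != 1, i != 1: climb from F(SEAL) to layer q and compare
    with the layer-q node pk_1..pk_{2^q} published in the period's first signature."""
    if len(path) != logt - q:
        return False
    got = climb(leaf_of_seal(seal), idx, path, seed_auth, logt)
    return got == layer_q_nodes[idx >> (logt - q)]


def optimal_q(t: int, k: int, s: int):
    """S3.2 trade-off: q minimising 2^q + (log t - q + 1) * s * k, i.e. the 2^q
    layer-q nodes sent once per period against the k paths carried by each of
    the s signatures.  Returns (q, cost)."""
    logt = int(math.log2(t))
    cost = {q: 2 ** q + (logt - q + 1) * s * k for q in range(logt + 1)}
    q = min(cost, key=cost.get)
    return q, cost[q]


if __name__ == "__main__":
    # Constructed demo: one period with t = 8 SEALs and q = 1.
    seed_auth = bytes(range(N))
    seals = [hashlib.sha256(b"seal-%d" % i).digest() for i in range(8)]
    layers = build_tree([leaf_of_seal(x) for x in seals], seed_auth)
    path = auth_path(layers, 5, q=1)
    print("PK_j =", layers[0][0].hex()[:16], "... path ok:",
          verify_seal(seals[5], 5, path, layers[1], seed_auth, 3, 1))
    print("optimal q for t=1024, k=3, s=8:", optimal_q(1024, 3, 8))
```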
FIG. 7 is a schematic diagram of the overall structure of the quantum-resistant, hash-signature-based signature authentication method with small size; as shown in figs. 7 and 8, the text and figure in the first row correspond, from top to bottom, to steps S2 and S4, and the text and figure in the second row correspond to steps S1 and S3.
In summary, in the quantum-resistant signature authentication method based on hash signatures with small size, key generation and signing take place at the sender, which takes the data to be sent to the receiver as input: first, a signing key and verification key pair is generated by the key generation algorithm Gen, where the signing key is the private key, used in the signing stage to generate the authentication identifier, and the verification key is the public key, for which a trusted third party in the system signs and issues an X.509 certificate that the sender delivers to the receiver for use in the verification stage; the sender then digitally signs the data to be sent to the receiver with the private key and the signature algorithm to generate the authentication identifier; when the data stream with the authentication identifier is transmitted from the sender to the receiver, the receiver verifies it with the verification algorithm Ver: if verification passes, the sender is judged to be the intended peer and the data is correct; if verification fails, the interaction with the sender fails, and so the authenticity of the sender's identity and the integrity of the sent data are protected.
The quantum-resistant, hash-signature-based signature authentication method with small size is a method for digitally signing a large-scale public data stream that is continuously transmitted from a sender to a receiver, in the setting where such a stream propagates continuously between two communicating parties. A specific signature method built on hash-based signature technology generates an authentication identifier for the data stream, and the receiver checks the data stream against the authentication identifier. If verification passes, the sender device is judged to be the device to be interacted with and the data is correct; if verification fails, the interaction with the sender device fails, and the authenticity of the sender's identity and the integrity of the sent data are protected.
The signature authentication method which is quantum resistant, hash-based and small in size can be used for Wireless Sensor Network (WSN) communication authentication and Internet of Vehicles communication security authentication.
The Wireless Sensor Network (WSN) is one of the core technologies of the Internet of Things. Thanks to its low construction and transmission cost, strong platform adaptability, easy expansion and portability, it has broad application prospects and is widely used in fields such as mobile electronic transactions, national defense and smart cities; the connection relationship of a WSN is shown in fig. 9. However, because of the openness of wireless communication and the functional limitations of sensor nodes, a WSN is vulnerable to various active and passive attacks, such as impersonation of the message source identity, tampering with data, unauthorized access to messages and message replay. The method targets the specific scenario of information exchange between a base station and nodes over the wireless network. The base station is the main port for sending and processing information: it collects and processes large-scale information and sends it to the nodes. The nodes are distributed at the terminals of the wireless sensor network and act as the main receiving ports for data from the base station. The base station transmits a large-scale continuous data stream to the sensors, which can verify the authenticity of the base station's identity as well as the integrity of the data stream it transmits.
In the communication between the base station and the terminal nodes, the base station continuously transmits large-scale data to the terminal nodes. With the base station as sender, the method of the invention provides the terminal nodes with evidence of the authenticity of the base station's identity and the integrity of the sent data, and the terminal nodes complete the corresponding verification. The data processing load is concentrated mainly on the base station, and a terminal node only needs the ability to compute hash functions to complete the verification, so the method is applicable to terminal devices with many functional limitations and has high flexibility and practicability.
In the same way, in Internet of Vehicles communication security authentication, terminal devices such as vehicle-mounted sensors need to receive a large-scale, continuously transmitted control signal from a central server, and identity authentication and integrity authentication of the central server are needed to prevent the signal from being tampered with. The central server acts as sender and uses the method of the invention to present evidence to the terminal nodes, which verify the identity of the central server and that the transmitted data has not been tampered with. This realises protection of the central server's identity authenticity and transmission data integrity for the vehicle-mounted sensor terminal devices.
Compared with XMSS (ISO issued RFC 8391 standard), currently the most mainstream hash-based signature algorithm, the signature compression ratio of eBiBa-256 relative to XMSS-256 ranges from 0.828 to 0.017 over a specific parameter interval, so the signature size obtained with this technique can be reduced by a hundred times under specific parameters.
The quantum-resistant signature authentication method based on hash signatures with small size can also be used for other network communication security authentication, with the same or similar effects.

Claims (1)

1. A signature authentication method which is quantum resistant, hash-based and has a small size is characterized in that: the method is a signature method for carrying out identity authentication and data integrity authentication of a data source on a large-scale data stream under the application background of continuous transmission of both communication parties;
for clarity, some terms will now be defined as follows:
complete transmission: uninterrupted message transmission between signer and verifier, which is a time interval;
signer: i.e. the sender; verifier: i.e. the receiver;
signing key: the signature key is a private key and is used in a signature stage to generate an authentication identifier;
authentication key: the verification key is a public key;
x: the number of complete transmissions that a public key can verify;
signature period: a time interval in which signing uses one set of stamps (SEALs);
s: the number of signable messages in a signature cycle;
fragments: compressing a plurality of messages into a time interval of a message digest through a batch digest sub-algorithm;
The signature authentication method comprises the following steps:
s1: time-sequentially dividing a complete transmission between a sender and a receiver into a plurality of fragments, and setting a 32-bit fragment tag IDX for each fragment smt The value of the product is 0, and 1 is added in sequence; the data communication of the fragments starts with a start identifier SRT; then, based on the block size or transmission time, the data stream in the segment is divided into a plurality of data blocks, the data blocks are represented by m, and each data block m is assigned a tag IDX msg And after attaching to each data block, its value starts from 0, adds 1 in turn, and each segment ENDs with an END identifier END; index parameter IDX for each data block pkt =IDX smt ||IDX msg
S2: a key generation algorithm Gen, which comprises two steps S2.1 of private key generation sub-algorithm SKGEN and S2.2 of public key generation sub-algorithm PKGEN in sequence
The key generation algorithm Gen generates a signature key and a verification key for a sender by using a forward secure pseudo-random function, and provides a key for constructing a non-counterfeitable forward secure signature scheme;
the algorithm comprises a private key generation sub-algorithm SKGEN and a public key generation sub-algorithm PKGEN;
s2.1 private Key Generation sub-Algorithm SKGEN
The private key generation sub-algorithm starts from an initial state SEED_fws; the seed key seed_{j-1} of period j-1 is used to generate the seed key seed_j of period j, and seed_j is then used to generate the private key SK_{period j} of period j, which contains t SEALs SEAL_{i,j} (1 ≤ i ≤ t), for j = 1, 2, …, x+l, where x and t are both powers of 2; the generation algorithm is as follows:
Input: pseudo-random function
Q := { q_k : {0,1}^n × {0,1}^n → {0,1}^n | k ∈ {0,1}^n };
n is a security parameter whose value depends on the security level set for the application of the algorithm;
SEED_fws for generating the private key: chosen uniformly at random from {0,1}^n;
Processing:
seed_0 = SEED_fws,
[recurrence for seed_j shown only as an image in the source]
[recurrence for SEAL_{i,j} and SK_{period j} shown only as an image in the source]
j = 1, 2, …, x+l.
Output: SK_{period j}, j = 1, 2, …, x+l;
The first x private keys SK_{period j}, j = 1, 2, …, x, are used as the first signing key at the beginning of each complete transmission; the latter l private keys SK_{period j}, j = x+1, x+2, …, x+l, are used as subsequent signing keys, used in sequence within the complete transmission. The assignment of x is arbitrary; for example, when x = 10 and l = 10, the first 10 private keys SK_{period j}, j = 1, 2, …, 8, 9, 10, are used as the first signing key at the beginning of each complete transmission, and the last 10 private keys SK_{period j}, j = 11, 12, …, 18, 19, 20, are used as subsequent signing keys in sequence within the complete transmission;
s2.2 public Key Generation sub-Algorithm PKGEN
After the private key is generated in step S2.1, the public key generation sub-algorithm PKGEN, based on the adjustable hash function, takes SK_{period j}, j = 1, 2, …, x+l, as input and uses a hash tree to generate the corresponding public key; specifically:
first, sk_{period j}, j = x+1, x+2, …, x+l, is used as input to the pseudo-random function F to generate PK_{period j}, j = 1, 2, …, x+l;
Then, the public key generation seed SEED_auth and the tag HIDX_{m,n} are used as input to the pseudo-random function R to generate the KEY and MSK needed in each iteration;
Next, each PK_{period j} is used as a leaf node of a hash tree, the root node of the hash tree is generated with the adjustable hash function th, and PK_j, j = 1, 2, …, x+l, are generated in turn;
Finally, PK_j, j = 1, 2, …, x, are used as the leaf nodes of the hash tree HT_root; according to the KEY and MSK required for each iteration and the step for generating PK_j, j = 1, 2, …, x+l, the root node PK_root of the hash tree HT_root is constructed; the root node PK_root is the public key;
The specific processing is as follows:
Input: a security parameter n;
pseudo-random function F: [definition shown only as an image in the source];
pseudo-random function
R := { r_SEED : IDX → KEY || MSK | SEED ∈ {0,1}^n };
adjustable hash function
th := { {0,1}^n × {0,1}^{4n} → {0,1}^n };
public key generation seed SEED_auth: chosen uniformly at random from {0,1}^n;
tag HIDX_{m,n} sequence: consists of the sequence number of the complete transmission and the position of the corresponding node in the authentication tree, where m = 0, 1, …, log t − 1 and n = 0, 1, …, 2^m − 1 denote respectively the layer number of the node counted from the top of the authentication tree and its position counted from the left within that layer; m and n both count from 0 and increase by 1 in turn; the nodes of each layer, including the root node and the leaf nodes, are denoted N_{m,n} as follows;
[node layout shown only as an image in the source]
Processing:
(1) The following procedure calculates PK_j, j = 1, 2, …, x+l;
a. [leaf assignment shown only as an image in the source]
For each j ∈ 1, 2, …,
[shown only as an image in the source]
b. The KEY and mask required for each iteration step are generated with the pseudo-random function R, denoted below as KEY and MSK with subscripts:
r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n},
m = 0, 1, …, log t − 2, n = 0, 1, …, 2^m − 1;
c. Calculate the root node N_{0,0} of the hash tree: m takes the values log t − 1, log t − 2, …, 0,
and for each such m calculate:
[node computation shown only as an image in the source]
where n takes the values 0, 2, 4, …, 2^m − 2 in turn;
PK_j = N_{0,0};
(2) The following procedure calculates PK_root:
a. N_{log x,0}, N_{log x,1}, …, N_{log x,x−1} = PK_1, PK_2, …, PK_x;
b. Generate the KEY and MSK required for each iteration with the pseudo-random function R:
r(SEED_auth, HIDX_{m,n}) = KEY_{m,n} || MSK_{m,n},
m = 0, 1, 2, …, log x − 2, n = 0, 1, 2, …, 2^m − 1;
c. Calculate the root node N_{0,0} of the hash tree: m takes the values log x − 1, log x − 2, …, 0,
and for each such m calculate:
[node computation shown only as an image in the source]
where n takes the values 0, 2, 4, …, 2^m − 2 in turn;
PK_root = N_{0,0};
S3: the signature algorithm Sig comprises two steps, S3.1 batch digest sub-algorithm BDA and S3.2 signature sub-algorithm:
S3.1 batch digest sub-algorithm BDA
The batch digest sub-algorithm proceeds as follows:
The batch digest sub-algorithm takes as input the data processed in stage S1, one fragment at a time, namely the data blocks of each fragment together with their index parameters m_1, IDX_{pkt,1}, m_2, IDX_{pkt,2}, …, m_j, IDX_{pkt,j}, and generates the batch digest value BDS of all data blocks in the fragment using a pseudo-random function P and a hash function family T; all batch digest values in a complete transmission are recorded chronologically as BDS_1, BDS_2, …; the batch digest process for the data in one fragment is as follows:
Input: a security parameter n;
all data blocks m_1, …, m_j in one transmission fragment;
pseudo-random function P := { p_SEED : {0,1}^64 × {0,1}^* × {0,1}^n → {0,1}^n | SEED ∈ {0,1}^n };
hash function family T := { t_KEY : {0,1}^n × {0,1}^n → {0,1}^n | KEY ∈ {0,1}^n };
Processing:
t_0(IDX, SEED_dg, m) = p(SEED_dg, IDX_{smt,j} || {0}^32) = IV_{prd,j},
p(SEED_dg, IDX_{pkt,i}, m_i) = MD_i || KEY_i,
[chaining step shown only as an image in the source]
i = 1, 2, …, j;
Output: BDS = t_j(IDX, SEED_dg, m);
S3.2 signature sub-algorithm
Input: a security parameter n;
pseudo-random function F_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n;
hash function H_1 : {0,1}^n × {0,1}^{2n} → {0,1}^n;
hash function family
Figure FDA0003980308910000052
private key sequence: SK_{period_j}, j = 1, 2, …, x + l;
all batch digest values in a complete transmission, recorded chronologically as BDS_1, BDS_2, …;
Processing: first, the batch digest values BDS_1, BDS_2, … are re-divided sequentially according to signature periods, and the batch digest value to be processed in the j-th period is denoted BDS_{i,j}, i ∈ 1, 2, …, s;
when i = 1, 2, …, s - 1,
calculate
RDM_{i,j} = F_1(SK, BDS_{i,j}),
DGT_{i,j} = H_1(RDM_{i,j}, BDS_{i,j});
when i = s,
calculate
RDM_{s,j} = F_1(SK, BDS_{s,j} || pk_{j+1}),
DGT_{s,j} = H_1(RDM_{s,j}, BDS_{s,j} || pk_{j+1});
next, for each DGT_{i,j}, i ∈ 1, 2, …, s, identity authentication is carried out as follows:
k values SEAL_{j_p} are selected from the private key sequence SK_{period_j}, where p = 1, 2, …, k and 1 ≤ j_p ≤ t, such that the following condition is satisfied:
Figure FDA0003980308910000061
where the first signing key of each complete transmission is selected in turn from SK_{period_j}, j = 1, 2, …, x, and the subsequent keys are selected sequentially from SK_{period_j}, j = x + 1, x + 2, …, x + l;
finally, to reduce the signature size of a complete transmission, with t, k and s fixed, an appropriate value of q is chosen such that
2^q + (log t - q + 1) · s · k
takes its minimum value;
the final signature is:
when j ≠ 1:
when i = 1,
Figure FDA0003980308910000062
when i = 2, 3, …, s,
Figure FDA0003980308910000063
where i denotes the sequence number of the signature within a period,
Figure FDA0003980308910000064
denotes
Figure FDA0003980308910000065
the authentication path of the public key from layer log t to layer q, 1 ≤ j_p ≤ t, p = 1, 2, …, k, i.e. in the public key generation algorithm PKGEN,
Figure FDA0003980308910000066
all the sibling nodes passed through from layer log t to layer q when the hash tree computes the root node, where a sibling node is the other node value in the lower layer, besides the hash value itself, that is used when the parent node is computed;
Figure FDA0003980308910000067
the values of all nodes in the q-th layer of the hash tree;
Figure FDA0003980308910000068
denotes the hash values corresponding to all nodes in the q-th layer of the hash tree;
when j = 1,
the signature when i = 1 is:
Figure FDA0003980308910000071
where the authentication path path_pktoroot contains log x values: in the public key generation algorithm PKGEN, the root node of the hash tree corresponding to pk_1, pk_2, …, pk_{2^q} is used as a node of the highest-level hash tree HT_root to construct the root node PK_root of the highest-level hash tree, and path_pktoroot consists of all the sibling nodes passed through from the lowest layer up to the root node PK_root of the top layer, where a sibling node is the other node value in the lower layer, besides the hash value itself, that is used when the parent node is computed;
when i = 2, 3, …, s,
Figure FDA0003980308910000072
Output: the signature value σ is the authentication identifier;
S4: verification algorithm Ver
When the data stream with the authentication identifier is transmitted from the sender to the receiver, the receiver verifies according to the following method:
input: a data stream and related index parameters interacted by both communication parties in a complete transmission;
signature value, wherein the signature value of the j-th period is expressed as:
when j+.1:
when i=1, the number of the cells,
Figure FDA0003980308910000073
when i=2, 3, …, s,
Figure FDA0003980308910000074
when j=1, the number of the groups,
the signature when i=1 is:
Figure FDA0003980308910000075
when i=2, 3, …, s,
Figure FDA0003980308910000076
public key: SEED dg 、SEED auth 、PK root
A data stream;
and (3) treatment:
dividing the data stream according to the transmission segments, wherein the data stream in each transmission period is m 1 ,IDX pkt,1 ,m 2 ,IDX pkt,2 ,…,m s ,IDX pkt,s
Invoking the batch digest sub-algorithm BDA to calculate an associated batch digest value, the batch digest value for the jth cycle being denoted BDS i,j ,i∈1,2,…,s;
When i=1, 2, …, s-1,
calculation of
RDM i,j =F 1 (SK,BDS i,j ),
DGT i,j =H 1 (RDM i,j ,BDS i,j );
When i=s,
calculation of
RDM s,j =F 1 (SK,BDS s,j ||pk j+1 )
DGT s,j =H 1 (RDM s,j ,BDS s,j ||pk j+1 ).
Verification
Figure FDA0003980308910000081
When j noteq1, i noteq1,
input SEED auth Index tag HIDX m,n ,(m=0,1,…,logx-2,n=0,1,…,2 m -1) k SEAL jp (p=1, 2, …, k), calling hash values of k nodes corresponding to the q-th layer of the PKGEN algorithm, and comparing whether the hash values of the k nodes are equal to the corresponding pk in the first signature value in the transmission period 1 ,pk 2 ,…,pk 2^q The method comprises the steps of carrying out a first treatment on the surface of the If equal, the signature is true;
when j noteq1, i = 1,
that is, the signature is the first signature value in a cycle and not the first signature in a complete transmission, and in addition to the verification, pk is also entered 1 ,pk 2 ,…,pk 2^q Invoking PKGEN algorithm to calculate the root node of the hash tree, and comparing whether the root node is equal to the corresponding public key, wherein the public key is signed by the private key of the previous period; if equal, the signature is true;
when j=1, i=1,
that is, the signature is the first signature in a complete transmission, and in addition to the verification, PK is entered root A period index, an identity verification path; first, the period index is checked to ensure that the signature uses an unused key pair; then, input pk j 、path pktoroot Invoking PKGEN algorithm to calculate slave pk j Via path pktoroot Whether the root node of the computed hash tree is equal to PK root The method comprises the steps of carrying out a first treatment on the surface of the If equal, the signature is true;
and (3) outputting: the signature is true/false;
when the output of the receiving party is true, the representative data and the authentication identification pass the verification, the sending party is judged to be the equipment to be interacted, and the data information is correct; if the verification is not passed, the interaction with the sender fails, so that the authenticity of the identity of the sender and the integrity of the sent data are protected;
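The per-period hash tree and the layer-q truncation that the signature and verification steps above rely on (the root computation of step c, the choice of q minimising 2^q + (log t - q + 1) · s · k, the authentication path from layer log t to layer q, the S4 comparison of the k recomputed layer-q nodes against pk_1, …, pk_{2^q}, and the S4 rebuild of the period public key from pk_1, …, pk_{2^q}), as an added Python example that is not the patent's code. Assumptions beyond the page: SHA-256 stands in for the hash function family; a leaf is H(SEAL); the k indices j_p are taken as consecutive log t-bit chunks of DGT (HORS-style, since the selection condition is an image in the claims); DGT is taken as given, so the BDA and the RDM/DGT step are not repeated (note that the S4 text has the receiver evaluate F_1(SK, ·), which it cannot do without SK; the example therefore starts from DGT). Layer numbering follows the page, root at layer 0 and leaves at layer log t. The names keygen, sign_digest, verify_digest, root_from_layer_q and period_node_count are the example's own.

```python
# Added example, not the patent's code: HORS-style per-period tree with authentication
# paths truncated at layer q.  Assumptions: SHA-256 as the hash family, leaf = H(SEAL),
# j_p = p-th log t-bit chunk of DGT.  Layers: root at 0, leaves at log t (as on the page).
import hashlib


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def build_tree(leaves):
    """layers[m] = the 2**m nodes of layer m; layers[0][0] is the root (the period key pk)."""
    logt = len(leaves).bit_length() - 1
    if 1 << logt != len(leaves):
        raise ValueError("t must be a power of two")
    layers = {logt: list(leaves)}
    for m in range(logt - 1, -1, -1):             # m = log t - 1, ..., 0
        below = layers[m + 1]
        layers[m] = [H(below[n], below[n + 1])    # n = 0, 2, 4, ..., 2**(m+1) - 2
                     for n in range(0, len(below), 2)]
    return layers


def auth_path(layers, leaf_index, q):
    """Sibling nodes from layer log t up to layer q + 1: log t - q values, not log t."""
    path, idx = [], leaf_index
    for m in range(max(layers), q, -1):
        path.append(layers[m][idx ^ 1])
        idx >>= 1
    return path


def climb_to_layer_q(leaf, leaf_index, path):
    """Recompute the layer-q ancestor of a leaf; returns (position in layer q, node)."""
    node, idx = leaf, leaf_index
    for sib in path:
        node = H(sib, node) if idx & 1 else H(node, sib)
        idx >>= 1
    return idx, node


def choose_q(logt, s, k):
    """q minimising 2**q + (log t - q + 1) * s * k, the page's per-period size expression."""
    return min(range(logt + 1), key=lambda q: 2 ** q + (logt - q + 1) * s * k)


def indices_from_digest(dgt: bytes, k: int, logt: int):
    bits = int.from_bytes(dgt, "big")
    return [(bits >> (p * logt)) & ((1 << logt) - 1) for p in range(k)]


def keygen(logt, seed: bytes):
    """SEAL_1..SEAL_t derived from a seed; the tree over H(SEAL_i) gives pk = layers[0][0]."""
    seals = [H(seed, i.to_bytes(4, "big")) for i in range(1 << logt)]
    return seals, build_tree([H(seal) for seal in seals])


def sign_digest(seals, layers, dgt, k, q):
    """One signature: k triples (j_p, SEAL_{j_p}, truncated path to layer q)."""
    return [(j, seals[j], auth_path(layers, j, q))
            for j in indices_from_digest(dgt, k, max(layers))]


def verify_digest(layer_q_nodes, sig, dgt, k, q, logt):
    """S4 (j != 1, i != 1): rebuild the k layer-q nodes from the SEALs and compare with
    pk_1..pk_{2^q}, the layer-q nodes carried by the first signature of the period."""
    if len(sig) != k or [j for j, _, _ in sig] != indices_from_digest(dgt, k, logt):
        return False
    for j, seal, path in sig:
        if len(path) != logt - q:
            return False
        pos, node = climb_to_layer_q(H(seal), j, path)
        if layer_q_nodes[pos] != node:
            return False
    return True


def root_from_layer_q(layer_q_nodes):
    """S4 (i = 1): rebuild pk from pk_1..pk_{2^q}, to compare with the value the previous
    period committed to through pk_{j+1}."""
    return build_tree(layer_q_nodes)[0][0]


def period_node_count(layer_q_nodes, signatures):
    """Nodes actually transmitted in a period: layer q once, plus SEAL and path per j_p."""
    return len(layer_q_nodes) + sum(1 + len(path) for sig in signatures for _, _, path in sig)


if __name__ == "__main__":
    LOGT, K, S = 8, 4, 3          # t = 256 SEALs, k = 4 per signature, s = 3 signatures per period
    Q = choose_q(LOGT, S, K)
    seals, layers = keygen(LOGT, b"constructed demo seed")
    digests = [H(b"constructed DGT", i.to_bytes(1, "big")) for i in range(S)]   # DGT_{i,1}
    sigs = [sign_digest(seals, layers, d, K, Q) for d in digests]
    print("q =", Q, "nodes/period =", period_node_count(layers[Q], sigs),
          "formula =", 2 ** Q + (LOGT - Q + 1) * S * K)
    print("all verify:", all(verify_digest(layers[Q], sg, d, K, Q, LOGT) for sg, d in zip(sigs, digests)))
    print("pk rebuilt from layer q matches:", root_from_layer_q(layers[Q]) == layers[0][0])
```

With log t = 8, s = 3 and k = 4 the expression is minimised at q = 4, giving 76 nodes per period against 109 at q = 0 (full paths plus the root); the saving comes from sending the 2^q layer-q nodes once per period and shortening each of the s · k paths by q nodes. verify_digest rejects a path of the wrong length before hashing, so the truncation depth is part of what is checked, and the layer-q nodes it compares against must come from a signature that was itself verified (the i = 1 case), otherwise an attacker could supply both the nodes and the paths.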
In summary, in the quantum-resistant signature authentication method based on hash signatures and having a small size, key generation and signing take place at the sender, which takes the data to be sent to the receiver as input: first, a signing key and a verification key pair are generated according to the key generation algorithm Gen, where the signing key is the private key and is used in the signing stage to generate the authentication identifier, and the verification key is the public key, which a trusted third party in the system signs to produce an X.509 certificate that the sender transmits to the receiver for use in the verification stage; the sender then digitally signs the data to be sent to the receiver with the private key and the signature algorithm, generating the authentication identifier; when the data stream carrying the authentication identifier is transmitted from the sender to the receiver, the receiver verifies it with the verification algorithm Ver: if verification passes, the sender is judged to be the sender to interact with and the data information is correct; if verification does not pass, the interaction with the sender fails, and so the authenticity of the sender's identity and the integrity of the sent data are protected.
Application CN202211548920.8A, priority date 2022-12-05, filing date 2022-12-05: Quantum-resistant signature authentication method based on hash signature and having small size (CN116260587A, pending)

Publication: CN116260587A (en), published 2023-06-13



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination