KR101404642B1 - System and method for lattice-based certificateless signature - Google Patents

Abstract

The present invention comprises a master object for generating a first secret key using the open identification information of a user object and a master key and allocating the first secret key; a user object for generating a second secret key and an open key. The user object includes a signer object for transmitting a signature generated using the open key, the first secret key, and the second secret key to a verifier object; and the verifier object for verifying the signature received from the signer object using the opened identification information of the signer object and the open key. The present invention provides an electronic signature system in which a trapdoor generated based on the difficulty of a small integer solution (SIS) problem on a lattice in the generation of the master key, the first secret key, and the second secret key is used.

Description

[0001] SYSTEM AND METHOD FOR LATTICE-BASED CERTIFICATELESS SIGNATURE [0002]

The present invention relates to an electronic signature system and method.

Digital signature technology is used for authentication and integrity verification of data and is one of the most widely used technologies in the field of cryptography. In this digital signature technique, the signer generates a signature for its given message using its private key, and the verifier uses the public key paired with the secret key to determine the validity of the signature.

In this environment, it is very important to prove what kind of user a particular public key is, so in most environments, this problem is solved through a public certificate issued by a trusted third party.

However, certificate-based digital signature systems cost a great deal to maintain the certificate, and the issuing organization must handle huge amounts of traffic. It also has trust issues with the certificate itself.

Accordingly, a paper entitled "Certificateless Public Key Cryptography" presented by S. S. Al-Riyami and K. G. Paterson in ASIACRYPT in 2003 proposed an electronic signature technology that does not use certificates. Since the certificate is not used, the above-mentioned problems are solved and provide higher efficiency and safety than the conventional certificate-based electronic signature system.

On the other hand, there are many researches on the mathematical difficulties that are the basis for enhancing the safety of signatures. For example, the small integer solution (SIS) problem on the lattice and the learning with errors (LWE) problem, which are known to be difficult problems in the worst case on the average difficulty problems such as the difficulty of the discrete logarithm problem, ) Signature techniques that are based on the difficulty of the problem. These lattice-based encryption technologies provide not only high security, but also computational efficiency. Especially, it is known to be resistant to quantum computer analysis.

Therefore, applying a lattice-based cryptographic technique to certificate-free digital signature technology would provide an electronic signature technology with higher security and efficiency.

Korean Patent No. 10-0369408 ("Method of Designating a Subscriber-Assigned Proxy in Mobile Communications") discloses a method of generating a signature based on the difficulty of the discrete logarithm problem.

Korean Patent Laid-Open No. 10-2005-0128506 ("Limited Verifier Signature Method Using Double Linear Mapping") discloses a method of generating a designated verifier signature using a double linear mapping.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and its object is to provide an electronic signature system and method with high safety and efficiency.

In order to achieve the above object, according to a first aspect of the present invention, there is provided an electronic signature system, which uses a master key of a user and public identification information of a user entity to generate a first secret key, individual; And a user entity for generating its own public key and a second private key, wherein the user object further includes a signature generated using the public key, the first private key, and the second private key, Lt; / RTI > And a verifier entity verifying a signature received from the signer entity using public identification information and a public key of the signer entity, wherein the master key, the first secret key, and the second secret key A trapdoor generated based on the difficulty of a small integer solution (SIS) problem on a lattice is used.

According to a second aspect of the present invention, there is provided an electronic signature method including the steps of: (a) setting a security parameter of a master entity and generating a master key of the master entity; (b) generating and assigning a first secret key to the user entity based on public identification information of the user entity including the signer entity and the verifier entity; (c) the user entity generating its own public key and a second private key; (d) transmitting to the verifier entity a signature generated by the signer entity using its public key, a first secret key, and a second secret key; And (e) verifying the signature received from the signer entity by the verifier entity using the public identification and the public key of the signer entity, wherein the master key, the first secret key, And a trapdoor generated based on the difficulty of the SIS (small integer solution) problem on the lattice is used for generating the second secret key.

The present invention provides an electronic signature system and method with high security and efficiency.

Specifically, since the present invention does not use a certificate, there is no certificate management cost and safety problem of the certificate-based digital signature system, and the certification authority does not have to be completely trusted.

Further, the present invention is based on the difficulty of the SIS problem on the lattice, which is a mathematical difficulty which is difficult even in the worst case, so that the safety is high.

Because it is based on lattice, it represents the advantages of lattice-based cryptosystem's computational efficiency, high security, and immunity to quantum computer analysis. Therefore, it has the highest security among known non-certificate-based, non-certificate-based digital signature techniques.

1 shows a structure of an electronic signature system according to an embodiment of the present invention.
Figure 2 shows the structure of the system of Figure 1 from a different point of view.
Figure 3 illustrates the flow of an electronic method in accordance with an embodiment of the present invention.
FIG. 4 shows a flow of a system setting method according to an embodiment of the present invention.
FIG. 5 illustrates a flow of a first secret-key issuing method according to an embodiment of the present invention.
FIG. 6 shows a flow of a method of generating a public key and a second secret key according to an embodiment of the present invention.
7 shows a flow of a signature method according to an embodiment of the present invention.
FIG. 8 shows a flow of a verification method according to an embodiment of the present invention.
FIG. 9 shows a flow of a trap door generating method according to an embodiment of the present invention.
FIG. 10 shows a flow of a trap door expanding method according to an embodiment of the present invention.
11 shows a flow of a Gaussian sampling method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, which will be readily apparent to those skilled in the art. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when a part is referred to as being "connected" to another part, it includes not only "directly connected" but also "electrically connected" with another part in between . Also, when an element is referred to as "comprising ", it means that it can include other elements as well, without departing from the other elements unless specifically stated otherwise.

As described above, the non-certificate-based, that is, the certificate-free digital signature system has a problem that the conventional certificate-based digital signature system has a high cost of maintaining and managing a certificate, .

Until now, these certificate-based electronic signature systems have been designed based on factorization, discrete algebra, and pairing. However, these problems, which are considered to be difficult to solve, can no longer guarantee safety due to the recent development of quantum algorithms.

As a result, interest in lattice-based cryptosystems that are known to be resistant to quantum analysis is increasing.

The existing lattice-based cryptosystem lacks the proof of safety, but there are many lattice-based cryptosystems that are proved based on the worst-case problem in recent years. It can be seen that the existing cryptosystem provides very high safety in view of the design based on the average-case problem.

이지만, 래티스에서의 연산 복잡도는

이다. In addition, the lattice-based cryptosystem is more efficient than the conventional technique. The computational complexity, such as factoring, discrete algebra, and pairing,

, But the computational complexity in Lattice is

to be.

Therefore, the present invention aims to provide a non-certificate-based electronic signature technique capable of proving safety in a lattice environment.

1 and 2 show the structure of an electronic signature system according to an embodiment of the present invention.

An electronic signature system 10 according to an embodiment of the present invention is provided with a user M including a signer X, a verifier Y and a third party Z connected via a network entity.

Of the users, the signer X is an entity that signs the message and sends it to the verifier Y, and the verifier Y is the entity verifying the signature received from the signer X. At this time, verification is to confirm that the received signature is a valid signature generated by the signer X, as described above.

A third party (Z) other than the signer (X) who has generated and transmitted the signature and the verifier (Y) who has received the signature can not verify the signature.

Only one signer (X), a verifier (Y), and a third party (Z) entity are shown in the figure, and they are shown as being different entities. However, the signer X, the verifier Y, and the third party Z are all user objects, their roles are not fixed, and there is no limit to the number of user objects participating in the digital signature system 10 It is easy to understand that it is. Each of these user entities may refer to an entity such as a device or software used by the user. Since this is a commonly used concept, an explicit description thereof will be omitted in this specification. For example, in the following description, a user may represent a user entity such as a signer (X), a verifier (Y), a third party (Z), and the like.

As described above, the digital signature system 10 according to the embodiment of the present invention includes a master M entity that generates a first secret key of each user and distributes the first secret key to the user. Here, the master M can be called by various names such as a key generation center and a certification authority, and is used as a concept collectively referred to as organizations that manage the digital signature system 10 to operate smoothly Respectively.

In the conventional public key based environment, as described above, the master M must issue a public certificate to each user. However, the digital signature system 10 according to the embodiment of the present invention may be configured such that the master M authenticates the user X (X, Y, Z), since both the master M and the users X, Y, Z only issue the first secret key to the users X, Y, Z using the public identification information There is no need to manage public certificates, and they are efficient and safe. There is no cost or burden due to the management of authorized certificates, and there is no security risk such as theft of accredited certificates. As will be described later, the users X, Y, and Z generate the second private key, which is another secret key that is not exposed to the master M, by itself, and thus the stability is higher.

Unlike the prior art, the electronic signature system 10 according to an embodiment of the present invention does not use the public certificate but is a public key based method.

The public key based scheme is an asymmetric encryption or signature scheme that generates key pairs that correspond to each other, the dual public key is used for encryption or signature verification, and the secret key is used for decryption or signature.

Since this is to prove who sent the message, when signing a message, sign it with a secret key and confirm it with the corresponding public key. That is, the secret key serves as a seal for the document.

As described above, the encryption and digital signature system is constructed based on a mathematical difficulty that is difficult to solve without specific information. An electronic signature system 10 according to an embodiment of the present invention includes a SIS (small integer solution and learning with errors (LWE) problems.

If there is no specific information, it is difficult to solve, meaning that the operation is unidirectional. Unidirectional is easy to calculate, but it is difficult to obtain the inverse of the operation. This specific information is called a trapdoor.

For example, a cryptographic operation in a public key based environment is performed using a unidirectional operation which is easy to encrypt but its reverse conversion is very difficult when there is no decryption key corresponding to the encryption key used in the encryption. That is, the decryption key corresponding to the encryption key used in the encryption is the trap door. Once the message is encrypted, the encryption key can not be decrypted even if it is present, so the encryption key may be disclosed. On the other hand, trap doors or decryption keys should not be released. Thus, the information used to create the trap door in a public key based environment is disclosed as a public key, and the trap door is not disclosed as a secret key.

Since the Lattice-based SIS problem and the LWE problem are mathematical difficulties that can not be solved even in the worst case as described above, there have been a lot of attempts to apply it to encryption and digital signature systems in recent years. A lattice is a set of all points created by linear combination of two bases in space. If you do not know the bases, it is very difficult to find out where the closest lattice point is from the point, even if the third party (Z) finds out what point it is. Further, if the base is not known, the third party (Z) has an advantage that it is very difficult to find a lattice point within a specific length.

Therefore, the digital signature system 10 according to the embodiment of the present invention generates the first secret key using the public identification information of the master key and the user object (X, Y, Z) (X, Y, Z) for generating a public key and a second secret key of the user object (X, Y, Z) (X) that transmits a signature generated using the public key of the first secret key, the first secret key, and the second secret key to the verifier object Y, and the signature received from the signer entity X, ), And a verifier entity (Y) that verifies using the public key. At this time, a trapdoor generated based on the difficulty of the SIS (small integer solution) problem on the lattice is used for generating the master key, the first secret key, and the second secret key.

2, the master M and each of the users A, B, and C are on a short basis of the lattice generated from any matrix selected in a uniform distribution, A trap door expanding section L200 for expanding the lattice of the trap door to another lattice and creating an extended trap door that is a short base of another lattice, And a sampling unit L300 for sampling the vector from the Gaussian distribution.

In other words, the library L provides basic functions for creating, extending, and using trap doors based on the difficulty of the SIS problem on the lattice with each entity M , X, Y, Z).

The operations performed by these trap door generating section L100, trap door expanding section L200, and sampling section L300 are shown in Figs. 9 to 11. Fig.

The system setting unit 100 of the master M sets security parameters, selects a series of hash functions, uses the trap door generated by using the trap door generating unit L100 as a master key as its secret key , And exposes the corresponding matrices generated together with the hash function.

The master key issuing unit 200 issues the extended trap door generated from the public identification information of the user to the user's first secret key using the trap door extension unit L200.

The user's key generation unit 300 uses the trap door generated by using the trap door generation unit L100 as its second secret key and uses the generated corresponding matrix as its own public key.

Hence, as described above, the digital signature system 10 according to an embodiment of the present invention allows the master M to be trusted exclusively by the user, since the user's second private key is created by the user himself, It has the advantage of not having to.

The signer X of the user uses the signature unit 400 to generate a first signature using his first secret key and public key and to generate a second signature using his second private key and public key And generates a signature using the first signature and the second signature. At this time, the trap door generation unit L100, the trap door extension unit L200, and the sampling unit L300 are used.

The signer X generates a first signature by sampling the vector from the Gaussian distribution of the first secret key, expands the lattice of the second secret key to the extended lattice using the public key, and expands the extended lattice And generates a second signature by sampling the vector from the Gaussian distribution of the extended trap door.

The verifier Y of the user verifies the first signature and the second signature respectively using the public identification information of the signer X and the public key using the verification unit 500, Accept the signature received when it is determined that all of the signatures are legitimate signatures, or reject them.

Thus, each entity of the digital signature system 10 according to one embodiment of the present invention has keys such as those shown in the key store associated with each entity of FIG.

로서 공개된다. The master M has a master key msk, which is a secret key that should not be disclosed to the outside. While the corresponding matrix, along with the hash functions,

.

Identification information and public key of each user (X, Y, Z) are also disclosed. On the other hand, the first secret key and the second secret key of each user (X, Y, Z) are not disclosed.

Figure 3 illustrates the flow of an electronic method in accordance with an embodiment of the present invention.

The master entity M sets security parameters and generates its own master key (SlOO).

The master object M generates a first secret key based on the public identification information of the user object X, Y, Z including the signer object X and the verifier object Y, , Y, Z) (S200).

The user entity (X, Y, Z) generates its own public key and a second private key (S300).

The signer entity X transmits the signature generated by using the public key, the first secret key, and the second secret key to the verifier entity Y (S400).

The signature received from the signer entity X by the verifier entity Y is verified by using the public identification information of the signer entity X and the public key (S500).

Each step will be described in more detail with reference to FIGS. 4 to 8. FIG.

FIG. 4 shows a flow of a system setting method according to an embodiment of the present invention.

The master M selects a hash function (S110).

Using the trap door generating unit L100, a matrix A and a corresponding trap door are generated (S120). The trap door is a short basis of the lattice generated based on the matrix A.

The matrix A and the hash function are output as public parameters (S130).

The generated trap door is used as a master key (S140).

In other words, the system setting step (S100) is a step of determining various parameters to be used in the system and determining a master key of the master (M) issuing the key.

First, we select a collision-resistant hash function that satisfies the following properties.

을 생성하여 공개 파라미터

와 마스터키

를 정한다.And the master (M)

≪ / RTI >

And master keys

.

FIG. 5 shows a flow of a first secret key issuing method according to an embodiment of the present invention.

The master M receives the user ID (S210).

The matrix B is calculated by hashing the user ID (S220).

Using the trap door extension L200, the master key is expanded based on the matrix B (S230).

The extended master key is transmitted to the user (X, Y, Z) as a first secret key for the ID (S240).

In other words, the first secret key issue step S200 is a step in which the master M issues a first secret key for a given ID using its master key.

을 계산하고,

알고리즘을 실행한 후,

을 ID에 대한 제 1 비밀키로 정하고, 안전한 방법으로 해당 ID의 서명자에게 키를 전달한다.The master (M)

Lt; / RTI >

After running the algorithm,

As the first secret key for the ID, and delivers the key to the signer of the corresponding ID in a secure manner.

6 is a flowchart illustrating a method of generating a public key and a second secret key according to an embodiment of the present invention.

As will be described later, the user (X, Y, Z) generates his / her public key and the second secret key completely independently of the master M. Therefore, as described above, since the user (X, Y, Z) does not have to completely trust the master (M) and the second secret key is unknown to the master (M), the digital signature method according to an embodiment of the present invention, Is high.

The user X, Y, Z generates the matrix C and the corresponding trap door using the trap door generating unit L100 (S310). The trap door is a short basis of the lattice generated based on the matrix C.

And uses the matrix C as its own public key (S320).

The generated trap door is used as a second secret key (S330).

In other words, the public key and the second secret key generation step (S300) is a step in which the user (X, Y, Z) corresponding to the ID generates its own public key and the second secret key.

알고리즘을 실행한 후, C를 자신의 ID에 대한 공개키로

를 ID에 대한 제 2 비밀키로 출력한다. The user (X, Y, Z)

After running the algorithm, we send C to the public key for its ID

As a second secret key for the ID.

It should be noted that the master M can know the first secret key of the user X, Y and Z directly, but the second secret key is generated by the user X, Y, I can not tell. Thus, no matter how the master M is, the signature of the signer X can not be generated unless the second secret key is known. Thus, the certificateless electronic signature system 10 according to the embodiment of the present invention has an advantage that the master M is not completely trusted.

7 shows a flow of a signature method according to an embodiment of the present invention.

The signer X receives the message m (S410).

A first signature is generated from its own secret key using the sampling unit L300 (S420). At this time, a value obtained by hashing the public key with a message and an arbitrary character string is used.

The second secret key is expanded using the trap door extension L200 (S440).

The second signature is generated from the extended second secret key by using the sampling unit L300 (S450). In this case, the hash value of the message and another arbitrary character string is used.

A signature is generated using the first signature and the second signature (S460).

The generated signature is sent to the verifier Y (S470).

와 제 2 비밀키

를 사용하여 주어진 메시지에 대한 서명을 생성하는 단계이다. 서명자(X)는 메시지 m에 대한 서명을 다음과 같이 생성한다. In other words, the signing step (S400) is performed in such a manner that the signer X corresponding to the ID has its own first secret key

And the second secret key

Is used to generate a signature for a given message. Signer X generates a signature for message m as follows.

을 계산한다. 여기서 r₁은 서명자(X)가 선택한 임의의 문자열이며, 파라미터 s는

알고리즘에 쓰이는 파라미터다. first,

. Where r ₁ is an arbitrary string selected by the signer (X), and the parameter s is

It is a parameter used in the algorithm.

을 계산하여, 자신의 제 2 비밀키

을 이용해

알고리즘을 실행한 후, 생성한

을 사용하여

을 계산한다. 여기서 r₂ 역시 서명자(X)가 선택한 임의의 문자열이며, 동일한 파라미터 s를 사용한다. After that,

To calculate its own second secret key < RTI ID = 0.0 >

Using

After running the algorithm,

Using

. Where r ₂ Is also an arbitrary string selected by the signer (X), and uses the same parameter s.

으로 구성된다.Finally,

.

FIG. 8 shows a flow of a verification method according to an embodiment of the present invention.

The verifier Y receives the signature of the signer X (S510).

The signer ' s ID and the public key are used to determine whether the pre-specified condition is met as shown for the first signature (S520).

The signer's ID and the public key are used to determine whether the pre-specified condition is met as shown for the first signature (S530).

If both the first signature condition and the second signature condition are satisfied, the signature is verified, and if at least one is not satisfied, the signature is rejected (S540).

In other words, the verification step (S500) is a step in which the verifier (Y) verifies the signature sent by the signatory (X) corresponding to the ID.

은 다음과 같은 조건을 만족할 때 정당하다.Given signature

Is justified when the following conditions are satisfied.

그리고

And

그리고

And

9 to 11, a method for generating, expanding, and sampling a trap door based on the difficulty of the SIS problem on the lattice for use in key issuance and signature, according to an embodiment of the present invention This will be described in detail.

의 이산 가산 서브그룹(discrete additive subgroup)이다. 즉, 쿼션트 그룹(quotient group)

이 유한하다. The present invention uses an m-dimensional full-rank integer lattice, which has a finite index < RTI ID = 0.0 >

Lt; RTI ID = 0.0 > a < / RTI > discrete additive subgroup. That is, a quotient group

This is finite.

은 m개의 선형 독립 기저(basis) 벡터

의 모든 정수 선형 결합의 집합과 동일하게 정의된다.One Lattice

Lt; RTI ID = 0.0 > m < / RTI > linear independent basis vectors

Is defined as the set of all integer linear combinations of.

일 경우, 동일한 래티스를 생성하는 기저들은 무수히 많다.here

, There are a myriad of bases for generating the same lattice.

과

는 정수이며, 차원 n은 본 발명에서 사용되는 시큐리티 파라미터이고, 모든 다른 파라미터들은 n의 함수들로 내포되었다고 가정한다. 여기서 m차원 하드 래티스는 패리티 검사 행렬(parity check matrix)

에 의해 생성되며, 다음과 같이 정의된다.The present invention uses a specific form of integer lattice as follows. here

and

Is an integer, dimension n is a security parameter used in the present invention, and all other parameters are implied by functions of n. Here, the m-dimensional hard lattice is a parity check matrix,

And is defined as follows.

에 의해 생성되는 코셋(coset)은 다음과 같이 정의된다.For any y, the parity check matrix

Is defined as follows: cos (cos?

과 어떤

에 대해, 균등하게 랜덤한(uniformly random)

의 열 벡터는

상의 모두를 (

확률을 제외하고) 생성할 수 있다. 따라서 본 발명은 균등하게 랜덤한

를 사용한다.Some fixed constants

And any

Uniformly random < RTI ID = 0.0 >

The column vector of

All of the above (

(Except for probability). The present invention, therefore,

Lt; / RTI >

The hard-lattice short integer solution (SIS) problem on which the present invention is based belongs to the average-case hardness problems, and Miklos Ajtai describes this problem as worst-case hardness I found a way to make a connection to the server.

norm에서의

문제)는 어떤

에 대해 균등하게 랜덤한 행렬

를 입력으로 받아

와

(즉,

)을 만족하는 영이 아닌(nonzero) 정수 벡터

를 찾는 것으로 정의된다.Lattice's SIS problem (

at norm

Problem)

A uniformly random matrix < RTI ID = 0.0 >

As input

Wow

(In other words,

) Nonzero integer vector satisfying

.

FIG. 9 shows a flow of a trap door generating method according to an embodiment of the present invention.

And receives security parameters (SL110).

An arbitrary matrix is selected from the even distribution (SL120).

And generates a lattice from the matrix (SL130).

The short base of the lattice is calculated (SL140).

The calculated short base is output together with the matrix as a trap door (SL150).

와 이러한 매트릭스로 생성되는 래티스

의 짧은 기저 S를 생성하는 알고리즘

을 제공한다.In other words, the trap door generator L100 generates a trap door

And the lattice created by this matrix

Algorithm to Generate Short Base S of

.

은 임의의 래티스와 그것의 트랩도어(SIS 문제에 대한) 즉, 짧은 기저를 생성하게 된다.Since the problem of finding a short base of arbitrary lattices is a SIS problem,

Will produce any lattice and its trap door (for SIS problem), i.e. short base.

을 만족하며, 기저 S의 길이는

만큼 짧다. At this time,

, And the length of the base S is

.

FIG. 10 shows a flow of a trap door expanding method according to an embodiment of the present invention.

A matrix representing the lattice, that is, a matrix for generating lattice and a short base of the lattice are input (SL 210).

An arbitrary matrix is selected from an even distribution (SL 220).

And generates expanded lattice (SL 230).

The short base of extended lattice is calculated (SL240).

The calculated short base is output to the extended trap door (SL 250).

In other words, the trap door extension L200 provides an algorithm for delegating the short base of the lattice.

와 그것의 짧은 기저

,

를 입력값으로 하는 알고리즘

은 출력값으로 래티스

와 그것의 짧은 기저

을 출력한다. Lattice

And its short base

,

As an input value

Lt; RTI ID = 0.0 >

And its short base

.

FIG. 11 shows a flow of a Gaussian sampling method according to an embodiment of the present invention.

A short base of the lattice, a sampling input value, and a sampling parameter (SL310).

Thereby generating a Gaussian distribution (SL320).

The vector is sampled from the distribution (SL 330).

And outputs a vector (SL340).

In other words, the sampling unit L300 provides an algorithm for sampling the vector from the Gaussian distribution of the lattice.

과 차원

에 대해, 가우시안 함수(Gaussian function)

는

로 정의된다. which

And dimension

Gaussian function < RTI ID = 0.0 >

The

.

에 대해, 코셋 상의 (중심이 0인) 이산 가우시안 분포(discrete Gaussian distribution)

는 각각의

에서

에 비례하는 확률을 가진다.Any coset

, A discrete Gaussian distribution (centered 0) on the co-

Respectively,

in

.

에 대한

의 기저를 말하며,

이다.The properties related to the Gaussian distribution in lattice are as follows. Where s is any

For

, And,

to be.

은 (

통계적인 거리를 가지는)

로부터 샘플링을 할 수 있다.Accordingly

(

With statistical distances)

Can be sampled.

As described above, Gaussian sampling is used by the signer X to extract its own secret key, that is, the lattice vector to be used for signing in the extended trap door.

One embodiment of the present invention may also be embodied in the form of a recording medium including instructions executable by a computer, such as program modules, being executed by a computer. Computer readable media can be any available media that can be accessed by a computer and includes both volatile and nonvolatile media, removable and non-removable media. In addition, the computer-readable medium may include both computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Communication media typically includes any information delivery media, including computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave, or other transport mechanism.

While the methods and systems of the present invention have been described in connection with specific embodiments, some or all of those elements or operations may be implemented using a computer system having a general purpose hardware architecture. In describing an example of a computer system architecture that may be used to implement one or more components or operations of an embodiment of the invention, a hardware system includes a processor, a cache, a memory, and one or more software applications and drivers associated with the functions described above can do.

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only and that those of ordinary skill in the art can readily understand that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. will be. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

The scope of the present invention is defined by the appended claims rather than the detailed description and all changes or modifications derived from the meaning and scope of the claims and their equivalents are to be construed as being included within the scope of the present invention do.

10: Digital Signature System
M: Master
X: Signer
Y: Verifier
Z: Third party

Claims (12)

In an electronic signature system,
A master entity for generating and assigning a first secret key to the user entity using the master key of the user and the public identification information of the user entity; And
And a user entity for generating a public key and a second private key,
The user entity
A signer entity for transmitting a signature generated using the public key, the first secret key, and the second secret key to the verifier entity; And
And a verifier entity for verifying the signature received from the signer entity using the public identification of the signer entity and the public key,
Wherein a trapdoor generated based on the difficulty of the master key, the first secret key, and the small integer solution (SIS) problem on the lattice for generating the second secret key is used. The method according to claim 1,
The master entity
A trap door, which is a short basis of the lattice generated from any matrix selected in a uniform distribution,
Using the trap door as a master key as its secret key, and disclosing the arbitrary matrix. The method according to claim 1,
Expanding the lattice of the master key to the extended lattice using the public identification of the user entity and creating an extended trap door that is the short base of the extended lattice,
And issuing the extended trap door as a first secret key of the user entity. The method according to claim 1,
The user entity
A trap door which is a short base of the lattice generated from an arbitrary matrix selected in a uniform distribution is generated,
Uses the trap door as its second secret key, and uses the arbitrary matrix as its public key. The method according to claim 1,
The user entity
Generates a first signature using its first secret key and a public key,
Generates a second signature using its second private key and public key,
And generate the signature using the first signature and the second signature. 6. The method of claim 5,
The user entity
And a vector is sampled from a Gaussian distribution of the first secret key to generate the first signature. 6. The method of claim 5,
The user entity
Expanding the lattice of the second secret key to the extended lattice using the public key, creating an extended trap door that is the short base of the extended lattice,
And sampling the vector from the Gaussian distribution of the extended trap door to generate the second signature. In the digital signature method,
(a) the master entity establishes security parameters and generates its own master key;
(b) generating and assigning a first secret key to the user entity based on public identification information of the user entity including the signer entity and the verifier entity;
(c) the user entity generating its own public key and a second private key;
(d) transmitting to the verifier entity a signature generated by the signer entity using its public key, a first secret key, and a second secret key; And
(e) verifying the signature received from the signer entity by the verifier entity using the public identification information of the signer entity and the public key,
Wherein the trapdoor is generated based on the difficulty of the master key, the first secret key, and the small integer solution (SIS) problem on the lattice in generating the second secret key. 9. The method of claim 8,
The step (a)
A trap door, which is a short basis of the lattice generated from any matrix selected in a uniform distribution,
Wherein the trap door is used as a master key which is a secret key of the master entity, and the arbitrary matrix is disclosed. 9. The method of claim 8,
The step (b)
Expanding the lattice of the master key to the extended lattice using the public identification of the user entity and creating an extended trap door that is the short base of the extended lattice,
And issuing the extended trap door as a first secret key of the user entity. 9. The method of claim 8,
The step (c)
A trap door, which is the short base of the lattice generated from any matrix selected in a uniform distribution, is generated
Using the trap door as a second secret key of the user entity and using the arbitrary matrix as a public key of the user entity. 9. The method of claim 8,
The step (d)
Using a first private key and a public key of the signer entity to generate a first signature by sampling a vector from a Gaussian distribution of the first private key,
Using the second secret key and the public key of the signer entity to extend the lattice of the second secret key to the extended lattice using the public key and to create an extended trap door that is the short base of the extended lattice , Generating a second signature by sampling the vector from the Gaussian distribution of the extended trap door,
And generating the signature using the first signature and the second signature.

Images