RU2401513C2 - Method for generating and verification electronic digital signature authenticating electronic document - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: method for generating and verification electronic digital signature (EDS) includes following sequence of operations: secret key is generated as at least one string of bits (BS) - k; on the basis of the secret key, open key Y is generated as BS vector of m length, where 2<m<64; electronic document (ED) supplied by H "МДЧ" is received; depending on received electronic document and secret key value Q EDS is generated as at least two BSs depending on EDS, ED and open key the first A and the second B check BSs are generated; A and B BSs are compared. When their parametres match it is concluded that electronic digital signature is authentic.

EFFECT: increase in EDS procedures efficiency without decrease in its stability.

8 cl, 9 tbl

Description

The invention relates to the field of telecommunications and computer technology, and more particularly to the field of cryptographic authentication methods for electronic messages transmitted over telecommunication networks and computer networks, and can be used in electronic message systems (documents) certified by electronic digital signature (EDS) presented in as a bit string (BS) or several BSs. Hereinafter, BS refers to an electromagnetic signal in binary digital form, the parameters of which are: the number of bits and the order of their unit and zero values (the interpretation of the terms used in the description is given in Appendix 1).

A known method of forming and checking the digital signature, proposed in US patent No. 4405829 from 09/20/1983 and described in detail also in books [1. M.A. Ivanov. Cryptography. M., KUDITS-IMAGE, 2001; 2. A.G. Rostovtsev, E.B. Makhovenko. Introduction to public key cryptography. St. Petersburg, Peace and Family, 2001.- p. 43]. The known method consists in the following sequence of actions:

form a secret key in the form of three simple multi-bit binary numbers (MDC) p, q and d, represented by three BS;

form the public key (n, e) in the form of a pair of MDC n and e, where n is a number representing the product of two simple MDC p and q, and e is a MDC satisfying the condition ed = 1mod (p-l) (q-1),

accept an electronic document (ED) submitted by BS N,

depending on the value of H, which is understood as the value of the MDC represented by BS N, and the values of the secret key form an EDS in the form of a MDC Q = S = H ^d mod n.

form the first verification MDC A = N;

form the second verification MDC B, for which MDC S is raised to an integer power e modulo n: B = S ^e mod n;

comparing the generated verification MDC A and B;

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of this method is the relatively large size of the signature and the need to increase the size of the signature when developing new, more efficient methods for decomposing the number n into factors or with an increase in the productivity of modern computing devices. This is because the value of the signature element S is calculated by performing arithmetic operations modulo n, and the stability of the digital signature is determined by the complexity of the decomposition of the module n into factors p and q.

There is also a known method of forming and verifying the authenticity of the digital signature of El-Gamal, described in the book [Moldovyan A.A., Moldovyan N.A., Sovetov B.Ya. Cryptography. - St. Petersburg .: Doe, 2000. - p.156-159], which includes the following actions:

form a simple MDC p and a binary number G, which is a primitive root modulo p, generate a secret key in the form of MDC x, depending on the secret key form a public key in the form of MDC Y = G ^x mod p, take the ED presented in the form of MDC N , depending on H and the secret key, an EDS Q is formed in the form of two MDC S and R, that is, Q = (S, R);

carry out a digital signature authentication procedure, including calculating two control parameters using the original MDC p, G, Y, H, and S by raising the MDC G, Y, R to a discrete degree modulo p and comparing the calculated control parameters;

when the values of the control parameters coincide, they conclude that the digital signature is authentic.

The disadvantage of this method is also the relatively large size of the EDS. This is because the values of the signature elements S and R are calculated by performing arithmetic operations modulo p - 1 and modulo p, respectively.

There is also a known method of forming and verifying EDS, proposed in US patent No. 4995089 of 02.19.1991. The known method consists in the following sequence of actions:

form a simple MDC p, such that p = Nq + 1, where q is a simple MDC;

form a simple MDC a, such that a ≠ 1 and a ^q mod p = 1;

by generating a random equiprobable sequence generate a secret key in the form of MDC k;

form a public key in the form of MDC y according to the formula y = a ^k mod p;

accept ED submitted by MDC M;

form an EDS in the form of a pair of MDC (e, s), for which a random MDC t is generated, form a MDC R according to the formula R = a ^t mod p, form a MDC e = f (M || R), where the sign || denotes the operation of joining two MDCs and f is some specified hash function whose value has a fixed length (usually 160 or 256 bits), independent of the size of the argument, i.e. from the size of the MDC M || R, and then form the MDC s according to the formula s = (t + ek) mod q;

form the first verification MDC A, for which MDC R 'is generated according to the formula R' = a ^s y ^-e mod p and form the MDC e '= f (M || R');

form the second verification MDC In by copying MDC e: B = e;

comparing the generated verification MDC A and B;

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of the method according to the US patent is the relatively high computational complexity of the procedure for forming and checking the digital signature, which is due to the fact that to ensure the minimum required level of resistance, it is required to use a simple module p with a bit capacity of at least 1024 bits.

The closest in technical essence to the claimed one is the well-known method of forming and verifying the authenticity of electronic digital signatures, proposed by the Russian standard GOST R 34.10-2001 and described, for example, in the book [B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M., Hot line - Telecom, 2005 .-- 229 p. (see p.110-111)], according to which the digital signature is formed as a pair of MDC r and s, for which an elliptic curve (EC) is generated as a set of points, each point being represented by two coordinates in a Cartesian coordinate system as two MDC , called abscissa (x) and ordinate (y), then perform the operations of generating EC points, adding EC points and multiplying the EC points by a number, as well as arithmetic operations on the MDC, after which MDC r and s are formed as a result of the performed operations. The indicated operations on points are performed as operations on the MDC, which are the coordinates of the points, according to well-known formulas [B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M., Hotline - Telecom, 2005.- 229 p. (see p. 110-111)]. The operation of adding two points A and B with the coordinates (x _A , y _A ) and (x _B , y _B ), respectively, is performed according to the formulas:

x _C = k ² -x _A -x _B mod p and y _C = k (x _A -x _C ) -y _A mod p,

mod p, если точки А и В не равны, и

mod p, если точки А и В равны. При вычислении значения k выполняется операция деления МДЧ по модулю простого МДЧ, что ограничивает производительность формирования и проверки подлинности ЭЦП по стандарту ГОСТ Р 34.10-2001. Операция умножения точки А на натуральное число n определяется как многократное сложение точки А:Where

mod p if points A and B are not equal, and

mod p if points A and B are equal. When calculating the value of k, the operation of dividing the MDC modulo a simple MDC is performed, which limits the performance of the formation and authentication of the digital signature according to the standard GOST R 34.10-2001. The operation of multiplying point A by a natural number n is defined as the multiple addition of point A:

nA = A + A + ... + A (n times).

The result of multiplying any EC point by zero determines a point called an infinitely distant point and denoted by the letter O. Two points A = (x, y) and -A = (x, -y) are called opposite. Multiplication by a negative integer -n is defined as follows: (-n) A = n (-A). By definition, it is assumed that the sum of two opposite points is equal to the infinitely distant point O.

In the prototype, i.e. in the method of forming and verifying the authenticity of digital signatures according to GOST R 34.10-2001, they generate an EC described by the equation y ² = x ³ + ax + b mod p, therefore, the generation of an EC consists in the generation of numbers a, b and p, which are parameters of the EC and uniquely defining a set of points EC, abscissa and ordinate of each of which satisfies the specified equation. The closest analogue (prototype) is to perform the following sequence of actions:

generate an elliptic curve (EC), which is a collection of MDC pairs, called EC points and having certain properties (see Appendix 1, paragraphs 27-31);

by generating a random equiprobable sequence generate a secret key in the form of MDC k;

form the public key P in the form of two MDC, which are the coordinates of the EC point P, for which they generate a point G having an order value equal to q (the order of the EC point is the smallest positive integer q, such that the result of multiplying this point by q is the so-called infinitely distant point O; the result of multiplying any EC point by zero by definition is point O [B.Ya. Ryabko, AN Fionov. Cryptographic methods of information protection. M., Hot line - Telecom, 2005. - 229 pp. ( see p. 97-130)]; see also Appendix 1, paragraphs 27-31) and the gene iruyut public key by multiplying the point G on MDCH k, that form a public key according to the formula P = kG;

accept ED submitted by MDCH N;

generating a random MDC 0 <t <q, according to which a point R is formed according to the formula R = tG;

form an EDS Q in the form of a pair of MDC (r, s), for which MDC r is generated by the formula r = x _R mod q, where x _R is the abscissa of the point R, and then MDC s is generated by the formula s = (tH + rk) mod q;

form the first verification MDC A, for which MDC ν is generated by the formula ν = sH ^-1 mod q and MDC w by the formula w = (q-rH ^-1 ) mod q, then the point R 'is generated by the formula R' = νG + wP , after which MDC A is obtained by the formula A = x _{R '} mod q, where x _R' is the abscissa of the point R ';

form the second verification MDC B by copying the MDC r: B = r;

comparing the generated verification MDC A and B;

when the parameters of the compared MDC A and B coincide, they conclude that the digital signature is authentic.

The disadvantage of the closest analogue is the relatively low productivity of the procedure for generating and checking EDS, which is due to the fact that performing operations on EC points includes the operation of dividing the MDC modulo a simple MDC, which requires a runtime more than 10 times the duration of the multiplication operation .

The aim of the invention is to develop a method for generating and verifying the authenticity of an electronic digital signature that certifies an electronic signature free of the division operation modulo a simple MDC, thereby increasing the productivity of the procedures for generating and verifying electronic digital signature.

This goal is achieved by the fact that in the known method of generating and verifying the authenticity of an electronic digital signature verifying an ED, which consists in generating a secret key in the form of at least one bit string, the public key Y is formed in the form of more than one BS take the ED represented by BS N ₁ , N ₂ , ..., H _z , where z≥1, depending on the received ED and the value of the secret key, the digital signature Q is formed in the form of a combination of MDC e, s ₁ , s ₂ , ..., s _u, where 1≤u≤8, depending on the public key, the received signature and ED, forming the first a and second B roverochnye BSs, and compares them with coincidence of their parameters conclude authentication signature, new in the claimed invention is, Y's public key to form a w-dimensional, where 2≤m≤64, by generating a vector w-dimensional vectors G _1, G ₂ , ..., G _u , the coordinates of each of which are BS bits of r, where 16≤r≤512, generate a secret key in the form of MDC k ₁ , k ₂ , ..., k _u and generate a public key Y according to the formula

,

,

where the sign ° denotes the operation of multiplying vectors.

The implementation of the operations of the multiplication of the vectors of the BS does not require the operation of dividing the MDC modulo simple MDC, which increases the productivity of the formation and authentication of the digital signature, which certifies the ED. In addition, the coordinates of the BS vector, which is the result of the operation of multiplying the BS vectors, which are operands, are calculated independently from the coordinates of the operand vectors, it is possible to parallelize the operation of multiplying the BS vectors by m independent processes and perform them in parallel, due to which the use of calculations over vectors can significantly increase the speed of formation and authentication of digital signatures.

Also new is that the public key Y is formed in the form of m-dimensional, where 2≤m≤64, MDC vectors by generating m-dimensional MDC vectors G ₁ , G ₂ , ..., G _u , the coordinates of each of which are MDC bit capacity r, where 16≤r≤512, generating a secret key in the form of MDC k ₁ , k ₂ , ..., k _u and generating a public key Y according to the formula

,

,

where the sign ° denotes the operation of multiplying MDC vectors.

The use of MDC vectors as BS vectors can effectively implement the claimed method in computer programs.

It is also new that the public key Y is formed in the form of an m-dimensional, where 2≤m≤64, vector of polynomials by generating m-dimensional vectors of polynomials G ₁ , G ₂ , ..., G _u , the coordinates of each of which are polynomials bit capacity r, where 16≤r≤512, generating a secret key in the form of MDC k ₁ , k ₂ , ..., k _u and generating a public key Y according to the formula

,

,

where the sign ° denotes the operation of multiplying the vectors of polynomials.

The use of MDC vectors as BS vectors can effectively implement the claimed method in specialized computing devices. The operation of the BS vector multiplication operation includes the addition and multiplication operations on the BS modulo a simple MDC, if the BSs are MDCs, or modulo an irreducible polynomial if the BSs are polynomials. In both cases, it is not necessary to perform the division operation modulo a prime number or modulo an irreducible polynomial, thereby increasing the productivity of the procedures for generating and verifying the digital signature authenticity both in software and in hardware implementation of the claimed method.

Also new is the fact that the public key Y is formed in the form of an m-dimensional, where m = 2, vector by generating m-dimensional vectors G ₁ and G ₂ having an order equal to a simple MDC q, generating a secret key in the form of MDC k ₁ and k ₂ and public key generation Y by the formula

,

,

receive the ED represented by BS H ₁ , and the EDS is formed in the form of three MDCs e, s ₁ and s ₂ , for which random MDC t ₁ and t ₂ are generated, the vector R is generated by the formula

,

,

then, depending on R and H ₁ , the first MDC e EDS is formed according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating MDC e, then a pair is generated depending on the secret key MDC s ₁ and s ₂ EDS according to the formulas

s ₁ = (t ₁ -k ₁ e) mod q and s ₂ = (t ₂ -k ₂ e) mod q,

then form the first and second test BS A and B according to the formulas

A = f (R ', H ₁ ) and B = e,

where the vector R 'is calculated by the formula

.

.

The generation of two different secret keys makes it possible to increase the stability of the EDS algorithm when using non-cyclic groups of vectors through the use of BS vectors G ₁ and G _{2 of} dimension m = 2, generating cyclic subgroups of a non-cyclic group of vectors, such that they do not fall into any one cyclic subgroup of a non-cyclic groups of vectors.

Also new is the fact that the public key Y is formed in the form of an m-dimensional, where m = 3, vector by generating w-dimensional vectors G ₁ , G ₂ and G ₃ having an order equal to the simple MDC q, generating a secret key in MDC k ₁ , k ₂ and k ₃ and public key generation Y by the formula

,

,

receive the ED represented by BS H ₁ , and the digital signature is formed in the form of four bit strings e, s ₁ , s ₂ , and s ₃ , for which random MDC t ₁ , t ₂ , and t ₃ are generated, the vector R is generated by the formula

,

,

then, depending on R and H ₁ , the first MDC e EDS is formed according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating MDC e, then a triple is generated depending on the secret key MDC s ₁ , s ₂ , and s ₃ EDS according to the formulas

s ₁ = (t ₁ -k ₁ e) mod q, s ₂ = (t ₂ -k ₂ e) mod q

and s ₃ = (t ₃ -k ₃ e) mod q,

then form the first and second test BS A and B according to the formulas

A = f (R ', H ₁ ) and B = e,

where the vector R 'is calculated by the formula

.

.

и

, называется БС

. Знак || обозначает операцию конкатенации.As an expression e = f (R, H ₁ ), for example, the formula e = rH ₁ mod δ can be used, where r = (r ₁ || r ₂ || r ₃ ) is the MDC given by the concatenation of BS, which are the coordinates BS vectors R, and δ is an auxiliary prime MDC. The generation of three different secret keys makes it possible to increase the stability of the EDS algorithm when using non-cyclic groups of BS vectors by using the BS vectors G ₁ , G ₂ and G ₃ , dimension m = 3, generating cyclic subgroups of the non-cyclic group of BS vectors, such that they do not fall into pairs into any one cyclic subgroup of a non-cyclic group of BS vectors. The concatenation of two BSs a and b, represented as

and

called BS

. Sign || denotes a concatenation operation.

It is also new that the public key Y is formed in the form of an m-dimensional, where m = 5, vector by generating m-dimensional vectors G ₁ and G ₂ having orders equal to MDC q ₁ and q ₂ , respectively, generating a secret key in the form of MDC k ₁ and k ₂ and generating public key Y according to the formula

,

,

take the ED represented by BS H ₁ , and the digital signature is formed in the form of three MDCs e, s ₁ and s ₂ , for which random MDC numbers t ₁ and t ₂ are generated, the vector R is generated by the formula

,

,

then, depending on R and H ₁ , the first MDC e EDS is formed according to the formula e = f (R ', H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating the number e, then, depending on the secret key, generate a pair of MDC s ₁ and s ₂ EDS according to the formulas

s ₁ = (t ₁ -k ₁ e) mod q ₁ and s ₂ = (t ₂ -k ₂ e) mod q ₂ ,

then form the first and second test BS A and B according to the formulas

A = f (R ', H ₁ ) and B = e,

where the vector R is calculated by the formula

.

.

The use of BS vectors of dimension m = 5 makes it possible to reduce the complexity of the operation of multiplying BS vectors in comparison with the use of BS vectors of lower dimension, while retaining the possibility of obtaining non-cyclic groups of BS vectors containing various cyclic subgroups that do not belong to any one cyclic subgroup, which improves the stability EDS algorithms by generating a public key using two secret keys.

, принимают ЭД, представленный БС H₁, а ЭЦП формируют в виде двух МДЧ е и s₁, для чего генерируют случайное МДЧ t, генерируют вектор R по формуле R=G^t, затем в зависимости от R и Н₁ формируют первое МДЧ е ЭЦП по формуле e=f(R,H₁), где f(R,H₁) - выражение, задающее правило вычисления числа е, затем в зависимости от секретного ключа генерируют второе МДЧ s₁ ЭЦП по формулеIt is also new that the public key Y is formed in the form of an m-dimensional, where m = 3, vector by generating an m-dimensional vector G ₁ having an order equal to MDC q, generating a secret key in the form of MDC k ₁ and generating an open key Y according to the formula

take the ED represented by BS H ₁ , and the EDS is formed in the form of two MDCs e and s ₁ , for which a random MDC t is generated, a vector R is generated by the formula R = G ^t , then, depending on R and H ₁ , the first MDC e is formed EDS by the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating the number e, then, depending on the secret key, a second MDC s ₁ EDS is generated according to the formula

s ₁ = (t + k ₁ e) mod q,

then form the first and second test BS A and B according to the formulas

A = f (R ', H ₁ ) and B = e,

where the vector R 'is calculated by the formula

.

.

It is also new that the public key Y is formed in the form of an m-dimensional, where 2≤m≤8, vector by generating m-dimensional vectors G ₁ , G ₂ , ..., G _m having the order equal to a simple MDC q, generating a secret key in the form of MDC k ₁ , k ₂ , ..., k _m and generating a public key Y according to the formula

,

,

receive the ED represented by BS N ₁ , N ₂ , ..., N _m , and the EDS is formed as a combination of MDC e, s ₁ , s ₂ , ..., s _m , for which random MDC t ₁ , t ₂ , ..., t are generated _m , generate a vector R by the formula

,

,

then, depending on R, the first MDC number e of the EDS is formed according to the formula e = f (R, H), where f (R, H) is an expression defining the rule for calculating the number e, and H = H ₁ || H ₂ || H ₃ || ... || H _m , where the sign || denotes a concatenation operation, then, depending on the secret key, m MDCs s ₁ , s ₂ , ..., s _{m are} generated EDS according to the formulas

s ₁ = (t ₁ -k ₁ e) H ₁ ^-1 mod q, s ₂ = (t ₂ -k ₂ e) H ₂ ^-1 mod q, ...,

..., s _m = (t _m -k _m e) H _m ^-1 mod q,

then form the first and second test BS A and B according to the formulas

A = f (R ', H) and B = e,

where the vector R is calculated by the formula

.

.

Using a secret key in the form of a set of several MDCs allows for high EDS stability when using BS vectors, the order of which is equal to a prime number of a relatively small size, which simplifies the choice of parameters for implementing the claimed method of generating and checking an EDS certifying an ED.

A BS vector is a set of two or more BSs called coordinates of a BS vector. The BS vector is written in various ways, the requirement for which is that they identify the positions of the coordinates of the BS vector. For example, the BS vector can be written in the form (a ₁ , a ₂ , ..., a _m ), where m≥2 is the dimension of the BS vector equal to the number of coordinates in the BS vector. As a separator, the sign of the operation of adding BS vectors, defined as the addition of the same coordinates of two BS vectors, which are terms, can be used. When using such a separator, the coordinates of the vector are identified by indicating a formal basis vector (set before or after the corresponding coordinate) in the form of a letter of the Latin alphabet. Basic vectors are called formal because no physical meaning is attributed to them. They serve only to identify the coordinates of the BS vector, regardless of the sequence of their recording. So, for example, BS vectors Z ₁ = 523425e + 3676785i + 53453453j and Z ₂ = 3676785i + 523425e + 53453453j, in which the coordinates are MDCs, are considered equal, i.e. Z ₁ = Z ₂ . The individual terms in such a record of BS vectors are called components of the BS vector, since they are BS vectors with one nonzero coordinate. The dimension of the BS vector is the number of BS included in the BS vector as its coordinates. This application considers finite groups of BS vectors, i.e. algebraic groups whose elements are BS vectors of the form Z = ae + bi + ... + cj, and the group operation is defined through operations on the BS vectors as the operation of multiplying the components of the BS vectors, which are operands, taking into account that the resulting products of formal basis vectors, are replaced according to some specified table with one basis vector or a one-component vector, i.e. a vector containing only one nonzero coordinate. Such a table of multiplication of basis vectors for the case of BS vectors of dimension m = 3 has, for example, the following form:

This table defines the following basis vector substitution rule:

e · i → i, e · j → j, j · i → e, i · i → j, j · j → i, etc.

We will call such tables multiplication tables of basis vectors. For example, let Z ₁ = a ₁ е + b ₁ i + c ₁ j and Z ₂ = а ₂ е + b ₂ i + с ₂ j then the operation of multiplying the BS vectors Z ₁ and Z ₂ (we denote it by the sign “o”) performed as follows:

To specify the finite groups of BS vectors, the operations of addition and multiplication over the BS, which are the coordinates of the BS vectors, are specified in a special way, namely, the coordinates are elements of a finite field, in particular, the field of numbers that are the remainders of dividing all integers by some prime number p called the module. Such fields are called simple and are denoted as follows by GF (p). The number of elements of a simple finite field is p and is called the field order. Another practically important case of defining finite sets of BS vectors is the specification of BS vectors over finite fields of polynomials. Such fields are called expanded finite fields and are denoted as follows GF (p ^d ), where d is a natural number called the degree of expansion of a simple field of characteristic p. The concept of a field is well known in the scientific and technical literature [see, for example, A.I. Kostrikin. Introduction to Algebra. The basics of algebra. M .: Fizmatlit. 1994. - 320 p.]. A polynomial is a sequence of coefficients, for example, MDF, which are elements of the field GF (p). The operations of addition of polynomials and multiplication of polynomials are defined over polynomials, which are reduced to performing actions with coefficients of polynomials that are operands. Polynomials and the rules of action on them are discussed in detail in books [A.I. Kostrikin. Introduction to Algebra. The basics of algebra. M .: Fizmatlit. 1994. - 320 p.] And [Kurosh A.G. Course of higher algebra. - M., "Science", 1971. - 431 p.]. In computing devices, polynomials are represented as BSs in which each bit or each substring of bits of a fixed length is interpreted as one of the coefficients of the polynomial over which the operations of addition and multiplication of coefficients are defined. Elements of a finite field of polynomials are all possible polynomials whose coefficients are elements of a simple field GF (p) for some given value of a prime number p. The operation of multiplication in the field of polynomials consists in multiplying the polynomial factors and taking the remainder of dividing the resulting product by some given irreducible polynomial. The number of elements of the finite field of polynomials (field order) is p ^d , where d is the degree of the irreducible polynomial, which coincides with the maximum number of coefficients in the polynomials obtained as the remainder of the division by the irreducible polynomial.

Vectors in which BS are elements of a finite simple field, i.e. multidigit binary numbers, we will call MDC vectors. Vectors in which BSs are elements of a finite extended field, i.e. polynomials, we will call vectors of polynomials. Actions on finite sets of MDC vectors and finite sets of polynomials are described in the same way, except that the actions on the coordinates of the vectors refer to fields of various types, and therefore differ in these two cases. Actions on the coordinates of the MDC vectors can be described as performing addition and multiplication modulo a prime number p. Actions on the coordinates of the vectors of polynomials can be described as performing operations of addition and multiplication modulo an irreducible polynomial p. The size of the module in both cases is chosen so as to provide a sufficiently large order of the group of MDC vectors. In both cases, the formula that describes the actions that are performed when multiplying the BS vectors Z ₁ = (a ₁ e + b ₁ i + c ₁ j) and Z ₂ = a ₂ e + b ₂ i + c ₂ j has the same form:

Thus, examples of the implementation of the proposed method for generating and verifying the authenticity of electronic digital signatures given for the case of specifying BS vectors over simple fields simultaneously specify examples of implementing the proposed method for the case of specifying BS vectors over finite extended fields, i.e. fields of polynomials.

In the case of MDC vectors, the coordinates of the MDC vector can be set to integers from a finite ring of integers that are the remainders of dividing all integers by a composite natural number. A possible variant of such cases is described in detail in Example 6 below.

Depending on the dimension of the BS vectors over which the multiplication operations are determined, and the specific option for specifying the operation of the BS vector multiplication, various base vector multiplication tables can be used, for example, for BS vectors of dimension m = 2, an acceptable table has the form of table 2, where 0 <ε <p, and for BS vectors of dimension m = 3 - the form of table 3, where 0 <ε <p. The value of the parameter ε, called the tensile coefficient, can be selected arbitrarily from the specified interval. Different values of the parameter ε give different properties to a finite group of BS vectors for a fixed value of dimension m and modulus p. Multiplication tables of basis vectors for the case of MDC vectors and polynomial vectors representing particular variants of specifying BS vectors have the same form, except that in the case of MDC vectors, the coefficient ε is some MDC, and in the case of polynomial vectors, the coefficient ε is some polynomial .

In a similar way, group operations on finite groups of BS vectors of dimensions m = 4, m = 5, etc. can be defined. For example, the rules for multiplying basis vectors for the case m = 7 are given in the following table 4, where arbitrary six values can be used as the tensile coefficients p, τ, λ, ε, μ, and τ, which are polynomials in the case when the BS vectors are polynomial vectors, or being MDCs in the case when the BS vectors are MDC vectors.

причем порядок этой подгруппы является достаточно большим. Группа - это алгебраическая структура (т.е. множество математических элементов некоторой природы), над элементами которой задана некоторая операция таким образом, что алгебраическая структура обладает следующим набором свойств: операция ассоциативна, результатом выполнения операции над двумя элементами является элемент этой же структуры, существует нейтральный элемент такой, что при выполнении операции над ним и другим некоторым элементом а группы результатом является элемент а. Детальное описание групп дано в широко доступной математической литературе, например в книгах [А.Г.Курош. Теория групп.- М., изд-во «Наука», 1967. - 648 с.] и [М.И.Каргаполов, Ю.И.Мерзляков. Основы теории групп.- М., изд-во «Наука. Физматлит», 1996. - 287 с.]. Операция, определенная над элементами группы, называется групповой операцией. Группа называется циклической, если каждый ее элемент может быть представлен в виде g=аⁿ для некоторого натурального числа n, где а - элемент данной подгруппы, называющийся генератором или образующим элементом циклической подгруппы, и степень n означает, что над элементом а выполняются n последовательных операций, т.е.

(n раз). Известно, что, если порядок группы есть простое число, то она циклическая [А.И. Кострикин. Введение в алгебру. Основы алгебры. М.: Физматлит. 1994. - 320 с.]. Важной характеристикой группы является ее порядок, который равен числу элементов в группе. Для элементов группы также применяется понятие порядка. Порядком элемента группы является минимальное значение степени, в которую нужно возвести этот элемент, чтобы результатом операции было получение нейтрального элемента группы.With the appropriate choice of the base vector multiplication table and the simple value p, the set of MDC vectors is finite and this finite set contains a subset of the MDC vectors, which form a group with a group operation

moreover, the order of this subgroup is quite large. A group is an algebraic structure (i.e., a set of mathematical elements of some nature), on whose elements a certain operation is specified in such a way that the algebraic structure has the following set of properties: the operation is associative, the result of the operation on two elements is an element of the same structure, there is the neutral element is such that when performing an operation on it and some other element of the group a, the result is element a. A detailed description of the groups is given in widely available mathematical literature, for example, in books [A.G. Kurosh. Theory of groups. - M., publishing house "Science", 1967. - 648 p.] And [M.I. Kargapolov, Yu.I. Merzlyakov. Fundamentals of group theory. - M., publishing house "Science. Fizmatlit ", 1996. - 287 p.]. An operation defined on group elements is called a group operation. A group is called cyclic if its every element can be represented in the form g = a ⁿ for some natural number n, where a is an element of a given subgroup, called a generator or a generating element of a cyclic subgroup, and degree n means that n consecutive operations i.e.

(n times). It is known that if the order of a group is a prime, then it is cyclic [A.I. Kostrikin. Introduction to Algebra. The basics of algebra. M .: Fizmatlit. 1994. - 320 p.]. An important characteristic of a group is its order, which is equal to the number of elements in the group. For group elements, the concept of order also applies. The order of an element of a group is the minimum value of the degree to which this element must be raised so that the result of the operation is to obtain a neutral element of the group.

Usually, when developing methods for forming and checking digital signatures, cyclic groups of large simple order or groups whose order is divided entirely into a large prime number are used [Wenbo Mao. Modern cryptography. Theory and practice. - M., St. Petersburg, Kiev. Williams Publishing House, 2005. - 763 p.]. With the appropriate specification of the group of BS vectors, this condition is easily ensured. Moreover, the stability of the methods of forming and checking the digital signature is determined by the complexity of the discrete logarithm problem, which consists in determining the value of degree n into which the given element of the group must be raised so that the result of this operation is some other given element of the group [Moldovyan NA. Workshop on public key cryptosystems. - SPb. BHV-Petersburg, 2007. - 298 p.].

над векторами МДЧ выполняется путем выполнения модульных умножений и сложений над МДЧ, являющихся компонентами векторов МДЧ, достаточно высокая трудность задачи дискретного логарифмирования в группе векторов МДЧ достигается при сравнительно малом значении размера модуля р, благодаря чему обеспечивается сравнительно высокая производительность операции возведения векторов МДЧ в большую степень. Поскольку производительность процедур формирования и проверки ЭЦП определяется производительностью операции возведения в степень, то при использовании операций над векторами МДЧ обеспечивается сравнительно высокая производительность процедур формирования и проверки ЭЦП.Since the group operation

on MDC vectors is performed by performing modular multiplications and additions on MDC, which are components of the MDC vectors, a rather high difficulty of the discrete logarithm problem in the group of MDC vectors is achieved with a relatively small value of the module size p, which ensures a relatively high performance of the operation of raising the MDC vectors to a large degree . Since the performance of the procedures for generating and checking the digital signature is determined by the performance of the exponentiation operation, when using operations on the MDC vectors, a relatively high productivity of the procedures for generating and checking the digital signature is ensured.

The order of the BS vector V is the smallest positive integer q such that V ^q = 1, i.e. such that the result of multiplying the MDC vector Q by itself q times is a unit MDC vector E = 1e + 0i + ... + 0j = (1, 0, 0, ..., 0).

In particular cases of defining a finite set of BS vectors, it will represent an extended field in which all nonzero BS vectors constitute a cyclic multiplicative group [N. Moldovyan Information authentication algorithms in ACS based on structures in finite vector spaces // Automation and Telemechanics (M., RAS), 2008]. In other special cases, the formed groups are noncyclic, which contain q + 1 cyclic subgroups of prime order q, where q is a divisor of the order of the field over which BS vectors are given. Moreover, the q value is quite large, due to which non-cyclic groups of BS vectors can be the basis for the implementation of stable EDS algorithms even when the size of the maximum simple order of subgroups is 60-100 bits or less. This is due to the fact that the public key is formed on the basis of several specified BS vectors that are part of different subgroups of simple order that have a single common element - a single BS vector. This mechanism for setting the public key in the methods of generating and verifying EDS is new and previously unknown.

и используемый для формирования первого проверочного МДЧ А, равенThe correctness of the claimed method is proved theoretically. Consider, for example, an embodiment of the method according to claim 9. The public key corresponding to the secret key k is the BS vector Y = G ^k . The BS vector R is generated by the formula R = G ^k , and the first MDC in the EDS (e, s) is calculated by the formula e = f (R, H). The value of s is generated by the formula s = (k + ex) mod q, therefore, the MDC vector R 'generated by the formula

and used to form the first verification MDC A, is

Since the MDC vectors R 'and R are the same, the values e' = f (R ', H) and e = f (R, H) are equal to each other, i.e. A = e '= e = B. Thus, a correctly formed EDS signature satisfies the signature verification procedure, i.e. the correctness of the procedures for generating and verifying EDS is proved. Similarly, the proof of correctness is given for claims 5-8 of the claims.

где k₁, k₂, …, k_u - элементы секретного ключа, а подлинность ЭЦП проверяется по формуле

где s₁, s₂, …, s_u - элементы ЭЦП, u≤m.A feature of claims 5-7 and claim 11 of the claims is the use of several different BS vectors G ₁ , ..., G _u (G ₁ and G ₂ in claims 5 and 7; G ₁ , G ₂ and G ₃ , in claim 6; G ₁ , G ₂ , ..., G _m in clause 11), by which the public key is calculated and which are included in the corresponding EDS authentication formulas. This feature is new in the field of methods for generating and verifying EDS and is of fundamental importance for the case of using finite groups of BS vectors that are non-cyclic. In non-cyclic groups of BS vectors, there are no separate values of BS vectors, the degrees of which any BS vector can express. The different values used G ₁ , G ₂ and G ₃ belong to different cyclic subgroups of the non-cyclic group of BS vectors, therefore, to determine the secret key from the public key, it is necessary to calculate the secret key as a whole, i.e. there is no way to calculate the secret key in parts. This allows you to build robust digital signature algorithms even in cases where the orders of the BS vectors G ₁ , G ₂ and G ₃ , i.e. MDC values q ₁ , q ₂ and q ₃ , respectively, have a size significantly less than 160 bits. The security requirement is that the total length of q ₁ , q ₂ and q _{3 is} no less than 160 bits. Depending on the parameters of the finite set of BS vectors and the multiplication operation, with which the finite groups of BS vectors are specified for generating the public key, one G value can be used (claim 9), the order of which is 160 bits or more in size, two (claims 5 and 7 of the claims), three (claims 6 of the claims), four or more values of G _i , i = 1,2, ..., u (claim 11 of the claims) are used. In accordance with this, the EDS verification equation is also modified. So in the general case, the public key is formed by the formula

where k ₁ , k ₂ , ..., k _u are the elements of the secret key, and the authenticity of the digital signature is verified by the formula

where s ₁ , s ₂ , ..., s _u are EDS elements, u≤m.

поэтому вектор МДЧ R', генерируемый по формуле

и используемый для формирования первого проверочного МДЧ А, равенParagraph 10 of the claims represents a particular embodiment of the claimed method, in which, to ensure the security of the digital signature, the complexity of calculating the roots of a large degree w from a given value of the BS vector is used. In this case, the correctness of the EDS authentication procedure is proved as follows. The public key corresponding to the secret key generated in the form of BS K is a BS Y vector, calculated by the formula Y = K ^w , where w is an auxiliary simple MDC. The MDC vector R is generated by the formula R = T ^w , where T is the BS vector generated randomly. The first MDF EDS (e, S) is calculated by the formula e = f (R, H). Vector BS S is generated by the formula

therefore, the MDC vector R 'generated by the formula

and used to form the first verification MDC A, is

Since the MDC vectors R 'and R are the same, the values e' = f (R ', H) and e = f (R, H) are equal to each other, i.e. A = e '= e = B. Thus, a correctly formed digital signature satisfies the signature verification procedure, i.e. the correctness of the procedures for generating and verifying EDS is proved in the case of a particular embodiment of the proposed method according to claim 10 of the claims. The proof of the correctness of the verification of the digital signature in the case of clause 8 includes the union of the evidence performed for clauses 9 and 10.

Consider examples of the implementation of the claimed technical solution, where specific values of the parameters used are described in the numerical examples given below. The MDC vectors used in the examples were generated using a program developed specifically for generation by the MDC vector, including MDC vectors with a given order, and performing operations on the MDC vectors. The MDCs given in the example are taken of a relatively small size and are written for brevity in the form of decimal numbers. In computing devices, MDCs are represented and converted in binary form, i.e. as a BS in the form of a sequence of high and low potential signals. In real applications, MDC vectors should be used, which include, as their coordinates, MDC from 16 to 512 bits in length, depending on the value of their dimension m MDC vectors. With a smaller dimension, a higher-resolution MDC should be used.

When using the proposed method in practice, one should choose a multiplication table for the basis vectors and the size of the parameters p and q so that the bit depth of the order q is equal to or greater than 32, 40, 64, 80, and 160 bits, depending on the particular implementation of the claimed method. The examples below use parameters with artificially reduced bit depth to reduce the size of the examples and make them more visual.

Example 1

выполняется с использованием таблицы 2. В соответствии с этой таблицей умножения базисных векторов для случая размерности m=2 имеем i·i=ε, где ε∈ {1,…,М-1}. Операция умножения двухмерных БС (а, b) и (с, d) выполняется по правилу:This example illustrates an implementation option of the claimed method, corresponding to paragraph 5 of the claims, in which actions are performed on two-component BS vectors. To obtain a finite group of two-dimensional BS vectors of the form (e, b) = its + bi, BS e and b are interpreted as MDCs, over which the operations of multiplication and addition of coordinates are defined, performed modulo a positive integer M. In this example, the group operation

is performed using table 2. In accordance with this multiplication table of basis vectors for the case of dimension m = 2 we have i · i = ε, where ε∈ {1, ..., M-1}. The operation of multiplying two-dimensional BS (a, b) and (c, d) is performed according to the rule:

(a, b) (c, d) = ((ac + εbd) mod M, (ad + bc) mod M) = g'e + h'i,

where g '= (ac + εbd) mod M and h' = (ad + bc) mod M. It is easy to verify that the addition and multiplication operations defined in this way have the properties of associativity and commutativity. Among algebraic structures of this type there are finite fields and multiplicative groups whose essential property is the presence of a unit E = (1, 0), a neutral multiplication element that determines the existence for each nonzero pair A of a unique inverse value A ^-1 such that AA ^-1 = E.

A group is an algebraic structure with an associative operation for which there is an inverse operation [Kurosh A.G. The course of higher algebra. - M., "Science", 1971.- 431 p.], Ie equations

AX = B and YA = B have a unique solution for any elements A and B. Since the multiplication operation defined above is commutative, the indicated equations are equivalent and only one of them can be considered. It is easy to show that the uniqueness of the solution of these equations is satisfied if for each element A there is a unique inverse value A ^-1 , therefore it is of interest to consider a solution of equations of the form AX = E, which can be represented as follows:

(ae + bi) (xe + yi) = ((ax + εby) mod M) e + (ay + bx) mod M) i = 1e + 0i.

From the last record it follows that to determine the inverse values, one should solve the following system of two linear comparisons with two unknowns

We consider the existence of solutions of this system for the case of using a simple MDF p as a module, i.e. M = p. Equating to zero the main determinant of this system, we obtain the characteristic equation

e ² -εb ² = 0 mod p.

The value (a, b) = (0,0) is a solution of the characteristic equation for any values of the module, therefore, for this pair there is no inverse value. The values of p and s can be chosen in such a way that the characteristic equation has no other solutions, which means that the considered comparison system has a unique solution for any pair (a, b) ≠ (0,0). We consider several important special cases.

Case 1. Of considerable interest is the choice of a parameter ε as a parameter, which is a quadratic non-residue modulo p. In this case, we obtain a structure that is a finite field GF (p ² ) whose multiplicative group is of order

Ω = p ² -1 = (p-1) (p + 1).

By setting different values of the modulus p and the parameter ε, we obtain various variants of a finite field of type GF (p ² ). For a given value of p, we have (p-1) / 2 different variants of the field GF (p ² ), including the same set of elements, but differing in the form of the multiplication operation, respectively, according to the number of different quadratic residues modulo p.

Case 2 (used to illustrate particular embodiments of the proposed method according to claim 5 and claim 8 of the claims in examples 1 and 4, respectively). Let the parameter ε be used in the definition of the multiplication operation, which is the quadratic residue modulo p. Under these conditions, the characteristic equation has, in addition to (a, b) = (0,0), another 2 (p-1) of the following solutions of the form

(ε ^1/2 b mod p, b) and (-ε ^1/2 b mod p, b),

where b∈ {0,1, ..., p-1}. For pairs of this kind, there are no solutions to the comparison system that determine the value of the inverse elements. Therefore, the number of elements for which there are unique inverse values is

Ω = p ² -2 (p-1) -1 = (p-1) ² .

These elements make up the multiplicative group, since the result of multiplying any two elements from this set is an element of the same set. This group of BS vectors is non-cyclic and contains a large number of cyclic subgroups having the same value of prime order q, which is a divisor of p-1. The largest value of the order of cyclic subgroups is p-1. Our theoretical and experimental studies have shown that the BS group corresponding to Case 2 contains q + 1 cyclic subgroups of prime order q for each prime divisor of p-1. For large values of q, the size of which exceeds 80 bits, the number of cyclic subgroups is extremely large, which makes it possible to ensure the resistance of the EDS to the corresponding resistance of the EDS in the case of known analogues when using cyclic groups of simple order, the size of which exceeds 160 bits.

Case 3 (relates to an embodiment of the inventive method according to claim 10 of the claims illustrated in example 6 below). A feature of this case is the specification of operations of addition and multiplication over the coordinates of the BS vector, performed modulo M, which is not simple. In this case, a general analysis of the conditions for the existence of groups and the determination of their order is more complicated. However, the following special case of the composite module M = w ² , where w is a prime number, of interest to us, allows us to obtain formulas for calculating the order of the group for an arbitrary simple MDF w.

Let the value M = w ² be used, where w is a prime number, as a module, and the parameter ε is divided by w. Under these conditions, for elements (a, b) such that a is not divisible by w, the characteristic equation has no solutions, since w | ε, and the determinant of the comparison system is coprime with the module M = w ² , i.e. for each of these elements there are inverse values. In this case, the operation of multiplying two elements gives the third element, in which the first coordinate is also not divided by M, i.e. the operation of multiplication is closed on the indicated set of pairs (a, b). Therefore, this set of BS vectors is a group whose order can be determined from the fact that the number of possible values of the first coordinate is equal to the Euler function of the module φ (M) = φ (w ² ) = w (w-1), the number of possible values of the second the coordinates are M = w ² . We obtain the following formula for the order value of the constructed multiplicative group

Ω = w (wl); w ² = w ³ (w-1).

Experience has shown that the constructed group contains a cyclic group of order

Ω '= w ² (w-1),

which is suitable for solving our task of synthesizing EDS algorithms based on the computational complexity of finding roots of a large simple degree in finite multiplicative groups.

Example 1 implements the calculations in the group of BS vectors, the type of which corresponds to case 2 described above. In this case, the following sequence of actions is performed.

1. A prime number p is generated such that p - 1 contains a large prime factor q, that is, p = Nq + 1, where N is an even number, and ε = 225 is set, which is a quadratic residue modulo p:

p = 3990163786012426536171919;

q = 1997539432909;

2. Generate a secret key in the form of a pair of random MDC k ₁ and k ₂ :

k ₁ = 1853362791;

k ₂ = 8457313533;

3. The public key is formed in the form of a MDC vector Y, for which the following sequence of actions is performed.

3.1. Generate a pair of MDC vectors G ₁ and G ₂ of order

q = 1997539432909.

G ₁ = 3294504589562920276812106е + 2766233567473802431338876i;

G ₂ = 1028484769067346813640211е + 3852939155310569961109202i;

:3.2. MDC vector generate

:

=1183619390973024467297431е+3703669051605973538784782i;

= 1183619390973024467297431e + 3703669051605973538784782i;

=182788774563б60856108049е+1936038364647789724421279i;

= 182788774563b60856108049e + 1936038364647789724421279i;

=1924471834140042300320534e+174837666126798422981001i;

= 1924471834140042300320534e + 174837666126798422981001i;

4. Accept the ED represented, for example, by the following MDC H ₁ (which can be taken, in particular, the hash function of the ED):

H ₁ = 7579346783.

5. Form the digital signature Q in the form of three BS e, s ₁ and s ₂ , for which they perform the following steps:

5.1. The first BS e digital signature is formed, for which

5.1.1. A pair of random MDC t ₁ = 18357236873 and t ₂ = 38157216371 are generated.

:5.1.2. Generate vector BS R according to the formula

:

=755879295575251075473814е+440880985283782634380692i;

= 755879295575251075473814e + 440880985283782634380692i;

=1432490514364096482144778e+952288470467392311694046i;

= 1432490514364096482144778e + 952288470467392311694046i;

5.1.3. BS e is generated in the form of MDC calculated by the formula e = r ₁ H ₁ mod δ, where δ is an auxiliary simple MDC, for example, δ = q = 1997539432909; r ₁ - MDC, which is the first coordinate of the vector MDC R: e = 1701612237557.

5.2. Form the second and third BS s ₁ and s ₂ EDS in the form of two MDC, calculated by the formulas s ₁ = t ₁ -k ₁ e mod q and s ₂ = t ₂ -k ₂ e mod q:

s ₁ = 1767916348307; s ₂ = 1894616394985.

6. The first test BS A is formed, for which the following actions are performed:

6.1. Generate the BS vector R 'in the form of a MDC vector calculated by the formula

:

:

Y ^e = 3849037943945673660459504е + 3583704901879536834939540i.

=3580532237073410771710519e+896847748485820473603568i;

= 3580532237073410771710519e + 896847748485820473603568i;

=2902157646689814295993329е+1114779150752846285743470i.

= 2902157646689814295993329е + 1114779150752846285743470i.

R '= 1828785111436413473493597e + 3766810841718525336502327i.

6.2. BS A is generated in the form of MDC, calculated by the formula A = r ' ₁ H ₁ mod q, where r' ₁ is the MDC, which is the first coordinate of the MDC vector R ':

A = 1701612237557.

7. A second test BS B is formed by copying the MDC e, i.e. according to the formula B = e: B = 1701612237557.

8. Compare the first and second test BS: A = B.

The coincidence of the test BS confirms the authenticity of the digital signature.

Example 2 (illustration of claim 6).

In this example, we consider the case of using three-component BS vectors (m = 3), in which the group operation о is performed using table 3, which defines the rule for multiplying basis vectors. Perform the following sequence of actions.

1. A prime number p is generated such that p-1 contains a large prime factor q, that is, p = Nq + 1, where N is an even number, and set the value ε = 6859 = 19 ³ , which is a cubic residue modulo p:

p = 33888823497367; q = 2376581;

2. Generate a secret key in three random MDC k ₁ , k ₂ and k ₃ :

k ₁ = 1853362791; k ₂ = 8457313533; k ₃ = 3873059582.

3. Form the public key in the form of a vector MDC Y, for which the following sequence of actions is performed:

3.1. Three MDC vectors G ₁ , G ₂ and G ₃ are generated having the order q = 2376581.

G ₁ = 5955377462471e + 28217758221981i + 21380040635602j;

G ₂ = 31195950338318e + 1146212670059i + 19798505045659j;

G ₃ = 12169985178873e + 22834221533336i + 23611151771899j.

:3.2. MDC vector generate

:

=26106362944111e+9121853491576i+7998895962567j;

= 26106362944111e + 9121853491576i + 7998895962567j;

=8841482011615e+31890466083034i+31068266275905j;

= 8841482011615e + 31890466083034i + 31068266275905j;

=32249398803413e+18420663759564i+31373921099158j;

= 32249398803413e + 18420663759564i + 31373921099158j;

4. Accept the ED represented, for example, in the form of a BS by the following MDC H ₁ (which can be taken, in particular, the hash function of the ED):

H ₁ = 1578147.

5. Form the digital signature Q in the form of four BS e, s ₁ , s ₂ , and s ₃ , for which they perform the following steps:

5.1. The first BS e digital signature is formed, for which

5.1.1. Three random MDC t ₁ = 16355233827, t ₂ = 9315216313 and t ₃ = 286572167 are generated.

:5.1.2. MDC R vector is generated by the formula

:

=26476756850873e+89620836256881+670851250270j;

= 26476756850873e + 89620836256881 + 670851250270j;

=30556526925766e+28584458265015i+8838154755582j;

= 30556526925766e + 28584458265015i + 8838154755582j;

=11801846609303e+18076196032752i+32080216656488j;

= 11801846609303e + 18076196032752i + 32080216656488j;

5.1.3. BS e is generated in the form of MDC, calculated by the formula e = (r ₁ || r ₂ || r ₃ ) H ₁ mod δ, where δ is an auxiliary prime number, in which, in this example, MDC q is taken, i.e. δ = q = 2376581; r ₁ || r ₂ || r ₃ - MDC, equal to the concatenation of the coordinates of the vector MDC R: е = 665438.

5.2. Form the second, third and fourth BS s ₁ , s ₂ and s ₃ , EDS in the form of three MDC calculated by the formulas s ₁ = t ₁ -k ₁ e mod q, s ₂ = t ₂ -k ₂ e mod q and s ₃ = t ₃ -k ₃ e mod q:

s ₁ = 56419; s ₂ = 1472355; s ₃ = 1213067.

6. Form the first test BS A, for which the following actions are performed:

:6.1. The MDC vector R 'is calculated by the formula

:

Y ^e = 6474526780075e + 26594658074693i + 27807198777585j;

=46566596б2651е+31668525221129i+9741922667955j;

= 46566596b2651e + 31668525221129i + 9741922667955j;

=13878539449612e+10268579457949i+25993200515657j;

= 13878539449612e + 10268579457949i + 25993200515657j;

=8522604164956e+3729385407205i+6316798018014j;

= 8522604164956e + 3729385407205i + 6316798018014j;

R '= 10344044176952e + 11648038573307i + 33051212302586j.

6.2. The first test BS A is generated in the form of an MDC calculated by the formula A = (r ' ₁ || r' ₂ || r ' ₃ ) H ₁ mod q: A = 665438.

7. A second test BS B is formed by copying the MDC e according to the formula B = e: B = 665438.

8. Compare the first and second test BS: A = B

The coincidence of the test BS confirms the authenticity of the digital signature.

Example 3 (illustration of claim 7).

In this example, we consider the case of using five-component BS vectors (dimension m = 5), in which the group operation о is performed using the following table of base vector multiplication.

Perform the following sequence of actions.

1. A prime number p is generated such that p-1 contains a large prime factor q, that is, p = Nq + 1, where N is an even number, and ε = 17377 is set:

p = 13900359797; q = 820177;

2. Generate a secret key in the form of two random MDC k ₁ and k ₂ :

k ₁ = 3178457367; k ₂ = 4154733715.

3. A public key is formed in the form of a BS Y vector, for which the following sequence of actions is performed.

3.1. Two BS vectors G ₁ and G _{2 are} generated having the order q ₁ = 820177 and g ₂ = 59403247. G ₁ = 4670230529e + 6363758539i + 1115493580j + 11774211119k + 4481291788u;

G ₂ = 7346947995e + 9935549003i + 571858634j + 5252170971k + 11375019823u.

:3.2. BS vector is generated

:

Y ₁ = 5595374136e + 6222510934i + 5243302038j + 12338881800k + 1993502504u;

Y ₂ = 8724284212e + 10520629249i + 37795532j + 9839512858k + 9802549315u;

4. Take the ED represented, for example, by the following MDC H ₁ (which can be taken, in particular, the hash function of the ED): H ₁ = 89154314.

5. Form the digital signature Q in the form of three BS e, s ₁ and s ₂ , for which they perform the following steps:

5.1. The first BS e digital signature is formed, for which

5.1.1. A pair of random MDCs k ₁ = 613352348 and k ₂ = 37591463 are generated.

:5.1.2. MDC vector generate

:

R ₁ = 2267371210e + 1531475463i + 11370174246j + 13211765802k + 10527441855u;

R ₂ = 1310809391le + 3936822199i + 9539524888j + 5370585930k + 6567932491u;

5.1.3. BS e is generated in the form of MDC, calculated by the formula e = (r ₁ || r ₂ || r ₃ ,) H ₁ mod δ, where δ is an auxiliary prime number, in which, in this example, MDC is taken δ = 2376581; r ₁ || r ₂ || r ₃ - MDC, equal to the concatenation of three MDC, which are the coordinates of the vector MDC R: е = 119236.

5.2. Form a pair of BS s ₁ and s ₂ in the form of MDC calculated by the formulas s ₁ = t ₁ -k ₁ e mod q ₁ and s ₂ = t ₂ -k ₂ e mod q ₂ .

s ₁ = 626030; s ₂ = 2528952.

6. The first test BS A is formed, for which the following actions are performed:

:6.1. The MDC vector R 'is calculated by the formula

:

Y ^e = 977315114e + 13874743606i + 10113644214j + 97683587k + 971368210u;

=10769096929e+2654696484i+11130937343j+3507101146k+4306145379u;

= 10769096929e + 2654696484i + 11130937343j + 3507101146k + 4306145379u;

=12814278574e+7057455723i+12699485338j+1124012626k+147947960u;

= 12814278574e + 7057455723i + 12699485338j + 1124012626k + 147947960u;

R '= 6897422139e + 631158804i + 593548634j + 4117090044k + 2590225180u.

6.2. BS A is generated in the form of MDC calculated by the formula

A = (r ' ₁ || r' ₂ || r ' ₃ ) H ₁ mod δ: A = 119236.

7. Form a second verification BS In by copying MDC e:

B = e = 119236.

8. Compare the first and second test BS: A = B.

The coincidence of the test BS confirms the authenticity of the digital signature.

Example 4

This example relates to an embodiment of the inventive method according to claim 8. In this example, we use a non-cyclic group Γ containing cyclic subgroups whose order is divided by w ² . The formation of such a non-cyclic group is described in example 1 as case 2. In this particular example, relating to the use of a group whose order is expressed by the formula Ω = (p-1) ² , there are elements of the order ω = (p-1) = Nw in the group Г ² , where N is an even number and w is a prime number of a sufficiently large size.

In this example, the simple MDC p = 2qw ² +1, where

p = 757095462971039987; q = 1433729993 - simple MDC;

w = 16249 - simple MDC.

Perform the following sequence of operations using the value of the parameter ε = 152399025, which is the square of 12345.

1. Generate a secret key in the form of a two-dimensional vector of the BS K = (k ₁ , k ₂ ), represented by two MDC k ₁ and k ₂ , and one BS represented by MDC k:

K = (k ₁ , k ₂ ) = (162748957475865968, 978716439507194574);

k = 73678436295562.

2. Generate a BS vector G whose order is q:

G = (89833863138176218, 481445738651243524).

выполняя следующие действия:3. Form the public key Y in the form of a two-dimensional vector of the BS, calculated by the formula

following these steps:

3.1. The values of the BS vectors G ^k and K ^w are calculated:

G ^k = (328752664651659001, 188933597249340036);

K ^w = (561576529082416854, 311520115027605902).

3.2. Generate the public key Y = (y ₁ , y ₂ ), for which the BS vector G ^{k is} multiplied by the BS vector K ^w :

Y = (y ₁ , y ₂ ) = (355961954073853677, y ₂ = 52073643974617679).

4. Accept the ED represented, for example, by the following MDC H ₁ (which can be taken, in particular, the hash function of the ED).

5. A digital signature is formed in the form of four BS defined by four MDCs e, s, s ₁ and s ₂ , for which the following sequence of actions is performed.

5.1. A random MDC t and a random two-dimensional BS vector are generated, in which the coordinates are the MDC:

t = 2134356456473;

T = (64697680789267, 70914503766891).

5.2. Generate the vector BS R, performing calculations by the formula:

G ^t = (633200307649534083,225907802600880012);

T ^w = (334316797118875406.694605535104513177).

As a result of the multiplication of the BS vectors G ^t and T ^w , the following coordinates of the BS vector R are generated:

r ₁ = 278285084410523629; r ₂ = 476437561152596152.

5.3. The first BS e EDS is formed in the form of a MDC calculated by the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression specifying the procedure for calculating the number e. Let a value equal to e = 874095303603 be obtained.

5.4. The two-dimensional BS vector S is calculated, the coordinates of which are the third and fourth EDS BS, according to the formula

K- ^e = K ^p-1-e = (586016270354358239, 327468169526176273);

S = (s ₁ , s ₂ ) = (120860422228891963, 483553947421564222).

5.5. BS s are generated in the form of MDC calculated by the formula

s = s ₁ ^-1 (t-ke) mod q:

s ₁ ^-1 = 124122450; s = 222387665.

6. Verify the authenticity of the digital signature, for which they perform the following sequence of actions.

где F(S)=s₁:6.1. Form the vector BS R 'by the formula

where F (S) = s ₁ :

sF (S) = 26877867090397379188836395;

G ^{s · F (S)} = (117660193869193445, 78350012648906257);

Y ^e = (45991950818968478, 376342549870250020);

S ^w = (441809832936651938, 4975252013635854).

R '= (r' ₁ , r ' ₂ ) = (278285084410523629, 476437561152596152).

6.2. The first test BS A is formed using the formula A = f (R ', H ₁ ).

Since R ′ = R is obtained, then A = f (R ′, H ₁ ) = f (R, H ₁ ) = e, i.e. we have:

A = 874095303603.

6.3. Form the second test BS In the formula B = e:

B = 874095303603.

6.4. Compare test BS A and B.

6.5. The comparison shows that the parameters of the test BS A and B are the same, on the basis of which they conclude that the digital signature is authentic.

Example 5

выполняемой по таблице 6 умножения базисных векторов.The case of the use of three-component MDC vectors (illustration of claim 9 of the claims). In this example, we consider a group of three-dimensional BS vectors with a group operation

performed according to table 6 of the multiplication of basic vectors.

This example shows that with an appropriate choice of dimension m, a prime number p and a tensile coefficient ε, a value of the order of q can significantly exceed the value of p. Perform the following sequence of actions.

1. A prime number p is generated such that the number p ² + p + 1 contains a large prime factor q: p = 97; q = 3169.

2. Generate the secret key k in the form of a random MDC: k = 2079.

3. A public key is formed in the form of a BS Y vector, for which the following sequence of actions is performed.

3.1. Generate a BS vector G having order q = 3169:

G = 8e + 3i + 93j.

3.2. The BS vector Y = G ^{k is} generated: Y = 87е + 96i + 86j.

4. Accept the ED represented, for example, by the following MDC H ₁ (which can be taken, in particular, the hash function of the ED): H ₁ = 5168.

5. Form the digital signature Q in the form of two BS e and s, for which they perform the following steps:

5.1. The first BS e digital signature is formed, for which

5.1.1. Generate random MDC t = 5387

5.1.2. The MDC vector R is generated by the formula R = G ^t = 96e + 56i + 81j.

5.1.3. Generate BS e in the form of MDC, calculated by the formula e = rH ₁ mod δ,

where r = (r ₁ || r ₂ || r ₃ ) is the MDC equal to the concatenation of the MDC, which are the coordinates of the MDC vector R and δ = 3169: e = 3138.

5.2. Form the second BS s EDS in the form of MDC, calculated by the formula

s = t + ke mod q: s = 1149.

6. Form the first test BS A, for which the following actions are performed:

6.1. The MDC vector R 'is calculated by the formula

Y ^qe (mod p) = 75e + 46i + 84j

G ^s (mod p) = 27e + 81i + 81j

R '= 96e + 56i + 81j.

6.2. BS A is generated in the form of MDC, calculated by the formula A = r'H ₁ mod δ, where r '= (r' ₁ || r ' ₂ || r' ₃ ) MDC equal to the concatenation of the MDC included in the MDC vector R 'and δ = 3169 is an auxiliary prime number: A = 3138.

7. Form a second verification BS In by copying MDC e:

B = e = 3138.

8. Compare the first and second test BS: A = B

The coincidence of the test BS confirms the authenticity of the digital signature.

Example 6

This example relates to an embodiment of the claimed method according to claim 10 of the claims. In this example, we use a non-cyclic group Γ containing cyclic subgroups whose order is divided by w ² . The formation of such a non-cyclic group is described in example 1 as case 3.

This specific example relates to the use of a group of this type. The order of the group Γ is expressed by the formula Ω = w ³ (w − 1), where w is a prime.

The group Γ contains elements of order ω = w ² (w − 1). Take the value w = 92618137318729677928546646365838873180498085133. Then we have the value of the module

M = w ² = 8578119360391067054292626600438708965746964997146182659298964331315788956009108954679715627689

As the coefficient ε, we take the value 101w, i.e. ε = 9354431869191697470783211282949726191230306598433.

The choice of a group of this particular type introduces a certain specificity into the synthesized EDS algorithm. When generating a random secret key K = (k ₁ , k ₂ ) ∈ Г, a check should be done: GCD (w, k ₁ ) = l and K ^{w (w-1)} ≠ 1.0). The first condition ensures that the element belonging to the group D is selected as the secret key. The second condition ensures that the element is selected as the secret key, the order of which is divided by the square of the root degree, which is a digital signature security requirement. A similar check should be performed when generating a random BS vector T = (t ₁ , t ₂ ) ∈ G. If this condition is not fulfilled (the probability of this event is small) for randomly selected coordinates k ₁ and k ₂ (or for coordinates t ₁ and t ₂ ), then one should choose new random values of the coordinates k ₁ ≤M = w ² and k ₂ ≤M = w ² (or coordinates t ₁ ≤M = w ² and t ₂ ≤M = w ² ). In this example, the following sequence of actions is performed.

1. Generate a secret key K in the form of a two-dimensional vector of the BS, represented by two MDC:

K = (162748957475865968, 9787164395071945749328495).

2. Form the public key Y in the form of a two-dimensional vector of the BS, by performing the operation of raising the secret key to the power w in accordance with the formula Y = K ^w = (y ₁ , y ₂ ) - As a result, the following coordinates of the vector of the BS Y are generated:

y ₁ = 21228784879778840523736855349044078599261832125691229247376837230 26454694663820975943984437961;

y ₂ = 90646893590375535174289454483400852640445760352160962710838716809 2764835.

3. Accept the ED submitted by BS N ₁ .

4. The EDS is formed in the form of three BSs defined by three MDCs e, s ₁ and s ₂ , for which the following sequence of actions is performed.

4.1. A random two-dimensional BS vector is generated in which a pair of BS is interpreted as a pair of MDC:

T = (96846596736586738292216171, 37586931174658693746285927).

4.2. The BS vector R is generated by performing the operation of raising the BS T vector to the power w in accordance with the formula R = T ^w (r ₁ , r ₂ ). As a result, the following coordinates of the BS vector R are generated:

r ₁ = 6676527716822018383957988126039278418617223915758582479614295011535668063135439573548109332464;

r ₂ = 3481231552924180293255968160466563282460623255695990065475962954205823291.

4.3. The first EDS BS is formed in the form of MDC e, calculated by the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression specifying the procedure for calculating the number e. Let a value equal to e = 75867496586968496537352193793673918466970375638 be obtained.

4.4. The two-dimensional BS vector S is calculated, the coordinates of which are the second and third EDS BS, according to the formula

s ₁ = 8256594105547617216423939012826302237218370734284428450969373421295221722475025012259161992826;

s ₂ = 422260754784925502959681748215173239940083978470857855504330212012892903897205453209052939744.

5. Check the authenticity of the digital signature, for which they perform the following sequence of actions:

5.1. Form the vector BS R 'by the formula

r ' ₁ = 6676527716822018383957988126039278418617223915758582479614295011535668063135439573548109332464;

r ' ₂ = 3481231552924180293255968160466563282460623255695990065475962954205823291.

5.2. The first test BS A is formed using the formula A = f (R ', H).

The comparison shows that R '= R, therefore A = f (R', H) = f (R ', H) = e, i.e. A = 75867496586968496537352193793673918466970375638.

5.3. Form the second test BS In the formula B = e:

B = 75867496586968496537352193793673918466970375638.

5.4. Compare test BS A and B.

5.5. The comparison shows that the parameters of the test BS A and B are the same, on the basis of which they conclude that the digital signature is authentic.

Example 7

This example relates to an embodiment of the claimed method according to claim 11 of the claims. It uses a group whose elements are BS vectors of dimension m over which the multiplication operation is determined so that the order of the group is (p-1) ^m , and the maximum order of the elements of the group is p-1, where p is the characteristic of a finite simple field, over which BS vectors are given, and BS are interpreted as MDC, and operations on the BS are performed as operations on the MDC. The conditions for constructing groups of this type are described, for example, for the case m = 3, in [N. Moldovyan Groups of vectors for electronic digital signature algorithms // Bulletin of St. Petersburg State University. Ser. 10.2008]. In a similar way, BS groups can be defined for dimensions m = 4, 5, 6, .... In this example, specific values of the obtained BS values are not given, but the results of the procedures for the formation and generation of BS and BS vectors in a generalized form for an arbitrary case are described. Substituting specific numerical values instead of letter symbols, various variants of numerical illustration of claim 11 of the claims may be constructed. In this example, the emphasis is on the correctness of the EDS authentication procedure, which is proved for the general case. The following sequence of actions is performed.

…,k_m.1. Generate a secret key in the form of MDC k ₁ , k ₂ ,

..., k _m .

2. The public key Y is formed in the form of an m-dimensional, where m≥2, BS vector, for which the following steps are performed.

2.1. BS vectors G ₁ , G ₂ , ..., G _{m of} dimension m are generated having an order equal to a simple MDC q.

.2.2. Generate the public key Y in the form of a BS vector calculated by the formula

.

3. Accept the ED represented by BS H ₁ , H ₂ , ..., H _z , where z = m.

4. Form the digital signature in the form of a set of BS e, s ₁ , s ₂ , ..., s _m , for which the following steps are performed.

4.1. Random MDC t ₁ , t ₂ , ..., t _{m are} generated.

.4.2. Generate vector BS R according to the formula

.

4.3. The first BS e EDS is formed in the form of MDC calculated depending on R and H according to the formula e = f (R, H), where f (R, H) is an expression defining the rule for calculating the number e, and H = H ₁ || H ₂ || ... || H _z , where z = m.

4.4. Generate m BS s ₁ , s ₂ , ..., s _m EDS in the form of MDC calculated by the formulas s ₁ = (t ₁ -k ₁ e) H ^-1 ₁ mod q, s ₂ = (t ₂ -k ₂ e) H ^-1 ₂ mod q ..., s _m = (t _m -k _m e) H ^-1 _m mod q.

5. The first test BS A is formed, for which the following actions are performed.

.5.1. Form the vector BS R ', performing calculations by the formula

.

5.2. BS A is formed according to the formula A = f (R ', H), where f (R, H) is an expression defining the rule for calculating the number e and H = H ₁ || H ₂ || ... || H _z , where z = m.

6. A second test BS B is formed by copying the BS e, i.e. by the formula B = e.

7. Compare test BS A and B.

The comparison shows that the parameters of the test BS A and B are the same, on the basis of which they conclude that the digital signature is authentic. The fact that when checking the digital signature generated by the procedure for generating the digital signature using the correct secret key, in step 7, the matching parameters of the test BS will be proved as follows. Substitute in the formula,

by which the BS vector R 'is formed (see clause 5.1), the BS values s ₁ , s ₂ , ..., s _m obtained by the formulas given in clause 4.4. As a result, we get

Thus, the correctness of the EDS authentication procedure is proved.

The sequence of actions for forming and verifying the authenticity of the digital signature verifying the ED described in Example 7 can also be performed for the case when the BSs are polynomials. Moreover, the multiplication tables of basis vectors for a given value of dimension m are the same as above, except that the tensile coefficient ε in the case of the implementation of the inventive method using polynomials will be some predetermined polynomial that determines the specific form of the operation of multiplying the vectors of polynomials. The proof of the correctness of the EDS check procedure in the case when the BS vectors are polynomial vectors is the same as the above proof for the case of using BS vectors, which are MDC vectors. Particular examples of the implementation of the inventive method, similar to the examples described above 1-6, can also be implemented for the case of using computations over BS vectors, which are polynomial vectors. The operations of addition, multiplication and division of polynomials, as well as operations of multiplication and addition modulo an irreducible polynomial are widely described in the scientific and technical literature. The implementation of finite fields of polynomials and their main properties are also widely represented (see, for example, the books [Kurosh A.G. Course of Higher Algebra. - M .: Nauka, 1971. - 431 p.], [Kostrikin A. I. Introduction to Algebra. Fundamentals of Algebra. M.: Fizmatlit. 1994. - 320 p.], [A. Akritas. Fundamentals of computer algebra with applications. M.: Mir, 1994. - 544 p.] And [LB Schneperman. Algebra and Theory Course. numbers in tasks and exercises. - Minsk, "Higher School", 1986.- 272 p.]). Variants of constructing finite sets of polynomial vectors are considered in the work [N. Moldovyan Groups of vectors for electronic digital signature algorithms // Bulletin of St. Petersburg State University. Ser. 10.2008].

For practice, various options of values of dimension m of the BS vectors are of interest. The choice of the appropriate dimension m depends on the requirements of specific applications of the claimed method of forming and checking the digital signature. For example, when using 32-bit processors to perform calculations, of interest are simple values of dimension m = 5, m = 7, m = 11, and m = 13. With the hardware implementation in the form of specialized computing devices, high performance of the procedures for generating the digital signature verification can be achieved with the dimensions of the BS vectors m = 8, m = 9, m = 16, and m = 32. The highest performance in hardware implementation can be achieved by using the claimed method for the case of using vectors of binary polynomials as vectors BS. This is because the operations of addition and multiplication and binary polynomials in the finite fields of binary polynomials are most effective in terms of obtaining high performance and reducing the complexity of hardware implementation.

The above examples show the fundamental feasibility and correctness of the claimed method of forming and verifying the authenticity of the digital signature certifying the ED. Similarly, the inventive method is implemented using MDC vectors of dimension m = 4, m = 5, m = 6, etc. For example, the following multiplication tables of basis vectors can be used, in which the value of the tensile coefficient ε can be selected in the interval 0≤ε <p, where the number p is chosen so that the order value of the MDC vectors q is equal to a sufficiently large simple MDC, for example equal to the value of a simple MDC of bits 32, 40, 64, 80, 160, or 256 bits. The table of multiplication of basis vectors for specifying a group operation on four-dimensional MDC vectors (case m = 4) has the form of table 7.

The table for specifying the group operation on the six-dimensional MDC vectors (case m = 6) has the form of table 8. Computer programs have been developed that implement the operations of multiplying and raising to a large integer degree the MDC vectors having dimensions from m = 2 to m = 55 for each intermediate integer dimension value. Using these programs, the above examples were generated and it was found that similar examples of the implementation of the claimed method using MDC vectors of dimensions m = 7, m = 8, m = 11, m = 13, m = 16, m = 17, etc. also ensure the correctness of the EDS authentication procedure.

Multiplication tables of basis vectors defining group operations on vectors of arbitrary dimensions m are constructed according to the following general rule. Initially, an initial table is constructed, which does not include stretching factors, by sequentially writing rows of basis vectors so that each next row is obtained from the previous one by cyclic shift by one cell. The initial table of multiplication of basis vectors obtained in this way has a standard form for arbitrary values of the dimension of vectors, therefore it can be called typical (see the distribution of basis vectors in table 9). For a typical table and an arbitrary value of m, there are two simple and general options for setting the distribution of the tensile coefficient over the cells of the base vector multiplication table, which ensures the associativity and commutativity of the operation of the BS vector vector multiplication.

One of these options is to select a square consisting of all cells not in the first row or in the first row, and to introduce the tensile coefficient ε into the cells of this square located on the diagonal from the upper right corner to the lower left corner (each of of these cells contains the base vector e), as well as in all cells located above this diagonal. The second of these options is symmetrical to the first relative to the indicated diagonal (this diagonal is marked in gray in Table 9). The second distribution option is shown as the distribution of the coefficient µ, which is introduced into each cell of the diagonal containing the base vector e and all the cells located below this diagonal. Coefficients µ and ε can be assigned any value in the range from 0 to p-1. In this case, the operation of multiplying MDC vectors will have the properties of associativity and commutativity. The choice of specific values of the tensile coefficients determines the parameters of the groups of BS vectors and should be carried out with reference to the specific values of dimension m and number p used.

When implementing the inventive method using operations on vectors of polynomials of different dimensions m, multiplication tables of basis vectors are constructed according to the above general rule, except that in the case of polynomial vectors, the coefficients ε and μ are polynomials. When using groups of BS vectors having a relatively large dimension, the high cryptographic strength of the digital signature is ensured with a lower bit depth of the MDC, which are components of the MDC vectors. For example, with m = 16 and m = 32, the bit depth of these MDCs can be 64 and 32 bits, respectively, which allows to increase the speed of signature generation and verification procedures in software implementation to run programs that implement the claimed method on 64- and 32-bit microprocessors .

The above examples experimentally confirm the correctness of the implementation of the proposed method, which complements the above mathematical proofs of the correctness of the described specific implementations of the claimed method of forming and verifying an electronic digital signature verifying the ED.

Thus, it is shown that the inventive method can be the basis for stable systems of digital signature, providing increased productivity of devices and programs for the formation and verification of digital signature.

The above examples and mathematical justification show that the proposed method for generating and verifying the authenticity of the digital signature works correctly, is technically feasible and allows to achieve the formulated technical result.

Annex 1

Interpretation of the terms used in the description of the application

1. Binary digital electromagnetic signal - a sequence of bits in the form of zeros and ones.

2. Parameters of a binary digital electromagnetic signal: bit depth and order of single and zero bits.

3. The bit depth of a binary digital electromagnetic signal is the total number of its single and zero bits, for example, the number 10011 is 5-bit.

4. Bit string (BS) - a binary digital electromagnetic signal, presented in the form of a finite sequence of digits "0" and "1".

5. Electronic digital signature (EDS) - a binary digital electromagnetic signal, the parameters of which depend on the signed electronic document and on the secret key. EDS authentication is carried out using a public key, which depends on the secret key.

6. An electronic document (ED) is a binary digital electromagnetic signal, the parameters of which depend on the source document and how it is converted to electronic form.

7. Secret key - a binary digital electromagnetic signal used to generate a signature for a given electronic document. The secret key is represented, for example, in binary form as a sequence of digits "0" and "1".

8. Public key - a bit string, the parameters of which depend on the secret key and which is intended for authentication of a digital electronic signature.

9. The hash function of an electronic document is a binary digital electromagnetic signal, the parameters of which depend on the electronic document and the chosen method of its calculation. In EDS systems, it is believed that the hash function uniquely represents ED, since the used hash functions satisfy the requirement of collision stability, which means it is computationally impossible to find two different EDs that correspond to the same value of the hash function.

10. A multi-bit binary number (MDC) is a binary digital electromagnetic signal, interpreted as a binary number and represented as a sequence of digits "0" and "1".

11. The operation of raising a number S to a discrete power A modulo n is an operation performed on a finite set of natural numbers {0, 1, 2, ..., n-1}, including n numbers that are the remainders of dividing all kinds of integers by a number n; the result of the operations of addition, subtraction and multiplication modulo n is a number from the same set [Vinogradov IM Fundamentals of number theory. - M .: Nauka, 1972. - 167 p.]; the operation of raising a number S to a discrete power Z modulo n is defined as a Z-fold sequential multiplication modulo n of the number S by itself, i.e. as a result of this operation, the number W is also obtained that is less than or equal to the number n-1; even for very large numbers S, Z and n, there are effective algorithms for performing the operation of raising a discrete power modulo.

12. The exponent q modulo n of the number a, which is coprime with n, is the minimum of the numbers γ for which the condition a ^γ modn = 1 holds, that is q = min {γ ₁ , γ ₂ , ...} [I. Vinogradov Fundamentals of number theory. - M .: Nauka, 1972. - 167 p.].

13. The operation of dividing the integer A by an integer B modulo n is performed as the operation of multiplying modulo n the number A by an integer B ^-1 , which is the inverse of B modulo n.

14. The order of q modulo n of a is the exponent q modulo n of a.

15. A polynomial is a sequence of coefficients, such as multi-bit binary numbers (MDC). The operations of addition of polynomials and multiplication of polynomials are defined over polynomials, which are reduced to performing actions with coefficients of polynomials that are operands. Polynomials and the rules of action on them are discussed in detail in books [Kostrikin A.I. Introduction to Algebra. Fundamentals of Algebra. M .: Fizmatlit. 1994. - 320 p.] And [Kurosh A.G. Course of higher algebra. - M .: Nauka, 1971. - 431 p.]. In computing devices, polynomials are represented as a bit string in which each bit or each substring of bits of a fixed length is interpreted as one of the coefficients of the polynomial over which the operations of addition and multiplication of coefficients are defined.

16. An algebraic structure is a set of mathematical elements of some nature. As mathematical elements, for example, polynomials, MDCs, pairs of MDCs, pairs of polynomials, triples of MDCs, triples of polynomials, matrices of MDCs, matrices of polynomials, etc., over which mathematical actions (operations) are specified, can act. A mathematically algebraic structure is determined by specifying a specific set of mathematical elements and one or more operations performed on the elements.

17. An element of an algebraic structure is a single bit string or a set of several bit strings over which an algebraic operation is defined. When determining a specific type of algebraic structure, operations are determined on elements of the algebraic structure, which uniquely indicate the rules for interpretation and transformation of bit strings representing these elements. The transformations of bit strings implemented in computing devices correspond to operations performed on elements of a given algebraic structure.

18. A group is an algebraic structure (that is, many elements of different nature), on the elements of which one operation is defined and which, for a given operation, has a given set of properties: the operation is associative, the result of the operation on two elements is also an element of the same structure, there is a neutral element such that when performing an operation on it and some other element of a group, the result is element a. A detailed description of the groups is given in the books [A.G. Kurosh. Group theory. - M .: Nauka, 1967. - 648 p.] And [M.I. Kargapolov, Yu.I. Merzlyakov. Fundamentals of group theory. - M .: Science. Fizmatlit, 1996. - 287 p.]. An operation defined on group elements is called a group operation.

19. A ring is an algebraic structure (that is, a set of mathematical elements of nature), on the elements of which two operations are defined, one of which is called addition, and the second - multiplication. Moreover, for given operations, this algebraic structure has a given set of properties: addition and multiplication operations are associative and commutative, the multiplication operation is distributive with respect to the addition operation, and the result of each of these operations on two elements is also an element of the same structure. In addition, for addition, there is a neutral element, such that when performing an operation on it and some other element a of the group, the result is element a. A neutral element with respect to addition is called a zero element (or simply zero). A detailed description of the rings is given in the books [Kostrikin A.I. Introduction to Algebra. Fundamentals of Algebra. M .: Fizmatlit. 1994. - 320 p.] And [Kurosh A.G. Course of higher algebra. - M .: Nauka, 1971. - 431 p.].

20. A field is an algebraic structure (that is, a set of mathematical elements of various nature), on the elements of which two operations are defined, one of which is called addition, and the second - multiplication. Moreover, for given operations, this algebraic structure has a given set of properties: addition and multiplication operations are associative and commutative, the multiplication operation is distributive with respect to the addition operation, and the result of each of these operations on two elements is also an element of the same structure. Moreover, for each of these two operations there is a neutral element, such that when performing operations on it and some other element of the group a, the result is element a. The neutral element with respect to addition is called the zero element (or simply zero), and the neutral element with respect to multiplication is called the unit element (or simply unit). In addition, each non-zero element a can be associated with a single element a ^-1 , called the inverse element with respect to this element, such that the product a ^-1 a (and therefore aa ^-1 ) is equal to one. A detailed description of the fields is given in the books [A.I. Kostrikin. Introduction to Algebra. The basics of algebra. M .: Fizmatlit. 1994. - 320 p.] And [Kurosh A.G. Course of higher algebra. - M .: Nauka, 1971. - 431 p.].

для некоторого натурального значения n, где а - элемент данной группы, называемый генератором или образующим элементом циклической группы. Степень n означает, что над элементом а выполняются n последовательных операций, т.е. выполняются вычисления по формуле

(n раз), где «°» обозначает операцию, определенную над элементами группы.21. A cyclic group is a group, each element of which can be represented as

for some natural value n, where a is an element of a given group, called a generator or a generating element of a cyclic group. The degree n means that n consecutive operations are performed on element a, i.e. calculations are performed according to the formula

(n times), where “°” denotes the operation defined on the elements of the group.

для некоторого натурального значения n, где а - элемент данной подгруппы, называющийся генератором или образующим элементом циклической подгруппы.22. A cyclic subgroup of a group is a subgroup, each element of which can be represented as

for some natural value n, where a is an element of a given subgroup, called a generator or a generating element of a cyclic subgroup.

23. A vector is a collection of two or more elements of a given algebraic structure called components of a vector. The number of elements of an algebraic structure over which a vector is given is called the dimension of the vector.

24. The bit string vector (BS vector) is a set of two or more BSs, each of which represents a given algebraic structure. Bit strings are called the coordinates (or components) of the vector. The BS vector is written in various ways, the requirement for which is that they identify the position of the coordinates. For example, the BS vector can be written in the form (a ₁ , a ₂ , ..., a _m ), where m≥2 is the dimension of the BS vector, which means the number of coordinates (components) in the BS vector. As a separator, the sign of the operation defined over the coordinates (components) of the vector can be used, and then the coordinates (components) of the vector are identified by indicating a formal variable (at the beginning or at the end of the corresponding component) in the form of a letter of the Latin alphabet. A variable is called formal because it is not assigned any numerical value and it serves only to identify a specific position of the coordinate (component) of the BS vector, regardless of the sequence of its recording. So BS vectors Z ₁ = ae + bi + cj and Z ₂ = bi + ae + cj are considered equal, i.e. Z ₁ = Z ₂ . When using some private variable substitution tables, formal variables in the literature are sometimes called basis vectors, and vectors Z ₁ and Z ₂ are called vectors of m-dimensional space [L.B.Shneperman. A course in algebra and number theory in problems and exercises. - Minsk: Higher School, 1986. - 272 p.].

25. The vector of multi-bit binary numbers (MDC vectors) is a BS vector whose coordinates are MDC.

26. The dimension of the BS vector is the number of BS included in the BS vector as coordinates.

27. An elliptic curve (EC) is a collection of MDC pairs that satisfy a relation of the form

,

,

where the coefficients a and b and the module p determine a specific variant of EC. The operation of addition of MDC pairs and the operation of multiplying the MDC pair by an arbitrary integer are defined over EC. The indicated MDC pairs are written in the form (x, y), where x is called the abscissa of the point, and y is the ordinate. Operations defined on EC points are performed as operations on the coordinates of EC points. As a result, the MDC pair is calculated, which is the coordinates of the new point that is the result of the operation. EC points are called equal if both of their x and y coordinates are equal. A detailed description of EC can be found in widely available books: [B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M .: Hot line - Telecom, 2005 .-- 229 p. (see p. 97-130)].

28. The operation of adding two points A and B with coordinates (x _A , y _A ) and (x _B , y _B ), respectively, is performed according to the formulas:

и

,

and

,

, если точки А и В не равны, и

, если точки А и В равны.Where

if points A and B are not equal, and

if points A and B are equal.

29. The operation of multiplying point A by a natural number n is defined as the multiple addition of point A:

nA = A + A + ... + A (n times).

The result of multiplying any EC point by zero determines a point called an infinitely distant point and denoted by the letter O. Two points A = (x, y) and -A = (x, -y) are called opposite. Multiplication by a negative integer -n is defined as follows: (-n) A = n (-A). By definition, it is assumed that the sum of two opposite points is equal to the infinitely distant point O [B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information security. M .: Hot line - Telecom, 2005 .-- 229 p. (see p. 97-130)].

30. Operations on EC points are performed in computing devices as actions on binary digital electromagnetic signals, carried out according to certain rules determined through operations on MDC.

31. The order of the point A EC is the smallest positive integer q such that qA = O, that is, such that the result of multiplying point A by q is an infinitely distant point.

Claims (8)

1. A method for generating and verifying the authenticity of an electronic digital signature certifying an electronic document, which consists in generating a secret key in the form of at least one bit string, using the secret key as the public key Y in the form of more than one bit string, accept an electronic document represented by the bit lines H ₁ , H ₂ , ..., H _z , where z≥1, depending on the received electronic document and the value of the secret key, form an electronic digital signature Q in the form of a multidigit binary x numbers e, s ₁ , s ₂ , ..., s _u , where 1≤u≤8, depending on the public key, received electronic document and digital signature, form the first A and second B check bit strings, compare them and if they match their parameters conclude the authenticity of the electronic digital signature, characterized in that the public key Y is formed in the form of an m-dimensional, where 2≤m≤64, vector by generating m-dimensional vectors G ₁ , G ₂ , ..., G _u , coordinates each of which are bit strings with a bit capacity of r, where 16≤r≤512, generating a secret key in the form of many bit binary numbers k ₁ , k ₂ , ..., k _u and public key generation Y according to the formula

where is the sign

denotes the operation of multiplying vectors. 2. The method according to claim 1, characterized in that the public key Y is formed in the form of m-dimensional, where 2≤m≤64, vector of multi-bit binary numbers by generating m-dimensional vectors of multi-bit binary numbers G ₁ , G ₂ , ..., G _u , the coordinates of each of which are multi-bit binary numbers of bit capacity r, where 1≤r≤512, generating a secret key in the form of multi-bit binary numbers k ₁ , k ₂ , ..., k _u and generating a public key Y by the formula

where is the sign

denotes the operation of multiplying the vectors of multi-bit binary numbers. 3. The method according to claim 1, characterized in that the public key Y is formed in the form of m-dimensional, where 2≤m≤64, vector polynomials by generating m-dimensional vectors of polynomials G ₁ , G ₂ , ..., G _u , coordinates each of which are polynomials of bit capacity r, where 1≤r≤512, generating a secret key in the form of multi-bit binary numbers k ₁ , k ₂ , ..., k _u and generating a public key Y according to the formula

where is the sign

denotes the operation of multiplying the vectors of polynomials. 4. The method according to claim 1, characterized in that the public key Y is formed in the form of an m-dimensional, where m = 2, vector by generating m-dimensional vectors G ₁ and G ₂ having the order equal to a simple multi-bit binary number q, generating a secret key in the form of multi-bit binary numbers k ₁ and k ₂ and generating a public key Y according to the formula

receive an electronic document represented by a bit string H ₁ , and an electronic digital signature is formed in the form of three multi-bit binary numbers e, s ₁ and s ₂ , for which random multi-bit binary numbers t ₁ and t ₂ are generated, a vector R is generated by the formula

then, depending on R and H ₁ , the first multi-bit binary number e of the electronic digital signature is formed according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating the multi-bit binary number e, then depending on the secret key, a pair of multi-bit binary numbers s ₁ and s _{2 of an} electronic digital signature is generated according to the formulas s ₁ = (t ₁ -k ₁ e) modq and s ₂ = (t ₂ -k ₂ e) modq, after which the first and the second check bit strings A and B according to the formulas A = f (R ', H ₁ ) and B = e, where the vector R' is calculated by the formula

. 5. The method according to claim 1, characterized in that the public key Y is formed in the form of an m-dimensional, where m = 3, vector by generating m-dimensional vectors G ₁ , G ₂ and G ₃ having an order equal to a simple multi-bit binary the number q, generating a secret key in the form of multi-bit binary numbers k ₁ , k ₂ and k ₃ and generating a public key Y by the formula

receive an electronic document represented by a bit string H ₁ , and an electronic digital signature is formed in the form of four bit strings e, s ₁ , s ₂ , and s ₃ , for which random multi-bit binary numbers t ₁ , t ₂ and t ₃ are generated, a vector is generated R by the formula

then, depending on R and H ₁ , the first multi-bit binary number e of the electronic digital signature is formed according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating the multi-bit binary number e, then in depending on the secret key, a triple of multi-bit binary numbers s ₁ , s ₂ and s _{3 of} electronic digital signature are generated according to the formulas s ₁ = (t ₁ -k ₁ e) modq, s ₂ = (t ₂ -k ₂ e) modq and s ₃ = (t ₃ -k ₃ e) modq, after which the first and second check bit strings A and B are formed using the formulas A = f (R ', H ₁ ) and B = e, where the vector R' is calculated by the formula

6. The method according to claim 1, characterized in that the public key Y is formed in the form of an m-dimensional, where m = 5, vector by generating m-dimensional vectors G ₁ and G ₂ having orders equal to multi-bit binary numbers q ₁ and q _2, respectively, generating a secret key in the form of multi-bit binary numbers k ₁ and k ₂ and generating a public key Y according to the formula

receive an electronic document represented by a bit string H ₁ , and an electronic digital signature is formed in the form of three multi-bit binary numbers e, s ₁ and s ₂ , for which random multi-bit binary numbers t ₁ and t ₂ are generated, a vector R is generated by the formula

then, depending on R and H ₁ , the first multi-bit binary number e of the electronic digital signature is formed according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining the rule for calculating the number e, then depending on the secret key generate a pair of multi-bit binary numbers s ₁ and s ₂ electronic digital signature according to the formulas s ₁ = (t ₁ -k ₁ e) modq ₁ and s ₂ = (t ₂ -k ₂ e) modq ₂ , and then form the first and the second check bit strings A and B according to the formulas A = f (R ', H ₁ ) and B = e, where the vector R' is calculated by the formula

7. The method according to claim 1, characterized in that the public key Y is formed in the form of an m-dimensional, where m = 3, vector by generating an m-dimensional vector G ₁ having an order equal to a multi-bit binary number q, generating a secret key in in the form of a multi-bit binary number k ₁ and public key generation Y according to the formula

receive an electronic document represented by a bit string H ₁ , and an electronic digital signature is formed in the form of two multi-bit binary numbers e and s ₁ , for which a random multi-bit binary number t is generated, a vector R is generated by the formula R = G ', then depending on R and H ₁ form the first multi-bit binary number e of an electronic digital signature according to the formula e = f (R, H ₁ ), where f (R, H ₁ ) is an expression defining a rule for calculating the number e, then, depending on the secret key, a second a digit binary number s ₁ e th digital signature according to the formula s ₁ = (t + k ₁ e) modq, and then forming the first and second parity bit strings A and B according to the formulas A = f (R ', H ₁₎ and B = e, where the vector R' calculated by the formula

. 8. The method according to claim 1, characterized in that the public key Y is formed in the form of an m-dimensional, where 2≤m≤8, a vector by generating m-dimensional vectors G ₁ , G ₂ , ..., G _m having order, equal to a simple multi-bit binary number q, generating a secret key in the form of multi-bit binary numbers k ₁ , k ₂ , ..., k _m and generating a public key Y by the formula

receive an electronic document represented by the bit strings H ₁ , H ₂ , ..., H _m , and the electronic digital signature is formed as a combination of multi-bit binary numbers e, s ₁ , s ₂ , ..., s _m , for which random multi-bit binary numbers t are generated ₁ , t ₂ , ..., t _m , generate a vector R according to the formula

, then, depending on R, the first multi-bit binary number e of the electronic digital signature is formed by the formula e = f (R, H), where f (R, H) is an expression defining the rule for calculating the number e, and H = H ₁ || H ₂ || ... || H _m , where the sign || denotes a concatenation operation, then, depending on the secret key, m multi-bit binary numbers s ₁ , s ₂ , ..., s _{m of an} electronic digital signature are generated according to the formulas

,

, ...,

and then the first and second test bit strings A and B are formed using the formulas A = f (R ', H) and B = e, where the vector R' is calculated by the formula