RU2809528C2 - Post-quantum method of generating and verifying authenticity of electronic digital signature certifying electronic document - Google Patents

Abstract

FIELD: electronic signatures.

SUBSTANCE: invention relates to methods for verifying an electronic signature (EDS). Post-quantum method of generating and verifying the authenticity of digital signatures: generate an m-dimensional finite non-commutative associative algebra, where m≥4, generate a secret key, including a set of m-dimensional vectors as its elements, from which a public key is formed in the form of a set of m-dimensional vectors, receive an electronic document represented by a multi-bit bit string M, depending on the received electronic document and the value of the secret key, an electronic signature is formed, including an m-dimensional vector S, depending on the public key, the received electronic document M and the digital signature performs the electronic digital signature verification procedure, including performing operations of multiplying m-dimensional vectors, raising m-dimensional vectors to the power of a multi-digit binary number and comparison, and generate a result for verifying the authenticity of an electronic digital signature, characterized in that they perform an electronic digital signature verification procedure, including the implementation of operations according to a mathematical formula in the form of equality with k≥2 occurrences of the m-dimensional vector S.

EFFECT: increase in the performance of post-quantum digital signature algorithms without reducing their level of resistance.

1 cl, 8 tbl

Description

The invention relates to the field of telecommunications and computer technology, and more specifically to the field of cryptographic methods for authenticating electronic messages transmitted over telecommunication networks and computer networks, and can be used in systems for transmitting electronic messages (documents), certified by an electronic digital signature (EDS), represented by for example, as a multi-bit binary number (MDN) or a set of MBNs. Hereinafter, MFC is understood as an electromagnetic signal in binary digital form, the parameters of which are: the number of bits and the order of their one and zero values ¹⁾ . ( ¹⁾ the interpretation of the terms used in the description is given in Appendix 1.)

There is a known method for generating and verifying digital signatures, proposed in the article [Rivest R., Shamir A., Adleman A. A method for Obtaining Digital Signatures and Public-Key Cryptosystems // Communication of the ACM. 1978. V. 21. No. 2. P. 120-126], also described in detail in the book [Moldovyan N.A. Theoretical minimum and digital signature algorithms. - St. Petersburg, BHV-Petersburg, 2010. - p. 63-64]. The known method consists of the following sequence of actions:

generate a secret key in the form of three MDCHs p, q and d, where p and q are prime numbers,

form a public key (n, e) in the form of a pair of MDCHs n and e, where n is a number representing the product of two simple MDCHs p and q, and e is a MDCH that satisfies the condition ed=1 mod (p-1)(q- 1), accept the electronic document (ED) submitted by MDCH M;

depending on the value of M and the value of the secret key, an electronic digital signature is formed in the form of a digital signature S=M ^d mod n;

depending on the public key and the electronic signature M, the digital signature verification procedure is performed, including calculating the MDC M' using the formula M'=S ^e mod n and comparing the MDC M' and M;

if M'=M, then a conclusion is drawn about the authenticity of the digital signature, and if M'≠M, then a conclusion is drawn about the falsity of the digital signature.

The disadvantage of this known method is the relatively large size of the digital signature and the need to increase the size of the digital signature when developing new, more efficient methods for factoring the number n or when the productivity of modern computing devices increases. This is explained by the fact that the durability of the digital signature in this method is determined by the complexity of decomposing the module n into factors p and q.

There is also a known method for generating and verifying the authenticity of El-Gamal’s digital signature, described in the article [ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms // IEEE Transactions on Information Theory, 1985, vol. IT-31, no. 4, pp. 469-472.] and in the book [Moldovyan N.A. Theoretical minimum and digital signature algorithms. - St. Petersburg, BHV-Petersburg, 2010. - p. 79], which includes the following steps:

form a simple MDCH p and a binary number G, which is a primitive root modulo p, generate a secret key in the form of MDCH x, depending on the secret key, form a public key in the form of MDCH Y=G ^x mod p, accept the ED presented in the form of MDCH M , depending on M and the secret key, an electronic digital signature is formed in the form of two MDCHs S and R;

carry out a procedure for verifying the authenticity of the digital signature, including calculating two control parameters using the original MDCs p, G, Y, M and S by raising the MDCs G, Y, R to a discrete power modulo p and comparing the calculated control parameters;

If the values of the control parameters match, a conclusion is drawn about the authenticity of the digital signature.

The disadvantage of this method is also the relatively large size of the digital signature. This is explained by the fact that to obtain an acceptable level of resistance, it is necessary to use a 2048-bit MDC p, and the values of digital signature elements S and R are calculated by performing arithmetic operations modulo p - 1 and modulo p, respectively, i.e. each of the S and R MDCHs has a width of about 2048 bits.

There is also a known method for generating and verifying digital signatures, proposed in the article [Schnorr S.P. Efficient signature generation by smart cards // J. Cryptology. 1991. V. 4. No. 3. P. 161-174] and also described in the book [Moldovyan N.A. Theoretical minimum and digital signature algorithms. - St. Petersburg, BHV-Petersburg, 2010. - p. 83]. The known method consists of the following sequence of actions:

form a simple MDCh p, such that p=Nq+1, where q is a simple MDCh;

form a simple MDCh a, such that a≠1 and a ^q mod p=1;

by generating a random equiprobable sequence, a secret key is formed in the form of MCH x;

form a public key in the form of the MDCH y using the formula y=a ^x mod p;

accept the ED presented by MDCH M;

form an electronic digital signature in the form of a pair of MDC (e, s), for which a random MDC t is generated, form a MDC R using the formula R=a ^t mod p, form a MDC e=ƒ _H (M||R), where ƒ _H is some specified a hash function whose value has a fixed length (typically 160 bits to 512 bits), regardless of the size of the argument, i.e. on the bit string size M||R, and the sign || denotes the operation of joining (concatenating) two bit strings M and R, and then forming the MDCH s according to the formula s=(t-ex) mod q;

a control MFC e' is formed, for which the MFC R' is generated according to the formula R'=a ^s y ^e mod p and the MFC e'=ƒ(M||R') is generated;

compare the generated control MDC e' and MDC e;

if the parameters of the compared MDCs e' and e coincide, a conclusion is drawn about the authenticity of the digital signature.

The disadvantage of this method, based on the computational difficulty of solving the discrete logarithm problem (calculating the unknown x from the equation y = a ^x mod p for given values of y, a and p), is that it does not provide resistance to quantum attacks, i.e. to attacks using quantum computers, for which effective polynomial-time algorithms for solving the discrete logarithm problem and the factorization problem are known (see the article [Shor PW Polynomial-time algorithms for prime factorization and discrete logarithms on quantum computer // SIAM Journal of Computing. 1997. V 26. P. 1484-1509]).

The closest in its technical essence to the stated one is the well-known post-quantum method of generating and verifying the authenticity of an electronic digital signature, proposed in the article [Moldovyan N.A., Moldovyan A.A. Candidate for practical post-quantum signature scheme // Bulletin of St. Petersburg University. Applied Mathematics. Computer science. Management processes. 2020. T. 16. Issue. 4. pp. 455-461. https://doi.org/10.21638/11701/spbu10.2020.410], according to which

generate a four-dimensional finite non-commutative associative algebra by generating a prime p=2q+1, where q is a 256-bit prime, and generating a multiplication table of basis vectors defining a non-commutative associative multiplication operation of four-dimensional vectors whose coordinates are elements of the simple finite field GF(p ), i.e. numbers from the set {0, 1, 2…, p-1};

generate a secret key in the form of a set of four-dimensional vectors G, Q, J, A ₁ , A ₂ , B ₁ , B ₂ , W and MDCH x and w, satisfying the conditions GQ=QG, JG=GJ, A ₂ =A ₁ Q ^w , A ₁ B ₁ ≠B ₁ A ₁ , A ₁ G≠GA ₁ , B ₁ G≠GB ₁ , A ₂ B ₂ ≠B ₂ A ₂ , A ₂ G≠GA ₂ and B ₂ G≠GB ₂ ;

using the secret key, a public key is formed in the form of a set of four-dimensional vectors U ₁ , Y ₁ , Z ₁ , U ₂ , Y ₂ and Z ₂ , calculated by the formulas U ₁ =A ₁ G ^x B ₁ ^-1 , Y ₁ =B ₁ GB ₁ ^-1 , Z ₁ =B ₁ QA ₁ ^-1 , U ₂ =A ₂ J ^x B ₂ ^-1 , Y ₂ =B ₂ JB ₂ ^-1 , Z ₂ =B ₂ QA ₂ ^-1 ;

receive ED represented by a multi-bit bit string M;

depending on the received ED and the value of the secret key, an electronic digital signature is formed in the form of two MDCh e and s and a four-dimensional vector S, for which a random MDCh k<q and a random four-dimensional vector K are generated, vectors R ₁ and R ₂ are calculated using the formulas R ₁ = A ₁ G ^k K and R ₂ =A ₂ J ^k W ^-1 K, calculate the hash function value ƒ _H from the ED M and the vectors R ₁ and R ₂ attached to it, i.e. calculate the value of the MFC e=ƒ _H (M||R ₁ ||R ₂ ), where the sign || denotes the operation of concatenation (attachment), calculate the MDCH s as a solution to the quadratic equation es ² +xs=k mod q, calculate the vector S using the formula S=A ₁ Q ^-s K;

depending on the public key accepted by the digital signature and digital signature, the digital signature verification procedure is performed, including the execution of operations whose operands are the elements of the public key, the elements of the digital signature and the digital signature, depending on the digital signature elements e and s (namely, the digital signature equal to the product es), and in During the EDS verification procedure, two control vectors R ₁ ' and R ₂ ' are calculated using the formulas R ₁ '=(U ₁ Y ₁ ^es Z ₁ ) ^s S and R ₂ '=(U ₂ Y ₂ ^es Z ₂ ) ^s S (duplicating the operations of exponentiation of the MDCH with the same values of the degree es and s is necessary to eliminate the possibility of forging the digital signature using the vector S as an adjustable parameter) and calculating the hash function value ƒ _H from the ED and the vectors R ₁ ' and R ₂ attached to it ', i.e. calculating the control MFC e _K =ƒ _H (M, R ₁ ', R ₂ '), after which the control MFC e _K and MFC e are compared;

form a result for verifying the authenticity of the digital signature, namely, when the equality e _K =e is satisfied, they conclude that the digital signature is genuine, and when the inequality e _K ≠e is satisfied, they conclude that the digital signature is false.

The disadvantage of the closest analogue is the relatively low productivity of digital signature generation and verification procedures. This drawback is associated with the relatively large capacity of the simple MFC p and q used, due to the fact that the stability of the closest analogue is based on the computational complexity of the hidden problem of discrete logarithm [Moldovyan A.A., Moldovyan D.N. Post-quantum electronic digital signature scheme based on the hidden problem of discrete logarithm in four-dimensional finite algebra // Issues of information protection. 2019. No. 2. pp. 18-22]. In this case, an additional decrease in the productivity of these procedures is due to the fact that with a probability of 0.5, the digital signature generation procedure must be repeated until random values of e and k are obtained, at which the quadratic equation es ² +xs=k mod q with an unknown value s will be have solutions, and the digital signature verification procedure uses four exponentiation operations.

The purpose of the invention is to develop a post-quantum method for generating and verifying the authenticity of an electronic signature certifying an electronic signature, which provides a significant increase in the productivity of digital signature generation and verification procedures due to the fact that it is possible to use (as an algebraic carrier) a finite non-commutative associative algebra defined over the field GF(p ), where p=2q+1 with a simple MFC q, the bit depth of which is significantly less than 256 bits, while ensuring high resistance to quantum attacks, achieved by the fact that the basis of the claimed method is the computational difficulty of solving a system of many quadratic equations with many unknowns, t .e. computational difficulty of a problem for which a quantum computer is ineffective [Shuaiting Q., Wenbao H., Yifa Li, Luyao J. Construction of Extended Multivariate Public Key Cryptosystems // International Journal of Network Security. 2016. Vol. 18. N. 1. P. 60-67] (see also [Jintai D., Dieter S. Multivariable Public Key Cryptosystems (2004) https://eprint.iacr.org/2004/350.pdf]). This ensures the possibility of using m-dimensional finite non-commutative associative algebras defined over the field GF(2 ^z ) of characteristic two as an algebraic carrier, in which the multiplication operation has a significantly lower computational complexity compared to the case of using algebras defined over a simple field GF (p) with the same bit depth of MDC 2 ^z and p. In addition, the possibility of repeating the digital signature generation procedure is eliminated and the possibility of performing the digital signature verification procedure, which includes less than four operations of raising the MDC to a power, is ensured.

This goal is achieved by the fact that in the well-known post-quantum method of generating and verifying the authenticity of an electronic signature certifying an ED, which consists in the fact that

generate an m-dimensional finite non-commutative associative algebra, where m≥4, generate a secret key, including a set of m-dimensional vectors as its elements, use the secret key to form a public key in the form of a set of m-dimensional vectors, receive an ED represented by a multi-bit bit string M, depending on the received ED and the value of the secret key, an electronic signature is formed, including an m-dimensional vector S, depending on the public key accepted by the ED M and the digital signature, the electronic signature verification procedure is performed, including performing the operations of multiplying m-dimensional vectors, constructing m- dimensional vectors to the degree of MDC and comparison, and form the result of verifying the authenticity of the digital signature,

what is new is that they perform an electronic digital signature verification procedure, which includes performing operations using a mathematical formula in the form of equality with k≥2 occurrences of the m-dimensional vector S.

The implementation of the electronic digital signature verification procedure, which includes performing operations according to a mathematical formula in the form of equality with k≥2 occurrences of the m-dimensional vector S as a multiplier, written over a finite non-commutative algebra, determines that the post-quantum stability of the claimed method is based on the computational difficulty of solving systems of many quadratic equations with many unknowns, due to which, at a given level of resistance, simple MFC p and q with a significantly lower bit value can be used, which leads to a significant increase in the productivity of digital signature generation and verification procedures. At the same time, protection against digital signature forgery is provided using the m-dimensional vector S as a fitting parameter without duplicating the operations of exponentiation of the MDC at the same degree value, thereby further increasing the performance of the digital signature verification procedure.

What is also new is that the secret key is generated in the form of a set of m-dimensional vectors A, B, D, G, H, G _x , G _u and H _w , MDC x, w and u by generating random multi-bit binary numbers x, w and u and random m-dimensional vectors A, B, D, G and H, satisfying the conditions AB≠BA, AD≠DA, AG≠GA, DB≠BD, BG≠GB, DG≠GD and GH=HG, and calculations of m-dimensional vectors G _x , G _u and H _w using the formulas G _x =G ^x , G _u =G ^u and H _w =H ^w , form a public key in the form of a set of m-dimensional vectors Y ₁ , Z ₁ , Y ₂ , Z ₂ and P by performing calculations using the formulas Y ₁ =AGB, Z ₁ =DHA ^-1 , Y ₂ =AH _w B, Z ₂ =DG _x A ^-1 and P=AG _u HA ^-1 , depending on of the received ED and the value of the secret key, an electronic digital signature is formed in the form of an m-dimensional vector S, the electronic digital signature verification procedure is performed, including the generation, depending on the accepted ED M, of multi-bit binary numbers h ₁ , h ₂ , and h ₃ , performing calculations according to the formula with k=2 occurrences of an m-dimensional vector S, implemented as the calculation of control m-dimensional vectors And and comparison of control m-dimensional vectors K _L and K _R , and form a result for verifying the authenticity of the digital signature in the form of a conclusion about the authenticity of the digital signature, if K _L =K _R , or about the falsehood of the digital signature, if K _L ≠K _R .

What is also new is that the secret key is generated in the form of a set of m-dimensional vectors A, B, D, G, H, G _x , H _w , G _i and H _j by generating random multi-bit binary numbers x, w, i, and j and random m-dimensional vectors A, B, D, F, G and H, where the order of the vectors is equal to the simple MD q, satisfying the conditions AB≠BA, AD≠DA, AF≠FA, AG≠GA, BD≠DB, ≠FB, BG≠GB, DF≠FD, DG≠GD, FG≠GF and GH=HG, and calculations of m-dimensional vectors G _x , H _w , G _i and H _j using the formulas G _x =G ^x , H _w =H ^w , G _j =G ^j and H _i =H ⁱ , form a public key in the form of a set of m-dimensional vectors Y ₁ , Z ₁ , Y ₂ , Z ₂ , Y ₃ and Z ₃ by performing calculations using the formulas Y ₁ =AGB, Z ₁ =DHA ^-1 , Y ₂ =FH _w B, Z ₂ =DG _x F ^-1 , Y ₃ =AH _i D ^-1 and Z ₃ =B ^-1 G _j F ^-1 , form an electronic signature in in the form of a MDR e and an m-dimensional vector S, for which random MDR k and t are generated, the vector R=AG ^k H ^t F ^-1 and MDR e=e ₁ ||e ₂ =ƒ _H (M||R) are calculated, where ƒ _H is a collision-resistant hash function and e ₁ and e ₂ are the MDC having the same bit depth, calculate the MDC n and d using the formulas And calculate the vector S using the formula S=B ^-l G ⁿ H ^d D ^-1 , perform the electronic digital signature verification procedure, including calculating the control m-dimensional vector R _K using the formula with k=3 occurrences of the m-dimensional vector S, calculating the control MDP e _K =ƒ _H (M||R _K ) and comparing the MDP e _K and e, and forming the result of verifying the authenticity of the digital signature in the form of a conclusion about the authenticity of the digital signature, if e _K =е, or about the falsity of the digital signature if e _K ≠е.

What is also new is that the secret key is generated in the form of a set of m-dimensional vectors A, B, G, G _x and H by generating a random MDCH x and random m-dimensional vectors A, B, G and H, where the order of the vectors is a simple MDCh q satisfying the conditions AB≠BA, AG≠GA, BG≠GB and GH=HG, and calculating the m-dimensional vector G _x using the formula G _x =G ^x , a public key is formed in the form of a set of m-dimensional vectors Y, Z and U by performing calculations according to the formulas Y=AGB, Z=AG _x B, U=ANB, depending on the accepted digital signature M and the secret key, an electronic signature is formed in the form of an MDC e and an m-dimensional vector S, and a digital signature verification procedure is performed, including calculation of the control m-dimensional vector R _K using the formula with k=4 entries of the m-dimensional vector S and calculating the control MDP e _K =ƒ _H (M||R _K ), comparing the MDP e _K and e, and forming the result of verifying the authenticity of the digital signature in the form of a conclusion about the authenticity of the digital signature, if e _K =е, or about the falsity of the digital signature if e _K ≠е.

The ability to calculate an m-dimensional vector S that satisfies a mathematical formula in the form of equality with multiple (k≥2) occurrences of an m-dimensional vector S written over KNAA with a non-commutative multiplication operation is ensured due to the fact that knowledge of the secret key associated with the public key , allows us to reduce the equality written over the KNAA to the equality written over some hidden (secret) commutative group contained in the KNAA. Moreover, such a reduction requires the use of secret vectors (which are elements of the secret key), therefore, digital signature forgery (formation of a digital signature without knowledge of the secret key) requires the calculation of vectors that satisfy a set of vector equations specified by a set of mathematical formulas by which the public key is calculated from the secret key, and permutability of secret vectors chosen from the hidden commutative group. In this case, the resulting vector equations contain products of pairs of unknown vectors, i.e. they are square. Thus, forgery of digital signature requires solving systems of quadratic vector equations, which reduce to solving systems of many quadratic equations with many unknowns, written over a finite field over which a KNAA is specified, used as an algebraic carrier for implementing a specific version of the claimed method. The use of a quantum computer to solve such systems of equations is ineffective, which ensures the post-quantum stability of the claimed method.

In the claimed method, what is important is the k-fold occurrence of the vector S in the mathematical formula in the form of an equality, which specifies the set and order of multiplication and exponentiation operations performed. Also important is the use of non-commutative finite associative algebra. It is the property of non-commutativity of the multiplication operation that eliminates the possibility of simplifying a formula with two or more occurrences of the vector S and reducing it to a formula with a single occurrence of the vector S in the form of a multiplier S ^b , where b is some MDCh. In the case of using commutative associative algebras to implement the claimed method, the specified reduction is easily carried out, therefore, to implement the claimed method it is necessary to use non-commutative finite associative algebras as the algebraic carrier of the claimed method. The associativity property provides the ability to quickly perform the operation of exponentiation of the MFC with a capacity of up to 500 bits or more.

In the claimed post-quantum method for generating and verifying the authenticity of an electronic signature certifying an ED, an m-dimensional finite non-commutative associative algebra (CNAA) is generated by generating parameters that define a set of m-dimensional vectors as elements of the CNAA and the operation of vector multiplication. The term “m-dimensional finite algebra” means an m-dimensional finite vector space in which, in addition to the operation of vector addition, the operation of vector multiplication is defined, which has the properties of being closed and distributive to the left and right with respect to the addition operation. Let an m-dimensional vector space be given, which is defined over some finite field . To implement the claimed method as a field you can use, for example, a simple finite field GF(p) or a field GF(2 ^z ), which is an extension of the power z of the binary field GF(2). We will write some m-dimensional vector A as an ordered set of field elements , called vector coordinates: A = (a ₀ , a ₁ , ..., a _m-1 ). In some cases, it is more convenient to represent the vector as the following sum where e _i are formal basis vectors; a _i e _i - one-dimensional components of vector A; a _i ∈ - vector coordinates; the expression a _i e _i can be considered as multiplying the scalar a _i by the vector e _i . Vector space (see p. 12 in the book [Kostrikin A.I. Introduction to algebra. Part 2. Linear algebra. - M., FIZMATLIT, 2001. - 367 pp.]) with an additionally specified operation of multiplication of an arbitrary pair of vectors, distributive on the left and on the right with respect to the operation of addition and possessing the property of closure is called an algebra.

Vector multiplication operation And is defined as the multiplication of each component of vector A with each component of vector B, performed in accordance with the following formula:

in which the coordinates are multiplied as field elements and all products of pairs of basis vectors are replaced by single-component vectors. Namely, each of the products e _i e _j is replaced by a certain vector λe _h selected from a specially developed multiplication table of basis vectors (TBM). In the case of λ=1, the basis vector e _h is indicated in the TUBV. If the value of λ is not equal to the field unit , then it is called a structure constant. The choice of values of λe _h is carried out as follows. In the product e _i e _j, the first (left) operand indicates the row, and the second (right) - the column, at the intersection of which we obtain a cell containing the required value λe _h .

To define associative algebra, a TUBV is developed, which defines a multiplication operation that has the property of associativity, i.e. such a multiplication operation for which for all possible triplets of vectors A, B and C the following equality holds:

(AB)C=A(BC).

If the equality AB=BA holds for an arbitrary pair of vectors A and B, the multiplication operation and the specified algebra are called commutative, otherwise - non-commutative. In the latter case we have KNAA. The associativity property of multiplication is ensured if the TUBV, by which the operation of vector multiplication is specified, for all possible triplets of basis vectors e _i , e _j and e _k ensures the feasibility of the equality (e _i e _j )e _k =e _i (e _j e _k ).

For even values of dimension m>2, various partial TUBVs have been developed that define m-dimensional KNAA containing a certain vector E for which the condition EV=VE=V is satisfied for each vector V. Vector E is called a global two-sided unit. For KNAA elements with a global unit, the concept of reversibility is introduced. A vector V is called reversible, for which there is an inverse vector, denoted as V ^-1 , for which the condition VV ^-1 =V ^-1 V=E is satisfied. The inverse vector is easily calculated by solving the vector equation VX=E with an unknown vector X, which, using TUBV, reduces to solving a system of m linear equations with m unknowns (coordinates of the vector X) in a finite field .

It is necessary to distinguish between the operation of vector multiplication, for which both operands are vectors, and the operation of scalar vector multiplication, for which one operand is a field element , and the second is a vector. For example, scalar multiplication of a vector V by a scalar σ ∈ can be performed as multiplying each coordinate of the vector V by σ. The same result will be obtained if we multiply the vectors V and σE, therefore vectors of the form σE for all possible values of σ ∈ we will call them scalar vectors.

In the article [Moldovyan D.N. Definition of six-dimensional algebras as carriers of cryptoschemes based on the hidden problem of discrete logarithm // Issues of information security. 2021. No. 1. pp. 26-32. DOI: 10.52190/2073-2600_2021_1_26] sparse TUBVs are considered, presented in Tables 1-4, which define various four-dimensional KNAA. Specifying the multiplication operation using decimated TUBVs provides a significant reduction in the computational complexity of the vector multiplication operation, and hence the exponentiation operation. Another option for specifying a four-dimensional KNAA in the form of a table. 5 is presented in the article [Moldovyan A.A., Moldovyan N.A. Post-quantum signature algorithms based on the hidden discrete logarithm problem // Computer Science Journal of Moldova. 2018. Vol. 26, N. 3(78). P. 301-313].

In the article [N.A. Moldovyan, Unified Method for Defining Finite Associative Algebras of Arbitrary Even Dimensions, Quasigroups and Related Systems. 2018. vol. 26, no. 2. P. 263-270], a unified method for specifying KNAA of arbitrary even dimensions m>4 is proposed, using which it is easy to construct TUBV for six-dimensional (Table 6) and eight-dimensional (Table 7) KNAA.

Each of the tables 1-7 can be used to specify a KNAA over a simple finite field GF(p) or a finite field GF(2 ^z ). In the first case, the coordinates of the vectors are the elements of the set of MDCHs {0, 1, 2, ..., p-1} and when performing the operation of vector multiplication on the coordinates, the operations of addition and multiplication modulo p are performed. In the second case, the coordinates of the vectors are the elements of the set of all binary polynomials of degree z-1, which are written in the form of all possible z-bit strings, and when performing a vector multiplication operation on the coordinates, the operations of bitwise addition modulo two and multiplication modulo an irreducible binary polynomial of degree z are performed .

In the claimed method, a secret key is generated, including a set of m-dimensional vectors, some of which are pairwise permutable. To generate these elements of the secret key, for example, a basis <G, H> is generated, forming a commutative primary group of order q ² , which includes two vectors G and H, the order of each of which is equal to the prime MDCH q. When defining a KNAA over the field GF(p), the presence in the KNAA of a large number of such groups is ensured by using a simple MDCh p of the form p=2q+1, where q is also a constant MDCh. For example, the following simple MDFCs q are generated, which specify the generation of simple MDFCs p=2q+1:

1) 80-bit MDCH q=1041260943259690172052821,

2) 96-bit MDCH q=71907494709617529358502495579,

3) 128-bit MDCH q=304643710790881018612993287215112007979;

4) 160-bit MDC q=1443420272407352009010766274913970921515428178119.

5) 192-bit MDC q=5261472747218403390125581496192701306697287924851078249233.

When defining a KNAA over the field GF(2 ^z ), which is an extension of the degree z of the binary field GF(2), it should be taken into account that the order of the multiplicative group of the field GF(2 ^z ) is equal to the MDC q=2 ^z -1, the KNAA contains a large number of commutative groups, each of which is generated by a basis <G, Н>, including two vectors of order q, and has order q ² . Obtaining the MDP q, which is a prime number, is ensured by choosing z equal to the Mersenne degree, at which the MDP q=2 ^z -1 is prime. For example, the following powers of z specify the generation of simple MDFCs q=2 ^z -1:

1) with z=89 we have q=618970019642690137449562111,

2) with z=107 we have q=162259276829213363391578010288127,

3) with z=127 we have q=170141183460469231731687303715884105727,

4) with z=521 we have q=686479766013060971498190079908139321726943530014330540939446345918554318339765605212255964066145455497729631139 1480858037121987999716643812574028291115057151,

5) with z=607 we have q=531137992816767098689588206552468627329593117727031923199444138200403559860852242739162502265229285668889329486 246501015346579337652707239409519978766587351943831270835393219031728127.

For these values of the degree of expansion z in the field GF(2 ^z ), it is advisable to specify the multiplication operation modulo the following irreducible binary polynomials δ(x)=x ⁸⁹ +x ³⁸ +1 (z=89), δ(x)=x ¹⁰⁷ +x ⁹ +x ⁷ +x ⁴ +1 (z=107), δ(x)=x ¹²⁷ +x+1 (z=127), δ(x)=x ⁵²¹ +x ³² +1 (z=521) and δ(x)=x ⁶⁰⁷ +x ¹⁰⁵ +1 (z=607), for which the operation of multiplication in the field GF(2 ^z ), and therefore the operation of multiplication of vectors in the KNAA defined over the field GF(2 ^z ), has comparatively low computational complexity. A table of irreducible binary trinomials and pentamials to the power of 10000 is given, for example, on the website [Table of Low-Weight Binary Irreducible Polynomials // https://www.hpl.hp.com/techreports/98/HPL-98-135.pdf] . To develop stable post-quantum digital signature algorithms using the claimed method, it is sufficient to use irreducible binary polynomials of degree z≤1000.

Both in the case of using KNAA specified over the field CF(p), where a simple MDP p=2q+1 with a simple MDP q, and in the case of using KNAA specified over the field GF(2 ^z ), where z is the Mersenne degree, for To generate a basis <G, H> of a random group with two-dimensional cyclicity contained in the KNAA and having order q ² , a procedure can be used that includes the following steps:

1. Generate a random invertible vector N and calculate the vector L=N ² .

2. If L ^q =E and L≠λE for all values λ ∈ (i.e. if L is not a scalar vector), then go to step 3, otherwise go to step 1.

3. Generate a random value β ∈ , different from zero and one field , such that β ² is also not equal to the field unit .

4. Generate a random integer k(0<k<q)

5. Calculate the vector Н=β ² L ^k .

6. Give two vectors G=L and H as the basis <G, H> of a random group with two-dimensional cyclicity.

The resistance of the declared post-quantum method of generating and verifying the authenticity of an electronic digital signature certifying an electronic signature to attacks using conventional and quantum computers is ensured by the fact that the calculation of a secret key from a public key is associated with solving a system of many quadratic equations (specified in the field ) with many unknowns, for which the use of a quantum computer is not effective. The specified level of robustness of the claimed method is ensured by choosing the dimension of the generated CNAA m≥4 and a sufficiently large bit depth |q| simple MDCH q. In this case, the choice of values m and |q| is consistent with each other and with the required level of resistance, expressed as the value of the binary logarithm L of the minimum number of operations that must be performed to forge an digital signature. For example, for a given level of L-bit strength, the values of m and |q| can be selected from the condition m|q|≥4L.

Let us consider specific examples of the implementation of the claimed method.

Example 1. The case of implementation of the claimed method, illustrating paragraphs. 1 and 2 claims. In this example, the following sequence of actions is performed:

1. Generate a four-dimensional CNAA, for which

1.1) generate a simple MDCh p=2q+1, where q is a 128-bit simple MDCh;

1.2) generate a TUBV that specifies a non-commutative associative operation of multiplication of four-dimensional vectors specified over the field GF(p), for example, by copying the table. 1 and setting the value λ=2.

2. Generate a secret key, including a set of four-dimensional vectors A, B, D, G, H, G _x , G _u and H _w and the MDCH x, w and u as its elements, for which

2.1) generate two random four-dimensional vectors G and H of order forming a basis <G, H> of a commutative group of order q ² possessing two-dimensional cyclicity;

2.2) generate random MDCh x (1 x<q), w (1 w<q) and u (1 u<q) and calculate four-dimensional vectors G _x , G _u and H _w using the formulas G _x = G ^x , G _u =G ^u and H _w =H ^w (obviously, the vectors G, H, G _x , G _u and H _w are pairwise permutable as they belong to the commutative group generated by the basis <G, H>);

2.3) generate random invertible four-dimensional vectors A, B and D, satisfying the conditions AB≠BA, AD≠DA, AG≠GA, DB≠BD, BG≠GB, DG≠GD.

3. A public key is generated in the form of a set of four-dimensional vectors Y _1, Z ₁ , Y ₂ , Z ₂ and P, for which calculations are carried out using the following formulas Y ₁ = AGB, Z ₁ = DHA ^-1 , Y ₂ = AH _w B, Z ₂ =DG _x A ^-1 and P=AG _u HA ^-1 .

4. The ED is received, represented by a multi-bit bit string M.

5. Depending on the received ED and the value of the secret key, an electronic digital signature is formed in the form of a four-dimensional vector S, for which

5.1) using some specified 384-bit hash function ƒ _H , calculate the MDR h=h ₁ ||h ₂ ||h ₃ =ƒ _H (M), where the hash value h is represented as the concatenation of three 128-bit MDR h ₁ , h ₂ and h ₃ ;

5.2) calculate the MFC n and d using the following two formulas:

5.3) calculate the EDS in the form of a four-dimensional vector S using the formula S=B ^-1 G ⁿ H ^d D ^-1 .

6. Depending on the public key accepted by the ED and EDS, the EDS verification procedure is performed, for which

6.1) calculate the MDCH h=h ₁ ||h ₂ ||h ₃ =ƒ _H (M), where the 384-bit hash value h is represented as a concatenation of three 128-bit MDCHs h ₁ , h ₂ and h ₃ ;

6.2) carry out calculations using the formula with two (k=2) occurrences of the four-dimensional vector S and three operations of exponentiation by the MDC, implemented as the calculation of control m-dimensional vectors And and comparison of control m-dimensional vectors K _L and K _R .

7. The result of verifying the authenticity of the digital signature is generated in the form of a conclusion about the authenticity of the digital signature, if K _L =K _R , or about the falsehood of the digital signature, if K _L ≠K _R.

It is easy to see that the calculation of a secret key from a public key is associated with solving a system of 9 quadratic vector equations with 8 unknowns, given over a four-dimensional KNAA, given according to Table. 1 at value λ=2. This system of vector equations reduces to a system of 36 quadratic equations with 32 unknowns, defined over the field GF(p) with a 129-bit order. This determines the post-quantum stability of this particular example of the implementation of the claimed method.

The correctness of this example implementation of the claimed method is proven by demonstrating that a correctly generated digital signature in accordance with step 5 passes the digital signature verification procedure performed at step 6 as a genuine digital signature. Indeed, let the four-dimensional vector S constitute an electronic digital signature, formed in full accordance with the actions prescribed by step 5 of example 1. Then we have the following proof of correctness:

Since the equality K _L =K _R is satisfied, a correctly generated digital signature undergoes the verification procedure as a genuine digital signature, i.e. Example 1, which represents a particular implementation of the claimed method, works correctly.

Other modifications of the considered example 1 can be obtained by using instead of the KNAA specified over the field GF(p) with a 129-bit characteristic p according to table. 1, one of the following algebraic carriers:

-- a six-dimensional KNAA defined over the field GF(p) with a 97-bit characteristic p (with a simple 96-bit MDC q=71907494709617529358502495579) according to Table. 6;

-- four-dimensional KNAA, specified according to table. 2 over the field GF(2 ^z ) with the expansion degree z=127, at which we have a simple MDCH q=2 ^z -1==170141183460469231731687303715884105727;

-- eight-dimensional KNAA, specified according to table. 7 over the field GF(p) with an 81-bit characteristic p (with a simple 80-bit MFC q=1041260943259690172052821).

Other modifications of example 1 are also possible with the assignment of KNAA of various dimensions, and according to different TUBV for each dimension value. In this case, of practical interest is 1) specifying the KNAA over a simple finite field GF(p) and 2) specifying the KNAA over the finite field GF(2 ^z )

Example 2. The case of implementation of the claimed method, illustrating paragraphs. 1 and 3 claims. In this example, the following sequence of actions is performed:

1. Generate a six-dimensional CNAA, for which

1.1) generate a simple MDCH z=107, in which the MDCH 2 ^z -1=q is simple (q=162259276829213363391578010288127);

1.2) generate an irreducible binary polynomial of degree z=107, for example, binary polynomial δ(x)=x ¹⁰⁷ +x ⁹ +x ¹ +x ⁴ +1;

1.3) generate a TUBV that specifies a non-commutative associative operation of multiplication of six-dimensional vectors defined over the field GF(2 ^z ) with the operation of multiplication modulo an irreducible binary polynomial δ(x)=x ¹⁰¹ +x ⁹ +x ⁷ +x ⁴ +1, for example, by copying the table. 6, and setting the structure constant λ equal to the unit field GF(2 ^z ), i.e. λ=1.

2. Generate a secret key, including a set of six-dimensional vectors A, B, D, F, G, H, G _x , H _w , G _j and _Hi - and MDC x, w, i and j as its elements, for which

2.1) generate two random six-dimensional vectors G and H of order q, forming a basis <G, H> of a commutative group of order q ² possessing two-dimensional cyclicity;

2.2) generate random six-dimensional reversible vectors A, B, D, F of order that satisfy the conditions AB≠BA, AD≠DA, AF≠FA, AG≠GA, BD≠DB, BF≠FB, BG≠GB, DF≠FD, DG≠GD, FG≠GF;

2.3) generate random MDCh x (1<x<q), w (1<w<q), i (1<i<q) and j (1<j<q) and calculate six-dimensional vectors G _x , G _j , H _w and H _i according to the formulas G _x =G ^x , G _j =G ^j , H _w =H ^w and H _i =H _i (obviously, the vectors G, H, G _x , G _j , H _w and H _i are pairwise permutable as belonging to the commutative group generated by the basis <G, H>).

3. A public key is generated in the form of a set of six-dimensional vectors Y _1, Z ₁ , Y ₂ , Z ₂ , Y ₃ and Z ₃ , for which calculations are carried out using the following formulas Y ₁ = AGB, Z ₁ = DHA ^-1 , Y ₂ = FH _w B, Z ₂ =DG _x F ^-1 , Y ₃ =AH _i D ^-1 and Z ₃ =B ^-1 G _j F ^-1

4. The ED is received, represented by a multi-bit bit string M.

5. Depending on the received ED and the value of the secret key, an electronic digital signature is formed in the form of an MDC e and a six-dimensional vector S as its elements, for which

5.1) generate random integers k and t that satisfy the conditions 1<k<q and 1<t<q, and calculate the vector R=AG ^k H ^t F ^-1 ;

5.2) using some collision-resistant 256-bit hash function ƒ _H , calculate the MFC e = e ₁ || e ₂ =ƒ _H (M||R), where the hash value e is represented as the concatenation of two 128-bit MFC e ₁ and e ₂ ;

5.3) calculate the MFC n and d using the following two formulas:

5.4) calculate the six-dimensional vector S using the formula S=B ^-1 G ⁿ H ^d D ^-1 .

6. Depending on the public key accepted by the ED and EDS, the EDS verification procedure is performed, for which

6.1) calculate the six-dimensional control vector R _K using the mathematical formula in the form of equality with k=3 occurrences of the six-dimensional vector S and two operations of exponentiation of the MDC;

6.2) calculate the control MFC e _K =ƒ _H (M||R _K );

6.3) compare the control MFC e _K and MFC e.

7. The result of verifying the authenticity of the digital signature is generated in the form of a conclusion about the authenticity of the digital signature, if e _K = e, or about the falsity of the digital signature, if e _K ≠e.

The post-quantum stability of this particular example of the implementation of the claimed method is ensured by the fact that the calculation of the secret key from the public key is associated with solving a system of 11 quadratic vector equations with 10 unknowns, specified over the six-dimensional KNAA used. The specified system of vector equations reduces to a system of 66 quadratic equations with 60 unknowns, defined over the field GF(2 ^z ) with a 107-bit degree of expansion of the binary field GF(2). Using the GF(2 ^z ) field instead of the GF(p) field provides increased performance and reduced circuit complexity of the hardware implementation of the claimed method. Proof of the correct operation of the claimed method according to example 2 is carried out as follows:

Example 3. The case of implementation of the claimed method, illustrating paragraphs. 1 and 4 claims. In this example, the following sequence of actions is performed:

1. Generate a six-dimensional CNAA, for which

1.1) generate a simple MDCH z=127, in which the MDCH 2 ^z -1 = q is simple (q=170141183460469231731687303715884105727);

1.2) generate an irreducible binary polynomial of degree z=121, for example, binary polynomial δ(x)=x ¹²⁷ +x+1;

1.3) generate a TUBV that specifies a non-commutative associative operation of multiplication of six-dimensional vectors defined over the field GF(2 ^z ) with the operation of multiplication modulo an irreducible binary polynomial δ(x)=x ¹²⁷ +x+1, for example, by copying the table. 6 and setting the structure constant λ equal to the unit field GF(2 ^z ), i.e. λ=1;

2. Generate a secret key, including a set of six-dimensional vectors A, B, G, G _x and H and MDC x as its elements, for which

2.1) generate two random six-dimensional vectors G and H of order q, forming a basis <G, H> of a commutative group of order q ² possessing two-dimensional cyclicity;

2.2) generate random six-dimensional invertible vectors A and B of order q, which satisfy the conditions AB≠BA, AG≠GA and BG≠GB;

2.3) generate a random MDCh x (1<x<q) and calculate the six-dimensional vector G _x using the formula G _x =G ^x (obviously, the vectors G, H and G _x are pairwise permutable as belonging to the commutative group generated by the basis <G, N>).

3. A public key is generated in the form of a set of six-dimensional vectors Y, Z and U, for which calculations are carried out using the following formulas Y=AGB, Z=AG _x B and U=ANB

4. The ED is received, represented by a multi-bit bit string M.

5. Depending on the received ED and the value of the secret key, an electronic digital signature is formed in the form of an MDC e and a six-dimensional vector S as its elements, for which

5.1) generate random integers k and t that satisfy the conditions 1<k<q and 1<t<q, and calculate the vector R=B ^-1 G ^k H ^t B;

5.2) using some collision-resistant 256-bit hash function ƒ _H , calculate the MFC e=e ₁ ||e ₂ =ƒ _H (M||R), where the hash value e is represented as the concatenation of two 128-bit MFC e ₁ and e ₂ ;

5.3) calculate the MFC n and d using the following two formulas:

5.4) calculate the six-dimensional vector S using the formula S=B ^-1 G ⁿ H ^d A ^-1 .

6. Depending on the public key accepted by the ED and EDS, the EDS verification procedure is performed, for which

6.1) calculate the six-dimensional control vector R _K using the mathematical formula in the form of equality with k=4 occurrences of the six-dimensional vector S and three operations of raising to the power of the MDC (raising to the power of 6 does not significantly affect the computational complexity of calculating the right side of the equality);

6.2) calculate the control MFC e _K =ƒ _H (M||R _K );

6.3) compare the MFC e _K and e.

7. The result of verifying the authenticity of the digital signature is generated in the form of a conclusion about the authenticity of the digital signature, if e _K = e, or about the falsity of the digital signature, if e _K ≠e.

The post-quantum stability of this particular example of the implementation of the claimed method is ensured by the fact that the calculation of the secret key from the public key is associated with solving a system of the following 5 quadratic vector equations with 5 unknowns A, B ^-1 , G, G _x and H:

YB ^-1 =AG, ZB ^-1 =AG _x , UB ^-1 =AN, GG _x =G _x G, GH=HG.

The specified system of vector equations reduces to a system of 30 quadratic equations with 30 unknowns, defined over the field GF(2 ^z ) with a 127-bit degree of expansion of the binary field. The proof of the correct operation of a particular implementation of the claimed method according to example 3 is carried out, taking into account the formulas for calculating the MFC n and d (see step 5.3)), as follows:

Example 4. A case of implementation of the claimed method, illustrating claim 1 of the claims. In this example, the following sequence of actions is performed:

1. Generate a four-dimensional CNAA, for which

1.1) generate a simple MDC p=2q+1, where q is a 192-bit simple MDC, namely, q=5261472747218403390125581496192701306697287924851078249233;

1.2) generate a TUBV that specifies a non-commutative associative operation of multiplication of four-dimensional vectors specified over the field GF(p), for example, by copying the table. 5 and setting the value λ=2.

2. Generate a secret key, including a set of four-dimensional vectors A, B, F, G, H, G _x , H _w , G _j and _Hi and the MDC x, w, i, and j as its elements, for which

2.1) generate two random four-dimensional vectors G and H of order q, forming a basis <G, H> of a commutative group of order q, which has two-dimensional cyclicity;

2.2) generate random four-dimensional invertible vectors A, B, F of order q, which satisfy the conditions AB≠BA, AF≠FA, AG≠GA, BF≠FB, BG≠GB, FG≠GF;

2.3) generate random MDCh x (1 x<q), w (1 w<q), i (1<i<q), and j (1<j<q) and calculate four-dimensional vectors G _x , G _j , H _w and _Hi according to the formulas G _x =G ^x , G _j =G ^j , H _w =H ^w and H _i =H _i (obviously, the vectors G, H, G _x , G _j , H _w and _Hi are pairwise permutable as belonging to the commutative group generated by the basis <G, H>).

3. A public key is generated in the form of a set of four-dimensional vectors Y ₁ , Z ₁ , Y ₂ , Z ₂ , Y ₃ and Z ₃ , for which calculations are carried out using the following formulas Y ₁ =AGB ^-1 , Z ₁ =BHA ^-1 , Y ₂ =FH _w B ^-1 , Z ₂ =BG _x F ^-1 , Y ₃ =AH _i B ^-1 and Z ₃ =BG _i F ^-1 .

4. The ED is received, represented by a multi-bit bit string M.

5. Depending on the received ED and the value of the secret key, an electronic digital signature is formed in the form of an MDC e and a four-dimensional vector S as its elements, for which

5.1) generate random integers k and t that satisfy the conditions 1<k<q and 1<t<q, and calculate the vector R=AG ^k H ^t F ^-1 ;

5.2) using some collision-resistant 384-bit hash function ƒ _H , calculate the MCH e=e ₁ ||e ₂ ||e ₃ =ƒ _H (M||R), where the hash value e is represented as a concatenation of three 128- bit MDCs e ₁ , e ₂ and e ₃ ;

5.3) calculate the MFC n and d using the following two formulas:

5.4) calculate the six-dimensional vector S using the formula S=BG ⁿ H ^d B ^-1 .

6. Depending on the public key accepted by the ED and EDS, the EDS verification procedure is performed, for which

6.1) calculate the four-dimensional control vector R _K using the mathematical formula in the form of equality with k=3 occurrences of the four-dimensional vector S and three operations of exponentiation of the MDC;

6.2) calculate the control MFC e _K =ƒ _H (M||R _K );

6.3) compare the control MFC e _K and MFC e.

7. The result of verifying the authenticity of the digital signature is generated in the form of a conclusion about the authenticity of the digital signature, if e _K = e, or about the falsity of the digital signature, if e _K ≠e.

The post-quantum stability of this particular example of the implementation of the claimed method is ensured by the fact that the calculation of the secret key from the public key is associated with the solution of a system of 11 quadratic vector equations with 9 unknowns, specified over the six-dimensional KNAA used. This system of vector equations reduces to a system of 44 equations with 36 unknowns, defined over the field GF(p), the order of which is equal to a 192-bit prime number. Proof of the correct operation of the claimed method according to example 4 is carried out as follows:

The above examples of specific implementation options for the claimed method provide mathematical proof of the correctness of these implementation options for the claimed post-quantum method for generating and verifying an electronic signature that certifies an ED.

Thus, it is shown that the proposed method can be used as the basis for stable post-quantum digital signature algorithms, providing relatively high performance of devices and programs for generating and verifying the authenticity of digital signatures. At the same time, the problem of developing practical post-quantum digital signature algorithms with small digital signature sizes and public keys is being solved, which, judging by the current results of the worldwide competition announced for the period 2017-2024. US National Institute of Standards and Technology (NIST), on the development of post-quantum two-key open key agreement algorithms and post-quantum digital signature algorithms [Federal Register. Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms. Available at: https://www.gpo.gov/fdsys/pkg/FR-2016-12-20/pdf/2016-30615.pdf], currently open [Moody, D. 2021. NIST Status Update on the ^3rd Round // https://csrc.nist.gov/CSRC/media/Presentations/status-update-on-the-3rd-round/images-media/session-1-moody-nist-round-3- update.pdf]. In table Figure 8 shows a comparison of the sizes of the public key and digital signature in the algorithms compiled according to the stated method, and in the finalists (Falcon, CRYSTALS-Dilithium, Rainbow algorithms) of the NIST competition in the category of post-quantum digital digital signature algorithms [Round 3 Finalists: Public-key Encryption and Key-establishment Algorithms https://csrc.nist.gov/projects/post-quantum-crvptographv/round-3-submissions!.

The given examples and mathematical justification show that the proposed post-quantum method of generating and verifying the authenticity of an electronic signature certifying an electronic signature works correctly, provides resistance to quantum attacks, is technically feasible and allows one to achieve the formulated technical result.

Annex 1

Interpretation of terms used in the description of the application

1. Binary digital electromagnetic signal - an electromagnetic signal that specifies a sequence of bits in the form of zeros and ones, processed in electronic devices of computing and information and communication networks and systems.

2. Parameters of a binary digital electromagnetic signal - bit depth and sequence of signals transmitting one and zero bits.

3. The size of a binary digital electromagnetic signal is the total number of its one and zero bits, for example, the number 10011 is 5-bit.

4. Multi-bit bit string - an electromagnetic signal in binary digital form, the parameters of which are: the number of bits and the order of their one and zero values.

5. Multi-bit binary number (MDN) - a multi-bit bit string interpreted as a binary number.

6. Multi-bit binary polynomial (MBP) - a multi-bit bit string interpreted as a binary polynomial, written as an ordered sequence of its coefficients.

7. Electronic digital signature (EDS) is a binary digital electromagnetic signal, the parameters of which depend on the signed electronic document and the secret key. Digital signature authentication is verified using a public key, which depends on the private key.

8. Electronic document (ED) - a binary digital electromagnetic signal, the parameters of which depend on the source document and the method of converting it to electronic form.

9. Hash function ƒ _H - a function whose value is used as a cryptographic checksum, calculated from electronic documents and messages and has the properties of difficult reversibility and the practical impossibility of generating two different messages or documents with the same hash value. The second property is called collision resistance. The input value (argument) of the hash function is an electronic message or electronic document of arbitrary size, and the output value (hash value) has a fixed size from 160 to 512 bits. A hash function is specified as an algorithm that describes a sequence of actions performed on an argument, the result of which is the hash function value.

10. Vectors of dimension m (m-dimensional vectors) are ordered sets of m multi-bit bit strings, for example, of m MDCHs, forming a set of sets over which one or more algebraic operations are specified that have the property of closure. A set of m-dimensional vectors over which the operations of addition of vectors and multiplication of a scalar by a vector are given, which have the properties of closure, commutativity and associativity, is called m-dimensional vector space [Kostrikin A.I. Introduction to algebra. Part 2. Linear algebra. - M., FIZMATLIT, 2001. - 367 p.; see p. 12].

11. A finite m-dimensional algebra is a finite m-dimensional vector space with an additionally defined operation of vector multiplication of all possible pairs of m-dimensional vectors, which has the properties of closure and distributivity on the left and right with respect to the addition operation.

12. Non-commutative associative algebra - an algebra in which the multiplication operation has the properties of non-commutativity and associativity, i.e. in the general case, the inequality AB≠BA and the equality (AB)C=A(BC), where A, B and C are vectors that are elements of the algebra, are satisfied.

13. Secret key - a binary digital electromagnetic signal used to generate an electronic digital signature for a given electronic document. The secret key is represented, for example, in binary form as a MDM (a sequence of bits “0” and “1”), a set of MDMs, a vector, a set of vectors, a set of MDMs and vectors.

14. Public key - a binary digital electromagnetic signal, the parameters of which depend on the secret key and which is intended to verify the authenticity of a digital electronic signature.

15. The hash function from an electronic document is a binary digital electromagnetic signal, the parameters of which depend on the electronic document and the chosen method of its calculation. In digital signature systems, a hash function is considered to uniquely represent an ED, since the hash functions used satisfy the requirement of collision resistance, which means that it is computationally impossible to find two different EDs that correspond to the same hash function value.

16. The operation of raising a vector A to a discrete power MDC e is the operation of e-fold multiplication of the vector by itself: A ^e = AA...A (e times). Thanks to the existence of a fast exponentiation algorithm based on the sequential squaring procedure (see, for example, [Moldovyan N.A. Theoretical minimum and digital signature algorithms. - St. Petersburg, BHV-Petersburg, 2010. - p. 56]), Raising vector A to the t-bit power e can be carried out by performing an average of 1.5t vector multiplications, which on modern computers is implemented in small fractions of a second for bit sizes t=100, t=1000 and more. The associative property of the multiplication operation underlies the correct operation of the fast exponentiation algorithm.

17. The order q of vector A is the minimum of the numbers γ for which the condition A ^γ = E is satisfied, i.e. q=min{γ: A ^γ =E}, where E is the unit vector.

18. A group is an algebraic structure (i.e. a set of mathematical elements of different nature), on the elements of which a certain operation is given and they have a given set of properties: the operation is associative, the result of performing an operation on two elements is also an element of the same structure, there is a neutral the element ε is such that when an operation is performed on it and some other element a of the group, the result is the element a; each element is invertible, i.e. for any element a there is an element a ^-1 such that the equality aa ^-1 =ε holds. A detailed description of the groups is given in the books [A.G. Kurosh. Group theory. - M., publishing house “Nauka”, 1967. - 648 p.] and [M.I. Kargapolov, Yu.I. Merzlyakov. Fundamentals of group theory. - M., publishing house “Science. Fizmatlit", 1996. - 287 p.]. An operation defined on elements of a group is called a group operation.

19. A cyclic group is a group, each element of which can be represented in the form g = a ⁿ for some natural value of n, where a is an element of this group, called a generator or forming element of the cyclic group. Degree n means that n consecutive operations are performed on element a, i.e. calculations are performed using the formula a ⁿ =а°а°а°…°а (n times), where “°” denotes the operation defined on the elements of the group.

20. A group with two-dimensional cyclicity is a finite commutative group, each element g of which can be represented as g=a ⁿ b ^d for some natural values of n and d, where a and b are elements of the group having the same order value. The elements a and b are called group generators.

21. The basis of a group is the minimum set of generators of the group, for example, the basis of a group with two-dimensional cyclicity includes two generators of the group a and b of the same order and is denoted as <a, b>.

22. Operand - an element of an algebraic structure on which an operation is performed.

23. The operation parameter is the MDCH, used as the value of the degree of the operation of raising a vector to a power.

24. An irreducible binary polynomial of degree z is a binary polynomial of degree z that cannot be represented as a product of binary polynomials of degrees less than z.

25. Finite field GF(2 ^z ) - the set of all binary polynomials, the degree of which does not exceed the value z-1, for which the addition operation is defined as the addition modulo 2 of all coefficients of operand polynomials with the same powers of the variable and the operation of multiplication modulo an irreducible binary polynomial of degree z, including the zero binary polynomial 0 (the zero element of the field GF(2 ^z )) and the unit binary polynomial 1 (the unit of the GF(2 ^z ) field). Various versions of GF(2 ^z ) fields differ in the operation of multiplication, the specific type of which is determined by specifying a specific irreducible binary polynomial. There are a large number of different irreducible polynomials of degree z>10. For technical applications of GF(2 ^z ) fields, fields with multiplication specified modulo an irreducible polynomial with three (trinomials) and five (pentenomials) non-zero coefficients are of interest. The choice of such irreducible binary polynomials provides a significant reduction in the computational complexity of the multiplication operation in the field GF(2 ^z ). Elements of the field GF(2 ^z ) are written in the form of bit strings of length z, in which every 1st bit is equal to the value of the coefficient at the i-th power of the variable x, i.e. the coefficient of x ⁱ in the form of a binary polynomial in the form of the sum k _z-1 x ^z-1 +…+k _i x ⁱ +…+k ₂ x ² +k ₁ x+k ₀ , where the coefficients k _i have the value 1 or 0 .The terms with a zero value of the coefficient _ki are omitted in the notation of the binary polynomial as the sum of powers of the variable x, but are present in the notation of the binary polynomial in the form of a bit string k _z-1 k _i ...k ₂ k ₁ k ₀ .

26. The concatenation operation (attachment operation), denoted by the sign “||” - the operation of combining two bit strings into a single bit string, the length (bit) of which is equal to the sum of the lengths (bits) of the original two bit strings, for example, 10101||0001=101010001.

27. Multiplication table of basis vectors (TBM) - a table by which the result of multiplication of all possible ordered pairs of basis vectors is specified, and such a result is specified in the form of a one-component vector, i.e. basis vector multiplied by a scalar.

28. Primary group - a group whose order is equal to a prime number or a power of a prime number.

Claims (1)

A post-quantum method for generating and verifying the authenticity of an electronic digital signature certifying an electronic document, which consists in generating an m -dimensional finite non-commutative associative algebra, where m ≥ 4, generating a secret key, including a set of m -dimensional vectors as its elements, according to the secret key, a public key is formed in the form of a set of m -dimensional vectors, an electronic document represented by a multi-bit bit string M is received, depending on the received electronic document and the value of the secret key, an electronic digital signature is formed, including an m -dimensional vector S , depending on the public key , the received electronic document M and the electronic digital signature perform the electronic digital signature verification procedure, including performing the operations of multiplying m -dimensional vectors, raising m -dimensional vectors to the power of a multi-bit binary number and comparison, and generating a result for verifying the authenticity of the electronic digital signature, differing in that that generate a secret key in the form of a set of m -dimensional vectors A , B , D , F , G , H , G _x , H _w , G _{j and Hi} by generating random multi-bit binary numbers x , w , i , and j and random m -dimensional vectors A , B , D , F , G and H , where the order of the vectors G and H is equal to a simple multi-digit binary number q , satisfying the conditions AB # BA , AD # DA , AF # FA, AG # GA, BD # DB _, BF # FB , BG # GB , DF # FD , DG # GD , FG # GF and GH = HG , and calculations of m -dimensional vectors G _x , H _w , G _j and Hi using the formulas G _x = G ^x , H _w = H ^w , G _j = G ^j and H _i = H ⁱ , form a public key in the form of a set of m -dimensional vectors Y ₁ , Z ₁ , Y ₂ , Z ₂ , Y ₃ and Z ₃ by performing calculations on formulas Y ₁ = AGB , Z ₁ = DHA ^-1 , Y ₂ = FH _w B , Z ₂ = DG _x F ^-1 , Y ₃ = AH _i D ^-1 and Z ₃ = B ^-1 G _j F ^-1 , form an electronic digital signature in the form of a multi-bit binary number e and an m -dimensional vector S , for which random multi-bit binary numbers k and t are generated, the vector R = AG ^k H ^t F ^-1 and the multi-bit binary number e = e ₁ || are calculated. e ₂ = f _H ( M || R ), where f _H is a collision-resistant hash function and e ₁ and e ₂ are multi-bit binary numbers of the same width, calculate multi-bit binary numbers n and d using the formulas And , calculate the vector S using the formula S = B ^-1 G ⁿ H ^d D ^-1 , perform the procedure for verifying the electronic digital signature, including calculating the control m -dimensional vector R _K using the formula with k = 3 occurrences of the m -dimensional vector S , calculating the control multi-bit binary number e _K = f _H ( M || R _K ) and comparing the multi-bit binary numbers e _K and e , and generating the result of verifying the authenticity of the electronic digital signature in the form of output about the authenticity of an electronic digital signature, if e _K = e , or about the falsity of an electronic digital signature, if e _K # e .