CN101867474B - Digital signature method - Google Patents

Abstract

The invention relates to the technical field of information security, in particular to a digital signature method. A novel lightweight digital signature scheme constructed by being based on the difficulty of matrix decomposition and combining a hash function authentication technology can be widely applied to the fields of network security, electronic commerce, bills, identity authentication and other information security systems, has the advantages of high efficiency, no need of password algorithm protocol processor, high safety, resistance for attack from a quantum computer and the like when used for signature authentication and is particularly applied to the field of information security, such as smart cards, wireless sensing networks, cellular phones, radio-frequency identification (RFID) and the like.

Description

Digital signature method

Technical field

The present invention relates to field of information security technology, relate in particular to a kind of digital signature method.

Background technology

21st century is the epoch of information.Except the electronic information science and technology continues the high speed development, novel information science such as quantum and biology are set up and are developed.The research and development of quantum information science has expedited the emergence of the appearance of quantum computer, quantum communications and quantum cryptography.The R&D work of quantum computer has at present obtained breakthrough progress, and IBM Corporation has taken the lead in succeeding in developing the exemplary quantum computer etc. of 7 quantum bits like calendar year 2001.Shor had proposed famous Shor algorithm in 1994, and this is a kind of password search decoding algorithm of special use, and its expansion algorithm can be attacked the public key cryptography that all can convert the GENERALIZED DISCRETE LINEAR RANDOM SYSTEM Fourier transform into polynomial time, comprises RSA, ElGamal and ECC.Move towards practical in case this means quantum computer, the public-key cryptosystem of these extensive uses will be no longer safe so.

Along with the development (like secondary sieve method and number field sieve method) of integer decomposition technique, RSA class system just must be used the parameter that increases gradually in order to guarantee its fail safe.Use the amount of calculation of RSA system of big modulus very big, reduced the encryption and decryption efficient of this system.Therefore this system is not too to be fit to for computing equipment such as cell phone, the smart card etc. of resource-constrained, says nothing of wireless sensor network and RF tag RFID.Secondly, Next Generation Internet IPv6 introduces a large amount of encryption and authentication techniques in order to improve the fail safe of service, and the service corresponding speed that for the user, conventional public-key cryptographic algorithm efficient is lower, the CPU time of encryption and decryption consumption can make the user is slack-off.

Summary of the invention

To the technical problem of above-mentioned existence, the purpose of this invention is to provide a kind of lightweight new digital endorsement method, it is characterized in that based on the difficulty of matrix decomposition and the new digital endorsement method that combines the hash function authentication techniques to construct.

For achieving the above object, the present invention adopts following technical scheme:

(I) system sets up: the standard hash function H () and finite field gf (q), the wherein q=2 that select at least 160 of outputs ^k, integer k is less than the output valve length of hash function H ();

Specify value (0＜δ, the r＜n) of numeric parameter n, δ and r according to the user security sexual demand;

N on the picked at random GF (q) ties up affine dijection conversion T;

Structure is based on the reversible compressed transform L of hash function H (): (z ₁..., z _n) ← (x ₁..., x _n, x _N+1..., x _{N+ δ}),

Wherein but A is n-δ dimension inverse square matrix, coefficient gamma _i≠ 0 (1≤i≤2 δ), and coefficient a _Ij(1≤i≤δ, 1≤j≤n-1) and constant term α _i(1≤i≤n) for selecting at random; x _N+i(1≤i≤δ) is an expansion variable, and it is vector (x ₁..., x _n) preceding (cryptographic hash of individual component of n-δ+i-1), promptly

x _n+i＝H _k(x ₁||x ₂||…||x _n-δ+i-1)，1≤i≤δ

H wherein _kThe preceding k position of H () output valve is taken out in () expression successively, and " || " expression couples together two Bit Strings;

Make T ^-The capable conversion that constitutes of n-r that T is taken out in expression successively,

The PKI of system is above-mentioned two mapping T ^-Compound with L, G=T ^-ο L, PKI G are the Linear Indeterminate Equation Group that finite field gf (q) is gone up a n+ δ input variable, a n-r output; Private key is formed D={T for the inverse transformation of mapping T and L ^-1, L ^-1; Wherein, inverse transformation L ^-1By A ^-1, B, α _i(1≤i≤n),

And γ _i(δ+1≤j≤2 δ) forms.

(II) signature process is: suppose the message vector (y of user A to user B ₁..., y _N-r) sign, then the signature process of user A is divided following two steps:

1. picked at random r variable y _N-r+i(1≤i≤r) cascade up with the message vector constitutes the n-dimensional vector (y on the GF (q) to ∈ GF (q) ₁..., y _n), and use private key T ^-1Calculate (z ₁, z _n)=T ^-1(y ₁, y _n);

2. use private key L ^-1Calculate and just can obtain corresponding signature (x ₁, x _{N+ δ})=L ^-1(z ₁..., z _n);

(III) certifying signature process: after user B receives the signature of user A to message, divide following two steps:

1. with hash function to the signature (x ₁..., x _{N+ δ}) carry out authentication, promptly each component will satisfy:

x _n+i＝H _k(x ₁||x ₂||…||x _n-δ+i-1)，1≤i≤δ

Otherwise refusal signature;

2. if step 1. authentication pass through, then continue to verify, promptly with the PKI G of user A

$(y_1,...,y_{n-r})\stackrel{?}{=}G(x_1,...,x_{n+\mathrm{\δ}})$

If following formula equation the right and left equates, then accept signature, otherwise the refusal signature.

Said hash function H () can select standard hash functions such as MD5, SHA-1, SHA-2, SHA-3 for use respectively.

The present invention has the following advantages and good effect:

1) the present invention is the very high digital signature scheme of a kind of fail safe.Its fail safe performance mainly depends on employed hash function, and present widely used hash function all is to adopt a large amount of logical operation structures, has very high fail safe, can resist the attack of quantum computer;

2) the present invention is a kind of digital signature scheme of efficient lightweight; Its computing is mainly the multiplying on cryptographic hash computing and the finite field; Present widely used hash function all is to adopt a large amount of logical operation structures; Therefore has lower computational complexity, if we select less field parameter such as GF (2 ⁸), then multiplication can adopt and table look-up, and efficient is higher, and this programme can be widely used in the limited embedded device of computing capability;

3) endorsement method of the present invention has very big flexibility, and hash function can freely be selected.

Embodiment

With specific embodiment the present invention is described further below:

The fail safe of digital signature scheme of the present invention is based on the difficulty of matrix decomposition, also promptly from PKI G=T ^-Successfully decompositing private key information T and L among the ο L is that calculating is gone up infeasible.And L is a non-linear inverible transform based on hash function in essence, and linear transformation T works to hide L, and the therefore chemical combination through two conversion is converted into the fail safe that depends on hash function with the fail safe of system.

In order to make much of signature scheme of the present invention, we provide the instantiation that a level of security is about :

(I) system sets up: choice criteria hash function SHA-1 is as H (), system parameters n=31, δ=12, r=10 and k=8.Picked at random finite field gf (2 ⁸) on 31 the dimension affine dijection conversion T;

Structure is based on the reversible compressed transform L of SHA-1: (z ₁..., z ₃₁) ← (x ₁..., x ₃₁, x ₃₂..., x ₄₃),

Wherein but A is 19 dimension inverse square matrixs, coefficient gamma _i≠ 0 (1≤i≤24), and coefficient a _Ij(1≤i≤12,1≤j≤30) and constant term α _i(1≤i≤31) are for select at random; x _N+i(1≤i≤12) are expansion variable, and it is vector (x ₁..., x ₃₁) cryptographic hash of preceding (18+i) individual component, promptly

x _31+i＝H ₈(x ₁||x ₂||…||x _18+i)，1≤i≤12

H wherein ₈Preceding 8 of H () output valve are taken out in () expression successively, and " || " expression couples together two Bit Strings;

Make T ^-The 21 capable conversion that constituted of T are taken out in expression successively.

The PKI of system is above-mentioned two mapping T ^-Compound with L, G=T ^-ο L, PKI G are finite field gfs (2 ⁸) Linear Indeterminate Equation Group of last 43 input variables, 21 outputs;

System's private key is formed D={T for the inverse transformation of mapping T and L ^-1, L ^-1; Wherein, inverse transformation L ^-1By A ^-1, B, α _i(1≤i≤31),

And γ _i(13≤j≤24) are formed.Can get its inverse transformation L according to above-mentioned inverible transform L based on SHA-1 ^-1: (x ₁..., x ₃₁, x ₃₂..., x ₄₃) ← (z ₁..., z ₃₁),

(II) signature process is: suppose the message vector (y of user A to user B ₁..., y ₂₁) sign, then the signature process of user A is divided following two steps:

1. 10 variable y of picked at random _21+i∈ GF (2 ⁸) (1≤i≤10) and message vector cascade up, and constitutes GF (2 ⁸) on 31 dimensional vector (y ₁..., y ₃₁), and use private key T ^-1Calculate (z ₁, z ₃₁)=T ^-1(y ₁, y ₃₁);

2. use private key L ^-1Calculate and just can obtain corresponding signature (x ₁, x ₄₃)=L ^-1(z ₁..., z ₃₁);

(III) certifying signature process: after user B receives the signature of user A to message, divide following two steps:

1. with hash function to the signature (x ₁..., x ₄₃) carry out authentication, promptly each component will satisfy:

x _31+i＝H ₈(x ₁||x ₂||…||x _18+i)，1≤i≤12

Otherwise refusal signature;

2. if step 1. authentication pass through, then continue to verify, promptly with the PKI G of user A

$(y_1,...,y_{21})\stackrel{?}{=}G(x_1,...x_{43})$

When system parameters n=31, δ=12, r=10 and k=8, then the public key size of system is about 0.88Kbyte, public key size is about 1.65Kbyte, and level of security is about

And main computing is a finite field gf (2 ⁸) on multiplying can the pre-computation and the storage of making a list because finite field is less, so multiplying can be converted into the computing of tabling look-up; Secondly about 10 SHA-1 computings.Therefore implementation efficiency is high, is fit to software and hardware and realizes.

Claims (2)

1. a digital signature method is characterized in that, may further comprise the steps:

(I) system sets up: the standard hash function H () and finite field gf (q), the wherein q=2 that select at least 160 of outputs ^k, integer k is less than the output valve length of hash function H ();

Specify value (0＜δ, the r＜n) of numeric parameter n, δ and r according to the user security sexual demand;

N on the picked at random GF (q) ties up affine dijection conversion T;

Structure is based on the reversible compressed transform L of hash function H (): (z ₁..., z _n) ← (x ₁..., x _n, x _N+1..., x _{N+ δ}),

Wherein but A is n-δ dimension inverse square matrix, coefficient gamma _i≠ 0 (1≤i≤2 δ), and coefficient a _Ij(1≤i≤δ, 1≤j≤n-1) and constant term α _i(1≤i≤n) for selecting at random; x _N+i(1≤i≤δ) is an expansion variable, and it is vector (x ₁..., x _n) preceding (cryptographic hash of individual component of n-δ+i-1), promptly

x _n+i＝H _k(x ₁||x ₂||…||x _n-δ+i-1)，1≤i≤δ

H wherein _kThe preceding k position of H () output valve is taken out in () expression successively, and " || " expression couples together two Bit Strings;

Make T ^-The capable conversion that constitutes of n-r that T is taken out in expression successively,

The PKI of system is above-mentioned two mapping T ^-Compound with L, G=T ^-ο L, PKI G are the Linear Indeterminate Equation Group on the finite field gf (q), and the input variable number is that n+ δ, output variable number are n-r; Private key is formed D={T for the inverse transformation of mapping T and L ^-1, L ^-1; Wherein, inverse transformation L ^-1By A ^-1, B, α _i(1≤i≤n), And γ _j(δ+1≤j≤2 δ) forms;

(II) signature process is: suppose the message vector (y of user A to user B ₁..., y _N-r) sign, then the signature process of user A is divided following two steps:

1. picked at random r variable y _N-r+i(1≤i≤r) cascade up with the message vector constitutes the n-dimensional vector (y on the GF (q) to ∈ GF (q) ₁..., y _n), and use private key T ^-1Calculate (z ₁, z _n)=T ^-1(y ₁, y _n);

2. use private key L ^-1Calculate and just can obtain corresponding signature (x ₁, x _{N+ δ})=L ^-1(z ₁..., z _n);

(III) certifying signature process: after user B receives the signature of user A to message, divide following two steps:

1. with hash function to the signature (x ₁..., x _{N+ δ}) carry out authentication, promptly each component will satisfy:

x _n+i＝H _k(x ₁||x ₂||…||x _n-δ+i-1)，1≤i≤δ

Otherwise refusal signature;

2. if step 1. authentication pass through, then continue to verify, promptly with the PKI G of user A

If following formula equation the right and left equates, then accept signature, otherwise the refusal signature.

2. digital signature method according to claim 1 is characterized in that:

Said hash function H () selects hash function standard MD5, SHA-1, SHA-2, SHA-3 respectively for use.