WO2020186750A1 - Multi-evidence error correction-based lattice-based digital signature method - Google Patents
Publication number: WO2020186750A1 (PCT/CN2019/112512)
Authority: WO (WIPO, PCT)
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- Steps b)-f) can be implemented by a for loop statement.
- γ is an auxiliary parameter.
- Rec is the decoding function.
- d is a system parameter.
- The decoding algorithm Rec(·) takes as input r′ ∈ Z_q, r_0 ∈ Z_t and the system parameters params, where (r_1, r_0) ← Con(r, params) and r ∈ Z_q; the distance |a|_q is defined as min{a mod q, q − a mod q}, min{·} denoting the minimum value. The algorithm decodes r′ ∈ Z_q and r_0 ∈ Z_t based on params, and its output contains r′_1, where r′_1 ∈ Z_k and k is a system parameter; if the distance d′ between r′ and r satisfies certain restriction conditions, then r′_1 = r_1 and both parties succeed in error correction.
- The relational expression satisfied by d′ includes:
- c′ is a real number satisfying 0 < c′ < 1.
- aux_c′ includes pk and/or params and/or the public key certificate.
- The condition includes a bound in terms of two further auxiliary parameters (the symbols did not survive extraction).
- aux_sk includes a random number seed K.
- aux_y includes a counter that records the number of executions of step 6) each time a signature is produced.
- y, y′ are generated deterministically by Expand(…, K, tr, counter), where tr = CRH(…, K), CRH is a collision-resistant cryptographic hash function, and Expand is a deterministic extension function.
- b_i is derived simultaneously in the process of obtaining y, y′.
- The t_{0,i}, Δ_i, e_i required in the signing process may be calculated offline and stored before signing, in part or in whole, or stored as part of the private key aux_sk.
- Parameter table (two parameter sets):

| Parameter | Set 1 | Set 2 |
|---|---|---|
| q | 4191233 | 8380417 |
| n | 256 | 256 |
| (h, l) | (5, 4) | (5, 4) |
| (η, η′) | (2, 2) | (5, 5) |
| Public key length (bytes) | 1472 | 1472 |
| Signature length (bytes) | 2572 | 2701 |
| Repeat times | 2.41 | 3.2 |
Abstract
In the present invention, we introduce a novel mechanism called evidence-indistinguishable key consensus and construct an efficient, modular, flexible, and strongly secure signature scheme on this basis. In the design of a traditional lattice-based signature scheme, the public key is an MLWE instance t = (t1, t0) = As + e. In order to reduce the size of the public key, it is possible to use only t1 as the signature public key and to use t0 as a part of the private key, where t0 corresponds to the lower bits of t and t1 corresponds to the upper bits of t. In the present invention, during signing we simultaneously use the real t0 and several t′0 converted from t0 and used for confounding. This mechanism can greatly improve the signing efficiency and improve the security of the private key.
Description
The invention relates to a post-quantum lattice-based digital signature technology, which has important applications in ensuring the integrity of information transmission, authenticating the identity of the information sender, and preventing repudiation in transactions.

Digital signature technology is used to solve the following problem: the sender Alice signs the message M with the private key sk to obtain the signature σ. The receiver Bob uses the public key pk to verify the signature σ; if verification passes, Bob accepts that the message M was sent by Alice. The method of the invention addresses how to design a digital signature that ensures the integrity of information transmission, authenticates the identity of the information sender, and prevents repudiation in transactions.

With the rapid development of quantum computers, the development of post-quantum digital signature methods and technologies has become increasingly urgent. Among the technical routes of post-quantum cryptography, lattice-based cryptography has become one of the mainstream routes owing to its solid computational-complexity foundation and its overall performance advantages.

In the present invention, we introduce a novel mechanism called evidence-indistinguishable key consensus and construct a lattice-based, efficient, modular, flexible and strongly secure signature scheme named "Mulan". In the design of a traditional lattice-based signature scheme, the public key is an MLWE instance t = (t1, t0) = As + e. In order to reduce the size of the public key, only t1 can be used as the signature public key, and t0 can be used as a part of the private key, where t0 corresponds to the low bits of t and t1 to the high bits of t. Through analysis and experimental verification, we found that at most 1 million signatures are needed to completely recover t0 with high probability.
In the present invention, we introduce a novel evidence-indistinguishability method to protect t0. In short, when signing we use both the real t0 and a t′0 converted from t0 for confounding. Note that the signature verifier cannot distinguish (and hence verification is independent of) whether the signing process used t0 or t′0. This evidence-indistinguishability method is equivalent to introducing noise when one tries to recover t0 from the observed signatures, which in turn is equivalent to introducing additional noise into the underlying MLWE problem, so that security is enhanced without changing the parameters. As far as we know, there is no known method to recover t0 from the signatures. In other words, for recovering the private key from the public key, Dilithium provides only the single line of defense of MLWE, and hides t0 only to reduce the public key size, whereas Mulan provides two lines of defense, a "composite armor", for private key protection. More critically, this "composite armor" mechanism can also greatly improve signing efficiency. Under the same security parameters, Mulan's security is stronger than that of traditional signature methods and its signing efficiency is improved by about a factor of two.
We have done a great deal of parameter testing and engineering work to optimize and balance performance. For example, through extensive testing we found that the effect of changing different bits of t0 on the number of signing loop iterations follows a normal distribution. Under the parameters we selected, compared with the traditional lattice-based signature method our signature is shorter, signing efficiency is improved by about 1.5 times, signature verification is more efficient owing to the use of a smaller modulus q, and security against signature forgery is higher.
Summary of the invention
The sender Alice running the inventive method obtains the private key sk and the public parameters params, runs the signing algorithm Sign(params, sk, M) on the message M to obtain the signature σ = (z, c, h), and publicly transmits σ = (z, c, h) to the receiver Bob, who also runs the inventive method. Bob takes the public key pk, the message M and the signature σ = (z, c, h) on M as input and runs the verification algorithm Verify(pk, M, (z, c, h)), obtaining 1 or 0, which respectively indicate that verification passed or failed. If verification passes, Bob accepts that the message M was sent by Alice. The inventive method addresses how to design a digital signature, and has important applications in ensuring the integrity of information transmission, authenticating the identity of the information sender, and preventing repudiation in transactions.
A lattice-based digital signature method based on key consensus, where {…} denotes a set of information or values, and R, R_q denote algebraic rings with q an integer; the signature scheme consists of three algorithms: Gen, Sign(·), Verify(·).
Gen is the key generation algorithm; its input contains the security parameters and its output contains the public key pk and the private key sk. Sign(·) is the signing algorithm; its input contains the system parameters params, the private key sk and the message M ∈ {0,1}*, where {0,1}* denotes the set of 0-1 strings of any length, and its output contains (z, c, h), where z ∈ R_q^l, c ∈ R, and h satisfies an expression not reproduced here in which t is a positive integer, g_h(n, m, h, aux_h) is a function of n, m, h, aux_h, and aux_h is the (possibly empty) set of auxiliary parameters of h. The sender Alice running the inventive method obtains the private key sk and the public parameters params, runs Sign(params, sk, M) on the message M to obtain the signature σ = (z, c, h), and publicly transmits σ = (z, c, h) to the receiver Bob, who also runs the inventive method. Verify(·) is the verification algorithm; its input contains the system parameters params, the public key pk, the message M and the signature (z, c, h), and it outputs 1 or 0, indicating respectively that verification passed or failed. Bob takes pk, M and the signature σ = (z, c, h) on M as input, runs Verify(pk, M, (z, c, h)) and obtains 1 or 0, indicating respectively that verification passed or failed. If verification passes, Bob accepts that the message M was sent by Alice.
A lattice-based digital signature method based on multiple-evidence error correction, where {…} denotes a set of information or values, and R, R_q denote algebraic rings with q a positive integer;
Gen is the key generation algorithm; its input contains the security parameters and its output contains the public key pk and the private key sk. The algorithm runs as follows:
1) Obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are all positive integers and aux is a (possibly empty) set of other auxiliary system parameters;
5) Obtain t_1 as a function of t, params and the (possibly empty) set of auxiliary parameters of t_1; obtain t_{0,0} as a function of t, t_1, params and the (possibly empty) set of auxiliary parameters of t_{0,0};
6) Output the public key pk and the private key sk, where pk contains params, t_1, the information needed to generate A, and aux_pk, with aux_pk the (possibly empty) set of auxiliary parameters of the public key; sk contains the information needed to generate A, s, e, t_{0,0} and aux_sk, with aux_sk the (possibly empty) set of auxiliary parameters of the private key;
Sign(·) is the signing algorithm; its input contains the system parameters params, the public key pk, the private key sk and the message μ ∈ {0,1}*, where {0,1}* denotes the set of 0-1 strings of any length, and its output contains (z, c, h), where c ∈ R and h satisfies an expression not reproduced here in which b is a positive integer, g_h(n, m, h, aux_h) is an integer-valued function of n, m, h, aux_h, and aux_h is the (possibly empty) set of auxiliary parameters of h; the algorithm runs as follows:
2) Obtain e_0 as a function of e, params and the (possibly empty) set of auxiliary parameters of e_0;
3) Obtain t_{0,i} by applying Transform_i, a transformation function of t_{0,0}, params and the (possibly empty) set of auxiliary parameters of t_{0,i};
4) Obtain Δ_i as a function of t_{0,i}, t_{0,0}, params and the (possibly empty) set of auxiliary parameters of Δ_i;
5) Obtain e_i as a function of e_0, Δ_i, params and the (possibly empty) set of auxiliary parameters of e_i;
8) Obtain w_1 as a function of w, params and the (possibly empty) set of auxiliary parameters of w_1;
9) Obtain w′_1 as a function of w_1, params and the (possibly empty) set of auxiliary parameters of w′_1;
10) Obtain c = H(w′_1, μ, aux_c), where H is a hash function, a one-way function or a transformation function, and aux_c is the (possibly empty) set of auxiliary parameters of c;
11) Obtain z = f_z(pk, y, s, w_1, c, μ, aux_z), where f_z is a function of pk, y, s, w_1, c, μ, aux_z, and aux_z is the (possibly empty) set of auxiliary parameters of z;
12) Judge whether the condition R_z (with its possibly empty set of auxiliary parameters) holds; if it does not hold, go back to step 6) and loop until R_z holds;
13) Judge whether the condition (not reproduced here) holds, where b_i ∈ {0,1}^{p′}, p′ = p + 1, j_i is a counter, w^{(i)} ∈ R_q is the i-th component of w, and the i-th components of e_0, e_1, …, e_p are denoted analogously, i = 1, …, m; if it holds, the algorithm records the positive integer j_i and σ^{(i)} ∈ R_q; if it does not hold, go back to step 6) and loop until the condition holds;
14) Obtain σ = f_σ(σ^{(1)}, …, σ^{(m)}, params, aux_σ), where f_σ is a function of σ^{(1)}, …, σ^{(m)}, params and aux_σ, and aux_σ is the (possibly empty) set of auxiliary parameters of σ;
15) Obtain t_0 as a function of t_{0,1}, …, t_{0,p}, j_1, …, j_m, params and the (possibly empty) set of auxiliary parameters of t_0;
16) Obtain σ′ = f_σ′(c, t_0, params, aux_σ′), where f_σ′ is a function of c, t_0, params, aux_σ′, and aux_σ′ is the (possibly empty) set of auxiliary parameters of σ′;
17) Obtain h via f_h, a function of w, c, e_0, e_1, …, e_p, t_0, σ, σ′, y′, params and the (possibly empty) set of auxiliary parameters of h;
18) Judge whether the condition R_h (with its possibly empty set of auxiliary parameters) holds; if it does not hold, go back to step 6) and loop until R_h holds;
19) Output the signature (z, c, h);
Verify(·) is the verification algorithm; its input contains the system parameters params, the public key pk, the message μ and the signature (z, c, h), and it outputs 1 or 0, where 1 means verification passed and 0 means it failed; the algorithm runs as follows:
2) Obtain w_2 as a function of h, A, z, c, t_1, params and the (possibly empty) set of auxiliary parameters of w_2;
3) Obtain w′_2 as a function of w_2, params and the (possibly empty) set of auxiliary parameters of w′_2;
4) Obtain c′ = H(w′_2, μ, aux_c′), where H is a hash function, a one-way function or a transformation function, and aux_c′ is the (possibly empty) set of auxiliary parameters of c′;
5) Judge whether the condition R_v (with its possibly empty set of auxiliary parameters) holds; if it holds, output 1, otherwise output 0.
The method described above, wherein the algebraic rings R, R_q satisfy R_q = R/(qR), and the ring R is Z_q[X]/(X^n + 1), or Z_q[X]/(X^n + X^{n−1} + … + 1), or Z_q[X]/(X^n − 1), where n is a positive integer.
The method described above, wherein aux contains a (possibly empty) subset of {η, η′, ξ, ζ, γ, B, B′, ω, σ, σ′, g, q′, α, α′, p, p′}, where η, η′, ξ, ζ, γ, B, B′, ω, σ, σ′, g, p, p′ are positive integers, p + 1 = 2^{p′} or not, q′ = lcm(q, k) is the least common multiple of q and k, α = q′/q, and α′ = q′/k.
The method described above, wherein Sam is an extendable-output function, and y ~ S := Sam(x) means that, on input x, the value y is output according to the distribution S (or the uniform distribution on the set S).
The method described above, wherein ρ is a random seed, that is, a random number of fixed length.
The method described above, wherein s can follow the uniform distribution on S_η, or a discrete Gaussian distribution, where S_η denotes the set of all polynomials in the ring R whose coefficients lie in [−η, η]; e can follow the uniform distribution on S_η′, or a discrete Gaussian distribution, or e = 0.
The method described above, wherein, when each coefficient of s and of e follows the uniform distribution on [−η, η] and [−η′, η′] respectively, s and e can be generated by the extendable-output function Sam from an input seed.
The method described above, wherein the calculation of t_1 includes: t_1 = (t − t mod± 2^d)/2^d, where, for any integer a and positive integer b, a mod± b denotes the unique integer c, lying in an interval not reproduced here, such that b | (c − a), and where for any real number x, ⌊x⌋ denotes the largest integer less than or equal to x;
or t_1 = (t − t mod 2^d)/2^d, where, for any integer a and positive integer b, a mod b denotes the unique integer c in [0, b−1] such that b | (c − a).
The method described above, wherein the information required to generate A may include a random seed ρ.
The method described above, wherein aux_sk may include the public key pk.
The method described above, wherein the calculation of t_{0,0} includes: t_{0,0} = t − t_1·2^d.
The method described above, wherein the calculation of e_0 is: assign e to e_0, that is, e_0 ← e.
- Flip several bits of several components of t_{0,0};
- Set several bits of several components of t_{0,0} to 0;
- Set several bits of several components of t_{0,0} to 1;
- Flip several bits of several components of t_{0,0}, or set them to 0, or set them to 1;
- Randomly replace several bits of several components of t_{0,0};
- A combination of the above five methods.
Δ_i = t_{0,i} − t_{0,0}; or
Δ_i = t_{0,0} − t_{0,i}.
e_i = e_0 − Δ_i; or
e_i = e_0 + Δ_i.
The method described above, wherein the calculations of t_{0,i}, Δ_i, e_i are generated in a loop over the values of i.
The method described above, wherein y can follow the uniform distribution on a set determined by B, or a discrete Gaussian distribution with standard deviation σ; y′ can follow the uniform distribution on a set determined by B′, or a discrete Gaussian distribution with standard deviation σ′; where B, B′, σ, σ′ are auxiliary parameters;
The method described above, wherein y, y′ can be generated deterministically by the extendable-output function Sam from an input seed, the public key pk, aux_sk and aux_y, where aux_y is a (possibly empty) set.
The method described above, wherein the calculation of w_1 is: w_1 ← HighBits_{q,k}(w, params), where HighBits_{q,k} is a transformation function.
The method described above, wherein for r ∈ Z_q the algorithm HighBits_{q,k}(r, params) runs as follows:
compute (r_1, r_0) ← Con(r, params), where Con is an encoding algorithm;
output r_1.
If the algorithm HighBits_{q,k}(·) is given a polynomial vector w and the public parameters params as input, this means that HighBits_{q,k} is applied separately to each coefficient of w.
The method described above, wherein the input of the encoding algorithm Con(·) contains r ∈ Z_q and the public parameters params; the algorithm encodes r ∈ Z_q based on params, and its output contains (r_1, r_0), where r_1 ∈ Z_k, r_0 ∈ Z_t, k is a system parameter and t is an integer. If the algorithm Con(·) is given a polynomial vector w and the public parameters params as input, this means that Con is applied separately to each coefficient of w.
The method described above, wherein the value of the integer t in r_0 ∈ Z_t includes t = g or t = g + 1. The method of claim 21, wherein the algorithm Con(r, params) runs as follows:
compute σ_A ∈ Z_q′;
compute r_0;
compute r_1;
return (r_1, r_0).
The method as described above, wherein the calculation of σ_A includes: select a fixed element e from the set [0, α−1] or from the set [not shown in the source]; in particular, take e = 0; compute σ_A = αr + e ∈ Z_{q′}.
The method of claim 25, wherein the calculation of σ_A = αr + e ∈ Z_{q′} includes:
1) σ_A = αr + e mod q′, or
2) σ_A = αr + e mod± q′.
The method as described above, wherein [formula not shown] is a function of σ_A, α, α′, k.
The method as described above, wherein the calculation of r_0 includes:
1) compute r_0 = σ_A mod± α′, or
2) compute r_0 = σ_A mod α′, or [a third alternative not shown in the source];
where k, q are system parameters, g, α′ are auxiliary parameters, and for any real number a, [rounding symbol not shown] denotes the integer closest to a.
The method as described above, wherein the calculation of r_1 includes:
if k and q are coprime and k·r − r_0 = k·q, set r_1 = 0; otherwise compute r_1 = (k·r − r_0)/q,
where k, q are system parameters and α′ is an auxiliary parameter.
The method as described above, wherein aux_c contains pk and/or params and/or the public key certificate.
The method of claim 1, wherein the calculation of z = f_z(pk, y, s, w_1, c, μ, aux_z) includes: [formula not shown].
The method as described above, wherein the condition R_z includes: ||z||_∞ < ξ, where ξ is an auxiliary parameter; for any a ∈ R, ||a||_∞ denotes the maximum absolute value over all coefficients of the polynomial a; for any a = (a_1, …, a_b) ∈ R^b with b a positive integer, ||a||_∞ denotes the maximum of ||a_i||_∞ over 1 ≤ i ≤ b.
a) select b_i ∈ {0,1}^{p′};
b) let the counter j_i = b_i;
c), d) [steps not shown in the source];
e) judge whether the condition [not shown] holds; if it holds, record j_i, σ^(i); otherwise set j_i = b_i + 1 and return to c) until the condition holds or j_i = b_i + p + 1;
The method as described above, wherein steps b)–f) can be implemented by a for loop.
The method as described above, wherein the condition [not shown] contains: [formula not shown] and [formula not shown], where ζ is an auxiliary parameter.
The method as described above, wherein the calculation of σ = f_σ(σ^(1), …, σ^(m), params, aux_σ) includes: σ = (σ^(1), …, σ^(m)).
The method as described above, wherein the calculation of σ′ = f_σ′(c, t_0, params, aux_σ′) includes:
1) σ′ = c·t_0;
2) σ′ = −c·t_0.
1) h = MakeHint(−σ′, σ + σ′, params), where MakeHint is a conversion function; or
2) h = MakeHint(σ′, σ − σ′, params), or
3) h = MakeGHint(−σ′, σ + σ′, params), or
4) h = MakeGHint(σ′, σ − σ′, params).
The method as described above, wherein for z ∈ Z_q, r ∈ Z_q the algorithm MakeHint(z, r, params) is computed as follows:
1) r_1 = HighBits_{q,k}(r, params);
2) v_1 = HighBits_{q,k}(r + z, params);
3) if r_1 = v_1, return 0; otherwise return 1.
If the algorithm MakeHint(·) takes as input z′, [polynomial vector not shown] and the public parameters params, where a is a positive integer, this means the MakeHint algorithm is applied separately to each pair of corresponding coefficients of the polynomial vectors z′ and [not shown].
The method of claim 41, wherein for z ∈ Z_q, r ∈ Z_q the algorithm MakeGHint(z, r, params) is computed as follows:
1) r_1 = HighBits_{q,k}(r, params);
2) v_1 = HighBits_{q,k}(r + z, params);
3) return h = (v_1 − r_1) mod± k or h = (v_1 − r_1) mod k.
If the algorithm MakeGHint(·) takes as input z′, [polynomial vector not shown] and the public parameters params, where a is a positive integer, this means the MakeGHint algorithm is applied separately to each pair of corresponding coefficients of the polynomial vectors z′ and [not shown].
The method as described above, wherein the condition R_h includes: ||σ′||_∞ < γ and #h ≤ ω, where γ is an auxiliary parameter; for h ∈ {0,1}^a with a a positive integer, #h denotes the number of coefficients equal to 1 in the polynomial vector h.
The method as described above, wherein the calculation of [formula not shown] includes: [formula not shown], where d is a system parameter.
The method of claim 45, wherein the decoding algorithm Rec(·) takes as input r′ ∈ Z_q, r_0 ∈ Z_t and the system parameters params, where (r_1, r_0) ← Con(r, params), r ∈ Z_q, |r′ − r|_q ≤ d′, and d′ is an integer; for any integer a, |a|_q is defined as min{a mod q, q − a mod q}, min{·} denoting the minimum; the algorithm decodes r′ ∈ Z_q, r_0 ∈ Z_t based on params, and its output contains r′_1, where r′_1 ∈ Z_k and k is a system parameter; if the distance d′ between r′ and r satisfies certain constraints, then r′_1 = r_1 and the error correction on both sides succeeds.
The method as described above, wherein the calculation of Rec(r′, r_0, params) includes: [formula not shown].
The method as described above, wherein the relation satisfied by d′ includes:
1) (2d′ + 1)k < q(1 − 1/g), or
2) (2d′ + 2)k < q(1 − 1/g), or
3) (2d′ + 1)k < q(1 − 2τ/g), where τ = max{|c|, |1 − c|}, |a| denotes the absolute value of any real number a, and max{·} denotes the maximum, or
4) (d′ + 1)k < q(1/2 − τ/g), or
5) 2kd′ < q, or
6) 2k(d′ + 1) < q.
The method as described above, wherein c′ is a real number satisfying 0 ≤ c′ ≤ 1.
The method as described above, wherein for h ∈ {0,1}, r ∈ Z_q the algorithm UseHint(h, r, params) is computed as follows:
1) (r_1, r_0) = Con(r, params);
2) if h = 1 and r_0 > 0, return (r_1 + 1) mod k; if h = 1 and r_0 < 0, return (r_1 − 1) mod k; otherwise, if h = 0, return r_1.
The method as described above, wherein for h ∈ {0,1}, r ∈ Z_q the algorithm UseGHint(h, r, params) is computed as follows:
1) r_1 = HighBits(r, params);
2) return (r_1 + h) mod k.
The method as described above, wherein aux_c′ contains pk and/or params and/or the public key certificate.
The method of claim 1, wherein the condition [not shown] includes:
1) c = c′ and ||z||_∞ < ξ, or
2) c = c′ and ||z||_∞ < ξ and #h ≤ ω;
where ξ, ω are auxiliary parameters.
The method as described above (the method of claim 18), wherein aux_sk contains a random seed K and aux_y contains a counter used to record, for each signature, the counter-th execution of step 6).
The method as described above, wherein y, y′ are generated deterministically by Expand(ρ, K, tr, counter), where tr = CRH(ρ, K), CRH is a collision-resistant cryptographic hash function, and Expand is a deterministic expansion function.
The method as described above, wherein b_i ← {0,1}^{p′} is chosen at random, or b_i is set to a fixed value in {0,1}^{p′}, or b_i is derived deterministically from {pk, ρ, K, tr, aux_sk, aux_y}.
The method as described above, wherein b_i is derived at the same time as y, y′ are obtained.
The method as described above, wherein the t_{0,i}, Δ_i, e_i required during signing may be computed offline and stored before signing, or some or all of them may be placed in aux_sk as part of the private key.
In practical applications of the inventive method, p = 1 or p = 3 is recommended. If p = 1, the Transform function is recommended to flip or randomly replace one middle bit of each dimension of t_{0,0}; if p = 3, the three middle bits of each dimension of t_{0,0} are flipped or randomly replaced (or bit flipping and random replacement are used together). When p = 1 or 3, for a post-quantum security level of roughly 128 bits, the recommended concrete parameters are as follows:
| Parameter | Parameter set-1 | Parameter set-2 |
|---|---|---|
| q | 4191233 | 8380417 |
| n | 256 | 256 |
| (h, l) | (5, 4) | (5, 4) |
| (η, η′) | (2, 2) | (5, 5) |
| Public key length (bytes) | 1472 | 1472 |
| Signature length (bytes) | 2572 | 2701 |
| Repeat count | 2.41 | 3.2 |
For the concrete parameters above, when p = 1 the Transform function is recommended to flip or randomly replace the 5th lowest bit of each dimension of t_{0,0}; if p = 3, the three low-order bits in positions 5, 6 and 7 of each dimension of t_{0,0} are flipped or randomly replaced (or a combination of the two).
Taking p = 1, the concrete implementations of Gen, Sign(·), Verify(·), Con(·) and HighBits(·) are described below. They extend straightforwardly to the case p = 3.
Gen:
1) Obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are integers and aux is a possibly empty set of other auxiliary system parameters;
2) ρ ← {0,1}^256;
3)–5) [steps not shown in the source];
6) t_1 = (t − t mod± 2^d)/2^d;
7) t_{0,0} = t − t_1·2^d;
8) K ← {0,1}^256;
9) tr = CRH(ρ || t_1) ∈ {0,1}^384, where || denotes string concatenation;
10) Output pk = (ρ, t_1, params, aux_pk), sk = (s, e, t_{0,0}, aux_sk = {K, tr}, ρ);
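As an added worked example (not code from the patent), the following Python carries out steps 6) and 7) of Gen for single coefficients, checks that t = t_1·2^d + t_{0,0} with t_{0,0} in (−2^{d−1}, 2^{d−1}], and applies the p = 1 Transform recommended above, flipping the 5th lowest bit of each coefficient of t_{0,0}. d = 13 is a constructed value (the page does not state d), and treating a negative coefficient as its d-bit two's-complement pattern before flipping is this example's own assumption, not something the page specifies.

```python
# Added example (not code from the patent): Gen steps 6) and 7) for one
# coefficient, t_1 = (t - t mod± 2^d)/2^d and t_{0,0} = t - t_1*2^d, plus
# the p = 1 Transform that flips the 5th lowest bit of each t_{0,0} coefficient.
# d = 13 is a constructed value; the page does not give d.
D = 13
BIT_INDEX = 4   # "5th lowest bit" counted from 1 -> 0-based index 4


def mod_pm(a, b):
    """a mod± b: the unique representative of a in (-b/2, b/2]."""
    c = a % b
    return c - b if c > b // 2 else c


def power2round(t, d=D):
    """Return (t_1, t_{0,0}) with t = t_1 * 2^d + t_{0,0}
    and t_{0,0} in (-2^(d-1), 2^(d-1)]."""
    t00 = mod_pm(t, 1 << d)
    t1 = (t - t00) >> d        # exact: t - t00 is a multiple of 2^d
    return t1, t00


def transform_flip(t00, d=D, bit=BIT_INDEX):
    """Transform_1 for p = 1: flip one bit of a t_{0,0} coefficient.
    Assumption of this example: flip on the d-bit unsigned (two's-complement)
    pattern of the coefficient, then map back to (-2^(d-1), 2^(d-1)] with mod±.
    Applying it twice restores the original coefficient."""
    pattern = t00 % (1 << d)
    return mod_pm(pattern ^ (1 << bit), 1 << d)


def split_vector(tv, d=D):
    """Apply power2round coefficient-wise to a list of coefficients."""
    pairs = [power2round(t, d) for t in tv]
    return [p[0] for p in pairs], [p[1] for p in pairs]


def recombine(t1v, t00v, d=D):
    """Inverse of split_vector: t = t_1 * 2^d + t_{0,0} per coefficient."""
    return [(a << d) + b for a, b in zip(t1v, t00v)]


if __name__ == "__main__":
    # constructed sample coefficients, including the 2^(d-1) boundary cases
    sample = [0, 1, 4096, 4097, 8191, 8192, 123456]
    t1v, t00v = split_vector(sample)
    assert recombine(t1v, t00v) == sample
    t00_transformed = [transform_flip(c) for c in t00v]
    assert [transform_flip(c) for c in t00_transformed] == t00v
    print("t_1:", t1v, "t_{0,0}:", t00v, "Transform_1(t_{0,0}):", t00_transformed)
```

The public key carries only t_1, so a verifier never sees t_{0,0}; the Transform produces the perturbed copies t_{0,i} that the signing loop in claim 1 works with, and the example only shows the bit-level operation, not how the signer selects among them.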
Sign(params, pk, sk, μ)-1: [steps not shown in the source]
Sign(params, sk, μ)-2: [steps not shown in the source]
Verify(pk, μ, (z, c, h)):
1) [step not shown in the source];
2) w_2 = UseHint(h, Az − c·t_1·2^d, params);
3) [step not shown in the source];
4) c′ = H(ρ, t_1, w′_2, μ);
5) If c = c′ and ||z||_∞ < ξ and the number of 1s in h is ≤ ω, output 1; otherwise output 0;
Con(r, params):
1) r_0 = k·r mod± q;
2) if k·r − r_0 = k·q, set r_1 = 0; otherwise compute r_1 = (k·r − r_0)/q;
3) return (r_1, r_0).
HighBits(r, params):
1) (r_1, r_0) ← Con(r, params);
2) return r_1.
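As an added worked example (not code from the patent), the following Python implements the p = 1 versions of Con and HighBits just given, together with MakeHint, UseHint, MakeGHint and UseGHint as described earlier on this page, for a single coefficient in Z_q, and checks the property the verifier relies on: from the hint and its own approximation r of w it recovers HighBits(r + z). q = 8380417 is the modulus of parameter set 2 in the table above; k = 16, the sample inputs and the bound |z| < q/(2k) used in the one-bit-hint check are this example's own assumptions, not values stated on the page.

```python
# Added example (not code from the patent): Con/HighBits for p = 1, where
# r_0 = k*r mod± q, plus the hint functions, over single coefficients.
# q = 8380417 is parameter set 2 on the page; k = 16 is a constructed value.
import random

Q = 8380417   # system parameter q (parameter set 2 on this page)
K = 16        # system parameter k: constructed, the page does not give it


def mod_pm(a, b):
    """a mod± b: the unique representative of a in (-b/2, b/2]."""
    c = a % b
    return c - b if c > b // 2 else c


def con(r, q=Q, k=K):
    """Con(r, params): r_0 = k*r mod± q, r_1 = (k*r - r_0)/q, with the
    wrap-around case k*r - r_0 = k*q mapped to r_1 = 0 so that r_1 is in Z_k."""
    r %= q
    r0 = mod_pm(k * r, q)
    r1 = (k * r - r0) // q        # exact: k*r - r_0 is a multiple of q
    return (0 if r1 == k else r1), r0


def high_bits(r, q=Q, k=K):
    return con(r, q, k)[0]


def make_hint(z, r, q=Q, k=K):
    """One-bit hint: did HighBits change when z was added to r?"""
    return 0 if high_bits(r, q, k) == high_bits((r + z) % q, q, k) else 1


def use_hint(h, r, q=Q, k=K):
    """Recover HighBits(r + z) from the hint and r alone; the sign of r_0
    says whether the high part can only have moved up or only down."""
    r1, r0 = con(r, q, k)
    if h == 1 and r0 > 0:
        return (r1 + 1) % k
    if h == 1 and r0 < 0:
        return (r1 - 1) % k
    return r1


def make_ghint(z, r, q=Q, k=K):
    """Generalised hint: the signed step (v_1 - r_1) mod± k."""
    return mod_pm(high_bits((r + z) % q, q, k) - high_bits(r, q, k), k)


def use_ghint(h, r, q=Q, k=K):
    return (high_bits(r, q, k) + h) % k


def con_consistent(r, q=Q, k=K):
    """Invariant behind Con: q*r_1 + r_0 == k*r (mod q*k)."""
    r1, r0 = con(r, q, k)
    return (q * r1 + r0) % (q * k) == (k * r) % (q * k)


def hint_roundtrip_ok(trials=2000, seed=1):
    """UseHint(MakeHint(z, r), r) == HighBits(r + z) holds when |z| < q/(2k)
    (assumption of this example: one bit can only say 'moved one step').
    UseGHint/MakeGHint carry the step itself and need no bound on z."""
    rng = random.Random(seed)
    bound = Q // (2 * K)
    for _ in range(trials):
        r = rng.randrange(Q)
        z = rng.randrange(-bound + 1, bound)
        if use_hint(make_hint(z, r), r) != high_bits((r + z) % Q):
            return False
        z_big = rng.randrange(-(Q // 2), Q // 2)
        if use_ghint(make_ghint(z_big, r), r) != high_bits((r + z_big) % Q):
            return False
    return True


def hint_vec(zv, rv, q=Q, k=K):
    """Coefficient-wise MakeHint over two equal-length coefficient lists;
    returns the hint list and #h (number of 1s), the quantity bounded by ω."""
    h = [make_hint(z, r, q, k) for z, r in zip(zv, rv)]
    return h, sum(h)


if __name__ == "__main__":
    assert con_consistent(12345) and hint_roundtrip_ok()
    print("Con/HighBits/hint checks passed; HighBits(12345) =", high_bits(12345))
```

Con here is the instance of the general Con(·) with e = 0 and gcd(q, k) = 1: then q′ = qk, α = k, α′ = q, and r_0 = σ_A mod± α′ becomes k·r mod± q, so HighBits is essentially round(k·r/q) mod k. The one-bit hint only works when the high part moves by at most one step in the direction the sign of r_0 predicts, which is the role of the ||σ′||_∞ < γ bound in condition R_h; the generalised hint carries the signed step itself and therefore never fails, at the cost of a hint value in Z_k instead of a bit.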
Claims (60)
- A lattice-based digital signature method based on multi-evidence error correction; where {…} denotes a set of information or values; R, R_q denote algebraic rings, where q is a positive integer;
Gen is the key generation algorithm; its input contains the security parameter and its output contains the public key pk and the private key sk; the algorithm runs as follows:
1) obtain the system parameters params = {q, k, d, n, m, l, aux}, where q, k, d, n, m, l are positive integers and aux is a possibly empty set of other auxiliary system parameters;
2)–4) [steps not shown in the source];
5) obtain [formula not shown], where [not shown] is a function of t, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of t_1; obtain [formula not shown], where [not shown] is a function of t, t_1, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of t_{0,0};
6) output the public key pk and the private key sk; the public key pk contains params, t_1, the information needed to generate A, and aux_pk, where aux_pk is a possibly empty set of auxiliary parameters of the public key; the private key sk contains the information needed to generate A, s, e, t_{0,0} and aux_sk, where aux_sk is a possibly empty set of auxiliary parameters of the private key;
Sign(·) is the signing algorithm; its input contains the system parameters params, the public key pk, the private key sk and the message μ ∈ {0,1}^*, where {0,1}^* denotes the set of 0-1 strings of arbitrary length; its output contains (z, c, h), where [formula not shown], b is a positive integer, gh(n, m, h, aux_h) is an integer-valued function of n, m, h, aux_h, and aux_h is a possibly empty set of auxiliary parameters of h; the algorithm runs as follows:
1) [step not shown in the source];
2) obtain [formula not shown], where [not shown] is a function of e, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of e_0;
3) obtain t_{0,i} = Transform_i([arguments not shown]), i = 1, …, p, where Transform_i is a conversion function of t_{0,0}, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of t_{0,i};
4) obtain [formula not shown], i = 1, …, p, where [not shown] is a function of t_{0,i}, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of Δ_i;
5) obtain [formula not shown], i = 1, …, p, where [not shown] is a function of [not shown], and [not shown] is a possibly empty set of auxiliary parameters of e_i;
6), 7) [steps not shown in the source];
8) obtain [formula not shown], where [not shown] is a function of w, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of w_1;
9) obtain [formula not shown], where [not shown] is a function of w_1, params, [not shown], and [not shown] is a possibly empty set of auxiliary parameters of w′_1;
10) obtain c = H(w′_1, μ, aux_c), where H is a hash function, a one-way function or a conversion function, and aux_c is a possibly empty set of auxiliary parameters of c;
11) obtain z = f_z(pk, y, s, w_1, c, μ, aux_z), where f_z is a function of pk, y, s, w_1, c, μ, aux_z, and aux_z is a possibly empty set of auxiliary parameters of z;
12) judge whether the condition R_z [not shown] holds, where [not shown] is a possibly empty set of auxiliary parameters of R_z; if it does not hold, return to step 8) and loop until R_z holds;
13) judge whether the condition [not shown] holds, where b_i ∈ {0,1}^{p′}, p′ = p + 1, j_i is a counter, w^(i) ∈ R_q is the i-th dimension of w, and [not shown] denote the i-th dimensions of e_0, e_1, …, e_p respectively, i = 1, …, m; if it holds, the algorithm has recorded the positive integer j_i and σ^(i) ∈ R_q; if it does not hold, return to step 8) and loop until it holds;
14) obtain σ = f_σ(σ^(1), …, σ^(m), params, aux_σ), where f_σ is a function of σ^(1), …, σ^(m), [not shown], and aux_σ is a possibly empty set of auxiliary parameters of σ;
15) obtain [formula not shown], where [not shown] is a function of [not shown], and [not shown] is a possibly empty set of auxiliary parameters of t_0;
16) obtain σ′ = f_σ′(c, t_0, params, aux_σ′), where f_σ′ is a function of c, t_0, params, aux_σ′, and aux_σ′ is a possibly empty set of auxiliary parameters of σ′;
17) obtain [formula not shown], where f_h is a function of [not shown], and [not shown] is a possibly empty set of auxiliary parameters of h;
18) judge whether the condition R_h [not shown] holds, where [not shown] is a possibly empty set of auxiliary parameters of R_h; if it does not hold, return to step 6) and loop until R_h holds;
19) output the signature (z, c, h);
Verify(·) is the verification algorithm; its input contains the system parameters params, the public key pk, the message μ and the signature (z, c, h); it outputs 1 or 0, where 1 means verification passed and 0 means it failed; the algorithm runs as follows:
1) [step not shown in the source];
2) obtain [formula not shown], where [not shown] is a function of [not shown], and [not shown] is a possibly empty set of auxiliary parameters of w_2;
3) obtain [formula not shown], where [not shown] is a function of [not shown], and [not shown] is a possibly empty set of auxiliary parameters of w′_2;
4) obtain c′ = H(w′_2, μ, aux_c′), where H is a hash function, a one-way function or a conversion function, and aux_c′ is a possibly empty set of auxiliary parameters of c′;
5) [step not shown in the source].
- The method of claim 1, wherein the algebraic rings R, R_q satisfy R_q = R/(qR), where the ring R is Z_q[X]/(X^n + 1), or Z_q[X]/(X^n + X^{n−1} + … + 1), or Z_q[X]/(X^n − 1), where n is a positive integer.
- The method of claim 1, wherein aux contains a possibly empty subset of {η, η′, ξ, ζ, γ, B, B′, ω, σ, σ′, g, q′, α, α′, p, p′}, where η, η′, ξ, ζ, γ, B, B′, ω, σ, σ′, g, p, p′ are positive integers, p + 1 = 2^{p′} or not, q′ = lcm(q, k) is the least common multiple of q and k, α = q′/q, and α′ = q′/k.
- The method of claim 4, wherein Sam is an extended output function, and y ~ S := Sam(x) denotes that with input x the value y is output according to the distribution S (or the uniform distribution on the set S).
- The method of claim 4, wherein ρ is a random seed, that is, a random number of fixed length.
- The method of claim 1, wherein s may follow the uniform distribution on [set not shown in the source] or a discrete Gaussian distribution, where S_η denotes the set of all polynomials in the ring R whose coefficients lie in [−η, η]; e may follow the uniform distribution on [set not shown in the source], or a discrete Gaussian distribution, or e = 0.
- The method of claim 1, wherein when each coefficient of s and e follows the uniform distribution on [−η, η] and [−η′, η′] respectively, s and e can be generated by the extended output function Sam from a seed.
- 1) t_1 = (t − t mod± 2^d)/2^d, where for any integer a and positive integer b, a mod± b denotes the unique integer c lying in [interval not shown in the source] such that b | c − a, and for any real number x, [floor symbol not shown] denotes the largest integer less than or equal to x;
2) t_1 = (t − t mod 2^d)/2^d, where for any integer a and positive integer b, a mod b denotes the unique integer c lying in [0, b − 1] such that b | c − a.
- The method of claim 1, wherein the information required to generate A may include the random seed ρ.
- The method of claim 1, wherein aux_sk may contain the public key pk or t_1.
- 1) flip several bits in several dimensions of t_{0,0};
2) set several bits in several dimensions of t_{0,0} to 0;
3) set several bits in several dimensions of t_{0,0} to 1;
4) flip several bits in several dimensions of t_{0,0}, or set them to 0, or set them to 1;
5) randomly replace several bits in several dimensions of t_{0,0};
6) a combination of the five methods above.
- The method of claim 1, wherein t_{0,i}, Δ_i, e_i are computed in a loop over the values of i.
- The method of claim 1, wherein y may follow the uniform distribution on [set not shown in the source] or the discrete Gaussian distribution with standard deviation σ; y′ may follow the uniform distribution on [set not shown in the source] or the discrete Gaussian distribution with standard deviation σ′; where B, B′, σ, σ′ are auxiliary parameters.
- The method of claim 18, wherein y, y′ can be generated deterministically by the extended output function Sam from a non-empty subset of {the seed, the public key pk, aux_sk, aux_y}, where aux_y is a possibly empty set.
- The method of claim 20, wherein for r ∈ Z_q the algorithm HighBits_{q,k}(r, params) runs as follows:
1) compute (r_1, r_0) ← Con(r, params), where Con is an encoding algorithm;
2) output r_1.
- The method of claim 21, wherein the input of the encoding algorithm Con(·) contains r ∈ Z_q and the public parameters params; the algorithm encodes r ∈ Z_q based on params, and its output contains (r_1, r_0), where r_1 ∈ Z_k, r_0 ∈ Z_t, k is a system parameter and t is an integer; if the algorithm Con(·) takes as input [polynomial vector not shown] and the public parameters params, this means the Con algorithm is applied separately to each coefficient of the polynomial vector w.
- The method of claim 22, wherein the value of the integer t in r_0 ∈ Z_t includes: t = g or t = g + 1.
- The method of claim 21, wherein the algorithm Con(r, params) runs as follows:
1) compute σ_A ∈ Z_{q′};
2) compute r_0;
3) compute r_1;
4) return (r_1, r_0).
- The method of claim 25, wherein the calculation of σ_A = αr + e ∈ Z_{q′} includes:
1) σ_A = αr + e mod q′, or
2) σ_A = αr + e mod± q′.
- The method of claim 27, wherein the calculation of r_0 includes:
1) compute r_0 = σ_A mod± α′, or
2) compute r_0 = σ_A mod α′, or [a third alternative not shown in the source].
- The method of claim 27, wherein the calculation of r_1 includes:
3) if k and q are coprime and k·r − r_0 = k·q, set r_1 = 0; otherwise compute r_1 = (k·r − r_0)/q, where k, q are system parameters and α′ is an auxiliary parameter.
- The method of claim 1, wherein aux_c contains all or part of the information of pk and/or params and/or the public key certificate.
- The method of claim 1, wherein the condition R_z includes: ||z||_∞ < ξ, where ξ is an auxiliary parameter; for any a ∈ R, ||a||_∞ denotes the maximum absolute value over all coefficients of the polynomial a; for any a = (a_1, …, a_b) ∈ R^b with b a positive integer, ||a||_∞ denotes the maximum of ||a_i||_∞ over 1 ≤ i ≤ b.
- a) select b_i ∈ {0,1}^{p′};
b) let the counter j_i = b_i;
c), d) [steps not shown in the source];
e) judge whether the condition [not shown] holds; if it holds, record j_i, σ^(i); otherwise set j_i = b_i + 1 and return to c) until the condition holds or j_i = b_i + p + 1;
- The method of claim 34, wherein steps b)–f) can be implemented by a for loop.
- The method of claim 1, wherein the calculation of σ = f_σ(σ^(1), …, σ^(m), params, aux_σ) includes: σ = (σ^(1), …, σ^(m)).
- The method of claim 1, wherein the calculation of σ′ = f_σ′(c, t_0, params, aux_σ′) includes:
1) σ′ = c·t_0;
2) σ′ = −c·t_0.
- 1) h = MakeHint(−σ′, σ + σ′, params), where MakeHint is a conversion function; or
2) h = MakeHint(σ′, σ − σ′, params), or
3) h = MakeGHint(−σ′, σ + σ′, params), or
4) h = MakeGHint(σ′, σ − σ′, params).
- The method of claim 41, wherein for z ∈ Z_q, r ∈ Z_q the algorithm MakeHint(z, r, params) is computed as follows:
1) r_1 = HighBits_{q,k}(r, params);
2) v_1 = HighBits_{q,k}(r + z, params);
3) if r_1 = v_1, return 0; otherwise return 1.
If the algorithm MakeHint(·) takes as input z′, [polynomial vector not shown] and the public parameters params, where a is a positive integer, this means the MakeHint algorithm is applied separately to each pair of corresponding coefficients of the polynomial vectors z′ and [not shown].
- The method of claim 41, wherein for z ∈ Z_q, r ∈ Z_q the algorithm MakeGHint(z, r, params) is computed as follows:
1) r_1 = HighBits_{q,k}(r, params);
2) v_1 = HighBits_{q,k}(r + z, params);
3) return h = (v_1 − r_1) mod± k or h = (v_1 − r_1) mod k.
If the algorithm MakeGHint(·) takes as input z′, [polynomial vector not shown] and the public parameters params, where a is a positive integer, this means the MakeGHint algorithm is applied separately to each pair of corresponding coefficients of the polynomial vectors z′ and [not shown].
- The method of claim 1, wherein the condition R_h includes: ||σ′||_∞ < γ and #h ≤ ω, where γ is an auxiliary parameter; for h ∈ {0,1}^a with a a positive integer, #h denotes the number of coefficients equal to 1 in the polynomial vector h.
- The method of claim 45, wherein the decoding algorithm Rec(·) takes as input r′ ∈ Z_q, r_0 ∈ Z_t and the system parameters params, where (r_1, r_0) ← Con(r, params), r ∈ Z_q, |r′ − r|_q ≤ d′, and d′ is an integer; for any integer a, |a|_q is defined as min{a mod q, q − a mod q}, min{·} denoting the minimum; the algorithm decodes r′ ∈ Z_q, r_0 ∈ Z_t based on params, and its output contains r′_1, where r′_1 ∈ Z_k and k is a system parameter; if the distance d′ between r′ and r satisfies certain constraints, then r′_1 = r_1 and the error correction on both sides succeeds.
- The method of claim 47, wherein the relation satisfied by d′ includes:
1) (2d′ + 1)k < q(1 − 1/g), or
2) (2d′ + 2)k < q(1 − 1/g), or
3) (2d′ + 1)k < q(1 − 2τ/g), where τ = max{|c|, |1 − c|}, |a| denotes the absolute value of any real number a, and max{·} denotes the maximum, or
4) (d′ + 1)k < q(1/2 − τ/g), or
5) 2kd′ < q, or
6) 2k(d′ + 1) < q.
- The method of claim 48, wherein c′ is a real number satisfying 0 ≤ c′ ≤ 1.
- The method of claim 45, wherein for h ∈ {0,1}, r ∈ Z_q the algorithm UseHint(h, r, params) is computed as follows:
1) (r_1, r_0) = Con(r, params);
2) if h = 1 and r_0 > 0, return (r_1 + 1) mod k; if h = 1 and r_0 < 0, return (r_1 − 1) mod k; otherwise, if h = 0, return r_1.
- The method of claim 45, wherein for h ∈ {0,1}, r ∈ Z_q the algorithm UseGHint(h, r, params) is computed as follows:
1) r_1 = HighBits(r, params);
2) return (r_1 + h) mod k.
- The method of claim 1, wherein aux_c′ contains pk and/or params and/or the public key certificate.
- The method of claim 19, wherein aux_sk contains a random seed K and aux_y contains a counter used to record, for each signature, the counter-th execution of step 6).
- The method of claim 56, wherein y, y′ are generated deterministically by Expand(ρ, K, tr, counter), where tr = CRH(ρ, K), CRH is a collision-resistant cryptographic hash function, and Expand is a deterministic expansion function.
- The method of claim 34, wherein b_i ← {0,1}^{p′} is chosen at random, or b_i is set to a fixed value in {0,1}^{p′}, or b_i is derived deterministically from {pk, ρ, K, tr, aux_sk, aux_y}.
- The method of claim 58, wherein b_i is derived at the same time as y, y′ are obtained.
- The method of claim 1, wherein the t_{0,i}, Δ_i, e_i required during signing may be computed offline and stored before signing, or some or all of them may be placed in aux_sk as part of the private key.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910203000.4 | 2019-03-18 | ||
CN201910203000.4A CN109936458B (en) | 2019-03-18 | 2019-03-18 | Lattice-based digital signature method based on multiple evidence error correction |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020186750A1 true WO2020186750A1 (en) | 2020-09-24 |
Family
ID=66987344
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/112512 WO2020186750A1 (en) | 2019-03-18 | 2019-10-22 | Multi-evidence error correction-based lattice-based digital signature method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109936458B (en) |
WO (1) | WO2020186750A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112217629A (en) * | 2020-10-13 | 2021-01-12 | 安徽大学 | Cloud storage public auditing method |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109936458B (en) * | 2019-03-18 | 2022-04-26 | 上海扈民区块链科技有限公司 | Lattice-based digital signature method based on multiple evidence error correction |
CN112910649A (en) * | 2019-12-04 | 2021-06-04 | 深圳奥联信息安全技术有限公司 | Dilithium algorithm implementation method and device |
CN113037484B (en) * | 2021-05-19 | 2021-08-24 | 银联商务股份有限公司 | Data transmission method, device, terminal, server and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103608829A (en) * | 2011-01-18 | 2014-02-26 | 舍德Ip有限责任公司 | System and method for computerized negotiations based on coded integrity |
WO2015030553A1 (en) * | 2013-08-30 | 2015-03-05 | 고려대학교 산학협력단 | Lattice-based certificateless signature system and method |
CN105791321A (en) * | 2016-05-03 | 2016-07-20 | 西南石油大学 | Cloud storage data common auditing method possessing secret key leakage resistance characteristic |
CN108989031A (en) * | 2018-07-27 | 2018-12-11 | 上海扈民区块链科技有限公司 | A kind of more bit error correction coding-decoding methods |
CN109936458A (en) * | 2019-03-18 | 2019-06-25 | 上海扈民区块链科技有限公司 | A kind of lattice digital signature method based on multiple evidence error correction |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7237116B1 (en) * | 2000-01-19 | 2007-06-26 | International Business Machines Corporation | Digital signature system and method based on hard lattice problem |
CN101997683B (en) * | 2009-08-10 | 2012-07-04 | 北京多思科技发展有限公司 | Method and device for authenticating zero knowledge proof |
KR20120071884A (en) * | 2010-12-23 | 2012-07-03 | 한국전자통신연구원 | Ring signature method based on lattices |
CN102833265B (en) * | 2012-09-13 | 2015-01-07 | 北京航空航天大学 | Network theory based signature scheme and secure linear network encoding method thereof |
CN103986576A (en) * | 2014-04-18 | 2014-08-13 | 深圳大学 | Proxy signature method and system based on lattice |
CN104009847A (en) * | 2014-05-14 | 2014-08-27 | 国家电网公司 | Big data storage integrity verification method based on lattices |
CN107592203A (en) * | 2017-09-25 | 2018-01-16 | 深圳技术大学筹备办公室 | A kind of aggregate signature method and its system based on lattice |
CN107947944B (en) * | 2017-12-08 | 2020-10-30 | 安徽大学 | Incremental signature method based on lattice |
2019
- 2019-03-18 CN CN201910203000.4A patent/CN109936458B/en active Active
- 2019-10-22 WO PCT/CN2019/112512 patent/WO2020186750A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN109936458A (en) | 2019-06-25 |
CN109936458B (en) | 2022-04-26 |
Similar Documents
Publication | Title |
---|---|
WO2020186750A1 (en) | Multi-evidence error correction-based lattice-based digital signature method |
CN110971405B (en) | SM2 signing and decrypting method and system with cooperation of multiple parties |
Wei et al. | SecCloud: Bridging secure storage and computation in cloud |
JPWO2005071881A1 (en) | Mix net system |
CN113111373B (en) | Random number generation method of VBFT (visual basic FT) consensus mechanism and consensus mechanism system |
CN114157427B (en) | SM2 digital signature-based threshold signature method |
US20120294442A1 (en) | Joint encryption of data |
CN110086599B (en) | Hash calculation method and signcryption method based on homomorphic chameleon Hash function |
CN109818752B (en) | Credit score generation method and device, computer equipment and storage medium |
US20230224147A1 (en) | Generating shared private keys |
CN115804059A (en) | Generating secret shares |
US20230319103A1 (en) | Identifying denial-of-service attacks |
Zhang et al. | Simpler efficient group signature scheme with verifier-local revocation from lattices |
US20230163977A1 (en) | Digital signatures |
US20240121109A1 (en) | Digital signatures |
Kim et al. | Remark on Shao et al.'s Bidirectional Proxy Re-signature Scheme in Indocrypt'07. |
KR20240045231A (en) | Creation of digitally signed shares |
WO2023072502A1 (en) | Generating shared keys |
JP5227816B2 (en) | Anonymous signature generation device, anonymous signature verification device, anonymous signature tracking determination device, anonymous signature system with tracking function, method and program thereof |
Tamil Selvi et al. | Post‐Quantum Cryptosystems for Blockchain |
CN106357379B (en) | Health data polymerization based on difference privacy |
You et al. | Secure two-party computation approach for ntruencrypt |
CN114520728B (en) | Distributed anonymous marking method and system |
US11856095B2 (en) | Apparatus and methods for validating user data by using cryptography |
CN113055392B (en) | Block chain-based unified identity authentication method |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19919763 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 19919763 Country of ref document: EP Kind code of ref document: A1 |