WO2023207523A1 - Quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus - Google Patents


Info

Publication number
WO2023207523A1
Authority
WO
WIPO (PCT)
Prior art keywords
vector
signature
hash value
modulus
message
Application number
PCT/CN2023/085862
Other languages
French (fr)
Chinese (zh)
Inventor
谢天元
李民
杨仲凯
Original Assignee
华为技术有限公司

Classifications

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Message authentication using cryptographic hash functions
    • H04L9/3247 Message authentication involving digital signatures
    • H04L9/3257 Message authentication involving digital signatures using blind signatures

Definitions

  • This application relates to the field of computer technology, and in particular to quantum-resistant blind signature methods, user equipment, signature devices and signature verification devices.
  • A blind signature is a digital signature produced without the signer seeing the message it signs.
  • Blind signatures have the properties of blindness and untraceability, which protect the content of the signed message and prevent the signer from linking a final signature to the signing session that produced it.
  • An existing blind signature method runs roughly as follows: the user device sends a signature request to the signing device, and the signing device returns a signature response.
  • The user device blinds the message and sends the blinded message to the signing device.
  • The signing device signs the blinded message with its private key and sends the result to the user device.
  • The user device unblinds the returned signature to obtain the final signature.
  • The user device sends the message to be processed and the final signature to the verification device, which verifies them.
  • The above blind signature method is constructed on number-theoretic hard problems such as integer factorization, and its security rests on the assumption that such problems cannot be solved in polynomial time.
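The four-step flow above, as an added example that is not code from the page or the applicant: Chaum's RSA blind signature is used as the representative factoring-based scheme, the key is built from two fixed toy primes, and the function names are this example's own. The signing device computes an ordinary RSA signature on a value it cannot relate to the message, and the user removes the blinding factor afterwards.

```python
"""Chaum-style RSA blind signature: blind, sign, unblind, verify (added toy example, not the page's code)."""
import hashlib
import math
import secrets

# Toy RSA key from two fixed, well-known primes; far too small for real use.
P_PRIME, Q_PRIME = 1_000_000_007, 998_244_353
N_MOD = P_PRIME * Q_PRIME
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # Python 3.8+ modular inverse


def message_rep(msg: bytes) -> int:
    """Hash-then-sign: the integer the signature actually covers."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N_MOD


def blind(m: int):
    """User device: pick r coprime to n and send m' = m * r^e mod n, which is uniform in Z_n* and hides m."""
    while True:
        r = secrets.randbelow(N_MOD - 2) + 2
        if math.gcd(r, N_MOD) == 1:
            return m * pow(r, E_PUB, N_MOD) % N_MOD, r


def sign_blinded(m_blind: int) -> int:
    """Signing device: a plain RSA signature on the blinded value; it never sees m."""
    return pow(m_blind, D_PRIV, N_MOD)


def unblind(s_blind: int, r: int) -> int:
    """User device: (m r^e)^d = m^d r mod n, so dividing by r leaves the ordinary signature m^d."""
    return s_blind * pow(r, -1, N_MOD) % N_MOD


def verify(msg: bytes, s: int) -> bool:
    """Verification device: standard RSA check against the signer's public key (e, n)."""
    return pow(s, E_PUB, N_MOD) == message_rep(msg)


def blind_sign(msg: bytes) -> int:
    """Runs the four steps end to end with both devices in one process."""
    m_blind, r = blind(message_rep(msg))
    return unblind(sign_blinded(m_blind), r)
```

The unblinded value equals the signature the signer would have produced directly on m, which is what makes the scheme unlinkable; the security of the whole flow is exactly the hardness of factoring n, which is the weakness the lattice construction below is designed to remove.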
  • This application provides a blind signature method whose key pair is generated from the MLWE problem. Since no polynomial-time quantum algorithm for the MLWE problem is known, the method can resist quantum attacks and improves the security of blind signatures.
  • the first aspect provides a blind signature method.
  • In the first aspect, after the public key and the second vector sent by the signature device are received, a third vector is randomly generated from the polynomial ring and a target polynomial is randomly generated from the polynomial set; the fourth vector is calculated from the second vector, the public key, the third vector, the target polynomial and the second modulus; the message to be processed and a random byte array are hashed into the first hash value, and the first hash value, the fourth vector and the first modulus are hashed into the second hash value; a blinded message is generated from the second hash value and the target polynomial and sent to the signature device; after the blind signature returned by the signature device is received, the signature is obtained from the blind signature and the random byte array, and the message to be processed and the signature are sent to the signature verification device.
  • the public key includes the matrix and the first vector.
  • the matrix consists of m ⁇ l polynomials chosen uniformly from the polynomial ring.
  • The first vector is determined by the product of the matrix and the first secret vector together with the product of the first modulus and the second secret vector (t = A s1 + p s2 mod q).
  • the first secret vector consists of l polynomials randomly selected from the target polynomial ring.
  • the second secret vector consists of m polynomials randomly selected from the target polynomial ring.
  • the private key sk includes a first secret vector s 1 and a second secret vector s 2 .
  • the first modulus is an integer greater than 1, and the greatest common divisor of the first modulus p and the second modulus q is 1.
  • Obtaining the signature from the blind signature, the random byte array and the second hash value includes: determining the fifth vector as the sum of the blind signature and the third vector, and forming the signature from the random byte array, the fifth vector and the second hash value. This gives a concrete way of extracting the signature from the blind signature.
  • The method further includes: when the infinite norm of the fifth vector is greater than the second preset value, sending the first hash value, the third vector, the target polynomial and the second hash value to the signature device; when it is less than or equal to the second preset value, the step of forming the signature from the random byte array, the fifth vector and the second hash value is triggered.
  • Before hashing the message to be processed and the random byte array into the first hash value, the method further includes: when the infinite norm of the fourth vector is less than the first preset value, the step of randomly generating the third vector from the polynomial ring is triggered.
  • Before sending the blinded message to the signature device, the method further includes: when the first norm of the blinded message is not equal to the sum of the first norm of the target polynomial and the first norm of the second hash value, the step of randomly generating a third vector from the polynomial ring is triggered. The third vector is thus regenerated by rejection sampling until a blinded message that meets the requirement is obtained.
  • The second aspect provides a blind signature method: a public key and a private key are generated, a sixth vector is randomly generated from the polynomial ring, and the second vector is calculated from the sixth vector, the second modulus and the matrix in the public key.
  • The public key and the second vector are sent to the user equipment; the blinded message sent by the user equipment is then received, the product of the first secret vector and the blinded message is added to the sixth vector, and the blind signature obtained by this summation is sent to the user device.
  • the private key sk includes a first secret vector s 1 and a second secret vector s 2 .
  • Before sending the blind signature obtained by the summation to the user device, the method further includes: when the infinite norm of the blind signature is greater than the third preset value, the blind signature is not usable as a solution to the MSIS problem and the step of randomly generating the sixth vector from the polynomial ring is triggered; when it is less than or equal to the third preset value, the blind signature can serve as a solution to the MSIS problem and the step of sending it to the user device is triggered.
  • The sixth vector is thus regenerated by rejection sampling until a blind signature that meets the requirement is obtained as a solution to the MSIS problem.
  • The method further includes: after receiving the first hash value, the third vector, the target polynomial and the second hash value sent by the user equipment, calculating the fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus, and the seventh vector from the matrix, the third vector, the blind signature, the second hash value, the first vector and the second modulus; determining the first operation result as the blinded message minus the target polynomial; hashing the first hash value, the fourth vector and the first modulus into the second operation result, and the first hash value, the seventh vector and the first modulus into the third operation result; when the first, second and third operation results all equal the second hash value and the infinite norm of the sum of the blind signature and the third vector is greater than the third preset value, the step of randomly generating the sixth vector is triggered.
  • the third aspect provides a blind signature method.
  • A signature verification public key request is sent to the signature device; the public key sent by the signature device is received and used to verify the message to be processed and the signature.
  • the signature consists of a random byte array, a fifth vector and a second hash value.
  • the public key includes the matrix and the first vector.
  • w mod p is used as an input of the hash function, and in signature verification Az − ct mod± q is computed first and its low bits are then taken mod p.
  • No known blind signature scheme constructs the input of the hash function in the blind signature generation process and performs signature verification in this way.
  • Verifying the message to be processed and the signature with the public key includes: calculating the seventh vector from the matrix, the fifth vector, the second hash value, the first vector and the second modulus; hashing the message to be processed and the random byte array into the first hash value; calculating the third hash value from the first hash value, the seventh vector and the first modulus; when the third hash value equals the second hash value, the message and signature pass verification, otherwise they fail.
  • The method further includes: when the infinite norm of the fifth vector is greater than the second preset value, determining that the message and signature fail verification; only when it is less than or equal to the second preset value does the hash comparison decide the result. When verification fails, an illegal-signature message is sent to the user equipment.
  • the fourth aspect provides a user equipment, which has the function of implementing the method of the first aspect.
  • This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • a fifth aspect provides a signature device, which has the function of implementing the method of the second aspect.
  • This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the sixth aspect provides a signature verification device, which has the function of implementing the method of the third aspect.
  • This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • a seventh aspect provides a user equipment, which includes a processor and a memory, the memory being used to store programs;
  • the processor is used to implement the method of the first aspect by executing the program.
  • An eighth aspect provides a signature device, which includes a processor and a memory, the memory is used to store a program; the processor is used to implement the method of the second aspect by executing the program.
  • a ninth aspect provides a signature verification device, which includes a processor and a memory, the memory is used to store a program; the processor is used to implement the method of the third aspect by executing the program.
  • a tenth aspect provides a computer-readable storage medium.
  • the computer-readable storage medium stores instructions, which when run on a computer, cause the computer to execute the methods of the above aspects.
  • An eleventh aspect provides a computer program product containing instructions that, when run on a computer, causes the computer to perform the methods of the above aspects.
  • A twelfth aspect provides a chip system including at least one processor coupled to a memory; the memory stores a computer program or instructions, and the processor executes them so as to implement the methods of the above aspects.
  • Figure 1 is a schematic diagram of an online transaction scenario in an embodiment of the present application
  • Figure 2 is a schematic diagram of an electronic voting scenario in the embodiment of the present application.
  • Figure 3 is a schematic diagram of the blind signature system in the embodiment of the present application.
  • Figure 4 is a flow chart of the blind signature method in the embodiment of the present application.
  • Figure 5 is another flow chart of the blind signature method in the embodiment of the present application.
  • Figure 6 is another flow chart of the blind signature method in the embodiment of the present application.
  • Figure 7 is a signaling interaction diagram of the blind signature method in the embodiment of the present application.
  • Figure 8 is a structural diagram of user equipment in an embodiment of the present application.
  • Figure 9 is a structural diagram of the signature device in the embodiment of the present application.
  • Figure 10 is a structural diagram of the signature verification device in the embodiment of the present application.
  • Figure 11 is a structural diagram of a terminal in an embodiment of the present application.
  • Figure 12 is a structural diagram of the server in the embodiment of the present application.
  • the blind signature method of this application can be applied to electronic payment systems or electronic voting systems, etc.
  • the following is an introduction to the blind signature method in the above scenario:
  • the electronic payment system includes a user device 11, a trusted third party (TTP) device 12 and a sales device 13.
  • Step 101 The user device 11 blinds the electronic cash withdrawn from the electronic account.
  • Step 102 The user device 11 sends the blinded electronic cash to the TTP device 12.
  • Step 103 The TTP device 12 sends the blind signature to the user device 11.
  • the TTP device 12 does not know the amount of the electronic cash, nor does it know in which interaction with it the signature extracted by the user was generated.
  • Step 104 The user equipment 11 parses the blind signature and obtains the signature.
  • Step 105 The user device 11 sends the electronic cash and signature to the sales device 13.
  • Step 106 The sales device 13 sends a signature verification public key request to the TTP device 12.
  • Step 107 The TTP device 12 sends the public key to the sales device 13.
  • Step 108 The sales device 13 uses the public key to verify the signature.
  • Step 109 When the signature passes verification, the sales device 13 accepts the electronic cash, which is deposited into the merchant's electronic account.
  • Step 110 The sales device 13 sends the receipt to the user device 11.
  • the sales device 13 can also send other information, such as goods.
  • the user and the merchant can complete the transaction through blind signature, and the transaction details are not known to the TTP device 12.
  • the electronic voting system includes a voting device 21, a signature server 22 and a vote counting server 23.
  • Step 201 The voting equipment 21 blinds the ballot.
  • Step 202 The voting equipment 21 sends the blinded ballot to the signature server 22.
  • Step 203 The signature server 22 sends the blind signature ballot to the voting device 21.
  • Step 204 The voting equipment 21 extracts the ballot signature.
  • Step 205 The voting equipment 21 sends the ballot and signature to the vote counting server 23.
  • Step 206 The vote counting server 23 sends a signature verification public key request to the signature server 22.
  • Step 207 The signature server 22 sends the public key to the vote counting server 23.
  • Step 208 The vote counting server 23 uses the public key to verify the signature.
  • Step 209 When the signature passes verification, the vote counting server 23 adds one to the count; when it fails, the vote counting server 23 determines that the ballot is illegal and does not count it.
  • the blind signature system of the present application includes an application layer 31 , a service layer 32 and a computing layer 33 .
  • the application layer 31 is divided into three roles: user, signer and verifier according to the type of service used. Users can use the message blinding and de-blinding functions in the blind signature module in service layer 32.
  • the signer can use the blind signature generation function in the key generation module and blind signature module in the service layer 32.
  • the signature verifier can use the signature verification module of service layer 32.
  • The service layer 32 depends on the results returned by the computing layer 33; each module of the service layer 32 calls the polynomial module, the sampling module and the hash function of the computing layer 33.
  • the polynomial module and sampling module are introduced to support basic operations on lattice and ensure the security of the scheme. These two modules are not included in the blind signature system based on number theory problems.
  • In existing schemes the key pair is constructed from the integer factorization problem or the discrete logarithm problem; both can be solved by quantum algorithms in polynomial time, so such schemes cannot resist quantum attacks.
  • This application instead constructs the key pair from the module learning with errors (MLWE) problem, a standard lattice hard problem for which no polynomial-time quantum algorithm is known (the best known quantum attacks take exponential time), so it is considered quantum-resistant.
  • The parameters of the blind signature method are n, q, p, m, l, η, K, the coefficient bound of the third vector and the bound on the number of non-zero coefficients of the target polynomial; all are positive integers.
  • one embodiment of the blind signature method of the present application includes:
  • Step 401 Receive the public key and the second vector sent by the signature device.
  • The public key includes the matrix A and the first vector t; the private key includes the first secret vector s1 and the second secret vector s2.
  • The first vector is t = (A s1 + p s2) mod q, where p is the first modulus and q the second modulus; the reduction mod q is applied to A s1 + p s2 as a whole.
  • The first modulus p is an integer greater than 1, and the greatest common divisor of p and q is 1.
  • The matrix A consists of m × l polynomials chosen uniformly from the polynomial ring R_q.
  • R_q can be Z_q[x]/(x^n + 1), where Z_q[x] is the set of polynomials with coefficients in Z_q and each element of Z_q[x]/(x^n + 1) is a polynomial of degree less than n.
  • The first secret vector s1 consists of l polynomials randomly selected from the target polynomial ring I_η^n, and the second secret vector s2 consists of m polynomials randomly selected from I_η^n.
  • Each polynomial in I_η^n is a small-coefficient polynomial: its coefficients come from I_η, the set of integers in the interval [-η, η], where η is a positive integer with η < q, and small means very small relative to the second modulus q.
  • Step 402 Randomly generate a third vector from the polynomial ring, in which the absolute value of every coefficient of every polynomial does not exceed a preset bound.
  • Step 403 Randomly generate a target polynomial from the polynomial set, in which the absolute value of every coefficient of every polynomial does not exceed 1 and the number of non-zero coefficients does not exceed a preset bound (a sparse ternary polynomial).
  • Step 404 Calculate the fourth vector based on the second vector, matrix, third vector, target polynomial, first vector and second modulus.
  • mod denotes modular reduction. For any integer u, u mod± q denotes the centered representative, whose absolute value does not exceed q/2, while u mod q lies in [0, q−1].
  • Step 405 Determine whether the infinite norm of the fourth vector is less than the first preset value. If yes, return to step 402, so that the third vector and the target polynomial are regenerated (rejection sampling). If not, execute step 406.
  • Step 406 Hash the message to be processed and the random byte array into the first hash value C.
  • A cryptographic hash function is used; other commitment (COM) functions can also be used to bind the message to be processed and the random byte array.
  • Each bit of the random byte array is generated independently and uniformly at random, so the values 0 and 1 are equally likely.
  • Step 407 Calculate the second hash value c by hashing the first hash value, the fourth vector and the first modulus: c = H(C, w mod p), where H() is the hash function and the first hash value C and w mod p are its two inputs.
  • The second hash value c corresponds to a polynomial in the polynomial ring whose first norm does not exceed K minus the bound on the number of non-zero coefficients of the target polynomial, where K exceeds that bound.
  • Step 408 Generate a blinded message based on the second hash value and the target polynomial.
  • the blinded message e is equal to the sum of the second hash value c and the target polynomial b.
  • Step 409 Determine whether the first norm of the blinded message satisfies the rejection condition. If yes, execute step 402; if not, execute step 410.
  • Writing ||e||_1, ||b||_1 and ||c||_1 for the first norms of the blinded message, the target polynomial and the second hash value, the rejection condition is ||e||_1 ≠ ||b||_1 + ||c||_1; when ||e||_1 = ||b||_1 + ||c||_1, the blinded message is accepted and step 410 is executed.
  • Step 410 Send the blinded message to the signature device.
  • the signature device obtains a blind signature based on the blinded message.
  • Step 411 Receive the blind signature sent by the signature device.
  • Step 412 Determine the fifth vector z as the sum of the blind signature and the third vector.
  • Step 413 Determine whether the infinite norm of z is greater than the second preset value. If yes, execute step 416; if not, execute step 414.
  • Step 414 Combine the random byte array, the fifth vector and the second hash value to form a signature.
  • the signature consists of a random byte array, a fifth vector, and a second hash value.
  • the order of the random byte array, fifth vector and second hash value in the signature can be Set according to actual situation.
  • Step 415 Send the pending message and signature to the signature verification device.
  • Step 416 Send the first hash value, the third vector, the target polynomial and the second hash value to the signature device.
  • After receiving the first hash value, the third vector, the target polynomial and the second hash value, the signature device can check whether this information is consistent. If it is, the blind signature method is restarted; if any of it is inconsistent, the blind signature method is terminated early.
  • This embodiment generates the public-private key pair of the blind signature method from the MLWE problem; the private key sk includes the first secret vector s1 and the second secret vector s2.
  • This differs from existing lattice-based blind signature schemes that construct the key pair from a linear hash function, and from the existing construction based on the SIS problem, in which the private key sk is a small-coefficient matrix S and the public key pk is a randomly generated matrix A together with the product AS.
  • This embodiment also provides the technique of taking w mod p as the input of the hash function in the blind signature process and, in the signature verification process, computing Az − ct mod± q and then reducing the result mod p.
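Why the mod p step works, as an added derivation that is not on the page: the page states only $t = A s_1 + p s_2 \bmod q$ and the verification quantity $Az - ct$, so the formula for the fourth vector is assumed here to be $w = w' + A r + b t$ with $w' = A y$ (the signer's second vector); with $e = c + b$ (the blinded message), $\hat z = s_1 e + y$ (the blind signature) and $z = \hat z + r$ (the fifth vector) one gets, in $R_q$,

$$Az - ct = A(s_1 e + y + r) - c\,(A s_1 + p s_2) = A s_1 b + A y + A r - p\,c\,s_2,$$

$$w = A y + A r + b\,(A s_1 + p s_2) = A s_1 b + A y + A r + p\,b\,s_2,$$

$$Az - ct \equiv w - p\,e\,s_2 \pmod q.$$

Since $\|p\,e\,s_2\|_\infty \le p\,\|e\|_1\,\|s_2\|_\infty \le p K \eta$, whenever the centered residue of $w$ satisfies $\|w \operatorname{mod}^{\pm} q\|_\infty \le (q-1)/2 - pK\eta$ (for odd $q$), the two sides stay equal as integer vectors after the centered reduction, and reducing mod $p$ removes the $p\,e\,s_2$ term. The verifier therefore recovers exactly the $w \bmod p$ that the user hashed, without knowing $s_2$; this is why the hash input is taken mod $p$, and why $Az - ct$ must be reduced to its centered residue mod $q$ before the mod $p$ step.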
  • The user equipment updates the third vector and the target polynomial by rejection sampling, so that the blinded messages are uniformly distributed over the set they belong to, which ensures the blindness and untraceability of the signature.
  • The matrix, the first secret vector and the second secret vector can be sampled uniformly from their rings, and the third vector uniformly from the polynomial ring; compared with discrete Gaussian sampling, this is simpler to implement.
  • Another embodiment of the blind signature method of the present application includes:
  • Step 501 Generate public key and private key.
  • the public key includes matrix A and first vector t.
  • the private key includes matrix A, first vector t, first secret vector s 1 and second secret vector s 2 .
  • the product of the first secret vector s 1 and the matrix A and the product of the second secret vector s 2 and the first modulus p are both related to the first vector t, and the first modulus p is an integer greater than 1.
  • the matrix consists of m × l polynomials chosen uniformly from the polynomial ring R q .
  • the first secret vector consists of l polynomials randomly selected from the target polynomial ring I ⁇ n .
  • the second secret vector consists of m polynomials randomly selected from the target polynomial ring I ⁇ n .
  • Step 502 Randomly generate a sixth vector from the polynomial ring.
  • Step 503 Calculate the second vector according to the sixth vector, matrix and second modulus.
  • Step 504 Send the public key and the second vector to the user equipment.
  • Step 505 Receive the blinded message sent by the user equipment.
  • Step 506 Sum the product of the first secret vector and the blinded message and the sixth vector.
  • Step 507 Determine whether the infinite norm of the blind signature is greater than the third preset value. If yes, execute step 502. If not, execute step 508.
  • Step 508 Send the blind signature obtained by the summation operation to the user equipment.
  • This embodiment provides a public-private key pair for the blind signature method generated based on the MLWE problem.
  • the blinded messages are evenly distributed in the set to which they belong, so the signature device cannot know the message corresponding to the blinded message, thus ensuring the blindness of the message.
  • the above blind signature method also includes:
  • when the user equipment determines that the infinite norm of the fifth vector is greater than the second preset value, the signature device receives the first hash value, the third vector, the target polynomial and the second hash value sent by the user equipment;
  • when the first operation result, the second operation result and the third operation result are all equal to the second hash value, and the infinite norm of the sum of the blind signature and the third vector is greater than the third preset value, this indicates that the first hash value, the third vector, the target polynomial and the second hash value all come from a legitimate user, and step 502 is triggered to restart the blind signature method.
  • when one or more of the first operation result, the second operation result and the third operation result are not equal to the second hash value, or the infinite norm of the sum of the blind signature and the third vector is less than or equal to the third preset value, this indicates that the first hash value, the third vector, the target polynomial or the second hash value contains illegal information, which means that the restart request comes from a malicious user. The signature device can then refuse to respond to the malicious restart request; such early termination reduces the waste of computing resources.
  • Another embodiment of the blind signature method of the present application includes:
  • Step 601 Receive the pending message and signature sent by the user device.
  • the signature includes a random byte array.
  • Step 602 Send a signature verification public key request to the signature device.
  • Step 603 Receive the public key sent by the signature device.
  • the public key includes a matrix and a first vector.
  • Step 604 Use the public key to verify the message and signature to be processed.
  • step 604 includes: calculating a seventh vector according to the matrix, the fifth vector, the second hash value, the first vector and the second modulus; hashing the message to be processed and the random byte array into the first hash value; calculating the third hash value based on the first hash value, the seventh vector and the first modulus; when the third hash value is equal to the second hash value, determining that the pending message and signature pass verification; when the third hash value is not equal to the second hash value, determining that the pending message and signature do not pass verification.
  • the above blind signature method further includes: when the infinite norm of the fifth vector is greater than the second preset value, determining that the message and signature to be processed have not passed verification.
  • the signature device can send the public key to the signature verification device in advance, and the signature verification device stores it locally. After step 601, the message and signature to be processed are verified using the locally stored public key.
  • one embodiment of the blind signature method of the present application includes:
  • Step 701 The signature device generates a public key and a private key.
  • Step 702 The signature device randomly generates a sixth vector from the polynomial ring.
  • Step 703 The signature device calculates the second vector based on the sixth vector, matrix and second modulus.
  • Step 704 The signature device sends the public key and the second vector to the user equipment.
  • Step 705 The user equipment randomly generates a third vector from the polynomial ring.
  • Step 706 The user equipment randomly generates a target polynomial from the polynomial set.
  • Step 707 The user equipment calculates a fourth vector based on the second vector, matrix, third vector, target polynomial, first vector and second modulus.
  • Step 708 The user equipment hashes the message to be processed and the random byte array into a first hash value.
  • Step 709 The user equipment calculates a second hash value based on the first hash value, the fourth vector and the first modulus hash.
  • Step 710 The user equipment generates a blinded message based on the second hash value and the target polynomial.
  • Step 711 The user equipment sends the blinded message to the signing device.
  • Step 712 The signature device performs a summation operation on the product of the first secret vector and the blinded message and the sixth vector.
  • Step 713 The signature device sends the blind signature obtained by the summation operation to the user equipment.
  • Step 714 The user equipment obtains the signature based on the blind signature, the random byte array and the second hash value.
  • Step 715 The user equipment sends the pending message and signature to the signature verification device.
  • Step 716 The signature verification device sends a signature verification public key request to the signature device.
  • Step 717 The signature device sends the public key to the signature verification device.
  • Step 718 The signature verification device uses the public key to verify the message and signature to be processed.
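  • A toy Python instance of the flow in steps 701 to 718, added here as an illustration; it is not the patent's own code. It follows the relations the page states (t is built from A·s1 and p·s2; verification computes Az-ct mod± q and then mod p before re-hashing; the user rejection-samples until the blinded challenge stays ternary), but all parameter values, bounds, the hash-to-challenge mapping and the choice c* = c - c0 are this example's assumptions.

```python
import hashlib
import secrets

# Toy parameters (this example's assumptions, not the patent's): ring degree n,
# second modulus q, first modulus p, module dimensions m x l of the matrix A.
N, Q, P, M, L = 16, 8380417, 1024, 2, 2
ETA, TAU = 2, 3                      # secret-coefficient bound, challenge weight
GAMMA1 = 1024                        # range of the signer's mask r (sixth vector)
BETA3 = GAMMA1 - 2 * TAU * ETA       # third preset value: bound on z (blind signature)
GAMMA2 = 1 << 17                     # range of the user's mask z3 (third vector)
BETA2 = GAMMA2 - BETA3               # second preset value: bound on z5 (fifth vector)
WRAP = Q // 2 - 2 * TAU * ETA * P    # keeps w - p*s2*c* inside (-q/2, q/2), no wrap

def modq(a):
    """Centered reduction mod± q: result lies in (-q/2, q/2)."""
    a %= Q
    return a - Q if a > Q // 2 else a

def pmul(a, b):
    """Schoolbook product in Z[x]/(x^n + 1), reduced mod± q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, s = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] += s * ai * bj
    return [modq(x) for x in out]

def padd(a, b): return [modq(x + y) for x, y in zip(a, b)]
def psub(a, b): return [modq(x - y) for x, y in zip(a, b)]
def vadd(u, v): return [padd(a, b) for a, b in zip(u, v)]
def vsub(u, v): return [psub(a, b) for a, b in zip(u, v)]
def vscale(c, v): return [pmul(c, x) for x in v]        # polynomial times vector
def inf_norm(v): return max(abs(x) for poly in v for x in poly)

def matvec(A, v):
    """Product of the m x l matrix A with an l-vector of polynomials (m polys)."""
    return [[modq(sum(col)) for col in zip(*[pmul(a, x) for a, x in zip(row, v)])]
            for row in A]

def rand_vec(k, bound):
    """k polynomials with coefficients uniform in [-bound, bound]."""
    return [[secrets.randbelow(2 * bound + 1) - bound for _ in range(N)] for _ in range(k)]

def hash_to_challenge(data):
    """Toy H: SHAKE-256 output mapped to a ternary polynomial of weight TAU."""
    stream = hashlib.shake_256(data).digest(8 * N)
    c, used, i = [0] * N, 0, 0
    while used < TAU:
        pos, sign = stream[i] % N, stream[i + 1] & 1
        i += 2
        if c[pos] == 0:
            c[pos] = 1 if sign else -1
            used += 1
    return c

def encode_modp(w):
    """The 'mod p' step: reduce each centered coefficient into [0, p) and serialize."""
    return b"".join((x % P).to_bytes(2, "big") for poly in w for x in poly)

def keygen():
    """pk = (A, t) with t = A*s1 + p*s2 mod q; sk = (s1, s2). MLWE-style key pair."""
    A = [rand_vec(L, Q // 2) for _ in range(M)]
    s1, s2 = rand_vec(L, ETA), rand_vec(M, ETA)
    t = vadd(matvec(A, s1), [[modq(P * x) for x in poly] for poly in s2])
    return (A, t), (s1, s2)

def blind_sign(pk, sk, msg, max_rounds=200):
    """Interactive flow of steps 702-714 with both parties simulated in-process."""
    (A, t), (s1, _) = pk, sk
    rnd = secrets.token_bytes(16)                       # random byte array
    mu = hashlib.shake_256(msg + rnd).digest(32)       # first hash value
    for _ in range(max_rounds):
        r = rand_vec(L, GAMMA1)                         # signer: sixth vector
        y = matvec(A, r)                                # signer: second vector y = A*r
        while True:                                     # user: rejection sampling
            z3 = rand_vec(L, GAMMA2)                    # third vector
            c0 = hash_to_challenge(secrets.token_bytes(32))   # target polynomial
            w = vsub(vadd(y, matvec(A, z3)), vscale(c0, t))   # fourth vector
            c = hash_to_challenge(mu + encode_modp(w))        # second hash value
            cstar = [a - b for a, b in zip(c, c0)]            # blinded message
            # c* must stay ternary with |c*|_1 = |c|_1 + |c0|_1; w must not wrap (toy bound)
            if (max(map(abs, cstar)) < 2 and sum(map(abs, cstar)) == 2 * TAU
                    and inf_norm(w) <= WRAP):
                break
        z = vadd(vscale(cstar, s1), r)                  # signer: blind signature
        if inf_norm(z) > BETA3:                         # signer rejects: restart
            continue
        z5 = vadd(z, z3)                                # user: fifth vector (unblinded)
        if inf_norm(z5) > BETA2:                        # user requests a restart
            continue
        return rnd, z5, c
    return None

def verify(pk, msg, sig):
    """Steps 604/718: A*z5 - c*t mod± q, then mod p, re-hash, compare with c."""
    (A, t), (rnd, z5, c) = pk, sig
    if inf_norm(z5) > BETA2:
        return False
    mu = hashlib.shake_256(msg + rnd).digest(32)
    w7 = vsub(matvec(A, z5), vscale(c, t))              # seventh vector
    return hash_to_challenge(mu + encode_modp(w7)) == c  # third hash == second hash
```

The verifier never sees s2: subtracting c·t from A·z5 leaves w - p·s2·c*, and the mod p step erases the p-multiple, which is why the hash recomputes to c.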
  • the steps performed by the user equipment, signature device or signature verification device are similar to the steps performed by the user equipment, signature device or signature verification device in Figure 4, Figure 5 or Figure 6 respectively.
  • the basic scheme of this application is given based on the modular lattice, from which the blind signature scheme on the number theory research unit (NTRU) lattice can be further derived.
  • the derivation method is to correspond s 1 and s 2 to small coefficient polynomials respectively, recorded as f and g.
  • the multi-dimensional polynomial vectors in the blind signature and signature verification processes are compressed into 1-dimensional polynomials, and the upper bound of the rejection sampling is modified accordingly to derive an instantiation of this scheme on the NTRU lattice.
  • the basic operations on the NTRU lattice are standardized by the Institute of Electrical and Electronics Engineers (IEEE) and have efficient engineering implementations.
  • an embodiment of user equipment 800 provided by this application includes a receiving unit 801, a processing unit 802 and a sending unit 803.
  • the receiving unit 801 is configured to receive the public key and the second vector sent by the signature device.
  • the public key includes a matrix and a first vector.
  • the product of the first secret vector and the matrix and the product of the second secret vector and the first modulus are both related to the first vector, and the first modulus is an integer greater than 1;
  • the processing unit 802 is used to randomly generate a third vector from a polynomial ring; randomly generate a target polynomial from a polynomial set; calculate a fourth vector based on the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus; hash the message to be processed and the random byte array into the first hash value; calculate the second hash value according to the first hash value, the fourth vector and the first modulus; and generate a blinded message according to the second hash value and the target polynomial;
  • the sending unit 803 is used to send the blinded message to the signature device
  • the receiving unit 801 is also used to receive the blind signature sent by the signature device.
  • the blind signature is obtained by the signature device based on the blinded message;
  • the processing unit 802 is also used to obtain a signature based on the blind signature, the random byte array and the second hash value;
  • the sending unit 803 is also used to send the message and signature to be processed to the signature verification device.
  • the processing unit 802 is specifically configured to determine that the fifth vector is the sum of the blind signature and the third vector; and combine the random byte array, the fifth vector and the second hash value to form a signature.
  • the sending unit 803 is also configured to send the first hash value, the third vector, the target polynomial and the second hash value to the signing device when the infinite norm of the fifth vector is greater than the second preset value.
  • the processing unit 802 is also configured to trigger the processing unit 802 to randomly generate a third vector from the polynomial ring when the infinite norm of the fourth vector is less than the first preset value.
  • the processing unit 802 is also configured to trigger the processing unit 802 to randomly generate a third vector from the polynomial ring when the first norm of the blinded message is not equal to the sum of the first norm of the target polynomial and the first norm of the second hash value.
  • processing unit 802 is also configured to trigger the processing unit 802 to randomly generate a third vector from the polynomial ring when the infinite norm of the blinded message is equal to 2.
  • this application provides an embodiment of a signature device 900 including:
  • Processing unit 902 configured to generate a public key and a private key, where the public key includes a matrix and a first vector, the private key includes the matrix, the first vector, a first secret vector and a second secret vector, the product of the first secret vector and the matrix and the product of the second secret vector and the first modulus are both related to the first vector, and the first modulus is an integer greater than 1;
  • the processing unit 902 is also used to randomly generate a sixth vector from the polynomial ring;
  • the processing unit 902 is also configured to calculate the second vector according to the sixth vector, the matrix and the second modulus;
  • the receiving unit 901 is used to receive the blinded message sent by the user equipment
  • the processing unit 902 is also configured to perform a summation operation on the product of the first secret vector and the blinded message and the sixth vector;
  • the sending unit 903 is also used to send the blind signature obtained by the summation operation to the user equipment.
  • the processing unit 902 is also configured to trigger the processing unit to randomly generate a sixth vector from the polynomial ring, the third preset value ⁇ 3 , the fourth parameter value ⁇ , and the first vector when the infinite norm of the blind signature is greater than the third preset value.
  • the receiving unit 901 is also used to receive the first hash value, the third vector, the target polynomial and the second hash value sent by the user equipment;
  • the processing unit 902 is also configured to calculate a fourth vector based on the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus; calculate the seventh vector based on the matrix, the third vector, the blind signature, the second hash value, the first vector and the second modulus; determine the first operation result as the signature information minus the target polynomial; perform a hash operation based on the first hash value, the fourth vector and the first modulus to obtain the second operation result; perform a hash operation based on the first hash value, the seventh vector and the first modulus to obtain the third operation result; and, when the first operation result, the second operation result and the third operation result are all equal to the second hash value and the infinite norm of the sum of the blind signature and the third vector is greater than the third preset value, trigger the processing unit to randomly generate the sixth vector from the polynomial ring, the third preset value ⁇ 3 , the fourth parameter value ⁇ , the first parameter value
  • the signature verification device 1000 of the present application includes:
  • the receiving unit 1001 is configured to receive the message and signature to be processed sent by the user equipment, where the signature includes a random byte array, a fifth vector and a second hash value;
  • the sending unit 1003 is used to send a signature verification public key request to the signature device;
  • the receiving unit 1001 is also used to receive the public key sent by the signature device, where the public key includes a matrix and a first vector;
  • the verification unit 1002 is used to verify the message and signature to be processed using the public key.
  • the verification unit 1002 is specifically configured to calculate the seventh vector according to the matrix, the fifth vector, the second hash value, the first vector and the second modulus; hash the message to be processed and the random byte array into the first hash value; calculate the third hash value based on the first hash value, the seventh vector and the first modulus; when the third hash value is equal to the second hash value, determine that the message to be processed and the signature pass verification; and when the third hash value is not equal to the second hash value, determine that the pending message and signature do not pass verification.
  • the verification unit 1002 is also configured to determine that the message and signature to be processed do not pass verification when the infinite norm of the fifth vector is greater than the second preset value.
  • the terminal can be any terminal device such as a mobile phone, tablet computer, personal digital assistant (personal digital assistant, PDA), point of sales terminal (POS), vehicle-mounted computer, etc.
  • the terminal includes: a radio frequency (RF) circuit 1110, a memory 1120, an input unit 1130, a display unit 1140, a communication interface 1150, an audio circuit 1160, a wireless fidelity (WiFi) module 1170, a processor 1180, a power supply 1190 and other components.
  • the terminal structure shown in FIG. 11 does not limit the terminal, and may include more or fewer components than shown, or combine certain components, or arrange different components.
  • the radio frequency circuit 1110 can be used to receive and transmit information or signals during a call. Specifically, after receiving downlink information from the base station, it passes the information to the processor 1180 for processing; in addition, it sends uplink data to the base station.
  • the radio frequency circuit 1110 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, etc.
  • radio frequency circuitry 1110 can also communicate with networks and other devices through wireless communications.
  • the above wireless communication can use any communication standard or protocol, including but not limited to global system of mobile communication (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), long term evolution (LTE), email, short messaging service (SMS), etc.
  • the memory 1120 can be used to store software programs and modules.
  • the processor 1180 executes various functional applications and data processing of the terminal by running the software programs and modules stored in the memory 1120 .
  • the memory 1120 may mainly include a program storage area and a data storage area, where the program storage area may store the operating system and the application programs required for at least one function (such as a sound playback function, an image playback function, etc.), and the data storage area may store data created during use of the terminal (such as audio data, a phone book, etc.).
  • memory 1120 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
  • the input unit 1130 may be used to receive input numeric or character information, and generate key signal input related to user settings and function control of the terminal.
  • the input unit 1130 may include a touch panel 1131 and other input devices 1132.
  • the touch panel 1131 is also called a touch screen and can collect the user's touch operations on or near the touch panel 1131 (such as the user's operations on or near the touch panel 1131 using any suitable object or accessory such as a finger, stylus, etc.), and drive the corresponding connection device according to the preset program.
  • the touch panel 1131 may include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the user's touch orientation, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact point coordinates, and then sends it to the processor 1180, and can receive commands from the processor 1180 and execute them.
  • the touch panel 1131 can be implemented using various types such as resistive, capacitive, infrared, and surface acoustic wave.
  • the input unit 1130 may also include other input devices 1132.
  • other input devices 1132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), trackball, mouse, joystick, etc.
  • the display unit 1140 may be used to display information input by the user or information provided to the user as well as various menus of the terminal.
  • the display unit 1140 may include a display panel 1141.
  • the display panel 1141 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), etc.
  • the touch panel 1131 can cover the display panel 1141.
  • after the touch panel 1131 detects a touch operation on or near it, the operation is sent to the processor 1180 to determine the type of the touch event, and the processor 1180 then provides corresponding visual output on the display panel 1141 according to the type of the touch event.
  • although the touch panel 1131 and the display panel 1141 are used as two independent components to implement the input and output functions of the terminal, in some embodiments the touch panel 1131 and the display panel 1141 can be integrated to implement the input and output functions of the terminal.
  • the terminal may also include a communication interface 1150, which uses a transceiver module such as but not limited to a network interface card to implement communication between the terminal and other devices or communication networks.
  • the audio circuit 1160, speaker 1161, and microphone 1162 can provide an audio interface between the user and the terminal.
  • the audio circuit 1160 can transmit the electrical signal converted from the received audio data to the speaker 1161, and the speaker 1161 converts it into a sound signal for output; on the other hand, the microphone 1162 converts the collected sound signal into an electrical signal, which the audio circuit 1160 receives and converts into audio data; the audio data is then output to the processor 1180 for processing and sent, for example, to another terminal through the RF circuit 1110, or output to the memory 1120 for further processing.
  • WiFi is a short-distance wireless transmission technology.
  • the terminal can help users send and receive emails, browse web pages, and access streaming media through the WiFi module 1170. It provides users with wireless broadband Internet access.
  • although FIG. 11 shows the WiFi module 1170, it can be understood that it is not a necessary component of the terminal and can be omitted as needed without changing the essence of the application.
  • the processor 1180 is the control center of the terminal and uses various interfaces and lines to connect various parts of the entire terminal. By running or executing software programs and/or modules stored in the memory 1120, and calling data stored in the memory 1120, various functions of the terminal are executed and data is processed, thereby overall monitoring of the terminal is performed.
  • the processor 1180 may include one or more processing units; the processor 1180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs, etc., and the modem processor mainly handles wireless communications. It can be understood that the above modem processor may also not be integrated into the processor 1180.
  • the terminal also includes a power source 1190 (such as a battery) that powers various components.
  • the power supply can be logically connected to the processor 1180 through the power management system, so that functions such as charging, discharging, and power consumption management can be implemented through the power management system.
  • the terminal may also include cameras, sensors, Bluetooth modules, etc., which will not be described in detail here.
  • the memory 1120 stores executable program code
  • the processor 1180 executes the program code to implement the above-mentioned quantum-resistant blind signature method.
  • the memory stores instructions for executing the above-mentioned quantum-resistant blind signature method.
  • a server 1200 includes a central processing unit (CPU) 1222 and a memory 1232, and a storage medium 1230 that stores application programs 1242 or data 1244.
  • the memory 1232 and the storage medium 1230 may be short-term storage or persistent storage.
  • the program stored in the storage medium 1230 may include one or more modules, and each module may include a series of instruction operations in the server.
  • the central processor 1222 may be configured to communicate with the storage medium 1230 and execute a series of instruction operations in the storage medium 1230 on the server 1200 .
  • the server 1200 may also include a power supply 1226, a wired or wireless network interface 1250, an input/output interface 1258 and/or an operating system 1241, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, etc. It should be understood that this application does not limit the number of central processors, memories, storage media, power supplies, wired or wireless network interfaces, and input and output interfaces in the server 1200.
  • the present application provides a computer-readable storage medium.
  • a computer program is stored in the computer-readable storage medium. When it is run on a computer, it causes the computer to execute the quantum-resistant blind signature method in the above embodiments or optional embodiments.
  • the present application also provides a computer program product that, when run on a computer, causes the computer to perform the quantum-resistant blind signature method as in the embodiment or alternative embodiment shown above.
  • the present application also provides a chip system, which includes a processor and a memory coupled to each other.
  • the memory is used to store computer programs or instructions, and the processing unit is used to execute the computer programs or instructions stored in the memory, so that the computing device performs the steps performed by the user equipment, signature device or signature verification device in the above embodiments.
  • the memory is a memory within the chip, such as a register, cache, etc.
  • the memory can also be a memory located outside the chip, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM), etc.
  • the processor mentioned in any of the above places can be a general-purpose central processing unit, a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits used to implement the above-mentioned quantum-resistant blind signature method.
  • the device embodiments described above are only illustrative.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units. That is, it can be located in one place, or it can be distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the connection relationship between modules indicates that there are communication connections between them, which can be specifically implemented as one or more communication buses or signal lines.
  • the present application can be implemented by software plus the necessary general-purpose hardware. Of course, it can also be implemented by dedicated hardware, including dedicated integrated circuits, dedicated CPUs, dedicated memories, special components, etc. In general, all functions performed by computer programs can be implemented with corresponding hardware, and the specific hardware structures used to implement the same function can be diverse, such as analog circuits, digital circuits or special-purpose circuits. However, for this application, a software implementation is the better implementation in most cases. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes over the existing technology, can be embodied in the form of a software product.
  • the computer software product is stored in a readable storage medium, such as a computer floppy disk, U disk, mobile hard disk, ROM, RAM, magnetic disk or optical disk, and includes several instructions that cause a computer device (which can be a personal computer, server, or network device, etc.) to execute the methods of the various embodiments of the present application.
  • a computer program product includes one or more computer instructions. When computer program instructions are loaded and executed on a computer, processes or functions according to embodiments of the present application are generated in whole or in part.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; e.g., computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (such as infrared, radio, microwave, etc.).
  • the computer-readable storage medium can be any available medium that a computer can store, or a data storage device such as a server or data center that integrates one or more available media. The available media can be magnetic media (such as floppy disks, hard disks, tapes), optical media (such as DVD), or semiconductor media (such as solid state disk (SSD)), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in the present application is a quantum-resistant blind signature method. The method comprises: after a public key and a second vector that are sent by a signature apparatus are received, calculating a fourth vector according to the second vector, the public key, a randomly generated third vector, a randomly generated target polynomial and a second modulus; performing hashing on a message to be processed and a random byte array to obtain a first hash value; then, generating a blind message according to the first hash value, the fourth vector, a first modulus and the target polynomial; after the blind message is sent to the signature apparatus, receiving a blind signature sent by the signature apparatus; then, acquiring a signature according to the blind signature and the random byte array; and sending the message to be processed and the signature to a signature verification apparatus. By means of the blind signature method in the present application, a blind signature is constructed on the basis of difficult mathematical problems on lattices, thus achieving the characteristic of quantum attack resistance, and the blind signature has higher security compared with a blind signature constructed on the basis of difficult number theory problems. Further provided in the present application are a user equipment that can implement the blind signature method, and a signature apparatus and a signature verification apparatus.

Description

Quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus
This application claims priority to the Chinese patent application filed with the China Patent Office on April 28, 2022, application number 202210461476.X, entitled "Quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of computer technology, and in particular to a quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus.
Background
A blind signature is a digital signature technique. Blind signatures have the properties of blindness and untraceability, which effectively protect the content of the signed message.
An existing blind signature method works roughly as follows. The user equipment sends a signature request to the signing device, and the signing device returns a signature response. The user equipment blinds the message and sends it to the signing device; the signing device signs the blinded message with its private key and returns the result; the user equipment unblinds the returned signature to obtain the final signature. The user equipment then sends the message and the final signature to the verification device, which verifies them. Such schemes are built on number-theoretic hardness assumptions such as integer factorization, and their security rests on the assumption that these problems cannot be solved in polynomial time.
However, blind signature schemes built on number-theoretic problems such as integer factorization can be broken by quantum algorithms in polynomial time (for example, within a few hours), so the security of existing blind signature methods faces a serious quantum threat.
Summary
In view of this, this application provides a blind signature method whose key pair is generated from the module learning with errors (MLWE) problem. Since no known quantum algorithm solves MLWE in polynomial time, the blind signature method of this application resists quantum attacks and improves the security of blind signatures.
A first aspect provides a blind signature method. After receiving the public key and the second vector sent by the signature apparatus, the user equipment randomly generates a third vector from a polynomial ring and a target polynomial from a polynomial set, and computes a fourth vector from the second vector, the public key, the third vector, the target polynomial and the second modulus. It hashes the message to be processed together with a random byte array into a first hash value, hashes the first hash value, the fourth vector and the first modulus into a second hash value, generates the blinded message from the second hash value and the target polynomial, and sends the blinded message to the signature apparatus. After receiving the blind signature returned by the signature apparatus, it derives the signature from the blind signature and the random byte array and sends the message and the signature to the signature verification apparatus. The public key consists of a matrix and a first vector. The matrix consists of m × l polynomials chosen uniformly from the polynomial ring. The first vector depends on the product of the first secret vector with the matrix and on the product of the second secret vector with the first modulus. The first secret vector consists of l polynomials chosen at random from the target polynomial ring, and the second secret vector of m polynomials chosen at random from the target polynomial ring.
This yields a public/private key pair for the blind signature method generated from the MLWE problem. The private key sk consists of the first secret vector s1 and the second secret vector s2. The public key pk is (A, t = A s1 + p s2 mod q); note in particular that the s2 term is scaled by the factor p. This provides a new blind signature method that resists quantum attacks.
In a second possible implementation, the first vector t, the matrix A, the first secret vector s1, the second secret vector s2, the first modulus p and the second modulus q satisfy t = A s1 + p s2 mod q. The first modulus p is an integer greater than 1, and the greatest common divisor of p and q is 1.
In a third possible implementation, the second vector x, the matrix A, the third vector a, the target polynomial b, the first vector t, the second modulus q and the fourth vector w satisfy w = x + A a + b t mod± q. This gives a concrete way to compute the fourth vector.
In a fourth possible implementation, obtaining the signature from the blind signature, the random byte array and the second hash value comprises: setting the fifth vector to the sum of the blind signature and the third vector, and forming the signature from the random byte array, the fifth vector and the second hash value. This gives a concrete way to extract the signature from the blind signature.
Building on the fourth implementation, in a fifth possible implementation the method further comprises: when the infinity norm of the fifth vector is greater than the second preset value, sending the first hash value, the third vector, the target polynomial and the second hash value to the signature apparatus, so that it can confirm that a restart is justified. When the infinity norm of the fifth vector is less than or equal to the second preset value, the step of forming the signature from the random byte array, the fifth vector and the second hash value is triggered. The second preset value δ2, the fourth parameter value γ, the first parameter value η, the second parameter value K and the third parameter value α satisfy δ2 = γ − ηK − α.
In a sixth possible implementation, before the message to be processed and the random byte array are hashed into the first hash value, the method further comprises: when the infinity norm of the fourth vector exceeds the first preset value, triggering the step of randomly regenerating the third vector from the polynomial ring. The first preset value δ1, the second modulus q, the first modulus p, the first parameter value η and the second parameter value K satisfy δ1 = q/2 − pηK. By this rejection sampling the third vector is regenerated until a fourth vector meeting the requirement is obtained; the bound ensures that w mod p, which is hashed, agrees with the value the verifier recomputes, since subtracting at most pηK from each coefficient of w can then not wrap around modulo q.
Building on the above implementations of the first aspect, in a seventh possible implementation, before sending the blinded message to the signature apparatus, the method further comprises: when the ℓ1 norm of the blinded message is not equal to the sum of the ℓ1 norm of the target polynomial and the ℓ1 norm of the second hash value, triggering the step of randomly regenerating the third vector from the polynomial ring. By this rejection sampling the third vector is regenerated until a blinded message meeting the requirement is obtained.
In an eighth possible implementation, before sending the blinded message to the signature apparatus, when the infinity norm of the blinded message equals 2, the step of randomly regenerating the third vector from the polynomial ring is triggered. By this rejection sampling the third vector is regenerated until a blinded message meeting the requirement is obtained. Together, the seventh and eighth conditions reject any target polynomial whose non-zero coefficients overlap those of the second hash value, so the blinded message keeps coefficients in {−1, 0, 1}.
A second aspect provides a blind signature method in which the signature apparatus generates a public key and a private key and randomly generates a sixth vector from the polynomial ring; computes the second vector from the sixth vector, the second modulus and the matrix in the public key; sends the public key and the second vector to the user equipment; receives the blinded message from the user equipment; adds the product of the first secret vector and the blinded message to the sixth vector; and sends the blind signature obtained by this summation to the user equipment.
As in the first aspect, the key pair is generated from the MLWE problem: the private key sk consists of s1 and s2, and the public key pk is (A, t = A s1 + p s2 mod q), with the s2 term scaled by p. This provides a new blind signature method that resists quantum attacks.
In a first possible implementation, the sixth vector r, the matrix A, the second vector x and the second modulus q satisfy x = A r mod q.
In a second possible implementation, before sending the blind signature obtained by the summation to the user equipment, the method further comprises: when the infinity norm of the blind signature is greater than the third preset value, which indicates that the blind signature is not a solution of the module short integer solution (MSIS) problem, triggering the step of randomly regenerating the sixth vector from the polynomial ring; when the infinity norm of the blind signature is less than or equal to the third preset value, which indicates that the blind signature can serve as a solution of the MSIS problem, triggering the step of sending the blind signature to the user equipment. By this rejection sampling the sixth vector is regenerated until a blind signature meeting the requirement is obtained as a solution of the MSIS problem. The third preset value δ3, the fourth parameter value γ, the first parameter value η and the second parameter value K satisfy δ3 = γ − ηK.
In a third possible implementation, the method further comprises: after receiving the first hash value, the third vector, the target polynomial and the second hash value from the user equipment, computing the fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus, and computing the seventh vector from the matrix, the third vector, the blind signature, the second hash value, the first vector and the second modulus; then determining a first result equal to the signed (blinded) message minus the target polynomial, a second result by hashing the first hash value, the fourth vector and the first modulus, and a third result by hashing the first hash value, the seventh vector and the first modulus. When the first, second and third results all equal the second hash value and the infinity norm of the sum of the blind signature and the third vector is greater than the second preset value δ2 (the threshold at which the user equipment requests a restart), the step of randomly regenerating the sixth vector from the polynomial ring is triggered. This check prevents the user equipment from triggering restarts that are not justified.
A third aspect provides a blind signature method in which the signature verification apparatus, after receiving the message to be processed and the signature from the user equipment, sends a verification public key request to the signature apparatus, receives the public key from the signature apparatus, and verifies the message and the signature with the public key. The signature consists of the random byte array, the fifth vector and the second hash value. The public key consists of the matrix and the first vector. During blind signing, w mod p is used as an input to the hash function, and during verification the low-order part is obtained by computing A z − c t mod± q and then reducing mod p. No known blind signature scheme constructs the hash input in the signing process in this way or verifies signatures in this way.
In a first possible implementation, verifying the message and the signature with the public key comprises: computing the seventh vector from the matrix, the fifth vector, the second hash value, the first vector and the second modulus; hashing the message to be processed and the random byte array into the first hash value; computing a third hash value from the first hash value, the seventh vector and the first modulus; when the third hash value equals the second hash value, determining that the message and signature pass verification; when they differ, determining that the message and signature fail verification.
Building on the first implementation, in a second possible implementation the fifth vector z, the matrix A, the second hash value c, the first vector t, the second modulus q and the seventh vector w′ satisfy w′ = A z − c t mod± q.
Building on the above implementations of the third aspect, in a third possible implementation the method further comprises: when the infinity norm of the fifth vector is greater than the second preset value, determining that the message and signature fail verification and sending an illegal-signature message to the user equipment; when the infinity norm of the fifth vector is less than or equal to the second preset value, the bound check passes and verification proceeds with the hash comparison.
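As an added derivation (mine, not part of the patent text), the relations stated above (t = A s1 + p s2 mod q, x = A r mod q, blind signature ŝ = s1 e + r, z = ŝ + a and e = c + b) show why the verifier's w′ hashes to the same value as the user's w:

$$
\begin{aligned}
w' &= A z - c t = A(s_1 e + r + a) - c\,(A s_1 + p s_2) \\
   &= A s_1 (c + b) + x + A a - c A s_1 - p\, c\, s_2 \\
   &= x + A a + b\,(A s_1 + p s_2) - p\,(b + c)\, s_2 \\
   &= w - p\, s_2\, e \pmod{q}.
\end{aligned}
$$

Since ‖b‖1 ≤ κ and ‖c‖1 ≤ K − κ, ‖e‖1 ≤ K, and with the coefficients of s2 in [−η, η] every coefficient of p s2 e is bounded by pηK. When ‖w‖∞ ≤ q/2 − pηK = δ1, the integer w − p s2 e already lies in the centred range of mod± q, so w′ = w − p s2 e holds over the integers and w′ ≡ w (mod p). The verifier's H(C, w′ mod p) therefore equals the user's c = H(C, w mod p) exactly when the blinding step rejected every w with ‖w‖∞ above δ1; it is the residues mod p that survive the subtraction, which is why the hash is taken over w mod p rather than over w itself.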
A fourth aspect provides a user equipment having the function of implementing the method of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the above function.
A fifth aspect provides a signature apparatus having the function of implementing the method of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the above function.
A sixth aspect provides a signature verification apparatus having the function of implementing the method of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the above function.
A seventh aspect provides a user equipment comprising a processor and a memory, the memory storing a program and the processor implementing the method of the first aspect by executing the program.
An eighth aspect provides a signature apparatus comprising a processor and a memory, the memory storing a program and the processor implementing the method of the second aspect by executing the program.
A ninth aspect provides a signature verification apparatus comprising a processor and a memory, the memory storing a program and the processor implementing the method of the third aspect by executing the program.
A tenth aspect provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the methods of the above aspects.
An eleventh aspect provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the methods of the above aspects.
A twelfth aspect provides a chip system comprising at least one processor coupled to a memory, the memory storing a computer program or instructions and the processor executing the computer program or instructions to implement the methods of the above aspects.
Description of the drawings
Figure 1 is a schematic diagram of an online transaction scenario in an embodiment of the present application;
Figure 2 is a schematic diagram of an electronic voting scenario in an embodiment of the present application;
Figure 3 is a schematic diagram of the blind signature system in an embodiment of the present application;
Figure 4 is a flowchart of the blind signature method in an embodiment of the present application;
Figure 5 is another flowchart of the blind signature method in an embodiment of the present application;
Figure 6 is another flowchart of the blind signature method in an embodiment of the present application;
Figure 7 is a signaling interaction diagram of the blind signature method in an embodiment of the present application;
Figure 8 is a structural diagram of the user equipment in an embodiment of the present application;
Figure 9 is a structural diagram of the signature apparatus in an embodiment of the present application;
Figure 10 is a structural diagram of the signature verification apparatus in an embodiment of the present application;
Figure 11 is a structural diagram of a terminal in an embodiment of the present application;
Figure 12 is a structural diagram of a server in an embodiment of the present application.
Detailed description
The blind signature method of this application can be applied to electronic payment systems, electronic voting systems and the like. The blind signature method in these scenarios is introduced below.
Referring to Figure 1, in an electronic payment scenario the electronic payment system comprises a user device 11, a trusted third party (TTP) device 12 and a sales device 13.
Step 101: the user device 11 blinds the electronic cash withdrawn from the electronic account.
Step 102: the user device 11 sends the blinded electronic cash to the TTP device 12.
Step 103: the TTP device 12 returns the blind signature to the user device 11.
Because of the blindness and untraceability of the blind signature, the TTP device 12 learns neither the amount of the electronic cash nor which of its interactions produced the signature that the user extracts.
Step 104: the user device 11 unblinds the blind signature to obtain the signature.
Step 105: the user device 11 sends the electronic cash and the signature to the sales device 13.
Step 106: the sales device 13 sends a verification public key request to the TTP device 12.
Step 107: the TTP device 12 sends the public key to the sales device 13.
Step 108: the sales device 13 verifies the signature with the public key.
Step 109: when the signature passes verification, the electronic cash is accepted and deposited into the merchant's electronic account.
Step 110: the sales device 13 sends a receipt to the user device 11.
After accepting the electronic cash, the sales device 13 may also send other things, such as goods.
In this way the user and the merchant complete the transaction by means of the blind signature, and the transaction details remain unknown to the TTP device 12.
Referring to Figure 2, in an electronic voting scenario the electronic voting system comprises a voting device 21, a signature server 22 and a vote counting server 23.
Step 201: the voting device 21 blinds the ballot.
Step 202: the voting device 21 sends the blinded ballot to the signature server 22.
Step 203: the signature server 22 returns the blind-signed ballot to the voting device 21.
Step 204: the voting device 21 extracts the ballot signature.
Step 205: the voting device 21 sends the ballot and the signature to the vote counting server 23.
Step 206: the vote counting server 23 sends a verification public key request to the signature server 22.
Step 207: the signature server 22 sends the public key to the vote counting server 23.
Step 208: the vote counting server 23 verifies the signature with the public key.
Step 209: when the signature passes verification, the vote counting server 23 increments the vote count by one.
When the signature fails verification, the vote counting server 23 treats the ballot as invalid and does not count it.
In this way a voter's ballot stays confidential during the voting phase and is only revealed during counting, so the blind signature serves the confidentiality requirement well.
The blind signature system of this application is introduced below. Referring to Figure 3, in one example the blind signature system of this application comprises an application layer 31, a service layer 32 and a computation layer 33. The application layer 31 is divided into three roles according to the type of service used: user, signer and verifier. The user uses the message blinding and unblinding functions of the blind signature module in the service layer 32. The signer uses the key generation module and the blind signature generation function of the blind signature module in the service layer 32. The verifier uses the signature verification module of the service layer 32. The service layer 32 depends on results returned by the computation layer: each module of the service layer 32 calls the polynomial module, the sampling module and the hash function of the computation layer 33. The polynomial module and the sampling module are introduced to support the basic lattice operations and to guarantee the security of the scheme; blind signature systems built on number-theoretic problems have no such modules.
In existing blind signature methods the key pair is constructed from the integer factorization problem or the discrete logarithm problem. The mathematical problems they rely on can be solved by quantum algorithms in polynomial time, so such schemes are hard to make resistant to quantum attacks. To address this, this application provides a key pair constructed from the module learning with errors (MLWE) problem. MLWE is a standard lattice problem for which the best known quantum algorithms take exponential time, so it is considered resistant to quantum attacks.
The parameters of the blind signature method of this application are n, q, p, m, l, η, γ, α, κ and K, all of which are positive integers.
The blind signature method using the above key pair is first described with the user equipment as the executing entity. Referring to Figure 4, one embodiment of the blind signature method of this application comprises:
Step 401: receive the public key and the second vector sent by the signature apparatus.
The public key consists of the matrix A and the first vector t. The first vector depends on the product of the first secret vector s1 with the matrix A and on the product of the second secret vector s2 with the first modulus p.
Optionally, the first vector t, the matrix A, the first secret vector s1, the second secret vector s2, the first modulus p and the second modulus q satisfy:
t = A s1 + p s2 mod q   Formula 1
The first modulus p is an integer greater than 1, and the greatest common divisor of the first modulus p and the second modulus q is 1. Note that the reduction mod q is applied to A s1 + p s2 as a whole.
The matrix A consists of m × l polynomials chosen uniformly from the polynomial ring R_q. One example of R_q is Z_q[x]/(x^n + 1), where Z_q[x] is the set of polynomials with coefficients modulo q and every element of Z_q[x]/(x^n + 1) has degree below n.
The first secret vector s1 consists of l polynomials chosen at random from the target polynomial ring, and the second secret vector s2 of m polynomials chosen at random from the same ring. Every polynomial in the target polynomial ring is a small-coefficient polynomial, where η < q and η is a positive integer; "small" means small relative to the second modulus q. I_η denotes the integers in the interval [−η, η], and the small coefficients of the polynomials in I_η^n are drawn from I_η.
Step 402: randomly generate the third vector from the polynomial ring.
Every polynomial in this polynomial ring has coefficients whose absolute value does not exceed α.
Step 403: randomly generate the target polynomial from the polynomial set.
Every polynomial in the polynomial set B_κ has coefficients of absolute value at most 1 and at most κ non-zero coefficients.
Step 404: compute the fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus.
Optionally, the second vector x, the matrix A, the third vector a, the target polynomial b, the first vector t, the second modulus q and the fourth vector w satisfy Formula 2:
w = x + A a + b t mod± q   Formula 2
mod denotes modular reduction. For any integer u, u mod± q yields a representative whose absolute value is at most q/2, and u mod q yields a number in [0, q − 1].
Step 405: determine whether the infinity norm of the fourth vector exceeds the first preset value; if so, go to step 402, otherwise go to step 406.
When the infinity norm of the fourth vector exceeds the first preset value, the third vector and the target polynomial are regenerated at random, which implements rejection sampling. Keeping ‖w‖∞ within δ1 guarantees that w mod p, which is hashed in step 407, agrees with the value the verifier recomputes from A z − c t, because the difference between the two, at most pηK per coefficient, can then not wrap around modulo q. The first preset value δ1, the second modulus q, the first modulus p, the first parameter value η and the second parameter value K satisfy Formula 3:
δ1 = q/2 − pηK   Formula 3
Step 406: Hash the message to be processed together with the random byte array to obtain the first hash value C.
Optionally, a cryptographic hash function is applied to the message and the random byte array to obtain the first hash value. Instead of a cryptographic hash function, another commitment (com) function may be used to process the message and the random byte array. Each bit of the random byte array is 0 or 1, generated at random with 0 and 1 equally likely.
Step 407: Compute the second hash value c by hashing the first hash value C, the fourth vector w and the first modulus p.
Optionally, C, w, p and c satisfy Formula 4:
c = H(C, w mod p)   (Formula 4)
H() denotes a hash function; the first hash value C and w mod p are its two inputs.
The second hash value c corresponds to a polynomial in the polynomial ring whose 1-norm does not exceed K − κ, where K > κ.
Step 408: Generate the blinded message e from the second hash value c and the target polynomial b.
Optionally, the blinded message e is the sum of the second hash value and the target polynomial: e = c + b.
Step 409: Check whether the 1-norm of the blinded message satisfies the rejection-sampling condition. If it does, return to step 402; if not, proceed to step 410.
For convenience, the 1-norm of the blinded message e is written ||e||1, that of the target polynomial b is written ||b||1 and that of the second hash value c is written ||c||1.
Optionally, the rejection condition is ||e||1 ≠ ||b||1 + ||c||1. Since |x + y| < |x| + |y| exactly when x and y are non-zero and of opposite sign, this condition fires precisely when some non-zero coefficient of b is cancelled (partly or fully) by a coefficient of c of the opposite sign. When ||e||1 ≠ ||b||1 + ||c||1, the condition is met and the third vector and target polynomial are drawn afresh; when ||e||1 = ||b||1 + ||c||1, the condition is not met and step 410 is executed.
Alternatively, the rejection condition is ||e||∞ = 2, stated with the infinity norm as in the description of the user equipment of Fig. 8 below (for ternary b and c this is the case in which a non-zero coefficient of b coincides with a coefficient of c of the same sign). When ||e||∞ = 2 the condition is met and the third vector and target polynomial are drawn afresh; when ||e||∞ ≠ 2 the condition is not met and step 410 is executed.
Step 410: Send the blinded message e to the signing device.
The signing device derives the blind signature from the blinded message. Optionally, the blind signature y, the first secret vector s1, the sixth vector r and the blinded message e satisfy Formula 5:
y = r + e·s1   (Formula 5)
Step 411: Receive the blind signature y sent by the signing device.
Step 412: Set the fifth vector z to the sum of the blind signature and the third vector: z = y + a.
Step 413: Check whether the infinity norm of the fifth vector exceeds the second preset value δ2. If it does, execute step 416; otherwise execute step 414.
The second preset value δ2, the fourth parameter value γ, the first parameter value η, the second parameter value K and the third parameter value α satisfy Formula 6:
δ2 = γ − ηK − α   (Formula 6)
When ||z||∞ > δ2, step 416 is executed; when ||z||∞ ≤ δ2, step 414 is executed.
Step 414: Assemble the signature from the random byte array, the fifth vector z and the second hash value c. The signature comprises these three components; their order within the signature may be chosen as required.
Step 415: Send the message to be processed and the signature to the verifying device.
Step 416: Send the first hash value C, the third vector a, the target polynomial b and the second hash value c to the signing device.
After receiving C, a, b and c, the signing device can check from these values whether the information is legitimate. If it is, the blind signature method is restarted; if any of it is illegitimate, the blind signature method is terminated early.
This embodiment provides a public/private key pair for the blind signature method that is generated from the MLWE problem. The private key sk comprises the first secret vector s1 and the second secret vector s2. The public key pk is (A, t = A·s1 + p·s2 mod q); note in particular that the s2 term is scaled by p. This way of constructing the key pair differs from the key pairs of existing lattice-based blind signature schemes built from a linear hash function, and from key pairs built from the SIS problem, where the private key sk is a small-coefficient matrix S and the public key pk is a randomly generated matrix A together with the product AS.
Secondly, this embodiment uses w mod p as the input of the hash function during blind signing and, during verification, computes A·z − c·t mod±q and then reduces it mod p to keep only the low-order part. No known blind signature scheme constructs the hash input or verifies signatures in this way.
Thirdly, the user equipment refreshes the third vector and the target polynomial by rejection sampling, so that the blinded message is uniformly distributed over its set; this gives the signature its blindness and unlinkability.
Finally, the matrix, the first secret vector and the second secret vector can be obtained by uniform sampling (from R_q and from the target polynomial ring respectively), and the third vector by uniform sampling from the polynomial ring. Compared with discrete Gaussian sampling, this is considerably simpler.
The blind signature method of this application is now described from the perspective of the signing device. Referring to Fig. 5, another embodiment of the method comprises:
Step 501: Generate the public key and the private key.
The public key comprises the matrix A and the first vector t. The private key comprises A, t, the first secret vector s1 and the second secret vector s2. The product of s1 with A and the product of s2 with the first modulus p both enter the first vector t, and p is an integer greater than 1. For these parameters see the corresponding description of the embodiment of Fig. 4.
The matrix A consists of m×l polynomials chosen uniformly from the polynomial ring R_q. The first secret vector consists of l polynomials chosen at random from the target polynomial ring I_η^n, and the second secret vector of m polynomials chosen at random from I_η^n.
Step 502: Randomly generate the sixth vector r from the polynomial ring.
Step 503: Compute the second vector x from the sixth vector r, the matrix A and the second modulus q.
Optionally, r, A, q and x satisfy Formula 7:
x = A·r mod q   (Formula 7)
Step 504: Send the public key and the second vector x to the user equipment.
Step 505: Receive the blinded message e sent by the user equipment.
Step 506: Add the product of the first secret vector and the blinded message to the sixth vector.
The blind signature y, the first secret vector s1, the blinded message e and the sixth vector r satisfy Formula 8:
y = r + e·s1   (Formula 8)
Step 507: Check whether the infinity norm of the blind signature exceeds the third preset value δ3. If it does, return to step 502; otherwise execute step 508.
The third preset value δ3, the fourth parameter value γ, the first parameter value η and the second parameter value K satisfy Formula 9:
δ3 = γ − ηK   (Formula 9)
Writing ||y||∞ for the infinity norm of the blind signature: when ||y||∞ > δ3, step 502 is executed; when ||y||∞ ≤ δ3, step 508 is executed.
Step 508: Send the blind signature y obtained by the summation to the user equipment.
The key pair of this embodiment is generated from the MLWE problem exactly as described for the embodiment of Fig. 4: sk = (s1, s2) and pk = (A, t = A·s1 + p·s2 mod q) with the s2 term scaled by p, which differs both from key pairs built from a linear hash function in existing lattice-based blind signatures and from SIS-based key pairs (sk a small-coefficient matrix S, pk = (A, AS)). Likewise, w mod p serves as the hash input during signing and A·z − c·t mod±q is reduced mod p during verification, a construction not used by any known blind signature scheme.
Furthermore, by construction the blinded message is uniformly distributed over its set, so the signing device cannot learn which message the blinded message corresponds to; this gives the message its blindness.
In an optional embodiment, the blind signature method further comprises, at the signing device:
when the user equipment has determined that the infinity norm of the fifth vector exceeds the second preset value, receiving the first hash value C, the third vector a, the target polynomial b and the second hash value c sent by the user equipment;
computing the fourth vector w from the second vector x, the matrix A, a, b, the first vector t and the second modulus q (as in Formula 2);
computing the seventh vector w′ from A, a, the blind signature y, c, t and q, i.e. w′ = A·(y + a) − c·t mod±q;
determining the first result as the blinded message e minus the target polynomial b;
hashing C, w and the first modulus p to obtain the second result H(C, w mod p);
hashing C, w′ and p to obtain the third result H(C, w′ mod p);
when the first, second and third results all equal the second hash value c and the infinity norm of y + a exceeds the third preset value, the received C, a, b and c are judged to come from a legitimate user, and step 502 is triggered to restart the blind signature method.
In this embodiment, when one or more of the three results differs from the second hash value, or the infinity norm of y + a is less than or equal to the third preset value, the received first hash value, third vector, target polynomial or second hash value contains illegitimate information, i.e. it comes from a malicious user. The signing device can then refuse the malicious restart request; terminating early in this way avoids wasting computing resources.
The blind signature method of this application is now described from the perspective of the verifying device. Referring to Fig. 6, another embodiment of the method comprises:
Step 601: Receive the message to be processed and the signature sent by the user equipment; the signature comprises the random byte array, the fifth vector z and the second hash value c.
Step 602: Send a verification public key request to the signing device.
Step 603: Receive the public key sent by the signing device; the public key comprises the matrix A and the first vector t.
Step 604: Verify the message and the signature using the public key.
Optionally, step 604 comprises: computing the seventh vector w′ from A, z, c, t and the second modulus q; hashing the message and the random byte array to obtain the first hash value C; computing the third hash value c′ from C, w′ and the first modulus p; when c′ equals c, the message and signature pass verification, and when c′ differs from c they fail verification.
Optionally, the seventh vector w′ computed from A, z, c, t and q satisfies Formula 10:
w′ = A·z − c·t mod±q   (Formula 10)
Optionally, C, w′, p and c′ satisfy Formula 11:
c′ = H(C, w′ mod p)   (Formula 11)
Correctness of the scheme. Substituting z = y + a, y = r + e·s1, A·s1 ≡ t − p·s2 (mod q) and c = e − b:
A·z − c·t mod±q = A·(y + a) − c·t mod±q
= A·(r + e·s1) + A·a − c·t mod±q
= A·r + e·(t − p·s2) + A·a − (e − b)·t mod±q
= A·r + A·a + b·t − p·e·s2 mod±q
= w − p·e·s2 mod±q
Since ||w||∞ < q/2 − pηK (enforced by the rejection check of step 405) and ||p·e·s2||∞ ≤ p·||e||1·||s2||∞ ≤ pKη, the subtraction does not wrap around modulo q: w′ equals w − p·e·s2 as an integer vector, hence w mod p = w′ mod p and c = c′. Every honestly produced signature therefore passes verification.
As the above shows, the security of the key pair rests on the hardness of the MLWE problem, and the unforgeability of signatures on the hardness of the module short integer solution (MSIS) problem.
In another optional embodiment, the method further comprises: when the infinity norm of the fifth vector z exceeds the second preset value δ2, the message and signature are determined not to pass verification.
Note that the signing device may send the public key to the verifying device in advance, and the verifying device stores it locally; after step 601 the locally stored public key is then used to verify the message and signature.
Referring to Fig. 7, an embodiment of the blind signature method of this application comprises:
Step 701: The signing device generates the public key and the private key.
Step 702: The signing device randomly generates the sixth vector r from the polynomial ring.
Step 703: The signing device computes the second vector x from r, the matrix A and the second modulus q.
Step 704: The signing device sends the public key and x to the user equipment.
Step 705: The user equipment randomly generates the third vector a from the polynomial ring.
Step 706: The user equipment randomly generates the target polynomial b from the polynomial set.
Step 707: The user equipment computes the fourth vector w from x, A, a, b, the first vector t and q.
Step 708: The user equipment hashes the message to be processed and the random byte array to obtain the first hash value C.
Step 709: The user equipment computes the second hash value c by hashing C, w and the first modulus p.
Step 710: The user equipment generates the blinded message e from c and b.
Step 711: The user equipment sends e to the signing device.
Step 712: The signing device adds the product of the first secret vector s1 and e to the sixth vector r.
Step 713: The signing device sends the resulting blind signature y to the user equipment.
Step 714: The user equipment obtains the signature from y, the random byte array and c.
Step 715: The user equipment sends the message and the signature to the verifying device.
Step 716: The verifying device sends a verification public key request to the signing device.
Step 717: The signing device sends the public key to the verifying device.
Step 718: The verifying device verifies the message and signature with the public key.
In this embodiment the steps performed by the user equipment, the signing device and the verifying device correspond to those described for Figs. 4, 5 and 6 respectively; see the description above for details.
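The following is an added toy implementation of the complete interaction of Figs. 4 to 7 in Python; it is not code from the application. It shows key generation (t = A·s1 + p·s2 mod q), the signer's commitment x = A·r, the user's blinding with the rejection checks of steps 405 and 409, the signer's y = r + e·s1 with the δ3 check, the user's unblinding with the δ2 check, and verification via Formulas 10 and 11. Everything not fixed by the text is an assumption: the parameter values (N, q, p, m, l, η, α, γ, κ, K) are tiny and carry no security; r is bounded by γ; b has exactly κ non-zero coefficients; H is SHA3-256, with w mod p serialised coefficient-wise and c mapped to a ternary polynomial of 1-norm exactly K − κ. The step 405 check keeps ||w||∞ < δ1, which is what the correctness argument requires.

```python
"""Toy run of the blind signature of Figs. 4-7 (added example, assumed parameters)."""
import hashlib, os, random

N, Q, P, M, L = 32, 8380417, 3, 2, 2     # ring Z_q[X]/(X^N+1), moduli q and p, A is M x L
ETA, ALPHA, GAMMA = 2, 2 ** 10, 2 ** 19  # bounds on s1/s2, on a, and (assumed) on r
KAPPA, K = 2, 6                          # b in B_KAPPA; ||c||_1 <= K - KAPPA, so ||e||_1 <= K
DELTA1 = Q // 2 - P * ETA * K            # Formula 3
DELTA2 = GAMMA - ETA * K - ALPHA         # Formula 6
DELTA3 = GAMMA - ETA * K                 # Formula 9

def pmul(f, g):
    """Product in Z[X]/(X^N + 1) over the integers (X^N = -1), no reduction mod q."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N: out[i + j] += fi * gj
            else: out[i + j - N] -= fi * gj
    return out

def padd(f, g, sign=1): return [x + sign * y for x, y in zip(f, g)]
def modq(f): return [x % Q for x in f]                       # u mod q, in [0, q-1]
def modpm(f): return [(x + Q // 2) % Q - Q // 2 for x in f]  # u mod+-q, |.| <= (q-1)/2
def inf_norm(v): return max(abs(x) for f in v for x in f)
def l1_norm(f): return sum(abs(x) for x in f)
def rand_vec(dim, bound): return [[random.randint(-bound, bound) for _ in range(N)] for _ in range(dim)]

def matvec(A, v):
    """A*v mod q for A in R_q^(M x L) and v a vector of L polynomials."""
    out = []
    for row in A:
        acc = [0] * N
        for aij, vj in zip(row, v): acc = padd(acc, pmul(aij, vj))
        out.append(modq(acc))
    return out

def sparse_ternary(weight, rng=random):
    """Ternary polynomial with exactly `weight` non-zero coefficients (used for b and c)."""
    f = [0] * N
    for i in rng.sample(range(N), weight): f[i] = rng.choice((-1, 1))
    return f

def hash_C(msg, rbytes):                     # first hash value C (step 406)
    return hashlib.sha3_256(b"C|" + rbytes + msg).digest()

def hash_c(C, w):
    """c = H(C, w mod p), mapped to a ternary polynomial with ||c||_1 = K - KAPPA (Formula 4)."""
    low = bytes(x % P for f in w for x in f)  # only the residues mod p enter the hash
    seed = hashlib.sha3_256(b"c|" + C + low).digest()
    return sparse_ternary(K - KAPPA, random.Random(seed))

def keygen():
    """pk = (A, t = A s1 + p s2 mod q), sk = (s1, s2)."""
    A = [[[random.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(M)]
    s1, s2 = rand_vec(L, ETA), rand_vec(M, ETA)
    t = [modq(padd(u, [P * x for x in s])) for u, s in zip(matvec(A, s1), s2)]
    return (A, t), (s1, s2)

def signer_commit(pk):                       # steps 502-503
    r = rand_vec(L, GAMMA)
    return r, matvec(pk[0], r)               # x = A r mod q (Formula 7)

def user_blind(pk, x, msg):
    """Steps 402-409; loops until both rejection checks pass. Returns (state, e)."""
    A, t = pk
    rbytes = os.urandom(32)                  # random byte array
    C = hash_C(msg, rbytes)
    while True:
        a, b = rand_vec(L, ALPHA), sparse_ternary(KAPPA)             # steps 402-403
        w = [modpm(padd(padd(xi, ai), pmul(b, ti)))
             for xi, ai, ti in zip(x, matvec(A, a), t)]               # Formula 2
        if inf_norm(w) >= DELTA1: continue   # step 405: keep only ||w||_inf < q/2 - p*eta*K
        c = hash_c(C, w)                                              # step 407
        e = padd(c, b)                                                # step 408
        if l1_norm(e) != l1_norm(b) + l1_norm(c): continue            # step 409: a cancellation
        return (rbytes, a, c), e

def signer_sign(sk, r, e):
    """Steps 506-507: y = r + e s1 (Formula 8), or None when ||y||_inf > delta3."""
    y = [padd(ri, pmul(e, si)) for ri, si in zip(r, sk[0])]
    return y if inf_norm(y) <= DELTA3 else None

def user_unblind(state, y):
    """Steps 412-414: z = y + a; signature (rbytes, z, c), or None when ||z||_inf > delta2."""
    rbytes, a, c = state
    z = [padd(yi, ai) for yi, ai in zip(y, a)]
    return (rbytes, z, c) if inf_norm(z) <= DELTA2 else None

def verify(pk, msg, sig):
    """Step 604: w' = A z - c t mod+-q (Formula 10); accept iff H(C, w' mod p) == c (Formula 11)."""
    A, t = pk
    rbytes, z, c = sig
    if inf_norm(z) > DELTA2: return False
    w2 = [modpm(padd(az, pmul(c, ti), -1)) for az, ti in zip(matvec(A, z), t)]
    return hash_c(hash_C(msg, rbytes), w2) == c

def blind_sign(pk, sk, msg):
    """The interaction of Fig. 7, restarted from step 502 whenever a check fires."""
    while True:
        r, x = signer_commit(pk)
        state, e = user_blind(pk, x, msg)
        y = signer_sign(sk, r, e)
        if y is None: continue               # step 507 -> 502
        sig = user_unblind(state, y)
        if sig is not None: return sig       # otherwise step 416: restart

if __name__ == "__main__":
    pk, sk = keygen()
    sig = blind_sign(pk, sk, b"constructed sample message")
    print("valid:", verify(pk, b"constructed sample message", sig),
          "other message:", verify(pk, b"tampered", sig))
```

The point the code makes concrete is the one in the correctness argument: the verifier's w′ differs from the user's w only by p·e·s2, which the δ1 check keeps small enough not to wrap modulo q, so hashing the residues mod p (and nothing finer) makes c′ = c for every honest run while a different message or a modified z changes the residues and fails. Running the protocol several times also shows how rarely the three rejection checks fire for these toy bounds.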
The basic scheme of this application is given over module lattices, and a blind signature scheme over NTRU lattices can be derived from it. To do so, s1 and s2 are replaced by small-coefficient polynomials f and g, the matrix A by the polynomial h = (p·g + 1)·f^(-1), and the public-key element t collapses to 1. The multi-dimensional polynomial vectors of the signing and verification flows become single polynomials, and the rejection-sampling bounds are adjusted accordingly, which yields an instantiation of the scheme on NTRU lattices. The basic operations on NTRU lattices are covered by an IEEE (Institute of Electrical and Electronics Engineers) standard and have efficient engineering implementations.
Referring to Fig. 8, an embodiment of the user equipment 800 provided by this application comprises a receiving unit 801, a processing unit 802 and a sending unit 803.
The receiving unit 801 is configured to receive the public key and the second vector sent by the signing device; the public key comprises the matrix and the first vector, the product of the first secret vector with the matrix and the product of the second secret vector with the first modulus both enter the first vector, and the first modulus is an integer greater than 1.
The processing unit 802 is configured to randomly generate the third vector from the polynomial ring; randomly generate the target polynomial from the polynomial set; compute the fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus; hash the message to be processed and the random byte array into the first hash value; compute the second hash value by hashing the first hash value, the fourth vector and the first modulus; and generate the blinded message from the second hash value and the target polynomial.
The sending unit 803 is configured to send the blinded message to the signing device.
The receiving unit 801 is further configured to receive the blind signature sent by the signing device, which the signing device derives from the blinded message.
The processing unit 802 is further configured to obtain the signature from the blind signature, the random byte array and the second hash value.
The sending unit 803 is further configured to send the message to be processed and the signature to the verifying device.
In an optional embodiment, the processing unit 802 is specifically configured to set the fifth vector to the sum of the blind signature and the third vector, and to assemble the signature from the random byte array, the fifth vector and the second hash value.
In another optional embodiment, the sending unit 803 is further configured to send the first hash value, the third vector, the target polynomial and the second hash value to the signing device when the infinity norm of the fifth vector exceeds the second preset value.
In another optional embodiment, the processing unit 802 is further configured to draw a fresh third vector from the polynomial ring when the infinity norm of the fourth vector is not below the first preset value (the correctness argument requires ||w||∞ < δ1 for every accepted w), where the first preset value δ1, the second modulus q, the first modulus p, the first parameter value η and the second parameter value K satisfy δ1 = q/2 − pηK.
In another optional embodiment, the processing unit 802 is further configured to draw a fresh third vector from the polynomial ring when the 1-norm of the blinded message is not equal to the sum of the 1-norm of the target polynomial and the 1-norm of the second hash value.
In another optional embodiment, the processing unit 802 is further configured to draw a fresh third vector from the polynomial ring when the infinity norm of the blinded message equals 2.
For the terminology, the steps performed by each unit and the resulting benefits of the embodiment of Fig. 8, see the corresponding description of the embodiment of Fig. 4.
Referring to Fig. 9, an embodiment of the signing device 900 provided by this application comprises:
a processing unit 902 configured to generate the public key and the private key, where the public key comprises the matrix and the first vector, the private key comprises the matrix, the first vector, the first secret vector and the second secret vector, the product of the first secret vector with the matrix and the product of the second secret vector with the first modulus both enter the first vector, and the first modulus is an integer greater than 1;
the processing unit 902 being further configured to randomly generate the sixth vector from the polynomial ring;
the processing unit 902 being further configured to compute the second vector from the sixth vector, the matrix and the second modulus;
a sending unit 903 configured to send the public key and the second vector to the user equipment;
a receiving unit 901 configured to receive the blinded message sent by the user equipment;
the processing unit 902 being further configured to add the product of the first secret vector and the blinded message to the sixth vector;
the sending unit 903 being further configured to send the blind signature obtained by the summation to the user equipment.
In an optional embodiment,
the processing unit 902 is further configured to draw a fresh sixth vector from the polynomial ring when the infinity norm of the blind signature exceeds the third preset value, where the third preset value δ3, the fourth parameter value γ, the first parameter value η and the second parameter value K satisfy δ3 = γ − ηK.
In an optional embodiment,
the receiving unit 901 is further configured to receive the first hash value, the third vector, the target polynomial and the second hash value sent by the user equipment;
and the processing unit 902 is further configured to compute the fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus; compute the seventh vector from the matrix, the third vector, the blind signature, the second hash value, the first vector and the second modulus; determine the first result as the blinded message minus the target polynomial; hash the first hash value, the fourth vector and the first modulus to obtain the second result; hash the first hash value, the seventh vector and the first modulus to obtain the third result; and, when the first, second and third results all equal the second hash value and the infinity norm of the sum of the blind signature and the third vector exceeds the third preset value, draw a fresh sixth vector from the polynomial ring, where δ3, γ, η and K satisfy δ3 = γ − ηK.
For the terminology, the steps performed by each unit and the resulting benefits of the embodiment of Fig. 9, see the corresponding description of the embodiment of Fig. 5.
Referring to Figure 10, in one embodiment, the signature verification apparatus 1000 of the present application includes:
a receiving unit 1001, configured to receive a message to be processed and a signature sent by the user equipment, the signature including a random byte array, a fifth vector and a second hash value;
a sending unit 1003, configured to send a signature verification public key request to the signature apparatus;
the receiving unit 1001 being further configured to receive the public key sent by the signature apparatus, the public key including a matrix and a first vector;
a verification unit 1002, configured to verify the message to be processed and the signature using the public key.
In an optional embodiment, the verification unit 1002 is specifically configured to: calculate a seventh vector from the matrix, the fifth vector, the second hash value, the first vector and the second modulus; hash the message to be processed and the random byte array into a first hash value; calculate a third hash value from the first hash value, the seventh vector and the first modulus; when the third hash value equals the second hash value, determine that the message to be processed and the signature pass verification; and when the third hash value does not equal the second hash value, determine that the message to be processed and the signature do not pass verification.
In another optional embodiment, the verification unit 1002 is further configured to determine that the message to be processed and the signature do not pass verification when the infinity norm of the fifth vector is greater than the second preset value.
For the explanation of terms, the steps performed by each unit and the beneficial effects of the embodiment shown in Figure 10, refer to the corresponding description of the embodiment shown in Figure 6.
The present application provides a terminal that can implement the functions of the user equipment in the embodiment shown in Figure 8 and/or the functions of the signature verification apparatus in the embodiment shown in Figure 9. The terminal may be any terminal device such as a mobile phone, a tablet computer, a personal digital assistant (PDA), a point-of-sale (POS) terminal or a vehicle-mounted computer.
Referring to Figure 11, in one embodiment, the terminal includes components such as a radio frequency (RF) circuit 1110, a memory 1120, an input unit 1130, a display unit 1140, a communication interface 1150, an audio circuit 1160, a wireless fidelity (WiFi) module 1170, a processor 1180 and a power supply 1190. Those skilled in the art will understand that the terminal structure shown in Figure 11 does not limit the terminal; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
Each component of the terminal is described in detail below with reference to Figure 11:
The RF circuit 1110 may be used to receive and send signals during the reception and transmission of information or during a call; in particular, after receiving downlink information from a base station it passes that information to the processor 1180 for processing, and it also sends uplink data to the base station. The RF circuit 1110 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA) and a duplexer. In addition, the RF circuit 1110 may communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to the global system for mobile communication (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), long term evolution (LTE), e-mail and the short messaging service (SMS).
The memory 1120 may be used to store software programs and modules; the processor 1180 runs the software programs and modules stored in the memory 1120 to execute the various functional applications and data processing of the terminal. The memory 1120 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function (such as a sound playback function or an image playback function), and the data storage area may store data created according to the use of the terminal (such as audio data or a phone book). In addition, the memory 1120 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device or another volatile solid-state storage device.
The input unit 1130 may be used to receive input numeric or character information and to generate key signal inputs related to the user settings and function control of the terminal. Specifically, the input unit 1130 may include a touch panel 1131 and other input devices 1132. The touch panel 1131, also called a touch screen, can collect the user's touch operations on or near it (such as operations performed on or near the touch panel 1131 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. Optionally, the touch panel 1131 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates and sends them to the processor 1180, and can also receive and execute commands sent by the processor 1180. The touch panel 1131 may be implemented as a resistive, capacitive, infrared or surface acoustic wave panel, among other types. In addition to the touch panel 1131, the input unit 1130 may also include other input devices 1132. Specifically, the other input devices 1132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or power keys), a trackball, a mouse and a joystick.
The display unit 1140 may be used to display information input by the user or provided to the user, as well as the various menus of the terminal. The display unit 1140 may include a display panel 1141, which may optionally be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or the like. Further, the touch panel 1131 may cover the display panel 1141: when the touch panel 1131 detects a touch operation on or near it, it passes the event to the processor 1180 to determine the type of touch event, and the processor 1180 then provides the corresponding visual output on the display panel 1141 according to the type of touch event. Although in Figure 11 the touch panel 1131 and the display panel 1141 are shown as two independent components implementing the input and output functions of the terminal, in some embodiments the touch panel 1131 and the display panel 1141 may be integrated to implement the input and output functions of the terminal.
The terminal may also include a communication interface 1150, which uses a transceiver module such as, but not limited to, a network interface card to implement communication between the terminal and other devices or communication networks.
The audio circuit 1160, a speaker 1161 and a microphone 1162 may provide an audio interface between the user and the terminal. The audio circuit 1160 may convert received audio data into an electrical signal and transmit it to the speaker 1161, which converts it into a sound signal for output; conversely, the microphone 1162 converts a collected sound signal into an electrical signal, which the audio circuit 1160 receives and converts into audio data; the audio data is then output to the processor 1180 for processing and sent through the RF circuit 1110 to, for example, another terminal, or output to the memory 1120 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 1170 the terminal can help the user send and receive e-mail, browse web pages and access streaming media, providing the user with wireless broadband Internet access. Although Figure 11 shows the WiFi module 1170, it will be understood that it is not a necessary component of the terminal and may be omitted as needed without changing the essence of the application.
The processor 1180 is the control center of the terminal; it connects the various parts of the whole terminal through various interfaces and lines and, by running or executing the software programs and/or modules stored in the memory 1120 and calling the data stored in the memory 1120, executes the various functions of the terminal and processes data, thereby monitoring the terminal as a whole. Optionally, the processor 1180 may include one or more processing units; the processor 1180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 1180.
The terminal also includes a power supply 1190 (such as a battery) that powers the various components. Optionally, the power supply may be logically connected to the processor 1180 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system. The terminal may also include a camera, sensors, a Bluetooth module and so on, which are not described further here.
In the embodiments of the present application, the memory 1120 stores executable program code, and the processor 1180 executes the program code to implement the quantum-resistant blind signature method described above. Specifically, the memory stores instructions for executing the quantum-resistant blind signature method described above.
The steps performed by the signature apparatus in the above embodiments may be based on the server structure shown in Figure 12. Referring to Figure 12, in one embodiment, a server 1200 includes a central processing unit (CPU) 1222, a memory 1232 and a storage medium 1230 storing application programs 1242 or data 1244. The memory 1232 and the storage medium 1230 may be transient storage or persistent storage. The program stored in the storage medium 1230 may include one or more modules, each of which may include a series of instruction operations on the server. Further, the central processing unit 1222 may be configured to communicate with the storage medium 1230 and to execute the series of instruction operations in the storage medium 1230 on the server 1200.
The server 1200 may also include a power supply 1226, a wired or wireless network interface 1250, an input/output interface 1258 and/or an operating system 1241, such as Windows Server™, Mac OS X™, Unix™, Linux™ or FreeBSD™. It should be understood that the present application does not limit the number of central processing units, memories, storage media, power supplies, wired or wireless network interfaces and input/output interfaces in the server 1200.
It should be noted that the information exchange and execution processes between the modules/units of the above apparatus are based on the same concept as the method embodiments of the present application and bring the same technical effects; for the specific content, refer to the description of the method embodiments given earlier in this application, which is not repeated here.
The present application provides a computer-readable storage medium storing a computer program which, when run on a computer, causes the computer to execute the quantum-resistant blind signature method of the above embodiments or optional embodiments.
The present application further provides a computer program product which, when run on a computer, causes the computer to execute the quantum-resistant blind signature method of the embodiments or optional embodiments shown above.
The present application further provides a chip system including a processor and a memory coupled to each other. The memory is used to store a computer program or instructions, and the processing unit is used to execute the computer program or instructions stored in the memory so that the computing device performs the steps performed by the user equipment, the signature apparatus or the signature verification apparatus in the above embodiments. Optionally, the memory is a memory within the chip, such as a register or a cache; the memory may also be a memory within the station located outside the chip, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM). The processor mentioned anywhere above may be a general-purpose central processing unit, a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits for implementing the quantum-resistant blind signature method described above.
It should further be noted that the apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, in the drawings of the apparatus embodiments provided by the present application, a connection between modules indicates a communication connection between them, which may be implemented as one or more communication buses or signal lines.
From the description of the above embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application specific integrated circuits, dedicated CPUs, dedicated memories, dedicated components and the like. In general, any function performed by a computer program can easily be implemented by corresponding hardware, and the specific hardware structures used to implement the same function can vary, for example analog circuits, digital circuits or dedicated circuits. However, for the present application a software implementation is in most cases the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a readable storage medium such as a computer floppy disk, a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk, including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods of the various embodiments of the present application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product.
A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD) or a semiconductor medium (such as a solid state disk (SSD)).

Claims (25)

  1. A quantum-resistant blind signature method, characterized by comprising:
    receiving a public key and a second vector sent by a signature apparatus, the public key including a matrix and a first vector, where both the product of a first secret vector and the matrix and the product of a second secret vector and a first modulus are related to the first vector, and the first modulus is an integer greater than 1;
    randomly generating a third vector from a polynomial ring;
    randomly generating a target polynomial from a polynomial set;
    calculating a fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and a second modulus;
    hashing a message to be processed and a random byte array into a first hash value;
    computing a second hash value by a hash operation on the first hash value, the fourth vector and the first modulus;
    generating a blinded message from the second hash value and the polynomial;
    sending the blinded message to the signature apparatus;
    receiving a blind signature sent by the signature apparatus, the blind signature being obtained by the signature apparatus from the blinded message;
    obtaining a signature from the blind signature, the random byte array and the second hash value;
    sending the message to be processed and the signature to a signature verification apparatus.
  2. The method according to claim 1, characterized in that obtaining the signature from the blind signature, the random byte array and the second hash value comprises:
    determining a fifth vector as the sum of the blind signature and the third vector;
    forming the signature from the random byte array, the fifth vector and the second hash value.
  3. The method according to claim 1, characterized in that the method further comprises:
    when the infinity norm of the fifth vector is greater than a second preset value, sending the first hash value, the third vector, the target polynomial and the second hash value to the signature apparatus.
  4. The method according to any one of claims 1 to 3, characterized in that, before hashing the message to be processed and the random byte array into the first hash value, the method further comprises:
    when the infinity norm of the fourth vector is less than a first preset value, triggering the step of randomly generating the third vector from the polynomial ring, where the first preset value δ1, the second modulus q, the first modulus p, a first parameter value η and a second parameter value K satisfy the formula δ1 = q/2 - pηK.
  5. The method according to any one of claims 1 to 3, characterized in that, before sending the blinded message to the signature apparatus, the method further comprises:
    when the first norm of the blinded message is not equal to the sum of the first norm of the target polynomial and the first norm of the second hash value, triggering the step of randomly generating the third vector from the polynomial ring.
  6. The method according to any one of claims 1 to 3, characterized in that, before sending the blinded message to the signature apparatus, the method further comprises:
    when the infinity norm of the blinded message is equal to 2, triggering the step of randomly generating the third vector from the polynomial ring.
  7. A quantum-resistant blind signature method, characterized by comprising:
    generating a public key and a private key, the public key including a matrix and a first vector, the private key including the matrix, the first vector, a first secret vector and a second secret vector, where both the product of the first secret vector and the matrix and the product of the second secret vector and a first modulus are related to the first vector, and the first modulus is an integer greater than 1;
    randomly generating a sixth vector from a polynomial ring;
    calculating a second vector from the sixth vector, the matrix and a second modulus;
    sending the public key and the second vector to a user equipment;
    receiving a blinded message sent by the user equipment;
    summing the product of the first secret vector and the blinded message with the sixth vector;
    sending the blind signature obtained by the summation to the user equipment.
  8. The method according to claim 7, characterized in that, before sending the blind signature obtained by the summation to the user equipment, the method further comprises:
    when the infinity norm of the blind signature is greater than a third preset value, triggering the step of randomly generating the sixth vector from the polynomial ring, where the third preset value δ3, a fourth parameter value γ, a first parameter value η and a second parameter value K satisfy the formula δ3 = γ - ηK.
  9. The method according to claim 7 or 8, characterized in that the method further comprises:
    receiving a first hash value, a third vector, a target polynomial and a second hash value sent by the user equipment;
    calculating a fourth vector from the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus;
    calculating a seventh vector from the matrix, the third vector, the blind signature, the second hash value, the first vector and the second modulus;
    determining a first operation result equal to the signature information minus the target polynomial;
    performing a hash operation on the first hash value, the fourth vector and the first modulus to obtain a second operation result;
    performing a hash operation on the first hash value, the seventh vector and the first modulus to obtain a third operation result;
    when the first operation result, the second operation result and the third operation result all equal the second hash value and the infinity norm of the sum of the blind signature and the third vector is greater than the third preset value, triggering the step of randomly generating the sixth vector from the polynomial ring, where the third preset value δ3, the fourth parameter value γ, the first parameter value η and the second parameter value K satisfy the formula δ3 = γ - ηK.
  10. A quantum-resistant blind signature method, characterized by comprising:
    receiving a message to be processed and a signature sent by a user equipment, the signature including a random byte array, a fifth vector and a second hash value;
    sending a signature verification public key request to a signature apparatus;
    receiving a public key sent by the signature apparatus, the public key including a matrix and a first vector;
    verifying the message to be processed and the signature using the public key.
  11. The method according to claim 10, characterized in that verifying the message to be processed and the signature using the public key comprises:
    calculating a seventh vector from the matrix, the fifth vector, the second hash value, the first vector and a second modulus;
    hashing the message to be processed and the random byte array into a first hash value;
    calculating a third hash value from the first hash value, the seventh vector and the first modulus;
    when the third hash value equals the second hash value, determining that the message to be processed and the signature pass verification;
    when the third hash value does not equal the second hash value, determining that the message to be processed and the signature do not pass verification.
  12. The method according to claim 10 or 11, characterized in that the method further comprises:
    when the infinity norm of the fifth vector is greater than a second preset value, determining that the message to be processed and the signature do not pass verification.
  13. 一种用户设备,其特征在于,包括:A user equipment, characterized by including:
    接收单元,用于接收签名装置发送的公钥和第二向量,所述公钥包括矩阵和第一向量,第一秘密向量与所述矩阵的乘积以及第二秘密向量与第一模数的乘积均与第一向量相关,所述第一模数为大于1的整数;A receiving unit, configured to receive the public key and the second vector sent by the signature device. The public key includes a matrix and a first vector, the product of the first secret vector and the matrix, and the product of the second secret vector and the first modulus. are all related to the first vector, and the first modulus is an integer greater than 1;
    处理单元,用于从多项式环中随机生成第三向量;从多项式集合中随机生成目标多项式;根据所述第二向量,所述矩阵,所述第三向量,所述目标多项式,所述第一向量和第二模数计算出第四向量;将待处理的消息和随机字节数组哈希为第一哈希值;根据所述第一哈希值,第四向量和第一模数哈希运算出第二哈希值;根据所述第二哈希值和多项式生成盲化的消息;A processing unit configured to randomly generate a third vector from a polynomial ring; randomly generate a target polynomial from a polynomial set; according to the second vector, the matrix, the third vector, the target polynomial, and the first The vector and the second modulus calculate a fourth vector; the pending message and the random byte array are hashed into a first hash value; based on the first hash value, the fourth vector and the first modulus are hashed Calculate a second hash value; generate a blinded message based on the second hash value and the polynomial;
    发送单元,用于向签名装置发送盲化的消息;A sending unit, used to send the blinded message to the signature device;
    所述接收单元,还用于接收签名装置发送的盲签名,所述盲签名是所述签名装置根据所述盲化的消息获取的;The receiving unit is also configured to receive a blind signature sent by a signature device, where the blind signature is obtained by the signature device based on the blinded message;
    所述处理单元,还用于根据所述盲签名,所述随机字节数组和所述第二哈希值获取签名;The processing unit is also configured to obtain a signature based on the blind signature, the random byte array and the second hash value;
    所述发送单元,还用于将所述待处理的消息和所述签名发送给验签装置。The sending unit is also used to send the message to be processed and the signature to a signature verification device.
  14. 根据权利要求13所述的用户设备,其特征在于,The user equipment according to claim 13, characterized in that:
    所述处理单元具体用于确定第五向量为所述盲签名与第三向量之和;将所述随机字节数组,所述第五向量和第二哈希值组成签名。The processing unit is specifically configured to determine that the fifth vector is the sum of the blind signature and the third vector; and combine the random byte array, the fifth vector and the second hash value to form a signature.
  15. 根据权利要求13所述的用户设备,其特征在于,The user equipment according to claim 13, characterized in that:
    所述发送单元还用于当所述第五向量的无穷范数大于第二预设值时,将所述第一哈希值,所述第三向量,所述目标多项式和所述第二哈希值发送给签名装置。The sending unit is also configured to send the first hash value, the third vector, the target polynomial and the second hash value when the infinite norm of the fifth vector is greater than a second preset value. The hash value is sent to the signing device.
  16. 根据权利要求13至15中任一项所述的用户设备,其特征在于,The user equipment according to any one of claims 13 to 15, characterized in that,
    所述处理单元还用于当所述第四向量的无穷范数小于第一预设值时,触发所述处理单元从多项式环中随机生成第三向量,所述第一预设值δ1,第二模数q,第一模数p、第一参数值η和第二参数值K满足以下公式:δ1=q/2-pηK。The processing unit is also configured to trigger the processing unit to randomly generate a third vector from the polynomial ring when the infinite norm of the fourth vector is less than a first preset value, the first preset value δ 1 , The second modulus q, the first modulus p, the first parameter value η and the second parameter value K satisfy the following formula: δ 1 =q/2-pηK.
  17. 根据权利要求13至15中任一项所述的用户设备,其特征在于,The user equipment according to any one of claims 13 to 15, characterized in that,
    所述处理单元还用于当所述盲化的消息的第一范数不等于所述目标多项式的第一范数和所述第二哈希值的第一范数之和时,触发所述处理单元从多项式环中随机生成第三向量。The processing unit is also configured to trigger the step when the first norm of the blinded message is not equal to the sum of the first norm of the target polynomial and the first norm of the second hash value. The processing unit randomly generates a third vector from the polynomial ring.
  18. 根据权利要求13至15中任一项所述的用户设备,其特征在于,The user equipment according to any one of claims 13 to 15, characterized in that,
    所述处理单元还用于当所述盲化的消息的无穷范数等于2时,触发所述处理单元从多项式环中随机生成第三向量。 The processing unit is also configured to trigger the processing unit to randomly generate a third vector from the polynomial ring when the infinite norm of the blinded message is equal to 2.
  19. 一种签名装置,其特征在于,包括:A signature device, characterized by including:
    处理单元,用于生成公钥和私钥,所述公钥包括矩阵和第一向量,所述私钥包括所述矩阵,所述第一向量,第一秘密向量和第二秘密向量,所述第一秘密向量与所述矩阵的乘积以及第二秘密向量与第一模数的乘积均与所述第一向量相关,所述第一模数为大于1的整数;A processing unit configured to generate a public key and a private key, the public key including a matrix and a first vector, the private key including the matrix, the first vector, a first secret vector and a second secret vector, the The product of the first secret vector and the matrix and the product of the second secret vector and the first modulus are both related to the first vector, and the first modulus is an integer greater than 1;
    所述处理单元,还用于从多项式环中随机生成第六向量;The processing unit is also used to randomly generate a sixth vector from the polynomial ring;
    所述处理单元,还用于根据所述第六向量,所述矩阵和第二模数计算出第二向量;The processing unit is also configured to calculate a second vector based on the sixth vector, the matrix and the second modulus;
    发送单元,用于将所述公钥和所述第二向量发送给用户设备;A sending unit, configured to send the public key and the second vector to the user equipment;
    接收单元,用于接收用户设备发送的盲化的消息;A receiving unit, configured to receive blinded messages sent by user equipment;
    所述处理单元,还用于将所述第一秘密向量与所述盲化的消息之积和所述第六向量进行求和运算;The processing unit is further configured to perform a summation operation on the product of the first secret vector and the blinded message and the sixth vector;
    所述发送单元,还用于将求和运算得到的盲签名发送给用户设备。The sending unit is also used to send the blind signature obtained by the summation operation to the user equipment.
  20. 根据权利要求19所述的签名装置,其特征在于,The signature device according to claim 19, characterized in that:
    所述处理单元还用于当盲签名的无穷范数大于第三预设值时,触发所述处理单元从多项式环中随机生成第六向量,第三预设值δ3、第四参数值γ、第一参数值η和第二参数值K满足以下公式:δ3=γ-ηK。The processing unit is also configured to trigger the processing unit to randomly generate the sixth vector, the third preset value δ 3 and the fourth parameter value γ from the polynomial ring when the infinite norm of the blind signature is greater than the third preset value. , the first parameter value η and the second parameter value K satisfy the following formula: δ 3 =γ-ηK.
  21. 根据权利要求19或20所述的签名装置,其特征在于,The signature device according to claim 19 or 20, characterized in that:
    所述接收单元还用于接收用户设备发送的第一哈希值,第三向量,目标多项式和第二哈希值;The receiving unit is also configured to receive the first hash value, the third vector, the target polynomial and the second hash value sent by the user equipment;
    所述处理单元还用于根据所述第二向量,所述矩阵,所述第三向量,目标多项式,所述第一向量和第二模数计算出第四向量;根据所述矩阵,所述第三向量,所述盲签名,第二哈希值,所述第一向量和第二模数计算出第七向量;确定第一运算结果等于签名信息减去目标多项式;根据所述第一哈希值,所述第四向量和第一模数进行哈希运算,以得到第二运算结果;根据所述第一哈希值,所述第七向量和第一模数进行哈希运算,以得到第三运算结果;当所述第一运算结果,所述第二运算结果和所述第三运算结果均等于第二哈希值且所述盲签名与第三向量之和的无穷范数大于第三预设值,触发所述处理单元从多项式环中随机生成第六向量,第三预设值δ3、第四参数值γ、第一参数值η和第二参数值K满足以下公式:δ3=γ-ηK。The processing unit is also configured to calculate a fourth vector according to the second vector, the matrix, the third vector, the target polynomial, the first vector and the second modulus; according to the matrix, the The third vector, the blind signature, the second hash value, the first vector and the second modulus are used to calculate the seventh vector; it is determined that the first operation result is equal to the signature information minus the target polynomial; according to the first hash Hash value, the fourth vector and the first modulus perform a hash operation to obtain the second operation result; according to the first hash value, the seventh vector and the first modulus perform a hash operation to obtain Obtain a third operation result; when the first operation result, the second operation result and the third operation result are all equal to the second hash value and the infinite norm of the sum of the blind signature and the third vector is greater than The third preset value triggers the processing unit to randomly generate a sixth vector from the polynomial ring. The third preset value δ 3 , the fourth parameter value γ, the first parameter value η and the second parameter value K satisfy the following formula: δ 3 =γ-ηK.
  22. 一种验签装置,其特征在于,包括:A signature verification device, characterized by including:
    接收单元,用于接收用户设备发送的待处理的消息和签名,所述签名包括随机字节数组,第五向量和第二哈希值;A receiving unit configured to receive a message to be processed and a signature sent by the user equipment, where the signature includes a random byte array, a fifth vector and a second hash value;
    发送单元,用于向签名装置发送验签公钥请求;A sending unit, used to send a signature verification public key request to the signature device;
    所述接收单元,还用于接收签名装置发送的公钥,所述公钥包括矩阵和第一向量;The receiving unit is also used to receive the public key sent by the signature device, where the public key includes a matrix and a first vector;
    验证单元,用于使用所述公钥对所述待处理的消息和所述签名进行验证。A verification unit, configured to use the public key to verify the message to be processed and the signature.
  23. 根据权利要求22所述的验签装置,其特征在于,The signature verification device according to claim 22, characterized in that:
    所述验证单元具体用于根据所述矩阵,所述第五向量,所述第二哈希值,第一向量和第二模数计算出第七向量;将所述待处理的消息和所述随机字节数组哈希为第一哈希值;根据第一哈希值,第七向量和第一模数计算出第三哈希值;当所述第三哈希值与所述第二 哈希值相等,则确定所述待处理的消息和所述签名通过验证;当所述第三哈希值与所述第二哈希值不相等,则确定所述待处理的消息和所述签名没有通过验证。The verification unit is specifically configured to calculate a seventh vector based on the matrix, the fifth vector, the second hash value, the first vector and the second modulus; combine the message to be processed with the A random byte array hash is the first hash value; a third hash value is calculated based on the first hash value, the seventh vector and the first modulus; when the third hash value is the same as the second hash value If the hash values are equal, it is determined that the message to be processed and the signature pass verification; when the third hash value is not equal to the second hash value, it is determined that the message to be processed and the signature are verified. Signature failed verification.
  24. 根据权利要求22或23所述的验签装置,其特征在于,The signature verification device according to claim 22 or 23, characterized in that:
    所述验证单元还用于当所述第五向量的无穷范数大于第二预设值,则确定所述待处理的消息和所述签名没有通过验证。The verification unit is also configured to determine that the message to be processed and the signature have not passed verification when the infinite norm of the fifth vector is greater than a second preset value.
  25. 一种计算机可读存储介质,存储有指令,其特征在于,当其在计算机上运行时,使得计算机执行权利要求1至12中任一项所述的方法。 A computer-readable storage medium stores instructions, which, when run on a computer, cause the computer to execute the method described in any one of claims 1 to 12.
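The signer, user and verifier roles of claims 13 to 24, worked through end to end as an added Python example that is not the patent's own code and discloses none of its parameters. It collapses every vector and matrix to one element of Z_q[x]/(x^N+1) with constructed toy parameters, and the arithmetic the claims leave unspecified is my reconstruction: fourth vector u = w + a·y + ε·t mod q, blinded message c' = c + ε, blind signature z' = s1·c' + r, fifth vector z = z' + y, seventh vector a·z - c·t mod q, the second hash taken over u mod p, and the first-preset-value check applied in the direction that makes the two mod-p hashes agree (assumptions, all of them).

```python
import hashlib, secrets
# Toy parameters (constructed): ring Z_q[x]/(x^N+1), one ring element per vector/matrix
N, Q, P, ETA, GAMMA, TAU = 16, 8380417, 3, 2, 2**17, 4
K = 2 * TAU                      # bound on the L1 norm of the blinded challenge c + e
D1 = Q // 2 - P * ETA * K        # first preset value  delta1 = q/2 - p*eta*K
D3 = GAMMA - ETA * K             # third preset value  delta3 = gamma - eta*K
D2 = GAMMA + D3                  # second preset value (constructed): bound on z = z' + y
def mul(a, b):                   # product in Z[x]/(x^N+1) over the integers
    r = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[(i + j) % N] += x * y if i + j < N else -x * y
    return r
add = lambda a, b: [x + y for x, y in zip(a, b)]
sub = lambda a, b: [x - y for x, y in zip(a, b)]
cmod = lambda a, m: [((x + m // 2) % m) - m // 2 for x in a]   # centred reduction mod m
inf = lambda a: max(abs(x) for x in a)                          # infinity norm
l1 = lambda a: sum(abs(x) for x in a)                           # first norm
rnd = lambda b: [secrets.randbelow(2 * b + 1) - b for _ in range(N)]
def ternary(seed):               # deterministic ternary poly with TAU nonzero coefficients
    s = hashlib.shake_256(seed).digest(2 * TAU)
    c, pos = [0] * N, list(range(N))
    for i in range(TAU):
        j = i + s[2 * i] % (N - i)
        pos[i], pos[j] = pos[j], pos[i]
        c[pos[i]] = 1 if s[2 * i + 1] & 1 else -1
    return c
h1 = lambda msg, rb: hashlib.sha256(msg + rb).digest()         # first hash value
h2 = lambda mu, u: ternary(mu + bytes(x % P for x in u))       # second hash: H(mu, u mod p)
def keygen():                    # t = a*s1 + p*s2 mod q; pk = (a, t), sk = (s1, s2)
    a, s1, s2 = cmod(rnd(Q // 2), Q), rnd(ETA), rnd(ETA)
    t = cmod(add(mul(a, s1), [P * x for x in s2]), Q)
    return (a, t), (s1, s2)
def commit(pk): r = rnd(GAMMA); return r, cmod(mul(pk[0], r), Q)   # sixth vector r, w = a*r
def blind(pk, w, msg):           # user: c' = c + e, retried under the claims 16-18 checks
    a, t = pk
    rb = secrets.token_bytes(16)                                # random byte array
    while True:
        y, e = rnd(GAMMA), ternary(secrets.token_bytes(32))     # third vector, target poly
        u = cmod(add(add(w, mul(a, y)), mul(e, t)), Q)          # fourth vector (assumed form)
        c = h2(h1(msg, rb), u)
        cb = add(c, e)                                          # blinded message
        if inf(u) < D1 and inf(cb) != 2 and l1(cb) == l1(c) + l1(e):
            return cb, (rb, y, c)
def sign_blind(sk, r, cb):       # signer: z' = s1*c' + r; None means restart with a fresh r
    zb = add(mul(sk[0], cb), r)
    return zb if inf(zb) <= D3 else None
unblind = lambda st, zb: (st[0], add(zb, st[1]), st[2])         # signature (rb, z = z'+y, c)
def verify(pk, msg, sig):
    a, t = pk
    rb, z, c = sig
    v = cmod(sub(mul(a, z), mul(c, t)), Q)                      # seventh vector a*z - c*t
    return inf(z) <= D2 and h2(h1(msg, rb), v) == c             # third hash must equal c
```

Verification works because a·z - c·t ≡ u - p·c'·s2 (mod q), and the D1 check keeps that difference inside the centred range so the p-multiple vanishes under mod p; the two blinding rejections keep c' ternary with L1 norm exactly K, which is what makes the bound p·η·K hold.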
PCT/CN2023/085862 2022-04-28 2023-04-03 Quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus WO2023207523A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210461476.XA CN117014133A (en) 2022-04-28 2022-04-28 Quantum-resistant blind signature method, user equipment, signature device and signature verification device
CN202210461476.X 2022-04-28

Publications (1)

Publication Number Publication Date
WO2023207523A1 true WO2023207523A1 (en) 2023-11-02

Family

ID=88517519

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/085862 WO2023207523A1 (en) 2022-04-28 2023-04-03 Quantum-resistant blind signature method, user equipment, signature apparatus and signature verification apparatus

Country Status (2)

Country Link
CN (1) CN117014133A (en)
WO (1) WO2023207523A1 (en)

Also Published As

Publication number Publication date
CN117014133A (en) 2023-11-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23794958

Country of ref document: EP

Kind code of ref document: A1