WO2004010641A1 - A method for small-feature-based hyperbolic digital signature - Google Patents


Info

Publication number: WO2004010641A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2002/000749
Other languages: French (fr), Chinese (zh)
Inventors: Zhenhua Wang, Zhijie Chen
Original assignees: Shanghai Chlor-Alkali Chemical Co., Ltd.; Shanghai Yantuo Computer Co., Ltd.
Related application: AU2002344027A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a method for small-feature-based hyperbolic digital signature. It comprises the following steps, where the sender is A, the receiver is B and the plaintext is m: 1) sender A, using hardware, randomly generates the private key pair (X1, X2), generates the public key pair (Y1, Y2), generates the signature pair (r, s) and sends these pairs to receiver B; 2) receiver B, using hardware, receives the public key pair, the signature pair and the plaintext sent by A, extracts the digest pair from the received plaintext, and finally verifies the equation. The method greatly reduces the number of basic key bits used at an equal security level, thereby reducing development expense and running cost, decreasing the occupation of computer resources, improving the speed of generating the related primes and shortening the signature authentication time.

Description

Hyperbolic digital signature method based on small features

Technical field
The invention belongs to digital signature methods for computer information security, and in particular is a hyperbolic digital signature method based on small features.

Technical background
In the modern information society the demand for computer and network security worldwide is becoming increasingly urgent. In many different fields, such as e-commerce, enterprise security and national security, protecting the integrity of electronic information, and especially the integrity of important information, has become a matter of general international concern. A digital signature method is a public key system that guarantees that electronic data cannot be altered: it not only authenticates the identity of the sender of the information but also allows the consistency and integrity of the information sent to be checked.
Existing digital signature methods, such as the well-known RSA digital signature method, are based on the mathematical difficulty of factoring large integers: given two primes P and Q with N = P·Q, it is mathematically quite difficult to obtain P and Q from N when N is large enough. With the development of science and technology, however, research into fast factoring methods has produced many new results, and together with the development of computing technology and computers the difficulty of factoring large integers keeps decreasing. To meet the corresponding level of security, the length of the mathematical operands has had to grow steadily, from 512 bits in the 1980s and 1024 bits in the 1990s to 2048 bits today. When an algorithm's key is too long, the related primes are difficult to generate, huge computer resources are occupied and the operations are too slow; when hardware is used to speed up the operations, the excessive word length also makes the cost extremely high. In addition, because a hardware implementation cannot be changed, the hardware development and service life are greatly shortened and the running cost is extremely high.
Summary of the invention
The technical problem to be solved by the present invention is to provide a hyperbolic digital signature method based on small features which, at an equal security level, greatly reduces the number of basic key bits used, thereby lowering development expense and running cost, reducing the occupation of computer resources, increasing the speed of generating the related primes and shortening the signature authentication time. To solve the above technical problem, the technical solution adopted by the present invention is:
A hyperbolic digital signature method based on small features, comprising the following steps.
Suppose the sender is A, the recipient is B, the plaintext is m, the small feature is P, α is a zero of the polynomial X^P − X − 1 over the Galois field F_P with P elements, the parameter is c, and the test parameters are Q1 and Q2.
① The operations performed by sender A using hardware are
a: Randomly generate the private key components X1 and X2 and take the number pair (X1, X2) as the private key, where the coefficients a_i of X1 and b_i of X2 (0 ≤ i ≤ P − 1) satisfy
    Σ_{i=0}^{P−1} a_i < P,   Σ_{i=0}^{P−1} b_i < P;
b: Perform a security check on the generated private key: determine whether Q1 divides X1 and whether Q2 divides X2; if either determination is negative, the private key X1, X2 must be regenerated;
c: Generate the public key Y1 = (cα)^{X1}, Y2 = (cα)^{X2} and take (Y1, Y2) as the public key corresponding to the private key (X1, X2); Y1 and Y2 are represented as polynomials in α over the Galois field with P elements;
d: Take the digest number pair (d1, d2) of the plaintext m and form the signature number pair (r, s). First choose k and k^{−1} at random from the non-negative integers such that k·k^{−1} ≡ 1 (mod P^P − 1), and obtain the first component r of the signature pair,
    r = (cα)^k = Σ_{i=0}^{P−1} R_i α^i ∈ F_P[α],   0 ≤ R_i < P (0 ≤ i ≤ P − 1).
Then append the resulting R_0, …, R_{P−1} in order to the plaintext m to produce a new plaintext, denoted m1 = (m, R_0, …, R_{P−1}), and apply the digest functions MD5 and SHA1 to m1 to obtain the corresponding digest number pair (d1, d2), where
    d1 = MD5(m1) = MD5(m, R_0, …, R_{P−1}),
    d2 = SHA1(m1) = SHA1(m, R_0, …, R_{P−1}).
Then let s ≡ k^{−1}(X1·d1 + X2·d2) (mod P^P − 1) to obtain the other component s of the signature pair, so that the signature number pair (r, s) is formed; here r is a polynomial over the Galois field with P elements with coefficients R_0, …, R_{P−1}, and s is an integer;
e: Send the public key pair, the signature pair and the plaintext to B.
② The operations performed by recipient B using hardware are
a: Receive the public key pair (Y1*, Y2*), the signature pair (r*, s*) and the plaintext m* sent by A;
b: Append the coefficients R_0, …, R_{P−1} of r* from the received signature pair to the plaintext m* received by B to produce a new plaintext, denoted m1* = (m*, R_0, …, R_{P−1}), and apply the digest functions MD5 and SHA1 to m1* to obtain the corresponding digest number pair (d1*, d2*), where
    d1* = MD5(m1*) = MD5(m*, R_0, …, R_{P−1}),
    d2* = SHA1(m1*) = SHA1(m*, R_0, …, R_{P−1});
c: Verify the equation, taking
    verL(r*, s*) = (r*)^{s*} ∈ F_P[α],   verR(m*, r*, Y1*, Y2*) = (Y1*)^{d1*} · (Y2*)^{d2*}.
If verL(r*, s*) = verR(m*, r*, Y1*, Y2*), the verification passes and the received plaintext m* is the plaintext m sent by A.
The sender A may place the public key pair (Y1, Y2) in an X.509 certificate before sending it to recipient B.
Because of the above solution, the advantages of the present invention over the prior art are:
1. Because this scheme applies two digest functions to the randomized plaintext to obtain the digest number pair, and forms the signature through the hyperbolic action of the private key on the digest number pair, the relation between the number of bits of the small feature and the security level grows exponentially; so a fairly high security level is guaranteed while the occupation of computer resources is reduced, the speed of generating the related primes is increased and the signature authentication time is shortened, lowering development expense and running cost;
2. Because this method applies a security check to the private key pair, it can prevent the "birthday attack".

Brief description of the drawings
The present invention is further described in detail below with reference to the drawings and specific embodiments.
Fig. 1 is the main flow chart of the steps of the hyperbolic digital signature method based on small features of the present invention;
Fig. 2 is the sub-flow chart for generating keys in the hyperbolic digital signature method based on small features of the present invention;
Fig. 3 is the sub-flow chart for generating the signature and digest in the hyperbolic digital signature method based on small features of the present invention;
Fig. 4 is the sub-flow chart for verifying the signature in the hyperbolic digital signature method based on small features of the present invention;
Fig. 5 is the circuit schematic of the private key generation module in the hyperbolic digital signature method based on small features of the present invention;
Fig. 6 is the circuit schematic of the public key generation module in the hyperbolic digital signature method based on small features of the present invention;
Fig. 7 is the circuit schematic of the verification module in the hyperbolic digital signature method based on small features of the present invention.
Detailed description
Since the present invention involves a series of mathematical principles, its mathematical background is set out first:
Let P be a prime and F_P the Galois field with P elements; then the polynomial X^P − X − 1 is irreducible over F_P. Let α be a zero of this irreducible polynomial X^P − X − 1; then the extension field F_P[α] is the splitting field of the polynomial, it is the Galois field with P^P elements, and every element of F_P[α] can be written uniquely as a polynomial in α of degree at most P − 1. Let
    M = (P^P − 1)/(P − 1) = 1 + P + P^2 + … + P^{P−1};
then the order M_0 of α must be a factor of M. Since M ≡ 1 (mod P − 1), M is coprime to P − 1, and so M_0, being a factor of M, is also coprime to P − 1. If a primitive root c of F_P is taken, the order of c equals P − 1, so the order of cα equals the least common multiple of P − 1 and the order of α; in particular, when the order of α equals M, the order of cα is the least common multiple of P − 1 and M, namely (P − 1)·M, and cα is a primitive root of the Galois field F_P[α].
As shown in Fig. 1, the hyperbolic digital signature method based on small features of the present invention consists of the following steps: key generation, generation of the signature and digest, and signature verification. As shown in Fig. 2, key generation is divided into two parts, generating the private key and generating the public key; the public key can be a polynomial number pair, from which an X.509 certificate can be generated. As shown in Fig. 3, generating the signature and digest consists of fetching the private key, randomizing the first component of the signature pair, generating the digest pair and generating the second component of the signature pair. As shown in Fig. 4, signature verification has two parts: compatibility verification and anti-forgery verification.
Suppose the sender is A, the recipient is B, the plaintext is m, the small feature is P, α is a zero of the polynomial X^P − X − 1 over the Galois field F_P with P elements, the parameter is c, and the test parameters are Q1 and Q2.
① The operations performed by sender A using hardware consisting of a private key generation module, a public key generation module and a verification module are
a: Randomly generate the private key components X1 and X2 and take the number pair (X1, X2) as the private key, where the coefficients a_i of X1 and b_i of X2 (0 ≤ i ≤ P − 1) satisfy
    Σ_{i=0}^{P−1} a_i < P,   Σ_{i=0}^{P−1} b_i < P;
b: Perform a security check on the generated private key: determine whether Q1 divides X1 and whether Q2 divides X2; if either determination is negative, the private key X1, X2 must be regenerated;
c: Generate the public key Y1 = (cα)^{X1}, Y2 = (cα)^{X2} and take (Y1, Y2) as the public key corresponding to the private key (X1, X2); Y1 and Y2 are represented as polynomials in α over the Galois field with P elements;
d: Take the digest number pair (d1, d2) of the plaintext m and form the signature number pair (r, s). First choose k and k^{−1} at random from the non-negative integers such that k·k^{−1} ≡ 1 (mod P^P − 1), and obtain the first component r of the signature pair,
    r = (cα)^k = Σ_{i=0}^{P−1} R_i α^i ∈ F_P[α],   0 ≤ R_i < P (0 ≤ i ≤ P − 1).
Then append the resulting R_0, …, R_{P−1} in order to the plaintext m to produce a new plaintext, denoted m1 = (m, R_0, …, R_{P−1}), and apply the digest functions MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm 1) to m1 to obtain the corresponding digest number pair (d1, d2), where
    d1 = MD5(m1) = MD5(m, R_0, …, R_{P−1}),
    d2 = SHA1(m1) = SHA1(m, R_0, …, R_{P−1}).
Then let s ≡ k^{−1}(X1·d1 + X2·d2) (mod P^P − 1) to obtain the other component s of the signature pair, so that the signature number pair (r, s) is formed.
e: Send the public key pair, the signature pair and the digest pair to B.
② The operations performed by recipient B using hardware are
a: Receive the public key pair (Y1*, Y2*), the signature pair (r*, s*) and the plaintext m* sent by A;
b: Append the coefficients R_0, …, R_{P−1} of r* from the received signature pair to the plaintext m* received by B to produce a new plaintext, denoted m1* = (m*, R_0, …, R_{P−1}), and apply the digest functions MD5 and SHA1 to m1* to obtain the corresponding digest number pair (d1*, d2*), where
    d1* = MD5(m1*) = MD5(m*, R_0, …, R_{P−1}),
    d2* = SHA1(m1*) = SHA1(m*, R_0, …, R_{P−1});
c: Verify the equation, taking
    verL(r*, s*) = (r*)^{s*} ∈ F_P[α],   verR(m*, r*, Y1*, Y2*) = (Y1*)^{d1*} · (Y2*)^{d2*}.
If verL(r*, s*) = verR(m*, r*, Y1*, Y2*), the verification passes and the received plaintext m* is the plaintext m sent by A.
The sender A may place the public key pair (Y1, Y2) in an X.509 certificate before sending it to recipient B; the steps and the verification equation on recipient B's side are unchanged.
The second component s of the signature pair is the product of the random factor k^{−1} with the hyperbolic action of the private key pair on the digest pair; the hyperbolic action of the private key pair (X1, X2) on the digest pair (d1, d2) can be defined, consistently with the expression for s above, as
    (X1, X2) ∘ (d1, d2) = X1·d1 + X2·d2.
The digests in this scheme are also randomized, as can be seen from the way the digest pair above is formed.
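The key generation, signing and verification steps above, implemented as an added example in Python (editorial code, not the patent's own implementation or its hardware circuits). It assumes the toy parameter P = 5, so the field is GF(5^5) built from X^5 − X − 1, the parameter c = 2 (a primitive root of F_5) and constructed test parameters Q1 = 3, Q2 = 7; the private key conditions are applied exactly as the text states them (digit sum below P, and Q1 | X1, Q2 | X2), and count_admissible reports how many exponent values those conditions admit at these parameters.

```python
import hashlib
import math
import secrets

P = 5                 # the "small feature" (assumed toy value); field is F_P[α] with α^P = α + 1
Q = P ** P - 1        # order of the multiplicative group of F_P[α]; all exponents are taken mod Q
C = 2                 # the parameter c: a primitive root of F_5 (assumed value)
Q1, Q2 = 3, 7         # the test parameters Q1, Q2 (constructed values)

# A field element is a list [e_0, ..., e_{P-1}] standing for e_0 + e_1 α + ... + e_{P-1} α^(P-1).
ONE = [1] + [0] * (P - 1)
G = [0, C] + [0] * (P - 2)       # the generator cα

def fmul(u, v):
    """Multiply two elements of F_P[α] modulo α^P - α - 1."""
    prod = [0] * (2 * P - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] = (prod[i + j] + a * b) % P
    # Fold each power α^d with d >= P down using α^d = α^(d-P) · (α + 1).
    for d in range(2 * P - 2, P - 1, -1):
        coef, prod[d] = prod[d], 0
        prod[d - P + 1] = (prod[d - P + 1] + coef) % P
        prod[d - P] = (prod[d - P] + coef) % P
    return prod[:P]

def fpow(base, e):
    """Square-and-multiply exponentiation in F_P[α]; the exponent is reduced mod Q."""
    result, e = ONE, e % Q
    while e:
        if e & 1:
            result = fmul(result, base)
        base = fmul(base, base)
        e >>= 1
    return result

def digit_sum(x):
    """Sum of the base-P digits of x (the a_i, resp. b_i, bounded by the constraint Σ a_i < P)."""
    total = 0
    while x:
        total, x = total + x % P, x // P
    return total

def admissible(x, q):
    """Private-key conditions as the text states them: digit sum < P and q divides x."""
    return x != 0 and digit_sum(x) < P and x % q == 0

def draw_exponent(q):
    """Rejection-sample a private key component satisfying admissible()."""
    while True:
        x = secrets.randbelow(Q)
        if admissible(x, q):
            return x

def keygen():
    """Steps ① a-c: private key (X1, X2), public key (Y1, Y2) = ((cα)^X1, (cα)^X2)."""
    X1, X2 = draw_exponent(Q1), draw_exponent(Q2)
    return (X1, X2), (fpow(G, X1), fpow(G, X2))

def digests(m, r):
    """Form m1 = (m, R_0, ..., R_{P-1}) and return (d1, d2) = (MD5(m1), SHA1(m1)) as integers."""
    m1 = m + bytes(r)                           # each coefficient R_i < P < 256 fits in one byte
    d1 = int.from_bytes(hashlib.md5(m1).digest(), "big")
    d2 = int.from_bytes(hashlib.sha1(m1).digest(), "big")
    return d1, d2

def hyperbolic(priv, d):
    """The 'hyperbolic action' (X1, X2) ∘ (d1, d2) = X1·d1 + X2·d2."""
    return priv[0] * d[0] + priv[1] * d[1]

def sign(priv, m):
    """Step ① d: r = (cα)^k with k invertible mod Q, s = k^-1 · ((X1, X2) ∘ (d1, d2)) mod Q."""
    while True:
        k = secrets.randbelow(Q)
        if k and math.gcd(k, Q) == 1:
            break
    r = fpow(G, k)
    s = pow(k, -1, Q) * hyperbolic(priv, digests(m, r)) % Q
    return r, s

def verify(pub, m, sig):
    """Step ② c: accept iff verL = (r*)^s* equals verR = (Y1*)^d1* · (Y2*)^d2*."""
    Y1, Y2 = pub
    r, s = sig
    if len(r) != P or any(not 0 <= R < P for R in r) or r == [0] * P:
        return False                            # r* is not a usable field element
    d1, d2 = digests(m, r)
    return fpow(r, s) == fmul(fpow(Y1, d1), fpow(Y2, d2))

def count_admissible(q):
    """How many values in [0, Q) the stated private-key conditions admit for these parameters."""
    return sum(1 for x in range(Q) if admissible(x, q))

if __name__ == "__main__":
    priv, pub = keygen()
    msg = b"constructed sample message"
    sig = sign(priv, msg)
    print("verifies:", verify(pub, msg, sig), "| altered message verifies:", verify(pub, msg + b"!", sig))
    print("admissible X1 / X2 values:", count_admissible(Q1), count_admissible(Q2))
```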
Relative to RSA, in which the number of bits of the modulus and the security level grow in polynomial proportion, the greatest advantage of our scheme is that the number of bits of the modulus and the security level grow in exponential proportion, which is of great importance in cryptographic engineering practice. To illustrate this feature of our scheme, compare it with RSA: assume the RSA modulus is 1024 bits, so that the maximum possible amount of computation for a successful attack is 2^1024; in this scheme a modulus of only 8 bits reaches the security corresponding to RSA, because in our scheme the formula for the maximum possible amount of computation for a successful attack is (2^n)^{2^n}, where n is the number of bits of the modulus.
The realization of the present invention requires a physical entity, which may be a computer or a dedicated chip; it should include at least the circuit of the private key module, the public key generation hardware circuit, the generation module for r in the signature pair, and the verification module hardware circuit.
As shown in Fig. 5, the circuit of the private key module consists of a random number generator, a remainder circuit, a coefficient generation circuit, a Σ (summation) circuit, a MUX, a buffer and other modules. When the module operates, the prime P is first input to the random number generation circuit, which produces a random number n1'; the remainder of n1' with respect to the input q1 is computed and it is determined whether the remainder is 0. When the remainder is 0, the coefficient generation circuit starts: it decomposes n1' into a polynomial and sends the resulting coefficients to the summation circuit, which determines whether constraint 2 is satisfied; if it is, the MUX is gated and the private key n1 is output from the buffer.
As shown in Fig. 6, the public key generation hardware circuit consists of a cyclic FFT (fast Fourier transform) operation core, RAM (random access memory), an arithmetic circuit, an output buffer, a control circuit and other modules. The generated private key enters the polynomial multiplication performed by the FFT operation core; intermediate values of the operation are stored temporarily in RAM, and the arithmetic circuit assists in solving for the coefficients. Finally the coefficients (the public key) are sent to the buffer and output serially. The generation module for r in the signature pair is the same as the public key generation hardware circuit.
As shown in Fig. 7, the verification module hardware circuit consists of an input buffer, an MD5 operation core, a SHA operation core, a signature pair S generation module, cyclic FFT operation cores 1 and 2, memories A and B, a comparator and a control circuit. First r is passed through the MD5 and SHA operation cores to produce the digest pair d1, d2, from which one component S of the signature pair is produced. The two cyclic FFT operation cores then operate respectively on the digest pair, the signature pair and the private key; their results are compared by the comparator, and the comparison result is output on a flag bit.

Claims

1. A small-feature-based hyperbolic digital signature method, characterized in that it comprises the following steps:
Assume the sender is A, the recipient is B, the plaintext is m, the small feature is P, α is a zero of the polynomial $X^P - X - 1$ over the Galois field $F_P$ with P elements, the parameter is c, and the check parameters are Q1, Q2;
① the operations performed by sender A using hardware are:
a: randomly generate private keys X1 and X2, taking the number pair (X1, X2) as the private key
Figure imgf000012_0001
where
$\sum_{i=0}^{P-1} a_i < P$, $\sum_{i=0}^{P-1} \ldots < P$;
b: perform a security check on the generated private key; the security check determines whether Q1 divides X1 exactly or Q2 divides X2 exactly, and if either determination is negative the private keys X1, X2 must be regenerated;
c: generate the public key $Y_1 = (c\alpha)^{X_1}$, $Y_2 = (c\alpha)^{X_2}$, taking (Y1, Y2) as the public key corresponding to the private key (X1, X2), where Y1, Y2 are represented as polynomials in α over the Galois field with P elements;
d: take the digest pair (d1, d2) of the plaintext m and form the signature pair (r, s): first choose k and $k^{-1}$ at random among the non-negative integers such that $k \cdot k^{-1} \equiv 1 \pmod{P^P - 1}$, and obtain one component r of the signature pair, r being
Figure imgf000012_0002
with $0 \le R_i < P$ ($0 \le i \le P-1$);
then insert the resulting $R_0, \ldots, R_{P-1}$ in order into the plaintext m to produce a new plaintext, denoted $m(R_0, \ldots, R_{P-1})$, and apply the digest functions MD5 and SHA1 to this plaintext to obtain the corresponding digest pair (d1, d2), where
$d_1 = \mathrm{Md5}(m(R_0, \ldots, R_{P-1}))$, $d_2 = \mathrm{SHA1}(m(R_0, \ldots, R_{P-1}))$;
then let $s \equiv$
Figure imgf000013_0001
$\pmod{P^P - 1}$ to obtain the other component s of the signature pair, whereby the signature pair (r, s) is formed, in which r is a polynomial in α over the Galois field with P elements with coefficients $R_0, \ldots, R_{P-1}$, and s is an integer;
e: send the public key pair, the signature pair and the plaintext to B;
② the operations performed by recipient B using hardware are:
a: receive the public key pair (Y*1, Y*2), the signature pair (r*, s*) and the plaintext m* sent by A;
b: insert the coefficients $R_0, \ldots, R_{P-1}$ of the first component r* of the received signature pair into the plaintext m* received by B to produce a new plaintext, denoted $m^*(R_0, \ldots, R_{P-1})$, and apply the digest functions MD5 and SHA1 to this plaintext to obtain the corresponding digest pair (d*1, d*2), where
$d^*_1 = \mathrm{Md5}(m^*(R_0, \ldots, R_{P-1}))$,
$d^*_2 = \mathrm{SHA1}(m^*(R_0, \ldots, R_{P-1}))$;
c: verify the equation, taking $\mathrm{verL}(r^*, s^*) = (r^*)^{s^*} \in F_P[\alpha]$ and $\mathrm{verR}(m^*, r^*, Y^*_1, Y^*_2) = (Y^*_1)^{\ldots} \cdot (Y^*_2)^{\ldots}$;
if $\mathrm{verL}(r^*, s^*) = \mathrm{verR}(m^*, r^*, Y^*_1, Y^*_2)$ in the above equation, verification passes and the received plaintext m* is the plaintext m sent by A.
2. The small-feature-based hyperbolic digital signature method according to claim 1, characterized in that the sender A may form the public key pair (Y1, Y2) into an X.509 certificate before sending it to recipient B.
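The following is an added worked example, not code from the patent: it implements arithmetic in the field $F_P[\alpha]$ with α a root of $X^P - X - 1$, the public-key step $Y_i = (c\alpha)^{X_i}$ of claim 1, the private-key checks of steps a and b, and the exponent inverse of step d. It assumes P = 3 and c = 2 (constructed values), and, since the formula image for the private key is not reproduced on the page, it reads the coefficients $a_i$ of constraint 2 as the base-P digits of the integer X (an assumption).

```python
# Added example (not from the patent): arithmetic in F_P[alpha], alpha a root of
# X^P - X - 1 over F_P, and the sender's key-generation steps from claim 1.
from typing import List, Tuple

P = 3                     # the "small feature" prime; constructed for the example
GROUP_ORDER = P ** P - 1  # order of the multiplicative group of F_P[alpha] = F_{P^P}
Elem = List[int]          # c_0 + c_1*alpha + ... + c_{P-1}*alpha^{P-1}, coefficients mod P
ONE: Elem = [1] + [0] * (P - 1)

def mul(a: Elem, b: Elem) -> Elem:
    """Multiply in F_P[alpha], reducing with alpha^P = alpha + 1."""
    prod = [0] * (2 * P - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    # alpha^d = alpha^(d-P) * (alpha + 1) for every degree d >= P
    for d in range(2 * P - 2, P - 1, -1):
        coef, prod[d] = prod[d], 0
        prod[d - P + 1] = (prod[d - P + 1] + coef) % P
        prod[d - P] = (prod[d - P] + coef) % P
    return prod[:P]

def power(base: Elem, e: int) -> Elem:
    """Square-and-multiply without exponent reduction, so the caller can observe that
    exponents only matter modulo P^P - 1 (the modulus used for s in claim 1, step d)."""
    result, base = list(ONE), list(base)
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

def private_key_ok(x: int, q: int) -> bool:
    """Claim 1 steps a-b: coefficient sum below P, and Q must divide X exactly.
    ASSUMPTION: the a_i are read as the P base-P digits of the integer X."""
    digits = [(x // P ** i) % P for i in range(P)]
    return sum(digits) < P and x % q == 0

def public_key(x1: int, x2: int, c: int) -> Tuple[Elem, Elem]:
    """Claim 1 step c: (Y1, Y2) = ((c*alpha)^X1, (c*alpha)^X2)."""
    g = [0] * P           # the base element c*alpha
    g[1] = c % P
    return power(g, x1), power(g, x2)

def inverse_exponent(k: int) -> int:
    """Claim 1 step d: k^{-1} with k * k^{-1} == 1 (mod P^P - 1); k must be coprime to it."""
    return pow(k, -1, GROUP_ORDER)
```

With P = 3 the polynomial $X^3 - X - 1$ has no root in $F_3$, so $F_3[\alpha]$ is the 27-element field and every element satisfies $g^{26} = 1$, which is why exponents are reduced modulo $P^P - 1$.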
PCT/CN2002/000749 2002-07-24 2002-10-29 A method for small-feature-based hyperbolic digital signature WO2004010641A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002344027A AU2002344027A1 (en) 2002-07-24 2002-10-29 A method for small-feature-based hyperbolic digital signature

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN02136177.0 2002-07-24
CN 02136177 CN1220959C (en) 2002-07-24 2002-07-24 Hyperbolic digital signature method based on signlet

Publications (1)

Publication Number Publication Date
WO2004010641A1 true WO2004010641A1 (en) 2004-01-29

Family

ID=4748537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2002/000749 WO2004010641A1 (en) 2002-07-24 2002-10-29 A method for small-feature-based hyperbolic digital signature

Country Status (3)

Country Link
CN (1) CN1220959C (en)
AU (1) AU2002344027A1 (en)
WO (1) WO2004010641A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101673334B (en) * 2004-12-09 2013-04-03 中国科学院计算技术研究所 Information embedding and extracting method with a type of PDF text as shelter

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5680455A (en) * 1994-08-17 1997-10-21 International Business Machines Corporation Digital signature generator /verifier/ recorder (DS-GVR) for analog transmissions
US6079018A (en) * 1997-10-08 2000-06-20 Agorics, Inc. System and method for generating unique secure values for digitally signing documents

Also Published As

Publication number Publication date
CN1391168A (en) 2003-01-15
AU2002344027A1 (en) 2004-02-09
CN1220959C (en) 2005-09-28
AU2002344027A8 (en) 2004-02-09

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP