Disclosure of Invention
In view of the above, the invention provides a distributed anti-quantum digital signature method and a system, which can improve the signature security through the distributed signature of a mobile terminal, a cloud server and a trusted cryptography device.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
in a first aspect, the present invention provides a distributed anti-quantum digital signature method, in which a mobile terminal, a cloud server and a trusted cryptography device participate in a signature process, comprising the steps of:
S1, the mobile terminal and a cloud server negotiate a signature public key together and generate respective signature private keys independently;
S2, the mobile terminal and the cloud server each perform signature calculation using their own signature private keys to obtain their respective intermediate vectors;
S3, the mobile terminal and the cloud server fill and splice their respective intermediate vectors, then transmit the data to the trusted cryptography device using the Paillier homomorphic encryption algorithm and a password-based message authentication code mechanism;
S4, the trusted cryptography device performs aggregation calculation on the received data, and returns a calculation result to the mobile terminal and the cloud server;
S5, the mobile terminal and the cloud server continue to perform signature calculation by utilizing data returned by the trusted cryptography equipment, and partial signature fragments are respectively generated;
And S6, the cloud server sends the generated partial signature fragments to the mobile terminal, the mobile terminal verifies the correctness of the partial signature fragments sent by the cloud server, and if the verification is passed, the partial signature fragments of the two parties are aggregated to generate a complete signature.
Further, S1 includes:
S11, the server runs the Paillier key generation algorithm to generate 2048-bit prime numbers, obtains the private key and the public key of the Paillier homomorphic encryption algorithm, and transmits the public key to the mobile terminal;
S12, the mobile terminal uniformly and randomly selects a 256-bit random number and derives further random values from it with the SHAKE-256 function;
The derived value is used as input to the matrix expansion algorithm to generate a matrix, where k and l are the number of rows and columns of the matrix, respectively, and the entries lie in a polynomial ring;
The derived value is also used as input to the key generation algorithm to obtain the private key vectors, whose coefficients lie within the key value range, over a polynomial ring;
The mobile terminal performs the corresponding calculation and sends the results to the cloud server;
S13, the cloud server uniformly and randomly selects a 256-bit random number and derives further random values from it with the SHAKE-256 function;
The derived value is used as input to the matrix expansion algorithm to generate a matrix;
The derived value is also used as input to the key generation algorithm to obtain the private key vectors;
The cloud server performs the corresponding calculation and transmits the results to the mobile terminal;
S14, the mobile terminal computes random values and their hash values and sends the computed results to the cloud server, where the hashed value is a character string formed by concatenating the coefficients of the polynomials in the vector;
S15, the cloud server computes random values and their hash values and sends the computed results to the mobile terminal, where the hashed value is a character string formed by concatenating the coefficients of the polynomials in the vector;
S16, the mobile terminal and the cloud server verify the received data against the hash values; if verification fails, the protocol is terminated and S11 to S16 are executed again;
S17, the mobile terminal performs its calculations and obtains its signature private key;
The cloud server performs its calculations and obtains the public key and its signature private key, the matrix expansion algorithm being used in these calculations.
Further, S2 includes:
The mobile terminal randomly generates a polynomial vector, computes an intermediate vector, and fills and splices the coefficients of the intermediate vector to obtain an integer;
The cloud server randomly generates a polynomial vector, computes an intermediate vector, and fills and splices the coefficients of the intermediate vector to obtain an integer, where the coefficients of the randomly generated vector lie within a bounded range and the vectors are taken over the polynomial ring modulo the scheme's modulus;
The two intermediate vectors are filled and spliced in the same way. Each element of the vector is a polynomial of degree 255; for one such polynomial, each coefficient has a fixed bit length, and the mobile terminal zero-pads each coefficient to a 24-bit integer and splices the padded values, in groups of 128 coefficients, into 3072-bit integers, the first group forming the first such integer.
Further, S3 includes:
The mobile terminal performs block encryption with the Paillier homomorphic encryption algorithm to obtain the ciphertext, generates a message authentication code by running the HMAC algorithm, and sends the ciphertext and the message authentication code to the trusted cryptography device, where the HMAC is built on a message digest algorithm and H denotes the SHAKE-256 function;
The cloud server performs block encryption with the Paillier homomorphic encryption algorithm to obtain its ciphertext, generates a message authentication code by running the HMAC algorithm, and sends the ciphertext and the message authentication code to the trusted cryptography device.
Further, S4 includes:
After the trusted cryptography device receives the data sent by the mobile terminal and the cloud server, it runs the Vrfy algorithm to authenticate the message authentication codes of both parties; if authentication succeeds, the following cryptographic operations are performed:
the received data is decrypted with the private key:
where the Paillier decryption algorithm is used;
The decrypted integers are regrouped in 24-bit units to recover the polynomial vector, the low-order bits of its coefficients are discarded, and the high-order part is computed, where the high-order bit function is taken with respect to the modulus and a parameter gives the number of low-order bits discarded;
A value that involves the message string to be signed is then computed and sent to both the mobile terminal and the cloud server.
Further, S5 includes:
The mobile terminal performs its signature calculation; if either of its two range checks fails, the result is discarded, where the low-order bit function is used, the mobile terminal's partial signature fragment is produced, and the checks compare against the maximum coefficient range of the polynomial vector and the maximum range of the low-order bit value;
The cloud server performs its signature calculation; if either of its two range checks fails, the result is discarded, the cloud server's partial signature fragment being produced and its low-order bit value checked in the same way.
Further, S6 includes:
The cloud server transmits its partial signature fragment and the associated data to the mobile terminal;
The mobile terminal verifies whether the verification equation holds; if so, the result is accepted, otherwise it is discarded;
After verification passes, the mobile terminal aggregates the partial signatures of the two parties to generate the complete signature.
further, the method further comprises the following steps:
The verifying party performs the verification calculation and checks the two verification conditions; if both hold, the signature is valid, otherwise the signature is invalid.
Further, before S1, the method further includes:
The mobile terminal generates the key for the message authentication code from the password value of the mobile terminal, unique identification information of the mobile terminal device, and the password value of the cloud server;
The mobile terminal uploads this key to the cloud server in advance.
In a second aspect, the present invention provides a distributed anti-quantum digital signature system, which adopts the distributed anti-quantum digital signature method as described above, comprising:
the public-private key generation module is used for enabling the mobile terminal and the cloud server to negotiate a signature public key together and independently generating respective signature private keys;
The intermediate vector calculation module is used for enabling the mobile terminal and the cloud server to perform signature calculation with their respective signature private keys and obtain their respective intermediate vectors;
The splicing module is used for enabling the mobile terminal and the cloud server to fill and splice their respective intermediate vectors and then transmit the data to the trusted cryptography device using the Paillier homomorphic encryption algorithm and a password-based message authentication code mechanism;
the aggregation module is used for enabling the trusted cryptography equipment to conduct aggregation calculation on the received data and returning calculation results to the mobile terminal and the cloud server;
The partial signature module is used for enabling the mobile terminal and the cloud server to continuously perform signature calculation by utilizing data returned by the trusted cryptography equipment, and generating partial signature fragments respectively;
and the complete signature module is used for enabling the cloud server to send the generated partial signature fragments to the mobile terminal, the mobile terminal verifies the correctness of the partial signature fragments sent by the cloud server, and if the verification is passed, the partial signature fragments of the two sides are aggregated to generate a complete signature.
Compared with the prior art, the invention has the following beneficial effects:
(1) According to the invention, the terminal equipment and the cloud server jointly negotiate the public key and independently generate the private keys of the partial signatures, and even if an attacker obtains the private key stored in the user terminal equipment, the attacker cannot generate the correct signature, so that the overall safety of the scheme is obviously improved. The method can be applied to password products such as a collaborative signature server, a password machine, a password card and the like, so as to achieve the aim of resisting quantum attack and enhance the security of password equipment.
(2) The invention adopts the trusted cryptography equipment to carry out the secret state aggregation of secret parameters, and when data is transmitted, the polynomial is specially processed and arranged, so that the Paillier addition homomorphic encryption algorithm with higher speed can be utilized to replace the lattice-based BFV and other homomorphic encryption algorithms with low efficiency, the confidentiality protection of the secret parameters is realized while the scheme execution efficiency is improved, and the safety of the data in the transmission process is ensured.
(3) The invention adopts a password-based message authentication code mechanism. The user generates a unique HMAC (Hash-based Message Authentication Code) key with the SM3 algorithm from information such as the password, the CPU serial number and the network card serial number of the mobile terminal, and uploads it to the cloud server in advance. In this way the integrity of the secret parameters is protected, the data cannot be tampered with or disclosed during transmission, and private information such as the user's password is never held by the cloud server.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the embodiment of the invention discloses a distributed anti-quantum digital signature method, which is characterized in that a mobile terminal, a cloud server and trusted cryptography equipment participate in a signature process, and the method comprises the following steps:
S1, the mobile terminal and a cloud server negotiate a signature public key together and generate respective signature private keys independently;
S2, the mobile terminal and the cloud server each perform signature calculation using their own signature private keys to obtain their respective intermediate vectors;
S3, the mobile terminal and the cloud server fill and splice their respective intermediate vectors, then transmit the data to the trusted cryptography device using the Paillier homomorphic encryption algorithm and a password-based message authentication code mechanism;
S4, the trusted cryptography device performs aggregation calculation on the received data, and returns a calculation result to the mobile terminal and the cloud server;
S5, the mobile terminal and the cloud server continue to perform signature calculation by utilizing data returned by the trusted cryptography equipment, and partial signature fragments are respectively generated;
And S6, the cloud server sends the generated partial signature fragments to the mobile terminal, the mobile terminal verifies the correctness of the partial signature fragments sent by the cloud server, and if the verification is passed, the partial signature fragments of the two parties are aggregated to generate a complete signature.
The invention is essentially a post-quantum distributed collaborative signature method based on the Module-SIS (Module Short Integer Solution) hard problem; the whole signature process is carried out by a mobile terminal, a cloud server and a plurality of trusted cryptography devices, which together complete the secure distributed signature.
Mobile terminal: when a user signs with a mobile phone, a computer or the like, the signing key stored in the mobile terminal is at risk of leakage, so the whole signing process is completed through multi-party cooperation between the mobile terminal, the cloud server and the other participants.
Cloud server: in order to protect the signature private key, the mobile terminal and the cloud server each independently generate a part of the signature private key in the key generation stage; the part held by the cloud server is difficult for an attacker to obtain, which ensures the overall security of the digital signature.
Trusted cryptography device: the trusted cryptography device acts as a trusted third party in the signing process; the mobile terminal and the cloud server encrypt their data and send it to the trusted cryptography device, which performs the calculation and returns the result to both parties, so that neither party's private data is leaked to the other.
The above steps are further described below.
The signature method is an improvement on the Dilithium signature algorithm, whose theoretical security relies on the SIS (Short Integer Solution) hard problem. Key generation, signing, verification and the other procedures operate in a polynomial ring, with parameters chosen such that the stated quantity is divisible by n. To further improve the execution efficiency of the distributed signature algorithm, the NTT (Number Theoretic Transform) may be used for fast polynomial multiplication.
Prior to the signing process, the mobile terminal generates the key for the message authentication code from the password value of the user's mobile terminal, unique device identification information such as the CPU serial number and the network card serial number of the user's mobile terminal device, and the password value of the cloud server; the mobile terminal then uploads the key to the cloud server in advance.
The specific signing process comprises the following steps:
S1, the mobile terminal and the cloud server negotiate a signature public key together and generate respective signature private keys independently, wherein a specific key generation process is shown in fig. 2 and comprises the following steps:
S11, the server runs the Paillier key generation algorithm to randomly generate two 2048-bit large prime numbers, derives the private key and the public key of the Paillier homomorphic encryption algorithm, transmits the public key to the mobile terminal, and sends the private key to the trusted cryptographic device;
S12, the mobile terminal uniformly and randomly selects a 256-bit random number and derives further random values from it with the SHAKE-256 function, where SHAKE is one of the SHA-3 functions, a direct application of the Keccak sponge function, and can output a hash value of arbitrary length;
The derived value is used as input to the matrix expansion algorithm to generate a matrix, where k and l are the number of rows and columns of the matrix, respectively, and the entries lie in a polynomial ring;
The derived value is also used as input to the key generation algorithm to obtain the private key vectors, whose coefficients lie within the key value range, over a polynomial ring;
The mobile terminal performs the corresponding calculation and sends the results to the cloud server;
S13, the cloud server uniformly and randomly selects a 256-bit random number and derives further random values from it with the SHAKE-256 function;
The derived value is used as input to the matrix expansion algorithm to generate a matrix;
The derived value is also used as input to the key generation algorithm to obtain the private key vectors;
The cloud server performs the corresponding calculation and transmits the results to the mobile terminal;
S14, the mobile terminal computes random values and their hash values and sends the computed results to the cloud server, where the hashed value is a character string formed by concatenating the coefficients of the polynomials in the vector;
S15, the cloud server computes random values and their hash values and sends the computed results to the mobile terminal, where the hashed value is a character string formed by concatenating the coefficients of the polynomials in the vector;
S16, the mobile terminal and the cloud server verify the received data against the hash values; if verification fails, the protocol is terminated and S11 to S16 are executed again;
S17, the mobile terminal performs its calculations and obtains its signature private key;
The cloud server performs its calculations and obtains the public key and its signature private key, the matrix expansion algorithm being used in these calculations.
S2-S5 introduce a distributed signing process, as shown in fig. 3, comprising:
S2, the mobile terminal and the cloud server each perform signature calculation using their own signature private keys to obtain their respective intermediate vectors;
The mobile terminal randomly generates a polynomial vector, computes an intermediate vector, and fills and splices the coefficients of the intermediate vector to obtain an integer, where the coefficients of the randomly generated vector lie within a bounded range and the vectors are taken over the polynomial ring modulo the scheme's modulus;
The cloud server randomly generates a polynomial vector, computes an intermediate vector, and fills and splices the coefficients of the intermediate vector to obtain an integer.
The two intermediate vectors are filled and spliced in the same way; the filling process is described below using the mobile terminal's intermediate vector as an example:
Each element of the vector is a polynomial of degree 255; for one such polynomial, each coefficient has a fixed bit length, and the mobile terminal zero-pads each coefficient to a 24-bit integer and splices the padded values, in groups of 128 coefficients, into 3072-bit integers, the first group forming the first such integer.
S3, the mobile terminal and the cloud server fill and splice their respective intermediate vectors and then transmit the data to the trusted cryptography device using the Paillier homomorphic encryption algorithm and a password-based message authentication code mechanism, comprising the following steps:
The mobile terminal performs block encryption with the Paillier homomorphic encryption algorithm to obtain the ciphertext, generates a message authentication code by running the HMAC algorithm, and sends the ciphertext and the message authentication code to the trusted cryptography device, where the HMAC is built on a message digest algorithm and H denotes the SHAKE-256 function;
The cloud server performs block encryption with the Paillier homomorphic encryption algorithm to obtain its ciphertext, generates a message authentication code by running the HMAC algorithm, and sends the ciphertext and the message authentication code to the trusted cryptography device.
S4, the trusted cryptography device performs aggregation calculation on the received data and returns a calculation result to the mobile terminal and the cloud server, wherein the method comprises the following steps:
After receiving the data sent by the mobile terminal and the cloud server, the trusted cryptography device runs the Vrfy algorithm (short for Verify, a generic verification algorithm) to authenticate the message authentication codes of both parties; if authentication succeeds, the following cryptographic operations are performed:
the received data is decrypted with the private key:
where the Paillier decryption algorithm is used;
The decrypted integers are regrouped in 24-bit units to recover the polynomial vector, the low-order bits of its coefficients are discarded, and the high-order part is computed, where the high-order bit function is taken with respect to the modulus and a parameter gives the number of low-order bits discarded;
A value that involves the message string to be signed is then computed and sent to both the mobile terminal and the cloud server.
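The packing and aggregation of S2 to S4, as an added example that is not the patent's code: each coefficient is zero-padded into a 24-bit slot so that Paillier's additive homomorphism adds the two parties' vectors slot by slot, and the trusted device checks a password-keyed HMAC before it decrypts anything. It assumes the Dilithium modulus q = 8380417 (so the sum of two coefficients stays below 2^24 and never carries into the next slot), scales the page's 128-coefficient/3072-bit groups and 2048-bit primes down to 16-coefficient groups and 256-bit primes so it runs quickly in pure Python, uses SHA-256 in place of SM3 for key derivation and in place of the page's digest inside HMAC, and assumes the trusted device holds both the MAC key and the Paillier private key (the page has the server send the private key to the device). All sample values are constructed.

```python
# Added example, not the patent's code: coefficient packing, Paillier additive
# aggregation and password-keyed HMAC as described for S2-S4. Scaled down to run
# in pure Python: 24-bit slots as on the page, but 16 coefficients per packed
# integer and 256-bit Paillier primes instead of 128 coefficients / 2048-bit primes.
import hashlib
import hmac
import random
from math import gcd

Q = 8380417        # assumed Dilithium modulus; Q < 2**23 so w1 + w2 < 2**24 never carries
SLOT_BITS = 24     # page: each coefficient zero-padded to 24 bits
GROUP = 16         # scaled down from the page's 128 coefficients per integer
PRIME_BITS = 256   # scaled down from the page's 2048-bit primes
CT_BYTES = PRIME_BITS // 2   # a ciphertext is below n**2 < 2**(4*PRIME_BITS) = 2**(8*CT_BYTES)

def pack(coeffs):
    """Splice coefficients into integers: 24 bits per slot, GROUP slots per integer (S2)."""
    ints = []
    for start in range(0, len(coeffs), GROUP):
        acc = 0
        for j, c in enumerate(coeffs[start:start + GROUP]):
            assert 0 <= c < 2 ** SLOT_BITS
            acc |= c << (SLOT_BITS * j)
        ints.append(acc)
    return ints

def unpack(ints, count):
    """Inverse of pack: regroup in 24-bit units (the trusted device's step in S4)."""
    mask = (1 << SLOT_BITS) - 1
    return [(acc >> (SLOT_BITS * j)) & mask for acc in ints for j in range(GROUP)][:count]

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases (n odd, n > 3)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def paillier_keygen(rng):
    """Returns n (public) and (lambda, mu) (private); the generator is g = n + 1."""
    p, q = gen_prime(PRIME_BITS, rng), gen_prime(PRIME_BITS, rng)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (lam, mu)

def paillier_encrypt(n, m, rng):
    n2 = n * n
    r = rng.randrange(1, n)                    # demo RNG; a real implementation uses secrets
    return (1 + m * n) * pow(r, n, n2) % n2    # (n+1)**m = 1 + m*n (mod n**2)

def paillier_decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def derive_mac_key(pw_mobile, device_id, pw_server):
    return hashlib.sha256(pw_mobile + device_id + pw_server).digest()  # SHA-256 stands in for SM3

def mac_tag(key, cts):
    """HMAC over the fixed-width encoding of the ciphertext list (SHA-256 stands in for the page's digest)."""
    return hmac.new(key, b"".join(c.to_bytes(CT_BYTES, "big") for c in cts), hashlib.sha256).digest()

def party_send(n, coeffs, mac_key, rng):
    """S2/S3 for one party: pack, Paillier-encrypt each packed integer, HMAC the ciphertexts."""
    cts = [paillier_encrypt(n, m, rng) for m in pack(coeffs)]
    return cts, mac_tag(mac_key, cts)

def trusted_device_aggregate(n, priv, mac_key, msg_mobile, msg_cloud, count):
    """S4: Vrfy both MACs, multiply ciphertexts (adds the packed plaintexts), decrypt, unpack."""
    for cts, tag in (msg_mobile, msg_cloud):
        if not hmac.compare_digest(mac_tag(mac_key, cts), tag):
            return None       # reject anything that fails Vrfy before touching the private key
    n2 = n * n
    summed = [paillier_decrypt(n, priv, a * b % n2) for a, b in zip(msg_mobile[0], msg_cloud[0])]
    return [w % Q for w in unpack(summed, count)]   # each slot holds w1 + w2 < 2**24; reduce mod Q

def run_protocol(tamper=False, seed=7):
    """Returns (aggregate computed by the device, direct coefficient-wise sum) on constructed inputs."""
    rng = random.Random(seed)
    count = 64                                      # demo vector length; a real polynomial has 256
    n, priv = paillier_keygen(rng)
    key = derive_mac_key(b"mobile-pw", b"cpu:0123|nic:ab:cd", b"server-pw")   # constructed values
    w1 = [rng.randrange(Q) for _ in range(count)]
    w2 = [rng.randrange(Q) for _ in range(count)]
    msg_mobile = party_send(n, w1, key, rng)
    msg_cloud = party_send(n, w2, key, rng)
    if tamper:                                      # one bit flipped in transit must be caught by Vrfy
        cts, tag = msg_cloud
        msg_cloud = ([cts[0] ^ 1] + cts[1:], tag)
    got = trusted_device_aggregate(n, priv, key, msg_mobile, msg_cloud, count)
    return got, [(a + b) % Q for a, b in zip(w1, w2)]
```

Calling `run_protocol()` returns two equal lists, and `run_protocol(tamper=True)` returns `None` for the aggregate because the MAC check fails before decryption. The 24-bit slot is what makes an additive-only scheme sufficient here: because every coefficient is below 2^23, the slot-wise sum of two vectors never overflows into its neighbour, so a single Paillier multiplication per packed integer yields the coefficient-wise sum that the device then reduces modulo q.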
S5, continuing signature calculation by the mobile terminal and the cloud server by using data returned by the trusted cryptography equipment, and respectively generating partial signature fragments, wherein the method comprises the following steps:
The mobile terminal performs its signature calculation; if either of its two range checks fails, the result is discarded, where the low-order bit function is used, the mobile terminal's partial signature fragment is produced, and the checks compare against the maximum coefficient range of the polynomial vector and the maximum range of the low-order bit value;
The cloud server performs its signature calculation; if either of its two range checks fails, the result is discarded, the cloud server's partial signature fragment being produced and its low-order bit value checked in the same way.
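The high-order bit function of S4 and the low-order bit function with its range check in S5, as an added example that is not the patent's code: it implements the Dilithium-style decomposition of a coefficient into a high part and a centered low part, and checks the lemma that justifies the S5 rejection rule (when the low part stays far enough from the slot boundary, adding a small value cannot change the high part). The page does not state the rounding parameter, so Dilithium's alpha = 2*gamma2 with gamma2 = (q-1)/32 and q = 8380417 are assumed here; beta = 120 and the random inputs are constructed for the demonstration.

```python
# Added example, not the patent's code: Dilithium-style HighBits/LowBits
# decomposition standing in for the page's "high-order bit function" (S4) and
# "low-order bit function" with range check (S5). The page gives no rounding
# parameter; Dilithium's alpha = 2*gamma2 with gamma2 = (q-1)/32 is assumed here.
import random

Q = 8380417               # assumed Dilithium modulus
GAMMA2 = (Q - 1) // 32    # assumed; alpha = 2*gamma2 divides q - 1
ALPHA = 2 * GAMMA2

def centered_mod(r, m):
    """r mod m represented in the range (-m/2, m/2]."""
    r0 = r % m
    return r0 - m if r0 > m // 2 else r0

def decompose(r):
    """Split r into (high, low) with r = high*ALPHA + low (mod Q), low centered.
    The wrap-around at q-1 is handled as in the Dilithium specification."""
    r %= Q
    r0 = centered_mod(r, ALPHA)
    if r - r0 == Q - 1:
        return 0, r0 - 1
    return (r - r0) // ALPHA, r0

def high_bits(r):
    return decompose(r)[0]

def low_bits(r):
    return decompose(r)[1]

def high_bits_vec(vec):
    """What the trusted device passes on in S4 after discarding the low-order bits."""
    return [high_bits(x) for x in vec]

def low_bits_in_range(vec, beta):
    """S5's low-bit check: every centered low part must stay below ALPHA/2 - beta."""
    return all(abs(low_bits(x)) < GAMMA2 - beta for x in vec)

def high_bits_stable(r, s, beta):
    """Dilithium lemma: |LowBits(r)| < ALPHA/2 - beta and |s| <= beta imply HighBits(r+s) == HighBits(r)."""
    if abs(s) > beta or abs(low_bits(r)) >= GAMMA2 - beta:
        return True                   # premise not met; the lemma promises nothing
    return high_bits(r + s) == high_bits(r)

def lemma_holds(trials=20000, beta=120, seed=1):
    """Exercise the lemma on constructed random inputs; True if no counterexample is found."""
    rng = random.Random(seed)
    return all(high_bits_stable(rng.randrange(Q), rng.randrange(-beta, beta + 1), beta)
               for _ in range(trials))

def boundary_example():
    """Why the check matters: at |low| = ALPHA/2 a shift of 1 already changes HighBits."""
    return high_bits(GAMMA2), high_bits(GAMMA2 + 1)
```

`boundary_example()` returns `(0, 1)`: a coefficient sitting exactly on the slot boundary flips its high part when perturbed by 1, which is why a partial result whose low parts reach the bound is discarded rather than sent on. `lemma_holds()` returns `True`, confirming that inside the bound the high part the device computed in S4 stays consistent with what the verifier will recompute.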
S6, the cloud server sends the generated partial signature fragments to the mobile terminal, the mobile terminal verifies the correctness of the partial signature fragments sent by the cloud server, if the verification is passed, the partial signature fragments of the two parties are aggregated to generate a complete signature, and the method comprises the following steps:
The cloud server transmits its partial signature fragment and the associated data to the mobile terminal;
The mobile terminal verifies whether the verification equation holds; if so, the result is accepted, otherwise it is discarded;
After verification passes, the mobile terminal aggregates the partial signatures of the two parties to generate the complete signature.
The validity of the signature then needs to be verified; the specific verification process is shown in fig. 4: the verifying party performs the verification calculation and checks the two verification conditions; if both hold, the signature is valid, otherwise the signature is invalid.
In other embodiments, the present invention further provides a distributed anti-quantum digital signature system, which adopts the distributed anti-quantum digital signature method as described above, including:
the public-private key generation module is used for enabling the mobile terminal and the cloud server to negotiate a signature public key together and independently generating respective signature private keys;
The intermediate vector calculation module is used for enabling the mobile terminal and the cloud server to perform signature calculation with their respective signature private keys and obtain their respective intermediate vectors;
The splicing module is used for enabling the mobile terminal and the cloud server to fill and splice their respective intermediate vectors and then transmit the data to the trusted cryptography device using the Paillier homomorphic encryption algorithm and a password-based message authentication code mechanism;
the aggregation module is used for enabling the trusted cryptography equipment to conduct aggregation calculation on the received data and returning calculation results to the mobile terminal and the cloud server;
The partial signature module is used for enabling the mobile terminal and the cloud server to continuously perform signature calculation by utilizing data returned by the trusted cryptography equipment, and generating partial signature fragments respectively;
and the complete signature module is used for enabling the cloud server to send the generated partial signature fragments to the mobile terminal, the mobile terminal verifies the correctness of the partial signature fragments sent by the cloud server, and if the verification is passed, the partial signature fragments of the two sides are aggregated to generate a complete signature.
In the present specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and identical or similar parts of the embodiments may refer to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points refer to the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.