
INFORMATION SECURITY

UDC 003.26 Articles

doi:10.31799/1684-8853-2021-2-43-51

A post-quantum digital signature scheme on groups with four-dimensional cyclicity

D. N. Moldovyan^a, PhD, Tech., Research Fellow, orcid.org/0000-0001-5039-7198

N. A. Moldovyan^a, Dr. Sc., Tech., Professor, Chief Researcher, orcid.org/0000-0002-4483-5048, [email protected]

^a Saint-Petersburg Institute for Informatics and Automation of the RAS, 39, 14 Line, V. O., 199178, Saint-Petersburg, Russian Federation

Introduction: Development of practical post-quantum signature schemes is a current challenge in applied cryptography. Recently, several different forms of the hidden discrete logarithm problem were proposed as primitives of signature schemes resistant to quantum attacks. Purpose: Development of a new form of the hidden discrete logarithm problem set in finite commutative groups possessing multi-dimensional cyclicity, and a method for designing post-quantum signature schemes. Results: A new form of the hidden discrete logarithm problem is introduced as the base primitive of practical post-quantum digital signature algorithms. Two new four-dimensional finite commutative associative algebras have been proposed as algebraic support for the introduced computationally complex problem. A method for designing signature schemes on the base of the latter problem is developed. The method consists in using a doubled public key and two similar equations for the verification of the same signature. To generate a pair of public keys, two secret minimum generator systems $\langle G, Q\rangle$ and $\langle H, V\rangle$ of two different finite groups $\Gamma_{\langle G,Q\rangle}$ and $\Gamma_{\langle H,V\rangle}$ possessing two-dimensional cyclicity are selected at random. The first public key $(Y, Z, U)$ is computed as follows: $Y = G^{y_1}Q^{y_2}\alpha$, $Z = G^{z_1}Q^{z_2}\beta$, $U = G^{u_1}Q^{u_2}\gamma$, where the set of integers $(y_1, y_2, \alpha, z_1, z_2, \beta, u_1, u_2, \gamma)$ is the private key. The second public key $(Y', Z', U')$ is computed as follows: $Y' = H^{y_1}V^{y_2}\alpha$, $Z' = H^{z_1}V^{z_2}\beta$, $U' = H^{u_1}V^{u_2}\gamma$. Using the same parameters to calculate the corresponding elements of the two public keys makes it possible to calculate a single signature that satisfies two similar verification equations specified in different finite commutative associative algebras.
Practical relevance: Due to the smaller size of the public key, private key and signature, and approximately equal performance compared to the known analogues, the proposed digital signature scheme can be used in the development of post-quantum signature algorithms.

Keywords — post-quantum cryptoschemes, computer security, digital signature, discrete logarithm problem, finite commutative groups, associative algebras, multi-dimensional cyclicity.

For citation: Moldovyan D. N., Moldovyan N. A. A post-quantum digital signature scheme on groups with four-dimensional cyclicity. Informatsionno-upravliaiushchie sistemy [Information and Control Systems], 2021, no. 2, pp. 43-51. doi:10.31799/1684-8853-2021-2-43-51

Introduction

Currently the most widely used public-key cryptoschemes exploit the computational complexity of the factoring problem (FP) [1, 2] and the discrete logarithm problem (DLP) [3, 4]. However, the expected breakthrough in quantum computing technology in the near future makes it extremely urgent to develop cryptosystems that are resistant to attacks using quantum computers. Post-quantum public-key cryptosystems should be based on computationally difficult problems other than FP and DLP, since efficient polynomial algorithms for solving FP and DLP on a quantum computer are known [5-7].

In the current field of development of public-key post-quantum cryptoschemes, considerable attention of the cryptographers is paid to the development of cryptoschemes on algebras [8, 9], on boolean functions [10, 11], and on linear codes [12, 13].

One of the attractive post-quantum primitives is the hidden discrete logarithm problem (HDLP), defined usually in non-commutative finite associative algebras (FAAs). Different forms of the HDLP were proposed to develop signature schemes on non-commutative FAAs [9, 14, 15]. For the first time, a signature scheme on a commutative FAA was proposed in [16]. The interest in the HDLP is related to the fact that HDLP-based signature schemes have relatively small sizes of the public key and signature. This area of research is quite new, and for a deeper and more complete understanding of the possibilities for the development of practical post-quantum HDLP-based signature schemes, it is of significant interest to search for new forms of the HDLP, especially for the case of using commutative FAAs as a carrier of the HDLP.

In this paper, we propose a new form of setting the HDLP in commutative FAAs, characterized in that the multiplicative group of the algebras possesses four-dimensional cyclicity in terms of the paper [17]: a finite commutative group whose minimum generator system includes $\mu$ ($\mu \ge 2$) elements that have the same order is called a group with $\mu$-dimensional cyclicity. The method of setting the proposed form of the HDLP is fundamentally different from the method introduced earlier in the paper [16]
 for the development of the HDLP-based signature on a commutative algebra.

Two commutative FAAs used as algebraic support

A finite m-dimensional vector space over the finite ground field GF(p), in which a vector multiplication operation is defined in addition to the scalar multiplication and addition operations, is called an m-dimensional algebra if the vector multiplication is distributive on the left and on the right relative to addition. A vector A is presented as an ordered set of its coordinates, $A = (a_0, a_1, \dots, a_{m-1})$, or as a sum of its components, $A = a_0e_0 + a_1e_1 + \dots + a_{m-1}e_{m-1}$, where $e_i$ ($i = 0, 1, \dots, m-1$) are formal basis vectors. Defining additionally the operation of vector multiplication ($\circ$) possessing the property of two-sided distributivity relative to the addition operation, one gets a finite m-dimensional algebra.

Usually, the multiplication of two vectors $A = \sum_{i=0}^{m-1} a_ie_i$ and $B = \sum_{j=0}^{m-1} b_je_j$ is defined by the following formula: $A \circ B = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} a_ib_j\,(e_i \circ e_j)$, where the coordinates $a_i$ and $b_j$ are multiplied as elements of the field GF(p) and every product of two formal basis vectors is replaced by the one-component vector indicated in the cell at the intersection of the i-th row and j-th column of the so-called basis vector multiplication table; see, for example, Table 1 [16]. Each of these tables defines a four-dimensional commutative FAA whose multiplicative group has order $\Omega$, which can be computed as the number of invertible vectors. Consider, for example, the algebra defined by Table 1.

■ Table 1. Setting the multiplication operation in the first used FAA, whose multiplicative group possesses multi-dimensional cyclicity ($\lambda \ne 0$)

∘    | e0    e1    e2    e3
e0   | λe2   e3    e0    λe1
e1   | e3    e2    e1    e0
e2   | e0    e1    e2    e3
e3   | λe1   e0    e3    λe2

The unit element of this commutative FAA is the vector E = (0, 0, 1, 0). If for some vector A the vector equation

$$AX = E \quad (1)$$

has a unique solution, then the vector A is called invertible. For a fixed invertible vector A the vector equation $AX = E$ has a unique solution denoted as $A^{-1}$ (called the inverse of A). Evidently, $AA^{-1} = A^{-1}A = E$. An invertibility condition can be derived from equation (1), which can be reduced to the following system of four linear equations, where the unknowns are the coordinates of the vector $X = (x_0, x_1, x_2, x_3)$:

$$\begin{cases} a_2x_0 + a_3x_1 + a_0x_2 + a_1x_3 = 0 \\ \lambda a_3x_0 + a_2x_1 + a_1x_2 + \lambda a_0x_3 = 0 \\ \lambda a_0x_0 + a_1x_1 + a_2x_2 + \lambda a_3x_3 = 1 \\ a_1x_0 + a_0x_1 + a_3x_2 + a_2x_3 = 0 \end{cases} \quad (2)$$

The main determinant of the system (2) is

$$\Delta = \begin{vmatrix} a_2 & a_3 & a_0 & a_1 \\ \lambda a_3 & a_2 & a_1 & \lambda a_0 \\ \lambda a_0 & a_1 & a_2 & \lambda a_3 \\ a_1 & a_0 & a_3 & a_2 \end{vmatrix} = \dots = \lambda^2(a_0^2 + a_3^2)^2 - 4\lambda^2a_0^2a_3^2 + (a_1^2 + a_2^2)^2 - 4a_1^2a_2^2 - 2\lambda(a_0^2 + a_3^2)(a_1^2 + a_2^2) + 8\lambda a_0a_1a_2a_3 = (\lambda a_0^2 - a_1^2 - a_2^2 + \lambda a_3^2)^2 - 4(\lambda a_0a_3 - a_1a_2)^2.$$

The case $\Delta \ne 0$ defines the following invertibility condition:

$$(\lambda a_0^2 - a_1^2 - a_2^2 + \lambda a_3^2)^2 \ne 4(\lambda a_0a_3 - a_1a_2)^2. \quad (3)$$

The case $\Delta = 0$ defines the following non-invertibility condition:

$$(\lambda a_0^2 - a_1^2 - a_2^2 + \lambda a_3^2)^2 = 4(\lambda a_0a_3 - a_1a_2)^2. \quad (4)$$

Proposition 1. Suppose the structural constant $\lambda$ is a quadratic non-residue in GF(p). Then the number of different non-invertible vectors in the four-dimensional FAA set by Table 1 is equal to $r = 2p^2 - 1$.

Proof: The non-invertibility condition (4) sets the following two cases:

i) $\lambda a_0^2 - a_1^2 - a_2^2 + \lambda a_3^2 = 2\lambda a_0a_3 - 2a_1a_2 \;\Rightarrow\; \lambda(a_0 - a_3)^2 = (a_1 - a_2)^2$;

ii) $\lambda a_0^2 - a_1^2 - a_2^2 + \lambda a_3^2 = -2\lambda a_0a_3 + 2a_1a_2 \;\Rightarrow\; \lambda(a_0 + a_3)^2 = (a_1 + a_2)^2$.

If the structural constant $\lambda$ is a quadratic non-residue modulo p, then in the first case the equality holds true only if $(a_0 - a_3)^2 = (a_1 - a_2)^2 = 0$. This gives p different pairs of coordinates $a_0$ and $a_3$ and p different pairs of coordinates $a_1$ and $a_2$, including the zero vector (0, 0, 0, 0). Totally, in the first case we have $p^2 - 1$ non-invertible vectors. In the second case the equality holds true only if $(a_0 + a_3)^2 = (a_1 + a_2)^2 = 0$. This defines another $p^2$ sets of coordinates $a_0, a_1, a_2, a_3$, including (0, 0, 0, 0). Therefore we have $r = 2p^2 - 1$. Proposition 1 is proven.

Proposition 2. Suppose the structural constant $\lambda$ is a quadratic non-residue in GF(p). Then the order of the multiplicative group of the FAA set by Table 1 is equal to $\Omega = (p^2 - 1)^2$.

Proof: Among the $p^4$ different vectors of the algebra there are $r = 2p^2 - 1$ non-invertible ones, therefore $\Omega = p^4 - r = (p^2 - 1)^2$. Proposition 2 is proven.

Proposition 3. Suppose the structural constant $\lambda$ is a quadratic residue in GF(p). Then the number of non-invertible vectors in the four-dimensional FAA set by Table 1 is equal to $r = 4p^3 - 6p^2 + 4p - 1$.

Proof: Since the structural constant $\lambda$ is a quadratic residue, formula (4) defines the following two cases:

$\sqrt{\lambda}\,a_0 - \sqrt{\lambda}\,a_3 = \pm(a_1 - a_2)$;

$\sqrt{\lambda}\,a_0 + \sqrt{\lambda}\,a_3 = \pm(a_1 + a_2)$.

Sets of coordinates $(a_0, a_1, a_2, a_3)$ satisfying one of the four conditions defined by the said two cases represent non-invertible vectors. Table 2 shows the number of vectors whose coordinates satisfy the condition indicated in the left column.

Totally, counting the zero vector (which appears in both of the first two rows of Table 2) once, we have

$$r = p^2 + (p^2 - 1) + 2p(p-1)^2 + 2p(p-1)^2 = 4p^3 - 6p^2 + 4p - 1.$$

Proposition 3 is proven.

■ Table 2. Number of non-invertible vectors relating to different subsets for the case when $\lambda$ is a quadratic residue

Condition | Number of different combinations of coordinates $(a_0, a_1, a_2, a_3)$ satisfying the condition at the left
$\sqrt{\lambda}\,a_0 - \sqrt{\lambda}\,a_3 = a_1 - a_2 = 0$ | $p^2$, including (0, 0, 0, 0)
$\sqrt{\lambda}\,a_0 + \sqrt{\lambda}\,a_3 = a_1 + a_2 = 0$ | $p^2$, including (0, 0, 0, 0)
$\sqrt{\lambda}\,a_0 - \sqrt{\lambda}\,a_3 = \pm(a_1 - a_2) \ne 0$ | $2p(p-1)^2$
$\sqrt{\lambda}\,a_0 + \sqrt{\lambda}\,a_3 = \pm(a_1 + a_2) \ne 0$ | $2p(p-1)^2$

Proposition 4. Suppose the structural constant $\lambda$ is a quadratic residue in GF(p). Then the order of the multiplicative group of the FAA set by Table 1 is equal to $\Omega = (p - 1)^4$.

Proof: Among the $p^4$ different vectors of the algebra there are $r = 4p^3 - 6p^2 + 4p - 1$ non-invertible ones, therefore $\Omega = p^4 - r = p^4 - (4p^3 - 6p^2 + 4p - 1) = (p - 1)^4$. Proposition 4 is proven.

Thus, if the structural constant $\lambda$ is equal to a quadratic residue modulo p, then the multiplicative group of the considered algebra has order $(p - 1)^4$ and possesses four-dimensional cyclicity [16]. If the structural constant $\lambda$ is equal to a quadratic non-residue modulo p, then the multiplicative group of the considered algebra has order $(p^2 - 1)^2$ and possesses two-dimensional cyclicity [16].

In the developed signature scheme, it is assumed that the first commutative FAA is set by Table 1, where $\lambda$ is equal to a quadratic residue, and the characteristic of the field GF(p) is a prime having the structure p = 2q + 1 with a 256-bit prime q. In this case the integer q divides p − 1 and one can generate a minimum generator system $\langle G, Q\rangle$, where G and Q are vectors of order q, which sets a two-dimensional cyclicity subgroup of order $q^2$.

We also use another commutative FAA possessing properties similar to those of the algebra set by Table 1. The second used commutative FAA is set by the basis vector multiplication table represented as Table 3, where $\lambda$ is equal to a quadratic residue, and includes the unit vector E = (0, 0, 0, 1). Consideration of the number of invertible vectors in the second commutative FAA shows that Propositions 1 to 4 are also true for the latter. Thus, we have two different commutative FAAs, the multiplicative group of each of which possesses four-dimensional cyclicity. The latter group contains a large number of two-dimensional cyclicity subgroups of the order $q^2$.

■ Table 3. Setting the second used FAA ($\lambda \ne 0$)

∘    | e0    e1    e2    e3
e0   | λe3   e2    λe1   e0
e1   | e2    e3    e0    e1
e2   | λe1   e0    λe3   e2
e3   | e0    e1    e2    e3


Example 1. In the case of the first FAA with $p = 2q + 1 = 307771779467$ (prime $q = 153885889733$) and $\lambda = 3$ (quadratic residue) one can select the following minimum generator system $\langle G, Q, H, V\rangle$ setting a primary group $\Gamma_{\langle G,Q,H,V\rangle}$ of the order $\Omega_{\langle G,Q,H,V\rangle} = q^4 = 560783464662101934272226806080639851841841521$:

G = (0, 0, 3, 0); Q = (0, 2, 5, 0); H = (2, 7, 3, 0); V = (13, 12, 10, 17).

For $\lambda = 2$ (quadratic non-residue) one can select the following minimum generator system $\langle G, Q\rangle$ setting a primary group $\Gamma_{\langle G,Q\rangle}$ of the order $\Omega_{\langle G,Q\rangle} = q^2 = 94723468236283682804089$:

G = (0, 0, 3, 0) and Q = (0, 1, 2, 0).

Example 2. In the case of the second FAA with $p = 2q + 1 = 273413518347119$ (prime $q = 136706759173559$) and $\lambda = 2$ (quadratic residue) one can select the following minimum generator system $\langle G, Q, H, V\rangle$ setting a primary group $\Gamma_{\langle G,Q,H,V\rangle}$ of the order $\Omega_{\langle G,Q,H,V\rangle} = q^4 = 349268928172340739260074738422041068655028853953782643361$:

G = (0, 0, 0, 2); Q = (0, 0, 1, 2); H = (0, 1, 4, 7); V = (1, 3, 7, 10).

For $\lambda = 13$ (quadratic non-residue) one can select the following minimum generator system $\langle G, Q\rangle$ setting a primary group $\Gamma_{\langle G,Q\rangle}$ of the order $\Omega_{\langle G,Q\rangle} = q^2 = 18688738003737457800684726481$:

G = (0, 189, 0, 222) and Q = (0, 0, 0, 2).

Consider a method for generating a minimum generator system of a two-dimensional cyclicity subgroup of order $q^2$. The following procedure outputs a random vector of the order q:

1. Generate a random vector R and compute the vector $Q = R^2$.

2. If $Q \ne E$, then output Q. Else go to step 1.

The next probabilistic procedure outputs the minimum generator system:

1. Generate a uniformly random vector G of prime order q.

2. Generate a uniformly random vector Q of order q.

The multiplicative group of the algebra contains $q^4 - 1$ vectors of order q. The cyclic group generated by the vector G includes $q - 1$ vectors of order q; therefore, the probability that the vector Q is an element of the cyclic group generated by the vector G is approximately $q^{-3}$. Otherwise the pair of vectors $\langle G, Q\rangle$ represents a minimum generator system of a primary subgroup of order $q^2$ contained in the multiplicative group of the algebra. For the case of a 256-bit prime q the probability $q^{-3}$ that the latter procedure fails is negligible.

A new HDLP-based signature scheme

In the developed signature scheme a 256-bit collision-resistant hash function fH is assumed to be used. Computation of the public key is proposed as the following procedure.

Public-key generation algorithm.

1. Generate at random a minimum generator system <G, Q> of the group of order q2, which is contained in the first commutative FAA.

2. Generate at random integers $y_1 < q$, $y_2 < q$, and $\alpha < p$, where $\alpha$ is a primitive element in GF(p). Then calculate the vector $Y = G^{y_1}Q^{y_2}\alpha$.

3. Generate at random integers $z_1 < q$, $z_2 < q$, and $\beta < p$, where $\beta$ is a primitive element in GF(p). Then calculate the vector $Z = G^{z_1}Q^{z_2}\beta$.

4. Generate at random integers $\gamma < p$, $u_1 < q$, and $u_2 < q$, such that the inequality $z_1u_2 \ne z_2u_1$ holds true and $\gamma$ is a primitive element in GF(p). Then calculate the vector $U = G^{u_1}Q^{u_2}\gamma$.

5. Generate at random a minimum generator system $\langle H, V\rangle$ of the group of order $q^2$ contained in the second commutative FAA.

6. Calculate the vectors $Y' = H^{y_1}V^{y_2}\alpha$, $Z' = H^{z_1}V^{z_2}\beta$, and $U' = H^{u_1}V^{u_2}\gamma$.

7. Output the public key in the form of two triples of vectors: (Y, Z, U) and (Y', Z', U').

In the developed signature scheme, we use the idea of doubling the signature verification equation, connected with doubling the public key. Therefore, the triple (Y, Z, U) will be called in this paper the first public key. Respectively, the triple (Y', Z', U') will be called the second public key. Each of the public keys has been calculated using the same private key, representing nine 256-bit integers $(y_1, y_2, \alpha, z_1, z_2, \beta, u_1, u_2, \gamma)$, and the same formulas. The first (second) public key is computed in the first (second) commutative FAA. The size of each of the public keys is equal to 384 bytes, and the size of the doubled public key equals 768 bytes.

The vectors G, Q, H, and V are secret, but the developed signature scheme offers the possibility to choose one of two signature generation procedures. In the first one, only four exponentiation operations are executed in the FAAs; however, the vectors G, Q, H, and V must be stored by the owner of the public key (the person who generated the public key) as additional elements of his private key. In this case the size of the private key is equal to 704 bytes.

In the second version of the signature generation procedure, six exponentiation operations are to be performed in the FAAs, but the vectors G, Q, H, and V are not needed and the set of nine integers $(y_1, y_2, \alpha, z_1, z_2, \beta, u_1, u_2, \gamma)$ represents the full private key, having a size equal to 192 bytes.

Usually, finding the integer x satisfying the exponential equation $Y' = G'^x$, where Y' and G' are known elements of a finite cyclic group, is called the discrete logarithm problem. If one of the elements Y' and G', or both of them, is not directly given, then we have a number of problems we call HDLPs. Different forms of the HDLP are considered in [9, 15]. The HDLP form exploited in the present paper is defined as follows:

Given a triple of vectors (Y, Z, U) contained in the first FAA and a triple of vectors (Y', Z', U') contained in the second FAA. Find the set of integer powers $(y_1, y_2, z_1, z_2, u_1, u_2)$ and the set of scalars $(\alpha, \beta, \gamma)$ such that the equations $Y = G^{y_1}Q^{y_2}\alpha$, $Z = G^{z_1}Q^{z_2}\beta$, $U = G^{u_1}Q^{u_2}\gamma$ (in the first FAA), $Y' = H^{y_1}V^{y_2}\alpha$, $Z' = H^{z_1}V^{z_2}\beta$, and $U' = H^{u_1}V^{u_2}\gamma$ (in the second FAA) hold true for i) some secret vectors G and Q generating two different cyclic groups of prime order q in the first FAA; ii) some secret vectors H and V generating two different cyclic groups of prime order q in the second FAA.

One can easily show that, due to using random vectors G and Q (H and V) and scalar multiplications, the vectors Y, Z, and U (Y', Z' and U') compose a basis of a three-dimensional cyclicity group in the first (second) FAA. Therefore the vector Y (Y') cannot be represented as a product of some powers of the vectors Z and U (Z' and U') and a periodic function set on the base of the known parameters has periods defined by the order of the public key elements, i. e., by the prime q. The latter means that the Shor quantum algorithm [5] is not applicable to find one of the values y1, y2, z1, z2, u1, and u2.

The said computationally complex problem underlying the developed signature scheme is a new one and currently the authors have no proposal for solving it (except exhaustive search). However, the importance of finding effective solutions allows us to hope that this article will stimulate independent researchers to address this issue.

At the moment, the authors expect that choosing a 256-bit prime number q will provide a 128-bit level of security for the proposed signature algorithm.

The first signature generation algorithm.

1. Generate three uniformly random integers $k < q$, $t < q$, and $\rho < p$.

2. Calculate the vector $R = G^kQ^t\rho$.

3. Calculate the vector $R' = H^kV^t\rho$.

4. Compute the first signature element e that is a hash-function value calculated from the document M to be signed, to which the vectors R and R' are concatenated: $e = f_H(M, R, R')$.

5. Interpreting the hash value as a 256-bit binary number e, calculate the second s and third d signature elements, which represent the solution of the following system of two linear equations:

$$\begin{cases} z_1s + u_1d = k - ey_1 \bmod q \\ z_2s + u_2d = t - ey_2 \bmod q \end{cases} \quad (5)$$

It is easy to get the following formulas for computation of the second and third signature elements:

$$s = \frac{u_2(k - ey_1) - u_1(t - ey_2)}{z_1u_2 - z_2u_1} \bmod q; \quad (6)$$

$$d = \frac{z_1(t - ey_2) - z_2(k - ey_1)}{z_1u_2 - z_2u_1} \bmod q. \quad (7)$$

6. Compute the fourth signature element $\sigma = \rho\alpha^{-e}\beta^{-s}\gamma^{-d}$.

The output signature is four 256-bit numbers $(e, s, d, \sigma)$ with total size equal to 128 bytes.

The second signature generation algorithm.

1. Generate four uniformly random integers $a < q$, $b < q$, $c < q$, and $\rho < p$.

2. Calculate the vector $R = Y^aZ^bU^c\rho$.

3. Calculate the vector $R' = Y'^aZ'^bU'^c\rho$.

4. Compute the first signature element e that is a hash-function value calculated from the document M to be signed, to which the vectors R and R' are concatenated: $e = f_H(M, R, R')$.

5. Interpreting the hash value as a 256-bit binary number e, calculate the second s and third d signature elements, which represent the solution of the system (5) and can be computed by formulas (6) and (7), substituting the following values of the randomization integers k and t:

$k = ay_1 + bz_1 + cu_1 \bmod q$ and $t = ay_2 + bz_2 + cu_2 \bmod q$.

6. Compute the fourth signature element $\sigma = \rho\alpha^{a-e}\beta^{b-s}\gamma^{c-d}$.

The main contribution to the computational complexity of the signature generation procedure is introduced by the exponentiation operations.

The exponentiation in each of the four-dimensional FAAs takes about 6144 multiplications in GF(p). One exponentiation in GF(p) takes on the average about 384 multiplications. One can roughly estimate the execution time of the first and second signature generation procedures as 25728 and 38016 multiplications in GF(p), correspondingly.

The signature verification algorithm.

1. Calculate the vector $R^* = Y^eZ^sU^d\sigma$.

2. Calculate the vector $R'^* = Y'^eZ'^sU'^d\sigma$.

3. Compute the hash-function value from the document M to which the vectors $R^*$ and $R'^*$ are concatenated: $e^* = f_H(M, R^*, R'^*)$.

4. If e* = e, then the signature is accepted as a genuine one, otherwise the signature is rejected as a false one.

One can roughly estimate the computational complexity (execution time) of the signature verification procedure as six exponentiations in the used four-dimensional algebras or as 37248 multiplications in GF(p).

Signature scheme correctness proof.

To prove the correctness of the introduced signature scheme, consider a signature $(e, s, d, \sigma)$ computed in full correspondence with the first signature generation procedure using the correct signer's private key. When submitting the signature $(e, s, d, \sigma)$ to the input of the verification procedure, we have the following proof of the correctness of the proposed signature scheme with the first signature generation algorithm [take into account the formulas in the system (5)]:

$$R^* = Y^eZ^sU^d\sigma = G^{ey_1}Q^{ey_2}\alpha^e \cdot G^{sz_1}Q^{sz_2}\beta^s \cdot G^{du_1}Q^{du_2}\gamma^d\sigma = G^{ey_1+sz_1+du_1}Q^{ey_2+sz_2+du_2}\alpha^e\beta^s\gamma^d\sigma = G^{ey_1+(k-ey_1)}Q^{ey_2+(t-ey_2)}\alpha^e\beta^s\gamma^d\rho\alpha^{-e}\beta^{-s}\gamma^{-d} = G^kQ^t\rho = R;$$

$$R'^* = Y'^eZ'^sU'^d\sigma = H^{ey_1}V^{ey_2}\alpha^e \cdot H^{sz_1}V^{sz_2}\beta^s \cdot H^{du_1}V^{du_2}\gamma^d\sigma = H^{ey_1+sz_1+du_1}V^{ey_2+sz_2+du_2}\alpha^e\beta^s\gamma^d\sigma = H^{ey_1+(k-ey_1)}V^{ey_2+(t-ey_2)}\alpha^e\beta^s\gamma^d\rho\alpha^{-e}\beta^{-s}\gamma^{-d} = H^kV^t\rho = R';$$

$$\{R^* = R;\ R'^* = R'\} \Rightarrow e^* = e.$$

The final equality means the input signature passes the verification procedure as a genuine signature, i. e., the signature scheme performs correctly. The correctness proof of the signature scheme with the second signature generation algorithm is similar to the presented one.
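The following Python sketch is an added illustration, not the paper's own code: it implements the two algebras of Tables 1 and 3, the order-q vector procedure (Q = R^2), the public-key generation algorithm, the first signature generation algorithm and the verification equations above, and brute-force checks the group orders of Propositions 2 and 4 through condition (3). It is a toy instance with p = 2q + 1 = 23, SHA-256 standing in for the 256-bit hash fH, an order check on candidate generators that the paper's procedure does not spell out, and constructed sample values throughout.

```python
# Added example, not the paper's own code: a toy instance of the doubled-key signature
# scheme over the commutative FAAs of Tables 1 and 3, plus a brute-force check of
# Propositions 2 and 4. p = 2q + 1 = 23 (q = 11) keeps it instant; a real instance uses
# a 256-bit q, and SHA-256 stands in for the 256-bit hash fH. All values are constructed.
import hashlib, random

P, Q_ORD = 23, 11   # p = 2q + 1 with prime q
LAM = 2             # lambda = 2 = 5^2 is a quadratic residue mod 23 (the Prop. 4 case)

# Basis products e_i*e_j as (coefficient, basis index): Table 1 (E = e2), Table 3 (E = e3).
TABLE1 = [[(LAM, 2), (1, 3), (1, 0), (LAM, 1)], [(1, 3), (1, 2), (1, 1), (1, 0)],
          [(1, 0), (1, 1), (1, 2), (1, 3)], [(LAM, 1), (1, 0), (1, 3), (LAM, 2)]]
TABLE3 = [[(LAM, 3), (1, 2), (LAM, 1), (1, 0)], [(1, 2), (1, 3), (1, 0), (1, 1)],
          [(LAM, 1), (1, 0), (LAM, 3), (1, 2)], [(1, 0), (1, 1), (1, 2), (1, 3)]]

class FAA:                         # four-dimensional commutative FAA over GF(p) given by a table
    def __init__(self, table, unit_idx):
        self.table = table
        self.E = tuple(1 if k == unit_idx else 0 for k in range(4))
    def mul(self, a, b):
        c = [0] * 4
        for i in range(4):
            for j in range(4):
                coef, k = self.table[i][j]
                c[k] = (c[k] + coef * a[i] * b[j]) % P
        return tuple(c)
    def scal(self, a, s):          # multiplication by the scalar s in GF(p)
        return tuple(s * x % P for x in a)
    def pow(self, a, n):           # square-and-multiply, n >= 0
        r, b = self.E, a
        while n:
            if n & 1:
                r = self.mul(r, b)
            b, n = self.mul(b, b), n >> 1
        return r
    def random_order_q(self, rng):
        # The paper's procedure: Q = R^2 for a random R (the group has exponent p - 1 = 2q,
        # so R^2 has order 1 or q); the order check is ours and also rejects non-invertible R.
        while True:
            g = self.pow(tuple(rng.randrange(P) for _ in range(4)), 2)
            if g != self.E and self.pow(g, Q_ORD) == self.E:
                return g

def delta_table1(a, lam):          # main determinant of system (2) in the paper's closed form
    a0, a1, a2, a3 = a
    return ((lam * a0 * a0 - a1 * a1 - a2 * a2 + lam * a3 * a3) ** 2
            - 4 * (lam * a0 * a3 - a1 * a2) ** 2) % P

def count_invertible_table1(lam):  # vectors of the Table 1 algebra satisfying condition (3)
    return sum(delta_table1((a0, a1, a2, a3), lam) != 0
               for a0 in range(P) for a1 in range(P) for a2 in range(P) for a3 in range(P))
def hash_e(msg, R, Rp):            # e = fH(M, R, R') read as an integer
    return int(hashlib.sha256(msg + repr(R).encode() + repr(Rp).encode()).hexdigest(), 16)
def random_primitive(rng):         # primitive element of GF(p), p - 1 = 2q
    while True:
        x = rng.randrange(2, P)
        if pow(x, 2, P) != 1 and pow(x, Q_ORD, P) != 1:
            return x

def keygen(A1, A2, rng):           # returns (private key, ((Y, Z, U), (Y', Z', U')))
    G, Qv, H, V = (A.random_order_q(rng) for A in (A1, A1, A2, A2))
    while True:
        y1, y2, z1, z2, u1, u2 = (rng.randrange(1, Q_ORD) for _ in range(6))
        if (z1 * u2 - z2 * u1) % Q_ORD:         # step 4: z1*u2 != z2*u1 (mod q)
            break
    al, be, ga = (random_primitive(rng) for _ in range(3))
    def pub(A, X, W):                           # same exponents and scalars in both FAAs
        return [A.scal(A.mul(A.pow(X, e1), A.pow(W, e2)), s)
                for e1, e2, s in ((y1, y2, al), (z1, z2, be), (u1, u2, ga))]
    prv = dict(y1=y1, y2=y2, z1=z1, z2=z2, u1=u1, u2=u2, al=al, be=be, ga=ga,
               G=G, Q=Qv, H=H, V=V)
    return prv, (pub(A1, G, Qv), pub(A2, H, V))

def sign(A1, A2, prv, msg, rng):   # first signature generation algorithm
    k, t, rho = rng.randrange(Q_ORD), rng.randrange(Q_ORD), rng.randrange(1, P)
    R = A1.scal(A1.mul(A1.pow(prv['G'], k), A1.pow(prv['Q'], t)), rho)
    Rp = A2.scal(A2.mul(A2.pow(prv['H'], k), A2.pow(prv['V'], t)), rho)
    e = hash_e(msg, R, Rp)
    inv = pow((prv['z1'] * prv['u2'] - prv['z2'] * prv['u1']) % Q_ORD, -1, Q_ORD)
    ky, ty = k - e * prv['y1'], t - e * prv['y2']         # right-hand sides of system (5)
    s = (prv['u2'] * ky - prv['u1'] * ty) * inv % Q_ORD   # formula (6)
    d = (prv['z1'] * ty - prv['z2'] * ky) * inv % Q_ORD   # formula (7)
    sigma = rho * pow(prv['al'], -e, P) * pow(prv['be'], -s, P) * pow(prv['ga'], -d, P) % P
    return e, s, d, sigma

def verify(A1, A2, pubkey, msg, sig):  # R* = Y^e Z^s U^d sigma in each FAA, then e* == e
    e, s, d, sigma = sig
    Rs = [A.scal(A.mul(A.mul(A.pow(Y, e), A.pow(Z, s)), A.pow(U, d)), sigma)
          for A, (Y, Z, U) in zip((A1, A2), pubkey)]
    return hash_e(msg, *Rs) == e

def demo(seed=1):                  # (genuine signature accepted, tampered document rejected)
    rng = random.Random(seed)
    A1, A2 = FAA(TABLE1, 2), FAA(TABLE3, 3)
    prv, pub = keygen(A1, A2, rng)
    msg = b"constructed sample document"
    sig = sign(A1, A2, prv, msg, rng)
    return verify(A1, A2, pub, msg, sig), verify(A1, A2, pub, b"tampered", sig)
```

Because e is hashed over both R* and R'*, a signature is accepted only when it satisfies the verification equation in both algebras at once.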

Discussion

The fact that the same signature satisfies two similar, but different, verification equations is ensured by the same pairs of powers $(y_1, y_2)$, $(z_1, z_2)$, and $(u_1, u_2)$ and the same multipliers $\alpha$, $\beta$, and $\gamma$, which are used to compute the corresponding elements of the first (Y, Z, U) and second (Y', Z', U') public keys. The public keys are computed after selecting random minimum generator systems $\langle G, Q\rangle$ (in the first FAA) and $\langle H, V\rangle$ (in the second FAA), which are secret. Every element of the first (second) public key is calculated as an element of the two-dimensional cyclicity group $\Gamma_{\langle G,Q\rangle}$ ($\Gamma_{\langle H,V\rangle}$) multiplied by a random scalar. After the scalar multiplication we get, with high probability, a vector outside the group $\Gamma_{\langle G,Q\rangle}$ ($\Gamma_{\langle H,V\rangle}$). Thus, the elements of the first (second) public key are not elements of the group $\Gamma_{\langle G,Q\rangle}$ ($\Gamma_{\langle H,V\rangle}$).

Suppose a vector W is an element of the group $\Gamma_{\langle G,Q\rangle}$. The problem of finding the powers $w_1$ and $w_2$ such that $W = G^{w_1}Q^{w_2}$ is called the discrete logarithm problem in the two-dimensional cyclicity group $\Gamma_{\langle G,Q\rangle}$. In this paper we assume that a potential signature forger can efficiently solve this problem, i. e., if a minimum generator system is given, then a forger can efficiently express any group element as a product of some powers of the two generators.

Consider an arbitrary minimum generator system $\langle G_i, Q_i\rangle$ of the primary group of order $q^2$ in the first algebra. The forger can generate random integers $\alpha_i, \beta_i, \gamma_i$ and efficiently compute the values $(y_{i1}, y_{i2}, z_{i1}, z_{i2}, u_{i1}, u_{i2})$ such that $Y\alpha_i^{-1} = G_i^{y_{i1}}Q_i^{y_{i2}}$, $Z\beta_i^{-1} = G_i^{z_{i1}}Q_i^{z_{i2}}$, and $U\gamma_i^{-1} = G_i^{u_{i1}}Q_i^{u_{i2}}$. Then, using the formulas (6) and (7), he can compute a signature satisfying the first verification equation. However, this signature will satisfy the second verification equation only if the primary group of order $q^2$ of the second algebra contains a minimum generator system $\langle H_i, V_i\rangle$ such that $Y'\alpha_i^{-1} = H_i^{y_{i1}}V_i^{y_{i2}}$, $Z'\beta_i^{-1} = H_i^{z_{i1}}V_i^{z_{i2}}$, and $U'\gamma_i^{-1} = H_i^{u_{i1}}V_i^{u_{i2}}$. In fact, the fixed four values $(y_{i1}, y_{i2}, z_{i1}, z_{i2})$ define one minimum generator system $\langle H_i, V_i\rangle$ (which can supposedly be computed) such that $Y'\alpha_i^{-1} = H_i^{y_{i1}}V_i^{y_{i2}}$ and $Z'\beta_i^{-1} = H_i^{z_{i1}}V_i^{z_{i2}}$. For the fixed values of the vectors $H_i$ and $V_i$ one gets $U'\gamma_i^{-1} = H_i^{u'_{i1}}V_i^{u'_{i2}}$, where the values $u'_{i1}$ and $u'_{i2}$ are random. Since the first and second commutative FAAs are independent, the equalities $u'_{i1} = u_{i1}$ and $u'_{i2} = u_{i2}$ of two pairs of 256-bit numbers can take place only at random, with probability about $2^{-512}$.

Therefore, we expect that the signature forger is unable to efficiently find the required alternative pair of vectors $\langle G_i, Q_i\rangle$ or to guess the secret elements $\langle G, Q\rangle$. A quantum computer will not provide much help to the forger, since the discrete logarithm problem that arises is hidden (the "bases" of the logarithms, i. e., $\langle G, Q\rangle$ and $\langle H, V\rangle$, are unknown).

In fact, breaking the proposed signature scheme is to find two minimum generator systems of two different two-dimensional cyclicity groups (contained in two different FAAs) which are consistent with each other. These two minimum generator systems are connected by the mechanism of doubling the verification equation, i. e., by a single digital signature, which must satisfy the verification equation given in two different independent commutative FAAs.

One can note that the method [18, 19] of the reductionist security proof that was applied to the Schnorr signature algorithm [20] can also be applied to the proposed signature scheme. Indeed, an assumption that a signature forger is able to calculate a signature equally well for six different hash functions leads to the potential possibility to compute the private key $(y_1, y_2, \alpha, z_1, z_2, \beta, u_1, u_2, \gamma)$.

Indeed, like in [19], suppose a potential signature forger can compute signatures for different hash functions when the values of the randomization parameters k, t, and $\rho$ are fixed. For four different hash functions he computes the signatures $(e_1, s_1, d_1, \sigma_1)$, $(e_2, s_2, d_2, \sigma_2)$, $(e_3, s_3, d_3, \sigma_3)$, and $(e_4, s_4, d_4, \sigma_4)$. Then the signature forger composes the following system of eight linear equations with eight unknowns $y_1, y_2, z_1, z_2, u_1, u_2, k$, and t [see (5)]:

$$\begin{cases} z_1s_1 + u_1d_1 = k - e_1y_1 \bmod q \\ z_2s_1 + u_2d_1 = t - e_1y_2 \bmod q \\ z_1s_2 + u_1d_2 = k - e_2y_1 \bmod q \\ z_2s_2 + u_2d_2 = t - e_2y_2 \bmod q \\ z_1s_3 + u_1d_3 = k - e_3y_1 \bmod q \\ z_2s_3 + u_2d_3 = t - e_3y_2 \bmod q \\ z_1s_4 + u_1d_4 = k - e_4y_1 \bmod q \\ z_2s_4 + u_2d_4 = t - e_4y_2 \bmod q \end{cases}$$

Note that the probability that the main determinant of this system of equations equals zero is negligibly small ($q^{-1}$). Solving the latter system one gets the values of $y_1, y_2, z_1, z_2, u_1$, and $u_2$. It is easy to show that, using the formulas $\sigma_i = \rho\alpha^{-e_i}\beta^{-s_i}\gamma^{-d_i}$ for i = 1, 2, 3, 4 (see step 6 in the first signature generation algorithm) and finding roots of the different ratio values $\sigma_i/\sigma_j$ in GF(p), one can calculate the values of the scalars $\alpha$, $\beta$, and $\gamma$. Thus, taking into account that the operations of finding roots in GF(p), where p = 2q + 1, have polynomial computational complexity, one can conclude that a polynomial algorithm for forging a signature is reducible to a polynomial algorithm for solving the HDLP underlying the introduced signature scheme.

The above provides a general idea for constructing a signature scheme and a general justification for its resistance to attacks using conventional and quantum computers. Detailed consideration of the security issue and obtaining detailed estimates is a separate, independent task for a new study.

Table 4. Comparison with some known post-quantum signature schemes

| Signature scheme | Signature size, bytes | Public key size, bytes | Rate of signature generation, arb. un. | Rate of signature verification, arb. un. |
|---|---|---|---|---|
| Falcon | 1280 | 1793 | 50 | 25 |
| Crystals-Dilithium | 2701 | 1472 | 15 | 2 |
| Rainbow | 64 | 150 000 | - | - |
| [15] | 192 | 768 | 50 | 80 |
| [16] | 192 | 512 | 40 | 80 |
| Proposed | 128 | 768 | 70 | 80 |

It is important that the proposed, fundamentally new method for setting the HDLP can be implemented in numerous different ways. The most obvious is the use of different pairs of finite associative algebras; in particular, pairs of algebras of different orders, types and structures can be used. It is interesting to consider the following versions:

i) one algebra is commutative and the other one is non-commutative;

ii) one algebra is defined over a ground finite field GF(p), and the other one is defined over a finite extension of the binary field GF(2s).

The introduced design method opens up quite wide possibilities for implementing various design variants of digital signature schemes. The introduced signature scheme suits software implementation well, since it uses only additions, multiplications, exponentiations and inversions (mod p and mod q).

Currently, the NIST competition [21] for the development of post-quantum public-key cryptosystems has entered its final stage [22]. The finalists in the category of post-quantum signatures are Falcon [23], Crystals-Dilithium [24], and Rainbow [25]. It is interesting to compare the proposed signature scheme with the finalists and with other HDLP-based signatures. A rough comparison is presented in Table 4.

Conclusion

A new design method and a practical HDLP-based post-quantum signature scheme have been introduced. The proposed method is quite simple to understand and has fundamental differences from other known methods of designing post-quantum digital signature schemes. This reduces the complexity of the further stage of a detailed study of the security of the developed signature scheme. Another important advantage of the proposed method is that it opens up the possibility of developing a new class of practical post-quantum cryptosystems. The latter is of particular importance in the light of the widely conducted research on the development of post-quantum digital signature standards.

References

1. Rivest R. L., Shamir A., Adleman L. M. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 1978, vol. 21, pp. 120-126.

2. Chiou S. Y. Novel digital signature schemes based on factoring and discrete logarithms. International Journal of Security and its Applications, 2016, vol. 10, no. 3, pp. 295-310.

3. ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 1985, vol. IT-31, no. 4, pp. 469-472.

4. Schnorr C. P. Efficient signature generation by smart cards. Journal of Cryptology, 1991, vol. 4, pp. 161-174.

5. Shor P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on quantum computer. SIAM Journal of Computing, 1997, vol. 26, pp. 1484-1509.

6. Ekert A., Jozsa R. Quantum computation and Shor's factoring algorithm. Reviews of Modern Physics, 1996, vol. 68, pp. 733-752.

7. Smolin J. A., Smith G., Vargo A. Oversimplifying quantum factoring. Nature, 2013, vol. 499, no. 7457, pp. 163-165.

8. Kuzmin A. S., Markov V. T., Mikhalev A. A., Mikhalev A. V., Nechaev A. A. Cryptographic algorithms on groups and algebras. Journal of Mathematical Sciences, 2017, vol. 223, no. 5, pp. 629-641.

9. Moldovyan N. A., Moldovyan A. A. Finite non-commutative associative algebras as carriers of hidden discrete logarithm problem. Bulletin of the South Ural State University. Ser. Mathematical Modelling, Programming & Computer Software, 2019, vol. 12, no. 1, pp. 66-81. doi:10.14529/mmp190106

10. Agibalov G. P., Pankratova I. A. Asymmetric cryptosystems on Boolean functions. Prikl. Diskr. Mat., 2018, no. 40, pp. 23-33. doi:10.17223/20710410/40/3

11. Agibalov G. P. ElGamal cryptosystems on Boolean functions. Prikl. Diskr. Mat., 2018, no. 42, pp. 57-65. doi:10.17223/20710410/42/4

12. Alamelou Q., Blazy O., Cauchie S., Gaborit Ph. A code-based group signature scheme. Designs, Codes and Cryptography, 2017, vol. 82, no. 1-2, pp. 469-493.

13. Kosolapov Y. V., Turchenko O. Y. On the construction of a semantically secure modification of the McEliece cryptosystem. Prikl. Diskr. Mat., 2019, no. 45, pp. 33-43. doi:10.17223/20710410/45/4

14. Moldovyan N. A., Moldovyan A. A. New forms of defining the hidden discrete logarithm problem. SPIIRAS Proceedings, 2019, vol. 18, no. 2, pp. 504-529. doi:10.15622/sp.18.2.504-529

15. Moldovyan N. A., Moldovyan A. A. Candidate for practical post-quantum signature scheme. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2020, vol. 16, iss. 4, pp. 455-461. doi:10.21638/11701/spbu10.2020.410

16. Moldovyan D. N., Moldovyan A. A., Moldovyan N. A. A novel method for development of post-quantum digital signature schemes. Informatsionno-upravliaiushchie sistemy [Information and Control Systems], 2020, no. 6, pp. 21-29. doi:10.31799/1684-8853-2020-6-21-29

17. Moldovyan N. A. Fast signatures based on non-cyclic finite groups. Quasigroups and Related Systems, 2010, vol. 18, no. 1, pp. 83-94.

18. Pointcheval D., Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 2000, vol. 13, pp. 361-396.

19. Koblitz N., Menezes A. J. Another look at "Provable Security". Journal of Cryptology, 2007, vol. 20, pp. 3-38.

20. Schnorr C. P. Efficient signature generation by smart cards. Journal of Cryptology, 1991, vol. 4, pp. 161-174.

21. Federal Register. Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms. Available at: https://www.gpo.gov/fdsys/pkg/FR-2016-12-20/pdf/2016-30615.pdf (accessed 27 January 2021).

22. Round 3 Finalists: Public-key Encryption and Key-establishment Algorithms. Available at: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (accessed 27 January 2021).

23. Fast-Fourier Lattice-Based Compact Signatures over NTRU. Available at: https://falcon-sign.info/ (accessed 27 January 2021).

24. Ducas L., Kiltz E., Lepoint T., Lyubashevsky V., Schwabe P., Seiler G., Stehle D. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. https://eprint.iacr.org/2017/633.pdf. Available at: https://pq-crystals.org/dilithium/index.shtml (accessed 27 January 2021).

25. Ding J., Schmidt D. Rainbow, a New Multivariable Polynomial Signature Scheme. In: Ioannidis J., Keromytis A., Yung M. (eds). Applied Cryptography and Network Security. ACNS 2005. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg, 2005. Vol. 3531. Pp. 164-175.

UDC 003.26

doi:10.31799/1684-8853-2021-2-43-51

A post-quantum digital signature scheme on a group with four-dimensional cyclicity

D. N. Moldovyan^a, Cand. Sc. (Eng.), Research Fellow, orcid.org/0000-0001-5039-7198

N. A. Moldovyan^a, Dr. Sc. (Eng.), Chief Research Fellow, orcid.org/0000-0002-4483-5048, [email protected]
^a St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences, 39, 14th Line V. O., St. Petersburg, 199178, Russian Federation

Introduction: the development of practical post-quantum signature schemes is one of the challenges of applied cryptography. Several different forms of the hidden discrete logarithm problem have recently been proposed as a primitive for signature schemes resistant to quantum attacks. Purpose: to develop a new form of the hidden discrete logarithm problem, set in a commutative group possessing multi-dimensional cyclicity, and a method for constructing post-quantum signature schemes. Results: a new form of the hidden discrete logarithm problem is proposed as the base primitive for practical post-quantum digital signature algorithms. Two new four-dimensional finite commutative associative algebras are presented as the algebraic carrier of the proposed new computationally hard problem. A method for constructing signature schemes on the basis of the latter is developed. The essence of the method consists in using a doubled public key and two identical equations for verifying the authenticity of one and the same signature. To generate a pair of public keys, two bases $\langle G, Q\rangle$ and $\langle H, V\rangle$ of two different finite groups $\Gamma_{\langle G, Q\rangle}$ and $\Gamma_{\langle H, V\rangle}$ possessing two-dimensional cyclicity are selected at random. The first public key $(Y, Z, U)$ is computed as follows: $Y = G^{y_1} Q^{y_2}\alpha$, $Z = G^{z_1} Q^{z_2}\beta$, $U = G^{u_1} Q^{u_2}\gamma$, where the set of integers $(y_1, y_2, \alpha, z_1, z_2, \beta, u_1, u_2, \gamma)$ is the private key. The second public key $(Y', Z', U')$ is computed as follows: $Y' = H^{y_1} V^{y_2}\alpha$, $Z' = H^{z_1} V^{z_2}\beta$, $U' = H^{u_1} V^{u_2}\gamma$. Using the same parameters to compute the mutually corresponding elements belonging to different public keys makes it possible to compute a single signature satisfying two similar verification equations set in different finite commutative associative algebras. Practical relevance: the proposed digital signature scheme is of practical interest for developing post-quantum signature algorithms with comparatively small sizes of the signature, the public key and the private key.

Keywords — post-quantum cryptoschemes, computer security, electronic digital signature, discrete logarithm problem, finite commutative groups, associative algebras, multi-dimensional cyclicity.


For citation: Moldovyan D. N., Moldovyan N. A. A post-quantum digital signature scheme on groups with four-dimensional cyclicity. Informatsionno-upravliaiushchie sistemy [Information and Control Systems], 2021, no. 2, pp. 43-51. doi:10.31799/1684-8853-2021-2-43-51
