Anti-quantum-cooperation signature method

By obtaining quantum-resistant joint keys and joint random points on resource-constrained devices, the zero-knowledge proof process is optimized, and the computation and communication overhead is reduced. This solves the computation and storage problems of existing collaborative signature schemes on resource-constrained devices, and realizes quantum-resistant and lightweight joint signatures.

CN120956428BActive Publication Date: 2026-07-07中电信量子信息科技集团有限公司

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
中电信量子信息科技集团有限公司
Filing Date
2025-08-19
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

The huge computational and storage requirements of existing collaborative signature schemes make it difficult for resource-constrained devices to meet the operational requirements of the SPHINCS+ algorithm, limiting its application in resource-intensive scenarios. Furthermore, traditional schemes cannot simultaneously achieve quantum security and lightweight design.

Method used

A quantum-resistant collaborative signature method is provided. By obtaining a quantum-resistant joint key and joint random points, zero-knowledge proofs are used to optimize the number of interactions, reduce computation and communication overhead, and a lightweight cryptographic algorithm is used to generate joint signatures on resource-constrained devices.

Benefits of technology

While ensuring quantum-resistant security, it significantly reduces computation and communication overhead, improves signature efficiency, and is suitable for resource-constrained scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120956428B_ABST
    Figure CN120956428B_ABST
Patent Text Reader

Abstract

The application provides an anti-quantum cooperative signature method, and relates to the technical field of information security. The method comprises the following steps: acquiring an anti-quantum joint key, a joint random point, a first key random number and a second key random number; signing a message according to the joint random point and the first key random number to obtain a first signature component, and receiving a second signature component sent by a second communication terminal; signing the message according to the first signature component, the second signature component and first private key blocks corresponding to each first public key block in the first post-quantum public key to obtain a first joint signature; and generating a target joint signature according to the first joint signature and a second joint signature. The method provided by the application can significantly reduce the calculation and communication overhead, improve the signature efficiency and be suitable for a resource-limited scene.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of information security technology, and more specifically, to a quantum-resistant collaborative signature method. Background Technology

[0002] In the field of information security, protecting the private key of software cryptographic modules has always been a critical and extremely challenging problem. In traditional signature algorithms, the private key is often completely controlled by a single user. While this ensures the non-repudiation of the signature operation, it also introduces many security vulnerabilities, such as loss of the private key, abuse of privileges, or the private key being obtained by attackers.

[0003] To effectively address this challenge, collaborative signature schemes have emerged. These schemes utilize multi-party collaborative computation to complete private key signing, obtaining a valid signature result without needing to reconstruct the complete private key, thus greatly enhancing the security of the private key.

[0004] Among existing collaborative signature schemes, some novel signature algorithms, such as SPHINCS+, have demonstrated excellent quantum resistance. However, SPHINCS+ and similar algorithms also face challenges in practical applications, particularly in terms of significant computational and storage overhead. For resource-constrained devices, their limited computing power and storage space cannot meet the operational requirements of the SPHINCS+ algorithm. This makes it difficult for the algorithm to be directly adapted to the collaborative signature needs of resource-constrained devices, limiting its application in resource-intensive scenarios. Summary of the Invention

[0005] This application addresses the shortcomings of the prior art by providing a quantum-resistant collaborative signature method to solve the problems existing in the prior art.

[0006] The technical solution adopted in the embodiments of this application is as follows:

[0007] In a first aspect, embodiments of this application provide a quantum-resistant collaborative signature method applied to a first communication terminal, the method comprising:

[0008] To obtain a quantum-resistant joint key, the quantum-resistant joint key includes at least: a first post-quantum public key of the first communication terminal, a second post-quantum public key of the second communication terminal, and a joint public key;

[0009] Obtain a joint random point from the first communication terminal and the second communication terminal;

[0010] Based on the joint public key, obtain the first key random number of the first communication terminal and the second key random number of the second communication terminal;

[0011] The message is signed based on the joint random point and the first key random number to obtain a first signature component, which is then sent to the second communication terminal.

[0012] The second signature component sent by the second communication terminal is received. The second signature component is a signature component obtained by the second communication terminal signing the message according to the joint random point and the second key random number.

[0013] The message is signed based on the first signature component, the second signature component, and the first private key block corresponding to each first public key block in the first post-quantum public key to obtain a first joint signature, which is then sent to the second communication terminal.

[0014] The second joint signature is obtained by receiving the second joint signature sent by the second communication terminal. The second joint signature is the first signature component, the second signature component, and the second private key block corresponding to each second public key block in the second post-quantum public key. The message is then signed to obtain the joint signature.

[0015] A target joint signature is generated based on the first joint signature and the second joint signature.

[0016] In one embodiment, obtaining the joint random point of the first communication terminal and the second communication terminal includes:

[0017] Generate the first signature random number;

[0018] Based on the first signature random number, a first random point is generated and sent to the second communication terminal, so that the second communication terminal generates the joint random point based on the second random number and the first random point;

[0019] Receive a second random point sent by the second communication terminal, wherein the second random point is a random point generated by the second communication terminal based on the second signature random number;

[0020] The joint random point is generated based on the first signature random number and the second random point.

[0021] In one embodiment, signing the message based on the joint random point and the first key random number to obtain a first signature component includes:

[0022] Extract the joint random coordinates based on the x-coordinates of the joint random points;

[0023] The first signature component is generated based on the joint random coordinates, the first key random number, and the hash value of the message;

[0024] The second signature component is a signature component generated by the second communication terminal based on the joint random coordinates, the second key random number, and the hash value of the message.

[0025] In one embodiment, signing the message based on the first signature component, the second signature component, and the private key blocks corresponding to each first public key block in the first post-quantum public key to obtain a first joint signature includes:

[0026] Generate joint signature parameters based on the first signature component and the second signature component;

[0027] Based on the joint signature parameters, the joint random coordinates, and the message, generate the joint hash value of the message;

[0028] The combined hash value is encoded in binary and converted to decimal to generate the first position index of multiple decimal characters;

[0029] The combined hash value is encoded in hexadecimal to generate a second position index of multiple hexadecimal characters;

[0030] The first joint signature is generated based on multiple first position indices, multiple second position indices, and the first private key block corresponding to each first public key block;

[0031] The second joint signature is a joint signature generated by the second communication terminal based on multiple first location indices, multiple second location indices, and the second private key blocks corresponding to each second public key block.

[0032] In one embodiment, generating a target joint signature based on the first joint signature and the second joint signature includes:

[0033] The target joint signature is generated based on the first joint signature, the second joint signature, the joint signature parameters, and the joint random coordinates.

[0034] In one embodiment, prior to obtaining the quantum-resistant joint key, the method further includes:

[0035] The first key random number is generated based on the shared random number seed and the identity identifier of the first communication terminal; the second key random number is a random number generated by the second communication terminal based on the shared random number seed and the identity identifier of the second communication terminal.

[0036] Based on the first key random number, the first public key component is generated using the elliptic curve signature algorithm;

[0037] Obtain the second public key component sent by the second communication terminal. The second public key component is a public key component generated by the second communication terminal using the elliptic curve signature algorithm based on the second key random number.

[0038] The joint public key is generated based on the first public key component and the second public key component.

[0039] In one embodiment, prior to obtaining the quantum-resistant joint key, the method further includes:

[0040] Generate the first private key based on the first secret seed;

[0041] A cryptographic hash chain algorithm is used to perform hash operations on each private key block in the first private key to generate multiple first public key blocks;

[0042] The first post-quantum public key is generated based on the plurality of first public key blocks;

[0043] The second post-quantum public key is a post-quantum public key generated by the second communication terminal based on multiple second public key blocks.

[0044] In one embodiment, the method further includes:

[0045] Calculate the verification point based on the message, the joint public key, and the joint random coordinates;

[0046] Extract the x-coordinate of the verification point;

[0047] If the x-coordinate of the verification point matches the x-coordinate of the joint random point, then calculate the recovery public key block corresponding to the remaining hash count based on each second private key block in the second joint signature;

[0048] Signature verification is performed based on the recovered public key block and each of the second public key blocks in the second post-quantum public key.

[0049] In one embodiment, the method further includes:

[0050] By using a collaborative signature server and employing a zero-knowledge proof protocol, the binding relationship between the first public key component and the corresponding private key component is verified bidirectionally.

[0051] In one embodiment, the method further includes:

[0052] Using a collaborative signature server and a zero-knowledge proof protocol, the commitment consistency of the first and second post-quantum public keys is verified.

[0053] The beneficial effects of this application are as follows: This application provides a quantum-resistant collaborative signature method, including obtaining a quantum-resistant joint key, wherein the quantum-resistant joint key includes at least: a first post-quantum public key of a first communication terminal, a second post-quantum public key of a second communication terminal, and a joint public key; obtaining a joint random point of the first communication terminal and the second communication terminal; obtaining a first key random number of the first communication terminal and a second key random number of the second communication terminal based on the joint public key; signing a message based on the joint random point and the first key random number to obtain a first signature component, and sending it to the second communication terminal; receiving a second signature component sent by the second communication terminal, wherein the second signature component... The first joint signature is obtained by the second communication terminal signing the message based on the joint random point and the second key random number; the second joint signature is obtained by signing the message based on the first signature component, the second signature component, and the first private key block corresponding to each first public key block in the first post-quantum public key, and is sent to the second communication terminal; the third joint signature is obtained by receiving the second joint signature sent by the second communication terminal, the second joint signature being the joint signature obtained by signing the message based on the first signature component, the second signature component, and the second private key block corresponding to each second public key block in the second post-quantum public key; and the fourth joint signature is generated based on the first joint signature and the second joint signature.

[0054] The method in this application ensures quantum-resistant security while reducing the number of interactions by optimizing the zero-knowledge proof process, significantly reducing computation and communication overhead, improving signature efficiency, and making it applicable to resource-constrained scenarios. Attached Figure Description

[0055] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0056] Figure 1 A schematic diagram of the structure of the quantum-resistant collaborative signature system provided in this application;

[0057] Figure 2 One of the flowcharts of the quantum-resistant collaborative signature method provided in the embodiments of this application;

[0058] Figure 3 A second schematic flowchart illustrating the quantum-resistant collaborative signature method provided in this application embodiment;

[0059] Figure 4The third schematic diagram of the quantum-resistant collaborative signature method provided in the embodiments of this application;

[0060] Figure 5 The fourth schematic flowchart of the quantum-resistant collaborative signature method provided in the embodiments of this application;

[0061] Figure 6 Fifth schematic diagram of the quantum-resistant collaborative signature method provided in the embodiments of this application;

[0062] Figure 7 A schematic diagram of the quantum-resistant collaborative signature method provided in this application embodiment;

[0063] Figure 8 The seventh flowchart illustrating the quantum-resistant collaborative signature method provided in this application embodiment;

[0064] Figure 9 This is a schematic diagram of the structure of the quantum-resistant collaborative signature device provided in the embodiments of this application;

[0065] Figure 10 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0066] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are some embodiments of this application, but not all embodiments.

[0067] Therefore, the following detailed description of the embodiments of this application provided in the accompanying drawings is not intended to limit the scope of the claimed application, but merely to illustrate selected embodiments of the application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.

[0068] Furthermore, the terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Additionally, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0069] It should be noted that, where there is no conflict, the features in the embodiments of this application can be combined with each other.

[0070] First, let's explain the terms used in this application:

[0071] Zero-Knowledge Proof (ZKP): A cryptographic protocol that allows one party to prove the truth of a statement to another without revealing any additional information. In this application, an interactive discrete logarithmic zero-knowledge proof protocol is used to verify the binding relationship between the public key and private key components, ensuring the unforgeability and resistance to man-in-the-middle attacks of the stored keys.

[0072] Collaborative Signature (CoSig): A digital signature generation mechanism involving multiple parties. Its core objective is to avoid the exposure of the complete private key through distributed computing, while improving the security of the signature.

[0073] Oblivious Transfer (OT): A cryptographic protocol that allows a sender to transmit one of multiple messages to a receiver without the sender knowing which message the receiver has selected. In this application, it is used to securely generate random number seeds.

[0074] Elliptic Curve Point Multiplication (ECPM): A core operation in elliptic curve cryptography, which generates public key components by multiplying a scalar with the base points of an elliptic curve.

[0075] Pseudo-Random Generator (PRG): A deterministic algorithm that generates a seemingly random sequence of numbers using an initial seed to generate random numbers, ensuring the randomness of key components.

[0076] A hash function (Hash) is a one-way function that maps an input of arbitrary length to an output of fixed length.

[0077] With the rapid development of cloud computing and big data technologies, the global digitalization process continues to accelerate, and smart communication terminals have become an indispensable part of people's daily lives. From multifunctional smartphones and portable tablets to smart cars and IoT sensors, these smart communication terminals constantly generate, process, and transmit massive amounts of sensitive data in their daily operations. To ensure the confidentiality, integrity, and authenticity of this data, digital signature technology, as one of the cornerstones of cybersecurity, plays a crucial role.

[0078] In cryptographic application security technology systems, the security of signature schemes highly depends on the reliability of the private key storage and computing environments. Typically, private key security can be ensured through hardware cryptographic modules such as security chips, smart cryptographic keys, PCI-E cryptographic cards, and server cryptographic machines. However, with the widespread application of public-key cryptography algorithms, especially in emerging fields such as the Industrial Internet, the Internet of Things, the Internet of Vehicles, cryptography, and blockchain, many smart communication terminals, due to cost control, size limitations, or specific application requirements, cannot be equipped with the aforementioned hardware cryptographic modules and must instead adopt software cryptographic modules. The private keys of these software cryptographic modules need to be stored and processed on the communication terminal. Although a certain level of protection can be provided through password-derived keys, local multiple storage, or other encryption methods, considering that most smart communication terminals on the Internet belong to individual users and lack professional private key protection environments, sensitive information is highly vulnerable to attacks or even theft by adversaries, leading to economic losses.

[0079] To address the challenge of protecting private keys in software cryptographic modules, collaborative signature (CoSig) schemes have emerged based on innovative concepts such as secure multi-party computation and threshold signatures. This scheme splits the private key into multiple components, each of which is independently generated, stored, and computed. The signing operation is completed through multi-party collaborative computation, yielding a valid signature result without reconstructing the complete private key. However, existing collaborative signature schemes, such as those based on the Elliptic Curve Digital Signature Algorithm (ECDSA), while effectively preventing the exposure of the complete private key through private key splitting, still rely on traditional cryptographic assumptions for security and are vulnerable to quantum computing attacks. While signature algorithms such as SPHINCS+, with their quantum-resistant properties, could be an ideal solution, their significant computational and storage overhead makes them unsuitable for the collaborative signature requirements of resource-constrained devices.

[0080] In summary, traditional collaborative signature schemes struggle to achieve both quantum-resistant security and lightweight design simultaneously: traditional quantum-resistant schemes (such as lattice-based signatures) suffer from high polynomial ring operation overhead, making them unsuitable for resource-constrained devices; while lightweight post-quantum schemes (such as hash chains) lack a dynamic coupling mechanism with classical cryptography in collaborative scenarios, making it difficult to balance real-time performance and security.

[0081] To address the aforementioned issues, this application provides a quantum-resistant collaborative signature method. This method can be generated by any electronic device with computing and processing capabilities. The electronic device can be, for example, a terminal-facing computer device or a backend server.

[0082] The following examples, in conjunction with the accompanying drawings, provide specific illustrations of this application. Figure 1A schematic diagram of the structure of the quantum-resistant collaborative signature system provided in this application is shown below. Figure 1 As shown, this application provides a quantum-resistant collaborative signature system, which includes a software layer and a hardware layer.

[0083] The software layer comprises a key management layer, a collaborative computing layer, a quantum-resistant algorithm layer, and a secure communication layer. The key management layer is used to generate and verify distributed keys, including random number seed sharing based on an unintentional transfer protocol, key fragment generation using a pseudo-random number generator, public-private key binding verification using interactive discrete logarithm zero-knowledge proofs, and parallel generation and commitment consistency proof of post-quantum key pairs, ensuring the integrity and tamper resistance of the keys throughout their lifecycle.

[0084] The collaborative computing layer performs multi-party signature calculation tasks, including joint random point generation, distributed computation of signature components, and parallel verification of dual post-quantum signatures. Algorithm optimization reduces the number of communication interactions, lowering the computational overhead for resource-constrained devices.

[0085] The quantum-resistant algorithm layer integrates a post-quantum signature algorithm, providing dual security guarantees in both classical and quantum environments. It encapsulates key generation, signing, and verification interfaces, supporting dynamic coupling with the classical ECDSA mechanism to achieve collaborative operation of a dual-channel signature architecture.

[0086] The secure communication layer establishes an end-to-end secure transmission channel, ensuring the confidentiality and integrity of data exchange based on encryption protocols such as TLS. It supports secure random number seed exchange via unintentional transmission protocols to prevent man-in-the-middle attacks and ensure the secure transmission of sensitive information during collaboration.

[0087] The hardware layer consists of a communication terminal, a collaborative signature server, and a physical cryptographic card (such as a security chip), which are interconnected through a secure communication protocol (such as TLS).

[0088] The communication terminal invokes the key management layer, which is responsible for generating and storing private key components and performing local cryptographic operations (such as elliptic curve multiplication and hash calculation). The communication terminal can be a resource-constrained device such as an integrated embedded sensor or a smartphone. In this application, the communication terminal supports lightweight cryptographic algorithms and interacts with the collaborative signature server and physical cryptographic card through a secure interface.

[0089] The collaborative signature server, as the core coordinating node of the system, invokes the collaborative computing layer and the quantum-resistant algorithm layer. It is responsible for process control of multi-party interactions (such as protocol initialization and message relay), zero-knowledge proof verification (verifying ZKP evidence submitted by communication terminals), and key storage management (recording and synchronizing quantum-resistant joint key parameters). It possesses dynamic load balancing capabilities to adapt to concurrent requests from distributed communication terminals.

[0090] The physical cryptographic card invokes a secure communication layer, providing hardware-level private key protection. It employs secure chips or encryption modules to resist side-channel attacks and prevent key leakage. Sensitive private key components are stored, and hardware acceleration units optimize elliptic curve operations and post-quantum signature calculations, enhancing the security of the key storage and computation environment.

[0091] The following provides an exemplary description of the quantum-resistant collaborative signature method provided in this application.

[0092] Figure 2 This is one of the flowcharts illustrating the quantum-resistant cooperative signature method provided in this application embodiment. The method is applied to a first communication terminal, such as... Figure 2 As shown, the method includes:

[0093] S101, Obtain the quantum-resistant joint key.

[0094] The quantum-resistant joint key is a joint key generated and recorded by the first communication terminal and the second terminal respectively before executing the method of this embodiment. The quantum-resistant joint keys generated and recorded by the first communication terminal and the second communication terminal are identical. In this application, the first communication terminal and the second communication terminal refer to the two communication terminals performing the collaborative signature.

[0095] The quantum-resistant joint key includes at least: the first post-quantum public key of the first communication terminal. The second post-quantum public key of the second communication terminal and joint public key That is, the quantum-resistant joint key is Among them, the first post-quantum public key With private key Constructing the first post-quantum key pair, and the second post-quantum public key With private key This constitutes the second post-quantum key pair.

[0096] S102. Obtain the joint random point of the first communication terminal and the second communication terminal.

[0097] Obtain the joint random point of the first communication terminal and the second communication terminal , Represented in coordinate form.

[0098] S103. Based on the joint public key, obtain the first key random number of the first communication terminal and the second key random number of the second communication terminal.

[0099] Joint public key According to the joint public key The first key random number can be obtained. Second key random number .in, An elliptic curve of order p The base point is p, where p is a prime number.

[0100] S104. Sign the message according to the joint random point and the first key random number to obtain the first signature component, and send it to the second communication terminal.

[0101] Based on joint random points and the first key random number Regarding the message Perform the signing to obtain the first signature component. And send it to the second communication terminal.

[0102] S105, Receive the second signature component sent by the second communication terminal.

[0103] Second signature component For the second communication terminal based on joint random points and the second key random number Regarding the message The second communication terminal generates a second signature component from the signature component obtained by the signing process. Next, the second signature component Send to the first communication terminal.

[0104] S106. Sign the message according to the first signature component, the second signature component, and the first private key block corresponding to each first public key block in the first post-quantum public key to obtain the first joint signature, and send it to the second communication terminal.

[0105] According to the first signature component Second signature component First post-quantum public key The first private key block corresponding to the first public key block in each message... Signatures are obtained to obtain the first joint signature. And send it to the second communication terminal.

[0106] The generation of the first joint signature only requires a maximum of 255 hashes to be performed on each private key block (because the post-quantum key pair is generated by a finite number of hashes when generating the collaborative key in the previous stage of collaborative signing, so the number of hashes performed during signing is also finite). When there are 48 private key blocks, the total number of hashes is less than 12,240, while the SPHINCS+ algorithm requires at least 40,000 hashes to perform a single signature. The computational load of this embodiment is reduced by more than 70%.

[0107] S107. Receive the second joint signature sent by the second communication terminal.

[0108] The second joint signature is obtained by the second communication terminal based on the first signature component. Second signature component Second post-quantum public key The second private key block corresponding to each second public key block in the message... Joint signature obtained by signing .

[0109] S108. Generate the target joint signature based on the first joint signature and the second joint signature.

[0110] Generate a joint signature based on the first and second joint signatures. Complete the collaborative signature process.

[0111] In summary, the embodiments of this application provide a quantum-resistant collaborative signature method that, while ensuring quantum-resistant security, reduces the number of interactions by optimizing the zero-knowledge proof process, significantly reduces computation and communication overhead, and improves signature efficiency, making it suitable for resource-constrained scenarios.

[0112] Another embodiment of this application provides an implementation method for obtaining joint random points, such as... Figure 3 As shown, obtaining the joint random point of the first communication terminal and the second communication terminal in step S102 may include:

[0113] S201. Generate the first signature random number.

[0114] The first communication terminal is from the remaining class ring of module p. Generate the first signature random number Modulo p residual class ring (where p is usually a prime number) is a fundamental concept in abstract algebra, which can be understood as "the algebraic structure formed by partitioning integers according to the congruence relation modulo p".

[0115] In the set of integers Z, all integers that have the same remainder when divided by p constitute a "remainder class" (e.g., the class with a remainder of 0 includes ..., -2p, -p, 0, p, 2p, ...). It is a set consisting of these p residue classes (with remainders of 0, 1, 2, ..., p-1), denoted as {0, 1, 2, ..., p-1}, and defines two operations: addition modulo p and multiplication modulo p. Since p is a prime number, Every non-zero element in the ring has a multiplicative inverse, so it is not only a "ring" but also a finite field.

[0116] S202. Generate a first random point based on the first signature random number and send it to the second communication terminal, so that the second communication terminal generates a joint random point based on the second random number and the first random point.

[0117] The first communication terminal is from the remaining class ring of module p. Generate the first signature random number Then, based on the first signature random number Generate the first random point and the first random point Send to the second communication terminal. Among them, An elliptic curve of order p The basis.

[0118] Similarly, the second communication terminal is from the remaining class ring of module p. Generate a second signature random number Then, based on the second signature random number Generate a second random point .

[0119] S203. Receive the second random point sent by the second communication terminal. The second random point is a random point generated by the second communication terminal based on the second signature random number.

[0120] The second communication terminal generates the second random point. Then, the second random point The data is sent to the first communication terminal, so that both the first and second communication terminals can obtain the first random point. and the second random point .

[0121] S204. Generate a joint random point based on the first signature random number and the second random point.

[0122] The first communication terminal uses the first signature random number Second random point Generate joint random points , Similarly, the second communication terminal uses the second signature random number... and the first random point Generate joint random points , .

[0123] That is, the first communication terminal and the second communication terminal generated the same joint random point. .

[0124] Another embodiment of this application provides an implementation method for obtaining the first signature component on a first communication terminal, such as... Figure 4 As shown, step S104, which involves signing the message based on the joint random point and the first key random number to obtain the first signature component, may include:

[0125] S301. Extract the joint random coordinates based on the x-coordinates of the joint random points.

[0126] Based on joint random points Extract joint random coordinates , ,in, for The x-coordinate.

[0127] S302. Generate the first signature component based on the joint random coordinates, the first key random number, and the hash value of the message.

[0128] The first communication terminal, based on joint random coordinates First key random number and messages hash value Generate the first signature component , ,Will Send to the second communication terminal.

[0129] Similarly, the second communication terminal uses joint random coordinates Second key random number and messages hash value Generate the second signature component , ,Will The first signature component is sent to the first communication terminal. Both the first and second communication terminals can obtain the first signature component. Second signature component .

[0130] Another embodiment of this application provides an implementation method for obtaining a first joint signature, such as... Figure 5 As shown, step S106, which involves signing the message based on the first signature component, the second signature component, and the private key blocks corresponding to each first public key block in the first post-quantum public key to obtain the first joint signature, may include:

[0131] S401. Generate joint signature parameters based on the first signature component and the second signature component.

[0132] The first communication terminal based on the first signature component Second signature component ,calculate and take , obtain joint signature parameters .

[0133] Similarly, the second communication terminal uses the first signature component... Second signature component ,calculate and take The same joint signature parameters are obtained. .

[0134] S402. Generate the joint hash value of the message based on the joint signature parameters, joint random coordinates, and the message.

[0135] Both the first and second communication terminals use the joint signature parameters. Joint random coordinates And news The combined hash value of the generated message , .

[0136] S403. Encode the combined hash value into binary and convert it into decimal, generating the first position index of multiple decimal characters.

[0137] Combined hash value Encode it in binary form and then convert the binary form into 32 decimal numbers. , as the first position index.

[0138] S404. Encode the combined hash value in hexadecimal to generate a second position index of multiple hexadecimal characters.

[0139] Combined hash value The encoding is in hexadecimal form. The position index of each character in the hexadecimal representation is summed, and the result modulo 255 yields 16 steps. , as the second position index.

[0140] S405. Generate a first joint signature based on multiple first position indices, multiple second position indices, and the first private key block corresponding to each first public key block.

[0141] The first communication terminal is based on multiple first location indices Multiple second position indexes and each first public key block The corresponding 48 first private key blocks Generate the first joint signature , And the first joint signature. Send to the second communication terminal.

[0142] The second joint signature is a joint signature generated by the second communication terminal based on multiple first position indices, multiple second position indices, and the second private key blocks corresponding to each second public key block. , And the second joint signature. Send to the first communication terminal.

[0143] Based on this, S108, generating the target joint signature according to the first joint signature and the second joint signature, includes: generating the target joint signature according to the first joint signature. Second joint signature Joint signature parameters and joint random coordinates Generate the target joint signature, denoted as Both the first and second communication terminals generate the target joint signature. Complete the collaborative signature process.

[0144] The following is an exemplary description of the process by which the first and second communication terminals generate a collaborative key before completing the collaborative signature.

[0145] This application provides an implementation method for generating a joint public key, such as... Figure 6 As shown, before obtaining the quantum-resistant joint key in S101, the method of this application further includes:

[0146] S501. Generate a first key random number based on the shared random number seed and the identity identifier of the first communication terminal.

[0147] The first and second communication terminals determine a shared random number seed using an unintentional transmission protocol, and then use a pseudo-random number generator (PRG) based on the shared random number seed and the identity identifier of the first communication terminal. Generate the remaining class ring of module p The first key random number in the array is denoted as . , The second key random number is generated by the second communication terminal based on the shared random number seed and the identity identifier of the second communication terminal. The generated random number is denoted as , .

[0148] Generate the first key random number Or a second key random number The specific steps are: combine seed with or After concatenation, input the SM3 hash function to generate the initial state of the entropy pool. The random number sequence is then expanded by iteratively performing HMAC-SM3 operations, with each round generating the sequence based on the current state. Using the key, perform HMAC calculation on the fixed constant 0x00 and output... =HMAC-SM3 0x00 and update status HMAC-SM3 0x01 Repeat this process until the target random number length is reached.

[0149] S502. Based on the first key random number, use the elliptic curve signature algorithm to generate the first public key component.

[0150] The first communication terminal obtains the first key random number. Then, the first public key component can be generated using the elliptic curve signature algorithm. Specifically, this involves using an elliptic curve over a finite field... The dot multiplication method is used to calculate the corresponding first public key component. , , An elliptic curve of order p The base point, then the first communication terminal sends the first public key component. Send to the second communication terminal.

[0151] S503. Obtain the second public key component sent by the second communication terminal.

[0152] The second public key component is the public key component generated by the second communication terminal using an elliptic curve signature algorithm based on the second key random number. Specifically, it includes: using an elliptic curve over a finite field... The dot multiplication method is used to calculate the corresponding second public key component. , , An elliptic curve of order p The base point. Then, the second communication terminal will send the second public key component. Send to the first communication terminal.

[0153] S504. Generate a joint public key based on the first public key component and the second public key component.

[0154] The first communication terminal generates a joint public key based on elliptic curve point addition and scalar multiplication. The second communication terminal generates a joint public key in parallel.

[0155] After generating the first public key component Second public key component Subsequently, a zero-knowledge proof protocol can be used through a collaborative signature server. The binding relationship between the first public key component and the corresponding private key component is verified bidirectionally to ensure the unforgeability and resistance to man-in-the-middle attacks of the stored keys.

[0156] Specifically, the first communication terminal sends to the second communication terminal. The specific steps are as follows: The first communication terminal generates a random number. Calculate commitment The second communication terminal then sent the challenge. The first communication terminal calculates the response. Send later The second communication terminal verification equation Whether it is valid or not.

[0157] After the above steps are completed, the second communication terminal sends a message to the first communication terminal in the same manner. The above verification process will be executed. If any step of the verification fails, the agreement will terminate.

[0158] This application provides an implementation method for generating a post-quantum public key, such as... Figure 7 As shown, before performing S101 to obtain the quantum-resistant joint key, the method of this application further includes:

[0159] S601. Generate the first private key based on the first secret seed.

[0160] The first communication terminal uses security parameters to generate the first secret seed. The first private key is generated using the pseudo-random number generator RPG. Similarly, the second communication terminal uses security parameters to generate a second secret seed. A second private key is generated using the pseudo-random number generator RPG. Each private key contains 48 private key blocks, i.e. .

[0161] S602. Using a cryptographic hash chain algorithm, perform hash operations on each private key block in the first private key to generate multiple first public key blocks.

[0162] The first communication terminal uses a cryptographic hash chain algorithm to process the first private key. Each private key block undergoes 255 SM3 hash operations to generate multiple first public key blocks. .

[0163] The second communication terminal uses a cryptographic hash chain algorithm to secure the second private key. Each private key block undergoes 255 SM3 hash operations to generate multiple second public key blocks. .

[0164] S603. Generate the first post-quantum public key based on multiple first public key blocks.

[0165] Based on multiple first public key blocks Generate the first post-quantum public key After obtaining the first quantum key pair The first quantum key pair is held by the first communication terminal.

[0166] Similarly, the second post-quantum public key is the post-quantum public key generated by the second communication terminal based on multiple second public key blocks. After obtaining the second quantum key pair The second quantum key pair is held by the second communication terminal.

[0167] This embodiment limits the number of private key blocks (48 blocks) and the maximum number of hashes (255 times) to keep the storage overhead at the 0(1) level (approximately 1.5KB private key + 3KB public key), which is much smaller than the more than 100,000 hash values ​​(greater than 40KB) that SPHINCS+ needs to store.

[0168] Furthermore, because a hash operation is performed when generating the key, only a few dozen hash calculations are needed during subsequent collaborative signing, compared to lattice ciphers. Polynomial multiplication or Thousand Hash with Sphinx+ reduces the computational load.

[0169] This application also provides an implementation method for verifying the generated collaborative signature, such as... Figure 8 As shown, the method includes:

[0170] S701. Calculate the verification point based on the message, the joint public key, and the joint random coordinates.

[0171] According to the news Joint public key and and joint random coordinates Calculate the verification points .

[0172] S702, Extract the x-coordinate of the verification point.

[0173] Extract verification points x-coordinate .

[0174] S703. If the x-coordinate of the verification point matches the x-coordinate of the joint random point, then calculate the recovery public key block corresponding to the remaining hash count based on each second private key block in the second joint signature.

[0175] If verification point x-coordinate With joint random points x-coordinate If a match is found, proceed to the next step; otherwise, terminate the protocol.

[0176] The next step is: based on the second joint signature. For each of the second private key blocks, calculate the recovery public key block corresponding to the remaining hash count, denoted as . , .

[0177] S704. Perform signature verification based on the recovered public key block and each second public key block in the second post-quantum public key.

[0178] If the public key block is recovered If the signature is valid, the agreement is terminated; otherwise, the agreement is terminated.

[0179] The second communication terminal performs the same verification steps, specifically including: if the verification point x-coordinate With joint random points x-coordinate Matching, based on the first joint signature For each of the first private key blocks, calculate the recovery public key block corresponding to the remaining hash count, denoted as . , If satisfied If the signature is valid, the agreement is terminated; otherwise, the agreement is terminated.

[0180] In summary, in this embodiment, the verification points are calculated. And extract its x-coordinate Combine it with joint random points x-coordinate The process involves matching signatures. If no match is found, the protocol terminates. If a match is successful, the validity of the signature is verified using the remaining hash counts. If both verifications pass, the signature is valid; otherwise, the protocol terminates. This embodiment employs a dual verification mechanism to resist common security threats such as forgery attacks and replay attacks, ensuring the reliability of the signature during interaction between the hardware terminal and the collaborative signature server.

[0181] In summary, this application provides a quantum-resistant cooperative signature method with the following advantages:

[0182] 1. During the collaborative key generation process, a hash chain is pre-computed, and the quantum key pair is generated through a finite number of hash operations (255 times). Thus, in the collaborative signature generation stage, a single signature only requires dozens of hash operations (no more than 255 times), which significantly reduces computation and communication overhead, improves signature efficiency, and is suitable for resource-constrained scenarios. Furthermore, if any stage is compromised (such as quantum computing cracking elliptic curves or classical computing brute-force cracking the hash chain), it will not cause the entire system to fail, achieving double insurance.

[0183] 2. While ensuring quantum-resistant security, the zero-knowledge proof process is optimized to reduce the number of interactions, significantly reduce computation and communication overhead, and improve signature efficiency, making it suitable for resource-constrained scenarios.

[0184] 3. After the signature is generated, a dual verification mechanism is used to verify the integrity of the signature, which can resist common security threats such as forgery attacks and replay attacks, and ensure the reliability of the signature during the interaction between the hardware terminal and the collaborative signature server.

[0185] The apparatus, device, and storage medium for implementing the quantum-resistant cooperative signature method provided in any of the above embodiments of this application will be explained below. The specific implementation process and the resulting technical effects are the same as those in the corresponding method embodiments. For the sake of brevity, the parts not mentioned in the following embodiments can be referred to the corresponding content in the method embodiments.

[0186] like Figure 9 As shown, this application also provides a quantum-resistant cooperative signature device for use in a first communication terminal, the device comprising:

[0187] The first acquisition module 10 is used to acquire a quantum-resistant joint key, which includes at least: a first post-quantum public key of the first communication terminal, a second post-quantum public key of the second communication terminal, and a joint public key.

[0188] The second acquisition module 20 is used to acquire the joint random points of the first communication terminal and the second communication terminal.

[0189] The third acquisition module 30 is used to acquire the first key random number of the first communication terminal and the second key random number of the second communication terminal based on the joint public key.

[0190] The first signature module 40 is used to sign the message according to the joint random point and the first key random number to obtain a first signature component, and send it to the second communication terminal.

[0191] The first receiving module 50 is used to receive the second signature component sent by the second communication terminal. The second signature component is a signature component obtained by the second communication terminal signing the message according to the joint random point and the second key random number.

[0192] The second signature module 60 is used to sign the message according to the first signature component, the second signature component, and the first private key block corresponding to each first public key block in the first post-quantum public key, to obtain a first joint signature, and send it to the second communication terminal.

[0193] The second receiving module 70 is used to receive the second joint signature sent by the second communication terminal. The second joint signature is a joint signature obtained by signing the message using the first signature component, the second signature component, and the second private key block corresponding to each second public key block in the second post-quantum public key.

[0194] The generation module 80 is used to generate a target joint signature based on the first joint signature and the second joint signature.

[0195] Optionally, the second acquisition module 20 is configured to generate a first signature random number; generate a first random point based on the first signature random number and send it to the second communication terminal, so that the second communication terminal generates the joint random point based on the second random number and the first random point; receive a second random point sent by the second communication terminal, the second random point being a random point generated by the second communication terminal based on the second signature random number; and generate the joint random point based on the first signature random number and the second random point.

[0196] Optionally, the first signature module 40 is configured to extract joint random coordinates based on the horizontal coordinates of the joint random points; generate the first signature component based on the joint random coordinates, the first key random number, and the hash value of the message; and the second signature component is a signature component generated by the second communication terminal based on the joint random coordinates, the second key random number, and the hash value of the message.

[0197] Optionally, the second signature module 60 is configured to generate joint signature parameters based on the first signature component and the second signature component; generate a joint hash value of the message based on the joint signature parameters, the joint random coordinates, and the message; encode the joint hash value in binary and convert it to decimal to generate a plurality of decimal character first position indices; encode the joint hash value in hexadecimal to generate a plurality of hexadecimal character second position indices; generate the first joint signature based on the plurality of first position indices, the plurality of second position indices, and the first private key block corresponding to each first public key block; the second joint signature is a joint signature generated by the second communication terminal based on the plurality of first position indices, the plurality of second position indices, and the second private key block corresponding to each second public key block.

[0198] Optionally, the generation module 80 is configured to generate the target joint signature based on the first joint signature, the second joint signature, the joint signature parameters, and the joint random coordinates.

[0199] Optionally, the device further includes a key generation module, configured to generate a first key random number based on a shared random number seed and the identity identifier of the first communication terminal; the second key random number is a random number generated by the second communication terminal based on the shared random number seed and the identity identifier of the second communication terminal; generate a first public key component based on the first key random number using an elliptic curve signature algorithm; obtain a second public key component sent by the second communication terminal, the second public key component being a public key component generated by the second communication terminal based on the second key random number using the elliptic curve signature algorithm; and generate the joint public key based on the first public key component and the second public key component.

[0200] Optionally, the key generation module is used to generate a first private key based on a first secret seed; to perform hash operations on each private key block in the first private key using a cryptographic hash chain algorithm to generate multiple first public key blocks; to generate a first post-quantum public key based on the multiple first public key blocks; and the second post-quantum public key is a post-quantum public key generated by the second communication terminal based on multiple second public key blocks.

[0201] Optionally, the device further includes a verification module, configured to calculate a verification point based on the message, the joint public key, and the joint random coordinates; extract the horizontal coordinate of the verification point; if the horizontal coordinate of the verification point matches the horizontal coordinate of the joint random point, calculate the recovery public key block corresponding to the remaining hash count based on each second private key block in the second joint signature; and perform signature verification based on the recovery public key block and each second public key block in the second post-quantum public key.

[0202] Optionally, the verification module is also used to perform bidirectional verification of the binding relationship between the first public key component and the corresponding private key component using a zero-knowledge proof protocol through a collaborative signature server.

[0203] Optionally, the verification module is also used to verify the commitment consistency of the first post-quantum public key and the second post-quantum public key through a collaborative signature server using a zero-knowledge proof protocol.

[0204] The above-described device is used to execute the method provided in the foregoing embodiments, and its implementation principle and technical effect are similar, so they will not be described again here.

[0205] These modules can be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more microprocessors, or one or more Field Programmable Gate Arrays (FPGAs). Alternatively, when a module is implemented using processing element scheduler code, the processing element can be a general-purpose processor, such as a Central Processing Unit (CPU) or other processor capable of calling program code. Furthermore, these modules can be integrated together as a system-on-a-chip (SOC).

[0206] like Figure 10 As shown, this application also provides an electronic device, including a processor 100, a storage medium 200, and a bus 300. The storage medium stores program instructions executable by the processor. When the electronic device is running, the processor communicates with the storage medium via the bus, and the processor executes the program instructions to implement the quantum-resistant cooperative signature method described in any of the above embodiments.

[0207] This application also provides a readable storage medium storing program instructions, which, when executed by a processor, implement the quantum-resistant cooperative signature method described in any of the above embodiments.

[0208] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0209] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0210] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or in a combination of hardware and software functional units.

[0211] The integrated units implemented as software functional units described above can be stored in a computer-readable storage medium. These software functional units, stored in a storage medium, include several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute some steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0212] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A quantum-resistant cooperative signature method, characterized in that, Applied to a first communication terminal, the method includes: To obtain a quantum-resistant joint key, the quantum-resistant joint key includes at least: a first post-quantum public key of the first communication terminal, a second post-quantum public key of the second communication terminal, and a joint public key; Obtain a joint random point from the first communication terminal and the second communication terminal; Based on the joint public key, obtain the first key random number of the first communication terminal and the second key random number of the second communication terminal; The message is signed based on the joint random point and the first key random number to obtain a first signature component, which is then sent to the second communication terminal. The second signature component sent by the second communication terminal is received. The second signature component is a signature component obtained by the second communication terminal signing the message according to the joint random point and the second key random number. The message is signed based on the first signature component, the second signature component, and the first private key block corresponding to each first public key block in the first post-quantum public key to obtain a first joint signature, which is then sent to the second communication terminal. The second joint signature is received from the second communication terminal. The second joint signature is a joint signature obtained by the second communication terminal signing the message based on the first signature component, the second signature component, and the second private key block corresponding to each second public key block in the second post-quantum public key. A target joint signature is generated based on the first joint signature and the second joint signature.

2. The method according to claim 1, characterized in that, The step of obtaining the joint random point of the first communication terminal and the second communication terminal includes: Generate the first signature random number; Based on the first signature random number, a first random point is generated and sent to the second communication terminal, so that the second communication terminal generates the joint random point based on the second random number and the first random point; Receive a second random point sent by the second communication terminal, wherein the second random point is a random point generated by the second communication terminal based on the second signature random number; The joint random point is generated based on the first signature random number and the second random point.

3. The method according to claim 1, characterized in that, The step of signing the message based on the joint random point and the first key random number to obtain the first signature component includes: Extract the joint random coordinates based on the x-coordinates of the joint random points; The first signature component is generated based on the joint random coordinates, the first key random number, and the hash value of the message; The second signature component is a signature component generated by the second communication terminal based on the joint random coordinates, the second key random number, and the hash value of the message.

4. The method according to claim 3, characterized in that, The step of signing the message based on the first signature component, the second signature component, and the private key blocks corresponding to each first public key block in the first post-quantum public key to obtain a first joint signature includes: Generate joint signature parameters based on the first signature component and the second signature component; Based on the joint signature parameters, the joint random coordinates, and the message, generate the joint hash value of the message; The combined hash value is encoded in binary and converted to decimal to generate the first position index of multiple decimal characters; The combined hash value is encoded in hexadecimal to generate a second position index of multiple hexadecimal characters; The first joint signature is generated based on multiple first position indices, multiple second position indices, and the first private key block corresponding to each first public key block; The second joint signature is a joint signature generated by the second communication terminal based on multiple first location indices, multiple second location indices, and the second private key blocks corresponding to each second public key block.

5. The method according to claim 4, characterized in that, The step of generating a target joint signature based on the first joint signature and the second joint signature includes: The target joint signature is generated based on the first joint signature, the second joint signature, the joint signature parameters, and the joint random coordinates.

6. The method according to claim 1, characterized in that, Before obtaining the quantum-resistant joint key, the method further includes: The first key random number is generated based on the shared random number seed and the identity identifier of the first communication terminal; the second key random number is a random number generated by the second communication terminal based on the shared random number seed and the identity identifier of the second communication terminal. Based on the first key random number, the first public key component is generated using the elliptic curve signature algorithm; Obtain the second public key component sent by the second communication terminal. The second public key component is a public key component generated by the second communication terminal using the elliptic curve signature algorithm based on the second key random number. The joint public key is generated based on the first public key component and the second public key component.

7. The method according to claim 1, characterized in that, Before obtaining the quantum-resistant joint key, the method further includes: Generate the first private key based on the first secret seed; A cryptographic hash chain algorithm is used to perform hash operations on each private key block in the first private key to generate multiple first public key blocks; The first post-quantum public key is generated based on the plurality of first public key blocks; The second post-quantum public key is a post-quantum public key generated by the second communication terminal based on multiple second public key blocks.

8. The method according to claim 3, characterized in that, The method further includes: Calculate the verification point based on the message, the joint public key, and the joint random coordinates; Extract the x-coordinate of the verification point; If the x-coordinate of the verification point matches the x-coordinate of the joint random point, then calculate the recovery public key block corresponding to the remaining hash count based on each second private key block in the second joint signature; Signature verification is performed based on the recovered public key block and each of the second public key blocks in the second post-quantum public key.

9. The method according to claim 6, characterized in that, The method further includes: By using a collaborative signature server and employing a zero-knowledge proof protocol, the binding relationship between the first public key component and the corresponding private key component is verified bidirectionally.

10. The method according to claim 1, characterized in that, The method further includes: Using a collaborative signature server and a zero-knowledge proof protocol, the commitment consistency of the first and second post-quantum public keys is verified.