Grid signature method based on bimodal hyperspherical rejection sampling

By constructing a signature key and a verification key based on bimodal hypersphere rejection sampling, a fixed-length digest vector and a challenge polynomial are generated. The signature parameters and response vector are optimized by combining rANS encoding, which solves the problem of excessive signature size in existing lattice signature schemes, achieving a shorter signature size while ensuring security.

CN122247638APending Publication Date: 2026-06-19HUBEI UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUBEI UNIV
Filing Date
2026-05-22
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing lattice signature schemes still need further optimization in terms of signature size to reduce the size of the signature while ensuring security and efficiency. Traditional digital signature schemes face quantum security threats.

Method used

A lattice signature method based on bimodal hypersphere rejection sampling is adopted. By constructing an initial signature key and a verification key, a fixed-length digest vector and a challenge polynomial are generated. The signature parameters and response vector are optimized by combining rANS encoding, thereby reducing the signature size.

Benefits of technology

While ensuring security, a shorter signature size was achieved, and the security of the scheme was guaranteed by overcoming the difficulties of LWE and MSIS problems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247638A_ABST
    Figure CN122247638A_ABST
Patent Text Reader

Abstract

This invention discloses a lattice signature method based on bimodal hypersphere rejection sampling. This method constructs a Fiat-Shamir type lattice signature scheme based on bimodal hypersphere rejection sampling. This invention converts the modulus from 2q to q in existing technologies and generates shorter signatures during the signing process while ensuring the correctness of the scheme.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of cryptography and information security, specifically to a lattice signature method based on bimodal hypersphere rejection sampling. Background Technology

[0002] Digital signatures are widely used to ensure information integrity, authentication, and non-repudiation, such as in email, software distribution, and financial transactions. Traditional digital signature schemes (such as RSA and ECDSA) face security threats and struggle to achieve quantum-resistant security. Therefore, lattice-based signature schemes have been proposed to prevent quantum computing from breaking modern cryptographic systems.

[0003] The communication overhead of digital signature schemes directly impacts the storage and bandwidth consumption of cryptographic systems. Compared to traditional digital signature schemes, lattice signature schemes have significantly higher communication overhead. Existing lattice signature schemes require further optimization in signature size to further reduce the signature size while ensuring security and efficiency. Summary of the Invention

[0004] To address the shortcomings of existing technologies, the purpose of this invention is to provide a lattice signature method based on bimodal hypersphere rejection sampling, which can solve the problems described in the background art.

[0005] The technical solution for achieving the objective of this invention is as follows:

[0006] The lattice signature method based on bimodal hypersphere rejection sampling includes the following steps:

[0007] Step 1: Construct the initial signing key First verification key Second verification key Based on the initial signing key Determine the signing key Based on the first verification key Second verification key Determine the verification key ;

[0008] Step 2: Based on the verification key With messages Generate a fixed-length first summary vector Generate mask vector Based on the first summary vector Mask vector Signature key and verification key Determine signature parameters Response vector And the first challenge polynomial Based on signature parameters Response vector And the first challenge polynomial Determine the signature value ;

[0009] Step 3: Based on the verification key With messages Determine the second summary vector of fixed length According to the signature value With the second summary vector Generating the second challenge polynomial Preset parameters and parameters Second Challenge Polynomial and signature value The constituent parameters of the judgment condition are used to determine whether the judgment condition is met. If it is met, the signature verification is determined to be successful; otherwise, the signature verification is determined to be unsuccessful.

[0010] Furthermore, step 1 is specifically implemented by including:

[0011] Step 11: From the polynomial ring Uniformly randomly selected matrix and the matrix As the first verification key, the polynomial ring Represents a polynomial ring In A set of matrices consisting of n elements;

[0012] Step 12: From the set Uniformly random selection of secret vectors and from set Uniformly and randomly selected error vector Then, according to element 1, secret vector Error vector The initial signature key is obtained by concatenating the rows in the correct order. , where, set Indicates a set middle( A set of vectors consisting of 100 elements. Indicates a set middle A vector set consisting of n elements;

[0013] Step 13: Generate the second verification key according to the following formula :

[0014]

[0015] Step 14: Based on the initial signing key The function value is calculated. And determine the function value. With preset parameters The size, if Then the signature key is determined to be And determine the verification key as This generates the signature key. and verification key ,like If the condition is met, proceed to step 12 until the condition is met. and obtain the signing key. and verification key ;

[0016] Furthermore, step 2 is specifically implemented by including:

[0017] Step 21: Verify the key and message After concatenation, a hash operation is performed to generate a fixed-length first digest vector. ;

[0018] Step 22: From the hypersphere set Uniformly and randomly selected mask vector The polynomial intermediate vector is calculated as follows: :

[0019]

[0020] In the formula, Represents the mask vector The coefficients are rounded to the nearest whole number. , , express Multiply each component , express The 1D identity matrix is ​​also used to calculate the function as follows: :

[0021]

[0022] In the formula, the parameter As a preset value, Represents the intermediate vector Any coefficient in, , This represents the rounding down operation for integers. Indicates the function Extend to each coefficient;

[0023] Step 23: Set the function With the first summary vector After concatenation, a hash operation is performed to generate the seed string for the first byte. Then, from the seed of the first byte string Generating the first challenge polynomial Among them, the first challenge polynomial For polynomials of degree no more than 255, the first challenge polynomial. The coefficient is 0 or 1, and the number of non-zero coefficients is a preset value. ;

[0024] Step 24: Generate the polynomial ring middle A polynomial vector consisting of elements , and the polynomial vector Each component multiplied by the first challenge polynomial The result of the operation is obtained. Then, a value is randomly selected from 0 and 1 as the value of parameter b, and the variable is calculated. Calculations yielded The value of is then determined. Whether it is valid,

[0025] If not, proceed to step 22; if yes, then change the mask vector. Split into two sub-vectors and and the initial signing key Split into two sub-vectors and subvector mask vector The front of the middle Each component, subvector mask vector The middle Each component, subvector For the initial signing key The front of the middle Each component, subvector For the initial signing key The middle Each component will divide the two subvectors into components. and Each component with the first challenge polynomial Multiply by , and we get and And calculate the response vector. and Then and By concatenating the vectors, we obtain the vector z.

[0026] Step 25: Calculate the signature parameters using the following formula. :

[0027]

[0028] In the formula, Representation function The variable is ,

[0029] Two preset parameters and And calculate the L2 norm of vector z. and The L2 norm is used, and one of 0 and 1 is randomly selected as the parameter. The value of is determined, and the following equation (1) is judged to be true:

[0030] and or and (1)

[0031] If true, output the signature value. Otherwise, proceed to step 22;

[0032] Furthermore, step 3 is specifically implemented by including:

[0033] Step 31: Calculation Combined with verification key and Construct the matrix according to the following formula : Then, by signature sum matrix Calculate using the following formula :

[0034]

[0035] in, express Multiply each component , Then it means Multiply each component ,

[0036] Step 32: Verify the key With messages After concatenation, a hash operation is performed to obtain a fixed-length second digest vector. Then, With the second summary vector After concatenation, a hash operation is performed to generate a seed for the second byte string. Finally, the seed string is derived from the second byte. Generating the second challenge polynomial ;

[0037] Step 33: Preset parameters , And determine whether the following equations (2) and (3) are true at the same time, where equations (2) and (3) constitute the judgment condition:

[0038] (2)

[0039] (3)

[0040] If yes, then the signature verification is successful; otherwise, the signature verification is unsuccessful.

[0041] Furthermore, after step 25 and before step 31, the process also includes:

[0042] Step 4: Signature Signature parameters in and response vector Encode the signature to obtain a shorter signature, thereby optimizing the signature size.

[0043] Furthermore, rANS encoding is used for the signature parameters. and response vector Encode it.

[0044] Furthermore, regarding the signature parameters Encoding includes the following steps:

[0045] rANS encoding uses Distribution construction table Multiple calls to the signature algorithm yielded The coefficients are collected, several coefficients are statistically analyzed and their frequencies are counted, and estimations are performed using these frequencies to construct a new table. The new table The construction depends on The distribution of coefficients, and the table length is usually set to a power of 2, based on the new table. Perform rANS encoding.

[0046] Furthermore, regarding the response vector Encoding includes the following steps:

[0047] First, decompose using the function Decompose. ,get Next, to The final signature is obtained by performing rANS encoding. , Indicates rANS encoding, The function is defined as: for integers , , This represents modulo reduction, and the range of the result after the modulo reduction operation is... , this function Extended to response vector For each coefficient of each polynomial component, we obtain ,and .

[0048] The beneficial effects of the present invention are: the present invention realizes the conversion of the modulus from 2q to q in the prior art, and generates a shorter signature during the signature process while ensuring the correctness of the scheme. Attached Figure Description

[0049] Figure 1 This is a flowchart illustrating a preferred embodiment of the present invention. Detailed Implementation

[0050] The present invention will be further described below with reference to the accompanying drawings and specific embodiments:

[0051] To facilitate understanding of this embodiment, the relevant symbols are defined as follows:

[0052] Polynomial ring: , = ,

[0053] in, Represents a set of integers. Represents the set of real numbers. Modulus The set of remaining classes ,symbol Represents a polynomial variable. It is a prime number. It is a polynomial The number of times; express The range of values ​​for all coefficients in the formula is: The set of polynomials.

[0054] Setting parameters Discrete hypersphere sets Defined as a set With the supersphere The intersection,

[0055] in, Indicates by indivual A vector set consisting of elements in the set. express With polynomial ring Multiplication operation Represents a polynomial ring In In a vector space composed of n elements, with the origin as the center, ... The set of hyperspheres with radius .

[0056] like Figure 1 As shown, the lattice signature method based on bimodal hypersphere rejection sampling includes the following steps:

[0057] Step 1: Key Generation

[0058] Generate a signature key by following these steps. and verification key :

[0059] Step 11: From the polynomial ring Uniformly randomly selected matrix and the matrix As the first verification key.

[0060] Among them, polynomial ring Represents a polynomial ring In A set of matrices consisting of n elements.

[0061] Step 12: From the set Uniformly random selection of secret vectors and from set Uniformly and randomly selected error vector Then, according to element 1, secret vector Error vector The initial signature key is obtained by concatenating the rows in the correct order. That is, element 1, the secret vector Error vector Construct the initial signature key by piecing together the lines. The splicing process involves performing the following operations:

[0062]

[0063] The above operation involves concatenating the three elements row by row to obtain a new vector, which is the signature key. .

[0064] Among them, set Indicates a set middle( A set of vectors consisting of 100 elements. Indicates a set middle A vector set consisting of 10 elements.

[0065] Understandable, and The value of can be determined based on the security level, that is, its value is mainly determined by the level of security. In this embodiment, the proper signature method is a scheme based on the MLWE problem, therefore, ( ) can represent the dimension of an MLWE problem. This represents the number of samples in the MLWE problem.

[0066] Step 13: Generate the second verification key according to the following formula :

[0067]

[0068] That is, based on the first verification key Secret Vector and error vector Generate a second verification key .

[0069] Step 14: Based on the initial signing key The function value is calculated. And determine the function value. With preset parameters The size, if Then the signature key is determined to be And determine the verification key as This generates the signature key. and verification key .

[0070] like If the condition is met, proceed to step 12 until the condition is met. and obtain the signing key. and verification key .

[0071] Among them, the function value The following steps are used to calculate:

[0072] Preset parameters ,calculate as well as Signature key It is a polynomial ring middle polynomials The resulting polynomial vector. The fundamental unit root, then , Calculation function ,

[0073] in, Indicates when hour, No. For larger values, the same principle applies. express The (m+1)th largest value.

[0074] Step 2: Sign

[0075] The signing process, or signing, is completed by following these steps:

[0076] Step 21: Verify the key With messages After concatenation, a hash operation is performed to generate a fixed-length first digest vector. .

[0077] It is understandable that the above operation can be expressed using the following calculation formula:

[0078]

[0079] That is, first verify the key and message. Connect the data and then feed it into the hash function. Perform a hash operation.

[0080] Step 22:

[0081] Step 22: From the hypersphere set Uniformly and randomly selected mask vector The polynomial intermediate vector is calculated as follows: :

[0082]

[0083] In the formula, Represents the mask vector The coefficients are rounded to the nearest whole number. , , express Multiply each component , express 3D identity matrix

[0084] The function is also calculated as follows: :

[0085]

[0086] In the formula, the parameter As a preset value, Represents the intermediate vector Any coefficient in, , This represents the rounding down operation for integers. Indicates the function Extending to each coefficient, that is, the function The coefficients are extended to the intermediate vector. The function can be obtained by going up. .

[0087] function Representation function The variable is the intermediate vector That is, function The input is the intermediate vector .

[0088] Step 23: Set the function With the first summary vector After concatenation, a hash operation is performed to generate the seed string for the first byte. Then, from the seed of the first byte string Generating the first challenge polynomial Among them, the first challenge polynomial For polynomials of degree no more than 255, the first challenge polynomial. The coefficient is 0 or 1, and the number of non-zero coefficients is a preset value. .

[0089] It is understandable that the function With the first summary vector After joining, a hash operation is performed, which is calculated according to the following formula:

[0090]

[0091] Step 24: Generate the polynomial ring middle A polynomial vector consisting of elements , and the polynomial vector Each component multiplied by the first challenge polynomial The result of the operation is obtained. Then, a value is randomly selected from 0 and 1 as the parameter b, and the variable is calculated. Treat this variable as a function The variables (i.e., those used as inputs to the function) are calculated to obtain... The value of is then determined. Whether it is valid,

[0092] If not (i.e., not true), proceed to step 22.

[0093] If so (i.e., true), then the mask vector will be... Split into two sub-vectors and and the initial signing key Split into two sub-vectors and Subvector mask vector The front of the middle Each component, subvector mask vector The middle Each component. Subvector For the initial signing key The front of the middle Each component, subvector For the initial signing key The middle Each component.

[0094] It is understandable that the two sub-vectors and The mask vector can be obtained by concatenating the two vectors. Two subvectors and The initial signing key can be obtained by concatenating the two keys. That is to say, there is , .

[0095] and the two subvectors and Each component with the first challenge polynomial Multiply by , and we get and and calculate and Then and By concatenating the vectors, we obtain the vector z, which is... .

[0096] Step 25: Calculate the signature parameters using the following formula. :

[0097]

[0098] In the formula, Representation function The variable is .

[0099] Two preset parameters and And calculate the L2 norm of vector z. and The L2 norm is used, and one of 0 and 1 is randomly selected as the parameter. The value of is determined, and the following equation (1) is judged to be true:

[0100] and or and (1)

[0101] If true, output the signature value. Otherwise, proceed to step 22.

[0102] After completing step 2, it also includes,

[0103] Step S: Signature Signature parameters in and response vector Encode the signature to obtain a shorter signature, which is a new signature, thus optimizing the signature size.

[0104] Among them, rANS encoding can be used for the signature parameters. and response vector Encode it to get a shorter signature.

[0105] Specifically, regarding signature parameters Encoding includes the following steps:

[0106] rANS encoding requires the use of Distribution construction table This invention obtains the signature by repeatedly calling the signature algorithm. The coefficients were calculated by collecting approximately 20,000 coefficients and statistically analyzing their frequencies. Using these frequencies, an estimation was performed, and a table was constructed. .surface The structure mainly depends on The coefficients are distributed, and the table length is usually set to a power of 2 to facilitate encoding and decoding operations.

[0107] For parameters Encoding: First, decompose using the function Decompose get Next, regarding Perform rANS encoding. Then it can be transmitted directly. The final signature is obtained. . This represents the rANS encoding operation, and the corresponding decoding operation is denoted as... .in The function is defined as: for integers , , This represents modulo reduction, and the range of the result after the modulo reduction operation is... . This function Extended to polynomial vectors For each coefficient of each polynomial component, we obtain ,and .

[0108] Step 3: Verify the signature

[0109] First, sign the encoded data. Decode to obtain the signature The signature verification is achieved through the following steps:

[0110] Step 31: Calculation Combined with verification key and Construct the matrix according to the following formula : .

[0111] Then by signature sum matrix Calculate using the following formula :

[0112]

[0113] in, express Multiply each component , Then it means Multiply each component .

[0114] Step 32: Verify the key With messages After concatenation, a hash operation is performed to obtain a fixed-length second digest vector. That is, the second summary vector is obtained according to the following formula. :

[0115]

[0116] Then, With the second summary vector After concatenation, a hash operation is performed to generate a seed for the second byte string. That is, the seed of the second byte string is obtained according to the following formula. :

[0117]

[0118] Finally, the seed from the second byte string Generating the second challenge polynomial .

[0119] Step 33: Preset parameters , And determine whether the following equations (2) and (3) are true at the same time:

[0120] (2)

[0121] (3)

[0122] If yes (i.e., true), the signature verification is successful, and a logical value of 1 can be returned to indicate that the signature has been verified. If no (i.e., false), the signature verification fails, meaning the signature has not been verified, and a logical value of 0 can be returned to indicate that the signature has not been verified.

[0123] To illustrate the correctness of the lattice signature in this embodiment, a correctness analysis is performed:

[0124] From the formula:

[0125]

[0126] It can be obtained

[0127]

[0128] The first challenge polynomial is generated during the signature process. First byte string seed By constructing the seed string, the second byte string generated during the signature verification process can be obtained. satisfy: .

[0129] You might want to set the received signature to ,at this time:

[0130]

[0131] Therefore, it should be set ,at this time If the signature is valid, it can be verified; otherwise, the signature cannot be verified.

[0132] From a security perspective, the security of the lattice signature in this embodiment is guaranteed by the difficulty of the LWE problem and the difficulty of the MSIS problem. This embodiment also defines a new problem: BimodalSelfTargetMSIS, whose advantage function is as follows:

[0133]

[0134] The difficulty of this new problem can be reduced to the difficulty of the MSIS problem, and finally the security of the signature scheme can be reduced to the difficulty of the LWE problem and the difficulty of the BimodalSelfTargetMSIS problem.

[0135] Specifically, during the key generation phase, the key is in the form of an LWE sample. Whether an adversary can obtain the signature key information from the verification key can be reduced to the LWE problem.

[0136] During the signature phase, a series of operations generate z. By setting the parameters, the distribution of z and the hypersphere set can be obtained. The uniform distribution is the same. Further detection in step 24 ensures that h is generated through z with the same distribution. Therefore, a simulator without a signature key can simulate a signature with statistics close to the real signature. At this point, an adversary's attack on the signature scheme can be transformed into an attack on the simulator, and further into an attack on the BimodalSelfTargetMSIS problem, thus reducing it to the difficulty of the MSIS problem.

[0137] Solution Comparison

[0138] The HAETAE scheme based on the rejection of the bimodal hypersphere is denoted as Scheme 1, and the scheme in this embodiment is denoted as Scheme 2.

[0139] The relevant parameters for Scheme 1 and Scheme 2 are shown in Table 1:

[0140] Table 1: Parameter Table

[0141]

[0142] Based on the parameters in Table 1, the verification key, signature key, and signature size (in bytes) obtained from Scheme 1 and Scheme 2 are shown in Tables 2 and 3 respectively:

[0143] Table 2

[0144]

[0145] Table 3

[0146]

[0147] As can be seen from the above comparison, compared with the existing HAETAE scheme, the present invention has a signature key and a verification key of the same size, while the signature size is 124 bytes smaller, thus achieving optimized signature size.

[0148] Understandably, in practical applications, the signing key, in addition to Also includes and a 32-byte string. Used to generate polynomial vectors in signatures Furthermore, regarding the key... The storage will be based on a byte string seed of length 32 bytes. To replace it.

[0149] This invention constructs a Fiat-Shamir type lattice signature scheme based on bimodal hypersphere rejection sampling, and provides a theoretical analysis of its correctness and security, while also conducting relevant experiments to prove its correctness.

[0150] Typically, the modulus of a lattice signature scheme based on bimodal hypersphere rejection sampling is 2q. This invention introduces a parameter... A new signature scheme was designed, which converts the modulus from 2q to q. While ensuring the correctness of the scheme, a shorter signature was generated during the signing process.

[0151] The embodiments disclosed in this specification are merely illustrative of one aspect of the invention, and the scope of protection of the invention is not limited to these embodiments. Any other functionally equivalent embodiments fall within the scope of protection of the invention. Those skilled in the art can make various other corresponding changes and modifications based on the technical solutions and concepts described above, and all such changes and modifications should fall within the scope of protection of the claims of this invention.

Claims

1. A lattice signature method based on bimodal hypersphere rejection sampling, characterized in that, Includes the following steps: Step 1: Construct the initial signing key First verification key Second verification key Based on the initial signing key Determine the signing key Based on the first verification key Second verification key Determine the verification key ; Step 2: Based on the verification key With messages Generate a fixed-length first summary vector Generate mask vector Based on the first summary vector Mask vector Signature key and verification key Determine signature parameters Response vector And the first challenge polynomial Based on signature parameters Response vector And the first challenge polynomial Determine the signature value ; Step 3: Based on the verification key With messages Determine the second summary vector of fixed length According to the signature value With the second summary vector Generating the second challenge polynomial Preset parameters and parameters Second Challenge Polynomial and signature value The constituent parameters of the judgment condition are used to determine whether the judgment condition is met. If it is met, the signature verification is determined to be successful; otherwise, the signature verification is determined to be unsuccessful.

2. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 1, characterized in that, Step 1 is specifically implemented as follows: Step 11: From the polynomial ring Uniformly randomly selected matrix and the matrix As the first verification key Among them, polynomial ring Represents a polynomial ring In A set of matrices consisting of n elements; Step 12: From the set Uniformly random selection of secret vectors and from set Uniformly and randomly selected error vector Then, according to element 1, secret vector Error vector The initial signature key is obtained by concatenating the rows in the correct order. , Among them, set Indicates a set middle( A set of vectors consisting of 100 elements. Indicates a set middle A vector set consisting of n elements; Step 13: Generate the second verification key according to the following formula : ; Step 14: Based on the initial signing key The function value is calculated. And determine the function value. With preset parameters The size, if Then the signature key is determined to be And determine the verification key as This generates the signing key. and verification key , like If the condition is met, proceed to step 12 until the condition is met. and obtain the signing key. and verification key .

3. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 2, characterized in that, Step 2 is specifically implemented as follows: Step 21: Verify the key and message After concatenation, a hash operation is performed to generate a fixed-length first digest vector. ; Step 22: From the hypersphere set Uniformly and randomly selected mask vector The polynomial intermediate vector is calculated as follows: : In the formula, Represents the mask vector The coefficients are rounded to the nearest whole number. , , express Multiply each component , express 3D identity matrix The function is also calculated as follows: : In the formula, the parameter As a preset value, Represents the intermediate vector Any coefficient in, , This represents the rounding down operation for integers. Indicates the function Extend to each coefficient; Step 23: Set the function With the first summary vector After concatenation, a hash operation is performed to generate the seed string for the first byte. Then, from the seed of the first byte string Generating the first challenge polynomial , Among them, the first challenge polynomial For polynomials of degree no more than 255, the first challenge polynomial. The coefficient is 0 or 1, and the number of non-zero coefficients is a preset value. ; Step 24: Generate the polynomial ring middle A polynomial vector consisting of elements , and the polynomial vector Each component multiplied by the first challenge polynomial The result of the calculation is obtained. Then, a value is randomly selected from 0 and 1 as the value of parameter b, and the variable is calculated. Calculations yielded Then determine the value of . Whether it is valid, If not, proceed to step 22. If so, then the mask vector Split into two sub-vectors and and the initial signing key Split into two sub-vectors and subvector mask vector The front of the middle Each component, subvector mask vector The middle Each component, subvector For the initial signing key The front of the middle Each component, subvector For the initial signing key The middle One portion, Two subvectors and Each component with the first challenge polynomial Multiply by , and we get and And calculate the response vector. and Then and By concatenating the vectors, we obtain the vector z. Step 25: Calculate the signature parameters using the following formula. : In the formula, Representation function The variable is , Two preset parameters and And calculate the L2 norm of vector z. and The L2 norm is used, and one of 0 and 1 is randomly selected as the parameter. The value of is determined, and the following equation (1) is judged to be true: and or and (1) If true, output the signature value. Otherwise, proceed to step 22.

4. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 3, characterized in that, Step 3 is specifically implemented by including, Step 31: Calculation Combined with verification key and Construct a matrix using the following formula : , Then, by signature sum matrix Calculate using the following formula : ,in, express Multiply each component , Then it means Multiply each component , Step 32: Verify the key With messages After concatenation, a hash operation is performed to obtain a fixed-length second digest vector. Then, With the second summary vector After concatenation, a hash operation is performed to generate a seed for the second byte string. Finally, the seed string is derived from the second byte. Generating the second challenge polynomial ; Step 33: Preset parameters , And determine whether the following equations (2) and (3) are true at the same time, where equations (2) and (3) constitute the judgment condition: (2) (3) If yes, then the signature verification is successful; otherwise, the signature verification is unsuccessful.

5. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 4, characterized in that, After step 25 and before step 31, the process also includes: Step 4: Signature Signature parameters in and response vector Encode the signature to obtain a shorter signature, thereby optimizing the signature size.

6. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 5, characterized in that, Use rANS encoding for signature parameters and response vector Encode it.

7. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 6, characterized in that, For signature parameters Encoding includes the following steps: rANS encoding uses Distribution construction table Multiple calls to the signature algorithm yielded The coefficients are collected, several coefficients are statistically analyzed and their frequencies are counted, and estimations are performed using these frequencies to construct a new table. The new table The construction depends on The distribution of coefficients, and the table length is usually set to a power of 2, based on the new table. Perform rANS encoding.

8. The lattice signature method based on bimodal hypersphere rejection sampling according to claim 6, characterized in that, For the response vector Encoding includes the following steps: First, decompose using the function Decompose. ,get , Next, regarding Perform rANS encoding. The final signature , Indicates rANS encoding, The function is defined as: for integers , , This represents modulo reduction, and the range of the result after the modulo reduction operation is... , this function Extended to response vector For each coefficient of each polynomial component, we obtain ,and .