A post-quantum certificateless signature generation method, verification method and device

CN122394813APending Publication Date: 2026-07-14SHENZHEN OLYM INFORMATION SECURITY TECHOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN OLYM INFORMATION SECURITY TECHOLOGY CO LTD
Filing Date
2026-06-12
Publication Date
2026-07-14

Smart Images

  • Figure CN122394813A_ABST
    Figure CN122394813A_ABST
Patent Text Reader

Abstract

The application provides a post-quantum certificateless signature generation method and verification method and device. The generation method comprises the steps of obtaining user identity information and a system master public key; generating a user signature key pair according to a preset working mode, wherein the user signature key pair comprises a user signature public key and a user signature private key; submitting the user identity information and the user signature public key to a key generation center, receiving an identity binding signature for proving the binding relationship between the user identity information and the user signature public key generated by a system master private key held by the key generation center; generating a user message signature by the user signature private key and an application message to be authenticated, and generating a signature transmission object by the identity binding signature, an explicit transmission part of the user signature public key and the user message signature. The application solves the contradiction between key escrow and transmission efficiency in a post-quantum identity cryptography system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security technology, specifically to a post-quantum certificateless signature generation method, verification method, and apparatus. Background Technology

[0002] With the rapid development of quantum computing technology, traditional public-key cryptosystems face the potential risk of being cracked, and migrating to post-quantum cryptography has become a global consensus. Identity-based cryptography, especially the Identifier Key Encapsulation Mechanism (IBKEM), has shown application potential in closed or semi-closed systems such as the Internet of Things and government and enterprise offices because it does not require the management of traditional public key certificates and supports direct encryption based on identity.

[0003] However, existing technologies face the following prominent contradictions and shortcomings in practical deployment: The key escrow defects of identifier-based signatures: Traditional identifier-based signature schemes that work with IBKEM require users' signature private keys to be generated and distributed uniformly by a key generation center. This gives the key generation center the ability to forge any user's signature, failing to meet the "non-repudiation" requirements of scenarios such as judicial evidence preservation and financial transactions, and resulting in serious legal semantic defects.

[0004] Classical certificate-based signatures suffer from inefficient transmission: While certificateless signature paradigms, introduced to eliminate escrow issues, allow users to generate signature keys locally and have certificates issued by a central authority, their transmission overhead is enormous in post-quantum algorithm constructions. The complete authentication object, consisting of the authority certificate, the full user public key, and the user signature, is massive, far exceeding the capacity of many bandwidth-constrained scenarios. Although message recovery signature techniques can be used to compress size, existing solutions typically only compress the user signature layer; the credential layer still needs to transmit the complete user public key, limiting overall compression efficiency.

[0005] Existing technologies have failed to provide a post-quantum signature scheme that simultaneously eliminates key escrow at the architectural level and achieves extreme compression in transmission.

[0006] Therefore, there is an urgent need in this field for a technical solution that can fundamentally resolve the above contradictions, namely, to completely eliminate the risk of signature key escrow while significantly reducing the transmission overhead of authentication data, so as to achieve efficient, practical and legally non-repudiable post-quantum signatures. Summary of the Invention

[0007] In view of the aforementioned problems, this application is proposed to provide a post-quantum certificateless signature generation method, verification method, and apparatus that overcomes or at least partially solves the aforementioned problems, comprising: A post-quantum certificateless signature generation method, wherein the method is implemented through a system key pair generated by a key generation center, the system key pair including a system master private key and a system master public key, and includes the following steps: Obtain user identity information and the system's master public key; A user signature key pair is generated according to a preset working mode, the working mode including a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key; Submit the user identity information and the user signature public key to the key generation center, and receive an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; A user message signature is generated by combining the user's private key with the application message to be authenticated, and a signature transmission object is generated by combining the identity binding signature, the explicit transmission portion of the user's public key, and the user message signature.

[0008] Further, the step of generating a user signature key pair according to a preset working mode, wherein the working mode includes a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key, includes: When the default working mode is unmanaged mode, user signature key pairs are generated independently in the local security domain, and the user signature private key is stored in the local security domain. When the default working mode is managed mode, the user signature key pair is generated through the key generation center, and the user signature private key is sent to the local machine.

[0009] Further, the step of submitting the user identity information and the user signature public key to the key generation center, and receiving an identity binding signature generated by the system master private key held by the key generation center to prove the binding relationship between the user identity information and the user signature public key, includes: Submit user identity information and user signature public key to the key generation center; the key generation center verifies the legality of the user identity information, and after verification, the key generation center uses the system master private key it holds to generate an identity binding signature using the message recovery signature mode; Receive the identity binding signature issued by the key generation center, the identity binding signature containing a recoverable part of the user's signature public key.

[0010] Furthermore, the step of generating an identity binding signature using the message recovery signature mode includes: The user-signed public key is split into a first recoverable part and a first explicit part; A first explicit message is generated using the user's identity information and the first explicit portion; A second explicit message is generated by adding a domain separation tag and a timestamp to the explicit message. The domain separation tag is used to distinguish the operation context of this protocol from other cryptographic protocols, and the timestamp is used to limit the validity period of the identity binding signature. The system master private key is used to perform a signature operation on the second explicit message and the first recoverable part to generate an identity binding signature with anti-replay and anti-cross-protocol attack capabilities.

[0011] Further, the step of generating a user message signature using the user signing private key and the application message to be authenticated, and generating a signature transmission object using the identity binding signature, the explicit transmission portion of the user signing public key, and the user message signature, includes: Obtain the application message to be authenticated, and generate a user message signature using the message recovery signature mode with the user signature private key. The user message signature contains a recoverable part of the application message. The identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature are concatenated to generate a signature transmission object.

[0012] Furthermore, it also includes: When the verifier is unaware of the user's identity information or the application message has an explicit portion, the user's identity information or the explicit portion of the application message is appended to the signature transmission object.

[0013] A post-quantum certificateless signature verification method, wherein the verification method is used to verify the signature generated by the method described above, and the verifier of the verification method holds the system master public key generated by the key generation center, comprising the following steps: Obtain the signature transmission object to be verified; wherein, the signature transmission object includes the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature; The first-level verification is performed on the identity binding signature using the system master public key. After successful verification, the recoverable portion of the user signature public key hidden inside the identity binding signature is recovered. The complete user signature public key can be reconstructed by the explicit transmission portion of the user signature public key and the recoverable portion of the user signature public key; The user message signature is subjected to a second-level verification using the user signature public key. After successful verification, the recoverable part of the application message hidden inside the user message signature is recovered, and a complete application message is generated. If both levels of verification pass, it confirms that the application message was issued by the user with the corresponding user identity information and has not been tampered with; if either level of verification fails, a verification failure result is output.

[0014] A post-quantum certificateless signature device is provided, wherein the device utilizes a system key pair generated by a key generation center, the system key pair including a system master private key and a system master public key, and the device implements the steps of the post-quantum certificateless signature generation method described above: include: The acquisition module is used to acquire user identity information and the system's master public key; The user signature key pair module is used to generate user signature key pairs according to a preset working mode, including a managed mode and an unmanaged mode. The user signature key pair includes a user signature public key and a user signature private key. The identity binding signature module is used to submit the user's identity information and the user's signature public key to the key generation center, and to receive an identity binding signature generated by the system master private key held by the key generation center, which proves the binding relationship between the user's identity information and the user's signature public key. The signature transmission object module is used to generate a user message signature using the user signature private key and the application message to be authenticated, and to generate a signature transmission object using the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature.

[0015] A computer electronic device includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the computer program, when executed by the processor, implements the method described above.

[0016] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described above.

[0017] This application has the following advantages: In the embodiments of this application, in contrast to the problems of key custody defects, low transmission efficiency, incomplete single-layer message recovery compression, and inability to balance legal non-repudiation and transmission compactness in the prior art of post-quantum signature, this application provides a post-quantum certificateless signature generation method. This method is implemented through a system key pair generated by a key generation center. The system key pair includes a system master private key and a system master public key. The method includes the following steps: obtaining user identity information and the system master public key; generating a user signature key pair according to a preset working mode, including a custodial mode and an uncustodial mode, wherein the user signature key pair includes a user signature public key and a user signature private key; submitting the user identity information and the user signature public key to the key generation center, and receiving an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; generating a user message signature using the user signature private key and the application message to be authenticated, and generating a signature transmission object using the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature. By employing a dual-working-mode compatible architecture and a two-layer message recovery compression mechanism, the core contradiction in post-quantum signature systems—the incompatibility between key escrow risk and transmission efficiency—is resolved. This achieves the elimination of legal non-repudiation of signature key escrow, dual bandwidth compression at the credential and user signature layers, flexible switching between escrow and non-escrow modes to adapt to all scenario requirements, and inherent compatibility with post-quantum identifier key encapsulation mechanisms without requiring modification of existing systems. It ensures long-term quantum-resistant security while meeting the non-repudiation signature requirements of high-security scenarios such as judicial evidence preservation and financial transactions. Simultaneously, it is adaptable to bandwidth-constrained scenarios such as satellite communication and low-power IoT, and can be directly integrated and deployed with existing post-quantum IBKEM systems. The transformation is simple, the computational efficiency is high, and it balances the security, practicality, and efficiency of signatures. Attached Figure Description

[0018] To more clearly illustrate the technical solution of this application, the drawings used in the description of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 This is a flowchart illustrating the steps of a post-quantum certificateless signature generation method according to an embodiment of this application; Figure 2 This is a system architecture diagram of a post-quantum certificateless signature generation method provided in one embodiment of this application; Figure 3 This is a flowchart illustrating the steps of a post-quantum certificateless signature verification method provided in one embodiment of this application; Figure 4 This is a structural block diagram of a post-quantum certificateless signature generation device provided in one embodiment of this application; Figure 5 This is a structural block diagram of a post-quantum certificateless signature verification device provided in one embodiment of this application; Figure 6 This is a schematic diagram of the structure of a computer device provided in an embodiment of the present invention; 1. Computer equipment; 2. External devices; 3. Processing unit; 4. Bus; 5. Network adapter; 6. I / O interface; 7. Display; 8. Memory; 9. Random access memory; 10. Cache memory; 11. Storage system; 12. Program / utility; 13. Program module. Detailed Implementation

[0020] To make the objectives, features, and advantages of this application more apparent and understandable, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.

[0021] Analysis of existing technologies reveals that users' signature private keys must be uniformly generated and distributed by the Key Generation Center (KGC). As a result, the KGC has the ability to forge any user's signature, making it impossible to provide "non-repudiable" legal semantics for high-security scenarios such as judicial evidence preservation, financial transactions, and government and enterprise authentication. This severely limits the large-scale promotion of post-quantum cryptography systems.

[0022] Reference Figure 1 This application illustrates a post-quantum certificateless signature generation method according to an embodiment of the present application. The method utilizes a system key pair generated by a key generation center. The system key pair includes a system master private key and a system master public key, and includes the following steps: S110. Obtain user identity information and the system master public key; S120. Generate a user signature key pair according to a preset working mode, wherein the working mode includes a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key. S130. Submit the user identity information and the user signature public key to the key generation center, and receive the identity binding signature generated by the system master private key held by the key generation center, which proves the binding relationship between the user identity information and the user signature public key. S140. Generate a user message signature using the user signature private key and the application message to be authenticated, and generate a signature transmission object using the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature.

[0023] In the embodiments of this application, in contrast to the problems of key custody defects, low transmission efficiency, incomplete single-layer message recovery compression, and inability to balance legal non-repudiation and transmission compactness in the prior art of post-quantum signature, this application provides a post-quantum certificateless signature generation method. This method is implemented through a system key pair generated by a key generation center. The system key pair includes a system master private key and a system master public key. The method includes the following steps: obtaining user identity information and the system master public key; generating a user signature key pair according to a preset working mode, including a custodial mode and an uncustodial mode, wherein the user signature key pair includes a user signature public key and a user signature private key; submitting the user identity information and the user signature public key to the key generation center, and receiving an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; generating a user message signature using the user signature private key and the application message to be authenticated, and generating a signature transmission object using the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature. By employing a dual-working-mode compatible architecture and a two-layer message recovery compression mechanism, the core contradiction in post-quantum signature systems—the incompatibility between key escrow risk and transmission efficiency—is resolved. This achieves the elimination of legal non-repudiation of signature key escrow, dual bandwidth compression at the credential and user signature layers, flexible switching between escrow and non-escrow modes to adapt to all scenario requirements, and inherent compatibility with post-quantum identifier key encapsulation mechanisms without requiring modification of existing systems. It ensures long-term quantum-resistant security while meeting the non-repudiation signature requirements of high-security scenarios such as judicial evidence preservation and financial transactions. Simultaneously, it is adaptable to bandwidth-constrained scenarios such as satellite communication and low-power IoT, and can be directly integrated and deployed with existing post-quantum IBKEM systems. The transformation is simple, the computational efficiency is high, and it balances the security, practicality, and efficiency of signatures.

[0024] It should be noted that, referring to Figure 2The double-layer message recovery certificateless signature generation method (hereinafter referred to as DM-CBS, Double-MRMCcertificate-BasedSignature) proposed in this application consists of four types of entities: Key Generation Center (KGC), user (signer), verifier, and identity / authentication credential directory service. It includes five core algorithms: KGC key generation KGCKeyGen, user key generation UserKeyGen, identity binding signature issuance CertSign-MRM, user message signature UserSign-MRM, and two-phase verification CertSig-Verify.

[0025] As described in step S110, obtain the user's identity information and the system's master public key.

[0026] It should be noted that the system's master public key is generated and publicly distributed once during the system initialization phase by the key generation center. It serves as the unique global trust anchor for signature verification by all participants. The corresponding system master private key is permanently and secretly stored by the key generation center and will never be disclosed. User identity information supports any readable string format, such as email address, mobile phone number, device serial number, employee ID, and unified social credit code, and shares the same identity namespace as the collaboratively deployed post-quantum identifier key encapsulation mechanism system. This design allows users to acquire both the encryption / decryption capabilities of the identifier key encapsulation mechanism and the digital signature capabilities of this solution by completing only one identity registration process. This eliminates the need to maintain identity information in two separate systems, significantly reducing the deployment complexity and user management costs of the post-quantum hybrid cryptography system.

[0027] As an example, the KGC key generation algorithm is as follows: Input: Security parameters .

[0028] Output: KGC key pair .

[0029] step: (1) Select NTRU parameters ,in The KEM module should be matched with the collaborative deployment module; preferably, this invention... , ; (2) Call the NTRU trapdoor generator (preferably the ring NTRU trapdoor generation method of Antrag / MITaka class) to generate short polynomial quadruples. ,set up , ; (3) This serves as the system's master public key, which is distributed to all verifiers.

[0030] As described in step S120, a user signature key pair is generated according to a preset working mode. The working mode includes a managed mode and an unmanaged mode. The user signature key pair includes a user signature public key and a user signature private key.

[0031] It should be noted that the choice can be made flexibly based on the security requirements and resource conditions of different application scenarios. The non-custodial mode eliminates the key escrow defects of traditional identifier signing at its architectural root, meeting the stringent non-repudiation requirements of high-security scenarios such as judicial evidence preservation and financial transactions. The custodial mode, on the other hand, is suitable for the deployment needs of resource-constrained devices such as IoT terminals and edge computing nodes, with key generation and management handled centrally by a key generation center, reducing the computational burden and maintenance costs of terminal devices. Both modes share the same set of system parameters and verification processes, and can run in parallel within the same system without interference.

[0032] In one embodiment of the present invention, the specific process of step S120, "generating a user signature key pair according to a preset working mode, wherein the working mode includes a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key," can be further explained in conjunction with the following description.

[0033] As described in the following steps, when the preset working mode is unmanaged mode, a user signature key pair is generated independently in the local security domain, and the user signature private key is stored in the local security domain; It should be noted that the local security domain can be protected by operating system security mechanisms, trusted platform modules, hardware security modules, or security elements, ensuring that the user's signing private key is not stolen by malware or physical attacks throughout its entire lifecycle of generation, storage, and use. The user's signing private key is only used locally to generate application message signatures and is never transmitted externally through any network interface, nor disclosed to the key generation center or any third party. The key generation center cannot obtain the user's signing private key throughout the entire system lifecycle, therefore it has no ability to forge any user signature, fundamentally guaranteeing the legal non-repudiation of the signature. Furthermore, the user's signing key pair is independent of the identity decapsulation key of the collaboratively deployed identification key encapsulation mechanism, allowing users to update their signing key pair independently as needed without re-registering their encrypted identity.

[0034] As an example, the process of a user generating a signature key pair locally in an unmanaged mode can be represented as follows: Input: System parameters .

[0035] Output: User key pair and its decomposition form .

[0036] step: (1) The user independently calls the NTRU trapdoor generator to generate short polynomial quadruples locally. ,set up , ; (2) According to the predetermined splitting rules Will Encode and segment:

[0037] in Length is bytes (default value equal to the maximum recoverable payload length of this signature scheme in MRM mode, preferred) bytes, meaning filling the entire MRM slot. The remaining part; (3) When registering with KGC, users only submit [the necessary information]. , KGC remains on the user's side at all times and is never touched throughout its entire lifecycle. .

[0038] User signing private key Generated locally by the user and never uploaded, even if KGC is completely compromised, it is impossible to forge a legitimate signature for any user message.

[0039] As described in the following steps, when the preset working mode is managed mode, a user signature key pair is generated through the key generation center, and the user signature private key is sent to the local machine; It should be noted that the managed mode is suitable for low-power IoT devices and embedded terminals with limited computing power that cannot independently perform key generation operations. The key generation center uses the exact same cryptographic algorithm as the unmanaged mode to generate user signature key pairs, ensuring consistent key security in both modes. After generation, the key generation center distributes the user signature private key to the corresponding terminal device through a pre-established encrypted secure channel. The private key remains encrypted throughout the transmission process to prevent theft by man-in-the-middle attacks. The key generation center provides unified lifecycle management for all keys in the managed mode, including key generation, distribution, updating, and revocation, significantly reducing the operational complexity of large-scale terminal deployments.

[0040] As described in step S130, the user identity information and the user signature public key are submitted to the key generation center, and an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key, is received.

[0041] It's important to note that the identity-binding signature is the core credential of this scheme, functioning equivalent to a digital certificate in traditional public key infrastructure (PKI), but smaller and more efficient in verification. Unlike traditional certificates that only contain a plaintext binding of the public key and identity information, this scheme's identity-binding signature uses message recovery technology to hide part of the user's public key within the signature, eliminating the need to explicitly transmit the complete user public key, thus achieving bandwidth compression at the credential layer. The key generation center is only responsible for verifying the legitimacy of the user's identity and issuing the identity-binding signature; it does not participate in the generation of the user's signature private key. Therefore, even if the key generation center is compromised by an attacker, the attacker cannot forge any legitimate user's application message signature.

[0042] In one embodiment of the present invention, the specific process of step S130, which involves "submitting the user identity information and the user signature public key to the key generation center and receiving an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key," can be further explained in conjunction with the following description.

[0043] As described in the following steps, submit user identity information and user signature public key to the key generation center; the key generation center verifies the legality of the user identity information, and after the verification is passed, the key generation center uses the system master private key it holds to generate an identity binding signature using the message recovery signature mode; It should be noted that the key generation center interfaces with the enterprise's internal identity management system, the operator's real-name authentication system, or a third-party trusted identity service to strictly verify the legality and uniqueness of the identity information submitted by users. This ensures that the same identity information corresponds to only one legitimate user signature public key throughout the system's lifecycle, preventing identity impersonation and replay attacks. After successful verification, the key generation center generates an identity-bound signature using a message recovery signature mode. This mode embeds part of the message to be signed into the signature, significantly reducing the amount of data that needs to be transmitted without compromising security.

[0044] As described in the following steps, receive the identity binding signature issued by the key generation center, wherein the identity binding signature contains a recoverable portion of the user's signature public key; It should be noted that the recoverable portion of the user signature public key hidden within the identity binding signature is crucial for achieving bandwidth compression at the credential layer. During the verification process of the identity binding signature, the verifier can automatically recover this recoverable portion from within the signature, and then concatenate it with the explicitly transmitted portion of the user signature public key to obtain the complete user signature public key.

[0045] In one embodiment of the present invention, the specific process of step "generating an identity binding signature using message recovery signature mode" can be further explained in conjunction with the following description.

[0046] As described in the following steps, the user signature public key is split into a first recoverable portion and a first explicit portion; It should be noted that the splitting rules for the user signing public key are predefined in the system's standardized parameters, and all participants must strictly adhere to them. The length of the first recoverable part is exactly equal to the maximum recoverable payload of the message recovery signature mode, achieving the theoretical maximization of credential layer compression efficiency without any wasted slot resources. The first explicit part consists of the remaining bytes of the user signing public key, used to bind it with the user's identity information and participate in subsequent challenge hash operations. This splitting method ensures that the two parts of the user signing public key form an inseparable binding relationship with the user's identity information, preventing attackers from forging a legitimate identity-bound signature by replacing either part.

[0047] As an example, the user's public key is split as follows:

[0048] in, For the complete user public key, The recoverable portion of the user's public key. The explicit part of the user's public key. This indicates a byte concatenation operation. The recoverable portion has a fixed length of Lr = N / 8, which precisely fills the maximum recoverable payload slot of the Message Recovery Mode (MRM), theoretically maximizing the compression efficiency at the credential layer without wasting any slot resources. The explicit portion consists of the remaining bytes of the user's public key, used to bind to the user's identity and participate in subsequent challenge hash operations. Different security levels (N = 512, 768, 1024) correspond to different split lengths, ensuring optimal compression performance at each security level.

[0049] As described in the following steps, a first explicit message is generated using the user identity information and the first explicit portion; It should be noted that the first explicit message is constructed by concatenating the user's identity information and the first explicit part in a fixed order. This concatenation order is written into the system's standardized parameters, which all participants must strictly adhere to. This construction method ensures a strong binding relationship between the user's identity information and the recoverable and explicit parts of the user's signing public key. Any tampering with the identity information or public key will cause subsequent signature verification to fail, thus fundamentally defending against public key substitution attacks and identity forgery attacks.

[0050] As described in the following steps, a domain separation tag and a timestamp are added to the explicit message to generate a second explicit message. The domain separation tag is used to distinguish the operational context of this protocol from other cryptographic protocols, and the timestamp is used to limit the validity period of the identity binding signature. It's important to note that the domain separation tag is a globally unique, fixed string. Adding this tag to hash operations clearly distinguishes the computational context of this protocol from other cryptographic protocols, fundamentally preventing cross-protocol replay attacks and preventing attackers from reusing legitimate signatures generated in other protocols within this protocol. The timestamp records the issuance time and expiration time of the identity-bound signature. This not only prevents the signature from being replayed indefinitely but also implements an automatic signature expiration mechanism, eliminating the need to maintain a complex identity-bound signature revocation list and significantly reducing system maintenance costs.

[0051] As described in the following steps, a signature operation is performed on the system master private key containing the second explicit message and the first recoverable part to generate an identity binding signature with anti-replay and anti-cross-protocol attack capabilities.

[0052] It should be noted that this signature operation is based on the NTRU lattice cryptographic algorithm, which possesses long-term resistance to quantum computing attacks. The system's master private key is the only key capable of generating legitimate identity-bound signatures and is strictly stored by the key generation center. The generated identity-bound signature simultaneously provides identity authentication, public key transmission, and message recovery functions. The verifier only needs a single signature verification operation to simultaneously complete identity verification and the recovery of the complete user's public key, significantly improving verification efficiency.

[0053] As an example, the identity binding signature is generated as follows:

[0054] in, Generate a central private key for the key. For credential layer recoverable messages (i.e., the recoverable portion of the user's public key) , For explicit messages at the credential layer (i.e., user identity identifiers) With the explicit part of the user's public key (a string of spliced ​​parts).

[0055] The identity binding signature contains a recoverable portion of the user's public key. The verifier only needs the system's master public key, the identity binding signature, and the explicit message. This allows the complete user public key to be recovered from the identity-bound signature. Unlike traditional certificate signing, which only generates a signature value, the identity-bound signature generated in this step serves the dual functions of signature verification and information recovery. Furthermore, the preimage sampling operation in this step also operates on a negative cyclic polynomial ring with modulus q=3329, allowing direct reuse of the core arithmetic operators of the IBKEM system and ensuring consistency in the algorithm's backend.

[0056] As described in step S140, a user message signature is generated using the user signature private key and the application message to be authenticated, and a signature transmission object is generated using the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature.

[0057] It should be noted that the user message signature is independently generated locally by the user using their own signing private key. The key generation center and any third party cannot participate in or interfere with this process, further strengthening the unmanaged and non-repudiable nature of this scheme. This step also uses the message recovery signature mode to generate the user message signature, forming a two-layer collaborative compression architecture with the message recovery compression at the credential layer, jointly achieving a significant reduction in overall transmission size. The generated signature transmission object is a standardized binary data packet, which can be directly transmitted to the verifier via any network protocol.

[0058] In one embodiment of the present invention, the specific process of step S140, which involves "submitting the user identity information and the user signature public key to the key generation center and receiving an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key," can be further explained in conjunction with the following description.

[0059] As described in the following steps, obtain the application message to be authenticated, and generate a user message signature using the message recovery signature mode with the user signature private key. The user message signature contains a recoverable part of the application message. It should be noted that the application message to be authenticated can be any binary data, supporting various formats such as text, file hash values, transaction data, contract content, and identity authentication information, with no length limit. When the application message length is less than or equal to the maximum recoverable load of the message recovery mode, the entire application message can be hidden as a recoverable part within the user message signature. In this case, no application message data needs to be transmitted; only the signature needs to be transmitted to complete message authentication and transmission, achieving ultimate transmission compression. When the application message length exceeds the maximum recoverable load, the first Lr bytes are taken as the recoverable part, and the remaining part is transmitted as the explicit part.

[0060] As an example, the application message is split in the following way:

[0061] in, For the complete application message to be signed, For the recoverable portion of the application message, This is the explicit part of the application message.

[0062] The user signature is generated in the following way:

[0063] SKU is the user's private key for signing. For user-level recoverable messages (i.e., the recoverable portion of application messages) ) For user-level explicit messages (i.e., the application message explicit part) The user's private key performs preimage sampling on the constructed user-layer message to generate a short vector-based user signature. This signature hides the recoverable portion of the application message. When verifying the signature, the verifier can recover this recoverable portion of the application message from the user signature without explicitly transmitting it. Simultaneously, the user signature implicitly includes the association information of the identity public key bound to the credential, ensuring that the signature can only be used with the corresponding identity public key bound credential and preventing the signature from being copied and used under other authentication credentials.

[0064] As described in the following steps, the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature are concatenated to generate a signature transmission object.

[0065] It should be noted that the signature transmission object is assembled using a fixed binary format. The length and order of each component are predefined in the system's standardized parameters, allowing the verifier to quickly parse each component based on this format. The signature transmission object in this scheme only contains the identity binding signature, the explicit portion of the user's public key, the user message signature, and an optional explicit portion of the application message. Under NIST Level 1 security, the total size does not exceed 1800 bytes, a reduction of at least 20% compared to traditional schemes, significantly lowering bandwidth consumption and storage costs.

[0066] In one embodiment of the present invention, it further includes: When the verifier is unaware of the user's identity information or the application message has an explicit portion, the user's identity information or the explicit portion of the application message is appended to the signature transmission object.

[0067] It should be noted that the transmitted content can be dynamically adjusted based on the verifier's context information. When the verifier already knows the signer's identity through out-of-band channels such as session establishment, TLS handshake, and identity directory lookup, the user's identity information does not need to be sent along with the signature transmission object. When the application message is entirely hidden within the user message signature, the explicit part of the application message also does not need to be transmitted. In the optimal case, only the basic signature transmission object needs to be transmitted to complete the full authentication and message verification, further improving transmission efficiency in bandwidth-constrained scenarios.

[0068] In a specific implementation, the transmission size comparison data for different schemes is shown in the table below:

[0069] In one embodiment of the present invention, a post-quantum certificateless signature verification method is also proposed. This verification method is used to verify signatures generated by any of the methods described above. The verifier in the verification method holds the system master public key generated by the key generation center. The method includes the following steps: S310. Obtain the signature transmission object to be verified; wherein, the signature transmission object includes the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature; It should be noted that the signed transmission object adopts a standardized binary encoding format. The length, order, and offset of each component are predefined in the system's standardized parameters. The verifier can quickly parse all components using a fixed offset, without the need for complex format parsing logic. In addition to the mandatory components, the signed transmission object can selectively append user identity information and explicit application message portions based on the actual transmission scenario. When the verifier has already obtained the user identity information through out-of-band channels, or when the application message is entirely hidden within the user message signature, the aforementioned optional components can be omitted, further compressing the transmission size. This modular design allows this solution to adapt to different bandwidth conditions and application scenarios.

[0070] As an example, the complete transmission object format of this invention is as follows:

[0071] This format no longer transmits the complete user public key, complete application message, and user identity identifier, achieving ultimate transmission compression. When the authenticator does not know the identity beforehand or the explicit portion of the application message is not empty, it can... and Appended to the transmission object: The rest of the process remains unchanged. This step will perform format validation and integrity checks on the acquired data, discarding data with incorrect formatting or that has been tampered with, to prevent invalid data from entering subsequent verification processes.

[0072] S320. Perform first-level verification on the identity binding signature using the system master public key. After successful verification, recover the recoverable portion of the user signature public key hidden inside the identity binding signature. It's important to note that Level 1 verification is the foundation of trust in the entire verification process. Its core function is to verify the legitimacy of the identity-bound signature and confirm the binding relationship between the user's identity information and the user's signing public key. This solution innovatively combines public key recovery and signature verification into one process. The recoverable portion of the user's signing public key is automatically recovered as a byproduct of the signature verification process, requiring no additional decryption or transmission steps. If Level 1 verification fails, the verifier will immediately terminate all subsequent verification processes and output a verification failure result, avoiding unnecessary computational overhead and improving verification efficiency.

[0073] S330. The complete user signature public key is reconstructed using the explicit transmission portion of the user signature public key and the recoverable portion of the user signature public key. It should be noted that the reconstruction process of the complete user signature public key strictly follows the same splitting and splicing rules as the generation stage, splicing the recoverable part obtained from the first-level verification with the explicit part explicitly transmitted in the signature transmission object in a fixed order. This process requires no additional keys or parameters, only the splitting length defined in the system's standardized parameters.

[0074] As an example, the expression for public key recovery is as follows: = pkKGC( , Where pkKGC is the system master public key, Bind a credential to the public key of the identity to be verified. This is an explicit credential layer message. The authenticator first concatenates the user's identity identifier with the explicit portion of the user's public key to form an explicit credential layer message. Then, using the system master public key, an NTRU verification operation is performed on the identity binding signature bound to the identity public key to recover the recoverable portion of the user's public key from the identity binding signature. After successful verification, the verifier reassembles the recoverable portion and the explicit portion into a complete user public key according to preset splitting rules. .

[0075] S340. Perform a second-level verification on the user message signature using the user signature public key. After successful verification, recover the recoverable part of the application message hidden inside the user message signature and generate a complete application message. It should be noted that the second-level verification verifies the integrity and legitimacy of the application message, ensuring that the message has not been tampered with during transmission and was indeed signed by the user with the corresponding identity. Similar to the first-level verification, the recoverable portion of the application message is also automatically recovered as a byproduct of the user message signature verification process. If the application message length is less than or equal to the maximum recoverable payload of the message recovery mode, the complete application message can be directly recovered from the signature without transmitting any application message data; if the application message length exceeds the maximum recoverable payload, the recovered recoverable portion is concatenated with the explicit application message portion attached to the signature transmission object to obtain the complete application message.

[0076] As an example, the user signature layer verification and message recovery methods are as follows: = (σU, =m(e)) in, For the complete user public key recovered from the above steps, σ U Sign up for the user to be verified. This is an explicit message at the user level. The verifier uses the complete user public key recovered in the previous step to perform an NTRU verification operation on the user signature, recovering the recoverable portion of the application message from within the user signature. After successful verification, the verifier reassembles the recoverable portion and the explicit portion of the application message into a complete application message according to preset splitting rules. When the application message length is less than or equal to the maximum recoverable load of the message recovery mode, the explicit part of the application message is empty. In this case, the verifier only needs to recover the complete application message through the user signature, without transmitting any application message data, thus achieving ultimate transmission compression.

[0077] S350. If both levels of verification pass, it is confirmed that the application message was issued by the user with the corresponding user identity information and has not been tampered with; if either level of verification fails, a verification failure result is output.

[0078] It should be noted that this scheme employs a strict two-level sequential verification logic. Only when both the identity binding signature verification and the user message signature verification pass can the legitimacy of the signature and the integrity of the message be confirmed. Failure at any level of verification indicates that the signature is invalid or the message has been tampered with, and the verifier must immediately reject the signature. In the non-custodial mode, because the user's signature private key is held solely by the user and never disclosed, a signature that passes both levels of verification possesses complete legal non-repudiation and can be directly used as valid legal evidence in scenarios such as judicial preservation, financial transactions, and electronic contracts.

[0079] Example 1: NIST L1 Level DM-CBS-512 Case Parameter configuration: , Both KGC and users use Antrag-MRM instances. fixed byte, byte.

[0080] KGC initialization: KGC calls Antrag in... , The following generation ,release (Approximately 768 bytes)

[0081] User registration: User Alice (identity string "alice@example.com") is generated locally. ,calculate ,according to Divided into (Fill in the MRM slot) and (Explicit part). Alice will Submit to KGC. KGC verifies identity and then calls... Output (Approximately 1134 bytes) and returned to Alice. Throughout the process... Always remain on Alice's local machine.

[0082] Message signature: Alice's message Call generate (Approximately 591 bytes). In a context-bound scenario, the receiver knows Alice's identity and there is no explicit message tail; Alice sends... The total size is approximately 1794 bytes.

[0083] Receiver verification: The receiver first uses... Call ,by recover ,reconstruction ; then use Call recover If both phases are successful, output .

[0084] Effect: Overall Transfer Object 1794 bytes Compared to the Falcon+Falcon baseline (2229 bytes): approximately 20% reduction. Compared to Falcon-MRM + Falcon single-layer MRM (2003 bytes): approximately 10% reduction. The signing key remains entirely on the user's side; KGC has no forgery capability. The underlying algorithms all work in It shares the algorithm backend with ANSA-IBKEM.

[0085] Example 2: NIST L5 Level DM-CBS-1024 Case Parameter configuration: , Both KGC and users use Antrag-MRM instances, and the public key splitting rules are fixed. 128, the actual recoverable payload is 1407 bytes, the explicit part of the public key is 129 bytes, and the rest is the same as in Example 1.

[0086] Effect: Overall Transfer Object 3637 bytes Compared to the Falcon+Falcon baseline (4353 bytes): approximately 16% reduction. Compared to Falcon-MRM + Falcon single-layer MRM (3919 bytes): approximately 7% reduction. Shared with ANSA-IBKEM2 Algorithm backend 8.3 Example 3: End-to-end scenario of co-deployment with ANSA-IBKEM Scenario Description: After the deployment of the internal office system of a government and enterprise, quantum identifier cryptographic secure communication is implemented. KGC simultaneously acts as the issuer of the IBKEM master key and the issuer of the identity-bound signature. User Bob sends an encrypted and signed message to Alice. .

[0087] Deployment and Operation: (1) KGC initialization: Simultaneously generate the ANSA-IBKEM master key pair and the DM-CBS identity binding signature issuance key pair, which are managed independently; (2) Alice and Bob, under the same identity registration process, respectively receive the ANSA-IBKEM extraction key (used for decapsulation) and the DM-CBS certificate. (Used for signing), Alice and Bob's signing private keys are both kept locally; (3) Bob sends a message: First, call ANSA-IBKEM. Generate shared key With ciphertext (Approximately 2944 bytes); then call DM-CBS. right generate (Approximately 1794 bytes); using Derived symmetric key encryption ; (4) After Alice receives the message: first call ANSA-IBKEM. recover And decrypt Then, the two-phase verification of DM-CBS is invoked to recover Bob's public key. And verify .

[0088] Effect: Same identity namespace, same KGC entity, same Algorithm backend; The total cost per message is approximately bytes, far lower than the existing IBKEM + classic CBS combination (approximately byte); Even if KGC is breached, Bob's undeniable commitment to the message remains valid.

[0089] As the device embodiment is basically similar to the method embodiment, the description is relatively simple, and relevant parts can be found in the description of the method embodiment.

[0090] Reference Figure 4 This illustration shows a post-quantum certificateless signature device according to an embodiment of this application. The device is implemented using a system key pair generated by a key generation center. The system key pair includes a system master private key and a system master public key. The device implements the steps of the post-quantum certificateless signature generation method described in any one of the above six claims: include: The acquisition module 410 is used to acquire user identity information and the system master public key; User signature key pair module 420 is used to generate user signature key pairs according to a preset working mode, the working mode including a managed mode and an unmanaged mode, the user signature key pair including a user signature public key and a user signature private key; The identity binding signature module 430 is used to submit the user identity information and the user signature public key to the key generation center, and receive the identity binding signature generated by the system master private key held by the key generation center to prove the binding relationship between the user identity information and the user signature public key. The signature transmission object module 440 is used to generate a user message signature using the user signature private key and the application message to be authenticated, and to generate a signature transmission object using the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature.

[0091] In one embodiment of the present invention, the user signature key pair module 420 includes: The unmanaged mode submodule is used to independently generate user signature key pairs in the local security domain and store the user signature private key in the local security domain when the preset working mode is unmanaged mode. The managed mode submodule is used to generate user signature key pairs through the key generation center and distribute the user signature private key to the local machine when the preset working mode is managed mode.

[0092] In one embodiment of the present invention, the identity binding signature module 430 includes: The identity binding signature generation submodule is used to submit user identity information and user signature public key to the key generation center; the key generation center verifies the legality of the user identity information, and after the verification is passed, the key generation center uses the system master private key it holds to generate an identity binding signature using the message recovery signature mode; The identity binding signature receiving submodule is used to receive the identity binding signature issued by the key generation center. The identity binding signature contains a recoverable part of the user's signature public key.

[0093] In one embodiment of the present invention, the identity binding signature generation submodule includes: The user signature public key splitting unit is used to split the user signature public key into a first recoverable part and a first explicit part; The first explicit message unit is used to generate a first explicit message using the user identity information and the first explicit part; The second explicit message unit is used to add a domain separation tag and a timestamp to the explicit message to generate a second explicit message. The domain separation tag is used to distinguish the operation context of this protocol from other cryptographic protocols, and the timestamp is used to limit the validity period of the identity binding signature. The signature operation unit is used to perform signature operation on the second explicit message and the first recoverable part using the system master private key, and generate an identity binding signature with anti-replay and anti-cross-protocol attack capabilities.

[0094] In one embodiment of the present invention, the signature transmission object module 440 includes: The user message signature submodule is used to obtain the application message to be authenticated and generate a user message signature using the message recovery signature mode through the user signature private key. The user message signature contains the recoverable part of the application message. The signature transmission object submodule is used to concatenate the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature to generate a signature transmission object.

[0095] In one embodiment of the present invention, it further includes: The splicing submodule is used to append the user identity information or the explicit part of the application message to the signature transmission object when the verifier does not know the user identity information or the application message has an explicit part.

[0096] Reference Figure 5 This illustration shows a post-quantum certificateless signature verification device according to an embodiment of this application, the device being used to verify certificateless signatures generated by the method described in any of the preceding claims: include: The signature transmission object acquisition module 510 is used to acquire the signature transmission object to be verified; wherein, the signature transmission object includes an identity binding signature, an explicit transmission part of the user signature public key, and a user message signature; The first-level verification module 520 is used to perform first-level verification on the identity binding signature using the system master public key. After successful verification, the recoverable part of the user signature public key hidden inside the identity binding signature is recovered. The user signature public key reconstruction module 530 is used to reconstruct the complete user signature public key from the explicit transmission part of the user signature public key and the recoverable part of the user signature public key; The second-level verification module 540 is used to perform second-level verification on the user message signature using the user signature public key. After successful verification, the recoverable part of the application message hidden inside the user message signature is recovered, and a complete application message is generated. The verification result module 550 is used to confirm that the application message was issued by the user with the corresponding user identity information and has not been tampered with if both levels of verification pass; if either level of verification fails, a verification failure result is output.

[0097] Reference Figure 6 The diagram illustrates a computer apparatus for implementing a post-quantum certificateless signature generation method of the present invention, which may specifically include the following: The aforementioned computer device 1 is in the form of a general-purpose computing device. The components of the computer device 1 may include, but are not limited to: one or more processors or processing units 3, memory 8, and a bus 4 connecting different system components (including memory 8 and processing unit 3).

[0098] Bus 4 represents one or more of several bus architectures, including memory buses or memory controllers, peripheral buses, graphics acceleration ports, processors, or local buses using any of the various bus architectures. For example, these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the Enhanced ISA bus, the Audio / Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.

[0099] Computer device 1 typically includes a variety of computer system readable media. These media can be any available media that can be accessed by computer device 1, including volatile and non-volatile media, removable and non-removable media.

[0100] Memory 8 may include computer system readable media in the form of volatile memory, such as random access memory 9 and / or cache memory 10. Computer device 1 may further include other removable / non-removable, volatile / non-volatile computer system storage media. By way of example only, storage system 11 may be used to read and write non-removable, non-volatile magnetic media (commonly referred to as a "hard disk drive"). Although Figure 6As not shown, a disk drive for reading and writing to a removable non-volatile disk (such as a "floppy disk") and an optical disk drive for reading and writing to a removable non-volatile optical disk (such as a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 4 via one or more data media interfaces. The memory may include at least one program product having a set (e.g., at least one) of program modules 13 configured to perform the functions of the embodiments of this application.

[0101] A program / utility 12 having a set (at least one) of program modules 13 may be stored, for example, in memory. Such program modules 13 include—but are not limited to—an operating system, one or more application programs, other program modules 13, and program data. Each or some combination of these examples may include an implementation of a network environment. Program modules 13 typically perform the functions and / or methods described in the embodiments of this application.

[0102] Computer device 1 can also communicate with one or more external devices 2 (e.g., keyboard, pointing device, monitor 7, camera, etc.), and with one or more devices that enable an operator to interact with computer device 1, and / or with any device that enables computer device 1 to communicate with one or more other computing devices (e.g., network card, modem, etc.). This communication can be performed through I / O interface 6. Furthermore, computer device 1 can communicate with one or more networks (e.g., local area network (LAN)), wide area network (WAN), and / or public networks (e.g., the Internet) through network adapter 5, and can also exchange data via medical data network protocols such as ICD protocol, DICOM protocol, and HL7 protocol. Figure 6 As shown, network adapter 5 communicates with other modules of computer device 1 via bus 4. It should be understood that, although... Figure 6 Not shown, it can be combined with computer device 1 to use other hardware and / or software modules, including but not limited to: microcode, device drivers, redundant processing unit 3, external disk drive array, RAID system, tape drive and data backup storage system 11, etc.

[0103] The processing unit 3 executes various functional applications and data processing by running programs stored in memory 8, such as implementing a post-quantum certificateless signature generation method provided in the embodiments of this application.

[0104] That is, when the above-mentioned processing unit 3 executes the above-mentioned program, it achieves the following: obtaining user identity information and the system master public key; A user signature key pair is generated according to a preset working mode, the working mode including a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key; Submit the user identity information and the user signature public key to the key generation center, and receive an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; A user message signature is generated by combining the user's private key with the application message to be authenticated, and a signature transmission object is generated by combining the identity binding signature, the explicit transmission portion of the user's public key, and the user message signature.

[0105] In this application embodiment, the application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements a post-quantum certificateless signature generation method as provided in all embodiments of the application.

[0106] That is, when the program is executed by the processor, it shall achieve the following: obtaining user identity information and the system master public key; A user signature key pair is generated according to a preset working mode, the working mode including a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key; Submit the user identity information and the user signature public key to the key generation center, and receive an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; A user message signature is generated by combining the user's private key with the application message to be authenticated, and a signature transmission object is generated by combining the identity binding signature, the explicit transmission portion of the user's public key, and the user message signature.

[0107] Any combination of one or more computer-readable media may be used. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium can be, for example—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, optical storage device, magnetic storage device, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device.

[0108] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals may take various forms, including—but not limited to—electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media may also be any computer-readable medium other than computer-readable storage media, capable of transmitting, propagating, or transmitting programs for use by or in connection with an instruction execution system, apparatus, or device.

[0109] Computer program code for performing the operations of this application can be written in one or more programming languages ​​or a combination thereof. These programming languages ​​include object-oriented programming languages—such as Java, Smalltalk, and C++—and conventional procedural programming languages—such as the "C" language or similar programming languages. The program code can be executed entirely on the operator's computer, partially on the operator's computer, as a standalone software package, partially on the operator's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the operator's computer via any type of network—including a local area network (LAN) or wide area network (WAN) that is compatible with medical network standards such as HL7 for HIS, RIS, and LIS systems—or it can be connected to an external computer (e.g., via the Internet using an Internet service provider). The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably.

[0110] Although preferred embodiments of the present application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the embodiments of the present application.

[0111] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.

[0112] The above provides a detailed description of the post-quantum certificateless signature generation method, verification method, and apparatus provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A method for generating certificateless signatures in the post-quantum era, characterized in that, The method is implemented using a system key pair generated by a key generation center. The system key pair includes a system master private key and a system master public key, and includes the following steps: Obtain user identity information and the system's master public key; A user signature key pair is generated according to a preset working mode, the working mode including a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key; Submit the user identity information and the user signature public key to the key generation center, and receive an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key; A user message signature is generated by combining the user's private key with the application message to be authenticated, and a signature transmission object is generated by combining the identity binding signature, the explicit transmission portion of the user's public key, and the user message signature.

2. The generation method according to claim 1, characterized in that, The step of generating a user signature key pair according to a preset working mode, wherein the working mode includes a managed mode and an unmanaged mode, and the user signature key pair includes a user signature public key and a user signature private key, includes: When the default working mode is unmanaged mode, user signature key pairs are generated independently in the local security domain, and the user signature private key is stored in the local security domain. When the default working mode is managed mode, the user signature key pair is generated through the key generation center, and the user signature private key is sent to the local machine.

3. The generation method according to claim 1, characterized in that, The step of submitting the user identity information and the user signature public key to the key generation center, and receiving an identity binding signature generated by the system master private key held by the key generation center, proving the binding relationship between the user identity information and the user signature public key, includes: Submit user identity information and user signature public key to the key generation center; the key generation center verifies the legality of the user identity information, and after verification, the key generation center uses the system master private key it holds to generate an identity binding signature using the message recovery signature mode; Receive the identity binding signature issued by the key generation center, the identity binding signature containing a recoverable part of the user's signature public key.

4. The generation method according to claim 3, characterized in that, The step of generating an identity binding signature using the message recovery signature mode includes: The user-signed public key is split into a first recoverable part and a first explicit part; A first explicit message is generated using the user's identity information and the first explicit portion; A second explicit message is generated by adding a domain separation tag and a timestamp to the explicit message. The domain separation tag is used to distinguish the operation context of this protocol from other cryptographic protocols, and the timestamp is used to limit the validity period of the identity binding signature. The system master private key is used to perform a signature operation on the second explicit message and the first recoverable part to generate an identity binding signature with anti-replay and anti-cross-protocol attack capabilities.

5. The generation method according to claim 1, characterized in that, The step of generating a user message signature using the user signature private key and the application message to be authenticated, and then transmitting the signature transmission object generated by the identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature, includes: Obtain the application message to be authenticated, and generate a user message signature using the message recovery signature mode with the user signature private key. The user message signature contains a recoverable part of the application message. The identity binding signature, the explicit transmission portion of the user signature public key, and the user message signature are concatenated to generate a signature transmission object.

6. The generation method according to claim 1, characterized in that, Also includes: When the verifier is unaware of the user's identity information or the application message has an explicit portion, the user's identity information or the explicit portion of the application message is appended to the signature transmission object.

7. A post-quantum certificateless signature verification method, characterized in that, The verification method is used to verify the signature generated by the method according to any one of claims 1-6, wherein the verifier of the verification method holds the system master public key generated by the key generation center, and includes the following steps: Obtain the signature transmission object to be verified; wherein, the signature transmission object includes the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature; The first-level verification is performed on the identity binding signature using the system master public key. After successful verification, the recoverable portion of the user signature public key hidden inside the identity binding signature is recovered. The complete user signature public key can be reconstructed by the explicit transmission portion of the user signature public key and the recoverable portion of the user signature public key; The user message signature is subjected to a second-level verification using the user signature public key. After successful verification, the recoverable part of the application message hidden inside the user message signature is recovered, and a complete application message is generated. If both levels of verification pass, it confirms that the application message was issued by the user with the corresponding user identity information and has not been tampered with; if either level of verification fails, a verification failure result is output.

8. A post-quantum certificateless signature device, characterized in that, The device implements a system key pair generated by a key generation center, the system key pair including a system master private key and a system master public key, and the device implements the steps of the post-quantum certificateless signature generation method as described in any one of claims 1-6: include: The acquisition module is used to acquire user identity information and the system's master public key; The user signature key pair module is used to generate user signature key pairs according to a preset working mode, including a managed mode and an unmanaged mode. The user signature key pair includes a user signature public key and a user signature private key. The identity binding signature module is used to submit the user's identity information and the user's signature public key to the key generation center, and to receive an identity binding signature generated by the system master private key held by the key generation center, which proves the binding relationship between the user's identity information and the user's signature public key. The signature transmission object module is used to generate a user message signature using the user signature private key and the application message to be authenticated, and to generate a signature transmission object using the identity binding signature, the explicit transmission part of the user signature public key, and the user message signature.

9. A computer electronic device, characterized in that, It includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the computer program, when executed by the processor, implements the method as described in any one of claims 1 to 6.

10. A computer-readable storage medium, characterized in that, A computer program is stored on the computer-readable storage medium, which, when executed by a processor, implements the method as described in any one of claims 1 to 6.