Ring-based signature scheme
First Claim
1. A method of generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
- selecting relatively prime ideals p and q of a ring R;
selecting a private key including one or more private key polynomials of the ring R;
generating a public key using the private key and the second ideal q;
generating one or more message polynomials based on the message;
generating the digital signature polynomials using at least the following elements;
(a) at least one of the message polynomials;
(b) at least one of the private key polynomials; and
(c) at least one of the ideals p and q;
wherein the digital signature polynomials in unreduced form are not multiples of the private key polynomials in the ring R; and
verifying the digital signature at least by confirming that a deviation between at least one of the message polynomials and at least one of the digital signature polynomials is less than a predetermined deviation threshold.
2 Assignments
0 Petitions
Accused Products
Abstract
A method and system for generating and verifying a digital signature of a message is provided. The digital signature includes digital signature polynomials. Two relatively prime ideals p and q of a ring R are selected. A private key and the second ideal q are used to generate a public key. One or more message polynomials are generated based on the message to be signed. The digital signature polynomials are generated using at least one of the message polynomials, at least one of the private key polynomials, and at least one of the ideals p and q, wherein the digital signature polynomials in unreduced form are not multiples of the private key polynomials in the ring R. The signature is then verified by confirming that a deviation between at least one of the message polynomials and at least one of the digital signature polynomials is less than a predetermined deviation threshold.
-
Citations
57 Claims
-
1. A method of generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
-
selecting relatively prime ideals p and q of a ring R;
selecting a private key including one or more private key polynomials of the ring R;
generating a public key using the private key and the second ideal q;
generating one or more message polynomials based on the message;
generating the digital signature polynomials using at least the following elements;
(a) at least one of the message polynomials;
(b) at least one of the private key polynomials; and
(c) at least one of the ideals p and q;
wherein the digital signature polynomials in unreduced form are not multiples of the private key polynomials in the ring R; and
verifying the digital signature at least by confirming that a deviation between at least one of the message polynomials and at least one of the digital signature polynomials is less than a predetermined deviation threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
-
selecting relatively prime ideals p and q of a ring R;
selecting a private key including one or more private key polynomials of the ring R;
generating a public key using the private key and the second ideal q;
generating one or more message polynomials based on the message;
generating the digital signature polynomials using at least the following elements;
(a) at least one of the message polynomials;
(b) at least one of the private key polynomials; and
(c) at least one of the ideals p and q; and
verifying the digital signature at least by confirming that a norm associated with at least one of the digital signature polynomials is less than a predetermined norm threshold. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. A method of generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
-
selecting ideals p and q of a ring R;
selecting a private key including one or more private key polynomials of the ring R;
generating a public key using the private key and the second ideal q;
generating one or more message polynomials based on the message;
selecting auxiliary multiple-use private information;
generating the digital signature polynomials using at least the following elements;
(a) at least one of the message polynomials;
(b) at least one of the private key polynomials;
(c) at least one of the ideals p and q; and
(d) the auxiliary multiple-use private information; and
verifying the digital signature at least by confirming that the digital signature polynomials and the public key satisfy a predetermined relationship. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A method of generating and verifying a digital signature of a message, wherein the digital signature includes two digital signature polynomials u and v, comprising:
-
selecting relatively prime ideals p and q of a ring R=[X]/(XN−
1), where Nis an integer greater than 1;
selecting a private key including two private key polynomials, f and g of the ring R;
computing a public key h=*g(mod q);
generating one or more message polynomials m using the message;
selecting a first intermediate private polynomial s and a second intermediate private polynomial t such that s*h=t and such that s and t are substantially congruent modulo p;
selecting a third intermediate private polynomial a so as to minimize the number of deviations between one of the message polynomials m and a quantity t+a*g(mod q);
computing the first digital signature polynomial u=s+a*f(mod q);
computing the second digital signature polynomial v=t+a*g(modq); and
verifying the digital signature at least by confirming that a first deviation between one or more of the message polynomials m and the first digital signature polynomial u is less than a predetermined deviation threshold, and that a second deviation between one or more of the message polynomials m and the second digital signature polynomial v is less than the predetermined deviation threshold. - View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
-
-
35. A method of generating and verifying a digital signature of a message, wherein the digital signature includes two digital signature polynomials u and v, comprising the steps of:
-
selecting relatively prime ideals p and q of a ring R=[X](XN−
1), where N is an integer greater than 1;
selecting a private key including two private key polynomials, f and g of the ring R;
computing a public key h=fq−
1*g(mod q);
generating one or more message polynomials m using the message;
selecting a random polynomial r;
computing a first intermediate polynomial t=r*h(mod q);
selecting a second intermediate polynomial a such that a has a Euclidean norm on the order of {square root}{square root over (N)} and so as to minimize the number of deviations between a message polynomial m and a quantity t+a*g(mod q);
computing the first digital signature polynomial u=r+a*f(mod q);
computing the second digital signature polynomial v=t+a*g(mod q); and
verifying the digital signature at least by confirming that a Euclidean norm of the first digital signature polynomial u is on the order of N, and that a deviation between the message m and the second digital signature polynomial v is less than or equal to a predetermined deviation threshold. - View Dependent Claims (36, 37, 38, 39, 40, 41)
-
-
42. A method of generating and verifying a digital signature of a message, wherein the digital signature includes four digital signature polynomials u1, v1, u2, and v2, comprising the steps of:
-
selecting relatively prime ideals p and q of a ring R=[X](XN−
1), where N is an integer greater than 1;
computing a public key h=fq−
1*g(mod q);
selecting a one-time private key including a one-time private key polynomial e of the ring R;
generating a pair of one-time public key polynomials h1 and h2, wherein h1=f−
1*e(mod q) and h2=g−
1*e(mod q);
selecting a first random polynomial r1;
computing a first intermediate polynomial t1=r1*h1 (mod q);
selecting a second intermediate polynomial a1 such that the Euclidean norm of a1 is on the order of {square root}{square root over (N)} and so as to minimize the number of deviations between one of the message polynomials m and the quantify t1+a1*e(mod q);
computing the first digital signature polynomial u1=r1+a1*f(mod q);
computing the second digital signature polynomial v1=t1+a1*e(mod q);
selecting a second random polynomial r2;
computing a third intermediate polynomial t2=r2*h2(mod q);
selecting a second intermediate polynomial a1 such that the Euclidean norm of a2 is on the order of {square root}{square root over (N)} and so as to minimize the number of deviations between one of the message polynomials m and the quantify t2+a2*e(mod q);
computing the third digital signature polynomial u2=r2+a2*g(mod q);
computing the fourth digital signature polynomial v2=t2+a2*e(mod q); and
verifying the digital signature at least by confirming that a Euclidean norm of each of the first and third digital signature polynomials u1 and u2 is on the order of N, and that a deviation between the message m and each of the second and fourth digital signature polynomials v1 and v2 is less than or equal to a predetermined deviation threshold. - View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
-
-
55. An apparatus for generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
-
a memory for storing ideals p and q of the ring R and a private key including one or more private key polynomials of the ring R; and
a processor operable to generate one or more message polynomials based on the message, to generate the digital signature polynomials using at least one of the message polynomials, at least one of the private key polynomials, and at least one of the ideals p and q such that the digital signature polynomials in unreduced form are not multiples of the private key polynomials in the ring R, and to verify the digital signature at least by confirming that a deviation between at least one of the message polynomials and at least one of the digital signature polynomials is less than a predetermined deviation threshold.
-
-
56. An apparatus for generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
-
a memory for storing ideals p and q of the ring R and a private key including one or more private key polynomials of the ring R; and
a processor operable to generate one or more message polynomials based on the message, to generate the digital signature polynomials using at least one of the message polynomials, at least one of the private key polynomials, and at least one of the ideals p and q, and to verify the digital signature at least by confirming that a norm of at least one of the digital signature polynomials is less than a predetermined norm threshold.
-
-
57. An apparatus for generating and verifying a digital signature of a message, wherein the digital signature includes one or more digital signature polynomials, comprising:
a memory for storing ideals p and q of the ring R, a private key including one or more private key polynomials of the ring R, and auxiliary multiple-use private information that is unrelated to the private key; and
Specification