CN103297241B - Close building method is signed in a kind of One-off public key anonymity - Google Patents

Abstract

The invention discloses the anonymity of a kind of One-off public key and sign close building method, the method utilizes computer system to complete One-off public key anonymity and signs close structure, and described computer system comprises user side U _a, user side U _band a trusted party TC, wherein user side U _a, user side U _bwith the intercommunication of trusted party TC; The method is divided into 7 steps; The first step is generation computer system PKI, and second step generates User Part key, and the 3rd step generates user key, and the 4th step generates One-off public key, and the 5th step is the legitimate verification of One-off public key, and the 6th step is that label are close, and the 7th step is that solution is signed close.Method of the present invention has anonymity and traceability compared with the conventional method, effectively can prevent the disposable attack of malicious user and attack from the non-trusted of internal system trusted party simultaneously.Meanwhile, this method also has higher operation efficiency and lower communication overhead compared with the conventional method.

Description

Close building method is signed in a kind of One-off public key anonymity

Technical field

The invention belongs to field of information security technology, be specifically related to the anonymity of a kind of One-off public key and sign close building method.

Background technology

Due to opening and the sharing of network, cause subjecting to various malicious attack, the network user is often faced with as the leakage of the important information such as password, account, loss or the safety problem destroying data integrity in communication transmission process.The sensitive data of protection user transmission, has usually based on modes such as CertPubKey system, identity-based and Proxy Signature.

User U is referred to based on CertPubKey system (CertificateBasedPublicKeyCryptosystem) _iaccording to the private key s of self _icalculate and generate PKI P _i, then to trusted certificates authorization center CA(CerrificateAuthentication) and submit certificate request to, obtain and issue certificate Cert _i.This certificate is by user U _ithe same P of identity _icarry out effectively bind, at least contain the information such as user name, user's public information, the client public key term of validity.CA is responsible for the management of all user certificates, guarantees the validity of certificate.If the sensitive information leakage of user, CA needs the cost regular hour nullify and again issue certificate.Therefore, there is the excessive challenge of certificate management expense based on CertPubKey system, efficiency is not high.

The public-key cryptosystem (IdentityBasedPublicKeyCryptosystem) of identity-based proposes to solve based on CertPubKey system management " bottleneck " problem, main thought be user by the user profile of oneself (such as, user name and network ip address) as oneself PKI, by private key generating center KGC(KeyGenerationCenter) generate corresponding private key.The uniqueness of user profile (such as, the addresses of items of mail of user, telephone number or office number), owing to not needing user certificate that user identity is carried out effectively bind with PKI, just no longer needs certificate of certification.And the private key of user must calculate generation by private key generating center KGC, user therefore just can be avoided to forge the unsafe problems of private key, if namely user self can calculate generation private key, he also just can calculate the private key of other users.But because the private key of all users all leaves in private key generating center KGC, just create the new safety problem of key escrow.In addition, the same identity of Long-Time Service also will expose the sensitive information of user.

Proxy Signature (BlindSignatureSystems) can propose for the tracking of all signature effective informations in order to avoid signer, and its key step is:

(1) user blinds the origination message m that will sign and processes and will blind information m _tsend to signer;

(2) signer is to blinding message m _tsign, blinding signature information is and send to user;

(3) user is first to blinding signature information go to blind, obtain information signature message m '.

In blind signature scheme, signer does not only know all the elements of signature information, does not know the object of oneself signing and time yet, this ensure that the confidentiality of message and the unforgeable of signature.But due to the anonymity controlled of Proxy Signature, the identity of malicious user cannot be determined, bring the chance being engaged in unlawful activities to malicious user.

Therefore, in order to realize the safety of user privacy information, can combine again the identity that trusted party discloses malicious user, document [1] proposes disposable blind PKI thought, utilize RSA and Fiat-Shamir identity verify scheme, construct the disposable blind public key scheme of identity-based mark.Trusted party only need issue a private key to user in scheme, and when each use, user just can generate different PKIs with it.But the program is also dangerous, and disabled user can forge private key and certificate, manufactures signature and cheat.Document [2] proposes the One-off public key system of identity-based, ensure that the irrelevance between the anonymity of user and activity, follow the trail of and disclose the identity of malicious user, but document [3] points out the scheme of document [2] and dangerous, registration and nonregistered user all can forge a signature.Document [4] proposes the One-off public key anonymous authentication scheme in general environment, and demonstrate its fail safe, there is strong anonymity, calculate and the traffic less, but scheme is dangerous under general environment, and recipient faces the threat of the disposable attack of malicious entities.

Such scheme is all signature authentication, and signs confidentiality and non-repudiation that close algorithm just achieves information in a logic step simultaneously, compares with traditional authentication mode, signs closely to have lower communication overhead and less amount of calculation.Document [5] proposes the One-off public key scheme of identity-based based on signing close thought, efficiency is higher, but scheme can not resist the malicious attack of trusted party.

Above-mentioned document [1] is respectively to document [5]:

[1] Zhang Qiupu, Guo Baoan. based on the One-off public key [J] of ID. electronic letters, vol, 2003,31 (5): 769-771.

[2] Zhang Sheng, Xu Guoai, Hu Zhengmin etc. a kind of structure [J] of identity-based One-off public key. electronics and information journal, 2006,28 (8): 1412-1415.

[3] Zhen Honggu, Chen Yue, Li Le etc. the One-off public key analysis of identity-based and reconstruct [J]. computer engineering, 2010,36 (1): 187-189.

[4] Luo Changyuan, Huo Shiwei, Xing Hongzhi. based on the anonymous authentication scheme [J] of One-off public key in general environment. communication journal, 2012,33 (2): 93-98.

[5] Li Yi, Zhang Shaowu, Zhang Yuanyang etc. a kind of new One-off public key system [J]. computer engineering, 2008,34 (7): 168-170.

Summary of the invention

For Problems existing in the middle of above-mentioned prior art, the object of this invention is to provide the anonymity of a kind of One-off public key and sign close building method, exist in solution prior art: there is certificate management expense based on CertPubKey system excessive; The same identity of Long-Time Service will expose the sensitive information of user; Lack traceability, the identity of malicious user cannot be determined; Disabled user can forge private key and certificate, manufactures signature and cheats; Registration and nonregistered user all can forge a signature; Under general environment, recipient faces the threat of the disposable attack of malicious entities; The problems such as the malicious attack of trusted party can not be resisted.

In order to realize above-mentioned task, the technical solution used in the present invention is:

The present invention relates to tripartite altogether, that is: user side U _a, user side U _band a trusted party TC, wherein user side U _a, user side U _bwith the intercommunication of trusted party TC.The method is divided into 7 steps, and the first step generates computer system PKI, and second step generates User Part key, 3rd step generates user key, and the 4th step generates One-off public key, and the 5th step is the legitimate verification of One-off public key, 6th step is that label are close, and the 7th step is that solution is signed close.

A close building method is signed in One-off public key anonymity, and the method utilizes computer system to complete One-off public key anonymity and signs close structure, and described computer system comprises user side U _a, user side U _band a trusted party TC, wherein user side U _a, user side U _bwith the intercommunication of trusted party TC; Described computer system is set up and to user side U _a, user side U _band the open system parameters of trusted party TC, this system parameters comprises: P, q, G ₁, G ₂, H ₁, H ₂, H ₃; Wherein P is a point on elliptic curve, and the equation of this elliptic curve is: y ³=x ³+ ax+b, a and b are constant; G ₁, G ₂for two groups generated by P, G ₁, G ₂rank be prime number q, G ₁for circled addition group, G ₂for circulation multiplicative group, at group G ₁, G ₂middle discrete logarithm problem is double linear problems of difficulty for solving; G ₁, G ₂there is relation as follows:

in formula, for Bilinear map maps;

Described H ₁, H ₂and H ₃for secure hash function, be expressed as follows: H ₁: { 0,1} ^*→ G ₁,

$H_2:\{\mathrm{0,1}{\}}^{*}\×G_1\→Z_q^{*},$ $H_3:\{\mathrm{0,1}{\}}^{*}\→Z_q^{*};$

The method specifically comprises the following steps:

Step one, generates computer system PKI:

Trusted party TC random selecting P ∈ G ₁, and calculate g=sP, wherein g is system PKI and by trusted party TC to user side U _a, user side U _bopen; S is system master key and is preserved by trusted party TC secret;

Step 2, generates User Part key:

1) user side U is remembered _aidentity is ID _a, note user side U _bidentity is ID _b, user side U _arandom selecting calculate Y _a=z _ap, and by identity ID _aand Y _asend to trusted party TC; User side U _bstochastic choice calculate Y _b=z _bp, and by identity ID _band Y _bsend to trusted party TC;

2) utilize the mode of zero-knowledge proof to user side U at trusted party TC _aidentity ID _aand Y _aafter row confirms, trusted party TC random selecting perform X successively ₁=x _ap, X _a=X ₁+ Y _a, Q _a=H ₁(ID _a, X _a), d _a=x _a+ sQ _a, obtain user side U _apart of key d _a, and by d _a, X _asend to user side U _a;

Similarly, trusted party TC utilizes the mode of zero-knowledge proof to user side U _bidentity ID _band Y _bafter confirming, trusted party TC random selecting perform X successively ₂=x _bp, X _b=X ₂+ Y _b, Q _b=H ₁(ID _b, X _b), d _b=x _b+ sQ _b, obtain user side U _bpart of key d _b, and by d _b, X _bsend to user side U _b;

Step 3, generates user key:

User side U _acalculate y _a=z _a+ d _a, judge equation X ₁+ gH ₁(ID _a, X _a)=d _awhether P becomes Rob Roy to verify the part of key that trusted party TC generates; If X ₁+ gH ₁(ID _a, X _a)=d _ap equation is set up, then by y _aas user side U _akey; Otherwise return step 2;

User side U _bcalculate y _b=z _b+ d _b, judge equation X ₂+ gH ₁(ID _b, X _b)=d _bp verifies the part of key that trusted party TC generates; If equation X ₂+ gH ₁(ID _b, X _b)=d _bp sets up, then by y _bas user side U _bkey; Otherwise return step 2;

Step 4, generates One-off public key:

User side U _arandom selecting calculate W _a=ky _ap, V _a=kX _a, K _a=kPQ _a, obtain user side U _aone-off public key < W _a, V _a, K _a>;

User side U _brandom selecting calculate W _b=ly _bp, V _b=lX _b, K _b=lPQ _b, obtain user side U _bone-off public key < W _b, V _b, K _b>;

Step 5, One-off public key legitimate verification:

User side U _bchecking equation: $\hat{e}(V_A,P)\&CenterDot;\hat{e}(K_A,g)=\hat{e}(W_A,P)$ And equation $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ Whether set up, if two equatioies are all set up, then show user side U _apKI and identity legal, otherwise return step 2;

User side U _achecking equation $\hat{e}(V_B,P)\&CenterDot;\hat{e}(K_B,g)=\hat{e}(W_B,P)$ And equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Whether set up, if two equatioies are all set up, then show user side U _bpKI and identity legal, otherwise return step 2;

Step 6, sign close:

User side U _amessage m is carried out label are close sends to user side U _b, detailed process is as follows:

1) user side U _arandom selecting calculate R=rP;

2) user side U _acalculate h=H ₂(R, ID _a, m) and p _a=r/ (z _a+ d _a), wherein, < h, p _a> is the signature to message m;

3) user side U _acalculate t=ky _aw _bwith wherein, c is the encryption to message; Dense civilian σ=< h, p will be signed _a, c > sends to user side U _b;

Step 7, separate label close:

User side U _breceive user side U _aafter the ciphertext sent, carry out solution and sign close operation, detailed process is as follows:

1) user side U _bcalculate t'=ly _bw _a, message recovery

2) user side U _bcalculate R'=p _a(X _a+ gH ₁(ID _a, Y _a)), h'=H ₂(R', ID _a, m);

3) user side U _bjudge, if h'=h sets up, signature verification success is described, user side U _breceipt message, otherwise rejection message.

Method of the present invention has anonymity and traceability compared with the conventional method, effectively can prevent the disposable attack of malicious user and attack from the non-trusted of internal system trusted party simultaneously.Meanwhile, this method also has higher operation efficiency and lower communication overhead compared with the conventional method.

Accompanying drawing explanation

Fig. 1 is the overall flow figure of the inventive method;

Fig. 2 is system PKI generation figure;

Fig. 3 is part of key generation figure;

Fig. 4 is user key generation figure;

Fig. 5 is One-off public key generation figure;

Fig. 6 is for signing close figure;

Fig. 7 signs close figure for separating;

Fig. 8 is performance evaluation figure of the present invention;

Below in conjunction with the drawings and specific embodiments, the present invention is described in detail.

Embodiment

Below in conjunction with the drawings and specific embodiments, technical scheme of the present invention is further elaborated.

One, symbol description

Symbol description involved in literary composition sees the following form 1

Table 1 symbol description

Two, embodiment

In Fig. 3 to Fig. 7, for convenience of explanation, i=A or B in figure, that is:

Symbol description in table 2 Fig. 3 to Fig. 7

As shown in Figure 2: establish G ₁, G ₂be respectively the circled addition group and circulation multiplicative group that are generated by P, P is a point on elliptic curve, and elliptic curve is an algebraic curve, and the equation of this elliptic curve is: y ²=x ³+ ax+b, wherein a, b are constant; This elliptic curve, without singular point, does not have cusp or self intersection.G ₁, G ₂discrete logarithm problem (DLP problem) in group is double linear problems of difficulty for solving, and its rank are prime number q. be that a Bilinear map maps, be expressed as define safe Hash function: H ₁: { 0,1} ^*→ G ₁, trusted party TC random selecting P ∈ G ₁, calculating g=sP, g is system PKI, and s is system master key and secret preservation, open system parameters L EssT.LTssT.LT P, q, G ₁, G ₂, g, H ₁, H ₂, H ₃>.

As shown in Figure 3: suppose user side U _ifor user side U _awith user side U _b.User side U _aidentity is ID _a, user side U _bidentity is ID _b.User side U _arandom selecting calculate Y _a=z _ap, by identity ID _aand Y _asend to trusted party TC.User side U _bstochastic choice calculate Y _b=z _bp, by identity ID _band Y _bsend to trusted party TC.

The mode of trusted party TC zero-knowledge proof is to user side U _aidentity ID _aand Y _aconfirm, namely to Y _ain secret number z _aconfirm, anyly pretend to be user side U _a, because jactitator does not know U _asecret number z _a, just cannot calculate and generate correct Y _avalue.

At trusted party TC to user side U _aidentity ID _aand Y _aafter confirming, trusted party TC random selecting calculate X ₁=x _ap, X _a=X ₁+ Y _a, Q _a=H ₁(ID _a, X _a), d _a=x _a+ sQ _a, and by < d _a, X _a> sends to user side U _a, d _afor user side U _apart of key.In like manner, trusted party TC is to user side U _bidentity and Y _bafter confirming by the mode of zero-knowledge proof, trusted party TC random selecting calculate X ₂=x _bp, X _b=X ₂+ Y _b, Q _b=H ₁(ID _b, X _b), d _b=x _b+ sQ _b, and by < d _b, X _b> sends to user side U _b, d _bfor user side U _bpart of key.Trusted party TC preserves < X _a, Q _a, ID _a> and < X _b, Q _b, ID _b>, respectively as confirmation user side U _awith user side U _bthe backup of identity.

As shown in Figure 4: user side U _acalculate y _a=z _a+ d _a, judge equation X ₁+ gH ₁(ID _a, X _a)=d _ap verifies the part of key that trusted party TC generates, if equation is set up, then by y _aas user side U _akey.User side U _bcalculate y _b=z _b+ d _b, judge equation X ₂+ gH ₁(ID _b, X _b)=d _bp verifies the part of key that trusted party TC generates, if equation is set up, then by y _bas user side U _bkey.

As shown in Figure 5: user side U _arandom selecting calculate W _a=ky _ap, V _a=kX _a, K _a=kPQ _a, user side U _aone-off public key be < W _a, V _a, K _a>.User side U _brandom selecting calculate W _b=ly _bp, V _b=lX _b, K _b=lPQ _b, user side U _bone-off public key be < W _b, V _b, K _b>.

Before label are close, two users need to carry out legitimate verification to the One-off public key of the other side mutually:

1) user side U _aone-off public key legitimate verification

User side U _bneed to verify equation correctness.If correct, then show user side U _aregister at trusted party TC.Proof procedure is as follows:

$\hat{e}(V_A,P)\&CenterDot;\hat{e}(K_A,g)=\hat{e}(k\&CenterDot;X_A,P)\&CenterDot;\hat{e}(k\&CenterDot;Q_A\&CenterDot;P,g)$

$=\hat{e}(k\&CenterDot;(x_A+z_A)P,P)\&CenterDot;\hat{e}(k\&CenterDot;Q_A\&CenterDot;P,\mathrm{sP})$

$=\hat{e}(k\&CenterDot;(x_A+z_A)P,P)\&CenterDot;\hat{e}(k\&CenterDot;s\&CenterDot;Q_A\&CenterDot;P,P)$

$=\hat{e}(k\&CenterDot;(x_A+z_A+s\&CenterDot;Q_A)P,P)$

$=\hat{e}(W_A,P)$

2) in order to ensure trusted party TC where necessary to user side U _atraceability, just in case user side U _afor malicious user, then enough disclose its identity, user side U _balso need to verify equation correctness, if correctly, be then validated user.Proof procedure is as follows:

$\hat{e}(K_A,X_A)=\hat{e}(k\&CenterDot;Q_A\&CenterDot;P,X_A)$

$=\hat{e}(k\&CenterDot;X_A,Q_A\&CenterDot;P)$

$=\hat{e}(V_A,Q_A\&CenterDot;P)$

In like manner, user side U _aalso need user side U _bone-off public key < W _b, V _b, K _b> legitimacy and equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Correctness verify.

As shown in Figure 6: user side U _arandom selecting calculate R=rP successively, h=H ₂(R, ID _a, m), p _a=r/ (z _a+ d _a), then < h, p _a> is the signature to message m.User side U _acalculate t=ky _aw _b, the encryption that to be wherein c be to message.Dense civilian σ=< h, p will be signed _a, c > sends to user side U _b.

As shown in Figure 7: user side U _breceive after signing dense literary composition, calculate t'=ly _bw _a, message recovery user side U _bcalculate R'=p _a(X _a+ gH ₁(ID _a, X _a)), h'=H ₂(R', ID _a, m).If h'=h sets up, signature verification success is described, user's receipt message, otherwise refusal.

Three, security proving of the present invention

(1) correctness proof: after user utilizes the close message σ of label received, carries out solution and signs close operation.

1)t'＝l·y _B·W _A

＝l·y _B·k·y _A·P

＝k·y _A·W _B

＝t

If the result of calculation t ' of this formula=t, then description messages m can be resumed.

2)R'＝p _A(X _A+g·H ₁(ID _A,X _A))

＝r(X _A+g·H ₁(ID _A,X _A))/(x _A+d _A)

＝r(z _AP+x _AP+s·H ₁(ID _A,X _A)·P)/(x _A+d _A)

＝rP(x _A+d _A)/(x _A+d _A)

＝R

If can correctly calculate R '=R, then demonstrate the validity of checking.

(2) Security Proof

1) direct

Traditional based in the CertPubKey system of PKI, CA(CertificateAuthority) be responsible for the certification carrying out this user identity according to the PKI of user's submission, promulgate that related credentials proves the identity of user and the legitimacy of PKI.But the administration overhead of digital signature is excessive, recipient user is before the signature of certification transmit leg user, the certificate first obtaining transmit leg is needed to verify, this means that authentication signature will perform a step more, the efficiency causing certification is not high, especially when in network during authenticated user enormous amount.And scheme trusted party TC in this paper only registers in the identity of system initialization and part of key generation phase participating user and calculates < X _i, Q _i, d _i>, in label close the reconciliations label close stage, trusted party TC does not perform any operation, and user can directly certification, alleviates the burden of trusted party TC, has deleted and the step that certification is unnecessary improve the efficiency of certification.

2) anonymity

Generate the numerical value of One-off public key because user chooses there is randomness, just can ensure the unlinkability of the One-off public key that the user of certification both sides uses at every turn, the same identity of Long-Time Service can not occur and expose the unsafe incidents of the sensitive information of user.Now be illustrated with object lesson.User side U _arandom selecting calculating One-off public key is < W _a, V _a, K _a>.User side U _brandom selecting calculating One-off public key is < W _b, V _b, K _b>.User side U _awith user side U _bonce then will select respectively upper the One-off public key of the different user of random number is also by difference, and therefore, user cannot know the true identity of the other side, ensure that the anonymity of verification process.

3) unforgeable

I) certification two parties cannot be forged One-off public key and be signed dense literary composition

Now be illustrated with object lesson.User side U _aone-off public key < W cannot be forged _a, V _a, K _a> and the dense civilian σ of label.

If user side U _arandom selecting wherein k ≠ k ^*, then calculate v _a=kX _a, forge and generate One-off public key and send it to user side U _b.User side U _bfirst equation is verified correctness, be verified.But due to k ≠ k ^*, user side U _bfind then cannot by checking.User side U _aone-off public key cannot be forged and cheat other users.Therefore, certification two parties all cannot forge oneself One-off public key.

If user side U _aone-off public key < W _a, V _a, K _a> is by checking equation then provable system master key s is contained in PKI W _ain, same by checking equation t=t'=ly _bw _a, also provable system master key s is contained in PKI W _ain, by checking equation R'=p _a(X _a+ gH ₁(ID _a, X _a)), then provable p _aby user side U _ad _agenerate, in legal private key, comprise system master key s, thus forge < h, p _a> is infeasible.Therefore, the transmit leg user in certification cannot forge and sign dense civilian σ.

Ii) disabled user cannot forge One-off public key and sign dense literary composition arbitrarily

If user side U ^*not in TC registration, user side U ^*random selecting k, calculate W ^*=kX ^*+ k ^*gQ ^*, V ^*=kX ^*, K ^*=k ^*pQ ^*, user side U ^*one-off public key is < W ^*, V ^*, K ^*>.First recipient's user side verifies equation correctness, be verified.But due to user side U ^*unregistered, legal private key d cannot be obtained ^*, then p cannot be calculated ^*, also just cannot forge and sign dense civilian σ.

If user side U ^*attempt to forge legal user side U _aone-off public key < W _a, V _a, K _a> and label dense civilian σ, user side U* random selecting calculate W ^*=kW _a, V ^*=k ^*v _a, K ^*=k ^*k _a, user side U* One-off public key is < W ^*, V ^*, K ^*>.User side U _bfirst equation is verified correctness, be verified.But user side U ^*the long-term private z of user cannot be obtained _a, can not forge and effectively sign dense civilian σ.Therefore, any disabled user's end all cannot be forged One-off public key and sign dense literary composition.

4) resist non-trusted to attack

Trusted party TC random selecting calculate g=sP, X ₁=x _ap, Q _a=H ₁(ID _a, X _a), d _a=x _a+ sQ _a, s is system master key, and by < d _a, X _a> sends to user side U _a, d _aas user side U _apart of key.Trusted party TC preserves < X _a, Q _a, ID _a>, as confirmation user side U _athe backup of identity.Trusted party TC chooses calculate W _tC=aW _a, V _tC=aV _a, K _tC=aK _a, the One-off public key of trusted party TC is < W _tC, V _tC, K _tC>.Trusted party TC is by equation checking, to obtain secret value r, just must be calculated by equation R=rP, but this problem is DLP problem, although trusted party TC knows user side U _apart of key d _abut, based on equation Y _a=z _ap obtains the long term keys z of user _a, be a DLP problem too.Because DLP problem is discrete logarithm double linear problems of difficulty for solving on elliptic curve, trusted party TC cannot obtain user key z _a, the identity of malicious user can only be disclosed where necessary as third party, and non-trusted attack can not be initiated.

5) disposable attack is resisted

In this programme, user side U _aby the Y calculated _awith identity ID _asend to trusted party TC together, achieve validated user identity ID by trusted party TC certification _a, then complete first time and recipient's user side U according to algorithm operating _bcommunication.If user side U _afor malicious user, so user side U _awhen second time communication to user side U _blaunch a offensive, user side U _bassociating trusted party TC is by checking equation tracking discloses malicious user end U _atrue identity, register at trusted party TC.User side U _afirst calculate One-off public key and send to recipient user, user side U _bclose Cheng Qian of crossing is signed just to user side U in the close reconciliation of label _aidentity verify, found user side U _afor malicious user, refusal communicates, and has resisted disposable attack.Therefore, although user side U _afor malicious user, but because user side U _bclose Cheng Qian of crossing is signed just to user side U in the close reconciliation of label _aidentity verify, found malicious user identity, therefore this method can resist disposable attack.

6) traceability

Propose a plan according to the present invention, computer system is the rogue activity preventing user, user side U _buser side U is disclosed by cooperation with trusted party TC _aidentity during rogue activity.User side U _bby user side U _a< V _a, K _a> sends to trusted party TC to disclose user side U _atrue identity.Trusted party TC is according to the user side U preserved _aidentity information < X _a, Q _a, ID _a>, checking equation correctness, if by checking; demonstrate user side U _arogue activity promoter.Therefore, under the anonymity prerequisite when ensure that User Activity, scheme can prevent user from carrying out rogue activity.

7) unlinkability

Due to certification two parties end U _a, user side U _bthe random number k at every turn chosen _uthe difference of (U=A or B), the One-off public key < W that user authentication is used _u, V _u, K _u> is also different, and this not only ensure that the independence of the One-off public key that user uses, and also ensure that user carries out the unlinkability between different activity.

Four, invention performance evaluation

The present invention proposes a plan and defines 3 safe Hash function: H at initial phase ₁: { 0,1} ^*→ G ₁, there are 13 point multiplication operations, calculate g=sP, Y during generating portion key respectively at the system PKI at initial phase _a=z _ap, X ₁=x _ap, d _a=x _a+ sQ _a, generate U _aone-off public key < W _a, V _a, K _a>, signs close stage R=rP, p _a=r/ (z _a+ d _a), t=ky _aw _b, separate and sign close stage t'=ly _bw _aand R'=p _a(X _a+ gH ₁(ID _a, X _a)); Authentication of users U _aone-off public key $\hat{e}(V_A,P)\&CenterDot;\hat{e}(K_A,g)=\hat{e}(W_A,P)$ With equation during its identity legitimacy of inspection $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ During checking, have 5 Bilinear map computings.In addition, in invention without exponent arithmetic.

Fig. 8 is for mentioning the Performance comparision of the building method described in document 2 " a kind of structure of identity-based One-off public key ", document 4 " based on the anonymous authentication scheme of One-off public key in general environment ", document 5 " a kind of new One-off public key system " in building method scheme in this paper and background technology.Hash in Fig. 8 represents Hash computing, represent Bilinear map computing, EXP represents exponent arithmetic, and MUL representative point multiplication, the ordinate in Fig. 8 represents the number of times of various computing.By relatively finding, computing of the present invention does not need exponent arithmetic, and simultaneously under the prerequisite that ensure that fail safe, the present invention is all ideal in operation efficiency and communication overhead.

It is almost blank that existing research signs close research about One-off public key anonymity, and close for label thought and One-off public key anonymity schemes combine by the present invention, proposes the anonymous stopover sites of a kind of new One-off public key, and demonstrates its fail safe.The present invention has anonymity and traceability, and effectively can prevent the disposable attack of malicious user and attack from the non-trusted of internal system trusted party TC simultaneously, algorithm does not need exponent arithmetic, and operation efficiency and communication overhead are all ideal.

Claims (1)

1. a close building method is signed in One-off public key anonymity, it is characterized in that, the method utilizes computer system to complete One-off public key anonymity and signs close structure, and described computer system comprises user side U _a, user side U _band a trusted party TC, wherein user side U _a, user side U _bwith the intercommunication of trusted party TC; Described computer system is set up and to user side U _a, user side U _band the open system parameters of trusted party TC, this system parameters comprises: P, q, G ₁, G ₂, H ₁, H ₂, H ₃; Wherein P is a point on elliptic curve, and the equation of this elliptic curve is: y ³=x ³+ ax+b, a and b are constant; Described G ₁, G ₂for two groups generated by P, G ₁, G ₂rank be prime number q, G ₁for circled addition group, G ₂for circulation multiplicative group, at group G ₁, G ₂middle discrete logarithm problem is double linear problems of difficulty for solving; G ₁, G ₂there is relation as follows:

$\hat{e}:G_1\&times;G_1\&RightArrow;G_2,$ In formula, for Bilinear map maps;

Described H ₁, H ₂and H ₃for secure hash function, be expressed as follows: H ₁: { 0,1} ^*→ G ₁, $H_2:{\left\{\mathrm{0,1}\right\}}^{*}\&times;G_1\&RightArrow;Z_q^{*},$ $H_3:{\left\{\mathrm{0,1}\right\}}^{*}\&RightArrow;Z_q^{*};$

The method specifically comprises the following steps:

Step one, generates computer system PKI:

Trusted party TC random selecting P ∈ G ₁, and calculate g=sP, wherein g is system PKI and by trusted party TC to user side U _a, user side U _bopen; S is system master key and is preserved by trusted party TC secret;

Step 2, generates User Part key:

1) user side U is remembered _aidentity is ID _a, note user side U _bidentity is ID _b, user side U _arandom selecting calculate Y _a=z _ap, and by identity ID _aand Y _asend to trusted party TC; User side U _bstochastic choice calculate Y _b=z _bp, and by identity ID _band Y _bsend to trusted party TC;

2) utilize the mode of zero-knowledge proof to user side U at trusted party TC _aidentity ID _aand Y _aafter row confirms, trusted party TC random selecting perform X successively ₁=x _ap, X _a=X ₁+ Y _a, Q _a=H ₁(ID _a, X _a), d _a=x _a+ sQ _a, obtain user side U _apart of key d _a, and by d _a, X _asend to user side U _a;

Similarly, trusted party TC utilizes the mode of zero-knowledge proof to user side U _bidentity ID _band Y _bafter confirming, trusted party TC random selecting perform X successively ₂=x _bp, X _b=X ₂+ Y _b, Q _b=H ₁(ID _b, X _b), d _b=x _b+ sQ _b, obtain user side U _bpart of key d _b, and by d _b, X _bsend to user side U _b;

Step 3, generates user key:

User side U _acalculate y _a=z _a+ d _a, judge equation X ₁+ gH ₁(ID _a, X _a)=d _awhether P becomes Rob Roy to verify the part of key that trusted party TC generates; If X ₁+ gH ₁(ID _a, X _a)=d _ap equation is set up, then by y _aas user side U _akey; Otherwise return step 2;

User side U _bcalculate y _b=z _b+ d _b, judge equation X ₂+ gH ₁(ID _b, X _b)=d _bp verifies the part of key that trusted party TC generates; If equation X ₂+ gH ₁(ID _b, X _b)=d _bp sets up, then by y _bas user side U _bkey; Otherwise return step 2;

Step 4, generates One-off public key:

User side U _arandom selecting calculate W _a=ky _ap, V _a=kX _a, K _a=kPQ _a, obtain user side U _aone-off public key <W _a, V _a, K _a>;

User side U _brandom selecting calculate W _b=ly _bp, V _b=lX _b, K _b=lPQ _b, obtain user side U _bone-off public key <W _b, V _b, K _b>;

Step 5, One-off public key and user identity legitimate verification:

User side U _bchecking equation: $\hat{e}(V_A,P)\&CenterDot;\hat{e}(K_A,g)=\hat{e}(W_A,P)$ And equation $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ Whether set up, if two equatioies are all set up, then show user side U _apKI and identity legal, otherwise return step 2;

User side U _achecking equation $\hat{e}(V_B,P)\&CenterDot;\hat{e}(K_B,g)=\hat{e}(W_B,P)$ And equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Whether set up, if two equatioies are all set up, then show user side U _bpKI and identity legal, otherwise return step 2;

Step 6, sign close:

User side U _amessage m is carried out label are close sends to user side U _b, detailed process is as follows:

1) user side U _arandom selecting calculate R=rP;

2) user side U _acalculate h=H ₂(R, ID _a, m) and p _a=r/ (z _a+ d _a), wherein, <h, p _a> is the signature to message m;

3) user side U _acalculate t=ky _aw _bwith wherein, c is the encryption to message; Dense civilian σ=<h, p will be signed _a, c> sends to user side U _b;

Step 7, separate label close:

User side U _breceive user side U _aafter the ciphertext sent, carry out solution and sign close operation, detailed process is as follows:

1) user side U _bcalculate t'=ly _bw _a, message recovery

2) user side U _bcalculate R'=p _a(X _a+ gH ₁(ID _a, Y _a)), h'=H ₂(R', ID _a, m);

3) user side U _bjudge, if h'=h sets up, signature verification success is described, user side U _breceipt message, otherwise rejection message.