CN103780386A - Blind signature method based on identity and device thereof - Google Patents

Publication number: CN103780386A
Authority: CN (China)
Prior art keywords: signer, calculate, identity, signature, blind
Legal status: Granted
Application number: CN201210407629.9A
Other languages: Chinese (zh)
Other versions: CN103780386B (en)
Inventors: 张庆胜, 苏斌, 王永宝
Current Assignee: Aisino Corp
Original Assignee: Aisino Corp
Events: application filed by Aisino Corp; priority to CN201210407629.9A; publication of CN103780386A; application granted; publication of CN103780386B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an identity-based blind signature method and device. The method comprises the following steps: (1) a signer chooses a random number $r \in Z_q^*$ and computes $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, and p is a set large prime number; (2) a sending user randomly selects blinding factors $\alpha, \beta \in Z_q^*$ and computes $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions and m is the plaintext message to be signed; (3) the signer uses its private key $d_{ID} = sQ_{ID}$ to sign (a, b), computing $V' = a\,d_{ID}/(r+b)$, where $H_1$ is a one-way hash function and s is a random number serving as the master key; (4) a receiving user computes $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$, and the x-coordinate of V is the signature of the message m. With the identity-based blind signature method of the embodiment of the invention, the blind signature message length is only the x-coordinate of an elliptic curve point, and the throughput of system operation is increased.

Description

Identity-based blind signature method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an identity-based blind signature method and device.
Background art
In traditional public-key cryptosystems, PKI (Public Key Infrastructure) is mainly used to verify the association between a public key and a user's identity. The binding between user identity information and the public key is realized by public key certificates issued by a CA (Certificate Authority); the certificate management process in this approach requires very high computation and storage overhead.
In an identity-based public-key cryptosystem, the public key can be an arbitrary string, so the identity information of an entity can be used directly as its public key. This sidesteps the problem of binding a public key to its holder's identity and greatly simplifies the complexity of the CA's management of user certificates in traditional PKI. The highlight of an identity-based public key encryption system is that the user's identity information is used directly as the user's public key. Anyone can then encrypt plaintext directly with the user's identity information, which removes the public key authentication step and also removes the CA's cumbersome management of public key certificates.
Because of its blindness property, a blind signature can effectively protect the content of the signed message, so it is widely used in fields such as e-commerce and electronic voting. A blind signature lets the message owner first blind the message and then has the signer sign the blinded message; finally the message owner removes the blinding factor from the signed message and obtains the signer's signature on the original message. A blind signature is a special digital signature technique used by a recipient when the signer must not learn the content of the signed message. Besides satisfying the conditions of an ordinary digital signature, it must also satisfy the following two properties:
1. The message is invisible to the signer: the signer does not know the content of the message he signs.
2. The signed message is untraceable: after the signed message is published, the signer cannot tell which of his signing sessions produced it.
Identity-based blind signature methods are an important branch of recent cryptology at home and abroad; at present, there is no effective identity-based blind signature method in the prior art.
Summary of the invention
Embodiments of the invention provide an identity-based blind signature method and device, so as to shorten the signature message length.
An identity-based blind signature method, comprising:
The signer selects a random number $r \in Z_q^*$ and computes $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, $G_1$ is a subgroup of order q of the group of the elliptic curve E over $F_p$, $F_p$ is the field consisting of the integers from 0 to (p-1), p is a set large prime number, and q is a prime factor of (p+1);
The sending user randomly selects blinding factors $\alpha, \beta \in Z_q^*$ and computes $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions, $H_2: \{0,1\}^* \to Z_q^*$, $H_3: G_1 \to Z_q^*$, and m is the plaintext message to be signed, $m \in Z_q^*$; the sending user sends the message pair (a, b) to the signer;
The signer signs the message pair (a, b) with its own private key, computing $V' = a\,d_{ID}/(r+b)$, and sends $V'$ to the receiving user, where the signer's private key is $d_{ID} = sQ_{ID}$, $Q_{ID} = H_1(ID)$, ID is the identity information of the signer, $ID \in \{0,1\}^*$, $H_1$ is a one-way hash function, $H_1: \{0,1\}^* \to G_1$, and s is a random number serving as the master key;
After receiving $V'$, the receiving user computes $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is the signature of the message m.
An identity-based blind signature device, comprising:
A message blinding processing module, used for the signer to select a random number $r \in Z_q^*$ and compute $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, $G_1$ is a subgroup of order q of the group of the elliptic curve E over $F_p$, $F_p$ is the field consisting of the integers from 0 to (p-1), p is a set large prime number, and q is a prime factor of (p+1);
and for the sending user to randomly select blinding factors $\alpha, \beta \in Z_q^*$ and compute $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions, $H_2: \{0,1\}^* \to Z_q^*$, $H_3: G_1 \to Z_q^*$, and m is the plaintext message to be signed, $m \in Z_q^*$; the sending user sends the message pair (a, b) to the signer;
A signature processing module, used to sign the message pair (a, b) with the private key of the signer, computing $V' = a\,d_{ID}/(r+b)$, and to send $V'$ to the receiving user, where the signer's private key is $d_{ID} = sQ_{ID}$, $Q_{ID} = H_1(ID)$, ID is the identity information of the signer, $ID \in \{0,1\}^*$, $H_1$ is a one-way hash function, $H_1: \{0,1\}^* \to G_1$, and s is a random number serving as the master key;
A signature calculation module, used for the receiving user to compute $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is the signature of the message m.
As can be seen from the technical solution provided by the embodiments above, the blind signature message length of the identity-based blind signature method of the embodiments is only the x-coordinate of an elliptic curve point, which is shorter than the signature message length of existing elliptic curve blind signature methods; this increases the throughput of system operation and suits bandwidth-constrained communication environments.
Brief description of the drawings
To explain the technical solution of the embodiments of the invention more clearly, the drawings used in describing the embodiments are briefly introduced below. Evidently, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flow chart of an identity-based blind signature method provided by Embodiment 1 of the invention;
Fig. 2 is a schematic diagram of the detailed process of blind signature processing provided by Embodiment 1 of the invention;
Fig. 3 is a structural diagram of an identity-based blind signature device provided by Embodiment 2 of the invention.
Detailed description
To aid understanding of the embodiments of the invention, several specific embodiments are explained further below with reference to the drawings; no embodiment constitutes a limitation on the embodiments of the invention.
Embodiment 1
The processing flow of the identity-based blind signature method provided by this embodiment is shown in Fig. 1 and comprises the following steps:
Step 11: select $G_1$, $G_2$, p, q, and obtain the generator P of $G_1$ and the bilinear pairing.
Select $G_1$ and $G_2$ as two groups of order q, where p and q are two large primes (p is at least 512 bits and q is at least 160 bits), q is a prime factor of (p+1), and the number of bits of q is denoted n. $G_1$ is a subgroup of the group of the elliptic curve E over $F_p$, where $F_p$ denotes the field consisting of the integers from 0 to (p-1); the elliptic curve E can take the form $y^2 = f(x)$. $G_2$ is a multiplicative group over the field [Figure BDA00002295832100042], where [Figure BDA00002295832100043] is obtained from $F_p$ by quadratic extension and has the form $F_p[x]/f$; $F_p[x]$ is the polynomial ring over $F_p$ and f is an irreducible quadratic polynomial. P is the generator of $G_1$, i.e. $qP = O$, where "O" is the point at infinity.
$G_1 \times G_1 \to G_2$ is a bilinear map; this bilinear pairing [Figure BDA00002295832100045] is a mapping from the set $G_1 \times G_1$ to the set $G_2$ with the following properties:
Bilinearity: for any $g_1, g_2 \in G_1$ and any integers $a, b \in Z_p^*$, $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$;
Non-degeneracy: there exist $g_1, g_2 \in G_1$ such that [Figure BDA00002295832100051];
Computability: for any $g_1, g_2 \in G_1$, the value of [Figure BDA00002295832100052] can be computed efficiently.
Step 12: select the hash functions $H_1$, $H_2$ and $H_3$.
$H_1: \{0,1\}^* \to G_1$. $H_1$ is a one-way hash function that is also secure. It maps a 0/1 string of arbitrary length representing user identity information to a point of the elliptic curve E in $G_1$, and this point serves as the public key of that user; $G_1$ is a set of points on the elliptic curve E. A secure hash function is one for which the plaintext cannot be derived from the hash value of the plaintext.
$H_2: \{0,1\}^* \to Z_q^*$. $H_2$ is also a one-way hash function and is also secure. It maps a 0/1 string of arbitrary length to $Z_q^*$. $Z_q^*$ is a multiplicative group whose elements are all the integers greater than or equal to 1 and less than or equal to q-1; m is the plaintext message to be signed, $m \in Z_q^*$; x(R) denotes the x-coordinate of a point R on the elliptic curve E.
$H_3: G_1 \to Z_q^*$. $H_3$ is also a one-way hash function and is also secure. It maps a point of the elliptic curve in $G_1$ to $Z_q^*$.
Step 13: the PKG (Private Key Generator, the user private key generation center) selects a random number as the master key $s \in Z_q^*$, computes $P_{pub} = sP$, publishes the system parameters [Figure BDA00002295832100053] [Figure BDA00002295832100054], and keeps the master key s.
Specifically, a supersingular curve over $F_p$ can be selected, with curve order $\#E(F_p) = p+1$; p is chosen as a 1024-bit large prime: p=0xEB348F4B648412EAB3CE675E03B3AF14D434DFE4C6BC54291DD300DBDBA1BFDACB0D7CFEE20185398A64748E3CB8E25EAADF8612D1881FC808A749E661703A734C22EF62112B3A109A0CB86CEB1A2324B81837CA56C52EE75EDB37907E73B7FDF52F1BD333B16A0167D8116BD29B1939E3F3607E4B581BFE3D25969470A88D1B;
q is chosen as a 256-bit large prime:
q=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF;
Cofactor:
cof=0xEB348F4C4FB8A23618527A47CC4D8726882FECC2976A2A78DD549C5C0939B77715D9A03FB62A2375AB9D47932124F1469F5D6511D1511DCC61C57B874F8108122E932AE6070A1B484CCFD295F03F5031AB641265B4A7E401C2DA696B8F5772E4;
The number of points on the elliptic curve E is called the order $\#E(F_p)$ of the elliptic curve E. An elliptic curve E used for cryptographic operations contains a large prime factor q (160 binary bits or more), and the cofactor is $cof = \#E(F_p)/q$, where #E denotes the order of the elliptic curve E.
Curve equation E: $y^2 = x^3 + x$;
Embedding degree k = 2; the Tate pairing is used for computation;
The embedding degree is the smallest positive integer k for which $q \mid (p^k - 1)$ holds. The Tate pairing is a bilinear map $G_1 \times G_1 \to G_2$. The base point P is the generator of the elliptic curve E.
The base point P of the elliptic curve:
(0x887FE3AB3AA6440B8298D4DDD7BE6DE3739A4F7F1D28D7886FA00BD99585A1DAB2A94896B73D066FCB08B262DF04A7ABA6AF977E4627838F62968A9C23CC6CF6163C9FE926402F8876D249B826497817BB50530CEFF0B92C0A76105A1BAEC1B5F44EFBC9D10CD78AD33354D70BA9D63B51CF17BFE39E95D19C8B5652FBE209BB,
0x76433E8F372C45A378CF9076F3BA681922C3952E21BF659EEBAFEBD7ADAE334CBD7E7A768644BECB725C8D7B7E8B36A382F865F3D82352F4A3E5AE99C837B6FEE64106FD81269C7E551E6AA1EE0ED76EDF31C43A47CB47D7B25742B2B1632A9F7E5635EEBFAF39E9E29D987DB51887C43F9E3E7D46DE6814E6E3AAF1021B87F2)。
The processing procedure of $H_1: \{0,1\}^* \to G_1$ is as follows:
1) Given user identity information $ID \in \{0,1\}^*$, set i ← 0, where "←" denotes assignment;
2) Set (x, b) ← sha-1(i||ID), where x is the computed x-coordinate and b is the binary bit that determines the y-coordinate. sha-1 denotes the international standard hash algorithm; let the number of binary bits of its result be n; the last bit is b and the preceding n-1 bits are x.
3) From the equation $y^2 = f(x)$ and the x-coordinate x, compute the two square roots $y_0$ and $y_1$; according to the value of bit b in 2), determine the point $Q_{ID}'(x, y_b)$ on $G_1$;
4) Compute $Q_{ID} = cof \cdot Q_{ID}'$. If $Q_{ID} \neq 0$, output the point $Q_{ID}$ on $G_1$ corresponding to ID; otherwise go to 5).
5) Increment the variable i by 1 and go to 2).
$H_2$: the SHA-1 hash algorithm can be selected.
$H_3: G_1 \to Z_q^*$. For $R \in G_1$ and $z \in Z_q^*$, $H_3$ can be defined as $z = H_2(R_x \| R_y)$, where $R_x$ and $R_y$ denote the x-coordinate and y-coordinate of the point R respectively.
Step 14: the PKG generates the private key of the signer.
Compute $Q_{ID} = H_1(ID\|Time)$, which maps the identity information of the signer to a point on the supersingular curve over $F_p$. The time factor Time can be set to year, month, week or day according to the private key update period; it is used to set the update period of the user private key. For example, if the time factor is set to "month", the user must update the private key once a month.
Compute the signer's private key $d_{ID} = sQ_{ID}$.
Step 15: the signer signs the message that the sending user has blinded.
The detailed process of the blind signature processing is shown in Fig. 2. The blind signature process is completed interactively between the signer and the sending user, and comprises the following:
The signer selects a random number $r \in Z_q^*$ and computes $U' = rP$;
The sending user randomly selects blinding factors $\alpha, \beta \in Z_q^*$ and computes $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, then distributes U to all users by broadcast and sends (a, b) to the signer, where m is the plaintext message to be signed, $m \in Z_q^*$;
After the signer receives the blinded message pair (a, b), it signs the pair with its own private key, computing $V' = a\,d_{ID}/(r+b)$, and sends $V'$ to the receiving user.
Step 16: the receiving user unblinds and verifies the signed message.
After receiving $V'$, the receiving user computes $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is then the signature of the message m.
The sending user, the receiving user and the signer can verify the correctness of the transmission of the message m through the following verification process.
The verification process is as follows:
Compute [Figure BDA00002295832100081]; this is a constant and can be obtained by precomputation and storage;
Compute $h = H_2(m)$;
Compute the point $V_1$ on the curve from the x-coordinate x;
Compute $g_2 = \hat{e}(V_1, P + (U/H_2(m)))$;
If $g_2 = g_1$ or $g_2 = g_1^{-1}$, verification passes; otherwise verification fails.
Proof:
From the equation $y^2 = f(x)$ of the curve E, (x, y) and (x, -y) are both points on the curve, thus $V_1 = V$ or $V_1 = -V$.
Taking $V_1 = V$:
$g_2 = \hat{e}(V_1, P + (U/H_2(m))) = \hat{e}(V, P + (U/H_2(m)))$
$= \hat{e}(H_2(m)\,d_{ID}/(r+b), (H_2(m)P + U)/H_2(m)) = \hat{e}(H_2(m)\,d_{ID}/(r+b), ((r+b)P)/H_2(m))$
$= \hat{e}(d_{ID}, P) = \hat{e}(sQ_{ID}, P) = \hat{e}(Q_{ID}, sP) = \hat{e}(Q_{ID}, P_{pub}) = g_1$
Or taking $V_1 = -V$:
$g_2 = \hat{e}(V_1, P + (U/H_2(m))) = \hat{e}(-V, P + (U/H_2(m))) = g_1^{-1}$. This completes the proof.
Embodiment 2
This embodiment provides an identity-based blind signature device whose structure is shown in Fig. 3 and which comprises the following modules:
A message blinding processing module 31, used for the signer to select a random number $r \in Z_q^*$ and compute $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, $G_1$ is a subgroup of order q of the group of the elliptic curve E over $F_p$, $F_p$ is the field consisting of the integers from 0 to (p-1), p is a set large prime number, and q is a prime factor of (p+1);
and for the sending user to randomly select blinding factors $\alpha, \beta \in Z_q^*$ and compute $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions, $H_2: \{0,1\}^* \to Z_q^*$, $H_3: G_1 \to Z_q^*$, and m is the plaintext message to be signed, $m \in Z_q^*$; the sending user sends the message pair (a, b) to the signer;
A signature processing module 32, used to sign the message pair (a, b) with the private key of the signer, computing $V' = a\,d_{ID}/(r+b)$, and to send $V'$ to the receiving user, where the signer's private key is $d_{ID} = sQ_{ID}$, $Q_{ID} = H_1(ID)$, ID is the identity information of the signer, $ID \in \{0,1\}^*$, $H_1$ is a one-way hash function, $H_1: \{0,1\}^* \to G_1$, and s is a random number serving as the master key;
A signature calculation module 33, used for the receiving user to compute $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is the signature of the message m.
Specifically, the message blinding processing module 31 is also used to compute $Q_{ID} = H_1(ID)$ by the following process:
Step 1: given user identity information $ID \in \{0,1\}^*$, set i ← 0, where "←" denotes assignment;
Step 2: set (x, b) ← sha-1(i||ID), where x is the computed x-coordinate and b is the binary bit that determines the y-coordinate. sha-1 denotes the international standard hash algorithm; let the number of binary bits of its result be n; the last bit is b and the preceding n-1 bits are x.
Step 3: from the equation $y^2 = f(x)$ and the x-coordinate x, compute the two square roots $y_0$ and $y_1$; according to the value of bit b in step 2, determine the point $Q_{ID}'(x, y_b)$ on $G_1$;
Step 4: compute $Q_{ID} = cof \cdot Q_{ID}'$; if $Q_{ID} \neq 0$, output the point $Q_{ID}$ on $G_1$ corresponding to ID; otherwise increment the variable i by 1 and re-execute steps 2, 3 and 4.
Specifically, the signature processing module 32 is also used to update the private key $Q_{ID}$ according to the set time factor Time, where the time factor Time is year, month, week or day.
Specifically, the signature calculation module 33 is also used to compute [Figure BDA00002295832100101], where [Figure BDA00002295832100102] is a bilinear map, a mapping from the set $(G_1 \times G_1)$ to the set $G_2$, $G_2$ is a group of order q, and q is a set large prime number;
Compute the point $V_1$ on the curve E from the x-coordinate x;
Compute $g_2 = \hat{e}(V_1, P)$;
If $g_2 = g_1$ or $g_2 = g_1^{-1}$, verification passes; otherwise verification fails.
The detailed process of performing identity-based blind signing with the device of the embodiment of the invention is similar to the method embodiment above and is not repeated here.
A person of ordinary skill in the art will understand that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
A person of ordinary skill in the art will understand that the modules of the equipment in an embodiment can be distributed in the equipment of the embodiment as described, or can be changed accordingly and located in one or more pieces of equipment different from this embodiment. The modules of the above embodiment can be merged into one module or further split into multiple sub-modules.
In summary, the blind signature message length of the identity-based blind signature method of the embodiments of the invention is only the x-coordinate of an elliptic curve point, which is shorter than the signature message length of existing elliptic curve blind signature methods; this increases the throughput of system operation and suits bandwidth-constrained communication environments.
In blind signature verification, although two pairing operations need to be computed, the first can be obtained by precomputation, storage and lookup, so the verification process only needs to compute one key pairing operation, which greatly reduces the computational cost of the verification equation and improves the operating efficiency of the whole system.
The above are only preferred embodiments of the invention, but the scope of protection of the invention is not limited thereto; any change or replacement readily conceivable by a person skilled in the art within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (8)

1. An identity-based blind signature method, characterized by comprising:
The signer selects a random number $r \in Z_q^*$ and computes $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, $G_1$ is a subgroup of order q of the group of the elliptic curve E over $F_p$, $F_p$ is the field consisting of the integers from 0 to (p-1), p is a set large prime number, and q is a prime factor of (p+1);
The sending user randomly selects blinding factors $\alpha, \beta \in Z_q^*$ and computes $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions, $H_2: \{0,1\}^* \to Z_q^*$, $H_3: G_1 \to Z_q^*$, and m is the plaintext message to be signed, $m \in Z_q^*$; the sending user sends the message pair (a, b) to the signer;
The signer signs the message pair (a, b) with its own private key, computing $V' = a\,d_{ID}/(r+b)$, and sends $V'$ to the receiving user, where the signer's private key is $d_{ID} = sQ_{ID}$, $Q_{ID} = H_1(ID)$, ID is the identity information of the signer, $ID \in \{0,1\}^*$, $H_1$ is a one-way hash function, $H_1: \{0,1\}^* \to G_1$, and s is a random number serving as the master key;
After receiving $V'$, the receiving user computes $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is the signature of the message m.
2. The identity-based blind signature method according to claim 1, characterized in that
computing $Q_{ID} = H_1(ID)$ comprises:
Step 1: given user identity information $ID \in \{0,1\}^*$, set i ← 0, where "←" denotes assignment;
Step 2: set (x, b) ← sha-1(i||ID), where x is the computed x-coordinate and b is the binary bit that determines the y-coordinate. sha-1 denotes the international standard hash algorithm; let the number of binary bits of its result be n; the last bit is b and the preceding n-1 bits are x.
Step 3: from the equation $y^2 = f(x)$ and the x-coordinate x, compute the two square roots $y_0$ and $y_1$; according to the value of bit b in step 2, determine the point $Q_{ID}'(x, y_b)$ on $G_1$;
Step 4: compute $Q_{ID} = cof \cdot Q_{ID}'$; if $Q_{ID} \neq 0$, output the point $Q_{ID}$ on $G_1$ corresponding to ID; otherwise increment the variable i by 1 and re-execute steps 2, 3 and 4.
3. The identity-based blind signature method according to claim 1, characterized in that the method further comprises:
The signer updates the private key $Q_{ID}$ according to the set time factor Time, where the time factor Time is year, month, week or day.
4. The identity-based blind signature method according to claim 1, 2 or 3, characterized in that the method further comprises:
Computing [Figure FDA00002295832000021], where [Figure FDA00002295832000022] is a bilinear map, a mapping from the set $(G_1 \times G_1)$ to the set $G_2$, $G_2$ is a multiplicative group over the field [Figure FDA00002295832000023], and $P_{pub} = sP$;
Computing $h = H_2(m)$;
Computing the point $V_1$ on the curve from the x-coordinate x;
Computing $g_2 = \hat{e}(V_1, P + (U/H_2(m)))$;
If $g_2 = g_1$ or $g_2 = g_1^{-1}$, determining that signature verification for the plaintext message m passes; otherwise verification fails.
5. An identity-based blind signature device, characterized by comprising:
A message blinding processing module, used for the signer to select a random number $r \in Z_q^*$ and compute $U' = rP$, where $Z_q^*$ denotes the integers in the range 1 to (q-1), q is a set large prime number, P is the generator of $G_1$, $G_1$ is a subgroup of order q of the group of the elliptic curve E over $F_p$, $F_p$ is the field consisting of the integers from 0 to (p-1), p is a set large prime number, and q is a prime factor of (p+1);
and for the sending user to randomly select blinding factors $\alpha, \beta \in Z_q^*$ and compute $U = U' + (\alpha+\beta)P$, $a = (\alpha\beta H_3(U))H_2(m)$, $b = \alpha+\beta+H_2(m)$, where $H_2$ and $H_3$ are one-way hash functions, $H_2: \{0,1\}^* \to Z_q^*$, $H_3: G_1 \to Z_q^*$, and m is the plaintext message to be signed, $m \in Z_q^*$; the sending user sends the message pair (a, b) to the signer;
A signature processing module, used to sign the message pair (a, b) with the private key of the signer, computing $V' = a\,d_{ID}/(r+b)$, and to send $V'$ to the receiving user, where the signer's private key is $d_{ID} = sQ_{ID}$, $Q_{ID} = H_1(ID)$, ID is the identity information of the signer, $ID \in \{0,1\}^*$, $H_1$ is a one-way hash function, $H_1: \{0,1\}^* \to G_1$, and s is a random number serving as the master key;
A signature calculation module, used for the receiving user to compute $V = V'/(\alpha\beta H_3(U)) = H_2(m)\,d_{ID}/(r+b)$; the x-coordinate of V is the signature of the message m.
6. The identity-based blind signature device according to claim 5, characterized in that:
The message blinding processing module is also used to compute $Q_{ID} = H_1(ID)$ by the following process:
Step 1: given user identity information $ID \in \{0,1\}^*$, set i ← 0, where "←" denotes assignment;
Step 2: set (x, b) ← sha-1(i||ID), where x is the computed x-coordinate and b is the binary bit that determines the y-coordinate. sha-1 denotes the international standard hash algorithm; let the number of binary bits of its result be n; the last bit is b and the preceding n-1 bits are x.
Step 3: from the equation $y^2 = f(x)$ and the x-coordinate x, compute the two square roots $y_0$ and $y_1$; according to the value of bit b in step 2, determine the point $Q_{ID}'(x, y_b)$ on $G_1$;
Step 4: compute $Q_{ID} = cof \cdot Q_{ID}'$; if $Q_{ID} \neq 0$, output the point $Q_{ID}$ on $G_1$ corresponding to ID; otherwise increment the variable i by 1 and re-execute steps 2, 3 and 4.
7. The identity-based blind signature device according to claim 6, characterized in that:
The signature processing module is also used to update the private key $Q_{ID}$ according to the set time factor Time, where the time factor Time is year, month, week or day.
8. The identity-based blind signature device according to claim 5, 6 or 7, characterized in that:
The signature calculation module is also used to compute [Figure FDA00002295832000041], where [Figure FDA00002295832000042] is a bilinear map, a mapping from the set $(G_1 \times G_1)$ to the set $G_2$, $G_2$ is a group of order q, and q is a set large prime number;
Compute the point $V_1$ on the curve E from the x-coordinate x;
Compute $g_2 = \hat{e}(V_1, P)$;
If $g_2 = g_1$ or $g_2 = g_1^{-1}$, verification passes; otherwise verification fails.
Application number: CN201210407629.9A; priority date: 2012-10-23; filing date: 2012-10-23; title: Blind signature method based on identity and device thereof; status: Active; granted publication: CN103780386B (en)

Publications (2)

Publication number: publication date
CN103780386A (en): 2014-05-07
CN103780386B (en): 2017-02-15

Family

ID=50572260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210407629.9A Active CN103780386B (en) 2012-10-23 2012-10-23 Blind signature method based on identity and device thereof

Country Status (1)

Country Link
CN (1) CN103780386B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040128259A1 (en) * 2002-12-31 2004-07-01 Blakeley Douglas Burnette Method for ensuring privacy in electronic transactions with session key blocks
CN101378316A (en) * 2007-08-29 2009-03-04 索尼(中国)有限公司 Proxy blind signing system and method based on identification

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
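JUNJIE HE et al.: "A New Identity-based Proxy Blind Signature Scheme", "IEEE" *
Li Mingxiang et al.: "An efficient identity-based partially blind signature scheme", "Application Research of Computers" *
Niu Zhihua et al.: "A new efficient identity-based blind signature", "Journal of Shanghai University" *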

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967513A (en) * 2015-05-29 2015-10-07 西北工业大学 Identity-based multi-recipient ring signcryption method with multiple safety attributes
CN104967513B (en) * 2015-05-29 2018-08-07 西北工业大学 The multi-receiver ring label decryption method of identity-based with maltilevel security attribute
CN105681045B (en) * 2016-01-14 2019-05-17 北京航空航天大学 Proxy Signature method and blind signing system
CN105681045A (en) * 2016-01-14 2016-06-15 北京航空航天大学 Blind signature method and a blind signature system
CN106656508B (en) * 2016-12-27 2019-09-06 深圳大学 A kind of Partial Blind Signature method and apparatus of identity-based
CN106656508A (en) * 2016-12-27 2017-05-10 深圳大学 Identity-based partial blind signature method and apparatus
CN110537183A (en) * 2017-04-14 2019-12-03 国际商业机器公司 Data markers
CN110537183B (en) * 2017-04-14 2023-07-07 国际商业机器公司 Data marking method and system
CN108847933A (en) * 2018-06-26 2018-11-20 西安电子科技大学 Mark based on SM9 cryptographic algorithm signs and issues method
CN108847933B (en) * 2018-06-26 2020-11-03 西安电子科技大学 SM9 cryptographic algorithm-based identification issuing method
CN111385092A (en) * 2018-12-28 2020-07-07 新唐科技股份有限公司 Cipher device using information blinding and cipher processing method thereof
CN111385092B (en) * 2018-12-28 2023-09-19 新唐科技股份有限公司 Cipher device using information blinding and its cipher processing method
CN111740833B (en) * 2019-04-16 2023-09-05 北京沃东天骏信息技术有限公司 Signature method, node, system and storage medium of blockchain network
CN111740833A (en) * 2019-04-16 2020-10-02 北京沃东天骏信息技术有限公司 Signature method, node, system and storage medium of block chain network
CN110896351A (en) * 2019-11-14 2020-03-20 湖南盾神科技有限公司 Identity-based digital signature method based on global hash
CN110896351B (en) * 2019-11-14 2022-07-26 湖南盾神科技有限公司 Identity-based digital signature method based on global hash

Also Published As

Publication number Publication date
CN103780386B (en) 2017-02-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant