CN106789019A - Certificateless partially blind signature method and device - Google Patents


Info

Publication number
CN106789019A
Authority
CN
China
Prior art keywords
signer
signature
private key
systematic parameter
calculate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611226746.XA
Other languages
Chinese (zh)
Other versions
CN106789019B (en)
Inventor
张鹏
李俊超
喻建平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen University
Original Assignee
Shenzhen University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen University
Priority to CN201611226746.XA
Publication of CN106789019A
Application granted
Publication of CN106789019B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3257: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using blind signatures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention applies to the field of information security technology and provides a certificateless partially blind signature method, comprising: establishing public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$; the signer extracts its private key and its public key; the signer makes a random selection, computes $z = H_0(c)$ and $R = rP$, and sends $R$ to the signature requester; after receiving $R$, the signature requester randomly selects the blinding factors, computes $z = H_0(c)$, $R' = \alpha R$, $h' = H_2(m, z, y)$ and $h = \alpha^{-1}(\beta - h')$, and sends $h$ to the signer; after receiving $h$, the signer computes $S$ and sends it to the signature requester; the signature requester unblinds by computing $S' = \alpha S$, obtaining the signature $\sigma = (y, h', S')$ on the message $m$ and the negotiated information $c$; the verifier verifies the signature. The invention effectively solves the security problem caused by tampering with the negotiated public information in certificateless partially blind signatures.

Description

Certificateless partially blind signature method and device
Technical field
The invention belongs to the field of information security technology, and in particular relates to a certificateless partially blind signature method and device.
Background
A blind signature is a signature that the signer produces without knowing the content of the message submitted by the signature requester; this property is called blindness. Besides the properties of an ordinary digital signature, such as content integrity, non-repudiation of the transaction and authenticity of both parties' identities, a blind signature also protects user privacy through blindness. Because the signer knows nothing about the signed message, the signature can easily be misused by a malicious requester. The concept of the partially blind signature was therefore proposed: the message is divided into a blinded part and a common part, so a partially blind signature protects user privacy while keeping part of the signed content under control.
In identity-based cryptography, the key generation center (Key Generation Center, KGC) knows the private keys of all users and can forge the signature of any user; this is known as the key escrow problem. To solve it, Al-Riyami and Paterson proposed the concept of certificateless public key cryptography (Certificateless Public Key Cryptography, CL-PKC) in 2003. For details, see: Al-Riyami S S, Paterson K G. Certificateless Public Key Cryptography [J]. Lecture Notes in Computer Science, 2003, 2894(2): 452-473, hereinafter referred to as document 1. In CL-PKC, the key generation center generates a partial private key for the user, and the user's private key consists of the partial private key and a secret value chosen at random by the user, which solves the key escrow problem. Combining certificateless public key cryptography with blind signatures gives the certificateless blind signature (Certificateless Blind Signature, CL-BS); used in e-commerce, CL-BS protects user privacy while avoiding both certificate management in PKI and key escrow in ID-PKC. For better application in electronic cash systems, certificateless public key cryptography is combined with partially blind signatures, giving the certificateless partially blind signature (Certificateless Partially Blind Signature, CL-PBS).
Literature on certificateless partially blind signatures has already been published, for example:
Cheng L, Wen Q. Cryptanalysis and improvement of a certificateless partially blind signature [J]. IET Information Security, 2015, 9(6): 380-386, hereinafter referred to as document 2.
Zhang L, Zhang F, Qin B, et al. Corrigendum: "Provably-secure electronic cash based on certificateless partially-blind signatures" [J]. Electronic Commerce Research & Applications, 2011, 10(1): 545-552, hereinafter referred to as document 3.
Document 2 points out that the CL-PBS scheme proposed in document 3 cannot resist an attack in which a malicious user replaces the signer's public key, and proposes an improved scheme. However, analysis of the improved scheme shows that it cannot resist an attack in which a malicious user tampers with the negotiated public information.
Summary of the invention
Embodiments of the present invention provide a certificateless partially blind signature method, intended to solve the problem that the negotiated public information in existing certificateless partially blind signatures has low security.
The embodiment of the present invention is realized as a certificateless partially blind signature method, comprising:
establishing public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$, where $l$ is the security parameter and the prime $q$ satisfies $q > 2^l$; $\{G_1, +\}$ is a cyclic additive group of order $q$, and $P$ is an arbitrary generator of $G_1$; $\{G_2, \cdot\}$ is a cyclic multiplicative group of order $q$ with generator $g$; $e: G_1 \times G_1 \to G_2$ is a bilinear map and $g = e(P, P) \in G_2$; the hash functions include $H_1: \{0,1\}^* \to G_1$; the KGC chooses $s$ as the master key, and $P_{pub} = sP$ is the public key;
the signer extracts its private key and its public key;
the signer makes a random selection, computes $z = H_0(c)$ and $R = rP$, and sends $R$ to the signature requester;
after receiving $R$, the signature requester randomly selects the blinding factors, computes $z = H_0(c)$, $h' = H_2(m, z, y)$ and $h = \alpha^{-1}(\beta - h')$, and sends $h$ to the signer;
after receiving $h$, the signer computes $S$ and sends $S$ to the signature requester;
the signature requester unblinds by computing $S' = \alpha S$, obtaining the signature $\sigma = (y, h', S')$ on the message $m$ and the negotiated information $c$;
the verifier verifies the signature.
Preferably, the specific steps of establishing the public system parameters $params = \{G_1, G_2, P, l, q, e, H_1, H_2, H_3, P_{pub}\}$ are:
according to the security requirements, determining the size of the security parameter $l$ and the prime $q$, and using an elliptic curve to construct a cyclic additive group $\{G_1, +\}$ and a cyclic multiplicative group $\{G_2, \cdot\}$ satisfying the bilinear map $e: G_1 \times G_1 \to G_2$;
selecting collision-free hash functions, including $H_1: \{0,1\}^* \to G_1$;
randomly selecting an integer $s$ from the multiplicative group of integers mod $q$ as the master key of the private key generation center KGC, and computing $P_{pub} = sP$ as the corresponding public key;
publishing the system parameters $\{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$ and keeping $s$ as the master key.
Preferably, the specific steps by which the signer extracts its private key and public key are:
taking the system parameters $params$ and the signer's identity $ID_B$ as input, the KGC performs its calculation and sends the partial private key to the signer;
according to the system parameters $params$ and the signer's identity $ID_B$, the signer randomly selects a value as its secret value;
according to the system parameters $params$, the signer's identity $ID_B$, the partial private key and the secret value, the signer's private key is obtained;
according to the system parameters $params$, the signer's identity $ID_B$ and the secret value, the signer's public key is obtained.
Preferably, the specific steps by which the verifier verifies the signature include:
the verifier receives the signer's message-signature pair $(m, c, \sigma = (y, h', S'))$;
computing $z = H_0(c)$;
checking whether the equation $h' = H_2(m, z, y')$ holds; if it does, the verifier accepts $(m, c, \sigma = (y, h', S'))$ as a valid blind signature produced by the signer;
otherwise the signature is invalid.
Embodiments of the present invention also provide a certificateless partially blind signature device, comprising:
a system parameter establishing unit, configured to establish the public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$;
an extraction unit, configured for the signer to extract its private key and public key;
a commitment unit, configured to make a random selection, compute $z = H_0(c)$ and $R = rP$, and send $R$ to the signature requester;
a blinding unit, configured to, after $R$ is received, randomly select the blinding factors, compute $z = H_0(c)$, $h' = H_2(m, z, y)$ and $h = \alpha^{-1}(\beta - h')$, and send $h$ to the signer;
a partially blind signature unit, configured to, after $h$ is received, compute $S$ and send $S$ to the signature requester;
an unblinding unit, configured to unblind by computing $S' = \alpha S$, obtaining the signature $\sigma = (y, h', S')$ on the message $m$ and the negotiated information $c$;
a verification unit, configured to verify the signature.
Preferably, the system parameter establishing unit includes:
a construction module, configured to determine the size of the security parameter $l$ and the prime $q$, and to use an elliptic curve to construct a cyclic additive group $\{G_1, +\}$ and a cyclic multiplicative group $\{G_2, \cdot\}$ satisfying the bilinear map $e: G_1 \times G_1 \to G_2$;
a function selection module, configured to select collision-free hash functions, including $H_1: \{0,1\}^* \to G_1$;
a key module, configured to randomly select an integer $s$ from the multiplicative group of integers mod $q$ as the master key of the private key generation center KGC, compute $P_{pub} = sP$ as the corresponding public key, publish the system parameters $\{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$, and keep $s$ as the master key.
Preferably, the extraction unit includes:
a partial private key generation module, configured so that, according to the system parameters $params$ and the signer's identity $ID_B$, the KGC performs its calculation and sends the partial private key to the signer;
a secret value generation module, configured to randomly select a value as the secret value according to the system parameters $params$ and the signer's identity $ID_B$;
a private key module, configured to obtain the signer's private key according to the system parameters $params$, the signer's identity $ID_B$, the partial private key and the secret value;
a public key module, configured to obtain the signer's public key according to the system parameters $params$, the signer's identity $ID_B$ and the secret value.
Preferably, the verification unit includes:
a receiving module, configured to receive the message-signature pair $(m, c, \sigma = (y, h', S'))$ sent by the signature requester;
a computing module, configured to compute $z = H_0(c)$;
a verification module, configured to check whether the equation $h' = H_2(m, z, y')$ holds; if it does, the verifier accepts $(m, c, \sigma = (y, h', S'))$ as a valid blind signature produced by the signer, otherwise the signature is invalid.
In the technical solution of the present invention, the signer inserts the negotiated information into its calculation, where $z = H_0(c)$. The correctness proof of the signature scheme shows that the negotiated information $z = H_0(c)$ inserted by the signer corresponds both to the negotiated information inserted by the signature requester during blinding and to the negotiated information used in the verification equation. The scheme of the present invention is therefore secure against tampering with the negotiated information, and effectively solves the security problem caused by tampering with the negotiated public information in certificateless partially blind signatures.
Brief description of the drawings
Fig. 1 is a schematic flowchart of a certificateless partially blind signature method provided by an embodiment of the present invention;
Fig. 2 is an overall flowchart of a certificateless partially blind signature method provided by an embodiment of the present invention;
Fig. 3 is a structural block diagram of a certificateless partially blind signature device provided by an embodiment of the present invention;
Fig. 4 is a structural block diagram of the system parameter establishing unit of the present invention;
Fig. 5 is a structural block diagram of the extraction unit of the present invention;
Fig. 6 is a structural block diagram of the verification unit of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
To understand the technical solution better, we first briefly describe the partially blind signature process in document 2 above:
First, public system parameters $params = \{G_1, G_2, P, l, q, e, H_0, H_1, H_2, P_{pub}\}$ are established.
Given the security parameter $l$, the prime $q$ satisfies $q > 2^l$; $\{G_1, +\}$ is a cyclic additive group of order $q$, and $P$ is an arbitrary generator of $G_1$; $\{G_2, \cdot\}$ is a cyclic multiplicative group of order $q$ with generator $g$; $e: G_1 \times G_1 \to G_2$ is a bilinear map and $g = e(P, P) \in G_2$; hash functions are chosen; the KGC chooses $s$ as the master key, and $P_{pub} = sP$ is the public key. The system parameters are $params = \{G_1, G_2, P, l, q, e, H_0, H_1, H_2, P_{pub}\}$.
Then the key extraction algorithms are run:
Partial private key generation algorithm: taking the system parameters $params$ and the signer's identity $ID_B$ as input, the KGC performs its calculation and sends the partial private key to the signer.
Set-secret-value algorithm: taking the system parameters $params$ and the signer's identity $ID_B$ as input, the signer randomly selects a value as its secret value.
Set-private-key algorithm: the algorithm takes the system parameters, the signer's identity $ID_B$, the partial private key and the secret value as input, and outputs the signer's private key.
Set-public-key algorithm: the algorithm takes the system parameters, the signer's identity $ID_B$ and the secret value as input, and outputs the signer's public key.
Then the partially blind signature generation algorithm is run:
Suppose $m$ is the message the signature requester asks to have signed and $c$ is the public information negotiated between the signer and the signature requester. The signer, using its private key and public key, signs the message $m$ and the negotiated public information $c$ together with the signature requester. The process is as follows:
a) Commitment. The signer makes a random selection, computes $z = H_0(c)$ and $R = rzP$, and sends $R$ to the signature requester.
b) Blinding. After receiving $R$, the signature requester randomly selects the blinding factors, computes $z = H_0(c)$, $R' = \gamma R$ and $h = \gamma^{-1}(\beta - h')$, and sends $h$ to the signer.
c) Partially blind signing. After receiving $h$, the signer only needs to compute $S$ and send it to the signature requester.
d) Unblinding. The signature requester computes $S' = \gamma S + \alpha P_{pub}$.
After this series of interactions, the signature requester obtains the signature $\sigma = (R', h', S')$ on the message $m$ and the negotiated information $c$.
Finally, the signature verification algorithm is run:
After receiving the signer's signature $\sigma = (R', h', S')$ on the message $m$ and the negotiated information $c$, the verifier first computes $z = H_0(c)$ and finally checks whether the verification equation holds. If it holds, the message-signature pair $(m, c, \sigma = (R', h', S'))$ is considered a legitimate signature by the signer; otherwise it is invalid.
The above scheme is open to an attack, analyzed as follows:
The attack tampers with the negotiated information $c$, replacing it with $c'$. The signer, using its private key and public key, signs the message $m$ and the negotiated public information $c$ together with the signature requester, and the signature requester changes the negotiated information $c$ to $c'$:
a) Commitment. The signer makes a random selection, computes $z = H_0(c)$ and $R = rzP$, and sends $R$ to the signature requester.
b) Blinding. After receiving $R$, the signature requester randomly selects the blinding factors, computes $z = H_0(c)$, $z' = H_0(c')$, $R' = \gamma R$, $R'' = z^{-1} z' R'$, $h = \gamma^{-1}(\beta - h')$ and $h'' = z z'^{-1} h$, and sends $h''$ to the signer.
c) Partially blind signing. After receiving $h''$, the signer only needs to compute $S$ and send it to the signature requester.
d) Unblinding. The signature requester computes $S' = z^{-1} z' S$ and $S'' = \gamma S' + \alpha P_{pub}$.
After this series of interactions, the signature requester obtains the signature $\sigma = (R'', h', S'')$ on the message $m$ and the negotiated information $c'$.
To verify the signature $\sigma = (R'', h', S'')$ on the message $m$ and the negotiated information $c'$, one computes $z' = H_0(c')$ and checks whether the verification equation holds. If it holds, the signature is valid, that is, the tampering with the negotiated information succeeded. In this verification it in fact suffices to check whether the equation holds;
that is, without the signer's consent, a signature formed after the signature requester has tampered with the public information still passes the verification equation, so the verifier believes that $\sigma = (R'', h', S'')$ is the signer's valid signature on the message $m$ and the negotiated information $c'$.
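The rescaling in step b) of the tampering analysis above, as an added example (not code from the patent or from documents 2 and 3). It models only the commitment and challenge rescaling, because those are the formulas the text gives; the toy group, SHA-256 as $H_0$ and the sample values of $c$ are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): the order-Q subgroup of Z_p^* generated
# by G stands in for the pairing group G1, so "kP" is written as pow(P, k, P_MOD).
P_MOD, Q, G = 2039, 1019, 4


def smul(k, point):
    """Scalar multiplication k*point in the toy group."""
    return pow(point, k % Q, P_MOD)


def inv(k):
    """Inverse of k in Z_Q^*."""
    return pow(k, -1, Q)


def H0(c):
    """Hash the negotiated information c into Z_Q^* (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(c).digest(), "big") % (Q - 1) + 1


def signer_commit(c, r):
    """Document 2, step a): R = r*z*P with z = H0(c)."""
    return smul(r * H0(c), G)


def requester_blind(R, gamma):
    """Document 2, step b): R' = gamma*R."""
    return smul(gamma, R)


def requester_retarget(R_blind, c, c_new):
    """Tampering, step b): R'' = z^-1 * z' * R'."""
    return smul(inv(H0(c)) * H0(c_new), R_blind)


def requester_rescale_challenge(h, c, c_new):
    """Tampering, step b): h'' = z * z'^-1 * h, sent to the signer in place of h."""
    return H0(c) * inv(H0(c_new)) * h % Q


def commitment_is_malleable(c, c_new, r, gamma):
    """True if the retargeted commitment equals an honest blinded commitment on c_new."""
    tampered = requester_retarget(
        requester_blind(signer_commit(c, r), gamma), c, c_new)
    honest_for_c_new = requester_blind(signer_commit(c_new, r), gamma)
    return tampered == honest_for_c_new


if __name__ == "__main__":
    c, c_new = b"amount=10", b"amount=1000"   # constructed sample values
    r = secrets.randbelow(Q - 1) + 1          # signer's random value
    gamma = secrets.randbelow(Q - 1) + 1      # requester's blinding factor
    print("z =", H0(c), " z' =", H0(c_new))
    print("retargeted commitment matches c':",
          commitment_is_malleable(c, c_new, r, gamma))
```

The check succeeds for any $c$ and $c'$ because $z$ enters $R = rzP$ only as a public scalar factor; in the patent's scheme $z$ is instead an input to $h' = H_2(m, z, y)$.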
With reference to Fig. 1 and Fig. 2, embodiments of the present invention provide a certificateless partially blind signature method, comprising the following steps:
Step S100: establish public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$;
where $l$ is the security parameter and the prime $q$ satisfies $q > 2^l$; $\{G_1, +\}$ is a cyclic additive group of order $q$, and $P$ is an arbitrary generator of $G_1$; $\{G_2, \cdot\}$ is a cyclic multiplicative group of order $q$ with generator $g$; $e: G_1 \times G_1 \to G_2$ is a bilinear map and $g = e(P, P) \in G_2$; the hash functions include $H_1: \{0,1\}^* \to G_1$; the KGC chooses $s$ as the master key, and $P_{pub} = sP$ is the public key;
Step S200: the signer extracts its private key and its public key;
Step S300: the signer makes a random selection, computes $z = H_0(c)$ and $R = rP$, and sends $R$ to the signature requester;
Step S400: after receiving $R$, the signature requester randomly selects the blinding factors, computes $z = H_0(c)$, $R' = \alpha R$, $h' = H_2(m, z, y)$ and $h = \alpha^{-1}(\beta - h')$, and sends $h$ to the signer;
Step S500: after receiving $h$, the signer computes $S$ and sends $S$ to the signature requester;
Step S600: the signature requester unblinds by computing $S' = \alpha S$, obtaining the signature $\sigma = (y, h', S')$ on the message $m$ and the negotiated information $c$;
Step S700: the verifier verifies the signature.
Preferably, in step S100, the specific steps of establishing the public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$ are:
Step S110: according to the security requirements, determine the size of the security parameter $l$ and the prime $q$, and use an elliptic curve to construct a cyclic additive group $\{G_1, +\}$ and a cyclic multiplicative group $\{G_2, \cdot\}$ satisfying the bilinear map $e: G_1 \times G_1 \to G_2$;
Step S120: select collision-free hash functions, including $H_1: \{0,1\}^* \to G_1$;
Step S130: randomly select an integer $s$ from the multiplicative group of integers mod $q$ as the master key of the private key generation center KGC, and compute $P_{pub} = sP$ as the corresponding public key;
Step S140: publish the system parameters $\{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$ and keep $s$ as the master key.
Further, step S200 specifically includes:
Step S210: taking the system parameters $params$ and the signer's identity $ID_B$ as input, the KGC performs its calculation and sends the partial private key to the signer;
Step S220: according to the system parameters $params$ and the signer's identity $ID_B$, the signer randomly selects a value as its secret value;
Step S230: according to the system parameters $params$, the signer's identity $ID_B$, the partial private key and the secret value, the signer's private key is obtained;
Step S240: according to the system parameters $params$, the signer's identity $ID_B$ and the secret value, the signer's public key is obtained.
Further, step S700 specifically includes:
Step S710: the verifier receives the signer's message-signature pair $(m, c, \sigma = (y, h', S'))$;
Step S720: compute $z = H_0(c)$;
Step S730: check whether the equation $h' = H_2(m, z, y')$ holds; if it does, the verifier accepts $(m, c, \sigma = (y, h', S'))$ as a valid blind signature produced by the signer;
otherwise the signature is invalid.
The signer inserts the negotiated information into its calculation, where $z = H_0(c)$. The correctness proof of the signature scheme shows that the negotiated information $z = H_0(c)$ inserted by the signer corresponds both to the negotiated information inserted by the signature requester during blinding and to the negotiated information used in the verification equation. This scheme can therefore prevent tampering attacks on the negotiated public information.
As shown in Fig. 3, embodiments of the present invention also provide a certificateless partially blind signature device, comprising:
a system parameter establishing unit 100, configured to establish the public system parameters $params = \{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$;
an extraction unit 200, configured for the signer to extract its private key and public key;
a commitment unit 300, configured to make a random selection, compute $z = H_0(c)$ and $R = rP$, and send $R$ to the signature requester;
a blinding unit 400, configured to, after $R$ is received, randomly select the blinding factors, compute $z = H_0(c)$, $h' = H_2(m, z, y)$ and $h = \alpha^{-1}(\beta - h')$, and send $h$ to the signer;
a partially blind signature unit 500, configured to, after $h$ is received, compute $S$ and send $S$ to the signature requester;
an unblinding unit 600, configured to unblind by computing $S' = \alpha S$, obtaining the signature $\sigma = (y, h', S')$ on the message $m$ and the negotiated information $c$;
a verification unit 700, configured to verify the signature.
As shown in Fig. 4, the system parameter establishing unit 100 further includes:
a construction module 101, configured to determine the size of the security parameter $l$ and the prime $q$, and to use an elliptic curve to construct a cyclic additive group $\{G_1, +\}$ and a cyclic multiplicative group $\{G_2, \cdot\}$ satisfying the bilinear map $e: G_1 \times G_1 \to G_2$;
a function selection module 102, configured to select collision-free hash functions, including $H_1: \{0,1\}^* \to G_1$;
a key module 103, configured to randomly select an integer $s$ from the multiplicative group of integers mod $q$ as the master key of the private key generation center KGC, compute $P_{pub} = sP$ as the corresponding public key, publish the system parameters $\{G_1, G_2, P, e, g, H_0, H_1, H_2, P_{pub}\}$, and keep $s$ as the master key.
As shown in Fig. 5, the extraction unit 200 further includes:
a partial private key generation module 201, configured so that, according to the system parameters $params$ and the signer's identity $ID_B$, the KGC performs its calculation and sends the partial private key to the signer;
a secret value generation module 202, configured to randomly select a value as the secret value according to the system parameters $params$ and the signer's identity $ID_B$;
a private key module 203, configured to obtain the signer's private key according to the system parameters $params$, the signer's identity $ID_B$, the partial private key and the secret value;
a public key module 204, configured to obtain the signer's public key according to the system parameters $params$, the signer's identity $ID_B$ and the secret value.
As shown in Fig. 6, the verification unit 700 further includes:
a receiving module 701, configured to receive the message-signature pair $(m, c, \sigma = (y, h', S'))$ sent by the signature requester;
a computing module 702, configured to compute $z = H_0(c)$;
a verification module 702, configured to check whether the equation $h' = H_2(m, z, y')$ holds; if it does, the verifier accepts $(m, c, \sigma = (y, h', S'))$ as a valid blind signature produced by the signer, otherwise the signature is invalid.
Below, the computational efficiency of the technical solution of the present invention is compared with the existing CL-PBS schemes, namely the schemes in document 2 and document 3, where document 2 is the improvement proposed in response to the public key replacement attack on document 3. A supersingular elliptic curve $E(F_p): y^2 = x^3 + x$ with embedding degree 2 is used, where $q = 2^{159} + 2^{17} + 1$ is a 160-bit prime and $p$ is a 512-bit prime satisfying $p + 1 = 12qr$. Hardware platform: CPIV 3-GHz CPU, 512 MB of memory and the Windows XP operating system. Table 1 lists the efficiency of the time-consuming basic operations in the cryptographic schemes.
Table 1: Efficiency of basic operations in the schemes (unit: milliseconds)
Table 2 lists the number of time-consuming operations in each scheme, mainly comparing the computation performed by the signer, the signature requester and the verifier while the scheme runs.
Table 2: Computational performance comparison of the schemes (unit: milliseconds)
In summary, the scheme constructed by the present invention clearly has higher efficiency.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall fall within its scope of protection.

Claims (8)

1. a kind of Certificateless partially blind signature method, it is characterised in that including:
Set up an open systematic parameter params={ G1,G2,P,e,g,H0,H1,H2,Ppub};Wherein, l is security parameter, and Meet prime number q > 2l, { G1,+} is the circled addition group that rank is q, and P is group G1In any generation unit;{G2, it is that rank is q Circulation multiplicative group, g is generation unit;Bilinear map maps e:G1×G1→G2, g=e (P, P) ∈ G2;Hash functions:H1:{0,1}*→G1,It is master key, P that KGC chooses spub=sP is public key;
Signer extracts its private keyPublic key is
Signer is randomly choosedAnd calculate z=H0(c) and R=rP, and R is sent to signature request person;
After signature request person receives R, blinding factor is randomly choosedAnd calculate z=H0(c), R '=α R,H '=H2(m, z, y), h=α-1(β-h '), and h is sent to signer;
After signer receives h, calculateAnd S is sent to signature request person;
Signature request person carries out work of casting off illiteracy, and calculates S '=α S, obtain the signature of message m and negotiation message c for σ=(y, h ', S′);
Verifier carries out signature verification.
2. Certificateless partially blind signature method as claimed in claim 1, it is characterised in that described to set up an open system ginseng Number params={ G1,G2,P,e,g,H0,H1,H2,PpubConcretely comprise the following steps:
According to security needs, the size of safety coefficient l and prime number q is determined, bilinear map e is met using elliptic curve construction:G1 ×G1→G2Circled addition group { G1,+} and circulation multiplicative group { G2,·};
Selection collisionless hash functionH1:{0,1}*→G1,
An integer s is randomly selected from the multiplication of integers group of mod q and the master key of center KGC is generated as private key, and calculate Ppub=sP is used as its corresponding public key;
Open systematic parameter { G1,G2,P,e,g,H0,H1,H2,Ppub, and preserved s as master key.
3. Certificateless partially blind signature method as claimed in claim 1, it is characterised in that the signer extracts its private key and isPublic key isConcretely comprise the following steps:
Input system parameter params, the identity ID of signerB, KGC calculatingAnd part Private keyIt is sent to signer;
According to the systematic parameter params and identity ID of signerB, signer random selectionAs its secret value;
According to systematic parameter params, the identity ID of signerB, part private keyAnd secret valueObtain signer Private key is
According to systematic parameter params, the identity ID of signerBAnd secret valueObtain the public key of signer
4. Certificateless partially blind signature method as claimed in claim 1, it is characterised in that the verifier carries out signature verification Specific steps include:
Verifier receives the message-signature of signer to (m, c, σ=(y, h ', S '));
Calculate z=H0(c),
Checking equation h '=H2Whether (m, z, y ') sets up, if it is, verifier just believes that (m, c, σ=(y, h ', S ')) is by signing Name person carries out effective Proxy Signature;
It is otherwise invalid.
5. A certificateless partially blind signature device, characterised by comprising:
System parameter establishment unit, for establishing the public system parameters params = {G1, G2, P, e, g, H0, H1, H2, Ppub};
Extraction unit, for the signer to extract its private key and public key;
Commitment unit, for randomly selecting and calculating z = H0(c) and R = rP, and sending R to the signature requester;
Blinding unit, for, after receiving R, randomly selecting the blinding factor and calculating z = H0(c), R′ = αR, h′ = H2(m, z, y), h = α^(-1)(β − h′), and sending h to the signer;
Partially blind signature unit, for, after receiving h, calculating and sending S to the signature requester;
Unblinding unit, for performing unblinding: calculating S′ = αS and obtaining the signature σ = (y, h′, S′) on the message m and the negotiated message c;
Verification unit, for performing signature verification.
6. The certificateless partially blind signature device according to claim 5, characterised in that the system parameter establishment unit comprises:
Construction module, for determining the size of the security parameter l and of the prime q, and using an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that satisfy the bilinear map e: G1 × G1 → G2;
Function selection module, for selecting collision-free hash functions H1: {0,1}* → G1,
Key module, for randomly selecting an integer s from the multiplicative group of integers modulo q as the master key of the private key generation center KGC, calculating Ppub = sP as its corresponding public key, publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub}, and keeping s as the master key.
7. The certificateless partially blind signature device according to claim 5, characterised in that the extraction unit comprises:
Partial private key generation module, for the KGC to calculate, according to the system parameters params and the signer's identity IDB, and to send the partial private key to the signer;
Secret value generation module, for randomly selecting, according to the system parameters params and the signer's identity IDB, as its secret value;
Private key module, for obtaining, according to the system parameters params, the signer's identity IDB, the partial private key and the secret value, the signer's private key as
Public key module, for obtaining, according to the system parameters params, the signer's identity IDB and the secret value, the signer's public key
8. The certificateless partially blind signature device according to claim 5, characterised in that the verification unit comprises:
Receiving module, for receiving the message-signature pair (m, c, σ = (y, h′, S′)) sent by the signature requester;
Computing module, for calculating z = H0(c),
Verification module, for checking whether the equation h′ = H2(m, z, y′) holds; if it does, the verifier accepts that (m, c, σ = (y, h′, S′)) is a valid blind signature made by the signer; otherwise it is invalid.
CN201611226746.XA 2016-12-27 2016-12-27 Certificate-free partial blind signature method and device Active CN106789019B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611226746.XA CN106789019B (en) 2016-12-27 2016-12-27 Certificate-free partial blind signature method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611226746.XA CN106789019B (en) 2016-12-27 2016-12-27 Certificate-free partial blind signature method and device

Publications (2)

Publication Number Publication Date
CN106789019A true CN106789019A (en) 2017-05-31
CN106789019B CN106789019B (en) 2020-01-17

Family

ID=58922071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611226746.XA Active CN106789019B (en) 2016-12-27 2016-12-27 Certificate-free partial blind signature method and device

Country Status (1)

Country Link
CN (1) CN106789019B (en)

Also Published As

Publication number Publication date
CN106789019B (en) 2020-01-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant