CN110492993B - Novel certificateless group signature method - Google Patents

Info

Publication number
CN110492993B
Authority
CN
China
Prior art keywords
group
signature
public
key
administrator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910669065.8A
Other languages
Chinese (zh)
Other versions
CN110492993A (en)
Inventor
李凤银
刘中兴
崔璨
王伊蕾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Houquantum Cryptography Technology Co.,Ltd.
Original Assignee
Qufu Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Abstract

The present invention proposes a group signature scheme suitable for anonymous communications. The signature scheme consists of five parts, namely Setup, Join, Sign, Verify and Revoke. The five parts form a whole and together realize efficient anonymous signing by group members. The invention meets the security requirements of a standard group signature and provides identity anonymity of signing members, integrity of signed information, unforgeability of signatures, high signing efficiency and the like.

Description

Novel certificateless group signature method
Technical Field
The invention belongs to the technical field of information security, and relates to a group signature technology.
Background
Since Camenisch and Stadler first proposed a group signature scheme applicable to large groups in 1997, group signature research has entered a very active period and produced a great many results. Group signatures have begun to be applied to fields such as the management of public resources, the issuance of important military information, the election of important leaders, the distribution of important e-commerce news, and the signing of financial contracts. Research on group signatures focuses on their security, efficiency and practicality, and spans several directions: secure and efficient group signature schemes, the interconversion between group signatures and ordinary digital signatures, and generalizations of group signatures such as hierarchical multi-group signatures, group blind signatures, multi-group signatures and sub-group signatures.
Current group signature schemes are not efficient, which seriously hinders the practical application of group signatures, so research on efficient group signature schemes is important for promoting their adoption. The invention realizes efficient anonymous signing within the group and ensures that messages are forwarded intact.
Disclosure of Invention
The invention aims to provide a group signature scheme, which consists of five parts and comprises the following operation steps:
The first step: the Key Distribution Center (KGC) first generates a system public/private key pair in response to a request from a group administrator. After the group administrator submits a group administrator application to the KGC, the KGC first verifies that the identity of the group administrator is legitimate, then generates a partial key for the group administrator and sends it to the group administrator through a secure channel. The group administrator receives the partial key sent by the KGC and from it generates its own public/private key pair. The group administrator's public/private key pair is set as the public/private key pair of the group; the group administrator transmits the group public key to the KGC through a secure channel, and the KGC publishes the public key in a public parameter list. An ordinary group member user interacts with the KGC through the same process to generate its own public and private keys.
The second step: the group member user sends a join request to the group administrator. After the administrator verifies that the identity of the group member user is legitimate, and if the user is allowed to enter the group, the administrator generates a group member credential cert_A for the group member user.
The third step: when a signature is required, group member user ID_A signs the message m using its signing key and the group member credential cert_A.
The fourth step: the public verifier of the group signature first checks whether the signing public key of the group member user is in the public revocation list of group members. If it is, the signature verification fails, the signature is ignored, and "reject" is output; otherwise, the verifier checks the validity of the group signature against the public parameters of the system.
The fifth step: a member user who wants to leave the group, and therefore needs its member credential revoked, first sends a leave-group request to the group administrator. After receiving the request, the administrator updates the group member list and adds the signing public key U_A of group member user ID_A to the public revocation list of group members.
The signature scheme is rapid and efficient, has high safety and high reliability, and achieves the following effects: the members in the group carry out signature on behalf of the group, and important characteristics such as integrity of the signature message, anonymity of the signature members, unforgeability of the signature and the like can be guaranteed.
Drawings
FIG. 1 is a flow chart detailing the interaction of members in the system.
Fig. 2 shows the system initialization phase: the interaction among the key distribution center KGC, the group administrator, and the group members.
Fig. 3 shows the interaction process between users in the joining phase and the signing and verifying phase of the group members.
Detailed Description
1. Setup phase:
The first step: input a security parameter l, a prime q (of length 2^l), a cyclic multiplicative group G of order q with generator g, and hash functions H_1: {0,1}* × G → Z_q and H_2: {0,1}* → Z_q. The KGC randomly selects
Figure GDA0003484478330000021
as the system key and computes
Figure GDA0003484478330000022
as the system public key. The system public parameters are params = (q, G, H_1, H_2, pk_sys), and the message to be signed is m ∈ {0,1}*.
The second step: the group administrator GM submits the group administrator application to the KGC. After verifying that the GM's identity ID_G is legitimate, the KGC first randomly selects
Figure GDA0003484478330000023
computes
Figure GDA0003484478330000024
and derives the partial key
Figure GDA0003484478330000025
The KGC transmits it to the GM through a secure channel.
The third step: the GM receives the partial key sent by the KGC
Figure GDA0003484478330000026
selects a random number
Figure GDA0003484478330000027
and computes
Figure GDA0003484478330000028
Figure GDA0003484478330000029
to obtain its own public/private key pair <pk_G, sk_G>. The public key of the GM is then
Figure GDA00034844783300000210
and the private key is
Figure GDA00034844783300000211
Figure GDA00034844783300000212
The fifth step: the public/private key pair of the group administrator is set as the public/private key pair of the group, so the group public key is
Figure GDA00034844783300000213
and the group private key is
Figure GDA00034844783300000214
The GM transmits the group public key to the KGC through a secure channel, and the KGC publishes the group public key in a public parameter list.
The sixth step: group member user ID_A interacts with the KGC in the same way to generate its own public and private keys. The public key is
Figure GDA00034844783300000215
Figure GDA00034844783300000216
and the private key is
Figure GDA00034844783300000217
2. Group member Join phase:
The first step: group member user ID_A first selects a signing key
Figure GDA00034844783300000218
computes the signing public key
Figure GDA00034844783300000219
and the hash value
Figure GDA00034844783300000220
Then (h, U_A, ID_A) is sent to the GM through a secure channel as the join request of group member ID_A.
The second step: after the GM receives the join request, it first checks whether the group member's public key U_A is in the public revocation list of group members. If U_A is present in the public revocation list, the GM ignores this join request. Otherwise, the GM verifies whether the equation
Figure GDA0003484478330000031
Figure GDA0003484478330000032
holds. If the equation holds, the GM generates for group member user ID_A the group member credential
Figure GDA0003484478330000033
and delivers cert_A to group member user ID_A over a secure channel, at the same time adding (ID_A, cert_A, U_A) to the group member list.
The third step: after receiving the member credential, group member user ID_A first verifies whether the equation
Figure GDA0003484478330000034
Figure GDA0003484478330000035
holds. If the equation holds, group member user ID_A stores cert_A securely and can thereafter use its own signing key and the member credential cert_A to produce group signatures on behalf of the group.
3. Signature Sign stage:
The first step: group member user ID_A signs the message m using the signing key h_A and the credential cert_A, computing h_1 = H_2(m || ID_G || U_A || pk_G) and σ = h_A h_1 + cert_A, and obtains the group signature (U_A, σ).
4. Group signature verification Verify stage:
The first step: the public verifier of the signed message first checks whether the signing public key U_A of group member user ID_A is in the public revocation list of group members. If U_A is in the public revocation list, the group member user is not a valid member of the group, so the group signature verification fails, the signature is ignored, and "reject" is output. Otherwise, the verifier checks, using the system public parameters, whether the equation
Figure GDA0003484478330000036
Figure GDA0003484478330000037
holds. If the equation holds, the signature is legitimate, the signature verification passes, and the verifier outputs "accept". Otherwise, "reject" is output.
5. Group member revocation Revoke phase:
The first step: group member user ID_A sends a leave-group request REQ to the GM.
The second step: the GM accepts the group member user's request to leave the group. It first updates the member list and then adds the U_A of group member user ID_A to the public revocation list of group members, thereby deleting and revoking the group member; from then on the group member user cannot produce group signatures on behalf of the group.
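The Sign, Verify and Revoke steps above, as an added Python example that is not part of the patent. Assumptions: H_2 is instantiated as SHA-512 reduced mod q over length-prefixed fields, arithmetic is in Z_q with the prime 2^255 - 19 as a constructed stand-in for q, and the verification equation, which the text above does not reproduce, is passed in as the hypothetical callable `equation_holds`.

```python
import hashlib
from typing import Callable, Set, Tuple

# Constructed sample modulus standing in for the group order q (assumption).
Q = 2**255 - 19

Signature = Tuple[bytes, int]  # the group signature (U_A, sigma)


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so m || ID_G || U_A || pk_G parses one way only.

    Plain concatenation would hash (m=b"ab", ID_G=b"c") and
    (m=b"a", ID_G=b"bc") to the same value.
    """
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def h2(m: bytes, id_g: bytes, u_a: bytes, pk_g: bytes, q: int = Q) -> int:
    """h_1 = H_2(m || ID_G || U_A || pk_G); H_2 assumed to be SHA-512 mod q."""
    digest = hashlib.sha512(encode_fields(m, id_g, u_a, pk_g)).digest()
    return int.from_bytes(digest, "big") % q


def sign(m: bytes, id_g: bytes, u_a: bytes, pk_g: bytes,
         h_a: int, cert_a: int, q: int = Q) -> Signature:
    """Sign step: sigma = h_A * h_1 + cert_A in Z_q; output (U_A, sigma)."""
    return u_a, (h_a * h2(m, id_g, u_a, pk_g, q) + cert_a) % q


class PublicVerifier:
    """Verify step: revocation list first, then the algebraic equation."""

    def __init__(self, id_g: bytes, pk_g: bytes,
                 equation_holds: Callable[[bytes, int, int], bool],
                 q: int = Q) -> None:
        self.id_g, self.pk_g, self.q = id_g, pk_g, q
        # Hypothetical stand-in for the patent's verification equation.
        self.equation_holds = equation_holds
        self.revoked: Set[bytes] = set()  # public revocation list of U_A values

    def revoke(self, u_a: bytes) -> None:
        """Revoke step: the GM adds U_A to the public revocation list."""
        self.revoked.add(u_a)

    def verify(self, m: bytes, signature: Signature) -> str:
        u_a, sigma = signature
        if u_a in self.revoked:          # revoked members fail before any algebra
            return "reject"
        if not 0 <= sigma < self.q:      # malformed sigma outside Z_q
            return "reject"
        h1 = h2(m, self.id_g, u_a, self.pk_g, self.q)
        return "accept" if self.equation_holds(u_a, sigma, h1) else "reject"


if __name__ == "__main__":
    # Constructed sample values; the oracle below knows the secrets and is
    # only a test double for the real, public verification equation.
    h_a, cert_a = 1234567, 7654321
    id_g, pk_g, u_a = b"GM-1", b"pkG-sample", b"UA-sample"
    oracle = lambda u, sigma, h1: sigma == (h_a * h1 + cert_a) % Q
    verifier = PublicVerifier(id_g, pk_g, oracle)
    sig = sign(b"pay 10", id_g, u_a, pk_g, h_a, cert_a)
    print(verifier.verify(b"pay 10", sig))   # untampered message
    print(verifier.verify(b"pay 99", sig))   # message modified in transit
    verifier.revoke(u_a)
    print(verifier.verify(b"pay 10", sig))   # same signature after revocation
```
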
Performance analysis of the invention
The group signature technology of the invention meets the security requirements of standard group signature such as message integrity, signature identity anonymity and signature non-forgeability.
1. Integrity of signed messages
The group signature technology provides an integrity check on data packets in transit. Assume that the signature sent by the sender is σ. If an attacker modifies the data packet during communication, then when the receiver verifies the received signature σ the verification fails, and the receiver directly discards the data packet. Conversely, by the verification process of the group signature, if the signature is found to be legitimate, this proves that the data packet received by the receiver has not been tampered with and is complete. That is, given the public parameter pk_sys, the group public key pk_G, the signer's signing public key U_A and m, the verifier computes h_1 = H_2(m || ID_G || U_A || pk_G) and then verifies that the following equation holds:
Figure GDA0003484478330000041
If the equation holds, the signature is legitimate and the signed message has not been tampered with in transit.
2. Anonymity of signature identity
For a legitimate group signature, it is not possible to open the group signature to determine the identity of the signing user even if the attacker owns the signing key. That is, an attacker cannot trace the true identity of a signer through limited computation. In the signature algorithm here, the group signature has the form (U_A, σ), where U_A and σ incorporate random components, so that no one other than the GM can learn the identity of the signer from the group signature (U_A, σ), and the anonymity of the signing user is guaranteed.
3. Non-forgeability of signatures
If the hash function H_1 is a random oracle, the group signature scheme of the present invention is unforgeable under the security assumption of the CDH (Computational Diffie-Hellman) problem.
A valid group signature can only be generated from a valid group member credential cert_ID and the corresponding signing key h_ID. Suppose an attacker intercepts the identity information and intends to forge a group signature that passes group signature verification. According to the above scheme, the attacker must first compute the hash value h_1 and must also know the signing key h_ID. Because the signing key h_ID is chosen at random by the user ID, and the group administrator GM uses its private key sk_G to sign the user's signing public key U_ID, thereby forming the group member credential cert_ID, the unforgeability of the group signature reduces to breaking the public-key cryptographic mechanism in polynomial time. Based on the hardness of the CDH problem, as long as the public-key cryptographic mechanism that generates the group administrator's public and private keys is not broken by an attacker, no attacker can forge a valid group signature that passes verification.

Claims (1)

1. A group signature method comprising five parts, with the following operation steps:
The first step: input a security parameter l, a cyclic multiplicative group G whose order is a prime q of length 2^l, a generator g of G, and hash functions H_1: {0,1}* × G → Z_q and H_2: {0,1}* → Z_q; the KGC randomly selects
Figure FDA0003502748060000011
as the system key and computes
Figure FDA0003502748060000012
as the system public key, so that the key distribution center KGC obtains the system public/private key pair
Figure FDA0003502748060000013
The system public parameters are params = (q, G, H_1, H_2, pk_sys), and the message to be signed is m ∈ {0,1}*. The KGC responds to the application of the group administrator GM; after the group administrator GM submits the group administrator application to the KGC, the KGC first verifies that the identity ID_G of the group administrator GM is legitimate and then randomly selects
Figure FDA0003502748060000014
generates for the group administrator GM the partial key
Figure FDA0003502748060000015
and transmits it to the group administrator GM through a secure channel; the group administrator GM receives the partial key sent by the KGC
Figure FDA0003502748060000016
and further generates its own public/private key pair <pk_G, sk_G>; the public key is
Figure FDA0003502748060000017
the private key is
Figure FDA0003502748060000018
wherein
Figure FDA0003502748060000019
Figure FDA00035027480600000110
the public/private key pair <pk_G, sk_G> of the group administrator GM is set as the public/private key pair of the group; the group administrator GM transmits the group public key pk_G to the KGC through a secure channel, and the KGC publishes it in a public parameter list; an ordinary group member user ID_A interacts with the KGC through the same process to generate its own public and private keys; the public key is
Figure FDA00035027480600000111
the private key is
Figure FDA00035027480600000112
The second step: group member user ID_A sends a join request (h, U_A, ID_A) to the group administrator GM, where the selected signing key is
Figure FDA00035027480600000113
the hash value is
Figure FDA00035027480600000114
and the signing public key is
Figure FDA00035027480600000115
The administrator GM verifies the identity of group member user ID_A; if the identity is legitimate and the GM agrees to admit group member user ID_A to the group, it generates for group member user ID_A the group member credential
Figure FDA00035027480600000116
The third step: when a signature is required, group member user ID_A signs the message m using the signing key h_A and the group member credential cert_A, computing h_1 = H_2(m || ID_G || U_A || pk_G) and σ = h_A h_1 + cert_A, and obtains the group signature (U_A, σ);
The fourth step: the public verifier of the group signature first checks whether the signing public key U_A of group member user ID_A is in the public revocation list of group members; if it is, the signature verification fails, the signature is ignored, and "reject" is output; otherwise, the verifier checks, using the system public parameters, the equation
Figure FDA00035027480600000117
and if it holds, the group signature is verified as valid;
The fifth step: a member user ID_A who wants to leave the group, and therefore needs its member credential cert_A revoked, first sends a leave-group request REQ to the group administrator GM; after the administrator GM receives the member's request to leave the group, it updates the group member list and adds the signing public key U_A of group member user ID_A to the public revocation list of group members.
CN201910669065.8A 2019-07-24 2019-07-24 Novel certificateless group signature method Active CN110492993B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910669065.8A CN110492993B (en) 2019-07-24 2019-07-24 Novel certificateless group signature method

Publications (2)

Publication Number Publication Date
CN110492993A CN110492993A (en) 2019-11-22
CN110492993B true CN110492993B (en) 2022-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221118

Address after: 311100 Room 1005-32, 10th Floor, Building H, Haichuang Park, CEC Haikang Group Co., Ltd., No. 198, Aicheng Street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Houquantum Cryptography Technology Co.,Ltd.

Address before: 273165 Jingxuan West Road, Qufu City, Jining, Shandong Province, No. 57

Patentee before: QUFU NORMAL University