CN111064581A - Privacy protection method and system with connection capability - Google Patents


Publication number
CN111064581A
Authority
CN
China
Prior art keywords
signer
key
signature
modp
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911385217.8A
Other languages
Chinese (zh)
Other versions
CN111064581B (en)
Inventor
容晓峰
曹子建
刁振军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Technological University
Original Assignee
Xian Technological University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Xian Technological University
Priority to CN201911385217.8A
Publication of CN111064581A
Application granted
Publication of CN111064581B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a privacy protection method and system with connection capability. First, keys are generated, comprising a group public key, a group member issuing key and the signature key of a signer; then a signature is produced with the generated keys, either by one signer alone or jointly by a main signer and an assistant signer; finally, the resulting signature is verified.

Description

Privacy protection method and system with connection capability
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a privacy protection method and system with connection capability.
Background
Information security is a comprehensive discipline that draws on computer technology, network technology, communication technology, number theory, finite fields and other disciplines. It mainly studies how to guarantee the confidentiality, integrity and non-repudiation of information during transmission, so as to prevent the information from being forged, counterfeited, tampered with or maliciously attacked in transit.
In recent years, with the development of science and technology, countries' requirements for information security have grown ever higher, and information security has become more and more important to every aspect of a country. Network information security is one of the key issues in the field of information security. How to prevent private information from being illegally intercepted or modified in a network environment, or an identity from being impersonated, is an important problem that urgently needs to be solved in the field of network security.
Disclosure of Invention
The invention aims to provide a privacy protection method and system with connection capability that overcome the defects of the prior art. In designing the anonymous signature mechanism, the method adds a connection function, which can be used when necessary to judge whether two anonymous signers are the same entity; the entities include but are not limited to individuals, devices and the like that have identity information. The invention has broad application prospects at home and abroad.
In order to achieve this purpose, the invention adopts the following technical scheme:
A privacy protection method with connection capability, comprising the steps of:
step 1, generating keys, including generating a group public key, a group member issuing key and the signature key of a signer;
step 2, signing with the keys generated in step 1, either by one signer alone or jointly by a main signer and an assistant signer;
step 3, verifying the signature generated in step 2.
Further, the process of generating the group public key and the group member issuing key in step 1 is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime $p$ and the corresponding bilinear function $e: G_1 \times G_2 \to G_T$,
where $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, where $P_1$ is a random element of $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, where $P_2$ is a random element of $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, where $Z_p$ denotes the set of integers in $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate $W = [y]P_2$, where $Z_p^*$ denotes the set of integers in $[1, p-1]$ and $[y]P_2$ is the multiplication operation on the elliptic curve, representing the addition of $y$ copies of $P_2$;
step 1.1.7, calculate $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, where $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, where $H_2$ is a hash function used to generate elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
Further, the process of generating the signing key of the signer in step 1 is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, where $n_I$ is an integer of length $t$ and $t$ is the security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
where $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1+f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it equals 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
where $x_{R_4}$ denotes the abscissa of the point $R_4$ and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue to step 1.2.11; otherwise the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the signer's member certificate $(A, x)$ and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue to step 1.2.15; otherwise the process terminates;
step 1.2.15, the signer's signature key is: $(f, A, x)$.
Further, when one signer signs in step 2, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the signer's member signing key $(f, A, x)$; the linking base bsn; and the message $m \in \{0,1\}^*$. The signer uses its group member signing key to perform the following steps and compute an anonymous signature on the given message:
step 2.1.1, select a random element $J$ from $G_1$;
step 2.1.2, the signer calculates: $K = [f]J$;
step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$, where "·" denotes multiplication;
step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
step 2.1.7, the signer calculates:
Figure BDA0002343406790000041
step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
step 2.1.11, the signer calculates:
Figure BDA0002343406790000043
$s_1 = (1+f)^{-1} \cdot (r_f - r_1 \cdot f) \bmod p$;
wherein
Figure BDA0002343406790000042
represents the abscissa of the point $R_1$;
step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
Further, when the main signer and the assistant signer sign jointly in step 2, the inputs are: ① the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; ② the signer's member signing key $(f, A, x)$; ③ the linking base bsn; ④ the message $m \in \{0,1\}^*$. The method comprises the following steps:
step 2.2.1, the main signer holds the group member private key $f$, and the assistant signer holds $(A, x)$;
step 2.2.2, select a random element $J$ from $G_1$;
step 2.2.3, the main signer calculates: $K = [f]J$;
step 2.2.4, the main signer randomly selects 1 integer from $Z_p^*$: $r_f$;
step 2.2.5, the main signer calculates: $R_1 = [r_f]J$, $R_{2t} = [r_f]Q_1$;
step 2.2.6, the main signer sends $(J, K, R_1, R_{2t})$ to the assistant signer;
step 2.2.7, the assistant signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
step 2.2.8, the assistant signer calculates: $T = A + [a]Q_2$;
step 2.2.9, the assistant signer randomly selects 3 integers from $Z_p^*$: $r_x$, $r_a$, $r_b$;
step 2.2.10, the assistant signer calculates:
Figure BDA0002343406790000051
step 2.2.11, the assistant signer calculates:
$c_h = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2)$
step 2.2.12, the assistant signer sends $c_h$ to the main signer;
step 2.2.13, the main signer selects a random number $n_T \in \{0,1\}^t$;
step 2.2.14, the main signer calculates: $c = H_1(c_h \| n_T \| m)$;
step 2.2.15, the main signer calculates: $s_f = (r_f + c \cdot f) \bmod p$;
step 2.2.16, the main signer calculates:
Figure BDA0002343406790000053
$s_2 = (1+f)^{-1} \cdot (r_f - r_1 \cdot f) \bmod p$;
wherein
Figure BDA0002343406790000052
represents the abscissa of the point $R_1$;
step 2.2.17, the main signer sends $(c, n_T, s_f, r_2, s_2)$ to the assistant signer;
step 2.2.18, the assistant signer calculates:
$s_x = (r_x + c \cdot x) \bmod p$
$s_a = (r_a + c \cdot a) \bmod p$
$s_b = (r_b + c \cdot b) \bmod p$
step 2.2.19, the assistant signer outputs the anonymous signature value: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$.
Further, when the signature obtained in step 2 is verified in step 3, the inputs are: the message $m$; the linking base bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\mathrm{bsn})$ holds; if it holds, continue to step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
step 3.5, the verifier calculates:
Figure BDA0002343406790000061
step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$;
and verifies the equation for $t_3$; if it holds, the verification does not pass; otherwise the verification passes;
step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$,
Figure BDA0002343406790000062
and verifies the equation $r_5 = r_2$; if it holds, the verification passes; otherwise the verification does not pass;
step 3.9, if the verification did not pass in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise output 1 to indicate that the signature is valid.
Further, the method also comprises judging whether two signatures were signed by the same signer, specifically: the connection process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the signature linker performs the following process to complete the connection: if $J = J'$ and $K = K'$, output 1, indicating that the connection succeeds, i.e. the two signatures were signed by the same signer; otherwise output 0, indicating that the connection is invalid, i.e. the two signatures were not signed by the same signer.
A privacy protection system with connection capability comprises a key generation module, a signature module and a verification module;
a key generation module: for generating the group public key, the group member issuing key and the signature key of the signer;
a signature module: for signing based on the generated keys, including signing by one signer and joint signing by a main signer and an assistant signer;
a verification module: for verifying the resulting signature.
Compared with the prior art, the invention has the following beneficial technical effects:
The parameters used in generating the digital signature are completely random, and an attacker cannot compute the identity of the signer, which ensures the anonymity of the signature. In addition, apart from the signer, no group member, including the group administrator, can generate a valid signature in another member's name, so the invention can resist framing attacks. The connection function provided by the invention can judge, when necessary, whether two signers are the same entity, thereby determining the relationship between two anonymous signatures and providing an interface for supervision while protecting privacy.
Detailed Description
Embodiments of the invention are described in further detail below:
The symbols used in the present invention are as follows:
(1) $p$: a large prime number.
(2) $G_1$: an additive cyclic group of order $p$ on the elliptic curve.
(3) $G_2$: an additive cyclic group of order $p$ on the elliptic curve.
(4) $G_T$: a multiplicative cyclic group of order $p$.
(5) $e$: the bilinear function $G_1 \times G_2 \to G_T$.
(6) $P_1$: a random element of $G_1$.
(7) $P_2$: a random element of $G_2$.
(8) $m$: the message to be signed.
(9) $Z_p$: the set of integers in $[0, p-1]$.
(10) $Z_p^*$: the set of integers in $[1, p-1]$.
(11) $H$: a hash function.
(12) bsn: the linking base.
(13) $\|$: $X \| Y$ denotes the result of concatenating data items $X$ and $Y$ in the specified order.
(14) $[n]P$: multiplication on the elliptic curve, representing $n$ additions of $P$.
(15) $t$: a security parameter.
(16) $Q_1$, $Q_2$, $A$, $F$, $R$, $J$, $K$, $J'$, $K'$, $R_1$, $R_{2t}$, $R_3$: elements of $G_1$.
(17) $W$: an element of $G_2$.
(18) $T_1$, $T_2$, $T_3$, $T_4$, $R_2$: elements of $G_T$.
(19) $y$, $f$, $f'$, $x$, $r$, $c$, $c_1$, $c_h$, $a$, $b$, $r_f$, $r_x$, $r_a$, $r_b$, $s_f$, $s_x$, $s_a$, $s_b$, $u$, $v$, $r_u$, $r_v$, $s_u$, $s_v$: elements of $Z_p$; all elements of $Z_p$ other than 0 also belong to $Z_p^*$.
(20) $n_I$, $n_V$, $n_T$: integers $t$ bits long.
(21) $H_1$: a hash function used to generate elements of $Z_p$.
(22) $H_2$: a hash function used to generate elements of $Z_p^*$.
A privacy protection method with connection capability, comprising the steps of:
Step 1, generating keys, including generating a group public key, a group member issuing key and the signature key of a signer;
the process of generating the group public key and the group member issuing key is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime $p$ and the corresponding bilinear function $e: G_1 \times G_2 \to G_T$,
where $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, where $P_1$ is a random element of $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, where $P_2$ is a random element of $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, where $Z_p$ denotes the set of integers in $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate $W = [y]P_2$, where $Z_p^*$ denotes the set of integers in $[1, p-1]$;
step 1.1.7, calculate $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, where $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, where $H_2$ is a hash function used to generate elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
The process of generating the signer's signing key is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, where $n_I$ is an integer of length $t$ and $t$ is the security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
where $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1+f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it equals 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
where $x_{R_4}$ denotes the abscissa of the point $R_4$ and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue to step 1.2.11; otherwise the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the signer's member certificate $(A, x)$ and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue to step 1.2.15; otherwise the process terminates;
step 1.2.15, the signer's signature key is: $(f, A, x)$.
Step 2, signing with the keys generated in step 1, either by one signer alone or jointly by a main signer and an assistant signer;
when one signer signs, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the signer's member signing key $(f, A, x)$; the linking base bsn; and the message $m \in \{0,1\}^*$. The signer uses its group member signing key to perform the following steps and compute an anonymous signature on the given message:
step 2.1.1, select a random element $J$ from $G_1$;
step 2.1.2, the signer calculates: $K = [f]J$;
step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
step 2.1.7, the signer calculates:
Figure BDA0002343406790000111
step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
step 2.1.11, the signer calculates:
Figure BDA0002343406790000113
$s_1 = (1+f)^{-1} \cdot (r_f - r_1 \cdot f) \bmod p$
wherein
Figure BDA0002343406790000114
represents the abscissa of the point $R_1$;
step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
Step 3, verifying the signature generated in step 2. The inputs for verification are: the message $m$; the linking base bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\mathrm{bsn})$ holds; if it holds, continue to step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
step 3.5, the verifier calculates:
Figure BDA0002343406790000122
step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$;
and verifies the equation for $t_3$; if it holds, the verification does not pass; otherwise the verification passes;
step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$,
Figure BDA0002343406790000124
and verifies the equation $r_5 = r_2$; if it holds, the verification passes; otherwise the verification does not pass;
step 3.9, if the verification did not pass in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise output 1 to indicate that the signature is valid.
When it is necessary to determine whether two signatures were signed by the same signer, the following is performed: the connection process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the signature linker performs the following process to complete the connection: if $J = J'$ and $K = K'$, output 1, indicating that the connection succeeds, i.e. the two signatures were signed by the same signer; otherwise output 0, indicating that the connection is invalid, i.e. the two signatures were not signed by the same signer.
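The proof exchanged in steps 1.2.3 to 1.2.10 and the connection rule above use only $G_1$ arithmetic, so both can be exercised without a pairing library. The following is an added example, not the patent's implementation: it assumes secp256k1 as a stand-in for $G_1$, SHA-256 for $H_1$, a try-and-increment map from bsn to $J$, and, because $R$ is not part of the transmitted $(F, c, s)$, that the publisher hashes its recomputed $R_4$ and accepts when $c_1 = c$.

```python
import hashlib
import secrets

# ASSUMPTION: secp256k1 stands in for the page's G1 (prime order N, cofactor 1).
# It is not pairing-friendly; the steps shown here need only G1 arithmetic.
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Q1 = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
PARAMS = b"constructed-group-parameters"  # stands for p||P1||P2||Q1||Q2||W


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add (not constant time)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def h1(*parts):
    """H1: length-prefixed SHA-256 over the parts, reduced into Z_p."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % N


def join_request(n_i):
    """Signer, steps 1.2.3-1.2.8: returns private f and the message (F, c, s)."""
    f = secrets.randbelow(N - 2) + 1      # 1..N-2, so (1 + f) is invertible
    r = secrets.randbelow(N - 1) + 1
    F, R = mul(f, Q1), mul(r, Q1)
    c = (h1(PARAMS, F, R, n_i) + R[0]) % N
    s = pow(1 + f, -1, N) * (r - c * f) % N
    return f, (F, c, s)


def issuer_verify(n_i, F, c, s):
    """Publisher, steps 1.2.9-1.2.10. ASSUMPTION: R is not in (F, c, s), so the
    recomputed R4 is hashed in its place and the check is read as c1 == c."""
    t1 = (c + s) % N
    if t1 == 0:
        return False
    R4 = add(mul(s, Q1), mul(t1, F))      # equals [r]Q1 for an honest signer
    if R4 is None:
        return False
    return (h1(PARAMS, F, R4, n_i) + R4[0]) % N == c


def hash_to_g1(bsn):
    """ASSUMPTION: try-and-increment map of bsn onto the curve, used for J."""
    ctr = 0
    while True:
        d = hashlib.sha256(b"H2" + ctr.to_bytes(4, "big") + bsn).digest()
        x = int.from_bytes(d, "big") % P_FIELD
        y2 = (pow(x, 3, P_FIELD) + 7) % P_FIELD
        y = pow(y2, (P_FIELD + 1) // 4, P_FIELD)
        if y * y % P_FIELD == y2:
            return (x, y)
        ctr += 1


def link_tag(f, bsn):
    """The (J, K) part of a signature: J derived from bsn, K = [f]J."""
    J = hash_to_g1(bsn)
    return J, mul(f, J)


def linked(sig_a, sig_b):
    """Connection rule from the page: output 1 iff J = J' and K = K'."""
    return sig_a[0] == sig_b[0] and sig_a[1] == sig_b[1]


def demo():
    n_i = secrets.token_bytes(16)         # constructed temporary value n_I
    f, (F, c, s) = join_request(n_i)
    return {
        "fresh": issuer_verify(n_i, F, c, s),
        "replayed": issuer_verify(secrets.token_bytes(16), F, c, s),
        "same_bsn": linked(link_tag(f, b"svc-A"), link_tag(f, b"svc-A")),
        "other_bsn": linked(link_tag(f, b"svc-A"), link_tag(f, b"svc-B")),
    }


if __name__ == "__main__":
    print(demo())
```

The `replayed` result shows what the temporary value $n_I$ buys: the same $(F, c, s)$ is rejected under a different $n_I$. The `other_bsn` result shows that one key $f$ is connectable only across signatures that share a bsn.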
The invention also provides a privacy protection system with connection capability for realizing the method, which comprises a key generation module, a signature module and a verification module;
a key generation module: for generating the group public key, the group member issuing key and the signature key of the signer;
a signature module: for signing based on the generated keys, including signing by one signer and joint signing by a main signer and an assistant signer;
a verification module: for verifying the resulting signature.
The anonymous signature mechanism is a basic information security technology. It can provide privacy protection for entities in a network environment and is the core technology most commonly used in academia and industry to protect private information. The anonymous signature mechanism can provide security guarantees for various network applications without exposing the real identity of a user, and when a supervisory authority requires it, a special interface can be used to judge whether two signatures come from the same entity, so that the identity of the entity can be further determined.
The technical scheme of the invention is implemented in C on a Linux system, with a total of 2808 lines of code. When the program runs, the CPU occupancy is 12.3%, 4824 KB of RAM is occupied, and 41320 KB of ROM is occupied. Signing takes 0.04 seconds and signature verification takes 0.048 seconds. The scheme is based on elliptic curve cryptography and is characterized by short keys, high security and low time consumption for the whole digital signature, giving it high security and practicality.

Claims (8)

1. A privacy protection method with connection capability, comprising the steps of:
step 1, generating keys, including generating a group public key, a group member issuing key and the signature key of a signer;
step 2, signing with the keys generated in step 1, either by one signer alone or jointly by a main signer and an assistant signer;
step 3, verifying the signature generated in step 2.
2. The privacy protection method with connection capability as claimed in claim 1, wherein the process of generating the group public key and the group member issuing key in step 1 is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime $p$ and the corresponding bilinear function $e: G_1 \times G_2 \to G_T$,
where $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, where $P_1$ is a random element of $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, where $P_2$ is a random element of $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, where $Z_p$ denotes the set of integers in $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate $W = [y]P_2$, where $Z_p^*$ denotes the set of integers in $[1, p-1]$ and $[y]P_2$ is the multiplication operation on the elliptic curve, representing the addition of $y$ copies of $P_2$;
step 1.1.7, calculate $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, where $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output:
the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, where $H_2$ is a hash function used to generate elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
3. The method according to claim 2, wherein the process of generating the signing key of the signer in step 1 is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, where $n_I$ is an integer of length $t$ and $t$ is the security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
where $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1+f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it equals 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
wherein
Figure FDA0002343406780000021
represents the abscissa of the point $R_4$, and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue to step 1.2.11; otherwise the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the signer's member certificate $(A, x)$ and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue to step 1.2.15; otherwise the process terminates;
step 1.2.15, the signer's signature key is: $(f, A, x)$.
4. The privacy protection method with the connection capability according to claim 3, characterized in that, when one signer signs in step 2, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the signer's member signing key $(f, A, x)$; a connection base bsn; and a message $m \in \{0, 1\}^*$. The signer uses its group member signing key to perform the following steps to compute an anonymous signature on the message:
Step 2.1.1, randomly select $J$ from $G_1$;
Step 2.1.2, the signer calculates: $K = [f]J$;
Step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$, where "·" denotes multiplication;
Step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
Step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
Step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
Step 2.1.7, the signer calculates:
Figure FDA0002343406780000031
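Step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
Step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
Step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
Step 2.1.11, the signer calculates: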
Figure FDA0002343406780000043
$s_1 = (1 + f)^{-1} \cdot (r_f - r_1 \cdot f) \bmod p$
where
Figure FDA0002343406780000041
denotes the abscissa of point $R_1$;
Step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
5. The method of claim 4, wherein, when the master signer and the assistant signer jointly sign in step 2, the inputs are: ① the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; ② the signer's member signature key $(f, A, x)$; ③ the connection base bsn; ④ a message $m \in \{0, 1\}^*$; and the method comprises the following steps:
Step 2.2.1, the master signer holds the group member private key $f$, and the assistant signer holds $(A, x)$;
Step 2.2.2, randomly select $J$ from $G_1$;
Step 2.2.3, the master signer calculates: $K = [f]J$;
Step 2.2.4, the master signer randomly selects 1 integer from $Z_p^*$: $r_f$;
Step 2.2.5, the master signer calculates: $R_1 = [r_f]J$, $R_{2t} = [r_f]Q_1$;
Step 2.2.6, the master signer sends $(J, K, R_1, R_{2t})$ to the assistant signer;
Step 2.2.7, the assistant signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
Step 2.2.8, the assistant signer calculates: $T = A + [a]Q_2$;
Step 2.2.9, the assistant signer randomly selects 3 integers from $Z_p^*$: $r_x$, $r_a$, $r_b$;
Step 2.2.10, the assistant signer calculates:
Figure FDA0002343406780000042
Step 2.2.11, the assistant signer calculates:
$c_h = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2)$
Step 2.2.12, the assistant signer sends $c_h$ to the master signer;
Step 2.2.13, the master signer selects a random number $n_T \in \{0, 1\}^t$;
Step 2.2.14, the master signer calculates: $c = H_1(c_h \| n_T \| m)$;
Step 2.2.15, the master signer calculates: $s_f = (r_f + c \cdot f) \bmod p$;
Step 2.2.16, the master signer calculates:
Figure FDA0002343406780000051
$s_2 = (1 + f)^{-1} \cdot (r_f - r_1 \cdot f) \bmod p$;
where
Figure FDA0002343406780000052
denotes the abscissa of point $R_1$;
Step 2.2.17, the master signer sends $(c, n_T, s_f, r_2, s_2)$ to the assistant signer;
Step 2.2.18, the assistant signer calculates:
$s_x = (r_x + c \cdot x) \bmod p$
$s_a = (r_a + c \cdot a) \bmod p$
$s_b = (r_b + c \cdot b) \bmod p$
Step 2.2.19, the assistant signer outputs the anonymous signature value: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$.
6. The privacy protection method with the connection capability according to claim 5, wherein, when the signature obtained in step 2 is verified in step 3, the inputs are: a message $m$; a connection base bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
Step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
Step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
Step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\text{bsn})$ holds; if it holds, continue to step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
Step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
Step 3.5, the verifier calculates:
Figure FDA0002343406780000053
Step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
Step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$;
and checks whether the equation $t_3 = 0$ holds: if it holds, the verification fails; otherwise the verification passes;
Step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$,
Figure FDA0002343406780000061
and checks whether the equation $r_5 = r_2$ holds: if it holds, the verification passes; otherwise the verification fails;
Step 3.9, if the verification fails in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise, output 1 to indicate that the signature is valid.
7. The privacy protection method with the connection capability according to claim 6, further comprising determining whether two signatures were signed by the same signer, specifically: the connection process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the party connecting the signatures performs the following process: if $J = J'$ and $K = K'$, output 1 to indicate that the connection is successful, i.e. the two signatures were signed by the same signer; otherwise output 0 to indicate that the connection is invalid, i.e. the two signatures were not signed by the same signer.
8. A privacy protection system with connection capability, for implementing the privacy protection method with the connection capability according to any one of claims 1 to 7, comprising a key generation module, a signature module and a verification module;
the key generation module: for generating the group public key, the group member issuing key and the signer's signature key;
the signature module: for signing based on the generated key, including signing by one signer and joint signing by a master signer and an assistant signer;
the verification module: for verifying the resulting signature.
CN201911385217.8A 2019-12-28 2019-12-28 Privacy protection method and system with connection capability Active CN111064581B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911385217.8A CN111064581B (en) 2019-12-28 2019-12-28 Privacy protection method and system with connection capability

Publications (2)

Publication Number Publication Date
CN111064581A true CN111064581A (en) 2020-04-24
CN111064581B CN111064581B (en) 2022-11-08

Family

ID=70304427

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911385217.8A Active CN111064581B (en) 2019-12-28 2019-12-28 Privacy protection method and system with connection capability

Country Status (1)

Country Link
CN (1) CN111064581B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001166687A (en) * 1999-09-29 2001-06-22 Hitachi Software Eng Co Ltd Group signature generating method and system
US20090129600A1 (en) * 2007-11-15 2009-05-21 Brickell Ernie F Apparatus and method for a direct anonymous attestation scheme from short-group signatures
CN101977110A (en) * 2010-10-09 2011-02-16 北京航空航天大学 Group signature method based on elliptic curve
US20120084567A1 (en) * 2010-10-04 2012-04-05 Electronics And Telecommunications Research Institute Group signature system and method providing controllable linkability
CN109413078A (en) * 2018-11-07 2019-03-01 沈阳工业大学 A kind of anonymous authentication scheme based on group ranking under master pattern
CN109600233A (en) * 2019-01-15 2019-04-09 西安电子科技大学 Group ranking mark based on SM2 Digital Signature Algorithm signs and issues method
WO2019174404A1 (en) * 2018-03-14 2019-09-19 西安西电捷通无线网络通信股份有限公司 Digital group signature method, device and apparatus, and verification method, device and apparatus
CN110603783A (en) * 2017-05-05 2019-12-20 区块链控股有限公司 Secure dynamic threshold signature scheme using trusted hardware

Also Published As

Publication number Publication date
CN111064581B (en) 2022-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant