CN111064581A - Privacy protection method and system with connection capability
Publication number: CN111064581A
Application number: CN201911385217.8A
Authority: CN (China)
Legal status: Granted
Abstract
The invention discloses a privacy protection method and system with connection capability. A key is generated first, comprising a group public key, a group member issuing key and a signing key of a signer; signing is then performed according to the generated key, either by one signer or jointly by a main signer and an assistant signer; finally, the obtained signature is verified.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a privacy protection method and system with connection capability.
Background
Information security is a comprehensive discipline relating to computer technology, network technology, communication technology, number theory, finite field and other disciplines. The method mainly researches how to guarantee the confidentiality, the integrity and the non-repudiation of the information in the information transmission process so as to prevent the information from being forged, counterfeited, tampered, maliciously attacked and the like in the information transmission process.
In recent years, with the development of scientific technology, the security requirements of various countries on information are higher and higher, and the information security becomes more and more important for various aspects of a country. Network information security issues are one of the many key issues in the field of information security. How to prevent the privacy information from being illegally intercepted and modified in the network environment and even being impersonated as an identity is an important issue to be solved urgently in the field of network security.
Disclosure of Invention
The invention aims to provide a privacy protection method and system with connection capability that overcome the defects of the prior art. In designing the anonymous signature mechanism, the method adds a connection function to it, which can be used, when necessary, to judge whether two anonymous signers are the same entity. The entities include, but are not limited to, individuals and equipment with identity information. The method has wide application prospects at home and abroad.
In order to achieve the purpose, the invention adopts the following technical scheme:
a privacy protection method with connectivity capability, comprising the steps of:
step 1, generating a key, including generating a group public key, a group member issuing key and a signature key of a signer;
step 2, signing according to the key generated in the step 1, wherein the signing comprises signing by a signer and common signing by a main signer and an assistant signer;
step 3, verifying the signature generated in the step 2.
Further, the process of generating the group public key and the group member issuing key in step 1 is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime number $p$ and a corresponding bilinear function $e: G_1 \times G_2 \to G_T$;
wherein $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, wherein $P_1$ is a random number in $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, wherein $P_2$ is a random number in $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, wherein $Z_p$ denotes the set of integers $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate: $W = [y]P_2$, wherein $Z_p^*$ denotes the set of integers $[1, p-1]$ and $[y]P_2$ is the multiplication operation on the elliptic curve, representing the addition of $y$ copies of $P_2$;
step 1.1.7, calculate: $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, wherein $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, wherein $H_2$ is a hash function for generating elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
Further, the process of generating the signing key of the signer in step 1 is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, wherein $n_I$ is an integer of length $t$ and $t$ is a security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
wherein $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1 + f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it is equal to 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
wherein $x_{R_4}$ denotes the abscissa of the point $R_4$ and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue with step 1.2.11; otherwise, the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the member certificate $(A, x)$ of the signer and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue with step 1.2.15; otherwise the process terminates;
step 1.2.15, the signing key of the signer is: $(f, A, x)$.
Further, when one signer signs in step 2, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the member signing key $(f, A, x)$ of the signer; a linker bsn; and a message $m \in \{0,1\}^*$. The signer uses its group member signing key to perform the following steps to compute an anonymous signature for a particular message:
step 2.1.1, select a random number $J$ from $G_1$;
step 2.1.2, the signer calculates: $K = [f]J$;
step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$, wherein "$\cdot$" denotes multiplication;
step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
Further, when the main signer and the assistant signer jointly sign in step 2, the inputs are: ① the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; ② the member signing key $(f, A, x)$ of the signer; ③ the connection base bsn; ④ a message $m \in \{0,1\}^*$. The method comprises the following steps:
step 2.2.1, the main signer owns the group member private key $f$, and the assistant signer owns $(A, x)$;
step 2.2.2, select a random number $J$ from $G_1$;
step 2.2.3, the main signer calculates: $K = [f]J$;
step 2.2.4, the main signer randomly selects 1 integer from $Z_p^*$: $r_f$;
step 2.2.5, the main signer calculates: $R_1 = [r_f]J$, $R_{2t} = [r_f]Q_1$;
step 2.2.6, the main signer sends $(J, K, R_1, R_{2t})$ to the assistant signer;
step 2.2.7, the assistant signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
step 2.2.8, the assistant signer calculates: $T = A + [a]Q_2$;
step 2.2.9, the assistant signer randomly selects 3 integers from $Z_p^*$: $r_x$, $r_a$, $r_b$;
step 2.2.11, the assistant signer calculates:
$c_h = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2)$
step 2.2.12, the assistant signer sends $c_h$ to the main signer;
step 2.2.13, the main signer selects a random number $n_T \in \{0,1\}^t$;
step 2.2.14, the main signer calculates: $c = H_1(c_h \| n_T \| m)$;
step 2.2.15, the main signer calculates: $s_f = (r_f + c \cdot f) \bmod p$;
step 2.2.17, the main signer sends $(c, n_T, s_f, r_2, s_2)$ to the assistant signer;
step 2.2.18, the assistant signer calculates:
$s_x = (r_x + c \cdot x) \bmod p$
$s_a = (r_a + c \cdot a) \bmod p$
$s_b = (r_b + c \cdot b) \bmod p$
step 2.2.19, the assistant signer outputs the anonymous signature value: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$.
Further, when the signature obtained in step 2 is verified in step 3, the inputs are: a message $m$; a linker bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\text{bsn})$ holds; if it holds, continue with step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$, and checks the equation for $t_3$: if it holds, the verification is not passed; otherwise, the verification is passed;
step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$, and verifies the equation $r_5 = r_2$; if it holds, the verification is passed; otherwise, the verification is not passed;
step 3.9, if the verification is not passed in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise, output 1 to indicate that the signature is valid.
Further, the method further comprises judging whether two signatures are signed by the same signer, specifically: the join process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the signature joiner performs the following process to complete the connection: if $J = J'$ and $K = K'$, output 1 to indicate that the connection is successful, namely that the two signatures are signed by the same signer; otherwise output 0 to indicate that the connection is invalid, namely that the two signatures are not signed by the same signer.
A privacy protection system with connection capability comprises a key generation module, a signature module and a verification module;
a key generation module: the group public key, the group member issuing key and the signature key of the signer are generated;
a signature module: for signing based on the generated key, including signing by one signer and common signing by a master signer and an assistant signer;
a verification module: for verifying the resulting signature.
Compared with the prior art, the invention has the following beneficial technical effects:
the parameters used in the process of generating the digital signature are completely random, and an attacker cannot calculate the identity of the signer, so that the anonymity of the signature is ensured. In addition, in the invention, except the signer, any group member including the group administrator cannot generate legal signature on the name of other people, and the invention has the capability of preventing the damage attack. The connection function provided by the invention can judge whether two signatories are the same entity or not when necessary, thereby determining the relationship between two anonymous signatures and providing an interface for supervision while protecting privacy.
Detailed Description
Embodiments of the invention are described in further detail below:
the symbols used in the present invention are as follows:
(1) $p$: a large prime number.
(2) $G_1$: an additive cyclic group of order $p$ on the elliptic curve.
(3) $G_2$: an additive cyclic group of order $p$ on the elliptic curve.
(4) $G_T$: a multiplicative cyclic group of order $p$.
(5) $e$: bilinear function, $G_1 \times G_2 \to G_T$.
(6) $P_1$: a random number in $G_1$.
(7) $P_2$: a random number in $G_2$.
(8) $m$: a message to be signed.
(9) $Z_p$: the set of integers $[0, p-1]$.
(10) $Z_p^*$: the set of integers $[1, p-1]$.
(11) $H$: a hash function.
(12) bsn: a linking group.
(13) $\|$: $X \| Y$ represents the result of concatenating data items $X$ and $Y$ in the specified order.
(14) $[n]P$: multiplication on an elliptic curve, representing the addition of $n$ copies of $P$.
(15) $t$: a security parameter.
(16) $Q_1$, $Q_2$, $A$, $F$, $R$, $J$, $K$, $J'$, $K'$, $R_1$, $R_{2t}$, $R_3$: elements of $G_1$.
(17) $W$: an element of $G_2$.
(18) $T_1$, $T_2$, $T_3$, $T_4$, $R_2$: elements of $G_T$.
(19) $y$, $f$, $f'$, $x$, $r$, $c$, $c_1$, $c_h$, $a$, $b$, $r_f$, $r_x$, $r_a$, $r_b$, $s_f$, $s_x$, $s_a$, $s_b$, $u$, $v$, $r_u$, $r_v$, $s_u$, $s_v$: elements of $Z_p$; all elements of $Z_p$ other than 0 also belong to $Z_p^*$.
(20) $n_I$, $n_V$, $n_T$: integers $t$ bits long.
(21) $H_1$: a hash function for generating elements of $Z_p$.
(22) $H_2$: a hash function for generating elements of $Z_p^*$.
A privacy protection method with connectivity capability, comprising the steps of:
step 1, generating a key, including generating a group public key, a group member issuing key and a signature key of a signer;
the process of generating the group public key and the group member issuing key is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime number $p$ and a corresponding bilinear function $e: G_1 \times G_2 \to G_T$;
wherein $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, wherein $P_1$ is a random number in $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, wherein $P_2$ is a random number in $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, wherein $Z_p$ denotes the set of integers $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate: $W = [y]P_2$, wherein $Z_p^*$ denotes the set of integers $[1, p-1]$;
step 1.1.7, calculate: $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, wherein $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, wherein $H_2$ is a hash function for generating elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
The process of generating the signer's signing key is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, wherein $n_I$ is an integer of length $t$ and $t$ is a security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
wherein $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1 + f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it is equal to 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
wherein $x_{R_4}$ denotes the abscissa of the point $R_4$ and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue with step 1.2.11; otherwise, the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the member certificate $(A, x)$ of the signer and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue with step 1.2.15; otherwise the process terminates;
step 1.2.15, the signing key of the signer is: $(f, A, x)$.
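Why the checks in steps 1.2.9, 1.2.10 and 1.2.14 succeed for an honest signer, carried through with the symbols above (an added derivation, not part of the patent text; it uses only the definitions of $s$, $t_1$, $F$, $W$ and $A$ and the bilinearity of $e$):

$$R_4 = [s]Q_1 + [t_1]F = [s + (c+s)f]Q_1 = [s(1+f) + c \cdot f]Q_1 = [(r - c \cdot f) + c \cdot f]Q_1 = [r]Q_1 = R$$

so $x_{R_4} = x_R$, and $c_1 = (m_2 + x_{R_4}) \bmod p$ reproduces the signer's $c$ whenever $m_2 = m_1$. For the member certificate, with $W = [y]P_2$:

$$e(A, W + [x]P_2) = e([1/(x+y)](P_1 + F), [x+y]P_2) = e(P_1 + F, P_2)^{(x+y)/(x+y)} = e(P_1 + F, P_2)$$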
Step 2, signing according to the key generated in the step 1, wherein the signing comprises signing by a signer and common signing by a main signer and an assistant signer;
When one signer signs, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the member signing key $(f, A, x)$ of the signer; a linker bsn; and a message $m \in \{0,1\}^*$. The signer uses its group member signing key to perform the following steps to compute an anonymous signature for a particular message:
step 2.1.1, select a random number $J$ from $G_1$;
step 2.1.2, the signer calculates: $K = [f]J$;
step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
Step 3, verifying the signature generated in the step 2. The inputs during verification are: a message $m$; a linker bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\text{bsn})$ holds; if it holds, continue with step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$, and checks the equation for $t_3$: if it holds, the verification is not passed; otherwise, the verification is passed;
step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$, and verifies the equation $r_5 = r_2$; if it holds, the verification is passed; otherwise, the verification is not passed;
step 3.9, if the verification is not passed in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise, output 1 to indicate that the signature is valid.
When it is necessary to determine whether two signatures are signed by the same signer, the following is performed: the join process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the signature joiner performs the following process to complete the connection: if $J = J'$ and $K = K'$, output 1 to indicate that the connection is successful, namely that the two signatures are signed by the same signer; otherwise output 0 to indicate that the connection is invalid, namely that the two signatures are not signed by the same signer.
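The link tag and its proof (steps 2.1.2, 2.1.6, 2.1.9, 3.1 to 3.4 and the join process above), as an added example that is not the patent's code. It narrows the scheme to the $(J, K, c, s_f)$ part only: the certificate terms $T$, $R_2$ and the pairing are left out, secp256k1 and SHA-256 stand in for $G_1$, $H_1$ and $H_2$, and deriving $J$ from bsn by try-and-increment hashing is an assumption.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the patent's G1; the patent names no curve.
FIELD = 2**256 - 2**32 - 977   # field prime of the curve y^2 = x^3 + 7
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # the patent's p
INF = None                      # point at infinity


def on_curve(P):
    """Step 3.1 membership test (cofactor 1, so on-curve means in the group)."""
    return P is not INF and (P[1] ** 2 - P[0] ** 3 - 7) % FIELD == 0


def add(P, Q):
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def neg(P):
    return INF if P is INF else (P[0], -P[1] % FIELD)


def mul(k, P):
    """[k]P by double-and-add."""
    k %= ORDER
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, P)
        P = add(P, P)
        k >>= 1
    return acc


def hash_to_point(bsn: bytes):
    """Stand-in for J = H2(bsn): try-and-increment onto the curve (assumption)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(bsn + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % FIELD
        rhs = (pow(x, 3, FIELD) + 7) % FIELD
        y = pow(rhs, (FIELD + 1) // 4, FIELD)   # square root, FIELD = 3 mod 4
        if y * y % FIELD == rhs:
            return (x, y)
        ctr += 1


def h1(*parts) -> int:
    """Stand-in for H1: length-prefixed SHA-256 reduced into Z_p."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % ORDER


def sign_tag(f: int, bsn: bytes, m: bytes) -> dict:
    J = hash_to_point(bsn)
    K = mul(f, J)                               # step 2.1.2: K = [f]J
    r_f = secrets.randbelow(ORDER - 1) + 1      # r_f from Z_p^*
    R1 = mul(r_f, J)                            # step 2.1.6: R1 = [r_f]J
    c = h1(J, K, R1, m)                         # reduced challenge (no T, R2)
    return {"J": J, "K": K, "c": c, "s_f": (r_f + c * f) % ORDER}  # step 2.1.9


def verify_tag(sig: dict, bsn: bytes, m: bytes) -> bool:
    J, K, c, s_f = sig["J"], sig["K"], sig["c"], sig["s_f"]
    if not (on_curve(J) and on_curve(K)):       # step 3.1
        return False
    if not (0 <= s_f < ORDER and 0 <= c < ORDER):  # step 3.2
        return False
    if J != hash_to_point(bsn):                 # step 3.3
        return False
    R1 = add(mul(s_f, J), neg(mul(c, K)))       # step 3.4: R1 = [s_f]J - [c]K
    return c == h1(J, K, R1, m)


def link(sig1: dict, sig2: dict) -> int:
    """Join process: 1 if J = J' and K = K', else 0."""
    return int(sig1["J"] == sig2["J"] and sig1["K"] == sig2["K"])


if __name__ == "__main__":
    f = secrets.randbelow(ORDER - 1) + 1        # constructed member key
    s1 = sign_tag(f, b"service-A", b"first message")
    s2 = sign_tag(f, b"service-A", b"second message")
    s3 = sign_tag(f, b"service-B", b"first message")
    print(link(s1, s2), link(s1, s3))           # same bsn links, different bsn does not
```

`link()` compares tags only, so a caller should run `verify_tag()` on both signatures before trusting its output.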
The invention also provides a privacy protection system with connection capability for realizing the method, which comprises a key generation module, a signature module and a verification module;
a key generation module: the group public key, the group member issuing key and the signature key of the signer are generated;
a signature module: for signing based on the generated key, including signing by one signer and common signing by a master signer and an assistant signer;
a verification module: for verifying the resulting signature.
The anonymous signature mechanism is a basic information security technology, can provide privacy protection for entities in a network environment, and is a core technology which is most commonly used in academia and industry and is used for protecting private information. The anonymous signature mechanism can provide security guarantee for various network applications, does not expose the real identity of a user, and can judge whether two signatures are the same entity by using a special interface when required by a supervision department, so that the identity of the entity is further judged.
The technical scheme of the invention is implemented in the C language under a Linux system, and the total code amount is 2808 lines. When the program is running, the CPU occupancy is 12.3%, 4824 KB of RAM is occupied, and 41320 KB of ROM is occupied. The signature speed is 0.04 seconds and the signature verification speed is 0.048 seconds. The scheme of the invention is based on the elliptic curve cryptographic algorithm, has the characteristics of small key length, high safety performance and low time consumption for the whole digital signature, and has higher safety and practicability.
Claims (8)
1. A privacy protection method with connectivity capability, comprising the steps of:
step 1, generating a key, including generating a group public key, a group member issuing key and a signature key of a signer;
step 2, signing according to the key generated in the step 1, wherein the signing comprises signing by a signer and common signing by a main signer and an assistant signer;
step 3, verifying the signature generated in the step 2.
2. The privacy protection method with connection capability as claimed in claim 1, wherein the process of generating the group public key and the group member issuing key in step 1 is as follows:
step 1.1.1, select an asymmetric bilinear pair $G_1$, $G_2$ with large prime number $p$ and a corresponding bilinear function $e: G_1 \times G_2 \to G_T$;
wherein $G_1$ and $G_2$ are additive cyclic groups of order $p$ on the elliptic curve, and $G_T$ is a multiplicative cyclic group of order $p$;
step 1.1.2, select a generator $P_1$ of $G_1$, wherein $P_1$ is a random number in $G_1$;
step 1.1.3, select a generator $P_2$ of $G_2$, wherein $P_2$ is a random number in $G_2$;
step 1.1.4, select a hash function $H_1: \{0,1\}^* \to Z_p$, wherein $Z_p$ denotes the set of integers $[0, p-1]$;
step 1.1.5, select random elements $Q_1$, $Q_2$ from $G_1$;
step 1.1.6, select a random integer $y$ from $Z_p^*$ and calculate: $W = [y]P_2$, wherein $Z_p^*$ denotes the set of integers $[1, p-1]$ and $[y]P_2$ is the multiplication operation on the elliptic curve, representing the addition of $y$ copies of $P_2$;
step 1.1.7, calculate: $T_1 = e(P_1, P_2)$, $T_2 = e(Q_1, P_2)$, $T_3 = e(Q_2, P_2)$, $T_4 = e(Q_2, W)$, wherein $T_1$, $T_2$, $T_3$, $T_4$ are all elements of $G_T$;
step 1.1.8, output:
the group common parameters $= (G_1, G_2, G_T, p, e, P_1, P_2, H_1, H_2)$, wherein $H_2$ is a hash function for generating elements of $Z_p^*$;
the group public key $= (Q_1, Q_2, W, T_1, T_2, T_3, T_4)$;
the group member issuing key $= y$.
3. The method according to claim 2, wherein the process of generating the signing key of the signer in step 1 is as follows:
step 1.2.1, the group member publisher selects a temporary value $n_I \in \{0,1\}^t$, wherein $n_I$ is an integer of length $t$ and $t$ is a security parameter;
step 1.2.2, the group member publisher sends $n_I$ to the signer;
step 1.2.3, the signer randomly selects a member private key $f$ from $Z_p^*$;
step 1.2.4, the signer randomly selects an integer $r$ from $Z_p^*$;
step 1.2.5, the signer calculates: $F = [f]Q_1$, $R = [r]Q_1$;
step 1.2.6, the signer calculates:
$m_1 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$;
$c = (m_1 + x_R) \bmod p$;
wherein $x_R$ denotes the abscissa of the point $R$, $m_1$ is a temporary hash value generated in the process, and mod denotes the modulo operation;
step 1.2.7, the signer calculates: $s = (1 + f)^{-1} \cdot (r - c \cdot f) \bmod p$;
step 1.2.8, the signer sends $(F, c, s)$ to the group member publisher;
step 1.2.9, the group member publisher calculates:
$m_2 = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| F \| R \| n_I)$
$t_1 = (c + s) \bmod p$
and checks $t_1$: if it is equal to 0, the verification fails and the process terminates; if it is not equal to 0, the verification passes, and then:
$R_4 = [s]Q_1 + [t_1]F$
$c_1 = (m_2 + x_{R_4}) \bmod p$
wherein $x_{R_4}$ denotes the abscissa of the point $R_4$ and $m_2$ is a temporary hash value generated in the process;
step 1.2.10, the group member publisher verifies the equation for $c_1$; if it holds, continue with step 1.2.11; otherwise, the verification fails and the process terminates;
step 1.2.11, the group member publisher randomly selects an integer $x$ from $Z_p^*$;
step 1.2.12, the group member publisher calculates:
$A = [1/(x+y)](P_1 + F)$
step 1.2.13, the group member publisher generates the member certificate $(A, x)$ of the signer and sends it to the signer;
step 1.2.14, the signer checks whether the equation $e(A, W + [x]P_2) = e(P_1 + F, P_2)$ holds in order to verify the member certificate; if it holds, continue with step 1.2.15; otherwise the process terminates;
step 1.2.15, the signing key of the signer is: $(f, A, x)$.
4. The privacy protection method with connection capability as claimed in claim 3, characterized in that, when one signer signs in step 2, the inputs are: the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; the member signing key $(f, A, x)$ of the signer; a linker bsn; and a message $m \in \{0,1\}^*$. The signer uses its group member signing key to perform the following steps to compute an anonymous signature for a particular message:
step 2.1.1, select a random number $J$ from $G_1$;
step 2.1.2, the signer calculates: $K = [f]J$;
step 2.1.3, the signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$, wherein "$\cdot$" denotes multiplication;
step 2.1.4, the signer calculates: $T = A + [a]Q_2$;
step 2.1.5, the signer randomly selects 4 integers from $Z_p^*$: $r_f$, $r_x$, $r_a$, $r_b$;
step 2.1.6, the signer calculates: $R_1 = [r_f]J$;
step 2.1.8, the signer calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 2.1.9, the signer calculates: $s_f = (r_f + c \cdot f) \bmod p$; $s_x = (r_x + c \cdot x) \bmod p$;
step 2.1.10, the signer calculates: $s_a = (r_a + c \cdot a) \bmod p$, $s_b = (r_b + c \cdot b) \bmod p$;
step 2.1.12, the signer outputs the anonymous signature value: $\sigma = (J, K, T, c, s_f, s_x, s_a, s_b, r_1, s_1)$.
5. The method of claim 4, wherein when the main signer and the assistant signer jointly sign in step 2, the inputs are: ① the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$; ② the member signing key $(f, A, x)$ of the signer; ③ the connection base bsn; ④ a message $m \in \{0,1\}^*$. The method comprises the following steps:
step 2.2.1, the main signer owns the group member private key $f$, and the assistant signer owns $(A, x)$;
step 2.2.2, select a random number $J$ from $G_1$;
step 2.2.3, the main signer calculates: $K = [f]J$;
step 2.2.4, the main signer randomly selects 1 integer from $Z_p^*$: $r_f$;
step 2.2.5, the main signer calculates: $R_1 = [r_f]J$, $R_{2t} = [r_f]Q_1$;
step 2.2.6, the main signer sends $(J, K, R_1, R_{2t})$ to the assistant signer;
step 2.2.7, the assistant signer selects a random integer $a$ from $Z_p^*$ and calculates: $b = (a \cdot x) \bmod p$;
step 2.2.8, the assistant signer calculates: $T = A + [a]Q_2$;
step 2.2.9, the assistant signer randomly selects 3 integers from $Z_p^*$: $r_x$, $r_a$, $r_b$;
step 2.2.11, the assistant signer calculates:
$c_h = H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2)$
step 2.2.12, the assistant signer sends $c_h$ to the main signer;
step 2.2.13, the main signer selects a random number $n_T \in \{0,1\}^t$;
step 2.2.14, the main signer calculates: $c = H_1(c_h \| n_T \| m)$;
step 2.2.15, the main signer calculates: $s_f = (r_f + c \cdot f) \bmod p$;
step 2.2.17, the main signer sends $(c, n_T, s_f, r_2, s_2)$ to the assistant signer;
step 2.2.18, the assistant signer calculates:
$s_x = (r_x + c \cdot x) \bmod p$
$s_a = (r_a + c \cdot a) \bmod p$
$s_b = (r_b + c \cdot b) \bmod p$
step 2.2.19, the assistant signer outputs the anonymous signature value: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$.
6. The privacy protection method with the connection capability according to claim 5, wherein when the signature obtained in step 2 is verified in step 3, the inputs are: a message $m$; a linker bsn; the signature $(J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$; and the group public key $(Q_1, Q_2, W, T_1, T_2, T_3, T_4)$. The verifier performs the following steps to verify the signature:
step 3.1, the verifier checks whether $J$, $K$, $T$ are elements of $G_1$;
step 3.2, the verifier checks whether $s_f$, $s_x$, $s_a$, $s_b$ are elements of $Z_p$;
step 3.3, if bsn is not empty, the verifier checks whether the equation $J = H_2(\text{bsn})$ holds; if it holds, continue with step 3.4, otherwise the verification process ends; if bsn is empty, the verification process ends;
step 3.4, the verifier calculates: $R_1 = [s_f]J - [c]K$;
step 3.6, the verifier calculates: $c = H_1(H_1(p \| P_1 \| P_2 \| Q_1 \| Q_2 \| W \| J \| K \| T \| R_1 \| R_2) \| m)$;
step 3.7, the verifier calculates: $t_3 = (r_2 + s_2) \bmod p$, and checks the equation for $t_3$: if it holds, the verification is not passed; otherwise, the verification is passed;
step 3.8, the verifier calculates: $R_5 = [s_2]J + [t_3]K$, and verifies the equation $r_5 = r_2$; if it holds, the verification is passed; otherwise, the verification is not passed;
step 3.9, if the verification is not passed in step 3.7 or 3.8, output 0 to indicate that the signature is invalid; otherwise, output 1 to indicate that the signature is valid.
7. The privacy protection method with the connection capability according to claim 6, further comprising determining whether two signatures were signed by the same signer, specifically: the connection process takes two signatures as input: $\sigma = (J, K, T, c, n_T, s_f, s_x, s_a, s_b, r_2, s_2)$ and $\sigma' = (J', K', T', c', n_T', s_f', s_x', s_a', s_b', r_2', s_2')$, and the signature joiner performs the following process to complete the connection: if $J = J'$ and $K = K'$, output 1 to indicate that the connection is successful, namely that the two signatures were signed by the same signer; otherwise output 0 to indicate that the connection is invalid, namely that the two signatures were not signed by the same signer.
8. A privacy protection system with connection capability for implementing the privacy protection method with connection capability as claimed in any one of claims 1 to 7, comprising a key generation module, a signature module and a verification module;
the key generation module: for generating the group public key, the group member issuing key and the signature key of the signer;
the signature module: for signing based on the generated keys, including signing by a single signer and joint signing by a master signer and an assistant signer;
the verification module: for verifying the resulting signature.
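The linkable core of claims 5 to 7 (the tag $K = [f]J$, the response $s_f$, the checks of steps 3.1 to 3.4, and the $J = J'$, $K = K'$ comparison), as an added Python example that is not part of the patent. Assumptions: $G_1$ is replaced by a toy multiplicative subgroup, $J$ is derived as $H_2(bsn)$ as step 3.3 requires, the challenge is a single SHA-256 hash over $(J, K, R_1, m)$, and $T$, $s_x$, $s_a$, $s_b$, $R_2$, $r_2$, $s_2$ are omitted; all function and constant names are illustrative.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): the order-ORDER subgroup
# of squares modulo the safe prime MOD = 2*ORDER + 1. It stands in for G1, so
# the page's [k]P becomes pow(P, k, MOD) and the page's "mod p" is "% ORDER".
MOD, ORDER = 2039, 1019

def _digest(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h2(bsn):
    """Hash a connection base into the subgroup; the result is never 0 or 1."""
    return pow(2 + _digest("H2", bsn) % (MOD - 3), 2, MOD)

def h1(*parts):
    """Challenge hash reduced into the scalar range (assumed construction)."""
    return _digest("H1", *parts) % ORDER

def sign(f, bsn, m):
    """Linkable part of the signature: J, K and the proof (c, s_f) for f."""
    J = h2(bsn)
    K = pow(J, f, MOD)                      # K = [f]J, the link tag
    r_f = 1 + secrets.randbelow(ORDER - 1)  # fresh nonce for every signature
    R1 = pow(J, r_f, MOD)                   # R1 = [r_f]J
    c = h1(J, K, R1, m)
    return J, K, c, (r_f + c * f) % ORDER   # s_f = (r_f + c*f) mod p

def verify(sig, bsn, m):
    J, K, c, s_f = sig
    if not all(0 < g < MOD and pow(g, ORDER, MOD) == 1 for g in (J, K)):
        return False                        # step 3.1: J, K are group elements
    if not (0 <= c < ORDER and 0 <= s_f < ORDER):
        return False                        # step 3.2: scalars are in range
    if J != h2(bsn):
        return False                        # step 3.3: J = H2(bsn)
    R1 = pow(J, s_f, MOD) * pow(K, -c, MOD) % MOD   # step 3.4: [s_f]J - [c]K
    return c == h1(J, K, R1, m)             # challenge must reproduce

def link(sig_a, sig_b):
    """Claim 7: output 1 (True) iff J == J' and K == K'."""
    return sig_a[0] == sig_b[0] and sig_a[1] == sig_b[1]
```

Because $K$ depends only on $f$ and $J$, every signature a member produces under the same bsn carries the same $(J, K)$ pair, which is exactly what the comparison in claim 7 tests.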
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911385217.8A CN111064581B (en) | 2019-12-28 | 2019-12-28 | Privacy protection method and system with connection capability |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111064581A (en) | 2020-04-24 |
CN111064581B (en) | 2022-11-08 |
Family
ID=70304427
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911385217.8A Active CN111064581B (en) | 2019-12-28 | 2019-12-28 | Privacy protection method and system with connection capability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111064581B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001166687A (en) * | 1999-09-29 | 2001-06-22 | Hitachi Software Eng Co Ltd | Group signature generating method and system |
US20090129600A1 (en) * | 2007-11-15 | 2009-05-21 | Brickell Ernie F | Apparatus and method for a direct anonymous attestation scheme from short-group signatures |
CN101977110A (en) * | 2010-10-09 | 2011-02-16 | 北京航空航天大学 | Group signature method based on elliptic curve |
US20120084567A1 (en) * | 2010-10-04 | 2012-04-05 | Electronics And Telecommunications Research Institute | Group signature system and method providing controllable linkability |
CN109413078A (en) * | 2018-11-07 | 2019-03-01 | 沈阳工业大学 | A kind of anonymous authentication scheme based on group ranking under master pattern |
CN109600233A (en) * | 2019-01-15 | 2019-04-09 | 西安电子科技大学 | Group ranking mark based on SM2 Digital Signature Algorithm signs and issues method |
WO2019174404A1 (en) * | 2018-03-14 | 2019-09-19 | 西安西电捷通无线网络通信股份有限公司 | Digital group signature method, device and apparatus, and verification method, device and apparatus |
CN110603783A (en) * | 2017-05-05 | 2019-12-20 | 区块链控股有限公司 | Secure dynamic threshold signature scheme using trusted hardware |
Also Published As
Publication number | Publication date |
---|---|
CN111064581B (en) | 2022-11-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||