CN113114470A - Group signature method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN113114470A
Authority
CN
China
Legal status
Pending
Application number
CN202110340792.7A
Other languages
Chinese (zh)
Inventor
杨天雅
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110340792.7A
Publication of CN113114470A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test

Abstract

The application provides a group signature method and device, an electronic device and a storage medium, wherein the method comprises the following steps: acquiring a first number of member sub-signatures from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the groups are mutually independent, and the groups with different authorities provide different numbers of member sub-signatures; generating a target group signature of the target signature group using the first number of the member sub-signatures; and sending the target group signature to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using a target group public key of the target signature group. By the method and the device, the problem that the applicability of the group signature mode in the related technology is poor is solved.

Description

Group signature method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a group signature method and apparatus, an electronic device, and a storage medium.
Background
For a group, members of the group may sign anonymously on behalf of the group without revealing the signer's identity, and a verifier may verify the group signature using the group public key. When a signature needs to be checked, the group administrator can use the user key to reveal the identity of the signer in the group.
However, when there are multiple groups with different permissions temporarily forming a signature group (or voting group, election group, etc.), the above-mentioned group signature method is not suitable for this scenario because the above-mentioned group signature does not distinguish the permissions between each group member.
Therefore, the group signature method in the related art cannot be applied to signature groups that include groups with different authorities, and its applicability is poor.
Disclosure of Invention
The application provides a group signature method and device, electronic equipment and a storage medium, which are used for at least solving the problem of poor applicability of a group signature mode in the related art.
According to an aspect of an embodiment of the present application, there is provided a group signature method, including: acquiring a first number of member sub-signatures from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the groups are mutually independent, and the groups with different authorities provide different numbers of member sub-signatures; generating a target group signature of the target signature group using the first number of the member sub-signatures; and sending the target group signature to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using a target group public key of the target signature group.
Optionally, before obtaining the first number of the member sub-signatures from the plurality of the groups of the target signature group, the method further comprises: generating sub-key pairs of each group according to the secret shared by each group to obtain the first number of sub-key pairs, wherein one sub-key pair belongs to one target member, and each member sub-signature is obtained by using a sub-private key in one sub-key pair to sign the message to be signed; and generating a target group key pair of the target signature group according to the secret shared by each group, wherein the target group key pair comprises the target group public key and a target group private key matched with the target group public key.
Optionally, generating the sub-key pairs of each group according to the secret shared by each group respectively comprises: generating a target polynomial for a target group, wherein the target group is any one of the plurality of groups, the number of sub-key pairs to be generated for the target group is a second number, the degree of the target polynomial is the second number minus 1, the coefficient of each term of the target polynomial is a random number, and the coefficient of the degree-0 term of the target polynomial is the secret shared by the target group; and generating the second number of sub-key pairs for the target group, wherein the sub-private key of each sub-key pair consists of a first target value and a second target value, the sub-public key of each sub-key pair is the value obtained by raising a target primitive of a first prime number to the power of a third target value and taking the result modulo the first prime number, the first target value is a randomly selected value, the second target value is the value obtained by substituting the first target value as the argument into the target polynomial and taking the result modulo a second prime number, the third target value is the product of the second target value and the Lagrange coefficient corresponding to the sub-private key of that sub-key pair, the Lagrange coefficient is the recovery coefficient corresponding to the sub-private key of that sub-key pair when the target polynomial is recovered using the sub-private keys of the second number of sub-key pairs, and the difference between the first prime number and 1 is a multiple of the second prime number.
Optionally, generating the target group key pair of the target signature group according to the secret shared by each of the groups comprises: determining, as the target group private key, the value obtained by taking the sum of the secrets shared by each group modulo the second prime number; and determining, as the target group public key, the value obtained by raising the target primitive to the power of the target group private key and taking the result modulo the first prime number.
Optionally, before obtaining the first number of the member sub-signatures from the plurality of the groups of the target signature group, the method further comprises: receiving a first sub-signature value broadcast by each target member, wherein the first sub-signature value of one target member is the value obtained by raising the target primitive to the power of a target random number and taking the result modulo the first prime number, and the target random number is a random number of that target member; and determining, as a first signature value of the target group signature, the value obtained by taking the product of the first sub-signature values of all the target members modulo the first prime number. Generating the target group signature for the target signature group using the first number of the member sub-signatures comprises: determining, as a second signature value of the target group signature, the value obtained by taking the sum of the second sub-signatures of the first number of the member sub-signatures modulo the second prime number, wherein one second sub-signature is the value obtained by taking the difference between a fourth target value and a fifth target value modulo the second prime number, the fourth target value is the product of the third target value of one target member and a target hash value of the message to be signed, and the fifth target value is the product of the target random number of that target member and the first signature value.
Optionally, after sending the target group signature to the first signature verifier, the method further comprises: acquiring, through the first signature verifier, a first signature verification value and a second signature verification value corresponding to the target group signature, wherein the first signature verification value is the product of the target primitive raised to the power of the second signature value and the first signature value raised to the power of the first signature value, and the second signature verification value is the target group public key raised to the power of the target hash value; and determining that the target group signature passes verification if the first signature verification value is consistent with the second signature verification value.
Optionally, after obtaining the first number of the member sub-signatures from the plurality of the groups of the target signature group, the method further comprises: selecting, from the first number of member sub-signatures, the sub-signature of a member to be verified; sending the sub-signature of the member to be verified to a second signature verifier, wherein the second signature verifier is a signature verifier that verifies the sub-signature of the member to be verified using the sub-public key of the member to be verified; and receiving a target signature verification result returned by the second signature verifier, wherein the target signature verification result indicates whether the sub-signature of the member to be verified passes the signature verification.
Optionally, after sending the target group signature to the first verifier, the method further comprises: receiving a target request message sent by the first signature verifier, wherein the target request message is used for requesting to acquire membership information associated with the target group signature; determining target membership information corresponding to the target group signature, wherein the target membership information includes membership information of the target member generating each of the member sub-signatures; and responding to the target request message, and sending the target membership information to the first signature verifier.
According to another aspect of the embodiments of the present application, there is also provided a group signature apparatus, including: a first obtaining unit, configured to obtain a first number of member sub-signatures from multiple groups of a target signature group, where each member sub-signature is a signature generated by a target member in one group for a message to be signed, the multiple groups are independent from each other, and the groups with different permissions provide different numbers of member sub-signatures; a first generating unit configured to generate a target group signature of the target signature group using the first number of the member sub-signatures; and a first sending unit, configured to send the target group signature to a first signature verifier, where the first signature verifier is a signature verifier that verifies the target group signature using a target group public key of the target signature group.
Optionally, the apparatus further comprises: a second generating unit, configured to generate, before obtaining the first number of member sub-signatures from the plurality of groups in the target signature group, a sub-key pair of each group according to a secret shared by each group, respectively, to obtain the first number of sub-key pairs, where one sub-key pair belongs to one target member, and each member sub-signature is obtained by signing the message to be signed using a sub-private key in one sub-key pair; a third generating unit, configured to generate a target group key pair of the target signature group according to the secret shared by each group, where the target group key pair includes the target group public key and a target group private key matching the target group public key.
Optionally, the second generating unit includes: a first generating module, configured to generate a target polynomial for a target group, where the target group is any one of the plurality of groups, the number of sub-key pairs to be generated for the target group is a second number, the degree of the target polynomial is the second number minus 1, the coefficient of each term of the target polynomial is a random number, and the coefficient of the degree-0 term of the target polynomial is the secret shared by the target group; a second generating module, configured to generate the second number of sub-key pairs for the target group, where the sub-private key of each sub-key pair consists of a first target value and a second target value, the sub-public key of each sub-key pair is the value obtained by raising a target primitive of a first prime number to the power of a third target value and taking the result modulo the first prime number, the first target value is a randomly selected value, the second target value is the value obtained by substituting the first target value as the argument into the target polynomial and taking the result modulo a second prime number, the third target value is the product of the second target value and the Lagrange coefficient corresponding to the sub-private key of that sub-key pair, the Lagrange coefficient is the recovery coefficient corresponding to the sub-private key of that sub-key pair when the target polynomial is recovered using the sub-private keys of the second number of sub-key pairs, and the difference between the first prime number and 1 is a multiple of the second prime number.
Optionally, the third generating unit comprises: a first determining module, configured to determine, as the target group private key, the value obtained by taking the sum of the secrets shared by each group modulo the second prime number; a second determining module, configured to determine, as the target group public key, the value obtained by raising the target primitive to the power of the target group private key and taking the result modulo the first prime number.
Optionally, the apparatus further comprises: a first receiving unit and a first determining unit, wherein the first generating unit includes a third determining module. The first receiving unit is configured to receive a first sub-signature value broadcast by each target member before the first number of member sub-signatures are acquired from the plurality of groups of the target signature group, where the first sub-signature value of one target member is the value obtained by raising the target primitive to the power of a target random number and taking the result modulo the first prime number, the target random number being a random number of that target member; the first determining unit is configured to determine, as a first signature value of the target group signature, the value obtained by taking the product of the first sub-signature values of all the target members modulo the first prime number; the third determining module is configured to determine, as a second signature value of the target group signature, the value obtained by taking the sum of the second sub-signatures of the first number of member sub-signatures modulo the second prime number, where one second sub-signature is the value obtained by taking the difference between a fourth target value and a fifth target value modulo the second prime number, the fourth target value is the product of the third target value of one target member and a target hash value of the message to be signed, and the fifth target value is the product of the target random number of that target member and the first signature value.
Optionally, the apparatus further comprises: a second obtaining unit, configured to obtain, through the first signature verifier, a first signature verification value and a second signature verification value corresponding to the target group signature after the target group signature is sent to the first signature verifier, where the first signature verification value is the product of the target primitive raised to the power of the second signature value and the first signature value raised to the power of the first signature value, and the second signature verification value is the target group public key raised to the power of the target hash value; a second determination unit, configured to determine that the target group signature passes the verification if the first signature verification value matches the second signature verification value.
Optionally, the apparatus further comprises: a selecting unit, configured to select, from the first number of member sub-signatures, the sub-signature of a member to be verified after the first number of member sub-signatures are obtained from the plurality of groups of the target signature group; a second sending unit, configured to send the sub-signature of the member to be verified to a second signature verifier, where the second signature verifier is a signature verifier that verifies the sub-signature of the member to be verified using the sub-public key of the member to be verified; and a second receiving unit, configured to receive a target signature verification result returned by the second signature verifier, where the target signature verification result indicates whether the sub-signature of the member to be verified is valid.
Optionally, the apparatus further comprises: a third receiving unit, configured to receive a target request message sent by a first verifier after sending the target group signature to the first verifier, where the target request message is used to request to acquire membership information associated with the target group signature; a third determining unit, configured to determine target membership information corresponding to the target group signature, where the target membership information includes membership information of the target member that generates each of the member sub-signatures; and the third sending unit is used for responding to the target request message and sending the target member identity information to the first signature verifier.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus; wherein the memory is used for storing the computer program; a processor for performing the method steps in any of the above embodiments by running the computer program stored on the memory.
According to a further aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to perform the method steps of any of the above embodiments when the computer program is executed.
In the embodiments of the present application, groups with different authorities provide different numbers of member sub-signatures. A first number of member sub-signatures are obtained from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the plurality of groups are mutually independent, and the groups with different authorities provide different numbers of member sub-signatures; a target group signature of the target signature group is generated using the first number of member sub-signatures; and the target group signature is sent to a first signature verifier, wherein the first signature verifier is a signature verifier that verifies the target group signature using a target group public key of the target signature group. Because groups with different authorities provide different numbers of member sub-signatures, and the group signature of a signature group consisting of a plurality of groups is generated from the member sub-signatures provided by those groups, the method is suitable for signature groups containing groups with different authorities, which achieves the technical effect of improving the applicability of the group signature and solves the problem of poor applicability of the group signature mode in the related technology.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly described below; it is obvious that those skilled in the art can obtain other drawings from these without inventive effort.
FIG. 1 is a schematic diagram of a hardware environment for an alternative group signature method according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating an alternative group signature method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart diagram illustrating an alternative group signature method according to an embodiment of the present application;
FIG. 4 is a block diagram of an alternative group signature apparatus according to an embodiment of the present application;
FIG. 5 is a block diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of an embodiment of the present application, there is provided a group signature method. Alternatively, in this embodiment, the group signature method described above may be applied to a hardware environment composed of a plurality of groups, a group administrator and a signature verifier as shown in fig. 1, where each member of the plurality of groups may correspond to one first device, the group administrator may correspond to one or more second devices, and the signature verifier may correspond to one or more third devices.
As shown in fig. 1, a plurality of groups and group administrators, and signature verifiers may be connected via a network. The group members of each group may be configured to receive the subkey pair of each group sent by the group administrator, sign a message to be signed (i.e., a member sub-signature) using the subkey pair of the group member, and send the generated signature to the group administrator. The group administrator can be used for generating a sub-key pair of each group and a group key pair of a signature group consisting of a plurality of groups, and can also be used for receiving member sub-signatures sent by each group and generating a group signature of the signature group, and sending the generated group signature to the signature verifier. The verifier may receive the group signature and verify the group signature using the group public key of the signature group.
Alternatively, the group members, group administrators, and signature verifiers may be terminal devices, servers, or other similar devices. The network may include, but is not limited to, at least one of: wired networks, wireless networks. The wired network may include, but is not limited to, at least one of: wide area networks, metropolitan area networks, local area networks. The wireless network may include, but is not limited to, at least one of: WIFI (Wireless Fidelity), Bluetooth. The terminal 102 may be, but is not limited to, a PC, a mobile phone, a tablet computer, etc.
The group signature method according to the embodiment of the present application may be executed by a group member, a group administrator, or a signature verifier, or jointly by these parties. The group signature method according to the embodiment of the present application may also be performed by a client installed on each device.
Taking execution of the group signature method in this embodiment by the group administrator as an example, FIG. 2 is a schematic flow chart of an optional group signature method according to this embodiment. As shown in FIG. 2, the flow of the method may include the following steps:
Step S202, a first number of member sub-signatures are obtained from a plurality of groups of the target signature group, wherein each member sub-signature is a signature generated by one target member in one group for the message to be signed, the plurality of groups are independent from each other, and the groups with different authorities provide different numbers of member sub-signatures.
The group signature method in this embodiment may be applied to a scenario in which a signature group is composed of a plurality of groups with different rights, for example, a scenario in which a plurality of groups with different rights temporarily form a signature group (or voting group, election group, etc.) in order to sign. The target signature group may consist of a plurality of groups, each group containing a certain number of members. The groups are independent of each other, i.e. there is no overlap between the members of different groups. The plurality of groups have at least two kinds of rights, each group has a corresponding right, and the rights of different groups may be the same or different. Alternatively, each group may be a threshold signature group.
When a message to be signed is signed, in order to distinguish different authority groups in a signature group and flexibly configure the threshold strategy of the different authority groups, only part of members (signers, namely target members) in the same group can be configured to sign, and the groups with different authorities provide different numbers of member sub-signatures. Here, a member sub-signature is a signature generated by a target member in a group for a message to be signed. The group administrator may obtain a number of member sub-signatures from each group to obtain a first number of member sub-signatures.
Optionally, for multiple groups, the number of member sub-signatures provided by a high-rights group may be greater than the number of member sub-signatures provided by a low-rights group. For example, by configuring the threshold policy, the high-authority group can form an effective group signature only by providing less signatures, and the low-authority group can form an effective group signature only by providing more signatures, so as to increase the weight occupied by the high-authority group signature.
For example, for a group, there are W group members, and at least t member signatures need to be obtained to consider the signature as valid, which is called a (t, W) threshold signature. For some scenarios, there are N different permission groups $W_1, W_2, \ldots, W_N$ that together form a signature group, with $t_1 \le W_1$, $t_2 \le W_2$, …, $t_N \le W_N$. If the groups in the signature group simultaneously satisfy the $(t_1, W_1)$, $(t_2, W_2)$, …, $(t_N, W_N)$ thresholds, i.e. there are at least $t_1$ signatures in $W_1$, at least $t_2$ signatures in $W_2$, …, and at least $t_N$ signatures in $W_N$, the group signature value of the signature group is valid.
Step S204 generates a target group signature of the target signature group using the first number of member sub-signatures.
After obtaining the first number of member sub-signatures, the group administrator may generate a target group signature for the target signature group using the first number of member sub-signatures. Depending on the encryption and decryption algorithm used, there may be multiple ways of generating the target group signature from the first number of member sub-signatures. For example, the first number of member sub-signatures are summed to obtain the target group signature; as another example, the sum of the first number of member sub-signatures is taken modulo a safe prime to obtain the target group signature. Other ways of generating the target group signature are also possible, which is not limited in this embodiment.
The target group signature may comprise a plurality of signature values, and some of those signature values may be generated using the first number of member sub-signatures. The remaining signature values may be generated from other parameters according to the adopted encryption and decryption algorithm, which is not limited in this embodiment.
Step S206, the target group signature is sent to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using the target group public key of the target signature group.
The group administrator may send the target group signature to the first signature verifier, and the first signature verifier performs signature verification on the target group signature using the target group public key of the target signature group, and determines whether the target group signature passes the signature verification, that is, determines whether the target group signature is valid.
In signing, the signer (i.e., the target object) is hidden among the numerous signers of the signature group, and the signature verifier cannot obtain the specific identity of the signer, thereby protecting the privacy of the signer.
Through the steps S202 to S206, a first number of member sub-signatures are obtained from a plurality of groups of the target signature set, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the plurality of groups are independent from each other, and the groups with different permissions provide different numbers of member sub-signatures; generating a target group signature of the target signature group using the first number of member sub-signatures; and sending the target group signature to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using the target group public key of the target signature group, so that the problem of poor applicability of a group signature mode in the related technology is solved, and the applicability of the group signature is improved.
Optionally, in this embodiment, the message to be signed may be signed with a group signature constructed from a single digital signature (e.g., the ElGamal single digital signature) by using a threshold secret sharing algorithm (e.g., the Shamir threshold secret sharing algorithm). For a group, a threshold secret sharing algorithm and/or a single digital signature algorithm may be used to generate a sub-key pair for a target member in the group, and for a signature group, a threshold secret sharing algorithm and/or a single digital signature algorithm may be used to generate a group key pair for the signature group.
As an alternative embodiment, before obtaining the first number of member sub-signatures from the plurality of groups of the target signature set, the method further comprises:
s11, generating sub-key pairs of each group according to the secret shared by each group to obtain a first number of sub-key pairs, wherein one sub-key pair belongs to a target member, and each member sub-signature is obtained by signing the message to be signed by using a sub-private key in one sub-key pair;
s12, generating a target group key pair of the target signature group according to the secret shared by each group, wherein the target group key pair includes a target group public key and a target group private key matching the target group public key.
For a target signature group, the signature algorithm can be designed so that as many layers of threshold secret sharing are superimposed as there are groups with different authorities in the signature group, so that the members in the signature group can be easily divided into different authority groups. For a group, the group administrator may generate sub-key pairs for the group using a threshold secret sharing algorithm, e.g., the sub-key pairs of each group may be generated according to the secret shared by that group.
Each group may be preconfigured with the number of member sub-signatures that need to be provided, and the number of sub-key pairs generated for the group may be the number of member sub-signatures that need to be provided for the group. Correspondingly, the sum of the number of sub-key pairs generated for the plurality of groups is a first number.
For a target signature group, the group administrator may generate a target group key pair for the target signature group according to the secret shared by each group. The target group key pair may be generated based on a single digital signature algorithm, and includes the target group public key and a target group private key matching the target group public key.
Alternatively, after generating the subkey pairs for each group according to the secret shared by each group, respectively, the group administrator may distribute each subkey pair for each group to the corresponding target members in each group. The target member in each group may be a member selected from each group that signs the message to be signed. The member to be selected to sign the message to be signed may be selected in advance, or may be selected after the sub-key pair of each group is generated, which is not limited in this embodiment.
By the embodiment, the sub-key pairs are generated for each group and the group key pairs are generated for the signature group by using the threshold secret sharing algorithm and the single digital signature algorithm, so that members in the signature group can be conveniently divided into different authority groups, and convenience in expanding the signature group is improved.
As an alternative embodiment, generating the sub-key pair of each group according to the secret shared by each group respectively comprises:
s21, generating a target polynomial for the target group, where the target group is any one of a plurality of groups, the number of sub-key pairs to be generated by the target group is a second number, the degree of the target polynomial is the second number minus 1, the coefficient of each term of the target polynomial is a random number, and the coefficient of a term with a degree of 0 in the target polynomial is a secret shared by the target group;
s22, generating a second number of sub-key pairs for the target group, where the sub-private key of each sub-key pair is a first target value and a second target value, the sub-public key of each sub-key pair is a value obtained by modulo the first prime number by a third target value of the target primitive of the first prime number, the first target value is a randomly selected value, the second target value is a value obtained by substituting the first target value into the target polynomial as an argument to obtain a dependent variable value, the third target value is a product of a lagrange coefficient corresponding to the sub-private key of each sub-key pair and the second target value, the lagrange coefficient is a recovery coefficient corresponding to the sub-private key of each sub-key pair when the target polynomial is recovered using the sub-keys of the second number of sub-key pairs, and a difference between the first prime number and 1 is a multiple of the second prime number.
In this embodiment, the Shamir threshold secret sharing algorithm may be used to generate the group signature and control the threshold configuration. For any one of the plurality of groups, the Shamir threshold secret sharing algorithm may be employed to generate the sub-key pairs for the group. The basic principle of the Shamir threshold secret sharing algorithm is now explained by taking the threshold (t, W) as an example.
In the secret generation phase, a polynomial may be constructed as shown in equation (1):
$f(x) = (a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}) \bmod q \quad (1)$
where $a_0$ is the secret to be recovered, $a_1, a_2, \ldots, a_{t-1}$ are random numbers, and q is a randomly selected safe prime. Taking W different values $x_i$ and substituting them into f(x) yields W sub-secrets $(x_i, f(x_i))$, which are distributed to the W members respectively.
In the secret recovery phase, t sub-secrets $(x_i, f(x_i))$ may be collected, and the polynomial can be recovered by the Lagrange interpolation theorem, as shown in formula (2):
Figure BDA0002999511540000121
where $\xi_i$ is the Lagrange recovery coefficient. The secret $a_0$ can be recovered by substituting x = 0 into the recovered f(x). For a sub-secret $(x_i, f(x_i))$, the corresponding Lagrange coefficient is the value obtained by substituting x = 0 into equation (3):
Figure BDA0002999511540000131
In this embodiment, a single digital signature is modified based on the threshold secret sharing algorithm. The group administrator may choose two prime numbers p (i.e., a first prime number) and q (i.e., a second prime number), requiring that q divide p-1, i.e., that p-1 be an integer multiple of q. A primitive element g (i.e., the target primitive) of the finite field $Z_p$ is selected, and p, q, g are made public. Here, p may have a plurality of primitive elements, and g is one of the plurality of primitive elements of p.
For example, p is 10, and the numbers less than or equal to 10 that are coprime to 10 include: 1, 3, 7, 9, so $\psi(p) = 4$; among the numbers less than 10, the values of a that make $a^4 \equiv 1 \pmod{10}$ include: 3, 7, 9. That is, the primitive elements of GF(10) include: 3, 7, 9.
For any one group, e.g., the target group, the number of sub-key pairs to be generated by the target group is the second number. The group administrator may generate a target polynomial for the target group, the degree of the target polynomial being the second number minus 1, the coefficient of each term of the target polynomial being a random number (e.g., it may be a random number chosen from the finite field of the first prime number), and the coefficient of the term of degree 0 in the target polynomial being the secret shared by the target group. Illustratively, the target polynomial may be: $f(x) = (a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}) \bmod q$.
For example, there are 2 groups $W_1$ and $W_2$ with different rights in the signature group. It is required that $W_1$ and $W_2$ do not intersect, $t_1 \le W_1$, $t_2 \le W_2$, and that at least $t_1$ member signatures are provided in $W_1$ and at least $t_2$ member signatures are provided in $W_2$ for the result to be considered a valid group signature. On the finite field $F_q$, a polynomial $f_1(x)$ of degree $t_1 - 1$ and a polynomial $f_2(x)$ of degree $t_2 - 1$ are selected. The coefficients of the terms of degree 0 of the polynomials $f_1(x)$ and $f_2(x)$ (i.e., $f_1(0)$ and $f_2(0)$) may be considered the secrets shared by the groups.
The group administrator may generate a second number of sub-key pairs for the target group, and one sub-key pair may contain the sub-private key $sk_i$ and the sub-public key $pk_i$. The sub-private key $sk_i$ is $(x_i, f(x_i))$, where $x_i$ is a randomly selected value and $f(x_i)$ is the value obtained by substituting $x_i$ into the target polynomial and taking the resulting dependent variable value modulo the second prime number. The sub-public key $pk_i$ is $g^{\xi_i f(x_i)} \bmod p$, where $\xi_i$ is a Lagrange coefficient, i.e., the recovery coefficient corresponding to the sub-private key of each sub-key pair when the sub-private keys of the second number of sub-key pairs are used to recover the target polynomial, for which the Lagrange interpolation formula may be used.
For example, the group administrator may separately compute the child private keys and the child public keys of all members in the groups $W_1$ and $W_2$. If member i is in group $W_1$, with $1 \le i \le t_1$, then the child private key is $sk_{1i} = (x_{1i}, f_1(x_{1i}))$ and the child public key is
Figure BDA0002999511540000141
If member i is in group $W_2$, with $1 \le i \le t_2$, then the child private key is $sk_{2i} = (x_{2i}, f_2(x_{2i}))$ and the child public key is
Figure BDA0002999511540000142
where $\xi_{1i}$ and $\xi_{2i}$ are the Lagrange coefficients of the $(t_1, W_1)$ and $(t_2, W_2)$ thresholds in Shamir secret sharing, respectively. They are calculated by the group administrator and then distributed to the corresponding members, and the group administrator then distributes the sub private key and the sub public key to the corresponding members.
By the embodiment, the corresponding sub-key pairs are generated for each member based on the threshold secret sharing algorithm, so that the groups with different authorities can be calculated by adopting multilayer threshold secret sharing superposition, and the flexibility of key pair generation is improved.
As an alternative embodiment, generating the target group key pair of the target signature group according to the secret shared by each group comprises:
S31, determining the value obtained by taking the sum of the secrets shared by each group modulo the second prime number as the target group private key;
and S32, determining the value obtained by the target group private key power of the target primitive element modulo the first prime number as the target group public key.
In generating the group key of the signature group, calculation may be performed based on a single digital signature algorithm. The group administrator may take the sum of the secrets shared by each group modulo the second prime number and determine the obtained value as the target group private key, then raise the target primitive to the power of the target group private key, take the result modulo the first prime number, and determine the obtained value as the target group public key.
For example, for the groups $W_1$ and $W_2$, the group administrator first calculates the group private key $sk = (f_1(0) + f_2(0)) \bmod q$, and then calculates the group public key
Figure BDA0002999511540000143
The group public key pk is externally disclosed.
By the embodiment, the group key is generated for the signature group based on the single digital signature algorithm, so that the key generation efficiency can be improved, and the information transmission safety can be improved.
As an alternative embodiment, before obtaining the first number of member sub-signatures from the plurality of groups of the target signature set, the method further comprises:
s41, receiving a first sub-signature value broadcast by each target member, wherein the first sub-signature value of one target member is a value obtained by taking the modulus of the target random number power of the target primitive element to the first prime number, and the target random number is the random number of one target member;
s42, determining a value obtained by modulo the first prime number by the product of the first sub-signature value of each target member as a first signature value of the target group signature;
generating a target group signature for the target signature group using the first number of member sub-signatures comprises:
s43, determining a sum of the second sub-signatures of the first number of member sub-signatures modulo a second prime number to be a second signature value of the target group signature, wherein a second sub-signature is a difference between a fourth target value and a fifth target value, the fourth target value is a product of a third target value of a target member and a target hash value of the message to be signed, and the fifth target value is a product of a target random number of the target member and the first signature value.
For each target member, it can choose a random number, i.e., a target random number, respectively; calculating a first sub-signature value of the target member, wherein the first sub-signature value is a value obtained by taking a modulus of a target random number power of the target primitive element to a first prime number; and anonymously broadcasting the first sub-signature value within the signature group.
Each member (at least a first number of target members) in the target signature group and the group administrator may receive the first sub-signature values broadcast by all target members and determine a value obtained by modulo the first prime number by the product of the first sub-signature values of all target members as the first signature value of the target group signature.
For example, for convenience of description, it is assumed that the entire signature group requires t ($t = t_1 + t_2$) member signatures in total, where the $t_1$ members of $W_1$ that need to sign are exactly members $1, 2, 3, \ldots, t_1$, and the $t_2$ members of $W_2$ that need to sign are exactly members $t_1+1, t_1+2, t_1+3, \ldots, t_1+t_2$. Let the set of sub-public keys be $pk_j = (pk_{1i}, pk_{2i})$, the set of sub-private keys be $sk_j = (sk_{1i}, sk_{2i})$, and the set of sub-signatures be $(k_j, s_j = (s_{1i}, s_{2i}))$, with $1 \le j \le t$; the message to be signed is m.
When signing is carried out, each of the t members randomly selects
Figure BDA0002999511540000151
Computing
Figure BDA0002999511540000152
and anonymously broadcasts $k_j$ within the signature group. Each member and the group administrator can receive the broadcasts of all the members, and each calculates k in the group signature (k, s) according to formula (4):
Figure BDA0002999511540000153
for each target member, when generating a second sub-signature value of the member sub-signature, it may first calculate a product between a third target value of the target member and a target hash value of the message to be signed, to obtain a fourth target value, and calculate a product between a target random number of the target member and the first signature value, to obtain a fifth target value; then, a value obtained by modulo the second prime number by calculating the difference between the fourth target value and the fifth target value is determined as a second sub-signature value of the member sub-signature of the target member, and the member sub-signature (i.e., (first sub-signature value, second sub-signature value)) is transmitted to the group administrator.
After receiving the first number of member sub-signatures, the group administrator may determine the value obtained by taking the sum of the second sub-signature values in the first number of member sub-signatures modulo the second prime number as the second signature value of the target group signature. The target group signature of the target signature group then includes: a first signature value and a second signature value.
For example, the t members may generate member signatures and send the member signatures to the group administrator. If member j is in group $W_1$, with $1 \le i \le t_1$ and $1 \le j \le t_1$, then it calculates $s_{1i} = (f_1(x_{1i})\,\xi_{1i}\,\mathrm{hash}(m) - r_j k) \bmod q$; if member j is in group $W_2$, with $1 \le i \le t_2$ and $t_1+1 \le j \le t_1+t_2$, then it calculates $s_{2i} = (f_2(x_{2i})\,\xi_{2i}\,\mathrm{hash}(m) - r_j k) \bmod q$, where $\xi_{1i}$ and $\xi_{2i}$ are the Lagrange coefficients of the $(t_1, W_1)$ and $(t_2, W_2)$ thresholds in Shamir secret sharing, and hash() is a secure hash function. This yields a single member sub-signature $(k_j, s_j)$.
After the group administrator receives the t member sub-signatures, it can calculate $s = (s_1 + s_2 + \dots + s_t) \bmod q$, resulting in the group signature (k, s). The obtained group signature can be sent to a signature verifier by the group administrator for signature verification.
Through the embodiment, the single digital signature is reformed into the group signature by using the threshold secret sharing algorithm, so that the convenience and the efficiency of generating the group signature can be improved.
As an alternative embodiment, after sending the target group signature to the first signature verifier, the method further includes:
s51, a first signature verification value and a second signature verification value corresponding to the target group signature are obtained through a first signature verification party, wherein the first signature verification value is the product of the second signature value power of the target primitive and the first signature value power of the first signature value, and the second signature verification value is the target hash value power of the target group public key;
and S52, determining that the target group signature passes the verification under the condition that the first verification value is consistent with the second verification value.
The first verifier may verify the target group signature using the target group public key of the target signature group after receiving the target group signature. When the signature is verified, the first signature verifying party can calculate the product of the second signature value power of the target primitive and the first signature value power of the first signature value to obtain a first signature verification value, and calculate the target hash value power of the target group public key to obtain a second signature verification value.
The first signature verifier may compare the first signature verification value and the second signature verification value to determine whether they are consistent, for example, whether they are the same. If the first signature verification value is consistent with the second signature verification value, the first signature verifier may determine that the target group signature passes verification, i.e., that the target group signature is valid. If they are not consistent, the first signature verifier may determine that the target group signature fails verification, i.e., that the target group signature is invalid.
For example, after the verifier receives the group signature (k, s), it may verify whether $g^{s} k^{k} = pk^{\mathrm{hash}(m)}$ holds. If it holds, the group signature of the message m is valid, and the signature is accepted. If not, the group signature of the message m is invalid and the signature is rejected.
Through this embodiment, through using group signature and group public key to obtain two verification value to whether the unanimity of two verification values confirms that the verification passes through, can guarantee the security of verifying the signature.
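The flow of steps S21 to S52 for two groups with thresholds $t_1 = 2$ and $t_2 = 3$, written out as a runnable sketch. This is an added example, not code from the patent: the parameter sizes, function names and sample messages are constructed, and g is taken as an element of order q in $Z_p^*$ (an assumption made here so that exponent arithmetic modulo q agrees with the mod-q sub-signature equations).

```python
import hashlib
import secrets

Q = 2**127 - 1  # second prime q (a Mersenne prime); constructed demo size only

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; adequate for picking demo parameters."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params(q=Q):
    """Return (p, q, g): first probable prime p = k*q + 1 and g of order q mod p."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:   # h^((p-1)/q) != 1 means the result has order q
        h += 1
    return p, q, pow(h, k, p)

def hash_to_zq(message, q):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def deal_group(t, p, q, g):
    """S21/S22: degree t-1 polynomial over Z_q, t sub-key pairs, coefficients at x = 0."""
    coeffs = [secrets.randbelow(q) for _ in range(t)]  # coeffs[0] is the group secret f(0)
    xs = []
    while len(xs) < t:
        x = 1 + secrets.randbelow(q - 1)
        if x not in xs:
            xs.append(x)
    members = []
    for xi in xs:
        fx = sum(c * pow(xi, e, q) for e, c in enumerate(coeffs)) % q
        lam = 1                                        # Lagrange coefficient xi_i
        for xj in xs:
            if xj != xi:
                lam = lam * (-xj) * pow((xi - xj) % q, -1, q) % q
        members.append({"x": xi, "fx": fx, "lam": lam,
                        "pk": pow(g, lam * fx % q, p)})  # sub-public key
    return coeffs[0], members

def sign(message, signers, p, q, g):
    """S41-S43: every signer contributes k_j = g^r_j and s_j; returns (k, s)."""
    h = hash_to_zq(message, q)
    nonces = [1 + secrets.randbelow(q - 1) for _ in signers]
    k = 1
    for r in nonces:                                   # product of broadcast k_j values
        k = k * pow(g, r, p) % p
    subs = [(m["fx"] * m["lam"] * h - r * k) % q for m, r in zip(signers, nonces)]
    return k, sum(subs) % q

def verify(message, sig, pk, p, q, g):
    """S51/S52: accept when g^s * k^k == pk^hash(m) (mod p)."""
    k, s = sig
    return pow(g, s, p) * pow(k, k, p) % p == pow(pk, hash_to_zq(message, q), p)

def demo():
    p, q, g = make_params()
    secret1, w1 = deal_group(2, p, q, g)               # t1 = 2 signers from W1
    secret2, w2 = deal_group(3, p, q, g)               # t2 = 3 signers from W2
    pk = pow(g, (secret1 + secret2) % q, p)            # S31/S32 group key pair
    msg = b"constructed sample message"
    full = sign(msg, w1 + w2, p, q, g)
    short = sign(msg, w1 + w2[:-1], p, q, g)           # one W2 signer missing
    return {
        "valid": verify(msg, full, pk, p, q, g),
        "tampered": verify(b"constructed other message", full, pk, p, q, g),
        "below_threshold": verify(msg, short, pk, p, q, g),
    }

if __name__ == "__main__":
    print(demo())
```

The third case shows the threshold policy being enforced by the arithmetic itself: with one $W_2$ sub-signature missing, the Lagrange-weighted shares no longer sum to $f_2(0)$, so the aggregate does not verify against the group public key.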
As an alternative embodiment, after obtaining the first number of member sub-signatures from the plurality of groups of the target signature set, the method further comprises:
s61, selecting the sub-signature of the member to be checked corresponding to the member to be checked from the member sub-signatures of the first number;
S62, sending the sub-signature of the member to be checked to a second checking party, wherein the second checking party is a checking party for checking the sub-signature of the member to be checked by using the sub public key of the member to be checked;
and S63, receiving a target signature verification result returned by the second signature verification party, wherein the target signature verification result is used for indicating whether the sub-signature of the member to be verified passes the verification.
According to practical situations, if the validity of the sub-signature of a member in a group needs to be checked, the group administrator can disclose the sub-public key of the member (i.e., the member to be checked) to a checker (e.g., a second checker). Taking the verifier as the second verifier as an example, the group administrator may further select the sub-signature of the member to be verified corresponding to the member to be verified from the member sub-signatures of the first number, and send the sub-signature of the member to be verified to the second verifier.
It should be noted that the sub public key of the member to be checked and signed and the sub signature of the member to be checked and signed can be sent simultaneously or respectively; the second signature checking party and the first signature checking party may be the same checking party or may be synchronous checking parties, which is not limited in this embodiment.
For example, according to the actual situation, if the sub-signature validity of a member in a certain group needs to be checked, the member sub-signature can be sent to a checker for verification
Figure BDA0002999511540000181
And if so, accepting the member signature.
Through the embodiment, the sub public key and the sub signature of the member are disclosed to the verifying party according to the requirement, so that the verifying party can conveniently verify the signature of the sub signature, a manager can conveniently verify the validity of a single signature, and the validity of the message signature is improved.
As an alternative embodiment, after sending the target group signature to the first verifier, the method further comprises:
s71, receiving a target request message sent by a first signature verifier, wherein the target request message is used for requesting to acquire membership information associated with a target group signature;
s72, determining target member identity information corresponding to the target group signature, wherein the target member identity information comprises member identity information of the target member generating each member sub-signature;
and S73, responding to the target request message, and sending the target member identity information to the first signature verifier.
If there is a need for signature membership disclosure, the verifier may delegate the group administrator to track the identity of member sub-signature issuers. The checking party may be the first checking party or may be a checking party other than the first checking party.
Taking the verifier as the first verifier as an example, the first verifier may send a target request message to the group administrator to request to acquire membership information associated with the target group signature. After receiving the target request message, the group administrator may determine target membership information corresponding to the target group signature, that is, membership information of a first number of target members, and send the target membership information to the first signature verifier.
Through the embodiment, the signature member identity is disclosed to the signature verifier based on the requirement of the signature verifier, so that the member can be prevented from signing maliciously, and the security of message signature is improved.
It should be noted that, although the group administrator performs the group signature method in this embodiment, it is not excluded that other one or more devices may perform the group signature method. The scope of the present application can be considered as the scheme of flexibly configuring the threshold policy for groups with different authority levels in the signature group.
For example, the group administrator is the hosting center for the group key and the user keys, so key management is centralized: public keys must be obtained through the group administrator, which is costly and burdensome. An identity-based cryptosystem (Identity-Based Cryptograph, IBC) may be considered, in which the user identity is used directly as its public key. On the other hand, centralizing the authority of the signature group may increase the security threat, because once the group administrator is attacked by a malicious party, the keys and private information are leaked; a decentralized or multi-center key management mode can therefore be adopted.
The following explains a group signature method in the embodiment of the present application with reference to an alternative example. The group signature method in this example is a group threshold signature method based on secret sharing, and by distinguishing different authority groups in a signature group and flexibly configuring a threshold policy of the different authority groups, a signature group can be temporarily formed by a plurality of groups with different authorities to perform signature.
In the example, an ElGamal single digital signature is transformed into a group signature by using the Shamir threshold secret sharing algorithm. Only part of the members in the same group need to sign, and the sub-signatures of the members in the groups are combined to form the group signature. Provided that the multiple groups are mutually independent, a signature verifier outside the signature group can verify the signature, and if the verification succeeds, the group signature meets the requirements and is valid. The signer is hidden among the plurality of signers of the signature group, and the signature verifier cannot obtain the specific identity of the signer.
The plurality of groups may be $W_1, W_2, \ldots, W_N$. Threshold policies are flexibly configured for the groups with different authority levels, respectively: $(t_1, W_1)$, $(t_2, W_2)$, …, $(t_N, W_N)$. This example is illustrated with a signature group composed of 2 groups $W_1$ and $W_2$ with different rights, where $W_1$ and $W_2$ do not intersect, $t_1 \le W_1$, $t_2 \le W_2$, and at least $t_1$ member signatures must be provided in $W_1$ and at least $t_2$ member signatures must be provided in $W_2$ for the result to be considered a valid group signature.
As shown in fig. 3, the flow of the signature method of the group in this alternative example may include the following steps:
step S302, generating sub-key pairs for each group according to the number of the sub-key pairs required to be generated by each group, and sending the sub-key pairs to corresponding members in each group.
The group administrator may generate $t_1$ sub-key pairs for $W_1$ and $t_2$ sub-key pairs for $W_2$, and send the generated sub-key pairs to the corresponding members (i.e., the target members) in each group. The members to which they are sent may be pre-selected.
In step S304, a group key pair is generated for the signature group, and a group public key in the group key pair is disclosed to the verifier.
Step S306, respectively receiving the sub-signatures sent by the corresponding members in each group, generating the group signature of the signature group by using the received sub-signatures, and sending the generated group signature to the verifier.
Step S308, the verifier verifies the group signature using the group public key of the signature group to obtain the verification result of the group signature.
In addition, the member signatures provided by individual members within a group can be verified, and the specific identity of a signer can be traced. For example, if the validity of the sub-signature of a member in a group needs to be checked, the sub-public key of the member may be published to the verifier and the sub-signature of the member sent to the verifier, so that the verifier verifies the member's sub-signature using the member's sub-public key. As another example, if the identity of a signing member needs to be disclosed, the group administrator may be entrusted with tracing the identity of the issuer of the member sub-signature.
Through this example, threshold policies can be flexibly configured for groups with different permission levels in the signature group; the member signatures are combined into a group signature, which a verifier can verify using the group public key without learning the identities of the signers in the group; in addition, a way of verifying a single group member's signature and a way of disclosing the identity of a signer in the group are provided.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., a ROM (Read-Only Memory)/RAM (Random Access Memory), a magnetic disk, an optical disk) and includes several instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the methods according to the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided a group signature apparatus for implementing the group signature method. Fig. 4 is a block diagram of an optional group signature apparatus according to an embodiment of the present application. As shown in Fig. 4, the apparatus may include:
a first obtaining unit 402, configured to obtain a first number of member sub-signatures from multiple groups of a target signature group, where each member sub-signature is a signature generated by one target member in one group for a message to be signed, the multiple groups are independent of each other, and groups with different permissions provide different numbers of member sub-signatures;
a first generating unit 404, connected to the first obtaining unit 402 and configured to generate a target group signature of the target signature group using the first number of member sub-signatures;
and a first sending unit 406, connected to the first generating unit 404 and configured to send the target group signature to a first signature verifier, where the first signature verifier is a verifier that uses the target group public key of the target signature group to verify the target group signature.
It should be noted that the first obtaining unit 402 in this embodiment may be configured to execute the step S202, the first generating unit 404 in this embodiment may be configured to execute the step S204, and the first sending unit 406 in this embodiment may be configured to execute the step S206.
Through the above modules, a first number of member sub-signatures are acquired from a plurality of groups of a target signature group, where each member sub-signature is a signature generated by one target member in one group for a message to be signed, the plurality of groups are independent of each other, and groups with different permissions provide different numbers of member sub-signatures; a target group signature of the target signature group is generated using the first number of member sub-signatures; and the target group signature is sent to a first signature verifier, where the first signature verifier is a verifier that verifies the target group signature using the target group public key of the target signature group. This solves the problem of poor applicability of group signature schemes in the related art and improves the applicability of the group signature.
As an alternative embodiment, the apparatus further comprises:
a second generating unit, configured to, before the first number of member sub-signatures are acquired from the plurality of groups of the target signature group, generate sub-key pairs for each group according to the secret shared by each group, to obtain a first number of sub-key pairs, where one sub-key pair belongs to one target member, and each member sub-signature is obtained by signing the message to be signed with the sub-private key of one sub-key pair;
and a third generating unit, configured to generate a target group key pair of the target signature group according to the secret shared by each group, where the target group key pair includes a target group public key and a target group private key matching the target group public key.
As an alternative embodiment, the second generating unit includes:
a first generating module, configured to generate a target polynomial for a target group, where the target group is any one of the plurality of groups, the number of sub-key pairs to be generated by the target group is a second number, the degree of the target polynomial is the second number minus 1, the coefficient of each term of the target polynomial is a random number, and the coefficient of the term of degree 0 in the target polynomial is the secret shared by the target group;
a second generating module, configured to generate the second number of sub-key pairs for the target group, where the sub-private key of each sub-key pair consists of a first target value and a second target value; the sub-public key of each sub-key pair is the value obtained by raising a target primitive element of a first prime number to the power of a third target value and taking the result modulo the first prime number; the first target value is a randomly selected value; the second target value is the value obtained by substituting the first target value into the target polynomial as the independent variable and taking the resulting value of the dependent variable modulo a second prime number; the third target value is the product of the Lagrange coefficient corresponding to the sub-private key of each sub-key pair and the second target value; the Lagrange coefficient is the recovery coefficient corresponding to the sub-private key of each sub-key pair when the sub-private keys of the second number of sub-key pairs are used to recover the target polynomial; and the difference between the first prime number and 1 is a multiple of the second prime number.
As an alternative embodiment, the third generating unit includes:
a first determining module, configured to determine, as the target group private key, the value obtained by taking the sum of the secrets shared by each group modulo the second prime number;
and a second determining module, configured to determine, as the target group public key, the value obtained by raising the target primitive element to the power of the target group private key and taking the result modulo the first prime number.
As an alternative embodiment, the apparatus further comprises: a first receiving unit and a first determining unit, the first generating unit comprising a third determining module, wherein,
the first receiving unit is configured to receive a first sub-signature value broadcast by each target member before the first number of member sub-signatures are acquired from the plurality of groups of the target signature group, where the first sub-signature value of one target member is the value obtained by raising the target primitive element to the power of a target random number and taking the result modulo the first prime number, and the target random number is a random number of that target member;
the first determining unit is configured to determine, as a first signature value of the target group signature, the value obtained by taking the product of the first sub-signature values of all target members modulo the first prime number;
and the third determining module is configured to determine, as a second signature value of the target group signature, the value obtained by taking the sum of the first number of member sub-signatures modulo the first prime number, where one member sub-signature is the value obtained by taking the difference between a fourth target value and a fifth target value modulo the second prime number, the fourth target value is the product of the third target value of one target member and a target hash value of the message to be signed, and the fifth target value is the product of the target random number of that target member and the first signature value.
As an alternative embodiment, the apparatus further comprises:
a second obtaining unit, configured to, after the target group signature is sent to the first signature verifier, obtain through the first signature verifier a first verification value and a second verification value corresponding to the target group signature, where the first verification value is the product of the target primitive element raised to the power of the second signature value and the first signature value raised to the power of the first signature value, and the second verification value is the target group public key raised to the power of the target hash value;
and a second determining unit, configured to determine that the target group signature passes verification when the first verification value is consistent with the second verification value.
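The key generation, signing and verification steps described by the units above, as an added Python example (not code from the patent). Assumptions: the constructed parameters P and Q, SHA-256 as the hash, a base G of order Q (the text calls it a primitive element of the first prime number) so that exponent arithmetic modulo Q is consistent, the second signature value reduced modulo the second prime number as in claim 5, the per-member check equation, and all function names.

```python
import hashlib
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases, used only to find demo parameters."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed demo parameters (assumptions, far too small for real use).
Q = 2**127 - 1                                  # second prime
P = next(k * Q + 1 for k in range(2, 10**6, 2)  # first prime: P - 1 is a multiple of Q
         if is_probable_prime(k * Q + 1))
G = pow(2, (P - 1) // Q, P)                     # assumption: base of order Q mod P
assert G != 1

def msg_hash(msg: bytes) -> int:
    """Target hash value of the message (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def deal_group(t: int):
    """One group: random polynomial of degree t-1 and exactly t sub-key pairs."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]   # coeffs[0] = shared secret
    xs = []
    while len(xs) < t:                                  # distinct non-zero first target values
        x = 1 + secrets.randbelow(Q - 1)
        if x not in xs:
            xs.append(x)
    members = []
    for xi in xs:
        fx = sum(c * pow(xi, j, Q) for j, c in enumerate(coeffs)) % Q  # second target value
        lam = 1                                         # Lagrange coefficient at 0
        for xj in xs:
            if xj != xi:
                lam = lam * xj * pow((xj - xi) % Q, -1, Q) % Q
        d = lam * fx % Q                                # third target value
        members.append({"x": xi, "fx": fx, "d": d, "pub": pow(G, d, P)})
    return coeffs[0], members

def group_sign(msg: bytes, signers):
    """Round 1: each signer broadcasts r_i; round 2: each returns s_i."""
    h = msg_hash(msg)
    nonces = [1 + secrets.randbelow(Q - 1) for _ in signers]  # fresh per signature
    r_parts = [pow(G, k, P) for k in nonces]
    r = 1
    for r_i in r_parts:
        r = r * r_i % P                                 # first signature value
    s_parts = [(m["d"] * h - k * r) % Q for m, k in zip(signers, nonces)]
    return (r, sum(s_parts) % Q), list(zip(r_parts, s_parts))

def verify_group(msg: bytes, sig, group_pub: int) -> bool:
    """Accept iff G^s * r^r == y^h (mod P)."""
    r, s = sig
    if not (0 < r < P and 0 <= s < Q):                  # range check added here
        return False
    return pow(G, s, P) * pow(r, r, P) % P == pow(group_pub, msg_hash(msg), P)

def verify_member(msg: bytes, r: int, r_i: int, s_i: int, sub_pub: int) -> bool:
    """Per-member check derived from the s_i definition: G^s_i * r_i^r == y_i^h."""
    return pow(G, s_i, P) * pow(r_i, r, P) % P == pow(sub_pub, msg_hash(msg), P)

def demo(t1: int = 2, t2: int = 3):
    a1, w1 = deal_group(t1)
    a2, w2 = deal_group(t2)
    group_priv = (a1 + a2) % Q                          # sum of the group secrets
    group_pub = pow(G, group_priv, P)
    msg = b"constructed sample message"
    sig, parts = group_sign(msg, w1 + w2)
    short_sig, _ = group_sign(msg, w1[:t1 - 1] + w2)    # W_1 misses its threshold
    return {
        "group_ok": verify_group(msg, sig, group_pub),
        "tampered_ok": verify_group(b"another message", sig, group_pub),
        "short_quorum_ok": verify_group(msg, short_sig, group_pub),
        "members_ok": all(verify_member(msg, sig[0], r_i, s_i, m["pub"])
                          for (r_i, s_i), m in zip(parts, w1 + w2)),
    }

if __name__ == "__main__":
    print(demo())
```

Each member's random number must be fresh and secret for every signature: the sub-signature is linear in the member's third target value and that random number, so a repeated random number exposes the member's signing value.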
As an alternative embodiment, the apparatus further comprises:
a selecting unit, configured to, after the first number of member sub-signatures are acquired from the plurality of groups of the target signature group, select from the first number of member sub-signatures the sub-signature of a member to be verified;
a second sending unit, configured to send the sub-signature of the member to be verified to a second signature verifier, where the second signature verifier is a verifier that verifies the sub-signature of the member to be verified using the sub-public key of the member to be verified;
and a second receiving unit, configured to receive a target verification result returned by the second signature verifier, where the target verification result indicates whether the sub-signature of the member to be verified is valid.
As an alternative embodiment, the apparatus further comprises:
a third receiving unit, configured to receive a target request message sent by the first signature verifier after the target group signature is sent to the first signature verifier, where the target request message is used to request membership information associated with the target group signature;
a third determining unit, configured to determine target membership information corresponding to the target group signature, where the target membership information includes membership information of the target member that generated each member sub-signature;
and a third sending unit, configured to send the target membership information to the first signature verifier in response to the target request message.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 1, and may be implemented by software, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiments of the present application, there is also provided an electronic device for implementing the signature method of the group, where the electronic device may be a server, a terminal, or a combination thereof.
Fig. 5 is a block diagram of an optional electronic device according to an embodiment of the present application. As shown in Fig. 5, the electronic device includes a processor 502, a communication interface 504, a memory 506 and a communication bus 508, where the processor 502, the communication interface 504 and the memory 506 communicate with each other via the communication bus 508, and where:
a memory 506 for storing a computer program;
the processor 502, when executing the computer program stored in the memory 506, implements the following steps:
S1, acquiring a first number of member sub-signatures from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the plurality of groups are independent of each other, and groups with different permissions provide different numbers of member sub-signatures;
S2, generating a target group signature of the target signature group by using the first number of member sub-signatures;
S3, sending the target group signature to a first signature verifier, wherein the first signature verifier is a verifier that verifies the target group signature by using the target group public key of the target signature group.
Alternatively, in this embodiment, the communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 5, but this is not intended to represent only one bus or type of bus. The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include RAM, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
As an example, the memory 506 may include, but is not limited to, the first obtaining unit 402, the first generating unit 404 and the first sending unit 406 of the group signature apparatus. In addition, it may further include, but is not limited to, other module units of the group signature apparatus described above, which are not described in detail in this example.
The processor may be a general-purpose processor, including but not limited to a CPU (Central Processing Unit), an NP (Network Processor), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration, and the device implementing the group signature method may be a terminal device, and the terminal device may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
According to still another aspect of the embodiments of the present application, there is also provided a storage medium. Optionally, in this embodiment, the storage medium may be used to store program code for executing any one of the group signature methods in the embodiments of the present application.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1, acquiring a first number of member sub-signatures from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the plurality of groups are independent of each other, and groups with different permissions provide different numbers of member sub-signatures;
S2, generating a target group signature of the target signature group by using the first number of member sub-signatures;
S3, sending the target group signature to a first signature verifier, wherein the first signature verifier is a verifier that verifies the target group signature by using the target group public key of the target signature group.
Optionally, the specific example in this embodiment may refer to the example described in the above embodiment, which is not described again in this embodiment.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program codes, such as a U disk, a ROM, a RAM, a removable hard disk, a magnetic disk, or an optical disk.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product that is stored in a storage medium and includes instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, and may also be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution provided in the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered to fall within the protection scope of the present application.

Claims (11)

1. A method for signing a group, comprising:
acquiring a first number of member sub-signatures from a plurality of groups of a target signature group, wherein each member sub-signature is a signature generated by one target member in one group for a message to be signed, the groups are mutually independent, and the groups with different authorities provide different numbers of member sub-signatures;
generating a target group signature of the target signature group using the first number of the member sub-signatures;
and sending the target group signature to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using a target group public key of the target signature group.
2. The method of claim 1, wherein prior to obtaining the first number of the member sub-signatures from the plurality of groups of the target signature group, the method further comprises:
generating sub-key pairs of each group according to the secret shared by each group to obtain the first number of sub-key pairs, wherein one sub-key pair belongs to one target member, and each member sub-signature is obtained by using a sub-private key in one sub-key pair to sign the message to be signed;
and generating a target group key pair of the target signature group according to the secret shared by each group, wherein the target group key pair comprises the target group public key and a target group private key matched with the target group public key.
3. The method of claim 2, wherein generating the subkey pair for each of the groups according to the secret shared by each of the groups respectively comprises:
generating a target polynomial for a target group, wherein the target group is any one of a plurality of groups, the number of the sub-key pairs to be generated by the target group is a second number, the degree of the target polynomial is the second number minus 1, the coefficient of each term of the target polynomial is a random number, and the coefficient of a term of the target polynomial of degree 0 is a secret shared by the target group;
generating the second number of the sub-key pairs for the target group, wherein the sub-private key of each sub-key pair consists of a first target value and a second target value; the sub-public key of each sub-key pair is the value obtained by raising a target primitive element of the first prime number to the power of a third target value and taking the result modulo the first prime number; the first target value is a randomly selected value; the second target value is the value obtained by substituting the first target value into the target polynomial as the argument and taking the resulting value modulo the second prime number; the third target value is the product of the Lagrange coefficient corresponding to the sub-private key of each sub-key pair and the second target value; the Lagrange coefficient is the recovery coefficient corresponding to the sub-private key of each sub-key pair when the target polynomial is recovered by using the sub-private keys of the second number of the sub-key pairs; and the difference between the first prime number and 1 is a multiple of the second prime number.
4. The method of claim 3, wherein generating the target group key pair for the target signature group according to the secret shared by each of the groups comprises:
determining, as the target group private key, the value obtained by taking the sum of the secrets shared by each of the groups modulo the second prime number;
and determining, as the target group public key, the value obtained by raising the target primitive element to the power of the target group private key and taking the result modulo the first prime number.
5. The method of claim 3,
prior to obtaining the first number of the member sub-signatures from the plurality of the groups of the target signature group, the method further comprises: receiving a first sub-signature value broadcast by each target member, wherein the first sub-signature value of one target member is the value obtained by raising the target primitive element to the power of a target random number and taking the result modulo the first prime number, and the target random number is a random number of that target member; and determining, as a first signature value of the target group signature, the value obtained by taking the product of the first sub-signature values of all the target members modulo the first prime number;
generating the target group signature for the target signature group using the first number of the member sub-signatures comprises: determining, as a second signature value of the target group signature, the value obtained by taking the sum of the second sub-signatures of the first number of the member sub-signatures modulo the second prime number, wherein one of the second sub-signatures is the value obtained by taking the difference between a fourth target value and a fifth target value modulo the second prime number, the fourth target value is the product of the third target value of one of the target members and a target hash value of the message to be signed, and the fifth target value is the product of the target random number of that target member and the first signature value.
6. The method of claim 5, wherein after sending the target group signature to the first signature verifier, the method further comprises:
acquiring, through the first signature verifier, a first verification value and a second verification value corresponding to the target group signature, wherein the first verification value is the product of the target primitive element raised to the power of the second signature value and the first signature value raised to the power of the first signature value, and the second verification value is the target group public key raised to the power of the target hash value;
determining that the target group signature passes verification if the first verification value is consistent with the second verification value.
7. The method of claim 1, wherein after obtaining the first number of the member sub-signatures from the plurality of groups of the target signature set, the method further comprises:
selecting the sub-signature of the member to be checked corresponding to the member to be checked from the member sub-signatures of the first number;
sending the sub-signature of the member to be verified to a second signature verifier, wherein the second signature verifier is a verifier that verifies the sub-signature of the member to be verified by using the sub-public key of the member to be verified;
and receiving a target signature verification result returned by the second signature verification party, wherein the target signature verification result is used for indicating whether the sub-signature of the member to be verified passes the signature verification.
8. The method according to any of claims 1 to 7, wherein after sending the target group signature to a first verifier, the method further comprises:
receiving a target request message sent by the first signature verifier, wherein the target request message is used for requesting to acquire membership information associated with the target group signature;
determining target membership information corresponding to the target group signature, wherein the target membership information includes membership information of the target member generating each of the member sub-signatures;
and responding to the target request message, and sending the target membership information to the first signature verifier.
9. A signature apparatus for a group, comprising:
a first obtaining unit, configured to obtain a first number of member sub-signatures from multiple groups of a target signature group, where each member sub-signature is a signature generated by a target member in one group for a message to be signed, the multiple groups are independent of each other, and groups with different permissions provide different numbers of member sub-signatures;
a first generating unit configured to generate a target group signature of the target signature group using the first number of the member sub-signatures;
and the first sending unit is used for sending the target group signature to a first signature verifier, wherein the first signature verifier is a signature verifier for verifying the target group signature by using a target group public key of the target signature group.
10. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein said processor, said communication interface and said memory communicate with each other via said communication bus,
the memory for storing a computer program;
the processor for performing the method steps of any one of claims 1 to 8 by running the computer program stored on the memory.
11. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to carry out the method steps of any one of claims 1 to 8 when executed.
CN202110340792.7A 2021-03-30 2021-03-30 Group signature method and device, electronic equipment and storage medium Pending CN113114470A (en)

Publications (1)

Publication Number Publication Date
CN113114470A true CN113114470A (en) 2021-07-13

Family

ID=76713160

Country Status (1)

Country Link
CN (1) CN113114470A (en)

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
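Wang Zecheng et al.: "Security-enhanced threshold group signature scheme with privileged sets", Computer Engineering and Applications *
Mi Junli: "Conditionally intrusion-tolerant digital signature protocol", Computer Engineering and Applications *
Mi Junli et al.: "A (t, n) threshold group signature scheme with voting rights", Application Research of Computers *
Xie Shucui et al.: "A (t, n) threshold signature scheme based on nested-group secret sharing", Application Research of Computers *
Chen Weidong et al.: "A class of threshold group signature schemes with privileged sets", Journal of Software *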

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965325A (en) * 2021-10-20 2022-01-21 成都卫士通信息产业股份有限公司 Data transmission authentication method and device, electronic equipment and computer storage medium
CN113965325B (en) * 2021-10-20 2023-07-25 成都卫士通信息产业股份有限公司 Data transmission authentication method and device, electronic equipment and computer storage medium

Similar Documents

Publication Publication Date Title
CN109274503B (en) Distributed collaborative signature method, distributed collaborative signature device and soft shield system
TWI797147B (en) Threshold digital signature method and system
CN107959656B (en) Data security guarantee system, method and device
CN110235409B (en) Method for protected RSA signature or decryption using homomorphic encryption
Azees et al. An efficient anonymous authentication and confidentiality preservation schemes for secure communications in wireless body area networks
CN104270249B (en) It is a kind of from the label decryption method without certificate environment to identity-based environment
JP5544355B2 (en) Method and system for verifying shared secrets
US9531540B2 (en) Secure token-based signature schemes using look-up tables
Mangipudi et al. A secure identification and key agreement protocol with user anonymity (SIKA)
CA3152501A1 (en) Systems and methods for signing of a message
Ma et al. Distributed access control with adaptive privacy preserving property for wireless sensor networks
EP3496331A1 (en) Two-party signature device and method
CN104301108A (en) Signcryption method based from identity environment to certificateless environment
KR20230024369A (en) Creation of Secret Shares
CN114239078A (en) Power grid data auditing method and device, power grid system and storage medium
Tsai et al. An ECC-based blind signcryption scheme for multiple digital documents
ALmarwani et al. An effective, secure and efficient tagging method for integrity protection of outsourced data in a public cloud storage
Shakiba Security analysis for chaotic maps-based mutual authentication and key agreement using smart cards for wireless networks
Lawal et al. An improved hybrid scheme for e-payment security using elliptic curve cryptography
CN109831305B (en) Anti-quantum computation signcryption method and system based on asymmetric key pool
EP3709561A1 (en) Method for generating a digital signature of an input message
CN113114470A (en) Group signature method and device, electronic equipment and storage medium
Wang et al. Dynamic threshold changeable multi‐policy secret sharing scheme
Heydari et al. An Improved Authentication Scheme for Electronic Payment Systems in Global Mobility Networks
Tsai et al. Secure data-sharing using distributed environmental matching keys

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210713
