CN104168115A - Forward-secure undetachable digital signature method - Google Patents


Info

Publication number: CN104168115A (granted version: CN104168115B)
Application number: CN201410407512.XA
Authority: CN (China)
Legal status: Granted, active (Google's listed status is an assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 史扬, 刘琴, 穆斌, 赵钦佩, 韩景轩
Original and current assignee: Tongji University
Application filed by Tongji University; priority to CN201410407512.XA; published as CN104168115A, granted as CN104168115B

Abstract

The invention discloses a forward-secure undetachable digital signature method. The method consists of a key generation algorithm KGen, a key update algorithm KUpd, an undetachable signing function generation algorithm UndSigFunGen, an undetachable signature algorithm FSUndSig, an undetachable signature verification algorithm FSUndVrfy, a signature algorithm Sign and a verification algorithm Vrfy. It achieves a forward-secure undetachable digital signature under a white-box attack environment. Throughout the scheme the mobile agent does not need to carry the private key in order to represent the original signer with the digital signatures it produces, so the private key is not affected. The signing function is combined with the original signer's requirements, so that misuse of the signature algorithm is prevented. No special key distribution mechanism is needed, and the method remains forward secure even if the signer is attacked.

Description

Forward-secure undetachable digital signature method
Technical field
The present invention relates to the field of information security, specifically to mobile agent security, and applies to electronic commerce, mobile computing and similar settings.
Background technology
As more and more applications based on mobile agent technology enter practical use, they cannot succeed unless suitable, secure, trustworthy and private techniques protect sensitive business data and give business partners enough confidence to cooperate. Yet mobile agents face serious security threats. In the field of mobile agent security, identity-based undetachable digital signature methods currently complete this task safely and effectively.
However, an identity-based undetachable digital signature method requires a centralised authority to distribute keys, and in many situations no such authoritative and reliable institution exists. A method is therefore urgently needed that does not depend on a key distribution mechanism yet still protects mobile agents with high security and high reliability.
This scheme is built on bilinear pairings. Its security rests on the hardness of the computational Diffie-Hellman problem in groups where the decisional Diffie-Hellman problem can be solved (Gap Diffie-Hellman groups). Most of the underlying concepts, such as groups, rings and fields, are standard notions of abstract algebra.
Summary of similar techniques (products):
In earlier electronic signature schemes, a mobile agent acting for the original user had to carry the signing algorithm and the signing key in order to generate a signature, which allowed an attacker to forge signatures from the agent or even recover the signing key. To address this, three documents each provided an undetachable electronic signature that limits, to some degree, the leakage of the signing key or signing method: Kotzanikolaou, P., Burmester, M., Chrissikopoulos, V., Secure Transactions with Mobile Agents in Hostile Environments, Proceedings of ACISP 2000, pp. 289-297, 2000; Yang Shi, Xiaoping Wang, Liming Cao, et al., A Security Scheme of Electronic Commerce for Mobile Agents Uses Undetachable Digital Signatures, The Third International Conference on Information Security, ACM Press, 2004, pp. 242-243; and Yang Shi, Xiaoping Wang, Liming Cao, Jianxin Ren, Secure Mobile Agents in Electronic Commerce by Using Undetachable Signatures from Pairings, Proc. The 4th International Conference on Electronic Business, pp. 1038-1043.
To address the threat that, without a reliable key distribution mechanism, the key generator can be attacked and the signing key obtained, the document H. Krawczyk, Simple forward-secure signatures from any signature scheme, Proceedings of the 7th ACM Conference on Computer and Communications Security, 2000, pp. 108-115, proposed forward-secure signature methods. Even when the signer's host is captured, forming a white-box attack context, the signing key remains forward secure: the key in this scheme changes over time, and the signing keys used before the moment of capture cannot be obtained, hence the name forward security.
However, none of these signature schemes on its own meets the security needs of today's mobile agents.
Summary of the invention
As is well known, the signing key is the core of a signature scheme; once the signing key is stolen, the whole signature method loses its effect. The forward-secure signature methods mentioned above therefore let the signing key evolve with time: in each time period the key is irreversibly updated once, so that even after the signer is captured, the signing keys of past time periods remain secure, that is, signatures on past data cannot be reproduced.
At present, however, forward-secure signature schemes do not provide the undetachable signature property. A signature scheme with both features is a gap in the field of mobile agent security, since among the published schemes no effective one combines the two, and the combination is quite difficult. The object of the invention is to overcome the respective shortcomings of these two kinds of schemes in mobile agent security: it solves the problem that generating an electronic signature requires the agent to carry the signing algorithm and signing key, which lets an attacker forge signatures from the agent or even recover the signing key; it removes the threat a mobile agent faces when passing through a malicious host that forms a white-box attack context (WBAC) environment; it needs no special authority to issue certificates or keys, which widens the applicability of the signature method; and it not only lowers communication risk but also removes the grave danger of a compromised authority, thereby filling this gap in the field of mobile security.
The innovation of the invention lies in a special algorithm design that achieves forward security and the undetachable signature property at the same time. It is not a simple assembly of algorithms; the combination of the two security approaches is established by theoretical reasoning, proof and corresponding testing.
To this end, the technical scheme provided by the invention is:
A forward-secure undetachable digital signature method, characterised in that it comprises the following eight steps:
Step 1. A customer completes shopping on a client computer. The computer then generates a mobile agent, and the client computer, at the prescribed security level (the required security index k is input), executes Algorithm 1, defined as follows.
Algorithm 1. Key generation KGen(1^k): on input the total number of time periods T and the security parameter 1^k (k ∈ N), the algorithm outputs the public-key setting Ω = (G_1, G_2, ê(·,·), q, P, H_1(·), H_2(·)) and the initial key S_0.
Explanation of Ω: the security parameter 1^k above is a conceptual notion; k is the security index and can simply be read as the cryptosystem having k-bit length. In a concrete implementation it depends on the project's needs and on the public-key cryptosystem adopted (for example a hyperelliptic or elliptic curve).
In Ω, G_1 is a multiplicative cyclic group of order q and G_2 is likewise a multiplicative cyclic group of order q. G and P are fixed generators of G_1 and G_2 respectively. ê: G_1 × G_2 → G_T is a bilinear map: it takes the Cartesian product of elements of G_1 and G_2 and maps it to an element of G_T. H_1: {0,1}* → Z_q* and H_2: {0,1}* → G_1 are two special hash maps that send an arbitrary binary string to Z_q* (the group of integers modulo the prime q without the zero element) and to G_1 respectively.
Note: assume that a homomorphism ψ: G_2 → G_1 with ψ(P) = G exists.
Definition: the decisional Diffie-Hellman problem on (G_1, G_2) (co-DDH): given P, P^a ∈ G_2 and Y, Y^b ∈ G_1 as input, output yes if a = b and no otherwise. When the output is yes, (P, P^a, Y, Y^b) is called a Diffie-Hellman tuple (co-DHT).
Assumption: we assume that ê can be computed quickly, so co-DDH on (G_1, G_2) is easy to solve. The method is built on this assumption.
Generation of the initial key S_0:
  choose s_0 at random from Z_q* and compute U_0 (U_0 = P^{s_0}, so that the certificate check in Algorithm 2 holds)
  For (j = 1; j ≤ T; j++) do
    CERT_j ← <U_0, j, U_j, H_2(U_0, j, U_j)^{s_0}>
  EndFor
  (here U_j = P^{s_j} with s_j = H_1(s_{j-1}), computed as in Algorithm 2)
After the loop, erase s_j for j = 1, …, T and store CERT_j for j = 1, …, T.
Note: here the algorithm assumes that U_0 is a data aggregate, so the global setting Ω is also stored in U_0; that is, the public key element carries the global information.
When KGen(1^k) completes, it outputs the public key U_0 and the initial key S_0; proceed to the next step.
Step 2. The client then inputs the public key U_0, the initial key s_0, CERT_j and the current time period j into Algorithm 2 and executes it; it is defined as follows:
Algorithm 2.
KUpd(s_{j-1}, CERT_j, j, U_0)
BEGIN
  <U_0′, j′, U_j′, Λ_j> ← CERT_j
  s_j ← H_1(s_{j-1}); U_j ← P^{s_j}
  If (ê(Λ_j, P) ≠ ê(H_2(U_0, j, U_j), U_0))
    return ⊥ // abort
  erase s_{j-1}
  return s_j
END
After s_0 is erased, the algorithm returns S_1; proceed to the next step.
Step 3. The client completes the transaction and is ready to send the mobile agent to trade.
If the current key has expired, go to step 4; otherwise go to step 5.
Step 4. With the previous period's key S_{j-1}, the current period j, the public key U_0 and the CERT_j generated by Algorithm 1 as input, the client runs KUpd again and obtains the key S_j of the next period; proceed to the next step.
Step 5. With REQ_C||ID_C, s_j and CERT_j as input, where REQ_C||ID_C (the customer's requirement concatenated with the user identity) is sensitive data, the client executes Algorithm 3, defined as follows:
Algorithm 3.
UndSigFunGen(REQ_C||ID_C, s_j, CERT_j)
Begin
  H ← H_2(REQ_C||ID_C);
  K ← H^{s_j}
  set up f_Signed_j(x) = <<CERT_j, K^x>, j>
  return f_Signed_j(·)
End
The output f_Signed_j(·) is carried by the agent;
The client then executes Algorithm 6 to sign the agent's sensitive data, with the sensitive data, the current time period j and the current key s_j as input; the algorithm is defined as follows:
Algorithm 6.
Sign(s_j, j, Msg)
Begin
  σ′ ← H_2(Msg)^{s_j}; σ ← <CERT_j, σ′>; σ_j ← <σ, j>
  return σ_j
End
The output is the period-j signature, likewise carried by the agent. Proceed to the next step.
Step 6. The shop receives the agent and first uses Algorithm 7 to check the agent's legitimacy by verifying σ_j, with the public key, the signed message, the signature and the current period as input; the algorithm is defined as follows:
Algorithm 7.
Vrfy(U_0, σ, j, Msg)
Begin
  <CERT_j, σ′> ← σ; <U_0′, j′, U_j′, Λ_j> ← CERT_j
  If (U_0 ≠ U_0′) return 0
  If (j ≠ j′) return 0
  If (ê(Λ_j, P) ≠ ê(H_2(U_0, j′, U_j′), U_0)) return 0
  If (ê(σ′, P) ≠ ê(H_2(Msg), U_j)) return 0
  Else return 1
End
If the output is 0, abort the transaction.
If the output is 1, decide whether the agent continues to migrate between shops; if so, repeat this step (step 6); otherwise go to step 7.
Step 7. Here the shop makes its final decision. If the transaction is to be completed, it generates the CONTRACT and the other transaction information as input and executes Algorithm 4, defined as follows:
Algorithm 4.
UndSig(Msg)
Begin
  h = H_1(Msg)
  return f_Signed_j(h)
End
The output is the final undetachable signature, denoted Z here. It is saved in the agent, which then migrates back to the client; proceed to the next step.
Step 8. The client receives the agent that has completed the transaction and, with U_0, Z, j, Msg and REQ_C||ID_C as input, where Msg is the CONTRACT together with the other transaction information, executes Algorithm 5 to check the legitimacy of Msg; the algorithm is defined as follows:
Algorithm 5.
UndVrfy(U_0, Z, j, Msg, REQ_C||ID_C)
Begin
  <<CERT_j, Z′>, j> ← Z; <U_0′, j′, U_j′, Λ_j> ← CERT_j
  If (U_0 ≠ U_0′) return 0
  If (j ≠ j′) return 0
  If (Msg does not satisfy REQ_C) return 0
  If (ê(Λ_j, P) ≠ ê(H_2(U_0′, j′, U_j′), U_0)) return 0
  If (ê(Z′, P) ≠ ê(H_2(REQ_C||ID_C)^{H_1(Msg)}, U_j)) return 0
  else return 1
End
If the algorithm outputs 0, stop the transaction;
otherwise it outputs 1 and the transaction is complete.
If the user needs another transaction, jump to step 3.
At this point the whole forward-secure undetachable signature method is complete.
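The eight steps above, traced end to end in Python as an added example; this is not the patent's Java/JPBC code. To run offline, the bilinear group is replaced by an exponent-space stand-in: each element P^x is stored as the integer x mod q, so X^s is x·s mod q and ê(P^x, P^y) is x·y mod q. That map is bilinear, so the verification equations of Algorithms 2, 5 and 7 behave exactly as they would on a real pairing group, but discrete logarithms are trivial in it, so the example illustrates the protocol flow and the checks only, never the scheme's security. The group order Q, the price-ceiling form chosen for REQ_C, the constructed messages and the helper names (_h, _cert_ok, satisfies, run_protocol) are assumptions of the example.

```python
import hashlib
import secrets

# Constructed parameters of the stand-in group: a prime order q, and the
# generator P, which in exponent space is the integer 1 (P = P^1).
# G_1 = G_2 here, as on the JPBC Type A curve of the patent's embodiment.
Q = 2**127 - 1
P = 1

def _h(*parts):                      # length-prefixed SHA-256 over all parts
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")
def H1(*parts):                      # H_1: {0,1}* -> Z_q^*
    return _h(b"H1", *parts) % (Q - 1) + 1
def H2(*parts):                      # H_2: {0,1}* -> G_1, never the identity
    return _h(b"H2", *parts) % (Q - 1) + 1
def exp(x, s):                       # X^s: (P^x)^s = P^{xs}
    return x * s % Q
def pair(x, y):                      # e(X, Y) = e(P, P)^{xy}, bilinear by construction
    return x * y % Q

def KGen(T):
    """Algorithm 1: s_0, U_0 = P^{s_0}, and the certificates CERT_1..CERT_T."""
    s0 = secrets.randbelow(Q - 1) + 1
    U0 = exp(P, s0)
    certs, s = {}, s0
    for j in range(1, T + 1):
        s = H1(s)                    # s_j = H_1(s_{j-1}); not kept after the loop
        Uj = exp(P, s)               # U_j = P^{s_j}
        certs[j] = (U0, j, Uj, exp(H2(U0, j, Uj), s0))   # Lambda_j = H_2(U_0,j,U_j)^{s_0}
    return U0, s0, certs

def KUpd(s_prev, cert, j, U0):
    """Algorithm 2: derive s_j; accept only if CERT_j vouches for U_j = P^{s_j}."""
    sj = H1(s_prev)
    Uj = exp(P, sj)
    if pair(cert[3], P) != pair(H2(U0, j, Uj), U0):
        return None                  # bottom: abort, s_{j-1} stays
    return sj                        # the caller erases s_{j-1} now

def UndSigFunGen(req, sj, cert):
    """Algorithm 3: the function the agent carries; s_j itself never leaves the client."""
    K = exp(H2(req), sj)             # K = H_2(REQ_C||ID_C)^{s_j}
    return lambda x: ((cert, exp(K, x)), cert[1])   # f_Signed_j(x) = <<CERT_j, K^x>, j>

def Sign(sj, cert, msg):             # Algorithm 6: <<CERT_j, H_2(Msg)^{s_j}>, j>
    return ((cert, exp(H2(msg), sj)), cert[1])

def _cert_ok(cert, U0, j):           # the CERT_j checks shared by Vrfy and UndVrfy
    U0p, jp, Ujp, Lam = cert
    return U0 == U0p and j == jp and pair(Lam, P) == pair(H2(U0, jp, Ujp), U0)

def Vrfy(U0, sigma, j, msg):
    """Algorithm 7: 1 if sigma = <CERT_j, sigma'> signs msg in period j, else 0."""
    cert, sp = sigma
    if not _cert_ok(cert, U0, j):
        return 0
    return 1 if pair(sp, P) == pair(H2(msg), cert[2]) else 0

def UndSig(f_signed, msg):           # Algorithm 4: the shop applies f_Signed_j to H_1(Msg)
    return f_signed(H1(msg))

def satisfies(msg, req):
    """Constructed stand-in for 'Msg satisfies REQ_C': a price ceiling in REQ_C."""
    ceiling = int(req.split(b"max_price=")[1].split(b";")[0])
    price = int(msg.split(b"price=")[1].split(b";")[0])
    return price <= ceiling

def UndVrfy(U0, Z, j, msg, req):
    """Algorithm 5: accept Z only for a Msg that meets REQ_C and was signed under CERT_j."""
    (cert, Zp), jz = Z
    if jz != j or not _cert_ok(cert, U0, j) or not satisfies(msg, req):
        return 0
    return 1 if pair(Zp, P) == pair(exp(H2(req), H1(msg)), cert[2]) else 0

def run_protocol():
    """Steps 1-8 of the method plus the rejection cases, as a dict of outcomes."""
    U0, s0, certs = KGen(3)                                   # step 1
    s1, s0 = KUpd(s0, certs[1], 1, U0), None                  # step 2, then erase s_0
    req = b"max_price=100;item=book;id=customer-42"           # constructed REQ_C||ID_C
    data = b"agent sensitive data"                            # constructed
    f1 = UndSigFunGen(req, s1, certs[1])                      # step 5
    sig1 = Sign(s1, certs[1], data)
    r = {"vrfy_ok": Vrfy(U0, sig1[0], 1, data)}               # step 6
    contract = b"CONTRACT price=80;item=book"                 # constructed Msg
    Z = UndSig(f1, contract)                                  # step 7, shop side
    r["undvrfy_ok"] = UndVrfy(U0, Z, 1, contract, req)        # step 8
    r["undvrfy_tampered"] = UndVrfy(U0, Z, 1, b"CONTRACT price=1;item=book", req)
    over = b"CONTRACT price=500;item=book"                    # violates REQ_C
    r["undvrfy_over_limit"] = UndVrfy(U0, UndSig(f1, over), 1, over, req)
    s2, s1 = KUpd(s1, certs[2], 2, U0), None                  # step 4: next period
    r["vrfy_old_period"] = Vrfy(U0, sig1[0], 1, data)         # old signature still valid
    r["vrfy_wrong_period"] = Vrfy(U0, sig1[0], 2, data)       # but not under period 2
    forged = (U0, 3, certs[3][2], (certs[3][3] + 1) % Q)      # a CERT the signer never issued
    r["kupd_forged_cert"] = KUpd(s2, forged, 3, U0)           # -> None (abort)
    return r
```

Two points the trace makes visible: the shop only ever holds f_Signed_j, which contains K = H_2(REQ_C||ID_C)^{s_j} but not s_j, so it can sign a contract hash yet cannot sign anything outside the carried certificate and requirement; and after the client moves to period 2 and erases s_1, the period-1 signature still verifies against CERT_1, while KUpd refuses any certificate that U_0 did not issue.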
Through the above technical scheme, the invention achieves a forward-secure undetachable digital signature in a white-box attack context (for example on an insecure computer). The scheme solves the lack of a good security approach for current mobile agents. Throughout the scheme the mobile agent does not need to carry the private key in order to represent the original signer with the digital signatures it produces, so the private key is not affected. The signing function is combined with the original signer's requirements, so misuse of the signature algorithm is prevented. In addition, because the scheme is forward secure it needs no special key distribution mechanism, and even if the signer is compromised it retains forward security (the signing keys of the periods before the compromised one cannot be revealed). The scheme therefore resists the threats mobile agents currently face.
Accompanying drawing explanation
Fig. 1 shows the working principle of the forward-secure undetachable digital signature method of the invention.
Fig. 2 is a flow diagram of the whole method.
Fig. 3 shows the basic relations among the seven basic algorithms.
Embodiment
The invention discloses a forward-secure undetachable digital signature method which, as shown in Fig. 3, comprises the following seven algorithms:
1) KGen: the key generation algorithm KGen takes the security parameter 1^k (k ∈ N) and the total number of periods T for which the scheme runs, possibly together with other relevant parameters, as input and returns a base public key PK and the corresponding initial key (signing key) SK_0. Its complexity is not fixed.
2) KUpd: the key update algorithm KUpd takes the key SK_{j-1} of the previous period as input and returns the current signing key SK_j. Its time complexity is normally deterministic.
3) UndSigFunGen: the undetachable signing function generation algorithm UndSigFunGen is a deterministic polynomial-time algorithm that takes the user's requirement REQ_C, the user's identity ID_C, the user's public key and the key of the current period as input and returns the function pair f(·) and f_Signed_j(·).
4) UndSig: the undetachable signing algorithm FSUndSig is a polynomial-time algorithm that takes the relevant contract constraint (or its hash value) as input and returns the undetachable digital signature z = ζ_j = <ζ, j>.
5) UndVrfy: the undetachable signature verification algorithm FSUndVrfy is a polynomial-time algorithm that takes the relevant contract constraint and the undetachable signature z as input and returns "accept" or "reject", in short 1 or 0.
6) Sign: the signing algorithm Sign takes the key SK_j of the current period and the message M as input and returns the period j together with the signature of M in period j; its complexity may be indeterminate. The signature is normally a pair, the period j and the corresponding tag σ.
7) Vrfy: the verification algorithm Vrfy takes the public key PK, the message M and the signature <j, σ> as input and returns "accept" or "reject", in short 1 or 0; written here b ← Vrfy_PK(M, <j, σ>).
Fig. 1 and Fig. 2 describe how these algorithms are used in the forward-secure undetachable digital signature scheme.
As shown in Fig. 1, the general working principle of the identity-based undetachable digital signature scheme is as follows. First, the client runs KGen(1^k) to generate the global parameters, the public key and the initial key. It then runs KUpd to update the initial key, and continues to update the key as time passes. The client then completes shopping and produces the agent: it first generates the undetachable signing function with UndSigFunGen, then signs the agent's sensitive data with Sign. The agent migrates to the shop server; on receiving the agent the shop first checks its legitimacy with Vrfy, terminating the transaction directly if it is illegitimate and continuing to process it if it is valid. The agent then moves between shops to trade; the final shop generates the contract and the other transaction information, produces the undetachable signature on this information with UndSig, and sends the agent back to the client. The client checks the legitimacy of the transaction with UndVrfy; the transaction succeeds only if the algorithm outputs 1. If further transactions follow, a new key may be used to sign, so that even if the current key is stolen, the earlier transactions remain secure.
As shown in Fig. 2, the forward-secure undetachable signature scheme comprises the following eight steps:
1) the client runs KGen, producing the global setting, the public key U_0 and the initial key s_0;
2) the client runs KUpd, outputting the first-period key s_1;
3) the purchase list is completed and the transaction begins; if the key has not expired, go directly to 5);
4) the client runs KUpd, outputting the next-period key s_j;
5) the client runs UndSigFunGen, outputting f_Signed_j(·), which the agent carries; the client runs Sign to sign the agent's sensitive data;
6) the shop server verifies the agent with Vrfy and terminates the transaction directly if it is illegitimate;
7) the transaction is made and the contract is signed with UndSig;
8) the client verifies the contract with UndVrfy and terminates the transaction if it is illegitimate.
Fig. 3 shows how the seven algorithms work together: KGen first generates the global variables, the public key and the initial key; KUpd is responsible for continually updating the key as time passes; UndSigFunGen produces a "semi-finished product" so that the signing key need not be exposed in transit; UndSig turns that "semi-finished product" into the "finished product", the undetachable signature; UndVrfy is the corresponding verification method; and the remaining Sign and Vrfy are the corresponding ordinary signature methods.
The invention is further described below with a specific embodiment:
This scheme is built on bilinear pairings. Its security rests on the hardness of the computational Diffie-Hellman problem in groups where the decisional Diffie-Hellman problem can be solved.
This example is written in Java and implemented with The Java Pairing Based Cryptography Library (JPBC). JPBC is a set of standard APIs for asymmetric cryptography; its official website is http://gas.dia.unisa.it/projects/jpbc/.
The implementation of KGen(1^k) is based on JPBC's Type A elliptic curve and takes the official configuration file a.properties as input, so this implementation needs no explicit 1^k parameter. The elliptic curve it sets up has the following characteristics:
The curve is y^2 = x^3 + x constructed over the field F_q, where q is a prime with q ≡ 3 (mod 4). The JPBC library provides the API for the map e: G_1 × G_2 → G_T; in the curve system set up here, G_1 = G_2 in the map, so the condition in the definition of KGen(1^k) that a homomorphism ψ: G_2 → G_1 with ψ(P) = G exists is satisfied. In use, once the curve system is initialised a Pairing object is obtained; its member functions getG1(), getGT() and getZr() yield G_1 (= G_2), G_T and Z_r. Then getG1().newRandomElement() gives the generator P of G_1, and in the same way s is drawn from Z_r; calling P's member function powZn(s) computes P_pub; and the two hash functions in Ω are realised with the member function newElementFromHash() of G_1 or Z_r. Following the algorithm description, Ω is then easily constructed.
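The hash-to-G_1 step that newElementFromHash() has to perform on this curve, as an added example in Python rather than the embodiment's Java (it is not JPBC's own code): on y^2 = x^3 + x over F_q with q ≡ 3 (mod 4), a square root of a is a^((q+1)/4), and #E(F_q) = q + 1, so a hash is mapped to a point by try-and-increment on x and the result is multiplied by the cofactor h = (q+1)/r to land in the prime-order subgroup G_1. The parameters q = 83, r = 7, h = 12 are constructed toy values (real ones come from a.properties), and the try-and-increment method is a standard construction, not a claim about JPBC's exact internal procedure.

```python
import hashlib

# Constructed toy parameters for the Type A curve y^2 = x^3 + x over F_q:
# q prime with q = 3 (mod 4), so #E(F_q) = q + 1 = h * r with r prime.
# Here q = 83, r = 7, h = 12; a real deployment takes them from a.properties.
Q, R, H = 83, 7, 12
A = 1                                # coefficient a in y^2 = x^3 + a*x + b, with b = 0

def is_on_curve(pt):
    if pt is None:                   # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x)) % Q == 0

def sqrt_mod(a):
    """Square root in F_q for q = 3 (mod 4): a^((q+1)/4) is a root iff a is a square."""
    r = pow(a % Q, (Q + 1) // 4, Q)
    return r if r * r % Q == a % Q else None

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x; None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % Q == 0:       # p2 = -p1, which also covers the order-2 point y = 0
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return x3, (lam * (x1 - x3) - y1) % Q

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_to_g1(data):
    """H_2 on this curve: hash to x, step x until x^3 + x is a square, then clear
    the cofactor h so the point lies in the order-r subgroup and is not the identity."""
    x = int.from_bytes(hashlib.sha256(data).digest(), "big") % Q
    for _ in range(4 * Q):           # roughly half of all x give a curve point
        y = sqrt_mod(x ** 3 + A * x)
        if y is not None:
            pt = mul(H, (x, y))
            if pt is not None:
                return pt
        x = (x + 1) % Q
    raise RuntimeError("no point found")   # unreachable for a valid curve
```

Because the output is deterministic and always lies in the order-r subgroup, two parties hashing the same REQ_C||ID_C obtain the same element of G_1, which is what the pairing equations in Algorithms 5 and 7 rely on; the same construction with Z_r as target (reduce the hash modulo r) gives the H_1 of the scheme.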
Likewise, across the seven algorithms the calls are simply to the basic functions above, with no great differences, so they are not all described here. Once all seven algorithms have been implemented in Java, the procedure can be carried out as follows:
Step 1. A customer completes shopping on a client computer. The computer then generates a mobile agent, and the client computer, at the prescribed security level (the required security index k is input), executes Algorithm 1, which outputs the public-key setting Ω = (G_1, G_2, ê(·,·), q, P, H_1(·), H_2(·)), U_0 and the initial key S_0. The global setting Ω is stored in U_0, that is, the public key element carries the global information.
When KGen(1^k) completes, it outputs the public key U_0 and the initial key S_0; proceed to the next step.
Step 2. The client then inputs the public key U_0, the initial key S_0, CERT_j and the current time period j into Algorithm 2 and executes it; the algorithm returns S_1; proceed to the next step.
Step 3. The client completes the transaction and is ready to send the mobile agent to trade.
If the current key has expired, go to step 4; otherwise go to step 5.
Step 4. With the previous period's key S_{j-1}, the current period j, the public key U_0 and the CERT_j generated by Algorithm 1 as input, the client runs KUpd again and obtains the key S_j of the next period; proceed to the next step.
Step 5. With REQ_C||ID_C, s_j and CERT_j as input, where REQ_C||ID_C (the customer's requirement concatenated with the user identity) is sensitive data, the client executes Algorithm 3 and stores the output in the agent. The client then executes Algorithm 6 to sign the agent's sensitive data, with the sensitive data, the current time period j and the current key S_j as input; the output is the period-j signature, also stored in the agent. Proceed to the next step.
Step 6. The shop receives the agent and first uses Algorithm 7 to check the agent's legitimacy, with the public key, the signed message, the signature and the current period as input. If the output is 0, abort the transaction; if the output is 1, decide whether the agent continues to migrate between shops; if so, repeat this step (step 6); otherwise go to step 7.
Step 7. Here the shop makes its final decision. If the transaction is to be completed, it generates the CONTRACT and the other transaction information as input and executes Algorithm 4; the output is the final undetachable signature, denoted Z here. It is saved in the agent, which then migrates back to the client; proceed to the next step.
Step 8. The client receives the agent that has completed the transaction and, with U_0, Z, j, Msg and REQ_C||ID_C as input, where Msg is the CONTRACT together with the other transaction information, executes Algorithm 5 to check the legitimacy of Msg. If the algorithm outputs 0, stop the transaction; otherwise it outputs 1 and the transaction is complete.
If the user needs another transaction, jump to step 3.
At this point the whole forward-secure undetachable signature method is complete.

Claims (1)

1. A forward-secure undetachable digital signature method, characterised in that it comprises the following eight steps:
Step 1. A customer completes shopping on a client computer. The computer then generates a mobile agent, and the client computer, at the prescribed security level (the required security index k is input), executes Algorithm 1, defined as follows:
Algorithm 1. Key generation KGen(1^k): on input the total number of time periods T and the security parameter 1^k (k ∈ N), the algorithm outputs the public-key setting Ω = (G_1, G_2, ê(·,·), q, P, H_1(·), H_2(·)) and the initial key S_0;
In Ω, G_1 is a multiplicative cyclic group of order q and G_2 is likewise a multiplicative cyclic group of order q; G and P are fixed generators of G_1 and G_2 respectively; ê: G_1 × G_2 → G_T is a bilinear map that takes the Cartesian product of elements of G_1 and G_2 and maps it to an element of G_T; H_1: {0,1}* → Z_q* and H_2: {0,1}* → G_1 are two special hash maps that send an arbitrary binary string to Z_q* (the group of integers modulo the prime q without the zero element) and to G_1 respectively;
Definition: the decisional Diffie-Hellman problem on (G_1, G_2) (co-DDH): given P, P^a ∈ G_2 and Y, Y^b ∈ G_1 as input, output yes if a = b and no otherwise; when the output is yes, (P, P^a, Y, Y^b) is called a Diffie-Hellman tuple (co-DHT);
The global setting Ω is stored in U_0, that is, the public key element carries the global information;
When KGen(1^k) completes, it outputs the public key U_0 and the initial key S_0; proceed to the next step;
Step 2. The client then inputs the public key U_0, the initial key s_0, CERT_j and the current time period j into Algorithm 2 and executes it; it is defined as follows:
Algorithm 2.
KUpd(s_{j-1}, CERT_j, j, U_0)
BEGIN
  <U_0′, j′, U_j′, Λ_j> ← CERT_j
  s_j ← H_1(s_{j-1}); U_j ← P^{s_j}
  If (ê(Λ_j, P) ≠ ê(H_2(U_0, j, U_j), U_0))
    return ⊥ // abort
  erase s_{j-1}
  return s_j
END
After s_0 is erased, the algorithm returns S_1; proceed to the next step;
Step 3. The client completes the transaction and is ready to send the mobile agent to trade;
If the current key has expired, go to step 4; otherwise go to step 5;
Step 4. With the previous period's key S_{j-1}, the current period j, the public key U_0 and the CERT_j generated by Algorithm 1 as input, the client runs KUpd again and obtains the key S_j of the next period; proceed to the next step;
Step 5. With REQ_C||ID_C, s_j and CERT_j as input, where REQ_C||ID_C (the customer's requirement concatenated with the user identity) is sensitive data, the client executes Algorithm 3, defined as follows:
Algorithm 3.
UndSigFunGen(REQ_C||ID_C, s_j, CERT_j)
Begin
  H ← H_2(REQ_C||ID_C);
  K ← H^{s_j}
  set up f_Signed_j(x) = <<CERT_j, K^x>, j>
  return f_Signed_j(·)
End
The output f_Signed_j(·) is carried by the agent;
The client then executes Algorithm 6 to sign the agent's sensitive data, with the sensitive data, the current time period j and the current key S_j as input; the algorithm is defined as follows:
Algorithm 6.
Sign(s_j, j, Msg)
Begin
  σ′ ← H_2(Msg)^{s_j}; σ ← <CERT_j, σ′>; σ_j ← <σ, j>
  return σ_j
End
The output is the period-j signature, likewise carried by the agent; proceed to the next step;
Step 6. The shop receives the agent and first uses Algorithm 7 to check the agent's legitimacy by verifying σ_j, with the public key, the signed message, the signature and the current period as input; the algorithm is defined as follows:
Algorithm 7.
Vrfy(U_0, σ, j, Msg)
Begin
  <CERT_j, σ′> ← σ; <U_0′, j′, U_j′, Λ_j> ← CERT_j
  If (U_0 ≠ U_0′) return 0
  If (j ≠ j′) return 0
  If (ê(Λ_j, P) ≠ ê(H_2(U_0, j′, U_j′), U_0)) return 0
  If (ê(σ′, P) ≠ ê(H_2(Msg), U_j)) return 0
  Else return 1
End
If the output is 0, abort the transaction;
If the output is 1, decide whether the agent continues to migrate between shops; if so, repeat this step (step 6); otherwise go to step 7;
Step 7. Here the shop makes its final decision. If the transaction is to be completed, it generates the CONTRACT and the other transaction information as input and executes Algorithm 4, defined as follows:
Algorithm 4.
UndSig(Msg)
Begin
  h = H_1(Msg)
  return f_Signed_j(h)
End
The output is the final undetachable signature, denoted Z here. It is saved in the agent, which then migrates back to the client; proceed to the next step.
Step 8. The client receives the agent that has completed the transaction and, with U_0, Z, j, Msg and REQ_C||ID_C as input, where Msg is the CONTRACT together with the other transaction information, executes Algorithm 5 to check the legitimacy of Msg; the algorithm is defined as follows:
Algorithm 5.
UndVrfy(U_0, Z, j, Msg, REQ_C||ID_C)
Begin
  <<CERT_j, Z′>, j> ← Z; <U_0′, j′, U_j′, Λ_j> ← CERT_j
  If (U_0 ≠ U_0′) return 0
  If (j ≠ j′) return 0
  If (Msg does not satisfy REQ_C) return 0
  If (ê(Λ_j, P) ≠ ê(H_2(U_0′, j′, U_j′), U_0)) return 0
  If (ê(Z′, P) ≠ ê(H_2(REQ_C||ID_C)^{H_1(Msg)}, U_j)) return 0
  else return 1
End
If the algorithm outputs 0, stop the transaction;
otherwise it outputs 1 and the transaction is complete.
If the user needs another transaction, jump to step 3.
Priority application: CN201410407512.XA, priority date 2014-08-19, filing date 2014-08-19, title: Forward-secure undetachable digital signature method (active; granted as CN104168115B)

Publications:
CN104168115A, published 2014-11-26
CN104168115B, published 2017-07-11

Family ID: 51911767
Country status: CN, CN104168115B

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105049453A (en) * 2015-08-26 2015-11-11 同济大学 Signature verification method
CN108011723A (en) * 2017-12-13 2018-05-08 同济大学 Invade the undetachable digital signatures method of rebound
CN108259506A (en) * 2018-02-08 2018-07-06 上海交通大学 SM2 whitepack password implementation methods
CN110233733A (en) * 2019-06-05 2019-09-13 同济大学 Undetachable digital signatures general construction method towards block chain intelligence contract

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707523A (en) * 2009-12-03 2010-05-12 University of Electronic Science and Technology of China Forward-secure digital signature method and system capable of balancing cost
CN101714919A (en) * 2009-10-29 2010-05-26 University of Electronic Science and Technology of China Forward-secure digital signature algorithm based on the RSA algorithm
CN101873307A (en) * 2010-03-19 2010-10-27 Shanghai Jiao Tong University Identity-based forward-secure digital signature method, device and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liu Yali: "Analysis and Research of Forward-Secure Digital Signature Technology", China Master's Theses Full-text Database *
Li Wanpeng: "Research on Forward-Secure Cryptographic Algorithms in Untrusted Update Environments", China Master's Theses Full-text Database *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant