CN104168115B

CN104168115B - The undetachable digital signatures method of forward secrecy

Info

Publication number: CN104168115B
Application number: CN201410407512.XA
Authority: CN
Inventors: 史扬; 刘琴; 穆斌; 赵钦佩; 韩景轩
Original assignee: Tongji University
Current assignee: Tongji University
Priority date: 2014-08-19
Filing date: 2014-08-19
Publication date: 2017-07-11
Anticipated expiration: 2034-08-19
Also published as: CN104168115A

Abstract

The invention discloses a forward secure inseparable digital signature method, the method includes the following algorithms: key generation algorithm KGen, key upgrade algorithm KUpd, inseparable signature method generation algorithm UndSigFunGen, inseparable signature algorithm FSUndSig, indivisible signature verification algorithm FSUndVrfy, signature algorithm Sign, verification algorithm Vrfy. The present invention can realize the forward-safe inseparable digital signature under the white-box attack environment. Throughout the scheme, mobile agents do not need to carry the private key as the digital signature they generate represents the original signature, so the private key will not be affected. The function of encryption is combined with the request of the original signer, so the misoperation of the signature algorithm can be prevented. The scheme does not need a special key distribution organization, and even if the signer is compromised, the scheme still has forward security.

Description

Forward-safe indivisible digital signature method

技术领域technical field

本发明涉及信息安全技术领域，具体涉及移动安全代理技术，应用于电子商务、移动计算等。The invention relates to the technical field of information security, in particular to mobile security agent technology, which is applied to e-commerce, mobile computing and the like.

背景技术Background technique

随着越来越多的基于移动代理技术进入实践阶段，如果没有合适的、安全的、可信的和隐秘的技术来保护敏感的商业数据并且让商业伙伴们有充分的信心来一起合作的话，这些应用是不可能成功实现的。然而，移动代理面临着巨大的安全威胁，当前移动安全代理领域上基于身份的不可拆分数字签名方法可以很好的并安全有效的完成任务。As more and more mobile agent-based technologies come into practice, without suitable, secure, trusted and stealthy technologies to protect sensitive business data and allow business partners to work together with sufficient confidence, These applications are impossible to implement successfully. However, mobile agents are facing a huge security threat, and the current identity-based inseparable digital signature method in the field of mobile security agents can complete the task safely and effectively.

但是，基于身份的不可拆分数字签名方法必须需要一个中心化分发密钥的安全机构，而实际上有很多情况是没有这种具有权威性，可靠性的机构的。因此这里急需一个不依靠密钥分发机构的，又同时具有高安全性，高可靠性的方法来保护移动代理。However, the identity-based inseparable digital signature method must require a centralized security agency that distributes keys, but in fact there are many cases where there is no such authoritative and reliable agency. Therefore, there is an urgent need for a method that does not rely on the key distribution organization, but also has high security and high reliability to protect the mobile agent.

该方案是建立在双线性对基础上的。其安全性依赖于对在Diffie-Hellman组求解计算Diffie-Hellman问题的困难度上。其中大部分基本概念，例如群、环、域，在近世代数一科中都属于标准概念。The scheme is based on bilinear pairings. Its security depends on the difficulty of solving computational Diffie-Hellman problems in Diffie-Hellman groups. Most of the basic concepts, such as groups, rings, and fields, are standard concepts in modern algebra.

相似技术(产品)简述：Brief description of similar technologies (products):

为了解决在以往的传统电子签名方案实现中，移动代理在代理原始用户活动时，生成电子签名需要自身携带签名算法以及签名密钥的过程中，会让攻击者从代理端伪造签名算法，甚至破解签名密钥的安全问题。采用Kotzanikolaous,P.,Burmester,M.,Chrissikopoulos,V.,Secure Transactions with Mobile Agents in HostileEnvironments,proceeding of ACISP 2000,pp289-297,2000；Yang Shi,Xiaoping Wang,Liming Cao,et.al.A Security Scheme of Electronic Commerce for Mobile AgentsUses Undetachable Digital Signatures.The Third International Conference onInformation Security,ACM Press,2004:pp.242-243.和Yang Shi,Xiaoping Wang,Liming Cao,Jianxin Ren.Secure Mobile Agents in Electronic Commerce by UsingUndetachable Signatures from Pairings.Proc.The 4th International Conferenceon Electronic Business,pp.1038-1043.三篇文献给出的任意一种不可拆分电子签名，可以在一定程度上控制签名密钥或者签名方法的泄露。In order to solve the problem in the implementation of traditional electronic signature schemes in the past, when the mobile agent generates an electronic signature on behalf of the original user, it needs to carry the signature algorithm and signature key itself, which will allow the attacker to forge the signature algorithm from the agent, or even crack Security issues for signing keys. Using Kotzanikolaous, P., Burmester, M., Chrissikopoulos, V., Secure Transactions with Mobile Agents in Hostile Environments, proceeding of ACISP 2000, pp289-297, 2000; Yang Shi, Xiaoping Wang, Liming Cao, et.al.A Security Scheme of Electronic Commerce for Mobile AgentsUses Undetachable Digital Signatures. The Third International Conference on Information Security, ACM Press, 2004: pp.242-243. and Yang Shi, Xiaoping Wang, Liming Cao, Jianxin Ren. Secure Mobile Agents in Electronic Commerce by Using Undetachable Signatures from Pairings.Proc.The 4th International Conference on Electronic Business,pp.1038-1043.Any kind of inseparable electronic signature given in the three documents can control the leakage of the signature key or signature method to a certain extent.

为了解决在没有可靠密钥分发机构情况下，密钥生成者会被攻击得到签名密钥的安全威胁H.Krawezyk.Simple forward-secure signatures from any Signatureseheme.Proceedings of the 7th ACM Conference on Computer and CommunicationsSeeurity,2000，pp.108-115.文献提出了前向安全签名方法来解决这类问题，而且，即便当签名者主机被攻陷形成白盒攻击环境时，仍能保证签名密钥是前向安全的，即该方案密钥是随时间变化的，在被攻陷的时间点之前的已经使用过的签名密钥都是无法获取的，故名前向安全。In order to solve the security threat that the key generator will be attacked to obtain the signature key in the absence of a reliable key distribution agency H. Krawezyk. Simple forward-secure signatures from any Signaturese heme. Proceedings of the 7th ACM Conference on Computer and Communications Seeurity, 2000, pp.108-115. The literature proposes a forward secure signature method to solve this kind of problem, and even when the host of the signer is compromised to form a white box attack environment, the signature key can still be guaranteed to be forward secure, That is to say, the key of this scheme changes with time, and the signature key that has been used before the time point of being compromised cannot be obtained, so it is called forward security.

但是这几种签名方案各自并不能满足目前移动代理安全性的需求。However, each of these signature schemes cannot meet the current security requirements of mobile agents.

发明内容Contents of the invention

众所周知，签名密钥是一个签名方案的核心，如果签名密钥被盗，那么整个签名方法就失去了作用，因此上文提到的前向安全签名方法可以让签名密钥随时间的流逝而更新，没过一个时间段就不可逆地更新一次密钥，这样，即便当签名者被攻陷后，仍能保证当前时间片段以前的签名密钥的安全性，即，已经签名过得数据无法再仿造。As we all know, the signature key is the core of a signature scheme. If the signature key is stolen, the entire signature method will be useless. Therefore, the forward security signature method mentioned above can allow the signature key to be updated over time. , the key is irreversibly updated every time period, so that even when the signer is compromised, the security of the signature key before the current time period can still be guaranteed, that is, the signed data cannot be counterfeited.

但是，目前前向安全的签名方案又无法达到不可拆分签名的效果。同时具有两种特点的签名方案成为了目前移动代理安全领域的空白，因为公开的签名方案中，并没有方案有效的方案是两种特点结合，因为这种结合可以说是相当困难的。而本发明的目的在于克服目前这两种方案在移动代理安全领域各自的不足，既能解决生成电子签名需要自身携带签名算法以及签名密钥的过程中，会让攻击者从代理端伪造签名算法，甚至破解签名密钥的安全问题，又能解除移动代理在路过某恶意主机时可能会形成白盒攻击(WBAC)环境时所面临的威胁，同时也不需要专门的安全机构来颁发证书或者是密钥，增加了签名方法的适用范围，再者，不仅使通讯风险更加低，也抵消了权威机构被攻破的巨大威胁，填补了移动安全领域该项的空白。However, the current forward-secure signature scheme cannot achieve the effect of indivisible signatures. The signature scheme with two characteristics at the same time has become a blank in the field of mobile agent security, because among the public signature schemes, there is no effective scheme that combines the two characteristics, because this combination can be said to be quite difficult. The purpose of the present invention is to overcome the respective deficiencies of the current two solutions in the field of mobile agent security, and to solve the problem of generating an electronic signature that requires itself to carry a signature algorithm and a signature key, which will allow an attacker to forge a signature algorithm from the agent , even cracking the security issue of the signature key, and can remove the threat that the mobile agent may face when it passes a malicious host and may form a white-box attack (WBAC) environment, and does not require a special security agency to issue certificates or The key increases the scope of application of the signature method. Furthermore, it not only reduces the communication risk, but also offsets the huge threat of the authoritative organization being breached, filling the gap in the field of mobile security.

本发明的创新在于通过特殊的算法设计，进而同时达到前向安全和不可拆分签名的安全特征。它并不是单纯简单的算法拼装，而是通过理论推理论证以及相应的实验而达到的两种安全方案的有机结合。The innovation of the present invention lies in the design of a special algorithm so as to simultaneously achieve the security features of forward security and inseparable signatures. It is not a simple assembly of algorithms, but an organic combination of two security solutions achieved through theoretical reasoning and corresponding experiments.

为此，本发明给出的技术方案为：For this reason, the technical scheme that the present invention provides is:

一种前向安全的不可拆分数字签名方法，其特征在于，它包括八个步骤如下：步骤1.某客户在一台客户端计算机上完成购物，随即，计算机生成移动代理，之后客户端计算机根据规定好的安全级别下(输入需要的安全指数k)运行算法1.，算法定义如下A kind of forward safe inseparable digital signature method, it is characterized in that, it comprises eight steps as follows: Step 1. certain client completes shopping on a client computer, then, computer generates mobile agent, client computer afterwards Run Algorithm 1. according to the specified security level (input the required security index k), the algorithm is defined as follows

算法1.密钥生成算法：KGen(1^k)输入总共的时间片段数T和1^k当k∈□(□为自然数)时一个安全参数，算法输出公共密钥设置以及初始密钥S₀。Algorithm 1. Key generation algorithm: KGen(1 ^k ) inputs the total number of time segments T and 1 ^k as a security parameter when k∈□ (□ is a natural number), and the algorithm outputs the public key setting and the initial key S ₀ .

Ω解释说明：上述中，关于安全参数1^k是一个概念性说法，k就是安全指数，可以简单理解为加密系统是k位长度的，当具体实现时，视项目需求和采用的公钥加密系统(比如hyperelliptic椭圆曲线等)而定。Ω Explanation: In the above, the security parameter 1 ^k is a conceptual statement, and k is the security index, which can be simply understood as the encryption system is of k-bit length. When it is implemented, it depends on the project requirements and the public key encryption system used. (such as hyperelliptic elliptic curves, etc.) depends.

Ω中G₁是一个阶为q乘法循环群，G₂同样是一个阶为q的乘法循环群。G和P是G₁和G₂各自的固定生成元。是一个线性映射，将G₁和G₂中的元素先做笛卡尔积，然后映射到G_T中的元素上。和H₂:{0,1}^*→G₁是两个特殊的哈希映射，作用就是分别将任意二进制数值映射到和G₁，是以质数q为阶且无零元的整数加法群。G ₁ in Ω is a multiplicative cyclic group with order q, and G ₂ is also a multiplicative cyclic group with order q. G and P are fixed generators of _G1 and _G2 respectively. Is a linear mapping, the elements in G ₁ and G ₂ are firstly Cartesian product, and then mapped to the elements in G _T. and H ₂ : {0,1} ^* →G ₁ are two special hash maps, which are used to map any binary value to and G ₁ , is the additive group of integers of order q with no zero elements.

注解：假设存在同态映射ψ:G₂→G₁有ψ(P)＝G。Note: Suppose there is a homomorphic map ψ:G ₂ →G ₁ with ψ(P)=G.

定义：在(G₁,G₂)上的判定Diffie-Hellman问题(co-DDH)：给出P,P^a∈G₂和Y,Y^b∈G₁作为输入，如果a＝b那么输出yes，否则输出no。当输出为yes时，我们称(P,P^a,Y,Y^b)是一个Diffie-Hellman元组(co-DHT)。Definition: Decision Diffie-Hellman problem (co-DDH) on (G ₁ ,G ₂ ): Given P, P ^a ∈ G ₂ and Y, Y ^b ∈ G ₁ as input, if a=b then output yes , otherwise output no. When the output is yes, we say (P,P ^a ,Y,Y ^b ) is a Diffie-Hellman tuple (co-DHT).

假设：我们假设是可以被快速计算的，因此co-DDH在(G₁,G₂)上是容易解决的。本方法就是建立在这个假设上的。Hypothesis: We assume can be calculated quickly, so co-DDH is easy to solve on (G ₁ ,G ₂ ). This method is based on this assumption.

初始密钥S₀生成：The initial key S ₀ is generated:

从中随即取出S₀，计算U₀ from S ₀ is taken out immediately, and U ₀ is calculated

For(j＝1；j≤T；j++) doFor(j=1; j≤T; j++) do

EndForEndFor

循环完毕，抹除s_j,j＝1,…,T，存储CERT_j,j＝1,…,TAfter the cycle is completed, erase s _j ,j=1,…,T, store CERT _j ,j=1,…,T

注释：在此，本算法假设U₀是个数据集合体，因此，将全局设定Ω存储在U₀，也就是公钥元素携带着全局信息。Note: Here, this algorithm assumes that U ₀ is a data aggregate, therefore, the global setting Ω is stored in U ₀ , that is, the public key element carries global information.

KGen(1^k)算法完成，输出公钥U₀和初始密钥S₀，进行下一步。The KGen(1 ^k ) algorithm is completed, output the public key U ₀ and the initial key S ₀ , and proceed to the next step.

步骤2然后客户端向算法2输入公钥U₀、初始密钥s₀、CERT_j和当前时间片j，然后运行算法2，其定义如下：Step 2: Then the client inputs public key U ₀ , initial key s ₀ , CERT _j and current time slice j to Algorithm 2, and then runs Algorithm 2, which is defined as follows:

算法2.Algorithm 2.

KUpd(s_j-1,CERT_j,j,U₀)KUpd(s _j-1 ,CERT _j ,j,U ₀ )

BEGINBEGIN

<U₀′,j′,U_j′,Λ_j>←CERT_j ←CERT _j

return ⊥ //abortreturn ⊥ //abort

erase s_j-1 erase s _j-1

return s_j return s _j

ENDEND

抹除S₀后，算法返回S₁，进行下一步After erasing S ₀ , the algorithm returns to S ₁ and proceeds to the next step

步骤3.客户端完成交易，准备发送移动代理进行交易。Step 3. The client completes the transaction and is ready to send the mobile agent for the transaction.

如果当前密钥过期执行步骤4，否则执行步骤5。If the current key has expired, go to step 4, otherwise go to step 5.

步骤4.客户端以上一时期密钥S_j-1，当前时期j，公钥U₀以及算法1生成的CERT_j为输入，重新运行KUpd，得到下一时间段密钥S_j，进行下一步。Step 4. The client takes the key S _j-1 of the previous period, the current period j, the public key U ₀ and the CERT _j generated by Algorithm 1 as input, re-runs KUpd to obtain the key S _j of the next period, and proceeds to the next step .

步骤5.客户端以REQ_C||ID_C,s_j,CERT_j为输入，其中REQ_C||ID_C是客户需求和用户ID属于敏感数据运行算法3，其定义如下：Step 5. The client takes REQ_C||ID _C , s _j , and CERT _j as input, where REQ_C||ID _C is customer demand and user ID belongs to sensitive data and runs Algorithm 3, which is defined as follows:

算法3.Algorithm 3.

UndSigFunGen(REQ_C||ID_C,s_j,CERT_j)UndSigFunGen(REQ_C||ID _C ,s _j ,CERT _j )

BeginBegin

H←H₂(REQ_C||ID_C)；H←H ₂ (REQ_C||ID _C );

Endend

输出使代理携带；output make the agent carry;

随后客户端运行算法6为代理敏感数据签名，输入为敏感数据、当前时间片段j以及当前密钥s_j，算法定义如下Then the client runs Algorithm 6 to sign the proxy sensitive data. The input is sensitive data, the current time segment j and the current key s _j . The algorithm is defined as follows

算法6.Algorithm 6.

Sign(s_j,j,Msg)Sign(s _j ,j,Msg)

BeginBegin

return σ_j return σ _j

Endend

输出为j时期的签名，同样使代理携带。进行下一步The output is the signature of period j, which is also carried by the agent. proceed to the next step

步骤6.商店接收到代理，先用算法7检验代理的合法性，即检验σ_j，输入为公钥、签名消息、签名和当前时期，算法定义如下：Step 6. When the store receives the proxy, it first uses Algorithm 7 to check the legitimacy of the proxy, that is, to check σ _j . The input is the public key, signature message, signature and the current period. The algorithm is defined as follows:

算法7.Algorithm 7.

Vrfy(U₀,σ,j,Msg)Vrfy(U ₀ ,σ,j,Msg)

BeginBegin

<CERT_j,σ′>←σ；<U₀′,j′,U_j′,Λ_j>←CERT_j <CERT _j ,σ′>←σ;←CERT _j

If(U₀≠U₀′) return 0If(U ₀ ≠ U ₀ ′) return 0

If(j≠j′) return 0If(j≠j′) return 0

Else return 1Else return 1

Endend

如果输出为0，退出交易If the output is 0, exit the transaction

如果输出为1，判断是否代理继续在商店间迁移，如果需要，重复该步骤，即进行步骤6；否则进行步骤7。If the output is 1, judge whether the agent continues to migrate between stores. If necessary, repeat this step, that is, go to step 6; otherwise, go to step 7.

步骤7.在此，商店已经做出最终决策，如果完成交易，那么生成CONTRACT和其他交易信息作为输入，运行算法4，定义如下：Step 7. At this point, the store has made a final decision, if the transaction is completed, then generate CONTRACT and other transaction information as input, run Algorithm 4, defined as follows:

算法4.Algorithm 4.

UndSig(Msg)UndSig(Msg)

BeginBegin

h＝H₁(Msg)h=H ₁ (Msg)

Endend

输出为最终的不可拆分签名，在此记为Z。保存到代理中，然后使代理迁移回到客户端，进行下一步。The output is the final inseparable signature, denoted as Z here. Save into the agent, then make the agent migrate back to the client for the next step.

步骤8.客户端收到交易完成的代理，以U₀,Z,j,Msg,REQ_C||ID_C为输入，其中Msg为CONTRACT和其他交易信息，运行算法5检验Msg的合法性，算法定义如下：Step 8. The client receives the transaction completion agent, takes U ₀ , Z, j, Msg, REQ_C||ID _C as input, where Msg is CONTRACT and other transaction information, and runs Algorithm 5 to check the validity of Msg, algorithm definition as follows:

算法5.Algorithm 5.

UndVrfy(U₀,Z,j,Msg,REQ_C||ID_C)UndVrfy(U ₀ ,Z,j,Msg,REQ_C||ID _C )

BeginBegin

<<CERT_j,Z′>,j>←Z；<U₀′,j′,U_j′,Λ_j>←CERT_j <<CERT _j ,Z′>,j>←Z;←CERT _j

If(U₀≠U₀′) return 0If(U ₀ ≠ U ₀ ′) return 0

If(j≠j′) return 0If(j≠j′) return 0

If(Msg does not satisfy REQ_C) return 0If(Msg does not satisfy REQ_C) return 0

else return 1else return 1

Endend

如果算法输出为0，则终止交易；If the algorithm output is 0, terminate the transaction;

否则输出为1，完成交易。Otherwise the output is 1 and the transaction is completed.

如果用户仍需要交易，直接跳到步骤3If the user still needs to trade, skip directly to step 3

到此，整个前向安全的不可拆分方法已经完成。At this point, the entire forward-secure indivisible method has been completed.

通过以上技术方案，本发明在白盒攻击环境下(例如不安全的计算机上)，可实现前向安全的不可拆分数字签名。本方案解决了目前移动代理上缺乏良好的安全方案的问题。整个方案中，移动代理不需要携带私有密钥当它们产生的数字签名代表原始签名，因此私钥将不会受到影响。加密的功能与原始签署者的要求相结合，所以签名算法的误操作可被防止。此外，由于该方案是前向安全的，该方案并不需要专门的密钥分发机构，同时即便签名者被攻破，该方案仍具有前向安全性(被攻破当前时间片之前的签名密钥不会泄露)。因此，该方案可以很好的抵抗目前移动代理所面临的的威胁。Through the above technical solutions, the present invention can realize forward-safe inseparable digital signatures in a white-box attack environment (for example, on an unsafe computer). This solution solves the problem of lack of a good security solution on the current mobile agent. Throughout the scheme, mobile agents do not need to carry the private key as the digital signature they generate represents the original signature, so the private key will not be affected. The function of encryption is combined with the request of the original signer, so the misoperation of the signature algorithm can be prevented. In addition, since the scheme is forward secure, the scheme does not require a special key distribution organization, and even if the signer is compromised, the scheme still has forward security (the signature key before the compromised current time slice is not will leak). Therefore, the scheme can well resist the threats faced by mobile agents at present.

附图说明Description of drawings

图1为本发明前向安全的不可拆卸的数字签名方法的工作原理。Fig. 1 is the working principle of the forward secure non-detachable digital signature method of the present invention.

图2为对照整个方法的流程示意图。Figure 2 is a schematic flow chart of the entire method.

图3为7个基本算法的基本关系。Figure 3 shows the basic relationship of the seven basic algorithms.

具体实施方式detailed description

本发明公开了一种前向安全的不可拆分数字签名方法，如图3，该方法中包括如下七个算法：The present invention discloses a forward secure inseparable digital signature method, as shown in Figure 3, the method includes the following seven algorithms:

1)KGen：密钥生成算法KGen以安全参数1^k(k∈□)和方案将操作的总的时期数T，或者还有其他的相关参数作为输入，返回一个基本的公钥PK和相应的初始密钥(签名密钥)SK₀。算法复杂度是不确定的。1) KGen: The key generation algorithm KGen takes the security parameter 1 ^k (k∈□) and the total period T of the scheme to operate, or other relevant parameters as input, and returns a basic public key PK and the corresponding Initial key (signature key) SK ₀ . Algorithmic complexity is indeterminate.

2)KUpd：密钥升级算法KUpd以密钥上个时期的密钥SK_j-1为输入，返回当前签名密钥SK_j。算法时间复杂度通常是确定的。2) KUpd: The key upgrade algorithm KUpd takes the key SK _j-1 of the previous key period as input and returns the current signature key SK _j . Algorithm time complexity is usually deterministic.

3)UndSigFunGen：不可拆分签名方法生成算法UndSigFunGen是一个确定的，多项式时间复杂度算法，它以用户的需求REQ_C，用户的身份ID_C和用户的公钥以及当前时期的密钥作为输入，算法返回方法对f(·)和 3) UndSigFunGen: The inseparable signature method generation algorithm UndSigFunGen is a deterministic, polynomial time complexity algorithm, which takes the user's requirement REQ_C, the user's identity ID _C and the user's public key and the current period's key as input, the algorithm return method pair f( ) and

4)UndSig：不可拆分签名算法FSUndSig是一个多项式时间复杂度算法，以有关的合同限制(或者相应的哈希值)作为输入，返回不可拆分数字签名z＝ζ_j＝<ζ,j>。4) UndSig: Inseparable signature algorithm FSUndSig is a polynomial time complexity algorithm that takes relevant contract restrictions (or corresponding hash values) as input and returns an inseparable digital signature z=ζ _j =<ζ,j> .

5)UndVrfy：不可拆分签名验证算法FSUndVrfy是一个多项式时间复杂度算法，以有关合同限制和不可拆分签名z作为输入。算法返回“接受”或者“拒绝”，简单来说1或者0。5) UndVrfy: Inseparable signature verification algorithm FSUndVrfy is a polynomial time complexity algorithm, which takes the relevant contract constraints and the indivisible signature z as input. The algorithm returns "accepted" or "rejected", simply 1 or 0.

6)Sign：签名算法Sign以当前时期密钥SK_j和消息M作为输入，返回时期j和消息M的签名。本文记作算法复杂度可能是不确定的。签名通常是一对值，时期j和相应的标签σ。6) Sign: The signature algorithm Sign takes current epoch key SK _j and message M as input, and returns the signature of epoch j and message M. This article is recorded as Algorithmic complexity may be indeterminate. A signature is usually a pair of values, an epoch j and a corresponding label σ.

7)Vrfy：验证算法Vrfy以公钥PK，消息M以及签名<j,σ>，返回“接受”或者“拒绝”，简单来说1或者0。这里记作b←Vrfy_PK(M,<j,σ>)。7) Vrfy: The verification algorithm Vrfy uses the public key PK, the message M and the signature <j, σ> to return "accept" or "reject", in simple terms 1 or 0. Here it is denoted as b←Vrfy _PK (M,<j,σ>).

图1、图2描述该算法在前向安全的不可拆分的数字签名方案中的使用。Figures 1 and 2 describe the use of this algorithm in a forward-secure indivisible digital signature scheme.

如图1所示，基于身份的不可拆卸的数字签名方案通常的工作原理如下。首先，客户端先运行KGen(1^k)生成相应的全局参数、公钥和初始密钥。随后运行KUpd更新初始密钥，随后根据时间流逝，不断更新密钥。然后客户端完成购物，产生代理，先使用UndSigFunGen生成不可拆分签名函数然后使用Sign为代理的敏感数据签名。之后代理迁移到商店服务器，商店接收到代理之后先用Vrfy检验代理的合法性，如果不合法直接终止交易，如果合理则继续处理交易，然后在商店间迁移完成交易，最后在最终商店里生成合同以及其他交易信息，然后用UndSig为这些信息产生不可拆分签名，然后发送代理回到客户端。客户端接收到代理，使用UndVrfy来检验交易的合法性，只有算法输出为1才使交易成功。之后如果继续其他交易，那么就可能会使用新的密钥进行签名，即便当前密钥被盗，也能保证之前的交易是安全的。As shown in Figure 1, identity-based non-detachable digital signature schemes generally work as follows. First, the client runs KGen(1 ^k ) to generate the corresponding global parameters, public key and initial key. Then run KUpd to update the initial key, and then update the key continuously according to the passage of time. Then the client completes the shopping, generates a proxy, and first uses UndSigFunGen to generate an inseparable signature function Then use Sign to sign the proxy's sensitive data. Afterwards, the agent is migrated to the store server. After receiving the agent, the store first uses Vrfy to verify the legality of the agent. If it is not legal, the transaction will be terminated directly. If it is reasonable, the transaction will continue to be processed, and then the transaction will be migrated between stores to complete the transaction, and finally the contract will be generated in the final store. And other transaction information, and then use UndSig to generate an inseparable signature for these information, and then send the agent back to the client. The client receives the proxy and uses UndVrfy to verify the legitimacy of the transaction. Only when the algorithm output is 1 can the transaction be successful. If other transactions are continued later, the new key may be used for signature, even if the current key is stolen, the previous transaction can be guaranteed to be safe.

如图2所示，前向安全的不可拆分的签名方案包括如下八个步骤：As shown in Figure 2, the forward-secure indivisible signature scheme includes the following eight steps:

1)客户端运行KGen，产生全局设置、公钥U₀和初始密钥s₀ 1) The client runs KGen to generate global settings, public key U ₀ and initial key s ₀

2)客户端运行KUpd输出第一时间段密钥s₁ 2) The client runs KUpd to output the first time period key s ₁

3)完成购买清单，进行交易，如果密钥没有过期，直接执行5)3) Complete the purchase list and make a transaction. If the key has not expired, directly execute 5)

4)客户端运行KUpd输出下一时间段密钥s_j 4) The client runs KUpd to output the next time period key s _j

5)客户端运行UndSigFunGen输出使代理携带 5) The client runs UndSigFunGen output make the agent carry

客户端运行Sign为代理敏感数据签名；The client runs Sign to sign the agent's sensitive data;

6)商店服务器用Vrfy验证代理，不合法直接终止交易6) The store server uses Vrfy to verify the proxy, and the transaction is terminated directly if it is illegal

7)进行交易，并用UndSig为合同进行签名7) Make a transaction and sign the contract with UndSig

8)客户端用UndVrfy来验证合同，如果不合法终止交易。8) The client uses UndVrfy to verify the contract, if it is not legal to terminate the transaction.

图3中是对于7个算法的联系作用：首先由KGen生成全局变量，公钥以及初始密钥，然后KUpd负责随时间流逝过程中不断更新密钥，UndSigFunGen负责产生一种“半成品”，使传递过程中不必暴露签名密钥，UndSig是将前面的“半成品”生成“成品”，即不可拆分签名，UndVrfy是相应的验证方法，而剩下的Sign和Vrfy是相应的普通签名方法。Figure 3 shows the relationship between the seven algorithms: first, KGen generates global variables, public keys, and initial keys, then KUpd is responsible for updating the keys as time goes by, and UndSigFunGen is responsible for generating a "semi-finished product" to make the transfer There is no need to expose the signature key during the process. UndSig is to generate a "finished product" from the previous "semi-finished product", that is, an inseparable signature. UndVrfy is the corresponding verification method, and the remaining Sign and Vrfy are the corresponding common signature methods.

下面以具体实施例对本发明作进一步说明：The present invention will be further described below with specific embodiment:

本方案是建立在双线性对基础上的的。其安全性依赖于对在Diffie-Hellman组求解计算Diffie-Hellman问题的困难度上。This scheme is based on bilinear pairing. Its security depends on the difficulty of solving computational Diffie-Hellman problems in Diffie-Hellman groups.

本实例是采用JAVA语言编写，使用The Java Pairing Based CryptographyLibrary(JPBC)库来实现的。JPBC库是一组关于非对称密码系统的一套标准API，官方网址http://gas.dia.unisa.it/projects/jpbc/。This example is written in JAVA language and implemented using The Java Pairing Based Cryptography Library (JPBC) library. The JPBC library is a set of standard APIs for asymmetric cryptosystems. The official website is http://gas.dia.unisa.it/projects/jpbc/.

算法KGen(1^k)的实现是基于JPBC的Type A型椭圆曲线，在此有官方配置文件a.properties作为输入，因此此实力不需要明显的1^k参数。而建立的椭圆曲线性质如下：The implementation of the algorithm KGen(1 ^k ) is based on the Type A elliptic curve of JPBC, where the official configuration file a.properties is used as input, so this strength does not require obvious 1 ^k parameters. The properties of the established elliptic curve are as follows:

椭圆曲线采用域F_q上构建的y²＝x³+x，其中质数q＝3mod4，JPBC库提供了映射e:G₁1×G₂→G_T的API，在当前设定的椭圆曲线系统上，映射中的G₁＝G₂，因此满足KGen(1^k)定义中的存在同态映射ψ:G₂→G₁有ψ(P)＝G条件。在此，使用上，在椭圆曲线系统初始化完成后，会得到一个Pairing对象，通过Pairing的成员函数，getG1()，getGT()和getZr()可以得到G₁、G₂和进而通过getG1().newRandomElement()取到G₁的生成元P，同理从取S，便可以调用P的成员函数powZn(s)计算P_pub，而通过调用G₁或下的成员函数newElementFromHash()可以实现Ω中的两个哈希函数。按算法描述，便可轻易构造出Ω。The elliptic curve adopts y ² =x ³ +x constructed on the field F _q , where the prime number q=3mod4, and the JPBC library provides an API for mapping e:G ₁ 1×G ₂ →G _T , in the currently set elliptic curve system Above, G ₁ =G ₂ in the mapping, so the existence of a homomorphic mapping ψ:G ₂ →G ₁ in the definition of KGen(1 ^k ) has the condition of ψ(P)=G. Here, in use, after the initialization of the elliptic curve system is completed, a Pairing object will be obtained. Through the member functions of Pairing, getG1(), getGT() and getZr() can get G ₁ , G ₂ and Then get the generator P of G ₁ through getG1().newRandomElement(), similarly from Taking S, the member function powZn(s) of P can be called to calculate P _pub , and by calling G ₁ or The member function newElementFromHash() under can realize the two hash functions in Ω. According to the description of the algorithm, Ω can be easily constructed.

同样，纵观7个算法，其中的调用也就基本为以上函数，并无更多区别，在此就不尽数介绍，在7个算法都使用JAVA实现之后，就可以按照下面的步骤进行：Similarly, looking at the 7 algorithms, the calls are basically the above functions, and there is no more difference, so I will not introduce them here. After the 7 algorithms are implemented in JAVA, you can follow the steps below:

步骤1.某客户在一台客户端计算机上完成购物，随即，计算机生成移动代理，之后客户端计算机根据规定好的安全级别下(输入需要的安全指数k)运行算法1，算法输出公共密钥设置U₀以及初始密钥S₀。将全局设定Ω存储在U₀，也就是公钥元素携带着全局信息。Step 1. A customer completes shopping on a client computer. Immediately, the computer generates a mobile agent, and then the client computer runs Algorithm 1 according to the specified security level (input required security index k), and the algorithm outputs a public key set up U ₀ and the initial key S ₀ . Store the global setting Ω in U ₀ , that is, the public key element carries global information.

步骤2然后客户端向算法2输入公钥U₀、初始密钥S₀、CERT_j和当前时间片j，然后运行算法2，算法返回S₁，进行下一步Step 2 Then the client inputs public key U ₀ , initial key S ₀ , CERT _j and current time slice j to Algorithm 2, then runs Algorithm 2, the algorithm returns S ₁ , and proceeds to the next step

步骤5.客户端以REQ_C||ID_C,s_j,CERT_j为输入，其中REQ_C||ID_C是客户需求和用户ID属于敏感数据运行算法3，输出存到代理携中；随后客户端运行算法6为代理敏感数据签名，输入为敏感数据、当前时间片段j以及当前密钥S_j，输出为j时期的签名，同样存到代理中。进行下一步Step 5. The client takes REQ_C||ID _C , s _j , and CERT _j as input, where REQ_C||ID _C is customer demand and user ID belongs to sensitive data and runs Algorithm 3, output Stored in the proxy port; then the client runs Algorithm 6 to sign the sensitive data of the proxy, the input is the sensitive data, the current time segment j and the current key S _j , and the output is the signature of period j, which is also stored in the proxy. proceed to the next step

步骤6.商店接收到代理，先用算法7检验代理的合法性，输入为公钥、签名消息、签名和当前时期，如果输出为0，退出交易；如果输出为1，判断是否代理继续在商店间迁移，如果需要，重复该步骤，即进行步骤6；否则进行步骤7。Step 6. When the store receives the proxy, it first checks the legitimacy of the proxy with Algorithm 7. The input is the public key, signature message, signature and the current period. If the output is 0, exit the transaction; if the output is 1, determine whether the proxy continues to be in the store If necessary, repeat this step, that is, go to step 6; otherwise, go to step 7.

步骤7.在此，商店已经做出最终决策，如果完成交易，那么生成CONTRACT和其他交易信息作为输入，运行算法4，输出为最终的不可拆分签名，在此记为Z。保存到代理中，然后使代理迁移回到客户端，进行下一步。Step 7. Here, the store has made a final decision. If the transaction is completed, then generate CONTRACT and other transaction information as input, run Algorithm 4, and the output is the final inseparable signature, which is denoted as Z here. Save into the agent, then make the agent migrate back to the client for the next step.

步骤8.客户端收到交易完成的代理，以U₀,Z,j,Msg,REQ_C||ID_C为输入，其中Msg为CONTRACT和其他交易信息，运行算法5检验Msg的合法性，如果算法输出为0，则终止交易；否则输出为1，完成交易。Step 8. The client receives the transaction completion agent, takes U ₀ , Z, j, Msg, REQ_C||ID _C as input, where Msg is CONTRACT and other transaction information, and runs Algorithm 5 to check the legitimacy of Msg, if the algorithm If the output is 0, the transaction is terminated; otherwise, the output is 1, and the transaction is completed.

Claims

1. A forward-safe inseparable digital signature method is characterized in that it comprises eight steps as follows:

Step 1. A customer completes shopping on a client computer. Immediately, the computer generates a mobile agent, and then the client computer runs Algorithm 1 according to the specified security level (input the required security index k). The algorithm is defined as follows

Algorithm 1. Key generation algorithm KGen(1 ^k ): Input the total number of time segments T and 1 ^k when ( is a natural number), the algorithm outputs a public key set and the initial key s ₀ ;

G ₁ in Ω is a multiplicative cyclic group with order q, and G ₂ is also a multiplicative cyclic group with order q; G and P are fixed generators of G ₁ and G ₂ respectively; is a linear mapping, the elements in G ₁ and G ₂ are first Cartesian product, and then mapped to the elements in G _T ; and H ₂ : {0,1} ^* →G ₁ are two special hash maps, which are used to map any binary value to and G ₁ , is the additive group of integers of order prime q and without zero elements;

Definition: Decision Diffie-Hellman problem (co-DDH) on (G ₁ ,G ₂ ): Given P, P ^a ∈ G ₂ and Y, Y ^b ∈ G ₁ as input, if a=b then output yes , otherwise output no; when the output is yes, it is said that (P,P ^a ,Y,Y ^b ) is a Diffie-Hellman tuple (co-DHT);

Store the public key setting Ω in U ₀ , that is, the public key element carries global information;

The KGen(1 ^k ) algorithm is completed, output the public key U ₀ and the initial key s ₀ , and proceed to the next step;

Step 2: Then the client inputs public key U ₀ , initial key s ₀ , CERT _j and current time slice j to Algorithm 2, and then runs Algorithm 2, which is defined as follows:

Algorithm 2.

KUpd(s _j-1 ,CERT _j ,j,U ₀ )

BEGIN←CERT _j

{s the s}_{j j} &LeftArrow; &LeftArrow; {H h}_{11} (({s the s}_{j j - - 11}));; {U u}_{j j} &LeftArrow; &LeftArrow; {P P}^{{s the s}_{j j}}

I I f f ((\overset{^^}{e e} (({Λ Λ}_{j j},, P P)) &NotEqual; &NotEqual; \overset{^^}{e e} (({H h}_{22} (({U u}_{00},, j j,, {U u}_{j j})),, {U u}_{00}))))

return⊥//abort

erase s _j-1

return s _j

END

After erasing s ₀ , the algorithm returns to s ₁ and proceeds to the next step;

Step 3. The client completes the transaction and prepares to send the mobile agent to conduct the transaction;

If the current key expires, go to step 4, otherwise go to step 5;

Step 4. The client takes the key s _j-1 of the previous period, the current period j, the public key U ₀ and the CERT _j generated by Algorithm 1 as input, re-runs KUpd to obtain the key s _j of the next period, and proceeds to the next step ;

Step 5. The client takes REQ_C||ID _C , s _j , and CERT _j as input, where REQ_C||ID _C is customer demand and user ID belongs to sensitive data and runs Algorithm 3, which is defined as follows:

Algorithm 3.

UndSigFunGen(REQ_C||ID _C ,s _j ,CERT _j )

Begin

H←H ₂ (REQ_C||ID _C );

K K &LeftArrow; &LeftArrow; {H h}^{{s the s}_{j j}}

\begin{matrix} s the s e e t t u u p p & {f f}_{{Signed signed}_{j j}} ((x x)) = = < < < < {CERT CERTs}_{j j},, {K K}^{x x} > >,, j j > > \end{matrix}

\begin{matrix} r r e e t t u u r r n no & {f f}_{{Signed signed}_{j j}} ((\cdot \cdot)) \end{matrix}

end

output make the agent carry;

Then the client runs Algorithm 6 to sign the proxy sensitive data. The input is sensitive data, the current time segment j and the current key s _j . The algorithm is defined as follows

Algorithm 6.

Sign(s _j ,j,Msg)

Begin

{σ σ}^{' '} &LeftArrow; &LeftArrow; {H h}_{22} {((M m s the s g g))}^{{s the s}_{j j}};; σ σ &LeftArrow; &LeftArrow; < < {CERT CERTs}_{j j},, {σ σ}^{' '} > >;; {σ σ}_{j j} &LeftArrow; &LeftArrow; < < σ σ,, j j > >

return σ _j

end

The output is the signature of period j, which is also carried by the agent; proceed to the next step

Step 6. When the store receives the proxy, it first uses Algorithm 7 to check the legitimacy of the proxy, that is, to check σ _j . The input is the public key, signature message, signature and the current period. The algorithm is defined as follows:

Algorithm 7.

Vrfy(U ₀ ,σ,j,Msg)

Begin

<CERT _j ,σ'>←σ;←CERT _j

If(U ₀ ≠ U ₀ ') return 0

If(j≠j') return 0

\begin{matrix} I I f f ((\overset{^^}{e e} (({Λ Λ}_{j j},, P P)) &NotEqual; &NotEqual; \overset{^^}{e e} (({H h}_{22} (({U u}_{00},, {j j}^{' '},, {U u}_{j j}^{' '})),, {U u}_{00})))) & r r e e t t u u r r n no & 00 \end{matrix}

\begin{matrix} I I f f ((\overset{^^}{e e} (({σ σ}^{' '},, P P)) &NotEqual; &NotEqual; \overset{^^}{e e} (({H h}_{22} ((M m s the s g g)),, {U u}_{j j})))) & r r e e t t u u r r n no & 00 \end{matrix}

Else return 1

end

If the output is 0, exit the transaction

If the output is 1, judge whether the agent continues to migrate between stores. If necessary, repeat this step, that is, go to step 6; otherwise, go to step 7;

Step 7. At this point, the store has made a final decision, if the transaction is completed, then generate CONTRACT and other transaction information as input, run Algorithm 4, defined as follows:

Algorithm 4.

UndSig(Msg)

Begin

h=H ₁ (Msg)

\begin{matrix} r r e e t t u u r r n no & {f f}_{{Signed signed}_{j j}} ((h h)) \end{matrix}

end

The output is the final inseparable signature, denoted as Z here, saved to the proxy, and then the proxy is migrated back to the client for the next step;

Step 8. The client receives the transaction completion agent, takes U ₀ , Z, j, Msg, REQ_C||ID _C as input, where Msg is CONTRACT and other transaction information, and runs Algorithm 5 to check the validity of Msg, algorithm definition as follows:

Algorithm 5.

UndVrfy(U ₀ ,Z,j,Msg,REQ_C||ID _C )

Begin

<<CERT _j ,Z'>,j>←Z;←CERT _j

If(U ₀ ≠ U ₀ ')return 0

If(j≠j') return 0

If(Msg does not satisfy REQ_C) return 0

\begin{matrix} I I f f ((\overset{^^}{e e} (({Λ Λ}_{j j},, P P)) &NotEqual; &NotEqual; \overset{^^}{e e} (({H h}_{22} (({U u}_{00}^{' '},, {j j}^{' '},, {U u}_{j j}^{' '})),, {U u}_{00})))) & r r e e t t u u r r n no & 00 \end{matrix}

\begin{matrix} I I f f ((\overset{^^}{e e} (({Z Z}^{' '},, P P)) &NotEqual; &NotEqual; \overset{^^}{e e} (({H h}_{22} {((R R E E. Q Q__C C | | | | {ID ID}_{C C}))}^{{H h}_{11} ((M m s the s g g))},, {U u}_{j j})))) & r r e e t t u u r r n no & 00 \end{matrix}

else return 1

end

If the algorithm output is 0, terminate the transaction;

Otherwise, the output is 1 and the transaction is completed;

If the user still needs to trade, skip directly to step 3.