CN105187212A - Schnorr ring signature scheme with specified verifiability - Google Patents

Abstract

The invention discloses a Schnorr ring signature scheme with specified verifiability. The scheme comprises four stages, namely, system initialization, signature generation, signature verification and identity confirmation. An identity confirmation process of the scheme is interactive zero-knowledge proof, the identity confirmation can be finished by only twice interaction of a signer and a verification party, and identity evidences presented in the process are incommunicable. Meanwhile, the scheme is based on Schnorr ring signature, and each stage has high execution efficiency. Under a random oracle model, adaptive chosen-message attacks can be resisted, namely, unforgeability is realized.

Description

A kind of have the Schnorr ring signatures scheme of specifying verifiability

Technical field

The present invention relates to a kind of digital signature technology, particularly relate to a kind of Schnorr ring signatures scheme possessing appointment verifiability.

Background technology

Increasing network application relates to the mutual of privacy information, day by day increases the demand of anonymous communication ability.Ring signatures is a kind of novel anonymity signature technology, is proposed in calendar year 2001 by people such as Rivest under the background of " safety betrays the pot to the roses ".It is a kind of signature of special Group-oriented, there is no the process of establishing of crowd keeper and group, signer only need choose arbitrarily a part of member public key (for hiding signer identity), generate a signature by the private key of oneself again, which reduce a lot of complicated interaction proof process.The maximum feature of ring signatures is that signer has Unconditional anonymity, even if assailant has unlimited computing capability, also cannot follow the trail of the identity of signer.Therefore, it is all widely used in anonymous electronic voting, electronic-monetary system, ad hoc network communication and multi-party computations.

Ring signatures is a kind of anonymity technology, but is needing in some cases to cancel its anonymity.Such as in some occasion, give out an award to blabber (signer), need actual signature people to prove its identity.Given this problem, research work comparatively early has: the ring signatures the verified scheme based on two discrete logarithm that the people such as Lv proposed in 2003, but signature complexity is too high.2004, the people such as GAN embedded authentication information in valve lower channel, also achieve verifying of ring signatures, but it were higher to realize cost.In addition, somebody proposes convertible ring signatures scheme.If actual signature people needs to confirm its identity, ring signatures is converted to common signature by the secret information revealed about ring signatures by him, but any verifier can obtain its identity information thus, and the scope that identity exposes is by uncontrollable.

In recent years, propose again deniable ring signatures (Komanoetal successively, 2006), Step-Out ring signatures (Klonowskietal, 2008), the RST ring signatures (Dongetal of expansion, 2012), but it is complicated that they all exist reciprocal process, realize complicated, the problem of inefficiency.

Summary of the invention

Goal of the invention: for the problems referred to above, the present invention proposes a kind of succinct, efficient and Schnorr ring signatures scheme that can verify of constructing, and it possesses unforgeable and the characteristic of the checking range-controllable of identity.

Technical scheme: described a kind of Schnorr ring signatures scheme possessing appointment verifiability, comprises with lower module:

System initialization module: based on corresponding security parameter, the open parameter needed for Choice, for each ring members generates public private key pair;

Signature blocks: i.e. probability signature algorithm, probability ground generates ring signatures and the key parameter for identity validation;

Authentication module: non-interactive type certainty proves algorithm, identity verification confirms the validity of parameter and ring signatures;

Confirm module: interactive zero knowledge probative agreement, make specific authentication side confirm to show the identity of card side;

Comprising concrete operating procedure is:

1) system initialization: the open parameter generating ring members public private key pair and system;

2) signature generates: actual signature people generates information signature;

3) signature verification: for given message and corresponding signature, first whether verifier detect key parameter and generate on request, the then validity of certifying signature again;

4) identity validation: actual signature people is by a kind of interactive proof protocol, and the authentication making it specify be sure of his identity.

System initialization concrete steps: first system chooses Big prime p, and q makes q|p-1, and q > 2 ^k, wherein k is the security parameter of scheme; Choose in two q rank generator g, h, and crash-resistant hash function h ₁(): { 0,1} ^*→ Z _p, the hash function of band encryption all ring memberses are made to be A ₁, A ₂..., A _n, each member A _ichoose its private key $x_i\∈Z_q^{*},$ Then corresponding PKI is $y_i=g^{x_i}\mathrm{mod}p;$

Described on comprehensive, the open parameter of system is params=(p, q, g, h, H, H ₁, F), the public and private key set of ring members is { (x _i, y _i) _{i=1,2 ..., n};

Signature generation is specially: in order to the signature of generating messages m, actual signature people A _s, s ∈ 1,2 ..., n} performs following steps:

Step 2-1: random selecting and calculate a ^*=h ^amodp, b ^*=(a ^*) ^vmodp;

Step 2-2: random selecting and calculate

U＝(a ^*) ^umodp,θ＝u+vF(m||a ^*,U)modq；

Step 2-3: be all the other n-1 ring members A _i(i ≠ s) respectively chooses a random number and calculate $R_i=g^{a_i}\mathrm{mod}p(i\≠s);$

Step 2-4: calculate m '=H ₁(m||a ^*|| b ^*);

Step 2-5: random selecting $a_s\∈Z_q^{*},$ And calculate $R_s=g^{a_s}\underset{i\≠s}{\mathrm{\Π}}{y}_i^{-H(m^{\′},R_i)}\mathrm{mod}p;$

Step 2-6: calculate $\mathrm{\σ}=\underset{i=1}{\overset{n}{\Σ}}{a}_i+x_{s}H(m^{\′},R_s)\mathrm{mod}q;$

Step 2-7: be (m, R to the signature of message m ₁..., R _n, σ, a ^*, b ^*, U, θ);

Signature verification concrete steps are as follows:

Step 3-1: check equation whether set up, if set up, then perform next step; Otherwise it is invalid then to sign;

Step 3-2: calculate m '=H ₁(m||a ^*|| b ^*), to all 1≤i≤n, calculate h _i=H (m ', R _i);

Step 3-3: check equation $g^{\mathrm{\σ}}=R_1\·R_2\·...\·R_n\·y_1^{h_1}\·y_2^{h_2}...\·y_n^{h_n}\mathrm{mod}p$ Whether set up, if set up, then signature effectively; Otherwise it is invalid then to sign;

Identity validation concrete steps are as follows:

Step 4-1: signer's Stochastic choice and calculate β=(a ^*) ^αmodp.Meanwhile, Stochastic choice $\mathrm{\γ}\∈Z_q^{*},$ And calculate the promise of β $c=g^{\mathrm{\β}}{\mathrm{PK}}_v^{\mathrm{\γ}}\mathrm{mod}p,$ Wherein ${\mathrm{PK}}_v=g^{{\mathrm{SK}}_v}\mathrm{mod}p$ The PKI of specifying authentication, SK _vits private key, PK _vbe different from the PKI y of all ring memberses _i(i=1,2 ..., n).C is sent to specific authentication side by signer;

Step 4-2: specific authentication side's random selecting and send to signer;

Step 4-3: after receiving challenge information ε, signer calculates η=α+v ε modq and sends to designated-verifier.Then, the open beta, gamma of signer, verifies for the other side and promises to undertake c;

Step 4-4: specific authentication side checks two equation c=g ^β(PK _v) ^γmodp, (a ^*) ^η=β (b ^*) ^εwhether modp sets up, if set up, then be sure of that the side of being verified is about message m actual signature people.

The related notion that technique scheme relates to is described and is explained:

One, trap-door one-way function (Trap-doorone-wayfunction)

Trap-door one-way function is the basis of digital signature, trap-door one-way function f _tx (): D → R is an one-way function, namely to arbitrary x ∈ D, easily calculate f _t(x), and to the value in nearly all R, difficulty of inverting.But, if know trap door information t, then to all y ∈ R, easily calculate and meet y=f _tthe x ∈ D of (x); Wherein, trap-door one-way function is the basis of public key cryptography, f _tx () is equivalent to x encryption, trap door information t is then equivalent to private key, for deciphering f _tx the x in (), when not having t, when namely not having private key, deciphering (inverting) is difficult.Public key cryptography, except being convenient to encryption and decryption, also makes digital signature become possibility, both based on trap-door one-way function.

Two, in system initialization, choose Big prime p, q, and then generate ring members public private key pair (x _i, y _i), wherein, relate to the supposition of DL (DiscreteLogarithm) difficult problem, it is defined as: given prime number q and finite field F _q, g is a generator, for arbitrarily solve only integer a < q, meet h=g ^a.

Beneficial effect: compared with prior art, the invention has the advantages that: devise a kind of ring signatures scheme with special nature, the program adds identity confirmation, only need in identity validation process signer and authentication 2 times mutual, identity validation can be completed, easy and simple to handle, structure is succinct, efficient, and achieves the controllability of authentication scope.

Accompanying drawing explanation

Fig. 1 is common Schnorr ring signatures protocol procedures figure;

Fig. 2 is the Schnorr ring signatures protocol procedures figure possessing appointment verifiability of the present invention.

Embodiment

Below in conjunction with the drawings and specific embodiments, illustrate the present invention further.

As shown in Figure 1, for common Schnorr ring signatures scheme (Herranzetal, 2003), it comprises system initialization, signature generates, signature verification 3 steps, a kind of Schnorr ring signatures scheme possessing appointment verifiability that the present invention relates to is the step adding identity validation on its basis, as shown in Figure 2, the program comprises system initialization module, signature blocks, authentication module and confirmation module; The program selects the system parameters generating signature and certifying signature, and generates the public and private key of ring members; Member utilizes private key to sign to message; Verifier verifies information signature according to the open parameter of system and all ring members PKIs; Signer utilizes designated-verifier PKI to initiate interactive proof protocol, can confirm whether the other side is actual signature people by this process designated-verifier.

The concrete operation step of modules of the present invention execution is provided by Fig. 2:

Step 1, first system chooses Big prime p, and q makes q|p-1, and q > 2 ^k, wherein k is the security parameter of scheme.Choose in two q rank generator g, h, and crash-resistant hash function h ₁(): { 0,1} ^*→ Z _p, the hash function of band encryption all ring memberses are made to be A ₁, A ₂..., A _n, each member Ai chooses its private key $x_i\&Element;Z_q^{*},$ Then corresponding PKI is $y_i=g^{x_i}\mathrm{mod}p.$

Comprehensive above-mentioned information, the open parameter of system is params=(p, q, g, h, H, H ₁, F), the public and private key set of ring members is { (x _i, y _i) _{i=1,2 ..., n}.

In order to the signature of generating messages m, actual signature people A _s, s ∈ 1,2 ..., n} performs following steps:

Step 2-1: random selecting and calculate a ^*=h ^amodp, b ^*=(a ^*) ^vmodp;

Step 2-2: random selecting and calculate U=(a ^*) ^umodp, θ=u+vF (m||a ^*, U) and modq;

Step 2-3: be all the other n-1 ring members A _i(i ≠ s) respectively chooses a random number and calculate $R_i=g^{a_i}\mathrm{mod}p(i\&NotEqual;s);$

Step 2-4: calculate m '=H ₁(m||a ^*|| b ^*);

Step 2-5: random selecting $a_s\&Element;Z_q^{*},$ And calculate $R_s=g^{a_s}\underset{i\&NotEqual;s}{\mathrm{\&Pi;}}{y}_i^{-H(m^{\&prime;},R_i)}\mathrm{mod}p;$

Step 2-6: calculate $\mathrm{\&sigma;}=\underset{i=1}{\overset{n}{\&Sigma;}}{a}_i+x_{s}H(m^{\&prime;},R_s)\mathrm{mod}q;$

Step 2-7: be (m, R to the signature of message m ₁..., R _n, σ, a ^*, b ^*, U, θ).

For given message m and corresponding signature, first verifier detects key parameter a ^*, b ^*whether generate on request, then the validity of certifying signature again.Concrete operation step is as follows:

Step 3-1: check equation whether set up.If set up, then perform next step; Otherwise it is invalid then to sign;

Step 3-2: calculate m '=H ₁(m||a ^*|| b ^*), to all 1≤i≤n, calculate h _i=H (m ', R _i);

Step 3-3: check equation $g^{\mathrm{\&sigma;}}=R_1\&CenterDot;R_2\&CenterDot;...\&CenterDot;R_n\&CenterDot;y_1^{h_1}\&CenterDot;y_2^{h_2}...\&CenterDot;y_n^{h_n}\mathrm{mod}p$ Whether set up.If set up, then signature effectively; Otherwise it is invalid then to sign.

Actual signature people is by following interactive proof protocol, and the authentication making it specify is be sure of his identity namely to prove that he knows with a to the other side ^*the end of for, b ^*logarithm (not revealing concrete v).Concrete steps are as follows:

Step 4-1: signer's Stochastic choice and calculate β=(a ^*) ^αmodp.Meanwhile, Stochastic choice $\mathrm{\&gamma;}\&Element;Z_q^{*},$ And calculate the promise of β $c=g^{\mathrm{\&beta;}}{\mathrm{PK}}_v^{\mathrm{\&gamma;}}\mathrm{mod}p,$ Wherein ${\mathrm{PK}}_v=g^{{\mathrm{SK}}_v}\mathrm{mod}p$ The PKI of specifying authentication, SK _vits private key, PK _vbe different from the PKI y of all ring memberses _i(i=1,2 ..., n).C is sent to specific authentication side by signer;

Step 4-2: specific authentication side's random selecting and send to signer;

Step 4-3: after receiving challenge information ε, signer calculates η=α+v ε modq and sends to designated-verifier.Then, the open beta, gamma of signer, verifies for the other side and promises to undertake c;

Step 4-4: specific authentication side checks two equation c=g ^β(PK _v) ^γmodp, (a ^*) ^η=β (b ^*) ^εwhether modp sets up.If set up, then be sure of that the side of being verified is the actual signature people about message m.

The present invention's more existing Schnorr ring signatures scheme, adds identity confirmation.Authentication only needs to carry out 2 times with signer alternately, can confirm whether the other side is actual signature people.Verify with similar/revocable anonymity ring signatures scheme compared with, structure of the present invention is succinct, efficient, and achieves the controlled of authentication scope.

Below the situation being applied to enterprise to ring signatures scheme of the present invention is described.

According to step of the present invention, when government department or large enterprise apply signature system of the present invention, as a certain office worker find to lead, the corruption and degeneration of superior or dereliction of duty, he can utilize the PKI of the inner all employees of department to generate ring signatures, is made public by report information or reflects to higher higher level.Because public key information is all from department inside, verifier (report information recipient) can acknowledge messages originate, but cannot confirm informant's identity.Report information once the case is verified to be true, relevant department wishes to award to informant, and now this office worker is by identity confirmation, confirms its identity to being specifically responsible for people.Due to the not transferability of this process, authentication cannot disseminate the identity information of informer, avoids the reprisal that person being reported and ally thereof may implement.

So the beneficial effect that the present invention brings is: the applicability enhancing ring signatures scheme, be particularly useful for reporting an offender anonymously--the application scenarios of afterwards rewarding.

For those skilled in the art, according to above implementation type can be easy to association other advantage and distortion.Therefore, the present invention is not limited to above-mentioned instantiation, and it carries out detailed, exemplary explanation as just example to a kind of form of the present invention.Not deviating from the scope of present inventive concept, the technical scheme that those of ordinary skill in the art are obtained by various equivalent replacement according to above-mentioned instantiation, all should be included within right of the present invention and equivalency range thereof.

Claims (5)

1. possess a Schnorr ring signatures scheme of specifying verifiability, it is characterized in that: comprise with lower module:

System initialization module: based on corresponding security parameter, the open parameter needed for Choice, for each ring members generates public private key pair;

Signature blocks: i.e. probability signature algorithm, probability ground generates ring signatures and the key parameter for identity validation;

Authentication module: non-interactive type certainty proves algorithm, identity verification confirms the validity of parameter and ring signatures;

Confirm module: interactive zero knowledge probative agreement, make specific authentication side confirm to show the identity of card side;

Concrete operating procedure is:

1) system initialization: the open parameter generating ring members public private key pair and system;

2) signature generates: actual signature people generates information signature;

3) signature verification: for given message and corresponding signature, first whether verifier detect key parameter and generate on request, the then validity of certifying signature again;

4) identity validation: actual signature people is by a kind of interactive proof protocol, and the authentication making it specify be sure of his identity.

2. a kind of Schnorr ring signatures scheme possessing appointment verifiability according to claim 1, it is characterized in that, the concrete operations of described system initialization are: first system chooses Big prime p, and q makes q|p-1, and q > 2 ^k, wherein k is the security parameter of scheme; Choose in two q rank generator g, h, and crash-resistant hash function h ₁(): { 0,1} ^*→ Z _p, the hash function of band encryption all ring memberses are made to be A ₁, A ₂..., A _n, each member A _ichoose its private key then corresponding PKI is

In sum, the open parameter of system is params=(p, q, g, h, H, H ₁, F), the public and private key set of ring members is { (x _i, y _i) _{i=1,2 ..., n}.

3. a kind of Schnorr ring signatures scheme possessing appointment verifiability according to claim 1, is characterized in that, described signature generates and performs following steps:

Step 2-1: random selecting a, and calculate a ^*=h ^amodp, b ^*=(a ^*) ^vmodp;

Step 2-2: random selecting and calculate U=(a ^*) ^umodp, θ=u+vF (m||a ^*, U) and modq;

Step 2-3: be all the other n-1 ring members A _i(i ≠ s) respectively chooses a random number and calculate

Step 2-4: calculate m '=H ₁(m||a ^*|| b ^*);

Step 2-5: random selecting and calculate

Step 2-6: calculate

Step 2-7: be (m, R to the signature of message m ₁..., R _n, σ, a ^*, b ^*, U, θ);

Wherein, the signature of generating messages m, actual signature people A _s, s ∈ 1,2 ..., n}.

4. a kind of Schnorr ring signatures scheme possessing appointment verifiability according to claim 1, it is characterized in that, described signature verification concrete steps are as follows:

Step 3-1: check equation whether set up, if set up, then perform next step;

Otherwise it is invalid then to sign;

Step 3-2: calculate m '=H ₁(m||a ^*|| b ^*), to all 1≤i≤n, calculate h _i=H (m ', R _i);

Step 3-3: check equation whether set up, if set up, then signature effectively; Otherwise it is invalid then to sign.

5. a kind of Schnorr ring signatures scheme possessing appointment verifiability according to claim 1, it is characterized in that, to the other side, namely described identity validation proves that he knows with a ^*the end of for, b ^*logarithm, and do not reveal concrete v, concrete steps are as follows:

Step 4-1: signer's Stochastic choice and calculate β=(a ^*) ^αmodp.Meanwhile, Stochastic choice and calculate the promise of β wherein the PKI of specifying authentication, SK _vits private key, PK _vbe different from the PKI y of all ring memberses _i(i=1,2 ..., n), c is sent to specific authentication side by signer;

Step 4-2: specific authentication side's random selecting and send to signer;

Step 4-3: after receiving challenge information ε, signer calculates η=α+v ε modq and sends to designated-verifier.Then, the open beta, gamma of signer, verifies for the other side and promises to undertake c;

Step 4-4: specific authentication side checks two equatioies whether set up, if set up, then be sure of that the side of being verified is the actual signature people about message m.