CN105812369A - Traceable anonymous authentication method based on elliptic curve - Google Patents

Abstract

The invention discloses a traceable anonymous authentication method based on an elliptic curve. The method comprises following stages of initializing a system and generating a secrete key, generating anonymous signatures, authenticating the signatures, linking and tracing nodes. According to the method, a ring signature algorithm in a data signing process is improved; the ring signatures and the elliptic curve are combined; the linkage performance is increased; moreover, traceability to malicious nodes is provided, thus finding out the malicious nodes efficiently and accurately; the network security is improved; a critical value is unnecessary; an efficient hop-by-hop message authentication mechanism is provided; the privacy leakage problem of sending nodes in a wireless sensor network can be solved; moreover, the reality and integrity of the sent messages are ensured; and the malicious nodes can be traced if necessary.

Description

A kind of traceable anonymous authentication method based on elliptic curve

Technical field

The present invention relates to the safe information transmission technical field in wireless sensor network, particularly a kind of traceable anonymous authentication method based on elliptic curve.

Background technology

About wireless sensor network

Wireless sensor network is generally made up of the sensor node that one or more resourceful base stations and ample resources are limited.For forming self-organizing and self adaptation group under different scenes with detection, collection, process and transmission data.Due to sensor network easily dispose, self-organizing, the easily distinguishing feature such as camouflage and strong fault tolerance so that it is be widely applied in civil and military field.

The application of current wireless sensor network mainly has:

(1) military field.For monitoring hostile forces and equipment, the real-time status in battlefield and search enemy and attack.

(2) agriculture field.China is as a large agricultural country, and expanding economy is had significant impact by high-quality and the yield of crops.Wireless sensor network has obvious technical advantage in agricultural.Can use the irrigation state of wireless sense network monitoring crop, the earth air quality and detection Earth Surface situation.

(3) environment measuring.Environmental conservation is always up the focus that the whole world is paid close attention to.Wireless sensor network can be used for following the tracks of wild area rare animal and their existence habit of detection；For monitor in real time water quality；And there is regional temporary transient emergency communication etc. for earthquake.

(4) building field.Use sensor network can monitor the real time status of bridge, highway and overpass.Suitable sensor, as piezoelectric transducer, acceleration transducer, ultrasonic sensor, humidity sensor can collaborative work to monitor building structure.

(5) medical domain.Sensor network performance in detection human physiological's data, old man's health and drug control is good.In virtual-sensor intelligent hospital scene, medical services are made up of three simple sensors to provide medical condition monitoring, position to follow the tracks of and periphery monitoring.

(6) Smart Home.The design object of Intelligent house system is to connect intelligentized Furniture, and so they just can automatically run and cooperate, and provide convenience as much as possible and comfortable for habitant.

Along with wireless sensor network is in the application in above each field, the safety of wireless sensor network also receives much concern.When a sensor network disposition is in unmanned or hostile environment, opponent is likely to catch and pmc sensor node, or injects the sensor node of oneself in network, and promotes network to accept these illegal nodes as legitimate node.Once some sensor nodes are controlled, opponent can start the various attack from internal network.Therefore, sending node privacy leakage problem in radio sensing network, how ensureing to send the authenticity and integrity of message and to how malicious node being tracked, becoming the emphasis of our research.

About ring signatures technology

Calendar year 2001, Rivest etc. proposes ring signatures first.Subsequently, article proposes the ring signatures scheme that many structures are improved, performance improves in succession.Ring signatures scheme allows signer to cooperate with other members anonymity signature information, and anonymous collection that the real signer of message and other members are constituted is referred to as " ring ".It is that one does not have manager, it does not have group sets up process, the simplification group ranking for user's full energy matries.In ring, any one member uses the private key of oneself and the PKI of other ring memberses, can represent whole ring without the agreement through them and sign, and only knows for verifier to sign and be not aware that who is real signer from this ring.Conventional ring signatures is un-linkable, say, that nobody can determine that two ring signatures are to be produced by identical signer.

2004, Liu et al. proposed the ring signatures scheme of a kind of variant, creates linkable ring signature.Under this concept, the identity of the signer of ring signatures remains anonymous, but if two ring signatures are by identical signer signature, then the two signature is linkable.The application in wireless sense network of the linkable ring signatures receives publicity, because not having authoritative center or trusted third party in wireless sense network, the formation of group is spontaneous.When whether the sending node that authenticator wonders message is same node, linkable ring signature just can meet the demand under these scenes.So, in wireless sense network, ring signatures is a good candidate as anonymous authentication instrument.

About Elliptic Curve Cryptography

1985, NealKoblitz and VictorMiller respectively proposed a kind of common key cryptosystem independently, is called elliptic curve cipher system (EllipticCurveCryptosystem, ECC).ECC is short and small with its less systematic parameter, key, low bandwidth, realization quickly, the characteristic such as low energy consumption and less hardware processor demand, it is shown that its superior performance.Therefore, a cryptographic system safely and efficiently to be set up, use ECC to fit like a glove.

Being applied to cryptographic elliptic curve and generally use the elliptic curve of mould prime number, p is a prime number more than 3, F_pIt it is the finite field of mould p.F_pOn curve E be defined as: y²=x³+ax+bmodp；Wherein a, b ∈ F_pAnd meet 4a²+27b³≠0modp.If number is even, (x, y) meets above formula, then be the point on curve E, and definition ∞ is the infinite point on E.Assuming that G=(x_G,y_G) it is the generation unit on curve, its rank are that N is sufficiently large.

As a public key encryp, elliptic curve cryptography system also has all features of public key encryp.The encryption both sides of public key encryp are required for two keys: PKI and private key.The private key that the PKI of each party is all by oneself obtains, and will use the PKI of the other side when encrypting plaintext, uses the private key of oneself when decrypting ciphertext.

Propose the various message authentication method based on symmetric-key cryptography and public-key cryptosystem in recent years.But, all there is higher calculating and communication overhead in the great majority of these methods, and node cracks attack and lacks scalability and elasticity.And lack, under some application scenarios, link property, the traceability of the node that is cracked is not strong.

Summary of the invention

The technical problem to be solved in the present invention is: based on elliptic curve cryptography, utilizes ring signatures technology to realize anonymous communication, solves sending node privacy leakage problem in radio sensing network, it is ensured that sends the authenticity and integrity of message；Simultaneously by extra information more additional in ring signatures, the cooperation of all nodes in ring can be passed through when necessary and follow the trail of the true identity of signer, solve the problem that signer identity cannot be followed the trail of.

The technical scheme that the present invention takes is particularly as follows: a kind of traceable anonymous authentication method based on elliptic curve, and each node in radio sensing network connects Sink node respectively, and method includes:

One, key generation phase:

Assume G=(x_G,z_G) it is the generation unit on elliptic curve, wherein the discrete logarithm problem based on elliptic curve is double linear problems of difficulty for solving, it is assumed that H₁:{0,1}^*→ G and H₂:{0,1}^*→Z_pIt is two hash functions；Common parameter is: param=(G, H₁,H₂)；

Assuming that the sender A of message_kAnonymity is wanted to send message m to other node, it is assumed that ring has n node, anonymous set of node S={A₁,A₂,…,A_k,…,A_n, do not differentiate between node A_iPKI Q with it_iWhen, also there is S={Q₁,Q₂,…,Q_k,…,Q_n}；Node A_kOne integer d of random choose_k=[1, N-1] is as private key, computing node A_kPKI Q_k=d_k×G；

The parameter in following stage: n is member node number in ring；T is an intermediate object program value of algorithm, is a part in signature, in order to the link detection signed；I is equivalent to the subscript of ring members node；R is the random big number that random function produces；Si, ci are also the randoms number produced by random function, correspond to respective subscript；G is the upper generation unit of elliptic curve；Xi, zi are the horizontal stroke of point on calculated elliptic curve, ordinate value；Yi is an intermediate object program value of algorithm, corresponding corresponding subscript.

Two, anonymity signature produces the stage:

(2.1) h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), H is hash function；

(2.2) t=h is calculated^dk；

(2.3) random number r, s are selected_i、c_i∈Z_p ^*, i ∈ [1, n], i ≠ k；

(2.4) (x is calculated_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1,2 ..., k-1, k+1 ..., n)；

(2.5) (x is calculated_k,z_k)=rG, y_k=h^r；

(2.6) calculatei≠k；s_k=r-c_kd_k；

(2.7) output signature and σ=(t, s₁,…,s_n,c₁,…,c_n)；

Above, n is member node number in ring；T is an intermediate object program value of algorithm, is a part in signature, in order to the link detection signed；I is equivalent to the subscript of ring members node；R is the random big number that random function produces；s_i, c_iAlso it is the random number produced by random function, correspond to respective subscript；G is the upper generation unit of elliptic curve；x_i,z_iIt is the horizontal stroke of point on calculated elliptic curve, ordinate value；y_iIt is an intermediate object program value of algorithm, corresponding corresponding subscript；

Three, the signature authentication stage:

For ring S={Q₁,Q₂,…,Q_k,…,Q_n, message m and signature sigma to be verified=(t, s₁,…,s_n,c₁,…,c_n),

3.1 after the recipient of message receives signature information, and recipient carries out checking as follows:

A checks whether PKI Q_i≠ ∞, i=1 ..., n；Then sign if not invalid；

B checks PKI Q_i, i=1 ..., n, if on elliptic curve is otherwise invalid；

C checks nQ_i=∞, i=1 ..., n is otherwise invalid；

After 3.2 above-mentioned inspections, then proceed as follows:

3.2.1 h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), (x_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1 ..., n)；

3.2.2 check whether following equation is set up:

$\begin{array}{cc}\underset{1}{\overset{n}{\Σ}}{c}_i=H_1(m,t,x_1,\mathrm{...},x_n,y_1,\mathrm{...},y_n)& (i=1,\mathrm{...},n)\end{array}$

If equation is set up, then exporting 1, namely signature authentication passes through, and otherwise exports 0, and namely signature authentication does not pass through；

Four, the nodes keep track stage；

For signature not authenticated in the signature authentication stage, the message received is transmitted to sink node by the receiving node of message；

Sink node receives after forwarding the message come, it is assumed that its signature received is σ=(t, s₁,…,s_n,c₁,…,c_n), sink node carries out following operation:

Ring S={Q according to information signature₁,Q₂,…,Q_k,…,Q_n, sink node and the member node in ring carry out once mutual one by one, and namely sink node Xiang Huanzhong member sends querying command, and in ring, member sends through anonymous message to sink node；

The signature that the signature not passing through signature authentication sends, with current ring members, the anonymous message come is compared one by one；Ring members collection selected by same sending node is identical, so t value is identical in the signature of same node signature different messages, can find the node of not verified message accordingly, complete the tracking of node.

Further, present invention additionally comprises the link stage:

For to fixed ring S={Q₁,Q₂,…,Q_k,…,Q_nAnd two anonymity signature σ=(t, s₁,…,s_n,c₁,…,c_n) and σ '=(t ', s '₁,…,s′_n,c′₁,…,c′_n)；First the two signature is performed signature verification algorithm by the recipient of signature, and two signatures are all effectively, then extract t and t' respectively in the two is signed；Then whether equal comparing t and t', if equal, then the two signature is to be produced by same subscriber, otherwise the two signature un-linkable.

Further, in the present invention, sink node is connected to security server, in the nodes keep track stage, the anonymous information signature transmission that the information signature received and each ring members are returned by sink node carries out the comparison signed to security server, and then completes the tracking of node.

More existing schemes utilize shared private key between two nodes to provide entity authentication end to end, and this means that only receiver is just able to verify that the verity of message.It is to say, intermediate node can not carry out message authentication, message can only be forwarded until message is finally by recipient node certification.This not only consumes the energy of extra sensor, but also adds network collision, reduces message transmission rate.

Compared to existing technology, beneficial effects of the present invention is to realize the certification of intermediate node, as long as the situation that message is not authenticated occurs in intermediate node, then abandons message, thus can resist and Denial of Service attack.

Ring signatures algorithm in data signature process has been improved by the present invention simultaneously, is combined with elliptic curve by ring signatures, from its link property, completes the traceability to malicious node, improves the safety of network.And, the ECC in signature generation stage takes advantage of and adds as n-1 for 2n-1, ECC, identical based on calculation cost compared with the ring signatures of elliptic curve with existing, and use the number of times of hash function only need 2 times relatively before compare cost little (wherein, n is membership in ring) for n time.

Accompanying drawing explanation

Fig. 1 show wireless sensor network model schematic of the present invention；

Fig. 2 show the inventive method schematic flow sheet.

Detailed description of the invention

Further describe below in conjunction with the drawings and specific embodiments.

Refer to Fig. 1, the present invention based on the application foundation of the traceable anonymous authentication method of elliptic curve is: the Sink in radio sensing network is aggregation node, the connection of primary responsibility sensor network and outer net, it is possible to regard gateway node as；Complicated calculating trustship can be processed by sink node to security server, is the gateway connecting radio sensing network and outer net；

With reference to Fig. 2, the inventive method before application, first carries out system initialization, security server produces initiation parameter, and security server is responsible in whole signature and Verification System to produce, stores, is distributed security parameter.

The inventive method includes:

One, and key generation phase:

Assume G=(x_G,z_G) it is the generation unit on elliptic curve, wherein the discrete logarithm problem based on elliptic curve is double linear problems of difficulty for solving, it is assumed that H₁:{0,1}^*→ G and H₂:{0,1}^*→Z_pIt is two hash functions；Common parameter is: param=(G, H₁,H₂)；

Assuming that the sender A of message_kAnonymity is wanted to send message m to other node, without loss of generality, it is assumed that ring has n node, anonymous set of node S={A₁,A₂,…,A_k,…,A_n, the present invention does not differentiate between node A_iPKI Q with it_i, therefore also have S={Q₁,Q₂,…,Q_k,…,Q_n}；Node A_kOne integer d of random choose_k=[1, N-1] is as private key, computing node A_kPKI Q_k=d_k×G；

Two, anonymity signature produces the stage:

Node A_kSend message m, step one creates private key d_k=[1, N-1] and sending node A_kRing members PKI (the Q randomly choosed₁,Q₂,…,Q_k,…,Q_n), in order to produce an effective signature, A_kCarry out following steps:

(2.1) h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), H here is hash function, for instance SHA-1；

(2.2) t=h is calculated^dk；

(2.3) random number r, s are selected_i、c_i∈Z_p ^*, i ∈ [1, n], i ≠ k；

(2.4) (x is calculated_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1,2 ..., k-1, k+1 ..., n)；

(2.5) (x is calculated_k,z_k)=rG, y_k=h^r；

(2.6) calculatei≠k；s_k=r-c_kd_k；

(2.7) output signature and σ=(t, s₁,…,s_n,c₁,…,c_n)；

Three, the signature authentication stage:

For ring S={Q₁,Q₂,…,Q_k,…,Q_n, message m and signature sigma to be verified=(t, s₁,…,s_n,c₁,…,c_n),

3.1 after the recipient of message receives signature information, and recipient to carry out checking as follows:

A checks whether PKI Q_i≠ ∞, i=1 ..., n；Then invalid if not；

B checks PKI Q_i, i=1 ..., n, if on elliptic curve is otherwise invalid；

C checks nQ_i=∞, i=1 ..., n is otherwise invalid；

After 3.2 above-mentioned inspections, then proceed as follows:

3.2.1 h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), (x_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1 ..., n)；

3.2.2 check whether following equation is set up:

$\begin{array}{cc}\underset{1}{\overset{n}{\Σ}}{c}_i=H_1(m,t,x_1,\mathrm{...},x_n,y_1,\mathrm{...},y_n)& (i=1,\mathrm{...},n)\end{array}$

If equation is set up, then exporting 1, namely signature authentication passes through, and otherwise exports 0, and namely signature authentication does not pass through；

Four, the nodes keep track stage；

For signature not authenticated in the signature authentication stage, the message received is transmitted to sink node by the receiving node of message；

Sink node receives after forwarding the message come, it is assumed that its signature received is σ=(t, s₁,…,s_n,c₁,…,c_n), sink node carries out following operation:

Ring S={Q according to information signature₁,Q₂,…,Q_k,…,Q_n, sink node and the member node in ring carry out once mutual one by one, and namely sink node Xiang Huanzhong member sends querying command, and in ring, member sends through anonymous message to sink node；

The signature that the signature not passing through signature authentication sends, with current ring members, the anonymous message come is compared one by one；Ring members collection selected by same sending node is identical, so t value is identical in the signature of same node signature different messages, can find the node of not verified message accordingly, complete the tracking of node.Concrete, the process of signature link, after carrying out information exchange with ring members, is transferred to security server to process by sink node.

The process that signature is linked by security server is as follows:

For to fixed ring S={Q₁,Q₂,…,Q_k,…,Q_nAnd two effective anonymity signatures, namely do not pass through the signature sigma of signature authentication=(t, s₁,…,s_n,c₁,…,c_n), and the signature sigma ' in the anonymous message that returns of each ring members=(t ', s '₁,…,s′_n,c′_n,…,c′_n)；Extracting t and the t' in two signatures respectively, whether equal then compare t and t', if equal, then the two signature is to be produced by same subscriber, otherwise the two signature un-linkable, and namely non-same subscriber produces.

When recipient finds that sender sends malicious messages, step is with reference to above nodes keep track and signature link process, for fixed ring S={Q₁,Q₂,…,Q_k,…,Q_nAnd malicious messages signature sigma=(t, s₁,…,s_n,c₁,…,c_n), and the signature sigma ' in the anonymous message that returns of each ring members=(t ', s '₁,…,s′_n,c′₁,…,c′_n)；Extracting t and the t' in two signatures respectively, whether equal then compare t and t', if equal, then the two signature is to be produced by same subscriber, can complete the tracking to the node sending malicious messages.

Claims (3)

1., based on a traceable anonymous authentication method for elliptic curve, each node in radio sensing network connects sink node respectively, it is characterized in that, method includes:

One, key generation phase:

Assume G=(x_G,z_G) it is the generation unit on elliptic curve, wherein the discrete logarithm problem based on elliptic curve is double linear problems of difficulty for solving, it is assumed that H₁:{0,1}^*→ G and H₂:{0,1}^*→Z_pIt is two hash functions；Common parameter is: param=(G, H₁,H₂)；

Assuming that the sender A of message_kAnonymity is wanted to send message m to other node, it is assumed that ring has n node, anonymous set of node S={A₁,A₂,…,A_k,…,A_n, do not differentiate between node A_iPKI Q with it_iWhen, also there is S={Q₁,Q₂,…,Q_k,…,Q_n}；Node A_kOne integer d of random choose_k=[1, N-1] is as private key, computing node A_kPKI Q_k=d_k×G；

Two, anonymity signature produces the stage:

(2.1) h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), H is hash function；

(2.2) t=h is calculated^dk；

(2.3) random number r, s are selected_i、c_i∈Z_p ^*, i ∈ [1, n], i ≠ k；

(2.4) (x is calculated_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1,2 ..., k-1, k+1 ..., n)；

(2.5) (x is calculated_k,z_k)=rG, y_k=h^r；

(2.6) calculate

(2.7) output signature and σ=(t, s₁,…,s_n,c₁,…,c_n)；

Three, the signature authentication stage:

For ring S={Q₁,Q₂,…,Q_k,…,Q_n, message m and signature sigma to be verified=(t, s₁,…,s_n,c₁,…,c_n),

3.1 after the recipient of message receives signature information, and recipient carries out checking as follows:

A checks whether PKI Q_i≠ ∞, i=1 ..., n；Then sign if not invalid；

B checks PKI Q_i, i=1 ..., n, if on elliptic curve is otherwise invalid；

C checks nQ_i=∞, i=1 ..., n is otherwise invalid；

After 3.2 above-mentioned inspections, then proceed as follows:

3.2.1 h=H (Q is calculated₁,Q₂,…,Q_k,…,Q_n), (x_i,z_i)=s_iG+c_iQ_i, y_i=h^sit^ci(i=1 ..., n)；

3.2.2 check whether following equation is set up:

$\underset{1}{\overset{n}{\mathrm{\Σ}}}{c}_i=H_1(m,t{,x}_1,...,x_n,y_1,...,y_n)(i=1,...,n)$

If equation is set up, then exporting 1, namely signature authentication passes through, and otherwise exports 0, and namely signature authentication does not pass through；

Four, the nodes keep track stage；

For signature not authenticated in the signature authentication stage, the message received is transmitted to sink node by the receiving node of message；Sink node receives after forwarding the message come, it is assumed that its signature received is σ=(t, s₁,…,s_n,c₁,…,c_n), sink node carries out following operation:

Ring S={Q according to information signature₁,Q₂,…,Q_k,…,Q_n, sink node and the member node in ring carry out once mutual one by one, and namely sink node Xiang Huanzhong member sends querying command, and in ring, member sends through anonymous message to sink node；

The signature that the signature not passing through signature authentication sends, with current ring members, the anonymous message come is compared one by one；Ring members collection selected by same sending node is identical, so t value is identical in the signature of same node signature different messages, can find the node of not verified message accordingly, complete the tracking of node.

2. method according to claim 1, is characterized in that, also includes the link stage:

For to fixed ring S={Q₁,Q₂,…,Q_k,…,Q_nAnd two anonymity signature σ=(t, s₁,…,s_n,c₁,…,c_n) and σ '=(t ', s '₁,…,s′_n,c′₁,…,c′_n)；First the two signature is performed signature verification algorithm by the recipient of signature, and two signatures are all effectively, then extract t and t' respectively in the two is signed；Then whether equal comparing t and t', if equal, then the two signature is to be produced by same subscriber, otherwise the two signature un-linkable.

3. method according to claim 1, it is characterized in that, sink node is connected to security server, in the nodes keep track stage, the anonymous information signature transmission that the information signature received and each ring members are returned by sink node carries out the comparison signed to security server, and then completes the tracking of node.