CN106027240A - Key isolation signing method based on attribute - Google Patents

Abstract

The invention discloses a key isolation signing method based on attribute, which aims at problems of lack of protective measures for key leakage and increase of computation overhead of a terminal caused by bilinear pairing operation in the prior art. A whole signing system is divided into several independent time slices, when the system enters into a new time slice, a key helper generates a private key updating slice, and a user updates a private key. For a certain file, the user signs with the private key corresponding to the current time slice, and verification result of a signature is also corresponding to a certain time slice of the system. If the private key of the user is leaked within a certain time slice, the system also can keep forward security and backward security in other time slices, and thus, harm of private key leakage is minimized. In a process of signing, any operation of bilinear pairing is not required, and computation overhead of a user terminal is reduced. When system time slices evolve, system public parameters are not required to be updated again, and communication overhead caused by synchronization of the public parameters is reduced.

Description

A kind of Key-insulated endorsement method based on attribute

Technical field

The present invention relates to secrecy or the safety communication technology of digital information transmission, be specifically related to a kind of key based on attribute Isolation endorsement method.

Background technology

Cryptography based on attribute is the important component part in information security, and meanwhile, the system of attribute signature is near Also attracted over Nian and be widely applied.In signature system based on attribute, the corresponding attribute structure of the private key of user, certain closes The signature of the private key generation that method user is corresponding can be authenticated in its own corresponding attribute structure.But it is current Attribute signature mechanism yet suffers from two problems to be needed to solve: first, when the attribute private key of certain user there occurs leakage, any The user obtaining this private key may be by this private key one legal signature of generation, thus brings a series of potential safety hazard. Second, the cryptography scheme being currently based on attribute is all based on Bilinear map mostly.The computing cost of Bilinear map is the biggest Computing (such as point multiplication operation, Hash operation etc.) in other.Conventional attribute endorsement method contains a lot of two-wire pair Computing, the terminal that some computing capabilitys can be given limited is brought burden, thus is produced communication performance bottleneck.To sum up, at attribute signature system In, need a kind of new mechanism, the security of system after key exposure can be protected, can produce and during checking at signature again The most minimizing Bilinear map operation times.

Within 2015, BJ University of Aeronautics & Astronautics discloses entitled " the attribute base endorsement method in large attribute territory and system " (public affairs The number of opening is CN105141419A) application for a patent for invention.This invention provides the attribute base endorsement method in a kind of large attribute territory and is System, the method includes: private key generates center and obtains common parameter and master key according to the security of system parameter of input；Private key generates Center obtains private key for user according to master key and user property collection, and private key for user is sent to the user of correspondence；Signer according to Access structure, user property collection and predetermined message that private key for user, user meet generate the digital signature of user；Authentication according to User is verified by the digital signature of common parameter and user.The method can realize fine-granularity access control, supports " with door " And disjunction gate, flexible operation, at initial phase, number of attributes need not be limited, can neatly system be extended, The a length of constant of common parameter, effectively alleviates the burden of system.But, the method lacks the protective measure to Key Exposure. Once the attribute private key of user leaks, and any malicious user obtaining private key can forge a legitimate signature with it, Thus bring security threat to system.Additionally, have employed the operation of substantial amounts of Bilinear map in scheme, the calculating adding terminal is opened Pin.

Summary of the invention

The technical problem to be solved in the present invention is to lack the protective measure to Key Exposure present in prior art And the problems such as the computing cost of increase terminal are caused due to Bilinear map operation.

To this end, the present invention proposes a kind of Key-insulated endorsement method based on attribute, concrete technical scheme comprises following step Rapid:

Step one: system initialization

1. definition G₁Being an addition cyclic group, it is G that its exponent number is q. definition p₁On one generation unit；

2. one hash function H of definition₁:{0,1}^*→Z_q, the function of this function is the character string of random length to be projected Finite field territory Z_qOn；

3. attribute AUC is at finite fieldInterior is one random number of each Attributions selectionIt is additionally each Time slice TP_nChoose random numberFinally select random numberThen the main private key of system is { t_i,k_n, y}, be System common parameter is { G₁, p, q, Y=yp, K_n=k_nP, T_i=t_iP, H₁}；

Step 2: initial key is distributed

In initial time fragment TP₀, attribute AUC of attribute AUC is according to the attribute structure tree T of each user_k's Each leaf node chooses a multinomial q_x, polynomial degree d_xThreshold value k for this node_xSubtract 1, i.e. (d_x=k_x-1), Q is arranged for root node_root(0)=y, for other node, arranges q_x(0)=q_parent(x) ^index(x), wherein parent (x) For the father node of node x, index (x) is node x sequence number in its all brotghers of node, and then attribute AUC will just Beginning keyIt is sent to signer；

Step 3: key updating:

1. when the time slice of system is from TP_n-1Evolve to TP_nTime, attribute AUC is each property calculation key More

Fresh information

2. user obtainsAfter, by the key updating before oneself to latest edition, calculation procedure method is as follows:

${\mathrm{SK}}_{{\mathrm{TP}}_n}={\mathrm{SK}}_{{\mathrm{TP}}_{n-1}}+{\mathrm{UP}}_{i,{\mathrm{TP}}_n}=\{q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n),i\∈T_k\};$

Step 4: signature

1. couple file M, signer is chosen

2., according to the common parameter of system, data sender calculates following information:

v₁=xp,

$v_2={\mathrm{SK}}_{{\mathrm{TP}}_n}+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n)=q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n);$

3. data sender is by { v₁,v₂, M} packing is uploaded to data server；

Step 5: checking

1. Data receiver downloads corresponding file and signature at data server；

2. Data receiver to utilize system common parameter to carry out calculated as below:

$\underset{i\∈T_k}{\Σ}{v}_{2}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n=y$

If equation is set up, sign legal.

Further, in step 5, Data receiver utilizes system common parameter to carry out judging to sign legal correctness such as Under:

$\begin{array}{c}\underset{i\∈T_k}{\Σ}{v}_{2}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_b)k_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(0)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-T_i-H_1(M,{\mathrm{TP}}_n)v_1\\ -H_1(T_i,{\mathrm{TP}}_n)K_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(x)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-t_{i}p-H_1(M,{\mathrm{TP}}_n)xp\\ -H_1(T_i,{\mathrm{TP}}_n)k_{n}p\\ ={\Σ}_{i\∈T_k}{q}_x\left(0\right)p=yp=Y.\end{array}$

Compared with prior art, the beneficial effects of the present invention is:

1. the corresponding attribute structure of the private key of signer, verifier can be full to signature authentication with system common parameter Foot authentication in open.In order to ensure before and after attribute signature to safety and solve the problem that attribute key is revealed, the present invention is open A kind of Key-insulated based on attribute mechanism, the information of each time slice can be embedded in the private key that user is current. When occurring user property to cancel in system, update or during the situation such as private key for user leakage, by updating the private key of validated user Guarantee intrasystem front backward security.

2., traditional based in properties secret system, most variations is based on bilinear.The computing of two-wire pair is opened Pin is relatively big, can meet giving the substantial amounts of computing that arrives whole system.In the present invention, the whole process of signature authentication need not Any Bilinear map operates, and significantly reduces the burden of system and terminal.

Accompanying drawing explanation

Fig. 1 is the flow chart of the present invention.

Detailed description of the invention

In conjunction with accompanying drawing, the detailed description of the invention of the present invention is described in further detail.

The invention discloses a kind of Key-insulated endorsement method based on attribute, whole signature system is divided into some independence Time slice, as shown in Figure 1.After system enters new time slice, key aid generates private key more new segment, uses Family updates private key.For a certain file, user signs with the private key corresponding to current time fragment, the result of signature Also correspond to some time slice of system.If private key for user leaks in certain time slice, system is in other timeslice Section still can keep forward secrecy and backward security, falls below minimum by the harm that private key is revealed.

During signature, it is not necessary to the operation of any Bilinear map, decrease the computing cost of user terminal.This Outward, when system time fragment is evolved, it is not necessary to update system common parameter again, decrease and synchronize the communication that brings of common parameter and open Pin.

The content that the present invention is concrete is described as follows: the system that present invention assumes that by attribute AUC, signer, verifier, Four functional entity compositions of data server.Wherein, attribute AUC is responsible for the attribute of user, and at the beginning of dispatch user Beginning private key also enters the private key of renewal user when new time slice starts in system.Data server is by computer cluster group The physical node become, is responsible for the storage data of safety.Signer utilizes private key file is produced signature and is uploaded to data, services Device；Signed by common parameter checking after verifying download file the most legal.

Below for process prescription: a kind of Key-insulated endorsement method based on attribute comprises initialization, initial key is distributed, Key updating, signs and verifies this five steps, being described in detail below of each step:

Step one: system initialization:

1. definition G₁Being an addition cyclic group, it is G that its exponent number is q. definition p₁On one generation unit.

2. one hash function H of definition₁: { 0,1}^*→Z_q, the function of this function is the character string of random length to be projected Finite field territory Z_qOn.

3. attribute AUC is at finite fieldInterior is one random number of each Attributions selectionIt is additionally each Time slice TP_nChoose random numberFinally select random numberThen the main private key of system is { t_i, k_n, y}, be System common parameter is { G₁, p, q, Y=yp, K_n=k_np,T_i=t_ip,H₁}

Step 2: initial key is distributed:

In initial time fragment TP₀, attribute AUC of attribute AUC is according to the attribute structure tree T of each user_k's Each leaf node chooses a multinomial q_x, polynomial degree d_xThreshold value k for this node_xSubtract 1, i.e. (d_x=k_x-1). Q is arranged for root node_root(0)=y., for other node, arranges q_x(0)=q_parent(x) ^index(x), wherein parent (x) For the father node of node x, index (x) is node x sequence number in its all brotghers of node.Then attribute AUC will just Beginning keyIt is sent to signer.

Step 3: key updating:

1. when the time slice of system is from TP_n-1Evolve to TP_nTime, attribute AUC is each property calculation key More fresh information

2. user obtainsAfter, by the key updating before oneself to latest edition, calculation procedure method is as follows:

${\mathrm{SK}}_{{\mathrm{TP}}_n}={\mathrm{SK}}_{{\mathrm{TP}}_{n-1}}+{\mathrm{UP}}_{i,{\mathrm{TP}}_n}=\{q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n),i\∈T_k\}$

Step 4: signature:

1. couple file M, signer is chosen

2., according to the common parameter of system, data sender calculates following information:

v₁=xp

$v_2={\mathrm{SK}}_{{\mathrm{TP}}_n}+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n)=q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n)$

3. data sender is by { v₁, v2, M} packing is uploaded to data server.

Step 5: signature authentication:

1. Data receiver downloads corresponding file and signature at data server.

2. Data receiver to utilize system common parameter to carry out calculated as below:

$\underset{i\∈T_k}{\Σ}{v}_{2}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n=Y$

If equation is set up, sign legal.

Correctness specification is as follows:

$\begin{array}{c}\underset{i\∈T_k}{\Σ}{v}_{p}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(0)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-T_i-H_1(M,{\mathrm{TP}}_n)v_1\\ -H_1(T_i,{\mathrm{TP}}_n)K_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(0)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-t_{i}p-H_1(M,{\mathrm{TP}}_n)xp\\ -H_1(T_i,{\mathrm{TP}}_n)k_{n}p\\ =\underset{i\∈T_k}{\Σ}{q}_k\left(0\right)p=yp=Y\end{array}$

By above-mentioned five steps, complete Key-insulated endorsement method overall process based on attribute.

1., in key problem in technology point 1, the invention discloses a kind of Key-insulated based on attribute mechanism, each timeslice The information of section all can be embedded in the private key that user is current.When occurring user property to cancel in system, updating or user's private During the situations such as key leakage, guarantee intrasystem front backward security by updating the private key of validated user.

2., in key problem in technology point 2, eliminate the calculating of Bilinear map in conventional attribute signature mechanism, signature authentication Whole process need not any Bilinear map operation, significantly reduce the burden of system and terminal.

The foregoing is only a specific embodiment of the present invention, not in order to limit the present invention, used in the present embodiment Data set and attack mode are only limitted to the present embodiment, all within the spirit and principles in the present invention, any amendment of being made, equivalent Replacement, improvement etc., should be included within the scope of the present invention.

Claims (2)

1. a Key-insulated endorsement method based on attribute, it is characterised in that comprise the steps of

Step one: system initialization

1.1 definition G₁Being an addition cyclic group, it is G that its exponent number is q. definition p₁On one generation unit；

1.2 one hash function H of definition₁:{0,1}^*→Z_q, the function of this function is the character string of random length to have been projected Confinement territory Z_qOn；

1.3 attribute AUCs are at finite fieldInterior is one random number of each Attributions selectionWhen being additionally each Between fragment TP_nChoose random numberFinally select random numberThen the main private key of system is { t_i,k_n, y}, system Common parameter is { G₁, p, q, Y=yp, K_n=k_np,T_i=t_ip,H₁}；

Step 2: initial key is distributed

In initial time fragment TP₀, attribute AUC of attribute AUC is according to the attribute structure tree T of each user_kEach Individual leaf node chooses a multinomial q_x, polynomial degree d_xThreshold value k for this node_xSubtract 1, i.e. (d_x=k_x-1), for Root node arranges q_root(0)=y, for other node, arranges q_x(0)=q_parent(x) ^index(x), wherein parent (x) is joint The father node of some x, index (x) is node x sequence number in its all brotghers of node, and then attribute AUC will be the closeest KeyIt is sent to signer；

Step 3: key updating:

3.1 when the time slice of system is from TP_n-1Evolve to TP_nTime, attribute AUC is the renewal of each property calculation key Information

3.2 users obtainAfter, by the key updating before oneself to latest edition, calculation procedure method is as follows:

${\mathrm{SK}}_{{\mathrm{TP}}_n}={\mathrm{SK}}_{{\mathrm{TP}}_{n-1}}+{\mathrm{UP}}_{i,{\mathrm{TP}}_n}=\{q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n),i\∈T_k\};$

Step 4: signature

4.1 couples of file M, signer is chosen

4.2 according to the common parameter of system, and data sender calculates following information:

v₁=xp,

$v_2={\mathrm{SK}}_{{\mathrm{TP}}_n}+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n)=q_x\left(0\right)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n);$

4.3 data senders are by { v₁,v₂, M} packing is uploaded to data server；

Step 5: checking

5.1 Data receiver download corresponding file and signature at data server；

It is calculated as below that 5.2 Data receiver utilize system common parameter to carry out:

$\underset{i\∈T_k}{\Σ}{v}_{2}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n=Y$

If equation is set up, sign legal.

A kind of Key-insulated endorsement method based on attribute the most according to claim 1, it is characterised in that in step 5, sentence Disconnected legal correctness of signing is as follows:

$\begin{array}{c}\underset{i\∈T_k}{\Σ}{v}_{2}p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(0)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-T_i-H_1(M,{\mathrm{TP}}_n)v_1-H_1(T_i,{\mathrm{TP}}_n)K_n\\ =\underset{i\∈T_k}{\Σ}\left(q_x\right(0)+t_i+k_n{H}_1(T_i,{\mathrm{TP}}_n)+{\mathrm{xH}}_1(M,{\mathrm{TP}}_n\left)\right)p-t_{i}p-H_1(M,{\mathrm{TP}}_n)xp\\ -H_1(T_i,{\mathrm{TP}}_n)k_{n}p\\ ={\Σ}_{i\∈T_k}{q}_x\left(0\right)p=yp=Y.\end{array}$