CN108777626A - A kind of attribute base net network endorsement method for supporting dynamic attribute space - Google Patents

Abstract

The invention discloses a kind of attribute base net network endorsement methods for supporting dynamic attribute space, belong to information security field, way is mainly：The present invention (is divided into using demixing technology：Attribute layer and privacy sharing layer) realize the construction in dynamic attribute space, in attribute layer, attribute authority AA carries out Fuzzy processing using randomized method to user property, when needing that new attribute is added, attribute authority AA need to be only that the attribute chooses random number, and calculate corresponding promise to undertake and be used as the attribute sub-key, avoid the problem of reinitializing system；In privacy sharing layer, this programme defines access structure using linear privacy sharing method and signs to message, can not only support fine-grained access strategy, but also have higher signature efficiency.This method anonymity is strong, safe, can effectively realize anonymous Identity certification and the access control function of the networks such as cloud computing, electron medical treatment.

Description

A kind of attribute base net network endorsement method for supporting dynamic attribute space

Technical field

The present invention relates to a kind of attribute base net network endorsement methods for supporting dynamic attribute space.

Background technology

With flourishing for the big datas such as electron medical treatment, cloud computing application, the authentication to data and secret protection The critical issue solved as very real and urgent need.In based on attribute signature scheme, verifier, which is able to validate only signer, is It is no that there is the specific identity for accessing access structure (attribute) defined by message, but not confirming signer.Therefore attribute base label Name have ability to express it is strong, using flexible, convenient for concealment signer identity the advantages that, be therefore particularly suitable for realize cloud computing, Electron medical treatment etc. requires anonymity anonymous Identity certification and access control function in high network.

Currently, to the advantageous method of attribute base signature of large attribute collection, it is (linear secret total to be mainly based upon LSSS Enjoy) attribute base endorsement method.The endorsement method needs possible increased attribute after estimating in advance, and predicts signature algorithm In required attribute space size；But it when the space that subsequent practical increased attribute needs is more than reserved space, needs The operation complexity of system has been significantly greatly increased in reconstructing system.And form the waste of reserved space early period, also increase the money of system Source consumes.And it only supports key strategy mostly, message is related to attribute set in the strategy, the key and access structure of user It is associated, only when the attribute set in message meets the access structure in user key, legal signature can be generated.Tool For body, system can not independently define the access structure of message, and it is related to one group of attribute set to define message, compared to label For system can freely define the access structure of message in name strategy, used in cloud environment and dumb.

Invention content

The object of the present invention is to provide a kind of attribute base net network endorsement method for supporting dynamic attribute space, this method is belonging to Property increase when, can independently define the access structure of message, support fine-grained access control；And it is empty without reserved attribute in advance Between, it realizes dynamic attribute space, saves system resource, system operation complexity is low.

The technical scheme adopted by the invention for realizing the object of the invention is a kind of attribute base net for supporting dynamic attribute space Network endorsement method, step are：

A, parameter generates

The generation of A1, system public key, private key

System builds q rank multiplicative cyclic group G and q rank multiplicative cyclic group Y, and q rank multiplicative cyclic group G and q factorial methods respectively There are bilinear map relationship y=e (g between cyclic group Y_a,g_b)；Wherein q is more than 2⁵¹²Safe prime, y be q factorial methods follow Element in ring group Y, e (g_a,g_b) indicate element g in q rank multiplicative cyclic groups G_aWith element g_bCarry out bilinear map operation；

System randomly selects master key α of the number as system in 1~q of integer；System randomly selects out q factorial methods The generation member g of cyclic group G₁As the first public key of system g₁, and then obtain the second public key of system g₂,System is selected at random again Take out four element g in q rank multiplicative cyclic groups G₃g₄,g₅,g₆, respectively as the third public key g of system₃, the 4th public key g₄、 5th public key g₅, the 6th public key g₆；Again by the first public key of system g₁, the second public key of system g₂Bilinear map operation is carried out to obtain System verification public key y₀, y₀=e (g₁,g₂)；

The selection of A3, hash function

System chooses a hash function：H(m):M → G, and selected hash function H (m) is announced, wherein:M → G tables Show that the file m by be signed is mapped as the Hash operation of element on multiplicative cyclic group G；

B, user key is distributed

The explanation of B1, user property set

User ID possesses user property set W_ID, W_ID={ w₁,w₂,…,w_n,…,w_N, wherein w_nFor User ID property set Close W_IDN-th of attribute, value range be 1~q；N is User ID attribute set W_IDIn attribute number；

The generation of B2, user's master key

Attribute authority AA selects random number r at random in 1~q of integer for User ID, and is generated and used according to random number r The first part K of family ID master keys₁, K₁=g₂·g₆ ^-rWith the second part K of User ID master key₂, K₂=g^-r；

The generation of B3, user property key

Attribute authority AA is n-th of attribute w of User ID in 1~q of integer_nRandomly select random number r_n, Jin Ersheng At n-th of attribute w of User ID_nOne k of attribute sub-key_1,n,With n-th of attribute w of User ID_n Two k of attribute sub-key_2,n,

By all attribute w of User ID_nOne k of attribute sub-key_1,nLink, obtains one k of attribute key of User ID₁, k₁ =k_1,1||k_1,2||…||k_1,n||…||k_1,N；By all attribute w of User ID_nTwo k of attribute sub-key_2,nLink, is used Two k of attribute key of family ID₂, k₂=k_2,1||k_2,2||…||k_2,n||…||k_2,N；Wherein, | | indicate Linked operators；

The distribution of B4, user property key

Attribute authority AA is respectively by the first part K of User ID master key₁, User ID master key second part K₂、 One k of attribute key of User ID₁, User ID two k of attribute key₂It is sent to User ID by safe lane；

C, signature generates

When User ID accesses network service, network server utilizes the side of linear privacy sharing according to message m to be signed Signature attribute w ' in the access structure γ of legal justice message, access structure γ_iForm signature attribute subset W ', W '={ w '₁, w′₂,w′₃..., w '_i,…,w′_L, wherein i is signature attribute w '_iSerial number, L signature attributes w '_iNumber；Signature attribute Collect W ' and arrives user property set W_IDOne-to-one mapping relations be denoted as f：W′→W_ID；

The method for utilizing linear privacy sharing according to access structure simultaneously obtains the linear privacy sharing matrix M of L rows Z row, M=[M₁,M₂,M₃,…,M_i,…,M_L]^T, wherein M_iFor the i-th row of linear privacy sharing matrix M；

The selection of C1, signature attribute key

Signer is user property set W according to signature attribute subset W '_IDOne-to-one mapping relationship f：W′→W_ID, Find out signature attribute w '_iCorresponding user property w_nAnd its one k of attribute sub-key_1,nWith two k of attribute sub-key_2,nIt is denoted as label respectively Name attribute w '_iOne k ' of signature attribute sub-key_1,i, two k ' of signature attribute sub-key_2,i；

Signer is by all one k ' of signature attribute sub-key_1,iLink generates one k ' of User ID signature attribute key₁, k '₁ =k '_1,1||…||k′_1,i||…||k′_1,L；By all two k ' of signature attribute sub-key_2,iLink generates User ID signature and belongs to Two k ' of property key₂, k '₂=k '_2,1||…||k′_2,i||…||k′_2,L；

C2, the first son signature generate

Signer calculates the first son signature Q of file m to be signed first₁First part Q_1,1, Q_1,1=K₁·H(m )^r′；Wherein r ' be in 1~q of integer on the message random factor that randomly selects out, H (m) is to be mapped as file m to be signed The Hash operation of element on multiplicative cyclic group G；

Then, the first son signature Q of file m to be signed is calculated₁Second part in i-th of subdivision Q_1,2,i,Wherein x_iIt is that random number is chosen in 1~q of integer, and itself and linear privacy sharing method Linear privacy sharing matrix M the first row M₁Product be equal to 1, remaining each row M_iProduct be equal to 0；Wherein b_iIt is whole Random number, and each row M of itself and linear privacy sharing matrix M are chosen in 1~q of number_iProduct be equal to 0；

By each subdivision Q in the second part of the first son signature_1,2,iLian Cheng obtains the first son of file m to be signed Sign Q₁Second part Q_1,2, Q_1,2=Q_1,2,1·Q_1,2,2·Q_1,2,3…·Q_1,2,i…·Q_1,2,L；

Finally by the first son signature Q of file m to be signed₁First part Q_1,1With second part of the first son signature Part Q_1,2It is multiplied, obtains the first son signature Q of file m to be signed₁, Q₁=Q_1,1·Q_1,2；

C3, the second son signature generate

Signer calculates the second son signature Q of file m to be signed₂：Q₂=g^r′。

C4, third signature generate

Signer calculates the third signature Q of file m to be signed₃I-th of subdivision

Signer signs third of file m to be signed Q₃The i-th subdivision each subdivision Q_3,iLink, obtains The third signature Q of file m to be signed₃：Q₃=Q_3,1||…||Q_3,i||…||Q_3,L；

C5, the 4th son signature generate

Signer calculates the 4th son signature Q of file m to be signed₄I-th of subdivision Q_4,i：

Signer is by the 4th of file m to be signed son signature Q₄All subdivision Q_4,iLink, obtains file m to be signed The 4th son signature Q₄：Q₄=Q_4,1||…||Q_4,i||…||Q_4,L；

C6, signature are sent

By file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th son signature Q₄, hair Give network server；

D, signature verification

Network server receives file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th Son signature Q₄, and by third sign Q₃I-th of subdivision Q_3,iWith i-th of subdivision Q of the 4th son signature_4,iIt takes out；So Afterwards, Z-1 random number μ is randomly choosed in 1~q of integer₂,…,μ_Z, constitute verification vectors μ={ 1, μ₂,…,μ_Z, wherein Z is The columns of linear privacy sharing matrix M；

Network server recycles the i-th row M of linear privacy sharing matrix M_i, calculate the verification of i-th of signature attribute The factor System verification public key value y is obtained finally by following formula₀′,

WhereinI=1 are indicated until i=L companies multiply；

If system verification public key value y₀' verification public key the y with A1 steps₀Equal, then it is legal to judge to sign, and User ID is allowed to visit Ask signature file m；Otherwise, it is determined that signature is invalid, network server refusal User ID accesses to signature file m.

Compared with prior art, useful achievement of the invention is：

One, the present invention (is divided by demixing technology：Attribute layer and privacy sharing layer) realize the construction in dynamic attribute space. In attribute layer, attribute authority AA carries out Fuzzy processing using randomized method to user property, when needing to be added When new attribute, attribute authority AA need to be only that the attribute chooses random number, and calculates the corresponding son promised to undertake as the attribute Key avoids the problem of reinitializing system, without prior reserved attribute space, realizes the structure in dynamic attribute space It makes, saves system resource, system operation complexity is low.

Two, the present invention defines the access knot of message using linear privacy sharing method in privacy sharing layer when attribute increases Structure signs to message；Support the abundant fine-grained access strategy of AND, OR, thresholding；And it is main in signature generating process It is modular multiplication, is needed for calculating a large amount of Bilinear map operation Restore Secret value compared to tree is accessed, there is higher signature Efficiency；System resource is also saved, system operation complexity is reduced.

The present invention is described in further detail With reference to embodiment.

Specific implementation mode

Embodiment

A kind of specific implementation mode of the present invention is a kind of attribute base net network endorsement method for supporting dynamic attribute space, Its step is：

A, parameter generates

The generation of A1, system public key, private key

System builds q rank multiplicative cyclic group G and q rank multiplicative cyclic group Y, and q rank multiplicative cyclic group G and q factorial methods respectively There are bilinear map relationship y=e (g between cyclic group Y_a, g_b)；Wherein q is more than 2⁵¹²Safe prime, y be q factorial methods follow Element in ring group Y, e (g_a,g_b) indicate element g in q rank multiplicative cyclic groups G_aWith element g_bCarry out bilinear map operation；

System randomly selects master key α of the number as system in 1~q of integer；System randomly selects out q factorial methods The generation member g of cyclic group G₁As the first public key of system g₁, and then obtain the second public key of system g₂,System is selected at random again Take out four element g in q rank multiplicative cyclic groups G₃g₄,g₅,g₆, respectively as the third public key g of system₃, the 4th public key g₄、 5th public key g₅, the 6th public key g₆；Again by the first public key of system g₁, the second public key of system g₂Bilinear map operation is carried out to obtain System verification public key y₀, y₀=e (g₁,g₂)；

The selection of A3, hash function

System chooses a hash function：H(m):M → G, and selected hash function H (m) is announced, wherein:M → G tables Show that the file m by be signed is mapped as the Hash operation of element on multiplicative cyclic group G；

B, user key is distributed

The explanation of B1, user property set

User ID possesses user property set W_ID, W_ID={ w₁,w₂,…,w_n,…,w_N, wherein w_nFor User ID property set Close W_IDN-th of attribute, value range be 1~q；N is User ID attribute set W_IDIn attribute number；

The generation of B2, user's master key

Attribute authority AA selects random number r at random in 1~q of integer for User ID, and is generated and used according to random number r The first part K of family ID master keys₁, K₁=g₂·g₆ ^-rWith the second part K of User ID master key₂, K₂=g^-r；

The generation of B3, user property key

Attribute authority AA is n-th of attribute w of User ID in 1~q of integer_nRandomly select random number r_n, Jin Ersheng At n-th of attribute w of User ID_nOne k of attribute sub-key_1,n,With n-th of attribute w of User ID_n Two k of attribute sub-key_2,n,

By all attribute w of User ID_nOne k of attribute sub-key_1,nLink, obtains one k of attribute key of User ID₁, k₁ =k_1,1||k_1,2||…||k_1,n||…||k_1,N；By all attribute w of User ID_nTwo k of attribute sub-key_2,nLink, is used Two k of attribute key of family ID₂, k₂=k_2,1||k_2,2||…||k_2,n||…||k_2,N；Wherein, | | indicate Linked operators；

The distribution of B4, user property key

Attribute authority AA is respectively by the first part K of User ID master key₁, User ID master key second part K₂、 One k of attribute key of User ID₁, User ID two k of attribute key₂It is sent to User ID by safe lane；

C, signature generates

When User ID accesses network service, network server utilizes the side of linear privacy sharing according to message m to be signed Signature attribute w ' in the access structure γ of legal justice message, access structure γ_iForm signature attribute subset W ', W '={ w '₁, w′₂,w′₃..., w '_i,…,w′_L, wherein i is signature attribute w '_iSerial number, L signature attributes w '_iNumber；Signature attribute Collect W ' and arrives user property set W_IDOne-to-one mapping relations be denoted as f：W′→W_ID；

The method for utilizing linear privacy sharing according to access structure simultaneously obtains the linear privacy sharing matrix M of L rows Z row, M=[M₁,M₂,M₃,…,M_i,…,M_L]^T, wherein M_iFor the i-th row of linear privacy sharing matrix M；

The selection of C1, signature attribute key

Signer is user property set W according to signature attribute subset W '_IDOne-to-one mapping relationship f：W′→W_ID, Find out signature attribute w '_iCorresponding user property w_nAnd its one k of attribute sub-key_1,nWith two k of attribute sub-key_2,nIt is denoted as label respectively Name attribute w '_iOne k ' of signature attribute sub-key_1,i, two k ' of signature attribute sub-key_2,i；

Signer is by all one k ' of signature attribute sub-key_1,iLink generates one k ' of User ID signature attribute key₁, k '₁ =k '_1,1||…||k′_1,i||…||k′_1,L；By all two k ' of signature attribute sub-key_2,iLink generates User ID signature and belongs to Two k ' of property key₂, k '₂=k '_2,1||…||k′_2,i||…||k′_2,L；

C2, the first son signature generate

Signer calculates the first son signature Q of file m to be signed first₁First part Q_1,1, Q_1,1=K₁·H(m )^r′；Wherein r ' be in 1~q of integer on the message random factor that randomly selects out, H (m) is to be mapped as file m to be signed The Hash operation of element on multiplicative cyclic group G；

Then, the first son signature Q of file m to be signed is calculated₁Second part in i-th of subdivision Q_1,2,i,Wherein x_iIt is that random number is chosen in 1~q of integer, and itself and linear privacy sharing method Linear privacy sharing matrix M the first row M₁Product be equal to 1, remaining each row M_iProduct be equal to 0；Wherein b_iIt is whole Random number, and each row M of itself and linear privacy sharing matrix M are chosen in 1~q of number_iProduct be equal to 0；

By each subdivision Q in the second part of the first son signature_1,2,iLian Cheng obtains the first son of file m to be signed Sign Q₁Second part Q_1,2, Q_1,2=Q_1,2,1·Q_1,2,2·Q_1,2,3…·Q_1,2,i…·Q_1,2,L；

Finally by the first son signature Q of file m to be signed₁First part Q_1,1With second part of the first son signature Part Q_1,2It is multiplied, obtains the first son signature Q of file m to be signed₁, Q₁=Q_1,1·Q_1,2；

C3, the second son signature generate

Signer calculates the second son signature Q of file m to be signed₂：Q₂=g^r′。

C4, third signature generate

Signer calculates the third signature Q of file m to be signed₃I-th of subdivision

Signer signs third of file m to be signed Q₃The i-th subdivision each subdivision Q_3,iLink, obtains The third signature Q of file m to be signed₃：Q₃=Q_3,1||…||Q_3,i||…||Q_3,L；

C5, the 4th son signature generate

Signer calculates the 4th son signature Q of file m to be signed₄I-th of subdivision Q_4,i：

Signer is by the 4th of file m to be signed son signature Q₄All subdivision Q_4,iLink, obtains file m to be signed The 4th son signature Q₄：Q₄=Q_4,1||…||Q_4,i||…||Q_4,L；

C6, signature are sent

By file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th son signature Q₄, hair Give network server；

D, signature verification

Network server receives file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th Son signature Q₄, and by third sign Q₃I-th of subdivision Q_3,iWith i-th of subdivision Q of the 4th son signature_4,iIt takes out；So Afterwards, Z-1 random number μ is randomly choosed in 1~q of integer₂,…,μ_Z, constitute verification vectors μ={ 1, μ₂,…,μ_Z, wherein Z is The columns of linear privacy sharing matrix M；

Network server recycles the i-th row M of linear privacy sharing matrix M_i, calculate the verification of i-th of signature attribute The factor System verification public key value y is obtained finally by following formula₀′,

WhereinI=1 are indicated until i=L companies multiply；

If system verification public key value y₀' verification public key the y with A1 steps₀Equal, then it is legal to judge to sign, and User ID is allowed to visit Ask signature file m；Otherwise, it is determined that signature is invalid, network server refusal User ID accesses to signature file m.

Claims (1)

1. a kind of attribute base net network endorsement method for supporting dynamic attribute space, step are：

A, parameter generates

The generation of A1, system public key, private key

System builds q rank multiplicative cyclic group G and q rank multiplicative cyclic group Y, and q rank multiplicative cyclic group G and q rank multiplication loops respectively There are bilinear map relationship y=e (g between group Y_a,g_b)；Wherein q is more than 2⁵¹²Safe prime, y be q rank multiplicative cyclic groups Element in Y, e (g_a,g_b) indicate element g in q rank multiplicative cyclic groups G_aWith element g_bCarry out bilinear map operation；

System randomly selects master key α of the number as system in 1~q of integer；System randomly selects out q rank multiplication loops The generation member g of group G₁As the first public key of system g₁, and then obtain the second public key of system g₂,System randomly selects out again Four element g in q rank multiplicative cyclic groups G₃g₄,g₅,g₆, respectively as the third public key g of system₃, the 4th public key g₄, the 5th Public key g₅, the 6th public key g₆；Again by the first public key of system g₁, the second public key of system g₂It carries out bilinear map operation and obtains system Verification public key y₀, y₀=e (g₁,g₂)；

The selection of A3, hash function

System chooses a hash function：H(m):M → G, and selected hash function H (m) is announced, wherein:M → G is indicated will File m to be signed is mapped as the Hash operation of element on multiplicative cyclic group G；

B, user key is distributed

The explanation of B1, user property set

User ID possesses user property set W_ID, W_ID={ w₁,w₂,…,w_n,…,w_N, wherein w_nFor User ID attribute set W_ID N-th of attribute, value range be 1~q；N is User ID attribute set W_IDIn attribute number；

The generation of B2, user's master key

Attribute authority AA selects random number r at random in 1~q of integer for User ID, and generates User ID according to random number r The first part K of master key₁, K₁=g₂·g₆ ^-rWith the second part K of User ID master key₂, K₂=g^-r；

The generation of B3, user property key

Attribute authority AA is n-th of attribute w of User ID in 1~q of integer_nRandomly select random number r_n, and then generate and use N-th of attribute w of family ID_nOne k of attribute sub-key_1,n,With n-th of attribute w of User ID_nCategory Two k of temper key_2,n,

By all attribute w of User ID_nOne k of attribute sub-key_1,nLink, obtains one k of attribute key of User ID₁, k₁=k_1,1 ||k_1,2||…||k_1,n||…||k_1,N；By all attribute w of User ID_nTwo k of attribute sub-key_2,nLink, obtains User ID Two k of attribute key₂, k₂=k_2,1||k_2,2||…||k_2,n||…||k_2,N；Wherein, | | indicate Linked operators；

The distribution of B4, user property key

Attribute authority AA is respectively by the first part K of User ID master key₁, User ID master key second part K₂, user One k of attribute key of ID₁, User ID two k of attribute key₂It is sent to User ID by safe lane；

C, signature generates

When User ID accesses network service, network server is fixed using the method for linear privacy sharing according to message m to be signed Signature attribute w ' in the access structure γ of adopted message, access structure γ_iForm signature attribute subset W ', W '={ w '₁,w₂′, w₃' ..., w_i′,…,w′_L, wherein i is signature attribute w '_iSerial number, L signature attributes w '_iNumber；Signature attribute subset W ' To user property set W_IDOne-to-one mapping relations be denoted as f：W′→W_ID；

The method for utilizing linear privacy sharing according to access structure simultaneously obtains linear privacy sharing the matrix M, M=of L rows Z row [M₁,M₂,M₃,…,M_i,…,M_L]^T, wherein M_iFor the i-th row of linear privacy sharing matrix M；

The selection of C1, signature attribute key

Signer is user property set W according to signature attribute subset W '_IDOne-to-one mapping relationship f：W′→W_ID, find out label Name attribute w_i' corresponding user property w_nAnd its one k of attribute sub-key_1,nWith two k of attribute sub-key_2,nIt is denoted as signature attribute respectively w′_iOne k ' of signature attribute sub-key_1,i, two k ' of signature attribute sub-key_2,i；

Signer is by all one k ' of signature attribute sub-key_1,iLink generates one k ' of User ID signature attribute key₁, k '₁= k′_1,1||…||k′_1,i||…||k′_1,L；By all two k ' of signature attribute sub-key_2,iLink generates User ID signature attribute Two k ' of key₂, k '₂=k '_2,1||…||k′_2,i||…||k′_2,L；

C2, the first son signature generate

Signer calculates the first son signature Q of file m to be signed first₁First part Q_1,1, Q_1,1=K₁·H(m)^r′；Wherein R ' be in 1~q of integer on the message random factor that randomly selects out, H (m) is that file m to be signed is mapped as multiplication to follow The Hash operation of element on ring group G；

Then, the first son signature Q of file m to be signed is calculated₁Second part in i-th of subdivision Q_1,2,i,Wherein x_iIt is that random number is chosen in 1~q of integer, and itself and linear privacy sharing method Linear privacy sharing matrix M the first row M₁Product be equal to 1, remaining each row M_iProduct be equal to 0；Wherein b_iIt is whole Random number, and each row M of itself and linear privacy sharing matrix M are chosen in 1~q of number_iProduct be equal to 0；

By each subdivision Q in the second part of the first son signature_1,2,iLian Cheng obtains the first son signature of file m to be signed Q₁Second part Q_1,2, Q_1,2=Q_1,2,1·Q_1,2,2·Q_1,2,3…·Q_1,2,i…·Q_1,2,L；

Finally by the first son signature Q of file m to be signed₁First part Q_1,1With the second part subdivision of the first son signature Q_1,2It is multiplied, obtains the first son signature Q of file m to be signed₁, Q₁=Q_1,1·Q_1,2；

C3, the second son signature generate

Signer calculates the second son signature Q of file m to be signed₂：Q₂=g^r′。

C4, third signature generate

Signer calculates the third signature Q of file m to be signed₃I-th of subdivision

Signer signs third of file m to be signed Q₃The i-th subdivision each subdivision Q_3,iLink, obtains to be signed The third signature Q of file m₃：Q₃=Q_3,1||…||Q_3,i||…||Q_3,L；

C5, the 4th son signature generate

Signer calculates the 4th son signature Q of file m to be signed₄I-th of subdivision Q_4,i：

Signer is by the 4th of file m to be signed son signature Q₄All subdivision Q_4,iLink, obtains the 4th of file m to be signed Son signature Q₄：Q₄=Q_4,1||…||Q_4,i||…||Q_4,L；

C6, signature are sent

By file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th son signature Q₄, it is sent to net Network server；

D, signature verification

Network server receives file m to be signed, the first son signature Q₁, second son signature Q₂, third sign Q₃With the 4th son label Name Q₄, and by third sign Q₃I-th of subdivision Q_3,iWith i-th of subdivision Q of the 4th son signature_4,iIt takes out；Then, exist Z-1 random number μ is randomly choosed in 1~q of integer₂,…,μ_Z, constitute verification vectors μ={ 1, μ₂,…,μ_Z, wherein Z is linear The columns of privacy sharing matrix M；

Network server recycles the i-th row M of linear privacy sharing matrix M_i, calculate the proof factor of i-th of signature attribute System verification public key value y is obtained finally by following formula₀′,

WhereinI=1 are indicated until i=L companies multiply；

If system verification public key value y₀' verification public key the y with A1 steps₀Equal, then it is legal to judge to sign, and User ID is allowed to access label Name file m；Otherwise, it is determined that signature is invalid, network server refusal User ID accesses to signature file m.