(m, N) threshold group signature method based on ECC
Technical field
The invention belongs to the field of digital signatures, and in particular relates to an (m, N) threshold group signature method based on ECC.
Background art
Digital signatures are an important invention of contemporary cryptography. They are also an important tool for guaranteeing data integrity, implementing network authentication and conducting modern e-commerce. In recent years, researchers have proposed many special digital signatures; group signatures, threshold group signatures, undeniable group signatures and multisignatures are four of them. The group signature scheme was first proposed by Chaum and Heyst [1]. In a group signature scheme, each member can sign on behalf of the entire group. Introducing secret sharing [2] into a group signature scheme yields a threshold group signature scheme [3-8], in which certain given subsets of the group can sign on behalf of the entire group. In an undeniable group signature, verifying the signature requires the cooperation of the signer. In a multisignature scheme, the identity of each signing member is public, and verifying a signature generally requires the public key of each member. In a threshold group signature scheme, the threshold group signature is generated by combining, in some way, the partial signatures produced by each member participating in the signing. According to how the secret shares are distributed, existing threshold group signature schemes can be divided into two types: threshold group signature schemes with a secret distribution center [4,7,8] and threshold group signature schemes with distributed secret sharing [5-7]. A good threshold group signature should have the following properties:
(1) Group signature property: only members of the group can generate valid partial signatures, and non-members cannot forge valid partial signatures;
(2) Threshold property: a valid threshold group signature can be produced only when the number of signers is no less than the threshold;
(3) Anti-impersonation: no group can impersonate another group to generate a group signature;
(4) Simple verification: the verifier can conveniently and simply check whether a signature is valid;
(5) Anonymity: the verifier does not know which member of the group produced the signature;
(6) Traceability: when a dispute arises afterwards, the identity of the signer can be traced;
(7) Robustness: malicious members still cannot obtain the system's secret parameters when their number is greater than or equal to the threshold;
(8) System stability: when a violating member is removed or a new member joins, the system parameters and the parameters of existing members need not change, or need to change only slightly.
However, nearly all existing threshold group signature schemes have shortcomings. Desmedt and Frankel were the first to propose an RSA-based threshold group signature scheme [4], but [9] found that when the number of malicious members in [4] is greater than or equal to the threshold, they can collude to obtain the system secret (the group private key) with high probability and then forge the group signatures of other members without accountability. Langford points out in [10] that the key generation protocols in [5], [6] and [7] are problematic. For the threshold group signature scheme proposed in [11], [12] describes two attacks on the scheme: from existing group signatures, an attacker can forge group signatures on other messages.
Bibliography
1. D. Chaum and E. van Heyst. Group Signatures. In: Davies D W ed. Advances in Cryptology – Eurocrypt '91 proceedings. Berlin: Springer-Verlag, 1992. 257-265.
2. A. Shamir. How to Share a Secret. Communications of the ACM, 1979, 22(11): 612-613.
3. Y. Desmedt. Society and Group Oriented Cryptography. In: Pomerance C ed. Advances in Cryptology – Crypto '87 proceedings. Berlin: Springer-Verlag, 1988. 120-127.
4. Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. In: Feigenbaum J ed. Advances in Cryptology – Crypto '91 proceedings. Berlin: Springer-Verlag, 1992. 457-469.
5. L. Harn and S. Yang. Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party. In: Seberry J and Zheng Y eds. Advances in Cryptology – Auscrypt '92 proceedings. Berlin: Springer-Verlag, 1992. 133-142.
6. L. Harn. Group-Oriented (t, n) Threshold Digital Signature Scheme and Multisignature. IEE proceedings, Computers and digital techniques, 1994, 141(5): 307-313.
7. C. Li, T. Hwang and N. Lee. Threshold-Multisignature Schemes Where Suspected Forgery Implies Traceability of Adversarial Shareholders. In: Santis A D ed. Advances in Cryptology – Eurocrypt '94 proceedings. Berlin: Springer-Verlag, 1995. 194-204.
8. Lu Langru and Zhao Renjie. A (t, n) Threshold Group Signature Scheme. In: Pei Ding-yi, Zhao Ren-jie and Zhou Jin-jun eds. Advances in Cryptology – Chinacrypt '96. Beijing: Science Press, 1996. 177-184.
9. C. Li, T. Hwang and N. Lee. Remark on the Threshold RSA Signature Scheme. In: Stinson D R ed. Advances in Cryptology – Crypto '93 proceedings. Berlin: Springer-Verlag, 1993. 413-419.
10. Susan K. Langford. Weakness in Some Threshold Cryptosystems. In: Koblitz N ed. Advances in Cryptology – Crypto '96 proceedings. Berlin: Springer-Verlag, 1996. 74-82.
11. C. T. Wang, C. H. Lin and C. C. Chang. Threshold Signature Schemes with Traceable Signers in Group Communications. Computer Communications, 1998, 21(8): 771-776.
12. Y. M. Tseng, J. K. Jan. Attacks on Threshold Signature Schemes with Traceable Signers. Information Processing Letters, 1999, 71(1): 1-4.
13. Xu Qiu-Liang.
Summary of the invention
To solve the above problems in the prior art, the object of the present invention is to provide an (m, N) threshold group signature method based on ECC.
The technical scheme adopted by the invention is as follows:
An (m, N) threshold group signature method based on ECC, comprising the following steps:
S1, on the elliptic curve, securely generate a random secret $k_s$ and calculate its scalar multiplication with the base point G, $K_s = k_s G$; $(k_s, K_s)$ forms a key pair, where $k_s$ is the private key and $K_s$ is the public key. The elliptic curve parameters are p, a, b, n, G, where p is a large prime or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point;
S2, split the secret $k_s$ into m parts, generate $x_i$ at random, and calculate $y_i$ from $x_i$; $x_i$ is part of the group verification public key and $y_i$ is the signing private key of a user, $i \in \{1, \dots, N\}$;
S3, a vote is initiated among the N member organizations holding the private keys $y_i$, $i \in \{1, \dots, N\}$; when any m of the N members agree, the vote passes and the (m, N) threshold group signature is realized.
The ECC algorithm is based on the hard mathematical problem of the discrete logarithm: given an integer z and a point Q on the elliptic curve, calculating $Q_z = zQ$ is easy, but conversely, given $Q_z$ and Q, finding z is infeasible.
Specifically, in step S1, the first-class curve equation of the elliptic curve is:
$y^2 = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is defined over the field GF(p). Since p is a large prime, in the generation of the group verification public key and the signing private keys below, the values taken modulo p are 0, 1, 2, 3, 4, 5, 6.
Alternatively, in step S1, the second-class curve equation of the elliptic curve is:
$y^2 + xy = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is defined over the field GF($2^l$). The generation of the group verification public key and the signing private keys below uses the same calculation method as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that the calculation is carried out modulo $2^m$, and the values taken modulo it are 0, 1, ..., 31.
Any m (m < N) or more parts can produce a valid group signature that passes verification with the group public key; the group public key here is a point on the elliptic curve, denoted $K_s$.
When the first-class curve equation is used, in step S2, $x_i$ and $y_i$ are calculated as follows:
S21, securely generate a random secret $k_s$ and calculate $K_s = k_s G$ as part of the group public key;
S22, split $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where p is a large prime and mod (p) denotes reduction modulo p, and form the polynomial $P_{m-1}(x)$ over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
S23, choose $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
S24, publish $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures; keep $y_1, y_2, \dots, y_N$ secret and distribute $y_i$, $i \in \{1, \dots, N\}$, to the N members over a secret channel as signing private keys, so that each member holds one signing private key $y_i$.
When the second-class curve equation is used, in step S2, $x_i$ and $y_i$ are calculated as follows:
S21, securely generate a random secret $k_s$ and calculate $K_s = k_s G$ as part of the group public key;
S22, split $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where l is an integer and mod ($2^l$) denotes reduction modulo $2^l$, and form the polynomial $P_{m-1}(x)$ over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
S23, choose $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
S24, publish $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures; keep $y_1, y_2, \dots, y_N$ secret and distribute $y_i$, $i \in \{1, \dots, N\}$, to the N members over a secret channel as signing private keys, so that each member holds one signing private key $y_i$.
Further, in step S3, the specific signing method is:
For a message text, each organization that approves its content, say the i-th, with corresponding signing private key $y_i$, does the following:
S31, calculate the hash value h = Hash(text) of the message text;
S32, generate a random number $k_i$ and calculate $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and let $c_i = x_{R,i}$;
S33, calculate $s_i$, wherein the inverse denotes computing the inverse element, $c_i y_i$ is a big integer, and $s_i$ is a big integer;
S34, $(text, s_i, R_i)$ is obtained as the member's signature value and is published.
Still further, the threshold group signature method also includes a verification step.
The verification step includes:
S41, if there are fewer than m groups of member signature values $(text, s_i, R_i)$, return failure; if there are more than m, choose m of them for the verification calculation.
Still further, the verification step also includes:
S42, assume that the chosen members correspond to $x_1, x_2, \dots, x_m$ and the corresponding secrets are $y_1, y_2, \dots, y_m$; then:
the matrix X and its adjoint matrix $X^*$
satisfy $XX^* = \det(X) I$, where I is the identity matrix and $\det(\cdot)$ denotes the value of the determinant;
S43, for each group $(text, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculate the point $T_j$ on the elliptic curve:
S44, calculating
S45, calculating
If S46,Then it is verified.
The invention has the benefit that
The present invention overcomes the defects of traditional group signatures: any m of the N secrets can produce a valid group signature, while m-1 cannot. The ECC-based (m, N) threshold group signature method of the invention is secure: the signing private keys are not exposed, and verification does not require a trusted third party (TC).
Specific embodiment
The present invention is further described below with reference to specific embodiments.
Embodiment:
The mathematical foundations of the invention are as follows:
Adjoint matrix:
This is called the n-th order Vandermonde determinant, and the value of the determinant is:
Obviously, if the $x_i$ are pairwise distinct, then $D_n \neq 0$. Its corresponding matrix:
has an adjoint matrix $X^*$:
such that $XX^* = \det(X) I$, where I is the identity matrix.
The (m, N) threshold group signature method based on ECC of the present embodiment includes the following steps:
First step: on the elliptic curve given by the first-class curve equation, formula (1), securely generate a random secret $k_s$ and calculate its scalar multiplication with the base point G, $K_s = k_s G$; $(k_s, K_s)$ forms a key pair, where $k_s$ is the private key and $K_s$ is the public key. The elliptic curve parameters are p, a, b, n, G, where p is a large prime or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point:
$y^2 = x^3 + ax + b$ (1)
where a and b are coefficients and the elliptic curve is defined over the field GF(p). Since p is a large prime, in the generation of the group verification public key and the signing private keys below, the values taken modulo p are 0, 1, 2, 3, 4, 5, 6.
The elliptic curve may also be given by the second-class curve equation:
$y^2 + xy = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is defined over the field GF($2^l$). The generation of the group verification public key and the signing private keys below uses the same calculation method as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that the calculation is carried out modulo $2^m$, and the values taken modulo it are 0, 1, ..., 31.
A key pair means that a signature made with the private key can be verified successfully with the public key.
The ECC algorithm is based on the hard mathematical problem of the discrete logarithm: given an integer z and a point Q on the elliptic curve, calculating $Q_z = zQ$ is easy, but conversely, given $Q_z$ and Q, finding z is infeasible.
Second step: under the ECC system, split the secret $k_s$ into m parts, generate $x_i$ at random, and calculate $y_i$ from $x_i$; $x_i$ is part of the group verification public key and $y_i$ is the signing private key of a user, $i \in \{1, \dots, N\}$. Any m (m < N) or more of these parts can produce a valid group signature that passes verification with the group public key; the group public key here is a point on the elliptic curve, denoted $K_s$. The group public key and the signing private keys are calculated as follows:
Choose a secret $k_s$ and calculate $K_s = k_s G$ as part of the group public key;
When the first-class curve equation is used, split $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where p is a large prime and mod (p) denotes reduction modulo p, and form the polynomial $P_{m-1}(x)$ over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$ (2)
Choose $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
When the second-class curve equation is used, split $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where l is an integer and mod ($2^l$) denotes reduction modulo $2^l$, and form the polynomial $P_{m-1}(x)$ over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
Choose $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
Publish $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures; keep $y_1, y_2, \dots, y_N$ secret and distribute $y_i$, $i \in \{1, \dots, N\}$, to the N members over a secret channel as signing private keys, so that each member holds one signing private key $y_i$.
Third step: a vote is initiated among the N member organizations holding the private keys $y_i$, $i \in \{1, \dots, N\}$; when any m of the N members agree, the vote passes and the (m, N) threshold group signature is realized.
The specific signing method is:
For a text message text, each organization that approves its content, say the i-th, with corresponding signing private key $y_i$, does the following:
First, calculate h = Hash(text), the hash value of text;
Then, generate a random number $k_i$ and calculate $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and let $c_i = x_{R,i}$;
Then, calculate $s_i$, wherein the inverse denotes computing the inverse element, $c_i y_i$ is a big integer, and $s_i$ is a big integer;
Finally, $(text, s_i, R_i)$ is the member's signature value and is published.
The (m, N) threshold group signature method based on ECC further includes a verification step.
If there are fewer than m groups $(text, s_i, R_i)$, return failure; if there are more than m, choose m of them for the verification calculation. Without loss of generality, assume that the chosen members correspond to $x_1, x_2, \dots, x_m$ and the corresponding secrets are $y_1, y_2, \dots, y_m$.
The matrix X and its adjoint matrix $X^*$ satisfy $XX^* = \det(X) I$, where I is the identity matrix and $\det(\cdot)$ denotes the value of the determinant.
The verification process is as follows:
First, for each group $(text, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculate the point $T_j$ on the elliptic curve, as in formula (3);
Then, it calculates
Then, it calculates
IfThen it is verified.
The present invention is proved as follows:
The symbols have the same meaning as above. Since $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, m$, write $Y = (y_1, y_2, \dots, y_m)$ to obtain formula (4):
$AX = Y \bmod p$ (4)
Let $X^*$ be the adjoint matrix over the integers; then $X^*$ satisfies $XX^* = \det(X) I$. Let:
HereThen there are formula (6):
$\det(X) A = Y X^*$ over Z (6)
where "over Z" means that the equation holds over the integers, therefore:
The above formula likewise holds in the field GF(p), i.e. formula (7):
From $s_i k_i = (h + c_i y_i)$, multiplying both sides by G gives $s_i k_i G = (hG + y_i \cdot c_i G)$, i.e.:
$s_i R_i = hG + y_i \cdot c_i G$
It can obtainBoth sides simultaneously multiplied byAnd formula (8) are obtained by formula (3):
Summing both sides of formula (8) over i, the right side is T, and the left side is:
So ifThen it is verified.
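The key generation, member signing and verification steps described above, as an added Python sketch that is not part of the patent text; the function names are illustrative. It assumes secp256k1 and SHA-256, and reduces shares modulo the order `Q` of G rather than the field prime p so that scalar identities carry over to curve points. Because formulas (3) and (8) are not reproduced on this page, it takes $T_j = c_j^{-1}(s_j R_j - hG)$ from the relation $s_i R_i = hG + y_i \cdot c_i G$ and uses Lagrange weights at x = 1 in place of the adjoint matrix $X^*$.

```python
import hashlib, math, secrets

P = 2**256 - 2**32 - 977  # assumed curve: secp256k1, y^2 = x^3 + 7 over GF(P)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc, k = None, k % Q
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def H(text):  # h = Hash(text) as an integer mod Q; SHA-256 is an assumption
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % Q

def keygen(m, n_members):  # S21-S24 with shares mod Q; k_s = a_0+...+a_{m-1} = P_{m-1}(1)
    coeffs = [secrets.randbelow(Q) for _ in range(m)]
    xs = set()
    while len(xs) < n_members:  # distinct x_i, never 0 or 1: x_i = 1 gives y_i = k_s
        xs.add(2 + secrets.randbelow(Q - 2))
    xs = sorted(xs)
    ys = [sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q for x in xs]
    return mul(sum(coeffs), G), xs, ys  # (K_s, public x_i, private y_i)

def sign(text, y):  # S31-S34: R = kG, c = x-coordinate of R, s = k^-1 (h + c*y) mod Q
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        R = mul(k, G)
        if R[0] % Q:
            return pow(k, -1, Q) * (H(text) + R[0] * y) % Q, R

def verify(text, K_s, m, parts):  # parts = [(x_i, s_i, R_i)]; accept iff sum w_i*T_i == K_s
    chosen = list({x: (x, s, R) for x, s, R in parts}.values())[:m]
    if len(chosen) < m:
        return False  # S41: fewer than m distinct signers
    total = None
    for xi, s, R in chosen:
        if R is None or R[0] % Q == 0 or (R[1] ** 2 - R[0] ** 3 - 7) % P:
            return False  # malformed R_i
        T = mul(pow(R[0], -1, Q), add(mul(s, R), mul(-H(text), G)))  # = y_i * G
        w = math.prod((1 - xj) * pow(xi - xj, -1, Q) for xj, _, _ in chosen if xj != xi)
        total = add(total, mul(w, T))  # w = Lagrange weight of y_i in P_{m-1}(1)
    return total == K_s
```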
The security analysis of the present invention is as follows:
i. From the proof above, any k-1 of the N parts cannot generate a valid signature T.
Ii. due to from Tj, j=1 ..., k andMiddle calculating yjDifficulty be equal to and calculate discrete logarithm
Complexity, theoretically attacker cannot be from SjIn obtain yj.Therefore, TjY will not be exposedjAny information.
iii. The threshold group signature method based on ECC of the invention is secure.
Thus, the (k, N) threshold ECC group signature method of the invention is secure.
The present invention is not limited to the above optional embodiments; anyone may derive other products in various forms under the inspiration of the present invention. However, regardless of any change in shape or structure, every technical solution that falls within the scope defined by the claims of the present invention is within the protection scope of the present invention.