ECC-based (m, N) threshold group signature method
Technical Field
The invention belongs to the field of digital signatures, and particularly relates to an (m, N) threshold group signature method based on ECC.
Background
Digital signatures are an important invention of modern cryptography. They are also important tools for ensuring data integrity, implementing network authentication, and developing modern electronic commerce, and in recent years researchers have proposed many special digital signatures. Group signatures, threshold group signatures, non-repudiation group signatures and multiparty signatures are four of these. The group signature scheme was first proposed by Chaum and Heyst [1]. In a group signature scheme, each member may sign on behalf of the entire group. Introducing secret sharing [2] into the group signature scheme forms a threshold group signature scheme [3-8], in which certain given subsets of the group can sign on behalf of the entire group. In non-repudiation group signatures, verification of the signature requires cooperation by the signer. In the multi-party signature scheme, the identity of each signing member is public, and the public key of each member is generally required for signature verification. In the threshold group signature scheme, a threshold group signature is generated by combining, in some manner, the partial digital signatures produced by the individual members participating in the signature. According to how the stored secrets are distributed, the existing threshold group signature schemes can be divided into two types: threshold group signature schemes with a secret distribution center [4,7,8] and threshold group signature schemes with distributed distribution of the stored secrets [5-7]. A good threshold group signature should have the following properties:
(1) group signature characteristics: only members in the group can generate valid partial signatures, and non-group members cannot forge valid partial signatures;
(2) threshold characteristics: a valid threshold group signature can be generated only when the number of signers is not less than the threshold;
(3) anti-spoofing: no group can impersonate another group to generate group signatures;
(4) verification simplicity: the verifier of the signature can conveniently and simply verify whether the signature is valid;
(5) anonymity: the verifier of the signature does not know which members of the group signed;
(6) traceability: when disputes occur afterwards, the identity of the signers can be traced;
(7) robustness: when the number of malicious members is greater than or equal to the threshold, the system secret parameters still cannot be acquired;
(8) system stability: no changes, or only a small number of changes, to system parameters and old member parameters are required when removing offending members or adding new members.
However, almost all existing threshold group signature schemes have disadvantages. Desmedt and Frankel proposed the first threshold group signature scheme based on RSA [4], but [9] found that when the malicious members in [4] number at least the threshold, they can collude to acquire the system secret (the group secret key) with high probability, and can then forge the group signatures of other members without liability. Langford points out in [10] that the key generation protocols in [5], [6] and [7] have problems. For the threshold group signature scheme proposed in [11], [12] describes two attacks on the scheme: an attacker can forge group signatures for other messages based on existing group signatures.
References
1. D. Chaum and E. van Heyst. Group Signatures. In: Davies D W ed. Advances in Cryptology – Eurocrypt '91 proceedings. Berlin: Springer-Verlag, 1992. 257-265.
2. A. Shamir. How to Share a Secret. Communication of ACM, 1979, 22(11): 612-613.
3. Y. Desmedt. Society and Group Oriented Cryptography. In: Pomerance C ed. Advances in Cryptology – Crypto '87 proceedings. Berlin: Springer-Verlag, 1988. 120-127.
4. Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. In: Feigenbaum J ed. Advances in Cryptology – Crypto '91 proceedings. Berlin: Springer-Verlag, 1992. 457-469.
5. L. Harn and S. Yang. Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party. In: Seberry J and Zheng Y eds. Advances in Cryptology – Auscrypt '92 proceedings. Berlin: Springer-Verlag, 1992. 133-142.
6. L. Harn. Group-Oriented (t, n) Threshold Digital Signature Scheme and Multisignature. IEE proceedings, Computers and digital techniques, 1994, 141(5): 307-313.
7. C. Li, T. Hwang and N. Lee. Threshold-Multisignature Schemes Where Suspected Forgery Implies Traceability of Adversarial Shareholders. In: Santis A D ed. Advances in Cryptology – Eurocrypt '94 proceedings. Berlin: Springer-Verlag, 1995. 194-204.
8. Lu Langru and Zhao Renjie. A (t, n) Threshold Group Signature Scheme. In: Pei Ding-yi, Zhao Ren-jee and Zhou Jin-jun eds. Advances in Cryptology – Chinacrypt '96. Beijing: Science Press, 1996. 177-184.
9. C. Li, T. Hwang and N. Lee. Remark on the Threshold RSA Signature Scheme. In: Stinson D R ed. Advances in Cryptology – Crypto '93 proceedings. Berlin: Springer-Verlag, 1993. 413-419.
10. Susan K. Langford. Weakness in Some Threshold Cryptosystems. In: Koblitz N ed. Advances in Cryptology – Crypto '96 proceedings. Berlin: Springer-Verlag, 1996. 74-82.
11. C. T. Wang, C. H. Lin and C. C. Chang. Threshold Signature Schemes with Traceable Signers in Group Communications. Computer Communications, 1998, 21(8): 771-776.
12. Y. M. Tseng, J. K. Jan. Attacks on Threshold Signature Schemes with Traceable Signers. Information Processing Letters, 1999, 71(1): 1-4.
13. Xu Qiu-Liang.
Disclosure of Invention
In order to solve the above problems in the prior art, the present invention is directed to an ECC-based (m, N) threshold group signature method.
The technical scheme adopted by the invention is as follows:
An ECC-based (m, N) threshold group signature method comprises the following steps:
S1, generating secret information $k_s$ according to the elliptic curve and calculating its scalar product with the base point $G$, $K_S = k_s G$; $(k_s, K_S)$ form a key pair, where $k_s$ is the private key and $K_S$ is the public key; the elliptic curve parameters are $p$, $a$, $b$, $n$ and $G$, wherein $p$ is a large prime number or $2^l$, $l$ is an integer, $a$ and $b$ are coefficients, $n$ is the order, and $G$ is the base point;
S2, dividing the secret information $k_s$ into $m$ parts, randomly generating $x_i$ and calculating $y_i$ from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$;
S3, when any $m$ of the $N$ members possessing private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution.
The ECC algorithm is based on the discrete logarithm problem: given an integer $z$ and a point $Q$ on an elliptic curve, calculating $Q_z = zQ$ is easy, but conversely, given $Q_z$ and $Q$, solving for $z$ is not feasible.
Specifically, in step S1, the first type of curve equation of the elliptic curve is:
$y^2 = x^3 + ax + b$
wherein $a$ and $b$ are coefficients, and the elliptic curve is applicable to the GF($p$) field; since $p$ is a large prime number, the modulo value of $p$ in the generation process of the group verification public key and the signature private key is 0, 1, 2, 3, 4, 5 and 6.
Alternatively, in step S1, the second type of curve equation of the elliptic curve is:
$y^2 + xy = x^3 + ax + b$
wherein $a$ and $b$ are coefficients, and the elliptic curve is applicable to the GF($2^l$) field; the generation process of the group verification public key and the signature private key below is the same as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that the modulo operation is performed with $2^m$ and the modulo value is 0, 1, …, 31.
Any $m$ or more ($m < N$) parts can generate a valid group signature that passes verification with the group public key; the group public key is a point on the elliptic curve, denoted $K_S$.
When the first type of curve equation is used, the specific method of calculating $x_i$ and $y_i$ in step S2 comprises the following steps:
S21, securely and randomly generating secret information $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
S22, dividing $k_s$ into $m$ parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where $p$ is a large prime number and $\bmod\ p$ is the modulo operation on $p$, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
S23, selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
S24, publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret and distributing $y_i$, $i \in \{1, \dots, N\}$, to the $N$ members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
When the second type of curve equation is used, the specific method of calculating $x_i$ and $y_i$ in step S2 comprises the following steps:
S21, securely and randomly generating secret information $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
S22, dividing $k_s$ into $m$ parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where $l$ is an integer and $\bmod\ 2^l$ is the modulo operation on $2^l$, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
S23, selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
S24, publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret and distributing $y_i$, $i \in \{1, \dots, N\}$, to the $N$ members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
Further, in step S3, the specific signature method is as follows:
for a message text, each organization that approves the content, say the $i$-th, holding the corresponding private signature key $y_i$, performs the following operations:
S31, calculating the hash value of the message text, $h = \mathrm{hash}(\mathrm{text})$;
S32, generating a random number $k_i$ and calculating $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and letting $c_i = x_{R,i}$;
S33, calculating
Wherein,
for inverse element calculation, $c_i y_i$ is a large integer, and $s_i$ is a large integer;
S34, obtaining $(\mathrm{text}, s_i, R_i)$, i.e. the signature value of the member, and publishing it.
Still further, the threshold group signature method further comprises a verification step.
The verifying step includes:
S41, if the number of member signature values $(\mathrm{text}, s_i, R_i)$ is less than $m$, returning failure; if the number exceeds $m$, selecting $m$ of them to carry out the verification calculation.
Still further, the verifying step further comprises:
S42, assuming that the selected members correspond to $x_1, x_2, \dots, x_m$ with the corresponding secrets $y_1, y_2, \dots, y_m$, then:
the matrix
and its adjoint matrix
satisfy $XX^* = \det(X) I$, where $I$ is the identity matrix and $\det(X)$ is the value of the determinant;
S43, for each group $(\mathrm{text}, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculating the point $T_j$ on the elliptic curve:
S46, if
the verification passes.
The invention has the beneficial effects that:
The invention overcomes the defects of traditional group signatures: any $m$ of the $N$ secrets can generate a valid group signature, but $m-1$ secrets cannot. The ECC-based (m, N) threshold group signature method is safe, the private signature key is not exposed, and the signature can be verified without a trusted third party (TC).
Detailed Description
The invention will be further illustrated with reference to specific examples.
Example:
the mathematical basis of the invention is as follows:
the adjoint matrix:
is referred to as the n-order Vandermonde determinant, whose determinant value is:
obviously, if the $x_i$ are different from each other, then $D_n \neq 0$. Its corresponding matrix:
has the adjoint matrix $X^*$:
such that $XX^* = \det(X) I$, where $I$ is the identity matrix.
The (m, N) threshold group signature method based on ECC of the present embodiment includes the following steps:
In the first step, secret information $k_s$ is generated securely and randomly according to an elliptic curve of the first type of curve equation, formula (1), and its scalar product with the base point $G$ is calculated, $K_S = k_s G$; $(k_s, K_S)$ form a key pair, where $k_s$ is the private key and $K_S$ is the public key; the elliptic curve parameters are $p$, $a$, $b$, $n$ and $G$, wherein $p$ is a large prime number or $2^l$, $l$ is an integer, $a$ and $b$ are coefficients, $n$ is the order, and $G$ is the base point:
$y^2 = x^3 + ax + b$ (1)
wherein $a$ and $b$ are coefficients, and the elliptic curve is applicable to the GF($p$) field; since $p$ is a large prime number, the modulo value of $p$ in the generation process of the group verification public key and the signature private key is 0, 1, 2, 3, 4, 5, 6.
The elliptic curve may also be a curve equation of the second kind:
$y^2 + xy = x^3 + ax + b$
wherein $a$ and $b$ are coefficients, and the elliptic curve is applicable to the GF($2^l$) field; the generation process of the group verification public key and the signature private key below is the same as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that the modulo operation is performed with $2^m$ and the modulo value is 0, 1, …, 31.
The meaning of the key pair is: a signature made with the private key can be successfully verified with the public key.
The ECC algorithm is based on the discrete logarithm problem: given an integer $z$ and a point $Q$ on an elliptic curve, calculating $Q_z = zQ$ is easy, but conversely, given $Q_z$ and $Q$, solving for $z$ is not feasible.
Secondly, under the ECC system, the secret information $k_s$ is divided into $m$ parts, $x_i$ is randomly generated and $y_i$ is calculated from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$. Any $m$ or more ($m < N$) parts can generate a valid group signature that passes verification with the group public key; the group public key is a point on the elliptic curve, denoted $K_S$. The specific calculation method of the group public key and the signature private keys is as follows:
selecting a secret $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
when the first type of curve equation is adopted, $k_s$ is divided into $m$ parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where $p$ is a large prime number and $\bmod\ p$ is the modulo operation on $p$, and over the ring $Z_p$ the polynomial $P_{m-1}(x)$ is formed:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$ (2)
Selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
When the second type of curve equation is adopted, $k_s$ is divided into $m$ parts $a_0, a_1, \dots, a_{m-1}$ satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where $l$ is an integer and $\bmod\ 2^l$ is the modulo operation on $2^l$, and over the ring $Z_p$ the polynomial $P_{m-1}(x)$ is formed:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$;
Selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
Publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures; keeping $y_1, y_2, \dots, y_N$ secret and distributing $y_i$, $i \in \{1, \dots, N\}$, to the $N$ members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
Thirdly, when any $m$ of the $N$ members possessing private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution.
The specific signature method comprises the following steps:
for a message text, each organization that approves the content, say the $i$-th, holding the corresponding private signature key $y_i$, performs the following operations:
firstly, $h = \mathrm{hash}(\mathrm{text})$, the hash value of text, is calculated;
then, a random number $k_i$ is generated and $R_i = k_i G = (x_{R,i}, y_{R,i})$ is calculated, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and $c_i = x_{R,i}$;
Then, calculate
Wherein,
for inverse element calculation, $c_i y_i$ is a large integer, and $s_i$ is a large integer;
finally, $(\mathrm{text}, s_i, R_i)$, i.e. the signature value of the member, is published.
The ECC-based (m, N) threshold group signature method further comprises a verification step.
If the number of $(\mathrm{text}, s_i, R_i)$ groups is less than $m$, failure is returned; if the number exceeds $m$, $m$ of them are selected for the verification calculation. Without loss of generality, assume that the selected members correspond to $x_1, x_2, \dots, x_m$ with the corresponding secrets $y_1, y_2, \dots, y_m$.
The matrix
and its adjoint matrix
satisfy $XX^* = \det(X) I$, where $I$ is the identity matrix and $\det(X)$ is the determinant value.
The verification process is as follows:
first, for each group $(\mathrm{text}, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, the point $T_j$ on the elliptic curve is calculated as in formula (3);
If
the verification passes.
The invention is proved as follows:
The symbols and letters have the same meanings as above. Since $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, m$, let $Y = (y_1, y_2, \dots, y_m)$, which gives formula (4):
$AX = Y \bmod p$ (4)
Let $X^*$ be the adjoint matrix over the integers; then $X^*$ satisfies $XX^* = \det(X) I$. Let:
here, the
Then, formula (6):
$\det(X) A = Y X^*$ over $Z$ (6)
where "over $Z$" means that the equation holds over the integers, so:
similarly, the above formula holds in the field GF($p$), i.e., formula (7):
by
we obtain $s_i k_i = (h + c_i y_i)$; multiplying both sides by $G$ gives $s_i k_i G = (hG + y_i \cdot c_i G)$, namely:
$s_i R_i = hG + y_i \cdot c_i G$
can obtain the product
Both sides are multiplied simultaneously
And formula (8) from formula (3):
equation (8) sums i on both sides, T on the right and T on the left:
thus, if
The verification passes.
The security analysis of the present invention is as follows:
i. From the above proof process, it is known that any $k-1$ parts of the $N$ do not yield a valid signature $T$.
Given $T_j$, $j = 1, \dots, k$ and
calculating $y_j$ is equivalent in complexity to calculating discrete logarithms, so theoretically an attacker cannot obtain $y_j$ from $s_j$. Thus, $T_j$ does not expose any of $y_j$.
The ECC-based threshold group signature method of the present invention is secure.
Thus, the (k, N) threshold ECC group signature method of the present invention is secure.
The invention is not limited to the above alternative embodiments, and any other various forms of products can be obtained by anyone in the light of the present invention, but any changes in shape or structure thereof, which fall within the scope of the present invention as defined in the claims, fall within the scope of the present invention.