CN109150545B - ECC-based (m, N) threshold group signature method - Google Patents

Publication number
CN109150545B
Authority
CN
China
Prior art keywords
signature
group
calculating
key
elliptic curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811015313.9A
Other languages
Chinese (zh)
Other versions
CN109150545A (en)
Inventor
尚小朋
田文春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong urban construction vocational college
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves


Abstract

The invention discloses an ECC-based (m, N) threshold group signature method, which comprises the following steps: S1, generating secret information $k_s$ according to the elliptic curve and calculating its scalar product with the base point G, $K_S = k_s G$; $(k_s, K_S)$ forms a key pair, where $k_s$ is the private key and $K_S$ is the public key, and the elliptic curve parameters are p, a, b, n and G, wherein p is a large prime number or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point; S2, dividing the secret information $k_s$ into m parts, randomly generating $x_i$ and calculating $y_i$ from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$; S3, when any m of the N members holding private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution. The invention has high security, the signature private key is not exposed, and verification can be carried out without a third party (TC).

Description

ECC-based (m, N) threshold group signature method
Technical Field
The invention belongs to the field of digital signatures, and particularly relates to an (m, N) threshold group signature method based on ECC.
Background
Digital signatures are an important invention of modern cryptography. They are also important tools for ensuring data integrity, implementing network authentication, and developing modern electronic commerce, and in recent years researchers have proposed many special digital signatures. Group signatures, threshold group signatures, non-repudiation group signatures and multiparty signatures are four of these. The group signature scheme was first proposed by Chaum and Heyst [1]. In a group signature scheme, each member may sign on behalf of the entire group. Introducing secret sharing [2] into the group signature scheme forms a threshold group signature scheme [3-8], such that some given subset of the group can sign on behalf of the entire group. In non-repudiation group signatures, verification of the signature requires cooperation by the signer. In the multi-party signature scheme, the identity of each signing member is public, and the public key of each member is generally required for signature verification. In the threshold group signature scheme, a threshold group signature is generated by combining, in some manner, the partial digital signatures produced by the individual members participating in the signature. According to how the stored secrets are distributed, existing threshold group signature schemes can be divided into two types: threshold group signature schemes with a secret distribution center [4,7,8] and threshold group signature schemes with distributed distribution of stored secrets [5-7]. A good threshold group signature should have the following properties:
(1) group signature characteristics: only members in the group can generate valid partial signatures, and non-group members cannot forge valid partial signatures;
(2) threshold characteristics: a valid threshold group signature can be generated only when the number of signers is not less than the threshold;
(3) anti-spoofing: no group can impersonate another group to generate group signatures;
(4) verification simplicity: the verifier of the signature can conveniently and simply verify whether the signature is valid;
(5) anonymity: the verifier of the signature does not know which members of the group signed;
(6) traceability: when disputes occur afterwards, the identity of the signer can be traced;
(7) robustness: when the number of malicious members is greater than or equal to the threshold, the system secret parameters still cannot be acquired;
(8) system stability: no changes, or only a small number of changes, to system parameters and old member parameters are required when removing offending members or adding new members.
However, almost all existing threshold group signature schemes have shortcomings. Desmedt and Frankel first proposed a threshold group signature scheme [4] based on RSA, but [9] found that when the number of malicious members in [4] is greater than or equal to the threshold, the malicious members can, by collusion, acquire the system secret (group secret key) with high probability, and can further forge the group signatures of other members without liability. Langford points out in [10] that the key generation protocols in [5], [6] and [7] have problems. For the threshold group signature scheme proposed in [11], [12] describes two attacks on the scheme: an attacker can forge group signatures for other messages based on existing group signatures.
References
1. D. Chaum and E. van Heyst. Group Signatures. In: Davies D W ed. Advances in Cryptology – Eurocrypt '91 proceedings. Berlin: Springer-Verlag, 1992. 257-265.
2. A. Shamir. How to Share a Secret. Communication of ACM, 1979, 22(11): 612-613.
3. Y. Desmedt. Society and Group Oriented Cryptography. In: Pomerance C ed. Advances in Cryptology – Crypto '87 proceedings. Berlin: Springer-Verlag, 1988. 120-127.
4. Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. In: Feigenbaum J ed. Advances in Cryptology – Crypto '91 proceedings. Berlin: Springer-Verlag, 1992. 457-469.
5. L. Harn and S. Yang. Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party. In: Seberry J and Zheng Y eds. Advances in Cryptology – Auscrypt '92 proceedings. Berlin: Springer-Verlag, 1992. 133-142.
6. L. Harn. Group-Oriented (t, n) Threshold Digital Signature Scheme and Multisignature. IEE proceedings, Computers and digital techniques, 1994, 141(5): 307-313.
7. C. Li, T. Hwang and N. Lee. Threshold-Multisignature Schemes Where Suspected Forgery Implies Traceability of Adversarial Shareholders. In: Santis A D ed. Advances in Cryptology – Eurocrypt '94 proceedings. Berlin: Springer-Verlag, 1995. 194-204.
8. Lu Langru and Zhao Renjie. A (t, n) Threshold Group Signature Scheme. In: Pei Ding-yi, Zhao Ren-jee and Zhou Jin-jun eds. Advances in Cryptology – Chinacrypt '96. Beijing: Science Press, 1996. 177-184. (Lu Langru and Zhao Renjie. A (t, n) Threshold Group Signature scheme, Miniangyu, Renzejie, Wenjunjun eds. Cryptology-Chinacrypt' 96. Beijing: scientific publication, 1996. 177-184.)
9. C. Li, T. Hwang and N. Lee. Remark on the Threshold RSA Signature Scheme. In: Stinson D R ed. Advances in Cryptology – Crypto '93 proceedings. Berlin: Springer-Verlag, 1993. 413-419.
10. Susan K. Langford. Weakness in Some Threshold Cryptosystems. In: Koblitz N ed. Advances in Cryptology – Crypto '96 proceedings. Berlin: Springer-Verlag, 1996. 74-82.
11. C. T. Wang, C. H. Lin and C. C. Chang. Threshold Signature Schemes with Traceable Signers in Group Communications. Computer Communications, 1998, 21(8): 771-776.
12. Y. M. Tseng, J. K. Jan. Attacks on Threshold Signature Schemes with Traceable Signers. Information Processing Letters, 1999, 71(1): 1-4.
13. Xu Qiu-Liang.
Disclosure of Invention
In order to solve the above problems in the prior art, the present invention is directed to an ECC-based (m, N) threshold group signature method.
The technical scheme adopted by the invention is as follows:
An ECC-based (m, N) threshold group signature method comprises the following steps:
S1, generating secret information $k_s$ according to the elliptic curve and calculating its scalar product with the base point G, $K_S = k_s G$; $(k_s, K_S)$ forms a key pair, where $k_s$ is the private key and $K_S$ is the public key, and the elliptic curve parameters are p, a, b, n and G, wherein p is a large prime number or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point;
S2, dividing the secret information $k_s$ into m parts, randomly generating $x_i$ and calculating $y_i$ from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$;
S3, when any m of the N members holding private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution.
The ECC algorithm is based on the discrete logarithm problem: given an integer z and a point Q on an elliptic curve, computing $Q_z = zQ$ is easy, but conversely, given $Q_z$ and Q, solving for z is not feasible.
Specifically, in step S1, the first type of curve equation of the elliptic curve is:
$y^2 = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is over the field GF(p); since p is a large prime number, the modulo value of p in the generation process of the group verification public key and the signature private key is 0, 1, 2, 3, 4, 5 and 6.
Alternatively, in step S1, the second type of curve equation of the elliptic curve is:
$y^2 + xy = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is over the field $GF(2^l)$; the generation process of the group verification public key and the signature private key below is the same as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that $2^m$ is used as the modulus in the calculation and the modulo value is 0, 1, …, 31.
Any m or more parts (m < N) can generate a valid group signature that passes verification with the group public key; the group public key is a point on the elliptic curve, denoted $K_S$.
When the first type of curve equation is used, the specific calculation method of $x_i$ and $y_i$ in step S2 is as follows:
S21, securely and randomly generating secret information $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
S22, dividing $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where p is a large prime number and mod(p) is the modulo operation with respect to p, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$
S23, selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
S24, publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret: the $y_i$, $i \in \{1, \dots, N\}$, are distributed to the N members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
When the second type of curve equation is used, the specific calculation method of $x_i$ and $y_i$ in step S2 is as follows:
S21, securely and randomly generating secret information $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
S22, dividing $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where l is an integer and $\bmod(2^l)$ is the modulo operation with respect to $2^l$, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$
S23, selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
S24, publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret: the $y_i$, $i \in \{1, \dots, N\}$, are distributed to the N members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
Further, in step S3, the specific signature method is as follows:
For a message text, each organization that approves the content, assumed to be the i-th with corresponding private signature key $y_i$, performs the following operations:
S31, calculating the hash value of the message text, h = hash(text);
S32, generating a random number $k_i$ and calculating $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and letting $c_i = x_{R,i}$;
S33, calculating
Figure BDA0001785971010000061
Wherein,
Figure BDA0001785971010000062
denotes the inverse element calculation, $c_i y_i$ is a large integer, and $s_i$ is a large integer;
S34, obtaining $(text, s_i, R_i)$, i.e. the signature value of the member, and publishing it.
Still further, the threshold group signature method further comprises a verification step.
The verifying step includes:
S41, if the number of member signature values $(text, s_i, R_i)$ is less than m, returning failure; if the number exceeds m, selecting m of them for the verification calculation.
Still further, the verifying step further comprises:
S42, assuming that the selected members correspond to $x_1, x_2, \dots, x_m$ with the corresponding secrets $y_1, y_2, \dots, y_m$, then:
the matrix
Figure BDA0001785971010000071
and its adjoint matrix
Figure BDA0001785971010000072
satisfy $XX^* = \det(X) I$, where I is the identity matrix and $\det(\cdot)$ is the value of the determinant;
S43, for each group $(text, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculating the point $T_j$ on the elliptic curve:
Figure BDA0001785971010000073
S44, calculating
Figure BDA0001785971010000074
S45, calculating
Figure BDA0001785971010000075
S46, if
Figure BDA0001785971010000076
The verification passes.
The invention has the beneficial effects that:
The invention overcomes the defects of the traditional group signature: any m of the N secrets can generate a valid group signature, but m-1 secrets cannot. The ECC-based (m, N) threshold group signature method is secure, the private signature key is not exposed, and the signature can be verified without a trusted third party (TC).
Detailed Description
The invention will be further illustrated with reference to specific examples.
Example:
The mathematical basis of the invention is as follows.
The determinant:
Figure BDA0001785971010000081
is referred to as the n-th order Vandermonde determinant, whose value is:
Figure BDA0001785971010000082
Obviously, if the $x_i$ are pairwise distinct, then $D_n \neq 0$. Its corresponding matrix:
Figure BDA0001785971010000083
has an adjoint matrix $X^*$:
Figure BDA0001785971010000084
such that $XX^* = \det(X) I$, where I is the identity matrix.
The (m, N) threshold group signature method based on ECC of the present embodiment includes the following steps:
First step: according to an elliptic curve with the first type of curve equation, formula (1), securely and randomly generate secret information $k_s$ and calculate its scalar product with the base point G, $K_S = k_s G$; $(k_s, K_S)$ forms a key pair, where $k_s$ is the private key and $K_S$ is the public key, and the elliptic curve parameters are p, a, b, n and G, wherein p is a large prime number or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point:
$y^2 = x^3 + ax + b$ (1)
where a and b are coefficients and the elliptic curve is over the field GF(p); since p is a large prime number, the modulo value of p in the generation process of the group verification public key and the signature private key is 0, 1, 2, 3, 4, 5, 6.
The elliptic curve may also use the second type of curve equation:
$y^2 + xy = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is over the field $GF(2^l)$; the generation process of the group verification public key and the signature private key below is the same as for the elliptic curve with equation $y^2 = x^3 + ax + b$, except that $2^m$ is used as the modulus in the calculation and the modulo value is 0, 1, …, 31.
The meaning of the key pair is: a signature made with the private key can be successfully verified with the public key.
The ECC algorithm is based on the discrete logarithm problem: given an integer z and a point Q on an elliptic curve, computing $Q_z = zQ$ is easy, but conversely, given $Q_z$ and Q, solving for z is not feasible.
Second step: under the ECC system, the secret information $k_s$ is divided into m parts, $x_i$ is randomly generated and $y_i$ is calculated from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$. Any m or more parts (m < N) can generate a valid group signature that passes verification with the group public key; the group public key is a point on the elliptic curve, denoted $K_S$. The specific calculation method of the group public key and the signature private keys is as follows:
Select a secret $k_s$ and calculate $K_S = k_s G$ as part of the group public key.
When the first type of curve equation is adopted, $k_s$ is divided into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where p is a large prime number and mod(p) is the modulo operation with respect to p, and the polynomial $P_{m-1}(x)$ is formed over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$ (2)
Select $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$.
When the second type of curve equation is adopted, $k_s$ is divided into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where l is an integer and $\bmod(2^l)$ is the modulo operation with respect to $2^l$, and the polynomial $P_{m-1}(x)$ is formed over the ring $Z_p$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$
Select $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculate $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$.
Publish $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures, and keep $y_1, y_2, \dots, y_N$ secret: the $y_i$, $i \in \{1, \dots, N\}$, are distributed to the N members through secret channels as private signature keys, so that each member holds one private signature key $y_i$.
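Added example, not part of the patent text: the share generation of this step (first type of curve equation, arithmetic mod p) and the adjoint-matrix relation from the mathematical basis, carried out in Python. The modulus P, the sample x values and all function names are constructed for illustration; the check rejecting x_i = 1 is an assumption of this example that follows from k_s = a_0 + … + a_{m-1} = P_{m-1}(1).

```python
# Added example (not the patent's code): share generation over Z_p and
# coefficient recovery with the adjugate identity det(X)*A = Y*X^* (mod p).
import secrets
from itertools import combinations

P = 2**127 - 1  # constructed toy prime modulus standing in for the curve's p


def minor(M, r, c):
    """M with row r and column c removed."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(M) if i != r]


def det(M):
    """Integer determinant by Laplace expansion (adequate for small m)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** c * M[0][c] * det(minor(M, 0, c)) for c in range(len(M)))


def adjugate(M):
    """X^* over the integers, so that X X^* = det(X) I."""
    n = len(M)
    if n == 1:
        return [[1]]
    return [[(-1) ** (i + j) * det(minor(M, j, i)) for j in range(n)]
            for i in range(n)]


def vandermonde(xs):
    """X with X[r][c] = xs[c]**r, so the row vector A times X gives Y."""
    return [[x ** r for x in xs] for r in range(len(xs))]


def eval_poly(coeffs, x, p=P):
    """P_{m-1}(x) = a_0 + a_1 x + ... + a_{m-1} x^(m-1) mod p."""
    return sum(a * pow(x, r, p) for r, a in enumerate(coeffs)) % p


def split_secret(k_s, m, xs, p=P):
    """Pick a_0..a_{m-1} summing to k_s (mod p); return (coeffs, {x_i: y_i})."""
    residues = [x % p for x in xs]
    if len(set(residues)) != len(xs):
        raise ValueError("x_i must be pairwise distinct mod p")
    if 1 in residues:
        # k_s = a_0 + ... + a_{m-1} = P_{m-1}(1): x_i = 1 would hand out k_s.
        raise ValueError("x_i = 1 makes y_i equal to k_s")
    coeffs = [secrets.randbelow(p) for _ in range(m - 1)]
    coeffs.append((k_s - sum(coeffs)) % p)
    return coeffs, {x: eval_poly(coeffs, x, p) for x in xs}


def solve_coefficients(points, p=P):
    """Recover A from m pairs (x_j, y_j) via A = det(X)^-1 * (Y X^*) mod p."""
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    X = vandermonde(xs)
    d = det(X) % p
    if d == 0:
        raise ValueError("x_j not distinct mod p: det(X) = 0")
    X_adj = adjugate(X)
    m = len(points)
    y_adj = [sum(ys[j] * X_adj[j][i] for j in range(m)) % p for i in range(m)]
    d_inv = pow(d, -1, p)
    return [(v * d_inv) % p for v in y_adj]


def recover_secret(points, p=P):
    """k_s is the sum of the recovered coefficients, as in the splitting rule."""
    return sum(solve_coefficients(points, p)) % p


def demo(m=3, xs=(2, 3, 5, 7, 11)):
    k_s = secrets.randbelow(P)
    _, shares = split_secret(k_s, m, xs)
    every_m_subset_recovers = all(
        recover_secret([(x, shares[x]) for x in subset]) == k_s
        for subset in combinations(xs, m))
    # m-1 shares: for an arbitrary other candidate k', a polynomial with
    # P(1) = k' still passes through the known shares, so they do not fix k_s.
    known = [(x, shares[x]) for x in xs[:m - 1]]
    candidate = (k_s + 1) % P
    alt = solve_coefficients(known + [(1, candidate)])
    candidate_fits = (sum(alt) % P == candidate
                      and all(eval_poly(alt, x) == y for x, y in known))
    return every_m_subset_recovers, candidate_fits


if __name__ == "__main__":
    print(demo())
```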
Third step: when any m of the N members holding private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution.
The specific signature method comprises the following steps:
For a message text, each organization that approves the content, assumed to be the i-th with corresponding private signature key $y_i$, performs the following operations:
First, calculate h = hash(text), the hash value of text;
then, generate a random number $k_i$ and calculate $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and let $c_i = x_{R,i}$;
Then, calculate
Figure BDA0001785971010000101
Wherein,
Figure BDA0001785971010000102
denotes the inverse element calculation, $c_i y_i$ is a large integer, and $s_i$ is a large integer;
finally, $(text, s_i, R_i)$, i.e. the signature value of the member, is published.
The ECC-based (m, N) threshold group signature method further comprises a verification step.
If the number of groups $(text, s_i, R_i)$ is less than m, return failure; if the number exceeds m, select m of them for the verification calculation. Without loss of generality, assume that the selected members correspond to $x_1, x_2, \dots, x_m$ with the corresponding secrets $y_1, y_2, \dots, y_m$.
The matrix
Figure BDA0001785971010000111
and its adjoint matrix
Figure BDA0001785971010000112
satisfy $XX^* = \det(X) I$, where I is the identity matrix and $\det(\cdot)$ is the determinant value.
The verification process is as follows:
First, for each group $(text, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculate the point $T_j$ on the elliptic curve as in formula (3);
Figure BDA0001785971010000113
then, calculate
Figure BDA0001785971010000115
Then, calculate
Figure BDA0001785971010000116
If it is
Figure BDA0001785971010000117
The verification passes.
The proof of the invention is as follows:
The symbols and letters have the same meanings as above. Since $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, m$, let $Y = (y_1, y_2, \dots, y_m)$, which gives formula (4):
$AX = Y \bmod p$ (4)
Let $X^*$ be the adjoint matrix over the integers; then $X^*$ satisfies $XX^* = \det(X) I$. Let:
Figure BDA0001785971010000114
here, the
Figure BDA0001785971010000118
Then, formula (6):
$\det(X) A = Y X^*$ over Z (6)
where "over Z" means that the equation holds over the integers, so:
Figure BDA0001785971010000121
Similarly, the above formula holds in the field GF(p), i.e. formula (7):
Figure BDA0001785971010000122
From
Figure BDA0001785971010000123
we obtain $s_i k_i = (h + c_i y_i)$; multiplying both sides by G at the same time gives $s_i k_i G = (hG + y_i \cdot c_i G)$, namely:
$s_i R_i = hG + y_i \cdot c_i G$
which gives
Figure BDA0001785971010000124
Multiplying both sides simultaneously by
Figure BDA0001785971010000125
and using formula (3) gives formula (8):
Figure BDA0001785971010000126
Summing formula (8) over i on both sides, T on the right and T on the left:
Figure BDA0001785971010000127
thus, if
Figure BDA0001785971010000128
The verification passes.
The safety analysis of the present invention was as follows:
i. From the above proof process, it is known that any k-1 parts in N do not yield a valid signature T.
ii. Due to $T_j$, $j = 1, \dots, k$ and
Figure BDA0001785971010000129
computing $y_j$ is equivalent in complexity to computing discrete logarithms, so in theory an attacker cannot obtain $y_j$ from $s_j$. Thus, $T_j$ does not expose any information about $y_j$.
The ECC-based threshold group signature method of the present invention is secure.
Thus, the (k, N) threshold ECC group signature method of the present invention is secure.
The invention is not limited to the above alternative embodiments, and any other various forms of products can be obtained by anyone in the light of the present invention, but any changes in shape or structure thereof, which fall within the scope of the present invention as defined in the claims, fall within the scope of the present invention.

Claims (4)

1. An ECC-based (m, N) threshold group signature method, characterized in that it comprises the following steps:
S1, generating secret information $k_s$ according to the elliptic curve and calculating its scalar product with the base point G, $K_S = k_s G$; $(k_s, K_S)$ forms a key pair, where $k_s$ is the private key and $K_S$ is the public key, and the elliptic curve parameters are p, a, b, n and G, wherein p is a large prime number or $2^l$, l is an integer, a and b are coefficients, n is the order, and G is the base point;
S2, dividing the secret information $k_s$ into m parts, randomly generating $x_i$ and calculating $y_i$ from $x_i$, where $x_i$ is part of the group verification public key and $y_i$ is a user's signature private key, $i \in \{1, \dots, N\}$;
S3, when any m of the N members holding private keys $y_i$ agree, the (m, N) threshold group signature can be realized through execution;
in step S1, the equation of the elliptic curve is:
$y^2 = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is over the field GF(p);
in step S2, the specific calculation method of $x_i$ and $y_i$ is as follows:
securely and randomly generating a secret $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
dividing $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod p$, where p is a large prime number and mod(p) is the modulo operation with respect to p, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$
selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod p$, $i = 1, \dots, N$;
publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret: the $y_i$, $i \in \{1, \dots, N\}$, are distributed to the N members through secret channels as private signature keys, so that each member holds one private signature key $y_i$;
alternatively, in step S1, the equation of the elliptic curve is:
$y^2 + xy = x^3 + ax + b$
where a and b are coefficients and the elliptic curve is over the field $GF(2^l)$;
in step S2, the specific calculation method of $x_i$ and $y_i$ is as follows:
securely and randomly generating a secret $k_s$ and calculating $K_S = k_s G$ as part of the group public key;
dividing $k_s$ into m parts $a_0, a_1, \dots, a_{m-1}$, i.e. satisfying $k_s = a_0 + a_1 + \dots + a_{m-1} \bmod 2^l$, where l is an integer and $\bmod(2^l)$ is the modulo operation with respect to $2^l$, and forming over the ring $Z_p$ the polynomial $P_{m-1}(x)$:
$P_{m-1}(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$
selecting $x_1, x_2, \dots, x_N$ such that $x_i = x_j$ if and only if $i = j$, $i, j \in \{1, \dots, N\}$, and calculating $y_i = P_{m-1}(x_i) \bmod 2^l$, $i = 1, \dots, N$;
publishing $x_1, x_2, \dots, x_N$, i.e. $x_i$, $i \in \{1, \dots, N\}$, as system parameters for verifying group signatures;
keeping $y_1, y_2, \dots, y_N$ secret: the $y_i$, $i \in \{1, \dots, N\}$, are distributed to the N members through secret channels as private signature keys, so that each member holds one private signature key $y_i$;
where the ring $Z_p$ denotes the set {0, 1, 2, …, p-1};
in step S3, the specific signature method is as follows:
for a message text, each organization that approves the content, assumed to be the i-th with corresponding private signature key $y_i$, performs the following operations:
S31, calculating the hash value of the message text, h = hash(text);
S32, generating a random number $k_i$ and calculating $R_i = k_i G = (x_{R,i}, y_{R,i})$, where $x_{R,i}$ and $y_{R,i}$ are the X-axis and Y-axis coordinates respectively, and letting $c_i = x_{R,i}$;
S33, calculating
Figure FDA0003124942220000034
Wherein,
Figure FDA0003124942220000035
denotes the inverse element calculation, $c_i y_i$ is a large integer, and $s_i$ is a large integer;
S34, obtaining $(text, s_i, R_i)$, i.e. the signature value of the member, and publishing it.
2. The ECC-based (m, N) threshold group signature method of claim 1, wherein: the threshold group signature method further comprises a verification step.
3. The ECC-based (m, N) threshold group signature method of claim 2, wherein: the verifying step includes:
S41, if the number of member signature values $(text, s_i, R_i)$ is less than m, returning failure; if the number exceeds m, selecting m of them for the verification calculation.
4. An ECC-based (m, N) threshold group signature method as claimed in claim 3, wherein: the step of verifying further comprises:
S42, assuming that the selected members correspond to $x_1, x_2, \dots, x_m$ with the corresponding secrets $y_1, y_2, \dots, y_m$, then:
the matrix
Figure FDA0003124942220000031
and its adjoint matrix
Figure FDA0003124942220000032
satisfy $XX^* = \det(X) I$, where I is the identity matrix and $\det(\cdot)$ is the value of the determinant;
S43, for each group $(text, c_j, s_j, R_j)$, where $c_j = x_{R,j}$ is the X coordinate of the point $R_j$, calculating the point $T_j$ on the elliptic curve:
Figure FDA0003124942220000033
S44, calculating
Figure FDA0003124942220000041
S45, calculating
Figure FDA0003124942220000042
S46, if
Figure FDA0003124942220000043
The verification passes.
CN201811015313.9A 2018-08-31 2018-08-31 ECC-based (m, N) threshold group signature method Active CN109150545B (en)

Publications (2)

Publication Number Publication Date
CN109150545A CN109150545A (en) 2019-01-04
CN109150545B true CN109150545B (en) 2021-10-08

Family

ID=64826034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811015313.9A Active CN109150545B (en) 2018-08-31 2018-08-31 ECC-based (m, N) threshold group signature method

Country Status (1)

Country Link
CN (1) CN109150545B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101192928A (en) * 2006-12-01 2008-06-04 华为技术有限公司 Mobile ad hoc authentication method, network and system
CN101702806A (en) * 2009-07-24 2010-05-05 华中科技大学 Method for realizing wireless network anonymous access authentication system
CN103209413A (en) * 2013-01-29 2013-07-17 无锡南理工科技发展有限公司 Threshold tracking Ad Hoc network anonymous authentication method free of trusted center

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079412B (en) * 2014-07-08 2018-01-02 中国能源建设集团甘肃省电力设计院有限公司 The threshold proxy signature method without credible PKG based on intelligent grid identity security
WO2018094299A2 (en) * 2016-11-19 2018-05-24 Dominic Williams System architecture and method of processing data therein

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
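"An Elliptic Curve Threshold Group Signature Scheme"; Ahmed Kamal; Hisham Dahshan; International Conference on Aerospace Sciences and Aviation Technology; 20130528; full text *
"Threshold Group Signature Scheme with Privilege Subjects Based on ECC"; Xueming Wang; Yurong Dong; 2010 International Conference on Communications and Intelligence Information Security; 20101111; full text *
"Research on Threshold Signcryption Based on Elliptic Curve Cryptosystems"; 成凤舞; China Master's Theses Full-text Database, Information Science and Technology; 20100415; thesis p. 27, Section 3.3 to p. 39, Section 4.5 *
"Research on (t,n) Threshold Group Signature Schemes without a Trusted Center"; 李海峰; China Master's Theses Full-text Database, Information Science and Technology; 20080715; full text *
"Research on Applications of Elliptic Curve Cryptosystems"; 刘东; China Master's Theses Full-text Database, Information Science and Technology; 20071115; thesis pp. 39-40, Section 2.3 *
刘雁孝. "Research on (k,n) Threshold Key Sharing Techniques". China Doctoral Dissertations Full-text Database, Information Science and Technology. 2014 *
成凤舞. "Research on Threshold Signcryption Based on Elliptic Curve Cryptosystems". China Master's Theses Full-text Database, Information Science and Technology. 2010 *
王贵林; 卿斯汉. "Weaknesses of Several Threshold Group Signature Schemes". Journal of Software. 2000 *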

Also Published As

Publication number Publication date
CN109150545A (en) 2019-01-04

Similar Documents

Publication Publication Date Title
CN108173639B (en) Two-party cooperative signature method based on SM9 signature algorithm
CN107707358B (en) EC-KCDSA digital signature generation method and system
Mandt et al. Certificateless authenticated two-party key agreement protocols
CN107733648B (en) Identity-based RSA digital signature generation method and system
CN108667625B (en) Digital signature method of cooperative SM2
CN110138567B (en) ECDSA (electronic signature system) based collaborative signature method
Nose Security weaknesses of authenticated key agreement protocols
US20150006900A1 (en) Signature protocol
Islam et al. Certificateless strong designated verifier multisignature scheme using bilinear pairings
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
Jie et al. A SM2 elliptic curve threshold signature scheme without a trusted center
CN111756537B (en) Two-party cooperative decryption method, system and storage medium based on SM2 standard
Vijayalakshmi et al. Performance analysis of RSA and ECC in identity-based authenticated new multiparty key agreement protocol
Huang et al. Two-party authenticated multiple-key agreement based on elliptic curve discrete logarithm problem
CN110557260B (en) SM9 digital signature generation method and device
Liu et al. Identity-based threshold proxy signature from bilinear pairings
Oh et al. How to solve key escrow and identity revocation in identity-based encryption schemes
Nayak A secure ID-based signcryption scheme based on elliptic curve cryptography
Yang et al. An improved certificateless authenticated key agreement protocol
Ahirwal et al. Signcryption scheme that utilizes elliptic curve for both encryption and signature generation
CN109150545B (en) ECC-based (m, N) threshold group signature method
Muthukumarn et al. A Secure and Enhanced Public Key Cryptosystem Using Double Conjugacy Search Problem Near-Ring
Saadatmandan et al. A secure authenticated key agreement protocol for application at digital certificat
Chen et al. Comparing performance of hierarchical identity-based signature schemes
Zhu et al. A provably secure parallel certificatelesss ring signcryption scheme

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210910

Address after: No.18-10, north section of Tianfu Avenue, high tech Zone, Chengdu, Sichuan 610000

Applicant after: Shang Xiaopeng

Address before: 2502-12, 25 / F, innovation building, Southwest Jiaotong University, No. 111, north section of the Second Ring Road, smart city, Jinniu District, Chengdu, Sichuan 610000

Applicant before: CHENGDU BOSHA TECHNOLOGY Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231204

Address after: No. 4657, tourist road, Licheng District, Jinan City, Shandong Province

Patentee after: SHANDONG URBAN CONSTRUCTION VOCATIONAL College

Address before: No.18-10, north section of Tianfu Avenue, high tech Zone, Chengdu, Sichuan 610000

Patentee before: Shang Xiaopeng
