CN109600233B - Group signature label issuing method based on SM2 digital signature algorithm - Google Patents

Group signature label issuing method based on SM2 digital signature algorithm

Info

Publication number: CN109600233B
Authority: CN (China)
Prior art keywords: group, signature, group member, key, public key
Legal status: Active
Application number: CN201910036016.0A
Other languages: Chinese (zh)
Other versions: CN109600233A (en)
Inventors: 马文平, 刘威, 刘小雪
Current Assignee: Xidian University
Original Assignee: Xidian University
Application filed by Xidian University
Priority to CN201910036016.0A
Publication of CN109600233A
Publication of CN109600233B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The invention provides a group signature label issuing method based on the SM2 digital signature, which mainly solves the problems of low issuing and signature-checking efficiency and difficult member revocation in the prior art. The implementation scheme is as follows: system parameters are initialized; the key generation center generates a group public key $PK_{GM}$ and a group private key $SK_{GM}$; a group member applies to join the group and generates a public/private key pair $(SK_A, PK_A)$, a signature intermediate quantity $E_A$ and the group-shared symmetric key $\theta$; the group member uses its own private key $SK_A$ and the signature intermediate quantity $E_A$ to perform a group signature on the message $M$; the verifier checks whether the group signature identifier is legal, and if so the group signature is finished; otherwise the group administrator uses the group private key $SK_{GM}$ to open the signer's identity $ID_A$; the group administrator selects a new group-shared symmetric key and revokes the group member whose identity is $ID_A$. The invention has a short key length, good security and high signing and verification efficiency, and can be used to issue and verify group signature identifiers of information service entities under an alliance network system.

Description

Group signature label issuing method based on SM2 digital signature algorithm
Technical Field
The invention belongs to the technical field of network communication, and further relates to a group signature label issuing method that can be applied to issuing and authenticating group signature labels for information service entities under an alliance network system.
Background
Group digital signatures were proposed by D. Chaum and E. van Heyst in 1991, and were modified and improved by J. Camenisch, M. Stadler, J. Camenisch, M. Michels, G. Ateniese, G. Tsudik, and others. In a group signature scheme, any member of a group can sign messages anonymously on behalf of the entire group. Like other digital signatures, group signatures are publicly verifiable and can be verified with only a single group public key. Because a group signature provides both privacy protection and traceability, it plays an indispensable role in many fields such as modern electronic commerce, electronic currency, trusted computing, network forensics, hiding of internal organizational structure, and electronic election protocols.
To meet the application requirements of electronic authentication service systems, the SM2 elliptic curve public key cryptographic algorithm was released by the national cryptographic authority on December 17, 2010, and on November 11, 2018 the SM2 signature algorithm was released in the latest version along with ISO/IEC 14888-3:2018, part 3 of "Digital signatures with appendix" in information security technology, namely the mechanisms based on discrete logarithms. The SM2 algorithm specifies the details of signing, authentication, key exchange, etc.
A good group signature identifier issuing scheme should not only generate group signature identifiers safely and efficiently, but also remove group members safely and effectively, and it should be able to open a group signature identifier efficiently to determine the true identity of the signer when a dispute occurs. Since the public keys of group members correspond one-to-one with their real identities, if a group member signs every message with the same public key, an attacker can use the signatures to deduce whether group signature identifiers were signed by the same person, so the unlinkability of the group signature identifier cannot be guaranteed; the public key therefore needs to be updated in each time period to ensure unlinkability. However, updating the key at intervals means that the member must register to obtain a member certificate every time it signs, which greatly reduces the efficiency of the group signature process. For example, the article entitled "Electronic cash system based on certificateless group signature scheme", published by Zhang in the communications newspaper, volume 37, issue 5 (May 2016), proposes an efficient certificateless group signature scheme; when a member is added in its step 3.3, the member must send a newly generated secret key to the group manager each time, so the signature process has to be repeated each time, which greatly increases the amount of calculation and reduces signing efficiency.
The patent document "A verifiable encryption group signature method with anonymity" (application number CN201810198425.6, publication number CN108551435A), applied for by the University of Beijing Aerospace, discloses a verifiable encrypted group signature method with anonymity. In that method, a user who decides to sign a file first registers in the system to obtain a signature key, and then generates a verifiable encrypted group signature using the signature key and an arbitrator's public key. The verifier can check the validity of the signature without decrypting it. The group administrator recovers the signer's identity using the tracking key, and the arbitrator recovers the original signature from the verifiable encrypted group signature. The scheme has the following defect: a member cannot be revoked efficiently. When a group signature is disputed or a group member cheats during signing, the group administrator cannot immediately remove the user from the group, so the member can continue to generate illegal group signatures on behalf of the entire group during this period.
Disclosure of Invention
The invention aims to provide a group signature identifier issuing method based on SM2 digital signature aiming at overcoming the defects of the prior art, so as to improve issuing efficiency on the premise of ensuring the anonymity of a signer, rapidly revoke members disputed or deceived during issuing and prevent illegal group signature identifiers from being generated.
In order to achieve the purpose, the scheme of the invention comprises the following steps:
(1) initializing parameters:
Let $F_q$ be a finite field of order $q$; select an elliptic curve equation $E$: $y^2 = x^3 + ax + b$, where $a, b \in F_q$; let the set of all rational points of the elliptic curve equation $E$ over the finite field $F_q$ be $E(F_q)$; let the base point of order $n$ on $E$ be $G = (x_G, y_G)$, where $x_G, y_G$ are the coordinates of the base point; select a cryptographic hash algorithm $H_v()$ with a message length of $v$ bits; choose a secure hash function $H: \{0,1\}^* \to Z_G$, where $Z_G$ is an integer value of the base point $G$; select a symmetric encryption algorithm $E()$;
(2) The key generation center KGC randomly selects
Figure BDA0001945941900000021
as the group private key, where
Figure BDA0001945941900000022
is an integer string of order $q$, and takes the product of the group private key $SK_{GM}$ and the base point $G$ as the group public key: $PK_{GM} = SK_{GM} G$;
(3) Group member A joins the group:
(3.1) The key generation center KGC generates a public/private key pair $(SK_A, PK_A)$ for group member A; group member A sends the identity information $(ID_A, PK_A)$ to the group administrator GM through a secure channel, where $ID_A$ is the real identity of group member A, $PK_A$ is the public key of group member A and $SK_A$ is the private key of group member A; the group administrator GM stores the identity information $(ID_A, PK_A)$ of group member A in the group member information list, calculates the group signature intermediate quantity $E_A$, and then sends $E_A$ to group member A through a secure channel;
(3.2) The group administrator GM first selects a polynomial
Figure BDA0001945941900000023
Figure BDA0001945941900000024
where $t$ is the total number of group members, $x_i$ is the pseudonym of the $i$-th group member, $\theta$ is the group-shared symmetric key, and $(C_0, C_1, \dots, C_{t-1})$ are the parameters of the polynomial; the GM then calculates the $\omega$-multiple point $W = \omega G$ of the base point $G$ on the elliptic curve and the pseudonym $x_A$ of group member A, and discloses the point $W$ and the polynomial parameters within the group, where $t$ is the number of group members;
(3.3) Group member A calculates the group-shared symmetric key $\theta$ from the received parameters $(C_0, C_1, \dots, C_{t-1})$;
(4) Group member A signs the message $M$:
(4.1) Group member A sends the symmetric ciphertext $E_\theta(ID_A, PK_{A,T}, T)$ to the group administrator GM, where $PK_{A,T}$ is the temporary public key of group member A, $T$ is the timestamp of the current time, and $E_\theta()$ is a symmetric encryption algorithm;
(4.2) After receiving the ciphertext $E_\theta(ID_A, PK_{A,T}, T)$, the group administrator GM decrypts it with the key $\theta$; if decryption succeeds and the timestamp $T$ is valid, the identity information $(ID_A, PK_{A,T}, T)$ of member A is obtained and step (4.3) is executed; otherwise the signature is terminated;
(4.3) Group member A generates a random number $k \in [1, n-1]$, where $n$ is the order of the base point $G$, and calculates the point $K = (x_1, y_1) = [k]G$ on the elliptic curve, where $x_1, y_1$ are the abscissa and ordinate of the calculated point;
(4.4) Group member A selects three random numbers
Figure BDA0001945941900000031
and, using the message $M$ to be signed, the group public key $PK_{GM}$ and the temporary private key $SK_{A,T}$ of group member A, outputs the group signature identifier $(c, s_1, s_2, s_3, T_{A,T}, r, s)$ through a probabilistic algorithm, where $c$ is the hash value of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$, $s_1$ is the blinded value of the first random number $r_1$, $s_2$ is the blinded value of the second random number $r_2$, $s_3$ is the blinded value of the third random number $r_3$ and the temporary private key $SK_{A,T}$, $T_{A,T}$ is the encrypted value of the member private key $SK_{A,T}$ and the signature intermediate quantity $E_A$, $r$ is the remainder value obtained from the abscissa $x_1$ of the elliptic curve point, and $s$ is the blinded value of the random numbers $r_1, r_2, r_3$ under the group public key $PK_{GM}$;
(5) Verify the group signature identifier $(c, s_1, s_2, s_3, T_{A,T}, PK_{A,T}, r, s)$:
(5.1) Verifier B first checks whether $r \in [1, n-1]$ and $s \in [1, n-1]$ hold; if so, step (5.2) is executed; otherwise the group signature identifier is illegal and step (6) is executed;
(5.2) Verifier B calculates in turn the hash value $e'$ of the message $M$ to be signed and the verification intermediate quantity $t'$, and calculates the elliptic curve point $(x_1', y_1') = (s_1 + s_3)^{-1}(s - t')$ and the proof value $R = (e' + x_1') \bmod n$, where $x_1', y_1'$ are the abscissa and ordinate of the elliptic curve point and $\bmod\ n$ denotes the remainder operation of dividing an integer by $n$;
(5.3) Verifier B checks whether $R = r$ holds; if so, the group signature identifier is judged legal and the group signature process ends; otherwise the group signature identifier is judged illegal and (6) is executed;
(6) The group administrator GM extracts from the group signature identifier the encrypted value $T_{A,T}$ of the member private key $SK_{A,T}$ and the signature intermediate quantity $E_A$, uses the group private key $SK_{GM}$ and the temporary public key $PK_{A,T}$ of group member A to calculate the signer's public key $PK_A$, then traces the real identity $ID_A$ of the signing group member through the group member information $(ID_A, PK_A)$ stored in the member information list, and executes (7);
(7) The group administrator GM selects a new group-shared symmetric key
Figure BDA0001945941900000041
generates a new polynomial $f(x)'$, calculates the pseudonyms $x_i$ of the remaining $t-1$ group members other than the traced signer with real identity $ID_A$, and makes the new polynomial parameters $(C_0', C_1', \dots, C_{t-1}')$ public, so that the group member traced as identity $ID_A$ cannot compute the new group-shared symmetric key from the parameters and therefore cannot sign; at this point the group member is revoked.
Compared with the prior art, the invention has the following advantages:
First, the SM2 digital signature algorithm is applied when group member A signs the message $M$ to be signed, so the group signature identifier can carry the signer's identity information, which makes it harder for others to generate illegal group signature identifiers by forging the signer's identity and makes the signing process more secure. At the same time, the group signature algorithm is built on the elliptic curve model, which shortens the keys produced during key generation; the key length is not affected by the number of group members, so signing, issuing and verifying group signature identifiers are more efficient while a high level of security is maintained.
Second, because group member A signs with a temporary key during the signing process, group members other than the group administrator GM cannot judge from the temporary public key whether two different signatures were signed by the same person, which improves the unlinkability and forward security of the group signature identifier. Meanwhile, to achieve traceability, a group signature intermediate quantity $E_A$ is introduced: the group administrator GM generates a time-invariant group signature intermediate quantity $E_A$ from the identity information $(ID_A, PK_A)$ of group member A, which avoids a registration procedure for the group member before each group signature and improves signing efficiency.
Third, because a group member obtains the group-shared symmetric key by secret sharing when it registers, to revoke a group member the group administrator GM only needs to reselect the group-shared symmetric key $\theta'$ and broadcast the new polynomial parameters $(C_0', C_1', \dots, C_{t-1}')$; the other group members can go on to calculate the new group-shared symmetric key from the received parameters and sign on behalf of the whole group. This overcomes the trouble in the prior art of having to replace the group public key and re-register group members when a member is revoked, and improves the efficiency of revoking group members.
Drawings
FIG. 1 is a flow chart of an implementation of the present invention.
Detailed Description
The invention is further described below with reference to fig. 1.
Referring to the figure, the implementation steps of the example are as follows:
Step 1, initializing parameters.
(1.1) Let $F_q$ be a finite field of order $q$, where $q$ is an odd prime or a power of 2. When $q$ is an odd prime, $q > 2^{191}$ is required; when $q$ is a power of 2, $2^m$, $m > 192$ is required and $m$ must be a prime number. When $q$ is an odd prime, the elements of the prime field are represented by the integers $0, 1, 2, \dots, q-1$; when $q$ is a power of 2, $2^m$, the binary extension field
Figure BDA0001945941900000055
is the $m$-dimensional vector space over $F_2$, and its elements can be represented by bit strings of length $m$;
(1.2) Select the elliptic curve equation $E$ over the finite field $F_q$:
$y^2 = x^3 + ax + b$, <1>
where the elliptic curve parameters $a, b \in F_q$ and $(4a^3 + 27b^2) \bmod q \neq 0$, where $\bmod\ q$ denotes the remainder operation of dividing an integer by $q$;
(1.3) Let the set of all rational points of the elliptic curve equation $E$ over the finite field $F_q$ be $E(F_q)$, where $E(F_q) = \{(x, y) \mid x, y \in F_q \text{ and satisfy equation <1>}\} \cup \{O\}$, and $O$ is the point at infinity;
(1.4) Let the base point of order $n$ on the elliptic curve equation $E$ over the finite field $F_q$ be $G = (x_G, y_G)$, where $x_G, y_G$ are the abscissa and ordinate of the base point;
(1.5) Select a cryptographic hash algorithm $H_v(Z)$ with a message length of $v$ bits, where $v$ denotes the length of the message digest of the cryptographic hash algorithm and $Z$ denotes the message digest;
(1.6) Select a symmetric encryption algorithm $E()$.
Step 2, the key generation center generates a group public key and a group private key.
The key generation center KGC randomly selects
Figure BDA0001945941900000051
as the group private key, where
Figure BDA0001945941900000052
is an integer string of order $q$, and takes the product of the group private key $SK_{GM}$ and the base point $G$ as the group public key: $PK_{GM} = SK_{GM} G$;
Step 3, a group member applies to join the group.
(3.1) When group member A applies to join the group, the group administrator GM first selects a random number
Figure BDA0001945941900000053
as the private key of group member A and calculates the public key of group member A, $PK_A = SK_A G$, where $G$ is the base point of the elliptic curve; the public/private key pair $(SK_A, PK_A)$ is then sent to group member A through the secure channel. After receiving its public/private key pair, group member A sends its identity and public key information $(ID_A, PK_A)$ to the group administrator GM through a secure channel, where $ID_A$ is the real identity of group member A; the group administrator receives the identity and public key information and stores it in the group member information list;
(3.2) The group administrator GM selects the group signature intermediate random number
Figure BDA0001945941900000054
and calculates the group signature intermediate quantity $E_A$ using the following formula:
$E_A = (SK_{GM} + PK_A) \cdot \gamma^{-1}$ <2>
where $SK_{GM}$ is the group public key and $PK_A$ is the public key of group member A; the group administrator GM then sends $E_A$ to group member A through a secure channel;
(3.3) The group administrator GM selects a polynomial:
Figure BDA0001945941900000061
where $t$ is the total number of group members, $x_i$ is the pseudonym of the $i$-th group member, and $\theta$ is the group-shared symmetric key;
(3.4) The group administrator GM calculates the $\omega$-multiple point $W = \omega G$ of the base point $G$ on the elliptic curve, discloses the point $W$ within the group, and calculates the pseudonym $x_A$ of group member A using the following formula:
$x_A = H(ID_A \| \omega PK_A)$ <4>
where $H()$ is a hash function, $ID_A$ is the real identity of group member A, and $PK_A$ is the public key of group member A;
(3.5) The group administrator GM substitutes the calculated pseudonym $x_A$ of group member A into the selected polynomial $f(x)$ to obtain the following equation:
Figure BDA0001945941900000062
where $(C_0, C_1, \dots, C_{t-1})$ are the parameters of the polynomial; the group administrator GM then discloses the polynomial parameters $(C_0, C_1, \dots, C_{t-1})$ within the group;
(3.6) Group member A calculates the group-shared symmetric key $\theta$ from the received parameters $(C_0, C_1, \dots, C_{t-1})$ and the disclosed $\omega$-multiple point $W$ of the base point $G$ on the elliptic curve, as follows:
(3.6a) Group member A first uses the $\omega$-multiple point $W$ of the base point $G$ on the elliptic curve disclosed by the group administrator and its own private key $SK_A$ to calculate its own pseudonym $x_A' = H(ID_A \| W SK_A)$;
(3.6b) Group member A calculates the group-shared symmetric key $\theta$ by the following formula:
Figure BDA0001945941900000063
where $t$ is the total number of members in the group, $x_i$ is the pseudonym of the $i$-th group member, and $(C_0, C_1, \dots, C_{t-1})$ are the parameters of the polynomial.
Step 4, the group member performs the group signature.
(4.1) Group member A records the current timestamp $T \in \{0,1\}^*$, then calculates the temporary private key of group member A, $SK_{A,T} = H(SK_A \| T)$, and the temporary public key of group member A, $PK_{A,T} = SK_{A,T} G$, where $SK_A$ is the private key of group member A, $H()$ is a secure hash function, and $G$ is the base point of the elliptic curve;
(4.2) Group member A sends the symmetric ciphertext $E_\theta(ID_A, PK_{A,T}, T)$ to the group administrator GM, where $E_\theta()$ is a symmetric encryption algorithm;
(4.3) After receiving the ciphertext $E_\theta(ID_A, PK_{A,T}, T)$, the group administrator GM decrypts it with the key $\theta$; if decryption succeeds and the timestamp $T$ is valid, the identity information $(ID_A, PK_{A,T}, T)$ of member A is obtained and step (4.4) is executed; otherwise the signature is terminated;
(4.4) Group member A generates a random number $k \in [1, n-1]$, where $n$ is the order of the base point $G$, and calculates the point $\beta = (x_1, y_1) = [k]G$ on the elliptic curve, where $x_1, y_1$ are the abscissa and ordinate of the calculated point;
(4.5) Group member A calculates the group signature identifier through a probabilistic algorithm, as follows:
(4.5a) Group member A calculates the hash value $c$ of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$ using the following formula:
$c = H(PK_{A,T} \| PK_{GM} \| E_A)$ <7>
where $H()$ is a secure hash function, $PK_{A,T}$ is the temporary public key of group member A, $PK_{GM}$ is the group public key, and $E_A$ is the signature intermediate quantity;
(4.5b) Group member A first converts the two parameters $a$ and $b$ of the elliptic curve equation, the abscissa and ordinate $x_G$, $y_G$ of the base point $G$ on the elliptic curve, and the abscissa and ordinate $x_A$, $y_A$ of the public key $PK_A$ of group member A into bit strings, and then calculates the hash value $Z_A$ of the hash function applied to the identity information of group member A using the following formula:
$Z_A = H_{256}(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$ <8>
where $ID_A$ is the real identity of group member A and $ENTL_A$ is the length value of $ID_A$;
(4.5c) Group member A calculates the hash value of the message $M$ to be signed: $e = H_v(Z_A \| M)$, where $H_v()$ is a cryptographic hash function and $v$ is the message digest length;
(4.5d) Group member A calculates the remainder value obtained from the abscissa $x_1$ of the elliptic curve point: $r = (e + x_1) \bmod n$, where $x_1$ is the abscissa of the elliptic curve point $(x_1, y_1)$ and $\bmod\ n$ denotes the remainder operation of dividing an integer by $n$;
(4.5e) Group member A selects three random numbers
Figure BDA0001945941900000071
and calculates in turn, by the following formulas, the blinded value $s_1$ of the first random number $r_1$, the blinded value $s_2$ of the second random number $r_2$, and the blinded value $s_3$ of the third random number $r_3$ and the temporary private key $SK_{A,T}$:
$s_1 = r_1 - ce$,
$s_2 = r_2 - ce$, <9>
$s_3 = r_3 - c\,SK_{A,T}\,k^{-1}$
where $k$ is the random number selected by group member A when calculating the point $(x_1, y_1)$ on the elliptic curve, and $SK_{A,T}$ is the temporary private key of group member A;
(4.5f) Group member A calculates the encrypted value $T_{A,T}$ of the member temporary private key $SK_{A,T}$ and the signature intermediate quantity $E_A$ using the formula:
$T_{A,T} = E_A + SK_{A,T} PK_{GM}$ <10>
(4.5g) Group member A uses the integer point $\beta$ on the elliptic curve to calculate the blinded value of the three random numbers $r_1, r_2, r_3$ under the group public key $PK_{GM}$: $s = r_1 T_{A,T} - r_2 G PK_{GM} + r_1 \beta - r_2 G + r_3 \beta$;
(4.6) Output the group signature identifier $(c, s_1, s_2, s_3, T_{A,T}, PK_{A,T}, r, s)$.
Step 5, verifying the group signature identifier.
(5.1) Verifier D first checks whether $r \in [1, n-1]$ and $s \in [1, n-1]$ hold; if so, step (5.2) is executed; otherwise the group signature identifier is illegal and step 6 is executed;
(5.2) Verifier D calculates in turn the hash value $e'$ of the message $M$ to be signed and the verification intermediate quantity $t'$ according to the following formulas:
$t' = c(PK_{GM} + G PK_{A,T}) + s_1 T_{A,T} - s_2 G PK_{GM} - s_2 G + c PK_{A,T}$ <11>
$e' = H_v(Z_A \| M)$ <12>
where $c$ is the hash value of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$, $PK_{GM}$ is the group public key, $G$ is the base point of the elliptic curve, $PK_{A,T}$ is the temporary private key of group member A, $s_1$ is the blinded value of the first random number $r_1$, $s_2$ is the blinded value of the second random number $r_2$, $H_v()$ is a cryptographic hash function, $v$ is the message digest length, and $Z_A$ is the hash value of group member A.
(5.3) Calculate the elliptic curve point $(x_1', y_1') = (s_1 + s_3)^{-1}(s - t')$ and the proof value $R = (e' + x_1') \bmod n$, where $x_1', y_1'$ are the abscissa and ordinate of the elliptic curve point and $\bmod\ n$ denotes the remainder operation of dividing an integer by $n$;
(5.4) Verifier D checks whether $R = r$ holds; if so, the group signature identifier is judged legal and the group signature process ends; otherwise the group signature identifier is judged illegal and step 6 is executed.
Step 6, opening the group signature identifier.
(6.1) the group administrator GM uses the group private key $SK_{GM}$ and the temporary public key $PK_{A,T}$ of group member A to calculate the public key $PK_A$ of the signer, implemented as follows:
(6.1a) the group administrator GM calculates the group signature intermediate quantity $E_A'$ of the tracing procedure by the following formula:
$E_A' = T_{A,T} - PK_{A,T}\,SK_{GM}$, <13>
where $T_{A,T}$ is the encrypted value of the signature intermediate quantity $E_A$ under the member private key $SK_{A,T}$, $PK_{A,T}$ is the temporary public key of the signer, and $SK_{GM}$ is the group private key;
(6.1b) the group administrator GM computes the public key of group member A, $PK_A = \gamma E_A' - SK_{GM}$, where γ is the intermediate random number of the group signature selected by the group administrator GM;
(6.2) the group administrator GM then uses the group member information $(ID_A, PK_A)$ stored in the member information list to trace the true identity $ID_A$ of the group member who produced the signature, and executes step 7;
Step 7, revoking the group member.
(7.1) the group administrator GM selects a new group-shared symmetric key
Figure BDA0001945941900000091
and generates a new polynomial f(x)′, expressed as follows:
Figure BDA0001945941900000092
where t is the total number of members in the group, $x_i$ is the pseudonym of the i-th group member, θ′ is the newly generated group-shared symmetric key, and $(C_0', C_1', \ldots, C_{t-1}')$ are the parameters of the newly generated polynomial.
(7.2) the group administrator GM calculates and publishes the pseudonyms $x_i$ of the remaining t-1 group members, excluding the group member whose true identity $ID_A$ was traced from the signature, together with the new polynomial parameters $(C_0', C_1', \ldots, C_{t-1}')$, so that the group member whose identity was traced as $ID_A$ cannot compute the new group-shared symmetric key from these parameters and therefore cannot sign; at this point the group member is revoked.
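The key distribution of steps (3.2) and (3.3) and the revocation of step 7, as an added example that is not part of the patent text. The polynomial formula survives on this page only as an image reference, so the code assumes the common form f(x) = (x - x_1)…(x - x_t) + θ mod q with published coefficients C_0…C_{t-1}; the modulus, function names and pseudonym values are constructed for the demonstration.

```python
import secrets

# Constructed demo modulus standing in for the field order q (assumption).
Q = 2**127 - 1


def publish_params(pseudonyms, theta, q=Q):
    """GM side: expand f(x) = prod(x - x_i) + theta mod q (assumed form).

    Returns [C_0, ..., C_{t-1}]; the coefficient of x^t is 1 and is implied.
    """
    coeffs = [1]  # the constant polynomial 1, lowest degree first
    for root in pseudonyms:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - root * c) % q   # contribution of -root * c * x^i
            nxt[i + 1] = (nxt[i + 1] + c) % q  # contribution of c * x^(i+1)
        coeffs = nxt
    coeffs[0] = (coeffs[0] + theta) % q        # hide theta in the constant term
    return coeffs[:-1]


def recover_key(params, x, q=Q):
    """Member side: evaluate the monic polynomial at its own pseudonym x.

    For a current member the product term vanishes and the result is theta.
    """
    acc = 1  # implied leading coefficient
    for c in reversed(params):
        acc = (acc * x + c) % q  # Horner's rule
    return acc


def revoke(pseudonyms, revoked, q=Q):
    """GM side of step 7: new key theta' and a polynomial over the
    remaining t-1 pseudonyms only."""
    remaining = {m: x for m, x in pseudonyms.items() if m != revoked}
    theta_new = secrets.randbelow(q - 1) + 1
    return remaining, theta_new, publish_params(remaining.values(), theta_new, q)


if __name__ == "__main__":
    # Constructed pseudonyms; in the scheme they are hash outputs x_i.
    members = {m: secrets.randbelow(Q - 1) + 1 for m in ("A", "B", "C", "D")}
    theta = secrets.randbelow(Q - 1) + 1
    params = publish_params(members.values(), theta)
    print("all members recover theta:",
          all(recover_key(params, x) == theta for x in members.values()))

    remaining, theta2, params2 = revoke(members, "A")
    print("remaining members recover theta':",
          all(recover_key(params2, x) == theta2 for x in remaining.values()))
    print("revoked member A recovers theta':",
          recover_key(params2, members["A"]) == theta2)
```

Under this assumed form, any party that knows a current member's pseudonym can evaluate the published polynomial and obtain θ, so the confidentiality of the key depends on how pseudonyms are disclosed.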
The foregoing description is only an example of the present invention and is not intended to limit the invention, so that it will be apparent to those skilled in the art that various changes and modifications in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (6)

1. A group signature label issuing method based on SM2 digital signature algorithm is characterized by comprising the following steps:
(1) initializing parameters:
let $F_q$ be a finite field of order q; select the elliptic curve equation E: $y^2 = x^3 + ax + b$, where $a, b \in F_q$; let the set of all rational points of the elliptic curve equation E over the finite field $F_q$ be $E(F_q)$; let the base point of order n on E be $G = (x_G, y_G)$, where $x_G, y_G$ are the coordinates of the base point; select a cryptographic hash algorithm $H_v()$ with a message length of v bits; select a secure hash function $H: \{0,1\} \to Z_G$, where $Z_G$ is an integer value of the base point G; select a symmetric encryption algorithm E();
(2) the key generation center KGC randomly selects
Figure FDA0002991323380000011
as the group private key, where
Figure FDA0002991323380000012
is an integer string of order q, and takes the product of the group private key $SK_{GM}$ and the base point G as the group public key: $PK_{GM} = SK_{GM} G$;
(3) group member A joins the group:
(3.1) the group administrator GM generates a public-private key pair $(SK_A, PK_A)$ for group member A and sends it to group member A over a secure channel; group member A sends its identity and public key information $(ID_A, PK_A)$ to the group administrator GM through a secure channel, where $ID_A$ is the true identity of group member A, $PK_A$ is the public key of group member A, and $SK_A$ is the private key of group member A; the group administrator GM stores the identity information $(ID_A, PK_A)$ of group member A in the group member information list, calculates the group signature intermediate quantity $E_A$, and then sends $E_A$ to group member A through a secure channel; to calculate the group signature intermediate quantity $E_A$, the group administrator GM selects the intermediate random number of the group signature
Figure FDA0002991323380000013
and calculates the group signature intermediate quantity $E_A$ using the following formula:
$E_A = (SK_{GM} + PK_A) \cdot \gamma^{-1}$
where $SK_{GM}$ is a group public key and $PK_A$ is the public key of group member A;
(3.2) group Administrator GM first selects a polynomial
Figure FDA0002991323380000014
Figure FDA0002991323380000015
where t is the total number of group members, $x_i$ is the pseudonym of the i-th group member, θ is the group-shared symmetric key, and $(C_0, C_1, \ldots, C_{t-1})$ are the parameters of the polynomial; then the ω-multiple point W of the base point G on the elliptic curve is calculated as $W = \omega G$, and the pseudonym $x_A$ of group member A, the point W and the polynomial parameters are published within the group; the group administrator GM first selects a random number
Figure FDA0002991323380000016
then calculates the pseudonym $x_A$ of group member A using the following formula:
$x_A = H(ID_A || \omega PK_A)$
where H() is a hash function, $ID_A$ is the true identity of group member A, and $PK_A$ is the public key of group member A;
(3.3) group member A calculates the group-shared symmetric key θ from the received parameters $(C_0, C_1, \ldots, C_{t-1})$, implemented as follows:
(3.3a) group member A first calculates its own pseudonym $x_A' = H(ID_A || W\,SK_A)$ from the ω-multiple point W of the base point G on the elliptic curve published by the group administrator and the private key $SK_A$;
(3.3b) the group member a calculates the group-shared symmetric key θ by the following formula:
Figure FDA0002991323380000021
where t is the total number of members in the group, $x_i$ is the pseudonym of the i-th group member, and $(C_0, C_1, \ldots, C_{t-1})$ are the parameters of the polynomial;
(4) the group member a signs the message M:
(4.1) group member A sends the symmetric ciphertext $E_\theta(ID_A, PK_{A,T}, T)$ to the group administrator GM, where $PK_{A,T}$ is the temporary public key of group member A, T is the timestamp of the current time, and $E_\theta()$ is the symmetric encryption algorithm;
(4.2) after receiving the ciphertext $E_\theta(ID_A, PK_{A,T}, T)$, the group administrator GM decrypts it using the key θ; if decryption succeeds and the timestamp T is valid, the identity information $(ID_A, PK_{A,T}, T)$ of member A is obtained and step (4.3) is executed; otherwise the signature is terminated;
(4.3) group member A generates a random number $k \in [1, n-1]$, where n is the order of the base point G, and calculates the point on the elliptic curve $\beta = (x_1, y_1) = [k]G$, where $x_1, y_1$ are the abscissa and ordinate of the calculated point;
(4.4) group Member A selects three random numbers
Figure FDA0002991323380000022
and, using the message M to be signed, the group public key $PK_{GM}$ and the temporary private key $SK_{A,T}$ of group member A, outputs the group signature identifier $(c, s_1, s_2, s_3, T_{A,T}, PK_{A,T}, r, s)$ through a probabilistic algorithm, where c is the hash value of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$, $s_1$ is the blinded value of the first random number $r_1$, $s_2$ is the blinded value of the second random number $r_2$, $s_3$ is the blinded value of the third random number $r_3$ and the temporary private key $SK_{A,T}$, $T_{A,T}$ is the encrypted value of the signature intermediate quantity $E_A$ under the member private key $SK_{A,T}$, r is the remainder value obtained from the abscissa $x_1$ of the elliptic curve point, and s is the blinded value of the group public key $PK_{GM}$ for the random numbers $r_1, r_2, r_3$;
the hash value c of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$ is computed using the following formula:
$c = H(PK_{A,T} || PK_{GM} || E_A)$
where H() is a secure hash function, $PK_{A,T}$ is the temporary public key of group member A, $PK_{GM}$ is the group public key, and $E_A$ is the intermediate quantity of the signature;
(5) verifying the group signature identifier $(c, s_1, s_2, s_3, T_{A,T}, PK_{A,T}, r, s)$:
(5.1) the verifier D first checks whether $r \in [1, n-1]$ and $s \in [1, n-1]$ hold; if so, (5.2) is executed; otherwise the group signature is illegal and step (6) is executed;
(5.2) the verifier D calculates, in sequence, the hash value e′ of the message M to be signed and the verification intermediate quantity t′, and calculates the elliptic curve point $(x'_1, y'_1) = (s_1 + s_3)^{-1}(s - t')$ and the verification value $R = (e' + x'_1) \bmod n$, where $x'_1, y'_1$ are the abscissa and ordinate of the elliptic curve point and mod n denotes the modulo operation of dividing an integer by n; the hash value e′ and the verification intermediate quantity t′ are calculated according to the following formulas:
$t' = c(PK_{GM} + G\,PK_{A,T}) + s_1 T_{A,T} - s_2 G\,PK_{GM} - s_2 G + c\,PK_{A,T}$
$e' = H_v(Z_A || M)$,
where c is the hash value of the hash function applied to the temporary public key $PK_{A,T}$ and the group public key $PK_{GM}$, $PK_{GM}$ is the group public key, G is the base point of the elliptic curve, $PK_{A,T}$ is the temporary private key of group member A, $s_1$ is the blinded value of the first random number $r_1$, $s_2$ is the blinded value of the second random number $r_2$, $H_v()$ is the cryptographic hash function, v is the message digest length, and $Z_A$ is the hash value of group member A;
(5.3) the verifier D verifies whether R holds; if so, the group signature is legal and the group signature process ends; otherwise the group signature is illegal and (6) is executed;
(6) the group administrator GM extracts from the group signature the encrypted value $T_{A,T}$ of the signature intermediate quantity $E_A$ under the member private key $SK_{A,T}$, uses the group private key $SK_{GM}$ and the temporary public key $PK_{A,T}$ of group member A to calculate the public key $PK_A$ of the signer, then uses the group member information $(ID_A, PK_A)$ stored in the member information list to trace the true identity $ID_A$ of the group member who produced the signature, and executes (7);
(7) the group administrator GM selects a new group-shared symmetric key
Figure FDA0002991323380000031
generates a new polynomial f(x)′, and calculates and publishes the pseudonyms $x_i$ of the remaining t-1 group members, excluding the group member whose true identity $ID_A$ was traced from the signature, together with the new polynomial parameters $(C_0', C_1', \ldots, C_{t-1}')$, so that the group member whose identity was traced as $ID_A$ cannot compute the new group-shared symmetric key from these parameters and therefore cannot sign; at this point the group member is revoked.
2. The method according to claim 1, wherein in (3.1) the key generation center KGC generates the public-private key pair $(SK_A, PK_A)$ for group member A as follows: the group administrator GM selects a random number
Figure FDA0002991323380000032
as the private key of group member A and calculates the public key of group member A, $PK_A = SK_A G$, where G is the base point of the elliptic curve.
3. The method according to claim 1, wherein the temporary public key $PK_{A,T}$ in (4.1) is obtained as follows: group member A records the current timestamp $T \in \{0,1\}^*$, then calculates the temporary private key of group member A, $SK_{A,T} = H(SK_A || T)$, and then calculates the temporary public key of group member A, $PK_{A,T} = SK_{A,T} G$, where $SK_A$ is the private key of group member A, H() is the secure hash function, and G is the base point of the elliptic curve.
4. The method according to claim 1, wherein in (4.4) the group signature $(c, s_1, s_2, s_3, T_{A,T}, PK_{A,T}, r, s)$ is output through a probabilistic algorithm, implemented as follows:
(4.4b) group member A first converts the data types of the two parameters a and b of the elliptic curve equation, the abscissa and ordinate $x_G, y_G$ of the base point G on the elliptic curve, and the abscissa and ordinate $x_A, y_A$ of the public key $PK_A$ of group member A into bit strings, and calculates, using the following formula, the hash value $Z_A$ of the hash function applied to the identity information of group member A:
$Z_A = H_{256}(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)$,
where $ID_A$ is the true identity of group member A and $ENTL_A$ is the length value of $ID_A$;
(4.4c) group member A computes the hash value of the message M to be signed, $e = H_v(Z_A || M)$, where $H_v()$ is a cryptographic hash function and v is the message digest length;
(4.4d) group member A calculates the remainder value r from the abscissa $x_1$ of the elliptic curve point: $r = (e + x_1) \bmod n$, where $x_1$ is the abscissa of the elliptic curve point $(x_1, y_1)$ and mod n denotes the modulo operation of dividing an integer by n;
(4.4e) group member A calculates the blinded value $s_1$ of the first random number $r_1$: $s_1 = r_1 - ce$;
(4.4f) group member A calculates the blinded value $s_2$ of the second random number $r_2$: $s_2 = r_2 - ce$;
(4.4g) group member A calculates the blinded value $s_3$ of the third random number $r_3$ and the temporary private key $SK_{A,T}$: $s_3 = r_3 - c\,SK_{A,T}\,k^{-1}$, where k is the random number selected by group member A when computing the point $(x_1, y_1)$ on the elliptic curve;
(4.4h) group member A calculates, using the following formula, the encrypted value $T_{A,T}$ of the signature intermediate quantity $E_A$ under the member temporary private key $SK_{A,T}$:
$T_{A,T} = E_A + SK_{A,T}\,PK_{GM}$
(4.4i) group member A converts the point $(x_1, y_1)$ on the elliptic curve into the integer point β and calculates the blinded value s of the group public key $PK_{GM}$ for the random numbers $r_1, r_2, r_3$: $s = r_1 T_{A,T} - r_2 G\,PK_{GM} + r_1\beta - r_2 G + r_3\beta$.
5. The method according to claim 1, wherein in (6) the group private key $SK_{GM}$ and the temporary public key $PK_{A,T}$ of group member A are used to calculate the public key $PK_A$ of the signer, implemented as follows:
(6a) the group administrator GM calculates the group signature intermediate quantity $E_A'$ of the tracing process by the following formula:
$E_A' = T_{A,T} - PK_{A,T}\,SK_{GM}$
where $T_{A,T}$ is the encrypted value of the signature intermediate quantity $E_A$ under the member private key $SK_{A,T}$, $PK_{A,T}$ is the temporary public key of the signer, and $SK_{GM}$ is the group private key;
(6b) the group administrator GM computes $PK_A = \gamma E_A' - SK_{GM}$, where γ is the intermediate random number of the group signature selected by the group administrator GM.
6. The method according to claim 1, characterized in that in (7) the group administrator GM selects a new group-shared symmetric key θ′ and generates a new polynomial f(x)′, expressed as follows:
Figure FDA0002991323380000051
where t is the total number of members in the group, $x_i$ is the pseudonym of the i-th group member, θ′ is the newly generated group-shared symmetric key, and $(C_0', C_1', \ldots, C_{t-1}')$ are the parameters of the newly generated polynomial.
CN201910036016.0A 2019-01-15 2019-01-15 Group signature label issuing method based on SM2 digital signature algorithm Active CN109600233B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910036016.0A CN109600233B (en) 2019-01-15 2019-01-15 Group signature label issuing method based on SM2 digital signature algorithm

Publications (2)

Publication Number Publication Date
CN109600233A CN109600233A (en) 2019-04-09
CN109600233B true CN109600233B (en) 2021-06-08

Family

ID=65966157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910036016.0A Active CN109600233B (en) 2019-01-15 2019-01-15 Group signature label issuing method based on SM2 digital signature algorithm

Country Status (1)

Country Link
CN (1) CN109600233B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant