CN110071812B - Editable, linkable and non-repudiatable ring signature method - Google Patents

Editable, linkable and non-repudiatable ring signature method Download PDF

Info

Publication number
CN110071812B
CN110071812B CN201910353137.8A CN201910353137A CN110071812B CN 110071812 B CN110071812 B CN 110071812B CN 201910353137 A CN201910353137 A CN 201910353137A CN 110071812 B CN110071812 B CN 110071812B
Authority
CN
China
Prior art keywords
signature
key
ring
message
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910353137.8A
Other languages
Chinese (zh)
Other versions
CN110071812A (en
Inventor
张小松
黄可
牛伟纳
谢鑫
蒋天宇
葛洪麟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN201910353137.8A priority Critical patent/CN110071812B/en
Publication of CN110071812A publication Critical patent/CN110071812A/en
Application granted granted Critical
Publication of CN110071812B publication Critical patent/CN110071812B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

An editable, linkable and non-repudiatable ring signature method belongs to the field of network security and solves the problems that in the prior art, a ring signature is difficult to revoke, identity information of a malicious user is difficult to trace, the edited ring signature can still be authenticated by a signature, privacy protection and a flexible authentication mechanism are not provided, and the like. The method is used for sequentially carrying out system initialization, user key generation, Hash key generation, signature and providing the identity privacy, editable and non-repudiatable ring signature which can be conditionally revoked, respectively verifying the signature if the signature needs to be edited and whether the signature can be linked or repudiated is judged after the signature is signed, and carrying out signature editing, judgment whether the signature can be linked or repudiated and the like after the signature passes verification, and is used for providing the identity privacy, editable and non-repudiatable ring signature which can be conditionally revoked.

Description

Editable, linkable and non-repudiatable ring signature method
Technical Field
An editable, linkable and non-repudiatable ring signature method belongs to the field of network security and is used for providing an identity privacy, editable and non-repudiatable ring signature capable of conditional cancellation.
Background
Ring signatures evolve from group signatures, as opposed to group signatures where there is one group administrator-centric, ring signatures do not rely on such one-centric. In short, ring signatures are spontaneous, that is, a certain user in a ring arbitrarily selects the public keys of other users to form a ring required by a signature together, so as to hide the public key of the user, and the other users on the ring do not know that the user is added into the ring at all, thereby realizing the identity privacy of a signer.
The current ring signature has the problems that the identity privacy condition can be difficult to revoke and cannot be edited. For the former (difficult revocable), due to the privacy problem of the ring signature, it is difficult to trace the identity information of the user, so that a malicious user may use this property to make a fake, and other users cannot know or cannot trace the identity information of the malicious user. If the cryptocurrency uses the ring signature to realize the user identity privacy (which is a good privacy protection mechanism for cryptocurrency), if the malicious user signs multiple transactions to realize the repeated use of the cryptocurrency (generally called as Double-blossom), the actual identity of the malicious user cannot be known due to the privacy of the ring signature. In the latter case (non-editable), generally, the digital signature is not editable, which brings disaster-tolerant alarm-backing difficulties to the digital currency mainly based on the block chain and the system derived from the digital currency, that is, after the system is attacked maliciously, the system needs to be restored to a certain normal state before the attack, and once this operation is executed, the validity of the signature is affected, so the signature needs to be re-edited to be able to correctly authenticate the current message (or to take effect at the current time point), and a typical technical means is to use a signature based on a chameleon hash function, such as: chameleon signatures, sanitizable signatures, editable signatures, and the like. At present, no one has proposed the concept of an editable ring signature.
The traditional chameleon signature and the cleanable signature can enable the signature to have editable characteristics, but the signature framework cannot support the privacy of the user, namely the signature and the public key of the user are publicly verifiable, and therefore a privacy protection mechanism is not provided.
The ring signature is a signature mechanism capable of effectively protecting the identity privacy of a user, but the traditional ring signature cannot realize the editing characteristic, namely, the message subjected to signature authentication is dynamically modified, and the modified message can still be authenticated by the signature, so that the flexible authentication mechanism is lacked.
Disclosure of Invention
In view of the above-mentioned research problems, an object of the present invention is to provide an editable, linkable and non-repudiatable ring signature method, which solves the problems in the prior art that a ring signature is difficult to revoke, it is difficult to trace the identity information of a malicious user, the signature can still be authenticated after editing, and the ring signature method does not have privacy protection and a flexible authentication mechanism.
In order to achieve the purpose, the invention adopts the following technical scheme:
an editable, linkable, non-repudiatable ring signature method, comprising the steps of:
step a, system initialization:
selecting a safety parameter lambda and setting a system public parameter P;
step b, generating a user key:
calculating the private key sk of the user i according to the system public parameter PiAnd the public key pk of user ii
Step c, Hash key generation:
calculating a trapdoor key tk and a Hash key hk according to a system public parameter P;
step d, signature:
according to the Hash key hk, a list L consisting of n public keys and the private key x of the signerπComputing the signature σ of the message mL(m) wherein L ═ { pk ═ p1,…,pkn},i=1,…,n,xπB, calculating to obtain the signature, and using pi to refer to a signer due to the anonymity of the ring signature;
after signing, if the signature needs to be edited and whether the signature can be linked or repudiated is judged, firstly verifying the signature:
list L of n public keys, signature σ of the verification message mL(m) and outputting 0 or 1, 0 indicating that the verification is failed, and 1 indicating that the verification is passed;
if the signature passes the verification, editing the signature:
signing sigma to the target according to the trapdoor key tk, the list L consisting of n public keys and the new message mL(m) editing to output abnormal symbol ^ or edited signature σL(m);
If the signature passes the verification, judging whether the signature can be linked:
list L of n public keys, list of n public keys
Figure BDA0002044291760000021
Message
Figure BDA0002044291760000022
And an array of signatures
Figure BDA0002044291760000023
djRepresenting an unknown user, j is 0, 1, obtaining a pair of arrays, judging whether signatures of the two arrays can be linked, and outputting inverted T, 0 or 1;
step h, judging whether the signature can be repudiated:
list L of n public keys, dispute message and signature (m)*,σL(m*) Messages and signatures (m, σ)L(m)) performing dependence judgment, and outputting ^ 0 or 1.
Further, in the step a, a system public parameter P is set, and the specific steps are as follows:
selecting a group G with a generating element G and a group order q according to a safety parameter lambda;
the hash functions are set as follows: h1:{0,1}*→ G and H2:{0,1}*→Zq,ZqQ-1, which is a q-order integer group;
output system public parameter P ═<G,q,g,H1,H2>。
Further, in step b, the specific steps of generating the user key are as follows:
selecting a random number according to the system public parameter P
Figure BDA0002044291760000031
As the private key sk of user iiComputing user i public key
Figure BDA0002044291760000032
Outputting the private key and the public key (sk) of the user ii,pki) Wherein, in the step (A),
Figure BDA0002044291760000033
represents from ZqA value is randomly selected from the group.
Further, in step c, the hash key generation specifically includes:
selecting a random number according to the system public parameter P
Figure BDA0002044291760000034
As the trapdoor key tk, the hash key hk y g is calculatedxThe trapdoor key and hash key (tk, from) are output.
Further, in said step d, the signature σ of the message m is calculatedLThe specific steps of (m) are as follows:
based on the hash key hk, a list L of n public keys y1,...,yn}1≤i≤nWherein each public key yiCorresponding to a private key xi,yi=pki,xi=skiMessage, message
Figure BDA0002044291760000035
Private key x of signerπN is not less than 1 and not more than pi, and H is calculated as H1(L) and
Figure BDA0002044291760000036
where h is a hash value used to bind ring information, i.e., all public key information L included in the ring, to the ring signature,
Figure BDA0002044291760000037
private key information representing the signer, for binding the private key of the signer to the ring signature;
based on h and
Figure BDA0002044291760000038
selecting two random numbers for calculating the value of the last random number of the ring
Figure BDA0002044291760000039
Computing
Figure BDA00020442917600000310
Figure BDA00020442917600000311
cπ+1All public key information L including ring and private key information of signer
Figure BDA00020442917600000312
Color change Lonhahi value g of last signeruHash value h related to information of last signer and current signervThe formed hash value is used for realizing the end-to-end connection of the ring;
based on
Figure BDA00020442917600000313
When i ═ pi +1,.. times, n, 1.. times, pi-1, two random numbers are selected that keep the ends of the ring coincident
Figure BDA00020442917600000314
Computing
Figure BDA00020442917600000315
And
Figure BDA00020442917600000316
then calculate
Figure BDA00020442917600000317
,riRepresenting the ith chameleon random number for distinguishing different chameleon hash values
Figure BDA00020442917600000318
Edited ring signature, ci+1Representing the last point on the ring, i.e. the last signer, where cπ+1And ci+1Satisfy the same constitution, i.e. guCorrespond to
Figure BDA00020442917600000319
hvCorrespond to
Figure BDA00020442917600000320
Calculating alphaπ=u-xπcπmod q,βπ=v-xπcπmod q;
Outputting signatures
Figure BDA00020442917600000321
c1Representing the hash value of a signer on the ring.
Further, in said step e, the signature σ of the message m is verifiedLThe specific steps of (m) are as follows:
list L, message m, signature composed of n public keys
Figure BDA0002044291760000041
Calculating H as H1(L) for i ═ 1.. times, n, calculated
Figure BDA0002044291760000042
For i ≠ n, calculate
Figure BDA0002044291760000043
Figure BDA0002044291760000044
Check if the equation holds:
Figure BDA0002044291760000045
if yes, returning 1 to represent that the verification is passed; otherwise, return 0 represents a verification failure.
Further, in the step f, the signature σ is editedLThe specific steps of (m) are as follows:
according to the trapdoor key tk, a list L consisting of n public keys, a new message m' and a target signature
Figure BDA0002044291760000046
Figure BDA0002044291760000047
For 1 ≦ i ≦ n, calculate
Figure BDA0002044291760000048
r′iDenotes the new chameleon random number, α 'of user i'iIndicating that it is not the original random number;
outputting signed signatures
Figure BDA0002044291760000049
Further, in the step g, the specific step of judging whether the signature is linkable is as follows:
list L of n public keys, list of n public keys
Figure BDA00020442917600000410
Message
Figure BDA00020442917600000411
And an array of signatures
Figure BDA00020442917600000412
j is 0, 1, and for j 0 and 1, it is checked whether or not
Figure BDA00020442917600000413
If yes, returning 1 to represent that the signature can be linked, namely the pair of signatures are generated by the same user; otherwise, returning 0 represents that the signature is not linkable.
Further, in the step h, the specific step of judging whether the signature can be repudiated is:
according to a list L consisting of n public keys, dispute messages and signatures
Figure BDA00020442917600000414
Figure BDA00020442917600000415
Message and signature
Figure BDA00020442917600000416
For 1 ≦ i ≦ n, check if there is an equation
Figure BDA00020442917600000417
Figure BDA00020442917600000418
And is
Figure BDA00020442917600000419
If yes, returning 1 to represent successful repudiation; if not, return 0 represents a denial failure.
Compared with the prior art, the invention has the beneficial effects that:
firstly, the invention can detect a group of signature information from the same signer for the same group of public key information (the same ring) through a link algorithm (namely judging whether the signature is linkable or not), thereby providing the privacy protection with revocable conditions, namely providing the maximum privacy protection and ensuring that the privacy is not abused.
The invention allows editing the signed authentication information without the help of a signer in the editing process, the edited signature can authenticate a new message, so that the extensible signature function is realized, the message after signature authentication can be re-edited, and the edited signature and the message pair can still pass verification.
Third, the invention allows the original signer to repudiate a signature after being edited through a repudiation algorithm, so as to realize the non-repudiation (denability) of the signature editing, namely, the signer (the person holding the trap key tk) can not repudiate the signature edited by the signer, so as to realize the traceability of the signature editing function and ensure that the function is not abused.
The invention realizes a signature mechanism which can protect the identity privacy of the user and can be flexibly authenticated.
Drawings
FIG. 1 is a schematic flow diagram of the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings and specific embodiments.
An editable, linkable, non-repudiatable ring signature method, comprising the steps of:
step a, system initialization:
selecting a safety parameter lambda and setting a system public parameter P;
setting a system public parameter P, which comprises the following specific steps:
selecting a group G with a generating element G and a group order q according to a safety parameter lambda;
the hash functions are set as follows: h1:{0,1}*→ G and H2:{0,1}*→Zq,ZqQ-1, which is a q-order integer group;
output system public parameter P ═<G,q,g,H1,H2>。
Step b, generating a user key:
calculating the private key sk of the user i according to the system public parameter PiAnd the public key pk of user ii
The method comprises the following specific steps:
selecting a random number according to the system public parameter P
Figure BDA0002044291760000051
As the private key sk of user iiComputing user i public key
Figure BDA0002044291760000052
Outputting the private key and the public key (sk) of the user ii,pki) Wherein, in the step (A),
Figure BDA0002044291760000053
represents from ZqA value is randomly selected from the group.
Step c, Hash key generation:
calculating a trapdoor key tk and a Hash key hk according to a system public parameter P;
the method comprises the following specific steps:
according to the system public parameter P, selectingA random number
Figure BDA0002044291760000054
As the trapdoor key tk, the hash key hk y g is calculatedxAnd outputting the trapdoor key and the hash key (tk, hk).
Step d, signature:
according to the Hash key hk, a list L consisting of n public keys and the private key x of the signerπComputing the signature σ of the message mL(m) wherein L ═ { pk ═ p1,…,pkn},i=1,…,n,xπB, calculating to obtain the signature, and using pi to refer to a signer due to the anonymity of the ring signature;
computing a signature σ for a message mLThe specific steps of (m) are as follows:
based on the hash key hk, a list L of n public keys y1,...,yn}1≤i≤nWherein each public key yiCorresponding to a private key xi,yi=pki,xi=skiMessage, message
Figure BDA0002044291760000061
Private key x of signerπN is not less than 1 and not more than pi, and H is calculated as H1(L) and
Figure BDA0002044291760000062
where h is a hash value used to bind ring information, i.e., all public key information L included in the ring, to the ring signature,
Figure BDA0002044291760000063
private key information representing a signer for binding the signer's private key to a ring signature, so that ring signatures of the same signers can be linked because they share parameters
Figure BDA0002044291760000064
Based on h and
Figure BDA0002044291760000065
selecting two random numbers for calculating the value of the last random number of the ring
Figure BDA0002044291760000066
Computing
Figure BDA0002044291760000067
Figure BDA0002044291760000068
cπ+1All public key information L including ring and private key information of signer
Figure BDA0002044291760000069
Color change Lonhahi value g of last signeruHash value h related to information of last signer and current signervThe formed hash value is used for realizing the end-to-end connection of the ring;
based on
Figure BDA00020442917600000610
When i ═ pi +1,.. times, n, 1.. times, pi-1, two random numbers are selected that keep the ends of the ring coincident
Figure BDA00020442917600000611
Computing
Figure BDA00020442917600000612
And
Figure BDA00020442917600000613
then calculate
Figure BDA00020442917600000614
,riRepresenting the ith chameleon random number for distinguishing different chameleon hash values
Figure BDA00020442917600000621
Edited ring signature, chameleon hash value
Figure BDA00020442917600000622
Namely, the key that the ring signature can be edited is ensured, the chameleon hash value has the capability of recalculation, so that the re-editing can be realized, and the chameleon hash value is edited
Figure BDA00020442917600000620
Is kept constant, r corresponding to itiA change for realizing a ring signature editing characteristic based on the color changing ronchessman value, ci+1Representing the last point on the ring, i.e. the last signer, where cπ+1And ci+1Satisfy the same constitution, i.e. guCorrespond to
Figure BDA00020442917600000615
hvCorrespond to
Figure BDA00020442917600000616
Calculating alphaπ=u-xπcπmod q,βπ=v-xπcπmod q;
Outputting signatures
Figure BDA00020442917600000617
c1Representing the hash value of a signer on the ring.
In summary, based on the ring sequence of the L list corresponding to the signer, the parameters are sequentially calculated according to the ring sequence
Figure BDA00020442917600000618
Figure BDA00020442917600000619
Finally, an end-to-end ring signature is obtained.
After signing, if the signature needs to be edited and whether the signature can be linked or repudiated is judged, firstly verifying the signature:
list L of n public keys, signature σ of the verification message mL(m)And outputs 0 or 1, 0 indicating that the verification is not passed, and 1 indicating that the verification is passed;
verifying the signature σ of a message mLThe specific steps of (m) are as follows:
list L, message m, signature composed of n public keys
Figure BDA0002044291760000071
Calculating H as H1(L) for i ═ 1.. times, n, calculated
Figure BDA0002044291760000072
For i ≠ n, calculate
Figure BDA0002044291760000073
Figure BDA0002044291760000074
Check if the equation holds:
Figure BDA0002044291760000075
if yes, returning 1 to represent that the verification is passed; otherwise, return 0 represents a verification failure.
If the signature passes the verification, editing the signature:
signing sigma to the target according to the trapdoor key tk, the list L consisting of n public keys and the new message mL(m) editing to output abnormal symbol ^ or edited signature σL(m′);
Editing signature σLThe specific steps of (m) are as follows:
according to the trapdoor key tk, a list L consisting of n public keys, a new message m and a target signature
Figure BDA0002044291760000076
Figure BDA0002044291760000077
For 1 ≦ i ≦ n, calculate
Figure BDA0002044291760000078
r′iDenotes the new chameleon random number, α 'of user i'iIndicating that it is not the original random number;
outputting signed signatures
Figure BDA0002044291760000079
If the signature passes the verification, judging whether the signature can be linked:
list L of n public keys, list of n public keys
Figure BDA00020442917600000710
Message
Figure BDA00020442917600000711
And an array of signatures
Figure BDA00020442917600000712
djRepresenting unknown users, j is 0, 1, obtaining a pair of arrays, judging whether signatures of the two arrays can be linked, and outputting the signatures to be 0 or 1;
the specific steps for judging whether the signature is linkable are as follows:
list L of n public keys, list of n public keys
Figure BDA00020442917600000713
Message
Figure BDA00020442917600000714
And an array of signatures
Figure BDA00020442917600000715
j is 0, 1, and for j 0 and 1, it is checked whether or not
Figure BDA00020442917600000716
If true, returning 1 represents that the signature is linkable, i.e. the pair of signatures was generated by the same user 2 otherwise returning 0 represents that the signature is not linkable.
Step h, judging whether the signature can be repudiated:
list L of n public keys, dispute message and signature (m)*,σL(m*) Messages and signatures (m, σ)L(m)) makes a denial judgment and outputs an upper, 0 or 1.
The specific steps for judging whether the signature can be repudiated are as follows:
according to a list L consisting of n public keys, dispute messages and signatures
Figure BDA0002044291760000081
Figure BDA0002044291760000082
Message and signature
Figure BDA0002044291760000083
For 1 ≦ i ≦ n, check if there is an equation
Figure BDA0002044291760000084
Figure BDA0002044291760000085
And is
Figure BDA0002044291760000086
If yes, returning 1 to represent successful repudiation; if not, return 0 represents a denial failure.
The above are merely representative examples of the many specific applications of the present invention, and do not limit the scope of the invention in any way. All the technical solutions formed by the transformation or the equivalent substitution fall within the protection scope of the present invention.

Claims (6)

1. An editable, linkable, non-repudiatable ring signature method, comprising the steps of:
step a, system initialization:
selecting a safety parameter lambda and setting a system public parameter P;
step b, generating a user key:
calculating the private key sk of the user i according to the system public parameter PiAnd the public key pk of user ii
Step c, Hash key generation:
calculating a trapdoor key tk and a Hash key hk according to a system public parameter P;
step d, signature:
according to the Hash key hk, a list L consisting of n public keys and the private key x of the signerπComputing the signature σ of the message mL(m) wherein L ═ { pk ═ p1,…,pkn},i=1,…,n,xπB, calculating to obtain the signature, and using pi to refer to a signer due to the anonymity of the ring signature;
computing a signature σ for a message mLThe specific steps of (m) are as follows:
based on the hash key hk, a list L of n public keys y1,...,yn}1≤i≤nWherein each public key yiCorresponding to a private key xi,yi=pki,xi=skiMessage, message
Figure FDA0002947491520000011
Private key x of signerπN is not less than 1 and not more than pi, and H is calculated as H1(L) and
Figure FDA0002947491520000012
where h is a hash value used to bind ring information, i.e., all public key information L included in the ring, to the ring signature,
Figure FDA0002947491520000013
private key information representing the signer, for binding the private key of the signer to the ring signature;
based on h and
Figure FDA0002947491520000014
two random numbers u are selected that calculate the value of the last random number of the ring,
Figure FDA0002947491520000015
computing
Figure FDA0002947491520000016
Figure FDA0002947491520000017
cπ+1All public key information L including ring and private key information of signer
Figure FDA0002947491520000018
Chameleon hash value g of last signeruHash value h related to information of last signer and current signervThe formed hash value is used for realizing the end-to-end connection of the rings;
based on
Figure FDA0002947491520000019
When i ═ pi +1,.., n, 1,. and pi-1, two random numbers alpha are selected so that the heads and tails of the rings are consistenti
Figure FDA00029474915200000110
Computing
Figure FDA00029474915200000111
And
Figure FDA00029474915200000112
then calculate
Figure FDA00029474915200000113
Figure FDA00029474915200000114
riRepresenting the ith chameleon random number for distinguishing different chameleon hash values
Figure FDA00029474915200000115
Edited ring signature, ci+1Representing the last point on the ring, i.e. the last signer, where cπ+1And ci+1Satisfy the same constitution, i.e. guCorrespond to
Figure FDA00029474915200000116
hvCorrespond to
Figure FDA00029474915200000117
Calculating alphaπ=u-xπcπmod q,βπ=v-xπcπmod q;
Outputting signatures
Figure FDA00029474915200000118
c1A hash value representing a signer on the ring;
after signing, if the signature needs to be edited and whether the signature can be linked or repudiated is judged, firstly verifying the signature:
list L of n public keys, signature σ of the verification message mL(m) and outputting 0 or 1, 0 indicating that the verification is failed, and 1 indicating that the verification is passed;
if the signature passes the verification, editing the signature:
signing sigma to the target according to the trapdoor key tk, the list L consisting of n public keys and the new message mL(m) editing, and outputting abnormal symbol T or edited signature sigmaL(m′);
If the signature passes the verification, judging whether the signature can be linked:
list L of n public keys, list of n public keys
Figure FDA0002947491520000021
Message
Figure FDA0002947491520000022
And an array of signatures
Figure FDA0002947491520000023
djRepresenting an unknown user, j is 0, 1, obtaining a pair of arrays, judging whether signatures of the two arrays can be linked, and outputting inverted T, 0 or 1;
in step g, the specific step of judging whether the signature is linkable is as follows:
list L of n public keys, list of n public keys
Figure FDA0002947491520000024
Message
Figure FDA0002947491520000025
And an array of signatures
Figure FDA0002947491520000026
j is 0, 1, and for j 0 and 1, it is checked whether or not
Figure FDA0002947491520000027
If yes, returning 1 to represent that the signatures can be linked, namely the pair of signatures are generated by the same user; otherwise, returning 0 represents that the signature is not linkable;
step h, judging whether the signature can be repudiated:
list L of n public keys, dispute message and signature (m)*,σL(m*) Messages and signatures (m, σ)L(m)) performing denial judgment, and outputting T, 0 or 1;
in the step h, the specific steps of judging whether the signature can be repudiated are as follows:
according to a list L consisting of n public keys, dispute messages and signatures
Figure FDA0002947491520000028
Message and signature
Figure FDA0002947491520000029
For 1. ltoreq. i. ltoreq.n, the inspection isWhether there is an equation
Figure FDA00029474915200000210
And is
Figure FDA00029474915200000211
If yes, returning 1 to represent successful repudiation; if not, return 0 represents a denial failure.
2. The method as claimed in claim 1, wherein in the step a, a system public parameter P is set, and the specific steps are as follows:
selecting a group G with a generating element G and a group order q according to a safety parameter lambda;
the hash functions are set as follows: h1:{0,1}*→ G and H2:{0,1}*→Zq,ZqQ-1, which is a q-order integer group;
output system public parameter P ═<G,q,g,H1,H2>。
3. The method as claimed in claim 2, wherein the step b of generating the user key comprises the following steps:
selecting a random number according to the system public parameter P
Figure FDA0002947491520000031
As the private key sk of user iiComputing user i public key
Figure FDA0002947491520000032
Exporting private and public keys (sk) of user ii,pki) Wherein, in the step (A),
Figure FDA0002947491520000033
represents from ZqRandomly selects one from the groupA value.
4. The editable, linkable and non-repudiatable ring signature method according to claim 3, wherein in the step c, the hash key generation comprises the following specific steps:
selecting a random number according to the system public parameter P
Figure FDA0002947491520000034
As the trapdoor key tk, the hash key hk y g is calculatedxAnd outputting the trapdoor key and the hash key (tk, hk).
5. An editable, linkable, non-repudiatable ring signature method according to claim 1, wherein in step e, the signature σ of the message m is verifiedLThe specific steps of (m) are as follows:
list L, message m, signature composed of n public keys
Figure FDA0002947491520000035
Calculating H as H1(L) for i ═ 1.. times, n, calculated
Figure FDA0002947491520000036
For i ≠ n, calculate
Figure FDA0002947491520000037
Figure FDA0002947491520000038
Check if the equation holds:
Figure FDA0002947491520000039
if yes, returning 1 to represent that the verification is passed; otherwise, returning 0 represents a verification failure.
6. An editable, linkable, non-editable device as claimed in claim 5The method of ring signature for repudiation is characterized in that, in the step f, the signature sigma is editedLThe specific steps of (m) are as follows:
according to the trapdoor key tk, a list L consisting of n public keys, a new message m' and a target signature
Figure FDA00029474915200000310
Figure FDA00029474915200000311
For 1 ≦ i ≦ n, calculate
Figure FDA00029474915200000312
ri' means New chameleon random number, α ' of user i 'iIndicating that it is not the original random number;
outputting signed signatures
Figure FDA00029474915200000313
CN201910353137.8A 2019-04-29 2019-04-29 Editable, linkable and non-repudiatable ring signature method Active CN110071812B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910353137.8A CN110071812B (en) 2019-04-29 2019-04-29 Editable, linkable and non-repudiatable ring signature method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910353137.8A CN110071812B (en) 2019-04-29 2019-04-29 Editable, linkable and non-repudiatable ring signature method

Publications (2)

Publication Number Publication Date
CN110071812A CN110071812A (en) 2019-07-30
CN110071812B true CN110071812B (en) 2021-06-08

Family

ID=67369489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910353137.8A Active CN110071812B (en) 2019-04-29 2019-04-29 Editable, linkable and non-repudiatable ring signature method

Country Status (1)

Country Link
CN (1) CN110071812B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110474762B (en) * 2019-08-22 2021-05-25 电子科技大学 Method for constructing ring-type editable block chain
CN111526009B (en) * 2020-04-09 2021-06-15 西南交通大学 Forward security editable block chain construction method suitable for alliance chain
CN111698090B (en) * 2020-05-22 2022-09-27 哈尔滨工程大学 Ring signature method applied to threat intelligence transaction alliance chain
CN112187455B (en) * 2020-09-24 2023-04-18 西南交通大学 Method for constructing distributed public key infrastructure based on editable block chain
CN113360943A (en) * 2021-06-23 2021-09-07 京东数科海益信息科技有限公司 Block chain private data protection method and device
CN113794556B (en) * 2021-09-10 2023-05-23 福建师范大学 PCH revocable method and system for collectable blockchain protocol
CN114584280B (en) * 2022-03-04 2024-06-21 浪潮云信息技术股份公司 Key management method and system for AOS ring signature
CN114417429B (en) * 2022-04-02 2022-06-07 湖南宸瀚科技有限公司 Editable block chain system based on ring type verification
CN114726645B (en) * 2022-05-06 2023-01-24 电子科技大学 Linkable ring signature method based on user information security
CN115017170B (en) * 2022-08-04 2022-10-11 北京邮电大学 Traceable block chain transaction credible erasing method and device
CN115473632B (en) * 2022-08-24 2024-05-31 武汉大学 Improved multi-layer linkable ring signature generation method and device
CN116743396B (en) * 2023-08-14 2023-11-03 深圳奥联信息安全技术有限公司 Optimized ring signature method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045164A (en) * 2009-10-20 2011-05-04 广州信睿网络科技有限公司 Key exposure free chameleon digital signature method based on ID (Identity)
US20120166808A1 (en) * 2010-12-23 2012-06-28 Electronics And Telecommunications Research Institute Lattice-based ring signature method
CN109257184A (en) * 2018-11-08 2019-01-22 西安电子科技大学 Linkable ring signature method based on anonymous broadcast enciphering

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045164A (en) * 2009-10-20 2011-05-04 广州信睿网络科技有限公司 Key exposure free chameleon digital signature method based on ID (Identity)
US20120166808A1 (en) * 2010-12-23 2012-06-28 Electronics And Telecommunications Research Institute Lattice-based ring signature method
CN109257184A (en) * 2018-11-08 2019-01-22 西安电子科技大学 Linkable ring signature method based on anonymous broadcast enciphering

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《可证明安全数字签名的研究》;高伟;《中国博士学位论文全文数据库》;20070715;全文 *
《数字签名在公平交易协议中的应用研究》;马晓静;《中国优秀硕士学位论文全文数据库》;20070615;全文 *

Also Published As

Publication number Publication date
CN110071812A (en) 2019-07-30

Similar Documents

Publication Publication Date Title
CN110071812B (en) Editable, linkable and non-repudiatable ring signature method
CN109257184B (en) Linkable ring signature method based on anonymous broadcast encryption
CN108551392B (en) Blind signature generation method and system based on SM9 digital signature
CN109905247B (en) Block chain based digital signature method, device, equipment and storage medium
KR20130065278A (en) Authentication method and apparatus for detection and prevention of source spoofing packets
CN103902925B (en) The method and apparatus signed for digital document
CN101873307A (en) Digital signature method, device and system based on identity forward secrecy
CN106899413B (en) Digital signature verification method and system
CN104320259B (en) Based on Schnorr signature algorithms without certificate signature method
CN108259506B (en) SM2 whitepack password implementation method
EP2247025A1 (en) Apparatus, method, and program for updating a pair of public and secret key for digital signature
Accorsi Log data as digital evidence: What secure logging protocols have to offer?
CN116566626B (en) Ring signature method and apparatus
CN106936584A (en) A kind of building method without CertPubKey cryptographic system
CN110661816B (en) Cross-domain authentication method based on block chain and electronic equipment
Feng et al. White-box implementation of Shamir’s identity-based signature scheme
CN104410500A (en) Specified verifier-based signing, signature verification and signature copy simulation method and system
WO2019174404A1 (en) Digital group signature method, device and apparatus, and verification method, device and apparatus
TWI555370B (en) Digital signature method
JP2004526387A (en) Ring-based signature scheme
CN115174102A (en) Efficient batch verification method and system based on SM2 signature
Zentai On the efficiency of the Lamport Signature Scheme
CN113326527A (en) Credible digital signature system and method based on block chain
CN114329551B (en) Zk-SNARK-based lightweight ring signature method
WO2011106059A1 (en) Method and apparatus for providing authenticity and integrity to stored data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant