CN110351093B - Linkable network ring signature method based on attributes - Google Patents

Publication number
CN110351093B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910514752.2A
Other languages
Chinese (zh)
Other versions
CN110351093A (en
Inventor
张文芳
管桂林
王小敏
焦恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yami Technology Guangzhou Co ltd
Original Assignee
Southwest Jiaotong University
Application filed by Southwest Jiaotong University
Priority to CN201910514752.2A
Publication of CN110351093A
Application granted
Publication of CN110351093B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an attribute-based linkable network ring signature method, which mainly comprises the following: in the signature phase, the link tag is generated from randomly selected parameters, so that signatures carrying the same link tag are linkable, linkability is decided by the signer alone, and it can be shown whether two signatures were issued by the same person without revealing the identity of the real signer; by injecting the identity into each user private key in the attribute key generation phase, the method resists collusion attacks. The method offers strong anonymity and high security, effectively addresses the secondary signature problem in electronic cash, electronic voting and similar applications, and provides anonymous identity authentication and access control.

Description

Linkable network ring signature method based on attributes
Technical Field
The invention belongs to the technical field of digital signatures in cryptography and relates to a network anonymous identity authentication method that supports linkability.
Background
Attribute-based signature, a novel asymmetric cryptographic technology, has the advantages of strong expressiveness, flexible use and convenient identity hiding; it is particularly suitable for providing anonymous identity authentication on the Internet and has received increasing attention from scholars. The scheme partitions users at fine granularity by attributes, represents the identity of the original identity-based signature system as an attribute set, and adds the concept of an access structure to the identity-based signature system: a user can sign with the attribute private key if and only if the user's attribute set satisfies the access structure. Compared with identity-based signatures, attribute-based signatures not only provide finer-grained access control over data but also protect the privacy of the user's identity, i.e. the user's identity information is not disclosed during signing. In-depth research and analysis show that existing attribute-based ring signature methods still have the following problems to be solved urgently:
First, existing attribute-based ring signature schemes cannot provide linkability and therefore can hardly offer strong anonymous identity authentication for complex and dynamic fields such as electronic voting and electronic elections, since the system cannot judge whether different signatures are linked. Second, in most existing attribute-based ring signature schemes, users with complementary attributes can combine their keys to generate valid signatures that none of them could generate alone, so collusion attacks cannot be resisted. How to design an attribute-based network ring signature method that supports linkability and resists collusion attacks is therefore a problem to be solved, with important academic significance and wide application value.
In 2018, Southwest Jiaotong University applied for patent No. 201810934093.3, entitled "An attribute-based network signature method supporting dynamic attribute space", which realizes a dynamic attribute space through a layering technique (an attribute layer and a secret sharing layer) and achieves a more flexible access policy using a linear secret sharing access structure. That method solves problems of most current attribute-based signature methods, such as poor extensibility of the attribute space and inflexible access structures, and its security is also stronger than that of existing methods. However, it does not achieve linkability, cannot determine whether two signatures were signed by the same person, and can hardly solve the secondary signature problem in Internet applications such as electronic cash, electronic election and electronic expense. In addition, it cannot resist collusion attacks: users with complementary attributes can still combine their keys to generate valid signatures that none of them could generate alone.
Disclosure of Invention
The invention aims to provide an attribute-based linkable network ring signature method that supports linkability, so that whether signatures are linked can be determined from their link tags, and that embeds the identity information ID in each user's attribute private key so that the method resists collusion attacks launched by users with complementary attributes.
The technical scheme adopted by the invention to achieve this aim is an attribute-based linkable network ring signature method comprising the following steps:
(1) System setup phase
a) System public parameter generation
First, the attribute authority AA randomly selects, from the finite field
Figure GDA0002158185850000026
an integer α as the system master key MSK, where q is a secure prime greater than $2^{512}$; then the attribute authority AA randomly selects two cyclic multiplicative groups $G_1$ and $G_2$ of order p and defines a bilinear map $e: G_1 \times G_1 \to G_2$; finally, the attribute authority AA randomly selects two elements of the group $G_1$ as public key one $g_1$ and public key three $g_3$, and performs a modular exponentiation on public key one $g_1$ to obtain public key two $g_2$:
Figure GDA0002158185850000021
A bilinear pairing operation on public key two $g_2$ and public key three $g_3$ then produces public key four $g_4$: $g_4 = e(g_2, g_3)$;
The attribute authority AA outputs the public parameters $PK = \{G_1, G_2, e, g_1, g_2, g_3, g_4\}$ and stores the system master key MSK = α secretly;
b) Selection of hash functions
The attribute authority AA defines three hash functions. First, a file hash function $H_1$: $H_1: m \to G_1$, a hash operation that maps the file m to an element of the cyclic multiplicative group $G_1$; second, an attribute hash function $H_2$: $H_2: w_i \to G_1$, a hash operation that maps the attribute $w_i$ to an element of the group $G_1$; finally, an identity hash function $H_3$:
Figure GDA0002158185850000022
where
Figure GDA0002158185850000023
is a hash operation that maps a {0,1} string of arbitrary length to an element of the finite field
Figure GDA0002158185850000024
Finally, the attribute authority AA publishes the hash functions $H_1$, $H_2$ and $H_3$;
(2) Attribute key generation phase
a) Shamir secret sharing polynomial generation
Suppose that the user ID, according to the attribute set it owns, $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$, where $w_{ID,i}$ is the i-th attribute of the user attribute set $W_{ID}$, applies to the attribute authorization center AA for a key;
After receiving the key application of the user ID, the attribute authorization center AA randomly selects a polynomial f(x) of degree d-1, where d is the threshold predefined by AA for recovering the secret, f(0) = α, and the remaining coefficients are chosen by AA from the finite field
Figure GDA0002158185850000025
as d-1 randomly selected elements;
b) Attribute key generation
First, for the attribute set $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$ owned by the user, the attribute authorization center AA randomly selects an integer $t_{ID,i}$ for each attribute $w_{ID,i} \in W_{ID}$ and uses public key three $g_3$, the attribute hash function $H_2$ and the identity hash function $H_3$ to generate attribute key one $S_{1,i}$:
Figure GDA0002158185850000031
The attribute authority AA then uses the identity hash function $H_3$ together with the public key to generate attribute key two $S_{2,i}$:
Figure GDA0002158185850000032
c) Attribute key delivery
The attribute authority AA secretly sends attribute key one
Figure GDA0002158185850000033
and attribute key two
Figure GDA0002158185850000034
to the user ID;
(3) Signature phase
A network server provides a file m to be signed and randomly selects N attributes as the declared signature attribute set $W^*$:
Figure GDA0002158185850000035
where $W_n^*$ is the n-th declared signature attribute of the declared signature attribute set $W^*$;
When the user ID accesses the network service, the signer, i.e. the user ID, randomly selects d attributes from the declared signature attribute set $W^*$ and its user attribute set $W_{ID}$ to form the signature attribute set $W'_{ID}$, $W'_{ID} = \{w_{ID',1}, \ldots, w_{ID',i}, \ldots, w_{ID',d}\}$, where $w_{ID',i}$ is the i-th attribute of the signature attribute set $W'_{ID}$;
a) First signature generation
First, the signer computes the first part $\sigma_{1,1}$ of the first partial signature $\sigma_1$: $\sigma_{1,1} = H_1(m)^v$, where
Figure GDA0002158185850000036
is a file random factor selected by the signer;
The signer then selects a random number
Figure GDA0002158185850000037
to obtain $T = g_1^t$, uses T as the link tag, and further computes the second part $\sigma_{1,2}$ of $\sigma_1$:
Figure GDA0002158185850000038
where
Figure GDA0002158185850000039
is the attribute random factor randomly selected by the signer for the attribute $w_{ID',i}$ in the signature attribute set;
Figure GDA00021581858500000310
is the Lagrange coefficient of the polynomial f'(x) at x = 0, computed as
Figure GDA00021581858500000311
where $w_{ID',j}$ is an attribute of $W'_{ID}$ with j ≠ i;
Next, the third part $\sigma_{1,3}$ of $\sigma_1$ is computed:
Figure GDA00021581858500000312
where
Figure GDA00021581858500000313
is an attribute of the difference set $W^* \setminus W'_{ID}$ of the declared attribute set $W^*$ and the signature attribute set $W'_{ID}$, and
Figure GDA00021581858500000314
is the attribute random factor selected by the signer for each attribute in $W^* \setminus W'_{ID}$;
Finally, the signer multiplies $\sigma_{1,1}$, $\sigma_{1,2}$ and $\sigma_{1,3}$ to obtain the first partial signature $\sigma_1$: $\sigma_1 = \sigma_{1,1}\sigma_{1,2}\sigma_{1,3}$;
b) Second signature generation
Using the file random factor v randomly selected above from the finite field
Figure GDA0002158185850000041
the signer computes the second partial signature $\sigma_2$ of the file m: $\sigma_2 = g_1^v$;
c) Third signature generation
Using the selected attribute random factors $r'_i$ and $r_i^{\#}$, the signer computes the third partial signature $\sigma_3$ of the file m:
Figure GDA0002158185850000042
d) Fourth signature generation
The signer computes the fourth partial signature of the file m as follows:
when $w_{ID',i} \in W'_{ID}$, compute:
Figure GDA0002158185850000043
when
Figure GDA0002158185850000044
compute:
Figure GDA0002158185850000045
e) Signature output
The signer transmits the generated signature
Figure GDA0002158185850000046
to the network server;
(4) Verification phase
After receiving a signature generated with the signature algorithm, the network server verifies whether the signature is valid as follows:
Figure GDA0002158185850000047
if the two sides of equation (1) above are equal, the signature is valid; otherwise, the signature is invalid;
(5) Linkability verification
The network server receives two different signatures generated with the signature algorithm for the files m and m', namely σ(m):
Figure GDA0002158185850000048
and σ(m'):
Figure GDA0002158185850000049
where $\sigma'_1$ is the first signature generated by the signer for the message m' using step a of the signature phase (3), $\sigma'_2$ is the second signature generated by the signer for the message m' using step b of the signature phase (3), $\sigma'_3$ is the third signature generated by the signer for the message m' using step c of the signature phase (3),
Figure GDA0002158185850000051
is the fourth signature generated by the signer for the message m' using step d of the signature phase (3), and T' is the link tag generated by the signer for the message m' using step a of the signature phase (3);
The following check is performed:
if the equation T = T' holds, the signature σ(m) of the file m and the signature σ(m') of the file m' are determined to be linkable; otherwise, they are determined not to be linkable.
Compared with the prior art, the beneficial effects of the invention are as follows:
First, in the signature phase, the link tag is generated from a randomly selected number, which ensures that signatures carrying the same link tag are linkable, that linkability is determined by the signer alone, and that it can be shown whether two signatures were issued by the same person without revealing the identity of the real signer. At the same time, no attacker, whether a malicious user or a malicious attribute authorization center, can within polynomial time link signatures that are not linkable by modifying their link tags, which guarantees the linkability of the proposed method.
Second, in the key distribution phase, the attribute authorization center embeds the user identity in the user attribute key, so that the attribute keys of different users differ even for the same attribute. Malicious users with complementary attribute sets therefore cannot collude and combine their complementary attribute keys to forge signatures that none of them could generate alone, which guarantees the collusion resistance of the method.
The method offers strong anonymity and high security, effectively addresses the secondary signature problem in electronic cash, electronic voting and similar applications, and provides anonymous identity authentication and access control.
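The threshold mechanics behind phases (2) and (3), as an added Python example that is not part of the patent text: the AA draws a fresh degree d-1 polynomial with f(0) = α for each key request, d shares from one request interpolate back to α through Lagrange coefficients at x = 0, and shares pooled from two users do not. It works directly in the field Z_q rather than in the exponent of G_1 and does not model the pairing or the H_3 identity binding; the prime Q, the attribute names, the `attr_point` encoding and the standard Lagrange formula used here are assumptions, since the page's own formulas did not survive extraction.

```python
import hashlib
import secrets

# Assumption: the page asks for a prime q > 2^512; the Mersenne prime
# 2^521 - 1 satisfies that and stands in for q here.
Q = 2**521 - 1


def attr_point(attribute: str) -> int:
    """Hypothetical encoding: map an attribute name to a non-zero point in Z_q."""
    digest = hashlib.sha512(attribute.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def issue_shares(alpha: int, attributes, d: int) -> dict:
    """AA side: draw a fresh polynomial f of degree d-1 with f(0) = alpha for
    this key request and return the share f(w) for each attribute w."""
    coeffs = [alpha % Q] + [secrets.randbelow(Q) for _ in range(d - 1)]
    shares = {}
    for w in attributes:
        x, y = attr_point(w), 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod q
            y = (y * x + c) % Q
        shares[w] = y
    return shares


def lagrange_at_zero(i_attr: str, attr_set) -> int:
    """Standard Lagrange coefficient at x = 0:
    prod over j != i of (0 - x_j) / (x_i - x_j), computed mod q."""
    xi = attr_point(i_attr)
    num, den = 1, 1
    for j_attr in attr_set:
        if j_attr == i_attr:
            continue
        xj = attr_point(j_attr)
        num = num * (-xj) % Q
        den = den * (xi - xj) % Q
    return num * pow(den, -1, Q) % Q


def select_signing_attributes(claim_set, user_attrs, d: int) -> list:
    """Signer side: pick d attributes that are both declared by the server
    (W*) and owned by the user (W_ID); fail if fewer than d are available."""
    usable = sorted(set(claim_set) & set(user_attrs))
    if len(usable) < d:
        raise ValueError("user holds fewer than d of the declared attributes")
    return sorted(secrets.SystemRandom().sample(usable, d))


def recover_secret(shares: dict) -> int:
    """Interpolate the supplied (attribute -> share) points at x = 0."""
    attrs = list(shares)
    return sum(shares[w] * lagrange_at_zero(w, attrs) for w in attrs) % Q


def demo() -> dict:
    """Constructed scenario: threshold d = 3, four declared attributes."""
    d = 3
    alpha = secrets.randbelow(Q)
    claim = ["dept:finance", "role:auditor", "region:eu", "clearance:2"]
    alice = issue_shares(alpha, ["dept:finance", "role:auditor", "region:eu"], d)
    bob = issue_shares(alpha, ["dept:finance", "role:auditor"], d)
    carol = issue_shares(alpha, ["region:eu"], d)
    chosen = select_signing_attributes(claim, alice, d)
    return {
        # One user with d matching attributes recovers alpha.
        "alice_ok": recover_secret({w: alice[w] for w in chosen}) == alpha,
        # Bob alone is below the threshold.
        "bob_alone_ok": recover_secret(bob) == alpha,
        # Bob and Carol pool complementary shares from different polynomials.
        "pooled_ok": recover_secret({**bob, **carol}) == alpha,
    }


if __name__ == "__main__":
    print(demo())
```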
The present invention will be described in further detail with reference to specific embodiments.
Detailed Description
Examples
A specific embodiment of the present invention is an attribute-based linkable network ring signature method, which proceeds as follows:
(1) System setup phase
a) System public parameter generation
First, the attribute authority AA randomly selects, from the finite field
Figure GDA0002158185850000052
an integer α as the system master key MSK, where q is a secure prime greater than $2^{512}$; then the attribute authority AA randomly selects two cyclic multiplicative groups $G_1$ and $G_2$ of order p and defines a bilinear map $e: G_1 \times G_1 \to G_2$; finally, the attribute authority AA randomly selects two elements of the group $G_1$ as public key one $g_1$ and public key three $g_3$, and performs a modular exponentiation on public key one $g_1$ to obtain public key two $g_2$:
Figure GDA0002158185850000053
A bilinear pairing operation on public key two $g_2$ and public key three $g_3$ then produces public key four $g_4$: $g_4 = e(g_2, g_3)$;
The attribute authority AA outputs the public parameters $PK = \{G_1, G_2, e, g_1, g_2, g_3, g_4\}$ and stores the system master key MSK = α secretly;
b) Selection of hash functions
The attribute authority AA defines three hash functions. First, a file hash function $H_1$: $H_1: m \to G_1$, a hash operation that maps the file m to an element of the cyclic multiplicative group $G_1$; second, an attribute hash function $H_2$: $H_2: w_i \to G_1$, a hash operation that maps the attribute $w_i$ to an element of the group $G_1$; finally, an identity hash function $H_3$:
Figure GDA0002158185850000061
where
Figure GDA0002158185850000062
is a hash operation that maps a {0,1} string of arbitrary length to an element of the finite field
Figure GDA0002158185850000063
Finally, the attribute authority AA publishes the hash functions $H_1$, $H_2$ and $H_3$;
(2) Attribute key generation phase
a) Shamir secret sharing polynomial generation
Suppose that the user ID, according to the attribute set it owns, $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$, where $w_{ID,i}$ is the i-th attribute of the user attribute set $W_{ID}$, applies to the attribute authorization center AA for a key;
After receiving the key application of the user ID, the attribute authorization center AA randomly selects a polynomial f(x) of degree d-1, where d is the threshold predefined by AA for recovering the secret, f(0) = α, and the remaining coefficients are chosen by AA from the finite field
Figure GDA0002158185850000064
as d-1 randomly selected elements;
b) Attribute key generation
First, for the attribute set $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$ owned by the user, the attribute authorization center AA randomly selects an integer $t_{ID,i}$ for each attribute $w_{ID,i} \in W_{ID}$ and uses public key three $g_3$, the attribute hash function $H_2$ and the identity hash function $H_3$ to generate attribute key one $S_{1,i}$:
Figure GDA0002158185850000065
The attribute authority AA then uses the identity hash function $H_3$ together with the public key to generate attribute key two $S_{2,i}$:
Figure GDA0002158185850000066
c) Attribute key delivery
The attribute authority AA secretly sends attribute key one
Figure GDA0002158185850000067
and attribute key two
Figure GDA0002158185850000068
to the user ID;
(3) Signature phase
A network server provides a file m to be signed and randomly selects N attributes as the declared signature attribute set $W^*$:
Figure GDA0002158185850000069
where $W_n^*$ is the n-th declared signature attribute of the declared signature attribute set $W^*$;
When the user ID accesses the network service, the signer, i.e. the user ID, randomly selects d attributes from the declared signature attribute set $W^*$ and its user attribute set $W_{ID}$ to form the signature attribute set $W'_{ID}$, $W'_{ID} = \{w_{ID',1}, \ldots, w_{ID',i}, \ldots, w_{ID',d}\}$, where $w_{ID',i}$ is the i-th attribute of the signature attribute set $W'_{ID}$;
a) First signature generation
First, the signer computes the first part $\sigma_{1,1}$ of the first partial signature $\sigma_1$: $\sigma_{1,1} = H_1(m)^v$, where
Figure GDA0002158185850000071
is a file random factor selected by the signer;
The signer then selects a random number
Figure GDA0002158185850000072
to obtain $T = g_1^t$, uses T as the link tag, and further computes the second part $\sigma_{1,2}$ of $\sigma_1$:
Figure GDA0002158185850000073
where
Figure GDA0002158185850000074
is the attribute random factor randomly selected by the signer for the attribute $w_{ID',i}$ in the signature attribute set;
Figure GDA0002158185850000075
is the Lagrange coefficient of the polynomial f'(x) at x = 0, computed as
Figure GDA0002158185850000076
where $w_{ID',j}$ is an attribute of $W'_{ID}$ with j ≠ i;
Next, the third part $\sigma_{1,3}$ of $\sigma_1$ is computed:
Figure GDA0002158185850000077
where
Figure GDA0002158185850000078
is an attribute of the difference set $W^* \setminus W'_{ID}$ of the declared attribute set $W^*$ and the signature attribute set $W'_{ID}$, and
Figure GDA0002158185850000079
is the attribute random factor selected by the signer for each attribute in $W^* \setminus W'_{ID}$;
Finally, the signer multiplies $\sigma_{1,1}$, $\sigma_{1,2}$ and $\sigma_{1,3}$ to obtain the first partial signature $\sigma_1$: $\sigma_1 = \sigma_{1,1}\sigma_{1,2}\sigma_{1,3}$;
b) Second signature generation
Using the file random factor v randomly selected above from the finite field
Figure GDA00021581858500000714
the signer computes the second partial signature $\sigma_2$ of the file m: $\sigma_2 = g_1^v$;
c) Third signature generation
Using the selected attribute random factors $r'_i$ and $r_i^{\#}$, the signer computes the third partial signature $\sigma_3$ of the file m:
Figure GDA00021581858500000710
d) Fourth signature generation
The signer computes the fourth partial signature of the file m as follows:
when $w_{ID',i} \in W'_{ID}$, compute:
Figure GDA00021581858500000711
when
Figure GDA00021581858500000712
compute:
Figure GDA00021581858500000713
e) Signature output
The signer transmits the generated signature
Figure GDA0002158185850000081
to the network server;
(4) Verification phase
After receiving a signature generated with the signature algorithm, the network server verifies whether the signature is valid as follows:
Figure GDA0002158185850000082
if the two sides of equation (1) above are equal, the signature is valid; otherwise, the signature is invalid;
(5) Linkability verification
The network server receives two different signatures generated with the signature algorithm for the files m and m', namely σ(m):
Figure GDA0002158185850000083
and σ(m'):
Figure GDA0002158185850000084
where $\sigma'_1$ is the first signature generated by the signer for the message m' using step a of the signature phase (3), $\sigma'_2$ is the second signature generated by the signer for the message m' using step b of the signature phase (3), $\sigma'_3$ is the third signature generated by the signer for the message m' using step c of the signature phase (3),
Figure GDA0002158185850000085
is the fourth signature generated by the signer for the message m' using step d of the signature phase (3), and T' is the link tag generated by the signer for the message m' using step a of the signature phase (3);
The following check is performed:
if the equation T = T' holds, the signature σ(m) of the file m and the signature σ(m') of the file m' are determined to be linkable; otherwise, they are determined not to be linkable.

Claims (1)

1. A linkable network ring signature method based on attributes comprises the following steps:
(1) System setup phase
a) System public parameter generation
First, the attribute authority AA randomly selects, from the finite field
Figure FDA0003114257090000011
an integer α as the system master key MSK, where q is a secure prime greater than $2^{512}$; then the attribute authority AA randomly selects two cyclic multiplicative groups $G_1$ and $G_2$ of order p and defines a bilinear map $e: G_1 \times G_1 \to G_2$; finally, the attribute authority AA randomly selects two elements of the group $G_1$ as public key one $g_1$ and public key three $g_3$, and performs a modular exponentiation on public key one $g_1$ to obtain public key two $g_2$:
Figure FDA0003114257090000012
A bilinear pairing operation on public key two $g_2$ and public key three $g_3$ then produces public key four $g_4$: $g_4 = e(g_2, g_3)$;
The attribute authority AA outputs the public parameters $PK = \{G_1, G_2, e, g_1, g_2, g_3, g_4\}$ and stores the system master key MSK = α secretly;
b) Selection of hash functions
The attribute authority AA defines three hash functions. First, a file hash function $H_1$: $H_1: m \to G_1$, a hash operation that maps the file m to an element of the cyclic multiplicative group $G_1$; second, an attribute hash function $H_2$: $H_2: w \to G_1$, a hash operation that maps the attribute w to an element of the group $G_1$; finally, an identity hash function $H_3$:
Figure FDA0003114257090000013
where
Figure FDA0003114257090000014
is a hash operation that maps a {0,1} string of arbitrary length to an element of the finite field
Figure FDA0003114257090000015
Finally, the attribute authority AA publishes the hash functions $H_1$, $H_2$ and $H_3$;
(2) Attribute key generation phase
a) Shamir secret sharing polynomial generation
Suppose that the user ID, according to the attribute set it owns, $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$, where I is the number of all attributes owned by the user ID and $w_{ID,i}$ is the i-th attribute of the user attribute set $W_{ID}$ (1 ≤ i ≤ I), applies to the attribute authorization center AA for a key;
After receiving the key application of the user ID, the attribute authorization center AA randomly selects a polynomial f(x) of degree d-1, where d is the threshold predefined by AA for recovering the secret, f(0) = α, and the remaining coefficients are chosen by AA from the finite field
Figure FDA0003114257090000016
as d-1 randomly selected elements;
b) Attribute key generation
First, for the attribute set $W_{ID} = \{w_{ID,1}, \ldots, w_{ID,i}, \ldots, w_{ID,I}\}$ owned by the user, the attribute authority AA randomly selects an integer $t_{ID,i}$ for each attribute $w_{ID,i} \in W_{ID}$ and uses public key three $g_3$, the attribute hash function $H_2$ and the identity hash function $H_3$ to generate attribute key one $S_{1,i}$:
Figure FDA0003114257090000021
The attribute authority AA then uses the identity hash function $H_3$ together with the public key to generate attribute key two $S_{2,i}$:
Figure FDA0003114257090000022
c) Attribute key delivery
The attribute authority AA secretly sends attribute key one
Figure FDA0003114257090000023
and attribute key two
Figure FDA0003114257090000024
to the user ID;
(3) Signature phase
A network server provides a file m to be signed and randomly selects N attributes as the declared signature attribute set $W^*$:
Figure FDA0003114257090000025
where
Figure FDA0003114257090000026
is the n-th declared signature attribute of the declared signature attribute set $W^*$;
When the user ID accesses the network service, the signer, i.e. the user ID, randomly selects d attributes from the declared signature attribute set $W^*$ and its user attribute set $W_{ID}$ to form the signature attribute set $W'_{ID}$, $W'_{ID} = \{w_{ID',1}, \ldots, w_{ID',i}, \ldots, w_{ID',d}\}$, where $w_{ID',i}$ is the i-th attribute of the signature attribute set $W'_{ID}$;
a) First signature generation
First, the signer computes the first part $\sigma_{1,1}$ of the first partial signature $\sigma_1$: $\sigma_{1,1} = H_1(m)^v$, where
Figure FDA0003114257090000027
is a file random factor selected by the signer;
The signer then selects a random number
Figure FDA0003114257090000028
to obtain $T = g_1^t$, uses T as the link tag, and further computes the second part $\sigma_{1,2}$ of $\sigma_1$:
Figure FDA0003114257090000029
where
Figure FDA00031142570900000210
is the attribute random factor randomly selected by the signer for the attribute $w_{ID',i}$ in the signature attribute set;
Figure FDA00031142570900000211
is the Lagrange coefficient of the polynomial f'(x) at x = 0, computed as
Figure FDA00031142570900000212
where $w_{ID',j}$ is an attribute of $W'_{ID}$ with j ≠ i;
Next, the third part $\sigma_{1,3}$ of $\sigma_1$ is computed:
Figure FDA00031142570900000213
where
Figure FDA00031142570900000214
is an attribute of the difference set $W^* \setminus W'_{ID}$ of the declared attribute set $W^*$ and the signature attribute set $W'_{ID}$, and
Figure FDA00031142570900000215
is the attribute random factor selected by the signer for each attribute in $W^* \setminus W'_{ID}$;
Finally, the signer multiplies $\sigma_{1,1}$, $\sigma_{1,2}$ and $\sigma_{1,3}$ to obtain the first partial signature $\sigma_1$: $\sigma_1 = \sigma_{1,1}\sigma_{1,2}\sigma_{1,3}$;
b) Second signature generation
Using the file random factor v randomly selected above from the finite field
Figure FDA0003114257090000038
the signer computes the second partial signature $\sigma_2$ of the file m: $\sigma_2 = g_1^v$;
c) Third signature generation
Using the selected attribute random factors $r'_i$ and $r_i^{\#}$, the signer computes the third partial signature $\sigma_3$ of the file m:
Figure FDA0003114257090000031
d) Fourth signature Generation
The signer calculates the fourth partial signature of the file m by the following method:
when $w_{ID',i} \in W'_{ID}$, calculate:
Figure FDA0003114257090000032
when
Figure FDA0003114257090000039
calculate:
Figure FDA00031142570900000310
e) outputting signatures
The signer transmits the generated signature
Figure FDA0003114257090000033
to the network server;
(4) verification phase
After receiving the signature generated by the signature algorithm, the network server verifies whether the signature is valid as follows:
Figure FDA0003114257090000034
if equation (1) above holds, the signature is valid; otherwise, the signature is invalid;
(5) linkability verification
The network server receives two different signatures generated by the signature algorithm for the files $m$ and $m'$, namely $\sigma(m)$:
Figure FDA0003114257090000035
and σ (m'):
Figure FDA0003114257090000036
wherein; sigma'1Adopting a first signature, sigma ', generated for the message m ' by the step a in the (3) signature stage for the signer '2Adopting a second signature, sigma ', generated for the message m ' by the step b in the (3) signature stage for the signer '3The third signature generated for the message m' by step c in the (3) th signature phase is adopted for the signer,
Figure FDA0003114257090000037
the signer adopts the step d in the signing stage (3) as cancellationA fourth signature is generated by the message m ', and T ' is a signer which generates a link label for the message m ' by adopting the step a in the signature stage (3);
the following validation was performed:
if the equation T ═ T ' holds, it is determined that the signature σ (m) of the file m and the signature σ (m ') of the file m ' have linkability; otherwise, it is determined that the signature σ (m) of the document m and the signature σ (m ') of the document m' do not have linkability.
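The Lagrange coefficient at x = 0 used in step a) is what allows any d attributes of the signature attribute set to recombine shares of the polynomial f'(x) in the exponent. The following Python code is an added example, not part of the patent: it uses the standard coefficient formula, a toy prime-order subgroup in place of the patent's bilinear group, and hypothetical helpers (`issue_shares`, `combine`) with constructed attribute values.

```python
# Added example. Toy parameters (constructed): P = 2Q + 1 is a safe prime and
# G generates the order-Q subgroup. The patent uses a bilinear group instead.
P, Q, G = 2039, 1019, 4

def check_attrs(attrs, q=Q):
    """Attributes are interpolation points: distinct and non-zero mod q."""
    reduced = [w % q for w in attrs]
    if 0 in reduced or len(set(reduced)) != len(reduced):
        raise ValueError("attributes must be distinct and non-zero mod q")

def lagrange_at_zero(w_i, attrs, q=Q):
    """Standard coefficient: prod over w_j != w_i of (0 - w_j)/(w_i - w_j) mod q."""
    check_attrs(attrs, q)
    num = den = 1
    for w_j in attrs:
        if w_j != w_i:
            num = num * (-w_j) % q
            den = den * (w_i - w_j) % q
    return num * pow(den, -1, q) % q

def eval_poly(coeffs, x, q=Q):
    """Horner evaluation of f'(x) = coeffs[0] + coeffs[1]*x + ... mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def issue_shares(coeffs, attrs):
    """Assumed issuer step: one share G^{f'(w)} per user attribute w."""
    check_attrs(attrs)
    return {w: pow(G, eval_poly(coeffs, w), P) for w in attrs}

def combine(shares, chosen):
    """Signer step: prod of share_w^{coeff_w}; equals G^{f'(0)} for d shares."""
    out = 1
    for w in chosen:
        out = out * pow(shares[w], lagrange_at_zero(w, chosen), P) % P
    return out

if __name__ == "__main__":
    f_prime = [777, 123, 456]            # constructed; degree d-1 with d = 3
    shares = issue_shares(f_prime, [11, 23, 35, 47, 59])   # constructed W_ID
    target = pow(G, f_prime[0], P)
    print(combine(shares, [11, 23, 35]) == target)   # any d attributes work
    print(combine(shares, [23, 47, 59]) == target)
    print(combine(shares, [11, 23]) == target)       # d-1 attributes do not
```

Attributes that collide modulo the group order would make a denominator zero, which is why `check_attrs` rejects them before any inversion is attempted.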
CN201910514752.2A 2019-06-14 2019-06-14 Linkable network ring signature method based on attributes Active CN110351093B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910514752.2A CN110351093B (en) 2019-06-14 2019-06-14 Linkable network ring signature method based on attributes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910514752.2A CN110351093B (en) 2019-06-14 2019-06-14 Linkable network ring signature method based on attributes

Publications (2)

Publication Number Publication Date
CN110351093A CN110351093A (en) 2019-10-18
CN110351093B true CN110351093B (en) 2021-08-03

Family

ID=68182149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910514752.2A Active CN110351093B (en) 2019-06-14 2019-06-14 Linkable network ring signature method based on attributes

Country Status (1)

Country Link
CN (1) CN110351093B (en)

Also Published As

Publication number Publication date
CN110351093A (en) 2019-10-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230418

Address after: Room 801, 85 Kefeng Road, Huangpu District, Guangzhou City, Guangdong Province

Patentee after: Yami Technology (Guangzhou) Co.,Ltd.

Address before: 610031 science and technology division, Southwest Jiao Tong University, 111 north section of two ring road, Sichuan, Chengdu

Patentee before: SOUTHWEST JIAOTONG University