CN111030809B - Attribute-based signature system on lattice capable of supporting LSSS matrix - Google Patents


Info

Publication number
CN111030809B
Authority
CN
China
Prior art keywords
signature
attribute
matrix
signer
private key
Prior art date
Legal status
Active
Application number
CN201911196611.7A
Other languages
Chinese (zh)
Other versions
CN111030809A (en)
Inventor
陈燕俐
李茹
孙力娟
Current Assignee
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Priority date
Filing date
Publication date
Application filed by Nanjing University of Posts and Telecommunications
Priority to CN201911196611.7A
Publication of CN111030809A
Application granted
Publication of CN111030809B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use > H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a lattice-based attribute signature method that supports an LSSS matrix. A security parameter λ is input to the system; the private key generation center PKG generates the system public parameter PK and the system master key MK, publishes PK and keeps MK. Given the public parameter PK, the master key MK and an access structure T, a signing private key SK associated with the access structure T is generated and sent to the signer over a secure channel. Given PK, the message space Σ to be signed, the signing key SK and the signer attribute set W, a signer whose attributes satisfy the access structure T outputs the signature σ on a message M. Given the signature σ to be verified, the signed message space Σ and the signer attribute set W, the verifier judges whether the attribute set W genuinely and validly produced the signature on the message M, outputting 1 if so and 0 otherwise. In the KP-LABS algorithm adopted by the invention the private key is tied to the access structure and the signature to the signer's attribute set, which makes it easier for the data owner to control the permissions of visitors; adopting the linear secret sharing structure as the access structure allows visitor attributes to be described at fine granularity and access permissions to be controlled flexibly.

Description

Attribute-based signature system on lattice capable of supporting LSSS matrix
Technical Field
The invention relates to a lattice-based attribute signature system that supports an LSSS matrix, resists quantum attacks and realizes the most flexible access structure, the linear secret sharing structure (LSSS); it belongs to the field of cryptographic security.
Background
In 2008, Maji et al. proposed the first ABS scheme and discussed the concept of ABS in detail: a signer obtains a signing key from an attribute authority and, once its attribute set is verified to satisfy an access structure, can sign a message; that scheme is secure only in the generic group model. ABS can be classified by access policy into signature-policy ABS (SPABS) and key-policy ABS (KPABS). In SPABS the signing key is generated from the attribute set, and a message is signed under an access structure satisfied by that attribute set. In KPABS the signing key is generated from the access structure, and a message is signed under a set of attributes that satisfies the access structure.
In 2009 Shahandashti et al. proposed an ABS scheme supporting only a threshold access structure in the selective model: if the intersection of the signer's attribute set and the verifier's attribute set reaches the system threshold, the verifier can check whether the signature is legitimate. In 2011 Ge et al. proposed an ABS scheme supporting only a threshold access structure in the small-universe setting, where the attribute universe is fixed once the system is set up; the signature length of that scheme is independent of the number of attributes, so the signature length is constant, and verification needs only three pairing operations, giving low computation and communication cost. In 2012 Herranz et al. proposed ABS schemes supporting only a threshold access structure in the large-universe setting, where the attribute universe can change dynamically after the system is set up, again with constant signature length. In 2014 and 2016 Rao et al. proposed ABS schemes supporting an LSSS matrix in the small-universe and large-universe settings respectively, extending the threshold access structure and thereby realizing more flexible access control. Attribute-based signature schemes have thus achieved flexible access control, but all of them are built on bilinear pairings: the construction involves complex mathematical operations and, as quantum technology develops, cannot resist attacks by quantum computers. Lattice-based signature schemes have therefore received great attention.
In 2008 Gentry and Peikert et al. defined a trapdoor one-way function based on the SIS problem and used it to construct an identity-based encryption scheme and a signature scheme, both provably secure in the random oracle model. In 2010 Gordon et al. constructed the first lattice-based group signature scheme, and in the same year Jiang et al. constructed a lattice-based proxy signature scheme using bonsai trees. An identity-based signature scheme on lattices was proposed in 2011, followed successively by certificateless signature and blind signature schemes on lattices. In 2014 Mao Xianping et al. used the bonsai tree model to construct a lattice attribute signature scheme that supports AND-gate signing policies and is existentially unforgeable under selective access structure and static chosen-message attacks. In the same year Wang et al. proposed an attribute signature scheme on lattices supporting a threshold policy, which also achieves existential unforgeability under selective access structure and static chosen-message attacks in the standard model, based on the hardness of the small integer solution (SIS) problem. In 2016 Xie and Xiang et al. each proposed a lattice-based attribute signature scheme. In 2018 Shang Haiting et al. proposed a lattice-based attribute signcryption scheme that is existentially unforgeable under selective access structure and chosen-message attacks. Most of these signatures rely on the hardness of the small integer solution problem on lattices. None of these signature schemes realizes a linear secret sharing (LSSS) access structure.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing an attribute signature system based on a lattice cryptosystem that resists quantum attacks and realizes a linear secret sharing (LSSS) access structure.
The technical scheme is as follows: a lattice-based attribute signature system supporting an LSSS matrix, comprising a system initialization module, a private key generation module, a signature module and a signature verification module:
system initialization module (1): the system inputs a security parameter λ; the private key generation center PKG generates the system public parameter PK and the system master key MK, publishes PK and keeps MK;
private key generation module (2): given the public parameter PK, the master key MK and an access structure T, a signing private key SK associated with the access structure T is generated and sent to the signer over a secure channel;
signature module (3): given PK, the message space Σ to be signed, the signing key SK and the signer attribute set W, a signer whose attributes satisfy the access structure T outputs the signature e on the message M;
signature verification module (4): given the signature e to be verified, the signed message space Σ and the signer attribute set W, judge whether the attribute set W genuinely and validly produced the signature on the message M; output 1 if so and 0 otherwise.
The system is based on a key-policy lattice attribute-based signature algorithm.
The access structure T is a linear secret sharing structure.
The system initialization module (1) works as follows:
Input the security parameter λ and the attribute universe U = {attr_1, ..., attr_l}, where the total number of attributes in the universe is l and the message size is k; generate the system public parameter PK and master key MK by the following steps:
(1) For each attribute i in the attribute set U, first run the TrapGen(q, m) algorithm to generate an approximately random matrix A_i ∈ Z_q^{n×m} together with a full-rank short basis of Λ_q(A_i) [Figure GDA0004085680290000031], where [Figure GDA0004085680290000032];
(2) Select an approximately random matrix A_0 ∈ Z_q^{n×m};
(3) For each (a, i) ∈ {0,1} × [k], select a uniformly random matrix C_i^{(a)} ∈ Z_q^{n×m};
Finally let PK = ({A_i ∈ Z_q^{n×m}}_{i∈[l]}, A_0 ∈ Z_q^{n×m}, {C_i^{(a)}}_{(a,i)∈{0,1}×[k]});
and let MK = ({T_{A_i} ∈ Z^{m×m}}_{i∈[l]}) [Figure GDA0004085680290000033].
The private key generation module (2) generates the signing private key SK as follows:
Input the public parameter PK, the master key MK and the access structure T, and generate the corresponding private key for the user:
(1) Convert the access structure T into a low-norm linear secret sharing matrix L ∈ Z^{l×(1+θ)}, whose i-th row corresponds to the i-th attribute of the attribute set U, i ∈ [l]; the columns j ∈ [0, θ] of L ∈ Z^{l×(1+θ)} are numbered from 0 to θ, each column describing the access structure, where θ ≤ l;
(2) Construct the matrix Z_0 = Diag(A_i)_{i∈[l]} ∈ Z_q^{ln×lm} from the l "sub-matrices" A_i (i ∈ [l]) of order n×m as follows: [Figure GDA0004085680290000034]
and obtain its basis [Figure GDA0004085680290000035], where [Figure GDA0004085680290000036];
(3) For each j ∈ [θ], randomly select an n×m matrix V_j ∈ Z_q^{n×m}; construct the matrix Z_1 ∈ Z^{ln×(1+θ)m} from l×(1+θ) "sub-matrices" as follows: [Figure GDA0004085680290000041]
where L = (l_{i,j})_{i∈[l], j∈[1+θ]} is the secret sharing matrix, each row of which corresponds to one attribute of U through the mapping function ρ of the secret sharing scheme; each attribute number i appears only once, in row i;
(4) Construct [Figure GDA0004085680290000042]
(5) [Figure GDA0004085680290000043] is a basis of Λ_q(Z_0); run the algorithm ExtendBasis(T_{Z_0}, M) to obtain a basis T'_M ∈ Z^{(l+1+θ)m×(l+1+θ)m} of Λ_q(M), where [Figure GDA0004085680290000044];
(6) Run the algorithm RandBasis(T'_M, δ) to obtain a basis T_M of Λ_q(M), where [Figure GDA0004085680290000045];
The signing private key is SK = T_M ∈ Z^{(l+1+θ)m×(l+1+θ)m}.
The signature module (3) generates the signature e as follows:
The signer holds the attribute set W = {1, ..., l'} and signs the message M = (μ_1, ..., μ_k) ∈ {0,1}^k; a correct signature can be obtained when at least one subset of the signer's attributes satisfies the access matrix L = (l_{i,j})_{i∈[l], j∈[1+θ]}. The steps are:
(1) Find, in the signer's attribute set W = {1, ..., l'}, a subset that satisfies the access matrix L ∈ Z^{l×(1+θ)}, denoted [Figure GDA0004085680290000046]; at the same time find a vector g (1 row, [Figure GDA0004085680290000047] columns) satisfying g^T · L = [1, 0, ..., 0]; [Figure GDA0004085680290000048]
(2) Construct the matrix M' = [g_1 A_1 || g_2 A_2 || ··· g_l A_l || A_0 || 0·Z_1 || ··· 0·Z_θ]; take the non-zero block columns of M' to obtain [Figure GDA0004085680290000049]; record the row and column indices corresponding to the zero block columns of M' and delete those indices from T_M to obtain T''_M;
(3) Define [Figure GDA0004085680290000051]; a basis T'_F of [Figure GDA0004085680290000052] is obtained as follows: construct [Figure GDA0004085680290000053], where [1] is the m×m identity matrix, and remove the zero diagonal blocks of G to obtain [Figure GDA0004085680290000054]; compute T'_F = G′·T''_M to obtain a basis T'_F of [Figure GDA0004085680290000055];
(4) Compute [Figure GDA0004085680290000056]; let F'' = [A_1 || A_2 || ··· A_{|W|} || A_0] and F = [F'' || C_M];
(5) Run the algorithm ExtendBasis(T'_F, F) to obtain a trapdoor T_F of [Figure GDA0004085680290000057], where [Figure GDA0004085680290000058];
(6) Run the algorithm SampleGaussian(T_F, σ) to obtain the signature e ∈ Z^{m'} with F · e = 0 (mod q), [Figure GDA0004085680290000059]; the statistical distribution of e is close to [Figure GDA00040856802900000510];
The signature finally generated is e ∈ Z^{m'}.
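Step (1) of signing is the only step that needs no trapdoor: pick a subset of the signer's attributes whose rows of the LSSS matrix L reconstruct the target vector and compute g with g^T · L_W = [1, 0, ..., 0]. The example below (added here, not the patent's own code) does this for a constructed toy policy, the monotone formula (a AND b) OR c encoded as an LSSS matrix; the solver is generic Gaussian elimination over the rationals, so it also works for any other LSSS matrix.

```python
"""Signing step (1): find a satisfying attribute subset and the reconstruction
vector g with g^T * L_W = [1, 0, ..., 0].  Added illustration, not the patent's code."""
from fractions import Fraction
from itertools import combinations

# Constructed toy policy: the monotone formula (a AND b) OR c encoded as an LSSS
# matrix (Lewko-Waters labelling).  l = 3 rows, one per attribute (rho is the
# identity map, as the page assumes), and 1 + theta = 2 columns.
POLICY_L = [
    [1, 1],    # attribute 1 (a)
    [0, -1],   # attribute 2 (b)
    [1, 0],    # attribute 3 (c)
]
TARGET = [1, 0]   # g^T * L_W must equal this secret-carrying unit vector


def solve_reconstruction(rows, target=TARGET):
    """Return g (list of Fractions) with sum_r g[r] * rows[r] == target, or None
    when no such g exists, i.e. the chosen rows do not satisfy the policy.
    Plain Gaussian elimination over Q; free variables are set to 0."""
    k, w = len(rows), len(target)
    # One equation per column c of L: sum_r g[r] * rows[r][c] = target[c].
    aug = [[Fraction(rows[r][c]) for r in range(k)] + [Fraction(target[c])]
           for c in range(w)]
    pivots, row = [], 0
    for col in range(k):
        piv = next((r for r in range(row, w) if aug[r][col] != 0), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        p = aug[row][col]
        aug[row] = [x / p for x in aug[row]]
        for r in range(w):
            if r != row and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
        if row == w:
            break
    # A remaining all-zero equation with a nonzero right-hand side: inconsistent.
    if any(aug[r][-1] != 0 for r in range(row, w)):
        return None
    g = [Fraction(0)] * k
    for r, col in enumerate(pivots):
        g[col] = aug[r][-1]
    return g


def find_satisfying_subset(L, signer_attrs):
    """Search the signer's attributes (1-based row numbers, the page's W = {1..l'})
    for the smallest subset whose rows reconstruct TARGET.  Returns (subset, g),
    or (None, None) when the signer cannot sign under this policy."""
    attrs = sorted(signer_attrs)
    for size in range(1, len(attrs) + 1):
        for subset in combinations(attrs, size):
            g = solve_reconstruction([L[i - 1] for i in subset])
            if g is not None:
                return list(subset), g
    return None, None


def is_integral(g):
    """The scheme scales public matrices by g_i (M' = [g_1 A_1 || ...]), so a
    low-norm L should give integer reconstruction coefficients."""
    return all(x.denominator == 1 for x in g)


if __name__ == "__main__":
    for attrs in ({1, 2}, {3}, {1}, {2}, {1, 3}):
        subset, g = find_satisfying_subset(POLICY_L, attrs)
        print(sorted(attrs), "->", subset, None if g is None else [str(x) for x in g])
```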
The signature verification module (4) verifies a signature as follows:
(1) Construct the matrix [Figure GDA00040856802900000511];
(2) Compute [Figure GDA00040856802900000512] and F = [F'' || C_M];
If F · e = 0 (mod q) and [Figure GDA00040856802900000513], the signature verification returns 1 (correct); otherwise it returns null.
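The verifier's decision rests on two conditions: F · e = 0 (mod q) and the norm bound on e. The example below (added here, not the patent's code) runs both checks on constructed toy values; q, n, m, the bound and e are assumed placeholders, F stands in for [F'' || C_M], and since no trapdoor T_F is available the toy builds F around a chosen short e instead of sampling e from F. It also shows why the norm check cannot be dropped: q times a unit vector always satisfies the modular equation.

```python
"""Verification module (4): accept e only if F * e == 0 (mod q) AND e is short.
Added illustration, not the patent's code; all parameters are constructed toys."""
import math
import random

Q = 97          # toy modulus (real lattice parameters are far larger)
N, M = 3, 8     # F is N x M over Z_q; a signature e is a length-M integer vector
BOUND = 5.0     # toy stand-in for the page's norm bound on e


def build_toy_F(e, n, m, q, rng):
    """Build an F with F * e == 0 (mod q) for a chosen short e.  The scheme does
    this the other way round (F is public, e is found with the trapdoor T_F);
    here e is fixed first and each row's last entry is solved for, which needs
    e[-1] invertible mod q.  All other entries are drawn nonzero."""
    inv_last = pow(e[-1] % q, -1, q)
    F = []
    for _ in range(n):
        row = [rng.randrange(1, q) for _ in range(m - 1)]
        partial = sum(f * x for f, x in zip(row, e[:-1]))
        row.append((-partial * inv_last) % q)
        F.append(row)
    return F


def verify(F, e, q, bound):
    """The two checks of the verification module: F*e == 0 (mod q) and ||e|| <= bound."""
    if len(e) != len(F[0]):
        return False
    if any(sum(f * x for f, x in zip(row, e)) % q != 0 for row in F):
        return False
    return math.sqrt(sum(x * x for x in e)) <= bound


def demo():
    """Return (genuine, tampered, long_kernel_vector) verification outcomes."""
    rng = random.Random(7)                     # fixed seed: reproducible toy
    e = [1, -2, 0, 3, -1, 2, 1, 1]             # constructed short signature, ||e|| = sqrt(21)
    F = build_toy_F(e, N, M, Q, rng)
    genuine = verify(F, e, Q, BOUND)
    # Changing one coordinate shifts F*e by column 3 of F, whose entries are nonzero mod q.
    tampered = verify(F, e[:3] + [e[3] + 1] + e[4:], Q, BOUND)
    # q times a unit vector is always in the kernel mod q; only the norm check rejects it.
    long_kernel = verify(F, [Q] + [0] * (M - 1), Q, BOUND)
    return genuine, tampered, long_kernel


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```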
Correctness of step (2) of the verification method: from the algorithms SampleGaussian(T_F, σ) and ExtendBasis(T'_F, F) it follows that if we can show F' · T'_F = 0, then F · e = 0 (mod q).
The proof proceeds as follows:
1) [Figure GDA0004085680290000061], i.e. [Figure GDA0004085680290000062];
2) Because M · T_M = 0, also M' · T_M = 0, and hence M'' · T_M = 0;
3) Then [Figure GDA0004085680290000063], which verifies correctness.
Beneficial effects: compared with the prior art, the lattice-based attribute signature method supporting an LSSS matrix of the invention has the following advantages:
1. the signature module uses attribute-based signature technology, taking the user's attributes as the basis for deciding whether a signature is valid, which suits many-to-many access control;
2. the KP-LABS adopted by the invention is a key-policy lattice attribute signature algorithm (Key-Policy ABS, KP-LABS), in which the private key is tied to the access structure and the signature to the signer's attribute set, making it easier for the data owner to control visitors' permissions;
3. the invention adopts the linear secret sharing structure (LSSS) as the access structure, which describes visitor attributes at fine granularity and controls access permissions flexibly.
Drawings
FIG. 1 is a flow chart of signing with the attribute signature system on lattices supporting an LSSS matrix provided by the invention;
fig. 2 is a diagram of the system model of blockchain EHRs storage.
Detailed Description
The technical scheme of the invention is further described below with reference to the accompanying drawings.
Examples:
In a healthcare blockchain, only the data owner (the patient) can create and manage his or her own electronic health record (EHRs) data. The data owner uploads the EHRs data to the InterPlanetary File System (IPFS), signs the unique cryptographic hash value returned by IPFS, and broadcasts it to the blockchain. The invention discloses a lattice-based attribute signature system supporting an LSSS matrix, comprising a system initialization module 1, a private key generation module 2, a signature module 3 and a signature verification module 4. In the system, doctors, researchers, insurance companies and so on act as data users, who need to verify the authenticity and validity of the data; with the signature scheme of the invention, a user can verify the validity of the data without learning the real identity of the data owner, and after verifying that the signature is correct the user obtains the file location stored on IPFS and can request the corresponding file from IPFS. In this system, data users can neither modify the EHRs data on the blockchain nor broadcast data related to the EHRs to the blockchain. The invention is now described in further detail with reference to fig. 1.
Step 1: The system initialization module 1 initializes the private key generation center PKG. In this scheme the attribute universe is U = {attr_1, ..., attr_l}, where l is the total number of attributes in the universe; input the security parameter λ to generate the system public parameter PK and master key MK:
(1) For each attribute i in the attribute set U, first run the TrapGen(q, m) algorithm to generate an approximately random matrix A_i ∈ Z_q^{n×m} together with a full-rank short basis of Λ_q(A_i) [Figure GDA0004085680290000071], where [Figure GDA0004085680290000072];
(2) Select an approximately random matrix A_0 ∈ Z_q^{n×m};
(3) For each (a, i) ∈ {0,1} × [k], select a uniformly random matrix C_i^{(a)} ∈ Z_q^{n×m};
(4) Output the system public parameter and the system master key:
PK = ({A_i ∈ Z_q^{n×m}}_{i∈[l]}, A_0 ∈ Z_q^{n×m}, {C_i^{(a)}}_{(a,i)∈{0,1}×[k]})
MK = ({T_{A_i} ∈ Z^{m×m}}_{i∈[l]}) [Figure GDA0004085680290000081]
Step 2: The data owner and the users register with the private key generation center PKG. The PKG checks whether the identity of the registrant is legitimate; if so, the public parameter PK, the master key MK and an access structure T are input, and the private key generation module 2 generates the corresponding private key SK for the data owner or user and transmits it over a secure channel. The detailed steps are:
(1) Convert the access structure T into a low-norm (preferably deterministic) linear span program matrix L ∈ Z^{l×(1+θ)}, whose i-th row corresponds to the i-th attribute of the attribute set U, i ∈ [l]. The columns j ∈ [0, θ] of L ∈ Z^{l×(1+θ)} are numbered from 0 to θ, each column describing the access structure, where θ ≤ l.
(2) Construct the matrix Z_0 = Diag(A_i)_{i∈[l]} ∈ Z_q^{ln×lm} from the l "sub-matrices" A_i (i ∈ [l]) of order n×m as follows: [Figure GDA0004085680290000082]
Its basis is easily obtained: [Figure GDA0004085680290000083] [Figure GDA0004085680290000084], where [Figure GDA0004085680290000085].
(3) For each j ∈ [θ], randomly select an n×m matrix V_j ∈ Z_q^{n×m}. Construct the matrix Z_1 ∈ Z^{ln×(1+θ)m} from l×(1+θ) "sub-matrices" of order n×m according to the access matrix L = (l_{i,j})_{i∈[l], j∈[1+θ]}, as follows: [Figure GDA0004085680290000091]
Each row of L = (l_{i,j})_{i∈[l], j∈[1+θ]} corresponds to one attribute of U through the mapping function ρ of the secret sharing scheme. In this section we assume, for simplicity, that each attribute (number i) appears only once (in row i), so that the mapping function ρ is the identity function.
(4) Construct [Figure GDA0004085680290000092]
(5) From step 2-(2), [Figure GDA0004085680290000099] is a basis of Λ_q(Z_0); run the algorithm ExtendBasis(T_{Z_0}, M) to obtain a basis T'_M ∈ Z^{(l+1+θ)m×(l+1+θ)m} of the lattice of the matrix M ∈ Z^{ln×(l+1+θ)m}, where [Figure GDA0004085680290000093];
(6) Run the algorithm RandBasis(T'_M, δ) to obtain a basis T_M of Λ_q(M), where [Figure GDA0004085680290000094];
Finally the PKG sends the signing private key SK = T_M ∈ Z^{(l+1+θ)m×(l+1+θ)m} to the data owner and users over secure channels.
Step 3: The data owner stores the file (the EHRs record) in the InterPlanetary File System (IPFS), which returns the location of the data owner's file (its unique cryptographic hash string).
Step 4: The data owner places the unique cryptographic hash string on a blockchain transaction record, signs the record with the signing private key distributed by the PKG, and uploads the signed transaction record to the blockchain. Using blockchain technology guarantees an audit trail of all transactions in the immutable distributed ledger and thus the trustworthiness of the EHRs. The detailed steps for generating the signature e in the signature module 3 are:
(1) Find, in the data owner's attribute set W = {1, ..., l'}, a subset that satisfies the access matrix L ∈ Z^{l×(1+θ)}, denoted [Figure GDA0004085680290000095]; at the same time find a vector g (1 row, [Figure GDA0004085680290000096] columns) satisfying g^T · L = [1, 0, ..., 0]; [Figure GDA0004085680290000097]
(2) Construct the matrix M' = [g_1 A_1 || g_2 A_2 || ··· g_l A_l || A_0 || 0·Z_1 || ··· 0·Z_θ]; take the non-zero block columns of M' to obtain [Figure GDA0004085680290000098]; delete from T_M the indices corresponding to the rows and columns of the zero block columns of M' to obtain T''_M.
(3) If [Figure GDA00040856802900001010], then a basis T'_F of [Figure GDA0004085680290000101] can be obtained as follows: construct [Figure GDA0004085680290000102] (where [1] is the m×m identity matrix), remove the zero diagonal blocks of G to obtain [Figure GDA0004085680290000103]; compute T'_F = G′·T''_M to obtain a basis T'_F of [Figure GDA0004085680290000104].
(4) Compute [Figure GDA0004085680290000105]; let F'' = [A_1 || A_2 || ··· A_{|W|} || A_0] and F = [F'' || C_M].
(5) Run the algorithm ExtendBasis(T'_F, F) to obtain a trapdoor T_F of F, where [Figure GDA0004085680290000106];
(6) Run the algorithm SampleGaussian(T_F, σ) to obtain the signature e ∈ Z^{m'}, so that F · e = 0 (mod q), where [Figure GDA0004085680290000107].
Finally, the data owner signs the transaction record containing the file location on IPFS and uploads it to the blockchain.
Step 5: A user who wants the data first verifies the signature on the blockchain transaction record containing the file location on IPFS, and judges from the correctness of the signature whether the file stored on IPFS by the data owner is genuine and valid. The signature verification module 4 performs the following steps:
(1) Construct the matrix F'' = [A_1 || A_2 || ··· A_{|W|} || A_0].
(2) Compute [Figure GDA0004085680290000108] and F = [F'' || C_M].
If F · e = 0 (mod q) and [Figure GDA0004085680290000109], the signature verification passes, i.e. the file stored on IPFS by the data owner is genuine and valid, and the user can use it.
Step 6: The user requests the corresponding file from IPFS using the file location on the blockchain transaction record.
Step 7: IPFS returns the file at the corresponding location to the user.

Claims (5)

1. A lattice-based attribute signature system supporting LSSS matrices, characterized in that: the system comprises a system initialization module, a private key generation module, a signature module and a signature verification module:
system initialization module (1): the system inputs a security parameter λ; the private key generation center PKG generates the system public parameter PK and the system master key MK, publishes PK and keeps MK;
private key generation module (2): given the public parameter PK, the master key MK and an access structure T, a signing private key SK associated with the access structure T is generated and sent to the signer over a secure channel;
signature module (3): given PK, the message space Σ to be signed, the signing key SK and the signer attribute set W, a signer whose attributes satisfy the access structure T outputs the signature e on the message M;
signature verification module (4): given the signature e to be verified, the signed message space Σ and the signer attribute set W, judge whether the attribute set W genuinely and validly produced the signature on the message M; output 1 if so and 0 otherwise;
the specific method for initializing the system initialization module (1) comprises the following steps:
inputting a security parameter lambda, and a property corpus U= { attr 1 ,...,attr l The total number of attributes in the attribute corpus is l, the message size is k, and the system public parameter PK and the master key MK are generated, which comprises the following specific steps:
(11) For each attribute i in the attribute set U, the TrapGen (q, m) algorithm is first run to generate an approximately random matrix A i ∈Z q n*m Sum lambda q (A i ) Full rank short basis
Figure FDA0004085680280000011
Wherein->
Figure FDA0004085680280000012
(12) Selecting an approximately random matrix A 0 ∈Z q n×m
(13) For each (a, i) ∈ {0,1} × [ k ]]Randomly selecting a matrix C with uniform distribution i (a) ∈Z q n×m
The final ream pk= ({ a) i ∈Z q n×m } i∈[l] ,A 0 ∈Z q n×m ,{C i (a) } (a,i)∈[0,1]×[k] );
Let msk= ({ T Ai ∈Z m*m } i∈[l] );
The specific method for generating the signature private key SK by the private key generation module (2) comprises the following steps:
the method comprises the following steps of inputting public parameters PK, a master key MK and an access structure T, and generating a corresponding private key for a user:
(21) Linear secret sharing matrix L epsilon Z for converting access structure T into low norm l×(1+θ) The ith row of the matrix corresponds to the ith attribute in the z-attribute set U, where i ε [ l ]],L∈Z l×(1+θ) Column j e [0, θ ]]Numbering starts from 0 to θ, each column being an access structure L ε Z l*(1+θ) Wherein θ.ltoreq.l;
(22) Construction matrix Z 0 =Diag(A i ) i∈l ∈Z q ln×lm From l "submatrices" A of order n x m i (i ε l) is constructed as follows:
Figure FDA0004085680280000021
obtaining a base
Figure FDA0004085680280000022
Wherein the method comprises the steps of
Figure FDA0004085680280000023
/>
(23) For each j E [ theta ]]Randomly selecting an n-m order matrix V j ∈Z q n×m The method comprises the steps of carrying out a first treatment on the surface of the Constructing a matrix Z 1 ∈Z ln ×(1+θ)m The "submatrices" of order l× (1+θ) are composed as follows:
Figure FDA0004085680280000024
L=(l i,j ) i∈[l],j∈[1+θ] each row in the secret sharing scheme corresponds to one attribute in U through a mapping function rho in the secret sharing scheme; each attribute number i appears only once in the ith row;
(24) Structure of the device
Figure FDA0004085680280000025
(25)T Z0 Is lambda q (Z 0 ) Is executed by the algorithm ExtendBasis (T Z0 M) to obtain Λ q The radical T 'of (M)' M ∈Z (l +1+θ)m×(l+1+θ)m Wherein
Figure FDA0004085680280000026
(26) The algorithm randbisis (T' M δ), yielding Λ q Base T of (M) M Wherein
Figure FDA0004085680280000027
The signature private key is as follows: sk=t M ∈Z (l+1+θ)m×(l+1+θ)m
2. The lattice-based attribute signature system supporting LSSS matrices according to claim 1, characterized in that: the system is based on a key-policy lattice attribute-based signature algorithm.
3. The lattice-based attribute signature system supporting LSSS matrices according to claim 1, characterized in that: the access structure T is a linear secret sharing structure.
4. The lattice-based attribute signature system supporting LSSS matrices according to claim 1, characterized in that: the signature module (3) generates the signature e as follows:
the attribute set owned by the signer is w= {1, … l' }, message m= (μ) 1 ,...,μ k )∈{0,1} k Signing, wherein at least one subset of the signer attributes satisfies an access matrix l= (L) i,j ) i∈[l],j∈[1+θ] The correct signature can be obtained, and the specific steps are as follows:
(31) Within the signer's attribute set W = {1, …, l'}, find the subset that satisfies the access matrix L ∈ Z^{l×(1+θ)}, denoted
Figure FDA0004085680280000031
and at the same time select a 1-row,
Figure FDA0004085680280000032
-column vector g satisfying g^T · L = [1, 0, …, 0];
Figure FDA0004085680280000033
(32) Construct the matrix M' = [g_1 A_1 || g_2 A_2 || ··· || g_l A_l || A_0 || 0Z_1 || ··· || 0Z_θ]; take the non-zero block columns of M' to obtain
Figure FDA0004085680280000034
Record the row and column subscripts corresponding to the zero block columns of M', and delete the corresponding subscripts from T_M to obtain T″_M.
(33) Define
Figure FDA00040856802800000310
and follow the procedure below to obtain a basis T'_F of [Figure FDA0004085680280000035]:
Construct
Figure FDA0004085680280000036
where [1] is the m×m identity matrix; remove the zero diagonal blocks of G to obtain
Figure FDA0004085680280000037
Compute T'_F = G′ T″_M to obtain a basis T'_F of [Figure FDA0004085680280000038].
(34) Compute
Figure FDA0004085680280000039
Let F″ = [A_1 || A_2 || ··· || A_{|W|} || A_0] and F = [F″ || C_M];
(35) Use the algorithm ExtendBasis(T'_F, F) to obtain a trapdoor T_F of [Figure FDA0004085680280000041], where
Figure FDA0004085680280000042
(36) Use the algorithm SampleGaussian(T_F, σ) to obtain the signature e ∈ Z^{m′}, where F · e = 0 (mod q) and
Figure FDA0004085680280000043
and the statistical distribution of e is close to
Figure FDA0004085680280000044
The final signature is e ∈ Z^{m′}.
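As an added example (not part of the patent), the following Python computes the vector g required in step (31) of claim 4 for a constructed 2-of-3 threshold LSSS matrix L over Z_q: it solves g^T · L = [1, 0, …, 0] (mod q) using only rows of a chosen attribute subset S, returns None when S does not satisfy L, and checks the result. It assumes q is prime and numbers attributes from 0; L_DEMO, Q_DEMO and the function names are hypothetical.

```python
# Constructed sample (not from the patent): a 2-of-3 threshold access structure as an
# LSSS matrix with l = 3 rows (one per attribute) and 1+theta = 2 columns over q = 7,
# a small prime chosen for readability; the scheme's real q is far larger.
Q_DEMO = 7
L_DEMO = [[1, 1], [1, 2], [1, 3]]  # row i <-> attribute i (0-based here; the claims count from 1)

def solve_mod_q(A, b, q):
    """Solve A*x = b over Z_q (q prime) by Gauss-Jordan elimination.
    Returns one solution (free variables 0) or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    M = [[a % q for a in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, q)  # q prime: every nonzero entry is invertible
        M[r] = [(v * inv) % q for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % q for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][cols] for i in range(r, rows)):  # a row "0 = nonzero": no solution
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = M[i][cols]
    return x

def reconstruction_vector(L, S, q):
    """Step (31): for attribute subset S, find g with g_i = 0 outside S and
    g^T * L = [1, 0, ..., 0] (mod q); None means S does not satisfy L."""
    S = sorted(S)
    A = [[L[i][j] for i in S] for j in range(len(L[0]))]  # one equation per column of L
    sol = solve_mod_q(A, [1] + [0] * (len(L[0]) - 1), q)
    if sol is None:
        return None
    g = [0] * len(L)
    for k, i in enumerate(S):
        g[i] = sol[k]
    return g

def check_reconstruction(L, g, q):
    """The condition of step (31): g^T * L == [1, 0, ..., 0] (mod q)."""
    prod = [sum(g[i] * L[i][j] for i in range(len(L))) % q for j in range(len(L[0]))]
    return prod == [1] + [0] * (len(L[0]) - 1)
```

For L_DEMO, the subset {0, 1} yields g = [2, 6, 0], while the single attribute {0} is unauthorized and yields None.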
5. The lattice-based attribute signature system supporting LSSS matrices of claim 1, wherein the signature verification module (4) verifies a signature as follows:
(41) Construct the matrix F″ = [A_1 || A_2 || ··· || A_{|W|} || A_0];
(42) Compute
Figure FDA0004085680280000045
and F = [F″ || C_M];
if F · e = 0 (mod q) and
Figure FDA0004085680280000046
then the signature verifies correctly and 1 is returned; otherwise null is returned.
CN201911196611.7A 2019-11-28 2019-11-28 Attribute-based signature system on lattice capable of supporting LSSS matrix Active CN111030809B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911196611.7A CN111030809B (en) 2019-11-28 2019-11-28 Attribute-based signature system on lattice capable of supporting LSSS matrix


Publications (2)

Publication Number Publication Date
CN111030809A CN111030809A (en) 2020-04-17
CN111030809B true CN111030809B (en) 2023-04-21

Family

ID=70207035





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant