Disclosure of Invention
In order to solve the above problems, the present invention provides an attribute-based signature method and system, which can reduce the amount of computation in the signature and verification processes and ensure the security in the signature and verification processes.
In order to achieve the purpose, the invention adopts the following technical scheme:
a first aspect of the invention provides an attribute-based signature method.
An attribute-based signature method, described from the side of an attribute authority, a signer, a verifier, an outsourced signature server and an outsourced verification server, comprises:
an attribute authority generates a public key PK and a master key MSK;
the signer generates a public key UPK and a private key USK of the signer according to the public key PK and the whole attribute set;
the signer applies for a private key from the attribute authority, the attribute authority generates a signer outsourced secret key OSK according to the attribute set, the public key UPK and the private key USK of the signer and issues it to the signer, and the signer entrusts it to an outsourced signature server;
after receiving the signature entrustment of the signer, the outsourced signature server generates a signature intermediate result Σ' and sends the signature intermediate result Σ' to the signer when it verifies that the attribute set of the signer meets the access structure;
the signer obtains a final signature Σ according to the intermediate result Σ' and the private key USK and sends the final signature Σ to the verifier;
the verifier converts the signature Σ into a signature Σ'' and sends the signature Σ'' to an outsourced verification server;
the outsourced verification server performs outsourced verification according to the converted signature Σ'', obtains an intermediate result V of the signature verification and sends the intermediate result V to the verifier;
and the verifier obtains a final verification result through local verification according to the intermediate result V.
The invention also provides an attribute-based signature method, described from the outsourced signature server and outsourced verification server sides, which comprises the following steps:
after receiving the signature entrustment of the signer, when the attribute set of the signer is verified to meet the access structure, generating an intermediate result Σ' of the signature and sending the intermediate result Σ' to the signer; the signature entrustment carries the signer outsourcing key OSK, which the attribute authority generates according to the attribute set, the public key UPK and the private key USK of the signer and issues to the signer;
receiving a signature Σ'' converted by the verifier from a final signature Σ, wherein the final signature Σ is obtained by the signer according to the intermediate result Σ' and the private key USK;
and performing outsourced verification according to the converted signature Σ'' to obtain an intermediate result V of the signature verification and sending the intermediate result V to the verifier, whereupon the verifier locally verifies according to the intermediate result V to obtain a final verification result.
A second aspect of the invention provides an attribute-based signature system.
An attribute-based signature system comprises an attribute authority, a signer, an outsourced signature server, a verifier and an outsourced verification server;
the attribute authority is used for generating a public key PK and a master key MSK;
the signer is used for generating a public key UPK and a private key USK of the signer;
the signer is also used for applying for a private key from the attribute authority, and the attribute authority is used for generating a signer outsourced secret key OSK according to the attribute set and the public key UPK of the signer, issuing the key OSK to the signer, and transmitting it to the outsourced signature server under the entrustment of the signer;
the outsourced signature server is used for generating a signature intermediate result Σ' and sending the signature intermediate result Σ' to the signer when the attribute set of the signer meets the access structure, after receiving the signature entrustment of the signer;
the signer is used for obtaining a final signature Σ according to the intermediate result Σ' and the private key USK and sending the final signature Σ to the verifier;
the verifier is used for converting the signature Σ into a signature Σ'' and sending the signature Σ'' to the outsourced verification server;
the outsourced verification server is used for carrying out outsourced verification according to the converted signature Σ'' to obtain an intermediate result V of the signature verification and sending the intermediate result V to the verifier;
and the verifier is also used for locally verifying according to the intermediate result V to obtain a final verification result.
The third aspect of the invention also provides an outsourcing server.
An outsourcing server comprising:
an outsourced signature server, used for generating a signature intermediate result Σ' and sending the signature intermediate result Σ' to the signer when the attribute set of the signer meets the access structure, after receiving the signature request of the signer; the signature entrustment carries the signer outsourcing key OSK, which the attribute authority generates according to the attribute set, the public key UPK and the private key USK of the signer and issues to the signer;
the outsourced signature server is also used for receiving a signature Σ'' converted by the verifier from a final signature Σ, wherein the final signature Σ is obtained by the signer according to the intermediate result Σ' and the private key USK;
and an outsourced verification server, used for carrying out outsourced verification according to the converted signature Σ'' to obtain an intermediate result V of the signature verification and sending the intermediate result V to the verifier, whereupon the verifier obtains a final verification result through local verification according to the intermediate result V.
The invention has the beneficial effects that:
the signer of the invention can sign with the private key corresponding to his attributes, and the verifier can verify that the attributes of the signer meet a specific access structure without learning the specific identity or attributes of the signer; meanwhile, most of the computation in the signing and verifying process is borne by the outsourcing server, so that the method is suitable for lightweight equipment with low computing capacity.
Detailed Description
The invention is further described with reference to the following figures and examples.
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Example one
The attribute-based signature method involves the following participants: an attribute authority, a signer, a verifier, an outsourced signature server and an outsourced verification server.
Attribute authority: a trusted authority that manages the attribute private key of the signer and generates, for the cloud server, a cloud server private key related to the signer.
Signer: a user with a signature requirement, who can send an outsourced signature request to the cloud server to obtain an intermediate result of the signature, which is then used to compute the final signature.
Verifier: a user with a verification requirement, who can send an outsourced verification request to the cloud server to obtain an intermediate result of the signature verification, which is then used to compute the final verification result.
Outsourced signature server and outsourced verification server: cloud servers that assist the signer and the verifier in generating the intermediate result of the signature and the intermediate result of the signature verification, respectively.
The attribute-based signature method of the embodiment includes: (1) initialization, (2) signer individual key generation, (3) signer outsourced key generation, (4) outsourced signature generation, (5) final signature generation, (6) signature conversion, (7) outsourced verification, and (8) final verification.
In this embodiment the method is described from the side of the attribute authority, the signer, the verifier, the outsourced signature server and the outsourced verification server, and comprises:
an attribute authority generates a public key PK and a master key MSK;
the signer generates a public key UPK and a private key USK of the signer according to the public key PK and the whole attribute set;
the signer applies for a private key from the attribute authority, the attribute authority generates a signer outsourced secret key OSK according to the attribute set, the public key UPK and the private key USK of the signer and issues it to the signer, and the signer entrusts it to an outsourced signature server;
after receiving the signature entrustment of the signer, the outsourced signature server generates a signature intermediate result Σ' and sends the signature intermediate result Σ' to the signer when it verifies that the attribute set of the signer meets the access structure;
the signer obtains a final signature Σ according to the intermediate result Σ' and the private key USK and sends the final signature Σ to the verifier;
the verifier converts the signature Σ into a signature Σ'' and sends the signature Σ'' to an outsourced verification server;
the outsourced verification server performs outsourced verification according to the converted signature Σ'', obtains an intermediate result V of the signature verification and sends the intermediate result V to the verifier;
and the verifier obtains a final verification result through local verification according to the intermediate result V.
Specifically, the method comprises the following steps:
(1) Initialization: the algorithm is executed by the attribute authority. The set of all attributes in the system is $U = \{1, \ldots, p-1\}$. Select bilinear groups $G, G_T$ of prime order $p$ with a bilinear map $e: G \times G \to G_T$. Select two cryptographic hash functions $H_1: \{0,1\}^* \to G$ and $H_2$. Randomly select group elements $g, h, u, v, w, \tau$ in $G$, randomly select $\alpha$ in $\{1, \ldots, p-1\}$, and compute $W = e(g, g)^{\alpha}$. Output the system public parameters PK and the system master key MSK: $PK = (g, h, u, v, w, \tau, e, H_1, H_2, W)$, $MSK = (\alpha)$.
The overall set of attributes is specified first. For example, attributes such as age, sex, profession, work unit, doctor, professor and company senior management may be related to a certain system, so the overall set of attributes related to that system is fixed in advance. Within the system the attributes may be numbered, which gives the set U mentioned here, containing the numbers 1 to p-1; whenever an attribute is used later, its number is used.
(2) Signer individual key generation: the algorithm is executed by the signer. Randomly choose $x_{uid}$ from $\{1, \ldots, p-1\}$. The public key of the signer is set to $UPK_{uid}$, and the private key is $USK_{uid} = x_{uid}$.
(3) Signer outsourcing key generation: the algorithm is executed by the attribute authority. Let the attribute set of the signer be $S = (S_1, S_2, \ldots, S_n)$. The attribute authority randomly selects $r$ from $\{1, \ldots, p-1\}$ and computes $K_1 = g^{-r}$. For each $S_i \in S$, the attribute authority randomly selects $r_i$ from $\{1, \ldots, p-1\}$ and computes the key component for $S_i$. It outputs the outsourcing key OSK of the signer. The attribute authority issues the key to the signer, and the signer entrusts the key to the outsourced signature server.
(4) Outsourced signature generation: the algorithm is executed by the outsourced signature server. After receiving an outsourced signature request (containing an access structure $A = (M, \rho)$) submitted by a signer, the server first verifies whether the signer's attribute set S satisfies the access structure $A = (M, \rho)$, where $M$ is a matrix of $l$ rows and $n$ columns, $M_i$ is the row vector formed by the $i$-th row of $M$, and $\rho$ is a function that maps a row number of $M$ to the corresponding attribute.
For example, the attributes of signer 1 are (A, B, C), the attributes of signer 2 are (A, C, D), and the attributes of signer 3 are (D, E). When the verifier verifies against the access structure (A and C) or E, the signatures of signers 1, 2 and 3 can all be verified, and the verifier knows neither which signer produced the signature (identity privacy protection) nor what the signer's specific attributes are (attribute privacy protection), because any set of attributes satisfying (A and C) or E passes verification.
If the attribute set does not satisfy the access structure, the error symbol ⊥ is output; otherwise the calculation proceeds as follows:
The outsourced signature server computes a vector $w = (w_1, w_2, \ldots, w_l)$ satisfying $\sum_{i \in I} w_i M_i = (1, 0, \ldots, 0)$, where $I = \{i : \rho(i) \in S\}$, and then selects a vector $b = (b_1, b_2, \ldots, b_l)$ satisfying the required relation. For each $i \in I$, the outsourced signature server computes the per-row components $\Sigma'_{1,i}$ and $\Sigma'_{2,i}$. It randomly selects $s$, computes $\Sigma'_3$ and $\Sigma'_4 = g^{s}$ together with the other components of the intermediate result, and outputs the intermediate signature result $\Sigma'$.
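The access-structure check at the start of step (4), and the vector w that the server must find, are the one part of the scheme the page describes completely, so the following added example implements it over Z_p in Python. It is not code from the patent; the prime p, the LSSS matrix for the policy "(A and C) or E" from the example above, and the four signer attribute sets are all constructed here for illustration. The block computes I = {i : ρ(i) ∈ S}, solves Σ_{i∈I} w_i M_i = (1, 0, …, 0) by Gaussian elimination modulo p, and returns ⊥ (None) when the signer's attributes do not satisfy the policy.

```python
# Added example (not from the patent): the access-structure check that the
# outsourced signature server performs in step (4). A = (M, rho) is a linear
# secret-sharing structure over Z_p: M has l rows and n columns, rho maps a
# row index to an attribute. The signer's attribute set S satisfies A when a
# vector w over the rows I = {i : rho(i) in S} gives
#     sum_{i in I} w_i * M_i = (1, 0, ..., 0)   (mod p).
# Assumptions: P, M_EXAMPLE, RHO_EXAMPLE and SIGNERS are constructed here.

P = 2**127 - 1  # a prime standing in for the group order p of the scheme


def satisfying_rows(M, rho, S):
    """I = {i : rho(i) in S}: rows whose attribute the signer holds."""
    return [i for i in range(len(M)) if rho[i] in S]


def solve_mod_p(rows, target, p=P):
    """Return w with sum_i w_i * rows[i] == target (mod p), or None.

    Gaussian elimination over Z_p on the transposed system: the unknowns are
    the coefficients w_i (one per selected row), and there is one equation
    per column of M.
    """
    if not rows:
        return None
    l, n = len(rows), len(rows[0])
    # Augmented matrix: n equations, l unknowns, target in the last column.
    A = [[rows[i][j] % p for i in range(l)] + [target[j] % p] for j in range(n)]
    pivot_cols, r = [], 0
    for c in range(l):
        piv = next((k for k in range(r, n) if A[k][c] != 0), None)
        if piv is None:
            continue  # w_c is a free unknown; leave it at 0
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [(x * inv) % p for x in A[r]]
        for k in range(n):
            if k != r and A[k][c] != 0:
                f = A[k][c]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivot_cols.append(c)
        r += 1
        if r == n:
            break
    # A zero equation with a nonzero right-hand side means no solution.
    if any(A[k][l] != 0 for k in range(r, n)):
        return None
    w = [0] * l
    for k, c in enumerate(pivot_cols):
        w[c] = A[k][l]
    return w


def check_access_structure(M, rho, S, p=P):
    """Step (4) pre-check: (I, w) if S satisfies A = (M, rho), else None (⊥)."""
    I = satisfying_rows(M, rho, S)
    n = len(M[0])
    w_sub = solve_mod_p([M[i] for i in I], [1] + [0] * (n - 1), p)
    if w_sub is None:
        return None
    # Expand to w = (w_1, ..., w_l) with zeros outside I, as in the page's sum.
    w = [0] * len(M)
    for k, i in enumerate(I):
        w[i] = w_sub[k]
    return I, w


def reconstructs_target(M, w, p=P):
    """Independent check that sum_i w_i * M_i == (1, 0, ..., 0) mod p."""
    n = len(M[0])
    acc = [0] * n
    for wi, row in zip(w, M):
        for j in range(n):
            acc[j] = (acc[j] + wi * row[j]) % p
    return acc == [1] + [0] * (n - 1)


# Constructed LSSS for the policy "(A and C) or E" from the page's example.
# Rows: A -> (1, 1), C -> (0, -1), E -> (1, 0); target vector (1, 0).
M_EXAMPLE = [[1, 1], [0, -1], [1, 0]]
RHO_EXAMPLE = {0: "A", 1: "C", 2: "E"}

SIGNERS = {  # constructed attribute sets; signer 4 does not satisfy the policy
    "signer 1": {"A", "B", "C"},
    "signer 2": {"A", "C", "D"},
    "signer 3": {"D", "E"},
    "signer 4": {"A", "B"},
}

if __name__ == "__main__":
    for name, S in SIGNERS.items():
        res = check_access_structure(M_EXAMPLE, RHO_EXAMPLE, S)
        if res is None:
            print(f"{name}: attribute set does not satisfy A, output bottom")
        else:
            I, w = res
            print(f"{name}: I={I}, w={w}, target reconstructed: "
                  f"{reconstructs_target(M_EXAMPLE, w)}")
```

Signers 1 and 2 both yield I = {A, C} and w = (1, 1, 0), signer 3 yields I = {E} and w = (0, 0, 1), and signer 4 is rejected; this is the sense in which the server (and later the verifier) learns only that some satisfying subset exists, not which signer it belongs to.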
(5) Final signature generation: the algorithm is executed by the signer. When the signer receives $\Sigma'$, it first uses the private key USK to compute $\Sigma_5$ and outputs the final signature $\Sigma = (m, (\Sigma_{1,i}, \Sigma_{2,i})_{i \in I}, \Sigma_3, \Sigma_4, \Sigma_5)$, where $\Sigma_{1,i} = \Sigma'_{1,i}$, $\Sigma_{2,i} = \Sigma'_{2,i}$, $\Sigma_3 = \Sigma'_3$, $\Sigma_4 = \Sigma'_4$.
(6) Signature conversion: the algorithm is executed by the verifier. After receiving the signature $\Sigma$, the verifier verifies whether the attribute set S meets the access structure A and outputs ⊥ if not; otherwise it randomly selects a secret factor $d$ and computes $\Sigma''_3 = \Sigma_3^{d}$, $\Sigma''_4 = \Sigma_4^{d}$, $\Sigma''_5 = \Sigma_5^{d}$. It converts $\Sigma$ into $\Sigma'' = (m, (\Sigma_{1,i}, \Sigma_{2,i})_{i \in I}, \Sigma''_3, \Sigma''_4, \Sigma''_5)$ and sends $\Sigma''$ to the outsourced verification server.
(7) Outsourced verification: the algorithm is executed by the outsourced verification server. On receiving $\Sigma''$, the verification server selects $\mu' = \{1, \mu'_2, \ldots, \mu'_n\}$ and, for $i \in I$, performs the outsourced calculation. It sends the intermediate result $V = (V'_1, V'_2)$ of the signature verification to the verifier.
(8) Local verification: the algorithm is executed by the verifier. The verifier receives $V = (V'_1, V'_2)$, first uses the secret random factor $d$ to compute $V_1$ and $V_2 = V'_2$, and then checks the verification equation. If the equation holds, the signature $\Sigma$ is legal and 1 is output; otherwise $\Sigma$ is an illegal signature and 0 is output.
In some practical scenarios the user only needs a "signature" to guarantee authentication and does not need "encryption" to guarantee confidentiality; in that case the user should select a signature scheme rather than a signcryption scheme. A scheme that guarantees both encryption and signature is necessarily more complex in design, its signature part is less efficient than a plain signature scheme, and that signature part cannot be separated out, so an independent signature scheme is valuable.
The present embodiment generally comprises two parts, a "signature algorithm" and a "signature verification algorithm", which are executed by the signer and the verifier respectively during signing. By outsourcing the computation of both algorithms, the local computation of both the signer and the verifier is reduced. The signer and the verifier are usually not the same party and therefore each need to invoke their own outsourcing server.
The outsourced verification server only plays an auxiliary computing role: it helps the verifier complete the complex computation and returns the intermediate result (the outsourced verification process), it cannot tell from that intermediate result whether the signature is correct or not, and the final verification is completed by the user (the local verification process). The advantage is that the trust requirement on the outsourcing server is reduced, so any public cloud service provided by a third party (Ali, Tencent, Amazon and the like) can be used. Put another way, the cloud server only helps the user complete part of the operation and does not learn the user's verification result. To achieve this, the task delegated to the cloud must be "disguised", which corresponds to the "signature conversion" process of this application: the cloud receives not the true signature but the disguised signature $\Sigma''$, can only operate on that disguised signature, and therefore does not learn whether the signature is correct. Only the user, who holds the secret factor $d$, can finally verify the correctness of the signature.
Example two
The embodiment also provides an attribute-based signature method, described from the outsourced signature server and outsourced verification server sides, which comprises the following steps:
after receiving the signature entrustment of the signer, when the attribute set of the signer is verified to meet the access structure, generating an intermediate result Σ' of the signature and sending the intermediate result Σ' to the signer; the signature entrustment carries the signer outsourcing key OSK, which the attribute authority generates according to the attribute set, the public key UPK and the private key USK of the signer and issues to the signer;
receiving a signature Σ'' converted by the verifier from a final signature Σ, wherein the final signature Σ is obtained by the signer according to the intermediate result Σ' and the private key USK;
and performing outsourced verification according to the converted signature Σ'' to obtain an intermediate result V of the signature verification and sending the intermediate result V to the verifier, whereupon the verifier locally verifies according to the intermediate result V to obtain a final verification result.
Example three
The embodiment provides an attribute-based signature system, which comprises an attribute authority, a signer, an outsourced signature server, a verifier and an outsourced verification server;
the attribute authority is used for generating a public key PK and a master key MSK;
the signer is used for generating a public key UPK and a private key USK of the signer;
the signer is also used for applying for a private key from the attribute authority, and the attribute authority is used for generating a signer outsourced secret key OSK according to the attribute set and the public key UPK of the signer, issuing the key OSK to the signer, and transmitting it to the outsourced signature server under the entrustment of the signer;
the outsourced signature server is used for generating a signature intermediate result Σ' and sending the signature intermediate result Σ' to the signer when the attribute set of the signer meets the access structure, after receiving the signature entrustment of the signer;
the signer is used for obtaining a final signature Σ according to the intermediate result Σ' and the private key USK and sending the final signature Σ to the verifier;
the verifier is used for converting the signature Σ into a signature Σ'' and sending the signature Σ'' to the outsourced verification server;
the outsourced verification server is used for carrying out outsourced verification according to the converted signature Σ'', obtaining an intermediate result V of the signature verification and sending the intermediate result V to the verifier;
and the verifier is also used for locally verifying according to the intermediate result V to obtain a final verification result.
Example four
The present embodiment provides an outsourcing server, which comprises:
an outsourced signature server, used for generating a signature intermediate result Σ' and sending the signature intermediate result Σ' to the signer when the attribute set of the signer meets the access structure, after receiving the signature request of the signer; the signature entrustment carries the signer outsourcing key OSK, which the attribute authority generates according to the attribute set, the public key UPK and the private key USK of the signer and issues to the signer;
the outsourced signature server is also used for receiving a signature Σ'' converted by the verifier from a final signature Σ, wherein the final signature Σ is obtained by the signer according to the intermediate result Σ' and the private key USK;
and an outsourced verification server, used for carrying out outsourced verification according to the converted signature Σ'' to obtain an intermediate result V of the signature verification and sending the intermediate result V to the verifier, whereupon the verifier obtains a final verification result through local verification according to the intermediate result V.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.