CN112600851A - Link traceable anonymous authentication method for event - Google Patents

Abstract

The invention discloses an event-oriented linkable traceable anonymous authentication method, which comprises the following steps: initializing a system, and generating a master public key and a master private key; generating a user secret key, namely generating a public and private key pair of the user through a secret key generation algorithm; generating a certificate of a user through a certificate generation algorithm; anonymous authentication information, and authenticating the information through an authentication algorithm; verifying the authentication, namely verifying the obtained authentication through a verification algorithm; link authentication, namely checking whether two authentication tokens come from the same user through a link algorithm; and tracking the secondary authentication user, and obtaining the public key of the secondary authentication user through a tracking algorithm when the secondary authentication user is linked to the two authentication tokens. The method does not depend on group signature or ring signature, has complete anonymity in one-time authentication in the authentication facing the same event, and further realizes the linkability and traceability which do not depend on an authority aiming at the condition of twice authentication, thereby balancing anonymity and accountability.

Description

Link traceable anonymous authentication method for event

Technical Field

The invention belongs to the technical field of anonymous authentication, and particularly relates to an event-oriented linkable traceable anonymous authentication method.

Background

The anonymous authentication is an authentication protocol for protecting privacy, namely, on the premise of effectively protecting sensitive information of a user, the authentication function of the message is completed, and meanwhile, the verifiability can be ensured. In the group signature or ring signature, the group members can sign the message on behalf of the whole group without revealing the identity of the group members, but the group administrator in the group signature can open the signature and discover a signer, and the ring signature has no role of the group administrator, so that anyone can not open the signature, and the stronger anonymity is achieved. The common linkable group signature and the linkable ring signature can identify two signatures of the same user, but fail to further track the identity of the user. Moreover, such accountability is somewhat dependent on trusted parties and does not enable open traceability. While traceable attribute-based signatures and traceable anonymous credential schemes may guarantee users to authenticate messages anonymously and to track malicious users, the tracking process relies on trusted authorities and does not enable public traceability. Current implementations of publicly linkable traceable anonymous authentication schemes are based on group signatures or ring signatures, nor do they suggest a corresponding generic construction scheme.

Disclosure of Invention

The invention mainly aims to overcome the defects of the prior art and provide an event-oriented anonymous authentication method capable of linking and tracing, which is based on the realization of anonymity and verifiability of the existing anonymous authentication, realizes that the anonymous authentication is independent of group signatures or ring signatures, has anonymity once in the authentication for the same event, and further realizes the linkable and traceable properties independent of an authority aiming at the condition of twice authentication, thereby balancing the anonymity and the accountability.

In order to achieve the purpose, the invention adopts the following technical scheme:

an event-oriented linkable traceable anonymous authentication method, comprising the steps of:

initializing a system, and generating a main public key and a main private key by setting an algorithm;

generating a user secret key, namely generating a public and private key pair of the user through a secret key generation algorithm;

generating a user certificate, namely generating the certificate of the user through a certificate generating algorithm;

the method comprises the steps of anonymizing authentication information, authenticating the information through an authentication algorithm, and generating an authentication token;

verifying authentication, namely verifying the obtained authentication token through a verification algorithm;

link authentication, namely checking whether two authentication tokens come from the same user through a link algorithm;

and tracking the secondary authentication user, and obtaining the public key of the secondary authentication user through a tracking algorithm when the secondary authentication user is linked to the two authentication tokens.

Further, the system initialization specifically includes:

let S ═ s.setup, s.sign, s.verify, and U ═ u.setup, u.sign, u.verify) be two digital signature schemes;

S.Setup is a setting algorithm of the S scheme, specifically S.Setup (lambda) → (pk, msk), inputs a security parameter lambda, outputs a verification key pk and a signature key msk, and is used for initializing the signature scheme;

s. sign is a certificate generation algorithm of the S scheme, specifically s.sign (upk)_i,msk)→σ_iInput public key upk_iAnd a signature key msk, an output certificate sigma_iA certificate authority for generating a certificate for the user;

s.verify is a verification algorithm of the S scheme, specifically S.verify (upk)_i,σ_iPk) → 0/1, import public key upk_iCertificate sigma_iAnd verifying the key pk to output 0 or 1 for verifying the validity of the certificate;

setup is a setting algorithm of the U scheme, specifically, U setup (λ) → (upk)_i,usk_i) Input security parameter lambda, output public key upk_iAnd private key usk_iThe system is used for generating a public and private key pair of a user;

wherein i is a positive integer.

Further, the system initialization further includes:

let Z ═ (z.setup, z.river, z.verifier) be zk-SNARK protocol;

setting algorithm of Z scheme, Z scheme (lambda £.,) → crs, inputting safety parameter lambda and language £ and outputting public reference character string crs for initializing zk-SNARK scheme;

the proof algorithm of the Z scheme is Z.Prover (x, w, crs) → eta, the input statement x, the evidence w and the public reference character string crs, and the output proof eta is used for generating a proof;

the verification algorithm of the Z scheme is Z.Verifier (x, pi, crs) → 0/1, the input statement x, the authentication token pi and the common reference character string crs, and the output is 0 or 1, which is used for verifying the validity of the authentication token pi.

Further, the setting algorithm is expressed as CSetup (λ,) and specifically:

calling an S.Setup (lambda) algorithm to generate a verification key pk and a signature key msk;

invoking a Z.Setup (lambda ) algorithm to generate a public reference character string crs;

two Hash functions are selected, H₁:{0,1}^*×{0,1}^*→USK，H₂:{0,1}^*×{0,1}^*→USK；

Wherein, the USK is a private key space;

export master public key mpk ═ (pk, crs, H)₁,H₂) The master private key msk.

Further, the key generation algorithm is expressed as UKeyGen (λ), and specifically includes:

set (λ) algorithm is invoked to generate a pair of public and private keys (upk) for the user_i,usk_i)。

Further, the certificate generation algorithm is denoted CertGen (upk)_iMsk), in particular:

signal (upk) call S._iMsk) algorithm, input derived public key upk_iAnd a signature key msk generated by the certificate authority and outputting a certificate sigma_i。

Further, the authentication algorithm is denoted as Auth (m, upk)_i,usk_i,σ_iMpk), in particular:

let message m ═ e | | | p;

wherein e is an event identifier, p is the load of the message m, and | represents a connector;

calculating t₁＝H₁(e,usk_i)，t₂＝H₂(e,upk_i||usk_i)+p·usk_i；

Let x be (m, t)₁,t₂Mpk) is a statement, w ═ upk_i,usk_i,σ_i) For one proof, for NP language L ═ { x ═ (m, t ═ m, t)₁,t₂,mpk):

w＝(upk_i,usk_i,σ_i)s.t.upk_i＝f(usk_i)∧t₁＝H₁(e,usk_i)∧t₂＝H₂(e,upk_i||usk_i)+p·usk_i∧S.Verify(upk_i,σ_i,pk)＝1}；

The function f is USK → UPK is used for checking the consistency of the public and private keys, and the UPK is a public key space;

calling a ZK.Prover (x, w, crs) algorithm to generate a proof eta;

output authentication token pi ═ (t)₁,t₂,η)。

Further, the verification algorithm is expressed as Verify (m, pi, mpk), and specifically includes:

and calling Z.Verifier (x, pi, crs), verifying the validity of the obtained authentication token pi, and outputting 1 if the verification is passed, otherwise outputting 0.

Further, the linking algorithm is denoted Link (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

checking for two t's corresponding to two authentication tokens₁And whether the two are equal or not is judged, if so, 1 is output, and otherwise, 0 is output.

Further, the tracking algorithm is denoted as Trace (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

suppose that

And

respectively for a certain user to message m₁＝e||p₁And m₂＝e||p₂Two generated authentication tokens;

wherein p is₁And p₂Are two different message loads, i.e. p₁≠p₂；

If the chaining algorithm outputs 1, then

If the two authentication tokens generated by the same user are detected, the user's identity is calculated

The corresponding upk is then calculated using function f_i。

Compared with the prior art, the invention has the following advantages and beneficial effects:

1. the invention provides a general construction scheme independent of group signature or ring signature aiming at the condition that the current linkable traceable anonymous authentication scheme usually depends on the group signature or the ring signature and the scheme does not provide a general construction scheme, thereby improving the compatibility and the expandability of the scheme and having higher innovation value and application value.

2. Aiming at the requirements of privacy protection and verifiability, according to the characteristic that zk-SANRK has zero knowledge, the invention realizes that the identity information of a user is not leaked in the anonymous authentication process, anyone can not effectively identify the identity of the user, and meanwhile, the anonymous authentication can be publicly verified.

3. Aiming at the condition that the current anonymous authentication scheme usually depends on a trusted authority to realize tracking, the invention adopts the technology of preventing double flowers based on electronic cash, achieves the aim of allowing all people to track the secondary authentication user in the authentication facing the same event, and maintains the anonymity of the user authenticated once, thereby having higher innovation degree and practicability.

Drawings

FIG. 1 is a flow chart of the method of the present invention.

Detailed Description

The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited thereto.

Examples

As shown in FIG. 1, the invention relates to an event-oriented linkable traceable anonymous authentication method, which comprises the following steps:

s1, initializing the system, and generating a main public key and a main private key through a setting algorithm;

s11, initializing the system, specifically:

let S ═ s.setup, s.sign, s.verify, and U ═ u.setup, u.sign, u.verify) be two digital signature schemes;

S.Setup is a setting algorithm of the S scheme, specifically S.Setup (lambda) → (pk, msk), inputs a security parameter lambda, outputs a verification key pk and a signature key msk, and is used for initializing the signature scheme;

s. sign is a certificate generation algorithm of the S scheme, specifically s.sign (upk)_i,msk)→σ_iInput public key upk_iAnd a signature key msk, an output certificate sigma_iA certificate authority for generating a certificate for the user;

s.verify is a verification algorithm of the S scheme, specifically S.verify (upk)_i,σ_iPk) → 0/1, import public key upk_iCertificate sigma_iAnd verifying the key pk to output 0 or 1 for verifying the validity of the certificate;

setup is a setting algorithm of the U scheme, specifically, U setup (λ) → (upk)_i,usk_i) Input security parameter lambda, output public key upk_iAnd private key usk_iThe system is used for generating a public and private key pair of a user;

let Z ═ (z.setup, z.river, z.verifier) be zk-SNARK protocol;

setting algorithm of Z scheme, Z scheme (lambda £.,) → crs, inputting safety parameter lambda and language £ and outputting public reference character string crs for initializing zk-SNARK scheme;

the proof algorithm of the Z scheme is Z.Prover (x, w, crs) → eta, the input statement x, the evidence w and the public reference character string crs, and the output proof eta is used for generating a valid proof;

the verification algorithm of the Z scheme is Z.Verifier (x, pi, crs) → 0/1, the declaration x, the authentication token pi and the common reference character string crs are input, and 0 or 1 is output for verifying the validity of the authentication token;

wherein i is a positive integer.

S12, generating a main public key and a main private key through a setting algorithm; the setting algorithm is specifically expressed as CSetup (λ, £ and) and specifically:

calling an S.Setup (lambda) algorithm to generate a verification key pk and a signature key msk;

invoking a Z.Setup (lambda ) algorithm to generate a public reference character string crs;

two Hash functions are selected, H₁:{0,1}^*×{0,1}^*→USK，H₂:{0,1}^*×{0,1}^*→USK；

Wherein, the USK is a private key space;

export master public key mpk ═ (pk, crs, H)₁,H₂) The master private key msk.

S2, generating a user key, specifically:

generating a public and private key pair of a user through a secret key generation algorithm; the key generation algorithm is specifically expressed as UKeyGen (λ), and specifically includes:

set (λ) algorithm is invoked to generate a pair of public and private keys (upk) for the user_i,usk_i)。

S3, generating a user certificate, specifically:

generating a certificate of a user through a certificate generation algorithm; the certificate generation algorithm is specifically denoted CertGen (upk)_iMsk), in particular:

signal (upk) call S._iMsk) algorithm, generated by a certificate authority and outputting a certificate sigma_i。

S4, the anonymous authentication message specifically includes:

authenticating a message by an authentication algorithmGenerating an authentication token; the authentication algorithm is specifically denoted Auth (m, upk)_i,usk_i,σ_iMpk), in particular:

let message m ═ e | | | p;

wherein e is an event identifier, p is the load of the message m, and | represents a connector;

calculating t₁＝H₁(e,usk_i)，t₂＝H₂(e,upk_i||usk_i)+p·usk_i；

Let x be (m, t)₁,t₂Mpk) is a statement, w ═ upk_i,usk_i,σ_i) For one proof, for NP language L ═ { x ═ (m, t ═ m, t)₁,t₂,mpk):

w＝(upk_i,usk_i,σ_i)s.t.upk_i＝f(usk_i)∧t₁＝H₁(e,usk_i)∧t₂＝H₂(e,upk_i||usk_i)+p·usk_i∧S.Verify(upk_i,σ_i,pk)＝1}；

The function f is USK → UPK is used for checking the consistency of the public and private keys, and the UPK is a public key space;

calling a Z.Prover (x, w, crs) algorithm to generate a proof eta;

output authentication token pi ═ (t)₁,t₂,η)。

S5, verifying and authenticating, specifically comprising:

verifying the obtained authentication token through a verification algorithm; the verification algorithm is specifically expressed as Verify (M, pi, mpk), and specifically includes:

and calling Z.Verifier (x, pi, crs), verifying the validity of the authentication token pi, and outputting 1 if the verification is passed, otherwise outputting 0.

S6, link authentication, specifically:

checking whether the two authentication tokens come from the same user through a link algorithm; the linking algorithm is specifically denoted Link (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

checking for two t's corresponding to two authentication tokens₁And whether the two are equal or not is judged, if so, 1 is output, and otherwise, 0 is output.

S7, tracking the identity of the secondary authentication user, specifically:

when the two authentication tokens are linked, obtaining the public key of the secondary authentication user through a tracking algorithm; the tracking algorithm is particularly denoted Trace (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

suppose that

And

respectively for a certain user to message m₁＝e||p₁And m₂＝e||p₂Two generated authentication tokens;

wherein p is₁And p₂Are two different message loads, i.e. p₁≠p₂；

If the chaining algorithm outputs 1, then

If the two authentication tokens generated by the same user are detected, the user's identity is calculated

The corresponding upk is then calculated using function f_i。

It should also be noted that in this specification, terms such as "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An event-oriented linkable traceable anonymous authentication method, characterized by comprising the steps of:

initializing a system, and generating a main public key and a main private key by setting an algorithm;

generating a user secret key, namely generating a public and private key pair of the user through a secret key generation algorithm;

generating a user certificate, namely generating the certificate of the user through a certificate generating algorithm;

the method comprises the steps of anonymizing authentication information, authenticating the information through an authentication algorithm, and generating an authentication token;

verifying authentication, namely verifying the obtained authentication token through a verification algorithm;

link authentication, namely checking whether two authentication tokens come from the same user through a link algorithm;

and tracking the secondary authentication user, and obtaining the public key of the secondary authentication user through a tracking algorithm when the secondary authentication user is linked to the two authentication tokens.

2. The event-oriented linkable traceable anonymous authentication method according to claim 1, wherein said system initialization is specifically:

let S ═ s.setup, s.sign, s.verify, and U ═ u.setup, u.sign, u.verify) be two digital signature schemes;

S.Setup is a setting algorithm of the S scheme, specifically S.Setup (lambda) → (pk, msk), inputs a security parameter lambda, outputs a verification key pk and a signature key msk, and is used for initializing the signature scheme;

s. sign is a certificate generation algorithm of the S scheme, specifically s.sign (upk)_i,msk)→σ_iInput public key upk_iAnd a signature key msk, an output certificate sigma_iA certificate authority for generating a certificate for the user;

s.verify is a verification algorithm of the S scheme, specifically S.verify (upk)_i,σ_iPk) → 0/1, import public key upk_iCertificate sigma_iAnd verifying the key pk to output 0 or 1 for verifying the validity of the certificate;

setup is a setting algorithm of the U scheme, specifically, U setup (λ) → (upk)_i,usk_i) Input security parameter lambda, output public key upk_iAnd private key usk_iThe system is used for generating a public and private key pair of a user;

wherein i is a positive integer.

3. The event-oriented linkable traceable anonymous authentication method according to claim 1, wherein said system initialization further comprises:

let Z ═ (z.setup, z.river, z.verifier) be zk-SNARK protocol;

setting algorithm of Z scheme, Z scheme (lambda £.,) → crs, inputting safety parameter lambda and language £ and outputting public reference character string crs for initializing zk-SNARK scheme;

the proof algorithm of the Z scheme is Z.Prover (x, w, crs) → eta, the input statement x, the evidence w and the public reference character string crs, and the output proof eta is used for generating a proof;

the verification algorithm of the Z scheme is Z.Verifier (x, pi, crs) → 0/1, the input statement x, the authentication token pi and the common reference character string crs, and the output is 0 or 1, which is used for verifying the validity of the authentication token.

4. Event-oriented linkable traceable anonymous authentication method according to claim 2 or 3, characterized in that said setting algorithm is denoted CSetup (λ £ j), in particular:

calling an S.Setup (lambda) algorithm to generate a verification key pk and a signature key msk;

invoking a Z.Setup (lambda ) algorithm to generate a public reference character string crs;

two Hash functions are selected, H₁:{0,1}^*×{0,1}^*→USK，H₂:{0,1}^*×{0,1}^*→USK；

Wherein, the USK is a private key space;

export master public key mpk ═ (pk, crs, H)₁,H₂) The master private key msk.

5. The event-oriented linkable traceable anonymous authentication method according to claim 4, wherein said key generation algorithm is denoted UKeyGen (λ), in particular:

set (λ) algorithm is invoked to generate a pair of public and private keys (upk) for the user_i,usk_i)。

6. The event-oriented linkable traceable anonymous authentication method of claim 5, wherein the certificate generation algorithm is represented as CertGen (upk)_iMsk), in particular:

signal (upk) call S._iMsk) algorithm, input derived public key upk_iAnd a signature key msk generated by the certificate authority and outputting a certificate sigma_i。

7. The event-oriented linkable traceable anonymous authentication method according to claim 6, wherein said authentication algorithm is denoted Auth (m, upk)_i,usk_i,σ_iMpk), in particular:

let message m ═ e | | | p;

wherein e is an event identifier, p is the load of the message m, and | represents a connector;

calculating t₁＝H₁(e,usk_i)，t₂＝H₂(e,upk_i||usk_i)+p·usk_i；

Let x be (m, t)₁,t₂Mpk) is a statement, w ═ upk_i,usk_i,σ_i) For an evidence, for NP language

The function f is USK → UPK is used for checking the consistency of the public and private keys, and the UPK is a public key space;

calling a ZK.Prover (x, w, crs) algorithm to generate a proof eta;

output authentication token pi ═ (t)₁,t₂,η)。

8. The event-oriented linkable traceable anonymous authentication method according to claim 7, wherein said verification algorithm is denoted Verify (m, pi, mpk), and in particular:

and calling Z.Verifier (x, pi, crs), verifying the validity of the obtained authentication token pi, and outputting 1 if the verification is passed, otherwise outputting 0.

9. The event-oriented linkable traceable anonymous authentication method according to claim 8, wherein the linking algorithm is denoted Link (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

checking for two t's corresponding to two authentication tokens₁And whether the two are equal or not is judged, if so, 1 is output, and otherwise, 0 is output.

10. The event-oriented linkable traceable anonymous authentication method according to claim 9, wherein said tracing algorithm is represented by Trace (m)₁,m₂,π₁,π₂) The method specifically comprises the following steps:

suppose that

And

respectively for a certain user to message m₁＝e||p₁And m₂＝e||p₂Two generated authentication tokens;

wherein p is₁And p₂Are two different message loads, i.e. p₁≠p₂；

If the chaining algorithm outputs 1, then

If the two authentication tokens generated by the same user are detected, the user's identity is calculated

The corresponding upk is then calculated using function f_i。

Images