CN113114469A - Method for generating, purifying and verifying cleanable signature and privacy protection method thereof - Google Patents
Method for generating, purifying and verifying cleanable signature and privacy protection method thereof Download PDFInfo
- Publication number
- CN113114469A CN113114469A CN202110327338.8A CN202110327338A CN113114469A CN 113114469 A CN113114469 A CN 113114469A CN 202110327338 A CN202110327338 A CN 202110327338A CN 113114469 A CN113114469 A CN 113114469A
- Authority
- CN
- China
- Prior art keywords
- signature
- message
- signer
- generating
- purge
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
Abstract
The invention relates to a method for generating, purifying and verifying a cleanable signature with a privacy protection function. The method for generating the cleanable signature specifically comprises the following steps: step 101, generating equivalence class signatures theta and omega for the public key of the signer S by utilizing an equivalence class signature algorithm; 102, decomposing a given message m into message blocks, and generating each message block m according to the given message and a private key of a signeriSignature σ ofiWherein i is the identifier of the message block; step 103, signing the sigmaiCombining into an original signature sigma; 104, selecting a random number R, and generating two-dimensional coordinates of a point R and a point Q by using an addition cyclic group algorithm; step 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m; and 106, sending the generated information to the purifier Z. Base ofThe method can ensure the integrity, the authenticity and the usability of the data and ensure the privacy and the unforgeability of the data.
Description
Technical Field
The invention relates to a digital signature, in particular to a generation, purification and verification method based on a cleanable signature and a privacy protection method based on the cleanable signature.
Background
Digital signatures are one of the cryptographic techniques that guarantee network security. The signature message, once modified, will result in the property that the original signature is invalid, thus enabling data integrity, authenticity and non-repudiation by adding the signature to the original message. However, in many practical application scenarios, users want privacy-sensitive information to be protected while guaranteeing data integrity and availability. One solution to the above problem is to require the signer to sign only the data relevant to the current application. However, this process must be repeated each time there is a new subset of the information to share. This would create too high an overhead to be practical in a practical scenario.
Atenise et al propose the concept of a sanitizable signature. The decontaminable signature is a digital signature technology supporting controlled modification of a signature message, and a decontaminant can modify the signed message without any interaction with an original signer and can derive an effective signature of the modified message, so that sensitive information of a user can be effectively hidden while the integrity and the authenticity of data are ensured.
However, in the current privacy protection scheme based on the sanitizable signature, a safe and efficient protection scheme is still lacking.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a method for generating, purifying and verifying a cleanable signature and a privacy protection method thereof. The method can ensure the integrity, authenticity and usability of the data, can ensure the privacy and the unforgeability of the data, and has the characteristics of high safety, simple realization, high verification efficiency and the like.
The invention adopts the following technical scheme.
In a first aspect of the present invention, a method for generating a sanitizable signature is provided, which includes the following steps: step 101, according to the private key and the public key of the signer S and the public key of the purifiers Z, the equivalence class signature algorithm is used for generating equivalence class signatures for the public key of the signer SAnd ω; step 102, decomposing a given message m into l message blocks m with the same length1,m2,…,mlAccording to a given message m ═ m1,m2,…,mlAnd the private key of the signer S, the signer S generates for each message block m in the given messageiSignature σ ofiWherein i is the identifier of the message block, and i belongs to {1, …, l }; step 103, generating each message block miSignature σ ofiCombined into the original signature σ, where σ ═ σ { [ σ ]1,σ2,…,σl}; 104, selecting a random number R, and generating two-dimensional coordinates of a point R and a point Q by using an addition cycle group algorithm according to the public key of the purifier Z and the random number R; 105, generating a corresponding ciphertext c for auxiliary information related to the given message m according to the two-dimensional coordinates of the point R and the point Q and information of the message block which is allowed to be modified in the given message m; step 106, signing the equivalence class of the generated public key of the signer SAnd ω, the public key of the signer S, the original signature σ of the given message m and the side information ciphertext c are sent to the purger Z.
Preferably, the public key of the signer S is PKs(X, Y), wherein X ═ X (X)1,X2),Y=(Y1,Y2) And X1、X2、Y1、Y2Are respectively calculated in the manner ofWherein x is1,x2,y1, Is an integer set comprising 1, 2, … …, q-1; and generating an equivalence class signature for the public key X of the signer S by utilizing an equivalence class signature algorithmWherein And generating an equivalence class signature omega for the public key Y of the signer S by utilizing an equivalence class signature algorithm, wherein omega is EQS.Sign (Y), and EQS.Sign () is the equivalence class signature algorithm.
Preferably, step 102 further comprises: it is assumed that,where alpha is the information description of the message blocks in message m that are allowed to be modified,and isIs an integer set comprising 1, 2, … …, q-1; addition cyclic group using order prime qFor the signer S for each message block m in the given messageiComputing the signature σiThe signature σiIs calculated by the formulaWherein H () is the group of addition cycles of said order of prime qThe cipher hash function of (1), wherein | is a character string connection operator, when the input of the function is a bit string {0, 1} of any length*When it is output as a groupThe above elements.
Preferably, step 104 further comprises: the two-dimensional coordinate calculation formula of the point R is that R is equal to rP (x)R,yR) Wherein P is a cyclic groupIs generated by the one of the generators of (1),is a cyclic group of addition of order q, q being a prime number, xRAnd yRRespectively the abscissa and ordinate of the point R; the two-dimensional coordinate calculation formula of the point Q is that Q is rPKz=(xQ,yQ) Wherein PK iszIs the public key of the cleaner Z, and PKz=xP,Is the private key of the purifier, xQAnd yQRespectively the abscissa and ordinate of the point Q; wherein the random numberAnd isIs a set of integers including 1, 2, … …, q-1.
Preferably, step 105 further comprises: the calculation formula of the auxiliary information ciphertext c is (x)Q||yQ)(α|| y1) Wherein x isQAnd yQThe abscissa and the ordinate, respectively, of the point Q, alpha is the information description of the message block in the message m that is allowed to be modified,and isIs a set of integers including 1, 2, … …, q-1.
In a second aspect of the present invention, a signature cleansing method capable of cleansing a signature is provided, which includes the following steps: step 201, verifying the validity of an original signature sigma based on the basic attribute information of a signer S and a purifier Z, if the verification is passed, selecting to receive the original signature sigma and an auxiliary information ciphertext c generated by the signer and entering the next step, and if the verification fails, refusing to receive the original signature sigma and the auxiliary information ciphertext c and exiting; step 202, performing coordinate transformation on the point R generated by the signer S by using the addition cycle group algorithm according to the private key of the purifiers Z to generate a point theta, wherein the point theta is a groupHas a coordinate of (x)θ,yθ) And calculating alpha | y according to the two-dimensional coordinates of the point theta and the auxiliary information ciphertext c1Wherein, | | is a character string connection operator; step 203, judging the information description xi of the message block to be modified, if so, judgingIf yes, go to the next step, if yesIf the message is not true, exiting, wherein alpha is the information description of the message block which is allowed to be modified in the message m; step 204, judging the identifier i of the message block, and if i belongs to xi, executing m'i=f(mi) If i ∈ ξ is not satisfied, then let m'i=miWherein, m'iIs in the purge message mThe ith message block, purge message m ═ m1′,m2′,…,ml'}, f () is an operation of updating the message m to new information m'; step 205, traverse i within a range of i e {1, …, l }, and repeat step 204 until each message block m ' in the purge message m ' is generated 'iAnd generating each message block m 'in the purge message m'iCombining into said purge message m ═ m1′,m2′,…,ml' }; step 206, selecting a random number u and a random number v, and calculating the values X 'and Y' of the public key X and Y of the signer S after randomization according to the public key of the signer S and the random numbers u and v; step 207, calculating a private key y 'used by the cleaner Z to generate the cleaning message signature according to the private key of the signer S and the random number u'1(ii) a Step 208, according to the cleansing message m' ═ { m ═ m1′,m2′,…,ml' } and the private key y ' used by the purger Z in generating the purge message signature '1Generating the message m 'to the cleaner Z'iOf signature σ'iAnd generating each message block m'iOf signature σ'iIs the cleansing signature σ ', where σ ' { σ '1,σ′2,…,σ′l}; step 209, the generated purge message m ', the randomized values X', Y 'of the public keys X, Y of the signer S, and the purge signature σ' are sent to the verifier V.
Preferably, step 201 further comprises: verifying the equivalent class signatures of the public keys X and Y of the signer S by using a signature verification methodThe effectiveness of (a); and, the signature verification method includes: traversing the message block identification i in the range of i epsilon {1, …, l }, and according to the public key X, Y of the signer S, the signer S sets { m ═ m ∈ for the given message1,m2,…,mlEach message block m iniSignature σ ofiFor each message block m of a given messageiGenerating a verification factor bi=(e(Xi,σi)=e(Yi,H(i||mi) ))) wherein Computing the product of all the verification factors when a message block identifies i e {0, 1, …, l }If the product is 1, the verification is passed, the original signature sigma and the given message m are received, and if the product is not 1, the verification fails, and the original signature sigma and the given message m are rejected; wherein, X1、X2、Y1、Y2Are respectively calculated in the manner ofx1,x2,y1,Wherein e () is a bilinear map Is a group of addition cycles of order prime q,is a group of addition cycles of order prime q,is a multiplication loop group of order q, q being a prime number, H () being a bit string {0, 1} of arbitrary length as input*Output as a groupCryptographic hash function of the upper element, i | | | miIs i and message miAnd connecting the binary strings.
Preferably, step 202 further comprises: the calculation formula of the point theta is theta-SKz·R=(xθ,yθ),α||y1Is calculated by the formulaWherein SKzIs the private key of the signer S, and SKs= (x1,x2,y1,y2),x1,x2,y1,Wherein R is a point generated by the signer S by an addition cyclic group algorithm according to the public key of the clarifier Z and the random number R, (x)θ,yθ) Is the two-dimensional coordinate of point theta, c is the auxiliary information cipher text generated by the signer S, xθ||yθIs the connection of a binary string of the vertical and horizontal coordinates of the point theta.
Preferably, step 206 further comprises: the formula of X ', Y' isAndwherein the content of the first and second substances, and x1,x2,y1,
Preferably, step 207 further comprises: method for preparing a productKey y'1Is calculated as y'1=u·y1Wherein
Preferably, step 208 further comprises: it is assumed that,addition cyclic group using order prime qIs the purger Z to each message block m 'in the purge message'iCalculate signature σ'iOf 'signature σ'iIs calculated by the formulaWherein, H () is input as bit string {0, 1} of arbitrary length*Output as a groupThe cryptographic hash function of the upper element,is an addition cycle group with a rank of prime number q, wherein i | | m'iIs i and a cleaned message m'iThe binary string of (a).
In a third aspect of the present invention, a method for verifying a signature of a sanitizable signature is provided, which includes the following steps: in step 301, receiver V receives a purge message m' from purge Z, { m ═ m1′,m2′,…,ml' } and purge signature σ ' ═ σ '1,σ′2,…,σ′l}, randomized public key PK 'of signer S'sPublic key PK of the cleaner ZzAnd information description of message blocks that allow modification {; step 302, traversing i in the range of i epsilon {1, …, l }, randomizing the values X ', Y ' of the public key X, Y of the signer S, and adding the decontaminant Z to the message m 'iIs signedName sigma'iIs each message block m 'of a purge message'iGenerating a verification factor bi(ii) a Step 303, calculating the product of all verification factors when the message block identifier i belongs to {1, …, l }, if the product is 1, the verification is passed, receiving the purge signature σ 'and the purge message m', if the product is not 1, the verification is failed, and rejecting the purge signature σ 'and the purge message m'.
Preferably, i is traversed within the range of i ∈ {0, 1, …, l } and b is calculatedi=(e(X′i,σ′i)= e(Yi′,H(i||m′i) In a container), wherein,for all the verification factors biObtaining the productIf b is true, receiving the cleansing signature σ 'and the cleansing message m', and otherwise rejecting the cleansing signature σ 'and the cleansing message m'; wherein, X'iAnd Yi' randomized values of the public keys X and Y of the signer S respectively, wherein, X1、X2、Y1、Y2Are respectively calculated in the manner of x1,x2,y1,Wherein e () is a bilinear map Is a group of addition cycles of order q,is a group of addition cycles of order q,is a multiplication loop group of order q, q being a prime number, H () being a bit string {0, 1} of arbitrary length as input*Output as a groupCryptographic hash function of the above element.
The invention provides a privacy protection method based on a cleanable signature, which comprises the following steps: step 1, after a signer S acquires a given message m, generating an original signature sigma and a related auxiliary information ciphertext c for the given message m based on basic attribute information of the signer S and a clarifier Z; step 2, after receiving the related auxiliary information ciphertext c and the original signature sigma of the given message m, the purifier Z generates a purified signature sigma ' for the purified message m ' based on the basic attribute information of the signer S and the purifier Z, the related auxiliary information ciphertext c and the generated purified message m '; and 3, after receiving the purification message m ' and the purification signature sigma ', the verifier V verifies the validity of the purification signature sigma ' by using a signature verification method based on the basic attribute information of the signer S and the purifier Z, and selects to receive or reject the purification signature sigma ' and the purification message m ' according to a verification result.
Preferably, step 1 of a privacy protection method based on a sanitizable signature is implemented based on a sanitizable signature generation method described in the first aspect of the present invention.
Preferably, step 2 of the privacy protection method based on the sanitizable signature is implemented based on the signature sanitization method of the sanitizable signature according to the second aspect of the present invention.
Preferably, step 3 of the privacy protection method based on the sanitizable signature is implemented based on the signature verification method of the sanitizable signature according to the third aspect of the present invention.
Compared with the prior art, the method for generating, purifying and verifying the cleanable signature and the privacy protection method thereof provided by the invention can ensure the integrity, authenticity and availability of data, can ensure the privacy and the unforgeability of the data, and have the characteristics of high safety, simplicity in implementation, high verification efficiency and the like.
The beneficial effects of the invention also include:
1. the invention can ensure the verification of data integrity, the availability and the authenticity of data, and simultaneously support the privacy protection function of the data, so that the data information is difficult to forge.
2. The cleanable signature algorithm in the prior art strictly limits the number of private keys and public keys, i.e. the number of private keys and public keys is required to be in proportion to the number of message blocks. The invention does not need to limit the number of the private keys and the public keys in the signature algorithm according to the number of the message blocks, but divides the signature key into two parts, thereby effectively reducing the calculation overhead of the signature algorithm and the communication overhead of information transmission.
3. Compared with the cleanable signature in the prior art, the method can verify the safety of the method under the random prediction model.
Drawings
FIG. 1 is a flow chart illustrating steps of a method for generating a sanitizable signature according to the present invention;
FIG. 2 is a flowchart illustrating steps of a signature cleansing method for cleansing a signature according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating steps of a method for verifying a signature of a sanitizable signature according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating implementation steps of a privacy preserving method based on a sanitizable signature according to the present invention;
fig. 5 is a flowchart illustrating a privacy protection method based on a sanitizable signature according to the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
FIG. 1 is a flowchart illustrating steps of a method for generating a sanitizable signature according to the present invention. As shown in fig. 1, a method for generating a cleanable signature specifically includes steps 101-106.
Step 101, according to the private key and the public key of the signer S and the public key of the purifiers Z, the equivalence class signature algorithm is used for generating equivalence class signatures for the public key of the signer SAnd ω.
During the system initialization process, the security parameter λ at the system initialization can be set to reflect the security level of the whole scheme. After the system initialization is completed, the system can be used to implement the specific cleanable signature generation, cleaning and verification algorithm described in the present invention.
Preferably, the public key of the signer S is PKs(X, Y), wherein X ═ X (X)1,X2),Y=(Y1,Y2) And X1、X2、Y1、Y2Are respectively calculated in the manner ofWherein x is1,x2,y1,And generating an equivalence class signature for the public key X of the signer S by utilizing an equivalence class signature algorithmWhereinAnd generating an equivalence class signature omega for the public key Y of the signer S by utilizing an equivalence class signature algorithm, wherein omega is EQS.Sign (Y), and EQS.Sign () is the equivalence class signature algorithm.
Step 102, decomposing a given message m into l message blocks m with the same length1,m2,…,mlAccording to a given message m ═ m1,m2,…,mlAnd the private key of the signer S, the signer S generates for each message block m in the given messageiSignature σ ofiWhere i is the identity of the message block and i ∈ {1, …, l }.
It is worth noting that l represents the number of message blocks contained in the message m, and l ∈ Z+Wherein is Z+A set of positive integers.
Preferably, the first and second sensors are arranged, assuming,where alpha is the information description of the message blocks in message m that are allowed to be modified,and isIs a set comprising the integer 1, 2, … … q-1; addition cyclic group using order prime qFor the signer S for each message block m in the given messageiComputing the signature σiThe signature σiIs calculated by the formulaIn which H () is an addition cyclic group of order prime qThe cipher hash function of (1), wherein | is the character string connection operator, when the input of the function is the bit string {0, 1} of any length*When it is output as a groupThe above elements.
Step 103, generating each message block miSignature σ ofiCombined into the original signature σ, where σ ═ σ { [ σ ]1,σ2,…,σl}。
And 104, selecting a random number R, and generating two-dimensional coordinates of the point R and the point Q by using an addition cycle group algorithm according to the public key of the purifier Z and the random number R.
Preferably, the two-dimensional coordinate calculation formula of the point R is R ═ rP ═ x (x)R,yR) Wherein P is a cyclic groupIs generated by the one of the generators of (1),is a cyclic group of addition of order prime q, xRAnd yRRespectively the abscissa and ordinate of the point R; the two-dimensional coordinate calculation formula of the point Q is that Q is rPKz=(xQ,yQ) Wherein PK iszIs the public key of the cleaner Z, and PKzX is the private key of the purifier Z, xQAnd yQRespectively the abscissa and ordinate of the point Q; wherein the random number
And 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m according to the two-dimensional coordinates of the point R and the point Q and the information of the message block which is allowed to be modified in the given message m.
Preferably, the auxiliary information ciphertext c is calculated as c ═ x (x)Q||yQ)(α||y1) Wherein x isQAnd yQAre respectively asThe abscissa and the ordinate of the point Q, α, are the information description of the message blocks in the message m that are allowed to be modified.
Step 106, signing the equivalence class of the generated public key of the signer SAnd ω, the public key of the signer S, the original signature σ of the given message m and the side information ciphertext c are sent to the purger Z.
According to a method for generating a sanitizable signature in the present invention, the signer S can generate a sanitizable signature for given information and an auxiliary information ciphertext according to basic attribute information of the signer S and the sanitizer Z. After the sanitizable signature and the auxiliary information ciphertext are sent to the sanitizer Z, the sanitizer Z is allowed to sanitize its signature and parse the auxiliary information ciphertext into the original message. Therefore, the invention also provides a signature purifying method capable of purifying the signature.
As shown in fig. 2, a signature cleansing method capable of cleansing a signature specifically includes step 201 and step 209. Wherein the content of the first and second substances,
step 201, based on the basic attribute information of the signer S and the purifiers Z, verifying the validity of the original signature σ, if the verification is passed, selecting to receive the original signature σ and the auxiliary information ciphertext c generated by the signer and entering the next step, and if the verification fails, rejecting to receive the original signature σ and the auxiliary information ciphertext c and exiting.
Preferably, the equivalent signatures of the public keys X and Y of the signer S may be verified in step 201 using a signature verification methodThe effectiveness of (c).
Specifically, the signature verification method includes: traversing the message block identification i in the range of i epsilon {1, …, l }, and according to the public key X, Y of the signer S, the signer S sets { m ═ m ∈ for the given message1,m2,…,mlEach message block m iniSignature σ ofiFor each message block m of a given messageiGenerating a verification factor bi= (e(Xi,σi)=e(Yi,H(i||mi) ))) whereinAnd, calculating the product of all the verification factors when the message block identity i ∈ {0, 1, …, l }, andif the product is 1, the verification is passed, the original signature sigma and the given message m are received, and if the product is not 1, the verification fails, and the original signature sigma and the given message m are rejected; wherein e () is a bilinear map Is a group of addition cycles of order q,is a multiplicative cyclic group of order q, q being a prime number.
Step 202, according to the private key of the cleaner Z, the coordinate transformation is carried out on the point R generated by the signer S by the addition cycle group algorithm to generate a point theta, wherein the point theta is a groupHas a coordinate of (x)θ,yθ) And calculating alpha y according to the two-dimensional coordinates of the point theta and the related auxiliary information ciphertext c1Wherein, | | is a character string connection operator.
Preferably, the calculation formula of the point θ is θ ═ SKz·R=(xθ,yθ),α||y1Is calculated by the formulaWherein SKzIs the private key of the signer S, and SKs=(x1,x2,y1,y2) Wherein R is the signer S according to the cleaner ZUsing the points generated by the additive cyclic group algorithm, (x)θ,yθ) Two-dimensional coordinates of a point theta, c is an m-related auxiliary information ciphertext generated by the signer S, xθ||yθIs the connection of a binary string of the vertical and horizontal coordinates of the point theta.
Step 203, judging the information description xi of the message block to be modified, if so, judgingIf yes, go to the next step, if yesAnd if not, exiting, wherein alpha is the information description of the message block which is allowed to be modified in the message m.
Step 204, judging the mark i of the message block, and if i belongs to xi, executing m'i=f(mi) If i ∈ ξ is not satisfied, then let m'i=miWherein, m'iIs the ith message block in the purge message m', the purge message m ═ m1′,m2′,…,ml'}, f () is an operation of updating the message m to new information m'.
Step 205, traverse i within a range of i e {1, …, l }, and repeat step 204 until each message block m ' in the purge message m ' is generated 'iAnd generates each message block m ' in the purge message m ' generated 'iCombining into said purge message m ═ m1′,m2′,…,ml′}。
Step 206, selecting a random number u and a random number v, and calculating the randomized values X ', Y' of the public key X and Y of the signer S according to the public key of the signer S and the random numbers u and v.
step 207, calculating the private key y 'used by the purge Z to generate the purge message signature based on the private key of the signer S and the random number u'1。
Preferably, private key y'1Is calculated as y'1=u·y1。
Step 208, according to the cleansing message m' ═ { m ═ m1′,m2′,…,ml' } and the private key y ' used by the purger Z in generating the purge message signature '1Generating the message m 'to the cleaner Z'iOf signature σ'iAnd generating each message block m'iOf signature σ'iIs the cleansing signature σ ', where σ ' { σ '1,σ′2,…,σ′l}。
Preferably, the first and second sensors are arranged, assuming,addition cyclic group using order prime qIs the purger Z to each message block m 'in the purge message'iCalculate signature σ'iOf 'signature σ'iIs calculated by the formulaWherein, i | | miIs i and message miAnd connecting the binary strings.
Step 209 sends the generated purge message m ', the randomized values X', Y 'of the public keys X, Y of the signer S, and the purge signature σ' to the verifier V.
Based on the method, the cleaner Z can perform the above steps to clean the message from the signer S, and restore the encrypted message to the original message. Meanwhile, in order to further transmit or utilize the message, a derivative signature can be correspondingly generated after the signature is purified. In this process, more than one decontaminator may be included in the communication system, and the message may be decontaminated and signed in derivative multiple times. And finally, sending the decontamination message and the decontamination signature to the verifier V. The verifier V can verify the scrub signature according to the signature verification method and receive the scrub message after passing the verification.
As shown in fig. 3, a signature verification method for a cleanable signature specifically includes steps 301-303. Wherein the content of the first and second substances,
in step 301, receiver V receives a purge message m' from purge Z, { m ═ m1′,m2′,…,ml' } and purge signature σ ' ═ σ '1,σ′2,…,σ′l}, public key PK 'of signer S after being re-randomized by purgers'sOf which is PK's(X ', Y') the public key PK of the purge ZzAnd information description ξ of the message block to be modified.
Step 302, traversing i in the range of i epsilon {1, …, l }, randomizing the values X ', Y ' of the public key X, Y of the signer S, and adding the decontaminant Z to the message m 'iOf signature σ'iIs each message block m 'of a purge message'iGenerating a verification factor bi。
Step 303, calculating the product of all verification factors when the message block identifier i belongs to {1, …, l }, if the product is 1, the verification is passed, receiving the purge signature σ 'and the purge message m', if the product is not 1, the verification is failed, and rejecting the purge signature σ 'and the purge message m'.
Specifically, steps 302 and 303 further include: traverse i within the range of i e {1, …, l } and calculate bi=(e(X′i,σ′i)=e(Yi′,H(i||m′i) In a container), wherein, for all the verification factors biObtaining the productIf b is true, the cleansing signature σ 'and the cleansing message m' are received, otherwise the cleansing signature σ 'and the cleansing message m' are rejected.
According to the signature verification algorithm, the verifier V can verify the sanitization message and the sanitization signature from the sanitizer Z and receive and utilize the sanitization message after the verification is successful.
According to the method for generating, purifying and verifying the cleanable signature, the invention also provides a privacy protection method based on the cleanable signature. As shown in fig. 4-5, the method further specifically includes steps 1-3. Wherein the content of the first and second substances,
step 1, after a signer S acquires a given message m, an original signature sigma and an auxiliary information ciphertext c are generated for the given message m based on the basic attribute information of the signer S and a clarifier Z.
Specifically, the basic attribute information of the signer S and the clarifier Z comprises the private key SK of the signersAnd public key PKsPrivate key SK of the purifierzAnd public key PKzAnd so on. Also included in a given message m is a partitioning of the message block, i.e., m ═ m1,m2,…,mlAnd information description alpha of the message block allowed to be modified in the message m. In addition, the original signature σ generated by the signer S is generated from each message block, i.e., σ ═ σ { [ σ ]1,σ2,…,σl}。
Preferably, step 1 is embodied according to one of the above methods for generating a sanitizable signature.
And 2, after receiving the auxiliary information ciphertext c and the original signature sigma of the given message m, the cleaner Z generates a cleaning message m ' based on the basic attribute information of the signer S and the cleaner Z and the auxiliary information ciphertext c related to m, and generates a cleaning signature sigma ' for the cleaning message m '.
Specifically, the information description ξ and other information of the message block to be modified are also included in the auxiliary information ciphertext c received by the cleaner Z. The generated cleansing message is m' ═ { m ═ m1′,m2′,…,ml', the purge signature is σ ' ═ σ '1,σ′2,…,σ′l}。
Preferably, step 2 is implemented based on a signature cleansing method of cleansing a signature as described above.
And 3, after receiving the purge message m 'and the purge signature sigma', the verifier V uses a signature verification method to verify the basic attribute information of the signer S and the purger Z, wherein the basic attribute information comprises a public key PK 'of the signer S after being re-randomized by the purger'sOf which is PK's(X ', Y '), verifying the validity of the cleansing signature σ ', and selecting to accept or reject the cleansing signature σ ' and the cleansing message m ' according to the verification result.
Preferably, step 3 is implemented based on the above signature verification method of a sanitizable signature.
Compared with the prior art, the method for generating, purifying and verifying the cleanable signature and the privacy protection method thereof provided by the invention can ensure the integrity, authenticity and availability of data, can ensure the privacy and the unforgeability of the data, and have the characteristics of high safety, simplicity in implementation, high verification efficiency and the like.
The beneficial effects of the invention also include:
1. the invention can ensure the verification of data integrity, the availability and the authenticity of data, and simultaneously support the privacy protection function of the data, so that the data information is difficult to forge.
2. The cleanable signature algorithm in the prior art strictly limits the number of private keys and public keys, i.e. the number of private keys and public keys is required to be in proportion to the number of message blocks. The invention does not need to limit the number of the private keys and the public keys in the signature algorithm according to the number of the message blocks, but divides the signature key into two parts, thereby effectively reducing the calculation overhead of the signature algorithm and the communication overhead of information transmission.
3. Compared with the cleanable signature in the prior art, the method can verify the safety of the method under the random prediction model.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.
Claims (17)
1. A method for generating a sanitizable signature, comprising the steps of:
step 101, according to the private key and the public key of the signer S and the public key of the purifiers Z, generating an equivalence class signature for the public key of the signer S by using an equivalence class signature algorithmAnd ω;
step 102, decomposing a given message m into l message blocks m with the same length1,m2,…,mlAccording to said given message m ═ { m ═ m1,m2,…,mlThe private key of the signer S, the generation of each message block m of the given message by the signer SiSignature σ ofiWherein i is the identifier of the message block, and i belongs to {0, 1, …, l };
step 103, generating each message block miSignature σ ofiCombined into the original signature σ, where σ ═ σ { [ σ ]1,σ2,…,σl};
104, selecting a random number R, and generating two-dimensional coordinates of a point R and a point Q by using an addition cycle group algorithm according to the public key of the purifier Z and the random number R;
105, generating a corresponding ciphertext c for the auxiliary information related to the given message m according to the two-dimensional coordinates of the point R and the point Q and the information of the message block which is allowed to be modified in the given message m;
2. The method for generating a sanitizable signature according to claim 1, wherein in step 101, the equivalence class signature algorithm is used to generate the equivalence class signature for the public key of the signer S according to the private key and the public key of the signer S and the public key of the sanitizer ZAnd ω further includes:
the public key of the signer S is PKs(X, Y), wherein X ═ X (X)1,X2),Y=(Y1,Y2) And X1、X2、Y1、Y2Are respectively calculated in the manner ofWherein x is1,x2,y1, Is an integer set comprising 1, 2, … …, q-1; and the number of the first and second groups,
generating an equivalence class signature for the public key X of the signer S by using an equivalence class signature algorithmWherein And generating an equivalence class signature omega for the public key Y of the signer S by utilizing an equivalence class signature algorithm, wherein omega is EQS.Sign (Y), and EQS.Sign () is the equivalence class signature algorithm.
3. A method for generating a sanitizable signature as in claim 1 wherein said step 102 decomposes a given message m into l message blocks m of equal length1,m2,…,mlAccording to said given message m ═ { m ═ m1,m2,…,mlThe private key of the signer S, the generation of each message block m of the given message by the signer SiSignature σ ofiWhere i is the identity of the message block, and i ∈ {1, …, l } further includes:
it is assumed that,where alpha is the information description of the message blocks in message m that are allowed to be modified,and isIs an integer set comprising 1, 2, … …, q-1;
addition cyclic group using order prime qFor the signer S for each message block m in the given messageiComputing the signature σiThe signature σiIs calculated by the formulaWherein H () is the group of addition cycles of said order of prime qThe cipher hash function of (1), wherein | is a character string connection operator, when the input of the function is a bit string {0, 1} of any length*When it is output as a groupThe above elements.
4. The method of claim 1, wherein the step 104 of selecting a random number R, and generating the two-dimensional coordinates of point R and point Q by an additive cyclic group algorithm based on the public key of the cleaner Z and the random number R further comprises:
the two-dimensional coordinate calculation formula of the point R is that R is equal to rP (x)R,yR) Wherein P is a cyclic groupIs generated by the one of the generators of (1),is a cyclic group of addition of order prime q, xRAnd yRRespectively the abscissa and ordinate of the point R;
the two-dimensional coordinate calculation formula of the point Q is that Q is rPKz=(xQ,yQ) Wherein PK iszIs the public key of the cleaner Z, and PKz=xP,Is the private key of the purifier, xQAnd yQRespectively the abscissa and ordinate of the point Q;
5. The method for generating a sanitizable signature according to claim 1, wherein the step 105 of generating an auxiliary information ciphertext c for the given message m according to the two-dimensional coordinates of the point R and the point Q and information of the message blocks that are allowed to be modified in the given message m further comprises:
the calculation formula of the auxiliary information ciphertext c is (x)Q||yQ)(α||y1) Wherein x isQAnd yQThe abscissa and the ordinate, respectively, of the point Q, alpha is the information description of the message block in the message m that is allowed to be modified,and isIs a set of integers including 1, 2, … …, q-1.
6. A signature cleansing method capable of cleansing a signature, comprising the steps of:
step 201, verifying the validity of an original signature sigma based on the basic attribute information of a signer S and a purifier Z, if the verification is passed, selecting to receive the original signature sigma and an auxiliary information ciphertext c generated by the signer and entering the next step, and if the verification fails, refusing to receive the original signature sigma and the auxiliary information ciphertext c and exiting;
step 202, performing coordinate transformation on the point R generated by the signer S by using the addition cycle group algorithm according to the private key of the purifiers Z to generate a point theta, wherein the point theta is a groupHas a coordinate of (x)θ,yθ) And calculating alpha | y according to the two-dimensional coordinates of the point theta and the auxiliary information ciphertext c1Wherein, | | is a character string connection operator;
step 203, judging the information description xi of the message block to be modified, if so, judgingIf yes, go to the next step, if yesIf the message is not true, exiting, wherein alpha is the information description of the message block which is allowed to be modified in the message m;
step 204, judging the identifier i of the message block, and if i belongs to xi, executing m'i=f(mi) If i ∈ ξ is not satisfied, then let m'i=miWherein, m'iIs the ith message block in the purge message m', the purge message m ═ m1′,m2′,…,ml'}, f () is an operation of updating the message m to new information m';
step 205, traverse i within a range of i e {1, …, l }, and repeat step 204 until each message block m ' in the purge message m ' is generated 'iAnd generating each message block m 'in the purge message m'iCombining into said purge message m ═ m1′,m2′,…,ml′};
Step 206, selecting a random number u and a random number v, and calculating the values X 'and Y' of the public key X and Y of the signer S after randomization according to the public key of the signer S and the random numbers u and v;
step 207, calculating a private key y 'used by the cleaner Z to generate the cleaning message signature according to the private key of the signer S and the random number u'1;
Step 208, according to the cleansing message m' ═ { m ═ m1′,m2′,…,ml' } and the private key y ' used by the purger Z in generating the purge message signature '1Generating the message m 'to the cleaner Z'iOf signature σ'iAnd generating each message block m'iOf signature σ'iIs the cleansing signature σ ', where σ ' { σ '1,σ′2,…,σ′l};
Step 209, the generated purge message m ', the randomized values X', Y 'of the public keys X, Y of the signer S, and the purge signature σ' are sent to the verifier V.
7. The method for clarifying a signature of a sanitizable signature according to claim 6, wherein the step 201 of verifying the validity of the original signature σ based on the basic attribute information of the signer S and the sanitizer Z further comprises:
verifying equivalent signatures of public keys X and Y of the signer S by using a signature verification methodThe effectiveness of (a); and the number of the first and second groups,
the signature verification method comprises the following steps: traversing the message block identifier i in the range of i e {1, …, l } and according to the public key X, Y of the signer S, the signer S sets { m } for the given message m1,m2,…,mlEach message block m iniSignature σ ofiFor each message block m of the given messageiGenerating a verification factor ai=(e(Xi,σi)=e(Yi,H(i||mi) ))) wherein
Calculate what the message block identifies i e {1, …, l }Product with verification factorIf the product is 1, the verification is passed, the original signature sigma and the given message m are received, if the product is not 1, the verification is failed, and the original signature sigma and the given message m are rejected;
Wherein e () is a bilinear map Is a group of addition cycles of order prime q,is a group of addition cycles of order prime q,is a multiplication loop group of order prime q, and H () is a bit string {0, 1} of arbitrary length as input*Output as a groupCryptographic hash function of the upper element, i | | | miIs i and message miAnd connecting the binary strings.
8. The method for clarifying a signature according to claim 6, wherein in step 202, the private key of the clarifier Z is used to perform coordinate transformation on the point R generated by the signer S using the additive cyclic group algorithm to generate a point θ, and the two-dimensional coordinates of the point θ and the auxiliary information ciphertext c are used to calculate α | | y1Further comprising:
Wherein R is a point generated by the signer S by an addition cyclic group algorithm according to the public key of the clarifier Z and the random number R, (x)θ,yθ) Is the two-dimensional coordinate of point theta, c is the auxiliary information cipher text generated by the signer S, xθ||yθIs the connection of a binary string of the vertical and horizontal coordinates of the point theta.
9. The method of claim 6, wherein the step 206 of selecting a random number u and a random number v, and calculating the public key X of the signer S according to the public key of the signer S and the random numbers u, v, and the randomized values X ', Y' further comprises:
11. The method for cleansing a signature according to claim 6 wherein said step 208 comprises the step of cleansing said signature from said cleansing message m ═ { m ═ in1′,m2′,…,ml' } and the private key y ' used by the purger Z in generating the purge message signature '1Generating the purge message m 'to the purge Z'iOf signature σ'iFurther comprising:
it is assumed that,addition cyclic group using order prime qIs the purger Z to each message block m 'in the purge message'iCalculate signature σ'iOf 'signature σ'iIs calculated by the formulaWherein, H () is input as bit string {0, 1} of arbitrary length*Output as a groupThe cryptographic hash function of the upper element,is a cyclic group of additions of order q, where i miIs i with a cleaned message mi' q is a prime number.
12. A signature verification method of a cleanable signature is characterized by comprising the following steps:
in step 301, receiver V receives a purge message m' from purge Z, { m ═ m1′,m2′,…,ml' } and purge signature σ ' ═ σ '1,σ′2,…,σ′lThe randomized public key PK of the signer Ss', public key PK of the cleaner ZzAnd an information description ξ of the message block to be modified;
step 302, traversing i in the range of i epsilon {1, …, l } and randomizing the values X ', Y ' of the public key X, Y of the signer S, and the purifiers Z to the message m 'iOf signature σ'iIs each message block m 'of the purge message'iGenerating a verification factor bi;
Step 303, calculating the product of all verification factors when the message block identifier i belongs to {1, …, l }, if the product is 1, the verification is passed, receiving the purge signature σ 'and the purge message m', if the product is not 1, the verification is failed, and rejecting the purge signature σ 'and the purge message m'.
13. The method of signature verification of a sanitizable signature as in claim 12, the method further comprising:
traverse i within the range of i e {1, …, l } and calculate bi=(e(X′i,σ′i)=e(Yi′,H(i||mi'))) of the two-dimensional array, wherein,
If b is true, receiving the cleansing signature σ 'and the cleansing message m', and otherwise rejecting the cleansing signature σ 'and the cleansing message m';
Wherein e () is a bilinear map Is a group of addition cycles of order prime q,is a group of addition cycles of order prime q,is a multiplication loop group of order prime q, and H () is a bit string {0, 1} of arbitrary length as input*Output as a groupCryptographic hash function of the above element.
14. A privacy protection method based on a cleanable signature is characterized by comprising the following steps:
step 1, after a signer S acquires a given message m, generating an original signature sigma and an auxiliary information ciphertext c for the given message m based on basic attribute information of the signer S and a clarifier Z;
step 2, after receiving the auxiliary information ciphertext c and the original signature σ of the given message m, the cleaner Z cleans the auxiliary information ciphertext c based on the basic attribute information of the signer S and the cleaner Z to generate a cleaned message m ', and generates a cleaned signature σ ' for the cleaned message m ';
and 3, after receiving the purified message m ' and the purified signature sigma ', the verifier V verifies the validity of the purified signature sigma ' by using a signature verification method based on the basic attribute information of the signer S and the purifier Z, and selects to receive or reject the purified signature sigma ' and the purified message m ' according to a verification result.
15. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 1 is implemented based on the sanitizable signature generation method as claimed in claims 1 to 5.
16. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 2 is implemented based on the signature sanitization method based on the sanitizable signature as claimed in claims 6 to 11.
17. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 3 is implemented based on the signature verification method of the sanitizable signature as claimed in claims 12 to 13.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110327338.8A CN113114469A (en) | 2021-03-26 | 2021-03-26 | Method for generating, purifying and verifying cleanable signature and privacy protection method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110327338.8A CN113114469A (en) | 2021-03-26 | 2021-03-26 | Method for generating, purifying and verifying cleanable signature and privacy protection method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113114469A true CN113114469A (en) | 2021-07-13 |
Family
ID=76712351
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110327338.8A Pending CN113114469A (en) | 2021-03-26 | 2021-03-26 | Method for generating, purifying and verifying cleanable signature and privacy protection method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113114469A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114760069A (en) * | 2022-04-12 | 2022-07-15 | 福建师范大学 | Forward-safe efficient attribute-based cleanable signature system and method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103354500A (en) * | 2013-07-05 | 2013-10-16 | 长安大学 | Sanitizable agent signature method in standard model |
US20170033933A1 (en) * | 2014-04-08 | 2017-02-02 | Hewlett Packard Enterprise Development Lp | Redactable document signatures |
KR20200041134A (en) * | 2018-10-11 | 2020-04-21 | 세종대학교산학협력단 | System and method for providng redactable signature with recovery functionality |
-
2021
- 2021-03-26 CN CN202110327338.8A patent/CN113114469A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103354500A (en) * | 2013-07-05 | 2013-10-16 | 长安大学 | Sanitizable agent signature method in standard model |
US20170033933A1 (en) * | 2014-04-08 | 2017-02-02 | Hewlett Packard Enterprise Development Lp | Redactable document signatures |
KR20200041134A (en) * | 2018-10-11 | 2020-04-21 | 세종대학교산학협력단 | System and method for providng redactable signature with recovery functionality |
Non-Patent Citations (3)
Title |
---|
ZHIYAN XU 等: "Privacy-Protection Scheme Based on Sanitizable Signature for Smart Mobile Medical Scenarios", 《WIRELESS COMMUNICATIONS AND MOBILE COMPUTING》 * |
张君何 等: "一种基于环签名和短签名的可净化签名方案", 《计算机科学》 * |
明洋 等: "标准模型下高效的基于身份可净化签名方案", 《计算机科学》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114760069A (en) * | 2022-04-12 | 2022-07-15 | 福建师范大学 | Forward-safe efficient attribute-based cleanable signature system and method |
CN114760069B (en) * | 2022-04-12 | 2023-06-09 | 福建师范大学 | Forward secure high-efficiency attribute-based cleanable signature system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Jakobsson et al. | An optimally robust hybrid mix network | |
JP4687465B2 (en) | Mix net system | |
CN102420691B (en) | Certificate-based forward security signature method and system thereof | |
CN110414981B (en) | Homomorphic encryption method supporting ZKPs and blockchain transaction amount encryption method | |
CN101562524B (en) | Digital signature method based on identity | |
CN110545279A (en) | block chain transaction method, device and system with privacy and supervision functions | |
Shim | A new certificateless signature scheme provably secure in the standard model | |
CN109547209A (en) | A kind of two side's SM2 digital signature generation methods | |
CN113271209B (en) | Trustable public key encryption system and method based on non-interactive zero-knowledge proof | |
JP2012151756A (en) | Decryption system, key device, decryption method, and program | |
CN112632630A (en) | SM 2-based collaborative signature calculation method and device | |
Tbatou et al. | A New Mutuel Kerberos Authentication Protocol for Distributed Systems. | |
CN110932865B (en) | Linkable ring signature generation method based on SM2 digital signature algorithm | |
Muhammad et al. | Loop-based RSA key generation algorithm using string identity | |
CN109361519A (en) | A kind of improved generation method and system comprising secret number | |
CN111447065A (en) | Active and safe SM2 digital signature two-party generation method | |
Sarier | A new biometric identity based encryption scheme secure against DoS attacks | |
Mashhadi | Computationally Secure Multiple Secret Sharing: Models, Schemes, and Formal Security Analysis. | |
CN113114469A (en) | Method for generating, purifying and verifying cleanable signature and privacy protection method thereof | |
CN1332919A (en) | Incorporating shared randomness into distributed cryptography | |
Johansson | Further results on asymmetric authentication schemes | |
Li et al. | Cryptographic algorithms for privacy-preserving online applications. | |
Li et al. | A general compiler for password-authenticated group key exchange protocol | |
Wang et al. | ID-based Proxy Re-signature with Aggregate Property. | |
Thomas et al. | A Zero-knowledge Undeniable Signature Scheme in Non-abelian Group Setting. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20210713 |
|
WD01 | Invention patent application deemed withdrawn after publication |