CN113114469A - Method for generating, purifying and verifying cleanable signature and privacy protection method thereof - Google Patents


Publication number
CN113114469A
Authority
CN
China
Prior art keywords
signature
message
signer
generating
purge
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110327338.8A
Other languages
Chinese (zh)
Inventor
张伟剑
郭志民
许芷岩
吕卓
杨文�
陈岑
李暖暖
张铮
罗敏
何德彪
蔡军飞
李鸣岩
张伟
常昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Lianweitu Software Co ltd
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
Wuhan Lianweitu Software Co ltd
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Application filed by Wuhan Lianweitu Software Co ltd, State Grid Corp of China SGCC, State Grid Henan Electric Power Co Ltd, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd filed Critical Wuhan Lianweitu Software Co ltd
Priority to CN202110327338.8A priority Critical patent/CN113114469A/en
Publication of CN113114469A publication Critical patent/CN113114469A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The invention relates to a method for generating, sanitizing and verifying a sanitizable signature with a privacy protection function. The method for generating the sanitizable signature comprises the following steps: step 101, generating equivalence class signatures theta and omega for the public key of the signer S using an equivalence class signature algorithm; step 102, decomposing a given message m into message blocks and, from the given message and the private key of the signer, generating the signature $\sigma_i$ of each message block $m_i$, where i is the identifier of the message block; step 103, combining the signatures $\sigma_i$ into an original signature σ; step 104, selecting a random number r and generating the two-dimensional coordinates of a point R and a point Q using an additive cyclic group algorithm; step 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m; and step 106, sending the generated information to the sanitizer Z. The method can ensure the integrity, authenticity and usability of the data, and can ensure the privacy and unforgeability of the data.

Description

Method for generating, purifying and verifying cleanable signature and privacy protection method thereof
Technical Field
The invention relates to a digital signature, in particular to a generation, purification and verification method based on a cleanable signature and a privacy protection method based on the cleanable signature.
Background
Digital signatures are one of the cryptographic techniques that guarantee network security. Once a signed message is modified, the original signature becomes invalid, so attaching a signature to the original message provides data integrity, authenticity and non-repudiation. However, in many practical application scenarios, users want privacy-sensitive information to be protected while data integrity and availability are still guaranteed. One solution to this problem is to require the signer to sign only the data relevant to the current application. However, this process must be repeated each time a new subset of the information is to be shared, which creates too much overhead to be practical.
Ateniese et al. proposed the concept of a sanitizable signature. A sanitizable signature is a digital signature technique that supports controlled modification of a signed message: a sanitizer can modify the signed message without any interaction with the original signer and can derive a valid signature for the modified message, so that a user's sensitive information can be effectively hidden while the integrity and authenticity of the data are ensured.
However, current privacy protection schemes based on sanitizable signatures still lack a secure and efficient protection scheme.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a method for generating, purifying and verifying a cleanable signature and a privacy protection method thereof. The method can ensure the integrity, authenticity and usability of the data, can ensure the privacy and the unforgeability of the data, and has the characteristics of high safety, simple realization, high verification efficiency and the like.
The invention adopts the following technical scheme.
In a first aspect of the present invention, a method for generating a sanitizable signature is provided, which includes the following steps: step 101, according to the private key and the public key of the signer S and the public key of the sanitizer Z, using the equivalence class signature algorithm to generate, for the public key of the signer S, the equivalence class signatures
Figure BDA0002995130890000011
and ω; step 102, decomposing a given message m into l message blocks $m_1, m_2, \dots, m_l$ of the same length and, according to the given message $m = \{m_1, m_2, \dots, m_l\}$ and the private key of the signer S, the signer S generating the signature $\sigma_i$ of each message block $m_i$ in the given message, where i is the identifier of the message block and $i \in \{1, \dots, l\}$; step 103, combining the generated signatures $\sigma_i$ of the message blocks $m_i$ into the original signature σ, where $\sigma = \{\sigma_1, \sigma_2, \dots, \sigma_l\}$; step 104, selecting a random number r and, according to the public key of the sanitizer Z and the random number r, generating the two-dimensional coordinates of a point R and a point Q using an additive cyclic group algorithm; step 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m, according to the two-dimensional coordinates of the point R and the point Q and the information on the message blocks of the given message m that are allowed to be modified; step 106, the generated equivalence class signatures of the public key of the signer S
Figure BDA00029951308900000215
and ω, the public key of the signer S, the original signature σ of the given message m and the auxiliary information ciphertext c are sent to the sanitizer Z.
Preferably, the public key of the signer S is $PK_s = (X, Y)$, where $X = (X_1, X_2)$, $Y = (Y_1, Y_2)$, and $X_1$, $X_2$, $Y_1$, $Y_2$ are respectively calculated as
Figure BDA0002995130890000021
where $x_1, x_2, y_1,$
Figure BDA0002995130890000022
Figure BDA0002995130890000023
is the set of integers 1, 2, …, q-1; and an equivalence class signature is generated for the public key X of the signer S using an equivalence class signature algorithm
Figure BDA00029951308900000216
Wherein
Figure BDA00029951308900000217
Figure BDA00029951308900000218
and an equivalence class signature ω is generated for the public key Y of the signer S using the equivalence class signature algorithm, where ω = EQS.Sign(Y) and EQS.Sign() is the equivalence class signature algorithm.
Preferably, step 102 further comprises: it is assumed that,
Figure BDA0002995130890000024
where alpha is the information description of the message blocks in message m that are allowed to be modified,
Figure BDA0002995130890000025
and is
Figure BDA0002995130890000026
is the set of integers 1, 2, …, q-1; using the additive cyclic group of prime order q
Figure BDA0002995130890000027
the signer S computes the signature $\sigma_i$ for each message block $m_i$ in the given message, where the signature $\sigma_i$ is calculated by the formula
Figure BDA0002995130890000028
where H() is a cryptographic hash function on the additive cyclic group of prime order q
Figure BDA0002995130890000029
, || is the string concatenation operator, and for an input bit string of arbitrary length $\{0,1\}^*$ the output of H() is an element of the group
Figure BDA00029951308900000219
Preferably, step 104 further comprises: the two-dimensional coordinates of the point R are calculated as $R = rP = (x_R, y_R)$, where P is a generator of the cyclic group
Figure BDA00029951308900000210
, where
Figure BDA00029951308900000211
is an additive cyclic group of order q, q being a prime number, and $x_R$ and $y_R$ are respectively the abscissa and ordinate of the point R; the two-dimensional coordinates of the point Q are calculated as $Q = r \cdot PK_z = (x_Q, y_Q)$, where $PK_z$ is the public key of the sanitizer Z, and $PK_z = xP$,
Figure BDA00029951308900000212
is the private key of the sanitizer, and $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q; where the random number
Figure BDA00029951308900000213
And is
Figure BDA00029951308900000214
is the set of integers 1, 2, …, q-1.
Preferably, step 105 further comprises: the auxiliary information ciphertext c is calculated as $c = (x_Q \| y_Q)\,(\alpha \| y_1)$, where $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q, and α is the information description of the message blocks in the message m that are allowed to be modified,
Figure BDA0002995130890000031
and is
Figure BDA0002995130890000032
is the set of integers 1, 2, …, q-1.
In a second aspect of the present invention, a signature sanitizing method for a sanitizable signature is provided, which includes the following steps: step 201, verifying the validity of the original signature σ based on the basic attribute information of the signer S and the sanitizer Z; if the verification passes, accepting the original signature σ and the auxiliary information ciphertext c generated by the signer and proceeding to the next step, and if the verification fails, rejecting the original signature σ and the auxiliary information ciphertext c and exiting; step 202, according to the private key of the sanitizer Z, performing a coordinate transformation with the additive cyclic group algorithm on the point R generated by the signer S to generate a point θ, where the point θ is an element of the group
Figure BDA0002995130890000033
with coordinates $(x_\theta, y_\theta)$, and calculating $\alpha \| y_1$ from the two-dimensional coordinates of the point θ and the auxiliary information ciphertext c, where || is the string concatenation operator; step 203, checking the information description ξ of the message blocks to be modified: if
Figure BDA0002995130890000034
holds, proceeding to the next step; if
Figure BDA0002995130890000035
does not hold, exiting, where α is the information description of the message blocks in the message m that are allowed to be modified; step 204, checking the identifier i of the message block: if $i \in \xi$, setting $m'_i = f(m_i)$, and if $i \in \xi$ does not hold, setting $m'_i = m_i$, where $m'_i$ is the i-th message block in the sanitized message m', the sanitized message is $m' = \{m'_1, m'_2, \dots, m'_l\}$, and f() is the operation that updates the message m to the new message m'; step 205, traversing i over $i \in \{1, \dots, l\}$ and repeating step 204 until every message block $m'_i$ of the sanitized message m' has been generated, then combining the generated message blocks $m'_i$ into the sanitized message $m' = \{m'_1, m'_2, \dots, m'_l\}$; step 206, selecting a random number u and a random number v and, according to the public key of the signer S and the random numbers u and v, calculating the randomized values X' and Y' of the public keys X and Y of the signer S; step 207, calculating, according to the private key of the signer S and the random number u, the private key $y'_1$ used by the sanitizer Z to generate the signature of the sanitized message; step 208, according to the sanitized message $m' = \{m'_1, m'_2, \dots, m'_l\}$ and the private key $y'_1$ used by the sanitizer Z to generate the signature of the sanitized message, the sanitizer Z generating the signature $\sigma'_i$ of each message block $m'_i$ and combining the generated signatures $\sigma'_i$ into the sanitized signature σ', where $\sigma' = \{\sigma'_1, \sigma'_2, \dots, \sigma'_l\}$; step 209, sending the generated sanitized message m', the randomized values X', Y' of the public keys X, Y of the signer S, and the sanitized signature σ' to the verifier V.
Preferably, step 201 further comprises: using a signature verification method to verify the equivalence class signatures of the public keys X and Y of the signer S
Figure BDA0002995130890000036
for validity; and the signature verification method includes: traversing the message block identifier i over $i \in \{1, \dots, l\}$ and, according to the public keys X, Y of the signer S and the signature $\sigma_i$ of the signer S on each message block $m_i$ of the given message $m = \{m_1, m_2, \dots, m_l\}$, generating for each message block $m_i$ of the given message a verification factor $b_i = (e(X_i, \sigma_i) = e(Y_i, H(i \| m_i)))$, where
Figure BDA0002995130890000041
Figure BDA0002995130890000042
computing the product of all the verification factors for message block identifiers $i \in \{0, 1, \dots, l\}$
Figure BDA0002995130890000043
If the product is 1, the verification passes and the original signature σ and the given message m are accepted; if the product is not 1, the verification fails and the original signature σ and the given message m are rejected; where $X_1$, $X_2$, $Y_1$, $Y_2$ are respectively calculated as
Figure BDA0002995130890000044
$x_1, x_2, y_1,$
Figure BDA0002995130890000045
Wherein e () is a bilinear map
Figure BDA0002995130890000046
Figure BDA0002995130890000047
is an additive cyclic group of prime order q,
Figure BDA0002995130890000048
is an additive cyclic group of prime order q,
Figure BDA0002995130890000049
is a multiplicative cyclic group of order q, q being a prime number, H() is a cryptographic hash function whose input is a bit string of arbitrary length $\{0,1\}^*$ and whose output is an element of the group
Figure BDA00029951308900000410
, and $i \| m_i$ is the concatenation of the binary strings of i and the message block $m_i$.
Preferably, step 202 further comprises: the point θ is calculated as $\theta = SK_z \cdot R = (x_\theta, y_\theta)$, and $\alpha \| y_1$ is calculated by the formula
Figure BDA00029951308900000411
where $SK_z$ is the private key of the signer S, and $SK_s = (x_1, x_2, y_1, y_2)$, $x_1, x_2, y_1,$
Figure BDA00029951308900000412
where R is the point generated by the signer S with the additive cyclic group algorithm according to the public key of the sanitizer Z and the random number r, $(x_\theta, y_\theta)$ are the two-dimensional coordinates of the point θ, c is the auxiliary information ciphertext generated by the signer S, and $x_\theta \| y_\theta$ is the concatenation of the binary strings of the abscissa and ordinate of the point θ.
Preferably, step 206 further comprises: the formula of X ', Y' is
Figure BDA00029951308900000413
And
Figure BDA00029951308900000414
where
Figure BDA00029951308900000415
Figure BDA00029951308900000416
Figure BDA00029951308900000417
and $x_1, x_2, y_1,$
Figure BDA00029951308900000418
Preferably, step 207 further comprises: the private key $y'_1$ is calculated as $y'_1 = u \cdot y_1$, where
Figure BDA00029951308900000419
Preferably, step 208 further comprises: it is assumed that,
Figure BDA00029951308900000420
using the additive cyclic group of prime order q
Figure BDA00029951308900000421
the sanitizer Z computes the signature $\sigma'_i$ for each message block $m'_i$ in the sanitized message, where the signature $\sigma'_i$ is calculated by the formula
Figure BDA00029951308900000422
where H() is a cryptographic hash function whose input is a bit string of arbitrary length $\{0,1\}^*$ and whose output is an element of the group
Figure BDA0002995130890000051
, where
Figure BDA0002995130890000052
is an additive cyclic group of prime order q, and $i \| m'_i$ is the concatenation of the binary strings of i and the sanitized message block $m'_i$.
In a third aspect of the present invention, a signature verification method for a sanitizable signature is provided, which includes the following steps: step 301, the receiver V receives from the sanitizer Z the sanitized message $m' = \{m'_1, m'_2, \dots, m'_l\}$ and the sanitized signature $\sigma' = \{\sigma'_1, \sigma'_2, \dots, \sigma'_l\}$, the randomized public key $PK'_s$ of the signer S, the public key $PK_z$ of the sanitizer Z, and the information description of the message blocks that are allowed to be modified; step 302, traversing i over $i \in \{1, \dots, l\}$ and, according to the randomized values X', Y' of the public keys X, Y of the signer S and the signature $\sigma'_i$ of the sanitizer Z on the message block $m'_i$, generating a verification factor $b_i$ for each message block $m'_i$ of the sanitized message; step 303, calculating the product of all verification factors for message block identifiers $i \in \{1, \dots, l\}$; if the product is 1, the verification passes and the sanitized signature σ' and the sanitized message m' are accepted; if the product is not 1, the verification fails and the sanitized signature σ' and the sanitized message m' are rejected.
Preferably, i is traversed over $i \in \{0, 1, \dots, l\}$ and $b_i = (e(X'_i, \sigma'_i) = e(Y'_i, H(i \| m'_i)))$ is calculated, where
Figure BDA0002995130890000053
the product of all the verification factors $b_i$ is obtained as
Figure BDA0002995130890000054
If b is true, the sanitized signature σ' and the sanitized message m' are accepted, and otherwise the sanitized signature σ' and the sanitized message m' are rejected; where $X'_i$ and $Y'_i$ are respectively the randomized values of the public keys X and Y of the signer S,
Figure BDA0002995130890000055
Figure BDA0002995130890000056
where $X_1$, $X_2$, $Y_1$, $Y_2$ are respectively calculated as
Figure BDA0002995130890000057
Figure BDA0002995130890000058
$x_1, x_2, y_1,$
Figure BDA0002995130890000059
Wherein e () is a bilinear map
Figure BDA00029951308900000510
Figure BDA00029951308900000511
Figure BDA00029951308900000512
is an additive cyclic group of order q,
Figure BDA00029951308900000513
is an additive cyclic group of order q,
Figure BDA00029951308900000514
is a multiplicative cyclic group of order q, q being a prime number, and H() is a cryptographic hash function whose input is a bit string of arbitrary length $\{0,1\}^*$ and whose output is an element of the group
Figure BDA00029951308900000515
The invention provides a privacy protection method based on a cleanable signature, which comprises the following steps: step 1, after a signer S acquires a given message m, generating an original signature sigma and a related auxiliary information ciphertext c for the given message m based on basic attribute information of the signer S and a clarifier Z; step 2, after receiving the related auxiliary information ciphertext c and the original signature sigma of the given message m, the purifier Z generates a purified signature sigma ' for the purified message m ' based on the basic attribute information of the signer S and the purifier Z, the related auxiliary information ciphertext c and the generated purified message m '; and 3, after receiving the purification message m ' and the purification signature sigma ', the verifier V verifies the validity of the purification signature sigma ' by using a signature verification method based on the basic attribute information of the signer S and the purifier Z, and selects to receive or reject the purification signature sigma ' and the purification message m ' according to a verification result.
Preferably, step 1 of a privacy protection method based on a sanitizable signature is implemented based on a sanitizable signature generation method described in the first aspect of the present invention.
Preferably, step 2 of the privacy protection method based on the sanitizable signature is implemented based on the signature sanitization method of the sanitizable signature according to the second aspect of the present invention.
Preferably, step 3 of the privacy protection method based on the sanitizable signature is implemented based on the signature verification method of the sanitizable signature according to the third aspect of the present invention.
Compared with the prior art, the method for generating, purifying and verifying the cleanable signature and the privacy protection method thereof provided by the invention can ensure the integrity, authenticity and availability of data, can ensure the privacy and the unforgeability of the data, and have the characteristics of high safety, simplicity in implementation, high verification efficiency and the like.
The beneficial effects of the invention also include:
1. The invention can ensure verification of data integrity and the availability and authenticity of data, while also supporting privacy protection of the data, so that the data is difficult to forge.
2. The cleanable signature algorithm in the prior art strictly limits the number of private keys and public keys, i.e. the number of private keys and public keys is required to be in proportion to the number of message blocks. The invention does not need to limit the number of the private keys and the public keys in the signature algorithm according to the number of the message blocks, but divides the signature key into two parts, thereby effectively reducing the calculation overhead of the signature algorithm and the communication overhead of information transmission.
3. Compared with sanitizable signatures in the prior art, the security of the method can be proven under the random oracle model.
Drawings
FIG. 1 is a flow chart illustrating steps of a method for generating a sanitizable signature according to the present invention;
FIG. 2 is a flowchart illustrating steps of a signature cleansing method for cleansing a signature according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating steps of a method for verifying a signature of a sanitizable signature according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating implementation steps of a privacy preserving method based on a sanitizable signature according to the present invention;
fig. 5 is a flowchart illustrating a privacy protection method based on a sanitizable signature according to the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
FIG. 1 is a flowchart illustrating steps of a method for generating a sanitizable signature according to the present invention. As shown in fig. 1, a method for generating a cleanable signature specifically includes steps 101-106.
Step 101, according to the private key and the public key of the signer S and the public key of the sanitizer Z, the equivalence class signature algorithm is used to generate, for the public key of the signer S, the equivalence class signatures
Figure BDA00029951308900000712
And ω.
During the system initialization process, the security parameter λ at the system initialization can be set to reflect the security level of the whole scheme. After the system initialization is completed, the system can be used to implement the specific cleanable signature generation, cleaning and verification algorithm described in the present invention.
Preferably, the public key of the signer S is $PK_s = (X, Y)$, where $X = (X_1, X_2)$, $Y = (Y_1, Y_2)$, and $X_1$, $X_2$, $Y_1$, $Y_2$ are respectively calculated as
Figure BDA0002995130890000071
where $x_1, x_2, y_1,$
Figure BDA0002995130890000072
and an equivalence class signature is generated for the public key X of the signer S using an equivalence class signature algorithm
Figure BDA0002995130890000073
Wherein
Figure BDA0002995130890000074
and an equivalence class signature ω is generated for the public key Y of the signer S using the equivalence class signature algorithm, where ω = EQS.Sign(Y) and EQS.Sign() is the equivalence class signature algorithm.
Step 102, decomposing a given message m into l message blocks $m_1, m_2, \dots, m_l$ of the same length; according to the given message $m = \{m_1, m_2, \dots, m_l\}$ and the private key of the signer S, the signer S generates the signature $\sigma_i$ of each message block $m_i$ in the given message, where i is the identifier of the message block and $i \in \{1, \dots, l\}$.
It is worth noting that l represents the number of message blocks contained in the message m, and $l \in Z^+$, where $Z^+$ is the set of positive integers.
Preferably, it is assumed that,
Figure BDA0002995130890000075
where alpha is the information description of the message blocks in message m that are allowed to be modified,
Figure BDA0002995130890000076
and is
Figure BDA0002995130890000077
is the set of integers 1, 2, …, q-1; using the additive cyclic group of prime order q
Figure BDA0002995130890000078
the signer S computes the signature $\sigma_i$ for each message block $m_i$ in the given message, where the signature $\sigma_i$ is calculated by the formula
Figure BDA0002995130890000079
where H() is a cryptographic hash function on the additive cyclic group of prime order q
Figure BDA00029951308900000710
, || is the string concatenation operator, and for an input bit string of arbitrary length $\{0,1\}^*$ the output of H() is an element of the group
Figure BDA00029951308900000711
Step 103, combining the generated signatures $\sigma_i$ of the message blocks $m_i$ into the original signature σ, where $\sigma = \{\sigma_1, \sigma_2, \dots, \sigma_l\}$.
Step 104, selecting a random number r and, according to the public key of the sanitizer Z and the random number r, generating the two-dimensional coordinates of the point R and the point Q using an additive cyclic group algorithm.
Preferably, the two-dimensional coordinates of the point R are calculated as $R = rP = (x_R, y_R)$, where P is a generator of the cyclic group
Figure BDA0002995130890000081
, where
Figure BDA0002995130890000082
is an additive cyclic group of prime order q, and $x_R$ and $y_R$ are respectively the abscissa and ordinate of the point R; the two-dimensional coordinates of the point Q are calculated as $Q = r \cdot PK_z = (x_Q, y_Q)$, where $PK_z$ is the public key of the sanitizer Z, $PK_z = xP$, x is the private key of the sanitizer Z, and $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q; where the random number
Figure BDA0002995130890000083
Step 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m, according to the two-dimensional coordinates of the point R and the point Q and the information on the message blocks of the given message m that are allowed to be modified.
Preferably, the auxiliary information ciphertext c is calculated as $c = (x_Q \| y_Q)\,(\alpha \| y_1)$, where $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q, and α is the information description of the message blocks in the message m that are allowed to be modified.
Step 106, the generated equivalence class signatures of the public key of the signer S
Figure BDA0002995130890000084
and ω, the public key of the signer S, the original signature σ of the given message m and the auxiliary information ciphertext c are sent to the sanitizer Z.
According to a method for generating a sanitizable signature in the present invention, the signer S can generate a sanitizable signature for given information and an auxiliary information ciphertext according to basic attribute information of the signer S and the sanitizer Z. After the sanitizable signature and the auxiliary information ciphertext are sent to the sanitizer Z, the sanitizer Z is allowed to sanitize its signature and parse the auxiliary information ciphertext into the original message. Therefore, the invention also provides a signature purifying method capable of purifying the signature.
As shown in fig. 2, the signature sanitizing method for a sanitizable signature specifically includes steps 201 to 209, where:
Step 201, based on the basic attribute information of the signer S and the sanitizer Z, verifying the validity of the original signature σ; if the verification passes, accepting the original signature σ and the auxiliary information ciphertext c generated by the signer and proceeding to the next step, and if the verification fails, rejecting the original signature σ and the auxiliary information ciphertext c and exiting.
Preferably, in step 201 a signature verification method may be used to verify the equivalence class signatures of the public keys X and Y of the signer S
Figure BDA0002995130890000085
for validity.
Specifically, the signature verification method includes: traversing the message block identifier i over $i \in \{1, \dots, l\}$ and, according to the public keys X, Y of the signer S and the signature $\sigma_i$ of the signer S on each message block $m_i$ of the given message $m = \{m_1, m_2, \dots, m_l\}$, generating for each message block $m_i$ of the given message a verification factor $b_i = (e(X_i, \sigma_i) = e(Y_i, H(i \| m_i)))$, where
Figure BDA0002995130890000091
and calculating the product of all the verification factors for message block identifiers $i \in \{0, 1, \dots, l\}$,
Figure BDA0002995130890000092
If the product is 1, the verification passes and the original signature σ and the given message m are accepted; if the product is not 1, the verification fails and the original signature σ and the given message m are rejected; where e() is a bilinear map
Figure BDA0002995130890000093
Figure BDA0002995130890000094
is an additive cyclic group of order q,
Figure BDA0002995130890000095
is a multiplicative cyclic group of order q, q being a prime number.
Step 202, using the private key of the sanitizer Z, apply a coordinate transformation to the point R, which the signer S generated with the additive cyclic group algorithm, to obtain a point θ, where θ is a point of the group
Figure BDA0002995130890000096
with coordinates $(x_\theta, y_\theta)$, and calculate $\alpha \| y_1$ from the two-dimensional coordinates of the point θ and the related auxiliary information ciphertext c, where $\|$ is the string concatenation operator.
Preferably, the point θ is calculated as $\theta = SK_z \cdot R = (x_\theta, y_\theta)$, and $\alpha \| y_1$ is calculated by the formula
Figure BDA0002995130890000097
where $SK_z$ is the private key of the signer S, and $SK_s = (x_1, x_2, y_1, y_2)$; R is the point that the signer S generated for the sanitizer Z using the additive cyclic group algorithm; $(x_\theta, y_\theta)$ are the two-dimensional coordinates of the point θ; c is the auxiliary information ciphertext related to m generated by the signer S; and $x_\theta \| y_\theta$ is the concatenation of the binary strings of the abscissa and ordinate of the point θ.
Step 203, check the information description ξ of the message blocks to be modified: if the condition
Figure BDA00029951308900000912
holds, go to the next step; if the condition
Figure BDA00029951308900000913
does not hold, exit, where α is the information description of the message blocks in the message m that are allowed to be modified.
Step 204, check the identifier i of the message block: if $i \in \xi$, compute $m'_i = f(m_i)$; if $i \in \xi$ does not hold, let $m'_i = m_i$, where $m'_i$ is the i-th message block of the sanitized message $m'$, the sanitized message is $m' = \{m'_1, m'_2, \ldots, m'_l\}$, and f() is the operation that updates the message m to the new message m'.
Step 205, traverse i over the range $i \in \{1, \ldots, l\}$, repeating step 204 until every message block $m'_i$ of the sanitized message $m'$ has been generated, and combine the generated message blocks $m'_i$ into the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$.
Step 206, select a random number u and a random number v, and from the public key of the signer S and the random numbers u and v calculate the randomized values X', Y' of the public keys X and Y of the signer S.
Preferably, X' and Y' are calculated as
Figure BDA0002995130890000098
and
Figure BDA0002995130890000099
Figure BDA00029951308900000910
where
Figure BDA00029951308900000911
Step 207, from the private key of the signer S and the random number u, calculate the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature.
Preferably, the private key $y'_1$ is calculated as $y'_1 = u \cdot y_1$.
Step 208, from the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature, generate the signature $\sigma'_i$ of the sanitizer Z on each message block $m'_i$, and combine the signatures $\sigma'_i$ of the message blocks into the sanitized signature $\sigma'$, where $\sigma' = \{\sigma'_1, \sigma'_2, \ldots, \sigma'_l\}$.
Preferably, assume
Figure BDA0002995130890000101
and use the additive cyclic group of prime order q,
Figure BDA0002995130890000102
for the sanitizer Z to compute the signature $\sigma'_i$ on each message block $m'_i$ of the sanitized message, where the signature $\sigma'_i$ is calculated by the formula
Figure BDA0002995130890000103
where $i \| m_i$ is the concatenation of the binary strings of i and the message block $m_i$.
Step 209, send the generated sanitized message m', the randomized values X', Y' of the public keys X, Y of the signer S, and the sanitized signature σ' to the verifier V.
Based on this method, the sanitizer Z can perform the above steps to sanitize the message from the signer S and restore the encrypted message to the original message. In order to transmit or use the message further, a derived signature can be generated after the signature has been sanitized. The communication system may include more than one sanitizer, so the message may be sanitized and given a derived signature multiple times. Finally, the sanitized message and the sanitized signature are sent to the verifier V, who can verify the sanitized signature with the signature verification method and accept the sanitized message once the verification passes.
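The auxiliary-information handling of steps 202 to 205, together with the signer-side steps 104 and 105 that produce R and c, as an added example that is not part of the patent text. Assumptions: secp256k1 stands in for the patent's additive cyclic group, the operator joining $(x_Q \| y_Q)$ and $(\alpha \| y_1)$ is taken to be XOR and the step 203 condition to be ξ ⊆ α (both are not legible on this page), and the bitmask encoding of α, the function names and the sample blocks are constructed.

```python
import secrets

# Stand-in group: secp256k1 (y^2 = x^3 + 7 over F_p). Assumption of this example;
# the patent's pairing group is only needed for signature checks, not for this step.
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def pad_from_point(pt):
    """x||y of a point as 64 bytes: the pad x_Q||y_Q or x_theta||y_theta."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def encode_blocks(indices):
    """Assumed encoding of alpha: bit i set means block i may be modified."""
    bits = 0
    for i in indices:
        bits |= 1 << i
    return bits.to_bytes(32, "big")


def decode_blocks(raw):
    bits = int.from_bytes(raw, "big")
    return {i for i in range(bits.bit_length()) if (bits >> i) & 1}


def signer_encrypt_aux(pk_z, alpha, y1):
    """Steps 104-105: R = rP, Q = r*PK_z, c = (x_Q||y_Q) XOR (alpha||y_1)."""
    r = secrets.randbelow(N_ORDER - 1) + 1
    R, Q = ec_mul(r, G), ec_mul(r, pk_z)
    return R, xor(pad_from_point(Q), encode_blocks(alpha) + y1.to_bytes(32, "big"))


def sanitizer_recover_aux(sk_z, R, c):
    """Step 202: theta = SK_z*R equals Q, so the same pad unmasks alpha||y_1."""
    plain = xor(pad_from_point(ec_mul(sk_z, R)), c)
    return decode_blocks(plain[:32]), int.from_bytes(plain[32:], "big")


def sanitize(blocks, xi, alpha, f):
    """Steps 203-205: exit unless xi is within alpha, then rewrite only blocks in xi."""
    if not set(xi) <= set(alpha):
        raise PermissionError("xi names blocks the signer did not allow: %s"
                              % sorted(set(xi) - set(alpha)))
    return [f(m) if i in xi else m for i, m in enumerate(blocks, start=1)]


def demo():
    sk_z = secrets.randbelow(N_ORDER - 1) + 1     # sanitizer private key x
    pk_z = ec_mul(sk_z, G)                        # PK_z = xP
    y1 = secrets.randbelow(N_ORDER - 1) + 1       # signer key component y_1
    # Constructed sample message, split into l = 3 blocks (block ids start at 1).
    blocks = [b"name: A. Example", b"ward: 4B", b"reading: 118/76"]
    R, c = signer_encrypt_aux(pk_z, {1, 2}, y1)
    alpha, got_y1 = sanitizer_recover_aux(sk_z, R, c)
    cleaned = sanitize(blocks, {1}, alpha, lambda m: b"[removed]")
    return alpha, got_y1 == y1, cleaned


if __name__ == "__main__":
    print(demo())
```

Because the pad is a plain XOR under these assumptions, a modified c or a wrong private key decodes to a different α||y_1 without raising any error, so the recovered α is only as trustworthy as the channel that delivered R and c.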
As shown in fig. 3, the signature verification method for a sanitizable signature specifically includes steps 301 to 303, as follows.
Step 301, the receiver V receives from the sanitizer Z the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the sanitized signature $\sigma' = \{\sigma'_1, \sigma'_2, \ldots, \sigma'_l\}$, the public key $PK'_s$ of the signer S after re-randomization by the sanitizer, where $PK'_s = (X', Y')$, the public key $PK_z$ of the sanitizer Z, and the information description ξ of the message blocks to be modified.
Step 302, traverse i over the range $i \in \{1, \ldots, l\}$ and, from the randomized values X', Y' of the public keys X, Y of the signer S and the signature $\sigma'_i$ of the sanitizer Z on the message block $m'_i$, generate a verification factor $b_i$ for each message block $m'_i$ of the sanitized message.
Step 303, calculate the product of all verification factors for message block identifiers $i \in \{1, \ldots, l\}$. If the product is 1, the verification passes and the sanitized signature σ' and the sanitized message m' are accepted; if the product is not 1, the verification fails and the sanitized signature σ' and the sanitized message m' are rejected.
Specifically, steps 302 and 303 further include: traversing i over the range $i \in \{1, \ldots, l\}$ and calculating $b_i = (e(X'_i, \sigma'_i) = e(Y'_i, H(i \| m'_i)))$, where
Figure BDA0002995130890000111
Figure BDA0002995130890000112
and taking the product of all the verification factors $b_i$,
Figure BDA0002995130890000113
If b is true, the sanitized signature σ' and the sanitized message m' are accepted; otherwise the sanitized signature σ' and the sanitized message m' are rejected.
With this signature verification algorithm, the verifier V can verify the sanitized message and the sanitized signature from the sanitizer Z, and accept and use the sanitized message once the verification succeeds.
Based on the methods for generating, sanitizing and verifying a sanitizable signature, the invention also provides a privacy protection method based on a sanitizable signature. As shown in figs. 4-5, the method specifically includes steps 1 to 3, as follows.
Step 1, after the signer S obtains a given message m, the signer generates an original signature σ and an auxiliary information ciphertext c for the given message m based on the basic attribute information of the signer S and the sanitizer Z.
Specifically, the basic attribute information of the signer S and the sanitizer Z includes the private key $SK_s$ and public key $PK_s$ of the signer, the private key $SK_z$ and public key $PK_z$ of the sanitizer, and so on. The given message m also comes with its division into message blocks, i.e., $m = \{m_1, m_2, \ldots, m_l\}$, and the information description α of the message blocks in m that are allowed to be modified. In addition, the original signature σ generated by the signer S is built from the signature on each message block, i.e., $\sigma = \{\sigma_1, \sigma_2, \ldots, \sigma_l\}$.
Preferably, step 1 is implemented according to the above method for generating a sanitizable signature.
Step 2, after receiving the auxiliary information ciphertext c and the original signature σ of the given message m, the sanitizer Z generates a sanitized message m' based on the basic attribute information of the signer S and the sanitizer Z and the auxiliary information ciphertext c related to m, and generates a sanitized signature σ' for the sanitized message m'.
Specifically, the auxiliary information ciphertext c received by the sanitizer Z also includes the information description ξ of the message blocks to be modified, among other information. The generated sanitized message is $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the sanitized signature is $\sigma' = \{\sigma'_1, \sigma'_2, \ldots, \sigma'_l\}$.
Preferably, step 2 is implemented according to the above signature sanitizing method for a sanitizable signature.
Step 3, after receiving the sanitized message m' and the sanitized signature σ', the verifier V uses a signature verification method to verify the validity of the sanitized signature σ' based on the basic attribute information of the signer S and the sanitizer Z, which includes the public key $PK'_s$ of the signer S after re-randomization by the sanitizer, where $PK'_s = (X', Y')$, and chooses to accept or reject the sanitized signature σ' and the sanitized message m' according to the verification result.
Preferably, step 3 is implemented based on the above signature verification method of a sanitizable signature.
Compared with the prior art, the methods for generating, sanitizing and verifying a sanitizable signature and the privacy protection method provided by the invention ensure the integrity, authenticity and availability of data as well as its privacy and unforgeability, and offer high security, simple implementation and high verification efficiency.
The beneficial effects of the invention also include:
1. The invention ensures verification of data integrity and the availability and authenticity of data while also supporting privacy protection of the data, so that the data is difficult to forge.
2. The cleanable signature algorithm in the prior art strictly limits the number of private keys and public keys, i.e. the number of private keys and public keys is required to be in proportion to the number of message blocks. The invention does not need to limit the number of the private keys and the public keys in the signature algorithm according to the number of the message blocks, but divides the signature key into two parts, thereby effectively reducing the calculation overhead of the signature algorithm and the communication overhead of information transmission.
3. Compared with the sanitizable signatures of the prior art, the security of the method can be proven under the random oracle model.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (17)

1. A method for generating a sanitizable signature, comprising the steps of:
step 101, according to the private key and the public key of the signer S and the public key of the sanitizer Z, generating equivalence class signatures for the public key of the signer S by using an equivalence class signature algorithm, namely
Figure FDA0002995130880000014
and ω;
step 102, decomposing a given message m into l message blocks $m_1, m_2, \ldots, m_l$ of equal length and, from the given message $m = \{m_1, m_2, \ldots, m_l\}$ and the private key of the signer S, generating the signature $\sigma_i$ of the signer S on each message block $m_i$ of the given message, where i is the identifier of the message block and $i \in \{0, 1, \ldots, l\}$;
step 103, combining the generated signatures $\sigma_i$ of the message blocks $m_i$ into the original signature σ, where $\sigma = \{\sigma_1, \sigma_2, \ldots, \sigma_l\}$;
step 104, selecting a random number r, and generating the two-dimensional coordinates of a point R and a point Q by using an additive cyclic group algorithm according to the public key of the sanitizer Z and the random number r;
step 105, generating a corresponding ciphertext c for the auxiliary information related to the given message m according to the two-dimensional coordinates of the point R and the point Q and the information on the message blocks that are allowed to be modified in the given message m;
step 106, sending to the sanitizer Z the generated equivalence class signatures of the public key of the signer S, namely
Figure FDA0002995130880000015
and ω, together with the public key of the signer S, the original signature σ of the given message m and the auxiliary information ciphertext c.
2. The method for generating a sanitizable signature according to claim 1, wherein step 101, generating with the equivalence class signature algorithm, according to the private key and the public key of the signer S and the public key of the sanitizer Z, the equivalence class signatures for the public key of the signer S, namely
Figure FDA0002995130880000016
and ω, further comprises:
the public key of the signer S is $PK_s = (X, Y)$, where $X = (X_1, X_2)$, $Y = (Y_1, Y_2)$, and $X_1, X_2, Y_1, Y_2$ are respectively calculated as
Figure FDA0002995130880000011
where $x_1, x_2, y_1$,
Figure FDA0002995130880000012
Figure FDA0002995130880000013
is the set of integers 1, 2, …, q-1; and
generating an equivalence class signature for the public key X of the signer S by using an equivalence class signature algorithm
Figure FDA0002995130880000017
where
Figure FDA0002995130880000018
Figure FDA0002995130880000019
and generating an equivalence class signature ω for the public key Y of the signer S by using the equivalence class signature algorithm, where $\omega = \mathrm{EQS.Sign}(Y)$ and EQS.Sign() is the equivalence class signature algorithm.
3. The method for generating a sanitizable signature according to claim 1, wherein step 102, decomposing a given message m into l message blocks $m_1, m_2, \ldots, m_l$ of equal length and, from the given message $m = \{m_1, m_2, \ldots, m_l\}$ and the private key of the signer S, generating the signature $\sigma_i$ of the signer S on each message block $m_i$ of the given message, where i is the identifier of the message block and $i \in \{1, \ldots, l\}$, further comprises:
it is assumed that,
Figure FDA0002995130880000021
where alpha is the information description of the message blocks in message m that are allowed to be modified,
Figure FDA0002995130880000022
and
Figure FDA0002995130880000023
is the set of integers 1, 2, …, q-1;
using the additive cyclic group of prime order q,
Figure FDA0002995130880000024
the signer S computes the signature $\sigma_i$ for each message block $m_i$ of the given message, where the signature $\sigma_i$ is calculated by the formula
Figure FDA0002995130880000025
where H() is a cryptographic hash function onto the additive cyclic group of prime order q
Figure FDA0002995130880000026
and $\|$ is the string concatenation operator; when the input of the function is a bit string $\{0, 1\}^*$ of arbitrary length, its output is an element of the group
Figure FDA0002995130880000027
.
4. The method of claim 1, wherein step 104, selecting a random number r and generating the two-dimensional coordinates of the point R and the point Q by an additive cyclic group algorithm based on the public key of the sanitizer Z and the random number r, further comprises:
the two-dimensional coordinates of the point R are calculated as $R = rP = (x_R, y_R)$, where P is a generator of the cyclic group
Figure FDA0002995130880000028
and the group
Figure FDA0002995130880000029
is an additive cyclic group of prime order q, and $x_R$ and $y_R$ are respectively the abscissa and ordinate of the point R;
the two-dimensional coordinates of the point Q are calculated as $Q = r \cdot PK_z = (x_Q, y_Q)$, where $PK_z$ is the public key of the sanitizer Z, $PK_z = xP$,
Figure FDA00029951308800000210
is the private key of the sanitizer, and $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q;
where the random number
Figure FDA00029951308800000211
and
Figure FDA00029951308800000212
is the set of integers 1, 2, …, q-1.
5. The method for generating a sanitizable signature according to claim 1, wherein the step 105 of generating an auxiliary information ciphertext c for the given message m according to the two-dimensional coordinates of the point R and the point Q and information of the message blocks that are allowed to be modified in the given message m further comprises:
the auxiliary information ciphertext c is calculated as $c = (x_Q \| y_Q)(\alpha \| y_1)$, where $x_Q$ and $y_Q$ are respectively the abscissa and ordinate of the point Q, α is the information description of the message blocks in the message m that are allowed to be modified,
Figure FDA00029951308800000213
and
Figure FDA00029951308800000214
is the set of integers 1, 2, …, q-1.
6. A signature sanitizing method for a sanitizable signature, comprising the steps of:
step 201, verifying the validity of an original signature σ based on the basic attribute information of a signer S and a sanitizer Z; if the verification passes, accepting the original signature σ and an auxiliary information ciphertext c generated by the signer and going to the next step, and if the verification fails, rejecting the original signature σ and the auxiliary information ciphertext c and exiting;
step 202, performing, according to the private key of the sanitizer Z, a coordinate transformation on the point R generated by the signer S with the additive cyclic group algorithm to generate a point θ, where θ is a point of the group
Figure FDA0002995130880000031
with coordinates $(x_\theta, y_\theta)$, and calculating $\alpha \| y_1$ from the two-dimensional coordinates of the point θ and the auxiliary information ciphertext c, where $\|$ is the string concatenation operator;
step 203, checking the information description ξ of the message blocks to be modified: if the condition
Figure FDA0002995130880000032
holds, going to the next step; if the condition
Figure FDA0002995130880000033
does not hold, exiting, where α is the information description of the message blocks in the message m that are allowed to be modified;
step 204, checking the identifier i of the message block: if $i \in \xi$, computing $m'_i = f(m_i)$; if $i \in \xi$ does not hold, letting $m'_i = m_i$, where $m'_i$ is the i-th message block of the sanitized message $m'$, the sanitized message is $m' = \{m'_1, m'_2, \ldots, m'_l\}$, and f() is the operation that updates the message m to the new message m';
step 205, traversing i over the range $i \in \{1, \ldots, l\}$, repeating step 204 until every message block $m'_i$ of the sanitized message $m'$ has been generated, and combining the generated message blocks $m'_i$ into the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$;
step 206, selecting a random number u and a random number v, and calculating the randomized values X', Y' of the public keys X and Y of the signer S according to the public key of the signer S and the random numbers u and v;
step 207, calculating, according to the private key of the signer S and the random number u, the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature;
step 208, generating, from the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature, the signature $\sigma'_i$ of the sanitizer Z on each message block $m'_i$, and combining the signatures $\sigma'_i$ of the message blocks into the sanitized signature $\sigma'$, where $\sigma' = \{\sigma'_1, \sigma'_2, \ldots, \sigma'_l\}$;
step 209, sending the generated sanitized message m', the randomized values X', Y' of the public keys X, Y of the signer S, and the sanitized signature σ' to the verifier V.
7. The signature sanitizing method for a sanitizable signature according to claim 6, wherein step 201, verifying the validity of the original signature σ based on the basic attribute information of the signer S and the sanitizer Z, further comprises:
verifying, by using a signature verification method, the equivalence class signatures of the public keys X and Y of the signer S
Figure FDA0002995130880000034
for validity; and
the signature verification method comprises: traversing the message block identifier i over the range $i \in \{1, \ldots, l\}$ and, from the public keys X, Y of the signer S and the signature $\sigma_i$ of the signer S on each message block $m_i$ of the given message $m = \{m_1, m_2, \ldots, m_l\}$, generating for each message block $m_i$ of the given message a verification factor $a_i = (e(X_i, \sigma_i) = e(Y_i, H(i \| m_i)))$, where
Figure FDA0002995130880000041
Figure FDA0002995130880000042
calculating the product of all verification factors for message block identifiers $i \in \{1, \ldots, l\}$,
Figure FDA0002995130880000043
if the product is 1, the verification passes and the original signature σ and the given message m are accepted; if the product is not 1, the verification fails and the original signature σ and the given message m are rejected;
where $X_1, X_2, Y_1, Y_2$ are respectively calculated as
Figure FDA0002995130880000044
Figure FDA0002995130880000045
$x_1, x_2, y_1$,
Figure FDA0002995130880000046
where e() is a bilinear map
Figure FDA0002995130880000047
Figure FDA0002995130880000048
is an additive cyclic group of prime order q,
Figure FDA0002995130880000049
is an additive cyclic group of prime order q,
Figure FDA00029951308800000410
is a multiplicative cyclic group of prime order q, H() is a cryptographic hash function that takes a bit string $\{0, 1\}^*$ of arbitrary length as input and outputs an element of the group
Figure FDA00029951308800000411
and $i \| m_i$ is the concatenation of the binary strings of i and the message block $m_i$.
8. The signature sanitizing method for a sanitizable signature according to claim 6, wherein step 202, performing with the private key of the sanitizer Z a coordinate transformation on the point R generated by the signer S using the additive cyclic group algorithm to generate a point θ, and calculating $\alpha \| y_1$ from the two-dimensional coordinates of the point θ and the auxiliary information ciphertext c, further comprises:
the point θ is calculated as $\theta = SK_z \cdot R = (x_\theta, y_\theta)$, and $\alpha \| y_1$ is calculated by the formula
Figure FDA00029951308800000412
Figure FDA00029951308800000413
where $SK_z$ is the private key of the signer S, and $SK_s = (x_1, x_2, y_1, y_2)$, $x_1, x_2, y_1$,
Figure FDA00029951308800000414
where R is the point generated by the signer S with the additive cyclic group algorithm according to the public key of the sanitizer Z and the random number r, $(x_\theta, y_\theta)$ are the two-dimensional coordinates of the point θ, c is the auxiliary information ciphertext generated by the signer S, and $x_\theta \| y_\theta$ is the concatenation of the binary strings of the abscissa and ordinate of the point θ.
9. The method of claim 6, wherein step 206, selecting a random number u and a random number v and calculating, according to the public key of the signer S and the random numbers u and v, the randomized values X', Y' of the public keys X, Y of the signer S, further comprises:
X' and Y' are calculated as
Figure FDA0002995130880000051
and
Figure FDA0002995130880000052
where u,
Figure FDA0002995130880000053
Figure FDA0002995130880000054
and $x_1, x_2, y_1$,
Figure FDA00029951308800000512
Figure FDA0002995130880000055
10. The method of claim 6, wherein step 207, calculating according to the private key of the signer S and the random number u the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature, further comprises:
the private key $y'_1$ is calculated as $y'_1 = u \cdot y_1$, where
Figure FDA0002995130880000056
11. The signature sanitizing method for a sanitizable signature according to claim 6, wherein step 208, generating from the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the private key $y'_1$ that the sanitizer Z uses to generate the sanitized message signature the signature $\sigma'_i$ of the sanitizer Z on each message block $m'_i$, further comprises:
it is assumed that,
Figure FDA0002995130880000057
using the additive cyclic group of prime order q,
Figure FDA0002995130880000058
the sanitizer Z computes the signature $\sigma'_i$ on each message block $m'_i$ of the sanitized message, where the signature $\sigma'_i$ is calculated by the formula
Figure FDA0002995130880000059
where H() is a cryptographic hash function that takes a bit string $\{0, 1\}^*$ of arbitrary length as input and outputs an element of the group
Figure FDA00029951308800000510
where the group
Figure FDA00029951308800000511
is an additive cyclic group of order q, $i \| m'_i$ is the concatenation of i with the sanitized message block $m'_i$, and q is a prime number.
12. A signature verification method for a sanitizable signature, characterized by comprising the following steps:
step 301, the receiver V receives from the sanitizer Z the sanitized message $m' = \{m'_1, m'_2, \ldots, m'_l\}$ and the sanitized signature $\sigma' = \{\sigma'_1, \sigma'_2, \ldots, \sigma'_l\}$, the randomized public key $PK'_s$ of the signer S, the public key $PK_z$ of the sanitizer Z, and the information description ξ of the message blocks to be modified;
step 302, traversing i over the range $i \in \{1, \ldots, l\}$ and, from the randomized values X', Y' of the public keys X, Y of the signer S and the signature $\sigma'_i$ of the sanitizer Z on the message block $m'_i$, generating a verification factor $b_i$ for each message block $m'_i$ of the sanitized message;
step 303, calculating the product of all verification factors for message block identifiers $i \in \{1, \ldots, l\}$; if the product is 1, the verification passes and the sanitized signature σ' and the sanitized message m' are accepted; if the product is not 1, the verification fails and the sanitized signature σ' and the sanitized message m' are rejected.
13. The method of signature verification of a sanitizable signature as in claim 12, the method further comprising:
traversing i over the range $i \in \{1, \ldots, l\}$ and calculating $b_i = (e(X'_i, \sigma'_i) = e(Y'_i, H(i \| m'_i)))$, where
Figure FDA0002995130880000061
and taking the product of all the verification factors $b_i$,
Figure FDA0002995130880000062
if b is true, accepting the sanitized signature σ' and the sanitized message m', and otherwise rejecting the sanitized signature σ' and the sanitized message m';
where $X'_i$ and $Y'_i$ are the randomized values of the public keys X and Y of the signer S respectively,
Figure FDA0002995130880000063
Figure FDA0002995130880000064
where $X_1, X_2, Y_1, Y_2$ are respectively calculated as
Figure FDA0002995130880000066
Figure FDA0002995130880000067
$x_1, x_2, y_1$,
Figure FDA0002995130880000068
where e() is a bilinear map
Figure FDA0002995130880000069
Figure FDA00029951308800000610
is an additive cyclic group of prime order q,
Figure FDA00029951308800000611
is an additive cyclic group of prime order q,
Figure FDA00029951308800000612
is a multiplicative cyclic group of prime order q, and H() is a cryptographic hash function that takes a bit string $\{0, 1\}^*$ of arbitrary length as input and outputs an element of the group
Figure FDA00029951308800000613
.
14. A privacy protection method based on a sanitizable signature, characterized by comprising the following steps:
step 1, after a signer S obtains a given message m, generating an original signature σ and an auxiliary information ciphertext c for the given message m based on the basic attribute information of the signer S and a sanitizer Z;
step 2, after receiving the auxiliary information ciphertext c and the original signature σ of the given message m, the sanitizer Z sanitizes the auxiliary information ciphertext c based on the basic attribute information of the signer S and the sanitizer Z to generate a sanitized message m', and generates a sanitized signature σ' for the sanitized message m';
step 3, after receiving the sanitized message m' and the sanitized signature σ', the verifier V verifies the validity of the sanitized signature σ' by using a signature verification method based on the basic attribute information of the signer S and the sanitizer Z, and chooses to accept or reject the sanitized signature σ' and the sanitized message m' according to the verification result.
15. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 1 is implemented based on the sanitizable signature generation method as claimed in claims 1 to 5.
16. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 2 is implemented based on the signature sanitization method based on the sanitizable signature as claimed in claims 6 to 11.
17. The privacy protection method based on the sanitizable signature as claimed in claim 14, wherein the step 3 is implemented based on the signature verification method of the sanitizable signature as claimed in claims 12 to 13.
CN202110327338.8A 2021-03-26 2021-03-26 Method for generating, purifying and verifying cleanable signature and privacy protection method thereof Pending CN113114469A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110327338.8A CN113114469A (en) 2021-03-26 2021-03-26 Method for generating, purifying and verifying cleanable signature and privacy protection method thereof

Publications (1)

Publication Number Publication Date
CN113114469A true CN113114469A (en) 2021-07-13

Family

ID=76712351

Country Status (1)

Country Link
CN (1) CN113114469A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760069A (en) * 2022-04-12 2022-07-15 福建师范大学 Forward-safe efficient attribute-based cleanable signature system and method
CN114760069B (en) * 2022-04-12 2023-06-09 福建师范大学 Forward secure high-efficiency attribute-based cleanable signature system and method

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20210713)