CN113536378B - Traceable attribute-based cleanable signature method and system - Google Patents

Traceable attribute-based cleanable signature method and system Download PDF

Info

Publication number
CN113536378B
CN113536378B CN202110820317.XA CN202110820317A CN113536378B CN 113536378 B CN113536378 B CN 113536378B CN 202110820317 A CN202110820317 A CN 202110820317A CN 113536378 B CN113536378 B CN 113536378B
Authority
CN
China
Prior art keywords
signature
attribute
message
sigma
omega
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110820317.XA
Other languages
Chinese (zh)
Other versions
CN113536378A (en
Inventor
李继国
朱留富
张亦辰
陈宇
康曌哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Normal University
Original Assignee
Fujian Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Normal University filed Critical Fujian Normal University
Priority to CN202110820317.XA priority Critical patent/CN113536378B/en
Publication of CN113536378A publication Critical patent/CN113536378A/en
Application granted granted Critical
Publication of CN113536378B publication Critical patent/CN113536378B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a traceable attribute-based cleanable signature method and a system, wherein the method comprises the following steps: the attribute authorization terminal outputs a master key, a tracking key and a public parameter, and then outputs a private key of the signature terminal according to the master key, the public parameter, the attribute of the signature terminal and the identity of the signature terminal; the signature end inputs the attribute of the signature end, the private key of the signature end, the signature strategy, the attribute of the purifying end, the public parameters and the information, and outputs a signature and secret value set; the purifying terminal inputs the cleanup message index, the message, the public parameter, the signature terminal attribute, the purifying terminal attribute and the secret value set sent by the signature terminal, and outputs the cleanup message and the cleanup signature; the verification terminal inputs a purified message signature pair, a public parameter, a signature terminal attribute and a purification terminal attribute, and verifies the validity of the signature; the attribute authorization terminal inputs the purified message signature pair and the tracking key, and outputs the identity of the signature terminal. The method and the system can recover the identity of the signature end and modify the sensitive information in the signature to generate the purified signature.

Description

Traceable attribute-based cleanable signature method and system
Technical Field
The invention belongs to the technical field of Internet security, and particularly relates to a traceable attribute-based cleanup signature method and system.
Background
The internet technology has penetrated various industries and has wide application in electronic medical treatment, electronic government affairs and electronic finance. In these application scenarios, the physical device inevitably collects and analyzes data of the user, including the real identity of the user, the medical health status of the patient, and some sensitive data information such as personal financial transfer details, etc., and inevitably involves the problem of privacy disclosure of the user. Attribute-based signatures (ABS) are important ways to solve the above problems, and play an important role in privacy protection, access control, and data authentication. However, in the ABS scheme, on one hand, the attribute authorization terminal cannot recover the identity of the signature terminal when the signature is abused, and the malicious behavior of signature abuse is revealed, i.e. traceability cannot be provided. On the other hand, conventional ABS schemes fail to provide cleanability when modifications to the sensitive information in the signature are required to conceal the sensitive information in the signature.
Disclosure of Invention
The invention aims to provide a traceable attribute-based cleanup signature method and a traceable attribute-based cleanup signature system.
In order to achieve the above purpose, the invention adopts the following technical scheme: a traceable attribute-based cleanup signature method comprising the steps of:
step S1: the attribute authorization terminal inputs a security parameter lambda and outputs a master key msk, a tracking key TK and a public parameter params;
step S2: the attribute authorization end inputs a master key msk, public parameters params and a signature end attribute set omega a And signature end identity u, outputting signature end private key
Figure BDA0003171697160000011
Step S3: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure BDA0003171697160000012
Signature policy (ω, d, γ), purge-side attribute set ω b The public parameters params and the message m, and the signature sigma and the secret value set SI are output;
step S4: purifying end input cleanable message index setSynthesis I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end, outputting a purified message m 'and a purified signature sigma';
step S5: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b Verifying the validity of the signature, outputting an accept if the signature is valid, otherwise outputting a reject;
step S6: the attribute authorization terminal inputs the purifying message signature pair (m ', sigma') and the tracking key TK, and outputs the signature terminal identity u.
Further, the step S1 specifically includes the following steps:
step S11: the attribute authorization terminal inputs a security parameter lambda, randomly selects large prime numbers p and q, and enables q to be a tracking key, namely TK=q; calculating n=pq such that |n|=λ; g and G T Is a group of two multiplication cycles of order n; e, G is G.fwdarw.G T Is bilinear map, G p ,G q A subgroup of orders p, q, respectively G; defining a threshold value as d; is provided with
Figure BDA0003171697160000021
And i.epsilon.S, define the Lagrange coefficient
Figure BDA0003171697160000022
Wherein Z is n ={0,1,2,3,…,n-1};
Step S12: attribute authorization side random selection
Figure BDA0003171697160000023
Calculate g 1 =g α Wherein G is the generator of G, < >>
Figure BDA0003171697160000024
Figure BDA0003171697160000025
Step S13: attribute authorization side random selectionElement G in G 2 、G q Generating element u' of G and a vector of v elements
Figure BDA0003171697160000026
Wherein u is i Is the generator of G, i.e {1, …, v }; the signature end identity u is represented by a binary character string with length v, so that u [ i ]]The ith bit representing u, define +.>
Figure BDA0003171697160000027
To satisfy u [ i ]]The set of sequence numbers of =1, defining W (u) =u' pi i∈U u i
Step S14: the attribute authorization terminal randomly selects t i E G, definition
Figure BDA0003171697160000028
Where i.epsilon.K, K= {1,2, …, K, k+1}, where +.>
Figure BDA0003171697160000029
Step S15: the attribute authorization terminal randomly selects y' E Z n Y i Wherein
Figure BDA00031716971600000210
Calculate w' =g y'
Figure BDA00031716971600000211
Step S16: the attribute authorization end outputs a master key msk=alpha and public parameters
Figure BDA00031716971600000212
Figure BDA00031716971600000213
Further, the step S2 specifically includes the following steps:
step S21: the attribute authorization end inputs the master key msk=α and public parameters
Figure BDA00031716971600000214
Figure BDA00031716971600000215
Signature end attribute set omega a And a signature end identity u, wherein->
Figure BDA00031716971600000216
Step S22: the attribute authorization terminal randomly selects s epsilon Z for each user u n Calculate D u,0 =g s ,D u,1 =h s
Step S23: the attribute authorization terminal selects a d-1 degree polynomial q (x) to satisfy q (0) =alpha; for i.epsilon.omega a Attribute authority randomly selects r i ∈Z n Calculation of
Figure BDA0003171697160000031
Step S24: attribute authorization terminal outputs signature terminal private key
Figure BDA0003171697160000032
Further, the step S3 specifically includes the following steps:
step S31: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure BDA0003171697160000033
Signature strategy (omega, d, gamma), purifying end attribute set omega b The public parameters params and message m;
step S32: signature side random selection
Figure BDA0003171697160000034
Re-randomly selecting a default subset
Figure BDA0003171697160000035
Let->
Figure BDA0003171697160000036
Wherein |omega '' a |≥d,|ω' b |≥d,ω' a ∩Ω' a =φ,ω' b ∩Ω' b =Φ; wherein Ω= { ω 1 ,…,ω d-1 }, wherein omega i ∈Z n
Step S33: for each bit u [ i ] of identity u](i=1, …, v), the signature end randomly selects θ i ∈Z n Calculation of
Figure BDA0003171697160000037
Figure BDA0003171697160000038
Calculating a signature end:
Figure BDA0003171697160000039
step S34: the signature end randomly selects s' 1 ∈Z n Let s 1 =s+s' 1 The method comprises the steps of carrying out a first treatment on the surface of the Calculating secret values
Figure BDA00031716971600000310
Wherein I is E I s
Figure BDA00031716971600000311
A message index set representing that the signature end allows the purifying end to purify; let->
Figure BDA00031716971600000312
Represents a set of secret values, |I s I represents set I s The number of elements in the list;
step S35: for all of
Figure BDA00031716971600000313
The signature end randomly selects r' i ∈Z n The method comprises the steps of carrying out a first treatment on the surface of the For all->
Figure BDA00031716971600000314
Signature end random selectionTaking r' i ∈Z n And (3) calculating at a signature end:
Figure BDA00031716971600000315
Figure BDA00031716971600000316
step S36: the signature end outputs a signature: sigma= (sigma) 01aibi ,c,c 1 ,..,c v1 ,…,π v )。
Further, the step S4 specifically includes the following steps:
step S41: purification end input cleanable message index set I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end;
step S42: purifying end definition message index set needing purifying
Figure BDA00031716971600000317
Let set I 1 ={i∈I:m i =0,m’ i =1},I 2 ={i∈I:m i =1,m’ i =0};
Step S43: the purifying end selects random number
Figure BDA0003171697160000041
And (3) calculating:
Figure BDA0003171697160000042
Figure BDA0003171697160000043
step S44: the purifying end outputs a purifying signature: sigma' = (sigma)' 0 ,σ' ai ,σ' bi ,σ' 1 ,c,c 1 ,…,c v1 ,…,π v )。
Further, the step S5 specifically includes the following steps:
step S51: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b
Step S52: and (3) calculating by a verification end:
Figure BDA0003171697160000044
step S53: the verification end judges the equation:
Figure BDA0003171697160000045
if so, outputting accept if so, otherwise outputting reject.
Further, the step S6 specifically includes the following steps:
step S61: the attribute authorization end inputs a purifying message signature pair (m ', sigma') and a tracking key q;
step S62: attribute authority for each c i Calculation (c) i ) q The method comprises the steps of carrying out a first treatment on the surface of the If (c) i ) q =g 0 U [ i ]]=0; if (c) i ) q =(u i ) q U [ i ]]=1;
Step S63: the attribute authorization terminal outputs the signature terminal identity u.
The invention also provides a traceable attribute-based cleanup signature system for implementing the method, which comprises the following steps:
the attribute authorization terminal is used for generating a main private key msk, a tracking key TK and a public parameter params; for signing end attribute set omega according to main private key msk, public parameter params a And signature end identity u, generating a private key of the signature end
Figure BDA0003171697160000046
The method is also used for determining the identity u of the signature end according to the signature sigma and the tracking key TK;
a signature end for signing policy (omega, d, gamma) according to message m, signature end attribute set omega a Private key at signature end
Figure BDA0003171697160000047
Purifying end attribute set omega b And the public parameter params, generating signature sigma and secret value set SI;
a purifying end for indexing the set I according to the cleanable message S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end, generating a purified message m 'and a purified signature sigma'; and
a verification end for signing the pair (m ', sigma'), the public parameter params and the signature end attribute set omega according to the purified message a And a purge-side property set omega b The validity of the signature is verified.
Compared with the prior art, the invention has the following beneficial effects: the invention is designed based on the attribute base signature, the private key of the signature end is associated with the attribute and the identity of the signature end, the access strategy is embedded in the signature, and if the attribute meets the access strategy, the user can generate an effective signature; the purification end can modify the sensitive information in the signature to regenerate the signature so as to realize the hiding of the sensitive information. In addition, when the signature end misuses the signature, the attribute authority end can reveal malicious behaviors by tracking the identity of the signer. The verifying end is confident that a particular signature is created by a set of possible users whose attributes match the access policy so that the identity information of the signer is not revealed. Therefore, the method and the system have strong practicability and wide application prospect in data authentication and privacy protection access control.
Drawings
FIG. 1 is a system architecture diagram in an embodiment of the invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the present application. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the present application. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
The embodiment provides a traceable attribute-based cleanup signature method, which comprises the following steps:
step S1: the attribute authorization terminal inputs the security parameter lambda and outputs the master key msk, the tracking key TK and the public parameter params.
In this embodiment, the step S1 specifically includes the following steps:
step S11: the attribute authorization terminal inputs a security parameter lambda, randomly selects large prime numbers p and q, and enables q to be a tracking key, namely TK=q; calculating n=pq such that |n|=λ; g and G T Is a group of two multiplication cycles of order n; e, G is G.fwdarw.G T Is bilinear map, G p ,G q A subgroup of orders p, q, respectively G; defining a threshold value as d; is provided with
Figure BDA0003171697160000051
And i.epsilon.S, define the Lagrange coefficient
Figure BDA0003171697160000052
Wherein Z is n ={0,1,2,3,…,n-1}。/>
Step S12: attribute authorization side random selection
Figure BDA0003171697160000061
Calculate g 1 =g α Wherein G is the generator of G, < >>
Figure BDA0003171697160000062
Figure BDA0003171697160000063
Step S13: the attribute authorization terminal randomly selects an element G in G 2 、G q Generating element u' of G and a vector of v elements
Figure BDA0003171697160000064
Wherein u is i Is the generator of G, i.e {1, …, v }; the signature end identity u is represented by a binary character string with length v, so that u [ i ]]The ith bit representing u, define +.>
Figure BDA0003171697160000065
To satisfy u [ i ]]The set of sequence numbers of =1 defines W (u) =u' Γ i∈U u i
Step S14: the attribute authorization terminal randomly selects t i E G, definition
Figure BDA0003171697160000066
Where i.epsilon.K, K= {1,2, …, K, k+1}, where +.>
Figure BDA0003171697160000067
Step S15: the attribute authorization terminal randomly selects y' E Z n Y i Wherein
Figure BDA0003171697160000068
Calculate w' =g y’
Figure BDA0003171697160000069
Step S16: the attribute authorization end outputs a master key msk=alpha and public parameters
Figure BDA00031716971600000610
Figure BDA00031716971600000611
Step S2: the attribute authorization end inputs a master key msk, public parameters params and a signature end attribute set omega a And signature end identity u, outputting signature end private key
Figure BDA00031716971600000612
In this embodiment, the step S2 specifically includes the following steps:
step S21: the attribute authorization end inputs the master key msk=α and public parameters
Figure BDA00031716971600000613
Figure BDA00031716971600000614
Signature end attribute set omega a And a signature end identity u, wherein->
Figure BDA00031716971600000615
Step S22: the attribute authorization terminal randomly selects s epsilon Z for each user u n Calculate D u,0 =g s ,D u,1 =h s
Step S23: the attribute authorization terminal selects a d-1 degree polynomial q (x) to satisfy q (0) =alpha; for i.epsilon.omega a Attribute authority randomly selects r i ∈Z n Calculation of
Figure BDA00031716971600000616
Step S24: attribute authorization terminal outputs signature terminal private key
Figure BDA00031716971600000617
Step S3: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure BDA00031716971600000618
Signature policy (ω, d, γ), purge-side attribute set ω b The public parameters params and the message m, the signature sigma and the secret value set SI are output.
In this embodiment, the step S3 specifically includes the following steps:
step S31: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure BDA0003171697160000071
Signature strategy (omega, d, gamma), purifying end attribute set omega b The public parameters params and message m.
Step S32: signature side random selection
Figure BDA0003171697160000072
Re-randomly selecting a default subset
Figure BDA0003171697160000073
Let->
Figure BDA0003171697160000074
Wherein |omega '' a |≥d,|ω' b |≥d,ω' a ∩Ω' a =φ,ω' b ∩Ω' b =Φ; wherein Ω= { ω 1 ,…,ω d-1 }, wherein omega i ∈Z n
Step S33: for each bit u [ i ] of identity u](i=1, …, v), the signature end randomly selects θ i ∈Z n Calculation of
Figure BDA0003171697160000075
Figure BDA0003171697160000076
Calculating a signature end: />
Figure BDA0003171697160000077
Step S34: the signature end randomly selects s' 1 ∈Z n Let s 1 =s+s′ 1 The method comprises the steps of carrying out a first treatment on the surface of the Calculating secret values
Figure BDA0003171697160000078
Wherein I is E I s
Figure BDA0003171697160000079
Representing a set of message indexes that the signing side allows the cleansing side to cleanse. Let->
Figure BDA00031716971600000710
Represents a set of secret values, |I s I represents set I s The number of elements in the list.
Step S35: for all of
Figure BDA00031716971600000711
The signature end randomly selects r' i ∈Z n The method comprises the steps of carrying out a first treatment on the surface of the For all->
Figure BDA00031716971600000712
The signature end randomly selects r i ∈Z n And (3) calculating at a signature end:
Figure BDA00031716971600000713
Figure BDA00031716971600000714
step S36: the signature end outputs a signature: sigma= (sigma) 01aibi ,c,c 1 ,..,c v1 ,…,π v )。
Step S4: purification end input cleanable message index set I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And the secret value set SI sent by the signature end outputs a purified message m 'and a purified signature sigma'.
In this embodiment, the step S4 specifically includes the following steps:
step S41: purification end input cleanable message index set I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end.
Step S42: purifying end definition message index set needing purifying
Figure BDA00031716971600000715
Let set I 1 ={i∈I:m i =0,m’ i =1},I 2 ={i∈I:m i =1,m’ i =0}。
Step S43: the purifying end selects random number
Figure BDA00031716971600000716
And (3) calculating:
Figure BDA0003171697160000081
Figure BDA0003171697160000082
step S44: the purifying end outputs a purifying signature: sigma '= (sigma' 0 ,σ' ai ,σ' bi ,σ' 1 ,c,c 1 ,…,c v1 ,…,π v )。
Step S5: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b Verifying the validity of the signature, outputting accept if the signature is valid, and outputting reject otherwise.
In this embodiment, the step S5 specifically includes the following steps:
step S51: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b
Step S52: and (3) calculating by a verification end:
Figure BDA0003171697160000083
step S53: the verification end judges the equation:
Figure BDA0003171697160000084
if so, outputting accept if so, otherwise outputting reject.
Step S6: the attribute authorization terminal inputs the purifying message signature pair (m ', sigma') and the tracking key TK, and outputs the signature terminal identity u.
In this embodiment, the step S6 specifically includes the following steps:
step S61: the attribute authority inputs the purge message signature pair (m ', σ') and the tracking key q.
Step S62: attribute authority for each c i Calculation (c) i ) q The method comprises the steps of carrying out a first treatment on the surface of the If (c) i ) q =g 0 U [ i ]]=0; if (c) i ) q =(u i ) q U [ i ]]=1。
Step S63: the attribute authorization terminal outputs the signature terminal identity u.
As shown in fig. 1, the present embodiment further provides a traceable attribute-based cleanup signature system for the above method, including:
the attribute authorization terminal is used for generating a main private key msk, a tracking key TK and a public parameter params; for signing end attribute set omega according to main private key msk, public parameter params a And signature end identity u, generating a private key of the signature end
Figure BDA0003171697160000085
The method is also used for determining the identity u of the signature end according to the signature sigma and the tracking key TK;
a signature end for signing policy (omega, d, gamma) according to message m, signature end attribute set omega a Private key at signature end
Figure BDA0003171697160000091
Purifying end attribute set omega b And the public parameter params, generating signature sigma and secret value set SI;
a purifying end for indexing the set I according to the cleanable message S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end, generating a purified message m 'and a purified signature sigma'; and
a verification end for signing the pair (m ', sigma'), the public parameter params and the signature end attribute set omega according to the purified message a And a purge-side property set omega b The validity of the signature is verified.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the invention in any way, and any person skilled in the art may make modifications or alterations to the disclosed technical content to the equivalent embodiments. However, any simple modification, equivalent variation and variation of the above embodiments according to the technical substance of the present invention still fall within the protection scope of the technical solution of the present invention.

Claims (2)

1. A traceable attribute-based cleanup signature method comprising the steps of:
step S1: the attribute authorization terminal inputs a security parameter lambda and outputs a master key msk, a tracking key TK and a public parameter params;
step S2: the attribute authorization end inputs a master key msk, public parameters params and a signature end attribute set omega a And signature end identity u, outputting signature end private key
Figure FDA0004155267300000011
Step S3: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure FDA0004155267300000012
Signature strategy (ω, d, γ), netTerminal attribute set omega b The public parameters params and the message m, and the signature sigma and the secret value set SI are output;
step S4: purification end input cleanable message index set I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end, outputting a purified message m 'and a purified signature sigma';
step S5: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b Verifying the validity of the signature, outputting an accept if the signature is valid, otherwise outputting a reject;
step S6: the attribute authorization terminal inputs a purifying message signature pair (m ', sigma') and a tracking key TK, and outputs a signature terminal identity u;
the step S1 specifically comprises the following steps:
step S11: the attribute authorization terminal inputs a security parameter lambda, randomly selects large prime numbers p and q, and enables q to be a tracking key, namely TK=q; calculating n=pq such that |n|=λ; g and G T Is a group of two multiplication cycles of order n; e: g is G.fwdarw.G T Is bilinear map, G p ,G q A subgroup of orders p, q, respectively G; defining a threshold value as d; is provided with
Figure FDA0004155267300000013
And i.epsilon.S, define the Lagrange coefficient
Figure FDA0004155267300000014
Wherein Z is n ={0,1,2,3,...,n-1};
Step S12: attribute authorization side random selection
Figure FDA0004155267300000015
Calculate g 1 =g α Wherein G is the generator of G, < >>
Figure FDA0004155267300000016
{1,2,3,...,n-1};
Step S13: the attribute authorization terminal randomly selects an element G in G 2 、G q Generating element u' of G and a vector of v elements
Figure FDA00041552673000000110
Wherein u is i Is the generator of G, i.e { 1.,. V }; the signature end identity u is represented by a binary character string with length v, so that u [ i ]]The ith bit representing u, define +.>
Figure FDA00041552673000000111
To satisfy u [ i ]]Set of sequence numbers of =1, definition
Figure FDA0004155267300000017
Step S14: the attribute authorization terminal randomly selects t i E G, definition
Figure FDA0004155267300000018
Where i e K, k= {1,2,..k, k+1}, where +.>
Figure FDA0004155267300000019
Step S15: the attribute authorization terminal randomly selects y' E Z n Y i Wherein
Figure FDA0004155267300000021
i e {1,.. y′
Figure FDA0004155267300000022
Step S16: the attribute authorization end outputs a master key msk=alpha and public parameters
Figure FDA0004155267300000023
Figure FDA0004155267300000024
The step S2 specifically includes the following steps:
step S21: the attribute authorization end inputs the master key msk=α and public parameters
Figure FDA0004155267300000025
Figure FDA0004155267300000026
Signature end attribute set omega a And a signature end identity u, wherein->
Figure FDA0004155267300000027
Step S22: the attribute authorization terminal randomly selects s epsilon Z for each user u n Calculate D u,0 =g s ,D u,1 =h s
Step S23: the attribute authorization terminal selects a d-1 degree polynomial q (x) to satisfy q (0) =alpha; for i.epsilon.omega a Attribute authority randomly selects r i ∈Z n Calculation of
Figure FDA0004155267300000028
Step S24: attribute authorization terminal outputs signature terminal private key
Figure FDA0004155267300000029
The step S3 specifically comprises the following steps:
step S31: the signature end inputs the attribute set omega of the signature end a Private key at signature end
Figure FDA00041552673000000210
Signature policy (ω, d, γ), purge-side attribute set ω b The public parameters params and message m;
step S32: signature side random selection
Figure FDA00041552673000000211
Selecting the default subset +.>
Figure FDA00041552673000000212
Order the
Figure FDA00041552673000000213
Wherein |omega '' a |≥d,|ω′ b |≥d,ω′ a ∩Ω′ a =φ,ω′ b ∩Ω′ b =Φ; wherein Ω= { ω 1 ,...,ω d-1 }, wherein omega i ∈Z n
Step S33: for each bit u [ i ] of identity u](i=1,., v) the signature end randomly chooses θ i ∈Z n Calculation of
Figure FDA00041552673000000214
Figure FDA00041552673000000215
Calculating a signature end:
Figure FDA00041552673000000216
step S34: the signature end randomly selects s' 1 ∈Z n Let s 1 =s+s′ 1 The method comprises the steps of carrying out a first treatment on the surface of the Calculating secret values
Figure FDA00041552673000000217
Wherein I is E I s
Figure FDA00041552673000000218
A message index set representing that the signature end allows the purifying end to purify; let->
Figure FDA00041552673000000219
Represents a set of secret values, |I s I represents set I s The number of elements in the list;
step S35: for all of
Figure FDA00041552673000000220
The signature end randomly selects r' i ∈Z n The method comprises the steps of carrying out a first treatment on the surface of the For all->
Figure FDA00041552673000000221
The signature end randomly selects r i ∈Z n And (3) calculating at a signature end:
Figure FDA0004155267300000031
Figure FDA0004155267300000032
step S36: the signature end outputs a signature: sigma= (sigma) 0 ,σ 1 ,σ ai ,σ bi ,c,c 1 ,..,c v ,π 1 ,...,π v );
The step S4 specifically includes the following steps:
step S41: purification end input cleanable message index set I S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end;
step S42: purifying end definition message index set needing purifying
Figure FDA0004155267300000033
Let set I 1 ={i∈I:m i =0,m′ i =1},I 2 ={i∈I:m i =1,m′ i =0};
Step S43: purification ofTerminal selection random number
Figure FDA0004155267300000034
And (3) calculating:
Figure FDA0004155267300000035
Figure FDA0004155267300000036
step S44: the purifying end outputs a purifying signature: sigma '= (sigma' 0 ,σ′ ai ,σ′ bi ,σ′ 1 ,c,c 1 ,...,c v ,π 1 ,...,π v );
The step S5 specifically includes the following steps:
step S51: the verification end inputs the signature pair (m ', sigma') of the purified message, public parameters params and signature end attribute set omega a And a purge-side property set omega b
Step S52: and (3) calculating by a verification end:
Figure FDA0004155267300000037
step S53: the verification end judges the equation:
Figure FDA0004155267300000038
whether the answer is met or not, if yes, outputting an accept, otherwise outputting a reject;
the step S6 specifically includes the following steps:
step S61: the attribute authorization end inputs a purifying message signature pair (m ', sigma') and a tracking key q;
step S62: attribute authority for each c i Calculation (c) i ) q The method comprises the steps of carrying out a first treatment on the surface of the If (c) i ) q =g 0 U [ i ]]=0; if (c) i ) q =(u i ) q U [ i ]]=1;
Step S63: the attribute authorization terminal outputs the signature terminal identity u.
2. A traceable attribute-based cleanup signature system for implementing the method of claim 1, comprising:
the attribute authorization terminal is used for generating a main private key msk, a tracking key TK and a public parameter params; for signing end attribute set omega according to main private key msk, public parameter params a And signature end identity u, generating a private key of the signature end
Figure FDA0004155267300000041
The method is also used for determining the identity u of the signature end according to the signature sigma and the tracking key TK;
a signature end for signing the message m, the signature strategy (omega, d, gamma) and the attribute set omega of the signature end a Private key at signature end
Figure FDA0004155267300000042
Purifying end attribute set omega b And the public parameter params, generating signature sigma and secret value set SI;
a purifying end for indexing the set I according to the cleanable message S Message m, common parameter params, signature sigma, signature end attribute set omega a Purification end attribute set omega b And a secret value set SI sent by the signature end, generating a purified message m 'and a purified signature sigma'; and
a verification end for signing the pair (m ', sigma'), the public parameter params and the signature end attribute set omega according to the purified message a And a purge-side property set omega b The validity of the signature is verified.
CN202110820317.XA 2021-07-20 2021-07-20 Traceable attribute-based cleanable signature method and system Active CN113536378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110820317.XA CN113536378B (en) 2021-07-20 2021-07-20 Traceable attribute-based cleanable signature method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110820317.XA CN113536378B (en) 2021-07-20 2021-07-20 Traceable attribute-based cleanable signature method and system

Publications (2)

Publication Number Publication Date
CN113536378A CN113536378A (en) 2021-10-22
CN113536378B true CN113536378B (en) 2023-05-09

Family

ID=78100477

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110820317.XA Active CN113536378B (en) 2021-07-20 2021-07-20 Traceable attribute-based cleanable signature method and system

Country Status (1)

Country Link
CN (1) CN113536378B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760069B (en) * 2022-04-12 2023-06-09 福建师范大学 Forward secure high-efficiency attribute-based cleanable signature system and method
CN115174105A (en) * 2022-06-29 2022-10-11 福建师范大学 Attribute-based cleanable signature method and system with server-assisted verification
CN115174239B (en) * 2022-07-14 2023-05-05 福建师范大学 Traceable and forward secure attribute-based signature system and method with fixed length

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
WO2019214942A1 (en) * 2018-05-10 2019-11-14 Telecom Italia S.P.A. Protecting signaling messages in hop-by-hop network communication link
CN111447209A (en) * 2020-03-24 2020-07-24 西南交通大学 Black box traceable ciphertext policy attribute-based encryption method
CN112765650A (en) * 2021-01-05 2021-05-07 西安电子科技大学 Attribute-based searchable encryption block chain medical data sharing method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11030317B2 (en) * 2018-12-11 2021-06-08 Intel Corporation Independently recoverable security for processor and peripheral communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019214942A1 (en) * 2018-05-10 2019-11-14 Telecom Italia S.P.A. Protecting signaling messages in hop-by-hop network communication link
CN110113156A (en) * 2019-04-30 2019-08-09 福建师范大学 A kind of traceable layering authorizes ciphertext policy ABE base authentication method more
CN111447209A (en) * 2020-03-24 2020-07-24 西南交通大学 Black box traceable ciphertext policy attribute-based encryption method
CN112765650A (en) * 2021-01-05 2021-05-07 西安电子科技大学 Attribute-based searchable encryption block chain medical data sharing method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Traceable attribute-based signature;Ke Gu 等;《Journal of Information Security and Applications》;全文 *
一个可追踪身份的基于属性签名方案;张秋璞;徐震;叶顶锋;;软件学报(第09期);全文 *

Also Published As

Publication number Publication date
CN113536378A (en) 2021-10-22

Similar Documents

Publication Publication Date Title
CN113536378B (en) Traceable attribute-based cleanable signature method and system
CN110113156B (en) Traceable hierarchical multi-authorization ciphertext policy attribute-based authentication method
Singh et al. A novel credential protocol for protecting personal attributes in blockchain
CN113554436B (en) User identity anonymizing method, tracking method and system of blockchain system
US20230254136A1 (en) Apparatus and methods for validating user data
CN115174104A (en) Attribute-based online/offline signature method and system based on secret SM9
CN114760069B (en) Forward secure high-efficiency attribute-based cleanable signature system and method
CN113438085B (en) Efficient attribute-based server auxiliary signature verification method and system
CN111404685B (en) Attribute-based signature method and system
Amounas Elliptic curve digital signature algorithm using Boolean permutation based ECC
CN114697019B (en) User account privacy protection method and system
CN116015673A (en) Electronic medical record safe sharing method and system based on limited cleanable signature
CN113792282B (en) Identity data verification method and device, computer equipment and storage medium
CN113630254B (en) ECDSA-based generalized assignment verifier signature proving method and system
Patarin et al. Ultra-short multivariate public key signatures
CN115174105A (en) Attribute-based cleanable signature method and system with server-assisted verification
CN112631552B (en) Random number generation and regeneration method based on non-uniform random source and electronic device
CN115189889A (en) Attribute-based cleanable signature method and system with strongly-specified verifier
CN113849861A (en) Proxy digital signature method based on elliptic curve
CN114172654B (en) Distributed attribute-based server assisted signature system and method
CN115174239B (en) Traceable and forward secure attribute-based signature system and method with fixed length
Saritha Block chain authentication using elliptic curve digital signature algorithm
CN113919008B (en) Traceable attribute-based signature method and system with fixed signature length
CN113343277B (en) Safe and efficient entrusted privacy data category prediction method
Chilakala et al. Advanced Hill Cipher Hybrid Cryptography Model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant