CN113536378B - Traceable attribute-based purifiable signature method and system - Google Patents

Publication number
CN113536378B
CN113536378B CN202110820317.XA CN202110820317A CN113536378B CN 113536378 B CN113536378 B CN 113536378B CN 202110820317 A CN202110820317 A CN 202110820317A CN 113536378 B CN113536378 B CN 113536378B
Authority
CN
China
Prior art keywords
signature
attribute
message
outputs
purification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110820317.XA
Other languages
Chinese (zh)
Other versions
CN113536378A (en)
Inventor
李继国
朱留富
张亦辰
陈宇
康曌哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Normal University
Original Assignee
Fujian Normal University
Application filed by Fujian Normal University
Priority to CN202110820317.XA
Publication of CN113536378A
Application granted
Publication of CN113536378B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention relates to a traceable attribute-based purifiable signature method and system. The method comprises the following steps: the attribute authorization end outputs a master key, a tracking key and public parameters, and then outputs the private key of the signing end according to the master key, the public parameters, the attributes of the signing end and the identity of the signing end; the signing end inputs its attributes, its private key, the signature policy, the attributes of the purification end, the public parameters and the message, and outputs a signature and a secret value set; the purification end inputs the purifiable message index, the message, the public parameters, the signing end attributes, the purification end attributes and the secret value set sent by the signing end, and outputs the purified message and the purified signature; the verification end inputs the purified message-signature pair, the public parameters, the signing end attributes and the purification end attributes, and verifies the validity of the signature; the attribute authorization end inputs the purified message-signature pair and the tracking key, and outputs the identity of the signing end. The method and system can recover the identity of the signing end and modify the sensitive information in the signature to generate a purified signature.

Description

Traceable attribute-based purifiable (sanitizable) signature method and system

Technical Field

The present invention belongs to the field of Internet security technology, and in particular relates to a traceable attribute-based purifiable signature method and system.

Background Art

Internet technology has penetrated all walks of life and is widely used in e-health, e-government and e-finance. In these application scenarios, physical devices inevitably collect and analyze user data, including sensitive information such as the user's real identity, patients' medical and health status, and details of personal financial transfers, which inevitably raises the problem of user privacy leakage. Attribute-based signature (ABS) is an important method for solving these problems and plays an important role in privacy protection, access control and data authentication. However, in an ABS scheme, on the one hand, the attribute authorization end cannot recover the identity of the signing end when a signature is abused and so cannot expose the malicious behavior; that is, the scheme provides no traceability. On the other hand, when the sensitive information in a signature needs to be modified so as to hide it, a traditional ABS scheme cannot provide purifiability.

Summary of the Invention

The purpose of the present invention is to provide a traceable attribute-based purifiable signature method and system that can recover the identity of the signing end and modify the sensitive information in a signature to generate a purified signature.

To achieve the above purpose, the technical solution adopted by the present invention is a traceable attribute-based purifiable signature method, comprising the following steps:

Step S1: The attribute authorization end inputs the security parameter λ and outputs the master key msk, the tracking key TK and the public parameters params;

Step S2: The attribute authorization end inputs the master key msk, the public parameters params, the signing end attribute set ω_a and the signing end identity u, and outputs the signing end private key
Figure BDA0003171697160000011

Step S3: The signing end inputs the signing end attribute set ω_a, the signing end private key
Figure BDA0003171697160000012
the signature policy (ω, d, γ), the purification end attribute set ω_b, the public parameters params and the message m, and outputs the signature σ and the secret value set SI;

Step S4: The purification end inputs the purifiable message index set I_S, the message m, the public parameters params, the signature σ, the signing end attribute set ω_a, the purification end attribute set ω_b and the secret value set SI sent by the signing end, and outputs the purified message m' and the purified signature σ';

Step S5: The verification end inputs the purified message-signature pair (m', σ'), the public parameters params, the signing end attribute set ω_a and the purification end attribute set ω_b, and verifies the validity of the signature; if the signature is valid it outputs accept, otherwise it outputs reject;

Step S6: The attribute authorization end inputs the purified message-signature pair (m', σ') and the tracking key TK, and outputs the signing end identity u.

Furthermore, step S1 specifically includes the following steps:

Step S11: The attribute authorization end inputs the security parameter λ, randomly selects large primes p and q, and sets q as the tracking key, that is, TK = q; it computes n = pq such that |n| = λ; G and G_T are two multiplicative cyclic groups of order n; e: G × G → G_T is a bilinear map; G_p and G_q are the subgroups of G of order p and q respectively; the threshold value is defined as d; let
Figure BDA0003171697160000021
and i ∈ S, and define the Lagrange coefficient
Figure BDA0003171697160000022
where Z_n = {0, 1, 2, 3, …, n-1};

Step S12: The attribute authorization end randomly selects
Figure BDA0003171697160000023
and computes g_1 = g^α, where g is a generator of G,
Figure BDA0003171697160000024
Figure BDA0003171697160000025

Step S13: The attribute authorization end randomly selects an element g_2 of G, a generator h of G_q, a generator u' of G and a vector of v elements
Figure BDA0003171697160000026
where u_i is a generator of G, i ∈ {1, …, v}; the signing end identity u is represented by a binary string of length v; let u[i] denote the i-th bit of u, define
Figure BDA0003171697160000027
as the set of indices satisfying u[i] = 1, and define W(u) = u' ∏_{i∈U} u_i;

Step S14: The attribute authorization end randomly selects t_i ∈ G and defines
Figure BDA0003171697160000028
where i ∈ K, K = {1, 2, …, k, k+1}, and selects
Figure BDA0003171697160000029

Step S15: The attribute authorization end randomly selects y' ∈ Z_n and y_i, where
Figure BDA00031716971600000210
and computes w' = g^{y'},
Figure BDA00031716971600000211

Step S16: The attribute authorization end outputs the master key msk = α and the public parameters
Figure BDA00031716971600000212
Figure BDA00031716971600000213

Furthermore, step S2 specifically includes the following steps:

Step S21: The attribute authorization end inputs the master key msk = α, the public parameters
Figure BDA00031716971600000214
Figure BDA00031716971600000215
the signing end attribute set ω_a and the signing end identity u, where
Figure BDA00031716971600000216

Step S22: The attribute authorization end randomly selects s ∈ Z_n for each user u and computes D_{u,0} = g^s, D_{u,1} = h^s;

Step S23: The attribute authorization end selects a polynomial q(x) of degree d-1 satisfying q(0) = α; for i ∈ ω_a, the attribute authorization end randomly selects r_i ∈ Z_n and computes
Figure BDA0003171697160000031

Step S24: The attribute authorization end outputs the signing end private key
Figure BDA0003171697160000032

Furthermore, step S3 specifically includes the following steps:

Step S31: The signing end inputs the signing end attribute set ω_a, the signing end private key
Figure BDA0003171697160000033
the signature policy (ω, d, Υ), the purification end attribute set ω_b, the public parameters params and the message m;

Step S32: The signing end randomly selects
Figure BDA0003171697160000034
then randomly selects the default subset
Figure BDA0003171697160000035
and lets
Figure BDA0003171697160000036
where |ω'_a| ≥ d, |ω'_b| ≥ d, ω'_a ∩ Ω'_a = ∅, ω'_b ∩ Ω'_b = ∅; where Ω = {ω_1, …, ω_{d-1}} with ω_i ∈ Z_n;

Step S33: For each bit u[i] (i = 1, …, v) of the identity u, the signing end randomly selects θ_i ∈ Z_n and computes
Figure BDA0003171697160000037
Figure BDA0003171697160000038
The signing end computes:

Figure BDA0003171697160000039

Step S34: The signing end randomly selects s'_1 ∈ Z_n and sets s_1 = s + s'_1; it computes the secret values
Figure BDA00031716971600000310
where i ∈ I_S,
Figure BDA00031716971600000311
denotes the set of message indices that the signing end allows the purification end to purify; let
Figure BDA00031716971600000312
denote the secret value set, and let |I_S| denote the number of elements in the set I_S;

Step S35: For all
Figure BDA00031716971600000313
the signing end randomly selects r'_i ∈ Z_n; for all
Figure BDA00031716971600000314
the signing end randomly selects r''_i ∈ Z_n; the signing end computes:

Figure BDA00031716971600000315

Figure BDA00031716971600000316

Step S36: The signing end outputs the signature σ = (σ_0, σ_1, σ_{ai}, σ_{bi}, c, c_1, …, c_v, π_1, …, π_v).

Furthermore, step S4 specifically includes the following steps:

Step S41: The purification end inputs the purifiable message index set I_S, the message m, the public parameters params, the signature σ, the signing end attribute set ω_a, the purification end attribute set ω_b and the secret value set SI sent by the signing end;

Step S42: The purification end defines the set of message indices that need to be purified
Figure BDA00031716971600000317
and lets I_1 = {i ∈ I : m_i = 0, m'_i = 1}, I_2 = {i ∈ I : m_i = 1, m'_i = 0};

Step S43: The purification end selects a random number
Figure BDA0003171697160000041
and computes:

Figure BDA0003171697160000042

Figure BDA0003171697160000043

Step S44: The purification end outputs the purified signature σ' = (σ'_0, σ'_{ai}, σ'_{bi}, σ'_1, c, c_1, …, c_v, π_1, …, π_v).

Furthermore, step S5 specifically includes the following steps:

Step S51: The verification end inputs the purified message-signature pair (m', σ'), the public parameters params, the signing end attribute set ω_a and the purification end attribute set ω_b;

Step S52: The verification end computes:
Figure BDA0003171697160000044

Step S53: The verification end checks whether the equation
Figure BDA0003171697160000045
holds; if it holds, it outputs accept, otherwise it outputs reject.

Furthermore, step S6 specifically includes the following steps:

Step S61: The attribute authorization end inputs the purified message-signature pair (m', σ') and the tracking key q;

Step S62: For each c_i, the attribute authorization end computes (c_i)^q; if (c_i)^q = g^0, then u[i] = 0; if (c_i)^q = (u_i)^q, then u[i] = 1;

Step S63: The attribute authorization end outputs the signing end identity u.

The present invention also provides a traceable attribute-based purifiable signature system for implementing the above method, comprising:

an attribute authorization end, used to generate the master private key msk, the tracking key TK and the public parameters params; used to generate, according to the master private key msk, the public parameters params, the signing end attribute set ω_a and the signing end identity u, the signing end private key
Figure BDA0003171697160000046
and also used to determine the signing end identity u according to the signature σ and the tracking key TK;

a signing end, used to generate the signature σ and the secret value set SI according to the message m, the signature policy (ω, d, Υ), the signing end attribute set ω_a, the signing end private key
Figure BDA0003171697160000047
the purification end attribute set ω_b and the public parameters params;

a purification end, used to generate the purified message m' and the purified signature σ' according to the purifiable message index set I_S, the message m, the public parameters params, the signature σ, the signing end attribute set ω_a, the purification end attribute set ω_b and the secret value set SI sent by the signing end; and

a verification end, used to verify the validity of the signature according to the purified message-signature pair (m', σ'), the public parameters params, the signing end attribute set ω_a and the purification end attribute set ω_b.

Compared with the prior art, the present invention has the following beneficial effects: the invention is based on an attribute-based signature design in which the private key of the signing end is associated with the signing end's attributes and identity, and an access policy is embedded in the signature; if the attributes satisfy the access policy, the user can generate a valid signature. The purification end can modify the sensitive information in the signature and regenerate the signature, thereby hiding the sensitive information. In addition, when the signing end abuses a signature, the attribute authorization end can expose the malicious behavior by tracing the signer's identity. The verification end is convinced that a given signature was created by one of a group of possible users whose attributes match the access policy, so the signer's identity information is not disclosed. Therefore, the proposed method and system have strong practicality and broad application prospects in data authentication and privacy-preserving access control.

Brief Description of the Drawings

FIG. 1 is a system architecture diagram of an embodiment of the present invention.

Detailed Description

The present invention is further described below with reference to the accompanying drawings and embodiments.

It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the present application. Unless otherwise specified, all technical and scientific terms used herein have the same meanings as commonly understood by a person of ordinary skill in the art to which the present application belongs.

It should be noted that the terms used herein are only for describing specific embodiments and are not intended to limit the exemplary embodiments according to the present application. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. In addition, it should be understood that when the terms "comprise" and/or "include" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.

This embodiment provides a traceable attribute-based purifiable signature method, including the following steps:

Step S1: The attribute authorization end inputs the security parameter λ and outputs the master key msk, the tracking key TK and the public parameters params.

In this embodiment, step S1 specifically includes the following steps:

Step S11: The attribute authorization end inputs the security parameter λ, randomly selects large primes p and q, and sets q as the tracking key, that is, TK = q; it computes n = pq such that |n| = λ; G and G_T are two multiplicative cyclic groups of order n; e: G × G → G_T is a bilinear map; G_p and G_q are the subgroups of G of order p and q respectively; the threshold value is defined as d; let
Figure BDA0003171697160000051
and i ∈ S, and define the Lagrange coefficient
Figure BDA0003171697160000052
where Z_n = {0, 1, 2, 3, …, n-1}.

Step S12: The attribute authorization end randomly selects
Figure BDA0003171697160000061
and computes g_1 = g^α, where g is a generator of G,
Figure BDA0003171697160000062
Figure BDA0003171697160000063

Step S13: The attribute authorization end randomly selects an element g_2 of G, a generator h of G_q, a generator u' of G and a vector of v elements
Figure BDA0003171697160000064
where u_i is a generator of G, i ∈ {1, …, v}; the signing end identity u is represented by a binary string of length v; let u[i] denote the i-th bit of u, define
Figure BDA0003171697160000065
as the set of indices satisfying u[i] = 1, and define W(u) = u' ∏_{i∈U} u_i.

Step S14: The attribute authorization end randomly selects t_i ∈ G and defines
Figure BDA0003171697160000066
where i ∈ K, K = {1, 2, …, k, k+1}, and selects
Figure BDA0003171697160000067

Step S15: The attribute authorization end randomly selects y' ∈ Z_n and y_i, where
Figure BDA0003171697160000068
and computes w' = g^{y'},
Figure BDA0003171697160000069

Step S16: The attribute authorization end outputs the master key msk = α and the public parameters
Figure BDA00031716971600000610
Figure BDA00031716971600000611

Step S2: The attribute authorization end inputs the master key msk, the public parameters params, the signing end attribute set ω_a and the signing end identity u, and outputs the signing end private key
Figure BDA00031716971600000612

In this embodiment, step S2 specifically includes the following steps:

Step S21: The attribute authorization end inputs the master key msk = α, the public parameters
Figure BDA00031716971600000613
Figure BDA00031716971600000614
the signing end attribute set ω_a and the signing end identity u, where
Figure BDA00031716971600000615

Step S22: The attribute authorization end randomly selects s ∈ Z_n for each user u and computes D_{u,0} = g^s, D_{u,1} = h^s.

Step S23: The attribute authorization end selects a polynomial q(x) of degree d-1 satisfying q(0) = α; for i ∈ ω_a, the attribute authorization end randomly selects r_i ∈ Z_n and computes
Figure BDA00031716971600000616

Step S24: The attribute authorization end outputs the signing end private key
Figure BDA00031716971600000617
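
The threshold structure behind step S23, as an added example that is not part of the patent: a polynomial q(x) of degree d-1 over Z_n with q(0) = α is evaluated at each attribute index, and any d evaluations recover α through Lagrange coefficients at 0. The coefficient formula is the standard one (an assumption, since the patent's own definition survives only as a figure reference), the primes are small constructed values, and recovery is done directly in Z_n rather than in the exponent as a pairing-based scheme would do.

```python
import secrets
from math import gcd

# Toy parameters, constructed for illustration (real p and q are large primes).
P_TOY, Q_TOY = 1019, 1031
N = P_TOY * Q_TOY            # n = pq, the group order from step S11


def make_shares(alpha, d, attrs, n=N):
    """Evaluate a random degree d-1 polynomial q(x), q(0) = alpha, at each attribute."""
    coeffs = [alpha % n] + [secrets.randbelow(n) for _ in range(d - 1)]
    return {i: sum(c * pow(i, k, n) for k, c in enumerate(coeffs)) % n
            for i in attrs}


def lagrange_at_zero(i, subset, n=N):
    """Standard Lagrange coefficient of index i over `subset`, evaluated at x = 0."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num = num * (-j) % n
            den = den * (i - j) % n
    f = gcd(den, n)
    if f != 1:
        # Z_n is not a field: an index difference sharing a factor with n has
        # no inverse. A proper common factor would be p or q, and q is the
        # tracking key TK, so attribute indices must never collide mod p or q.
        raise ValueError(f"non-invertible denominator, gcd with n = {f}")
    return num * pow(den, -1, n) % n


def recover(shares, subset, n=N):
    """Interpolate q(0) from the shares held for the attributes in `subset`."""
    subset = list(subset)
    return sum(shares[i] * lagrange_at_zero(i, subset, n) for i in subset) % n


if __name__ == "__main__":
    alpha = secrets.randbelow(N)                  # stands in for msk = alpha
    shares = make_shares(alpha, d=3, attrs=[1, 2, 3, 4, 5])
    print("3 of 5 attributes recover alpha:", recover(shares, [1, 3, 5]) == alpha)
    print("2 of 5 attributes recover alpha:", recover(shares, [2, 4]) == alpha)
```

With d = 3, two shares interpolate a different polynomial and miss α except with negligible probability, which is the property the threshold d in the signature policy relies on.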

Step S3: The signing end inputs the signing end attribute set ω_a, the signing end private key
Figure BDA00031716971600000618
the signature policy (ω, d, γ), the purification end attribute set ω_b, the public parameters params and the message m, and outputs the signature σ and the secret value set SI.

In this embodiment, step S3 specifically includes the following steps:

Step S31: The signing end inputs the signing end attribute set ω_a, the signing end private key
Figure BDA0003171697160000071
the signature policy (ω, d, Υ), the purification end attribute set ω_b, the public parameters params and the message m.

Step S32: The signing end randomly selects
Figure BDA0003171697160000072
then randomly selects the default subset
Figure BDA0003171697160000073
and lets
Figure BDA0003171697160000074
where |ω'_a| ≥ d, |ω'_b| ≥ d, ω'_a ∩ Ω'_a = ∅, ω'_b ∩ Ω'_b = ∅; where Ω = {ω_1, …, ω_{d-1}} with ω_i ∈ Z_n.

Step S33: For each bit u[i] (i = 1, …, v) of the identity u, the signing end randomly selects θ_i ∈ Z_n and computes
Figure BDA0003171697160000075
Figure BDA0003171697160000076
The signing end computes:

Figure BDA0003171697160000077

Step S34: The signing end randomly selects s'_1 ∈ Z_n and sets s_1 = s + s'_1; it computes the secret values
Figure BDA0003171697160000078
where i ∈ I_S,
Figure BDA0003171697160000079
denotes the set of message indices that the signing end allows the purification end to purify. Let
Figure BDA00031716971600000710
denote the secret value set, and let |I_S| denote the number of elements in the set I_S.

Step S35: For all
Figure BDA00031716971600000711
the signing end randomly selects r'_i ∈ Z_n; for all
Figure BDA00031716971600000712
the signing end randomly selects r''_i ∈ Z_n; the signing end computes:

Figure BDA00031716971600000713

Figure BDA00031716971600000714

Step S36: The signing end outputs the signature σ = (σ_0, σ_1, σ_{ai}, σ_{bi}, c, c_1, …, c_v, π_1, …, π_v).

Step S4: The purification end inputs the purifiable message index set I_S, the message m, the public parameters params, the signature σ, the signing end attribute set ω_a, the purification end attribute set ω_b and the secret value set SI sent by the signing end, and outputs the purified message m' and the purified signature σ'.

In this embodiment, step S4 specifically includes the following steps:

Step S41: The purification end inputs the purifiable message index set I_S, the message m, the public parameters params, the signature σ, the signing end attribute set ω_a, the purification end attribute set ω_b and the secret value set SI sent by the signing end.

Step S42: The purification end defines the set of message indices that need to be purified
Figure BDA00031716971600000715
and lets I_1 = {i ∈ I : m_i = 0, m'_i = 1}, I_2 = {i ∈ I : m_i = 1, m'_i = 0}.

Step S43: The purification end selects a random number
Figure BDA00031716971600000716
and computes:

Figure BDA0003171697160000081

Figure BDA0003171697160000082

Step S44: The purification end outputs the purified signature σ' = (σ'_0, σ'_{ai}, σ'_{bi}, σ'_1, c, c_1, …, c_v, π_1, …, π_v).

步骤S5:验证端输入净化消息签名对(m',σ')、公开参数params、签名端属性集合ωa和净化端属性集合ωb,验证签名的有效性,如果签名有效则输出accept,否则输出reject。Step S5: The verification end inputs the purified message signature pair (m', σ'), public parameters params, the signing end attribute set ω a and the purification end attribute set ω b , verifies the validity of the signature, and outputs accept if the signature is valid, otherwise outputs reject.

在本实施例中,所述步骤S5具体包括以下步骤:In this embodiment, step S5 specifically includes the following steps:

步骤S51:验证端输入净化消息签名对(m',σ')、公开参数params、签名端属性集合ωa和净化端属性集合ωbStep S51: the verification end inputs the purified message signature pair (m', σ'), public parameters params, the signature end attribute set ω a and the purification end attribute set ω b .

Step S52: The verification end calculates:

Figure BDA0003171697160000083

Step S53: The verification end checks whether the equation
Figure BDA0003171697160000084
holds; if it holds, it outputs accept, otherwise it outputs reject.

Step S6: The attribute authorization end inputs the purified message-signature pair (m′, σ′) and the tracking key TK, and outputs the signature end identity u.

In this embodiment, step S6 specifically includes the following steps:

Step S61: The attribute authorization end inputs the purified message-signature pair (m′, σ′) and the tracking key q.

Step S62: The attribute authorization end calculates $(c_i)^q$ for each $c_i$; if $(c_i)^q = g^0$, then u[i] = 0; if $(c_i)^q = (u_i)^q$, then u[i] = 1.

Step S63: The attribute authorization end outputs the signature end identity u.
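The tracing procedure of steps S61 to S63, as an added example that is not part of the patent text. It assumes the encoding $c_i = u_i^{u[i]} h^{\theta_i}$ (the page gives the formula for $c_i$ only as a figure image) and uses the order-n subgroup of $Z_P^*$ with toy primes in place of the bilinear group; all function names are illustrative.

```python
"""Toy model of tracing step S62: recover identity bits from c_1..c_v using TK = q."""
import secrets
from math import gcd, isqrt


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, isqrt(x) + 1))


def setup(p=1009, q=1013, v=8):
    """Build a cyclic group G of order n = p*q inside Z_P^* (toy sizes, no pairing).

    Returns (params, TK). Only P, n, g, h and the u_i are public; q is the tracking key.
    """
    n = p * q
    k = 2
    while not is_prime(k * n + 1):      # find a prime P with n | P - 1
        k += 2
    P = k * n + 1
    x = 2
    while True:                         # g = x^k has order dividing n; require exactly n
        g = pow(x, k, P)
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:
            break
        x += 1
    h = pow(g, p, P)                    # order q: a generator of the subgroup G_q
    u = []
    while len(u) < v:                   # u_i = g^e with gcd(e, n) = 1 generates G
        e = secrets.randbelow(n)
        if gcd(e, n) == 1:
            u.append(pow(g, e, P))
    return {"P": P, "n": n, "g": g, "h": h, "u": u}, q


def commit_identity(params, bits):
    """ASSUMED encoding: c_i = u_i^{u[i]} * h^{theta_i}, theta_i random in Z_n."""
    P, n, h = params["P"], params["n"], params["h"]
    return [pow(u_i, b, P) * pow(h, secrets.randbelow(n), P) % P
            for u_i, b in zip(params["u"], bits)]


def trace(params, tk, commitments):
    """Step S62: raise each c_i to q; the h^{theta_i} factor vanishes since h has order q."""
    P = params["P"]
    bits = []
    for u_i, c_i in zip(params["u"], commitments):
        t = pow(c_i, tk, P)
        if t == 1:                      # (c_i)^q = g^0  ->  u[i] = 0
            bits.append(0)
        elif t == pow(u_i, tk, P):      # (c_i)^q = (u_i)^q  ->  u[i] = 1
            bits.append(1)
        else:                           # neither case: c_i does not encode a bit
            raise ValueError("malformed commitment: not an encoding of 0 or 1")
    return bits


if __name__ == "__main__":
    params, tk = setup()
    identity = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample identity u
    cs = commit_identity(params, identity)
    print("traced identity:", trace(params, tk, cs))
```

Without q the blinding factor $h^{\theta_i}$ hides each bit, which is why the tracking key must stay with the attribute authorization end only.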

As shown in FIG. 1, this embodiment further provides a traceable attribute-based purifiable signature system for the above method, including:

an attribute authorization end, used to generate the master private key msk, the tracking key TK and the public parameters params; used to generate, according to the master private key msk, the public parameters params, the signature end attribute set $\omega_a$ and the signature end identity u, the signature end private key
Figure BDA0003171697160000085
and also used to determine the signature end identity u according to the signature σ and the tracking key TK;

a signature end, used to generate the signature σ and the secret value set SI according to the message m, the signature policy (ω, d, Υ), the signature end attribute set $\omega_a$, the signature end private key
Figure BDA0003171697160000091
the purification end attribute set $\omega_b$ and the public parameters params;

a purification end, used to generate the purified message m′ and the purified signature σ′ according to the purifiable message index set $I_S$, the message m, the public parameters params, the signature σ, the signature end attribute set $\omega_a$, the purification end attribute set $\omega_b$ and the secret value set SI sent by the signature end; and

a verification end, used to verify the validity of the signature according to the purified message-signature pair (m′, σ′), the public parameters params, the signature end attribute set $\omega_a$ and the purification end attribute set $\omega_b$.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

The above is only a preferred embodiment of the present invention and does not limit the present invention in any other form. Any person skilled in the art may use the technical content disclosed above to change or modify it into an equivalent embodiment with equivalent changes. However, any simple modification, equivalent change or variation made to the above embodiment according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the protection scope of the technical solution of the present invention.

Claims (2)

1. A traceable attribute-based purifiable signature method, characterized by comprising the following steps:
Step S1: The attribute authorization end inputs the security parameter λ and outputs the master key msk, the tracking key TK and the public parameters params;
Step S2: The attribute authorization end inputs the master key msk, the public parameters params, the signature end attribute set $\omega_a$ and the signature end identity u, and outputs the signature end private key
Figure FDA0004155267300000011
Step S3: The signature end inputs the signature end attribute set $\omega_a$, the signature end private key
Figure FDA0004155267300000012
the signature policy (ω, d, γ), the purification end attribute set $\omega_b$, the public parameters params and the message m, and outputs the signature σ and the secret value set SI;
Step S4: The purification end inputs the purifiable message index set $I_S$, the message m, the public parameters params, the signature σ, the signature end attribute set $\omega_a$, the purification end attribute set $\omega_b$ and the secret value set SI sent by the signature end, and outputs the purified message m′ and the purified signature σ′;
Step S5: The verification end inputs the purified message-signature pair (m′, σ′), the public parameters params, the signature end attribute set $\omega_a$ and the purification end attribute set $\omega_b$, and verifies the validity of the signature; it outputs accept if the signature is valid, otherwise it outputs reject;
Step S6: The attribute authorization end inputs the purified message-signature pair (m′, σ′) and the tracking key TK, and outputs the signature end identity u;
The step S1 specifically includes the following steps:
Step S11: The attribute authorization end inputs the security parameter λ, randomly selects large primes p and q, and sets q as the tracking key, that is, TK = q; calculates n = pq such that |n| = λ; G and $G_T$ are two multiplicative cyclic groups of order n; $e: G \times G \to G_T$ is a bilinear map, and $G_p$, $G_q$ are the subgroups of G of order p and q respectively; defines the threshold value as d; let
Figure FDA0004155267300000013
and i ∈ S, and define the Lagrange coefficient
Figure FDA0004155267300000014
where $Z_n = \{0, 1, 2, 3, \ldots, n-1\}$;
Step S12: The attribute authorization end randomly selects
Figure FDA0004155267300000015
and calculates $g_1 = g^{\alpha}$, where g is a generator of G,
Figure FDA0004155267300000016
{1, 2, 3, ..., n-1};
Step S13: The attribute authorization end randomly selects an element $g_2$ of G, a generator h of $G_q$, a generator u′ of G, and a vector of v elements
Figure FDA00041552673000000110
where $u_i$ is a generator of G, i ∈ {1, ..., v}; the signature end identity u is represented by a binary string of length v; let u[i] denote the i-th bit of u, define
Figure FDA00041552673000000111
as the set of indexes satisfying u[i] = 1, and define
Figure FDA0004155267300000017
Step S14: The attribute authorization end randomly selects $t_i \in G$ and defines
Figure FDA0004155267300000018
where i ∈ K, K = {1, 2, ..., k, k+1}, and selects
Figure FDA0004155267300000019
Step S15: The attribute authorization end randomly selects $y' \in Z_n$ and $y_i$, where
Figure FDA0004155267300000021
i ∈ {1, ..., l}, and calculates $w' = g^{y'}$,
Figure FDA0004155267300000022
Step S16: The attribute authorization end outputs the master key msk = α and the public parameters
Figure FDA0004155267300000023
Figure FDA0004155267300000024
The step S2 specifically includes the following steps:
Step S21: The attribute authorization end inputs the master key msk = α, the public parameters
Figure FDA0004155267300000025
Figure FDA0004155267300000026
the signature end attribute set $\omega_a$ and the signature end identity u, where
Figure FDA0004155267300000027
Step S22: The attribute authorization end randomly selects $s \in Z_n$ for each user u and calculates $D_{u,0} = g^s$, $D_{u,1} = h^s$;
Step S23: The attribute authorization end selects a polynomial q(x) of degree d−1 satisfying q(0) = α; for each $i \in \omega_a$, the attribute authorization end randomly selects $r_i \in Z_n$ and calculates
Figure FDA0004155267300000028
Step S24: The attribute authorization end outputs the signature end private key
Figure FDA0004155267300000029
The step S3 specifically includes the following steps:
Step S31: The signature end inputs the signature end attribute set $\omega_a$, the signature end private key
Figure FDA00041552673000000210
the signature policy (ω, d, γ), the purification end attribute set $\omega_b$, the public parameters params and the message m;
Step S32: The signature end randomly selects
Figure FDA00041552673000000211
then randomly selects the default subset
Figure FDA00041552673000000212
and lets
Figure FDA00041552673000000213
where $|\omega'_a| \ge d$, $|\omega'_b| \ge d$, $\omega'_a \cap \Omega'_a = \emptyset$, $\omega'_b \cap \Omega'_b = \emptyset$; where $\Omega = \{\omega_1, \ldots, \omega_{d-1}\}$ with $\omega_i \in Z_n$;
Step S33: For each bit u[i] (i = 1, ..., v) of the identity u, the signature end randomly selects $\theta_i \in Z_n$ and calculates
Figure FDA00041552673000000214
Figure FDA00041552673000000215
The signature end calculates:
Figure FDA00041552673000000216
Step S34: The signature end randomly selects $s'_1 \in Z_n$ and lets $s_1 = s + s'_1$; calculates the secret value
Figure FDA00041552673000000217
where $i \in I_s$,
Figure FDA00041552673000000218
denotes the set of message indexes that the signature end allows the purification end to purify; let
Figure FDA00041552673000000219
denote the secret value set, and let $|I_s|$ denote the number of elements in the set $I_s$;
Step S35: For all
Figure FDA00041552673000000220
the signature end randomly selects $r'_i \in Z_n$; for all
Figure FDA00041552673000000221
the signature end randomly selects $r''_i \in Z_n$, and the signature end calculates:
Figure FDA0004155267300000031
Figure FDA0004155267300000032
Step S36: The signature end outputs the signature: $\sigma = (\sigma_0, \sigma_1, \sigma_{ai}, \sigma_{bi}, c, c_1, \ldots, c_v, \pi_1, \ldots, \pi_v)$;
The step S4 specifically includes the following steps:
Step S41: The purification end inputs the purifiable message index set $I_S$, the message m, the public parameters params, the signature σ, the signature end attribute set $\omega_a$, the purification end attribute set $\omega_b$ and the secret value set SI sent by the signature end;
Step S42: The purification end defines the set of message indexes that need to be purified
Figure FDA0004155267300000033
and lets $I_1 = \{i \in I : m_i = 0,\ m'_i = 1\}$ and $I_2 = \{i \in I : m_i = 1,\ m'_i = 0\}$;
Step S43: The purification end selects a random number
Figure FDA0004155267300000034
and calculates:
Figure FDA0004155267300000035
Figure FDA0004155267300000036
Step S44: The purification end outputs the purified signature: $\sigma' = (\sigma'_0, \sigma'_{ai}, \sigma'_{bi}, \sigma'_1, c, c_1, \ldots, c_v, \pi_1, \ldots, \pi_v)$;
The step S5 specifically includes the following steps:
Step S51: The verification end inputs the purified message-signature pair (m′, σ′), the public parameters params, the signature end attribute set $\omega_a$ and the purification end attribute set $\omega_b$;
Step S52: The verification end calculates:
Figure FDA0004155267300000037
Step S53: The verification end checks whether the equation
Figure FDA0004155267300000038
holds; if it holds, it outputs accept, otherwise it outputs reject;
The step S6 specifically includes the following steps:
Step S61: The attribute authorization end inputs the purified message-signature pair (m′, σ′) and the tracking key q;
Step S62: The attribute authorization end calculates $(c_i)^q$ for each $c_i$; if $(c_i)^q = g^0$, then u[i] = 0; if $(c_i)^q = (u_i)^q$, then u[i] = 1;
Step S63: The attribute authorization end outputs the signature end identity u.
2. A traceable attribute-based purifiable signature system for implementing the method of claim 1, characterized by comprising:
an attribute authorization end, used to generate the master private key msk, the tracking key TK and the public parameters params; used to generate, according to the master private key msk, the public parameters params, the signature end attribute set $\omega_a$ and the signature end identity u, the signature end private key
Figure FDA0004155267300000041
and also used to determine the signature end identity u according to the signature σ and the tracking key TK;
a signature end, used to generate the signature σ and the secret value set SI according to the message m, the signature policy (ω, d, γ), the signature end attribute set $\omega_a$, the signature end private key
Figure FDA0004155267300000042
the purification end attribute set $\omega_b$ and the public parameters params;
a purification end, used to generate the purified message m′ and the purified signature σ′ according to the purifiable message index set $I_S$, the message m, the public parameters params, the signature σ, the signature end attribute set $\omega_a$, the purification end attribute set $\omega_b$ and the secret value set SI sent by the signature end; and
a verification end, used to verify the validity of the signature according to the purified message-signature pair (m′, σ′), the public parameters params, the signature end attribute set $\omega_a$ and the purification end attribute set $\omega_b$.
CN202110820317.XA 2021-07-20 2021-07-20 Traceable attribute-based purifiable signature method and system Active CN113536378B (en)

Publications (2)

Publication Number Publication Date
CN113536378A CN113536378A (en) 2021-10-22
CN113536378B true CN113536378B (en) 2023-05-09

Family

ID=78100477

Country Status (1)

Country Link
CN (1) CN113536378B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant