CN113972987A - Identity-based multiple signature method based on sub-grouping - Google Patents


Info

Publication number: CN113972987A
Application number: CN202111261478.6A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN113972987B (en)
Legal status: Granted (active)
Inventors: 王志伟, 田陈
Current assignee: Nanjing University of Posts and Telecommunications
Original assignee: Nanjing University of Posts and Telecommunications
Prior art keywords: group, signature, sub, signatures, members
Events: application CN202111261478.6A filed by Nanjing University of Posts and Telecommunications; publication of CN113972987A; application granted; publication of CN113972987B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 (under H04L9/32) involving digital signatures
    • H04L9/3236 (under H04L9/32) using cryptographic hash functions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an identity-based multi-signature method based on sub-groups, comprising the following steps. First, a group administrator uses the group private key to generate, for each group member in the signer group, a member private key corresponding to that member's identity, and computes a group public key that contains a group tag. Second, after a signing sub-group is selected, the members of the sub-group sign the same message on behalf of the whole group. After all members of the sub-group have signed, they send their member signatures to the group administrator, who verifies the correctness of each received signature before deciding whether to aggregate them into a multi-signature: if every member signature is legal, the signatures are aggregated, otherwise signing fails. Once the multi-signature has been generated, any entity can verify its validity. The invention simplifies the authentication process during multi-signature aggregation, improves the robustness of the multi-signature in adversarial application scenarios of consensus mechanisms, and enhances security in practical applications.

Description

Identity-based multiple signature method based on sub-grouping
Technical Field
The invention provides an identity-based multiple signature method based on sub-grouping, belonging to the field of information security.
Background
With the rapid development of computer and information technology, electronic commerce and blockchain applications continue to deepen, and digital signatures are widely used in application scenarios such as electronic wallets and consensus mechanisms. In related fields such as blockchain, the efficiency of constructing a secure electronic ledger and the efficiency of signature verification are tied to economic benefits; at the same time, a centralized anonymous consensus mechanism also requires resistance to the problem of signatures on maliciously forged messages. To ensure the security of electronic transactions, improved multiple digital signatures play an increasingly important role in verifying the signing entity, transaction integrity, and so on.
However, in practical applications, schemes built on a public key infrastructure spend additional resources on certificate management; for example, operating a public certificate server that issues revocation certificates is relatively complicated and tedious in practice. Introducing identity-based signatures to construct the multiple signature scheme reduces the related storage space and improves verification efficiency. Meanwhile, conventional multiple signature schemes assume by default that the entities participating in signing are honest, so in practice it is difficult for such schemes to guarantee the validity of the signature in application scenarios where forged signatures must be resisted. To enhance the robustness of multiple signatures, the scheme should add a step that verifies each signing entity before the aggregated signature is generated.
To address these problems, and in order to improve the efficiency of electronic transactions and protect the security of electronic assets, the multiple digital signature is combined with identity-based digital signatures to simplify the entity authentication process, a random signing sub-group is selected to generate the multiple signature on behalf of the whole group, and verification before signature aggregation is added, so that the robustness of the multiple signature is improved.
Disclosure of Invention
The purpose of the invention is as follows: in order to solve the problem that conventional schemes find it difficult to guarantee the required security in adversarial application scenarios, and to simplify the identity authentication process for signing group members, the invention provides an identity-based multi-signature method based on sub-groups that improves both security and authentication efficiency.
The technical scheme is as follows: in order to achieve this purpose, the invention adopts the following technical scheme:
an identity-based multiple signature method based on sub-groups, as shown in fig. 1, comprising the steps of:
step 1: initialize the system parameters; the group manager generates a master public/private key pair;
step 2: the group members send their identities to the group manager, and the group manager generates a private key for each group member in turn;
step 3: the group administrator computes a group tag from the set of group member public keys, and the set of member public keys together with the group tag form the group public key;
step 4: the group administrator selects the signing sub-group and publishes the sub-group set; each member of the sub-group generates a signature and sends it to the group administrator;
step 5: the group administrator verifies the signatures received from the sub-group members in step 4; if any signature is illegal, return to step 3;
step 6: if all the signatures received by the group administrator in step 5 are legal, the group administrator aggregates the member signatures into a multiple signature;
step 7: any entity inside or outside the group verifies the correctness of the multiple signature.
Further, step 1 specifically comprises:
step 1.1: let $G_1$ be an additive cyclic group of prime order $q$ and $G_2$ a multiplicative cyclic group of prime order $q$. Given a security parameter $n$, let Gen be a parameter generation algorithm; Gen$(n)$ generates $(q, g, G_1, G_2)$, where $(G_1, G_2)$ is a bilinear group pair of prime order $q$, the bilinear map $e: G_1 \times G_1 \to G_2$ maps from $G_1$ to $G_2$, and $g$ is a generator of $G_1$. The 4 secure hash functions are $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$, $H_3: \{0,1\}^* \to G_1$ and $H_4: \{0,1\}^* \to \mathbb{Z}_q^*$, where $\mathbb{Z}_q$ denotes the set $\{0, 1, 2, \ldots, q-1\}$ and $\mathbb{Z}_q^*$ denotes the set $\{1, 2, \ldots, q-1\}$; $H_1: \{0,1\}^* \to G_1$ means that a value in $\{0,1\}^*$ is mapped through $H_1$ to a value in the group $G_1$. The system parameters are published to all group members;
step 1.2: the group administrator randomly selects a secret exponent $x$ as the master private key and computes the master public key $y = g^x$.
Further, step 2 specifically comprises:
step 2.1: each group member sends its own identity $ID_i$ to the group administrator acting as PKG (private key generator);
step 2.2: the group administrator PKG computes the hash value $pk_i = H_1(ID_i)$, computes $d_{ID_i} = pk_i^{x}$, and returns it to the corresponding group member.
Further, step 3 specifically comprises:
step 3.1: the group administrator creates the set $ID_G$, adds the identities of all group members to it, and maintains the public key list corresponding to the identity set $ID_G$ (one $pk_i$ per identity; the list notation is given as an image in the source);
step 3.2: the group administrator hashes the identity set $ID_G$ to obtain $gtag = H_4(ID_G)$; the computed hash value $gtag$ becomes the identification tag of the group;
step 3.3: the public key set is combined with the group tag $gtag$ to obtain the group public key $gpk = (gtag, ID_G)$, which is published to the group members.
Further, step 4 specifically comprises:
step 4.1: before the message $m$ is signed, the group administrator determines a member subset $J$ containing the identities $ID$ of the members that sign on behalf of the whole group, and publishes $J$ within the group;
step 4.2: the members whose $ID$ is in the subset $J$ each sign the message $m$, each selecting its own random number $r_j$;
step 4.3: each participating member hashes $gtag$ and $m$ to obtain $H_3(gtag, m)$, and then computes the two signature components (their formulas are given as images in the source and are not reproduced here) from $gtag$, the group tag value, $m$, the message to be signed, $r_j$, the random number selected by the member, $d_{ID_j}$, the member's private key, and $g$, the generator of the group $G_1$;
step 4.4: the signature generated by each participating group member consists of 2 parts, i.e. the signature value $S_j = (U_j, V_j)$ in the notation used in the security proof; after generating $S_j$, the group member sends $S_j$ to the PKG (the group administrator).
Further, step 5 specifically comprises:
step 5.1: the group administrator verifies each received member signature: it hashes $gtag$ and $m$ to obtain $H_3(gtag, m)$, and then computes the values of 3 bilinear pairings, namely $e(y, pk_j)$ and two further pairings involving the signature components (given as images in the source), where $U_j$ and $V_j$ are the components of the member signature $S_j$ and $y$ is the public key of the group administrator ($j \in \{0, 1, 2, \ldots, n\}$, $n$ being the number of members in $J$);
step 5.2: compare the two pairing values (given as images in the source) for equality; if they are equal, the member signature $S_j$ is a valid signature, otherwise it is an illegal signature;
step 5.3: when an illegal member signature appears, return to step 3.1 and re-determine the signing sub-group.
Further, step 6 specifically comprises:
step 6.1: if every member signature verifies as valid, the group administrator PKG aggregates the received member signatures;
step 6.2: hash $(ID_j, J, ID_G)$ to obtain the hash value $a_j = H_2(ID_j, J, ID_G)$ ($j \in \{0, 1, 2, \ldots, n\}$, $n$ being the number of members in $J$);
step 6.3: compute $\sigma_1$ and $\sigma_2$ (their aggregation formulas are given as images in the source);
step 6.4: the aggregated multiple signature consists of 2 parts, i.e. $\sigma = (\sigma_1, \sigma_2)$.
Further, step 7 specifically comprises:
step 7.1: to verify the correctness of the multiple signature, first hash $(ID_j, J, ID_G)$ to obtain the hash value $a_j = H_2(ID_j, J, ID_G)$ ($j \in \{0, 1, 2, \ldots, n\}$, $n$ being the number of members in $J$), and then compute the aggregate public key $apk$ (formula given as an image in the source);
step 7.2: hash $gtag$ and $m$ to obtain $H_3(gtag, m)$, and then compute the 3 bilinear pairings $e(g, \sigma_1)$, $e(y, apk)$ and $e(\sigma_2, H_3(gtag, m))$, where $\sigma_1$ and $\sigma_2$ are the components of the multiple signature $\sigma$ and $y$ is the public key of the group administrator;
step 7.3: compare $e(g, \sigma_1)$ with $e(y, apk) \cdot e(\sigma_2, H_3(gtag, m))$; if they are equal, the multiple signature $\sigma = (\sigma_1, \sigma_2)$ is a valid signature, otherwise it is an illegal signature.
Advantages: the invention provides an identity-based multi-signature method based on sub-groups; the multiple digital signature adopted is an identity-based digital signature combined with a simplified entity authentication process, a random signing sub-group is selected to generate the multi-signature on behalf of the whole group, and verification before signature aggregation is added, so that the robustness of the multi-signature is improved, the efficiency of electronic transactions is enhanced, and the security of electronic assets is protected.
Drawings
FIG. 1 is a schematic diagram of the algorithm flow of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples, but the present invention is not limited thereto.
The identity-based multiple signature method based on sub-groups provided by the invention comprises three phases: a key preparation phase, a signature generation phase and a signature verification phase. The present embodiment involves three entities: a group administrator, group members and a verifier.
Group administrator: sets the system parameters; generates private keys for the group members; computes the group tag and group public key; determines the member subset that generates each multiple signature; verifies the member signatures after the participating group members have signed; and aggregates the member signatures into a multiple signature if all of them are legal.
Group members: produce their respective signatures; each sends its identity $ID_i$ to the group administrator to obtain its private key, decides whether it participates in signing according to the sub-group set determined by the group administrator, and if so generates a signature with its private key and sends it to the group administrator.
Verifier: verifies the signature; the verifier can be any entity inside or outside the group, and after computing the aggregate public key $apk$ it computes the related bilinear pairing values to verify the validity of the multiple signature.
In the identity-based multiple signature method based on sub-groups, $G_1$ is an additive cyclic group of prime order $q$ with generator $g \in G_1$, and $G_2$ is a multiplicative cyclic group of prime order $q$. The security parameter is $n = |q|$, and the bilinear map $e: G_1 \times G_1 \to G_2$ maps from $G_1$ to $G_2$. Let $H_1$ and $H_3$ be two cryptographic hash functions mapping $\{0,1\}^*$ to $G_1$, and $H_2$ and $H_4$ two cryptographic hash functions mapping $\{0,1\}^*$ to $\mathbb{Z}_q^*$. The published system parameter set is $Params = \{q, g, G_1, G_2, e, H_1, H_2, H_3, H_4\}$. Let the group member set be $U = \{u_1, u_2, \ldots, u_n\}$, where $n$ is the number of group members and $n \ge 2$, and let the corresponding identity list $ID_G = \{ID_1, ID_2, \ldots, ID_n\}$ be maintained by the group administrator. Jointly signing a message $m \in \{0,1\}^*$ comprises the following phases:
(1) Key preparation phase:
① The manager randomly selects a secret exponent $x$ as the master private key of the system and computes the corresponding master public key $y = g^x$.
② The group members send their identities $ID_i$ to the manager; the group manager computes the hash value $pk_i = H_1(ID_i)$ and $d_{ID_i} = pk_i^{x}$, generating the private keys for the group members in turn and sending each to its group member.
③ The group manager computes the group tag $gtag = H_4(ID_G)$ corresponding to the current group membership list $ID_G$ and the group public key $gpk = (gtag, ID_G)$, where SHA-256 is used as the hash algorithm $H_4$.
(2) Signature generation phase:
① To sign a message $m \in \{0,1\}^*$ on behalf of the whole group, the group administrator first determines the sub-group participating in this signature using a pseudo-random algorithm. In the present embodiment the sub-group size is set to a fixed value (given as an image in the source), i.e. the member subset $J$ contains that many identities $ID_i$ of group members; the participating group members are selected at random for each signature, and the member subset $J$ is published within the group.
② After receiving the member subset $J$, the group members determine whether they participate in the signature. The participants each first compute the hash value $H_3(gtag, m)$ and then compute the two signature components (formulas given as images in the source), where $gtag$ is the group tag value, $m$ is the message to be signed, $r_j$ is the random number selected by each member, $d_{ID_j}$ is each member's private key and $g$ is the generator of the group $G_1$. After generating the signature $S_j$ (its two components are given as images in the source), each group member sends it to the group administrator.
③ Before the member signatures are aggregated they must be verified. The aggregation of signatures involves no secret parameters and can be performed by any group member; in this embodiment it is performed by the group administrator. The group administrator first computes $H_3(gtag, m)$, then for each signature $S_j$ computes 3 bilinear pairings, namely $e(y, pk_j)$ and two pairings involving the signature components (given as images in the source), and compares the first of these pairing values with the product of $e(y, pk_j)$ and the remaining pairing value. If they are equal, the member signature $S_j$ is a valid signature, otherwise it is an illegal signature. If an illegal signature appears, the aggregation process is exited and the group administrator re-determines the signing sub-group.
④ If all received signatures are legal, the group administrator aggregates the member signatures into a multiple signature. First the hash values $a_j = H_2(ID_j, J, ID_G)$ are computed, then $\sigma_1$ and $\sigma_2$ (formulas given as images in the source), giving the final multiple signature $\sigma = (\sigma_1, \sigma_2)$.
(3) Signature verification phase:
Having obtained the group's public parameters $Params$, the group membership list $ID_G$ and the signing member subset $J$, any entity can verify the correctness of the multiple signature $\sigma$. The verifier first computes $H_3(gtag, m)$, then computes $a_j = H_2(ID_j, J, ID_G)$ ($j \in \{0, 1, 2, \ldots, n\}$, $n$ being the number of members in $J$) and from these the value of the aggregate public key $apk$ (formula given as an image in the source). Next the 3 bilinear pairings $e(g, \sigma_1)$, $e(y, apk)$ and $e(\sigma_2, H_3(gtag, m))$ are computed, where $\sigma_1$ and $\sigma_2$ are the components of the multiple signature $\sigma$ and $y$ is the public key of the group administrator. Finally $e(g, \sigma_1)$ is compared with $e(y, apk) \cdot e(\sigma_2, H_3(gtag, m))$; if they are equal, the multiple signature $\sigma = (\sigma_1, \sigma_2)$ is a valid signature, otherwise it is an illegal signature.
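The three phases above (key preparation, sub-group signing with pre-aggregation verification, and verification of the aggregate), as an added worked example that is not part of the patent and is not the inventors' code. It models the pairing over the integers modulo a constructed prime: a $G_1$ element $g^a$ is stored as the exponent $a$, so the group product adds exponents, exponentiation multiplies them, and $e(g^a, g^b)$ is stored as $ab \bmod Q$. That reproduces the bilinear algebra only and provides no security (the CDH problem is trivial in this model). The formulas for the two member signature components, the aggregation of $\sigma_1$ and $\sigma_2$ and the aggregate public key are images in the source, so the example assumes the instantiation $U_j = d_{ID_j} \cdot H_3(gtag, m)^{r_j}$, $V_j = g^{r_j}$, $\sigma_1 = \prod_j U_j^{a_j}$, $\sigma_2 = \prod_j V_j^{a_j}$ and $apk = \prod_j pk_j^{a_j}$, which satisfies the stated verification equation $e(g, \sigma_1) = e(y, apk) \cdot e(\sigma_2, H_3(gtag, m))$. The identities, the message, the sub-group size of 3, the prime $Q = 2^{61} - 1$ and all function names are the example's own constructions.

```python
import hashlib
import secrets

Q = (1 << 61) - 1   # constructed toy prime order; NOT a real pairing-friendly group
G = 1               # generator g of the toy G1, stored as the exponent 1

# Toy bilinear group: G1 elements are exponents of g, G2 elements exponents of g_T.
def g1_mul(a, b):   # product of two G1 elements
    return (a + b) % Q
def g1_pow(a, k):   # a^k in G1
    return (a * k) % Q
def pair(a, b):     # e(g^a, g^b) = g_T^(a*b): bilinear by construction, no security
    return (a * b) % Q
def gt_mul(a, b):   # product in G2
    return (a + b) % Q

# Domain-separated hash functions; H4 uses SHA-256 as the embodiment states.
def _h(tag, *parts):
    hh = hashlib.sha256(tag.encode())
    for p in parts:
        hh.update(repr(p).encode() + b"|")
    return int.from_bytes(hh.digest(), "big")
def H1(identity):          # {0,1}* -> G1: member public key pk_i
    return _h("H1", identity) % Q or 1
def H2(id_j, J, ID_G):     # {0,1}* -> Z_q^*: aggregation coefficient a_j
    return _h("H2", id_j, tuple(J), tuple(ID_G)) % (Q - 1) + 1
def H3(gtag, m):           # {0,1}* -> G1: message hash bound to the group tag
    return _h("H3", gtag, m) % Q or 1
def H4(ID_G):              # {0,1}* -> Z_q^*: group tag gtag
    return _h("H4", tuple(ID_G)) % (Q - 1) + 1

# Key preparation phase.
def setup():
    """Step 1: master private key x and master public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, g1_pow(G, x)

def extract(x, identity):
    """Step 2: pk_i = H1(ID_i), d_IDi = pk_i^x (returned to the member)."""
    pk = H1(identity)
    return pk, g1_pow(pk, x)

def group_tag(ID_G):
    """Step 3: gtag = H4(ID_G); the group public key is gpk = (gtag, ID_G)."""
    return H4(ID_G)

# Signature generation phase.
def member_sign(d_id, gtag, m):
    """Step 4: S_j = (U_j, V_j) with a fresh random r_j (assumed instantiation)."""
    r = secrets.randbelow(Q - 1) + 1
    h = H3(gtag, m)
    return g1_mul(d_id, g1_pow(h, r)), g1_pow(G, r)

def verify_member(y, pk_j, gtag, m, sig):
    """Step 5: e(g, U_j) == e(y, pk_j) * e(V_j, H3(gtag, m))."""
    U, V = sig
    return pair(G, U) == gt_mul(pair(y, pk_j), pair(V, H3(gtag, m)))

def aggregate(y, gtag, ID_G, J, m, sigs):
    """Steps 5-6: every member signature is checked first; any illegal one aborts."""
    if not all(verify_member(y, H1(j), gtag, m, sigs[j]) for j in J):
        return None
    s1 = s2 = 0                 # identity element of the toy G1
    for j in J:
        a_j = H2(j, J, ID_G)
        U, V = sigs[j]
        s1 = g1_mul(s1, g1_pow(U, a_j))
        s2 = g1_mul(s2, g1_pow(V, a_j))
    return s1, s2

# Signature verification phase.
def verify_multisig(y, gtag, ID_G, J, m, sigma):
    """Step 7: apk = prod pk_j^{a_j}; e(g, s1) == e(y, apk) * e(s2, H3(gtag, m))."""
    if sigma is None:
        return False
    apk = 0
    for j in J:
        apk = g1_mul(apk, g1_pow(H1(j), H2(j, J, ID_G)))
    s1, s2 = sigma
    return pair(G, s1) == gt_mul(pair(y, apk), pair(s2, H3(gtag, m)))

def run_demo(subgroup_size=3):
    """Whole flow on constructed identities; the sub-group size is an assumption."""
    x, y = setup()
    ID_G = ["alice", "bob", "carol", "dave", "erin"]           # constructed identities
    keys = {i: extract(x, i) for i in ID_G}
    gtag = group_tag(ID_G)
    J = sorted(secrets.SystemRandom().sample(ID_G, subgroup_size))  # step 4.1
    m = "transfer 10 units to account 42"                       # constructed message
    sigs = {j: member_sign(keys[j][1], gtag, m) for j in J}
    sigma = aggregate(y, gtag, ID_G, J, m, sigs)
    tampered = dict(sigs)                                        # one member misbehaves
    U, V = tampered[J[0]]
    tampered[J[0]] = (g1_mul(U, 1), V)
    return {
        "valid": verify_multisig(y, gtag, ID_G, J, m, sigma),
        "wrong_message": verify_multisig(y, gtag, ID_G, J, m + "!", sigma),
        "tampered_member_rejected": aggregate(y, gtag, ID_G, J, m, tampered) is None,
    }
```

Calling run_demo() returns the three checks a practitioner cares about: the honest aggregate verifies, the same aggregate fails against a different message, and a tampered member signature is rejected in step 5 before any aggregation takes place, which is the pre-aggregation check the patent adds over conventional multi-signature schemes. The coefficients $a_j$ are bound to the identity, the sub-group $J$ and the membership list $ID_G$, so the same member signatures cannot be re-aggregated under a different sub-group without changing $apk$.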
Security analysis
Theorem 1 (correctness). The identity-based multiple signature method based on sub-groups is correct.
Proof: if the multiple signature is computed according to the signing algorithm, the following two equations must hold:
1) with the group and the group tag $gtag$ fixed, the signature of each group member $u_i$ participating in the signature on the message $m$ satisfies the per-member verification equation (the signature and the equation are given as images in the source);
2) the multiple signature $\sigma = (\sigma_1, \sigma_2)$ satisfies the verification equation
$$e(g, \sigma_1) = e(y, apk) \cdot e(\sigma_2, H_3(gtag, m)).$$
Theorem 2 (unforgeability). In the random oracle model, if there is an attacker $\mathcal{A}$ that forges a multiple signature with non-negligible probability, then an instance of the CDH problem can be solved.
Proof: let $\mathcal{A}$ be the attacker's algorithm, $\mathcal{B}$ the algorithm that uses $\mathcal{A}$ as a subroutine, and $\mathcal{C}$ the CDH challenger. $H_1, H_2, H_3, H_4$ are random oracles. $\mathcal{C}$ is given $(G_1, G_2, q, g, g^{\alpha}, g^{\beta})$, where $G_1$ and $G_2$ are cyclic groups of prime order $q$ (the remaining conditions on $\alpha$ and $\beta$ are given as images in the source). The goal of the challenger $\mathcal{C}$ is to run algorithm $\mathcal{B}$, using the extended forking lemma, to solve the CDH problem, i.e. to compute $g^{\alpha\beta}$.
Algorithm $\mathcal{B}$, which uses $\mathcal{A}$ as a subroutine, sets $y = g^{\alpha}$ as the challenge master public key, so that $\alpha$ is the system master private key. $\mathcal{B}$ sets a challenge identity $ID^*$ and must answer the signature and hash queries of $\mathcal{A}$; the public key corresponding to the challenge identity $ID^*$ is called the challenge public key $pk^*$. $\mathcal{B}$ selects the system parameters $Params = \{G_1, G_2, e, q, g, y, H_1, H_2, H_3, H_4\}$ and sends them to $\mathcal{A}$. The rules by which $\mathcal{B}$ answers the queries of $\mathcal{A}$ are defined as follows:
① $\mathcal{B}$ answers the queries of $\mathcal{A}$ related to $H_2$ with reference to a random vector $f$.
② Answering $H_1$: $\mathcal{B}$ maintains a list for $H_1$ queries (written $L_1$ here; the list symbol is an image in the source), initially empty. When $\mathcal{A}$ queries the hash value corresponding to $z$: if $z$ is already in $L_1$, output the recorded $c$ as the reply; otherwise first draw a random value $x \in \{0, 1\}$ and then select a random number $c$; if $x = 0$ let $h = g^{c}$, and if $x = 1$ let $h = g^{\beta c}$. $L_1$ is updated after each answer.
③ Answering Extract queries: when $\mathcal{A}$ queries the private key corresponding to an identity, $\mathcal{B}$ first calls the $H_1$ oracle and looks up the entry $(z, c, x, h)$ in $L_1$. If $x = 0$, i.e. $h = g^{c}$, it returns $d_{ID} = y^{c}$ as the private key; if $x = 1$, i.e. $h = g^{\beta c}$, it returns $\perp$.
④ Answering $H_2$: $\mathcal{B}$ maintains a list for $H_2$ queries (written $L_2$ here), initially empty. When $\mathcal{A}$ makes its $i$-th query for the hash value of $z$: if $z$ is already in $L_2$, output the recorded $c$ as the reply; otherwise decide how to respond according to the content of $z$: if $z = (ID, J, ID_G)$ and $ID \in J$, then when $ID = ID^*$ answer $H_2(ID, J, ID_G) = c_i$, and otherwise answer $H_2(ID_j, J, ID_G) = d_j$, where $d_j$ is a random number; if $z$ is not of this form, select a random number as the answer. $L_2$ is updated after each answer.
⑤ Answering $H_3$: $\mathcal{B}$ maintains a list for $H_3$ queries (written $L_3$ here), initially empty. When $\mathcal{A}$ queries the hash value corresponding to $z$: if $z$ is already in $L_3$, output the recorded $h$ as the response; otherwise select a random number $\lambda$, compute $h = g^{\lambda}$ as the response, and update $L_3$ after each answer.
⑥ Answering $H_4$: $\mathcal{B}$ maintains a list for $H_4$ queries (written $L_4$ here), initially empty. When $\mathcal{A}$ queries the hash value corresponding to $z$: if $z$ is already in $L_4$, output the recorded $h$ as the response; otherwise select a random number as the response, and update $L_4$ after each answer.
⑦ Answering $Sign(\cdot, sk, pk)$ queries: when $\mathcal{A}$ queries the signature corresponding to $z$, $\mathcal{B}$ first calls the $H_3$ oracle and looks up the entry $(z, \lambda, h)$ in $L_3$. If it is present, the corresponding value (given as an image in the source) is returned; otherwise $\mathcal{B}$ decides how to respond according to the content of $z$: if $z = (ID, gtag, m)$ and $ID \in J$, then when $ID = ID^*$ it returns $\perp$; otherwise it looks up the list $L_1$ to obtain the public key $h$ corresponding to $ID$, selects a random number $\delta$, and returns $U = y^{\delta}$, $V = y^{\beta}$, i.e. $S = (U, V)$, as the signature; it then computes the corresponding $H_3$ value $H$ (given as an image in the source), sets $\lambda$ accordingly, and adds $(z, \lambda, H)$ to the list $L_3$.
Finally, the forger $\mathcal{A}$ returns a signer set $J = \{ID_1, ID_2, \ldots, ID_n\}$ containing $n$ group members, the group membership set $ID_G$ with its corresponding public key set, a forged signature $\sigma^*$ with its corresponding message $m^*$, and the group public key $gpk = (gtag, ID_G)$. The forger $\mathcal{A}$ must not have queried the signature on $(m^*, gtag)$ directly, and the forged signature $(J, \sigma^*)$ must verify as valid.
Algorithm $\mathcal{B}$ terminates if the entry of the challenge identity $ID^*$ in the list $L_1$ has $x = 0$. Since $x$ is chosen at random, the probability that $\mathcal{B}$ does not terminate is $1/2$. Let $k$ be the index of $pk^*$ in the public key list, i.e. $pk^* = pk_k$, and let $j_f$ be the index of $H_2(ID^*, J, ID_G)$ in $f$ (the relation is given as an image in the source), with $a_j = H_2(ID_j, J, ID_G)$. Thus the final output of $\mathcal{B}$ is denoted $(\{j_f\}, \{(\sigma, ID_G, J, apk, \{a_j\}_{j \in J})\})$, and the probability that $\mathcal{B}$ produces a successful output is $\varepsilon/2$.
The challenger $\mathcal{C}$ runs algorithm $\mathcal{B}$ to solve the CDH problem. According to the generalized forking lemma, the algorithm is set up and run so that the output of the two runs of $\mathcal{B}$ is $(\{j_f\}, \{out\}, \{out'\})$. The two runs of $\mathcal{B}$ use different random vectors $f$ and $f'$, which nevertheless satisfy a relation given as an image in the source. In the outputs, $out = (\sigma, ID_G, J, apk, \{a_j\}_{j \in J})$ and $out' = (\sigma', ID_G', J', apk', \{a'_j\}_{j \in J'})$; specifically, $\sigma = (\sigma_1, \sigma_2)$ and $\sigma' = (\sigma_1', \sigma_2')$.
The two runs of $\mathcal{B}$ are set to fork at the $k$-th coefficient (the precise fork point is given as images in the source), i.e. $a_k \ne a'_k$, while the signer group is fixed, i.e. $ID_G = ID_G'$ and $J = J'$. Thus, apart from $a_k$, all other $j \in J$ satisfy $a_j = a'_j$, and from the definition of the aggregate public key (given as an image in the source) a relation between $apk$ and $apk'$ (given as an image in the source) is obtained.
The signatures $\sigma$ and $\sigma'$ output by algorithm $\mathcal{B}$ are both legitimate signatures, so the following verification equations hold:
$$e(g, \sigma_1) = e(y, apk) \cdot e(\sigma_2, H_3(gtag, m))$$
$$e(g, \sigma_1') = e(y, apk') \cdot e(\sigma_2', H_3(gtag, m))$$
By the properties of the symmetric bilinear map, the two equations are combined (the derivation is given as images in the source), and from this the challenger $\mathcal{C}$ can compute the solution to the CDH problem (the closed-form expression is given as an image in the source). Since the CDH problem is hard in polynomial time, this contradicts the reasoning above, so the forger $\mathcal{A}$ assumed in the proof does not exist, and the identity-based multiple signature method based on sub-groups is unforgeable.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (8)

1. An identity-based multi-signature method based on sub-grouping, characterized in that the method comprises the following steps:
step 1: initializing the system parameters, the group administrator generating a master public/private key pair;
step 2: the group members send their identities to the group administrator, and the group administrator generates a private key for each group member in turn;
step 3: the group administrator computes a group tag from the set of group member public keys, and the group member public key set together with the group tag form the group public key;
step 4: the group administrator selects the signing sub-group and publishes the sub-group set, and the members of the sub-group each generate a signature and send it to the group administrator;
step 5: the group administrator verifies each signature received from a sub-group member in step 4, and if any signature is illegal, returns to step 3;
step 6: if all signatures received by the group administrator in step 5 are legal, the group administrator aggregates the member signatures into a multi-signature;
step 7: any entity inside or outside the group verifies the correctness of the multi-signature.
2. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 1 specifically comprises:
step 1.1, let G1 be an additive cyclic group of prime order q and G2 a multiplicative cyclic group of prime order q; given a security parameter n, let Gen be the parameter generation algorithm; Gen(n) generates (q, g, G1, G2), where (G1, G2) is a bilinear group pair of prime order q, the bilinear map is e: G1×G1→G2, which maps pairs of elements of G1 into G2, and g is a generator of G1; the 4 secure hash functions are: H1: {0,1}*→G1,
Figure FDA0003325639590000011
H3: {0,1}*→G1,
Figure FDA0003325639590000012
where Zq denotes the set {0, 1, 2, ..., q-1}, and
Figure FDA0003325639590000013
denotes the set {1, 2, ..., q-1}; H1: {0,1}*→G1 denotes that a value in the range {0,1}* is mapped by H1 to a value in the group G1; the system parameters are published to all group members;
step 1.2, the group administrator randomly selects an
Figure FDA0003325639590000014
as the master private key, and computes the master public key y = g^x.
3. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 2 specifically comprises:
step 2.1, each group member sends its own identity IDi to the group administrator PKG (private key generator);
step 2.2, the group administrator PKG computes pki = H1(IDi), computes the private key dIDi = pki^x from this hash value, and returns it to the corresponding group member.
4. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 3 specifically comprises:
step 3.1, the group administrator creates a set IDG, adds the identities of all group members to this set, and maintains the public key list
Figure FDA0003325639590000021
corresponding to the identity set IDG;
step 3.2, the group administrator hashes the set IDG to obtain gtag = H4(IDG); the computed hash value gtag becomes the identification tag of the group;
step 3.3, combining the identity set with the group tag gtag gives the group public key gpk = (gtag, IDG), which is published to the group members.
5. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 4 specifically comprises:
step 4.1, before the message m is signed, the group administrator determines a member subset J, which contains the identity IDs of the group members participating in the signature, and publishes J within the group;
step 4.2, the members whose IDs are in the subset J each sign the message m, each selecting a random number
Figure FDA0003325639590000022
step 4.3, the members participating in the signature hash gtag and m to obtain H3(gtag, m), and then compute
Figure FDA0003325639590000023
and
Figure FDA0003325639590000024
where gtag is the group tag value, m is the message to be signed, rj is the random number selected by each member, dIDj is the private key of each member, and g is a generator of the group G1;
step 4.4, the signature generated by each group member participating in the signature consists of 2 parts, i.e. the signature values
Figure FDA0003325639590000025
Figure FDA0003325639590000026
after generating the signature Sj, the group member sends Sj to the group administrator PKG.
6. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 5 specifically comprises:
step 5.1, the group administrator verifies each received member signature: it hashes gtag and m to obtain H3(gtag, m), and then computes the values of the 3 bilinear pairings
Figure FDA0003325639590000027
and
Figure FDA0003325639590000028
where
Figure FDA0003325639590000029
and
Figure FDA00033256395900000210
are the components of the member signature Sj, and y is the public key of the group administrator (j ∈ {0, 1, 2, ..., n}, n being the number of members in J);
step 5.2, compare whether the values of
Figure FDA00033256395900000211
and
Figure FDA00033256395900000212
are equal; if so, the member signature Sj is a valid signature, otherwise it is an illegal signature;
step 5.3, when an illegal member signature appears, return to step 3.1 and re-determine the signing sub-group.
7. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 6 specifically comprises:
step 6.1, if all member signatures verify as valid, the group administrator PKG aggregates the received member signatures;
step 6.2, hash (IDj, J, IDG) to obtain the hash value aj = H2(IDj, J, IDG) (j ∈ {0, 1, 2, ..., n}, n being the number of members in J);
step 6.3, compute
Figure FDA0003325639590000031
and
Figure FDA0003325639590000033
step 6.4, the aggregated multi-signature consists of 2 parts, i.e. σ = (σ1, σ2).
8. The identity-based multi-signature method based on sub-grouping as claimed in claim 1, wherein step 7 specifically comprises:
step 7.1, to verify the correctness of the multi-signature, first hash (IDj, J, IDG) to obtain the hash value aj = H2(IDj, J, IDG) (j ∈ {0, 1, 2, ..., n}, n being the number of members in J), and then compute the aggregate public key
Figure FDA0003325639590000032
step 7.2, hash gtag and m to obtain H3(gtag, m), and then compute the 3 bilinear pairings e(g, σ1), e(y, apk) and e(σ2, H3(gtag, m)), where σ1 and σ2 are the components of the multi-signature σ and y is the public key of the group administrator;
step 7.3, compare e(g, σ1) with e(y, apk)·e(σ2, H3(gtag, m)); if they are equal, the multi-signature σ = (σ1, σ2) is a valid signature, otherwise it is an illegal signature.
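The following Python program is an added worked example of claims 2 to 8 run end to end; it is not the patent's code. Because the page's formula images are not available, the member signature S_j = (d_IDj + r_j·H3(gtag, m), r_j·g), the aggregation σ = (Σ a_j·S_j1, Σ a_j·S_j2) and the aggregate public key apk = Σ a_j·pk_j are reconstructed from the verification equations in claims 6 and 8 and from the proof's verification equation above, and should be read as assumptions. The groups are constructed toy groups: G1 is the additive group Z_q with q = 953, G2 is the order-q subgroup of Z_p* with p = 2q+1, and e(a, b) = h^(ab) mod p. That map is exactly bilinear, so every equation of the scheme can be checked, but it gives no security at all, since discrete logarithms in Z_q are trivial; a deployment needs a pairing-friendly curve. The identities, the message and the sub-group J are constructed sample values.

```python
"""Toy end-to-end run of the sub-group identity-based multi-signature
(added example; the forms of S_j, sigma and apk are assumptions
reconstructed from the verification equations in claims 6 and 8).

Constructed toy groups, NOT secure: G1 = additive group Z_q, G2 = the
order-q subgroup of Z_p^* with p = 2q+1, e(a, b) = h^(a*b) mod p.  The map
is exactly bilinear, so the scheme's equations can be checked, but discrete
logs in Z_q are trivial; a real system needs a pairing-friendly curve.
"""
import hashlib
import secrets

Q = 953        # prime order of G1 (toy parameter)
P = 2 * Q + 1  # 1907, also prime, so Z_p^* has a subgroup of order Q
H_GEN = 4      # quadratic residue mod P, hence a generator of that subgroup
G = 1          # generator of the additive group Z_Q


def pairing(a, b):
    """Symmetric bilinear map e: G1 x G1 -> G2 on the toy groups."""
    return pow(H_GEN, (a * b) % Q, P)


def hash_to_zq_star(*parts):
    """SHA-256 over length-prefixed byte strings, mapped into {1, ..., q-1}."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


# The claim's four hash functions, modelled with SHA-256 on the toy groups.
def H1(identity):          # {0,1}* -> G1: identity to public key pk
    return hash_to_zq_star(b"H1", identity)

def H2(id_j, J, id_g):     # (ID_j, J, ID_G) -> aggregation coefficient a_j
    return hash_to_zq_star(b"H2", id_j, b"|".join(sorted(J)), b"|".join(sorted(id_g)))

def H3(gtag, m):           # (gtag, m) -> G1
    return hash_to_zq_star(b"H3", gtag, m)

def H4(id_g):              # ID_G -> group tag gtag
    return hashlib.sha256(b"H4" + b"|".join(sorted(id_g))).digest()


class GroupAdministrator:
    """The PKG / group administrator of claims 2-4, 6 and 7."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # master private key x (step 1.2)
        self.y = (self.x * G) % Q               # master public key y = x*g
        self.id_g = []                          # identity set ID_G (step 3.1)

    def extract(self, identity):
        """Step 2: pk_i = H1(ID_i), d_IDi = x * pk_i; ID_i is also recorded in ID_G."""
        self.id_g.append(identity)
        return (self.x * H1(identity)) % Q

    def group_public_key(self):
        """Step 3: gpk = (gtag, ID_G) with gtag = H4(ID_G)."""
        return H4(self.id_g), list(self.id_g)

    def verify_member(self, identity, gtag, m, sig):
        """Step 5: e(g, S_j1) == e(y, pk_j) * e(S_j2, H3(gtag, m))."""
        s1, s2 = sig
        rhs = pairing(self.y, H1(identity)) * pairing(s2, H3(gtag, m)) % P
        return pairing(G, s1) == rhs

    def aggregate(self, J, gtag, m, sigs):
        """Step 6: reject on any bad share (step 5.3), else sum a_j-weighted shares."""
        if not all(self.verify_member(j, gtag, m, sigs[j]) for j in J):
            return None
        sigma1 = sigma2 = 0
        for j in J:
            a = H2(j, J, self.id_g)
            sigma1 = (sigma1 + a * sigs[j][0]) % Q
            sigma2 = (sigma2 + a * sigs[j][1]) % Q
        return sigma1, sigma2


def member_sign(d_id, gtag, m):
    """Step 4 (assumed form): S_j = (d_ID + r*H3(gtag, m), r*g), r random in Z_q^*."""
    r = secrets.randbelow(Q - 1) + 1
    return (d_id + r * H3(gtag, m)) % Q, (r * G) % Q


def verify_multisig(y, gpk, J, m, sigma):
    """Step 7, run by any entity: e(g, s1) == e(y, apk) * e(s2, H3(gtag, m))."""
    gtag, id_g = gpk
    apk = sum(H2(j, J, id_g) * H1(j) for j in J) % Q   # apk recomputed from J, never supplied by the signer
    s1, s2 = sigma
    return pairing(G, s1) == pairing(y, apk) * pairing(s2, H3(gtag, m)) % P


def run_protocol(bad_member=None):
    """Steps 1-6 on constructed sample data; returns (y, gpk, J, m, sigma).

    With bad_member set, that member signs with a wrong private key, modelling a
    share from someone who does not hold d_ID; the administrator then returns None.
    """
    ga = GroupAdministrator()
    members = [b"alice", b"bob", b"carol", b"dave"]          # constructed identities
    keys = {i: ga.extract(i) for i in members}
    gpk = ga.group_public_key()
    J = [b"alice", b"carol", b"dave"]                         # step 4.1: published sub-group
    m = b"approve release build 1.2"                          # constructed sample message
    if bad_member is not None:
        keys[bad_member] = (keys[bad_member] + 1) % Q
    sigs = {j: member_sign(keys[j], gpk[0], m) for j in J}
    return ga.y, gpk, J, m, ga.aggregate(J, gpk[0], m, sigs)


if __name__ == "__main__":
    y, gpk, J, m, sigma = run_protocol()
    print("multi-signature valid:", verify_multisig(y, gpk, J, m, sigma))
    print("bad share rejected:", run_protocol(bad_member=b"carol")[4] is None)
```

The run exercises the two defensive checks the claims specify. The administrator's per-member pairing check of step 5 rejects a share produced with a wrong private key before it can enter the aggregate (a bad share would otherwise make the final multi-signature fail verification without saying which member caused it). The coefficients a_j = H2(ID_j, J, ID_G) tie every share to the published sub-group J and to ID_G, and the verifier of step 7 recomputes apk from J itself rather than accepting an aggregate key supplied alongside the signature.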
CN202111261478.6A 2021-10-28 2021-10-28 Identity-based multi-signature method based on sub-packets Active CN113972987B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111261478.6A CN113972987B (en) 2021-10-28 2021-10-28 Identity-based multi-signature method based on sub-packets

Publications (2)

Publication Number Publication Date
CN113972987A true CN113972987A (en) 2022-01-25
CN113972987B CN113972987B (en) 2023-07-18

Family

ID=79588736

Country Status (1)

Country Link
CN (1) CN113972987B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003090429A1 (en) * 2002-04-15 2003-10-30 Docomo Communications Laboratories Usa, Inc. Signature schemes using bilinear mappings
CN101800641A (en) * 2009-12-29 2010-08-11 河南城建学院 Group signature method suitable for large groups
CN109600233A (en) * 2019-01-15 2019-04-09 西安电子科技大学 Group ranking mark based on SM2 Digital Signature Algorithm signs and issues method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YU H, ET AL.: "Certificateless broadcast multisignature scheme based on MPKC", IEEE *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant