CN114301604A - Distributed public key infrastructure method based on block chain and attribute signature - Google Patents

Abstract

The invention belongs to the technical field of passwords, and particularly relates to a distributed public key infrastructure method based on a block chain and an attribute signature. The invention changes the single-node CA of the traditional public key infrastructure into a multi-node CA which is arranged on a block chain and used for issuing/verifying certificates in a coordinated mode, and introduces cryptographic algorithms such as signature based on attributes, zero knowledge proof and the like, so that the identity represented by the certificate is finer in granularity; the method comprises the following steps: initializing a system, initializing a user, signing and issuing a certificate, verifying the certificate, canceling the certificate and the like; the invention is a general scheme, is suitable for various certificate-based identity authentication scenes, makes the identity more three-dimensional by using the breadth covered by the attribute, has fine-grained identity authentication and certain fault tolerance, realizes the non-repudiation of the certificate by combining the non-interactive zero knowledge proof, and expands the application breadth of the invention.

Description

Distributed public key infrastructure method based on block chain and attribute signature

Technical Field

The invention belongs to the technical field of cryptography, and particularly relates to a distributed public key infrastructure method based on a block chain and an attribute signature.

Background

The flexible and effective identity authentication/management scheme is one of the core requirements in the information age, and through the flexible and effective identity authentication/management scheme, the identity of each entity in the internet can be uniquely determined. Public key infrastructure is one of the typical representatives, and PKI is one of the important cornerstones of the current internet by managing digital certificates so that trust problems between different entities can be solved. However, the traditional centralized PKI has many problems, the biggest defect is that the CA must be completely trusted, and when the CA is attacked or the CA itself acts as a malicious node, the identity of the entity corresponding to the issued certificate is either not authenticated or not trusted, which may impact the identity authentication system of the interconnection network.

The characteristics of decentralized block chain, consensus mechanism for synchronization, tamper resistance and the like provide a new idea for the development of PKI, and aiming at the problems of the centralized identity authentication system, the inventor consults and finds that a plurality of schemes arrange the traditional CA on a plurality of nodes of the block chain to realize distributed authentication. The introduction of block chains brings about a number of advantages: firstly, a block chain consensus mechanism natively supports multi-node data synchronization; related data can be stored in the blockchain by using a high-level programming language intelligent contract running on the blockchain, so that a user can apply and inquire certificates under multiple nodes; secondly, due to the properties of decentralization and non-tampering of the block chain, communication under the block chain has a trust basis, and different users can perform safe information interaction.

The inventor finds that the existing scheme still has some problems, including large calculation overhead, insufficient anti-attack capability, irrevocability of neglecting certificates and the like, and simultaneously learns the cryptography based on the attributes, and also provides a new development direction for PKI due to the fact that flexible access control with fine granularity can be provided. An identity may consist of a set of attributes, and authentication may be considered successful as long as the user's set of attributes has a certain error from the required set of attributes. The introduction of the attribute cryptography enables the identity of the authenticated entity to be more three-dimensional, the identity of the entity can be formed by a plurality of attributes (such as identification information, organizational relations and the like), and the identity mechanism of the real world is better met.

The inventor designs a novel distributed public key infrastructure method based on block chains and attribute signatures, and the method has the characteristics of universality, good performance, flexible identity mechanism, fine granularity, non-repudiation and the like.

Reference documents:

(1)Eberhardt J,Tai S.ZoKrates-Scalable Privacy-Preserving Off-Chain Computations[C]//2018 IEEE International Conference on Internet of Things(iThings) and IEEE Green Computing and Communications(GreenCom)and IEEE Cyber,Physical and Social Computing(CPSCom)and IEEE Smart Data(SmartData).IEEE,2018.Aumasson J P,Neves S,Wilcox-O’Hearn Z,et al.BLAKE2:simpler,smaller,fast as MD5[C]//International Conference on Applied Cryptography and Network Security. Springer,Berlin,Heidelberg,2013:119-135；

(2) fiat A, Shamir A.how To pro Material Yourself, Practical Solutions To Identification and Signature schemes [ C ]// Proceedings on Advances in cryptography- - -CRYPTO' 86.1999, GB/T32918, information safety technology SM2 elliptic curve public key cryptography [ S ];

(3) weiliang, Huang Zheng Jie, Chen qun shan center-off is based on attribute undeniable signature [ J ]. computer engineering and science 2020,42(6): 9.

Disclosure of Invention

The invention aims to provide a distributed public key infrastructure method based on a block chain and an attribute signature.

The invention designs a general distributed public key infrastructure method based on attribute signature, and in a system realized based on the method, a user can randomly apply for a certificate issued by a CA (certificate authority) of the system through a public Application Programming Interface (API) and verify the certificate.

The invention takes a block chain and an intelligent contract as carriers, because of the one-to-one correspondence characteristic of the block chain nodes and the node public keys, the nodes can initiate safe secret communication through the intelligent contract, simultaneously all the nodes can acquire data (including but not limited to public parameters of attribute signatures and zero knowledge proofs) on the block chain through the intelligent contract, all the nodes need to open the public keys generated by initialization, ciphertexts generated by encryption and other contents, and the data (including certificate libraries and the like) on all the block chains can be synchronized through the common identification mechanism of the block chains.

The invention provides a distributed public key infrastructure method based on a block chain and an attribute signature, which is based on an attribute signature, block chain and zero knowledge proving technology and comprises the following steps: initializing a system, initializing a user, signing and issuing a certificate, verifying the certificate and revoking the certificate; the method comprises the following specific steps:

(1) initializing a system; the system initializes the relevant parameterization of center-removing non-repudiation attribute signature, publicly uploads the parameterization to a block chain, simultaneously initializes zero knowledge to prove the relevant parameters of ZoKrates, publicly links the chain, represents the initialization of an authority CA node of the attribute, randomly generates a private key CSK of the attribute by the CA, calculates a public key CPK by the private key, and publicly links the information such as the CPK and the like;

(2) initializing a user; user initialization, User in addition to information required to register blockchains_{Applicant，u}(user u applying for the certificate) also needs to randomly generate secret value S_uSo that the calculated ID identifies the UID_uIs globally unique on the block chain, and the User applies for attributes from a plurality of CA nodes to obtain an attribute private key A K of the User_u，iAnd public key APK_u，i；

(3) Signing the issued certificate; user desiring to apply for a particular n number of CAs to issue a certificate_{Applicant，u}Having several n attributes, sending network access request certificate service to digital certificate register RA (registration authority) through block chain network, User_{Applicant，u}Submitting various information required by the certificate, confirming the information by RA through various modes (including but not limited to offline authentication), if the information is wrong, rejecting the node request, otherwise, sending the information to n CAs, carrying out signature on the certificate by CA cooperation, generating a signature by RA through collecting signature information, storing the signature in a certificate library of a block chain, and automatically synchronizing the certificate library by the block chain; then User_{Applicant，u}Executing a proof-of-generation algorithm of ZoKrates, generating a non-repudiatable proof of the certificate;

(4) and (4) certificate verification: expected authentication User_{Applicant，u}User of identity_Verifier，s(User s of certificate of authenticity), it is for User_{Applicant，u}Initiating an authentication request, User_{Applicant，u}First go to RA to obtain its own certificateBook and send certificate to User_Verifier，s，User_Verifier，sVerifying the certificate; whether the certificate is legal CA issuance or not is checked, and the User is checked_{Applicant，u}Whether the certificate is revoked or not, checking the validity period of the certificate and checking whether the certificate is issued by the required n CA nodes or not; if the certificate is expired, revoked or not signed by a legal node, the identity authentication fails, otherwise, the certificate is authenticated, the authentication comprises signature authentication and zero knowledge proof ZoKrates authentication, and the authentication is successful, namely the User is authenticated_{Applicant，u}The identity of (a);

(5) certificate revocation; certificate revocation is divided into expired revocation and User_ApplicantThe Certificate Revocation List (CRL) is periodically updated by RA (random access request); user_{Applicant，u}If a request for self certificate revocation is sent to the RA, the RA verifies the zero knowledge proof to validate the User_{Applicant，u}Identity, verification is by adding a certificate to the CRL.

In the invention, the method for issuing the certificate by signing in the step (3) comprises the following steps:

no assumption is made that there is a User desiring to apply for a certificate_{Applicant，u}It expects an application attribute set Ω ═ { Attr₁，Attr₂，...，Attr_nCorresponding certificate, User_{Applicant，u}T attributes are possessed; user_{Applicant，u}Can be regarded as a common node in the block chain, which sends a network access request certificate service, User, to the RA node through the block chain network_{Applicant，u}Various information m (including UID) required to submit a certificate_u) And the RA confirms the information, if the information is wrong, the node request is rejected, otherwise, the information is sent to n CA nodes:

(1)Sign(m，Su，UIDu，Ω，{APK_u，i，ASK_u，i}，{CPK_i，CSK_i})→P_n-t(x)，σ.

User_{Applicant，u}has t attributes, when n CA nodes of PKI receive m (including UID)_u) Begin for the certificate message m e {0, 1}^*Carrying out signature;

(i) for User_{Applicant，u}CA node Attr with attribute_iLet it be i ═ 1., t, Attr_iRandomly choosing t_i∈Zp^*And calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

s_i＝ASK_u，i+e_iCSK_i，

Attr_ir is to be_iSending the information to the RA node through a secure secret channel;

(ii) for User_{Applicant，u}CA node Attr without attribute_iLet it be i ═ t +1_iRandom selection

Random generation of APK_u，iE G, calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

Attr_iwill be provided with<c_i，d_i，APK_u，i，R_i>Sending the information to the RA node through a secure secret channel;

(iii) RA node combines R with R_iN is sent to User_{Applicant，u}，User_{Applicant，u}And (3) calculating:

(iv) and returning to the RA node, and calculating by the RA node:

c＝H₂(m，T₁，...，T_n，UID_u).

(v) subsequently, n-t +1 points (0, c), (t +1, c) are used_t+1)，...，(n，c_n) Constructing an n-t order Lagrangian interpolation polynomial Pn-t (x):

(vi) will P_n-t(x) Is sent to a User_{Applicant，u}CA node Attr with attribute_iI 1.., t.ca calculation:

c_i＝P_n-t(i)，d_i＝t_i-c_is_i，i＝1，...，t.

Attr_iwill be provided with<c_i，d_i>Sending the information to the RA node through a secure secret channel;

(vii) RA output polynomial P_n-t(x) And signature:

σ＝<c_i，d_i，T_i，APK_u，i，UID_u>，i＝1，2，...，n.

(viii) RA will P_n-t(x) And sigma is attached to the certificate information M to generate a certificate M, and the certificate M is sent to the User through a secure secret channel_{Applicant，u}And handle UID_uSplicing with the time stamp to be used as a key, storing the certificate content as a value in the certificate libraries, and automatically and synchronously backing up the plurality of certificate libraries;

(2)zkProveGen(zkParams，w，x，M_L)→π_u.

User_{Applicant，u}performing the Prove (zkParams, w, x, M) proof of Generation algorithm for ZoKrates_L) Wherein, in the input parameters, the evidence:

e_i＝ H₁(Attr_i，APK_u，i，UID_u，CPK_i)>，

proof of formation_uIn the form of Fiat-Shamir Heuristic, in particular,. pi._uCan prove User_{Applicant，u}Knowing the discrete logarithm S_uSatisfy the requirement of

And is

User_{Applicant，u}Will prove pi_uProposition x and Turing machine algorithm M_LTransmitting the uplink facilitates the query.

In the invention, the certificate verification method in the step (4) comprises the following steps:

no assumptions are made about the expected authentication User_{Applicant，u}User of identity_Verifier，sIt expects to authenticate User_{Applicant，u}User_{Applicant，u}Firstly, the RA node obtains its own certificate and sends the certificate to the User_Verifier，s，User_Verifier，sVerifying the certificate, checking whether the certificate is issued by the CA node of the legal DPKI, and checking the User_{Applicant，u}Whether the certificate is revoked or not, checking the validity period of the certificate; if the certificate is expired, revoked or not signed and issued by a legal node, the identity authentication fails, otherwise, the certificate is signed and authenticated;

Verify(m，σ，P_n-t(x)，π_u)→True/False.

(i) authentication

If one fails, the signature is an invalid signature;

(ii) after the above items are verified, the User_Verifier，sObtaining a proof pi on a blockchain_uAnd ZoKrates-related parameters, performing the authentication algorithm Verify (zkParams, x, M) of ZoKrates_L，π_u) If the verification is not passed, the signature is an invalid signature; if the verification is passed, the signature is a valid signature.

The invention has good performance in practical experiment tests, so the invention has practical application feasibility. The invention is a flexible and fine-grained identity authentication mechanism, which makes the identity more three-dimensional by utilizing the breadth covered by the attribute of the center-removing non-repudiation attribute signature, simultaneously makes the whole method have fine-grained identity authentication and certain fault tolerance, realizes information relationship fine-grained dynamic management maintenance and credibility maintenance through the attribute signature and a threshold algorithm, and introduces zero knowledge to prove that the non-repudiation of the certificate is ensured.

Drawings

FIG. 1 is an example of a method architecture.

Fig. 2 is an example of an application certificate return field.

Fig. 3 is an example of a certificate signature field.

Fig. 4 is an example of a certificate of authenticity return result.

FIG. 5 is an example of simulating 5000 concurrent accesses by a user.

Detailed Description

The present invention is further described below by way of specific embodiments so that those skilled in the relevant art can better understand the technical and functional features of the present invention, but the scope of the present invention is not limited to the following embodiments.

Example 1: in this embodiment, the programming language is Golang and the browser is Chrome.

Fig. 1 is a system architecture diagram, and the specific flow is as follows:

1. initializing a system:

(1)GlobalSetup(λ)→Params.

selecting a cyclic group G with prime order N ═ p and generator G, corresponding to N CA nodes of the distributed public key infrastructure, we have an attribute total Ω ═ { Attr ═₁，Attr₂，...，Attr_nH, another 2 hash functions H are selected₁：

H₂：

The common parameter Params is set as<G，p，g，Ω，H₁，H₂>Packaging and uploading to a block chain;

(2)CASetup(Params)→CSK，CPK.

authority Attr of n CA nodes, i.e. attributes_iRandomly generating its own private key

And calculates out the public key

And combining the CPK_iPublic chain winding;

(3)ZKSetup(1ⁿ)→zkParams.

setup (1) self-carried by ZoKratesⁿ) The algorithm initializes the common parameter zkParams and publishes zkParams for uplink.

2. User initialization:

(1)USetup(λ^u)→S_u，UID_u.

User_{Applicant，u}randomly generating secret values

So that the calculated ID identifies

Is globally unique on the blockchain;

(2)UAttrSetup(UID_u，Attr_i)→ASK_u，i，APK_u，i.

User_{Applicant，u}attribute authority Attr is referred to by various means including, but not limited to, offline applications_iApplication of attributes and validation by an attribute authority, Attr_iRandom selection

As a User_{Applicant，u}Attribute of (Attr)_iAnd calculates

As a User_{Applicant，u}Is given by the attribute public key of<APK_u，i，ASK_u，i>Sent to User through secure secret channel_{Applicant，u}And adding APK_u，iThe uplink is disclosed.

3. Signing the issued certificate: no assumption is made that there is a User desiring to apply for a certificate_{Applicant，u}It expects to claim the attribute set Ω ═ { Attr₁，Attr₂，...，Attr_nCorresponding certificate, User_{Applicant，u}Having t attributes therein. User_{Applicant，u}Can be regarded as a common node in the block chain, which sends a network access request certificate service, User, to the RA node through the block chain network_{Applicant，u}Various information m (including UID) required to submit a certificate_u) The RA confirms the information by various means (including but not limited to offline authentication), rejects the node request if the information is wrong, otherwise sends the information to the n CA nodes:

(1)Sign(m，Su，UIDu，Ω，{APK_u，i，ASK_u，i}，{CPK_i，CSK_i})→P_n-t(x)，σ.

User_{Applicant，u}has t attributes, when n CA nodes of PKI receive m (including UID)_u) Begin for the certificate message m e {0, 1}^*Carrying out signature;

(i) for User_{Applicant，u}CA node Attr with attribute_iLet it be i ═ 1., t, Attr_iRandomly choosing t_i∈Zp^*And calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

s_i＝ASK_u，i+e_iCSK_i，

Attr_ir is to be_iSending the information to the RA node through a secure secret channel;

(ii) for User_{Applicant，u}CA node Attr without attribute_iLet it be i ═ t +1_iRandom selection

Random generation of APK_u，iE G, calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

Attr_iwill be provided with<c_i，d_i，APK_u，i，R_i>Sending the information to the RA node through a secure secret channel;

(iii) RA node combines R with R_iN is sent to User_{Applicant，u}， User_{Applicant，u}And (3) calculating:

(iv) and returning to the RA node, and calculating by the RA node:

c＝H₂(m，T₁，...，T_n，UID_u).

(v) subsequently, n-t +1 points (0, c), (t +1, c) are used_t+1)，...，(n，c_n) Constructing an n-t order Lagrangian interpolation polynomial Pn-t (x):

(vi) will P_n-t(x) Is sent to a User_{Applicant，u}CA node Attr with attribute_iI 1.., t.ca calculation:

c_i＝P_n-t(i)，d_i＝t_i-c_is_i，i＝1，...，t.

Attr_iwill be provided with<c_i，d_i>Sending the information to the RA node through a secure secret channel;

(vii) RA output polynomial P_n-t(x) And signature:

σ＝<c_i，d_i，T_i，APK_u，i，UID_u>，i＝1，2，...，n.

(viii) RA will P_n-t(x) And sigma is attached to the certificate information M to generate a certificate M, and the certificate M is sent to the User through a secure secret channel_{Applicant，u}And handle UID_uSplicing with the time stamp to be used as a key, storing the certificate content as a value in the certificate libraries, and automatically and synchronously backing up the plurality of certificate libraries;

(2)zkProveGen(zkParams，w，x，M_L)→π_u.

User_{Applicant，u}performing the Prove (zkParams, w, x, M) proof of Generation algorithm for ZoKrates_L) Wherein, in the input parameters, the evidence:

e_i＝ H₁(Attr_i，APK_u，i，UID_u，CPK_i)>，

proof of formation_uIn the form of Fiat-Shamir Heuristic, in particular,. pi._uCan prove User_{Applicant，u}Knowing the discrete logarithm S_uSatisfy the requirement of

And is

User_{Applicant，u}Will prove pi_uProposition x and Turing machine algorithm M_LTransmitting the uplink facilitates the query.

4. And (4) certificate verification: no assumptions are made about the expected authentication User_{Applicant，u}User of identity_Verifier，sIt expects to authenticate User_{Applicant，u}User_{Applicant，u}Firstly, the RA node obtains its own certificate and sends the certificate to the User_Verifier，s，User_Verifier，sThe certificate is verified, whether the certificate is signed by a CA node of a legal DPKI is firstly checked, and a User is checked_{Applicant，u}If the certificate is expired, revoked or not, the certificate is signed and issued by a legal node, the identity authentication fails, otherwise, the certificate is signed and authenticated;

Verify(m，σ，P_n-t(x)，π_u)→True/False.

(i) authentication

If one of the signatures fails, the signature is an invalid signature.

(ii) After the above items are verified, the User_Verifier，sObtaining a proof pi on a blockchain_uAnd ZoKrates-related parameters, performing the authentication algorithm Verify (zkParams, x, M) of ZoKrates_L，π_u) If the verification is not passed, the signature is an invalid signature; if the verification is passed, the signature is a valid signature.

5. Certificate revocation: user_{Applicant，u}A revocation request of a certain certificate M is sent to the RA node.

Revoke(M，π_u，UID_u)→True/False.

RA gets proof of pi on blockchains_uThe verification algorithm Verify (zkParams, x, M) of ZoKrates is performed_L，π_u) If the verification is not passed, the signature is an invalid signature; and if the verification is passed, sending certificate revocation requests to the n CA nodes, and otherwise, returning error information. The CA node destroys the generated information of the related intermediate parameters and returns a revocation certificate Cer which is successfully revoked to the RA node_iRA collects n revocation certificates Cer_iThe resultant revocation certificate is stored in the CRL and the User is assigned_{Applicant，u}The certificate of (a) is revoked from the certificate store. Multiple certificate stores in the blockchain are then automatically synchronized with the CRL.

The method is an infrastructure providing an API interface, and can perform corresponding operations by sending a request to the API interface, fig. 2 is an example of a field returned by a certificate application, where the field includes information such as a serial number and a signature of the certificate, fig. 3 is an example of a field signed by a plurality of CAs (100 in this example) in cooperation, fig. 4 is an example of a field returned by a certificate verification, whether the certificate verification is successful or not is prompted, and fig. 5 is an example of simulating 5000 users to concurrently apply/verify the certificate, which can show that the method has low overhead and good performance.

Claims (3)

1. A distributed public key infrastructure method based on block chains and attribute signatures, the method is based on attribute signature, block chains and zero knowledge proof technology, and the method comprises the following steps: initializing a system, initializing a user, signing and issuing a certificate, verifying the certificate and revoking the certificate; the method comprises the following specific steps:

(1) initializing a system; the system initializes the relevant parameterization of center-removing non-repudiation attribute signature, publicly uploads the parameterization to a block chain, simultaneously initializes zero knowledge to prove the relevant parameters of ZoKrates, publicly links the chain, represents the initialization of an authority CA node of the attribute, randomly generates a private key CSK of the attribute by the CA, calculates a public key CPK by the private key, and publicly links the CPK information;

(2) initializing a user; user initialization, User in addition to information required to register blockchains_{Applicant，u}(user u applying for the certificate) also needs to randomly generate secret value S_uSo that the calculated ID identifies the UID_uThe block chain is globally unique, and the User applies for attributes from a plurality of CA nodes to obtain an attribute private key ASK of the User_u，iAnd public key APK_u，i；

(3) Signing the issued certificate; user desiring to apply for a particular n number of CAs to issue a certificate_{Applicant，u}Having several n attributes, sending a network access request certificate service, User, to a digital certificate registry RA via a blockchain network_{Applicant，u}Submitting various information required by the certificate, confirming the information by RA, rejecting the node request if the information is wrong, otherwise sending the information to n CA, carrying out signature on the certificate by CA in cooperation, collecting signature information by RA to generate a signature, storing the signature in a certificate library of a block chain, and automatically synchronizing the certificate library by the block chain; then User_{Applicant，u}Executing a proof-of-generation algorithm of ZoKrates, generating a non-repudiatable proof of the certificate;

(4) and (4) certificate verification: expected authentication User_{Applicant，u}User of identity_Verifier，s(User s of certificate of authenticity), it is for User_{Applicant，u}Initiating an authentication request, User_{Applicant，u}Firstly, go RA to obtain its own certificate and send the certificate to User_Verifier，s，User_Verifier，sVerifying the certificate; firstly, whether the certificate is legal CA issuance or not is checked, and the User is checked_{Applicant，u}Whether the certificate is revoked, checking the validity period of the certificate and checking whether the certificate is issued by the required n CA nodes; if the certificate is expired, revoked or not signed by a legal node, the identity authentication fails, otherwise, the certificate is authenticated, the authentication comprises signature authentication and zero knowledge proof ZoKrates authentication, and the authentication is successful, namely the User is authenticated_{Applicant，u}The identity of (a);

(5) certificate revocation; certificate revocation is divided into expired revocation and User_ApplicantActive withdrawingPinning, the Certificate Revocation List (CRL) will be periodically updated by RA; user_{Applicant，u}If a request for self certificate revocation is sent to the RA, the RA verifies the zero knowledge proof to validate the User_{Applicant，u}Identity, verification is by adding a certificate to the CRL.

2. The distributed public key infrastructure method based on blockchain and attribute signatures of claim 1, wherein: the method for issuing the certificate by signing in the step (3) comprises the following steps:

no assumption is made that there is a User desiring to apply for a certificate_{Applicant，u}It expects an application attribute set Ω ═ { Attr₁，Attr₂，...，Attr_nCorresponding certificate, User_{Applicant，u}T attributes are possessed; user_{Applicant，u}Can be regarded as a common node in the block chain, which sends a network access request certificate service, User, to the RA node through the block chain network_{Applicant，u}Various information m (including UID) required to submit a certificate_u) And the RA confirms the information, if the information is wrong, the node request is rejected, otherwise, the information is sent to n CA nodes:

(1)Sign(m，Su，UIDu，Ω，{APK_u，i，ASK_u，i}，{CPK_i，CSK_i})→P_n-t(x)，σ.

User_{Applicant，u}has t attributes, when n CA nodes of PKI receive m (including UID)_u) Begin for the certificate message m e {0, 1}^*Carrying out signature;

(i) for User_{Applicant，u}CA node Attr with attribute_iLet it be i ═ 1., t, Attr_iRandomly choosing t_i∈Zp^*And calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

s_i＝ASK_u，i+e_iCSK_i，

Attr_ir is to be_iSending the information to the RA node through a secure secret channel;

(ii) for User_{Applicant，u}CA node Attr without attribute_iLet it be i ═ t +1_iRandom selection

Random generation of APK_u，iE G, calculating:

e_i＝H₁(Attr_i，APK_u，i，UID_u，CPK_i)，

Attr_iwill be provided with<c_i，d_i，APK_u，i，R_i>Sending the information to the RA node through a secure secret channel;

(iii) RA node combines R with R_iN is sent to User_{Applicant，u}，User_{Applicant，u}And (3) calculating:

(iv) and returning to the RA node, and calculating by the RA node:

c＝H₂(m，T₁，...，T_n，UID_u).

(v) subsequently, n-t +1 points (0, c), (t +1, c) are used_t+1)，...，(n，c_n) Constructing an n-t Lagrange interpolation polynomial Pn-t (x):

(vi) will P_n-t(x) Is sent to a User_{Applicant，u}CA node Attr with attribute_iI 1.., t.ca calculation:

c_i＝P_n-t(i)，d_i＝t_i-C_is_i，i＝1，...，t.

Attr_iwill be provided with<c_i，d_i>Sending the information to the RA node through a secure secret channel;

(vii) RA output polynomial P_n-t(x) And signature:

σ＝<c_i，d_i，T_i，APK_u，i，UID_u>，i＝1，2，...，n.

(viii) RA will P_n-t(x) And sigma is attached to the certificate information M to generate a certificate M, and the certificate M is sent to the User through a secure secret channel_{Applicant，u}And handle UID_uSplicing with the time stamp to be used as a key, storing the certificate content as a value in the certificate libraries, and automatically and synchronously backing up the plurality of certificate libraries;

(2)zkProveGen(zkParams，w，x，M_L)→π_u.

User_{Applicant，u}performing the Prove (zkParams, w, x, M) proof of Generation algorithm for ZoKrates_L) Wherein, in the input parameters, the evidence:

proof of formation_uIn the form of Fiat-Shamir Heuristic, in particular,. pi._uCan prove User_{Applicant，u}Knowing the discrete logarithm S_uSatisfy the requirement of

And is

User_{Applicant，u}Will prove pi_uProposition x and Turing machine algorithm M_LTransmitting the uplink facilitates the query.

3. The distributed public key infrastructure method based on blockchain and attribute signatures of claim 1, wherein: the certificate verification method in the step (4) comprises the following steps:

no assumptions are made about the expected authentication User_{Applicant，u}User of identity_Verifier，sIt expects to authenticate User_{Applicant，u}User_{Applicant，u}Firstly, the RA node obtains its own certificate and sends the certificate to the User_Verifier，s，User_Verifier，sVerifying the certificate, checking whether the certificate is issued by the CA node of the legal DPKI, and checking the User_{Applicant，u}Whether the certificate is revoked or not, checking the validity period of the certificate; if the certificate is expired, revoked or not signed and issued by a legal node, the identity authentication fails, otherwise, the certificate is signed and authenticated;

Verify(m，σ，P_n-t(x)，π_u)→True/False.

(i) authentication

If one fails, the signature is an invalid signature;

(ii) after the above items are verified, the User_Verifier，sObtaining a proof pi on a blockchain_uAnd ZoKrates-related parameters, performing the authentication algorithm Verify (zkParams, x, M) of ZoKrates_L，π_u) If the verification is not passed, the signature is an invalid signature; if the verification is passed, the signature is a valid signature.

Images