CN114499884A - Attribute-based signature method for multiple authorization centers - Google Patents

Abstract

The invention relates to an attribute-based signature method of multiple authorization centers, which comprises the following steps: s1: the central authorization center establishes the public parameters of the system and completes the registration of all users and n attribute authorization centers, each attribute authorization center generates a group of public and private key pairs, wherein the public key is safely shared to any entity in the system, and the central authorization center generates the public key of the system according to the public key of the attribute authorization center; s2: a user applies for attribute key components associated with the owned attribute set from k attribute authorization centers of n attribute authorization centers and reconstructs the attribute key components to obtain a complete key; s3: a user sends a signature message of a specified predicate strategy according to the complete key; s4: and judging whether the signature message is legal or not by any other user according to the predicate strategy, if so, outputting 1, and otherwise, outputting 0. The invention realizes integrity verification in the message transmission process and simultaneously protects the identity privacy of a signer, fundamentally solves the problem of single point failure and constructs a distributed attribute signature system.

Description

Attribute-based signature method for multiple authorization centers

Technical Field

The invention relates to the field of digital signatures, in particular to an attribute-based signature method of a multi-authorization center.

Background

In a conventional digital signature mechanism, a verification key is closely associated with a user identity, so that the identity privacy of the user is exposed to an arbitrary signature verifier. The attribute-based signature mechanism (ABS) is used as a new cryptology principle, and the identity privacy of a signer is protected while the message non-falsification or integrity is realized. The identity information of the user is described by a series of attributes, and the right of signature construction is determined by the attribute set owned by the user. The verifier can only determine that the signer has the attribute set meeting the predicate policy by verifying the signature, but cannot determine the specific identity information of the signer.

Due to its compatibility in message integrity verification and identity privacy protection, an attribute signature mechanism satisfying various properties is constructed. However, many existing schemes reflect the biggest defect of the attribute signature mechanism that the time for generating the signature increases with the complexity of predicate rules. In order to implement a signature algorithm with a fixed size, i.e. independent of the number of predicates involved, research into short signature schemes has become a focus of attention. In particular, Javier proposes an attribute short signature technology based on trapdoor predicates, the signature size of which does not increase linearly with the growth of predicate strategies, and the technology has obvious advantages in reducing bandwidth consumption.

However, this short signature of attributes scheme employs a single rights issuer responsible for managing the set of attributes for all users for key issuance, which inevitably results in a single point of failure for system security and performance. Since the authorization center manages the attribute set and the related private key of the whole system, if it is attacked by a malicious attack, the whole system is affected. More seriously, the authorization center can forge the signature of any entity by generating a private key with any attribute, which poses a serious challenge to the security of the whole system.

In the prior art, the problem is solved by a scheme of a plurality of attribute authorization centers, however, in the existing scheme of attribute signature of the plurality of authorization centers, each attribute authorization center is respectively responsible for managing a disjoint subset of system attributes and issuing a related attribute private key for a legal user having a corresponding attribute; each attribute authorization center can be responsible for the management of a plurality of system attributes, but each system attribute can only be responsible for one attribute authorization center, so that all the attribute authorization centers are required to be kept in an online state when a user applies for an attribute private key to ensure the smooth issuance of the user private key, the challenge is brought to the system expandability, and the problem of single-point failure brought by a central authorization center is not fundamentally solved; in addition, the attribute private key of the user is reconstructed by combining partial private keys obtained from a plurality of attribute authorization centers, the fact that the central authorization center controls the system master key independently is not changed, and once the central authorization center is attacked, the security of the whole system is threatened.

Disclosure of Invention

The invention aims to provide an attribute-based signature method of multiple authorization centers, which aims to solve the problem of single point failure and improve the flexibility of a system.

The invention designs a new attribute signature scheme of multiple authorization centers on the basis of a Javier threshold strategy short signature scheme and a Li Wei multiple authorization attribute encryption scheme, and the scheme meets three requirements: the system attribute set is not subjected to cooperative management of a plurality of attribute authorization centers any more, and any one attribute authorization center can verify the authenticity of the user attribute set and issue a part of private keys for the specific attribute set; secondly, the attribute private key of the user is not issued by a single authorization center any more, but a threshold secret sharing technology is applied, and partial attribute key components of a plurality of attribute authorization centers are combined to reconstruct to obtain a complete key, so that the problem of key escrow caused by the single authorization center is solved; and thirdly, only the user with the key satisfying the threshold policy attribute can successfully construct the signature, thereby realizing the message integrity verification and protecting the specific identity privacy of the user.

The invention provides an attribute-based signature method of multiple authorization centers, which comprises the following steps:

s1: the central authorization center establishes the public parameters of the system and completes the registration of all users and n attribute authorization centers, each attribute authorization center generates a group of public and private key pairs, wherein the public key is safely shared to any entity in the system, and the central authorization center generates the public key of the system according to the public key of the attribute authorization center;

s2: the user applies for attribute key components associated with the owned attribute set from k of the n attribute authorization centers respectively, and reconstructs the k attribute key components to obtain a complete key;

s3: a user sends a signature message of a specified predicate strategy according to the complete key;

s4: and judging whether the signature message is legal or not by any other entity according to the predicate policy, if so, outputting 1, and otherwise, outputting O.

Further, step S1 further includes:

s11: the central authorization center takes a security parameter lambda as input, firstly selects a hash function which can resist collusion attack

Wherein n is_MRepresenting the binary upper limit of the signature message size, and then selecting two multiplication cyclic groups G and G of prime order p_TAnd defines a bilinear map on the group e: g → G_T(ii) a Selecting a generator with G as G, and randomly selecting a set of mapping parameters

Define the function according to the above

To map the signature message onto the corresponding cyclic group G; selecting

D different element creation set phi ═ { phi ═ phi₁，φ₂，…，φ_dAs a default set of attributes for the system; then setting the parameter l to 2d +1, selecting a set of vector parameters

Each of which

And calculating a vector parameter

The central authorization center is additionally provided with a digital signature algorithm omega_SignAnd a corresponding public and private key pair (pk)_CA；sk_CA) Public key pk_CAIs disclosed in the system, the private key sk_CAOwned only by a central authority, passing sk_CARealizing the registration of the user and each attribute authorization center;

the registration process of the user comprises the following steps: when any user joins the system, the central authorization center firstly verifies the validity of the user, and after the validity is verified, the central authorization center randomly selects

One element is used as a global identity uid of the user to be issued to the user, and a corresponding digital certificate Cert.uid is constructed according to a signature algorithm and a signature private key;

the registration of the attribute authority includes: central authority random selection

One element of the global identity aid as an attribute authority_iIssuing to an attribute authority, and constructing a corresponding digital certificate Cert_i。

Further, step S1 further includes:

s12: each attribute authority AA_i(i ═ 1, 2, …, n) a random number α is selected_i∈Z_pAs a subkey, the system master key is now represented as

Then each AA_i(i-1, 2, …, n) each form a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0) (ii) a According to a selected polynomial, each AA_i(i-1, 2, …, n) is another AA_j(i ═ 1, 2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(aid_j) And through AA_jIs passed to the AA in secret_i(ii) a Simultaneous AA_iCalculate s for oneself_ii＝f_i(aid_i) When receiving data from other n-1 AA_j(j ═ 1, 2, …, i-1, i +1, …, n) of the subgroup s_ji(j ═ 1, 2, …, i-1, i +1, …, n), AA_iCalculating to obtain the private key of the user

And according to the private key sk_iCalculating to obtain corresponding public key

Eventually after all attribute rights issuer initialization, each AA_iObtaining a group of self public and private key pairs (pk)_i，sk_i) Wherein pk_iIs securely shared to any entity, including the central authority.

Further, step S1 further includes:

s13: central authority selects n AA_iK public keys are subjected to reconstruction calculation to obtain the public key of the system:

wherein the content of the first and second substances,

e is a defined bilinear map, G is a generator of a public multiplication cyclic group G; sk_iThe private key of the ith edge server; pk_iK is the parameter of the threshold secret sharing mechanism (k, n) for the public key of the ith edge server.

Further, the public parameters of the system are:

wherein G is the generator of multiplication cycle group G, n is the number of attribute authorization centers, e (G, G)^αFor the calculated system public key, λ is a security parameterNumber, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F (M) is the mapping function defined during initialization,

for the vector parameters defined during initialization, H₀Is a hash function.

Further, step S2 further includes:

ith Attribute Authority center AA_iThe private key sk of the authority according to the ith attribute_iAnd a set of random parameters

An implicit polynomial is defined:

for each attribute ω ∈ Ω, Ω is the set of role attributes, AA_iSelecting a random number

The ith attribute key component at this time

Is constructed as follows:

for each attribute φ ∈ φ, φ is a default set of attributes, AA_iSelecting a random number

Attribute key component

Is constructed as follows:

after collecting the key components from the k attribute rights issuer, the set of k key components is labeled as I_k＝(i₁，i₂，…，i_k) The user then reconstructs the resulting attribute key SK_ω＝(D_ω，0，D_ω，1，K_ω，i) The following were used:

wherein i is 1, 2, …, l-1;

likewise, for each element φ in the default attribute set φ, the following attribute key SK is calculated_φ＝(D_φ，0，D_φ，1，K_φ，i)：

The complete key combination for the end user is then: (SK)_ω＝D_ω，0，D_ω，1，K_ω，iI ∈ Ω, i ═ 1, 2, …, l-1 for each ω ∈ Ω; SK_φ＝D_φ，0，D_φ，1，K_φ，iI-1, 2, …, l-1 for each Φ ∈ Φ).

Further, step S3 further includes:

when a predicate policy Γ ═ (M, S) is selected for the message M, where S is a set of attributes with size S ═ S ≦ d, and M ∈ {1, …, S }; user first calculates

And the complete key is grouped as follows ({ SK_ω}_ω∈Ω，{SK_φ}_φ∈Φ) (ii) a According to the dictionary order, first select the set ΦThe first d-m elements of (c) construct a subset Φ_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mI ═ m, and then a vector parameter is defined according to the following polynomial

The following were used:

since d-m + s + 1. ltoreq.2 d +1 ═ l, the coefficient y_d-m+s+2，…，y_lIs determined to be 0;

for each attribute ω ∈ S_mUser based on attribute key SK_ω＝{D_ω，0，D_ω，1，K_ω，i1, 2, …, l-1} to obtain the parameters

For each attribute φ ∈ φ_d-mUser based on attribute key SK_φ＝{D_φ，0，D_φ，1，K_φ，iThe parameter is obtained by calculating | i ═ 1, 2, …, l-1}

According to the result

And

two attribute sets S are obtained by calculation_mAnd phi_d-mDetermined parameter D₀And D₁：

D₁＝g^r

Wherein the content of the first and second substances,

and

is composed of the set S_mAnd phi_d-mCo-determined Lagrange coefficients, for a certain ω ∈ S_m，

For a certain phi e phi_d-m，

Will be provided with

Resolving into binary expression and mapping it into group G to obtain

Wherein M is_j∈(0，1)，j＝1，…，n_M(ii) a Then a signer with an attribute key meeting the predicate strategy randomly selects Z, and w belongs to Z_pThe final complete signature ∑ (σ)₀，σ₁，σ₂) Is constructed as follows:

further, step S4 further includes:

other arbitrary entities are firstly analyzed into (m, S) according to the predicate strategy gamma, and the predicate strategy gamma is calculated

Then, according to the parameter m, a subset of Φ is defined which contains the d-m elements

Using a polynomial P_S(Z) design rule definition vector

If equation

If true, the acceptance signature ∑ (σ) is set₀，σ₁，σ₂) Legally sign and output a 1, otherwise the output is 0, where h₀And h_iAre respectively vector parameters

The 1 st and the i-1 st elements in (a); u. of₀And u_jAre all randomly selected elements in the multiplicative cyclic group G.

The attribute-based signature method of multiple authorization centers of the invention utilizes multiple authorization centers to manage the same system attribute set on the basis of the existing trap predicate short attribute signature, instead of each authorization center managing a disjoint subset of the system attribute set; meanwhile, by combining a threshold secret sharing technology, a system master key is jointly constructed by a plurality of attribute authorization centers and does not belong to any single authorization center any more, and any single attribute authorization center cannot obtain the system master key and cannot forge a signature in a mode of randomly generating a private key; the user can reconstruct a complete signature private key by combining the attribute key components exceeding the threshold number, and the user can successfully construct an attribute signature only if the user really has the private key meeting the trapdoor predicate. The invention not only realizes integrity verification in the message transmission process, but also protects the identity privacy of a signer, and fundamentally solves the problem of single point failure, thereby really constructing a distributed attribute signature system.

Drawings

Fig. 1 is a flowchart of an attribute-based signature method of multiple rights issuer according to an embodiment of the present invention.

Detailed Description

The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

The entities involved in the embodiments of the present invention include:

central Authority (CA): as a global trusted certificate center of the system, initializing and establishing the system and receiving registration of a legal user and an attribute authorization center;

attribute Authority (AA): a plurality of attribute authorization centers manage the same system attribute set and issue partial attribute key components for each user applying for the private key;

the signer: a user possessing a private key; wherein, only a legal signer can construct a signature meeting the corresponding predicate policy;

and (3) verifier: an entity that completes the signature verification; any entity can complete signature verification without any additional secret information.

As shown in fig. 1, an embodiment of the present invention provides an attribute-based signature method for multiple authorization centers, including the following steps:

s1: the central authorization center establishes the public parameters of the system and completes the registration of all users and n attribute authorization centers, each attribute authorization center generates a group of public and private key pairs, wherein the public key is safely shared to any entity in the system, and the central authorization center generates the public key of the system according to the public key of the attribute authorization center;

s2: the user applies for attribute key components associated with the owned attribute set from k of the n attribute authorization centers respectively, and reconstructs the k attribute key components to obtain a complete key;

s3: a user sends a signature message of a specified predicate strategy according to the complete key;

s4: and judging whether the signature message is legal or not by any other entity according to the predicate policy, if so, outputting 1, and otherwise, outputting O.

Step S1 is a system initialization, which includes three steps: CASetup1, AASetup and CASetup 2. The CASetup1 is mainly responsible for the establishment of system parameters by a Central Authority (CA) and the registration of all users and a plurality of Attribute Authorities (AA); in the AASetup stage, all attribute authorization centers (AA) interact and share the subkeys; finally CA reconstructs the complete system public parameters at the stage CASetup 2. The method comprises the following specific steps:

S11：CASetup1

CA runs the initialization operation with the security parameter λ as input. Firstly, a hash function which can resist collusion attack is selected

Wherein n is_MRepresenting the upper binary limit of the size of the signature message M, i.e. using the maximum value of the binary description message, CA continues to randomly select two multiplicative cyclic groups G and G of order prime p_TAnd defines a bilinear map on the group e: g → G_T(ii) a Selecting a generator with G as G, and randomly selecting a set of mapping parameters

Thereby defining a mapping function

Wherein M is_jFor any j e (1, 2, …, n) {0, 1}_M) I.e. M is the jth bit represented by binary, and the mapping function is to map the signature message onto the corresponding cyclic group G; meanwhile, in order to simplify the description of a trapdoor predicate strategy, an integer group with the order of prime number is selected

D different element creation set phi ═ { phi ═ phi₁，φ₂，…，φ_dThe attribute signature is used as a default attribute set of the system for the specific construction of the following attribute signature, and the selection condition of the attribute signature does not influence the actual result of the attribute signature at all; then setting parameter l to 2d +1, CA continues to select

Specify each one

And calculating a vector parameter

Besides, the CA additionally configures a traditional digital signature algorithm omega_SignAnd a corresponding public and private key pair (pk)_CA；sk_CA) For signing and verifying digital certificates, wherein the public key pk_CAIs disclosed to any entity of the system and the private key sk_CAThe registration for subsequent users and attribute authorities is only handled by the CA. To avoid confusion, the two registration processes will be described separately next.

When any user joins the system, the CA firstly verifies the validity of the user, and mainly verifies whether the user has previously performed a registration application to resist replay attack and denial of service attack. When the user is authenticated to be legitimate, the CA willRandom selection

One element of which is issued as a global identity uid of the user, and which is issued in accordance with a signature algorithm omega_SignBuilt digital certificate cert.

Each attribute authority also needs to register with the CA during system initialization. Likewise, CA randomly selects

One element as attribute authority AA_iGlobal identity of (aid)_iIssued to it and according to the signature algorithm omega_SignAid constructing a corresponding digital certificate_iThe method is used for guaranteeing the safety of interactive communication among the following authorization centers.

S12：AASetup

This step is run cooperatively by all attribute authorities. All n AA inter-calls the (k, n) threshold secret sharing mechanism as follows:

assume AA_iRepresenting the ith attribute rights issuer (AA), each AA_i(i ═ 1, 2, …, n) a random number α is selected_i∈Z_pAs its discretionary key, the system master key may now be obscured as shown

Followed by each AA_i(i-1, 2, …, n) each form a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0). According to a selected polynomial, each AA_i(i-1, 2, …, n) is another AA_j(i ═ 1, 2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(aid_j) And through AA_jTo which it is passed in secret. Simultaneous AA_iCalculate s for oneself_ii＝f_i(aid_i). When receiving data from other n-1 AA_j(j ═ 1, 2, …, i-1, i +1, …, n) of the subgroup s_ji(j＝1，2，…I-1, i +1, …, n), AA_iIt's private key (i.e. private key of ith attribute authority) can be easily calculated

And calculates the corresponding public key according to it

After all attribute rights issuer initialization, each AA_iObtaining a group of public and private key pairs (pk)_i，sk_i) Here pk_iIs securely shared to any entity, including the CA.

S13：CASetup2

To get the public key of the system, the CA arbitrarily chooses n AA_iK public keys are subjected to reconstruction calculation to obtain:

as an important parameter for signature verification is no longer determined by a single entity, we can show it in a cryptic way

Wherein the content of the first and second substances,

e is a defined bilinear map. G is the generator of the disclosed multiplication cycle group G; sk_iThe private key of the ith edge server; pk_iIs the public key of the ith edge server, k is a parameter of the threshold secret sharing mechanism (k, n), and P (i) represents the set of identities (aid) by the edge server₁，aid₂，…aid_k) The determined lagrangian coefficients are chosen according to the dictionary order for the sake of simplicity of description, but in practice, the id sets of any k edge servers from n are all implemented. It is particularly emphasized that alpha is only meAn expression of the arcane of these does not exist in practice, and what is obtained in practice is the public parameter e (g, g) reconstructed by the central authority^αThis is why α no longer belongs to any single authority.

After the final initialization is completed, the published parameters of the whole system are as follows:

wherein G is the generator of multiplication cycle group G, n is the number of attribute authorization centers, e (G, G)^αFor the calculated system public key, λ is the security parameter, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F (M) is the mapping function defined during initialization,

for the vector parameters defined during initialization, H₀Is a hash function.

Step S2 is the issuance of the attribute key, which specifically includes:

the generation of the attribute key is performed by more than a threshold number of attribute authorization centers, and less than k, the user cannot construct a complete attribute key. In the process, any attribute authorization center does not need to interact any more, and each user can select k attribute authorization centers to obtain corresponding attribute key components respectively according to the consideration of the user. Specifically, a global identity and a certificate are used as input, a user submits a key application to a certain attribute authorization center, and after the attribute authorization center verifies the authenticity of the user, a corresponding attribute set omega is issued according to the specific identity role of the user, and an attribute key component related to the attribute set omega is generated. First of all, the attribute authority AA_iAccording to the sub-key sk_iAnd a set of random parameters

An implicit polynomial is defined:

for each attribute ω ∈ Ω in the set of role attributes Ω, AA_iSelecting a random number

Attribute key component at this time

Composed of three elements

Composition, which can ultimately be constructed as follows:

wherein j is 1, 2, …, l-1, h₁And h_j+1Are respectively vector parameters

And the 1 st and j +1 st elements.

Likewise, for each attribute φ ∈ φ, AA in the default set of attributes φ_iSelecting a random number

The key component

Also composed of three elements

The composition, ultimately, can be constructed as follows:

for j ═ 1, 2, …, l-1

After collecting the attribute key components from the k attribute authorities, this set is labeled as I without loss of generality here_k＝(i₁，i₂，…，i_k)，i_kRepresenting the k-th attribute key component of the collected k attribute authority centers, the user can reconstruct its specific attribute key SK_ω. Likewise, it is composed of three elements D_w，0、D_w，1And K_w，iComposition, for three corresponding parts of the attribute key component respectively:

wherein P (j) is from the set I_kDetermined Lagrange coefficient

For any particular attribute ω, it can be considered a random number associated with it;

wherein, i is 1, 2, …, l-1.

Applying the same calculation principle, we can calculate the following attribute key SK for each element φ in the default attribute set φ_φ(D_φ，0，D_φ，1，K_φ，i)：

The complete key combination for the end user is: { SK_ω＝(D_ω，0，D_ω，1，K_ω，iI ∈ Ω, i ═ 1, 2, …, l-1) for each ω ∈ Ω; SK_φ＝(D_φ，0，D_φ，1，K_φ，iI ∈ Φ, i ═ 1, 2, …, l-1 }.

Each attribute authorization center manages a sub-key by applying a secret sharing mechanism based on a threshold, and the central authorization center reconstructs complete system parameters in a sharing mode, but the central authorization center or any attribute authorization center cannot obtain the complete system key, so that the problem of single-point failure is fundamentally solved; meanwhile, the attribute key of the user is obtained by combining the components obtained from the attribute authorization centers, the components exceeding the threshold number can be successfully reconstructed, all the attribute authorization centers are not required to be kept online to issue a key related to a specific attribute for the user, and the flexibility of the system is greatly improved.

Step S3 is a message signature generation, specifically including:

when it is a message

When the predicate strategy Γ ═ m, S is selected, where S is a randomly selected attribute set with size S ═ S ≦ d, but at least m user attributes must be wrapped, and the rest are randomly selected as interference options, that is, m ∈ {1, …, S }, where m is a dynamic number selection of signers, representing how many attribute keys are selected to construct corresponding signatures; the signer first calculates

And the complete key is grouped as follows ({ SK_ω}_ω∈Ω，{SK_φ}_φ∈Φ). According to the dictionary order, the first d-m elements of the set phi are selected first to construct the subset phi_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mAnd m. According to the following polynomial P_S(Z) A vector parameter may be defined

Since d-m + s + 1. ltoreq.2 d +1 ═ l, the coefficient y_d-m+s+2，…，y_lIt is certainly determined to be 0.

For each attribute ω ∈ S_mSigner depends on the attribute key SK_ω＝{D_ω，0，D_ω，1，K_ω，iThe parameter is obtained by calculating | i ═ 1, 2, …, l-1}

For each attribute φ ∈ φ_d-mLikewise, signer bases onAttribute key SK_φ＝{D_φ，0，D_φ，1，K_φ，i1, 2, …, l-1} to obtain the parameters

According to the result

And

then two attribute sets S are obtained through calculation_mAnd phi_d-mDetermined parameter D₀And D₁：

Here we mark

And

is composed of a set S_mAnd phi_d-mCo-determined Lagrange coefficients, for a certain ω ∈ S_m，

For a certain phi e phi_d-m，

Finally will be

Resolving into binary expression and obtaining according to function

Then a signer with an attribute key meeting the predicate policy randomly selects Z, w belongs to Z_pThe final complete signature ∑ (σ)₀，σ₁，σ₂) Comprises three components, which are respectively constructed as follows:

step S4 is signature verification, which specifically includes:

the verifier first resolves the predicate policy Γ into (m, S), and calculates

Then according to the parameter m, defineSubset of Φ containing d-m elements

Using the same polynomial P_S(Z) design rule definition vectors

If the following equation holds true, the signature ∑ will be accepted (σ)₀，σ₁，σ₂) Legal signature and output 1, otherwise, output 0:

wherein h is₀And h_iAre respectively vector parameters

The 1 st and the i-1 st elements in (a); u. of₀And u_jAre all randomly selected elements in the multiplicative cyclic group G.

The attribute-based signature method for multiple authorization centers provided by the embodiment of the invention utilizes multiple authorization centers to manage the same system attribute set on the basis of the existing trap predicate short attribute signature, instead of each authorization center managing a disjoint subset of the system attribute set; meanwhile, by combining a threshold secret sharing technology, a system master key is jointly constructed by a plurality of attribute authorization centers and does not belong to any single authorization center any more, and any single attribute authorization center cannot obtain the system master key and cannot forge a signature in a mode of randomly generating a private key; the user can reconstruct a complete signature key by combining the attribute private key components exceeding the threshold number, and the user can successfully construct an attribute signature only if the user really has the attribute private key meeting the trapdoor predicate. The invention not only realizes integrity verification in the message transmission process, but also protects the identity privacy of the signer, fundamentally solves the problem of single point failure, and really constructs a distributed attribute signature system.

The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and various modifications may be made to the above-described embodiment of the present invention. All simple and equivalent changes and modifications made according to the claims and the content of the specification of the present application fall within the scope of the claims of the present patent application. The invention has not been described in detail in order to avoid obscuring the invention.

Claims (8)

1. An attribute-based signature method of multiple authorization centers is characterized by comprising the following steps:

s1: the central authorization center establishes the public parameters of the system and completes the registration of all users and n attribute authorization centers, each attribute authorization center generates a group of public and private key pairs, wherein the public key is safely shared to any entity in the system, and the central authorization center generates the public key of the system according to the public key of the attribute authorization center;

s2: the user applies for attribute key components associated with the owned attribute set from k of the n attribute authorization centers respectively, and reconstructs the k attribute key components to obtain a complete key;

s3: a user sends a signature message of a specified predicate strategy according to the complete key;

s4: and judging whether the signature message is legal or not by any other entity according to the predicate policy, if so, outputting 1, and otherwise, outputting 0.

2. The attribute-based signature method of multiple rights issuer of claim 1, wherein the step S1 further comprises:

s11: the central authorization center takes a security parameter lambda as input, firstly selects a hash function which can resist collusion attack

Wherein n is_MRepresenting the binary upper limit of the signature message size, and then selecting two multiplication cyclic groups G and G of prime order p_TAnd defines a bilinear map on the group e: g → G_T(ii) a Selecting a generator with G as G, and randomly selecting a set of mapping parameters

Define the function according to the above

To map the signature message onto the corresponding cyclic group G; selecting

D different element creation set phi ═ { phi ═ phi₁，φ₂，…，φ_dAs a default set of attributes for the system; then setting the parameter l to 2d +1, selecting a set of vector parameters

Each of which

And calculating a vector parameter

The central authorization center is additionally provided with a digital signature algorithm omega_SignAnd a corresponding public and private key pair (pk)_CA；sk_CA) Public key pk_CAIs disclosed in the system, the private key sk_CAOwned only by a central authority, passing sk_CARealizing the registration of the user and each attribute authorization center;

the registration process of the user comprises the following steps: when any user joins the system, the central authorization center firstly verifies the validity of the user, and when the user is verified to be legal, the central authorization center randomly selects

One element is issued to the user as the global identity uid of the user, andconstructing a corresponding digital certificate Cert.uid according to a signature algorithm and a signature private key;

the registration of the attribute authority includes: central authority random selection

One element as global identity aid of attribute authority_iIssuing to an attribute authority, and constructing a corresponding digital certificate Cert_i。

3. The attribute-based signature method of multiple rights issuer of claim 2, wherein the step S1 further comprises:

s12: each attribute authority AA_i(i ═ 1, 2, …, n) a random number α is selected_i∈Z_pAs a subkey, the system master key is now represented implicitly as

Followed by each AA_i(i-1, 2, …, n) each form a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0) (ii) a According to a selected polynomial, each AA_i(i-1, 2, …, n) is another AA_j(i ═ 1, 2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(aid_j) And through AA_jIs passed to the AA in secret_j(ii) a Simultaneous AA_iCalculate s for oneself_ii＝f_i(aid_i) When receiving data from other n-1 AA_j(j ═ 1, 2, …, i-1, i +1, …, n) of the subgroup s_ji(j ═ 1, 2, …, i-1, i +1, …, n), AA_iCalculating to obtain the private key of the user

And according to the private key sk_iCalculating to obtain corresponding public key

Eventually after all attribute rights issuer initialization, each AA_iObtaining a group of self public and private key pairs (pk)_i，sk_i) Wherein pk_iIs securely shared to any entity including a central authority.

4. The attribute-based signature method of multiple rights issuer of claim 3, wherein the step S1 further comprises:

s13: central authority selects n AA_iK public keys are subjected to reconstruction calculation to obtain the public key of the system:

wherein the content of the first and second substances,

e is defined bilinear mapping, G is a generator of a multiplication cycle group G; sk_iThe private key of the ith edge server; pk_iK is the parameter of the threshold secret sharing mechanism (k, n) for the public key of the ith edge server.

5. The attribute-based signature method of multiple rights issuer of claim 4, wherein the public parameters of the system are:

wherein G is the generator of multiplication cycle group G, n is the number of attribute authorization centers, e (G, G)^αFor the calculated system public key, λ is the security parameter, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F (M) is the mapping function defined during initialization,

for the vector parameters defined during initialization, H₀Is a hash function.

6. The attribute-based signature method of multiple rights issuer of claim 5, wherein the step S2 further comprises:

ith Attribute Authority center AA_iThe private key sk of the authority according to the ith attribute_iAnd a set of random parameters

An implicit polynomial is defined:

for each attribute ω ∈ Ω, Ω is the set of role attributes, AA_iSelecting a random number

The ith attribute key component at this time

Is constructed as follows:

for each attribute φ ∈ φ, φ is a default set of attributes, AA_iSelecting a random number

Attribute key component

Is constructed as follows:

after collecting the key components from the k attribute rights issuer, the set of k key components is labeled as I_k＝(i₁，i₂，…，i_k) The user then reconstructs the resulting attribute key SK_ω＝(D_ω，0，D_ω，1，K_ω，i) The following were used:

wherein，i＝1，2，…，l-1；

Likewise, for each element φ in the default attribute set φ, the following attribute key SK is calculated_φ＝(D_φ，0，D_φ，1，K_φ，i)：

The end user's full key combination is then: (SK)_ω＝D_ω，0，D_ω，1，K_ω，iI ∈ Ω, i ═ 1, 2, …, l-1 for each ω ∈ Ω; SK_φ＝D_φ，0，D_φ，1，K_φ，iI-1, 2, …, l-1 for each Φ ∈ Φ).

7. The attribute-based signature method of multiple rights issuer of claim 6, wherein the step S3 further comprises:

when it is a message

When a predicate strategy Γ is selected as (m, S), wherein S is an attribute set with the size S ═ S ≦ d, and m ∈ {1, …, S }; user first calculates

And the complete key is grouped as follows ({ SK_ω}_ω∈Ω，{SK_φ}_φ∈Φ) (ii) a According to the dictionary order, the first d-m elements of the set phi are selected first to construct the subset phi_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mI ═ m, and then a vector parameter is defined according to the following polynomial

The following were used:

since d-m + s + 1. ltoreq.2 d +1 ═ l, the coefficient y_d-m+s+2，…，y_lIs determined to be 0;

for each attribute ω ∈ S_mUser based on attribute key SK_ω＝{D_ω，0，D_ω，1，K_ω，iThe parameter is obtained by calculating | i ═ 1, 2, …, l-1}

For each attribute φ ∈ φ_d-mUser based on attribute key SK_φ＝{D_φ，0，D_φ，1，K_φ，iThe parameter is obtained by calculating | i ═ 1, 2, …, l-1}

According to the result

And

two attribute sets S are obtained by calculation_mAnd phi_d-mDetermined parameter D₀And D₁：

D₁＝g^r

Wherein the content of the first and second substances,

and

is composed of a set S_mAnd phi_d-mCo-determined Lagrange coefficients, for a certain ω ∈ S_m，

For a certain phi e phi_d-m，

Will be provided with

Resolving into binary expression and mapping it into group G to obtain

Wherein M is_j∈(0，1)，j＝1，…，n_M(ii) a Then a signer with an attribute key meeting the predicate policy randomly selects Z, w belongs to Z_pThe final complete signature ∑ (σ)₀，σ₁，σ₂) Is constructed as follows:

8. the attribute-based signature method of multiple rights issuer of claim 7, wherein the step S4 further comprises:

other arbitrary entities are firstly analyzed into (m, S) according to the predicate strategy gamma, and the predicate strategy gamma is calculated

Then theDefining a subset of Φ containing d-m elements according to the parameter m

Using a polynomial P_S(Z) design rule definition vector

If equation

If true, the acceptance signature ∑ (σ) is set₀，σ₁，σ₂) Legally sign and output a 1, otherwise the output is 0, where h₀And h_iAre respectively vector parameters

The 1 st and the i-1 st elements in (a); u. of₀And u_jAre all randomly selected elements in the multiplicative cyclic group G.

Images