CN114499884A - Attribute-based signature method for multiple authorization centers - Google Patents
- Publication number: CN114499884A (application CN202210122279.5A)
- Authority: CN (China)
- Prior art keywords: attribute, key, user, signature, public
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity, non-repudiation, key authentication, verification of credentials), involving digital signatures
- H04L9/3255—As above, using group based signatures, e.g. ring or threshold signatures
- H04L9/085—Key distribution or management: secret sharing or secret splitting, e.g. threshold schemes
- G06F21/6245—Protecting access to data via a platform, e.g. using keys or access control rules: protecting personal data, e.g. for financial or medical purposes
Abstract
The invention relates to an attribute-based signature method with multiple authorization centers, comprising the following steps. S1: the central authorization center establishes the public parameters of the system and completes the registration of all users and of the n attribute authorization centers; each attribute authorization center generates a public/private key pair, the public key being securely shared with any entity in the system, and the central authorization center generates the public key of the system from the public keys of the attribute authorization centers. S2: a user applies to k of the n attribute authorization centers for attribute key components associated with the attribute set it holds, and reconstructs these components into a complete key. S3: the user sends a message signed under a specified predicate policy using the complete key. S4: any other user judges whether the signed message is legitimate according to the predicate policy, outputting 1 if it is and 0 otherwise. The invention provides integrity verification of messages in transit while protecting the identity privacy of the signer, fundamentally eliminates the single point of failure, and constructs a distributed attribute signature system.
Description
Technical Field
The invention relates to the field of digital signatures, in particular to an attribute-based signature method of a multi-authorization center.
Background
In a conventional digital signature mechanism the verification key is closely bound to a user identity, so the identity of the user is exposed to any verifier of the signature. The attribute-based signature (ABS) mechanism, a newer cryptographic primitive, protects the identity privacy of the signer while still providing unforgeability and integrity of the message. The identity of the user is described by a set of attributes, and the right to construct a signature is determined by the attribute set the user holds. By verifying a signature the verifier learns only that the signer holds an attribute set satisfying the predicate policy; it cannot determine the specific identity of the signer.
Because it combines message integrity verification with identity privacy protection, attribute signature schemes with a variety of properties have been constructed. However, many existing schemes share the main drawback of the attribute signature mechanism: the time to generate a signature grows with the complexity of the predicate. To obtain signatures of fixed size, that is, independent of the number of predicates involved, short signature schemes have become a focus of research. In particular, Javier proposed an attribute-based short signature based on trapdoor predicates whose size does not grow linearly with the predicate policy, which is a clear advantage in reducing bandwidth consumption.
However, this attribute short signature scheme uses a single authority that manages the attribute set of all users and issues their keys, which inevitably makes that authority a single point of failure for both the security and the availability of the system. Since the authority manages the attribute set and the related private keys of the whole system, a successful attack on it compromises the whole system. Worse, the authority can forge the signature of any entity simply by generating a private key for any set of attributes, which is a serious threat to the security of the whole system.
The prior art addresses this problem with schemes using several attribute authorization centers. In the existing multi-authority attribute signature schemes, however, each attribute authorization center manages a disjoint subset of the system attributes and issues the related attribute private keys to legitimate users holding those attributes. An attribute authorization center may manage several system attributes, but each system attribute is managed by exactly one center. Consequently all attribute authorization centers must be online when a user applies for an attribute private key, which hinders the scalability of the system and does not fundamentally remove the single point of failure introduced by the central authorization center. In addition, although the attribute private key of the user is reconstructed by combining partial private keys obtained from several attribute authorization centers, the central authorization center still controls the system master key alone, so once it is compromised the security of the whole system is threatened.
Disclosure of Invention
The invention aims to provide an attribute-based signature method of multiple authorization centers, which aims to solve the problem of single point failure and improve the flexibility of a system.
The invention designs a new multi-authority attribute signature scheme on the basis of the Javier threshold-policy short signature scheme and the Li Wei multi-authority attribute-based encryption scheme. The scheme meets three requirements. First, the system attribute set is no longer partitioned among several attribute authorization centers; any single attribute authorization center can verify the authenticity of a user's attribute set and issue a partial private key for that attribute set. Second, the attribute private key of the user is no longer issued by a single authorization center; instead, threshold secret sharing is applied and the partial attribute key components of several attribute authorization centers are combined to reconstruct the complete key, which eliminates the key escrow problem of a single authorization center. Third, only a user whose key satisfies the threshold attribute policy can successfully construct a signature, which provides message integrity verification while protecting the specific identity of the user.
The invention provides an attribute-based signature method of multiple authorization centers, which comprises the following steps:
S1: the central authorization center establishes the public parameters of the system and completes the registration of all users and of the n attribute authorization centers; each attribute authorization center generates a public/private key pair, the public key being securely shared with any entity in the system, and the central authorization center generates the public key of the system from the public keys of the attribute authorization centers;
S2: the user applies to k of the n attribute authorization centers for attribute key components associated with the attribute set it holds, and reconstructs the k attribute key components into a complete key;
S3: the user sends a message signed under a specified predicate policy using the complete key;
S4: any other entity judges whether the signed message is legitimate according to the predicate policy, outputting 1 if it is and 0 otherwise.
Further, step S1 further includes:
S11: the central authorization center takes a security parameter $\lambda$ as input. It first selects a collision-resistant hash function $H_0$ with $n_M$-bit output, where $n_M$ is the upper bound on the bit length of a signed message, and then selects two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$ with a bilinear map $e: G \times G \to G_T$ defined on them. It selects a generator $g$ of $G$ and a random set of mapping parameters, from which it defines the function $F(M)$ that maps a signed message $M$ onto the cyclic group $G$. It selects $d$ distinct elements of $Z_p$ to form the set $\Phi = \{\phi_1, \phi_2, \dots, \phi_d\}$ as the default attribute set of the system, sets the parameter $l = 2d + 1$, selects a set of vector parameters and computes from them the vector parameter whose components are written $h_0, h_1, \dots$ below. The central authorization center additionally configures a digital signature algorithm $\Omega_{Sign}$ with a public/private key pair $(pk_{CA}, sk_{CA})$; the public key $pk_{CA}$ is published in the system, the private key $sk_{CA}$ is held only by the central authorization center, and the registration of users and of each attribute authorization center is performed with $sk_{CA}$;
The registration of a user proceeds as follows: when any user joins the system, the central authorization center first verifies the legitimacy of the user; once verified, it randomly selects an element of $Z_p$ as the global identity $uid$ of the user, issues it to the user, and constructs the corresponding digital certificate $Cert_{uid}$ with the signature algorithm and its signing key;
The registration of an attribute authorization center proceeds as follows: the central authorization center randomly selects an element of $Z_p$ as the global identity $aid_i$ of the attribute authorization center $AA_i$, issues it to that center, and constructs the corresponding digital certificate $Cert_i$.
Further, step S1 further includes:
S12: each attribute authorization center $AA_i$ ($i = 1, 2, \dots, n$) selects a random number $\alpha_i \in Z_p$ as its sub-key; the system master key $\alpha$ is then determined jointly by all the $\alpha_i$ and is never held by any single party. Each $AA_i$ forms a polynomial $f_i(x)$ of degree $k-1$ satisfying $\alpha_i = f_i(0)$. Using this polynomial, each $AA_i$ computes for every other $AA_j$ ($j = 1, \dots, i-1, i+1, \dots, n$) the sub-share $s_{ij} = f_i(aid_j)$ and transmits it secretly to $AA_j$, and at the same time computes $s_{ii} = f_i(aid_i)$ for itself. After receiving the sub-shares $s_{ji}$ from the other $n-1$ centers $AA_j$ ($j \ne i$), $AA_i$ computes its private key $sk_i$ from the $n$ sub-shares $s_{1i}, \dots, s_{ni}$, and from $sk_i$ the corresponding public key $pk_i$. After all attribute authorization centers have completed initialization, each $AA_i$ holds its own key pair $(pk_i, sk_i)$, where $pk_i$ is securely shared with any entity, including the central authorization center.
Further, step S1 further includes:
s13: central authority selects n AAiK public keys are subjected to reconstruction calculation to obtain the public key of the system:wherein the content of the first and second substances,e is a defined bilinear map, G is a generator of a public multiplication cyclic group G; skiThe private key of the ith edge server; pkiK is the parameter of the threshold secret sharing mechanism (k, n) for the public key of the ith edge server.
Further, the public parameters of the system are:
They consist of: $g$, the generator of the multiplicative cyclic group $G$; $n$, the number of attribute authorization centers; $e(g,g)^{\alpha}$, the computed system public key; $\lambda$, the security parameter; $G_T$, the target multiplicative cyclic group; $\Phi$, the default attribute set of the system; $F(M)$, the message mapping function defined during initialization; the vector parameter (with components $h_i$) defined during initialization; and the hash function $H_0$.
Further, step S2 further includes:
The $i$-th attribute authorization center $AA_i$, using its private key $sk_i$ and a set of random parameters, defines an implicit polynomial. For each attribute $\omega \in \Omega$, where $\Omega$ is the set of role attributes of the user, $AA_i$ selects a random number and constructs the $i$-th attribute key component for $\omega$ as follows:
For each attribute $\phi \in \Phi$, where $\Phi$ is the default attribute set, $AA_i$ selects a random number and constructs the attribute key component for $\phi$ as follows:
After collecting the key components from $k$ attribute authorization centers, whose index set is written $I_k = (i_1, i_2, \dots, i_k)$, the user reconstructs the attribute key $SK_\omega = (D_{\omega,0}, D_{\omega,1}, K_{\omega,i})$ as follows:
Likewise, for each element $\phi$ of the default attribute set $\Phi$, the attribute key $SK_\phi = (D_{\phi,0}, D_{\phi,1}, K_{\phi,i})$ is computed as follows:
The complete key of the end user is then $\big(\{SK_\omega = (D_{\omega,0}, D_{\omega,1}, K_{\omega,i}),\ i = 1, 2, \dots, l-1\}_{\omega \in \Omega};\ \{SK_\phi = (D_{\phi,0}, D_{\phi,1}, K_{\phi,i}),\ i = 1, 2, \dots, l-1\}_{\phi \in \Phi}\big)$.
Further, step S3 further includes:
When a predicate policy $\Gamma = (m, S)$ is selected for the message $M$, where $S$ is an attribute set of size $|S| = s \le d$ and $m \in \{1, \dots, s\}$, the user first computes the required value and groups the complete key as $(\{SK_\omega\}_{\omega \in \Omega}, \{SK_\phi\}_{\phi \in \Phi})$. In lexicographic order, the first $d-m$ elements of the set $\Phi$ are selected to form the subset $\Phi_{d-m}$, and an arbitrary subset $S_m$ of the user's attributes in $S$ with $|S_m| = m$ is selected; a vector parameter is then defined from the following polynomial $P_S(Z)$:
Since $d - m + s + 1 \le 2d + 1 = l$, the coefficients $y_{d-m+s+2}, \dots, y_l$ are set to $0$;
For each attribute $\omega \in S_m$, the user computes from the attribute key $SK_\omega = \{D_{\omega,0}, D_{\omega,1}, K_{\omega,i} : i = 1, 2, \dots, l-1\}$ the parameter
For each attribute $\phi \in \Phi_{d-m}$, the user computes from the attribute key $SK_\phi = \{D_{\phi,0}, D_{\phi,1}, K_{\phi,i} : i = 1, 2, \dots, l-1\}$ the parameter
From these results, the parameters $D_0$ and $D_1$ determined by the two attribute sets $S_m$ and $\Phi_{d-m}$ are computed:
$D_1 = g^{r}$
where the Lagrange coefficients are determined jointly by the sets $S_m$ and $\Phi_{d-m}$, one for each $\omega \in S_m$ and one for each $\phi \in \Phi_{d-m}$.
The value computed above is written in binary and mapped into the group $G$ with the mapping function, its bits being $M_j \in \{0, 1\}$, $j = 1, \dots, n_M$; then a signer holding an attribute key that satisfies the predicate policy selects random $z, w \in Z_p$, and the complete signature $\Sigma = (\sigma_0, \sigma_1, \sigma_2)$ is constructed as follows:
further, step S4 further includes:
Any other entity first parses the predicate policy $\Gamma$ into $(m, S)$ and computes the corresponding value; then, according to the parameter $m$, it defines the subset $\Phi_{d-m}$ of $\Phi$ containing $d-m$ elements and the vector defined from the polynomial $P_S(Z)$ by the same rule as in signing. If the verification equation holds, the signature $\Sigma = (\sigma_0, \sigma_1, \sigma_2)$ is accepted as legitimate and $1$ is output; otherwise $0$ is output. Here $h_0$ and $h_i$ are, respectively, the first and the $(i-1)$-th elements of the vector parameter, and $u_0$ and $u_j$ are the randomly selected elements of the multiplicative cyclic group $G$.
On the basis of the existing trapdoor-predicate short attribute signature, the attribute-based signature method with multiple authorization centers of the invention lets several authorization centers manage the same system attribute set, instead of each center managing a disjoint subset of it. By combining this with threshold secret sharing, the system master key is constructed jointly by several attribute authorization centers and no longer belongs to any single one of them: no single attribute authorization center can obtain the system master key, and none can forge a signature by generating private keys at will. A user reconstructs a complete signing key by combining at least a threshold number of attribute key components, and can successfully construct an attribute signature only if it really holds a private key satisfying the trapdoor predicate. The invention thus provides integrity verification of messages in transit, protects the identity privacy of the signer, and fundamentally eliminates the single point of failure, so that a truly distributed attribute signature system is constructed.
Drawings
Fig. 1 is a flowchart of an attribute-based signature method of multiple rights issuer according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The entities involved in the embodiments of the present invention include:
Central Authority (CA): the globally trusted certificate center of the system; it initializes and establishes the system and accepts the registration of legitimate users and attribute authorization centers;
Attribute Authority (AA): several attribute authorization centers manage the same system attribute set, and each issues partial attribute key components to every user applying for a private key;
Signer: a user holding a private key; only a legitimate signer can construct a signature satisfying the corresponding predicate policy;
Verifier: the entity that performs signature verification; any entity can verify a signature without any additional secret information.
As shown in fig. 1, an embodiment of the present invention provides an attribute-based signature method for multiple authorization centers, including the following steps:
s1: the central authorization center establishes the public parameters of the system and completes the registration of all users and n attribute authorization centers, each attribute authorization center generates a group of public and private key pairs, wherein the public key is safely shared to any entity in the system, and the central authorization center generates the public key of the system according to the public key of the attribute authorization center;
s2: the user applies for attribute key components associated with the owned attribute set from k of the n attribute authorization centers respectively, and reconstructs the k attribute key components to obtain a complete key;
s3: a user sends a signature message of a specified predicate strategy according to the complete key;
S4: any other entity judges whether the signed message is legitimate according to the predicate policy, outputting 1 if it is and 0 otherwise.
Step S1 is the system initialization and consists of three sub-steps: CASetup1, AASetup and CASetup2. In CASetup1 the central authority (CA) establishes the system parameters and registers all users and the attribute authorities (AA); in AASetup all attribute authorities interact and share their sub-keys; finally, in CASetup2 the CA reconstructs the complete public parameters of the system. The specific steps are as follows:
S11:CASetup1
The CA runs the initialization with the security parameter $\lambda$ as input. It first selects a collision-resistant hash function $H_0$ with output length $n_M$, where $n_M$ is the upper bound on the bit length of the signed message $M$, that is, the maximum length of the binary representation of a message. The CA then randomly selects two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$ and defines a bilinear map $e: G \times G \to G_T$ on them. It selects a generator $g$ of $G$ and randomly selects the mapping parameters $u_0$ and $u_j$ ($j = 1, \dots, n_M$) in $G$, thereby defining the mapping function $F(M)$ in terms of the bits $M_j \in \{0, 1\}$ of $M$ ($j \in \{1, 2, \dots, n_M\}$, $M_j$ being the $j$-th bit of the binary representation of $M$); this function maps a signed message onto the cyclic group $G$. At the same time, to simplify the description of the trapdoor predicate policy, it selects $d$ distinct elements of the prime-order integer group $Z_p$ to form the set $\Phi = \{\phi_1, \phi_2, \dots, \phi_d\}$, which serves as the default attribute set of the system in the concrete construction of the attribute signature below; how these elements are chosen has no effect on the result of the attribute signature. It then sets the parameter $l = 2d + 1$, selects a set of vector parameters, and computes from them the vector parameter whose components are written $h_i$ below. In addition, the CA configures a conventional digital signature algorithm $\Omega_{Sign}$ with a key pair $(pk_{CA}, sk_{CA})$ for signing and verifying digital certificates; the public key $pk_{CA}$ is disclosed to every entity of the system, while the private key $sk_{CA}$ is used only by the CA for the subsequent registration of users and attribute authorities. To avoid confusion, the two registration processes are described separately next.
When any user joins the system, the CA first verifies the legitimacy of the user, mainly checking whether the user has already submitted a registration request, in order to resist replay attacks and denial-of-service attacks. Once the user is authenticated as legitimate, the CA randomly selects an element of $Z_p$, issues it to the user as the user's global identity $uid$, and constructs a digital certificate $Cert_{uid}$ for it with the signature algorithm $\Omega_{Sign}$.
Each attribute authority also registers with the CA during system initialization. Likewise, the CA randomly selects an element of $Z_p$ as the global identity $aid_i$ of the attribute authority $AA_i$, issues it, and constructs the corresponding digital certificate $Cert_i$ with the signature algorithm $\Omega_{Sign}$; the certificate is used to secure the subsequent interactive communication among the authorities.
S12:AASetup
This step is run cooperatively by all attribute authorities. All n AA inter-calls the (k, n) threshold secret sharing mechanism as follows:
Let $AA_i$ denote the $i$-th attribute authority (AA). Each $AA_i$ ($i = 1, 2, \dots, n$) selects a random number $\alpha_i \in Z_p$ as its own sub-key; the system master key $\alpha$ can then be expressed only implicitly in terms of the $\alpha_i$. Each $AA_i$ then forms a polynomial $f_i(x)$ of degree $k-1$ satisfying $\alpha_i = f_i(0)$. Using this polynomial, each $AA_i$ computes for every other $AA_j$ ($j = 1, \dots, i-1, i+1, \dots, n$) the sub-share $s_{ij} = f_i(aid_j)$ and transmits it secretly to $AA_j$, and at the same time computes $s_{ii} = f_i(aid_i)$ for itself. Once it has received the sub-shares $s_{ji}$ from the other $n-1$ authorities $AA_j$ ($j \ne i$), $AA_i$ can easily compute its private key $sk_i$ (the private key of the $i$-th attribute authority) from the $n$ sub-shares $s_{1i}, \dots, s_{ni}$, and from it the corresponding public key $pk_i$. After all attribute authorities have completed initialization, each $AA_i$ holds a key pair $(pk_i, sk_i)$; $pk_i$ is securely shared with any entity, including the CA.
S13:CASetup2
To obtain the public key of the system, the CA arbitrarily chooses $k$ of the $n$ public keys $pk_i$ and reconstructs $e(g,g)^{\alpha}$ from them. Because this parameter, which is essential for signature verification, is no longer determined by a single entity, it can be written only implicitly in terms of the chosen public keys,
where $e$ is the defined bilinear map, $g$ is the generator of the public multiplicative cyclic group $G$, $sk_i$ and $pk_i$ are the private and public key of the $i$-th attribute authority, $k$ is the threshold parameter of the $(k, n)$ secret-sharing scheme, and $P(i)$ is the Lagrange coefficient determined by the identity set $(aid_1, aid_2, \dots, aid_k)$ of the chosen authorities. For simplicity of description the identities are taken in lexicographic order, but in practice the identity set of any $k$ of the $n$ authorities works. It must be emphasised that $\alpha$ is only an implicit expression and never exists in practice; what is actually obtained is the public parameter $e(g,g)^{\alpha}$ reconstructed by the central authority. This is why $\alpha$ no longer belongs to any single authority.
After the final initialization is completed, the published parameters of the whole system are as follows:
They consist of: $g$, the generator of the multiplicative cyclic group $G$; $n$, the number of attribute authorities; $e(g,g)^{\alpha}$, the computed system public key; $\lambda$, the security parameter; $G_T$, the target multiplicative cyclic group; $\Phi$, the default attribute set of the system; $F(M)$, the message mapping function defined during initialization; the vector parameter (with components $h_i$) defined during initialization; and the hash function $H_0$.
Step S2 is the issuance of the attribute key, which specifically includes:
Attribute key generation is performed by at least a threshold number of attribute authorities; with fewer than $k$ components the user cannot construct a complete attribute key. In this process the attribute authorities no longer need to interact with one another, and each user chooses, at its own discretion, $k$ attribute authorities from which to obtain the corresponding attribute key components. Specifically, the user submits a key application to an attribute authority with its global identity and certificate as input; after verifying the authenticity of the user, the attribute authority issues the attribute set $\Omega$ corresponding to the user's specific identity role and generates the attribute key components associated with $\Omega$. First, the attribute authority $AA_i$ uses its sub-key $sk_i$ and a set of random parameters to define an implicit polynomial. For each attribute $\omega \in \Omega$ of the role attribute set $\Omega$, $AA_i$ selects a random number; the attribute key component for $\omega$ consists of three elements and is finally constructed as follows:
where $j = 1, 2, \dots, l-1$, and $h_1$ and $h_{j+1}$ are, respectively, the first and the $(j+1)$-th elements of the vector parameter.
Likewise, for each attribute $\phi \in \Phi$ of the default attribute set $\Phi$, $AA_i$ selects a random number; the key component for $\phi$ also consists of three elements and is finally constructed as follows:
After collecting the attribute key components from $k$ attribute authorities, this set is written, without loss of generality, as $I_k = (i_1, i_2, \dots, i_k)$, with $i_k$ indexing the $k$-th of the collected components, and the user can reconstruct its attribute key $SK_\omega$. It likewise consists of three elements $D_{\omega,0}$, $D_{\omega,1}$ and $K_{\omega,i}$, each computed from the corresponding part of the $k$ components:
where $P(j)$ is the Lagrange coefficient determined by the set $I_k$, and the quantity that results can be regarded as a random number associated with the particular attribute $\omega$;
Applying the same computation, the attribute key $SK_\phi = (D_{\phi,0}, D_{\phi,1}, K_{\phi,i})$ is computed for each element $\phi$ of the default attribute set $\Phi$:
The complete key of the end user is $\{SK_\omega = (D_{\omega,0}, D_{\omega,1}, K_{\omega,i}),\ i = 1, 2, \dots, l-1 \text{ for each } \omega \in \Omega;\ SK_\phi = (D_{\phi,0}, D_{\phi,1}, K_{\phi,i}),\ i = 1, 2, \dots, l-1 \text{ for each } \phi \in \Phi\}$.
Each attribute authorization center manages one sub-key under a threshold secret sharing mechanism, and the central authorization center reconstructs the complete system parameters from the shared values; however, neither the central authorization center nor any attribute authorization center can obtain the complete system key, so the single point of failure is fundamentally removed. At the same time, the user's attribute key is assembled from components obtained from the attribute authorization centers: any set of components exceeding the threshold number reconstructs the key successfully, so not all attribute authorization centers need to stay online to issue a key for a specific attribute, which greatly improves the flexibility of the system.
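As an added illustration (not the patent's own code) of the threshold mechanism just described, the following Python simulates step S12 (each AA_i shares its sub-key α_i so that sk_j becomes a (k, n) share of the master key), step S13 (the system public key reconstructed from any k authority public keys with Lagrange coefficients in the exponent) and the same Lagrange combination a user applies to its k key components in step S2. The bilinear group is replaced by a toy prime-order subgroup of Z_P^*; P, Q, G and the aid values are constructed assumptions.

```python
import random

# Toy group, constructed for illustration only (not a secure size and not a
# pairing group): P is a safe prime, Q = (P - 1) // 2 is the prime order of
# the quadratic-residue subgroup of Z_P^*, and G = 4 generates that subgroup.
# Exponents (sub-keys, shares, Lagrange coefficients) live in Z_Q, which
# stands in for the Z_p of the patent's bilinear group.
P, Q, G = 2039, 1019, 4


def lagrange_at_zero(xs, x_i):
    """Lagrange coefficient of the point x_i for interpolation at 0 (mod Q)."""
    num, den = 1, 1
    for x_j in xs:
        if x_j != x_i:
            num = num * (-x_j) % Q
            den = den * (x_i - x_j) % Q
    return num * pow(den, -1, Q) % Q


def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... (mod Q)."""
    return sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q


def distributed_key_setup(n, k, rand=random.SystemRandom().randrange):
    """Step S12: AA_i picks sub-key alpha_i and a degree-(k-1) polynomial
    f_i with f_i(0) = alpha_i, and hands s_ij = f_i(aid_j) to AA_j.  AA_j's
    private key sk_j is the sum of the n shares evaluated at its own aid_j,
    so sk_j is a (k, n) Shamir share of alpha = sum(alpha_i) and no single
    centre ever sees alpha.  Returns (aids, alphas, sks, pks)."""
    aids = list(range(1, n + 1))                      # public, non-zero aid_i
    alphas = [rand(1, Q) for _ in range(n)]
    polys = [[a] + [rand(0, Q) for _ in range(k - 1)] for a in alphas]
    sks = [sum(poly_eval(f, aid) for f in polys) % Q for aid in aids]
    pks = [pow(G, sk, P) for sk in sks]               # pk_i = g^{sk_i}
    return aids, alphas, sks, pks


def lagrange_combine(aids, elems, chosen):
    """Combine the group elements held by the k centres in `chosen` (indices)
    with Lagrange coefficients in the exponent.  With elems = pks this is
    step S13 (system public key g^alpha from k public keys); a user combines
    its k attribute key components in step S2 in the same way."""
    xs = [aids[i] for i in chosen]
    out = 1
    for i in chosen:
        out = out * pow(elems[i], lagrange_at_zero(xs, aids[i]), P) % P
    return out


def reconstruct_master(aids, sks, chosen):
    """What k (and only k or more) colluding centres could recover: alpha."""
    xs = [aids[i] for i in chosen]
    return sum(sks[i] * lagrange_at_zero(xs, aids[i]) for i in chosen) % Q


if __name__ == "__main__":
    n, k = 5, 3
    aids, alphas, sks, pks = distributed_key_setup(n, k)
    alpha = sum(alphas) % Q
    print("any", k, "public keys give g^alpha:",
          lagrange_combine(aids, pks, [0, 2, 4]) == pow(G, alpha, P))
    print(k, "private keys recover alpha:",
          reconstruct_master(aids, sks, [1, 3, 4]) == alpha)
```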
Step S3 is message signature generation, which specifically includes:
When the predicate policy Γ = (m, S) is selected for a message, S is a randomly chosen attribute set of size |S| = s ≤ d that must contain at least m of the user's own attributes, the remaining elements being chosen at random as decoys, i.e. m ∈ {1, …, s}, where m is a number chosen dynamically by the signer and denotes how many attribute keys are used to construct the signature. The signer first carries out the initial calculation and groups the complete key as ({SK_ω}_{ω∈Ω}, {SK_φ}_{φ∈Φ}). In dictionary order, the first d-m elements of the set Φ are taken to form the subset Φ_{d-m}, and at the same time an arbitrary subset S_m satisfying |S_m| = m is selected. A vector parameter is then defined according to the following polynomial P_S(Z):
Since d-m+s+1 ≤ 2d+1 = l, the coefficients y_{d-m+s+2}, …, y_l are necessarily 0.
For each attribute ω ∈ S_m, the signer computes the following parameter from the attribute key SK_ω = {D_ω,0, D_ω,1, K_ω,i | i = 1, 2, …, l-1}:
Likewise, for each attribute φ ∈ Φ_{d-m}, the signer computes the following parameter from the attribute key SK_φ = {D_φ,0, D_φ,1, K_φ,i | i = 1, 2, …, l-1}:
From these results, the parameters D_0 and D_1 determined by the two attribute sets S_m and Φ_{d-m} are then computed:
Here the two marked coefficients are the Lagrange coefficients jointly determined by the sets S_m and Φ_{d-m}, one for each ω ∈ S_m and one for each φ ∈ Φ_{d-m}.
Finally, the message is decomposed into its binary representation and mapped according to the mapping function F(M); a signer whose attribute key satisfies the predicate policy then randomly selects z, w ∈ Z_p, and the final complete signature Σ = (σ_0, σ_1, σ_2) consists of three components, constructed respectively as follows:
Step S4 is signature verification, which specifically includes:
The verifier first parses the predicate policy Γ into (m, S) and performs the corresponding calculation; then, according to the parameter m, it defines the subset Φ_{d-m} of Φ containing d-m elements and defines the vector using the same polynomial P_S(Z) design rule. If the following equation holds, the signature Σ = (σ_0, σ_1, σ_2) is accepted as a legal signature and 1 is output; otherwise 0 is output:
where h_0 and h_i are respectively the 1st and (i-1)-th elements of the vector parameter, and u_0 and u_j are randomly selected elements of the multiplicative cyclic group G.
The attribute-based signature method for multiple authorization centers provided by this embodiment of the invention builds on the existing trapdoor-predicate short attribute signature, but lets multiple authorization centers manage the same system attribute set instead of each authorization center managing a disjoint subset of it. Combined with threshold secret sharing, the system master key is constructed jointly by several attribute authorization centers and no longer belongs to any single one of them: no single attribute authorization center can obtain the system master key, and so none can forge a signature by generating a private key on its own. A user reconstructs a complete signing key by combining attribute private key components exceeding the threshold number, and can produce a valid attribute signature only if it genuinely holds an attribute private key satisfying the trapdoor predicate. The invention thus provides integrity verification for messages in transit, protects the identity privacy of the signer, fundamentally removes the single point of failure, and realizes a truly distributed attribute signature system.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and various modifications may be made to the above-described embodiment of the present invention. All simple and equivalent changes and modifications made according to the claims and the content of the specification of the present application fall within the scope of the claims of the present patent application. The invention has not been described in detail in order to avoid obscuring the invention.
Claims (8)
1. An attribute-based signature method of multiple authorization centers is characterized by comprising the following steps:
S1: the central authorization center establishes the public parameters of the system and completes the registration of all users and of the n attribute authorization centers; each attribute authorization center generates a public/private key pair, of which the public key is securely shared with any entity in the system, and the central authorization center generates the system public key from the public keys of the attribute authorization centers;
s2: the user applies for attribute key components associated with the owned attribute set from k of the n attribute authorization centers respectively, and reconstructs the k attribute key components to obtain a complete key;
s3: a user sends a signature message of a specified predicate strategy according to the complete key;
S4: any other entity judges, according to the predicate policy, whether the signature message is legal; if so, 1 is output, otherwise 0 is output.
2. The attribute-based signature method of multiple authorization centers of claim 1, wherein step S1 further comprises:
S11: the central authorization center takes a security parameter λ as input. It first selects a collision-resistant hash function, where n_M denotes the upper bound on the bit length of the signature message; it then selects two multiplicative cyclic groups G and G_T of prime order p and defines a bilinear map e: G × G → G_T on them; it selects a generator g of G and randomly selects a set of mapping parameters, from which it defines the function F that maps the signature message onto the cyclic group G; it selects d distinct elements to create the set Φ = {φ_1, φ_2, …, φ_d} as the default attribute set of the system; it then sets the parameter l = 2d+1, selects a set of vector parameters, each drawn from the group, and computes a vector parameter from them. The central authorization center is additionally provided with a digital signature algorithm Ω_Sign and a corresponding public/private key pair (pk_CA, sk_CA); the public key pk_CA is published in the system, the private key sk_CA is held only by the central authorization center, and the registration of users and of each attribute authorization center is carried out with sk_CA;
The registration process of a user is as follows: when any user joins the system, the central authorization center first verifies the user's validity; once the user is verified as legitimate, the central authorization center randomly selects an element and issues it to the user as the user's global identity uid, and constructs the corresponding digital certificate Cert_uid with the signature algorithm and the signing private key;
3. The attribute-based signature method of multiple authorization centers of claim 2, wherein step S1 further comprises:
S12: each attribute authority AA_i (i = 1, 2, …, n) selects a random number α_i ∈ Z_p as its sub-key, so that the system master key is now implicitly determined by these sub-keys; then each AA_i (i = 1, 2, …, n) forms a polynomial f_i(x) of degree k-1 satisfying α_i = f_i(0). According to its chosen polynomial, each AA_i (i = 1, 2, …, n) computes for every other AA_j (j = 1, 2, …, i-1, i+1, …, n) the corresponding sub-share s_ij = f_i(aid_j) and passes it secretly to AA_j; at the same time AA_i computes s_ii = f_i(aid_i) for itself. After receiving the sub-shares s_ji (j = 1, 2, …, i-1, i+1, …, n) from the other n-1 centers AA_j, AA_i computes its private key sk_i and, from sk_i, the corresponding public key. Finally, after all attribute authorization centers have completed initialization, each AA_i holds its own public/private key pair (pk_i, sk_i), where pk_i is securely shared with any entity, including the central authorization center.
4. The attribute-based signature method of multiple authorization centers of claim 3, wherein step S1 further comprises:
S13: the central authorization center selects k of the n public keys of the AA_i and performs a reconstruction calculation to obtain the system public key:
where e is the defined bilinear map, g is the generator of the multiplicative cyclic group G, sk_i is the private key of the i-th attribute authorization center AA_i, pk_i is the public key of the i-th attribute authorization center AA_i, and k is the threshold parameter of the (k, n) threshold secret sharing mechanism.
5. The attribute-based signature method of multiple authorization centers of claim 4, wherein the public parameters of the system are:
where g is the generator of the multiplicative cyclic group G, n is the number of attribute authorization centers, e(g, g)^α is the computed system public key, λ is the security parameter, G_T is the target multiplicative cyclic group, Φ is the default attribute set of the system, F(M) is the mapping function defined during initialization, the vector parameter is that defined during initialization, and H_0 is a hash function.
6. The attribute-based signature method of multiple authorization centers of claim 5, wherein step S2 further comprises:
the i-th attribute authorization center AA_i defines an implicit polynomial from its private key sk_i and a set of random parameters: for each attribute ω ∈ Ω, where Ω is the set of role attributes, AA_i selects a random number, and the i-th attribute key component is constructed as follows:
for each attribute φ ∈ Φ, where Φ is the default attribute set, AA_i selects a random number, and the attribute key component is constructed as follows:
after collecting key components from k attribute authorization centers, the set of k key components is labelled I_k = (i_1, i_2, …, i_k), and the user reconstructs the attribute key SK_ω = (D_ω,0, D_ω,1, K_ω,i) as follows:
likewise, for each element φ in the default attribute set Φ, the attribute key SK_φ = (D_φ,0, D_φ,1, K_φ,i) is calculated as follows:
the complete key set of the end user is then: ( SK_ω = (D_ω,0, D_ω,1, K_ω,i | i = 1, 2, …, l-1) for each ω ∈ Ω; SK_φ = (D_φ,0, D_φ,1, K_φ,i | i = 1, 2, …, l-1) for each φ ∈ Φ ).
7. The attribute-based signature method of multiple authorization centers of claim 6, wherein step S3 further comprises:
when a predicate policy Γ = (m, S) is selected for a message, where S is an attribute set of size |S| = s ≤ d and m ∈ {1, …, s}, the user first carries out the initial calculation and groups the complete key as ({SK_ω}_{ω∈Ω}, {SK_φ}_{φ∈Φ}); in dictionary order, the first d-m elements of the set Φ are taken to form the subset Φ_{d-m}, and at the same time an arbitrary subset S_m satisfying |S_m| = m is selected, after which a vector parameter is defined according to the following polynomial:
since d-m+s+1 ≤ 2d+1 = l, the coefficients y_{d-m+s+2}, …, y_l are determined to be 0;
for each attribute ω ∈ S_m, the user computes the following parameter from the attribute key SK_ω = {D_ω,0, D_ω,1, K_ω,i | i = 1, 2, …, l-1}:
for each attribute φ ∈ Φ_{d-m}, the user computes the following parameter from the attribute key SK_φ = {D_φ,0, D_φ,1, K_φ,i | i = 1, 2, …, l-1}:
from these results, the parameters D_0 and D_1 determined by the two attribute sets S_m and Φ_{d-m} are computed:
D_1 = g^r
where the two marked coefficients are the Lagrange coefficients jointly determined by the sets S_m and Φ_{d-m}, one for each ω ∈ S_m and one for each φ ∈ Φ_{d-m};
the message is decomposed into its binary representation and mapped into the group G, where M_j ∈ {0, 1}, j = 1, …, n_M; a signer whose attribute key satisfies the predicate policy then randomly selects z, w ∈ Z_p, and the final complete signature Σ = (σ_0, σ_1, σ_2) is constructed as follows:
8. The attribute-based signature method of multiple authorization centers of claim 7, wherein step S4 further comprises:
any other entity first parses the predicate policy Γ into (m, S) and performs the corresponding calculation; then, according to the parameter m, it defines the subset Φ_{d-m} of Φ containing d-m elements and defines the vector using the polynomial P_S(Z) design rule; if the equation holds, the signature Σ = (σ_0, σ_1, σ_2) is accepted as legal and 1 is output, otherwise 0 is output, where h_0 and h_i are respectively the 1st and (i-1)-th elements of the vector parameter, and u_0 and u_j are randomly selected elements of the multiplicative cyclic group G.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210122279.5A CN114499884B (en) | 2022-02-09 | 2022-02-09 | Attribute-based signature method for multiple authorization centers |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114499884A true CN114499884A (en) | 2022-05-13 |
CN114499884B CN114499884B (en) | 2024-03-29 |
Family
ID=81479145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210122279.5A Active CN114499884B (en) | 2022-02-09 | 2022-02-09 | Attribute-based signature method for multiple authorization centers |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114499884B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN114499884B (en) | 2024-03-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |