CN114499884B - Attribute-based signature method for multiple authorization centers - Google Patents


Info

Publication number: CN114499884B
Application number: CN202210122279.5A
Authority: CN (China)
Other versions: CN114499884A
Other languages: Chinese (zh)
Prior art keywords: attribute, key, signature, user, public
Inventor: name withheld at the inventor's request
Current and original assignee: Zhongke Shuiyan Jiangxi Technology Co ltd
Legal status: Active (application filed, published as CN114499884A, granted as CN114499884B)

Classifications

    • H04L9/3247 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols with means for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04L9/3255 The same, using group based signatures, e.g. ring or threshold signatures
    • H04L9/085 Key distribution or management: secret sharing or secret splitting, e.g. threshold schemes
    • G06F21/6245 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity: protecting personal data, e.g. for financial or medical purposes
Abstract

The invention relates to an attribute-based signature method with multiple authorization centers, comprising the following steps: s1: the central authority establishes the public parameters of the system and completes the registration of all users and the n attribute authorities; each attribute authority generates a public-private key pair, the public key of which is securely shared with any entity in the system, and the central authority generates the public key of the system from the public keys of the attribute authorities; s2: the user applies to k of the attribute authorities for attribute key components associated with the attribute set it owns and reconstructs the k components into a complete key; s3: using the complete key, the user sends a signed message under a specified predicate policy; s4: any other user judges from the predicate policy whether the signed message is legal, outputting 1 if so and 0 otherwise. The invention achieves integrity verification of messages in transit, protects the identity privacy of the signer, fundamentally solves the single-point-of-failure problem and builds a distributed attribute signature system.

Description

Attribute-based signature method for multiple authorization centers
Technical Field
The invention relates to the field of digital signatures, in particular to an attribute-based signature method with multiple authorization centers.
Background
In conventional digital signature mechanisms the verification key is tightly bound to the user's identity, which exposes the user's identity to every signature verifier. An attribute-based signature (ABS) mechanism is a newer cryptographic primitive that protects the signer's identity privacy while still guaranteeing unforgeability, i.e. the integrity of the message. The user's identity information is described by a series of attributes, and the right to construct a signature is determined by the attribute set the user owns. By verifying the signature, a verifier can only establish that the signer holds an attribute set satisfying the predicate policy, but cannot determine the signer's specific identity.
Because it combines message integrity verification with identity privacy protection, attribute signature mechanisms satisfying various properties have been constructed. The many existing schemes, however, also reveal the biggest drawback of the attribute signature mechanism: the signature generation time grows with the complexity of the predicate. In order to obtain a signature of fixed size, i.e. one independent of the number of predicates involved, short signature schemes have become a focus of attention. In particular, the trapdoor-predicate attribute short signature proposed by Javier has the advantage that the signature size does not grow linearly with the predicate policy, which reduces bandwidth consumption.
However, this attribute short signature scheme uses a single authority to manage the attribute sets of all users and to issue keys, which inevitably makes that authority a single point of failure for both the security and the performance of the system. Because the authority manages the attribute set and the associated private keys of the entire system, the whole system is compromised if it is attacked. Worse, the authority can forge the signature of any entity by generating a private key for any attribute set, which poses a serious challenge to the security of the system as a whole.
The prior art addresses this problem with schemes using several attribute authorities. In the existing multi-authority attribute signature schemes, however, each attribute authority manages a disjoint subset of the system attributes and issues the related attribute private keys to legitimate users holding those attributes. An attribute authority may manage several system attributes, but each system attribute is managed by exactly one attribute authority, so all attribute authorities must be online when a user applies for an attribute private key in order for issuance to complete; this limits the scalability of the system and does not fundamentally solve the single point of failure created by the central authority. In addition, although the user's attribute private key is reconstructed from partial private keys obtained from several attribute authorities, the central authority still controls the system master key alone, so once the central authority is compromised the security of the whole system is threatened.
Disclosure of Invention
The invention aims to provide a multi-authority attribute-based signature method that solves the single-point-of-failure problem and improves the flexibility of the system.
The invention designs a new multi-authority attribute signature scheme based on Javier's threshold-policy short signature scheme and Li Wei's multi-authority attribute encryption scheme, meeting three requirements: first, the system attribute set is no longer split among the attribute authorities, and any one attribute authority can verify the authenticity of a user's attribute set and issue a partial private key for that specific attribute set; second, the user's attribute private key is no longer issued by a single authority: a threshold secret sharing technique is applied, the partial attribute key components of several attribute authorities are combined to reconstruct the complete key, and the key escrow problem caused by a single authority is solved; third, only a user whose attribute key satisfies the threshold policy can construct a signature, so the user's specific identity privacy is protected while message integrity verification is achieved.
The multi-authority attribute-based signature method provided by the invention comprises the following steps:
s1: the central authority establishes the public parameters of the system and completes the registration of all users and the n attribute authorities; each attribute authority generates a public-private key pair, the public key of which is securely shared with any entity in the system, and the central authority generates the public key of the system from the public keys of the attribute authorities;
s2: the user applies to k attribute authorities, each for an attribute key component associated with the attribute set it owns, and reconstructs the k attribute key components into a complete key;
s3: using the complete key, the user sends a signed message under a specified predicate policy;
s4: any other entity judges from the predicate policy whether the signed message is legal, outputting 1 if so and 0 otherwise.
Further, step S1 includes:
s11: the central authority takes the security parameter $\lambda$ as input and first selects a collision-resistant hash function $H_0$, where $n_M$ is the upper bound on the bit length of the signed message; it then selects two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$ and defines a bilinear map $e: G \times G \to G_T$ on them; it selects a generator $g$ of $G$ and randomly selects a group of mapping parameters, from which it defines a function $F(M)$ that maps the signed message onto the cyclic group $G$; it selects $d$ distinct elements of $\mathbb{Z}_p$ to create the set $\Phi=\{\phi_1,\phi_2,\dots,\phi_d\}$ as the default attribute set of the system; it then sets the parameter $l=2d+1$, selects a set of vector parameters and computes from them a vector parameter; the central authority is additionally provided with a digital signature algorithm $\Omega_{Sign}$ and a corresponding public-private key pair $(pk_{CA}, sk_{CA})$, where the public key $pk_{CA}$ is disclosed in the system and the private key $sk_{CA}$ is held only by the central authority, which uses $sk_{CA}$ to register the users and each attribute authority;
the registration process of a user comprises: when any user joins the system, the central authority first verifies the validity of the user; after the user is found to be legitimate, the central authority randomly selects one element and issues it to the user as the user's global identity uid, and constructs the corresponding digital certificate Cert.uid with the signature algorithm and the signing private key;
the registration of an attribute authority comprises: the central authority randomly selects one element as the global identity $aid_i$ of the attribute authority, issues it to the attribute authority, and constructs the corresponding digital certificate $Cert.aid_i$ with the signature algorithm and the signing private key.
Further, step S1 includes:
s12: each attribute authority $AA_i$ ($i=1,2,\dots,n$) selects a random number $\alpha_i \in \mathbb{Z}_p$ as its sub-key; the system master key is then written implicitly as $\alpha=\sum_{i=1}^{n}\alpha_i$. Each $AA_i$ then constructs a polynomial $f_i(x)$ of degree $k-1$ satisfying $\alpha_i=f_i(0)$; according to the selected polynomial, each $AA_i$ computes for every other $AA_j$ ($j=1,2,\dots,i-1,i+1,\dots,n$) the sub-share $s_{ij}=f_i(aid_j)$ and passes it secretly to $AA_j$ under $AA_j$'s certificate; at the same time $AA_i$ computes $s_{ii}=f_i(aid_i)$ for itself. After receiving the sub-shares $s_{ji}$ from the other $n-1$ authorities $AA_j$, $AA_i$ computes its private key $sk_i=\sum_{j=1}^{n}s_{ji}$ and, from $sk_i$, the corresponding public key $pk_i$. Finally, after all attribute authorities have initialised, each $AA_i$ holds its own public-private key pair $(pk_i, sk_i)$, where $pk_i$ is securely shared with any entity, including the central authority.
Further, step S1 includes:
s13: the central authority selects any $k$ of the $n$ public keys $pk_i$ and reconstructs from them the public key of the system, $e(g,g)^{\alpha}$, where $e$ is the defined bilinear map, $g$ is the public generator of the multiplicative cyclic group $G$, $sk_i$ is the private key and $pk_i$ the public key of the $i$-th attribute authority (referred to as the $i$-th edge server), and $k$ is the parameter of the $(k,n)$ threshold secret sharing mechanism.
Further, the public parameters of the system consist of the following, where $g$ is the generator of the multiplicative cyclic group $G$, $n$ is the number of attribute authorities, $e(g,g)^{\alpha}$ is the computed system public key, $\lambda$ is the security parameter, $G_T$ is the multiplicative cyclic group, $\Phi$ is the default attribute set of the system, $F(M)$ is the mapping function defined during initialisation, the vector parameter is the one defined during initialisation, and $H_0$ is the hash function.
Further, step S2 includes:
The $i$-th attribute authority $AA_i$, according to its private key $sk_i$ and a set of random parameters, defines a hidden polynomial; for each attribute $\omega\in\Omega$, where $\Omega$ is the role attribute set, $AA_i$ selects a random number, and the $i$-th attribute key component is constructed as follows:
For each attribute $\phi\in\Phi$, where $\Phi$ is the default attribute set, $AA_i$ selects a random number and constructs the attribute key component as follows:
After collecting key components from $k$ attribute authorities, the set of the $k$ key components is labelled $I_k=(i_1,i_2,\dots,i_k)$, and the user reconstructs the attribute key $SK_\omega=(D_{\omega,0},D_{\omega,1},K_{\omega,i})$ as follows:
where $i=1,2,\dots,l-1$;
Likewise, for each element $\phi$ in the default attribute set $\Phi$, the attribute key $SK_\phi=(D_{\phi,0},D_{\phi,1},K_{\phi,i})$ is computed as follows:
The end user's complete key is the combination $\{SK_\omega=(D_{\omega,0},D_{\omega,1},K_{\omega,i})$ for each $\omega\in\Omega$, $i=1,2,\dots,l-1\}$ and $\{SK_\phi=(D_{\phi,0},D_{\phi,1},K_{\phi,i})$ for each $\phi\in\Phi$, $i=1,2,\dots,l-1\}$.
Further, step S3 includes:
When a message is to be signed under the selected predicate policy, where $S$ is an attribute set of size $s=|S|\le d$ and $m\in\{1,\dots,s\}$, the user first performs the preliminary computation and groups the complete key as $(\{SK_\omega\}_{\omega\in\Omega},\{SK_\phi\}_{\phi\in\Phi})$; in dictionary order it selects the subset $\Phi_{d-m}$ consisting of the first $d-m$ elements of the set $\Phi$, and at the same time an arbitrary subset $S_m$ of $S$ among the attributes the user holds, satisfying $|S_m|=m$; it then defines a vector parameter according to the following polynomial:
Since $d-m+s+1\le 2d+1=l$, the coefficients $y_{d-m+s+2},\dots,y_l$ are set to 0;
For each attribute $\omega\in S_m$, the user computes the corresponding parameters from the attribute key $SK_\omega=\{D_{\omega,0},D_{\omega,1},K_{\omega,i}\mid i=1,2,\dots,l-1\}$;
For each attribute $\phi\in\Phi_{d-m}$, the user computes the corresponding parameters from the attribute key $SK_\phi=\{D_{\phi,0},D_{\phi,1},K_{\phi,i}\mid i=1,2,\dots,l-1\}$;
From these results the user computes the parameters $D_0$ and $D_1$ jointly determined by the two attribute sets $S_m$ and $\Phi_{d-m}$:
$D_1=g^{r}$
where the exponents are the Lagrange coefficients jointly determined by the sets $S_m$ and $\Phi_{d-m}$, one for each $\omega\in S_m$ and one for each $\phi\in\Phi_{d-m}$;
The message is resolved into its binary representation and mapped into the group $G$ by the mapping function, where $M_j\in\{0,1\}$, $j=1,\dots,n_M$; then the signer whose attribute key satisfies the predicate policy randomly selects $z,w\in\mathbb{Z}_p$, and the final complete signature $\Sigma=(\sigma_0,\sigma_1,\sigma_2)$ is constructed as follows:
$\sigma_1=D_1\,g^{w}$, $\sigma_2=g^{z}$
Further, step S4 includes:
Any other entity first resolves the predicate policy $\Gamma$ into $(m,S)$ and performs the corresponding computation; then, according to the parameter $m$, it defines the subset $\Phi_{d-m}$ of $\Phi$ containing $d-m$ elements and, using the polynomial $P_S(Z)$ design rule, defines the vector parameter; if the verification equation holds, the signature $\Sigma=(\sigma_0,\sigma_1,\sigma_2)$ is accepted as legal and 1 is output, otherwise 0 is output; here $h_0$ and $h_i$ are the 1st and $(i-1)$-th elements of the vector parameter, and $u_0$ and $u_j$ are the randomly selected elements of the multiplicative cyclic group $G$.
In the multi-authority attribute-based signature method of the invention, the existing trapdoor-predicate short attribute signature is extended so that the same system attribute set is managed by several authorities, instead of each authority managing a disjoint subset of the attribute set. At the same time, by combining a threshold secret sharing technique, the system master key is jointly constructed by several attribute authorities and no longer belongs to any single authority; no individual attribute authority can obtain the system master key, so it cannot forge a signature by arbitrarily generating a private key. The user reconstructs the complete signing private key by combining more than the threshold number of attribute key components, and can construct an attribute signature only if it actually holds a private key satisfying the trapdoor predicate. The invention thus not only achieves integrity verification of messages in transit and protects the signer's identity privacy, but also fundamentally solves the single-point-of-failure problem, truly building a distributed attribute signature system.
Drawings
Fig. 1 is a flowchart of the multi-authority attribute-based signature method according to an embodiment of the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The entities involved in the embodiment of the invention are as follows:
Central Authority (CA): the globally trusted certificate center of the system; it initialises the system and accepts the registration of legitimate users and attribute authorities;
Attribute Authority (AA): several attribute authorities manage the same system attribute set, and each issues a partial attribute key component to every user applying for a private key;
Signer: a user holding a private key; only a legitimate signer can construct a signature satisfying the corresponding predicate policy;
Verifier: the entity that performs signature verification; any entity can verify a signature without any additional secret information.
As shown in Fig. 1, an embodiment of the invention provides a multi-authority attribute-based signature method comprising the following steps:
s1: the central authority establishes the public parameters of the system and completes the registration of all users and the n attribute authorities; each attribute authority generates a public-private key pair, the public key of which is securely shared with any entity in the system, and the central authority generates the public key of the system from the public keys of the attribute authorities;
s2: the user applies to k attribute authorities, each for an attribute key component associated with the attribute set it owns, and reconstructs the k attribute key components into a complete key;
s3: using the complete key, the user sends a signed message under a specified predicate policy;
s4: any other entity judges from the predicate policy whether the signed message is legal, outputting 1 if so and 0 otherwise.
Step S1 is system initialisation and consists of three sub-steps: CASetup1, AASetup and CASetup2. In CASetup1 the Central Authority (CA) establishes the system parameters and registers all users and the attribute authorities (AA); in AASetup all attribute authorities interact and share sub-keys; finally, in CASetup2 the CA reconstructs the complete public parameters of the system. Specifically:
S11:CASetup1
The CA takes the security parameter $\lambda$ as input and runs the initialisation. First, it selects a collision-resistant hash function $H_0$, where $n_M$ is the upper bound on the bit length of the signed message $M$, i.e. the maximum length of the binary description of the message. The CA then randomly selects two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$ and defines a bilinear map $e: G\times G\to G_T$ on them; it selects a generator $g$ of $G$ and randomly selects a group of mapping parameters, thereby defining a mapping function $F(M)$, where $M_j\in\{0,1\}$ for any $j\in\{1,2,\dots,n_M\}$ is the $j$-th bit of the binary representation of $M$; the mapping function maps the signed message onto the cyclic group $G$. At the same time, to simplify the description of the trapdoor predicate policy, the CA selects $d$ distinct elements of the prime-order integer group $\mathbb{Z}_p$ to create the set $\Phi=\{\phi_1,\phi_2,\dots,\phi_d\}$ as the default attribute set of the system; it is used in the concrete construction of the attribute signature below, and the way it is chosen has no effect on the actual result of the attribute signature. The CA then sets the parameter $l=2d+1$, selects a set of vector parameters, assigns each of them, and computes a vector parameter from them. In addition, the CA is provided with a conventional digital signature algorithm $\Omega_{Sign}$ and a corresponding public-private key pair $(pk_{CA}, sk_{CA})$ for signing and verifying digital certificates, where the public key $pk_{CA}$ is public to every entity in the system while the private key $sk_{CA}$ is held only by the CA and used for the registration of users and attribute authorities described below. To avoid confusion, the two registration processes are described separately.
When any user joins the system, the CA first verifies the validity of the user, mainly checking whether the user has previously submitted a registration application, in order to resist replay attacks and denial-of-service attacks. After the user is authenticated, the CA randomly selects one element and issues it to the user as the user's global identity uid, together with the digital certificate Cert.uid constructed with the signature algorithm $\Omega_{Sign}$.
Each attribute authority must likewise register with the CA during system initialisation. In the same way, the CA randomly selects one element as the global identity $aid_i$ of the attribute authority $AA_i$, issues it to the authority, and constructs the corresponding digital certificate $Cert.aid_i$ with the signature algorithm $\Omega_{Sign}$; the certificate is used to secure the interactive communication among the authorities described below.
S12:AASetup
This step is performed cooperatively by all attribute authorities. All $n$ AAs interactively run the $(k,n)$ threshold secret sharing mechanism as follows:
Let $AA_i$ denote the $i$-th attribute authority. Each $AA_i$ ($i=1,2,\dots,n$) selects a random number $\alpha_i\in\mathbb{Z}_p$ as its sub-key; the system master key can then be written implicitly as $\alpha=\sum_{i=1}^{n}\alpha_i$. Each $AA_i$ then constructs a polynomial $f_i(x)$ of degree $k-1$ satisfying $\alpha_i=f_i(0)$. According to the selected polynomial, each $AA_i$ computes for every other $AA_j$ ($j=1,2,\dots,i-1,i+1,\dots,n$) the sub-share $s_{ij}=f_i(aid_j)$ and passes it secretly to $AA_j$ under $AA_j$'s certificate. At the same time $AA_i$ computes $s_{ii}=f_i(aid_i)$ for itself. Once it has received the sub-shares $s_{ji}$ from the other $n-1$ authorities $AA_j$, $AA_i$ easily computes its private key (the private key of the $i$-th attribute authority) $sk_i=\sum_{j=1}^{n}s_{ji}$ and, from it, the corresponding public key $pk_i$. After all attribute authorities have initialised, each $AA_i$ holds a public-private key pair $(pk_i, sk_i)$, where $pk_i$ is securely shared with any entity, including the CA.
S13:CASetup2
To obtain the public key of the system, the CA arbitrarily selects $k$ of the $n$ public keys $pk_i$ and obtains it by reconstruction; since this important parameter for signature verification is no longer determined by a single entity, it can be written implicitly as $e(g,g)^{\alpha}$,
where $e$ is the defined bilinear map, $g$ is the public generator of the multiplicative cyclic group $G$, $sk_i$ is the private key and $pk_i$ the public key of the $i$-th attribute authority (referred to as the $i$-th edge server), $k$ is the parameter of the $(k,n)$ threshold secret sharing mechanism, and $P(i)$ denotes the Lagrange coefficient determined by the identity set $(aid_1,aid_2,\dots,aid_k)$; here the $k$ identities are chosen in dictionary order for simplicity of description, but in practice the identity set of any $k$ of the $n$ authorities can be used. It is particularly emphasised that $\alpha$ is only a notational convenience and never actually exists; what is obtained in practice is the public parameter $e(g,g)^{\alpha}$ reconstructed by the central authority, which is why $\alpha$ no longer belongs to any single authority.
After initialisation is complete, the public parameters of the whole system are as follows:
where $g$ is the generator of the multiplicative cyclic group $G$, $n$ is the number of attribute authorities, $e(g,g)^{\alpha}$ is the computed system public key, $\lambda$ is the security parameter, $G_T$ is the multiplicative cyclic group, $\Phi$ is the default attribute set of the system, $F(M)$ is the mapping function defined during initialisation, the vector parameter is the one defined during initialisation, and $H_0$ is the hash function.
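The threshold setup of AASetup (S12) and CASetup2 (S13) can be exercised end to end with a small model. The following Python is an added example, not code from the patent or its applicant: it replaces the pairing groups with the order-p subgroup of Z_q^* (toy primes p = 101, q = 607), assumes pk_i = g^{sk_i} (the patent does not spell out the form of pk_i), and uses constructed identities aid_i; the attribute-key components and the signature itself are not modelled.

```python
"""
Toy (k, n) threshold setup mirroring AASetup (S12) and CASetup2 (S13).
Assumptions not taken from the patent text: the pairing group is replaced by the
order-P subgroup of Z_Q^*, each attribute authority publishes pk_i = g^{sk_i}, and
the identities aid_i are small constructed integers.
"""
import random
from itertools import combinations

P = 101                      # prime order p of Z_p for keys and shares (toy value)
Q = 607                      # prime with P | Q-1, so Z_Q^* has a subgroup of order P
G = pow(2, (Q - 1) // P, Q)  # generator g of that subgroup (2^6 mod 607 = 64)


def make_polynomial(secret, k, rng):
    """Degree k-1 polynomial f_i with f_i(0) = secret; coefficients in Z_p."""
    return [secret] + [rng.randrange(P) for _ in range(k - 1)]


def evaluate(poly, x):
    """Horner evaluation of poly (ascending coefficients) at x modulo P."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % P
    return acc


def aa_setup(aids, k, rng):
    """
    S12: each AA_i picks a sub-key alpha_i, sends s_ij = f_i(aid_j) to every AA_j
    (over the certificate-protected channel) and sets sk_i = sum_j s_ji.
    Returns (alphas, sks); alphas are returned only so a caller can check the
    result and would never leave their owners in a real deployment.
    """
    n = len(aids)
    alphas = [rng.randrange(1, P) for _ in range(n)]
    polys = [make_polynomial(a, k, rng) for a in alphas]
    s = [[evaluate(polys[i], aids[j]) for j in range(n)] for i in range(n)]
    sks = [sum(s[j][i] for j in range(n)) % P for i in range(n)]
    return alphas, sks


def lagrange_at_zero(xs):
    """Lagrange coefficients P(i) for interpolating at x = 0 from points xs (mod P)."""
    coeffs = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        coeffs.append(num * pow(den, -1, P) % P)
    return coeffs


def ca_setup2(aids_k, pks_k):
    """
    S13: the CA combines any k public keys with Lagrange exponents P(i) to obtain
    the system public key g^alpha without ever seeing alpha or any sk_i.
    """
    pk_sys = 1
    for pk, coeff in zip(pks_k, lagrange_at_zero(aids_k)):
        pk_sys = (pk_sys * pow(pk, coeff, Q)) % Q
    return pk_sys


def reconstruct_master_key(aids_k, sks_k):
    """What k colluding authorities (and no fewer) could compute: alpha itself."""
    return sum(c * s for c, s in zip(lagrange_at_zero(aids_k), sks_k)) % P


def demo(n=5, k=3, seed=1):
    """Run the whole setup and report the values a reviewer would want to compare."""
    rng = random.Random(seed)
    aids = rng.sample(range(1, P), n)          # constructed global identities aid_i
    alphas, sks = aa_setup(aids, k, rng)
    pks = [pow(G, sk, Q) for sk in sks]        # assumed pk_i = g^{sk_i}
    alpha = sum(alphas) % P                    # never materialised by any party
    # every k-subset of authorities must yield the same system public key
    keys = {ca_setup2([aids[i] for i in idx], [pks[i] for i in idx])
            for idx in combinations(range(n), k)}
    return {"alpha": alpha, "public_keys": keys, "expected": pow(G, alpha, Q),
            "from_k_shares": reconstruct_master_key(aids[:k], sks[:k])}


if __name__ == "__main__":
    print(demo())
```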
Step S2 is attribute key issuing, and specifically comprises the following steps:
Attribute key generation is carried out by at least a threshold number of attribute authorities; with fewer than k of them the user cannot construct a complete attribute key. In this process the attribute authorities no longer need to interact with one another at all, and each user may choose k attribute authorities according to their own considerations and obtain the corresponding attribute key component from each. Specifically, taking the global identity and certificate as input, the user submits a key application to some attribute authority; after the attribute authority has verified the user's authenticity, it issues the corresponding attribute set Ω according to the user's specific identity role and generates the attribute key components associated with Ω. First, attribute authority AA_i defines a hidden polynomial from its sub-key sk_i and a set of random parameters:
For each attribute ω ∈ Ω in the role attribute set Ω, AA_i selects a random number; the attribute key component for ω then consists of three elements and is constructed as follows:
where j = 1, 2, …, l−1, and h_1 and h_{j+1} are the first and (j+1)-th elements of the vector parameter.
Likewise, for each attribute φ ∈ Φ in the default attribute set Φ, AA_i selects a random number; the key component for φ also consists of three elements and is constructed as follows:
for j = 1, 2, …, l−1.
After collecting attribute key components from k attribute authorities, label this set without loss of generality I_k = (i_1, i_2, …, i_k), where i_k denotes the k-th of the k attribute authorities from which components were collected. The user can then reconstruct its specific attribute key SK_ω. It likewise consists of three elements D_{ω,0}, D_{ω,1} and K_{ω,i}, computed from the three corresponding parts of the attribute key components:
where P(j) is the Lagrange coefficient determined by the set I_k; for any particular attribute ω, it can be regarded as a random number associated with that attribute;
where i = 1, 2, …, l−1.
Applying the same principle, the attribute key SK_φ = (D_{φ,0}, D_{φ,1}, K_{φ,i}) can be computed for each element φ of the default attribute set Φ:
The end user's complete key is: {SK_ω = (D_{ω,0}, D_{ω,1}, K_{ω,i}) for each ω ∈ Ω, i = 1, 2, …, l−1; SK_φ = (D_{φ,0}, D_{φ,1}, K_{φ,i}) for each φ ∈ Φ, i = 1, 2, …, l−1}.
By applying threshold-based secret sharing, each attribute authority manages one sub-key and the central authority reconstructs the complete system parameters from the shared public keys, yet neither the central authority nor any attribute authority can obtain the complete system key, which removes the single point of failure at its root. At the same time, a user's attribute key is obtained by combining the components obtained from several attribute authorities, so it can be reconstructed as soon as the threshold number of components is exceeded; not all attribute authorities need to remain online to issue keys for a specific attribute, which greatly improves the flexibility of the system.
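The threshold mechanism of steps S12 and S13 (each AA_i shares f_i(aid_j) with the others, sums the shares it receives into sk_i, and the central authority combines any k public keys with the Lagrange coefficients P(i)) as an added Python example that is not the patent's own code. It assumes modular exponentiation g^α mod p in a prime-order subgroup in place of the pairing value e(g, g)^α, constructed toy parameters, and identities aid_i that are small distinct integers; all class and function names are my own.

```python
"""Added example (not the patent's own code): (k, n) threshold construction of
the system public key by n attribute authorities, as in steps S12 and S13.
Assumption: the pairing value e(g, g)^alpha is replaced by g^alpha mod p in a
prime-order subgroup of Z_p^*, and identities aid_i are distinct integers in Z_q."""
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are both prime, so
# g = 4 (a square mod p) generates the subgroup of order q. Far too small for real use.
Q = 1019
P = 2 * Q + 1
G = 4


def lagrange_at_zero(ids, j):
    """Lagrange coefficient P(j) for interpolating at x = 0 over the identity set ids."""
    num, den = 1, 1
    for i in ids:
        if i != j:
            num = num * (-i) % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


class AttributeAuthority:
    """AA_i: holds sub-key alpha_i and a degree k-1 polynomial f_i with f_i(0) = alpha_i."""

    def __init__(self, aid, k):
        self.aid = aid
        self.alpha = secrets.randbelow(Q - 1) + 1   # alpha_i never leaves this object
        self.coeffs = [self.alpha] + [secrets.randbelow(Q) for _ in range(k - 1)]
        self.received = {}                          # s_ji received from the other AAs
        self.sk = self.pk = None

    def share_for(self, aid_j):
        """s_ij = f_i(aid_j): the sub-share sent secretly to AA_j (under its certificate)."""
        return sum(c * pow(aid_j, e, Q) for e, c in enumerate(self.coeffs)) % Q

    def receive_share(self, aid_j, s_ji):
        self.received[aid_j] = s_ji

    def finalize(self):
        """sk_i = s_ii + sum_j s_ji = F(aid_i) with F = sum_j f_j; pk_i = g^{sk_i}."""
        self.sk = (self.share_for(self.aid) + sum(self.received.values())) % Q
        self.pk = pow(G, self.sk, P)
        return self.pk


def run_dkg(aids, k):
    """Step S12: every AA_i sends f_i(aid_j) to every other AA_j; each derives (pk_i, sk_i)."""
    aas = {aid: AttributeAuthority(aid, k) for aid in aids}
    for sender in aas.values():
        for receiver in aas.values():
            if receiver is not sender:
                receiver.receive_share(sender.aid, sender.share_for(receiver.aid))
    for aa in aas.values():
        aa.finalize()
    return aas


def reconstruct_system_pk(pubkeys):
    """Step S13: the CA combines any k public keys as prod_i pk_i^{P(i)} = g^{F(0)} = g^{alpha}
    (standing in for e(g, g)^alpha). Only public keys are used; alpha is never formed."""
    ids = list(pubkeys)
    result = 1
    for i, pk_i in pubkeys.items():
        result = result * pow(pk_i, lagrange_at_zero(ids, i), P) % P
    return result


if __name__ == "__main__":
    authorities = run_dkg([11, 22, 33, 44, 55], k=3)
    pks = {aid: aa.pk for aid, aa in authorities.items()}
    first = reconstruct_system_pk({i: pks[i] for i in (11, 22, 33)})
    second = reconstruct_system_pk({i: pks[i] for i in (22, 44, 55)})
    print("same system public key from two different k-subsets:", first == second)
```

Any k (or more) of the n public keys yield the same value g^{Σα_i}, while no participant ever holds Σα_i; the same Lagrange combination over I_k is what the user applies to its k attribute key components in step S2.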
Step S3 is message signature generation, and specifically comprises the following steps:
When the predicate policy Γ = (m, S) is selected for the message M, where S is a randomly selected attribute set of size s = |S| ≤ d that must contain at least m of the user's own attributes, the remaining ones being randomly selected as decoys, i.e. m ∈ {1, …, s}, with m chosen dynamically by the signer as the number of attribute keys used to construct the signature: the signer first computes the required value and groups the complete key as ({SK_ω}_{ω∈Ω}, {SK_φ}_{φ∈Φ}). In dictionary order, the subset Φ_{d−m} consisting of the first d−m elements of Φ is selected first, and at the same time an arbitrary subset S_m satisfying |S_m| = m is selected. A vector parameter is then defined according to the following polynomial P_S(Z):
Since d−m+s+1 ≤ 2d+1 = l, the coefficients y_{d−m+s+2}, …, y_l are necessarily 0.
For each attribute ω ∈ S_m, the signer computes the following parameters from the attribute key SK_ω = {D_{ω,0}, D_{ω,1}, K_{ω,i} | i = 1, 2, …, l−1}:
For each attribute φ ∈ Φ_{d−m}, the signer similarly computes the following parameters from the attribute key SK_φ = {D_{φ,0}, D_{φ,1}, K_{φ,i} | i = 1, 2, …, l−1}:
From these results, the signer then computes the parameters D_0 and D_1 determined by the two attribute sets S_m and Φ_{d−m}:
Here the two coefficients used above are the Lagrange coefficients jointly determined by the sets S_m and Φ_{d−m}, one for each given ω ∈ S_m and one for each given φ ∈ Φ_{d−m}.
Finally, M is parsed into its binary representation and mapped according to the function F(M) defined at initialization; then the signer whose attribute key satisfies the predicate policy randomly selects z, w ∈ Z_p, and the final complete signature Σ = (σ_0, σ_1, σ_2) consists of three components, each constructed as follows:
σ_1 = D_1 · g^w, σ_2 = g^z
Step S4 is signature verification, and specifically comprises the following steps:
The verifier first parses the predicate policy Γ into (m, S) and computes the corresponding value; then, according to the parameter m, it defines the subset Φ_{d−m} of Φ containing d−m elements, and defines the vector using the same design rule as the polynomial P_S(Z). If the following equation holds, the signature Σ = (σ_0, σ_1, σ_2) is accepted as legal and 1 is output; otherwise 0 is output:
where h_0 and h_i are the 1st and (i−1)-th elements of the vector parameter, and u_0 and u_j are randomly selected elements of the multiplicative cyclic group G.
In the multi-authority attribute-based signature method described above, building on the existing trapdoor-predicate short attribute signature, several authorities jointly manage the same system attribute set, instead of each authority managing a disjoint subset of it. By combining threshold secret sharing, the system master key is jointly constructed by several attribute authorities and no longer belongs to any single one of them; no individual attribute authority can obtain the system master key, so a signature cannot be forged by arbitrarily generating a private key. A user reconstructs the complete signing key by combining more than the threshold number of attribute private key components, and can construct an attribute signature only if the user really holds attribute private keys satisfying the trapdoor predicate. The invention thus verifies message integrity in transit, protects the signer's identity privacy, and removes the single point of failure at its root, so that a truly distributed attribute signature system is built.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit its scope; various modifications may be made to the embodiment described above. All simple, equivalent changes and modifications made in accordance with the claims and the specification of this application fall within the scope of the patent claims. Matters belonging to the conventional art are not described in detail in the present invention.

Claims (3)

1. A method for attribute-based signing with multiple authorities, comprising the steps of:
S1: the central authority establishes the public parameters of the system and completes the registration of all users and of the n attribute authorities; each attribute authority generates a public-private key pair, the public keys being securely shared with any entity in the system, and the central authority generates the system public key from the public keys of the attribute authorities;
S2: the user applies to k attribute authorities respectively for the attribute key components associated with the attribute set the user owns, and reconstructs the k attribute key components into a complete key;
S3: the user signs a message under a specified predicate policy using the complete key;
S4: any other entity judges, according to the predicate policy, whether the signed message is legal, outputting 1 if so and 0 otherwise;
step S1 further comprises:
S11: the central authority takes the security parameter λ as input. It first selects a collision-resistant hash function H_0, where n_M is the binary upper bound on the size of the signed message; it then selects two multiplicative cyclic groups G and G_T of prime order p and defines a bilinear map e: G × G → G_T on them; selects g as a generator of G and randomly selects a set of mapping parameters, from which the function mapping the signed message onto the cyclic group G is defined, where M_j ∈ (0,1), j = 1, …, n_M; selects the integer group of prime order and creates within it a set Φ = {φ_1, φ_2, …, φ_d} of d distinct elements as the system's default attribute set; then sets the parameter l = 2d+1, selects a set of vector parameters, and computes a further vector parameter from them. The central authority additionally provides a digital signature algorithm Ω_Sign and a corresponding public-private key pair (pk_CA, sk_CA); the public key pk_CA is published in the system, the private key sk_CA is held only by the central authority, and sk_CA is used to register the users and each attribute authority;
the user registration process comprises: when any user joins the system, the central authority first verifies the user's legality; after the user is verified as legal, the central authority randomly selects one element and issues it to the user as the user's global identity uid, and constructs the corresponding digital certificate Cert.uid according to the signature algorithm and the signing private key;
the registration of an attribute authority comprises: the central authority randomly selects one element as the global identity aid_i of the attribute authority and issues it to the attribute authority, and constructs the corresponding digital certificate Cert.aid_i according to the signature algorithm and the signing private key;
S12: each attribute authority AA_i (i = 1, 2, …, n) selects a random number α_i ∈ Z_p as its sub-key; the system master key is now represented implicitly. Each AA_i (i = 1, 2, …, n) then constructs a polynomial f_i(x) of degree k−1 satisfying α_i = f_i(0). According to the selected polynomial, each AA_i (i = 1, 2, …, n) computes for every other AA_j (j = 1, 2, …, i−1, i+1, …, n) the corresponding sub-share s_ij = f_i(aid_j) and passes it secretly to AA_j under AA_j's certificate; at the same time AA_i computes s_ii = f_i(aid_i) for itself. Upon receiving the sub-shares s_ji (j = 1, 2, …, i−1, i+1, …, n) from the other n−1 AA_j, AA_i computes its private key, and from the private key sk_i computes the corresponding public key. Finally, after all attribute authorities are initialized, each AA_i holds its own public-private key pair (pk_i, sk_i), where pk_i is securely shared with any entity, including the central authority;
S13: the central authority selects k public keys from the n AA_i and reconstructs the system public key by computing:
where e is the defined bilinear map, g is the generator of the multiplicative cyclic group G, sk_i is the private key of the i-th edge server, pk_i is its public key, k is the parameter of the (k, n) threshold secret sharing mechanism, and n is the number of attribute authorities;
the public parameters of the system are:
where g is the generator of the multiplicative cyclic group G, n is the number of attribute authorities, e(g, g)^α is the computed system public key, λ is the security parameter, G_T is the target multiplicative cyclic group, Φ is the default attribute set of the system, F(M) is the mapping function defined during initialization, the vector parameters are those defined during initialization, and H_0 is a hash function;
step S2 further comprises:
the i-th attribute authority AA_i defines a hidden polynomial from its private key sk_i and a set of random parameters:
for each attribute ω ∈ Ω, where Ω is the role attribute set, AA_i selects a random number, and the i-th attribute key component is then constructed as follows:
for each attribute φ ∈ Φ, where Φ is the default attribute set, AA_i selects a random number, and the attribute key component is constructed as follows:
after collecting key components from k attribute authorities, the set of k key components is labelled I_k = (i_1, i_2, …, i_k); the user then reconstructs the attribute key SK_ω = (D_{ω,0}, D_{ω,1}, K_{ω,i}) as follows:
where i = 1, 2, …, l−1;
likewise, for each element φ of the default attribute set Φ, the attribute key SK_φ = (D_{φ,0}, D_{φ,1}, K_{φ,i}) is computed as follows:
where
the end user's complete key is: {SK_ω = (D_{ω,0}, D_{ω,1}, K_{ω,i}) for each ω ∈ Ω, i = 1, 2, …, l−1; SK_φ = (D_{φ,0}, D_{φ,1}, K_{φ,i}) for each φ ∈ Φ, i = 1, 2, …, l−1}.
2. The multi-authority attribute-based signature method of claim 1, wherein step S3 further comprises:
when a predicate policy Γ = (m, S) is selected for the message M, where S is an attribute set of size s = |S| ≤ d and m ∈ {1, …, s}: the user first computes the required value and groups the complete key as ({SK_ω}_{ω∈Ω}, {SK_φ}_{φ∈Φ}); in dictionary order, the subset Φ_{d−m} formed by the first d−m elements of Φ is selected, and at the same time an arbitrary subset S_m satisfying |S_m| = m is selected; a vector parameter is then defined according to the following polynomial, as follows:
since d−m+s+1 ≤ 2d+1 = l, the coefficients y_{d−m+s+2}, …, y_l are determined to be 0;
for each attribute ω ∈ S_m, the user computes the following parameters from the attribute key SK_ω = {D_{ω,0}, D_{ω,1}, K_{ω,i} | i = 1, 2, …, l−1}:
for each attribute φ ∈ Φ_{d−m}, the user computes the following parameters from the attribute key SK_φ = {D_{φ,0}, D_{φ,1}, K_{φ,i} | i = 1, 2, …, l−1}:
from these results, the two parameters D_0 and D_1 determined by the attribute sets S_m and Φ_{d−m} are computed:
D_1 = g^r
where the two coefficients used above are the Lagrange coefficients jointly determined by the sets S_m and Φ_{d−m}, one for each given ω ∈ S_m and one for each given φ ∈ Φ_{d−m};
M is parsed into its binary representation and mapped into the group G, where M_j ∈ (0,1), j = 1, …, n_M; then the signer whose attribute key satisfies the predicate policy randomly selects z, w ∈ Z_p, and the final complete signature Σ = (σ_0, σ_1, σ_2) is constructed as follows:
σ_1 = D_1 · g^w, σ_2 = g^z
3. The multi-authority attribute-based signature method of claim 2, wherein step S4 further comprises:
any other entity first parses the predicate policy Γ into (m, S) and computes the corresponding value; then, according to the parameter m, defines the subset Φ_{d−m} of Φ containing d−m elements, and defines the vector using the design rule of the polynomial P_S(Z); if the equation holds, the signature Σ = (σ_0, σ_1, σ_2) is accepted as legal and 1 is output, otherwise 0 is output, where h_0 and h_i are the 1st and (i−1)-th elements of the vector parameter, and u_0 and u_j are randomly selected elements of the multiplicative cyclic group G.
CN202210122279.5A 2022-02-09 2022-02-09 Attribute-based signature method for multiple authorization centers Active CN114499884B (en)
Publications (2)

Publication Number Publication Date
CN114499884A CN114499884A (en) 2022-05-13
CN114499884B true CN114499884B (en) 2024-03-29
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant