CN115765983A - Group signature method and signature center group administrator node - Google Patents

Publication number
CN115765983A
Authority
CN
China
Legal status
Pending
Application number
CN202211279860.4A
Inventor
郭莉
康天宇
刘嘉夕
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Abstract

The application provides a group signature method and a signature center group administrator node. The method comprises the following steps: the signature center member node sends its unique identity identifier ID in the distributed system and the first identifier L to each group administrator node in the distributed group signature system, so that the group administrator nodes generate a second identifier h by applying an SM2 digital signature algorithm based on the ID and L, and each group administrator node generates a corresponding third sub-identifier d'_i; a third identifier d is generated based on the respective d'_i to obtain an identification private key isk containing L, h and d, and the target message is signed and verified based on the identification private key isk and the master public key mpk of the group signature system. The application simultaneously addresses the low signature verification efficiency caused by time-consuming operations such as bilinear pairings and the leakage of signer privacy caused by a single group administrator being easily attacked maliciously, and can improve the efficiency and privacy of the group digital signature scheme.

Description

Group signature method and signature center group administrator node
Technical Field
The present application relates to the field of data encryption technologies, and in particular, to a group signature method and a signature center group administrator node.
Background
In the current digital economy era, new-generation information technologies such as blockchain reduce cost and improve data security, but they also face low operating efficiency and serious privacy leakage, problems that have attracted wide attention from researchers. Digital signatures are one of the key technologies for solving these problems. Group signatures are better suited to scenarios that require supervision, so besides protecting user privacy in scenarios such as electronic voting and digital currency systems, they can be applied in many other fields such as electronic cash, trusted computing and vehicular ad hoc networks.
At present, existing group signature schemes can generally achieve certificateless signing, which avoids the large certificate management overhead of a PKI system, and they use group signatures to protect the privacy of the signer. However, the existing group signature schemes all use bilinear pairings, which carry high computational overhead. Moreover, most existing identity-based group signature schemes are designed around a single group administrator: the private key of a group user is generated by the group administrator, and the trust problem that arises because the group administrator is easily attacked maliciously in today's large-scale open network environment is not considered. Identity-based group signature schemes therefore still need further research in terms of efficiency and privacy security.
Disclosure of Invention
In view of the above, embodiments of the present application provide a group signature method and a signature center group administrator node to obviate or mitigate one or more deficiencies in the prior art.
A first aspect of the present application provides a group signature method, including:
sending a unique identity identifier ID of a user in a distributed system and a first identifier L determined based on a random private key factor l to each group administrator node in the distributed group signature system, so that all the group administrator nodes generate a second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and each group administrator node generates its own corresponding third sub-identifier d'_i;
generating a corresponding third identifier d based on each third sub-identifier d'_i, obtaining an identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signing and verifying the target message based on the identification private key isk and the master public key mpk of the group signature system.
In some embodiments of the present application, sending the unique identity identifier ID of the group administrator node in the distributed system and the first identifier L determined based on the random private key factor l to each group administrator node in the distributed group signature system, so that all the group administrator nodes generate the second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and each group administrator node generates its own corresponding third sub-identifier d'_i, comprises the following steps:
selecting a random private key factor l of the user, and generating a first identifier L based on the random private key factor l and preset system parameters of the group signature system;
sending the unique identity identifier ID in the distributed system and the first identifier L to each group administrator node in the distributed group signature system, so that all the group administrator nodes first determine a random number ts based on an SM2 digital signature algorithm and generate a corresponding second identifier h based on the random number ts, the first identifier L and the unique identity identifier ID, and each administrator node then generates its corresponding third sub-identifier d'_i according to its own master private key x_i and the second identifier h.
In some embodiments of the present application, generating a corresponding third identifier d based on each third sub-identifier d'_i, obtaining an identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signing and verifying the target message based on the identification private key isk and the master public key mpk of the group signature system, comprises the following steps:
receiving the second identifier h and the third sub-identifiers d'_i respectively corresponding to the group administrator nodes;
generating a corresponding third identifier d based on the random private key factor l and each of the third sub-identifiers d'_i;
generating an own identification private key isk according to the first identification L, the second identification h and the third identification d;
constructing a zero knowledge proof of the identification private key isk to enable each administrator node to generate a verification identification tH corresponding to the unique identity identifier ID according to the zero knowledge proof, a first identification L, a second identification h and a random number ts, and storing a corresponding relation between the unique identity identifier ID and the verification identification tH by each administrator node;
if a target message to be group signed is received currently, signing and signature checking are carried out on the target message based on the identification private key isk, the master public key mpk of the group signature system and preset system parameters of the group signature system, and a signature sigma of the target message is obtained.
In some embodiments of the present application, the group signature system is constructed in advance according to a security parameter λ, system parameters, and a plurality of hash functions, and the group signature system includes a plurality of group administrator nodes; each of the group administrator nodes selects its own master private key x_i and publishes a sub public key P_pub-i, and the master public key mpk of the group signature system is determined based on the sub public keys P_pub-i corresponding to the group administrator nodes.
In some embodiments of the present application, before sending the unique identity identifier ID of the node itself in the distributed system and the first identifier L determined based on the random private key factor l to each group administrator node in the distributed group signature system, the method further includes:
sending the unique identity identifier ID of the node in the distributed system and a verifiable claim IVC of the identity of the node to a group administrator node in the group signature system through a secure channel, so that the group administrator node verifies the unique identity identifier ID based on the verifiable claim IVC and, if the verification passes, sends a notification message agreeing to the node joining the group signature system;
receiving the notification message to complete registration of the member node in the group signature system.
In some embodiments of the present application, the group signature method provided in the first aspect further includes:
and sending the signature sigma of the target message and the target message to a verification node in the group signature system, so that the verification node verifies the validity of the signature sigma of the target message based on the target message, the system parameters of the group signature system and the master public key mpk, and outputs a corresponding verification result.
A second aspect of the present application provides a group signature method, including:
receiving a unique identity identifier ID of a registered signature center member node in a distributed system and a first identifier L determined by the signature center member node based on a random private key factor l;
generating a second identifier h together with the other group administrator nodes in the group signature system by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and independently generating its own corresponding third sub-identifier d'_i;
sending the second identifier h and the third sub-identifier d'_i to the signature center member node, so that the signature center member node generates a corresponding third identifier d based on the received third sub-identifiers d'_i, obtains its identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identification private key isk and the master public key mpk of the group signature system.
In some embodiments of the present application, generating the second identifier h together with the other group administrator nodes in the group signature system by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and independently generating its own corresponding third sub-identifier d'_i, comprises the following steps:
first determining a random number ts together with the other group administrator nodes in the group signature system based on an SM2 digital signature algorithm, and generating a corresponding second identifier h based on the random number ts, the first identifier L and the unique identity identifier ID;
generating its own corresponding third sub-identifier d'_i according to its own master private key x_i and the second identifier h.
Another aspect of the present application also provides a signature center member node, including:
an identification application module, configured to send a unique identity identifier ID of the group administrator node in the distributed system and a first identifier L determined based on a random private key factor l to each group administrator node in the distributed group signature system, so that all the group administrator nodes generate a second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and each group administrator node generates its own corresponding third sub-identifier d'_i;
a private key generating module, configured to generate a corresponding third identifier d based on each of the third sub-identifiers d'_i, obtain an identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and sign and verify the target message based on the identification private key isk and the master public key mpk of the group signature system.
Another aspect of the present application further provides a signature center group administrator node, including:
a data receiving module, configured to receive a unique identity identifier ID of a registered signature center member node in the distributed system and a first identifier L determined by the signature center member node based on a random private key factor l;
an identification generation module, configured to generate a second identifier h together with the other group administrator nodes in the group signature system by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and to independently generate its own corresponding third sub-identifier d'_i;
a data sending module, configured to send the second identifier h and the third sub-identifier d'_i to the signature center member node, so that the signature center member node generates a corresponding third identifier d based on the received third sub-identifiers d'_i, obtains its identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identification private key isk and the master public key mpk of the group signature system.
Another aspect of the present application further provides a group signature system, including:
a signature center member node, configured to implement the group signature method provided in the foregoing first aspect;
and the signature center group administrator node is used for realizing the group signature method provided by the second aspect.
Another aspect of the present application also provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement the group signature method provided in the foregoing first aspect, or to implement the group signature method provided in the foregoing second aspect.
Another aspect of the present application also provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the group signature method provided by the foregoing first aspect, or implements the group signature method provided by the foregoing second aspect.
The group signature method provided by the application uses identity-based signatures and generates the user's private key from the identity, thereby avoiding the large certificate management overhead of a PKI system. Compared with digital signature schemes that use bilinear pairings, the scheme is designed on the SM2 elliptic curve public key cryptographic algorithm, which avoids time-consuming bilinear pairing operations and greatly improves signature verification efficiency. The group signature scheme is designed on the SM2 identification digital signature algorithm to protect the privacy of signers, and, to address the trustworthiness of group administrators in a large-scale open environment, a distributed multi-administrator mode is adopted in which users generate their own signing private keys, which effectively solves the problem of a single group administrator revealing the identity of the signer after being attacked.
Additional advantages, objects, and features of the application will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present application are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present application will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, are incorporated in and constitute a part of this application, and are not intended to limit the application. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the application. For purposes of illustrating and describing certain portions of the present application, the drawings may have been enlarged, i.e., may be larger, relative to other features of the exemplary devices actually made in accordance with the present application. In the drawings:
Fig. 1 is a general flowchart of a first group signature method according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating a first group signature method according to an embodiment of the present application.
Fig. 3 is a general flowchart of a second group signature method according to an embodiment of the present application.
Fig. 4 is a schematic structural diagram of a signature center member node in another embodiment of the present application.
Fig. 5 is a schematic structural diagram of a signature center group administrator node in another embodiment of the present application.
Fig. 6 is a general flowchart of a group signature scheme provided in an application example of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present application are provided to explain the present application and not to limit the present application.
Here, it should be further noted that, in order to avoid obscuring the present application with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present application are shown in the drawings, and other details not so relevant to the present application are omitted.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled," if not specifically stated, may refer herein to not only a direct connection, but also an indirect connection in which an intermediate is present.
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. In the drawings, the same reference numerals denote the same or similar components, or the same or similar steps.
In the current era, data is the most important production factor, and the sharing and circulation of data resources is an important trend. How to protect user privacy as far as possible while ensuring that data is shared securely and its value is realized has become a key problem. Traditional digital signature algorithms do not treat privacy as a security goal: the identity of the signer is visible to the verifier, so the privacy protection requirements of certain scenarios cannot be met. For example, in an electronic voting system, a voter wants the vote to be verifiable as legitimate without revealing the voter's identity; in a digital currency system, a user wants the system to be able to verify that the currency being spent is legitimate without explicitly indicating the account address it is spent from. These scenarios require both authentication and privacy protection. Group signature and ring signature algorithms were proposed to address user privacy protection: the signers form a group, anyone in the group can generate a valid signature, and a verifier can only verify that the signature is valid but cannot determine which user in the group generated it. However, the group in a ring signature is formed entirely by self-organization with no third party, so the identity of the signer cannot be traced when disputes occur; although this provides a higher level of privacy protection, it is not suitable for scenarios that require supervision. For example, in 2016, Shen et al. proposed a blockchain secret transaction method based on ring signatures. The method randomly selects an unrelated address and performs a ring signature together with the transaction initiator, thereby obscuring the identity of the transacting user.
However, both this method and the zero-currency method suffer from poor traceability because they cut off the linkage between transactions, which makes them difficult to apply in practice. The amount of information per transaction is also too large, and anonymity depends on the number of addresses participating in the ring signature, so reducing the number of addresses to shrink the transaction size brings a risk of de-anonymization. A group signature system has a group administrator, and only the group administrator holding the secret key can open a signature to trace the identity of the signer. Because group signatures offer both privacy protection and traceability, they can be applied to electronic voting and digital currency systems to protect user privacy, and also in many other fields such as electronic cash, trusted computing and vehicular ad hoc networks.
Many identity-based group signature schemes have been proposed. In 2007, scholars proposed a fixed-size short group signature scheme based on bilinear groups in the standard model; in 2012, scholars proposed a practical identity-based group signature scheme; also in 2012, scholars introduced non-interactive zero-knowledge proof theory and constructed a group signature scheme based on the BMW model using composite-order bilinear groups; in 2019, scholars proposed a provably secure blockchain privacy protection scheme based on the SM9 algorithm, which hides and protects the identity of the transaction sender (the signing node) in the highly open environment of a blockchain. These schemes achieve certificateless signing, avoid the large certificate management overhead of a PKI system, and use group signatures to protect the privacy of signers.
However, the above group signature schemes all use bilinear pairing operations, which carry high computational overhead. Moreover, most existing identity-based group signature schemes are designed around a single group administrator: the private key of a group user is generated by the group administrator, and the trust problem that arises because the group administrator is easily attacked maliciously in today's large-scale open network environment is not considered. Identity-based group signature schemes therefore still need further research in terms of efficiency and privacy security.
On this basis, the present application studies a group signature algorithm that both protects the identity privacy of signers and allows effective tracing when disputes occur. The signature method simultaneously addresses two problems of existing group signature algorithms: low signature verification efficiency caused by time-consuming operations such as bilinear pairings, and leakage of signer privacy because a single group administrator is easily attacked maliciously. It thereby further improves the efficiency and privacy of group digital signatures and is better suited to scenarios that require strong privacy protection, such as blockchain, anonymous certificates, electronic cash and electronic voting.
The details are explained by the following examples.
In one or more embodiments of the present application, the specific meanings of the various parameters are shown in table 1.
TABLE 1 (parameter definitions; table image not reproduced)
Based on this, in order to effectively improve the efficiency and privacy of the group digital signature scheme, the embodiment of the present application provides a first group signature method that can be executed by the signature center member node. Referring to Fig. 1, the first group signature method executed by the signature center member node specifically includes the following contents:
Step 100: sending its own unique identity identifier ID_a in the distributed system and a first identifier L determined based on a random private key factor l to each group administrator node in the distributed group signature system, so that all the group administrator nodes generate a second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and each group administrator node generates its own corresponding third sub-identifier d'_i.
In one or more embodiments of the present application, a signature center member node may also be written as a member or a center member, for example: member A. Correspondingly, the unique identity identifier ID of the signature center member node A may be written as ID_a. The group administrator node may also be written as a group administrator or administrator, and its identifier may be written as SCM.
In step 100, member A picks
Figure BDA0003898237470000082
as its own random private key factor, calculates the first identifier L = lP = (x_L, y_L), and sends it to the SCMs. All SCMs first agree on a random number
Figure BDA0003898237470000083
and calculate h = H(ID_a ‖ L ‖ ts); each SCM then calculates d'_i = x_i h (mod n) and sends it to member A.
Step 200: generating a corresponding third identifier d based on each of the third sub-identifiers d'_i, obtaining an identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signing and verifying the target message based on the identification private key isk and the master public key mpk of the group signature system.
In step 200, member A receives d'_i from each SCA and computes locally
Figure BDA0003898237470000091
d = l + d' = l + xh (mod n), resulting in the final identification private key isk = (L, h, d).
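The key issuance of steps 100 and 200 on the SM2 recommended curve, as an added Python example that is not code from the application; all function and class names are illustrative. It assumes SHA-256 in place of the unspecified hash H, P_pub-i = x_i·P, mpk as the sum of the sub public keys and d' as the sum of the d'_i (the formula images for these are not reproduced in this text), and it goes beyond the text by checking each d'_i against its administrator's sub public key before combining.

```python
import hashlib
import secrets

# SM2 recommended curve: y^2 = x^3 + A*x + B over F_p. G is the base point
# (the page calls it P) and N is its prime order.
P_FIELD = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = P_FIELD - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0

def add(p1, p2):
    """Affine point addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def second_identifier(identity, L, ts):
    """h = H(ID, L, ts) mod n. ASSUMPTION: SHA-256 and this byte encoding stand
    in for the hash H, which the page does not specify."""
    data = len(identity).to_bytes(2, "big") + identity
    data += b"".join(v.to_bytes(32, "big") for v in (L[0], L[1], ts))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class Administrator:
    """One group administrator holding a master private key x_i."""
    def __init__(self):
        self.x = 1 + secrets.randbelow(N - 1)
        self.sub_pub = mul(self.x, G)  # ASSUMPTION: P_pub-i = x_i * P

    def sub_identifier(self, h):
        return self.x * h % N  # d'_i = x_i * h (mod n)

def master_public_key(admins):
    """ASSUMPTION: mpk is the sum of the published sub public keys."""
    mpk = INF
    for admin in admins:
        mpk = add(mpk, admin.sub_pub)
    return mpk

def share_is_valid(h, sub_pub, share):
    """Added member-side check (not on the page): d'_i * P == h * P_pub-i."""
    return mul(share, G) == mul(h, sub_pub)

def issue_identification_key(identity, admins, ts):
    """Steps 100 and 200 in one process; returns (isk, l)."""
    l = 1 + secrets.randbelow(N - 1)         # random private key factor, never sent
    L = mul(l, G)                            # first identifier L = l * P
    h = second_identifier(identity, L, ts)   # computed on the administrator side
    shares = [admin.sub_identifier(h) for admin in admins]
    for admin, share in zip(admins, shares):
        if not share_is_valid(h, admin.sub_pub, share):
            raise ValueError("share does not match the administrator's sub public key")
    d = (l + sum(shares)) % N                # ASSUMPTION: d' = sum of d'_i
    return (L, h, d), l

def key_matches_mpk(isk, mpk):
    """d * P == L + h * mpk holds exactly when d = l + x*h (mod n)."""
    L, h, d = isk
    return mul(d, G) == add(L, mul(h, mpk))

if __name__ == "__main__":
    admins = [Administrator() for _ in range(3)]
    ts = secrets.randbelow(N)  # constructed stand-in for the jointly agreed ts
    isk, _ = issue_identification_key(b"member-A", admins, ts)
    print("isk consistent with mpk:", key_matches_mpk(isk, master_public_key(admins)))
```

Because l never leaves the member, the administrators together can compute d' = xh but not d; a deployment would use a vetted SM2/SM3 library with constant-time arithmetic rather than this arithmetic.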
From the above description, it can be seen that the group signature method provided in the embodiment of the present application improves the SM2-based identification digital signature algorithm and provides an identity-based group signature method with multiple group administrators, which avoids tedious certificate management, avoids time-consuming bilinear pairing operations, and further reduces communication bandwidth and computational overhead. Multiple group administrators are established on the distributed system and users generate their own identification private keys, which avoids the risk of signer privacy being revealed because a single group administrator is attacked maliciously and addresses the trustworthiness of the group administrators. Compared with a ring signature method, the signature method provided by the application protects the privacy of the signer and can also quickly trace the identity of the signer when disputes occur. The method is therefore more practical and can meet the privacy protection requirements of various highly open scenarios such as blockchain and electronic cash.
In order to further improve the efficiency of group signature, in the first group signature method executed by the signature center member node provided in the embodiment of the present application, referring to fig. 2, step 100 in the first group signature method executed by the signature center member node further includes the following contents:
Step 110: selecting a random private key factor l of the user, and generating a first identifier L based on the random private key factor l and preset system parameters of the group signature system.
Step 120: sending the unique identity identifier ID in the distributed system and the first identifier L to each group administrator node in the distributed group signature system, so that all the group administrator nodes first determine a random number ts based on an SM2 digital signature algorithm and generate a corresponding second identifier h based on the random number ts, the first identifier L and the unique identity identifier ID, and each administrator node then generates its corresponding third sub-identifier d'_i according to its own master private key x_i and the second identifier h.
In order to further improve the security, the credibility and the traceability of the group signature, in the first group signature method executed by the signature center member node provided in the embodiment of the present application, referring to fig. 2, step 200 in the first group signature method executed by the signature center member node further includes the following contents:
Step 210: receive the second identifier h and the third sub-identifier $d'_i$ corresponding to each group administrator node.
Step 220: generate the corresponding third identifier d based on the random private key factor l and each of the third sub-identifiers $d'_i$.
Step 230: generate its own identification private key isk from the first identifier L, the second identifier h and the third identifier d.
Step 240: construct a zero-knowledge proof of the identification private key isk, so that each administrator node generates a verification identifier tH corresponding to the unique identity identifier ID from the zero-knowledge proof, the first identifier L, the second identifier h and the random number ts, and each administrator node stores the correspondence between the unique identity identifier ID and the verification identifier tH.
The verification identifier tH for the signature center member node a can be written as $tH_a$.
Step 250: if a target message to be group-signed is currently received, signing and signature verification are carried out on the target message based on the identification private key isk, the master public key mpk of the group signature system and preset system parameters of the group signature system, and a signature sigma of the target message is obtained.
In order to further improve the application reliability and effectiveness of the group signature method, in the first group signature method executed by the signature center member node provided in the embodiment of the present application, the group signature system is constructed in advance from the security parameter λ, the system parameters and a plurality of hash functions. The group signature system includes a plurality of group administrator nodes, each of which selects its own master private key $x_i$ and publishes a sub public key $P_{pub-i}$; the master public key mpk of the group signature system is determined from the sub public keys $P_{pub-i}$ of the group administrator nodes.
In order to further improve the application reliability and effectiveness of the group signature method, in the first group signature method executed by the signature center member node provided in the embodiment of the present application, referring to fig. 2, the following content is further included before step 100 in the first group signature method executed by the signature center member node:
Step 010: send its unique identity identifier ID in the distributed system and the verifiable claim IVC of its identity to the group administrator nodes in the group signature system through a secure channel, so that the group administrator nodes verify the unique identity identifier ID based on the verifiable claim IVC and, if the verification passes, send a notification message agreeing to the node joining the group signature system.
The verifiable claim IVC for the signature center member node a can be written as $IVC_a$.
Step 020: receiving the notification message to complete registration of the member node in the group signature system.
In order to further improve the application reliability and effectiveness of the group signature method, in the first group signature method executed by the signature center member node provided in the embodiment of the present application, referring to fig. 2, the following contents are further included after step 200 in the first group signature method executed by the signature center member node:
Step 300: send the signature σ of the target message, together with the target message, to a verification node in the group signature system, so that the verification node verifies the validity of the signature σ based on the target message, the system parameters of the group signature system and the master public key mpk, and outputs the corresponding verification result.
In order to effectively improve the efficiency and privacy of the group digital signature scheme, an embodiment of the present application provides a second group signature method that can be executed by a signature center group administrator node. Referring to fig. 3, the second group signature method executed by the signature center group administrator node specifically includes the following contents:
Step 400: receive, in the distributed group signature system, the unique identity identifier ID of a registered signature center member node in the distributed system and the first identifier L determined by that member node from its random private key factor l.
Step 500: based on the unique identity identifier ID and the first identifier L, generate a second identifier h together with the other group administrator nodes in the group signature system by applying the SM2 digital signature algorithm, and independently generate its own third sub-identifier $d'_i$ corresponding to the second identifier h.
Step 600: send the second identifier h and the third sub-identifier $d'_i$ to the signature center member node, so that the signature center member node generates the corresponding third identifier d from the received third sub-identifiers $d'_i$, obtains its identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identification private key isk and the master public key mpk of the group signature system.
The second group signature method executed by the signature center group administrator node and the first group signature method executed by the signature center member node interact with each other. In the overall interaction flow, steps 400 to 600 may be executed between step 100 and step 200. The functions implemented by the signature center group administrator node in the second method are the same as those described for it in the first group signature method executed by the signature center member node, so reference may be made to the detailed description of that embodiment.
In terms of software, in order to effectively improve the efficiency and privacy of the group digital signature scheme, the present application further provides a signature center member node for implementing all or part of the first group signature method, and referring to fig. 4, the signature center member node specifically includes the following contents:
an identification application module 10, configured to send its unique identity identifier ID in the distributed system and a first identifier L determined from a random private key factor l to each group administrator node in the distributed group signature system, so that all the group administrator nodes generate a second identifier h by applying the SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and each group administrator node generates a corresponding third sub-identifier $d'_i$;
a private key generation module 20, configured to generate the corresponding third identifier d based on each of the third sub-identifiers $d'_i$, obtain the identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and sign and verify the target message based on the identification private key isk and the master public key mpk of the group signature system.
The embodiment of the signature center member node provided in the present application may be specifically used to execute the processing flow of the embodiment of the first group signature method in the foregoing embodiment, and the functions of the embodiment are not described herein again, and refer to the detailed description of the embodiment of the first group signature method.
From the above description, it can be seen that the signature center member node provided in the embodiment of the present application improves the identity-based digital signature algorithm built on the Chinese national cryptographic standard SM2 and provides an identity-based group signature method with multiple group administrators. It avoids complex certificate management and time-consuming bilinear pairing operations, and further reduces communication bandwidth and computation overhead. Multiple group administrators are built on the distributed system and each user generates its own identification private key, which avoids the risk of signer privacy being leaked when a single group administrator is maliciously attacked and solves the problem of group administrator trustworthiness. Compared with a ring signature method, the method provided by the application protects the privacy of the signer and can also quickly trace the signer's identity when a dispute arises. The application is therefore more practical and can better meet the privacy protection requirements of highly open scenarios such as blockchains and electronic cash.
From the software aspect, in order to effectively improve the efficiency and privacy of the group digital signature scheme, the present application further provides a signature center group administrator node for implementing all or part of the second group signature method, and referring to fig. 5, the signature center group administrator node specifically includes the following contents:
a data receiving module 40, configured to receive, in the distributed group signature system, the unique identity identifier ID of a registered signature center member node in the distributed system and the first identifier L determined by that member node from its random private key factor l;
an identifier generation module 50, configured to generate, based on the unique identity identifier ID and the first identifier L, a second identifier h together with the other group administrator nodes in the group signature system by applying the SM2 digital signature algorithm, and to independently generate its own third sub-identifier $d'_i$;
a data sending module 60, configured to send the second identifier h and the third sub-identifier $d'_i$ to the signature center member node, so that the signature center member node generates the corresponding third identifier d from the received third sub-identifiers $d'_i$, obtains its identification private key isk containing the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identification private key isk and the master public key mpk of the group signature system.
The embodiment of the signature center group administrator node provided in this application may be specifically used to execute the processing flow of the embodiment of the second group signature method in the foregoing embodiment, and its functions are not described herein again, and reference may be made to the detailed description of the embodiment of the second group signature method.
The signature center group administrator node performs part of the group signature in the server, and in another practical application scenario, all the operations can be completed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. If all the operations are completed in the client device, the client device may further include a processor for performing a specific process of the group signature.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
The server and the client device may communicate using any suitable network protocol, including a network protocol that has not been developed at the filing date of the present application. The network protocol may include, for example, a TCP/IP protocol, a UDP/IP protocol, an HTTP protocol, an HTTPS protocol, or the like. Of course, the network Protocol may also include, for example, an RPC Protocol (Remote Procedure Call Protocol), a REST Protocol (Representational State Transfer Protocol), and the like used above the above Protocol.
As can be seen from the above description, the signature center group administrator node provided in the embodiment of the present application improves the identity-based digital signature algorithm built on the Chinese national cryptographic standard SM2 and provides an identity-based group signature method with multiple group administrators. It avoids complex certificate management and time-consuming bilinear pairing operations, and further reduces communication bandwidth and computation overhead. Multiple group administrators are built on the distributed system and each user generates its own identification private key, which avoids the risk of signer privacy being leaked when a single group administrator is maliciously attacked and solves the problem of group administrator trustworthiness. Compared with a ring signature method, the method provided by the application protects the privacy of the signer and can also quickly trace the signer's identity when a dispute arises. The application is therefore more practical and can better meet the privacy protection requirements of highly open scenarios such as blockchains and electronic cash.
Based on the embodiments of the first group signature method and the second group signature method, the present application further provides a group signature system, which specifically includes the following contents:
a signature center member node for implementing the first group signature method;
and the signature center group administrator node is used for realizing the second group signature method.
To further explain the scheme, the application also provides a specific application example of the group signature method: a group signature algorithm based on a distributed system and SM2 identity-based signatures, comprising system establishment, a signature algorithm, a verification algorithm and an opening algorithm. Referring to fig. 6, system establishment comprises system initialization Setup, master key generation MKeyGen and key center member registration Join, and is used to establish the group signature system; the center member key resolution process Extract generates an identification key for a key center member; the signature algorithm Sign generates a message signature; the verification algorithm Verify checks the correctness of a message signature; and the opening algorithm Open lets the group administrators trace the identity of the signer with the tracking key when a dispute arises. The application also gives a correctness proof of the algorithm and proofs of several security properties: unforgeability, resistance to malicious SCM attacks, anonymity, unlinkability, traceability and resistance to collusion attacks. The details are as follows:
(I) System establishment SysGen
(1) Initialization Setup: input the security parameter λ and output the system parameters $(q, F_q, a, b, n, G, P)$, where q is a randomly selected large prime number and $F_q$ is the finite field with q elements; a and b are elements of $F_q$ that define an elliptic curve E over $F_q$:
Figure BDA0003898237470000141
G is a cyclic group of prime order n ($n > 2^{191}$ and $n > 4p^{1/2}$), P is a generator of G, i.e. a base point on the elliptic curve E, and nP = O (O is the point at infinity). At the same time, 3 secure hash functions are selected:
Figure BDA0003898237470000142
Figure BDA0003898237470000143
Figure BDA0003898237470000144
(2) Master key generation MKeyGen: the system is provided with M Signature Center Managers (SCMs), and each SCM randomly selects
Figure BDA0003898237470000145
and computes $P_{pub-i} = x_i P \pmod n$, where i denotes the i-th SCA, $i \in [1, M]$. Each SCM keeps its own $x_i$ secret and publishes $P_{pub-i}$; the signature verification master public key mpk is then:
Figure BDA0003898237470000146
(3) Key center member registration Join: member registration is required when joining a Signature Center (SC). User A sends its unique identity identifier $ID_a$ on the blockchain, together with the verifiable claim $IVC_a$ of its identity, to the SCM over a secure channel; the SCM verifies the identity $ID_a$ of user A based on $IVC_a$ and, if it is correct, agrees to the user joining the network.
(II) Central Member Key resolution Extract
The algorithm takes as input the group's master public key mpk, the master private key x and the user identity information $ID_a$. First, member A picks
Figure BDA0003898237470000147
as its random private key factor, computes $L = lP = (x_L, y_L)$ and sends it to the SCMs. All SCMs first agree on a random number
Figure BDA0003898237470000148
compute $h = H(ID_a \| L \| ts)$, and then each computes $d'_i = x_i h \pmod n$ and sends it to member A.
Member A receives $d'_i$ from each SCA and locally computes
Figure BDA0003898237470000149
$d = l + d' = l + xh \pmod n$, giving the final identification private key isk = (L, h, d). Center member A constructs a zero-knowledge proof of the identification private key through a non-interactive Sigma protocol
Figure BDA00038982374700001410
Anyone can verify the correctness of his isk. SCM calculation
Figure BDA00038982374700001411
Each SCM stores $(ID_a, tH_a)$.
(III) signature Sign
Assuming that member a needs to sign message m, the algorithm inputs the group's master public key mpk, the user identification private key isk = (L, h, d), and message m. Computing
Figure BDA0003898237470000151
And
Figure BDA0003898237470000152
where $ENTL_A$ is the bit length of $ID_a$, and $(x_P, y_P)$ and $(x_L, y_L)$ are the abscissa and ordinate of P and L respectively. Randomly select
Figure BDA0003898237470000153
and compute $K = kP = (x_K, y_K)$ and $r = (e + x_K) \pmod n$. If r = 0 or r + k = n, reselect k and recompute; otherwise compute $s = (1 + d)^{-1}(k - rd) \pmod n$. If s ≠ 0, output the signature σ = (L, h, r, s) of message m.
(IV) Verify
Given the received message m, the center master public key mpk held by the verifier, and the signature σ = (L, h, r, s) to be verified, the verifier proceeds as follows:
(1) If it is
Figure BDA0003898237470000154
then output 0;
(2) Otherwise, compute $t = r + s \pmod n$. If t = 0, output 0;
(3) Otherwise compute
Figure BDA0003898237470000155
$K' = sP + t(L + hP_{pub}) = (x'_K, y'_K)$ and $r' = (e' + x'_K) \pmod n$. If r' = r, output 1; otherwise output 0. Output 1 indicates that the signature is valid; otherwise it is invalid.
(V) Open
When a member joins the signature center, the SCMs must jointly verify its identity and bind the member's key pair to its identity ID, so that the user's identity can be traced when a dispute arises and it can be checked whether the user's key has been updated or revoked. When the identity of a signer needs to be established, the SCM first verifies whether the signature is valid. If it is, the SCM inputs L, h and the tracking private key ts and searches the (ID, tH) pairs stored during key generation for a matching ID; if a matching ID exists, the identity of the user is determined.
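The Extract, Sign, Verify and Open steps above, as an added Python example (not code from the patent). Because the page's formulas for mpk, d', e and tH survive only as image placeholders, the example assumes mpk is the sum of the $P_{pub-i}$, d' is the sum of the $d'_i$, e = H(L ‖ h ‖ m) so that a verifier can recompute it without the ID, and an Open that recomputes H(ID ‖ L ‖ ts) for each registered ID. SHA-256 stands in for SM3, and the curve constants are the published SM2 recommended parameters, which the page does not list.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + a*x + b over F_p with base point P of
# prime order n (published standard constants; the page does not list them).
p = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFF
a = p - 3
b = 0x28E9FA9E_9D9F5E34_4D5A9E4B_CF6509A7_F39789F5_15AB8F92_DDBCBD41_4D940E93
n = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_7203DF6B_21C6052B_53BBF409_39D54123
P = (0x32C4AE2C_1F198119_5F990446_6A39C994_8FE30BBF_F2660BE1_715A4589_334C74C7,
     0xBC3736A2_F4F6779C_59BDCEE3_6B692153_D0A9877C_C62A4740_02DF32E5_2139F0A0)

def on_curve(A):
    """True if A is an affine point satisfying the curve equation."""
    return A is not None and (A[1] ** 2 - A[0] ** 3 - a * A[0] - b) % p == 0

def add(A, B):
    """Affine point addition; None is the point at infinity O."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand_scalar():
    return secrets.randbelow(n - 1) + 1          # uniform in [1, n-1]

def H(*parts):
    """Hash length-prefixed parts to [1, n-1]; SHA-256 stands in for SM3."""
    h = hashlib.sha256()
    for x in parts:
        data = x if isinstance(x, bytes) else x.to_bytes(32, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % (n - 1) + 1

def mkeygen(M):
    """Each of M SCMs picks x_i; assumed mpk = sum of the P_pub-i = x_i*P."""
    xs = [rand_scalar() for _ in range(M)]
    mpk = None
    for x_i in xs:
        mpk = add(mpk, mul(x_i, P))
    return xs, mpk

def extract(ident, xs, ts):
    """Member picks l; SCMs return h and d'_i = x_i*h; isk = (L, h, d)."""
    while True:
        l = rand_scalar()
        L = mul(l, P)
        h = H(ident, L[0], L[1], ts)              # h = H(ID || L || ts)
        d = (l + sum(x_i * h for x_i in xs)) % n  # assumed d' = sum of d'_i
        if d != n - 1:                            # keeps (1 + d) invertible
            return L, h, d

def sign(isk, m):
    """Sign step: r = e + x_K, s = (1 + d)^-1 (k - r*d), all mod n."""
    L, h, d = isk
    e = H(L[0], L[1], h, m)                       # assumed form of e
    while True:
        k = rand_scalar()
        r = (e + mul(k, P)[0]) % n
        s = pow(1 + d, -1, n) * (k - r * d) % n
        if r != 0 and r + k != n and s != 0:
            return L, h, r, s

def verify(mpk, m, sig):
    """Verify step: recompute K' = sP + t(L + h*P_pub) and compare r."""
    L, h, r, s = sig
    if not (on_curve(L) and 0 < h < n and 0 < r < n and 0 < s < n):
        return 0                                  # assumed range/point checks
    t = (r + s) % n
    if t == 0:
        return 0
    K = add(mul(s, P), mul(t, add(L, mul(h, mpk))))
    if K is None:
        return 0
    return 1 if (H(L[0], L[1], h, m) + K[0]) % n == r else 0

def open_signature(mpk, m, sig, ts, registered_ids):
    """SCM-side trace: return the registered ID whose H(ID || L || ts) is h."""
    if verify(mpk, m, sig) != 1:
        return None
    L, h = sig[0], sig[1]
    return next((i for i in registered_ids if H(i, L[0], L[1], ts) == h), None)
```
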
(VI) proof of Security
(1) Correctness
Theorem 1: the signature method proposed in this application is correct.
Correctness, i.e. ensuring that the truthfully generated signature can be correctly verified and traced.
If all algorithms proceed in steps, the verifier output signature is valid because:
$r = (e + x_K) \pmod n$
$s = (1 + d)^{-1}(k - rd) \pmod n$
$t = r + s \pmod n$
$L = lP = (x_L, y_L)$
Figure BDA0003898237470000161
Figure BDA0003898237470000162
K=kP
To prove that the signature is valid it suffices to prove r' = r, which only requires $x'_K = x_K$, which in turn only requires proving:
Figure BDA0003898237470000163
that is, $(x'_K, y'_K) = (x_K, y_K)$, so $x'_K = x_K$ and $y'_K = y_K$.
Therefore r' = r, and correctness is proved.
(2) Unforgeability
Definition 1. If adversary A has advantage at least $\epsilon$ in the simulated attack game, runs in time at most t, and makes at most $q_E$ extraction queries and $q_S$ signature queries, it is called an $(\epsilon, t, q_E, q_S)$-forger of the identity-based signature method. If no $(\epsilon, t, q_E, q_S)$-forger exists, the method is called $(\epsilon, t, q_E, q_S)$-secure.
Theorem 2. Assuming that the hash function H is a random oracle, if ECDLP (the discrete logarithm problem on elliptic curves) is hard, our signature method is $(\epsilon, t, q_E, q_S)$-secure against EU-CM-IDB-A (existential unforgeability under adaptive chosen-message and identity-based attacks).
Proof: assume there exists a PPT (probabilistic polynomial time) adversary against our method
Figure BDA0003898237470000164
We will construct an algorithm
Figure BDA0003898237470000165
to simulate
Figure BDA0003898237470000166
to the challenger. Our method is to define
Figure BDA0003898237470000167
as an adversary attacking EU-CMA (adaptive chosen-message attack) in the simulated game of the scheme.
Figure BDA0003898237470000168
controls and runs the random oracle
Figure BDA0003898237470000169
It works as follows:
Setup:
Figure BDA0003898237470000171
randomly selects $x' \in [1, n-1]$, computes $msk = P'_{pub}$, and then returns
Figure BDA0003898237470000172
Queries: during its run, the adversary
Figure BDA0003898237470000173
may make queries, including extraction and signature queries.
Figure BDA0003898237470000174
responds in the following manner.
Extraction query: consider a query for the hash value and private key of user identity $ID_i$.
Figure BDA0003898237470000175
from
Figure BDA0003898237470000176
randomly selects a number and then computes $L_i$ (assuming there is 1 SCM; the multi-SCM case is analyzed below, and in fact multiple SCMs double the difficulty of an adversary's attack). Based on $L_i$ and
Figure BDA0003898237470000177
it computes $h_i = H(ID_i \| L_i \| R)$, then computes $d_i$
Figure BDA0003898237470000178
and returns $(h_i, L_i, d_i)$ to
Figure BDA0003898237470000179
Signature query: consider a query for the signature of $ID_i$ on message $m_i$.
Figure BDA00038982374700001710
randomly selects
Figure BDA00038982374700001711
then runs
Figure BDA00038982374700001712
in the signature query of the simulated attack game, computing $r_i = h(Z_i \| m_i) + x_k \bmod n$ and $s_i = (k - r_i d_i)/(1 + d_i) \bmod n$, where $Z_i$ is the other known, fixed information in the signature algorithm. Finally,
Figure BDA00038982374700001713
returns $(ID_i, m_i, \sigma_i)$ to
Figure BDA00038982374700001714
Forgery: after polynomially many queries of the above two types, the adversary
Figure BDA00038982374700001715
selects a user $ID^*$
(
Figure BDA00038982374700001716
$i \in [q_E]$), generates $(h^*, L^*, d^*)$, then selects the message $m^*$ (
Figure BDA00038982374700001717
$i \in [q_S]$) and runs
Figure BDA00038982374700001718
outputting a forged signature $\sigma^* = (r^*, s^*)$ in the challenge stage of the simulated game. Next, we show that the advantage of the forged signature being valid is negligible under the assumption that the hash function h is unique and collision resistant.
Analysis: the randomness of the simulation includes all random numbers in key generation and in the query responses, and is independent of the adversary's view. The simulation is therefore indistinguishable from an actual attack. Next, we analyze and show that the advantage of a forged signature being valid
Figure BDA00038982374700001719
and the time cost t are negligible under this assumption.
Figure BDA00038982374700001720
Figure BDA0003898237470000181
The time consumed is $t = t_0 + q_E t_E + q_S t_S$, where $t_E$ and $t_S$ are the times B needs to simulate a single extraction query and a single signature query, respectively. Since scholars have shown in the literature that the SM2 digital signature algorithm satisfies EUF-CMA, the present application also satisfies EU-CMA. In fact, because $ID^* = ID_i$, A needs to find a collision $(ID_i \| L_i \| ts_i,\ ID^* \| L \| ts)$ of the hash function. Given that h is a random oracle and ECDLP is a hard problem, this can occur only with negligible probability. Therefore EUF-CM-IDB-A is satisfied as well.
Theorem 3. The scheme can resist strong and malicious SCM attacks.
In the signature method of the present application, the number of SCMs is k ≥ 1 and k is typically large, which makes the method effective against malicious SCM attacks. Suppose an adversary
Figure BDA0003898237470000182
is a malicious SCM in the method; it knows the key factor ts of the center member and its own $x_i$. In this scheme ts is agreed upon jointly by all SCMs, and because the system parameters are maintained jointly by the multiple SCMs, $x_i$ is known only to SCM i itself. As for the user's signing private key, each SCM, being unable to obtain the user's private key or the user's random private key factor, can only compute $d'_i = x_i h \pmod n$ from the $x_i$ it holds. Going further involves both the one-wayness of the hash function and the discrete logarithm problem on the elliptic curve, so it is difficult for the adversary to obtain the user's private key from ts and any $x_i$. Thus, the present method can resist strong malicious SCM attacks.
(3) Other security features
Anonymity: l is randomly generated by SCMs and SC members, $h = H(ID_a \| L \| ts)$ and $L = lP$, so the algorithm's processing of the user identity ID involves the one-wayness of a hash function and the hardness of the discrete logarithm problem on an elliptic curve. That is, without the help of an SCM, an attacker given a signature on a message cannot recover the identity of the signer.
Traceability: the SCM can open any valid group signature with the tracking key ts, certify that the signer actually generated the signature, and match the corresponding ID from the list. Furthermore, by Theorem 3, as long as any one trusted SCM exists, the member behind a forged signature can be traced for all signatures, even those created by multiple users colluding with SCMs.
Unlinkability: in the signature algorithm, the signature center member signs the message using the public key mpk of the SCMs, computing $r = (e + x_K) \pmod n$ and $s = (1 + d)^{-1}(k - rd) \pmod n$ at signing time, where $x_K$ comes from $K = kP = (x_K, y_K)$,
Figure BDA0003898237470000191
Given $k_i P$ and $k_j P$, without knowledge of $k_i$ and $k_j$ it is computationally hard to determine whether they correspond to the same kP. An adversary who does not know the tracking key therefore cannot judge whether two different signatures were produced by the same center member, which gives unlinkability of signatures.
Collusion attack resistance: the identification private key of a center member is held only by that member, who discloses to everyone only a zero-knowledge proof about it. Multiple SCMs jointly endorse the SC signature list, and no single SCM (alone or in collusion with other members) can tamper with the ID of a member and the corresponding signature information. Combined with Theorem 3, we conclude that no subset of SC members (even one consisting of all SC members) can produce a valid signature that the SCMs cannot trace.
(VII) advantageous effects brought by the present application
The signature method is improved based on the SM2 algorithm, except for the generation of initialization parameters and keys, the signature verification steps are basically consistent, and therefore the calculation cost is basically the same as that of the SM2 digital signature algorithm. In order to protect the identity information of the signer, the ID-based SM2 group signature method is designed, so that anonymous signature is realized on the premise of keeping the efficiency unchanged, and the privacy of the signer can be effectively protected.
Specifically, (1) and (2) below mainly compare the communication cost and the computation cost of the existing group signature method and the signature method designed in the present application. To reach the security level λ = 128, the existing group signature method uses bilinear pairing operations on an elliptic curve, which the present application evaluates using a BN (Barreto-Naehrig) curve over GF(p) (256-bit coefficient p, k = 12) with a Type-3 bilinear pairing G2 × G1 → GT; for the signature method proposed in this application, a 256-bit GF(p) elliptic curve (p has no special form) is used as recommended by the SM2 national cryptographic algorithm standard.
In 2019, Yang et al. improved the SM9 identity-based cryptographic algorithm and proposed a multi-KGC group signature method based on identity authentication. Although that method improves operating efficiency, it still uses time-consuming bilinear pairing operations and has difficulty coping with scenarios involving a large number of signatures.
(1) Computational overhead analysis
To compare the computational overhead of the existing group signature method's protocol with that of the protocol designed by the application, the application first measures the time taken by the relevant operations. The test environment is a 2.4 GHz Intel i5 520 single-core processor, compiled with GCC using the standard /O2 compiler optimization. The running time of each operation is computed from the number of iterations completed in 1 s with the Miracl library, in milliseconds; the corresponding symbol definitions and running times are shown in Table 2.
TABLE 2 execution time reference for different encryption operations
Figure BDA0003898237470000201
Figure BDA0003898237470000211
(2) First, the types and numbers of operations in the two protocols being compared are counted, and then the computational overhead of each role in each stage is calculated from the operation timings in Table 2 (as shown in Table 3). The key generation stage comprises group key generation and user identification key generation; the protocol of the existing group signature method takes 0.6707 milliseconds in total, and the protocol of the present application takes 2.1256 milliseconds. In the signature stage, the existing group signature method takes 1.6203 milliseconds and the present protocol takes 1.0655 milliseconds. In the signature verification stage, the existing group signature method takes 7.9512 milliseconds and the present protocol takes 1.4087 milliseconds. Compared with the literature, the present protocol thus still costs more computation in the key generation stage, a cost that is acceptable because key generation is executed only once; the main improvement is in the signature stage and especially the verification stage, with a reduction of about 34.24% in the signature stage and 82.28% in the verification stage. This is primarily because the protocol designed by the present application does not involve time-consuming bilinear pairings. In addition, like the existing group signature method, the protocol designed here is an identity-based signature protocol, so the huge certificate management overhead of a PKI system is avoided and practicality is higher.
Table 3. Overhead comparison analysis of signature methods
[Table 3 is an image in the original publication; its contents are not reproduced here.]
In summary, the core improvements of the application example of the present application are as follows:
The present application combines a distributed system with an improved identity-based digital signature algorithm built on the national cryptographic standard SM2, and provides an identity-based group signature method with multiple group administrators. It avoids cumbersome certificate management and time-consuming bilinear pairing operations, and further reduces communication bandwidth and computational cost. Multiple group administrators are set up on the distributed system and each user generates its own identification private key, which avoids the risk of signer privacy being leaked when a single group administrator is maliciously attacked and addresses the problem of trust in the group administrator. Compared with a ring signature method, the signature method provided by the application protects the privacy of the signer while allowing the identity of the signer to be traced quickly when a dispute occurs. The application is therefore more practical and better meets privacy protection requirements in highly open scenarios such as blockchains and electronic cash.
Compared with a certificate-based digital signature method, the application adopts identity-based signatures and generates the user's private key from the identity, thereby avoiding the large certificate management overhead of a PKI system. Compared with a digital signature method that uses bilinear pairings, the application is designed on the national cryptographic standard SM2 elliptic curve public key algorithm, avoids time-consuming bilinear pairing operations, and greatly improves signature verification efficiency.
The application protects the privacy of the signer by designing the group signature method on the SM2 identity-based digital signature algorithm. To address the trustworthiness of group administrators in a large-scale open environment, it adopts a distributed mode with multiple group administrators in which the user generates its own signature private key, which effectively solves the problem of the signer's identity being revealed when a single group administrator is attacked.
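A toy walk-through of the multi-administrator key issuance summarised above, added here as an illustration and not taken from the patent. The modular group standing in for the SM2 curve, the SHA-256 hash, the share form d'_i = x_i·h, the combination d = l + Σ d'_i, the consistency relation and all function names are assumptions chosen to match the shape of the claims, not the patent's own equations.

```python
import hashlib
import secrets

# Toy group standing in for the SM2 curve (assumption): integers modulo the
# Mersenne prime 2**127 - 1. A point multiplication k*G becomes pow(G, k, P)
# and point addition becomes multiplication modulo P.
P = 2**127 - 1
Q = P - 1   # exponents are reduced modulo P - 1 (Fermat's little theorem)
G = 3

def H(*fields):
    """Hash fields to an exponent; SHA-256 stands in for the scheme's hash."""
    data = b"|".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Manager:
    """One group administrator node holding a master private key x_i."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.x, P)          # sub public key P_pub-i

    def issue_share(self, h):
        return (self.x * h) % Q               # assumed form of d'_i

def master_public_key(managers):
    mpk = 1
    for m in managers:
        mpk = (mpk * m.pub) % P               # combines every P_pub-i
    return mpk

def share_is_valid(pub, h, share):
    """Member-side check that a share matches the manager's public key."""
    return pow(G, share, P) == pow(pub, h, P)

def combine(l, shares):
    return (l + sum(shares)) % Q              # assumed form of d

def key_is_consistent(L, h, d, mpk):
    """Assumed consistency relation: G^d == L * mpk^h (mod P)."""
    return pow(G, d, P) == (L * pow(mpk, h, P)) % P

def issue_key(managers, identity, l, ts):
    """Run the issuance flow; returns (isk, shares). l never leaves the member."""
    L = pow(G, l, P)                          # first identifier, sent to managers
    h = H(identity, L, ts)                    # second identifier
    shares = [m.issue_share(h) for m in managers]
    for m, s in zip(managers, shares):
        if not share_is_valid(m.pub, h, s):
            raise ValueError("manager returned an invalid share")
    return (L, h, combine(l, shares)), shares

if __name__ == "__main__":
    managers = [Manager() for _ in range(3)]
    mpk = master_public_key(managers)
    l = secrets.randbelow(Q - 1) + 1          # member's random private key factor
    (L, h, d), shares = issue_key(managers, "member-01", l,
                                  ts=secrets.randbits(64))  # constructed inputs
    print("member key consistent:", key_is_consistent(L, h, d, mpk))
    # All managers pooling their shares still lack l, so the value they can
    # compute does not satisfy the relation.
    print("managers-only key consistent:",
          key_is_consistent(L, h, sum(shares) % Q, mpk))
```

Under these assumptions the member can reject a bad share before combining, and the final key depends on a value no administrator ever receives.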
The present application further provides an electronic device, which may include a processor, a memory, a receiver, and a transmitter, where the processor is configured to execute the first group signature method or the second group signature method mentioned in the foregoing embodiments. The processor and the memory may be connected by a bus or in another manner; connection by a bus is taken as an example. The receiver can be connected with the processor and the memory in a wired or wireless manner. The electronic device may receive real-time motion data from sensors in the wireless multimedia sensor network and receive an original video sequence from the video capture device.
The processor may be a Central Processing Unit (CPU). The processor may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as program instructions/modules corresponding to the first group signature method or the second group signature method in the embodiments of the present application. The processor executes various functional applications and data processing of the processor by executing non-transitory software programs, instructions and modules stored in the memory, that is, implementing the first group signature method or the second group signature method in the above method embodiments.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and such remote memory may be coupled to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory and, when executed by the processor, perform a first group signature method or a second group signature method in an embodiment.
In some embodiments of the present application, the user equipment may include a processor, a memory, and a transceiving unit. The transceiving unit may include a receiver and a transmitter, and the processor, the memory, the receiver, and the transmitter may be connected through a bus system. The memory is configured to store computer instructions, and the processor is configured to execute the computer instructions stored in the memory to control the transceiving unit to transmit and receive signals.
As an implementation manner, the functions of the receiver and the transmitter in this application may be considered to be implemented by a transceiving circuit or a transceiving dedicated chip, and the processor may be considered to be implemented by a dedicated processing chip, a processing circuit or a general-purpose chip.
As another implementation manner, a manner of using a general-purpose computer to implement the server provided in the embodiment of the present application may be considered. That is, program code that implements the functions of the processor, receiver and transmitter is stored in the memory, and a general-purpose processor implements the functions of the processor, receiver and transmitter by executing the code in the memory.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the steps of the first group signature method or the second group signature method. The computer-readable storage medium may be a tangible storage medium such as Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, floppy disks, hard disks, removable storage disks, CD-ROMs, or any other form of storage medium known in the art.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations of both. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the present application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link.
It is to be understood that the present application is not limited to the particular arrangements and instrumentality described above and shown in the attached drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions or change the order between the steps after comprehending the spirit of the present application.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made to the embodiment of the present application for those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A group signature method, comprising:
sending the unique identity identifier ID of the distributed system and the first identification L determined based on the random private key factor l to each group manager node in the distributed group signature system, so that all the group manager nodes generate a second identification h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identification L, and each group manager node generates a corresponding third sub-identification d'_i;
generating a corresponding third identifier d based on each third sub-identifier d'_i, obtaining an identifier private key isk containing the first identifier L, the second identifier h and the third identifier d, and signing and verifying the target message based on the identifier private key isk and the master public key mpk of the group signature system.
2. The group signature method as claimed in claim 1, wherein sending the unique identity identifier ID of the distributed system and the first identification L determined based on the random private key factor l to each group manager node in the distributed group signature system, such that all group administrator nodes generate a second identification h based on the unique identity identifier ID and the first identification L using an SM2 digital signature algorithm, and each of the group administrator nodes generates a respective corresponding third sub-identification d'_i, comprises:
selecting a random private key factor l of the user, and generating a first identifier L based on the random private key factor l and preset system parameters of the group signature system;
sending the unique identity identifier ID and the first identifier L in the distributed system to each group administrator node in the distributed group signature system, so that all the group administrator nodes first determine a random number ts based on an SM2 digital signature algorithm, generate a corresponding second identifier h based on the random number ts, the first identifier L and the unique identity identifier, and then each generate its corresponding third sub-identifier d'_i according to its own master private key x_i and the second identifier h.
3. The group signature method of claim 1, wherein generating a corresponding third identifier d based on each of the third sub-identifiers d'_i, obtaining an identifier private key isk containing the first identifier L, the second identifier h and the third identifier d, and signing and verifying the target message based on the identifier private key isk and a master public key mpk of the group signature system, comprises:
receiving the second identifier h and the third sub-identifier d'_i respectively corresponding to each group administrator node;
generating a corresponding third identifier d based on the random private key factor l and each of the third sub-identifiers d'_i;
generating an own identification private key isk according to the first identification L, the second identification h and the third identification d;
constructing a zero knowledge proof of the identification private key isk to enable each administrator node to generate a verification identification tH corresponding to the unique identity identifier ID according to the zero knowledge proof, a first identification L, a second identification h and a random number ts, and storing a corresponding relation between the unique identity identifier ID and the verification identification tH by each administrator node;
if a target message to be group signed is received currently, signing and signature checking are carried out on the target message based on the identification private key isk, the master public key mpk of the group signature system and preset system parameters of the group signature system, and a signature sigma of the target message is obtained.
4. A group signature method as claimed in any one of claims 1 to 3, wherein the group signature system is constructed in advance according to a security parameter λ, a system parameter and a plurality of hash functions, and the group signature system comprises a plurality of group administrator nodes, each of which selects its own master private key x_i and publishes a sub-public key P_pub-i, the master public key mpk of the group signature system being determined based on the sub-public keys P_pub-i corresponding to the group administrator nodes.
5. The group signature method of claim 4, wherein before sending the unique identity identifier ID of the distributed system and the first identifier L determined based on the random private key factor l to each group administrator node in the distributed group signature system, the method further comprises:
sending a unique identity Identifier (ID) of the node in a distributed system and a verifiable claim IVC of the identity of the node to a group administrator node in the group signature system through a secure channel, so that the group administrator node verifies the unique identity Identifier (ID) based on the verifiable claim IVC, and if the verification is passed, sending a notification message of agreeing to join the group signature system;
receiving the notification message to complete registration of the self with the member node in the group signature system.
6. The group signature method as claimed in claim 3, further comprising:
and sending the signature sigma of the target message and the target message to a verification node in the group signature system, so that the verification node verifies the validity of the signature sigma of the target message based on the target message, the system parameters of the group signature system and the master public key mpk, and outputs a corresponding verification result.
7. A group signature method, comprising:
receiving a unique identity identifier ID of a registered signing center member node in a distributed system and a first identification L determined by the signing center member node based on a random private key factor l in the distributed system;
generating, together with other group administrator nodes in the group signature system, a second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and independently generating a third sub-identifier d'_i corresponding to the second identifier h;
sending the second identification h and the third sub-identification d'_i to the signature center member node, so that the signature center member node generates a corresponding third identifier d based on the received third sub-identifiers d'_i, obtains an identifier private key isk of the signature center member node, wherein the identifier private key isk comprises the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identifier private key isk and the master public key mpk of the group signature system.
8. A signature center member node, comprising:
an identification application module, configured to send a unique identity identifier ID of the group administrator node in the distributed system and a first identification L determined based on a random private key factor l to each group administrator node in the distributed group signature system, so that all group administrator nodes generate a second identification h based on the unique identity identifier ID and the first identification L by applying an SM2 digital signature algorithm, and each group administrator node generates its respectively corresponding third sub-identification d'_i;
a private key generating module, configured to generate a corresponding third identifier d based on each of the third sub-identifiers d'_i, obtain an identifier private key isk containing the first identifier L, the second identifier h and the third identifier d, and sign and verify the target message based on the identifier private key isk and the master public key mpk of the group signature system.
9. A signature center group administrator node, comprising:
a data receiving module, configured to receive a unique identity identifier ID of a registered signature center member node in the distributed system and a first identification L determined by the signature center member node based on a random private key factor l in the distributed system;
an identifier generation module, configured to generate, together with other group administrator nodes in the group signature system, a second identifier h by applying an SM2 digital signature algorithm based on the unique identity identifier ID and the first identifier L, and to independently generate a third sub-identifier d'_i corresponding to the second identifier h;
a data transmitting module, configured to send the second identifier h and the third sub-identifier d'_i to the signature center member node, so that the signature center member node generates a corresponding third identifier d based on the received third sub-identifiers d'_i, obtains an identifier private key isk of the signature center member node, wherein the identifier private key isk comprises the first identifier L, the second identifier h and the third identifier d, and signs and verifies the target message based on the identifier private key isk and the master public key mpk of the group signature system.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the group signature method as claimed in any one of claims 1 to 6, or carries out the group signature method as claimed in claim 7.
CN202211279860.4A 2022-09-19 2022-10-19 Group signature method and signature center group administrator node Pending CN115765983A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2022111383492 2022-09-19
CN202211138349 2022-09-19

Publications (1)

Publication Number Publication Date
CN115765983A true CN115765983A (en) 2023-03-07

Family

ID=85353809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211279860.4A Pending CN115765983A (en) 2022-09-19 2022-10-19 Group signature method and signature center group administrator node

Country Status (1)

Country Link
CN (1) CN115765983A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743382A (en) * 2023-08-14 2023-09-12 鼎铉商用密码测评技术(深圳)有限公司 Electronic voting method, trust center terminal, voting terminal and readable storage medium
CN116743382B (en) * 2023-08-14 2023-11-21 鼎铉商用密码测评技术(深圳)有限公司 Electronic voting method, trust center terminal, voting terminal and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination