CN116527275A - Remote medical agent signature verification method and system - Google Patents


Info

Publication number
CN116527275A
Authority
CN
China
Prior art keywords
private key
attribute
signer
public
representing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310550117.6A
Other languages
Chinese (zh)
Inventor
周豫苹
胡玉
郑清竹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Minnan Normal University
Original Assignee
Minnan Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Minnan Normal University
Priority to CN202310550117.6A
Publication of CN116527275A
Legal status: pending

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
    • H04L67/12 Network arrangements or protocols for supporting network services or applications; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0863 Key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a remote medical proxy signature verification method and system. In the method, the private key generator generates a user key pair and an attribute key pair from the user's attribute information and sends them to the corresponding user; the original signer generates an authorization token from its own private key and the delegate token and sends it to the proxy signer; the proxy signer generates a proxy signature from its own private key, the authorization token, the designated verifier's attribute public key and the message, and sends the proxy signature to the designated verifier; the designated verifier verifies it using its own attribute private key, the authorization token, the proxy signature, the original signer's public key and the proxy signer's public key, and recovers the message if verification passes. The invention gives the proxy signer the same signing capability as the original signer while keeping the signature unforgeable.

Description

Remote medical agent signature verification method and system
Technical Field
The invention relates to the field of cloud-based healthcare, and in particular to a remote medical proxy signature verification method and system.
Background
With the spread of cloud-based medical diagnosis, telemedicine systems have matured, bringing convenience to daily life and greatly shortening diagnosis time. Since a telemedicine system typically handles users' sensitive information, the privacy problems it raises need to be solved.
Disclosure of Invention
To solve these problems, the invention provides a remote medical proxy signature verification method and system.
The specific scheme is as follows:
A remote medical proxy signature verification method, comprising the steps of:
S1: the attribute authority generates attribute information for each user from the user's personal information and sends it to the private key generator;
S2: the private key generator generates the original signer's key pair $(pk_a, sk_a)$ and the proxy signer's key pair $(pk_b, sk_b)$ from the users' attribute information, and at the same time generates the designated verifier's attribute key pair $(pk_c, sk_c)$ from the designated verifier's attribute set $\omega$; it sends $sk_a$ to the original signer, sends $sk_b$ together with the designated verifier's attribute public key $pk_c$ to the proxy signer, and sends $pk_a$, $pk_b$ and $(pk_c, sk_c)$ to the designated verifier;
S3: the original signer generates an authorization token $\delta$ from its private key $sk_a$ and the delegate token $w$, and sends $\delta$ to the proxy signer;
S4: the proxy signer generates a proxy signature $\sigma$ from its private key $sk_b$, the authorization token $\delta$, the designated verifier's attribute public key $pk_c$ and the message $m$, and sends $\sigma$ to the designated verifier;
S5: the designated verifier verifies using its attribute private key $sk_c$, the authorization token $\delta$, the proxy signature $\sigma$, the original signer's public key $pk_a$ and the proxy signer's public key $pk_b$; if verification passes, the message $m$ is recovered.
Further, the private key generator generates the original signer's key pair $(pk_a, sk_a)$ and the proxy signer's key pair $(pk_b, sk_b)$ as follows: it randomly chooses two elements $x_a, x_b$ of the residue field $\mathbb{Z}_p$ and derives the two key pairs from them, where $sk_a$ is the original signer's private key, $pk_a$ its public key, $sk_b$ the proxy signer's private key, $pk_b$ its public key, and $g$ the preset first generator; the public keys are powers of $g$ (the proof of Theorem two uses $sk_a = \alpha$, $pk_a = g^{\alpha}$).
Further, the private key generator generates the designated verifier's attribute key pair $(pk_c, sk_c)$ as follows:
S101: randomly choose a polynomial $q(\cdot)$ of degree $d-1$ (to be used with Lagrange interpolation) such that $q(0) = \alpha$, where $\alpha$ is the preset master key;
S102: build a first attribute set from the designated verifier's attributes and the dummy attribute set $\Omega = \{\Omega_1, \Omega_2, \ldots, \Omega_{d-1}\}$ over $\mathbb{Z}_p$, where $d$ is the number of elements of $\Omega$ plus 1;
S103: for each attribute $i$ in that set, randomly choose a first group element and compute from it the attribute public key $pk_c$ and the attribute private key $sk_c$.
Here $g$ is the preset first generator of the additive cyclic group, $g_2$ is the preset second generator and $H_1(\cdot)$ is the preset first collision-resistant hash function.
Further, the original signer computes the authorization token $\delta$ from the hash function $H_1(\cdot)$, its secret $x_a$ and the delegate token $w$, where $H_1(\cdot)$ is the preset first collision-resistant hash function, $x_a \in \mathbb{Z}_p$ is the element chosen when generating the original signer's key pair, and $w$ is the delegate token.
Further, the proxy signature is constructed as follows:
S401: establish an attribute subset $\omega' \subseteq \omega^*$ containing $k$ attributes, where $\omega^*$ is a set of $n$ attributes drawn from the preset global attribute set;
S402: extract a dummy attribute subset $\Omega'$ from the dummy attribute set $\Omega$ with $|\Omega'| = d - k$, where $|\Omega'|$ is the number of elements of $\Omega'$, $d$ is the number of elements of $\Omega$ plus 1, and $k$ is the number of elements of $\omega'$;
S403: for every attribute $i \in \omega^* \cup \Omega'$, randomly choose a second group element $r_i'$, giving $n + d - k$ components;
S404: blind the message to obtain $f$, using the preset third and fourth collision-resistant hash functions $F_1$ and $F_2$, where $\|$ denotes concatenation and $\oplus$ denotes exclusive-or;
S405: encrypt the message as
$M = H_2(E) + f$,
$E = e(g^{\alpha}, g_2)$,
where $M$ is the encrypted message, $H_2$ is the preset second collision-resistant hash function, $E$ is the bilinear map result, $e$ is the bilinear map, $g$ is the preset first generator of the additive cyclic group, $g_2$ is the preset second generator and $\alpha$ is the preset master key;
S406: construct the proxy signature $\sigma = (M, \sigma_1, \sigma_2)$ with
$\sigma_2 = (\sigma_i)_{i \in \omega^* \cup \Omega'}$,
where $\sigma_1$ is the first parameter, $\sigma_2$ the second parameter, $\sigma_i$ the intermediate parameters, $H_1(\cdot)$ the preset first collision-resistant hash function and $\Delta_{i,S}(\cdot)$ the Lagrange basis polynomial.
Further, verification in step S5 passes when both verification equalities hold simultaneously, where the first is the predicate formula and $\mu$ denotes the value accumulated from the attribute private key $sk_c$.
Further, the message $m$ is recovered from the blinding result $f$, where $F_1$ and $F_2$ are the preset third and fourth collision-resistant hash functions, $l_1, l_2$ are message lengths, $F_1$ maps strings of length $l_2$ to length $l_1$, $F_2$ maps strings of length $l_1$ to length $l_2$, and $\oplus$ denotes exclusive-or.
A remote medical proxy signature verification system comprises an attribute authority, a private key generator, an original signer, a proxy signer and a designated verifier, and implements the steps of the method according to the embodiments of the invention.
With this technical scheme the proxy signer obtains the same signing capability as the original signer, the signature is unforgeable, and the scheme resists chosen-message attacks in the random oracle model.
Drawings
Fig. 1 is a schematic diagram showing relationships among entities in a first embodiment of the present invention.
FIG. 2 is a flow chart of a method according to an embodiment of the invention.
Detailed Description
For further illustration of the various embodiments, the invention is provided with the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments and together with the description, serve to explain the principles of the embodiments. With reference to these matters, one of ordinary skill in the art will understand other possible embodiments and advantages of the present invention.
The invention will now be further described with reference to the drawings and detailed description.
Embodiment one:
The embodiment provides a remote medical proxy signature verification method built on the following six entities, shown in Fig. 1:
(1) Attribute authority: generates attribute information for every user participating in the system from their personal information and distributes these attributes to the users. Users include patients and medical professionals.
(2) Private key generator: generates the corresponding key pairs and attribute key pairs from the users' attributes.
(3) Deployment agency (original signer): the network developer, for example the network administrator of a hospital; it deploys the remote wireless sensor network and is responsible for all matters concerning the wireless sensor networks.
(4) Sensor (proxy signer): worn on the patient's body to monitor the relevant vital signs and send the measured data to the medical server through a wireless gateway. The sensor has limited energy and storage and can only send short messages.
(5) Medical server: a host with large storage and computing capacity; it collects the data from all connected wireless gateways and forwards it to the relevant medical specialist.
(6) Medical specialist (designated verifier): a trained professional who receives the analysed data and provides further medical diagnosis.
As shown in Fig. 2, with these entities the method of this embodiment comprises the following steps:
S1: the attribute authority generates attribute information for each user from the user's personal information and sends it to the private key generator.
S2: the private key generator generates the original signer's key pair $(pk_a, sk_a)$ and the proxy signer's key pair $(pk_b, sk_b)$ from the users' attribute information, and at the same time generates the designated verifier's attribute key pair $(pk_c, sk_c)$ from the designated verifier's attribute set $\omega$; it sends $sk_a$ to the original signer, sends $sk_b$ together with the designated verifier's attribute public key $pk_c$ to the proxy signer, and sends $pk_a$, $pk_b$ and $(pk_c, sk_c)$ to the designated verifier.
S3: the original signer generates an authorization token $\delta$ from its private key $sk_a$ and the delegate token $w$, and sends $\delta$ to the proxy signer.
S4: the proxy signer generates a proxy signature $\sigma$ from its private key $sk_b$, the authorization token $\delta$, the designated verifier's attribute public key $pk_c$ and the message $m$, and sends $\sigma$ to the designated verifier.
S5: the designated verifier verifies using its attribute private key $sk_c$, the authorization token $\delta$, the proxy signature $\sigma$, the original signer's public key $pk_a$ and the proxy signer's public key $pk_b$; if verification passes, the message $m$ is recovered.
The method is implemented by six algorithms: Setup (parameter initialization), KeyGen (key generation), AttrKeyGen (attribute key generation), DeleGen (delegation), DVProxySign (signing) and DVProxyVerify (verification):
(1) Setup (parameter initialization): takes the security parameter $1^{\lambda}$ and outputs the master key $mk$ and the system parameters $params$.
(2) KeyGen (key generation): takes $params$ and outputs the original signer's key pair $(pk_a, sk_a)$ and the proxy signer's key pair $(pk_b, sk_b)$.
(3) AttrKeyGen (attribute key generation): takes the designated verifier's attribute set $\omega$ and outputs the attribute key pair $(pk_c, sk_c)$.
(4) DeleGen (delegation): takes the original signer's private key $sk_a$ and the delegate token $w$ (chosen by the original signer) and outputs the authorization token $\delta$.
(5) DVProxySign (signing): takes the proxy signer's private key $sk_b$, the authorization token $\delta$, the designated verifier's attribute public key $pk_c$ and the message $m$, and outputs the proxy signature $\sigma$.
(6) DVProxyVerify (verification): takes the designated verifier's attribute private key $sk_c$, the authorization token $\delta$, the proxy signature $\sigma$, the original signer's public key $pk_a$, the proxy signer's public key $pk_b$ and the predicate; if the predicate evaluates to 1, verification passes, "accept" is output and the message $m$ is recovered; otherwise "reject" is output.
1. Security model
In this embodiment the attribute authority and the private key generator are assumed honest and reliable: the private information held by the attribute authority is not leaked, and the private key generator distributes users' keys over a secure channel. The deployment agency and the medical server are honest but curious, i.e. they follow the existing algorithms and protocols but try to infer users' private information from the data they see. According to the characteristics of the scheme, three types of adversary are considered:
(1) $A_1$ (type 1): the adversary obtains only the original signer's public key $pk_a$, the proxy signer's public key $pk_b$ and the designated verifier's attribute public key $pk_c$, and then tries to produce a forged signature.
(2) $A_2$ (type 2): the adversary obtains the original signer's key pair $(pk_a, sk_a)$, the proxy signer's public key $pk_b$ and the designated verifier's attribute public key $pk_c$, and then tries to produce a forged signature.
(3) $A_3$ (type 3): the adversary obtains the proxy signer's key pair $(pk_b, sk_b)$, the original signer's public key $pk_a$ and the designated verifier's attribute public key $pk_c$, and then tries to produce a forged signature.
Clearly, if the scheme resists $A_2$ or $A_3$ it also resists $A_1$, so the analysis below considers only $A_2$ and $A_3$. Before the adversary model is given, the oracle queries that adversary A may make to challenger C are defined:
(1) Attribute query: for an attribute $i \in \omega$, C returns its hash value to A.
(2) Authorization token query: for a delegate token $w \in \{0,1\}^*$, C returns its hash value to A.
(3) Public key query: for a designated verifier's attribute set $\omega$, C returns the attribute public key $pk_c$ to A.
(4) Proxy signature query: for a designated verifier and a message $m \in \{0,1\}^*$, C returns a correct proxy signature $\sigma$ to A.
2. Scheme construction
(1) Setup (parameter initialization): first define the residue field $\mathbb{Z}_p$ modulo a prime $p$, a global attribute set containing all possible attributes, a dummy attribute set $\Omega = \{\Omega_1, \Omega_2, \ldots, \Omega_{d-1}\}$ over $\mathbb{Z}_p$ that is disjoint from the global attribute set, and an attribute set $\omega^*$ of $n$ elements drawn from the global attribute set. From the additive cyclic group choose a random first generator $g$, choose a random $\alpha \in \mathbb{Z}_p$ and compute $g_1 = g^{\alpha}$. Choose a random second generator $g_2$ and compute $E = e(g_1, g_2)$, where $e$ is the bilinear map and $E$ its result. Construct four collision-resistant hash functions $H_1$, $H_2$, $F_1$, $F_2$: here $l_1$ and $l_2$ are positive integer lengths whose sum is fixed by the prime $p$; $H_1$ and $H_2$ map inputs of arbitrary length into their respective ranges, $F_1$ maps strings of length $l_2$ to length $l_1$, and $F_2$ maps strings of length $l_1$ to length $l_2$. The public system parameters are $params = (g, g_1, g_2, g_3, d, E, H_1, H_2, F_1, F_2)$ and the master key is $mk = \alpha$.
(2) KeyGen (key generation): the user randomly chooses two elements $x_a, x_b \in \mathbb{Z}_p$ and derives from them the original signer's key pair $(pk_a, sk_a)$ and the proxy signer's key pair $(pk_b, sk_b)$, the public keys being powers of $g$.
(3) AttrKeyGen (attribute key generation): the designated verifier's attribute key pair is generated from its attribute set $\omega$ by the following steps:
(1) randomly choose a polynomial $q(\cdot)$ of degree $d-1$ (to be used with Lagrange interpolation) such that $q(0) = \alpha$;
(2) build a first attribute set from the designated verifier's attributes and the dummy attribute set $\Omega$;
(3) for each attribute $i$ in that set, randomly choose a first group element and compute from it the attribute public key $pk_c$ and the attribute private key $sk_c$;
(4) output the attribute key pair $(pk_c, sk_c)$.
(4) DeleGen (delegation): to delegate the original signer's signing authority to the proxy signer, the original signer first generates a delegate token $w$ for the proxy signer, computes the authorization token $\delta$ from its private key and $w$, and sends $(w, \delta)$ to the proxy signer.
(5) DVProxySign (signing): given the authorization token $\delta$, the designated verifier's attribute public key $pk_c$ and the proxy signer's private key $sk_b$, the proxy signature on a message $m$ of length $l_2$ is constructed as follows:
(1) establish an attribute subset $\omega' \subseteq \omega^*$ containing $k$ attributes;
(2) extract a dummy attribute subset $\Omega'$ from the dummy attribute set $\Omega$ with $|\Omega'| = d - k$;
(3) for every attribute $i \in \omega^* \cup \Omega'$, randomly choose a second group element $r_i'$, giving $n + d - k$ components;
(4) compute the blinded message $f$ from $m$ using $F_1$, $F_2$, concatenation and exclusive-or;
(5) compute $M = H_2(E) + f$, the encryption of the message;
(6) construct the proxy signature $\sigma = (M, \sigma_1, \sigma_2)$ with $\sigma_2 = (\sigma_i)_{i \in \omega^* \cup \Omega'}$, where $\sigma_1$ is the first parameter, $\sigma_2$ the second parameter, $\sigma_i$ the intermediate parameters and $\Delta_{i,S}(\cdot)$ the Lagrange basis polynomial used to form them.
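The threshold mechanism that AttrKeyGen defines (S101-S103: a degree-(d-1) polynomial with q(0) = α, one share per attribute) and that DVProxySign consumes (S401-S403: k real attributes from ω* plus d-k dummy attributes from Ω) can be exercised on its own. The following is an added illustration, not code from the patent: it works entirely in Z_p, so the group exponentiation, the blinding elements r_i' and the pairing are omitted, and the prime, the attribute ids and the sample attribute sets are constructed here. What it shows is that a signing set of exactly d points recovers q(0) = α through the Lagrange basis Δ_{i,S}(0), while any d-1 points recover a different value.

```python
# Added illustration (not the patent's code): threshold attribute-key shares
# from a degree-(d-1) polynomial with q(0) = alpha, and their reconstruction
# with the Lagrange basis Delta_{i,S}(0). Everything is done in Z_p; the patent
# additionally lifts the shares into the group and pairs them (omitted here).
import secrets

P = (1 << 127) - 1  # a Mersenne prime standing in for the scheme's prime p


def lagrange_basis_at_zero(i, S, p=P):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j)  mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def eval_poly(coeffs, x, p=P):
    """Horner evaluation of q(x) = coeffs[0] + coeffs[1]*x + ... mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share_master_key(alpha, d, attribute_ids, p=P, coeffs=None):
    """AttrKeyGen step S101: pick q of degree d-1 with q(0) = alpha and hand out
    q(i) for every attribute id i (real or dummy). coeffs may be fixed for tests."""
    if coeffs is None:
        coeffs = [alpha % p] + [secrets.randbelow(p) for _ in range(d - 1)]
    if len(coeffs) != d or coeffs[0] != alpha % p:
        raise ValueError("q must have degree d-1 and q(0) = alpha")
    return {i: eval_poly(coeffs, i, p) for i in attribute_ids}


def choose_signing_set(verifier_attrs, global_attrs, dummy_attrs, k):
    """DVProxySign steps S401-S402: omega' = k of the verifier's real attributes,
    Omega' = d-k dummy attributes, so that |omega' u Omega'| = d exactly."""
    d = len(dummy_attrs) + 1  # d = |Omega| + 1
    if not 1 <= k <= d:
        raise ValueError("need 1 <= k <= d")
    omega_prime = sorted(set(verifier_attrs) & set(global_attrs))[:k]
    if len(omega_prime) < k:
        raise ValueError("verifier does not hold k attributes from the global set")
    Omega_prime = sorted(dummy_attrs)[: d - k]
    return omega_prime + Omega_prime


def reconstruct(shares, p=P):
    """sum_{i in S} q(i) * Delta_{i,S}(0): equals q(0) exactly when the d points
    of the degree-(d-1) polynomial are all present."""
    S = list(shares)
    return sum(shares[i] * lagrange_basis_at_zero(i, S, p) for i in S) % p


def run_demo(alpha=0x2A, k=2, coeffs=None):
    # Constructed sample data: attribute ids are just nonzero field elements.
    global_attrs = {1: "cardiology", 2: "icu", 3: "telemetry", 4: "radiology"}
    dummy_attrs = {101, 102}       # Omega, disjoint from the global set, so d = 3
    verifier_attrs = {2, 3, 4}    # the designated verifier's attribute set omega
    d = len(dummy_attrs) + 1
    shares = share_master_key(alpha, d, list(global_attrs) + sorted(dummy_attrs), coeffs=coeffs)
    signing_set = choose_signing_set(verifier_attrs, global_attrs, dummy_attrs, k)
    full = reconstruct({i: shares[i] for i in signing_set})        # d points: recovers alpha
    short = reconstruct({i: shares[i] for i in signing_set[:-1]})  # d-1 points: does not
    return {"d": d, "signing_set": signing_set, "full": full, "short": short}
```

The verifier with fewer than k matching real attributes cannot assemble d points even with every dummy share, which is exactly the case the AttrKey-Query of the proof of Theorem one models with |ω* ∩ ω| < k.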
(6) DVProxyVerify (verification): given the proxy signature $\sigma$, the authorization token $\delta$, the designated verifier's attribute private key $sk_c$ and the predicate, let $\mu$ be the value accumulated from $sk_c$. The designated verifier accepts the signature as correct provided the predicate holds and the verification equation is satisfied.
The message $m$ is then recovered from $f$.
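The blinding in step (4) of DVProxySign and the recovery of m from f in DVProxyVerify rely on the two length-converting hash functions F_1 (l_2 to l_1) and F_2 (l_1 to l_2). The following is an added illustration, not code from the patent: F_1, F_2 and H_2 are instantiated here from SHA-256 with l_1 = l_2 = 16 bytes, the padding layout f = F_1(m) ‖ (F_2(F_1(m)) ⊕ m) is an assumption standing in for the patent's garbled formula for f, the pairing value E is a constructed stand-in, and M = H_2(E) ⊕ f is used where the patent writes H_2(E) + f. What it shows is the redundancy check that lets the verifier both recover m and reject a tampered M or a wrong E.

```python
# Added illustration (not the patent's code) of message blinding with
# F_1: {0,1}^{l_2} -> {0,1}^{l_1} and F_2: {0,1}^{l_1} -> {0,1}^{l_2}, and of
# recovery plus the redundancy check at the designated verifier. The padding
# layout f = F_1(m) || (F_2(F_1(m)) xor m) is an assumption; H_2 and the
# pairing value E are stand-ins; xor is used where the patent writes '+'.
import hashlib

L1 = 16  # l_1 in bytes: the redundancy half of f
L2 = 16  # l_2 in bytes: the message half of f


def F1(x: bytes) -> bytes:
    """F_1: l_2-byte input -> l_1-byte output (SHA-256, domain separated, truncated)."""
    if len(x) != L2:
        raise ValueError("F1 expects l_2 bytes")
    return hashlib.sha256(b"F1|" + x).digest()[:L1]


def F2(x: bytes) -> bytes:
    """F_2: l_1-byte input -> l_2-byte output."""
    if len(x) != L1:
        raise ValueError("F2 expects l_1 bytes")
    return hashlib.sha256(b"F2|" + x).digest()[:L2]


def H2(E: bytes) -> bytes:
    """H_2: arbitrary-length input -> l_1 + l_2 bytes; E stands in for e(g^alpha, g_2)."""
    return hashlib.sha256(b"H2|" + E).digest()[: L1 + L2]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def blind(m: bytes) -> bytes:
    """Step S404 (assumed layout): f = F_1(m) || (F_2(F_1(m)) xor m)."""
    if len(m) != L2:
        raise ValueError("message must be exactly l_2 bytes")
    f1 = F1(m)
    return f1 + xor(F2(f1), m)


def encrypt(E: bytes, f: bytes) -> bytes:
    """Step S405: M = H_2(E) xor f."""
    return xor(H2(E), f)


def recover(E: bytes, M: bytes):
    """Verifier side: strip H_2(E), split f into its l_1 and l_2 halves, recover m,
    and accept only if the redundancy F_1(m) matches. Returns None on rejection."""
    f = xor(H2(E), M)
    f1, f2 = f[:L1], f[L1:]
    m = xor(F2(f1), f2)
    if F1(m) != f1:
        return None
    return m


def run_demo():
    # Constructed sample: a 16-byte sensor reading and a stand-in pairing value.
    m = b"HR=72 SpO2=98%  "
    E = b"constructed-stand-in-for-e(g1,g2)"
    M = encrypt(E, blind(m))
    tampered = bytes([M[0] ^ 0x01]) + M[1:]
    return {
        "ok": recover(E, M),                       # the genuine M: m comes back
        "tampered": recover(E, tampered),          # one flipped bit: rejected
        "wrong_E": recover(b"some-other-value", M) # verifier without the right E: rejected
    }
```

Because F_1(m) is carried inside f, a verifier who cannot compute the correct E (i.e. one who is not the designated verifier) obtains garbage for f, and the redundancy check fails with overwhelming probability instead of yielding a plausible but wrong m.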
3. Security analysis
(a) Correctness
The scheme satisfies the verification equation.
(b) Existential unforgeability
Theorem one: the scheme is existentially unforgeable under chosen-message attack in the random oracle model, i.e. no adversary $A_2$ can forge a correct proxy signature in probabilistic polynomial time.
Proof: adversary $A_2$ knows the original signer's key pair $(pk_a, sk_a)$, the proxy signer's public key $pk_b$ and the designated verifier's attribute public key $pk_c$. To show that $A_2$ cannot obtain a correct proxy signature, the game between challenger C and $A_2$ is constructed as follows:
(1) Setup (parameter initialization): the attribute set $\Omega = \{\Omega_1, \Omega_2, \ldots, \Omega_{d-1}\}$ is given as the dummy attribute set. C chooses $g_1 = g^{\alpha}$ and $g_2 = g^{\beta}$, computes $E = e(g_1, g_2)$, and sends the public parameters $params = (g, g_1, g_2, d, E, H_1, H_2, F_1, F_2)$ to $A_2$.
(2) KeyGen (key generation): C chooses a random element of $\mathbb{Z}_p$ and uses the key pair derived from it as the original signer's key pair.
(3) Hash-Query: C keeps three hash tables $L_1$, $L_2$, $L_3$ holding the results of attribute queries, authorization queries and message queries respectively. The hash queries are simulated as follows:
(1) Attr-Query (attribute query): suppose $A_2$ makes $q_a$ attribute queries. For each queried attribute $i$: if $i$ is already in $L_1$, C returns $H_1(i)$ to $A_2$; otherwise, if $i \in \omega^* \cup \Omega'$, C chooses a random exponent, returns the corresponding hash value to $A_2$ and stores the pair in $L_1$; if $i \notin \omega^* \cup \Omega'$, C chooses a random exponent, returns the corresponding hash value to $A_2$ and stores the pair in $L_1$.
(2) Del-Query (authorization query): suppose $A_2$ makes $q_d$ authorization queries. C picks a random index $\eta \in (0, q_d)$. For each received delegate token $w_i$: if $w_i$ is already in $L_2$, C returns $H_1(w_i)$ to $A_2$; otherwise, if $i = \eta$, C chooses a random exponent, returns the corresponding hash value to $A_2$ and stores the pair in $L_2$; if $i \ne \eta$, C chooses a random exponent, returns the corresponding hash value to $A_2$ and stores the pair in $L_2$.
(3) Message-Query: suppose $A_2$ makes $q_m$ message queries. For each message $M_i$: if $M_i$ is already in $L_3$, C returns $H_1(M_i)$ to $A_2$; otherwise C chooses a random exponent, returns the corresponding hash value to $A_2$ and stores the pair in $L_3$.
(4) AttrKey-Query (attribute key pair query): suppose $A_2$ queries the attribute set $\omega$ with $|\omega^* \cap \omega| < k$. Define three sets $\Gamma$, $\Gamma'$, $S$ with $\Gamma = (\omega \cap \omega^*) \cup \Omega'$, $\Gamma \subseteq \Gamma' \subseteq \omega \cup \Omega$, $|\Gamma'| = d - 1$ and $S = \Gamma' \cup \{0\}$. C generates the attribute key pair as follows. For $i \in \Gamma'$, C chooses two random elements, fixes the degree-$(d-1)$ polynomial at $q(i) = \tau_i$, and computes the attribute key components from them. For the remaining $i \in \omega$, C looks up the record of $i$ in $L_1$ to obtain the value $a_i$, chooses a random element, and obtains $q(i)$ by Lagrange interpolation over the points in $S$.
C can then compute the values of $(pk_c, sk_c)$ for these remaining attributes $i$.
C returns $(pk_c, sk_c)$ to $A_2$.
(5) DSign-Query (proxy signature query): at this stage C simulates proxy signatures. Suppose $A_2$ makes $q_{ps}$ proxy signature queries. For each queried message $M_i$, C simulates as follows:
(1) compute $E = e(g_1, g_2)$;
(2) compute the blinded message $f_i$;
(3) compute $M_i = H_2(E) + f_i$;
(4) compute the signature components for $i \in \omega^* \cup \Omega'$;
and outputs the proxy signature $\sigma = (M_i, \sigma_1, \sigma_2)$.
From the above results, challenger C can then compute the required value.
If no adversary can forge a correct proxy signature in polynomial time, the scheme is existentially unforgeable against adversary $A_2$ under chosen-message attack.
Theorem two: the scheme is existentially unforgeable under chosen-message attack in the random oracle model, i.e. no adversary $A_3$ can forge a correct proxy signature in probabilistic polynomial time.
Proof: adversary $A_3$ knows the proxy signer's key pair $(pk_b, sk_b)$, the original signer's public key $pk_a$ and the designated verifier's attribute public key $pk_c$. To show that $A_3$ cannot obtain a correct proxy signature, the game between challenger C and $A_3$ is constructed as follows:
(1) Setup (parameter initialization): C randomly chooses a generator and a degree-$(d-1)$ polynomial $q$ with $q(0) = x$. It sets $sk_a = \alpha$, $pk_a = g_1 = g^{\alpha}$ and $g_2 = g^{\beta}$, computes $E = e(g_1, g_2)$, and sends the public parameters $params = (g, g_1, g_2, d, E, H_1, H_2, F_1, F_2)$ to $A_3$.
(2) KeyGen (key generation): C chooses a random element of $\mathbb{Z}_p$ and uses the key pair derived from it as the proxy signer's key pair.
(3) Hash-Query: C keeps three hash tables $L_1$, $L_2$, $L_3$ for attribute, authorization and message queries. Attribute and authorization queries are simulated as in Theorem one and are not repeated here. Suppose $A_3$ makes $q_m$ message queries; for each message $M_i$, C simulates as follows: if $M_i \ne M_v$, C returns the hash value and records $(M_i, H_1(M_i))$ in $L_3$; otherwise C chooses a random exponent, returns the corresponding hash value to $A_3$ and records the pair in $L_3$.
(4) DSign-Query (proxy signature query): suppose $A_3$ asks for a proxy signature on a message $M \in \{0,1\}^*$. C first generates $(pk_c, sk_c)$ with the AttrKey-Query of Theorem one, then generates an authorization token $\delta$ with the Del-Query of Theorem one, and finally simulates the proxy signature query as follows:
(1) if $M$ is already in $L_3$, C takes its recorded hash value and simulates a proxy signature $\sigma = (M, \sigma_1, \sigma_2)$ from it;
(2) otherwise C chooses a random exponent, simulates the proxy signature from it,
and records $(M, H_1(M))$ in $L_3$.
Challenger C can then compute the required value.
If no adversary $A_3$ can forge a correct proxy signature in polynomial time, the scheme is existentially unforgeable against adversary $A_3$ under chosen-message attack.
The performance comparison shows that the total computation cost of the scheme of this embodiment is 17.97 ms, which is efficient, and that, owing to the designated verifier and the message-recovery property, it satisfies all four security requirements with the shortest bandwidth, whereas the other compared schemes are less bandwidth-efficient and satisfy only some of the security requirements. The embodiment is therefore suited to a telemedicine system.
The embodiment of the invention achieves user anonymity by replacing the user's real identity with a set of user-related attributes. It allows the proxy signer to sign messages on behalf of the original signer and allows the designated verifier to verify the proxy signature. It has also been shown that the scheme is existentially unforgeable against adversaries A_2 and A_3.
Embodiment two:
The invention also provides a remote medical agent signature verification system comprising an attribute authority, a private key generator, an original signer, a proxy signer and a designated verifier.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A method for verifying a signature of a remote medical agent, comprising the steps of:
S1: the attribute authority generates the user's attribute information from the user's personal information and sends it to the private key generator;
S2: the private key generator generates, from the user's attribute information, the original signer's public-private key pair (pk_a, sk_a) and the proxy signer's public-private key pair (pk_b, sk_b), and, from the designated verifier's attribute set ω, the designated verifier's attribute public-private key pair (pk_c, sk_c); it then sends the original signer's private key sk_a to the original signer, sends the proxy signer's private key sk_b and the designated verifier's attribute public key pk_c to the proxy signer, and sends the original signer's public key pk_a, the proxy signer's public key pk_b and the designated verifier's attribute public-private key pair (pk_c, sk_c) to the designated verifier;
S3: the original signer generates an authorization token δ from its private key sk_a and the delegation token w, and sends δ to the proxy signer;
S4: the proxy signer generates a proxy signature σ from its private key sk_b, the authorization token δ, the designated verifier's attribute public key pk_c and the message m, and sends σ to the designated verifier;
S5: the designated verifier verifies using its attribute private key sk_c, the authorization token δ, the proxy signature σ, the original signer's public key pk_a and the proxy signer's public key pk_b, and recovers the message m if the verification passes.
2. The telemedicine agent signature verification method as set forth in claim 1, wherein the private key generator generates the original signer's public-private key pair (pk_a, sk_a) and the proxy signer's public-private key pair (pk_b, sk_b) as follows: it randomly selects two elements x_a and x_b in the residue class field modulo p and generates the original signer's public-private key pair and the proxy signer's public-private key pair from the two selected elements, where sk_a is the original signer's private key, pk_a is the original signer's public key, sk_b is the proxy signer's private key, pk_b is the proxy signer's public key, and g is a preset first generator.
3. The telemedicine agent signature verification method as set forth in claim 1, wherein the private key generator generates the designated verifier's attribute public-private key pair (pk_c, sk_c) as follows:
S101: randomly select a Lagrange interpolation polynomial q(·) of degree d-1 such that q(0) = α, where α is the preset master key;
S102: construct a first attribute set satisfying the prescribed condition, where Ω = {Ω_1, Ω_2, …, Ω_{d-1}} is the dummy attribute set, whose elements lie in the residue class field modulo p, and d is the number of elements of the dummy attribute set Ω plus 1;
S103: for each attribute in that set, randomly select a first group element and compute the attribute public key pk_c and the attribute private key sk_c from it;
where g is a preset first generator of the preset additive cyclic group, g_2 is a preset second generator, and H_1(·) is a preset first collision-resistant hash function.
4. The telemedicine agent signature verification method as set forth in claim 1, wherein the original signer computes the authorization token δ as follows:
where H_1(·) is the preset first collision-resistant hash function, x_a is the element of the residue class field modulo p that was selected to generate the original signer's public-private key pair, and w is the delegation token.
5. The telemedicine agent signature verification method as set forth in claim 1, wherein the proxy signature is constructed as follows:
S401: form an attribute subset ω' containing k attributes and satisfying the prescribed relation, where ω* denotes a set of any n attributes drawn from the preset global attribute set;
S402: extract a dummy attribute subset Ω' from the dummy attribute set Ω with |Ω'| = d - k, where |Ω'| is the number of elements of Ω', d is the number of elements of the dummy attribute set Ω plus 1, and k is the number of elements of the attribute subset ω';
S403: for every attribute i ∈ ω* ∪ Ω', randomly select a second group element r_i', giving n + d - k components in total;
S404: blind the message as follows:
where f is the blinded message, F_1 and F_2 are preset third and fourth collision-resistant hash functions, || denotes concatenation, and ⊕ denotes exclusive-or;
S405: encrypt the message as follows:
M = H_2(E) + f
E = e(g^α, g_2)
where M is the encrypted message, H_2 is the preset second collision-resistant hash function, E is the bilinear map result, e is the bilinear map, g is the preset first generator of the preset additive cyclic group, g_2 is the preset second generator, and α is the preset master key;
S406: construct the proxy signature σ = (M, σ_1, σ_2), with:
σ_2 = {σ_i : i ∈ ω* ∪ Ω'}
where σ_1 is the first component, σ_2 is the second component, σ_i are the intermediate values, H_1(·) is the preset first collision-resistant hash function, and Δ_{i,S}(·) is the Lagrange basis polynomial.
6. The telemedicine agent signature verification method as set forth in claim 1, wherein the verification in step S5 passes when both of the following conditions hold:
where the predicate symbol denotes the predicate formula, and μ denotes the accumulated value derived from the attribute private key sk_c.
7. The telemedicine agent signature verification method as set forth in claim 1, wherein the message m is recovered from the blinded message f as follows:
where F_1 and F_2 are the preset third and fourth collision-resistant hash functions, l_1 and l_2 are message lengths, F_1 maps a message of length l_2 to one of length l_1, F_2 maps a message of length l_1 to one of length l_2, and ⊕ denotes exclusive-or.
8. A remote medical agent signature verification system, characterized in that it comprises an attribute authority, a private key generator, an original signer, a proxy signer and a designated verifier, and implements the steps of the method according to any one of claims 1 to 7.
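The two parts of claims 3, 5 and 7 that live entirely in the residue class field and in plain hashing can be exercised without a pairing library: the degree-(d-1) attribute polynomial with q(0) = α and its Lagrange basis Δ_{i,S}, including the dummy-attribute padding |Ω'| = d - k of S401/S402, and the message blinding and recovery with F_1 and F_2. The block below is an added example written for this page, not code from the patent or its authors. It assumes a toy prime p in place of the group order, attributes already encoded as distinct non-zero field elements, SHA-256 based F_1/F_2, and the blinding layout f = F_1(m) || (F_2(F_1(m)) ⊕ m), which matches the length maps of claim 7 but is not spelled out in the text; the pairing-based signature σ_1, σ_2 and the check of claim 6 are not implemented.

```python
import hashlib
import secrets

P = 2**127 - 1   # assumed toy prime standing in for the group order (not the patent's parameter)
L1, L2 = 16, 32  # assumed lengths in bytes: |F1(.)| = L1, |m| = |F2(.)| = L2


def lagrange_coeff(i, S, x=0, p=P):
    """Lagrange basis polynomial Delta_{i,S}(x) over the residue class field mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def attribute_shares(alpha, d, attributes, p=P):
    """Claim 3, S101 and S103: random polynomial q of degree d-1 with q(0) = alpha,
    and one share q(i) per attribute i (real and dummy attributes alike).
    Attributes are assumed to be distinct non-zero field elements."""
    coeffs = [alpha % p] + [secrets.randbelow(p) for _ in range(d - 1)]

    def q(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return {i: q(i) for i in attributes}


def reconstruct(shares, S, p=P):
    """sum_{i in S} q(i) * Delta_{i,S}(0); equals q(0) only when |S| >= d."""
    return sum(shares[i] * lagrange_coeff(i, S, 0, p) for i in S) % p


def F1(m):
    """F1: length L2 -> length L1 (assumed SHA-256 construction)."""
    return hashlib.sha256(b"F1" + m).digest()[:L1]


def F2(t):
    """F2: length L1 -> length L2 (assumed SHA-256 construction)."""
    return hashlib.sha256(b"F2" + t).digest()[:L2]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blind(m):
    """Claim 5, S404 (assumed layout): f = F1(m) || (F2(F1(m)) XOR m)."""
    if len(m) != L2:
        raise ValueError("message must be exactly L2 bytes")
    t = F1(m)
    return t + xor(F2(t), m)


def recover(f):
    """Claim 7: m = [f]_{L2} XOR F2([f]^{L1}); the redundancy check F1(m) == [f]^{L1}
    rejects a tampered f instead of returning garbage."""
    if len(f) != L1 + L2:
        return None
    t, rest = f[:L1], f[L1:]
    m = xor(F2(t), rest)
    return m if F1(m) == t else None


def demo():
    alpha = secrets.randbelow(P)
    d = 4                             # dummy attribute set Omega has d - 1 = 3 elements
    real = [11, 12, 13, 14, 15]       # verifier's real attributes (assumed encoding)
    dummy = [1001, 1002, 1003]        # Omega (assumed encoding)
    shares = attribute_shares(alpha, d, real + dummy)

    # S401/S402: the signer's attributes overlap the verifier's in only k = 2
    # real attributes, so d - k = 2 dummy attributes pad the set up to the threshold d.
    k_set = [11, 12]
    S = k_set + dummy[: d - len(k_set)]
    threshold_ok = reconstruct(shares, S) == alpha
    under_threshold_ok = reconstruct(shares, S[:-1]) == alpha   # d - 1 shares: wrong value

    m = secrets.token_bytes(L2)       # constructed sample message
    f = blind(m)
    tampered = bytearray(f)
    tampered[-1] ^= 0x01
    return {
        "threshold": threshold_ok,
        "under_threshold": under_threshold_ok,
        "recover": recover(f) == m,
        "tamper_rejected": recover(bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the claims state but do not show: because q has degree d-1, a verifier holding fewer than d shares computes a value that is simply wrong rather than an error, which is why the dummy attributes Ω' exist (they lift a k-attribute overlap to the threshold d) and why the pairing check of claim 6 must reject rather than trust the recovered value; and the redundancy F_1(m) inside f is what turns message recovery into an integrity check, since a flipped bit in f yields an m whose F_1 no longer matches.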

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310550117.6A CN116527275A (en) 2023-05-16 2023-05-16 Remote medical agent signature verification method and system

Publications (1)

Publication Number Publication Date
CN116527275A true CN116527275A (en) 2023-08-01

Family

ID=87394020

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310550117.6A Pending CN116527275A (en) 2023-05-16 2023-05-16 Remote medical agent signature verification method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692150A (en) * 2024-02-01 2024-03-12 深圳市纽创信安科技开发有限公司 Signature generation and signature verification method and computer equipment
CN117692150B (en) * 2024-02-01 2024-05-24 深圳市纽创信安科技开发有限公司 Signature generation and signature verification method and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination