CN116743431B - Certificate-free aggregation signature data security protection method and system based on pairing-free - Google Patents


Info

Publication number: CN116743431B
Application number: CN202310526605.3A
Authority: CN (China)
Prior art keywords: sensor, digital device, signature, aggregate, digital
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116743431A
Inventors: 胡春强, 陈希, 邓绍江, 向涛, 蔡斌, 桑军
Current assignee: Chongqing University
Original assignee: Chongqing University
Application filed by Chongqing University; priority to CN202310526605.3A; publication of CN116743431A; application granted; publication of CN116743431B.

Classifications

    • H04L63/126 Network security: applying verification of the source of the received data
    • H04L63/0421 Network security: anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L67/12 Network services: protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/3297 Cryptographic mechanisms for message authentication (data integrity, non-repudiation, key authentication) involving time stamps, e.g. generation of time stamps
    • H04L9/40 Network security protocols

Abstract

The invention provides a pairing-free, certificate-free aggregate signature data security protection method and system comprising the following steps: a system initialization step; a secret value selection step, in which a digital device secret value and a sensor secret value are selected; partial key extraction, in which a digital device partial private key is generated for the digital device and a sensor partial private key for each sensor; a complete key generation step; uploading and verifying sensor data signatures, in which each sensor sends its own signature and message as a sensor tuple to be verified; aggregate signature and verification, in which an aggregate signature is generated from the signatures of all sensors and an aggregate message from all sensor messages, and the server accepts the aggregate signature and aggregate message once verification passes. The absence of pairings reduces computational overhead; aggregating multiple sensor signatures into one single signature reduces signature verification time; the scheme provides anonymity, which solves the privacy protection problem, and resists replay attacks by verifying the freshness of the message through the timestamp.

Description

Certificate-free aggregation signature data security protection method and system based on pairing-free
Technical Field
The invention relates to the technical field of data security, in particular to a pairing-free certificate-free aggregation signature data security protection method and system.
Background
At present, the internet of things is widely applied in various fields, and some deployments involve private data, such as the medical internet of things and the smart home internet of things. In these, data collected by sensors is generally uploaded to a digital device (PDA, such as a personal mobile phone or tablet computer), which transmits the data to a server over a public network. Research shows that data can be subject to various attacks during public network transmission: an attacker can tamper with and falsify data so that the server cannot process it timely, accurately and effectively, and an attacker can also obtain the data via the public network, causing unnecessary loss.
Taking the medical internet of things as an application example: it connects residents, patients, medical staff, medicines and various medical equipment and facilities using intelligent internet of things and communication technology, and supports automatic identification, positioning, acquisition, tracking, management and sharing of medical data, so that intelligent medical treatment of people and intelligent management of objects are realized; this greatly changes the existing medical environment and improves the level of medical care. The patient monitors physical health in real time using the medical internet of things and transmits the monitoring data to the server over a public network using a digital device (PDA) such as a mobile phone or tablet; the server analyzes the data, makes corresponding decisions and provides medical services for the patient. The patient can observe the collected data through the PDA to check their body state and make corresponding adjustments. An attacker can tamper with and falsify data over the public network, so that the server cannot process the data timely, accurately and effectively, which in turn threatens the life and health of the patient. Meanwhile, an attacker can obtain private information about the patient through the public network, causing unnecessary loss.
Digital signatures are a public key cryptosystem, a technique used to verify the integrity of digital information and authenticate the identity of the sender. Digital signatures can prevent data from being tampered with, repudiated and counterfeited. Since more than one sensor is deployed in the internet of things, for example more than one sensor on a patient, how to efficiently verify and protect such data in bulk is a problem to be solved.
Existing digital signature schemes can be summarized in three categories:
(1) Digital signature scheme based on traditional public key
Traditional public key digital signatures are a Public Key Infrastructure (PKI) based digital signature scheme that uses digital certificates to prove the authenticity of digital signatures and the identity of the sender. In the public key digital signature scheme with a certificate, a sender generates a digital signature and sends the digital signature to a receiver together with the sender's digital certificate. The receiver verifies the authenticity of the digital certificate using the public key of the CA and verifies the authenticity of the digital signature using the public key of the sender. If the digital signature is valid and the digital certificate is also authentic, the recipient may trust the integrity and authenticity of the document and be confident of the identity of the sender. Public key digital signature schemes with certificates are widely applied to the fields of network communication, medical health and the like, and can effectively prevent tampering, fraud and illegal access. In addition, it can also provide the functions of identity authentication and confidentiality protection, thereby protecting the security and reliability of data.
However, the drawbacks of the digital signature scheme based on the conventional public key mainly include trust chain problem, man-in-the-middle attack risk, theft risk of private key, certificate revocation problem, high certificate management cost, and the like. The certificate needs to be verified for authenticity through a trust chain, which may be broken by an attack, resulting in unreliable certificates. Man-in-the-middle attacks can fool the user by forging certificates, and theft of private keys can also lead to unreliability of signatures. Certificate revocation requires a lot of costs, and the revocation of certificates may be inconvenient for normal business operations, and the cost of certificate management is also high, which affects the competitiveness of the enterprise.
(2) Digital signature scheme based on identity encryption
Digital signature based on identity encryption is an encryption technique (ID-based cryptographic signature) used to verify the authenticity and integrity of data. It uses public key encryption and a hash function, while encrypting in combination with the signer's identity information. In this technique, a signer signs a document using its own private key, and a receiver verifies the authenticity of the signature using the public key of the signer and the hash value of the document. This encryption technique has a high degree of security because the signer's identity information is incorporated into the encryption process, resulting in a reduced risk of falsifying the signature. Digital signature based on identity encryption is widely applied to the fields of electronic commerce, digital certificates, medical health and the like, and plays a positive role in guaranteeing network safety and information safety.
However, the identity-based encryption digital signature scheme has some drawbacks, although it has advantages in terms of simplifying the PKI public key infrastructure and improving the signature efficiency. First, the trustworthiness of the ID-based encryption algorithm requires full trust of the private key generator, otherwise the private key may be stolen. Secondly, identity authentication by using the ID and solving the problem of key distribution need to support an efficient public key association center (Key Issuance Center) to manage the mapping relationship between the ID and the private key, otherwise, security is difficult to ensure. In addition, because the private key is bound to the ID, the user must reissue a new private key when modifying his ID, which poses a challenge to the scalability of the system. Finally, the ID-based digital signature has a potential security vulnerability different from that of the conventional digital signature, such as disguising as an attack mode of a legal user, and needs to enhance precautionary measures.
(3) Digital signature scheme based on no certificate
The certificateless digital signature scheme is a digital signature technology without digital certificates that adopts special algorithms to realize signature verification. In this scheme, the signer and verifier use the same secret key for digital signing and verification. The proposal has the advantages of simplifying the digital signature process, reducing the management and maintenance cost of digital certificates and improving the efficiency of digital signatures. However, the certificateless digital signature scheme has some security drawbacks; for example, a signer's secret key may be compromised, resulting in forgery of the signature. Therefore, in practical applications, in-depth security analysis and evaluation of such solutions is needed to ensure that they provide adequate security. The certificateless signature scheme needs no certificate management, has no key escrow problem, and can be well applied to the medical internet of things, but existing certificateless schemes have certain defects: some consume excessive communication and computation, which is a huge expenditure for resource-limited sensors, and some also have related security problems.
In the prior art, the Chinese patent with publication number CN111245625A discloses a certificateless aggregate digital signature method. That patent aims to resist public key substitution attacks by an adversary: part of the user's public key information is added in the user key generation step, the relevance between the user public key information and the hash function is strengthened, the key generation center is constrained by the user when generating the user private key, and signature security is improved. However, that patent mainly concerns signature verification between two parties, a user and a key generation center; it is not suited to three-party signature verification involving a sensor, a digital device (PDA) and a data center, as in the internet of things, it has no capability to resist replay attacks, and its signature security remains to be improved.
Disclosure of Invention
The invention aims to at least solve the technical problems in the prior art and provides a certificate-free aggregation signature data security protection method and system based on pairing-free.
To achieve the above object of the present invention, according to a first aspect of the present invention, there is provided a pairing-free and certificate-free aggregated-signature data security protection method including: a system initialization step: the server acquires and broadcasts system parameters; a secret value selection step: the digital device selects a digital device secret value, generates a digital device parameter set based on the digital device secret value, and sends the digital device parameter set to the server; each sensor selects a sensor secret value; partial key extraction: the server generates a digital device partial private key for the digital device according to the digital device parameter set, and generates a sensor partial private key for each sensor; a complete key generation step: the digital device generates a digital device complete private key and a digital device complete public key, and each sensor generates a corresponding sensor complete private key and sensor complete public key; uploading and verifying sensor data signatures: each sensor computes a signature over its sensor data, forms a sensor tuple from the signature and its message, and sends the sensor tuple to the digital device, where the message of each sensor comprises the sensor data, the anonymity of the sensor and the current timestamp of the sensor; the digital device accepts the sensor tuple after verifying that it is legitimate; aggregate signature and verification: the digital device generates an aggregate signature based on the signatures of all the sensors and an aggregate message based on the messages of all the sensors, where the aggregate message comprises the current timestamp of the digital device, and sends the aggregate signature and the aggregate message to the server; the server verifies the aggregate signature and the aggregate message, and accepts them after the verification is passed.
In order to achieve the above object of the present invention, according to a second aspect of the present invention, there is provided an internet of things system comprising a plurality of sensor nodes, at least one digital device in connection communication with the plurality of sensor nodes, and a server in connection communication with the digital device, the sensor nodes, the digital device and the server secure sensor data according to the method of the first aspect of the present invention.
The scheme realizes data security protection among the sensor, the PDA and the server. By adopting a pairing-free method it reduces the calculation cost and addresses the energy consumption problem of resource-limited sensors, and by having the PDA aggregate the signatures of a plurality of sensors into a single signature it reduces the signature verification time. The scheme provides anonymity: an adversary cannot infer the real identities of the sensor and the PDA by analyzing the data sent by the same sensor or the same PDA together with their pseudo identities (anonymities), and because pseudo identities are used, the sensor and the PDA cannot be tracked, which solves the privacy protection problem; in special cases, however, the server can trace the real identity of a sensor or PDA from the stored information, so anonymity is traceable. In this scheme the signature process and the verification process verify the freshness of the message through the timestamp, so the scheme can resist replay attacks.
Drawings
FIG. 1 is a flow diagram of a pairing-free, certificate-free aggregate signature data security protection method of the present invention;
FIG. 2 is a schematic diagram of the procedure of the secret value selection step in the present invention;
FIG. 3 is a schematic diagram of a partial key extraction step process of the present invention;
FIG. 4 is a schematic process diagram of the sensor data signature upload and verification steps of the present invention;
FIG. 5 is a schematic diagram of the process of aggregating signatures and verification steps in the present invention;
FIG. 6 is a schematic diagram of a framework of the Internet of things system of the present invention;
FIG. 7 is a schematic diagram of a framework of the internet of things in the medical field.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
In the description of the present invention, it should be understood that the terms "longitudinal," "transverse," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate orientations or positional relationships based on the orientation or positional relationships shown in the drawings, merely to facilitate describing the present invention and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present invention.
In the description of the present invention, unless otherwise specified and defined, it should be noted that the terms "mounted," "connected," and "coupled" are to be construed broadly, and may be, for example, mechanical or electrical, or may be in communication with each other between two elements, directly or indirectly through intermediaries, as would be understood by those skilled in the art, in view of the specific meaning of the terms described above.
The invention discloses a pairing-free certificate-free aggregation signature data security protection method, which is shown in fig. 1 and comprises the following steps:
system initialization step S1: the server obtains and broadcasts system parameters.
The server is preferably, but not limited to, a cloud server; in the medical internet of things it is specifically a medical cloud server (MCS). The system initialization step S1 specifically includes:
Given a security parameter $1^\lambda$, the server selects a group $G$ of prime order $q$ with generator $P$, randomly selects a first parameter $s \in \mathbb{Z}_q^*$ (the residue classes modulo $q$) as the system master key $msk$, generates the system master public key $mpk$ (so that $mpk = s \cdot P$, which is what the verification equations below rely on), selects the hash functions $H_0, H_1, H_2, H_3, H_4$ and $H_5$, and broadcasts the system parameters $params = \{G, q, P, mpk, H_0 \sim H_5\}$.
Secret value selection step S2: the digital device selects a digital device secret value, generates a digital device parameter set based on the digital device secret value, and sends the digital device parameter set to the server; the sensor selects a sensor secret value.
Preferably, as shown in FIG. 2, the digital device parameter set includes the first exclusive-OR result $G_{ID}^*$ of the digital device group ID, the key expiration time $T_p$ of the digital device and the anonymity $PID_p$ of the digital device. After each sensor in the digital device's jurisdiction has obtained its sensor secret value, it sends its true identity $ID$ to the server. Further preferably, the secret value selection step S2 includes:
Step 201: the digital device randomly selects a second parameter $x_p \in \mathbb{Z}_q^*$ as the digital device secret value and, based on $x_p$, generates the digital device parameter set and sends it to the server. The parameter set is generated as follows: compute the digital device secret value public key $X_p = x_p \cdot P$ and publish it; obtain the group ID $G_{ID}$ of the digital device from its true identity $ID_p$ using the exclusive-or operator $\oplus$; obtain the first exclusive-or result $G_{ID}^*$ of the digital device group ID; obtain the anonymity $PID_p$ of the digital device, where $T_p$ denotes the key expiration time of the digital device.
Step 202: each sensor in the digital device's management area randomly selects a third parameter from $\mathbb{Z}_q^*$ as its sensor secret value, derives the sensor secret value public key from it and publishes that key, and sends its true identity $ID$ to the server. For the $j$-th sensor $SN_j$: it randomly selects $x_j \in \mathbb{Z}_q^*$ as its sensor secret value, computes the sensor secret value public key $X_j = x_j \cdot P$ and publishes $X_j$. The true identity of $SN_j$ is written $ID_j$, and $\bmod q$ denotes reduction modulo $q$.
Partial key extraction step S3: the server generates a digital device portion private key for the digital device based on the digital device parameter set, and the server generates a sensor portion private key for each sensor.
In the partial key extraction step S3, the sub-step of generating, by the server, a digital device partial private key for the digital device according to the digital device parameter set specifically includes:
randomly selecting a sixth parameter $c_p \in \mathbb{Z}_q^*$ and computing the partial public key of the digital device $C_p = c_p \cdot P$;
obtaining the digital device partial private key intermediate value $h_{1p} = H_1(PID_p, C_p, mpk, X_p)$;
obtaining the digital device partial private key $ppk_p = c_p + s \cdot h_{1p} \bmod q$, where $\bmod q$ denotes reduction modulo $q$;
obtaining the digital device element set $PPK_p = (C_p, ppk_p)$ and transmitting it to the digital device;
the digital device verifies the element set: it computes the intermediate value $h_{1p}$ itself and, if the equation $ppk_p \cdot P = C_p + mpk \cdot h_{1p}$ holds, accepts the digital device element set $PPK_p$.
In the partial key extraction step S3, the server generates a sensor partial private key for each sensor sub-step comprising:
for the $j$-th sensor, the server randomly selects a fourth parameter $u_j \in \mathbb{Z}_q^*$ and computes the sensor anonymity $PID_j$ of the $j$-th sensor, where $ID_j$ denotes the true identity of the $j$-th sensor and $T_j$ its key expiration time;
computing the partial public key $U_j = u_j \cdot P$ of the $j$-th sensor and its partial private key intermediate value $h_{1j} = H_1(PID_j, U_j, mpk, X_j)$;
computing the partial private key $ppk_j = u_j + s \cdot h_{1j} \bmod q$ of the $j$-th sensor;
obtaining the second exclusive-or result $G'_{ID}$ of the digital device group ID;
obtaining the $j$-th sensor element set $PPK_j = (U_j, ppk_j, G'_{ID})$ and transmitting it to the $j$-th sensor;
the $j$-th sensor verifies its element set: it computes the intermediate value $h_{1j}$ itself and, if the equation $ppk_j \cdot P = U_j + mpk \cdot h_{1j}$ holds, accepts the $j$-th sensor element set $PPK_j$.
In one embodiment, in order to store the information and ease later lookup, the partial key extraction step S3 further includes: the server creates a dictionary $D_p$ and a list $L_p$; after the digital device has verified its element set, the first parameter tuple $(G_{ID}, c_p, T_p)$ is added to the list $L_p$; after the $j$-th sensor has verified its element set, the second parameter tuple $(PID_j, u_j, T_j)$ is added to the list $L_p$; finally the entry with the digital device anonymity $PID_p$ as key and the list $L_p$ as value is added to the dictionary $D_p$.
As shown in fig. 3, the partial key extraction step S3 includes, when specifically executed:
step 301: MCS creates a dictionary D p Sum list L p For storing information about the PDA and SN; calculation of
Step 302: the server randomly selects the sixth parameterComputing partial public key C of digital device p =c p P, obtaining the partial private key calculation intermediate value h of the digital device 1p =H 1 (PID p ,C p ,mpk,X p ),ppk p =c p +s·h 1p modq,PPK p =(C p ,ppk p ). PPK is put into p =(C p ,ppk p ) Sent to the digital device PDA through a secure channel, the PDA calculates h 1p If ppk is p ·P=C p +mpk·h 1p The PDA accepts the PPK p . Tuple first parameter tuple (G ID ,c p ,T p ) Add to list L p Is a kind of medium.
Step 303: for the jth sensor, the server randomly selects a fourth parameterCalculating sensor anonymity of jth sensor +.>Wherein, ID j Representing the true identity ID, T of the jth sensor j A key expiration time representing a jth sensor; calculating partial public key U of jth sensor j =u j P; calculating partial private key intermediate value h of jth sensor 1j =H 1 (PID j ,U j ,mpk,X j ) The method comprises the steps of carrying out a first treatment on the surface of the Calculating partial private key ppk of jth sensor j =u j +s·h 1j modq; obtaining a second exclusive OR result of the digital device group ID: />Obtaining a j-th set of sensor elements PPK j =(U j ,ppk j ,G′ ID ) Transmitting the j-th set of sensor elements to the j-th sensor, and transmitting a second parameter tuple (PID j ,u j ,T j ) Add to list L p In (a) and (b);
step 304: according to anonymous PID with digital device p List L as key word p Anonymous PID for digital devices for value p Sum list L p Added to dictionary D p Is a kind of medium.
Complete key generation step S4: the digital device generates a digital device complete private key and a digital device complete public key; each sensor generates its own sensor complete private key and sensor complete public key. The complete private key of the digital device is $sk_p = (ppk_p, x_p)$ and its complete public key is $pk_p = (C_p, X_p)$, which is published; the complete private key of the $j$-th sensor is $sk_j = (ppk_j, x_j)$ and its complete public key is $pk_j = (U_j, X_j)$, which is published.
Sensor data signature upload and verification step S5: each sensor computes a signature over its sensor data, forms a sensor tuple from the signature and its message, and sends the sensor tuple to the digital device, where the message of each sensor comprises the sensor data, the anonymity of the sensor and the current timestamp of the sensor; the digital device accepts the sensor tuple after verifying that it is legitimate.
In one embodiment, as shown in fig. 4, the step S5 of uploading and verifying the sensor data signature specifically includes:
step 501, set the jth sensor SN j The data generated is M j The current timestamp of the jth sensor is t j Randomly selecting a fifth parameterComputing a first partial signature V of a jth sensor j =v j P, calculating the first signature intermediate value h of the jth sensor 2j =H 2 (M j ,PID j ,t j ,pk j ) Calculating a second signature intermediate value h of the jth sensor 3j =H 3 (M j ,PID j ,t j Mpk), calculate a second partial signature w of the jth sensor j =v j +x j ·h 2j +ppk j ·h 3j The signature of the j-th sensor is: sigma (sigma) j =(V j ,w j ) The method comprises the steps of carrying out a first treatment on the surface of the The sensor tuple of the j-th sensor is (σ j ,M j ,PID j ,t j )。
Each sensor sends a respective sensor tuple over the channel to the corresponding digital device PDA, step 502.
Step 503, the digital device verifies the sensor tuple of the j-th sensor: the digital device first verifies the current timestamp t of the j-th sensor j Whether the method is legal or not, executing the following steps: calculating partial private key intermediate value h of jth sensor 1j =H 1 (PID j ,U j ,mpk,H j ) First signature intermediate value h of jth sensor 2j And a second signature intermediate value h for the jth sensor 3j
Step 504, verifying whether the first equation is satisfied, and if so, accepting the sensor tuple of the j-th sensor; the first equation is: w (w) j ·P-V j =X j ·h 2j +h 3j ·(U j +mpk·h 1j )。
Aggregate signature and verification step S6: the digital device generates an aggregate signature based on the signatures of all the sensors, and generates an aggregate message based on the messages of all the sensors, wherein the aggregate message comprises the current time stamp of the digital device, and the aggregate signature and the aggregate message are sent to the server; the server verifies the aggregate signature and the aggregate message, and accepts the aggregate signature and the aggregate message after the verification is passed.
Preferably, the aggregating signature and verifying step S6 includes:
Step A: the digital device generates the aggregate signature and the aggregate message as follows. Compute the accumulated sum of the second partial signatures of all sensors, $W_J = \sum_{j=1}^{n} w_j$. Compute the aggregate signature intermediate value $h_{4p} = H_4(M_J, PID_J, T_J, pk_p, t_p)$, where $M_J = \{M_1, M_2, \dots, M_n\}$ is the data set of all sensors, $PID_J = \{PID_1, PID_2, \dots, PID_n\}$ is the set of anonymities of all sensors, $T_J = \{t_1, t_2, \dots, t_n\}$ is the timestamp set of all sensors, $t_p$ is the current timestamp of the digital device and n is the number of sensors. Compute the digital device signature $W_p$. Compute the collusion-attack-resistant signature $Z = H_5(w_1 \cdot P - V_1 \,\|\, w_2 \cdot P - V_2 \,\|\, \dots \,\|\, w_n \cdot P - V_n)$, where $\|$ denotes concatenation of the data before and after it. Take $(M_J, PID_J, T_J, PID_p, t_p)$ as the aggregate message and $\sigma_p = (W_J, W_p, Z)$ as the aggregate signature corresponding to it, and send the aggregate signature and the aggregate message to the server.
Step B: the server verifies the aggregate signature and the aggregate message as follows. Verify whether the timestamp set $T_J$ of all sensors and the current timestamp $t_p$ of the digital device are legal; if so, compute the partial private key intermediate value, the first signature intermediate value and the second signature intermediate value of each sensor, and compute the collusion-attack-resistant signature intermediate value of each sensor, which for the j-th sensor is $z_j = X_j \cdot h_{2j} + h_{3j} \cdot (U_j + mpk \cdot h_{1j})$. Compute the aggregate signature intermediate value. Verify whether the second equation and the third equation hold; only when both hold at the same time does the server accept the aggregate signature and the aggregate message. The second equation is $Z = H_5(z_1 \,\|\, z_2 \,\|\, \dots \,\|\, z_n)$; the third equation is $W_p = W_J \cdot [X_p + (C_p + mpk \cdot h_{1p}) \cdot h_{4p}]$.
In the present embodiment, the collusion-attack-resistant signature $Z = H_5(w_1 \cdot P - V_1 \,\|\, w_2 \cdot P - V_2 \,\|\, \dots \,\|\, w_n \cdot P - V_n)$ exploits the collision resistance of the hash function, so that collusion attacks by malicious sensor nodes can be resisted. Collision resistance of a hash function means that two different values x1, x2 with h(x1) = h(x2) cannot be found in polynomial time. In addition, by changing the key generation order, the embodiment ensures that the scheme achieves level-3 trust security comparable with traditional public key schemes. Specific meaning of a collusion attack: such an attacker obtains n private keys with the aim of aggregating several invalid individual signatures into a valid aggregate signature. For example, an adversary holding two private keys generates, for messages $M_1$ and $M_2$, the two illegal signatures $w_1 = v_1 + x_1 \cdot h_{21} + ppk_1 \cdot h_{31} + y$ and $w_2 = v_2 + x_2 \cdot h_{22} + ppk_2 \cdot h_{32} - y$ for some value y; nevertheless $W = w_1 + w_2$ is a legal aggregate signature.
In one embodiment, as shown in fig. 5, the aggregation signature and verification step S6 specifically includes:
Step 601: let $T_J = \{t_1, t_2, \dots, t_n\}$, $M_J = \{M_1, M_2, \dots, M_n\}$ and $PID_J = \{PID_1, PID_2, \dots, PID_n\}$, let the set of first partial signatures of the sensors be $V_J = \{V_1, V_2, \dots, V_n\}$, and let the digital device select its current timestamp $t_p$.
Step 602: compute the accumulated sum of the second partial signatures of all sensors, $W_J = \sum_{j=1}^{n} w_j$, the aggregate signature intermediate value $h_{4p} = H_4(M_J, PID_J, T_J, pk_p, t_p)$ and the digital device signature $W_p$.
Step 603: compute the collusion-attack-resistant signature $Z = H_5(w_1 \cdot P - V_1 \,\|\, w_2 \cdot P - V_2 \,\|\, \dots \,\|\, w_n \cdot P - V_n)$.
Step 604: take $(M_J, PID_J, T_J, PID_p, t_p)$ as the aggregate message, compute $\sigma_p = (W_J, W_p, Z)$ as the aggregate signature corresponding to it, and send the aggregate signature and the aggregate message to the server.
Step 605: the server verifies the aggregate signature and the aggregate message, first checking the legitimacy of the timestamp set $T_J$ and of the current timestamp $t_p$ of the digital device.
Step 606: compute the partial private key intermediate value, the first signature intermediate value and the second signature intermediate value of each sensor, and the aggregate signature intermediate value.
Step 607: compute the collusion-attack-resistant signature intermediate value of each sensor, which for the j-th sensor is $z_j = X_j \cdot h_{2j} + h_{3j} \cdot (U_j + mpk \cdot h_{1j})$.
Step 608: verify whether the second equation and the third equation hold; only when both hold at the same time does the server accept the aggregate signature and the aggregate message. The second equation is $Z = H_5(z_1 \,\|\, z_2 \,\|\, \dots \,\|\, z_n)$; the third equation is $W_p = W_J \cdot [X_p + (C_p + mpk \cdot h_{1p}) \cdot h_{4p}]$.
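Steps 501-504 and 601-608, together with the collusion example above, as an added runnable example that is not the patent's code. It assumes secp256k1 as the group G, tagged SHA-256 reduced mod q as $H_1 \ldots H_5$, a tuple hash in place of the concatenation $\|$, a 60-second window for the "legal timestamp" checks, the same $H_1$ inputs for the PDA as for a sensor, and the signing form $W_p = W_J \cdot (x_p + ppk_p \cdot h_{4p}) \cdot P$ reconstructed from the third equation; the PIDs and readings are constructed values.

```python
import hashlib, secrets
# secp256k1 (real constants): field prime p, generator P of prime order q; points are (x, y), None = infinity
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition on y^2 = x^3 + 7 over GF(p)
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # scalar multiplication k*A by double-and-add
    R, k = None, k % q
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return None if A is None else (A[0], -A[1] % p)
def rand(): return secrets.randbelow(q - 1) + 1          # random element of Z_q^*
def fresh(t, now): return abs(now - t) <= 60            # assumed 60 s window for a "legal" timestamp
def H(i, *items):  # stand-in for H_i: SHA-256 over a domain tag and the inputs, reduced mod q
    return int.from_bytes(hashlib.sha256(repr((i, items)).encode()).digest(), "big") % q

class Server:  # KGC role of the server: step S1 (setup) and step S3 (partial keys)
    def __init__(self):
        self.s = rand(); self.mpk = mul(self.s, P)       # msk and mpk = s*P
    def partial_key(self, PID, X):  # (U_j, ppk_j) for a sensor, (C_p, ppk_p) for the PDA
        u = rand(); U = mul(u, P)
        return U, (u + self.s * H(1, PID, U, self.mpk, X)) % q   # ppk = u + s*h_1 mod q

def keygen(server, PID):  # steps S2-S4 for one entity (the PDA is assumed to use the same H_1 inputs)
    x = rand(); X = mul(x, P)                                # secret value and its public key
    U, ppk = server.partial_key(PID, X)
    assert mul(ppk, P) == add(U, mul(H(1, PID, U, server.mpk, X), server.mpk))  # accept the PPK set
    return {"PID": PID, "sk": (ppk, x), "pk": (U, X)}

def sign(sensor, mpk, M_j, t_j):  # step 501 -> sensor tuple (sigma_j, M_j, PID_j, t_j)
    ppk_j, x_j = sensor["sk"]
    v_j = rand(); V_j = mul(v_j, P)                          # first partial signature
    h_2j = H(2, M_j, sensor["PID"], t_j, sensor["pk"])
    h_3j = H(3, M_j, sensor["PID"], t_j, mpk)
    w_j = (v_j + x_j * h_2j + ppk_j * h_3j) % q              # second partial signature
    return ((V_j, w_j), M_j, sensor["PID"], t_j)

def z_value(M_j, PID_j, t_j, pk_j, mpk):  # z_j = X_j*h_2j + h_3j*(U_j + mpk*h_1j), public values only
    U_j, X_j = pk_j
    h_1j = H(1, PID_j, U_j, mpk, X_j)
    h_2j, h_3j = H(2, M_j, PID_j, t_j, pk_j), H(3, M_j, PID_j, t_j, mpk)
    return add(mul(h_2j, X_j), mul(h_3j, add(U_j, mul(h_1j, mpk))))

def verify_single(tup, pk_j, mpk, now):  # steps 503-504: first equation w_j*P - V_j == z_j
    (V_j, w_j), M_j, PID_j, t_j = tup
    return fresh(t_j, now) and add(mul(w_j, P), neg(V_j)) == z_value(M_j, PID_j, t_j, pk_j, mpk)

def aggregate(pda, tuples, t_p):  # steps 601-604 on the PDA
    M_J, PID_J, T_J = (tuple(t[k] for t in tuples) for k in (1, 2, 3))
    W_J = sum(t[0][1] for t in tuples) % q                   # accumulated sum of all w_j
    h_4p = H(4, M_J, PID_J, T_J, pda["pk"], t_p)
    ppk_p, x_p = pda["sk"]
    # W_p = W_J*(x_p + ppk_p*h_4p)*P is this example's reconstruction from the third equation
    W_p = mul(W_J * (x_p + ppk_p * h_4p), P)
    Z = H(5, *(add(mul(t[0][1], P), neg(t[0][0])) for t in tuples))  # H_5(w_1*P-V_1 || ... )
    return (W_J, W_p, Z), (M_J, PID_J, T_J, pda["PID"], t_p)  # aggregate signature, aggregate message

def server_checks(server, sig, msg, registry, pk_p, now):  # steps 605-608 -> (eq2, eq3)
    W_J, W_p, Z = sig
    M_J, PID_J, T_J, PID_p, t_p = msg
    if not all(fresh(t, now) for t in T_J + (t_p,)): return (False, False)   # step 605
    zs = [z_value(M, PID, t, registry[PID], server.mpk) for M, PID, t in zip(M_J, PID_J, T_J)]
    C_p, X_p = pk_p; h_4p = H(4, M_J, PID_J, T_J, pk_p, t_p)
    h_1p = H(1, PID_p, C_p, server.mpk, X_p)    # H_1 inputs for the PDA are this example's assumption
    eq2 = Z == H(5, *zs)                        # second equation
    eq3 = W_p == mul(W_J, add(X_p, mul(h_4p, add(C_p, mul(h_1p, server.mpk)))))  # third equation
    return (eq2, eq3)

def shift(tup, d):  # a colluding sensor adds d to its w_j (the page's +y / -y example)
    return ((tup[0][0], (tup[0][1] + d) % q),) + tup[1:]
def run(collude=False):  # honest: ([True]*3, (True, True)); colluding pair: fails 504 and eq2, passes eq3
    srv = Server(); now = 1_700_000_000                       # constructed clock value
    pda = keygen(srv, b"PID_pda")
    sensors = [keygen(srv, b"PID_%d" % j) for j in range(3)]
    registry = {s["PID"]: s["pk"] for s in sensors}           # anonymity -> public key, as the MCS would hold
    tuples = [sign(s, srv.mpk, b"reading-%d" % j, now) for j, s in enumerate(sensors)]
    if collude:
        y = rand(); tuples[0], tuples[1] = shift(tuples[0], y), shift(tuples[1], -y)
    singles = [verify_single(t, registry[t[2]], srv.mpk, now) for t in tuples]
    sig, msg = aggregate(pda, tuples, now)                    # a PDA that skipped step 504
    return singles, server_checks(srv, sig, msg, registry, pda["pk"], now)
```

The colluding run shows the division of labour the text describes: the +y/-y pair cancels in $W_J$, so the third equation still passes, while Z, which commits to each $w_j \cdot P - V_j$, no longer matches the server's recomputed $z_j$ values.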
Therefore, the pairing-free certificate-free aggregation signature data security protection method has the following beneficial technical effects:
Anonymity: an adversary cannot infer the true identity of a sensor or PDA by analysing the data and pseudo identities sent by the same sensor or the same PDA.
Traceability: the scheme uses pseudo identities (anonymities), so neither a sensor nor a PDA can be tracked. In special cases, however, the MCS can trace the true identity of a sensor or PDA from the information stored in the MCS.
Resistance to collusion attacks by malicious sensor nodes: in the design of this patent, the operation that resists collusion attacks by malicious nodes relies on the collision resistance of the hash function, see step 603. Collision resistance of a hash function means that two different values x1, x2 with h(x1) = h(x2) cannot be found in polynomial time.
Resistance to replay attacks: in the solution proposed in this patent, both the signing process and the verification process check the freshness of the message by means of a timestamp, so the solution is resistant to replay attacks. Explanation of replay attacks: a replay attack (also called a playback attack or freshness attack) is one in which an attacker re-sends a packet that the destination host has already received, typically a packet used to authenticate a user's identity, in order to deceive the system; it is mainly used in identity authentication processes to undermine the security of the authentication.
Closer to the real scenario: when the method is applied to the medical Internet of Things, the patient's information is stored in the personal digital device, which matches modern life scenarios; the patient can also view their own monitoring data through the personal digital device, which likewise matches real-life scenarios.
The invention also discloses an Internet of Things system, as shown in fig. 6, which comprises a plurality of sensor nodes, at least one digital device connected to and communicating with the plurality of sensor nodes, and a server connected to and communicating with the digital device. The server is preferably, but not limited to, a cloud server or a group of computers.
In an embodiment, when the internet of things system is a medical internet of things, a system block diagram is shown in fig. 7:
Sensor node (SN): deployed on the body surface or inside the body of the patient; it collects data, signs the data, and transmits the data and the signature to the digital device.
Digital device (PDA): a device held by the patient, in which the patient's identity information is stored. All data generated by the sensor nodes is sent to this device, which aggregates the individual signatures into an aggregate signature and all sensor messages into an aggregate message.
Medical Cloud Server (MCS): verifies the aggregate signature and the aggregate message, stores the data after verification passes, and sends the data to authorized medical centers and research institutions.
The sensor nodes, the digital device and the medical cloud server protect the sensor data according to the pairing-free certificate-free aggregation signature data security protection method provided by the invention.
Preferably, in one embodiment, the medical Internet of Things system further comprises an authorized medical center, which makes the corresponding judgment according to the data and provides the corresponding medical services to the patient.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.

Claims (6)

1. The certificate-free aggregation signature data security protection method based on pairing-free is characterized by comprising the following steps of:
a system initialization step: the server acquires and broadcasts system parameters;
a secret value selection step: the digital equipment selects a digital equipment secret value, generates a digital equipment parameter set based on the digital equipment secret value, and sends the digital equipment parameter set to a server; the sensor selects a sensor secret value;
partial key extraction: the server generates a digital device part private key for the digital device according to the digital device parameter set, and the server generates a sensor part private key for each sensor;
a complete key generation step: the digital device generates a digital device complete private key and a digital device complete public key; each sensor generates a sensor complete private key and a sensor complete public key which correspond to each other;
an uploading and verifying sensor data signature step: acquiring a signature of each sensor based on the sensor data, wherein each sensor forms a sensor tuple from its signature and its message and sends the sensor tuple to the digital device, and the message of each sensor comprises the sensor data, the anonymity of the sensor and the current timestamp of the sensor; the digital device accepts the sensor tuple after verifying its validity;
aggregate signature and verification: the digital device generates an aggregate signature based on the signatures of all the sensors, and generates an aggregate message based on the messages of all the sensors, wherein the aggregate message comprises the current time stamp of the digital device, and the aggregate signature and the aggregate message are sent to the server; the server verifies the aggregate signature and the aggregate message, and accepts the aggregate signature and the aggregate message after verification;
the system initialization step specifically includes:
the server selects, according to a given security parameter $1^\lambda$, a group G of prime order q with generator P, randomly selects from the residue classes modulo q a first parameter s as the system master key msk, generates the system master public key mpk, and selects 8 hash functions H, H, $H_0$, $H_1$, $H_2$, $H_3$, $H_4$ and $H_5$; it broadcasts the system parameters params = {G, q, P, mpk, $H_0 \sim H_5$}; the secret value selection step specifically includes:
the digital device randomly selects a second parameter $x_p$ as the digital device secret value, generates a digital device parameter set based on $x_p$ and sends the digital device parameter set to the server; the digital device parameter set includes the first exclusive-OR result $G_{ID}^*$ of the digital device group ID, the key expiration time $T_p$ of the digital device and the anonymity $PID_p$ of the digital device;
the digital device parameter set is generated as follows: obtain the digital device secret value public key $X_p = x_p \cdot P$ and publish it; obtain the group ID $G_{ID}$ of the digital device, where $ID_p$ represents the true identity ID of the digital device and $\oplus$ is the exclusive-OR operator; obtain the first exclusive-OR result $G_{ID}^*$ of the digital device group ID; obtain the anonymity $PID_p$ of the digital device, where $T_p$ represents the key expiration time of the digital device;
each sensor within the management area of the digital device randomly selects a third parameter from the residue classes modulo q as its sensor secret value, obtains the sensor secret value public key based on the sensor secret value and publishes it, and sends its true identity ID to the server; specifically, the j-th sensor $SN_j$ randomly selects the third parameter $x_j$ from the residue classes modulo q as its sensor secret value, computes the sensor secret value public key $X_j = x_j \cdot P$ of the j-th sensor and publishes $X_j$; in the partial key extraction step, the sub-step in which the server generates the digital device partial private key for the digital device according to the digital device parameter set specifically includes:
randomly selecting a sixth parameter $c_p$ and computing the digital device partial public key $C_p = c_p \cdot P$;
obtaining the digital device partial private key intermediate value $h_{1p}$;
obtaining the digital device partial private key $ppk_p = c_p + s \cdot h_{1p} \bmod q$, where mod q denotes the modulo-q operation;
obtaining the digital device element set $PPK_p = (C_p, ppk_p)$ and sending the digital device element set to the digital device;
the digital device verifies the digital device element set: it computes the digital device partial private key intermediate value $h_{1p}$ and, if the equation $ppk_p \cdot P = C_p + mpk \cdot h_{1p}$ holds, accepts the digital device element set $PPK_p$; in the partial key extraction step, the sub-step in which the server generates a sensor partial private key for each sensor includes:
for the j-th sensor, the server randomly selects a fourth parameter $u_j$ and computes the sensor anonymity $PID_j$ of the j-th sensor, where $ID_j$ represents the true identity ID of the j-th sensor and $T_j$ the key expiration time of the j-th sensor;
computing the partial public key $U_j = u_j \cdot P$ of the j-th sensor and the partial private key intermediate value $h_{1j} = H_1(PID_j, U_j, mpk, X_j)$ of the j-th sensor;
computing the partial private key $ppk_j = u_j + s \cdot h_{1j} \bmod q$ of the j-th sensor;
obtaining the second exclusive-OR result $G'_{ID}$ of the digital device group ID;
obtaining the j-th sensor element set $PPK_j = (U_j, ppk_j, G'_{ID})$ and sending the j-th sensor element set to the j-th sensor;
the j-th sensor verifies the j-th sensor element set: it computes the partial private key intermediate value $h_{1j}$ of the j-th sensor and, if the equation $ppk_j \cdot P = U_j + mpk \cdot h_{1j}$ holds, accepts the j-th sensor element set $PPK_j$.
2. The pairing-free and certificate-free aggregated-signature data security protection method according to claim 1, further comprising, in the partial key extraction step:
the server creates a dictionary $D_p$ and a list $L_p$; after the digital device verifies that the digital device element set passes, the first parameter tuple $(G_{ID}, c_p, T_p)$ is added to the list $L_p$;
after the j-th sensor verifies that the j-th sensor element set passes, the second parameter tuple $(PID_j, u_j, T_j)$ is added to the list $L_p$;
with the digital device anonymity $PID_p$ as key and the list $L_p$ as value, the pair ($PID_p$, $L_p$) is added to the dictionary $D_p$.
3. The pairing-free and certificate-free aggregated-signature data security protection method according to claim 1, wherein in the complete key generation step:
the digital device complete private key is $sk_p = (ppk_p, x_p)$ and the digital device complete public key is $pk_p = (C_p, X_p)$, which is published;
the sensor complete private key of the j-th sensor is $sk_j = (ppk_j, x_j)$ and the sensor complete public key of the j-th sensor is $pk_j = (U_j, X_j)$, which is published.
4. The method for protecting security of data based on pairing-free and certificate-free aggregated signature according to claim 1, wherein the steps of uploading and verifying the sensor data signature specifically comprise:
let the data generated by the j-th sensor be $M_j$ and the current timestamp of the j-th sensor be $t_j$; the sensor randomly selects a fifth parameter $v_j$, computes the first partial signature $V_j = v_j \cdot P$ of the j-th sensor, the first signature intermediate value $h_{2j} = H_2(M_j, PID_j, t_j, pk_j)$ of the j-th sensor, the second signature intermediate value $h_{3j} = H_3(M_j, PID_j, t_j, mpk)$ of the j-th sensor and the second partial signature $w_j = v_j + x_j \cdot h_{2j} + ppk_j \cdot h_{3j}$ of the j-th sensor; the signature of the j-th sensor is $\sigma_j = (V_j, w_j)$ and the sensor tuple of the j-th sensor is $(\sigma_j, M_j, PID_j, t_j)$;
the digital device verifying the sensor tuple of the j-th sensor includes: the digital device first verifies whether the current timestamp $t_j$ of the j-th sensor is legal and then executes the following: compute the partial private key intermediate value $h_{1j} = H_1(PID_j, U_j, mpk, X_j)$, the first signature intermediate value $h_{2j}$ and the second signature intermediate value $h_{3j}$ of the j-th sensor, and verify whether the first equation holds; if so, accept the sensor tuple of the j-th sensor; the first equation is $w_j \cdot P - V_j = X_j \cdot h_{2j} + h_{3j} \cdot (U_j + mpk \cdot h_{1j})$.
5. The pairing-free and certificate-free aggregate signature data security protection method as set forth in claim 4, wherein the aggregate signature and verification step includes:
step A, the digital device generates an aggregation signature and an aggregation message, which specifically comprises the following steps:
computing the accumulated sum of the second partial signatures of all sensors, $W_J = \sum_{j=1}^{n} w_j$;
computing the aggregate signature intermediate value $h_{4p} = H_4(M_J, PID_J, T_J, pk_p, t_p)$, where $M_J = \{M_1, M_2, \dots, M_n\}$ is the data set of all sensors, $PID_J = \{PID_1, PID_2, \dots, PID_n\}$ is the set of anonymities of all sensors, $T_J = \{t_1, t_2, \dots, t_n\}$ is the timestamp set of all sensors, $t_p$ is the current timestamp of the digital device and n is the number of sensors;
computing the digital device signature $W_p$;
computing the collusion-attack-resistant signature $Z = H_5(w_1 \cdot P - V_1 \,\|\, w_2 \cdot P - V_2 \,\|\, \dots \,\|\, w_n \cdot P - V_n)$, where $\|$ denotes concatenation of the data before and after it;
taking $(M_J, PID_J, T_J, PID_p, t_p)$ as the aggregate message and $\sigma_p = (W_J, W_p, Z)$ as the aggregate signature corresponding to the aggregate message, and sending the aggregate signature and the aggregate message to the server;
step B, the server verifies the aggregate signature and the aggregate message, and the specific verification process is as follows:
validating a set of timestamps T for all sensors J And the current timestamp t of the digital device p Whether it is legal, if so, executing:
calculating the partial private key intermediate value, the first signature intermediate value and the second signature intermediate value of each sensor, and calculating the collusion-attack-resistant signature intermediate value of each sensor, which for the j-th sensor is $z_j = X_j \cdot h_{2j} + h_{3j} \cdot (U_j + mpk \cdot h_{1j})$;
calculating the aggregate signature intermediate value;
verifying whether the second equation and the third equation hold, and when both hold at the same time, the server accepts the aggregate signature and the aggregate message;
the second equation is $Z = H_5(z_1 \,\|\, z_2 \,\|\, \dots \,\|\, z_n)$;
the third equation is $W_p = W_J \cdot [X_p + (C_p + mpk \cdot h_{1p}) \cdot h_{4p}]$.
6. An Internet of Things system comprising a plurality of sensor nodes, at least one digital device connected to and communicating with the plurality of sensor nodes, and a server connected to and communicating with the digital device, wherein the sensor nodes, the digital device and the server protect sensor data according to the method of any one of claims 1-5.
CN202310526605.3A 2023-05-10 2023-05-10 Certificate-free aggregation signature data security protection method and system based on pairing-free Active CN116743431B (en)

Publications (2)

Publication Number Publication Date
CN116743431A CN116743431A (en) 2023-09-12
CN116743431B true CN116743431B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant