WO2018119670A1 - Method and device for certificateless partially blind signature - Google Patents
- Publication number: WO2018119670A1 (PCT/CN2016/112385)
- Authority: WO (WIPO PCT)
- Prior art keywords: signer, signature, private key, system parameter, key
- Classification: H04L9/08, key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (within H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
- Table 2 lists the number of calculations for specific time-consuming operations in each scenario, mainly comparing the amount of calculations by the signer, signature requester, and verifier during the scenario construction process.
Abstract
The present invention belongs to the field of information security technology. A method for certificateless partially blind signature (CL-PBS), comprising: establishing public system parameters params = {G1, G2, P, e, g, H0, H1, H2, Ppub}; a signer extracting (SID) as a private key and extracting (P) as a public key; the signer randomly selecting γ ∈ Z_q^*, calculating z = H0(c) and R = rP, and transmitting R to a signature requester; having received R, the signature requester randomly selecting blinding factors α and β ∈ Z_q^*, calculating z = H0(c), R' = αR, (y), h' = H2(m, z, y), h = α^-1(β - h'), and transmitting h to the signer; having received h, the signer calculating (S) and transmitting S to the signature requester; the signature requester performing an unblinding operation, calculating S' = αS, and obtaining σ = (y, h', S') as the signature on a message m and a negotiation message c; and a verifier performing signature verification. The method effectively solves the security problem caused by falsification of the negotiated public information during CL-PBS.
Description
The invention belongs to the technical field of information security and in particular relates to a method and device for certificateless partially blind signature.
A blind signature is a signature the signer produces without learning the content of the message the signature requester asks it to sign; this property is called blindness. A blind signature keeps the properties of an ordinary digital signature, namely content integrity, non-repudiation of the transaction and authenticity of both parties' identities, and in addition uses blindness to protect the user's privacy. Because the signer knows nothing about the message in a blind signature, the signature can easily be misused by a malicious requester. The concept of the partially blind signature was subsequently proposed: the message is divided into a blinded part and a public part, so that the partially blind signature preserves user privacy while giving the signer some control over the signed content.
In an identity-based cryptosystem the Key Generation Center (KGC) knows the private keys of all users and can therefore forge any user's signature; this is known as the key escrow problem. To solve it, Al-Riyami and Paterson proposed the concept of Certificateless Public Key Cryptography (CL-PKC) in 2003; for details see Al-Riyami S S, Paterson K G. Certificateless Public Key Cryptography [J]. Lecture Notes in Computer Science, 2003, 2894(2): 452-473, referred to below as document 1. In CL-PKC the KGC generates only a partial private key for the user; the user's full private key is composed of the partial private key and a secret value the user chooses at random, which removes the key escrow problem. Combining certificateless public key cryptography with blind signatures gives the Certificateless Blind Signature (CL-BS); using CL-BS in e-commerce protects user privacy while avoiding both the certificate management burden of PKI and the key escrow problem of ID-PKC. For better applicability to electronic cash systems, certificateless public key cryptography is combined with partially blind signatures to give the Certificateless Partially Blind Signature (CL-PBS).
Related literature on certificateless partially blind signatures has already been published, for example:
Cheng L, Wen Q. Cryptanalysis and improvement of a certificateless partially blind signature [J]. IET Information Security, 2015, 9(6): 380-386, referred to below as document 2.
Zhang L, Zhang F, Qin B, et al. Corrigendum: "Provably-secure electronic cash based on certificateless partially-blind signatures" [J]. Electronic Commerce Research & Applications, 2011, 10(1): 545-552, referred to below as document 3.
Document 2 points out that the CL-PBS scheme proposed in document 3 cannot resist an attack in which a malicious user replaces the signer's public key, and proposes an improved scheme. Analysis of that improved scheme, however, shows that it cannot prevent a malicious user from tampering with the negotiated public information.
Summary of the invention
The embodiments of the invention provide a certificateless partially blind signature method that aims to solve the problem of the low security of the negotiated public information in existing certificateless partially blind signatures.
An embodiment of the invention is implemented as follows. A certificateless partially blind signature method includes:
establishing public system parameters params = {G1, G2, P, e, g, H0, H1, H2, Ppub}, where l is the security parameter and q is a prime with q > 2^l; {G1, +} is a cyclic additive group of order q and P is an arbitrary generator of G1; {G2, ·} is a cyclic multiplicative group of order q with generator g; e: G1 × G1 → G2 is a bilinear pairing with g = e(P, P) ∈ G2; the hash function H1: {0,1}* → G1 is chosen; the KGC selects s as the master key and Ppub = sP as the public key;
the signer randomly selects r, computes z = H0(c) and R = rP, and sends R to the signature requester;
after receiving R, the signature requester randomly selects blinding factors α and β, computes z = H0(c), R' = αR, h' = H2(m, z, y) and h = α^-1(β - h'), and sends h to the signer;
after receiving h, the signer computes S and sends S to the signature requester;
the signature requester performs the unblinding step, computing S' = αS, and obtains σ = (y, h', S') as the signature on the message m and the negotiated message c;
the verifier performs signature verification.
Preferably, the specific steps of establishing the public system parameters params = {G1, G2, P, l, q, e, H1, H2, H3, Ppub} are:
according to the security requirements, determine the sizes of the security parameter l and the prime q, and use an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit a bilinear map e: G1 × G1 → G2;
randomly select an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, and compute Ppub = sP as the corresponding public key;
publish the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub} and keep s as the master key.
Preferably, the specific steps by which the signer extracts its private key and public key are:
input the system parameters params and the signer's identity IDB; the KGC computes the partial private key and sends it to the signer;
according to params and the signer's identity IDB, the signer randomly selects its secret value;
according to params, the signer's identity IDB, the partial private key and the secret value, obtain the signer's private key;
according to params, the signer's identity IDB and the secret value, obtain the signer's public key.
Preferably, the specific steps of signature verification by the verifier include:
the verifier receives the message-signature pair (m, c, σ = (y, h', S'));
the verifier checks whether the equation h' = H2(m, z, y') holds; if it does, the verifier accepts (m, c, σ = (y, h', S')) as a valid blind signature produced by the signer;
otherwise the signature is invalid.
An embodiment of the invention further provides a certificateless partially blind signature device, including:
a system parameter establishing unit for establishing the public system parameters params = {G1, G2, P, e, g, H0, H1, H2, Ppub};
an extracting unit for the signer to extract its private key and public key;
a commitment unit for randomly selecting r, computing z = H0(c) and R = rP, and sending R to the signature requester;
a blinding unit for, after R is received, randomly selecting blinding factors α and β, computing z = H0(c), R' = αR, h' = H2(m, z, y) and h = α^-1(β - h'), and sending h to the signer;
a partially blind signature unit for computing S after h is received and sending S to the signature requester;
an unblinding unit for performing the unblinding step, computing S' = αS, and obtaining σ = (y, h', S') as the signature on the message m and the negotiated message c;
a verification unit for signature verification.
Preferably, the system parameter establishing unit comprises:
a construction module for determining the sizes of the security parameter l and the prime q, and for using an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit a bilinear map e: G1 × G1 → G2;
a function selection module for selecting the collision-free hash function H1: {0,1}* → G1,
a key module for randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, computing Ppub = sP as the corresponding public key, publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub}, and keeping s as the master key.
Preferably, the extracting unit comprises:
a partial private key generation module by which the KGC computes the partial private key from the system parameters params and the signer's identity IDB and sends it to the signer;
a secret value generation module for randomly selecting the signer's secret value according to params and the signer's identity IDB;
a private key module for obtaining the signer's private key from params, the signer's identity IDB, the partial private key and the secret value;
a public key module for obtaining the signer's public key from params, the signer's identity IDB and the secret value.
Preferably, the verification unit comprises:
a receiving module for receiving the message-signature pair (m, c, σ = (y, h', S')) sent by the signature requester;
a verification module for checking whether the equation h' = H2(m, z, y') holds; if it does, the verifier accepts (m, c, σ = (y, h', S')) as a valid blind signature produced by the signer, otherwise the signature is invalid.
In the technical solution of the invention the signer inserts the negotiated information into its computation, where z = H0(c). When the correctness of the signature scheme is proved, the z = H0(c) inserted by the signer corresponds both to the negotiated information that the signature requester inserts during blinding and to the negotiated information used in the verification equation. The solution of the invention is therefore secure under the negotiated-information tampering attack, and effectively solves the security problem caused by tampering with the public information in certificateless partially blind signatures.
FIG. 1 is a schematic flowchart of a certificateless partially blind signature method according to an embodiment of the invention;
FIG. 2 is a simplified flow chart of a certificateless partially blind signature method according to an embodiment of the invention;
FIG. 3 is a structural block diagram of a certificateless partially blind signature device according to an embodiment of the invention;
FIG. 4 is a structural block diagram of the system parameter establishing unit of the invention;
FIG. 5 is a structural block diagram of the extracting unit of the invention;
FIG. 6 is a structural block diagram of the verification unit of the invention.
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
To make the technical solution of the invention easier to understand, the partially blind signature process of document 2 is first described briefly:
First, public system parameters params = {G1, G2, P, l, q, e, H0, H1, H2, Ppub} are established.
Given the security parameter l and a prime q > 2^l, {G1, +} is a cyclic additive group of order q and P is an arbitrary generator of G1; {G2, ·} is a cyclic multiplicative group of order q with generator g; e: G1 × G1 → G2 is a bilinear pairing with g = e(P, P) ∈ G2; the hash functions H0, H1 and H2 are chosen.
The KGC selects s as the master key and Ppub = sP as the public key; the system parameters are params = {G1, G2, P, l, q, e, H0, H1, H2, Ppub}.
The key extraction algorithm is then run:
Partial private key generation algorithm: input the system parameters params and the signer's identity IDB; the KGC computes the partial private key and sends it to the signer.
Set-secret-value algorithm: input params and the signer's identity IDB; the signer randomly selects its secret value.
Set-private-key algorithm: input the system parameters, the signer's identity IDB, the partial private key and the secret value; output the signer's private key.
Set-public-key algorithm: input the system parameters, the signer's identity IDB and the secret value; output the signer's public key.
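The key extraction steps above (and the matching steps of the patented scheme earlier on this page) omit the actual formulas, which were figures in the original. As an added illustration, not code from the patent or from documents 1 to 3, the following Python models the certificateless key structure with toy parameters. It assumes the Al-Riyami and Paterson form of the partial private key, D_ID = s·H1(ID), assumes the secret value x is drawn from Z_q^* and the public key is xP, and models G1 as the integers mod q (with P = 1) and G2 as the order-q subgroup of Z_p^* so that e(aP, bP) = g^(ab) is a bilinear map with g = e(P, P). The function names and the identity string are the example's own. Discrete logarithms are known to everyone in this model, so it demonstrates the algebra of the key structure, not its security.

```python
"""Toy model of CL-PKC key extraction (added example; assumptions noted in the
lead-in).  G1 = Z_q with generator P = 1, G2 = order-q subgroup of Z_p^*,
e(aP, bP) = g^(ab).  Everyone can take discrete logs here, so this shows the
algebra of the key structure, not its security."""
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def setup(q: int = 7919):
    """Analogue of the system-parameter step: toy prime q (the patent only requires
    q > 2^l), p = k*q + 1 prime, g a generator of the order-q subgroup of Z_p^*,
    master key s, Ppub = sP.  Returns the public params and the KGC's secret s."""
    assert is_prime(q)
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    g = pow(h, (p - 1) // q, p)        # g = e(P, P), generator of G2
    P = 1                              # generator of the additive group G1 = Z_q
    s = secrets.randbelow(q - 1) + 1   # KGC master key s in Z_q^*
    params = {"q": q, "p": p, "P": P, "g": g, "Ppub": s * P % q}
    return params, s


def e(params, A: int, B: int) -> int:
    """Toy bilinear pairing: e(aP, bP) = g^(ab mod q) mod p."""
    return pow(params["g"], A * B % params["q"], params["p"])


def H1(params, ident: str) -> int:
    """Toy H1: {0,1}* -> G1, mapping an identity string to Q_ID."""
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % params["q"]


def partial_private_key(params, s: int, ident: str) -> int:
    """KGC side: D_ID = s * Q_ID (assumed Al-Riyami/Paterson form; the patent elides it)."""
    return s * H1(params, ident) % params["q"]


def set_secret_value(params) -> int:
    """Signer side: secret value x, chosen by the signer alone (assumed x in Z_q^*)."""
    return secrets.randbelow(params["q"] - 1) + 1


def set_private_key(D: int, x: int):
    """Full private key = (partial private key from the KGC, signer's own secret value)."""
    return (D, x)


def set_public_key(params, x: int) -> int:
    """Assumed public key xP; no certificate is needed because D_ID ties ID to the KGC."""
    return x * params["P"] % params["q"]


def partial_key_is_valid(params, ident: str, D: int) -> bool:
    """Signer-side check that D_ID was really derived with the master key:
    e(D_ID, P) == e(Q_ID, Ppub) holds iff D_ID = s * Q_ID (bilinearity)."""
    return e(params, D, params["P"]) == e(params, H1(params, ident), params["Ppub"])


if __name__ == "__main__":
    params, s = setup()
    D = partial_private_key(params, s, "signer-B")   # constructed identity string
    x = set_secret_value(params)
    print("partial key valid:", partial_key_is_valid(params, "signer-B", D))
    print("private key:", set_private_key(D, x), "public key:", set_public_key(params, x))
```

The pairing check e(D_ID, P) = e(Q_ID, Ppub) is how the signer confirms that the partial key really came from the holder of the master key s (a corrupted or mis-issued value fails it). The secret value x never leaves the signer, which is the point of the certificateless construction: the KGC's knowledge of s and D_ID does not give it the full private key (D_ID, x).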
The partially blind signature generation algorithm is then run:
Suppose m is the message the signature requester asks to have signed and c is the public information negotiated between the signer and the signature requester. The signer uses its private key and public key to sign the message m and the negotiated public information c together with the signature requester. The specific process is as follows:
a) Commitment. The signer randomly selects r, computes z = H0(c) and R = rzP, and sends R to the signature requester.
b) Blinding. After receiving R, the signature requester randomly selects blinding factors, computes z = H0(c), R' = γR and h = γ^-1(β - h'), and sends h to the signer.
c) Partially blind signing. After receiving h, the signer only needs to compute S and send S to the signature requester.
d) Unblinding. The signature requester computes S' = γS + αPpub.
After this series of interactions, the signature requester obtains σ = (R', h', S') as the signature on the message m and the negotiated information c.
Finally, the signature verification algorithm is run:
After receiving the signer's signature σ = (R', h', S') on the message m and the negotiated information c, the verifier first computes z = H0(c) and then checks whether the verification equation holds. If it holds, the message-signature pair (m, c, σ = (R', h', S')) is accepted as a legitimate signature of the signer; otherwise it is invalid.
The above scheme is subject to a security attack, analysed as follows:
The attack on the scheme tampers with the negotiated information c, changing it to c'. The signer uses its private key and public key to sign the message m and the negotiated public information c together with the signature requester, while the signature requester changes the negotiated information c to c':
a) Commitment. The signer randomly selects r, computes z = H0(c) and R = rzP, and sends R to the signature requester.
b) Blinding. After receiving R, the signature requester randomly selects blinding factors and computes z = H0(c), z' = H0(c'), R' = γR, R'' = z^-1 z' R', h = γ^-1(β - h') and h'' = z z'^-1 h, then sends h'' to the signer.
c) Partially blind signing. After receiving h'', the signer only needs to compute S and send S to the signature requester.
d) Unblinding. The signature requester computes S' = z^-1 z' S and S'' = γS' + αPpub.
After this series of interactions, the signature requester obtains σ = (R'', h', S'') as a signature on the message m and the negotiated information c'.
To verify the signature requester's signature σ = (R'', h', S'') on the message m and the negotiated information c', the verifier computes z' = H0(c') and checks whether the verification equation holds. If it holds, the signature is valid, i.e. the tampering of the negotiated information to c' has succeeded. In this verification process, in fact, only the verification equation needs to hold;
that is, without the signer's consent, the signature formed after the signature requester tampers with the public information also passes the verification equation, so the verifier believes that σ = (R'', h', S'') is a valid signature of the signer on the message m and the negotiated message c'.
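As an added illustration that is not code from the patent or from document 2, the following Python checks the algebraic identity behind the attack just described and contrasts it with how the patented scheme binds the negotiated information. It models G1 as the integers mod q with P = 1 (so a point rP is written as the scalar r), uses SHA-256-based toy hashes for H0 and H2, and constructed values for r, γ, c and c'. The function names are the example's own, and the quantity y of the patented scheme, whose computation the page does not show, is treated as an opaque input.

```python
"""Toy model of the negotiated-information tampering attack on the document 2
scheme (added example).  G1 is modelled as the integers mod q with P = 1, so a
group element aP is the scalar a; this is enough to check the algebraic
identities the attack relies on, and gives no security by itself."""
import hashlib

Q = 2**61 - 1   # constructed toy group order; the page only requires a prime q > 2^l


def H0(c: str) -> int:
    """Toy H0: negotiated public information c -> Z_q^* (never 0, so invertible)."""
    return int.from_bytes(hashlib.sha256(c.encode()).digest(), "big") % (Q - 1) + 1


def H2(m: str, z: int, y: int) -> int:
    """Toy H2(m, z, y) standing in for the patented scheme's h' = H2(m, z, y)."""
    data = f"{m}|{z}|{y}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def doc2_commitment(r: int, c: str) -> int:
    """Document 2, step a): R = r z P with z = H0(c)."""
    return r * H0(c) % Q


def doc2_retarget(R: int, c: str, c_prime: str, gamma: int) -> int:
    """Document 2 attack, step b): R' = γR, then R'' = z^-1 z' R' with z' = H0(c')."""
    z, z_prime = H0(c), H0(c_prime)
    R_prime = gamma * R % Q
    return pow(z, -1, Q) * z_prime * R_prime % Q


def doc2_honest_blinded(r: int, c: str, gamma: int) -> int:
    """R' that an honest run produces when the signer commits to c from the start."""
    return gamma * doc2_commitment(r, c) % Q


def retarget_matches_honest(r: int, gamma: int, c: str, c_prime: str) -> bool:
    """Core of the attack: because R is linear in z, the requester can turn the
    signer's commitment for c into exactly the blinded commitment for c'."""
    R = doc2_commitment(r, c)
    return doc2_retarget(R, c, c_prime, gamma) == doc2_honest_blinded(r, c_prime, gamma)


def patent_challenge_binds_c(m: str, y: int, c: str, c_prime: str) -> bool:
    """Patented scheme: z enters the hash h' = H2(m, z, y), which the verifier
    recomputes from the c it is handed, so substituting c' changes h' rather
    than rescaling it."""
    return H2(m, H0(c), y) != H2(m, H0(c_prime), y)


if __name__ == "__main__":
    r, gamma = 123456789, 987654321            # constructed; random in Z_q^* in the protocol
    c, c_prime = "amount=1", "amount=0"         # constructed negotiated information
    print("document 2 commitment re-targeted:", retarget_matches_honest(r, gamma, c, c_prime))
    print("patent h' changes with c:", patent_challenge_binds_c("msg", 42, c, c_prime))
```

Because R = rzP is linear in z, multiplying the blinded commitment by z^-1 z' yields exactly the commitment an honest run for c' would have produced with the same r and γ, which is why the remaining transcript values (h'', S', S'') can be rescaled to match c' as the attack steps above show. In the patented scheme the commitment R = rP carries no factor of z; z reaches the signature only through h' = H2(m, z, y), which the verifier recomputes from the c it is given, so a changed c changes the expected h' instead of scaling it.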
As shown in FIG. 1 and FIG. 2, an embodiment of the present invention provides a certificateless partially blind signature method, comprising the following steps:
Step S100: establish public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub};
where l is the security parameter and the prime q satisfies q>2^l; {G1,+} is a cyclic additive group of order q and P is any generator of G1; {G2,·} is a cyclic multiplicative group of order q with generator g; e: G1×G1→G2 is a bilinear pairing with g=e(P,P)∈G2; the hash function H1:{0,1}*→G1; the KGC selects s as the master key and Ppub=sP as the public key;
Step S300: the signer randomly selects and computes z=H0(c) and R=rP, and sends R to the signature requester;
Step S400: after receiving R, the signature requester randomly selects blinding factors and computes z=H0(c), R′=αR, h′=H2(m,z,y), h=α⁻¹(β−h′), and sends h to the signer;
Step S500: after receiving h, the signer computes and sends S to the signature requester;
Step S600: the signature requester performs unblinding, computing S′=αS, and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′);
Step S700: the verifier performs signature verification.
Preferably, in step S100, the specific steps of establishing the public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub} are:
Step S110: according to the security requirements, determine the sizes of the security parameter l and the prime q, and use an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} admitting the bilinear map e: G1×G1→G2;
Step S120: select a collision-free hash function H1:{0,1}*→G1,
Step S130: randomly select an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, and compute Ppub=sP as its corresponding public key;
Step S140: publish the system parameters {G1,G2,P,e,g,H0,H1,H2,Ppub} and keep s as the master key value.
Further, step S200 specifically comprises:
Step S210: input the system parameters params and the signer's identity IDB; the KGC computes and sends the partial private key to the signer;
Step S220: according to the system parameters params and the signer's identity IDB, the signer randomly selects as its secret value;
Step S230: according to the system parameters params, the signer's identity IDB, the partial private key and the secret value, the signer's private key is obtained as
Step S240: according to the system parameters params, the signer's identity IDB and the secret value, the signer's public key is obtained
Further, step S700 specifically comprises:
Step S710: the verifier receives the signer's message-signature pair (m,c,σ=(y,h′,S′));
Step S730: check whether the equation h′=H2(m,z,y′) holds; if so, the verifier believes that (m,c,σ=(y,h′,S′)) is a valid blind signature produced by the signer;
otherwise it is invalid.
Since the signer inserts the negotiated information into the computation, where z=H0(c), proving the correctness of the signature scheme shows that the negotiated information z=H0(c) inserted by the signer corresponds not only to the negotiated information inserted by the signature requester during blinding but also to the inserted negotiated information used in the verification equation. Hence this scheme resists tampering attacks on the public negotiated information.
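Added example, not the patent's own code and not its pairing-based certificateless scheme: a simplified partially blind Schnorr-style signature on secp256k1 (the standard library has no pairing groups), with a plain signer key pair (x, Y=xP) in place of the KGC partial private key. It keeps the page's step order (commitment R=rP, blinding with α and β, blind response on h, unblinding, verification) and shows the binding argued above: the signer derives z=H0(c) from the c it agreed to and folds it into its response, and the verifier rederives z from the published c, so a signature obtained for c does not verify under a substituted c′. The per-agreement key Y_c=Y+zP, the names tag_key and run_protocol, and the sample inputs are this example's own constructions.

```python
import hashlib
import secrets

# secp256k1 field prime and group order (cofactor 1, so every curve point has order N).
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def base_point():
    """Generator P: smallest x lying on the curve (prime group order, so any point generates)."""
    x = 1
    while True:
        rhs = (x**3 + 7) % P_FIELD
        y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)  # square-root candidate, P_FIELD = 3 mod 4
        if y * y % P_FIELD == rhs:
            return x, y
        x += 1

P = base_point()

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def H0(c):
    """z = H0(c): the agreed public information hashed to a scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"H0|" + c).digest(), "big") % N

def H2(m, z, point):
    """h' = H2(m, z, R'): challenge binding the message, the agreed information and the commitment."""
    enc = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    data = b"H2|" + m + b"|" + z.to_bytes(32, "big") + b"|" + enc
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def tag_key(Y, c):
    """Per-agreement public key Y_c = Y + H0(c)*P (this example's own construction)."""
    return add(Y, mul(H0(c), P))

class Signer:
    def __init__(self):
        self.x = rand_scalar()
        self.Y = mul(self.x, P)
    def commit(self, c):            # cf. step S300: the signer records the c it agreed to
        self.c, self.r = c, rand_scalar()
        return mul(self.r, P)       # R = rP
    def sign_blinded(self, h):      # cf. step S500: the signer sees only the blinded h
        z = H0(self.c)              # its own z, never a value supplied by the requester
        return (self.r + h * (self.x + z)) % N

class Requester:
    def __init__(self, Y, m, c):
        self.Y, self.m, self.c = Y, m, c
    def blind(self, R):             # cf. step S400: R' = R + alpha*P + beta*Y_c
        self.alpha, self.beta = rand_scalar(), rand_scalar()
        R1 = add(add(R, mul(self.alpha, P)), mul(self.beta, tag_key(self.Y, self.c)))
        self.h1 = H2(self.m, H0(self.c), R1)   # h' = H2(m, z, R')
        return (self.h1 + self.beta) % N       # blinded challenge h sent to the signer
    def unblind(self, S):           # cf. step S600: sigma = (h', S') with S' = S + alpha
        return self.h1, (S + self.alpha) % N

def verify(Y, m, c, sig):           # cf. step S700: z is recomputed from the published c
    h1, S1 = sig
    R1 = add(mul(S1, P), mul(N - h1, tag_key(Y, c)))   # R' = S'P - h'Y_c
    return R1 is not None and H2(m, H0(c), R1) == h1

def run_protocol(m, c):
    """Honest run of the four exchanges; returns the signer's public key and the signature."""
    signer = Signer()
    req = Requester(signer.Y, m, c)
    S = signer.sign_blinded(req.blind(signer.commit(c)))
    return signer.Y, req.unblind(S)
```

The signer never sees m or the unblinded (h′, S′), while a signature produced for c fails verification under any other c′ because both the signer's response and the verifier's check use their own H0(c).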
As shown in FIG. 3, an embodiment of the present invention further provides a certificateless partially blind signature device, comprising:
a system parameter establishing unit 100, configured to establish the public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub};
an extraction unit 200, used by the signer to extract the private key and the public key;
a commitment unit 300, configured to randomly select and compute z=H0(c) and R=rP, and send R to the signature requester;
a blinding unit 400, configured to, after receiving R, randomly select blinding factors and compute z=H0(c), R′=αR, h′=H2(m,z,y), h=α⁻¹(β−h′), and send h to the signer;
a partial blind signature unit 500, configured to, after receiving h, compute and send S to the signature requester;
an unblinding unit 600, configured to perform unblinding, computing S′=αS, and obtain the signature on the message m and the negotiated message c as σ=(y,h′,S′);
a verification unit 700, configured to perform signature verification.
As shown in FIG. 4, the system parameter establishing unit 100 further comprises:
a construction module 101, configured to determine the sizes of the security parameter l and the prime q, and use an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} admitting the bilinear map e: G1×G1→G2;
a function selection module 102, configured to select a collision-free hash function H1:{0,1}*→G1,
a key module 103, configured to randomly select an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, compute Ppub=sP as its corresponding public key, publish the system parameters {G1,G2,P,e,g,H0,H1,H2,Ppub}, and keep s as the master key value.
As shown in FIG. 5, the extraction unit 200 further comprises:
a partial private key generation module 201, configured to have the KGC compute, from the system parameters params and the signer's identity IDB, and send the partial private key to the signer;
a secret value generation module 202, configured to randomly select as its secret value according to the system parameters params and the signer's identity IDB;
a private key module 203, configured to obtain, according to the system parameters params, the signer's identity IDB, the partial private key and the secret value, the signer's private key as
a public key module 204, configured to obtain, according to the system parameters params, the signer's identity IDB and the secret value, the signer's public key
As shown in FIG. 6, the verification unit 700 further comprises:
a receiving module 701, configured to receive the message-signature pair (m,c,σ=(y,h′,S′)) sent by the signature requester;
a verification module 702, configured to check whether the equation h′=H2(m,z,y′) holds; if so, the verifier believes that (m,c,σ=(y,h′,S′)) is a valid blind signature produced by the signer, otherwise it is invalid.
Below, the computational efficiency of the technical solution of the present invention is compared with the existing CL-PBS schemes described above, including the schemes of reference 2 and reference 3, where reference 2 is an improved scheme proposed against the public key replacement attack on reference 3. A supersingular elliptic curve E(Fp): y²=x³+x with embedding degree 2 is used, where q=2^159+2^17+1 is a 160-bit prime and p is a 512-bit prime satisfying p+1=12qr. Hardware platform: CPIV 3 GHz CPU, 512 MB of memory and the Windows XP operating system. Table 1 lists the running time of the costly basic operations in the cryptographic schemes.
Table 1 Running time of the basic operations in the schemes (unit: milliseconds)
Table 2 lists the number of costly operations in each scheme, mainly comparing the computation performed by the signer, the signature requester and the verifier while running the scheme.
Table 2 Comparison of the computational performance of the schemes (unit: milliseconds)
In summary, it is clear that the scheme constructed by the present invention has higher efficiency.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (8)
- A certificateless partially blind signature method, characterized by comprising: establishing public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub}, where l is the security parameter and the prime q satisfies q>2^l; {G1,+} is a cyclic additive group of order q and P is any generator of G1; {G2,·} is a cyclic multiplicative group of order q with generator g; e: G1×G1→G2 is a bilinear pairing with g=e(P,P)∈G2; the hash function H1:{0,1}*→G1; the KGC selects s as the master key and Ppub=sP as the public key; the signer randomly selects and computes z=H0(c) and R=rP, and sends R to the signature requester; after receiving R, the signature requester randomly selects blinding factors and computes z=H0(c), R′=αR, h′=H2(m,z,y), h=α⁻¹(β−h′), and sends h to the signer; after receiving h, the signer computes and sends S to the signature requester; the signature requester performs unblinding, computing S′=αS, and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′); the verifier performs signature verification.
- The certificateless partially blind signature method according to claim 1, characterized in that the specific steps of establishing the public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub} are: according to the security requirements, determining the sizes of the security parameter l and the prime q, and using an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} admitting the bilinear map e: G1×G1→G2; randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, and computing Ppub=sP as its corresponding public key; publishing the system parameters {G1,G2,P,e,g,H0,H1,H2,Ppub} and keeping s as the master key value.
- The certificateless partially blind signature method according to claim 1, characterized in that the specific steps by which the signer extracts its private key and its public key are: inputting the system parameters params and the signer's identity IDB, the KGC computes and sends the partial private key to the signer; according to the system parameters params and the signer's identity IDB, the signer randomly selects as its secret value; according to the system parameters params, the signer's identity IDB, the partial private key and the secret value, the signer's private key is obtained as
- The certificateless partially blind signature method according to claim 1, characterized in that the specific steps of the verifier performing signature verification comprise: the verifier receives the signer's message-signature pair (m,c,σ=(y,h′,S′)); checking whether the equation h′=H2(m,z,y′) holds; if so, the verifier believes that (m,c,σ=(y,h′,S′)) is a valid blind signature produced by the signer; otherwise it is invalid.
- A certificateless partially blind signature device, characterized by comprising: a system parameter establishing unit, configured to establish the public system parameters params={G1,G2,P,e,g,H0,H1,H2,Ppub}; an extraction unit, used by the signer to extract the private key and the public key; a commitment unit, configured to randomly select and compute z=H0(c) and R=rP, and send R to the signature requester; a blinding unit, configured to, after receiving R, randomly select blinding factors and compute z=H0(c), R′=αR, h′=H2(m,z,y), h=α⁻¹(β−h′), and send h to the signer; a partial blind signature unit, configured to, after receiving h, compute and send S to the signature requester; an unblinding unit, configured to perform unblinding, computing S′=αS, and obtain the signature on the message m and the negotiated message c as σ=(y,h′,S′); a verification unit, configured to perform signature verification.
- The certificateless partially blind signature device according to claim 5, characterized in that the system parameter establishing unit comprises: a construction module, configured to determine the sizes of the security parameter l and the prime q, and use an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} admitting the bilinear map e: G1×G1→G2; a function selection module, configured to select a collision-free hash function H1:{0,1}*→G1, a key module, configured to randomly select an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, compute Ppub=sP as its corresponding public key, publish the system parameters {G1,G2,P,e,g,H0,H1,H2,Ppub}, and keep s as the master key value.
- The certificateless partially blind signature device according to claim 5, characterized in that the extraction unit comprises: a partial private key generation module, configured to have the KGC compute, from the system parameters params and the signer's identity IDB, and send the partial private key to the signer; a secret value generation module, configured to randomly select as its secret value according to the system parameters params and the signer's identity IDB; a private key module, configured to obtain, according to the system parameters params, the signer's identity IDB, the partial private key and the secret value, the signer's private key as
- The certificateless partially blind signature device according to claim 5, characterized in that the verification unit comprises: a receiving module, configured to receive the message-signature pair (m,c,σ=(y,h′,S′)) sent by the signature requester; a verification module, configured to check whether the equation h′=H2(m,z,y′) holds; if so, the verifier believes that (m,c,σ=(y,h′,S′)) is a valid blind signature produced by the signer, otherwise it is invalid.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/112385 WO2018119670A1 (en) | 2016-12-27 | 2016-12-27 | Method and device for certificateless partially blind signature |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018119670A1 true WO2018119670A1 (en) | 2018-07-05 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102387019A (en) * | 2011-10-19 | 2012-03-21 | 西安电子科技大学 | Certificateless partially blind signature method |
US20150358167A1 (en) * | 2013-09-16 | 2015-12-10 | Huawei Device Co., Ltd. | Certificateless Multi-Proxy Signature Method and Apparatus |
Non-Patent Citations (1)
Title |
---|
CHENG LIN: "Research on Provably Secure Certificateless Signature Schemes", CDFD INFORMATION TECHNOLOGY, no. 4, 15 April 2015 (2015-04-15), pages 66 - 67 * |
Cited By (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900299A (en) * | 2018-08-17 | 2018-11-27 | 延边大学 | The shared key method of individual privacy is protected between a kind of group in communication |
CN110009354A (en) * | 2019-04-04 | 2019-07-12 | 郑州师范学院 | Voting method based on group ranking in a kind of block chain |
CN111711524A (en) * | 2020-05-25 | 2020-09-25 | 南京师范大学 | Certificate-based lightweight outsourcing data auditing method |
CN111783136A (en) * | 2020-06-17 | 2020-10-16 | 联想(北京)有限公司 | Data protection method, device, equipment and storage medium |
CN112235113A (en) * | 2020-07-15 | 2021-01-15 | 秦绪祥 | Wisdom community endowment service platform |
CN112291059B (en) * | 2020-07-28 | 2022-10-21 | 北京金山云网络技术有限公司 | Key generation method and device, storage medium and electronic equipment |
CN112291059A (en) * | 2020-07-28 | 2021-01-29 | 北京金山云网络技术有限公司 | Key generation method and device, storage medium and electronic equipment |
CN112383397A (en) * | 2020-09-15 | 2021-02-19 | 淮阴工学院 | Heterogeneous signcryption communication method based on biological characteristics |
CN112241526A (en) * | 2020-10-26 | 2021-01-19 | 北京华大信安科技有限公司 | Batch verification method and system based on SM9 digital signature |
CN112241526B (en) * | 2020-10-26 | 2024-03-19 | 北京华大信安科技有限公司 | Batch verification method and system based on SM9 digital signature |
CN112364335A (en) * | 2020-11-09 | 2021-02-12 | 成都卫士通信息产业股份有限公司 | Identification identity authentication method and device, electronic equipment and storage medium |
CN112364335B (en) * | 2020-11-09 | 2022-05-13 | 成都卫士通信息产业股份有限公司 | Identification identity authentication method and device, electronic equipment and storage medium |
CN112906059A (en) * | 2021-01-19 | 2021-06-04 | 中国银联股份有限公司 | Proxy signature and verification method, device, system and storage medium |
CN112906059B (en) * | 2021-01-19 | 2024-02-23 | 中国银联股份有限公司 | Proxy signature and verification method, device, system and storage medium |
CN114039722A (en) * | 2021-01-26 | 2022-02-11 | 中安网脉(北京)技术股份有限公司 | Secret sharing hidden identity SM2 signature private key generation device and method thereof |
CN113221130A (en) * | 2021-01-28 | 2021-08-06 | 武汉大学 | Certificateless online and offline signature method and medium for food safety Internet of things |
CN113038465A (en) * | 2021-02-25 | 2021-06-25 | 安徽农业大学 | Certificate-free condition privacy protection authentication scheme capable of being revoked in WBANs |
CN113038465B (en) * | 2021-02-25 | 2022-05-17 | 安徽农业大学 | Revocable certificateless condition privacy protection authentication method in self-organizing network |
CN113098684A (en) * | 2021-03-26 | 2021-07-09 | 国网河南省电力公司电力科学研究院 | Intelligent power grid-oriented untraceable blind signature method and system |
CN113301520A (en) * | 2021-05-21 | 2021-08-24 | 国网四川省电力公司电力科学研究院 | Method for secure communication of wireless sensor network |
CN113301520B (en) * | 2021-05-21 | 2023-02-28 | 国网四川省电力公司电力科学研究院 | Method for secure communication of wireless sensor network |
CN113360943A (en) * | 2021-06-23 | 2021-09-07 | 京东数科海益信息科技有限公司 | Block chain private data protection method and device |
CN113810412A (en) * | 2021-09-17 | 2021-12-17 | 国家工业信息安全发展研究中心 | Certificateless identification resolution identity trust control method, system and equipment |
CN113904777A (en) * | 2021-09-23 | 2022-01-07 | 武汉大学 | Signcryption method based on SM2 digital signature algorithm |
CN113904777B (en) * | 2021-09-23 | 2023-10-03 | 武汉大学 | SM2 digital signature algorithm-based signcryption method |
CN114339728A (en) * | 2021-12-30 | 2022-04-12 | 扬州大学 | Privacy protection and secure communication method suitable for wireless medical sensor network |
CN114339728B (en) * | 2021-12-30 | 2023-09-19 | 扬州大学 | Privacy protection and safety communication method suitable for wireless medical sensor network |
CN114726542A (en) * | 2022-04-08 | 2022-07-08 | 中国再保险(集团)股份有限公司 | Data transmission method and device based on privacy intersection |
CN114726542B (en) * | 2022-04-08 | 2024-04-09 | 中国再保险(集团)股份有限公司 | Data transmission method and device based on privacy intersection |
CN115001764A (en) * | 2022-05-23 | 2022-09-02 | 中国科学技术大学 | Cross-domain key agreement method and system based on consensus database under layered system |
CN115174054A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | Certificateless signature generation method and device based on SM9 signature |
CN115174055A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | SM9 signature-based certificate-based signature generation method and device |
CN115174052B (en) * | 2022-06-23 | 2024-04-16 | 武汉大学 | Adapter signature generation method and device based on SM9 signature |
CN115174053B (en) * | 2022-06-23 | 2024-04-12 | 武汉大学 | Signature generation method and device for repudiation ring authentication based on SM9 algorithm |
CN115174053A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | Signature generation method and device for disclainable ring authentication based on SM9 algorithm |
CN115174054B (en) * | 2022-06-23 | 2024-04-19 | 武汉大学 | Certificate-free signature generation method and device based on SM9 signature |
CN115174052A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | Adapter signature generation method and device based on SM9 signature |
CN115174101A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | Method and system for generating disclainable ring signature based on SM2 algorithm |
CN115174056A (en) * | 2022-06-23 | 2022-10-11 | 武汉大学 | Chameleon signature generation method and device based on SM9 signature |
CN115174055B (en) * | 2022-06-23 | 2024-04-26 | 武汉大学 | Certificate signature generation method and device based on SM9 signature |
CN115174056B (en) * | 2022-06-23 | 2024-04-19 | 武汉大学 | Chameleon signature generation method and chameleon signature generation device based on SM9 signature |
CN115225361A (en) * | 2022-07-14 | 2022-10-21 | 浪潮云信息技术股份公司 | Anonymous authentication and tracking method and system for P2P network |
CN116032480B (en) * | 2022-09-21 | 2024-05-17 | 辽宁工程技术大学 | Certificate-free broadcast multiple signature method based on pair-free mapping |
CN116032480A (en) * | 2022-09-21 | 2023-04-28 | 辽宁工程技术大学 | Certificate-free broadcast multiple signature method based on pair-free mapping |
CN116094729B (en) * | 2023-01-12 | 2024-04-19 | 武汉大学 | Method and system for offline authorization and online signature generation based on SM9 signature |
CN116094729A (en) * | 2023-01-12 | 2023-05-09 | 武汉大学 | Method and system for offline authorization and online signature generation based on SM9 signature |
CN116150793B (en) * | 2023-03-17 | 2023-10-24 | 北京信源电子信息技术有限公司 | DOA-based handle identification analysis technology data protection method and system |
CN116150793A (en) * | 2023-03-17 | 2023-05-23 | 北京信源电子信息技术有限公司 | DOA-based handle identification analysis technology data protection method and system |
CN116318738B (en) * | 2023-05-18 | 2023-09-05 | 北京信安世纪科技股份有限公司 | Signature method, signature system, electronic equipment and storage medium |
CN116318738A (en) * | 2023-05-18 | 2023-06-23 | 北京信安世纪科技股份有限公司 | Signature method, signature system, electronic equipment and storage medium |
CN117201015A (en) * | 2023-09-27 | 2023-12-08 | 西安邮电大学 | Multi-source network coding group signcryption method based on certificate-free |
CN117201015B (en) * | 2023-09-27 | 2024-05-17 | 西安邮电大学 | Multi-source network coding group signcryption method based on certificate-free |
CN117499039B (en) * | 2023-10-09 | 2024-03-26 | 贵州大学 | Blockchain signature method based on elliptic curve public key cryptographic algorithm |
CN117499039A (en) * | 2023-10-09 | 2024-02-02 | 贵州大学 | Blockchain signature method based on elliptic curve public key cryptographic algorithm |
Similar Documents
Publication | Title
---|---
WO2018119670A1 (en) | Method and device for certificateless partially blind signature
CN106789019B (en) | Certificate-free partial blind signature method and device
US10944575B2 (en) | Implicitly certified digital signatures
Zhang et al. | Efficient ID-based public auditing for the outsourced data in cloud storage
US9967239B2 (en) | Method and apparatus for verifiable generation of public keys
CN108989050B (en) | Certificateless digital signature method
CN104539423B (en) | A kind of implementation method without CertPubKey cipher system of no Bilinear map computing
US8433897B2 (en) | Group signature system, apparatus and storage medium
JP3522447B2 (en) | Authentication exchange method and additional public electronic signature method
EP3681093B1 (en) | Secure implicit certificate chaining
CN102387019B (en) | Certificateless partially blind signature method
US9882890B2 (en) | Reissue of cryptographic credentials
US20090210716A1 (en) | Direct anonymous attestation using bilinear maps
CN111211910B (en) | Anti-quantum computation CA (certificate Authority) and certificate issuing system based on secret shared public key pool and issuing and verifying method thereof
JP2004208263A (en) | Apparatus and method of blind signature based on individual identification information employing bilinear pairing
JP6043804B2 (en) | Combined digital certificate
KR20030062402A (en) | Apparatus and method for generating and verifying id-based proxy signature by using bilinear parings
CN106656508B (en) | A kind of Partial Blind Signature method and apparatus of identity-based
US20150006900A1 (en) | Signature protocol
Tso | A new way to generate a ring: Universal ring signature
Pandey et al. | Detection of Blind Signature Using Recursive Sum
CN116886401A (en) | Cloud storage data integrity auditing method based on identity
Kumar et al. | Cryptanalysis and improvement of two provably secure certificateless signature schemes
CN117611162A (en) | Transaction authentication method and device based on elliptic curve cryptography algorithm
Shim | On the security of verifiably encrypted signature schemes in a multi-user setting
Legal Events
Code | Title | Description
---|---|---
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16925041; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11-09-2019)
122 | Ep: pct application non-entry in european phase | Ref document number: 16925041; Country of ref document: EP; Kind code of ref document: A1