
CN106789019B - A certificateless partial blind signature method and device - Google Patents

A certificateless partial blind signature method and device

Info

Publication number: CN106789019B
Authority: CN (China)
Prior art keywords: signer, signature, key, private key, certificateless
Legal status: Expired - Fee Related
Application number: CN201611226746.XA
Other languages: Chinese (zh)
Other versions: CN106789019A (en)
Inventors: 张鹏, 李俊超, 喻建平
Current assignee: Shenzhen University
Original assignee: Shenzhen University
History: application filed by Shenzhen University; priority to CN201611226746.XA; publication of CN106789019A; application granted; publication of CN106789019B; now expired (fee related).

Classifications

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H Electricity → H04 Electric communication technique → H04L Transmission of digital information, e.g. telegraphic communication)
        • H04L9/32 … including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3247 … involving digital signatures
                • H04L9/3257 … involving digital signatures using blind signatures
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these


Abstract

The invention belongs to the technical field of information security and provides a certificateless partial blind signature method. The method comprises: establishing public system parameters params={G1, G2, P, e, g, H0, H1, H2, P_pub}; the signer extracts its private key as

Figure DDA0001193762870000011
and its public key as
Figure DDA0001193762870000012
the signer randomly selects
Figure DDA0001193762870000013
computes z=H0(c) and R=rP, and sends R to the signature requester; after receiving R, the signature requester randomly selects a blinding factor
Figure DDA0001193762870000014
computes z=H0(c), R′=αR,
Figure DDA0001193762870000015
h′=H2(m,z,y) and h=α^-1(β-h′), and sends h to the signer; after receiving h, the signer computes S and sends S to the signature requester; the signature requester deblinds by computing S′=αS and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′); the verifier verifies the signature. The invention effectively solves the security problem that tampering with the negotiated public information causes in certificateless partial blind signatures.

Figure 201611226746

Description

A certificateless partial blind signature method and device

Technical field

The invention belongs to the technical field of information security, and in particular relates to a certificateless partial blind signature method and device.

Background

A blind signature is a signature that the signer produces without learning the content of the message the signature requester asks to have signed; this property is called blindness. Besides the properties of an ordinary digital signature (content integrity, non-repudiation of the transaction and authenticity of both parties' identities), a blind signature uses blindness to protect user privacy. Because the signer knows nothing about the signed message, however, a blind signature is easily misused by a malicious requester. The concept of the partially blind signature was therefore proposed: the message is split into a blinded part and a public part, so a partially blind signature protects user privacy while keeping part of the signed content under the signer's control.

In identity-based cryptosystems the Key Generation Center (KGC) knows every user's private key and can forge any user's signature; this is known as the key escrow problem. To solve it, Al-Riyami and Paterson proposed the concept of Certificateless Public Key Cryptography (CL-PKC) in 2003; see Al-Riyami S S, Paterson K G. Certificateless Public Key Cryptography [J]. Lecture Notes in Computer Science, 2003, 2894(2): 452-473, hereinafter referred to as document 1. In CL-PKC the key generation center generates a partial private key for the user, and the user's full private key consists of that partial private key and a secret value the user chooses at random, which removes the key escrow problem. Combining certificateless public key cryptography with blind signatures gives the certificateless blind signature (CL-BS); using CL-BS in e-commerce protects user privacy while avoiding both the certificate management of PKI and the key escrow problem of ID-PKC. To suit electronic cash systems better, certificateless public key cryptography is combined with partially blind signatures to give the certificateless partially blind signature (CL-PBS).

Literature on certificateless partially blind signatures has already been published, for example:

Cheng L, Wen Q. Cryptanalysis and improvement of a certificateless partially blind signature [J]. IET Information Security, 2015, 9(6): 380-386, hereinafter referred to as document 2.

Zhang L, Zhang F, Qin B, et al. Corrigendum: "Provably-secure electronic cash based on certificateless partially-blind signatures" [J]. Electronic Commerce Research & Applications, 2011, 10(1): 545-552, hereinafter referred to as document 3.

Document 2 points out that the CL-PBS scheme of document 3 cannot resist an attack in which a malicious user replaces the signer's public key, and proposes an improved scheme. Analysis of the improved scheme, however, shows that it does not prevent a malicious user from tampering with the negotiated public information.

Summary of the invention

Embodiments of the present invention provide a certificateless partial blind signature method, aiming to solve the problem that the negotiated public information in existing certificateless partial blind signatures has low security.

Embodiments of the present invention are implemented as follows. A certificateless partial blind signature method comprises:

Establishing public system parameters params={G1, G2, P, e, g, H0, H1, H2, P_pub}, where l is a security parameter and the prime q satisfies q>2^l; {G1,+} is a cyclic additive group of order q and P is any generator of G1; {G2,·} is a cyclic multiplicative group of order q with generator g; e: G1×G1→G2 is a bilinear pairing and g=e(P,P)∈G2; the hash functions are

Figure BDA0001193762850000021
and H1:{0,1}*→G1; KGC selects s as the master key and P_pub=sP as the public key;

The signer extracts its private key as

Figure BDA0001193762850000023
and its public key;

The signer randomly selects

Figure BDA0001193762850000025
computes z=H0(c) and R=rP, and sends R to the signature requester;

After receiving R, the signature requester randomly selects a blinding factor

Figure BDA0001193762850000031
computes z=H0(c),
Figure BDA0001193762850000032
h′=H2(m,z,y) and h=α^-1(β-h′), and sends h to the signer;

After receiving h, the signer computes

Figure BDA0001193762850000033
and sends S to the signature requester;

The signature requester deblinds by computing S′=αS and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′);

The verifier verifies the signature.

Preferably, the specific steps of establishing the public system parameters params={G1, G2, P, l, q, e, H1, H2, H3, P_pub} are:

According to the security requirements, determine the size of the security parameter l and the prime q, and use an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} that admit the bilinear map e: G1×G1→G2;

Select collision-free hash functions

Figure BDA0001193762850000034
H1:{0,1}*→G1 and
Figure BDA0001193762850000035

Randomly select an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, and compute P_pub=sP as the corresponding public key;

Publish the system parameters {G1, G2, P, e, g, H0, H1, H2, P_pub} and keep s as the master key.

Preferably, the specific steps by which the signer extracts its private key

Figure BDA0001193762850000036
and public key
Figure BDA0001193762850000037
are:

Input the system parameters params and the signer's identity ID_B; KGC computes

Figure BDA0001193762850000038
and sends the partial private key
Figure BDA0001193762850000039
to the signer;

According to the system parameters params and the signer's identity ID_B, the signer randomly selects

Figure BDA00011937628500000310
as its secret value;

According to the system parameters params, the signer's identity ID_B, the partial private key

Figure BDA00011937628500000311
and the secret value, the signer's private key is obtained as
Figure BDA00011937628500000313

According to the system parameters params, the signer's identity ID_B and the secret value

Figure BDA0001193762850000041
the signer's public key is obtained as
Figure BDA0001193762850000042

Preferably, the specific steps of the verifier's signature verification include:

The verifier receives the signer's message-signature pair (m, c, σ=(y,h′,S′));

Compute z=H0(c) and y′;

Check whether the equation h′=H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature made by the signer;

Otherwise the signature is invalid.

Embodiments of the present invention also provide a certificateless partial blind signature device, comprising:

a system parameter establishment unit, for establishing the public system parameters params={G1, G2, P, e, g, H0, H1, H2, P_pub};

an extraction unit, for the signer to extract its private key and public key;

a commitment unit, for randomly selecting

Figure BDA0001193762850000044
computing z=H0(c) and R=rP, and sending R to the signature requester;

a blinding unit, for randomly selecting, after R is received, a blinding factor

Figure BDA0001193762850000045
computing z=H0(c),
Figure BDA0001193762850000046
h′=H2(m,z,y) and h=α^-1(β-h′), and sending h to the signer;

a partial blind signature unit, for computing, after h is received,

Figure BDA0001193762850000047
and sending S to the signature requester;

a deblinding unit, for deblinding by computing S′=αS and obtaining the signature on the message m and the negotiated message c as σ=(y,h′,S′);

a verification unit, for verifying the signature.

Preferably, the system parameter establishment unit comprises:

a construction module, for determining the size of the security parameter l and the prime q and using an elliptic curve to construct a cyclic additive group {G1,+} and a cyclic multiplicative group {G2,·} that admit the bilinear map e: G1×G1→G2;

a function selection module, for selecting collision-free hash functions

Figure BDA0001193762850000051
H1:{0,1}*→G1 and
Figure BDA0001193762850000052

a key module, for randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the private key generation center KGC, computing P_pub=sP as the corresponding public key, publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, P_pub} and keeping s as the master key.

Preferably, the extraction unit comprises:

a partial private key generation module, for KGC to compute, from the system parameters params and the signer's identity ID_B,

Figure BDA0001193762850000053
Figure BDA0001193762850000054
and to send the partial private key
Figure BDA0001193762850000055
to the signer;

a secret value generation module, for randomly selecting, according to the system parameters params and the signer's identity ID_B,

Figure BDA0001193762850000056
as the signer's secret value;

a private key module, for deriving, from the system parameters params, the signer's identity ID_B, the partial private key

Figure BDA0001193762850000057
and the secret value
Figure BDA0001193762850000058
the signer's private key
Figure BDA0001193762850000059

a public key module, for deriving, from the system parameters params, the signer's identity ID_B and the secret value

Figure BDA00011937628500000510
the signer's public key
Figure BDA00011937628500000511

Preferably, the verification unit comprises:

a receiving module, for receiving the message-signature pair (m, c, σ=(y,h′,S′)) sent by the signature requester;

a computation module, for computing z=H0(c) and

Figure BDA00011937628500000512

a verification module, for checking whether the equation h′=H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature made by the signer, otherwise the signature is invalid.

In the technical solution of the present invention, the signer inserts the negotiated information into the computation of

Figure BDA00011937628500000513
where z=H0(c). The correctness proof of the signature scheme shows that the negotiated information z=H0(c) inserted by the signer corresponds both to the negotiated information that the signature requester inserts when blinding and to the negotiated information
Figure BDA00011937628500000515
used in the verification equation. The scheme of the present invention is therefore secure against tampering with the negotiated information, and effectively solves the security problem that tampering with the negotiated public information causes in certificateless partial blind signatures.

Description of the drawings

Fig. 1 is a schematic flowchart of a certificateless partial blind signature method provided by an embodiment of the present invention;

Fig. 2 is a simplified flowchart of a certificateless partial blind signature method provided by an embodiment of the present invention;

Fig. 3 is a structural block diagram of a certificateless partial blind signature device provided by an embodiment of the present invention;

Fig. 4 is a structural block diagram of the system parameter establishment unit of the present invention;

Fig. 5 is a structural block diagram of the extraction unit of the present invention;

Fig. 6 is a structural block diagram of the verification unit of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.

To make the technical solution of the present invention easier to understand, we first briefly describe the partial blind signature process of document 2 above:

First, public system parameters params={G1, G2, P, l, q, e, H0, H1, H2, P_pub} are established.

Given a security parameter l and a prime q>2^l, {G1,+} is a cyclic additive group of order q and P is any generator of G1; {G2,·} is a cyclic multiplicative group of order q with generator g; e: G1×G1→G2 is a bilinear pairing and g=e(P,P)∈G2; the hash functions are

Figure BDA0001193762850000061
Figure BDA0001193762850000062
Figure BDA0001193762850000063
KGC selects s as the master key and P_pub=sP as the public key; the system parameters are params={G1, G2, P, l, q, e, H0, H1, H2, P_pub}.

Then the key extraction algorithms are run:

Partial private key generation: input the system parameters params and the signer's identity ID_B; KGC computes

Figure BDA0001193762850000071
and sends the partial private key to the signer.

Set secret value: input the system parameters params and the signer's identity ID_B; the signer randomly selects

Figure BDA0001193762850000072
as its secret value.

Set private key: the algorithm takes as input the system parameters, the signer's identity ID_B, the partial private key

Figure BDA0001193762850000073
and the secret value
Figure BDA0001193762850000074
and outputs the signer's private key
Figure BDA0001193762850000075

Set public key: the algorithm takes as input the system parameters, the signer's identity ID_B and the secret value, and outputs the signer's public key

Figure BDA0001193762850000077

Then the partial blind signature generation algorithm is run:

Suppose m is the message the signature requester wants signed and c is the public information negotiated between the signer and the signature requester. The signer uses its private key

Figure BDA0001193762850000078
and public key
Figure BDA0001193762850000079
to sign the message m and the public negotiated information c together with the signature requester. The specific process is as follows:

a) Commitment. The signer randomly selects

Figure BDA00011937628500000710
computes z=H0(c) and R=rzP, and sends R to the signature requester.

b) Blinding. After receiving R, the signature requester randomly selects a blinding factor and computes z=H0(c), R′=γR,

Figure BDA00011937628500000712
h=γ^-1(β-h′), and sends h to the signer.

c) Partial blind signature. After receiving h, the signer only needs to compute

Figure BDA00011937628500000713
and send S to the signature requester.

d) Deblinding. The signature requester computes S′=γS+αP_pub.

After this series of interactions, the signature requester obtains the signature on the message m and the negotiated information c as σ=(R′,h′,S′).

Finally, the signature verification algorithm is run:

After receiving the signer's signature σ=(R′,h′,S′) on the message m and the negotiated information c, the verifier first computes z=H0(c),

Figure BDA00011937628500000714
and finally checks whether the equation
Figure BDA00011937628500000715
holds. If it holds, the message-signature pair (m, c, σ=(R′,h′,S′)) is accepted as a legitimate signature of the signer; otherwise it is invalid.

The above scheme is open to a security attack; the attack analysis is as follows:

The attack on the scheme tampers with the negotiated information c, changing it to c′. The signer uses its private key and public key

Figure BDA0001193762850000082
to sign the message m and the public negotiated information c together with the signature requester, and the signature requester changes the negotiated information c to c′:

a) Commitment. The signer randomly selects

Figure BDA0001193762850000083
computes z=H0(c) and R=rzP, and sends R to the signature requester.

b) Blinding. After receiving R, the signature requester randomly selects a blinding factor and computes z=H0(c), z′=H0(c′), R′=γR, R″=z^-1 z′ R′,

Figure BDA0001193762850000085
h=γ^-1(β-h′) and h″=z z′^-1 h, and sends h″ to the signer.

c) Partial blind signature. After receiving h″, the signer only needs to compute S and send S to the signature requester.

d) Deblinding. The signature requester computes S′=z^-1 z′ S and S″=γS′+αP_pub.

After this series of interactions, the signature requester obtains the signature on the message m and the negotiated information c′ as σ=(R″,h′,S″).

For the signature requester's signature σ=(R″,h′,S″) on the message m and the negotiated information c′, the verifier needs to compute

Figure BDA0001193762850000087
z′=H0(c′) and check whether the equation
Figure BDA0001193762850000088
holds. If it holds, the signature is valid, i.e. the tampering of the negotiated information to c′ has succeeded. In this verification it is in fact only necessary to check whether the equation
Figure BDA0001193762850000089
holds;

Figure BDA00011937628500000810

Figure BDA0001193762850000091

That is, without the signer's consent, the signature formed after the signature requester tampers with the public information still passes the verification equation, so the verifier believes that σ=(R″,h′,S″) is the signer's valid signature on the message m and the negotiated message c′.

With reference to Fig. 1 and Fig. 2, an embodiment of the present invention provides a certificateless partial blind signature method comprising the following steps:

Step S100: establish public system parameters params={G1, G2, P, e, g, H0, H1, H2, P_pub};

where l is a security parameter and the prime q satisfies q>2^l; {G1,+} is a cyclic additive group of order q and P is any generator of G1; {G2,·} is a cyclic multiplicative group of order q with generator g; e: G1×G1→G2 is a bilinear pairing and g=e(P,P)∈G2; the hash functions are H1:{0,1}*→G1 and

Figure BDA0001193762850000093
KGC selects s as the master key and P_pub=sP as the public key;

Step S200: the signer extracts its private key as

Figure BDA0001193762850000094
and its public key as
Figure BDA0001193762850000095

Step S300: the signer randomly selects

Figure BDA0001193762850000096
computes z=H0(c) and R=rP, and sends R to the signature requester;

Step S400: after receiving R, the signature requester randomly selects a blinding factor

Figure BDA0001193762850000097
computes z=H0(c), R′=αR,
Figure BDA0001193762850000098
h′=H2(m,z,y) and h=α^-1(β-h′), and sends h to the signer;

Step S500, after receiving h, the signer computes S and sends S to the signature requester;

Step S600, the signature requester removes the blinding by computing S′ = αS and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′);

Step S700, the verifier verifies the signature.

Preferably, in step S100, establishing the public system parameters params={G1, G2, P, e, g, H0, H1, H2, Ppub} specifically comprises:

Step S110, according to the security requirements, determine the security parameter l and the size of the prime q, and use an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit the bilinear pairing e: G1×G1→G2;

Step S120, select the collision-resistant hash functions H1: {0,1}*→G1,
Figure BDA0001193762850000101
Figure BDA0001193762850000102

Step S130, randomly select an integer s from the multiplicative group of integers mod q as the master key of the key generation center KGC, and compute Ppub = sP as the corresponding public key;

Step S140, publish the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub} and keep s as the master key.

Further, step S200 specifically comprises:

Step S210, on input the system parameters params and the signer's identity IDB, the KGC computes
Figure BDA0001193762850000103
Figure BDA0001193762850000104
and sends the partial private key
Figure BDA0001193762850000105
to the signer;

Step S220, according to the system parameters params and the signer's identity IDB, the signer randomly selects
Figure BDA0001193762850000106
as its secret value;

Step S230, from the system parameters params, the signer's identity IDB, the partial private key
Figure BDA0001193762850000107
and the secret value
Figure BDA0001193762850000108
the signer obtains its private key as
Figure BDA0001193762850000109

Step S240, from the system parameters params, the signer's identity IDB and the secret value
Figure BDA00011937628500001010
the signer obtains its public key
Figure BDA00011937628500001011

Further, step S700 specifically comprises:

Step S710, the verifier receives the signer's message-signature pair (m, c, σ=(y,h′,S′));

Step S720, compute z = H0(c) and
Figure BDA00011937628500001012

Step S730, check whether the equation h′ = H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature produced by the signer;

otherwise the signature is invalid.

Because the signer inserts the negotiated information into the computation of
Figure BDA0001193762850000111
where z = H0(c), the correctness proof of the signature scheme shows that the negotiated information z = H0(c) inserted by the signer corresponds not only to the negotiated information that the signature requester inserts when blinding,
Figure BDA0001193762850000112
but also to the negotiated information used in the verification equation,
Figure BDA0001193762850000113
Hence this scheme resists tampering attacks on the public negotiated information.

As shown in FIG. 3, an embodiment of the present invention also provides a certificateless partial blind signature device, comprising:

a system parameter establishing unit 100 for establishing the public system parameters params={G1, G2, P, e, g, H0, H1, H2, Ppub};

an extraction unit 200 for the signer to extract its private key and public key;

a commitment unit 300 for randomly selecting a value, computing z = H0(c) and R = rP, and sending R to the signature requester;

a blinding unit 400 for, after receiving R, randomly selecting the blinding factors
Figure BDA0001193762850000115
and computing z = H0(c),
Figure BDA0001193762850000116
h′ = H2(m,z,y) and h = α^{-1}(β − h′), and sending h to the signer;

a partial blind signature unit 500 for, after receiving h, computing
Figure BDA0001193762850000117
and sending S to the signature requester;

a deblinding unit 600 for removing the blinding by computing S′ = αS and obtaining the signature on the message m and the negotiated message c as σ=(y,h′,S′);

a verification unit 700 for verifying the signature.

As shown in FIG. 4, the system parameter establishing unit 100 further comprises:

a construction module 101 for determining the security parameter l and the size of the prime q, and using an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit the bilinear pairing e: G1×G1→G2;

a function selection module 102 for selecting the collision-resistant hash functions
Figure BDA0001193762850000118
H1: {0,1}*→G1,
Figure BDA0001193762850000121

a key module 103 for randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the key generation center KGC, computing Ppub = sP as the corresponding public key, publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub} and keeping s as the master key.

As shown in FIG. 5, the extraction unit 200 further comprises:

a partial private key generation module 201 for the KGC to compute, from the system parameters params and the signer's identity IDB,
Figure BDA0001193762850000122
Figure BDA0001193762850000123
and send the partial private key to the signer;

a secret value generation module 202 for randomly selecting, according to the system parameters params and the signer's identity IDB, a value as the signer's secret value;

a private key module 203 for obtaining, from the system parameters params, the signer's identity IDB, the partial private key
Figure BDA0001193762850000126
and the secret value
Figure BDA0001193762850000127
the signer's private key as
Figure BDA0001193762850000128

a public key module 204 for obtaining, from the system parameters params, the signer's identity IDB and the secret value
Figure BDA0001193762850000129
the signer's public key
Figure BDA00011937628500001210

As shown in FIG. 6, the verification unit 700 further comprises:

a receiving module 701 for receiving the message-signature pair (m, c, σ=(y,h′,S′)) sent by the signature requester;

a computation module 702 for computing z = H0(c) and
Figure BDA00011937628500001211

a verification module 702 for checking whether the equation h′ = H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature produced by the signer, otherwise the signature is invalid.

Below, the computational efficiency of the technical solution of the present invention is compared with the existing CL-PBS schemes discussed above, including the schemes of Document 2 and Document 3, where Document 2 is the improved scheme proposed in response to the public key replacement attack on Document 3. The supersingular elliptic curve E(F_p): y^2 = x^3 + x with embedding degree 2 is used, where q = 2^159 + 2^17 + 1 is a 160-bit prime and p is a 512-bit prime satisfying p + 1 = 12qr. Hardware platform: a CPIV 3-GHz CPU, 512 MB of memory and the Windows XP operating system. Table 1 lists the running times of the costly basic operations in the cryptographic schemes.

Table 1. Running times of the basic operations in the schemes (unit: milliseconds)

Figure BDA0001193762850000131

Table 2 lists the number of costly operations in each scheme, comparing mainly the computation performed by the signer, the signature requester and the verifier in the construction of each scheme.

Table 2. Computational performance comparison of the schemes (unit: milliseconds)

Figure BDA0001193762850000132

In summary, the scheme constructed by the present invention clearly has higher efficiency.

The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. A certificateless partial blind signature method, comprising:
establishing public system parameters params={G1, G2, P, e, g, H0, H1, H2, Ppub}; wherein l is a security parameter and the prime q satisfies q > 2^l, {G1, +} is a cyclic additive group of order q, P is any generator of G1; {G2, ·} is a cyclic multiplicative group of order q, g is a generator; the bilinear pairing e: G1×G1→G2, g = e(P,P) ∈ G2; the hash functions:
Figure FDA0002272776610000011
H1: {0,1}*→G1,
Figure FDA0002272776610000012
the key generation center KGC selects s as the master key and Ppub = sP as the public key;
the signer extracts its private key as
Figure FDA0002272776610000013
and its public key as
Figure FDA0002272776610000014
the signer randomly selects
Figure FDA0002272776610000015
computes z = H0(c) and R = rP, and sends R to the signature requester;
after receiving R, the signature requester randomly selects the blinding factors
Figure FDA0002272776610000016
computes z = H0(c), R′ = αR,
Figure FDA0002272776610000017
h′ = H2(m,z,y), h = α^{-1}(β − h′), and sends h to the signer;
after receiving h, the signer computes
Figure FDA0002272776610000018
and sends S to the signature requester;
the signature requester removes the blinding by computing S′ = αS and obtains the signature on the message m and the negotiated message c as σ=(y,h′,S′);
and the verifier verifies the signature.
2. The certificateless partial blind signature method of claim 1, wherein establishing the public system parameters params={G1, G2, P, e, g, H0, H1, H2, Ppub} specifically comprises:
according to the security requirements, determining the security parameter l and the prime q, and using an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit the bilinear pairing e: G1×G1→G2;
selecting the hash functions
Figure FDA0002272776610000019
H1: {0,1}*→G1,
Figure FDA00022727766100000110
randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the key generation center KGC, and computing Ppub = sP as the corresponding public key;
publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub} and keeping s as the master key.
3. The certificateless partial blind signature method of claim 1, wherein the signer extracting its private key as
Figure FDA0002272776610000021
and its public key as
Figure FDA0002272776610000022
specifically comprises:
on input the system parameters params and the signer's identity IDB, the KGC computes
Figure FDA0002272776610000023
and sends the partial private key
Figure FDA0002272776610000024
to the signer;
according to the system parameters params and the signer's identity IDB, the signer randomly selects
Figure FDA0002272776610000025
as its secret value;
from the system parameters params, the signer's identity IDB, the partial private key
Figure FDA0002272776610000026
and the secret value
Figure FDA0002272776610000027
the signer obtains its private key as
Figure FDA0002272776610000028
from the system parameters params, the signer's identity IDB and the secret value, the signer obtains its public key.
4. The certificateless partial blind signature method of claim 1, wherein the verifier verifying the signature specifically comprises:
the verifier receives the signer's message-signature pair (m, c, σ=(y,h′,S′));
computes z = H0(c) and
Figure FDA00022727766100000213
checks whether the equation h′ = H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature produced by the signer;
otherwise the signature is invalid.
5. A certificateless partial blind signature apparatus, comprising:
a system parameter establishing unit for establishing the public system parameters params={G1, G2, P, e, g, H0, H1, H2, Ppub};
wherein l is a security parameter and the prime q satisfies q > 2^l, {G1, +} is a cyclic additive group of order q, P is any generator of G1; {G2, ·} is a cyclic multiplicative group of order q, g is a generator; the bilinear pairing e: G1×G1→G2, g = e(P,P) ∈ G2; the hash functions:
Figure FDA00022727766100000211
H1: {0,1}*→G1,
Figure FDA00022727766100000212
the KGC selects s as the master key and Ppub = sP as the public key;
an extraction unit for the signer to extract its private key and public key;
a commitment unit for randomly selecting a value, computing z = H0(c) and R = rP, and sending R to the signature requester;
a blinding unit for, after receiving R, randomly selecting the blinding factors and computing z = H0(c), R′ = αR,
Figure FDA0002272776610000033
h′ = H2(m,z,y), h = α^{-1}(β − h′), and sending h to the signer;
a partial blind signature unit for, after receiving h, computing S and sending S to the signature requester;
a deblinding unit for removing the blinding by computing S′ = αS and obtaining the signature on the message m and the negotiated message c as σ=(y,h′,S′);
and a verification unit for verifying the signature.
6. The certificateless partial blind signature apparatus of claim 5, wherein the system parameter establishing unit comprises:
a construction module for determining the security parameter l and the prime q, and using an elliptic curve to construct a cyclic additive group {G1, +} and a cyclic multiplicative group {G2, ·} that admit the bilinear pairing e: G1×G1→G2;
a function selection module for selecting the collision-resistant hash functions
Figure FDA0002272776610000035
H1: {0,1}*→G1,
Figure FDA0002272776610000036
a key module for randomly selecting an integer s from the multiplicative group of integers mod q as the master key of the key generation center KGC, computing Ppub = sP as the corresponding public key, publishing the system parameters {G1, G2, P, e, g, H0, H1, H2, Ppub} and keeping s as the master key.
7. The certificateless partial blind signature apparatus of claim 5, wherein the extraction unit comprises:
a partial private key generation module for the KGC to compute, from the system parameters params and the signer's identity IDB,
Figure FDA0002272776610000037
and send the partial private key to the signer;
a secret value generation module for randomly selecting, according to the system parameters params and the signer's identity IDB,
Figure FDA0002272776610000039
as the signer's secret value;
a private key module for obtaining, from the system parameters params, the signer's identity IDB, the partial private key and the secret value
Figure FDA0002272776610000042
the signer's private key;
a public key module for obtaining, from the system parameters params, the signer's identity IDB and the secret value
Figure FDA0002272776610000044
the signer's public key.
8. The certificateless partial blind signature apparatus of claim 5, wherein the verification unit comprises:
a receiving module for receiving the message-signature pair (m, c, σ=(y,h′,S′)) sent by the signature requester;
a computation module for computing z = H0(c) and
Figure FDA0002272776610000046
a verification module for checking whether the equation h′ = H2(m,z,y′) holds; if it does, the verifier accepts (m, c, σ=(y,h′,S′)) as a valid blind signature produced by the signer, otherwise the signature is invalid.
CN201611226746.XA 2016-12-27 2016-12-27 A certificateless partial blind signature method and device Expired - Fee Related CN106789019B (en)


Publications (2)

Publication Number Publication Date
CN106789019A CN106789019A (en) 2017-05-31
CN106789019B true CN106789019B (en) 2020-01-17


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102387019A (en) * 2011-10-19 2012-03-21 西安电子科技大学 Certificateless partially blind signature method
CN102420810A (en) * 2011-09-28 2012-04-18 盛乐信息技术(上海)有限公司 Network file system and method based on certificateless public key mechanism
EP2947840A1 (en) * 2013-09-16 2015-11-25 Huawei Device Co., Ltd. Certificateless multi-agent signature method and apparatus


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《无证书盲签名方案》 (Certificateless blind signature scheme); Su Wanli et al.; 《电子科技大学学报》 (Journal of University of Electronic Science and Technology of China); 2009-07-31; full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200117