CN113972987B - A method of identity-based multi-signature based on subgroup - Google Patents
Publication number: CN113972987B (application CN202111261478.6A)
Authority: CN (China)
Prior art keywords: group, signature, gtag, administrator, identity
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L9/3247: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L9/3236: as above, using cryptographic hash functions
- Y02D30/50: Reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention proposes a subgroup-based identity-based multi-signature method. First, the group administrator uses the group private key to generate, for each member of the signer group, a member private key derived from that member's identity, and computes a group public key that includes a group tag. Second, once a signing subgroup has been selected, the members of that subgroup sign the same message on behalf of the whole group. When all members of the subgroup have signed, they send their member signatures to the group administrator, who verifies the correctness of each received signature and only then decides whether to aggregate: if every member signature is valid, the signatures are aggregated into a multi-signature; otherwise signing fails. Once the multi-signature has been generated, any entity can verify its validity. The invention simplifies the authentication performed during multi-signature aggregation, improves the robustness of multi-signatures in adversarial consensus-mechanism settings, and strengthens security in practical applications.
Description
Technical field
The invention proposes a subgroup-based identity-based multi-signature method and belongs to the field of information security.
Background
With the rapid development of computer and information technology and the ever deeper adoption of e-commerce and blockchain, digital signatures are widely used in electronic wallets and consensus mechanisms. In blockchain and related fields, the efficiency with which a secure electronic ledger can be built, and the efficiency of signature verification, are closely tied to economic benefit; at the same time, decentralised anonymous consensus mechanisms create a need to resist maliciously forged message signatures. To secure electronic transactions, improved multi-signature schemes play an increasingly important role in verifying the signing entities and the integrity of transactions.
In practice, however, schemes built on a public key infrastructure spend additional resources on certificate management, for example a public certificate server that publishes revocation certificates, which makes them comparatively complex and cumbersome to apply; building the multi-signature scheme on identity-based signatures instead reduces the storage involved and improves verification efficiency. Moreover, traditional multi-signature schemes assume by default that the participating entities are honest, so in practice they cannot guarantee the validity of the signature in settings where forged signatures have to be countered. To strengthen the robustness of the multi-signature, the scheme should add a step that verifies the signing entities before the aggregate signature is generated.
In view of these problems, and in order to make electronic transactions more efficient and electronic assets safer, the multi-signature should be combined with identity-based signatures to simplify entity authentication, a random signing subgroup should be chosen to generate the multi-signature on behalf of the whole group, and verification should be added before signature aggregation, improving the robustness of the multi-signature.
Contents of the invention
Purpose of the invention: to address the difficulty traditional schemes have in guaranteeing the required security in adversarial settings, and to simplify the authentication of signing group members, the invention proposes a subgroup-based identity-based multi-signature method that improves both security and authentication efficiency.
Technical solution: to achieve the above purpose, the invention adopts the following technical solution.
A subgroup-based identity-based multi-signature method, as shown in Figure 1, comprising the following steps:
Step 1: initialise the system parameters; the group administrator generates the master public/private key pair;
Step 2: each group member sends its identity to the group administrator, who generates a private key for each member in turn;
Step 3: the group administrator computes the group tag from the set of group member public keys; the set of member public keys together with the group tag forms the group public key;
Step 4: the group administrator selects the signing subgroup and publishes the subgroup set; each member of the subgroup generates its own signature and sends it to the group administrator;
Step 5: the group administrator verifies the signatures received from the subgroup members of step 4; if any signature is invalid, return to step 3;
Step 6: if all signatures received in step 5 are valid, the group administrator aggregates the member signatures into a multi-signature;
Step 7: any entity inside or outside the group verifies the correctness of the multi-signature.
Further, step 1 is specifically:
Step 1.1: let G1 be an additive cyclic group of prime order q and G2 a multiplicative cyclic group of prime order q (the group operation in G1 is written multiplicatively throughout, so g^x denotes the x-fold multiple of g). Given a security parameter n, let Gen be the parameter generation algorithm; Gen(n) outputs (q, g, G1, G2), where (G1, G2) is a bilinear group pair of prime order q, e: G1 × G1 → G2 is the bilinear map from G1 to G2, and g is a generator of G1. The four secure hash functions are H1: {0,1}* → G1, H3: {0,1}* → G1 and H2, H4: {0,1}* → Z_q^*, where Z_q denotes the set {0, 1, 2, ..., q-1} and Z_q^* the set {1, 2, ..., q-1}; H1: {0,1}* → G1 means that a value from {0,1}* is mapped by H1 to an element of the group G1. The system parameters are public to all group members;
Step 1.2: the group administrator picks x ∈ Z_q^* uniformly at random as the master private key and computes the master public key y = g^x.
Further, step 2 is specifically:
Step 2.1: each group member sends its identity ID_i to the group administrator (the PKG);
Step 2.2: the group administrator PKG computes the hash value pk_i = H1(ID_i), then computes d_{ID_i} = pk_i^x and returns it to the corresponding group member.
Further, step 3 is specifically:
Step 3.1: the group administrator creates the set IDG, adds the identities of all group members to it, and maintains the corresponding public key list {pk_1, ..., pk_n} with pk_i = H1(ID_i);
Step 3.2: the group administrator hashes the set IDG to obtain gtag = H4(IDG); the hash value gtag becomes the identification tag of the group;
Step 3.3: combining the public key set with the group tag gtag gives the group public key gpk = (gtag, IDG), which is published to the group members.
Further, step 4 is specifically:
Step 4.1: before the message m is signed, the group administrator determines a member subset J containing the identities ID of the members that take part in this signature on behalf of the whole group, and publishes J within the group;
Step 4.2: the members whose ID is in J each sign the message m; each first picks a random number r_j ∈ Z_q^*;
Step 4.3: each participating member hashes gtag and m to obtain H3(gtag, m), then computes S_{j,1} = d_{ID_j} · H3(gtag, m)^{r_j} and S_{j,2} = g^{r_j}, where gtag is the group tag, m is the message to be signed, r_j is the random number chosen by the member, d_{ID_j} is the member's private key and g is the generator of G1;
Step 4.4: the signature generated by each participating member consists of two parts, S_j = (S_{j,1}, S_{j,2}); after generating S_j the member sends it to the group administrator PKG.
Further, step 5 is specifically:
Step 5.1: the group administrator verifies each received member signature: it hashes gtag and m to obtain H3(gtag, m) and then computes the three bilinear pairings e(g, S_{j,1}), e(y, pk_j) and e(S_{j,2}, H3(gtag, m)), where S_{j,1} and S_{j,2} are the two components of the member signature S_j, pk_j = H1(ID_j), and y is the public key of the group administrator (j ranges over the members of J; n denotes the number of members in J);
Step 5.2: compare e(g, S_{j,1}) with e(y, pk_j) · e(S_{j,2}, H3(gtag, m)); if the two values are equal, the member signature S_j is valid, otherwise it is invalid;
Step 5.3: if an invalid member signature appears, return to step 3.1 and re-determine the signing subgroup.
Further, step 6 is specifically:
Step 6.1: if every member signature verified as valid, the group administrator PKG aggregates the received member signatures;
Step 6.2: hash (ID_j, J, IDG) to obtain a_j = H2(ID_j, J, IDG) (j ranges over the members of J; n denotes the number of members in J);
Step 6.3: compute σ1 = ∏_{j∈J} S_{j,1}^{a_j} and σ2 = ∏_{j∈J} S_{j,2}^{a_j};
Step 6.4: the aggregated multi-signature consists of two parts, σ = (σ1, σ2).
Further, step 7 is specifically:
Step 7.1: to verify the correctness of the multi-signature, first hash (ID_j, J, IDG) to obtain a_j = H2(ID_j, J, IDG) (j ranges over the members of J; n denotes the number of members in J), then compute the aggregated public key apk = ∏_{j∈J} pk_j^{a_j} with pk_j = H1(ID_j);
Step 7.2: hash gtag and m to obtain H3(gtag, m), then compute the three bilinear pairings e(g, σ1), e(y, apk) and e(σ2, H3(gtag, m)), where σ1 and σ2 are the components of the multi-signature σ and y is the public key of the group administrator;
Step 7.3: compare e(g, σ1) with e(y, apk) · e(σ2, H3(gtag, m)); if the two values are equal, the multi-signature σ = (σ1, σ2) is valid, otherwise it is invalid.
Beneficial effects: the invention provides a subgroup-based identity-based multi-signature method in which the multi-signature is combined with identity-based signatures to simplify entity authentication; choosing a random signing subgroup to generate the multi-signature on behalf of the whole group, and adding verification before aggregation, improve the robustness of the multi-signature, thereby making electronic transactions more efficient and electronic assets more secure.
Description of drawings
Figure 1 is a schematic flow chart of the algorithm of the invention.
Detailed description
The invention is described in further detail below with reference to a specific embodiment, which does not limit the invention.
The subgroup-based identity-based multi-signature method proposed by the invention comprises three phases: key preparation, signature generation and signature verification. This embodiment involves three kinds of entity: the group administrator, the group members and the verifier.
Group administrator: sets the system parameters; generates private keys for the group members; computes the group tag and the group public key; determines, for each multi-signature, the subset of members that will sign; verifies the member signatures once the selected members have signed; and, if all signatures are valid, aggregates them into a multi-signature.
Group members: each member sends its identity ID_i (which serves as its public key) to the group administrator and receives its private key; when the subgroup set is published it checks whether it is a participant and, if so, generates a signature with its private key and sends it to the group administrator.
Verifier: may be any entity inside or outside the group; after computing the aggregated public key apk, the verifier evaluates the relevant bilinear pairings to check the validity of the multi-signature.
A subgroup-based identity-based multi-signature method. Let G1 be an additive cyclic group of prime order q with generator g ∈ G1, and G2 a multiplicative cyclic group of prime order q. Set the security parameter n = |q| and let e: G1 × G1 → G2 be the bilinear map from G1 to G2. Let H1 and H3 be two cryptographic hash functions mapping {0,1}* into G1, and H2 and H4 two hash functions mapping {0,1}* into Z_q^*. The public system parameter set is Params = {q, g, G1, G2, e, H1, H2, H3, H4}. Let the set of group members be U = {u_1, u_2, ..., u_n}, where n ≥ 2 is the number of group members, with corresponding identity list IDG = {ID_1, ID_2, ..., ID_n} maintained by the group administrator. To jointly sign a message m ∈ {0,1}*, the following phases are carried out:
(1) Key preparation phase:
① The administrator chooses x ∈ Z_q^* as the system master private key and computes the corresponding master public key y = g^x.
② Each group member sends its identity ID_i to the administrator; the group administrator computes the hash value pk_i = H1(ID_i), then d_{ID_i} = pk_i^x, generating the members' private keys in turn and sending each member its key.
③ The group administrator computes the group tag gtag = H4(IDG) for the current membership list IDG and publishes the group public key gpk = (gtag, IDG) to the members; the hash algorithm H4 is instantiated with SHA-256.
(2) Signature generation phase:
① To sign a message m ∈ {0,1}* on behalf of the whole group, the group administrator first uses a pseudorandom algorithm to determine the subgroup participating in this signature. This embodiment fixes the size of the subgroup, i.e. the number of member identities ID_i contained in the member subset J; the members taking part in each signature are selected at random, and J is published within the group.
② On receiving the member subset J, each group member checks whether it participates in this signature. Each participating signer first computes the hash value H3(gtag, m), then S_{j,1} = d_{ID_j} · H3(gtag, m)^{r_j} and S_{j,2} = g^{r_j}, where gtag is the group tag, m is the message to be signed, r_j ∈ Z_q^* is a random number chosen by the member, d_{ID_j} is the member's private key and g is the generator of G1. Each member then sends its signature S_j = (S_{j,1}, S_{j,2}) to the group administrator.
③ Before the member signatures are aggregated they must be verified. Aggregation involves no secret parameters and could be performed by any member of the group; in this embodiment the group administrator performs it. The administrator first computes H3(gtag, m), then for each signature S_j computes the three bilinear pairings e(g, S_{j,1}), e(y, pk_j) and e(S_{j,2}, H3(gtag, m)) and checks whether e(g, S_{j,1}) = e(y, pk_j) · e(S_{j,2}, H3(gtag, m)); if so, S_j is valid, otherwise it is invalid. If an invalid signature appears, the aggregation is abandoned and the group administrator re-determines the signing subgroup.
④ If all received signatures are valid, the group administrator aggregates them into a multi-signature: first compute a_j = H2(ID_j, J, IDG), then σ1 = ∏_{j∈J} S_{j,1}^{a_j} and σ2 = ∏_{j∈J} S_{j,2}^{a_j}, giving the final multi-signature σ = (σ1, σ2).
(3) Signature verification phase:
Given the public parameters Params, the membership list IDG and the signing subset J, any entity can verify the correctness of the multi-signature σ. The verifier first computes H3(gtag, m), then a_j = H2(ID_j, J, IDG) for each j ∈ J (n is the number of members in J) and the aggregated public key apk = ∏_{j∈J} pk_j^{a_j}. It then computes the three bilinear pairings e(g, σ1), e(y, apk) and e(σ2, H3(gtag, m)), where σ1 and σ2 are the components of σ and y is the public key of the group administrator, and compares e(g, σ1) with e(y, apk) · e(σ2, H3(gtag, m)); if the two values are equal, the multi-signature σ = (σ1, σ2) is valid, otherwise it is invalid.
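The full procedure of steps 1 to 7 and of the embodiment above (setup, key extraction, subgroup selection, member signing, verify-then-aggregate, public verification) as an added, runnable example; it is not part of the patent. It is a toy algebraic model, not a secure implementation: every G1 element is stored as its discrete logarithm to base g modulo a constructed 127-bit prime q, and the pairing e(g^a, g^b) = e(g, g)^{ab} is represented by the exponent ab mod q, so the page's verification equations become identities in Z_q and the protocol flow can be checked end to end, while anyone holding the exponents could forge. A deployable version would replace `e`, `H1` and `H3` with a pairing library over a suitable curve. The identities, the message, the SHA-256 instantiations of H1 to H4 with domain-separation tags, and the length-prefixed encoding of identity lists are all assumptions of this example.

```python
"""Toy algebraic model of the subgroup identity-based multi-signature (added example).
NOT SECURE: G1 elements are stored as exponents of g mod q, so this only checks the algebra."""
import hashlib
import secrets

Q = (1 << 127) - 1   # constructed group order q (2^127 - 1 is prime)
G = 1                # the generator g, i.e. g^1, as an exponent


def _hash_to_zq_star(tag, *parts):
    """Domain-separated SHA-256 (assumed instantiation), reduced into Z_q^* (never zero)."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def encode_ids(ids):
    """Length-prefixed encoding of an identity list, in the order the administrator publishes it."""
    return b"".join(len(i).to_bytes(4, "big") + i for i in ids)


def H1(identity):           # {0,1}* -> G1: pk_i = H1(ID_i), as an exponent of g
    return _hash_to_zq_star(b"H1", identity)

def H2(identity, J, IDG):   # {0,1}* -> Z_q^*: aggregation coefficient a_j = H2(ID_j, J, IDG)
    return _hash_to_zq_star(b"H2", identity, encode_ids(J), encode_ids(IDG))

def H3(gtag, m):            # {0,1}* -> G1: per-message base H3(gtag, m), as an exponent of g
    return _hash_to_zq_star(b"H3", gtag.to_bytes(16, "big"), m)

def H4(IDG):                # {0,1}* -> Z_q^*: group tag gtag = H4(IDG)
    return _hash_to_zq_star(b"H4", encode_ids(IDG))


def e(a, b):
    """Toy pairing: e(g^a, g^b) = e(g, g)^(ab), represented by the exponent ab mod q."""
    return a * b % Q


class GroupAdmin:
    """The PKG of the page: master key, key extraction, subgroup choice, verify-then-aggregate."""

    def __init__(self, IDG):
        self.IDG = list(IDG)
        self.x = secrets.randbelow(Q - 1) + 1   # master private key x in Z_q^*
        self.y = self.x * G % Q                 # master public key y = g^x
        self.gtag = H4(self.IDG)                # group public key gpk = (gtag, IDG)

    def extract(self, identity):
        """Step 2: d_ID = pk^x with pk = H1(ID)."""
        return H1(identity) * self.x % Q

    def select_subgroup(self, size):
        """Step 4.1: a random member subset J, published to the group."""
        return secrets.SystemRandom().sample(self.IDG, size)

    def verify_member(self, identity, m, sig):
        """Step 5: e(g, S1) == e(y, pk_j) * e(S2, H3(gtag, m)); products in G2 are sums of exponents."""
        s1, s2 = sig
        return e(G, s1) == (e(self.y, H1(identity)) + e(s2, H3(self.gtag, m))) % Q

    def aggregate(self, m, J, sigs):
        """Steps 5 and 6: refuse to aggregate if any member signature is invalid."""
        if not all(self.verify_member(i, m, sigs[i]) for i in J):
            return None   # signing fails; the page re-selects the subgroup
        return combine(J, self.IDG, sigs)


def member_sign(d_id, gtag, m):
    """Step 4: S_j = (d_ID * H3(gtag, m)^r, g^r) for a fresh r in Z_q^*."""
    r = secrets.randbelow(Q - 1) + 1
    return ((d_id + r * H3(gtag, m)) % Q, r * G % Q)


def combine(J, IDG, sigs):
    """Step 6 without the checks: sigma = (prod S1_j^a_j, prod S2_j^a_j)."""
    s1 = s2 = 0
    for i in J:
        a = H2(i, J, IDG)
        s1, s2 = (s1 + a * sigs[i][0]) % Q, (s2 + a * sigs[i][1]) % Q
    return (s1, s2)


def verify_multisig(y, gtag, IDG, J, m, sigma):
    """Step 7, from public data only: e(g, sigma1) == e(y, apk) * e(sigma2, H3(gtag, m))."""
    apk = sum(H2(i, J, IDG) * H1(i) for i in J) % Q   # apk = prod pk_j^a_j
    s1, s2 = sigma
    return e(G, s1) == (e(y, apk) + e(s2, H3(gtag, m))) % Q


def demo(subgroup_size=3):
    """Runs the protocol on constructed identities and a constructed message."""
    IDG = [b"alice@example.org", b"bob@example.org", b"carol@example.org", b"dave@example.org"]
    admin = GroupAdmin(IDG)
    keys = {i: admin.extract(i) for i in IDG}
    m = b"ledger block 1024, tx root 9f3a7c"
    J = admin.select_subgroup(subgroup_size)
    sigs = {i: member_sign(keys[i], admin.gtag, m) for i in J}
    sigma = admin.aggregate(m, J, sigs)
    valid = sigma is not None and verify_multisig(admin.y, admin.gtag, IDG, J, m, sigma)
    # One signer signs a different message: caught in step 5, before aggregation ...
    bad = dict(sigs)
    bad[J[0]] = member_sign(keys[J[0]], admin.gtag, b"a different message")
    rejected = admin.aggregate(m, J, bad) is None
    # ... and had it been aggregated anyway, step 7 would reject the result.
    forged_ok = verify_multisig(admin.y, admin.gtag, IDG, J, m, combine(J, IDG, bad))
    # gtag binds sigma to the member list: the same sigma fails under a changed list.
    other = IDG + [b"mallory@example.org"]
    regrouped_ok = verify_multisig(admin.y, H4(other), other, J, m, sigma)
    return {"valid": valid, "bad_member_rejected": rejected,
            "forged_aggregate_verifies": forged_ok, "other_group_verifies": regrouped_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` exercises the three points the page makes about the flow: a member signature on the wrong message is rejected in step 5 before any aggregation happens, the aggregate that would have been produced from it fails step 7 anyway, and because H3 takes gtag as input the multi-signature does not verify against a different membership list. The exponent model is exact for the algebra because G2 has prime order q, so two pairing values are equal exactly when their exponents agree mod q.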
Security analysis
Theorem 1 (correctness). The subgroup-based identity-based multi-signature method is correct.
Proof: if the multi-signature is computed according to the signing algorithm above, the following two kinds of equation necessarily hold:
1) With the group fixed and group tag gtag, the signature S_j = (S_{j,1}, S_{j,2}) of each participating group member u_j on the message m satisfies the verification equation e(g, S_{j,1}) = e(y, pk_j) · e(S_{j,2}, H3(gtag, m));
2) The multi-signature σ = (σ1, σ2) satisfies the verification equation e(g, σ1) = e(y, apk) · e(σ2, H3(gtag, m)).
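Carrying both verification equations through with the page's own symbols (added here; the source states the equations without the intermediate steps), using only bilinearity e(u^a, v^b) = e(u, v)^{ab} and the definitions pk_j = H1(ID_j), d_{ID_j} = pk_j^x, y = g^x and apk = ∏_{j∈J} pk_j^{a_j}:

$$
\begin{aligned}
e(g, S_{j,1}) &= e\!\left(g,\; d_{ID_j}\cdot H_3(gtag,m)^{r_j}\right)
 = e\!\left(g,\; pk_j^{\,x}\right)\cdot e\!\left(g,\; H_3(gtag,m)^{r_j}\right) \\
 &= e\!\left(g^{x},\; pk_j\right)\cdot e\!\left(g^{r_j},\; H_3(gtag,m)\right)
 = e(y, pk_j)\cdot e\!\left(S_{j,2},\; H_3(gtag,m)\right), \\[6pt]
\sigma_1 &= \prod_{j\in J} S_{j,1}^{\,a_j}
 = \prod_{j\in J} pk_j^{\,x a_j}\cdot H_3(gtag,m)^{\sum_{j\in J} a_j r_j}
 = apk^{\,x}\cdot H_3(gtag,m)^{\sum_{j\in J} a_j r_j}, \\
\sigma_2 &= \prod_{j\in J} \left(g^{r_j}\right)^{a_j} = g^{\sum_{j\in J} a_j r_j}, \\[6pt]
e(g, \sigma_1) &= e\!\left(g^{x},\; apk\right)\cdot e\!\left(g^{\sum_{j\in J} a_j r_j},\; H_3(gtag,m)\right)
 = e(y, apk)\cdot e\!\left(\sigma_2,\; H_3(gtag,m)\right).
\end{aligned}
$$

The second derivation is why the per-member check of step 5 matters: if one S_{j,1} does not carry the factor pk_j^x, the product σ1 no longer equals apk^x · H3(gtag, m)^{Σ a_j r_j}, and the aggregate fails step 7 even though the remaining members signed honestly.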
Theorem 2 (unforgeability). In the random oracle model, if there is an adversary A that forges a multi-signature with non-negligible probability, then an instance of the CDH problem can be solved.
Proof: A is the adversary algorithm, B is an algorithm that runs A as a subroutine, and the challenger poses the CDH problem. H1, H2, H3, H4 are random oracles. The challenger is given (G1, G2, q, g, g^α, g^β), where G1 and G2 are cyclic groups of prime order q and α, β ∈ Z_q^* are unknown to it; its goal is to run B under the generalised forking lemma and solve the CDH instance, i.e. to compute g^{αβ}.
B, which uses A as a subroutine, sets y = g^α as the challenge master public key, so that α plays the role of the system master private key. B fixes a challenge identity ID* and must answer A's signing and hash queries; the public key assigned to ID* in those queries is called the challenge public key pk*. B selects the system parameters Params = {G1, G2, e, q, g, y, H1, H2, H3, H4} and sends them to A. The rules by which B answers A's queries are defined as follows:
① B answers A's H2 queries by consulting a random vector f.
② H1 queries: B keeps an H1 list, initially empty. On a query z, if an entry (z, c, x, h) is already in the list, B returns h; otherwise it picks a random bit x ∈ {0, 1} and a random c ∈ Z_q^*, sets h = g^c if x = 0 and h = g^{βc} if x = 1, returns h, and adds (z, c, x, h) to the list after each answer.
③ Extract queries: when A asks for the private key of an identity, B first calls the H1 oracle and reads the entry (z, c, x, h) from the H1 list. If x = 0, i.e. h = g^c, B returns d_ID = y^c as the private key (y^c = h^α, as the scheme requires); if x = 1, i.e. h = g^{βc}, B returns ⊥.
④ H2 queries: B keeps an H2 list, initially empty. On the i-th query z, if z is already in the list B returns the stored value c; otherwise the answer depends on z. If z = (ID, J, IDG) with ID* ∈ J, then for ID = ID* B answers H2(ID, J, IDG) = c_i, taken from the random vector f, and for the other members ID_j it answers H2(ID_j, J, IDG) = d_j with d_j ∈ Z_q^* chosen at random; in every other case B answers with a random element of Z_q^*. The list is updated after each answer.
⑤ H3 queries: B keeps an H3 list, initially empty. On a query z, if z is already in the list B returns the stored h; otherwise it picks a random λ ∈ Z_q^*, answers H = g^λ, and adds (z, λ, H) to the list after each answer.
⑥ H4 queries: B keeps an H4 list, initially empty. On a query z, if z is already in the list B returns the stored h; otherwise it answers with a random element of Z_q^* and updates the list after each answer.
⑦ Sign(·, sk*, pk*, ·) queries: when A asks for the signature on z, B first calls the H3 oracle and looks up (z, λ, h) in the H3 list; if the lookup succeeds, B returns the corresponding stored value. Otherwise the answer depends on z: if z = (ID, gtag, m) with ID* ∈ J and ID = ID*, B returns ⊥; otherwise B reads the public key h of ID from the H1 list, picks a random δ ∈ Z_q^*, returns U = y^δ, V = y^β, i.e. S = (U, V), as the signature, sets H = (g^β - h)^{-δ} as the value of H3 on z, and adds (z, λ, H) to the H3 list.
Finally, the forger A returns a signer set J = {ID_1, ID_2, ..., ID_n} of n group members, the membership set IDG with its corresponding public key set {pk_1, ..., pk_n}, a forged signature σ* together with the corresponding message m* and the group public key gpk = (gtag*, IDG). The forger A may not have queried the signature on (m*, gtag*) directly, yet the forged signature (J, σ*) must verify as valid.
B aborts if the entry for the challenge identity ID* in the H1 list has x = 0. Since x is chosen at random, B does not abort with probability 1/2. Let k be the index of pk* in the public key list, i.e. pk* = pk_k, and let j_f be the index in f of the response H2(ID*, J, IDG), so that a_k = f_{j_f}, where a_j = H2(ID_j, J, IDG). B's output is therefore ({j_f}, {(σ*, IDG, J, apk, {a_j}_{j∈J})}), and B produces this output with probability ε/2.
挑战者运行算法/>来求解CDH问题,根据根据广义分叉引理算法设置,运行的输出结果为({jf},{out},{out′})。前后两次运行/>使用的随机向量f与f′虽不同,但仍满足/>输出结果中out=(σ,IDG,J,apk,{aj}j∈J)而out′=(σ′,IDG′,J′,apk′,{a′j}j∈J′)。具体地,σ=(σ1,σ2)而σ′=(σ1′,σ2′)。challenger run the algorithm /> To solve the CDH problem, according to the generalized bifurcation lemma algorithm settings, run The output of is ({j f }, {out}, {out′}). Run /> twice before and after The random vectors f and f′ used are different, but still satisfy the /> In the output result, out=(σ, ID G , J, apk, {a j } j∈J ) and out′=(σ′, ID G ′, J′, apk′, {a′ j } j∈J′ ). Specifically, σ=(σ 1 , σ 2 ) and σ′=(σ 1 ′, σ 2 ′).
前后两次运行的分叉设置为/>与/>即ak≠a′k。而签名者群组是固定的,即IDG=IDG′且J=J′。因此除ak外其他j∈J均满足aj=a′j,根据/>可得 run twice before and after The fork is set to /> with /> That is, a k ≠ a′ k . And the group of signers is fixed, that is, ID G =ID G ' and J=J'. Therefore, other j∈J except a k satisfies a j = a′ j , according to /> Available
算法输出的签名σ与σ′均为合法签名,因此有以下验证等式成立:algorithm The output signatures σ and σ′ are legal signatures, so the following verification equations hold:
e(g,σ1)=e(y,apk)·e(σ2,H3(gtag,m))e(g, σ 1 ) = e(y, apk) · e(σ 2 , H 3 (gtag, m))
e(g,σ1′)=e(y,apk′)·e(σ2′,H3(gtag,m))e(g, σ 1 ′)=e(y, apk′) e(σ 2 ′, H 3 (gtag, m))
By the properties of the symmetric bilinear map, we have: [formula omitted]
that is: [formula omitted]
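The quotient step that the two omitted formulas stand for, written out here as an added illustration rather than text from the patent. It uses only the two verification equations above, the bilinearity of e, and the stated facts ID_G = ID_G′, J = J′ and a_j = a′_j for j ≠ k; the last two lines additionally assume apk = ∏_{j∈J} pk_j^{a_j}, which this excerpt does not state.

```latex
% Divide the first verification equation by the second (same gtag and m in both runs):
\frac{e(g,\sigma_1)}{e(g,\sigma_1')}
  = \frac{e(y,\mathrm{apk})}{e(y,\mathrm{apk}')}
    \cdot \frac{e(\sigma_2, H_3(\mathrm{gtag},m))}{e(\sigma_2', H_3(\mathrm{gtag},m))}

% Bilinearity: e(a,b)\,e(a,c)^{-1} = e(a, b c^{-1}) and e(b,a)\,e(c,a)^{-1} = e(b c^{-1}, a)
e\!\left(g,\ \sigma_1 \sigma_1'^{-1}\right)
  = e\!\left(y,\ \mathrm{apk}\,\mathrm{apk}'^{-1}\right)
    \cdot e\!\left(\sigma_2 \sigma_2'^{-1},\ H_3(\mathrm{gtag},m)\right)

% Assumption (not in this excerpt): apk = \prod_{j\in J} pk_j^{a_j}. With J = J',
% a_j = a_j' for j \ne k and pk_k = pk^\star, only the forked index survives:
\mathrm{apk}\,\mathrm{apk}'^{-1}
  = \prod_{j\in J} \mathrm{pk}_j^{\,a_j - a_j'}
  = (\mathrm{pk}^\star)^{\,a_k - a_k'},
\qquad a_k - a_k' \ne 0

% so the right-hand side isolates a power of e(y, pk^\star), the pairing of the two
% CDH inputs, with an exponent the challenger knows and can invert modulo the group order:
e\!\left(g,\ \sigma_1 \sigma_1'^{-1}\right)
  = e(y,\mathrm{pk}^\star)^{\,a_k - a_k'}
    \cdot e\!\left(\sigma_2 \sigma_2'^{-1},\ H_3(\mathrm{gtag},m)\right)
```

Carrying this through to the CDH solution itself needs the form of σ_2 and of H_3(gtag, m) given in the omitted formulas, so the worked derivation stops at this point.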
Finally, the challenger can thereby compute a solution to the CDH problem, namely: [formula omitted]
Since the CDH problem is hard in polynomial time, this contradicts the derivation above; hence the forger assumed in the proof does not exist, and the subgroup-based identity-based multi-signature method is unforgeable.
The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111261478.6A CN113972987B (en) | 2021-10-28 | 2021-10-28 | A method of identity-based multi-signature based on subgroup |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111261478.6A CN113972987B (en) | 2021-10-28 | 2021-10-28 | A method of identity-based multi-signature based on subgroup |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113972987A CN113972987A (en) | 2022-01-25 |
CN113972987B true CN113972987B (en) | 2023-07-18 |
Family
ID=79588736
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111261478.6A Active CN113972987B (en) | 2021-10-28 | 2021-10-28 | A method of identity-based multi-signature based on subgroup |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113972987B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003090429A1 (en) * | 2002-04-15 | 2003-10-30 | Docomo Communications Laboratories Usa, Inc. | Signature schemes using bilinear mappings |
CN101800641A (en) * | 2009-12-29 | 2010-08-11 | 河南城建学院 | Group signature method suitable for large groups |
CN109600233A (en) * | 2019-01-15 | 2019-04-09 | 西安电子科技大学 | Group ranking mark based on SM2 Digital Signature Algorithm signs and issues method |
2021
- 2021-10-28 CN CN202111261478.6A patent/CN113972987B/en active Active
Non-Patent Citations (1)
Title |
---|
Certificateless broadcast multisignature scheme based on MPKC; YU H, et al.; IEEE; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN113972987A (en) | 2022-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Baldimtsi et al. | Anonymous credentials light | |
Boneh et al. | Group signatures with verifier-local revocation | |
Escala et al. | Revocable attribute-based signatures with adaptive security in the standard model | |
Xiao et al. | Secure and efficient multi-signature schemes for fabric: An enterprise blockchain platform | |
Huang et al. | Short designated verifier signature scheme and its identity-based variant | |
Canard et al. | Protecting privacy by sanitizing personal data: a new approach to anonymous credentials | |
KR20100018043A (en) | Group signature system, device, and program | |
CN109413078B (en) | An Anonymous Authentication Method Based on Group Signature in Standard Model | |
Wang et al. | The fairness of perfect concurrent signatures | |
Yuen et al. | Threshold ring signature without random oracles | |
He et al. | An efficient certificateless designated verifier signature scheme. | |
Ki et al. | Constructing Strong Identity‐Based Designated Verifier Signatures with Self‐Unverifiability | |
CN109104410A (en) | A kind of matching process and device of information | |
Longo et al. | On the security of the blockchain BIX protocol and certificates | |
Tian et al. | Non-delegatable strong designated verifier signature on elliptic curves | |
Li et al. | A forward-secure certificate-based signature scheme | |
Tian et al. | A systematic method to design strong designated verifier signature without random oracles | |
Wang et al. | A novel blockchain identity authentication scheme implemented in fog computing | |
CN113972987B (en) | A method of identity-based multi-signature based on subgroup | |
Li et al. | Proxy ring signature: formal definitions, efficient construction and new variant | |
Asaar et al. | An identity-based multi-proxy multi-signature scheme without bilinear pairings and its variants | |
Yang et al. | A strong designated verifier signature scheme with secure disavowability | |
Gong et al. | Constructing strong designated verifier signatures from key encapsulation mechanisms | |
Wang et al. | Designated confirmer signatures with unified verification | |
Vangujar et al. | Group identity-based identification: Definitions, construction and implementation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||