CN114866255B - Multi-factor authentication method for multi-IDP aggregation with user as center - Google Patents
- Publication number: CN114866255B (CN202210468887.1A)
- Authority: CN (China)
- Prior art keywords: user, authentication, identity, credentials, idp
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/3221—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs; interactive zero-knowledge proofs
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
A user-centric multi-factor authentication method for multi-IDP aggregation, which addresses the problems of user identity privacy and the lack of multi-IDP scalability. The steps are: the data registration center generates the public parameters and the signing key and verification key of each identity provider (IDP); each IDP issues identity credentials for the user's different authentication factors, and the credentials are stored in the data registration center; the user obtains credentials from the data registration center according to the authorization policy of the service provider (SP); the user aggregates multiple credentials into one credential; the SP verifies the authentication factors in the credential using zero-knowledge proofs and bilinear maps. The invention provides user unlinkability and untraceability, reduces the computational overhead of authentication in multi-IDP scenarios, and can be widely applied in identity authentication systems that require a high security level.
Description
Technical field
The invention belongs to the field of information security and, more specifically, relates to a user-centric multi-factor authentication method for aggregation across multiple identity providers (IDPs) in the field of identity authentication. The invention relies on a remote server to authenticate the person to be verified (the end user). It can be widely applied to identity authentication in multi-IDP scenarios and handles the relationship between the end user's identity and the authentication factors.
Background
Multi-factor authentication uses cryptographic techniques to combine two or more different authentication factors to authenticate an identity. Authentication factors fall into three categories: secrets a person can memorize (passwords); things a person holds, such as devices, smart cards, and long keys; and characteristics of the person (face, fingerprint, behavior). Authentication succeeds only when all of the authentication factors are obtained at the same time, so multi-factor authentication strengthens identity authentication. However, as the number of digital platforms keeps growing and the threats facing end users become more complex, existing multi-factor authentication methods show shortcomings. On the one hand, they do not consider identity privacy: a malicious attacker can track a user, or link activity to the same user, based on the end user's identifier. On the other hand, they ignore multi-IDP scalability: the end user can present to the service provider (SP) only one IDP-issued identity credential at a time, so credentials issued by multiple IDPs require multiple verifications, which increases the computational overhead of authentication.
In its patent document "A Threshold-Based Dynamic Multi-Factor Identity Authentication Method and Communication Method" (patent application No. CN202111158752.7, application publication No. CN113904833A), Peking University discloses a threshold-based multi-factor authentication method. The method uses a threshold oblivious pseudo-random function, TOPRF (Threshold Oblivious Pseudo Random Function), and an authenticated key exchange protocol, AKE (Authenticated Key-Exchange), to construct a threshold multi-factor authentication method, TMFA (Threshold Multi-factor Authentication). It allows the user to authenticate with a password, multiple optional devices, and biometrics, and lets the user choose, as needed, several of the available authentication factors. A modified TOPRF protocol strengthens the password into a random key, and that random key is then used to run the AKE protocol for authentication. The key for the device factor is stored locally, and for the biometric factor a fuzzy extraction technique turns the user's biometric features into a key, so that the biometric factor does not leak if the server's stored files leak. Although this method improves the security of multi-factor authentication and gives the user flexibility in which factors to use, it still has shortcomings. First, because the method limits the types of authentication factors, that is, the user authenticates by freely choosing t out of the password, biometrics, and multiple devices (n in total), a malicious attacker who obtains t of the n factors can impersonate the user. Second, the user may authenticate to different SPs with the same credential, so that multiple SPs can link the same user and thereby leak other private information about the user. Finally, the SP must verify the identity credentials issued by multiple IDPs separately, which greatly increases the computational overhead.
Laborde R. et al., in their paper "A User-Centric Identity Management Framework based on the W3C Verifiable Credentials and the FIDO Universal Authentication Framework" (2020 IEEE 17th Annual Consumer Communications & Networking Conference (CCNC), IEEE, 2020: 1-8), propose a user-centric identity authentication method for multiple IDPs. The method divides the IDP into multiple attribute authorities (AAs); for example, a university acts as the AA that asserts a diploma or student status, and a company or city hall acts as the AA that asserts a name and address. The steps are as follows. First, the user requests a service from the SP, and the SP returns an authorization policy containing the AAs and the corresponding attributes. The user then queries the AAs; each AA verifies the user's identity and signs the user's attributes to produce attribute-based credentials (ABCs). After receiving all the credentials, the user forwards them to the SP. The SP uses the AA public keys to verify the authenticity of the credentials in the set it receives. If verification succeeds, the user is authenticated and the SP provides the service; otherwise, the SP refuses service. The SP can select the attributes required in the authorization policy at a fine granularity, which makes the method more flexible. However, the method still has shortcomings. First, it requires the SP and the AAs to be online at the same time, because once the SP presents the authorization policy the user must immediately query the AAs to obtain the ABCs. Second, ABCs issued by different AAs must be verified separately, which increases the SP's computational overhead for credential verification. Third, the method supports only multi-attribute authentication. Common attributes include gender, language, address, and age, and authenticating users by attributes makes it hard to guarantee accuracy, because users with the same attributes may not be the same person.
Summary of the invention
The purpose of the invention is to address the above shortcomings of the prior art by providing a user-centric multi-factor authentication method for multi-IDP aggregation. It solves the leakage of other private user information caused by multiple SPs linking the same user, and the problem that an IDP can track which SPs a user visits when the SP delegates authentication to the IDP, thereby achieving untraceability and unlinkability.
The idea behind the invention is as follows. Following the verifiable credentials data model proposed by the W3C, the invention defines four participating entities: the data registration center, the user, the IDP, and the SP. It adopts a user-centric authentication architecture: the user interacts with the IDP to obtain credentials, with the SP to have credentials verified, and with the data registration center to store and retrieve credentials, while the three entities other than the user cannot interact with one another. The user-centric architecture ensures that the IDP takes no part in credential verification and cannot track which SPs the user visits, which solves the problem that an IDP can track the SPs a user visits when the SP delegates authentication to the IDP. For multiple IDPs, the invention uses zero-knowledge proofs to verify the user's password, biometrics, and other authentication factors without revealing those factors to the IDP during authentication, and uses a tag-based signature scheme to issue the user identity credentials based on the authentication factors. The user retrieves credentials from the data registration center, randomizes them, and authenticates using zero-knowledge proofs, so that different SPs are shown different credentials and multiple SPs cannot link the credentials to the same user; this solves the leakage of other private user information caused by multiple SPs linking the same user. The user aggregates multiple credentials and presents them to the SP as a single credential. The SP verifies the authenticity and integrity of the credential, providing the service if verification succeeds and refusing it otherwise. This achieves multi-IDP scalability and improves authentication efficiency.
The invention is implemented in the following steps:
Step 1: The data registration center generates the public parameters and the signing key and verification key of each identity provider:
Step 1.1: The data registration center generates and publishes seven public parameters $q, p, G_1, G_2, g, G_T,$ and generates a user identifier for each user and transmits it to that user. Here $p$ and $q$ are primes 160 bits long that satisfy $q \mid (p-1)$, where $\mid$ denotes divisibility; $G_1$ and $G_2$ are cyclic groups of order $q$; $g$ and /> denote the generators of $G_1$ and $G_2$ respectively; and there is a bilinear map $G_1 \times G_2 \to G_T$ between the cyclic groups $G_1, G_2, G_T$, so that all elements of $G_T$ can be generated from the elements of $G_1$ and $G_2$;
Step 1.2: Using a random number generator, the data registration center generates random numbers $(t_j, u_j, v_j, r_{j,i}, s_{j,i}) \in [1, q-1]$ between the integers 1 and $q-1$ as the signing key of each identity provider; according to the public key infrastructure standard, the data registration center computes the verification key corresponding to the signing key: where $j$ is the index of the identity provider and $i$ is the index of the user's authentication factor;
Step 2: Each identity provider issues identity credentials for each user's different authentication factors:
Step 2.1: The user uses the Map-to-point function to compute the group element $h = H_G(ID) \in G_2$; the user uses a random number generator to generate a random number between the integers 1 and $q-1$ as the user's temporary secret; the user uses the group element $h$ and the temporary secret /> to construct the tag /> and sends it to each identity provider with a request to issue a credential for the user. Here $ID$ denotes the user's identifier, and every user's identifier is different;
Step 2.2: The user carries out with each identity provider a zero-knowledge proof of the user's authentication factors $(x_{j,1}, x_{j,2}, \ldots, x_{j,n})$, where $x_{j,1}$ is the first authentication factor the user proves to the $j$-th identity provider and $n$ is the total number of authentication factors the user proves to the $j$-th identity provider;
Step 2.3: Each identity provider uses the tag-based signature scheme to sign the user's authentication factors $(x_{j,1}, x_{j,2}, \ldots, x_{j,n})$, obtaining the following multi-factor credential based on the tag $\tau$, which it sends to the user:
where $\sigma_j$ denotes the credential issued by the $j$-th identity provider;
Step 2.4: The user stores each identity provider's credential in the data registration center;
Step 3: Each user obtains credentials from the data registration center according to the authorization policy:
The user requests authentication from the service provider. The service provider sends an authorization policy that lists the authentication factors it requires to authenticate the user, and the user obtains the credentials corresponding to those factors from the data registration center according to the policy;
Step 4: Each user builds an aggregate credential:
The user computes $\sigma = \prod \sigma_j$ to obtain the user's aggregate credential. The user randomizes the tag $\tau$ and the aggregate credential $\sigma$ and sends the randomized tag $\tau'$ and the randomized aggregate credential $\sigma'$ to the service provider, where $\prod$ denotes the product;
Step 5: After receiving the randomized aggregate credential $\sigma'$, the service provider uses each identity provider's verification key $vk_{j,i}$ to carry out with each user a zero-knowledge proof of the authentication factors $(x_{j,1}, x_{j,2}, \ldots, x_{j,n})$, and verifies the authentication factors in the credential by means of the bilinear map. If verification succeeds, go to step 6; otherwise, go to step 7;
Step 6: The user's identity verification succeeds, and the service provider provides the service to the user;
Step 7: The user's identity verification fails; the service provider sends a verification failure to the user and refuses to provide the service.
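Steps 2.2 and 5 both rest on a zero-knowledge proof of the user's authentication factors, but the proof equations are not reproduced on this page. The following added example is not the patent's construction: it substitutes a standard Schnorr proof of knowledge with a Fiat-Shamir challenge, extended to cover several factors in one proof, in a subgroup of prime order q with q | (p-1). The size of p, the pre-registered public values, the `context` session string, and all function names are assumptions of this example.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(q_bits=160, p_bits=512):
    """Primes p, q with q | (p - 1) and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    k_bits = p_bits - q_bits  # demo size; p_bits is an assumption of this example
    while True:
        k = (secrets.randbits(k_bits) | (1 << (k_bits - 1))) & ~1  # even k, odd p
        p = k * q + 1
        if is_probable_prime(p):
            break
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def factor_to_scalar(factor, q):
    """x = H(factor) mod q, with SHA-1 as H as the page specifies."""
    return int.from_bytes(hashlib.sha1(factor).digest(), "big") % q

def enroll(params, factors):
    """y_i = g^x_i, assumed to be registered with the verifier in advance."""
    p, q, g = params
    return [pow(g, factor_to_scalar(f, q), p) for f in factors]

def challenge(params, publics, commits, context):
    """Fiat-Shamir challenge over the whole transcript plus the session context."""
    h = hashlib.sha256()
    for v in (*params, *publics, *commits):
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    h.update(len(context).to_bytes(4, "big") + context)
    return int.from_bytes(h.digest(), "big") % params[1]

def prove(params, factors, context):
    """One proof covering every factor: commitments t_i and responses s_i."""
    p, q, g = params
    xs = [factor_to_scalar(f, q) for f in factors]
    ks = [secrets.randbelow(q - 1) + 1 for _ in xs]  # fresh nonce per factor
    commits = [pow(g, k, p) for k in ks]
    c = challenge(params, [pow(g, x, p) for x in xs], commits, context)
    return commits, [(k + c * x) % q for k, x in zip(ks, xs)]

def verify(params, publics, proof, context):
    """Accept only if g^s_i == t_i * y_i^c holds for every registered factor."""
    p, q, g = params
    commits, responses = proof
    if not (len(publics) == len(commits) == len(responses)) or any(
            not 0 <= s < q for s in responses):
        return False
    for v in (*publics, *commits):  # reject values outside the order-q subgroup
        if not 1 < v < p or pow(v, q, p) != 1:
            return False
    c = challenge(params, publics, commits, context)
    return all(pow(g, s, p) == t * pow(y, c, p) % p
               for y, t, s in zip(publics, commits, responses))

def demo():
    params = gen_group()
    factors = [b"constructed-password", b"constructed-device-key"]  # sample inputs
    publics = enroll(params, factors)
    ctx = b"sp.example|nonce-1"  # hypothetical verifier name and session nonce
    proof = prove(params, factors, ctx)
    guess = prove(params, [b"wrong-password", factors[1]], ctx)
    return {
        "valid": verify(params, publics, proof, ctx),
        "replayed": verify(params, publics, proof, b"sp.example|nonce-2"),
        "wrong_factor": verify(params, publics, guess, ctx),
        "fresh": prove(params, factors, ctx)[0] != proof[0],
    }

if __name__ == "__main__":
    print(demo())
```

In this simplified form the registered value y = g^H(password) is deterministic, so whoever stores it can test password guesses offline. A low-entropy factor should be salted and stretched, or blinded, before it is used as an exponent.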
Compared with the prior art, the invention has the following advantages:
First, because the invention uses a user-centric architecture, the IDP does not need to take part in the authentication between the user and the SP. This overcomes the prior-art problem that, when the SP delegates authentication to the IDP, the IDP can track which SPs the user visits. The invention thus protects the user's identity privacy at the IDP and provides untraceability.
Second, because the invention uses zero-knowledge proofs to verify the user's identity credentials, it overcomes the prior-art problem that the user sends credentials directly to the SP for authentication, which lets multiple SPs link the credentials to the same user and thereby leak other private information about the user. The invention thus protects the user's identity privacy at the SP and provides unlinkability.
Third, because the invention uses a tag-based signature scheme to aggregate credentials from multiple IDPs and presents them to the SP as a single credential to be authenticated together, it overcomes the prior-art problem that credentials issued by multiple IDPs must be verified multiple times, which increases the computational overhead. The invention thus greatly improves authentication efficiency.
Description of the drawings
Figure 1 is a flow chart of the implementation of the method of the invention;
Figure 2 is a schematic diagram of the structure of an identity authentication system to which the invention applies.
Detailed description
The invention is described further below with reference to the drawings.
The implementation steps of the invention are described further with reference to Figure 1 and the embodiment.
In the embodiment, one mobile phone user to be authenticated is authenticated in a setting with two identity providers and three authentication factors.
Step 1: The data registration center generates the public parameters and the signing key and verification key of each identity provider.
Step 1.1: Using the bilinear mapping rules and the tag-based signature algorithm standard, the data registration center publishes the 7 public parameters it has generated, $q, p, G_1, G_2, g, G_T$, and transmits to each mobile phone user the identifier it has generated for that user. Each mobile phone user uses this identifier to generate a tag, which can be regarded as an alias of the mobile phone user. Here $p$ and $q$ are both primes 160 bits long that satisfy $q \mid (p-1)$, where "$\mid$" denotes divisibility. $G_1$ and $G_2$ are cyclic groups of order $q$, and $g$ and /> denote the generators of $G_1$ and $G_2$ respectively. There is a bilinear map $G_1 \times G_2 \to G_T$ between the cyclic groups $G_1, G_2, G_T$, and all elements of $G_T$ are generated from the elements of $G_1$ and $G_2$.
The tag-based signature algorithm standard is a signature algorithm proposed by Hébant C. et al. in their paper "Traceable Constant-Size Multi-Authority Credentials" (Cryptology ePrint Archive, Report 2020/657, https://eprint.iacr.org/2020/657, 2020).
Step 1.2: Using a random number generator, the data registration center generates 7 random numbers between the integers 1 and $q-1$ and, following the tag-based signature algorithm standard, uses them as the signing key of the first identity provider, $sk_1 = (t_1, u_1, v_1, r_{1,1}, s_{1,1}, r_{1,2}, s_{1,2}) \in [1, q-1]$. According to the public key infrastructure standard, the data registration center generates the verification key corresponding to the signing key.
Step 1.3: Using a random number generator, the data registration center generates 5 random numbers between the integers 1 and $q-1$ and, following the tag-based signature algorithm standard, uses them as the signing key of the second identity provider, $sk_2 = (t_2, u_2, v_2, r_{2,1}, s_{2,1}) \in [1, q-1]$. According to the public key infrastructure standard, the data registration center generates the verification key corresponding to the signing key.
Step 2: Each identity provider issues identity credentials for the user's different authentication factors, and the credentials are stored in the data registration center.
In the embodiment of the present invention, the first identity provider issues the mobile phone user an identity credential based on a password and a device key, and the second identity provider issues the mobile phone user an identity credential based on biometrics.
Step 2.1: The mobile phone user uses the map-to-point function H_G(·) to compute the group element h = H_G(ID) ∈ G_2 of the cyclic group G_2, where ID is the user's identity identifier. The user produces a random number with a random number generator as a temporary secret, computes the identity tag according to the tag-based signature algorithm standard, and sends the tag to each of the two identity providers with a request to issue credentials. On receiving the tag, an identity provider checks whether the registration list in its database already contains the user's tag. If it does, the user has already registered and the provider refuses to issue credentials again; otherwise, step 2.2 is performed.
Step 2.2: The two identity providers each use a zero-knowledge proof to verify the user's authentication factors. Taking the first identity provider as an example, the procedure for verifying the user's password pwd_U and device key sk_U is as follows.
Sub-step 1: The mobile phone user computes the two zero-knowledge proof messages and sends them to the first identity provider, where x_{1,1} = H(pwd_U) is the hash of the user's password, x_{1,2} = H(sk_U) is the hash of the user's key, H(·) is the SHA-1 hash function, d_1, d_2 ∈ [1, q-1] are random numbers produced by the random number generator, and mod(·) is the modulo operation.
Sub-step 2: On receiving the message, the first identity provider uses a random number generator to produce a random number c ∈ [1, q-1] and sends it to the user.
Sub-step 3: Following the zero-knowledge proof standard, the mobile phone user computes the zero-knowledge proof messages m_1 = d_1 + x_{1,1}·c mod q and m_2 = d_2 + x_{1,2}·c mod q and sends them to the first identity provider.
Sub-step 4: On receiving m_1 and m_2, the first identity provider checks whether the two zero-knowledge proof verification equations hold simultaneously. If they do, the provider concludes that the user possesses the password pwd_U and the device key sk_U and proceeds to step 2.3; otherwise, it refuses to issue a credential to the user.
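The four-move exchange of step 2.2 for both factors, as an added example that is not the patent's own code. The commitment and verification equations are not legible on this page, so the code assumes the standard Schnorr-style forms A_i = g^{d_i} mod p and g^{m_i} = A_i · Y_i^c mod p with Y_i = g^{x_i} held by the provider; the toy group parameters and all class and function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters with q | (p - 1); g = 4 has order q modulo p.
# The page calls for 160-bit primes; small values keep the arithmetic readable.
P, Q, G = 2039, 1019, 4


def factor_hash(secret: bytes) -> int:
    """x = H(secret) with H = SHA-1 as on the page, mapped into [1, q-1]."""
    return int.from_bytes(hashlib.sha1(secret).digest(), "big") % (Q - 1) + 1


class Prover:
    """Phone user holding the password pwd_U and the device key sk_U."""
    def __init__(self, pwd: bytes, device_key: bytes):
        self.x = [factor_hash(pwd), factor_hash(device_key)]  # x_{1,1}, x_{1,2}
        self._d = None

    def public_values(self):
        # Assumption: the provider holds Y_i = g^{x_i} mod p for each factor.
        return [pow(G, x, P) for x in self.x]

    def commit(self):
        # First move: fresh d_1, d_2 in [1, q-1]; assumed commitment A_i = g^{d_i}.
        self._d = [secrets.randbelow(Q - 1) + 1 for _ in self.x]
        return [pow(G, d, P) for d in self._d]

    def respond(self, c: int):
        # Third move: m_i = d_i + x_i * c mod q. d_i is dropped so it is never reused.
        if self._d is None:
            raise RuntimeError("commit() must precede respond()")
        m = [(d + x * c) % Q for d, x in zip(self._d, self.x)]
        self._d = None
        return m


class IdentityProvider:
    def __init__(self, enrolled_public_values):
        self.Y = enrolled_public_values
        self._pending = None

    def challenge(self, commitments):
        # Second move: accept only order-q group elements, then draw c in [1, q-1].
        ok = all(1 < a < P and pow(a, Q, P) == 1 for a in commitments)
        if len(commitments) != len(self.Y) or not ok:
            raise ValueError("malformed commitment")
        self._pending = (list(commitments), secrets.randbelow(Q - 1) + 1)
        return self._pending[1]

    def verify(self, responses) -> bool:
        # Fourth move: every factor must satisfy g^{m_i} == A_i * Y_i^c (mod p).
        if self._pending is None or len(responses) != len(self.Y):
            return False
        (A, c), self._pending = self._pending, None  # one challenge, one attempt
        return all(
            0 <= m < Q and pow(G, m, P) == a * pow(y, c, P) % P
            for m, a, y in zip(responses, A, self.Y)
        )


def issuance_check(prover: Prover, idp: IdentityProvider) -> bool:
    """Runs the four moves; True means the provider may go on to step 2.3."""
    return idp.verify(prover.respond(idp.challenge(prover.commit())))
```

Both equations share the single challenge c, so one failed factor rejects the whole request, and the provider discards the challenge after one verification attempt.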
Step 2.3: The two identity providers each use the tag-based signature to construct a different credential for the user.
The first identity provider generates for the mobile phone user a credential tied to the user's password pwd_U and device key sk_U and transmits it to the user, where (t_1, u_1, v_1, r_{1,1}, s_{1,1}, r_{1,2}, s_{1,2}) is the signing key of the first identity provider.
The second identity provider generates for the mobile phone user a credential tied to the biometric W_U and transmits it to the user, where (t_2, u_2, v_2, r_{2,1}, s_{2,1}) is the signing key of the second identity provider, x_{2,1} = H(R_U) is the hash of the user's biometric, and the biometric key R_U is computed with the fuzzy extractor's generation algorithm Gen(W_U) → (R_U, P_U).
Step 2.4: The mobile phone user stores the credentials σ_1 and σ_2 obtained in step 2.3 in the data registration center.
Step 3: The mobile phone user requests authentication from the service provider SP, and the SP sends its authorization policy, which specifies the authentication factors the SP requires for authentication. Using the user's tag, the mobile phone user retrieves from the data registration center the credentials σ_1 and σ_2 that correspond to the authentication factors in the authorization policy.
Step 4: The mobile phone user aggregates the credentials σ_1 and σ_2 into a single credential.
The mobile phone user uses a random number generator to produce a random number ρ ∈ [1, q-1] and randomizes the tag τ to obtain the randomized tag τ′; randomizing means raising an element to the power of a random number. The user then produces a random number b ∈ [1, q-1] and aggregates the credentials σ_1 and σ_2 into σ′ = (h^b · σ_1 · σ_2)^ρ mod p. The user sends the randomized tag τ′ and the aggregated credential σ′ to the service provider SP.
Step 5: On receiving the randomized tag τ′ and the aggregated credential σ′, the service provider SP uses zero-knowledge proof and bilinear mapping techniques to verify the authentication factors in the credential.
Step 5.1: The mobile phone user uses a random number generator to produce random numbers (z_0, z_1, z_2, z_3) ∈ [1, q-1], uses the verification keys of the two identity providers to construct auxiliary commitments for the password, device key and biometric, and sends them to the service provider SP.
Step 5.2: The service provider SP uses a random number generator to produce a random number k ∈ [1, q-1] and sends it to the mobile phone user.
Step 5.3: The mobile phone user computes the zero-knowledge proof messages w_0 = z_0 + b·k mod q, w_1 = z_1 + x_{1,1}·k mod q, w_2 = z_2 + x_{1,2}·k mod q and w_3 = z_3 + x_{2,1}·k mod q and sends them to the service provider SP, where x_{1,1} = H(pwd_U) is the hash of the user's password, x_{1,2} = H(sk_U) is the hash of the user's key, x_{2,1} = H(R_U) is the hash of the user's biometric, R_U is the user's biometric key obtained by computing Rep(P_U, W_U) with the fuzzy extractor, and Rep(·) is the fuzzy extractor's reconstruction algorithm.
Step 5.4: On receiving the zero-knowledge proof messages, the service provider SP checks whether the verification equation holds. If it does, step 6 is performed; otherwise, step 7 is performed. Here e(·) denotes the bilinear map.
Step 6: The mobile phone user is authenticated successfully, and the service provider SP provides the service to the user.
Step 7: Authentication of the mobile phone user fails; the service provider SP sends a verification-failure message to the user and refuses to provide the service.
The system architecture of the present invention is further described with reference to Figure 2.
The present invention adopts an authentication architecture centered on the mobile phone user. The functions of the participating entities are as follows.
The mobile phone user sits at the center of the authentication architecture and is responsible for interacting with the identity providers (IDPs) to obtain identity credentials, with the data registration center to store and retrieve credentials, and with the service provider SP to authenticate and obtain services.
The data registration center is responsible for generating parameters and storing credentials.
The identity provider IDP is responsible for verifying the mobile phone user's information and issuing identity credentials to the user.
The service provider SP is responsible for verifying the mobile phone user's identity credentials and providing the corresponding services.
The overall operating flow of the present invention is as follows.
The data registration center initializes the system. Multiple identity providers each use the tag-based signature to issue the mobile phone user credentials for different authentication factors. The tag-based signature is used because it allows credentials issued to the same user by different IDPs to be aggregated according to the tag. After receiving the credentials, the user stores them in the data registration center.
The mobile phone user requests a service from the service provider SP, and the SP supplies its authorization policy. The user then accesses the data registration center and retrieves the credentials that the policy requires. To prevent multiple SPs from linking their records to the same mobile phone user, the user randomizes the credentials, so that different SPs are shown different credentials. In addition, to reduce computational overhead, the user aggregates the randomized credentials and uses a zero-knowledge proof to prove identity to the SP. When the SP's verification succeeds, it provides the service to the user.
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210468887.1A CN114866255B (en) | 2022-04-28 | 2022-04-28 | Multi-factor authentication method for multi-IDP aggregation with user as center |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114866255A CN114866255A (en) | 2022-08-05 |
CN114866255B true CN114866255B (en) | 2023-09-08 |
Family
ID=82635406
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210468887.1A Active CN114866255B (en) | 2022-04-28 | 2022-04-28 | Multi-factor authentication method for multi-IDP aggregation with user as center |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114866255B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN114866255A (en) | 2022-08-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||