CN110851859B - Authentication method of distributed authority node block chain system with (n, t) threshold - Google Patents

Info

Publication number: CN110851859B
Application number: CN201911004459.8A
Authority: CN (China)
Prior art keywords: user, key, authentication, transaction, proxy
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN110851859A (en)
Inventors: 周俊, 沈华杰
Current assignee: East China Normal University
Original assignee: East China Normal University
Events: application filed by East China Normal University; priority to CN201911004459.8A; publication of CN110851859A; application granted; publication of CN110851859B; legal status active; anticipated expiration

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6227 Protection concerning the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/2107 File encryption (indexing scheme relating to G06F21/00 and subgroups)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed authority node blockchain system with an (n, t) threshold and its authentication method. The system consists of n authority nodes in a CA threshold architecture, each authority node acting as a certification authority (CA). Authentication comprises: system initialization, secret sharing, blockchain node initialization, proxy key request, proxy key recovery, wallet generation, wallet authentication, authentication verification, transaction signature and transaction verification. Compared with the prior art the method is simple, feasible and efficient: because each user authenticates their own public key, public key replacement attacks are avoided; because users periodically update their addresses, transactions receive effective privacy protection and an adversary cannot obtain a user's private data by analysing past transactions in the public ledger. The method is particularly suited to consortium (alliance) chains and meets the requirements of both efficiency and privacy.

Description

Authentication method of distributed authority node block chain system with (n, t) threshold
Technical Field
The invention relates to the technical field of information security, in particular to an authentication method of a distributed authority node blockchain system with (n, t) threshold.
Background
In recent years blockchain technology has progressed rapidly and attracted wide attention from industry and academia. A blockchain is, in itself, simply a cryptographically verifiable list of data; it differs from a database in the traditional sense in that it cryptographically guarantees the integrity of the data stored in it, i.e. the stored data cannot be tampered with unnoticed. Beyond integrity, blockchains are favoured for their distributed and public nature: all data is kept in a public, distributed ledger, which is why they serve as the technical carrier for various electronic currencies. The same distributed-ledger design, however, exposes the blockchain to the risk of privacy disclosure.
In Bitcoin, proposed in 2009, every user holds one or more blockchain addresses that serve as pseudonyms in the network, giving cryptographic anonymity. Since anyone can store the complete ledger, however, studies have shown that the identity of the holder of a given address can be determined by analysing that address's transaction records, so the pseudonymity of the blockchain does not give users good privacy protection. Existing blockchain structures are also vulnerable to 51% attacks: once a node, or a colluding set of nodes, controls 51% of the network's computing power, it can control the entire network. Blockchains can also fork, i.e. the lists of data stored by different nodes differ at some point in time, after which all subsequent data differs. The absence of authentication in existing blockchain architectures further makes them vulnerable to address replacement attacks; existing remedies either use inefficient authentication mechanisms or add a single online certificate authority (CA) to authenticate all network nodes, which requires the CA to be online in real time and to interact frequently with the nodes to issue public key certificates, leading to a significant computation and communication load. Moreover, in a blockchain system whose trust is distributed, a single CA is usually considered insufficiently trustworthy, which is why enterprises building their own blockchain services often adopt a consortium chain.
A consortium chain (alliance chain) is one type of blockchain. Unlike the widely used public chain, a consortium chain has one or more administrators: new nodes must be authenticated by the administrators before joining the network, blocks are generated by the administrators, and if a malicious operation causes a loss, the administrators can stop the loss in time. Blockchain services built by enterprises today, including distributed transaction systems, therefore usually adopt a consortium chain architecture. However, the consortium chain structure does not solve the pain point of blockchain privacy protection, and, as an enterprise-oriented blockchain, it provides no effective means of accountability and cannot identify malicious users who damage the system.
In summary, blockchains in the prior art carry a risk of privacy disclosure, which severely restricts large-scale application of blockchain systems.
Disclosure of Invention
The invention aims to provide an authentication method for a distributed authority node blockchain system with an (n, t) threshold, designed to overcome the defects of the prior art. It adopts a multi-authority distributed CA structure in which the CAs issue a proxy key to each user, so that the CA trust model is distributed and the power of any single CA is dispersed; the user authenticates their own public key, which avoids public key replacement attacks; and the user periodically updates their address, which provides effective privacy protection for transactions. The method is particularly suited to consortium chains: an adversary cannot obtain a user's private data by analysing past transaction data in the public ledger, so the requirements of efficiency and privacy are both met.
The purpose of the invention is achieved as follows. The blockchain system consists of n authority nodes in a certificate authority (CA) threshold architecture, each authority node acting as a certification center; each certification center consists of an account pool and a block pool connected to a transaction controller.
In the authentication method of the (n, t)-threshold distributed authority node blockchain system, the CAs issue a proxy key to the user, and the user uses the proxy key to authenticate their own public keys, which protects privacy through periodically updated addresses. The authentication process comprises the following steps:
(one) System initialization
The system generates a master public key from a given security parameter.
(two) Secret sharing
The system generates a secret sharing polynomial and distributes the resulting partial private keys to the distributed CAs.
(three) Blockchain node initialization
A blockchain node is created in the network and a long-term public-private key pair is generated for it; the public key serves as the node's identity credential and is stored at the CAs.
(four) Proxy key request
The user requests a proxy key from the CAs; each CA computes a partial proxy key and sends it to the user.
(five) Proxy key recovery
Once the user has received partial proxy keys from at least the threshold number of CAs, the complete proxy key is computed by secret recovery.
(six) Wallet generation
The user generates a periodically updated short-term public-private key pair; the short-term public key serves as the wallet address.
(seven) Wallet authentication
The user authenticates the wallet address with the proxy authentication key.
(eight) Authentication verification
Anyone can verify the authentication of the wallet address using the master public key and the user's public key.
(nine) Transaction signature
The user digitally signs the transaction with the short-term key pair.
(ten) Transaction verification
Anyone can verify the transaction using the sender's short-term public key; if verification passes, the transaction is genuine and is stored in the blockchain by the CAs.
The system initialization of step (one) specifically comprises:
a) Input $1^\lambda$, where $\lambda$ is the security parameter;
b) The system selects two safe primes $p_0, q_0$ of length $\lambda$ satisfying formula (I):
$q_0 = 2q'_0 + 1,\quad p_0 = 2p'_0 + 1$ (where $p'_0, q'_0$ are prime) (I)
It then computes $n_0 = p_0 \cdot q_0$ and $m_0 = p'_0 \cdot q'_0$, and selects $e_0, d_0$ such that $e_0 \cdot d_0 \equiv 1 \pmod{\phi(n_0)}$, where $\phi(n_0) = 4p'_0 q'_0 = 4m_0$. Then n trusted nodes are selected as the distributed CAs (an (n, t) threshold with $n > t$), the common CA master public key is set to $pk_{CA} = (n_0, e_0)$, and a hash function $h(\cdot)$ is published.
The secret sharing of step (two) specifically comprises:
a) The system splits $d_0$ into n partial private keys $d_i$ ($i = 1, 2, \dots, n$) by choosing a polynomial of degree $t-1$ according to formula (II):
$f(x) = a_{t-1}x^{t-1} + \dots + a_2 x^2 + a_1 x + d_0 \pmod{m_0}$ (where the coefficients $a_i$, $i = 1, 2, \dots, t-1$, are chosen at random) (II)
For each $CA_j$ ($j \in \{1, 2, \dots, n\}$) it computes $d_j = f(j)$ and sends it to the corresponding $CA_j$. After this step the system destroys $p_0, q_0$ and $d_0$.
b) Define the operator $\Delta = n!$. Let S be any subset of t CAs; for any $i \in \{0, \dots, n\} \setminus S$ and $j \in S$, define the following formula (III):
Lagrange interpolation then gives the following formula (IV):
the initialization process of the blockchain node in the step (III) specifically comprises the following steps:
a) When a new user u joins the network, a zone is createdThe identity of the block link points and nodes is then entered 1 λ Wherein λ is a security parameter;
b) Selecting two large prime numbers p u ,q u Length k, and calculating n according to formula (I) u =p u ·q u And selecting e u ,d u Satisfy e u d u =1(modφ(n u ) And let pk u =(n u ,e u ),sk u =(d u )。
The proxy key request process in the step (four) specifically comprises the following steps:
a) The user computes the request body x by the disclosed hash function h (·) as follows:
x=h(n u ,e u )(V)
and sends request information (u, pk) to all CA' s u X), wherein: u represents the true identity of the user; pk (pk) u Is the public key of the user, namely the identity of the blockchain node;
b) When CA j After receiving the request sent by the user u, the prior certificate u is a legal user, namely the user who purchases the block chain service, if the request is legal, the CA j Couple the identity information pairs (u, pk u ) Deposit into the account pool and calculate a partial proxy key as follows (VI):
and v is set u,j And sent to user u.
The proxy key recovery process in the step (five) specifically comprises the following steps:
a) When user u receives not less than t partial proxy keys, it is noted that) Thereafter, the intermediate variable w is calculated as follows (VII):
wherein: w is an intermediate variable generated in the calculation process, and the right side of the equation is Lagrange interpolation performed exponentially;
b) Obtaining intermediate variables according to formulae (IV) and (VII)
Wherein: e, e 0 And 4 delta 2 Mutually prime, can find a pair (a, b) to make 4Δ 2 ·a+e 0 b=-1。
c) The proxy key v of the user is calculated as follows (IX) u
v u =w a x b (IX)
d) The user verifies v as follows (X) u Correctness of (v) u Whether or not it is x -d0
If COR≡1 (mod m 0 ) The proxy key is correct; otherwise the proxy key is wrong, the user submits an error message to the CA, the former user u now being represented by the parties a, b of the transaction in order to indicate the parties to the transaction.
The wallet generation of step (six) specifically comprises:
a) Input $1^\lambda$, where $\lambda$ is the security parameter;
b) Select two large primes $p_{b,i}, q_{b,i}$ of length k, compute $n_{b,i} = p_{b,i} \cdot q_{b,i}$, select $e_{b,i}, d_{b,i}$ satisfying $e_{b,i} d_{b,i} \equiv 1 \pmod{\phi(n_{b,i})}$, and let $pk_{b,i} = (n_{b,i}, e_{b,i})$, $sk_{b,i} = d_{b,i}$. The wallet address is $pk_{b,i}$, where i denotes the i-th update, b is a party to the transaction, and u stands for any user.
The wallet authentication of step (seven) specifically comprises:
a) When user b wants to receive a transfer from someone else, b first authenticates their own address $pk_{b,i}$: input $1^\lambda, v_b, pk_{b,i}, pk_{CA}, sk_b, pk_b$, select $t_i \in [1, n_0]$ at random, and compute the intermediate variables $r_i, k_i$ according to the following formula (XI):
then compute the intermediate variables $g_i, y_i$ according to the following formula (XII):
b) The certificate of user b's address $pk_{b,i}$ is $Cert_{b,i} = (y_i, g_i)$.
The authentication verification of step (eight) specifically comprises:
a) Input $1^\lambda$, $pk_b = (n_b, e_b)$, $pk_{b,i} = (n_{b,i}, e_{b,i})$, $Cert_{b,i} = (y_i, g_i)$, $pk_{CA} = (n_0, e_0)$, and compute the intermediate variables $k'_i$ and $r'_i$ according to the following formula (XIII):
b) User a checks, according to formula (XIV), whether $h(r'_i, n_{b,i}, e_{b,i}) = k'_i$; if so, the verification succeeds, otherwise the address may have been replaced.
Correctness follows since
$h(r'_i, n_{b,i}, e_{b,i}) = h(r_i, n_{b,i}, e_{b,i}) = k_i = k'_i$.
the transaction signature of the step (nine) is that a transaction generator a signs a T, and the process specifically comprises the following steps:
a) Input 1 λ ,T,sk a,i′ ,pk a,i′ Wherein i 'is the i' th updated address of user a, selecting a random number r i′R {0,1} λ Calculated according to the following formula (XV):
wherein: sigma (sigma) a,T,i′ Is a signature for the transaction; the symbol of the connection is represented by the symbol.
The transaction verification process of the step (ten) specifically comprises the following steps:
a) Input 1 λa,T,i′ ,pk a,i′ T is calculated according to the following formula (XVI) after verifying the validity of the public key according to the method of the step (eight):
will y i′ Change into w i′ ||s i′
And checking whether the following formula (XVII) is true:
if yes, the verification is passed, otherwise, the verification is not passed.
Compared with the prior art, the invention has the following advantages:
1) The distributed CA structure distributes the CA trust model and disperses the power of any single CA, preventing single-point compromise; adding the CAs, which fits the decentralized trust structure of the blockchain, effectively prevents address substitution attacks.
2) With the proxy CA structure the CAs issue a proxy key to the user, and the user need not carry out a costly interaction with the CAs at every authentication, which gives high efficiency.
3) The user periodically updates their address, so an adversary cannot obtain the user's private data by analysing past transaction data in the public ledger.
Drawings
FIG. 1 is a schematic diagram of a network architecture according to the present invention;
FIG. 2 is a schematic diagram of the authentication center CA structure;
FIG. 3 is a schematic illustration of an embodiment;
FIG. 4 is a schematic diagram of the flow structure of the present invention.
Detailed Description
1. Mathematical background used by the invention:
1. Hash function
A hash function maps a variable-length message to a fixed-length hash value or message digest. Many hash algorithms exist; commonly used ones have included MD2, MD4, MD5 and the Secure Hash Algorithm SHA-1, although all four are now considered broken for collision resistance and current deployments use SHA-2 or SHA-3 instead. For a hash function whose input and output are both bit strings (strings of 0s and 1s), the length of a bit string x is written $|x|$ and the concatenation of x and y is written $x \| y$. Let $\mathrm{compress}: \{0,1\}^{m+t} \to \{0,1\}^m$ be a compression function (with $t \geq 1$). An iterated hash function h is built from the compression function; evaluating h consists of the following three steps.
1) Preprocessing: given an input bit string x with $|x| \geq m + t + 1$, construct with a public algorithm a string y such that $|y| \equiv 0 \pmod t$. Write $y = y_1 \| y_2 \| \dots \| y_r$, where $|y_i| = t$ for $1 \leq i \leq r$.
2) Processing: let IV be a public initial value bit string of length m, then compute:
3) Output transformation: let $g: \{0,1\}^m \to \{0,1\}^l$ be a public function. Define $h(x) = g(z_r)$.
2. Proxy signature algorithm
A signer can issue a proxy key to another user, and the holder of the proxy key can then sign messages on the signer's behalf.
The algorithm is as follows:
1) Proxy generation: for an original signer $p_0$ and a proxy signer $p_i$, where $p_0$ has public key $(n_0, e_0)$ and private key $d_0$, and $p_i$ has identity $ID_i$ and public key $(n_i, e_i)$, $p_0$ computes
and sends $u_i, m_w, w_i$ to $p_i$.
2) Proxy key recovery: after receiving $u_i, m_w, w_i$ from $p_0$, $p_i$ computes
to obtain the proxy key $v_i$.
3) Proxy signing: $p_i$ signs a message m with the proxy key:
select $t \in [1, n_0]$ at random and compute
$k = h(m, r)$,
The signature is (y, u).
4) Signature verification: the recipient of the message verifies the signature (y, u):
compute
and check whether $h(m, r') = k'$ holds; if it does, the signature is correct, otherwise it is not.
3. Shamir secret sharing
The Shamir (k, n) secret sharing algorithm divides a secret S into n sub-secrets such that any k of them recover S while any k-1 of them cannot.
Secret sharing:
Given the secret S, take random numbers $a_1, \dots, a_{k-1}$, let $a_0 = S$, and construct the polynomial
$f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1} \pmod p$.
Take n distinct values $x_i$, substitute each into f(x), and compute $y_i = f(x_i)$.
Secret recovery:
Take k of the shares, say $(x_1, y_1), \dots, (x_k, y_k)$, substitute them and compute
The invention is further illustrated by the following specific example, which involves the following entities: the sender, the evaluator and the receiver; only the legitimate receiver is allowed to hold the decryption key that decrypts the final computation result.
Example 1
Referring to FIG. 1, the invention consists of n authority nodes 1 in a CA threshold architecture, each authority node 1 taking on the role of a certification authority (CA) 2. In the offline stage, a user can recover the correct overall authentication key, used to prove their legitimate identity to other users in a transaction, if and only if no fewer than a threshold t of the certification authorities (CA) 2 have issued partial authentication keys to that user. In the online stage, when users periodically update their identity information and authenticate the updated identity information of other users in a transaction, they no longer need to interact with the distributed CAs: self-authentication is achieved with the overall authentication key recovered in the offline stage. The system structure therefore greatly reduces the local computation and communication overhead of resource-constrained user terminals. The invention distributes the trust model of the CA, weakens the centralized power of a single CA to a certain extent, and effectively prevents damage to the blockchain system from the single-point failure of a malicious CA. On the other hand, the CA architecture with an (n, t) threshold makes identity authentication in the blockchain system more flexible: the threshold t can be set according to the security and availability requirements of different network application environments. Finally, the CAs communicate with each other and are responsible for verifying the transactions generated between users and appending them to the blockchain, so the blockchain structure keeps the data stored by each CA synchronized and consistent.
Referring to FIG. 2, each authority node 1 acts as a certification authority (CA) 2; the certification center (CA) 2 consists of an account pool 22 and a block pool 23 connected by a transaction controller 21.
Referring to FIGS. 3 and 4, the invention performs CA authentication according to the following steps:
step one: system initialization
a) Input 1 λ Where λ is a security parameter, taking λ=512;
b) Two 512-bit large prime numbers p 'are selected' 0 ,q′ 0 Obtained according to formula (I):
q 0 =2q′ 0 +1,p 0 =2pσ 0 +1 (where pσ) 0 ,qσ 0 Prime number) (I)
0 =5026859471096751702323315488735803026273392216914140462221122
0931497296784397,
q′ 0 =4467994841909530876604874041204195129049061440810849001908811
4962317615599097,
Calculating to obtain p 0 ,q 0 ,n 0 =p 0 ·q 0
p 0 =1005371894219350340464663097747160605254678443382828092444224
41862994593568793;
q 0 =8935989683819061753209748082408390258098122881621698003817622
9924635231198193;
n 0 =8983992875145743647661873350841381211058391128689554052088016
297842503447278245065186363664333852060585694749885884592135277741138062217981517429362791049;
Selecting an integer e 0 =65537 and φ (n 0 )=4p′ 0 q′ 0 Mutually of prime nature, and e 0 Less than phi (n) 0 ) Calculate d 0 :d 0 ·e 0 ≡1mod(φ(n 0 ) Obtained)
d 0 =2011278262113590045294947980584169936503787397044923280776284
772295729291521791132129403529602305823351353400022384315959037981553462846552517747513952257. Wherein the CA master public key is pk CA =(n 0 ,e 0 )。
Step two: secret sharing
a) Following the secret sharing principle, the system splits $d_0$ into n partial private keys $d_i$ ($i = 1, 2, \dots, n$) and sends them to the n CAs respectively, i.e. it chooses a polynomial of degree $t-1$ according to formula (II):
$f(x) = a_{t-1}x^{t-1} + \dots + a_2 x^2 + a_1 x + d_0 \pmod{m_0}$ (where the coefficients $a_i$, $i = 1, 2, \dots, t-1$, are chosen at random) (II)
For each $CA_j$ ($j \in \{1, 2, \dots, n\}$) it computes $d_j = f(j)$ and sends it to the corresponding $CA_j$. After this step the system destroys $p_0, q_0$ and $d_0$.
In this embodiment n = 5 and t = 3.
a_1 = 111868139482427763033413840861771967448222506008169586182543367613992623427261;
a_2 = 102086987004631591958852232552663001368244520618222043795905559992876750911991;
a_3 = 105509764525196833675959783501653247049903558926667050080341953994783283325233;
d_1 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616744;
d_2 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616748;
d_3 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616754;
d_4 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616762;
d_5 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616772.
Step three: blockchain node initialization
When a new user u joins the network, a blockchain node and node identifier are created, then input $1^\lambda$, where $\lambda$ is the security parameter; select two large primes $p_u, q_u$ (256-bit, giving a 512-bit $n_u$) and compute $n_u = p_u \cdot q_u$:
p_u = 107513213546145434094281653760010721386161376807556788679865009269593320778641;
q_u = 85675306540315648719985764870589875790222216636312015563689223613158559234427;
n_u = 9211227527700426909686344949684638812321364175754381371541878004489191550387403678276985477281435782877772667199637422197936885437097898642226948493473707.
Select an integer $e_u = 65537$ coprime to $\phi(n_u)$ with $e_u < \phi(n_u)$, and compute $d_u$ from $d_u \cdot e_u \equiv 1 \pmod{\phi(n_u)}$, obtaining:
d_u = 2138468755572607770127984778208520065451112439295404314631577182939454803227816464007373217136305085031521835655529619945486690694857543833074018515858273.
Step four: proxy key request
a) The user computes the request body $x = h(n_u, e_u)$ with the public hash function $h(\cdot)$ according to formula (V) and sends the request $(u, pk_u, x)$ to all CAs, where u is the real identity of the user and $pk_u$ is the user's public key, i.e. the identity of the blockchain node:
$x = h(n_u, e_u)$ (V)
b) When $CA_j$ receives the request from user u, it first verifies that u is a legitimate user (one who has purchased the blockchain service); if the request is legitimate, $CA_j$ stores the identity pair $(u, pk_u)$ in its account pool and computes a partial proxy key according to the following formula (VI):
x = 34229368949702775535486670805532819702848175206385354385109072861246234918113; the partial proxy keys are:
v_{u,1} = 3107469568583609963475316455660761907894586520469242784851303302863973716341398100450859581631473552009496028392525614455537847629804351902619471099787719;
v_{u,2} = 7378956642283130015345915176666686296879882553491725057438440396483980166043824002214585285955576064806260196113442992172472468459032008898016752529795660;
v_{u,3} = 7993973355650955971847414824955879926848013041200208794981100843483890345654836062947158139193051412888129387005082379785829843651622676136967963095940626;
v_{u,4} = 1722189523685505799358534378118748075042360092913600086775883115194913909026068409530825457737667638306771151013515936407379793411551124861042234097874372;
v_{u,5} = 4760892878212853721560055987642899891117359743694296032393849734192706915229803040386710204088250926222712721754045995749274504234455139205338757314947857.
step five: proxy key recovery
a) When user u receives not less than t partial proxy keys, it is noted that) Thereafter, the intermediate variable w is calculated as follows (VII):
wherein: w is an intermediate variable generated in the calculation process, and the right side of the equation is Lagrange interpolation performed exponentially;
b) Obtaining the intermediate variable w according to formulas (IV) and (VII) e0
Wherein: e, e 0 And 4 delta 2 Mutually prime, can find a pair (a, b) to make 4Δ 2 ·a+e 0 b=-1。
c) The proxy key v of the user is calculated as follows (IX) u
v u =w a x b (IX)
w=5448008741470273527977346493550158516483005928174925115284777271631864527647082812910862791029619609799108446763605980771538008101839030156466013891149424;
v u =4712691729553089439760273523066311877826260038654936923475248
469170827356264825506588103938269937795419054495282278965753252223481661059251418397543505956, validated v u Correct.
Step six: wallet generation
a) Input $1^\lambda$, where $\lambda$ is the security parameter.
b) Select two large primes $p_{b,i}, q_{b,i}$ of length k, compute $n_{b,i} = p_{b,i} \cdot q_{b,i}$, select $e_{b,i}, d_{b,i}$ satisfying $e_{b,i} d_{b,i} \equiv 1 \pmod{\phi(n_{b,i})}$, and let $pk_{b,i} = (n_{b,i}, e_{b,i})$, $sk_{b,i} = d_{b,i}$. The wallet address is $pk_{b,i}$; it must be updated periodically, i denoting the i-th update.
p_{u,i} = 98905411631433183413607147068875624006656974845456685657046402584491734670889;
q_{u,i} = 72730738245982562336422357343086698203136123108136595248092083835528635746699;
n_{u,i} = 7193463604476926009399532971323950624796983213047047825374519338568991305069456418851897305894761957075235280530591039927240640250914473574454193533145411;
Select an integer $e_{u,i} = 65537$ coprime to $\phi(n_{u,i})$ with $e_{u,i} < \phi(n_{u,i})$, and compute $d_{u,i}$ from $d_{u,i} \cdot e_{u,i} \equiv 1 \pmod{\phi(n_{u,i})}$, obtaining:
d_{u,i} = 1327020995439614804669733946065681417425202970012951587786714967168150890005457268762186558309070512906163753561184205474252413108128429150164535354645153.
Step seven: wallet authentication
a) To prevent public key substitution attacks, when user b wants to receive transfers from others, he first authenticates his own address $pk_{b,i}$: input $1^\lambda, v_b, pk_{b,i}, pk_{CA}, sk_b, pk_b$, select a random value from the domain, and compute the intermediate variables $r_i, k_i$ by the following formula (XI):
The intermediate variables $g_i, y_i$ are computed by the following formula (XII):
b) The certificate of user b's address $pk_{b,i}$ is $Cert_{b,i} = (y_i, g_i)$. The computed values are:
$t_i$ = 7377853991639920693270177433470989967622853179914631740065118262053887494171504971974136976716318998049342263434334398368679265954803208521949393069401389;
$r_i$ = 4759149528279737629950452887827267383269268578610334060880301554450520527466535928451176835643134046571724019687794737582238898486740541395197958109081923;
$k_i$ = 7446901942716709609768648643136422722018005928006405900707411968380378957325286282605952037847256899073567374466120759659856975991673319706321648352959654;
$g_i$ = 5934957782677915040975265171998683088387466645141307370265579950722329541925402847404340171714876862891762517377267961507350534965043720751011686487922359;
$y_i$ = 6197268909245805163825572692399037393703611513936488943462969002309231062428589897781755667621765071117108786072486216616715533972207340281136913228866397.
Step eight: authentication verification
a) Input $1^\lambda$, $pk_b = (n_b, e_b)$, $pk_{b,i} = (n_{b,i}, e_{b,i})$, $Cert_{b,i} = (y_i, g_i)$, $pk_{CA} = (n_0, e_0)$; the intermediate variables $k_i'$ and $r_i'$ are computed by the following formula (XIII):
b) User a checks by the following formula (XIV) whether $h(r_i', n_{b,i}, e_{b,i}) = k_i'$; if it holds, verification succeeds, otherwise the address may have been substituted;
Thus $h(r_i', n_{b,i}, e_{b,i}) = h(r_i, n_{b,i}, e_{b,i}) = k_i = k_i'$, and we obtain:
$k_i'$ = 7446901942716709609768648643136422722018005928006405900707411968380378957325286282605952037847256899073567374466120759659856975991673319706321648352959654;
$r_i'$ = 4759149528279737629950452887827267383269268578610334060880301554450520527466535928451176835643134046571724019687794737582238898486740541395197958109081923, which matches $r_i$ and $k_i$ above, so the authentication of the address verifies as correct.
Step nine: transaction signature
a) Input $1^\lambda, T, sk_{a,i'}, pk_{a,i'}$, where i' denotes the i'-th updated address of user a; select a random number $r_{i'} \leftarrow_R \{0,1\}^\lambda$ and compute according to the following formula (XV):
where $\sigma_{a,T,i'}$ is the signature on the transaction and $\|$ denotes concatenation;
The computation gives:
$w_{i'}$ = 6425941316133608642685579521757295578843469467367884586893312671232178055740243311716175315457731090228336036213248675490550041374780874470257701551528412;
$s_{i'}$ = 6490784888263208080165114053520225731283508898090761381028190908941488180861682415671131714212257050358086803822236295472455713951151181728653424625726065;
$y_{i'}$ = 8763027865230433902287723246783700781708830928452529142506754469719380895006891602696361364369441141142861812013529386417964928664794239558824637148205589;
$\sigma_{a,T,i'}$ = 4712691729553089439760273523066311877826260038654936923475248469170827356264825506588103938269937795419054495282278965753252223481661059251418397543505956.
Step ten: transaction verification
a) Input $1^\lambda, \sigma_{a,T,i'}, pk_{a,i'}, T$; after verifying the validity of the public key by the method of step eight, compute according to the following formula (XVI):
which gives:
$y_{i'}$ = 8763027865230433902287723246783700781708830928452529142506754469719380895006891602696361364369441141142861812013529386417964928664794239558824637148205589.
Split $y_{i'}$ into $w_{i'} \| s_{i'}$, giving:
$w_{i'}$ = 6425941316133608642685579521757295578843469467367884586893312671232178055740243311716175315457731090228336036213248675490550041374780874470257701551528412;
$s_{i'}$ = 6490784888263208080165114053520225731283508898090761381028190908941488180861682415671131714212257050358086803822236295472455713951151181728653424625726065.
Then check whether the following formula (XVII) holds:
which gives:
$g(w_{i'})$ = 6490784888263208080165114053520225731283508898090761381028190908941488180861682415671131714212257050358086803822236295472455713951151181728653424625726065, equal to $s_{i'}$, so the signature verifies as correct.
The invention is further described with reference to the following claims, which are not intended to limit its scope. The present invention is not limited to the above embodiments; variations and advantages that can be conceived by those skilled in the art without departing from the spirit and scope of the inventive concept are included in the present invention, and the scope of protection is defined by the appended claims.

Claims (1)

1. An authentication method for a distributed authority node blockchain system with an (n, t) threshold, characterized in that the blockchain system consists of n authority nodes in a certificate authority (CA) threshold architecture, each authority node acting as an authentication center; the authentication center consists of an account pool and a block pool connected to a transaction controller; the CA issues a proxy key to the user, the user authenticates its public key by means of the proxy key, and the periodically updated address is privacy-protected; the authentication process comprises the following steps:
(I) system initialization
the system generates a master public key from the given security parameter;
(II) secret sharing
the system generates a secret-sharing polynomial and distributes the resulting partial private keys to the distributed CAs;
(III) blockchain node initialization
a blockchain node is created in the network together with a long-term public/private key pair for it, the public key serving as the credential of the node's identity stored at the CA;
(IV) proxy key request
the user requests the proxy key from the CAs; each CA computes a partial proxy key and sends it to the user;
(V) proxy key recovery
after the user has received partial proxy keys from a threshold number of CAs, the complete proxy key is computed by secret recovery;
(VI) wallet generation
the user generates a periodically updated short-term public/private key pair, the short-term public key serving as the wallet address;
(VII) wallet authentication
the user authenticates the wallet address with the proxy key;
(VIII) authentication verification
anyone can verify the authentication of the wallet address using the master public key and the user's public key;
(IX) transaction signature
the user digitally signs the transaction with the short-term key pair;
(X) transaction verification
anyone can verify the transaction with the sender's short-term public key; passing verification means the transaction is established, and the transaction can then be stored in the blockchain by the CA;
The system initialization process of step (I) specifically comprises:
a) Input $1^\lambda$, where λ is a security parameter;
b) The system selects two safe primes $p_0, q_0$ of length λ satisfying the following formula (I):
$q_0 = 2q_0' + 1,\; p_0 = 2p_0' + 1$, where $p_0', q_0'$ are prime (I)
Then compute $n_0 = p_0 \cdot q_0$ and $m_0 = p_0' \cdot q_0'$, and select $e_0, d_0$ such that $e_0 \cdot d_0 \equiv 1 \pmod{\varphi(m_0)}$. Next, n trusted nodes are selected as distributed CAs forming an (n, t) threshold with n > t, the common CA master public key $pk_{CA} = (n_0, e_0)$ is set, and a hash function h(·) is published;
The secret sharing process of step (II) specifically comprises:
a) The system splits the private key $d_0$ into n shares $d_i$ (i = 1, 2, …, n) and sends them to the n CAs respectively, i.e. a polynomial of degree t-1 is chosen according to the following formula (II):
$f(x) = a_{t-1}x^{t-1} + \dots + a_2 x^2 + a_1 x + d_0 \pmod{m_0}$ (II)
For each $CA_j$, $j \in \{1, 2, \dots, n\}$, $d_j = f(j)$ is computed and sent to the corresponding $CA_j$. After this step is completed, the system destroys $p_0, q_0$ and $d_0$;
b) Define the operator Δ = n!. Any subset of t CAs is denoted S; for any $i \in \{0, \dots, n\} \setminus S$ and $j \in S$, define the following formula (III):
Lagrange interpolation then yields the following formula (IV):
The blockchain node initialization process of step (III) specifically comprises:
a) When a new user u joins the network, a blockchain node and its node identifier are created, and $1^\lambda$ is input, where λ is a security parameter;
b) Select two large primes $p_u, q_u$ of length λ, compute $n_u = p_u \cdot q_u$, select $e_u, d_u$ satisfying $e_u d_u \equiv 1 \pmod{\varphi(n_u)}$, and let $pk_u = (n_u, e_u)$, $sk_u = (d_u)$;
The proxy key request process in the step (four) specifically comprises the following steps:
a) The user computes the request body x by the disclosed hash function h (·) as follows:
x=h(n u ,e u ) (V)
and sends request information (u, pk) to all CA' s u X), wherein: u represents the true identity of the user; pk (pk) u Is the public key of the user, namely the identity of the blockchain node;
b) When CA i After receiving the request sent by the user u, the prior certificate u is a legal user, namely the user who purchases the block chain service, if the request is legal, the CA j Couple the identity information pairs (u, pk u ) Deposit into the account pool and calculate a partial proxy key as follows (VI):
and v is set u,j Sending to user u;
The proxy key recovery process of step (V) specifically comprises:
a) When user u has received no fewer than t partial proxy keys, the intermediate variable w is computed from them by the following formula (VII):
where w is an intermediate variable of the computation and the right-hand side of the equation is Lagrange interpolation carried out in the exponent;
b) From formulas (IV) and (VII), the intermediate variable $w^{e_0}$ is obtained:
where $e_0$ and $4\Delta^2$ are coprime, so a pair (a, b) can be found such that $4\Delta^2 \cdot a + e_0 \cdot b = -1$;
c) The proxy key $v_u$ of the user is computed by the following formula (IX):
$v_u = w^a x^b$ (IX)
d) The user verifies the correctness of $v_u$ by the following formula (X):
If $COR \equiv 1 \pmod{m_0}$, the proxy key is correct; otherwise the proxy key is wrong and the user submits an error report to the CA. To distinguish the two parties of a transaction, the user u above is hereafter denoted by the two transacting parties a and b;
The wallet generation process of step (VI) specifically comprises:
a) Input $1^\lambda$, where λ is a security parameter;
b) Select two large primes $p_{b,i}, q_{b,i}$ of length λ, compute $n_{b,i} = p_{b,i} \cdot q_{b,i}$, and select $e_{b,i}, d_{b,i}$ satisfying $e_{b,i} d_{b,i} \equiv 1 \pmod{\varphi(n_{b,i})}$; let $pk_{b,i} = (n_{b,i}, e_{b,i})$, $sk_{b,i} = (d_{b,i})$, and let the wallet address be $pk_{b,i}$, where i denotes the i-th update, b is a transacting party, and u denotes any user;
The wallet authentication process of step (VII) specifically comprises:
a) When user b wants to receive transfers from others, he first authenticates his address $pk_{b,i}$: input $1^\lambda, v_b, pk_{b,i}, pk_{CA}, sk_b, pk_b$, select a random value from the domain, and compute the intermediate variables $r_i, k_i$ by the following formula (XI):
The intermediate variables $g_i, y_i$ are computed by the following formula (XII):
b) The certificate of user b's address $pk_{b,i}$ is $Cert_{b,i} = (y_i, g_i)$;
The authentication and verification process in the step (eight) specifically comprises the following steps:
a) Input 1 λ ,pk b =(n b ,e b ),pk b,i =(n b,i ,e b,i ),Cert b,i =(y i ,g i ),pk CA =(n 0 ,e 0 ) Pressing downThe intermediate variable k 'is calculated by the following formula (XIII)' i And r' i
b) User a checks h (r 'by the following (XIV)' i ,n b,i ,e b,i )=k′ i If so, verifying correctly, otherwise, possibly replacing the address;
thus, the first and second substrates are bonded together,
h(r′ i ,n b,i ,e b,i )=h(r i ,n b,i ,e b,i )=k i =k′ i
The transaction signature of step (IX) is the signing of a transaction T by its generator a, and the process specifically comprises:
a) Input $1^\lambda, T, sk_{a,i'}, pk_{a,i'}$, where i' denotes the i'-th updated address of user a; select a random number $r_{i'} \leftarrow_R \{0,1\}^\lambda$ and compute according to the following formula (XV):
where $\sigma_{a,T,i'}$ is the signature on the transaction and $\|$ denotes concatenation;
The transaction verification process of step (X) specifically comprises:
a) Input $1^\lambda, \sigma_{a,T,i'}, pk_{a,i'}, T$; after verifying the validity of the public key by the method of step (VIII), compute according to the following formula (XVI):
Split $y_{i'}$ into $w_{i'} \| s_{i'}$,
and check whether the following formula (XVII) holds:
if so, verification passes; otherwise it fails.
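The threshold-CA key issuance of steps (I) to (V) above, carried through in Python as an added example; this is not the patent's code. Formulas (II) through (VIII) are not reproduced on this page, so the construction below is Shoup's practical threshold RSA, which the page's notation (Δ = n!, Lagrange interpolation in the exponent, a pair (a, b) with $4\Delta^2 \cdot a + e_0 \cdot b = -1$, $v_u = w^a x^b$) matches; that correspondence is an assumption. Also assumed: the partial-key form $x^{2\Delta d_j}$, SHA-256 as the published h(·), $e_0$ inverted modulo $m_0$ as in Shoup (the claim writes $\varphi(m_0)$, but the sharing polynomial is reduced modulo $m_0$, and recombination in the exponent only works if $e_0 d_0 \equiv 1$ there), and the correctness check of step (V) d) taken modulo $n_0$, since the user never holds $m_0$. The parameters (5 CAs, threshold 3, 64-bit safe primes, $e_0 = 65537$) are constructed for the demonstration.

```python
"""Threshold-CA proxy-key issuance, steps (I)-(V) of the claim (added example, not the patent's code).

Follows Shoup's practical threshold RSA; the page's formulas (II)-(VIII) are absent, so the
correspondence is an assumption.  Also assumed: partial keys x^(2*Delta*d_j), SHA-256 as h(.),
d0 = e0^-1 mod m0 (the claim writes phi(m0)), and the final check taken mod n0.  Python 3.8+.
"""
import hashlib
import random
from math import factorial, gcd

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # deterministic Miller-Rabin below 3.3e24

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the 64-bit primes used here."""
    if n < 2 or any(n % p == 0 for p in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int, rng: random.Random) -> int:
    """p = 2p' + 1 with both p and p' prime (formula (I))."""
    while True:
        pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(pp) and is_probable_prime(2 * pp + 1):
            return 2 * pp + 1

def ext_gcd(a: int, b: int):
    """(g, s, u) with a*s + b*u = g = gcd(a, b)."""
    s0, s1, u0, u1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, u0, u1 = s1, s0 - q * s1, u1, u0 - q * u1
    return a, s0, u0

def ca_setup(n_ca: int, t: int, e0: int, rng: random.Random):
    """Steps (I)-(II): master key (n0, e0); d0 shared over Z_m0 by a degree t-1 polynomial."""
    p0, q0 = safe_prime(64, rng), safe_prime(64, rng)
    assert p0 != q0
    n0, m0 = p0 * q0, ((p0 - 1) // 2) * ((q0 - 1) // 2)
    assert gcd(e0, m0) == 1 and gcd(e0, 4 * factorial(n_ca) ** 2) == 1
    d0 = pow(e0, -1, m0)  # Shoup's convention (assumption; the claim writes phi(m0))
    coeffs = [d0] + [rng.randrange(m0) for _ in range(t - 1)]  # f(0) = d0
    shares = {j: sum(c * pow(j, k, m0) for k, c in enumerate(coeffs)) % m0
              for j in range(1, n_ca + 1)}  # d_j = f(j) for CA_j; p0, q0, d0 are then discarded
    return (n0, e0), shares

def request_body(pk_u) -> int:
    """x = h(n_u, e_u) (formula (V)); SHA-256 stands in for the published h(.)."""
    return int.from_bytes(hashlib.sha256(f"{pk_u[0]}|{pk_u[1]}".encode()).digest(), "big")

def partial_proxy_key(x: int, d_j: int, n_ca: int, n0: int) -> int:
    """CA_j's partial key v_{u,j} = x^(2*Delta*d_j) mod n0 (assumed form of formula (VI))."""
    return pow(x, 2 * factorial(n_ca) * d_j, n0)

def lagrange_coeff(i: int, j: int, S, delta: int) -> int:
    """Integer lambda_{i,j}^S = Delta * prod_{j' in S, j' != j} (i - j')/(j - j') (formula (III))."""
    num = den = 1
    for jp in S:
        if jp != j:
            num, den = num * (i - jp), den * (j - jp)
    assert (delta * num) % den == 0  # Delta = n! clears every denominator
    return delta * num // den

def recover_proxy_key(x: int, partials: dict, n_ca: int, pk_ca) -> int:
    """Step (V) a)-c): combine the received partial keys into v_u."""
    n0, e0 = pk_ca
    delta, S = factorial(n_ca), sorted(partials)
    w = 1  # (VII): interpolation in the exponent yields w = x^(4*Delta^2*d0) mod n0
    for j in S:
        w = w * pow(partials[j], 2 * lagrange_coeff(0, j, S, delta), n0) % n0
    g, s, u = ext_gcd(4 * delta * delta, e0)  # now w^e0 = x^(4*Delta^2) mod n0
    assert g == 1
    a, b = -s, -u  # 4*Delta^2*a + e0*b = -1, the page's convention
    return pow(w, a, n0) * pow(x, b, n0) % n0  # (IX): v_u = w^a * x^b

def proxy_key_is_correct(v_u: int, x: int, pk_ca) -> bool:
    """Step (V) d): with the -1 convention, v_u^e0 * x == 1 (mod n0) (check mod n0 is an assumption)."""
    n0, e0 = pk_ca
    return pow(v_u, e0, n0) * x % n0 == 1

def run_demo(seed: int = 7, n_ca: int = 5, t: int = 3) -> dict:
    """Constructed run: 5 CAs, threshold 3, one node (step (III) RSA key) requesting its proxy key."""
    rng = random.Random(seed)
    pk_ca, shares = ca_setup(n_ca, t, 65537, rng)
    pk_u = (safe_prime(64, rng) * safe_prime(64, rng), 65537)  # (n_u, e_u); d_u is not needed here
    x = request_body(pk_u)
    partials = {j: partial_proxy_key(x, shares[j], n_ca, pk_ca[0]) for j in shares}
    def ok(js):  # recover from the CAs in js and run the step (V) d) check
        return proxy_key_is_correct(recover_proxy_key(x, {j: partials[j] for j in js}, n_ca, pk_ca), x, pk_ca)
    return {"t_of_n_ok": ok((1, 3, 5)), "all_n_ok": ok(shares), "below_threshold_ok": ok((2, 4))}
```

Any t of the n partial keys recombine to the same $v_u$, and so do all n; with only t-1 of them the interpolation lands on the wrong polynomial and the step (V) d) check fails, which is the property the threshold is meant to provide: no t-1 CAs, honest or compromised, can issue a proxy key on their own. Note that the user's check needs only $n_0$, $e_0$ and x, consistent with $m_0$ being destroyed after sharing.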

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911004459.8A CN110851859B (en) 2019-10-22 2019-10-22 Authentication method of distributed authority node block chain system with (n, t) threshold

Publications (2)

Publication Number Publication Date
CN110851859A CN110851859A (en) 2020-02-28
CN110851859B true CN110851859B (en) 2023-09-29

Family

ID=69596758

Country Status (1)

Country Link
CN (1) CN110851859B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371790B (en) * 2020-03-05 2022-06-17 中国工商银行股份有限公司 (Industrial and Commercial Bank of China) Consortium-chain-based data encryption sending method, related method, device and system
CN112686672A (en) * 2021-01-08 2021-04-20 新晨科技股份有限公司 (Xinchen Technology) Blockchain endorsement signature compression method, electronic device and storage medium
CN116384999A (en) * 2023-04-19 2023-07-04 北方工业大学 (North China University of Technology) Lightweight hierarchical deterministic wallet model supporting stealth addresses, and method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107273760A (en) * 2017-06-09 2017-10-20 济南浪潮高新科技投资发展有限公司 (Jinan Inspur Hi-Tech Investment and Development) A blockchain-based multi-CA application authentication method
CN107395349A (en) * 2017-08-16 2017-11-24 深圳国微技术有限公司 (Shenzhen State Micro Technology) A blockchain network key distribution method based on a self-certified public key system
CN109003083A (en) * 2018-07-27 2018-12-14 山东渔翁信息技术股份有限公司 (Shandong Yuweng Information Technology) A blockchain-based CA authentication method, apparatus and electronic device
CN109150968A (en) * 2018-07-13 2019-01-04 上海大学 (Shanghai University) A blockchain distributed storage method based on secret sharing
WO2019034951A1 (en) * 2017-08-15 2019-02-21 nChain Holdings Limited Threshold digital signature method and system
CN109684878A (en) * 2018-12-17 2019-04-26 杭州安恒信息技术股份有限公司 (Hangzhou DBAPPSecurity) A blockchain-based privacy information tamper-proofing method and system
CN110197081A (en) * 2019-05-30 2019-09-03 北京理工大学 (Beijing Institute of Technology) A blockchain-based privacy protection scheme for cloud data sharing
CN110289951A (en) * 2019-06-03 2019-09-27 杭州电子科技大学 (Hangzhou Dianzi University) A shared content monitoring method based on threshold secret sharing and blockchain

Also Published As

Publication number Publication date
CN110851859A (en) 2020-02-28

Similar Documents

Publication Publication Date Title
CN114730420A (en) System and method for generating signatures
JP2019507510A (en) Common secret determination for secure exchange of information and hierarchical and deterministic encryption keys
US10742426B2 (en) Public key infrastructure and method of distribution
JP2023024499A (en) System and method for enabling secure storage of large block chain over multiple storage nodes, which are implemented by computer
CN110851859B (en) Authentication method of distributed authority node block chain system with (n, t) threshold
Babu et al. A distributed identity‐based authentication scheme for internet of things devices using permissioned blockchain system
Jiang et al. Anonymous and efficient authentication scheme for privacy-preserving distributed learning
Xi et al. ZAMA: A ZKP-based anonymous mutual authentication scheme for the IoV
Benantar The Internet public key infrastructure
WO2022089865A1 (en) Identifying denial-of-service attacks
Ra et al. A study on KSI-based authentication management and communication for secure smart home environments
Zheng et al. Blockchain-based privacy protection unified identity authentication
Cao et al. Decentralized group signature scheme based on blockchain
CN110945833A (en) Method and system for multi-mode identification network privacy protection and identity management
WO2021213959A1 (en) (ec)dsa threshold signature with secret sharing
CN116827584B (en) Method for certificateless anonymous cross-domain authentication of Internet of things equipment based on blockchain
CN112529573A (en) Combined block chain threshold signature method and system
CN112039837A (en) Electronic evidence preservation method based on block chain and secret sharing
CN110740034A (en) Method and system for generating QKD network authentication key based on alliance chain
Cho et al. Big data cloud deduplication based on verifiable hash convergent group signcryption
Rawat et al. PAS-TA-U: PASsword-based threshold authentication with password update
JP5099771B2 (en) Two-factor authentication system
KR101042834B1 (en) A Self-Certified Signcryption Method for Mobile Communications
Yap et al. On the security of a lightweight authentication and encryption scheme for mobile ad hoc network
Chaudhari et al. Towards lightweight provable data possession for cloud storage using indistinguishability obfuscation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant