CN114006691B - Method and device for remote attestation - Google Patents

Method and device for remote attestation

Publication number: CN114006691B (granted; earlier publication CN114006691A)
Application number: CN202010671512.6A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 杨艳江, 鲍丰
Assignee (original and current): Huawei Technologies Co Ltd
Legal status: Active (as listed by Google Patents; not a legal conclusion)

Classifications (CPC): H04L9/0861 and H04L9/0863 (generation of cryptographic keys, involving passwords); H04L63/0407 and H04L63/0421 (confidential exchange with hidden identities, anonymous communication); H04L63/083 (entity authentication using passwords); H04L9/008 (homomorphic encryption); H04L9/3218 and H04L9/3221 (proofs of knowledge, interactive zero-knowledge proofs); H04L9/3247 (digital signatures)
Abstract

The present application provides methods and systems for remote attestation. The remote attestation method comprises the following steps: a trusted third-party server sends a first partial attestation private key to a trusted device according to a first master key A-MSK1; a chip manufacturer server sends a second partial attestation private key to the trusted device according to a second master key A-MSK2; the trusted device generates an attestation private key from the first partial attestation private key and the second partial attestation private key; the trusted device generates an anonymous signature according to the attestation private key; and a verification device verifies the anonymous signature according to a joint master public key. Because at least one trusted third-party server and the chip manufacturer server generate the attestation private key jointly, the user's trust is spread over multiple parties, and no single party can generate or learn the user's attestation private key on its own.

Description

Method and device for remote attestation
Technical Field
The present application relates to the field of trusted computing, and more particularly to a method and apparatus for remote attestation in the field of trusted computing.
Background
In the field of trusted computing, remote attestation is a technique by which a computing system (the prover) attests to the configuration and state of its software and hardware to a remote system (the verifier). A remote attestation system therefore has two parts, a prover and a verifier. The prover has a system integrity measurement mechanism and reports the measurement values of its system to the verifier through the remote attestation protocol agreed between the two, so that the verifier can check the system integrity of the prover.
To protect the prover's privacy, the prover usually needs to take part in the remote attestation protocol anonymously: the verifier only needs to verify the prover's system integrity, without learning which specific prover it is talking to. This is usually achieved with group signatures or group-signature-like techniques. A group signature is a special kind of digital signature with the following core properties. A group manager holds a master public key / master key pair and is responsible for issuing a private signing key to each group member; issuing such a key requires the master key. A group member signs with its private key, and the validity of the resulting signature is checked with the master public key. Verification only establishes that some group member produced the signature; it does not reveal which member. Moreover, different signatures produced by the same member cannot be linked (unlinkability): the verifier cannot tell whether two signatures come from the same member. Group signatures therefore protect the privacy of the signer.
In one remote attestation scheme, the chip manufacturer, as the issuing authority for the processor, holds a master public key / master key pair. The chip manufacturer generates an attestation private key (attestation key) from the master key; the prover uses the attestation key to produce digital signatures, and the verifier checks them with the master public key. Since the chip manufacturer is the sole issuer of the attestation key, the user has to trust the chip manufacturer completely, that is, trust the attestation key the manufacturer generated. In some cases, however, the user may not want to trust the chip manufacturer completely, and how to perform remote attestation in that setting is the problem to be solved.
Disclosure of Invention
The application provides a method and a system for remote attestation in which the user does not need to trust the chip manufacturer completely during remote attestation.
In a first aspect, a method for remote attestation is provided, including:
a second server sends a second partial attestation private key to a first device according to a second master key A-MSK2;
the first device receives the second partial attestation private key from the second server and a first partial attestation private key from a first server, where the first partial attestation private key is generated by the first server from a first master key A-MSK1;
the first device generates an attestation private key from the first partial attestation private key and the second partial attestation private key;
and the first device generates an anonymous signature according to the attestation private key, where the joint master public key used to verify the anonymous signature is determined from a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
By way of example, the first server may be a trusted third-party server, the second server may be a chip manufacturer server, and the first device may be a trusted device. There may be one or more trusted third-party servers, for example one, two or more; this is not limited in the embodiments of the application.
Taking the first server as a trusted third-party server, the second server as a chip manufacturer server and the first device as a trusted device, the attestation private key (attestation key) is generated jointly by at least one trusted third-party server trusted by the user (i.e. by the trusted device and the verification device) and by the chip manufacturer server. The user's trust is thereby distributed over multiple parties, so that no single party (the chip manufacturer or any one trusted third party) can generate or learn the user's attestation key on its own; the user therefore need not trust the chip manufacturer completely in the remote attestation process.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes:
the second server determines the path $\{u_0, u_1, \ldots, u_l\}$ from the leaf node of the first device in a binary tree to the root node of the binary tree, where $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node at which the first device is located, $u_0$ denotes the root node, and $j$ and $l$ are integers with $0 \le j \le l$;
where the second server sending the second partial attestation private key to the first device according to the second master key A-MSK2 includes:
the second server generates, according to A-MSK2, a second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$;
the second server sends the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where the second signatures on the pairs $(u_l, u_j)$ for all $u_j$ together form the second partial attestation private key;
and where the first partial attestation private key is determined by the first server from a first signature, the first signature being the signature that the first server generates, according to A-MSK1, on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$.
In this way the first server generates, with its own master key, a signature on every node of the path from the leaf node corresponding to the trusted chip to the root of the binary tree, and these signatures are the partial attestation key generated by the first server; likewise the second server generates, with its own master key, a signature on every node of that path, and these signatures are the partial attestation key generated by the second server.
With reference to the first aspect, in certain implementations of the first aspect, the second server generating, according to A-MSK2, the second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$ includes:
the second server sends first encrypted information about the pair $(u_l, u_j)$ to the first server, computed according to A-MSK2 and a temporary additively homomorphic encryption algorithm;
the second server receives second encrypted information sent by the first server, where the second encrypted information is generated by the first server from the first encrypted information and A-MSK1;
the second server decrypts the second encrypted information and generates the second signature on the pair $(u_l, u_j)$ from the decrypted result.
Through the temporary additively homomorphic encryption algorithm, the second server can thus let the first server compute on its secret information (the intermediate values of the second server's partial attestation key generation) and obtain the corresponding result, while that secret information stays hidden from the first server.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes:
the first server sends encrypted information $c_1$ about the pair $(u_l, u_j)$ to the second server, computed according to A-MSK1 and the temporary additively homomorphic encryption algorithm;
the first server receives encrypted information $c_2$ sent by the second server, where $c_2$ is generated by the second server from $c_1$ and A-MSK2;
the first server decrypts $c_2$ and generates the first signature on the pair $(u_l, u_j)$ from the decrypted result.
In this way the first server can, through the temporary additively homomorphic encryption algorithm, let the second server compute on its secret information (the intermediate values of the first server's partial attestation key generation) and obtain the corresponding result, while that secret information stays hidden from the second server.
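The following is an added illustration, written for this page and not code from the patent or from Huawei, of the additively homomorphic exchange the two passages above describe: one server encrypts a secret value under a temporary Paillier key, the other server computes on the ciphertext with its own secret and a random blind, and the first server decrypts to a blinded result. It uses textbook Paillier with small, constructed parameters (P, Q, SHARE_ORDER and BLIND_BITS are this example's own choices) and the standard multiplicative-to-additive (MtA) share conversion as the computation; the BBS+/LMPY signature algebra in which the patent actually applies such a step is not reproduced here.

```python
"""Toy Paillier + multiplicative-to-additive (MtA) exchange between two servers.

Illustration only (added example, not the patent's own code). The Paillier
parameters and the share order are small, constructed values for readability;
a real deployment would use a fresh ~2048-bit modulus per exchange.
"""
import math
import secrets

# --- Temporary Paillier key held by the server that starts the exchange -----
P = 2147483647                   # 2^31 - 1, prime (toy size)
Q = 2305843009213693951          # 2^61 - 1, prime (toy size)
N = P * Q                        # public modulus, about 2^92
N2 = N * N
LAMBDA = math.lcm(P - 1, Q - 1)  # private: Carmichael function of N


def _L(x: int) -> int:
    return (x - 1) // N


MU = pow(_L(pow(N + 1, LAMBDA, N2)), -1, N)  # private decryption helper


def paillier_encrypt(m: int) -> int:
    """Enc(m) = (1+N)^m * r^N mod N^2 with a fresh random r coprime to N."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(c: int) -> int:
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def he_add(c1: int, c2: int) -> int:
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): the additive homomorphism."""
    return (c1 * c2) % N2


def he_mul_const(c: int, k: int) -> int:
    """Enc(m)^k = Enc(k * m): scaling by a constant known only to the party doing it."""
    return pow(c, k, N2)


# --- MtA: shares of a*b without either party learning the other's input ----
SHARE_ORDER = 2147483647   # hypothetical prime order of the secret-share group
BLIND_BITS = 80            # blind must dwarf a*b (< 2^62) and still fit below N (~2^92)


def server2_round1(a: int) -> int:
    """Holder of a: encrypt the secret under the temporary key and send it."""
    assert 0 <= a < SHARE_ORDER
    return paillier_encrypt(a)


def server1_round2(c_a: int, b: int) -> tuple[int, int]:
    """Holder of b: compute Enc(a*b + beta') from the ciphertext alone.

    Returns the reply ciphertext and this server's additive share beta.
    The random beta' statistically hides b from the decrypting party.
    """
    assert 0 <= b < SHARE_ORDER
    beta_prime = secrets.randbits(BLIND_BITS)
    c_reply = he_add(he_mul_const(c_a, b), paillier_encrypt(beta_prime))
    beta = (-beta_prime) % SHARE_ORDER
    return c_reply, beta


def server2_round3(c_reply: int) -> int:
    """Holder of a: decrypt to a*b + beta' (no wrap-around mod N) and reduce."""
    return paillier_decrypt(c_reply) % SHARE_ORDER


def mta(a: int, b: int) -> tuple[int, int]:
    """Run the whole exchange; returns (alpha, beta) with alpha + beta = a*b mod q."""
    c_a = server2_round1(a)
    c_reply, beta = server1_round2(c_a, b)
    alpha = server2_round3(c_reply)
    return alpha, beta


if __name__ == "__main__":
    alpha, beta = mta(123456789, 987654321)
    assert (alpha + beta) % SHARE_ORDER == (123456789 * 987654321) % SHARE_ORDER
    print("shares combine to a*b mod q:", (alpha + beta) % SHARE_ORDER)
```

The point of the blind is the privacy property the patent text claims for each server: the party that decrypts sees only a*b + beta', which reveals nothing useful about b while beta' is drawn from a range far larger than a*b, and the party that computes sees only a ciphertext. The key is labelled temporary because reusing it across exchanges would let the decrypting party correlate blinded outputs.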
With reference to the first aspect, in certain implementations of the first aspect, the method further includes:
the second server determines a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips in the binary tree revoked in time period $t$, and $R$ is the set of root nodes of all the subtrees formed by the valid nodes that remain after the nodes in $RU$ are revoked from $BT$;
the second server generates, according to A-MSK2, a fourth signature on the pair $(t, u_j)$ for each $u_j \in R$;
the second server determines a revocation list for time period $t$ from the fourth signature and a third signature, the revocation list containing the signature on the pair $(t, u_j)$ for each $u_j$, where the third signature is the signature that the first server generates, according to A-MSK1, on the pair $(t, u_j)$ for each $u_j \in R$.
In some embodiments, the first server may also determine the set R, and the first server may determine the revocation list together with the second server.
In some embodiments, the first server and/or the second server may disclose the revocation list, so that the trusted device corresponding to each leaf node in the binary tree may obtain the revocation list.
When the first device is not revoked in time period $t$, there exists a node $u$ that lies both on the path from the leaf node corresponding to the first device to the root of the binary tree and in the output $\mathrm{CS}(RU, BT)$ of the SM algorithm, i.e. $u \in \{u_0, u_1, \ldots, u_l\} \cap \{u'_1, u'_2, \ldots, u'_v\}$. The first device can then prove in zero knowledge that it holds a signature on $(ID, u)$ and a signature on $(t, u')$, and that $u = u'$.
When the first device is revoked in time period $t$, the output $\mathrm{CS}(RU, BT)$ of the SM algorithm necessarily contains no node on the path from the leaf node corresponding to the first device to the root. The first device then holds no signature on $(t, u')$ for any node on its path.
Therefore, the application provides a chip revocation mechanism, and a revocation list can be generated by the first server and the second server together, so that revocation of the chip can be completed together.
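As an added example (written for this page; not the patent's or Huawei's code), the complete-subtree cover $\mathrm{CS}(RU, BT)$ and the membership test of the paragraphs above, run on a constructed eight-leaf tree. Node labels of the form (level, index), DEPTH and RU are this example's own conventions; the signatures the two servers would attach to each $(t, u')$ entry of the revocation list are not modelled.

```python
"""Binary-tree revocation with the complete-subtree (CS) cover.

Added example (not the patent's code). Leaves are chips; a node is (level, index)
with the root at (0, 0) and leaves at level DEPTH, so the path from a leaf to the
root has DEPTH + 1 nodes, matching the patent's {u_0, ..., u_l} with l = DEPTH.
"""
from typing import Optional

Node = tuple[int, int]   # (level, index within that level)
ROOT: Node = (0, 0)


def path_to_root(depth: int, leaf_index: int) -> list[Node]:
    """Return [u_0, u_1, ..., u_l]: root first, the device's own leaf last."""
    if not 0 <= leaf_index < 2 ** depth:
        raise ValueError("leaf index outside the tree")
    nodes = []
    idx = leaf_index
    for level in range(depth, -1, -1):
        nodes.append((level, idx))
        idx //= 2
    nodes.reverse()
    return nodes


def complete_subtree_cover(depth: int, revoked: set[int]) -> set[Node]:
    """R <- CS(RU, BT): roots of the maximal subtrees containing no revoked leaf.

    Every node on a path from a revoked leaf to the root is marked (the Steiner
    tree of RU); each unmarked child of a marked internal node roots one subtree
    made only of still-valid leaves, and the set of those children is the cover.
    """
    steiner: set[Node] = set()
    for leaf in revoked:
        steiner.update(path_to_root(depth, leaf))
    if not steiner:
        return {ROOT}            # nothing revoked: the whole tree is one subtree
    cover: set[Node] = set()
    for level, idx in steiner:
        if level == depth:
            continue             # a revoked leaf has no children
        for child in ((level + 1, 2 * idx), (level + 1, 2 * idx + 1)):
            if child not in steiner:
                cover.add(child)
    return cover


def witness_node(depth: int, leaf_index: int, cover: set[Node]) -> Optional[Node]:
    """The node u in {u_0..u_l} ∩ R an unrevoked prover uses; None if it is revoked."""
    for u in path_to_root(depth, leaf_index):
        if u in cover:
            return u
    return None


def revocation_list(period: int, cover: set[Node]) -> list[tuple[int, Node]]:
    """Entries (t, u') for u' in R; in the scheme each carries both servers' signatures."""
    return sorted((period, u) for u in cover)


if __name__ == "__main__":
    DEPTH = 3                     # 8 chips (constructed sample)
    RU = {2, 5}                   # chips revoked in period t
    R = complete_subtree_cover(DEPTH, RU)
    print("cover R =", sorted(R))
    for chip in range(2 ** DEPTH):
        u = witness_node(DEPTH, chip, R)
        print(chip, "revoked" if u is None else f"ok, proves with node {u}")
```

With RU = {2, 5} the cover is {(2, 0), (2, 3), (3, 3), (3, 4)}: chip 0 proves with the subtree root (2, 0) shared by chips 0 and 1, chip 3 with its own leaf (3, 3), while chips 2 and 5 find no node of their path in R and therefore cannot produce a signature on any $(t, u')$. The cover has at most about $r \log_2(N/r)$ nodes for $r$ revoked chips out of $N$, which is what keeps the per-period revocation list small.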
With reference to the first aspect, in certain implementations of the first aspect, the first device generating the anonymous signature from the attestation private key includes:
obtaining a random challenge sent by the verification device;
determining a node $u$ that lies both on the path $\{u_0, u_1, \ldots, u_l\}$ and in the set $R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
and determining, from the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, a zero-knowledge signature over the random challenge and the platform integrity measurement value.
Thus, after obtaining the attestation private key, the first device determines a node that belongs both to the path from its leaf node to the root of the binary tree and to the output $\mathrm{CS}(RU, BT)$ of the SM algorithm, takes the signature on the pair $(u_l, u)$ from the attestation private key and the signature on the pair $(t, u)$ from the revocation list, and from these two signatures derives a zero-knowledge signature over the random challenge and the platform integrity measurement value, so that the verification device can verify the system integrity of the first device from that zero-knowledge signature.
With reference to the first aspect, in certain implementations of the first aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
In a second aspect, a method for remote attestation is provided, including:
the first device receives a first partial attestation private key from a first server, where the first partial attestation private key is generated by the first server from a first master key A-MSK1;
the first device receives a second partial attestation private key from a second server, where the second partial attestation private key is generated by the second server from a second master key A-MSK2;
the first device generates an attestation private key from the first partial attestation private key and the second partial attestation private key;
and the first device generates an anonymous signature according to the attestation private key, where the joint master public key used to verify the anonymous signature is determined from a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
With reference to the second aspect, in certain implementations of the second aspect, the first partial attestation private key is determined by the first server from a first signature, the first signature being the signature that the first server generates, according to A-MSK1, on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$;
the second partial attestation private key is determined by the second server from a second signature, the second signature being the signature that the second server generates, according to A-MSK2, on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$;
where $\{u_0, u_1, \ldots, u_l\}$ denotes the path from the leaf node of the first device in the binary tree to the root node of the binary tree, $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node at which the first device is located, $u_0$ denotes the root node, and $j$ and $l$ are integers with $0 \le j \le l$.
With reference to the second aspect, in certain implementations of the second aspect, the first device obtains a revocation list for time period $t$, the revocation list containing the signature on the pair $(t, u_j)$ for each $u_j$, where the revocation list is determined from a third signature and a fourth signature, the third signature being the signature that the first server generates, according to A-MSK1, on the pair $(t, u_j)$ for each $u_j \in R$, and the fourth signature being the signature that the second server generates, according to A-MSK2, on the pair $(t, u_j)$ for each $u_j \in R$;
and $R \leftarrow \mathrm{CS}(RU, BT)$, where $BT$ denotes the binary tree, $RU$ denotes the set of chips in the binary tree revoked in time period $t$, and $R$ is the set of root nodes of all the subtrees formed by the valid nodes that remain after the nodes in $RU$ are revoked from $BT$.
With reference to the second aspect, in some implementations of the second aspect, the first device generating the anonymous signature from the attestation private key includes:
obtaining a random challenge sent by the verification device;
determining a node $u$ that lies both on the path $\{u_0, u_1, \ldots, u_l\}$ and in the set $R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
and determining, from the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, a zero-knowledge signature over the random challenge and the platform integrity measurement value.
With reference to the second aspect, in certain implementations of the second aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
With reference to the second aspect, in certain implementations of the second aspect, the second server is a chip manufacturer server of the first device.
In a third aspect, a system for remote attestation is provided, comprising:
a second server, configured to send a second partial attestation private key to a first device according to a second master key A-MSK2;
the first device, configured to receive the second partial attestation private key from the second server and a first partial attestation private key from a first server, where the first partial attestation private key is generated by the first server from a first master key A-MSK1;
the first device is further configured to generate an attestation private key from the first partial attestation private key and the second partial attestation private key;
the first device is further configured to generate an anonymous signature according to the attestation private key, where the joint master public key used to verify the anonymous signature is determined from a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
With reference to the third aspect, in certain implementations of the third aspect, the second server is further configured to determine the path $\{u_0, u_1, \ldots, u_l\}$ from the leaf node at which the first device is located in the binary tree to the root node of the binary tree, where $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node at which the first device is located, $u_0$ denotes the root node, and $j$ and $l$ are integers with $0 \le j \le l$;
where the second server is specifically configured to:
generate, according to A-MSK2, a second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$;
send the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where the second signatures on the pairs $(u_l, u_j)$ for all $u_j$ together form the second partial attestation private key;
and where the first partial attestation private key is determined by the first server from a first signature, the first signature being the signature that the first server generates, according to A-MSK1, on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \ldots, u_l\}$.
With reference to the third aspect, in some implementations of the third aspect, the second server is specifically configured to:
send first encrypted information about the pair $(u_l, u_j)$ to the first server, computed according to A-MSK2 and a temporary additively homomorphic encryption algorithm;
receive second encrypted information sent by the first server, where the second encrypted information is generated by the first server from the first encrypted information and A-MSK1;
decrypt the second encrypted information and generate the second signature on the pair $(u_l, u_j)$ from the decrypted result.
With reference to the third aspect, in certain implementations of the third aspect,
the second server is further configured to determine a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips in the binary tree revoked in time period $t$, and $R$ is the set of root nodes of all the subtrees formed by the valid nodes that remain after the nodes in $RU$ are revoked from $BT$;
the second server is further configured to generate, according to A-MSK2, a fourth signature on the pair $(t, u_j)$ for each $u_j \in R$;
the second server is further configured to determine a revocation list for time period $t$ from a third signature and the fourth signature, the revocation list containing the signature on the pair $(t, u_j)$ for each $u_j$, where the third signature is the signature that the first server generates, according to A-MSK1, on the pair $(t, u_j)$ for each $u_j \in R$.
With reference to the third aspect, in some implementations of the third aspect, the first device is specifically configured to:
obtain a random challenge sent by the verification device;
determine a node $u$ that lies both on the path $\{u_0, u_1, \ldots, u_l\}$ and in the set $R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
and determine, from the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, a zero-knowledge signature over the random challenge and the platform integrity measurement value.
With reference to the third aspect, in certain implementations of the third aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
With reference to the third aspect, in certain implementations of the third aspect, the second server is a chip manufacturer server of the first device.
In a fourth aspect, an apparatus for remote attestation is provided, configured to perform the method of the second aspect or any possible implementation manner of the second aspect, and in particular, the apparatus includes a module, such as a receiving unit and a generating unit, configured to perform the method of the second aspect or any possible implementation manner of the second aspect,
a receiving unit, configured to receive a first partial proof private key from a first server, where the first partial proof private key is generated by the first server according to a first master key a-MSK 1;
the receiving unit is further configured to receive a second partial attestation private key from a second server, wherein the second partial attestation private key is generated by the second server from a second master key a-MSK 2;
a generating unit configured to generate a certification private key according to the first part certification private key and the second part certification private key;
the generation unit is further configured to generate, by the first device, an anonymous signature according to the certification private key, where a joint master public key for verifying the anonymous signature is determined according to a first master public key a-MPK1 corresponding to the a-MSK1 and a second master public key a-MPK2 corresponding to the a-MSK2.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the first partial attestation private key is determined by the first server from a first signature, the first signature being generated by the first server according to A-MSK1 for each $u_j \in \{u_0, u_1, \dots, u_l\}$ as the signature on the pair $(u_l, u_j)$;
the second partial attestation private key is determined by the second server from a second signature, the second signature being generated by the second server according to A-MSK2 for each $u_j \in \{u_0, u_1, \dots, u_l\}$ as the signature on the pair $(u_l, u_j)$;
where $\{u_0, u_1, \dots, u_l\}$ denotes the path from the leaf node of the first device in the binary tree to the root node of the binary tree, $u_j$ represents the $j$-th node on the path, $u_l$ is the leaf node where the first device is located, $u_0$ is the root node, $0 \le j \le l$, and $j$ and $l$ are integers.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes obtaining a revocation list for the time period $t$, where the revocation list includes, for each $u_j \in R$, a joint signature on the pair $(t, u_j)$. The revocation list is determined from a third signature and a fourth signature, the third signature being generated by the first server according to A-MSK1 for each $u_j \in R$ as the signature on the pair $(t, u_j)$, and the fourth signature being generated by the second server according to A-MSK2 for each $u_j \in R$ as the signature on the pair $(t, u_j)$;
and $R \leftarrow \mathrm{CS}(RU, BT)$, where $BT$ denotes the binary tree, $RU$ denotes the set of chips revoked in the binary tree in the time period $t$, and $R$ denotes the set of root nodes of all subtrees formed by the remaining valid nodes after the nodes in $RU$ are revoked from $BT$.
With reference to the fourth aspect, in some implementations of the fourth aspect, the generating unit is specifically configured to:
acquire random challenge information sent by the verification device;
determine a node $u \in \{u_0, u_1, \dots, u_l\} \cap R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
according to the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, determine a zero-knowledge signature on the random challenge information and the platform integrity metric value.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the second server is a chip manufacturer server of the first device.
In a fifth aspect, a method for remote attestation is provided, including:
the trusted third party server sends a first partial attestation private key to the trusted device according to a first master key A-MSK1;
the chip manufacturer server sends a second partial attestation private key to the trusted device according to a second master key A-MSK2;
the trusted device generates an attestation private key according to the first partial attestation private key and the second partial attestation private key;
the trusted device generates an anonymous signature according to the attestation private key;
and the verification device verifies the anonymous signature according to a joint master public key, where the joint master public key is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
Therefore, in the embodiment of the present application, at least one trusted third party server, trusted by the user (i.e., the attesting device and the verifying device), and the chip manufacturer server jointly generate the attestation private key (attestation key). The user's trust is thereby distributed across multiple parties, and no single party (for example, the chip manufacturer or any one trusted third party) can generate or learn the user's attestation key on its own.
In this embodiment of the present application, the number of trusted third party servers may be at least one, for example one, two or more; this is not limited in this embodiment of the present application.
With reference to the fifth aspect, in certain implementations of the fifth aspect, the method further includes:
the trusted third party server and the chip manufacturer server jointly determine the path $\{u_0, u_1, \dots, u_l\}$ from the leaf node of the trusted device in a binary tree to the root node of the binary tree, where $u_j$ represents the $j$-th node on the path, $u_l$ is the leaf node where the trusted device is located, $u_0$ is the root node, $0 \le j \le l$, and $j$ and $l$ are integers;
the trusted third party server sending the first partial attestation private key to the trusted device according to the first master key A-MSK1 includes:
the trusted third party server generates, according to A-MSK1, a first signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
the trusted third party server sends the first signature on the pair $(u_l, u_j)$ for each $u_j$ to the trusted device, where these first signatures on the pairs $(u_l, u_j)$ are the first partial attestation private key;
and the chip manufacturer server sending the second partial attestation private key to the trusted device according to the second master key A-MSK2 includes:
the chip manufacturer server generates, according to A-MSK2, a second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
the chip manufacturer server sends the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the trusted device, where these second signatures on the pairs $(u_l, u_j)$ are the second partial attestation private key.
In this way, the trusted third party server generates, according to its own master key, a signature for every node on the path from the leaf node corresponding to the trusted chip to the root node of the binary tree, and these signatures form the partial attestation key generated by the trusted third party server; likewise, the chip manufacturer server generates, according to its own master key, a signature for every node on that path, and these signatures form the partial attestation key generated by the chip manufacturer server.
With reference to the fifth aspect, in certain implementations of the fifth aspect, the trusted third party server generating, according to A-MSK1, the first signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$ includes:
the trusted third party server sends to the chip manufacturer server encrypted information $c_1$ for the pair $(u_l, u_j)$, computed according to A-MSK1 and a temporary additively homomorphic encryption algorithm;
the trusted third party server receives encrypted information $c_2$ sent by the chip manufacturer server, where $c_2$ is generated by the chip manufacturer server according to $c_1$ and A-MSK2;
the trusted third party server decrypts $c_2$ and generates the first signature on the pair $(u_l, u_j)$ according to the decrypted $c_2$.
Therefore, by means of the temporary additively homomorphic encryption algorithm, the trusted third party server can let the chip manufacturer server compute on its secret information (that is, the intermediate values of the trusted third party server's partial attestation key generation) while keeping that information private, and obtain the corresponding computation result.
In some possible implementations, the chip manufacturer server may likewise send to the trusted third party server encrypted information $c_3$ for the pair $(u_l, u_j)$, computed according to A-MSK2 and the temporary additively homomorphic encryption algorithm;
the chip manufacturer server receives encrypted information $c_4$ sent by the trusted third party server, where $c_4$ is generated by the trusted third party server according to $c_3$ and A-MSK1;
the chip manufacturer server decrypts $c_4$ and generates the second signature on the pair $(u_l, u_j)$ according to the decrypted $c_4$.
In this way, by means of the temporary additively homomorphic encryption algorithm, the chip manufacturer server can let the trusted third party server compute on its secret information (that is, the intermediate values of the chip manufacturer server's partial attestation key generation) while keeping that information private, and obtain the corresponding computation result.
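The $c_1$/$c_2$ (and $c_3$/$c_4$) exchange above can be exercised with an additively homomorphic scheme. The following Python is an added illustration, not code from the patent: it instantiates the Paillier cryptosystem with constructed demo primes and lets a "chip manufacturer" apply an affine function $a \cdot m + b$ to the trusted third party's encrypted value $m$ without ever seeing $m$. The page does not say which function the receiving server computes on $c_1$, so the affine function, the private values $a$, $b$ (stand-ins for material derived from A-MSK2), the value $m$ (a stand-in for material derived from A-MSK1), the function names and the primes are all assumptions of this example.

```python
"""Toy additively homomorphic two-party step in the style of the c_1 / c_2
exchange described above.  Added example, not the patent's protocol.  The
primes are constructed demo values (about 2^20 each); a real deployment
uses primes of 1024 bits or more."""

import math
import secrets

# Constructed demo primes; p and q must be distinct primes with
# gcd(pq, (p-1)(q-1)) == 1, which holds here.
P, Q = 1_000_003, 1_000_033


def keygen(p: int = P, q: int = Q):
    """Paillier key pair with the usual simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)    # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return (n, n * n), (lam, mu)


def encrypt(pk, m: int) -> int:
    """Enc(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pk
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c: int) -> int:
    """Dec(c) = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, n2 = pk
    lam, mu = sk
    x = pow(c, lam, n2)
    return (((x - 1) // n) * mu) % n


def add_plain(pk, c: int, b: int) -> int:
    """Enc(m) * Enc(b) = Enc(m + b): add a plaintext under encryption."""
    return (c * encrypt(pk, b)) % pk[1]


def mul_plain(pk, c: int, a: int) -> int:
    """Enc(m)^a = Enc(a * m): scale the plaintext under encryption."""
    return pow(c, a, pk[1])


def manufacturer_step_factory(a: int, b: int):
    """Chip manufacturer side (assumed role): sees only c_1, never m, and
    applies its private a, b to produce c_2 = Enc(a * m + b)."""
    def step(pk, c1: int) -> int:
        return add_plain(pk, mul_plain(pk, c1, a), b)
    return step


def ttp_round(pk, sk, ttp_secret: int, manufacturer_step) -> int:
    """Trusted third party side (assumed role): c_1 = Enc(secret) goes out,
    c_2 comes back, and only the decrypted result is learned."""
    c1 = encrypt(pk, ttp_secret)
    c2 = manufacturer_step(pk, c1)
    return decrypt(pk, sk, c2)


def joint_affine(ttp_secret: int, a: int, b: int) -> int:
    """End-to-end run under a fresh key pair; returns what the TTP decrypts
    from c_2, i.e. (a * ttp_secret + b) mod n."""
    pk, sk = keygen()
    return ttp_round(pk, sk, ttp_secret, manufacturer_step_factory(a, b))


if __name__ == "__main__":
    pk, sk = keygen()
    print("round trip ok:", decrypt(pk, sk, encrypt(pk, 42)) == 42)
    print("joint affine ok:", joint_affine(123456, 7, 89) == 7 * 123456 + 89)
```

The property the paragraph relies on is visible in `manufacturer_step_factory`: the manufacturer's code path only ever touches ciphertexts, so its contribution is folded in without it learning the TTP's input, and the TTP only learns the final affine result, not $a$ and $b$ separately when $b$ is chosen at random.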
With reference to the fifth aspect, in certain implementations of the fifth aspect, the method further includes:
the trusted third party server and the chip manufacturer server each determine a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips revoked in the binary tree within the time period $t$, and $R$ denotes the set of root nodes of all subtrees formed by the remaining valid nodes after the nodes in $RU$ are revoked from $BT$;
the trusted third party server generates, according to A-MSK1, a third signature on the pair $(t, u_j)$ for each $u_j \in R$;
the chip manufacturer server generates, according to A-MSK2, a fourth signature on the pair $(t, u_j)$ for each $u_j \in R$;
the trusted third party server and the chip manufacturer server determine the revocation list for the time period $t$ according to the third signature and the fourth signature, where the revocation list includes a joint signature on the pair $(t, u_j)$ for each $u_j \in R$.
In some embodiments, the revocation list may be published by the trusted third party server and/or the chip manufacturer server, so that the trusted devices corresponding to leaf nodes in the binary tree can obtain it.
When the trusted device is not revoked in the time period $t$, there exists a node $u$ that lies both on the path from the leaf node corresponding to the trusted device to the root node of the binary tree and in the output $\mathrm{CS}(RU, BT) = \{u'_1, u'_2, \dots, u'_v\}$ of the SM algorithm, i.e., $u \in \{u_0, u_1, \dots, u_l\} \cap \{u'_1, u'_2, \dots, u'_v\}$. The trusted device can then prove in zero knowledge that it holds a signature on $(\mathrm{ID}, u)$ and a signature on $(t, u')$, and that $u = u'$.
When the trusted device is revoked in the time period $t$, the output $\mathrm{CS}(RU, BT)$ of the SM algorithm contains no node on the path from the leaf node corresponding to the trusted device to the root node, so the trusted device holds no signature on $(t, u')$ for any $u'$ on its path.
Therefore, the application provides a chip revocation mechanism in which the trusted third party server and the chip manufacturer server jointly generate the revocation list and so jointly complete the revocation of a chip.
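The set $R \leftarrow \mathrm{CS}(RU, BT)$ and the non-revocation test described above can be made concrete with the complete-subtree cover. The Python below is an added example, not the patent's code and not the SM algorithm of FIG. 6: nodes are labelled by their bit string from the root (so $u_0$ is the empty string and a leaf of depth $l$ has $l$ bits), the revocation list carries the $(t, u_j)$ pairs without the joint signatures, and `attestation_node` returns the node $u$ in the intersection of the chip's path and the cover, which is the node the chip would prove on. The labelling, the function names and the list layout are assumptions of this example.

```python
"""Complete-subtree cover R <- CS(RU, BT) and the unrevoked-chip test.
Added example; node labelling and revocation-list layout are assumptions,
and the joint signatures on (t, u) are not computed here."""

from typing import List, Optional, Set, Tuple

# A node of the complete binary tree BT of depth `depth` is labelled by
# the bit string leading to it from the root: "" is the root u_0,
# "0" and "1" are its children, and a leaf has exactly `depth` bits.
# The leaf label doubles as the chip identity.


def path_to_root(leaf: str) -> List[str]:
    """{u_0, ..., u_l}: root first, the chip's leaf u_l last."""
    return [leaf[:i] for i in range(len(leaf) + 1)]


def complete_subtree_cover(revoked: Set[str], depth: int, node: str = "") -> Set[str]:
    """R <- CS(RU, BT): roots of all subtrees made up only of valid leaves.

    A subtree rooted at `node` is kept whole when no revoked leaf lies
    under it; otherwise both children are examined.  A revoked leaf
    contributes nothing, so if every leaf is revoked the cover is empty.
    """
    if not any(r.startswith(node) for r in revoked):
        return {node}
    if len(node) == depth:      # this leaf itself is in RU
        return set()
    return (complete_subtree_cover(revoked, depth, node + "0")
            | complete_subtree_cover(revoked, depth, node + "1"))


def revocation_list(period: int, cover: Set[str]) -> Set[Tuple[int, str]]:
    """The (t, u_j) pairs for u_j in R.  In the scheme each pair carries a
    joint signature of both servers; only the pairs are modelled here."""
    return {(period, u) for u in cover}


def attestation_node(leaf: str, period: int,
                     rl: Set[Tuple[int, str]]) -> Optional[str]:
    """Node u in path ∩ R for period t: the chip holds a signature on
    (u_l, u) from its attestation key and finds (t, u) in the revocation
    list.  None means the chip is revoked in t (or the list is for another
    period) and no zero-knowledge signature can be produced."""
    covered = {u for (t, u) in rl if t == period}
    for u in path_to_root(leaf):
        if u in covered:
            return u
    return None


if __name__ == "__main__":
    depth, t = 3, 7
    ru = {"010", "110"}                       # constructed revoked chips
    cover = complete_subtree_cover(ru, depth)
    rl = revocation_list(t, cover)
    print("R =", sorted(cover))               # ['00', '011', '10', '111']
    for chip in ("001", "010", "111"):
        print(chip, "->", attestation_node(chip, t, rl))
```

With two revoked leaves out of eight the cover has four nodes; the chip `001` proves on `00`, `111` proves on itself, and `010` finds no node of its path in the list, which is exactly the case the text describes for a revoked device.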
With reference to the fifth aspect, in some implementations of the fifth aspect, the trusted device generating an anonymous signature according to the attestation private key includes:
acquiring random challenge information sent by the verification device;
determining a node $u \in \{u_0, u_1, \dots, u_l\} \cap R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
according to the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, determining a zero-knowledge signature on the random challenge information and the platform integrity metric value.
Therefore, in this embodiment of the present application, after obtaining the attestation private key, the trusted device can determine a node $u$ that lies both on the path from its leaf node to the root node of the binary tree and in the output $\mathrm{CS}(RU, BT)$ of the SM algorithm, obtain the signature on the pair $(u_l, u)$ from the attestation private key and the signature on the pair $(t, u)$ from the revocation list, and from these two signatures determine a zero-knowledge signature on the random challenge information and the platform integrity metric value, so that the verification device can verify the system integrity of the trusted chip according to the zero-knowledge signature.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures, but embodiments of the present application are not limited thereto.
In some alternative embodiments, the trusted third party server uses its own first public/private key pair for identity authentication, the chip manufacturer server uses its own second public/private key pair for identity authentication, the trusted devices use their endorsement keys for mutual authentication, and a secure channel is established. Illustratively, the secure channel may be used to transmit the partial attestation keys.
Therefore, by establishing secure channels among the trusted third party server, the chip manufacturer server and the trusted device, the embodiment of the present application makes data transmission among them safer.
In a sixth aspect, there is provided a system for remote attestation, comprising:
the trusted third party server, configured to send a first partial attestation private key to the trusted device according to a first master key A-MSK1;
the chip manufacturer server, configured to send a second partial attestation private key to the trusted device according to a second master key A-MSK2;
the trusted device, configured to generate an attestation private key according to the first partial attestation private key and the second partial attestation private key;
the trusted device, further configured to generate an anonymous signature according to the attestation private key;
and the verification device, configured to verify the anonymous signature according to a joint master public key, where the joint master public key is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
With reference to the sixth aspect, in certain implementations of the sixth aspect, the trusted third party server and the chip manufacturer server are further configured to jointly determine the path $\{u_0, u_1, \dots, u_l\}$ from the leaf node where the trusted device is located in a binary tree to the root node of the binary tree, where $u_j$ represents the $j$-th node on the path, $u_l$ is the leaf node where the trusted device is located, $u_0$ is the root node, $0 \le j \le l$, and $j$ and $l$ are integers;
where the trusted third party server is specifically configured to:
generate, according to A-MSK1, a first signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
send the first signature on the pair $(u_l, u_j)$ for each $u_j$ to the trusted device, where these first signatures on the pairs $(u_l, u_j)$ are the first partial attestation private key;
and the chip manufacturer server is specifically configured to:
generate, according to A-MSK2, a second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
send the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the trusted device, where these second signatures on the pairs $(u_l, u_j)$ are the second partial attestation private key.
With reference to the sixth aspect, in certain implementations of the sixth aspect, the trusted third party server is specifically configured to send to the chip manufacturer server encrypted information $c_1$ for the pair $(u_l, u_j)$, computed according to A-MSK1 and a temporary additively homomorphic encryption algorithm;
the chip manufacturer server is specifically configured to generate encrypted information $c_2$ according to $c_1$ and A-MSK2, and to send $c_2$ to the trusted third party server;
the trusted third party server is specifically configured to decrypt $c_2$ and to generate the first signature on the pair $(u_l, u_j)$ according to the decrypted $c_2$.
With reference to the sixth aspect, in certain implementations of the sixth aspect, the trusted third party server and the chip manufacturer server are each further configured to determine a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips revoked in the binary tree over the time period $t$, and $R$ denotes the set of root nodes of all subtrees formed by the remaining valid nodes after the nodes in $RU$ are revoked from $BT$;
the trusted third party server is further configured to generate, according to A-MSK1, a third signature on the pair $(t, u_j)$ for each $u_j \in R$;
the chip manufacturer server is further configured to generate, according to A-MSK2, a fourth signature on the pair $(t, u_j)$ for each $u_j \in R$;
the trusted third party server and the chip manufacturer server are further configured to determine the revocation list for the time period $t$ according to the third signature and the fourth signature, where the revocation list includes a joint signature on the pair $(t, u_j)$ for each $u_j \in R$.
With reference to the sixth aspect, in some implementations of the sixth aspect, the trusted device is specifically configured to:
acquire random challenge information sent by the verification device;
determine a node $u \in \{u_0, u_1, \dots, u_l\} \cap R$, the signature on the pair $(u_l, u)$ contained in the attestation private key, and the signature on the pair $(t, u)$ contained in the revocation list;
according to the signature on the pair $(u_l, u)$ and the signature on the pair $(t, u)$, determine a zero-knowledge signature on the random challenge information and the platform integrity metric value.
With reference to the sixth aspect, in certain implementations of the sixth aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
In a seventh aspect, a method for remote attestation is provided, including:
the second server generates a second partial attestation private key according to a second master key A-MSK2;
the second server sends the second partial attestation private key to a first device, where the second partial attestation private key is used by the first device to generate an attestation private key according to a first partial attestation private key and the second partial attestation private key, the first partial attestation private key being generated by a first server according to a first master key A-MSK1; the attestation private key is used to generate an anonymous signature, and a joint master public key for verifying the anonymous signature is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
With reference to the seventh aspect, in certain implementations of the seventh aspect,
the second server determines the path $\{u_0, u_1, \dots, u_l\}$ from the leaf node of the first device in a binary tree to the root node of the binary tree, where $u_j$ represents the $j$-th node on the path, $u_l$ is the leaf node where the first device is located, $u_0$ is the root node, $0 \le j \le l$, and $j$ and $l$ are integers;
where the second server sending the second partial attestation private key to the first device according to the second master key A-MSK2 includes:
the second server generates, according to A-MSK2, a second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
the second server sends the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where these second signatures on the pairs $(u_l, u_j)$ are the second partial attestation private key.
With reference to the seventh aspect, in certain implementations of the seventh aspect, the second server generating, according to A-MSK2, the second signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$ includes:
the second server sends to the first server first encrypted information for the pair $(u_l, u_j)$, computed according to A-MSK2 and a temporary additively homomorphic encryption algorithm;
the second server receives second encrypted information sent by the first server, where the second encrypted information is generated by the first server according to the first encrypted information and A-MSK1;
the second server decrypts the second encrypted information and generates the second signature on the pair $(u_l, u_j)$ according to the decrypted second encrypted information.
With reference to the seventh aspect, in certain implementations of the seventh aspect,
the second server determines a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips revoked in the binary tree in the time period $t$, and $R$ denotes the set of root nodes of all subtrees formed by the remaining valid nodes after the nodes in $RU$ are revoked from $BT$;
the second server generates, according to A-MSK2, a fourth signature on the pair $(t, u_j)$ for each $u_j \in R$;
the second server determines the revocation list for the time period $t$ according to a third signature and the fourth signature, where the revocation list includes a joint signature on the pair $(t, u_j)$ for each $u_j \in R$, and the third signature is generated by the first server according to A-MSK1 for each $u_j \in R$ as the signature on the pair $(t, u_j)$.
With reference to the seventh aspect, in some implementations of the seventh aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
With reference to the seventh aspect, in certain implementations of the seventh aspect, the second server is a chip manufacturer server of the first device.
In an eighth aspect, an apparatus for remote attestation is provided, where the apparatus is configured to perform the method in the seventh aspect or any possible implementation manner of the seventh aspect, and in particular, the apparatus includes a module configured to perform the method in the seventh aspect or any possible implementation manner of the seventh aspect.
In a ninth aspect, a method of remote attestation is provided, comprising:
the first server generates a first partial attestation private key according to a first master key A-MSK1;
the first server sends the first partial attestation private key to a first device, where the first partial attestation private key is used by the first device to generate an attestation private key according to the first partial attestation private key and a second partial attestation private key, the second partial attestation private key being generated by a second server according to a second master key A-MSK2; the attestation private key is used to generate an anonymous signature, and a joint master public key for verifying the anonymous signature is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
With reference to the ninth aspect, in certain implementations of the ninth aspect,
the first server determines the path $\{u_0, u_1, \dots, u_l\}$ from the leaf node of the first device in a binary tree to the root node of the binary tree, where $u_j$ represents the $j$-th node on the path, $u_l$ is the leaf node where the first device is located, $u_0$ is the root node, $0 \le j \le l$, and $j$ and $l$ are integers;
where the first server sending the first partial attestation private key to the first device according to the first master key A-MSK1 includes:
the first server generates, according to A-MSK1, a first signature on the pair $(u_l, u_j)$ for each $u_j \in \{u_0, u_1, \dots, u_l\}$;
the first server sends the first signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where these first signatures on the pairs $(u_l, u_j)$ are the first partial attestation private key.
With reference to the ninth aspect, in certain implementations of the ninth aspect,
the first server sends to the second server encrypted information $c_1$ for the pair $(u_l, u_j)$, computed according to A-MSK1 and a temporary additively homomorphic encryption algorithm;
the first server receives encrypted information $c_2$ sent by the second server, where $c_2$ is generated by the second server according to $c_1$ and A-MSK2;
the first server decrypts $c_2$ and generates the first signature on the pair $(u_l, u_j)$ according to the decrypted $c_2$.
With reference to the ninth aspect, in certain implementations of the ninth aspect,
the first server determines a set $R$, where $R \leftarrow \mathrm{CS}(RU, BT)$, $BT$ denotes the binary tree, $RU$ denotes the set of chips revoked in the binary tree within the time period $t$, and $R$ denotes the set of root nodes of all subtrees formed by the remaining valid nodes after the nodes in $RU$ are revoked from $BT$;
the first server generates, according to A-MSK1, a third signature on the pair $(t, u_j)$ for each $u_j \in R$;
the first server determines the revocation list for the time period $t$ according to the third signature and a fourth signature, where the revocation list includes a joint signature on the pair $(t, u_j)$ for each $u_j \in R$, and the fourth signature is generated by the second server according to A-MSK2 for each $u_j \in R$ as the signature on the pair $(t, u_j)$.
With reference to the ninth aspect, in certain implementations of the ninth aspect, the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
With reference to the ninth aspect, in some implementations of the ninth aspect, the first server is a trusted third-party server of the first device.
A tenth aspect provides an apparatus for remote attestation, configured to perform the method of any possible implementation manner of the ninth aspect or the ninth aspect, and in particular, the apparatus includes a module configured to perform the method of any possible implementation manner of the ninth aspect or the ninth aspect.
In an eleventh aspect, an apparatus for remote attestation is provided, including a memory and a processor. The memory is configured to store instructions and the processor is configured to execute the instructions stored in the memory; when the processor executes those instructions, the apparatus performs the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect, or the method of the fifth aspect or any possible implementation of the fifth aspect, or the method of the seventh aspect or any possible implementation of the seventh aspect, or the method of the ninth aspect or any possible implementation of the ninth aspect.
In a twelfth aspect, a computer-readable medium is provided for storing a computer program comprising instructions for performing the method of the first aspect or any possible implementation of the first aspect, or instructions for performing the method of the second aspect or any possible implementation of the second aspect, or instructions for performing the method of the fifth aspect or any possible implementation of the fifth aspect, or instructions for performing the method of the seventh aspect or any possible implementation of the seventh aspect, or instructions for performing the method of the ninth aspect or any possible implementation of the ninth aspect.
A thirteenth aspect provides a computer program product including instructions which, when run on a computer, cause the computer to perform the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect, or the method of the fifth aspect or any possible implementation of the fifth aspect, or the method of the seventh aspect or any possible implementation of the seventh aspect, or the method of the ninth aspect or any possible implementation of the ninth aspect.
It should be understood that the beneficial effects obtained by the second to thirteenth aspects and the corresponding implementation manners of the present application are referred to the beneficial effects obtained by the first aspect and the corresponding implementation manners of the present application, and are not described in detail herein.
Drawings
FIG. 1 is a schematic architecture diagram of a remote attestation system;
FIG. 2 is a schematic diagram of a TPM based trusted architecture;
FIG. 3 is a schematic diagram of a system architecture of a processor-based SGX;
FIG. 4 is a schematic block diagram of a remote attestation system provided by an embodiment of the application;
FIG. 5 is a schematic flow chart diagram of a method of remote attestation provided herein;
FIG. 6 is an example of an SM algorithm;
FIG. 7 is a schematic block diagram of an apparatus for remote attestation as provided herein;
FIG. 8 is a schematic block diagram of another apparatus for remote attestation provided herein;
FIG. 9 is a schematic block diagram of another apparatus for remote attestation as provided herein;
FIG. 10 is a schematic block diagram of another apparatus for remote attestation provided herein;
FIG. 11 is a schematic block diagram of another apparatus for remote attestation as provided herein.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
FIG. 1 is a schematic architecture diagram of a remote attestation system. As shown in fig. 1, the remote attestation system includes two parts, an attester and a verifier. The prover side is provided with an integrity measurement module (integrity measurement module) and a remote authentication module (remote authentication module), and the verifier side is provided with a remote authentication module. The integrity measurement module can generate a measurement value of the system according to a system integrity measurement mechanism. The prover's remote authentication module is capable of sending the metric value generated by the integrity metric module to the verifier's remote authentication module in accordance with a remote attestation protocol for the verifier to verify the prover's system integrity.
As one solution, a trusted architecture based on a Trusted Platform Module (TPM) provides a hardware trust root, implements a scalable system boot process, and can form a trust chain from hardware. As shown in fig. 2, the chain of trust may be: trusted hardware TPM > TMP measurement boot loader (boot loader) - - > boot loader measurement operating system (operating system) - - > operating system measurement application (application).
The TMP-based remote attestation protocol is Direct Anonymous Attestation (DAA). The authentication key for the remote attestation protocol is distributed by the TMP manufacturer as a distribution authority. Thus, in a TPM-based trusted architecture, the belief relationship for trusted computing is that users (i.e., provers and verifiers) need to trust the TMP manufacturer.
Alternatively, a processor-based software guard extensions (SGX) is a set of security-related instruction sets. As shown in fig. 3, SGX may extend the processor allowing a user-level program or operating system to define a limited private memory area enclaves. The content in Enclave is protected cryptographically and therefore cannot be read by any other program, including those with higher rights.
The remote attestation protocol of SGX is Enhanced Privacy (EPID). The chip manufacturer acts as a distribution mechanism for the processor, generating the authentication key. Thus, in the processor-based SGX scheme, the trusted computing belief relationship is also that the user (i.e., prover and verifier) needs to trust the TMP manufacturer.
In both schemes, the user needs to trust the chip manufacturer, and in particular needs to trust the attestation key generated by the chip manufacturer. However, in some cases the user may not want to trust the chip manufacturer completely. In view of this, the present application provides a remote attestation system that includes at least one trusted third party (TTP) server trusted by the user (i.e., the attestation device and the verification device); the trusted third party server can generate the attestation key together with the chip manufacturer server, so that the user's trust is distributed over multiple parties, i.e., at least one trusted third party and the chip manufacturer. In this case, no single party (for example, the chip manufacturer or any one trusted third party) can generate or learn the user's attestation key, so the embodiments of the present application make it unnecessary for the user to trust the chip manufacturer completely.
Fig. 4 is a schematic architecture diagram of a remote attestation system provided by an embodiment of the present application. As shown in fig. 4, the system includes a first server 410, a second server 420, a first device 430, and an authentication device 440. Illustratively, the first server 410 may be a trusted third party server 410, the second server 420 may be a chip manufacturer server 420, and the first device 430 may be a trusted device 430. Here, the trusted device 430 is an example of a prover and the verification device 440 is an example of a verifier. In some possible embodiments, the trusted device may also be referred to as a trusted chip, which is not limited in this application.
In the following, the embodiment of the present application will be described by taking the first server 410 as the trusted third party server 410, the second server 420 as the chip manufacturer server 420, and the first device 430 as the trusted device 430, but this is not a limitation to the embodiment of the present application.
The chip manufacturer server 420 and the trusted third party server 410 can each act as an issuing authority for the attestation key of the trusted device 430. The chip manufacturer server 420 and the trusted third party server 410 each possess a master public/secret key pair, and their master public keys together constitute a federated master public key. In the remote issuing of the attestation key, the trusted third party server 410 and the chip manufacturer server 420 may each issue a partial attestation key for the trusted device 430 using their respective master keys, and the trusted device 430 aggregates the partial attestation keys to generate the complete attestation key. In the remote attestation protocol, the verification device 440 verifies the validity of the attestation key using the federated master public key.
It should be noted that in the system shown in fig. 4, the number of trusted third party servers 410 may be at least one, for example one, two, or more, which is not limited in this embodiment of the present application. When there are two or more trusted third party servers 410, each of them possesses a different master public/secret key pair, can generate a partial attestation key according to its own master key, and sends that partial attestation key to the trusted device 430. The trusted device 430 may generate the complete attestation key from the partial attestation keys sent by the at least two trusted third party servers 410 and the partial attestation key sent by the chip manufacturer server 420. Additionally, the federated master public key used by the verification device 440 for remote attestation may be determined from the master public keys of the at least two trusted third party servers 410 and the master public key of the chip manufacturer server 420.
Therefore, in the embodiment of the application, the trusted third party server trusted by at least one user (i.e., a prover and a verifier) and the chip manufacturer server jointly generate the authentication key, so that the trust of the user can be dispersed to multiple parties, and any single party (e.g., the chip manufacturer or any trusted third party) cannot generate or know the authentication key of the user, and therefore, the embodiment of the application can realize that the user does not need to completely trust the chip manufacturer in the process of remote attestation.
It should be understood that the following embodiments will be described primarily based on the inclusion of a trusted third party server in the remote attestation system. When two or more trusted third party servers are included in the system, the specific implementation thereof may refer to the related description of the system including one trusted third party server, and some simple adaptations may be required, but are also within the scope of the embodiments of the present application.
Fig. 5 shows a schematic flow chart of a method 500 of remote attestation provided herein. The method 500 may be applied to the system shown in fig. 4. As shown in fig. 5, method 500 includes steps 510 through 550.
510, the trusted third party server sends a first partial attestation private key to the trusted device 430 based on the first master key A-MSK1.
Illustratively, the trusted third party server 410 may possess a first master public/secret key pair (A-MPK1/A-MSK1). The trusted third party server 410 may generate a first partial attestation key, denoted A-key1, from A-MSK1 and send A-key1 to the trusted device 430.
520, the chip manufacturer server sends a second partial attestation private key to the trusted device 430 based on the second master key A-MSK2.
Illustratively, the chip manufacturer server 420 may possess a second master public/secret key pair (A-MPK2/A-MSK2). The chip manufacturer server 420 may generate a second partial attestation key, denoted A-key2, from A-MSK2 and send A-key2 to the trusted device 430.
530, the trusted device generates an attestation private key from the first partial attestation private key and the second partial attestation private key.
Illustratively, after the trusted device 430 receives A-key1 and A-key2, it may aggregate A-key1 and A-key2 to generate the complete attestation key, denoted A-key.
540, the trusted device generates an anonymous signature based on the attestation private key.
Illustratively, after the trusted device 430 obtains A-key, its remote authentication module may anonymously sign a message using A-key, producing an anonymous signature. Illustratively, the message may consist of random challenge information received from the verification device and a platform integrity measurement value obtained from the integrity measurement module.
550, the verification device 440 verifies the anonymous signature based on the federated master public key.
In some possible implementations, the verification device 440 may obtain A-MPK1 from the trusted third party server 410 (e.g., from a public directory), obtain A-MPK2 from the chip manufacturer server 420 (e.g., from a public directory), and generate the federated master public key A-MPK from A-MPK1 and A-MPK2.
In some possible implementations, the trusted third party server 410 or the chip manufacturer server 420 may generate the federated master public key A-MPK from A-MPK1 and A-MPK2, and the verification device 440 may obtain A-MPK from the trusted third party server 410 or the chip manufacturer server 420 (e.g., from a public directory). After obtaining the federated master public key A-MPK, the verification device 440 may verify the received anonymous signature using A-MPK.
Therefore, in the embodiment of the application, the trusted third party server trusted by at least one user (i.e., a prover and a verification device) and the chip manufacturer server jointly generate the authentication key, so that the trust of the user can be dispersed to multiple parties, and any single party (e.g., the chip manufacturer or any trusted third party) cannot generate or know the authentication key of the user, and therefore, the embodiment of the application can realize that the user does not need to completely trust the chip manufacturer in the process of remote attestation.
In some alternative embodiments, the trusted third party server 410 may use a first public/private key pair of the trusted third party server 410 for identity authentication, the chip manufacturer server 420 may use a second public/private key pair of the chip manufacturer server 420 for identity authentication, and the trusted device 430 may use its endorsement key for mutual authentication with them and for establishing a secure channel. The endorsement key is a public/private key pair in one-to-one correspondence with the trusted device and is used to authenticate the identity of the trusted device. Illustratively, the secure channel may be used to transmit a partial attestation key.
Accordingly, embodiments of the present application can facilitate more secure data transfer between the trusted third party server 410, the chip manufacturer server 420, and the trusted device 430 by establishing a secure channel between the trusted third party server 410, the chip manufacturer server 420, and the trusted device 430.
As an example, the public/private key pair for identity authentication of the trusted third party server 410 may be denoted ID-PK1/ID-SK1, and the public/private key pair for identity authentication of the chip manufacturer server 420 may be denoted ID-PK2/ID-SK2. In some possible implementations, the chip manufacturer server 420 may pre-set the identity public keys of itself and of the trusted third party server, i.e., ID-PK1 and ID-PK2, together with the endorsement key of the trusted device 430, in the trusted device 430 during its production. The trusted device 430 may then perform authentication and key exchange with the trusted third party server 410 and the chip manufacturer server 420, respectively, using the endorsement key to establish the respective secure channels.
In some embodiments, trusted third party server 410 and chip manufacturer server 420 may assign a leaf node to trusted device 430 (e.g., by negotiating) on a known binary tree (binary tree), where each node in the binary tree represents key material. In this way, the trusted third party server 410 and the chip manufacturer server 420 may determine, according to the key material of all nodes on the path from the root node of the binary tree to the leaf node and the master key of the trusted third party server and the chip manufacturer server, the partial authentication key generated for the trusted device 430 corresponding to the leaf node.
Illustratively, for the trusted device 430, assume that its ID is its user name, and that the path from the leaf node corresponding to this trusted device 430 to the root node of the binary tree is $\{u_0, u_1, \dots, u_l\}$, where the subscript $l$ denotes the number of nodes on the path and is a positive integer. The trusted third party server 410 and the chip manufacturer server 420 may then each sign the pairs $(ID, u_j)_{j=0\dots l}$ according to their respective master keys (for example, the trusted third party server according to A-MSK1 and the chip manufacturer server 420 according to A-MSK2) and issue the signatures to the trusted device 430 as partial attestation keys, where $j$ ranges over $0, \dots, l$. The attestation key that the trusted device 430 generates from the partial attestation key sent by the trusted third party server 410 and the partial attestation key sent by the chip manufacturer server 420 has size $O(\log N)$.
Alternatively, when some trusted devices have been revoked, the trusted third party server 410 and/or the chip manufacturer server 420 may determine the valid nodes of the binary tree according to the complete subtree method (SM) algorithm. The output CS(RU, BT) of the SM algorithm is the set of root nodes of all subtrees formed by the remaining valid nodes of the binary tree after some leaf nodes have been revoked, where BT denotes the binary tree and RU denotes the set of chips revoked in the binary tree. In some possible implementations, the leaf nodes revoked in a time period t (or period t), as well as the remaining valid nodes, may be counted per period.
Illustratively, fig. 6 shows an example of the SM algorithm. Referring to fig. 6, after leaf node 1 and leaf node 3 in the binary tree are revoked, all nodes on the path from each revoked leaf node to the root node become invalid nodes (the nodes marked with an "X" in fig. 6). The remaining valid leaf nodes in the binary tree are then leaf node 2, leaf node 4, leaf node 5, and leaf node 6. For the binary tree in fig. 6, CS(RU, BT) consists of the nodes marked with "√" in fig. 6, namely leaf node 2, leaf node 4, and node 7.
After CS(RU, BT) has been output by the SM algorithm, a revocation list (RL) for the binary tree may be determined; for example, a revocation list corresponding to time period t may be determined. Each item in the revocation list is a signature on a pair $(t, u'_j)$, where $u'_j \in \{u'_1, u'_2, \dots, u'_v\}$, $\{u'_1, u'_2, \dots, u'_v\}$ is the output of the SM algorithm, and $v$ is the number of nodes output by the SM algorithm, a positive integer.
Illustratively, the trusted third party server 410 and the chip manufacturer server 420 may each generate, from their respective master keys (the trusted third party server from A-MSK1 and the chip manufacturer server 420 from A-MSK2), a partial signature on $(t, u'_j)$. The trusted third party server 410 and/or the chip manufacturer server 420 may then aggregate the partial signature on $(t, u'_j)$ generated by the trusted third party server 410 and the partial signature on $(t, u'_j)$ generated by the chip manufacturer server 420 into a complete signature on $(t, u'_j)$, thereby generating the revocation list. In some embodiments, the revocation list may be published by the trusted third party server 410 and/or the chip manufacturer server 420 so that the trusted devices corresponding to the leaf nodes of the binary tree can obtain it.
As one possible scenario, when the trusted device 430 has not been revoked within time period t, there exists a node u that lies both on the path from the leaf node corresponding to the trusted device 430 to the root node of the binary tree and in the output CS(RU, BT) of the SM algorithm, i.e., $u \in \{u_0, u_1, \dots, u_l\} \cap \{u'_1, u'_2, \dots, u'_v\}$. The trusted device 430 can then prove in zero knowledge that it holds a signature on (ID, u) and a signature on (t, u'), and that u = u'.
In the other possible scenario, when the trusted device 430 has been revoked within time period t, the output CS(RU, BT) of the SM algorithm necessarily contains no node on the path from the leaf node corresponding to the trusted device 430 to the root node. In that case the trusted device 430 does not possess a signature on (t, u').
Therefore, the application provides a chip revocation mechanism, and a trusted third party server and a chip manufacturer server can jointly generate a revocation list so as to jointly complete the revocation of the chip.
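The following is an added illustration of the complete subtree method and the two scenarios above; it is not code from the patent. It numbers tree nodes in heap order (root = 1, children of n are 2n and 2n+1), which is an assumption of this example, and represents the signatures on (ID, u_j) and (t, u'_j) only by the node ids they would cover; the sample tree, revoked leaves and period value are constructed.

```python
"""Complete subtree method CS(RU, BT) over the device binary tree (added example).

Models the binary tree whose leaves are assigned to trusted devices, computes
CS(RU, BT) for a set RU of revoked leaves, and checks that a non-revoked device
finds exactly one node u lying both on its leaf-to-root path {u_0, ..., u_l}
and in CS(RU, BT) = {u'_1, ..., u'_v}, while a revoked device finds none.
Node numbering is heap order (root = 1, children of n are 2n, 2n+1): an
assumption of this example, not something the patent specifies.
"""
from typing import FrozenSet, List, NamedTuple, Optional, Set


def leaf_node(index: int, depth: int) -> int:
    """Heap-order id of the leaf with 0-based index `index` in a full tree of `depth`."""
    if not 0 <= index < (1 << depth):
        raise ValueError("leaf index out of range")
    return (1 << depth) + index


def path_to_root(node: int) -> List[int]:
    """Nodes on the path from `node` up to the root, i.e. {u_0, u_1, ..., u_l}."""
    path: List[int] = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path


def complete_subtree(revoked_leaves: Set[int], depth: int) -> FrozenSet[int]:
    """CS(RU, BT): roots of all maximal subtrees that contain no revoked leaf.

    Every node on the path from a revoked leaf to the root becomes invalid
    (the "X" nodes of fig. 6). A valid node whose parent is invalid, or a
    valid root, is the root of one maximal untouched subtree and is output.
    """
    invalid: Set[int] = set()
    for leaf in revoked_leaves:
        invalid.update(path_to_root(leaf))
    last_node = (1 << (depth + 1)) - 1  # largest id in a full tree of this depth
    output: Set[int] = set()
    for node in range(1, last_node + 1):
        if node in invalid:
            continue
        if node == 1 or (node // 2) in invalid:
            output.add(node)
    return frozenset(output)


class RevocationList(NamedTuple):
    """RL_t: the period t and the node ids u'_j that would carry a (t, u'_j) signature."""
    period: int
    nodes: FrozenSet[int]


def revocation_list(period: int, revoked_leaves: Set[int], depth: int) -> RevocationList:
    """Build RL_t for `period` from the revoked leaves, via CS(RU, BT)."""
    return RevocationList(period, complete_subtree(revoked_leaves, depth))


def attestable_node(leaf_index: int, depth: int, rl: RevocationList) -> Optional[int]:
    """Node u in {u_0..u_l} ∩ {u'_1..u'_v}, or None when the device is revoked in period t.

    A non-revoked device has exactly one such node (the root of the maximal
    untouched subtree containing its leaf); a revoked device has none, so it
    holds no (t, u') signature that matches any of its (ID, u_j) signatures.
    """
    path = path_to_root(leaf_node(leaf_index, depth))
    matches = [u for u in path if u in rl.nodes]
    assert len(matches) <= 1, "nodes of CS(RU, BT) root disjoint subtrees"
    return matches[0] if matches else None


def verifier_accepts(leaf_index: int, depth: int, rl: RevocationList) -> bool:
    """The revocation part of the check: some u on the path equals some u' in RL_t."""
    return attestable_node(leaf_index, depth, rl) is not None


if __name__ == "__main__":
    # Constructed sample: depth 3 (8 devices), period t = 7, leaves 1 and 3 revoked.
    DEPTH, PERIOD = 3, 7
    revoked = {leaf_node(1, DEPTH), leaf_node(3, DEPTH)}
    rl = revocation_list(PERIOD, revoked, DEPTH)
    print("CS(RU, BT) =", sorted(rl.nodes))  # prints [3, 8, 10]
    for idx in range(1 << DEPTH):
        print(f"device {idx}: path {path_to_root(leaf_node(idx, DEPTH))}"
              f" -> u = {attestable_node(idx, DEPTH, rl)}")
    # One (ID, u_j) signature per path node: the attestation key has O(log N) entries.
    assert len(path_to_root(leaf_node(0, DEPTH))) == DEPTH + 1
```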
In some embodiments, the signatures on the pairs $(ID, u_j)_{j=0\dots l}$ and on the pair $(t, u'_j)$ may be BBS+ signatures, or they may be LMPY (Libert-Mouhartem-Peters-Yung) signatures, but the embodiments of the present application are not limited thereto.
Next, two specific examples provided by the embodiments of the present application are described. In example one, the signatures on $(ID, u_j)_{j=0\dots l}$ and on $(t, u'_j)$ are described taking BBS+ signatures as an example, and in example two they are described taking LMPY signatures as an example.
It should be noted that the following examples are merely intended to aid those skilled in the art in understanding and enabling the embodiments of the present invention, and are not intended to limit the scope of the embodiments of the present application. Equivalent alterations and modifications may be effected by those skilled in the art in light of the examples set forth herein, and such alterations and modifications are intended to be within the scope of the embodiments of the application.
Example 1
For ease of understanding, before describing example one, the algorithms related to the BBS+ signature are first introduced. The BBS+ signature algorithms are as follows:
Key generation function $\mathrm{KeyGen}(1^\lambda)$: select a bilinear pairing $cp = (e: G_1 \times G_2 \to G_T, p)$, where $G_1, G_2$ are elliptic-curve groups of prime order $p$ and $G_T$ is an integer multiplicative group of prime order $p$. Select $a, b, d \leftarrow_R G_1$ and $h \leftarrow_R G_2$, select a random number $\omega \leftarrow_R Z_p^*$ and compute $W = h^\omega$. The public key is $vk = (cp, a, b, d, h, W)$ and the private key is $sk = \omega$.
Signature function $\mathrm{Sign}(sk, m \in Z_p^*)$: select random numbers $x, s \leftarrow_R Z_p^*$ and compute $A = (a^m b^s d)^{1/(x+\omega)}$. The signature on message $m$ is $\sigma := (A, x, s)$.
Verification function $\mathrm{Verify}(vk, \sigma = (A, x, s), m)$: if $e(A, h^x \cdot W) = e(a^m b^s d, h) = e(a, h)^m \cdot e(b, h)^s \cdot e(d, h)$, accept (i.e., consider the signature correct); otherwise reject (i.e., consider the signature incorrect).
Note that the above is the construction for signing a single message $m$. The construction can be extended to multiple messages $m_1, m_2, \dots, m_l$, i.e.
[equation image omitted]
In this application, BBS+ signatures are needed on pairs of messages, e.g. a BBS+ signature on $(ID, u_j)$ or a BBS+ signature on $(t, u')$.
In effect, a user holding a BBS+ signature $\sigma = (A, x, s)$ on message $m$ can prove with a zero-knowledge proof that they know such a signature, revealing neither $m$ nor $\sigma$ to the verifier.
Illustratively, let $\sigma = (A, x, s)$ be a BBS+ signature on message $m$, and let $T = A \cdot b^r$ with $r \leftarrow_R Z_p^*$. The following derivation can be made:

$$
\begin{aligned}
e(T, h^x \cdot W) &= e(T, h)^x \cdot e(T, W) \\
&= e(A, h^x \cdot W) \cdot e(b^r, h^x \cdot W) \\
&= e(a, h)^m \cdot e(b, h)^s \cdot e(d, h) \cdot e(b, h)^{r \cdot x} \cdot e(b, W)^r \\
&= e(a, h)^m \cdot e(b, h)^{s + r \cdot x} \cdot e(d, h) \cdot e(b, W)^r
\end{aligned}
$$

So, $e(T, W) / e(d, h) = e(T, h)^{-x} \cdot e(a, h)^m \cdot e(b, h)^{s + r \cdot x} \cdot e(b, W)^r$.

Let $k = s + r \cdot x$; the zero-knowledge proof of knowledge of $(m, \sigma = (A, x, s))$ is $PoK\{(x, m, k, r) : e(T, W) / e(d, h) = e(T, h)^{-x} \cdot e(a, h)^m \cdot e(b, h)^k \cdot e(b, W)^r\}$.
In the following, a method of remote attestation in example one is described, which includes four processes of initialization, authentication key distribution, chip revocation, and remote attestation. These four processes are described in detail below, respectively.
In the initialization stage, the trusted third party server and the chip manufacturer server respectively obtain a public/private key pair and a master public/master key pair for identity authentication, and the trusted device obtains an endorsement key of the trusted device.
Illustratively, the trusted third party server generates ID-PK1/ID-SK1 and the chip manufacturer server generates ID-PK2/ID-SK2.
For example, the trusted third party server may set the master public/master key pair to A-MPK1/A-MSK1 and the chip manufacturer server may set the master public/master key pair to A-MPK2/A-MSK2.
As one example, the trusted third party server and the chip manufacturer server may jointly determine $cp = (e: G_1 \times G_2 \to G_T, p)$, where $G_1, G_2$ are elliptic-curve groups of prime order $p$ and $G_T$ is an integer multiplicative group of prime order $p$. The trusted third party server selects $a_1, a_2, b, d \leftarrow_R G_1$ and $h \leftarrow_R G_2$, and the chip manufacturer server selects $a'_1, a'_2, b', d' \leftarrow_R G_1$ and $h' \leftarrow_R G_2$, where $a_1, a_2, b, d, h, a'_1, a'_2, b', d', h'$ [remainder of this sentence is missing in the source]. The trusted third party server then chooses random numbers $(\omega_1, \omega'_1 \leftarrow_R Z_p^*)$ and computes
[equation image omitted]
The chip manufacturer server selects random numbers $(\omega_2, \omega'_2 \leftarrow_R Z_p^*)$ and computes
[equation image omitted]
The trusted third party server then sets A-MSK1 $= (\omega_1, \omega'_1)$ and the chip manufacturer server sets A-MSK2 $= (\omega_2, \omega'_2)$. At this point, the federated master public key A-MPK is $(cp, a_1, a_2, b, d, h, a'_1, a'_2, b', d', h',$
[equation image omitted]
$)$.
For example, the trusted device may generate the endorsement key itself, or the chip manufacturer may provision the endorsement key in the trusted device when producing it; this is not limited in this embodiment of the present application.
In the attestation key distribution stage, the trusted third party server and the chip manufacturer server each distribute a partial attestation key to the trusted device.
In some embodiments, the trusted device may use its endorsement key and the trusted third party server may use ID-PK1/ID-SK1 to perform mutual authentication and key exchange, establishing a secure channel between the trusted device and the trusted third party server. Likewise, the trusted device may use its endorsement key and the chip manufacturer server may use ID-PK2/ID-SK2 to perform mutual authentication and key exchange, establishing a secure channel between the trusted device and the chip manufacturer server. Illustratively, the secure channels may be used to transmit the partial attestation keys.
Through the key exchange, the trusted third party server or the chip manufacturer server obtains the encryption key used to encrypt its partial attestation key. In some possible implementations, the encryption key used to encrypt the partial attestation key may be derived from the endorsement key of the trusted device.
In some embodiments, when the trusted device (which may be denoted $u$) has not yet been registered, the trusted third party server and the chip manufacturer server may assign a leaf node of the binary tree to the trusted device $u$ and assign it an index value $indx \in Z_p^*$. The path from the leaf node of the trusted device $u$ to the root node can then be determined and is denoted $\mathrm{Path}(indx)$.
For each node $u_j$ on the path from the leaf node of the trusted device $u$ to the root node, i.e. $u_j \in \mathrm{Path}(indx)$, the trusted third party server and the chip manufacturer server may collaborate to generate a BBS+ signature on the pair $(u, u_j)$. Illustratively, $u$ may be the ID of the trusted device.
An example of generating the BBS+ signature on the pair $(u, u_j)$ is shown below.
First, the trusted third party server may generate a temporary additively homomorphic encryption (additive homomorphic encryption) scheme $HE^+()$, select a random number
[equation image omitted]
compute the encrypted information
[equation image omitted]
and send it to the chip manufacturer server.
Then, the chip manufacturer server selects a random number
[equation image omitted]
computes
[equation image omitted]
[equation image omitted]
and sends them to the trusted third party server, where $c_2$ is encrypted information.
The trusted third party server then decrypts $c_2$, selects a random number
[equation image omitted]
and computes
[equation image omitted]
[equation image omitted]
The trusted third party server then sends the BBS+ signature
[equation image omitted]
to the trusted device, while the chip manufacturer server sends
[equation image omitted]
to the trusted device.
The trusted device then computes
[equation image omitted]
$s_j = s_{j1} + s_{j2}$ and $x_j = x_{j1} + x_{j2}$, obtaining the attestation key of the trusted device $u$ as
[equation image omitted]
i.e. the set of BBS+ signatures on $(u, u_j)$ for each node $u_j$ in $\mathrm{Path}(indx)$.
In this way, through the temporary additively homomorphic encryption algorithm, the trusted third party server can allow the chip manufacturer server to compute on its secret information (i.e., the information related to the trusted third party server's generation of its partial attestation key, such as the partial attestation key and random numbers) and obtain the corresponding result, while the privacy of that secret information is preserved.
Alternatively, in some embodiments, the chip manufacturer server may send encrypted information $c_3$ for the pair $(u_l, u_j)$ to the trusted third party server according to A-MSK2 and the temporary additively homomorphic encryption algorithm. The trusted third party server then generates encrypted information $c_4$ according to the encrypted information $c_3$ and A-MSK1; the chip manufacturer server receives the encrypted information $c_4$ sent by the trusted third party server and decrypts $c_4$ to generate the BBS+ signature on the pair $(u_l, u_j)$.
In this way, through the temporary additively homomorphic encryption algorithm, the chip manufacturer server can allow the trusted third party server to compute on its secret information (i.e., the information related to the chip manufacturer server's generation of its partial attestation key, such as the partial attestation key and random numbers) and obtain the corresponding result, while the privacy of that secret information is preserved.
In the chip revocation phase, the trusted third party server and the chip manufacturer server run $R \leftarrow CS(RU, BT)$. For each $u_j \in R$, the trusted third party server and the chip manufacturer server interactively generate a BBS+ signature $(A'_j, s'_j, x'_j)$ on the pair $(t, u_j)$. Illustratively, the trusted third party server may generate, according to A-MSK1, a partial BBS+ signature on $(t, u_j)$ for each $u_j \in R$, and the chip manufacturer server may generate, according to A-MSK2, a partial BBS+ signature on $(t, u_j)$ for each $u_j \in R$. From these two partial BBS+ signatures the trusted third party server and the chip manufacturer server can then determine the revocation list $RL_t$ for time period $t$. Illustratively,
[equation image omitted]
[equation image omitted]
i.e. the revocation list contains, for each $u_j$, the BBS+ signature $(A'_j, s'_j, x'_j)$ on the pair $(t, u_j)$. The generation of $(A'_j, s'_j, x'_j)$ is similar to the generation of the BBS+ signature on $(u, u_j)$ described above and is not repeated here.
In the remote attestation phase, the trusted device $u$ can prove in zero knowledge that it knows a BBS+ signature on $(u, u_j)$ and a BBS+ signature on $(t, u_j)$. The procedure can be as follows.
First, the verification device sends random challenge information Chal to the trusted device $u$.
The trusted device then selects
[equation image omitted]
obtains from $sk_u$ the BBS+ signature $(A, s, x)$ on the pair
[equation image omitted]
and from $RL_t$ the BBS+ signature $(A', s', x')$ on the pair
[equation image omitted]
Illustratively, the trusted third party server or the chip manufacturer server may publish the revocation list $RL_t$, and the trusted device may obtain from $RL_t$ as needed the BBS+ signature $(A', s', x')$ on the pair
[equation image omitted]
The trusted device then performs the following calculations:
select $r, r' \leftarrow_R Z_p^*$ and compute $T = A \cdot b^r$, $T' = A' \cdot b'^{r'}$;
compute the NIZK (non-interactive zero-knowledge) signature $\psi$ on Chal and the platform integrity measurement IntM as shown in the following equation:
[equation image omitted]
and return $(T, T', \psi)$ to the verification device.
Then, the verification device verifies validity using the federated master public key A-MPK.
Therefore, in this embodiment of the present application, after obtaining the attestation private key, the trusted device may determine a node that belongs both to the path from the leaf node corresponding to the trusted device to the root node of the binary tree and to the output CS(RU, BT) of the SM algorithm, obtain from the attestation private key the signature on the pair
[equation image omitted]
and obtain from the revocation list the signature on the pair
[equation image omitted]
and then, according to the signature on the pair
[equation image omitted]
and the signature on the pair
[equation image omitted]
determine the zero-knowledge signature on the random challenge information and the platform integrity measurement, so that the verification device can verify the system integrity of the trusted chip according to the zero-knowledge signature.
Example two
For ease of understanding, before describing example two, the algorithms related to the LMPY signature are first introduced. The LMPY signature scheme uses a quasi-adaptive non-interactive zero-knowledge (QA-NIZK) argument for linear subspaces.
A QA-NIZK argument for linear subspaces proves that a vector $v = (v_1, v_2, \dots, v_n)$ is a linear combination of the row vectors of a matrix $M = (M_{i,j})_{i \in [1,t], j \in [1,n]}$.
Let $cp = (e: G_1 \times G_2 \to G_T)$, where $G_1, G_2$ are elliptic-curve groups of prime order $p$ and $G_T$ is an integer multiplicative group of prime order $p$. The QA-NIZK argument for linear subspaces consists of the following functions:
Key generation function $\mathrm{QA.KeyGen}(cp, M)$: let $M = (M_{i,j})_{i \in [1,t], j \in [1,n]} \in G_1^{t \times n}$. Select $h \leftarrow_R G_2$ and a trapdoor $tk = (x_1, \dots, x_n) \leftarrow_R Z_p^n$. Compute
[equation image omitted]
for $j \in [1, n]$, and
[equation image omitted]
for $i \in [1, t]$. The function outputs a common reference string
[equation image omitted]
and the trapdoor $tk \in Z_p^n$.
Proving function $\mathrm{QA.Prove}(crs, v, \{\omega_i\}_{i=1}^t)$: let
[equation image omitted]
The function outputs a proof
[equation image omitted]
that $v$ is a linear combination of the row vectors of $M$.
Verification function $\mathrm{QA.Verify}(crs, v, \pi)$: if $1_{G_T} = e(\pi, h) \cdot$
[equation image omitted]
then output 1, otherwise output 0.
The correlation algorithm for the LMPY signature is described below.
Key generation function $\mathrm{KeyGen}(\lambda, l)$: select $cp = (e: G_1 \times G_2 \to G_T, p)$, $g \leftarrow_R G_1$ and $h \leftarrow_R G_2$. Select $\omega, a \leftarrow_R Z_p^*$ and let $\alpha = g^a$, $\Omega = \alpha^\omega$. Select $\eta = (\eta_1, \eta_2, \dots, \eta_l, w) \leftarrow_R G_1^{l+1}$. For $g \in G_1$ and the identity matrix $I_{l+1}$, we write $g^{I_{l+1}}$ for the $(l+1) \times (l+1)$ matrix whose diagonal elements are $g$ and whose other elements are
[equation image omitted]
Let
[equation image omitted]
Set the matrix $M \in G_1^{(l+2) \times (2l+4)}$ as:
[equation image omitted]
By running $\mathrm{QA.KeyGen}(cp, M)$, $crs = (\{z_i\}_{i=1..l+2}, h, \{h_j\}_{j=1..2l+4})$ and $tk \in Z_p^{2l+4}$ are obtained. The signing private key $sk = \omega$ and the public key $vk = (cp, g, \alpha, h, \eta, \Omega, crs)$ are then output.
Signature function $\mathrm{Sign}(sk, m = (m_1, m_2, \dots, m_l))$: select $s \leftarrow_R Z_p^*$ and compute $\sigma_1 = g^\omega (\eta_1^{m_1} \eta_2^{m_2} \cdots \eta_l^{m_l} w)^s$, $\sigma_2 = g^s$, $\sigma_3 = \alpha^s$. Let $v = (\sigma_1, \sigma_2^{m_1}, \sigma_2^{m_2}, \dots, \sigma_2^{m_l}, \sigma_2, \sigma_3^{m_1}, \sigma_3^{m_2}, \dots, \sigma_3^{m_l}, \sigma_3, \Omega) \in G_1^{2l+4}$. Run $\mathrm{QA.Prove}(crs, v, (\omega, s \cdot m_1, s \cdot m_2, \dots, s \cdot m_l, s)) = \pi = z_1^\omega (z_2^{m_1} \cdots z_{l+1}^{m_l} z_{l+2})^s$. Output $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$.
Verification function $\mathrm{Verify}(vk, \sigma, m)$: if
[equation image omitted]
[equation image omitted]
then output 1, otherwise output 0.
Next, the remote attestation method of the second embodiment is described. It comprises four processes: initialization, attestation key distribution, chip revocation, and remote attestation. Each is described in detail below.
In the initialization stage, the trusted third party server and the chip manufacturer server each obtain a public/private key pair for identity authentication and a master public key/master key pair, and the trusted device obtains its endorsement key.
For example, the trusted third party server generates ID-PK1/ID-SK1 and the chip manufacturer server generates ID-PK2/ID-SK2.
For example, the trusted third party server may set the master public/master key pair to A-MPK1/A-MSK1 and the chip manufacturer server may set the master public/master key pair to A-MPK2/A-MSK2.
As one example, the trusted third party server and the chip manufacturer server can jointly determine $cp = (e: G_1 \times G_2 \to G_T, p)$, where $G_1, G_2$ are elliptic curve groups of prime order $p$ and $G_T$ is a multiplicative group of integers of prime order $p$. The trusted third party server selects $b, g \leftarrow_R G_1$, $h \leftarrow_R G_2$, and the chip manufacturer server selects $b', g' \leftarrow_R G_1$, $h' \leftarrow_R G_2$. The trusted third party server and the chip manufacturer server then determine a hash function $H: \{0,1\}^{*} \to \mathbb{Z}_p^{*}$. They then jointly generate two sets of public key pairs for generating LMPY signatures. The process of generating the public key pairs is as follows:
First, the trusted third party server and the chip manufacturer server jointly select $\eta = (\eta_1, \eta_2, w) \leftarrow_R G_1^{3}$ and $\eta' = (\eta'_1, \eta'_2, w') \leftarrow_R G_1^{3}$.
Then the trusted third party server selects $\omega_1, \omega'_1, a_1, a'_1 \leftarrow_R \mathbb{Z}_p^{*}$, the chip manufacturer server selects $\omega_2, \omega'_2, a_2, a'_2 \leftarrow_R \mathbb{Z}_p^{*}$, and through DH (Diffie-Hellman key exchange) they compute
Figure GDA0003905859670000213
And
Figure GDA0003905859670000214
the trusted third party server then calculates
Figure GDA0003905859670000215
The chip manufacturer server computes
Figure GDA0003905859670000216
Figure GDA0003905859670000217
For example, the trusted third party server and/or the chip manufacturer server may compute, through DH (Diffie-Hellman key exchange),
Figure GDA0003905859670000218
And
Figure GDA0003905859670000219
For the LMPY signature scheme, the trusted third party server and/or the chip manufacturer server may take $l = 2$ and the matrices $M$ and $M'$ as:
Figure GDA00039058596700002110
Figure GDA00039058596700002111
The trusted third party server and the chip manufacturer server jointly run QA.KeyGen$(cp, M)$ and QA.KeyGen$(cp, M')$ through simple interaction to obtain $crs = (\{z_i\}_{i=1..4}, h, \{h_j\}_{j=1..8})$ and $crs' = (\{z'_i\}_{i=1..4}, h', \{h'_j\}_{j=1..8})$.
The trusted third party server then sets A-MSK1 $= (\omega_1, \omega'_1)$ and the chip manufacturer server sets A-MSK2 $= (\omega_2, \omega'_2)$. The joint master public key A-MPK is then
Figure GDA0003905859670000221
Figure GDA0003905859670000222
For example, the trusted device may generate the endorsement key itself, or the chip manufacturer may provision the endorsement key into the trusted device when manufacturing it; this is not limited in this embodiment of the application.
In the attestation key distribution stage, the trusted third party server and the chip manufacturer server each distribute their partial attestation key to the trusted device.
In some embodiments, the trusted device uses its endorsement key and the trusted third party server uses ID-PK1/ID-SK1 to perform mutual authentication and key exchange, establishing a secure channel between the trusted device and the trusted third party server. Likewise, the trusted device uses its endorsement key and the chip manufacturer server uses ID-PK2/ID-SK2 to perform mutual authentication and key exchange, establishing a secure channel between the trusted device and the chip manufacturer server. For example, the secure channels may be used to transmit the partial attestation keys.
Through the key exchange, the trusted third party server or the chip manufacturer server obtains an encryption key for encrypting its partial attestation key. In some possible implementations, the encryption key used to encrypt the partial attestation key may be derived from the endorsement key of the trusted device.
In some embodiments, when a trusted device (e.g., $u$) has not yet been registered, the trusted third party server and the chip manufacturer server may assign a leaf node of a binary tree to the trusted device $u$ and assign it an index value $indx \in \mathbb{Z}_p^{*}$. The path from the leaf node of the trusted device $u$ to the root node can then be determined; it is denoted Path(indx).
For each node $u_j$ on the path from the leaf node of the trusted device $u$ to the root node, i.e. $u_j \in$ Path(indx), the trusted third party server and the chip manufacturer server may collaborate to generate an LMPY signature on the pair $(u, u_j)$. For example, $u$ may be the ID of the trusted device.
An example of generating the LMPY signature on the pair $(u, u_j)$ is shown below.
First, the trusted third party server selects $s_{j1} \leftarrow_R \mathbb{Z}_p^{*}$ and, according to $\omega_1$, computes
Figure GDA0003905859670000223
Figure GDA0003905859670000224
The chip manufacturer server selects $s_{j2} \leftarrow_R \mathbb{Z}_p^{*}$ and, according to $\omega_2$, computes
Figure GDA0003905859670000225
and
Figure GDA0003905859670000226
The trusted third party server then sends
Figure GDA0003905859670000227
to the trusted device, and the chip manufacturer server sends
Figure GDA0003905859670000228
To the trusted device.
The trusted device then calculates
Figure GDA0003905859670000229
and obtains the attestation key of the trusted device $u$ as
Figure GDA00039058596700002210
i.e. a set of LMPY signatures, one on $(u, u_j)$ for each node $u_j$ in Path(indx).
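As an added example (not code from the patent), the following Python simulates the QA-NIZK (QA.KeyGen/Prove/Verify) and LMPY (KeyGen/Sign/Verify) algorithms described earlier, together with the two-server partial signing of the pair $(u, u_j)$ in this stage. Every group element is represented by its discrete logarithm modulo a constructed prime P, so multiplication becomes addition of logs, exponentiation becomes multiplication and the pairing $e(g^x, h^y)$ becomes $x \cdot y \bmod P$: this checks the algebra of the equations, not their security. Assumptions: the matrix $M$ is laid out to match the vector $v$ given in Sign(), the two partial signatures combine multiplicatively with $\omega = \omega_1 + \omega_2$ and $s = s_{j1} + s_{j2}$ (the figures giving the exact formulas are not in the text), and all function names are this example's own.

```python
import secrets

P = 2**127 - 1   # constructed prime standing in for the group order p

def rand_zp():
    """Uniform element of Z_p^* (the ' <-_R Z_p^* ' steps of the text)."""
    return secrets.randbelow(P - 1) + 1

def pair(x, y):
    """Pairing in log form: e(g^x, h^y) = e(g, h)^(x*y)."""
    return x * y % P

def qa_keygen(M):
    """QA.KeyGen(cp, M) for M in G1^{t x n}: crs = ({z_i}, h, {h_j}), tk in Z_p^n."""
    t, n = len(M), len(M[0])
    tk = [rand_zp() for _ in range(n)]                 # trapdoor chi_1..chi_n
    h = rand_zp()                                      # h <-_R G2
    hs = [h * chi % P for chi in tk]                   # h_j = h^{chi_j}
    zs = [sum(M[i][j] * tk[j] for j in range(n)) % P   # z_i = prod_j M_ij^{chi_j}
          for i in range(t)]
    return (zs, h, hs), tk

def qa_prove(crs, omegas):
    """QA.Prove for v = prod_i M_i^{omega_i}: pi = prod_i z_i^{omega_i}."""
    return sum(z * w for z, w in zip(crs[0], omegas)) % P

def qa_verify(crs, v, pi):
    """QA.Verify: 1 iff 1_GT = e(pi, h)^-1 * prod_j e(v_j, h_j)."""
    _, h, hs = crs
    return pair(pi, h) == sum(pair(vj, hj) for vj, hj in zip(v, hs)) % P

def lmpy_matrix(g, alpha, eta):
    """M in G1^{(l+2) x (2l+4)}, laid out so that the vector v of Sign() equals
    prod_i M_i^{omega_i} for omega = (omega, s*m_1..s*m_l, s); identity of G1 is g^0 = 0."""
    l, n = len(eta) - 1, 2 * len(eta) + 2
    top = [0] * n
    top[0], top[n - 1] = g, alpha       # row 1: g^omega -> sigma_1, alpha^omega -> Omega
    rows = [top]
    for i in range(l + 1):              # rows 2..l+2, exponent s*m_{i+1} (last: s)
        r = [0] * n
        r[0] = eta[i]                   # eta_{i+1} (last: w) enters sigma_1
        r[1 + i] = g                    # sigma_2^{m_{i+1}} block, last: sigma_2 = g^s
        r[l + 2 + i] = alpha            # sigma_3^{m_{i+1}} block, last: sigma_3 = alpha^s
        rows.append(r)
    return rows

def lmpy_params(l):
    """Public parameters all signers share: g, alpha = g^a, eta = (eta_1..eta_l, w), crs."""
    g, a = rand_zp(), rand_zp()
    alpha = g * a % P
    eta = [rand_zp() for _ in range(l + 1)]
    crs, _tk = qa_keygen(lmpy_matrix(g, alpha, eta))
    return {"g": g, "alpha": alpha, "eta": eta, "crs": crs}

def joint_vk(params, omega_shares):
    """Public key for sk = sum of shares: Omega = prod_k alpha^{omega_k} (one share: plain KeyGen)."""
    return dict(params, Omega=params["alpha"] * sum(omega_shares) % P)

def lmpy_sign(params, omega, m, s=None):
    """Sign(sk = omega, m) -> (sigma_1, sigma_2, sigma_3, pi); with a server's share omega_k it is a partial signature."""
    s = rand_zp() if s is None else s
    g, alpha, eta = params["g"], params["alpha"], params["eta"]
    x = (sum(e * mi for e, mi in zip(eta, m)) + eta[len(m)]) % P   # eta_1^m_1..eta_l^m_l w
    sigma1 = (g * omega + x * s) % P                                # g^omega (...)^s
    sigma2, sigma3 = g * s % P, alpha * s % P                       # g^s, alpha^s
    pi = qa_prove(params["crs"], [omega] + [s * mi % P for mi in m] + [s])
    return (sigma1, sigma2, sigma3, pi)

def lmpy_verify(vk, sigma, m):
    """Verify(vk, sigma, m): rebuild v from sigma, m and Omega, then run QA.Verify."""
    s1, s2, s3, pi = sigma
    v = ([s1] + [s2 * mi % P for mi in m] + [s2]
         + [s3 * mi % P for mi in m] + [s3, vk["Omega"]])
    return qa_verify(vk["crs"], v, pi)

def combine(partials):
    """Trusted device: componentwise product (sum of logs) of the partial signatures."""
    return tuple(sum(c) % P for c in zip(*partials))

def demo(u=1001, u_j=7):
    """Single signer, then the two-server flow, on the pair (u, u_j) with l = 2."""
    params = lmpy_params(2)
    m = [u, u_j]                                        # (u, u_j) already mapped into Z_p
    sk = rand_zp()
    vk = joint_vk(params, [sk])
    single_ok = lmpy_verify(vk, lmpy_sign(params, sk, m), m)
    bad_msg = lmpy_verify(vk, lmpy_sign(params, sk, m), [u, u_j + 1])
    omega1, omega2 = rand_zp(), rand_zp()               # A-MSK shares of the two servers
    mpk = joint_vk(params, [omega1, omega2])            # joint master public key
    part1 = lmpy_sign(params, omega1, m)                # trusted third party, s_j1 inside
    part2 = lmpy_sign(params, omega2, m)                # chip manufacturer, s_j2 inside
    return {"single": single_ok, "bad_msg": bad_msg,
            "joint": lmpy_verify(mpk, combine([part1, part2]), m),
            "partial_alone": lmpy_verify(mpk, part1, m)}
```

The last two results show what the device's combination step buys: the product of the two partial signatures verifies under the joint key, while a single server's partial signature does not.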
In the chip revocation phase, the trusted third party server and the chip manufacturer server run $R \leftarrow CS(RU, BT)$. For each $u_j \in R$, the trusted third party server and the chip manufacturer server exchange a set of LMPY signature parameters to generate an LMPY signature on the pair $(t, u_j)$
Figure GDA00039058596700002211
For example, the trusted third party server may, according to A-MSK1, generate for each $u_j \in R$ a partial LMPY signature on the pair $(t, u_j)$, and the chip manufacturer server may, according to A-MSK2, generate for each $u_j \in R$ a partial LMPY signature on the pair $(t, u_j)$. The trusted third party server and the chip manufacturer server may then determine the revocation list $RL_t$ for time period $t$ from the two partial LMPY signatures. For example,
Figure GDA00039058596700002212
i.e. the revocation list includes, for each $u_j$, the joint signature on the pair $(t, u_j)$
Figure GDA00039058596700002213
Specifically, generating
Figure GDA00039058596700002214
is similar to the way the LMPY signature on $(u, u_j)$ is generated and is not described in detail here.
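As an added example (not the patent's code), the following Python implements the binary-tree bookkeeping behind the distribution and revocation stages above, assuming the Complete Subtree method for $R \leftarrow CS(RU, BT)$ (the text's description of $R$ as the roots of the subtrees formed by the remaining valid nodes): Path(indx) from a device's leaf to the root, the computation of $R$, the pairs $(t, u_j)$ that go into $RL_t$, and the check a trusted device performs in the attestation phase to find the single node $u_j$ lying both on its path and in $R$. The heap-style node numbering and all names are this example's own.

```python
class BinaryTree:
    """Complete binary tree BT of depth d, heap-numbered: the root is 1, the
    children of node x are 2x and 2x+1, the leaves are 2^d .. 2^(d+1)-1."""

    def __init__(self, depth):
        self.depth = depth

    def leaf(self, indx):
        """Leaf node assigned to a device with index value indx (0-based here)."""
        return (1 << self.depth) + indx

    def is_leaf(self, node):
        return node >= (1 << self.depth)

    def path(self, indx):
        """Path(indx): the nodes from the device's leaf u_l up to the root u_0."""
        node, nodes = self.leaf(indx), []
        while node >= 1:
            nodes.append(node)
            node //= 2
        return nodes


def complete_subtree(ru, bt):
    """R <- CS(RU, BT) by the Complete Subtree method: the roots of the maximal
    subtrees containing no revoked leaf, i.e. the subtrees formed by the valid
    nodes once the leaves of the revoked chips RU are cut out."""
    tainted = set()                       # every ancestor of a revoked leaf
    for indx in ru:
        tainted.update(bt.path(indx))
    r, stack = set(), [1]                 # walk down from the root
    while stack:
        node = stack.pop()
        if node not in tainted:
            r.add(node)                   # whole subtree valid: cover it by its root
        elif not bt.is_leaf(node):
            stack.extend((2 * node, 2 * node + 1))
    return r


def revocation_list(t, r):
    """The pairs (t, u_j), one per u_j in R, that the two servers jointly sign into RL_t."""
    return sorted((t, u_j) for u_j in r)


def attestation_node(bt, indx, r):
    """The node u_j on Path(indx) that is also in R.  A non-revoked device has
    exactly one (the root of the subtree covering its leaf); a revoked device
    has none, because its whole path is tainted, so it holds no (t, u_j)
    signature from RL_t to present and cannot attest for period t."""
    hits = [u_j for u_j in bt.path(indx) if u_j in r]
    assert len(hits) <= 1, "CS subtrees are disjoint, so at most one hit"
    return hits[0] if hits else None


def demo():
    """Depth-3 tree (8 chips); chips with index 2 and 5 are revoked in period t = 4."""
    bt = BinaryTree(3)
    ru = {2, 5}
    r = complete_subtree(ru, bt)
    rl_t = revocation_list(4, r)
    nodes = {indx: attestation_node(bt, indx, r) for indx in range(8)}
    return r, rl_t, nodes
```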
In the remote attestation phase, the trusted device $u$ can prove in zero knowledge that it knows an LMPY signature on $(u, u_j)$ and an LMPY signature on $(t, u_j)$. The specific procedure can be as follows.
First, the verification device may send random challenge information Chal to the trusted device $u$.
The trusted device may then choose
Figure GDA0003905859670000231
and obtain, from $sk_u$, the pair
Figure GDA0003905859670000232
LMPY signature $(\sigma_1, \sigma_2, \sigma_3, \pi)$, and, from $RL_t$, the pair
Figure GDA0003905859670000233
LMPY signature $(\sigma'_1, \sigma'_2, \sigma'_3, \pi')$. For example, the trusted third party server or the chip manufacturer server may publish the revocation list $RL_t$ openly, and the trusted device may obtain from $RL_t$ as needed the pair
Figure GDA0003905859670000234
LMPY signature $(\sigma'_1, \sigma'_2, \sigma'_3, \pi')$. The trusted device then performs the following calculations:
select $s, s' \leftarrow_R \mathbb{Z}_p^{*}$ and blind the two LMPY signatures as follows:
Figure GDA0003905859670000235
Figure GDA0003905859670000236
select $r_1, r_2, r'_1, r'_2 \leftarrow_R \mathbb{Z}_p^{*}$ and perform the following calculation:
Figure GDA0003905859670000237
compute the NIZK (non-interactive zero-knowledge) signature $\psi$ over Chal and the platform integrity metric IntM as shown in the following equation:
Figure GDA0003905859670000238
return
Figure GDA0003905859670000239
to the verification device.
Then the verification device verifies the validity of the signature using the joint master public key A-MPK.
Therefore, in this embodiment of the application, after obtaining the attestation private key, the trusted device may determine a node that is both on the path from its leaf node to the root node of the binary tree and in the output CS(RU, BT) of the SM algorithm, and obtain from the attestation private key the pair
Figure GDA00039058596700002310
and obtain from the revocation list the pair
Figure GDA00039058596700002311
and then, according to the pair
Figure GDA00039058596700002312
and the pair
Figure GDA00039058596700002313
determine a zero-knowledge signature over the random challenge information and the platform integrity metric value, so that the verification device can verify the system integrity of the trusted chip from the zero-knowledge signature.
In the remote certification device, the solution provided in the embodiment of the present application may be implemented in the form of a hardware chip, or may be implemented in the form of a software code, which is not limited in the embodiment of the present application.
The embodiment of the present application further provides a device for remote attestation, please refer to fig. 7. Illustratively, the apparatus 700 for remote attestation may be a first device, such as a trusted device, that needs to perform system integrity attestation. In this embodiment, the apparatus 700 may include a receiving unit 710 and a generating unit 720.
a receiving unit 710, configured to receive a first partial attestation private key from a first server, where the first partial attestation private key is generated by the first server according to a first master key A-MSK1;
the receiving unit 710 is further configured to receive a second partial attestation private key from a second server, where the second partial attestation private key is generated by the second server according to a second master key A-MSK2;
a generating unit 720, configured to generate an attestation private key according to the first partial attestation private key and the second partial attestation private key;
the generating unit 720 is further configured to generate an anonymous signature according to the attestation private key, where the joint master public key used to verify the anonymous signature is determined according to the first master public key A-MPK1 corresponding to A-MSK1 and the second master public key A-MPK2 corresponding to A-MSK2.
Optionally, the first partial attestation private key is determined by the first server from a first signature, which is generated by the first server according to A-MSK1 for each $u_j \in \{u_0, u_1, \ldots, u_l\}$ on the pair $(u_l, u_j)$;
the second partial attestation private key is determined by the second server from a second signature, which is generated by the first server according to A-MSK2 for each $u_j \in \{u_0, u_1, \ldots, u_l\}$ on the pair $(u_l, u_j)$;
where $\{u_0, u_1, \ldots, u_l\}$ denotes the path from the leaf node of the first device in the binary tree to the root node of the binary tree, $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node where the first device is located, $u_0$ denotes the root node, $0 \le j \le l$, and $j$ and $l$ are positive integers.
Optionally, the apparatus further includes an obtaining unit, configured to obtain a revocation list for time period $t$, where the revocation list includes the joint signature on the pair $(t, u_j)$ for each $u_j$, and the revocation list is determined from a third signature and a fourth signature, the third signature being generated by the first server according to A-MSK1 for each $u_j \in R$ on the pair $(t, u_j)$, and the fourth signature being generated by the second server according to A-MSK1 for each $u_j \in R$ on the pair $(t, u_j)$;
and $R \leftarrow CS(RU, BT)$, where BT denotes the binary tree, RU denotes the set of chips revoked in the binary tree in time period $t$, and $R$ denotes the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked in the binary tree BT.
Optionally, the generating unit 720 is specifically configured to:
obtain random challenge information sent by the verification device;
determine a node
Figure GDA0003905859670000241
the signature on the pair
Figure GDA0003905859670000242
contained in the attestation private key, and the signature on the pair
Figure GDA0003905859670000243
contained in the revocation list;
and, according to the pair
Figure GDA0003905859670000244
and the pair
Figure GDA0003905859670000245
determine a zero-knowledge signature over the random challenge information and the platform integrity metric value.
Optionally, the first signature and the second signature are BBS + signatures, or the first signature and the second signature are LMPY signatures.
Optionally, the second server is a chip manufacturer server of the first device.
Optionally, the apparatus further includes a sending unit, configured to send the anonymous signature to the verification device.
The functions and actions of each module or unit in the apparatus 700 are merely exemplary, and each module or unit in the apparatus 700 may be configured to execute each action or processing procedure executed by the trusted device in the foregoing method, which may be specifically referred to the description of these contents in the foregoing embodiment, and are not described herein again.
The embodiment of the present application further provides a device for remote attestation, please refer to fig. 8. For example, the remote attestation apparatus 800 may be a first server that distributes part of the attestation key for the trusted device, such as a trusted third party server. In this embodiment, the apparatus 800 may include a generating unit 810 and a sending unit 820.
a generating unit 810, configured to generate a first partial attestation private key according to a first master key A-MSK1;
a sending unit 820, configured to send the first partial attestation private key to a first device, where the first device uses the first partial attestation private key together with a second partial attestation private key to generate an attestation private key, the second partial attestation private key is generated by a second server according to a second master key A-MSK2, the attestation private key is used to generate an anonymous signature, and the joint master public key used to verify the anonymous signature is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
Optionally, the generating unit is further configured to determine the path $\{u_0, u_1, \ldots, u_l\}$ from the leaf node where the first device is located in the binary tree to the root node of the binary tree, where $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node where the first device is located, $u_0$ denotes the root node, $0 \le j \le l$, and $j$ and $l$ are positive integers;
and, according to A-MSK1, for each $u_j \in \{u_0, u_1, \ldots, u_l\}$, generate the first signature on the pair $(u_l, u_j)$;
the sending unit is specifically configured to send the first signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where the first signatures on the pairs $(u_l, u_j)$ for all $u_j$ constitute the first partial attestation private key.
Optionally, the sending unit 820 is specifically configured to:
send, according to A-MSK1 and the temporary additively homomorphic encryption algorithm, the encryption information $c_1$ of the pair $(u_l, u_j)$ to the second server;
the apparatus further includes a receiving unit, configured to receive encryption information $c_2$ sent by the second server, where $c_2$ is generated by the second server according to the encryption information $c_1$ and A-MSK1;
the generating unit 810 is specifically configured to decrypt the encryption information $c_2$ and generate the first signature on the pair $(u_l, u_j)$ according to $c_2$.
Optionally, the generating unit 810 is further configured to determine a set $R$, where $R \leftarrow CS(RU, BT)$, BT denotes the binary tree, RU denotes the set of chips revoked in the binary tree in time period $t$, and $R$ denotes the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked in the binary tree BT;
according to A-MSK1, for each $u_j \in R$, generate the third signature on the pair $(t, u_j)$;
and determine the revocation list for time period $t$ from the third and fourth signatures, the revocation list including the joint signature on the pair $(t, u_j)$ for each $u_j$, where the fourth signature is generated by the second server according to A-MSK2 for each $u_j \in R$ on the pair $(t, u_j)$.
Optionally, the first signature and the second signature are BBS + signatures, or the first signature and the second signature are LMPY signatures.
The functions and actions of the modules or units in the apparatus 800 are merely exemplary illustrations, and the modules or units in the apparatus 800 may be configured to execute the actions or processes executed by the trusted third-party server in the foregoing method, which may be specifically referred to the description of these contents in the foregoing embodiments, and are not described herein again.
The embodiment of the present application further provides a device for remote attestation, please refer to fig. 9. For example, the remote attestation apparatus 900 may be a second server, such as a chip manufacturer server, that distributes the part attestation key for the trusted device. In this embodiment, the apparatus 900 may include a generating unit 910 and a sending unit 920.
the generating unit 910 is configured to generate a second partial attestation private key according to a second master key A-MSK2;
the sending unit 920 is configured to send the second partial attestation private key to a first device, where the first device uses a first partial attestation private key together with the second partial attestation private key to generate an attestation private key, the second partial attestation private key is generated by the second server according to the second master key A-MSK2, the attestation private key is used to generate an anonymous signature, and the joint master public key used to verify the anonymous signature is determined according to a first master public key A-MPK1 corresponding to A-MSK1 and a second master public key A-MPK2 corresponding to A-MSK2.
Optionally, the generating unit 910 is further configured to determine the path $\{u_0, u_1, \ldots, u_l\}$ from the leaf node where the first device is located in the binary tree to the root node of the binary tree, where $u_j$ denotes the $j$-th node on the path, $u_l$ denotes the leaf node where the first device is located, $u_0$ denotes the root node, $0 \le j \le l$, and $j$ and $l$ are positive integers;
and, according to A-MSK2, for each $u_j \in \{u_0, u_1, \ldots, u_l\}$, generate the second signature on the pair $(u_l, u_j)$;
the sending unit 920 is further configured to send the second signature on the pair $(u_l, u_j)$ for each $u_j$ to the first device, where the second signatures on the pairs $(u_l, u_j)$ for all $u_j$ constitute the second partial attestation private key.
Optionally, the sending unit 920 is further configured to send, according to A-MSK2 and the temporary additively homomorphic encryption algorithm, first encryption information of the pair $(u_l, u_j)$ to the first server;
the first server generates second encryption information according to the first encryption information and A-MSK1;
the generating unit 910 is further configured to decrypt the second encryption information and generate the second signature on the pair $(u_l, u_j)$ according to the second encryption information.
Optionally, the generating unit 910 is further configured to determine a set $R$, where $R \leftarrow CS(RU, BT)$, BT denotes the binary tree, RU denotes the set of chips revoked in the binary tree in time period $t$, and $R$ denotes the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked in the binary tree BT;
according to A-MSK2, for each $u_j \in R$, generate the fourth signature on the pair $(t, u_j)$;
and determine the revocation list for time period $t$ from a third signature and the fourth signature, the revocation list including the joint signature on the pair $(t, u_j)$ for each $u_j$, where the third signature is generated by the first server according to A-MSK1 for each $u_j \in R$ on the pair $(t, u_j)$.
Optionally, the first signature and the second signature are BBS + signatures, or the first signature and the second signature are LMPY signatures.
The functions and actions of the modules or units in the apparatus 900 are only exemplary, and the modules or units in the apparatus 900 may be used to execute the actions or processes executed by the chip manufacturer server in the above method, which may be specifically referred to the description of these contents in the foregoing embodiments, and are not described herein again.
The embodiment of the present application further provides a device for remote attestation, please refer to fig. 10. Illustratively, the apparatus 1000 for remote attestation may be an authentication device that authenticates the integrity of a trusted device system. In the embodiment of the present application, the apparatus 1000 may include a receiving unit 1010 and a processing unit 1020.
A receiving unit 1010 configured to receive an anonymous signature from a trusted device, wherein the anonymous signature is generated from a proof private key generated from a partial proof private key generated by a first server and a partial proof private key generated by a second server;
a processing unit 1020, configured to verify the anonymous signature according to a joint master public key, where the joint master public key is determined according to a first master public key a-MPK1 of the first server and a second master public key a-MPK2 of the second server.
The functions and actions of the modules or units in the apparatus 1000 are merely exemplary illustrations, and the modules or units in the apparatus 1000 may be used to execute the actions or processing procedures executed by the verification device in the foregoing method, which may be specifically referred to the description of these contents in the foregoing embodiments, and are not described herein again.
It should be noted that the processing unit may be implemented by a processor, and the receiving unit or the sending unit may be implemented by a communication interface.
Fig. 11 is a hardware configuration diagram of an apparatus 1100 for remote attestation according to an embodiment of the present application. The apparatus 1100 shown in fig. 11 may be considered a computer device, and may be, for example, a first device, a first server, a second server, or an authentication device. The apparatus 1100 may be implemented as an apparatus for remote attestation of embodiments of the present application. The device 1100 includes a processor 1101, a memory 1102, and a bus 1104, and may also include a communication interface 1103. The processor 1101, the memory 1102 and the communication interface 1103 are communicatively connected to each other through a bus 1104.
The processor 1101 may be a general Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, configured to execute related programs to implement the functions required to be performed by the modules in the remote certification apparatus according to the embodiment of the present application or to perform the remote certification method according to the embodiment of the present application. The processor 1101 may be an integrated circuit chip having signal processing capabilities.
In implementation, when the apparatus 1100 is a first device, the steps performed by the first device in the above method may be performed by instructions in the form of hardware integrated logic circuits or software in the processor 1101. When the apparatus 1100 is a first server, the steps performed by the first server in the above method may be performed by hardware integrated logic circuits or instructions in the form of software in the processor 1101. When the apparatus 1100 is a second server, the steps performed by the second server in the above method may be performed by instructions in the form of hardware integrated logic circuits or software in the processor 1101. When the apparatus 1100 is an authentication device, the steps performed by the authentication device in the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 1101.
The processor 1101 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 1102; the processor 1101 reads the information in the memory 1102 and, in combination with its hardware, completes the functions to be executed by the modules included in the apparatus for remote attestation according to the embodiment of the present application or performs the method for remote attestation according to the method embodiment of the present application.
The memory 1102 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 1102 may store an operating system and other application programs. When the functions to be performed by the modules included in the apparatus for remote attestation of the embodiment of the present application or the method for remote attestation of the embodiment of the present application are implemented by software or firmware, the program codes for implementing the technical solutions provided by the embodiment of the present application are stored in the memory 1102 and executed by the processor 1101 to perform the operations to be performed by the modules included in the apparatus for remote attestation or execute the method for remote attestation provided by the embodiment of the method of the present application.
The communication interface 1103 enables communication between the apparatus 1100 and other devices or communication networks using transceiver means such as, but not limited to, a transceiver, and may serve as the receiving unit or the sending unit of the apparatus 1100.
Bus 1104 may include a path that conveys information between various components of apparatus 1100, such as processor 1101, memory 1102, and communication interface 1103.
It should be noted that although the apparatus 1100 shown in fig. 11 only shows the processor 1101, the memory 1102, the communication interface 1103 and the bus 1104, in a specific implementation process, a person skilled in the art should understand that the apparatus 1100 also comprises other devices necessary for realizing normal operation, for example, the apparatus 1100 may also comprise hardware devices for realizing other additional functions according to specific needs. Further, those skilled in the art will appreciate that apparatus 1100 may also include only those components necessary to implement embodiments of the present application, and need not include all of the components shown in FIG. 11.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Embodiments of the present application further provide a computer-readable storage medium, which includes a computer program and when the computer program runs on a computer, the computer is caused to execute the method provided by the above method embodiments.
Embodiments of the present application further provide a computer program product containing instructions, which when run on a computer, cause the computer to execute the method provided by the above method embodiments.
The embodiment of the application also provides a remote certification system, which comprises the first device and the second server.
The embodiment of the application further provides a remote certification system, which comprises the first device, the first server and the second server.
The embodiment of the application further provides a remote certification system, which comprises the first device, the first server, the second server and the verification device.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It should be understood that the descriptions of the first, second, etc. appearing in the embodiments of the present application are only for illustrating and differentiating the objects, and do not represent a particular limitation to the number of devices in the embodiments of the present application, and do not constitute any limitation to the embodiments of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (26)

1. A method of remote attestation, comprising:
a second server sending a second partial attestation private key to a first device according to a second master key A-MSK2;
the first device receiving the second partial attestation private key from the second server and a first partial attestation private key from a first server, wherein the first partial attestation private key is generated by the first server according to a first master key A-MSK1;
the first device generating an attestation private key according to the first partial attestation private key and the second partial attestation private key; and
the first device generating an anonymous signature according to the attestation private key, wherein a joint master public key for verifying the anonymous signature is determined according to a first master public key A-MPK1 corresponding to the A-MSK1 and a second master public key A-MPK2 corresponding to the A-MSK2.
2. The method of claim 1, further comprising:
the second server determining a path {u_0, u_1, …, u_l} from the leaf node of the first device in a binary tree to the root node of the binary tree, where u_j represents the j-th node on the path, u_l represents the leaf node at which the first device is located, u_0 represents the root node, 0 ≤ j ≤ l, and j and l are positive integers;
wherein the second server sending the second partial attestation private key to the first device according to the second master key A-MSK2 comprises:
the second server generating, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, a second signature on the pair (u_l, u_j); and
the second server sending the second signature on the pair (u_l, u_j) for each u_j to the first device, wherein the second signatures on the pairs (u_l, u_j) for each u_j are the second partial attestation private key;
wherein the first partial attestation private key is determined by the first server from a first signature, the first signature being a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j).
3. The method of claim 2, wherein the second server generating, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, the second signature on the pair (u_l, u_j) comprises:
the second server sending, to the first server, first encrypted information on the pair (u_l, u_j) generated according to the A-MSK2 and a temporary additively homomorphic encryption algorithm;
the second server receiving second encrypted information sent by the first server, wherein the second encrypted information is generated by the first server according to the first encrypted information and the A-MSK1; and
the second server decrypting the second encrypted information and generating the second signature on the pair (u_l, u_j) according to the decrypted second encrypted information.
4. The method of claim 2 or 3, further comprising:
the second server determining a set R, where R ← CS(RU, BT), BT represents the binary tree, RU represents the set of chips revoked in the binary tree within a time period t, and R represents the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked from the binary tree BT;
the second server generating, according to the A-MSK2 and for each u_j ∈ R, a fourth signature on the pair (t, u_j); and
the second server determining a revocation list for the time period t according to the fourth signature and a third signature, wherein the revocation list comprises the pair (t, u_j) for each u_j, and the third signature is a joint signature that the first server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j).
5. The method of claim 4, wherein the first device generating the anonymous signature according to the attestation private key comprises:
acquiring random challenge information sent by a verification device;
determining a node [formula image FDA0003905859660000021, not reproduced on this page], the pair [formula image FDA0003905859660000022] contained in the attestation private key and the pair [formula image FDA0003905859660000023] contained in the revocation list, where U represents the first device; and
determining, according to the pair [formula image FDA0003905859660000024] and the pair [formula image FDA0003905859660000025], a zero-knowledge signature on the random challenge information and the platform integrity metric values.
6. The method of any of claims 2-3 and 5, wherein the first signature and the second signature are BBS+ signatures, or wherein the first signature and the second signature are LMPY signatures.
7. The method of any of claims 1-3, 5, wherein the second server is a chip manufacturer server of the first device.
8. A method of remote attestation, comprising:
a first device receiving a first partial attestation private key from a first server, wherein the first partial attestation private key is generated by the first server according to a first master key A-MSK1;
the first device receiving a second partial attestation private key from a second server, wherein the second partial attestation private key is generated by the second server according to a second master key A-MSK2;
the first device generating an attestation private key according to the first partial attestation private key and the second partial attestation private key; and
the first device generating an anonymous signature according to the attestation private key, wherein a joint master public key for verifying the anonymous signature is determined according to a first master public key A-MPK1 corresponding to the A-MSK1 and a second master public key A-MPK2 corresponding to the A-MSK2.
9. The method of claim 8, wherein
the first partial attestation private key is determined by the first server from a first signature, the first signature being a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j);
the second partial attestation private key is determined by the second server from a second signature, the second signature being a signature that the first server generates, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j);
wherein {u_0, u_1, …, u_l} denotes the path from the leaf node of the first device in the binary tree to the root node of the binary tree, u_j represents the j-th node on the path, u_l represents the leaf node at which the first device is located, u_0 represents the root node, 0 ≤ j ≤ l, and j and l are positive integers.
10. The method of claim 9, wherein the first device obtains a revocation list for a time period t, the revocation list comprising the pair (t, u_j) for each u_j, wherein the revocation list is determined from a third signature and a fourth signature, the third signature being a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j), and the fourth signature being a signature that the second server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j);
and R ← CS(RU, BT), where BT represents the binary tree, RU represents the set of chips revoked in the binary tree within the time period t, and R represents the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked from the binary tree BT.
11. The method of claim 10, wherein the first device generating the anonymous signature according to the attestation private key comprises:
acquiring random challenge information sent by a verification device;
determining a node [formula image FDA0003905859660000035, not reproduced on this page], the pair [formula image FDA0003905859660000031] contained in the attestation private key and the pair [formula image FDA0003905859660000032] contained in the revocation list, where U represents the first device; and
determining, according to the pair [formula image FDA0003905859660000033] and the pair [formula image FDA0003905859660000034], a zero-knowledge signature on the random challenge information and the platform integrity metric values.
12. The method of any of claims 9-11, wherein the first signature and the second signature are BBS+ signatures, or wherein the first signature and the second signature are LMPY signatures.
13. The method according to any of claims 8-11, wherein the second server is a chip manufacturer server of the first device.
14. A system for remote attestation, comprising:
a second server, configured to send a second partial attestation private key to a first device according to a second master key A-MSK2; and
the first device, configured to receive the second partial attestation private key from the second server and a first partial attestation private key from a first server, wherein the first partial attestation private key is generated by the first server according to a first master key A-MSK1;
the first device being further configured to generate an attestation private key according to the first partial attestation private key and the second partial attestation private key; and
the first device being further configured to generate an anonymous signature according to the attestation private key, wherein a joint master public key used for verifying the anonymous signature is determined according to a first master public key A-MPK1 corresponding to the A-MSK1 and a second master public key A-MPK2 corresponding to the A-MSK2.
15. The system of claim 14, wherein:
the second server is further configured to determine a path {u_0, u_1, …, u_l} from the leaf node of the first device in the binary tree to the root node of the binary tree, where u_j represents the j-th node on the path, u_l represents the leaf node at which the first device is located, u_0 represents the root node, 0 ≤ j ≤ l, and j and l are positive integers;
wherein the second server is specifically configured to:
generate, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, a second signature on the pair (u_l, u_j); and
send the second signature on the pair (u_l, u_j) for each u_j to the first device, wherein the second signatures on the pairs (u_l, u_j) for each u_j are the second partial attestation private key;
wherein the first partial attestation private key is determined by the first server from a second signature, the second signature being a signature that the first server generates, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j).
16. The system of claim 15, wherein the second server is specifically configured to:
send, to the first server, first encrypted information on the pair (u_l, u_j) generated according to the A-MSK2 and a temporary additively homomorphic encryption algorithm;
receive second encrypted information sent by the first server, wherein the second encrypted information is generated by the first server according to the first encrypted information and the A-MSK1; and
decrypt the second encrypted information and generate the first signature on the pair (u_l, u_j) according to the decrypted second encrypted information.
17. The system of claim 15 or 16, wherein:
the second server is further configured to determine a set R, where R ← CS(RU, BT), BT represents the binary tree, RU represents the set of chips revoked in the binary tree within a time period t, and R represents the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked from the binary tree BT;
the second server is further configured to generate, according to the A-MSK2 and for each u_j ∈ R, a fourth signature on the pair (t, u_j); and
the second server is further configured to determine a revocation list for the time period t according to a third signature and the fourth signature, the revocation list comprising the pair (t, u_j) for each u_j, wherein the third signature is a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j).
18. The system of claim 17, wherein the first device is specifically configured to:
acquire random challenge information sent by a verification device;
determine a node [formula image FDA0003905859660000041, not reproduced on this page], the pair [formula image FDA0003905859660000042] contained in the attestation private key and the pair [formula image FDA0003905859660000043] contained in the revocation list, where U represents the first device; and
determine, according to the pair [formula image FDA0003905859660000044] and the pair [formula image FDA0003905859660000045], a zero-knowledge signature on the random challenge information and the platform integrity metric values.
19. The system of claim 16, wherein the first signature and the second signature are BBS+ signatures, or the first signature and the second signature are LMPY signatures.
20. The system according to any of claims 14-16, 18-19, wherein said second server is a chip manufacturer server of said first device.
21. An apparatus for remote attestation, comprising:
a receiving unit, configured to receive a first partial attestation private key from a first server, where the first partial attestation private key is generated by the first server according to a first master key A-MSK1;
the receiving unit being further configured to receive a second partial attestation private key from a second server, wherein the second partial attestation private key is generated by the second server according to a second master key A-MSK2;
a generating unit, configured to generate an attestation private key according to the first partial attestation private key and the second partial attestation private key;
the generating unit being further configured to generate, by the first device, an anonymous signature according to the attestation private key, where a joint master public key used to verify the anonymous signature is determined according to a first master public key A-MPK1 corresponding to the A-MSK1 and a second master public key A-MPK2 corresponding to the A-MSK2.
22. The apparatus of claim 21, wherein
the first partial attestation private key is determined by the first server from a first signature, the first signature being a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j);
the second partial attestation private key is determined by the second server from a second signature, the second signature being a signature that the first server generates, according to the A-MSK2 and for each u_j ∈ {u_0, u_1, …, u_l}, on the pair (u_l, u_j);
wherein {u_0, u_1, …, u_l} denotes the path from the leaf node of the first device in the binary tree to the root node of the binary tree, u_j represents the j-th node on the path, u_l represents the leaf node at which the first device is located, u_0 represents the root node, 0 ≤ j ≤ l, and j and l are positive integers.
23. The apparatus of claim 22, further comprising:
an obtaining unit, configured to obtain a revocation list for a time period t, where the revocation list comprises the pair (t, u_j) for each u_j, wherein the revocation list is determined from a third signature and a fourth signature, the third signature being a signature that the first server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j), and the fourth signature being a signature that the second server generates, according to the A-MSK1 and for each u_j ∈ R, on the pair (t, u_j);
and R ← CS(RU, BT), where BT represents the binary tree, RU represents the set of chips revoked in the binary tree within the time period t, and R represents the root nodes of all subtrees formed by the remaining valid nodes after the RU nodes are revoked from the binary tree BT.
24. The apparatus of claim 23, wherein the generating unit is specifically configured to:
acquire random challenge information sent by a verification device;
determine a node [formula image FDA0003905859660000051, not reproduced on this page], the pair [formula image FDA0003905859660000052] contained in the attestation private key and the pair [formula image FDA0003905859660000053] contained in the revocation list, where U represents the first device; and
determine, according to the pair [formula image FDA0003905859660000054] and the pair [formula image FDA0003905859660000055], a zero-knowledge signature on the random challenge information and the platform integrity metric values.
25. The apparatus of any of claims 22-24, wherein the first signature and the second signature are BBS+ signatures, or wherein the first signature and the second signature are LMPY signatures.
26. The apparatus of any of claims 21-24, wherein the second server is a chip manufacturer server of the first device.
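As an added illustration that is not part of the patent or any Huawei code, the following Python models the binary-tree structures that claims 2, 4 and 5 (and their system and apparatus counterparts) rely on: the path {u_0, …, u_l} from the root to a device's leaf, the cover set R ← CS(RU, BT) from which the revocation list for period t is built, and the common node u_j that links a pair (u_l, u_j) in the device's attestation private key to a pair (t, u_j) in the revocation list. The bit-string node encoding, the tree depth, the revoked leaves and the function names are this example's own assumptions; the BBS+/LMPY signatures and the zero-knowledge signature are not modelled.

```python
"""Constructed model of the revocation structure in claims 2, 4 and 5.

Nodes of the binary tree BT are encoded as bit strings (an assumption of
this example): "" is the root, "0" and "1" are its children, and a leaf
is a string of length DEPTH. The path {u_0, ..., u_l} of a device runs
from the root u_0 to its leaf u_l. No signatures are modelled here.
"""

DEPTH = 4  # constructed: a 16-leaf tree, one leaf per chip identity


def path_to_root(leaf: str) -> list:
    """{u_0, u_1, ..., u_l}: every prefix of the leaf label, root first."""
    return [leaf[:i] for i in range(len(leaf) + 1)]


def cover_set(revoked: set, depth: int = DEPTH) -> set:
    """R <- CS(RU, BT): the roots of the maximal subtrees that contain no
    revoked leaf, i.e. the residual valid nodes once RU is cut out of BT
    (the complete-subtree method)."""
    if not revoked:
        return {""}  # nothing revoked: the root alone covers every device
    # Steiner tree of RU: every node on a root-to-revoked-leaf path.
    steiner = set()
    for leaf in revoked:
        steiner.update(path_to_root(leaf))
    cover = set()
    for node in steiner:
        if len(node) == depth:
            continue  # a leaf has no children to hang a subtree from
        for child in (node + "0", node + "1"):
            if child not in steiner:
                cover.add(child)  # this child's subtree holds no revoked leaf
    return cover


def attestation_key_pairs(leaf: str) -> set:
    """The pairs (u_l, u_j), one per node on the path, that the first and
    second server each sign to form the device's attestation private key."""
    return {(leaf, node) for node in path_to_root(leaf)}


def revocation_list(t: int, revoked: set) -> set:
    """The pairs (t, u_j), u_j in R, that both servers sign for period t."""
    return {(t, node) for node in cover_set(revoked)}


def usable_pairs(leaf: str, t: int, rl: set):
    """The (u_l, u_j) from the key and the (t, u_j) from the revocation
    list that share a node u_j; these are what the device proves knowledge
    of in its zero-knowledge signature. None means the device is revoked
    (or holds no list for period t) and cannot attest."""
    listed = {node for period, node in rl if period == t}
    key = attestation_key_pairs(leaf)
    for node in path_to_root(leaf):
        if node in listed and (leaf, node) in key:
            return (leaf, node), (t, node)
    return None


if __name__ == "__main__":
    # Constructed scenario: two chips revoked in period 7.
    RU = {"0000", "0110"}
    rl = revocation_list(7, RU)
    print("R =", sorted(cover_set(RU)))
    for device in ("1100", "0101", "0110"):
        print(device, "->", usable_pairs(device, 7, rl))
```

The cover subtrees are disjoint, so a non-revoked leaf's path meets R in exactly one node, while a revoked leaf's path lies entirely inside the Steiner tree and meets R nowhere.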
CN202010671512.6A 2020-07-13 2020-07-13 Method and device for remote attestation Active CN114006691B (en)

Publications (2)

Publication Number Publication Date
CN114006691A CN114006691A (en) 2022-02-01
CN114006691B (en) 2023-02-28
